TP-Link TL-R600VPN Configuration Manual

Gigabit broadband

Configuration Guide
TL-R600VPN
1910012202 REV4.0.0
July 2017

Summary of Contents for TP-Link TL-R600VPN

  • Page 1 Configuration Guide TL-R600VPN 1910012202 REV4.0.0 July 2017...
  • Page 2: Table Of Contents

    CONTENTS: About This Guide; Intended Readers (1); Conventions (1); More Information (1); Viewing Status Information (2); System Status (3); Traffic Statistics (4); Viewing the Interface Statistics (4); Viewing the IP Statistics (5); Configuring Network (7); Overview ...
  • Page 3 Creating a VLAN (36); Configuring the PVID of a Port (37); IPv6 Configuration (39); Configuring the LAN (39); Configuring the WAN (40); Configuring the Number of WAN Ports (40); Configuring the WAN Connection (41); Configuring Preferences (49); Overview (50); IP Group Configuration ...
  • Page 4 Configuring the Static Routing (74); Configuring the Policy Routing (75); Viewing the Routing Table (76); Configuration Examples (77); Example for Configuring NAT (77); Network Requirements (77); Network Topology (77); Configuration Scheme (77); Configuration Procedure (78); Example for Configuring Load Balancing (80); Network Requirements (80); Network Topology (80); Configuration Scheme (80)...
  • Page 5 Example for Anti ARP Spoofing (99); Network Requirements (99); Configuration Scheme (99); Configuration Procedure (100); Example for MAC Filtering (102); Network Requirements (102); Configuration Scheme (103); Configuration Procedure (103); Example for Access Control (104); Network Requirements (104); Configuration Scheme (104); Configuration Procedure (105); Configuring Behavior Control ...
  • Page 6 Configuring the IPSec Policy (127); Configuring the Basic Parameters (127); Configuring the Advanced Parameters (128); Verifying the Connectivity of the IPSec VPN tunnel (131); L2TP Configuration (132); Configuring the VPN IP Pool (132); Configuring L2TP Globally (133); Configuring the L2TP Server (133); Configuring the L2TP Client (134); (Optional) Configuring the L2TP Users (136); Verifying the Connectivity of L2TP VPN Tunnel (137)...
  • Page 7 Supported Features (157); Supported Web Server (158); Supported Authentication Server (158); Guest Resources (158); Local Authentication Configuration (159); Configuring the Authentication Page (159); Configuring the Local User Account (162); Configuring the Local User Account (162); (Optional) Configuring the Backup of Local Users (165); RADIUS Authentication Configuration (166); Configuring RADIUS Authentication (166); Onekey Online Configuration (169)...
  • Page 8 Configuration Procedure (188); Specifying the IP Address of the Host (188); Configuring the DDNS function (188); System Tools (190); System Tools (191); Overview (191); Support Features (191); Admin Setup (192); Admin Setup (192); Remote Management (193); System Setting (193); Management (195); Factory Default Restore (195); Backup &...
  • Page 9: About This Guide

    About This Guide Intended Readers About This Guide This Configuration Guide provides information for managing TL-R600VPN router. Please read this guide carefully before operation. Intended Readers This Guide is intended for network managers familiar with IT concepts and network terminologies.
  • Page 10: Viewing Status Information

    Part 1 Viewing Status Information CHAPTERS 1. System Status 2. Traffic Statistics...
  • Page 11: System Status

    The System Status page displays the basic system information (like the hardware version, firmware version and system time) and the running information (like the WAN interface status, memory utilization and CPU utilization). Choose the menu Status > System Status > System Status to load the following page. Figure 1-1 System Status
  • Page 12: Traffic Statistics

    Traffic Statistics displays detailed information relating to the data traffic of interfaces and IP addresses. You can monitor the traffic and locate faults according to this information. With the Traffic Statistics function, you can: • View the traffic statistics on each interface.
  • Page 13: Viewing The Ip Statistics

    Total RX Packets: Displays the number of packets received on the interface. You can enable Auto Refresh or click Refresh to get the latest statistics information, or click Clear to clear the current statistics information. Viewing the IP Statistics: Choose the menu Status >...
  • Page 14 Total TX Bytes: Displays the bytes of packets transmitted by the user who owns the IP address. Total RX Bytes: Displays the bytes of packets received by the user who owns the IP address. Total TX Packets: Displays the number of packets transmitted by the user who owns the IP address.
  • Page 15: Configuring Network

    Part 2 Configuring Network CHAPTERS 1. Overview 2. WAN Configuration 3. LAN Configuration 4. IPTV Configuration 5. MAC Configuration 6. Switch Configuration 7. VLAN Configuration 8. IPv6 Configuration...
  • Page 16: Overview

    Configuring Network Overview Overview The Network module provides basic router functions, including WAN connection, DHCP service, VLAN, IPTV service and more. 1.1 Supported Features The router can provide a maximum of four WAN ports. Each WAN port has its own internet connection, providing link backup and load balancing.
  • Page 17: Wan Configuration

    Configuring Network WAN Configuration WAN Configuration You can configure at most four WAN ports. Each WAN port can have its own WAN connection, providing link backup and load balancing. To complete WAN configuration, follow these steps: 1) Configure the number of WAN ports. 2) Configure the WAN connection.
  • Page 18 Configuring Network WAN Configuration Static IP: If your ISP provides you with a fixed IP address and the corresponding parameters, choose Static IP. Dynamic IP: If your ISP automatically assigns the IP address and the corresponding parameters, choose Dynamic IP. PPPoE: If your ISP provides you with a PPPoE account, choose PPPoE.
  • Page 19 Configuring Network WAN Configuration Specify the MTU (Maximum Transmission Unit) of the WAN port. MTU is the maximum data unit transmitted in the physical network. When Dynamic IP is selected, MTU can be set in the range of 576-1500 bytes. The default value is 1500.
  • Page 20 Configuring Network WAN Configuration Connection Type Choose the connection type as Static IP if your ISP has offered you a fixed IP address. IP Address Enter the IP address provided by your ISP. Subnet Mask Enter the subnet mask provided by your ISP. Default Gateway Enter the default gateway provided by your ISP.
  • Page 21 Configuring the PPPoE: Choose the menu Network > WAN > WAN to load the following page. Figure 2-4 Configuring the PPPoE. In the Connection Configuration section, select the connection type as PPPoE. Enter the corresponding parameters and click Save. Connection Type: Choose the connection type as PPPoE if your ISP provides you with a PPPoE account.
  • Page 22 Downstream Bandwidth: Specify the downstream bandwidth of the WAN port. The value configured here is the lower limit of the “Maximum Downstream Bandwidth” on the Transmission > Bandwidth Control > Bandwidth Control page. To make “Bandwidth Control” take effect, please ensure this parameter is set correctly.
  • Page 23 Configuring the L2TP: Choose the menu Network > WAN > WAN to load the following page. Figure 2-5 Configuring the L2TP. In the Connection Configuration section, select the connection type as L2TP. Enter the corresponding parameters and click Save. Connection Type: Choose the connection type as L2TP if your ISP provides you with an L2TP account.
  • Page 24 Upstream Bandwidth: Specify the upstream bandwidth of the WAN port. The value configured here is the upper limit of the “Maximum Upstream Bandwidth” on the Transmission > Bandwidth Control > Bandwidth Control page. To make “Bandwidth Control” take effect, please ensure this parameter is set correctly.
  • Page 25 Configuring the PPTP: Choose the menu Network > WAN > WAN to load the following page. Figure 2-6 Configuring the PPTP. In the Connection Configuration section, select the connection type as PPTP. Enter the corresponding parameters and click Save. Connection Type: Choose the connection type as PPTP if your ISP provides you with a PPTP account.
  • Page 26 Upstream Bandwidth: Specify the upstream bandwidth of the WAN port. The value configured here is the upper limit of the “Maximum Upstream Bandwidth” on the Transmission > Bandwidth Control > Bandwidth Control page. To make “Bandwidth Control” take effect, please ensure this parameter is set correctly.
  • Page 27 Configuring the BigPond Cable: Choose the menu Network > WAN > WAN to load the following page. Figure 2-7 Configuring the BigPond Cable. In the Connection Configuration section, select the connection type as BigPond Cable. Enter the corresponding parameters and click Save. Connection Type: Choose the connection type as BigPond if your ISP provides you with a BigPond account.
  • Page 28 Configuring Network WAN Configuration Specify the MTU (Maximum Transmission Unit) of the WAN port. MTU is the maximum data unit transmitted in the physical network. When BigPond Cable is selected, MTU can be set in the range of 576-1500 bytes. The default value is 1500.
  • Page 29: Lan Configuration

    Configuring Network LAN Configuration LAN Configuration The LAN port is used to connect to the LAN clients, and works as the default gateway for these clients. You can configure the DHCP server for the LAN clients, and clients will automatically be assigned to IP addresses if the method of obtaining IP addresses is set as “Obtain IP address automatically”.
  • Page 30: Configuring The Dhcp Server

    Note: • Changing the IP address of the LAN port will automatically redirect the browser to the new management page. If the redirection fails, please try to reconnect your PC to the router to automatically get a new IP address, or configure a proper static IP address manually. • Changing the IP address of the LAN port may affect some related functions, like the IP pool of...
  • Page 31 Optional. Specify the option 60 for device identification. It is mostly used in scenarios where clients apply for different IP addresses from different servers according to their needs. By default, it is TP-LINK. If a client requests option 60, the server will respond with a packet containing the option 60 configured here.
  • Page 32: Viewing The Dhcp Client List

    Configuring Network LAN Configuration Figure 3-3 Configuring the Address Reservation Enter the MAC address of the client and the IP address to be reserved, then click OK. MAC Address Enter the MAC address of the client. IP Address Enter the IP address to be reserved. Description Optional.
  • Page 33: Iptv Configuration

    You can configure IPTV according to the type of IPTV service provided by your ISP: • Configure IPTV based on IGMP. • Configure IPTV in Bridge mode. • Configure IPTV in Custom mode. Configuring IPTV Based on IGMP: Some ISPs provide IPTV service based on IGMP technology.
  • Page 34: Configuring Iptv In Bridge Mode

    Configuring Network IPTV Configuration 4.2 Configuring IPTV in Bridge Mode If your ISP doesn’t provide any parameters and the IPTV service is not based on IGMP technology, you can enable IPTV function and choose the Bridge mode, then specify a port to connect IPTV set-top box.
  • Page 35 Figure 4-3 Configuring the Custom Mode. Follow these steps to configure IPTV in Custom mode: 1) Enable IPTV function and choose the mode as Custom. IPTV: Check the box to enable IPTV function. Mode: Choose the mode as Custom. In Custom mode, the services are labeled with different VLAN tags, which are specified by the ISP.
  • Page 36 IPTV VLAN Priority: Enter the VLAN priority of the IPTV service. It is provided by your ISP. IPTV Multicast VLAN ID: Enter the VLAN ID of the IPTV multicast service. It is provided by your ISP. IPTV Multicast Enter the VLAN priority of the IPTV multicast service.
  • Page 37: Mac Configuration

    Generally, the MAC address does not need to be changed. However, in some particular situations, you may need to change the MAC address of the WAN port or LAN port. • Configure the MAC Address of the WAN port: If your ISP has bound the account to the MAC address of the dial-up device and you want to replace the dial-up device with this router, you can set the MAC address of this router’s WAN port to be the same as that of the previous dial-up device for a...
  • Page 38 Configuring Network MAC Configuration MAC Clone Restore Factory MAC: Click this button to restore the MAC address to the factory default value. Clone Current PC’s MAC: Click this button to clone the MAC address of the PC you are currently using to configure the router. It’s only available for the WAN ports. Note: To avoid a MAC address conflict in the LAN, it is not permitted to set the MAC address of the router’s LAN port as the MAC address of the current management PC.
  • Page 39: Switch Configuration

    Configuring Network Switch Configuration Switch Configuration The router provides some basic switch port management function, including Statistics, Port Mirror, Port Config and Port Status. Viewing the Statistics Choose the menu Network > Switch > Statistics to load the following page. Figure 6-1 Viewing the Statistics Statistics displays the detailed traffic information of each port, which allows you to monitor the traffic and locate faults promptly.
  • Page 40: Configuring Port Mirror

    Configuring Network Switch Configuration Total Displays the total bytes of the received or transmitted packets (including error frames). Undersize Displays the number of received packets which have a length less than 64 bytes (including error frames). Normal Displays the number of received packets which have length between 64 bytes and the maximum frame length (including error frames).
  • Page 41: Configuring Rate Control

    Enable Port Mirror: Check the box to enable Port Mirror function. Mirror Mode: Choose the mirror mode, which includes Ingress, Egress and Ingress and Egress. Ingress: The packets received by the mirrored port will be copied to the mirroring port.
  • Page 42: Configuring Port Config

    Ingress Frame Type: Specify the ingress frame type to be limited. It is All Frames by default. All Frames: The ingress rate of all frames is limited. Broadcast: The ingress rate of broadcast frames is limited. Broadcast and Multicast: The ingress rate of broadcast and multicast frames is limited.
  • Page 43: Viewing Port Status

    Negotiation Mode: Select the negotiation mode for the port. You can set the mode as Auto, or manually set the speed and duplex mode for the port. It is recommended to configure both devices of a link to work in Auto-Negotiation mode or manually configure them to work in the same speed and duplex mode.
  • Page 44: Vlan Configuration

    Configuring Network VLAN Configuration VLAN Configuration The router supports 802.1Q VLAN, which can divide a LAN into multiple logical LANs. Each logical LAN is a VLAN. Hosts in the same VLAN can communicate with each other. However, hosts in different VLANs cannot communicate directly. Therefore, broadcast packets can be limited to within the VLAN.
  • Page 45: Configuring The Pvid Of A Port

    Configuring Network VLAN Configuration Viewing the VLANs Choose the menu Network > VLAN > VLAN to load the following page. Figure 7-2 Viewing the VLAN In the VLAN list you can view all the VLANs existing in the router. VLAN ID Displays the VLAN ID.
  • Page 46 Figure 7-3 Configuring the PVID. Configure the PVID of the port, then click Save. Port: Displays the port. PVID: Specify the PVID for the port. VID indicates the default VLAN for the corresponding port. VLAN: Displays the VLAN(s) the port belongs to.
  • Page 47: Ipv6 Configuration

    Configuring Network IPv6 Configuration IPv6 Configuration To complete IPv6 configuration, follow these steps: 1) Configure the LAN to specify the type of assigning IPv6 address to the client. 2) Configure the WAN connection. Configuring the LAN Configure the type of assigning IPv6 address to the LAN clients. Choose the menu Network >...
  • Page 48: Configuring The Wan

    Assigned Type: Select the appropriate type of assigning the IPv6 address according to your ISP. DHCPv6: The DHCP server automatically assigns the IPv6 address and DNS information to the clients. SLAAC+Stateless DHCP: The DHCP server advertises the IPv6 prefix to the client; the client then dynamically forms a host identifier that is 64 bits long and is appended to the advertised prefix to form an IPv6 address.
  • Page 49: Configuring The Wan Connection

    WAN Mode: Specify the number of WAN ports. 1: Configure physical interface 1 as WAN1. 2: Configure physical interface 1 and interface 2 as WAN1 and WAN2 respectively. 3: Configure physical interface 1, interface 2 and interface 3 as WAN1, WAN2 and WAN3 respectively.
  • Page 50 Choose the menu Network > IPv6 > WAN to load the following page. Configuring the Dynamic IP (SLAAC/DHCPv6): Figure 8-2 Configuring the Dynamic IP (SLAAC/DHCPv6). Follow these steps to configure Dynamic IP connection: 1) In the General section, check the box to enable IPv6 function, then click Save. IPv6: Check the box to enable IPv6 function.
  • Page 51 3) In the Internet section, click Advanced to configure the way of getting the IPv6 address and DNS address, and configure the Prefix Delegation. Then click Save. Get IPv6 Address: Choose the method by which the IPv6 address is obtained from the ISP. DHCPv6: The DHCP server automatically assigns the IPv6 address.
  • Page 52 Follow these steps to configure static IP connection: 1) In the General section, check the box to enable IPv6 function, then click Save. IPv6: Check the box to enable IPv6 function. 2) In the Internet section, choose the Internet Connection type as Static IP, and configure the corresponding parameters.
  • Page 53 Configuring the PPPoE: Figure 8-4 Configuring the PPPoE. Follow these steps to configure PPPoE connection: 1) In the General section, check the box to enable IPv6 function, then click Save. IPv6: Check the box to enable IPv6 function. 2) In the Internet section, choose the Internet Connection type as PPPoE, and configure the corresponding parameters.
  • Page 54 Internet Connection Type: Choose PPPoE as the connection type. Note: • If your ISP provides only one PPPoE account for both IPv4 and IPv6 connections, and you have already established an IPv4 connection on this WAN port, you can check PPPoE same session with IPv4 connection, then the WAN port will use the PPP session of IPv4 PPPoE connection to get the IPv6 address.
  • Page 55 Configuring the 6to4 Tunnel: 6to4 is an internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network. The IPv6 packet will be encapsulated in the IPv4 packet and transmitted to the IPv6 destination through IPv4 network.
  • Page 56 3) (Optional) In Internet section, click Advanced to configure the DNS server. Then click Save. Use the following DNS Server: Check the box to manually enter the IP address of the DNS server provided by your ISP. Note: If this option is not enabled, the router will use the default DNS servers with the IPv6 address as 2001:4860:4860::8888 and 2001:4860:4860::8844.
  • Page 57: Configuring Preferences

    Part 3 Configuring Preferences CHAPTERS 1. Overview 2. IP Group Configuration 3. Time Range Configuration 4. VPN IP Pool Configuration 5. Service Type Configuration...
  • Page 58: Overview

    You can preset certain preferences, such as IP groups, time ranges, IP Pools and service types. These preferences will appear as options for you to choose when you are configuring the corresponding parameters for some functions. For example, the IP groups configured here will appear as options when you are configuring the effective IP addresses for functions like Bandwidth Control, Session Limit, Policy Routing and so on.
  • Page 59: Ip Group Configuration

    IP groups configured here can be used as effective IP addresses for multiple functions like Bandwidth Control, Session Limit, Policy Routing and so on. To complete IP Group configuration, follow these steps: 1) Add IP address entries.
  • Page 60: Grouping Ip Address Entries

    Configuring Preferences IP Group Configuration 2.2 Grouping IP Address Entries Choose the menu Preferences > IP Group > IP Group and click Add to load the following page. Figure 2-2 Create an IP Group Follow these steps to create an IP group and add IP address entries to the group: 1) Specify a name and configure the range to add an IP address range.
  • Page 61: Time Range Configuration

    Configuring Preferences Time Range Configuration Time Range Configuration Time range configuration allows you to define time ranges by specifying the period in a day and days in a week. The time range configured here can be used as the effective time for multiple functions like Bandwidth Control, Link Backup, Policy Routing and so on.
  • Page 62 Figure 3-2 Working Calendar Mode. Select the time slices and click OK to set the time range. You can click the time slices, or alternatively drag the areas to select or deselect the time slices. Manually: Manually mode allows you to enter the time range and select the effective days in a week manually.
  • Page 63: Vpn Ip Pool Configuration

    Configuring Preferences VPN IP Pool Configuration VPN IP Pool Configuration The VPN IP pools configured here can be used as the VPN IP address pools when configuring L2TP VPN and PPTP VPN. Choose the menu Preferences > VPN IP Pool > VPN IP Pool and click Add to load the following page.
  • Page 64: Service Type Configuration

    Configuring Preferences Service Type Configuration Service Type Configuration The service type entries configured here can be used as part of the matching conditions when configuring the Access Control rules in Firewall. Choose the menu Preferences > Service Type > Service Type to load the following page. Figure 5-1 Service Type List The entries in gray are system predefined service types.
  • Page 65 Click Add to load the following page. Figure 5-2 Add a Service Type Entry. Follow these steps to add a service type entry: 1) Enter a name for the service type. Service Type Name: Enter a name for the service type. Only letters, digits or underscores are allowed.
  • Page 66 Configuring Preferences Service Type Configuration When Other is selected, the following page will appear. Figure 5-5 Other Protocols Protocol Number Specify the protocol number of the packets. Packets with the protocol number field matched are considered as the target packets. 3) (Optional) Enter a brief description of this service type to make identifying it easier. 4) Click OK.
  • Page 67: Configuring Transmission

    Part 4 Configuring Transmission CHAPTERS 1. Transmission 2. NAT Configurations 3. Bandwidth Control Configuration 4. Session Limit Configurations 5. Load Balancing Configurations 6. Routing Configurations 7. Configuration Examples...
  • Page 68: Transmission

    Configuring Transmission Transmission Transmission 1.1 Overview Transmission function provides multiple traffic control measures for the network. You can configure the transmission function according to your actual needs. 1.2 Supported Features The transmission module includes NAT, Bandwidth Control, Session Limit, Load Balancing and Routing.
  • Page 69 external ports, the router can forward them to the corresponding host. Port Triggering is mainly applied to online games, VoIPs, video players and so on. NAT-DMZ: When a PC is set to be a DMZ (Demilitarized Zone) host in the local network, it is totally exposed to the internet, which can realize the unlimited bidirectional communication between internal hosts and external hosts.
  • Page 70: Nat Configurations

    With NAT configurations, you can: • Configure the Multi-Nets NAT. • Configure the One-to-One NAT. • Configure the Virtual Servers. • Configure the Port Triggering. • Configure the NAT-DMZ. • Configure the ALG. 2.1 Configuring the Multi-Nets NAT: Choose the menu Transmission >...
  • Page 71: Configuring The One-To-One Nat

    Configuring Transmission NAT Configurations Status Check the box to enable the rule. Description Give a description for the rule entry to facilitate your management. 2) Click OK. 2.2 Configuring the One-to-One NAT Choose the menu Transmission > NAT > One-to-One NAT and click Add to load the following page.
  • Page 72: Configuring The Virtual Servers

    Note: One-to-One NAT takes effect only when the connection type of WAN is Static IP. 2.3 Configuring the Virtual Servers: Choose the menu Transmission > NAT > Virtual Servers and click Add to load the following page. Figure 2-3 Configuring the Virtual Servers. Follow these steps to configure the Virtual Servers: 1) Specify the name of the Virtual Server rule and configure other related parameters.
  • Page 73: Configuring The Port Triggering

    Configuring Transmission NAT Configurations Configuring the Port Triggering Choose the menu Transmission > NAT > Port Triggering and click Add to load the following page. Figure 2-4 Configuring the Port Triggering Follow these steps to configure the Port Triggering: 1) Specify the name of the Port Triggering rule and configure other related parameters. Interface Specify the effective interface for the rule.
  • Page 74: Configuring The Nat-Dmz

    Configuring Transmission NAT Configurations 2.5 Configuring the NAT-DMZ Choose the menu Transmission > NAT > NAT-DMZ and click Add to load the following page. Figure 2-5 Configuring the NAT-DMZ Follow these steps to configure the NAT-DMZ: 1) Specify the name of the NAT-DMZ rule and configure other related parameters. Interface Specify the effective interface for the rule.
  • Page 75: Bandwidth Control Configuration

    Bandwidth Control limits various data flows by means of configured rules, so that the network bandwidth can be reasonably distributed and utilized. Choose the menu Transmission > Bandwidth Control to load the following page. Figure 3-1 Configuring the Bandwidth Control. Follow these steps to configure the Bandwidth Control rule: 1) In the Bandwidth Control Config Section, enable Bandwidth Control function globally.
  • Page 76 Configuring Transmission Bandwidth Control Configuration Figure 3-2 Add Bandwidth Control rules Specify the name of the Bandwidth Control rule and configure other related parameters. Then click OK. Direction Specify the data stream direction for the rule. Group Specify the address group for the rule to define the controlled users. The IP group referenced here can be created on the Preferences >...
  • Page 77: Session Limit Configurations

    To complete Session Limit configuration, follow these steps: 1) Configure session limit. 2) View the session limit information. Configuring Session Limit: Choose the menu Transmission > Session Limit > Session Limit to load the following page.
  • Page 78: Viewing The Session Limit Information

    Configuring Transmission Session Limit Configurations Group Specify the address group to which the rule will be applied. The IP group referenced here can be created on the Preferences > IP Group > IP Group page. Max Sessions Specify the max sessions for the controlled users. Status Check the box to enable the rule.
  • Page 79: Load Balancing Configurations

    With load balancing configurations, you can: • Configure the load balancing • Configure the link backup • Configure the online detection. Configuring the Load Balancing: Choose the menu Transmission > Load Balancing > Basic Settings to load the following page.
  • Page 80: Configuring The Link Backup

    Configuring Transmission Load Balancing Configurations. 5.2 Configuring the Link Backup: With the Link Backup function, the router automatically switches all new sessions from a dropped line to another line to keep the network always online. Choose the menu Transmission > Load Balancing > Link Backup and click Add to load the following page.
  • Page 81: Configuring The Online Detection

    Configuring Transmission Load Balancing Configurations. Configuring the Online Detection: With the Online Detection function, you can detect the online status of the WAN port. Choose the menu Transmission > Load Balancing > Online Detection and click to load the following page. Figure 5-3 Configuring the Online Detection. Configure the following parameters on this page and click OK.
  • Page 82: Routing Configurations

    Configuring Transmission Routing Configurations. With routing configurations, you can: • Configure the static routing • Configure the policy routing rule • View the routing table. 6.1 Configuring the Static Routing: Choose the menu Transmission > Routing > Static Route and click Add to load the following page.
  • Page 83: Configuring The Policy Routing

    Configuring Transmission Routing Configurations. Description: Enter a brief description for the rule. Status: Check the box to enable the rule. Configuring the Policy Routing: Choose the menu Transmission > Routing > Policy Routing and click Add to load the following page. Figure 6-2 Configuring the Policy Routing. Specify the name of the policy routing entry and configure other related parameters.
  • Page 84: Viewing The Routing Table

    Configuring Transmission Routing Configurations. 6.3 Viewing the Routing Table: Choose the menu Transmission > Routing > Routing Table to load the following page. Figure 6-3 Routing Table. The Routing Table shows the information of the current route entries. Destination IP: Displays the destination IP address the route leads to. Subnet Mask: Displays the subnet mask of the destination network.
  • Page 85: Configuration Examples

    Configuring Transmission Configuration Examples. Example for Configuring NAT. 7.1.1 Network Requirements: A company has two departments: the Market Department and the RD Department. Each department is assigned to an individual subnet. The company has the following requirements: 1) The two departments need to access the internet via the same gateway router. 2) The company has a web server which needs to be accessed by the users on the internet.
  • Page 86: Configuration Procedure

    Configuring Transmission Configuration Examples. To meet the second requirement, add a One-to-One NAT entry for the web server on the gateway router, so that the web server with a private IP address can be accessed at a corresponding valid public IP address. Note that One-to-One NAT takes effect only when the connection type of the WAN port is Static IP.
  • Page 87 Configuring Transmission Configuration Examples 2) Add static routes for the two departments respectively: Specify the entry name as RD/ Market, enter 172.16.10.0/172.16.20.0 as the destination IP, and specify the VLAN 1 interface IP of L3 switch as next hop, then choose the interface as WAN1. Keep Status of this entry as Enable.
  • Page 88: Example For Configuring Load Balancing

    Configuring Transmission Configuration Examples Figure 7-6 Adding a Multi-Nets Entry for RD Department 7.2 Example for Configuring Load Balancing 7.2.1 Network Requirements To make good use of bandwidth, the network administrator decides to bind two WAN links using load balancing. 7.2.2 Network Topology Figure 7-7 Network Topology Router WAN1...
  • Page 89: Configuration Procedure

    Configuring Transmission Configuration Examples. 7.2.4 Configuration Procedure: Follow the steps below to configure load balancing on the router: • Configuring the WAN parameters: For WAN1 port, configure the connection type as PPPoE, and specify Upstream and Downstream bandwidth for this link based on your ADSL bandwidth (you can consult your Internet Service Provider for the bandwidth information).
  • Page 90: Network Topology

    Configuring Transmission Configuration Examples. 7.3.2 Network Topology: Figure 7-9 Network Topology (WAN1, Router, FTP Server IP: 192.168.0.100). 7.3.3 Configuration Scheme: In this scenario, either Virtual Server or DMZ host can be configured to meet the requirement. Here we take Virtual Server as the example, because a DMZ host has all ports open, which may compromise security.
  • Page 91: Example For Configuring Policy Routing

    Configuring Transmission Configuration Examples. Example for Configuring Policy Routing. 7.4.1 Network Requirements: The network administrator has a router with 3 computers (192.168.0.2-192.168.0.4) connected to the LAN side. All computers are routed to the internet through the WAN1 and WAN2 ports. The requirements are as follows: • The WAN2 link is used to back up the WAN1 link to keep the network always online.
  • Page 92 Configuring Transmission Configuration Examples. 2) Specify the primary WAN as WAN1, the backup WAN as WAN2 and the mode as Failover so that the backup link will be enabled when the primary WAN fails. Keep Status of this entry as Enable. Click OK. Figure 7-12 Configuring the Link Backup. • Configuring the Policy Routing Rules: 1) Choose the menu Preferences >...
  • Page 93 Configuring Transmission Configuration Examples 3) Choose the menu Transmission > Routing > Policy routing to load the configuration page, and click Add. Specify the policy routing rule name as policy1, the service type as HTTP, the source IP as group1, the destination IP as IPGROUP_ANY which means no limit. Choose WAN1, and keep Status of this entry as Enable.
  • Page 94: Configuring Firewall

    Part 5 Configuring Firewall CHAPTERS 1. Firewall 2. Firewall Configuration 3. Configuration Examples...
  • Page 95: Firewall

    Configuring Firewall Firewall. Overview: The firewall is used to enhance network security. It can prevent external network threats from spreading to the internal network, protect the internal hosts from ARP attacks, and control the internal users’ access to the external network. Supported Features: The Firewall module supports four functions: Anti ARP Spoofing, Attack Defense, MAC Filtering and Access Control.
  • Page 96 Configuring Firewall Firewall. The router provides two types of Attack Defense: Flood Defense and Packet Anomaly Defense. Flood Defense limits the receiving rate of the specific types of packets, and Packet Anomaly Defense discards the illegal packets directly. MAC Filtering: MAC Filtering can flexibly control the access to the network of the specific hosts.
  • Page 97: Firewall Configuration

    Configuring Firewall Firewall Configuration. In the Firewall module, you can configure the following features: • Anti ARP Spoofing • Attack Defense • MAC Filtering • Access Control. Anti ARP Spoofing: To complete Anti ARP Spoofing configuration, there are two steps. First, add IP-MAC Binding entries to the IP-MAC Binding List.
  • Page 98 Configuring Firewall Firewall Configuration Adding IP-MAC Binding Entries Manually Before adding entries manually, get the IP addresses and MAC addresses of the hosts on the network and make sure of their accuracy. Choose the menu Firewall > Anti ARP Spoofing > IP-MAC Binding to load the following page.
  • Page 99 Configuring Firewall Firewall Configuration. Interface: Select an interface on which the binding rule takes effect. Description: Give a description for identification. Export to DHCP Address Reservation: Choose whether to export the entry to the DHCP Address Reservation list. Status: Enable this entry. Only when the status is Enable will this entry be effective. 3) Click OK and the added entry will be displayed in the list.
  • Page 100: Enable Anti Arp Spoofing

    Configuring Firewall Firewall Configuration 2) Wait for a moment without any operation. The scanning result will be displayed in the following table. Click to export the entry to the IP-MAC Binding table. Figure 2-5 ARP Scanning Result Also, you can go to Firewall > Anti ARP Spoofing > ARP List to view and bind the ARP Scanning entries.
  • Page 101 Configuring Firewall Firewall Configuration Follow the steps below to configure Anti ARP Spoofing rule: 1) In the General section, enable ARP Spoofing Defense globally. With this option enabled, the router can protect its ARP table from being falsified by ARP spoofing packets. 2) Choose whether to enable the two sub functions.
  • Page 102: Configuring Attack Defense

    Configuring Firewall Firewall Configuration 2.2 Configuring Attack Defense Choose the menu Firewall > Attack Defense > Attack Defense to load the following page. Figure 2-2 Attack Defense Follow the steps below to configure Attack Defense. 1) In the Flood Defense section, check the box and configure the corresponding parameters to enable your desired feature.
  • Page 103 Configuring Firewall Firewall Configuration. Multi-connections ICMP Flood: With this feature enabled, the router will filter the subsequent ICMP packets if the number of this kind of packets reaches the specified threshold. The valid threshold ranges from 100 to 99999. Stationary source TCP SYN Flood: With this feature enabled, the router will filter the subsequent stationary source TCP SYN packets if the number of this kind of packets reaches the...
  • Page 104: Configuring Mac Filtering

    Configuring Firewall Firewall Configuration 2.3 Configuring MAC Filtering To complete MAC Filtering configuration, there are two steps. First, add MAC Filtering entries to the MAC Filtering List. Then configure the filtering rule for these entries. Note: In case MAC Filtering causes access problems to the currently connected devices, it’s recommended to add and verify the MAC Filtering entries first before configuring the filtering rule.
  • Page 105: Configuring Access Control

    Configuring Firewall Firewall Configuration. Allow packets with the MAC addresses listed below and deny the rest: Choose whether to select this filtering rule. With this rule selected, the router will allow the packets with the MAC addresses in the MAC Filtering List and deny other packets.
  • Page 106 Configuring Firewall Firewall Configuration. 2) Configure the required parameters and click OK: Name: Specify a name for the rule. It can be 50 characters at most. The name of each entry cannot be repeated. Policy: Select whether to block or allow the packets matching the rule to access the network.
  • Page 107: Configuration Examples

    Configuring Firewall Configuration Examples. Example for Anti ARP Spoofing. 3.1.1 Network Requirements: In the diagram below, several hosts are connected to the network via a layer 2 switch, and the router is the gateway of this network. Because an attacker may launch a series of ARP attacks, the router must be configured to protect itself and the terminal hosts from the ARP attacks.
  • Page 108: Configuration Procedure

    Configuring Firewall Configuration Examples The attacker pretends to be legal terminal hosts and sends fake ARP packets to the router, cheating the router into recording wrong ARP maps of the hosts. As a result, packets from the gateway cannot be correctly sent to the hosts. To protect the router from this kind of attack, you can configure Anti ARP Spoofing on the router.
  • Page 109 Configuring Firewall Configuration Examples. Figure 3-2 Anti ARP Spoofing Page. 2) The following page will appear. Enter the IP address and MAC address of Host A, select “LAN” as the effective interface, and give a description “Host A” for this entry. Since the IP address 192.168.0.10 has been used by Host A, we keep Export to DHCP Address Reservation as “Enable”...
  • Page 110: Example For Mac Filtering

    Configuring Firewall Configuration Examples. Figure 3-4 Verify IP-MAC Binding Entries. 4) In the General section on the same page, check the boxes to enable ARP Spoofing Defense and Send GARP packets when ARP attack is detected, and keep the interval as 1000 milliseconds.
  • Page 111: Configuration Scheme

    Configuring Firewall Configuration Examples. 3.2.2 Configuration Scheme: To meet this requirement, we can configure MAC Filtering on the router to filter the packets with the MAC address of the attacker. The configuration overview is as follows: 1) Enable MAC Filtering globally and select the filtering rule as “Deny packets with the MAC addresses listed below and allow the rest”.
  • Page 112: Example For Access Control

    Configuring Firewall Configuration Examples. 3.3 Example for Access Control. 3.3.1 Network Requirements: In the diagram below, the R&D and some other departments are connected to a layer 2 switch and access the internet via the router. To restrict the activities of the R&D department users, such as sending emails through external mailboxes, the R&D users may only visit websites via HTTP and HTTPS on the internet at any time.
  • Page 113: Configuration Procedure

    Configuring Firewall Configuration Examples 4) Since visiting the internet needs DNS service, add a rule to allow the DNS packets to be sent to the WAN. DNS service is already in the Service Type list by default. 5) Create a rule to block all packets from the R&D department to the WAN. This rule should have the lowest priority among all the rules.
  • Page 114 Configuring Firewall Configuration Examples Figure 3-4 Configure HTTPS Service Type 4) Choose the menu Firewall > Access Control > Access Control to load the configuration page, and click Add. Specify a name for this rule. Select “Allow” as the rule policy, “HTTP” as the service type, “LAN”...
  • Page 115 Configuring Firewall Configuration Examples Figure 3-6 Configure Allow Rule for HTTPS Service 6) Choose the menu Firewall > Access Control > Access Control to load the configuration page, and click Add. Specify a name for this rule. Select “Allow” as the rule policy, “DNS” as the service type, “LAN”...
  • Page 116 Configuring Firewall Configuration Examples This rule means that all packets from the R&D department are blocked from being sent from the LAN to the internet at all times. Figure 3-8 Configure Block Rule for ALL Services 8) Verify your configuration result. In the Access Control List, the rule with a smaller ID has a higher priority.
  • Page 117: Configuring Behavior Control

    Part 6 Configuring Behavior Control CHAPTERS 1. Behavior Control 2. Behavior Control Configuration 3. Configuration Examples...
  • Page 118: Behavior Control

    Configuring Behavior Control Behavior Control. 1.1 Overview: With the Behavior Control feature, you can control the online behavior of local hosts. You can block specific hosts’ access to specific websites using URLs or keywords, block HTTP posts and prevent certain types of files from being downloaded from the internet. 1.2 Supported Features: The Behavior Control module supports two features: Web Filtering and Web Security.
  • Page 119: Behavior Control Configuration

    Configuring Behavior Control Behavior Control Configuration. In the Behavior Control module, you can configure the following features: • Web Filtering • Web Security. Configuring Web Filtering: There are two methods to filter websites: Web Group Filtering and URL Filtering. 2.1.1 Configure Web Group Filtering: To configure Web Group Filtering, add one or more web groups first, and then add web group filtering entries using the created groups.
  • Page 120 Enter key, Space key, “,” or “;” to divide different websites. File Path: Import member list in your TXT file from your host. The format is “www.tp-link.com” or “*.tp-link.com”, in which “*” is a wildcard. Use Enter key, Space key, “,” or “;” to divide different websites. Description: Enter a brief description for the group.
  • Page 121 Configuring Behavior Control Behavior Control Configuration. Policy: Choose to allow or deny the websites that are in the selected web group(s). Web Group: Select one or more web groups. The web group referenced here can be created on the Behavior Control > Web Filtering > Web Group page.
  • Page 122: Configuring Url Filtering

    Configuring Behavior Control Behavior Control Configuration 2.1.2 Configuring URL Filtering Before configuring URL Filtering, go to the Preferences module to configure the IP Group and Effective Time according to your needs. Choose the menu Behavior Control > Web Filtering > URL Filtering and click Add to load the following page.
  • Page 123 Configuring Behavior Control Behavior Control Configuration Mode Select the filtering mode. Keywords: If a website address contains any of the keywords, the policy will be applied to this website. URL Path: If a website address is the same as any of the entire URLs, the policy will be applied to this website.
  • Page 124: Configuring Web Security

    Configuring Behavior Control Behavior Control Configuration 2.2 Configuring Web Security Before configuring Web Security, go to Preferences module to configure the IP Group and Effective Time according to your needs. Choose the menu Behavior Control > Web Security > Web Security and click Add to load the following page.
  • Page 125 Configuring Behavior Control Behavior Control Configuration File Suffix Enter file suffixes to specify the file types. Use Enter key, Space key, “,” or “;” to divide different file suffixes. The hosts of the selected IP group cannot download these types of files from the internet. Effective Select the effective time.
  • Page 126: Configuration Examples

    Configuring Behavior Control Configuration Examples. 3.1 Example for Access Control. 3.1.1 Network Requirements: In the diagram below, the R&D and some other departments are connected to a layer 2 switch and access the internet via the router. For data security purposes, it is required that the R&D department users can only visit the official website of the company, for example: http://www.tp-link.com.
  • Page 127: Configuration Procedure

    2) Create a web group with the group member www.tp-link.com. 3) Add a Whitelist rule to allow the R&D department users to access www.tp-link.com. 4) Add a Blacklist rule to forbid the R&D department users from accessing all websites. Note that the priority of this rule should be lower than the Whitelist rule.
  • Page 128 Add. Select “RD_Dept” as the IP Group, “Whitelist” as the Policy, “RD_Filtering” as the Web Group, and “Any” as the Effective Time. Click OK. This rule means that the hosts in the R&D department are allowed to access the website www.tp-link.com at any time.
  • Page 129 Configuring Behavior Control Configuration Examples Figure 3-5 Configure Whitelist Rule 5) On the same page, click Add. Select “RD_Dept” as the IP Group, “Blacklist” as the Policy, “All” as the Web Group, and “Any” as the Effective Time. Click OK. This rule means that the hosts in the R&D department are denied access to all websites at all times.
  • Page 130: Example For Web Security

    Configuring Behavior Control Configuration Examples Figure 3-7 Verify Configuration Result 7) In the General section on the same page, enable Web Filtering globally and click Save. Figure 3-8 Enable Web Filtering 3.2 Example for Web Security 3.2.1 Network Requirements In the diagram below, the company’s hosts are connected to a layer 2 switch and access the internet via the router.
  • Page 131: Configuration Scheme

    Configuring Behavior Control Configuration Examples 3.2.2 Configuration Scheme We can configure Web Security to meet these requirements. To block behaviors such as login and comment submitting, we can configure the router to block HTTP post; to block downloading of rar files, we can specify the suffix “rar” in the file suffix column. 3.2.3 Configuration Procedure Follow the steps below to complete the configuration: 1) Choose the menu Behavior Control >...
  • Page 132: Configuring Vpn

    Part 7 Configuring VPN CHAPTERS 1. VPN 2. IPSec VPN Configuration 3. L2TP Configuration 4. PPTP Configuration 5. Configuration Examples...
  • Page 133: Vpn

    Configuring VPN Overview VPN (Virtual Private Network) provides a means for secure communication between remote computers across a public wide area network (WAN), such as the internet. Virtual indicates the VPN connection is based on the logical end-to-end connection instead of the physical end-to-end connection.
  • Page 134 Configuring VPN IPSec IPSec (IP Security) can provide security services such as data confidentiality, data integrity and data authentication at the IP layer. IPSec uses IKE (Internet Key Exchange) to handle negotiation of protocols and algorithms based on the user-specified policy, and to generate the encryption and authentication keys to be used by IPSec.
  • Page 135: Ipsec Vpn Configuration

    Configuring VPN IPSec VPN Configuration. To complete the IPSec VPN configuration, follow these steps: 1) Configure the IPSec Policy. 2) Verify the connectivity of the IPSec VPN tunnel. Configuration Guidelines: • For both ends of the VPN tunnel, the Pre-shared key, Proposal, Exchange Mode, and Encapsulation Mode should be identical.
  • Page 136: Configuring The Advanced Parameters

    Configuring VPN IPSec VPN Configuration. When the LAN-to-LAN mode is selected, the following section will appear. Remote Gateway: Enter an IP address or a domain name (1 to 255 characters) as the remote gateway. 0.0.0.0 represents any IP address. Only when the negotiation mode is set to Responder Mode can you enter 0.0.0.0.
  • Page 137 Configuring VPN IPSec VPN Configuration SA. IKEv1 phase-2 is used to negotiate keys and security-related parameters, and then establish the IPSec SA. It is suggested to keep the default advanced settings. You can complete the configurations according to your actual needs. • Configuring the IKE Phase-1 Parameters: Choose the menu VPN >...
  • Page 138 Configuring VPN IPSec VPN Configuration. Local ID: When the Local ID Type is configured as NAME, enter a name for the local device as the ID in IKE negotiation. Remote ID Type: Specify the remote ID type for IKE negotiation. IP Address: Use an IP address as the ID in IKE negotiation.
  • Page 139: Verifying The Connectivity Of The Ipsec Vpn Tunnel

    Configuring VPN IPSec VPN Configuration. Select the DH group to enable PFS (Perfect Forward Security) for IKE mode, so that the key generated in phase 2 is independent of the key in phase 1, which enhances network security. If you select None, PFS is disabled and the key in phase 2 will be generated based on the key in phase 1.
  • Page 140: L2Tp Configuration

    Configuring VPN L2TP Configuration. To complete the L2TP configuration, follow these steps: 1) Configure the VPN IP pool. 2) Configure L2TP globally. 3) Configure the L2TP server/client. 4) (Optional) Configure the L2TP users. 5) Verify the connectivity of the L2TP VPN tunnel. Configuration Guidelines: • When the network mode is configured as Client-to-LAN and the router acts as the L2TP server, you don’t need to configure the L2TP client on the router.
  • Page 141: Configuring L2Tp Globally

    Configuring VPN L2TP Configuration. Note: • The starting IP address should not be greater than the ending IP address. • The ranges of IP Pools cannot overlap. Configuring L2TP Globally: Choose the menu VPN > L2TP > Global Config to load the following page. Figure 3-2 Configuring L2TP Globally. In the General section, configure L2TP parameters globally and click Save.
  • Page 142: Configuring The L2Tp Client

    Configuring VPN L2TP Configuration. Follow these steps to configure the L2TP server: 1) Specify the WAN port used for L2TP tunnel. 2) Specify whether to enable the encryption for the tunnel. IPSec Encryption: Specify whether to enable the encryption for the tunnel. If enabled, the L2TP tunnel will be encrypted by IPSec (L2TP over IPSec).
  • Page 143 Configuring VPN L2TP Configuration Account Name Specify the account name of L2TP tunnel. It should be configured identically on server and client. Password Specify the password of L2TP tunnel. It should be configured identically on server and client. Specify the WAN port used for L2TP tunnel. Server IP Specify the IP address or domain name of L2TP server.
  • Page 144: Optional) Configuring The L2Tp Users

    Configuring VPN L2TP Configuration. 3.5 (Optional) Configuring the L2TP Users: Choose the menu VPN > Users > Users and click Add to load the following page. Figure 3-5 Configuring the L2TP User. Follow these steps to configure the L2TP User: 1) Specify the account name and password of the L2TP User. Account Name: Specify the account name used for the VPN tunnel.
  • Page 145: Verifying The Connectivity Of L2Tp Vpn Tunnel

    Configuring VPN L2TP Configuration Network Mode Specify the network mode. There are two modes: Client-to-LAN: Select this option when the L2TP/PPTP client is a single host. LAN-to-LAN: Select this option when the L2TP/PPTP client is a VPN gateway. The tunneling request is always initiated by a device. Specify the maximum number of connections that the tunnel can support.
  • Page 146: Pptp Configuration

    Configuring VPN PPTP Configuration. To complete the PPTP configuration, follow these steps: 1) Configure the VPN IP pool. 2) Configure PPTP globally. 3) Configure the PPTP server/client. 4) (Optional) Configure the PPTP users. 5) Verify the connectivity of the PPTP VPN tunnel. Configuration Guidelines: • When the network mode is configured as Client-to-LAN and the router acts as the PPTP server, you don’t need to configure a PPTP client on the router.
  • Page 147: Configuring Pptp Globally

    Configuring VPN PPTP Configuration. Note: • The starting IP address should not be greater than the ending IP address. • The ranges of IP Pools cannot overlap. Configuring PPTP Globally: Choose the menu VPN > PPTP > Global Config to load the following page. Figure 4-2 Configuring PPTP Globally. In the General section, configure PPTP parameters globally and click Save.
  • Page 148: Configuring The Pptp Client

    Configuring VPN PPTP Configuration Follow these steps to configure the PPTP server: 1) Specify the WAN port used for PPTP tunnel. 2) Specify whether to enable the MPPE encryption for the PPTP tunnel. 3) Enable the PPTP tunnel. 4) Click OK. 4.4 Configuring the PPTP Client Choose the menu VPN>...
  • Page 149: Configuring The Pptp Users

    Configuring VPN PPTP Configuration. MPPE Encryption: Specify whether to enable the encryption for the tunnel. If enabled, the PPTP tunnel will be encrypted by MPPE. Remote Subnet: Specify the remote network. (It’s always the IP address range of LAN on the remote peer of the VPN tunnel.) It’s the combination of IP address and subnet mask.
  • Page 150: Verifying The Connectivity Of Pptp Vpn Tunnel

    Configuring VPN PPTP Configuration Account Name Specify the account name used for the VPN tunnel. This parameter should be the same as that of the PPTP client. Password Specify the password of users. This parameter should be the same as that of the PPTP client.
  • Page 151 Configuring VPN PPTP Configuration Tunnel Displays the name of the tunnel when the router is a PPTP client. Local IP Displays the local IP address of the tunnel. Remote IP Displays the remote real IP address of the tunnel. Remote Local Displays the remote local IP address of the tunnel.
  • Page 152: Configuration Examples

    Configuring VPN Configuration Examples. 5.1 Example for Configuring IPSec VPN. 5.1.1 Network Requirements: A business requires a highly secure connection between one of the branch offices and the head office. Thus we can build the site-to-site IPSec VPN tunnel between the branch office and the head office to establish the virtual private connection.
  • Page 153 Configuring VPN Configuration Examples. • Configuring the Router A: 1) Choose the menu VPN > IPSec > IPSec Policy to load the following page. Click Add. Figure 5-2 IPSec Policy List. 2) The following page will appear. Specify the IPSec Policy Name as tplink and configure the Mode as LAN-to-LAN as the network is connected to the other network, then configure other relevant parameters.
  • Page 154 Configuring VPN Configuration Examples. Figure 5-4 Configuring the IKE Phase-1 Parameters. In the Phase-2 Settings section, configure the IKE phase-2 parameters and click OK. Figure 5-5 Configuring the IKE Phase-2 Parameters. • Configuring the Router B: 1) Choose the menu VPN > IPSec > IPSec Policy to load the following page. Click Add. Figure 5-6 IPSec Policy List. 2) The following page will appear.
  • Page 155 Configuring VPN Configuration Examples Figure 5-7 Configuring the IPSec Policy 3) Choose the menu VPN > IPSec > IPSec Policy and click Advanced Settings to load the following page. Advanced settings include IKEv1 phase-1 settings and IKEv1 phase-2 settings. You can keep the default advanced settings. In the Phase-1 Settings section, configure the IKE phase-1 parameters and click OK.
  • Page 156: Example For Configuring L2Tp Vpn

    Configuring VPN Configuration Examples. Figure 5-9 Configuring the IKE Phase-2 Parameters. • Verifying the connectivity of the IPSec VPN tunnel: On Router A or Router B, choose the menu VPN > IPSec > IPSec SA to view the information of the established IPSec VPN tunnel. Here we take Router A as an example. Figure 5-10 Viewing the IPSec SA. 5.2 Example for Configuring L2TP VPN. 5.2.1 Network Requirements...
  • Page 157: Configuration Scheme

    Configuring VPN Configuration Examples 5.2.2 Configuration Scheme To meet the requirements, configure L2TP server on the router, and configure L2TP client on the remote PC. For the remote PC, use Windows built-in L2TP software or third-party L2TP software to connect to L2TP server. Then verify whether the L2TP VPN tunnel is established successfully.
  • Page 158 Figure 5-15 Configuring the VPN User. • Configuring the Remote PC: For remote PC, use Windows built-in L2TP software or third-party L2TP software to connect to L2TP server. For more information, you can refer to our official website: http://www.tp-link.com/us/faq-1629.html
  • Page 159: Example For Configuring Pptp Vpn

    Configuring VPN Configuration Examples. • Verifying the connectivity of the L2TP VPN tunnel: On the router, choose the menu VPN > L2TP > Tunnel List to verify the connectivity of the L2TP VPN tunnel. Figure 5-16 Viewing the L2TP VPN Tunnel. Example for Configuring PPTP VPN. 5.3.1 Network Requirements: The employees at headquarters need to access the network resources through the server at the US subsidiary via a secure connection.
  • Page 160 Configuring VPN Configuration Examples. • Configuring Router A: 1) Choose the menu Preferences > VPN IP Pool > VPN IP Pool to load the configuration page, and click Add. Specify the pool name as VPN_Pool, and enter the starting/ending IP address. Figure 5-18 Configuring the VPN IP Pool. 2) Choose the menu VPN>...
  • Page 161 Figure 5-22 Adding the Multi-Nets NAT Entry. • Configuring the Remote PC: For remote PC, use Windows built-in PPTP software or third-party PPTP software to connect to PPTP server. For more information, you can refer to our official website: http://www.tp-link.com/us/faq-1629.html
  • Page 162 Configuring VPN Configuration Examples. • Verifying the connectivity of the PPTP VPN tunnel: On the router, choose the menu VPN > PPTP > Tunnel List to verify the connectivity of the PPTP VPN tunnel. Figure 5-23 Viewing the PPTP VPN Tunnel.
  • Page 163: Configuring Authentication

    Part 8 Configuring Authentication CHAPTERS 1. Overview 2. Local Authentication Configuration 3. RADIUS Authentication Configuration 4. Onekey Online Configuration 5. Guest Resources Configuration 6. Viewing the Authentication Status 7. Configuration Example...
  • Page 164: Overview

    Configuring Authentication Overview Overview Portal authentication, also known as Web authentication, is usually deployed in a guest-access network (like a hotel or a coffee shop) to control the client’s internet access. In portal authentication, all the client’s HTTP requests will be redirected to an authentication page first.
  • Page 165: Portal Authentication Process

    Configuring Authentication Overview 1.2 Portal Authentication Process The portal authentication process is shown below: Figure 1-2 Portal Authentication Process (participants: Client, Router, Web Server, Authentication Server). Steps shown: Visit the Internet; Redirect the client to Web Server; Visit the Web Server; Returns the authentication login page; Enter the Username and Password in the login page; Forwards the username and password to the Authentication Server; Returns the authentication result...
  • Page 166: Supported Web Server

    Configuring Authentication Overview 1.3.1 Supported Web Server The router has a built-in web server and also supports an external web server. You can configure the authentication page either using the built-in server or the external server. Custom Page You can use the built-in web server and customize the authentication page on your router. External Links You can specify the external web server and configure the authentication page on the external web server.
  • Page 167: Local Authentication Configuration

    Configuring Authentication Local Authentication Configuration Local Authentication Configuration To configure local authentication, follow these steps: 1) Configure the authentication page. 2) Configure the local user account. Configuring the Authentication Page The browser will redirect to the authentication page when the client tries to access the internet.
  • Page 168 Configuring Authentication Local Authentication Configuration Figure 2-1 Configuring the Authentication Page Follow these steps to configure authentication page: 1) In the Settings section, enable authentication status, configure the idle timeout and portal authentication port. Status Check the box to enable portal authentication. Idle Timeout Specify the idle timeout.
  • Page 169 Configuring Authentication Local Authentication Configuration Authentication Page Choose the authentication page type. Custom: You can use the built-in web server to customize the authentication page by specifying the background picture, welcome information and copyright information. External Links: You can specify an external web server to provide the authentication page by entering the URL of the external web server.
  • Page 170: Configuring The Local User Account

    Configuring Authentication Local Authentication Configuration Remind Interval Specify the interval at which the router reminds users if the remind type is specified as “Remind Periodically”. Remind Content Specify the remind content. The content will be displayed on the Remind page. Page Preview Click the button to view the remind page.
  • Page 171 Configuring Authentication Local Authentication Configuration Figure 2-2 Configuring the Formal User Account Specify the user type, configure the username and password for the formal user account, and configure the other corresponding parameters. Then click OK. User Type Specify the user type as Formal User. Username / Specify the username and password of the account.
  • Page 172 Configuring Authentication Local Authentication Configuration Maximum Users Specify the maximum number of users that are allowed to use this account to authenticate. Note: If the MAC Binding Type is either Static Binding or Dynamic Binding, only one client can use this username and password to authenticate, i.e., the bound client, even if the value of Maximum Users is configured to be greater than one.
  • Page 173: Optional) Configuring The Backup Of Local Users

    Configuring Authentication Local Authentication Configuration Username / Password Specify the username and password of the user account. The username cannot be the same as any existing one. Authentication Timeout Specify the free duration of the account. The default value is 30 minutes. Maximum Users Specify the maximum number of users that are allowed to use this username and...
  • Page 174: Radius Authentication Configuration

    Configuring Authentication RADIUS Authentication Configuration RADIUS Authentication Configuration To configure RADIUS Authentication, follow these steps: 1) Configure the authentication page. 2) Specify the external RADIUS server and configure the corresponding parameters. 3.1 Configuring RADIUS Authentication Choose the menu Authentication > Authentication Settings > Web Authentication to load the following page.
  • Page 175 Configuring Authentication RADIUS Authentication Configuration Status Check the box to enable portal authentication. Idle Timeout Specify the idle timeout. The client will be disconnected after the specified period (Idle Timeout) of inactivity, and is required to be authenticated again. A value of 0 means the client stays online until the authentication timeout expires, even if the client remains inactive.
  • Page 176 Configuring Authentication RADIUS Authentication Configuration Authentication Type Choose the authentication type as RADIUS Authentication. Primary RADIUS Server Enter the IP address of the primary RADIUS server. Secondary RADIUS Server Optional. Enter the IP address of the secondary RADIUS server. If the primary server is down, the secondary server will be effective.
  • Page 177: Onekey Online Configuration

    Configuring Authentication Onekey Online Configuration Onekey Online Configuration In Onekey Online authentication, users only need to click the “Onekey online” button on the authentication page and can then access the internet. The username and password are not required. Configuring the Authentication Page Choose the menu Authentication >...
  • Page 178 Configuring Authentication Onekey Online Configuration 2) In the Authentication Parameters section, configure the parameters of the authentication page and choose the authentication type, then click Save. Authentication Page Choose the type of authentication page as Custom Page. Note: External Links is not available for Onekey Online. Background Picture Click the Upload button to choose a local image as the background picture of...
  • Page 179: Guest Resources Configuration

    Configuring Authentication Guest Resources Configuration Guest Resources Configuration Guest resources are limited network resources provided for users before they pass the portal authentication. You can configure the guest resources in two ways: Five Tuple Type Specify the client and the network resources the client can visit based on the settings of IP address, MAC address, VLAN ID, service port and protocol.
  • Page 180 Configuring Authentication Guest Resources Configuration Figure 5-1 Configuring the Five Tuple Type Specify the client and the network resources the client can visit by configuring the IP address, MAC address and service port, then click OK. Name Enter the name of the guest resource entry. Type Choose the guest resource type as Five Tuple Type.
  • Page 181: Configuring The Url Type

    Configuring Authentication Guest Resources Configuration Note: In a Guest Resource entry, if some parameter is left empty, it means the router will not restrict that parameter. For example, if the source IP range is left empty, it means all the clients can visit the specified guest resources.
  • Page 182 Configuring Authentication Guest Resources Configuration Description Enter a brief description for the Guest Resources entry to make it easier to search and manage. Status Check the box to enable the guest resource entry. Note: In a Guest Resource entry, if some parameter is left empty, it means the router will not restrict that parameter.
  • Page 183: Viewing The Authentication Status

    Configuring Authentication Viewing the Authentication Status Viewing the Authentication Status Choose the menu Authentication > Authentication Status > Authentication Status to load the following page. Figure 6-1 Viewing the Authentication Status Here you can view the clients that pass the portal authentication. Type Displays the authentication type of the client.
  • Page 184: Configuration Example

    Configuring Authentication Configuration Example Configuration Example Here we take the application of Local Authentication as an example. 7.1 Network Requirements A hotel needs to offer internet service to the guests and push hotel advertisement. For network security, only the authorized guests can access the internet. Figure 7-1 Network Topology Router Core Switch...
  • Page 185: Configuration Procedures

    Configuring Authentication Configuration Example To push hotel advertisement, you can simply customize the authentication page by setting the background picture and the welcome information. Configuration Procedures 1) Enable Portal Authentication, choose the authentication type as Local Authentication, and customize the authentication page. 2) Create the authentication accounts for the guests.
  • Page 186: Configuring Authentication Accounts For The Guests

    Configuring Authentication Configuration Example Figure 7-4 Configure the authentication type and expiration reminder 7.3.2 Configuring Authentication Accounts for the Guests Choose the menu Authentication > User Management > User Management to load the following page. Here we take the configuration of Formal User account as an example. We create an account for the guests of room 101.
  • Page 187: Managing Services

    Part 9 Managing Services CHAPTERS 1. Services 2. Dynamic DNS Configurations 3. UPnP Configuration 4. Configuration Example for Dynamic DNS...
  • Page 188: Services

    Managing Services Services Services Overview The Services module incorporates two functions, Dynamic DNS (DDNS) and UPnP (Universal Plug and Play) to provide convenient network services. Support Features Dynamic DNS Nowadays, network protocols such as PPPoE and DHCP are widely employed by ISPs to assign public IP addresses to users.
  • Page 189: Dynamic Dns Configurations

    Managing Services Dynamic DNS Configurations Dynamic DNS Configurations With Dynamic DNS configurations, you can: Configure and view Peanuthull DDNS; Configure and view Comexe DDNS; Configure and view DynDNS; Configure and view NO-IP DDNS. 2.1 Configure and View Peanuthull DDNS Choose the menu Service >...
  • Page 190: Configure And View Comexe Ddns

    Managing Services Dynamic DNS Configurations 3) View the DDNS status. Figure 2-2 View the Status of Peanuthull DDNS Status Displays whether the corresponding DDNS service is enabled. Service Status Displays the current status of DDNS service. Offline: DDNS service is offline. Connecting: DDNS client is connecting to the server.
  • Page 191: Configure And View Dyndns

    Managing Services Dynamic DNS Configurations 2) Configure the following parameters and click OK. Interface Select the interface for the DDNS service. Account Name Enter the account name of your DDNS account. You can click Go to register to visit the official website of Comexe to register an account. Password Enter the password of your DDNS account.
  • Page 192 Managing Services Dynamic DNS Configurations Figure 2-5 Configure DynDNS Follow these steps to configure DynDNS. 1) Click Go to register to visit the official website of DynDNS and register an account and a domain name. 2) Configure the following parameters and click OK. Interface Select the interface for the DDNS service.
  • Page 193: Configure And View No-Ip Ddns

    Managing Services Dynamic DNS Configurations Service Status Displays the current status of DDNS service. Offline: DDNS service is offline. Connecting: DDNS client is connecting to the server. Online: DDNS is working normally. Incorrect account name or password: The account name or password is incorrect.
  • Page 194 Managing Services Dynamic DNS Configurations Update Interval Specify the Update Interval that the device dynamically updates IP addresses for registered domain names. Status Check the box to enable the DDNS service. 3) View the DDNS status. Figure 2-8 View the Status of NO-IP DDNS Status Displays whether the corresponding DDNS service is enabled.
  • Page 195: Upnp Configuration

    Managing Services UPnP Configuration UPnP Configuration Choose the menu Service > UPnP to load the following page. Figure 3-1 Configure UPnP Function Follow these steps to configure UPnP function: 1) In the General section, enable the UPnP function and select the interface. Then click Save.
  • Page 196: Configuration Example For Dynamic Dns

    Managing Services Configuration Example for Dynamic DNS Configuration Example for Dynamic DNS Network Requirement Host A gets internet services from an ISP (Internet Service Provider) via a PPPoE dial-up connection. The user wants to visit the router’s web management interface using another host on the internet.
  • Page 197 Managing Services Configuration Example for Dynamic DNS Figure 4-2 Registering a Domain Name 2) Set the Interface as WAN1, set the Update Interval as 6 hours, and enter the Account Name and Password registered previously. Click OK. Figure 4-3 Specifying Peanuthull DDNS Parameters
  • Page 198: System Tools

    Part 10 System Tools CHAPTERS 1. System Tools 2. Admin Setup 3. Management 4. SNMP 5. Diagnostics 6. Time Settings 7. System Log...
  • Page 199: System Tools

    System Tools System Tools System Tools Overview The System Tools module provides several system management tools for users to manage the router. Support Features Admin Setup Admin Setup is used to configure the parameters for users’ login. With this function, you can modify the login account, specify the IP subnet and mask for remote access and specify the HTTP and HTTPS server port.
  • Page 200: Admin Setup

    System Tools Admin Setup Admin Setup In the Admin Setup module, you can configure the following features: Admin Setup; Remote Management; System Settings. 2.1 Admin Setup Choose the menu System Tools > Admin Setup > Admin Setup to load the following page. Figure 2-1 Modifying the Admin Account In the Account section, configure the following parameters and click Save to modify the admin account...
  • Page 201: Remote Management

    System Tools Admin Setup Remote Management Choose the menu System Tools > Admin Setup > Remote Management and click Add to load the following page. Figure 2-2 Configuring Remote Management In the Remote Management section, configure the following parameters and click OK to specify the IP subnet and mask for remote management.
  • Page 202 System Tools Admin Setup HTTP Server Port Enter the HTTP server port for web management. The port number should be different from other servers’. The default setting is 80. After changing the HTTP server port, you should access the interface by using the IP address and the port number in the format of 192.168.0.1:1600.
  • Page 203: Management

    System Tools Management Management In the Management module, you can configure the following features: Factory Default Restore; Backup & Restore; Reboot; Firmware Upgrade. Factory Default Restore Choose the menu System Tools > Management > Factory Default Restore to load the following page.
  • Page 204: Reboot

    System Tools Management 1) In the Backup section, click Backup to save your current configuration as a configuration file and export the file to the host. 2) In the Restore section, select one configuration file saved in the host and click Restore to import the saved configuration to your router.
  • Page 205: Snmp

    System Tools SNMP SNMP Choose the menu System Tools > SNMP > SNMP to load the following page. Figure 4-1 Configuring SNMP Follow these steps to configure the SNMP function: 1) Check the box to enable the SNMP function. 2) Configure the following parameters and click Save. Contact Enter the textual identification of the contact person for this device, for example, contact or e-mail address.
  • Page 206: Diagnostics

    System Tools Diagnostics Diagnostics In the Diagnostics module, you can configure the following features: Diagnostics; Remote Assistance. Diagnostics Ping and traceroute are both used to test the connectivity between two devices in the network. In addition, ping can show the roundtrip time between the two devices directly and traceroute can show the IP address of routers along the route path.
  • Page 207: Configuring Traceroute

    System Tools Diagnostics Destination IP/Domain Name Enter the IP address or the domain name that you want to ping or tracert. Interface Select the interface that sends the detection packets. 2) (Optional) Click Advanced and the following section will appear. Figure 5-2 Advanced Parameters for Ping Method Ping Count Specify the count of the test packets to be sent during the ping process.
  • Page 208: Remote Assistance

    System Tools Diagnostics 1) In the Diagnostics section, select Traceroute and configure the following parameters. Diagnostic Tool Select Traceroute to test the connectivity between the router and the desired device. Destination IP/Domain Name Enter the IP address or the domain name that you want to ping or tracert. Interface Select the interface that sends the detection packets.
  • Page 209: Time Settings

    System Tools Time Settings Time Settings In the Time Settings module, you can configure the following features: System Time; Daylight Saving Time. Setting the System Time Choose one method to set the system time. 6.1.1 Getting time from the Internet Automatically Choose the menu System Tools >...
  • Page 210: Setting The System Time Manually

    System Tools Time Settings 6.1.2 Setting the System Time Manually Choose the menu System Tools > Time Settings > Time Settings to load the following page. Figure 6-2 Setting the System Time Manually In the Time Settings section, configure the following parameters and click Save. Current Time Displays the current system time.
  • Page 211: Recurring Mode

    System Tools Time Settings Figure 6-3 Predefined Mode Page In the Daylight Saving Time section, select one predefined DST schedule and click Save. DST Status Check the box to enable the DST function. Mode Select Predefined Mode to choose a predefined daylight saving time. Select the Daylight Saving Time of the USA.
  • Page 212: Date Mode

    System Tools Time Settings DST Status Check the box to enable the DST function. Mode Select Recurring Mode to specify a cycle time range for the daylight saving time. This configuration will take effect every year. Time Offset Specify the time added in minutes when Daylight Saving Time takes effect. Starting Time Specify the starting time of Daylight Saving Time.
  • Page 213: System Log

    System Tools System Log System Log Choose the menu System Tools > System Log > System Log to load the following page. Figure 7-1 System Log Page Follow these steps to view the system log: 1) In the Log Settings section, configure the following parameters and click Save. Enable Auto-refresh Check the box to enable this function and the page will refresh automatically...
  • Page 214 System Tools System Log Severity Enable Severity and specify the importance of the logs you want to view in the log list. ALL Level: Logs of all levels. EMERGENCY: Errors that render the router unusable, such as hardware errors. ALERT: Errors that must be resolved immediately, such as flash write errors. CRITICAL: Errors that put the system at risk, such as a failure to release memory.
  • Page 215 Specifications are subject to change without notice. is a registered trademark of TP-Link Technologies Co., Ltd. Other brands and product names are trademarks or registered trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-Link Technologies Co., Ltd.
  • Page 216 Canadian Compliance Statement This device complies with Industry Canada license-exempt RSSs. Operation is subject to the following two conditions: 1) This device may not cause interference, and 2) This device must accept any interference, including interference that may cause undesired operation of the device. Le présent appareil est conforme aux CNR d’Industrie Canada applicables aux appareils radio exempts de licence.
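  • Page 217 This is a Class A information technology product. When used in a residential environment, it may cause radio-frequency interference, in which case the user may be required to take appropriate countermeasures. Declaration of the Presence of Restricted Substances. Restricted substances and their chemical symbols. Product component name: Lead, Cadmium, Mercury, Hexavalent chromium (CrVI), Polybrominated biphenyls, Polybrominated diphenyl ethers (PBDE) ○ ○ ○ ○ ○ ○ Enclosure ○ ○ ○ ○ ○ ○ Power supply board ○ ○ ○ ○ ○ Note 1: "Exceeding 0.1 wt %"...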
  • Page 218 Explanation of the symbols on the product label Symbol Explanation AC voltage Indoor use only. RECYCLING This product bears the selective sorting symbol for Waste electrical and electronic equipment (WEEE). This means that this product must be handled pursuant to European directive 2012/19/EU in order to be recycled or dismantled to minimize its impact on the environment.
