TRENDnet TW100-BRV204 - VPN Firewall Router User Manual

VPN Firewall Router, Cable/DSL Internet Access, 4-Port Switching Hub

Summary of Contents for TRENDnet TW100-BRV204 - VPN Firewall Router

  • Page 1 TW100-BRV204 VPN Firewall Router Cable/DSL Internet Access 4-Port Switching Hub User's Guide...
  • Page 2: Table Of Contents

    Table of Contents: Chapter 1 Introduction (1): TW100-BRV204 Features (1); Package Contents (3); Physical Details (4). Chapter 2 Installation (6): Requirements (6); Procedure (6). Chapter 3 Setup (8): Overview (8); Configuration Program (9); Setup Wizard (11); WAN Port Configuration Screen ...
  • Page 3 Examples (81); Using Certificates (99). Chapter 9 Other Features and Settings (104): Overview (104); Config File (105); PC Database (106); Remote Administration (110); Routing (111); Upgrade Firmware (115); UPnP (116). Appendix A Troubleshooting (117): Overview ...
  • Page 4: Chapter 1 Introduction

    Chapter 1 Introduction This Chapter provides an overview of the TW100-BRV204's features and capabilities. Congratulations on the purchase of your new TW100-BRV204. The TW100-BRV204 is a multi-function device providing the following services: • Shared Broadband Internet Access for all LAN users. •...
  • Page 5: Advanced Internet Functions

    TW100-BRV204 User Guide Advanced Internet Functions • Communication Applications. Support for Internet communication applications, such as interactive Games, Telephony, and Conferencing applications, which are often difficult to use when behind a Firewall, is included. • Special Internet Applications. Applications which use non-standard connections or port numbers are normally blocked by the Firewall.
  • Page 6: Package Contents

    Introduction • Protection against DoS attacks. DoS (Denial of Service) attacks can flood your Internet connection with invalid packets and connection requests, using so much bandwidth and so many resources that Internet access becomes unavailable. The TW100-BRV204 incorporates protection against DoS attacks. •...
  • Page 7: Physical Details

    TW100-BRV204 User Guide Physical Details Front-mounted LEDs Figure 2: Front Panel Power On - Power on. (Green) Off - No power. Status On - Error condition. (Red) Off - Normal operation. Blinking - This LED blinks during start up. For each port, there are 2 LEDs •...
  • Page 8: Rear Panel

    Introduction Rear Panel Figure 3: Rear Panel Reset Button This button has two (2) functions: • Reboot. When pressed and released, the TW100-BRV204 will reboot (restart). • Clear All Data. This button can also be used to clear ALL data and restore ALL settings to the factory default values.
  • Page 9: Chapter 2 Installation

    Chapter 2 Installation This Chapter covers the physical installation of the TW100-BRV204. Requirements • Network cables. Use standard 10/100BaseT network (UTP) cables with RJ45 connectors. • TCP/IP protocol must be installed on all PCs. • For Internet Access, an Internet Access account with an ISP, and either of a DSL or Cable modem (for WAN port usage) Procedure Figure 4: Installation Diagram...
  • Page 10: Check The Leds

    Installation 3. Connect WAN Cable Connect the DSL or Cable modem to the WAN port on the TW100-BRV204. Use the ca- ble supplied with your DSL/Cable modem. If no cable was supplied, use a standard cable. 4. Power Up • Power on the Cable or DSL modem.
  • Page 11: Chapter 3 Setup

    Chapter 3 Setup This Chapter provides Setup details of the TW100-BRV204. Overview This chapter describes the setup procedure for: • Internet Access • LAN configuration PCs on your local LAN may also require configuration. For details, see Chapter 4 - PC Configuration.
  • Page 12: Configuration Program

    Setup Configure or use any of the following: Chapter 9: Other Features and Settings • Config File backup/restore • PC Database • Remote Admin • Routing (RIP and static Routing) • Upgrade Firmware • UPnP Where use of a certain feature requires that PCs or other LAN devices be configured, this is also explained in the relevant chapter.
  • Page 13: Using Your Web Browser

    TW100-BRV204 User Guide Using your Web Browser To establish a connection from your PC to the TW100-BRV204: 1. After installing the TW100-BRV204 in your LAN, start your PC. If your PC is already running, restart it. 2. Start your WEB browser. 3.
  • Page 14: Setup Wizard

    Setup Setup Wizard The first time you connect to the TW100-BRV204, the Setup Wizard will run automatically. (The Setup Wizard will also run if the TW100-BRV204's default setting are restored.) 1. Step through the Wizard until finished. • You need to know the type of Internet connection service used by your ISP. Check the data supplied by your ISP.
  • Page 15: Singtel Ras

    TW100-BRV204 User Guide • PPTP: Mainly used in Europe. You connect to the ISP only when required. The IP address is usually allocated automatically, but may be Static (Fixed). Data required: PPTP Server IP Address; User name and password; IP Address allocated to you, if Static (Fixed).
  • Page 16: Home Screen

    Setup Home Screen After finishing or exiting the Setup Wizard, you will see the Home screen. When you connect in future, you will see this screen when you connect. An example screen is shown below. Figure 6: Home Screen Navigation & Data Input •...
  • Page 17: Wan Port Configuration Screen

    TW100-BRV204 User Guide WAN Port Configuration Screen The WAN Port Configuration screen provides an alternative to using the Wizard. It can be accessed from the Internet menu. An example screen is shown below. Figure 7: WAN Port Screen Data - WAN Port Screen Identification Hostname Normally, there is no need to change the default name, but if your...
  • Page 18 Setup Specified Also called Static IP Address. Select this if your ISP has allocated IP Address you a fixed IP Address. If this option is selected, the following data must be entered. • IP Address. The IP Address allocated by the ISP. •...
  • Page 19: Mac Address

    TW100-BRV204 User Guide MAC Address MAC Address Also called Network Adapter Address or Physical Address. This is a low-level identifier, as seen from the WAN port. Normally there is no need to change this, but some ISPs require a particular value, often that of the PC initially used for Internet access. You can use the Copy from PC button to copy your PC's address into this field, the Default button to insert the default value, or enter a value directly.
  • Page 20: Lan Screen

    Setup LAN Screen Use the LAN link on the main menu to reach the LAN screen. An example screen is shown below. Figure 8: LAN Screen Data - LAN Screen TCP/IP IP Address IP address for the TW100-BRV204, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address range.
  • Page 21: What Dhcp Does

    TW100-BRV204 User Guide DHCP What DHCP Does A DHCP (Dynamic Host Configuration Protocol) Server allocates a valid IP address to a DHCP Client (PC or device) upon request. • The client request is made when the client device starts up (boots). •...
  • Page 22: Chapter 4 Pc Configuration

    Chapter 4 PC Configuration This Chapter details the PC Configuration required on the local ("Internal") LAN. Overview For each PC, the following may need to be configured: • TCP/IP network settings • Internet Access configuration Windows Clients This section describes how to configure Windows clients for Internet access via the TW100-BRV204.
  • Page 23: Using Dhcp

    TW100-BRV204 User Guide Checking TCP/IP Settings - Windows 9x/ME: 3. Select Control Panel - Network. You should see a screen like the following: Figure 9: Network Configuration 4. Select the TCP/IP protocol for your network card. 5. Click on the Properties button. You should then see a screen like the following. Figure 10: IP Address (Win 95) Ensure your TCP/IP settings are correct, as follows: Using DHCP...
  • Page 24 PC Configuration • On the Gateway tab, enter the TW100-BRV204 's IP address in the New Gateway field and click Add, as shown below. Your LAN administrator can advise you of the IP Address they assigned to the TW100-BRV204. Figure 11: Gateway Tab (Win 95/98) •...
  • Page 25: Checking Tcp/Ip Settings - Windows Nt

    TW100-BRV204 User Guide Checking TCP/IP Settings - Windows NT4.0 1. Select Control Panel - Network, and, on the Protocols tab, select the TCP/IP protocol, as shown below. Figure 13: Windows NT4.0 - TCP/IP 2. Click the Properties button to see a screen like the one below.
  • Page 26 PC Configuration Figure 14: Windows NT4.0 - IP Address 3. Select the network card for your LAN. 4. Select the appropriate radio button - Obtain an IP address from a DHCP Server or Specify an IP Address, as explained below. Obtain an IP address from a DHCP Server This is the default Windows setting.
  • Page 27 TW100-BRV204 User Guide Figure 15 - Windows NT4.0 - Add Gateway 2. The DNS should be set to the address provided by your ISP, as follows: • Click the DNS tab. • On the DNS screen, shown below, click the Add button (under DNS Service Search Order), and enter the DNS provided by your ISP.
  • Page 28 PC Configuration Figure 16: Windows NT4.0 - DNS...
  • Page 29: Checking Tcp/Ip Settings - Windows

    TW100-BRV204 User Guide Checking TCP/IP Settings - Windows 2000: 1. Select Control Panel - Network and Dial-up Connection. 2. Right-click the Local Area Connection icon and select Properties. You should see a screen like the following: Figure 17: Network Configuration (Win 2000) 3.
  • Page 30 PC Configuration Figure 18: TCP/IP Properties (Win 2000) 5. Ensure your TCP/IP settings are correct, as described below. Using DHCP To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, the TW100-BRV204 will act as a DHCP Server.
  • Page 31: Checking Tcp/Ip Settings - Windows Xp

    TW100-BRV204 User Guide Checking TCP/IP Settings - Windows XP 1. Select Control Panel - Network Connection. 2. Right click the Local Area Connection and choose Properties. You should see a screen like the following: Figure 19: Network Configuration (Windows XP) 3.
  • Page 32 PC Configuration Figure 20: TCP/IP Properties (Windows XP) 5. Ensure your TCP/IP settings are correct. Using DHCP To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, the TW100-BRV204 will act as a DHCP Server.
  • Page 33: For Windows Xp

    TW100-BRV204 User Guide Internet Access To configure your PCs to use the TW100-BRV204 for Internet access: • Ensure that the DSL modem, Cable modem, or other permanent connection is functional. • Use the following procedure to configure your Browser to access the Internet via the LAN, rather than by a Dial-up connection.
  • Page 34: Macintosh Clients

    PC Configuration Macintosh Clients From your Macintosh, you can access the Internet via the TW100-BRV204. The procedure is as follows. 1. Open the TCP/IP Control Panel. 2. Select Ethernet from the Connect via pop-up menu. 3. Select Using DHCP Server from the Configure pop-up menu. The DHCP Client ID field can be left blank.
  • Page 35: Chapter 5 Operation And Status

    Chapter 5 Operation and Status This Chapter details the operation of the TW100-BRV204 and the status screens. Operation Once both the TW100-BRV204 and the PCs are configured, operation is automatic. However, there are some situations where additional Internet configuration may be required: •...
  • Page 36 Operation and Status Data - Status Screen: Internet - Connection Method: This indicates the current connection method, as set in the Setup Wizard. Broadband Modem: This shows the connection status of the modem. Internet Connection: Current connection status: • Active • Idle •...
  • Page 37: Connection Status - Pppoe

    TW100-BRV204 User Guide Connection Status - PPPoE If using PPPoE (PPP over Ethernet), a screen like the following example will be displayed when the "Connection Details" button is clicked. Figure 22: PPPoE Status Screen Data - PPPoE Screen Connection Physical Address The hardware address of this device, as seen by remote devices on the Internet.
  • Page 38: Connection Log Messages

    Operation and Status Buttons: Connect - If not connected, establish a connection to your ISP. Disconnect - If connected to your ISP, hang up the connection. Clear Log - Delete all data currently in the Log. This will make it easier to read new messages. Refresh - Update the data on screen.
  • Page 39: Connection Status - Pptp

    TW100-BRV204 User Guide Connection Status - PPTP If using PPTP (Point-to-Point Tunneling Protocol), a screen like the following example will be displayed when the "Connection Details" button is clicked. Figure 23: PPTP Status Screen Data - PPTP Screen Connection: Physical Address - The hardware address of this device, as seen by remote devices on the Internet.
  • Page 40: Connection Status - Telstra Big Pond

    Operation and Status Disconnect - If connected to your ISP, hang up the connection. Clear Log - Delete all data currently in the Log. This will make it easier to read new messages. Refresh - Update the data on screen. Connection Status - Telstra Big Pond An example screen is shown below.
  • Page 41: Connection Details - Singtel Ras

    TW100-BRV204 User Guide Connection Log: • The Connection Log shows status messages relating to the existing connection. • The Clear Log button will restart the Log, while the Refresh button will update the messages shown on screen. Buttons: Connect - If not connected, establish a connection to Telstra Big Pond.
  • Page 42 Operation and Status Network Mask - The Network Mask associated with the IP Address above. Default Gateway - The IP Address of the remote Gateway or Router associated with the IP Address above. DNS IP Address - The IP Address of the Domain Name Server which is currently used. DHCP Client - This will show "Enabled"...
  • Page 43: Connection Details - Fixed/Dynamic Ip Address

    TW100-BRV204 User Guide Connection Details - Fixed/Dynamic IP Address If your access method is "Direct" (no login), a screen like the following example will be displayed when the "Connection Details" button is clicked. Figure 26: Connection Details - Fixed/Dynamic IP Address Data - Fixed/Dynamic IP address Screen Internet The hardware address of this device, as seen by remote devices on...
  • Page 44 Operation and Status • "Renew" - If the ISP's DHCP Server has NOT allocated an IP Address for the TW100-BRV204, this button will say "Renew". Clicking the "Renew" button will attempt to re-establish the connection and obtain an IP Address from the ISP's DHCP Server. •...
  • Page 45: Chapter 6 Internet Features

    Chapter 6 Internet Features This Chapter explains when and how to use the TW100-BRV204's "Internet" Features. Overview The following advanced features are covered in this Chapter: • Advanced Internet • Communication Applications • Special Applications • URL filter • Dynamic DNS •...
  • Page 46: Communication Applications

    Internet Features Communication Applications Most applications are supported transparently by the TW100-BRV204. But sometimes it is not clear which PC should receive an incoming connection. This problem could arise with the Communication Applications listed on this screen. If this problem arises, you can use this screen to set which PC should receive an incoming connection, as described below.
  • Page 47: Using A Special Application

    TW100-BRV204 User Guide Figure 28: Special Applications Screen Data - Special Applications Screen Checkbox - Use this to Enable or Disable this Special Application as required. Name - Enter a descriptive name to identify this Special Application. Incoming - • Type - Select the protocol (TCP or UDP) used when you receive data from the special application or service.
  • Page 48: Url Filter

    Internet Features If an application still cannot function correctly, try using the "DMZ" feature. This feature, if enabled, allows one (1) computer on your LAN to be exposed to all users on the Internet, allowing unrestricted 2-way communication between the "DMZ PC" and other Internet users or Servers.
  • Page 49 TW100-BRV204 User Guide URL Filter Screen Click the "Configure URL Filter" button on the Advanced Internet screen to access the URL Filter screen. An example screen is shown below. Figure 29: URL Filter Screen Data - URL Filter Screen Filter Strings This lists any existing entries.
  • Page 50: Dynamic DNS (Domain Name System)

    Internet Features Dynamic DNS (Domain Name System) This free service is very useful when combined with the Virtual Server feature. It allows Internet users to connect to your Virtual Servers using a URL, rather than an IP Address. This also solves the problem of having a dynamic IP address. With a dynamic IP address, your IP address may change whenever you connect, which makes it difficult to connect to you.
  • Page 51 TW100-BRV204 User Guide DDNS Data User Name - Enter the "User name" specified at the www.dyndns.org Web site when you registered. Password - Enter your current password for www.dyndns.org. Domain Name - • Enter your domain name, as allocated at www.dyndns.org. • The name should consist only of letters and the hyphen (dash). Using any other characters may cause problems.
  • Page 52: Virtual Servers

    Internet Features Virtual Servers This feature allows you to make Servers on your LAN accessible to Internet users. Normally, Internet users would not be able to access a server on your LAN because: • Your Server does not have a valid external IP Address. •...
  • Page 53: Virtual Servers Screen

    TW100-BRV204 User Guide Virtual Servers Screen The Virtual Servers screen is reached by the Virtual Servers link on the Internet menu. An example screen is shown below. Figure 32: Virtual Servers Screen This screen lists a number of pre-defined Servers, providing a quick and convenient method to set up the common server types.
  • Page 54: Options

    Internet Features It is more convenient if you are using a Fixed IP Address from your ISP, rather than Dynamic. However, you can use the Dynamic DNS feature, described in the preceding section, to allow users to connect to your Virtual Servers using a URL, rather than an IP Address. Options This screen allows advanced users to enter or change a number of settings.
  • Page 55: Chapter 7 Security Configuration

    Chapter 7 Security Configuration This Chapter explains the settings available via the security configuration section of the "Security" menu. Overview The following advanced configurations are provided. • Admin Login • Access Control • Firewall Rules • Logs • Security Options •...
  • Page 56 Security Configuration Figure 35: Password Dialog Enter the "User Name" and "Password" you set on the Admin Login screen above.
  • Page 57: Access Control

    TW100-BRV204 User Guide Access Control This feature is accessed by the Access Control link on the Security menu. The Access Control feature allows administrators to restrict the level of Internet Access avail- able to PCs on your LAN. With the default settings, everyone has unrestricted Internet access. To use this feature: 1.
  • Page 58 Security Configuration "Members" Button Click this button to add or remove members from the current Group. • If the current group is "Default", then members can not be added or deleted. This group contains PCs not allocated to any other group. •...
  • Page 59: Group Members Screen

    TW100-BRV204 User Guide Group Members Screen This screen is displayed when the Members button on the Access Control screen is clicked. Figure 37: Group Members Use this screen to add or remove members (PCs) from the current group. • The "Del >>" button will remove the selected PC (in the Members list) from the current group.
  • Page 60: Firewall Rules

    Security Configuration Firewall Rules For normal operation and LAN protection, it is not necessary to use this screen. The Firewall will always block DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you can not use it - the service is unavailable.
  • Page 61 TW100-BRV204 User Guide For each rule, the following data is shown: Data • Name - The name you assigned to the rule. • Source - The traffic covered by this rule, defined by the source IP address. If the IP address is followed by ... this indicates there is a range of IP addresses, rather than a single address.
  • Page 62 Security Configuration Define Firewall Rule Clicking the "Add" button in the Firewall Rules screen will display a screen like the example below. Figure 39: Define Firewall Rule Data - Define Firewall Rule Screen Name - Enter a suitable name for this rule. Type - This determines the source and destination ports for traffic...
  • Page 63 TW100-BRV204 User Guide Dest IP - These settings determine which traffic, based on its destination IP address, is covered by this rule. Select the desired option: • Any - All traffic from the selected source is covered by this rule, whatever its destination IP address. • Single address - Enter the required IP address in the "Start IP address"...
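    The Firewall Rules screens above describe an ordered rule list whose entries match on a Service (protocol and ports), a Source IP selection and a Dest IP selection, each of which can be Any, a single address or a range, with logging switchable per rule. The following Python is an added example written for this page, not the router's firmware: it models that matching logic so the effect of rule order and of a range boundary can be checked against constructed packets. The class and function names, the "allow"/"block" action names (taken from the Services page wording "blocked or allowed") and the default action for unmatched traffic are assumptions of the example.

```python
"""Ordered firewall-rule matcher modelled on the Define Firewall Rule screen.

Added example (not the router's firmware). Assumed names: IPSel, Service, Rule,
Packet, evaluate(); the rule actions "allow"/"block" are assumed from the
Services page, which says services define traffic "to be blocked or allowed".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IPSel:
    """Source/Dest IP selection: 'any', 'single' (start only) or 'range' (start..finish)."""
    kind: str
    start: Optional[str] = None
    finish: Optional[str] = None

    def matches(self, addr: str) -> bool:
        if self.kind == "any":
            return True
        a = int(ipaddress.IPv4Address(addr))
        lo = int(ipaddress.IPv4Address(self.start))
        hi = lo if self.kind == "single" else int(ipaddress.IPv4Address(self.finish))
        return lo <= a <= hi


@dataclass(frozen=True)
class Service:
    """A Services-screen entry: protocol and the destination port range it covers."""
    name: str
    proto: str      # "tcp" or "udp"
    port_lo: int
    port_hi: int


@dataclass(frozen=True)
class Rule:
    name: str
    service: Service
    src: IPSel
    dst: IPSel
    action: str         # "allow" or "block" (assumed action names)
    log: bool = False   # per-rule logging switch, as on the Logs screen


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "allow") -> Tuple[str, Optional[str], Optional[str]]:
    """Walk the rule list in order; the first matching rule decides.

    Returns (action, matched rule name or None, log line or None). A log line is
    produced only for a blocking rule that has logging enabled, mirroring "only
    rules which have logging enabled will be included". The default action for
    unmatched traffic is an assumption of this example.
    """
    for r in rules:
        if (pkt.proto == r.service.proto
                and r.service.port_lo <= pkt.dport <= r.service.port_hi
                and r.src.matches(pkt.src)
                and r.dst.matches(pkt.dst)):
            line = None
            if r.log and r.action == "block":
                line = f"rule={r.name} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport} blocked"
            return r.action, r.name, line
    return default, None, None


# Constructed rule set: one admin host may reach SSH on the server range, everyone
# else is blocked (and logged); Telnet is blocked everywhere but not logged.
SSH = Service("SSH", "tcp", 22, 22)
TELNET = Service("Telnet", "tcp", 23, 23)
RULES = [
    Rule("allow-admin-ssh", SSH, IPSel("single", "203.0.113.5"), IPSel("any"), "allow"),
    Rule("block-ssh", SSH, IPSel("any"), IPSel("range", "192.168.0.10", "192.168.0.20"), "block", log=True),
    Rule("block-telnet", TELNET, IPSel("any"), IPSel("any"), "block"),
]

if __name__ == "__main__":
    for p in (Packet("tcp", "203.0.113.5", "192.168.0.12", 22),
              Packet("tcp", "198.51.100.7", "192.168.0.15", 22),
              Packet("tcp", "198.51.100.7", "192.168.0.30", 22),
              Packet("tcp", "198.51.100.7", "192.168.0.15", 23)):
        print(p, evaluate(RULES, p))
```

    The third sample packet is the one worth noticing: SSH to 192.168.0.30 is outside the Dest IP range of the blocking rule, so it falls through to the default, which is exactly the gap a range-based rule leaves when a host is later added outside the range. When a rule is meant to cover the whole LAN, use Any for Dest IP rather than a range.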
  • Page 64: Logs

    Security Configuration Logs The Logs record various types of activity on the TW100-BRV204. This data is useful for troubleshooting, but enabling all logs will generate a large amount of data and adversely affect performance. Since only a limited amount of log data can be stored in the TW100-BRV204, log data can also be E-mailed to your PC or sent to a Syslog Server.
  • Page 65: Syslog Server

    TW100-BRV204 User Guide Firewall Rules If enabled, the log will record details of packets blocked by user-defined Firewall rules. Logging can be set for each rule individually. Only rules which have logging enabled will be included. If enabled, the VPN log will record incoming and outgoing VPN connections.
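    Because the router can only hold a limited amount of log data, the Logs pages above point to sending it to a Syslog Server. The Python below is an added example written for this page, not the router's code: a small collector that parses the RFC 3164 "<PRI>Mmm dd hh:mm:ss HOST message" shape a typical embedded syslog sender emits, splits the priority into facility and severity, and counts blocked packets per source address. The sample datagrams are constructed; this page does not show the router's actual message wording, so the "FW: blocked ..." text and the regular expression that reads it are assumptions, and the function names are the example's own.

```python
"""Minimal syslog collector for the log data the router can send to a Syslog Server.

Added example, not the router's code. parse_syslog() handles the RFC 3164
"<PRI>Mmm dd hh:mm:ss HOST msg" shape; serve() is a plain UDP/514 receive loop.
The sample lines below are constructed; this page does not show the router's
real message wording, so the "FW: blocked ..." format is an assumption.
"""
import re
import socket
from collections import Counter
from typing import Dict, List, Optional

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
_HDR = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
_BLOCKED = re.compile(r"blocked \w+ (\d+\.\d+\.\d+\.\d+):\d+ ->")  # constructed message format


def parse_syslog(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split PRI into facility/severity and peel off the timestamp and host."""
    m = _PRI.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # PRI is facility*8 + severity, at most 23*8+7
        return None
    facility, severity = divmod(pri, 8)
    hdr = _HDR.match(m.group(2))
    ts, host, msg = hdr.groups() if hdr else (None, None, m.group(2))
    return {"facility": FACILITIES.get(facility, str(facility)),
            "severity": SEVERITIES[severity], "timestamp": ts, "host": host, "msg": msg}


def blocked_by_source(lines: List[str]) -> Dict[str, int]:
    """Count firewall-blocked packets per source IP: the question these logs answer."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        hit = _BLOCKED.search(rec["msg"] or "")
        if hit:
            counts[hit.group(1)] += 1
    return dict(counts)


def count_by_severity(lines: List[str]) -> Dict[str, int]:
    """Severity histogram, useful for spotting a burst of DoS warnings."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None:
            counts[rec["severity"]] += 1
    return dict(counts)


def serve(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Receive datagrams from the router. Syslog over UDP is unauthenticated and
    unencrypted: bind to the LAN-facing address and firewall 514/udp from the WAN."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, peer = s.recvfrom(4096)
            print(peer[0], parse_syslog(data.decode("utf-8", "replace")))


# Constructed sample datagrams (PRI 134 = local0.info, 132 = local0.warning).
SAMPLE = [
    "<134>Jan  5 12:00:01 TW100-BRV204 FW: blocked TCP 198.51.100.7:44321 -> 203.0.113.20:23",
    "<134>Jan  5 12:00:02 TW100-BRV204 FW: blocked TCP 198.51.100.7:44322 -> 203.0.113.20:22",
    "<132>Jan  5 12:00:03 TW100-BRV204 DoS: SYN flood detected from 192.0.2.99",
    "<134>Jan  5 12:00:04 TW100-BRV204 VPN: IKE Phase 1 established with 198.51.100.200",
    "not a syslog line",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_syslog(line))
    print(blocked_by_source(SAMPLE), count_by_severity(SAMPLE))
```

    Anything the router sends is taken on trust by the collector, since a UDP datagram carries no proof of origin; when the receiver host is reachable from the Internet, a forged burst of "blocked" lines is cheap to produce, so keep the listener on the LAN side and treat the source address of the datagram, not just its contents, as part of the record.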
  • Page 66: Security Options

    Security Configuration Security Options This screen allows you to set Firewall and other security-related options. Figure 41: Security Options Screen Data - Security Options Screen SPI Firewall: Enable DoS - If enabled, DoS (Denial of Service) attacks will be detected and blocked.
  • Page 67 TW100-BRV204 User Guide Options: Respond to ICMP - The ICMP protocol is used by the "ping" and "trace route" programs, and by network monitoring and diagnostic programs. • If checked, the TW100-BRV204 will respond to ICMP packets received from the Internet. •...
  • Page 68: Scheduling

    Security Configuration Scheduling • This schedule can be (optionally) applied to any Access Control Group. • Blocking will be performed during the scheduled time (between the "Start" and "Finish" times.) • Two (2) separate sessions or periods can be defined. •...
  • Page 69: Services

    TW100-BRV204 User Guide Services Services are used in defining traffic to be blocked or allowed by the Access Control or Firewall Rules features. Many common Services are pre-defined, but you can also define your own services if required. To view the Services screen, select the Services link on the Security menu. Figure 43: Services Screen Data - Services Screen Available Services...
  • Page 70 Security Configuration Buttons: Delete - Delete the selected service from the list. Add - Add a new entry to the Service list, using the data shown in the "Add New Service" area on screen. Cancel - Clear the "Add New Service" area, ready for entering data for a new Service.
  • Page 71: Chapter 8 Vpn

    Chapter 8 VPN This Chapter describes the VPN capabilities and configuration required for common situations. Overview This section describes the VPN (Virtual Private Network) support provided by your TW100-BRV204. A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network - typically the Internet.
  • Page 72 • Phase I is the negotiation and establishment of the IKE connection. • Phase II is the negotiation and establishment of the IPsec connection. Because the IKE and IPsec connections are separate, they have different SAs (security associations). Policies VPN configuration settings are stored in Policies.
  • Page 73: Common Vpn Situations

    TW100-BRV204 User Guide Common VPN Situations VPN Pass-through Figure 44: VPN Pass-through Here, a PC on the LAN behind the Router/Gateway is using VPN software, but the Router/Gateway is NOT acting as a VPN endpoint. It is only allowing the VPN connection. •...
  • Page 74 Connecting 2 LANs via VPN Figure 46: Connecting 2 VPN Gateways This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN. • The 2 LANs MUST use different IP address ranges. •...
  • Page 75: Vpn Configuration

    TW100-BRV204 User Guide VPN Configuration This section covers the configuration required on the TW100-BRV204 when using Manual Key Exchange (Manual Policies) or IKE (Automatic Policies). Details of using Certificates are covered in a later section. VPN Policies Screen To view this screen, select VPN Policies from the VPN menu. This screen lists all existing VPN policies.
  • Page 76 Move There are 2 ways to change the order of policies: • Use the up and down indicators on the right to move the selected row. You must confirm your changes by clicking "OK". If you change your mind before clicking "OK", click "Cancel" to reverse your changes.
  • Page 77: General Settings

    TW100-BRV204 User Guide Figure 49: VPN Wizard - General General Settings Policy Name - Enter a suitable name. This name is not supplied to the remote VPN. It is used only to help you manage the policies. Enable Policy - Enable or disable the policy as required. For each remote VPN, only 1 policy can be enabled at any time.
  • Page 78 Figure 50: VPN Wizard - Traffic Selector • For outgoing VPN connections, these settings determine which traffic will cause a VPN tunnel to be created, and which traffic will be sent through the tunnel. • For incoming VPN connections, these settings determine which systems on your local LAN will be available to the remote endpoint.
  • Page 79 TW100-BRV204 User Guide Remote IP addresses - Type: • Single address - enter an IP address in the "Start IP address" field. • Range address - enter the starting IP address in the "Start IP address" field, and the finish IP address in the "Finish IP address"...
  • Page 80 These settings must match the remote VPN. Note that you cannot use both AH and ESP. Manually assigned Keys AH Authentication - AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. (AH is often NOT used.) If AH is not enabled, the following settings can be ignored. Keys •...
  • Page 81 TW100-BRV204 User Guide IKE Phase 1 If you selected IKE, the following screen is displayed after the Traffic Selector screen. Figure 52: VPN Wizard - IKE Phase 1 IKE Phase 1 (IKE SA) Direction - Select the desired option: • Initiator - Only outgoing connections will be created. Incoming connection attempts will be rejected.
  • Page 82 IKE SA Life Time This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds. DH Group Select the desired method, and ensure the remote VPN endpoint uses the same method.
  • Page 83 TW100-BRV204 User Guide ESP Encryption ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both ESP Encryption and ESP Authentication. Select the desired method, and ensure the remote VPN endpoint uses the same method.
  • Page 84: Examples

    Examples This section describes some examples of using the TW100-BRV204 in common VPN situations. Example 1: Connecting 2 TW100-BRV204s In this example, 2 LANs are connected via VPN. Figure 54: Connecting 2 TW100-BRV204s Note • The LANs MUST use different IP address ranges. •...
  • Page 85 TW100-BRV204 User Guide (IKE settings for Example 1, one value per TW100-BRV204, with the requirement in the last column)
    IKE Authentication method: Pre-shared Key / Pre-shared Key - Certificates are not widely used.
    Pre-shared Key: Xxxxxxxxxx / Xxxxxxxxxx - Must match
    IKE Authentication algorithm: Must match
    IKE Encryption: Must match
    IKE Exchange mode: Main Mode / Main Mode - Must match
    DH Group: Group 1 (768 bit) / Group 1 (768 bit) - Must match...
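    The VPN chapter states several constraints that are easy to get wrong when two endpoints are configured by hand: the parameters the tables above mark "Must match", the rule that AH and ESP cannot both be used, the note that the two LANs MUST use different IP address ranges, and the fact that where lifetimes differ the shorter one is used. The following Python is an added example written for this page, not the router's code, that encodes those constraints as a pre-flight check on a pair of policies and, separately, flags settings that negotiate fine but are weak by current standards (Group 1 is a 768-bit Diffie-Hellman group; 3DES and MD5 are deprecated). The Policy class, its field names and the pre-shared-key length threshold are the example's own assumptions; the default values are the ones used in the manual's Example 1 and Example 2 tables.

```python
"""Consistency check for a pair of VPN policies, one per endpoint.

Added example, not the router's code. It encodes the rules the VPN chapter
states: "must match" parameters, no AH together with ESP, the two LANs must
use different address ranges, and the shorter of two SA lifetimes wins.
Field names, the Policy class and the strength thresholds are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Parameters the manual marks "Must match" between the two endpoints.
MUST_MATCH = ("auth_method", "psk", "ike_auth_alg", "ike_encryption", "exchange_mode",
              "dh_group", "pfs", "esp_encryption", "esp_auth", "ah_enabled")


@dataclass
class Policy:
    name: str
    local_lan: str                 # traffic selector, e.g. "192.168.0.0/24"
    remote_lan: str
    auth_method: str = "psk"       # pre-shared key; certificates are the alternative
    psk: str = ""
    ike_auth_alg: str = "sha1"
    ike_encryption: str = "3des"
    exchange_mode: str = "main"
    dh_group: int = 1              # Group 1 = 768-bit MODP, the value in the manual's example
    ike_lifetime: int = 28800      # seconds; does not have to match
    pfs: bool = False
    esp_enabled: bool = True
    esp_encryption: str = "3des"
    esp_auth: str = "sha1"
    ah_enabled: bool = False
    ipsec_lifetime: int = 28800    # seconds; does not have to match


def check_pair(a: Policy, b: Policy) -> List[str]:
    """Return the reasons a tunnel between a and b would not come up (empty if none)."""
    problems = []
    for f in MUST_MATCH:
        if getattr(a, f) != getattr(b, f):
            problems.append(f"{f} differs: {a.name}={getattr(a, f)!r} {b.name}={getattr(b, f)!r}")
    for p in (a, b):
        if p.ah_enabled and p.esp_enabled:
            problems.append(f"{p.name}: AH and ESP both enabled; the router allows only one")
    la, ra = ipaddress.ip_network(a.local_lan), ipaddress.ip_network(a.remote_lan)
    lb, rb = ipaddress.ip_network(b.local_lan), ipaddress.ip_network(b.remote_lan)
    for p, local, remote in ((a, la, ra), (b, lb, rb)):
        if local.overlaps(remote):
            problems.append(f"{p.name}: local LAN {local} overlaps remote LAN {remote}")
    if la != rb or ra != lb:
        problems.append("traffic selectors are not mirror images of each other")
    return problems


def effective_lifetimes(a: Policy, b: Policy) -> Tuple[int, int]:
    """(IKE SA, IPsec SA) lifetimes actually in force: the shorter side wins."""
    return min(a.ike_lifetime, b.ike_lifetime), min(a.ipsec_lifetime, b.ipsec_lifetime)


def strength_warnings(p: Policy) -> List[str]:
    """Settings that negotiate fine but are weak by current standards.
    The 20-character PSK threshold is this example's own choice."""
    w = []
    if p.dh_group == 1:
        w.append("DH group 1 (768-bit MODP) is considered breakable; use group 14 or stronger where both ends support it")
    if "3des" in (p.ike_encryption, p.esp_encryption):
        w.append("3DES is deprecated; prefer AES where both ends support it")
    if "md5" in (p.ike_auth_alg, p.esp_auth):
        w.append("MD5 integrity is deprecated; prefer SHA-1 or better")
    if p.auth_method == "psk" and len(p.psk) < 20:
        w.append("pre-shared key is short; use a long random key")
    return w


# Constructed policies mirroring the manual's Example 1 (two TW100-BRV204s).
SITE_A = Policy("SiteA", "192.168.0.0/24", "192.168.1.0/24", psk="Xxxxxxxxxx")
SITE_B = Policy("SiteB", "192.168.1.0/24", "192.168.0.0/24", psk="Xxxxxxxxxx", ike_lifetime=3600)

if __name__ == "__main__":
    print("problems:", check_pair(SITE_A, SITE_B))
    print("lifetimes:", effective_lifetimes(SITE_A, SITE_B))
    print("warnings:", strength_warnings(SITE_A))
```

    The mirror-image check is the one the manual's "Traffic Selector" wording implies but does not spell out: what one side calls its local range must be exactly what the other side calls its remote range, or the Phase 2 selectors will not agree even though every "Must match" parameter does.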
  • Page 86 Example 2: Windows 2000/XP Client to LAN In this example, a Windows 2000/XP client connects to the TW100-BRV204 and gains access to the local LAN. Figure 55: Windows 2000/XP Client to TW100-BRV204 To use 3DES encryption on Windows 2000, you need Service Pack 3 or later installed.
  • Page 87 TW100-BRV204 User Guide DH Group: Group 1 (768 bit) - Must match client PC. IKE SA Life time: 28800 - Does not have to match client PC. Shorter period will be used. IKE PFS: Disable - Must match client PC. IPSec SA Parameters: IPSec SA Life time: 28800 - Do not have to match.
  • Page 88 Figure 57: Windows 2000/XP - Policy Properties • Note that no rules are in use. Two (2) rules are required - incoming and outgoing. • The outgoing rule will be added first. 6. Deselect the "Use Add Wizard" checkbox, then click "Add" to view the screen below. Figure 58: IP Filter List 7.
  • Page 89 TW100-BRV204 User Guide Figure 59: Filter Properties: Addressing 8. Enter the Source IP address and the Destination IP address. • Since this is the outgoing filter, the Source IP address is "My IP address" and the Destination IP address is the address range used on the remote LAN. •...
  • Page 90 Figure 61: New Rule Properties: Filter Action 11. Select Require Security, then click the "Edit" button, to view the Require Security Proper- ties screen. Figure 62: Require Security Properties 12. Select Negotiate security (this selects IKE), then click "Add".
  • Page 91 TW100-BRV204 User Guide Figure 63: Modify Security Method 13. On the resulting screen (above), select High [ESP] then click "OK" to save your changes and return to the Require Security Properties screen. Figure 64: Require Security Properties 14. Ensure the following settings are correct, then click "OK" to return to the Filter Action tab of the Edit Rule Properties screen.
  • Page 92 15. Click the Tunnel Setting tab, then select The tunnel endpoint is specified by this IP address. Enter the WAN (Internet) IP address of the Broadband VPN Gateway, as shown below. Figure 65: Tunnel Setting 16. Click the Authentication Methods tab, then click the "Edit" to see the screen like the example below.
  • Page 93 TW100-BRV204 User Guide Figure 67: Windows 2000/XP Client to Broadband VPN Gateway 20. To add the second (incoming) rule, click "Add". For the name, enter "To Win2K", then click "Add". Figure 68: Windows 2000/XP Client to Broadband VPN Gateway 21. Enter the Source IP address and the Destination IP address as shown below. •...
  • Page 94 Figure 69: Filter Properties: Addressing 22. Click "OK" to save your changes, then "Close". Figure 70: Filter List 23. Ensure the "To Win2K" filter is selected, then click the Filter Action tab.
  • Page 95 TW100-BRV204 User Guide Figure 71: Filter Action 24. Select Require Security, then click "Edit". On the Require Security Methods screen below, select Negotiate security. Figure 72: Security Methods 25. Click the "Add" button. On the resulting Modify Security Method screen below, select High [ESP].
  • Page 96 Figure 73: Modify Security Method 26. Click "OK" to save your changes, then click "OK" again to return to the Filter Action screen. 27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address of this PC (172.16.9.10 in this example). Figure 74: Tunnel Setting 28.
  • Page 97 TW100-BRV204 User Guide Figure 75: Authentication Method 29. Select Use this string to protect the key exchange (preshared key), then enter your pre-shared key in the field provided. 30. Click "OK" to save your settings, then "Close" to return to the DUT to Win2K Properties screen.
  • Page 98 Figure 77: Properties - General Tab 32. Click the "Advanced" button to see the screen below. Figure 78: Key Exchange Settings 33. Click the "Methods" button to see the screen below.
  • Page 99 TW100-BRV204 User Guide Figure 79: Key Exchange Security Methods 34. Select the first entry, and click the "Edit" button to see the following screen. Figure 80: IKE Security Algorithms 35. Select "SHA1" for Integrity Algorithm, "3DES" for Encryption algorithm, and "Low(1)" for the Diffie-Hellman Group.
  • Page 100 Example 3: Windows 2000 Server to VPN Gateway In this example, a Windows 2000 Server connects to the TW100-BRV204. Users on each LAN can then gain access to the remote LAN. Figure 82: TW100-BRV204 to Windows 2000 Server TW100-BRV204 Configuration This is the same as for the client setup earlier, with the exception of the IP address range for the remote endpoint.
  • Page 101: Windows 2000 Server Configuration

    TW100-BRV204 User Guide Windows 2000 Server Configuration Configuration is the same as for Example 2 (Windows 2000/XP Client to Broadband VPN Gateway), except for specifying the Source and Destination addresses for the "Filter Properties". Instead, for both IP Filters, the Filter Properties - Addressing should be completed as follows. Figure 83: Windows 2000 Server - Addressing •...
  • Page 102: Using Certificates

    Using Certificates Certificates are used to authenticate users. Certificates are issued to you by various CAs (Certification Authorities). These Certificates are called "Self Certificates". Each CA also issues a certificate to itself. This Certificate is required in order to validate communication with the CA.
  • Page 103 TW100-BRV204 User Guide Adding a Trusted Certificate 1. After obtaining a new Certificate from the CA, you need to upload it to the TW100-BRV204. 2. On the "Certificates" screen, click the "Add Trusted Certificate" button to view the Add Trusted Certificate screen, shown below.
  • Page 104 Subject Name This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field.
  • Page 105 TW100-BRV204 User Guide Figure 88: Add Self Certificate (3) 8. Upload the Certificate: • Click the "Browse" button, and locate the certificate file on your PC • Select the file. The name will appear in the "Certificate File" field. • Click "Upload"...
  • Page 106 Figure 90: Upload CRL 4. Upload the CRL file: • Click the "Browse" button, and locate the CRL file on your PC • Select the file. The name will appear in the "File to Upload" field. • Click "Upload" to upload the CRL file to the TW100-BRV204. •...
  • Page 107: Chapter 9 Other Features And Settings

    Chapter 9 Other Features and Settings This Chapter explains the screens and settings available via the "Other" menu.
    Overview Normally, it is not necessary to use these screens, or change any settings. These screens and settings are provided to deal with non-standard situations, or to provide additional options for advanced users.
  • Page 108: Config File

    Other Features and Settings Config File This feature allows you to download the current settings from the Broadband Router, and save them to a file on your PC. You can restore a previously-downloaded configuration file to the Broadband Router, by uploading it to the Broadband Router.
  • Page 109: Pc Database

    TW100-BRV204 User Guide PC Database The PC Database is used whenever you need to select a PC (e.g. for the "DMZ" PC). It eliminates the need to enter IP addresses. Also, you do not need to use fixed IP addresses on your LAN.
  • Page 110 Other Features and Settings Data - PC Database Screen
    Known PCs: This lists all current entries. Data displayed is name (IP Address) type. The "type" indicates whether the PC is connected to the LAN.
    Name: If adding a new PC to the list, enter its name here. It is best if this matches the PC's "hostname".
  • Page 111 TW100-BRV204 User Guide PC Database (Admin) This screen is displayed if the "Advanced Administration" button on the PC Database is clicked. It provides more control than the standard PC Database screen. Figure 93: PC Database (Admin) Data - PC Database (Admin) Screen Known PCs: This lists all current entries.
  • Page 112 Other Features and Settings IP Address Select the appropriate option: • Automatic - The PC is set to be a DHCP client (Windows: "Obtain an IP address automatically"). The TW100-BRV204 will allocate an IP address to this PC when requested to do so. The IP address could change, but normally won't.
  • Page 113: Remote Administration

    TW100-BRV204 User Guide Remote Administration This feature allows you to manage the TW100-BRV204 via the Internet. Figure 94: Remote Administration Screen Data - Remote Administration Screen
    Enable Remote Administration: Enable to allow administration via the Internet. If Disabled, this device will ignore management connection attempts from the Internet.
  • Page 114: Routing

    Other Features and Settings Routing Overview • If you don't have other Routers or Gateways on your LAN, you can ignore the "Routing" page completely. • If the TW100-BRV204 is only acting as a Gateway for the local LAN segment, ignore the "Routing"...
  • Page 115: Static Routing

    TW100-BRV204 User Guide Figure 95: Routing Screen Data - Routing Screen
    Enable RIP: Check this to enable the RIP (Routing Information Protocol) feature of the TW100-BRV204. The TW100-BRV204 supports RIP 1 only.
    Static Routing Table Entries: This list shows all entries in the Routing Table. •...
  • Page 116: Configuring Other Routers On Your Lan

    Other Features and Settings Buttons
    Save: Save the RIP setting. This has no effect on the Static Routing Table.
    Add a new entry to the Static Routing table, using the data shown in the "Properties" area on screen. The entry selected in the list is ignored, and has no effect.
  • Page 117 TW100-BRV204 User Guide Static Routing - Example Figure 96: Routing Example For the TW100-BRV204's Routing Table For the LAN shown above, with 2 routers and 3 LAN segments, the TW100-BRV204 requires 2 entries as follows. Entry 1 (Segment 1) Destination IP Address 192.168.1.0 Network Mask...
  • Page 118: Upgrade Firmware

    Other Features and Settings Upgrade Firmware The firmware (software) in the TW100-BRV204 can be upgraded using your Web Browser. You must first download the upgrade file, then select Upgrade on the Other menu. You will see a screen like the following. Figure 97: Upgrade Firmware Screen To perform the Firmware Upgrade: 1.
  • Page 119: Upnp

    TW100-BRV204 User Guide UPNP An example UPNP screen is shown below. Figure 98: UPNP Screen Data - UPNP Screen
    Enable UPnP Services: • UPnP (Universal Plug and Play) allows automatic discovery and configuration of equipment attached to your LAN. UPnP is supported by Windows ME, XP, or later.
  • Page 120: Appendix A Troubleshooting

    Appendix A Troubleshooting This Appendix covers the most likely problems and their solutions. Overview This chapter covers some common problems that may be encountered while using the TW100-BRV204 and some possible solutions to them. If you follow the suggested steps and the TW100-BRV204 still does not function properly, contact your dealer for further advice.
  • Page 121 TW100-BRV204 User Guide Solution 2: The TW100-BRV204 processes the data passing through it, so it is not transparent. Use the Special Applications feature to allow the use of Internet applications which do not function correctly. If this does not solve the problem, you can use the DMZ function. This should work with almost every application, but: •...
  • Page 122: Appendix B Specifications

    Appendix B Specifications TW100-BRV204
    Model: TW100-BRV204
    Dimensions: 141mm(W) * 100mm(D) * 27mm(H)
    Operating Temperature: 0° C to 40° C
    Storage Temperature: -10° C to 70° C
    Network Protocol: TCP/IP
    Network Interface: 5 Ethernet: 4 * 10/100BaseT (RJ45) LAN connection; 1 * 10/100BaseT (RJ45) for WAN
    LEDs
    Power Adapter: 12V DC External...
  • Page 123: Ce Marking Warning

    TW100-BRV204 User Guide FCC Radiation Exposure Statement This equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters between the radiator and your body. This device complies with Part 15 of the FCC Rules.
