TP-Link TL-ER6120 User Manual

Safestream gigabit dual-wan vpn router

TL-ER6120
Gigabit Dual-WAN VPN Router
REV1.2.0
1910010936

Summary of Contents for TP-Link TL-ER6120

  • Page 1 TL-ER6120 Gigabit Dual-WAN VPN Router REV1.2.0 1910010936...
  • Page 2: FCC Statement

    COPYRIGHT & TRADEMARKS Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Other brands and product names are trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-LINK TECHNOLOGIES CO., LTD.
  • Page 3: Safety Information

    The product is certified in accordance with the rules of the UkrSEPRO system for compliance with the requirements of regulatory documents and the requirements stipulated by the current legislation of Ukraine. Safety Information When the product has a power button, the power button is one of the ways to shut off the product; When ...
  • Page 4: Table Of Contents

    CONTENTS: Package Contents. Chapter 1 About this Guide: Intended Readers; Conventions; Overview of this Guide. Chapter 2 Introduction: Overview of the Router; Features; Appearance (2.3.1 Front Panel, 2.3.2 Rear Panel). Chapter 3 Configuration: Network (3.1.1 Status...)
  • Page 5 3.3.3 Session Limit; 3.3.4 Load Balance; 3.3.5 Routing. Firewall: 3.4.1 Anti ARP Spoofing; 3.4.2 Attack Defense; 3.4.3 MAC Filtering; 3.4.4 Access Control; 3.4.5 App Control. VPN: 3.5.1 IKE; 3.5.2 IPsec; 3.5.3 L2TP/PPTP. Services: 3.6.1 PPPoE Server; 3.6.2 E-Bulletin...
  • Page 6 Network Topology. Configurations: 4.3.1 Internet Setting; 4.3.2 VPN Setting; 4.3.3 Network Management; 4.3.4 Network Security. Chapter 5 CLI: Configuration; Interface Mode; Online Help; Command Introduction (5.4.1 ip, 5.4.2 ip-mac, 5.4.3 sys, 5.4.4 user, 5.4.5 history, 5.4.6...)
  • Page 7: Package Contents

    Package Contents The following items should be found in your package: One TL-ER6120 Router; One Power Cord; One Console Cable; One Ground Cable; Two mounting brackets and other fittings; Installation Guide; Resource CD. Note: Make sure that the package contains the above items.
  • Page 8: Chapter 1 About This Guide

    Chapter 1 About this Guide This User Guide contains information for the setup and management of the TL-ER6120 router. Please read this guide carefully before operation. 1.1 Intended Readers This Guide is intended for network engineers and network administrators. 1.2 Conventions In this Guide the following conventions are used: The router or TL-ER6120 mentioned in this Guide stands for TL-ER6120 SafeStream Gigabit ...
  • Page 9 Appendix A Hardware Specifications: Lists the hardware specifications of this router. Appendix B FAQ: Provides the possible solutions to the problems that may occur during the installation and operation of the router. Appendix C Glossary: Lists the glossary used in this guide.
  • Page 10: Chapter 2 Introduction

    Thanks for choosing the SafeStream Gigabit Dual-WAN VPN Router TL-ER6120. 2.1 Overview of the Router The SafeStream Gigabit Dual-WAN VPN Router TL-ER6120 from TP-LINK possesses excellent data processing capability and multiple powerful functions including IPsec/PPTP/L2TP VPN, Load Balance, Access Control, Bandwidth Control, Session Limit, IM/P2P Blocking, PPPoE Server and so on, which fully meet the needs of small and medium enterprises, hotels and communities with volumes of users demanding an efficient and easy-to-manage network with high security.
  • Page 11: Features

    Dual-WAN Ports: + Providing two 10/100/1000M WAN ports for users to connect two Internet lines for bandwidth expansion. + Supporting multiple Load Balance modes, including Bandwidth Based Balance Routing, Application Optimized Routing, and Policy Routing to optimize bandwidth usage. + Featured Link Backup to switch all the new sessions from dropped line automatically to another for keeping an always on-line network.
  • Page 12: Appearance

    Supports GARP (Gratuitous ARP). Deploys One-Click restricting of IM/P2P applications. 2.3 Appearance 2.3.1 Front Panel The front panel of TL-ER6120 is shown in the following figure. LEDs Status Indication The router is powered on The router is powered off or power supply is abnormal...
  • Page 13: Rear Panel

    Reset button (about 4~5 seconds). After the SYS LED goes out, release the Reset button. If the SYS LED flashes at a high frequency for about two or three seconds, it means the router is restored successfully. 2.3.2 Rear Panel The rear panel of TL-ER6120 is shown in the following figure.
  • Page 14 Power Socket: Connect the female connector of the power cord to this power socket, and the male connector to the AC power outlet. Please make sure the voltage of the power supply meets the requirement of the input voltage (100-240V~ 50/60Hz). Grounding Terminal ...
  • Page 15: Chapter 3 Configuration

    Figure 3-1 Status 3.1.2 System Mode The TL-ER6120 can work in three modes: NAT, Non-NAT and Classic. If your router is hosting your local network’s connection to the Internet with a network topology as shown in Figure 3-2, you can set it to NAT mode.
  • Page 16 Figure 3-2 Network Topology - NAT Mode If your router is connecting the two networks of different areas in a large network environment with a network topology as shown in Figure 3-3, and forwards the packets between these two networks by the Routing rules, you can set it to Non-NAT mode.
  • Page 17 Figure 3-4 Network Topology – Classic Mode Choose the menu Network→System Mode to load the following page. Figure 3-5 System Mode You can select a System Mode for your router according to your network need. NAT Mode: NAT (Network Address Translation) mode allows the router to translate private IP addresses within internal networks to public IP addresses for traffic transport over external networks, such as the Internet.
  • Page 18: WAN

    3.1.3 WAN TL-ER6120 provides the following six Internet connection types: Static IP, Dynamic IP, PPPoE/Russian PPPoE, L2TP/Russian L2TP, PPTP/Russian PPTP and BigPond. To configure the WAN, please first select the type of Internet connection provided by your ISP (Internet Service Provider).
  • Page 19 Static IP Connection Type: Select Static IP if your ISP has assigned a static IP address for your computer. IP Address: Enter the IP address assigned by your ISP. If you are not clear, please consult your ISP. Subnet Mask: Enter the Subnet Mask assigned by your ISP.
  • Page 20 Figure 3-7 WAN – Dynamic IP The following items are displayed on this screen: Dynamic IP Connection Type: Select Dynamic IP if your ISP assigns the IP address automatically. Click <Obtain> to get the IP address from your ISP’s server. Click <Release>...
  • Page 21 Use the following DNS Server: Select this option to enter the DNS (Domain Name Server) address manually. Primary DNS: Enter the IP address of your ISP’s Primary DNS (Domain Name Server). If you are not clear, please consult your ISP. Secondary DNS: Optional.
  • Page 22 PPPoE If your ISP (Internet Service Provider) has provided the account information for the PPPoE connection, please choose the PPPoE connection type (Used mainly for DSL Internet service). Figure 3-8 WAN - PPPoE The following items are displayed on this screen: ...
  • Page 23 PPPoE Settings Connection Type: Select PPPoE if your ISP provides xDSL Virtual Dial-up connection. Click <Connect> to dial-up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the Internet connection and release the current IP address. Account Name: Enter the Account Name provided by your ISP.
  • Page 24 Service Name: Optional. Enter the Service Name provided by your ISP. It's null by default. Primary DNS: Enter the IP address of your ISP’s Primary DNS. Secondary DNS: Optional. Enter the IP address of your ISP’s Secondary DNS. Secondary Connection: Here you can configure the secondary connection.
  • Page 25 response from your ISP. Please ensure that your settings are correct and your network is connected well. Consult your ISP if this problem remains. IP Address: Displays the IP address assigned by your ISP. Gateway Address: Displays the Gateway Address assigned by your ISP. Primary DNS: Displays the IP address of your ISP’s Primary DNS.
  • Page 26 Figure 3-9 WAN - L2TP The following items are displayed on this screen: L2TP Settings Connection Type: Select L2TP if your ISP provides a L2TP connection. Click <Connect> to dial-up to the Internet and obtain the IP address.
  • Page 27 Server IP: Enter the Server IP provided by your ISP. MTU: MTU (Maximum Transmission Unit) is the maximum data unit transmitted by the physical network. It can be set in the range of 576-1460. The default MTU is 1460. It is recommended to keep the default value if no other MTU value is provided by your ISP.
  • Page 28 Downstream Bandwidth: Specify the bandwidth for receiving packets on the port. L2TP Status Status: Displays the status of PPPoE connection. “Disabled” indicates that the L2TP connection type is not applied. “Connecting” indicates that the router is obtaining the IP ...
  • Page 29 Figure 3-10 WAN - PPTP The following items are displayed on this screen: PPTP Settings Connection Type: Select PPTP if your ISP provides a PPTP connection. Click <Connect> to dial-up to the Internet and obtain the IP address. Click <Disconnect>...
  • Page 30 Server IP: Enter the Server IP provided by your ISP. MTU: MTU (Maximum Transmission Unit) is the maximum data unit transmitted by the physical network. It can be set in the range of 576-1460. The default MTU is 1460. It is recommended to keep the default value if no other MTU value is provided by your ISP.
  • Page 31 PPTP Status Status: Displays the status of PPTP connection. “Disabled” indicates that the PPTP connection type is not applied. “Connecting” indicates that the router is obtaining the IP parameters from your ISP. “Connected” indicates that the router has successfully obtained ...
  • Page 32 Figure 3-11 WAN – Bigpond The following items are displayed on this screen: BigPond Settings Connection Type: Select BigPond if your ISP provides a BigPond connection. Click <Connect> to dial-up to the Internet and obtain the IP address. Click <Disconnect>...
  • Page 33 Auth Mode: You can select the proper Active mode according to your need. Manual: Select this option to manually activate or terminate the Internet connection by the <Connect> or <Disconnect> button. It’s optimum for the dial-up connection charged on time. Always-on: Select this option to keep the connection always on.
  • Page 34: LAN

    Note: To ensure the BigPond connection is re-established normally, please restart the connection at least 5 seconds after the connection is off. 3.1.4 LAN 3.1.4.1 On this page, you can configure the parameters for LAN port of this router. Choose the menu Network→LAN→LAN to load the following page. Figure 3-12 LAN The following items are...
  • Page 35 Figure 3-13 DHCP Settings The following items are displayed on this screen: DHCP Settings DHCP Server: Enable or disable the DHCP server on your router. To enable the router to assign the TCP/IP parameters to the computers in the LAN automatically, please select Enable.
  • Page 36: DHCP Reservation

    Primary DNS: Optional. Enter the Primary DNS server address provided by your ISP. It is recommended to enter the IP address of the LAN port of the router. Secondary DNS: Optional. If a Secondary DNS Server address is available, enter it. 3.1.4.3 DHCP Client On this page, you can view the information about all the DHCP clients connected to the router.
  • Page 37: DMZ

    DMZ (Demilitarized Zone) is a network which has fewer default firewall restrictions than the LAN does. TL-ER6120 provides a DMZ port to allow all the local hosts connected to this port to be exposed to the Internet for some special-purpose services, such as Internet gaming and video-conferencing.
  • Page 38 DMZ can directly communicate with LAN using the private IP addresses within the different subnet of LAN. Figure 3-17 DMZ – Private Mode 3.1.5.1 This page allows you to configure the DMZ port of TL-ER6120. Choose the menu Network→DMZ→DMZ to load the following page. Figure 3-18 DMZ...
  • Page 39: MAC Address

    In a complex network topology with all the ARP bound devices, if you want to use TL-ER6120 instead of the current router in a network node, you can just set the MAC address of TL-ER6120’s LAN port to be the same as the MAC address of the previous router, which can avoid all...
  • Page 40: Switch

    LAN port to the MAC address of the current management PC. 3.1.7 Switch Some basic switch port management functions are provided by TL-ER6120, which helps you monitor the traffic and manage the network effectively. 3.1.7.1 Statistics The Statistics screen displays the detailed traffic information of each port, which allows you to monitor the traffic and locate faults promptly.
  • Page 41 Choose the menu Network→Switch→Statistics to load the following page. Figure 3-20 Statistics The following items are displayed on this screen: Statistics Unicast: Displays the number of normal unicast packets received or transmitted on the port. Broadcast: Displays the number of normal broadcast packets received or transmitted on the port.
  • Page 42: Port Mirror

    Normal: Displays the number of the received packets (including error frames) that are between 64 bytes and the maximum frame length. The maximum untagged frame this router can support is 1518 bytes long and the maximum tagged frame is 1522 bytes long. Oversize: Displays the number of the received packets (including error frames) that...
  • Page 43 General Enable Port Mirror: Check the box to enable the Port Mirror function. If unchecked, it will be disabled. Mode: Select the mode for the port mirror function. Options include: Ingress: When this mode is selected, only the incoming packets sent ...
  • Page 44: Rate Control

    Check the box before Enable Port Mirror to enable the Port Mirror function and select the Ingress & Egress mode. Select Port 3 to be the Mirroring Port to monitor all the packets of the other ports. Select all the other ports to be the Mirrored Ports. Click the <Save>...
  • Page 45: Port Config

    Ingress Mode: Select the Ingress Mode for each port. Options include: All Frames: Select this option to limit all the frames. Broadcast & Multicast: Select this option to limit broadcast frame and multicast frame. Broadcast: Select this option to limit the broadcast frame. ...
  • Page 46: Port Status

    Therefore, broadcast packets are limited in a VLAN. TL-ER6120 provides the Port VLAN function, which allows you to create multiple logical VLANs for the LAN ports based on their port numbers. Choose the menu Network→Switch→Port VLAN to load the following page.
  • Page 47: User Group

    Figure 3-25 Port VLAN The following items are displayed on this screen: Port VLAN Network: Displays the current logical network of the physical port. VLAN: Select the desired VLAN for the port. Tips: ● The Port VLAN can only be created among the LAN ports. ●...
  • Page 48: User

    The following items are displayed on this screen: Group Config Group Name: Specify a unique name for the group. Description: Give a description for the group. It's optional. List of Group In this table, you can view the information of the Groups and edit them by the Action buttons. 3.2.2 User On this page, you can configure the User for the group.
  • Page 49 Figure 3-28 View Configuration The following items are displayed on this screen: View Config View: Select the desired view for configuration. User Name: Select the name of the desired User. Available Group: Displays the Groups that the User can join. Selected Group: Displays the Groups to which this User belongs.
  • Page 50: Advanced

    3.3 Advanced 3.3.1 NAT NAT (Network Address Translation) is the translation between private IP and public IP, which allows private network users to visit the public network using private IP addresses. With the explosion of the Internet, the number of available IP addresses is not enough. NAT provides a way to allow multiple private hosts to access the public network with one public IP at the same time, which alleviates the shortage of IP addresses.
  • Page 51 One-to-One NAT Mapping IP Address: Enter the Original IP Address in the first checkbox and Translated IP Address in the second checkbox. TL-ER6120 allows mapping from LAN port to WAN port and DMZ in LAN Mode. Interface: Select an interface for forwarding data packets.
  • Page 52 3.3.1.3 Multi-Nets Multi-Nets NAT function allows the IP under LAN or DMZ port within multiple subnets to access the Internet via NAT. Choose the menu Advanced→NAT→Multi-Nets NAT to load the following page. Figure 3-31 Multi-Nets NAT The following items are displayed on this screen: ...
  • Page 53 Application Example: Network Requirements The LAN subnet of TL-ER6120 is 192.168.0.0 /24, the subnet of VLAN2 under a three layer switch is 192.168.2.0 /24, while the subnet of VLAN3 is 192.168.3.0 /24. The IP of VLAN for cascading the switch to the router is 192.168.0.2.
  • Page 54: Virtual Server

    Then set the corresponding Static Route entry, enter the IP address of the interface connecting the router and the three layer switch into the Next Hop field. Choose the menu Advanced→Routing→Static Route to load the following page. The Static Route entry is as follows: 3.3.1.4 Virtual Server...
  • Page 55 Virtual Server Name: Enter a name for Virtual Server entries. Up to 28 characters can be entered. External Port: Enter the service port or port range the router provided for accessing external network. All the requests from Internet to this service port or port range will be redirected to the specified server in local network.
  • Page 56 Figure 3-33 Port Triggering The following items are displayed on this screen: Port Triggering Name: Enter a name for Port Triggering entries. Up to 28 characters can be entered. Trigger Port: Enter the trigger port number or the range of port. Only when the trigger port initiates connection will all the corresponding incoming ports open and provide service for the applications, otherwise the incoming ports will not open.
  • Page 57 Note: ● The Trigger Port and Incoming Port should be set in the range of 1-65535. The Incoming Port can be set in a continuous range such as 8690-8696. ● The router supports up to 16 Port Triggering entries. Each entry supports at most 5 groups of trigger ports and overlapping between the ports is not allowed.
  • Page 58: Traffic Control

    SIP ALG: Enable or disable SIP ALG. The default setting is enabled. It is recommended to keep the default setting if there is no special requirement. IPsec ALG: Enable or disable IPsec ALG. The default setting is enabled. It is recommended to keep the default if there is no special requirement.
  • Page 59: Bandwidth Control

    Enable Bandwidth Control all the time: Select this option to enable Bandwidth Control all the time. Enable Bandwidth Control When: With this option selected, the Bandwidth Control will take effect when the bandwidth usage reaches the specified value. Default Limit Limited Bandwidth: Default Limit applies only for users that are not constrained by Bandwidth...
  • Page 60 Figure 3-36 Bandwidth Control The following items are displayed on this screen: Bandwidth Control Rule Direction: Select the data stream direction for the entry. The direction of arrowhead indicates the data stream direction. The DMZ port displays in the drop-down list only when the DMZ port is enabled.
  • Page 61: Session Limit

    Effective Time: Specify the time for the entry to take effect. Description: Give a description for the entry. Status: Activate or inactivate the entry. List of Rules You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-36 indicates: The users within group “sales”...
  • Page 62: Session List

    Figure 3-37 Session Limit The following items are displayed on this screen: General Enable Session Limit: Check here to enable Session Limit, otherwise all the Session Limit entries will be disabled. Session Limit Group: Select a group to define the controlled users. Max....
  • Page 63: Load Balance

    Figure 3-38 Session List In this table, you can view the session limit information of users configured with Session Limit. Click the <Refresh> button to get the latest information. 3.3.4 Load Balance In this part, you can configure the traffic sharing mode of the WAN ports to optimize the resource utilization.
  • Page 64 Figure 3-40 Policy Routing The following items are displayed on this screen: General Protocol: Select the protocol for the entry in the drop-down list. If the protocol you want to set is not in the list, you can add it to the list on 3.3.4.4 Protocol page.
  • Page 65 Status: Activate or inactivate the entry. List of Rules You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-40 indicates: All the packets with Source IP between 192.168.0.100 and 92.168.0.199 and Destination IP between 116.10.20.28 and 116.10.20.29 will be forwarded from...
  • Page 66 General WAN Ports: Displays all the WAN ports in use. You can drag the light-blue WAN button to primary and backup WAN list. The color of WAN button changing to gray indicates that the WAN port is already in the primary and backup WAN list.
  • Page 67: Routing

    3.3.4.4 Protocol On this page, you can specify the protocol for routing rules conveniently. A protocol consists of the name and number. The router predefines three commonly used protocols such as TCP, UDP and TCP/UDP. Moreover, you can also add new protocols as you wish. Choose the menu Advanced→Load Balance→Protocol to load the following page.
  • Page 68 Commonly used in small-sized network with fixed topology, Static Route does not change along with network topology automatically. The administrator should modify the static route information manually whenever the network topology or link status is changed. Choose the menu Advanced→Routing→Static Route to load the following page.
  • Page 69 List of Rules You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-43 indicates: If there are packets being sent to a device with IP address of 211.162.1.0 and subnet mask of 255.255.255.0, the router will forward the packets from WAN1 port to the next hop of 211.200.1.1.
  • Page 70 Length Subnet Mask), simple plain text authentication, MD5 cryptograph authentication, CIDR (Classless Inter-Domain Routing) and multicast. TL-ER6120 supports both RIPv1 version and RIPv2 version, thus you can configure the RIP version based on the actual need to improve the network performance.
  • Page 71 General Interface: Displays the interfaces which have been physically connected or assigned static IP. Status: Enable or disable RIP protocol. RIP Version: Select RIPv1 or RIPv2. RIPv2 supports multicast and broadcast. Password: If RIPv2 is enabled, set the Password Authentication according to the actual network situation, and the password should not be more than 15 characters.
  • Page 72: Firewall

    Figure 3-45 RIP The following items are displayed on this screen: Route Table Destination: The Destination of route entry. Gateway: The Gateway of route entry. Flags: The Flags of route entry. The Flags describe certain characteristics of the route. Logical Interface: The logical interface of route entry.
  • Page 73 packets, which results in a breakdown of the normal communication. Thus, ARP defense technology is used to protect the network from this kind of attack. 3.4.1. MAC Binding The IP-MAC Binding function binds the IP address and MAC address of a host together and only allows the hosts matching the bound entries to access the network.
  • Page 74 Description: Give a description for the entry. Status: Activate or inactivate the entry. List of Rules You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-46 indicates: The IP address of 192.168.1.101 and MAC address of 00-19-66-83-53-CF have been bound and this entry is activated.
  • Page 75: Attack Defense

    Indicates that the IP and MAC address of this entry are not bound and may be replaced by error ARP information. Indicates that this entry is imported to the list on IP-MAC Binding page, but not effective yet. Indicates that the IP and MAC address of this entry are already bound. To bind the entries in the list, check these entries and click the <Import>...
  • Page 76 Figure 3-49 Attack Defense The following items are displayed on this screen: General Flood Defense: Flood attack is a commonly used DoS (Denial of Service) attack, including TCP SYN, UDP, ICMP and so on. It is recommended to select all the Flood Defense options and specify the corresponding thresholds.
  • Page 77: MAC Filtering

    3.4.3 MAC Filtering On this page, you can control the Internet access of local hosts by specifying their MAC addresses. Choose the menu Firewall→MAC Filtering→MAC Filtering to load the following page. Figure 3-50 MAC Filtering The following items are displayed on this screen: ...
  • Page 78 Choose the menu Firewall→Access Control→URL Filtering to load the following page. Figure 3-51 URL Filtering The following items are displayed on this screen: General To control the access to Internet for hosts in your private network, you are recommended to check the box before Enable URL Filtering and select a filtering rule based on the actual situation.
  • Page 79: Web Filtering

    List of Rules You can view the information of the entries and edit them by the Action buttons. Application Example: Network Requirements: Prevent the local hosts from accessing Internet website www.aabbcc.com anytime and downloading the files with suffix of “exe” at 8:00-20:00 from Monday to Friday. Configuration Procedure: Select Keywords mode and type “exe”...
  • Page 80 3.4.4.3 Access Rules Choose the menu Firewall→Access Control→Access Rules to load the following page. Figure 3-53 Access Rule The following items are displayed on this screen: Access Rules Policy: Select a policy for the entry: ...
  • Page 81 Source: Select the Source IP Range for the entries, including the following three ways: IP/MASK: Enter an IP address or subnet mask. ("0.0.0.0/32" means any IP). Group: Select a predefined group of users. You can set the group on 3.2.1 Group.
  • Page 82 3.4.4.4 Service Service function allows you to specify the protocol and port number to be filtered for Firewall function conveniently. Protocol name and port range constitute a service type. The router predefines three commonly used services such as HTTP, FTP and TELNET and you can also add customized services if needed.
  • Page 83: App Control

    List of Service You can view the information of the entries and edit them by the Action buttons. Note: The service types predefined by the system cannot be modified. 3.4.5 App Control 3.4.5 Control Rules On this page, you can enable the Application Rules function.
  • Page 84 Control Rules Object: Specify the object for the entry. You can select “Group” to limit the predefined group, or select “ANY” to limit all the users. Group: If you select “Group” as the object, you can select the group in the drop-down list. To establish a new group, please refer to 3.2.1 Group.
  • Page 85: VPN

    As the packets are encapsulated and de-encapsulated in the router, the tunneling topology implemented by encapsulating packets is transparent to users. The tunneling protocols supported by TL-ER6120 contain Layer 3 IPsec and Layer 2 L2TP/PPTP. 3.5.1 IKE In the IPsec V...
  • Page 86: IKE Policy

    phase 2, the IKE peers use the ISAKMP SA established in Phase 1 to negotiate the parameters for security protocols in IPsec and create IPsec SA to secure the transmission data. 3.5.1.1 IKE Policy On this page you can configure the related parameters for IKE negotiation.
  • Page 87 Exchange Mode: Select the IKE Exchange Mode in phase 1, and ensure the remote VPN peer uses the same mode. Main: Main mode provides identity protection and exchanges more information, which applies to the scenarios with higher requirement for identity protection.
  • Page 88 3.5.1.2 IKE Proposal On this page, you can define and edit the IKE Proposal. Choose the menu VPN→IKE→IKE Proposal to load the following page. Figure 3-59 IKE Proposal The following items are displayed on this screen: IKE Proposal Proposal Name: Specify a unique name to the IKE proposal for identification and management purposes.
  • Page 89: IPsec

    DH Group: Select the DH (Diffie-Hellman) group to be used in key negotiation phase 1. The DH Group sets the strength of the algorithm in bits. Options include DH1, DH2 and DH5. DH1: 768 bits; DH2: 1024 bits; DH3: 1536 bits ...
  • Page 90 Figure 3-60 IPsec Policy The following items are displayed on this screen: General You can enable/disable IPsec function for the router here. IPsec Policy Policy Name: Specify a unique name to the IPsec policy. Up to 28 characters can be entered.
  • Page 91 Remote Subnet: Specify IP address range on your remote network to identify which PCs on the remote network are covered by this policy. It's formed by IP address and subnet mask. WAN: Specify the local WAN port for this Policy. The "Remote Gateway"...
  • Page 92 Status: Activate or inactivate the entry. Manual Mode IPsec Proposal: Select the IPsec Proposal. Only one proposal can be selected in Manual mode. You need to first create the IPsec Proposal. Incoming SPI: Specify the Incoming SPI (Security Parameter Index) manually. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.
  • Page 93 ESP Encryption Key-Out: Specify the outbound ESP Encryption Key manually if ESP protocol is used in the corresponding IPsec Proposal. The outbound key here must match the inbound ESP encryption key at the other end of the tunnel, and vice versa. ...
  • Page 94 IPsec Proposal Proposal Name: Specify a unique name to the IPsec Proposal for identification and management purposes. The IPsec proposal can be applied to IPsec policy. Security Protocol: Select the security protocol to be used. Options include: AH (Authentication Header) provides data...
  • Page 95 ESP Encryption: Select the algorithm used to encrypt the data for ESP encryption. Options include: NONE: Performs no encryption. DES: DES (Data Encryption Standard) encrypts a 64-bit block of plain text with a 56-bit key. The key should be 8 characters. 3DES: Triple DES, encrypts a plain text with 168-bit key.
  • Page 96: L2TP/PPTP

    3.5.3 L2TP/PPTP Layer 2 VPN tunneling protocol consists of L2TP (Layer 2 Tunneling Protocol) and PPTP (Point to Point Tunneling Protocol). Both L2TP and PPTP encapsulate packet and add extra header to the packet by using PPP (Point to Point Protocol). Table depicts the difference between L2TP and PPTP. Protocol Media Tunnel...
  • Page 97 Figure 3-63 L2TP/PPTP Tunnel The following items are displayed on this screen: General Enable VPN-to-Internet: Specify whether to enable VPN-to-Internet function. If enabled, the VPN client is permitted to access the LAN of the server and Internet. Specify the interval to send hello packets.
  • Page 98 Mode: Specify the working mode for this router. Options include: Client: In this mode, the device sends a request to the remote L2TP/PPTP server initiatively for establishing a tunnel. Server: In this mode, the router responds to the request from the ...
  • Page 99 Client IP: Enter the IP address of the client which is allowed to connect to this L2TP/PPTP server. The default IP "0.0.0.0" means any IP address is acceptable. IP Address Pool: Select the IP Pool Name to specify the address range for the server's IP assignment.
  • Page 100: Services

    IP Address Pool Pool Name: Specify a unique name to the IP Address Pool for identification and management purposes. IP Address Range: Specify the start and the end IP address for IP Pool. The start IP address should not exceed the end address and the IP ranges must not overlap. ...
  • Page 101 The PPPoE configuration can be implemented on General, IP Address Pool, Account, Exceptional IP and List of Account pages. 3.6.1.1 General On this page, you can configure PPPoE function globally. Choose the menu Services→PPPoE Server→General to load the following page. Figure 3-66 General The following items are displayed on this screen:...
  • Page 102 Max Echo-Requests: Specify the maximum number of Echo-Requests sent by the server to wait for response. The default is 10. The link will be dropped when the number of the unacknowledged LCP echo requests reaches your specified Max Echo-Requests. Idle Timeout: Enter the maximum idle time.
  • Page 103 Figure 3-67 IP Address Pool The following items are displayed on this screen: IP Address Pool Pool Name: Specify a unique name to the IP Address Pool for identification and management purposes. IP Address Range: Specify the start and the end IP address for IP Pool. The start IP address should not exceed the end address and the IP address ranges must not overlap.
  • Page 104 Figure 3-68 Account The following items are displayed on this screen: Account Account Name: Enter the account name. This name should not be the same with one in L2TP/PPTP connection settings. Password: Enter the password. IP Address Assigned Select the IP Address Assigned Mode for IP assignment.
  • Page 105 Status: Activate or inactivate the entry. MAC Binding: Select a MAC Binding type from the pull-down list. Options include: Disable: Select this option to disable the MAC Binding function. Manual: Select this option to bind the account to a MAC address ...
  • Page 106: E-Bulletin

    Exceptional IP IP Address Range: Specify the start and the end IP address to make an exceptional IP address range. This range should be in the same IP range with LAN port or DMZ port of the router. The start IP address should not exceed the end address and the IP address ranges must not overlap.
  • Page 107 Figure 3-71 E-Bulletin The following items are displayed on this screen: General Enable E-Bulletin: Specify whether to enable electronic bulletin function. Interval: Specify the interval to release the bulletin. Enable Logs: Specify whether to log the E-Bulletin. E-Bulletin ...
  • Page 108: Dynamic DNS

    Object: Select the object of this bulletin. Options include: ANY: The bulletin will be released to all the users and the PCs on the LAN. Group: The bulletin will be released to the users in the selected group. You can click <...
  • Page 109 DDNS service providers for username, password and domain name. TL-ER6120 router offers PeanutHull DDNS client, Dyndns DDNS client, NO-IP DDNS client and Comexe DDNS client. The Dynamic DNS can be implemented on DynDNS DDNS, No-IP DDNS, Peanuthull DDNS and Comexe DDNS pages.
  • Page 110 WAN Port: Displays the WAN port for which Dyndns DDNS is selected. DDNS Status: Displays the current status of DDNS service. Offline: DDNS service is disabled. Connecting: client is connecting to the server. Online: DDNS works normally. Authorization fails: The Account Name or Password is incorrect.
  • Page 111 Domain Name: Enter the Domain Name that you registered with your DDNS service provider. DDNS Service: Activate or inactivate DDNS service here. WAN Port: Displays the WAN port for which No-IP DDNS is selected. DDNS Status: Displays the current status of DDNS service. Offline: DDNS service is disabled.
  • Page 112 PeanutHull DDNS Account Name: Enter the Account Name of your DDNS account. If you have not registered, click <Go to register> to go to the website of PeanutHull for register. Password: Enter the password of your DDNS account. DDNS Service: Activate or inactivate DDNS service here.
  • Page 113 Figure 3-75 Comexe DDNS The following items are displayed on this screen: Comexe DDNS Account Name: Enter the Account Name of your DDNS account. If you have not registered, click <Go to register> to go to the website of Comexe for register.
  • Page 114: UPnP

    DDNS Service: Activate or inactivate DDNS service here. WAN Port: Displays the WAN port for which Comexe DDNS is selected. DDNS Status: Displays the current status of DDNS service. Offline: DDNS service is disabled. Connecting: Client is connecting to the server.
  • Page 115: Maintenance

    General UPnP Function: Enable or disable the UPnP function globally. List of UPnP Mapping After UPnP is enabled, all UPnP connection rules will be displayed in the list of UPnP Mapping. The NO.1 entry in Figure 3-76 indicates: TCP data received on port 12856 of the WAN port in the router will be forwarded to port 12856 in 192.168.0.101 server in LAN.
  • Page 116 New Password: Enter a new password for the router. Confirm New Password: Re-enter the new password for confirmation. Note: ● The factory default password and user name are both admin. ● You should enter the new user name and password when next login if the current username and password has been changed.
  • Page 117: Remote Management

    Note: ● The default Web Management Port is 80. If the port is changed, you should type in the new address, such as http://192.168.0.1:XX (“XX” is the new management port number). E.g: If the Web Management Port is changed to 88, type http://192.168.0.1:88 in the address field to log in to the router.
  • Page 118: Management

    Figure 3-79 Remote Management The following items are displayed on this screen: Remote Management Subnet/Mask: Specify a single IP address or network address for the hosts desired to access the router from external network. Status: Activate or inactivate the entry. ...
  • Page 119 Figure 3-81 Export and Import The following items are displayed on this screen: Configuration Version Displays the current Configuration version of the router. Export Click the <Export> button to save the current configuration as a file to your computer. You are suggested to take this measure before upgrading or modifying the configuration.
  • Page 120: License

    The configuration will not be lost after rebooting. The Internet connection will be temporarily interrupted while rebooting. Note: To avoid damage, please don't turn off the device while rebooting. 3.7.2.4 Firmware Upgrade Choose the menu Maintenance→Management→Firmware Upgrade to load the following page. Figure 3-83 Firmware Upgrade To upgrade the router is to get more functions and better performance.
  • Page 121: Statistics

    Figure 3-84 License 3.7.4 Statistics 3.7. Interface Traffic Statistics Interface Traffic Statistics screen displays the detailed traffic information of each port and extra information of WAN ports. Choose the menu Maintenance→Statistics→Interface Traffic Statistics to load the following page. Figure 3-85 Interface Traffic Statistics The following items are displayed on this screen: ...
  • Page 122 Rate Rx: Displays the rate for receiving data frames. Rate Tx: Displays the rate for transmitting data frames. Packets Rx: Displays the number of packets received on the interface. Packets Tx: Displays the number of packets transmitted on the interface. Displays the bytes of packets received on the interface.
  • Page 123: Diagnostics

    General Enable IP Traffic Statistics: Allows you to enable or disable IP Traffic Statistics. Enable Auto-refresh: Allows you to enable/disable refreshing the IP Traffic Statistics automatically. The default refresh interval is 10 seconds. Traffic Statistics Direction: Select the direction in the drop-down list to get the Flow Statistics of the specified direction.
  • Page 124 Figure 3-87 Diagnostics The following items are displayed on this screen: Ping Destination IP/Domain: Enter destination IP address or Domain name here. Then select a port for testing, if you select “Auto”, the router will select the interface of destination automatically.
  • Page 125: Time

    3.7.5.2 Online Detection On this page, you can detect whether the WAN port is online or not. Choose the menu Maintenance→Diagnostics→Online Detection to load the following page. Figure 3-88 Online Detection The following items are displayed on this screen: ...
  • Page 126 Choose the menu Maintenance→Time→Time to load the following page. Figure 3-89 Time The following items are displayed on this screen: Current Time System Time: Displays the current date and time of the router. Time Zone: Displays the current time zone of the router.
  • Page 127 3.7. Daylight Saving Time On this page you can configure the Daylight Saving Time of the router. Choose the menu Maintenance→Time→Daylight Saving Time to load the following page. Figure 3-90 Daylight Saving Time The following items are displayed on this screen: ...
  • Page 128: Logs

    Date Mode: Specify the DST configuration in Date mode. This configuration is one-off in use. Offset: Specify the time adding in minutes when Daylight Saving Time comes. Start/End Time: Select the start time and end time of Daylight ...
  • Page 129 Level Description Severity: The system is unusable (Emergency). Action must be taken immediately (alerts). Critical conditions (critical). Error conditions (errors). Warnings conditions (warnings). Normal but significant conditions (notifications). Informational messages (informational). Debug-level messages (debugging).
  • Page 130: Chapter 4 Application

    Chapter 4 Application 4.1 Network Requirements The company has established the server farms in the headquarters to provide the Web, Mail and FTP services for all the staff in the headquarters and the branch offices, and to transmit the commercial confidential data to its partners.
  • Page 131: Network Topology

    4.2 Network Topology 4.3 Configurations You can configure the router via the PC connected to the LAN port of this router. To log in to the router, the IP address of your PC should be in the same subnet of the LAN port of this router. (The default subnet of LAN port is 192.168.0.0/24.).
  • Page 132: Internet Connection

    Choose the menu Network→System Mode to load the following page. Select the NAT mode and click the <Save> button to apply. Figure 4-1 System Mode 4.3.1.2 Internet Connection Configure the Static IP connection type for the WAN1 and WAN2 ports of the router. Choose the menu Network→WAN→WAN1 to load the following page.
  • Page 133: VPN Setting

    Figure 4-3 Link Backup 4.3.2 VPN Setting To enable the hosts in the remote branch office (WAN: 116.31.85.133, LAN: 172.31.10.1) to access the servers in the headquarters, you can create the VPN tunnel via the TP-LINK VPN routers between the headquarters and the remote branch office to guarantee a secured communication.
  • Page 134 DH Group: Click the <Add> button to apply. Figure 4-4 IKE Proposal IKE Policy Choose the menu VPN→IKE→IKE Policy to load the configuration page. Settings: Policy Name: IKE_1 Exchange Mode: Main IKE Proposal: proposal_IKE_1 (you just created) Pre-shared Key: aabbccddee SA Lifetime: 3600...
  • Page 135 Figure 4-5 IKE Policy Tips: For the VPN router in the remote branch office, the IKE settings should be the same as the router in the headquarters. IPsec Setting To configure the IPsec function, you should create an IPsec Proposal firstly.
  • Page 136 Figure 4-6 IPsec Proposal IPsec Policy Choose the menu VPN→IPsec→IPsec Policy to load the configuration page. Settings: IPsec: Enable Policy Name: IPsec_1 Status: Activate Mode LAN-to-LAN Local Subnet: 192.168.0.0/24 Remote Subnet: 172.31.10.0/24 WAN: WAN1 Remote Gateway: 116.31.85.133 Exchange Mode IKE Policy: IKE_1 IPsec Proposal:...
  • Page 137 Figure 4-7 IPsec Policy Tips: For the VPN router in the remote branch office, the IPsec settings should be consistent with the router in the headquarters. The Remote Gateway of the remote router should be set to the IP address of the router in the headquarters.
  • Page 138 L2TP/PPTP Tunnel Choose the menu VPN→L2TP/PPTP→L2TP/PPTP Tunnel to load the following page. Check the box of Enable VPN-to-Internet to allow the PPTP clients to access the local enterprise network and the Internet. Then continue with the following settings for the PPTP Tunnel. Settings: L2TP/PPTP: Enable...
  • Page 139: Network Management

    4.3.3 Network Management To manage the enterprise network effectively and forbid the Hosts within the IP range of 192.168.0.30-192.168.0.50 to use IM/P2P application, you can set up a User Group and specify the network bandwidth limit and session limit for this group. The detailed configurations are as follows. 4.3.3.1 User Group Create a User Group with all the Hosts in the IP range of 192.168.0.30-192.168.0.50 as its group...
  • Page 140 User Choose the menu User Group→User to load the configuration page. Click the <Batch> button to enter the batch processing screen. Then continue with the following settings: Settings: Action: Start IP Address: 192.168.0.30 End IP Address: 192.168.0.50 Prefix Username: User Start No.: Step:...
  • Page 141 Application: Click the <Application List> button and select the applications desired to be blocked on the popup window. Status: Activate Figure 4-11 App Rules 4.3.3.3 Bandwidth Control To enable Bandwidth Control, you should configure the total bandwidth of interfaces and the detailed bandwidth control rule first.
  • Page 142 Interface Bandwidth Choose the menu Network→WAN→WAN1 to load the configuration page. Configure the Upstream Bandwidth and Downstream Bandwidth of the interface as Figure 4-13 shows. The entered bandwidth value should be consistent with the actual bandwidth value. Bandwidth Control Rule Choose the menu Advanced→Traffic Control→Bandwidth Control to load the configuration page.
  • Page 143: Network Security

    Max. Sessions: Status: Activate Click the <Add> button to apply. Figure 4-15 Session Limit 4.3.4 Network Security You can enable the IP-MAC Binding function to defend the ARP attack from local or public network and enable Sending GARP packets function to defend ARP attack.
  • Page 144 Figure 4-17 Scanning Result Choose the menu Firewall→Anti ARP Spoofing→IP-MAC Binding to load the configuration page. Select the ARP entries needed to be bound or click the <Select All> button, and then click the <Import> button. The ARP List will display as the following figure shows. Figure 4-18 ARP List Set IP-MAC Binding Entry Manually Configure the IP-MAC Binding entry manually and add it to ARP List.
  • Page 145 Figure 4-19 IP-MAC Binding 4.3.4.2 WAN ARP Defense To prevent the WAN ARP attack, you can bind the default gateway and IP address of WAN port. Obtain the MAC address of WAN port by ARP Scanning first. Choose the menu Firewall→Anti ARP Spoofing→ARP Scanning to load the configuration page. Enter the default gateway of the WAN port such as 58.51.128.254 in the Scanning Range field and click the <Scan>...
  • Page 146: Traffic Monitoring

    Figure 4-20 Attack Defense 4.3.4.4 Traffic Monitoring Port Mirror Choose the menu Network→Switch→Port Mirror to load the configuration page. Check the box before Enable Port Mirror and select the Ingress&Egress mode. Select the Port 5 for the Mirroring Port and the Port 3 and the Port 4 for the Mirrored ports.
  • Page 147 Figure 4-21 Port Mirror Statistics Choose the menu Maintenance→Statistics to load the page. Load the Interface Traffic Statistics page to view the traffic statistics of each physical interface of the router as Figure 4-22 shows. Figure 4-22 Interface Traffic Statistics Load the IP Traffic Statistics page, and check the box before Enable IP Traffic Statistics and Enable Auto-refresh, then click the <Save>...
  • Page 148 Figure 4-23 IP Traffic Statistics After all the above steps, the enterprise network will be operated based on planning.
  • Page 149: Chapter 5 CLI

    Chapter 5 CLI TL-ER6120 provides a Console port for CLI (Command Line Interface) configuration, which enables you to configure the router by accessing the CLI from console (such as Hyper Terminal) or Telnet. The following part will introduce the steps to access CLI via Hyper Terminal and some common CLI commands.
  • Page 150 Figure 5-2 Connection Description Select the port (The default port is COM1) to connect in Figure 5-3, and click OK. Figure 5-3 Select the port to connect Configure the port selected in the step above as the following Figure 5-4 shows. Configure Bits per second as 115200, Data bits as 8, Parity as None, Stop bits as 1, Flow control as None, and then click OK.
  • Page 151 Figure 5-4 Port Settings Choose File → Properties → Settings on the Hyper Terminal window as Figure 5-5 shows, then choose VT100 or Auto detect for Emulation and click OK. Figure 5-5 Connection Properties Settings
  • Page 152: Interface Mode

    Figure 5-6 Log in the Router 5.2 Interface Mode The CLI of TL-ER6120 offers two command modes: User EXEC Mode and Privileged EXEC Mode. User EXEC Mode only allows users to do some simple operations such as view the system information, while Privileged EXEC Mode allows you to manage and configure the router.
  • Page 153: Online Help

    EC mode. As Figure 5-7 shown: Figure 5-7 Interface Mode 5.3 Online Help TL-ER6120 possesses CLI Online Help: Type a question mark to get all commands of this view and their brief description in either mode. ←Type ? TP-LINK >...
  • Page 154 disable - Exit the privileged mode enable - Enter the privileged mode exit - Exit the CLI (only for telnet) history - Show command history ip - Display or Set the IP configuration ip-mac - Display or Set the IP mac bind configuration sys - System manager user...
  • Page 155: Command Introduction

    5.4 Command Introduction TL-ER6120 provides a number of CLI commands for users to manage the router and user information. For better understanding, each command is followed by note which is the meaning of the command. 5.4.1 ip The ip command is used to view or configure the IP address and subnet mask of the interfaces. View command can be used in both User EXEC Mode and Privileged EXEC Mode while configuration function can be only used in Privileged EXEC Mode.
  • Page 156: Sys

    ● The parameters in the brackets are default setting and you can enter the actual parameters behind them. Press Enter key directly if there are no changes. ● TL-ER6120 connects to the FTP server using port 21 by default.
  • Page 157: User

    ● Pay special attention that the specified account must be with appropriate permissions since the functions such as export, import and firmware upgrade require read-write operation on FTP server. TP-LINK # sys import config Import the configuration file. Server address: [192.168.1.10] The steps are as the above item shows. Username: [admin]...
  • Page 158: History

    TP-LINK > user get Query the user name and password of the current Guest. Username: admi Password: adm TP-LINK > user set password Modify the password of the Guest. Enter old password: Enter new password: Confirm new password: TP-LINK # user get Query the user name and password Userna...
  • Page 159: Exit

    TP-LINK > history View the history command. 1. history 2. sys show 3. history TP-LINK > history clear Clear the history command. 1. history 2. sys show 3. history 4. history clear 5.4.6 exit The exit command is used to exit the system when logging in by Telnet. TP-LINK >...
  • Page 160: Appendix A Hardware Specifications

    Appendix A Hardware Specifications Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.3ab, IEEE 802.3x, TCP/IP, DHCP, ICMP, NAT, PPPoE, SNTP, HTTP, DNS, L2TP, PPTP, IPsec. Ports: Two 10/100/1000M Auto-Negotiation WAN RJ45 port (Auto MDI/MDIX); Two 10/100/1000M Auto-Negotiation LAN RJ45 ports (Auto MDI/MDIX); One 10/100/1000M Auto-Negotiation LAN/DMZ RJ45 port (Auto MDI/MDIX); One Console Port...
  • Page 161: Appendix B FAQ

    192.168.0.x ("x" is any number between 2 to 254) for the IP address and 255.255.255.0 for the Subnet Mask. Test the connection between your PC and TL-ER6120 via Ping command. If you still cannot access the configuration page, please restore your router to its factory default settings and try to log in again.
  • Page 162 Q3: What can I do if the router with the remote management function enabled cannot be accessed by the remote computer? Make sure that the IP address of the remote computer is in the subnet allowed to remotely access the router.
  • Page 163: Glossary

    Appendix C Glossary Glossary Description ALG (Application Layer Gateway): Application Level Gateway (ALG) is application specific translation agent that allows an application on a host in one address realm to connect to its counterpart running on a host in different realm transparently.
  • Page 164 Glossary Description H.323: H.323 allows dissimilar communication devices to communicate with each other by using a standardized communication protocol. H.323 defines a common set of CODECs, call setup and negotiating procedures, and basic data transport methods. HTTP (Hypertext Transfer Protocol): The protocol used by Web browsers and Web servers to transfer files, such as...
  • Page 165 Glossary Description MAC address (Media Access Control address): Standardized data link layer address that is required for every port or device that connects to a LAN. Other devices in the network use these addresses to locate specific ports in the network and to create and update routing tables and data...
  • Page 166 Glossary Description TCP (Transfer Control Protocol): Connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP/IP (Transmission Control Protocol/ Internet Protocol): Common name for the suite of protocols to support the construction of worldwide Internet works. TCP and IP are the two best-known protocols in the suite.

This manual is also suitable for:

Safestream tl-er6120
