User Manual: Configuration. Dualband Industrial Wireless LAN Access Point/Client BAT54-Rail, BAT54-Rail FCC, BAT54-F, BAT54-F FCC, BAT54-F X2, BAT54-F X2 FCC. Technical Support: HAC-Support@hirschmann.de. BAT54-Rail/F.. Release 7.54 06/08

This publication has been created by Hirschmann Automation and Control GmbH according to the best of our knowledge. Hirschmann reserves the right to change the contents of this manual without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the details in this publication.
3.4.3 WLAN routing (isolated mode)
3.4.4 The physical WLAN interfaces
3.4.5 The logical WLAN interfaces
3.4.6 Additional WLAN functions
3.5 Extended WLAN protocol filters
3.5.1 Protocol filter parameters
3.5.2 Procedure for filter test
3.5.3 Redirect function
3.5.4 DHCP address tracking

4.2 Configuration software
4.3 Searching and configuring devices
4.4 Configuration using different tools
4.4.1 LANconfig
4.4.2 WEBconfig
4.4.3 Telnet
4.4.4 TFTP
4.4.5 SNMP
4.4.6 Encrypted configuration with SSH access
4.4.7 SSH authentication
4.5 Working with configuration files

4.6 New firmware with Hirschmann FirmSafe
4.6.1 This is how Hirschmann FirmSafe works
4.6.2 How to load new software
4.7 How to reset the device?
4.8 Managing administrators' rights
4.8.1 Rights for the administrators
4.8.2 Administrators' access via TFTP and SNMP
4.8.3 Configuration of user rights

6.1.6 Examples of traces
6.1.7 Recording traces
6.2 SYSLOG storage in the device
6.2.1 Activate SYSLOG module
6.2.2 Configuring the SYSLOG client
6.2.3 Read-out SYSLOG messages
6.3 The ping command
6.4 Monitoring the switch
6.5 Cable testing

8.4.2 Configuration of the IDS
8.5 Denial of Service
8.5.1 Examples of Denial of Service attacks
8.5.2 Configuration of DoS blocking
8.5.3 Configuration of ping blocking and Stealth mode
9 Quality of Service
9.1 Why QoS?

10.5.1 Different VLAN IDs per WLAN client
10.5.2 Special VLAN ID for DSLoL interfaces
10.6 VLAN tags on layer 2/3 in the Ethernet
10.6.1 Configuring VLAN tagging on layer 2/3
10.7 VLAN tags for DSL interfaces
10.8 VLAN Q-in-Q tagging

11.5 Demilitarized Zone (DMZ)
11.5.1 Assigning interfaces to the DMZ
11.5.2 Assigning network zones to the DMZ
11.5.3 Address check with DMZ and intranet interfaces
11.6 Advanced Routing and Forwarding
11.6.1 Introduction
11.6.2 Defining networks and assigning interfaces

11.11 DSL Connection with PPTP
11.12 Extended connection for flat rates: Keep-alive
11.13 Callback functions
11.13.1 Callback for Microsoft CBCP
11.13.2 Fast callback
11.13.3 Callback with RFC 1570 (PPP LCP extensions)
11.13.4 Overview of configuration of callback function

12.2 Vendor Class and User Class Identifier on the DHCP Client
12.3 DNS
12.3.1 What does a DNS server do?
12.3.2 DNS forwarding
12.3.3 Setting up the DNS server
12.3.4 URL blocking
12.3.5 Dynamic DNS
12.4 Accounting

13.2 SNMP Traps
13.3 Radio channels
13.3.1 Radio channels in the 2.4 GHz frequency band
13.3.2 Radio channels in the 5 GHz frequency band
13.3.3 Radio channels and frequency ranges for indoor and outdoor operation
These are, for example:
Systems design of the LCOS operating system
Configuration
Management
Diagnosis
Security
Routing and WAN functions
Firewall
Quality of Service (QoS)
Virtual Local Networks (VLAN)
Wireless Networks
Further server services (DHCP, DNS, charge management)

'Security' → page 237. We also ask you to keep yourself informed about technical developments and current notes on your product on our web page www.hirschmann.com, and to download new software versions if necessary.

Preface: In case you encounter any errors, or would like to submit criticism or suggestions for enhancement, please do not hesitate to send an e-mail directly to: info@hirschmann.com
WEBconfig, Telnet, Switch, TFTP, IPX router, DSLoL, IPX over PPTP/VPN, LANCAPI. Notes regarding the respective modules and interfaces: The IP router takes care of routing data on IP connections between the LAN and WAN interfaces.

The DSLoL interface (DSL over LAN) is not a physical WAN interface, but rather a "virtual WAN interface". With appropriate LCOS settings, it is possible on some models to use a LAN interface as an additional xDSL/cable interface.
IEEE 802.11b with up to 11 Mbps transfer rate in the 2.4 GHz band. IEEE 802.11g with up to 54 Mbps transfer rate in the 2.4 GHz band, up to 108 Mbps in turbo mode (a complement to the standard).

Mbps, afterwards to 2 and finally to 1 Mbps. The transmission distance ranges up to 150 m in open spaces and typically up to 30 m inside buildings. Because different frequency bands are used, IEEE 802.11b is not compatible with IEEE 802.11a.

- is included in the indicated transfer rates. The net data transfer rate can thus be lower than the indicated gross data rates, typically by up to half for all IEEE 802.11 standards mentioned above.
(both network adapters and base stations). To further increase the transmission distance, we recommend operation with additional antennas. IEEE standards: In order to guarantee maximum compatibility, Hirschmann systems fully comply with the IEEE industry standards described in the preceding paragraph.

You will find a table with the allotted frequencies and the licensing regulations in the appendix.

3.1.2 Operation modes of Wireless LANs and base stations
Wireless LAN technology and base stations in Wireless LANs are used in the following operation modes:
LAN becomes more convenient and more efficient. A Wireless LAN with one or more base stations is referred to as an infrastructure network in Wireless LAN terminology. Note: In some devices the access point is built in; these are called WLAN routers.

It is possible to change from one radio cell to another without interruption of the network connection. The transmission of roaming information and data between the base stations is enabled by the wired LAN connection.
Firewall filters of the router allow specific IP addresses, protocols and ports to be blocked. With MAC address filters it is also possible to specifically control the access of workstations in the LAN to the IP routing function of the device.

Wireless bridge between two Ethernet segments: With two base stations, two LANs can be connected via a radio link (point-to-point mode). In this so-called bridge mode, all data is transferred automatically to the remote network.
In the so-called P2MP (point-to-multipoint) operation mode, up to seven remote network segments can be coupled into a single network by wireless bridges. Point-to-station operation: The so-called P2Station (point-to-station) operation connects a single station to a remote LAN.

802.11i and WPA. Those clients that are programmed with the SSID can make use of the radio cell and work with the parameters as defined. The access point treats all clients on an equal basis
This function enables a physical WLAN interface of an access point to be assigned more than one SSID. Up to eight different logical radio cells, each with its own SSID, can be supported by a single WLAN interface.
Figure: SSID='PUBLIC', SSID='PUBLIC', SSID='CLOSED'

Such an authentication can be provided, for example, using certificates or passwords.
Since this part of the key pair cannot be used for decryption, there are no security concerns in publishing it.

The data packet to be encrypted is then XORed byte by byte with this byte stream. The receiver simply repeats this procedure with the same key and in the same order to recover the original data packet.
These weaknesses unfortunately degraded WEP to an encryption scheme which at best can be used to protect a home network against 'accidental eavesdroppers'.

WLAN; the possibility of installing a valid WEP key for the next session is more or less a byproduct. Figure 2 shows the basic process of a session secured by EAP.
EAP/802.1x mentioned previously. The access point packs these packets into RADIUS requests and sends them on to the authentication server. The access point converts the replies coming from the RADIUS server back into EAP packets and sends them back to the client.

These practical hurdles have thus limited EAP/802.1x to professional use so far; the home user must simply make do with WEPplus, or address security problems at the application level.
For this reason, WPA defines countermeasures if a WLAN card detects more than two Michael errors per minute: both the client and the access point break off data transfer for one minute, afterwards renegotiating the TKIP and Michael keys.
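The countermeasure just described, as an added illustration that is not part of the manual and not LCOS code: a small state machine that counts Michael MIC failures in a sliding one-minute window, suspends data transfer for one minute once more than two occur, and records the key renegotiation that must follow. The timestamps fed to it are constructed.

```python
"""WPA/TKIP Michael countermeasure logic (added example, not Hirschmann code).

A station records the time of each Michael MIC failure. When more than two
failures fall within one minute, data transfer is suspended for one minute;
when the suspension ends, TKIP and Michael keys have to be renegotiated.
"""
from collections import deque

WINDOW_S = 60.0    # observation window: one minute
MAX_ERRORS = 2     # more than two errors within the window trigger countermeasures
BLACKOUT_S = 60.0  # data transfer is suspended for one minute


class MichaelCountermeasures:
    def __init__(self):
        self._errors = deque()       # timestamps (seconds) of recent MIC failures
        self._blackout_until = None  # end of the current blackout, if any
        self.rekey_count = 0         # key renegotiations forced so far

    def in_blackout(self, now):
        """True while data transfer is suspended."""
        return self._blackout_until is not None and now < self._blackout_until

    def mic_failure(self, now):
        """Record a MIC failure at time `now`; return True if a blackout starts."""
        if self.in_blackout(now):
            return False  # already suspended, nothing more to do
        self._errors.append(now)
        # drop failures that are older than the one-minute window
        while self._errors and now - self._errors[0] > WINDOW_S:
            self._errors.popleft()
        if len(self._errors) > MAX_ERRORS:
            self._blackout_until = now + BLACKOUT_S
            self._errors.clear()
            return True
        return False

    def can_transmit(self, now):
        """Data frames are allowed unless a blackout is active. When a blackout
        has just expired, the key renegotiation that must precede new traffic
        is counted here."""
        if self._blackout_until is None:
            return True
        if now < self._blackout_until:
            return False
        self._blackout_until = None
        self.rekey_count += 1
        return True


def replay(events):
    """Run a constructed event log; each event is (timestamp, 'mic_fail' | 'tx').
    Returns the list of decisions, one per event."""
    cm = MichaelCountermeasures()
    decisions = []
    for ts, kind in events:
        if kind == "mic_fail":
            decisions.append("blackout" if cm.mic_failure(ts) else "counted")
        else:
            decisions.append("sent" if cm.can_transmit(ts) else "suspended")
    return decisions


if __name__ == "__main__":
    # constructed sample: three forged frames within 20 s, then traffic attempts
    log = [(0.0, "mic_fail"), (10.0, "mic_fail"), (20.0, "mic_fail"),
           (30.0, "tx"), (81.0, "tx")]
    print(replay(log))
```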
EAP/802.11i is used in combination with the key handshake described here.

RC4. Since only the newest generation of WLAN chips contains AES hardware, 802.11i continues to define TKIP, but with the opposite prerequisites: any 802.11i-compliant hardware must support AES, while TKIP is optional; in WPA it was exactly the other way around.
PMK is still stored. If so, the 802.1x phase can be skipped and the connection is quickly restored. This optimization is unnecessary if the PMK in a WLAN is calculated from a passphrase, as that PMK applies everywhere and is already known.

The AES procedure provides security at a level that satisfies the Federal Information Processing Standards (FIPS) 140-2 specifications that are required by many public authorities. Hirschmann equips its 54 Mbps products with the Atheros chip set featuring a hardware AES accelerator. This guarantees the highest possible level of encryption without performance loss.

('IEEE 802.1x/EAP' → page 83) or activate additional encryption of the WLAN connection as used for VPN tunnels ('IPSec over WLAN' → page 84). In special cases, a combination of these two mechanisms is possible.
MAC address can indeed be intercepted, but this method never transmits the passphrase over the wireless link. This greatly increases the difficulty of attacking the WLAN, as the combination of MAC address and passphrase requires both to be known before an encryption can be negotiat-

128 bits. LANconfig: When using LANconfig for the configuration, you will find the list of stations approved for the WLAN in the configuration area 'WLAN Security' on the 'Stations' tab under the button Stations.

"wireless" configuration from a computer with a WLAN card. To use a WLAN client to connect to a new BAT access point for wireless configuration, the WLAN client must be programmed with the 13-character standard WEP key.

An example of rogue APs are access points that a company's employees connect to the network without the knowledge or permission of the system administrators, thereby consciously or unconsciously making the network vulnerable to potential at-
WLAN device appears. Note: Further information can be found under 'Rogue AP and rogue client detection with the WLANmonitor' → page 217.

Conversely, for the BAT Wireless Router in client mode, the background scan function is generally used for improved roaming of mobile WLAN clients. In order to achieve fast roaming, the scan time is limited here, for example, to 260 seconds.
802.11i with AES or WPA with TKIP or WEP. A third group of parameters affects the wireless network operation but is not relevant only to WLANs. These include, for example, the protocol filter in the LAN bridge.

If the stations do not answer these packets, the charging system recognizes the station as no longer active. Configuration with LANconfig: For configuration with LANconfig you will find the general WLAN access settings under the configuration area 'WLAN Security' on the 'General' tab.
'WLAN Security' on the 'Stations' tab. Check that the setting 'filter out data from the listed stations, transfer all other' is activated. New stations that are to participate in your wireless network are added with the button 'Stations'.

"Redirect" is described in detail in the section 'Redirect function' → page 82. Configuration with LANconfig: For configuration with LANconfig you will find the protocol filter under the configuration area 'WLAN Security' on the 'Protocols' tab.
Note: Lists of the official protocol and port numbers are available on the Internet at www.iana.org. Action for the data packets: Let through, Reject, or Redirect (and state the target address). List of interfaces that the filters apply to. Redirect address, used when the 'Redirect' action is selected.
(WEP152) in length. A number of security loopholes in WEP have come to light over time, so the latest 802.11i/WPA methods should be used wherever possible. Note: Further information about the 802.11i and WPA standards is available under 'Development of WLAN security' → page 33.
8 and up to 63 ASCII characters. Note: Please be aware that the security of this encryption method depends on the confidential treatment of this passphrase. Passphrases should not be disclosed to larger circles of users.
Rules for entering the keys can be found in the description of the WEP group key, 'Rules for entering WEP keys' → page 62. Configuration with LANconfig: For configuration with LANconfig you will find the private WEP settings under the configuration area 'WLAN Security' on the '802.11i/WEP' tab.
WEP keys for each physical WLAN interface. Note: If 802.1x/EAP is in use and 'dynamic key generation and transmission' is activated, the group keys from 802.1x/EAP are used and are consequently no longer available for WEP encryption.
Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you will find the group keys for the physical WLAN interface under the following paths:
Configuration tool: Menu/Table
WEBconfig: Expert configuration > Setup > Interfaces > WLAN-Interfaces > Group-Keys
Terminal/Telnet: cd /Setup/Interfaces/WLAN-Interfaces/Group-Keys

WLAN interfaces can be set up for the country where they are operated. Configuration with LANconfig: For configuration with LANconfig, the country settings can be found in the configuration area 'Interfaces' on the tab 'Wireless LAN' in the group 'General':

IP router. Note: So that the IP router can transfer data between LAN and WLAN correctly, both areas must have different IP address ranges and local routing must be activated in the IP router settings.

For configuration with LANconfig you will find the settings for the WLAN card under the configuration area 'Interfaces' on the 'Wireless LAN' tab. Open the list of physical WLAN interfaces by clicking on the button Physical WLAN settings.
In this case the device serves to link a cabled network device to another access point over a wireless connection. Select the operation mode from the tab 'Operation'. If the WLAN interface is not required, it can be completely deactivated.

To prevent the data transfer being interrupted whenever a new channel is selected, a BAT (LCOS version 5.00 and higher) executes the scanning procedure before selecting a certain channel. The following information about the scanned channels is saved in an internal database:
"free" and available for immediate use. As with earlier versions of LCOS, the configuration item 'DFS rescan hours' makes it possible to force the one-minute scan to take place at a time of day when the wireless network is not being used.
WLAN chips (two- or three-chip modules) do not have to meet this standard and, as such, do not have to be upgraded. Hirschmann supplies LCOS firmware versions 7.30 (for the current Wireless Routers and Access Points) and 7.52 (for BAT Wireless L-310agn and BAT Wireless L-305agn) with DFS 2 support.
The reception antenna gain can be increased without exceeding the legal limits on transmission power. This leads to an improvement in the maximum possible range and, in particular, in the highest possible data transfer rates.
Access points are not limited to communications with mobile clients; they can also transfer data from one access point to another. On the 'Point-to-Point' tab of the physical interface settings, you can allow the additional exchange of data with other access points. You can select from:

Interpoint-Settings
Terminal/Telnet: cd /Setup/Interfaces/WLAN-Interfaces/Interpoint-Settings
Client mode: If the BAT Wireless Router device is operating as a client, the tab 'Client mode' can be used for further settings that affect its behavior as a client.
Preferred BSS-ID: If the client station is only supposed to log in to a certain access point, you can enter the MAC address of that access point's WLAN card here.
With address adaptation ('Address Adaption' → page 73) the MAC address of only one connected device is visible to the access point. With Client-Bridge Support, all MAC addresses of the stations in the LAN behind the client station are transmitted transparently to the access point.
Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you will find the settings for the client mode under the following paths:
Configuration tool: Menu/Table
WEBconfig: Expert configuration > Setup > Interfaces > WLAN-Interfaces > Client-Settings
Terminal/Telnet: cd /Setup/Interfaces/WLAN-Interfaces/Client-Settings
Select the desired client EAP method here. Please note that the selected client EAP method must match the settings on the access point that the BAT Wireless Router is attempting to log on to. The following values are available: TTLS/PAP, TTLS/CHAP, TTLS/MSCHAP, TTLS/MSCHAPv2, TTLS/MD5, PEAP/MSCHAPv2
Expert configuration > Setup > WLAN > Indoor-only [default: off]: In the 5 GHz band in ETSI countries, the channel selection is limited to channels 36, 40, 44 and 48 in the frequency range 5.15 to
Number of connections: In this operation mode, the LED uses "inverse flashing" to display the number of WLAN clients that are logged on to this access point. There is a short pause after

For configuration with LANconfig you will find the settings for the logical WLAN interface under the configuration area 'Interfaces' on the 'Wireless LAN' tab. Open the list of logical WLAN interfaces by clicking on the button Logical WLAN settings and select the required logical interface.

Stations) the MAC addresses of the clients which may connect to the access point are entered. With the switch 'MAC filter enabled' the MAC filter list can be switched off for individual logical networks.
WLAN interface under the following paths:
Configuration tool: Menu/Table
WEBconfig: Expert configuration > Setup > Interfaces > WLAN-Interfaces > Network-Settings
Terminal/Telnet: cd /Setup/Interfaces/WLAN-Interfaces/Network-Settings
Transmission settings: Details for the data transfer over the logical interface are set on the 'Transmission' tab.
(in this case the wireless connection) being blocked. A collision results and neither of the transmissions will be successful. The RTS/CTS protocol is used to prevent collisions.

Clients within wireless networks often have one main aspect in common: a high degree of mobility. The clients are thus not always connected to the same access point, but frequently change between access points and the related LANs.
This technology also enables the secure transmission and the regular automatic changing of WEP keys. In this way, IEEE 802.1x improves the security of WEP. IEEE 802.1x technology is already fully integrated in Windows XP. Client software exists for other operating systems.
Router access point is upgraded to a VPN gateway with the VPN Option. In addition to the encryption per 802.11i, WPA or WEP, the BAT Wireless Router then offers the possibility of encrypting wireless connections with an IPSec-based VPN.
Staggered: In this mode, the beacons are not sent together at a particular time; rather, they are divided across the available beacon periods. Beginning at 0 Kµs, only WLAN-1 is sent; after 33.3 Kµs WLAN-2, after
The total number of attempts is thus (soft retries + 1) * hard retries. The advantage of using soft retries at the expense of hard retries is that the rate-adaptation algorithm immediately begins the next series of hard retries with a lower data rate. Default: 0

Note: Lists of the official protocol and port numbers are available on the Internet at www.iana.org. Action: Action performed for the data packets captured by this rule. Pass: The packet is forwarded on without change. Drop: The complete packet is dropped.
Table: example protocol filter rules (entries such as HTTP with action Pass, and Redirect to 192.168.1…). ARP, DHCP and ICMP are allowed to pass, Telnet and HTTP are redirected to 192.168.11.5, and all other packets are rejected.

If several rules apply, the action of the most specific rule is carried out. Parameters are more specific the further down the list of parameters they are, or the further right they appear in the protocol table.

This table can be viewed under Status > LAN Bridge > Connection table. Rules in this table have a higher priority than other matching rules with the 'Transfer' or 'Drop' actions.

Status > LAN Bridge Statistics > DHCP Table. DHCP tracking is enabled on an interface if, for this interface, at least one rule is defined where 'DHCP Source MAC' is set to 'Yes'.
LAN adapters and not as access points (AP). The use of client mode therefore allows devices fitted with only an Ethernet interface, such as PCs and printers, to be integrated into a wireless LAN.

WLAN settings for the desired WLAN interface. Note: The devices have one or more WLAN interfaces depending on the model. The WLAN interface is enabled from the 'Operation' tab. In addition, the WLAN operating mode is set to 'Station (client mode)'.

WLAN settings for the desired WLAN interface. In 'Scan bands', define whether the client station scans just the 2.4 GHz band, just the 5 GHz band, or all of the available bands to locate an access point.
To enter the SSIDs, change to the 'General' tab under LANconfig in the 'Wireless LAN' configuration area. In the 'Interfaces' section, select the first WLAN interface from the list of logical WLAN settings.
To enter the key, change to the '802.11i/WEP' tab under LANconfig in the 'Wireless LAN' configuration area. Under 'WPA / private WEP settings', select the first WLAN interface from the list of logical WLAN settings.

To allow roaming, at least one additional access point must be within range of the client, and it must provide a network with an identical SSID and matching radio and encryption settings.
To achieve fast roaming, the scan time is restricted to e.g. a minimum of 260 seconds (2.4 GHz) or 720 seconds (5 GHz).

Note: Values which are too small may cause the client to detect lost connections more often than necessary. Roaming threshold: This value is the percentage difference in signal strength between access points above which the client will switch to the stronger access point. Default: 15
For example, they can provide a secure connection between two networks that are several kilometers apart, without direct cabling or expensive leased lines. The behavior of an access point when exchanging data with other access points is defined in the "Point-to-point operation mode".

The current signal quality over a P2P connection can be displayed on the device's LEDs or in LANmonitor in order to help find the best possible alignment for the antennas. Right-clicking with the mouse on 'Point-to-point' activates the option 'Adjusting Point-to-Point WLAN Antennas...'
Once signal monitoring has commenced, the P2P dialog displays the absolute values for the current signal strength and the maximum value since starting the measurement. The development of the signal strength over time and the maximum value are also displayed in a diagram.

For each of the maximum of six P2P connections, enter either the MAC address of the WLAN card at the remote station or the WLAN station's name (depending on the chosen method of identification).
Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you can adjust the settings for the point-to-point connections under the following paths:
Configuration tool: Menu/Table
WEBconfig: Expert configuration > Setup > Interfaces > WLAN-Interfaces > Interpoint-Settings
Terminal/Telnet: cd /Setup/Interfaces/WLAN-Interfaces/Interpoint-Settings
WLAN interface. In the point-to-point configuration, select the identification by station name and enter the name of the corresponding station.
LANconfig: Wireless LAN > General > Point to point partners
WEBconfig: Setup > Interfaces > WLAN interpoint peers

WLAN interface (i.e. WLAN-1 if you are using the first WLAN card for the P2P connection, WLAN-2 if you are using the second card, e.g. with an access point with two WLAN modules). Activate the 802.11i encryption. Select the method '802.11i (WPA)-PSK'.

Interfaces > WLAN-Interfaces > Encryption-Settings
Terminal/Telnet: /Setup/Interfaces/WLAN-Interfaces/Encryption-Settings

3.7.5 LEPS for P2P connections
A further gain in security can be attained by additionally using BAT Enhanced Passphrase Security (LEPS), which involves the matching of MAC address and passphrase.

What antennas must be used for the desired application? How must the antennas be positioned to ensure a problem-free connection? What performance characteristics do the antennas need to ensure sufficient data throughput within the legal limits?
To ensure that Fresnel zone 1 remains unobstructed, the height of the antennas must exceed that of the highest obstruction by this radius. The full height of the antenna mast (M) should be as depicted:
In between there are attenuating elements, such as the cable, plug connections or simply the air carrying the signals, and amplifying elements, such as the external antennas.

The areas where the waves amplify or cancel each other out are known as Fresnel zones.
To ensure that Fresnel zone 1 remains unobstructed, the height of the antennas must exceed that of the highest obstruction by this radius. The full height of the antenna mast (M) should be as depicted:

Figure: link budget. Transmit side: output power of the radio module, loss through cable, plugs and lightning protection, amplification with antenna gain. Receive side: amplification with antenna gain, loss through cable, plugs and lightning protection, input signal at the radio module.
18 dBm. The total power output from the antenna is thus: 12 dBm + 18 dBm = 30 dBm. Note: This power emission must be within the legal limits of the country where the antenna is in operation!
72 (Turbo), 96 (Turbo), 108 (Turbo). Note: These values are the result of a calculation that includes a 'safety margin' of 10 dB. As every radio path is unique, these values can only serve as a rough guide.
3.8.3 Emitted power and maximum distance
Please refer to the "Hirschmann Antenna Guide" (download from www.hirschmann-ac.com) for concrete antenna data.

3.8.4 Transmission power reduction
Every country has regulations concerning the permissible output power from WLAN antennae, often with differences according to the WLAN standard or divided according to indoor or outdoor use.

Note: The significance of the Rx and Tx values depends on the device's operating mode. In this case, as a client, Tx stands for "Send data" and Rx stands for "Receive data".

IEEE 802.11a standard, which had already been available for a while. The wider use of 5 GHz WLANs was, however, restricted by its exclusive use in closed spaces and the relatively low transmission power.
This includes radar equipment that counts as a "primary application". "Secondary applications" such as WLAN have to change the frequency as soon as a conflict is detected. Dynamic Frequency Selection – DFS
GHz; DFS and TPC are not possible here). The higher maximum transmission power not only compensates for the higher attenuation of 5 GHz radio waves in air, it also makes noticeably longer ranges possible than in the 2.4 GHz range.

The following overview shows which channels may be used in the different regions.
Table: Channel, Frequency, ETSI (EU), FCC (US), Japan; rows for 5.180, 5.200, 5.220, 5.240, 5.260, 5.280, 5.300, 5.320, 5.500, 5.520, 5.540 and 5.560 GHz (the channel numbers and region permission marks did not survive extraction).
What is the difference between these three possibilities? On one hand, the availability: Configuration via outband is always available. Inband configuration is not possible, however, in the event of a network fault. Remote configuration is also dependent on an ISDN connection. BAT54-Rail/F.. Release 7.54 06/08...
(inband and remote configuration). The following table shows, how you can use the configuration: Configuration LAN, WAN, Config Interface ISDN remote Analog dail-in (with BAT Modem software WLAN (Outband) configuration Adapter Kit) (Inband) LANconfig WEBconfig SNMP BAT54-Rail/F.. Release 7.54 06/08...
(Rx, TX, ground only), hence the hardware handshake has to be deactivated. The BAT54-Rail featurees a fully-fledged serial interface which sup- ports the hardware handshake of the terminal program. Caution: If the hardware handshake is not well configured, some char- acters may get lost while transmitting script or configuration files result- ing in a damaged device configuration.
Note: If the firewall is activated the LANconfig might not be able to find the new device in the LAN. In this occasion deactivate the firewill whilst the configuration. Your BAT device is equipped with an extensive firewall and protects your computer even if no further firewall is active. BAT54-Rail/F.. Release 7.54 06/08...
The 'Simple configuration display' mode only shows the settings required under normal circumstances. The 'Complete configuration display' mode shows all available configuration options. Some of them should only be modified by experienced users. Select the display mode in the View > Options menu.
'drag and drop' into the desired folders. Note: LANconfig shows only those parameters that are suitable for multi-device configuration when more than one device is selected, e.g. MAC Access Control Lists for all BAT Wireless Access Points.
Note: For maximum security, please ensure that the latest version of your Internet browser is installed. For Windows 2000, Hirschmann recommends the "High Encryption Pack" or at least Internet Explorer 5.5 with Service Pack 2 or above.
If there is a DNS server for name resolution in the LAN which exchanges the assignment of IP addresses to names with the DHCP server, then the device can be accessed by the name "BAT <MAC address>" (e.g. "BAT-00a057xxxxxx").
Note: Linux and Unix also provide Telnet over SSL-encrypted connections. Depending on your distribution you might have to replace your version with one that provides SSL. The encrypted Telnet connection is started with the command C:\>telnet -z ssl 10.0.0.1 telnets
→ the device (BAT 'Scripting' page 181). cd [path]: Change the current directory. Certain abbreviations exist, e.g. "cd ../.." can be abbreviated to "cd ..." etc. del [name]: Delete the table entry with the index <name>
Show which values are allowed for a configuration item. If [path] is empty, this is displayed for each item in the current directory. setenv <NAME> <VALUE>: Set environment variable. unsetenv <NAME>: Remove environment variable. getenv <NAME>: Read out environment variable (no newline)
"ping ?" displays the options for the built-in PING command. A complete listing of available commands for a particular device is available by entering '?' from the command line.
The files on a TFTP server can be loaded with the following commands: LoadConfig, LoadFirmware, LoadScript. These commands can be used with the following parameters: -s <server IP address or server name> -f <directory and file name> In the directory and file name the following variables are permitted:
Your BAT can export a so-called device MIB file (Management Information Base) for use in SNMP programs. Configuration tool / Call: WEBconfig: Get Device SNMP MIB (in main menu). TFTP: tftp 10.0.0.1 get readmib file1
Alternatively, you can use LANconfig under Tools > Options > Extras to enter your SSH client as an "external program"; then start the SSH access with a right mouse click on the device and open WEBconfig/Console session > Open SSH session.
The pairs consisting of public and private keys can be generated with the help of the open-source software OpenSSH, for example. The following command on a Linux operating system creates a key pair consisting of the public part 'id_rsa.pub' and the private part 'id_rsa': ssh-keygen -t rsa (choose a key length of at least 2048 bits with -b, and protect the private key with a passphrase)
BAT Router. When the BAT Router finds an entry in the list that includes the user name that cor-
In this case you can save a great deal of work by first importing identical parameters as a basic configuration and then only making individual settings on the separate devices.
4.6 New firmware with Hirschmann FirmSafe The software for devices from Hirschmann is constantly being further devel- oped. We have fitted the devices with a flash ROM which makes child's play of updating the operating software so that you can enjoy the benefits of new features and functions.
In this case the configuration software notifies a conflict and recommends the use of the "converter". This converter can be downloaded free of charge from the Hirschmann website. With the converter the memory in the BAT is divided into a larger area for the new firmware version and a smaller area for the existing version.
The minimal firmware cannot be configured. Changes to the configuration over LANconfig, WEBconfig or Telnet are not saved in the device. 4.6.2 How to load new software There are various ways of carrying out a firmware upload, all of which pro-
Figure: device labels ETH1, ISDN, Config (COM), Reset, Antenna Main. Note: After applying the reset, the device will start fresh with factory defaults. All settings will be lost. Therefore, you should save the current configuration if possible before the reset!
Caution: This hard reset causes the device to start with the default factory settings; all previous settings are lost! Caution: Note that resetting the device leads to a loss of the WLAN encryption settings within the device and that the default WEP key is active again. Because WEP is weak and a default key is not a secret, reconfigure the WLAN encryption before the device goes back into the production network.
Supervisor: member of all groups, has full access to the configuration. Admin-RW: limited local administrator with read and write access. Admin-RO: read-only local administrator with read access but no write access. None: no access to the configuration.
TFTP or SNMP. Access with LANconfig: A user with supervisor rights can log in to LANconfig by entering his user data into the Password field of the login window in the combination <Username>:<Password>.
('Password protection for SNMP read-only access.' → page 175). If this access is not allowed, then the 'public' community will have access to no menus at all. Otherwise, the same limitations on rights apply for the menus as with Telnet.
Further administrators. Enter the following values: Name for the new administrator, with password. Access rights. Function rights. Note: You can temporarily deactivate the entries without having to delete them completely with the button 'Entry active'.
Second column from the right: 1 (RAS Wizard) + 4 (Change Time) = "5" (hexadecimal). Third column from the right: 1 (WLAN-Linktest) = "1" (hexadecimal). For this example, the function rights are entered with the value "0000015a".
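The nibble arithmetic of the worked example, generalised into an encoder and decoder for the eight-digit function-rights value. This is an added example, not part of the manual or the LCOS firmware. Only the three bits named on this page (RAS Wizard, Change Time, WLAN-Linktest) are mapped; the rightmost digit 'a' of the example is passed in as a raw column value because its bits are not explained here, and any other bit must be taken from the manual's full rights table.

```python
"""Compose and decode the function-rights value from the manual's worked example.

Added example; not part of the manual. The value is eight hexadecimal digits; each
digit (column) is the sum of the bit values (1, 2, 4, 8) of the rights it covers,
columns being counted from the right starting at 1. Only the bits named on this
page are mapped here; every other bit must be taken from the full rights table.
"""

# (column counted from the right, bit value) per right, as named on this page
FUNCTION_RIGHT_BITS = {
    "RAS Wizard":    (2, 1),
    "Change Time":   (2, 4),
    "WLAN-Linktest": (3, 1),
}
WIDTH = 8  # the manual writes the value with eight hex digits, e.g. "0000015a"


def encode_function_rights(rights, extra_columns=None):
    """Return the hex string for the named rights plus any raw column values
    (extra_columns maps column number -> nibble) that are not mapped above."""
    columns = [0] * WIDTH
    for name in rights:
        column, bit = FUNCTION_RIGHT_BITS[name]
        columns[column - 1] |= bit
    for column, nibble in (extra_columns or {}).items():
        if not 0 <= nibble <= 0xF:
            raise ValueError(f"column {column}: {nibble:#x} is not a single hex digit")
        columns[column - 1] |= nibble
    # column 1 is the rightmost digit, so reverse before joining
    return "".join(f"{nibble:x}" for nibble in reversed(columns))


def decode_function_rights(value):
    """Return {column: [bit values set]} for a hex function-rights value."""
    digits = value.strip().lower()
    if len(digits) != WIDTH or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"expected {WIDTH} hex digits, got {value!r}")
    decoded = {}
    for column, digit in enumerate(reversed(digits), start=1):
        nibble = int(digit, 16)
        bits = [b for b in (1, 2, 4, 8) if nibble & b]
        if bits:
            decoded[column] = bits
    return decoded


def named_rights(value):
    """List the rights a value grants, naming the ones this page documents and
    flagging the bits whose meaning is not on this page."""
    by_bit = {bit: name for name, bit in FUNCTION_RIGHT_BITS.items()}
    names = []
    for column, bits in sorted(decode_function_rights(value).items()):
        for bit in bits:
            names.append(by_bit.get((column, bit), f"column {column} bit {bit} (not mapped here)"))
    return names


if __name__ == "__main__":
    value = encode_function_rights(["RAS Wizard", "Change Time", "WLAN-Linktest"],
                                   extra_columns={1: 0xA})  # the page's rightmost digit 'a'
    print(value, named_rights(value))
```

Decoding an existing administrator entry with named_rights is the quicker way to audit which rights a value actually grants; any bit reported as "not mapped here" should be looked up before the account is left in place.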
WLAN link test, readconfig, writeconfig, writeflash, setenv, testmail, time [table of the rights each command requires; the rights columns did not survive extraction]. The 'time' command can also be executed if the user possesses the function right to set the system time.
HTTP tunnel. Network access to devices released in this way is not transferable! Configuring the TCP/HTTP tunnel: The following parameters are available for configuring the HTTP tunnel in the BAT: Configuration tool / Call: WEBconfig, Telnet: Expert configuration > Setup > HTTP
BAT Router behind which the device to be released is located. If necessary obtain the required login data from the responsible administrator. In the area 'Extras', select the entry Create TCP/HTTP tunnel
TCP-IP > HTTP to access the list of active tunnels and delete the one you no longer require. Note: Although active TCP connections in this tunnel are not terminated immediately, no new connections can be established.
Routing tag of the loopback address. Loopback addresses with the routing tag '0' (untagged) are visible to all networks. Loopback addresses with a different routing tag are only visible to networks with the same routing tag. Values: 0 to 65,535. 0: Untagged. Default: 0
WEBconfig, Telnet: Expert configuration > Setup > WAN > Polling table. Peer: Name of the remote station which is to be checked with this entry. IP address 1 - 4: IP addresses for targeting with ICMP requests to check the remote site.
(NTP server). The BAT can then provide the time to all stations in the local network. When defining the time server, the name or IP address of the NTP server being queried by the BAT Router can be entered, as well as loopback addresses.
Name of a loopback address. Any other IP address. 4.9.3 Loopback addresses for SYSLOG clients The SYSLOG module enables the logging of accesses to the BAT Router. SYSLOG clients are set up to be able to receive the SYSLOG messages.
Logins: Messages concerning the user's login or logout during the PPP negotiation, and any errors that occur during this. System time: Messages about changes to the system time. Console logins: Messages about console logins (Telnet, Outband, etc.), logouts and any errors that occurred during this.
Debug: Output of all debug messages. Debug messages generate large data volumes and can compromise the device's operation. For this reason they should be disabled for normal operations and only used for trouble-shooting (general SYSLOG priority: DEBUG).
Network management with the LANtools primarily involves the following functions: device configuration; management of configurations, i.e. saving and restoring the settings; updates to the latest firmware versions; activation of additional software options; monitoring of device status; connection monitoring (including VPN); monitoring of firewall actions.
If the list in LANconfig contains multiple devices, just click on the device of your choice with the right mouse button to open a context menu offering the following actions:
Configure: Opens the LANconfig configuration dialog for the selected device. Check: Checks whether the selected device can be contacted. Firmware upload: Uploads firmware simultaneously to all selected devices. Apply Script: Applies a configuration script to all selected devices.
Note: When setting the time, please observe the functions of the BAT as NTP client and NTP server ('Time server for the local net' → page 486). Delete: Deletes the selected devices from the LANconfig list.
Use user-specific settings: Activates the use of the lanconf.ini file in the current user's directory ..\User\Application Files\BAT\LANconfig. With this option activated, changes to the program settings are saved to this ini file. Possible values: On/off. Default: Off
Devices can also be moved from one folder to another in this way. Note: The arrangement of devices in folders affects only the display of the devices within LANconfig. The organization of the folders has no influence on the configuration of the devices.
LANconfig allows multiple configuration dialogs to be opened at the same time ("multithreading"). After opening the configuration for a device, simply open further configurations from the device list in LANconfig. All of the configurations can be processed in parallel.
Simply click on the column header with the right mouse button and use Select columns. The menu item Arrange icons allows you to sort the items as you prefer.
BAT models and LCOS versions are, ideally, saved to a central archive directory. The search for new versions of the firmware in this directory can either be initiated manually or automatically after starting LANconfig.
Firmware management > Check for firmware update. If you wish to update several devices simultaneously, the entry Check for firmware updates is displayed directly in the context menu.
LANmonitor, can be password protected. This uses the same user data as for access to LANconfig. Password protection of SNMP access means that the user data must be entered before information about the device status, etc. can be accessed over SNMP.
A user without rights has no SNMP access to the device's information. LANconfig: For configuration with LANconfig, you will find the switch for SNMP access in the configuration area 'Management' on the 'General' tab.
LANconfig or specifically for each individual device. The global settings override the specific settings here; therefore, in the specific device settings, only the settings allowed in the global configuration can take effect.
HTTPS, HTTP and TFTP are attempted in that order. Caution: The device-specific settings are subordinate to the global communications settings. This allows, for example, the use of a protocol to be restricted centrally.
A protocol can therefore only be used for operating a device when it is also activated in the global settings. 5.2.8 LANconfig behavior at Windows startup LANconfig can be started automatically when the operating system starts.
) may interpret this change as an attack and may issue a warning or even prevent the entry from being made. In order for LANconfig's startup behavior to be controlled as desired, you can ignore these warnings and allow the changes to be made.
This ensures that the configuration is available only until the next system boot, so that in case of theft, for example, sensitive elements of the configuration cannot fall into the wrong hands.
The configuration commands in the script file initially affect only the configuration that is stored in the device's RAM. The flash mode then determines whether or not the changes are to be written to the flash memory as well.
The script can be generated entirely with a text editor. Alternatively, the configuration, or a section of it, is read out of a device, stored as a script file and then altered with a suitable text editor.
This method is especially advantageous when dealing with larger configuration files as it avoids the potentially confusing method of using the Clipboard. Set up a connection to the device with Hyperterminal.
Enter the sections to which the script should be transferred into this field, e.g. /setup/wlan. 5.3.4 Uploading configuration commands and script files There are two basic methods of uploading the script commands to the intermediate memory of the BAT:
Entering the command exit executes the configuration commands. Note: If the command exit is already included in the commands after pasting, the configuration is executed automatically immediately after pasting!
Upload script with Hyperterminal: A further way to upload scripts to a BAT is to use a terminal program such as Hyperterminal as supplied with Windows. Set up a connection to the device with Hyperterminal.
BAT in its current state. In the simplest case, the BAT lists only commands that are relevant to those parameters that no longer have the factory settings. Syntax: readscript [-n][-d][-c] [-m] [PATH] Note: Supervisor rights are necessary to execute this command.
Only those table entries or values which cannot be left empty are directly changed with the Set command. Note: The table lines or strings containing passwords are displayed in plain text, as this is the format required by the Telnet user interface. Script files produced by readscript therefore contain credentials and must be stored and transferred with the same care as the passwords themselves.
This command deletes the table in the branch of the menu tree defined with Path. Syntax: del [PATH]* default: This command enables individual parameters, tables or entire menu trees to be reset to their factory settings. Syntax: default [-r] [PATH]
The command killscript deletes the content of a script session that has not yet been executed. The script session is selected by its name ('show script' → page 193). Note: Supervisor rights are necessary to execute this command. flash Yes/No
Highly convenient installation wizards are available to help you with the configuration of BAT Access Points for your wireless LAN. The settings include the general shared parameters and also the individual settings for one or more logical wireless LAN networks (WLAN radio cells or SSIDs).
Access Point over a wireless connection. In this operating mode, parallel point-to-point connections are not possible. For further information please refer to section → Client Mode.
IP address are uploaded as well. Group configuration with LANconfig enables the easy import of partial configuration files and thus makes the simultaneous administration of multiple devices a reality.
Then click on the folder with the right mouse button and select the entry New group configuration... from the context menu. After selecting the group type and the firmware version, the LANconfig configuration dialogue opens with a reduced selection of configuration options.
Properties from the context menu. Note: The group configuration is a link to the partial configuration file. Please note that changes to the partial configuration file will lead to changes in that group configuration.
'OK'. Note: It is also possible to use the partial configuration for a device as a group configuration. Simply drag the device entry onto the group configuration entry.
To activate a group configuration, click on the entry with the right mouse button and select Active from the context menu. All other group configurations are then deactivated automatically. Note: Different group configurations in one folder may not be linked to the same partial configuration file.
WEBconfig start page. Possible values: On, off. Default: Off. Title: The name for the Rollout Wizard that appears on the start page of WEBconfig. Possible values: Maximum 64 alphanumerical characters. Default: Roll-out
This default text must be shorter than the maximum length, otherwise it will be truncated. Password: ...displayed while being entered. The password has to be entered twice. The Rollout Wizard will execute no actions if the passwords do not agree.
[Protocol:]Argument. If no protocol is entered, 'exec.' is applied. exec: Executes any command just as it is used in Telnet to configure a BAT. The following example sets the name of the device to 'MyLANCOM':
When being executed, the arguments can be defined with the start value and increment. This action renumbers the entries starting with the start value and continuing with the increment as chosen. If the start value and
The information that can be taken from the overview includes, among others, details about active WAN connections, the five most recent firewall messages, the current VPN connections and system information about charges and online times.
Last error message. IP address of the gateway. Encryption information. Accounting information: The accounting information is a protocol of the connections from each station in the LAN to remote sites in the WAN. The detailed information recorded includes
VPN, LANCAPI and a/b port, and a list of firewall activities. The detailed information recorded includes: Date and time, Source, Message. Firewall actions log: The firewall actions log lists the last 100 actions taken by the firewall. The detailed information recorded includes
In addition to the device statistics that can also be read out during a Telnet or terminal session or using WEBconfig, a variety of other useful functions are also available in LANmonitor, such as the enabling of an additional charge limit.
Note: Many important details on the status of the BAT are not displayed until the display of the system information is activated. These include, for example, the ports and the charge management. Therefore, we recommend that interested users activate the display of the system information.
IP address of the router that you would like to monitor. If the configuration of the device is protected by a password, enter the password too. Alternatively, you can select the device in LANconfig and monitor it using Device > Monitor Device.
If you would like a log of the LANmonitor output in file form, select Device > Device Activities > Logging and go to the 'Logging' tab. To open the dialog for the settings for the activity protocol, click on Tools > Options.
5.7.4 Tracing with LANmonitor Traces can be executed very easily with LANmonitor. Simply click on the entry for the device with the right mouse button and select Traces from the context menu.
As soon as the trace results are returned, the other buttons are deactivated. (Button descriptions; the button icons did not survive extraction.) Stops the output of trace results. Switches to the mode for configuring the trace output.
WLANmonitor can also collect access points into groups. These groups may consist of access points gathered in buildings, departments, or at particular locations. In particular with large WLAN infrastructures, this helps to keep an overview of the entire network.
Access point: Name of the access point that the client is logged on to. SSID: Identifier for the WLAN network. Encryption: Type of encryption used for the wireless connection. WPA version (WPA-1 or WPA-2). MAC address: Hardware address of the WLAN client
Further, WLAN information can be called up according to groups. You can group your access points according to their departments, locations or applications (e.g. public hotspot), for example.
WLAN and attempt to log on to one of the access points, for example, in order to use the Internet connection or in order to gain access to secured areas of the network.
The WLANmonitor uses the following groups for sorting the APs that are found: All APs: List of all scanned WLAN networks, grouped as follows. New APs: New, unknown and unconfigured WLAN networks are automatically grouped here (APs displayed in yellow)
'Rogue Client Detection' while displaying the following information: time of first and last detection, MAC address of the client, network name. Note: No configuration of the BAT Wireless Router is necessary to make use of rogue client detection.
Tools > Options > General: Rogue AP detection activated: Activate this option if WLANmonitor is to display unknown or unconfigured access points. Rogue client detection activated: Activate this option if WLANmonitor is to display unknown or unconfigured clients.
Note: In order to send e-mail alerts, the computer on which WLANmonitor is running requires a standard e-mail client (MS Outlook Express or Mozilla Thunderbird) that allows automatic mail transmission to be configured, and it must be running.
SMS to a system administrator's mobile telephone. The following requirements have to be met for messaging: The status of the VPN connection must be monitored, for example by means of "dead peer detection" (DPD).
In this way the administrator receives an alert even if the VPN gateway at the central location fails, which could otherwise prevent any messages from being transmitted.
03:00h and switched on again three minutes after 03:00h. The number 1 following the path to the action table is an index that stands for the first entry in the table.
... in combination with the trace causes the following (the parameter codes did not survive extraction): displays a help text; switches on a trace output; switches off a trace output; switches between different trace outputs (toggle); no code: displays the current status of the trace
Messages from the activity protocol. Cron: cron table. RADIUS: RADIUS trace. Serial: Status of serial interface. Status of USB interface. Load-Balancer: Load balancing information. VRRP: Information concerning Virtual Router Redundancy Protocol. Ethernet: Status of Ethernet interface
Some traces, such as the IP router trace or the VPN trace, produce a large number of outputs. The amount of output can become unmanageable. The trace filters allow you to sift out the information that is important to you.
"port: 80" is in quotes so that the space is recognised as part of the string. 6.1.7 Recording traces Traces can be conveniently recorded under Windows (e.g. as an aid to Support), and we recommend you do this as follows:
SYSLOG information over an appropriate SYSLOG client, the 100 most recent SYSLOG messages are stored in the device's RAM. This means that the SYSLOG messages can be viewed directly on the device to help with diagnosis. Because this buffer lives in RAM and holds only 100 entries, it is lost on a reboot and overwritten quickly; for incident analysis, forward the messages to an external SYSLOG server as well.
127.0.0.1) as the SYSLOG client; for this client, you then activate only certain sources and/or priorities. LANconfig: For configuration with LANconfig you can open the list of SYSLOG clients under the configuration area 'Log & Trace' on the 'SYSLOG' tab using the SYSLOG clients button.
Configuration tool / Call/Table: WEBconfig: Expert-Configuration > Setup > SYSLOG > Table-SYSLOG. Terminal/Telnet: /Setup/SYSLOG/Table-SYSLOG. 6.2.3 Read-out SYSLOG messages To read the SYSLOG messages, access the statistics under WEBconfig or Telnet. The SYSLOG output can be accessed under Status > TCP-IP-statistics > Syslog-statistics:
Ping command gives no output on the console. Change to traceroute mode: every intermediate station passed by the data packet is listed. -s n: Sets the packet size to n bytes (max. 1472). -i n: Time between the packets in seconds
6.4 Monitoring the switch Data transmission over the switch of the devices only takes place on the port the target computer is attached to. Therefore the connections on the other ports are not visible.
Setup > Interfaces > Ethernet-Ports. Terminal/Telnet: /Setup/Interfaces/Ethernet-Ports. 6.5 Cable testing A cabling defect might have occurred if no data is transmitted over the LAN or WAN connection, although the configuration of the devices does not show any discernible errors.
10 meters distance. Open, with indication of distance: Cable is plugged in, but defective at the indicated distance. Impedance error: The pair of cables is not terminated with the correct impedance at the other end.
Needless to say, the parameters that you have set should not be modified by unauthorized persons. The BAT thus offers a variety of options to protect the configuration. 7.1.1 Password protection The simplest option for the protection of the configuration is the establishment of a password.
If an employee with access to a password leaves the company, it is high time to change this password. A password should also always be changed when there is the slightest suspicion of a leak. BAT54-Rail/F.. Release 7.54 06/08...
If barring is activated on one port, all other ports are automatically barred too. The following entries are available in the configuration tools to configure login barring:
Lock configuration after (Login-errors)
Note: If no configuration MSN is entered when configuring for the first time, remote configuration is switched off and the device is protected from access over the ISDN line. Change to the register card 'Admin' in the 'Management' configuration area
Page 241
I.e. all connections incoming on the Admin MSN are not limited by the access restrictions for remote networks. Note: If you want to switch off ISDN remote management completely, leave the Admin MSN field empty.
Page 242
'denied'. You can reach the configuration of the access list with WEBconfig or Telnet via the following paths:
Configuration tool | Call
WEBconfig | Expert Configuration > Setup > Config > Access-list
Terminal/Telnet | /Setup/Config-Modul/access-list
Page 243
The filter entries can designate both individual computers and whole networks. With WEBconfig or Telnet you reach the configuration of the access list via the following paths:
Configuration tool | Call
WEBconfig | Expert Configuration > Setup > TCP-IP > Access-list
Terminal/Telnet | /setup/TCP-IP/access-list
Have you assigned a password to the SNMP configuration? Protect the SNMP configuration with a password as well. The field for protecting the SNMP configuration with a password is also found in LANconfig in the 'Management' configuration area on the 'Security' tab.
Page 245
Firewall. Only those connections that are explicitly desired then have to be allowed by a dedicated Firewall rule. Thus 'Trojans' and certain email viruses lose their way of communicating back. The Firewall rules are summarized in LANconfig under 'Firewall/QoS' on the register card 'Rules'.
Page 246
Keep saved configurations in a safe place, protected against unauthorized access. A saved configuration could otherwise be loaded into another device by an unauthorized person, enabling, for example, the use of your Internet connections at your expense.
Page 247
With 802.11i, WPA or WEP you can encrypt your data in the radio network with different encryption methods such as AES, TKIP or WEP. Hirschmann recommends the most secure encryption, 802.11i with AES. If the WLAN client adapter in use does not support these, use TKIP or at least WEP.
Use of LAN workstations for the attacker's own purposes, e.g. for distributing their own content, attacks on third-party workstations, etc.
Modifying data on LAN workstations, e.g. to obtain even further ways of access.
IP protocol, the search for open ports is also called “port scanning”. For this purpose the attacker uses a certain program to send inquiries for particular services, either generally from the Internet or only to certain networks and unprotected workstations, which in turn give the corresponding answer.
But it is probably only a matter of time until a defenceless workstation installed on the Internet will - perhaps even accidentally - become the victim of attacks.
Firewalls called “rules” or “guidelines”. Depending on the kind of information that is used to create the rules and that is checked during operation of the Firewall, one distinguishes different types of Firewalls.
The following details belong to the analyzed information:
IP address of source and destination
Transfer protocol (TCP, UDP or ICMP)
Page 254
FTP connection. An alternative is to use passive FTP. Here the client itself establishes the connection to the server over a particular port agreed on beforehand. This process is, however, not supported by all clients/servers.
Stateful Inspection dynamically adds these additional ports to the connection state list as well, limited of course to the particular source and destination addresses.
Page 256
Therefore, complete IP packets can be checked by the Firewall, rather than individual parts only.
Page 257
For each application to be allowed through this gateway, a separate service is set up, e.g. SMTP for mail, HTTP for surfing the Internet or FTP for data downloads.
Page 258
Note: Functions of Application Gateways are not supported by the BAT, mainly because of the high hardware demands.
8.3.1 How the BAT Firewall inspects data packets
The Firewall filters out of the entire data stream running through the IP router of the BAT only those data packets for which a special treatment has been defined.
Page 260
LAN stations, and not with the externally known Internet address of the BAT. The BAT Firewall uses several lists for checking data packets; these are automatically generated from Firewall rules, from resulting Firewall actions or from active data connections:
Page 261
[Block diagram of the data path through the BAT: LAN / Switch, WLAN-1-1 to WLAN-1-8, WLAN-2-..., IP router, IP-Redirect, IPX router, VPN / PPTP, IPX over PPTP / LANCAPI, WAN interfaces (DSLoL, ADSL, ISDN), internal services (RIP, NTP, SNMP, SYSLOG, SMTP), configuration and management (WEBconfig, Telnet, TFTP)]
Examples of such protocols are FTP, H.323 and also many UDP-based protocols. With these, further connections must be opened in addition to the first connection. See also ’Different types of Firewalls’ → page 253.
Page 263
UDP connection are covered.
8.3.3 General settings of the Firewall
Apart from individual Firewall rules, which provide the entries in the filter, connection and block lists, some settings apply generally to the Firewall:
Firewall/QoS enabled
Administrator email (→ Page 265)
Fragments (→ Page 265)
Page 265
The Firewall enters all currently permitted connections into the connection list. Entries disappear automatically from the connection list after a certain time (timeout) when no more data that would re-trigger the timeout has been transmitted over the connection.
Page 266
Possible settings are:
Off: ICMP answers are not blocked.
Always: ICMP answers are always blocked.
WAN only: ICMP answers are blocked on all WAN connections.
Default route only: ICMP answers are blocked on the default route (usually Internet).
Page 267
“conformingly”. The problem here, however, is that a setting which hides all ports but rejects the ident port is unreasonable, if only because rejecting the ident port would make the BAT visible.
The higher the priority of the Firewall rule, the earlier it is placed in the corresponding filter list. Note: For complex rule types please check the filter list as described in section ’Firewall diagnosis’ → page 295.
Page 269
VPN rule will be derived from this Firewall rule. Apart from this basic information, a Firewall rule answers the questions of when and/or to what it should apply and which actions should be executed:
Page 270
In section ’How the BAT Firewall inspects data packets’ → page 259 we have already described that in the end the lists for checking data packets are created from Firewall rules. Thus the extended block diagram looks as follows:
Page 271
The entire local network (LAN)
Certain remote stations (described by the name in the remote site list)
Certain stations of the LAN (described by the host name)
Certain MAC addresses
Ranges of IP addresses
Complete IP networks
Page 272
Every network device has its own MAC address. MAC addresses are unique worldwide, similar to serial numbers. MAC addresses make it possible to distinguish between PCs in order to grant or withdraw dedicated rights at the IP level. MAC addresses can be found on most networking devices in hexadecimal form (e.g. 00:A0:57:01:02:03).
Page 273
SNMP/LANmonitor: Sends an SNMP trap that can be analyzed, e.g., by LANmonitor.
Note: Each of these three message measures automatically leads to an entry in the Firewall event table.
Disconnect: Cuts the connection over which the filtered packet has been received.
Let us assume a filter named 'BLOCKHTTP' that blocks all access to the HTTP server 192.168.200.10. If some station nevertheless tried to access the server, the filter would block any traffic from and to this station and also inform the administrator via SYSLOG.
Page 275
0 packets transmitted or received on a connection
because of this the actions below were performed:
drop
block source address for 1 minutes
send syslog message
send SNMP trap
send email to administrator
Page 276
Configuration tool | Call
WEBconfig | Expert Configuration > Setup > IP Router > Firewall
Terminal/Telnet | /Setup/IP-Router/Firewall
To send an email, the required settings must be entered in LANconfig in the configuration area 'Log & Trace' under the tab 'SMTP Account'.
Page 277
SNMP: Message type = SNMPv1
SNMP: Version = 1 (0x0)
SNMP: Community = public
SNMP: PDU type = SNMPv1 Trap
SNMP: Enterprise = 1.3.6.1.4.1.2356.400.1.6021
SNMP: Agent IP address = 10.0.0.43
SNMP: Generic trap = enterpriseSpecific (6)
Page 278
SNMP: Specific trap = 26 (0x1A)
SNMP: Time stamp = 1442 (0x5A2)
1. System descriptor
SNMP: OID = 1.3.6.1.2.1.1.1.0
SNMP: String Value = BAT54-Rail 2.80.0001 / 23.09.2002 8699.000.036
2. Device string (System-Name)
SNMP: OID = 1.3.6.1.2.1.1.5.0
SNMP: String Value = BAT54-Rail
3. Time stamp
SNMP: OID = 1.3.6.1.4.1.2356.400.1.6021.1.10.26.1.2.1
Firewall is configured in such a way that only the following accesses are possible: Stations from the Internet can access the servers in the DMZ, but no access from the Internet to the LAN is possible.
Page 280
Some BAT models support this structure with a separate LAN interface used only for the DMZ. Looking at the path of the data through the BAT, the function of the Firewall in shielding the LAN against the DMZ becomes visible.
Firewall rules, you will find some hints for your specific application in the following. For BAT devices with VoIP functions, whether already integrated or added with a software option, the ports required for voice connections are activated automatically.
Page 282
With the help of scripts, firewall rules can easily be transferred to devices and software (’Scripting’ → page 181). Example scripts are available in the BAT KnowledgeBase under www.hirschmann.com/support. Note: If you operate a web server in your LAN that has been permitted access to this service from the outside (see ’IP masquerading’...
Page 283
Rule | Source | Destination | Action | Service (target port)
| Local network | All stations | transmit | HTTP, HTTPS
ALLOW_FTP | Local network | All stations | transmit |
ALLOW_EMAIL | Local network | All stations | transmit | MAIL, NEWS
ALLOW_DNS_FORWARDING | IP address of LANOM (or: Local network) | | transmit |
DENY_ALL | All stations | | reject |
Page 284
If you operate e.g. your own web server, you selectively allow access to the server:
Rule | Source | Destination | Action | Service (target port)
ALLOW_WEBSERVER | | Webserver | transmit | HTTP, HTTPS
For diagnostic purposes it is helpful to allow ICMP protocols (e.g. ping):
Rule | Source | Destination | Action | Service
ALLOW_PING | Local network | | transmit | ICMP
(e.g. Deny All). Examine the filter list in the case of complex rule sets, as described in the following section.
8.3.8 Configuration of Firewall rules
Firewall wizard
The fastest method to configure the Firewall is provided by the Firewall wizard in LANconfig:
Page 286
General: Here the name of the Firewall rule is specified, as well as whether further rules should be considered after this rule has matched, and whether a VPN rule should be derived from this rule.
Page 287
Actions: Here the Firewall actions are defined, consisting of condition, trigger, packet action and further measures.
QoS: Here you can assign minimum bandwidths for data packets specified by the corresponding Firewall rules (see also ’Defining minimum and maximum bandwidths’ → page 328).
Page 288
Services: Here the IP protocols, source and destination ports are specified for which the filter rule shall apply. For example, it can be specified here that only access to web pages and emails is permissible.
Page 289
The action table contains Firewall actions
The object table contains stations and services
Note: Objects from these tables can be used for rule definition, but this is not mandatory. They simply facilitate the use of frequently used objects.
Page 290
The object table defines elements and objects that apply to the rule table of the Firewall. Objects can be:
Single PCs (MAC or IP address, host name)
Entire networks
Protocols
Services (ports or port ranges, e.g. HTTP, Mail&News, FTP, ...)
Page 291
(%S20-25). The occurrence of a "0" or an empty string represents the ’any’ object. Note: When configuring via console (Telnet or terminal program), the combined parameters (port, destination, source) must be enclosed in inverted commas (character ").
Page 292
%lcps, %lcpm, %lcph: Number of packets per second, minute or hour on the connection after which the action is executed.
%lgd (abs), Global data (abs): Absolute number of kilobytes received from the destination station or sent to it, after which the action is executed.
Page 293
Disconnects the connection to the remote site from which the packet was received or sent.
Zero limit: Resets the limit counter to 0 again when the trigger threshold is exceeded.
Fragmentation: Forces fragmentation of all packets not matching the rule.
Page 294
16. In addition, they can be entered directly into the action field of the rule table.
If an event occurred that had to be logged in any way, i.e. a log action was specified on receipt of a packet, or a report by e-mail, Syslog or SNMP was generated, then this event is held in the logging table.
Page 296
Protocol (TCP, UDP etc.) of the filtered packet
Src-p: Source port of the filtered packet (only with port-related protocols)
Dst-p: Destination port of the filtered packet (only with port-related protocols)
Filter-Rule: Name of the rule which raised the entry.
Page 297
At Telnet level, the content of the filter list can be displayed with the command show filter:
Page 298
Source network mask, which together with the source IP address determines the source network, or 0.0.0.0 if the filter should apply to packets from all networks.
Q start: Start source port of the packets to be filtered.
Page 299
This table is sorted according to source address, destination address, protocol, source port and destination port of the packet that caused the entry in the table. Under WEBconfig the filter list has the following structure:
Page 300
00002000 rule is catenated
00010000 destination is on "local route"
00020000 destination is on default route
00040000 destination is on VPN route
00080000 physical connection is not established
00100000 source is on default route
It is true that certain effects of some viruses and worms are stopped because communication via the required ports is blocked, but no Firewall alone is a comprehensive protection against viruses.
(e.g. Smurf). The BAT Firewall protects itself against spoofing by route examination, i.e. it checks whether a packet was allowed to be received at all over the interface on which it arrived.
Parameters of the Intrusion Detection System are set in LANconfig in the configuration tool 'Firewall/QoS' on the index card 'IDS': Apart from the maximum number of port inquiries, the fragment action and the possible logging mechanisms, the following reactions are also possible: The connection will be cut off.
"half-open" TCP connections thus remain and merely consume resources (e.g. memory) of the attacked computer. This can go so far that the victim can accept no more TCP connections or crashes due to lack of memory.
Page 305
This variant is also recognized and blocked by a BAT.
Ping of Death
The Ping of Death belongs to those attacks that exploit errors in the reassembly of fragmented packets. This works as follows:
Page 306
In the first case the implementation within the Firewall must be correct, so that the Firewall does not itself become the victim. In the other case "half" reassembled packets accumulate again at the victim.
SYN Flooding), at most 50 half-open connections of a single computer (see Portscan) of fragmented packets to be reassembled.
8.5.2 Configuration of DoS blocking
LANconfig
Parameters against DoS attacks are set in LANconfig in the configuration tool 'Firewall/QoS' on the register card 'DoS':
Page 308
The connection will be cut off.
The sender address will be blocked for an adjustable period of time.
The destination port of the scan will be blocked for an adjustable period of time.
Blocking of broadcasts into the local area network (against Smurf and Co).
8.5.3 Configuration of ping blocking and Stealth mode
LANconfig
Parameters for ping blocking and Stealth mode can be set with LANconfig under 'Firewall/QoS' on the register card 'General':
Page 310
Firewall 8.5 Denial of Service
WEBconfig, Telnet
With WEBconfig or Telnet the suppression of responses can be configured here:
Configuration tool | Call
WEBconfig | Expert Configuration: Setup/IP Router Module/Firewall
Terminal/Telnet | Setup/IP Router Module/Firewall
(UDP) is often used for this kind of application. This protocol too has very little administrative overhead. But in-order delivery of packets is not guaranteed; data packets are simply sent out. Because no acknowledgement exists, lost packets are never delivered again.
FTP connection or those of a certain department (in a separate subnet). For the treatment of data packets classified by the firewall, one of the following two possibilities can be chosen:
Guaranteed minimum bandwidth
Limited maximum bandwidth
| 101110 | 46
| 101000 | 40
AF23 | 010110 | 22
| 110000 | 48
AF31 | 011010 | 26
| 111000 | 56
AF32 | 011100 | 28
9.2.1 Guaranteed minimum bandwidths
Here you give priority to enterprise-critical applications, e.g. Voice-over-IP (VoIP) PBX systems, or to certain user groups.
Page 314
WAN interface. If the QoS rule has been defined globally, then the reserved bandwidth is released only after the last connection has ended.
TCP control packets can likewise be dispatched preferentially by this queue (see ’SYN/ACK speedup’ → page 365).
Urgent queue II
This is for all packets that have been assigned a guaranteed minimum bandwidth, but whose connection has exceeded this minimum bandwidth.
Page 316
As a result, the queues will automatically fill up.
[Figure: queues on the way to the Internet; link rates shown: n x 64 kBps, 54 MBps, 100 MBps, 64 KBit/s, 128 KBps]
BAT’s WAN interface is fed considerably less data from the broadband modem than could actually be received. All data packets received on the WAN interface are transferred to the LAN with equal priority.
- depending on the situation - by very long data packets of other applications. This is the case, e.g., when IP telephony and an FTP data transfer are simultaneously active on the WAN connection.
Page 319
VoIP connection is able to deliver the packets without noticeable delay within the required time slots. The resulting delay has no adverse effect on the TCP-secured FTP transfer.
The “International Telecommunications Union” (ITU) has examined in extensive tests what human beings perceive as sufficient voice quality, and has published the result in the ITU G.114 recommendation.
Page 321
(jitter buffer) the packets are stored temporarily and passed on to the addressee at a constant rate. By this intermediate buffering, the delay variations due to the individual transmission times of the individual packets can be removed. The delay is influenced by several components:
Page 322
[Figure: delay components (serialization, propagation), total 150 ms]
The processing time is determined by the codec used. With a sampling time of 20 ms, a new packet is generated exactly every 20 ms. Times for compression can mostly be neglected.
Page 323
IP payload: Voice payload + 40 byte header (12 byte RTP; 8 byte UDP; 20 byte IP header)
IPSec payload: IP packet + padding + 2 byte (padding length & next header) = multiple of the IPSec initialization vector
The following two variants apply:
The direction corresponds to the logical connection setup
The direction corresponds to the physical data transfer over the appropriate interface
'General' whether the 'Type of service field' or alternatively the 'DiffServ field' is to be observed for prioritization of data packets. When both options are turned off, the ToS/DiffServ field is ignored.
Page 326
The code points from the DiffServ field can be evaluated by Firewall rules for further control of QoS parameters such as minimum bandwidth or PMTU reduction.
LANconfig
The parameters for evaluating the DiffServ fields are adjusted when defining the QoS rule in LANconfig:
Page 327
“Expedited Forwarding” can therefore be indicated as “@dEF”, “@d46” or “@d0x2e”. Furthermore, collective names (CSx resp. AFxx) are possible. Examples:
%Lcds0 @dAFxx %A: Accept (secured transmission) on DiffServ “AF”, limit “0”
%Qcds32 @dEF: Minimum bandwidth for DiffServ “EF” of 32 kbps
The rule does not need an action, because QoS rules always implicitly assume “transfer” as the action. The guaranteed bandwidth is defined on the index card 'QoS'. The option 'Action only for default route' limits the rule to those packets that are sent or received via the default route.
Note: Devices with a built-in ADSL/SDSL modem or with an ISDN adapter make these settings independently for the respective interface. For a BAT model with Ethernet and ISDN interface, these settings have to be made solely for the Ethernet interface.
Page 330
Under WEBconfig or Telnet the restrictions of data transfer rates for Ethernet, DSL and DSLoL interfaces are entered at the following places:
Configuration tool | Call
WEBconfig | Setup/Interfaces/DSL Interfaces
Telnet | Setup/Interfaces/DSL Interfaces
Note: Upstream and downstream rates are given in Kbps, the external overhead in bytes/packet.
WAN interface is e.g. made by the following Firewall rule: %Lcdstw16%d
9.7.5 Reducing the packet length
The length reduction of the data packets is defined by a Firewall rule according to the following conditions:
Page 332
Firewall rule by parameter “P” for PMTU reduction (Path MTU, MTU = Maximum Transmission Unit) and “F” for the fragment size:
Configuration tool | Call
WEBconfig | Setup/IP router/Firewall/Rule list
Telnet | Setup/IP router/Firewall/Rule list
Distributed Coordination Function. Note: Priorities can only be set if the WLAN client and the access point both support 802.11e or WMM, and also if the applications are able to mark the data packets with the corresponding priorities.
Page 334
A BAT access point can activate 802.11e for each of its physical WLAN networks separately.
Configuration tool | Call
LANconfig | Interfaces > Wireless LAN > Physical WLAN settings > Performance
WEBconfig, Telnet | Expert-Configuration > Setup > Interfaces > WLAN > Performance
By defining VLANs on a LAN the following goals should be achieved:
Data traffic of certain logical units should be shielded against other network users.
Broadcast traffic should also be confined to logical units, so that it does not burden the entire LAN.
“normal” data packets. The tagging is realized by an additional field within the MAC frame. This field contains two important pieces of information for the virtual LAN:
The main application of virtual LANs is to set up different logical networks on one physical Ethernet segment, each with its data traffic protected from the other logical networks. The following sections present examples of operating virtual LANs against this background.
Page 339
In both cases, the individual units must have an independent, protected LAN. But this is very burdensome or even impossible to realize by hardware changes, because, e.g., only a single central cabling exists in the office building.
Company B is also shielded by VLAN ID 11 against all other networks; only the service provider can access all devices for maintenance purposes.
10.3 Configuration of VLANs
Note: VLAN technology functions are presently only supported by BAT Router devices.
The port table configures the individual ports of the device for use by the VLAN. The table has an entry for each port of the device with the following values:
Port: Name of the port, not editable.
P2P-6
10.3.3 Configuration with LANconfig
Parameters for virtual networks can be set with LANconfig under 'Interfaces' on the register card 'VLAN'. The definition of the virtual networks in use can be accessed via the button VLAN table:
Page 343
Virtual LANs (VLANs) 10.3 Configuration of VLANs
The button Port table opens a drop-down list where a VLAN port can be selected for editing:
Under WEBconfig or Telnet the tables for configuring the VLANs can be found via the following paths:
Configuration tool | Menu/table
WEBconfig | Expert Configuration > Setup > LAN Management > VLAN Configuration
Terminal/Telnet | cd /Setup/LAN Management/VLAN Configuration
The VLAN configuration appears under WEBconfig as follows
Setup/LAN Bridge/VLAN or in LANconfig in the configuration area under 'Interfaces' using the 'VLAN' tab in the field 'VLAN tag'. The default is '8100' (802.1p/q VLAN tagging); other typical values for VLAN tagging could be '9100' or '9901'.
In order to better separate the data traffic on a DSLoL interface from other traffic, a 'VLAN ID' can be set up for the DSLoL interface under Setup/Interfaces/DSLoL or in LANconfig in the configuration area 'Interfaces' using the 'WAN' tab under the interface settings for the DSLoL interface.
VLAN ID recorded earlier is entered into the packet together with the precedence to form a VLAN tag. Where a connection causes other connections to be opened, e.g. with FTP or H.323, the tag is inherited by the new entries.
Off: VLAN tags are ignored.
On: Priority bits in the VLAN tag are always copied to the precedence of the DSCP.
Automatic: Priority bits in the VLAN tag are only copied to the DSCP precedence if this is '000'.
VLAN ID: ID used to explicitly identify the VLAN over the DSL connection. Default: 0. With VLAN ID '0' only untagged packets are accepted; with any other VLAN ID only packets with the corresponding tag are accepted.
Outgoing packets are given a VLAN tag unless they belong to the VLAN defined for this port.
Ingress-mixed: Arriving (ingress) packets may or may not have a VLAN tag; outbound (egress) packets are never given a VLAN tag.
Default: Ingress mixed
Page 351
In the 'Mixed' mode, this value determines whether outgoing packets receive a VLAN tag or not: Packets assigned to the VLAN defined for this port are given no VLAN tag; all others are given a VLAN tag.
Values: 1 to 4094
Default: 1
A characteristic of WAN connections is the close cooperation with the router modules in the BAT. The router modules (IP and IPX) take care of connecting LAN and WAN. They make use of the WAN modules to fulfil requests from PCs within the LAN for external resources.
IP address of the receiver. The computer sends the packet with this address over the LAN to the router. The router looks up in its IP routing table the remote station via which the target IP address can be reached, e.g. 'Provider_A'.
This only allows data transmissions to destination addresses entered in the routing table. This section explains the structure of the IP routing table of a Hirschmann router, as well as the additional functions available to support IP routing.
Page 356
Therefore not only the target IP address is evaluated when selecting the route, but also other information that the firewall attaches to the data packets. With the routing tag “0” the routing entry is valid for all packets.
Page 357
Masquerading
Use the 'Masquerade' option in the routing table to inform the router which IP addresses to use when transferring packets from local networks. For further information see the section ’IP masquerading’ → page 369.
(defined by an IP address range). Alternatively, certain protocols receive a different supplementary routing tag. The diagram demonstrates the application of policy routing with load balancing:
Page 359
"1". Routing tags and RIP: The routing tag is also transmitted in RIP packets for processing upon reception, so that, for example, the distances in the corresponding route can be adjusted.
Page 360
In the IP routing table, two appropriately tagged routes are required: IP address IP netmask Rtg tag Peer or IP distance Masquerading 10.0.0.138 255.255.255.25 PEER02 PPTP 10.0.0.138 255.255.255.25 PEER01 PPTP 192.168.0.0 255.255.0.0 0.0.0.0 172.16.0.0 255.240.0.0 0.0.0.0 10.0.0.0 255.0.0.0 0.0.0.0 224.0.0.0 224.0.0.0 0.0.0.0 255.255.255.255 0.0.0.0 PEER LB BAT54-Rail/F.. Release 7.54 06/08...
For local routing leads to a doubling of all data packets to the desired target network. The data is first sent to the default rout- er and is then sent on from here to the router which is actually responsible in the local network. BAT54-Rail/F.. Release 7.54 06/08...
11.2.4 Dynamic routing with IP RIP
In addition to the static routing table, Hirschmann routers also have a dynamic routing table. Unlike the static table, you do not fill this out yourself, but leave it to be dealt with by the router itself. It uses the Routing Information Protocol (RIP) for this purpose.
Note: RIP packets from the WAN will be ignored and rejected immediately. RIP packets from the LAN will be evaluated and will not be propagated in the LAN.
IP broadcast. 'RIP-2': Similar to 'RIP-1 compatible', except that all RIP packets are sent to the IP multicast address 224.0.0.9. The entry under 'RIP-1 mask' (or 'R1 mask') can be set to the following values:
The greatest effect occurs with SYN/ACK speedup on fast connections (e.g. ADSL) when data quantities are simultaneously transferred in both directions at high speed. The SYN/ACK speedup is activated at the factory.
A separate peer list exists for every WAN interface. The peer list is reached as follows: LANconfig: Communication > Remote sites > Remote Sites (DSL). WEBconfig: Expert configuration > Setup > DSL-Broadband-Peers. Terminal/Telnet: cd /Setup/WAN; set DSL-Broadband-Peers [...]; set Dialup-Peers.
Peers list) are entered, the BAT uses the "faster" interface when connecting to the remote station. The other interface is then used as a back- If neither the access concentrator nor the service is specified, the router connects to the first AC that answers the query.
'cPPP': Like 'PPP', only the asynchronous mode is used. This means that PPP functions character-oriented. '... with script': All options can be run with their own script if desired. The script is specified in the script list. 'DHCP': Assignment of the network parameters via DHCP.
IP address to communicate with computers in the LAN, and the public IP address to communicate with remote stations in the Internet. The computers in the LAN use the router as a gateway but are recognizable themselves. The router divides the intranet from the Internet.
The response to this new packet is now sent to the IP address of the router with the new sender port number. The entry in the internal table allows the router to assign this response to the original sender again.
IP masquerading. Among the group of protocols supported by IP masquerading in the BAT are: FTP (using the standard ports), H.323 (to the same extent as used by Microsoft Netmeeting), PPTP, IPSec.
IP address of the FTP server in the LAN from the entry in the service table. The packet is forwarded to this computer. All packets that come from the FTP server in the LAN (answers from the server) are hidden behind the IP address of the router.
Configuration of the inverse masquerading: The service table for setting inverse masquerading can be reached in LANconfig in the configuration area 'IP Router' on the tab 'Masq.'.
Deny All firewall strategy an additional entry in the Stateful Inspection Firewall, which enables the access of all stations to the respective server.
LANconfig: When using LANconfig for the configuration, you will find the service list in the configuration area 'IP Router' on the 'Masq.' tab under the button 'Service list'.
11.4.4 De-Militarized Zone (DMZ)
Locally the router can manage two different IP address sections: the intranet (LAN) and the 'De-Militarized Zone' (DMZ). The DMZ has its own area, which is used for servers that are to be reachable from the Internet.
11.4.5 Unmasked Internet access for server in the
While the inverse masquerading described in the preceding paragraph allows at least one service of each type to be exposed (e.g. one Web, Mail and FTP server), this method is bound to some restrictions.
Intranet, but any IP traffic from the DMZ towards the Intranet must be prohibited. For the above example, this reads as follows: With an 'Allow All' strategy (default): Deny access from 123.45.67.2 to "All stations in local network"
11.5.1 Assigning interfaces to the DMZ
To configure the DMZ the corresponding interface is defined as the DMZ interface. Configuration with LANconfig: Ethernet ports are defined in LANconfig in the configuration area 'Interfaces' on the 'LAN' tab under 'Ethernet ports'.
Configuration with WEBconfig, Telnet or SSH: Under WEBconfig, Telnet or an SSH client you will find the settings for the Ethernet ports under the following paths: WEBconfig: Expert configuration > Setup > TCP-IP. Terminal/Telnet: Setup/TCP-IP.
7011 VPN only, as a more precise address check has already been used for this device. Configuration with LANconfig: You will find the button for activating the DMZ and Intranet address check in LANconfig in the 'TCP-IP' configuration area on the 'General' tab page.
Forwarding (ARF), which provides very flexible options in the definition of IP networks and the assignment of these networks to the interfaces. The diagram below illustrates the network/interface assignment at various levels. The configuration options applied here are described in the following chapters.
WLAN interfaces are assigned to each physical WLAN module: per module this may be up to eight WLAN networks and up to six P2P connections. These logical interfaces are further specified and grouped in the next stage:
IP network '10.0.0.0' with the netmask '255.255.255.0'. To implement these requirements, each company is given an IP network '10.0.0.0/255.255.255.0' with a unique name and a unique interface tag. In the routing table, a default route with the corresponding routing tag is created
(and any other DMZ networks, of course). 'DMZ' type networks with the interface tag '0' are a special case: as "supervisor networks" they can see all other networks, and they are also visible to all other networks.
(LAN) or a wireless port (WLAN). To realize the scenarios outlined above, it is possible for several networks to be active on one interface. Conversely, a network can also be active on multiple interfaces (via bridge groups or with the interface assignment 'Any').
BAT Router's public IP address at the transition to the Internet. In a DMZ, fixed public IP addresses are often used as no masking takes place. For each remote station, the IP routing table can be used to set whether
VoIP is given VLAN ID 2. Based on the VLAN IDs, the central router permits users in the intranet to access the Internet and, via VPN, the headquarters; visitors in the guest WLAN only have access to the Internet.
6, BRG-1 to BRG-8, any (depending on the availability of logical interfaces in the respective model). A logical interface which is assigned to a network in this way is referred to as a "bonded" interface. Any: The network is valid for all logical interfaces.
If a routing tag is defined for a VPN route, then automatic VPN rules are only generated for IP networks with the same interface tag. The network type must also be set to 'Intranet'. Values: 0 to 65,535 Default: 0 Particular values: 0 (untagged).
DHCP relay server. As a DHCP relay agent the BAT Router forwards DHCP requests to another DHCP server. As a DHCP relay server the BAT Router processes DHCP requests forwarded from DHCP relay agents.
Activating the DHCP server for an interface: The DHCP server can be separately activated or deactivated for each logical interface. LANconfig: TCP/IP > DHCP > Port table. WEBconfig, Telnet: Expert configuration > Setup > DHCP > Ports.
DHCP server operating mode: Operating mode of the DHCP server in this network. Depending on the operating mode, the DHCP server can enable/disable itself. The DHCP statistics show whether the DHCP server is enabled. No: DHCP server is permanently switched off.
(DHCP relay agent mode). Default: Automatic. Broadcast bit check: This setting decides whether the broadcast bit from clients is to be checked. If the bit is not checked then all DHCP messages are sent as broadcasts. Default: Off.
IP addresses and the netmask. In special cases (e.g. when using subnets for a selection of workstations) it may be necessary to use a different broadcast address. In this case the broadcast address is entered into the DHCP module.
TCP/IP settings is communicated as the NBNS server. NBNS backup: IP address of the backup NBNS name server for the forwarding of NBNS requests, in the event that the first name server should fail.
With the configuration of IP and DHCP networks, multiple networks with different DHCP settings can be active at a logical interface. In this case, the DHCP settings for the first suitable network are applied. A prioritization of networks may be necessary here.
Similarly, all names that were learned from untagged networks are visible to tagged networks. Names learned from relay agents are handled as though they were learned from an untagged network, i.e. these names are visible to all networks.
The workgroup/domain enables networks to be scanned for NetBIOS names when a device is started. The workgroup is different for every network and has to be defined everywhere. In networks without domains, the name of the largest workgroup should be defined here.
The standard routing tag for this interface. Routes whose routing tag is set to the interface tag are propagated by the interface with the tag configured here. Routes that are received at the interface with the standard rout-
(hops). RIP uses various timers to control the exchange of routing information. WEBconfig: Setup > IP-router > Parameters. Update interval: The time between two regular updates. A random value of +/- 5 seconds is always added to this value. Possible values: 0 to 99 seconds.
As long as this delay is running, new routing information is accepted and entered into the table but it is not reported any further. The router actively reports its current entries only after expiry of this delay.
Note: In a router at the central location, RFC 2091 can be switched off and the gateway can remain on 0.0.0.0 because the central location always observes the requests from the subsidiaries. Note: The BAT automatically reverts to standard RIP if the indicated gateway does not support RFC 2091.
Until now routes learned from RIP could only be filtered by their routing tag. However, it is desirable to be able to filter routes by their network address as well. For example, "only learn routes within the network 192.168.0.0/255.255.0.0".
RIP (16). This value can be adapted with the parameter Max Hopcount. WEBconfig: Setup > IP-router > Parameters. Max hop count: Sets the maximum number of permissible hops. Possible values: 16 to 99 Default: 16
The network is of the type 'Intranet'. Note: VPN rules for a DMZ also have to be created manually, just as for networks with an interface tag which does not fit the routing tag of the VPN route.
"INTERNET-HOME"). Both networks have web servers which are to be accessible from the Internet. This scenario is covered by the following rules (columns: Name, Protocol, Source, Target, Action):
HTTP-COMPANY TCP %Hinternet-biz %Lcompany %S80
HTTP-PRIV %Hinternet-home %Lhome %S80
INET-COMPANY %Lcompany %Hinternet-biz
INET-PRIV %Lhome %Hinternet-home
If Development and Sales were in IP networks with different address ranges, then it would be no problem to assign the routing tags with firewall rules. Since both departments are in the same IP network, the only available method of assignment is with network names.
If a packet is received at a LAN interface and is to be routed to a WAN interface, then this WAN interface is considered to be a default route if either the untagged default route or a default route tagged with the interface tag refers to this WAN interface.
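The tag-based route selection described in this section (tag "0" valid for all packets, tagged default routes for load balancing, the default-route rule for a LAN interface tag) as a small Python model. This is an added example, not code from the Hirschmann manual or the BAT firmware; the route table is constructed for the example, and the tie-break order (longest netmask, then a route whose tag matches the packet, then lower distance) is an assumption made here.

```python
"""Tagged route lookup, modelled on the routing-tag rules of the manual.

Added example, not the manual's or the device's own code.  Assumptions:
- a packet carries a routing tag (0 = untagged) attached by the firewall;
- a route with tag 0 is valid for every packet, a route with tag N only
  for packets tagged N;
- the longest matching netmask wins; on equal length a route whose tag
  matches the packet beats a tag-0 route; lower distance breaks the rest;
- peer '0.0.0.0' models a route that is not forwarded to any remote site.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    network: IPv4Network  # destination address + netmask
    tag: int              # routing tag; 0 = valid for all packets
    peer: str             # remote site ("Peer or IP" column)
    distance: int = 0


def route(network: str, tag: int, peer: str, distance: int = 0) -> Route:
    """Build a Route from 'a.b.c.d/len' or 'a.b.c.d/netmask' notation."""
    return Route(IPv4Network(network, strict=False), tag, peer, distance)


# Constructed sample table (not the manual's table): two tagged default
# routes for load balancing, an untagged fallback default route, and the
# private ranges that must never leave the LAN.
ROUTES: List[Route] = [
    route("0.0.0.0/0", 1, "INET1"),
    route("0.0.0.0/0", 2, "INET2"),
    route("0.0.0.0/0", 0, "INET1", distance=1),
    route("192.168.0.0/255.255.0.0", 0, "0.0.0.0"),
    route("172.16.0.0/255.240.0.0", 0, "0.0.0.0"),
    route("10.0.0.0/255.0.0.0", 0, "0.0.0.0"),
]


def lookup(routes: Iterable[Route], dst: str, packet_tag: int = 0) -> Optional[Route]:
    """Select the route for a packet to `dst` that carries `packet_tag`."""
    dst_addr = IPv4Address(dst)
    # Only untagged routes and routes with the packet's own tag apply.
    candidates = [
        r for r in routes
        if r.tag in (0, packet_tag) and dst_addr in r.network
    ]
    if not candidates:
        return None
    # Longest prefix first; a tag match beats tag 0; then lower distance.
    return max(
        candidates,
        key=lambda r: (r.network.prefixlen, r.tag != 0, -r.distance),
    )


def is_default_route_for(routes: Iterable[Route], wan_peer: str, interface_tag: int) -> bool:
    """True if `wan_peer` counts as the default route for packets from a LAN
    interface with `interface_tag`: either the untagged default route or a
    default route tagged with the interface tag refers to that peer."""
    return any(
        r.network.prefixlen == 0
        and r.peer == wan_peer
        and r.tag in (0, interface_tag)
        for r in routes
    )


if __name__ == "__main__":
    for tag in (0, 1, 2, 7):
        print(tag, lookup(ROUTES, "198.51.100.10", tag))
    print(lookup(ROUTES, "192.168.5.5", 2))
```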
The use of virtual routers when using port forwarding demands an exact selection of the remote station. LANconfig: IP Router > Masq. > Port forwarding table. WEBconfig, Telnet: Expert Configuration > Setup > IP-Router > 1-N-NAT > Service table. Start port: D-port from (start port)
Values: Valid IP address Default: 0.0.0.0 Particular values: With the IP address 0.0.0.0 the address assigned to the connection will be used automatically. Entry active: Switches the entry on or off. Comment: Comment on the defined entry (64 characters)
Special significance: If the interface is removed from all bridge groups by setting 'none', then there is no communication between the LAN and WLAN via the LAN bridge (isolated mode). With this setting, LAN/WLAN data transfers over this interface are only possible via the router.
The remote bridge couples two remote networks as if they were physically connected. They are completely independent of the employed network protocols. LANconfig: Bridge > General. WEBconfig, Telnet: Expert Configuration > Setup > Bridge.
The availability of direct bundling depends on the Internet provider's product range. If available, the user has access to the sum of the bandwidths of all of the bundled channels. Multilink-PPPoE can also be used for bundling PPP connections.
[Diagram: two TCP connections divided between two DSL ports, external ADSL modem] Note: Unlike direct channel bundling, load balancing offers the true sum of all bundled bandwidths. This version is thus highly effective for combining different bandwidths.
DSL-1, DSL-2, ...: The port is allocated to one of the DSL interfaces. Monitor: The port is a monitor port, i.e. everything received at the other ports is output via this port. A packet sniffer such as Ethereal can be connected to this port, for example.
In the list of Ethernet ports, the ports must be switched to DSL port. In the layer used for the connection, a bundling method has to be activated that is also supported at the remote site.
Note: Every DSL connection has its own MAC address. If two remote stations are configured with identical MAC addresses, the first connection uses the configured MAC address. For the second connection a "locally managed", unambiguous MAC address will be calculated from the user-defined MAC address.
DSL connections all have different IP addresses. Thus load balancing also considers the information in the firewall connection list. This list has an entry for every established TCP connection, and for load balancing the list is supplemented with information about the DSL port used.
Apart from the dynamic choice of connection outlined in the previous section, there are possible scenarios where certain TCP connections should always make use of the same DSL connection. Two cases are to be considered here:
Ethernet-Ports. Telnet: /Setup/Interfaces/Ethernet-ports. WEBconfig: Expert configuration > Setup > Interfaces > Ethernet ports. Activate the additional DSL interfaces in LANconfig via Interfaces > Interface settings. Enter the data rates for up- and downstream. Telnet: /Setup/Interfaces/DSL. WEBconfig: Expert configuration > Setup > Interfaces
'INET1' and 'INET2', with the aid of the LANconfig Wizard. To distribute Internet traffic across different DSL interfaces, the individual remote stations are assigned to different DSL ports in LANconfig under Communication > Remote sites > Remote sites (DSL). Telnet: /Setup/WAN/DSL-broadband-peers. WEBconfig: Expert configuration > Setup > DSL-broadband-peers
'1'; do this with LANconfig via Firewall/QoS > Rules. Telnet: /Setup/IP-router/Firewall/Rules. WEBconfig: Expert configuration > Setup > IP router > Firewall > Rules.
Rules for this address translation are defined in a static table in the BAT. In this way new addresses are assigned to single stations, parts of the network, or the entire LAN, and the stations then use these addresses to contact other networks.
(or more) server(s) of the other one: [Diagram: Network of firm A and network of firm B, both 10.0.0.x, with N:N mapping to 192.168.2.x and to 192.168.1.x; the two gateways are connected by a VPN tunnel; target 192.168.2.1; Server_A1 10.0.0.1, Server_A2 10.0.0.2; Server_B1 10.0.0.1, Server_B2 10.0.0.2]
VPN. With the use of the nearly ubiquitous broadband Internet connections, the administrator of such management scenarios is no longer dependent on the different data communication technologies or expensive leased lines.
In order to avoid the effort of building up its own VPN tunnel to each individual subnetwork of the clients A and B, the service provider makes only one VPN connection to the head office, and uses the existing VPN lines between head office and branches for communication with the branches.
The administrator selects the address ranges 192.168.2.x and 192.168.3.x for clients C and D, so that the addresses of these networks differ from the service provider's own network.
Note: The address range for translation must be at minimum as large as the source address range. Note: Please note that the N:N mapping functions are only effective when the firewall has been activated ('Firewall/QoS enabled' → page 265)!
IP router on the one hand, and the VPN module on the other hand. All rules relating to the own network therefore use the "unmapped" original addresses. The entries of the remote network use the "mapped" addresses of the remote side, valid on the VPN connection.
IP-Redirect, Configuration & ISDN management: WEBconfig, Telnet, TFTP, IPX router, IPX over PPTP/VPN, LANCAPI. Configuration with different tools: LANconfig: With LANconfig you adjust the address translation in the configuration area 'IP router' on the 'N:N-Mapping' tab:
WEBconfig: Expert configuration / Setup / IP router / NAT table. Terminal/Telnet: Setup / IP router / NAT table. When starting a new entry under WEBconfig, the NAT table shows up as follows:
11.10 Establishing connection with PPP
Hirschmann routers also support the point-to-point protocol (PPP). PPP is a generic term for a whole series of WAN protocols which enable the interaction of routers made by different manufacturers, since this protocol is supported by practically all manufacturers.
CHAP or MS-CHAP is being used. Perhaps a callback is also negotiated in this phase via CBCP (Callback Control Protocol). Network phase: The BAT supports the protocols IPCP and IPXCP.
Internet as a backup. Note: During remote access of individual workstations with Windows operating systems, we recommend switching off the regular LCP requests since these operating systems do not reply to LCP echo requests.
BAT. This can be accomplished with Windows dial-up networking through the settings in the 'TCP settings' under 'IP address' and 'DNS configuration'. This is where the options 'IP address assigned by server' and 'Specify name server addresses' are activated. Internet access
Not the other way round. This means that 'PAP' or 'CHAP' security is not useful when connecting to Internet service providers, who may not wish to provide a password. Select 'none' as the security attribute for connections such as these.
The PPTP list for editing the configuration can be reached as follows: LANconfig: Communication > Protocols > PPTP list. WEBconfig: Expert Configuration > Setup > PPTP-Peers. Terminal/Telnet: cd /Setup/WAN; set PPTP-Peers [...]. The PPTP configuration consists of three parameters: 'Remote site'—the entry from the DSL-Broadband-Peers list.
With a holding time of 9,999 seconds the connection is always re-established after any disconnection. Additionally, the connection is re-established after a reboot of the device ('auto reconnect').
11.13 Callback functions
The BAT supports automatic callback via its ISDN port.
For this setting the callback entry must be set to 'Call back the remote site after name verification' (or must have the value 'Name' in WEBconfig or in the console). In the peer list no telephone number may be specified.
('fast' when configuring via WEBconfig, terminal program or Telnet). Note: For fast callback using this method, the number list for answering calls must be kept up to date at both ends.
In other words, in order to be able to use rapid callback, the caller must be in the 'Looser' mode while the party being called must discontinue callback with 'fast'.
Note: The setting 'Name' offers the greatest security when an entry is made into the number list as well as the PPP list. The setting 'fast' offers the fastest callback method between two Hirschmann routers. Note: With Windows remote stations, the 'Name' setting must be selected.
"null modem cables" or the like. The use of non-compliant accessories will cause serious damage to the BAT and/or the modem. For further details please refer to the 'Contact assignment of BAT modem adapter kit' → page 453.
115,200 bps. Configuration with LANconfig: The settings for the serial interface as a WAN interface can be found in the LANconfig configuration area 'Interfaces'. Select the 'V.24 interface' with the 'Interface settings' button on the 'WAN' tab.
Dial command [default: ATDT]. Escape sequence to terminate the data phase or to return to the command phase [default: +++]. Hold time after escape sequence [default: 1000 milliseconds]. Disconnect: command to hang up during the data phase [default: ATH].
Init-string: L0X1M1S0=0+CGDCONT=1, “IP”, “internet.t-d1.de” Dial-up number: *99# Vodafone: Init-string: L0X1M1S0=0+CGDCONT=1, “IP”, “web.vodafone.de” Dial-up number: *99# or *99***1# Configuration with LANconfig: The modem parameters can be found in the LANconfig configuration area 'Interfaces' on the 'WAN' and 'Modem' tabs.
BAT. This function allows you to send any AT commands to the modem. Note: Sending AT commands is possible in the internal modem state 'idle' or 'Modem ready' only. The responses can be found in the serial trace ('Trace output' → page 450).
The remote sites list (ISDN/serial) contains the following information: Name: Name of the remote device. Telephone number: Telephone number that reaches the remote site. The field can be left empty if calls are to be received only.
The remote site list with the remote sites for the modem at the serial interface can be found under the following paths: LANconfig: Communication > Remote sites > Name list (ISDN). WEBconfig: Expert configuration > Setup > Dialup-Peers. Terminal/Telnet: Setup/WAN/Dialup-Peers
DNS server in your provider's network. The polling table is to be found under the following paths: LANconfig: Communication > Remote Sites > Polling Table. WEBconfig: Expert configuration > Setup > Polling table. Terminal/Telnet: Setup/WAN/Polling-table
This additional fragmentation can cause losses in the data-transfer speeds. This problem can be avoided by entering a fixed MTU for each remote site.
11.16 WAN RIP
In order for routes learned from RIP to be broadcast across the WAN, the respective remote stations can be entered into the WAN RIP table. The WAN RIP table contains the following values:
LAN with the default tag (0). In the WAN, they are propagated with the tag with which they were learned. Configuration with LANconfig: The WAN RIP table can be found in LANconfig in the configuration area 'IP router' on the 'General' tab.
After initialization all ports are initially in the "blocking" state in which only BPDUs are exchanged. The ports subsequently switch to the states "listening" and then "learning" before reaching "forwarding", which allows payload data to be exchanged via the ports.
Since no additional stations can occur between the two bridges, the switch into the forwarding state can take place faster. In the ideal case, RSTP immediately resorts to familiar alternative network paths in case of connection failure.
When Spanning Tree is turned off, a BAT does not send any Spanning Tree packets and passes received packets along instead of processing them itself. Protocol version: Classic: Uses the classical STP to determine the network topology. Rapid: Uses the RSTP method to determine the network topology.
Spanning Tree port can change the status (listening, learning, forwarding). Default: 6 Note: When using RSTP the forwarding delay often has no effect because RSTP has suitable mechanisms of its own to prompt a rapid switch into the forwarding state.
Path-Cost-Override: This parameter controls the priority of paths with equal value. The value set here is used to make the selection instead of the computed path costs. Particular values: 0 switches path-cost override off. Default: 0
The port table can be used to inspect the following values for all available ports (LAN, wireless LAN, point-to-point connections). Priority: The priority of this port taken from the port configuration. State: The current status of the port:
Note: If path costs for a port were manually entered, then the configured value appears in this column. Information in the RSTP port statistics: The RSTP port table can be used to inspect the following values for all available ports (LAN, wireless LAN, point-to-point connections).
Role: Root or Non-root bridge. Learning: Port in learning state. Forwarding: Port in forwarding state. Edge port: Port defined as an edge port. Protocol version: Classic or Rapid. Costs: Setting for this port's cost
DHCP server. 12.1.1 The DHCP server As a DHCP server, the BAT can administer the IP addresses in its TCP/IP network. In doing so, it passes the following parameters to the workstation computers: IP-address BAT54-Rail/F.. Release 7.54 06/08...
DHCP server off, changes to the DHCP client mode, and obtains the IP address from the DHCP server in the LAN. This prevents the uncon- figured device from assigning addresses not in the local network when switched on. BAT54-Rail/F.. Release 7.54 06/08...
Three options exist for determining the available selection of addresses: The IP address can be taken from the address pool selected (start ad- dress pool to end address pool). Any valid addresses in the local network can be entered here. BAT54-Rail/F.. Release 7.54 06/08...
Page 468
If the router has neither an Intranet address nor an DMZ address, the de- vice has gone into a special operating mode. It then uses the IP address '172.23.56.254' for itself and the address pool '172.23.56.x' for the assign- ment of IP addresses in the network. BAT54-Rail/F.. Release 7.54 06/08...
Page 469
The device always assigns the requesting computer its own IP address as a gateway address. If necessary, this assignment can be overwritten with the settings on the workstation computer. DNS and NBNS assignment This assignment is based on the associated entries in the 'TCP/IP-module'. BAT54-Rail/F.. Release 7.54 06/08...
Page 470
On the 'WINS configuration' tab, the 'Use DHCP for WINS Resolution' option must also be selected if you want to use Windows networks over IP with name resolution using NBNS servers. In this case, the DHCP server must also have an NBNS entry. BAT54-Rail/F.. Release 7.54 06/08...
'static': A computer has informed the DHCP server that it has a fixed IP address. This address can no longer be assigned to other clients.
'dynamic': The DHCP server assigned the computer an address.
Setup/DHCP or in LANconfig in the configuration area under 'TCP/IP' on the 'DHCP' tab in the 'User Class ID' field (default: empty). The user class ID is only transmitted when the user has configured a value.
(domains) and IP addresses. This service is required for Internet communications, to return the correct IP address for a request such as 'www.hirschmann.com', for example. However, it is also useful to be able to clearly associate IP addresses with computer names within a local network or in a LAN interconnection.
The user wants to be able to connect to the company intranet and directly to the Internet at the same time. The requests sent into the intranet must be routed to the company DNS server, and all other requests to the DNS server of the provider.
The settings for the DNS server are contained in the following menu or list:
Configuration tool: Run/Table
LANconfig: TCP/IP
WEBconfig: Expert Configuration > Setup
Terminal/Telnet: cd /setup/DNS
Proceed as follows to set up the DNS server: Switch the DNS server on.
WEBconfig: … > Operating
Terminal/Telnet: set operating on
Host names table, for which you know the name and IP address, that are not located in your own LAN, that are not on the Internet and that are accessible via the router.
When entering the name areas, the wildcards '?' (for individual characters) and '*' (for multiple characters) may be used. To reroute all domains with the ending '.intern' to a DNS server in the LAN of the remote station 'COMPANY', create the following entry:

In console mode the command is: set 002 *.com 10.0.0.123 255.255.255.255
Note: The hit list in the DNS statistics contains the 64 most frequently requested names and provides a good basis for setting up the filter list.
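The following Python script is an added example (not part of the manual or of LCOS) that models how the wildcard entries above are evaluated. It assumes, as the manual states, that '?' matches a single character and '*' any run of characters; it further assumes that DNS names are compared case-insensitively, that a filter-list entry (reading 'set 002 *.com 10.0.0.123 255.255.255.255' as index, domain pattern, client IP address, netmask) blocks the matching names for clients in that address range, and that the filter list is consulted before the forwarding table. The table contents, the remote station name 'COMPANY', the DNS server address 10.1.0.53, the target name 'PROVIDER' and the query names are constructed for this example.

```python
import ipaddress
import re

# Constructed for this example: a forwarding table in the spirit of the
# manual's '.intern -> COMPANY' entry. The target is the remote station or
# DNS server that answers names matching the pattern. 'COMPANY' and
# 10.1.0.53 are placeholders, not values from a real configuration.
FORWARDING_TABLE = [
    ("*.intern", "COMPANY"),
    ("*.hirschmann.com", "10.1.0.53"),
]

# Constructed filter list, modelled on 'set 002 *.com 10.0.0.123 255.255.255.255'
# (assumed column order: index, domain pattern, client IP address, netmask).
# Entry 003 is an additional example that exercises the '?' wildcard.
FILTER_LIST = [
    ("002", "*.com", "10.0.0.123", "255.255.255.255"),
    ("003", "*.gambling-?.example", "10.0.0.0", "255.255.255.0"),
]

DEFAULT_TARGET = "PROVIDER"  # placeholder: all other queries go to the provider's DNS


def pattern_to_regex(pattern):
    """Translate a name pattern with '?' and '*' wildcards into an anchored,
    case-insensitive regular expression. Everything else is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def name_matches(pattern, qname):
    """True if the queried name matches the pattern. A trailing dot (FQDN form)
    is ignored so that 'host.intern.' and 'host.intern' compare equal."""
    return pattern_to_regex(pattern).match(qname.rstrip(".")) is not None


def client_in_range(client_ip, ip, netmask):
    """True if client_ip lies in the address range given by ip/netmask.
    strict=False accepts an address with host bits set, as in the manual's example."""
    network = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return ipaddress.IPv4Address(client_ip) in network


def resolve_policy(qname, client_ip, filters=FILTER_LIST,
                   forwarding=FORWARDING_TABLE, default=DEFAULT_TARGET):
    """Decide what the DNS server does with a query.

    Returns ('deny', filter_index) when a filter entry blocks the name for
    this client, otherwise ('forward', target) with the first matching
    forwarding entry, or the default target if nothing matches."""
    for index, pattern, ip, netmask in filters:
        if name_matches(pattern, qname) and client_in_range(client_ip, ip, netmask):
            return ("deny", index)
    for pattern, target in forwarding:
        if name_matches(pattern, qname):
            return ("forward", target)
    return ("forward", default)


if __name__ == "__main__":
    for qname, client in [("fileserver.intern", "10.0.0.5"),
                          ("www.example.com", "10.0.0.123"),
                          ("www.example.com", "10.0.0.124"),
                          ("WWW.HIRSCHMANN.COM.", "10.0.0.124")]:
        print(f"{client:>12}  {qname:<22} -> {resolve_policy(qname, client)}")
```

The order of the forwarding table matters: the first matching pattern wins, so a broad pattern such as '*.com' placed before '*.hirschmann.com' would swallow the more specific entry. Keep specific patterns first and check the DNS statistics hit list for names that end up at the provider unintentionally.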
, and transfer this address, in case of a change, to their respective Dynamic DNS server.
[Figure: PC with DynDNS client program, Internet, server at DynDNS provider]
The current WAN IP address of a BAT can be retrieved at the following address: http://<address of Device>/config/1/6/8/3/
More services 12.3 DNS Alternatively, the BAT can transmit the current WAN IP address directly to the DynDNS provider.
[Figure: BAT, Internet, server at DynDNS provider]
The required settings can be changed conveniently with the Setup Wizard:
Using accounting snapshots, accounting data can be saved regularly at specific times for later evaluation.
Conversely, with this setting, data can be separated from clients that are behind another router and therefore appear with the same MAC address as the router in the accounting list.
Day of month: The day of the month on which caching will take place. Only relevant if the interval is 'monthly'.
Day of week: The weekday on which caching will take place. Only relevant if the interval is 'weekly'.
Hour: The hour on which caching will take place: '0' to '23'.
Start LANconfig. Under 'Management', select the 'Log & Trace' tab. Turn the module on and click 'SYSLOG clients'. In the next window click 'Add'. First enter the IP address of the SYSLOG client, and then set the sources and priorities.
Source | Meaning | Facility
Administration | messages regarding configuration changes, remotely executed commands etc. | LOCAL2
Router | regular statistics on the most frequently used services (sorted by port numbers) and messages regarding filtered packets, routing errors etc. | LOCAL3
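As an added example (not part of the manual), the Python script below decodes the priority field that a SYSLOG sender prefixes to each message and uses the facility mapping from the table above to pick out the Administration source, whose messages (configuration changes, remotely executed commands) are the ones a security team should alert on. Facility and severity numbering follow the BSD syslog protocol (RFC 3164). The sample lines are constructed for this example and do not reproduce the device's actual message wording; only the source-to-facility mapping for Administration and Router comes from the page.

```python
import re

# Facility codes from RFC 3164; the BAT uses the LOCAL* range for its sources.
FACILITY_NAMES = {16: "LOCAL0", 17: "LOCAL1", 18: "LOCAL2", 19: "LOCAL3",
                  20: "LOCAL4", 21: "LOCAL5", 22: "LOCAL6", 23: "LOCAL7"}
FACILITY_CODES = {name: code for code, name in FACILITY_NAMES.items()}
SEVERITY_NAMES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
                  "WARNING", "NOTICE", "INFO", "DEBUG"]

# Source-to-facility mapping taken from the manual's table above. Other
# sources of the device are not listed on this page and are reported as 'other'.
SOURCE_BY_FACILITY = {"LOCAL2": "Administration", "LOCAL3": "Router"}

# Constructed sample lines (format and wording are for this example only):
# PRI 150 = LOCAL2 (18*8) + INFO (6); PRI 157 = LOCAL3 (19*8) + NOTICE (5).
SAMPLE_LINES = [
    "<150>Jun  8 10:12:33 BAT54 Administration: configuration changed by admin via Telnet",
    "<157>Jun  8 10:12:40 BAT54 Router: packet filtered 10.0.0.7 -> 198.51.100.9 TCP/445",
    "<150>Jun  8 10:13:01 BAT54 Administration: remote command executed: set operating on",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility_name, severity_name):
    """PRI = facility * 8 + severity, the number sent inside the angle brackets."""
    return FACILITY_CODES[facility_name] * 8 + SEVERITY_NAMES.index(severity_name)


def parse_syslog_line(line):
    """Split a raw syslog line into facility, severity, BAT source and message.
    Raises ValueError for lines without a valid PRI field (0..191)."""
    match = PRI_RE.match(line)
    if match is None:
        raise ValueError("missing PRI field: " + line)
    pri = int(match.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility_code, severity_code = divmod(pri, 8)
    facility = FACILITY_NAMES.get(facility_code, "FACILITY%d" % facility_code)
    return {
        "facility": facility,
        "severity": SEVERITY_NAMES[severity_code],
        "source": SOURCE_BY_FACILITY.get(facility, "other"),
        "message": match.group(2),
    }


def administration_events(lines):
    """Return the parsed records that come from the Administration source
    (LOCAL2), i.e. configuration changes and remotely executed commands."""
    return [record for record in map(parse_syslog_line, lines)
            if record["source"] == "Administration"]


if __name__ == "__main__":
    for event in administration_events(SAMPLE_LINES):
        print(event["severity"], event["message"])
```

Because SYSLOG over UDP is neither authenticated nor encrypted, the collector should sit on a management network the WLAN clients cannot reach, and a rule that fires on every LOCAL2 message (rather than on message text) stays valid even if the device's wording changes between firmware releases.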
BAT routers can obtain exact time information either over ISDN or from public time servers on the Internet (NTP servers with an 'Open Access' policy). The BAT can then provide the obtained time to all stations in the local network.
With these settings only the BAT itself obtains the time from public time servers. To provide the correct time to the remaining devices, enable the local time server under the 'Time Server' tab. Furthermore, activate the broadcast mode and enter the broadcast interval.
Linux distributions have to be installed with NTP. The date and time settings of a Windows XP system can be opened with a double click on the clock in the taskbar, where you can select the server for synchronization.
Configuration tool: Call
LANconfig: Date & time > General
WEBconfig, Telnet: Expert configuration > Setup > Time > Daylight-saving time
Daylight-saving time
Off: The system time will not be adjusted to daylight-saving time.
Month, January to December: The month in which the change will take place.
Hour, 0 to 23: The hour in which the change will take place.
Minute, 0 to 59: The minute in which the change will take place.
The firewall and QoS rules are initially fixed in time. But it can be useful to make settings that vary by time of day or weekday. During off-hours or at weekends, for example, different priorities for guaranteed bandwidths can be set than during business hours.
regular firmware or configuration updates
VPN connection at once. To avoid these effects, the CRON jobs can be set with a random delay time between 0 and 59 minutes.
Real time: These rules evaluate all time/date information.
Operation time: These rules only evaluate the minutes and hours since the last time the device was started.
Default: Real time
CRON job after the set start time. The actual delay time is determined randomly and lies between 0 and the time entered here. Default: 0. Values: 0 to 65535 seconds. Particular values: With the variation set to zero, the CRON job is executed exactly at the set time.
The computers in Purchasing are assigned an IP address from a certain address range (e.g. 192.168.100.200 to 192.168.100.254) from the list of addresses for dial-in connections (LANconfig > TCP/IP > Addresses). Note: The BAT itself is in a different IP address range!
Along with the activation of the PPPoE server (LANconfig > Communication > General), further restrictions (e.g. permissible MAC addresses) can also be defined in the PPPoE server. The example uses the existing entry 'DEFAULT' with the MAC address '00.00.00.00.00.00', thereby permitting all MAC addresses. Note that a client can present any MAC address it likes, so a MAC restriction only prevents accidental use; authenticating the user remains the task of PPP (for example against a RADIUS server).
More services 12.8 PPPoE Servers The firewall (LANconfig > Firewall/QoS > Rules) can be used to control which services are available to the employees in Purchasing (e.g. allowing HTTP and e-mail only).
12.8.3 Configuration
Configuration with LANconfig: The settings for the PPPoE server can be found in LANconfig in the configuration area 'Communication' on the 'General' tab.
MAC address. Once the limit has been reached, the server no longer responds to queries received from the client. The default value is '1', the maximum value '99'. A session limit of '0' stands for an unlimited number of sessions.
Authenticator: A network component positioned between the network and the client, which forwards the authorization request. This task can be performed by a BAT access point, for example. The authenticator is also referred to as the Network Access Server (NAS).
[Figure: Client, Authenticator, RADIUS server]
Using PPP when dialing into a network (see 'Dial-in using PPP and RADIUS' → page 505)
Via WLAN (see 'Dial-in using WLAN and RADIUS' → page 507)
Via the 802.1X protocol (see 'Dial-in using 802.1x and RADIUS' → page 508)
For each of these cases there is a specific set of parameters which can be configured independently of the other applications. There are also general parameters which need to be configured for each of these applications. Not all devices support all applications.
Note: With PPP authentication using RADIUS, please note that the device dialing in accepts the RADIUS timeout configured here.
Retries [default: 3]: This value specifies how many authentication attempts are made in total before a Reject is issued.
Accounting for a logical WLAN network on a RADIUS server can be enabled by activating the "RADIUS Accounting" option in the logical WLAN settings for the network.
Configuration tool: Call
LANconfig: Interfaces > Wireless LAN > Logical WLAN settings
WEBconfig, Telnet: Expert configuration > Setup > RADIUS module
RADIUS. All user data, such as user name and password, is entered on the RADIUS server.
Server IP address: Specify here the IP address of your RADIUS server, on which users are managed centrally.
In order to use the callback control from RADIUS, a user must be set up on the RADIUS server for each telephone number to be authenticated. The user name corresponds to the telephone number and the user password is the CLIP password specified here.
Expert configuration > Setup > WLAN > RADIUS access check
Note: To use the RADIUS functionality for WLAN clients, the option "Transfer data from the listed stations, authenticate all others via RADIUS or filter them out" must be selected for the "Filter stations" parameter.
Note: Please refer to 'EAP and 802.1x' → page 37 for further information on the 802.1X protocol.
Configuration tool: Call
LANconfig: WLAN Security > IEEE 802.1X > RADIUS server
WEBconfig, Telnet: Expert configuration > Setup > IEEE802.1x > Radius server
In addition to its function as RADIUS authenticator or NAS, a BAT access point can also operate as a RADIUS server. In this mode, the information held in the device on users authorized to log in is made available to other access points in authenticator mode.
RADIUS clients wanting to register at other access points. In an installation with several access points, client access authorizations can thus be maintained centrally.
Configuration tool: Call
LANconfig: WLAN security > RADIUS
WEBconfig, Telnet: Expert configuration > Setup > WLAN > RADIUS access check
CHAP challenge from the NAS to compute the CHAP response. If this computed response and the answer sent by the client via the NAS match, the RADIUS server sends a RADIUS Accept; otherwise it sends a RADIUS Reject.
Note: Please note that the TLS implementation in LCOS does not support certificate chains or certificate revocation lists (CRLs). Without CRL support a lost or compromised client certificate cannot be blocked by revocation, so account for this (for example with short certificate lifetimes) when planning EAP-TLS on these devices.
The realm is removed from the string prior to the search of the RADIUS server's user table. Realms allow entire networks which trust each other to work with common RADIUS servers located in partner networks, and to authenticate users who move between these networks.
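The CHAP check described above, together with the realm handling just described, as an added Python example that is not code from the manual or from LCOS. It follows the CHAP response definition of RFC 1994 (MD5 over identifier, password and challenge) and the RADIUS attribute layout of RFC 2865 (CHAP-Password carries the identifier plus the 16-byte response, CHAP-Challenge carries the challenge). The user table, the realm separator '@', the realm name and the sample challenge are assumptions made for this example; the page says nothing about how realms are delimited.

```python
import hashlib
import hmac
import os

# Constructed user table. CHAP requires the server to hold the cleartext
# password (or a reversible form of it), because it must recompute the response.
USER_TABLE = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
}

REALM_SEPARATOR = "@"   # assumption for this example: identities look like 'user@realm'
RESPONSE_LEN = 16       # MD5 digest length, RFC 1994


def strip_realm(identity):
    """Split 'user@realm' into (user, realm); realm is None if absent.
    The user table is searched with the realm removed, as the manual states."""
    user, sep, realm = identity.partition(REALM_SEPARATOR)
    return user, (realm if sep else None)


def chap_response(ident, password, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


def client_answers(ident, challenge, password):
    """The dial-in client's side: it only ever sees the challenge and answers it."""
    return chap_response(ident, password, challenge)


def nas_builds_access_request(identity, ident, challenge, response):
    """The authenticator (NAS) does not know the password; it packs what the
    client sent into the RADIUS attributes and forwards them to the server."""
    return {
        "User-Name": identity,
        "CHAP-Password": bytes([ident]) + response,   # RFC 2865, attribute 3
        "CHAP-Challenge": challenge,                  # RFC 2865, attribute 60
    }


def radius_server_decides(access_request, user_table=USER_TABLE):
    """RADIUS server side: look up the user without the realm, recompute the
    CHAP response with the stored password and compare in constant time.
    In a multi-realm setup the stripped realm would select a forwarding
    server; this example handles every realm locally."""
    user, _realm = strip_realm(access_request["User-Name"])
    chap_password = access_request["CHAP-Password"]
    if len(chap_password) != 1 + RESPONSE_LEN:
        return "Access-Reject"
    ident, response = chap_password[0], chap_password[1:]
    password = user_table.get(user)
    if password is None:
        return "Access-Reject"
    expected = chap_response(ident, password, access_request["CHAP-Challenge"])
    return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"


def authenticate(identity, password_typed, ident, challenge, user_table=USER_TABLE):
    """Full exchange: client answers, NAS forwards, server decides."""
    response = client_answers(ident, challenge, password_typed)
    request = nas_builds_access_request(identity, ident, challenge, response)
    return radius_server_decides(request, user_table)


if __name__ == "__main__":
    challenge = os.urandom(16)   # the NAS generates a fresh random challenge per attempt
    print(authenticate("bob@partner.example", "hunter2", 7, challenge))   # Access-Accept
    print(authenticate("bob@partner.example", "wrong", 7, challenge))     # Access-Reject
```

Two points follow from the construction: the server must store passwords in a form it can recompute from, so the user table is as sensitive as the passwords themselves; and the identifier is part of the hash, so a response replayed under a different identifier or challenge is rejected even when the password is right.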
If no EAP tunnel server is defined, the LCOS RADIUS server forwards the request to itself, meaning that both the inner and the outer EAP authentication are handled by the LCOS RADIUS server itself.
Password required by the client for access to the RADIUS server in the BAT access point.
Note: In addition to the configuration of the RADIUS server, the source of the user information must also be defined.
Alternative forwarding server in case the first forwarding server is not available.
EAP options for the RADIUS server
EAP tunnel server: This realm refers to the entry in the table of forwarding servers that is to be used for tunneled TTLS or PEAP requests.
These settings are made at all locations where a BAT is configured as a RADIUS client:
WEBconfig: Setup > RADIUS
WEBconfig: Setup > WLAN > RADIUS-access-check
WEBconfig: Setup > WLAN > RADIUS-accounting
WEBconfig: Setup > Public-spot-module > Provider-table
WEBconfig: Setup > IEEE802.1x > RADIUS-server
Separate X.509 certificates are required for TLS encryption of the RADSEC connection. The individual certificates (root certificate, device certificate and private key) can be uploaded to the device individually or as a PKCS#12 container. WEBconfig: Upload certificate or file
X.75 / V.110 not working
DSL line error (Layer 1)
Cable not connected
13.1.2 VPN error messages
Note: For correct evaluation of error messages for VPN connections, at least LCOS version 3.22 must be installed on both BAT devices.
IP address from the LAN at the remote site.
Dynamic VPN - predefined
The fee limit under "Configure --> Costs --> Fees charge limit exceeded - Limit (ISDN)" was reached. Please reboot the device.
IKE key mismatch (IKE): Please compare the preshared keys under "Configure --> VPN --> IKE --> IKE key"
RADIUS access check for WLAN station succeeded | Access point | Checking of RADIUS access for the WLAN station was successful
RADIUS access check for WLAN station failed | Access point | Checking of RADIUS access for the WLAN station was unsuccessful
Bold values indicate the default setting of the BAT radio adapters when used in a base station.
13.3.2 Radio channels in the 5 GHz frequency band
In the frequency range from 5.13 to 5.805 GHz, up to 19 non-overlapping channels are available in Europe, defined in the following sub-bands:
Greece: National Telecommunications Commission (EET)
Great Britain: Office of Telecommunications (Oftel), www.oftel.gov.uk; Postal Services Commission (Postcomm), www.postcomm.gov.uk/; Radiocommunications Agency, www.open.gov.uk/radiocom
Ireland: Commission for Communications Regulation (ComReg), www.comreg.ie
Iceland: Post and Telecom Administration (PTA), www.pta.is
Comision del Mercado de las Telecomunicaciones (CMT)
Czechia: Czech Telecommunication Office, www.ctu.cz
Hungary: Communication Authority (HIF), www.hif.hu
Note: Please inform yourself about the current radio regulations of the country in which you want to operate a wireless LAN device.
The ESP CBC-Mode Cipher Algorithms
RFC 2516 A Method for Transmitting PPP Over Ethernet (PPPoE)
RFC 2684 Multiprotocol Encapsulation over ATM Adaptation Layer 5
RFC 3280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
DNS: Domain Name Service - computers communicate with computers in remote networks using IP addresses; DNS servers translate names into IP addresses; without DNS servers, you would have to remember all IP addresses and could not work with names (e.g. www.hirschmann.com)
IP masquerading: Combination of PAT (Port Address Translation) and NAT (Network Address Translation); process used by Hirschmann for connecting an intranet (multiple workstations) to the Internet over a single IP address; at the same time, the internal computers are protected from attacks from outside...
Router: Intelligent network component; comparable with a post office, which can determine from the logical destination address of a packet which next network component should transmit the packet; knows the overall topology of the network
WLAN: Wireless Local Area Network - local radio network
WPA: WiFi Protected Access; name for security mechanisms beyond IEEE 802.11; defined by the WiFi Alliance
WISP: Wireless Internet Service Provider
xDSL: xDSL stands for the family of Digital Subscriber Line technologies
XOR: Logical operation "exclusive OR"
Access router Address administration IP address administration Address pool Administrator's access ADSL AES-CCM Antenna gain Antenna power AT commands ATM adaptation layer Authentication Authentication process TTLS Authentication with EAP/802.1X in client mode Auto reconnect Background scanning Bandwidth
Client Client mode Collision domain Command line interface Command line reference Computer names Configuration procedure SNMP Configuration files Configuration interface configuration updates CRON service CSMA/CA D channel Data throughput Denial of Service Attacks Bonk Fragrouter LAND
Assured Forwarding Best Effort Class Selector Expedited Forwarding IPSec Distance of a route IP address assignment available information DNS forwarding DNS server DNS-table Dynamic DNS filter mechanism Domain deny access Domain name service (DNS) Download Downstream
Frequency Frequency band Fresnel zone active FTP data transfer download passive FTP TCP-secured transfer Gateway GPRS backup connection Gross data rate Group configuration HDLC Hidden station Host Host name table HotSpot HTTPS IAPP roaming IBBS IBSS
Intrusion Detection IP-Spoofing Inverse masquerading IP address IP broadcast IP header IP masquerading simple masquerading IP multicast IP Quality of Service IP routing standard router IP routing table IP Spoofing IP telephony IPSec IPSec over WLAN
Display options Firewall actions log Monitor Internet connection System information Traces VPN connections LANtools Layer-2 Layer-2-switch Layer-3 LCOS LCP echo reply request LLC-MUX Logging table Logical LAN Logical sending direction Logical wireless networks Login Login barring
Sending MLPPPoE Modem Monitoring MS-CHAP Multi SSID Multilink PPP (MLPPP) Multi-PPPoE Multithreading N:N mapping Central mapping Configuration Decentralized mapping DNS forwarding Firewall Loopback address NAT table Network coupling via VPN Routing table VPN rule NBNS server
Passphrase Security passwd Password Password protection PEAP Period of validity Physical LAN Physical sending direction Physical WLAN interface Ping Ping blocking ping command Ping of Death PMTU reduction Point-to-Multipoint (WLAN) Point-to-Point (WLAN) Point-to-Point connection Point-to-Point Tunneling
Direction of data transfer VLAN tag QoS → Quality of Service Quality of Service 802.11e Queues Secured queue Standard queue Urgent queue I Urgent queue II Radio cell Radio frequency RADIUS WLAN access list RADIUS server RADSEC Range
Rogue client detection Roll-out Router Router-name RTS threshold RTS/CTS protocol RX rate Scheduled Events Scripting commands SDSL Security checklist settings Security settings Serial port Server Signal-quality display via LEDs SINA SMTP Smurf SNMP SNMP Trap SNMP-ID
SYSLOG TCP control packets TCP Stealth mode TCP/IP TCP/IP networks Teardrop Telnet Output of the SNMP ID Temporal Key Integrity Protocol Term Terminal program TFTP Time Time server TKIP High Reliability IPSec Low Delay Priority Trace examples
Connection of WLAN stations Conversion in the interfaces Default ID Default-VLAN ID Layer 2 tagging Management of LAN traffic Network table Port Port list Port table Priority Shielding of SNMP traffic Use of a central cabling
Explanation of the process Private WEP settings Sniffer tools WEP group keys WEP encryption WEP key dynamic WEPplus Limits WiFi Wi-Fi Alliance WiFi Alliance Wi-Fi Multimedia WiFi Protected Access Wildcards WINS Address Wired Equivalent Privacy Wireless LAN
Country setting DFS method Frequency band IBBS Indoor function infrastructure network IPSec over WLAN Keep client connection alive Maximum distance Multi-SSID Network settings Network types Operation mode Point-to-point connections Point-to-Point mode Protocol filter Protocol filters Radio settings