Wizard
Internet:
If you are new to networking and have never configured a router before, click on Internet Connection Setup Wizard and the router will run you through a few simple steps to get your network up and running. If you consider yourself an advanced user and have configured a router before, click Manual Internet Connection Setup to input all the settings manually.

Wireless Settings:
If you are new to wireless networking and have never configured a wireless router before, click on Wireless Network Setup Wizard and the router will guide you through a few simple steps to get your wireless network up and running. If you have configured the wireless router with WPS and want to add a new supported client device to the network, click on Add Wireless Device and the router will guide you through the WPS configuration. If you consider yourself an advanced user and have configured a wireless router before, click Manual Wireless Network Setup to input all the settings manually.

VPN Wizard:
If you have never configured VPN settings before, click on VPN Setup Wizard and the router will run you through a few simple steps to set up a VPN policy. If you consider yourself an advanced user and have configured VPN settings before, click Manual VPN Configuration to input VPN settings manually.
Internet Settings
WAN1 Status:
The actions that can be taken differ with the connection type. If WAN is configured using DHCP, the DHCP release and renew options are available; other connection types offer other options.
MAC Address: MAC Address of the WAN port.
IPv4 Address: IP address of the WAN port followed by the WAN subnet.
WAN State: Indicates the state of the WAN port (UP or DOWN).
NAT (IPv4 only): Indicates if the security appliance is in NAT mode (enabled) or routing mode (disabled).
IPv4 Connection Type: Indicates if the WAN IPv4 address is obtained dynamically through a DHCP server or assigned statically by the user or obtained through a PPPoE/PPTP/L2TP ISP connection.
IPv4 Connection State: Indicates if the WAN is connected to the Internet Service Provider.
Link State: Detects if a link is present on the WAN Interface.
WAN Mode: Indicates if Dedicated WAN or Optional port is in use.
Gateway: Gateway IP address of the WAN port.
Primary DNS: Primary DNS server IP address of the WAN port.
Secondary DNS: Secondary DNS server IP address of the WAN port.
If the Connection Status indicates that the association with the ISP is active, then the WAN can be disconnected by clicking the Disable button.

WAN1 Setup:
Note: If you have a PPPoE connection, first create a PPPoE profile which can then be selected below.

ISP Configuration
ISP Connection Type
ISP Connection Type: Choose from among the following options: DHCP, Static, PPPoE, PPTP, or L2TP.
PPPoE Profile Name: For a PPPoE connection, select the name of the PPPoE Profile that you previously configured on the SETUP->Internet Settings->PPPoE Profiles->WAN1/WAN2 PPPoE Profiles page.
Username: Enter the username required to log in to the ISP.
Password: Enter the password required to log in to the ISP.
Secret: Enter the secret phrase to log into the server (for L2TP connections only).
MPPE Encryption: Check this if the PPTP server supports MPPE encryption.
Split Tunnel: This option is available only for PPTP and L2TP. Enabling split tunnel will prevent you from adding a Gateway IP address and instead you need to add specific routes to route LAN traffic.
Connectivity Type: Select one of the following options:
  Keep Connected: The connection is always on.
  Idle Time: The connection is automatically ended if it is idle for a specified number of minutes. Enter the number of minutes in the Idle Time field. This feature is useful if your ISP charges you based on the amount of time that you are connected.
My IP Address: Enter the IP address assigned by the ISP to make a connection with the ISP server (for PPTP and L2TP connections only).
Server IP Address: Enter the IP address of the PPTP server (for PPTP and L2TP connections only).

Internet (IP) Address
IP Address Source: Choose one of the following options:
  Get Dynamically from ISP: Choose this option if you have not been assigned any static IP address. The ISP will automatically assign an IP address to the router using DHCP network protocol.
  Use Static IP Address: Choose this option if your ISP has assigned a fixed (static or permanent) IP address. Also complete the fields that are highlighted white in this section.
IP Address: Enter the static IP address that your ISP assigned to you. This address will identify the router to your ISP.
IP Subnet Mask: Enter the IPv4 Subnet Mask. This is usually provided by the ISP or your network administrator.
Gateway IP Address: Enter the IP address of the ISP gateway. This is usually provided by the ISP or your network administrator.

Domain Name System (DNS) Servers
Domain name servers (DNS) convert Internet names such as www.dlink.com to IP addresses to route traffic to the correct resources on the Internet. If you configure your router to get an IP address dynamically from the ISP, then you need to specify the DNS server source in this section.
DNS Server Source: Choose one of the following options:
  Get Dynamically from ISP: Choose this option if your ISP did not assign a static DNS IP address.
  Use These DNS Servers: Choose this option if your ISP assigned a static DNS IP address for you to use. Also complete the fields that are highlighted white in this section.
Primary DNS Server: Enter a valid primary DNS Server IP Address.
Secondary DNS Server: Enter a valid secondary DNS Server IP Address.

Router's MAC Address
The router has a unique 48-bit local Ethernet address, also referred to as the MAC (Media Access Control) address. In most cases, the default address can be used to identify your router to your ISP. However, you can change this setting if required by your ISP.
MAC Address Source: Choose Use Default Address unless your ISP requires MAC authentication and another MAC address has been previously registered with your ISP. In that case, choose one of the following options:
  MAC Address: Enter a MAC address in the following format: XX:XX:XX:XX:XX:XX where X is a number from 0 to 9 (inclusive) or an alphabetical letter between A and F (inclusive).
  Clone your PC's MAC Address: Choose this option to assign the MAC address of the computer that you are using to configure the router.
Host Name: Specify the host-name option to send to the DHCP server. The host-name string only contains the client's hostname prefix, to which the server will append the DDNS domain name or domain-name options, if any, to derive the fully qualified domain name of the client.

Click Save Settings to save your changes. Click Don't Save Settings to revert to the previous settings.
Note: If the router is unable to connect, ensure that the settings for the WAN port are the same as the ones provided by your ISP. Check with your ISP to see if the settings are correct and up-to-date.

WAN1 PPPoE Profiles:
The List of PPPoE Profiles for WAN1 contains the configured profiles.
The following fields are displayed:
Profile Name: The name will identify the profile.
Status: The profile can be configured and then enabled/disabled depending on whether it should be available to assign to a WAN.
User Name: The PPPoE login username of this Profile.
Authentication Type: The type of Authentication in use by the profile: Auto-Negotiate/PAP/CHAP/MS-CHAP/MS-CHAPv2.
Add: Opens the Profile Configuration page.
Edit: Allows the user to Edit an already existing PPPoE Profile.
Enable: Allows the user to enable a PPPoE profile on a WAN Interface to establish the tunnel.
Disable: Allows the user to disable a PPPoE profile.
Delete: Allows the user to delete a PPPoE Profile.

WAN1 PPPoE Profiles Config:
Profile Name: Name of the profile.
User Name: The PPPoE login username of this Profile.
Password: The PPPoE login password of this Profile.
Service: Use this field if you need to distinguish two servers using the same Username and Password combination. With PPP, as you can't specify servers using IP address, you can specify the particular server to connect to using this field.
Authentication Type: Authentication type (PAP/CHAP/MS-CHAP/MS-CHAPv2) that the profile uses. If you are unsure of the type to be selected, choose Auto-Negotiate.
Connectivity Type: Select one of the following options:
  Keep Connected: The connection is always on.
  Idle Time: The connection is automatically ended if it is idle for a specified number of minutes. Enter the number of minutes in the Idle Time field. This feature is useful if your ISP charges you based on the amount of time that you are connected.

Internet (IP) Address
IP Address Source: Choose one of the following options:
  Get Dynamically from ISP: Choose this option if you have not been assigned any static IP address. The ISP will automatically assign an IP address to the router using DHCP network protocol.
  Use Static IP Address: Choose this option if your ISP has assigned a fixed (static or permanent) IP address.
Also complete the fields that are highlighted white in this section.
IP Address: Enter the static IP address that your ISP assigned to you. This address will identify the router to your ISP.
IP Subnet Mask: Enter the IPv4 Subnet Mask. This is usually provided by the ISP or your network administrator.
Gateway IP Address: Enter the IP address of the ISP gateway. This is usually provided by the ISP or your network administrator.

Domain Name System (DNS) Servers
Domain name servers (DNS) convert Internet names such as www.dlink.com to IP addresses to route traffic to the correct resources on the Internet. If you configure your router to get an IP address dynamically from the ISP, then you need to specify the DNS server source in this section.
DNS Server Source: Choose one of the following options:
  Get Dynamically from ISP: Choose this option if your ISP did not assign a static DNS IP address.
  Use These DNS Servers: Choose this option if your ISP assigned a static DNS IP address for you to use. Also complete the fields that are highlighted white in this section.
Primary DNS Server: Enter a valid primary DNS Server IP Address.
Secondary DNS Server: Enter a valid secondary DNS Server IP Address.

WAN2 Status:
The actions that can be taken differ with the connection type. If WAN is configured using DHCP, the DHCP release and renew options are available; other connection types offer other options.
MAC Address: MAC Address of the WAN port.
IPv4 Address: IP address of the WAN port followed by the WAN subnet.
WAN State: Indicates the state of the WAN port (UP or DOWN).
NAT (IPv4 only): Indicates if the security appliance is in NAT mode (enabled) or routing mode (disabled).
IPv4 Connection Type: Indicates if the WAN IPv4 address is obtained dynamically through a DHCP server or assigned statically by the user or obtained through a PPPoE/PPTP/L2TP ISP connection.
IPv4 Connection State: Indicates if the WAN is connected to the Internet Service Provider.
Link State: Detects if a link is present on the WAN Interface.
WAN Mode: Indicates if Dedicated WAN or Optional port is in use.
Gateway: Gateway IP address of the WAN port.
Primary DNS: Primary DNS server IP address of the WAN port.
Secondary DNS: Secondary DNS server IP address of the WAN port.
If the Connection Status indicates that the association with the ISP is active, then the WAN can be disconnected by clicking the Disable button.

WAN2 Setup:
The List of PPPoE Profiles for WAN2 contains the configured profiles. The following fields are displayed:
Profile Name: The name will identify the profile.
Status: The profile can be configured and then enabled/disabled depending on whether it should be available to assign to a WAN.
User Name: The PPPoE login username of this Profile.
Authentication Type: The type of Authentication in use by the profile: Auto-Negotiate/PAP/CHAP/MS-CHAP/MS-CHAPv2.
Add: Opens the Profile Configuration page.
Edit: Allows the user to Edit an already existing PPPoE Profile.
Enable: Allows the user to enable a PPPoE profile on a WAN Interface to establish the tunnel.
Disable: Allows the user to disable a PPPoE profile.
Delete: Allows the user to delete a PPPoE Profile.

WAN2 PPPoE Profiles Config:
Profile Name: Name of the profile.
User Name: The PPPoE login username of this Profile.
Password: The PPPoE login password of this Profile.
Service: Use this field if you need to distinguish two servers using the same Username and Password combination. With PPP, as you can't specify servers using IP address, you can specify the particular server to connect to using this field.
Authentication Type: Authentication type (PAP/CHAP/MS-CHAP/MS-CHAPv2) that the profile uses. If you are unsure of the type to be selected, choose Auto-Negotiate.
Connectivity Type: Select one of the following options:
  Keep Connected: The connection is always on.
  Idle Time: The connection is automatically ended if it is idle for a specified number of minutes. Enter the number of minutes in the Idle Time field. This feature is useful if your ISP charges you based on the amount of time that you are connected.

Internet (IP) Address
IP Address Source: Choose one of the following options:
  Get Dynamically from ISP: Choose this option if you have not been assigned any static IP address. The ISP will automatically assign an IP address to the router using DHCP network protocol.
  Use Static IP Address: Choose this option if your ISP has assigned a fixed (static or permanent) IP address. Also complete the fields that are highlighted white in this section.
IP Address: Enter the static IP address that your ISP assigned to you. This address will identify the router to your ISP.
IP Subnet Mask: Enter the IPv4 Subnet Mask. This is usually provided by the ISP or your network administrator.
Gateway IP Address: Enter the IP address of the ISP gateway. This is usually provided by the ISP or your network administrator.

Domain Name System (DNS) Servers
Domain name servers (DNS) convert Internet names such as www.dlink.com to IP addresses to route traffic to the correct resources on the Internet. If you configure your router to get an IP address dynamically from the ISP, then you need to specify the DNS server source in this section.
DNS Server Source: Choose one of the following options:
  Get Dynamically from ISP: Choose this option if your ISP did not assign a static DNS IP address.
  Use These DNS Servers: Choose this option if your ISP assigned a static DNS IP address for you to use. Also complete the fields that are highlighted white in this section.
Primary DNS Server: Enter a valid primary DNS Server IP Address.
Secondary DNS Server: Enter a valid secondary DNS Server IP Address.
Configurable Port:
Routing mode between WAN and LAN:
  NAT: NAT is a technique which allows several computers on a LAN to share an Internet connection. The computers on the LAN use a "private" IP address range while the WAN port on the router is configured with a single "public" IP address. Along with connection sharing, NAT also hides internal IP addresses from the computers on the Internet. Select NAT if your ISP has assigned only one IP address to you. The computers that connect through the router will need to be assigned IP addresses from a private subnet (example: 192.168.10.0).
  Classic Routing: If your ISP has assigned an IP address for each of the computers that you use, select this option. IP addresses on the LAN will be exposed and be in the same subnet as the WAN.
  Transparent: Select this to allow traffic from the LAN and WAN to be bridged. There is no NAT performed, though the WAN and LAN can be configured to have different subnets.
Note: The router will delete all inbound firewall rules when switching routing modes between the LAN and WAN.

Dynamic Routing (RIP)
RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks. It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network.
Note: RIP is disabled by default.
RIP Direction: Determines how the router sends and receives RIP packets:
  Both: The router both broadcasts its routing table and also processes RIP information received from other routers.
  Out Only: The router broadcasts its routing table periodically but does not accept RIP information from other routers.
  In Only: The router accepts RIP information from other routers, but does not broadcast its routing table.
  None: The router neither broadcasts its route table nor does it accept any RIP packets from other routers. This effectively disables RIP.
RIP Version: RIP version can be one of the following:
  Disabled: select to disable RIP.
  RIP-1: this is a class-based routing version that does not include subnet information. This is the most commonly supported version.
  RIP-2: includes all the functionality of RIPv1 plus it supports subnet information. Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the mode in which packets are sent is different. RIP-2B broadcasts data in the entire subnet, while RIP-2M sends data to multicast addresses.
RIPng is an extension of RIPv2 to support IPv6.

Authentication for RIP 2B/2M
Authentication for RIP 2B/2M required: RIP authentication is disabled by default. To enable authentication for RIP-2B or RIP-2M, select the corresponding checkbox.

First Key Parameters
MD5 Key ID: Input the unique MD5 key ID.
MD5 Auth Key: Input the auth key for this MD5 key.
Not Valid Before: Start date of the First Key for MD5 based authentication between routers.
Not Valid After: End date of the First Key for MD5 based authentication between routers.

Second Key Parameters
MD5 Key ID: Input the unique MD5 key ID.
MD5 Auth Key: Input the auth key for this MD5 key.
Not Valid Before: Start date of the Second Key for MD5 based authentication between routers.
Not Valid After: End date of the Second Key for MD5 based authentication between routers.

Click Save Settings to save your changes. Click Don't Save Settings to revert to the previous settings.

WAN Mode:
Port Mode
The Port Mode settings allow you to configure whether the router should use only one WAN connection or both if more than one is available. If you have configured a single ISP connection for the LAN, then select Use only single WAN port and select the WAN port that is connected to your ISP. If you have two ISP links for internet connectivity, the router can be configured either in Auto Rollover Mode or Load Balancing Mode.
If you want to use a redundant ISP link for backup purposes, then choose Auto-Rollover using WAN port and select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port is configured before enabling Auto Rollover. When the router is configured in Auto Rollover Mode, it checks the connection of the primary link at regular intervals to detect its status.

To use multiple ISP links simultaneously, select Load Balancing. In Load Balancing mode, the two links will carry data for the protocols that are bound to them. Round Robin is when new connections to the internet are alternated between available links. Spillover Mode will use a single WAN link for all connections until the bandwidth threshold is reached, after which point the other WAN link is used for new connections.

Protocol bindings can be specified by clicking the Protocol Bindings button. This feature can be used to segregate traffic between links that are not of the same speed. High volume traffic can be routed through the port connected to a high speed link and low volume traffic can be routed through the port connected to the slow link. For example, if the HTTP protocol is bound to WAN1 (dedicated WAN) and FTP protocol is bound to WAN2 (configurable port), then the router will automatically channel FTP data from and to the computers on the LAN through the WAN2 port. All HTTP traffic will be routed through the WAN1 port.

When the router is configured in Load Balancing Mode, it checks the connection of both links at regular intervals to detect their status. If WAN is configured for Idle Timeout, then Load Balancing Mode is not applicable.

WAN Failure Detection
Link failure is detected by DNS lookup using an internet server or ping to an external IP address.
To have no check for detecting WAN failure, select None. This option is valid only if WAN mode is set to Load Balancing.
Select DNS lookup using WAN DNS Servers to detect failure of a WAN link using the DNS servers configured in the Dedicated WAN or Configurable Port WAN pages under the Networking menu.
To use a specific DNS server for detecting WAN failure, select DNS lookup using DNS Servers and enter the IP addresses of custom DNS servers for WAN1 and WAN2.
To detect WAN failure by pinging an IP address, select Ping these IP addresses and enter the IP addresses in the fields to ping from WAN1 and WAN2. Ensure that this destination host is reliable.
Retry Interval is: The number tells the router how often it should run the above configured failure detection method.
Failover after: This sets the number of retries after which failover is initiated.

Click Save Settings to save your changes. Click Don't Save Settings to revert to the previous settings.
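
The First Key and Second Key parameters for RIP-2B/2M authentication, described earlier in this section, each carry a validity window. The following check is an added example, not part of the router's software or documentation: it reports duplicate key IDs, reused or empty auth keys, inverted windows, and any period in which neither key is valid. The dictionary field names, the sample keys and the assumption that the two windows are meant to cover time without a gap are this example's own.

```python
from datetime import datetime


def active_keys(keys, at):
    """Return the key IDs whose validity window contains the time `at`."""
    return [k["key_id"] for k in keys if k["not_before"] <= at <= k["not_after"]]


def check_rip_keys(first, second, now):
    """Return a list of problems in a two-key RIP MD5 authentication setup."""
    problems = []
    keys = [first, second]
    if first["key_id"] == second["key_id"]:
        problems.append("both keys use the same MD5 Key ID")
    if first["auth_key"] == second["auth_key"]:
        problems.append("both keys use the same MD5 Auth Key")
    for name, k in (("First", first), ("Second", second)):
        if not k["auth_key"]:
            problems.append(f"{name} Key has an empty MD5 Auth Key")
        if k["not_before"] >= k["not_after"]:
            problems.append(f"{name} Key: Not Valid Before is not earlier than Not Valid After")
    # Assumption: the two windows are meant to hand over without a gap.
    early, late = sorted(keys, key=lambda k: k["not_before"])
    if late["not_before"] > early["not_after"]:
        gap = late["not_before"] - early["not_after"]
        problems.append(f"no key is valid for {gap} between the two windows")
    if not active_keys(keys, now):
        problems.append(f"no key is valid at {now:%Y-%m-%d %H:%M}")
    return problems


# Constructed sample keys (placeholder secrets, not from any real router).
FIRST = {"key_id": 1, "auth_key": "example-key-one",
         "not_before": datetime(2024, 1, 1), "not_after": datetime(2024, 6, 30, 23, 59)}
LATE_SECOND = {"key_id": 2, "auth_key": "example-key-two",
               "not_before": datetime(2024, 7, 15), "not_after": datetime(2024, 12, 31, 23, 59)}
OVERLAP_SECOND = {"key_id": 2, "auth_key": "example-key-two",
                  "not_before": datetime(2024, 6, 15), "not_after": datetime(2024, 12, 31, 23, 59)}

if __name__ == "__main__":
    for second, when in ((LATE_SECOND, datetime(2024, 7, 1)),
                         (OVERLAP_SECOND, datetime(2024, 6, 20))):
        print(when.date(), check_rip_keys(FIRST, second, when) or "OK")
```

Both routers evaluate the windows against their own clocks, so the same check is worth running with each peer's configured time.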
Wireless Settings
Access Points:
Status: This column displays the Enabled/Disabled state of an AP. An AP can be disabled if not in use and enabled when needed. Disabling an AP does not delete the configuration, but stops the AP from sending wireless beacons. Enabling the AP creates a wireless network, where computers and other devices can join and communicate with the devices connected to the access point or the devices on the Local Area Network (LAN).
Virtual AP: This column shows the name for the access point configuration.
SSID: The Service Set Identifier (SSID) is the name of the wireless network serviced by this AP, and is seen by clients in the 802.11 environment when broadcast is enabled for this AP.
Broadcast: The icon indicates whether or not SSID is broadcast in the beacon frames transmitted by the AP. If SSID is not broadcast, then wireless devices will not be able to see the network name (SSID). The green tick mark indicates that the SSID is to be broadcasted to the public; the red cancel icon indicates that the SSID is not to be broadcasted and a device would have to specify the SSID exactly to connect to this AP.
Profile Name: This field has a brief description of the security, encryption and authentication combination assigned to the AP. A profile does not have to be unique to an AP; rather this grouping of wireless settings can be applied to more than one AP simultaneously.
Active Time: This field indicates if the AP is configured to be functional for only a certain duration during the day: Yes or No.
Start Time: The time of the day when the AP is activated.
Stop Time: The time of the day when the AP is deactivated.

The actions that can be taken on the List of Available Access Points are:
(Check Box At First Column Header): Selects all the APs in the table.
Edit: Opens the Access Points Configuration page, which allows one to edit the settings for the selected access point.
Enable: Enables the selected AP(s).
Disable: Stops the selected AP(s).
Delete: Stops and deletes the selected AP(s).
Add: Opens the Access Point Configuration page to add a new AP.
MAC Filter: Opens the MAC Filter configuration page to configure MAC Address filtering and ACL Policy settings.
Status: Opens the Access Point Status page, displaying traffic statistics for the AP and the list of the connected clients.

Access Points Config:
AP Name: Identifier corresponding to this access point configuration.
Profile Name: Choose the encryption and authentication methods to be used by clients connecting to this AP from the drop-down list of configured profiles. This list is populated by adding profiles in the Wireless > Profiles page.
Active Time: Enable this setting to activate the AP during the period of time specified by the Start Time and End Time fields.
Start Time: Set the hour, minute, and AM/PM when the AP is to be activated each day.
Stop Time: Set the hour, minute, and AM/PM when the AP is to be deactivated each day.
WLAN Partition: Check this box to create a separate virtual network for each wireless connection. When this feature is enabled, each of your wireless clients will be in its own virtual network and will not be able to communicate with other clients.
Click Save Settings to save your changes. Click Don't Save Settings to revert to the previous settings.

Access Control List:
AP Name: This is the name of the Profile that is being configured.
ACL Policy Status: Indicates the type of access policy: Allow, Deny, or Open. An Allow policy permits connections by a client whose MAC address appears in the list. A Deny policy prevents connections by a client whose MAC address appears in the list. An Open policy permits all clients to connect and does not filter access based on the list.
Click Save Settings to save your changes. Click Don't Save Settings to revert to the previous settings.
MAC Address: This list shows all the MAC addresses of computers and devices which are authorized/unauthorized (based on the default ACL Policy) to connect to this access point.
The actions that can be taken are:
(Check Box At First Column Header): Selects all the MAC addresses in the list.
Delete: Deletes the selected MAC address or addresses from the list.
Add: Opens the MAC Filter Configuration page to add a new MAC address.

AP Status:
MAC Address: Enter the MAC (Media Access Control) address of the client that you would like to add to the list of MAC addresses. The format for the MAC address is XX:XX:XX:XX:XX:XX where X is a number from 0 to 9 (inclusive) or an alphabetical letter between A and F (inclusive).
Click Save Settings to save your changes. Click Don't Save Settings to revert to the previous settings.

Profiles:
Profile Name: This is the unique (alphanumeric) identifier of this wireless profile.
SSID: The Service Set Identifier (SSID) is the name of the wireless network associated with the wireless profile.
Broadcast: The icon indicates whether or not SSID is broadcast in the beacon frames transmitted by the AP. If SSID is not broadcast, then wireless devices will not be able to see the network name (SSID). The green tick mark indicates that the SSID is to be broadcasted to the public; the red cancel icon indicates that the SSID is not to be broadcasted and a device would have to specify the SSID exactly to connect to this AP.
Security: This field displays the type of wireless security (if any) assigned to this profile: OPEN, WEP, WPA, WPA2, WPA+WPA2.
Encryption: This field displays the encryption type that is assigned to the profile: TKIP, CCMP, TKIP + CCMP.
Authentication: This field displays the client authentication method that is configured in the profile: PSK, RADIUS, PSK + RADIUS.
The actions that can be taken on the profiles are:
(Check Box at First Column Header): Selects all the profiles in the table.
Edit: Opens the Profile Configuration page to edit the selected profile.
Delete: Deletes the selected profile or profiles.
Add: Opens the Profile Configuration page to add a new profile.

Profile Config:
Profile Configuration
Profile Name: Enter a unique (alphanumeric) identifier for this wireless profile.
SSID: The Service Set Identifier (SSID) is the name of the wireless network/APs associated with this profile.
Broadcast SSID: Check this box to broadcast the SSID. Disable this option to prevent auto-detection of the SSID. In this case clients that want to connect to this AP will need to specify the SSID without detecting the SSID via a scan of the 802.11 environment.
Security: Choose the type of security to be configured in this profile:
  OPEN: No security. Any supported wireless client can connect to this AP (subject to AP ACL policy).
  WEP (Wired Equivalent Privacy): Select this to use WEP encryption on the data packets. WEP is not considered to be secure and can be easily broken. Select this only if there are clients which can only support WEP security (i.e. legacy clients).
  WPA (Wi-Fi Protected Access): WPA is part of the wireless security standard (802.11i) standardized by the Wi-Fi Alliance and was intended as an intermediate measure to take the place of WEP while 802.11i was being prepared. It supports TKIP or CCMP encryption (default is TKIP) and PSK or RADIUS based authentication.
  WPA2: WPA2 is the implementation of security standard specified in final 802.11i. It supports TKIP or CCMP encryption (default is CCMP) and PSK or RADIUS based authentication.
  WPA + WPA2: This mode allows both WPA and WPA2 clients to connect simultaneously. When supported by the client, the stronger security method (WPA2) will be used.
Encryption: Select the WPA/WPA2 encryption method to be used: TKIP, CCMP, or both.
Authentication: Select the WPA/WPA2 authentication method to be used: RADIUS, PSK, or PSK + RADIUS.
WPA Password: The Pre-shared key for WPA/WPA2 PSK authentication. The clients also need to be configured with the same passphrase.
Enable Pre-Authentication: Check this box to enable Pre-Authentication for this profile.

WEP Index and Keys
Selecting WEP as the Security option for this profile requires selecting the type of authentication and specifying the static WEP key to be used in the computers or devices that wish to access this secured wireless network.
Authentication: Select either Open System or Shared Key scheme.
Encryption: Select the encryption type - 64 WEP or 128 WEP. The larger size keys provide stronger encryption, thus making the key more difficult to crack (i.e. 64 WEP has a 40 bit key which is less secure than the 128 WEP which has a 104 bit key).
WEP Passphrase: Define an alphanumeric phrase (longer than 8 characters for optimal security) and click generate key to generate 4 unique WEP keys. Select one of the four to use as the static key that devices must have in order to use the wireless network.
WEP Key 1-4: If WEP Passphrase is not specified, a key can be entered directly in one of the WEP Key boxes. The length of the key should be 5 ASCII characters (or 10 hex characters) for 64-bit WEP and 13 ASCII characters (or 26 hex characters) for 128-bit WEP.
WEP Key Index: Based on which WEP key box is used, the WEP key index is derived.
Click Save Settings to save your changes. Click Don't Save Settings to revert to the previous settings.

Radio Settings:
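
The Profile Config choices above (Security, Encryption, Authentication, WPA Password, WEP key lengths, Broadcast SSID) can be reviewed mechanically once they are written down. The following audit is an added example, not part of the router's software or documentation: the Profile class, the severity labels, the 16-character passphrase threshold and the sample profiles are this example's own assumptions, while the WEP key lengths and the security types come from the text above.

```python
import re
from dataclasses import dataclass

# WEP key sizes as given on the page: (ASCII chars, hex chars) per key type.
WEP_KEY_LENGTHS = {"64": (5, 10), "128": (13, 26)}
MIN_PSK_LEN = 16   # assumed local policy; WPA passphrases are 8 to 63 characters


@dataclass
class Profile:
    """One wireless profile; fields mirror the Profile Config labels."""
    name: str
    security: str               # OPEN, WEP, WPA, WPA2, WPA+WPA2
    encryption: str = ""        # TKIP, CCMP, TKIP+CCMP; for WEP: "64" or "128"
    authentication: str = ""    # PSK, RADIUS, PSK+RADIUS
    wpa_password: str = ""
    wep_key: str = ""
    broadcast_ssid: bool = True
    acl_policy: str = "Open"    # Allow, Deny, Open


def wep_key_valid(key: str, bits: str) -> bool:
    """True if key is 5/13 ASCII characters or 10/26 hex digits for 64/128 WEP."""
    if bits not in WEP_KEY_LENGTHS:
        return False
    ascii_len, hex_len = WEP_KEY_LENGTHS[bits]
    if len(key) == hex_len:
        return re.fullmatch(r"[0-9A-Fa-f]+", key) is not None
    return len(key) == ascii_len and key.isascii()


def audit(p: Profile) -> list:
    """Return (severity, message) findings for one profile, worst first."""
    findings = []
    sec = p.security.upper().replace(" ", "")
    if sec == "OPEN":
        findings.append(("HIGH", "no encryption: traffic is sent in the clear"))
        if p.acl_policy == "Allow":
            findings.append(("INFO", "MAC allow-list limits who can join but encrypts nothing"))
    elif sec == "WEP":
        findings.append(("HIGH", "WEP is not secure; keep only for legacy clients"))
        if not wep_key_valid(p.wep_key, p.encryption):
            findings.append(("HIGH", "WEP key length/format does not match key type"))
    elif sec in ("WPA", "WPA2", "WPA+WPA2"):
        if sec != "WPA2":
            findings.append(("MEDIUM", "WPA clients accepted; prefer WPA2 only"))
        if "TKIP" in p.encryption.upper():
            # TKIP is deprecated in the 802.11 standard; CCMP is the WPA2 default.
            findings.append(("MEDIUM", "TKIP enabled; prefer CCMP only"))
        if "PSK" in p.authentication.upper():
            n = len(p.wpa_password)
            if not 8 <= n <= 63:
                findings.append(("HIGH", "WPA password must be 8 to 63 characters"))
            elif n < MIN_PSK_LEN:
                findings.append(("LOW", f"WPA password shorter than {MIN_PSK_LEN} characters"))
    else:
        findings.append(("HIGH", f"unknown security type {p.security!r}"))
    if not p.broadcast_ssid:
        findings.append(("INFO", "hidden SSID is not a security control"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample profiles (not taken from any real device).
SAMPLES = [
    Profile("guest", "OPEN", acl_policy="Allow"),
    Profile("legacy", "WEP", encryption="128", wep_key="abcde"),
    Profile("mixed", "WPA + WPA2", "TKIP+CCMP", "PSK", wpa_password="correcthorse"),
    Profile("office", "WPA2", "CCMP", "RADIUS", broadcast_ssid=False),
    Profile("home", "WPA2", "CCMP", "PSK", wpa_password="a-long-random-passphrase-2024"),
]

if __name__ == "__main__":
    for prof in SAMPLES:
        results = audit(prof)
        print(prof.name, "OK" if not results else "")
        for severity, message in results:
            print(f"  [{severity}] {message}")
```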
Network Settings
LAN Setup Configuration:
In most cases, the default settings should be sufficient.

LAN Configuration
IP Address: Enter the LAN IP address for the router.
Subnet Mask: Subnet Mask for the above IP Address.
IMPORTANT: If you change the LAN IP address of the router, the browser will not respond when you click Save to save the changes. You must use the new IP address to reconnect to the Configuration Utility. For example, if you change the LAN TCP/IP address from 192.168.10.1 (default) to 10.0.0.1, you must change the IP address of your computer (or release and renew IP address if connected via DHCP) so that it is in the 10.0.0.0 subnet and then type http://10.0.0.1/ in your browser to connect to the Configuration Utility.

DHCP
By default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server, providing TCP/IP configuration to computers connected to the LAN network.
DHCP Mode: If the computers on the LAN are configured with static IP addresses or are configured to use another DHCP server, select the None option. If DHCP Relay is selected, then enter the relay gateway information. To use the router as a DHCP server, select DHCP Server and enter the following information:
Starting IP Address: Enter the first IP address in the range. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address.
Ending IP Address: Enter the last IP address in the range of addresses to lease to LAN hosts. Any new DHCP client joining the LAN will be assigned an IP address between the Starting IP Address and this IP address.
Note: The Starting and Ending DHCP addresses should be in the same "network" as the LAN TCP/IP address of the router (the IP Address field in LAN TCP/IP Setup section).
Primary DNS Server: Enter the primary DNS Server IP.
Secondary DNS Server: Secondary DNS Server IP.
WINS Server: IP address of a WINS server (Optional).
The Windows Internet Naming Service is the equivalent of a DNS server but uses the NetBIOS protocol to resolve hostnames. If the network consists only of Windows based computers and you would like to use a WINS server for name resolution, then enter the IP address of the WINS server. The router will include the WINS server IP address in the DHCP configuration when acknowledging a DHCP request from a DHCP client. Lease Time: Enter the duration (in hours) for which IP addresses will be leased to clients. Relay Gateway: Enter the gateway address. This is the only configuration parameter required in this section when DHCP Relay is selected as its DHCP mode. LAN Proxy Enable DNS Proxy: Check this box to enable DNS proxy on this LAN. When this feature is enabled, the router will act as a proxy for all DNS requests and communicate with the ISP's DNS servers (as configured in the WAN settings page). All DHCP clients will receive the Primary/Secondary DNS IP along with the IP where the DNS Proxy is running, i.e. the box's LAN IP. All DHCP clients will receive the DNS IP addresses of the ISP excluding the DNS Proxy IP address when it is disabled. The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each connection are different, then a link failure may render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can make requests to the router and the router, in turn, sends those requests to the DNS servers of the active connection. Run-Time User Authentication Enable Run-Time User Authentication: Select this option to require LAN hosts to first log in using credentials stored in this router's local user database before being allowed to join the LAN. Click Save Settings to save your changes. Click Don't Save Settings to revert to the previous settings. 
LAN DHCP Reserved Ips: The router's DHCP server can assign TCP/IP configurations to computers in the LAN explicitly by adding the client's network interface hardware address and the IP address to be assigned to that client in the DHCP server's database. Whenever the DHCP server receives a request from a client, the hardware address of that client is compared with the hardware address list present in the database. If an IP address is already assigned to that computer or device in the database, the customized IP address is configured; otherwise an IP address is assigned to the client automatically from the DHCP pool. IP Addresses: The LAN IP address of a host that is reserved by the DHCP server. MAC Addresses: The MAC address that will be assigned the reserved IP address when it is on the LAN. The actions that can be taken on the list of reserved IP addresses are: (Check Box at First Column Header): Selects all the reserved IP addresses in the list. Edit: Opens the LAN DHCP Reserved IP Configuration page to edit the selected binding rule. Delete: Deletes the selected IP address reservation(s). Add: Opens the LAN DHCP Reserved IP Configuration page to add a new binding rule. LAN DHCP Reserved Ip Config: IP Addresses: The LAN IP address that should be reserved by the DHCP server. MAC Addresses: The MAC address that will be assigned the reserved IP address when it is on the LAN. Click Save Settings to save your changes. Click Don't Save Settings to revert to the previous settings. LAN DHCP Leased Clients: IP Addresses: The LAN IP address of a host that matches the reserved IP list. MAC Addresses: The MAC address of a LAN host that has a configured IP address reservation.
DMZ Setup
DMZ Setup Configuration:
This page allows you to configure and set up the DMZ Port. Before you can use this page, you must configure the Configurable Port Status as DMZ. In most cases, the default settings should be sufficient. DMZ Port Setup IP Address: Enter the DMZ IP address for the router. Subnet Mask: Subnet Mask for the above IP Address DHCP for DMZ Connected Computers By default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server, providing TCP/IP configuration to computers connected to the DMZ network. DHCP Mode: If the computers on the DMZ are configured with static IP addresses or are configured to use another DHCP server, select the None option. If DHCP Relay is selected, then enter the relay gateway information. To use the router as a DHCP server, select DHCP Server and enter the following information: Starting IP Address: Enter the first IP address in the range. Any new DHCP client joining the DMZ will be assigned an IP address between this address and the Ending IP Address. Ending IP Address: Enter the last IP address in the range of addresses to lease to DMZ hosts. Any new DHCP client joining the LAN will be assigned an IP address between the Starting IP Address and this IP address. Note: The Starting and Ending DHCP addresses should be in the same "network" as the DMZ TCP/IP address of the router (the IP Address field in LAN TCP/IP Setup section). Primary DNS Server: Enter the primary DNS Server IP. Secondary DNS Server: Secondary DNS Server IP. WINS Server: IP address of a WINS server (Optional). The Windows Internet Naming Service is the equivalent of a DNS server but uses the NetBIOS protocol to resolve hostnames. If the network consists only of Windows based computers and you would like to use a WINS server for name resolution, then enter the IP address of the WINS server. The router will include the WINS server IP address in the DHCP configuration when acknowledging a DHCP request from a DHCP client. 
Lease Time: Enter the duration (in hours) for which IP addresses will be leased to clients. Relay Gateway: Enter the gateway address. This is the only configuration parameter required in this section when DHCP Relay is selected as its DHCP mode. DMZ Proxy Enable DNS Proxy: Check this box to enable DNS proxy on this DMZ. When this feature is enabled, the router will act as a proxy for all DNS requests and communicate with the ISP's DNS servers (as configured in the WAN settings page). All DHCP clients will receive the Primary/Secondary DNS IP along with the IP where the DNS Proxy is running, i.e. the box's DMZ IP address. All DHCP clients will receive the DNS IP addresses of the ISP excluding the DNS Proxy IP address when it is disabled. The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each connection are different, then a link failure may render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can make requests to the router and the router, in turn, sends those requests to the DNS servers of the active connection. Click Save Settings to save your changes. Click Don't Save Settings to revert to the previous settings. DMZ DHCP Reserved Ips: The router's DHCP server can assign TCP/IP configurations to computers in the DMZ explicitly by adding the client's network interface hardware address and the IP address to be assigned to that client in the DHCP server's database. Whenever the DHCP server receives a request from a client, the hardware address of that client is compared with the hardware address list present in the database. If an IP address is already assigned to that computer or device in the database, the customized IP address is configured; otherwise an IP address is assigned to the client automatically from the DHCP pool. IP Addresses: The DMZ IP address of a host that is reserved by the DHCP server. MAC Addresses: The MAC address that will be assigned the reserved IP address when it is on the DMZ. 
The actions that can be taken on list of reserved IP addresses are: (Check Box at First Column Header): Selects all the reserved IP addresses in the list. Edit: Opens the LAN DHCP Reserved IP Configuration page to edit the selected binding rule. Delete: Deletes the selected IP address reservation(s) Add: Opens the LAN DHCP Reserved IP Configuration page to add a new binding rule. DMZ DHCP Reserved Ip Config: IP Addresses: The DMZ IP address that should be reserved by the DHCP server. MAC Addresses: The MAC address that will be assigned the reserved IP address when it is on the DMZ. Click Save Settings to save your changes. Click Don't Save Settings to revert to the previous settings. DMZ DHCP Leased Clients: IP Addresses: The DMZ IP address that should be reserved by the DHCP server. MAC Addresses: The MAC address that will be assigned the reserved IP address when it is on the DMZ.
IPSec
IPSec Policies:
Both Manual and Auto IPSec policies are configured here. Policy identifiers and source/destination details are required for both types. You can use the VPN wizard to quickly create either Manual or Auto policies. Once the policy is created, you can modify it to meet your tunnel requirements. If setting up a Manual policy, only the Phase 2 (Manual Policy) parameters are required to define the encryption and authentication key details. These must be the same as on the remote peer. An Auto IPSec policy uses IKE to automatically exchange keys between two IPSec hosts. The Phase 1 (IKE) and Phase 2 (Auto Policy) details will determine the security of the tunnel. The IPSec policy can be in Tunnel or Transport mode. Choose tunnel mode to pass traffic between two trusted networks through an untrusted network. Transport mode (the default) is used for end-to-end communication. Status: The status of the policy can be enabled (i.e. in use) or disabled (configured but not in use). Name: A unique name assigned to the policy. The name is not used to identify the tunnel to the remote WAN/client, but for managing the tunnel properties. Type: The IPSec policy type can be Manual or Auto. IPSec Mode: The IPSec mode can be Tunnel or Transport. IPSec tunnel mode is useful for protecting traffic between different networks, when traffic must pass through an intermediate, untrusted network. Tunnel mode is primarily used for interoperability with gateways, or end-systems that do not support L2TP/IPSec or PPTP connections. Transport mode is the default mode for IPSec, and it is used for end-to-end communications (for example, for communications between a client and a server). Local: The IP address or address range on the LAN that is covered by this policy. Remote: The IP address or address range on the remote network that is covered by this policy. Auth: Authentication Header displays the data integrity algorithm used by the tunnel. 
Encr: Encapsulating Security Payload displays the encryption algorithm used by this tunnel. The actions that can be taken on IPSec Policies are: (Check Box at First Column Header): Selects all the policies in the table Edit: Opens the VPN Policy Configuration page to edit the selected VPN policy. Enable: Enables the selected policies Disable: Disables the selected policies Delete: Deletes the selected policy or policies Add: Opens the VPN Policy Configuration page to add a new policy. IPSec Policy Config: General These settings are required for both Manual and Auto policies. Policy Name: Enter a unique name to identify the policy. Policy Type: Select one of the following options: Manual policy: All settings (including the keys) for the VPN tunnel are manually input for each end point. No third-party server or organization is involved. Auto Policy: Some parameters for the VPN tunnel are generated automatically. This requires using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN Endpoints. IPSec Mode: This can be either 'Tunnel' mode or 'Transport' mode. Transport Mode: This mode can be used when we want to secure communication only between two gateways (The communication between only those 2 gateways is secured and you can't specify subnet/range etc. options for this mode.) Tunnel Mode: This mode is to be used if you require IPSec communication to happen not just between 2 gateways, but also LAN hosts of the gateways (you can specify subnet, range etc. for this option.) Select Local Gateway: In the event two WAN ports are configured to connect to an ISP, select the gateway that will be used as the local endpoint for this IPSec tunnel. 
Remote Endpoint: Select the type of identifier that you want to provide for the gateway at the remote endpoint: IP Address or FQDN (Fully Qualified Domain Name) Enable NetBIOS: Check this box to allow NetBIOS broadcasts to travel over the VPN tunnel, or uncheck this box to disable NetBIOS broadcasts over the VPN tunnel. For client policies, the NetBIOS feature is available by default. Enable RollOver?: Check this box to allow the VPN to rollover when WAN Mode is set to Auto Rollover on the WAN Mode page. Enable DHCP: Check this box to allow VPN clients to connect to your router over IPSec and get an assigned IP using DHCP. Tunnel mode IPSec policies require local and remote traffic selection to be defined. For both local and remote endpoints configure the following settings: Local/Remote IP: Select the type of identifier that you want to provide for the endpoint: Any: Specifies that the policy is for traffic from the given end point (local or remote). Note that selecting Any for both local and remote end points is not valid. Single: Limits the policy to one host. Enter the IP address of the host that will be part of the VPN in Start IP Address field. Range: Allows computers within an IP address range to connect to the VPN. Enter the Start IP Address and End IP Address in the provided fields. Subnet: Allows an entire subnet to connect to the VPN. Enter the network address in the Start IP Address field, and enter the Subnet Mask in the Subnet Mask field. Start Address: Enter the first IP address in the range. If you selected Single, simply enter the single IP address in this field and leave the End IP Address field blank. End Address: Enter the last IP address in the range. Subnet Mask: If you chose Subnet as the type, enter the Subnet Mask of the network. Phase 1 – IKE SA Parameters These settings are applicable for Auto IPSec policies that use IKE to perform negotiations between the two VPN Endpoints. 
Exchange Mode: Choose one of the following options: Main mode: This mode negotiates the tunnel with higher security, but is slower. Aggressive mode: This mode establishes a faster connection but with lowered security. Direction/Type: Choose one of the following connection methods: Initiator: The router will initiate the connection to the remote end. Responder: The router will wait passively and respond to remote IKE requests. Both: The router will work in either Initiator or Responder mode. Nat Traversal: Set NAT traversal to 'On' if you expect any Network Address Translation (NAT) to occur during IPSec communication. If not, set this option to 'Off'. NAT Keep Alive Frequency (in seconds): When NAT traversal is set to 'On', use this option to control the keep-alive-frequency value. Keep-alive packets are sent at the mentioned time interval and these are used to keep the NAT mappings alive on the NAT device. Setting this value to 0 disables this feature. Local Identifier Type: Choose the ISAKMP identifier for this router. It can be one of the following: Local WAN IP, Internet Address/FQDN, User FQDN, DER ASN1 DN. Local Identifier: Enter the value of the respective option chosen in the Identifier Type drop-down list. Remote Identifier Type: The ISAKMP identifier for the remote device. It can be one of the following: Remote WAN IP, Internet Address/FQDN, User FQDN, DER ASN1 DN. Remote Identifier: The value of the respective option chosen in the Identifier Type drop down list for the remote host. Note: If either the Local or Remote identifier type is not an IP address, then negotiation is only possible in Aggressive Mode. If FQDN, User FQDN or DER ASN1 DN is selected, the router will disable Main mode and set the default to Aggressive mode. The Security Association (SA) parameters define the strength and the mode for negotiating the SA. The fields in the SA are: Encryption Algorithm: The algorithm used to negotiate the SA. 
There are five algorithms supported by this router: DES, 3DES, AES-128, AES-192, and AES-256. Authentication Algorithm: Specify the authentication algorithm for the VPN header. There are five algorithms supported by this router: MD5, SHA-1, SHA2-256, SHA2-384 and SHA2-512. Note: Ensure that the authentication algorithm is configured identically on both sides. Authentication Method: Select Pre-Shared Key for a simple password based key. Selecting RSA-Signature will disable the pre-shared key text box and use the Active Self Certificate uploaded in the Certificates page. In that case, a certificate must be configured in order for RSA-Signature to work. Please note: The following character is not supported for the pre-shared key: " (Double Quote character). Pre-Shared Key: An alphanumeric key to be shared with the IKE peer. Diffie-Hellman (DH) Group: The Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the strength of the algorithm in bits. Note: Ensure that the DH Group is configured identically on both sides of the IKE policy. SA-Lifetime (sec): The interval after which the Security Association becomes invalid. Enable Dead Peer Detection: Dead Peer Detection is used to detect whether the Peer is alive or not. If the peer is detected as dead, the IPSec and IKE Security Associations are deleted. Detection Period (sec): Detection Period is the interval between consecutive DPD R-U-THERE messages. DPD R-U-THERE messages are sent only when the IPSec traffic is idle. Reconnect after failure count: Maximum number of DPD failures allowed before tearing down the connection. Enable Extended Authentication: Ticking this check-box enables Extended Authentication (XAUTH). Rather than configuring a unique VPN policy for each user, you can enable the VPN gateway router to authenticate users from a stored list of user accounts or with an external authentication server such as a RADIUS server. 
When connecting many VPN clients to a VPN gateway router, XAUTH allows authentication of users with methods in addition to the authentication method mentioned in the IKE SA parameters. Username: This is the unique identifier for the user, and can contain any alphanumeric characters. Password: The password can contain alphanumeric characters.
Phase 2 - Manual Policy Parameters
This section is used when a Manual IPSec policy is in use. The Manual Policy creates an SA (Security Association) based on the following static inputs: SPI-Incoming, SPI-Outgoing: Enter a hexadecimal value between 3 and 8 characters. For example: 0x1234 Encryption Algorithm: Select the algorithm used to encrypt the data. Key Length: BLOWFISH and CAST128 are variable length algorithms, and so the key length field is required when using either of these encryption types. For BLOWFISH, the Key Length must be between 40 and 448 and it must be a multiple of 8. For CAST128, the Key Length must be between 40 and 128 and it must be a multiple of 8. The keys entered (Key-In and Key-Out) must have the length as (Keylength/8). Key-In: Enter the encryption key of the inbound policy. The length of the key depends on the algorithm chosen:
• DES - 8 characters
• 3DES - 24 characters
• AES-128 - 16 characters
• AES-192 - 24 characters
• AES-256 - 32 characters
• AES-CCM - 16 characters
• AES-GCM - 20 characters
• TWOFISH (128) - 16 characters
• TWOFISH (192) - 24 characters
• TWOFISH (256) - 32 characters
• BLOWFISH and CAST128 are variable length algorithms
Key-Out: Enter the encryption key of the outbound policy. The length of the key depends on the algorithm chosen, as shown above. Integrity Algorithm: Select the algorithm used to verify the integrity of the data. Key-In: Enter the integrity key (for ESP with Integrity-mode) for the inbound policy. The length of the key depends on the algorithm chosen:
• MD5 - 16 characters
• SHA-1 - 20 characters
• SHA2-224 - 28 characters
• SHA2-256 - 32 characters
• SHA2-384 - 48 characters
• SHA2-512 - 64 characters
Key-Out: Enter the integrity key (for ESP with Integrity-mode) for the outbound policy. The length of the key depends on the algorithm chosen, as shown above.
Manual Policy Example: Creating a VPN tunnel between two routers:
Router 1: WAN1=10.0.0.1 LAN=192.168.10.1 Subnet=255.255.255.0
Policy Name: manualVPN
Policy Type: Manual Policy
Local Gateway: WAN1
Remote Endpoint: 10.0.0.2
Local IP: Subnet 192.168.10.0 255.255.255.0
Remote IP: Subnet 192.168.20.0 255.255.255.0
SPI-Incoming: 0x1111
Encryption Algorithm: DES
Key-In: 11112222
Key-Out: 33334444
SPI-Outgoing: 0x2222
Integrity Algorithm: MD5
Key-In: 1122334444332211
Key-Out: 5566778888776655
Router 2: WAN1=10.0.0.2 LAN=192.168.20.1 Subnet=255.255.255.0
Policy Name: manualVPN
Policy Type: Manual Policy
Local Gateway: WAN1
Remote Endpoint: 10.0.0.1
Local IP: Subnet 192.168.20.0 255.255.255.0
Remote IP: Subnet 192.168.20.0 255.255.255.0
SPI-Incoming: 0x2222
Encryption Algorithm: DES
Key-In: 33334444
Key-Out: 11112222
SPI-Outgoing: 0x1111
Integrity Algorithm: MD5
Key-In: 5566778888776655
Key-Out: 1122334444332211
Phase 2 - Auto Policy Parameters
When an Auto IPSec policy is used, the phase 2 negotiations require the following parameters. Note that this should match the phase 2 settings on the remote tunnel endpoint. SA Lifetime: Enter the duration of the Security Association and choose the unit from the drop-down list: Seconds: Choose this option to measure the SA Lifetime in seconds. After the specified number of seconds passes, the Security Association is renegotiated. The default value is 3600 seconds. The minimum value is 300 seconds. Kbytes: Choose this option to measure the SA Lifetime in kilobytes. After the specified number of kilobytes of data is transferred, the SA is renegotiated. 
The minimum value is 1920000 KB. Note: When configuring a Lifetime in kilobytes (also known as lifebytes), be aware that two SAs are created for each policy. One SA applies to inbound traffic, and one SA applies to outbound traffic. Due to differences in the upstream and downstream traffic flows, the SA may expire asymmetrically. For example, if the downstream traffic is very high, the lifebyte for a download stream may expire frequently. The lifebyte of the upload stream may not expire as frequently. It is recommended that the values be reasonably set, to reduce the difference in expiry frequencies of the SAs; otherwise the system may eventually run out of resources as a result of this asymmetry. The lifebyte specifications are generally recommended for advanced users only. Encryption Algorithm: Select the algorithm used to encrypt the data. Integrity Algorithm: Select the algorithm used to verify the integrity of the data. PFS Key Group: Check this box to enable Perfect Forward Secrecy (PFS) to improve security. While slower, this protocol helps to prevent eavesdroppers by ensuring that a Diffie-Hellman exchange is performed for every phase-2 negotiation. Click Save Settings to save the settings. Click Don't Save Settings to revert to the previous settings. DHCP RANGE: This page displays the IP range to be assigned to clients connecting using DHCP over IPsec. By default the range is in 192.168.12.0 subnet. You can change it to any other subnet in this page. Starting IP Address: The starting IP address of the range. Ending IP Address: The ending IP address of the range. Subnet Mask: Subnet Mask for the mentioned range. Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings.
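The Manual Policy rules in the IPSec Policy Config help above (SPI format, per-algorithm key lengths, and values that must be the same as on the remote peer) can be checked before the two policies are typed into the routers. The following is an added example, not part of the router's help text or firmware: the dictionary field names are made up for illustration, the SPI rule is assumed to count the hex digits after "0x", and the sample values are transcribed from the Manual Policy Example.

```python
import ipaddress
import re

# Key lengths in characters, copied from the Key-In lists in the help text.
ENC_KEY_CHARS = {
    "DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32,
    "AES-CCM": 16, "AES-GCM": 20, "TWOFISH (128)": 16,
    "TWOFISH (192)": 24, "TWOFISH (256)": 32,
}
INT_KEY_CHARS = {"MD5": 16, "SHA-1": 20, "SHA2-224": 28,
                 "SHA2-256": 32, "SHA2-384": 48, "SHA2-512": 64}
# Variable-length ciphers: allowed Key Length range in bits (multiple of 8).
VAR_KEY_BITS = {"BLOWFISH": (40, 448), "CAST128": (40, 128)}
# Assumption: the "3 to 8 characters" SPI rule counts hex digits after "0x".
SPI_RE = re.compile(r"0x[0-9a-fA-F]{3,8}")

# Field on one router -> field on the peer that must carry the same value.
MIRRORED = [
    ("wan_ip", "remote_endpoint"), ("remote_endpoint", "wan_ip"),
    ("local_net", "remote_net"), ("remote_net", "local_net"),
    ("spi_in", "spi_out"), ("spi_out", "spi_in"),
    ("enc_alg", "enc_alg"), ("int_alg", "int_alg"),
    ("enc_key_in", "enc_key_out"), ("enc_key_out", "enc_key_in"),
    ("int_key_in", "int_key_out"), ("int_key_out", "int_key_in"),
]


def norm(field, value):
    """Normalise a value so equivalent spellings compare equal."""
    if field.endswith("_net"):            # (network address, subnet mask)
        return ipaddress.ip_network("/".join(value))
    if field.startswith("spi_"):
        return value.lower()
    return value


def check_policy(p):
    """Apply the page's per-field rules to one router's Manual policy."""
    name, out = p["router"], []
    for field in ("spi_in", "spi_out"):
        if not SPI_RE.fullmatch(p[field]):
            out.append(f"{name}: {field} must be 0x plus 3-8 hex digits")
    enc = p["enc_alg"]
    if enc in VAR_KEY_BITS:
        lo, hi = VAR_KEY_BITS[enc]
        bits = p.get("key_length_bits", 0)
        if not lo <= bits <= hi or bits % 8:
            out.append(f"{name}: {enc} Key Length must be {lo}-{hi}, multiple of 8")
        enc_len = bits // 8               # keys must be Keylength/8 characters
    else:
        enc_len = ENC_KEY_CHARS.get(enc)
    int_len = INT_KEY_CHARS.get(p["int_alg"])
    for field, want in (("enc_key_in", enc_len), ("enc_key_out", enc_len),
                        ("int_key_in", int_len), ("int_key_out", int_len)):
        if want is None:
            out.append(f"{name}: no key length known for {field}")
        elif len(p[field]) != want:
            out.append(f"{name}: {field} is {len(p[field])} characters, needs {want}")
    return out


def check_pair(a, b):
    """Check both policies, then check that each side mirrors the other."""
    out = check_policy(a) + check_policy(b)
    for fa, fb in MIRRORED:
        if norm(fa, a[fa]) != norm(fb, b[fb]):
            out.append(f"{a['router']} {fa} does not match {b['router']} {fb}")
    return out


# Values transcribed from the Manual Policy Example, exactly as printed.
MASK = "255.255.255.0"
ROUTER1 = {
    "router": "Router 1", "wan_ip": "10.0.0.1", "remote_endpoint": "10.0.0.2",
    "local_net": ("192.168.10.0", MASK), "remote_net": ("192.168.20.0", MASK),
    "spi_in": "0x1111", "spi_out": "0x2222",
    "enc_alg": "DES", "enc_key_in": "11112222", "enc_key_out": "33334444",
    "int_alg": "MD5", "int_key_in": "1122334444332211",
    "int_key_out": "5566778888776655",
}
ROUTER2 = dict(
    ROUTER1, router="Router 2", wan_ip="10.0.0.2", remote_endpoint="10.0.0.1",
    local_net=("192.168.20.0", MASK), remote_net=("192.168.20.0", MASK),
    spi_in="0x2222", spi_out="0x1111",
    enc_key_in="33334444", enc_key_out="11112222",
    int_key_in="5566778888776655", int_key_out="1122334444332211",
)

if __name__ == "__main__":
    for finding in check_pair(ROUTER1, ROUTER2):
        print(finding)
```

Run as a script, it reports one finding for the example as printed: Router 2's Remote IP selector repeats its own local subnet rather than mirroring Router 1's Local IP subnet.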
PPTP
PPTP Server:
This page displays three fields related to the PPTP client that is connected to the server. The username of the client with which it is connected to the server, the IP address of the client that the server has assigned and the PPTP server IP address. Enable PPTP Server: A check box to enable/disable PPTP server. Starting IP Address: The starting IP address of the range of IP addresses to assign to connecting users. Ending IP Address: The ending IP address of the range of IP addresses to assign to connecting users. Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings. PPTP Active Users: The List of PPTP Active Users table displays the following: User Name: 'User name' of the user(s) currently connected. Remote IP: The IP that has been assigned to this particular user by PPTP server. PPTP IP: Local IP of the server.
L2TP
L2TP Server:
This page displays three fields related to the L2TP client that is connected to the server. The username of the client with which it is connected to the server, the IP address of the client that the server has assigned and the L2TP server IP address. Enable L2TP Server: A check box to enable/disable L2TP server. Starting IP Address: The starting IP address of the range of IP addresses to assign to connecting users. Ending IP Addresses: The ending IP address of the range of IP addresses to assign to connecting users. Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings. L2TP Active Users: The List of L2TP Active Users table displays the following: User Name: 'User name' of the user(s) currently connected. Remote IP: The IP that has been assigned to this particular user by L2TP server. L2TP IP: Local IP of the server.
SSLVPN Server
Portal Layout:
Layout Name: The unique identifier of the portal layout. The default layout is indicated by a “*”. Use Count: Use Count of the portal layout Portal URL: URL of the portal layout The actions that can be taken on portal layouts are: (Check Box at First Column Header): Selects all the portal layouts in the table. Edit: The Edit button will link to the Portal Layout Configuration page, allowing you to make changes to the selected Portal Layout. Delete: Deletes the selected portal layout or layouts. Set Default: Clicking this button will set the selected portal layout as the default for SSL VPN clients. Add: Clicking this button will link to the Portal Layout Configuration page. Portal Layout Config: Portal Layout and Theme Name Portal Layout Name: The portal layout name should have a descriptive name for the portal that is being configured. It will be used as part of the path for the SSL portal URL. Only alphanumeric characters, hyphens (‘-’), and underscore (‘_’) characters are allowed for this field. Portal Site Title: It is the web browser window title for the portal. Banner Title: It is the banner title to display to users before logging into the portal. Banner Message: It is the message text that would be displayed along with the banner title. Display banner message on login page: Enable this checkbox to show the banner title and banner message. HTTP meta tags for cache control (recommended): It is a security feature that should be enabled to ensure that client’s browsers do not cache SSL VPN portal pages and other web content. The HTTP meta tags cache control directives prevent out-of-date web pages and data from being stored on the client’s web browser cache. ActiveX web cache cleaner: Enable this checkbox to load an ActiveX cache control whenever users login to this SSL VPN portal. 
SSL VPN Portal Pages to Display Select the SSL VPN Portal pages that users can access in this portal by enabling one or more of the following pages: • VPN Tunnel page • Port Forwarding Any page that is not selected will not be visible from the SSL VPN portal navigation menu. However users can still access the hidden pages unless SSL VPN access policies are created to prevent access to these pages. Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings. SSLVPN Policies: Query Select one of the following to view the list of SSL VPN policies for: Global: Select this option to display policies applicable to all users. Group: Select this option to display policies applicable to a group. User: Select this option to display policies applicable to a user. Available Groups: The group dropdown menu is a filter that allows you to display group-level policies for the selected group. Available Users: The user dropdown menu is a filter that allows you to display user-level policies for a particular user. Display: Updates the policy table (List of SSL VPN Policies below) with the results of the query. Note: User policies have higher priority than group policies, which have higher priority than global policies. This hierarchy holds regardless of the policy definition. List of SSL VPN Policies The table lists the SSL VPN Policies that have been added and allows several operations on the policies. Name: This is a unique name assigned to the policy. The name is not used to identify the tunnel to the remote WAN/client, but for managing the tunnel properties. Service: Choose between VPN Tunnel, Port Forwarding, or All Services. Destination: The IP address to which the policy routes the selected service(s) Permission: This can be either Permit or Deny. The actions that can be taken on SSL VPN policies are: (Check Box at First Column Header): Selects all the SSL VPN policies in the table. 
Edit: The Edit button will link to the SSL VPN Policy Configuration page, allowing you to make changes to the selected SSL VPN policy. Delete: Deletes the selected SSL VPN policy or policies. Add: Clicking this button will link to the SSL VPN Policy Configuration page. SSLVPN Policies Config: Policy For: Add a policy at the user, group or global level by making the appropriate radio button selection. Global: Select this option to add a policy applicable to all users of the device. Group: Select this option to add a policy applicable to a group of users of the device. User: Select this option to add a policy applicable to a particular user of the device. Available Groups: The group dropdown menu is a filter that allows you to add a group-level policy for the selected group. Available Users: The user dropdown menu is a filter that allows you to add a user-level policy for a particular user. SSL VPN Policy: All policies must have a policy name, service and permission setting. Apply Policy to: Select the appropriate option for the policy you are adding. Select from a Network Resource, an IP address, an IP network, or All Addresses managed by the device. If applying the SSL VPN policy to a specific IP address, you must set the IP address in the appropriate field below. If applying the SSL VPN policy to an IP network, you must also set the Mask Length. Policy Name: A unique name for identifying the policy. IP Address: Enter the IP Address to which the SSL VPN Policy needs to be applied. Mask Length: Enter the subnet mask for the above IP address. Port Range / Port Number Begin & End: Specify a port or a range of ports to apply the policy to all TCP and UDP traffic with those ports. Leave the fields empty to apply the policy to all traffic. Service: Choose between VPN Tunnel, Port Forwarding, or All Services. Defined Resources: A dropdown list of pre-defined services that can be chosen for a particular policy. 
This is only available when applying the policy to a Network Resource, in the “Resources” tab under the SSL VPN menu. Permission: Choose either Permit or Deny for this policy Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings. Resources: Resource Name: The resource identifier Service: The type of service assigned to a particular resource on the LAN The actions that can be taken on resources are: (Check Box at First Column Header): Selects all the resources in the table. Delete: Deletes the selected resource or resources. Configure: The Configure button will link to the Resource Configuration page, allowing you to make changes to the selected resource. Add: Clicking this button will link to the Resource Configuration page. Resource Config: Resource Name: The unique identifier of the resource Service: Choose one among the supported SSL VPN services like VPN Tunnel, Port Forwarding, or All Services. Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings. Port Forwarding: List of Configured Applications for Port Forwarding The table lists the applications configured for port forwarding for this device and allows several operations on the applications. Local Server IP Address: IP Address of the local server TCP Port Number: TCP Port Number of the local server The actions that can be taken on configured applications are: (Check Box at First Column Header): Selects all the applications in the table. Delete: Deletes the selected application or applications. Add: Clicking this button will link to the Port Forwarding Application Configuration page. Note: Active connections can persist even when browser is closed without uninstalling the SSL client. Java, Java Script, Active-X controls must be enabled / permitted in your browser settings in order to use SSL VPN port forwarding. 
List of Configured Host Names for Port Forwarding
The table lists the Host Names configured for port forwarding for this device and allows several operations on the host names.
Local Server IP Address: IP Address of the local server.
Fully Qualified Domain Name: Enter a name which will enable users to access the private network servers by using a hostname instead of an IP address.
The actions that can be taken on host names are:
(Check Box at First Column Header): Selects all the host names in the table.
Delete: Deletes the selected host name or names.
Add: Clicking this button will link to the Port Forwarding Host Configuration page.
Common Applications and Corresponding TCP Port Numbers
TCP Application: Port Number
FTP Data (usually not needed): 20
FTP Control Protocol: 21
SSH: 22
Telnet: 23
SMTP (send mail): 25
HTTP (web): 80
POP3 (receive mail): 110
NTP (network time protocol): 123
Citrix: 1494
Terminal Services: 3389
VNC (virtual network computing): 5900 or 5800
Port Forwarding App Config:
Local Server IP Address: Enter IP Address of the internal host machine or local server.
TCP Port Number: Enter port number of the TCP application that would enable port forwarding.
Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings.
Port Forwarding Host Config:
Local Server IP Address: Enter IP Address of the internal host machine or local server. Note: This address should already be in the List of Configured Applications for Port Forwarding table on Port Forwarding page.
Fully Qualified Domain Name: Enter domain name of the internal FQDN server.
Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings.
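The SSL VPN policy fields described above (Apply Policy to, Mask Length, Port Range, Permission) decide how much of the LAN a policy reaches. The following is an added example, not the router's own code: it models those fields with hypothetical dictionary keys and constructed sample policies, lists every policy whose scope covers a destination, and flags Permit policies that have no port limit. It leaves out the Network Resource scope and makes no claim about the order in which the device evaluates overlapping policies.

```python
import ipaddress

# Constructed sample policies; the keys are hypothetical names for the fields on
# the SSL VPN Policy Configuration page, not an export format of the router.
SAMPLE_POLICIES = [
    {"name": "hr-web", "apply_to": "ip_address", "ip": "192.168.10.20",
     "ports": (443, 443), "service": "Port Forwarding", "permission": "Permit"},
    {"name": "eng-net", "apply_to": "ip_network", "ip": "192.168.20.0",
     "mask_length": 24, "ports": None, "service": "VPN Tunnel",
     "permission": "Permit"},
    {"name": "catch-all", "apply_to": "all_addresses", "ports": None,
     "service": "All Services", "permission": "Permit"},
    {"name": "no-telnet", "apply_to": "all_addresses", "ports": (23, 23),
     "service": "All Services", "permission": "Deny"},
]

def covers(policy, dst_ip, dst_port):
    """True if the policy's address and port scope includes the destination."""
    ip = ipaddress.ip_address(dst_ip)
    scope = policy["apply_to"]
    if scope == "ip_address":
        addr_ok = ip == ipaddress.ip_address(policy["ip"])
    elif scope == "ip_network":
        net = ipaddress.ip_network(
            f"{policy['ip']}/{policy['mask_length']}", strict=False)
        addr_ok = ip in net
    else:  # "all_addresses"
        addr_ok = True
    # Empty port fields (None here) mean the policy applies to all traffic.
    ports = policy["ports"]
    port_ok = ports is None or ports[0] <= dst_port <= ports[1]
    return addr_ok and port_ok

def matching(policies, dst_ip, dst_port):
    """Names of every policy whose scope includes the destination, in list order."""
    return [p["name"] for p in policies if covers(p, dst_ip, dst_port)]

def broad_permits(policies):
    """Permit policies with no port limit on a whole network or all addresses."""
    return [p["name"] for p in policies
            if p["permission"] == "Permit" and p["ports"] is None
            and p["apply_to"] in ("ip_network", "all_addresses")]
```

A destination that appears under both a Permit and a Deny policy in `matching` is the case to confirm on the device itself before relying on the Deny.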
SSLVPN Client
SSLVPN Client:
Enable Full Tunnel Support: Check this to enable full tunnel support; otherwise the default is a split tunnel and appropriate client routes must be added.
DNS Suffix: Set the DNS Suffix for this client.
Primary DNS Server: Set the primary DNS Server for this client.
Secondary DNS Server: Set the secondary DNS Server for this client.
Client Address Range Begin: Set the first IP address of the IP address range.
Client Address Range End: Set the last IP address of the IP address range.
LCP Timeout: This advanced setting determines the wait time for SSL VPN tunnel negotiation attempts.
Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings.
Configured Client Routes:
This feature is presently supported on Microsoft Windows, Linux and Apple Mac operating systems. The List of Configured Client Routes displays the destination networks and corresponding subnet masks for the routes belonging to the VPN Tunnel client.
The actions that can be taken on client routes are:
(Check Box at First Column Header): Selects all client routes in the table.
Delete: Deletes the selected client route from being available to SSL VPN users.
Add: Clicking this button will link to the SSL VPN Client Route Configuration page.
Configured Client Routes Config:
To configure a client route for split tunnel SSL VPN support, set the following:
Destination Network: the IP address on the LAN that the SSL VPN user can access.
Subnet Mask: the destination network’s corresponding subnet mask.
Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings.
SSLVPN Client Portal:
SSL VPN Tunnel facilitates the use of an encrypted tunnel to the corporate network from a browser based negotiation with the remote client. Port Forwarding allows you to tunnel into the LAN to access predefined applications or services on the corporate network.
Note: Active connections can persist even when the browser is closed without uninstalling the SSL client. Java, JavaScript, and ActiveX controls must be enabled / permitted in your browser settings in order to use SSL VPN port forwarding.
USB Settings
USB1 Settings:
USB Settings:
Enable USB Device: Select this option to allow the router to detect and interact with a USB device inserted into one of the available slots.
Type of USB Device: The router supports interfacing with a USB disk drive (memory stick) device or a 3G USB modem (adapter).
Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings.
VLAN Settings
VLAN Configuration:
Virtual LANs can be created in this router to provide segmentation capabilities for firewall rules and VPN policies. The LAN network is considered the default VLAN. Check the Enable VLAN box to add VLAN functionality to the LAN.
Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings.
Port VLAN:
Port VLANs
By configuring a unique VLAN ID and mode to a port, all devices connected to the physical port of the router will assume these VLAN attributes. The Port VLANs table displays the following:
Port Name: the physical LAN switch port on the router.
Mode: The mode of this VLAN can be General, Access, or Trunk. The default is access.
PVID: Unique ID for the VLAN, assigned when the General VLAN mode is used.
VLAN Membership: traffic can be routed from this port VLAN to others in this VLAN membership list, when the port is in General or Trunk mode.
(Check Box at First Column Header): Selects all the ports in the table.
Edit: The Edit button will link to the Port VLAN Configuration page, allowing you to make changes to the selected port VLAN attributes.
Wireless VLANs
Wireless APs can be treated as ports on the LAN as well. By configuring a unique VLAN ID and mode to a configured AP, all clients of this AP will assume these VLAN attributes. The Wireless VLANs table displays the following:
SSID: the AP identifier.
Mode: The mode of this VLAN can be General, Access, or Trunk. The default is access.
PVID: Unique ID for the VLAN, assigned when the General VLAN mode is used.
VLAN Membership: traffic can be routed from this AP to others in this VLAN membership list, when the AP VLAN is in General or Trunk mode.
(Check Box at First Column Header): Selects all the ports in the table.
Edit: The Edit button will link to the Port VLAN Configuration page, allowing you to make changes to the selected port VLAN attributes.
Port VLAN Config:
Port Name: the physical LAN switch port on the router or configured AP.
Mode: The mode of this VLAN can be General, Access, or Trunk. The default is access.
Access: select to isolate this port from other VLANs. All data going into and out of the port is untagged. Traffic through a port in access mode looks like any other Ethernet frame.
General: select to allow the port to become a member of a user-selectable set of VLANs. The port sends and receives data that is tagged or untagged with a VLAN ID. If the data into the port is untagged, it is assigned the defined PVID. All tagged data sent out of the port with the same PVID will be untagged.
Trunk: select to multiplex traffic for multiple VLANs over the same physical link. All data going into and out of the port is tagged. Untagged data coming into the port is not forwarded, except for the default VLAN with PVID=1, which is untagged.
PVID: Unique ID for the VLAN, assigned when the General VLAN mode is used. This can range from 2 to 4093. When VLAN is disabled, the LAN port has a default PVID = 1 in the Ethernet packet header.
VLAN Membership: traffic can be routed from this port VLAN to others in this VLAN membership list, when the port is in General or Trunk mode. The available VLAN membership options are determined by the List of Available VLANs.
Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings.
Multiple VLAN Subnets:
Each configured VLAN ID can map directly to a subnet within the LAN. Each LAN port can be assigned a unique IP address and a VLAN specific DHCP server can be configured to assign IP address leases to devices on this VLAN.
VLAN ID: The PVID of the VLAN that will have all member devices be part of the same subnet range.
IP Address: The IP address associated with a port assigned this VLAN ID.
Subnet Mask: Subnet Mask for the above IP Address.
(Check Box at First Column Header): Selects all the ports in the table.
Edit: The Edit button will link to the Port VLAN Configuration page, allowing you to make changes to the selected port VLAN attributes.
Multiple VLAN Subnets Config:
Multi VLAN Subnet
VLAN ID: The PVID of the VLAN that will have all member devices be part of the same subnet range.
IP Address: Enter the LAN IP address for this VLAN ID.
Subnet Mask: Subnet Mask for the above IP Address.
DHCP
You can have this VLAN assign TCP/IP configuration to member devices.
DHCP Mode: If the computers on the VLAN are configured with static IP addresses or are configured to use another DHCP server, select the None option. If DHCP Relay is selected, then enter the relay gateway information. To use the router as a DHCP server, select DHCP Server and enter the following information:
Starting IP Address: Enter the first IP address in the range. Any new DHCP client joining the VLAN will be assigned an IP address between this address and the Ending IP Address.
Ending IP Address: Enter the last IP address in the range of addresses to lease to LAN hosts. Any new DHCP client joining the VLAN will be assigned an IP address between the Starting IP Address and this IP address.
Note: The Starting and Ending DHCP addresses should be in the same "network" as the VLAN’s IP address set above.
Primary DNS Server: Enter the primary DNS Server IP.
Secondary DNS Server: Secondary DNS Server IP.
Lease Time: Enter the duration (in hours) for which IP addresses will be leased to clients.
Relay Gateway: Enter the gateway address. This is the only configuration parameter required in this section when DHCP Relay is selected as its DHCP mode.
LAN Proxy
Enable DNS Proxy: Check this box to enable DNS proxy on this VLAN. When this feature is enabled, the router will act as a proxy for all DNS requests and communicate with the ISP's DNS servers (as configured in the WAN settings page).
All DHCP clients will receive the Primary/Secondary DNS IP along with the IP where the DNS Proxy is running, i.e. the box's VLAN IP. All DHCP clients will receive the DNS IP addresses of the ISP excluding the DNS Proxy IP address when it is disabled. The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each connection are different, then a link failure may render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can make requests to the router and the router, in turn, sends those requests to the DNS servers of the active connection.
Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings.
Available VLANs:
The List of Available VLANs displays configured VLANs by Name (the identifier for management only) and VLAN ID (a unique numeric value).
(Check Box at First Column Header): Selects all the VLANs in the table.
Edit: The Edit button will link to the Available VLAN Configuration page, allowing you to make changes to the selected VLAN.
Delete: Deletes the selected VLAN(s).
Add: Clicking this button will link to the Available VLAN Configuration page.
Available VLAN Config:
Name: This will be the unique identifier used to manage the VLAN attributes.
ID: this numeric value associated with the VLAN is used both for management and in some cases to update the Ethernet packet header for member device traffic forwarded through this VLAN.
Click Save Settings to save the settings. Click Don't Save Settings to revert to previous settings.
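The Multiple VLAN Subnets settings above can be checked before they are saved. The following is an added example, not the router's own code: it takes constructed sample entries with hypothetical key names and reports VLAN IDs outside the 2 to 4093 range given for the PVID, DHCP ranges that are not in the same network as the VLAN's IP address, and two conditions the help text does not mention but that undermine segmentation or addressing (overlapping VLAN subnets, and a DHCP range that contains the VLAN's own IP address).

```python
import ipaddress

# Constructed sample of "Multiple VLAN Subnets" entries; the dict keys are
# hypothetical names for the fields on the help page, not a router export format.
SAMPLE_VLANS = [
    {"vlan_id": 10, "ip": "192.168.10.1", "mask": "255.255.255.0",
     "dhcp_mode": "server", "start": "192.168.10.100", "end": "192.168.10.200"},
    {"vlan_id": 20, "ip": "192.168.20.1", "mask": "255.255.255.0",
     "dhcp_mode": "server", "start": "192.168.21.10", "end": "192.168.21.50"},
    {"vlan_id": 4094, "ip": "192.168.10.129", "mask": "255.255.255.128",
     "dhcp_mode": "none"},
]

def audit_vlans(vlans):
    """Return a list of (vlan_id, finding) tuples for the given entries."""
    findings, seen = [], []
    for v in vlans:
        vid = v["vlan_id"]
        iface = ipaddress.ip_interface(f"{v['ip']}/{v['mask']}")
        net = iface.network
        # The page gives 2 to 4093 as the configurable PVID range.
        if not 2 <= vid <= 4093:
            findings.append((vid, "VLAN ID outside 2-4093"))
        # Overlapping subnets blur the segmentation the VLANs are meant to give.
        for other_id, other_net in seen:
            if net.overlaps(other_net):
                findings.append((vid, f"subnet overlaps VLAN {other_id}"))
        seen.append((vid, net))
        if v.get("dhcp_mode") == "server":
            start = ipaddress.ip_address(v["start"])
            end = ipaddress.ip_address(v["end"])
            # Start and end must sit in the same network as the VLAN IP.
            if start not in net or end not in net:
                findings.append((vid, "DHCP range outside VLAN subnet"))
            elif start > end:
                findings.append((vid, "DHCP start is after end"))
            elif start <= iface.ip <= end:
                findings.append((vid, "DHCP range includes the VLAN IP"))
    return findings

if __name__ == "__main__":
    for vid, msg in audit_vlans(SAMPLE_VLANS):
        print(f"VLAN {vid}: {msg}")
```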