Application Rules
Application Rules:
Application rules are also commonly referred to as port triggering
rules. Port triggering allows computers on the private network (LAN
or DMZ) to request one or more ports to be forwarded to them. Unlike
basic port forwarding, which forwards ports to only one IP address,
port triggering waits for an outbound request from the private network
on one of the defined outgoing ports. It then automatically sets
up forwarding to the IP address from where the request was made.
When the application ceases to transmit data over the port, the
router waits for a timeout interval and then closes the port or
range of ports, making them available to other computers on the
private network.
For example, if an IRC client on the private network makes a connection
request through port 6667 and sends its username information to
the IRC server, the IRC server will send an IDENT verification packet
on port 113 to check the authenticity of the IRC client. In NAT
mode, the router will discard this packet since it doesn't know
which computer to send the request on port 113 to. A Port Triggering
rule can define port 6667 (or the range: 6660 to 7000) as the outgoing
(trigger) port(s) and port 113 as the incoming (response) port.
List of Available Application Rules
Name: Displays the user-defined name for this rule.
Enable: Displays the current status of the rule, i.e., whether
it is enabled or disabled.
Protocol: Displays whether the port uses the TCP or UDP protocol.
Interface: Displays the name of the interface on which the port
triggering rule is configured.
Outgoing Ports: Displays the port number or range of port
numbers that will trigger this rule when a connection request for
outgoing traffic is made. If the outgoing connection uses only one
port, then both the Start Port and End Port fields
will display the same port number.
Incoming Ports: Displays the port number or range of port
numbers used by the remote system to respond to the request it receives.
If the incoming connection uses only one port, then both the
Start Port and End Port fields will display the same
port number.
The actions that can be taken on port triggering rules are:
(Check Box at First Column Header): Selects all the rules
in the table.
Edit: Opens the Port Triggering Configuration page, to edit
the selected rule.
Delete: Deletes the selected rule or rules.
Add: Opens the Port Triggering Configuration page to add
a new rule.
Application Rules Config:
This page is used to configure port triggering for applications
when the router is in NAT mode.
Name: Specify an easily identifiable name for this rule.
Enable: Specify whether to enable or disable the rule.
Protocol: Specify whether the port uses the TCP or UDP protocol.
Outgoing (Trigger) Port Range
Specify the port number or range of port numbers that will trigger
this rule when a connection request from outgoing traffic is made.
If the outgoing connection uses only one port, then specify the
same port number in the Start Port and To Port fields.
Incoming (Response) Port Range
Specify the port number or range of port numbers used by the remote
system to respond to the request it receives. If the incoming connection
uses only one port, then specify the same port number in the
Start Port and To Port fields.
Click Save Settings to save the settings.
Click Don't Save Settings to revert to previous settings.
Application Rules Status:
LAN / DMZ IP address: The internal network IP address that triggered
the application rule to be active, and resulted in response ports
being opened.
Open Ports: The incoming response ports that have been opened
through this firewall based on the internal device's request.
Time Remaining (sec): The remaining time in seconds for which
the open ports will allow external traffic. This time is reset whenever
traffic is sent from the LAN / DMZ out on the trigger ports.
Click Refresh to update this status page.
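The port triggering behaviour and the status fields described above can be modelled as a small state table. The following is an added example, not the router's own code: the class and function names, the 60-second timeout, the 192.168.10.x addresses, and the choice that a second host cannot take over ports another host still holds are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TriggerRule:
    name: str
    protocol: str      # "TCP" or "UDP"
    outgoing: range    # Outgoing (Trigger) Port Range
    incoming: range    # Incoming (Response) Port Range


class PortTriggerTable:
    """Model of port-triggering state (illustrative, not vendor code)."""

    def __init__(self, rules, timeout):
        self.rules = list(rules)
        self.timeout = timeout   # seconds; the page gives no value, the caller picks one
        self.active = {}         # rule name -> [lan_ip, expiry time]

    def _expire(self, now):
        for name in [n for n, (_, exp) in self.active.items() if exp <= now]:
            del self.active[name]    # ports become available to other hosts again

    def outbound(self, now, lan_ip, protocol, dst_port):
        """A LAN/DMZ host sends to dst_port. Returns the LAN IP that holds the
        response ports afterwards, or None if no rule was triggered."""
        self._expire(now)
        for rule in self.rules:
            if rule.protocol != protocol or dst_port not in rule.outgoing:
                continue
            entry = self.active.get(rule.name)
            if entry is None:
                self.active[rule.name] = [lan_ip, now + self.timeout]
            elif entry[0] == lan_ip:
                entry[1] = now + self.timeout   # trigger traffic resets Time Remaining
            # Otherwise another host holds the ports until its timeout (assumption).
            return self.active[rule.name][0]
        return None

    def inbound(self, now, protocol, dst_port):
        """A packet arrives from the WAN. Returns the LAN IP it is forwarded to,
        or None when the router discards it."""
        self._expire(now)
        for rule in self.rules:
            entry = self.active.get(rule.name)
            if entry and rule.protocol == protocol and dst_port in rule.incoming:
                # The page describes no remote-address check, so this model
                # forwards from any WAN sender while the entry is live.
                return entry[0]
        return None

    def status(self, now):
        """Rows as on the Application Rules Status page:
        (LAN / DMZ IP address, open ports, time remaining in seconds)."""
        self._expire(now)
        rows = []
        for rule in self.rules:
            if rule.name in self.active:
                ip, exp = self.active[rule.name]
                ports = (rule.incoming.start, rule.incoming.stop - 1)
                rows.append((ip, ports, int(exp - now)))
        return rows


def irc_ident_demo():
    """Constructed timeline for the IRC / IDENT case; addresses are sample values."""
    rule = TriggerRule("irc-ident", "TCP", range(6660, 7001), range(113, 114))
    table = PortTriggerTable([rule], timeout=60)   # 60 s is an assumed timeout
    events = []
    events.append(table.inbound(0, "TCP", 113))                      # nothing triggered yet
    events.append(table.outbound(10, "192.168.10.20", "TCP", 6667))  # client connects to IRC
    events.append(table.inbound(11, "TCP", 113))                     # IDENT query forwarded
    events.append(table.status(30))                                  # status page row
    events.append(table.inbound(70, "TCP", 113))                     # timed out, discarded
    return events


if __name__ == "__main__":
    for event in irc_ident_demo():
        print(event)
```

When reviewing a rule, keep the incoming range as narrow as the application allows, since every port in it is reachable from the WAN for the whole Time Remaining interval.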
Website Filter
Content Filtering:
Content Filtering Configuration
Check the box to Enable Content Filtering in order to support
URL filtering and keyword blocking. The default is to have this
feature disabled.
Web Components
Certain commonly used web components can be blocked for increased
security. Some of these components can be used by malicious websites
to infect computers that access them. With content filtering enabled,
select the checkbox next to the component you wish to block:
Proxy: A proxy server (or simply, proxy) allows computers
to route connections to other computers through the proxy, thus
circumventing certain firewall rules. For example, if connections
to a specific IP address are blocked by a firewall rule, the requests
can be routed through a proxy that is not blocked by the rule, rendering
the restriction ineffective. Enabling this feature blocks proxy
servers.
Java: Blocks Java applets from being downloaded from pages
that contain them. Java applets are small programs embedded in web
pages that enable dynamic functionality of the page. A malicious
applet can be used to compromise or infect computers. Enabling this
setting blocks Java applets from being downloaded.
ActiveX: Similar to Java applets, ActiveX controls are installed
on a Windows computer while running Internet Explorer. A malicious
ActiveX control can be used to compromise or infect computers. Enabling
this setting blocks ActiveX controls from being downloaded.
Cookies: Cookies are used to store session information by
websites that usually require login. However, several websites use
cookies to store tracking information and browsing habits. Enabling
this option filters out cookies from being created by a website.
Note: Many websites require that cookies be accepted in order
for the site to be accessed properly. Blocking cookies may cause
many websites to not function properly.
Click Save Settings to save the settings.
Click Don't Save Settings to revert to previous settings.
Approved URLs:
Example: If yahoo is added to the blocked keywords list and www.yahoo.com
is added to the trusted domain list, then www.yahoo.com will be
allowed but mail.yahoo.com will not be allowed.
Approved URL List
Trusted Domains: This is the URL or domain name for which
content filtering is bypassed.
The actions that can be taken on domains are:
(Check Box at First Column Header): Selects all the domains
in the table.
Edit: The Edit button will link to the approved URL configuration
page, allowing you to make changes to the selected domain.
Delete: Deletes the selected approved URL(s).
Add: Clicking this button will link to the approved URL configuration
page.
Approved URL Config:
Names entered in the trusted domain list bypass keyword
filtering. Example: If yahoo is added to the blocked
keywords list and www.yahoo.com is added to the trusted domain list,
then www.yahoo.com will be allowed but mail.yahoo.com will not be allowed.
URL: Enter the domain name for which content filtering needs
to be bypassed.
Click Save Settings to save the settings.
Click Don't Save Settings to revert to previous settings.
Blocked Keywords
Blocked Keywords: The table lists all the Blocked Keywords
and allows several operations on the keywords. Up to 64 keywords
can be added to the list.
Status: The status of the rule can be enabled or disabled.
Blocked Keyword: The keyword or URL to be blocked. All website
names (web site URL, newsgroup name, etc.) or pages that contain
the specified word (Keyword) will be blocked by the router.
The actions that can be taken on keywords are:
(Check Box At First Column Header): Selects all the keywords
in the Blocked URLs table.
Edit: Opens the blocked keyword configuration page.
Enable: Enables the selected keywords in the block list.
Disable: Disables the selected keywords in the block list.
Delete: Deletes the selected keyword or keywords from block
list.
Add: Opens the blocked keyword configuration page to add
a new rule.
Blocked Keywords Config:
Example: If yahoo is added to the list, any website containing the
word yahoo in its URL or page contents will be blocked.
Keyword: All website names (web site URL, newsgroup name,
etc.) or pages that contain the specified word (keyword) will be
blocked by the router. A single keyword can be up to 63 characters
in length.
Click Save Settings to save the settings.
Click Don't Save Settings to revert to previous settings.
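The precedence between the Approved URL list and the Blocked Keywords list, using the yahoo example given above, can be modelled as follows. This is an added example, not the router's implementation: the class and function names are hypothetical, and case-insensitive matching and hostname normalisation (scheme, port, trailing dot) are assumptions. The whole-hostname match for trusted domains is taken from the page's statement that www.yahoo.com is allowed while mail.yahoo.com is not.

```python
from urllib.parse import urlsplit

MAX_KEYWORDS = 64       # "Up to 64 keywords can be added to the list"
MAX_KEYWORD_LEN = 63    # "A single keyword can be up to 63 characters in length"


def _host(url):
    """Lower-cased hostname of a URL; accepts URLs written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


class KeywordFilter:
    """Model of keyword blocking with a trusted-domain bypass (illustrative)."""

    def __init__(self):
        self.keywords = {}     # keyword -> enabled flag (the Status column)
        self.trusted = set()   # Trusted Domains

    def add_keyword(self, keyword, enabled=True):
        keyword = keyword.strip().lower()
        if not keyword or len(keyword) > MAX_KEYWORD_LEN:
            raise ValueError("keyword must be 1 to 63 characters")
        if keyword not in self.keywords and len(self.keywords) >= MAX_KEYWORDS:
            raise ValueError("blocked keyword list is full (64 entries)")
        self.keywords[keyword] = enabled

    def add_trusted(self, domain):
        self.trusted.add(_host(domain))

    def decide(self, url, page_text=""):
        """Return (verdict, reason) for one request and its page contents."""
        host = _host(url)
        # Trusted domains are checked first and match the whole hostname only,
        # so trusting www.yahoo.com does not exempt mail.yahoo.com.
        if host in self.trusted:
            return ("allow", "trusted domain " + host)
        haystack = (url + "\n" + page_text).lower()
        for keyword, enabled in self.keywords.items():
            if enabled and keyword in haystack:   # disabled keywords are skipped
                return ("block", "keyword " + keyword)
        return ("allow", "no keyword matched")


def yahoo_demo():
    """The example from the page, plus a page-content match (constructed inputs)."""
    f = KeywordFilter()
    f.add_keyword("yahoo")
    f.add_trusted("www.yahoo.com")
    return [
        f.decide("http://www.yahoo.com/news"),
        f.decide("http://mail.yahoo.com/"),
        f.decide("http://example.org/", page_text="Search with Yahoo"),
        f.decide("http://example.org/", page_text="nothing relevant"),
    ]


if __name__ == "__main__":
    for verdict in yahoo_demo():
        print(verdict)
```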
Firewall Settings
Default Outbound Policy:
This configuration field determines whether LAN or DMZ users can
access the internet in the absence of specific allowed outbound rules.
To permit any outbound traffic to pass through the firewall and
reach the WAN, use Allow Always as the default outbound policy.
To closely manage outbound traffic, use Block Always
as the default outbound policy. In this case the router admin will
need to configure firewall and application rules in order to permit
outbound traffic from LAN and DMZ addresses.
Click Save Settings to save the settings.
Click Don't Save Settings to revert to previous settings.
Firewall Rules:
List of Available Firewall Rules
The List of Available Firewall Rules table includes all firewall
rules for this device and allows several operations on the firewall
rules.
Status: The status of the rule can be Enabled (active) or
Disabled (configured but not in use).
From Zone: The source of the traffic that is controlled by
this firewall rule: LAN, WAN, or DMZ.
To Zone: The destination of the traffic that is controlled
by this firewall rule: Secure or Public.
Service: The service that is controlled by this firewall
rule. The name usually indicates the type of traffic the rule covers
such as FTP, SSH, telnet, ping, etc. Services not already in the
list can be added as a Custom Service.
Action: The action to be taken on the enabled rule:
Block Always: Block selected service at all times.
Enable Always: Allow data matching the selected service to
pass through at all times.
Block by schedule, otherwise allow: Works in conjunction
with a predefined schedule. The selected service will be blocked
during the schedule interval and will be allowed to pass through
at other times.
Allow by schedule, otherwise block: Works in conjunction
with a predefined schedule. The selected service will be allowed
to pass through during the schedule interval and will be blocked
at other times.
Source Hosts: The hosts that originate the traffic for this
firewall rule: Any, Single, Range.
Destination Hosts: The hosts that receive the traffic for
this firewall rule: Any, Single, Range.
Local Server: An IP address and port number of a machine
on the secure zone (LAN) which is hosting the server. It is displayed
in the form: <IP address:port number>.
For example, if a machine with an IP address of 192.168.1.100 on
the LAN side is running a telnet server on port 2000, then the table
will display 192.168.10.100:2000. If the telnet server is running
on the default port (port 23), then the table will display only
the IP address.
Internet Destination: The WAN port that is the destination
for the traffic.
The actions that can be taken on firewall rules are:
(Check Box At First Column Header): Selects all the firewall
rules in the table.
Edit: Opens the Firewall Rule Configuration page to edit
the selected rule.
Enable: Enables the selected firewall rules.
Disable: Disables the selected firewall rules.
Delete: Deletes the selected firewall rule(s).
Add: Opens the Firewall Rule Configuration page to add a
new rule.
Firewall Rules Configuration:
From Zone: Set the source for the traffic that is controlled
by this rule: Secure (LAN), Insecure (WAN1/WAN2), or DMZ.
To Zone: Set the destination for traffic that is controlled
by this rule: Insecure or Public.
Service: Choose the type of service that is controlled by
this firewall rule. Common services are included in the drop-down
list. You can add additional services on the Firewall > Services
page.
Action: Choose the action to be taken:
Block Always: Block the selected service at all times.
Enable Always: Allow the selected service to pass through
at all times.
Block by schedule, otherwise allow: Works in conjunction
with a schedule defined on the Schedule Configuration page. The
selected service will be blocked during the scheduled interval and
will be allowed to pass through at other times.
Allow by schedule, otherwise block: Works in conjunction
with a schedule defined on the Schedule Configuration page. The
selected service will be allowed to pass through during the scheduled
interval and will be blocked at other times.
Select Schedule: Choose a predefined schedule from the drop-down
list.
Source Hosts: Select one of the following:
Any: Choose this option for a rule that applies to traffic
from all hosts.
Single Address: Choose this option for a rule that applies
to traffic from one host. Enter the IP address of the host in the
From box.
Address Range: Choose this option for a rule that applies
to traffic from a group of computers/devices within an IP address
range. To specify the range, enter the first address in the From
box, and enter the final address in the To box.
Destination Hosts: Select one of the following:
Any: Choose this option for a rule that applies to traffic
destined for all hosts.
Single Address: Choose this option for a rule that applies
to traffic destined for one host. Enter the IP address of the host
in the From box.
Address Range: Choose this option for a rule that applies
to traffic destined for a group of computers/devices within an IP
address range. To specify the range, enter the first address in
the From box, and enter the final address in the To
box.
Log: Specify whether or not the packets for this rule should
be logged. To log details for all packets that match this rule,
select Always. Select Never to disable logging.
For example, if an outbound rule for a schedule is selected as Block
Always, then for every packet that tries to make an outbound connection
for that service, a message with the packet's source address and
destination address (and other information) will be recorded in
the log. Enabling logging may generate a significant volume of log
messages and is recommended for debugging purposes only.
QoS Priority: Assign a priority to IP packets of this service.
The priorities are defined by "Type of Service (TOS) in the Internet
Protocol Suite" standards, RFC 1349. The gateway marks the Type
Of Service (TOS) field as defined below:
Normal-Service: No special priority is given to the traffic.
The IP packets for services with this priority are marked with a
TOS value of 0.
Minimize-Cost: Choose this option when data must be transferred
over a link that has a lower "cost". The IP packets for services
with this priority are marked with a TOS value of 2.
Maximize-Reliability: Choose this option when data needs
to travel to the destination over a reliable link and with little
or no retransmission. The IP packets for services with this priority
are marked with a TOS value of 4.
Maximize-Throughput: Choose this option when the volume of
data transferred during an interval is important even if the latency
over the link is high. The IP packets for services with this priority
are marked with a TOS value of 8.
Minimize-Delay: Choose this option when the time required
(latency) for the packet to reach the destination must be low. The
IP packets for services with this priority are marked with a TOS
value of 16.
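How the four Action values interact with a schedule, and when the Default Outbound Policy applies, is shown in the added example below for outbound (LAN / DMZ to WAN) traffic. It is not the router's code: the names are hypothetical, the schedule shape (weekdays plus a daily time window), the representation of a service as protocol and port, and first-match rule ordering are assumptions, and all addresses and rules are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address
from typing import Optional, Tuple

SCHEDULED = ("Block by schedule, otherwise allow",
             "Allow by schedule, otherwise block")
ACTIONS = ("Block Always", "Enable Always") + SCHEDULED


@dataclass(frozen=True)
class Schedule:
    """Assumed schedule shape: weekdays (0 = Monday) and a daily time window."""
    days: frozenset
    start: time
    end: time

    def active(self, when):
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Rule:
    name: str
    service: Tuple[str, int]                   # (protocol, destination port)
    action: str                                # one of ACTIONS
    schedule: Optional[Schedule] = None        # Select Schedule
    source: Optional[Tuple[str, str]] = None   # None = Any, (a, a) = Single, (a, b) = Range
    enabled: bool = True                       # Status column

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError("unknown action: " + self.action)
        if self.action in SCHEDULED and self.schedule is None:
            raise ValueError("a schedule-based action needs a schedule")

    def matches(self, proto, port, src):
        if not self.enabled or (proto, port) != self.service:
            return False
        if self.source is None:
            return True
        lo, hi = (ip_address(a) for a in self.source)
        return lo <= ip_address(src) <= hi


def decide(rules, default_policy, proto, port, src, when):
    """Return (verdict, deciding rule) for one outbound connection attempt."""
    for rule in rules:                         # assumption: first matching rule wins
        if not rule.matches(proto, port, src):
            continue
        if rule.action == "Block Always":
            return ("block", rule.name)
        if rule.action == "Enable Always":
            return ("allow", rule.name)
        in_window = rule.schedule.active(when)
        if rule.action == "Block by schedule, otherwise allow":
            return ("block" if in_window else "allow", rule.name)
        return ("allow" if in_window else "block", rule.name)
    # No rule matched: the Default Outbound Policy decides.
    verdict = "allow" if default_policy == "Allow Always" else "block"
    return (verdict, "default outbound policy")


def outbound_demo():
    """Constructed rule set evaluated on a Monday and a Saturday at 10:00."""
    office = Schedule(frozenset({0, 1, 2, 3, 4}), time(9, 0), time(17, 0))
    rules = [
        Rule("no-telnet", ("TCP", 23), "Block Always"),
        Rule("ftp-office-hours", ("TCP", 21), SCHEDULED[1], office),
        Rule("irc-off-hours", ("TCP", 6667), SCHEDULED[0], office,
             source=("192.168.10.50", "192.168.10.99")),
    ]
    monday, saturday = datetime(2024, 1, 8, 10, 0), datetime(2024, 1, 13, 10, 0)
    return [
        decide(rules, "Allow Always", "TCP", 23, "192.168.10.20", monday),
        decide(rules, "Block Always", "TCP", 21, "192.168.10.20", monday),
        decide(rules, "Allow Always", "TCP", 21, "192.168.10.20", saturday),
        decide(rules, "Allow Always", "TCP", 6667, "192.168.10.60", monday),
        decide(rules, "Allow Always", "TCP", 6667, "192.168.10.60", saturday),
        decide(rules, "Block Always", "TCP", 6667, "192.168.10.20", monday),
    ]


if __name__ == "__main__":
    for verdict in outbound_demo():
        print(verdict)
```

The last case shows a host outside the rule's source range falling through to the default policy, which is why Block Always as the default requires an explicit allow rule for every permitted service.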
Source NAT Settings
These settings are available when the rule manages traffic being
allowed from the LAN / DMZ to the WAN. Source Network Address Translation
(SNAT) requires rewriting the source or destination IP address of
incoming IP packets as they pass through the firewall.
External IP Address: You can choose either WAN Interface Address
or Single Address.
Single IP Address: If Single Address was selected for the
External IP address, define it here.
WAN Interface: Choose one of the available configured WAN
interfaces if the SNAT is to be done on all matching traffic coming
from that interface.
Destination NAT Settings
These settings are required when the traffic is coming from the
WAN to the DMZ or the LAN. Destination Network Address Translation
maps a public IP address (your Dedicated WAN address, Optional WAN
address, or another address) to an IP address on your private network.
Internal IP Address: Specify an IP address of a machine on
the Local Network which is hosting the server.
Enable Port Forwarding: Check this box to enable port forwarding
to the port that you specify in the Translate Port Number field.
Translate Port Number: Enter the port number to use for port
forwarding. For example, if a machine on the Local Network side
is running a telnet server on port 2000, then check the Enable Port
Forwarding box and type 2000 in the Translate Port Number field.
If the server is listening on the default port 23, then the box
can be left unchecked.
External IP Address: Select the internet destination IP address
that is used for this firewall rule: Dedicated WAN, Optional WAN,
or Other. If you choose Other, enter the IP address in the Other
IP Address field.
Other IP Address: Enter the WAN IP address that will map
to the internal server.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Custom Services:
List of Available Custom Services
Name: Name of the service for identification and management
purposes.
Type: The layer 4 Protocol that the service uses: TCP, UDP
or ICMP.
ICMP Type/Port Range: ICMP Type field is enabled when the
layer 3 protocol (in the Type field) is selected as ICMP or ICMPv6.
The ICMP type is a numeric value that can range between 0 and 40,
while for ICMPv6 the type ranges from 0 to 255. Port Range is the
first TCP or UDP port of a range the service uses.
The actions that can be taken on custom services are:
(Check Box At First Column Header): Selects all the custom
services in the table.
Edit: Opens the Custom Services Configuration page, to edit
the selected custom Service.
Delete: Deletes the selected custom service or custom services.
Add: Opens the Custom Service Configuration page to add a
new service.
Custom Services Config:
Created services are available as options for firewall rule configuration.
Name: Name of the service for identification and management
purposes.
Type: The layer 3 Protocol that the service uses. Can be
TCP, UDP or ICMP.
ICMP Type: This field is enabled when the layer 3 protocol
(in the Type field) is selected as ICMP. The ICMP type is a numeric
value that can range between 0 and 40. For a list of ICMP types,
visit the following URL:
http://www.iana.org/assignments/icmp-parameters.
Start Port: The first TCP or UDP port of a range that the service
uses. If the service uses only one port, then the Start Port will
be the same as the Finish Port.
Finish Port: The last port in the range that the service
uses. If the service uses only one port, then the Finish Port will
be the same as the Start Port.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
ALGs:
Enable ALGs
This router supports kernel level ALGs for the following protocols:
PPTP: Allows multiple machines on the LAN to connect to their
corporate networks using PPTP protocol. When the PPTP ALG is enabled,
LAN computers can establish PPTP VPN connections either with the
same or with different VPN servers. When the PPTP ALG is disabled,
the router allows VPN operation in a restricted way -- LAN computers
are typically able to establish VPN tunnels to different VPN Internet
servers but not to the same server. The advantage of disabling the
PPTP ALG is to increase VPN performance. Enabling the PPTP ALG also
allows incoming VPN connections to a LAN side VPN server.
IPSec: Allows multiple VPN clients to connect to their corporate
networks using IPSec. Some VPN clients support traversal of IPSec
through NAT. This option may interfere with the operation of such
VPN clients. If you are having trouble connecting with your corporate
network, try disabling this option.
Check with the system administrator of your corporate network whether
your VPN client supports NAT traversal. Note that L2TP VPN connections
typically use IPSec to secure the connection. To achieve multiple
VPN pass-through in this case, the IPSec ALG must be enabled.
RTSP: Allows applications that use Real Time Streaming Protocol
to receive streaming media from the internet. QuickTime and Real
Player are some of the common applications using this protocol.
SIP: Allows devices and applications using VoIP (Voice over
IP) to communicate across NAT. Some VoIP applications and devices
have the ability to discover NAT devices and work around them. This
ALG may interfere with the operation of such devices. If you are
having trouble making VoIP calls, try turning this ALG off.
H.323: Allows H.323 (specifically Microsoft Netmeeting) clients
to communicate across NAT. Note that if you want your buddies to
call you, you should also set up a virtual server for NetMeeting.
SMTP: Allows inbound mail services that use SMTP to be mapped
appropriately across NAT.
DNS: Allows NAT-PT (Network Address Translation/Protocol
Translation) implementations to meet DNS address mapping requirements.
TFTP: Allows Trivial FTP (TFTP) clients and servers to transfer
data across NAT.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
VPN Passthrough:
Choose one or more of the following to enable pass through for
the device.
IPSec: Enable this to allow IPsec tunnels to pass through
the router.
PPTP: Enable this to allow PPTP tunnels to pass through the
router. To make this work, enable PPTP ALG also.
L2TP: Enable this to allow L2TP tunnels to pass through the
router.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Wireless Setting
Advanced Wireless:
Typically default settings on this page are appropriate for
most wireless applications.
Advanced Wireless Configuration
Beacon Interval: Enter the time in milliseconds between beacon
transmissions. The default interval is 100 milliseconds.
DTIM Interval: Enter the interval at which the delivery traffic
indication message should be sent. This setting is related to the
beacon interval. The default interval is 2 beacon intervals.
RTS Threshold: The Request to Send (RTS) threshold is the
packet size in bytes that requires the AP to check the transmitting
frames to determine if RTS/Clear to Send (CTS) handshake is required
with the receiving client. Using a small value causes RTS packets
to be sent more often, consuming more of the available bandwidth,
therefore reducing the apparent throughput of the network packets.
The default value is 2346, which effectively disables RTS.
Fragmentation Threshold: This is the maximum length of the
frame, in bytes, beyond which packets must be broken up (fragmented)
into two or more frames. Collisions occur more often for long frames
because while sending them, they occupy the channel for a longer
time. The default value is 2346, which effectively disables fragmentation.
Preamble mode: 802.11b requires that a preamble be appended
to every frame before it is transmitted through the air. The preamble
may be either the traditional "long" preamble, which requires 192
microseconds for transmission, or it may be an optional "short"
preamble that requires only 96 microseconds. A long preamble is
needed for compatibility with the legacy 802.11 systems operating
at 1 and 2 Mbps. The default selection is Long.
Protection Mode: Select the CTS-to-Self Protection option
to enable CTS-to-Self protection mechanism, which is used to minimize
collisions among stations in a mixed 802.11 b & g environment. The
default selection is None.
Power Save Enable: Select this to enable the Unscheduled Automatic
Power Save Delivery (also referred to as WMM Power Save) feature
that allows the radio to conserve power.
Short Retry Limit / Long Retry Limit: These limits determine
the number of times the AP will re-attempt a failed frame transmission.
The limit applies to both long and short frames of a size less than
or equal to the RTS threshold.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
WPS:
WPS is available for configured and enabled APs that support WPA
/ WPA2 security. You must have a WPS-supporting 802.11 client to
let that client join this AP's network via WPS.
WPS Configuration
Select VAP: Select one of the configured Virtual APs (VAP)
from the drop down box on which WPS is to be enabled. Only the SSIDs
for AP which are configured with WPA, WPA2 or WPA + WPA2 security
modes are available for WPS configuration.
WPS Status: Select Enable from the drop down box to enable
WPS for this AP. By default WPS is disabled.
WPS Current Status
Security: The security mode being employed by the AP on which
WPS is configured.
Authentication Type: The authentication method being employed
by the AP on which the WPS is configured.
Encryption Type: The encryption method being employed by
the AP on which the WPS is configured.
WPS Setup Method
Station PIN: To use a PIN to establish the WPA/WPS2 link,
enter the PIN (a pre-shared password) that is configured on the
WPS clients.
Click Configure via PIN to initiate the WPS session using
the PIN (Personal Identification Number) method.
Click Configure via PBC to initiate the WPS session using
the PBC (Push button configuration) method. Once this is clicked,
press down on the client's push button within 60 seconds to establish
the WPS link.
Session Status: Displays messages indicating current status
of a WPS session.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Advanced Network
UPnP:
Do you want to enable UPnP?: Select yes to enable UPnP support
and no to disable it. If disabled, the router will not allow for
automatic device configuration.
LAN: If desired, UPnP can be enabled on the entire LAN segment
or specific configured VLAN groups. Available VLANs will be displayed
in the menu along with the LAN interface.
Advertisement Period: This is the period (in seconds) of
how often this wireless gateway will broadcast its UPnP information
to all devices within range.
Advertisement Time to Live: This is expressed in hops for
each UPnP packet. This is the number of steps a packet is allowed
to propagate before being discarded. Small values will limit the
UPnP broadcast range.
UPnP Portmap Table
The UPnP Portmap Table shows IP addresses and other settings of
UPnP devices that have accessed this wireless gateway.
Active: A yes/no indicating whether the port of the UPnP
device that established a connection is currently active.
Protocol: The network protocol (i.e. HTTP, FTP, etc.) that
the device is using to connect to this wireless gateway.
Int. Port (Internal Port): Which, if any, internal ports
are opened by the UPnP device.
Ext. Port (External Port): Which, if any, external ports
are opened by the UPnP device.
IP Address: The IP address of the UPnP device that is accessing
this gateway.
Click Refresh to refresh the portmap table and search for
any new UPnP devices.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
WAN Port Setup:
WANs Ping:
Respond to Ping: To configure the router to respond to an
ICMP Echo (ping) packet coming in from the WAN side, check this
box. This setting is usually used as a diagnostic tool for connectivity
problems. It is recommended that the option be disabled at other
times to prevent hackers from easily discovering the router via
a ping.
Note: When using NAT routing mode, a firewall rule that directs
ping requests to a particular computer on the LAN will override
this option.
WAN1/WAN2 Port Setup
MTU Type: Select either Default or Custom. If Custom is selected,
then enter the MTU Size.
MTU Size: The MTU (Maximum Transmission Unit) is the size of
the largest packet that can be sent over the network. The standard
MTU value for Ethernet networks is usually 1500 Bytes and for PPPoE
connections, it is 1492 Bytes. Unless a change is required by your
ISP, it is recommended that the MTU values be left as is.
Port Speed: The Ethernet port speed can be manually set or
specified depending on your WAN requirements.
Auto Sense: Select this to let the gateway and network
determine the optimal port settings.
Duplex: Choose between Half Duplex and Full Duplex based
on the port support. The default is Full Duplex for all ports.
Speed: One of three port speeds can be selected: 10 Mbps,
100 Mbps and 1000 Mbps (i.e. 1 Gbps).
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
IGMP Setup:
Active IGMP snooping is referred to as IGMP proxy. When in use,
IGMP packets through the LAN are filtered in order to reduce the
amount of multicast traffic in the network.
Enable IGMP Proxy: Check this to enable IGMP proxy on this
LAN.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
IPS:
Intrusion Detection/Prevention Enable
This gateway has an intrusion detection system (IDS) that allows
you to detect, log, and block malicious attacks that can potentially
impact security and usability of the device. This is a passive detection
tool used to log and alert the user of potential threats. This page
has the basic configuration settings used to enable IDS.
Enable Intrusion Detection: Select to allow intrusion events
to be detected and logged. Each incoming packet to the gateway is
reviewed for potential malicious attacks, based on the settings
configured in this page.
Enable Intrusion Prevention: Select to allow the device's
intrusion prevention system to monitor inline traffic from the
WAN. This can affect system performance.
IPS Checks Active Between
LAN and WAN: Select this to enable IPS between the secure
LAN and public WAN.
DMZ and WAN: Select this to enable IPS between the secure
DMZ and public WAN.
IPS Status
Number of Signatures Loaded: This is a static number of intrusion
signatures that are stored in the router and are used for detecting
IPS events.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Attack Checks:
WAN Security Checks
Enable Stealth Mode: If Stealth Mode is enabled, the router
will not respond to port scans from the WAN. This makes it less
susceptible to discovery and attacks.
Block TCP Flood: If this option is enabled, the router will
drop all invalid TCP packets and be protected from a SYN flood attack.
LAN Security Checks
Block UDP Flood: If this option is enabled, the router will
not accept more than 20 simultaneous, active UDP connections from
a single computer on the LAN.
ICSA Settings
Block ICMP Notification: Selecting this prevents ICMP packets
from being identified as such. ICMP packets, if identified, can
be captured and used in a Ping (ICMP) flood DoS attack.
Block Fragmented Packets: Selecting this option drops any
fragmented packets through or to the gateway.
Block Multicast Packets: Selecting this option drops multicast
packets, which could indicate a spoof attack, through or to the
gateway.
DoS Attacks
SYN Flood Detect Rate (max/sec): The rate at which the SYN
Flood can be detected.
Echo Storm (ping pkts/sec): The number of ping packets per
second at which the router detects an Echo storm attack from the
WAN and prevents further ping traffic from that external address.
ICMP Flood (ICMP pkts/sec): The number of ICMP packets per
second at which the router detects an ICMP flood attack from the
WAN and prevents further ICMP traffic from that external address.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Band Width Profiles:
Example: When a new connection is established via the device,
the device will locate the firewall rule corresponding to the connection.
If the rule has a bandwidth profile specification, then the device
will create a bandwidth class in the kernel. If multiple connections
correspond to the same firewall rule, they will share the same class.
An exception is in case of individual type bandwidth profile in
which the classes are per source IP. The "source IP" is the source
IP of the first packet of the connection. So for the outbound rules
the source IP will be LAN side IP and for inbound rules the source
IP will be the WAN-side IP. The class thus will be deleted when
all the connections using the class expire.
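The class lifecycle described above, modelled as an added example (not code from the router): the class and function names, rule names and profile names are assumptions made for illustration, and the addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FirewallRule:
    name: str
    direction: str                 # "outbound" (LAN to WAN) or "inbound" (WAN to LAN)
    profile: Optional[str] = None  # bandwidth profile name; None = rule has no profile
    individual: bool = False       # True for an individual-type profile


class BandwidthClasses:
    """Bookkeeping model of class creation, sharing and deletion."""

    def __init__(self):
        self.members = {}      # class key -> set of connection ids using the class
        self.conn_class = {}   # connection id -> class key

    @staticmethod
    def key_for(rule, first_packet_src):
        if rule.profile is None:
            return None                            # no profile on the rule, no class
        if rule.individual:
            return (rule.name, first_packet_src)   # one class per source IP
        return (rule.name, None)                   # one class shared by the whole rule

    def open_connection(self, conn_id, rule, first_packet_src):
        """Attach a new connection to its class, creating the class if needed."""
        key = self.key_for(rule, first_packet_src)
        if key is not None:
            self.members.setdefault(key, set()).add(conn_id)
            self.conn_class[conn_id] = key
        return key

    def expire_connection(self, conn_id):
        """Detach a connection; return True when this expiry deleted the class."""
        key = self.conn_class.pop(conn_id, None)
        if key is None:
            return False
        self.members[key].discard(conn_id)
        if self.members[key]:
            return False
        del self.members[key]
        return True


def demo():
    shared = FirewallRule("web-out", "outbound", profile="rate-512k")
    per_ip = FirewallRule("voip-out", "outbound", profile="prio-high", individual=True)
    inbound = FirewallRule("dmz-in", "inbound", profile="rate-1m", individual=True)

    table = BandwidthClasses()
    # Two LAN hosts matching the same shared rule end up in one class.
    table.open_connection("c1", shared, "192.168.10.10")
    table.open_connection("c2", shared, "192.168.10.11")
    # Individual type, outbound: the LAN-side source IP selects the class.
    table.open_connection("c3", per_ip, "192.168.10.10")
    table.open_connection("c4", per_ip, "192.168.10.11")
    # Individual type, inbound: the WAN-side source IP selects the class.
    table.open_connection("c5", inbound, "203.0.113.7")
    classes_after_open = len(table.members)

    first = table.expire_connection("c1")   # c2 still uses the shared class
    last = table.expire_connection("c2")    # last user gone, class deleted
    return {
        "classes_after_open": classes_after_open,
        "deleted_on_first_expiry": first,
        "deleted_on_last_expiry": last,
        "classes_after_expiry": len(table.members),
        "inbound_keyed_by_wan_ip": ("dmz-in", "203.0.113.7") in table.members,
    }


if __name__ == "__main__":
    print(demo())
```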
Select the box to Enable Bandwidth Profiles in order to proceed
with configuration.
List of Bandwidth Profiles
The table lists the Bandwidth Profiles for this device and allows
several operations on the Bandwidth Profiles.
Name: Displays the user-defined name for this bandwidth profile.
Bandwidth Range/Priority: Displays the range for bandwidth
profile.
The actions that can be taken on bandwidth profiles are:
(Check Box At First Column Header): Selects all the bandwidth
profiles in the table.
Edit: The Edit button will link to the bandwidth profiles
configuration page, allowing you to make changes to the selected
bandwidth profile.
Delete: Deletes the selected bandwidth profile or profiles.
Add: Clicking this button will link to the bandwidth profiles
configuration page.
Band Width Profiles Config:
Name: Specify a unique name for the profile.
Profile Type: Determine the profile type as either priority
or rate.
Priority: Choose from Low, Medium or High if the profile
type is priority.
Minimum Bandwidth Rate: Specify the minimum bandwidth rate
in Kbps if the profile type is rate.
Maximum Bandwidth Rate: Specify the maximum bandwidth rate
in Kbps if the profile type is rate.
WAN Interface: Indicate which of the available interfaces
will be associated with this profile.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Traffic Selectors:
Service: Indicates the service associated with this traffic
selector.
Traffic Selector Type: Displays the type of traffic selector
selected.
Bandwidth Profile Name: Displays the name of the bandwidth
profile associated with the Traffic Selector.
The actions that can be taken on Traffic Selectors are:
(Check Box At First Column Header): Selects all the Traffic
Selectors in the table.
Edit: The Edit button will link to the Traffic Selector Configuration
page, allowing you to make changes to the selected Traffic Selector.
Delete: Deletes the selected Traffic Selector or Traffic
Selectors.
Add: Clicking this button will link to the Traffic Selector
Configuration page.
Traffic Selector Config:
Available Profiles: Select one of the previously configured
bandwidth profiles to associate with this traffic selector.
Service: Select one of the services from the defined services,
or to have this traffic selector apply to all traffic choose ANY.
Traffic Selector Match Type: The match type can be one of
the following:
IP Address: Select this option to associate this traffic
selector with the IP address of a LAN device. Once selected, enter the
IP address of the LAN device.
MAC Address: Select this option to associate this traffic
selector with a specific MAC address on the LAN. Once selected, enter
a valid MAC address.
Port Number: If this option is selected, then enter the LAN
port number (1 through 4).
VLAN: Select this option to associate this traffic selector
with a specific VLAN. If this option is selected, then select one of
the configured Port Name identifiers.
BSSID: Select this option to associate the traffic selector
to a configured AP, and then choose the AP from the Available
BSSIDs list.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Routing
Static Routing:
Name: Name of the route, for identification and management purposes.
Destination: Destination host or network the route leads
to.
Subnet Mask: subnet mask of the destination IP address.
Gateway: IP Address of the gateway through which the destination
host or network can be reached.
Interface: The physical network interface (dedicated WAN,
secondary WAN, DMZ or LAN), through which this route is accessible.
Metric: Determines the priority of the route. If multiple
routes to the same destination exist, the route with the lowest
metric is chosen.
Active: Determines whether the route is active or inactive.
A route can be added to the table and made inactive, if not needed.
This allows routes to be used as needed without deleting and re-adding
the entry. An inactive route is not broadcast if RIP is enabled.
Private: Determines whether the route can be shared with
other routers when RIP is enabled. If Yes is selected, then the
route will not be shared in a RIP broadcast or multicast. This is
only applicable for IPv4 static routes.
The actions that can be taken on static routes are:
(Check Box At First Column Header): Selects all the static
routes in the table.
Edit: The Edit button will link to the Route Configuration
page, allowing you to make changes to the selected static route.
Delete: Deletes the selected static route or static routes.
Add: Clicking this button will link to the Route Configuration
page.
Static Routing Config:
Route Name: Name of the route, for identification and management
purposes.
Active: Defines whether the route will be active or inactive.
When a route is added in inactive state, it will be listed in the
table, but will not be used by the router. The route can be enabled
later. This is useful if the network that the route connects to
is not available when you added the route. When the network becomes
available, the route can be enabled.
Private: Defines whether the route can be shared with other
routers when RIP is enabled. If checked, the route will be marked
private, and will not be shared in a RIP broadcast or multicast.
Destination IP Address: Destination host or
network the route leads to.
IP Subnet Mask: IPv4 Subnet Mask.
Interface: The physical network interface (dedicated WAN,
secondary WAN, DMZ or LAN), through which this route is accessible.
Gateway IP Address: IP Address of the gateway
through which the destination host or network can be reached.
Metric: Defines the priority of the route. Please choose
a value between 2 and 15. If multiple routes to the same destination
exist, the route with the lowest metric is chosen.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Protocol Bindings:
Protocol bindings are used to ensure a defined type of traffic
is always sent over one of the two configured WAN interfaces when
more than one gateway to the internet is available.
Status: A protocol binding can be disabled if not in use
and enabled when needed. The protocol binding is disabled if the
status light is grey and it is enabled if the status light is green.
Disabling a protocol binding does not delete the configuration.
Service: One of the various services available for protocol
binding is displayed.
Local Gateway: The port that sets the local gateway for this
protocol binding (either dedicated WAN or configurable port WAN).
Source Network: One of the following can
be the source network for a protocol binding: Any, Single Address,
Address Range or a Group Name defined for this device.
Destination Network: One of the following can be
the destination network for a protocol binding: Any, Single Address,
Address Range or a Group Name defined for this device.
The actions that can be taken on protocol bindings are:
(Check Box At First Column Header): Selects
all the protocol bindings in the table.
Edit: The Edit button will link to the Protocol Binding Configuration
page, allowing you to make changes to the selected protocol binding.
Enable: Enables the selected protocol bindings
Disable: Stops the selected protocol bindings
Delete: Deletes the selected protocol binding(s).
Add: Clicking this button will link to the Protocol Binding
Configuration page.
Protocol Binding Config:
Service: Select one of the various services available for protocol
binding
Local Gateway: select the port that sets the local gateway
for this protocol binding (either dedicated WAN or configurable
port WAN)
Source Network: Select one of the following:
Any: No specific network needs to be given.
Single Address: Limit to one computer. Requires the IP address
of the computer that will be part of the source network for this
protocol binding
Address Range: Select if you want to allow computers within
an IP address range to be a part of the source network. Requires
Start address and End address
Start Address: IP address from where the range needs to begin,
or the single address if that is the source network selected.
End Address: IP address where the range needs to end
Destination Network: Select one of the following:
Any: No specific network needs to be given.
Single Address: Limit to one computer. Requires the IP address
of the computer that will be part of the destination network for
this protocol binding
Address Range: Select if you want to allow computers within
an IP address range to be a part of the destination network. Requires
Start address and End address
Start Address: IP address from where the range needs to begin,
or the single address if that is the destination network selected.
End Address: IP address where the range needs to end
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Certificate
Certificate:
Trusted Certificates (CA Certificate)
Trusted Certificates or CA certificates are used to verify the validity
of certificates signed by them. When a certificate is generated,
it is signed by a trusted organization or authority called the Certificate
Authority. The table contains the certificates of each CA.
When a remote VPN gateway or client presents a digital certificate,
the authentication process verifies that the presented certificate
is issued by one of the trusted authorities. The Trusted CA certificates
are used in this authentication process.
The following data is displayed for each certificate entry in the
table:
CA Identity (Subject Name): The organization or person to
whom the certificate is issued.
Issuer Name: The name of the CA that issued the certificate.
Expiry Time: The date after which the certificate becomes
invalid.
(Check Box At First Column Header): Select all the certificates
in the table.
Upload: New certificates can be uploaded to the router with
the Upload Trusted Certificate option.
Delete: Purge the selected certificate or certificates.
Active Self Certificates
This table lists the certificates issued to you by trusted Certification
Authorities (CAs), and available for presentation to remote IKE
servers. The remote IKE server validates this router using these
certificates. For each certificate, the following data is displayed:
Name: A unique name used to identify a certificate.
Subject Name: This is the name which other organizations
will see as the Certificate Holder (owner). This is usually your
registered business or company name.
Serial Number: The serial number is used by the CA to identify
the certificate itself in their records.
Issuer Name: The name of the CA which issued the certificate.
Expiry Time: The date on which the Certificate expires. You
should renew the certificate before it expires.
(Check Box At First Column Header): Select all the certificates
in the table.
Upload: New certificates can be uploaded to the router with
the Upload Active Self Certificate option.
Delete: Purge the selected certificate or certificates.
Self Certificate Requests
The Self Certificate Requests table displays a list of all the certificate
requests made.
Name: A unique name used to identify a certificate.
Status: Will indicate if the self certificate is uploaded
or not uploaded to this router.
Action: Click View to view details of the request and copy
the contents as required.
(Check Box At First Column Header): Select all the certificates
in the table.
New Self Certificate: This button links to the Generate Self
Certificate Request configuration page.
Delete: Purge the selected certificate or certificates.
Upload Trusted Certificates:
This router can upload a trusted certificate from a location
on the host used to manage the router. Click on Choose File
and select the certificate file located on your computer. Click
Upload to store the certificate on the router, and once loaded
it will appear in the list of Trusted Certificates (CA Certificates).
View Certificate Request Data:
Certificate Details: The details of the Self Certificate
are shown, such as the System Name, Hash Algorithm, Signature Algorithm,
and Key Length.
Data to supply to CA: This is the encrypted data generated
by the certificate request that should be sent to the CA or Trusted
authority for signing. Copy the contents of the Data to supply to
CA text box and save it in a file. Follow the instructions of the
CA to complete the certificate signing process.
Generate Self Certificate Request:
Name: this is the identifier used to manage this self certificate
request and will appear in the list of Self Certificate Requests.
Subject: This field will populate the CN (Common Name) entry
of the generated certificate. Subject names are usually defined
in the following format: CN=<device name>, OU=<department>, O=<organization>,
L=<city>, ST=<state>, C=<country>. For example: CN=router1, OU=my_company,
O=mydept, L=SFO, C=US.
Hash Algorithm: choose between MD5 and SHA-1 for the Hash
algorithm used by the certificate.
Signature Key Length: the length of the signature, either
512 or 1024.
The certificate request can also contain some optional fields
to further customize the certificate request: IP Address, Domain
name, E-mail Address.
Click Generate to create a new certificate request. Once
created it is added to the Self Certificate Requests table. To view
a request, click on the View button next to the appropriate
request in this table.
Upload Active Self Certificate Request:
This router can upload an active self certificate from a location
on the host used to manage the router. Click on Choose
File and select the certificate file located on your computer.
Click Upload to store the certificate on the router, and
once loaded it will appear in the list of Active Self Certificates.
Users
Domains:
Domain Name: The domain name is a unique identifier.
Authentication Type: The authentication type for this particular
domain can be Local User Database (default), Radius-PAP, Radius-CHAP,
Radius-MSCHAP, Radius-MSCHAPv2, NT Domain, Active Directory or LDAP.
Portal Layout Name: The portal layout, configured in the
SSL VPN Portal menu, selected for this domain is displayed.
The actions that can be taken on domains are:
Edit: The Edit button will link to the domains configuration
page, allowing you to make changes to the selected domain.
(Check Box At First Column Header): Selects all the domains
in the table.
Delete: Deletes the selected domain or domains.
Add: Clicking this button will link to the domains configuration
page.
Domain Config:
Domain Name: This is the unique identifier (alphanumeric) of
the domain.
Authentication Type: Choose the authentication type for this
particular domain. Options are: Local User Database (default), Radius-PAP,
Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPv2, NT Domain, Active Directory,
LDAP.
Select Portal: Select from the dropdown list of portal layouts.
These are configured in the SSL VPN Portal menu. The * indicates
the default portal layout.
Authentication Server: If using an authentication type other
than the Local User Database, enter the server name used to authenticate
the user. Up to 3 Authentication servers can be configured that
will be used as backups in case the primary server does not respond.
Timeout: The time in seconds for the router to wait for a
response before an authentication attempt with the server is considered
failed.
Retries: The number of times that the router will retry
contacting an authentication server after reaching the timeout limit.
After the number of retries is reached the next authentication server
will be used for the authentication attempt. If all three servers
have been used without success, the authentication of the user with
this domain has failed.
Authentication Secret: Radius authentication (all types:
PAP, CHAP, MSCHAP, MSCHAPv2) all require an authentication secret;
contact your administrator for this secret if configuring RADIUS
authentication for this domain.
Workgroup: The NT domain type of authentication requires
the workgroup field; contact your administrator for the workgroup
needed to configure NT Domain authentication.
LDAP Base DN: LDAP authentication requires the base domain
name; contact your administrator for the Base DN to use LDAP authentication
for this domain.
Active Directory Domain: if Active Directory is the chosen
authentication type, you must enter the Active Directory domain
name in this field. Users that are registered in the Active Directory
database can now access the SSL VPN portal by using their Active
Directory username and password.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Groups:
Name: The group is the first level grouping to which a user
belongs.
Domain: Displays which (if any) of the pre-configured authentication
domains are used to authenticate this group.
The actions that can be taken on groups are:
(Check Box At First Column Header): Selects all the groups
in the table.
Edit: The Edit button will link to the groups configuration
page, allowing you to make changes to the selected group.
Delete: Deletes the selected group or groups.
Add: Clicking this button will link to the groups configuration
page.
Groups Config:
Group Name: This is the unique identifier for the group; it can
use any alphanumeric characters.
Domain: Assign a domain from the dropdown list of authentication
domains.
Idle Timeout: The default timeout of 5 minutes can be changed
for the group here.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Users:
List of Users
User Name: The user name is a unique identifier.
Group: The group is the first level grouping to which the
user belongs.
Type: The user type is one among Administrator, SSL VPN User,
or IPsec VPN User.
Authentication Domain: Displays which (if any) of the pre-configured
authentication domains are used to authenticate this user.
Login Status: the ability for this user to log in to the router's
GUI is highlighted here.
The actions that can be taken on users are:
(Check Box At First Column Header): Selects all the users
in the table.
Login Policies: The Policies button will link to the Login
Policies page, allowing you to add login policies to the selected
user.
Policies By Browser: This will link to the Login Policies
Browser page, where specific browsers can have management login
policies associated to them.
Policies By IP: This will link to the Login Policies IP page,
where specific IP addresses can have management login policies associated
to them.
Edit: The Edit button will link to the SSL Users page, allowing
you to make changes to the selected user.
Delete: Deletes the selected user or users.
Add: Clicking this button will link to the SSL Users Page.
Users Config:
User Name: This is the unique identifier for the user; it can use
any alphanumeric characters.
First Name: The user's first name. This is useful when the
authentication domain is an external server (i.e. RADIUS).
Last Name: The user's last name. This is useful when the authentication
domain is an external server (i.e. RADIUS).
User Type: The user can have credentials of an Administrator,
SSL VPN User, or IPsec VPN User.
Select Group: The dropdown list contains configured groups
available for the user.
Password: The password must contain alphanumeric, or _ characters.
Confirm Password: The password entered in this field must
match the one above for the password to be set.
Idle Timeout: This is the session timeout for the user. The
default is 5 minutes of no activity.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Login Policies:
User name: This is the name of the user that can have its login
policy edited.
Disable Login: Enable to prevent this user from logging into
the device's management interface(s).
Deny Login from WAN interface: Enable to prevent this user
from logging in from a WAN (wide area network) interface. In this
case only login through LAN is allowed.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Login Policies Browser:
User name: This is the name of the user that can have its login
policy edited.
Deny Login from Defined Browsers: The list of defined browsers
below will be used to prevent this user from logging in to the router's
GUI. All non-defined browsers will be allowed for login for this
user.
Allow Login from Defined Browsers: The list of defined browsers
below will be used to allow this user to log in to the router's
GUI. All non-defined browsers will be denied for login for this
user.
Defined Browsers
This list displays the web browsers that have been added to the
Defined Browsers list, upon which user login policies can be defined.
(Check Box At First Column Header): Selects all the defined
browsers in the table.
Delete: Deletes the selected browser(s).
You can add to the list of Defined Browsers by selecting a client
browser from the drop down menu and clicking Add. This browser
will then appear in the above list of Defined Browsers.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Login Policies IP:
User Policy by Source IP Address
User Name: The user name is a unique identifier
Deny Login from Defined Addresses: Enable to prevent the
user from logging in from any Defined Addresses (displayed in the
Defined Addresses table below)
Allow Login only from Defined Addresses: Enable to allow
the user to login only if the user is accessing the device from
an IP address/network in the list of Defined Addresses (displayed
in the Defined Addresses table below).
Defined Addresses
The list of defined Addresses indicates the type of source address
(single address or subnetwork), the specific Network Address or
IP address, and mask length if applicable.
(Check Box At First Column Header): Selects all the defined
addresses in the table.
Delete: Deletes the selected address(es)
Add: Clicking this button will link to the Defined Address
Configuration Page.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Defined Address Config:
Source Address Type: Select either IP address or IP Network.
Network Address/IP Address: Enter the IP or Network address
to add to the Defined Addresses list.
Mask Length: If entering a network address, define the mask
length (0-32).
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
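The two source-address login policies and the Defined Address fields above, evaluated in an added example (not the router's own code): the function and constant names are assumptions, rejecting a network address with host bits set is a choice of this example, and all addresses are constructed sample values.

```python
import ipaddress

DENY_DEFINED = "Deny Login from Defined Addresses"
ALLOW_ONLY_DEFINED = "Allow Login only from Defined Addresses"


def defined_address(source_type, address, mask_length=None):
    """Build one Defined Addresses entry from the three configuration fields."""
    if source_type == "IP Address":
        return ipaddress.IPv4Network(address + "/32")
    if source_type == "IP Network":
        if mask_length is None or not 0 <= mask_length <= 32:
            raise ValueError("mask length must be between 0 and 32")
        # strict=True rejects entries such as 192.168.10.5/24, where the
        # address typed is a host inside the network, not the network itself.
        return ipaddress.IPv4Network(f"{address}/{mask_length}", strict=True)
    raise ValueError("source address type must be 'IP Address' or 'IP Network'")


def login_allowed(policy, defined, source_ip):
    """Decide one login attempt from source_ip under the selected policy."""
    src = ipaddress.IPv4Address(source_ip)
    listed = any(src in net for net in defined)
    if policy == DENY_DEFINED:
        return not listed      # block list: everything not listed may log in
    if policy == ALLOW_ONLY_DEFINED:
        return listed          # allow list: an empty list locks the user out
    raise ValueError("unknown policy")


def demo():
    defined = [
        defined_address("IP Address", "192.168.10.20"),
        defined_address("IP Network", "10.1.0.0", 16),
    ]
    attempts = ["192.168.10.20", "10.1.44.3", "203.0.113.9"]
    return {
        policy: [login_allowed(policy, defined, ip) for ip in attempts]
        for policy in (DENY_DEFINED, ALLOW_ONLY_DEFINED)
    }


if __name__ == "__main__":
    for policy, results in demo().items():
        print(policy, results)
```

A mask length of 0 matches every source address, so under the deny policy such an entry blocks the user from everywhere.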
IP/MAC Binding
IP/MAC Binding List:
If the user has enabled the logging option for IP/MAC Binding, packets
that violate a binding will be logged before being dropped. The router displays the
total count of dropped packets which violated either IP to MAC Binding
or MAC to IP Binding.
Example: If three computers are on the LAN with the following setup:
Host1 -- MAC address(00:01:02:03:04:05) & IP address(192.168.10.10)
Host2 -- MAC address(00:01:02:03:04:06) & IP address(192.168.10.11)
Host3 -- MAC address(00:01:02:03:04:07) & IP address(192.168.10.12)
All the above host entries are added in IP/MAC Binding table. The
scenarios for the above hosts are as such:
Host1 -- Matching IP & MAC address in IP/MAC Table.
Host2 -- Matching IP but inconsistent MAC address in IP/MAC Table.
Host3 -- Matching MAC but inconsistent IP address in IP/MAC Table.
The router will block the traffic coming from Host2 & Host3 but
allow the traffic coming from Host1 to any external network. Total
count of dropped packets will be displayed.
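The Host1/Host2/Host3 scenario above, worked through in an added example (not the router's own code): the class and function names are assumptions, the mismatching MAC and IP values are constructed, and letting traffic from a host with no binding entry pass is an assumption of this example, since the text above only covers hosts that are in the table.

```python
BINDINGS = [  # (name, MAC, IP) as listed in the example above
    ("Host1", "00:01:02:03:04:05", "192.168.10.10"),
    ("Host2", "00:01:02:03:04:06", "192.168.10.11"),
    ("Host3", "00:01:02:03:04:07", "192.168.10.12"),
]


def norm_mac(mac):
    """Normalise case and separator so 00-01-... and 00:01:... compare equal."""
    return mac.strip().lower().replace("-", ":")


class IpMacBinding:
    def __init__(self, bindings, log_dropped=True):
        self.ip_to_mac = {ip: norm_mac(mac) for _, mac, ip in bindings}
        self.mac_to_ip = {norm_mac(mac): ip for _, mac, ip in bindings}
        self.log_dropped = log_dropped
        self.dropped = 0    # total count of dropped packets
        self.log = []       # filled only when Log Dropped Packets is enabled

    def check(self, src_mac, src_ip):
        """Return "allow" or "drop" for one packet's source MAC and source IP."""
        mac = norm_mac(src_mac)
        bound_mac = self.ip_to_mac.get(src_ip)
        bound_ip = self.mac_to_ip.get(mac)
        if bound_mac is not None and bound_mac != mac:
            reason = "IP to MAC"    # bound IP used with a different MAC
        elif bound_ip is not None and bound_ip != src_ip:
            reason = "MAC to IP"    # bound MAC used with a different IP
        else:
            return "allow"          # pair matches, or no binding covers it
        if self.log_dropped:
            # The packet is logged first and dropped afterwards.
            self.log.append(f"{reason} Binding violation: {mac} {src_ip}")
        self.dropped += 1
        return "drop"


def run_scenarios():
    table = IpMacBinding(BINDINGS)
    packets = [  # constructed traffic, one packet per scenario
        ("00:01:02:03:04:05", "192.168.10.10"),  # Host1: IP and MAC both match
        ("00:01:02:03:04:AA", "192.168.10.11"),  # Host2: right IP, wrong MAC
        ("00:01:02:03:04:07", "192.168.10.50"),  # Host3: right MAC, wrong IP
        ("00:AA:BB:CC:DD:EE", "192.168.10.200"), # host with no binding entry
    ]
    verdicts = [table.check(mac, ip) for mac, ip in packets]
    return verdicts, table.dropped, table.log


if __name__ == "__main__":
    verdicts, dropped, log = run_scenarios()
    print(verdicts, "dropped:", dropped)
    for line in log:
        print(line)
```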
List of IP / MAC Binding
Name: Displays the user-defined name for this rule.
MAC Addresses: Displays the MAC Addresses for this rule.
IP Addresses: Displays the IP Addresses for this rule.
Log Dropped Packets: Displays logging option for this rule.
The actions that can be taken on IP/MAC Bind rules are:
(Check Box At First Column Header): Selects all the rules
in the table.
Edit: The Edit button will link to the IP MAC Binding Configuration
page, allowing you to make changes to the selected rule.
Delete: Deletes the selected rule or rules.
Add: Clicking this button will link to the IP MAC Binding
Configuration page.
IP/MAC Binding Config:
Name: Specify a unique name for this rule.
MAC Address: Specify the MAC address for this rule.
IP Addresses: Specify the IP address for this rule.
Log Dropped Packets: Specify logging option for this rule.
If enabled, such packets will be logged before dropping. The router
displays the total count of dropped packets which violated either
IP to MAC Binding or MAC to IP Binding.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
IPV6
IPMode:
Routing Mode
IPv4 only mode: Select if the LAN and WAN interfaces are
members of an IPv4 only network. This is the default setting.
IPV4/IPV6 mode: Select this option to enable support for
IPV4 and IPV6 in dual stack mode.
Link Local Connectivity: This option will map all IPv4 addresses
in the network to a link-local IPv6 address.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
IPv6 WAN1 Config:
Internet Address
IPv6: Select DHCPv6 if you have not been assigned
a static IP address from the ISP. A DHCP server will automatically
assign an IPv6 address to the router using DHCP network protocol.
If your ISP has assigned a fixed (static or permanent) IP address,
select Static IPv6 and configure the following fields:
IPv6 Address: Static IPv6 address assigned to you. This will
identify the router to your ISP.
IPv6 Prefix Length: The IPv6 network (subnet) is identified
by the initial bits of the address called the prefix. All hosts
in the network have the identical initial bits for their IPv6 address;
the number of common initial bits in the network's addresses is set
by the prefix length field.
Default IPv6 Gateway: IPv6 address of the ISP's gateway. This
is usually provided by the ISP or your network administrator.
Primary DNS Server: Valid primary DNS Server IP Address
Secondary DNS Server: Valid secondary DNS Server IP Address
DHCPv6
If the ISP chosen is DHCPv6, there are two ways to obtain
an appropriate address for the gateway. You must select one of the
following:
Stateless Address Auto Configuration:
this option will use router advertisement for address assignment.
The IPv6 RADVD protocol will be enabled to advertise this router
as a DHCPv6 client.
Stateful Address Auto Configuration:
select this option to request an IPv6 address from any
DHCPv6 servers available on the ISP.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
IPv6 WAN2 Config:
Internet Address
IPv6: Select DHCPv6 if you have not been assigned a static
IP address from the ISP. A DHCP server will automatically assign
an IPv6 address to the router using DHCP network protocol. If your
ISP has assigned a fixed (static or permanent) IP address, select
Static IPv6 and configure the following fields:
IPv6 Address: Static IPv6 address assigned to you. This will
identify the router to your ISP.
IPv6 Prefix Length: The IPv6 network (subnet) is identified
by the initial bits of the address called the prefix. All hosts
in the network have the identical initial bits for their IPv6 address;
the number of common initial bits in the network's addresses is set
by the prefix length field.
Default IPv6 Gateway: IPv6 address of the ISP's gateway. This
is usually provided by the ISP or your network administrator.
Primary DNS Server: Valid primary DNS Server IP Address
Secondary DNS Server: Valid secondary DNS Server IP Address
DHCPv6
If the ISP chosen is DHCPv6, there are two ways to obtain
an appropriate address for the gateway. You must select one of the
following:
Stateless Address Auto Configuration: this option will use
router advertisement for address assignment. The IPv6 RADVD protocol
will be enabled to advertise this router as a DHCPv6 client.
Stateful Address Auto Configuration: select this option to
request an IPv6 address from any DHCPv6 servers available
on the ISP.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
IPv6 LAN Config:
LAN TCP/IP Setup
IPv6 Address: Router's LAN IPv6 address.
IPv6 Prefix Length: The IPv6 network (subnet) is identified
by the initial bits of the address called the prefix. All hosts
in the network have the identical initial bits for their IPv6 address;
the number of common initial bits in the network's addresses is set
by the prefix length field.
Note: If you change the LAN IP address of the router, the
browser will not respond when you Apply changes. You must use the
new IP address to connect to the web management interface of the
router.
DHCPv6
DHCP Status: By default the DHCPv6 server is disabled for
the LAN. Once enabled, configure the following fields:
DHCP Mode: If the computers on the LAN are configured with
static IP addresses or are configured to use another DHCP server,
select the Disable DHCPv6 Server option. To use the router as a
DHCP server, select Enable DHCPv6 Server and configure the following:
Domain Name: Name of the domain (Optional) for this DHCPv6
server.
Server Preference: This is used by the stateless DHCP to
indicate the preference level of this DHCP server. DHCPv6 clients
will pick up the DHCPv6 server which has highest preference value.
The preference value must be a decimal integer and be between 0
and 255 (inclusive).
DNS Servers: Select one of the following options for DNS
servers for the DHCPv6 clients
Use DNS Proxy: Check this box to enable DNS proxy on this
LAN, or uncheck this box to disable this proxy. When this feature
is enabled, the router will act as a proxy for all DNS requests
and communicate with the ISP's DNS servers (as configured in the
WAN settings page)
Use DNS from ISP: This option allows the ISP to define the DNS
servers (primary/secondary) for the LAN DHCP client
Use below: if selected, the below configured Primary and Secondary
DNS servers are used for DHCPv6 clients.
Primary DNS Server: primary DNS Server IP.
Secondary DNS Server: Secondary DNS Server IP.
Lease/Rebind Time: Duration (in seconds) for which IP addresses
will be leased to clients.
List of IPv6 Address Pools
The configured IPv6 address pools are listed here by starting and
ending address of the pool.
The actions that can be taken on IPv6 Address Pools are:
(Check Box At First Column Header): Selects all the defined
address pools
Edit: The Edit button will link to the IPv6 LAN Pools configuration
page.
Delete: Deletes the selected address pool(s).
Add: Clicking this button will link to the IPv6 LAN Pools
configuration page
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
IPv6 LAN Pools Config:
Start IPv6 Address: the starting IPv6 address in the consecutive
list of addresses that makes up this LAN pool for the DHCPv6 server.
End IPv6 Address: the ending IPv6 address in the consecutive
list of addresses that makes up this LAN pool for the DHCPv6 server.
Prefix Length: The number of common initial bits for this
LAN pool is set by the delegation prefix length.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Router Advertisement:
Router Advertisement Daemon (RADVD)
RADVD listens for router solicitations in the IPv6 LAN and responds
with router advertisements as required. This is stateless IPv6 auto
configuration as it distributes IPv6 prefixes to all nodes on the
network.
RADVD Status: You can enable the RADVD process here to allow
stateless auto configuration of the IPv6 LAN network.
Advertise Mode: Select one of the following:
Unsolicited Multicast: Select to send router advertisements
(RA's) to all interfaces belonging to the multicast group.
Unicast only: This option restricts advertisements to well known
IPv6 addresses only (RA's are sent to the interface belonging to
the known address only).
Advertise Interval: This sets the maximum advertise interval.
The advertise interval used when RADVD is enabled is a random value
between Minimum Router Advertisement Interval and Maximum Router
Advertisement Interval. The minimum router advertisement interval
is 1/3 of this configured value, and the default is 30 seconds.
RA Flags: Choose Managed to use the administered/stateful
protocol for address auto configuration. If the Other flag is selected,
the host uses the administered/stateful protocol for auto configuration
of other (i.e. non-address) information.
Router Preference: Choose between low/medium/high for the
preference associated with the RADVD process of the router. This
feature is useful if there are other RADVD enabled devices on the
LAN. The default is high.
MTU: This is used in RA's to ensure all nodes on the network
use the same MTU value in the cases where the LAN MTU is not well
known. The default is 1500.
Router Lifetime: The lifetime in seconds of the route. The
default is 3600 seconds.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
Advertisement Prefixes:
List of Prefixes to Advertise
When an IPv6 LAN node attempts stateless auto configuration, the
following configured IPv6 prefixes will be advertised as available
for this node to join the network.
IPv6 Prefix: This defines the IPv6 network address.
IPv6 Prefix Length: This is a numeric value that indicates
the number of contiguous, higher order bits of the address that
make up the network portion of the address.
Prefix Lifetime: The length of time over which the requesting
router is allowed to use the prefix.
The actions that can be taken on the List of Prefixes to Advertise
are:
(Check Box At First Column Header): Selects all the prefixes
in the table.
Edit: The Edit button will link to the Advertisement Prefix
Configuration page, allowing you to make changes to the selected
rule.
Delete: Deletes the selected prefix(es).
Add: Clicking this button will link to the Advertisement
Prefix Configuration page.
Advertisement Prefix Config:
IPv6 Prefix Type: Select whether the prefix type is
6to4 or Global/Local/ISATAP.
SLA ID: The SLA ID (Site-Level Aggregation Identifier) in
the 6to4 address prefix is set to the interface ID of the interface
on which the advertisements are sent.
IPv6 Prefix: This defines the IPv6 network address.
IPv6 Prefix Length: This is a numeric value that indicates
the number of contiguous, higher order bits of the address that
make up the network portion of the address.
Prefix Lifetime: The length of time over which the requesting
router is allowed to use the prefix.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
IPv6 Static Routing:
Name: Name of the route, for identification and management purposes.
Destination: Destination host or network the route leads
to.
Gateway: IP Address of the gateway through which the destination
host or network can be reached.
Interface: The physical network interface (dedicated WAN,
secondary WAN, DMZ or LAN), through which this route is accessible.
Metric: Determines the priority of the route. If multiple
routes to the same destination exist, the route with the lowest
metric is chosen.
Active: Determines whether the route is active or inactive.
A route can be added to the table and made inactive, if not needed.
This allows routes to be used as needed without deleting and re-adding
the entry. An inactive route is not broadcast if RIP is enabled.
The actions that can be taken on static routes are:
(Check Box At First Column Header): Selects all the static
routes in the table.
Edit: The Edit button will link to the IPv6 Route Configuration
page, allowing you to make changes to the selected static route.
Delete: Deletes the selected static route or static routes.
Add: Clicking this button will link to the IPv6 Route Configuration
page.
IPv6 Static Routing Config:
Route Name: Name of the route, for identification and management
purposes.
Active: Defines whether the route will be active or inactive.
When a route is added in inactive state, it will be listed in the
table, but will not be used by the router. The route can be enabled
later. This is useful if the network that the route connects to
is not available when you added the route. When the network becomes
available, the route can be enabled.
IPv6 Destination: Destination host or network the route leads
to.
IPv6 Prefix Length: The number of prefix bits in the IPv6
address that define the subnet.
Interface: The physical network interface (dedicated WAN,
secondary WAN, DMZ or LAN), through which this route is accessible.
IPv6 Gateway: IP Address of the gateway through which the
destination host or network can be reached.
Metric: Defines the priority of the route. Please choose
a value between 2 and 15. If multiple routes to the same destination
exist, the route with the lowest metric is chosen.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
6to4 Tunneling:
Select the check box to Enable Automatic Tunneling and
allow traffic from an IPv6 LAN to be sent over an IPv4 WAN to reach
a remote IPv6 network.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
IPv6 Tunnels Status:
Tunnel Name: The active IPv6 to IPv4 tunnel identifier.
IPv6 Addresses: The source IPv6 address(es) in your LAN that have
data being sent over this tunnel.
Click Refresh to update this status page.
ISATAP Tunnels:
List of Available ISATAP Tunnels
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is a method
to transmit IPv6 packets between dual-stack nodes over an IPv4 network.
This device is one endpoint (a node) for the tunnel. To configure
a tunnel, you must set a Local Endpoint as well as the ISATAP Subnet
Prefix that defines the logical ISATAP subnet.
The actions that can be taken on ISATAP tunnels are:
(Check Box At First Column Header): Selects all the tunnels
in the table.
Edit: The Edit button will link to the IPv6 ISATAP Tunnels
Configuration page, allowing you to make changes to the selected
ISATAP tunnel.
Delete: Deletes the selected tunnel or tunnels.
Add: Clicking this button will link to the IPv6 ISATAP Tunnels
Configuration page.
ISATAP Tunnel Config:
ISATAP Subnet Prefix: This is the 64-bit subnet prefix that
is assigned to the logical ISATAP subnet for this intranet. This
can be obtained from your ISP or internet registry, or derived from
RFC 4193.
Local End Point Address: This is the endpoint address for
the tunnel that starts with this router. The endpoint can be the
LAN interface (assuming the LAN is an IPv4 network), or a specific
LAN IPv4 address.
IPv4 Address: The local end point address if not the entire
LAN.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.
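The address layouts behind the 6to4 prefix (with its SLA ID) and the ISATAP tunnel settings above, as an added Python example that is not part of the router's help text or firmware. It builds the addresses these settings produce and recognises them in observed traffic, which helps when writing firewall rules or reading logs. The function names and sample addresses are constructed for illustration; the layouts follow RFC 3056 (6to4) and RFC 5214 (ISATAP).

```python
import ipaddress

def sixto4_prefix(wan_ipv4, sla_id):
    """Build the /64 advertised for 6to4: 2002:<WAN IPv4>:<SLA ID>::/64."""
    if not 0 <= sla_id <= 0xFFFF:
        raise ValueError("SLA ID is a 16-bit field")
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    value = (0x2002 << 112) | (v4 << 80) | (sla_id << 64)
    return ipaddress.IPv6Network((value, 64))

def isatap_address(subnet_prefix, endpoint_ipv4, globally_unique=False):
    """Build <64-bit prefix>:0000:5efe:<IPv4>; 0200:5efe marks a globally unique IPv4."""
    net = ipaddress.IPv6Network(subnet_prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP subnet prefix must be exactly 64 bits")
    marker = 0x02005EFE if globally_unique else 0x00005EFE
    v4 = int(ipaddress.IPv4Address(endpoint_ipv4))
    return net.network_address + ((marker << 32) | v4)

def embedded_ipv4(ipv6):
    """Return (tunnel_type, IPv4) for a 6to4 or ISATAP address, else (None, None)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr.sixtofour is not None:          # address lies inside 2002::/16
        return "6to4", addr.sixtofour
    low64 = int(addr) & 0xFFFFFFFFFFFFFFFF  # interface identifier
    if (low64 >> 32) in (0x00005EFE, 0x02005EFE):
        return "isatap", ipaddress.IPv4Address(low64 & 0xFFFFFFFF)
    return None, None

if __name__ == "__main__":
    # Constructed sample values (documentation and ULA ranges).
    print(sixto4_prefix("192.0.2.1", 1))
    print(isatap_address("fd00:1234:5678:1::/64", "192.168.10.1"))
    print(embedded_ipv4("2002:c000:201:1::25"))
```

Because the IPv4 endpoint is recoverable from either address form, a log entry showing such an IPv6 source can be tied back to the IPv4 host or WAN address that originated the tunnel.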
Radius Setting
Radius Setting:
Authentication Server IP Address (Primary): IP address of the
primary RADIUS authentication server.
Authentication Server IP Address (Secondary): IP address
of the secondary RADIUS authentication server.
Authentication Port: RADIUS authentication server port to
send RADIUS messages.
Secret: Secret key that allows the device to log into the
configured RADIUS server. It must match the secret on the RADIUS server.
Timeout: Set the amount of time, in seconds, that the router should
wait for a response from the RADIUS server.
Retries: This determines the number of tries the router will
make to the RADIUS server before giving up.
Click Save Settings to save the settings.
Click Don't Save Settings to revert to the previous settings.
Power Saving
Power Saving:
Power Saving State: When enabled, the total power to the LAN
switch is dependent on the number of connected ports. The overall
current draw when a single port is connected is less than when all
of the available LAN ports have an active Ethernet connection.
Length Detection State: When enabled, the LAN switch will reduce
the overall current supplied to the LAN port when a short cable
is connected to that port. Longer cables have higher resistance
than shorter cables and require more power to transmit packets over
that distance. This option will reduce the power to a LAN port if
an Ethernet cable of less than 10 ft is detected as being connected
to that port.
Click Save Settings to save your changes.
Click Don't Save Settings to revert to the previous settings.