Advanced Help
 
Application Rules
Application Rules:
Application rules are also commonly referred to as port triggering rules. Port triggering allows computers on the private network (LAN or DMZ) to request one or more ports to be forwarded to them. Unlike basic port forwarding, which forwards ports to only one IP address, port triggering waits for an outbound request from the private network on one of the defined outgoing ports. It then automatically sets up forwarding to the IP address from where the request was made. When the application ceases to transmit data over the port, the router waits for a timeout interval and then closes the port or range of ports, making them available to other computers on the private network.
For example, if an IRC client on the private network makes a connection request through port 6667 and sends its username information to the IRC server, the IRC server will send an IDENT verification packet on port 113 to check the authenticity of the IRC client. In NAT mode, the router will discard this packet since it doesn't know which computer to send the request on port 113 to. A Port Triggering rule can define port 6667 (or the range: 6660 to 7000) as the outgoing (trigger) port(s) and port 113 as the incoming (response) port.

List of Available Application Rules
Name: Displays the user-defined name for this rule.

Enable: Displays the current status of the rule, i.e., whether it is enabled or disabled.

Protocol: Displays whether the port uses the TCP or UDP protocol.

Interface: Displays the name of the interface on which the port triggering rule is configured.

Outgoing Ports: Displays the port number or range of port numbers that will trigger this rule when a connection request for outgoing traffic is made. If the outgoing connection uses only one port, then both the Start Port and End Port fields will display the same port number.

Incoming Ports: Displays the port number or range of port numbers used by the remote system to respond to the request it receives. If the incoming connection uses only one port, then both the Start Port and End Port fields will display the same port number.

The actions that can be taken on port triggering rules are:

(Check Box at First Column Header): Selects all the rules in the table.

Edit: Opens the Port Triggering Configuration page, to edit the selected rule.

Delete: Deletes the selected rule or rules.

Add: Opens the Port Triggering Configuration page to add a new rule.

Application Rules Config:
This page is used to configure port triggering for applications when the router is in NAT mode.

Name: Specify an easily identifiable name for this rule.

Enable: Specify whether to enable or disable the rule.

Protocol: Specify whether the port uses the TCP or UDP protocol.

Outgoing (Trigger) Port Range
Specify the port number or range of port numbers that will trigger this rule when a connection request from outgoing traffic is made. If the outgoing connection uses only one port, then specify the same port number in the Start Port and To Port fields.

Incoming (Response) Port Range
Specify the port number or range of port numbers used by the remote system to respond to the request it receives. If the incoming connection uses only one port, then specify the same port number in the Start Port and To Port fields.

Click Save Settings to save the settings.

Click Don't Save Settings to revert to previous settings.

Application Rules Status:
LAN / DMZ IP address:
The internal network IP address that triggered the application rule to be active, and resulted in response ports being opened.

Open Ports: The incoming response ports that have been opened through this firewall based on the internal device's request.

Time Remaining (sec): The remaining time, in seconds, for which the open ports will allow external traffic. This time is reset whenever traffic is sent from the LAN / DMZ out on the trigger ports.

Click Refresh to update this status page.
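
The port triggering behaviour described in this section, modelled as a small state table. This is an added illustration, not the router's firmware: the 600-second timeout, the 192.168.10.x addresses and the rule that open ports stay with the first requesting host until the timeout are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]  # (start port, end port), inclusive


@dataclass(frozen=True)
class TriggerRule:
    name: str
    protocol: str          # "TCP" or "UDP"
    outgoing: PortRange    # Outgoing (Trigger) Port Range
    incoming: PortRange    # Incoming (Response) Port Range
    enabled: bool = True


@dataclass
class Binding:
    lan_ip: str            # "LAN / DMZ IP address" on the status page
    expires_at: float      # basis for "Time Remaining (sec)"


def in_range(port: int, rng: PortRange) -> bool:
    return rng[0] <= port <= rng[1]


class PortTriggerTable:
    def __init__(self, rules: List[TriggerRule], timeout: float = 600):
        # ASSUMPTION: 600 s is a constructed value; the page only says
        # "a timeout interval".
        self.rules = [r for r in rules if r.enabled]
        self.timeout = timeout
        self.bindings: Dict[str, Binding] = {}  # rule name -> active binding

    def _expire(self, now: float) -> None:
        for name in [n for n, b in self.bindings.items() if b.expires_at <= now]:
            del self.bindings[name]  # ports close and become free for other hosts

    def outbound(self, lan_ip: str, protocol: str, dst_port: int, now: float) -> List[str]:
        """A LAN/DMZ host sends traffic; returns names of the rules it now holds."""
        self._expire(now)
        held = []
        for rule in self.rules:
            if rule.protocol != protocol or not in_range(dst_port, rule.outgoing):
                continue
            current = self.bindings.get(rule.name)
            if current is not None and current.lan_ip != lan_ip:
                continue  # ASSUMPTION: ports stay with the first requester
            # New trigger, or traffic on the trigger ports resets the timer.
            self.bindings[rule.name] = Binding(lan_ip, now + self.timeout)
            held.append(rule.name)
        return held

    def inbound(self, protocol: str, dst_port: int, now: float) -> Optional[str]:
        """A WAN packet arrives; returns the LAN IP to forward to, or None (discard)."""
        self._expire(now)
        for rule in self.rules:
            binding = self.bindings.get(rule.name)
            if binding and rule.protocol == protocol and in_range(dst_port, rule.incoming):
                return binding.lan_ip
        return None

    def status(self, now: float) -> List[Tuple[str, PortRange, int]]:
        """Rows of the status page: (LAN/DMZ IP, open ports, seconds remaining)."""
        self._expire(now)
        rules = {r.name: r for r in self.rules}
        return [(b.lan_ip, rules[n].incoming, int(b.expires_at - now))
                for n, b in self.bindings.items()]


def irc_ident_demo() -> dict:
    """The IRC/IDENT case from the text, with constructed addresses and times."""
    table = PortTriggerTable([TriggerRule("irc-ident", "TCP", (6660, 7000), (113, 113))])
    out = {"before_trigger": table.inbound("TCP", 113, now=0)}   # no binding: discarded
    table.outbound("192.168.10.50", "TCP", 6667, now=10)         # IRC client connects
    out["ident_forwarded_to"] = table.inbound("TCP", 113, now=12)
    out["second_host"] = table.outbound("192.168.10.51", "TCP", 6667, now=20)
    table.outbound("192.168.10.50", "TCP", 6667, now=300)        # timer is reset
    out["status_at_400"] = table.status(now=400)
    out["after_timeout"] = table.inbound("TCP", 113, now=901)
    return out


if __name__ == "__main__":
    for key, value in irc_ident_demo().items():
        print(f"{key}: {value}")
```

While a binding is active, the response port accepts traffic from any remote address, so keep the incoming range as narrow as the application allows.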

 
Website Filter
Content Filtering:
Content Filtering Configuration

Check the box to Enable Content Filtering in order to support URL filtering and keyword blocking. The default is to have this feature disabled.

Web Components
Certain commonly used web components can be blocked for increased security. Some of these components can be used by malicious websites to infect computers that access them. With content filtering enabled, select the checkbox next to the component you wish to block:

Proxy: A proxy server (or simply, proxy) allows computers to route connections to other computers through the proxy, thus circumventing certain firewall rules. For example, if connections to a specific IP address are blocked by a firewall rule, the requests can be routed through a proxy that is not blocked by the rule, rendering the restriction ineffective. Enabling this feature blocks proxy servers.

Java: Blocks java applets from being downloaded from pages that contain them. Java applets are small programs embedded in web pages that enable dynamic functionality of the page. A malicious applet can be used to compromise or infect computers. Enabling this setting blocks Java applets from being downloaded.

ActiveX: Similar to Java applets, ActiveX controls are installed on a Windows computer while running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX applets from being downloaded.

Cookies: Cookies are used to store session information by websites that usually require login. However, several websites use cookies to store tracking information and browsing habits. Enabling this option filters out cookies from being created by a website.

Note: Many websites require that cookies be accepted in order for the site to be accessed properly. Blocking cookies may cause many websites to not function properly.

Click Save Settings to save the settings.

Click Don't Save Settings to revert to previous settings.

Approved URLs:
Example: If yahoo is added to the blocked keywords list and www.yahoo.com is added to the trusted domain list, then www.yahoo.com will be allowed but mail.yahoo.com will not be allowed.

Approved URL List

Trusted Domains: This is the URL or domain name for which content filtering is bypassed.

The actions that can be taken on domains are:

(Check Box at First Column Header): Selects all the domains in the table.

Edit: The Edit button will link to the approved URL configuration page, allowing you to make changes to the selected domain.

Delete: Deletes the selected approved URL(s).

Add: Clicking this button will link to the approved URL configuration page.

Approved URL Config:
Names entered in the trusted domain list bypass keyword filtering. Example: If yahoo is added to the blocked keywords list and www.yahoo.com is added to the trusted domain list, then www.yahoo.com will be allowed but mail.yahoo.com will not be allowed.

URL: Enter the domain name for which content filtering needs to be bypassed.

Click Save Settings to save the settings.

Click Don't Save Settings to revert to previous settings.

Blocked Keywords
Blocked Keywords: The table lists all the Blocked Keywords and allows several operations on the keywords. Up to 64 keywords can be added to the list.

Status: The status of the rule can be enabled or disabled.

Blocked Keyword: The keyword or URL to be blocked. All website names (web site URL, newsgroup name, etc.) or pages that contain the specified word (Keyword) will be blocked by the router.

The actions that can be taken on keywords are:

(Check Box At First Column Header): Selects all the keywords in the Blocked URLs table.

Edit: Opens the blocked keyword configuration page.

Enable: Enables the selected keywords in the block list.

Disable: Disables the selected keywords in the block list.

Delete: Deletes the selected keyword or keywords from the block list.

Add: Opens the blocked keyword configuration page to add a new rule.

Blocked Keywords Config:
Example: If yahoo is added to the list, any website containing the word yahoo in its URL or page contents will be blocked.

Keyword: All website names (web site URL, newsgroup name, etc.) or pages that contain the specified word (keyword) will be blocked by the router. A single keyword can be up to 63 characters in length.

Click Save Settings to save the settings.

Click Don't Save Settings to revert to previous settings.
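
The interaction between trusted domains and blocked keywords described above, as an added model that is not the router's own code. It assumes the trusted domain match is on the exact host name (which the www.yahoo.com / mail.yahoo.com example implies) and that keyword matching is a case-insensitive substring test; news.example is a constructed host.

```python
from urllib.parse import urlsplit

MAX_KEYWORDS = 64      # page: "Up to 64 keywords can be added to the list"
MAX_KEYWORD_LEN = 63   # page: "A single keyword can be up to 63 characters"


class ContentFilter:
    def __init__(self, enabled: bool = False):
        self.enabled = enabled          # page: the feature is disabled by default
        self.trusted_domains = set()    # Approved URL list
        self.keywords = {}              # keyword -> Status (True = enabled)

    def add_trusted_domain(self, domain: str) -> None:
        self.trusted_domains.add(domain.strip().lower())

    def add_keyword(self, keyword: str, enabled: bool = True) -> None:
        keyword = keyword.strip().lower()
        if not 1 <= len(keyword) <= MAX_KEYWORD_LEN:
            raise ValueError("keyword must be 1 to 63 characters long")
        if keyword not in self.keywords and len(self.keywords) >= MAX_KEYWORDS:
            raise ValueError("blocked keyword list already holds 64 entries")
        self.keywords[keyword] = enabled

    def decide(self, url: str, page_text: str = ""):
        """Return (verdict, reason) for one requested URL and its page contents."""
        if not self.enabled:
            return ("allow", "content filtering disabled")
        host = (urlsplit(url).hostname or "").lower()
        # Trusted domains are checked first and bypass keyword filtering.
        # ASSUMPTION: exact host name match, as the page's example implies.
        if host in self.trusted_domains:
            return ("allow", f"trusted domain {host}")
        # ASSUMPTION: case-insensitive substring match on URL and page contents.
        targets = (("URL", url.lower()), ("page contents", page_text.lower()))
        for keyword, active in self.keywords.items():
            if not active:
                continue  # disabled keywords stay in the list but do not block
            for where, text in targets:
                if keyword in text:
                    return ("block", f"keyword '{keyword}' found in {where}")
        return ("allow", "no blocked keyword matched")

    def audit(self, required_urls):
        """List the URLs users need that the current lists would block, with the reason."""
        results = [(url, self.decide(url)) for url in required_urls]
        return [(url, reason) for url, (verdict, reason) in results if verdict == "block"]


def yahoo_demo() -> dict:
    """The yahoo example from the text plus constructed pages on news.example."""
    f = ContentFilter(enabled=True)
    f.add_keyword("yahoo")
    f.add_trusted_domain("www.yahoo.com")
    return {
        "www": f.decide("http://www.yahoo.com/")[0],
        "mail": f.decide("http://mail.yahoo.com/inbox")[0],
        "mention": f.decide("http://news.example/story", "Shares of Yahoo rose today")[0],
        "unrelated": f.decide("http://news.example/weather", "Rain expected")[0],
        "audit": f.audit(["http://www.yahoo.com/", "http://finance.yahoo.com/"]),
    }


if __name__ == "__main__":
    for key, value in yahoo_demo().items():
        print(f"{key}: {value}")
```

The "mention" case shows the over-blocking a short keyword causes: any page whose contents contain the word is blocked, so run the intended keyword list through `audit` with the sites users need before enabling it.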

 
Firewall Settings
Default Outbound Policy:
This configuration field determines whether LAN or DMZ users can access the internet in the absence of specific allowed outbound rules. To permit any outbound traffic to pass through the firewall and reach the WAN, use Allow Always as the default outbound policy.

To closely manage outbound traffic, use Block Always as the default outbound policy. In this case, the router admin will need to configure firewall and application rules in order to permit outbound traffic from LAN and DMZ addresses.

Click Save Settings to save the settings.

Click Don't Save Settings to revert to previous settings.

Firewall Rules:
List of Available Firewall Rules
The List of Available Firewall Rules table includes all firewall rules for this device and allows several operations on the firewall rules.

Status: The status of the rule can be Enabled (active) or Disabled (configured but not in use).

From Zone: The source of the traffic that is controlled by this firewall rule: LAN, WAN, or DMZ.

To Zone: The destination of the traffic that is controlled by this firewall rule: Secure or Public.

Service: The service that is controlled by this firewall rule. The name usually indicates the type of traffic the rule covers such as FTP, SSH, telnet, ping, etc. Services not already in the list can be added as a Custom Service.

Action: The action to be taken on the enabled rule:

Block Always: Block selected service at all times.
Enable Always: Allow data matching the selected service to pass through at all times.
Block by schedule, otherwise allow: Works in conjunction with a predefined schedule. The selected service will be blocked during the schedule interval and will be allowed to pass through at other times.
Allow by schedule, otherwise block: Works in conjunction with a predefined schedule. The selected service will be allowed to pass through during the schedule interval and will be blocked at other times.

Source Hosts: The hosts that originate the traffic for this firewall rule: Any, Single, Range.

Destination Hosts: The hosts that receive the traffic for this firewall rule: Any, Single, Range.

Local Server: An IP address and port number of a machine on the secure zone (LAN) which is hosting the server. It is displayed in the form: <IP address:port number>.

For example, if a machine with an IP address of 192.168.1.100 on the LAN side is running a telnet server on port 2000, then the table will display 192.168.10.100:2000. If the telnet server is running on the default port (port 23), then the table will display only the IP address.

Internet Destination: The WAN port that is the destination for the traffic.

The actions that can be taken on firewall rules are:

(Check Box At First Column Header): Selects all the firewall rules in the table.

Edit: Opens the Firewall Rule Configuration page to edit the selected rule.

Enable: Enables the selected firewall rules.

Disable: Disables the selected firewall rules.

Delete: Deletes the selected firewall rule(s).

Add: Opens the Firewall Rule Configuration page to add a new rule.

Firewall Rules Configuration:
From Zone:
Set the source for the traffic that is controlled by this rule: Secure (LAN), Insecure (WAN1/WAN2), or DMZ.

To Zone: Set the destination for traffic that is controlled by this rule: Insecure or Public.

Service: Choose the type of service that is controlled by this firewall rule. Common services are included in the drop-down list. You can add additional services on the Firewall > Services page.

Action: Choose the action to be taken:

Block Always: Block the selected service at all times.
Enable Always: Allow the selected service to pass through at all times.
Block by schedule, otherwise allow: Works in conjunction with a schedule defined on the Schedule Configuration page. The selected service will be blocked during the scheduled interval and will be allowed to pass through at other times.
Allow by schedule, otherwise block: Works in conjunction with a schedule defined on the Schedule Configuration page. The selected service will be allowed to pass through during the scheduled interval and will be blocked at other times.

Select Schedule: Choose a predefined schedule from the drop-down list.

Source Hosts: Select one of the following:

Any: Choose this option for a rule that applies to traffic from all hosts.
Single Address: Choose this option for a rule that applies to traffic from one host. Enter the IP address of the host in the From box.
Address Range: Choose this option for a rule that applies to traffic from a group of computers/devices within an IP address range. To specify the range, enter the first address in the From box, and enter the final address in the To box.

Destination Hosts: Select one of the following:
Any: Choose this option for a rule that applies to traffic destined for all hosts.
Single Address: Choose this option for a rule that applies to traffic destined for one host. Enter the IP address of the host in the From box.
Address Range: Choose this option for a rule that applies to traffic destined for a group of computers/devices within an IP address range. To specify the range, enter the first address in the From box, and enter the final address in the To box.

Log: Specify whether or not the packets for this rule should be logged. To log details for all packets that match this rule, select Always. Select Never to disable logging.
 
For example, if an outbound rule for a schedule is selected as Block Always, then for every packet that tries to make an outbound connection for that service, a message with the packet's source address and destination address (and other information) will be recorded in the log. Enabling logging may generate a significant volume of log messages and is recommended for debugging purposes only.

QoS Priority: Assign a priority to IP packets of this service. The priorities are defined by "Type of Service (TOS) in the Internet Protocol Suite" standards, RFC 1349. The gateway marks the Type Of Service (TOS) field as defined below:

Normal-Service: No special priority is given to the traffic. The IP packets for services with this priority are marked with a TOS value of 0.
Minimize-Cost: Choose this option when data must be transferred over a link that has a lower "cost". The IP packets for services with this priority are marked with a TOS value of 2.
Maximize-Reliability: Choose this option when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a TOS value of 4.
Maximize-Throughput: Choose this option when the volume of data transferred during an interval is important even if the latency over the link is high. The IP packets for services with this priority are marked with a TOS value of 8.
Minimize-Delay: Choose this option when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a TOS value of 16.

Source NAT Settings

These settings are available when the rule manages traffic being allowed from the LAN / DMZ to the WAN. Source Network Address Translation (SNAT) requires rewriting the source or destination IP address of incoming IP packets as they pass through the firewall.

External IP Address: You can choose WAN Interface Address or Single Address.

Single IP Address: If Single Address was selected for the External IP address, define it here.

WAN Interface: Choose one of the available configured WAN interfaces if the SNAT is to be done on all matching traffic coming from that interface.

Destination NAT Settings
These settings are required when the traffic is coming from the WAN to the DMZ or the LAN. Destination Network Address Translation maps a public IP address (your Dedicated WAN address, Optional WAN address, or another address) to an IP address on your private network.

Internal IP Address: Specify an IP address of a machine on the Local Network which is hosting the server.

Enable Port Forwarding: Check this box to enable port forwarding to the port that you specify in the Translate Port Number field.

Translate Port Number: Enter the port number to use for port forwarding. For example, if a machine on the Local Network side is running a telnet server on port 2000, then check the Enable Port Forwarding box and type 2000 in the Translate Port Number field. If the server is listening on the default port 23, then the box can be left unchecked.

External IP Address: Select the internet destination IP address that is used for this firewall rule: Dedicated WAN, Optional WAN, or Other. If you choose Other, enter the IP address in the Other IP Address field.

Other IP Address: Enter the WAN IP address that will map to the internal server.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Custom Services:
List of Available Custom Services
Name: Name of the service for identification and management purposes.

Type: The layer 4 Protocol that the service uses: TCP, UDP or ICMP.

ICMP Type/Port Range: ICMP Type field is enabled when the layer 3 protocol (in the Type field) is selected as ICMP or ICMPv6. The ICMP type is a numeric value that can range between 0 and 40, while for ICMPv6 the type ranges from 0 to 255. Port Range is the first TCP or UDP port of a range the service uses.

The actions that can be taken on custom services are:

(Check Box At First Column Header): Selects all the custom services in the table.

Edit: Opens the Custom Services Configuration page, to edit the selected custom Service.

Delete: Deletes the selected custom service or custom services.

Add: Opens the Custom Service Configuration page to add a new service.

Custom Services Config:
Created services are available as options for firewall rule configuration.

Name: Name of the service for identification and management purposes.

Type: The layer 3 Protocol that the service uses. Can be TCP, UDP or ICMP.

ICMP Type: This field is enabled when the layer 3 protocol (in the Type field) is selected as ICMP. The ICMP type is a numeric value that can range between 0 and 40. For a list of ICMP types, visit the following URL: http://www.iana.org/assignments/icmp-parameters.

Start Port: The first TCP or UDP port of a range that the service uses. If the service uses only one port, then the Start Port will be the same as the Finish Port.

Finish Port: The last port in the range that the service uses. If the service uses only one port, then the Finish Port will be the same as the Start Port.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

ALGs:
Enable ALGs
This router supports kernel level ALGs for the following protocols:

PPTP: Allows multiple machines on the LAN to connect to their corporate networks using PPTP protocol. When the PPTP ALG is enabled, LAN computers can establish PPTP VPN connections either with the same or with different VPN servers. When the PPTP ALG is disabled, the router allows VPN operation in a restricted way -- LAN computers are typically able to establish VPN tunnels to different VPN Internet servers but not to the same server. The advantage of disabling the PPTP ALG is to increase VPN performance. Enabling the PPTP ALG also allows incoming VPN connections to a LAN side VPN server.

IPSec: Allows multiple VPN clients to connect to their corporate networks using IPSec. Some VPN clients support traversal of IPSec through NAT. This option may interfere with the operation of such VPN clients. If you are having trouble connecting with your corporate network, try disabling this option.

Check with the system administrator of your corporate network whether your VPN client supports NAT traversal. Note that L2TP VPN connections typically use IPSec to secure the connection. To achieve multiple VPN pass-through in this case, the IPSec ALG must be enabled.

RTSP: Allows applications that use Real Time Streaming Protocol to receive streaming media from the internet. QuickTime and Real Player are some of the common applications using this protocol.

SIP: Allows devices and applications using VoIP (Voice over IP) to communicate across NAT. Some VoIP applications and devices have the ability to discover NAT devices and work around them. This ALG may interfere with the operation of such devices. If you are having trouble making VoIP calls, try turning this ALG off.

H.323: Allows H.323 (specifically Microsoft Netmeeting) clients to communicate across NAT. Note that if you want your buddies to call you, you should also set up a virtual server for NetMeeting.

SMTP: Allows inbound mail services that use SMTP to be mapped appropriately across NAT.

DNS: Allows NAT-PT (Network Address Translation/Protocol Translation) implementations to meet DNS address mapping requirements.

TFTP: Allows Trivial FTP (TFTP) clients and servers to transfer data across NAT.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

VPN Passthrough:
Choose one or more of the following to enable pass through for the device.

IPSec: Enable this to allow IPsec tunnels to pass through the router.

PPTP: Enable this to allow PPTP tunnels to pass through the router. To make this work, also enable the PPTP ALG.

L2TP: Enable this to allow L2TP tunnels to pass through the router.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

 
Wireless Setting
Advanced Wireless:
Typically default settings on this page are appropriate for most wireless applications.

Advanced Wireless Configuration
Beacon Interval: Enter the time in milliseconds between beacon transmissions. The default interval is 100 milliseconds.

DTIM Interval: Enter the interval at which the delivery traffic indication message should be sent. This setting is related to the beacon interval. The default interval is 2 beacon intervals.

RTS Threshold: The Request to Send (RTS) threshold is the packet size in bytes that requires the AP to check the transmitting frames to determine if RTS/Clear to Send (CTS) handshake is required with the receiving client. Using a small value causes RTS packets to be sent more often, consuming more of the available bandwidth, therefore reducing the apparent throughput of the network packets. The default value is 2346, which effectively disables RTS.

Fragmentation Threshold: This is the maximum length of the frame, in bytes, beyond which packets must be broken up (fragmented) into two or more frames. Collisions occur more often for long frames because while sending them, they occupy the channel for a longer time. The default value is 2346, which effectively disables fragmentation.

Preamble mode: 802.11b requires that a preamble be appended to every frame before it is transmitted through the air. The preamble may be either the traditional "long" preamble, which requires 192 microseconds for transmission, or it may be an optional "short" preamble that requires only 96 microseconds. A long preamble is needed for compatibility with the legacy 802.11 systems operating at 1 and 2 Mbps. The default selection is Long.

Protection Mode: Select the CTS-to-Self Protection option to enable CTS-to-Self protection mechanism, which is used to minimize collisions among stations in a mixed 802.11 b & g environment. The default selection is None.

Power Save Enable: Select this to enable the Unscheduled Automatic Power Save Delivery (also referred to as WMM Power Save) feature that allows the radio to conserve power.

Short Retry Limit / Long Retry Limit: These limits determine the number of times the AP will re-attempt a failed frame transmission. The limit applies to both long and short frames of a size less than or equal to the RTS threshold.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

WPS:
WPS is available for configured and enabled APs that support WPA / WPA2 security. You must have a WPS-supporting 802.11 client to let that client join this AP's network via WPS.

WPS Configuration
Select VAP: Select one of the configured Virtual APs (VAP) from the drop down box on which WPS is to be enabled. Only the SSIDs for AP which are configured with WPA, WPA2 or WPA + WPA2 security modes are available for WPS configuration.

WPS Status: Select Enable from the drop down box to enable WPS for this AP. By default WPS is disabled.

WPS Current Status

Security: The security mode being employed by the AP on which WPS is configured.

Authentication Type: The authentication method being employed by the AP on which the WPS is configured.

Encryption Type: The encryption method being employed by the AP on which the WPS is configured.

WPS Setup Method

Station PIN: To use a PIN to establish the WPA/WPS2 link, enter the PIN (a pre-shared password) that is configured on the WPS clients.

Click Configure via PIN to initiate the WPS session using the PIN (Personal Identification Number) method.

Click Configure via PBC to initiate the WPS session using the PBC (Push button configuration) method. Once this is clicked, press down on the client's push button within 60 seconds to establish the WPS link.

Session Status: Displays messages indicating the current status of a WPS session.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

 
Advanced Network
UPnP:
Do you want to enable UPnP?:
Select yes to enable UPnP support and no to disable it. If disabled, the router will not allow for automatic device configuration.

LAN: If desired, UPnP can be enabled on the entire LAN segment or specific configured VLAN groups. Available VLANs will be displayed in the menu along with the LAN interface.

Advertisement Period: This is the period (in seconds) of how often this wireless gateway will broadcast its UPnP information to all devices within range.

Advertisement Time to Live: This is expressed in hops for each UPnP packet. This is the number of steps a packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range.

UPnP Portmap Table

The UPnP Portmap Table shows IP addresses and other settings of UPnP devices that have accessed this wireless gateway.

Active: A yes/no indicating whether the port of the UPnP device that established a connection is currently active.

Protocol: The network protocol (e.g. HTTP, FTP, etc.) that the device is using to connect to this wireless gateway.

Int. Port (Internal Port): Which, if any, internal ports are opened by the UPnP device.

Ext. Port (External Port): Which, if any, external ports are opened by the UPnP device.

IP Address: The IP address of the UPnP device that is accessing this gateway.

Click Refresh to refresh the portmap table and search for any new UPnP devices.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

WAN Port Setup:
WANs Ping:

Respond to Ping: To configure the router to respond to an ICMP Echo (ping) packet coming in from the WAN side, check this box. This setting is usually used as a diagnostic tool for connectivity problems. It is recommended that the option be disabled at other times to prevent hackers from easily discovering the router via a ping.

Note: When using NAT routing mode, a firewall rule that directs ping requests to a particular computer on the LAN will override this option.

WAN1/WAN2 Port Setup
MTU Type: Select either Default or Custom. If Custom is selected, then enter the MTU Size.

MTU Size: The MTU (Maximum Transmit Unit) is the size of the largest packet that can be sent over the network. The standard MTU value for Ethernet networks is usually 1500 Bytes and for PPPoE connections, it is 1492 Bytes. Unless a change is required by your ISP, it is recommended that the MTU values be left as is.

Port Speed: The Ethernet port speed can be manually set or specified depending on your WAN requirements.

Auto Sense: Select this to let the gateway and network determine the optimal port settings.
Duplex: Choose between Half Duplex and Full Duplex based on the port support. The default is Full Duplex for all ports.
Speed: One of three port speeds can be selected: 10 Mbps, 100 Mbps and 1000 Mbps (i.e. 1 Gbps).

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

IGMP Setup:
Active IGMP snooping is referred to as IGMP proxy. When in use, IGMP packets through the LAN are filtered in order to reduce the amount of multicast traffic in the network.

Enable IGMP Proxy: Check this to enable IGMP proxy on this LAN.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

IPS:
Intrusion Detection/Prevention Enable

This gateway has an intrusion detection system (IDS) that allows you to detect, log, and block malicious attacks that can potentially impact security and usability of the device. This is a passive detection tool used to log and alert the user of potential threats. This page has the basic configuration settings used to enable IDS.

Enable Intrusion Detection: Select to allow intrusion events to be detected and logged. Each incoming packet to the gateway is reviewed for potential malicious attacks, based on the settings configured in this page.

Enable Intrusion Prevention: Select to allow the device's intrusion prevention system to monitor inline traffic from the WAN. This can affect system performance.

IPS Checks Active Between

LAN and WAN: select this to enable IPS between the secure LAN and public WAN.

DMZ and WAN: select this to enable IPS between the secure DMZ and public WAN.

IPS Status
Number of Signatures Loaded: This is a static number of intrusion signatures that are stored in the router and are used for detecting IPS events.

 
Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Attack Checks:
WAN Security Checks


Enable Stealth Mode: If Stealth Mode is enabled, the router will not respond to port scans from the WAN. This makes it less susceptible to discovery and attacks.

Block TCP Flood: If this option is enabled, the router will drop all invalid TCP packets and be protected from a SYN flood attack.

LAN Security Checks
Block UDP Flood: If this option is enabled, the router will not accept more than 20 simultaneous, active UDP connections from a single computer on the LAN.

ICSA Settings
Block ICMP Notification: selecting this prevents ICMP packets from being identified as such. ICMP packets, if identified, can be captured and used in a Ping (ICMP) flood DoS attack.

Block Fragmented Packets: selecting this option drops any fragmented packets through or to the gateway.

Block Multicast Packets: selecting this option drops multicast packets, which could indicate a spoof attack, through or to the gateway.

DoS Attacks

SYN Flood Detect Rate (max/sec): The rate at which the SYN Flood can be detected.

Echo Storm (ping pkts/sec): The number of ping packets per second at which the router detects an Echo storm attack from the WAN and prevents further ping traffic from that external address.

ICMP Flood (ICMP pkts/sec): The number of ICMP packets per second at which the router detects an ICMP flood attack from the WAN and prevents further ICMP traffic from that external address.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.
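
The per-source thresholds on this page (Echo Storm, ICMP Flood, Block UDP Flood), modelled as an added example that is not the router's implementation. The threshold values of 10 and 100 packets per second, the sample addresses and packets, the choice to drop the packet that reaches the threshold, and keeping a source blocked indefinitely are assumptions; the page gives no release time.

```python
from collections import defaultdict

UDP_CONN_LIMIT = 20     # page: at most 20 simultaneous UDP connections per LAN computer
ICMP_ECHO_REQUEST = 8   # ICMP type of a ping request


class AttackChecks:
    def __init__(self, echo_storm_pps: int, icmp_flood_pps: int):
        self.limits = {"echo": echo_storm_pps, "icmp": icmp_flood_pps}
        self.window = {}                    # (check, src) -> [whole second, packet count]
        self.blocked = {}                   # (check, src) -> time of detection
        self.udp_flows = defaultdict(set)   # LAN host -> active (dst ip, dst port) flows

    def wan_icmp(self, ts: float, src: str, icmp_type: int) -> str:
        """Return 'accept' or 'drop' for one ICMP packet arriving from the WAN."""
        # Every ICMP packet counts towards the ICMP flood rate; echo requests
        # also count towards the echo storm rate.
        checks = ["icmp"] + (["echo"] if icmp_type == ICMP_ECHO_REQUEST else [])
        if any((check, src) in self.blocked for check in checks):
            return "drop"  # further traffic of this kind from the address is refused
        verdict = "accept"
        for check in checks:
            slot = self.window.setdefault((check, src), [int(ts), 0])
            if slot[0] != int(ts):          # a new one-second window started
                slot[0], slot[1] = int(ts), 0
            slot[1] += 1
            if slot[1] >= self.limits[check]:
                self.blocked[(check, src)] = ts
                verdict = "drop"            # ASSUMPTION: the triggering packet is dropped
        return verdict

    def lan_udp_open(self, host: str, dst_ip: str, dst_port: int) -> bool:
        """True if the LAN host may open (or already holds) this UDP flow."""
        flows = self.udp_flows[host]
        flow = (dst_ip, dst_port)
        if flow in flows:
            return True
        if len(flows) >= UDP_CONN_LIMIT:
            return False
        flows.add(flow)
        return True

    def lan_udp_close(self, host: str, dst_ip: str, dst_port: int) -> None:
        self.udp_flows[host].discard((dst_ip, dst_port))


def attack_demo() -> dict:
    """Constructed traffic: one noisy WAN source, one quiet one, one busy LAN host."""
    checks = AttackChecks(echo_storm_pps=10, icmp_flood_pps=100)
    noisy, quiet, lan_host = "203.0.113.7", "198.51.100.4", "192.168.10.50"
    out = {
        # 12 pings inside the same second from the noisy source
        "storm_source": [checks.wan_icmp(100 + i * 0.05, noisy, 8) for i in range(12)],
        "quiet_source": [checks.wan_icmp(100 + i * 0.2, quiet, 8) for i in range(3)],
        "storm_later_ping": checks.wan_icmp(105.0, noisy, 8),
        "storm_later_other_icmp": checks.wan_icmp(105.0, noisy, 3),
    }
    opened = [checks.lan_udp_open(lan_host, "192.0.2.10", 5000 + i) for i in range(25)]
    out["udp_accepted"] = sum(opened)
    checks.lan_udp_close(lan_host, "192.0.2.10", 5000)
    out["udp_after_close"] = checks.lan_udp_open(lan_host, "192.0.2.10", 6000)
    return out


if __name__ == "__main__":
    for key, value in attack_demo().items():
        print(f"{key}: {value}")
```

An echo storm block stops only pings from that address; other ICMP types from it are still accepted until the ICMP flood rate is reached.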

Band Width Profiles:
Example: When a new connection is established via the device, the device will locate the firewall rule corresponding to the connection. If the rule has a bandwidth profile specification, then the device will create a bandwidth class in the kernel. If multiple connections correspond to the same firewall rule, they will share the same class. The exception is an individual type bandwidth profile, for which the classes are per source IP. The "source IP" is the source IP of the first packet of the connection, so for outbound rules the source IP will be the LAN-side IP and for inbound rules it will be the WAN-side IP. The class is deleted when all the connections using it expire.

Select the box to Enable Bandwidth Profiles in order to proceed with configuration.

List of Bandwidth Profiles
The table lists the Bandwidth Profiles for this device and allows several operations on the Bandwidth Profiles.

Name: Displays the user-defined name for this bandwidth profile.

Bandwidth Range/Priority: Displays the range for bandwidth profile.

The actions that can be taken on bandwidth profiles are:

(Check Box At First Column Header): Selects all the bandwidth profiles in the table.

Edit: The Edit button will link to the bandwidth profiles configuration page, allowing you to make changes to the selected bandwidth profile.

Delete: Deletes the selected bandwidth profile or profiles.

Add: Clicking this button will link to the bandwidth profiles configuration page.

Band Width Profiles Config:
Name:
Specify a unique name for the profile.

Profile Type: Determine the profile type as either priority or rate.

Priority: Choose from Low, Medium or High if the profile type is priority

Minimum Bandwidth Rate: Specify the minimum bandwidth rate in Kbps if the profile type is rate

Maximum Bandwidth Rate: Specify the maximum bandwidth rate in Kbps if the profile type is rate

WAN Interface: Indicate which of the available interfaces will be associated with this profile.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Traffic Selectors:
Service:
Indicates the service associated with this traffic selector.

Traffic Selector Type: Displays the type of traffic selector selected.

Bandwidth Profile Name: Displays the name of the bandwidth profile associated with the Traffic Selector.

The actions that can be taken on Traffic Selectors are:

(Check Box At First Column Header): Selects all the Traffic Selectors in the table.

Edit: The Edit button will link to the Traffic Selector Configuration page, allowing you to make changes to the selected Traffic Selector.

Delete: Deletes the selected Traffic Selector or Traffic Selectors.

Add: Clicking this button will link to the Traffic Selector Configuration page.

Traffic Selector Config:
Available Profiles:
Select one of the previously configured bandwidth profiles to associate with this traffic selector.

Service: Select one of the services from the defined services, or to have this traffic selector apply to all traffic choose ANY.

Traffic Selector Match Type: The match type can be one of the following:

IP Address: Select this option to associate this traffic selector with the IP address of a LAN device. Once selected, enter the IP address of the LAN device.
MAC Address: Select this option to associate this traffic selector with a specific MAC address on the LAN. Once selected, enter a valid MAC Address.
Port Number: If this option is selected, then enter the LAN port number (1 through 4).
VLAN: Select this option to associate this traffic selector with a specific VLAN. If this option is selected, then select one of the configured Port Name identifiers.
BSSID: Select this option to associate the traffic selector to a configured AP, and then choose the AP from the Available BSSIDs list.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

 
Routing
Static Routing:
Name:
Name of the route, for identification and management purposes.

Destination: Destination host or network the route leads to.

Subnet Mask: subnet mask of the destination IP address.

Gateway: IP Address of the gateway through which the destination host or network can be reached.

Interface: The physical network interface (dedicated WAN, secondary WAN, DMZ or LAN), through which this route is accessible.

Metric: Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is chosen.

Active: Determines whether the route is active or inactive. A route can be added to the table and made inactive, if not needed. This allows routes to be used as needed without deleting and re-adding the entry. An inactive route is not broadcast if RIP is enabled.
 
Private: Determines whether the route can be shared with other routers when RIP is enabled. If Yes is selected, then the route will not be shared in a RIP broadcast or multicast. This is only applicable for IPv4 static routes.

The actions that can be taken on static routes are:

(Check Box At First Column Header): Selects all the static routes in the table.

Edit: The Edit button will link to the Route Configuration page, allowing you to make changes to the selected static route.

Delete: Deletes the selected static route or static routes.

Add: Clicking this button will link to the Route Configuration page.

Static Routing Config:
Route Name:
Name of the route, for identification and management purposes.

Active: Defines whether the route will be active or inactive. When a route is added in inactive state, it will be listed in the table, but will not be used by the router. The route can be enabled later. This is useful if the network that the route connects to is not available when you added the route. When the network becomes available, the route can be enabled.

Private: Defines whether the route can be shared with other routers when RIP is enabled. If checked, the route will be marked private, and will not be shared in a RIP broadcast or multicast.

Destination IP Address: Destination host or network the route leads to.

IP Subnet Mask: IPv4 Subnet Mask.

Interface: The physical network interface (dedicated WAN, secondary WAN, DMZ or LAN), through which this route is accessible.

Gateway IP Address: IP Address of the gateway through which the destination host or network can be reached.

Metric: Defines the priority of the route. Please choose a value between 2 and 15. If multiple routes to the same destination exist, the route with the lowest metric is chosen.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Protocol Bindings:
Protocol bindings are used to ensure a defined type of traffic is always sent over one of the two configured WAN interfaces when more than one gateway to the internet is available.

Status: A protocol binding can be disabled if not in use and enabled when needed. The protocol binding is disabled if the status light is grey and it is enabled if the status light is green. Disabling a protocol binding does not delete the configuration.

Service: One of the various services available for protocol binding is displayed.

Local Gateway: The port that sets the local gateway for this protocol binding (either dedicated WAN or configurable port WAN).

Source Network: The source network for a protocol binding can be one of the following: Any, Single Address, Address Range or a Group Name defined for this device.

Destination Network: The destination network for a protocol binding can be one of the following: Any, Single Address, Address Range or a Group Name defined for this device.

The actions that can be taken on protocol bindings are:

(Check Box At First Column Header):  Selects all the protocol bindings in the table.

Edit:
The Edit button will link to the Protocol Binding Configuration page, allowing you to make changes to the selected protocol binding.

Enable: Enables the selected protocol bindings

Disable: Stops the selected protocol bindings

Delete: Deletes the selected protocol binding(s).

Add: Clicking this button will link to the Protocol Binding Configuration page.

Protocol Binding Config:
Service:
Select one of the various services available for protocol binding

Local Gateway: select the port that sets the local gateway for this protocol binding (either dedicated WAN or configurable port WAN)

Source Network: Select one of the following:

Any: No specific network needs to be given.

Single Address:
Limit to one computer. Requires the IP address of the computer that will be part of the source network for this protocol binding

Address Range:
Select if you want to allow computers within an IP address range to be a part of the source network. Requires Start address and End address

Start Address:
IP address from where the range needs to begin, or the single address if that is the source network selected.

End Address:
IP address where the range needs to end

Destination Network: Select one of the following:

Any:
No specific network needs to be given.

Single Address:
Limit to one computer. Requires the IP address of the computer that will be part of the destination network for this protocol binding

Address Range:
Select if you want to allow computers within an IP address range to be a part of the destination network. Requires Start address and End address

Start Address:
IP address from where the range needs to begin, or the single address if that is the destination network selected.

End Address:
IP address where the range needs to end

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

 
Certificate
Certificate:
Trusted Certificates (CA Certificate)

Trusted Certificates or CA certificates are used to verify the validity of certificates signed by them. When a certificate is generated, it is signed by a trusted organization or authority called the Certificate Authority. The table contains the certificates of each CA.
When a remote VPN gateway or client presents a digital certificate, the authentication process verifies that the presented certificate is issued by one of the trusted authorities. The Trusted CA certificates are used in this authentication process.

The following data is displayed for each certificate entry in the table:

CA Identity (Subject Name): The organization or person to whom the certificate is issued.

Issuer Name: The name of the CA that issued the certificate.

Expiry Time: The date after which the certificate becomes invalid.

(Check Box At First Column Header): Select all the certificates in the table.

Upload: New certificates can be uploaded to the router with the Upload Trusted Certificate option.

Delete: Purge the selected certificate or certificates.

Active Self Certificates

This table lists the certificates issued to you by trusted Certification Authorities (CAs), and available for presentation to remote IKE servers. The remote IKE server validates this router using these certificates. For each certificate, the following data is displayed:

Name: A unique name used to identify a certificate.

Subject Name: This is the name which other organizations will see as the Certificate Holder (owner). This is usually your registered business or company name.

Serial Number: The serial number is used by the CA to identify the certificate itself in their records.

Issuer Name: The name of the CA which issued the certificate.

Expiry Time: The date on which the Certificate expires. You should renew the certificate before it expires.

(Check Box At First Column Header): Select all the certificates in the table.

Upload: New certificates can be uploaded to the router with the Upload Active Self Certificate option.

Delete: Purge the selected certificate or certificates.

Self Certificate Requests

The Self Certificate Requests table displays a list of all the certificate requests made.

Name: A unique name used to identify a certificate.

Status: Will indicate if the self certificate is uploaded or not uploaded to this router.

Action: Click View to view details of the request and copy the contents as required.

(Check Box At First Column Header): Select all the certificates in the table.

New Self Certificate: This button links to the Generate Self Certificate Request configuration page.

Delete: Purge the selected certificate or certificates.

Upload Trusted Certificates:
This router can upload a trusted certificate from a location on the host used to manage the router. Click on Choose File and select the certificate file located on your computer. Click Upload to store the certificate on the router, and once loaded it will appear in the list of Trusted Certificates (CA Certificates).

View Certificate Request Data:
Certificate Details:
The details of the Self Certificate are shown, such as the System Name, Hash Algorithm, Signature Algorithm, and Key Length.

Data to supply to CA: This is the encrypted data generated by the certificate request that should be sent to the CA or Trusted authority for signing. Copy the contents of the Data to supply to CA text box and save it in a file. Follow the instructions of the CA to complete the certificate signing process.
 

Generate Self Certificate Request:
Name:
This is the identifier used to manage this self certificate request and will appear in the list of Self Certificate Requests.

Subject: This field will populate the CN (Common Name) entry of the generated certificate. Subject names are usually defined in the following format: CN=<device name>, OU=<department>, O=<organization>, L=<city>, ST=<state>, C=<country>. For example: CN=router1, OU=my_company, O=mydept, L=SFO, C=US.

Hash Algorithm: Choose between MD5 and SHA-1 for the hash algorithm used by the certificate.

Signature Key Length: The length of the signature, either 512 or 1024.

As well, the certificate request can contain some optional fields to further customize the certificate request: IP Address, Domain name, E-mail Address.

Click Generate to create a new certificate request. Once created it is added to the Self Certificate Requests table. To view a request, click on the View button next to the appropriate request in this table.

Upload Active Self Certificate Request:
This router can upload an active self certificate from a location on the host used to manage the router. Click on Choose File and select the certificate file located on your computer. Click Upload to store the certificate on the router, and once loaded it will appear in the list of Active Self Certificates.

 
Users
Get UsersDB:
Help content will here......

Domains:
Domain Name:
The domain name is a unique identifier.

Authentication Type: The authentication type for this particular domain can be Local User Database (default), Radius-PAP, Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPv2, NT Domain, Active Directory or LDAP.

Portal Layout Name: The portal layout, configured in the SSL VPN Portal menu, selected for this domain is displayed.

The actions that can be taken on domains are:

Edit: The Edit button will link to the domains configuration page, allowing you to make changes to the selected domain.

(Check Box At First Column Header): Selects all the domains in the table.

Delete: Deletes the selected domain or domains.

Add: Clicking this button will link to the domains configuration page.

Domain Config:
Domain Name:
This is the unique identifier (alphanumeric) of the domain.

Authentication Type: Choose the authentication type for this particular domain. Options are: Local User Database (default), Radius-PAP, Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPv2, NT Domain, Active Directory, LDAP.

Select Portal: Select from the dropdown list of portal layouts. These are configured in the SSL VPN Portal menu. The * indicates the default portal layout.

Authentication Server: If using an authentication type other than the Local User Database, enter the server name used to authenticate the user. Up to 3 authentication servers can be configured; the additional servers are used as backups in case the primary server does not respond.

Timeout: The time in seconds for the router to wait for a response before an authentication attempt with the server is considered failed.

Retries: The number of times the router will retry contacting an authentication server after reaching the timeout limit. After the number of retries is reached, the next authentication server will be used for the authentication attempt. If all three servers have been used without success, the authentication of the user with this domain has failed.

Authentication Secret: Radius authentication (all types: PAP, CHAP, MSCHAP, MSCHAPv2) all require an authentication secret; contact your administrator for this secret if configuring RADIUS authentication for this domain.

Workgroup: The NT domain type of authentication requires the workgroup field; contact your administrator for the workgroup needed to configure NT Domain authentication.

LDAP Base DN: LDAP authentication requires the base domain name; contact your administrator for the Base DN to use LDAP authentication for this domain.

Active Directory Domain: If Active Directory is the chosen authentication type, you must enter the Active Directory domain name in this field. Users that are registered in the Active Directory database can now access the SSL VPN portal by using their Active Directory username and password.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Groups:
Name: The group is the first level grouping to which a user belongs.

Domain: Displays which (if any) of the pre-configured authentication domains are used to authenticate this group.

The actions that can be taken on groups are:

(Check Box At First Column Header): Selects all the groups in the table.

Edit: The Edit button will link to the groups configuration page, allowing you to make changes to the selected group.

Delete: Deletes the selected group or groups.

Add: Clicking this button will link to the groups configuration page.

Groups Config:
Group Name:
This is the unique identifier for the group; it can use any alphanumeric characters.

Domain: Assign a domain from the dropdown list of authentication domains.

Idle Timeout: The default timeout of 5 minutes can be changed for the group here.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Users:
List of Users

User Name: The user name is a unique identifier.

Group: The group is the first level grouping to which the user belongs.

Type: The user type is one among Administrator, SSL VPN User, or IPsec VPN User.

Authentication Domain: Displays which (if any) of the pre-configured authentication domains are used to authenticate this user.

Login Status: The ability of this user to log in to the router's GUI is highlighted here.

The actions that can be taken on users are:

(Check Box At First Column Header): Selects all the users in the table.

Login Policies: The Policies button will link to the Login Policies page, allowing you to add login policies to the selected user.

Policies By Browser: This will link to the Login Policies Browser page, where specific browsers can have management login policies associated to them.

Policies By IP: This will link to the Login Policies IP page, where specific IP addresses can have management login policies associated to them.

Edit: The Edit button will link to the SSL Users page, allowing you to make changes to the selected user.

Delete: Deletes the selected user or users

Add: Clicking this button will link to the SSL Users Page.

Users Config:
User Name:
This is the unique identifier for the user; it can use any alphanumeric characters.

First Name: The user's first name. This is useful when the authentication domain is an external server (i.e. RADIUS).

Last Name: The user's last name. This is useful when the authentication domain is an external server (i.e. RADIUS).

User Type: The user can have credentials of an Administrator, SSL VPN User, or IPsec VPN User.

Select Group: The dropdown list contains configured groups available for the user.

Password: The password must contain alphanumeric or _ characters.

Confirm Password: The password entered in this field must match the one above for the password to be set.

Idle Timeout: This is the session timeout for the user. The default is 5 minutes of no activity.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Login Policies:
User name:
This is the name of the user that can have its login policy edited

Disable Login: Enable to prevent this user from logging in to the device's management interface(s).

Deny Login from WAN interface: Enable to prevent this user from logging in from a WAN (wide area network) interface. In this case only login through LAN is allowed.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Login Policies Browser:
User name:
This is the name of the user that can have its login policy edited

Deny Login from Defined Browsers: The list of defined browsers below will be used to prevent this user from logging in to the router's GUI. All non-defined browsers will be allowed for login for this user.

Allow Login from Defined Browsers: The list of defined browsers below will be used to allow this user to log in to the router's GUI. All non-defined browsers will be denied for login for this user.

Defined Browsers

This list displays the web browsers that have been added to the Defined Browsers list, upon which user login policies can be defined.

(Check Box At First Column Header): Selects all the defined browsers in the table.

Delete: Deletes the selected browser(s).

You can add to the list of Defined Browsers by selecting a client browser from the drop down menu and clicking Add. This browser will then appear in the above list of Defined Browsers.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Login Policies IP:
User Policy by Source IP Address

User Name: The user name is a unique identifier

Deny Login from Defined Addresses: Enable to prevent the user from logging in from any Defined Addresses (displayed in the Defined Addresses table below)

Allow Login only from Defined Addresses: Enable to allow the user to log in only if the user is accessing the device from an IP address/network in the list of Defined Addresses (displayed in the Defined Addresses table below).

Defined Addresses

The list of defined Addresses indicates the type of source address (single address or subnetwork), the specific Network Address or IP address, and mask length if applicable.

(Check Box At First Column Header): Selects all the defined addresses in the table.

Delete: Deletes the selected address(es)

Add: Clicking this button will link to the Defined Address Configuration Page.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Defined Address Config:
Source Address Type:
Select either IP address or IP Network.

Network Address/IP Address: Enter the IP or Network address to add to the Defined Addresses list.

Mask Length: If entering a network address, define the mask length (0-32).

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.
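An added example (not the router's firmware logic) that evaluates the Login Policies and Login Policies IP settings for one user and flags Defined Addresses entries that defeat the restriction. The policy field names, the sample user and addresses, and the assumption that every enabled policy must pass are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


def defined_address(addr_type, address, mask_length=None):
    """Build one Defined Addresses entry as an IPv4Network."""
    if addr_type == "IP Address":
        return ipaddress.IPv4Network(f"{address}/32")
    if addr_type == "IP Network":
        if mask_length is None or not 0 <= mask_length <= 32:
            raise ValueError("Mask Length must be 0-32 for an IP Network")
        # Example's choice: strict=True rejects entries such as 10.0.0.5/24
        # whose host bits are set, which usually signals a typing mistake.
        return ipaddress.IPv4Network(f"{address}/{mask_length}", strict=True)
    raise ValueError(f"unknown Source Address Type: {addr_type!r}")


@dataclass
class LoginPolicy:
    # Hypothetical field names mirroring the options on the help pages.
    user: str
    disable_login: bool = False      # "Disable Login"
    deny_wan: bool = False           # "Deny Login from WAN interface"
    ip_mode: str = "none"            # "none", "deny" or "allow_only"
    defined: list = field(default_factory=list)   # Defined Addresses


def evaluate(policy, source_ip, interface):
    """Return (permitted, reason) for one management login attempt.

    Assumption: every enabled policy must pass (logical AND).
    """
    if policy.disable_login:
        return False, "Disable Login"
    if policy.deny_wan and interface == "WAN":
        return False, "Deny Login from WAN interface"
    src = ipaddress.IPv4Address(source_ip)
    matched = any(src in net for net in policy.defined)
    if policy.ip_mode == "deny" and matched:
        return False, "Deny Login from Defined Addresses"
    if policy.ip_mode == "allow_only" and not matched:
        return False, "Allow Login only from Defined Addresses"
    return True, "permitted"


def audit(policy):
    """Return review findings for entries that make the IP policy meaningless."""
    findings = []
    everything = ipaddress.IPv4Network("0.0.0.0/0")
    if policy.ip_mode == "allow_only" and not policy.defined:
        findings.append("allow-only list is empty: no source address matches")
    if everything in policy.defined:
        if policy.ip_mode == "allow_only":
            findings.append("mask length 0 matches every source: nothing is restricted")
        elif policy.ip_mode == "deny":
            findings.append("mask length 0 matches every source: every login is denied")
    return findings


# Constructed sample policy: admin may log in only from the management subnet
# or one jump host, and never from the WAN side.
ADMIN = LoginPolicy(
    user="admin",
    deny_wan=True,
    ip_mode="allow_only",
    defined=[
        defined_address("IP Network", "192.168.10.0", 24),
        defined_address("IP Address", "192.168.20.5"),
    ],
)

# Constructed login attempts: (source IP, ingress interface).
ATTEMPTS = [
    ("192.168.10.77", "LAN"),
    ("192.168.20.5", "LAN"),
    ("192.168.30.9", "LAN"),
    ("203.0.113.8", "WAN"),
]

if __name__ == "__main__":
    for ip, iface in ATTEMPTS:
        print(ip, iface, evaluate(ADMIN, ip, iface))
    print("audit:", audit(ADMIN) or "no findings")
```
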

 
IP/MAC Binding
IP/MAC BindingList:
If the user has enabled the logging option for IP/MAC Binding, packets that violate a binding will be logged before being dropped. The router displays the total count of dropped packets which violated either IP to MAC Binding or MAC to IP Binding.

Example: If three computers are on the LAN with the following setup:

Host1 -- MAC address (00:01:02:03:04:05) & IP address (192.168.10.10)

Host2 -- MAC address (00:01:02:03:04:06) & IP address (192.168.10.11)

Host3 -- MAC address (00:01:02:03:04:07) & IP address (192.168.10.12)

All the above host entries are added in IP/MAC Binding table. The scenarios for the above hosts are as such:

Host1 -- Matching IP & MAC address in IP/MAC Table.

Host2 -- Matching IP but inconsistent MAC address in IP/MAC Table.

Host3 -- Matching MAC but inconsistent IP address in IP/MAC Table.

The router will block the traffic coming from Host2 & Host3 but allow the traffic coming from Host1 to any external network. Total count of dropped packets will be displayed.
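The Host1/Host2/Host3 scenario above, modelled in Python as an added example (not the router's own code). The observed frames are constructed, and treating hosts that appear nowhere in the table as allowed is an assumption, since this page does not say how they are handled.

```python
import ipaddress
from dataclasses import dataclass, field


def norm_mac(mac):
    """Return a MAC address as lower-case, colon-separated hex."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def norm_ip(ip):
    """Return the canonical text form of an IPv4 address."""
    return str(ipaddress.IPv4Address(ip))


@dataclass(frozen=True)
class Binding:
    name: str
    mac: str
    ip: str
    log_dropped: bool = False        # "Log Dropped Packets" for this rule


@dataclass
class BindingTable:
    bindings: list
    dropped: int = 0                 # total count of dropped packets
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.by_ip, self.by_mac = {}, {}
        for b in self.bindings:
            ip, mac = norm_ip(b.ip), norm_mac(b.mac)
            # Example's choice: refuse a table where two rules claim the
            # same IP or MAC, because the lookup would become ambiguous.
            if ip in self.by_ip or mac in self.by_mac:
                raise ValueError(f"rule {b.name!r} reuses a bound IP or MAC")
            self.by_ip[ip] = self.by_mac[mac] = b

    def check(self, src_mac, src_ip):
        """Return 'allow' or 'drop' for one packet seen on the LAN."""
        mac, ip = norm_mac(src_mac), norm_ip(src_ip)
        ip_rule, mac_rule = self.by_ip.get(ip), self.by_mac.get(mac)
        # IP to MAC binding: a bound IP must arrive from its bound MAC.
        if ip_rule is not None and norm_mac(ip_rule.mac) != mac:
            return self._drop(ip_rule, "IP to MAC", mac, ip)
        # MAC to IP binding: a bound MAC must use its bound IP.
        if mac_rule is not None and norm_ip(mac_rule.ip) != ip:
            return self._drop(mac_rule, "MAC to IP", mac, ip)
        # Assumption: a host whose IP and MAC are both unbound is not policed.
        return "allow"

    def _drop(self, rule, kind, mac, ip):
        self.dropped += 1
        if rule.log_dropped:
            self.log.append(f"{kind} binding violation rule={rule.name} "
                            f"src_mac={mac} src_ip={ip}")
        return "drop"


# Binding table from the example on this page.
TABLE = BindingTable([
    Binding("Host1", "00:01:02:03:04:05", "192.168.10.10", log_dropped=True),
    Binding("Host2", "00:01:02:03:04:06", "192.168.10.11", log_dropped=True),
    Binding("Host3", "00:01:02:03:04:07", "192.168.10.12", log_dropped=False),
])

# Constructed traffic as (source MAC, source IP) pairs.
OBSERVED = [
    ("00:01:02:03:04:05", "192.168.10.10"),  # Host1: IP and MAC both match
    ("00-01-02-03-04-AA", "192.168.10.11"),  # Host2: bound IP, different MAC
    ("00:01:02:03:04:07", "192.168.10.99"),  # Host3: bound MAC, different IP
]


def replay(table, frames):
    """Run every observed frame through the table and return the verdicts."""
    return [table.check(mac, ip) for mac, ip in frames]


if __name__ == "__main__":
    print(replay(TABLE, OBSERVED))
    print("dropped:", TABLE.dropped)
    for line in TABLE.log:
        print(line)
```
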

List of IP / MAC Binding

Name: Displays the user-defined name for this rule.

MAC Addresses: Displays the MAC Addresses for this rule.

IP Addresses: Displays the IP Addresses for this rule.

Log Dropped Packets: Displays logging option for this rule.

The actions that can be taken on IP/MAC Bind rules are:

(Check Box At First Column Header): Selects all the rules in the table.

Edit: The Edit button will link to the IP MAC Binding Configuration page, allowing you to make changes to the selected rule.

Delete: Deletes the selected rule or rules.

Add: Clicking this button will link to the IP MAC Binding Configuration page.

IP/MAC Binding Config:
Name:
Specify a unique name for this rule.

MAC Address: Specify the MAC address for this rule.

IP Addresses: Specify the IP address for this rule.

Log Dropped Packets: Specify logging option for this rule. If enabled, such packets will be logged before dropping. The router displays the total count of dropped packets which violated either IP to MAC Binding or MAC to IP Binding.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.
 

 
IPV6
IPMode:
Routing Mode

IPv4 only mode: Select if the LAN and WAN interfaces are members of an IPv4 only network. This is the default setting.

IPV4/IPV6 mode: Select this option to enable support for IPV4 and IPV6 in dual stack mode.

Link Local Connectivity: This option will map all IPv4 addresses in the network to a link-local IPv6 address.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

IPv6 WAN1 Config:
Internet Address

IPv6: Select DHCPv6 if you have not been assigned a static IP address from the ISP. A DHCP server will automatically assign an IPv6 address to the router using DHCP network protocol. If your ISP has assigned a fixed (static or permanent) IP address, select Static IPv6 and configure the following fields:

IPv6 Address: Static IPv6 address assigned to you. This will identify the router to your ISP.

IPv6 Prefix Length: The IPv6 network (subnet) is identified by the initial bits of the address called the prefix. All hosts in the network have the identical initial bits for their IPv6 address; the number of common initial bits in the network's addresses is set by the prefix length field.

Default IPv6 Gateway: IPv6 address of the ISP's gateway. This is usually provided by the ISP or your network administrator.

Primary DNS Server: Valid primary DNS Server IP Address

Secondary DNS Server: Valid secondary DNS Server IP Address

DHCPv6
If the ISP chosen is DHCPv6, there are two ways to obtain an appropriate address for the gateway. You must select one of the following:

Stateless Address Auto Configuration: this option will use router advertisement for address assignment. The IPv6 RADVD protocol will be enabled to advertise this router as a DHCPv6 client.

Stateful Address Auto Configuration: Select this option to request an IPv6 address from any DHCPv6 server available on the ISP.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

IPv6 WAN2 Config:
Internet Address
IPv6:
Select DHCPv6 if you have not been assigned a static IP address from the ISP. A DHCP server will automatically assign an IPv6 address to the router using DHCP network protocol. If your ISP has assigned a fixed (static or permanent) IP address, select Static IPv6 and configure the following fields:

IPv6 Address: Static IPv6 address assigned to you. This will identify the router to your ISP.

IPv6 Prefix Length: The IPv6 network (subnet) is identified by the initial bits of the address called the prefix. All hosts in the network have the identical initial bits for their IPv6 address; the number of common initial bits in the network's addresses is set by the prefix length field.

Default IPv6 Gateway: IPv6 address of the ISP's gateway. This is usually provided by the ISP or your network administrator.

Primary DNS Server: Valid primary DNS Server IP Address

Secondary DNS Server: Valid secondary DNS Server IP Address

DHCPv6

If the ISP chosen is DHCPv6, there are two ways to obtain an appropriate address for the gateway. You must select one of the following:

Stateless Address Auto Configuration: this option will use router advertisement for address assignment. The IPv6 RADVD protocol will be enabled to advertise this router as a DHCPv6 client.

Stateful Address Auto Configuration: Select this option to request an IPv6 address from any DHCPv6 server available on the ISP.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

IPv6 LAN Config:
LAN TCP/IP Setup

IPv6 Address: Router's LAN IPv6 address.

IPv6 Prefix Length: The IPv6 network (subnet) is identified by the initial bits of the address called the prefix. All hosts in the network have the identical initial bits for their IPv6 address; the number of common initial bits in the network's addresses is set by the prefix length field.

Note: If you change the LAN IP address of the router, the browser will not respond when you Apply changes. You must use the new IP address to connect to the web management interface of the router.

DHCPv6
DHCP Status: By default the DHCPv6 server is disabled for the LAN. Once enabled, configure the following fields:

DHCP Mode: If the computers on the LAN are configured with static IP addresses or are configured to use another DHCP server, select the Disable DHCPv6 Server option. To use the router as a DHCP server, select Enable DHCPv6 Server and configure the following:
 
Domain Name: Name of the domain (Optional) for this DHCPv6 server.

Server Preference: This is used by the stateless DHCP to indicate the preference level of this DHCP server. DHCPv6 clients will pick up the DHCPv6 server which has the highest preference value. The preference value must be a decimal integer between 0 and 255 (inclusive).

DNS Servers: Select one of the following options for DNS servers for the DHCPv6 clients

Use DNS Proxy: Check this box to enable DNS proxy on this LAN, or uncheck this box to disable this proxy. When this feature is enabled, the router will act as a proxy for all DNS requests and communicate with the ISP's DNS servers (as configured in the WAN settings page)

Use DNS from ISP:
This option allows the ISP to define the DNS servers (primary/secondary) for the LAN DHCP client

Use below:
If selected, the Primary and Secondary DNS servers configured below are used for DHCPv6 clients.

Primary DNS Server: primary DNS Server IP.

Secondary DNS Server: Secondary DNS Server IP.

Lease/Rebind Time: Duration (in seconds) for which IP addresses will be leased to clients.

List of IPv6 Address Pools

The configured IPv6 address pools are listed here by starting and ending address of the pool.

The actions that can be taken on IPv6 Address Pools are:

(Check Box At First Column Header): Selects all the defined address pools

Edit: The Edit button will link to the IPv6 LAN Pools configuration page.

Delete: Deletes the selected address pool(s).

Add: Clicking this button will link to the IPv6 LAN Pools configuration page

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

IPv6 LAN Pools Config:
Start IPv6 Address: The starting IPv6 address in the consecutive list of addresses that makes up this LAN pool for the DHCPv6 server.

End IPv6 Address: The ending IPv6 address in the consecutive list of addresses that makes up this LAN pool for the DHCPv6 server.

Prefix Length: The number of common initial bits for this LAN pool is set by the delegation prefix length.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Router Advertisement:
Router Advertisement Daemon (RADVD)

RADVD listens for router solicitations in the IPv6 LAN and responds with router advertisements as required. This is stateless IPv6 auto configuration as it distributes IPv6 prefixes to all nodes on the network.

RADVD Status: You can enable the RADVD process here to allow stateless auto configuration of the IPv6 LAN network.

Advertise Mode: Select one of the following:

Unsolicited Multicast: Select to send router advertisements (RAs) to all interfaces belonging to the multicast group.

Unicast only: This option restricts advertisements to well-known IPv6 addresses only (RAs are sent to the interface belonging to the known address only).

Advertise Interval: This sets the maximum advertise interval. The advertise interval used when RADVD is enabled is a random value between Minimum Router Advertisement Interval and Maximum Router Advertisement Interval. The minimum router advertisement interval is 1/3 of this configured value, and the default is 30 seconds.

RA Flags: Choose Managed to use the administered/stateful protocol for address auto configuration. If the Other flag is selected, the host uses the administered/stateful protocol for auto configuration of other (i.e. non-address) information.

Router Preference: Choose between low/medium/high for the preference associated with the RADVD process of the router. This feature is useful if there are other RADVD enabled devices on the LAN. The default is high.

MTU: This is used in RAs to ensure all nodes on the network use the same MTU value in cases where the LAN MTU is not well known. The default is 1500.

Router Lifetime: The lifetime in seconds of the route. The default is 3600 seconds.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

Advertisement Prefix Config:
IPv6 Prefix Type: Select whether the prefix type is 6to4 or Global/Local/ISATAP.

SLA ID: The SLA ID (Site-Level Aggregation Identifier) in the 6to4 address prefix is set to the interface ID of the interface on which the advertisements are sent.

IPv6 Prefix: This defines the IPv6 network address.

IPv6 Prefix Length: This is a numeric value that indicates the number of contiguous, higher order bits of the address that make up the network portion of the address.

Prefix Lifetime: The length of time over which the requesting router is allowed to use the prefix.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

IPv6 Static Routing:
Name: Name of the route, for identification and management purposes.

Destination: Destination host or network the route leads to.

Gateway: IP Address of the gateway through which the destination host or network can be reached.

Interface: The physical network interface (dedicated WAN, secondary WAN, DMZ or LAN), through which this route is accessible.

Metric: Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is chosen.

Active: Determines whether the route is active or inactive. A route can be added to the table and made inactive, if not needed. This allows routes to be used as needed without deleting and re-adding the entry. An inactive route is not broadcast if RIP is enabled.

The actions that can be taken on static routes are:

(Check Box At First Column Header): Selects all the static routes in the table.

Edit: The Edit button will link to the IPv6 Route Configuration page, allowing you to make changes to the selected static route.

Delete: Deletes the selected static route or static routes.

Add: Clicking this button will link to the IPv6 Route Configuration page.

IPv6 Static Routing Config:
Route Name: Name of the route, for identification and management purposes.

Active: Defines whether the route will be active or inactive. When a route is added in inactive state, it will be listed in the table, but will not be used by the router. The route can be enabled later. This is useful if the network that the route connects to is not available when you add the route. When the network becomes available, the route can be enabled.

IPv6 Destination: Destination host or network the route leads to.

IPv6 Prefix Length: The number of prefix bits in the IPv6 address that define the subnet.

Interface: The physical network interface (dedicated WAN, secondary WAN, DMZ or LAN), through which this route is accessible.

IPv6 Gateway: IP Address of the gateway through which the destination host or network can be reached.

Metric: Defines the priority of the route. Please choose a value between 2 and 15. If multiple routes to the same destination exist, the route with the lowest metric is chosen.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

6to4 Tunneling:
Select the check box to Enable Automatic Tunneling and allow traffic from an IPv6 LAN to be sent over an IPv4 WAN to reach a remote IPv6 network.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.

IPv6 Tunnels Status:
Tunnel Name: The active IPv6 to IPv4 tunnel identifier.

IPv6 Addresses: The source IPv6 address(es) in your LAN that have data being sent over this tunnel.

Click Refresh to update this status page.

ISATAP Tunnels:
List of Available ISATAP Tunnels

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is a method to transmit IPv6 packets between dual-stack nodes over an IPv4 network. This device is one endpoint (a node) for the tunnel, and to configure a tunnel you must set a Local Endpoint as well as the ISATAP Subnet Prefix that defines the logical ISATAP subnet.

The actions that can be taken on ISATAP tunnels are:

(Check Box At First Column Header): Selects all the tunnels in the table.

Edit: The Edit button will link to the IPv6 ISATAP Tunnels Configuration page, allowing you to make changes to the selected ISATAP tunnel.

Delete: Deletes the selected tunnel or tunnels.

Add: Clicking this button will link to the IPv6 ISATAP Tunnels Configuration page.

ISATAP Tunnel Config:
ISATAP Subnet Prefix: This is the 64-bit subnet prefix that is assigned to the logical ISATAP subnet for this intranet. This can be obtained from your ISP or internet registry, or derived from RFC 4193.

Local End Point Address: This is the endpoint address for the tunnel that starts with this router. The endpoint can be the LAN interface (assuming the LAN is an IPv4 network), or a specific LAN IPv4 address.

IPv4 Address: The local end point address if not the entire LAN.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.
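
The 6to4 and ISATAP settings above both produce IPv6 addresses that embed an IPv4 address. The following Python is an added example, not part of this help text or the router's firmware: it derives the 6to4 prefix (RFC 3056) and an ISATAP address (RFC 5214) from the configured values and classifies addresses seen in logs. The function names are hypothetical and every address is a constructed sample.

```python
import ipaddress

# Upper 32 bits of an ISATAP interface ID: 0000:5efe, or 0200:5efe when the
# embedded IPv4 address is known to be globally unique (RFC 5214).
ISATAP_IDS = (0x00005EFE, 0x02005EFE)

def sixtofour_prefix(wan_ipv4, sla_id):
    """Build 2002:<WAN IPv4>:<SLA ID>::/64, the prefix a 6to4 site advertises."""
    if not 0 <= sla_id <= 0xFFFF:
        raise ValueError("SLA ID must fit in 16 bits")
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    value = (0x2002 << 112) | (v4 << 80) | (sla_id << 64)
    return ipaddress.IPv6Network((value, 64))

def isatap_address(subnet_prefix, local_ipv4):
    """Join the 64-bit ISATAP subnet prefix with 0000:5efe:<local IPv4>."""
    net = ipaddress.IPv6Network(subnet_prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP subnet prefix must be 64 bits long")
    v4 = int(ipaddress.IPv4Address(local_ipv4))
    return net[(ISATAP_IDS[0] << 32) | v4]

def classify(addr):
    """Return (kind, embedded IPv4 or None) for one IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip.sixtofour is not None:            # address is inside 2002::/16
        return ("6to4", ip.sixtofour)
    iid = int(ip) & ((1 << 64) - 1)         # low 64 bits = interface ID
    if (iid >> 32) in ISATAP_IDS:
        return ("isatap", ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    return ("native", None)

if __name__ == "__main__":
    # Constructed inputs: documentation and private address ranges only.
    print(sixtofour_prefix("192.0.2.1", 1))
    print(isatap_address("fd00:1234:5678:1::/64", "192.168.10.1"))
    for sample in ("2002:c000:201:1::10", "fe80::5efe:c0a8:a01", "2001:db8::1"):
        print(sample, classify(sample))
```

Running `classify` over source addresses in firewall or flow logs shows which hosts are reaching IPv6 through a tunnel and which IPv4 endpoint carries that traffic.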

 
Radius Setting
Radius Setting:
Authentication Server IP Address (Primary): IP address of the primary RADIUS authentication server.

Authentication Server IP Address (Secondary): IP address of the secondary RADIUS authentication server.

Authentication Port: Port on the RADIUS authentication server to which RADIUS messages are sent.

Secret: Secret key that allows the device to log into the configured RADIUS server. It must match the secret on the RADIUS server.

Timeout: Set the amount of time, in seconds, the router should wait for a response from the RADIUS server.

Retries: This determines the number of tries the router will make to the RADIUS server before giving up.

Click Save Settings to save the settings.

Click Don't Save Settings to revert to the previous settings.
 
Power Saving
Power Saving:
Power Saving State: When enabled, the total power to the LAN switch is dependent on the number of connected ports. The overall current draw when a single port is connected is less than when all of the available LAN ports have an active Ethernet connection.

Length Detection State: When enabled, the LAN switch will reduce the overall current supplied to the LAN port when a small cable length is connected to that port. Longer cables have higher resistance than shorter cables and require more power to transmit packets over that distance. This option will reduce the power to a LAN port if an Ethernet cable of less than 10 ft is detected as being connected to that port.

Click Save Settings to save your changes.

Click Don't Save Settings to revert to the previous settings.