Netopia 2200 Instrukcja Użytkownika

Netopia® Software User GuideApril 2006Netopia® 2200 and 3300 Series GatewaysVersion 7.6

Table of Contents 10 CHAPTER 7 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 -----A----- . . . . . . . . . . . .

100Link: UPnPUniversal Plug and Play (UPnP™) is a set of protocols that allows a PC to automatically dis-cover other UPnP devices (anything from an in

101ConfigureLink: LAN ManagementTR-064 is a LAN-side DSL Gateway configuration specification. It is an extension of UPnP. It defines more services to loc

102Link: Advanced -> Ethernet BridgeThe Netopia Gateway can be used as a bridge, rather than a router. A bridge is a device that joins two networks

103ConfigureConfiguring for Bridge Mode1. Browse into the Netopia Gateway’s web interface.2. Click on the Configure button in the upper Menu bar.3. Clic

104The Ethernet Bridge page appears.The appearance of this page varies, depending on your Gateway’s inter-faces.7. If available:a. Check the Enable Br

105Configure11. If you are satisfied with the changes you have made, click Save and Restart in the Save Database box to Apply changes and restart Gatew

106Link: VLANA Virtual Local Area Network (VLAN) is a network of computers that behave as if they are connected to the same wire even though they may

107ConfigureAn example of multiple VLANs is shown below:To create a VLAN, click the Add button.The VLAN Entry page appears.You can create up to 32 VLA

108• VLAN id – This must be a unique identifying number between 1 and 4095.• VLAN Name – A descriptive name for the VLAN.• VLAN Protocol – This field i

109ConfigureFor Netopia VGx technology models, separate Ethernet switch ports are displayed and may be configured.To enable any of them on this VLAN, s

11 Table of Contents International . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329Regulatory notices. . . . . .

110You can Add, Edit, or Delete your VLAN entries by returning to the VLANs page, and selecting the appropriate entry from the displayed list.

111ConfigureLink: SystemThe System Name defaults to your Gateway's factory identifier combined with its serial number. Some cable-oriented Service

112• Syslog: Enable syslog logging in the system.• Syslog Host Name/IP Address: Enter the name or the IP Address of the host that should receive syslo

113ConfigureLog Event MessagesAdministration Related Log Messages1. administrative access attempted:This log-message is generated whenever the user at

114DSL Log Messages (most common):1. WAN: Data link activated at <Rate> Kbps (rx/tx)This log message is generated when the DSL link comes up.2.W

115Configure6. dropped - frag-mented packet:This log-message is generated whenever a packet, traversing the router, is dropped because it is fragmente

116Link: Internal ServersYour Gateway ships with an embedded Web server and support for a Telnet session, to allow ease of use for configuration and ma

117ConfigureTo select the games or software that you want to host for a specific PC, highlight the name(s) in the box on the left side of the screen. C

118Buddy Phone Calista IP Phone CART Precision Racing, v 1.0Citrix Metaframe/ICA Client Close Combat for Windows 1.0 Close Combat: A Bridge Too Far, v

119ConfigureRename a User(PC)If a PC on your LAN has no assigned host name, you can assign one by clicking the Rename a User(PC) link.To rename a serv

Table of Contents 12 VPN IPSec Pass Through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343VPN IPSec Tunnel Termination. . . . . . .

120☛ NOTE:The new name given to a server is only known to Software Hosting. It is not used as an identifier in other network functions, such as DNS or

121ConfigureLink: Time ZoneWhen you click the Time Zone link, the Time Zone page appears.You can set your local time zone by selecting the number of h

122SecurityButton: SecurityThe Security features are available by clicking on the Security toolbar button. Some items of this category do not appear w

123SecurityLink: PasswordsAccess to your Gateway may be controlled through two optional user accounts, Admin and User. When you first power up your Gat

124To display the Passwords window, click the Security toolbar button on the Home page.Use the following procedure to change existing passwords or add

125SecurityLink: FirewallUse a Netopia FirewallBreakWater Basic Firewall. BreakWater delivers an easily selectable set of pre-configured firewall protec

1264. Click on the radio button to select the protection level you want. Click Submit. Changing the BreakWater setting does not require a restart to t

127SecurityTIPS for making your BreakWater Basic Firewall Selection Basic Firewall BackgroundAs a device on the Internet, a Netopia Gateway requires a

128This table shows how inbound traffic is treated. Inbound means the traffic is coming from the WAN into the WAN side of the Gateway. This table shows

129Security☛ NOTE:The Gateway’s WAN DHCP client port in SilentRunning mode is enabled. This feature allows end users to continue using DHCP-served IP

13 What’s New in 7.6 CHAPTER 1 Introduction What’s New in 7.6 New in Netopia Firmware Version 7.6 are the following features: • TR-069 CLI Enhancemen

130Link: IPSecWhen you click on the IPSec link, the IPSec configuration screen appears.Your Gateway can support two mechanisms for IPSec tunnels:• IPSe

131SecuritySafeHarbour IPSec VPNSafeHarbour VPN IPSec Tunnel provides a single, encrypted tunnel to be terminated on the Gateway, making a secure tunn

132A typical SafeHarbour configuration is shown below:Configuring a SafeHarbour VPNUse the following procedure to configure your SafeHarbour tunnel.1. Ob

133SecurityTable 1: IPSec Tunnel Details Parameter Setup WorksheetParameter Netopia Gateway Peer GatewayNamePeer Internal NetworkPeer Internal Netmask

1343. Be sure that you have SafeHarbour VPN enabled.SafeHarbour is a keyed feature. See “Install Keys” on page 184. for information con-cerning instal

135Security10.Make the Tunnel Details entries.Enter or select the required set-tings.Refer to your “IPSec Tunnel Details Parameter Setup Work-sheet” o

136Parameter DescriptionsThe following tables describe SafeHarbour’s parameters that are used for an IPSec VPN tunnel configuration:Table 2: IPSec Conf

137SecurityPAT Address If NAT is enabled, this field appears. You can specify a Port Address Trans-lation (PAT) address or leave the default all-zeroes

138SA Hash Type SA Hash Type refers to the Authentication Hash algorithm used during SA negotiation. Values supported include MD5 and SHA1. N/A will

139SecurityXauth Enable Extended Authentication (XAuth), an extension to the Internet Key Exchange (IKE) protocol. The Xauth extension provides dual a

14 About Netopia Documentation ☛ NOTE: This guide describes the wide variety of features and functionality of the Neto-pia Gateway, when used in Ro

140Link: Stateful InspectionAll computer operating systems are vulnerable to attack from outside sources, typically at the operating system or Interne

141Security• UDP no-activity time-out: The time in seconds after which a UDP session will be ter-minated, if there is no traffic on the session.• TCP n

142Add, Edit, or delete exposed addresses options are active only if NAT is disabled on a WAN interface. The hosts specified in exposed addresses will

143SecurityClick the Add button to add a new range of exposed addresses.You can edit a previously configured range by clicking the Edit button, or dele

144Stateful Inspection OptionsStateful Inspection Parameters are active on a WAN interface only if you enable them on your Gateway.• Stateful Inspecti

145SecurityOpen Ports in Default Stateful Inspection Installation Port Protocol DescriptionLAN (Private) InterfaceWAN (Public) Interface23 TCP telnet

146Firewall TutorialGeneral firewall terms☛ Note:Breakwater Basic Firewall (see “BreakWater Basic Firewall” on page 125) does not make use of the pack

147Firewall TutorialThis header information is what the packet filter uses to make filtering decisions. It is important to note that a packet filter does

148Example TCP/UDP PortsFirewall design rulesThere are two basic rules to firewall design:• “What is not explicitly allowed is denied.”and• “What is no

149Firewall Tutorialand a packet goes through these rules destined for FTP, the packet would forward through the first rule (WWW), go through the secon

15 Documentation Conventions Documentation Conventions General This manual uses the following conventions to present information: Internal Web Interf

150Example filter set pageThis is an example of the Netopia filter set page:

151Firewall TutorialFilter basicsIn the source or destination IP address fields, the IP address that is entered must be the network address of the subn

152 Example filters Example 1 Incoming packet has the source address of 200.1.1.28This incoming IP packet has a source IP address that matches the ne

153 Firewall Tutorial Example 4 Incoming packet has the source address of 200.1.1.104.This rule does match and this packet will not be forwarded.

154 Link: Packet Filter When you click the Packet Filter link the Filter Sets screen appears.Security should be a high priority for anyone admini

155 Firewall Tutorial admit or refuse TCP/IP connections from certain remote networks and specific hosts. You will also use filters to screen particula

156 Filter priority Continuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the package matches the first

157 Firewall Tutorial A filtering rule The criteria are based on information contained in the packets. A filter is simply a rule that prescribes certai

158Port numbersA filter can also match a packet’s port number attributes, but only if the filter’s protocol type is set to TCP or UDP, since only those

159Firewall Tutorial• Less Than: For the filter to match, the packet’s port number must be less than the port number specified in the filter.• Less Than

16curly ({ }) brackets, with values sep-arated with vertical bars (|).Alternative values for an argument are pre-sented in curly ({ }) brackets, with

160• Fwd: Shows whether the filter forwards (Yes) a packet or discards (No) it when there’s a match. • Src-IP: The packet source IP address to match.•

161Firewall Tutorial• Source IP Address = 199.211.211.17• Source IP address mask = 255.255.255.255• Destination IP Address = 0.0.0.0• Destination IP a

162Filtering example #2Suppose a filter is configured to block all incoming IP packets with the source IP address of 200.233.14.0, regardless of the typ

163Firewall TutorialDesign guidelinesCareful thought must go into designing a new filter set. You should consider the following guidelines: • Be sure t

164Working with IP Filters and Filter SetsTo work with filters and filter sets, begin by accessing the filter set pages.☛ NOTE:Make sure you understand

165Working with IP Filters and Filter SetsEnter new name for the filter set, for example Filter Set 1.To save the filter set, click the Submit button. T

166Packets in Netopia Firmware Version 7.6 pass through an input filter if they originate from the WAN and through an output filter if they’re being sen

167Working with IP Filters and Filter SetsThe Filter Set page appears.☛ Note:There are two Add buttons in this page, one for input filters and one for

1682. If you want the filter to forward packets that match its criteria to the desti-nation IP address, check the Forward checkbox.If Forward is unchec

169Working with IP Filters and Filter SetsIf Protocol Type is set to TCP or UDP, the settings for port comparison will appear. These settings only tak

17OrganizationOrganizationThis guide consists of nine chapters, including a glossary, and an index. It is organized as follows:• Chapter 1, “Introduct

170Modifying filtersTo modify a filter, select a filter from the table and click the Edit button. The Rule Entry page appears. The parameters in this pag

171Associating a Filter Set with an InterfaceAssociating a Filter Set with an InterfaceOnce you have created a filter set, you must associate it with a

172You can repeat this process for both the WAN and LAN interfaces, to associate your filter sets.When you return to the Filter Sets page, it will disp

173Policy-based Routing using FiltersetsPolicy-based Routing using FiltersetsNetopia Firmware Version 7.6 offers the ability to route IP packets using

174If you check the Idle Reset checkbox, a match on this rule will keep the WAN connection alive by resetting the idle-timeout status.The Idle Reset s

175Policy-based Routing using Filtersetsconfigure one filter to match the first type of packet and apply Force Routing. A subsequent filter is required to

176Link: Security LogSecurity Monitoring is a keyed feature. See page 184 for information concerning installing Netopia Software Feature Keys.Security

177Policy-based Routing using FiltersetsThe capacity of the security log is 100 security alert messages. When the log reaches capacity, subsequent mes

178To reset this log, select Reset from the Security Monitor tool bar.The following message is displayed.When the Security Log contains no entries, th

179InstallInstallButton: InstallFrom the Install toolbar button you can Install new Operating System Software and Feature Keys as updates become avail

18

180Link: Install Software(This link is not available on the 3342/3352 models, since firmware updates must be upgraded via the USB host driver. 3342N/33

181InstallStep 1: Required FilesUpgrading Netopia Firmware Version 7.6 requires a Netopia firmware image file.BackgroundFirmware upgrade image files are

1823. Enter the filename into the text box by using one of these techniques:The Netopia firmware file name begins with a shortened form of the version nu

183Install5. When the success message appears, click the Restart button and confirm the Restart when you are prompted.Your Netopia Gateway restarts wit

184Link: Install KeysYou can obtain advanced product functionality by employing a software Feature Key. Soft-ware feature keys are specific to a Gatewa

185Install4. Click the Install Key button.5. Click the Restart toolbar button.The Confirmation screen appears.

1866. Click the Restart the Gateway link to confirm.To check your installed features:7. Click the Install toolbar button.8. Click the list of features

187InstallThe System Status page appears with the information from the features link displayed below. You can check that the feature you just installe

188Link: Install CertificateSecure Sockets Layer (SSL) is a protocol for transmitting private information over the Inter-net. SSL uses two keys to encr

189InstallThe Install Certificate page appears.2. Browse to the location where you have saved your certificate and select the file, or type the full path

19CHAPTER 2 Basic Mode SetupMost users will find that the basic Quickstart configuration is all that they ever need to use. This section may be all that

190

191CHAPTER 4 Basic TroubleshootingThis section gives some simple suggestions for troubleshooting problems with your Gate-way’s initial configuration.B

192Status Indicator LightsThe first step in troubleshooting is to check the status indicator lights (LEDs) in the order outlined below.Netopia Gateway

193Status Indicator LightsNetopia Gateway 2246N status indicator lightsLED ActionPowerGreen when power is on. Red if device malfunctions.Ethernet 1, 2

194Netopia Gateway 2247NWG status indicator lightsLED ActionPowerGreen when power is on. Red if device malfunctions.Ethernet 1, 2, 3, 4Solid green whe

195Status Indicator LightsNetopia Gateway 3340(N) status indicator lightsEthernet LinkEthernet TrafficDSL TrafficDSL SyncPPPoE ActivePowerPower:PPPoE

196Netopia Gateway 3341(N), 3351(N) status indicator lightsEthernet LinkEthernet TrafficDSL TrafficDSL SyncUSB ActivePowerPower:USB Active:DSL Traffic

197Status Indicator LightsNetopia Gateway 3342/3342N, 3352/3352N status indicator lights☛ Special patterns:• Both LEDs are off during boot (power on

198Netopia Gateway 3346(N), 3356(N) status indicator lightsLAN 1LAN 2LAN 3LAN 4DSL SYNCPowerPower:DSL Sync:Solid green when trained with the DSL lineB

199Status Indicator LightsNetopia Gateway 3347W, 3347(N)WG status indicator lightsPower - Green when power is appliedFlashes green when trainingSolid

2 Copyright Copyright © 2006 Netopia, Inc. Netopia, the Netopia logo, and 3-D Reach are registered trademarks belonging to Netopia, Inc., registered

20Important Safety InstructionsPOWER SUPPLY INSTALLATIONConnect the power supply cord to the power jack on the Netopia Gateway. Plug the power supply

200Netopia Gateway MiAVo status indicator lightsPower - Ethernet 1, 2, 3, 4 -Flash green when there isactivity on the LAN.Front ViewSolid green when c

201Status Indicator LightsLED Function Summary MatrixIf a status indicator light does not look correct, look for these possible problems: Unlit Solid

202 EN Link UnlitNote: EN Link light is inactive if only using USB.1. Make sure the you are using the Ethernet cable, not the DSL cable. The Ethernet

203Factory Reset SwitchFactory Reset Switch(optional on some models; 3342/3342N/3352/3352N models do not have a reset switch)Lose your password? This

2042. Carefully insert the point of a pen or an unwound paperclip into the open-ing.•If you press the factory default button for less than 1/2 a secon

205CHAPTER 5 Advanced TroubleshootingAdvanced Troubleshooting can be accessed from the Gateway’s Web UI. Point your browser to http://192.168.1.254. T

206Home PageThe home page displays basic information about the Gateway. This includes the ISP User-name, Connection Status, Device Address, Remote Gat

207Status of Connection ‘Waiting for DSL’ is displayed while the Gateway is training. This should change to ‘Up’ within two minutes. If not, make sure

208Button: TroubleshootExpert ModeExpert Mode has advanced troubleshooting tools that are used to pinpoint the exact source of a problem. Clicking the

209Link: System StatusIn the system status screen, there are several utilities that are useful for troubleshooting. Some examples are given in the fol

21Wichtige SicherheitshinweiseWichtige SicherheitshinweiseNETZTEIL INSTALLIERENVerbinden Sie das Kabel vom Netzteil mit dem Power-Anschluss an dem Net

210Link: Ports: EthernetThe Ethernet port selection shows the traffic sent and received on the Ethernet interface. There should be frames and bytes on

211Link: Ports: DSLThe DSL port selection shows the state of the DSL line, whether it is up or down and how many times the Gateway attempted to train.

212Link: IP: InterfacesThe IP interfaces selection shows the state and configuration information for your IP LAN and WAN interfaces. Below is an exampl

213Link: DSL: Circuit ConfigurationThe DSL Circuit Configuration screen shows the traffic sent and received over the DSL line as well as the trained rate

214Link: System Log: EntireThe system log shows the state of the WAN connection as well as the PPPoE session. Ver-ify that the PPPoE session has been

215Link: DiagnosticsThe diagnostics section tests a number of different things at the same time, including the DSL line, the Ethernet inter face and t

216Link: Network ToolsThree test tools are available from this page.• NSLookup - converts a domain name to its IP address and vice versa.• Ping - test

217PING: The network tools section sends a PING from the Gateway to either the LAN or WAN to verify connectivity. A PING could be either an IP address

218Below are some specific tests:3. To use the TraceRoute capability, type a destination address (domain name or IP address) in the text box and click

219Example: Show the path to the grosso.com site.Result: It took 20 hops to get to the grosso.com web site.

22Setting up the Netopia GatewayRefer to your Quickstart Guide for instructions on how to connect your Netopia gateway to your power source, PC or loc

220

221CHAPTER 6 Command Line InterfaceThe Netopia Gateway operating software includes a command line interface (CLI) that lets you access your Netopia Ga

222OverviewThe CLI has two major command modes: SHELL and CONFIG. Summary tables that list the commands are provided below. Details of the entire comm

223OverviewCONFIG CommandsCommand Verbs Status and/or Descriptiondelete Delete configuration list datahelp Help command optionsave Save configuration da

224Starting and Ending a CLI SessionOpen a telnet connection from a workstation on your network.You initiate a telnet connection by issuing the follow

225Using the CLI Help FacilitySaving SettingsIn CONFIG mode, the save command saves the working copy of the settings to the Gate-way. The Gateway auto

226The only commands you cannot truncate are restart and clear. To prevent accidental interruption of communications, you must enter the restart and c

227SHELL CommandsdiagnoseRuns a diagnostic utility to conduct a series of internal checks and loopback tests to verify network connectivity over each

228install [server_address] [filename] [confirm](Not supported on model 3342/3352)Downloads a new version of the Netopia Gateway operating software from

229SHELL Commands•1 or low – Low-level informational messages or greater; includes trivial status mes-sages.•2 or medium – Medium-level informational

23Setting up the Netopia GatewayThen go to Step 2.Step 2. Select Obtain an IP address automatically.Step 3. Select Obtain DNS server address automatic

230• The -c count argument lets you specify the number of ICMP packets generated for the ping request. Values greater than 250 are truncated to 250.Yo

231SHELL Commandsreset ipmapClears the IPMap table (NAT).reset logRewinds the diagnostic log display to the top of the existing Netopia Gateway diagno

232show configDumps the Netopia Gateway’s configuration script just as the script command does in config mode.show crashDisplays the most recent crash in

233SHELL Commandsshow ip igmpDisplays the contents of the IGMP Group Address table and the IGMP Report table main-tained by your Netopia Gateway.show

234show logDisplays blocks of information from the Netopia Gateway diagnostic log. To see the entire log, you can repeat the show log command or you c

235SHELL Commandstelnet { hostname | ip_address } [port] Lets you open a telnet connection to the specified host through your Netopia Gateway.• The hos

236WAN Commandsatmping vccn [ segment | end-to-end ]Lets you check the ATM connection reachability and network connectivity. This command sends five Op

237About CONFIG Commandsshow dslDisplays DSL port statistics, such as upstream and downstream connection rates and noise levels. show ppp [{ stats | l

238Netopia-3000/9437188 (top)>> quitNetopia-3000/9437188 >• Moving from top to a subnode — You can navigate from the top node to a subnode by

239About CONFIG CommandsEntering Commands in CONFIG ModeCONFIG commands consist of keywords and arguments. Keywords in a CONFIG command specify the ac

24Macintosh MacOS 8 or higher or Mac OS X: Step 1. Access the TCP/IP or Network control panel. a. MacOS follows a path like this:Apple Menu -> Cont

240Guidelines: CONFIG CommandsThe following table provides guidelines for entering and formatting CONFIG commands.If a command is ambiguous or miskeye

241About CONFIG CommandsWhen you are in step mode, the command line interface prompts you to enter required and optional settings. If a setting has a

242CONFIG CommandsThis section describes the keywords and arguments for the various CONFIG commands.DSL CommandsATM Settings. You can use the CLI to s

243CONFIG Commandsthe raw WAN (DSL) bit rate. The Maximum Burst Size (MBS) is the number of cells that can be sent at the PCR rate, after which the PV

244Your Service Provider will indicate the required encapsulation mode.set atm [vccn] pppoe-sessions { 1 ... 8 }Select the number of PPPoE sessions t

245CONFIG Commandsset bridge ethernet option { on | off } Enables or disables bridging services for the specified virtual circuit using Ethernet fram-i

246set dhcp start-address ip_address If you selected server, specifies the first address in the DHCP address range. The Neto-pia Gateway can reserve a s

247CONFIG CommandsDMT SettingsDSL Commandsset dmt type [ lite | dmt | ansi | multi | adsl2 | adsl2+ | readsl2 | adsl2anxm | ads

248• auto - The device will scan for standard telephone service (POTS). If it finds POTS, it dis-ables metallic termination. If it does not find POTS du

249CONFIG Commandsrent dynamically-assigned IP address. This allows you to get to the IP address assigned to your Gateway, even though your actual IP

25Setting up the Netopia GatewayThen go to Step 2.Step 2. Select Built-in Ethernet Step 3. Select Configure Using DHCPStep 4. Close and Save, if prompt

250IP SettingsYou can use the command line interface to specify whether TCP/IP is enabled, identify a default Gateway, and to enter TCP/IP settings fo

251CONFIG CommandsThe broadcast address for most networks is the network number followed by 255. For example, the broadcast address for the 192.168.1.

252If you specify v2-MD5, you must also specify a rip-send-key. Keys are ASCII strings with a maximum of 31 characters, and must match the other route

253CONFIG Commandsset ip ethernet A netmask netmaskSpecifies the subnet mask for the local Ethernet inter face. The subnet mask specifies which bits of

254set ip ethernet A rip-receive { off | v1 | v2 | v1-compat | v2-MD5 }Specifies whether the Netopia Gateway should use Routing Information Protocol (R

255CONFIG Commandsset ip ip-ppp [vccn] address ip_addressAssigns an IP address to the virtual PPP interface. If you specify an IP address other than 0

256set ip ip-ppp [vccn] rip-send { off | v1 | v2 | v1-compat | v2-MD5 }Specifies whether the Netopia Gateway unit should use Routing Information Protoc

257CONFIG CommandsStatic ARP SettingsYour Netopia Gateway maintains a dynamic Address Resolution Protocol (ARP) table to map IP addresses to Ethernet

258IP Prioritizationset ip prioritize [ off | on ]Allows you to support traffic that has the TOS bit set. This defaults to off.Differentiated Services

259CONFIG Commandsset diffserv custom-flows name name protocol [ TCP | UDP | ICMP | other ] direction [ outbound | inbound | both ]

26Configuring the Netopia Gateway1. Run your Web browser application, such as Firefox or Microsoft Internet Explorer, from the computer connected to th

260• qos – Allows you to specify the Quality of Service for the flow: off, assure, or expedite. These are used both to mark the IP TOS byte and to dist

261CONFIG Commandsset ip static-routes destination-network net_address interface { ip-address | ppp-vccn }Specifies the interface through which th

262IPMaps Settingsset ip-maps name <name> internal-ip <ip address>Specifies the name and static ip address of the LAN device to be mapped.s

263CONFIG Commandsset nat-default host-hardware-address MAC_address }Specifies the hardware (MAC) address of the IP passthrough host.Network Address Tr

264set pinhole name name external-port-end [ 0 - 49151 ]Specifies the last port number in the range being translated.set pinhole name name internal-ip

265CONFIG Commandsset ppp module [vccn] mru integerSpecifies the Maximum Receive Unit (MRU) for the PPP interface. The integer argument can be any numb

266set ppp module [vccn] configure-max integerSpecifies the maximum number of unacknowledged configuration requests that your Neto-pia Gateway will send.

267CONFIG CommandsCHAP and specify the same name and secret on the Netopia Gateway before the link can be established.set ppp module [vccn] port-authe

268set preference more linesSpecifies how many lines of information you want the command line interface to display at one time. The lines argument spec

269CONFIG CommandsPort Renumbering SettingsIf you use NAT pinholes to forward HTTP or telnet traffic through your Netopia Gateway to an internal host,

27Configuring the Netopia GatewayMiAVo VDSL and Ethernet WAN models QuickstartThe browser then displays the Quickstart page.2. Click the Connect to th

270Security SettingsSecurity settings include the Firewall and IPSec parameters. All of the security functionality is keyed.Firewall Settings (for Bre

271CONFIG Commandsset security ipsec tunnels name "123" tun-enable (on) {on | off}This enables this particular tunnel. Currently, one

272set security ipsec tunnels name "123" IKE-mode pre-shared-key ("") {hex string}See page 130 for details about SafeHarbour

273CONFIG Commandsset security ipsec tunnels name "123" IKE-mode PFS-enable { off | on }See page 130 for details about SafeHarbour IPse

274set security ipsec tunnels name "123" local-id id_valueSpecifies the NAT local ID value as specified in the local-id-type for the specified

275CONFIG CommandsInternet Key Exchange (IKE) SettingsThe following four IPsec parameters configure the rekeying event.set security ipsec tunnels name

276Stateful InspectionStateful inspection options are accessed by the security state-insp tag.set security state-insp [ ip-ppp | dsl ] vccn option [ o

277CONFIG Commandsset security state-insp udp-timeout [ 30 - 65535 ]Sets the stateful inspection UDP timeout interval, in seconds.set security state-i

278set security state-insp xposed-addr exposed-address# "n" start-port [ 1 - 65535 ]set security state-insp xposed-addr exposed

279CONFIG Commandsset security pkt-filter filterset filterset-name [ in | out ] index frc-rte [ on | off ]Turns forced routing on or off for the spe

28PPPoE QuickstartFor a PPPoE connection, your browser will display a different series of web pages:The browser then displays the Quickstart web page.

280set security pkt-filter filterset filterset-name [ in | out ] index tos-mask valueSpecifies the TOS (Type Of Service) mask to match packets. The

281CONFIG Commandsset security pkt-filter filterset filterset-name [ in | out ] index src-port valueSpecifies the source IP port to match packets (t

282SNMP SettingsThe Simple Network Management Protocol (SNMP) lets a network administrator monitor problems on a network by retrieving settings on rem

283CONFIG CommandsSNMP Notify Type SettingsSNMP Notify Type is supported beginning with Firmware Version 7.4.2.set snmp notify type [ v1-trap | v2-tra

284set system diagnostic-level { off | low | medium | high | alerts | failures }Specifies the types of log messages you want the Netopia Gateway to

285CONFIG Commandsset system password { admin | user }Specifies the administrator or user password for a Netopia Gateway. When you enter the set system

286out, each heartbeat sequence will send out a total 20 heartbeats, spaced at 30 second intervals, and then sleep for 30 minutes. So to have the Gate

287CONFIG Commandsset system ntp option [ off | on ]:server-address (204.152.184.72)alt-server-address (18.72.0.3):time-zone [ -12 - 12 ] update-perio

288Syslogset system syslog option [ off | on ]Enables or disables system syslog feature. If syslog option is on, the following commands are available:

289CONFIG Commands set security state-insp eth B option on• Type the command to enable the router to drop fragmented packets set security state-ins

29Configuring the Netopia Gateway4. When the connection succeeds, your browser will display a success message.Once a connection is established, your b

290Wireless Settings (supported models)set wireless option ( on | off )Administratively enables or disables the wireless interface.set wireless networ

291CONFIG Commandsset wireless mode { both-b-and-g | b-only | g-only }Beginning with Netopia Firmware Version 7.5.1. specifies the wireless operating m

292set wireless multi-ssid second-ssid-privacy { off | WEP | WPA-PSK | WPA-802.1x }set wireless multi-ssid third-ssid-privacy { off | WEP | WPA-P

293CONFIG Commandsset wireless multi-ssid second-ssid-wepkey { hexadecimal digits }set wireless multi-ssid third-ssid-wepkey { hexadecimal digits }set

294protect your network and data from intruders. Note that 40bit is the same as 64bit and will work with either type of wireless client. The default i

295CONFIG Commandsset wireless network-id privacy encryption-key1 { hexadecimal digits }set wireless network-id privacy encryption-key2 { hexadecimal

296Wireless MAC Address Authorization Settingsset wireless mac-auth option { on | off }Enabling this feature limits the MAC addresses that are allowed

297CONFIG Commandsset radius radius-port port_numberSpecifies the port on which the RADIUS server is listening. The default value is 1812.VLAN Settings

298 id (1) [ 1 - 4095 ]: 52 type (by-port) [ by-port ]: admin-restricted (off) [ off | on ]: off port(port) node list ...S

299CONFIG Commands☛ Note:To make a set of VLANs non-routable, the lan-uplink port must be included in at least one VLAN and must be excluded from any

3 Table of Contents Table of Contents Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 CHAPTER 1 Int

30Netopia Gateway Status Indicator LightsColored LEDs on your Netopia Gateway indicate the status of various port activity. Different Gateway models h

300TR-069. DSL Forum CPE WAN Management Protocol (TR-069) provides services similar to UPnP and TR-064. The communication between the Netopia Gateway

301CONFIG CommandsOn units that support SSL, the format for the ACS URL can also be:https://some_url.com:port_numberorhttps://123.45.678.910:port_numb

302VDSL Settings☛ CAUTION!These settings are for very advanced users and lab technicians. Exercise extreme caution when modifying any of these settin

303CONFIG CommandsVDSL Parameter DefaultsParameter Default Meaningsys-option 0x00 VDSL system option(bit0=ntr, 1=margin, 2=ini, 3=pbo, 4=tlan, 5=pbo)

304VDSL Parameters Accepted ValuesParameter Accepted Valuessys-option Bit[0]: NTR_DISABLEBit[1]: ALW_MARGIN_ADJUST.1: the SNR margin for the optional

305CONFIG Commandssys-bandplan BP1_998_3 (0x00)BP2_998_3 (0x01)BP998_3B_8_5M (0x01) BP3_998_4 (0x02)BP998_4B_12M (0x02)BP4_997_

306psd-mask-level 0x00 -- default mask (old gains from before)0x01 -- ANSI M1 CAB0x02 -- ANSI M2 CAB0x03 -- ETSI M1 CAB0x04 -- ETSI M2 CAB0x05 -- ITU-

307CONFIG Commandsport-bandplan BP1_998_3 (0x00)BP2_998_3 (0x01)BP998_3B_8_5M (0x01) BP3_998_4 (0x02)BP998_4B_12M (0x02)BP4_997

308framing-mode HDLC – 0x80AUTO – 0x90ATM – 0x00band-mod Bit 0, 1: Tx Cfg band1- All tones on2- All tones below 640 Khz are turned off3- All tones bel

309CONFIG Commandsrx-filter 0: using internal filter in Rx path1: using K1 external filter in Rx path(for Korea VLR Application)2: using U1 external filte

31Home Page - Basic ModeHome Page - Basic ModeAfter you have performed the basic Quickstart configuration, any time you log in to your Netopia Gateway

310

311CHAPTER 7 Glossary10Base-T. IEEE 802.3 specification for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at

312ADSL. Asymmetric Digital Subscriber Line. Modems attached to twisted pair copper wiring that transmit 1.5-9 Mbps downstream (to the subscriber) and

313BRI. Basic Rate Interface. ISDN standard for provision of low-speed ISDN services (two B channels (64 kbps each) and one D channel (16 kbps)) over

314crossover cable. Cable that lets you connect a port on one Ethernet hub to a port on another Ethernet hub. You can order an Ethernet crossover cabl

315Diffie-Hellman. A group of key-agreement algorithms that let two computers compute a key independently without exchanging the actual key. It can gen

316encapsulation. Technique used to enclose information formatted for one protocol, such as AppleTalk, within a packet formatted for a different proto

317FTP. File Transfer Protocol. Application protocol that lets one IP node trans-fer files to and from another node.FTP server. Host on network from wh

318-----I-----IGMP. Internet Group Management Protocol allows a router to determine which host groups have members on a given network segment.IKE. Int

319-----K-----Key Management . The Key Management algorithm manages the exchange of security keys in the IPSec protocol architecture. SafeHarbour supp

32The Home Page displays the following information in the center section: The links in the left-hand column on this page allow you to manage or configu

320at the other end of the connection converts the analog signal back to a digi-tal signal. MRU. Maximum Receive Unit. The maximum packet size, in byt

321Aggressive Mode. Main mode requires 3 two-way message exchanges while Aggressive mode only requires 3 total message exchanges.null modem. Cable or

322PPP. Point-to-Point Protocol. Provides a method for transmitting datagrams over serial router-to-router or host-to-network connections using synchr

323route. Path through a network from one node to another. A large internet-work can have several alternate routes from a source to a destination. rou

324Soft MBytes. Setting the Soft MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Soft MByte value.

325-----T-----telnet. IP protocol that lets a user on one host establish and use a virtual terminal connection to a remote host.TR-064. TR-064 is a LA

326-----W-----WAN. Wide Area Network. Private network facilities, usually offered by pub-lic telephone companies but increasingly available from alter

327DescriptionCHAPTER 8 Technical Specifications and Safety InformationDescriptionDimensions: Smart Modems: 13.5 cm (w) x 13.5 cm (d) x 3.5 cm (h); 5.

328Relative storage humidity: 20 to 80% noncondensingSoftware and protocolsSoftware media: Software preloaded on internal flash memory; field upgrades d

329Agency approvalsAgency approvalsNorth AmericaSafety Approvals: United States – UL 60950, Third Edition Canada – CSA: CAN/CSA-C22.2 No. 60950-00EM

33Home Page - Basic ModeLink: Manage My AccountYou can change your ISP account information for the Netopia Gateway. You can also man-age other aspects

330The Netopia Firmware Version 7.6 complies with the following EU directives: Low Voltage, 73/23/EEC EMC Compatibility, 89/336/EEC, conforming to E

331Manufacturer’s Declaration of Conformance☛ ImportantThis product was tested for FCC compliance under conditions that included the use of shielded

332Important Safety InstructionsAustralian Safety InformationThe following safety information is provided in conformance with Australian safety requir

33347 CFR Part 68 Information47 CFR Part 68 InformationFCC Requirements1. The Federal Communications Commission (FCC) has established Rules which perm

334d) The REN is used to determine the number of devices that may be connected to a telephone line. Excessive RENs on a telephone line may result in t

335CHAPTER 9 Overview of Major CapabilitiesThe Netopia Gateway offers simplified setup and management features as well as advanced broadband router cap

336Wide Area Network TerminationPPPoE/PPPoA (Point-to-Point Protocol over Ethernet/ATM)The PPPoE specification, incorporating the PPP and Ethernet stan

337Simplified Local Area Network Setup• Your network may change address with each connection making it more difficult to attack.When you configure Insta

338☛ NOTE:The Netopia DNS Proxy only proxies UDP DNS queries, not TCP DNS queries.ManagementEmbedded Web ServerThere is no specialized software to in

339SecurityTraceRoute - displays the path to a destination by showing the number of hops and the router addresses of these hops.The system log also pr

34Link: Status DetailsIf you need to diagnose any problems with your Netopia Gateway or its connection to the Internet, you can run a sophisticated di

340from routers on networks connected to its WAN interface. In other words, the end com-puter stations on your LAN are invisible from the Internet.Onl

341Security☛ NOTE:1. The default setting for NAT is ON.2. Netopia uses Port Address Translation (PAT) to implement the NAT facility.3. NAT Pinhole tr

342Common TCP/IP protocols and ports are:See page 75 for How To instructions.Default ServerThis feature allows you to:• Direct your Gateway to forward

343SecurityIP-PassthroughNetopia OS now offers an IP passthrough feature. The IP passthrough feature allows a sin-gle PC on the LAN to have the Gatewa

344☛ NOTE:Typically, no special configuration is necessary to use the IPSec pass through feature.In the diagram, VPN PC clients are shown behind the N

345IndexSymbols!! command 226AAccess the GUI 39Address resolution table 232Administrativerestrictions 255Administrator password 39,123, 224Arguments,

346DSL Forum settings 299EEcho request 265echo-period 265Embedded Web Server 338Ethernet address 244Ethernet statistics 230FFeature KeysObtaining 184f

347Install Software 179Quickstart 48, 50, 68Local Area Network 337Location, SNMP 282Log 234Logging in 224lost echoes 265MMagic number 265Memory 234Met

348Restrictions 255RIP 251, 253Routing Information Protocol(RIP) 251, 253SSecondary nameserver 248Secure Sockets Layer 188Securityfilters 154Security

349Syslog 111System contact, SNMP 282System diagnostics 284system idle-timeout 284TTelnet 224, 262Telnet command 235Telnet traffic 269TFTP 262TFTP ser

35Home Page - Basic ModeLink: Enable Remote ManagementThis link allows you to authorize a remotely-located person, such as a support technician, to di

350

Netopia 2200 and 3300 series by NetopiaNetopia, Inc.6001 Shellmound StreetEmeryville, CA 94608April 10, 2006

36Link: Expert ModeMost users will find that the basic Quickstart configuration is all that they ever need to use. Some users, however, may want to do m

37Home Page - Basic ModeLink: Update Firmware(This link is not available on the 3342/3352 models, since firmware updates must be upgraded via the USB h

38Link: Factory ResetIn some cases, you may need to clear all the configuration settings and start over again to program the Netopia Gateway. You can p

39Accessing the Expert Web InterfaceCHAPTER 3 Expert ModeUsing the Expert Mode Web-based user interface for the Netopia 2200- and 3300-series Gateway

Table of Contents 4 Status Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Enable Remote Management

403. Click on the Expert Mode link in the left-hand column of links.You are challenged to confirm your choice.Click OK.The Home Page opens in Expert Mo

41Accessing the Expert Web InterfaceHome Page - Expert ModeThe Home Page is the summary page for your Netopia Gateway. The toolbar at the top pro-vide

42Home Page - InformationThe Home page’s center section contains a summary of the Gateway’s configuration set-tings and operational status.Summary Info

43Accessing the Expert Web InterfaceDHCP Server On or Off. ON if using DHCP to get IP addresses for your LAN client machines.DHCP Leases A “lease” is

44ToolbarThe toolbar is the dark blue bar at the top of the page containing the major navigation but-tons. These buttons are available from almost eve

45RestartRestartButton: RestartThe Restart button on the toolbar allows you to restart the Gateway at any time. You will be prompted to confirm the res

46Link: Alert SymbolThe Alert symbol appears in the upper right corner if you make a database change; one in which a change is made to the Gateway’s c

47HelpHelpButton: HelpContext-sensitive Help is provided in your Gateway. The page shown here is displayed when you are on the Home page or other tran

48ConfigureButton: ConfigureThe Configuration options are presented in the order of likelihood you will need to use them. Quickstart is typically accesse

49Configure2. Click Connect to the Internet.A brief message is displayed while the Gateway attempts to establish a connection. 3. When the connection

5 Table of Contents Configure the IPMaps Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83FAQs for the IPMaps Feature . . . .

50Link: LAN* Enable Interface: Enables all LAN-connected computers to share resources and to con-nect to the WAN. The Interface should always be enabl

51Configure• Advanced: Clicking on the Advanced link displays the Advanced LAN IP Interface page.• IGMP Forwarding: The default setting is Disabled. I

52• Static Client Address Translation: If you check this checkbox, this feature allows a statically addressed computer whose IP address falls outside

53ConfigureWireless(supported models)If your Gateway is a wireless model (such as a 3347W) you can enable or disable the wire-less LAN (WLAN) by click

54☛ NOTE:On the 2200-Series Gateways, WEP-Manual privacy is enabled by default. Use the Netopia Installation Wizard on the accompanying Netopia CD to

55ConfigureThe Pre Shared Key is a passphrase shared between the Router and the clients and is used to generate dynamically changing keys. The passphr

56Click the Submit button. The Alert icon appears. Click the Alert icon, and then the Save and Restart link.

57ConfigureAdvancedIf you click the Advanced link, the advanced 802.11 Wireless Settings page appears.Note: This page displays different options depen

58options you have enabled.You can then configure:Operating Mode: The pull-down menu allows you to select and lock the Gateway into the wireless transm

59ConfigureEnable Closed System Mode: If enabled, Closed System Mode hides the wireless net-work from the scanning features of wireless client compute

Table of Contents 6 SafeHarbour IPSec VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Configuring a SafeHarbour VPN . . .

60Block Wireless Bridging: Check the checkbox to block wireless clients from communicat-ing with other wireless clients on the LAN side of the Gateway

61ConfigureEncryption Key #1 – #4: The encryption keys. You enter keys using hexadecimal digits. For 40/64bit encryption, you need ten digits; 26 digi

62Multiple SSIDsThe Multiple Wireless SSIDs feature allows you to add additional network identifiers (SSIDs or Network Names) for your wireless network

63ConfigurePrivacy modes available from the pull-down menu for the multiple SSIDs are: WPA-PSK, WPA-802.1x, or Off-No Privacy. WEP can also be selecte

64To enable Wireless MAC Authentication, click the MAC Authorization link.When the Wireless MAC Authentication screen appears, check the Enable Wirele

65ConfigureEnter the MAC (hardware) address of the client PC you want to authorize for access to your wireless LAN. The Allow Access? checkbox is enab

66Use RADIUS ServerRADIUS servers allow external authentication of users by means of a remote authentica-tion database. The remote authentication data

67ConfigureThe Advanced Network Configuration page appears.You access the RADIUS Server configuration screen from the Advanced Network Configura-tion web

68Link: WANWAN IP InterfacesYour IP interfaces are listed. Click on an interface to configure it.IP GatewayEnable Gateway: You can configure the Gateway

69ConfigureATM Circuits: You can configure the ATM circuits and the number of Sessions. The IP Interface(s) should be reconfigured after making changes

7 Table of Contents Modifying filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170Deleting filters. . . . . . . .

70You can choose UBR (Unspecified Bit Rate), CBR (Constant Bit Rate), or VBR (Variable Bit Rate) from the pull-down menu and set the Peak Cell Rate (PC

71Configure☛ Note:The difference between VBR-rt and VBR-nrt is the tolerated Cell Delay Varia-tion range and the provisioned Maximum Burst Size. Clas

72Link: AdvancedSelected Advanced options are discussed in the pages that follow. Many are self-explana-tory or are dictated by your service provider.

73ConfigureLink: IP Static RoutesA static route identifies a manually configured pathway to a remote network. Unlike dynamic routes, which are acquired

74• Interface Type: Choose PPP (vcc1) – depending on the interface; typically vcc1 for DSL – or IP Address from the pull-down menu to specify whether

75ConfigureWhen you are finished, click the Alert icon , switch to the Save Changes page, and click the Save Changes link.Link: IP Static ARPYour Gate

76Configure Specific Pinholes. Planning for Your Pinholes. Determine if any of the service applications that you want to provide on your LAN stations us

77Configure☛ TIPS for making Pinhole Entries:1. If the port forwarding feature is required for Web services, ensure that the embedded Web server’s po

78A diagram of this LAN example is:You can also use the LAN-side address of the Gateway, 192.168.1.x:8100 to access the web and 192.168.1.x:23 to acce

79ConfigurePinhole Configuration Procedure. Use the following steps:1. From the Configure toolbar button -> Advanced link, select the Internal Server

Table of Contents 8 CHAPTER 6 Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . 221 Overview . . . . . . . . . . . . . . . . .

805. Click Add. Type your specific data into the Pinhole Entries table of this page. Click Submit. 6. Click on the Add or Edit more Pinholes link. Clic

81Configure7. Click on the Add or Edit more Pinholes link. Click the Add button. Add the next Pinhole. Type the specific data for the third Pinhole.☛

8210. Select the Save and Restart link to complete the entire Pinhole creation task and ensure that the parameters are properly saved.☛ NOTE:REMEMBER

83ConfigureConfigure the IPMaps FeatureFAQs for the IPMaps FeatureBefore configuring an example of an IPMaps-enabled network, review these frequently as

84IPMaps Block DiagramThe following diagram shows the IPMaps principle in conjunction with existing Netopia NAT operations:NAT/PAT Table143.137.50.371

85ConfigureLink: Default ServerThis feature allows you to:• Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols o

86Typical Network Diagram. A typical network using the NAT Default Server looks like this:You can also use the LAN-side address of the Gateway, 192.16

87ConfigureWith this topology, you configure the embedded administration ports as a first task, fol-lowed by the Pinholes and, finally, the NAT Default S

88The Host Hardware Address field displays. Here you enter the MAC address of the desig-nated IP-Passthrough computer.• If this MAC address is not all

89ConfigureLink: Differentiated ServicesWhen you click the Differentiated Services link, the Differentiated Services configura-tion screen appears.Neto

9 Table of Contents Default IP Gateway Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 254IP-over-PPP Settings . . . . . . . . . .

90You can then define Custom Flows. If your applications do not provide Quality of Service (QoS) control, Custom Flows allows you to define streams for

91Configure• Quality of Service (QoS) – This is the Quality of Service setting for the flow, based on the TOS bit information. Select Expedite, Assure,

92Link: DNSYour Service Provider may maintain a Domain Name server. If you have the information for the DNS servers, enter it on the DNS page. If your

93ConfigureYour Service Provider may, for certain services, want to provide configuration from its DHCP servers to the computers on your LANs. In this

94Link: RADIUS ServerRADIUS servers allow external authentication of users by means of a remote authentica-tion database. The remote authentication da

95ConfigureLink: SNMPWhen you click the SNMP link, the SNMP configuration page appears.The Simple Network Management Protocol (SNMP) lets a network adm

96☛ WARNING:SNMP presents you with a security issue. The community facility of SNMP behaves somewhat like a password. The community “public” is a wel

97ConfigureThe IP Trap Entry screen appears.Enter an IP Trap Entry IP address. This is the destination for SNMP trap messages, the IP address of the h

98To configure the IGMP options available in Netopia Gateways, click the IGMP link.The IGMP page appears.You can set the following options:• IGMP Snoop

99Configure• Unsolicited Report Interval – the amount of time in seconds between repetitions of a particular computer’s initial report of membership i