Netopia 3300-ENT Instrukcja Użytkownika

NNNNeeeettttooooppppiiiiaaaa ®®®® FFFFiiiirrrrmmmmwwwwaaaarrrreeee UUUUsssseeeerrrr GGGGuuuuiiiiddddeeee 3333333300000000----EEEENNNNTT

x Firmware User Guide

4-8 Firmware User GuideAbout L2TP TunnelsL2TP stands for Layer 2 Tunnelling Protocol, an extension to the PPP protocol. L2TP combines features of two

Virtual Private Networks (VPNs) 4-9When you define a Connection Profile as using L2TP by selecting L2TP as the datalink encapsulation method, and then

4-10 Firmware User Guide• You can specify that this Router will Initiate Connections (acting as a PAC) or only answer them (acting as a PNS).• Tunnel

Virtual Private Networks (VPNs) 4-11About GRE TunnelsGeneric Routing Encapsulation (GRE) protocol is another form of tunneling that Netopia routers

4-12 Firmware User Guide• Enter a GRE Partner IP Address in standard dotted-quad format to specify the address of the other end of the tunnel.• You c

Virtual Private Networks (VPNs) 4-13The IP Profile Parameters screen appears.• Enter the Remote IP Address and Remote IP Mask for the host to which y

4-14 Firmware User GuideVPN force-allGRE tunnelling supports “VPN force-all,” which forces all traffic coming from the LAN onto the GRE tunnel. You ac

Virtual Private Networks (VPNs) 4-15About ATMP TunnelsTo set up an ATMP tunnel, you create a Connection Profile including the IP address and other re

4-16 Firmware User GuideWhen you define a Connection Profile as using ATMP by selecting ATMP as the datalink encapsulation method, and then select Data

Virtual Private Networks (VPNs) 4-17• You can specify that this Router will Initiate Connections, acting as a foreign agent (Ye s), or only answer t

Introduction 1-1 CCCChhhhaaaapppptttteeeerrrr 1111 IIIInnnnttttrrrroooodddduuuuccccttttiiiioooonnnn This Firmware User Guide covers the adva

4-18 Firmware User GuideMS-CHAP V2 and 128-bit strong encryptionNotes:• Netopia Firmware Version 8.4 supports 128-bit (“strong”) encryption when usin

Virtual Private Networks (VPNs) 4-19• Toggle Answer ATMP/PPTP Connections to Yes if you want the Router to accept VPN connections or No (the default

4-20 Firmware User GuideVPN QuickViewYou can view the status of your VPN connections in the VPN QuickView screen.From the Main Menu select QuickView

Virtual Private Networks (VPNs) 4-21Dial-Up Networking for VPNMicrosoft Windows Dial-Up Networking software permits a remote standalone workstation

4-22 Firmware User GuideThe Communications window appears.5. In the Communications window, select Dial-Up Networking and click the OK button.This ret

Virtual Private Networks (VPNs) 4-23Configuring a Dial-Up Networking profileOnce you have created your Dial-Up Networking profile, you configure it for

4-24 Firmware User Guide4. Click the TCP/IP Settings button. • If your ISP uses dynamic IP addressing (DHCP), select the Server assigned IP address r

Virtual Private Networks (VPNs) 4-25For PPTP negotiation to work, TCP packets inbound and outbound destined for port 1723 must be allowed. Likewise,

4-26 Firmware User GuidePPTP exampleTo enable a firewall to allow PPTP traffic, you must provision the firewall to allow inbound and outbound TCP packet

Virtual Private Networks (VPNs) 4-27In the Display/Change Filter Set screen select Display/Change Output Filter. Display/Change Output Filter screen

1-2 Firmware User Guide Telnet-based Management Telnet-based management is a fast menu-driven interface for the capabilities built into the Netopia

4-28 Firmware User GuideSelect Output Filter 2 and press Return. In the Change Output Filter 2 screen, set the Protocol Type to allow GRE as shown be

Virtual Private Networks (VPNs) 4-29Select Input Filter 1 and press Return. In the Change Input Filter 1 screen, set the Destination Port informatio

4-30 Firmware User GuideIn the Display/Change Filter Set screen select Display/Change Output Filter. Display/Change Output Filter screenSelect Output

Virtual Private Networks (VPNs) 4-31Windows Networking BroadcastsNetopia firmware provides the ability to forward Windows Networking NetBIOS broadcas

4-32 Firmware User GuideConfiguration for Router AConfiguration for Router B IP Profile Parameters Address Translati

Virtual Private Networks (VPNs) 4-33Note: Microsoft Network browsing is available with or without a Windows Internet Name Service (WINS) server. Sha

4-34 Firmware User Guide

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-1CCCChhhhaaaapppptttteeeerrrr 5555IIIInnnntttteeeerrrrnnnneeeetttt KKKKeeeeyyyy

5-2 Firmware User GuideThe advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec secure communicat

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-3The Add Connection Profile screen appears.• From the Encapsulation Type pop-up menu sele

Introduction 1-3 provider or remote site. See “WAN Configuration,” beginning on page 2-1. See also Chapter 4, “Virtual Private Networks (VPNs).” • T

5-4 Firmware User Guide• A pop-up window displays a list of IKE Phase 1 Profiles that you have configured. If you have not previously configured an IKE

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-5• The Profile Name field accepts any name of up to 16 characters. Sixteen IKE Phase 1 pro

5-6 Firmware User GuideNormally it is not necessary to change the settings of the items on the Advanced IKE Phase 1 Options screen. Most of these set

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-7• Include Vendor-ID Payload toggles whether or not the Router includes the vendor-ID pa

5-8 Firmware User GuideSelecting Delete IKE Phase 1 Profile and choosing an IKE phase 1 profile name from the pop-up list displays a confirmation alert

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-9A Change Connection Profile screen is shown below.Note: The Change Connection Profile scr

5-10 Firmware User GuideThe Key Management pop-up menu at the top of the IPsec Tunnel Options screen allows you to choose between IKE key management

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-11• The ESP Authentication Transform pop-up menu (which is visible only if you have sele

5-12 Firmware User Guide• Maximum Packet Size permits you to modify the MTU setting for the tunnel. Some ISPs require a setting of e.g. 1492 (or othe

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-13The defaults are 5 seconds and 90 seconds, respectively. You may adjust these to suit

1-4 Firmware User Guide Configuring Telnet software If you are configuring your device using a Telnet session, your computer must be running a Telnet

5-14 Firmware User GuideAdvantages of Multiple Network IPsec are:• scalability• flexibility, by adding any combination of remote/local network ranges•

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-15Last Address. You supply these values.Complete the Local Member 1st Address and Local

5-16 Firmware User Guide• Scroll down and up with the arrow keys to select the one you want to change, and press Return. You will be returned to the

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-17• Specifying IKE key management alters the Advanced IP Profile Options screen as follow

5-18 Firmware User GuideIPsec WAN Configuration ScreensYou can also configure IKE Phase 1 Profiles in the WAN Configuration menus.The WAN Configuration sc

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-19The IKE Phase 1 Configuration screen allows configuration of global (non-connection-profi

5-20 Firmware User GuideSelect IPsec Manual Keys and press Return.Depending on your selections of Encapsulation, Encryption Transform, and Authentica

Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-21If the remote tunnel end point is a hostname (or “0.0.0.0”) 0.0.0.0 is displayed until

5-22 Firmware User GuideIKE: no matching ph2 proposal Either the local Router rejected the proposals of the remote or the remote rejected the local R

IP Setup 6-1CCCChhhhaaaapppptttteeeerrrr 6666IIIIPPPP SSSSeeeettttuuuuppppThe Netopia Firmware Version 8.4 uses Internet Protocol (IP) to comm

Introduction 1-5 To help you find your way to particular screens, some sections in this guide begin with a graphical path guide similar to the follo

6-2 Firmware User GuideIP SetupThe IP Setup options screen is where you configure the Ethernet side of the Router. The information you enter here cont

IP Setup 6-3The Netopia Firmware Version 8.4 supports multiple IP subnets on the Ethernet interface. You may want to configure multiple IP subnets to

6-4 Firmware User Guidethat the addresses distributed by the Router and those that are manually configured are not the same. Each method of distributi

IP Setup 6-5For example:• To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing

6-6 Firmware User GuideIf you have configured multiple Ethernet IP subnets, the IP Setup screen changes slightly:The IP address and Subnet mask items

IP Setup 6-7The Static Routes screen will appear.Viewing static routesTo display a view-only table of static routes, select Display/Change Static Ro

6-8 Firmware User GuideSubnet Mask: The subnet mask associated with the destination network.Next Gateway: The IP address of the gateway that will be

IP Setup 6-9• To make sure that the static route is known only to the Router, select Advertise Route Via RIP and toggle it to No. To allow other RIP

6-10 Firmware User GuideRIP-2 MD5 AuthenticationFirmware version 5.3.7 supports RIP-2 MD5 Authentication (RFC2082 Routing Internet Protocol Version 2

IP Setup 6-11• Select RIP Options. The Ethernet LAN RIP Options screen appears.• Select Receive RIP, and from the pull-down menu choose v2 MD5 Authe

1-6 Firmware User Guide

6-12 Firmware User Guide• You can also select Transmit RIP, and choose v2 MD5 (broadcast) or v2 MD5 (multicast) from the pull-down menu.• RIP v2 Auth

IP Setup 6-13• Select RIP v2 Authentication Keys.The RIP v2 Authentication Keys screen appears.Adding a keySelect Add Key. The Add Key Screen appear

6-14 Firmware User Guide• The Start Date and End Date formats are determined by the System Date Format, set on the Set Date and Time menu under the S

IP Setup 6-15Connection Profiles and Default ProfileRIP-2 MD5 authentication may be configured in Connection Profiles, as well. If you are not using NAT

6-16 Firmware User Guide• Receive RIP is always visible. Here you select Off, v1, v2, Both v1 and v2, or v2 MD5 Authentication from the pull-down men

IP Setup 6-17IP Address ServingIn addition to being a gateway, the Router is also an IP address server. There are three protocols it can use to dist

6-18 Firmware User GuideFollow these steps to configure IP Address Serving:• If you enabled IP Address Serving, then DHCP, BootP clients and Dynamic W

IP Setup 6-19If you have configured multiple Ethernet IP subnets, the appearance of the IP Address Serving screen is altered slightly:Three menu item

6-20 Firmware User GuideIP Address PoolsThe IP Address Pools screen allows you to configure a separate IP address serving pool for each of up to eight

IP Setup 6-21Numerous factors influence the choice of served address. It is difficult to specify the address that will be served to a particular clien

WAN and System Configuration 2-1 CCCChhhhaaaapppptttteeeerrrr 2222 WWWWAAAANNNN aaaannnndddd SSSSyyyysssstttteeeemmmm CCCCoooonnnnffff

6-22 Firmware User Guide• To serve DHCP clients with the type of NetBIOS used on your network, select Serve NetBIOS Type and toggle it to Yes . • Fro

IP Setup 6-23Select NetBIOS Name Server IP Addr and enter the IP address for the NetBIOS name server.You are now finished setting up DHCP NetBIOS Opt

6-24 Firmware User Guide• The ability to view the host name associated with a client to which the gateway has leased an IP address.• The ability for

IP Setup 6-25You can select the entries in the Served IP Addresses screen. Use the up and down arrow keys to move the selection to one of the entrie

6-26 Firmware User GuideSelecting Details… displays a pop-up menu that provides additional information associated with the IP address. The pop-up men

IP Setup 6-27An IP address is marked declined when a client to whom the DHCP server offers the address declines the address. A client declines an ad

6-28 Firmware User GuideDHCP Relay AgentThe Netopia Firmware Version 8.4 offers DHCP Relay Agent functionality, as defined in RFC1542. A DHCP relay ag

IP Setup 6-29Select IP Address Serving and press Return. The IP Address Serving screen appears.Select IP Address Serving Mode. The pop-up menu offer

6-30 Firmware User GuideNow you can enter the IP address(es) of your remote DHCP server(s), such as might be located in your company’s corporate head

IP Setup 6-31The Add Connection Profile screen appears.On a Router you can add up to 15 more connection profiles, for a total of 16, although only one

2-2 Firmware User GuideWAN Ethernet Configuration screenThe WAN Ethernet Configuration screen appears as follows:• Address Translation Enabled allows y

6-32 Firmware User Guide4. Toggle or enter any IP parameters you require and return to the Add Connection Profile screen by pressing Escape. For more

IP Setup 6-33Multicast ForwardingMulticast is a method for transmitting large amounts of information to many, but not all, hosts over an Internet. O

6-34 Firmware User GuideTypically, you will have a Connection Profile that you created in Easy Setup. You may have more. Select the Connection Profile

Line Backup 7-1CCCChhhhaaaapppptttteeeerrrr 7777LLLLiiiinnnneeee BBBBaaaacccckkkkuuuuppppNetopia Firmware Version 8.4 offers line backup funct

7-2 Firmware User Guide• the Backup IP Gateway menu item in the IP Setup screen under the System Configuration menuHere you enter a Backup Gateway IP

Line Backup 7-3Assuming you selected PPP, new fields appear.Underlying Encapsulation and PPP Mode do not usually need to be changed for a PPP connect

7-4 Firmware User GuideThe Datalink (PPP/MP) Options screen appears.• Data Compression should remain set to Standard LZS.• Usually, you use PAP Authe

Line Backup 7-5• Select IP Profile Parameters. The IP Profile Parameters screen appears.• Unless otherwise instructed, accept the defaults, except the

7-6 Firmware User Guide• From the Dial pop-up menu, you can choose whether to Dial Out Only, Dial In Only, or Dial In/Out (default).• Dialing Prefix:

Line Backup 7-7IP SetupHere, you set the IP address of the alternate gateway.Navigate to the IP Setup screen under the System Configuration menu.• Se

WAN and System Configuration 2-3• The WAN Ethernet Speed Setting is now configurable via a pop-up menu. Options are: Auto-Negotiation (the default), 1

7-8 Firmware User GuideWAN ConfigurationTo configure the modem characteristics, from the Main Menu select WAN Configuration and then WAN Setup. The Choo

Line Backup 7-9Choose the interface to configure for backup, MODEM (Wan Module 2) Setup.The Internal Modem Setup screen appears.• Modem Dialing Prefix

7-10 Firmware User GuideBackup Configuration screenNavigate to the Backup Configuration screen.This screen is used to configure the conditions under whi

Line Backup 7-11has gone down. Should this address become unreachable the router will treat this as a loss of connectivity and begin the backup time

7-12 Firmware User GuideUsing Scheduled Connections with BackupThe backup link is a PPP dial-up connection and only connects to the Internet service

Line Backup 7-13• Toggle Scheduled Connection Enable to On.• From the How Often pop-up menu, select Weekly and press Return.• From the Schedule Type

7-14 Firmware User Guide• Select Use Connection Profile, and press Return. A screen displays all of your Connection Profiles. Select the one you want t

Line Backup 7-15The Backup Configuration screen appears.This screen is used to configure the conditions under which backup will occur, if it will reco

7-16 Firmware User GuideIP Setup screenTo configure the backup gateway, from the Main Menu select System Configuration then IP Setup.The IP Setup scree

Line Backup 7-17Backup Management/StatisticsIf backup is enabled, the Statistics & Logs menu offers a Backup Management/Statistics option.To vie

Copyright Copyright© 2004, Netopia, Inc. Netopia and the Netopia logo are registered trademarks belonging to Netopia, Inc., registered U.S. Patent an

2-4 Firmware User GuideIf you want the Netopia Router to advertise its routing table to other routers via RIP, select Transmit RIP and select v1, v2

7-18 Firmware User GuideDuring recovery, the following reasons may appear:• Time Since Detection is a display-only field that is only visible if backu

Monitoring Tools 8-1CCCChhhhaaaapppptttteeeerrrr 8888MMMMoooonnnniiiittttoooorrrriiiinnnngggg TTTToooooooollllssssThis chapter discusses the R

8-2 Firmware User GuideGeneral statusCurrent Date: The current date; this can be set with the Date and Time utility (see “Date and time” on page 2-29

Monitoring Tools 8-3Current statusThe current status section is a table showing the current status of the DSL connection. For example:Profile Name: L

8-4 Firmware User GuideStatistics & LogsWhen you are troubleshooting your Router, the Statistics & Logs screens provide insight into the rece

Monitoring Tools 8-5WAN Event HistoryThe WAN Event History screen lists a total of 128 events on the WAN. The most recent events appear at the top.E

8-6 Firmware User GuideIn the Statistics & Logs screen, select Device Event History. The Device Event History screen appears.If the event history

Monitoring Tools 8-7IP Routing TableThe IP routing table displays all of the IP routes currently known to the Router.The routing table screen repres

8-8 Firmware User GuidePhysical InterfaceThe top left side of the screen lists total packets received and total packets transmitted for the following

Monitoring Tools 8-9System InformationThe System Information screen gives a summary view of the general system level values in the Router.From the S

WAN and System Configuration 2-5VCs are identified by a Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI). A VPI is an 8-bit value betw

8-10 Firmware User GuideSimple Network Management Protocol (SNMP)The Netopia Firmware Version 8.4 includes a Simple Network Management Protocol (SNMP

Monitoring Tools 8-11The SNMP Setup screenFrom the Main Menu, select SNMP in the System Configuration screen and press Return. The SNMP Setup screen

8-12 Firmware User GuideCommunity stringsThe Read-Only Community String and the Read/Write Community String are like passwords that must be used by a

Monitoring Tools 8-13To go to the IP Trap Receivers screen, select IP Trap Receivers. The IP Trap Receivers screen appears.Setting the IP trap recei

8-14 Firmware User Guide

Security 9-1CCCChhhhaaaapppptttteeeerrrr 9999SSSSeeeeccccuuuurrrriiiittttyyyyThe Netopia Firmware Version 8.4 provides a number of security featu

9-2 Firmware User GuideTelnet Tiered Access – Two Password LevelsNetopia Firmware Version 8.4 offers tiered access control for greater security and p

Security 9-3PCs using UPnP can retrieve the Gateway’s WAN IP address, and automatically create NAT port maps. This means that applications that supp

9-4 Firmware User GuideLimited user configurationThe Add Access Name/Password and Show/Change Access Name/Passwords screens allow you to select which

Security 9-5You can toggle the default user privileges for each user. The defaults are set to minimize the possibility of an individual user inadver

2-6 Firmware User Guide• Enter a name for the circuit in the Circuit Name field.• Toggle Circuit Enabled to Yes.• Enter the Virtual Path Identifier and

9-6 Firmware User GuideAdvanced Security OptionsThe Advanced Security Options screen allows you to configure the global access privileges of users aut

Security 9-7Since authentication via RADIUS server is, by definition, authentication of remote users, the WAN-related defaults are preset to Yes. Tog

9-8 Firmware User GuideTACACS+ server authenticationNetopia Firmware Version 8.4 supports TACACS+ server authentication. Its application to a Netopia

Security 9-9Selecting this option displays the Change Access Password screen.When changing a password, you will be challenged to enter it again to b

9-10 Firmware User Guide• All users have access to System Configuration, Quick Menus, and Quick View, but limited users have only limited access to co

Security 9-11WAN Configuration screensIf a limited user is allowed WAN, Connection Profile, or PVC configuration access, the WAN Configuration option in

9-12 Firmware User GuideConnection ProfilesThe Superuser can disallow limited user access to a particular Connection Profile. When adding a Connection

Security 9-13Note: Network Address Translation (NAT) is displayed in this screen in order to make access control simpler. Security becomes Change Ac

9-14 Firmware User GuideUtilities & Diagnostics menuBased on access level, the Utilities & Diagnostics menu displays its configuration options

Security 9-15Quick MenusQuick Menus vary considerably between models, features, and access levels. The following is an example comparison of the Qui

WAN and System Configuration 2-7VBR: This class is characterized by:• a Peak Cell Rate (PCR), which is a temporary burst, not a sustained rate, and •

9-16 Firmware User GuideThe ATM Circuits Configuration menu screen appears as follows:Note: Multiple ATM circuit configuration is supported on multiple

Security 9-17About Filters and Filter SetsSecurity should be a high priority for anyone administering a network connected to the Internet. Using pac

9-18 Firmware User GuideFilter priorityContinuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the packag

Security 9-19• Blocks (discards) the packet• Ignores the packetA filter forwards or blocks a packet only if it finds a match after applying its criter

9-20 Firmware User GuidePort number comparisonsA filter can also use a comparison option to evaluate a packet’s source or destination port number. The

Security 9-21Putting the parts togetherWhen you display a filter set, its filters are displayed as rows in a table:The table’s columns correspond to e

9-22 Firmware User GuideFiltering example #1Returning to our filtering rule example from above (see page 9-19), look at how a rule is translated into

Security 9-23This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address si

9-24 Firmware User Guide• That which is not expressly permitted is prohibited.It is strongly recommended that you take the latter, and safer, approac

Security 9-25Adding a filter setYou can create up to eight different custom filter sets. Each filter set can contain up to 16 output filters and up to 1

2-8 Firmware User GuideNote: With multiple VCs you must explicitly statically bind the second (and all subsequent) VCs to a profile. The first VC will

9-26 Firmware User GuideAdding filters to a filter setThere are two kinds of filters you can add to a filter set: input and output. Input filters check pa

Security 9-27Note: There are two groups of items in this screen, one for input filters and one for output filters. In this section, you’ll learn how t

9-28 Firmware User Guide3. If you want the filter to forward packets that match its criteria to the destination IP address, select Forward and toggle

Security 9-29Deleting filtersTo delete a filter, select Delete Input Filter or Delete Output Filter in the Display/Change Filter Set screen to display

9-30 Firmware User GuideBasic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic orig

Security 9-31Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked.Basic Firewa

9-32 Firmware User GuideFTP sessions. To allow WAN-originated FTP sessions to a LAN-based FTP server with the IP address a.b.c.d (corresponding to a

Security 9-33The new filterset screen appears as follows:To use the policy-based routing feature, you create a filter that forwards the traffic.• Toggl

9-34 Firmware User GuideNote:Default Forwarding FilterIf you create one or more filters that have a matching action of forward, then action on a packe

Security 9-35Firewall TutorialGeneral firewall termsFilter rule: A filter set is comprised of individual filter rules.Filter set: A grouping of individ

WAN and System Configuration 2-9Creating a New Connection ProfileConnection profiles are useful for configuring the connection and authentication settin

9-36 Firmware User GuideExample TCP/UDP PortsFirewall design rulesThere are two basic rules to firewall design:• “What is not explicitly allowed is de

Security 9-37and a packet goes through these rules destined for FTP, the packet would forward through the first filter rule (WWW), match the second ru

9-38 Firmware User GuideEstablished connectionsThe TCP header contains one bit called the ACK bit (or TCP Ack bit). This ACK bit appears only with TC

Security 9-39Example networkExample filtersExample 1 Incoming packet has the source address of 200.1.1.28Less Than or Equal Any port less than or equ

9-40 Firmware User Guide This incoming IP packet has a source IP address that matches the network address in the Source IP Address field (00000000) i

Security 9-41 Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 1011000, this rule

9-42 Firmware User Guide Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 01100000,

Security 9-43 Select Save Current Configuration as , and press Return. The Save Current Configuration screen appears.Enter a descriptive name for yo

9-44 Firmware User Guide A warning screen will ask you to confirm your choice. TFTP You can also send or receive your stored configuration files via TF

Utilities and Diagnostics 10-1 CCCChhhhaaaapppptttteeeerrrr 11110000 UUUUttttiiiilllliiiittttiiiieeeessss aaaannnndddd DDDDiiiiaaaag

2-10 Firmware User GuideMultiple Data Link Encapsulation Settings4. Select Encapsulation Options and press Return.• If you selected ATMP, PPTP, L2TP,

10-2 Firmware User Guide Ping The Netopia Firmware Version 8.4 includes a standard Ping test utility. A Ping test generates IP packets destined for

Utilities and Diagnostics 10-3Status: The current status of the Ping test. This item can display the status messages shown in the able below:Packets

10-4 Firmware User GuidePackets Lost: The number of packets unaccounted for, shown in total and as a percentage of total packets sent. This statisti

Utilities and Diagnostics 10-54. Select Use Reverse DNS to learn the names of the gateways between the Netopia Router and the destination gateway. T

10-6 Firmware User GuideFactory DefaultsYou can reset the Router to its factory default settings. In the Utilities & Diagnostics screen, select R

Utilities and Diagnostics 10-7Updating firmwareFirmware updates may be available periodically from Netopia or from a site maintained by your organiza

10-8 Firmware User Guide• Select Config File Name and enter the name of the file you will download. The name of the file is available from the site wher

Troubleshooting A-1AAAAppppppppeeeennnnddddiiiixxxx AAAATTTTrrrroooouuuubbbblllleeeesssshhhhoooooooottttiiiinnnnggggThis appendix is intended to h

A-2 Firmware User GuideNote: If you are attempting to modify the IP address or subnet mask from a previous, successful configuration attempt, you will

Troubleshooting A-3How to Reset the Router to Factory DefaultsLose your password? This section shows how to reset the Netopia Router so that you can

WAN and System Configuration 2-11Return to the Add Connection Profile screen by pressing Escape.5. Select IP Profile Parameters and press Return. The I

A-4 Firmware User GuideEnvironment profile• Locate the Router’s model number, product serial number, and firmware version. The serial number is on the

Understanding IP Addressing B-1AAAAppppppppeeeennnnddddiiiixxxx BBBBUUUUnnnnddddeeeerrrrssssttttaaaannnnddddiiiinnnngggg IIIIPPPP AAAAdddddd

B-2 Firmware User GuideIP addresses are maintained and assigned by the InterNIC, a quasi-governmental organization now increasingly under the auspice

Understanding IP Addressing B-3Subnet masksTo create subnets, the network manager must define a subnet mask, a 32-bit number that indicates which bits

B-4 Firmware User GuideNetwork configurationBelow is a diagram of a simple network configuration. The ISP is providing a Class C address to the custome

Understanding IP Addressing B-5BackgroundThe IP addresses and routing configurations for the devices shown in the diagram are outlined below. In addit

B-6 Firmware User GuideThese two methods are not mutually exclusive; you can manually issue some of the addresses while the rest are distributed by t

Understanding IP Addressing B-7ConfigurationThis section describes the specific IP address lease, renew, and release mechanisms for both the Mac and PC

B-8 Firmware User Guide• For a dynamic address, the Router releases the address back to the address pool after it has lost contact with the Mac works

Understanding IP Addressing B-9• define the address that you want to serve in the Connection Profile's IP Setup screen. This method requires a sta

2-12 Firmware User Guide6. Toggle or enter your IP Parameters.For more information, see:• “IP Setup” on page 6-2• “Network Address Translation (NAT)”

B-10 Firmware User GuideThe figure above shows an example of a block of IP addresses being distributed correctly.The example follows these rules:• An

Understanding IP Addressing B-11Nested IP SubnetsUnder certain circumstances, you may want to create remote subnets from the limited number of IP add

B-12 Firmware User GuideRouters B and C (which could also be Routers) serve the two remote networks that are subnets of a.b.c.0. The subnetting is ac

Understanding IP Addressing B-13Let’s see how a packet from the Internet gets routed to the host with IP address a.b.c.249, which is served by Router

B-14 Firmware User GuideThe following diagram illustrates the IP address space taken up by the two remote IP subnets. You can see from the diagram wh

Binary Conversion Table C-1AAAAppppppppeeeennnnddddiiiixxxx CCCCBBBBiiiinnnnaaaarrrryyyy CCCCoooonnnnvvvveeeerrrrssssiiiioooonnnn TTTTaaaabb

C-2 Firmware User Guide30 11110 62 111110 94 1011110 126 111111031 11111 63 111111 95 1011111 127 1111111Decimal Binary Decimal Binary Decimal Binary

Binary Conversion Table C-3159 10011111 191 10111111 223 11011111 255 11111111Decimal Binary Decimal Binary Decimal Binary Decimal Binary

C-4 Firmware User Guide

Technical Specifications and Safety Information D-1AAAAppppppppeeeennnnddddiiiixxxx DDDDTTTTeeeecccchhhhnnnniiiiccccaaaallll SSSSppppeeeecccciii

WAN and System Configuration 2-13• The Receive RIP pop-up menu controls the reception and transmission of Routing Information Protocol (RIP) packets

D-2 Firmware User GuideAgency approvalsNorth AmericaSafety Approvals:• United States – UL 60950 Third Edition• Canada – CSA: CAN/CSA-C22.2 No. 60950-

Technical Specifications and Safety Information D-3Manufacturer’s Declaration of ConformanceNote: Warnings:This is a Class B product. In a domestic en

D-4 Firmware User GuideBefore installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local te

Technical Specifications and Safety Information D-5• USB-powered models: For Use with Listed I.T.E. Only.Telecommunication installation cautions• Neve

D-6 Firmware User Guideb) List all applicable certification jack Universal Service Order Codes (“USOC”) for the equipment: RJ11.c) A plug and jack use

Technical Specifications and Safety Information D-7Electrical Safety AdvisoryTelephone companies report that electrical surges, typically lightning tr

D-8 Firmware User Guide

Index-1IIIInnnnddddeeeexxxxAadd static route 6-8ADSL Line Configuration 2-4advanced configurationfeatures 2-22ATMP 4-17tunnel options 4-15Bbackup defa

Index-2Ffilterparts 9-19parts of 9-19filter priority 9-18filter setadding 9-25display 9-21filter setsadding 9-25defined 9-17deleting 9-29disadvantages

Index-3management and statistics 7-17scheduled connections 7-12WAN configuration 7-8MMIBs supported 8-10model numbers 1-3MPPE 4-17MS-CHAPv2 4-18Multic

Contents iii G Chapter 1 — Introduction...1-1 What’s New in 8.4 ...

2-14 Firmware User GuideAdvanced Connection OptionsConfiguration Changes Reset WAN ConnectionThe menu supports delaying some configuration changes unti

Index-4Sscheduled connections 2-15adding 2-17deleting 2-20modifying 2-20once-only 2-19viewing 2-16weekly 2-18securityfilters 9-17–9-32measures to incr

Index-5upgrade 1-3uploading configuration files 10-8with TFTP 10-8utilities and diagnostics 10-1VVariable Bit Rate (VBR) 2-6viewing scheduled connecti

Index-6

WAN and System Configuration 2-15When you toggle Configuration Changes Reset WAN Connection either to Yes or No using the Tab key and press Return, a

2-16 Firmware User GuideViewing scheduled connectionsTo display a table of scheduled connections, select Display/Change Scheduled Connection in the S

WAN and System Configuration 2-17• The time of day that the connection will Begin At• The duration of the connection (HH:MM)• Whether it’s a recurrin

2-18 Firmware User Guide• Demand-Blocked, meaning that this schedule will prevent a demand call on the line.• Periodic, meaning that the connection i

WAN and System Configuration 2-19• Select Scheduled Window Duration Per Day and enter the maximum duration allowed for this scheduled connection, per

2-20 Firmware User GuideYou are finished configuring the once-only options. Return to the Add Scheduled Connection screen to continue.• In the Add Sche

WAN and System Configuration 2-21The Router will recognize a delay-sensitive packet as having the low-latency bit set in the TOS field of the IP heade

2-22 Firmware User GuideSystem Configuration ScreensSystem configuration featuresThe Netopia Router’s default settings may be all you need to configure.

WAN and System Configuration 2-23IP SetupThese screens allow you to configure your network’s use of the IP networking protocol.• Details are given in

iv Firmware User Guide Logging ... 2-38 Chapter 3 — Multiple Network Address Translation ..

2-24 Firmware User Guide• UDP no-activity time-out: The time in seconds after which a UDP session will be terminated, if there is no traffic on the se

WAN and System Configuration 2-25Select Stateful Inspection Options and press Return. The Stateful Inspection Parameters screen appears.• Max. TCP Se

2-26 Firmware User GuideNote: If Stateful Inspection is enabled on a base connection profile (for example, for PPP, RFC1483 bridged/routed, or PPPoE),

WAN and System Configuration 2-27Exposed AddressesYou can specify the IP addresses you want to expose by selecting Add Exposed Address List and press

2-28 Firmware User Guide• Protocol: Select the Protocol of the traffic to be allowed to the host range from the pull-down menu. Options are Any, TCP,

WAN and System Configuration 2-29Date and timeYou can set the system’s date and time parameters in the Set Date and Time screen.Select Date and Time

2-30 Firmware User GuideWireless configurationIf your Router is a wireless model (such as a 3347W) you can enable or disable the wireless LAN by selec

WAN and System Configuration 2-31region. The widest range available is from 1 to 14. However, in North America only 1 to 11 may be selected. Europe,

2-32 Firmware User GuideThe Pre Shared Key field becomes visible to allow you to enter a Pre Shared Key. The key can be between 8 and 63 characters, b

WAN and System Configuration 2-33You select a single key for encryption of outbound traffic. The WEP-enabled client must have an identical key of the

Contents v G ATMP configuration ... 4-15Encryption Support ...

2-34 Firmware User Guideneeds to be done once. Avoid the temptation to enter all the same characters. Default Key (#1 – #4): Specifies which key the R

WAN and System Configuration 2-35The Wireless MAC Authorization screen appears.To enable Wireless Mac Authorization, toggle Enable MAC Authentication

2-36 Firmware User GuideYour entry will be added to a list of up to 32 authorized addresses. To display the list of authorized MAC addresses, select

WAN and System Configuration 2-37Change Device to a BridgeFor Netopia DSL Routers, this feature allows you to turn off the routing features and use y

2-38 Firmware User GuideYou can reinstate Router mode by returning to the System Configuration menu.Select Change Device to a Router.Press Return, con

WAN and System Configuration 2-39The Logging Configuration screen appears.By default, all events are logged in the event history. • By toggling each e

2-40 Firmware User GuideYou will need to install a Syslog client daemon program on your PC and configure it to report the WAN events you specified in t

Multiple Network Address Translation 3-1CCCChhhhaaaapppptttteeeerrrr 3333MMMMuuuullllttttiiiipppplllleeee NNNNeeeettttwwwwoooorrrrkkkk AAAA

3-2 Firmware User GuideFeaturesMultiNAT features can be divided into several categories that can be used simultaneously in different combinations on

Multiple Network Address Translation 3-3Dynamic mappingDynamic mapping, often referred to as many-to-few, offers an extension to the advantages prov

vi Firmware User Guide Authentication configuration... 6-10Connection Profiles and Default Profile ... 6-15IP

3-4 Firmware User GuideExterior addresses are allocated to internal hosts on a demand, or as-needed, basis and then made available when traffic from t

Multiple Network Address Translation 3-5Complex mapsMap lists and server lists are completely independent of each other. A Connection Profile can use

3-6 Firmware User GuideSupport for Yahoo MessengerNetopia Firmware Version 8.4 provides Application Level Gateway (ALG) support for Yahoo Messenger.

Multiple Network Address Translation 3-7The two map lists, Easy-PAT List and Easy-Servers, are created by default and NAT configuration becomes effec

3-8 Firmware User GuideSelect Network Address Translation (NAT) and press Return.The Network Address Translation screen appears.Public Range defines a

Multiple Network Address Translation 3-9NAT rulesThe following rules apply to assigning NAT ranges and server lists:• Static public address ranges m

3-10 Firmware User GuideSelect First Public Address and enter the first exterior IP address in the range you want to assign. Select Last Public Addres

Multiple Network Address Translation 3-11• Select First and Last Private Address and enter the first and last interior IP addresses you want to assig

3-12 Firmware User Guide• The Add NAT Map screen now displays the range you have assigned.• Select ADD NAT MAP and press Return. Your mapping is adde

Multiple Network Address Translation 3-13The Show/Change NAT Map List screen appears.• Add Map allows you to add a new map to the map list.• Show/Ch

Contents vii G Simple Network Management Protocol (SNMP)... 8-10The SNMP Setup screen... 8-11SNMP trap

3-14 Firmware User GuideThe Change NAT Map screen appears.Make any modifications you need and then select CHANGE NAT MAP and press Return. Your change

Multiple Network Address Translation 3-15Adding Server ListsServer lists, also known as Exports, are handled similarly to map lists. If you want to

3-16 Firmware User Guide• Select Service and press Return. A pop-up menu appears listing a selection of commonly exported services.• Choose the servi

Multiple Network Address Translation 3-17• Enter the First and Last Port Number between ports 1 and 65535. Select OK and press Return. You will be r

3-18 Firmware User Guide• Select the Server List Name you want to modify from the pop-up menu and press Return.The Show/Change NAT Server List screen

Multiple Network Address Translation 3-19Select any server from the list and press Return. The Change NAT Server screen appears.You can make changes

3-20 Firmware User GuideA pop-up menu lists your configured servers. Select the one you want to delete and press Return. A dialog box asks you to confi

Multiple Network Address Translation 3-21Binding Map Lists and Server ListsOnce you have created your map lists and server lists, for most Netopia R

3-22 Firmware User Guide• Select the map list you want to bind to this Connection Profile and press Return. The map list you selected will now be boun

Multiple Network Address Translation 3-23IP Parameters (WAN Default Profile)The Netopia Firmware Version 8.4 using RFC 1483 supports a WAN default pr

viii Firmware User Guide TFTP ... 9-44 Chapter 10 — Utilities and Diagnostics ...

3-24 Firmware User Guide• Select the map list you want to bind to the default profile and press Return. The map list you selected will now be bound to

Multiple Network Address Translation 3-25NAT AssociationsConfiguration of map and server lists alone is not sufficient to enable NAT for a WAN connect

3-26 Firmware User Guide• Select the list name you want to assign and press Return again. Your selection will then be associated with the correspondi

Multiple Network Address Translation 3-27IP PassthroughNetopia Firmware Version 8.4 offers an IP passthrough feature. The IP passthrough feature all

3-28 Firmware User GuideThe IP Profile Parameters screen, found under the WAN Configuration menu, Add/Change Connection Profile screen, appears as shown

Multiple Network Address Translation 3-29Toggling IP Passthrough DHCP Enabled to Ye s displays the IP Passthrough DHCP MAC address field. This is an

3-30 Firmware User GuideA restrictionSince both the router and the passthrough host will use same IP address, new sessions that conflict with existing

Multiple Network Address Translation 3-31MultiNAT Configuration ExampleTo help you understand a typical MultiNAT configuration, this section describes

3-32 Firmware User GuideEnter your ISP-supplied values as shown below.Select NEXT SCREEN and press Return.Your IP values are shown here.Then navigate

Multiple Network Address Translation 3-33Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned f

Contents ix G Broadcasts... B-14Packet header types ...

3-34 Firmware User GuideSelect ADD NAT PUBLIC RANGE and press Return. You are returned to the Network Address Translation screen.Next, select Show/Ch

Multiple Network Address Translation 3-35• First, navigate to the Show/Change Map List screen, select Easy-PAT List and then Show/Change Maps. Choos

3-36 Firmware User Guide

Virtual Private Networks (VPNs) 4-1CCCChhhhaaaapppptttteeeerrrr 4444VVVViiiirrrrttttuuuuaaaallll PPPPrrrriiiivvvvaaaatttteeee NNNNeeeettttw

4-2 Firmware User GuideNetopia Firmware Version 8.4 can be used in VPNs either to initiate the connection or to answer it. When used in this way, the

Virtual Private Networks (VPNs) 4-3leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receivi

4-4 Firmware User GuideAbout PPTP TunnelsTo set up a PPTP tunnel, you create a Connection Profile including the IP address and other relevant informat

Virtual Private Networks (VPNs) 4-5When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then

4-6 Firmware User GuideNote: Netopia Firmware Version 8.4 supports 128-bit (“strong”) encryption. Unlike MS-CHAP version 1, which supports one-way au

Virtual Private Networks (VPNs) 4-7The IP Profile Parameters screen appears.• Enter the Remote IP Address and Remote IP Mask for the host to which yo