Device Configuration 101 Hotspot – General Setting Maximum Total Data Usage (in MBytes): Pre-configure the total data usage allowed for each session. The value ranges from 0 to 5120 MB; 0 means no speed limitation. Captive Portal UAM Server: Select the server you wish to use: Built-in, External or Socifi. Fill in the blanks to use an External UAM server. UAM Server: Built-in & External Login URL: Enter the login URL offered by the UAM server. Shared Secret: Set the shared secret password offered.
Device Configuration 102 Hotspot – Built-in User Account Built-in User Account It is a local database on the router with pre-defined user accounts authorized by the BEC 4700A/AZ to grant and provide Wi-Fi hotspot access for Wi-Fi capable devices/users. A maximum of 16 accounts is allowed. Rule Index: The indication of the rule number. The maximum entry is up to 16. Active: Select Yes to enable the rule of the account. Username / Password: Create a username and password for this user account.
Device Configuration 103 Hotspot – Authorized of Client Authorized of Client Add and predefine the trusted wireless MAC address of a Wi-Fi capable device for immediate hotspot/Internet access. Hotspot/Internet access requires no authentication. A maximum of 16 accounts is allowed. Authorized of Client: Select Activated to enable this feature. Rule Index: The indication of the rule number. The maximum entry is up to 16. Active: Select Yes to enable the rule of the client.
Device Configuration 104 Hotspot – Walled Garden Walled Garden Add and predefine websites (domain names) or web IP addresses that Wi-Fi devices / clients are allowed to access. Web site access requires no authentication. A maximum of 16 websites / domains is allowed. Rule Index: The indication of the rule number. The maximum entry is up to 16. Active: Select Yes to enable the rule of the walled garden. Allow Type: Either a Host/Network or Domain.
Device Configuration 105 Hotspot – Advertisement Advertisement Add pop-up ads and redirects to the BEC 4700A/AZ Wi-Fi Hotspot; only a random ad will be displayed per login. A maximum of 16 ads is allowed. Advertisement: Select Activated to enable this feature. Mode: Two (2) web advertising methods are available. Frame: Redirect to a random ad site, a full-page ad, before reaching the login page. This full-page ad will redirect to the login page after 5-10 seconds.
Device Configuration 106 Hotspot – Hotspot Status Log Hotspot Status Log Record all hotspot access information and e-mail the statistics report of the hotspot clients in a specific duration. Session Log: Select Activated to enable this feature. Log Session Data in every (minute): Enter the session log interval, from 1 (min) to 60 (max) minutes. Mail Session Log File in every (minute): BEC 4700A/AZ will send all access information, such as access IP addresses, NAT tables, etc.
Device Configuration 107 Hotspot – Customization Customization Allow modification to some of the captive portal settings. Customization: Select Activated to enable this feature. Title: The Banner message. Default is “Hotspot” Login Subtitle: Default is “Welcome to my Hotspot” Term Part 1 / 2 / 3: Create your own Terms and Conditions. To use default, same terms, please skip this part. NOTE: No newline is accepted in each text box.
Device Configuration 108 Hotspot – Customization Login Successfully Message: A greeting message after successful login to the Wi-Fi hotspot. Default is “Success!” Footnote: Additional information, if needed. Default is “This service is provided for free and used at your own risk.” Show Logo: Select Activated to display the company logo on the portal. (To change the logo, please contact BEC technical support for more information.) Click Save to apply settings.
Device Configuration 109 Advanced Setup – Firewall Advanced Setup Advanced Setup provides advanced features including Firewall, Routing, Dynamic Routing, NAT, VRRP, Static DNS, QoS, Interface Grouping, Port Isolation, Time Schedule, and Mail Alert for advanced users. Firewall Your router includes a firewall for helping to prevent attacks from hackers.
Device Configuration 110 Advanced Setup – Routing Static Routing This is the static route feature. It gives you the capability to control the routing of all the traffic across your network. With each routing rule created, the user can specifically assign the destination where the traffic will be routed to. Index #: The indication of the routing table number. Destination IP Address: IP address of the destination network. Subnet Mask: The subnet mask of the destination network.
Device Configuration Advanced Setup – Dynamic Routing (OSPF) 111 Dynamic Routing The NAT (Network Address Translation) feature transforms a private IP into a public IP, allowing multiple users to access the internet through a single IP account, sharing the single IP address.
Device Configuration 112 Advanced Setup – Dynamic Routing (BGP) ❖ Border Gateway Protocol (BGP) A standardized exterior gateway protocol (a uniquely TCP-based inter-Autonomous System routing protocol) designed to allow setting up an inter-domain dynamic routing system that automatically updates the routing tables of devices running BGP in case of network topology changes. BGP: Enable to activate BGP routing. AS Number: Designate the AS number of the local router.
Device Configuration 113 Advanced Setup – NAT NAT The NAT (Network Address Translation) feature transforms a private IP into a public IP, allowing multiple users to access the internet through a single IP account, sharing the single IP address. NAT breaks the originally envisioned model of IP end-to-end connectivity across the internet, so NAT can cause problems where IPSec/PPTP encryption is applied or where some application layer protocols such as SIP phones are located behind a NAT.
Device Configuration 114 Advanced Setup – NAT (DMZ) DMZ NOTE: This feature is disabled automatically if the WAN connection is in BRIDGE mode or NAT is turned OFF. The DMZ Host is a local computer which has all UDP and TCP ports exposed to the Internet. When setting an internal IP address as the DMZ Host, all incoming packets will be forwarded to this local host device. Packet filter or virtual server entries will take priority over forwarding internet packets to the DMZ host.
Device Configuration 115 Advanced Setup – NAT (Virtual Server) Virtual Server NOTE: This feature is disabled automatically if the WAN connection is in BRIDGE mode or NAT is turned OFF. Virtual Server is also known as Port Forwarding, which allows the BEC 4700A/AZ to direct all incoming traffic to the servers on the LAN.
Device Configuration 116 Advanced Setup – NAT (Virtual Server) Examples of well-known and registered port numbers are shown below. For further information, please see IANA’s website at http://www.iana.
Device Configuration 117 Advanced Setup – NAT (Example) Example: How to set up Port Forwarding for port 21 (FTP server) Suppose you have an FTP server in your LAN and want others to access it through the WAN. Step 1: Assign a static IP to the local computer that is hosting the FTP server. Step 2: Log in to the Gateway and go to Configuration / Advanced Setup / NAT / Virtual Server. The FTP server uses the TCP protocol with port 21. Enter “21” as the Start and End Port Number.
Device Configuration 118 Advanced Setup – VRRP VRRP VRRP is designed to eliminate the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers in a LAN. The VRRP router controlling the IP address associated with a virtual router is called the Master, and forwards packets sent to these IP addresses.
Device Configuration 119 Advanced Setup – Static DNS Static DNS The Domain Name System (DNS) is a hierarchical naming system built on a distributed database for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.
Device Configuration 120 Advanced Setup – QoS QoS QoS helps you control the upload traffic of each application from LAN (Ethernet and/or Wireless) to WAN (Internet). It gives you the features to control the quality of throughput for each application. This is useful when there are certain types of data you want to give higher priority to, such as voice data packets given higher priority than web data packets. SW QoS: Select Activate to enable the feature.
Device Configuration 121 Advanced Setup – QoS SW QoS Rule Rule Index: Index marking for each rule, up to a maximum of 16. Application: Assign a name that identifies the new QoS application rule, e.g. FTP, HTTP, etc. Direction: Shows the direction mode of the QoS application. WAN Interface: Select a WAN interface connection to allow external access to your internal network. QoS Type: Choose Limited (Maximum) or Guaranteed (Minimum) to specify the data rate allowed for this policy.
Device Configuration 122 Advanced Setup – QoS o Example: Share Bandwidth, Bandwidth set to 100Mbps, Internal IP Address: 192.168.1.100-104 (total of 5). Result: IP 192.168.1.100-104, those 5 devices will share bandwidth of 100Mbps. Bandwidth per Host – Each of the LAN devices within the internal IP address/range obtains the specific bandwidth configured below. o Example: Bandwidth per Host, Bandwidth set to 50Mbps, Internal IP Address: 192.168.1.100-104 (total of 5). Result: The IP address/device, 192.168.
Device Configuration 123 Advanced Setup – Interface Grouping Interface Grouping Interface grouping is a function to group interfaces, known as VLAN. A Virtual LAN, commonly known as a VLAN, is a group of hosts with the common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of the physical location.
Device Configuration 124 Advanced Setup – Interface Grouping (Example) Example: Create two WAN services, 4G/LTE and EWAN You are going to group the ports and services into two working groups, as shown below.
Device Configuration 125 Advanced Setup – Interface Grouping (Example) Click Group Summary to show the configuration results.
Device Configuration 126 Advanced Setup – Port Isolation Port Isolation Port isolation prevents LAN (wired or wireless) devices, e.g. PC, Notebook, from associating or communicating with each other. By default, all ports (LAN port and WLAN port) share one group, and devices on all these ports can access each other. Available LAN interfaces of the BEC 4700A/AZ are LAN, Wireless 2.4G, and Wireless 5G.
Device Configuration 127 Advanced Setup – Time Schedule Time Schedule The Time Schedule supports up to 16 timeslots, which help you manage your Internet connection. In each time profile, you may schedule specific day(s), i.e. Monday through Sunday, to restrict or allow the usage of the Internet by users or applications.
Device Configuration 128 Advanced Setup – Mail Alert Mail Alert Mail alert is designed to keep the system administrator or other relevant personnel alerted to any unexpected events that might have occurred on the network computers or server, for monitoring efficiency. With this alert system, appropriate measures may be taken to fix problems that have arisen so that the server can be properly maintained. SMTP Server: Enter the SMTP server that you would like to use for sending emails.
Device Configuration 129 VPN – IPSec VPN A Virtual Private Network (VPN) is a private network that interconnects remote (and often geographically separate) networks through primarily public communication infrastructures such as the Internet. VPNs provide security through tunneling protocols and security procedures such as encryption. For example, a VPN could be used to securely connect the branch offices of an organization to a Headquarter office network through the public Internet.
Device Configuration 130 VPN – IPSec IPSec Connection Setting Connection Name: Enter a description for this connection/profile. Active: Yes to activate the connection. Interface: Select a WAN interface to establish a tunnel with the remote VPN device. Auto allows system to automatically initiate a connection via current connected WAN interface. Remote Gateway IP: The WAN IP address of the remote VPN device. Enter 0.0.0.0 for unknown remote WAN IP address – only the peer can initiate the tunnel connection.
Device Configuration 131 VPN – IPSec IPSec Phase 1(IKE) IKE Mode: IKE, Internet Key Exchange, is the mechanism to negotiate and exchange parameters and keys between IPSec peers to establish security associations (SA). Select Main or Aggressive mode. Local ID Type / Remote ID Type: When the mode of IKE is aggressive, Local and Remote peers can be identified by other IDs.
Device Configuration 132 VPN – IPSec authentication information, AH (Authentication Header) and ESP (Encapsulating Security Payload). Use ESP for greater security: the data is encrypted and the data origin is authenticated, whereas with AH the data origin is authenticated but the data is not encrypted. Encryption Algorithm: Select the encryption algorithm from the drop-down menu. There are several options: DES and AES (128, 192 and 256). 3DES and AES are more powerful but increase latency.
Device Configuration 133 VPN – IPSec Please note that it must be enabled on both sites. PING to the IP: The router can ping the remote PC at the specified IP address and alert when the connection fails. Once the alert message is received, the router will drop this tunnel connection, and the connection must be re-established. The default setting is 0.0.0.0, which disables the function. Interval: This sets the time interval between pings of the PING to the IP function used to monitor the connection status.
Device Configuration 134 VPN – IPSec (Example on LAN-to-LAN) Examples: IPSec – Network (LAN) to Network (LAN) Two BEC 4700A/AZ devices are to set up a secure IPSec VPN tunnel. NOTE: The IPSec Settings shall be consistent between the two routers.
Device Configuration 135 VPN – IPSec (Example on LAN-to-LAN) Headquarter office Side: Configuration Settings Connection Name Remote Secure Gateway Access Network Local Access Range Local Network IP Address Local Network Netmask Remote Access Range Remote Network IP Address Remote Network Netmask IPSec Proposal IKE Mode Pre-Shared Key Phase 1 Encryption Phase 1 Authentication Phase 1 Diffie-Hellman Group Phase 2 Proposal Phase 2 Authentication Phase 2 Encryption Prefer Forward Security BEC 4700A / 4700AZ Us
Device Configuration 136 VPN – IPSec (Example on LAN-to-LAN) Branch Office Side: Configuration Settings Connection Name Remote Secure Gateway Access Network Local Access Range Local Network IP Address Local Network Netmask Remote Access Range Remote Network IP Address Remote Network Netmask IPSec Proposal IKE Mode Pre-Shared Key Phase 1 Encryption Phase 1 Authentication Phase 1 Diffie-Hellman Group Phase 2 Proposal Phase 2 Authentication Phase 2 Encryption Prefer Forward Security BEC 4700A / 4700AZ User Ma
Device Configuration 137 VPN – IPSec (Example on Remote Access) Examples: IPSec – Remote Employee to BEC 4700A/AZ Connection The router serves as the VPN server, and the host should install an IPSec client to connect to the Headquarter office through the IPSec VPN.
Device Configuration 138 VPN – IPSec (Example on Remote Access) Headquarter office Side: Configuration Settings Connection Name Remote Secure Gateway Access Network Local Access Range Local Network IP Address Local Network Netmask Remote Access Range Remote Network IP Address Remote Network Netmask IPSec Proposal IKE Mode Pre-Shared Key Phase 1 Encryption Phase 1 Authentication Phase 1 Diffie-Hellman Group Phase 2 Proposal Phase 2 Authentication Phase 2 Encryption Prefer Forward Security BEC 4700A / 4700AZ
Device Configuration 139 VPN – PPTP Server PPTP Server The Point-to-Point Tunneling Protocol (PPTP) is a Layer 2 tunneling protocol for implementing virtual private networks through an IP network. In the Microsoft implementation, the tunneled PPP traffic can be authenticated with PAP, CHAP, and Microsoft CHAP V1/V2. The PPP payload is encrypted using Microsoft Point-to-Point Encryption (MPPE) when using MSCHAPv1/v2. NOTE: 4 sessions for Client and 4 sessions for Server respectively.
Device Configuration 140 VPN – PPTP Server MS-DNS: Assign a DNS server or use router default IP address to be the MS-DNS server IP address. Rule Index: The indication of the rule number. The maximum entry is up to 4. Connection Name: Enter a description for this connection/profile. Active: Yes to activate the account. PPTP server is waiting for the client to connect to this account. Username / Password: Enter the username / password for this profile.
Device Configuration 141 VPN – PPTP Client PPTP Client Establish a PPTP tunnel over Internet to connect with a PPTP server. A total of 4 PPTP Client sessions can be created. Rule Index: The indication of the rule number. The maximum entry is up to 4. Connection Name: Enter a description for this connection/profile. Active: Yes to activate the account. PPTP server is waiting for the client to connect to this account. Authentication Type: Pick an authentication type from the drop-down list.
Device Configuration 142 VPN – PPTP Client Connection Type: Select Remote Access for a single user; select LAN to LAN for a remote gateway. Server IP Address: Enter the WAN IP address of the PPTP server. Remote Network IP Address: Enter the subnet IP of the server/host LAN network. Remote Network Netmask: Enter the Netmask of the server/host LAN network. Fixed IP: Specify and reserve a LAN IP address from the remote PPTP server. Click Enable, then enter the requested IP address.
Device Configuration 143 VPN – PPTP (Example on Remote Dial-In) Example: PPTP – Remote Employee Dial-in to BEC 4700A/AZ The input IP address 192.168.1.2 will be assigned to the remote worker. Please make sure this IP is not used in the Office LAN. Configuration Settings (BEC 4700A / 4700AZ User Manual): Connection Name: HS-RA; Authentication Type: MS-CHAPv2; Username: test; Password: test; Connection Type: Remote Access; Assigned IP: 192.168.1.
Device Configuration 144 VPN – PPTP (Example on Remote Dial-Out) Example: PPTP – Remote Employee Dial-out to BEC 4700A/AZ A company’s office establishes a PPTP VPN connection with a file server located at a separate location. The router is installed in the office, connected to a couple of PCs and Servers. The PPTP Server WAN IP address of the Headquarter office is 61.121.1.33.
Device Configuration 145 VPN – PPTP (Example on LAN-to-LAN) Example: PPTP – Network (LAN) to Network (LAN) Connection The branch office establishes a PPTP VPN tunnel with Headquarter office to connect two private networks over the Internet. The routers are installed in the Headquarter office and branch offices accordingly. NOTE: Both office LAN networks must be in different subnets with the LAN-LAN application.
Device Configuration 146 VPN – PPTP (Example on LAN-to-LAN) Configuring PPTP Server in the Headquarter office The IP address 192.168.1.2 will be assigned to the router located in the branch office. Please make sure this IP is not used in the Headquarter office LAN.
Device Configuration 147 VPN – PPTP (Example on LAN-to-LAN) Configuring PPTP Client in the Branch office The IP address 69.1.121.33 is the Public IP address of the router located in Headquarter office. Configuration Settings (with description): Connection Name: BC-LL (assigned name to this tunnel/profile); Authentication Type: MS-CHAPv2 (authentication type); Username: test; Password: test; Connection Type: LAN to LAN (LAN to LAN connection); Server IP: 69.121.1.
Device Configuration 148 VPN – L2TP L2TP L2TP, Layer 2 Tunneling Protocol, is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide them. NOTE: 4 sessions for dial-in connections and 4 sessions for dial-out connections. Rule Index: The indication of the rule number. The maximum entry is up to 8 (4 dial-in and 4 dial-out profiles).
Device Configuration 149 VPN – L2TP Authentication Type: Default is Chap/Pap (CHAP, Challenge Handshake Authentication Protocol; PAP, Password Authentication Protocol). Use the default if you want the router to determine the authentication type to use; otherwise manually specify PAP if you know which type the server is using (when acting as a client), or the authentication type you want clients connecting to you to use (when acting as a server).
Device Configuration 150 VPN – L2TP Local Host Name: Enter the hostname of the local VPN device that is connected to / has established a VPN tunnel. Remote Host Name: Enter the hostname of the remote VPN device. It is a tunnel identifier; the hostname sent by the remote VPN device is matched against the remote hostname provided. If the remote hostname matches, the tunnel will be connected; otherwise, it will be dropped.
Device Configuration 151 VPN – L2TP (Example on Remote Dial-in) Example: L2TP VPN – Remote Employee Dial-in to BEC 4700A/AZ A remote worker establishes an L2TP VPN connection with the Headquarter office using Microsoft's VPN Adapter. The router is installed in the Headquarter office, connected to a couple of PCs and Servers. The input IP address 192.168.1.200 will be assigned to the remote worker. Please make sure this IP is not used in the Office LAN.
Device Configuration 152 VPN – L2TP (Example on Remote Dial-out) Example: L2TP VPN – BEC 4700A/AZ Dial-out to a Server A company’s office establishes an L2TP VPN connection with a file server located at a separate location. The router is installed in the office, connected to a couple of PCs and Servers. Item Connection Name Connection Mode Server IP Authentication Type Username Password Connection Type BEC 4700A / 4700AZ User Manual Description HC-RA Dial out 69.121.1.
Device Configuration 153 VPN – L2TP (Example on LAN-to-LAN) Example: L2TP VPN – Network (LAN) to Network (LAN) Connection The branch office establishes an L2TP VPN tunnel with the Headquarter office to connect two private networks over the Internet. The routers are installed in the Headquarter office and branch office accordingly. NOTE: Both office LAN networks must be in different subnets with the LAN-LAN application.
Device Configuration 154 VPN – L2TP (Example on LAN-to-LAN) Configuring L2TP VPN Dial-in in the Headquarter office The IP address 192.168.1.200 will be assigned to the router located in the branch office. Items (with description): Connection Name: HS-LL (assigned name to this tunnel/profile); Connection Mode: Dial in (operate as L2TP server); Authentication Type: Chap/Pap (authentication type); Username: Test; Password: Test; Assigned IP: 192.168.1.
Device Configuration 155 VPN – L2TP (Example on LAN-to-LAN) Configuring L2TP VPN Dial-out in the Branch office The IP address 69.1.121.33 is the Public IP address of the router located in Headquarter office. Items (with description): Connection Name: BC-LL (assigned name to this tunnel/profile); Connection Mode: Dial out (operate as L2TP client); Server IP: 69.121.1.
Device Configuration 156 VPN – GRE GRE Tunnel Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocol packets inside virtual point-to-point links over an IP network. NOTE: Up to 8 GRE tunnels supported. Rule Index: The numeric rule indicator for GRE. The maximum entry is up to 8. Connection Name: Enter a description for this connection/profile. Active: Yes to activate this GRE profile.
Device Configuration 157 VPN – GRE TUN (IP over GRE) TUN is in layer 3, networking level which routes packets via GRE tunnels. Interface: Select a WAN interface to establish a tunnel with the remote VPN device. Remote Gateway IP: Enter the remote GRE WAN IP address. Tunnel Local IP Address & Remote IP Address (Virtual Interface): Enter a virtual IP address for local and peer network of the GRE tunnel. Tunnel Network Netmask (Virtual Interface): Enter the Netmask for this virtual interface.
Device Configuration 158 VPN – GRE Active as Default Route: Select if to set the GRE tunnel as the default route. IPSec: Click the checkbox to establish a GRE tunnel inside of the IPSec tunnel. IKE Mode: IKE, Internet Key Exchange, is the mechanism to negotiate and exchange parameters and keys between IPSec peers to establish security associations (SA). Select Main or Aggressive mode.
Device Configuration 159 VPN – GRE TAN (Ethernet over GRE) TAN is in layer 2, Ethernet level which acts as a switch adding Ethernet frame passed over the GRE tunnels. Bridge Mode: Select Yes to enable TAN bridge mode. Bridge Mode – No Interface: Select a WAN interface to establish a tunnel with the remote VPN device. Remote Gateway IP: Enter the remote GRE WAN IP address. Remote Network IP Address: Enter the actual remote LAN network IP address.
Device Configuration 160 VPN – GRE specific headers) an IP attempts to send through the interface. Key: This tunnel key is a string of at most 5 alphanumeric characters. Both sides, local and remote, should use the same key. Click Save to apply settings.
Device Configuration 161 VPN – GRE (Example) Example: GRE VPN – Network (LAN) to Network (LAN) Connection The branch office establishes a GRE VPN tunnel with Headquarter office to connect two private networks over the Internet. The routers are installed in the Headquarter office and branch office accordingly. NOTE: Both office LAN networks must be in different subnets with the GRE VPN connection.
Device Configuration 162 VPN – GRE (Example) Configuring GRE connection in the Headquarter office The IP address 69.1.121.30 is the Public IP address of the router located in branch office. Item Connection Name Remote Gateway IP Tunnel Local IP Address (Virtual Interface) Tunnel Remote IP Address (Virtual Interface) Tunnel Network Netmask (Virtual Interface) Remote Network IP/ Netmask BEC 4700A / 4700AZ User Manual HS-LL 69.121.1.30 192.168.100.11 192.168.100.
Device Configuration 163 VPN – GRE (Example) Configuring GRE connection in the Branch office The IP address 69.1.121.3 is the Public IP address of the router located in Headquarter office. Item Connection Name Remote Gateway IP Tunnel Local IP Address (Virtual Interface) Tunnel Remote IP Address (Virtual Interface) Tunnel Network Netmask (Virtual Interface) Remote Network IP/ Netmask BEC 4700A / 4700AZ User Manual BC-LL 69.121.1.3 192.168.100.10 192.168.100.
Device Configuration 164 VPN – OpenVPN (OpenVPN Server – TAN Mode) OpenVPN OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.
Device Configuration 165 VPN – OpenVPN (OpenVPN Server – TAN Mode) Local Access Range IP Address / Netmask: Enter the local OpenVPN Server’s LAN network IP address and Netmask. Certification Local Certificate / Trusted CA Index: OpenVPN mutually authenticates the server and client based on certificates and CA. Select a certificate and CA. To import certificates and CAs, go to Maintenance >> Certificate Management to upload files. Otherwise, select the Default certificate and CA.
Device Configuration 166 VPN – OpenVPN (OpenVPN Server – TAP (Server-Bridge)) TAP (Ethernet Over OpenVPN) in Server-Bridge Mode ◆ Bridge: No – Using its own client IP address. ◆ Local Service Port: Port 1194 is the default assigned port for OpenVPN. ◆ Protocol: OpenVPN can run over either UDP or TCP transports. Select the protocol. ◆ Tunnel Network IP Address / Netmask: Enter a virtual IP address and Netmask for this tunnel. NOTE: The virtual IP addresses must not exist or be in use in either network.
Device Configuration 167 VPN – OpenVPN (OpenVPN Server – TAP (Server-Bridge)) Cryptographic Suite Cipher: OpenVPN uses all the ciphers available in the OpenSSL package to encrypt both the data and channels. Select an encryption method. Hash: Establishes the integrity of the datagram and ensures it is not tampered with in transmission. The options are Message Digest 5 (MD5) and Secure Hash Algorithm (SHA1, SHA256). SHA1 is more resistant to brute-force attacks than MD5. However, it is slower.
Device Configuration 168 VPN – OpenVPN Client (Profile Setup Manually) OpenVPN Client The OpenVPN client must match the VPN information / settings of the OpenVPN Server. Rule Index: The indication of the rule number. Up to 4 profiles/tunnels. Configuration Method: OpenVPN client profiles can be entered manually or imported from a preconfigured client profile. Connection Name: Display the name of the connection or profile. Active: Display whether the connection or profile is set to active or not.
Device Configuration 169 VPN – OpenVPN Client (Profile Setup Manually) ◆ Active as Default Route: Choose Yes to let the OpenVPN tunnel/connection be the default route for traffic, under this circumstance, all outgoing packets will be forwarded to this tunnel and routed to the next hop. ◆ Remote Network IP Address / Netmask: Enter the LAN network IP address and Netmask of the OpenVPN Server.
Device Configuration 170 VPN – OpenVPN Client (Profile Setup Manually) Certification Local Certificate / Trusted CA Index: OpenVPN mutually authenticates the server and client based on certificates and CA. Select a certificate and CA. To import certificates and CAs, go to Maintenance >> Certificate Management to upload files. Otherwise, select the Default certificate and CA. Additional Authentication: Enter the extra credential requested by the OpenVPN server.
Device Configuration 171 VPN – OpenVPN Client (Profile Setup Manually) Keepalive: Check the box to enable the keepalive feature. The system will automatically send ping packets to the remote peer to keep the tunnel active. Interval: Set the keep-alive interval, in seconds. Default is 10 seconds. Valid interval range is from 0 to 3600 seconds. Timeout: Re-establish the tunnel if there is no response from the peer network after the timeout period expires. Default is 120 seconds. Click Save to apply settings.
Device Configuration 172 VPN – OpenVPN (OpenVPN Client (Import a Client Profile)) Import an OpenVPN Client Profile Rule Index: The indication of the rule number. Connection Name: Enter a description for this connection/profile. Active: Yes to activate this profile. Additional Authentication: Enter the extra credential requested by the OpenVPN server. Configuration File: Click “Choose File” to find the OpenVPN client profile you want to upload. If the .
Device Configuration 173 VPN – OpenVPN (Example) Example: OpenVPN – Network (LAN) to Network (LAN) Connection The Branch office establishes a tunnel with Headquarter office to connect two private networks over the OpenVPN. NOTE: Both office LAN networks must be in different subnets.
Device Configuration 174 VPN – OpenVPN (Example) Configuring OpenVPN server in Headquarter office The IP address 69.1.121.30 is the WAN IP address of the router located in the Branch office. The OpenVPN tunnel network virtual interface is set to 192.168.100.0/24. Items: Connection Name: HS-LL; Tunnel Network (Virtual Interface): 192.168.100.0/ 255.255.255.0; Local Access Range: 192.168.1.0/ 255.255.255.
Device Configuration 175 VPN – OpenVPN (Example) Configuring OpenVPN client in Branch office The IP address 69.1.121.3 is the WAN IP address of the router located in Headquarter office. Items (with description): Connection Name: BC-LL (assigned name to this tunnel/profile); Remote Subnet: 192.168.1.0/ 255.255.255.0; Server IP Address: 69.121.1.3 (the WAN IP address of OpenVPN server).
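The NOTEs in the LAN-to-LAN examples above (both office LANs must be in different subnets; the tunnel's virtual addresses must not be in use in either network) can be checked before the values are entered on both routers. The Python script below is an added example and is not part of the BEC manual; the function names and the branch LAN 192.168.0.0/ 255.255.255.0 are assumptions made for illustration, while the other addresses are the ones used in the manual's OpenVPN and GRE examples.

```python
import ipaddress
from itertools import combinations

# Values from the manual's examples, written the way the manual prints them.
HQ_LAN = "192.168.1.0/ 255.255.255.0"
TUNNEL_NET = "192.168.100.0/ 255.255.255.0"
# Constructed value: the manual's excerpt does not show the branch LAN.
BRANCH_LAN = "192.168.0.0/ 255.255.255.0"


def gui_net(text):
    """Parse an 'IP address / Netmask' pair such as '192.168.1.0/ 255.255.255.0'."""
    addr, mask = (part.strip() for part in text.split("/", 1))
    # strict=False: a host address (e.g. 192.168.1.1) is reduced to its network.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_plan(hq_lan, branch_lan, tunnel_net, tunnel_local=None, tunnel_remote=None):
    """Return a list of addressing problems; an empty list means the plan is consistent."""
    problems = []
    nets = {
        "HQ LAN": gui_net(hq_lan),
        "Branch LAN": gui_net(branch_lan),
        "Tunnel network": gui_net(tunnel_net),
    }
    # No two of the three networks may overlap, otherwise routing across the
    # tunnel is ambiguous and hosts on one side become unreachable.
    for (name_a, a), (name_b, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            problems.append(f"{name_a} {a} overlaps {name_b} {b}")

    tunnel = nets["Tunnel network"]
    parsed = []
    for label, value in (("tunnel local IP", tunnel_local),
                         ("tunnel remote IP", tunnel_remote)):
        if value is None:
            continue
        ip = ipaddress.ip_address(value)
        parsed.append(ip)
        if ip not in tunnel:
            problems.append(f"{label} {ip} is outside tunnel network {tunnel}")
        elif ip in (tunnel.network_address, tunnel.broadcast_address):
            problems.append(f"{label} {ip} is the network or broadcast address of {tunnel}")
    if len(parsed) == 2 and parsed[0] == parsed[1]:
        problems.append("tunnel local and remote IP are identical")
    return problems


if __name__ == "__main__":
    # Headquarter side of the GRE example: local 192.168.100.11, peer 192.168.100.10.
    for issue in check_plan(HQ_LAN, BRANCH_LAN, TUNNEL_NET,
                            "192.168.100.11", "192.168.100.10") or ["plan is consistent"]:
        print(issue)
```

Run it once per tunnel profile; the same check applies to the PPTP, L2TP, GRE and OpenVPN LAN-to-LAN setups because they share the same subnet requirement.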
Device Configuration 176 Access Management – Device Management Access Management Device Management Device Host Name Host Name: Enter the host name of the router. Default is home.gateway. Embedded Web Server HTTP Port: The port used to access the embedded web server (Web GUI); default is 80. It can be changed to a port other than port 80, e.g. port 8080. HTTPS Port: Similar to HTTP, which is unencrypted communication using port 80; HTTPS is encrypted by SSL and uses port 443 instead.
Device Configuration 177 Access Management – SNMP SNMP Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. Your BEC 4700A/AZ serves as an SNMP agent that allows a manager station to manage and monitor the router through the network. SNMP: Activate to enable SNMP. Get Community: Type the Get Community, which is the password for the incoming Get and GetNext requests from the management station.
Device Configuration 178 Access Management – SNMP exchange. Set the authentication and encryption information here and below. Authentication Key: Set the authentication key, 8-31 characters. Privacy Protocol: Select the privacy mode, DES or AES. Privacy Key: Set the privacy key, 8-31 characters. Click Save to apply settings.
Device Configuration 179 Access Management – Syslog Syslog (System Log) Use Syslog to send system event information to a remote log server. Remote System Log: Select Activated to enable this feature. Server IP Address: Assign the remote log server IP address. Server UDP Port: Assign the remote log server port; 514 is commonly used. Click Save to apply settings.
Device Configuration 180 Access Management – UPnP Universal Plug & Play UPnP offers peer-to-peer network connectivity for PCs and other network devices, along with control and data transfer between devices. UPnP offers many advantages for users running NAT routers through UPnP NAT Traversal, and on supported systems makes tasks such as port forwarding much easier by letting the application control the required settings, removing the need for the user to control advanced configuration of their device.
Device Configuration 181 Access Management – DDNS Dynamic DNS (DDNS) The Dynamic DNS function allows you to alias a dynamic IP address to a static hostname, allowing users whose ISP does not assign them a static IP address to use a domain name. This is especially useful for hosting servers via your internet connection, so that anyone wishing to connect to you may use your domain name, rather than having to use your dynamic IP address, which changes from time to time.
Device Configuration 182 Access Management – DDNS (Example) Example: How to register a DDNS account If you do not have an account with Dynamic DNS, please go to www.dyndns.org to register an account first. User test1 registers a dynamic domain name with the DDNS provider http://www.dyndns.org/ . DDNS: www.hometest.
Device Configuration 183 Access Management – Access Control Access Control Access Control Listing allows you to determine which services/protocols can access your BEC 4700A/AZ interface from which computers. It is a management tool that allows the IPs set as secure IP addresses to access specified embedded applications (Web, etc., which the user can set) through a specified interface (LAN, WAN or both). The examples below illustrate this in detail. The maximum number of entries is 16.
Device Configuration 184 Access Management – Access Control Rule Index: The numeric rule indicator. User Application Active: Yes to add a new rule. User Application Name: A self-defined name to identify the application. User Application Protocol: Enter the protocol, TCP, UDP or UDP/TCP, to use for this application. User Application Port: Enter the port number which defines the application. Click Save to save the rule. By default, the “Access Control” has two default rules.
Device Configuration 185 Access Management – Access Control BEC 4700A / 4700AZ User Manual
Device Configuration 186 Access Management – Packet Filter (IP & MAC Filter) Packet Filter You can filter packets by MAC address, IP address, Protocol, Port number and Application or URL. ❖ Packet Filter - IP & MAC Filter IP & MAC Filter Editing Rule Index: The indication of the rule number. Individual Active: Yes to enable the rule. Action: This is how to deal with the packets matching the rule. Select White List to allow or Blacklist to block.
Device Configuration 187 Access Management – Packet Filter (IP & MAC Filter) IPv4 Source IP Address: The source IP address of packets to be monitored. 0.0.0.0 means “Don’t care”. Source Subnet Mask: Enter the subnet mask of the source network. Source Port Number: The source port number of packets to be monitored. 0 means “Don’t care”. Destination IP Address: The destination IP address of packets to be monitored. 0.0.0.0 means “Don’t care”.
Device Configuration 188 Access Management – Packet Filter (IP & MAC Filter) MAC Source MAC Address: show the MAC address of the rule applied. Time Schedule: Select a TimeSlot to activate the rule. Go to Time Schedule to configure a time control first. Click Save to apply settings.
Device Configuration 189 Access Management – Packet Filter (URL Filter) ❖ Filter Type - URL Filter URL Filter Rule Index: The indication of the rule number. Individual Active: Click Yes to enable this rule/policy. Domain: Enter the domain name in the blank field to be allowed or prohibited. URL (Host): Enter the specific URL in the blank field to be blocked. Time Schedule: Select a TimeSlot to activate the rule. Go to Time Schedule to configure a time control first. Click Save to apply settings.
Device Configuration 190 Access Management – Packet Filter (Domain Filter) ❖ Filter Type - Domain Filter Action: This is how to deal with the packets matching the rule. Select White List to allow or Blacklist to block. Domain Filter Rule Index: The indication of the rule number. Individual Active: Click Yes to enable this rule/policy. Domain: Enter the domain name in the blank field to be allowed or prohibited. Click Save to apply settings.
Device Configuration 191 Access Management – CWMP (TR-069) CWMP (TR-069) CWMP, short for CPE WAN Management Protocol and also called TR069, is a Broadband Forum technical specification entitled CPE WAN Management Protocol (CWMP). It defines an application layer protocol for remote management of end-user devices.
Device Configuration 192 Access Management – CWMP (TR-069) Path: Local path in HTTP URL for an ACS to make a Connection Request notification to the CPE. Username: Username used to authenticate an ACS making a Connection Request to the CPE. Password: Password used to authenticate an ACS making a Connection Request to the CPE. Periodic Inform Config Periodic Inform: Select Activated to authorize the router to send an Inform message to the ACS automatically.
Device Configuration 193 Access Management – Parental Control Parental Control This feature provides Web content filtering for safer and more reliable web surfing. It is especially useful for parents who want to protect network security and control the content available to children at home. To activate this feature, please log on to www.opendns.com to get an OpenDNS account first. Parent Control Provider: Hosted by www.opendns.
Device Configuration 194 Access Management – BECentral Management BECentral Management BECentral is a cloud-based device management platform that provides operators with a comprehensive suite of services to manage devices in real-time. BECentral Management: Activate to enable the feature. BECentral Management URL: Access path to the BECentral. BECentral Management Port: Port listened by the BECentral. Organization ID: Customer ID (By BEC administrator only). Tag ID: By BEC administrator only.
Device Configuration 195 Maintenance – User Management (Administrator Account) Maintenance Maintenance equips users with the ability to maintain the device as well as examine the connectivity of the WAN connections, and includes User Management, Certificate Management, Time Zone, License, Firmware & Configuration, System Restart, Auto Reboot and Diagnostic Tool.
Device Configuration 196 Maintenance – User Management (Creating Other User Accounts) ❖ Creating Other User Accounts User Account Setup Index #: The indication of the rule number. The maximum entry is up to 8. Username: Create account(s) username for GUI management. New Password: Password for the user account. Confirm Password: Re-enter the password. Web GUI Permission Guest Account: Enable to create this new guest account and select features to allow user account to access to.
Device Configuration 197 Maintenance – Certificate Management Certificate Management This feature is used for OpenVPN and HTTPS Server authentication of the device using certificate. If the imported certificate doesn't match the authorized certificate with the Server, then no access is allowed. Edit: Click (Edit) to import a certificate. Delete: Click (Delete) to remove the certificate from the list. Local Certificate Listing Index #: The indication of the rule number. The maximum entry is up to 2.
Device Configuration 198 Maintenance – Certificate Management Private Key File: Browse to locate the target file on PC before uploading it. If PKCS enabled, please ignore this setting. Password: Enter the password if any, which is used to protect the private key. Otherwise, leave it empty. Click Apply to save settings. Trusted CA Listing Index #: The indication of the rule number. The maximum entry is up to 2. CA Name: Description of the CA.
Device Configuration 199 Maintenance – Time Zone Time Zone By default, the BEC 4700A/AZ does not contain the correct local time and date. There are several options to set up, maintain, and configure the current local time/date on the BEC 4700A/AZ. If you plan to use the Time Schedule feature, it is extremely important that you set up the Time Zone correctly. Synchronize time with: Select the method used to synchronize the time.
Device Configuration 200 Maintenance – License License Some of the advanced features require a license. For more information, please contact Billion/BEC. Input your license key here and click “Upgrade” to enable the features. NOTE: Device will reboot after the upgrade.
Device Configuration 201 Maintenance – Firmware & Configuration Firmware & Configuration Firmware is the software that controls the hardware and provides all functionalities which are available in the GUI. This software may be improved and/or modified; your BEC 4700A/AZ provides an easy way to update the code to take advantage of the changes. To upgrade the firmware of BEC 4700A/AZ, you should download or copy the firmware to your local environment first.
Device Configuration 202 Maintenance – System Restart System Restart Click System Restart with option Current Settings to reboot your router. If you wish to restart the router using the factory default settings (for example, after a firmware upgrade or if you have saved an incorrect configuration), select Factory Default Settings to restore to factory default settings.
Device Configuration 203 Maintenance – Auto Reboot Auto Reboot Schedule an automatic reboot for your 4700A/AZ to ensure proper operation and best performance. The router reboots with its current configuration settings and does not overwrite any existing settings. Click Save to apply settings. Example: Schedule your 4700A/AZ to reboot at 10:00pm (22:00) every weekday (Monday thru Friday) and reboot at 9:00am on Saturday and Sunday.
Device Configuration 204 Maintenance Diagnostics Tool The Diagnostic Test page shows the test results for the connectivity of the physical layer and protocol layer for both LAN and WAN sides. 4G/LTE or EWAN Ping other IP Address: Click Yes if you wish to ping an IP address other than google.com. Click START to begin diagnosing the connection. Speed Time: Measure the current uplink and downlink speed rate. The test takes less than a minute to run.
Device Configuration 205 Maintenance Trace Route displays how many hops (and the exact hops) are required to reach the destination. Click Yes, enter the IP address or domain, then click Start Trace Route. IP Address or Domain: Set the destination host (IP, domain name) to be traced. Max TTL value: Set the max Time to live (TTL) value. The example below traces www.billion.com. LAN Ping other IP Address: Click Yes to ping any desired IP address or a domain.
Troubleshooting 206 Chapter 5: Troubleshooting If your BEC 4700A/AZ is not functioning properly, you can refer to this chapter for simple troubleshooting before contacting your service provider support. This can save you time and effort but if symptoms persist, consult your service provider. Problems with the Router Problem Suggested Action None of the LEDs is on when you turn on the router Check the connection between the router and the adapter.
Troubleshooting 207 Recovery Procedures Problem Suggested Action - The front LEDs display incorrectly - Still cannot access the router management interface after pressing the RESET button. - Software / Firmware upgrade failure Before starting the recovery process, please configure the IP address of the PC as 192.168.1.100 and proceed with the following step-by-step guide. 1. Power the router off. 2.
Appendix 208 APPENDIX: PRODUCT SUPPORT & CONTACT If you come across any problems, please contact the dealer from whom you purchased the product. Contact BEC @ http://www.bectechnologies.net MAC OS is a registered Trademark of Apple Computer, Inc. Windows 10/8/7 and Windows Vista are registered Trademarks of Microsoft Corporation.
Appendix 209 FCC Statement This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
Appendix 210 Professional Installation Instruction 1. Installation personnel This product is designed for a specific application and needs to be installed by qualified personnel who have RF and related rule knowledge. The general user shall not attempt to install or change the settings. 2. Installation location The product shall be installed at a location where the radiating antenna can be kept 20 cm from nearby persons in normal operating conditions to meet the regulatory RF exposure requirement.