BiGuard 50G 802.11g Gateway Dual WAN Security www.billion.uk.com User’s Manual Version Release 1.03 (FW:1.
BiGuard 50G User’s Manual (Updated September, 2007) Copyright Information © 2007 Billion Electric Corporation, Ltd. The contents of this publication may not be reproduced in whole or in part, transcribed, stored, translated, or transmitted in any form or any means, without the prior written consent of Billion Electric Corporation. Published by Billion Electric Corporation. All rights reserved.
Safety Warnings
Your BiGuard 50G is built for reliability and long service life. For your safety, be sure to read and follow these safety warnings.
• Read this installation guide thoroughly before attempting to set up your BiGuard 50G.
• Your BiGuard 50G is a complex electronic device. DO NOT open or attempt to repair it yourself. Opening or removing the covers can expose you to high voltage and other risks.
Table of Contents Chapter 1: Introduction 1.1 Overview 1.2 Product Highlights 1.2.1 Increased Bandwidth, Scalability and Resilience 1.2.2 Virtual Private Network Support 1.2.3 Advanced Firewall Security 1.2.4 Intelligent Bandwidth Management 1.3 Package Contents 1.3.1 Front Panel 1.3.2 Rear Panel 1.3.3 Cabling Chapter 2: Router Applications 2.1 Overview 2.2 Bandwidth Management with QoS 2.2.1 QoS Technology 2.2.2 QoS Policies for Different Applications 2.2.3 Guaranteed / Maximum Bandwidth 2.2.
2.6.2 VPN Planning - Fail Over 2.6.3 Concentrator Chapter 3: Getting Started 3.1 Overview 3.2 Before You Begin 3.3 Connecting Your Router 3.4 Configuring PCs for TCP/IP Networking 3.4.1 Overview 3.4.2 Windows XP 3.4.2.1 Configuring 3.4.2.2 Verifying Settings 3.4.3 Windows 2000 3.4.3.1 Configuring 3.4.3.2 Verifying Settings 3.4.4 Windows 98 / ME 3.4.4.1 Installing Components 3.4.4.2 Configuring 3.4.4.3 Verifying Settings 3.5 Factory Default Settings 3.5.1 Username and Password 3.5.
4.2.3 Routing Table 4.2.4 Session Table 4.2.5 DHCP Table 4.2.6 IPSec Status 4.2.7 PPTP Status 4.2.8 Traffic Statistics 4.2.9 CPU Statistics 4.2.10 System Log 4.3 Quick Start 4.3.1 DHCP 4.3.2 Static IP 4.3.3 PPPoE 4.3.4 PPTP 4.3.5 Big Pond 4.4 Configuration 4.4.1 LAN 4.4.1.1 Ethernet 4.4.1.2 Wireless Security 4.4.1.3 WEP 4.4.1.4 DHCP Server 4.4.1.5 LAN Address Mapping 4.4.2 WAN 4.4.2.1 ISP Settings 4.4.2.1.1 DHCP 4.4.2.1.2 Static IP 4.4.2.1.3 PPPoE 4.4.2.1.4 PPTP 4.4.2.1.5 Big Pond 4.4.2.
4.4.4.3 Firmware Upgrade 4.4.4.4 Backup / Restore 4.4.4.5 Restart 4.4.4.6 Password 4.4.5 Firewall 4.4.5.1 Packet Filter 4.4.5.2 URL Filter 4.4.5.3 Ethernet MAC Filter 4.4.5.4 Wireless MAC Filter 4.4.5.5 Block WAN Request 4.4.5.6 Intrusion Detection 4.4.6 VPN 4.4.6.1 IPSec 4.4.6.1.1 IPSec Wizard 4.4.6.1.2 IPSec Policy 4.4.6.2 PPTP 4.4.7 QoS 4.4.8 Virtual Server 4.4.8.1 DMZ 4.4.8.2 Port Forwarding Table 4.4.9 Advanced 4.4.9.1 Static Route 4.4.9.2 Dynamic DNS 4.4.9.3 Device Management 4.5 Log & Email Alert 4.
Chapter 5: Troubleshooting - * see the CD provided 5.1 Basic Functionality 5.1.1 Router Won’t Turn On 5.1.2 LEDs Never Turn Off 5.1.3 LAN or Internet Port Not On 5.1.4 Forgot My Password 5.2 LAN Interface 5.2.1 Can’t Access Router from the LAN 5.2.2 Can’t Ping Any PC on the LAN 5.2.3 Can’t Access Web Configuration Interface 5.2.3.1 Pop-up Windows 5.2.3.2 Javascripts 5.2.3.3 Java Permissions 5.3 WAN Interface 5.3.1 Can’t Get WAN IP Address from the ISP 5.4 ISP Connection 5.5 Problems with Date and Time 5.
Appendix D: Network, Routing, and Firewall Basics D.1 Network Basics D.1.1 IP Addresses D.1.1.1 Netmask D.1.1.2 Subnet Addressing D.1.1.3 Private IP Addresses D.1.2 Network Address Translation (NAT) D.1.3 Dynamic Host Configuration Protocol (DHCP) D.2 Router Basics D.2.1 Why use a Router? D.2.2 What is a Router? D.2.3 Routing Information Protocol (RIP) D.3 Firewall Basics D.3.1 What is a Firewall? D.3.2.1 Stateful Packet Inspection D.3.2.2 Denial of Service (DoS) Attack D.3.
Appendix F: IPSec Logs and Events F.1 IPSec Log Event Categories F.2 IPSec Log Event Table Appendix G: Bandwidth Management with QoS G.1 Overview G.2 What is Quality of Service? G.3 How Does QoS Work? G.4 Who Needs QoS? G.4.1 Home Users G.4.2 Office Users Appendix H: Router Setup Examples H.1 Outbound Fail Over H.2 Outbound Load Balancing H.3 Inbound Fail Over H.4 DNS Inbound Fail Over H.5 DNS Inbound Load Balancing H.6 Dynamic DNS Inbound Load Balancing H.7 VPN Configuration H.7.
Chapter 1: Introduction 1.1 Overview Congratulations on purchasing BiGuard 50G Router from Billion. Combining a router with an Ethernet network switch, BiGuard 50G is a state-of-the-art device that provides everything you need to get your network connected to the Internet over your Cable or DSL connection quickly and easily.
connections are possible on BiGuard 50G, with performance of up to 10Mbps. 1.2.3 Advanced Firewall Security Aside from intelligent broadband sharing, BiGuard 50G offers integrated firewall protection with advanced features to secure your network from outside attacks. Stateful Packet Inspection (SPI) determines if a data packet is permitted to enter the private LAN. Denial of Service (DoS) protection prevents hackers from interrupting network services via malicious attacks.
LED: Function
Power: A solid light indicates a steady connection to a power source.
Status: A blinking light indicates the device is writing to flash memory.
LAN 1–4: Lit when connected to an Ethernet device. 10/100M: Lit green when connected at 100Mbps. Not lit when connected at 10Mbps. Link/ACT: Lit when device is connected. Blinking when data is transmitting/receiving.
WAN1: Lit when connected to an Ethernet device. 10/100M: Lit green when connected at 100Mbps.
1.3.2 Rear Panel Port 1 2 3 4 Function Wireless Antenna One detachable 2.4GHz 5dbi SMA antenna WAN2 WAN2 10/100M Ethernet port (with auto crossover support); connect xDSL/Cable modem here. WAN1 WAN1 10/100M Ethernet port (with auto crossover support); connect xDSL/Cable modem here. LAN 1—4 Connect a UTP Ethernet cable (Cat-5 or Cat-5e) to one of the eight LAN ports when connecting a PC to the network.
1.3.4 Cabling Most Ethernet networks currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. One of the most common causes of networking problems is bad cabling. Make sure that all connected devices are turned on. On the front panel of BiGuard 50G, verify that the LAN link and WAN line LEDs are lit. If they are not, check to see that you are using the proper cabling.
Chapter 2: Router Applications 2.1 Overview Your BiGuard 50G router is a versatile device that can be configured to not only protect your network from malicious attackers, but also ensure optimal usage of available bandwidth with Quality of Service (QoS) and both Inbound and Outbound Load Balancing. Alternatively, BiGuard 50G can also be set to redirect incoming and outgoing network traffic with the Fail Over capability, ensuring minimal downtime and increased reliability.
2.2.2 QoS Policies for Different Applications By setting different QoS policies according to the applications you are running, you can use BiGuard 50G to optimize the bandwidth that is being used on your network. [Figure: VoIP, Normal PCs, Restricted PC] As illustrated in the diagram above, applications such as Voice over IP (VoIP) require low network latencies to function properly.
applications such as an FTP server, users using VoIP will experience network lag and/or service interruptions during use. To avoid this scenario, this network has assigned VoIP with a guaranteed bandwidth and higher priority to ensure smooth communications. The FTP server, on the other hand, has been given a maximum bandwidth cap to make sure that regular service to both VoIP and normal Internet applications is uninterrupted. 2.2.
manage your bandwidth, providing reliable Internet and network service to your organization. 2.2.5 Priority Bandwidth Utilization Assigning priority to a certain service allows BiGuard 50G to give either a higher or lower priority to traffic from this particular service. Assigning a higher priority to an application ensures that it is processed ahead of applications with a lower priority and vice versa.
2.2.6 Management by IP or MAC address BiGuard 50G can also be configured to apply traffic policies based on a particular IP or MAC address. This allows you to quickly assign different traffic policies to a specific computer on the network. DiffServ (DSCP Marking) DiffServ (a.k.a. DSCP Marking) allows you to classify traffic based on IP DSCP values.
Other interfaces can match traffic based on the DSCP markings. DSCP markings are used to decide how packets should be treated, and are a useful tool for giving precedence to varying types of data. 2.2.8 DSCP (Matching) Just like DSCP Marking, DSCP matching is used on traffic (both inbound rules and outbound rules have DSCP matching).
In the above example, PC 1 (IP_192.168.2.2) and PC 2 (IP_192.168.2.3) are connected to the Internet via WAN1 (IP_230.100.100.1) on BiGuard 50G. Should WAN1 fail, Outbound Fail Over tells BiGuard 50G to reroute outgoing traffic to WAN2 (IP_213.10.10.2). Configuring your BiGuard 50G for Outbound Fail Over provides a more reliable connection for your outgoing traffic. Please refer to appendix H for example settings. 2.3.
connected to the Internet via WAN1 (IP_230.100.100.1) and WAN2 (IP_213.10.10.2) on BiGuard 50G. You can configure BiGuard 50G to balance the load of each WAN port with one of two mechanisms: 1. Session (by session/by traffic/weight of link capability) 2. IP Hash (by traffic/weight of link capability) The IP Hash mechanism will ensure that the traffic from the same source IP address and destination IP address will go through the same WAN port.
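The difference between the two mechanisms, as an added example that is not from the manual or from Billion. The hash (SHA-256), the 3:1 link weights, the function names and the destination addresses are assumptions; the manual does not document the router's actual algorithm.

```python
import hashlib
import ipaddress
from itertools import cycle

# WAN addresses are the ones used in this manual's examples; the 3:1 weights
# ("weight of link capability") are assumed values for illustration.
WANS = [("WAN1", "230.100.100.1", 3), ("WAN2", "213.10.10.2", 1)]


def _slots(wans):
    """Expand weights into slots: weight 3 yields three slots for that WAN."""
    return [name for name, _ip, weight in wans for _ in range(weight)]


def ip_hash_select(src, dst, wans=WANS):
    """Pick a WAN from the (source IP, destination IP) pair only.

    SHA-256 is an assumption; any stable hash gives the same property:
    a given pair always maps to the same weighted slot.
    """
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    digest = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    slots = _slots(wans)
    return slots[digest % len(slots)]


class SessionBalancer:
    """Session mode: each new session takes the next weighted slot in turn."""

    def __init__(self, wans=WANS):
        self._next = cycle(_slots(wans))

    def select(self, src, dst):
        # The address pair is ignored; only the arrival order matters.
        return next(self._next)


def wans_seen(select, src, dst, sessions):
    """Set of WAN ports used by repeated sessions between one address pair."""
    return {select(src, dst) for _ in range(sessions)}


def share_of(wan, select, flows):
    """Fraction of the given flows that were sent out through `wan`."""
    picks = [select(src, dst) for src, dst in flows]
    return picks.count(wan) / len(picks)


# Constructed flows: LAN hosts in the manual's 192.168.2.x example network
# talking to documentation-range destinations (198.51.100.0/24).
FLOWS = [(f"192.168.2.{h}", f"198.51.100.{d}")
         for h in range(2, 42) for d in range(1, 101)]

if __name__ == "__main__":
    pair = ("192.168.2.2", "198.51.100.7")
    print("IP Hash, 8 sessions:", wans_seen(ip_hash_select, *pair, 8))
    print("Session, 8 sessions:", wans_seen(SessionBalancer().select, *pair, 8))
    print("IP Hash WAN1 share:", share_of("WAN1", ip_hash_select, FLOWS))
    print("Session WAN1 share:", share_of("WAN1", SessionBalancer().select, FLOWS))
```

Both modes honour the link weights across many flows, but only IP Hash keeps one address pair on a single WAN port, so the remote end always sees the same public source address for that pair.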
2.4.1 Inbound Fail Over Configuring BiGuard 50G for Inbound Fail Over allows you to ensure that incoming traffic is uninterrupted by having BiGuard 50G default to WAN2 should WAN1 fail. In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server (IP_192.168.2.3) are connected to the Internet via WAN1 (ftp.billion.dyndns.org) on BiGuard 50G. A remote computer is trying to access these servers via the Internet.
2.4.2 Inbound Load Balancing Inbound Load Balancing allows BiGuard 50G to intelligently manage inbound traffic based on the amount of load of each WAN connection. In the above example, an FTP server (IP_192.168.2.2) and an HTTP server (IP_192.168.2.3) are connected to the Internet via WAN1 (www.billion2.dyndns.org) and WAN2 (www.billion3.dyndns.org) on BiGuard 50G. Remote PCs are attempting to access the servers via the Internet.
2.5 DNS Inbound Using DNS Inbound is a great way to intelligently direct network traffic. DNS Inbound is a three-step process. First, a DNS request is made to the router by a remote PC. BiGuard 50G, based on settings specified by the user, will direct the requesting PC to the correct WAN port by replying with the selected WAN IP address through the built-in DNS server. The remote PC then accesses the network via the specified WAN port.
2.5.1 DNS Inbound Fail Over BiGuard 50G can be configured to reply with the WAN2 IP address for the DNS domain name request should WAN1 fail. In the above example, an FTP Server (IP_192.168.2.2) and an HTTP Server (IP_192.168.2.3) are connected to the Internet via WAN1 (IP_200.200.200.1) on BiGuard 50G. A remote computer is trying to access these servers via the Internet, and makes a DNS request. The DNS request (www.mydomain.com) will be sent through WAN1 (200.200.200.1) to the built-in DNS server.
2.5.2 DNS Inbound Load Balancing DNS Inbound Load Balancing allows BiGuard 50G to intelligently manage inbound traffic based on the amount of load of each WAN connection by assigning the IP address with the lowest traffic load to incoming requests. In the above example, an FTP server (IP_192.168.2.2) and an HTTP server (IP_192.168.2.3) are connected to the Internet via WAN1 (IP_200.200.200.1) and WAN2 (IP_100.100.100.1) on BiGuard 50G.
[Figure: DNS Request, DNS Reply, HTTP Request, HTTP Reply, WAN 1, WAN 2, URL Host Map, DNS Server, Bandwidth Monitor, HTTP Server; steps numbered 1 to 11]
In the example above, the client is making a DNS request. The request is sent to the DNS server of BiGuard 50G through WAN2 (1). WAN2 will route this request to the embedded DNS server of BiGuard 50G (2). BiGuard 50G will analyze the bandwidth of both WAN1 and WAN2 and decide which WAN IP to reply with (3).
2.6 Virtual Private Networking A Virtual Private Network (VPN) enables you to send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link. As such, it is perfect for connecting branch offices to headquarters across the Internet in a secure fashion. The following section discusses Virtual Private Networking with BiGuard 50G. 2.6.1 General VPN Setup There are typically three different VPN scenarios.
VPN provides a flexible, cost-efficient, and reliable way for companies of all sizes to stay connected. One of the most important steps in setting up a VPN is proper planning. The following sections demonstrate the various ways of using BiGuard 50G to set up your VPN. 2.6.2 VPN Planning - Fail Over Configuring your VPN with Fail Over allows BiGuard 50G to automatically default to WAN2 should WAN1 fail. Because the dynamic domain name biguard.billion.
gateway using WAN1 through a secure VPN tunnel. Should WAN1 fail, outbound traffic from BiGuard 50G will automatically be redirected to WAN2. This process is completely transparent to the remote gateway, as BiGuard 50G will automatically update the domain name (biguard.billion.com) with the WAN2 IP address. Configuring a Gateway to Multiple Gateway setup with Fail Over is similar, as shown below: Configuring BiGuard 50G for Fail Over provides added reliability to your VPN.
2.6.3 Concentrator The VPN Concentrator provides an easy way for branch offices to connect to headquarters through a VPN tunnel. All branch office traffic will be redirected to the VPN tunnel to headquarters with the exception of LAN-side traffic. This way, all branch offices can connect to each other through headquarters via the headquarters’ firewall management. You can also configure BiGuard 50G to function as a VPN Concentrator: Please refer to appendix H for example settings.
Chapter 3: Getting Started 3.1 Overview BiGuard 50G is designed to be a powerful and flexible network device that is also easy to use. With an intuitive web-based configuration, BiGuard 50G allows you to administer your network via virtually any Java-enabled web browser and is fully compatible with Linux, Mac OS, and Windows 98/Me/NT/2000/XP operating systems. The following chapter takes you through the very first steps to configuring your network for BiGuard 50G.
password for security reasons. 4. Prepare to physically connect BiGuard 50G to Cable or DSL modems and a computer. Be sure to also review the Safety Warnings located in the preface of this manual before working with your BiGuard 50G. 3.3 Connecting Your Router Connecting BiGuard 50G is an easy three-step process: 1. Connect BiGuard 50G to your LAN by connecting Ethernet cables from your networked PCs to the LAN ports on the router.
3.4 Configuring PCs for TCP/IP Networking Now that your BiGuard 50G is connected properly to your network, it’s time to configure your networked PCs for TCP/IP networking. In order for your networked PCs to communicate with your router, they must have the following characteristics: 1. Have a properly installed and functioning Ethernet Network Interface Card (NIC). 2. Be connected to BiGuard 50G, either directly or through an external repeater hub via an Ethernet cable. 3.
- Windows 95/98/Me/NT/2000/XP - Mac OS 7 and later If you are using Windows 3.1, you must purchase a third-party TCP/IP application package. Any TCP/IP capable workstation can be used to communicate with or through BiGuard 50G. To configure other types of workstations, please consult the manufacturer’s documentation. 3.4.2 Windows XP 3.4.2.1 Configuring 1. Select Start > Settings > Network Connections. 2. In the Network Connections window, right-click Local Area Connection and select Properties.
3. Select Internet Protocol (TCP/IP) and click Properties. 4a.
address automatically and Obtain DNS server address automatically radio buttons. 4b. To manually assign your PC a fixed IP address, select the Use the following IP address radio button and enter your desired IP address, subnet mask, and default gateway in the blanks provided. Remember that your PC must reside in the same subnet as the router. To designate a DNS server, select the Use the following DNS server radio button and fill in the preferred DNS address. 5. Click OK to finish the configuration.
3.4.2.2 Verifying Settings To verify your settings using a command prompt: 1. Click Start > Programs > Accessories > Command Prompt. 2. In the Command Prompt window, type ipconfig and then press ENTER.
- An IP address between 192.168.1.1 and 192.168.1.253 - A subnet mask of 255.255.255.0 To verify your settings using the Windows XP GUI: 1. Click Start > Settings > Network Connections.
2. Right-click one of the network connections listed and select Status from the pop-up menu. 3. Click the Support tab.
If you are using BiGuard 50G’s default settings, your PC should: - Have an IP address between 192.168.1.1 and 192.168.1.253 - Have a subnet mask of 255.255.255.0 3.4.3 Windows 2000 3.4.3.1 Configuring 1. Select Start > Settings > Control Panel.
2. In the Control Panel window, double-click Network and Dial-up Connections. 3. In Network and Dial-up Connections, double-click Local Area Connection.
4. In the Local Area Connection window, click Properties. 5. Select Internet Protocol (TCP/IP) and click Properties.
6a. To have your PC obtain an IP address automatically, select the Obtain an IP address automatically and Obtain DNS server address automatically radio buttons. 6b. To manually assign your PC a fixed IP address, select the Use the following IP address radio button and enter your desired IP address, subnet mask, and default gateway in the blanks provided. Remember that your PC must reside in the same subnet as the router.
7. Click OK to finish the configuration.
3.4.3.2 Verifying Settings 1. Click Start > Programs > Accessories > Command Prompt. 2. In the Command Prompt window, type ipconfig and then press ENTER. If you are using BiGuard 50G’s default settings, your PC should have: - An IP address between 192.168.1.1 and 192.168.1.
- A subnet mask of 255.255.255.0 3.4.4 Windows 98 / Me 3.4.4.1 Installing Components To prepare Windows 98/Me PCs for TCP/IP networking, you may need to manually install TCP/IP on each PC. To do this, follow the steps below. Be sure to have your Windows CD handy, as you may need to insert it during the installation process. 1. On the Windows taskbar, select Start > Settings > Control Panel. 2. Double-click the Network icon. The Network window displays a list of installed components.
You must have the following installed:
- An Ethernet adapter - TCP/IP protocol - Client for Microsoft Networks If you need to install a new Ethernet adapter, follow these steps: a. Click Add. b. Select Adapter, then Add. c. Select the manufacturer and model of your Ethernet adapter, then click OK.
If you need TCP/IP: a. Click Add.
b. Select Protocol, then click Add. c. Select Microsoft > TCP/IP, then OK. If you need Client for Microsoft Networks: a. Click Add.
b. Select Client, then click Add. c. Select Microsoft > Client for Microsoft Networks, and then click OK. 3. Restart your PC to apply your changes. 3.4.4.2 Configuring 1. Select Start > Settings > Control Panel.
2. In the Control Panel, double-click Network and choose the Configuration tab.
3. Select TCP / IP > ASUSTek or the name of any Network Interface Card (NIC) in your PC and click Properties. 4. Select the IP Address tab and click the Obtain an IP address automatically radio button.
5. Select the DNS Configuration tab and select the Disable DNS radio button. 6. Click OK to apply the configuration.
3.4.4.3 Verifying Settings To check the TCP/IP configuration, use the winipcfg.exe utility: 1. Select Start > Run. 2. Type winipcfg, and then click OK. 3. From the drop-down box, select your Ethernet adapter.
The window is updated to show your settings. Using the default BiGuard 50G settings, your PC should have: - An IP address between 192.168.1.1 and 192.168.1.253 - A subnet mask of 255.255.255.0 - A default gateway of 192.168.1.254 3.5 Factory Default Settings Before configuring your BiGuard 50G, you need to know the following default settings: Web Interface: Username: admin Password: admin LAN Device IP Settings: IP Address: 192.168.1.254 Subnet Mask: 255.255.255.
ISP setting in WAN site: Obtain an IP Address automatically (DHCP Client) DHCP server: DHCP server is enabled. Start IP Address: 192.168.1.100 End IP Address: 192.168.1.199 3.5.1 User Name and Password The default user name and password are "admin" and "admin" respectively. If you ever forget your user name and/or password, you can restore your BiGuard 50G to its factory settings by holding the Reset button on the back of your router until the Status LED begins to blink.
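The ipconfig check from sections 3.4.2.2 and 3.4.3.2, run against the factory defaults listed above, as an added example that is not part of the manual. Both sample outputs are constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Factory defaults quoted from sections 3.4 and 3.5 of this manual.
GATEWAY = "192.168.1.254"
NETMASK = "255.255.255.0"
HOST_LOW, HOST_HIGH = (ipaddress.ip_address(a) for a in ("192.168.1.1", "192.168.1.253"))
POOL_LOW, POOL_HIGH = (ipaddress.ip_address(a) for a in ("192.168.1.100", "192.168.1.199"))

# Constructed samples in the layout of Windows XP `ipconfig` output.
SAMPLE_DEFAULT = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.254
"""
# No DHCP reply: Windows falls back to a 169.254.x.x address and no gateway.
SAMPLE_NO_LEASE = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Autoconfiguration IP Address. . . : 169.254.10.20
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

# The value must sit on the same line as the label, so an empty
# "Default Gateway" line is not filled from the line that follows it.
FIELD = re.compile(
    r"^[ \t]*(?:Autoconfiguration )?(IP Address|Subnet Mask|Default Gateway)"
    r"[ .]*:[ \t]*(\S+)[ \t]*$", re.M)


def parse_ipconfig(text):
    """Return the first adapter's address fields; fields with no value are absent."""
    fields = {}
    for name, value in FIELD.findall(text):
        fields.setdefault(name, value)
    return fields


def _within(value, low, high):
    """True when `value` parses as an address between low and high inclusive."""
    try:
        return value is not None and low <= ipaddress.ip_address(value) <= high
    except (ValueError, TypeError):
        return False


def check_against_defaults(text):
    """List every field that differs from the router's factory-default LAN."""
    cfg, findings = parse_ipconfig(text), []
    ip = cfg.get("IP Address")
    if not _within(ip, HOST_LOW, HOST_HIGH):
        findings.append(f"IP Address: {ip} is not in {HOST_LOW}-{HOST_HIGH}")
    if cfg.get("Subnet Mask") != NETMASK:
        findings.append(f"Subnet Mask: {cfg.get('Subnet Mask')} is not {NETMASK}")
    if cfg.get("Default Gateway") != GATEWAY:
        findings.append(f"Default Gateway: {cfg.get('Default Gateway')} is not {GATEWAY}")
    return findings


def from_default_dhcp_pool(text):
    """True when the address lies in the router's default DHCP pool (.100 to .199)."""
    return _within(parse_ipconfig(text).get("IP Address"), POOL_LOW, POOL_HIGH)


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("no lease", SAMPLE_NO_LEASE)):
        print(label, check_against_defaults(sample) or "matches factory defaults")
```

An address inside 192.168.1.1 to 192.168.1.253 but outside the pool passes the check and makes `from_default_dhcp_pool` return False, which is what a manually assigned address looks like.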
3.6 Information From Your ISP 3.6.1 Protocols Before configuring this device, you have to check with your ISP (Internet Service Provider) to find out what kind of service is provided such as DHCP, Static IP, PPPoE, or PPTP. The following table outlines each of these protocols: DHCP Configure this WAN interface to use DHCP client protocol to get an IP address from your ISP automatically. Your ISP provides an IP address to the router dynamically when logging in.
3.6.2 Configuration Information If your ISP does not dynamically assign configuration information but instead uses fixed configurations, you will need the following basic information from your ISP: - An IP address and subnet mask - A gateway IP address - One or more domain name server (DNS) IP addresses Depending on your ISP, a host name and domain suffix may also be provided. If any of these items are dynamically supplied by the ISP, your BiGuard 50G will automatically acquire them.
2. Double-click the Network icon. 3. In the Network Connections window, right-click Local Area Connection and select Properties.
4. Select Internet Protocol (TCP/IP) and click Properties. 5. If an IP address, subnet mask and a Default gateway are shown, write down the information.
assigned. Click the Obtain an IP address automatically radio button. 6. If any DNS server addresses are shown, write them down. Click the Obtain DNS server address automatically radio button. 7. Click OK to save your changes.
3.7 Web Configuration Interface BiGuard 50G includes a Web Configuration Interface for easy administration via virtually any browser on your network. To access this interface, open your web browser, enter the IP address of your router, which by default is 192.168.1.254, and click Go. A user name and password prompt will appear. Enter your user name and password (the default user name and password are "admin" and "admin") to access the Web Configuration Interface.
If the Web Configuration Interface appears, congratulations! You are now ready to configure your BiGuard 50G. If you are having trouble accessing the interface, please refer to Chapter 5: Troubleshooting on the CD for possible resolutions.
Chapter 4: Router Configuration 4.1 Overview The Web Configuration Interface makes it easy for you to manage your network via any PC connected to it. On the Web Configuration homepage, you will see the navigation pane located on the left hand side. From it, you will be able to select various options used to configure your router. 1. Click Apply if you would like to apply the settings on the current screen to the device.
restricted to only one PC accessing the web configuration interface at a time. Once a PC has logged into the web interface, other PCs cannot gain access until the current PC has logged out. If the previous PC forgets to log out, the second PC can access the page after a user-defined period (5 minutes by default). The following sections will show you how to configure your router using the Web Configuration Interface. Please consult the manual on the CD provided for detailed configuration – see sections 4.2-4.
Device Information Device Name: Displays the device name. System Up Time: System uptime enables a user to determine how long the system has been online or the time that an unexpected restart or fault occurred. The system up-time is restarted when there is a power failure or upon software or hardware reset. Registration: Click on the Register button to open a web page on Billion’s website to register the BiGuard 50G.
Support Telephone Support for Internet Access ONLY is available during office hours from Mon-Fri 10am–5pm on 0870-8501528. If you are successfully connected to the Internet and have a support query please contact www.billion.uk.com/esupport and submit a ticket. This symbol on the product or in the instructions means that your electrical and electronic equipment should be disposed of at the end of its life separately from your household waste. There are separate collection systems for recycling in the EU.