Vigor2850 Series User’s Guide ii
Vigor2850 Series VDSL2 Security Firewall User’s Guide Version: 2.0 Firmware Version: V3.6.
Copyright Information Copyright Declarations Copyright 2012 All rights reserved. This publication contains information that is protected by copyright. No part may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders. Trademarks The following trademarks are used in this document: z Microsoft is a registered trademark of Microsoft Corp.
European Community Declarations Manufacturer: Address: Product: DrayTek Corp. No. 26, Fu Shing Road, Hukou Township, Hsinchu Industrial Park, Hsinchu County, Taiwan 303 Vigor2850 Series Router DrayTek Corp. declares that Vigor2850 Series of routers are in compliance with the following essential requirements and other relevant provisions of R&TTE Directive 1999/5/EEC.
Vigor2850 Series User’s Guide vi
Table of Contents Preface ..........................................................................................................1 1.1 Web Configuration Buttons Explanation ................................................................................. 1 1.2 LED Indicators and Connectors .............................................................................................. 2 1.2.1 For Vigor2850 ....................................................................................................
3.2.1 Basics of LAN ................................................................................................................. 86 3.2.2 General Setup................................................................................................................. 88 3.2.3 Static Route .................................................................................................................... 96 3.2.4 VLAN..........................................................................................
3.10.3 Remote Access Control .............................................................................................. 202 3.10.4 PPP General Setup .................................................................................................... 203 3.10.5 IPSec General Setup .................................................................................................. 204 3.10.6 IPSec Peer Identity .................................................................................................
3.17 Diagnostics........................................................................................................................ 309 3.17.1 Dial-out Triggering ...................................................................................................... 309 3.17.2 Routing Table ............................................................................................................. 310 3.17.3 ARP Cache Table ...............................................................................
Preface Vigor2850 series is a VDSL2 router. It integrates IP layer QoS, NAT session/bandwidth management to help users control works well with large bandwidth. By adopting hardware-based VPN platform and hardware encryption of AES/DES/3DES, the router increases the performance of VPN greatly, and offers several protocols (such as IPSec/PPTP/L2TP) with up to 32 VPN tunnels. The object-based design used in SPI (Stateful Packet Inspection) firewall allows users to set firewall policy with ease.
1.2 LED Indicators and Connectors Before you use the Vigor router, please get acquainted with the LED indicators and connectors first. 1.2.1 For Vigor2850 LED Status Explanation ACT (Activity) WCF Blinking Off On Blinking On Off Blinking On ADSL On On Blinking On On The router is powered on and running normally. The router is powered off. USB device is connected and ready for use. The data is transmitting. Internet connection is ready. Internet connection is not ready. The data is transmitting.
Interface Description Factory Reset GigaLAN (1-3) 4/WAN VDSL/ADSL USB PWR Restore the default settings. Usage: Turn on the router (ACT LED is blinking). Press the hole and keep for more than 5 seconds. When you see the ACT LED begins to blink rapidly than usual, release the button. Then the router will restart with the factory default configuration. Connecters for local network devices. Connecter for local network devices or remote network devices. Connecter for accessing the Internet.
1.2.2 For Vigor2850n LED Status Explanation ACT (Activity) Blinking Off On Blinking On Off Blinking On Blinking On Blinking On On The router is powered on and running normally. The router is powered off. USB device is connected and ready for use. The data is transmitting. Internet connection is ready. Internet connection is not ready. The data is transmitting. Wireless access point is ready. It will blink slowly while wireless traffic goes through.
Interface Description Wireless LAN ON/OFF/WPS GigaLAN (1-3) 4/WAN VDSL/ADSL USB PWR Press "Wireless LAN ON/OFF/WPS" button once to wait for client device making network connection through WPS. Press "Wireless LAN ON/OFF/WPS" button twice to enable (WLAN LED on) or disable (WLAN LED off) wireless connection. Restore the default settings. Usage: Turn on the router (ACT LED is blinking). Press the hole and keep for more than 5 seconds.
1.2.3 For Vigor2850Vn LED Status Explanation ACT (Activity) Blinking Off On Blinking On Off Blinking On Blinking Off On Off Blinking The router is powered on and running normally. The router is powered off. USB device is connected and ready for use. The data is transmitting. Internet connection is ready. Internet connection is not ready. The data is transmitting. Wireless access point is ready. It will blink slowly while wireless traffic goes through.
Interface Description Wireless LAN ON/OFF/WPS Phone 1/2 Line GigaLAN (1-3) 4/WAN VDSL/ADSL USB PWR Press "Wireless LAN ON/OFF/WPS" button once to wait for client device making network connection through WPS. Press "Wireless LAN ON/OFF/WPS" button twice to enable (WLAN LED on) or disable (WLAN LED off) wireless connection. Restore the default settings. Usage: Turn on the router (ACT LED is blinking). Press the hole and keep for more than 5 seconds.
1.2.4 For Vigor2850i LED Status Explanation ACT (Activity) WCF Blinking Off On Blinking On Off Blinking On ADSL Off On On Blinking On On The router is powered on and running normally. The router is powered off. USB device is connected and ready for use. The data is transmitting. Internet connection is ready. Internet connection is not ready. The data is transmitting. The Web Content Filter is active. (It is enabled from Firewall >> General Setup). The Web Content Filter is disabled.
Interface Description Factory Reset ISDN GigaLAN (1-3) 4/WAN VDSL/ADSL USB PWR Restore the default settings. Usage: Turn on the router (ACT LED is blinking). Press the hole and keep for more than 5 seconds. When you see the ACT LED begins to blink rapidly than usual, release the button. Then the router will restart with the factory default configuration. Connecter for ISDN line. Connecters for local network devices. Connecter for local network devices or modem for accessing Internet.
1.3 Hardware Installation Before starting to configure the router, you have to connect your devices correctly. 1. Connect the XDSL interface to the external XDSL splitter with an XDSL line cable for all models. For Vigor2850Vn, also connect Line interface to external XDSL splitter. 2. Connect one end of an Ethernet cable (RJ-45) to one of the LAN ports of the router and the other end of the cable (RJ-45) into the Ethernet port on your computer. 3.
1.4 Printer Installation You can install a printer onto the router for sharing printing. All the PCs connected this router can print documents via the router. The example provided here is made based on Windows XP/2000. For Windows 98/SE/Vista, please visit www.DrayTek.com. Before using it, please follow the steps below to configure settings for connected computers (or wireless clients). 1. Connect the printer with the router through USB/parallel port. 2. Open Start->Settings-> Printer and Faxes. 3.
4. Click Local printer attached to this computer and click Next. 5. In this dialog, choose Create a new port Type of port and use the drop down list to select Standard TCP/IP Port. Click Next.
6. In the following dialog, type 192.168.1.1 (router’s LAN IP) in the field of Printer Name or IP Address and type IP_192.168.1.1 as the port name. Then, click Next. 7. Click Standard and choose Generic Network Card. 8. Then, in the following dialog, click Finish.
9. Now, your system will ask you to choose right name of the printer that you installed onto the router. Such step can make correct driver loaded onto your PC. When you finish the selection, click Next. 10. For the final stage, you need to go back to Control Panel-> Printers and edit the property of the new printer you have added. 11. Select "LPR" on Protocol, type p1 (number 1) as Queue Name. Then click OK. Next please refer to the red rectangle for choosing the correct protocol and LPR name.
The printer can be used for printing now. Most of the printers with different manufacturers are compatible with vigor router. Note 1: Some printers with the fax/scanning or other additional functions are not supported. If you do not know whether your printer is supported or not, please visit www.draytek.com to find out the printer list. Open Support >FAQ; find out the link of Printer Server and click it. Then, click the What types of printers are compatible with Vigor router? link.
This page is left blank.
Basic Settings For using the router properly, it is necessary for you to change the password of web configuration for security and adjust primary basic settings. This chapter explains how to setup a password for accessing into the web configurator of Vigor router and how to adjust settings for accessing Internet successfully. 2.1 Accessing Web Page 1. Make sure your PC connects to the router correctly.
4. Now, the Main Screen will appear. Note: The home page will be different slightly in accordance with the type of the router you have. 5. The web page can be logged out according to the chosen condition. The default setting is Auto Logout, which means the web configuration system will logout after 5 minutes without any operation. Change the setting for your necessity.
2.2 Changing Password Please change the password for the original security of the router. 1. Open a web browser on your PC and type http://192.168.1.1. A pop-up window will open to ask for username and password. 2. Please type “admin/admin” as Username/Password for accessing into the web configurator with admin mode. 3. Go to System Maintenance page and choose Administrator Password/. 4. Enter the login password (the default is “admin”) on the field of Old Password. Type New Password.
2.3 Quick Start Wizard If your router can be under an environment with high speed NAT, the configuration provide here can help you to deploy and use the router quickly. The first screen of Quick Start Wizard is entering login password. After typing the password, please click Next. On the next page as shown below, please select the WAN interface that you use. If DSL interface is used, please choose WAN1; if Ethernet interface is used, please choose WAN2; if 3G USB modem is used, please choose WAN3.
2.3.1 For WAN1 (ADSL/VDSL) WAN1 is specified for ADSL or VDSL connection. You have to select the appropriate Internet access type according to the information from your ISP. For example, you should select PPPoE mode if the ISP provides you PPPoE interface. In addition, the field of For ADSL Only will be available only when ADSL is detected. Then click Next for next step. PPPoE/PPPoA 1. Choose WAN1 as WAN Interface and click the Next button; you will get the following page.
interface. Choose PPPoE or PPPoA as the protocol. 2. For ADSL Only Such field is provided for ADSL only. You have to choose encapsulation and type the values for VPI and VCI. Or, click Auto detect to find out the best values. Fixed IP Click Yes to enable Fixed IP feature. IP Address Type the IP address if Fixed IP is enabled. Primary DNS Type in the primary IP address for the router. Secondary DNS Type in secondary IP address for necessity in the future.
Item Description Password Assign a valid password provided by the ISP. Confirm Password Retype the password. 3. Please manually enter the Username/Password provided by your ISP. Then click Next for viewing summary of such connection. 4. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. 5. Now, you can enjoy surfing on the Internet.
MPoA / Static or Dynamic IP 1. Choose WAN1 as WAN Interface and click the Next button; you will get the following page. Available settings are explained as follows: Item Description Protocol There are two modes offered for you to choose for WAN1 interface. Choose MPoA / Static or Dynamic IP as the protocol. For ADSL Only Such field is provided for ADSL only. You have to choose encapsulation and type the values for VPI and VCI. Or, click Auto detect to find out the best values.
Secondary DNS Type in secondary IP address for necessity in the future. Back Click it to return to previous setting page. Next Click it to get into the next setting page. Cancel Click it to give up the quick start wizard. 2. Please type in the IP address/mask/gateway information originally provided by your ISP. Then click Next for viewing summary of such connection. 3. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. 4.
2.3.2 For WAN2 (Ethernet) WAN2 is dedicated to physical mode in Ethernet. If you choose WAN2, please specify physical type. Then, click Next. On the next page as shown below, please select the appropriate Internet access type according to the information from your ISP. For example, you should select PPPoE mode if the ISP provides you PPPoE interface. Then click Next for next step. PPPoE 1. Choose WAN2 as the WAN Interface and click the Next button.
2. Click PPPoE as the Internet Access Type. Then click Next to continue. Available settings are explained as follows: 3. Item Description User Name Assign a specific valid user name provided by the ISP. Password Assign a valid password provided by the ISP. Confirm Password Retype the password. Back Click it to return to previous setting page. Next Click it to get into the next setting page. Cancel Click it to give up the quick start wizard.
4. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. 5. Now, you can enjoy surfing on the Internet. PPTP/L2TP 1. Choose WAN2 as the WAN Interface and click the Next button. The following page will be open for you to specify Internet Access Type. 2. Click PPTP/L2TP as the Internet Access Type. Then click Next to continue.
Available settings are explained as follows: Item Description User Name Assign a specific valid user name provided by the ISP. Password Assign a valid password provided by the ISP. Confirm Password Retype the password. WAN IP Configuration Obtain an IP address automatically – the router will get an IP address automatically from DHCP server. Specify an IP address – you have to type relational settings manually. IP Address - Type the IP address. Subnet Mask –Type the subnet mask.
5. Now, you can enjoy surfing on the Internet. Static IP 1. Choose WAN2 as the WAN Interface and click the Next button. The following page will be open for you to specify Internet Access Type. 2. Click Static IP as the Internet Access type. Simply click Next to continue.
Item Description WAN IP Type the IP address. Subnet Mask Type the subnet mask. Gateway Type the IP address of gateway. Primary DNS Type in the primary IP address for the router. Secondary DNS Type in secondary IP address for necessity in the future. Back Click it to return to previous setting page. Next Click it to get into the next setting page. Cancel Click it to give up the quick start wizard. 3. Please type in the IP address information originally provided by your ISP.
DHCP 1. Choose WAN2 as WAN Interface and click the Next button. The following page will be open for you to specify Internet Access Type. 2. Click DHCP as the Internet Access type. Simply click Next to continue. Available settings are explained as follows: Item Description Host Name Type the name of the host. MAC Some Cable service providers specify a specific MAC address for access authentication. In such cases you need to enter the MAC address. Back Click it to return to previous setting page.
Next Click it to get into the next setting page. Cancel Click it to give up the quick start wizard. 3. After finished the settings above, click Next for viewing summary of such connection. 4. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. 5. Now, you can enjoy surfing on the Internet.
2.3.3 For WAN3 (USB) 1. Choose WAN3 as WAN Interface. 2. Then, click Next for viewing summary of such connection. 3. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. 4. Now, you can enjoy surfing on the Internet.
2.4 Service Activation Wizard Service Activation Wizard can guide you to activate WCF service (Web Content Filter) with a quick and easy way. For the Service Activation Wizard is only available for admin operation, therefore, please type “admin/admin” on Username/Password while Logging into the web configurator. Service Activation Wizard is a tool which allows you to use trial version or update the license of WCF directly without accessing into the server (MyVigor) located on http://myvigor.draytek.com.
3. In the following page, you can activate the Web content filter services at the same time or individually. When you finish the selection, please click Next. Commtouch is the web content filter based on Commtouch operated in the worldwide. There is a 30-day trial period. After trial, you can purchase DrayTek's prepared Commtouch GlobalView WCF package from retailing outlets. 4. Setting confirmation page will be displayed as follows, please click Next. 5.
Note: The service will be activated and applied as the default rule configured in Firewall>>General Setup. 6. Now, the web page will display the service that you have activated according to your selection(s). The valid time for the free trial of these services is one month. Later, if you need to extend the license valid time for the same service, you can also use the Service Activation Wizard again to reach your goal by clicking the radio button of Formal edition with license key and clicking Next.
2.5 Online Status 2.5.1 Physical Connection Such page displays the physical connection status such as LAN connection status, WAN connection status, ADSL information, and so on.
Detailed explanation (for IPv4) is shown below: Item Description LAN Status Primary DNS-Displays the primary DNS server address for WAN interface. Secondary DNS -Displays the secondary DNS server address for WAN interface. IP Address-Displays the IP address of the LAN interface. TX Packets-Displays the total transmitted packets at the LAN interface. RX Packets-Displays the total received packets at the LAN interface.
Item Description Mode - Displays the type of WAN connection (e.g., TSPC). Up Time - Displays the total uptime of the interface. IP - Displays the IP address of the WAN interface. Gateway IP - Displays the IP address of the default gateway. Note: The words in green mean that the WAN connection of that interface is ready for accessing Internet; the words in red mean that the WAN connection of that interface is not ready for accessing Internet. 2.5.
2.6 VDSL This menu allows you to check VDSL status and configure VDSL settings for you request. 2.6.1 VDSL Status This page displays the VDSL information for such router such as current connection status, the firmware version of such router, the profile used by such VDSL2 line, the rates for upstream and downstream, and so on. 2.6.2 VDSL Setup This page allows you to set VDSL2 profile and G.hs Carrier Set.
G.hs Carrier Set Choose one of the items as the G.hs Carrier Set. Each set will have different frequency indices and maximum power level for data in upstream and downstream. Bit Swap As line conditions change, bit swapping allows the modem to swap bits around different channels without retraining, as each channel becomes more or less capable. After finished the above settings, simply click OK to save them. 2.6.
2.8 Registering Vigor Router You have finished the configuration of Quick Start Wizard and you can surf the Internet at any time. Now it is the time to register your Vigor router to MyVigor website for getting more service. Please follow the steps below to finish the router registration. 1 Please login the web configuration interface of Vigor router by typing “admin/admin” as User Name / Password. 2 Click Support Area>>Production Registration from the home page.
4 The following page will be displayed after you logging in MyVigor. From this page, please click Add or Product Registration. 5 When the following page appears, please type in Nickname (for the router) and choose the right registration date from the popup calendar (it appears when you click on the box of Registration Date). After adding the basic information for the router, please click Submit. 6 When the following page appears, your router information has been added to the database.
7 Now, you have finished the product registration. 8 After clicking OK, you will see the following page. Your router has been registered to myvigor website successfully. If you have not activated web content filter service by using Service Activation Wizard, you can activate the service from this step. Please click the serial number link. 9 From the Device’s Service section, click the Trial. 10 In the following page, check the box of “I have read and accept the above Agreement”.
11 When this page appears, click Register. 12 Wait for a moment until the following page appears. 13 Click Close.
Web Configuration This chapter will guide users to execute web configuration. 1. Open a web browser on your PC and type http://192.168.1.1. The window will ask for typing username and password. 2. Please type “admin/admin” on Username/Password for administration operation. Now, the Main Screen will appear. Note that different model will have different web pages. 3.1 WAN Quick Start Wizard offers user an easy method to quick setup the connection mode for the router.
What are Public IP Address and Private IP Address As the router plays a role to manage and further protect its LAN, it interconnects groups of host PCs. Each of them has a private IP address assigned by the built-in DHCP server of the Vigor router. The router itself will also use the default private IP address: 192.168.1.1 to communicate with the local hosts. Meanwhile, Vigor router will communicate with other network devices through a public IP address.
3.1.2 General Setup This section will introduce some general settings of Internet and explain the connection modes for WAN1, WAN2 and WAN3 in details. This router supports multiple-WAN function. It allows users to access Internet and combine the bandwidth of the multiple WANs to speed up the transmission through the network. Each WAN port can connect to different ISPs, Even if the ISPs use different technology to provide telecommunication service (such as DSL, Cable modem, etc.).
Physical Mode / Type Display the physical mode and physical type of such WAN interface. Line Speed Display the downstream and upstream rate of such WAN interface. Active Mode Display whether such WAN interface is Active device or backup device. Backup WAN Display the Backup WAN interface for such WAN when it is disabled. Note: In default, each WAN port is enabled. WAN1 with ADSL/VDSL Vigor router will detect the physical line is connected by ADSL or VDSL automatically.
Physical Mode Display the physical mode of such interface. If VDSL is detected, this field will display “VDSL”; if ADSL is detected, it will display “ADSL”. Fallback Mode It allows you to specify which physical connection is used. Once the mode is specified, the router will not detect physical mode automatically whenever powering up the router. Physical Type For such interface, no type can be selected.
Active Mode Choose Always On to make the WAN1 connection being activated always; Backup Type If you choose Backup as the Active Mode, Backup Type will appear. Please specify which WAN will be the Backup interface. When any WAN disconnect – Such backup WAN will be activated when any master WAN interface disconnects. When all WAN disconnect – Such backup WAN will be activated only when all master WAN interfaces disconnect. WAN2 with Ethernet WAN2 is fixed with physical mode of Ethernet.
Physical type You can change the physical type for WAN2 or choose Auto negotiation for determined by the system. Line Speed If your choose According to Line Speed as the Load Balance Mode, please type the line speed for downloading and uploading for such WAN interface. The unit is kbps. VLAN Tag insertion Enable – Enable the function of VLAN with tag. The router will add specific VLAN number to all packets on the WAN while sending them out.
Available settings are explained as follows: Item Description Enable Choose Yes to invoke the settings for this WAN interface. Choose No to disable the settings for this WAN interface. Display Name Type the description for such WAN interface. Physical Mode Display the physical mode of such WAN interface. Physical type In such WAN interface, no type can be selected.
Backup Type If you choose Backup as the Active Mode, Backup Type will appear. Please specify which WAN will be treated as the Backup WAN. When any WAN disconnect – Such backup WAN will be activated when any master WAN interface disconnects. When all WAN disconnect – Such backup WAN will be activated only when all master WAN interfaces disconnect. 3.1.3 Internet Access For the router supports multi-WAN function, the users can set different WAN settings (for WAN1/WAN2/WAN3) for Internet Access.
Item Description Index Display the WAN interface. Display Name It shows the name of the WAN1/WAN2/WAN3 that entered in general setup. Physical Mode It shows the physical connection for WAN1(ADSL/VDSL) /WAN2 (Ethernet) /WAN3 (3G USB Modem) according to the real network connection. Access Mode Use the drop down list to choose a proper access mode. The details page of that mode will be popped up. If not, click Details Page for accessing the page to configure the settings.
Details Page for PPPoE/PPPoA in WAN1 To choose PPPoE /PPPoA as the accessing protocol of the Internet, please select PPPoE/PPPoA from the WAN>>Internet Access >>WAN1 page. The following web page will be shown. Available settings are explained as follows: Item Description Enable/Disable Click Enable for activating this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid.
settings in this group. Modulation –Default setting is Multimode. Choose the one that fits the requirement of your router. PPPoE Pass-through The router offers PPPoE dial-up connection. Besides, you also can establish the PPPoE connection directly from local clients to your ISP via the Vigor router. When PPPoA protocol is selected, the PPPoE package transmitted by PC will be transformed into PPPoA package and sent to WAN server. Thus, the PC can access Internet through such direction.
checking this box. If it is checked, the system will ask you to type another group of account and password additionally. PPP Authentication – Select PAP only or PAP or CHAP for PPP. If you want to connect to Internet all the time, you can check Always On. Idle Timeout – Set the timeout for breaking down the Internet after passing through the time without any action. IP Address From ISP Usually ISP dynamically assigns IP address to you each time you connect to it and request.
Details Page for MPoA/Static or Dynamic IP in WAN1 MPoA is a specification that enables ATM services to be integrated with existing LANs, which use either Ethernet, token-ring or TCP/IP protocols. The goal of MPoA is to allow different LANs to send packets to each other via an ATM backbone. To use MPoA/Static or Dynamic IP as the accessing protocol of the Internet, select MPoA /Static or Dynamic IP from the WAN>>Internet Access >>WAN1 page. The following web page will appear.
Modulation –Default setting is Multimode. Choose the one that fits the requirement of your router. ISDN Dial Backup Setup This setting is only available for the router supporting ISDN function. Before utilizing the ISDN dial backup feature, you must create a dial backup profile first. Please click ISDN > Dialing to a Single ISP to create the backup profile. None - Disable the backup function.
function. Bridge Mode If you choose Bridged IP as the protocol, you can check this box to invoke the function. The router will work as a bridge modem. WAN IP Network Settings This group allows you to obtain an IP address automatically and allows you type in IP address manually. WAN IP Alias - If you have multiple public IP addresses and would like to utilize them on the WAN interface, please use WAN IP Alias. You can set up to 8 public IP addresses other than the current one you are using.
Details Page for PPPoE in WAN2 To choose PPPoE as the accessing protocol of the Internet, please select PPPoE from the WAN>>Internet Access >>WAN2 page. The following web page will be shown. Available settings are explained as follows: Item Description Enable/Disable Click Enable for activating this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid.
ISDN Dial Backup Setup This setting is only available for the router supporting ISDN function. Before utilizing the ISDN dial backup feature, you must create a dial backup profile first. Please click ISDN > Dialing to a Single ISP to create the backup profile. None - Disable the backup function. Packet Triggering -The backup line is not on until a packet from a local host triggers the router to establish a connection.
IP Address Assignment Method (IPCP) Usually ISP dynamically assigns IP address to you each time you connect to it and request. In some case, your ISP provides service to always assign you the same IP address whenever you request. In this case, you can fill in this IP address in the Fixed IP field. Please contact your ISP before you want to use this function. WAN IP Alias - If you have multiple public IP addresses and would like to utilize them on the WAN interface, please use WAN IP Alias.
Available settings are explained as follows: Item Description Enable / Disable Click Enable for activating this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid. ISDN Dial Backup Setup This setting is only available for the router supporting ISDN function. Before utilizing the ISDN dial backup feature, you must create a dial backup profile first. Please click ISDN > Dialing to a Single ISP to create the backup profile.
environments because some ISPs will drop connections if there is no traffic within certain periods of time. Check Enable PING to keep alive box to activate this function. PING to the IP - If you enable the PING function, please specify the IP address for the system to PING it for keeping alive. PING Interval - Enter the interval for the system to execute the PING operation.
IP Address: Type the IP address. Subnet Mask: Type the subnet mask. Gateway IP Address: Type the gateway IP address. Default MAC Address: Click this radio button to use default MAC address for the router. Specify a MAC Address: Some Cable service providers specify a specific MAC address for access authentication. In such cases you need to click the Specify a MAC Address and enter the MAC address in the MAC Address field.
Disable – Click this radio button to close the connection through PPTP or L2TP. Server Address - Specify the IP address of the PPTP/L2TP server if you enable PPTP/L2TP client mode. Specify Gateway IP Address – Specify the gateway IP address for DHCP server. ISP Access Setup Username -Type in the username provided by ISP in this field. Password -Type in the password provided by ISP in this field. Index (1-15) in Schedule Setup - You can type in four sets of time schedule for your request.
Fixed IP - Usually ISP dynamically assigns IP address to you each time you connect to it and request. In some case, your ISP provides service to always assign you the same IP address whenever you request. In this case, you can fill in this IP address in the Fixed IP field. Please contact your ISP before you want to use this function. Click Yes to use this function and type in a fixed IP address in the box. Fixed IP Address -Type a fixed IP address.
Details Page for PPP in WAN3 To use PPP (for 3G USB Modem) as the accessing protocol of the internet, please choose Internet Access from WAN menu. Then, select PPP mode for WAN2. The following web page will be shown. Available settings are explained as follows: Item Description Enable / Disable Click Enable for activating this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid.
PPP Username Type the PPP username (optional). PPP Password Type the PPP password (optional). Always On If you want to connect to Internet all the time, you can check Always On. Idle Timeout – Set the timeout for breaking down the Internet after passing through the time without any action. Index (1-15) in Schedule Setup - You can type in four sets of time schedule for your request.
Below shows an example for successful IPv6 connection based on PPPoE mode. Note: At present, the IPv6 prefix can be acquired via the PPPoE mode connection which is available for the areas such as Taiwan (hinet), the Netherlands, Australia and UK. Details Page for IPv6 – TSPC in WAN1/WAN2/WAN3 Tunnel setup protocol client (TSPC) is an application which could help you to connect to IPv6 network easily. Please make sure your IPv4 WAN connection is OK and apply one free account from hexago (http://gogonet.
Available settings are explained as follows: Item Description Username Type the name obtained from the broker. It is suggested for you to apply another username and password for http://gogonet.gogo6.com/page/freenet6-account. Password Type the password assigned with the user name. Confirm Password Type the password again to make the confirmation. Tunnel Broker Type the address for the tunnel broker IP, FQDN or an optional port number.
Username Type the name obtained from the broker. Please apply new account at http://www.sixxs.net/. It is suggested for you to apply another username and password. Password Type the password assigned with the user name. Confirm Password Type the password again to make the confirmation. Tunnel Broker Type the address for the tunnel broker IP, FQDN or an optional port number.
Details Page for IPv6 – Static IPv6 in WAN1/WAN2 This type allows you to setup static IPv6 address for WAN interface. Available settings are explained as follows: Item Description Static IPv6 Address configuration IPv6 Address – Type the IPv6 Static IP Address. Prefix Length – Type the fixed value for prefix length. Add – Click it to add a new entry. Delete – Click it to remove an existed entry. Current IPv6 Address Table Display current interface IPv6 address.
3.1.4 Multi-PVCs This router allows you to create multi-PVCs for different data transferring for using. Simply go to Internet Access and select Multi-PVCs page. General The system allows you to set up to eight channels which are ready for choosing as the first PVC line that will be used as multi-PVCs. Available settings are explained as follows: Item Description Enable Check this box to enable that channel.
Protocol Select a proper protocol for this channel. Encapsulation Choose a proper type for this channel. The types will be different according to the protocol setting that you choose. WAN link for Channel 5, 6 and 7 are provided for router-borne application such as TR-069. The settings must be applied and obtained from your ISP. For your special request, please contact with your ISP and then click WAN link of Channel 5, 6 or 7 to configure your router.
WAN for Router-borne Application Choose the router service for channel 5, 6 or 7. Management - It can be specified for general management (Web configuration/telnet/TR069). If you choose Management, the configuration for this PVC will be effective for Web configuration/telnet/TR069. VoIP - It can be specified for VoIP only. If you choose VoIP, the configuration for this PVC will be effective for VoIP data transmitting and receiving. For other settings, refer to Details Page for PPPoE/PPPoA in WAN1.
MBS It represents Maximum Burst Size. The range of the value is 10 to 50. Port-based Bridge General page lets you set the first PVC. As to set the second PVC line, please click the Port-based Bridge tab to open Bridge configuration page. Available settings are explained as follows: Item Description Enable Check this box to enable that channel. Only channel 3 to 8 can be set in this page, for channel 1 to 2 are reserved for NAT using. P1 to P4 It means the LAN port 1 to 4.
Click Clear to remove all the configurations in this page if you do not satisfy it. When you finish the configuration, please click OK to save and exit this page. Or click Cancel to abort the configuration and exit this page. 3.1.5 Multi-VLAN This router allows you to create multi-VLAN for different data transferring for using. Simply go to WAN and select Multi-VLAN. General The system allows you to set up to eight channels for multi-VLAN.
WAN link for Channel 5, 6 and 7 are provided for router-borne application such as TR-069. The settings must be applied and obtained from your ISP. For your special request, please contact with your ISP and then click WAN link of Channel 5, 6 or 7 to configure your router. Available settings are explained as follows: Item Description WAN for Router-borne Application Choose the router service for channel 5, 6 or 7. Management - It can be specified for general management (Web configuration/telnet/TR069).
Bridge General page lets you set the first channel. As to set the third channel, please click the Bridge tab to open Bridge configuration page. Available settings are explained as follows: Item Description Enable Check this box to enable that channel. Only channel 3 to 8 can be set in this page, for channel 1 to 2 are reserved for NAT using. P1 to P4 It means the LAN port 1 to 4. Check the box to designate the LAN port for channel 3 to 8.
3.1.6 Load-Balance Policy This router supports the function of load balancing. It can assign traffic with protocol type, IP address for specific host, a subnet of hosts, and port range to be allocated in WAN1, WAN2, and WAN3 interface. The user can assign traffic category and force it to go to dedicate network interface based on the following web page setup. Twenty policies of load-balance are supported by this router. Note: Load-Balance Policy is running only when WAN1, WAN2 and WAN3 are activated.
Click Index 1 to access into the following page for configuring load-balance policy. Available settings are explained as follows: Item Description Enable Check this box to enable this policy. Protocol Use the drop-down menu to choose a proper protocol for the WAN interface. Binding WAN interface Choose the WAN interface (WAN1/WAN2/WAN3) for binding. Auto failover to other WAN – Check this button to lead the data passing through other WAN automatically when the selected WAN interface is failover.
3.2 LAN Local Area Network (LAN) is a group of subnets regulated and ruled by router. The design of network structure is related to what type of public IP addresses coming from your ISP. 3.2.1 Basics of LAN The most generic function of Vigor router is NAT. It creates a private subnet of your own. As mentioned previously, the router will talk to other public hosts on the Internet by using public IP address and talking to local hosts by using its private IP address.
What is Routing Information Protocol (RIP) Vigor router will exchange routing information with neighboring routers using the RIP to accomplish IP routing. This allows users to change the information of the router such as IP address and the routers will automatically inform for each other. What is Static Route When you have several subnets in your LAN, sometimes a more effective and quicker way for connection is the Static routes function rather than other method.
3.2.2 General Setup This page provides you the general settings for LAN. Click LAN to open the LAN settings page and choose General Setup. There are four subnets provided by the router which allow users to divide groups into different subnets (LAN1 – LAN4). In addition, different subnets can link for each other by configuring Inter-LAN Routing. At present, LAN1 setting is fixed with NAT mode only. LAN2 – LAN4 can be operated under NAT or Route mode. IP Routed Subnet can be operated under Route mode.
Details Page for LAN1 – Ethernet TCP/IP and DHCP Setup There are two configuration pages for LAN1, Ethernet TCP/IP and DHCP Setup (based on IPv4) and IPv6 Setup. Click the tab for each type and refer to the following explanations for detailed information. Available settings are explained as follows: Item Description Network Configuration For NAT Usage, IP Address - Type in private IP address for connecting to a local private network (Default: 192.168.1.1).
server is located the relay agent should redirect the DHCP request to. Start IP Address - Enter a value of the IP address pool for the DHCP server to start with when issuing IP addresses. If the 1st IP address of your router is 192.168.1.1, the starting IP address must be 192.168.1.2 or greater, but smaller than 192.168.1.254. IP Pool Counts - Enter the maximum number of PCs that you want the DHCP server to assign IP addresses to. The default is 50 and the maximum is 253.
Details Page for LAN1 – IPv6 Setup There are two configuration pages for LAN1, Ethernet TCP/IP and DHCP Setup (based on IPv4) and IPv6 Setup. Click the tab for each type and refer to the following explanations for detailed information. Below shows the settings page for IPv6. It provides 2 daemons for LAN side IPv6 address configuration. One is RADVD(stateless) and the other is DHCPv6 Server (Stateful).
list. DHCPv6 Server Configuration Enable Server –Click it to enable DHCPv6 server. DHCPv6 Server could assign IPv6 address to PC according to the Start/End IPv6 address configuration. Disable Server –Click it to disable DHCPv6 server. Start IPv6 Address / End IPv6 Address –Type the start and end address for IPv6 server. DNS Server IPv6 Address Primary DNS Sever – Type the IPv6 address for Primary DNS server. Secondary DNS Server –Type another IPv6 address for DNS server if required.
Details Page for LAN2/LAN3/LAN4 Available settings are explained as follows: Item Description Network Configuration Enable/Disable - Click Enable to enable such configuration; click Disable to disable such configuration. For NAT Usage - Click this radio button to invoke NAT function. For Routing Usage - Click this radio button to invoke this function. IP Address - Type in private IP address for connecting to a local private network (Default: 192.168.1.1).
Gateway IP Address - Enter a value of the gateway IP address for the DHCP server. The value is usually as same as the 1st IP address of the router, which means the router is the default gateway. Details Page for IP Routed Subnet Available settings are explained as follows: Item Description Network Configuration Enable/Disable - Click Enable to enable such configuration; click Disable to disable such configuration. For Routing Usage - Click this radio button to invoke this function.
DHCP Server Configuration DHCP stands for Dynamic Host Configuration Protocol. The router by factory default acts a DHCP server for your network so it automatically dispatch related IP settings to any local user configured as a DHCP client. It is highly recommended that you leave the router enabled as a DHCP server if you do not have a DHCP server for your network.
3.2.3 Static Route Go to LAN to open setting page and choose Static Route. The router offers IPv4 and IPv6 for you to configure the static route. Both protocols bring different web pages. Static Route for IPv4 Available settings are explained as follows: Item Description Index The number (1 to 10) under Index allows you to open next page to set up static route. Destination Address Displays the destination address of the static route. Status Displays the status of the static route.
Static Route for IPv6 You can set up to 40 profiles for IPv6 static route. Available settings are explained as follows: Item Description Index The number (1 to 40) under Index allows you to open next page to set up static route. Destination Address Displays the destination address of the static route. Status Displays the status of the static route. Set to Factory Default Clear all of the settings and return to factory default settings.
Available settings are explained as follows: Item Description Enable Click it to enable this profile. Destination IPv6 Address / Prefix Len Type the IP address with the prefix length for this entry. Gateway IPv6 Address Type the gateway address for this entry. Network Interface Use the drop down list to specify an interface for this static route.
1. Go to LAN page and click General Setup, select 1st Subnet as the RIP Protocol Control. Then click the OK button. Note: There are two reasons that we have to apply RIP Protocol Control on 1st Subnet. The first is that the LAN interface can exchange RIP packets with the neighboring routers via the 1st subnet (192.168.1.0/24). The second is that those hosts on the internal private subnets (ex. 192.168.10.
3.2.4 VLAN Virtual LAN function provides you a very convenient way to manage hosts by grouping them based on the physical port. You can also manage the in/out rate of each port. Go to LAN page and select VLAN. The following page will appear. Click Enable to invoke VLAN function. Note: Settings in this page only applied to LAN port but not WAN port. Available settings are explained as follows: Item Description Enable Click it to enable VLAN configuration.
Subnet Choose one of them to make the selected VLAN mapping to the specified subnet only. For example, LAN1 is specified for VLAN0. It means that PCs grouped under VLAN0 can get the IP address(es) that specified by the subnet. Note: Leave one VLAN untagged at least to prevent from not connecting to Vigor router due to unexpected error. To add or remove a VLAN, please refer to the following example. 1.
3.2.5 Bind IP to MAC This function is used to bind the IP and MAC address in LAN to have a strengthening control in network. When this function is enabled, all the assigned IP and MAC address binding together cannot be changed. If you modified the binding IP or MAC address, it might cause you not access into the Internet. Click LAN and click Bind IP to MAC to open the setup page. Available settings are explained as follows: Item Description Enable Click this radio button to invoke this function.
Refresh Refresh the ARP table listed below to obtain the newest ARP table information. Add and Edit IP Address – Type the IP address that will be used for the specified MAC address. Mac Address – Type the MAC address that is used to bind with the assigned IP address. Comment – Type a brief description for the entry. Show Comment – Check it to display the content of the comment. IP Bind List It displays a list for the IP bind to MAC information.
Item Description Port Mirror Check Enable to activate this function. Or, check Disable to close this function. Mirror Port Select a port to view traffic sent from mirrored ports. Mirrored port Select which ports are necessary to be mirrored. After finishing all the settings here, please click OK to save the configuration. 3.3 NAT Usually, the router serves as an NAT (Network Address Translation) router. NAT is a mechanism that one or more private IP addresses can be mapped into a single public one.
3.3.1 Port Redirection Port Redirection is usually set up for server related service inside the local network (LAN), such as web servers, FTP servers, E-mail servers etc. Most of the case, you need a public IP address for each server and this public IP address/domain name are recognized by all users.
Available settings are explained as follows: Item Description Enable Check this box to enable such port redirection setting. Mode Two options (Single and Range) are provided here for you to choose. To set a range for the specific service, select Range. In Range mode, if the public port (start port and end port) and the starting IP of private IP had been entered, the system will calculate and display the ending IP of private IP automatically.
Note that the router has its own built-in services (servers) such as Telnet, HTTP and FTP etc. Since the common port numbers of these services (servers) are all the same, you may need to reset the router in order to avoid confliction. For example, the built-in web configurator in the router is with default port 80, which may conflict with the web server in the local network, http://192.168.1.13:80.
The security properties of NAT are somewhat bypassed if you set up DMZ host. We suggest you to add additional filter rules or a secondary firewall. Click DMZ Host to open the following page: DMZ Host for WAN2 and WAN3 is slightly different with WAN1. Active True IP selection is available for WAN1 only. See the following figure.
If you previously have set up WAN Alias for PPPoE or Static or Dynamic IP mode in WAN2 interface, you will find them in Aux. WAN IP for your selection. Available settings are explained as follows: Item Description Enable Check to enable the DMZ Host function. Private IP Enter the private IP address of the DMZ host, or click Choose PC to select one. Choose PC Click this button and then a window will automatically pop up, as depicted below.
3.3.3 Open Ports Open Ports allows you to open a range of ports for the traffic of special applications. Common application of Open Ports includes P2P application (e.g., BT, KaZaA, Gnutella, WinMX, eMule and others), Internet Camera etc. Ensure that you keep the application involved up-to-date to avoid falling victim to any security exploits.
Available settings are explained as follows: Item Description Enable Open Ports Check to enable this entry. Comment Make a name for the defined network application/service. WAN IP Specify the WAN IP address that will be used for this entry. This setting is available when WAN IP Alias is configured. Local Computer Enter the private IP address of the local host or click Choose PC to select one.
Available settings are explained as follows: Item Description Protocol Display the protocol used for this address mapping. Public IP Display the public IP address selected for this entry, e.g., 172.16.3.102. Private IP Display the private IP set for this address mapping, e.g., 192.168.1.10. Mask Display the subnet mask selected for this address mapping. Status Display the status for the entry, enable or disable. Click the index number link to open the configuration page.
WAN Interface Choose the WAN interface for such address mapping profile. WAN IP Select an IP address (the selections provided here are set in IP Alias List of Network >>WAN interface). Local host can use this IP to connect to Internet. If you want to choose any one of the Public IP settings, you must specify some IP addresses in the IP Alias List of the Static/DHCP Configuration page first. If you did not type in any IP address in the IP Alias List, the Public IP setting will be empty in this field.
Triggering Protocol Display the protocol of the triggering packets. Triggering Port Display the port of the triggering packets. Incoming Protocol Display the protocol for the incoming data of such triggering profile. Incoming Port Display the port for the incoming data of such triggering profile. Status Display if the rule is active or de-active. Click the index number link to open the configuration page.
Triggering Port Type the port or port range for such trigger profile. Incoming Protocol When the triggering packets received, it is expected the incoming packets will use the selected protocol. Select the protocol (TCP, UDP or TCP/UDP) for the incoming data of such triggering profile. Incoming Port Type the port or port range for the incoming packets. 3.4 Firewall 3.4.
Stateful Packet Inspection (SPI) Stateful inspection is a firewall architecture that works at the network layer. Unlike legacy static packet filtering, which examines a packet based on the information in its header, stateful inspection builds up a state machine to track each connection traversing all interfaces of the firewall and makes sure they are valid. The stateful firewall of Vigor router not just examine the header information also monitor the state of the connection.
1. SYN flood attack 2. UDP flood attack 3. ICMP flood attack 4. Port Scan attack 5. IP options 6. Land attack 7. Smurf attack 8. Trace route 9. SYN fragment 10. Fraggle attack 11. TCP flag scan 12. Tear drop attack 13. Ping of Death attack 14. ICMP fragment 15. Unknown protocol Below shows the menu items for Firewall. 3.4.2 General Setup General Setup allows you to adjust settings of IP Filter and common options. Here you can enable or disable the Call Filter or Data Filter.
Data Filter Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter. Accept large incoming… Some on-line games (for example: Half Life) will use lots of fragmented UDP packets to transfer game data. Instinctively as a secure firewall, Vigor router will reject these fragmented packets to prevent attack unless you enable “Accept large incoming fragmented UDP or ICMP Packets”. By checking this box, you can play these kinds of on-line games.
Available settings are explained as follows: Item Description Filter Select Pass or Block for the packets that do not match with the filter rules. Sessions Control The number typed here is the total sessions of the packets that do not match the filter rule configured in this page. The default setting is 60000. Quality of Service Choose one of the QoS rules to be applied as firewall rule. For detailed information of setting QoS, please refer to the related section later.
APP Enforcement Select an APP Enforcement profile for global IM/P2P application blocking. If there is no profile for you to select, please choose [Create New] from the drop down list in this page to create a new profile. All the hosts in LAN must follow the standard configured in the APP Enforcement profile selected here. For detailed information, refer to the section of APP Enforcement profile setup. For troubleshooting needs, you can specify to record information for IM/P2P by checking the Log box.
Advance Setting Click Edit to open the following window. However, it is strongly recommended to use the default settings here. Codepage - This function is used to compare the characters among different languages. Choose correct codepage can help the system obtaining correct ASCII after decoding data from URL and enhance the correctness of URL Content Filter. The default value for this setting is ANSI 1252 Latin I. If you do not choose any codepage, no decoding job of URL will be processed.
3.4.3 Filter Setup Click Firewall and click Filter Setup to open the setup page. To edit or add a filter, click on the set number to edit the individual set. The following page will be shown. Each filter set contains up to 7 rules. Click on the rule number button to edit each rule. Check Active to enable the rule. Available settings are explained as follows: Item Description Filter Rule Click a button numbered (1 ~ 7) to edit the filter rule. Click the button will open Edit Filter Rule web page.
Available settings are explained as follows: Item Description Check to enable the Filter Rule Check this box to enable the filter rule. Comments Enter filter set comments/description. Maximum length is 14- character long. Index(1-15) Set PCs on LAN to work at certain time interval only. You may choose up to 4 schedules out of the 15 schedules pre-defined in Applications >> Schedule setup. The default setting of this field is blank and the function will always work.
Direction Set the direction of packet flow. It is for Data Filter only. For the Call Filter, this setting is not available since Call Filter is only applied to outgoing traffic. Note: RT means routing domain for 2nd subnet or other LAN. Source/Destination IP Click Edit to access into the following dialog to choose the source/destination IP or IP ranges. To set the IP address manually, please choose Any Address/Single Address/Range Address/Subnet Address as the Address Type and type them in this dialog.
Service Type Click Edit to access into the following dialog to choose a suitable service type. To set the service type manually, please choose User defined as the Service Type and type them in this dialog. In addition, if you want to use the service type from defined groups or objects, please choose Group and Objects as the Service Type. Protocol - Specify the protocol(s) which this filter rule will apply to.
Filter Specifies the action to be taken when packets match the rule. Block Immediately - Packets matching the rule will be dropped immediately. Pass Immediately - Packets matching the rule will be passed immediately. Block If No Further Match - A packet matching the rule, and that does not match further rules, will be dropped. Pass If No Further Match - A packet matching the rule, and that does not match further rules, will be passed through.
APP Enforcement Select an APP Enforcement profile for global IM/P2P application blocking. If there is no profile for you to select, please choose [Create New] from the drop down list in this page to create a new profile. All the hosts in LAN must follow the standard configured in the APP Enforcement profile selected here. For detailed information, refer to the section of APP Enforcement profile setup. For troubleshooting needs, you can specify to record information for IM/P2P by checking the Log box.
Advance Setting Click Edit to open the following window. However, it is strongly recommended to use the default settings here. Codepage - This function is used to compare the characters among different languages. Choose correct codepage can help the system obtaining correct ASCII after decoding data from URL and enhance the correctness of URL Content Filter. The default value for this setting is ANSI 1252 Latin I. If you do not choose any codepage, no decoding job of URL will be processed.
Example As stated before, all the traffic will be separated and arbitrated using on of two IP filters: call filter or data filter. You may preset 12 call filters and data filters in Filter Setup and even link them in a serial manner. Each filter set is composed by 7 filter rules, which can be further defined. After that, in General Setup you may specify one set for call filter and one set for data filter to execute first.
3.4.4 DoS Defense As a sub-functionality of IP Filter/Firewall, there are 15 types of detect/ defense function in the DoS Defense setup. The DoS Defense functionality is disabled for default. Click Firewall and click DoS Defense to open the setup page. Available settings are explained as follows: Item Description Enable Dos Defense Check the box to activate the DoS Defense Functionality. Select All Click this button to select all the items listed below.
Enable ICMP flood defense Check the box to activate the ICMP flood defense function. Similar to the UDP flood defense function, once if the Threshold of ICMP packets from Internet has exceeded the defined value, the router will discard the ICMP echo requests coming from the Internet. The default setting for threshold and timeout are 50 packets per second and 10 seconds, respectively.
Many machines may crash when receiving ICMP datagrams (packets) that exceed the maximum length. To avoid this type of attack, the Vigor router is designed to be capable of discarding any fragmented ICMP packets with a length greater than 1024 octets. Block Ping of Death Check the box to activate the Block Ping of Death function. This attack involves the perpetrator sending overlapping packets to the target hosts so that those target hosts will hang once they re-construct the packets.
3.5 User Management User Management is a security feature which disallows any IP traffic (except DHCP-related packets) from a particular host until that host has correctly supplied a valid username and password. Instead of managing with IP address/MAC address, User Management function manages hosts with user account. Network administrator can give different firewall policies or rules for different hosts with different User Management accounts. This is more flexible and convenient for network management.
3.5.1 General Setup General Setup can determine the standard (rule-based or user-based) for the users controlled by User Management. The mode (standard) selected here will influence the contents of the filter rule(s) applied to every user. Available settings are explained as follows: Item Description Mode There are two modes offered here for you to choose. Each mode will bring different filtering effect to the users involved.
3.5.2 User Profile This page allows you to set customized profiles (up to 200) which will be applied for users controlled under User Management. Simply open User Management>>User Profile. To set the user profile, please click any index number link to open the following page. Notice that profile 1 (admin) and profile 2 (System Reservation) are factory default settings. Profile 2 is reserved for future use.
Available settings are explained as follows: Item Description Enable this account Check this box to enable such user profile. User Name Type a name for such user profile (e.g., LAN_User_Group_1, WLAN_User_Group_A, WLAN_User_Group_B, etc). When a user tries to access Internet through this router, an authentication step must be performed first. The user has to type the User Name specified here to pass the authentication. When the user passes the authentication, he/she can access Internet via this router.
For the detailed configuration, simply refer to Firewall>>Filter Rule. The firewall filter rules that are not selected in Firewall>>General>>Default rule can be available for use in User Management>>User Profile. External Service Authentication The router will authenticate the dial-in user by itself or by external service such as LDAP server or Radius server. If LDAP or Radius is selected here, it is not necessary to configure the password setting above.
window with remaining time of connection for such user will be displayed. Next, the user can access Internet through any browser on Windows. Note that Alert Tool can be downloaded from DrayTek web site. Telnet – If it is selected, the user can use Telnet command to perform the authentication job.
Available settings are explained as follows: Item Description Name Type a name for this user group. Available User Objects You can gather user profiles (objects) from User Profile page within one user group. All the available user objects that you have created will be shown in this box. Notice that user object, Admin and Dial-In User are factory settings. User defined profiles will be numbered with 3, 4, 5 and so on. Selected Keyword Objects Click box.
Available settings are explained as follows: Item Description Refresh Seconds Use the drop down list to choose the time interval of refreshing data flow that will be done by the system automatically. Refresh Click this link to refresh this page manually. Index Display the number of the data flow. Active User Display the users which connect to Vigor router currently. You can click the link under the username to open the user profile setting page for that user.
3.6 Objects Settings For IPs in a range and service ports in a limited range usually will be applied in configuring router’s settings, therefore we can define them with objects and bind them with groups for using conveniently. Later, we can select that object/group that can apply it. For example, all the IPs in the same department can be defined with an IP object (a range of IP address). 3.6.1 IP Object You can set up to 192 sets of IP Objects with different conditions.
Click the number under Index column for settings in detail. Available settings are explained as follows: Item Description Name Type a name for this profile. Maximum 15 characters are allowed. Interface Choose a proper interface. For example, the Direction setting in Edit Filter Rule will ask you specify IP or IP range for WAN or LAN or any IP address.
MAC Address Type the MAC address of the network card which will be controlled. Start IP Address Type the start IP address for Single Address type. End IP Address Type the end IP address if the Range Address type is selected. Subnet Mask Type the subnet mask if the Subnet Address type is selected. Invert Selection If it is checked, all the IP addresses except the ones listed above will be applied later while it is chosen. Below is an example of IP objects settings. 3.6.
Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail. Available settings are explained as follows: Item Description Name Type a name for this profile. Maximum 15 characters are allowed. Interface Choose WAN, LAN or Any to display all the available IP objects with the specified interface. Available IP Objects All the available IP objects with the specified interface chosen above will be shown in this box.
3.6.3 IPv6 Object You can set up to 64 sets of IPv6 Objects with different conditions. Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail. Available settings are explained as follows: Item Description Name Type a name for this profile. Maximum 15 characters are allowed.
Address Type Determine the address type for the IPv6 address. Select Single Address if this object contains one IPv6 address only. Select Range Address if this object contains several IPv6s within a range. Select Subnet Address if this object contains one subnet for IPv6 address. Select Any Address if this object contains any IPv6 address. Select Mac Address if this object contains Mac address. MAC Address Type the MAC address of the network card which will be controlled.
3.6.4 IPv6 Group This page allows you to bind several IPv6 objects into one IPv6 group. Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail.
Name Type a name for this profile. Maximum 15 characters are allowed. Available IPv6 Objects All the available IPv6 objects with the specified interface chosen above will be shown in this box. Selected IPv6 Objects Click >> button to add the selected IPv6 objects in this box. 3.6.5 Service Type Object You can set up to 96 sets of Service Type Objects with different conditions. Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles.
Name Type a name for this profile. Protocol Specify the protocol(s) which this profile will apply to. Source/Destination Port Source Port and the Destination Port column are available for TCP/UDP protocol. It can be ignored for other protocols. The filter rule will filter out any port number. (=) – when the first and last value are the same, it indicates one port; when the first and last values are different, it indicates a range for the port and available for this profile.
3.6.6 Service Type Group This page allows you to bind several service types into one group. Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles.
Click the number under Index column for settings in detail. Available settings are explained as follows: Item Description Name Type a name for this profile. Available Service Type Objects All the available service objects that you have added on Objects Setting>>Service Type Object will be shown in this box. Selected Service Type Objects Click >> button to add the selected IP objects in this box. 3.6.
Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles. Click the number under Index column for setting in detail. Available settings are explained as follows: Item Description Name Type a name for this profile, e.g., game. Contents Type the content for such profile. For example, type gambling as Contents.
3.6.8 Keyword Group This page allows you to bind several keyword objects into one group. The keyword groups set here will be chosen as black /white list in CSM >>URL /Web Content Filter Profile. Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles. Click the number under Index column for setting in detail. Available settings are explained as follows: Item Description Name Type a name for this group.
Available Keyword Objects You can gather keyword objects from Keyword Object page within one keyword group. All the available Keyword objects that you have created will be shown in this box. Selected Keyword Objects Click this box. button to add the selected Keyword objects in 3.6.9 File Extension Object This page allows you to set eight profiles which will be applied in CSM>>URL Content Filter.
Available settings are explained as follows: Item Description Profile Name Type a name for this profile. Type a name for such profile and check all the items of file extension that will be processed in the router. Finally, click OK to save this profile.
3.7 CSM Profile Content Security Management (CSM) CSM is an abbreviation of Content Security Management which is used to control IM/P2P usage, filter the web content and URL content to reach a goal of security management. APP Enforcement Filter As the popularity of all kinds of instant messenger application arises, communication cannot become much easier.
3.7.1 APP Enforcement Profile You can define policy profiles for IM (Instant Messenger)/P2P (Peer to Peer)/Protocol/Misc application. This page allows you to set 32 profiles for different requirements. The APP Enforcement Profile will be applied in Default Rule of Firewall>>General Setup for filtering. Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles. Profile Display the number of the profile which allows you to click to set different policy.
Below shows the items which are categorized under Protocol. Available settings are explained as follows: Item Description Profile Name Type a name for the CSM profile. Select All Click it to choose all of the items in this page. Clear All Uncheck all the selected boxes. The profiles configured here can be applied in the Firewall>>General Setup and Firewall>>Filter Setup pages as the standard for the host(s) to follow. Below shows the items which are categorized under IM.
The items categorized under P2P ----- The items categorized under Misc ----- 159 Vigor2850 Series User’s Guide
3.7.2 URL Content Filter Profile To provide an appropriate cyberspace to users, Vigor router equips with URL Content Filter not only to limit illegal traffic from/to the inappropriate web sites but also prohibit other web feature where malicious code may conceal. Once a user type in or click on an URL with objectionable keywords, URL keyword blocking facility will decline the HTTP request to that web page thus can limit user’s access to the website.
Available settings are explained as follows: Item Description Profile Name Type a name for the CSM profile. Priority It determines the action that this router will apply. Both: Pass – The router will let all the packages that match with the conditions specified in URL Access Control and Web Feature below passing through. When you choose this setting, both configuration set in this page for URL Access Control and Web Feature will be inactive.
Log None – There is no log file will be recorded for this profile. Pass – Only the log about Pass will be recorded in Syslog. Block – Only the log about Block will be recorded in Syslog. All – All the actions (Pass and Block) will be recorded in Syslog. URL Access Control Enable URL Access Control - Check the box to activate URL Access Control. Note that the priority for URL Access Control is higher than Restrict Web Feature.
should be noticed that the more simplified the blocking keyword list is, the more efficiently the Vigor router performs. Web Feature Enable Restrict Web Feature - Check this box to make the keyword being blocked or passed. Action - This setting is available only when Either: URL Access Control First or Either: Web Feature Firs is selected. Pass allows accessing into the corresponding webpage with the keywords listed on the box below.
3.7.3 Web Content Filter Profile There are three ways to activate WCF on vigor router, using Service Activation Wizard, by means of CSM>>Web Content Filter Profile or via System Maintenance>>Activation. Service Activation Wizard allows you to use trial version or update the license of WCF directly without accessing into the server (MyVigor) located on http://myvigor.draytek.com.
Setup Test Server It is recommended for you to use the default setting, auto-selected. Find more Click it to open http://myvigor.draytek.com for searching another qualified and suitable server. Test a site to verify whether it is categorized Click this link to do the verification. Set to Factory Default Click this link to retrieve the factory settings. Cache None – the router will check the URL that the user wants to access via WCF precisely, however, the processing rate is normal.
Available settings are explained as follows: Item Description Black/White List Enable – Activate white/black list function for such profile. Group/Object Selections – Click Edit to choose the group or object profile as the content of white/black list. Pass - allow accessing into the corresponding webpage with the characters listed on Group/Object Selections. If the web pages do not match with the specified feature set here, they will be processed with the categories listed on the box below.
Action Pass - allow accessing into the corresponding webpage with the categories listed on the box below. Block - restrict accessing into the corresponding webpage with the categories listed on the box below. If the web pages do not match with the specified feature set here, it will be processed with reverse action. Log None – There is no log file will be recorded for this profile. Pass – Only the log about Pass will be recorded in Syslog. Block – Only the log about Block will be recorded in Syslog.
To activate the function of limit session, simply click Enable and set the default session limit. Available settings are explained as follows: Item Description Session Limit Enable - Click this button to activate the function of limit session. Disable - Click this button to close the function of limit session. Default session limit - Defines the default session number used for each computer in LAN. Limitation List Displays a list of specific limitations that you set on this web page.
Specific Limitation Start IP- Defines the start IP address for limit session. End IP - Defines the end IP address for limit session. Maximum Sessions - Defines the available session number for each host in the specific range of IP addresses. If you do not set the session number in this field, the system will use the default session limit for the specific limitation you set for each index. Add - Adds the specific session limitation onto the list above.
3.8.2 Bandwidth Limit The downstream or upstream from FTP, HTTP or some P2P applications will occupy large of bandwidth and affect the applications for other programs. Please use Limit Bandwidth to make the bandwidth usage more efficient. In the Bandwidth Management menu, click Bandwidth Limit to open the web page. To activate the function of limit bandwidth, simply click Enable and set the default upstream and downstream limit.
for each computer in LAN. Default RX limit - Define the default speed of the downstream for each computer in LAN. Allow auto adjustment….- Check this box to make the best utilization of available bandwidth. Limitation List Display a list of specific limitations that you set on this web page. Specific Limitation Start IP - Define the start IP address for limit bandwidth. End IP - Define the end IP address for limit bandwidth.
other applications are not protected by QoS, it will detract much from their performance in the overcrowded network. This is especially essential to those are low tolerant of loss, delay or jitter (delay variation). Another reason is due to congestions at network intersections where speeds of interconnected circuits mismatch or traffic aggregates, packets will queue up and traffic can be throttled back to a lower speed.
This page displays the QoS settings result of the WAN interface. Click the Setup link to access into next page for the general setup of WAN interface. As to class rule, simply click the Edit link to access into next for configuration. You can configure general setup for the WAN interface, edit the Class Rule, and edit the Service Type for the Class Rule for your request.
Online Statistics Display an online statistics for quality of service for your reference. General Setup for WAN Interface When you click Setup, you can configure the bandwidth ratio for QoS of the WAN interface. There are four queues allowed for QoS control. The first three (Class 1 to Class 3) class rules can be adjusted for your necessity. Yet, the last one is reserved for the packets which are not suitable for the user-defined class rules.
Enable the QoS Control The factory default for this setting is checked. Please also define which traffic the QoS Control settings will apply to. IN- apply to incoming traffic only. OUT-apply to outgoing traffic only. BOTH- apply to both incoming and outgoing traffic. Check this box and click OK, then click Setup link again. You will see the Online Statistics link appearing on this page. WAN Inbound Bandwidth It allows you to set the connecting rate of data input for WAN2/WAN3.
Edit the Class Rule for QoS The first three (Class 1 to Class 3) class rules can be adjusted for your necessity. To add, edit or delete the class rule, please click the Edit link of that one. After you click the Edit link, you will see the following page. Now you can define the name for that Class. In this case, “Test” is used as the name of Class Index #1. For adding a new rule, click Add to open the following page.
Item Description ACT Check this box to invoke these settings. Ethernet Type Please specify which protocol (IPv4 or IPv6) will be used for this rule. Local Address Click the Edit button to set the local IP address (on LAN) for the rule. Remote Address Click the Edit button to set the remote IP address (on LAN/WAN) for the rule. Address Type – Determine the address type for the source address. For Single Address, you have to fill in Start IP address.
Edit the Service Type for Class Rule To add a new service type, edit or delete an existed service type, please click the Edit link under Service Type field. After you click the Edit link, you will see the following page.
For adding a new service type, click Add to open the following page. Available settings are explained as follows: Item Description Service Name Type in a new service for your request. Service Type Choose the type (TCP, UDP or TCP/UDP or other) for the new service. Port Configuration Type - Click Single or Range as the Type. If you select Range, you have to type in the starting port number and the end porting number on the boxes below.
most popular DDNS service providers such as www.dyndns.org, www.no-ip.com, www.dtdns.com, www.changeip.com, www.dynamic- nameserver.com. You should visit their websites to register your own domain name for the router. Enable the Function and Add a Dynamic DNS Account 1. Assume you have a registered domain name from the DDNS provider, say hostname.dyndns.org, and an account with username: test and password: test. 2. In the DDNS setup menu, check Enable Dynamic DNS Setup.
Available settings are explained as follows: Item Description Enable Dynamic DNS Account Check this box to enable the current account. If you did check the box, you will see a check mark appeared on the Active column of the previous web page in step 2). WAN Interface WAN1/WAN2/WAN3 First - While connecting, the router will use WAN1/WAN2/WAN3 as the first channel for such account. If WAN1/WAN2/WAN3 fails, the router will use another WAN interface instead.
4. Mail Extender If the mail server is defined with another name, please type the name in this area. Such mail server will be used as backup mail exchange. Force WAN IP Update The system will renew the DDNS IP automatically within certain time. Click OK button to activate the settings. You will see your setting has been saved.
You can set up to 15 schedules. Then you can apply them to your Internet Access or VPN and Remote Access >> LAN-to-LAN settings. To add a schedule, please click any index, say Index No. 1. The detailed settings of the call schedule with index 1 are shown below. Available settings are explained as follows: Item Description Enable Schedule Setup Check to enable the schedule. Start Date (yyyy-mm-dd) Specify the starting date of the schedule. Start Time (hh:mm) Specify the starting time of the schedule.
Example Suppose you want to control the PPPoE Internet access connection to be always on (Force On) from 9:00 to 18:00 for whole week. Other time the Internet access connection should be disconnected (Force Down). Office Hour: (Force On) Mon - Sun 9:00 am to 6:00 pm 1. Make sure the PPPoE connection and Time Setup is working properly. 2. Configure the PPPoE always on from 9:00 to 18:00 for whole week. 3. Configure the Force Down from 18:00 to next day 9:00 for whole week. 4.
Shared Secret The RADIUS server and client share a secret that is used to authenticate the messages sent between them. Both sides must be configured to use the same shared secret. Confirm Shared Secret Re-type the Shared Secret for confirmation. 3.9.4 LDAP /Active Directory Setup Lightweight Directory Access Protocol (LDAP) is a communication protocol for using in TCP/IP network.
3.9.5 UPnP The UPnP (Universal Plug and Play) protocol is supported to bring to network connected devices the ease of installation and configuration which is already available for directly connected PC peripherals with the existing Windows 'Plug and Play' system. For NAT routers, the major feature of UPnP on the router is “NAT Traversal”. This enables applications inside the firewall to automatically open the ports that they need to pass through a router.
and configure port mappings on the router. Subsequently, such a facility forwards packets from the external ports of the router to the internal ports used by the application. The reminder as regards concern about Firewall and UPnP Can't work with Firewall Software Enabling firewall applications on your PC may cause the UPnP function not working properly. This is because these applications will block the accessing ability of some network ports.
3.9.6 IGMP IGMP is the abbreviation of Internet Group Management Protocol. It is a communication protocol which is mainly used for managing the membership of Internet Protocol multicast groups. Available settings are explained as follows: Item Description Enable IGMP Proxy Check this box to enable this function. The application of multicast will be executed through WAN port. In addition, such function is available in NAT mode. Enable IGMP Snooping Check this box to enable this function.
3.9.7 Wake on LAN A PC client on LAN can be woken up by the router it connects. When a user wants to wake up a specified PC through the router, he/she must type correct MAC address of the specified PC on this web page of Wake on LAN (WOL) of this router. In addition, such PC must have installed a network card supporting WOL function. By the way, WOL function must be set as “Enable” on the BIOS setting.
3.9.8 Short Message Service The function of Short Message Service is that Vigor router sends a message to user’s mobile through specified service provider to assist the user knowing the real-time abnormal situations. Vigor router allows you to set up to 8 SMS profiles which will be sent out according to different conditions. Click any index number line to access into the web page for detailed configuration.
Available settings are explained as follows: Item Description Enable SMS Setup Click Enable to enable SMS function. Click Disable to close SMS function. Profile Name Type a name for such SMS profile. Service Provider Use the drop down list to specify the service provider which offers SMS service. Username Type a user name that the sender can use to register to selected SMS provider. Password Type a password that the sender can use to register to selected SMS provider.
3.10 VPN and Remote Access A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. In short, by VPN technology, you can send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link. Below shows the menu items for VPN and Remote Access. 3.10.1 VPN Client Wizard Such wizard is used to configure VPN settings for VPN client.
Please choose a LAN-to-LAN Profile There are 32 VPN profiles for users to set. 2. When you finish the mode and profile selection, please click Next to open the following page.
In this page, you have to select suitable VPN type for the VPN client profile. There are six types provided here. Different type will lead to different configuration page. After making the choices for the client profile, please click Next. You will see different configurations based on the selection(s) you made.
z When you choose L2TP, you will see the following graphic: z When you choose L2TP over IPSec (Nice to Have) or L2TP over IPSec (Must), you will see the following graphic: Available settings are explained as follows: Item Description Profile Name Type a name for such profile. The length of the file is limited to 10 characters.
VPN Dial-Out Through Use the drop down menu to choose a proper WAN interface for this profile. This setting is useful for dial-out only. WAN1 First - While connecting, the router will use WAN1 as the first channel for VPN connection. If WAN1 fails, the router will use another WAN interface instead. WAN1 Only - While connecting, the router will use WAN1 as the only channel for VPN connection. WAN2 First - While connecting, the router will use WAN2 as the first channel for VPN connection.
3. After finishing the configuration, please click Next. The confirmation page will be shown as follows. If there is no problem, you can click one of the radio buttons listed on the page and click Finish to execute the next action. Available settings are explained as follows: Item Description Go to the VPN Connection Management Click this radio button to access VPN and Remote Access>>Connection Management for viewing VPN Connection status.
3.10.2 VPN Server Wizard Such wizard is used to configure VPN settings for VPN server. Such wizard will guide to set the LAN-to-LAN profile for VPN dial in connection (from client to server) step by step. 1. Open VPN and Remote Access>>VPN Server Wizard. The following page will appear. Available settings are explained as follows: Item Description VPN Server Mode Selection Choose the direction for the VPN server.
Please choose a LAN-to-LAN Profile This item is available when you choose Site to Site VPN (LAN-to-LAN) as VPN server mode. There are 32 VPN profiles for users to set. Please choose a Dial-in User Accounts This item is available when you choose Remote Dial-in User (Teleworker) as VPN server mode. There are 32 VPN tunnels for users to set. Allowed Dial-in Type This item is available after you choose any one of dial-in user account profiles.
z When you check PPTP, you will see the following graphic: z When you check PPTP/IPSec/L2TP (three types) or PPTP/IPSec (two types) or L2TP with Policy (Nice to Have/Must), you will see the following graphic: Vigor2850 Series User’s Guide 200
z When you check IPSec, you will see the following graphic: Available settings are explained as follows: Item Description Profile Name Type a name for such profile. The length of the file is limited to 10 characters. User Name This field is used to authenticate for connection when you select PPTP or L2TP with or without IPSec policy above. Password This field is used to authenticate for connection when you select PPTP or L2TP with or without IPSec policy above.
3. After finishing the configuration, please click Next. The confirmation page will be shown as follows. If there is no problem, you can click one of the radio buttons listed on the page and click Finish to execute the next action. Available settings are explained as follows: Item Description Go to the VPN Connection Management Click this radio button to access VPN and Remote Access>>Connection Management for viewing VPN Connection status.
3.10.4 PPP General Setup This submenu only applies to PPP-related VPN connections, such as PPTP, L2TP, L2TP over IPSec. Available settings are explained as follows: Item Description Dial-In PPP Authentication PAP Only - elect this option to force the router to authenticate dial-in users with the PAP protocol. PAP or CHAP - Selecting this option means the router will attempt to authenticate dial-in users with the CHAP protocol first.
Mutual Authentication (PAP) The Mutual Authentication function is mainly used to communicate with other routers or clients who need bi-directional authentication in order to provide stronger security, for example, Cisco routers. So you should enable this function when your peer router requires mutual authentication. You should further specify the User Name and Password of the mutual authentication peer. Assigned IP Start Enter a start IP address for the dial-in PPP connection.
Available settings are explained as follows: Item Description IKE Authentication Method This usually applies to those are remote dial-in user or node (LAN-to-LAN) which uses dynamic IP address and IPSec-related VPN connections such as L2TP over IPSec and IPSec tunnel. Pre-Shared Key -Currently only support Pre-Shared Key authentication. Pre-Shared Key- Specify a key for IKE authentication Confirm Pre-Shared Key- Retype the characters to confirm the pre-shared key.
3.10.6 IPSec Peer Identity To use digital certificate for peer authentication in either LAN-to-LAN connection or Remote User Dial-In connection, here you may edit a table of peer certificate for selection. As shown below, the router provides 32 entries of digital certificates for peer dial-in users. Available settings are explained as follows: Item Description Set to Factory Default Click it to clear all indexes.
Available settings are explained as follows: Item Description Profile Name Type the name of the profile. Accept Any Peer ID Click to accept any peer regardless of its identity. Accept Subject Alternative Name Click to check one specific field of digital signature to accept the peer with matching value. The field can be IP Address, Domain, or E-mail Address. The box under the Type will appear according to the type you select and ask you to fill in corresponding setting.
3.10.7 Remote Dial-in User You can manage remote access by maintaining a table of remote user profile, so that users can be authenticated to dial-in via VPN connection. You may set parameters including specified connection peer ID, connection type (VPN connection - including PPTP, IPSec Tunnel, and L2TP by itself or over IPSec) and corresponding security methods, etc. The router provides 32 access accounts for dial-in users.
Available settings are explained as follows: Item Description User account and Authentication Enable this account - Check the box to enable this function. Idle Timeout- If the dial-in user is idle over the limitation of the timer, the router will drop this connection. By default, the Idle Timeout is set to 300 seconds. Allowed Dial-In Type PPTP - Allow the remote dial-in user to make a PPTP VPN connection through the Internet. You should set the User Name and Password of remote dial-in user below.
z Nice to Have - Apply the IPSec policy first, if it is applicable during negotiation. Otherwise, the dial-in VPN connection becomes one pure L2TP connection. z Must -Specify the IPSec policy to be definitely applied on the L2TP connection. Specify Remote Node -You can specify the IP address of the remote dial-in user, ISDN number or peer ID (used in IKE aggressive mode).
Profiles set in the VPN and Remote Access >>IPSec Peer Identity. IPSec Security Method This group of fields is a must for IPSec Tunnels and L2TP with IPSec Policy when you specify the remote node. Check the Medium, DES, 3DES or AES box as the security method. Medium-Authentication Header (AH) means data will be authenticated, but not be encrypted. By default, this option is invoked. You can uncheck it to disable it.
3.10.8 LAN to LAN Here you can manage LAN-to-LAN connections by maintaining a table of connection profiles. You may set parameters including specified connection direction (dial-in or dial-out), connection peer ID, connection type (VPN connection - including PPTP, IPSec Tunnel, and L2TP by itself or over IPSec) and corresponding security methods, etc. The router supports up to 32 VPN tunnels simultaneously. The following figure shows the summary table.
Available settings are explained as follows: Item Description Common Settings Profile Name – Specify a name for the profile of the LAN-to-LAN connection. Enable this profile - Check here to activate this profile. VPN Dial-Out Through - Use the drop down menu to choose a proper WAN interface for this profile. This setting is useful for dial-out only. z WAN1 /WAN2 /WAN3 First - While connecting, the router will use WAN1 /WAN2 /WAN3 as the first channel for VPN connection.
WAN1 /WAN2 /WAN3 Only - While connecting, the router will use WAN1 /WAN2 /WAN3 as the only channel for VPN connection. Netbios Naming Packet z Pass – click it to have an inquiry for data transmission between the hosts located on both sides of VPN Tunnel while connecting. z Block – When there is conflict occurred between the hosts on both sides of VPN Tunnel in connecting, such function can block data transmission of Netbios Naming Packet inside the tunnel.
authentication of remote server. IPSec Tunnel - Build an IPSec VPN connection to the server through Internet. L2TP with IPSec Policy - Build a L2TP VPN connection through the Internet. You can select to use L2TP alone or with IPSec. Select from below: z None: Do not apply the IPSec policy. Accordingly, the VPN connection employed the L2TP without IPSec policy can be viewed as one pure L2TP connection. z Nice to Have: Apply the IPSec policy first, if it is applicable during negotiation.
scheme. z 3DES with Authentication-Use triple DES encryption algorithm and apply MD5 or SHA-1 authentication algorithm. z AES without Authentication-Use AES encryption algorithm and not apply any authentication scheme. z AES with Authentication-Use AES encryption algorithm and apply MD5 or SHA-1 authentication algorithm. Advanced - Specify mode, proposal and key life of each IKE phase, Gateway, etc. The window of advance setup is shown as below: IKE phase 1 mode -Select from Main mode and Aggressive mode.
47 characters. Callback Function (CBCP) - (for s models only) The callback function provides a callback service as a part of PPP suite only for the ISDN dial-in user. The router owner will be charged the connection fee by the telecom. Require Remote to Callback-Enable this to let the router to require the remote peer to callback for the connection afterwards.
z IPSec Tunnel- Allow the remote dial-in user to trigger an IPSec VPN connection through Internet. z L2TP with IPSec Policy - Allow the remote dial-in user to make a L2TP VPN connection through the Internet. You can select to use L2TP alone or with IPSec. Select from below: None - Do not apply the IPSec policy. Accordingly, the VPN connection employed the L2TP without IPSec policy can be viewed as one pure L2TP connection.
High- Encapsulating Security Payload (ESP) means payload (data) will be encrypted and authenticated. You may select encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES. The callback function provides a callback service only for the ISDN LAN-to-LAN connection (this feature is useful for “i” model only). The remote user will be charged the connection fee by the telecom. Enable Callback Function-Enables the callback function.
address here. Do not change the default value if you do not select PPTP or L2TP. Remote Network IP/ Remote Network Mask - Add a static route to direct all traffic destined to this Remote Network IP Address/Remote Network Mask through the VPN connection. For IPSec, this is the destination clients IDs of phase 2 quick mode. Local Network IP / Local Network Mask - Display the local network IP and mask for TCP / IP configuration. You can modify the settings if required.
¾ VPN TRUNK-VPN Backup mechanism is compliant with all WAN modes (single/multi) ¾ Dial-out connection types contain IPSec, PPTP, L2TP, L2TP over IPSec and ISDN (depends on hardware specification) ¾ The web page is simple to understand and easy to configure ¾ Filly compliant with VPN Server LAN Sit Single/Multi Network ¾ Mail Alert support, please refer to System Maintenance >> SysLog / Mail Alert for detailed configuration ¾ Syslog support, please refer to System Maintenance >> SysLog / Mail Aler
Available settings are explained as follows: Item Description Backup Profile List Set to Factory Default - Click to clear all VPN TRUNK-VPN Backup mechanism profile. No – The order of VPN TRUNK-VPN Backup mechanism profile. Status - “v” means such profile is enabled; “x” means such profile is disabled. Name - Display the name of VPN TRUNK-VPN Backup mechanism profile. Member1 - Display the dial-out profile selected from the Member1 drop down list below. Active - “Yes” means normal condition.
IPSec, PPTP, L2TP, L2TP over IPSec (NICE), L2TP over IPSec(MUST) and so on. Member2 - Display the dial-out profile selected from the Member2 drop down list below. Advanced – This button is available only when LAN to LAN profile (or more) is created. Detailed information for this dialog, see later section Advanced Load Balance and Backup. Load Balance Profile List Set to Factory Default - Click to clear all VPN TRUNK-VPN Load Balance mechanism profile.
Detailed information for this dialog, see later section Advanced Load Balance and Backup. General Setup Vigor2850 Series User’s Guide Status- After choosing one of the profile listed above, please click Enable to activate this profile. If you click Disable, the selected or current used VPN TRUNK-Backup/Load Balance mechanism profile will not have any effect for VPN tunnel. Profile Name- Type a name for VPN TRUNK profile. Each profile can group two VPN connections set in LAN-to-LAN.
(Enable or Disable), profile name, member1 or member2. Delete - Click this button to delete the selected VPN TRUNK profile. The corresponding members (LAN-to-LAN profiles) grouped in the deleted VPN TRUNK profile will be released and that profiles in LAN-to-LAN will be displayed in black. Time for activating VPN TRUNK – VPN Backup mechanism profile VPN TRUNK – VPN Backup mechanism will be activated automatically after the initial connection of single VPN Tunnel off-line.
Balance mechanism profile, the selected LAN-to-LAN profiles will be released and expressed in black. How can you set a GRE over IPSec profile? 1. Please go to LAN to LAN to set a profile with IPSec. 2. If the router will be used as the VPN Server (i.e., with virtual address 192.168.50.200). Please type 192.168.50.200 in the field of My GRE IP. Type IP address (192.168.50.100) of the client in the field of Peer GRE IP. See the following graphic for an example. 3.
Advanced Load Balance and Backup After setting profiles for load balance, you can choose any one of them and click Advance for more detailed configuration. The windows for advanced load balance and backup are different. Refer to the following explanation: Advanced Load Balance Available settings are explained as follows: Item Description Profile Name List the load balance profile name. Load Balance Algorithm Round Robin – Based on packet base, both tunnels will send the packet alternatively.
99:1). VPN Load Balance Policy Below shows the algorithm for Load Balance. Edit – Click this radio button for assign a blank table for configuring Binding Tunnel. Insert after – Click this radio button to adding a new binding tunnel table. Tunnel Bind Table Index- 128 Binding tunnel tables are provided by this device. Specify the number of the tunnel for such Load Balance profile. Active – In-active/Delete can delete this binding tunnel table. Active can activate this binding tunnel table.
policy for load balance: Note : To configure a successful binding tunnel, you have to: Type Binding Src IP range (Start and End) and Binding Des IP range (Start and End). Choose TCP/UDP, IGMP/ICMP or Other as Binding Protocol. Detailed Settings for Advanced Backup Available settings are explained as follows: Item Description Profile Name List the backup profile name. ERD Mode ERD means “Environment Recovers Detection”.
Recovers Detection. 3.10.10 Connection Management You can find the summary table of all VPN connections. You may disconnect any VPN connection by clicking Drop button. You may also aggressively Dial-out by using Dial-out Tool and clicking Dial button. Available settings are explained as follows: Item Description Dial-out Tool General Mode - This filed displays the profile configured in LAN-to-LAN (with Index number and VPN Server IP address).
Refresh - Click this button to refresh the whole connection status. 3.11 Certificate Management A digital certificate works as an electronic ID, which is issued by a certification authority (CA). It contains information such as your name, a serial number, expiration dates etc., and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Here Vigor router support digital certificates conforming to standard X.509.
Type in all the information that the window requests. Then click Generate again. Import Click this button to import a saved file as the certification information. Refresh Click this button to refresh the information listed below. View Click this button to view the detailed settings for certificate request.
3.11.2 Trusted CA Certificate Trusted CA certificate lists three sets of trusted CA certificate. To import a pre-saved trusted CA certificate, please click IMPORT to open the following window. Use Browse… to find out the saved text file. Then click Import. The one you imported will be listed on the Trusted CA Certificate window. Then click Import to use the pre-saved file. For viewing each trusted CA certificate, click View to open the certificate detail information window.
3.11.3 Certificate Backup Local certificate and Trusted CA certificate for this router can be saved within one file. Please click Backup on the following screen to save them. If you want to set encryption password for these certificates, please type characters in both fields of Encrypt password and Retype password. Also, you can use Restore to retrieve these two settings to the router whenever you want. 3.12 VoIP Note: This function is used for “V” models.
z Calling via SIP Servers First, the Vigor V models of yours will have to register to a SIP Registrar by sending registration messages to validate. Then, both parties’ SIP proxies will forward the sequence of messages to caller to establish the session. If you both register to the same SIP Registrar, then it will be illustrated as below: The major benefit of this mode is that you don’t have to memorize your friend’s IP address, which might change very frequently if it’s dynamic.
3.12.1 DialPlan This page allows you to set phone book and digit map for the VoIP function. Click the Phone Book and Digit Map links on the page to access into next pages for dialplan settings. Available settings are explained as follows: Item Description Enable Secure Phone It allows users to have encrypted RTP stream with the peer side using the same protocol (ZRTP+SRTP). Check this box to have secure call. Enable SAS Voice Prompt If it is enabled, SAS prompt will be heard for both ends every time.
Phone Book In this section, you can set your VoIP contacts in the “phonebook”. It can help you to make calls quickly and easily by using “speed-dial” Phone Number. There are total 60 index entries in the phonebook for you to store all your friends and family members’ SIP addresses. Loop through and Backup Phone Number will be displayed if you are using Vigor2850Vn for setting the phone book. Click any index number to display the dial plan setup page.
Display Name The Caller-ID that you want to be displayed on your friend’s screen. This let your friend can easily know who’s calling without memorizing lots of SIP URL Address. SIP URL Enter your friend’s SIP Address. Dial Out Account Choose one of the SIP accounts for this profile to dial out. It is useful for both sides (caller and callee) that registered to different SIP Registrar servers. If caller and callee do not use the same SIP server, sometimes, the VoIP phone call connection may not succeed.
Available settings are explained as follows: Item Description Enable Check this box to invoke this setting. Match Prefix It is used to match with the number you dialed and can be modified with the OP Number by the mode (add, strip or replace). Mode None - No action. Add - When you choose this mode, the OP number will be added with the prefix number for calling out through the specific VoIP interface.
settings from the saved SIP accounts. Please set up one SIP account first to make this interface available. This item will be changed according to the port settings configured in VoIP>> Phone Settings. Move UP /Move Down Click the link to move the selected entry up or down. Call Barring Call barring is used to block phone calls coming from the one that is not welcomed. Click any index number to display the dial plan setup page.
Call Direction Determine the direction for the phone call, IN – incoming call, OUT-outgoing call, IN & OUT – both incoming and outgoing calls. Barring Type Determine the type of the VoIP phone call, URI/URL or number. Specific URI/URL or Specific Number This field will be changed based on the type you selected for barring Type. Route All means all the phone calls will be blocked with such mechanism.
Vigor2850 Series User’s Guide 242
For Block IP Address – this function can block incoming calls (through Phone port) coming from IP address. Such control also can be done based on preconfigured schedules. Regional This page allows you to process incoming or outgoing phone calls by regional. Default values (common used in most areas) will be shown on this web page. You can change the number based on the region that the router is placed.
Last Call Return [Out] Dial the number typed in this field to call the previous outgoing phone call again. Call Forward [All][Act] Dial the number typed in this field to forward all the incoming calls to the specified place. Call Forward [Deact] Dial the number typed in this field to release the call forward function. Call Forward [Busy][Act] Dial the number typed in this field to forward all the incoming calls to the specified place while the phone is busy.
PSTN Setup Some emergency phone (e.g., 911) or special phone cannot be dialed out by using VoIP and can be called out through PSTN line only. To solve this problem, this page allows you to set five sets of PSTN number for dialing without passing through Internet. Please type the number in the field of phone number for PSTN relay. Then, check the Enable box to make the PSTN number available for dial whenever you need. 3.12.2 SIP Accounts In this section, you set up your own SIP settings.
Available settings are explained as follows: Item Description Index Click this link to access into next page for setting SIP account. Profile Display the profile name of the account. Domain/Realm Display the domain name or IP address of the SIP registrar server. Proxy Display the domain name or IP address of the SIP proxy server. Account Name Display the account name of SIP address before @. Codec Display the codec type for the account.
SIP PING interval The default value is 150 (sec). It is useful for a Nortel server NAT Traversal Support. Click any index link to access into the following page for configuring SIP account. Available settings are explained as follows: Item Description Profile Name Assign a name for this profile for identifying. You can type similar name with the domain. For example, if the domain name is draytel.org, then you might set draytel-1 in this field.
SIP Port Set the port number for sending/receiving SIP message for building a session. The default value is 5060. Your peer must set the same value in his/her Registrar. Domain/Realm Set the domain name or IP address of the SIP Registrar server. Proxy Set domain name or IP address of SIP proxy server. By the time you can type :port number after the domain name to specify that port as the destination of data transmission (e.g., nat.draytel.
solution, you can choose this option. Call Forwarding There are four options for you to choose. Disable is to close call forwarding function. Always means all the incoming calls will be forwarded into SIP URL without any reason. Busy means the incoming calls will be forwarded into SIP URL only when the local system is busy. No Answer means if the incoming calls do not receive any response, they will be forwarded to the SIP URL by the time out. SIP URL – Type in the SIP URL (e.g., aaa@draytel.
Voice Active Detector Vigor2850 Series User’s Guide This function can detect if the voice on both sides is active or not. If not, the router will do something to save the bandwidth for other using. Click On to invoke this function; click off to close the function.
3.12.3 Phone Settings This page allows user to set phone settings for Phone 1 and Phone 2 respectively. However, it changes slightly according to different model you have. Available settings are explained as follows: Item Description Phone List Port – there are two phone ports provided here for you to configure. Phone1/Phone2 allows you to set general settings for PSTN phones. Call Feature – A brief description for call feature will be shown in this field for your reference.
Detailed Settings for Phone Port Click the number link for Phone port, you can access into the following page for configuring Phone settings. Available settings are explained as follows: Item Description Hotline Check the box to enable it. Type in the SIP URL in the field for dialing automatically when you pick up the phone set. Session Timer Check the box to enable the function.
connecting call will be closed automatically. T.38 Fax Function Check the box to enable T.38 fax function. Error Correction Mode – choose a mode for error correction. DND (Do Not Disturb) mode Set a period of peace time without disturbing by VoIP phone call. During the period, the one who dial in will listen busy tone, yet the local user will not listen any ring tone.
Available settings are explained as follows: Item Description Region Select the proper region which you are located. The common settings of Caller ID Type, Dial tone, Ringing tone, Busy tone and Congestion tone will be shown automatically on the page. If you cannot find out a suitable one, please choose User Defined and fill out the corresponding values for dial tone, ringing tone, busy tone, congestion tone by yourself for VoIP phone.
Also, you can specify each field for your necessity. It is recommended for you to use the default settings for VoIP communication. Volume Gain Mic Gain (1-10)/Speaker Gain (1-10) - Adjust the volume of microphone and speaker by entering number from 1- 10. The larger of the number, the louder the volume is. MISC Dial Tone Power Level - This setting is used to adjust the loudness of the dial tone. The smaller the number is, the louder the dial tone is. It is recommended for you to use the default setting.
z OutBand - Choose this one then the Vigor will capture the keypad number you pressed and transform it to digital form then send to the other side; the receiver will generate the tone according to the digital form it receive. This function is very useful when the network traffic congestion occurs and it still can remain the accuracy of DTMF tone. z SIP INFO- Choose this one then the Vigor will capture the DTMF tone and transfer it into SIP form. Then it will be sent to the remote end with SIP message.
Port It shows current connection status for Phone(s) and ISDN ports. Status It shows the VoIP connection status. IDLE - Indicates that the VoIP function is idle. HANG_UP - Indicates that the connection is not established (busy tone). CONNECTING - Indicates that the user is calling out. WAIT_ANS - Indicates that a connection is launched and waiting for remote user’s answer. ALERTING - Indicates that a call is coming. ACTIVE-Indicates that the VoIP connection is launched.
3.13.2 General Settings This web page allows you to enable ISDN function. Available settings are explained as follows: Item Description ISDN Port Click Enable to open the ISDN port and Disable to close it. Country Code For proper operation on your local ISDN network, you should choose the correct country code. D-Channel Mode It allows you to configure ISDN layer2 protocol as: Point-to-Point - Configure ISDN port to use static TEI (Terminal Endpoint Identifier).
Router network provider should support MSN services. The router provides ten fields for MSN numbers. Note that MSN service must be acquired from your local telecom operators. By default, MSN function is disabled. If you leave the fields blank, all incoming calls will be accepted without number matching. 1-10 fields – Fill in the portion that is different with the own number. For example, the own number is 1234567 and MSN numbers are 1234550, 1234517 and 1234582 respectively.
dial-out function. Dialup 64Kbps allows you to use one ISDN B channel for Internet access. Dialup 128Kbps allows you to use both ISDN B channels for Internet access. Dialup BOD (for detailed information of configuration, please refer to section 3.13.4) stands for bandwidth-on-demand. The router will use only one B channel in low traffic situations. Once the single B channel bandwidth is fully used, the other B channel will be activated automatically through the dialup.
Available settings are explained as follows: Item Description Common Settings Enable Dual ISPs Function - Check to enable the Dual ISPs function. Require ISP Callback (CBCP) -If your ISP supports the callback function, check this box to activate the Callback Control Protocol during the PPP negotiation. PPP/MP Setup Link Type – There are three link types provided here for different purpose. Link Disable disables the ISDN dial-out function.
After entering the necessary settings and clicking OK, you will see Goto ISDN Diagnostic link appears on the bottom of the webpage. To have an ISDN connection, please click this link. Now, the system will guide you to click Dial ISDN. Wait for a moment after clicking the dial link. Then, a successful ISDN connection will be shown as the following.
3.13.4 Call Control Some applications require that the router (only for the ISDN models) be remotely activated, or be able to dial up to the ISP via the ISDN interface. Vigor routers provide this feature by allowing user to make a phone call to the router and then ask it to dial up to the ISP. Accordingly, a teleworker can access the remote network to retrieve resources.
PPP Authentication - It specifies the PPP authentication method for PPP/MP connections. Normally you can set it to PAP/CHAP for better compatibility. TCP Header Compression - VJ Compression: It is used for TCP/IP protocol header compression. Normally it is set to Yes to improve bandwidth utilization. Idle Timeout - Because our IDSN link type is Dial On Demand, the connection will be initiated only when needed. Bandwidth-On-Demand (BOD) Setup Bandwidth-On-Demand is for Multiple-Link PPP \(ML-PPP or MP).
The Vigor wireless routers are equipped with a wireless LAN interface compliant with the standard IEEE 802.11n draft 2 protocol. To boost its performance further, the Vigor Router is also loaded with advanced wireless technology to lift up data rate up to 300 Mbps*. Hence, you can finally smoothly enjoy stream music and video.
In WPA-Personal, a pre-defined key is used for encryption during data transmission. WPA applies Temporal Key Integrity Protocol (TKIP) for data encryption while WPA2 applies AES. The WPA-Enterprise combines not only encryption but also authentication. Since WEP has been proved vulnerable, you may consider using WPA for the most secure connection. You should select the appropriate security mechanism according to your needs.
Available settings are explained as follows: Item Description Enable Wireless LAN Check the box to enable wireless function. Mode At present, the router can connect to 11n Only, 11g Only, Mixed (11b+11g), Mixed (11a+11n), Mixed (11g+11n), and Mixed (11b+11g+11n) stations simultaneously. Simply choose Mixed (11b+11g+11n) mode. In which, 802.11b/g operates on 2.4G band, 802.11a operates on 5G band, and 802.11n operates on either 2.
or 5G band. Index(1-15) Set the wireless LAN to work at certain time interval only. You may choose up to 4 schedules out of the 15 schedules pre-defined in Applications >> Schedule setup. The default setting of this field is blank and the function will always work. Hide SSID Check it to prevent from wireless sniffing and make it harder for unauthorized clients or STAs to join your wireless LAN.
is active only when both sides of Access Point and Station (in wireless client) invoke this function at the same time. That is, the wireless client must support this feature and invoke the function, too. Note: Vigor N61 wireless adapter supports this function. Therefore, you can use and install it into your PC for matching with Packet-OVERDRIVE (refer to the following picture of Vigor N61 wireless utility window, choose Enable for TxBURST on the tab of Option).
3.14.3 Security This page allows you to set security with different modes for SSID 1, 2, 3 and 4 respectively. After configuring the correct settings, please click OK to save and invoke it. The default security mode is Mixed (WPA+WPA2)/PSK. Default Pre-Shared Key (PSK) is provided and stated on the label pasted on the bottom of the router. For the wireless client who wants to access into Internet through such router, please input the default PSK value for connection.
Mode There are several modes provided for you to choose. Note: You should also set RADIUS Server simultaneously if 802.1x mode is selected. Disable - Turn off the encryption mechanism. WEP-Accepts only WEP clients and the encryption key should be entered in WEP Key. WEP/802.1x Only - Accepts only WEP clients and the encryption key is obtained dynamically from RADIUS server with 802.1X protocol. WPA/802.
such as 0x4142434445.) 128-Bit - For 128 bits WEP key, either 13 ASCII characters, such as ABCDEFGHIJKLM (or 26 hexadecimal digits leading by 0x, such as 0x4142434445464748494A4B4C4D). All wireless devices must support the same WEP encryption bit size and have the same key. Four keys can be entered here, but only one key can be selected at a time. The keys can be entered in ASCII or Hexadecimal. Check the key you wish to use. 3.14.
(expressed by MAC addresses) listed in the box can be grouped under different wireless LAN. For example, they can be grouped under SSID 1 and SSID 2 at the same time if you check SSID 1 and SSID 2. MAC Address Filter Display all MAC addresses that are edited before. Client’s MAC Address Manually enter the MAC address of wireless client. Apply SSID After entering the client’s MAC address, check the box of the SSIDs desired to insert this MAC address into their access control list.
z On the side of Vigor 2850 series which served as an AP, press WPS button once on the front panel of the router or click Start PBC on web configuration interface. On the side of a station with network card installed, press Start PBC button of network card. z If you want to use PIN code, you have to know the PIN code specified in wireless client. Then provide the PIN code of the wireless client you wish to connect to the vigor router.
Below shows Wireless LAN>>WPS web page. Available settings are explained as follows: Item Description Enable WPS Check this box to enable WPS setting. WPS Status Display related system information for WPS. If the wireless security (encryption) function of the router is properly configured, you can see ‘Configured’ message here. SSID Display the SSID1 of the router. WPS is supported by SSID1 only. Authentication Mode Display current authentication mode of the router.
3.14.6 WDS WDS means Wireless Distribution System. It is a protocol for connecting two access points (AP) wirelessly. Usually, it can be used for the following application: y y Provide bridge traffic between two LANs through the air. Extend the coverage range of a WLAN. To meet the above requirement, two WDS modes are implemented in Vigor router. One is Bridge, the other is Repeater.
Bridge mode, packets received from a WDS link will only be forwarded to local wired or wireless hosts. In other words, only Repeater mode can do WDS-to-WDS packet forwarding. In the following examples, hosts connected to Bridge 1 or 3 can communicate with hosts connected to Bridge 2 through WDS links. However, hosts connected to Bridge 1 CANNOT communicate with hosts connected to Bridge 3 through Bridge 2. Click WDS from Wireless LAN menu. The following page will be shown.
Item Description Mode Choose the mode for WDS setting. Disable mode will not invoke any WDS setting. Bridge mode is designed to fulfill the first type of application. Repeater mode is for the second one. Security There are three types for security, Disable, WEP and Pre-shared key. The setting you choose here will make the following WEP or Pre-shared key field valid or not. Choose one of the types for the router. WEP Check this box to use the same key set in Security Settings page.
3.14.7 Advanced Setting This page allows users to set advanced settings such as operation mode, channel bandwidth, guard interval, and aggregation MSDU for wireless data transmission. Available settings are explained as follows: Item Description Operation Mode Mixed Mode – the router can transmit data with the ways supported in both 802.11a/b/g and 802.11n standards. However, the entire wireless transmission will be slowed down if 802.11g or 802.11b wireless client is connected.
3.14.8 WMM Configuration WMM is an abbreviation of Wi-Fi Multimedia. It defines the priority levels for four access categories derived from 802.1d (prioritization tabs). The categories are designed with specific types of traffic, voice, video, best effort and low priority data. There are four accessing categories - AC_BE , AC_BK, AC_VI and AC_VO for WMM. APSD (automatic power-save delivery) is an enhancement over the power-save mechanisms supported by Wi-Fi networks.
categories must be smaller; however, the difference between AC_BE and AC_BK categories must be greater. Txop It means transmission opportunity. For WMM categories of AC_VI and AC_VO that need higher priorities in data transmission, please set greater value for them to get highest transmission opportunity. Specify the value ranging from 0 to 65535. ACM It is an abbreviation of Admission control Mandatory. It can restrict stations from using specific category class if it is checked.
Available settings are explained as follows: Item Description Scan It is used to discover all the connected AP. The results will be shown on the box above this button. Statistics It displays the statistics for the channels used by APs. Add to If you want the found AP applying the WDS settings, please type in the AP’s MAC address on the bottom of the page and click Bridge or Repeater. Next, click Add to. Later, the MAC address of the AP will be added to Bridge or Repeater field of WDS settings page.
Available settings are explained as follows: Item Description Refresh Click this button to refresh the status of station list. Add Click this button to add current typed MAC address into Access Control. 3.14.11 Web Portal Log-in This page allows you to specify an URL for accessing into or display a message when a remote user connects to Internet through this router.
Available settings are explained as follows: Item Description Disable Click this button to close this function. Redirect to URL Any user who wants to access into Internet through this router will be redirected to the URL specified here first. It is a useful method for the purpose of advertisement. For example, force the wireless user(s) in hotel to access into the web page that the hotel wants the user(s) to visit. Show the message Type words or sentences here.
3.15.1 USB General Settings This page will determine the number of concurrent FTP connection, default charset for FTP server and enable Samba service. At present, the Vigor router can support USB storage disk with formats of FAT16 and FAT32 only. Therefore, before connecting the USB storage disk into the Vigor router, please make sure the memory format for the USB storage disk is FAT16 or FAT32. It is recommended for you to use FAT32 for viewing the filename completely (FAT16 cannot support long filename).
LAN And WAN - Both LAN and WAN users can access samba server of the router. NetBios Name Service For the NetBios service of USB storage disk, you have to specify a workgroup name and a host name. A workgroup name must not be the same as the host name. The workgroup name can have as many as 15 characters and the host name can have as many as 23 characters. Both them cannot contain any of the following--- ; : " < > * + = \ | ?. Workgroup Name – Type a name for the workgroup.
Click index number to access into configuration page. Available settings are explained as follows: Item Description FTP/Samba User Enable – Click this button to activate this profile (account) for FTP service or Samba User service. Later, the user can use the username specified in this page to login into FTP server. Disable – Click this button to disable such profile. Username Type the username for FTP/Samba users for accessing into FTP server (USB storage disk).
You can click to open the following dialog to add any new folder which can be specified as the Home Folder. Access Rule It determines the authority for such profile. Any user, who uses such profile for accessing into USB storage disk, must follow the rule specified here. File – Check the items (Read, Write and Delete) for such profile. Directory –Check the items (List, Create and Remove) for such profile.
3.15.3 File Explorer File Explorer offers an easy way for users to view and manage the content of USB storage disk connected on Vigor router. Available settings are explained as follows: Item Description Click this icon to refresh files list. Refresh Click this icon to return to the upper directory. Back Click this icon to add a new folder. Create Current Path Display current folder. Upload Click this button to upload the selected file to the USB storage disk.
Item Description Connection Status If there is no USB storage disk connected to Vigor router, “No Disk Connected” will be shown here. Disk Capacity It displays the total capacity of the USB storage disk. Free Capacity It displays the free space of the USB storage disk. Click Refresh at any time to get new status for free capacity. Index It displays the number of the client which connecting to FTP server. IP Address It displays the IP address of the user’s host which connecting to the FTP server.
Stop record when fulls – when the capacity of syslog is full, the system will stop recording. Always record the new event – only the newest events will be recorded by the system. Time Display the time of the event occurred. Message Display the information for each event. For USB Syslog This page displays the syslog recorded on the USB storage disk. Available settings are explained as follows: Item Description Time Display the time of the event occurred. Log Type Display the type of the record.
3.16 System Maintenance For the system setup, there are several items that you have to know the way of configuration: Status, Administrator Password, Configuration Backup, Syslog, Time setup, Reboot System, Firmware Upgrade. Below shows the menu items for System Maintenance. 3.16.1 System Status The System Status provides basic network settings of Vigor router. It includes LAN and WAN interface information.
LAN MAC Address - Display the MAC address of the LAN Interface. IP Address - Display the IP address of the LAN interface. Subnet Mask - Display the subnet mask address of the LAN interface. DHCP Server - Display the current status of DHCP server of the LAN interface DNS - Display the assigned IP address of the primary DNS. Wireless LAN MAC Address - Display the MAC address of the wireless LAN. Frequency Domain - It can be Europe (13 usable channels), USA (11 usable channels) etc.
Available settings are explained as follows: Item Description ACS Server On Choose the interface for the router connecting to ACS server. ACS Server URL/Username/Password – Such data must be typed according to the ACS (Auto Configuration Server) you want to link. Please refer to Auto Configuration Server user’s manual for detailed information. CPE Client Such information is useful for Auto Configuration Server. Enable/Disable – Allow/Deny the CPE Client to connect with Auto Configuration Server.
relational settings listed below: Server IP – Type the IP address of the STUN server. Server Port – Type the port number of the STUN server. Minimum Keep Alive Period – If STUN is enabled, the CPE must send binding request to the server for the purpose of maintaining the binding in the Gateway. Please type a number as the minimum period. The default setting is “60 seconds”.
3.16.4 User Password This page allows you to set new password for user operation. Available settings are explained as follows: Item Description Enable User Mode for simple web configuration After checking this box, you can access into the web configurator with the password typed here for simple web configuration. The settings on simple web configurator will be different with full web configurator accessed by using the administrator password. Password Type in new password in this field.
3.16.6 Configuration Backup Backup the Configuration Follow the steps below to backup your configuration. 1. Go to System Maintenance >> Configuration Backup. The following windows will be popped-up, as shown below. 2. Click Backup button to get into the following dialog. Click Save button to open another dialog for saving configuration as a file. 3. In Save As dialog, the default filename is config.cfg. You could give it another name by yourself.
4. Click Save button, the configuration will download automatically to your computer as a file named config.cfg. The above example is using Windows platform for demonstrating examples. The Mac or Linux platform will appear different windows, but the backup function is still available. Note: Backup for Certification must be done independently. The Configuration Backup does not include information of Certificate. Restore Configuration 1. Go to System Maintenance >> Configuration Backup.
3.16.7 Syslog/Mail Alert SysLog function is provided for users to monitor router. There is no bother to directly get into the Web Configurator of the router or borrow debug equipments. Available settings are explained as follows: Item Description SysLog Access Setup Enable - Check Enable to activate function of syslog. Syslog Save to – Check Syslog Server to save the log to Syslog server. Check USB Disk to save the log to the attached USB storage disk.
Syslog. AlertLog Setup Check “Enable” to activate function of alert log. AlertLog Port - Type the port number for alert log. The default setting is 514. Mail Alert Setup Check “Enable” to activate function of mail alert. Send a test e-mail - Make a simple test for the e-mail address specified in this page. Please assign the mail address first and click this button to execute a test for verify the mail address is available or not. SMTP Server - The IP address of the SMTP server.
301 Vigor2850 Series User’s Guide
3.16.8 Time and Date It allows you to specify where the time of the router should be inquired from. Available settings are explained as follows: Item Description Current System Time Click Inquire Time to get the current time. Use Browser Time Select this option to use the browser time from the remote administrator PC host as router’s system time. Use Internet Time Select to inquire time information from Time Server on the Internet using assigned protocol. Time Protocol Select a time protocol.
3.16.9 Management This page allows you to manage the settings for access control, access list, port setup, and SNMP setup. For example, as to management access control, the port number is used to send/receive SIP message for building a session. The management pages for IPv4 and IPv6 protocols are different. For IPv4 Available settings are explained as follows: Item Description Router Name Type in the router name provided by ISP.
Management Port Setup User Defined Ports - Check to specify user-defined port numbers for the Telnet, HTTP and FTP servers. Default Ports - Check to use standard port numbers for the Telnet and HTTP servers. Enable SNMP Agent - Check it to enable this function. Get Community - Set the name for getting community by typing a proper character. The default setting is public. Set Community - Set community by typing a proper name. The default setting is private.
login from a specific host or network defined in the list. A maximum of three IPs/subnet masks is allowed. IPv6 Address /Prefix Length- Indicate the IP address(es) allowed to login to the router. 3.16.10 Reboot System The Web Configurator may be used to restart your router. Click Reboot System from System Maintenance to open the following page. Index (1-15) in Schedule Setup - You can type in four sets of time schedule for performing system reboot.
3.16.11 Firmware Upgrade Before upgrading your router firmware, you need to install the Router Tools. The Firmware Upgrade Utility is included in the tools. The following web page will guide you to upgrade firmware by using an example. Note that this example is running over Windows OS (Operating System). Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.DrayTek.com (or local DrayTek's web site) and FTP site is ftp.DrayTek.com.
3.16.12 Activation There are three ways to activate WCF on vigor router, using Service Activation Wizard, by means of CSM>>Web Content Filter Profile or via System Maintenance>>Activation. After you have finished the setting profiles for WCF (refer to Web Content Filter Profile), it is the time to activate the mechanism for your computer. Click System Maintenance>>Activation to open the following page for accessing http://myvigor.draytek.com.
Below shows the successful activation of Web Content Filter: Vigor2850 Series User’s Guide 308
3.17 Diagnostics Diagnostic Tools provide a useful way to view or diagnose the status of your Vigor router. Below shows the menu items for Diagnostics. 3.17.1 Dial-out Triggering Click Diagnostics and click Dial-out Trigger to open the web page. The internet connection (e.g., PPPoE) is triggered by a package sending from the source IP address.
3.17.2 Routing Table Click Diagnostics and click Routing Table to open the web page. Available settings are explained as follows: Item Description Refresh Click it to reload the page. 3.17.3 ARP Cache Table Click Diagnostics and click ARP Cache Table to view the content of the ARP (Address Resolution Protocol) cache held in the router. The table shows a mapping between an Ethernet hardware address (MAC Address) and an IP address.
Available settings are explained as follows: Item Description Refresh Click it to reload the page. 3.17.4 IPv6 Neighbour Table The table shows a mapping between an Ethernet hardware address (MAC Address) and an IPv6 address. This information is helpful in diagnosing network problems, such as IP address conflicts, etc. Click Diagnostics and click IPv6 Neighbour Table to open the web page. Available settings are explained as follows: Item Description Refresh Click it to reload the page.
3.17.5 DHCP Table The facility provides information on IP address assignments. This information is helpful in diagnosing network problems, such as IP address conflicts, etc. Click Diagnostics and click DHCP Table to open the web page. Available settings are explained as follows: Item Description Index It displays the connection item number. IP Address It displays the IP address assigned by this router for specified PC.
3.17.6 NAT Sessions Table Click Diagnostics and click NAT Sessions Table to open the list page. Available settings are explained as follows: Item Description Private IP:Port It indicates the source IP address and port of local PC. #Pseudo Port It indicates the temporary port of the router used for NAT. Peer IP:Port It indicates the destination IP address and port of remote host. Interface It displays the representing number for different interface. Refresh Click it to reload the page.
3.17.7 Ping Diagnosis Click Diagnostics and click Ping Diagnosis to pen the web page. Available settings are explained as follows: Item Description IPV4 /IPV6 Choose the interface for such function. Ping through Use the drop down list to choose the WAN interface that you want to ping through or choose Unspecified to be determined by the router automatically.
want to ping. IP Address Type the IP address of the Host/IP that you want to ping. Ping IPv6 Address Type the IPv6 address that you want to ping. Run Click this button to start the ping work. The result will be displayed on the screen. Clear Click this link to remove the result on the window. 3.17.8 Data Flow Monitor This page displays the running procedure for the IP address monitored and refreshes the data in an interval of several seconds.
Available settings are explained as follows: Item Description Enable Data Flow Monitor Check this box to enable this function. Refresh Seconds Use the drop down list to choose the time interval of refreshing data flow that will be done by the system automatically. Refresh Click this link to refresh this page manually. Index Display the number of the data flow. IP Address Display the IP address of the monitored device. TX rate (kbps) Display the transmission speed of the monitored device.
3.17.9 Traffic Graph Click Diagnostics and click Traffic Graph to pen the web page. Choose WAN1/WAN2/WAN3 Bandwidth, Sessions, daily or weekly for viewing different traffic graph. Click Refresh to renew the graph at any time. The horizontal axis represents time. Yet the vertical axis has different meanings. For WAN1/WAN2/WAN3Bandwidth chart, the numbers displayed on vertical axis represent the numbers of the transmitted and received packets in the past.
3.17.10 Trace Route Click Diagnostics and click Trace Route to open the web page. This page allows you to trace the routes from router to the host. Simply type the IP address of the host in the box and click Run. The result of route trace will be shown on the screen.
it. Trace through Use the drop down list to choose the interface that you want to ping through. Protocol Use the drop down list to choose the protocol that you want to ping through. Host/IP Address It indicates the IP address of the host. Trace Host/IP Address It indicates the IPv6 address of the host. Run Click this button to start route tracing work. Clear Click this link to remove the result on the window.
3.17.11 Web Firewall Syslog Such page provides real-time syslog and displays the information on the screen. For Web Syslog This page displays the time and message for User/Firewall/call/WAN/VPN settings. You can check Enable Web Syslog, specify the type of Syslog and choose the display mode you want. Later, the event of Syslog with specified type will be shown for your reference.
For USB Syslog This page displays the syslog recorded on the USB storage disk. Available settings are explained as follows: Item Description Time Display the time of the event occurred. Log Type Display the type of the record. Message Display the information for each event. 3.17.12 TSPC Status IPv6 TSPC status web page could help you to diagnose the connection status of TSPC.
3.18 External Devices This page allows you to enable or disable the function of detecting external devices. Available settings are explained as follows: Item Description External Device Auto Discovery Check this box to detect the external device automatically and display on this page.
Application and Examples 4.1 How to configure settings for IPv6 Service in Vigor2850 Due to the shortage of IPv4 address, more and more countries use IPv6 to solve the problem. However, to continually use the original rich resources of IPv4, both IPv6 and IPv4 networks shall communicate for each other via intercommunication mechanism to complete the shifting job from IPv4 to IPv6 gradually.
Note: Only one WAN interface support IPv6 service at one time. In this example, WAN2 is chosen as the one supporting IPv6 service. 2. In the following figure, use the drop down list to choose a proper connection type. Different connection types will bring out different configuration page. Refer to the following: z PPP – Dual Stack application, IPv4 and IPv6 services can be utilized at the same time Choose PPP and type the information for PPPoE of IPv4.
Click OK and open Online Status. If the connection is successful, you will get the IP address for IPv4 and IPv6 at the same time.
z TSPC – Tunnel application, both IPv6 hosts communicate through IPv4 network Choose TSPC and type the information for TSPC service. Note: While using such mode, you have to make sure the IPv4 network connection is normal. (In the following figure, the TSPC information is obtained from http://gogo6.com/ after applied for the service.) Click OK and open Online Status.
z AICCU – Tunnel application Choose AICCU and type the information for AICCU of IPv6. Note: While using such mode, you have to make sure the IPv4 network connection is normal. (In the following figure, the AICCU information is obtained from https://www.sixxs.net/main/ after applied for the service.) Click OK and open Online Status.
z DHCPv6 Client Choose DHCPv6 Client. Click one of the identity associations and type the IAID number. Click OK and open Online Status.
z Static IPv6 Choose Static IPv6. Type IPv6 address, Prefix Length and Gateway Address. Click OK and open Online Status.
II. Configuring the LAN Settings After finished the WAN settings for IPv6, please configure the LAN settings to make the router’s client getting the IPv6 address. 1. Access into the web configurator of Viogr2850. Open LAN>> General Setup. Click the IPv6 button. Note: Only the subnet of LAN1 supports IPv6 feature. 2. In the field of RADVD Configuration, the default setting is Enable.
III. Confirming IPv6 Service Run Successfully 1. Make sure you have get the correct IPv6 IP address. Get into MS-DOS interface and type the command of “ipconfig”. Refer to the following figure. From the above figure we can see IPv6 IP address has been captured by the system. 2. Use the Ping command to ping any IPv6 address indicating an IPv6 website. For example, www.kame.net is a website supporting IPv4 IP and IPv6 IP services.
3. Connect to the website for IPv6. Open a web browser and type an URL of IPv6, e.g., www.kame.net. If your computer accesses into the website by using IPv6 address, you may see a turtle dancing on the screen. If not, only a steady turtle will be seen. If you can see a turtle dancing on the screen, that means IPv6 service is ready for you to access and utilize.
4.2 How can I get the files from USB storage device connecting to Vigor router? Files on USB storage device can be reviewed by opening USB Applicaiton>>File Explorer. If it is necessary for you to delete, copy files on the device or write, paste files to the devcie, it must be done through SAMBA server or FTP server. Samba service is based on the original USB FTP service. You will need to setup USB FTP first. We would like to give brief instructions on USB FTP setup here. 1.
4. Click OK to save the configuration. 5. Make sure the FTP service is running properly. Please open a browser and type ftp://192.168.1.1. Use the account "user1" to login.
6. When the following screen appears, it means the FTP service is running properly. 7. Return to USB Application >> USB Disk Status. The information for FTP server will be shown as below. Now, users in LAN of Vigor2710 can access into the USB storage device by typing ftp://192.168.1.1 on any browser. They can add or remove files / directories, depending on the Access Rule for FTP account settings in USB Application >>USB User Management.
4.3 Create a LAN-to-LAN Connection Between Remote Office and Headquarter The most common case is that you may want to connect to network securely, such as the remote branch office and headquarter. According to the network structure as shown in the below illustration, you may follow the steps to create a LAN-to-LAN profile. These two networks (LANs) should NOT have the same network address. Settings in Router A in headquarter: 1.
3. Go to LAN-to-LAN. Click on one index number to edit a profile. 4. Set Common Settings as shown below. You should enable both of VPN connections because any one of the parties may start the VPN connection.
5. Set Dial-Out Settings as shown below to dial to connect to Router B aggressively with the selected Dial-Out method. If an IPSec-based service is selected, you should further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-Out connection. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection.
6. Set Dial-In settings to as shown below to allow Router B dial-in to build VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection. Otherwise, it will apply the settings defined in IPSec General Setup above. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection.
7. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router A can direct the packets destined to the remote network to Router B via the VPN connection. Settings in Router B in the remote office: 1. Go to VPN and Remote Access and select Remote Access Control to enable the necessary VPN service and click OK. 2. Then, for using PPP based services, such as PPTP, L2TP, you have to set general settings in PPP General Setup.
3. Go to LAN-to-LAN. Click on one index number to edit a profile. 4. Set Common Settings as shown below. You should enable both of VPN connections because any one of the parties may start the VPN connection. 5. Set Dial-Out Settings as shown below to dial to connect to Router B aggressively with the selected Dial-Out method. If an IPSec-based service is selected, you should further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-Out connection.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection. 6. Set Dial-In settings to as shown below to allow Router A dial-in to build VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection. 7. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router B can direct the packets destined to the remote network to Router A via the VPN connection.
4.4 Create a Remote Dial-in User Connection Between the Teleworker and Headquarter The other common case is that you, as a teleworker, may want to connect to the enterprise network securely. According to the network structure as shown in the below illustration, you may follow the steps to create a Remote User Profile and install Smart VPN Client on the remote host. Settings in VPN Router in the enterprise office: 1.
3. Go to Remote Dial-In User. Click on one index number to edit a profile. 4. Set Dial-In settings to as shown below to allow the remote user dial-in to build VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection. Otherwise, it will apply the settings defined in IPSec General Setup above.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection. Settings in the remote host: 1. For Win98/ME, you may use "Dial-up Networking" to create the PPTP tunnel to Vigor router. For Win2000/XP, please use "Network and Dial-up connections" or “Smart VPN Client”, complimentary software to help you create PPTP, L2TP, and L2TP over IPSec tunnel. You can find it in CD-ROM in the package or go to www.DrayTek.
You may further specify the method you use to get IP, the security method, and authentication method. If the Pre-Shared Key is selected, it should be consistent with the one set in VPN router. If a PPP-based service is selected, you should further specify the remote VPN server IP address, Username, Password, and encryption method. The User Name and Password should be consistent with the one set up in the VPN router.
4. Click Connect button to build connection. When the connection is successful, you will find a green light on the right down corner. 4.5 QoS Setting Example Assume a teleworker sometimes works at home and takes care of children. When working time, he would use Vigor router at home to connect to the server in the headquarter office downtown via either HTTPS or VPN to check email and access internal database. Meanwhile, children may chat on Skype in the restroom. 1.
3. Set Inbound/Outbound bandwidth. Note: The rate of outbound/inbound must be smaller than the real bandwidth to ensure correct calculation of QoS. It is suggested to set the bandwidth value for inbound/outbound as 80% - 85% of physical network speed provided by ISP to maximize the QoS performance. 4. Return to previous page. Enter the Name of Index Class 1 by clicking Edit link. Type the name “E-mail” for Class 1.
5. For this index, the user will set reserved bandwidth (e.g., 25%) for E-mail using protocol POP3 and SMTP. 6. Return to previous page. Enter the Name of Index Class 2 by clicking Edit link. In this index, the user will set reserved bandwidth for HTTPS. And click OK. 7. Click Setup link for WAN2.
8. Check Enable UDP Bandwidth Control on the bottom to prevent enormous UDP traffic of influent other application. Click OK. 9. If the worker has connected to the headquarter using host to host VPN tunnel. (Please refer to Chapter 3 VPN for detail instruction), he may set up an index for it. Enter the Class Name of Index 3. In this index, he will set reserved bandwidth for 1 VPN tunnel. 10. Click Edit to open a new window.
11. Click Add to open the following window. Check the ACT box, first. 12. Then click Edit of Local Address to set a worker’s subnet address. Click Edit of Remote Address to set headquarter’s IP address. Leave other fields and click OK.
4.6 Upgrade Firmware for Your Router Using Firmware Upgrade Utility Before upgrading your router firmware, you need to install the Router Tools. The Firmware Upgrade Utility is included in the tools. 1. Go to www.DrayTek.com. 2. Access into Support >> Downloads. Please find out Firmware menu and click it. Search the model you have and click on it to download the newly update firmware for your router. 3. Access into Support >> Downloads. Please find out Utility menu and click it. 4.
5. Double click on the icon of router tool. The setup wizard will appear. 6. Follow the onscreen instructions to install the tool. Finally, click Finish to end the installation. 7. From the Start menu, open Programs and choose Router Tools XXX >> Firmware Upgrade Utility. 8. Type in your router IP, usually 192.168.1.1. 9. Click the button to the right side of Firmware file typing box. Locate the files that you download from the company web sites.
10. Click Send. 11. Now the firmware update is finished. Using Web Page The web page also can guide you to upgrade firmware. Note that this example is running over Windows OS (Operating System). 1. Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.DrayTek.com (or local DrayTek's web site) and FTP site is ftp.DrayTek.com. 2. Click System Maintenance>> Firmware Upgrade. 3. Select a firmware file by clicking Browse. 4.
4.7 Request a certificate from a CA server on Windows CA Server 1. Go to Certificate Management and choose Local Certificate.
2. You can click GENERATE button to start to edit a certificate request. Enter the information in the certificate request. 3. Copy and save the X509 Local Certificate Requet as a text file and save it for later use. 4. Connect to CA server via web browser. Follow the instruction to submit the request. Below we take a Windows 2000 CA server for example. Select Request a Certificate.
Select Advanced request. Select Submit a certificate request a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file Import the X509 Local Certificate Requet text file. Select Router (Offline request) or IPSec (Offline request) below. Then you have done the request and the server now issues you a certificate. Select Base 64 encoded certificate and Download CA certificate. Now you should get a certificate (.cer file) and save it.
5. Back to Vigor router, go to Local Certificate. Click IMPORT button and browse the file to import the certificate (.cer file) into Vigor router. When finished, click refresh and you will find the below window showing “------BEGINE CERTIFICATE------.....” 6. You may review the detail information of the certificate by clicking View button.
4.8 Request a CA Certificate and Set as Trusted on Windows CA Server 1. Use web browser connecting to the CA server that you would like to retrieve its CA certificate. Click Retrive the CA certificate or certificate recoring list.
2. In Choose file to download, click CA Certificate Current and Base 64 encoded, and Download CA certificate to save the .cer. file. 3. Back to Vigor router, go to Trusted CA Certificate. Click IMPORT button and browse the file to import the certificate (.cer file) into Vigor router. When finished, click refresh and you will find the below illustration. 4. You may review the detail information of the certificate by clicking View button.
4.9 Creating an Account for MyVigor The website of MyVigor (a server located on http://myvigor.draytek.com) provides several useful services (such as Anti-Spam, Web Content Filter, Anti-Intrusion, and etc.) to filtering the web pages for the sake of protecting your system. To access into MyVigor for getting more information, please create an account for MyVigor. 4.9.1 Creating an Account via Vigor Router 1. Click CSM>> Web Content Filter Profile. The following page will appear.
2. Click the Activate link. A login page for MyVigor web site will pop up automatically. 3. Click the link of Create an account now. 4. Check to confirm that you accept the Agreement and click Accept.
5. Type your personal information in this page and then click Continue. 6. Choose proper selection for your computer and click Continue.
7. Now you have created an account successfully. Click START. 8. Check to see the confirmation email with the title of New Account Confirmation Letter from myvigor.draytek.com. 9. Click the Activate my Account link to enable the account that you created. The following screen will be shown to verify the register process is finished. Please click Login.
10. When you see the following page, please type in the account and password (that you just created) in the fields of UserName and Password. 11. Now, click Login. Your account has been activated. You can access into MyVigor server to activate the service (e.g., WCF) that you want. 4.9.2 Creating an Account via MyVigor Web Site 1. Access into http://myvigor.draytek.com. Find the line of Not registered yet?. Then, click the link Click here! to access into next page.
2. Check to confirm that you accept the Agreement and click Accept. 3. Type your personal information in this page and then click Continue. 4. Choose proper selection for your computer and click Continue.
5. Now you have created an account successfully. Click START. 6. Check to see the confirmation email with the title of New Account Confirmation Letter from myvigor.draytek.com. 7. Click the Activate my Account link to enable the account that you created. The following screen will be shown to verify the register process is finished. Please click Login.
8. When you see the following page, please type in the account and password (that you just created) in the fields of UserName and Password. Then type the code in the box of Auth Code according to the value displayed on the right side of it. Now, click Login. Your account has been activated. You can access into MyVigor server to activate the service (e.g., WCF) that you want.
This page is left blank.
Trouble Shooting This section will guide you to solve abnormal situations if you cannot access into the Internet after installing the router and finishing the web configuration. Please follow sections below to check your basic installation status stage by stage. z Checking if the hardware status is OK or not. z Checking if the network connection settings on your computer are OK or not. z Pinging the router from your computer. z Checking if the ISP settings are OK or not.
5.2 Checking If the Network Connection Settings on Your Computer Is OK or Not Sometimes the link failure occurs due to the wrong network connection settings. After trying the above section, if the link is stilled failed, please do the steps listed below to make sure the network connection settings is OK. For Windows The example is based on Windows XP. As to the examples for other operation systems, please refer to the similar steps or find support notes in www.DrayTek.com. 1.
4. Select Obtain an IP address automatically and Obtain DNS server address automatically. For Mac OS 1. Double click on the current used Mac OS on the desktop. 2. Open the Application folder and get into Network. 3. On the Network screen, select Using DHCP from the drop down list of Configure IPv4.
5.3 Pinging the Router from Your Computer The default gateway IP address of the router is 192.168.1.1. For some reason, you might need to use “ping” command to check the link status of the router. The most important thing is that the computer will receive a reply from 192.168.1.1. If not, please check the IP address of your computer. We suggest you setting the network connection as get IP automatically. (Please refer to the section 6.2) Please follow the steps below to ping the router correctly.
5.4 Checking If the ISP Settings are OK or Not Open WAN >> Internet Access page and then check whether the ISP settings are set correctly. Click Details Page of WAN1/WAN2 to review the settings that you configured previously. 5.5 Problems for 3G Network Connection When you have trouble in using 3G network transmission, please check the following: Check if USB LED lights on or off You have to wait about 15 seconds after inserting 3G USB Modem into your Vigor2850.
Transmission Rate is not fast enough Please connect your Notebook with 3G USB Modem to test the connection speed to verify if the problem is caused by Vigor2850. In addition, please refer to the manual of 3G USB Modem for LED Status to make sure if the modem connects to Internet via HSDPA mode. If you want to use the modem indoors, please put it on the place near the window to obtain better signal receiving. 5.
Hardware Reset While the router is running (ACT LED blinking), press the Factory Reset button and hold for more than 5 seconds. When you see the ACT LED blinks rapidly, please release the button. Then, the router will restart with the default configuration. After restore the factory default setting, you can configure the settings for the router again to fit your personal request. 5.
