ii Vigor2910 Series User’s Guide
Vigor2910 Dual-WAN Security Router User’s Guide Version: 4.0 Firmware Version: V3.2.4 Date: 11/05/2010 Copyright 2010 All rights reserved. This publication contains information that is protected by copyright. No part may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders. The scope of delivery and other details are subject to change without prior notice.
Copyright Information Copyright Declarations Copyright 2010 All rights reserved. This publication contains information that is protected by copyright. No part may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders. Trademarks The following trademarks are used in this document: z Microsoft is a registered trademark of Microsoft Corp.
European Community Declarations Manufacturer: Address: Product: DrayTek Corp. No. 26, Fu Shing Road, HuKou Township, HsinChu Industrial Park, Hsin-Chu, Taiwan 303 Vigor2910 Series Routers DrayTek Corp. declares that Vigor2910 series of routers are in compliance with the following essential requirements and other relevant provisions of R&TTE Directive 1999/5/EEC.
vi Vigor2910 Series User’s Guide
Table of Contents 1 Preface ...............................................................................................................1 1.1 Web Configuration Buttons Explanation ................................................................................. 1 1.2 LED Indicators and Connectors .............................................................................................. 1 1.2.1 For Vigor2910 ............................................................................................
3.3.2 DMZ Host........................................................................................................................ 55 3.3.3 Open Ports...................................................................................................................... 58 3.3.4 Address Mapping............................................................................................................ 59 3.4 Objects and Groups ................................................................................
3.12 ISDN.................................................................................................................................. 162 3.12.1 General Setup............................................................................................................. 163 3.12.2 Dialing to a Single ISP ................................................................................................ 164 3.12.3 Dialing to Dual ISPs...........................................................................
4.2 Create a Remote Dial-in User Connection Between the Teleworker and Headquarter...... 224 4.3 QoS Setting Example.......................................................................................................... 228 4.4 LAN – Created by Using NAT ............................................................................................. 232 4.5 Calling Scenario for VoIP function ...................................................................................... 234 4.5.
1 Preface The Vigor2910 series router provides Dual-WAN interface (which is a configuration second WAN) for Internet access to make the Internet connection more reliable. The wireless LAN supports more secure features and the transmission speed is up to 108Mbps (SuperGTM). Object-oriented firewall is flexible and allows your network be safe. In addition, through VoIP function, the communication fee for you and remote people can be reduced. 1.
1.2.1 For Vigor2910 LED Explanation LED Status Explanation ACT (Activity) Blinking The router is powered on and running properly. Off DMZ QoS On On The router is powered off. DMZ Host is specified in certain site. The QoS function is active. Attack Off On Blinking The QoS function is inactive. DoS Defense function is active. An attack is detected. VPN On The VPN tunnel is launched. USB * WAN(W1-W2) On Orange Green Blinking Orange The USB interface printer or 3G USB modem is ready.
1.2.2 For Vigor2910G LED Explanation LED Status Explanation ACT (Activity) Blinking Off On On Off On Blinking On Blinking Off On Orange Green Blinking Orange The router is powered on and running properly. The router is powered off. DMZ Host is specified in certain site. The QoS function is active. The QoS function is inactive. DoS Defense function is active. An attack is detected. Wireless access point is ready. Wireless traffic goes through. Wireless access point is turned off.
1.2.3 For Vigor2910i LED Explanation LED Status Explanation ACT (Activity) Blinking The router is powered on and running properly. Off The router is powered off. On The ISDN network is correctly setup. Blinking A successful connection on the ISDN BRI B1/B2 channel. On Off On Blinking On The QoS function is active. The QoS function is inactive. DoS Defense function is active. An attack is detected. The VPN tunnel is launched.
1.2.4 For Vigor2910V LED Explanation LED Status Explanation ACT (Activity) Blinking Off On On The router is powered on and running properly. The router is powered off. DMZ Host is specified in certain site. The phone is off hook (the handset of phone is hanging). DMZ FXS1/FXS2 Blinking A phone call is incoming or on-line. VPN On The VPN tunnel is launched. USB * WAN(W1-W2) On Orange The USB interface printer or 3G USB modem is ready. Green A normal 100Mbps WAN link is ready.
1.2.5 For Vigor2910VG LED Explanation LED Status Explanation ACT (Activity) Blinking Off On On Blinking On Blinking Off On Orange Green Blinking Orange The router is powered on and running properly. The router is powered off. DMZ Host is specified in certain site. The phone is off hook (the handset of phone is hanging). A phone call is incoming or on-line. Wireless access point is ready. Wireless traffic goes through. Wireless access point is turned off.
1.2.6 For Vigor2910VGi LED Explanation LED ACT (Activity) ISDN FXS1/FXS2 WLAN USB * WAN(W1-W2) LAN (P1, P2, P3, P4) Status Explanation Blinking Off On The router is powered on and running properly. The router is powered off. The ISDN network is correctly setup. Blinking On Blinking On Blinking Off On Orange Green Blinking Orange A successful connection on the ISDN BRI B1/B2 channel. The phone is off hook (the handset of phone is hanging). A phone call is incoming or on-line.
1.3 Hardware Installation Before starting to configure the router, you have to connect your devices correctly. 1. Connect this device to a router/modem with an Ethernet cable. 2. Connect one port of 4-port switch to your computer with a RJ-45 cable. This device allows you to connect 4 PCs directly. 3. Connect one end of the power cord to the power port of this device. Connect the other end to the wall outlet of electricity. 4. Connect the telephone sets with phone lines (for using VoIP function).
1.4 Printer Installation You can install a printer onto the router for sharing printing. All the PCs connected this router can print documents via the router. The example provided here is made based on Windows XP/2000. For Windows 98/SE, please visit www.draytek.com. Before using it, please follow the steps below to configure settings for connected computers (or wireless clients). 1. Connect the printer with the router through USB/parallel port. 2. Open Start->Settings-> Printer and Faxes.
3. Open File->Add a New Computer. A welcome dialog will appear. Please click Next. 4. Click Local printer attached to this computer and click Next. 5. In this dialog, choose Create a new port Type of port and use the drop down list to select Standard TCP/IP Port. Click Next.
6. In the following dialog, type 192.168.1.1 (router’s LAN IP) in the field of Printer Name or IP Address and type IP_192.168.1.1 as the port name. Then, click Next. 7. Click Standard and choose Generic Network Card. 8. Then, in the following dialog, click Finish.
9. Now, your system will ask you to choose right name of the printer that you installed onto the router. Such step can make correct driver loaded onto your PC. When you finish the selection, click Next. 10. For the final stage, you need to go back to Control Panel-> Printers and edit the property of the new printer you have added. 11. Select "LPR" on Protocol, type p1 (number 1) as Queue Name. Then click OK. Next please refer to the red rectangle for choosing the correct protocol and UPR name.
Note 1: Some printers with the fax/scanning or other additional functions are not supported. If you do not know whether your printer is supported or not, please visit www.draytek.com to find out the printer list. Open Support >FAQ; find out the link of Printer Server and click it; then click the What types of printers are compatible with Vigor router? link. Note 2: Vigor router supports printing request from computers via LAN ports but not WAN port.
This page is left blank.
2 Configuring Basic Settings For use the router properly, it is necessary for you to change the password of web configuration for security and adjust primary basic settings. This chapter explains how to setup a password for an administrator and how to adjust basic settings for accessing Internet successfully. Be aware that only the administrator can change the router configuration. 2.
3. Now, the Main Screen will pop up. Notice that the main screen differs according to the model of the router that you have. Below is an example. 4. Go to System Maintenance page and choose Administrator Password. 5. Enter the login password (the default is blank) on the field of Old Password. Type a new one in the field of New Password and retype it on the field of Retype New Password. Then click OK to continue. 6. Now, the password has been changed.
2.2 Quick Start Wizard If your router can be under an environment with high speed NAT, the configuration provide here can help you to deploy and use the router quickly. The first screen of Quick Start Wizard is entering login password. After typing the password, please click Next. On the next page as shown below, please select the WAN interface that you use. Choose Auto negotiation as the physical type for your router. Then click Next for next step.
On the next page as shown below, please select the appropriate Internet access type according to the information from your ISP. For example, you should select PPPoE mode if the ISP provides you PPPoE interface. Then click Next for next step. In the Quick Start Wizard, you can configure the router to access the Internet with different protocol/modes such as PPPoE, PPTP, L2TP, Static IP or DHCP. The router supports the DSL WAN interface for Internet access. 2.2.
User Name Assign a specific valid user name provided by the ISP. Password Assign a valid password provided by the ISP. Confirm Password Retype the password for confirmation. Click Next for viewing summary of such connection. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
2.2.2 PPTP Click PPTP as the protocol. Type in all the information that your ISP provides for this protocol. Click Next for viewing summary of such connection. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
2.2.3 Static IP Click Static IP as the protocol. Type in all the information that your ISP provides for this protocol. After finishing the settings in this page, click Next to see the following page. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
2.2.4 L2TP Click L2TP as the protocol. Type in all the information that your ISP provides for this protocol. After finishing the settings in this page, click Next to see the following page. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
2.2.5 DHCP Click DHCP as the protocol. Type in all the information that your ISP provides for this protocol. After finishing the settings in this page, click Next to see the following page. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
2.3 Online Status The online status shows the system status, WAN status, ADSL Information and other status related to this router within one page. If you select PPPoE as the protocol, you will find out a button of Dial PPPoE or Dial PPPoE in the Online Status web page.
Online status for DHCP Detailed explanation is shown below: Primary DNS Displays the IP address of the primary DNS. Secondary DNS Displays the IP address of the secondary DNS. LAN Status IP Address Displays the IP address of the LAN interface. TX Packets Displays the total transmitted packets at the LAN interface. RX Packets Displays the total number of received packets at the LAN interface. WAN1/2 Status Line Displays the physical connection (Ethernet) of this interface.
2.4 Saving Configuration Each time you click OK on the web page for saving the configuration, you can find messages showing the system interaction with you. Ready indicates the system is ready for you to input settings. Settings Saved means your settings are saved once you click Finish or OK button.
3 Advanced Web Configuration After finished basic configuration of the router, you can access Internet with ease. For the people who want to adjust more setting for suiting his/her request, please refer to this chapter for getting detailed information about the advanced configuration of this router. As for other examples of application, please refer to chapter 4. 3.1 WAN Quick Start Wizard offers user an easy method to quick setup the connection mode for the router.
3.1.2 Network Connection by 3G USB Modem For 3G mobile communication through Access Point is popular more and more, Vigor 2910 adds the function of 3G network connection for such purpose. By connecting 3G USB Modem to the USB port of Vigor2910, it can support HSDPA/UMTS/EDGE/GPRS/GSM and the future 3G standard (HSUPA, etc). Vigor2910 with 3G USB Modem allows you to receive 3G signals at any place such as your car or certain location holding outdoor activity and share the bandwidth for using by more people.
Enable Choose Yes to invoke the settings for this WAN interface. Choose No to disable the settings for this WAN interface. Display Name Type the description for the WAN1/WAN2 interface. Physical Mode For WAN1, the physical connection is done and fixed through Ethernet port; yet the physical connection for WAN2 is done through an Ethernet port (P1) or USB port. You cannot change it. To use 3G network connection through 3G USB Modem, choose 3G USB Modem as the physical mode in WAN2.
Load Balance Mode If you know the practical bandwidth for your WAN interface, please choose the setting of According to Line Speed. Otherwise, please choose Auto Weigh to let the router reach the best load balance. Line Speed If your choose According to Line Speed as the Load Balance Mode, please type the line speed for downloading and uploading through WAN1/WAN2. The unit is kbps.
3.1.4 Internet Access For the router supports dual WAN function, the users can set different WAN settings (for WAN1/WAN2) for Internet Access. Due to different Physical Mode for WAN1 and WAN2, the Access Mode for these two connections also varies slightly. Index It shows the WAN modes that this router supports. WAN1 is the default WAN interface for accessing into the Internet. WAN2 is the optional WAN interface for accessing into the Internet when WAN 1 is inactive for some reason.
Details Page for PPPoE To use PPPoE as the accessing protocol of the internet, please choose Internet Access from WAN menu. Then, select PPPoE mode for WAN2. The following web page will be shown. PPPoE Client Mode Click Enable for activating this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid.
None - Disable the backup function. Packet Trigger -The backup line is not on until a packet from a local host triggers the router to establish a connection. WAN Connection Detection Such function allows you to verify whether network connection is alive or not through ARP Detect or Ping Detect. Mode – Choose ARP Detect or Ping Detect for the system to execute for WAN detection. Ping IP – If you choose Ping Detect as detection mode, you have to type IP address in this field for pinging.
address in the box of Fixed IP Address. Default MAC Address – You can use Default MAC Address or specify another MAC address by typing on the boxes of MAC Address for the router. Specify a MAC Address – Type the MAC address for the router manually. After finishing all the settings here, please click OK to activate them.
Due to the absence of the ISDN interface in some models, the ISDN dial backup feature and its associated setup options are not available to them. Please refer to the previous part for further information. None - Disable the backup function. Packet Trigger -The backup line is not on until a packet from a local host triggers the router to establish a connection.
Obtain an IP address automatically – Click this button to obtain the IP address automatically if you want to use Dynamic IP mode. Router Name: Type in the router name provided by ISP. Domain Name: Type in the domain name that you have assigned. Specify an IP address – Click this radio button to specify some data if you want to use Static IP mode. IP Address: Type the IP address. Subnet Mask: Type the subnet mask. Gateway IP Address: Type the gateway IP address.
Details Page for PPTP/L2TP To use PPTP as the accessing protocol of the internet, please choose Internet Access from WAN menu. Then, select PPTP mode for WAN2. The following web page will be shown. PPTP/L2TP Client Mode Enable PPTP- Click this radio button to enable a PPTP client to establish a tunnel to a DSL modem on the WAN interface. Enable L2TP - Click this radio button to enable a L2TP client to establish a tunnel to a DSL modem on the WAN interface.
information. None - Disable the backup function. Packet Trigger -The backup line is not on until a packet from a local host triggers the router to establish a connection. MTU It means Max Transmit Unit for packet. The default setting is 1442. PPP Setup PPP Authentication - Select PAP only or PAP or CHAP for PPP. Idle Timeout - Set the timeout for breaking down the Internet after passing through the time without any action.
WAN IP Network Settings Obtain an IP address automatically – Click this button to obtain the IP address automatically. Specify an IP address – Click this radio button to specify some data. IP Address – Type the IP address. Subnet Mask – Type the subnet mask. Details Page for PPP To use PPP (for 3G USB Modem) as the accessing protocol of the internet, please choose Internet Access from WAN menu. Then, select PPP mode for WAN2. The following web page will be shown.
3.1.5 Load-Balance Policy This router supports the function of load balancing. It can assign traffic with protocol type, IP address for specific host, a subnet of hosts, and port range to be allocated in WAN1 or WAN2 interface. The user can assign traffic category and force it to go to dedicate network interface based on the following web page setup. Twenty policies of load-balance are supported by this router. Note: Load-Balance Policy is running only when both WAN1 and WAN2 are activated.
Enable Check this box to enable this policy. Protocol Use the drop-down menu to choose a proper protocol for the WAN interface. Binding WAN interface Choose the WAN interface (WAN1 or WAN2) for binding. Src IP Start Type the source IP start for the specified WAN interface. Src IP End Type the source IP end for the specified WAN interface. If this field is blank, it means that all the source IPs inside the LAN will be passed through the WAN interface.
3.2 LAN Local Area Network (LAN) is a group of subnets regulated and ruled by router. The design of network structure is related to what type of public IP addresses coming from your ISP. 3.2.1 Basics of LAN The most generic function of Vigor router is NAT. It creates a private subnet of your own. As mentioned previously, the router will talk to other public hosts on the Internet by using public IP address and talking to local hosts by using its private IP address.
What is Routing Information Protocol (RIP) Vigor router will exchange routing information with neighboring routers using the RIP to accomplish IP routing. This allows users to change the information of the router such as IP address and the routers will automatically inform for each other. What is Static Route When you have several subnets in your LAN, sometimes a more effective and quicker way for connection is the Static routes function rather than other method.
3.2.2 General Setup This page provides you the general settings for LAN. Click LAN to open the LAN settings page and choose General Setup. 1st IP Address Type in private IP address for connecting to a local private network (Default: 192.168.1.1). 1st Subnet Mask Type in an address code that determines the size of the network. (Default: 255.255.255.0/ 24) For IP Routing Usage Click Enable to invoke this function. The default setting is Disable.
Start IP Address: Enter a value of the IP address pool for the DHCP server to start with when issuing IP addresses. If the 2nd IP address of your router is 220.135.240.1, the starting IP address must be 220.135.240.2 or greater, but smaller than 220.135.240.254. IP Pool Counts: Enter the number of IP addresses in the pool. The maximum is 10. For example, if you type 3 and the 2nd IP address of your router is 220.135.240.1, the range of IP address by the DHCP server will be from 220.135.240.2 to 220.135.240.
of the router, which means the router is the default gateway. DHCP Server IP Address for Relay Agent - Set the IP address of the DHCP server you are going to use so the Relay Agent can help to forward the DHCP request to the DHCP server. DNS Server Configuration DNS stands for Domain Name System. Every Internet host must have a unique IP address, also they may have a human-friendly, easy to remember name such as www.yahoo.com. The DNS server converts the user-friendly name into its equivalent IP address.
Index The number (1 to 10) under Index allows you to open next page to set up static route. Destination Address Displays the destination address of the static route. Status Displays the status of the static route. Viewing Routing Table Displays the routing table for your reference. Add Static Routes to Private and Public Networks Here is an example of setting Static Route in Main Router so that user A and B locating in different subnet can talk to each other via the router.
Note: There are two reasons that we have to apply RIP Protocol Control on 1st Subnet. The first is that the LAN interface can exchange RIP packets with the neighboring routers via the 1st subnet (192.168.1.0/24). The second is that those hosts on the internal private subnets (ex. 192.168.10.0/24) can access the Internet via the router, and continuously exchange of IP routing information with different subnets. 2. Click the LAN - Static Route and click on the Index Number 1. Check the Enable box.
3.2.4 Bind IP to MAC This function is used to bind the IP and MAC address in LAN to have a strengthen control in network. When this function is enabled, all the assigned IP and MAC address binding together cannot be changed. If you modified the binding IP or MAC address, it might cause you not access into the Internet. Click LAN and click Bind IP to MAC to open the setup page. Enable Click this radio button to invoke this function.
Add It allows you to add the one you choose from the ARP table or the IP/MAC address typed in Add and Edit to the table of IP Bind List. Edit It allows you to edit and modify the selected IP address and MAC address that you create before. Delete You can remove any item listed in IP Bind List. Simply click and select the one, and click Delete. The selected item will be removed from the IP Bind List. Note: Before you select Strict Bind, you have to bind one set of IP/MAC address for one PC.
Share vpn remote dial in profile – you can share the account set in remote VPN dial-in profiles. Click this button and press Account Setting link to choose one of the accounts (total 32 profiles) for applying to the web authentication. Timeout Setting Users might have to re-login after passing the timeout setting specified here. When you enable the timeout setting, please specify the conditions for logout. Click Disable to disable the timeout feature.
3.3 NAT Usually, the router serves as an NAT (Network Address Translation) router. NAT is a mechanism that one or more private IP addresses can be mapped into a single public one. Public IP address is usually assigned by your ISP, for which you may get charged. Private IP addresses are recognized only among internal hosts.
The port redirection can only apply to incoming traffic. To use this function, please go to NAT page and choose Port Redirection web page. The Port Redirection Table provides 20 port-mapping entries for the internal hosts. Press any number under Index to access into next page for configuring port redirection.
Mode Two options are provided here for you to choose. To set a range for the specific service, select Range. Service Name Enter the description of the specific network service. Protocol Select the transport layer protocol (TCP or UDP). Public Port Specify which port can be redirected to the specified Private IP and Port of the internal host. If you choose Range as the port redirection mode, you will see two boxes on this field. Simply type the required number on the first box.
3.3.2 DMZ Host As mentioned above, Port Redirection can redirect incoming TCP/UDP or other traffic on particular ports to the specific private IP address/port of host in the LAN. However, other IP protocols, for example Protocols 50 (ESP) and 51 (AH), do not travel on a fixed port. Vigor router provides a facility DMZ Host that maps ALL unsolicited data on any protocol to a single host in the LAN.
The inherent security properties of NAT are somewhat bypassed if you set up DMZ host. We suggest you to add additional filter rules or a secondary firewall. Click DMZ Host to open the following page: WAN1 This page allows you to set Private IP or Active True IP as the DMZ host. Private IP If you choose Private IP as the selection for DMZ host, please type in private IP or select any one by clicking the Choose PC button.
Private IP Enter the private IP address of the DMZ host, or click Choose PC to select one. Choose PC Click this button and then a window will automatically pop up, as depicted below. The window consists of a list of private IP addresses of all hosts in your LAN network. Select one private IP address in the list to be the DMZ host. When you have selected one private IP from the above dialog, the IP address will be shown on the following screen. Click OK to save the setting.
3.3.3 Open Ports Open Ports allows you to open a range of ports for the traffic of special applications. Common application of Open Ports includes P2P application (e.g., BT, KaZaA, Gnutella, WinMX, eMule and others), Internet Camera etc. Ensure that you keep the application involved up-to-date to avoid falling victim to any security exploits. Click Open Ports to open the following page: Index Indicate the relative number for the particular entry that you want to offer service in a local host.
To add or edit port settings, click one index number on the page. The index entry setup page will pop up. In each index entry, you can specify 10 port ranges for diverse services. Enable Open Ports Check to enable this entry. Comment Make a name for the defined network application/service. WAN Interface Specify the WAN interface that will be used for this entry. WAN IP Choose one of the WAN IPs from this drop-down list.
to Internet. You can use address mapping function to achieve this demand. Simply type 192.168.1.10 as the Private IP; and type 86.123.123.2 as the WAN IP. Protocol Display the protocol used for this address mapping. Public IP Display the public IP address selected for this entry, e.g., 172.16.3.102. Private IP Display the private IP set for this address mapping, e.g., 192.168.1.10 Mask Display the subnet mask selected for this address mapping.
IP to connect to Internet. If you want to choose any one of the Public IP settings, you must specify some IP addresses in the IP Alias List of the Static/DHCP Configuration page first. If you did not type in any IP address in the IP Alias List, the Public IP setting will be empty in this field. When you click Apply, a message will appear to inform you. Private IP Assign an IP address (e.g., 192.168.1.10) or a subnet to be compared with the Public IP address for incoming packets.
Name Type a name for this profile. Maximum 15 characters are allowed. Interface Choose a proper interface (WAN, LAN or Any). For example, the Direction setting in Edit Filter Rule will ask you specify IP or IP range for WAN or LAN or any IP address. If you choose LAN as the Interface here, and choose LAN as the direction setting in Edit Filter Rule, then all the IP addresses specified with LAN interface will be opened for you to choose in Edit Filter Rule page.
3.4.2 IP Group This page allows you to bind several IP objects into one IP group. Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail. Name Type a name for this profile. Maximum 15 characters are allowed. Interface Choose WAN, LAN or Any to display all the available IP objects with the specified interface. Available IP Objects All the available IP objects with the specified interface chosen above will be shown in this box.
3.4.3 Service Type Object You can set up to 96 sets of Service Type Objects with different conditions. Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail. Name Type a name for this profile. Protocol Specify the protocol(s) which this profile will apply to. Source/Destination Port Source Port and the Destination Port column are available for TCP/UDP protocol. It can be ignored for other protocols. The filter rule will filter out any port number.
(!=) – when the first and last value are the same, it indicates all the ports except the port defined here; when the first and last values are different, it indicates that all the ports except the range defined here are available for this service type. (>) – the port number greater than this value is available. (<) – the port number less than this value is available for this profile. Below is an example of service type objects settings. 3.4.
Name Type a name for this profile. Available Service Type Objects You can add IP objects from IP Objects page. All the available IP objects will be shown in this box. Selected Service Type Objects Click >> button to add the selected IP objects in this box. 3.4.5 IM Object You can define policy profiles for IM (Instant Messenger) application. The object profile(s) configured here will be seen and adopted in CSM>>IM/P2P Filter Profile page. Set to Factory Default Clear all profiles.
Profile Name Type a name for the CSM profile. Check for Disallow Check the items that disallow to use. Any device that uses such profile might not be allowed to access into the forbidden items. 3.4.6 P2P Object You can define policy profiles for P2P (Point-to-Point) application. The object profile(s) configured here will be seen and adopted in CSM>>IM/P2P Filter Profile page. Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail.
Profile Name Type a name for the CSM profile. Check for Disallow Check the items that disallow to use. Any device that uses such profile might not be allowed to access into the forbidden items. In the above figure, BitTorrent protocol is disallowed if you apply such object profile as filtering rule (setting in Firewall). 3.4.7 Misc Object You can define policy profiles for Misc application. The object profile(s) configured here will be seen and adopted in CSM>>IM/P2P Filter Profile page.
Profile Name Type a name for the CSM profile. Check for Disallow Check the items that disallow to use. Any device that uses such profile might not be allowed to access into the forbidden items. 3.5 CSM Content Security Management (CSM) CSM is an abbreviation of Content Security Management which is used to control IM/P2P usage, filter the web content and URL content to reach a goal of security management.
For example, an ActiveX control object is usually used for providing interactive web feature. If malicious code hides inside, it may occupy user’s system. Web Content Filter We all know that the content on the Internet just like other types of media may be inappropriate sometimes. As a responsible parent or employer, you should protect those in your trust against the hazards.
Profile Name Type a name for the CSM profile. Each profile can contain three objects settings, IM Object, P2P Object and Misc Object. Such profile can be applied in the Firewall>>General Setup and Firewall>>Filter Setup pages as the standard for the host(s) to follow. 3.5.
Enable URL Access Control Check the box to activate URL Access Control. Black List (block those Click this button to restrict accessing into the corresponding webpage with the keywords listed on the box below. matching keyword) White List (pass those Click this button to allow accessing into the corresponding webpage with the keywords listed on the box below. matching keyword) Keyword The Vigor router provides 8 frames for users to define keywords and each frame supports multiple keywords.
You must clear your browser cache first so that the URL content filtering facility operates properly on a web page that you visited before. Enable Restrict Web Feature Check the box to activate the function. Java - Check the checkbox to activate the Block Java object function. The Vigor router will discard the Java objects from the Internet. ActiveX - Check the box to activate the Block ActiveX object function. Any ActiveX object from the Internet will be refused.
3.5.3 Web Content Filter Profile We all know that the content on the Internet just like other types of media may be inappropriate sometimes. As a responsible parent or employer, you should protect those in your trust against the hazards. With Web filtering service of the Vigor router, you can protect your business from common primary threats, such as productivity, legal liability, network and security threats. For parents, you can protect your children from viewing adult websites or chat rooms.
3.6 Firewall 3.6.1 Basics for Firewall While the broadband users demand more bandwidth for multimedia, interactive applications, or distance learning, security has been always the most concerned. The firewall of the Vigor router helps to protect your local network against attack from unauthorized outsiders. It also restricts users in the local network from accessing the Internet. Furthermore, it can filter out specific packets that trigger the router to build an unwanted outgoing connection.
IP Filters Depending on whether there is an existing Internet connection, or in other words “the WAN link status is up or down”, the IP filter architecture categorizes traffic into two: Call Filter and Data Filter. z Call Filter - When there is no existing Internet connection, Call Filter is applied to all traffic, all of which should be outgoing. It will check packets according to the filter rules. If legal, the packet will pass.
Denial of Service (DoS) Defense The DoS Defense functionality helps you to detect and mitigate the DoS attack. The attacks are usually categorized into two types, the flooding-type attacks and the vulnerability attacks. The flooding-type attacks will attempt to exhaust all your system's resource while the vulnerability attacks will try to paralyze the system by offending the vulnerabilities of the protocol or operation system.
Call Filter Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter. Data Filter Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter. Filter Default rule is applied in this page. Pass – All the packets are allowed to pass through the router without considering settings configured in Firewall>>Filter Setup.
3.6.3 Filter Setup Click Firewall and click Filter Setup to open the setup page. To edit or add a filter, click on the set number to edit the individual set. The following page will be shown. Each filter set contains up to 7 rules. Click on the rule number button to edit each rule. Check Active to enable the rule. Filter Rule Click a button numbered (1 ~ 7) to edit the filter rule. Click the button will open Edit Filter Rule web page. For the detailed information, refer to the following page.
Check to enable the Filter Rule Check this box to enable the filter rule. Comments Enter filter set comments/description. Maximum length is 14character long. Index (1-15) Set the PCs on LAN to work at certain time interval only. You may choose up to 4 schedules out of the 15 schedules pre-defined in Applications >> Schedule setup. The default setting of this filed is blank and the function will always work. Direction Set the direction of packet flow (LAN->WAN/WAN->LAN). It is for Data Filter only.
Address/Range Address/Subnet Address as the Address Type and type them in this dialog. In addition, if you want to use the IP range from defined groups or objects, please choose Group and Objects as the Address Type. From the IP Group drop down list, choose the one that you want to apply. Or use the IP Object drop down list to choose the object that you want. Service Type Click Edit to access into the following dialog to choose a suitable service type.
Service Group/Object - Use the drop down list to choose the one that you want. Fragments Specify the action for fragmented packets. And it is used for Data Filter only. Don’t care -No action will be taken towards fragmented packets. Unfragmented -Apply the rule to unfragmented packets. Fragmented - Apply the rule to fragmented packets. Too Short - Apply the rule only to packets that are too short to contain a complete header. Filter Specifies the action to be taken when packets match the rule.
Example As stated before, all the traffic will be separated and arbitrated using on of two IP filters: call filter or data filter. You may preset 12 call filters and data filters in Filter Setup and even link them in a serial manner. Each filter set is composed by 7 filter rules, which can be further defined. After that, in General Setup you may specify one set for call filter and one set for data filter to execute first.
3.6.4 DoS Defense As a sub-functionality of IP Filter/Firewall, there are 15 types of detect/ defense function in the DoS Defense setup. The DoS Defense functionality is disabled for default. Click Firewall and click DoS Defense to open the setup page. Enable Dos Defense Check the box to activate the DoS Defense Functionality. Enable SYN flood defense Check the box to activate the SYN flood defense function.
port-scanning Threshold rate, the Vigor router will send out a warning. By default, the Vigor router sets the threshold as 150 packets per second. Block IP options Check the box to activate the Block IP options function. The Vigor router will ignore any IP packets with IP option field in the datagram header.
SYN packets with the identical source and destination addresses, as well as the port number to victims. Block Unknown Protocol Check the box to activate the Block Unknown Protocol function. Individual IP packet has a protocol field in the datagram header to indicate the protocol type running over the upper layer. However, the protocol types greater than 100 are reserved and undefined at this time. Therefore, the router should have ability to detect and reject this kind of packets.
3.7 Bandwidth Management Below shows the menu items for Bandwidth Management. 3.7.1 Sessions Limit A PC with private IP address can access to the Internet via NAT router. The router will generate the records of NAT sessions for such connection. The P2P (Peer to Peer) applications (e.g., BitTorrent) always need many sessions for procession and also they will occupy over resources which might result in important accesses impacted.
Maximum Sessions Defines the available session number for specific range of IP addresses. If you do not set the session number in this field, the system will use the default session limit for the specific limitation you set for each index. Add Adds the specific session limitation onto the list above. Edit Allows you to edit the settings for the selected limitation. Delete Remove the selected settings existing on the limitation list.
Default TX limit Define the default speed of the upstream for each computer in LAN. Default RX limit Define the default speed of the downstream for each computer in LAN. Limitation List Display a list of specific limitations that you set on this web page. Start IP Define the start IP address for limit bandwidth. End IP Define the end IP address for limit bandwidth.
z Scheduling: Based on classification of service level to assign packets to queues and associated service types The basic QoS implementation in Vigor routers is to classify and schedule packets based on the service type information in the IP header. For instance, to ensure the connection with the headquarter, a teleworker may enforce an index of QoS Control to reserve bandwidth for HTTPS connection while using lots of application at the same time.
This page displays the QoS settings result of the WAN interface. Click the Setup link to access into next page for the general setup of WAN (1/2) interface. As to class rule, simply click the Edit link to access into next for configuration. You can configure general setup for the WAN interface, edit the Class Rule, and edit the Service Type for the Class Rule for your request. General Setup for WAN Interface When you click Setup, you can configure the bandwidth ratio for QoS of the WAN interface.
Reserved Bandwidth Ratio It is reserved for the group index in the form of ratio of reserved bandwidth to upstream speed and reserved bandwidth to downstream speed. Enable UDP Bandwidth Control Check this and set the limited bandwidth ratio on the right field. This is a protection of TCP application traffic since UDP application traffic such as streaming video will exhaust lots of bandwidth.
For adding a new rule, click Add to open the following page. ACT Check this box to invoke these settings. Source Address Click the SrcEdit button to set the source address for the rule. Destination Address Click the DestEdit button to set the destination address for the rule. SrcEdit/DestEdit It allows you to edit source address information. Address Type – Determine the address type for the source address. For Single Address, you have to fill in Start IP address.
Service Type It determines the service type of the data for processing with QoS control. It can also be edited. You can choose the predefined service type from the Service Type drop down list. Those types are predefined in factory. Simply choose the one that you want for using by current QoS. By the way, you can set up to 20 rules for one Class. If you want to edit an existed rule, please select the radio button of that one and click Edit to open the rule edit page for modification.
For adding a new rule, click Add to open the following page. If you want to edit an existed service type, please select the radio button of that one and click Edit to open the following page for modification. Service Name Type in a new service for your request. Service Type Choose the type (TCP, UDP or TCP/UDP) for the new service. Port Configuration Click Single or Range. If you select Range, you have to type in the starting port number and the end porting number on the boxes below.
3.8 Applications Below shows the menu items for Applications. 3.8.1 Dynamic DNS The ISP often provides you with a dynamic IP address when you connect to the Internet via your ISP. It means that the public IP address assigned to your router changes each time you access the Internet. The Dynamic DNS feature lets you assign a domain name to a dynamic WAN IP address. It allows the router to update its online WAN IP address mappings on the specified Dynamic DNS server.
3. 4. Index Click the number below Index to access into the setting page of DDNS setup to set account(s). WAN Interface Display current WAN interface used for accessing Internet. Domain Name Display the domain name that you set on the setting page of DDNS setup. Active Display if this account is active or inactive. View Log Display DDNS log status. Force Update Force the router updates its information to DDNS server. Select Index number 1 to add an account for the router.
Disable the Function and Clear all Dynamic DNS Accounts In the DDNS setup menu, uncheck Enable Dynamic DNS Setup, and push Clear All button to disable the function and clear all accounts from the router. Delete a Dynamic DNS Account In the DDNS setup menu, click the Index number you want to delete and then push Clear All button to delete the account. 3.8.2 Schedule The Vigor router has a built-in real time clock which can update itself manually or automatically by means of Network Time Protocols (NTP).
Enable Schedule Setup Check to enable the schedule. Start Date (yyyy-mm-dd) Specify the starting date of the schedule. Start Time (hh:mm) Specify the starting time of the schedule. Duration Time (hh:mm) Specify the duration (or period) for the schedule. Action Specify which action Call Schedule should apply during the period of the schedule. Force On -Force the connection to be always on. Force Down -Force the connection to be always down.
3. Configure the Force Down from 18:00 to next day 9:00 for whole week. 4. Assign these two profiles to the PPPoE Internet access profile. Now, the PPPoE Internet connection will follow the schedule order to perform Force On or Force Down action according to the time plan that has been pre-defined in the schedule profiles. 3.8.
3.8.4 UPnP The UPnP (Universal Plug and Play) protocol is supported to bring to network connected devices the ease of installation and configuration which is already available for directly connected PC peripherals with the existing Windows 'Plug and Play' system. For NAT routers, the major feature of UPnP on the router is “NAT Traversal”. This enables applications inside the firewall to automatically open the ports that they need to pass through a router.
The reminder as regards concern about Firewall and UPnP Can't work with Firewall Software Enabling firewall applications on your PC may cause the UPnP function not working properly. This is because these applications will block the accessing ability of some network ports. Security Considerations Activating the UPnP function on your network may incur some security threats. You should consider carefully these risks before activating the UPnP function.
3.8.5 IGMP IGMP is the abbreviation of Internet Group Management Protocol. It is a communication protocol which is mainly used for managing the membership of Internet Protocol multicast groups. Enable IGMP Proxy Check this box to enable this function. The application of multicast will be executed through WAN1/2 port or PVC. Use the drop down list to choose the interface. 3.8.6 Wake On LAN A PC client on LAN can be woken up by the router it connects.
Wake Up Click this button to wake up the selected IP. See the following figure. The result will be shown on the box.
3.9 VPN and Remote Access A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. In short, by VPN technology, you can send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link. Besides, here provides ISDN LAN to LAN and remote dial-in functions (for i model only). Below shows the menu items for VPN and Remote Access. 3.9.
Please choose a LAN-to-LAN Profile There are 32 VPN tunnels for users to set. When you finish the mode and profile selection, please click Next to open the following page. In this page, you have to select suitable VPN type for the VPN client profile. There are six types provided here. Different type will lead to different configuration page.
the choices for the client profile, please click Next. You will see different configurations based on the selection(s) you made.
z When you choose L2TP over IPSec (Nice to Have), you will see the following graphic: z When you choose L2TP over IPSec (Must), you will see the following graphic: 108 Vigor2910 Series User’s Guide
Profile Name Type a name for such profile. The length of the file is limited to 10 characters. VPN Connection Through Use the drop down menu to choose a proper WAN interface for this profile. This setting is useful for dial-out only. WAN1 First - While connecting, the router will use WAN1 as the first channel for VPN connection. If WAN1 fails, the router will use another WAN interface instead. WAN1 Only - While connecting, the router will use WAN1 as the only channel for VPN connection.
Profiles (set from VPN and Remote Access>>IPSec Peer Identity). IPSec Security Method Medium - Authentication Header (AH) means data will be authenticated, but not be encrypted. By default, this option is active. High - Encapsulating Security Payload (ESP) means payload (data) will be encrypted and authenticated. You may select encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES.
3.9.2 VPN Server Wizard Such wizard is used to configure VPN settings for VPN server. Such wizard will guide to set the LAN-to-LAN profile for VPN dial in connection (from client to server) step by step. VPN Server Mode Selection Choose the direction for the VPN server. Site to Site VPN/Remote Dial-in User – To set a LAN-to-LAN profile automatically, please choose Site to Site VPN.
Please choose a Dial-in User Accounts This item is available when you choose Remote Dial-in User (Teleworker) as VPN server mode. There are 32 VPN tunnels for users to set. Allowed Dial-in Type This item is available after you choose any one of dial-in user account profiles. Next, you have to select suitable dial-in type for the VPN server profile. There are six types provided here (similar to VPN Client Wizard). Different Dial-in Type will lead to different configuration page.
Profile Name Type a name for such profile. The length of the file is limited to 10 characters. User Name This field is used to authenticate for connection when you select PPTP or L2TP with or without IPSec policy above. Password This field is used to authenticate for connection when you select PPTP or L2TP with or without IPSec policy above. Pre-Shared Key For IPSec/L2TP IPSec authentication, you have to type a pre-shared key. Confirm Pre-Shared Key Type the pre-shared key again for confirmation.
z When you check IPSec, you will see the following graphic: After finishing the configuration, please click Next. The confirmation page will be shown as follows. If there is no problem, you can click one of the radio buttons listed on the page and click Finish to execute the next action.
Go to the VPN Connection Click this radio button to access VPN and Remote Access>>Connection Management for viewing VPN Management Connection status. Do another VPN Server Wizard Setup Click this radio button to set another profile of VPN Server through VPN Server Wizard. View more detailed configuration Click this radio button to access VPN and Remote Access>>LAN to LAN for viewing detailed configuration. 3.9.3 Remote Access Control Enable the necessary VPN service as you need.
Enable L2TP VPN Service Check this box to activate the VPN service through L2TP protocol. Enable ISDN Dial-IN This feature is available for i model. Check this box to activate the ISDN dial-in. 3.9.4 PPP General Setup This submenu only applies to PPP-related connections, such as PPTP, L2TP, L2TP over IPSec of VPN or ISDN. Select this option to force the router to authenticate dial-in Dial-In PPP Authentication PAP Only users with the PAP protocol.
authentication. You should further specify the User Name and Password of the mutual authentication peer. Start IP Address Enter a start IP address for the dial-in PPP connection. You should choose an IP address from the local private network. For example, if the local private network is 192.168.1.0/255.255.255.0, you could choose 192.168.1.200 as the Start IP Address. But, you have to notice that the first two IP addresses of 192.168.1.200 and 192.168.1.201 are reserved for ISDN remote dial-in user. 3.9.
IKE Authentication Method This usually applies to those are remote dial-in user or node (LAN to LAN) which uses dynamic IP address and IPSec-related VPN connections such as L2TP over IPSec and IPSec tunnel. Pre-Shared Key -Currently only support Pre-Shared Key authentication. Pre-Shared Key- Specify a key for IKE authentication Confirm Pre-Shared Key-Confirm the pre-shared key. IPSec Security Method Medium - Authentication Header (AH) means data will be authenticated, but not be encrypted.
Profile Name Type in a name in this file. Enable this account-Check this box to enable such profile. Accept Any Peer ID Click to accept any peer regardless of its identity. Accept Subject Alternative Click to check one specific field of digital signature to accept the peer with matching value. The field can be IP Address, Name Domain, or E-mail Address. The box under the Type will appear according to the type you select and ask you to fill in corresponding setting.
3.9.7 Remote Dial-in User You can manage remote access by maintaining a table of remote user profile, so that users can be authenticated to dial-in via ISDN or build the VPN connection. You may set parameters including specified connection peer ID, connection type (ISDN Dial-In connection, VPN connection - including PPTP, IPSec Tunnel, and L2TP by itself or over IPSec) and corresponding security methods, etc. The router provides 32 access accounts for dial-in users.
Enable this account Check the box to enable this function. Idle Timeout- If the dial-in user is idle over the limitation of the timer, the router will drop this connection. By default, the Idle Timeout is set to 300 seconds. ISDN Allow the remote ISDN dial-in connection. You can further set up Callback function below. You should set the User Name and Password of remote dial-in user below. This feature is for i model only.
aggressive mode). Uncheck the checkbox-This means the connection type you select above will apply the authentication methods and security methods in the general settings. Netbios Naming Packet Pass – Click it to have an inquiry for data transmission between the hosts located on both sides of VPN Tunnel while connecting. Block – When there is conflict occurred between the hosts on both sides of VPN Tunnel in connecting, such function can block data transmission of Netbios Naming Packet inside the tunnel.
Specify the callback number-The option is for extra security. Once enabled, the router will ONLY call back to the specified Callback Number. Check to enable callback budget control-By default, the callback function has a time restriction. Once the callback budget has been exhausted, the callback mechanism will be disabled automatically. Callback Budget (Unit: minutes)- Specify the time budget for the dial-in user. The budget will be decreased automatically per callback connection. 3.9.
Click each index to edit each profile and you will get the following page. Each LAN to LAN profile includes 4 subgroups. If the fields gray out, it means you may leave it untouched. The following explanations will guide you to fill all the necessary fields. When VPN TRUNK is activated, several fields (e.g., Dial-in Settings, Dial-in selection in Call Direction and others) might be locked and dimmed. Please refer to VPN and Remote Access>>VPN Backup Management for more details.
Profile Name Specify a name for the profile of the LAN to LAN connection. Enable this profile Check here to activate this profile. VPN Connection Through Use the drop down menu to choose a proper WAN interface for this profile. This setting is useful for dial-out only. WAN1 First - While connecting, the router will use WAN1 as the first channel for VPN connection. If WAN1 fails, the router will use another WAN interface instead.
the state of a VPN connection for router’s judgment of redial. Normally, if any one of VPN peers wants to disconnect the connection, it should follow a serial of packet exchange procedure to inform each other. However, if the remote peer disconnect without notice, Vigor router will by no where to know this situation. To resolve this dilemma, by continuously sending PING packets to the remote host, the Vigor router can know the true existence of this VPN connection and react accordingly.
IPSec Security Method This group of fields is a must for IPSec Tunnels and L2TP with IPSec Policy. Medium Authentication Header (AH) means data will be authenticated, but not be encrypted. By default, this option is active. High (ESP-Encapsulating Security Payload)- means payload (data) will be encrypted and authenticated. Select from below: DES without Authentication -Use DES encryption algorithm and not apply any authentication scheme.
IKE phase 2 proposal-To propose the local available algorithms to the VPN peers, and get its feedback to find a match. Three combinations are available for both modes. We suggest you select the combination that covers the most algorithms. IKE phase 1 key lifetime-For security reason, the lifetime of key should be defined. The default value is 28800 seconds. You may specify a value in between 900 and 86400 seconds. IKE phase 2 key lifetime-For security reason, the lifetime of key should be defined.
Allowed Dial-In Type Determine the dial-in connection with different types. ISDN Allow the remote ISDN LAN to LAN connection. You should set the User Name and Password of remote dial-in user below. This feature is useful for i model only. In addition, you can further set up Callback function below. PPTP Allow the remote dial-in user to make a PPTP VPN connection through the Internet. You should set the User Name and Password of remote dial-in user below.
connection employed the L2TP without IPSec policy can be viewed as one pure L2TP connection. Nice to Have- Apply the IPSec policy first, if it is applicable during negotiation. Otherwise, the dial-in VPN connection becomes one pure L2TP connection. Must- Specify the IPSec policy to be definitely applied on the L2TP connection. Specify CLID or Remote VPN Gateway….
Callback number-The option is for extra security. Once enabled, the router will ONLY call back to the specified Callback Number. Callback Budget (Unit: minutes) - By default, the callback function has limitation of callback period. Once the callback budget is exhausted, the function will be disabled automatically. Specify the time budget for the dial-in user. The budget will be decreased automatically per callback connection. The default value 0 means no limitation of callback period.
More Add a static route to direct all traffic destined to more Remote Network IP Addresses/ Remote Network Mask through the VPN connection. This is usually used when you find there are several subnets behind the remote VPN router. RIP Direction The option specifies the direction of RIP (Routing Information Protocol) packets. You can enable/disable one of direction here. Herein, we provide four options: TX/RX Both, TX Only, RX Only, and Disable. RIP Version Select the RIP protocol version. Specify Ver.
3.9.9 VPN Backup Management VPN Backup Management is a backup mechanism to set multiple VPN tunnels for using as backup tunnel. It can assure the network connection would not be cut off due to network environment blocked by any reason. Features of VPN Backup ¾ VPN Backup can judge abnormal situation for the environment of VPN server and correct it to complete the backup of VPN Tunnel in real-time.
Name (on Backup Profile field) Display the name of VPN TRUNK profile. Member1 (on Backup Profile field) Display the dial-out profile selected from the Member1 drop down list below. Active (on Backup Profile field) “Yes” means normal condition. ”No” means the state might be disabled or that profile currently is set with Dial-in mode (for call direction) in LAN to LAN.
Time for activating VPN Backup profile VPN TRUNK backup will be activated automatically after the initial connection of single VPN Tunnel off-line. The content in Member1/2 within VPN TRUNK backup profile is similar to dial-out profile configured in LAN to LAN web page. VPN TRUNK backup profile will process and handle everything unless it is off-line once it is activated. How can you set a VPN Backup profile? 1. Go to VPN and Remote Access>>LAN to LAN. Set two or more LAN to LAN profiles first. 2.
3.9.10 Connection Management You can find the summary table of all VPN connections. You may disconnect any VPN connection by clicking Drop button. You may also aggressively Dial-out by using Dial-out Tool and clicking Dial button. General Mode This filed displays the profile configured in LAN to LAN (with Index number and VPN Server IP address). The VPN connection built by General Mode does not support VPN backup function.
Refresh Seconds Choose the time for refresh the dial information among 5, 10, and 30. Refresh Click this button to refresh the whole connection status. Note: The status of LAN to LAN for ISDN is shown on the page of Online Status.
3.10 Certificate Management A digital certificate works as an electronic ID, which is issued by a certification authority (CA). It contains information such as your name, a serial number, expiration dates etc., and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Here Vigor router support digital certificates conforming to standard X.509.
Type in all the information that the window request. Then click Generate again. Import Click this button to import a saved file as the certification information. Refresh Click this button to refresh the information listed below. View Click this button to view the detailed settings for certificate request.
3.10.2 Trusted CA Certificate Trusted CA certificate lists three sets of trusted CA certificate. To import a pre-saved trusted CA certificate, please click IMPORT to open the following window. Use Browse… to find out the saved text file. Then click Import. The one you imported will be listed on the Trusted CA Certificate window. Then click Import to use the pre-saved file. For viewing each trusted CA certificate, click View to open the certificate detail information window.
3.10.3 Certificate Backup Local certificate and Trusted CA certificate for this router can be saved within one file. Please click Backup on the following screen to save them. If you want to set encryption password for these certificates, please type characters in both fields of Encrypt password and Retype password.
3.11 VoIP Voice over IP network (VoIP) enables you to use your broadband Internet connection to make toll quality voice calls over the Internet. There are many different call signaling protocols, methods by which VoIP devices can talk to each other. The most popular protocols are SIP, MGCP, Megaco and H.323. These protocols are not all compatible with each other (except via a soft-switch server).
only have to using dial plan or directly dial your friend’s account name if you are with the same SIP Registrar. Please refer to the section 4.5.1. z Peer-to-Peer Before calling, you have to know your friend’s IP Address. The Vigor VoIP Routers will build connection between each other. Please refer to the section 4.5.2. Our Vigor V models firstly apply efficient codecs designed to make the best use of available bandwidth, but Vigor V models also equip with automatic QoS assurance.
Click any index number to display the dial plan setup page. Enable Click this to enable this entry. Phone Number The speed-dial number of this index. This can be any number you choose, using digits 0-9 and * . Display Name The Caller-ID that you want to be displayed on your friend’s screen. This let your friend can easily know who’s calling without memorizing lots of SIP URL Address.
This page will differ for different models. Below is a sample page obtained from Vigor 2910VGi. The selection of Loop through and Backup Phone Number is only available for 2910VGi model. Enable Click this to enable this entry. Phone Number The speed-dial number of this index. This can be any number you choose, using digits 0-9 and * . Display Name The Caller-ID that you want to be displayed on your friend’s screen.
type in backup phone number (PSTN number) for this VoIP phone setting. Digit Map For the convenience of user, this page allows users to edit prefix number for the SIP account with adding number, stripping number or replacing number. It is used to help user having a quick and easy way to dial out through VoIP interface. Enable Check this box to invoke this setting. Match Prefix The phone number set here is used to add, strip, or replace the OP number. Mode None - No action.
SIP server. OP Number The front number you type here is the first part of the account number that you want to execute special function (according to the chosen mode) by using the prefix number. Min Len Set the minimal length of the dial number for applying the prefix number settings. Take the above picture (Prefix Table Setup web page) as an example, if the dial number is between 7 and 9, that number can apply the prefix number settings here.
Profile Display the profile name of the account. Domain/Realm Display the domain name or IP address of the SIP registrar server. Proxy Display the domain name or IP address of the SIP proxy server. Account Name Display the account name of SIP address before @. Ring Port Specify which port will ring when receiving a phone call. STUN Server Type in the IP address or domain of the STUN server. External IP Type in the gateway IP address. SIP PING interval The default value is 150 (sec).
Profile Name Assign a name for this profile for identifying. You can type similar name with the domain. For example, if the domain name is draytel.org, then you might set draytel-1 in this field. Register via If you want to make VoIP call without register personal information, please choose None and check the box to achieve the goal. Some SIP server allows user to use VoIP function without registering. For such server, please check the box of Call without Registeration. Choosing Auto is recommended.
Authentication ID Check the box to invoke this function and enter the name or number used for SIP Authorization with SIP Registrar. If this setting value is the same as Account Name, it is not necessary for you to check the box and set any value in this field. Password The password provided to you when you registered with a SIP service. Expiry Time The time duration that your SIP Registrar server keeps your registration record.
3.11.3 Phone Settings This page allows user to set phone settings for VoIP 1 and VoIP 2 respectively. Phone List Vigor2910 Series User’s Guide Port – There are three phone ports provided here for you to configure. Call feature – A brief description for call feature will be shown in this field for your reference. Codec – The default Codec setting for each port will be shown in this field for your reference. You can click the number below the Index field to change it for each phone port.
DTMF Relay – Display DTMF mode that configured in the advanced settings page of Phone Index. RTP Symmetric RTP – Check this box to invoke the function. To make the data transmission going through on both ends of local router and remote router not misleading due to IP lost (for example, sending data from the public IP of remote router to the private IP of local router), you can check this box to solve this problem. Dynamic RTP port start - Specifies the start port for RTP stream. The default value is 10050.
Detailed Settings for VoIP 1 and 2 Click the number 1 or 2 link under Index column, you can access into the following page for configuring Phone settings. Hotline Check the box to enable it. Type in the SIP URL in the field for dialing automatically when you pick up the phone set. Session Timer Check the box to enable the function. In the limited time that you set in this field, if there is no response, the connecting call will be closed automatically. T.
Index (1-15) in Schedule - Enter the index of schedule profiles to control the DND mode according to the preconfigured schedules. Refer to section 3.5.2 Schedule for detailed configuration. Index (1-60) in Phone Book - Enter the index of phone book profiles. Refer to section 3.10.1 DialPlan – Phone Book for detailed configuration. Call Waiting Check this box to invoke this function. A notice sound will appear to tell the user new phone call is waiting for your response.
Play dial tone only when account registered - Check this box to invoke the function. Default Call Route It determines the default direction for the call route of the router. To ISDN (for VoIP) - The router is set by using ISDN call. To change ISDN call into VoIP call, please dial the character in this field for transferring. The character that you can type can be *, #, and 0~9. To VoIP (for ISDN) - The router is set by using VoIP call.
Also, you can specify each field for your necessity. It is recommended for you to use the default settings for VoIP communication. Caller ID Type There are several standards provided here for displaying the caller ID on the panel of the telephone set. Choose the one that is suitable for the phone set according to the area of the router installed. If you don’t know what standard that the phone set supports, please use the default setting.
useful when the network traffic congestion occurs and it still can remain the accuracy of DTMF tone. SIP INFO- Choose this one then the Vigor will capture the DTMF tone and transfer it into SIP form. Then it will be sent to the remote end with SIP message. Payload Type (rfc2833) Choose a number from 96 to 127, the default value was 101. This setting is available for the OutBand (RFC2833) mode.
only when the local system is busy. No answer means if the incoming calls do not receive any response, they will be forwarded to the SIP URL by the time out. SIP URL – Type in the SIP URL (e.g., aaa@draytel.org or abc@iptel.org) as the site for call forwarded. Time Out – Set the time out for the call forwarding. The default setting is 30 sec. DND (Do Not Disturb) mode Set a period of peace time without disturbing by VoIP phone call.
something to save the bandwidth for other using. Click On to invoke this function; click off to close the function. Default SIP Account You can set SIP accounts (up to six groups) on SIP Account page. Use the drop down list to choose one of the profile names for the accounts as the default one for this phone setting. Play dial tone only when account registered Check this box to invoke the function.
page. If you cannot find out a suitable one, please choose User Defined and fill out the corresponding values for dial tone, ringing tone, busy tone, congestion tone by yourself for VoIP phone. Also, you can specify each field for your necessity. It is recommended for you to use the default settings for VoIP communication. Volume Gain Mic Gain (1-10)/Speaker Gain (1-10) - Adjust the volume of microphone and speaker by entering number from 1- 10. The larger of the number, the louder the volume is.
Payload Type (rfc2833) - Choose a number from 96 to 127, the default value was 101. This setting is available for the OutBand (RFC2833) mode. Disallow VoIP to ISDN Calls with the Following Prefixes Set the prefix of the phone number to forbid the user dialing through VoIP to ISDN. All the phone number with the prefix specified here will not be allowed to connect through the router. If a user dials the number by force, the router will disconnect it automatically.
for the physical ISDN port. Be aware that ISDN1/2 port is available for the users living in Europe and using Vigor 2910VGi only. For other V models, only the status for VoIP1 and VoIP2 will be shown in this page. Status It shows the VoIP connection status. IDLE - Indicates that the VoIP function is idle. HANG_UP - Indicates that the connection is not established (busy tone). CONNECTING - Indicates that the user is calling out.
3.12.1 General Setup This page provides some basic ISDN settings such as enabling the ISDN port or not, MSN numbers and blocked MSN numbers, etc. ISDN Port Click Enable to open the ISDN port and Disable to close it. Country Code For proper operation on your local ISDN network, you should choose the correct country code. Own Number Enter your ISDN number. Every outgoing call will carry the number to the receiver.
3.12.2 Dialing to a Single ISP If you access the Internet via a single ISP, press this link. ISP Name Enter your ISP name. Dial Number Enter the ISDN access number provided by your ISP. Username Enter the username provided by your ISP. Password Enter the password provided by your ISP. Require ISP Callback If your ISP supports the callback function, check this box to activate the Callback Control Protocol during the PPP (CBCP) negotiation.
Yes to invoke this function and enter the IP address in the field of Fixed IP Address. Fixed IP Address Type the IP address. 3.12.3 Dialing to Dual ISPs If you have more than one ISP, press this link to configure two ISP dialup profiles. You will be able to dial to both ISPs at the same time. This is mainly for those ISPs that do not support Multiple-Link PPP (ML-PPP) function. In such cases, dialing to two ISPs can increase the bandwidth utilization of the ISDN channels to 128kbps data speed.
As depicted in the above application scenario, the Virtual TA client can make an outgoing call or accept an incoming call to/from a peer FAX machine or ISDN TA, etc. Before describing the configuration of Virtual TA in the Vigor routers, please heed the following limitations. z The Virtual TA client only supports MicrosoftTM Windows 98/SE/2000/XP platforms. z The Virtual TA client only supports the CAPI 2.0 protocol and has no built-in FAX engine. z One ISDN BRI interface has two B channels.
Install a Virtual TA Client 1. Insert the CD-ROM bundled with your Vigor router. Find VTA Client tool in the Utility menu and click on the Install button. 2. Follow the on-screen instructions of the installer. The last step will ask you to restart your computer. Click OK to restart your computer. 3. After the computer restarts, you will see a VT icon in the taskbar (usually in the bottom-right of the screen, near the clock) as shown below.
Click the Virtual TA Login tab to launch the login box. Enter the Username/Password and then click OK. After a short time, the VT icon text will turn green. MSN Configuration If you have applied to an MSN number service, the Virtual TA server can assign which client has the specified MSN number. When an incoming call arrives, the server will inform the appropriate client. Now we set an example to describe the configuration of the MSN number.
3.12.5 Call Control Some applications require that the router (only for the ISDN models) be remotely activated, or be able to dial up to the ISP via the ISDN interface. Vigor routers provide this feature by allowing user to make a phone call to the router and then ask it to dial up to the ISP. Accordingly, a teleworker can access the remote network to retrieve resources.
PPP Authentication It specifies the PPP authentication method for PPP/MP connections. Normally you can set it to PAP/CHAP for better compatibility. TCP Header Compression VJ Compression - It is used for TCP/IP protocol header compression. Normally it is set to None to improve bandwidth utilization. Idle Timeout Because our ISDN link type is “Dial On Demand”, the connection will be initiated only when needed.
3.13 Wireless LAN This function is used for G models only. 3.13.1 Basic Concepts Over recent years, the market for wireless communications has enjoyed tremendous growth. Wireless technology now reaches or is capable of reaching virtually every location on the surface of the earth. Hundreds of millions of people exchange information every day via wireless communication products. The Vigor G model, a.k.a. Vigor wireless router, is designed for maximum flexibility and efficiency of a small office/home.
WEP (Wired Equivalent Privacy) is a legacy method to encrypt each frame transmitted via radio using either a 64-bit or 128-bit key. Usually access point will preset a set of four keys and it will communicate with each station using only one out of the four keys. WPA(Wi-Fi Protected Access), the most dominating security mechanism in industry, is separated into two categories: WPA-personal or called WPA Pre-Share Key (WPA/PSK), and WPA-Enterprise or called WPA/802.1x.
Example 3 Separate the Wireless and the Wired LAN- WLAN Isolation enables you to isolate your wireless LAN from wired LAN for either quarantine or limit access reasons. To isolate means neither of the parties can access each other. To elaborate an example for business use, you may set up a wireless LAN for visitors only so they can connect to Internet without hassle of the confidential information leakage.
3.13.2 General Settings By clicking the General Settings, a new web page will appear so that you could configure the SSID and the wireless channel. Please refer to the following figure for more information. Enable Wireless LAN Check the box to enable wireless function. Mode Select an appropriate wireless mode. Mixed (11b+11g+SuperG) - The radio can support IEEE802.11b, IEEE802.11g and SuperG protocols simultaneously. Mixed (11b+11g) - The radio can support both IEEE802.11b and IEEE802.
selected channel is under serious interference. Hide SSID Check it to prevent from wireless sniffing and make it harder for unauthorized clients or STAs to join your wireless LAN. Depending on the wireless utility, the user may only see the information except SSID or just cannot see any thing about Vigor wireless router while site surveying. Long Preamble This option is to define the length of the sync field in an 802.11 packet.
3.13.3 Security By clicking the Security Settings, a new web page will appear so that you could configure the settings of WEP and WPA. Mode There are several modes provided for you to choose. Disable - Turn off the encryption mechanism. WEP Only - Accepts only WEP clients and the encryption key should be entered in WEP Key. WEP/802.1x Only - Accept WEP clients with 802.1x authentication.
either Mixed or WPA2 only in the field below. Since the key will be auto-negotiated during authentication, the field of key setting below will be not available for input. WPA The WPA encrypts each frame transmitted from the radio using the key, which either PSK entered manually in this field below or automatically negotiated via 802.1x authentication. Type - Select from Mixed (WPA+WPA2) or WPA2 only. Pre-Shared Key (PSK) - Either 8~63 ASCII characters, such as 012345678..
3.13.4 Access Control For additional security of wireless access, the Access Control facility allows you to restrict the network access right by controlling the wireless LAN MAC address of client. Only the valid MAC address that has been configured can access the wireless LAN interface. By clicking the Access Control, a new web page will appear, as depicted below, so that you could edit the clients' MAC addresses to control their access rights.
OK Click it to save the access control list. Clear All Clean all entries in the MAC address list. 3.13.5 WDS WDS means Wireless Distribution System. It is a protocol for connecting two access points (AP) wirelessly. Usually, it can be used for the following application: y y Provide bridge traffic between two LANs through the air. Extend the coverage range of a WLAN. To meet the above requirement, two WDS modes are implemented in Vigor router. One is Bridge, the other is Repeater.
In the following examples, hosts connected to Bridge 1 or 3 can communicate with hosts connected to Bridge 2 through WDS links. However, hosts connected to Bridge 1 CANNOT communicate with hosts connected to Bridge 3 through Bridge 2. Click WDS from Wireless LAN menu. The following page will be shown. Mode Choose the mode for WDS setting. Disable mode will not invoke any WDS setting. Bridge mode is designed to fulfill the first type of application. Repeater mode is for the second one.
Security There are three types for security, Disable, WEP and Pre-shared key. The setting you choose here will make the following WEP or Pre-shared key field valid or not. Choose one of the types for the router. WEP Check this box to use the same key set in Security Settings page. If you did not set any key in Security Settings page, this check box will be dimmed.
3.13.6 AP Discovery Vigor router can scan all regulatory channels and find working APs in the neighborhood. Based on the scanning result, users will know which channel is clean for usage. Also, it can be used to facilitate finding an AP for a WDS link. Notice that during the scanning process (about 5 seconds), no client is allowed to connect to Vigor. This page is used to scan the existence of the APs on the wireless LAN. Yet, only the AP which is in the same channel of this router can be found.
3.13.7 Station List Station List provides the knowledge of connecting wireless clients now along with its status code. There is a code summary below for explanation. For convenient Access Control, you can select a WLAN station and click Add to Access Control below. Refresh Click this button to refresh the status of station list. Add Click this button to add current selected MAC address into Access Control.
3.13.8 Station Rate Control This page allows you to control the upload and download rate of each wireless client (station). Please check the box of Enable to invoke this setting. The range for the rate is between 100 ~ 30,000 kbps. 3.13.9 Web Portal Log-in This page allows you to specify an URL for accessing into or display a message when a remote user connects to Internet through this router.
example, force the wireless user(s) in hotel to access into the web page that the hotel wants the user(s) to visit. Show the message Type words or sentences here. The message will be displayed on the screen for several seconds when the wireless users access into the web page through the router. 3.14 VLAN Virtual LAN function provides you a very convenient way to manage hosts by grouping them based on the physical port. 3.14.
P1 – P4 Check the box to make the computer connecting to the port being grouped in specified VLAN. Be aware that each port can be grouped in different VLAN at the same time only if you check the box. For example, if you check the boxes of VLAN0-P1 and VLAN1-P1, you can make P1 to be grouped under VLAN0 and VLAN1 simultaneously. VLAN0-3 This router allows you to set 4 groups of virtual LAN.
7890 in the boxes of W_VLAN1. Users can configure fifteen groups of wireless VLAN in this page. Enable Check this box to invoke wireless VLAN function. Login ID Type Login ID for different groups of W_VLAN with 1 to 11 characters. Password Type password for different groups of W_VLAN with 1 to 11 characters. Details Click this button to set additional attributes settings for W_VLAN. Activated Date – Use the drop down lists to set the activated date for the wireless VLAN.
Disable broadcast and multicast traffic Check this box to prevent broadcast and multicast traffic forwarding to all W_VLAN. How can you (wireless client) access into Internet? After finishing the configuration of wireless VLAN, the wireless clients connecting to this router must do the following steps to access into Internet. 1. Open a browser and type http://www.draytek.vlan/login.htm or http://(vigor router’s IP address)/login.htm on the address line. 2. The following screen will appear. 3.
5. You can go to Diagnostics>>Wireless VLAN Online Station Table for viewing the connection status whenever you want. 3.14.3 VLAN Cross Setup This function allows the router to integrate VLAN and W_VLAN for managing different computers (notebooks). See the following picture for an example. With VLAN Cross Setup, notebook A/B and PCs on VLAN0 can share resources without difficulty.
The VLAN >> VALN Cross Setup allows you to set a communication bridge between computers in Wireless VLAN and wired VLAN. To achieve the intention of the above illustration, simply check the box under VLAN0 on the line of W_VLAN0. Enable Check this box to invoke VLAN Cross Setup function. VLAN0-3 It represents the groups of virtual LAN connected by Ethernet interface. W_VLAN0-15 It represents the groups of wireless VLAN communicated by wireless interface.
3.14.4 Wireless Rate Control Rate Control manages the transmission rate of data in and out through the router. You can also manage the in/out rate of each wireless VLAN. Go to VLAN menu and select Wireless Rate Control. The following page will appear. Click Enable to invoke VLAN function. For the rate control of wireless connection, please open VLAN menu and choose Wireless Rate Control. The following page will be shown for you to adjust. Enable Check this box to enable this function (for Rate Control).
3.15 USB Application USB diskette can be regarded as an FTP server. By way of Vigor router, clients on LAN can access, write and read data stored in USB diskette. After setting the configuration in USB Application, you can type the IP address of the Vigor router and username/password created in USB Application>>FTP User Management on the FTP client software. Thus, the client can use the FTP site (USB diskette) through Vigor router. 3.15.
3.15.2 FTP User Management This page allows you to set profiles for FTP users. Any user who wants to access into the USB diskette must type the same username and password configured in this page. Before adding or modifying settings in this page, please insert a USB diskette first. Otherwise, an error message will appear to warn you. Click index number to access into configuration page. FTP User Enable – Click this button to activate this profile (account).
password specified here for accessing into USB storage diskette. Confirm Password Type the password again to make confirmation. Home Folder It determines the range for the client to access into. The user can enter a directory name in this field. Then, after clicking OK, the router will create the specific/new folder in the USB diskette. In addition, if the user types “/” here, he/she can access into all of the disk folders and files in USB diskette.
IP Address It displays the IP address of the user’s host which connecting to the FTP server. When you insert USB diskette into the Vigor router, the system will start to find out such device within several seconds. Once the USB diskette has been found, the connection status will display “Disk Connected” and the web page will be shown as follows: 3.
3.16.1 System Status The System Status provides basic network settings of Vigor router. It includes LAN and WAN interface information. Also, you could get the current running firmware version or firmware related information from this presentation. Model Name Display the model name of the router. Firmware Version Display the firmware version of the router. Build Date/Time Display the date and time of the current firmware build. MAC Address Display the MAC address of the LAN Interface.
3.16.2 TR-069 Setting Vigor router with TR-069 is available for matching with VigorACS server. Such page provides VigorACS and CPE settings under TR-069 protocol. All the settings configured here is for CPE to be controlled and managed with VigorACS server. Users need to type URL, username and password for the VigorACS server that such device will be connected. However URL, username and password under CPE client are fixed that users cannot change it.
ACS Server for authentication. For example, if you want to use such CPE with VigorACS, you can type as the following: Username: acs Password: password CPE Client It is not necessary for you to type them. Such information is useful for Auto Configuration Server. Enable/Disable – Sometimes, port conflict might be occurred. To solve such problem, you might want to change port number for CPE. Please click Enable and change the port number.
New Password Type in new password in this filed. Confirm New Password Type in the new password again. When you click OK, the login window will appear. Please use the new password to access into the web configurator again. 3.16.4 Configuration Backup Backup the Configuration Follow the steps below to backup your configuration. 1. Go to System Maintenance >> Configuration Backup. The following windows will be popped-up, as shown below. 2. Click Backup button to get into the following dialog.
4. Click Save button, the configuration will download automatically to your computer as a file named config.cfg. The above example is using Windows platform for demonstrating examples. The Mac or Linux platform will appear different windows, but the backup function is still available. Note: Backup for Certification must be done independently. The Configuration Backup does not include information of Certificate. Restore Configuration 1. Go to System Maintenance >> Configuration Backup.
3.16.5 Syslog/Mail Alert SysLog function is provided for users to monitor router. There is no bother to directly get into the Web Configurator of the router or borrow debug equipments. Enable Click “Enable” to activate this function. Router Name Assign a name for the router. Server IP The IP address of the Syslog server. Destination Port Assign a port for the Syslog protocol.
3. From the Syslog screen, select the router you want to monitor. Be reminded that in Network Information, select the network adapter used to connect to the router. Otherwise, you won’t succeed in retrieving information from the router.
3.16.6 Time and Date It allows you to specify where the time of the router should be inquired from. Current System Time Click Inquire Time to get the current time. Use Browser Time Select this option to use the browser time from the remote administrator PC host as router’s system time. Use Internet Time Client Select to inquire time information from Time Server on the Internet using assigned protocol. Server IP Address Type the IP address of the time server.
3.16.7 Management This page allows you to manage the settings for access control, access list, port setup, and SNMP setup. For example, as to management access control, the port number is used to send/receive SIP message for building a session. The default value is 5060 and this must match with the peer Registrar when making VoIP calls. Router Name Type a name for such router. Allow management from the Internet Enable the checkbox to allow system administrators to login from the Internet.
Get Community Set the name for getting community by typing a proper character. The default setting is public. Set Community Set community by typing a proper name. The default setting is private. Manager Host IP Set one host as the manager to execute SNMP function. Please type in IP address to specify certain host. Trap Community Set trap community by typing a proper name. The default setting is public. Notification Host IP Set the IP address of the host that will receive the trap community.
3.16.9 Firmware Upgrade Before upgrading your router firmware, you need to install the Router Tools. The Firmware Upgrade Utility is included in the tools. The following web page will guide you to upgrade firmware by using an example. Note that this example is running over Windows OS (Operating System). Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.draytek.com (or local DrayTek's web site) and FTP site is ftp.draytek.com.
3.17 Diagnostics Diagnostic Tools provide a useful way to view or diagnose the status of your Vigor router. Below shows the menu items for Diagnostics. 3.17.1 Dial-out Trigger Click Diagnostics and click Dial-out Trigger to open the web page. The internet connection (e.g., ISDN, PPPoE, PPPoA, etc) is triggered by a package sending from the source IP address. Decoded Format It shows the source IP address (local), destination IP (remote) address, the protocol and length of the package.
3.17.2 Routing Table Click Diagnostics and click Routing Table to open the web page. Refresh Click it to reload the page. 3.17.3 ARP Cache Table Click Diagnostics and click ARP Cache Table to view the content of the ARP (Address Resolution Protocol) cache held in the router. The table shows a mapping between an Ethernet hardware address (MAC Address) and an IP address. Refresh Click it to reload the page. Clear Click it to clear the whole table.
3.17.4 DHCP Table The facility provides information on IP address assignments. This information is helpful in diagnosing network problems, such as IP address conflicts, etc. Click Diagnostics and click DHCP Table to open the web page. Index It displays the connection item number. IP Address It displays the IP address assigned by this router for specified PC. MAC Address It displays the MAC address for the specified PC that DHCP assigned IP address for it.
Peer IP:Port It indicates the destination IP address and port of remote host. Interface It indicates the interface of the WAN connection. Refresh Click it to reload the page. 3.17.6 Wireless VLAN Online Station Table Click Diagnostics and click Wireless VLAN Online Station Table to open the web page. It will display the IP address, MAC address and Login ID information for all the Wireless VLAN stations. IP Address Display the IP address of the wireless station.
3.17.7 Web Authentication Table This page displays the IP address, UserName and Login Time for the users who passing the web authentication from this router. 3.17.8 Data Flow Monitor This page displays the running procedure for the IP address monitored and refreshes the data in an interval of several seconds. The IP address listed here is configured in Bandwidth Management. You have to enable IP bandwidth limit and IP session limit before invoke Data Flow Monitor.
Enable Data Flow Monitor Refresh Seconds Check this box to enable this function. Refresh Click this link to refresh this page manually. Index Display the number of the data flow. IP Address Display the IP address of the monitored device. TX rate (kbps) Display the transmission speed of the monitored device. RX rate (kbps) Display the receiving speed of the monitored device. Sessions Display the session number that you specified in Limit Session web page.
Unblock – the device with the IP address will be blocked in five minutes. The remaining time will be shown on the session column. Current /Peak/Speed Current means current transmission rate and receiving rate for WAN1/WAN. Peak means the highest peak value detected by the router in data transmission. Speed means line speed specified in WAN>>General. If you do not specify any rate at that page, here will display Auto for instead. 3.17.
The horizontal axis represents time. Yet the vertical axis has different meanings. For WAN1/WAN2 Bandwidth chart, the numbers displayed on vertical axis represent the numbers of the transmitted and received packets in the past. For Sessions chart, the numbers displayed on vertical axis represent the numbers of the NAT sessions during the past.
3.17.10 Ping Diagnosis Click Diagnostics and click Ping Diagnosis to pen the web page. Ping through Use the drop down list to choose the WAN interface that you want to ping through or choose Unspecified to be determined by the router automatically. Ping to Use the drop down list to choose the destination that you would like to ping. IP Address Type in the IP address of the Host/IP that you want to ping. Run Click this button to start the ping work. The result will be displayed on the screen.
Ping through Use the drop down list to choose the WAN interface that you want to ping through or choose Unspecified to be determined by the router automatically. Host/IP Address It indicates the IP address of the host. Run Click this button to start route tracing work. Clear Click this link to remove the result on the window.
4 Application and Examples 4.1 Create a LAN to LAN Connection Between Remote Office and Headquarter The most common case is that you may want to connect to network securely, such as the remote branch office and headquarter. According to the network structure as shown in the below illustration, you may follow the steps to create a LAN to LAN profile. These two networks (LANs) should NOT have the same network address. Settings in Router A in headquarter: 1.
set general settings in IPSec General Setup, such as the pre-shared key that both parties have known. 3. Go to LAN to LAN. Click on one index number to edit a profile. 4. Set Common Settings as shown below. You should enable both of VPN connections because any one of the parties may start the VPN connection. 5. Set Dial-Out Settings as shown below to dial to connect to Router B aggressively with the selected Dial-Out method.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection. 6. Set Dial-In settings to as shown below to allow Router B dial-in to build VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection. 7. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router A can direct the packets destined to the remote network to Router B via the VPN connection.
1. Go to VPN and Remote Access and select Remote Access Control to enable the necessary VPN service and click OK. 2. Then, for using PPP based services, such as PPTP, L2TP, you have to set general settings in PPP General Setup. For using IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to set general settings in IPSec General Setup, such as the pre-shared key that both parties have known. 3. Go to LAN to LAN. Click on one index number to edit a profile. 4.
If an IPSec-based service is selected, you should further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-Out connection. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection. 6. Set Dial-In settings to as shown below to allow Router A dial-in to build VPN connection.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection. 7. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router B can direct the packets destined to the remote network to Router A via the VPN connection.
4.2 Create a Remote Dial-in User Connection Between the Teleworker and Headquarter The other common case is that you, as a teleworker, may want to connect to the enterprise network securely. According to the network structure as shown in the below illustration, you may follow the steps to create a Remote User Profile and install Smart VPN Client on the remote host. Settings in VPN Router in the enterprise office: 1.
3. Go to Remote Dial-In Users. Click on one index number to edit a profile. 4. Set Dial-In settings to as shown below to allow the remote user dial-in to build VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection. Otherwise, it will apply the settings defined in IPSec General Setup above.
Settings in the remote host: 1. For Win98/ME, you may use "Dial-up Networking" to create the PPTP tunnel to Vigor router. For Win2000/XP, please use "Network and Dial-up connections" or “Smart VPN Client”, complimentary software to help you create PPTP, L2TP, and L2TP over IPSec tunnel. You can find it in CD-ROM in the package or go to www.draytek.com download center. Install as instructed. 2. After successful installation, for the first time user, you should click on the Step 0. Configure button.
3. In Step 2. Connect to VPN Server, click Insert button to add a new entry. If an IPSec-based service is selected as shown below, You may further specify the method you use to get IP, the security method, and authentication method. If the Pre-Shared Key is selected, it should be consistent with the one set in VPN router. If a PPP-based service is selected, you should further specify the remote VPN server IP address, Username, Password, and encryption method.
server then forwarded to Internet. This will make the remote host seem to be working in the enterprise network. 4. Click Connect button to build connection. When the connection is successful, you will find a green light on the right down corner. 4.3 QoS Setting Example Assume a teleworker sometimes works at home and takes care of children.
3. Set Inbound/Outbound bandwidth. Note: The rate of outbound/inbound must be smaller than the real bandwidth to ensure correct calculation of QoS. It is suggested to set the bandwidth value for inbound/outbound as 80% - 85% of physical network speed provided by ISP to maximize the QoS performance. 4. Return to previous page. Enter the Name of Index Class 1 by clicking Edit link. Type the name “E-mail” for Class 1. 5. For this index, the user will set reserved bandwidth (e.g.
6. Return to previous page. Enter the Name of Index Class 2 by clicking Edit link. In this index, the user will set reserved bandwidth for HTTPS. 7. Click Setup link for WAN1. 8. Check Enable UDP Bandwidth Control on the bottom to prevent enormous UDP traffic of VoIP influent other application. Click OK. 9. If the worker has connected to the headquater using host to host VPN tunnel. (Please refer to Chapter 3 VPN for detail instruction), he may set up an index for it.
Class Name of Index 3. In this index, he will set reserve bandwidth for 1 VPN tunnel. 10. Click edit to open a new window. 11. First, check the ACT box. Then click Edit of Local Address to set a worker’s subnet address. Click Edit of Remote Address to set headquarter’s subnet address. Leave other fields and click OK.
4.4 LAN – Created by Using NAT An example of default setting and the corresponding deployment are shown below. The default Vigor router private IP address/Subnet Mask is 192.168.1.1/255.255.255.0. The built-in DHCP server is enabled so it assigns every local NATed host an IP address of 192.168.1.x starting from 192.168.1.10. You can just set the settings wrapped inside the red rectangles to fit the request of NAT usage.
You can just set the settings wrapped inside the red rectangles to fit the request of NAT usage.
4.5 Calling Scenario for VoIP function 4.5.1 Calling via SIP Sever Example 1: Both John and David have SIP Addresses from different service providers. John’s SIP URL: 1234@draytel.org, David’s SIP URL: 4321@iptel.org Settings for John DialPlan index 1 Phone Number: 1111 Display Name: David SIP URL: 4321@iptel.org SIP Accounts Settings --Profile Name: draytel1 Register via: Auto SIP Port: 5060 (default) Domain/Realm: draytel.org Proxy: draytel.
Example 2: Both John and David have SIP Addresses from the same service provider. John’s SIP URL: 1234@draytel.org , David’s SIP URL: 4321@draytel.org Settings for John DialPlan index 1 Phone Number: 1111 Display Name: David SIP URL: 4321@draytel.org SIP Accounts Settings --Profile Name: draytel 1 Register via: Auto SIP Port: 5060 (default) Domain/Realm: draytel.org Proxy: draytel.
4.5.2 Peer-to-Peer Calling Example 3: Arnor and Paulin have Vigor routers respectively. They can call each other without SIP Registrar. First they must have each other’s IP address and assign an Account Name for the port used for calling. Arnor’s SIP URL: 1234@214.61.172.53 Paulin’s SIP URL: 4321@ 203.69.175.24 Settings for Arnor DialPlan index 1 Phone Number: 1111 Display Name: paulin SIP URL: 4321@ 203.69.175.
4.6 Upgrade Firmware for Your Router Before upgrading your router firmware, you need to install the Router Tools. The file RTSxxx.exe will be asked to copy onto your computer. Remember the place of storing the execution file. 1. Go to www.draytek.com. 2. Access into Support >> Downloads. Please find out Firmware menu and click it. Search the model you have and click on it to download the newly update firmware for your router. 3. Access into Support >> Downloads. Please find out Utility menu and click it.
5. Double click on the router tool icon. The setup wizard will appear. 6. Follow the onscreen instructions to install the tool. Finally, click Finish to end the installation. 7. From the Start menu, open Programs and choose Router Tools XXX >> Firmware Upgrade Utility. 8. Type in your router IP, usually 192.168.1.1. 9. Click the button to the right side of Firmware file typing box. Locate the files that you download from the company web sites.
10. Click Send. 11. Now the firmware update is finished. 4.7 Request a certificate from a CA server on Windows CA Server 1. Go to Certificate Management and choose Local Certificate.
2. You can click GENERATE button to start to edit a certificate request. Enter the information in the certificate request. 3. Copy and save the X509 Local Certificate Requet as a text file and save it for later use. 4. Connect to CA server via web browser. Follow the instruction to submit the request. Below we take a Windows 2000 CA server for example. Select Request a Certificate.
Select Advanced request. Select Submit a certificate request a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file Import the X509 Local Certificate Requet text file. Select Router (Offline request) or IPSec (Offline request) below. Then you have done the request and the server now issues you a certificate. Select Base 64 encoded certificate and Download CA certificate. Now you should get a certificate (.cer file) and save it. 5.
and you will find the below window showing “------BEGINE CERTIFICATE------.....” 6. You may review the detail information of the certificate by clicking View button.
4.8 Request a CA Certificate and Set as Trusted on Windows CA Server 1. Use web browser connecting to the CA server that you would like to retrieve its CA certificate. Click Retrive the CA certificate or certificate recoring list.
2. In Choose file to download, click CA Certificate Current and Base 64 encoded, and Download CA certificate to save the .cer. file. 3. Back to Vigor router, go to Trusted CA Certificate. Click IMPORT button and browse the file to import the certificate (.cer file) into Vigor router. When finished, click refresh and you will find the below illustration. 4. You may review the detail information of the certificate by clicking View button.
4.9 VPN Backup Application You can change, disable or delete VPN Backup profile(s). Yet, the relational web pages in LAN to LAN also will be changed slightly. Please refer to the following expaination. Change the name of VPN Backup profile(s) 1. Click any one of the items from Backup profile list. 2. Type a new name in the field of Profile Name. 3. Click Edit. Disable VPN Backup profile(s) 1. Click any one of the items from Backup profile list. 2. Click Disable (as current status). 3. Click Edit. 4.
Web Page Changes for VPN Backup Corresponding web page (LAN to LAN) will be changed if VPN Backup is enabled. Refer to the following figures. Dial-in call direction and Idle Timeout will be dimmish and cannot be used. All the items in Allowed Dial-in Type will be dimmish and cannot be used. My WAN IP and Remote Gateway IP will be dimmish and cannot be used. In addition, after configuring VPN Backup profile(s), the Connection Management in VPN and Remote Access will be changed.
After adding a new VPN Backup profile, it will be listed in Backup Mode drop-down list for you to choose for dialing. Examples for VPN Backup Profile Here provides two situations that you can take advantages of VPN Backup profile mechanism. Example 1: A VPN Backup profile with member 1 (IPSec type) and Member 2(L2TP over IPSec) has been created for Router A for connecting with Router B. In general, Router A connects to Router B through Member 1 VPN tunnel (with IPSec type).
However, if the connection is off-line, Router A will use Member 2 VPN tunnel (with L2TP over IPSec) instead to connect Router B right away. Example 2: Subsidiary in Asia can use vigor router as VPN client. Every day it should transmit ERP, Mail or order information to headquarter in Europe. The Vigor router can build another backup VPN tunnel to subsidiary in America through LAN to LAN, and the VPN server in the subsidiary in American can build Routing /RIP.
4.10 ERD Mechanism for VPN Backup To use ERD (Environment Recovery Detection) mechanism for VPN Backup, please follow the steps listed below: 1. Click Start >> Run and type Telnet 192.168.1.1 in the Open box as below. Note that the IP address in the example is the default address of the router. If you have changed the default, enter the current IP address of the router. 2. Click OK. The Telnet terminal will be open.
Request Background: Some of users think it is not really environment recovery detection to borrow VPN tunnels from branches for connecting with the headquarters. The system should connect to headquarters automatically and that is called ERD. To set ERD AutoDrop mode ¾ To check current status of AutoDrop > vpn Trunk backup ERD VpnBackup AutoDrop ¾ To set AutoDrop > vpn Trunk backup ERD VpnBackup AutoDrop 3600 ¾ Why use - AutoDrop might cause unstable condition for data transmitting.
5 Trouble Shooting This section will guide you to solve abnormal situations if you cannot access into the Internet after installing the router and finishing the web configuration. Please follow sections below to check your basic installation status stage by stage. z Checking if the hardware status is OK or not. z Checking if the network connection settings on your computer are OK or not. z Pinging the router from your computer. z Checking if the ISP settings are OK or not.
For Windows The example is based on Windows XP. As to the examples for other operation systems, please refer to the similar steps or find support notes in www.draytek.com. 1. Go to Control Panel and then double-click on Network Connections. 2. Right-click on Local Area Connection and click on Properties. 3. Select Internet Protocol (TCP/IP) and then click Properties.
4. Select Obtain an IP address automatically and Obtain DNS server address automatically. For MacOs 1. Double click on the current used MacOs on the desktop. 2. Open the Application folder and get into Network. 3. On the Network screen, select Using DHCP from the drop down list of Configure IPv4.
5.3 Pinging the Router from Your Computer The default gateway IP address of the router is 192.168.1.1. For some reason, you might need to use “ping” command to check the link status of the router. The most important thing is that the computer will receive a reply from 192.168.1.1. If not, please check the IP address of your computer. We suggest you setting the network connection as get IP automatically. (Please refer to the section 5.2) Please follow the steps below to ping the router correctly.
Vigor2910 Series User’s Guide 255
5.4 Checking If the ISP Settings are OK or Not Click WAN>> Internet Access and then check whether the ISP settings are set correctly. For PPPoE Users 1. Check if the Enable option is selected. 2. Check if Username and Password are entered with correct values that you got from your ISP. For Static/Dynamic IP Users 1. Check if the Enable option is selected. 2. Check if IP address, Subnet Mask and Gateway are entered with correct values that you got from your ISP.
5.5 Problems for 3G Network Connection When you have trouble in using 3G network transmission, please check the following: Check if USB LED lights on or off You have to wait about 15 seconds after inserting 3G USB Modem into your Vigor2910. Later, the USB LED will light on which means the installation of USB Modem is successful. If the USB LED does not light on, please remove and reinsert the modem again. If it still fails, restart Vigor2910.
Transmission Rate is not fast enough Please connect your Notebook with 3G USB Modem to test the connection speed to verify if the problem is caused by Vigor2910. In addition, please refer to the manual of 3G USB Modem for LED Status to make sure if the modem connects to Internet via HSDPA mode. If you want to use the modem indoors, please put it on the place near the window to obtain better signal receiving. 5.
Hardware Reset While the router is running (ACT LED blinking), press the Factory Reset button and hold for more than 5 seconds. When you see the ACT LED blinks rapidly, please release the button. Then, the router will restart with the default configuration. After restore the factory default setting, you can configure the settings for the router again to fit your personal request. 5.
