Vigor3200 Series Multi-WAN Security Router User’s Guide Version: 1.5 Firmware Version: V3.3.7.
Copyright Information Copyright Declarations Copyright 2012 All rights reserved. This publication contains information that is protected by copyright. No part may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders. Trademarks The following trademarks are used in this document: Microsoft is a registered trademark of Microsoft Corp.
European Community Declarations Manufacturer: DrayTek Corp. Address: No. 26, Fu Shing Road, HuKou Township, HsinChu Industrial Park, Hsin-Chu, Taiwan 303. Product: Vigor3200 Series Router. DrayTek Corp. declares that Vigor3200 Series of routers are in compliance with the following essential requirements and other relevant provisions of R&TTE Directive 1999/5/EEC.
Table of Contents
Introduction
1.1 Web Configuration Buttons Explanation
1.2 LED Indicators and Connectors
1.2.1 For Vigor3200
3.11.1 Creating an Account via Vigor Router
3.11.2 Creating an Account via MyVigor Web Site
3.12 How can I get the files from USB storage device connecting to Vigor router?
3.13 VPN Trunk Load-Balance between Vigor 3200 and Other Vigor Router
Advanced Web Configuration
4.8.1 Sessions Limit
4.8.2 Bandwidth Limit
4.8.3 Quality of Service
4.9 Applications
4.15.2 TR-069
4.15.3 Administrator Password
4.15.4 User Password
4.15.5 Login Customization
Introduction Vigor3200 Series, a broadband router, integrates IP layer QoS and NAT session/bandwidth management to help users make good use of large bandwidth. By adopting a hardware-based VPN platform and hardware encryption of AES/DES/3DES, the router greatly increases VPN performance and offers several protocols (such as IPSec/PPTP/L2TP) with up to 32 VPN tunnels. The object-based design used in the SPI (Stateful Packet Inspection) firewall allows users to set firewall policy easily.
1.2 LED Indicators and Connectors Before you use the Vigor router, please get acquainted with the LED indicators and connectors first.
1.2.1 For Vigor3200
LED / Status / Explanation
ACT (Activity), Blinking: The router is powered on and running normally.
ACT (Activity), Off: The router is powered off.
On: USB device is connected and ready for use.
Blinking: The data is transmitting.
On: The DoS/DDoS function is active.
Blinking: It will blink while detecting an attack.
On: The VPN tunnel is active.
Interface / Description (Factory Reset, WAN1-WAN4, DMZ, LAN, USB, PWR)
Factory Reset: Restore the default settings. Usage: Turn on the router (ACT LED is blinking). Press the hole and keep it pressed for more than 5 seconds. When you see the ACT LED begin to blink more rapidly than usual, release the button. Then the router will restart with the factory default configuration.
WAN1-WAN4: Connectors for remote networked devices.
DMZ: Connector for local DMZ host.
LAN: Connector for local network devices.
USB: Connector for 3G Modem or printer.
1.2.2 For Vigor3200n
LED / Status / Explanation
ACT (Activity), Blinking: The router is powered on and running normally.
ACT (Activity), Off: The router is powered off.
On: USB device is connected and ready for use.
Blinking: The data is transmitting.
On: Wireless access point is ready.
Blinking: Ethernet packets are transmitting over wireless LAN.
The WLAN function is inactive.
The VPN tunnel is active.
The WAN1 ~ WAN4 connection is ready. It will blink while transmitting data.
Interface / Description (Wireless LAN ON/OFF/WPS, WAN1-WAN4, DMZ, LAN, USB, PWR)
Wireless LAN ON/OFF/WPS: Press the "Wireless LAN ON/OFF/WPS" button once to wait for a client device to make a network connection through WPS. Press the "Wireless LAN ON/OFF/WPS" button twice to enable (WLAN LED on) or disable (WLAN LED off) the wireless connection.
Restore the default settings. Usage: Turn on the router (ACT LED is blinking). Press the hole and keep it pressed for more than 5 seconds. When you see the ACT LED begin to blink more rapidly than usual, release the button.
1.3 Hardware Installation Before starting to configure the router, you have to connect your devices correctly. 1. Connect the cable Modem/DSL Modem/Media Converter to any WAN port of router with Ethernet cable (RJ-45). 2. Connect one end of an Ethernet cable (RJ-45) to the LAN port of the router and the other end of the cable (RJ-45) into the Ethernet port on your computer. Or, use a switch to connect Vigor router and computer(s). 3.
1.4 Printer Installation You can install a printer onto the router to share printing. All the PCs connected to this router can print documents via the router. The example provided here is based on Windows XP/2000. For Windows 98/SE/Vista, please visit www.DrayTek.com. Before using it, please follow the steps below to configure settings for connected computers (or wireless clients). 1. Connect the printer to the router through the USB/parallel port. 2. Open Start->Settings->Printers and Faxes.
3. Open File->Add Printer. A welcome dialog will appear. Please click Next. 4. Click Local printer attached to this computer and click Next. 5. In this dialog, choose Create a new port Type of port and use the drop down list to select Standard TCP/IP Port. Click Next.
6. In the following dialog, type 192.168.1.1 (router’s LAN IP) in the field of Printer Name or IP Address and type IP_192.168.1.1 as the port name. Then, click Next. 7. Click Standard and choose Generic Network Card. 8. Then, in the following dialog, click Finish.
9. Now, your system will ask you to choose the right name of the printer that you installed onto the router. This step makes sure the correct driver is loaded onto your PC. When you finish the selection, click Next. 10. For the final stage, you need to go back to Control Panel-> Printers and edit the property of the new printer you have added. 11. Select "LPR" on Protocol, type p1 (number 1) as Queue Name. Then click OK. Next please refer to the red rectangle for choosing the correct protocol and LPR name.
The printer can be used for printing now. Most printers from different manufacturers are compatible with the Vigor router. Note 1: Some printers with fax/scanning or other additional functions are not supported. If you do not know whether your printer is supported or not, please visit www.DrayTek.com to find the printer list. Open Support >FAQ; find the link of Printer Server and click it; then choose What types of printers are compatible with Vigor router?.
Configuring Basic Settings To use the router properly, you need to change the password of the web configuration for security and adjust the primary basic settings. This chapter explains how to set up a password for accessing the web configurator of the Vigor router and how to adjust settings for accessing the Internet successfully. 2.1 Accessing Web Page 1. Make sure your PC connects to the router correctly.
2.2 Changing Password Whether you operate in user mode or admin mode, please change the original password for the security of the router. 1. Open a web browser on your PC and type http://192.168.1.1. A pop-up window will open to ask for username and password. 2. Please type “admin/admin” on Username/Password for admin mode. Otherwise, do not type any word (both username and password are Null for user mode) on the window and click Login on the window. 3. Now, the Main Screen will appear.
Enter the login password in the field of Old Password. Type New Password and confirm the password. Then click OK to continue. 5. Now, the password has been changed. Next time, use the new password to access the Web Configurator for this router. 2.3 Quick Start Wizard Notice: Quick Start Wizard for user mode operation is the same as for admin mode operation. If your router is in an environment with high speed NAT, the configuration provided here can help you to deploy and use the router quickly.
Note: There are five WAN selections available for you to choose. Among them, WAN5 is used for 3G USB modem connection. Refer to the following for detailed information. 2.3.1 For WAN1 – WAN4 Choose WAN1/WAN2/WAN3/WAN4 and click Next. On the next page as shown below, please select the appropriate Internet access type according to the information from your ISP. For example, you should select PPPoE mode if the ISP provides you with a PPPoE interface. Then click Next for the next step. 2.3.1.
2. Click PPPoE as the Internet Access Type. Then click Next to open the following page. Available settings are explained as follows:
Item: Description
User Name: Assign a specific valid user name provided by the ISP.
Password: Assign a valid password provided by the ISP.
Confirm Password: Retype the password.
Back: Click it to return to previous setting page.
Next: Click it to get into the next setting page.
Cancel: Click it to give up the quick start wizard.
3.
4. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. 5. Now, you can enjoy surfing on the Internet.
2.3.1.2 PPTP/L2TP 1. Choose WAN1/WAN2/WAN3/WAN4 as the WAN Interface and click the Next button. The following page will be open for you to specify Internet Access Type. 2. Click PPTP/L2TP as the Internet Access Type. Then click Next to continue. Available settings are explained as follows:
Item: Description
User Name: Assign a specific valid user name provided by the ISP.
Password: Assign a valid password provided by the ISP.
Confirm Password: Retype the password.
WAN IP Configuration:
Obtain an IP address automatically – the router will get an IP address automatically from the DHCP server.
Specify an IP address – you have to type the related settings manually.
IP Address – Type the IP address.
Subnet Mask – Type the subnet mask.
Gateway – Type the IP address of the gateway.
Primary DNS – Type in the primary IP address for the router.
Second DNS – Type in secondary IP address for necessity in the future.
PPTP Server / L2TP Server: Type the IP address of the server.
2.3.1.3 Static IP 1. Choose WAN1/WAN2/WAN3/WAN4 as the WAN Interface and click the Next button. The following page will be open for you to specify Internet Access Type. 2. Click Static IP as the protocol. Type in all the information that your ISP provides for this protocol. Available settings are explained as follows:
Item: Description
WAN IP: Type the IP address.
Subnet Mask: Type the subnet mask.
Gateway: Type the IP address of gateway.
Primary DNS: Type in the primary IP address for the router.
Back Click it to return to previous setting page. Next Click it to get into the next setting page. Cancel Click it to give up the quick start wizard. 3. After finishing the settings in this page, click Next to see the following page. 4. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. 5. Now, you can enjoy surfing on the Internet.
2.3.1.4 DHCP 1. Choose WAN1/WAN2/WAN3/WAN4 as the WAN Interface and click the Next button. The following page will be open for you to specify Internet Access Type. 2. Click DHCP as the protocol. Type in all the information that your ISP provides for this protocol. Available settings are explained as follows:
Item: Description
Host Name: Type the name of the host.
MAC: Some Cable service providers specify a specific MAC address for access authentication. In such cases you need to enter the MAC address.
Cancel Click it to give up the quick start wizard. 3. After finishing the settings in this page, click Next to see the following page. 4. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. 5. Now, you can enjoy surfing on the Internet. 2.3.2 For WAN5 To use 3G USB modem for network connection, please choose WAN5. 1. Choose WAN5 as the WAN Interface and click the Next button.
2. Then, click Next to continue. 3. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. 4. Now, you can enjoy surfing on the Internet.
2.4 Service Activation Wizard Service Activation Wizard can guide you to set WCF (Web Content Feature) in a quick and easy way. The Service Activation Wizard is only available for admin operation; therefore, please type “admin/admin” on Username/Password while logging into the web configurator. Service Activation Wizard is a tool which allows you to use the trial version or update the license of WCF directly without accessing the server (MyVigor) located on http://myvigor.draytek.com.
3. In the following page, you can activate the Web content filter service at the same time or individually. When you finish the selection, please click Next. 4. Setting confirmation page will be displayed as follows, please click Next. 5. Wait for a moment till the following page appears. When such page appears, you can enable or disable these services for your necessity. Then, click Finish. Note: The service will be activated and applied as the default rule configured in Firewall>>General Setup.
6. Now, the web page will display the service that you have activated according to your selection(s). The valid time for the free trial of these services is one month. Later, if you need to extend the license valid time, you can also use the Service Activation Wizard again to reach your goal by clicking the radio button of Formal edition with license key and clicking Next.
2.5 Online Status The online status shows the system status, WAN status, and other status related to this router within one page. If you select PPPoE as the protocol, you will find a link of Dial PPPoE or Drop PPPoE in the Online Status web page. Detailed explanation is shown below:
Item: Description
LAN Status:
Primary DNS - Displays the IP address of the primary DNS.
Secondary DNS - Displays the IP address of the secondary DNS.
IP Address - Displays the IP address of the LAN interface.
Item Description interface. WAN 1 Status ~ WAN 5 Status Line - Displays the physical connection of this interface. Name - Displays the name set in WAN1/WAN web page. Mode - Displays the type of WAN connection (e.g., PPPoE). Up Time - Displays the total uptime of the interface. IP - Displays the IP address of the WAN interface. GW IP - Displays the IP address of the default gateway. TX Packets - Displays the total transmitted packets at the WAN interface.
Click Support Area>>Application Note, the following web page will be displayed. Click Support Area>>FAQ, the following web page will be displayed. Click Support Area>>Product Registration, the following web page will be displayed.
2.8 Registering Vigor Router You have finished the configuration of Quick Start Wizard and you can surf the Internet at any time. Now it is time to register your Vigor router on the MyVigor website to get more services. Please follow the steps below to finish the router registration. 1. Please log in to the web configuration interface of the Vigor router by typing “admin/admin” as User Name / Password. 2. Click Support Area>>Product Registration from the home page.
3. A Login page will be shown on the screen. Please type the account and password that you created previously. And click Login. 4. The following page will be displayed after you log in to MyVigor. From this page, please click Add or Product Registration. Note: Below the field of Your Device List, all the Vigor routers that you have registered to MyVigor website will be displayed in sequence.
5. When the following page appears, please type in Nickname (for the router) and choose the right registration date from the popup calendar (it appears when you click on the box of Registration Date). After adding the basic information for the router, please click Submit. 6. When the following page appears, your router information has been added to the database. Click OK to leave this web page and return to My Information web page. 6.
Tutorials and Applications 3.1 How to Implement the AD/LDAP Authentication for User Management? For simplifying the configuration of LDAP authentication for User Access Management, we implement “Group” feature. There is no need to pre-configure user profile for each user on Vigor router anymore. We only need to configure the Groups DN, then the Vigor router (e.g., Vigor 3200 series) can pass the authentication to LDAP server with the pre-defined Group path. Below shows the configuration steps: 1.
3. Create LDAP server profiles. Click the Active Directory /LDAP tab to open the profile web page and click any one of the index number link. If we have two groups “RD1” and “SHRD” on LDAP server, we can configure two LDAP server profiles with different Group Distinguished Name. 4. Click OK to save the settings above. 5. Open User Management>>General Setup. Select User-Based as the Mode option.
6. Then open User Management>>User Profile to create the user profile that will authenticate with the LDAP server. 7. After the above configuration, users who belong to either the “rd1” or “shrd” group can access the Internet after inputting their credentials on the LDAP server.
3.2 How to implement the AD/LDAP authentication for SSL Application? Below shows the configuration steps: 1. Access the web configurator of the Vigor router. 2. Open Applications>>Active Directory /LDAP to get the following page for configuring LDAP related settings. Click the General Setup tab and enable the AD/LDAP service. Three bind types are supported: Simple Mode – Just simply do the bind authentication without any search action.
3. Click the Active Directory /LDAP tab to open the profile web page. 4. Click any one of the index number links to configure the proper Base Distinguished Name and Group Distinguished Name. Suppose that there are several departments in your company, e.g., RD1 and RD2. Here, create a profile for RD1 first. Sometimes, you may forget the Distinguished Name since it’s too long. Then you may click the button to list all the account information on the AD/LDAP Server to help you finish the setup.
Press the button on this page to keep searching its sub-tree. In addition, one icon means this item is an organization; another means this item is an account. 5. Press a certain item; its Base Distinguished Name (BDN) will be shown automatically in the AD/LDAP Distinguished Name field box. Then, press OK to save the profile and return to the previous page.
6. After finishing the AD/LDAP configuration, go to VPN and Remote Access >> PPP General Setup. Check the box of LDAP that you’ve enabled in Application >> Active Directory / LDAP. Note: Group Distinguished Name is not a required option for the AD/LDAP configuration. However, you may sometimes need it to separate the authority of certain accounts. For example, the Base Distinguished Name (BDN) is “ou=people,dc=ms,dc=draytek,dc=com”. There is a lot of accounts information.
9. Set up two application profiles (named PC1 and PC2) for SSL VPN. 10. Set up two SSL Web Proxy Server profiles (named google and baidu) for SSL VPN. 11. Go to SSL VPN >>User Group to set up two separate groups (named g1 and g2) with different authorities and different authentication methods. Different departments should have separate access authorities.
Set the user group profile (named g2) for RD2 department:
12. Once you’ve finished the configuration on the Vigor router, try to log in to the SSL portal with https:/// . 13. Please type in the user name and password, and select the group that the account belongs to (in this case, the username is Caesar and the group it belongs to is g1). You may also leave this Group option blank. The router will look through all the group profiles to check which one your account belongs to. (It might take a few seconds.
3.3 How to Configure Multi-Subnet By identifying the tagged message, Vigor3200 can divide the LAN Port into several VLAN groups. A LAN port with tagged information will accept only packets carrying a VLAN ID number. For example, Vigor3200 can divide the internal departments of a company into four different groups by using VigorSwitch G2240. Each group uses a different network segment and is not connected to the others. VigorSwitch G2240 Trunk Port 23 and Vigor3200 LAN Port are connected with a network cable.
Configuration for Vigor3200 1. In the page of LAN >> VLAN Configuration, check the box of Enable to enable the function of VLAN Configuration. 2. Untag VLAN0 and set LAN4 as the Subnet. 3. To activate the function of VLAN Tag for VLAN1 setting, check the box of Enable and type the value (10) for VID setting. Then check LAN Port and set LAN1 as the Subnet. 4. To activate the function of VLAN Tag for VLAN2 setting, check the box of Enable and type the value (20) for VID setting.
After finishing the above configuration, the equipment connecting to Vigor3200 LAN Port can get the corresponding IP address of the network segment. The equipment connecting to Vigor3200 LAN Port (LAN1) can get the IP address of 192.168.1.0/24. The equipment connecting to Vigor3200 LAN Port (LAN2) can get the IP address of 192.168.2.0/24. The equipment connecting to Vigor3200 LAN Port (LAN3) can get the IP address of 192.168.3.0/24.
7. To link any two of the VLAN groups with each other, just check their boxes in the field of Inter-LAN Routing in the page of LAN >> General Setup. Refer to the following figure. LAN2 and LAN3 are linked. Configuration for VigorSwitch G2240 1. Open Vlan>>Tag-based Group. 2. Add four VID groups. In this case, we can explain it with Port 15, 16, 17, 18 and Trunk Port 23.
4. After finishing the above configuration, the equipment connecting to VigorSwitch Port 15, 16, 17 and 18 can get the corresponding IP address(es) of the network segment. The equipment connecting to VigorSwitch Port 15 can get the IP address of 192.168.1.0/24 The equipment connecting to VigorSwitch Port 16 can get the IP address of 192.168.2.0/24 The equipment connecting to VigorSwitch Port 17 can get the IP address of 192.168.3.
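An added example, not part of the DrayTek guide: a Python check of the VLAN-to-subnet plan from this section before it is entered on the router and switch. VID 10 and 20, the LAN1 to LAN3 subnets and the LAN2/LAN3 Inter-LAN Routing link come from the text; the VLAN2-to-LAN2 and VLAN3-to-LAN3 mapping, VID 30 and 192.168.4.0/24 for LAN4 are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed plan mirroring section 3.3. VID 30 and the LAN4 network are
# assumed values; the other numbers appear in the guide.
PLAN = [
    {"vlan": "VLAN0", "vid": None, "subnet": "LAN4", "network": "192.168.4.0/24"},
    {"vlan": "VLAN1", "vid": 10, "subnet": "LAN1", "network": "192.168.1.0/24"},
    {"vlan": "VLAN2", "vid": 20, "subnet": "LAN2", "network": "192.168.2.0/24"},
    {"vlan": "VLAN3", "vid": 30, "subnet": "LAN3", "network": "192.168.3.0/24"},
]
# Pairs ticked under Inter-LAN Routing ("LAN2 and LAN3 are linked").
INTER_LAN = {frozenset(("LAN2", "LAN3"))}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    tagged = [row for row in plan if row["vid"] is not None]
    # A trunk port can carry only one untagged VLAN.
    if len(plan) - len(tagged) > 1:
        problems.append("more than one untagged VLAN on the same LAN port")
    seen = {}
    for row in tagged:
        vid = row["vid"]
        if not 1 <= vid <= 4094:  # usable 802.1Q VLAN ID range
            problems.append(f"{row['vlan']}: VID {vid} outside 1-4094")
        if vid in seen:
            problems.append(f"{row['vlan']}: VID {vid} already used by {seen[vid]}")
        seen.setdefault(vid, row["vlan"])
    nets = []
    for row in plan:
        try:
            # Strict parsing rejects a host address typed in place of a network.
            nets.append((row, ipaddress.ip_network(row["network"])))
        except ValueError as exc:
            problems.append(f"{row['subnet']}: {exc}")
    for (ra, na), (rb, nb) in combinations(nets, 2):
        if ra["subnet"] == rb["subnet"]:
            problems.append(f"{ra['vlan']} and {rb['vlan']} both map to {ra['subnet']}")
        if na.overlaps(nb):
            problems.append(f"{ra['subnet']} {na} overlaps {rb['subnet']} {nb}")
    return problems


def subnet_of(ip, plan):
    """Name of the LAN subnet that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for row in plan:
        if addr in ipaddress.ip_network(row["network"]):
            return row["subnet"]
    return None


def can_reach(src_ip, dst_ip, plan=PLAN, inter_lan=INTER_LAN):
    """True if the plan lets src talk to dst: same subnet or a linked pair."""
    src, dst = subnet_of(src_ip, plan), subnet_of(dst_ip, plan)
    if src is None or dst is None:
        return False
    return src == dst or frozenset((src, dst)) in inter_lan


if __name__ == "__main__":
    print("problems:", validate_plan(PLAN))
    for a, b in [("192.168.2.10", "192.168.3.20"), ("192.168.1.10", "192.168.2.10")]:
        print(a, "->", b, "allowed" if can_reach(a, b) else "isolated")
```

Running the same check after each change to the plan shows whether a new subnet or Inter-LAN Routing tick has opened a path between departments that were meant to stay separate.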
3.4 How to Customize Your Login Page Login page can be customized to fit the request of the administrator. 1. Open User Management>>General Setup. Set User-Based as the Mode and click OK to save the settings. 2. Open User Management>>User Profile to create a new user profile. 3. Click any link (e.g., #3) to access the following page. Type a User Name and a Password. Then, click OK.
4. Open System Maintenance>>Login Customization. Check the box to enable this function. Type a brief description (e.g., Just for Carrie) in the field of Login Description which will be shown on the heading of the login dialog. Next, click OK. Note: do not type a URL redirect link in the Bulletin box. 5. Open a new tab in the same browser (for IE 7.0/FireFox and above) or open a new web browser. 6. Try to access the web configurator (e.g., 192.168.1.1) of the Vigor router.
3.5 Create a LAN-to-LAN Connection Between Remote Office and Headquarter The most common case is that you want to connect two networks securely, such as a remote branch office and the headquarter. According to the network structure as shown in the below illustration, you may follow the steps to create a LAN-to-LAN profile. These two networks (LANs) should NOT have the same network address. Settings in Router A in headquarter: 1.
3. Go to LAN-to-LAN. Click on one index number to edit a profile. 4. Set Common Settings as shown below. You should enable both of VPN connections because any one of the parties may start the VPN connection.
5. Set Dial-Out Settings as shown below to dial to connect to Router B aggressively with the selected Dial-Out method. If an IPSec-based service is selected, you should further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-Out connection. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection.
6. Set Dial-In settings as shown below to allow Router B to dial in and build the VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection. Otherwise, it will apply the settings defined in IPSec General Setup above. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection.
7. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router A can direct the packets destined to the remote network to Router B via the VPN connection. Settings in Router B in the remote office: 1. Go to VPN and Remote Access and select Remote Access Control to enable the necessary VPN service and click OK. 2. Then, for using PPP based services, such as PPTP, L2TP, you have to set general settings in PPP General Setup.
3. Go to LAN-to-LAN. Click on one index number to edit a profile. 4. Set Common Settings as shown below. You should enable both of VPN connections because any one of the parties may start the VPN connection. 5. Set Dial-Out Settings as shown below to dial to connect to Router B aggressively with the selected Dial-Out method. If an IPSec-based service is selected, you should further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-Out connection.
If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection.
6. Set Dial-In settings as shown below to allow Router A to dial in and build the VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection. Otherwise, it will apply the settings defined in IPSec General Setup above. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection.
7. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router B can direct the packets destined to the remote network to Router A via the VPN connection.
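An added example, not part of the DrayTek guide: a pre-flight check in Python of the two LAN-to-LAN profiles described above, confirming that the two LANs do not share a network address and that each router's remote network entry matches the other side's LAN. The field names local_lan and remote_network and all addresses are hypothetical sample values.

```python
import ipaddress

# Constructed profiles for the two routers in section 3.5. "local_lan" stands
# for the router's own LAN and "remote_network" for the remote network
# IP/subnet typed into TCP/IP Network Settings (hypothetical field names).
ROUTER_A = {"name": "Router A", "local_lan": "192.168.1.0/24",
            "remote_network": "192.168.2.0/24"}
ROUTER_B = {"name": "Router B", "local_lan": "192.168.2.0/24",
            "remote_network": "192.168.1.0/24"}


def _net(value):
    # strict=False also accepts a host address such as 192.168.1.1/24,
    # which is what tends to get copied from a router's LAN page.
    return ipaddress.ip_network(value, strict=False)


def check_lan_to_lan(a, b):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    a_lan, b_lan = _net(a["local_lan"]), _net(b["local_lan"])
    # The guide's rule: the two LANs must not have the same network address.
    # Partial overlap (one LAN inside the other) breaks routing the same way.
    if a_lan.overlaps(b_lan):
        findings.append(f"LANs overlap: {a_lan} and {b_lan}; renumber one site")
    for near, far, far_lan in ((a, b, b_lan), (b, a, a_lan)):
        remote = _net(near["remote_network"])
        near_lan = _net(near["local_lan"])
        if remote.overlaps(near_lan):
            findings.append(
                f"{near['name']}: remote network {remote} overlaps its own LAN {near_lan}")
        if not far_lan.subnet_of(remote):
            findings.append(
                f"{near['name']}: remote network {remote} does not cover "
                f"{far['name']}'s LAN {far_lan}")
        elif remote != far_lan:
            # A wider entry sends more traffic into the tunnel than intended.
            findings.append(
                f"{near['name']}: remote network {remote} is wider than "
                f"{far['name']}'s LAN {far_lan}")
    return findings


if __name__ == "__main__":
    print(check_lan_to_lan(ROUTER_A, ROUTER_B) or "profiles are consistent")
```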
3.6 Create a Remote Dial-in User Connection Between the Teleworker and Headquarter The other common case is that you, as a teleworker, may want to connect to the enterprise network securely. According to the network structure as shown in the below illustration, you may follow the steps to create a Remote User Profile and install Smart VPN Client on the remote host. Settings in VPN Router in the enterprise office: 1.
3. Go to Remote Dial-In User. Click on one index number to edit a profile. 4. Set Dial-In settings as shown below to allow the remote user to dial in and build the VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection. Otherwise, it will apply the settings defined in IPSec General Setup above.
Settings in the remote host: 1. For Win98/ME, you may use "Dial-up Networking" to create the PPTP tunnel to Vigor router. For Win2000/XP, please use "Network and Dial-up connections" or “Smart VPN Client”, complimentary software to help you create PPTP, L2TP, and L2TP over IPSec tunnel. You can find it in CD-ROM in the package or go to www.DrayTek.com download center. Install as instructed. 2. After successful installation, for the first time user, you should click on the Step 0. Configure button.
3. In Step 2. Connect to VPN Server, click Insert button to add a new entry. If an IPSec-based service is selected as shown below, You may further specify the method you use to get IP, the security method, and authentication method. If the Pre-Shared Key is selected, it should be consistent with the one set in VPN router. If a PPP-based service is selected, you should further specify the remote VPN server IP address, Username, Password, and encryption method.
then forwarded to Internet. This will make the remote host seem to be working in the enterprise network. 4. Click Connect button to build the connection. When the connection is successful, you will find a green light in the lower-right corner.
3.7 QoS Setting Example Assume a teleworker sometimes works at home and takes care of children. During working time, he would use the Vigor router at home to connect to the server in the headquarter office downtown via either HTTPS or VPN to check email and access the internal database. Meanwhile, the children may chat on Skype in another room. 1. Go to Bandwidth Management>>Quality of Service. 2. Click Setup link of WAN. Make sure the QoS Control on the left corner is checked. And select BOTH in Direction. 3.
4. Return to previous page. Enter the Name of Index Class 1 by clicking Edit link. Type the name “E-mail” for Class 1. 5. For this index, the user will set reserved bandwidth (e.g., 25%) for E-mail using protocol POP3 and SMTP. 6. Return to previous page. Enter the Name of Index Class 2 by clicking Edit link. In this index, the user will set reserved bandwidth for HTTPS. And click OK.
7. Click Setup link for one of the WAN interfaces. 8. Check Enable UDP Bandwidth Control on the bottom to prevent enormous UDP traffic from affecting other applications. Click OK.
9. If the worker has connected to the headquarter using a host to host VPN tunnel (please refer to Chapter 3 VPN for detailed instructions), he may set up an index for it. Enter the Class Name of Index 3. In this index, he will set reserved bandwidth for 1 VPN tunnel. 10. Click Edit to open a new window. 11. Click Edit to open the following window. Check the ACT box first. 12. Then click Edit of Local Address to set a worker’s subnet address. Click Edit of Remote Address to set headquarter’s IP address.
3.8 Upgrade Firmware for Your Router Using Firmware Upgrade Utility Before upgrading your router firmware, you need to install the Router Tools. The Firmware Upgrade Utility is included in the tools. 1. Go to www.DrayTek.com. 2. Access Support >> Downloads. Please find the Firmware menu and click it. Search for the model you have and click on it to download the newly updated firmware for your router. 3. Access Support >> Downloads. Please find the Utility menu and click it. 4.
5. Double click on the icon of router tool. The setup wizard will appear. 6. Follow the onscreen instructions to install the tool. Finally, click Finish to end the installation. 7. From the Start menu, open Programs and choose Router Tools XXX >> Firmware Upgrade Utility. 8. Type in your router IP, usually 192.168.1.1. 9. Click the button to the right side of Firmware file typing box. Locate the files that you download from the company web sites.
10. Click Send. 11. Now the firmware update is finished. Using Web Page The web page also can guide you to upgrade firmware. Note that this example is running over Windows OS (Operating System). 1. Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.DrayTek.com (or local DrayTek's web site) and FTP site is ftp.DrayTek.com. 2. Click System Maintenance>> Firmware Upgrade. 3. Select a firmware file by clicking Browse.
3.9 Request a certificate from a CA server on Windows CA Server
1. Go to Certificate Management and choose Local Certificate.
2. Click the GENERATE button to start editing a certificate request. Enter the information in the certificate request.
3. Copy the X509 Local Certificate Request and save it as a text file for later use.
4. Connect to the CA server via a web browser. Follow the instructions to submit the request. Below we take a Windows 2000 CA server as an example. Select Request a Certificate.
Select Advanced request.
Select Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file.
Import the X509 Local Certificate Request text file. Select Router (Offline request) or IPSec (Offline request) below.
The request is now complete and the server issues you a certificate. Select Base 64 encoded certificate and Download CA certificate. You should now get a certificate (.cer file); save it.
5.
you will find the below window showing “-----BEGIN CERTIFICATE-----.....”
6. You may review the detailed information of the certificate by clicking the View button.
3.10 Request a CA Certificate and Set as Trusted on Windows CA Server
1. Use a web browser to connect to the CA server whose CA certificate you would like to retrieve. Click Retrieve the CA certificate or certificate revocation list.
2. In Choose file to download, click CA Certificate Current and Base 64 encoded, then Download CA certificate to save the .cer file.
3. Back on the Vigor router, go to Trusted CA Certificate. Click the IMPORT button and browse to the file to import the certificate (.cer file) into the Vigor router. When finished, click refresh and you will find the below illustration.
4. You may review the detailed information of the certificate by clicking the View button.
3.11 Creating an Account for MyVigor
The website of MyVigor (a server located on http://myvigor.draytek.com) provides several useful services (such as Anti-Spam, Web Content Filter, Anti-Intrusion, etc.) to filter the web pages for protecting your system. To access MyVigor and get more information, please create an account for MyVigor first.
3.11.1 Creating an Account via Vigor Router
1. Click System Maintenance>>Activation to open the following page.
2. Click the Activate link.
4. Check to confirm that you accept the Agreement and click Accept.
5. Type your personal information in this page and then click Continue.
6. Choose the proper selection for your computer and click Continue.
7. Now you have created an account successfully. Click START.
8. Check for the confirmation email with the title New Account Confirmation Letter from myvigor.draytek.com.
9. Click the Activate my Account link to enable the account that you created. The following screen will be shown to confirm that the registration process is finished. Please click Login.
10. When you see the following page, type the account and password (that you just created) in the fields of UserName and Password.
11. Now, click Login. Your account has been activated. You can access the MyVigor server to activate the service (e.g., WCF) that you want.
3.11.2 Creating an Account via MyVigor Web Site
1. Go to http://myvigor.draytek.com. Find the line Not registered yet?. Then click the link Click here! to go to the next page.
2. Check to confirm that you accept the Agreement and click Accept.
3. Type your personal information in this page and then click Continue.
4. Choose the proper selection for your computer and click Continue.
5. Now you have created an account successfully. Click START.
6. Check for the confirmation email with the title New Account Confirmation Letter from myvigor.draytek.com.
7. Click the Activate my Account link to enable the account that you created. The following screen will be shown to confirm that the registration process is finished. Please click Login.
8. When you see the following page, type the account and password (that you just created) in the fields of UserName and Password. Then type the code in the Auth Code box according to the value displayed on the right side of it. Now, click Login. Your account has been activated. You can access the MyVigor server to activate the service (e.g., WCF) that you want.
3.12 How can I get the files from USB storage device connecting to Vigor router?
Files on a USB storage device can be reviewed by opening USB Application>>File Explorer. If you need to delete or copy files on the device, or write or paste files to the device, it must be done through the SAMBA server or the FTP server. The Samba service is based on the original USB FTP service, so you will need to set up USB FTP first. Brief instructions on USB FTP setup follow.
1.
3. Set up a user account for the FTP service by using USB Application >>USB User Management. Click Enable to enable the FTP/Samba User account. Here we add a new account "user1" and assign the authorities “Read”, “Write” and “List” to it. Click OK to save the configuration.
4. Make sure the FTP service is running properly. Open a browser and type ftp://192.168.1.1. Use the account "user1" to log in.
5. When the following screen appears, it means the FTP service is running properly.
6. Return to USB Application >> USB Disk Status. The information for the FTP server will be shown as below.
7. Now, users in the LAN of Vigor3200 can access the USB storage device by typing ftp://192.168.1.1 in any browser. They can add or remove files / directories, depending on the Access Rule for the FTP account settings in USB Application >>USB User Management.
3.13 VPN Trunk Load-Balance between Vigor 3200 and Other Vigor Router
This section discusses how to build a VPN Trunk with load-balance between Vigor3200 and another router (e.g., Vigor3300).
Scenario 1: One-pair VPN Trunk
The purpose is to set up a VPN trunk between Vigor3200 (192.168.1.0/24) and Vigor3300 (192.168.33.0/24). At present, Vigor3200 supports only one VPN trunk group with two members for the same VPN network pair. In this case, the VPN trunk is built for 192.168.1.0/24 <-> 192.168.33.0/24.
Settings for Vigor 3200:
1. Open VPN and Remote Access>>LAN to LAN. Choose Index number 1 for configuring a VPN LAN to LAN profile.
2. In the following page, configure the settings as shown in the following figure.
3. Click OK to save the configuration and return to the previous page. Choose Index number 2 for configuring another VPN LAN to LAN profile.
4. In this page, configure the settings as shown in the following figure.
5. Click OK to save the configuration.
6. Open VPN and Remote Access>>VPN TRUNK Management. Add these VPN profiles to the VPN Trunk and set Load Balance as the Attribute Mode.
7. Click Advanced to specify the Load Balance Algorithm.
8. When the VPN trunk is successfully connected, you may check the connection status on the page VPN and Remote Access>>Connection Management. Transferred packets (Tx Pkts) will keep increasing through both tunnels while outgoing packets are sent to the remote VPN network.
Settings for Vigor3300:
1. Open VPN>>IPSec>>VPN Trunk>>Policy Table. Choose Index 1 and click Edit.
2. In this page, configure the settings as shown in the following figure.
3. Click Apply to save the configuration and return to the previous page. Choose Index 2 for configuring another VPN Trunk policy.
4. In this page, configure the settings as shown in the following figure.
5. Click Apply to save the configuration.
6. Open VPN>>VPN Trunk>>Group Table to group these two VPN policies.
7. Choose Index 1 and click Edit. Add these two VPN profiles (wan1 and wan2) to a VPN Trunk.
Now, the one-pair VPN trunk between Vigor3200 (192.168.1.0/24) and Vigor3300 (192.168.33.0/24) has been established.
Scenario 2: Two-pair VPN Trunk
Vigor3200 as VPN client (dial out site)
LAN: 192.168.1.0/24
WAN 1 IP: 202.211.110.30 (My GRE IP, 10.0.0.1, Peer GRE IP, 10.0.0.2)
WAN 2 IP: 202.211.120.30 (My GRE IP, 10.0.0.3, Peer GRE IP, 10.0.0.4)
WAN 3 IP: 202.211.130.30 (My GRE IP, 10.0.0.5, Peer GRE IP, 10.0.0.6)
WAN 4 IP: 202.211.140.30 (My GRE IP, 10.0.0.7, Peer GRE IP, 10.0.0.8)
Vigor3300 as VPN server (dial in site),
LAN1: 192.168.33.0/24
LAN2: 192.168.10.0/24
WAN 1 IP: 202.211.110.100 (Local GRE IP, 10.0.0.
3. Open VPN and Remote Access>>VPN TRUNK Management. Add these VPN profiles to the VPN Trunk and set Load Balance as the Attribute Mode. The configuration is the same as in Scenario 1. Profile 1 and Profile 2 are one pair; Profile 3 and Profile 4 are the other pair.
4. When the VPN trunk is successfully connected, you may check the connection status on the page VPN and Remote Access>>Connection Management.
Settings for Vigor3300:
1. Open Advanced>>LAN VLAN. Choose the 802.1Q VLAN tab. Configure the settings as shown in the following figure.
2. Next, open Network>>LAN. Set two LAN subnets: LAN1 192.168.33.0/24 and LAN2 192.168.10.0/24.
3. Click Apply.
4. Open VPN>>IPSec>>VPN Trunk>>Policy Table to create a VPN Trunk policy.
to configure the setting is the same as Scenario 1.
5. Open VPN>>VPN Trunk>>Group Table to group these VPN policies. Group two VPN policies as shown in the following figure and then click Apply. The way to configure the setting is the same as in Scenario 1.
Now, the two-pair VPN trunk between Vigor3200 (192.168.1.0/24) and Vigor3300 (192.168.33.0/24) has been established.
Advanced Web Configuration
This chapter will guide users to execute advanced (full) configuration through admin mode operation. As for other examples of application, please refer to chapter 5.
1. Open a web browser on your PC and type http://192.168.1.1. The window will ask for a username and password.
2. Type “admin/admin” as the Username/Password for administration operation. The Main Screen will now appear. Note that “Admin mode” is displayed at the bottom left.
4.
has reserved certain addresses that will never be registered publicly. These are known as private IP addresses, and are listed in the following ranges:
From 10.0.0.0 to 10.255.255.255
From 172.16.0.0 to 172.31.255.255
From 192.168.0.0 to 192.168.255.255
What are Public IP Address and Private IP Address
As the router manages and further protects its LAN, it interconnects groups of host PCs. Each of them has a private IP address assigned by the built-in DHCP server of the Vigor router.
router. In addition, a 3G USB Modem can be used as a backup device, so when the other Ethernet WAN ports are not available, the router will automatically use 3.5G as support. The supported 3G USB Modems are listed on the DrayTek web site. Please visit www.DrayTek.com for more detailed information. The menu items for WAN are shown below.
4.1.2 General Setup
This section introduces some general settings of Internet and explains the connection modes for WAN1 to WAN5 in detail.
Index: Click the WAN interface link under Index to open the WAN configuration page.
Enable: V means the WAN interface is enabled and ready to be used.
Physical Mode / Type: Displays the physical mode and physical type of the WAN interface.
Line Speed: Displays the downstream and upstream rate of the WAN interface.
Active Mode: Displays whether the WAN interface is an active device or a backup device.
  Always On - Indicates that the WAN interface is active.
Item: Description
Enable: Choose Yes to invoke the settings for this WAN interface. Choose No to disable the settings for this WAN interface.
Display Name: Type the description for the WAN interface.
Physical Mode: Displays the physical mode of the WAN interface.
Physical type: You can change the physical type for WAN2 or choose Auto negotiation to let the system determine it.
When any WAN disconnect - WAN1 will be activated when any WAN interface disconnects.
When all WAN disconnect - WAN1 will be activated when all the WAN interfaces disconnect.
After finishing the above settings, click OK to save the settings.
For WAN5 (USB)
To use a 3G network connection through a 3G USB Modem, please configure the WAN5 interface. Available settings are explained as follows:
Item: Description
Enable: Choose Yes to invoke the settings for this WAN interface.
Active Mode: Determine whether the WAN interface will always be active (Always On) or be treated as a backup WAN interface (Backup).
  Backup Type - Determine the role of the WAN interface. It changes according to the Active Mode specified. If you choose Always On as the Active Mode, the interface will be used for Internet access all the time. If you choose Backup as the Active Mode, you have to specify which WAN interface will be selected to backup multiple WANs.
Each item is explained as follows:
Item: Description
Index: Displays the WAN interface.
Display Name: Shows the name of WAN1/WAN2/WAN3/WAN4/WAN5 that was entered in general setup.
Physical Mode: Shows the physical connection for WAN1-WAN4 (Ethernet) / WAN5 (3G USB Modem) according to the real network connection.
Access Mode: Use the drop-down list to choose a proper access mode. The details page of that mode will pop up.
Details Page for PPPoE in WAN1 ~ WAN4
To choose PPPoE as the Internet access protocol, select PPPoE from the Internet Access menu. The following web page will be shown. Available settings are explained as follows:
Item: Description
PPPoE Client Mode: Click Enable to activate this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid.
Item: Description
have to type IP address in this field for pinging.
TTL (Time to Live) - Displays value for your reference. TTL value is set by telnet command.
MTU: It means Max Transmit Unit for packet. The default setting is 1442.
PPPoE Pass-through: The router offers PPPoE dial-up connection. In addition, you can establish the PPPoE connection directly from local clients to your ISP via the Vigor router.
Item: Description
Fixed IP - Click Yes to use this function and type a fixed IP address in the box of Fixed IP Address.
Default MAC Address - You can use Default MAC Address or specify another MAC address by typing in the boxes of MAC Address for the router.
Specify a MAC Address - Type the MAC address for the router manually.
After finishing all the settings here, please click OK to activate them.
Available settings are explained as follows:
Item: Description
Static or Dynamic IP: Click Enable to activate this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid.
Keep WAN Connection: Normally, this function is designed for Dynamic IP environments because some ISPs will drop connections if there is no traffic within certain periods of time. Check the Enable PING to keep alive box to activate this function.
Item: Description
MTU: It means Max Transmit Unit for packet. The default setting is 1442.
RIP Protocol: Routing Information Protocol, abbreviated as RIP (RFC1058), specifies how routers exchange routing table information. Click Enable RIP to activate this function.
Bridge Mode: If you check this box to invoke the function, the router will work as a bridge. This function is available only for WAN1.
Item: Description
MAC address for the router.
Specify a MAC Address: Some Cable service providers specify a specific MAC address for access authentication. In such cases you need to click Specify a MAC Address and enter the MAC address in the MAC Address field.
DNS Server IP Address - Type in the primary IP address for the router if you want to use Static IP mode. If necessary, type in a secondary IP address for future use.
Details Page for PPTP/L2TP in WAN1 ~ WAN4
To use PPTP/L2TP as the Internet access protocol, choose PPTP/L2TP from the Internet Access menu. The following web page will be shown. Available settings are explained as follows:
Item: Description
PPTP/L2TP Client Mode: Enable PPTP - Click this radio button to enable a PPTP client to establish a tunnel to a DSL modem on the WAN interface.
Item: Description
after passing through the time without any action.
IP Address Assignment Method (IPCP): Fixed IP - Usually the ISP dynamically assigns an IP address to you each time you connect to it and request one. In some cases, your ISP provides a service that always assigns you the same IP address whenever you request. In this case, you can fill in this IP address in the Fixed IP field. Please contact your ISP before you use this function.
After finishing all the settings here, please click OK to activate them.
Details Page for PPP in WAN5
To use PPP (for 3G USB Modem) as the Internet access protocol, choose Internet Access from the WAN menu. Then, select PPP mode for WAN5. The following web page will be shown. Available settings are explained as follows:
Item: Description
3G Modem: Click Enable to activate this function.
Item: Description
ISP.
PPP Username: Type the PPP username (optional).
PPP Password: Type the PPP password (optional).
Index (1-15) in Schedule Setup: Set the PCs on the LAN to work at certain time intervals only. You can type in four sets of time schedule for your request. All the schedules can be set beforehand in the Application >>Schedule web page, and you can use the number that you have set in that web page.
4.1.4 Load-Balance Policy
This router supports load balancing. It can assign traffic by protocol type, IP address of a specific host, a subnet of hosts, and port range to a WAN interface. The user can assign a traffic category and force it to go to a dedicated network interface based on the following web page setup. Twenty load-balance policies are supported by this router.
Note: Load-Balance Policy is running only when more than two WAN interfaces are activated.
Click any Index number link to open the following page for configuring a load-balance policy. Each item is explained as follows:
Item: Description
Enable: Check this box to enable this policy.
Protocol: Use the drop-down menu to choose a proper protocol for the WAN interface.
Binding WAN interface: Choose the WAN interface (WAN1 / WAN2 / WAN3 / WAN4 / WAN5) for binding.
passed through the WAN interface.
After finishing all the settings here, please click OK to activate them.
4.2 LAN
Local Area Network (LAN) is a group of subnets regulated and ruled by the router. The design of the network structure depends on what type of public IP addresses you receive from your ISP.
4.2.1 Basics of LAN
The most generic function of the Vigor router is NAT. It creates a private subnet of your own.
In some special cases, you may have a public IP subnet from your ISP such as 220.135.240.0/24. This means that you can set up a public subnet, also called the second subnet, in which each host has a public IP address. As a part of the public subnet, the Vigor router performs IP routing to help hosts in the public subnet communicate with other public hosts or servers outside. Therefore, the router should be set as the gateway for public hosts.
What are Virtual LANs and Rate Control
You can group local hosts by physical port and create up to 4 virtual LANs. To manage the communication between different groups, set up rules in the Virtual LAN (VLAN) function and the rate of each.
4.2.2 General Setup
This page provides the general settings for LAN. Vigor3200 series provides four LANs, one DMZ and one IP Routed Subnet. Click LAN to open the LAN settings page and choose General Setup.
Each item is explained as follows:
Item: Description
General Setup: Allows you to configure settings for each subnet respectively.
  Index - Displays all of the LAN items, DMZ and IP Routed Subnet.
  Status - Check the box to enable the LAN configuration. LAN1 status is enabled by default. LAN2, LAN3, LAN4 and IP Routed Subnet can be observed by checking the box of Status.
  DHCP - Check the box to enable the DHCP server for the LAN configuration. LAN1 is configured with DHCP by default.
Inter-LAN Routing: LAN 1 ~ LAN 4, DMZ PORT - Check the box to enable routing among the LANs.
After finishing all the settings here, please click OK to save the configuration. To configure LAN 1 ~ LAN 4, DMZ or IP Routed Subnet, simply click Details Page to open the settings page.
Details Page for LAN 1
LAN1 is the default configuration for basic host connection.
Item: Description
in the LAN.
Disable Server - Lets you manually assign an IP address to every host in the LAN.
Relay Agent - Specify the subnet where the DHCP server is located, to which the relay agent should redirect the DHCP request.
Start IP Address - Enter the first address of the IP address pool from which the DHCP server issues IP addresses. If the 1st IP address of your router is 192.168.1.1, the starting IP address must be 192.168.1.2 or greater, but smaller than 192.168.1.254.
Item: Description
external DNS server by establishing a WAN (e.g. DSL/Cable) connection.
After finishing all the settings here, please click OK to save the configuration.
Details Page for LAN 2, LAN 3, LAN 4
With the multi-subnet feature offered by the Vigor router, LAN2 ~ LAN4 are used for different subnets. Available settings are explained as follows:
Item: Description
Network Configuration: Click Enable to enable the configuration. Click Disable to disable the configuration.
DHCP Server Configuration: DHCP stands for Dynamic Host Configuration Protocol. By factory default the router acts as a DHCP server for your network, so it automatically dispatches related IP settings to any local user configured as a DHCP client. It is highly recommended that you leave the router enabled as a DHCP server if you do not have a DHCP server for your network.
For NAT Usage - Click this item to invoke NAT usage.
For Routing Usage - Click this item to invoke Routing usage.
IP Address - Type in the private IP address for connecting to a local private network (Default: 192.168.9.1).
Subnet Mask - Type in an address code that determines the size of the network. (Default: 255.255.255.0/ 24)
DHCP Server Configuration: DHCP stands for Dynamic Host Configuration Protocol.
IP Routed Subnet
The Vigor router can serve as a DHCP server to route the request coming from a LAN PC. Available settings are explained as follows:
Item: Description
Network Configuration: Enable/Disable - Click Enable to enable the configuration; click Disable to disable the configuration.
IP Address - Type in the IP address for connecting to a local private network (Default: 192.168.0.1).
Subnet Mask - Type in an address code that determines the size of the network. (Default: 255.255.255.
IP Pool Counts - Enter the maximum number of PCs that you want the DHCP server to assign IP addresses to. The default is 10.
Use LAN Port - Specify an IP for IP Route Subnet. If it is enabled, the DHCP server will assign IP addresses automatically to the clients coming from P1 and/or P2. Please check the box of P1 and P2.
Use MAC Address - Check this box to specify a MAC address.
Add Static Routes to Private and Public Networks
Here is an example of setting a Static Route in the Main Router so that users A and B, located in different subnets, can talk to each other via the router. Assuming the Internet access has been configured and the router works properly:
- use the Main Router to surf the Internet.
- create a private subnet 192.168.10.0 using an internal Router A (192.168.1.2)
- create a public subnet 211.100.88.0 via an internal Router B (192.168.1.3).
- have set Main Router 192.
2. Click LAN>> Static Route and click Index number 1. Add a static route as shown below, which specifies that all packets destined to 192.168.10.0 will be forwarded to 192.168.1.2. Click OK.
3. Return to the Static Route Setup page. Click another Index Number to add another static route as shown below, which specifies that all packets destined to 211.100.88.0 will be forwarded to 192.168.1.3.
4. Go to Diagnostics and choose Routing Table to verify the current routing table.
4.2.4 VLAN
The Virtual LAN function provides a convenient way to manage subnets by grouping them. Go to the LAN page and select VLAN. The following page will appear. Click Enable to invoke the VLAN function. Available settings are explained as follows:
Item: Description
VLAN Tag: Enable - Check the box to enable the function of VLAN with tag. The router will add the specific VLAN number to all packets on the LAN while sending them out.
Subnet: Choose one of them to map the selected VLAN to the specified subnet only. For example, LAN1 is specified for VLAN0. It means that PCs grouped under VLAN0 can get the IP address(es) specified by the subnet.
After finishing all the settings here, please click OK to save the configuration.
Note: Settings in this page apply only to the LAN ports, not to the WAN ports.
4.2.5 Bind IP to MAC
This function is used to bind the IP and MAC address in the LAN to strengthen control in the network.
Strict Bind: Click this radio button to block the connection of any IP/MAC which is not listed in the IP Bind List.
ARP Table: This table is the LAN ARP table of this router. The information for IP and MAC is displayed in this field. Each pair of IP and MAC address listed in the ARP table can be selected and added to the IP Bind List by clicking Add below.
Select All: Click this link to select all the items in the ARP table.
Sort: Reorder the table based on the IP address.
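How Strict Bind sorts the hosts seen in the ARP Table, as an added example that is not code from the guide or from the router's firmware. The function names, verdict labels and the bind list and ARP entries are constructed for illustration.

```python
import ipaddress
import re


def norm_mac(mac):
    """Normalise 00-50-7F-AA-BB-01, 00:50:7f:aa:bb:01 or 00507faabb01."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def load_bind_list(pairs):
    """Build {ip: mac}; one IP may be bound to one MAC only."""
    by_ip = {}
    for ip_text, mac_text in pairs:
        ip = ipaddress.ip_address(ip_text)
        if ip in by_ip:
            raise ValueError(f"{ip} is bound twice")
        by_ip[ip] = norm_mac(mac_text)
    return by_ip


def audit(bind_pairs, arp_entries):
    """Classify every ARP entry the way Strict Bind would treat it.
    Returns (ip, mac, verdict, allowed); only an exact IP/MAC match passes."""
    by_ip = load_bind_list(bind_pairs)
    bound_macs = set(by_ip.values())
    report = []
    for ip_text, mac_text in arp_entries:
        ip, mac = ipaddress.ip_address(ip_text), norm_mac(mac_text)
        if by_ip.get(ip) == mac:
            verdict = "bound"
        elif ip in by_ip:
            verdict = "ip-claimed-by-other-mac"   # possible spoofing or a swapped NIC
        elif mac in bound_macs:
            verdict = "bound-mac-on-other-ip"     # host changed its own address
        else:
            verdict = "unlisted"
        report.append((str(ip), mac, verdict, verdict == "bound"))
    return report


def macs_with_many_ips(arp_entries):
    """One MAC answering for several IPs deserves a look before it is bound."""
    seen = {}
    for ip_text, mac_text in arp_entries:
        seen.setdefault(norm_mac(mac_text), []).append(ip_text)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}


# Constructed sample data.
BIND_LIST = [
    ("192.168.1.10", "00-50-7F-AA-BB-01"),
    ("192.168.1.11", "00-50-7F-AA-BB-02"),
]
ARP_TABLE = [
    ("192.168.1.10", "00:50:7f:aa:bb:01"),
    ("192.168.1.11", "00:0c:29:11:22:33"),
    ("192.168.1.12", "00:0c:29:11:22:33"),
    ("192.168.1.50", "00-50-7F-AA-BB-02"),
    ("192.168.1.77", "00:0c:29:44:55:66"),
]

if __name__ == "__main__":
    for row in audit(BIND_LIST, ARP_TABLE):
        print(row)
    print(macs_with_many_ips(ARP_TABLE))
```

Running the audit against an exported ARP table before switching to Strict Bind shows which hosts would lose connectivity and which entries should be investigated rather than added to the list.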
Available settings are explained as follows:
Item: Description
Port Mirror: Check Enable to activate this function, or check Disable to close this function.
Mirror Port: Select a port to view traffic sent from mirrored ports. At present, only WAN4 will be treated as mirror port. When Port Mirror is enabled, the Mirror Port (WAN4) will be disabled.
Mirrored port: Select which ports (LAN port or WAN port) need to be mirrored. P1 represents LAN port.
4.3 NAT
Usually, the router serves as a NAT (Network Address Translation) router. NAT is a mechanism by which one or more private IP addresses can be mapped to a single public one. The public IP address is usually assigned by your ISP, for which you may get charged. Private IP addresses are recognized only among internal hosts.
4.3.1 Port Redirection
Port Redirection is usually set up for server-related services inside the local network (LAN), such as web servers, FTP servers, E-mail servers etc. In most cases, you need a public IP address for each server, and this public IP address/domain name is recognized by all users.
Each item is explained as follows:
Item: Description
Index: Displays the number of the profile.
Service Name: Displays the description of the specific network service.
Protocol: Displays the transport layer protocol (TCP or UDP).
Public Port: Displays the port number which will be redirected to the specified Private IP and Port of the internal host.
Private IP: Displays the IP address of the internal host providing the service.
Status: Displays whether the profile is enabled (v) or not (x).
Private IP: Specify the private IP address of the internal host providing the service. If you choose Range as the port redirection mode, you will see two boxes in this field. Type a complete IP address in the first box (as the starting point) and the fourth digits in the second box (as the end point).
Private Port: Specify the private port number of the service offered by the internal host.
After finishing all the settings here, please click OK to save the configuration.
4.3.2 DMZ Host
As mentioned above, Port Redirection can redirect incoming TCP/UDP or other traffic on particular ports to the specific private IP address/port of a host in the LAN. However, other IP protocols, for example Protocols 50 (ESP) and 51 (AH), do not travel on a fixed port. The Vigor router provides a facility, DMZ Host, that maps ALL unsolicited data on any protocol to a single host in the LAN.
Choose Private IP or Active True IP first. The Active True IP selection is available for WAN1 only.
Private IP: Enter the private IP address of the DMZ host, or click Choose PC to select one.
Choose PC: Click this button and a window will automatically pop up, as depicted below. The window consists of a list of private IP addresses of all hosts in your LAN network. Select one private IP address in the list to be the DMZ host.
If you have previously set up WAN Alias for PPPoE or Static or Dynamic IP mode in the WAN2/WAN3/WAN4/WAN5 interface, you will find them in Aux. WAN IP for your selection. Available settings are explained as follows:
Item: Description
Enable: Check to enable the DMZ Host function.
Private IP: Enter the private IP address of the DMZ host, or click Choose PC to select one.
Choose PC: Click this button and a window will automatically pop up, as depicted below.
4.3.3 Open Ports
Open Ports allows you to open a range of ports for the traffic of special applications. Common applications of Open Ports include P2P applications (e.g., BT, KaZaA, Gnutella, WinMX, eMule and others), Internet Camera etc. Ensure that you keep the application involved up-to-date to avoid falling victim to any security exploits.
Available settings are explained as follows:
Item: Description
Enable Open Ports: Check to enable this entry.
Comment: Make a name for the defined network application/service.
WAN Interface: Specify the WAN interface that will be used for this entry.
Local Computer: Enter the private IP address of the local host or click Choose PC to select one.
  Choose PC - Click this button and a window with a list of private IP addresses of local hosts will automatically pop up.
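A review of what Port Redirection, DMZ Host and Open Ports together make reachable from the WAN, as an added example that is not code from the guide or the router. The dictionary field names, the protocol and start/end port fields of the Open Ports entries, the watch list of sensitive services and all sample entries are assumptions constructed for illustration.

```python
# Services an administrator rarely wants reachable from the Internet.
# This watch list is an assumption for the example, not taken from the guide.
SENSITIVE = {21: "FTP", 23: "Telnet", 445: "SMB", 3389: "RDP"}


def exposures(port_redirects, open_ports, dmz_host):
    """Flatten the three NAT features into rows of
    (source, protocol, public_lo, public_hi, private_ip, private_lo, private_hi)."""
    rows = []
    for r in port_redirects:
        if r["enabled"]:
            rows.append(("Port Redirection: " + r["service"], r["protocol"],
                         r["public_port"], r["public_port"],
                         r["private_ip"], r["private_port"], r["private_port"]))
    for o in open_ports:
        if o["enabled"]:
            rows.append(("Open Ports: " + o["comment"], o["protocol"],
                         o["start"], o["end"], o["local_ip"], o["start"], o["end"]))
    if dmz_host:
        rows.append(("DMZ Host", "ALL", 0, 65535, dmz_host, 0, 65535))
    return rows


def findings(rows):
    """Return (kind, detail) notes for entries that deserve a second look."""
    notes = []
    explicit = [r for r in rows if r[0] != "DMZ Host"]
    # 1. A redirect can hide a sensitive service behind an unusual public port,
    #    so the check looks at the private port range.
    for src, proto, _, _, ip, lo, hi in explicit:
        for port, name in sorted(SENSITIVE.items()):
            if proto in ("TCP", "ALL") and lo <= port <= hi:
                notes.append(("sensitive-service",
                              f"{src} exposes {name} on {ip}:{port}"))
    # 2. Two entries claiming the same public port for different hosts:
    #    only one of them can receive the traffic.
    for i, a in enumerate(explicit):
        for b in explicit[i + 1:]:
            same_proto = a[1] == b[1] or "ALL" in (a[1], b[1])
            overlap = a[2] <= b[3] and b[2] <= a[3]
            if same_proto and overlap and a[4] != b[4]:
                lo, hi = max(a[2], b[2]), min(a[3], b[3])
                notes.append(("port-collision",
                              f"{a[0]} and {b[0]} both claim public ports {lo}-{hi}"))
    # 3. The DMZ host receives unsolicited data on every protocol and port.
    for r in rows:
        if r[0] == "DMZ Host":
            notes.append(("dmz-host",
                          f"{r[4]} receives unsolicited traffic on every protocol and port"))
    return notes


# Constructed sample configuration.
REDIRECTS = [
    {"service": "Web", "protocol": "TCP", "public_port": 80,
     "private_ip": "192.168.1.10", "private_port": 80, "enabled": True},
    {"service": "Admin", "protocol": "TCP", "public_port": 8023,
     "private_ip": "192.168.1.20", "private_port": 23, "enabled": True},
    {"service": "Old FTP", "protocol": "TCP", "public_port": 21,
     "private_ip": "192.168.1.21", "private_port": 21, "enabled": False},
]
OPEN_PORTS = [
    {"comment": "P2P", "protocol": "TCP", "start": 6881, "end": 6889,
     "local_ip": "192.168.1.30", "enabled": True},
    {"comment": "Camera", "protocol": "TCP", "start": 80, "end": 81,
     "local_ip": "192.168.1.40", "enabled": True},
]
DMZ_HOST = "192.168.1.50"

if __name__ == "__main__":
    for kind, detail in findings(exposures(REDIRECTS, OPEN_PORTS, DMZ_HOST)):
        print(f"{kind}: {detail}")
```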
Internet. You can use the address mapping function to meet this demand. Simply type 192.168.1.10 as the Private IP, and type 86.123.123.2 as the WAN IP. Available settings are explained as follows:
Item: Description
Index: Indicates the relative number of the particular entry that you want to configure. Click the appropriate index number to edit or clear the corresponding entry.
Protocol: Displays the protocol used for this address mapping.
Item: Description
Enable: Check to enable this entry.
Protocol: Specify the transport layer protocol. It could be TCP, UDP, or ALL.
WAN Interface: Choose the WAN interface for the address mapping profile.
WAN IP: Select an IP address. The local host can use this IP to connect to the Internet. If you want to choose any one of the Public IP settings, you must first specify some IP addresses in the IP Alias List of the Static/DHCP Configuration page.
Available settings are explained as follows:
Item: Description
Comment: Displays the text that describes the application of this rule.
Triggering Protocol: Displays the protocol of the triggering packets.
Triggering Port: Displays the port of the triggering packets.
Incoming Protocol: Displays the protocol for the incoming data of the triggering profile.
Incoming Port: Displays the port for the incoming data of the triggering profile.
Status: Displays whether the rule is active or inactive.
Service: Choose the predefined service to apply to the trigger profile.
Comment: Type the text that describes the application of this rule.
Triggering Protocol: Select the protocol (TCP, UDP or TCP/UDP) for the triggering profile.
Triggering Port: Type the port or port range for the trigger profile.
Incoming Protocol: When the triggering packets are received, the incoming packets are expected to use the selected protocol.
4.4 Firewall 4.4.1 Basics for Firewall While the broadband users demand more bandwidth for multimedia, interactive applications, or distance learning, security has been always the most concerned. The firewall of the Vigor router helps to protect your local network against attack from unauthorized outsiders. It also restricts users in the local network from accessing the Internet. Furthermore, it can filter out specific packets that trigger the router to build an unwanted outgoing connection.
Stateful Packet Inspection (SPI)
Stateful inspection is a firewall architecture that works at the network layer. Unlike legacy static packet filtering, which examines a packet based on the information in its header, stateful inspection builds up a state machine to track each connection traversing all interfaces of the firewall and makes sure they are valid. The stateful firewall of the Vigor router not only examines the header information but also monitors the state of the connection.
4.4.2 General Setup
General Setup allows you to adjust the settings of the IP Filter and common options. Here you can enable or disable the Call Filter or Data Filter. Under some circumstances, filter sets can be linked to work in a serial manner, so here you assign only the Start Filter Set. You can also configure the Log Flag settings, Apply IP filter to VPN incoming packets, and Accept incoming fragmented UDP packets. Click Firewall and click General Setup to open the general setup page.
Enable Strict Security Firewall: For the sake of security, the router performs strict security checking on data transmission. This feature is enabled by default. All packets transmitted through the Vigor router will be filtered by the firewall. If the firewall system (e.g., content filter server) does not make any response (pass or block) for these packets, then the router’s firewall will block the packets directly.
Item Description
section later.
Load-Balance Policy: Choose the WAN interface for applying Load-Balance Policy.
User Management: This item is available only when Rule-Based is selected in User Management>>General Setup. The general firewall rule will be applied to the user/user group/all users specified here. Note: When no user profile or group profile exists, the Create New User or Create New Group item will appear for you to click to create a new one.
Item Description
in CSM>> Web Content Filter) for applying with this router. Please set at least one profile for anti-virus in the CSM>> Web Content Filter web page first, or choose [Create New] from the drop down list in this page to create a new profile. For troubleshooting needs, you can record information for Web Content Filter by checking the Log box. The log will be sent to the Syslog server. Please refer to section Syslog/Mail Alert for more detailed information.
Item Description best utilization of network resources. After finishing all the settings here, please click OK to save the configuration.
4.4.3 Filter Setup
Click Firewall and click Filter Setup to open the setup page. To edit or add a filter, click on the set number to edit the individual set. The following page will be shown. Each filter set contains up to 7 rules. Click on the rule number button to edit each rule. Check Active to enable the rule.
Available settings are explained as follows:
Item Description
Filter Rule: Click a button numbered (1 ~ 7) to edit the filter rule. Clicking the button opens the Edit Filter Rule web page.
To edit a Filter Rule, click the Filter Rule index button to enter the Filter Rule setup page. After finishing all the settings here, please click OK to save the configuration.
Item Description
Check to enable the Filter Rule: Check this box to enable the filter rule.
Comments: Enter filter set comments/description. Maximum length is 14 characters.
Index(1-15): Set PCs on LAN to work at certain time interval only.
Item Description
Note: RT means routing domain for 2nd subnet.
Source/Destination IP: Click Edit to open the following dialog and choose the source/destination IP or IP ranges. To set the IP address manually, please choose Any Address/Single Address/Range Address/Subnet Address as the Address Type and type the addresses in this dialog. In addition, if you want to use the IP range from defined groups or objects, please choose Group and Objects as the Address Type.
Item Description
Type.
Protocol - Specify the protocol(s) which this filter rule will apply to.
Source/Destination Port – (=) – when the first and last values are the same, it indicates one port; when the first and last values are different, it indicates a range for the port and available for this service type.
Item Description
configured in IP Object for Source IP and Destination IP be bound for applying such filter rule. No-Strict – no limitation.
Quality of Service: Choose one of the QoS rules to be applied as firewall rule. For detailed information of setting QoS, please refer to the related section later.
Load-Balance policy: Choose the WAN interface for applying Load-Balance Policy.
User Management: Such item is available only when Rule-Based is selected in User Management>>General Setup.
Item Description
Content Filter web page first, or choose [Create New] from the drop down list in this page to create a new profile. For troubleshooting needs, you can record information for Web Content Filter by checking the Log box. The log will be sent to the Syslog server. Please refer to section Syslog/Mail Alert for more detailed information.
Advance Setting: Click Edit to open the following window. However, it is strongly recommended to use the default settings here.
Item Description
will be. However, if the network is not stable, a small value will be proper.
Session timeout – Setting a timeout for sessions can make the best utilization of network resources. However, Queue timeout is configured for TCP protocol only; session timeout is configured for the data flow which matches the firewall rule.
DrayTek Banner – Uncheck this box and the following screen will not be shown for an unreachable web page. The default setting is Enabled.
Example
As stated before, all the traffic will be separated and arbitrated using one of two IP filters: call filter or data filter. You may preset 12 call filters and data filters in Filter Setup and even link them in a serial manner. Each filter set is composed of 7 filter rules, which can be further defined. After that, in General Setup you may specify one set for call filter and one set for data filter to execute first.
4.4.4 DoS Defense
As a sub-functionality of IP Filter/Firewall, there are 15 types of detect/defense function in the DoS Defense setup. The DoS Defense functionality is disabled by default. Click Firewall and click DoS Defense to open the setup page.
Available settings are explained as follows:
Item Description
Enable Dos Defense: Check the box to activate the DoS Defense Functionality.
Select All: Click this button to select all the items listed below.
Item Description
defense: Similar to the UDP flood defense function, once the number of ICMP packets from the Internet exceeds the defined Threshold, the router will discard the ICMP echo requests coming from the Internet. The default settings for threshold and timeout are 50 packets per second and 10 seconds, respectively.
Enable PortScan detection: A port scan attacks the Vigor router by sending lots of packets to many ports in an attempt to find ignored services that would respond.
Item Description
fragmented ICMP packets with a length greater than 1024 octets.
Block Ping of Death: Check the box to activate the Block Ping of Death function. This attack involves the perpetrator sending overlapping packets to the target hosts so that those target hosts will hang once they re-construct the packets. The Vigor router will block any packets that carry out this attack.
Block ICMP Fragment: Check the box to activate the Block ICMP fragment function.
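How a threshold and timeout pair such as the ICMP flood defaults above (50 packets per second, 10 seconds) behaves on mixed traffic can be modelled as follows. This is an added sketch, not the router's implementation: the one-second counting window, the class and function names, and the packet timestamps are assumptions constructed for the example.

```python
from collections import deque


class FloodDefense:
    """Model of a threshold/timeout flood defense (assumed semantics).

    Packets are counted over a sliding one-second window. When the count
    exceeds the threshold, every packet is discarded until the timeout
    has elapsed. Times are integer milliseconds to avoid float rounding.
    """

    def __init__(self, threshold_pps=50, timeout_s=10):
        self.threshold = threshold_pps
        self.timeout_ms = timeout_s * 1000
        self.window = deque()          # arrival times seen in the last second
        self.blocked_until = None      # end of the current discard period

    def accept(self, t_ms):
        """Return True if a packet arriving at t_ms is forwarded."""
        if self.blocked_until is not None:
            if t_ms < self.blocked_until:
                return False           # still inside the timeout
            self.blocked_until = None  # timeout over, start counting afresh
            self.window.clear()
        while self.window and t_ms - self.window[0] >= 1000:
            self.window.popleft()
        self.window.append(t_ms)
        if len(self.window) > self.threshold:
            self.blocked_until = t_ms + self.timeout_ms
            self.window.clear()
            return False
        return True


def constructed_trace():
    """Constructed sample: one ping per second with a 200-packet burst."""
    before = list(range(0, 5000, 1000))          # t = 0..4 s
    burst = [5000 + i for i in range(200)]       # 1 packet per ms from t = 5 s
    after = list(range(6000, 21000, 1000))       # t = 6..20 s
    return before + burst + after


def replay(times_ms, defense=None):
    """Feed arrival times through the model; return (forwarded, dropped)."""
    defense = defense or FloodDefense()
    forwarded, dropped = [], []
    for t in times_ms:
        (forwarded if defense.accept(t) else dropped).append(t)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = replay(constructed_trace())
    print("forwarded:", len(fwd), "dropped:", len(drp))
    print("first drop at", drp[0], "ms; last drop at", drp[-1], "ms")
```

In this model the first 50 packets of the burst are still forwarded before the defense triggers, and the ordinary one-per-second pings are discarded for the whole timeout, which is the trade-off to weigh when tuning the two values.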
4.5 User Management
User Management is a security feature which disallows any IP traffic (except DHCP-related packets) from a particular host until that host has correctly supplied a valid username and password. Instead of managing hosts by IP address/MAC address, the User Management function manages hosts by user account. The network administrator can assign different firewall policies or rules to different hosts with different User Management accounts. This is more flexible and convenient for network management.
Item Description
the filter rules configured in User Management>>User Profile to the users.
Rule-Based – If you choose this mode, the router will apply the filter rules configured in Firewall>>General Setup and Filter Rule to the users.
After finishing all the settings here, please click OK to save the configuration.
4.5.2 User Profile (Reserved)
This page allows you to set customized profiles (up to 200) which will be applied for users controlled under User Management.
Available settings are explained as follows:
Item Description
Enable this account: Check this box to enable this user profile.
User Name: Type a name for this user profile (e.g., LAN_User_Group_1, WLAN_User_Group_A, WLAN_User_Group_B, etc). When a user tries to access the Internet through this router, an authentication step must be performed first. The user has to type the User Name specified here to pass the authentication. When the user passes the authentication, he/she can access the Internet via this router.
Item Description Default – If you choose such item, the filter rules pre-configured in Firewall can be adopted for such user profile. Create New Policy – If you choose such item, the following page will be popped up for you to define another filter rule as a new policy. For the detailed configuration, simply refer to Firewall>>Filter Rule. The firewall filter rules that are not selected in Firewall>>General>>Default rule can be available for use in User Management>>User Profile.
Item Description
first. There are three ways offered by the router for the user to choose for authentication.
Web – If it is selected, the user can type the URL of the router in any browser. Then, a login window will pop up and ask the user to type the user name and password for authentication. If authentication succeeds, a Welcome Message (configured in User Management >> General Setup) will be displayed.
Please click any index number link to open the following page.
Available settings are explained as follows:
Item Description
Name: Type a name for this user group.
Available User Objects: You can gather user profiles (objects) from User Profile page within one user group. All the available user objects that you have created will be shown in this box. Notice that user object, Admin and Dial-In User are factory settings. User defined profiles will be numbered with 3, 4, 5 and so on.
3.5.4 User Online Status
This page displays the user(s) connected to the router and refreshes the connection status at an interval of several seconds.
Available settings are explained as follows:
Item Description
Refresh Seconds: Use the drop down list to choose the time interval at which the system automatically refreshes the data flow.
Refresh: Click this link to refresh this page manually.
Index: Displays the number of the data flow.
4.6 Objects Settings
IP addresses in a range and service ports in a limited range are often used when configuring the router’s settings, so we can define them as objects and bind them into groups for convenience. Later, we can select the object or group to apply. For example, all the IPs in the same department can be defined with an IP object (a range of IP addresses).
4.6.1 IP Object
You can set up to 192 sets of IP Objects with different conditions.
Available settings are explained as follows:
Item Description
Name: Type a name for this profile. Maximum 15 characters are allowed.
Interface: Choose a proper interface. For example, the Direction setting in Edit Filter Rule will ask you to specify an IP or IP range for WAN or LAN or any IP address.
Item Description
Start IP Address: Type the start IP address for Single Address type.
End IP Address: Type the end IP address if the Range Address type is selected.
Subnet Mask: Type the subnet mask if the Subnet Address type is selected.
Invert Selection: If it is checked, all the IP addresses except the ones listed above will be applied later when this object is chosen.
Below is an example of IP objects settings.
4.6.2 IP Group
This page allows you to bind several IP objects into one IP group.
Click the number under Index column for settings in detail.
Available settings are explained as follows:
Item Description
Name: Type a name for this profile. Maximum 15 characters are allowed.
Interface: Choose WAN, LAN or Any to display all the available IP objects with the specified interface.
Available IP Objects: All the available IP objects with the specified interface chosen above will be shown in this box.
Selected IP Objects: Click >> button to add the selected IP objects in this box.
4.6.3 Service Type Object
You can set up to 96 sets of Service Type Objects with different conditions.
Available settings are explained as follows:
Item Description
Name: Display a name for this profile.
Set to Factory Default: Clear all profiles.
Click the number under Index column for settings in detail.
Available settings are explained as follows:
Item Description
Name: Type a name for this profile.
Protocol: Specify the protocol(s) which this profile will apply to.
Item Description
Source/Destination Port: The Source Port and Destination Port columns are available for TCP/UDP protocol. They can be ignored for other protocols. The filter rule will filter out any port number.
(=) – when the first and last values are the same, it indicates one port; when the first and last values are different, it indicates a range for the port and available for this profile.
4.6.4 Service Type Group
This page allows you to bind several service types into one group.
Available settings are explained as follows:
Item Description
Name: Display a name for this profile.
Set to Factory Default: Clear all profiles.
Click the number under Index column for settings in detail.
Available settings are explained as follows:
Item Description
Name: Type a name for this profile.
Available Service Type Objects: All the available service objects that you have added on Objects Setting>>Service Type Object will be shown in this box.
Selected Service Type Objects: Click >> button to add the selected IP objects in this box.
After finishing all the settings here, please click OK to save the configuration.
4.6.5 Keyword Object
You can set 200 keyword object profiles to be chosen as black/white lists in CSM >>URL Web Content Filter Profile.
Available settings are explained as follows:
Item Description
Name: Display a name for this profile.
Set to Factory Default: Clear all profiles.
Click the number under Index column for setting in detail.
Item Description
Name: Type a name for this profile, e.g., game.
Contents: Type the content for this profile. For example, type gambling as Contents. When you browse a webpage, a page with gambling information will be detected and passed/blocked based on the configuration in the Firewall settings.
After finishing all the settings here, please click OK to save the configuration.
4.6.6 Keyword Group
This page allows you to bind several keyword objects into one group.
Available settings are explained as follows:
Item Description
Name: Type a name for this group.
Available Keyword Objects: You can gather keyword objects from Keyword Object page within one keyword group. All the available Keyword objects that you have created will be shown in this box.
Selected Keyword Objects: Click the button to add the selected Keyword objects in this box.
After finishing all the settings here, please click OK to save the configuration.
4.6.
Click the number under Profile column for configuration in details. Available settings are explained as follows: Item Description Profile Name Type a name for this profile. Type a name for such profile and check all the items of file extension that will be processed in the router. Finally, click OK to save this profile.
4.7 CSM Profile
Content Security Management (CSM)
CSM is an abbreviation of Content Security Management, which is used to control IM/P2P usage and to filter web content and URL content for the purpose of security management.
APP Enforcement Filter
As the popularity of all kinds of instant messenger applications rises, communication could hardly be easier.
4.7.1 APP Enforcement Profile
You can define policy profiles for IM (Instant Messenger)/P2P (Peer to Peer)/Protocol/Misc application. This page allows you to set 32 profiles for different requirements. The APP Enforcement Profile will be applied in Default Rule of Firewall>>General Setup for filtering.
Each item is explained as follows:
Item Description
Set to Factory Default: Clear all profiles.
Profile: Display the number of the profile which allows you to click to set different policy.
Below shows the items which are categorized under IM. Available settings are explained as follows: Item Description Profile Name Type a name for the CSM profile. Select All Click it to choose all of the items in this page. Clear All Uncheck all the selected boxes. After finishing all the settings here, please click OK to save the configuration. The profiles configured here can be applied in the Firewall>>General Setup and Firewall>>Filter Setup pages as the standard for the host(s) to follow.
Below shows the items which are categorized under Protocol.
The items categorized under Misc.
4.7.2 URL Content Filter Profile
To provide an appropriate cyberspace to users, the Vigor router is equipped with a URL Content Filter, not only to limit illegal traffic from/to inappropriate web sites but also to prohibit other web features where malicious code may be concealed. Once a user types in or clicks on a URL with objectionable keywords, the URL keyword blocking facility will decline the HTTP request to that web page and thus limit the user’s access to the website.
Default Message You can type the message manually for your necessity or click this button to get the default message which will be displayed on the field of Administration Message. You can set eight profiles as URL content filter. Simply click the index number under Profile to open the following web page. Available settings are explained as follows: Item Description Profile Name Type a name for the CSM profile. Priority It determines the action that this router will apply.
Item Description
will process the packets with the conditions set below for web feature first, then URL second.
Log: None – No log will be recorded for this profile. Pass – Only the log about Pass will be recorded in Syslog. Block – Only the log about Block will be recorded in Syslog. All – All the actions (Pass and Block) will be recorded in Syslog.
URL Access Control: Enable URL Access Control - Check the box to activate URL Access Control.
Item Description
decline the connection request to the website whose URL string matches any user-defined keyword. It should be noted that the simpler the blocking keyword list is, the more efficiently the Vigor router performs.
Web Feature: Enable Restrict Web Feature - Check this box to make the keyword being blocked or passed. Action - This setting is available only when Either: URL Access Control First or Either: Web Feature First is selected.
Item Description After finishing all the settings here, please click OK to save the configuration.
4.7.3 Web Content Filter Profile
There are three ways to activate WCF on the Vigor router: using the Service Activation Wizard, by means of CSM>>Web Content Filter Profile, or via System Maintenance>>Activation. The Service Activation Wizard allows you to use the trial version or update the license of WCF directly without accessing the server (MyVigor) located at http://myvigor.draytek.com.
Item Description searching when you type URL in browser based on the web content filter profile. Setup Test Server It is recommended for you to use the default setting, auto-selected. Find more Click it to open http://myvigor.draytek.com for searching another qualified and suitable server. Set to Factory Default Click this link to retrieve the factory settings.
Available settings are explained as follows: Item Description Black/White List Enable – Activate white/black list function for such profile. Group/Object Selections – Click Edit to choose the group or object profile as the content of white/black list. Pass - allow accessing into the corresponding webpage with the characters listed on Group/Object Selections. If the web pages do not match with the specified feature set here, they will be processed with the categories listed on the box below.
Item Description
Pass – Only the log about Pass will be recorded in Syslog. Block – Only the log about Block will be recorded in Syslog. All – All the actions (Pass and Block) will be recorded in Syslog.
After finishing all the settings here, please click OK to save the configuration.
4.8 Bandwidth Management
Below shows the menu items for Bandwidth Management.
4.8.1 Sessions Limit
A PC with a private IP address can access the Internet via a NAT router.
To activate the function of limit session, simply click Enable and set the default session limit.
Available settings are explained as follows:
Item Description
Enable: Click this button to activate the function of limit session.
Disable: Click this button to close the function of limit session.
Default session limit: Defines the default session number used for each computer in LAN.
Limitation List: Displays a list of specific limitations that you set on this web page.
Item Description
Delete: Remove the selected settings existing on the limitation list.
Administration Message: Type the words which will be displayed when the maximum number of permitted Internet sessions is reached.
Default Message: Click this button to apply the default message offered by the router.
Index (1-15) in Schedule Setup: You can type in four sets of time schedule for your request.
Bandwidth Limit Enable - Click this button to activate the function of limit bandwidth. IP Routed Subnet – Check this box to apply the bandwidth limit to the second subnet specified in LAN>>General Setup. Disable - Click this button to close the function of limit bandwidth. Default TX limit - Define the default speed of the upstream for each computer in LAN. Default RX limit - Define the default speed of the downstream for each computer in LAN. Allow auto adjustment….
4.8.3 Quality of Service
Deploying QoS (Quality of Service) management to guarantee that all applications receive the service levels required and sufficient bandwidth to meet performance expectations is an important aspect of modern enterprise networks. One reason for QoS is that numerous TCP-based applications tend to continually increase their transmission rate and consume all available bandwidth, which is called TCP slow start.
However, each node may take a different attitude toward packets with high priority marking, since it may be bound by the SLA business agreements among different DS domain owners. It’s not easy to achieve deterministic and consistent high-priority QoS traffic throughout the whole network with the Vigor router’s effort alone. In the Bandwidth Management menu, click Quality of Service to open the web page.
Item Description SIP UDP Port – Set a port number used for SIP. This page displays the QoS settings result of the WAN interface. Click the Setup link to access into next page for the general setup of WAN interface. As to class rule, simply click the Edit link to access into next for configuration. You can configure general setup for the WAN interface, edit the Class Rule, and edit the Service Type for the Class Rule for your request.
General Setup for WAN Interface
When you click Setup, you can configure the bandwidth ratio for QoS of the WAN interface. There are four queues allowed for QoS control. The first three class rules (Class 1 to Class 3) can be adjusted as needed. The last one is reserved for the packets which are not suitable for the user-defined class rules.
Available settings are explained as follows:
Item Description
Enable the QoS Control: The factory default for this setting is checked.
Item Description Reserved Bandwidth Ratio It is reserved for the group index in the form of ratio of reserved bandwidth to upstream speed and reserved bandwidth to downstream speed. Enable UDP Bandwidth Control Check this and set the limited bandwidth ratio on the right field. This is a protection of TCP application traffic since UDP application traffic such as streaming video will exhaust lots of bandwidth.
Available settings are explained as follows: Item Description ACT Check this box to invoke these settings. Ethernet Type Please specify which protocol (IPv4 or IPv6) will be used for this rule. Local Address Click the Edit button to set the local IP address (on LAN) for the rule. Remote Address Click the Edit button to set the remote IP address (on LAN/WAN) for the rule. Edit It allows you to edit source address information. Address Type – Determine the address type for the source address.
4. After finishing all the settings here, please click OK to save the configuration.
You can set up to 20 rules for one Class. If you want to edit an existing rule, please select the radio button of that one and click Edit to open the rule edit page for modification.
Edit the Service Type for Class Rule
1. To add a new service type, or to edit or delete an existing service type, please click the Edit link under the Service Type field.
2. After you click the Edit link, you will see the following page.
3. For adding a new service type, click Add to open the following page.
Available settings are explained as follows:
Item Description
Service Name: Type in a new service for your request.
Service Type: Choose the type (TCP, UDP or TCP/UDP) for the new service.
Port Configuration: Click Single or Range as the Type. If you select Range, you have to type in the starting port number and the ending port number in the boxes below.
4.9 Applications
Below shows the menu items for Applications.
4.9.1 Dynamic DNS
The ISP often provides you with a dynamic IP address when you connect to the Internet via your ISP. It means that the public IP address assigned to your router changes each time you access the Internet. The Dynamic DNS feature lets you assign a domain name to a dynamic WAN IP address. It allows the router to update its online WAN IP address mappings on the specified Dynamic DNS server.
Item Description
Auto-Update interval: Set the time for the router to perform auto update for DDNS service.
View Log: Display DDNS log status.
Force Update: Force the router to update its information on the DDNS server.
Index: Click the number below Index to open the DDNS setup page and set account(s).
WAN Interface: Display the WAN interface used.
Domain Name: Display the domain name that you set on the setting page of DDNS setup.
Item Description
Service Provider: Select the service provider for the DDNS account.
Service Type: Select a service type (Dynamic, Custom or Static). If you choose Custom, you can modify the domain that is chosen in the Domain Name field.
Domain Name: Type in one domain name that you applied for previously. Use the drop down list to choose the desired domain.
Login Name: Type in the login name that you set when applying for the domain.
Password: Type in the password that you set when applying for the domain.
time. You can query an NTP server (a time server) on the Internet to synchronize the router’s clock. This method can only be applied when the WAN connection has been built up.
Each item is explained as follows:
Item Description
Set to Factory Default: Clear all profiles and recover to factory settings.
Index: Click the number below Index to open the setting page of the schedule.
Status: Display if this schedule setting is active or inactive.
You can set up to 15 schedules.
2. The detailed settings of the call schedule with index 1 are shown below.
Available settings are explained as follows:
Item Description
Enable Schedule Setup: Check to enable the schedule.
Start Date (yyyy-mm-dd): Specify the starting date of the schedule.
Start Time (hh:mm): Specify the starting time of the schedule.
Duration Time (hh:mm): Specify the duration (or period) for the schedule.
Action: Specify which action Call Schedule should apply during the period of the schedule.
Suppose you want the PPPoE Internet access connection to be always on (Force On) from 9:00 to 18:00 for the whole week. At other times the Internet access connection should be disconnected (Force Down).
Office Hour: (Force On) Mon - Sun 9:00 am to 6:00 pm
1. Make sure the PPPoE connection and Time Setup are working properly.
2. Configure the PPPoE always on from 9:00 to 18:00 for the whole week.
3. Configure the Force Down from 18:00 to 9:00 the next day for the whole week.
4.
4.9.3 RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a security authentication client/server protocol that supports authentication, authorization and accounting, which is widely used by Internet service providers. It is the most common method of authenticating and authorizing dial-up and tunneled network users. The built-in RADIUS client feature enables the router to assist the remote dial-in user or a wireless station and the RADIUS server in performing mutual authentication.
4.9.4 LDAP / Active Directory
Lightweight Directory Access Protocol (LDAP) is a communication protocol for use in TCP/IP networks. It defines the methods by which clients access a distributed directory server, work on the directory, and share the information in the directory. The LDAP standard is established by the work team of Internet Engineering Task Force (IETF).
The difference is that the server will first check whether you have the search authority. For the regular mode, you’ll need to type in the Regular DN and Regular Password.
Server IP Address: Enter the IP address of LDAP server.
Destination Port: Type a port number as the destination port for LDAP server.
Use SSL: Check it to enable LDAP over SSL (LDAPS), which is a common method of securing LDAP communication.
Regular DN: Type this setting if Regular Mode is selected as Bind Type.
Item Description
Name: Type a name for such profile.
Common Name Identifier: Type or edit the common name identifier for the LDAP server. The common name identifier for most LDAP server is “cn”.
Base Distinguished Name / Group Distinguished Name: Type or edit the distinguished name used to look up entries on the LDAP server. Sometimes, you may forget the Distinguished Name since it’s too long.
your applications to operate. This has to manually set up port mappings or use other similar methods. The screenshots below show examples of this facility. The UPnP facility on the router enables UPnP-aware applications such as MSN Messenger to discover that they are behind a NAT router. The application will also learn the external IP address and configure port mappings on the router.
The UPnP function dynamically adds port mappings on behalf of some UPnP-aware applications. When the applications terminate abnormally, these mappings may not be removed.
4.9.6 IGMP
IGMP is the abbreviation of Internet Group Management Protocol. It is a communication protocol which is mainly used for managing the membership of Internet Protocol multicast groups.
Available settings are explained as follows:
Item Description
Enable IGMP Proxy: Check this box to enable this function.
4.9.7 Wake on LAN
A PC client on the LAN can be woken up by the router it connects to. When a user wants to wake up a specified PC through the router, he/she must type the correct MAC address of the specified PC on the Wake on LAN web page of this router. In addition, the PC must have a network card installed that supports the WOL function, and the WOL function must be set to “Enable” in the BIOS settings.
4.10 VPN and Remote Access
A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. In short, with VPN technology you can send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link. Below shows the menu items for VPN and Remote Access.
4.10.1 VPN Client Wizard
This wizard is used to configure VPN settings for a VPN client.
Please choose a LAN-to-LAN Profile There are 32 VPN profiles for users to set. When you finish the mode and profile selection, please click Next to open the following page. In this page, you have to select suitable VPN type for the VPN client profile. There are six types provided here. Different type will lead to different configuration page.
choices for the client profile, please click Next. You will see different configurations based on the selection(s) you made.
• When you choose L2TP, you will see the following graphic:
• When you choose L2TP over IPSec (Nice to Have), you will see the following graphic:
• When you choose L2TP over IPSec (Must), you will see the following graphic: Available settings are explained as follows: Item Description Profile Name Type a name for such profile. The length of the file is limited to 10 characters. VPN Dial-Out Through Always On Pre-Shared Key Use the drop down menu to choose a proper WAN interface for this profile. This setting is useful for dial-out only.
Digital Signature (X.509) Click Digital Signature to invoke this function. Use the drop down list to choose one of the certificates for using. You have to configure one certificate at least previously in Certificate Management >> Local Certificate. Otherwise, the setting you choose here will not be effective. Peer ID – Choose the peer ID selection from the drop down list. Local ID – Choose Alternative Subject Name First or Subject Name First.
Available settings are explained as follows: Item Description Go to the VPN Connection Management Click this radio button to access VPN and Remote Access>>Connection Management for viewing VPN Connection status. Do another VPN Server Wizard Setup Click this radio button to set another profile of VPN Server through VPN Server Wizard. View more detailed configuration Click this radio button to access VPN and Remote Access>>LAN to LAN for viewing detailed configuration. 4.10.
Item Description Please choose a Dial-in User Accounts This item is available when you choose Remote Dial-in User (Teleworker) as VPN server mode. There are 32 VPN tunnels for users to set. Allowed Dial-in Type This item is available after you choose any one of dial-in user account profiles. Next, you have to select suitable dial-in type for the VPN server profile. There are several types provided here (similar to VPN Client Wizard). Different Dial-in Type will lead to different configuration page.
1. Here we take the example of choosing Remote-Dial-in User as the VPN Server Mode. 2. Check the Allowed Dial-in Type for the VPN server profile 3. After making the choices for the server profile, please click Next. You will see different configurations based on the selection (dial-in type) you made.
• When you check IPSec, you will see the following graphic: Available settings are explained as follows: Item Description Profile Name Type a name for such profile. The length of the file is limited to 10 characters. User Name This field is used to authenticate for connection when you select PPTP or L2TP with or without IPSec policy above. Password This field is used to authenticate for connection when you select PPTP or L2TP with or without IPSec policy above.
4. Item Description of the remote host) for building VPN connection. Remote Network Mask Please type the network mask (according to the real location of the remote host) for building VPN connection. After finishing the configuration, please click Next. The confirmation page will be shown as follows. Available settings are explained as follows: 5.
4.10.3 Remote Access Control Enable the necessary VPN service as you need. If you intend to run a VPN server inside your LAN, you should disable the VPN service (e.g., PPTP VPN, IPSec VPN, L2TP VPN, SSL VPN, etc.) of Vigor Router to allow VPN tunnel pass through, as well as the appropriate NAT settings, such as DMZ or open port. After finishing all the settings here, please click OK to save the configuration. 4.10.
Item Description fall back to use the PAP protocol for authentication. Dial-In PPP Encryption (MPPE Optional MPPE Optional MPPE - This option represents that the MPPE encryption method will be optionally employed in the router for the remote dial-in user. If the remote dial-in user does not support the MPPE encryption algorithm, the router will transmit “no MPPE encrypted packets”. Otherwise, the MPPE encryption scheme will be used to encrypt the data.
4.10.5 IPSec General Setup In IPSec General Setup, there are two major parts of configuration. There are two phases of IPSec.
• Phase 1: negotiation of IKE parameters including encryption, hash, Diffie-Hellman parameter values, and lifetime to protect the following IKE exchange, authentication of both peers using either a Pre-Shared Key or Digital Signature (X.509).
Item Description Pre-Shared Key -Currently only support Pre-Shared Key authentication. Pre-Shared Key- Specify a key for IKE authentication Confirm Pre-Shared Key- Retype the characters to confirm the pre-shared key. IPSec Security Method Medium - Authentication Header (AH) means data will be authenticated, but not be encrypted. By default, this option is active. High - Encapsulating Security Payload (ESP) means payload (data) will be encrypted and authenticated.
Click each index to edit one peer digital certificate. There are three security levels of digital signature authentication: Fill each necessary field to authenticate the remote peer. The following explanation will guide you to fill all the necessary fields. Available settings are explained as follows: Item Description Profile Name Type the name of the profile. Accept Any Peer ID Click to accept any peer regardless of its identity.
4.10.7 Remote Dial-in User You can manage remote access by maintaining a table of remote user profile, so that users can be authenticated to dial-in via VPN connection. You may set parameters including specified connection peer ID, connection type (VPN connection - including PPTP, IPSec Tunnel, and L2TP by itself or over IPSec) and corresponding security methods, etc. The router provides 64 access accounts for dial-in users.
Click each index to edit one remote user profile. Each Dial-In Type requires you to fill the different corresponding fields on the right. If the fields gray out, it means you may leave it untouched. The following explanation will guide you to fill all the necessary fields. Available settings are explained as follows: Item Description User account and Authentication Enable this account - Check the box to enable this function.
Item Description policy can be viewed as one pure L2TP connection.
• Nice to Have - Apply the IPSec policy first, if it is applicable during negotiation. Otherwise, the dial-in VPN connection becomes one pure L2TP connection.
• Must - Specify the IPSec policy to be definitely applied on the L2TP connection.
SSL Tunnel - It allows the remote dial-in user to make an SSL VPN Tunnel connection through Internet, suitable for the application through network accessing (e.g.
Item Description DrayTek SSL VPN portal interface. From the web page, you will see the message to indicate that you have the privilege for the SSL Web Proxy. If you haven’t set any SSL VPN web proxy profiles, you will see a link here. Click this link to access the configuration page of SSL VPN. Note: SSL VPN can be applied only in a browser (e.g., IE) which supports ActiveX. User Name This field is applicable when you select PPTP or L2TP with or without IPSec policy above.
Item Description High-Encapsulating Security Payload (ESP) means payload (data) will be encrypted and authenticated. You may select encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES. Local ID - Specify a local ID to be used for Dial-in setting in the LAN-to-LAN Profile setup. This item is optional and can be used only in IKE aggressive mode. After finishing all the settings here, please click OK to save the configuration. 4.10.
Item Description View All – Click it to show all of profiles. Online/Offline – Click it to show the active/inactive profiles Trunk - Click it to show the profile which VPN tunnel is up. Name Indicate the name of the LAN-to-LAN profile. The symbol ??? represents that the profile is empty. Active Check the box to enable the selected profile. Status Indicate the status of individual profiles. The symbol V and X represent the profile to be active and inactive, respectively. To edit each profile: 1.
Available settings are explained as follows: Item Description Profile Name Specify a name for the profile of the LAN-to-LAN connection. Enable this profile Check here to activate this profile. VPN Dial-Out Through Use the drop down menu to choose a proper WAN interface for this profile. This setting is useful for dial-out only. WAN1 /WAN2 /WAN3 /WAN4 /WAN5 First - While connecting, the router will use WAN1 /WAN2 /WAN3 /WAN4 /WAN5 as the first channel for VPN connection.
Item Description any one of VPN peers wants to disconnect the connection, it should follow a series of packet exchanges to inform each other. However, if the remote peer disconnects without notice, the Vigor router has no way to know this situation. To resolve this dilemma, by continuously sending PING packets to the remote host, the Vigor router can know whether this VPN connection truly exists and react accordingly. This is independent of DPD (dead peer detection).
Item Description mode. Local Certificate – Select one of the profiles set in Certificate Management>>Local Certificate. IPSec Security Method This group of fields is a must for IPSec Tunnels and L2TP with IPSec Policy. Medium AH (Authentication Header) means data will be authenticated, but not be encrypted. By default, this option is active. High (ESP-Encapsulating Security Payload)- means payload (data) will be encrypted and authenticated.
Item Description suggest you select the combination that covers the most algorithms. IKE phase 1 key lifetime-For security reason, the lifetime of key should be defined. The default value is 28800 seconds. You may specify a value in between 900 and 86400 seconds. IKE phase 2 key lifetime-For security reason, the lifetime of key should be defined. The default value is 3600 seconds. You may specify a value in between 600 and 86400 seconds.
Item Description connection through the Internet. You should set the User Name and Password of remote dial-in user below. IPSec Tunnel- Allow the remote dial-in user to trigger an IPSec VPN connection through Internet. L2TP with IPSec Policy - Allow the remote dial-in user to make a L2TP VPN connection through the Internet. You can select to use L2TP alone or with IPSec. Select from below:
• None - Do not apply the IPSec policy.
Item Description Certificate Management>>Local Certificate) will be inspected first. IPSec Security Method This group of fields is a must for IPSec Tunnels and L2TP with IPSec Policy when you specify the remote node. Medium- Authentication Header (AH) means data will be authenticated, but not be encrypted. By default, this option is active. High- Encapsulating Security Payload (ESP) means payload (data) will be encrypted and authenticated.
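The settings described in this section (IPSec security method, L2TP IPSec policy, ESP algorithm and IKE key lifetimes) can be reviewed offline once they are written down as records. The following is an added example, not part of the guide or of the router firmware; the record layout, field names and finding codes are assumptions, the sample profiles are constructed, and the DES finding reflects its 56-bit key rather than anything the guide states.

```python
"""Review hand-transcribed LAN-to-LAN profile settings for weak choices."""

# Ranges the guide states for the IKE key lifetimes, in seconds.
PHASE1_LIFETIME_RANGE = (900, 86400)
PHASE2_LIFETIME_RANGE = (600, 86400)


def _lifetime_finding(profile, field, allowed):
    """Return a finding code if the lifetime is missing, non-integer or out of range."""
    value = profile.get(field)
    low, high = allowed
    if isinstance(value, bool) or not isinstance(value, int):
        return f"{field}-out-of-range"
    if not low <= value <= high:
        return f"{field}-out-of-range"
    return None


def audit_profile(profile):
    """Return a list of finding codes for one profile record (a dict)."""
    findings = []
    conn_type = profile.get("type")
    policy = profile.get("l2tp_ipsec_policy", "None")

    if conn_type == "L2TP":
        if policy == "None":
            # Pure L2TP: no IPSec policy is applied at all.
            findings.append("l2tp-no-ipsec")
        elif policy == "Nice to Have":
            # IPSec is tried first, but the tunnel may become pure L2TP.
            findings.append("l2tp-ipsec-optional")

    uses_ipsec = conn_type == "IPSec" or (
        conn_type == "L2TP" and policy in ("Nice to Have", "Must")
    )
    if not uses_ipsec:
        return findings

    method = profile.get("security_method")
    if method == "Medium":
        # AH: data is authenticated but not encrypted (the default setting).
        findings.append("ah-no-encryption")
    elif method == "High":
        if profile.get("esp_encryption") == "DES":
            findings.append("esp-des")
    else:
        findings.append("security-method-unknown")

    for field, allowed in (
        ("phase1_lifetime", PHASE1_LIFETIME_RANGE),
        ("phase2_lifetime", PHASE2_LIFETIME_RANGE),
    ):
        finding = _lifetime_finding(profile, field, allowed)
        if finding:
            findings.append(finding)
    return findings


def audit_all(profiles):
    """Map each profile name to its list of findings."""
    return {p["name"]: audit_profile(p) for p in profiles}


# Constructed sample records; "branch-a" keeps the defaults the guide describes.
SAMPLE_PROFILES = [
    {"name": "branch-a", "type": "IPSec", "security_method": "Medium",
     "phase1_lifetime": 28800, "phase2_lifetime": 3600},
    {"name": "branch-b", "type": "L2TP", "l2tp_ipsec_policy": "Nice to Have",
     "security_method": "High", "esp_encryption": "DES",
     "phase1_lifetime": 28800, "phase2_lifetime": 300},
    {"name": "branch-c", "type": "IPSec", "security_method": "High",
     "esp_encryption": "AES", "phase1_lifetime": 28800, "phase2_lifetime": 3600},
    {"name": "branch-d", "type": "L2TP", "l2tp_ipsec_policy": "None"},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PROFILES).items():
        print(f"{name}: {', '.join(findings) if findings else 'no findings'}")
```

A profile left at the default Medium (AH) method is flagged even when every other value is in range, because AH provides authentication only.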
Item Description Local Network IP / Local Network Mask - Add a static route to direct all traffic destined to Local Network IP Address/Local Network Mask through the VPN connection. More - Add a static route to direct all traffic destined to more Remote Network IP Addresses/ Remote Network Mask through the VPN connection. This is usually used when you find there are several subnets behind the remote VPN router.
• Dial-out connection types contain IPSec, PPTP, L2TP, L2TP over IPSec and ISDN (depends on hardware specification)
• The web page is simple to understand and easy to configure
• Fully compliant with VPN Server LAN Site Single/Multi Network
• Mail Alert support, please refer to System Maintenance >> SysLog / Mail Alert for detailed configuration
• Syslog support, please refer to System Maintenance >> SysLog / Mail Alert for detailed configuration
• Specific ERD (Environment Recovery Detection) mec
Available settings are explained as follows: Item Description Backup Profile List Set to Factory Default - Click to clear all VPN TRUNK-VPN Backup mechanism profile. No – The order of VPN TRUNK-VPN Backup mechanism profile. Status (on Backup Profile field) - “v” means such profile is enabled; “x” means such profile is disabled. Name (on Backup Profile field) - Display the name of VPN TRUNK-VPN Backup mechanism profile.
Type (on Backup Profile field) - Display the connection type for that profile, such as IPSec, PPTP, L2TP, L2TP over IPSec (NICE), L2TP over IPSec(MUST) and so on. Member2 (on Backup Profile field) - Display the dial-out profile selected from the Member2 drop down list below. Advanced – This button is available only when LAN to LAN profile (or more) is created. Detailed information for this dialog, see later section Advanced Load Balance and Backup.
Detailed information for this dialog, see later section Advanced Load Balance and Backup. General Setup Status- After choosing one of the profile listed above, please click Enable to activate this profile. If you click Disable, the selected or current used VPN TRUNK-Backup/Load Balance mechanism profile will not have any effect for VPN tunnel. Profile Name- Type a name for VPN TRUNK profile. Each profile can group two VPN connections set in LAN-to-LAN.
Edit Click this button to save the changes to the Status (Enable or Disable), profile name, member1 or member2. Delete Click this button to delete the selected VPN TRUNK profile. The corresponding members (LAN-to-LAN profiles) grouped in the deleted VPN TRUNK profile will be released and that profiles in LAN-to-LAN will be displayed in black.
to indicate that they are fixed. If you delete the VPN TRUNK – VPN Backup/Load Balance mechanism profile, the selected LAN-to-LAN profiles will be released and expressed in black. How can you set a GRE over IPSec profile?
1. Please go to LAN to LAN to set a profile with IPSec.
2. If the router will be used as the VPN Server (i.e., with virtual address 192.168.50.200), please type 192.168.50.200 in the field of My GRE IP. Type the IP address (192.168.50.100) of the client in the field of Peer GRE IP.
Advanced Load Balance and Backup After setting profiles for load balance, you can choose any one of them and click Advance for more detailed configuration. The windows for advanced load balance and backup are different. Refer to the following explanation: Advanced Load Balance Available settings are explained as follows: Item Description Profile Name List the load balance profile name. Load Balance Algorithm Round Robin – On a per-packet basis, both tunnels will send the packets alternately.
VPN Load Balance Policy Below shows the algorithm for Load Balance. Edit – Click this radio button to assign a blank table for configuring Binding Tunnel. After insert – Click this radio button to add a new binding tunnel table. Tunnel Bind Table Index- 128 Binding tunnel tables are provided by this device. Specify the number of the tunnel for such Load Balance profile. Active – In-active/Delete can delete this binding tunnel table. Active can activate this binding tunnel table.
Detail Information This field will display detailed information for Binding Tunnel Policy. Below shows a successful binding tunnel policy for load balance: Note : To configure a successful binding tunnel, you have to: Type Binding Src IP range (Start and End) and Binding Des IP range (Start and End). Choose TCP/UDP, IGMP/ICMP or Other as Binding Protocol. Advanced Backup Available settings are explained as follows: Item Description Profile Name List the backup profile name.
Item Description Member 1 will be the top priority for the system to do VPN connection. Detail Information This field will display detailed information for Environment Recovers Detection. 4.10.10 Connection Management You can find the summary table of all VPN connections. You may disconnect any VPN connection by clicking Drop button. You may also aggressively Dial-out by using Dial-out Tool and clicking Dial button.
Dial - Click this button to execute dial out function. Refresh Seconds Choose the time for refresh the dial information among 5, 10, and 30. Refresh Click this button to refresh the whole connection status. VPN Connection Status Display current connected VPN status. VPN – Display the name of the VPN profile. Type – Display the VPN connection mode such as PPTP or IPSec. Remote IP – Display the IP address of remote peer. Virtual Network – Display the remote network IP address with subnet address.
4.11 Certificate Management A digital certificate works as an electronic ID, which is issued by a certification authority (CA). It contains information such as your name, a serial number, expiration dates etc., and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. The Vigor router supports digital certificates conforming to the X.509 standard.
Note: Please note that “Common Name” must be configured with the router’s WAN IP or domain name. After clicking GENERATE, the generated information will be displayed on the window below: IMPORT Vigor router allows you to generate a certificate request and submit it to the CA server, then import it as “Local Certificate”. If you have already gotten a certificate from a third party, you may import it directly. The supported types are PKCS12 Certificate and Certificate with a private key.
Available settings are explained as follows: Item Description Upload Local Certificate It allows users to import the certificate which is generated by vigor router and signed by CA server. If you have done well in certificate generation, the Status of the certificate will be shown as “OK”. Upload PKCS12 Certificate It allows users to import the certificate whose extensions are usually .pfx or .p12. And these certificates usually need passwords.
REFRESH Click this button to refresh the information listed below. View Click this button to view the detailed settings for certificate request. Note: You have to copy the certificate request information from above window. Next, access your CA server and enter the page of certificate request, copy the information into it and submit a request. A new certificate will be issued to you by the CA server. You can save it.
4.11.2 Trusted CA Certificate Trusted CA certificate lists three sets of trusted CA certificate. To import a pre-saved trusted CA certificate, please click IMPORT to open the following window. Use Browse… to find out the saved text file. Then click Import. The one you imported will be listed on the Trusted CA Certificate window. Then click Import to use the pre-saved file. For viewing each trusted CA certificate, click View to open the certificate detail information window.
4.11.3 Certificate Backup Local certificate and Trusted CA certificate for this router can be saved within one file. Please click Backup on the following screen to save them. If you want to set encryption password for these certificates, please type characters in both fields of Encrypt password and Retype password. Also, you can use Restore to retrieve these two settings to the router whenever you want. 4.12 Wireless LAN This function is used for “n” models only. 4.12.
Multiple SSIDs Vigor router supports four SSID settings for wireless connections. Each SSID can be defined with different name and download/upload rate for selecting by stations connected to the router wirelessly. Security Overview Real-time Hardware Encryption: Vigor Router is equipped with a hardware AES encryption engine so it can apply the highest protection to your data without influencing user experience.
Separate the Wireless and the Wired LAN- WLAN Isolation enables you to isolate your wireless LAN from wired LAN for either quarantine or limit access reasons. To isolate means neither of the parties can access each other. To elaborate an example for business use, you may set up a wireless LAN for visitors only so they can connect to Internet without hassle of the confidential information leakage. For a more flexible deployment, you may add filters of MAC addresses to isolate users’ access from wired LAN.
4.12.2 General Setup By clicking the General Settings, a new web page will appear so that you could configure the SSID and the wireless channel. Please refer to the following figure for more information. Available settings are explained as follows: Item Description Enable Wireless LAN Check the box to enable wireless function. Mode At present, the router can connect to 11n Only, 11g Only, Mixed (11b+11g), Mixed (11a+11n), Mixed (11g+11n), and Mixed (11b+11g+11n) stations simultaneously.
Item Description In which, 802.11b/g operates on 2.4G band, 802.11a operates on 5G band, and 802.11n operates on either 2.4G or 5G band. Index(1-15) Set the wireless LAN to work at certain time interval only. You may choose up to 4 schedules out of the 15 schedules pre-defined in Applications >> Schedule setup. The default setting of this field is blank and the function will always work.
Item Description Long Preamble This option is to define the length of the sync field in an 802.11 packet. Most modern wireless network uses short preamble with 56 bit sync field instead of long preamble with 128 bit sync field. However, some original 11b wireless network devices only support long preamble. Check it to use Long Preamble if needed to communicate with this kind of devices.
Item Description environment of the network. Rate Control It controls the data transmission rate through wireless connection. Upload – Check Enable and type the transmitting rate for data upload. Default value is 30,000 kbps. Download – Type the transmitting rate for data download. Default value is 30,000 kbps. After finishing all the settings here, please click OK to save the configuration.
4.12.3 Security This page allows you to set security with different modes for SSID 1, 2, 3 and 4 respectively. After configuring the correct settings, please click OK to save and invoke it. Default Pre-Shared Key (PSK) is provided and stated on the label pasted on the bottom of the router. For the wireless client who wants to access into Internet through such router, please input the default PSK value for connection.
Available settings are explained as follows: Item Description Mode There are several modes provided for you to choose. Note: You should also set RADIUS Server simultaneously if 802.1x mode is selected. Disable - Turn off the encryption mechanism. WEP-Accepts only WEP clients and the encryption key should be entered in WEP Key. WEP/802.1x Only - Accepts only WEP clients and the encryption key is obtained dynamically from RADIUS server with 802.1X protocol. WPA/802.
Item Description as "0x321253abcde..."). WEP 64-Bit - For 64 bits WEP key, either 5 ASCII characters, such as 12345, or 10 hexadecimal digits leading by 0x, such as 0x4142434445. 128-Bit - For 128 bits WEP key, either 13 ASCII characters, such as ABCDEFGHIJKLM, or 26 hexadecimal digits leading by 0x, such as 0x4142434445464748494A4B4C4D. All wireless devices must support the same WEP encryption bit size and have the same key. Four keys can be entered here, but only one key can be selected at a time.
Item Description Enable Mac Address Filter Select to enable the MAC Address filter for wireless LAN identified with SSID 1 to 4 respectively. All the clients (expressed by MAC addresses) listed in the box can be grouped under different wireless LAN. For example, they can be grouped under SSID 1 and SSID 2 at the same time if you check SSID 1 and SSID 2. MAC Address Filter Display all MAC addresses that are edited before. Client’s MAC Address Manually enter the MAC address of wireless client.
There are two methods to do network connection through WPS between AP and Stations: pressing the Start PBC button or using PIN Code.
• On the side of Vigor 3200 series which served as an AP, press WPS button once on the front panel of the router or click Start PBC on web configuration interface. On the side of a station with network card installed, press Start PBC button of network card.
• If you want to use PIN code, you have to know the PIN code specified in wireless client.
Available settings are explained as follows: Item Description Enable WPS Check this box to enable WPS setting. WPS Status Display related system information for WPS. If the wireless security (encryption) function of the router is properly configured, you can see ‘Configured’ message here. SSID Display the SSID1 of the router. WPS is supported by SSID1 only. Authentication Mode Display current authentication mode of the router. Only WPA2/PSK and WPA/PSK support WPS.
4.12.6 WDS WDS means Wireless Distribution System. It is a protocol for connecting two access points (AP) wirelessly. Usually, it can be used for the following application:
• Provide bridge traffic between two LANs through the air.
• Extend the coverage range of a WLAN.
To meet the above requirement, two WDS modes are implemented in Vigor router. One is Bridge, the other is Repeater.
The major difference between these two modes is that: while in Repeater mode, the packets received from one peer AP can be repeated to another peer AP through WDS links. Yet in Bridge mode, packets received from a WDS link will only be forwarded to local wired or wireless hosts. In other words, only Repeater mode can do WDS-to-WDS packet forwarding. In the following examples, hosts connected to Bridge 1 or 3 can communicate with hosts connected to Bridge 2 through WDS links.
Available settings are explained as follows: Item Description Mode Choose the mode for WDS setting. Disable mode will not invoke any WDS setting. Bridge mode is designed to fulfill the first type of application. Repeater mode is for the second one. Security There are three types for security, Disable, WEP and Pre-shared key. The setting you choose here will make the following WEP or Pre-shared key field valid or not. Choose one of the types for the router.
Item Description Key - Type 8 ~ 63 ASCII characters or 64 hexadecimal digits leading by “0x”. Bridge If you choose Bridge as the connecting mode, please type in the peer MAC address in these fields. Four peer MAC addresses are allowed to be entered in this page at one time. Yet please disable the unused link to get better performance. If you want to invoke the peer MAC address, remember to check Enable box in the front of the MAC address after typing.
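The key formats this guide gives for WEP keys (section 4.12.3) and for the WDS pre-shared key above can be checked before a value is typed into the router. The following is an added example, not code from the guide or from DrayTek; the function names, the finding codes, the printable-ASCII restriction and the rule that any value starting with 0x is read as hexadecimal are assumptions.

```python
"""Validate wireless key strings against the formats stated in the guide."""
import re

# (min ASCII chars, max ASCII chars, exact hex digits after "0x"), per the guide.
KEY_RULES = {
    "wep64": (5, 5, 10),
    "wep128": (13, 13, 26),
    "psk": (8, 63, 64),
}

# Example keys printed in the guide itself, as raw bytes. 0x4142434445 decodes
# to b"ABCDE" and the 26-digit hex example decodes to b"ABCDEFGHIJKLM".
DOC_EXAMPLE_KEYS = {b"12345", b"ABCDE", b"ABCDEFGHIJKLM"}

_HEX_DIGITS = re.compile(r"[0-9A-Fa-f]+")


def parse_key(kind, text):
    """Return (form, raw_bytes) for a well-formed key string, else raise ValueError."""
    if kind not in KEY_RULES:
        raise ValueError(f"unknown key kind: {kind!r}")
    min_ascii, max_ascii, hex_len = KEY_RULES[kind]

    # Assumption: a leading "0x" always selects the hexadecimal form, so a
    # value such as "0x123" is rejected rather than read as 5 ASCII characters.
    if text[:2].lower() == "0x":
        digits = text[2:]
        if len(digits) != hex_len or not _HEX_DIGITS.fullmatch(digits):
            raise ValueError(f"{kind}: expected 0x followed by {hex_len} hex digits")
        return "hex", bytes.fromhex(digits)

    if not min_ascii <= len(text) <= max_ascii:
        raise ValueError(
            f"{kind}: expected {min_ascii} to {max_ascii} ASCII characters, got {len(text)}"
        )
    # Assumption: only printable ASCII (space through tilde) is accepted.
    if any(not 32 <= ord(ch) <= 126 for ch in text):
        raise ValueError(f"{kind}: only printable ASCII characters are accepted")
    return "ascii", text.encode("ascii")


def audit_key(kind, text):
    """Return finding codes for a key that is well formed but a poor choice."""
    _, raw = parse_key(kind, text)
    findings = []
    if raw in DOC_EXAMPLE_KEYS:
        findings.append("doc-example")  # the value is printed in the manual
    if len(set(raw)) <= 2:
        findings.append("low-variety")  # e.g. "aaaaa" or 0x0000000000
    return findings


if __name__ == "__main__":
    # Constructed inputs: the guide's own examples plus a few malformed values.
    samples = [
        ("wep64", "12345"),
        ("wep64", "0x4142434445"),
        ("wep128", "ABCDEFGHIJKLM"),
        ("wep64", "0x123"),
        ("psk", "short"),
        ("psk", "correct horse battery"),
    ]
    for kind, text in samples:
        try:
            print(kind, repr(text), "->", audit_key(kind, text) or "ok")
        except ValueError as exc:
            print(kind, repr(text), "-> rejected:", exc)
```

Comparing keys as raw bytes catches a documentation example whether it was typed in ASCII or in hexadecimal form.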
Item Description 20/40 – the router will use 20MHz or 40MHz for data transmission and receiving according to the station capability. Such channel can increase the performance for data transit. Guard Interval It is to assure the safety of propagation delays and reflections for the sensitive digital data. If you choose auto as guard interval, the AP router will choose short guard interval (increasing the wireless performance) or long guard interval for data transmit based on the station capability.
Item Description APSD Capable The default setting is Disable. Aifsn It controls how long the client waits for each data transmission. Please specify the value ranging from 1 to 15. Such parameter will influence the time delay for WMM accessing categories. For the service of voice or video image, please set a small value for AC_VI and AC_VO categories. For the service of e-mail or web browsing, please set a large value for AC_BE and AC_BK categories.
4.12.9 AP Discovery Vigor router can scan all regulatory channels and find working APs in the neighborhood. Based on the scanning result, users will know which channel is clean for usage. Also, it can be used to facilitate finding an AP for a WDS link. Notice that during the scanning process (about 5 seconds), no client is allowed to connect to Vigor. This page is used to scan the existence of the APs on the wireless LAN. Yet, only the AP which is in the same channel of this router can be found.
4.12.10 Station List Station List provides the knowledge of connecting wireless clients now along with its status code. There is a code summary below for explanation. For convenient Access Control, you can select a WLAN station and click Add to Access Control below. Available settings are explained as follows: Item Description Refresh Click this button to refresh the status of station list. Add Click this button to add current typed MAC address into Access Control.
4.12.11 Web Portal This page allows you to specify an URL for accessing into or display a message when a wireless user connects to Internet through this router. No matter what purpose of the wireless client is, he/she will be forced into the URL configured here while trying to access into the Internet or the desired web page through this router. That is, a company which wants to have an advertisement for its products to the users, can specify the URL in this page to reach its goal.
4.13 SSL VPN An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. There are two benefits that SSL VPN provides:
• It is not necessary for users to preinstall VPN client software for executing SSL VPN connection.
• There are fewer restrictions on the data encrypted through SSL VPN in comparison with traditional VPN.
4.13.1 General Setup This page determines the general configuration for SSL VPN Server and SSL Tunnel.
After finishing all the settings here, please click OK to save the configuration. 4.13.2 SSL Web Proxy SSL Web Proxy will allow the remote users to access the internal web sites over SSL. Available settings are explained as follows: Item Description Name Display the name of the profile that you create. URL Display the URL. Active Display current status (active or inactive) of such profile. Click number link under Index field to set detailed configuration.
Disable – the profile will be inactive. If you choose Disable, all the web proxy profile appeared under VPN remote dial-in web page will disappear. Secured Port Redirection – such technique applies private port mapping to random WAN port. There are two restrictions for proxy web server for such selection: 1) it is only used for WAN to LAN access, the web server must be configured behind vigor router; 2) web server gateway must be indicated to vigor router.
4.13.3 SSL Application It provides a secure and flexible solution for network resources, including VNC (Virtual Network Computer) /RDP (Remote Desktop Protocol) /SAMBA, to any remote user with access to Internet and a web browser. Each item is explained as follows: Item Description Name Display the application name of the profile that you create. Host Address Display the IP address for VNC/RDP or SAMBA path. Service Display the type of the service selected, e.g., VNC/RDP/SAMBA.
this profile. Different application types will lead to different web pages. Refer to the following:
• Virtual Network Computing – Choose this item for accessing and controlling a remote PC through VNC protocol. IP Address - Type the IP address for this protocol. Port - Specify the port used for this protocol. The default setting is 5900. Scaling - Choose the percentage (100%, 80%, 60%) for such application.
• Samba Application - Any remote user can upload/download/delete certain files on a local samba server through web browser with this application. Samba Path - Specify the path for this application. 4.13.4 User Account For SSL VPN, identity authentication and power management are implemented through deploying user accounts. Therefore, the user account for SSL VPN must be set together with remote dial-in user web page. Such menu item is similar to VPN and Remote Access>>Remote Dial-in user.
However, if you have set several SSL Web Proxy Profiles in SSL VPN>> SSL Web Proxy web page: The SSL Web Proxy profile names will be displayed (together with check box) as shown below.
4.13.5 User Group
There are 10 user group profiles which can be created for authentication by LDAP server. Such profiles will be used by applications such as User Management, VPN, etc. Each item is explained as follows:
Index - Display the number of the client which is connecting to the FTP server.
Name - Display the name of the group profile.
Click any index number link to open the following page for detailed configuration.
Available settings are explained as follows:
Enable - Check this box to enable such profile.
Group Name - Type a name for such profile.
Access Authority - Specify the authority for such profile.
Authentication Methods - It can determine the authentication method used for such profile.
Local User DataBase – The system will do the authentication by using the user defined account profiles (in VPN and Remote Access>>Remote Dial-In User).
Next, users can open SSL VPN>> Online Status to view the login status of SSL VPN. Each item is explained as follows:
Active User - Display the current user who visits the SSL VPN server.
Host IP - Display the IP address for the host.
Time out - Display the time remaining for logging out.
Action - You can click Drop to drop a certain logged-in user from the router's SSL Portal UI.
4.14 USB Application
USB diskette connected on Vigor router can be regarded as a server. By way of Vigor router, clients on LAN/WAN can access, write and read data stored in USB diskette with different applications. After setting the configuration in USB Application, you can type the IP address of the Vigor router and username/password created in USB Application>>USB User Management on the client software. Then, the client can use the FTP site (USB diskette) or share the Samba service through Vigor router.
Samba Service Settings - Click Enable to invoke samba service via the router.
Access Mode
LAN Only – Users coming from internet cannot connect to the samba server of the router.
LAN And WAN - Both LAN and WAN users can access samba server of the router.
NetBios Name Service - For the NetBios service of USB storage disk, you have to specify a workgroup name and a host name. A workgroup name must not be the same as the host name.
Home Folder - Display the home folder of this entry.
Click index number to access into configuration page. Available settings are explained as follows:
FTP/Samba User
Enable – Click this button to activate this profile (account) for FTP service or Samba User service. Later, the user can use the username specified in this page to login into FTP server.
Disable – Click this button to disable such profile.
ON, you cannot type any new folder name in this field. Only “/” can be used in such case. You can click to open the following dialog to add any new folder which can be specified as the Home Folder.
Access Rule - It determines the authority for such profile. Any user, who uses such profile for accessing into USB storage disk, must follow the rule specified here.
File – Check the items (Read, Write and Delete) for such profile.
4.14.3 File Explorer
File Explorer offers an easy way for users to review and manage the content of USB diskette connected on Vigor router. Available settings are explained as follows:
Refresh - Click this icon to refresh files list.
Back - Click this icon to return to the upper directory.
Create - Click this icon to add a new folder.
Current Path - Display current folder.
Upload - Click this button to upload the selected file to the USB storage disk.
Each item is explained as follows:
Connection Status - If there is no USB storage disk connected to Vigor router, “No Disk Connected” will be shown here.
Disk Capacity - Display the total capacity of the USB storage disk.
Free Capacity - Display the free space of the USB storage disk. Click Refresh at any time to get new status for free capacity.
Index - Display the number of the client which is connecting to the FTP server.
Stop record when fulls – when the capacity of syslog is full, the system will stop recording.
Always record the new event – only the newest events will be recorded by the system.
Time - Display the time when the event occurred.
Message - Display the information for each event.
For USB Syslog
This page displays the syslog recorded on the USB storage disk. Each item is explained as follows:
Time - Display the time when the event occurred.
4.15 System Maintenance
For the system setup, there are several items that you have to know the way of configuration: Status, Administrator Password, Configuration Backup, Syslog, Time setup, Reboot System, Firmware Upgrade. Below shows the menu items for System Maintenance.
4.15.1 System Status
The System Status provides basic network settings of Vigor router. It includes LAN and WAN interface information.
Build Date/Time - Display the date and time of the current firmware build.
LAN
MAC Address - Display the MAC address of the LAN Interface.
IP Address - Display the IP address of the LAN interface.
Subnet Mask - Display the subnet mask address of the LAN interface.
DHCP Server - Display the current status of DHCP server of the LAN interface.
DNS - Display the assigned IP address of the primary DNS.
Wireless LAN
MAC Address - Display the MAC address of the wireless LAN.
4.15.2 TR-069
This device supports TR-069 standard. It is very convenient for an administrator to manage a TR-069 device through an Auto Configuration Server, e.g., VigorACS. Available parameters are explained as follows:
ACS Server On - Choose the interface for the router connecting to ACS server.
ACS Server
URL/Username/Password – Such data must be typed according to the ACS (Auto Configuration Server) you want to link.
click Disable to close the mechanism of notification.
STUN Settings - The default is Disable. If you click Enable, please type the related settings listed below:
Server IP – Type the IP address of the STUN server.
Server Port – Type the port number of the STUN server.
Minimum Keep Alive Period – If STUN is enabled, the CPE must send binding request to the server for the purpose of maintaining the binding in the Gateway. Please type a number as the minimum period.
4.15.4 User Password
Sometimes, you may want to access User Mode to configure the web settings for some reason. Vigor router allows you to set a new user password for logging into the WUI to fit your request. Simply open System Maintenance>>User Password. Available parameters are explained as follows:
Enable User Mode for simple web configuration - Check this box to enable user mode operation.
3. The following screen will appear. Simply click OK.
4. Log out of the Vigor router Web Configurator.
5. The following window will open to ask for username and password. Type the new user password in the field of Password and click Login.
6. The main screen with User Mode will be shown as follows.
Fewer settings can be configured in User Mode than in Admin Mode. Only basic configuration settings will be available in User Mode. Settings in User Mode can be configured in the same way as in Admin Mode.
4.15.5 Login Customization
When you want to access the web configurator of Vigor router, the system will ask you to offer username and password first. At that moment, the background of the web page is blank and no heading will be displayed on the Login window.
Available settings are explained as follows:
Enable - Check this box to enable the login customization function.
Login Description - Type a brief description (e.g., Welcome to DrayTek) which will be shown on the heading of the login dialog.
Bulletin - Type words or sentences here. It will be displayed for bulletin message. In addition, it can be displayed on the login dialog at the bottom.
4.15.6 Configuration Backup
Backup the Configuration
Follow the steps below to backup your configuration.
1. Go to System Maintenance >> Configuration Backup. The following windows will be popped-up, as shown below.
2. Click Backup button to get into the following dialog. Click Save button to open another dialog for saving configuration as a file.
3. In Save As dialog, the default filename is config.cfg. You could give it another name by yourself.
4. Click the Save button; the configuration will download automatically to your computer as a file named config.cfg.
The above example uses the Windows platform for demonstration. The Mac or Linux platform will show different windows, but the backup function is still available.
Note: Backup for Certification must be done independently. The Configuration Backup does not include information of Certificate.
Restore Configuration
1. Go to System Maintenance >> Configuration Backup.
4.15.7 Syslog/Mail Alert
The SysLog function is provided for users to monitor the router. There is no need to get into the Web Configurator of the router directly or to borrow debug equipment. Available parameters are explained as follows:
SysLog Access Setup
Enable - Check Enable to activate function of syslog.
Syslog Save to – Check Syslog Server to save the log to Syslog server. Check USB Disk to save the log to the attached USB storage disk.
Mail Alert Setup - Check “Enable” to activate function of mail alert.
Send a test e-mail - Make a simple test for the e-mail address specified in this page. Please assign the mail address first and click this button to run a test that verifies whether the mail address is available.
SMTP Server - The IP address of the SMTP server.
Mail To - Assign a mail address for sending mails out.
Return-Path - Assign a path for receiving the mail from outside.
4.15.8 Time and Date
It allows you to specify where the time of the router should be inquired from. Available parameters are explained as follows:
Current System Time - Click Inquire Time to get the current time.
Use Browser Time - Select this option to use the browser time from the remote administrator PC host as router’s system time.
Use Internet Time - Select to inquire time information from Time Server on the Internet using assigned protocol.
Time Protocol - Select a time protocol.
4.15.9 Management
This page allows you to manage the settings for access control, access list, port setup, and SNMP setup. For example, as to management access control, the port number is used to send/receive SIP message for building a session. Available parameters are explained as follows:
Router Name - Type a name as an identification for such router.
Management Port Setup
User Defined Ports - Check to specify user-defined port numbers for the Telnet, HTTP and FTP servers.
Default Ports - Check to use standard port numbers for the Telnet and HTTP servers.
SNMP Setup
Enable SNMP Agent - Check it to enable this function.
Get Community - Set the name for getting community by typing a proper character. The default setting is public.
Set Community - Set community by typing a proper name. The default setting is private.
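An added check, not part of DrayTek's guide or tooling: because the SNMP defaults listed above (Get community public, Set community private) are the same on every unit, it is worth confirming after changing them that the agent on your own router no longer answers to public. The sketch assumes the agent speaks SNMPv1 on UDP port 161 and uses 192.168.1.1, the default gateway address this guide gives in section 5.3; all function names are illustrative.

```python
import socket

# sysDescr.0 (1.3.6.1.2.1.1.1.0) in BER form; 1.3 packs into the single byte 0x2B.
SYS_DESCR_OID = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])

def tlv(tag, value):
    """Encode one BER tag-length-value with a short-form length."""
    if len(value) > 127:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(value)]) + value

def build_get_request(community, request_id=1):
    """SNMPv1 GetRequest for sysDescr.0 under the given community string."""
    if not 0 < request_id < 128:
        raise ValueError("request_id must fit one positive byte")
    varbind = tlv(0x30, tlv(0x06, SYS_DESCR_OID) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, bytes([request_id]))   # request-id
              + tlv(0x02, b"\x00")                    # error-status
              + tlv(0x02, b"\x00")                    # error-index
              + tlv(0x30, varbind))                   # varbind list
    return tlv(0x30, tlv(0x02, b"\x00")               # version 0 = SNMPv1
               + tlv(0x04, community.encode("ascii")) + pdu)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); handles short and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def is_get_response(data, request_id=1):
    """True if data is a GetResponse with noError matching request_id."""
    try:
        tag, msg, _ = read_tlv(data, 0)
        if tag != 0x30:
            return False
        _, _, pos = read_tlv(msg, 0)        # version
        _, _, pos = read_tlv(msg, pos)      # community
        tag, pdu, _ = read_tlv(msg, pos)
        if tag != 0xA2:                     # 0xA2 = GetResponse-PDU
            return False
        _, rid, pos = read_tlv(pdu, 0)
        _, err, _ = read_tlv(pdu, pos)
        return int.from_bytes(rid, "big") == request_id and err == b"\x00"
    except (IndexError, ValueError):
        return False

def community_accepted(host, community, port=161, timeout=2.0):
    """Send one GetRequest; True means the agent still honours `community`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_get_request(community), (host, port))
            data, _ = sock.recvfrom(4096)
        except OSError:                     # timeout or unreachable: no answer
            return False
    return is_get_response(data)

if __name__ == "__main__":
    router = "192.168.1.1"   # assumption: your own router's LAN address
    if community_accepted(router, "public"):
        print("agent still answers to the default Get community 'public'")
    else:
        print("no answer for 'public' (changed, filtered, or SNMP disabled)")
```

An SNMPv1 agent silently drops requests that carry an unknown community, so a timeout is the expected result once the default has been replaced.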
4.15.11 Firmware Upgrade
Before upgrading your router firmware, you need to install the Router Tools. The Firmware Upgrade Utility is included in the tools. The following web page will guide you to upgrade firmware by using an example. Note that this example is running over Windows OS (Operating System). Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.DrayTek.com (or local DrayTek's web site) and FTP site is ftp.DrayTek.com.
4.15.12 Activation
There are three ways to activate WCF on the Vigor router: using Service Activation Wizard, by means of CSM>>Web Content Filter Profile, or via System Maintenance>>Activation. After you have finished setting the profiles for WCF (refer to Web Content Filter Profile), it is time to activate the mechanism for your computer. Click System Maintenance>>Activation to open the following page for accessing http://myvigor.draytek.com.
Below shows the successful activation of Web Content Filter:
4.16 Diagnostics
Diagnostic Tools provide a useful way to view or diagnose the status of your Vigor router. Below shows the menu items for Diagnostics.
4.16.1 Dial-out Trigger
Click Diagnostics and click Dial-out Trigger to open the web page. The internet connection (e.g., PPPoE) is triggered by a packet sent from the source IP address. Each item is explained as follows:
Decoded Format - It shows the source IP address (local), destination IP (remote) address, the protocol and length of the packet.
Refresh - Click it to reload the page.
4.16.2 Routing Table
Click Diagnostics and click Routing Table to open the web page.
4.16.3 ARP Cache Table
Click Diagnostics and click ARP Cache Table to view the content of the ARP (Address Resolution Protocol) cache held in the router. The table shows a mapping between an Ethernet hardware address (MAC Address) and an IP address. Each item is explained as follows:
Clear - Click it to clear the whole table.
Refresh - Click it to reload the page.
4.16.4 DHCP Table
The facility provides information on IP address assignments.
IP Address - It displays the IP address assigned by this router for specified PC.
MAC Address - It displays the MAC address of the specified PC to which DHCP assigned the IP address.
Leased Time - It displays the leased time of the specified PC.
HOST ID - It displays the host ID name of the specified PC.
Refresh - Click it to reload the page.
4.16.5 NAT Sessions Table
Click Diagnostics and click NAT Sessions Table to open the list page.
4.16.6 Data Flow Monitor
This page displays the running procedure for the IP address monitored and refreshes the data in an interval of several seconds. The IP address listed here is configured in Bandwidth Management. You have to enable IP bandwidth limit and IP session limit before invoking Data Flow Monitor. If not, a notification dialog box will appear to remind you to enable them. Click Diagnostics and click Data Flow Monitor to open the web page.
automatically.
Refresh - Click this link to refresh this page manually.
Index - Display the number of the data flow.
IP Address - Display the IP address of the monitored device.
TX rate (kbps) - Display the transmission speed of the monitored device.
RX rate (kbps) - Display the receiving speed of the monitored device.
Sessions - Display the session number that you specified in Limit Session web page.
Action
Block - can prevent specified PC accessing into Internet within 5 minutes.
4.16.7 Traffic Graph
Click Diagnostics and click Traffic Graph to open the web page. Choose WAN1/WAN2/WAN3/WAN4/WAN5 Bandwidth, Sessions, daily or weekly to view different traffic graphs. Click Refresh to renew the graph at any time. The horizontal axis represents time, while the vertical axis has different meanings. For the WAN1/WAN2/WAN3/WAN4/WAN5 Bandwidth chart, the numbers displayed on the vertical axis represent the numbers of the transmitted and received packets in the past.
4.16.8 Ping Diagnosis
Click Diagnostics and click Ping Diagnosis to open the web page. Each item is explained as follows:
Ping through - Use the drop down list to choose the WAN interface that you want to ping through or choose Unspecified to be determined by the router automatically.
Ping to - Use the drop down list to choose the destination that you want to ping.
IP Address - Type in the IP address of the Host/IP that you want to ping.
Run - Click this button to start the ping work.
4.16.9 Trace Route
Click Diagnostics and click Trace Route to open the web page. This page allows you to trace the routes from router to the host. Simply type the IP address of the host in the box and click Run. The result of route trace will be shown on the screen. Each item is explained as follows:
Trace through - Use the drop down list to choose the WAN interface that you want to ping through.
Protocol - Use the drop down list to choose the protocol that you want to ping through.
4.17 External Devices
Vigor router can be used to connect with many types of external devices. In order to control or manage the external devices conveniently, open External Devices to make detailed configuration. From this web page, check the box of External Device Auto Discovery. Later, all the available devices will be displayed in this page with icons and corresponding information. You can change the device name if required or remove the information for off-line device whenever you want.
Trouble Shooting
This section will guide you to solve abnormal situations if you cannot access into the Internet after installing the router and finishing the web configuration. Please follow sections below to check your basic installation status stage by stage.
- Checking if the hardware status is OK or not.
- Checking if the network connection settings on your computer are OK or not.
- Pinging the router from your computer.
- Checking if the ISP settings are OK or not.
5.2 Checking If the Network Connection Settings on Your Computer Is OK or Not
Sometimes the link failure occurs due to wrong network connection settings. After trying the above section, if the link still fails, please do the steps listed below to make sure the network connection settings are OK.
For Windows
The example is based on Windows XP. As to the examples for other operating systems, please refer to the similar steps or find support notes in www.DrayTek.com.
1.
4. Select Obtain an IP address automatically and Obtain DNS server address automatically.
For Mac OS
1. Double click on the current used Mac OS on the desktop.
2. Open the Application folder and get into Network.
3. On the Network screen, select Using DHCP from the drop down list of Configure IPv4.
5.3 Pinging the Router from Your Computer
The default gateway IP address of the router is 192.168.1.1. For some reason, you might need to use the “ping” command to check the link status of the router. The most important thing is that the computer receives a reply from 192.168.1.1. If not, please check the IP address of your computer. We suggest setting the network connection to get an IP address automatically. (Please refer to section 5.2.) Please follow the steps below to ping the router correctly.
5.4 Checking If the ISP Settings are OK or Not
Open WAN >> Internet Access page and then check whether the ISP settings are set correctly. Click Details Page of each WAN interface to review the settings that you configured previously.
5.5 Problems for 3G Network Connection
When you have trouble in using 3G network transmission, please check the following:
Check if USB LED lights on or off
You have to wait about 15 seconds after inserting 3G USB Modem into your Vigor3200. Later, the USB LED will light on which means the installation of USB Modem is successful. If the USB LED does not light on, please remove and reinsert the modem again. If it still fails, restart Vigor3200.
Software Reset
You can reset the router to factory default via the Web page. This function is available in Admin Mode only. Go to System Maintenance and choose Reboot System on the web page. The following screen will appear. Choose Using factory default configuration and click OK. After a few seconds, the router will return all the settings to the factory settings.
Hardware Reset
While the router is running (ACT LED blinking), press the Factory Reset button and hold for more than 5 seconds.
5.7 Contacting Your Dealer
If the router still cannot work correctly after many attempts, please contact your dealer for further help right away. For any questions, please feel free to send e-mail to support@draytek.com.