Datasheet

Firewall
Packet filter: Check based on the header information of an IP packet (IP or MAC source/destination addresses; source/destination ports, DiffServ attribute); remote-site dependent and direction dependent
Extended port forwarding: Network Address Translation (NAT) based on protocol and WAN address, i.e. to make internal webservers accessible from WAN
N:N IP address mapping: N:N IP address mapping for translation of IP addresses or entire networks
Tagging: The firewall marks packets with routing tags, e.g. for policy-based routing
Actions: Forward, drop, reject, block sender address, close destination port, disconnect
Notification: SYSLOG (internally)
Security
Intrusion Prevention: Monitoring and blocking of login attempts and port scans
IP spoofing: Source IP address check on all interfaces: only IP addresses belonging to the defined IP networks are allowed
Access control lists: Filtering of IP or MAC addresses and preset protocols for configuration access
Denial of Service protection: Protection from fragmentation errors and SYN flooding
General: Detailed settings for handling reassembly, PING, stealth mode and AUTH port
Password protection: Password-protected configuration access can be set for each interface
Alerts: Alerts via SYSLOG (internally)
Authentication mechanisms: PAP, CHAP, MS-CHAP and MS-CHAPv2 as PPP authentication mechanism
Adjustable reset button: Adjustable reset button for 'ignore', 'boot-only' and 'reset-or-boot'
High availability / redundancy
FirmSafe: For completely safe software upgrades thanks to two stored firmware versions, incl. test mode for firmware updates
VPN redundancy: Backup of VPN connections across different hierarchy levels, e.g. in case of failure of a central VPN concentrator and re-routing to multiple distributed remote sites. Any number of VPN remote sites can be defined (the tunnel limit applies only to active connections). Up to 32 alternative remote stations, each with its own routing tag, can be defined per VPN connection. Automatic selection may be sequential, or dependent on the last connection, or random (VPN load balancing)
Line monitoring: Line monitoring with LCP echo monitoring, dead-peer detection and up to 4 addresses for end-to-end monitoring with ICMP polling
VPN
Number of VPN tunnels: Max. number of concurrent active IPSec and PPTP tunnels (MPPE): 5 (25 with VPN 25 Option). Unlimited configurable connections. Configuration of all remote sites via one configuration entry when using the RAS user template or Proadaptive VPN.
Hardware accelerator: Integrated hardware acceleration for ESP encryption and decryption (data path)
Realtime clock: Integrated, buffered realtime clock to save the date and time during power failure. Assures timely validation of certificates in any case
Random number generator: Generates high-quality randomized numbers in software
IKE: IPSec key exchange with Preshared Key or certificate (in software)
Certificates: X.509 digital self signed certificates (no CA support), compatible with OpenSSL, upload of PKCS#12 files via SCP. Secure Key Storage protects a private key (PKCS#12) from theft
RAS user template: Configuration of all VPN client connections in IKE ConfigMode via a single configuration entry
Proadaptive VPN: Automated configuration and dynamic creation of all necessary VPN and routing entries based on a default entry for site-to-site connections. Propagation of routes via RIPv2 if required
Algorithms: AES (128, 192 or 256 bit) and HMAC with SHA-1 / SHA-256 hashes
NAT-Traversal: NAT-Traversal (NAT-T) support for VPN over routes without VPN passthrough
1418-byte frame size UDP: 90 Mbps
Firewall throughput (max.)
1518-byte frame size UDP: 123 Mbps
Routing functions
Router: IP-Router
Advanced Routing and Forwarding: Separate processing of 16 contexts due to virtualization of the routers. Mapping to VLANs and complete independent management and configuration of IP networks in the device. Automatic learning of routing tags for ARF contexts from the routing table
LANCOM 1781EF (CC)
Features as of: LCOS 8.70 CC