Netopia® Firmware User Guide
Netopia® 4000-Series Equipment
Netopia Firmware Version 5.
Copyright © 2004, Netopia, Inc. Netopia and the Netopia logo are registered trademarks belonging to Netopia, Inc., registered U.S. Patent and Trademark Office. Broadband Without Boundaries and 3-D Reach are trademarks belonging to Netopia, Inc. All other trademarks are the property of their respective owners. All rights reserved.
Netopia, Inc., 6001 Shellmound Street, Emeryville, CA 94608 U.S.A.
Contents
Contents  iii
Chapter 1 — Introduction  1-1
What’s New in Netopia Firmware Version 5.4  1-1
Console-based Management  1-2
Netopia Console Menus  1-2
Netopia Models  1-3
Screen differences
Modifying a scheduled connection
Deleting a scheduled connection
System Configuration Screens
System configuration features
IP Setup
Filter Sets
IP Address Serving
Network Address Translation (NAT)
IP profile parameters  3-21
IP Parameters (WAN Default Profile)  3-23
NAT Associations  3-25
IP Passthrough  3-27
MultiNAT Configuration Example  3-31
Chapter 4 — Virtual Private Networks (VPNs)  4-1
Overview
Adding an IKE Phase 1 Profile  5-4
Changing an IKE Phase 1 Profile  5-8
Key Management  5-9
IPsec WAN Configuration Screens  5-18
IPsec Manual Key Entry  5-19
VPN Quickview  5-20
WAN Event History Error Reporting
Event Logs
SNMP Support
Backup Default Gateway
Backup Configuration screen
IP Setup screen
Backup Management/Statistics
QuickView
Advanced Security Options  10-5
User access password  10-7
User menu differences  10-8
User Accounts  10-15
Telnet Access  10-17
About Filters and Filter Sets  10-18
What’s a filter and what’s a filter set?
Updating firmware  11-7
Downloading configuration files  11-8
Uploading configuration files  11-9
Transferring Configuration and Firmware Files with XMODEM  11-9
Updating firmware  11-10
Downloading configuration files  11-11
Uploading configuration files
Packet header types  B-14
Appendix C — Binary Conversion Table
Introduction 1-1 Chapter 1 Introduction This Firmware User Guide covers the advanced features of the Netopia 4000-Series Router and IAD families. Your Netopia equipment offers advanced configuration features in addition to Easy Setup. The advanced feature screens are accessed through the Main Menu of the console configuration screen. This Firmware User Guide documents the advanced features, including advanced testing, security, monitoring, and configuration features.
1-2 Firmware User Guide Console-based Management Console-based management is a fast menu-driven interface for the capabilities built into the Netopia Firmware Version 5.4. Console-based management provides access to a wide variety of features that the router supports. You can customize these features for your individual setup. This chapter describes how to access the console-based management screens.
Introduction 1-3 reconfiguring the manner in which you may be using the router to connect to more than one service provider or remote site. See “WAN Configuration,” beginning on page 2-1. See also Chapter 4, “Virtual Private Networks (VPNs).”
1-4 Firmware User Guide
Connecting through a Telnet Session
Features of the Netopia Firmware Version 5.4 can be configured through the console screens. Before you can access the console screens through Telnet, you must have:
■ A local network connection to the router, or IP access to the router.
Note: Alternatively, you may have a direct serial console cable connection using a provided console cable and the Console port on the back of the router. Some models do not have a console port.
Introduction 1-5 Connecting a Console Cable to your Equipment Many Netopia models include a serial console port labeled “Console” on the back panel. You can perform all of the system configuration activities for your Netopia equipment through a local serial console connection, if available, using terminal emulation software, such as HyperTerminal provided with Windows 95, 98, 2000, or NT on the PC, or ZTerm, included on the Netopia CD, for Macintosh computers.
1-6 Firmware User Guide
Launch your terminal emulation software and configure the communications software for the values shown in the table below. These are the default communication parameters that the Netopia Firmware Version 5.4 uses.

    Parameter        Suggested Value
    Terminal type    PC: ANSI-BBS; Mac: ANSI, VT-100, or VT-200
    Data bits        8
    Parity           None
    Stop bits        1
    Speed            9600 - 57600 bits per second
    Flow Control     None

Note: The router firmware contains an autobaud detection feature.
Introduction 1-7 Navigating through the Console Screens Use your keyboard to navigate the Netopia Firmware Version 5.4’s configuration screens, enter and edit information, and make choices. The following table lists the keys to use to navigate through the console screens. To... Use These Keys...
WAN and System Configuration 2-1 Chapter 2 WAN and System Configuration This chapter describes how to use the console-based management screens to access and configure advanced features of your equipment. You can customize these features for your individual setup. These menus provide a powerful method for experienced users to set up their router’s connection profiles and system configuration.
2-2 Firmware User Guide
ADSL Line Configuration screen
The ADSL Line Configuration screen is shown below:

    ADSL Line Configuration
      Circuit Type...               Multimode
      Trellis Coding Enabled:       On
      Signaling Mode...             FDM
      Fast Retrain Enabled:         On
      Data Link Encapsulation...    RFC1483

1. Select Circuit Type and from the pop-up menu choose the type of circuit to which you will be connecting: Multimode, T1.413, G.dmt/G.lite, or ADI.
2. Select Trellis Coding Enabled. Toggle it to On (the default) or Off.
3.
WAN and System Configuration 2-3
SDSL/IDSL Configuration screen
The SDSL/IDSL Line Configuration screen is shown below:

    SDSL Line Configuration
      Line Type...                  (pop-up: SDSL-ATM, SDSL-HDLC, IDSL, IDSL-CM)
      Operation Mode...
      Data Rate Mode...
      Data Rate...                  384
      Data Link Encapsulation...    PPP
      PPP Mode...                   VC Multiplexed
    Return/Enter to select ...

Enter Information supplied to you by your telephone company.
■ Select a Line Type from the pull-down menu.
2-4 Firmware User Guide

    SDSL Line Configuration
      Line Type...
      Operation Mode...             (pop-up: Generic, Lucent, Nokia EOC Fast, Nokia Fixed, Paradyne, Nortel UE IMAS, Newbridge)
      Data Rate Mode...
      Data Rate...
      Data Link Encapsulation...    RFC1483
      RFC1483 Mode...               Routed 1483

Some of these selections will reset the defaults for the remaining options in this screen. You will be challenged to confirm your choice.
WAN and System Configuration 2-5
IDSL Line Configuration screen
The IDSL Line Configuration screen is shown below:

    IDSL Line Configuration
      Line Type...                  IDSL
      Data Rate (kbps)...           144 (2B+D)
      Data Link Encapsulation...    PPP
    Return/Enter to select ...

Enter information supplied to you by your ISDN phone company.
■ For IDSL lines, the Data Rate (kbps) pull-down menu offers 64 (B1), 64 (B2), 128 (B1+B2), or 144 (2B+D).
2-6 Firmware User Guide G.SHDSL Line Configuration screen The G.SHDSL Line Configuration screen is shown below: DSL Line Configuration Regional Setting... Annex A Cell Format... Unused Cell Format... Scrambled Idle Data Link Encapsulation... RFC1483 Mode... PPP over Ethernet (PPPoE): RFC1483 Bridged 1483 Off Each access concentrator (DSLAM) has a different set of defaults and other parameters.
WAN and System Configuration 2-7
T1 Line Configuration screen
The T1 Line Configuration screen is shown below:

    T1 Line Configuration
      Operation Mode...             HDLC
      Line Encoding...              B8ZS
      Framing Mode...               ESF
      Transmit ANSI PRMs:           No
      AutoDetect DS0 Channels:      No
      Number of DS0 Channels:       1
      First DS0 Channel:            1
      Buildout (-dB)...             0-0.6
      Channel Data Rate...          Nx64k
      Data Link Encapsulation...    Frame Relay
      PPP over Frame Relay Enabled: Off
    Return/Enter goes to new screen.
2-8 Firmware User Guide default setting is 1 (one). Press Return. Note: You can change the First DS0 Channel number, which has a valid range from one to the maximum number minus the number of active channels. If the number of active DS0 channels is 24 (maximum), First DS0 Channel is hidden. If you specify a number of DS0 channels less than the maximum, a Contiguous Channels item appears.
WAN and System Configuration 2-9 Note: If you used Easy Setup to configure your router, you have already created a connection profile called Easy Setup Profile. If you return to the Easy Setup menus and change the Data Link Encapsulation method you set up in this step, the Easy Setup Data Link Encapsulation method will override this one and change the default data link encapsulation method in use. You are now finished configuring the Line Configuration screen.
2-10 Firmware User Guide

    Frame Relay Configuration
      LMI Type...                         ANSI (Annex D)
      T391 (Polling Interval in secs):    10
      N391 (Polls/Full Status Cycles):    6
      N392 (Error Threshold):             3
      N393 (Monitored Event Window):      4
      Tx Injection Management...          Standard
      Default CIR:                        64000
      Default Bc:                         64000
      Default Be:                         0
      Congestion Management Enabled:      No
      Maximum Tx Frame Size:              1520
    Return/Enter goes to new screen.

Enter Information supplied to you by your telephone company.
1.
WAN and System Configuration 2-11 ting defaults to 64000, but you may modify the capacity rate if this setting will not be applicable to you. ■ The Default Bc (Bc also referred to as Committed Burst Size) represents the maximum amount of data that your Frame Relay service provider agrees to transfer from a given PVC (Permanent Virtual Circuit) or DLCI (Data Link Connection Identifier). This setting defaults to 64000, but you may change the capacity rate if necessary.
2-12 Firmware User Guide To go to the Frame Relay DLCI configuration screen, select Frame Relay DLCI Configuration in the WAN Configuration screen. Frame Relay DLCI Configuration Display/Change DLCIs... Add DLCI... Delete DLCI... Add, delete, and modify DLCIs from here. Displaying a Frame Relay DLCI configuration table To display a view-only table of the Frame Relay DLCIs, select Display/Change DLCIs in the Frame Relay DLCI Configuration screen, and press Return.
WAN and System Configuration 2-13 Changing a Frame Relay DLCI configuration To modify a Frame Relay DLCI configuration, select Display/Change DLCIs in the Frame Relay DLCI Configuration screen. Select a DLCI Name from the table and press Return to go to the Change DLCI screen. The parameters in this screen are the same as the parameters in the Add DLCI screen. To find out how to set them, see “Adding a Frame Relay DLCI configuration” on page 2-14.
2-14 Firmware User Guide
Adding a Frame Relay DLCI configuration
To add a new Frame Relay DLCI, select Add DLCI in the Frame Relay DLCI Configuration screen and press Return. The Add DLCI screen appears.

    Add DLCI
      DLCI Name:                DLCI 16
      DLCI Enabled:             Yes
      DLCI Number (16-991):     16
      Remote IP Address:        0.0.0.0
      Data Flow Parameters      Use Default    Value
        CIR:                    Yes
        Bc:                     Yes
        Be:                     Yes
      ADD DLCI NOW              CANCEL
    Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
WAN and System Configuration 2-15 provider agrees to transfer from a given PVC (Permanent Virtual Circuit) or DLCI (Data Link Connection Identifier). The setting defaults to 64000, but you may modify the committed burst size by toggling the selection in the Use Default field to No. You can then enter a different committed burst size in the Value field.
2-16 Firmware User Guide Multiple ATM Permanent Virtual Circuits The Netopia Firmware Version 5.4 supports up to eight permanent virtual circuits. Multiple ATM PVC overview On cell-based DSL WAN interfaces, the ATM connection between the device and the central office equipment (DSLAM) is divided logically into one or more virtual circuits (VCs). A virtual circuit may be either a permanent virtual circuit (PVC) or a switched virtual circuit (SVC). Netopia devices support PVCs.
WAN and System Configuration 2-17

    ATM Circuits Configuration
      Show/Change Circuit...
      Add Circuit...
      Delete Circuit...

3. To add a circuit, select Add Circuit and press Return. The Add Circuit screen appears.

    Add Circuit
      Circuit Name:                     Circuit 2
      Circuit Enabled:                  Yes
      Circuit VPI (0-255):              0
      Circuit VCI (32-65535):
      QoS...
      Peak Cell Rate (0 = line rate):
      Use Connection Profile...
2-18 Firmware User Guide
Quality of Service (QoS) settings
■ Select the QoS (Quality of Service) setting from the pop-up menu: UBR or CBR.
  UBR: No configuration is needed for UBR VCs. Leave the default value 0 (maximum line rate).
  CBR: One parameter is required for CBR VCs. Enter the Peak Cell Rate that applies to the VC. This value should be between 1 and the line rate. You set this value according to specifications defined by your service provider.
WAN and System Configuration 2-19 Note: With multiple VCs you must explicitly statically bind the second (and all subsequent) VCs to a profile. The first VC will automatically statically bind according to pre-defined dynamic binding rules when you add the second VC. It will revert back to dynamic binding if the number of VCs is reduced to one; for example, by deleting previously defined VCs.
2-20 Firmware User Guide Editing circuits You configure Virtual Circuits in the ATM Circuits Configuration screen. From the Main Menu, navigate to the ATM Circuits Configuration screen. WAN Configuration Main Menu ATM Circuits Configuration Show/Change Circuit... Add Circuit... Delete Circuit... Select Show/Change Circuit and press Return.
WAN and System Configuration 2-21
Choosing Show/Change Circuit (or Delete Circuit) displays a pop-up menu that allows you to select the circuit to be modified or deleted.

    ATM Circuits Configuration
      Show/Change Circuit...    +--Circuit Name----VPI/VCI--+
      Add Circuit...            | Circuit 1         8/35    |
      Delete Circuit...         | Voice Circuit     0/0     |
                                +---------------------------+
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
2-22 Firmware User Guide
■ Circuit Enabled allows you to enable or disable the circuit, using the Tab key. The default is enabled.
■ Traffic Type allows you to select which type of traffic will be routed on this circuit, Voice or Data. If you choose Voice, the Connection Profile field becomes unavailable and is not displayed.
■ Circuit VPI allows you to specify the Virtual Path Identifier (VPI) value for the circuit. The default VPI value for both ADSL and cell-based DSL is zero (0).
WAN and System Configuration 2-23 Select VC Traffic Statistics. The ATM VC Statistics screen appears. ATM VC Statistics VPI/VCI------Local IP Addr---------Frames Rx--Frames Tx---Bytes Rx---Bytes Tx ----------------------------------SCROLL UP----------------------------------0/39 111.222.333.
2-24 Firmware User Guide Creating a New Connection Profile Connection profiles are useful for configuring the connection and authentication settings for negotiating a PPP connection on a DSL link. If you are using the PPP data link encapsulation method, you can store your authentication information in the connection profile so that your user name and password (or host name and secret) are transmitted when you attempt to connect.
WAN and System Configuration 2-25 Multiple Data Link Encapsulation Settings 4. Select Encapsulation Options and press Return. ❥ If you selected ATMP, PPTP, L2TP, or IPSec, see Chapter 4, “Virtual Private Networks (VPNs).” ❥ If you selected PPP or RFC1483, the screen offers different options: Add Connection Profile Profile Name: Profile Enabled: Encapsulation Type... RFC1483 Mode...
2-26 Firmware User Guide
Datalink (PPP/MP) Options

    Datalink (PPP/MP) Options
      Data Compression...       Standard LZS
      Send Authentication...    PAP
      Send User Name:
      Send Password:
      Receive User Name:
      Receive Password:
      Dial on Demand:

❥ Data Compression defaults to Standard LZS.
WAN and System Configuration 2-27

    IP Profile Parameters
      Address Translation Enabled:    Yes
      IP Addressing...                Numbered
      NAT Map List...                 Easy-PAT List
      NAT Server List...              Easy-Servers
      Local WAN IP Address:           0.0.0.0
      Local WAN IP Mask:              0.0.0.0
      Filter Set...
      Remove Filter Set
      RIP Profile Options...

6. Toggle or enter any IP Parameters you require and return to the Add Connection Profile screen by pressing Escape. For more information, see “IP Setup” on page 6-2.
7. Select COMMIT and press Return.
2-28 Firmware User Guide The Default Profile If you are using RFC1483 data link encapsulation, the Default Profile screen controls whether or not the DSL link will come up without an explicitly configured connection profile. (PPP datalink encapsulation does not support a default profile, and the corresponding menu item is unavailable.) See “Connection Profiles” on page 6-32 for more information.
WAN and System Configuration 2-29
IP parameters (default profile) screen
If you are using RFC1483 datalink encapsulation, the IP Parameters (Default Profile) screen allows you to configure various IP parameters for DSL connections established without an explicitly configured connection profile:

    IP Parameters (Default Profile)
      Address Translation Enabled:    No
      Filter Set (Firewall)...
      Remove Filter Set
      Receive RIP:                    Both
      Transmit RIP:                   Off
    Return/Enter accepts * Tab toggles * ESC cancels.
2-30 Firmware User Guide Scheduled Connections Display/Change Scheduled Connection... Add Scheduled Connection... Delete Scheduled Connection... Navigate from here to add/modify/change/delete Scheduled Connections. Viewing scheduled connections To display a table of scheduled connections, select Display/Change Scheduled Connection in the Scheduled Connections screen. Each scheduled connection occupies one row of the table. Scheduled Connections +-Days----Begin At---HH:MM---When----Conn. Prof.
WAN and System Configuration 2-31
The other columns show:
■ The time of day that the connection will Begin At
■ The duration of the connection (HH:MM)
■ Whether it’s a recurring Weekly connection or used Once Only
■ Which connection profile (Conn. Prof.) is used to connect
■ Whether the scheduled connection is currently Enabled
The router checks the date and time set in scheduled connections against the system date and time.
2-32 Firmware User Guide
demand call on the line.
■ Demand-Allowed, meaning that this schedule will permit a demand call on the line.
■ Demand-Blocked, meaning that this schedule will prevent a demand call on the line.
■ Periodic, meaning that the connection is retried several times during the scheduled time.
If How Often is set to Weekly, the item directly below How Often reads Set Weekly Schedule. If How Often is set to Once Only, the item directly below How Often reads Set Once-Only Schedule.
WAN and System Configuration 2-33
Set Once-Only Schedule
If you set How Often to Once Only, select Set Once-Only Schedule and go to the Set Once-Only Schedule screen.

    Set Once-Only Schedule
      Place Call on (MM/DD/YY):            05/07/1998
      Scheduled Window Start Time:         11:50
      AM or PM:                            AM
      Scheduled Window Duration:           00:00

■ Select Place Call On (Date) and enter a date in the format MM/DD/YY or MM/DD/YYYY (month, day, year).
Note: You must enter the date in the format specified. The slashes are mandatory.
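The following Python helper is an added example (not Netopia code) of validating a Once-Only schedule entry as described above and computing the window that the router compares against its system clock. The function names, the two-digit-year pivot (1970 to 2069) and the sample values passed in the usage section are assumptions made for the example; the manual does not state how YY dates are interpreted.

```python
"""Validate a Once-Only schedule entry and test a clock time against its window.

Added example, not Netopia firmware code.  It enforces the input rule stated in
the manual (MM/DD/YY or MM/DD/YYYY, slashes mandatory) and combines the date,
the 12-hour start time with its AM/PM flag and the HH:MM duration into a
window.  The pivot used for two-digit years is an assumption.
"""
import re
from datetime import datetime, timedelta
from typing import Tuple

# Exactly two-digit month and day, two- or four-digit year, literal slashes.
DATE_RE = re.compile(r"^(\d{2})/(\d{2})/(\d{2}|\d{4})$")


def parse_call_date(text: str) -> datetime:
    """Parse the Place Call on field; rejects any other separator or width."""
    m = DATE_RE.match(text)
    if m is None:
        raise ValueError(f"date must be MM/DD/YY or MM/DD/YYYY with slashes: {text!r}")
    month, day, year = int(m[1]), int(m[2]), int(m[3])
    if year < 100:                              # assumed pivot: 00-69 -> 20xx, 70-99 -> 19xx
        year += 2000 if year < 70 else 1900
    return datetime(year, month, day)           # raises ValueError for dates such as 02/30


def is_valid_call_date(text: str) -> bool:
    """True when the date passes both the format rule and the calendar check."""
    try:
        parse_call_date(text)
        return True
    except ValueError:
        return False


def schedule_window(date_text: str, start_hhmm: str, am_pm: str,
                    duration_hhmm: str) -> Tuple[datetime, datetime]:
    """Return (start, end); a 00:00 duration yields an empty window."""
    start = parse_call_date(date_text)
    hour, minute = (int(x) for x in start_hhmm.split(":"))
    if not (1 <= hour <= 12 and 0 <= minute <= 59):
        raise ValueError(f"bad 12-hour start time: {start_hhmm!r}")
    if am_pm.upper() == "PM" and hour != 12:
        hour += 12
    elif am_pm.upper() == "AM" and hour == 12:
        hour = 0
    start = start.replace(hour=hour, minute=minute)
    dur_h, dur_m = (int(x) for x in duration_hhmm.split(":"))
    return start, start + timedelta(hours=dur_h, minutes=dur_m)


def window_active(now: datetime, window: Tuple[datetime, datetime]) -> bool:
    """The router's check, modelled as start <= now < end."""
    start, end = window
    return start <= now < end


if __name__ == "__main__":
    # Values from the screen above, with a constructed 01:30 duration.
    win = schedule_window("05/07/1998", "11:50", "AM", "01:30")
    print(win, window_active(datetime(1998, 5, 7, 12, 0), win))
```

A duration of 00:00, as shown in the screen's default, produces a window in which no instant is active, which is the case an administrator should check for before relying on a scheduled call.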
2-34 Firmware User Guide Modifying a scheduled connection To modify a scheduled connection, select Display/Change Scheduled Connection in the Scheduled Connections screen to display a table of scheduled connections. Select a scheduled connection from the table and press Return. The Change Scheduled Connection screen appears. The parameters in this screen are the same as the ones in the Add Scheduled Connection screen (except that ADD SCHEDULED CONNECTION and CANCEL do not appear).
WAN and System Configuration 2-35 System Configuration Screens System configuration features The Netopia Firmware Version 5.4 default settings may be all you need to configure your Router. Some users, however, require advanced settings or prefer manual control over the default selections. For these users, Netopia Firmware Version 5.4 provides system configuration options.
2-36 Firmware User Guide The System Configuration menu screen appears: System Configuration IP Setup... Filter Sets... IP Address Serving... Network Address Translation (NAT)... Date and Time... Console Configuration... SNMP (Simple Network Management Protocol)... Security... Upgrade Feature Set... Change Device to a Bridge... Logging... Use this screen if you want options beyond Easy Setup. IP Setup These screens allow you to configure your network’s use of the IP networking protocol.
WAN and System Configuration 2-37 Stateful Inspection firewall Stateful inspection firewall is a security feature that prevents unsolicited inbound access when NAT is disabled. You can configure UDP and TCP “no-activity” periods that will also apply to NAT time-outs if stateful inspection is enabled on the interface. Stateful Inspection parameters are active on a WAN interface only if enabled on your Gateway. Stateful inspection can be enabled on a profile whether NAT is enabled or not.
2-38 Firmware User Guide
Stateful Inspection Options
Enable and configure stateful inspection on a WAN interface.

    IP Profile Parameters
      Address Translation Enabled:    Yes
      IP Addressing...                Numbered
      NAT Map List...                 Easy-PAT List
      NAT Server List...              Easy-Servers
      NAT Options...
      Stateful Inspection Enabled:    No
      Local WAN IP Address:           0.0.0.0
      Local WAN IP Mask:              0.0.0.0
      Filter Set...
      Remove Filter Set
      RIP Profile Options...
    Return/Enter to select ...
WAN and System Configuration 2-39

    Stateful Inspection Parameters
      Max. TCP Sequence Number Difference:    0
      Enable default mapping to router:       No
      Deny Fragmented Packets:                No
      Exposed Address List...
    Enter max. allowed TCP sequence number difference (1 - 65535), 0 to disable.

■ Max. TCP Sequence Number Difference: Enter a value in this field. This value represents the maximum sequence number difference allowed between subsequent TCP packets. If this number is exceeded, the packet is dropped.
2-40 Firmware User Guide
[Screen: Stateful Inspection Parameters with the Exposed Address List pop-up open; the pop-up lists the defined list my_xposed_list and a <> entry. Up/Down Arrows to select, then Return/Enter; ESC to cancel.]
Exposed Addresses
You can specify the IP addresses you want to expose by selecting Add Exposed Address List and pressing Return.
WAN and System Configuration 2-41

    Change Exposed Address Range ("my_xposed_list")
      First Exposed Address:    192.168.1.10
      Last Exposed Address:
      Protocol...               (pop-up: TCP and UDP, TCP, UDP, ANY)
      Port Start:
      Port End:
      CHANGE EXPOSED ADDRESS RANGE    CANCEL

■ Start Address: Start IP Address of the exposed host range.
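The Stateful Inspection Parameters and Exposed Address Range screens above describe three decisions the firewall makes. The following Python model is an added example, not Netopia firmware code, that implements them so their interaction can be exercised: unsolicited inbound packets are dropped unless an exposed range matches, a TCP sequence-number jump larger than the configured difference is dropped, and fragments are dropped when denied. The ExposedRange, Packet and StatefulInspector names, the traffic in run_demo() and the remote address 203.0.113.5 are constructed for the example; only the address 192.168.1.10 and the protocol choices come from the screens.

```python
"""Model of the stateful-inspection decisions described on the screens above.

Added illustration, not Netopia firmware code.  Unsolicited inbound packets are
dropped unless an Exposed Address List entry (address range, protocol, port
range) matches; packets on a known flow are dropped when the TCP sequence
number moves by more than Max. TCP Sequence Number Difference (0 disables the
check); fragments are dropped when Deny Fragmented Packets is set.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ExposedRange:
    """One row of an Exposed Address List."""
    first: IPv4Address
    last: IPv4Address
    protocol: str        # "TCP and UDP", "TCP", "UDP" or "ANY", as in the pop-up
    port_start: int
    port_end: int

    def matches(self, dst: IPv4Address, proto: str, dport: Optional[int]) -> bool:
        if not self.first <= dst <= self.last:
            return False
        if self.protocol == "ANY":
            return True
        allowed = ("TCP", "UDP") if self.protocol == "TCP and UDP" else (self.protocol,)
        if proto not in allowed or dport is None:
            return False
        return self.port_start <= dport <= self.port_end


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    direction: str               # "in" = arriving from the WAN, "out" = leaving the LAN
    seq: Optional[int] = None    # TCP sequence number, if any
    fragment: bool = False


@dataclass
class StatefulInspector:
    max_seq_diff: int = 0        # 0 disables the sequence-number check
    deny_fragments: bool = False
    exposed: List[ExposedRange] = field(default_factory=list)
    flows: Dict[tuple, Dict[str, Optional[int]]] = field(default_factory=dict)

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Both directions of one conversation must share a single flow entry.
        a = (p.src, p.sport or 0)
        b = (p.dst, p.dport or 0)
        return (p.proto,) + (a + b if a <= b else b + a)

    def inspect(self, p: Packet) -> str:
        """Return "accept" (with a reason where useful) or a "drop: ..." reason."""
        if p.fragment and self.deny_fragments:
            return "drop: fragment"
        key = self._key(p)
        flow = self.flows.get(key)
        if flow is None:
            if p.direction == "out":
                # LAN-originated traffic opens a flow so that replies are admitted.
                self.flows[key] = {"in": None, "out": p.seq}
                return "accept"
            if any(r.matches(p.dst, p.proto, p.dport) for r in self.exposed):
                self.flows[key] = {"in": p.seq, "out": None}
                return "accept: exposed"
            return "drop: unsolicited inbound"
        # Known flow: compare with the last sequence number seen in the same
        # direction (plain difference; 32-bit wrap-around is ignored in this model).
        if p.proto == "TCP" and self.max_seq_diff and p.seq is not None:
            last = flow[p.direction]
            if last is not None and abs(p.seq - last) > self.max_seq_diff:
                return "drop: sequence number jump"
        if p.seq is not None:
            flow[p.direction] = p.seq
        return "accept"


def run_demo() -> List[str]:
    """Constructed traffic: a LAN client, an exposed web server and a remote host."""
    lan = IPv4Address("192.168.1.20")
    web = IPv4Address("192.168.1.10")        # address shown on the screen above
    remote = IPv4Address("203.0.113.5")      # constructed documentation address
    fw = StatefulInspector(max_seq_diff=1000, deny_fragments=True,
                           exposed=[ExposedRange(web, web, "TCP", 80, 80)])
    packets = [
        Packet(lan, remote, "TCP", 40000, 443, "out", seq=100),      # LAN opens a connection
        Packet(remote, lan, "TCP", 443, 40000, "in", seq=5000),      # reply on that flow
        Packet(remote, lan, "TCP", 443, 40000, "in", seq=5500),      # within the allowed difference
        Packet(remote, lan, "TCP", 443, 40000, "in", seq=99999),     # jump far beyond 1000
        Packet(remote, web, "TCP", 51000, 80, "in", seq=1),          # exposed port 80
        Packet(remote, web, "TCP", 51001, 22, "in", seq=1),          # port 22 is not exposed
        Packet(remote, lan, "UDP", 53, 40001, "in"),                 # no matching flow
        Packet(remote, web, "TCP", 51002, 80, "in", seq=1, fragment=True),
    ]
    return [fw.inspect(p) for p in packets]


def demo_disabled_seq_check() -> str:
    """With Max. TCP Sequence Number Difference = 0 the same jump is accepted."""
    fw = StatefulInspector(max_seq_diff=0)
    lan, remote = IPv4Address("192.168.1.20"), IPv4Address("203.0.113.5")
    fw.inspect(Packet(lan, remote, "TCP", 40000, 443, "out", seq=100))
    fw.inspect(Packet(remote, lan, "TCP", 443, 40000, "in", seq=5000))
    return fw.inspect(Packet(remote, lan, "TCP", 443, 40000, "in", seq=99999))


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The model makes the trade-off visible: a small Max. TCP Sequence Number Difference rejects spoofed segments that fall outside the window the router has seen, but it also drops legitimate segments after long idle periods or large retransmission gaps, so the value has to be chosen against real traffic rather than set as low as possible.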
2-42 Firmware User Guide
Date and time
You can set the system’s date and time parameters in the Set Date and Time screen. Select Date and Time in the System Configuration screen and press Return. The Set Date and Time screen appears.

    Set Date and Time
      NTP (Network Time Prot.) Enabled:      On
      Time Server Host Name/IP Address:      204.152.184.
      Time Zone...
      NTP Update Interval (HHHH:MM)
WAN and System Configuration 2-43 Console Configuration You can change the default terminal communications parameters to suit your requirements. To go to the Console Configuration screen, select Console Configuration in the System Configuration screen. Console Configuration Baud Rate... 57600 SET CONFIG NOW CANCEL Follow these steps to change a parameter’s value: 1. Select 57600, 38400, 19200, or 9600. 2. Select SET CONFIG NOW to save the new parameter settings.
2-44 Firmware User Guide RFC-1483 Transparent Bridging This feature allows you to turn off the routing features and use your device as a bridge. If you select this option, the device will restart itself, and reset all the settings to factory defaults. Any configurations you have made will be erased. Use this feature with caution. If you decide to reinstate the routing capabilities, you must reconfigure the device from scratch. From the Main Menu, select System Configuration. System Configuration IP Setup.
WAN and System Configuration 2-45 Netopia Router WAN Configuration... System Configuration... Utilities & Diagnostics... Statistics & Logs... Quick View... You can reinstate router mode by returning to the System Configuration menu. System Configuration Management IP Setup... Filter Sets... Date and Time... Console Configuration... SNMP (Simple Network Management Protocol)... Security... Upgrade Feature Set... Change Device to a Router... Logging... Use this screen if you want options beyond Easy Setup.
2-46 Firmware User Guide
Logging
You can configure a UNIX-compatible syslog client to report a number of subsets of the events entered in the router’s WAN Event History. See “WAN Event History” on page 9-5. Select Logging from the System Configuration menu. The Logging Configuration screen appears.

    Logging Configuration
      WAN Event Log Options
        Log Boot and Errors:
        Log Line Specific:
        Log Connections:
        Log PPP, DHCP, CNA:
        Log IP:
      Syslog Parameters
        Syslog Enabled:
        Hostname or IP Address:
        Facility...
WAN and System Configuration 2-47
You will need to install a Syslog client daemon program on your PC and configure it to report the WAN events you specified in the Logging Configuration screen. The following screen shows a sample syslog dump of WAN events:

    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.com
    May 5 10:14:06 tsnext.netopia.
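As an added example that is not part of the manual or the firmware, the following Python script parses lines in the BSD syslog format shown in the dump, supplies the year that such timestamps lack, and summarises the events. The host name matches the dump, but the message texts in SAMPLE are constructed because the manual shows only the line prefixes; the final cut-off line reproduces the truncated last line of the dump so the parser's handling of it is visible.

```python
"""Parse the router's syslog output and summarise the WAN events in it.

Added example, not Netopia code.  Message texts in SAMPLE are constructed; the
"May  5 10:14:06 tsnext.netopia.com" prefix is the form shown in the manual.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# BSD-style syslog line as a UNIX syslog daemon writes it: "Mon  D HH:MM:SS host message"
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<msg>.+)$"
)

# Constructed sample; the last line mimics the truncated line in the manual's dump.
SAMPLE = """\
May  5 10:14:06 tsnext.netopia.com WAN: line up
May  5 10:14:06 tsnext.netopia.com PPP: authentication succeeded
May  5 10:14:06 tsnext.netopia.com IP: address assigned by peer
May  5 10:14:09 tsnext.netopia.com PPP: authentication failed
May  5 10:14:09 tsnext.netopia.com PPP: authentication failed
May  5 10:14:09 tsnext.netopia.com PPP: authentication failed
May  5 10:14:12 tsnext.netopia.com WAN: line down
May  5 10:14:12 tsnext.netopia."""


class Event(NamedTuple):
    when: datetime
    host: str
    message: str


def parse_line(line: str, year: int) -> Optional[Event]:
    """BSD syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    when = datetime.strptime(f"{m['month']} {m['day']} {year} {m['time']}",
                             "%b %d %Y %H:%M:%S")
    return Event(when, m["host"], m["msg"])


def summarise(lines: List[str], year: int, repeat_threshold: int = 3) -> Dict[str, object]:
    """Count parsed and unparsed lines, events per host, the busiest second
    and any message repeated at least repeat_threshold times."""
    events: List[Event] = []
    unparsed: List[str] = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    per_second = Counter(ev.when for ev in events)
    repeated = {msg: n for msg, n in Counter(ev.message for ev in events).items()
                if n >= repeat_threshold}
    return {
        "events": len(events),
        "unparsed": len(unparsed),
        "per_host": dict(Counter(ev.host for ev in events)),
        "peak_per_second": max(per_second.values(), default=0),
        "repeated": repeated,
    }


def demo() -> Dict[str, object]:
    return summarise(SAMPLE.splitlines(), year=2004)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the router sends these records over UDP syslog with no integrity protection, the receiving daemon should sit on the trusted side of the router and the unparsed-line count should be watched: a rising count usually means a changed firmware format or a damaged feed rather than an attack, but it is the first thing to rule out.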
Multiple Network Address Translation 3-1 Chapter 3 Multiple Network Address Translation Netopia Firmware Version 5.4 offers advanced Multiple Network Address Translation functionality. You should read this chapter completely before attempting to configure any of the advanced NAT features.
3-2 Firmware User Guide Features MultiNAT features can be divided into several categories that can be used simultaneously in different combinations on a per-Connection Profile basis. The following is a general description of these features: Port Address Translation The simplest form of classic Network Address Translation is PAT (Port Address Translation). PAT allows a group of computers on a LAN, such as might be found in a home or small office, to share a single Internet connection using one IP address.
Multiple Network Address Translation 3-3 Dynamic mapping Dynamic mapping, often referred to as many-to-few, offers an extension to the advantages provided by static mapping. Instead of requiring a one-to-one association of public addresses and private addresses, as is required in static mapping, dynamic mapping uses a group of public IP addresses to dynamically allocate static mappings to private hosts that are communicating with the public network.
3-4 Firmware User Guide
[Figure: WAN network public addresses 172.16.1.25 through 172.16.1.29, some available for Dynamic NAT and some used for Normal NAT, mapped to LAN network hosts 192.168.1.3 through 192.168.1.16.]
Multiple Network Address Translation 3-5
Complex maps
Map lists and server lists are completely independent of each other. A Connection Profile can use one or the other or both. MultiNAT allows complex mapping and requires more complex configuration than in earlier firmware versions. Multiple mapped interior subnets are supported, and the rules for mapping each of the subnets may be different. The figure below illustrates a possible multiNAT configuration.
[Figure: a possible MultiNAT configuration using public addresses 206.1.1.1, 206.1.1.2, 206.1.1.3, 206.1.1.4 and further addresses in 206.1.1.x; figure not reproduced.]
3-6 Firmware User Guide Currently there is a restriction that the remote user must be routed to via the WAN interface, otherwise the connections will fail. There is no restriction as to the number of connections. There is no user configuration required for this feature. MultiNAT Configuration You configure the MultiNAT features through the console menu: ■ For a simple 1-to-many NAT configuration (classic NAT or PAT), use the Easy Setup Profile configuration, described below.
Multiple Network Address Translation 3-7 Server Lists and Dynamic NAT configuration You use the advanced NAT feature sets by first defining a series of mapping rules and then grouping them into a list. There are two kinds of lists -- map lists, made up of dynamic, PAT and static mapping rules, and server lists, a list of internal services to be presented to the external world. Creating these lists is a four-step process: 1.
3-8 Firmware User Guide

    IP Setup
      Ethernet IP Address:            192.168.1.1
      Ethernet Subnet Mask:           255.255.255.0
      Define Additional Subnets...
      Default IP Gateway:             127.0.0.2
      Primary Domain Name Server:     0.0.0.0
      Secondary Domain Name Server:   0.0.0.0
      Domain Name:                    isp.com
      Receive RIP...                  Both
      Transmit RIP...                 Off
      Static Routes...
      Network Address Translation (NAT)...
      IP Address Serving...
    Set up the basic IP attributes of your Netopia in this screen.

Select Network Address Translation (NAT) and press Return.
Multiple Network Address Translation 3-9
NAT rules
The following rules apply to assigning NAT ranges and server lists:
■ Static public address ranges must not overlap other static, PAT, public addresses, or the public address assigned to the router’s WAN interface.
■ A PAT public address must not overlap any static address ranges. It may be the same as another PAT address or server list address, but the port range must not overlap.
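The overlap rules above are easy to violate when several map lists and server lists are edited separately, so here is an added Python check, not Netopia code, that applies them to a set of public ranges before they are entered. PublicRange, the kind labels and every entry in demo() are assumptions made for the example, with the 206.1.1.x addresses borrowed from this chapter's figures.

```python
"""Check a set of NAT public ranges against the rules stated in the manual.

Added example, not Netopia code.  A static public range may not overlap any
other static or PAT public address nor the WAN interface address; a PAT (or
server-list) address may coincide with another PAT or server-list address only
if the port ranges do not overlap.  The entries in demo() are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

STATIC, PAT, SERVER = "static", "pat", "server"


@dataclass(frozen=True)
class PublicRange:
    name: str
    kind: str                 # STATIC, PAT or SERVER
    first: IPv4Address
    last: IPv4Address
    port_start: int = 1       # ports are meaningful for PAT and server-list entries only
    port_end: int = 65535

    def __post_init__(self) -> None:
        if self.first > self.last:
            raise ValueError(f"{self.name}: first address is above last address")
        if not 1 <= self.port_start <= self.port_end <= 65535:
            raise ValueError(f"{self.name}: bad port range")


def addresses_overlap(a: PublicRange, b: PublicRange) -> bool:
    return a.first <= b.last and b.first <= a.last


def ports_overlap(a: PublicRange, b: PublicRange) -> bool:
    return a.port_start <= b.port_end and b.port_start <= a.port_end


def check_nat_ranges(ranges: List[PublicRange], wan_address: IPv4Address) -> List[str]:
    """Return one message per rule violation; an empty list means the set is consistent."""
    problems: List[str] = []
    for r in ranges:
        if r.kind == STATIC and r.first <= wan_address <= r.last:
            problems.append(f"{r.name}: static range contains the WAN interface address {wan_address}")
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if not addresses_overlap(a, b):
                continue
            if STATIC in (a.kind, b.kind):
                problems.append(f"{a.name} and {b.name}: address ranges overlap and one of them is static")
            elif ports_overlap(a, b):
                problems.append(f"{a.name} and {b.name}: same public address and overlapping port ranges")
    return problems


def demo() -> List[str]:
    """Constructed set: one good static range, a PAT pool sharing the WAN address
    with two server exports, and a static range that breaks several rules."""
    wan = IPv4Address("206.1.1.1")
    ranges = [
        PublicRange("static_hosts", STATIC, IPv4Address("206.1.1.2"), IPv4Address("206.1.1.4")),
        PublicRange("easy_pat", PAT, wan, wan, 49152, 65535),     # assumed PAT port pool
        PublicRange("web_export", SERVER, wan, wan, 80, 80),      # shares the PAT address, disjoint ports
        PublicRange("ftp_export", SERVER, wan, wan, 20, 80),      # collides with web_export on port 80
        PublicRange("bad_static", STATIC, IPv4Address("206.1.1.1"), IPv4Address("206.1.1.3")),
    ]
    return check_nat_ranges(ranges, wan)


if __name__ == "__main__":
    print("\n".join(demo()) or "no problems")
```

The easy_pat and web_export pair passes because the rules allow a PAT address and a server-list address to coincide when their port ranges are disjoint; everything involving bad_static fails because a static range is exclusive regardless of ports.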
3-10 Firmware User Guide Select First Public Address and enter the first exterior IP address in the range you want to assign. Select Last Public Address and enter an IP address at the end of the range. ■ Select ADD NAT PUBLIC RANGE and press Return. The range will be added to your list and you will be returned to the Network Address Translation screen. Once the public ranges have been assigned, the next step is to bind interior addresses to them.
Multiple Network Address Translation 3-11

■ Select Add Map and press Return. The Add NAT Map screen appears.

Add NAT Map ("my_map")
  First Private Address:  192.168.1.1
  Last Private Address:   192.168.1.254
  Use NAT Public Range...
  ADD NAT MAP    CANCEL

■ Select First and Last Private Address and enter the first and last interior IP addresses you want to assign to this mapping.
■ Select Use NAT Public Range and press Return. A screen appears displaying the public ranges you have defined.
3-12 Firmware User Guide

mapping and press Return. If none of your preconfigured ranges are suitable for this mapping, you can select <> and create a new range. If you choose <>, the Add NAT Public Range screen displays and you can create a new public range to be used by this map. See Add NAT Public Range on page 3-9.
■ The Add NAT Map screen now displays the range you have assigned.

Add NAT Map ("my_map")
  First Private Address:  192.168.1.1
  Last Private Address:   192.168.1.
Multiple Network Address Translation 3-13

Modifying map lists

You can make changes to an existing map list after you have created it. Since there may be more than one map list, you must select which one you are modifying. From the Network Address Translation screen select Show/Change Map List and press Return.
■ Select the map list you want to modify from the pop-up menu.
3-14 Firmware User Guide

■ Add Map allows you to add a new map to the map list.
■ Show/Change Maps allows you to modify the individual maps within the list.
■ Delete Map allows you to delete a map from the list.

Selecting Show/Change Maps or Delete Map displays the same pop-up menu.

Show/Change NAT Map List
+---Private Address Range---------Type----Public Address Range------------+
+-------------------------------------------------------------------------+
| 192.168.1.1  192.168.1.254      pat     206.1.1.
Multiple Network Address Translation 3-15

Adding Server Lists

Server lists, also known as Exports, are handled similarly to map lists. If you want to make a particular server’s port accessible (and it isn’t accessible through other means, such as a static mapping), you must create a server list. Select Add Server List from the Network Address Translation screen. The Add NAT Server List screen appears.

Add NAT Server List
  Server List Name:  my_servers
  Add Server...
3-16 Firmware User Guide

■ Select Add Server and press Return. The Add NAT Server screen appears.

Add NAT Server ("my_servers")
  Service...
  Server Private IP Address:  192.168.1.45
  Public IP Address:          206.1.1.1
  ADD NAT SERVER    CANCEL

■ Select Service and press Return. A pop-up menu appears listing a selection of commonly exported services.

Add NAT Server ("my_servers")
+-Type------Port(s)-------+
+-------------------------+
  Service...
Multiple Network Address Translation 3-17

Other Exported Port
  First Port Number (1..65535):  31337
  Last Port Number (1..65535):   31337
  OK    CANCEL

■ Enter the First and Last Port Number between ports 1 and 65535. Select OK and press Return. You will be returned to the Add NAT Server screen.
■ Enter the Server Private IP Address of the server whose service you are exporting.
3-18 Firmware User Guide

Modifying server lists

Once a server list exists, you can select it for modification or deletion.
■ Select Show/Change Server List from the Network Address Translation screen.
■ Select the Server List Name you want to modify from the pop-up menu and press Return.

Network Address Translation
+-NAT Server List Name-+
+----------------------+
| my_servers           |
+----------------------+
Multiple Network Address Translation 3-19

■ Selecting Show/Change Server or Delete Server displays the same pop-up menu.

Show/Change NAT Server List
+-Private Address--Public Address----Port------------+
+----------------------------------------------------+
| 192.168.1.254    206.1.1.6         smtp            |
| 192.168.1.254    206.1.1.5         smtp            |
| 192.168.1.254    206.1.1.4         smtp            |
| 192.168.1.254    206.1.1.3         smtp            |
| 192.168.1.254    206.1.1.
3-20 Firmware User Guide

Deleting a server

To delete a server from the list, select Delete Server from the Show/Change NAT Server List menu and press Return. A pop-up menu lists your configured servers. Select the one you want to delete and press Return. A dialog box asks you to confirm your choice.

Show/Change NAT Server List
+-Internal Address-External Address--Port------------+
+----------------------------------------------------+
| 192.168.1.254    206.1.1.
Multiple Network Address Translation 3-21 Binding Map Lists and Server Lists Once you have created your map lists and server lists, for most Netopia Router models you must bind them to a profile, either a Connection Profile or the Default Profile.
3-22 Firmware User Guide

■ Select NAT Map List and press Return. A pop-up menu displays a list of your defined map lists.

IP Profile Parameters
+--NAT Map List Name---+
+----------------------+
| Easy-PAT             |
| my_map               |
| <>                   |
+----------------------+
Multiple Network Address Translation 3-23 IP Parameters (WAN Default Profile) The Netopia Firmware Version 5.4 using RFC 1483 supports a WAN default profile that permits several parameters to be configured without an explicitly configured Connection Profile. The procedure is similar to the procedure to bind map lists and server lists to a Connection Profile. From the Main Menu go to the WAN Configuration screen, then the Default Profile screen. Select IP Parameters and press Return.
3-24 Firmware User Guide

■ Select NAT Map List and press Return. A pop-up menu displays a list of your defined map lists.

IP Parameters (Default Profile)
+--NAT Map List Name---+
+----------------------+
| Easy-PAT List        |
| my_map               |
| <>                   |
+----------------------+
Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
Multiple Network Address Translation 3-25 NAT Associations Configuration of map and server lists alone is not sufficient to enable NAT for a WAN connection because map and server lists must be linked to a profile that controls the WAN interface. This can be a Connection Profile, a WAN Ethernet interface, a default profile, or a default answer profile.
3-26 Firmware User Guide keys. Select the item by pressing Return to display a pop-up menu of all of your configured lists.
Multiple Network Address Translation 3-27

IP Passthrough

Netopia Firmware Version 5.4 offers an IP passthrough feature. The IP passthrough feature allows a single PC on the LAN to have the router’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet. Using IP passthrough:

■ The public WAN IP is used to provide IP address translation for private LAN computers.
3-28 Firmware User Guide

The IP Profile Parameters screen, found under the WAN Configuration menu, Add/Change Connection Profile screen, appears as shown.

IP Profile Parameters
  Address Translation Enabled:  Yes
  IP Addressing...              Numbered
  NAT Map List...               Easy-PAT List
  NAT Server List...            Easy-Servers
  NAT Options...
  Stateful Inspection Enabled:  No
  Local WAN IP Address:         0.0.0.0
  Local WAN IP Mask:            0.0.0.0
  Filter Set...
  Remove Filter Set
  RIP Profile Options...
Multiple Network Address Translation 3-29

NAT Options
  IP Passthrough Enabled:           Yes
  IP Passthrough DHCP Enabled:      Yes
  IP Passthrough DHCP MAC address:  00-00-00-00-00-00
Enter MAC addr. of IP passthrough host, or zeroes for first come first serve.

Toggling IP Passthrough DHCP Enabled to Yes displays the IP Passthrough DHCP MAC address field. This is an editable field in which you can enter the MAC (hardware) address of the designated PC, to be used as the DHCP Client Identifier for dynamic address reservation.
3-30 Firmware User Guide

A restriction

Since both the router and the passthrough host will use the same IP address, new sessions that conflict with existing sessions will be rejected by the router. For example, suppose you are a teleworker using an IPSec tunnel from the router and another from the passthrough host. Both tunnels go to the same remote endpoint, such as the VPN access concentrator at your employer’s office.
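The restriction is easiest to see with a small session-table model. This is an added illustration, not Netopia's implementation: it assumes the router distinguishes sessions on the shared public address by (protocol, local port, remote address, remote port), that IKE runs on UDP port 500, and that ESP, which carries no port numbers, is keyed on the remote address alone. Under those assumptions a second IPsec tunnel to the same peer collides, while ordinary TCP sessions with distinct source ports do not.

```python
"""Model the IP passthrough session conflict described above.

Constructed illustration, not Netopia code: the router and the passthrough
host share one public address, so sessions can only be told apart by the
(protocol, local port, remote address, remote port) tuple.  IKE (UDP/500)
and ESP (no ports) to one remote endpoint produce identical tuples for
both owners, so the second tunnel is rejected.
"""
from typing import Dict, Optional, Tuple

# (protocol, local port, remote address, remote port); None where the
# protocol has no port field (ESP).
SessionKey = Tuple[str, Optional[int], str, Optional[int]]


class SharedAddressSessions:
    """Sessions of the router and the passthrough host on one public IP."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.owner: Dict[SessionKey, str] = {}

    def open_session(self, owner: str, protocol: str, local_port: Optional[int],
                     remote_ip: str, remote_port: Optional[int]) -> bool:
        """Return True if the session is accepted, False if it conflicts
        with an existing session belonging to the other owner."""
        key: SessionKey = (protocol, local_port, remote_ip, remote_port)
        current = self.owner.get(key)
        if current is not None and current != owner:
            return False  # same public address, same tuple: rejected
        self.owner[key] = owner
        return True


def ipsec_tunnel(sessions: SharedAddressSessions, owner: str, peer: str) -> bool:
    """IKE phase 1 on UDP/500 plus the ESP SA (assumed model); the tunnel
    only works if both are accepted."""
    ike_ok = sessions.open_session(owner, "UDP", 500, peer, 500)
    esp_ok = sessions.open_session(owner, "ESP", None, peer, None)
    return ike_ok and esp_ok


if __name__ == "__main__":
    table = SharedAddressSessions("206.1.1.6")
    concentrator = "198.51.100.10"  # constructed remote endpoint
    print("router tunnel:", ipsec_tunnel(table, "router", concentrator))
    print("passthrough host tunnel to same peer:",
          ipsec_tunnel(table, "passthrough-host", concentrator))
```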
Multiple Network Address Translation 3-31 MultiNAT Configuration Example To help you understand a typical MultiNAT configuration, this section describes an example of the type of configuration you may want to implement on your site. The values shown are for example purposes only. Make your own appropriate substitutions. A typical DSL service from an ISP might include five user addresses. Without PAT, you might be able to attach only five IP hosts.
3-32 Firmware User Guide

Enter your ISP-supplied values as shown below.

Connection Profile 1: Easy Setup Profile
  Connection Profile Name:      Easy Setup Profile
  Address Translation Enabled:  Yes
  IP Addressing...              Numbered
  Local WAN IP Address:         206.1.1.6
  Local WAN IP Mask:            255.255.255.248
  PREVIOUS SCREEN    NEXT SCREEN
Enter a subnet mask in decimal and dot form (xxx.xxx.xxx.xxx).
Enter basic information about your WAN connection with this screen.

Select NEXT SCREEN and press Return.
Multiple Network Address Translation 3-33 Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned for your public address (206.1.1.6, in this example). Toggle Type to pat. Your public address is then mapped to the remaining private IP addresses using PAT. (If you were not using the Easy-PAT Range and Easy-PAT List that are created by default by using Easy Setup, you would have to define a public range and map list.
3-34 Firmware User Guide

Select ADD NAT PUBLIC RANGE and press Return. You are returned to the Network Address Translation screen. Next, select Show/Change Map List and choose Easy-PAT List. Select Add Map. The Add NAT Map screen appears. (Now the name Easy-PAT List is a misnomer, since it has a static map included in its list.) Enter 192.168.1.1 for the First Private Address and 192.168.1.5 for the Last Private Address.

Add NAT Map ("Easy-PAT List")
  First Private Address:  192.168.1.
Multiple Network Address Translation 3-35 To make these changes, first limit the range of remapped addresses on the Static Map and then edit the default server list called Easy-Servers. ■ First, navigate to the Show/Change Map List screen, select Easy-PAT List and then Show/Change Maps. Choose the Static Map you created and change the First Private Address from 192.168.1.1 to 192.168.1.4.
Virtual Private Networks (VPNs) 4-1 Chapter 4 Virtual Private Networks (VPNs) The Netopia Firmware Version 5.4 offers IPsec, PPTP, and ATMP tunneling support for Virtual Private Networks (VPN).
4-2 Firmware User Guide The Netopia Firmware Version 5.4 can be used in VPNs either to initiate the connection or to answer it. When used in this way, the routers are said to be tunnelling through the public network (Internet). The advantages are that, like your long distance phone call, you don't need a direct line between one computer or LAN and the other, but use the local connections, making it much cheaper; and the information you exchange through your tunnel is private and secure.
Virtual Private Networks (VPNs) 4-3 protocol over IP. ATMP is more efficient than PPTP for network-to-network tunnels. ■ IPsec stands for IP Security, a set of protocols that supports secure exchange of IP packets at the IP layer. IPsec is deployed widely to implement Virtual Private Networks (VPNs). IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched.
4-4 Firmware User Guide About PPTP Tunnels To set up a PPTP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote PPTP partner. You use the same procedure to initiate a PPTP tunnel that terminates at a remote PPTP server or to terminate a tunnel initiated by a remote PPTP client. PPTP configuration To set up the router as a PPTP Network Server (PNS) capable of answering PPTP tunnel requests you must also configure the VPN Default Answer Profile.
Virtual Private Networks (VPNs) 4-5

When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then select Data Link Options, the PPTP Tunnel Options screen appears.

PPTP Tunnel Options
  PPTP Partner IP Address:  173.167.8.134
  Tunnel Via Gateway:       0.0.0.0
  Authentication...
  Data Compression...
4-6 Firmware User Guide Note: The Netopia Firmware Version 5.4 supports 128-bit (“strong”) encryption. Unlike MS-CHAP version 1, which supports one-way authentication, MS-CHAP version 2 supports mutual authentication between connected routers and is incompatible with MS-CHAP version 1 (MS-CHAP-V1). When you choose MS-CHAP as the authentication method for the PPTP tunnel, the Netopia router will start negotiating MS-CHAP-V2.
Virtual Private Networks (VPNs) 4-7

The IP Profile Parameters screen appears.

IP Profile Parameters
  Address Translation Enabled:  Yes
  NAT Map List...               Easy-PAT
  NAT Server List...            Easy-Servers
  Local WAN IP Address:         0.0.0.0
  Remote IP Address:            173.167.8.10
  Remote IP Mask:               255.255.0.0
  Filter Set...
  Remove Filter Set
  RIP Profile Options...

■ Enter the Remote IP Address and Remote IP Mask for the host to which you want to tunnel.
4-8 Firmware User Guide About ATMP Tunnels To set up an ATMP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote ATMP partner. ATMP uses the terminology of a foreign agent that initiates tunnels and a home agent that terminates them. You use the same procedure to initiate or terminate an ATMP tunnel. Used in this way, the terms initiate and terminate mean the beginning and end of the tunnel; they do not mean activate and deactivate.
Virtual Private Networks (VPNs) 4-9

When you define a Connection Profile as using ATMP by selecting ATMP as the datalink encapsulation method, and then select Data Link Options, the ATMP Tunnel Options screen appears.

ATMP Tunnel Options
  ATMP Partner IP Address:  173.167.8.134
  Tunnel Via Gateway:       0.0.0.0
  Network Name:             sam.net
  Password:                 ****
  Data Encryption...
4-10 Firmware User Guide them, acting as a home agent (No). ■ Tunnels are normally initiated On Demand; however, you can disable this feature. When disabled, the tunnel must be manually established through the call management screens. ■ You can specify the Idle Timeout, an inactivity timer, whose expiration will terminate the tunnel. A value of zero disables the timer.
Virtual Private Networks (VPNs) 4-11 MS-CHAP V2 and 128-bit strong encryption Notes: ■ The Netopia Firmware Version 5.4 supports 128-bit (“strong”) encryption when using PPTP tunnels. ATMP does not have an option of using 128-bit MPPE. If you are using ATMP between two Netopia routers you can optionally set 56-bit DES encryption. ■ When you choose MS-CHAP as the authentication method for a PPTP tunnel, the Netopia router will start negotiating MS-CHAPv2.
4-12 Firmware User Guide

ATMP/PPTP Default Profile
  Answer ATMP/PPTP Connections:  No
  PPTP Configuration Options
    Receive Authentication...    PAP
    Data Compression...          None

■ Toggle Answer ATMP/PPTP Connections to Yes if you want the router to accept VPN connections, or No (the default) if you do not.
■ For PPTP tunnel connections only, you must define what type of authentication these connections will use. Select Receive Authentication and press Return.
Virtual Private Networks (VPNs) 4-13

VPN QuickView

You can view the status of your VPN connections in the VPN QuickView screen. From the Main Menu select QuickView and then VPN QuickView.

Main Menu
  QuickView
    VPN QuickView

The VPN QuickView screen appears.

VPN Quick View
Profile Name----------Type----Rx Pckts---Tx Pckts--RxDiscard--Remote Address-
HA <-> FA1 (Jony Fon  ATMP    99         99        0          173.166.82.8
HA <-> FA3 (Sleve M.  ATMP    13         14        0          173.166.117.
4-14 Firmware User Guide Dial-Up Networking for VPN Microsoft Windows Dial-Up Networking software permits a remote standalone workstation to establish a VPN tunnel to a PPTP server such as a Netopia Router located at a central site. Dial-Up Networking also allows a mobile user who may not be connected to a PAC to dial into an intermediate ISP and establish a VPN tunnel to, for example, a corporate headquarters, remotely.
Virtual Private Networks (VPNs) 4-15

The Communications window appears.
5. In the Communications window, select Dial-Up Networking and click the OK button. This returns you to the Windows Setup screen. Click the OK button.
6. Respond to the prompts to install Dial-Up Networking from the system disks or CD-ROM.
7. When prompted, reboot your PC.
4-16 Firmware User Guide

Configuring a Dial-Up Networking profile

Once you have created your Dial-Up Networking profile, you configure it for TCP/IP networking to allow you to connect to the Internet through your Internet connection device. Do the following:
1. Double-click the My Computer (or whatever you have named it) icon on your desktop. Open the Dial-Up Networking folder. You will see the icon for the profile you created in the previous section.
2.
Virtual Private Networks (VPNs) 4-17

4.
5. Click the TCP/IP Settings button.
   ■ If your ISP uses dynamic IP addressing (DHCP), select the Server assigned IP address radio button.
   ■ If your ISP uses static IP addressing, select the Specify an IP address radio button and enter your assigned IP address in the fields provided. Also enter the IP address in the Primary and Secondary DNS fields.
   Click the OK button in this window and the next two windows.
4-18 Firmware User Guide

This displays a list of possible selections for the communications option. Active components will have a check in the checkboxes to their left.
6. Check Dial Up Networking at the top of the list and Virtual Private Networking at the bottom of the list.
7. Click OK at the bottom right on each screen until you return to the Control Panel. Close the Control Panel by clicking the upper right corner X.
8.
Virtual Private Networks (VPNs) 4-19 Connecting using Dial-Up Networking A Dial-Up Networking connection will be automatically launched whenever you run a TCP/IP application, such as a web browser or email client. When you first run the application a Connect To dialog box appears in which you enter your User name and Password. If you check the Save password checkbox, the system will remember your User name and Password, and you won’t be prompted for them again.
4-20 Firmware User Guide PPTP example To enable a firewall to allow PPTP traffic, you must provision the firewall to allow inbound and outbound TCP packets specifically destined for port 1723. The source port may be dynamic, so often it is not useful to apply a compare function upon this portion of the control/negotiation packets. You must also set the firewall to allow inbound and outbound GRE packets, enabling transport of the tunnel payload.
Virtual Private Networks (VPNs) 4-21

Change Input Filter 2
  Enabled:                 Yes
  Forward:                 Yes
  Source IP Address:       0.0.0.0
  Source IP Address Mask:  0.0.0.0
  Dest. IP Address:        0.0.0.0
  Dest. IP Address Mask:   0.0.0.0
  Protocol Type:           GRE

In the Display/Change Filter Set screen select Display/Change Output Filter.

Display/Change Output Filter screen
+-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
+-------------------------------------------------------------------------+
| 1    0.0.0.0           0.0.0.
4-22 Firmware User Guide

Select Output Filter 2 and press Return. In the Change Output Filter 2 screen, set the Protocol Type to allow GRE as shown below.

Change Output Filter 2
  Enabled:                 Yes
  Forward:                 Yes
  Source IP Address:       0.0.0.0
  Source IP Address Mask:  0.0.0.0
  Dest. IP Address:        0.0.0.0
  Dest. IP Address Mask:   0.0.0.
Virtual Private Networks (VPNs) 4-23

Select Input Filter 1 and press Return. In the Change Input Filter 1 screen, set the Destination Port information as shown below.

Change Input Filter 1
  Enabled:                 Yes
  Forward:                 Yes
  Source IP Address:       0.0.0.0
  Source IP Address Mask:  0.0.0.0
  Dest. IP Address:        0.0.0.0
  Dest. IP Address Mask:   0.0.0.0
  Protocol Type:
  Source Port Compare...
  Source Port ID:
  Dest. Port Compare...
  Dest. Port ID:
  Established TCP Conns.
4-24 Firmware User Guide

In the Display/Change Filter Set screen select Display/Change Output Filter.

Display/Change Output Filter screen
+-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
+-------------------------------------------------------------------------+
| 1    0.0.0.0           0.0.0.0           TCP   NC       =1723   Yes Yes |
| 2    0.0.0.0           0.0.0.0           GRE   --               Yes Yes |
|                                                                         |
+-------------------------------------------------------------------------+

Select Output Filter 1 and press Return.
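The PPTP filter set above (TCP to destination port 1723 with no source-port compare, plus GRE) can be checked against sample packets with the following added model, which is not Netopia's code. It assumes that filters are tried in order, that the first enabled filter which matches decides Forward or Discard, that a packet matching no filter is discarded, and that a 0.0.0.0 mask matches any address; the comparison operators other than NC and = are also assumed.

```python
"""Evaluate a Netopia-style filter set against sample packets.

Constructed model, not the router's code: filters are tried in order and
the first enabled filter that matches decides Forward/Discard.  A packet
that matches no filter is assumed here to be discarded.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Port comparison as shown in the filter screens, e.g. ("=", 1723).
# None stands for "NC" (no compare).  Operators other than "=" are assumed.
PortCompare = Optional[Tuple[str, int]]


@dataclass
class Filter:
    number: int
    protocol: str                  # "TCP", "UDP", "GRE", "ICMP" or "ANY"
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"      # a 0.0.0.0 mask matches any address
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    src_port: PortCompare = None
    dst_port: PortCompare = None
    enabled: bool = True
    forward: bool = True


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: Optional[int] = None  # GRE carries no port numbers
    dst_port: Optional[int] = None


def address_matches(addr: str, filt_addr: str, mask: str) -> bool:
    m = int(IPv4Address(mask))
    return int(IPv4Address(addr)) & m == int(IPv4Address(filt_addr)) & m


def port_matches(port: Optional[int], compare: PortCompare) -> bool:
    if compare is None:            # NC: any port, including "no port"
        return True
    if port is None:               # a port compare can never match GRE
        return False
    op, value = compare
    return {"=": port == value, "!=": port != value,
            "<": port < value, ">": port > value}[op]


def filter_matches(f: Filter, p: Packet) -> bool:
    return (f.enabled
            and (f.protocol == "ANY" or f.protocol == p.protocol)
            and address_matches(p.src, f.src_addr, f.src_mask)
            and address_matches(p.dst, f.dst_addr, f.dst_mask)
            and port_matches(p.src_port, f.src_port)
            and port_matches(p.dst_port, f.dst_port))


def apply_filter_set(filters: List[Filter], p: Packet) -> str:
    """Return "forward" or "discard" for the packet under this filter set."""
    for f in filters:
        if filter_matches(f, p):
            return "forward" if f.forward else "discard"
    return "discard"   # assumption: no matching filter means the packet is dropped


# The PPTP filter set from the guide: TCP to port 1723, then GRE.
PPTP_FILTERS = [
    Filter(1, "TCP", dst_port=("=", 1723)),
    Filter(2, "GRE"),
]

if __name__ == "__main__":
    # Constructed sample packets; 173.167.8.134 is the guide's PPTP partner address.
    for pkt in (Packet("TCP", "192.168.1.10", "173.167.8.134", 49152, 1723),
                Packet("GRE", "192.168.1.10", "173.167.8.134"),
                Packet("TCP", "192.168.1.10", "173.167.8.134", 49152, 80)):
        print(pkt.protocol, pkt.dst_port, "->", apply_filter_set(PPTP_FILTERS, pkt))
```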
Virtual Private Networks (VPNs) 4-25

Windows Networking Broadcasts

Netopia firmware provides the ability to forward Windows Networking NetBIOS broadcasts. This is useful, for example, for a Virtual Private Network in which you want to be able to browse the remote network to which you are tunnelling as part of your Windows Network Neighborhood. Routed connections, such as VPNs, cannot use NetBEUI to carry the Network Neighborhood information. They need to use NetBIOS, because NetBEUI cannot be routed.
4-26 Firmware User Guide

Configuration for Router A

IP Profile Parameters
  Address Translation Enabled:  No
  Remote IP Address:            192.168.2.1
  Remote IP Mask:               255.255.255.0
  Filter Set...
  Remove Filter Set
  NetBIOS Proxy Enabled         Yes
  RIP Profile Options...
Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx).
Configure IP requirements for a remote network connection here.

Configuration for Router B

IP Profile Parameters
  Address Translation Enabled:  No
  Remote IP Address:            192.168.
Virtual Private Networks (VPNs) 4-27 Note: Microsoft Network browsing is available with or without a Windows Internet Name Service (WINS) server. Shared volumes on the remote network are accessible with or without a WINS server. Local LAN shared volumes that have Port Address Translation (PAT) applied to them are not available to hosts on the remote LAN. For tunnelled traffic, NAT on the WAN has no effect on the Microsoft Networking traffic.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-1 Chapter 5 Internet Key Exchange (IKE) IPsec Key Management for VPNs IPsec stands for IP Security, a set of protocols that supports secure exchange of IP packets at the IP layer. IPsec is deployed widely to implement Virtual Private Networks (VPNs). See “Virtual Private Networks (VPNs)” on page 4-1 for more information. The Version 5.3 firmware supports Internet Key Exchange (IKE) for secure encrypted communication over a VPN tunnel.
5-2 Firmware User Guide

the two devices on the Internet to communicate securely.
■ Phase 2 establishes the tunnel and provides for secure transport of data.

IPsec can be configured without IKE, but IKE offers additional features, flexibility, and ease of configuration. Key exchange between your local router and a remote point can be configured either manually or by using the key exchange protocol.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-3

Main Menu
  WAN Configuration
    Add Connection Profile

The Add Connection Profile screen appears.

Add Connection Profile
  Profile Name:             Profile 1
  Profile Enabled:
  Encapsulation Type...     +-------------+
  Encapsulation Options...  | PPP         |
  IP Profile Parameters...  | HDLC        |
                            | Frame Relay |
                            | RFC1483     |
                            | ATMP        |
                            | PPTP        |
                            | IPsec       |
                            +-------------+
  Interface Group...
5-4 Firmware User Guide

For Key Management you can use either IKE or Manual. If you choose Manual, skip to “IPsec Manual Key Entry” on page 5-19. If you choose IKE (the default) continue below.
■ Select IKE Phase 1 Profile and press Return.

IPsec Tunnel Options
  Key Management...
  IKE Phase 1 Profile        +-IKE Phase1 Profile--+
  Encapsulation...           +---------------------+
  ESP Encryption Transform   | <>                  |
  ESP Authentication         | <>                  |
  Compression Type...        +---------------------+
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-5

Add IKE Phase 1 Profile
  Profile Name:             IKE Profile 1
  Mode...                   Aggressive Mode
  Local Identity Type...    IPv4 Address
  Local Identity Value:     0.0.0.0
  Remote Identity Type...   IPv4 Address
  Remote Identity Value:    0.0.0.0
  Authentication Method...  Shared Secret
  Shared Secret:            ********************
  Encryption Algorithm...   des
  Hash Algorithm...         md5
  Diffie-Hellman Group...   Group 2 (1024 bits)
  Advanced IKE Phase 1 Options...
5-6 Firmware User Guide that will be used to generate key material for IKE Phase 1. ■ The Encryption Algorithm pop-up menu specifies the IKE Phase 1 encryption algorithm, and may be either DES (the default) or 3DES. ■ The Hash Algorithm pop-up menu specifies the IKE Phase 1 hash algorithm, and may be either SHA1 (the default) or MD5.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-7 the Phase 1 SAs under which they were created. Phase 2 SAs “dangle” when the Phase 1 SA under which they were created expires before they do. There is no requirement that the Phase 1 SA exist for the duration of the Phase 2 SA’s lifetime, but it is convenient because a Delete message may be sent. ■ The two SA Lifetime items specify the lifetime associated with each Phase 1 SA and control when the SA will expire and become invalid.
5-8 Firmware User Guide

Changing an IKE Phase 1 Profile

Selecting Display/Change IKE Phase 1 Profile or Delete IKE Phase 1 Profile displays an IKE Phase 1 profile pop-up menu listing the names of all currently defined IKE Phase 1 profiles:

IPsec Configuration
+--IKE Phase1 Profile--+
+----------------------+
| IKE Profile 2        |
| Arthropods           |
| Anthropoids          |
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-9 Key Management You specify your IKE key management on a per-Connection Profile basis.
5-10 Firmware User Guide

Note: The Change Connection Profile screen will offer different options, depending on the model of router you are using. For a router with the Dial Backup feature, you can associate an IPsec profile with the Primary, the Backup, or choose to apply it to Any Port of the WAN interface by choosing the interface from the Interface Group pop-up menu as shown below.

Add Connection Profile
  Profile Name:             Profile 1
  Profile Enabled:          Yes
  Encapsulation Type...
  Encapsulation Options...
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-11 The Key Management pop-up menu at the top of the IPsec Tunnel Options screen allows you to choose between IKE key management (the default for a new IPsec profile) and Manual key management. If you select Manual, the IKE Phase 1 Profile option does not display, and you must enter your IPsec Manual Keys under the IPsec Manual Keys screen. See “IPsec Manual Key Entry” on page 19.
5-12 Firmware User Guide

Advanced IPsec Options
  SA Lifetime seconds:      28800
  SA Lifetime Kbytes:       0
  Perfect Forward Secrecy:  Yes
  Dead Peer Detection:      No

This screen allows you to specify the lifetime associated with each IPsec Security Association (SA) and control when the SA will expire and become invalid.
■ SA Lifetime (seconds) specifies the duration in seconds for which the SA will remain valid. The range of permissible values is the set of non-negative integer values between 0 and 2^32-1.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-13 Netopia Firmware Version 5.4 provides a new Dead Peer Detection mechanism. An IPsec IP net interface sends ICMP ping requests to a specific IP address on a Remote Member network. The ping is periodic, and the reply is expected within a certain amount of time.
5-14 Firmware User Guide

If you enable IKE key management the IP Profile Parameters screen appears.

IP Profile Parameters
  Remote Tunnel Endpoint:       0.0.0.0
  Add Network...
  Address Translation Enabled:  No
  Filter Set...                 <>
  Remove Filter Set
  Advanced IP Profile Options...
  COMMIT    CANCEL

■ The Remote Tunnel Endpoint field accepts either an IP address in the familiar dotted-quad notation a.b.c.d or a hostname to be resolved using the Domain Name System (DNS).
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-15

■ support for sub-netting, host and network range addressing modes
■ works with manual keying and Internet Key Exchange (IKE)
■ each IPsec network works under the same local/remote tunnel endpoints

Select Add Network and press Return. The Add Network Configuration screen appears.

Add Network Configuration
  Remote Member Format...
5-16 Firmware User Guide

If you return to the IP Profile Parameters screen, two new fields are displayed:

IP Profile Parameters
  Remote Tunnel Endpoint:       0.0.0.0
  Add Network...
  Display/Change Network...
  Delete Network...
  Address Translation Enabled:  No
  Filter Set...                 <>
  Remove Filter Set
  Advanced IP Profile Options...
  COMMIT    CANCEL
Enter the IP Address or hostname of the remote tunnel endpoint.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-17

+--------------------------------------------------------------+
| Are you sure you want to delete this network configuration?  |
|                                                              |
|            CANCEL                    CONTINUE                |
+--------------------------------------------------------------+

■ Specifying IKE key management alters the Advanced IP Profile Options screen as follows:

Advanced IP Profile Options
  Local Tunnel Endpoint Address:  0.0.0.0
  Next Hop Gateway:               0.0.0.
5-18 Firmware User Guide

IPsec WAN Configuration Screens

You can also configure IKE Phase 1 Profiles in the WAN Configuration menus.

Main Menu
  WAN Configuration
    IKE Phase 1 Configuration

The WAN Configuration screen now includes IKE Phase 1 Configuration as shown:

WAN Configuration
  WAN (Wide Area Network) Setup...
  Display/Change Connection Profile...
  Add Connection Profile...
  Delete Connection Profile...
  WAN Default Profile...
  ATMP/PPTP Default Profile...
  IKE Phase 1 Configuration...
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-19

IKE Phase 1 Configuration
  Display/Change IKE Phase 1 Profile...
  Add IKE Phase 1 Profile...
  Delete IKE Phase 1 Profile...

The IKE Phase 1 Configuration screen allows configuration of global (non-connection-profile-specific) IPsec parameters. This screen allows you to Display, Change, Add, or Delete an IKE Phase 1 profile.

IPsec Manual Key Entry

The Version 5.3 firmware has a redesigned layout and additional options for manual key entry.
5-20 Firmware User Guide

Select IPsec Manual Keys and press Return.

IPsec Manual Keys
  SHA1 ESP Auth. Key:
  SHA1 AH Auth. Key:

Depending on your selections of Encapsulation, Encryption Transform, and Authentication Transform in the IPsec Tunnel Options screen, the IPsec Manual Keys screen will display differing entry fields to enter authorization keys and encryption keys. With Manual Keys, you must manually configure identical authentication and encryption keys at both ends of the tunnel.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-21

VPN Quick View
Profile Name----------Type---Rx Pckts--Tx Pckts--Discard--Remote Address-
HA <-> FA1 (Jony Fon  ATMP   99        99                 173.166.82.8
HA <-> FA3 (Sleve M.  ATMP   13        14                 63.193.117.91
My IPsec Tunnel       IPsec  23        12                 0.0.0.0
Bangalore             PPTP   45        35                 1.1.1.1

If the remote tunnel end point is a hostname (or “0.0.0.0”), 0.0.0.0 is displayed until a Security Association is established. Previously the remote member's network was displayed.
5-22 Firmware User Guide

Event message                  Meaning
IKE: no matching ph2 proposal  Either the local router rejected the proposals of the remote or the remote rejected the local router’s.
IKE: ph2 resend timeout        The attempt to resend the phase 2 authentication timed out.
IKE: phase 2 complete          The phase 2 negotiation completed successfully.
IP Setup 6-1 Chapter 6 IP Setup The Netopia Firmware Version 5.4 uses Internet Protocol (IP) to communicate both locally and with remote networks. This chapter shows you how to configure the router to route IP traffic. You also learn how to configure the router to serve IP addresses to hosts on your local network. Netopia’s IP routing features Network Address Translation and IP address serving.
IP Setup

Main Menu > System Configuration > IP Setup

The IP Setup options screen is where you configure the Ethernet side of the Router. The information you enter here controls how the router routes IP traffic. Consult your network administrator or ISP to obtain the IP setup information (such as the Ethernet IP address, Ethernet subnet mask, default IP gateway, and Primary Domain Name Server IP address) you will need before changing any of the settings in this screen.
The Netopia Firmware Version 5.4 supports multiple IP subnets on the Ethernet interface. You may want to configure multiple IP subnets to service more hosts than are possible with your primary subnet. It is not always possible to obtain a larger subnet from your ISP. For example, if you already have a full Class C subnet, your only option is multiple Class C subnets, since it is virtually impossible to justify a Class A or Class B assignment.
that the addresses distributed by the Router and those that are manually configured are not the same. Each method of distribution must have its own exclusive range of addresses to draw from.

IP subnets

The IP Subnets screen allows you to configure up to eight Ethernet IP subnets on unlimited-user models, one “primary” subnet and up to seven secondary subnets, by entering IP address/subnet mask pairs:

    IP Subnets
          IP Address
    #1:   192.128.117.
For example:

    IP Subnets
          IP Address         Subnet Mask
    #1:   192.128.117.162    255.255.255.0
    #2:   192.128.152.162    255.255.0.0
    #3:   0.0.0.0            0.0.0.0
    #4:
    #5:
    #6:
    #7:
    #8:

■ To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing each field and pressing Return to commit the change. When a configured subnet is deleted, the values in subsequent rows adjust up to fill the vacant fields.
If you have configured multiple Ethernet IP subnets, the IP Setup screen changes slightly:

    IP Setup
    Subnet Configuration...
    Default IP Gateway:                 192.128.117.163
    Primary Domain Name Server:         0.0.0.0
    Secondary Domain Name Server:       0.0.0.0
    Domain Name:
    Receive RIP...                      Both
    Transmit RIP...                     v2 (multicast)
    Static Routes...
    Network Address Translation (NAT)...
    IP Address Serving...

Set up the basic IP attributes of your Netopia in this screen.
The Static Routes screen will appear.

    Static Routes
    Display/Change Static Route...
    Add Static Route...
    Delete Static Route...
    Configure/View/Delete Static Routes from this and the following Screens.

Viewing static routes

To display a view-only table of static routes, select Display/Change Static Route. The table shown below will appear.

    +-Dest. Network---Subnet Mask-----Next Gateway----Priority-Enabled-+
    +------------------------------------------------------------------+
    | 0.0.0.0 0.0.0.
Subnet Mask: The subnet mask associated with the destination network.
Next Gateway: The IP address of the router that will be used to reach the destination network.
Priority: An indication of whether the Router will use the static route when it conflicts with information received from RIP packets.
Enabled: An indication of whether the static route should be installed in the IP routing table.

To return to the Static Routes screen, press Escape.
information; Low means that the RIP information takes precedence over the static route.
■ If the static route conflicts with a connection profile, the connection profile will always take precedence.
■ To make sure that the static route is known only to the Router, select Advertise Route Via RIP and toggle it to No. To allow other RIP-capable routers to know about the static route, select Advertise Route Via RIP and toggle it to Yes.
RIP-2 MD5 Authentication

Firmware version 5.3.7 supports RIP-2 MD5 Authentication (RFC 2082, Routing Information Protocol Version 2, Message Digest 5). The purpose of MD5 authentication is to provide an additional level of confidence that a received RIP packet was generated by a trusted source. In other words, MD5 authentication provides an enhanced level of assurance that the routing information your PC receives does not originate from a malicious source posing as part of your network.
The IP Setup screen appears.

    IP Setup
    Ethernet IP Address:                192.168.1.1
    Ethernet Subnet Mask:               255.255.255.0
    Define Additional Subnets...
    Default IP Gateway:                 0.0.0.0
    Backup IP Gateway:                  0.0.0.0
    Primary Domain Name Server:         0.0.0.0
    Secondary Domain Name Server:       0.0.0.0
    Domain Name:
    RIP Options...
    Multicast Forwarding...             None
    Static Routes...
    IP Address Serving...

■ Select RIP Options. The Ethernet LAN RIP Options screen appears.
■ Select Receive RIP, and from the pull-down menu choose v2 MD5 Authentication.

    Ethernet LAN RIP Options
    Receive RIP...                      v2 MD5 Authentication
    Transmit RIP...                     Off
    RIP v2 Authentication Keys...

■ You can also select Transmit RIP, and choose v2 MD5 (broadcast) or v2 MD5 (multicast) from the pull-down menu.

    Ethernet LAN RIP Options
    Receive RIP...
    Transmit RIP...
    RIP v2 Authentication Keys...
Transmit RIP.

Note:
• All of the changes on this menu require a reboot. This is unique to the Ethernet LAN. RIP changes on all other interfaces are immediately effective.
• If you set the RIP Receive option to Both v1 and v2, the interface will ignore authenticated RIP packets, since authenticated v1 packets do not exist. Only v2 packets can be authenticated.

■ Select RIP v2 Authentication Keys. The RIP v2 Authentication Keys screen appears.

    RIP v2 Authentication Keys
    Display/Change Key...
Adding a key

Select Add Key. The Add Key Screen appears.

    Add Key
    Key ID:                         0
    Authentication Key:
    Start Date (MM/DD/YY):          10/10/2002
    Start Time (hh:mm):             12:00
    AM or PM:                       AM
    End Time Mode:                  Date
    End Date (MM/DD/YY):            10/10/2002
    End Time (hh/mm):               12:00
    AM or PM:                       AM
    COMMIT        CANCEL

■ The key identifier Key ID can be any numeric value from 0 to 255, and must be unique per interface. You cannot have two keys with the same key ID on an interface.
Changing or deleting a key

You change or delete a key by selecting it from a pop-up menu. In the RIP v2 Authentication Keys menu, select Display/Change Key.

    RIP v2 Authentication Keys
    +-Key ID--Start Date--Start Time--End Date--End Time--Valid-+
    +-----------------------------------------------------------+
    |   1     10/10/2002  12:00 AM    Infinite             yes  |
    | 255     3/11/2000   3:17 PM     8/6/2002   1:24 AM   no   |
    |                                                           |
    +-----------------------------------------------------------+
    Delete Key...
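The following is an added example (not Netopia code) of what an interface set to v2 MD5 Authentication does with a received RIP-2 packet under RFC 2082: look up the Key ID, check the key’s start/end window, recompute the keyed MD5 digest, and reject stale sequence numbers. The key table, secrets, addresses and times are constructed to mirror the screens above.

```python
"""RFC 2082 RIP-2 keyed-MD5 authentication: packet builder and receive-side check.

Constructed example, not firmware code. Key IDs, secrets, dates and
addresses are made up to match the Add Key / Display Key screens.
"""
import hashlib
import hmac
import struct
from datetime import datetime

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF        # AFI value marking an authentication entry (RFC 2082)
AUTH_TYPE_MD5 = 3        # keyed-MD5 authentication type
TRAILER_TYPE = 1         # type field of the trailing digest entry
MD5_LEN = 16


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def route_entry(network: str, mask: str, next_hop: str, metric: int) -> bytes:
    """One 20-byte RIPv2 route entry: AFI 2 (IP), route tag 0."""
    return (struct.pack(">HH", 2, 0) + ip_bytes(network) + ip_bytes(mask)
            + ip_bytes(next_hop) + struct.pack(">I", metric))


def keyed_digest(body: bytes, key: bytes) -> bytes:
    """RFC 2082 sec. 4.2: MD5 over the packet up to the trailer, the 4-byte
    trailer header, and the secret zero-padded (or cut) to 16 bytes."""
    padded = key.ljust(MD5_LEN, b"\x00")[:MD5_LEN]
    return hashlib.md5(body + struct.pack(">HH", AFI_AUTH, TRAILER_TYPE) + padded).digest()


def build_response(routes, key_id: int, key: bytes, seq: int) -> bytes:
    """RIPv2 Response carrying an MD5 authentication entry and digest trailer."""
    route_bytes = b"".join(routes)
    pkt_len = 4 + 20 + len(route_bytes)       # "RIP-2 Packet Length" excludes the trailer
    header = struct.pack(">BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack(">HHHBBI8s", AFI_AUTH, AUTH_TYPE_MD5, pkt_len,
                       key_id, MD5_LEN, seq, b"\x00" * 8)
    body = header + auth + route_bytes
    return body + struct.pack(">HH", AFI_AUTH, TRAILER_TYPE) + keyed_digest(body, key)


class Md5Receiver:
    """Receive side of an interface whose Receive RIP is 'v2 MD5 Authentication'."""

    def __init__(self, keys: dict, now: datetime):
        self.keys = keys        # Key ID -> (secret, start, end or None for Infinite)
        self.now = now
        self.last_seq = {}      # neighbour -> highest accepted sequence number

    def verify(self, pkt: bytes, neighbour: str):
        if len(pkt) < 4 or pkt[1] != RIP_V2:
            return False, "not RIPv2 (v1 packets cannot carry authentication)"
        if len(pkt) < 4 + 20 + 4 + MD5_LEN:
            return False, "too short for an authenticated packet"
        afi, atype, pkt_len, key_id, dlen, seq = struct.unpack(">HHHBBI", pkt[4:16])
        if afi != AFI_AUTH or atype != AUTH_TYPE_MD5 or dlen != MD5_LEN:
            return False, "no MD5 authentication entry"
        if pkt_len + 4 + MD5_LEN != len(pkt):
            return False, "length field does not match packet"
        entry = self.keys.get(key_id)
        if entry is None:
            return False, f"unknown Key ID {key_id}"
        secret, start, end = entry
        if self.now < start or (end is not None and self.now > end):
            return False, f"Key ID {key_id} outside its validity window"
        body, trailer = pkt[:pkt_len], pkt[pkt_len:]
        if trailer[:4] != struct.pack(">HH", AFI_AUTH, TRAILER_TYPE):
            return False, "missing digest trailer"
        if not hmac.compare_digest(keyed_digest(body, secret), trailer[4:]):
            return False, "digest mismatch (wrong key or altered packet)"
        # RFC 2082: sequence numbers are non-decreasing; 0 is allowed after a restart.
        if seq != 0 and seq < self.last_seq.get(neighbour, 0):
            return False, "old sequence number (replay)"
        self.last_seq[neighbour] = max(seq, self.last_seq.get(neighbour, 0))
        return True, "accepted"


# Constructed key table mirroring the Display/Change Key screen:
# Key ID 1 valid from 10/10/2002 12:00 AM with an Infinite end; Key ID 255 ended 8/6/2002.
SAMPLE_KEYS = {
    1: (b"constructed-secret-1", datetime(2002, 10, 10, 0, 0), None),
    255: (b"constructed-secret-255", datetime(2000, 3, 11, 15, 17), datetime(2002, 8, 6, 1, 24)),
}


def demo(now: datetime = datetime(2003, 1, 15, 9, 0)) -> dict:
    """Run the receiver over constructed packets; returns accept/reject per case."""
    rx = Md5Receiver(SAMPLE_KEYS, now)
    peer = "192.168.1.2"
    routes = [route_entry("192.168.1.0", "255.255.255.0", "0.0.0.0", 1)]
    good = build_response(routes, 1, SAMPLE_KEYS[1][0], seq=10)
    tampered = bytearray(good)
    tampered[43] ^= 0x01                      # alter the advertised metric after signing
    plain = struct.pack(">BBH", RIP_RESPONSE, RIP_V2, 0) + routes[0]
    cases = {
        "valid": rx.verify(good, peer),
        "tampered": rx.verify(bytes(tampered), peer),
        "unauthenticated": rx.verify(plain, peer),
        "expired_key": rx.verify(build_response(routes, 255, SAMPLE_KEYS[255][0], 11), peer),
        "wrong_secret": rx.verify(build_response(routes, 1, b"guess", 11), peer),
        "replay": rx.verify(build_response(routes, 1, SAMPLE_KEYS[1][0], 9), peer),
    }
    return {name: ok for name, (ok, _reason) in cases.items()}
```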
Connection Profiles and Default Profile

RIP-2 MD5 authentication may be configured in Connection Profiles, as well. If you are not using NAT, your public Internet connection can benefit from sending authenticated RIP packets as well as receiving them. To configure RIP-2 MD5 authentication for a Connection Profile, you can either change an existing Connection Profile, or create a new one.
press COMMIT in the Add or Change Key screen, then press Escape three times to return to the Add or Change Connection Profile screen.
■ Select COMMIT in the Connection Profile screen and press Return. Your changes become effective for the specified Connection Profile.

Power interruptions

Netopia 4000 Series routers use NTP updates to set the correct time.
Go to the System Configuration screen. Select IP Address Serving and press Return. The IP Address Serving screen will appear.

    IP Address Serving
    IP Address Serving Mode...              +--------------------+
    Number of Client IP Addresses:          | Disabled           |
    1st Client Address:                     | DHCP Server        |
    Client Default Gateway...  192.168.1.1  | DHCP Relay Agent   |
    Serve DHCP Clients:                     +--------------------+
    DHCP Lease Time (Hours):
    DHCP NetBIOS Options...
Consequently, the DHCP lease time is configurable. The DHCP Lease Time (Hours) setting allows you to modify the router’s default lease time of one hour. You can enter any number up to and including 168 hours (one week) for the DHCP lease.

Note: About DHCP Auto-configuration: Beginning with Firmware Version 5.3.4, routers whose model number ends in “-T” will allow the IP Address Server to auto-configure when the router is configured with a new IP Address and Subnet Mask.
IP Address Pools

The IP Address Pools screen allows you to configure a separate IP address serving pool for each of up to eight configured Ethernet IP subnets:

    IP Address Pools
    Subnet (# host addrs)    1st Client Addr     Clients   Client Gateway
    192.128.117.0 (253)      192.128.117.196     16        192.128.117.162
    192.129.117.0 (253)      192.129.117.110     8         192.129.117.4

This screen consists of between two and eight rows of four columns each.
Numerous factors influence the choice of served address. It is difficult to specify the address that will be served to a particular client in all circumstances. However, when the address server has been configured, and the clients involved have no prior address serving interactions, the Router will generally serve the first unused address from the first address pool with an available address.
DHCP NetBIOS Options

If your network uses NetBIOS, you can enable the Router to use DHCP to distribute NetBIOS information. NetBIOS stands for Network Basic Input/Output System. It is a layer of software originally developed by IBM and Sytek to link a network operating system with specific hardware. NetBIOS has been adopted as an industry standard. It offers LAN applications a variety of “hooks” to carry out inter-application communications and data transfer.
■ From the NetBIOS Type pop-up menu, select the type of NetBIOS used on your network.

    DHCP NetBIOS Options
    Serve NetBIOS Type:                 No              +--------+
    NetBIOS Type...                                     | Type B |
    Serve NetBIOS Scope:                                | Type P |
    NetBIOS Scope:                                      | Type M |
    Serve NetBIOS Name Server:                          | Type H |
    NetBIOS Name Server IP Addr:        0.0.0.0         +--------+
    Local network Broadcast nodes

■ To serve DHCP clients with the NetBIOS scope, select Serve NetBIOS Scope and toggle it to Yes. Select NetBIOS Scope and enter the scope.
    IP Address Lease Management
    Reset All Leases
    Release BootP Leases
    Reclaim Declined Addresses
    Hit RETURN/ENTER, you will return to the previous screen.

Select Release BootP Leases and press Return.
■ Back in IP Address Serving, the Serve Dynamic WAN Clients toggle

More Address Serving Options

The Netopia Firmware Version 5.4 includes a number of enhancements in the built-in DHCP IP address server.
Configuring the IP Address Server options

To access the enhanced DHCP server functions, from the Main Menu navigate to Statistics & Logs and then Served IP Addresses.

Main Menu > Statistics & Logs > Served IP Addresses

The following example shows the Served IP Addresses screen after three clients have leased IP addresses. The first client did not provide a Host Name in its DHCP messages; the second and third clients did.
You can select the entries in the Served IP Addresses screen. Use the up and down arrow keys to move the selection to one of the entries in the list of served IP addresses.

    Served IP Addresses
    -IP Address------Type----Expires---Host Name/Client Identifier----------
    ----------------------------SCROLL UP----------------------------------
    192.168.1.100
    192.168.1.101
    192.168.1.102
    192.168.1.103
    192.168.1.104
    192.168.1.105
    192.168.1.106  +------------+
    192.168.1.
■ Details… is displayed if the entry is associated with both a host name and a client identifier. Selecting Details… displays a pop-up menu that provides additional information associated with the IP address. The pop-up menu includes the IP address as well as the host name and client identifier supplied by the client to which the address is leased.
    Served IP Addresses
    -IP Address------Type----Expires---Host Name/Client Identifier----------
    ----------------------------SCROLL UP----------------------------------
    192.168.1.100
    192.168.1.101
    192.1+-------------------------------------------------------------+
    192.1+-------------------------------------------------------------+
    192.1|                                                             |
    192.1| You are about to make changes that will affect an address   |
    192.1| that is currently in use.
    Served IP Addresses
    -IP Address------Type----Expires---Host Name/Client Identifier----------
    ----------------------------SCROLL UP----------------------------------
    192.168.1.100
    192.168.1.101
    192.168.1.102  +--------------------------------------+
    192.168.1.103  +--------------------------------------+
    192.168.1.104  |                                      |
    192.168.1.105  | IP Address is 192.168.1.108          |
    192.168.1.106  | MAC Address: 00-00-c5-45-89-ef       |
    192.168.1.107  |                                      |
    192.168.1.108  |        CANCEL            OK          |
    192.168.1.109  |                                      |
    192.168.
DHCP Relay Agent

The Netopia Firmware Version 5.4 offers DHCP Relay Agent functionality, as defined in RFC 1542. A DHCP relay agent is a computer system or a router that is configured to forward DHCP requests from clients on the LAN to a remote DHCP server, and to pass the replies back to the requesting client systems. When a DHCP client starts up, it has no IP address, nor does it know the IP address of a DHCP server.
Select IP Address Serving and press Return. The IP Address Serving screen appears.

    IP Address Serving
    IP Address Serving Mode...              +------------------+
    Number of Client IP Addresses:          | Disabled         |
    1st Client Address:                     | DHCP Server      |
    Client Default Gateway...  192.168.1.1  | DHCP Relay Agent |
    Serve DHCP Clients:        Yes          +------------------+
    Serve BOOTP Clients:       Yes
    DHCP NetBIOS Options...

Select IP Address Serving Mode.
Note: The remote DHCP server(s) to which the Netopia Router is relaying DHCP requests must be capable of servicing relayed requests. Not all DHCP servers support this feature. For example, the DHCP server in the Netopia Router does not. The DHCP server(s) to which the Netopia Router is relaying DHCP requests must be configured with one or more address pools that are within the Netopia Router’s primary Ethernet LAN subnet.
1. Select Profile Name and enter a name for this connection profile. It can be any name you wish. For example: the name of your ISP.
2. Toggle the Profile Enabled value to Yes or No. The default is Yes.
3. Select IP Profile Parameters and press Return. The IP Profile Parameters screen appears.

    IP Profile Parameters
    Address Translation Enabled:        Yes
    IP Addressing...                    Numbered
    NAT Map List...                     Easy-PAT List
    NAT Server List...                  Easy-Servers
                                        Local WAN   Local WAN   Remote IP   Remote IP
                                        0.0.0.
5. Select ADD PROFILE NOW and press Return. Your new connection profile will be added.

If you want to view the connection profiles in your router, return to the WAN Configuration screen, and select Display/Change Connection Profile. The list of connection profiles is displayed in a scrolling pop-up screen.

    WAN Configuration
    +-Profile Name---------------------IP Address------+
    +--------------------------------------------------+
    | Easy Setup Profile               127.0.0.2       |
    | Profile 1                        0.0.0.
Main Menu > System Configuration > IP Setup

By default, Multicast Forwarding is turned off (None). You enable the router to transmit multicast data by selecting Tx. from the pull-down menu.

    IP Setup
    Ethernet IP Address:                192.168.1.1
    Ethernet Subnet Mask:               255.255.255.0
    Define Additional Subnets...
    Default IP Gateway:                 0.0.0.0
    Backup IP Gateway:                  0.0.0.0
    Primary Domain Name Server:         0.0.0.0
    Secondary Domain Name Server:       0.0.0.0
    Domain Name:
    Receive RIP...
    Transmit RIP...
    Multicast Forwarding...
    IP Profile Parameters
    Address Translation Enabled:        Yes
    IP Addressing...                    Numbered
    NAT Map List...                     Easy-PAT List
    NAT Server List...                  Easy-Servers
                                        Local WAN   Local WAN   Remote IP   Remote IP
                                        0.0.0.0     0.0.0.0     0.0.0.0     0.0.0.0
    IP Address:   IP Mask:   Address:   Mask:
    Filter Set...                       +----------------+
    Remove Filter Set                   | None           |
    Multicast Forwarding...             | Rx.            |
    RIP Profile Options...              +----------------+
Chapter 7 Line Backup

The firmware offers line backup functionality in the event of a line failure on a DSL, Ethernet, or leased-line primary WAN link. The firmware supports backup
■ to an external modem connected to the Console port or
■ to a backup default gateway.
Configuration of either method is similar, but differences are noted in their respective sections.
External Dial Backup Support

Netopia equipment that supports the external dial backup feature automatically displays the serial port configuration menus described in the following sections. Models that do not support external dial backup do not display external dial backup-related menus, but offer menus for backup to a default gateway.
Main Menu > WAN Configuration > WAN Setup

    WAN Configuration
    WAN (Wide Area Network) Setup...
    Display/Change Connection Profile...
    Add Connection Profile...
    Delete Connection Profile...
    WAN Default Profile...
    ATMP/PPTP Default Profile...
    IKE Phase 1 Configuration...
    Scheduled Connections...
    Backup Configuration...
    Frame Relay Configuration...
    Frame Relay DLCI Configuration...
    Establish WAN Connection...
    Disconnect WAN Connection...
    Return/Enter to create a new Connection Profile.
    Serial Port Configuration
    Serial Port Mode...                 +--------------+
                                        | Console Only |
                                        | Modem/Auto   |
                                        +--------------+

■ The default mode is Console Only. This is the normal state for using a terminal emulation application to manage the router. See “Connecting a Console Cable to your Equipment” on page 1-5.
Note:
• The modem cable should have a standard DB-9 female connector to connect to the console port. This is the standard type of modem cable connector.
• Macintosh users who use a USB-to-serial adapter to connect to the console serial port can use a modem in Modem/Auto mode. However, your terminal emulator software will not function in this mode via the USB adapter, due to the pin assignments in the adapter. For console management access, Macintosh users should use Console Only mode.
backup mode and connect via your modem.

Note: Backup and Recovery have resolutions of five seconds. This is how often the router evaluates the state of the connections and makes decisions.

■ Select Ping Host Name or IP Address and enter an IP address or resolvable DNS name that the router will ping. This is an optional item that is particularly useful for testing if the remote end of a VPN connection has gone down.
Connection Profiles

The line backup feature allows you to configure a complete Connection Profile for the backup port, just as you do for your primary WAN connection. In this way profiles are associated with a particular interface. The profile should reflect the port it is associated with. It should have switched characteristics for the backup port.

    Add Connection Profile
    Profile Name:                       Profile 1
    Profile Enabled:                    Yes
    Data Link Encapsulation...
    Data Link Options...
    Telco Options
    Dial...                             Dial In/Out
    Number to Dial:
    Alternate Site to Dial:
    Dial on Demand:                     Yes
    Idle Timeout (seconds):             300
    Callback:                           No

■ From the Dial pop-up menu, you can choose whether to Dial Out Only, Dial In Only, or Dial In/Out (default).
■ You can add the Number to Dial and an Alternate Site to Dial, if available.
■ You can toggle Dial on Demand to Yes or No.
The Scheduled Connections screen appears.

    Scheduled Connections
    Display/Change Scheduled Connection...
    Add Scheduled Connection...
    Delete Scheduled Connection...
    Return/Enter to add a Scheduled Connection.
    Navigate from here to add/modify/change/delete Scheduled Connections.

■ Select Add Scheduled Connection and press Return. The Add Scheduled Connection screen appears.

    Add Scheduled Connection
    Scheduled Connection Enable:        On
    How Often...                        Weekly
    Schedule Type...
    Set Weekly Schedule
    Monday:                             Yes
    Tuesday:                            Yes
    Wednesday:                          Yes
    Thursday:                           Yes
    Friday:                             Yes
    Saturday:                           Yes
    Sunday:                             Yes
    Scheduled Window Start Time:        11:27
    AM or PM:                           AM
    Scheduled Window Duration Per Day:  24:00
    Return/Enter accepts * Tab toggles * ESC cancels.

■ Toggle all the days of the week to Yes, and set the Scheduled Window Duration Per Day to 24:00. This guarantees a 24x7 connection. Press Escape to return to the Add Scheduled Connection screen.
    Statistics & Logs...
    WAN Event History...
    Device Event History...
    IP Routing Table...
    Served IP Addresses...
    Backup Management/Statistics...
    General Statistics...
    System Information...

Select Backup Management/Statistics and press Return.

Note: This option is only visible if backup is not Disabled.

The Backup Management/Statistics screen appears.
connection.
■ Switchover Time is a display-only field that is only visible if backup or recovery is in progress. It displays the time until either automatic Backup or Recovery.
■ The FORCE BACKUP/FORCE RECOVERY option is a selectable option that, depending on the current state of backup, will force the switching of ports. If you are currently in backup mode, the option will be FORCE RECOVERY. If you are currently in normal WAN link mode, the option will be FORCE BACKUP.
SNMP Support

The router supports objects for determining the state of backup, as well as providing traps for the backup and recovery events. No objects support configuration of backup or recovery.

Backup Default Gateway

Introduced in version 5.1.2, the firmware offers backup functionality to an alternate gateway typically connected to a LAN port.
The Backup Configuration screen appears.

    Backup Configuration
    Backup Parameters
    Backup is...                                    +-----------+
    Requires Failure of (minutes):                  | Disabled  |
    Ping Host Name or IP Address:                   | Manual    |
    Recovery to ADSL...                 Automatic   | Automatic |
    Requires Recovery of (minutes):     1           +-----------+
    Auto-Recovery on loss of Layer 2:   No
    Automatically switches to Backup Port on loss of Layer 1 or 2.
Use this setting with caution. Setting it to Yes may induce alternating switching between Backup and Recovery Mode. This field will determine the recovery behavior of a Manual backup and Ping failure backup. These two failures are treated as Layer 2 failures.
Backup Management/Statistics

If backup is enabled, the Statistics & Logs menu offers a Backup Management/Statistics option. To view Backup Management/Statistics, from the Main Menu select Statistics & Logs then Backup Management/Statistics and press Return.

Main Menu > Statistics & Logs > Backup Management/Statistics

The Backup Management/Statistics screen appears.
either one and pressing Return will force the link to switch to the other mode.

QuickView

The QuickView screen now has an information element to indicate which gateway is in use.

    Quick View
    Default IP Gateway:     0.0.0.0         1/29/2002 01:05:35 PM
    Primary DNS Server:     0.0.0.0         CPU Load: 5%
    Secondary DNS Server:   0.0.0.0         Unused Memory: 5582 KB
    Gateway installed -- Backup
    Domain Name: happyinternet.
Chapter 8 Voice Configuration

This chapter describes the telephony services and configuration of the Netopia 4700-Series Integrated Access Devices (IADs) running Netopia Firmware Version 5.4. This chapter covers the following topics:
■ “Introduction” on page 8-1
■ “Configuring the Voice Features” on page 8-2

Introduction

Netopia IADs provide small and medium sized businesses with a complete Centrex PBX system.
central office, but not long distance or local calls.
Toll Restriction Operation - PBX/Local Switching Mode: When you pick up the phone, you receive local PBX dial tone. When a 9 (or outside line code) is pressed, the IAD detects the digit and returns busy (locally generated). Incoming calls are allowed. Extension calls (locally switched) are allowed.
■ Speed Dial - Centrex Mode: In Centrex Mode, when you pick up the phone, dial-tone from the central office is present.
    Voice Configuration
    Voice Gateway...                    CopperCom
    Ring Cadence...                     20 Hz
    Port Configuration...
    Voice Coding...                     mu-law
    LES Profile Number...               Profile 9

■ Select Voice Gateway and from the pop-up menu, choose the type of voice gateway device to which you will be connected. The choices are: CopperCom, JetStream, TollBridge, TDSoft, Zhone, or Alcatel.
■ Select Ring Cadence and press Return.
Echo cancellation is set to Yes by default. For ordinary telephone handsets, echo cancellation should be set to Yes (turned on) to eliminate echoes on the voice line. Toggling a port to No allows you to connect a fax machine or modem to the phone port (since fax machines and modems automatically cancel echoes). If you want to disable echo cancellation, toggle this item to No. You can enable or disable echo cancellation for each telephone port.
Chapter 9 Monitoring Tools

This chapter discusses the Router’s device and network monitoring tools. These tools can provide statistical information, report on current network status, record events, and help in diagnosing and locating problems.
General status

    Quick View
    Default IP Gateway:     0.0.0.0         10/11/2001 07:31:26 AM
    Primary DNS Server:     0.0.0.0         CPU Load: 4%
    Secondary DNS Server:   0.0.0.0         Unused Memory: 6044 KB
    Domain Name: Netopia.com
    ----------------MAC Address--------IP Address-------------------------
    Ethernet Hub:   00-00-c5-ff-70-00  192.168.1.1
    ATM SDSL WAN:   00-00-c5-ff-70-02  0.0.0.0

    Current DSL Status
    Profile Name----------Rate--%Use-Remote Address-----Est.-More Info-----------
    ISP                   1536  10   IP 92.163.4.
Current status

The current status section is a table showing the current status of the DSL connection. For example:

    Current DSL Status
    Profile Name----------Rate--%Use-Remote Address-----Est.-More Info-----------
    ISP                   1536  10   IP 92.163.4.1     Lcl  NAT 192.163.100.6

Profile Name: Lists the name of the connection profile being used, if any.
Rate: Shows the line rate for this connection.
Statistics & Logs

Main Menu > Statistics & Logs

When you are troubleshooting your Router, the Statistics & Logs screens provide insight into the recent event activities of the router. From the Main Menu go to Statistics & Logs and select one of the options described in the sections below.

Event Histories

Main Menu > Statistics & Logs
• WAN Event History
• Device Event History

The Netopia Firmware Version 5.4 records certain relevant occurrences in event histories.
WAN Event History

The WAN Event History screen lists a total of 128 events on the WAN. The most recent events appear at the top.

    WAN Event History
    Current Date -- 10/11/2001 03:02:23 PM
    -Date-----Time-----Event-----------------------------------------------------
    ----------------------------SCROLL UP----------------------------------
    07/03/98  13:59:06  DSL: IP up, channel 1, gateway: 173.166.107.
In the Statistics & Logs screen, select Device Event History. The Device Event History screen appears.

    Device Event History
    Current Date -- 10/11/2001 03:02:23 PM
    -Date-----Time-----Event-----------------------------------------------------
    ----------------------------SCROLL UP----------------------------------
    01/22/02  02:03:11  IP address server initialization complete
    01/22/02  02:03:11  --BOOT: Warm start v5.
IP Routing Table

Main Menu > Statistics & Logs
• IP Routing Table

The IP routing table displays all of the IP routes currently known to the Router.

    IP Routing Table
    Network Address-Subnet Mask-----via Router------Port------------------Type--------
    ----------------------------SCROLL UP----------------------------------
    0.0.0.0         255.0.0.0       0.0.0.0         -                     Other
    127.0.0.1       255.255.255.255 127.0.0.1       Loopback              Local
    192.168.1.0     255.255.255.240 192.168.1.1     Ethernet              Local
    192.168.1.1     255.255.255.
    General Statistics
    Physical I/F-----Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err
    Ethernet Hub     1234567    123456     123456    123456     123456    12345
    ATM ADSL 1       1234567    123456     123456    123456     123456    12345
    Network----------Rx Bytes---Tx Bytes---Rx Pkts---Tx Pkts----Rx Err----Tx Err
    IP               1234567    123456     123456    123456     123456    12345
    VC Traffic Statistics...
System Information

The System Information screen gives a summary view of the general system level values in the Router. From the Statistics & Logs menu select System Information. The System Information screen appears.

    System Information
    Serial Number                       ff-70-00 (16740352)
    Firmware Version                    5.
    ModelNumber
    Processor Speed (Mhz)
    Flash Rom Capacity (MBytes)
    DRAM Capacity (MBytes)
    Hardware Acceleration
Simple Network Management Protocol (SNMP) - V2c

The Netopia Firmware Version 5.4 includes a Simple Network Management Protocol (SNMP) agent, allowing monitoring and configuration by a standard SNMP manager. Netopia Routers and IADs now support both SNMP-V1 and SNMP-V2c.

Enterprise-specific SNMP Changes

Enterprise-specific SNMP changes in Netopia Firmware Version 5.4 include restarting the device as a bridge or router, and controlling the ‘WAN changes reset immediately’ item.
The SNMP Setup screen

From the Main Menu, select SNMP in the System Configuration screen and press Return. The SNMP Setup screen appears.

Main Menu > System Configuration > SNMP

    SNMP Setup
    System Name:
    System Location:
    System Contact:
    System Trap Version:                        +----------+
    Read-Only Community String:                 | SNMP-V1  |
    Read/Write Community String:                | SNMP-V2c |
    Authentication Traps Enable:    Off         +----------+
    IP Trap Receivers...
Community strings

The Read-Only Community String and the Read/Write Community String are like passwords that must be used by an SNMP manager querying or configuring the Netopia Firmware Version 5.4. An SNMP manager using the Read-Only Community String can examine statistics and configuration information from the router, but cannot modify the router’s configuration. An SNMP manager using the Read/Write Community String can both examine and modify configuration parameters. Treat both strings as secrets: SNMP-V1 and SNMP-V2c carry the community string unencrypted in every request, so anyone who can observe the management traffic can read it.
To go to the IP Trap Receivers screen, select IP Trap Receivers. The IP Trap Receivers screen appears.

    IP Trap Receivers
    Display/Change IP Trap Receiver...
    Add IP Trap Receiver...
    Delete IP Trap Receiver...
    Return/Enter to modify an existing Trap Receiver.
    Navigate from here to view, add, modify and delete IP Trap Receivers.

Setting the IP trap receivers

1. Select Add IP Trap Receiver.
2. Select Receiver IP Address or Domain Name.
Chapter 10 Security

The Netopia Firmware Version 5.4 provides a number of security features to help protect its configuration screens and your local network from unauthorized access. Although these features are optional, it is strongly recommended that you use them.
Console Tiered Access – Two Password Levels

Netopia Firmware Version 5.4 offers tiered access control for greater security and protection against accidental or malicious misconfiguration. Service providers and network administrators can now limit the access of other users to the various configuration screens to prevent misconfigurations. The access privileges of various users that may be assigned are governed by a Superuser administrative account.
For Windows XP users, the automatic discovery feature places an icon representing the Netopia Gateway automatically in the “My Network Places” folder. Be sure that the Windows XP service Universal Plug and Play Device Host is enabled and running, otherwise you might not see the icon. Double clicking the icon will launch a telnet window to your Gateway’s Telnet interface. PCs using UPnP can retrieve the Gateway’s WAN IP address, and automatically create NAT port maps.
10-4 Firmware User Guide Limited user configuration The Add Access Name/Password and Show/Change Access Name/Passwords screens allow you to select which configuration features a limited (non-Superuser) user can access. From the Security Options screen, select Add Access Name/Password. The Add Access Name/Password screen appears. Add Access Name/Password Name (19 characters max): Password: Telnet Access Enabled: Web Access Enabled: Access Privileges...
Security 10-5 Access Privileges (Custom)
WAN Data Configuration: No
Connection Profile Configuration: No
Circuit (PVC/DLCI) Configuration: No
LAN Data Configuration: Yes
LAN Subnet Configuration: Yes
NAT/Filters Configuration: Yes
Preferences (Global) Configuration: Yes
Voice Configuration: Yes
OK CANCEL
You can toggle the default user privileges for each user. The defaults are set to minimize the possibility of an individual user inadvertently damaging the WAN connection.
10-6 Firmware User Guide Advanced Security Options
Security Databases... Local only
RADIUS Server Addr/Name:
RADIUS Server Secret:
Alt RADIUS Server Addr/Name:
Alt RADIUS Server Secret:
RADIUS Identifier:
RADIUS Server Authentication Port:
RADIUS Access Privileges... (pop-up menu: All, LAN, WAN, VOX, Custom...)
Telnet Server Port:
LAN (Ethernet) IP Filter Set...
Security 10-7 User access password Users must be able to change their names and passwords, regardless of other security access restrictions. If a user does not have security access, they can modify only the password for their own account. When a limited-access user logs into the router and accesses the System Configuration menus, the only Security option displayed is Change Access Password. System Configuration IP Setup... Filter Sets... IP Address Serving...
10-8 Firmware User Guide User menu differences Menus reflect the security access level of the user. Consequently, configuration menus will display differing options based upon the parameters a particular user is allowed to change. Some differences include: ■ Limited users (non-Superusers) do not have access to Easy Setup. ■ All users have access to System Configuration, Quick Menus, and Quick View, but limited users have only limited access to configuration elements in their descendant menus.
Security 10-9 Based on access level, the Main Menu displays its configuration options according to the following diagram: User Access Level Netopia Router Superuser WAN, Conn. Profiles, PVC All All Global, Voice Easy Setup... WAN Configuration... System Configuration... Utilities & Diagnostics... Statistics & Logs... All Quick Menus... All Quick View... Return/Enter goes to Easy Setup -- minimal configuration. You always start from this main screen.
10-10 Firmware User Guide Advanced Connection Options User Access Level Configuration Changes Reset WAN Connection: WAN Connection Profiles IKE Phase 1 Configuration... Connection Profiles Connection Profiles WAN Scheduled Connections... Accounting Configuration... Backup Configuration... No Connection Profiles The Superuser can disallow limited user access to a particular Connection Profile.
Security 10-11 System Configuration menu The System Configuration menu is always available to all users. Based on access level, the System Configuration menu displays its configuration options according to the following diagram: System Configuration User Access Level IP Setup... Filter Sets... IP Address Serving... Network Address Translation (NAT)... LAN NAT LAN NAT Global Date and Time... All Superuser Console Configuration... SNMP (Simple Network Management Protocol)... Security...
10-12 Firmware User Guide Utilities & Diagnostics menu Based on access level, the Utilities & Diagnostics menu displays its configuration options according to the following diagram: Utilities & Diagnostics User Access Level Global Global Global All Global All All Ping... Trace Route... Telnet... Log off Serial Console Session... Trivial File Transfer Protocol (TFTP)... X-Modem File Transfer... Restart System... Revert to Factory Defaults... Superuser Send ICMP Echo Requests to a network host.
Security 10-13 Based on access level, the Statistics & Logs menu displays its options according to the following diagram: User Access Level Statistics & Logs Global Global Voice Voice Voice Global WAN Event History... Device Event History... Voice Log... Voice Accounting Log... Voice Error Log... IP Routing Table... Global Served IP Addresses... Global Global Global Global Global Served IP Addresses... Accounting Statistics... Backup Management/Statistics... General Statistics... System Information.
10-14 Firmware User Guide Quick Menus Quick Menus vary considerably between models, features, and access levels. The following is an example comparison of the Quick Menu as seen by the Superuser and by a Limited user.
Security 10-15 The ATM Circuits Configuration menu screen appears as follows: ATM Circuits Configuration Display/Change WAN 1 Circuit... Add WAN 1 Circuit... Delete WAN 1 Circuit... Display/Change WAN 2 Circuit... Add WAN 2 Circuit... Delete WAN 2 Circuit... Note: Multiple ATM circuit configuration is supported on multiple ATM-capable routers.
10-16 Firmware User Guide Security Options
Enable Telnet Console Access: Yes
Enable Telnet Access to SNMP Screens: Yes
Console Access timeout (seconds): 600
Show Users...
Add User...
Delete User...
Advanced Security Options...
Password for This Screen (11 chars max):
Return/Enter accepts * Tab toggles * ESC cancels. Set up configuration access options here.
Security 10-17 To add a new user account, select Add User in the Security Options screen and press Return. The Add Name With Write Access screen appears. Add Name With Write Access Enter Name: Enter Password (11 characters max): ADD NAME/PASSWORD NOW CANCEL Follow these steps to configure the new account: 1. Select Enter Name and enter a descriptive name (for example, the user’s first name). 2. Select Enter Password and enter a password. 3.
10-18 Firmware User Guide To restrict Telnet access, select Security in the Advanced Configuration menu. The Security Options screen will appear. There are two levels of Telnet restriction available: ■ To restrict Telnet access to the SNMP screens, select Enable Telnet Access to SNMP Screens and toggle it to No. (See “SNMP traps” on page 9-12.) ■ To restrict Telnet access to all of the configuration screens, select Enable Telnet Console Access and toggle it to No. Telnet sends the login name, password and every configuration screen in clear text, so on an untrusted network disabling Telnet console access protects the credentials as well as the screens.
Security 10-19 Each inspector has a specific task. One inspector’s task may be to examine the destination address of all outgoing packages. That inspector looks for a certain destination—which could be as specific as a street address or as broad as an entire country—and checks each package’s destination address to see if it matches that destination. [Figure: packages labelled FROM and TO pass along a line of inspectors; approved packages continue, rejected ones are stopped.] A filter inspects data packets like a customs inspector scrutinizing packages.
10-20 Firmware User Guide If the package does not match the first inspector’s criteria, it goes to the second inspector, and so on. You can see that the order of the inspectors in the line is very important. For example, let’s say the first inspector’s orders are to send along all packages that come from Rome, and the second inspector’s orders are to reject all packages that come from France. If a package arrives from Rome, the first inspector sends it along without allowing the second inspector to see it.
Security 10-21 Parts of a filter A filter consists of criteria based on packet attributes.
10-22 Firmware User Guide Port number comparisons A filter can also use a comparison option to evaluate a packet’s source or destination port number. The comparison options are: No Compare: No comparison of the port number specified in the filter with the packet’s port number. Not Equal To: For the filter to match, the packet’s port number cannot equal the port number specified in the filter.
Security 10-23 Putting the parts together When you display a filter set, its filters are displayed as rows in a table:
+-#---Source IP Addr---Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+
+----------------------------------------------------------------------+
| 1   192.211.211.17   0.0.0.0          TCP   0        23     Yes  No  |
| 2   0.0.0.0          0.0.0.0          TCP   NC       =6000  Yes  No  |
| 3   0.0.0.0          0.0.0.0          ICMP  --              Yes  Yes |
| 4   0.0.0.0          0.0.0.0          TCP   NC       >1023  Yes  Yes |
| 5   0.0.0.0          0.0.0.
10-24 Firmware User Guide Filtering example #1 Returning to our filtering rule example from above (see page 10-20), look at how a rule is translated into a filter. Start with the rule, then fill in the filter’s attributes: 1. The rule you want to implement as a filter is: Block all Telnet attempts that originate from the remote host 199.211.211.17. 2. 3. 4. The host 199.211.211.17 is the source of the Telnet packets you want to block, while the destination address is any IP address.
Security 10-25 This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP address 200.233.14.5, it will block it. In this case, the mask, which does not appear in the table, must be set to 255.255.255.0. This way, all packets with a source address of 200.233.14.
10-26 Firmware User Guide An approach to using filters The ultimate goal of network security is to prevent unauthorized access to the network without compromising authorized access. Using filter sets is part of reaching that goal. Each filter set you design will be based on one of the following approaches: ■ That which is not expressly prohibited is permitted. ■ That which is not expressly permitted is prohibited.
Security 10-27 3. View, change, or delete individual filters and filter sets. The sections below explain how to execute these steps. Adding a filter set You can create up to eight different custom filter sets. Each filter set can contain up to 16 output filters and up to 16 input filters. To add a new filter set, select Add Filter Set in the Filter Sets screen and press Return. The Add Filter Set screen appears. Add Filter Set...
10-28 Firmware User Guide Adding filters to a filter set There are two kinds of filters you can add to a filter set: input and output. Input filters check packets received from the Internet, destined for your network. Output filters check packets transmitted from your network to the Internet. [Figure: a packet arriving from the WAN passes through the input filter before reaching the LAN; a packet leaving the LAN passes through the output filter before reaching the WAN.] Packets in the Netopia Firmware Version 5.
Security 10-29 Display/Change Filter Set... Filter Set Name: Filter Set 3 Add Input Filter to Filter Set... Display/Change Input Filter... Delete Input Filter... Move Input Filter... Add Output Filter to Filter Set... Display/Change Output Filter... Delete Output Filter... Move Output Filter... Note: There are two groups of items in this screen, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set.
10-30 Firmware User Guide 3. If you want the filter to forward packets that match its criteria to the destination IP address, select Forward and toggle it to Yes. If Forward is toggled to No, packets matching the filter’s criteria will be discarded. 4. Select Source IP Address and enter the source IP address this filter will match on. You can enter a subnet or a host address. 5. Select Source IP Address Mask and enter a mask for the source IP address.
Security 10-31 Change Filter
Enabled: No
Forward: No
Source IP Address: 0.0.0.0
Source IP Address Mask: 0.0.0.0
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: 0
Source Port Compare... No Compare
Source Port ID: 0
Dest. Port Compare... No Compare
Dest. Port ID: 0
Enter the IP specific information for this filter. Deleting filters To delete a filter, select Delete Input Filter or Delete Output Filter in the Display/Change Filter Set screen to display a table of filters.
10-32 Firmware User Guide Basic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic originating from the LAN. It follows the conservative “that which is not expressly permitted is prohibited” approach: unless an incoming packet expressly matches one of the constituent input filters, it will not be forwarded to the LAN. The five input filters and one output filter that make up Basic Firewall are shown in the table below.
Security 10-33 Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked. Basic Firewall is suitable for a LAN containing only client hosts that want to access servers on the WAN, but not for a LAN containing servers providing services to clients on the WAN. Basic Firewall’s general strategy is to explicitly forward WAN-originated TCP and UDP traffic to ports greater than 1023.
10-34 Firmware User Guide FTP sessions. To allow WAN-originated FTP sessions to a LAN-based FTP server with the IP address a.b.c.d (corresponding to a numbered IP address such as 163.176.8.243), insert the following input filter ahead of the current input filter 1: ■ Enabled: Yes ■ Forward: Yes ■ Source IP Address: 0.0.0.0 ■ Source IP Address Mask: 0.0.0.0 ■ Dest. IP Address: a.b.c.d ■ Dest. IP Address Mask: 255.255.255.
Security 10-35 The new filterset screen appears as follows: Change Input Filter 1 Enabled: Yes Forward: Yes Call Placement/Idle Reset: No Change Force Routing: Yes Gateway IP Address: 163.176.8.134 Source IP Address: Source IP Address Mask: Dest. IP Address: Dest. IP Address Mask: TOS: TOS Mask: Protocol Type: Source Port Compare... Source Port ID: Dest. Port Compare... Dest. Port ID: 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.
10-36 Firmware User Guide Add Input Filter
Enabled: Yes
Forward: Yes
Call Placement/Idle Reset: No Change
Force Routing: Yes
Gateway IP Address: 127.0.0.3
Source IP Address: 0.0.0.0
Source IP Address Mask: 0.0.0.0
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
TOS: 16
TOS Mask: 16
Protocol Type: ANY
ADD THIS FILTER NOW CANCEL
Return/Enter to add this Filter to the Filter Set. Enter the packet specific information for this filter.
Security 10-37 Firewall Tutorial General firewall terms Filter rule: A filter set is comprised of individual filter rules. Filter set: A grouping of individual filter rules. Firewall: A component or set of components that restrict access between a protected network and the Internet, or between two networks. Host: A workstation on the network. Packet: Unit of communication on the Internet.
10-38 Firmware User Guide Example TCP/UDP Ports
TCP Port   Service     UDP Port   Service
20/21      FTP         161        SNMP
23         Telnet      69         TFTP
25         SMTP        387        AURP
80         WWW
144        News
Firewall design rules There are two basic rules to firewall design: ■ “What is not explicitly allowed is denied.” and ■ “What is not explicitly denied is allowed.” The first rule is far more secure, and is the best approach to firewall design.
Security 10-39 and a packet goes through these rules destined for FTP, the packet would forward through the first filter rule (WWW), match the second rule (FTP), and the packet is allowed through. Even though the next rule is to deny all FTP traffic, the FTP packet will never make it to this rule. Binary representation It is easiest when doing filtering to convert the IP address and mask in question to binary.
10-40 Firmware User Guide Established connections The TCP header contains one bit called the ACK bit (or TCP Ack bit). This ACK bit appears only with TCP, not UDP. The ACK bit is part of the TCP mechanism that guarantees the delivery of data. The ACK bit is set whenever one side of a connection has received data from the other side. Only the first TCP packet (the connection request) will not have the ACK bit set; once the TCP connection is in place, the remainder of the TCP packets will have the ACK bit set.
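The following is an added example, not code from the Netopia firmware, showing what an “established connections” input filter actually tests: the ACK bit at offset 13 of the TCP header. The packets are constructed byte strings (IPv4 header plus TCP header, no payload, checksums left zero) with addresses from the documentation ranges; the LAN and WAN hosts and ports are assumptions.

```python
import socket
import struct

IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte IPv4 header + 20-byte TCP header, no options, no payload.
    Checksums are left zero: this example only inspects header fields."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def tcp_flags(packet: bytes) -> int:
    """Return the TCP flags byte of an IPv4 packet; raise for non-TCP or truncated input."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # IP header length in bytes
    if packet[9] != IPPROTO_TCP:
        raise ValueError("the ACK bit exists only in TCP")
    if len(packet) < ihl + 14:              # flags byte sits at TCP offset 13
        raise ValueError("truncated TCP header")
    return packet[ihl + 13]


def ack_set(packet: bytes) -> bool:
    return bool(tcp_flags(packet) & TCP_ACK)


def established_only(packet: bytes) -> bool:
    """The 'established connections' input filter: forward TCP only when ACK is set."""
    try:
        return ack_set(packet)
    except ValueError:
        return False                        # non-TCP traffic needs its own filters


# Constructed exchange: a WAN host tries to open a Telnet connection to a LAN host;
# a LAN client then receives the second packet of a handshake it started itself;
# finally a WAN host sends a bare ACK that never belonged to any connection.
WAN_SYN = build_ipv4_tcp("203.0.113.9", "10.0.0.5", 40000, 23, TCP_SYN)
SYN_ACK_REPLY = build_ipv4_tcp("203.0.113.9", "10.0.0.5", 80, 51000, TCP_SYN | TCP_ACK)
FORGED_ACK = build_ipv4_tcp("203.0.113.9", "10.0.0.5", 40000, 23, TCP_ACK)


if __name__ == "__main__":
    for name, pkt in [("WAN SYN", WAN_SYN), ("SYN/ACK reply", SYN_ACK_REPLY),
                      ("forged ACK", FORGED_ACK)]:
        print(f"{name:14s} ACK={ack_set(pkt)} forwarded={established_only(pkt)}")
```

The third packet is the caveat: a filter that keys on the ACK bit alone stops connection attempts (SYN without ACK) but forwards any packet on which the sender chose to set ACK, so it blocks connection establishment, not arbitrary inbound packets, and is no substitute for stateful inspection.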
Security 10-41
Less Than or Equal: Any port less than or equal to the port defined
Equal: Matches only the port defined
Greater Than or Equal: Matches the port or any port greater
Greater Than: Matches anything greater than the port defined
Example network [Figure: an input packet filter on the router between the Internet and the local network, inspecting an incoming packet with source IP 200.1.1.??]
Example filters
Example 1 Filter Rule: 200.1.1.0 (Source IP Network Address), 255.255.255.128 (Source IP Mask), Forward = No (What happens on match). Incoming packet has the source address of 200.
10-42 Firmware User Guide 00000000 (Logical AND result) This incoming IP packet has a source IP address that matches the network address in the Source IP Address field (00000000) in the Netopia Firmware Version 5.4. This will not forward this packet. Example 2 Filter Rule: 200.1.1.0 (Source IP Network Address) 255.255.255.128 (Source IP Mask) Forward = No (What happens on match) Incoming packet has the source address of 200.1.1.184. IP Address 200.1.1.
Security 10-43 255.255.255.240 11110000 (Perform the logical AND) 10110000 (Logical AND result) Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 10110000, this rule does not match and this packet will be forwarded. Example 4 Filter Rule: 200.1.1.96 (Source IP Network Address) 255.255.255.240 (Source IP Mask) Forward = No (What happens on match) Incoming packet has the source address of 200.1.1.104. IP Address 200.1.1.
10-44 Firmware User Guide 255.255.255.255 11111111 (Perform the logical AND) 01100000 (Logical AND result) Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 01100000, this rule does match and this packet will not be forwarded. This rule masks off a single IP address. Configuration Management Netopia Firmware Version 5.4 offers a Configuration Management feature.
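The following is an added example, not code from the Netopia firmware, that models the filter semantics described in this chapter: each filter compares the packet’s addresses after a logical AND with the mask, applies the port comparison options of pages 10-22 and 10-41, and the first matching filter in the set decides. It replays the ordering trap from page 10-39 (allow WWW, allow FTP, then a deny-FTP rule that is never reached), binary examples 1 through 4 from pages 10-41 to 10-43 (the tutorial forwards packets that match no rule, so the default there is forward), and the Basic Firewall strategy of page 10-33 with the Telnet block of page 10-24 inserted first. Assumptions: the packets, the LAN host 10.0.0.5, the example-1 source octet (truncated on the page) and the 255.255.255.255 host mask for the Telnet block are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Port comparison options as listed on pages 10-22 and 10-41.
PORT_COMPARE: Dict[str, Callable[[int, int], bool]] = {
    "No Compare": lambda pkt, rule: True,
    "Not Equal To": lambda pkt, rule: pkt != rule,
    "Less Than": lambda pkt, rule: pkt < rule,
    "Less Than or Equal": lambda pkt, rule: pkt <= rule,
    "Equal": lambda pkt, rule: pkt == rule,
    "Greater Than or Equal": lambda pkt, rule: pkt >= rule,
    "Greater Than": lambda pkt, rule: pkt > rule,
}


def masked(addr: str, mask: str) -> int:
    """Logical AND of a dotted-quad address with its mask (pages 10-41 to 10-44)."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0


@dataclass
class Filter:
    """One row of a filter set; 0.0.0.0 with mask 0.0.0.0 matches any address."""
    forward: bool                 # Forward: Yes (True) or No (False) on match
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: str = "ANY"            # ANY, TCP, UDP or ICMP
    src_cmp: str = "No Compare"
    src_port: int = 0
    dst_cmp: str = "No Compare"
    dst_port: int = 0
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if masked(pkt.src, self.src_mask) != masked(self.src, self.src_mask):
            return False
        if masked(pkt.dst, self.dst_mask) != masked(self.dst, self.dst_mask):
            return False
        if self.proto != "ANY" and self.proto != pkt.proto:
            return False
        if pkt.proto in ("TCP", "UDP"):      # only TCP and UDP carry port numbers
            if not PORT_COMPARE[self.src_cmp](pkt.sport, self.src_port):
                return False
            if not PORT_COMPARE[self.dst_cmp](pkt.dport, self.dst_port):
                return False
        return True


def evaluate(filters: List[Filter], pkt: Packet,
             default_forward: bool) -> Tuple[bool, Optional[int]]:
    """First matching filter decides; returns (forwarded, 1-based filter number or None)."""
    for number, flt in enumerate(filters, start=1):
        if flt.matches(pkt):
            return flt.forward, number
    return default_forward, None


def ordering_example():
    """Page 10-39: allow WWW, allow FTP, deny FTP. The deny rule is never reached."""
    allow_www = Filter(True, proto="TCP", dst_cmp="Equal", dst_port=80)
    allow_ftp = Filter(True, proto="TCP", dst_cmp="Equal", dst_port=21)
    deny_ftp = Filter(False, proto="TCP", dst_cmp="Equal", dst_port=21)
    ftp = Packet("198.51.100.7", "10.0.0.5", "TCP", sport=40000, dport=21)  # constructed
    as_written = evaluate([allow_www, allow_ftp, deny_ftp], ftp, default_forward=True)
    deny_first = evaluate([deny_ftp, allow_www, allow_ftp], ftp, default_forward=True)
    return as_written, deny_first


def binary_examples() -> List[bool]:
    """Examples 1 to 4, pages 10-41 to 10-43; an unmatched packet is forwarded there."""
    half = Filter(False, src="200.1.1.0", src_mask="255.255.255.128")
    block16 = Filter(False, src="200.1.1.96", src_mask="255.255.255.240")
    cases = [
        (half, "200.1.1.42"),      # example 1: source octet chosen here (page truncates it)
        (half, "200.1.1.184"),     # example 2
        (block16, "200.1.1.184"),  # example 3
        (block16, "200.1.1.104"),  # example 4
    ]
    return [evaluate([flt], Packet(src, "10.0.0.5", "ICMP"), True)[0]
            for flt, src in cases]


def basic_firewall_example() -> Tuple[bool, bool, bool]:
    """Basic Firewall strategy (page 10-33) with the Telnet block of page 10-24 first."""
    block_telnet = Filter(False, src="199.211.211.17", src_mask="255.255.255.255",  # mask assumed
                          proto="TCP", dst_cmp="Equal", dst_port=23)
    tcp_high = Filter(True, proto="TCP", dst_cmp="Greater Than", dst_port=1023)
    udp_high = Filter(True, proto="UDP", dst_cmp="Greater Than", dst_port=1023)
    inbound = [block_telnet, tcp_high, udp_high]
    telnet_from_bad_host = Packet("199.211.211.17", "10.0.0.5", "TCP", 40000, 23)
    telnet_from_other = Packet("203.0.113.9", "10.0.0.5", "TCP", 40000, 23)
    reply_to_client = Packet("203.0.113.9", "10.0.0.5", "TCP", 80, 51000)
    # An input filter set denies anything it does not expressly forward (page 10-32).
    return (evaluate(inbound, telnet_from_bad_host, False)[0],
            evaluate(inbound, telnet_from_other, False)[0],
            evaluate(inbound, reply_to_client, False)[0])


if __name__ == "__main__":
    print(ordering_example(), binary_examples(), basic_firewall_example())
```

Running it shows the three points the chapter makes: the FTP packet is forwarded by filter 2 and the deny rule behind it never sees a packet, the same rule reorders into a block; examples 1 and 4 match and are discarded while 2 and 3 fall through; and in the Basic Firewall set a Telnet attempt from any other host is discarded not by a rule but by the default.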
Security 10-45 Configuration Management Save Current Configuration as... Replace Existing Configuration... Boot from a Configuration... Delete a Configuration... Select Save Current Configuration as, and press Return. The Save Current Configuration screen appears. Save Current Configuration Configuration Name: HappyInternet SAVE CANCEL Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
10-46 Firmware User Guide Configuration Management Save Current Configuration as... Replace Existing Configuration... Boot from a Configuration... Delete a Configuration... A warning screen will ask you to confirm your choice.
Security 10-47 TFTP and X-Modem You can also send or receive your stored configuration files via TFTP or X-Modem. You select the stored configuration files from pull-down menus in the TFTP or X-Modem File Transfer screens in the Utilities & Diagnostics menu, as shown. Note that TFTP provides no authentication or encryption, and a configuration file carries the router’s passwords and shared secrets, so transfer it only across a trusted network and protect the copy kept on the TFTP server. TFTP Trivial File Transfer Protocol (TFTP) TFTP Server Name: Firmware File Name: GET ROUTER FIRMWARE FROM SERVER... Config File Name: Get Configuration Destination... GET CONFIG FROM SERVER... Send Configuration... SEND CONFIG TO SERVER...
10-48 Firmware User Guide Call Filtering Netopia Firmware Version 5.4 supports a call filtering mechanism that lets you control which packets cause connections to be established and which packets cause connections to be maintained (that is, to not time out due to inactivity). This feature is part of the Filter Set management component of the firmware. Call filtering makes use of the existing sets of filter rules that can be associated with a connection.
Security 10-49 Add Output Filter
Enabled:
Forward:
Call Placement/Idle Reset: (pop-up menu: No Change, Disabled)
Source IP Address: 0.0.0.0
Source IP Address Mask: 0.0.0.0
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: ANY
ADD THIS FILTER NOW CANCEL
This pop-up menu allows you to configure what action will be taken for packets that the filter rule specifies should be forwarded.
Utilities and Diagnostics 11-1 Chapter 11 Utilities and Diagnostics A number of utilities and tests are available for system diagnostic and control purposes.
11-2 Firmware User Guide Ping The Netopia Firmware Version 5.4 Router includes a standard Ping test utility. A Ping test generates IP packets destined for a particular (Ping-capable) IP host. Each time the target host receives a Ping packet, it returns a packet to the original sender. Ping allows you to see whether a particular IP destination is reachable from the Router. You can also ascertain the quality and reliability of the connection to the desired destination by studying the Ping test’s statistics.
Utilities and Diagnostics 11-3 Status: The current status of the Ping test. This item can display the status messages shown in the table below:
Message                     Description
Resolving host name         Finding the IP address for the domain name-style address
Can’t resolve host name     IP address can’t be found for the domain name-style address
Pinging                     Ping test is in progress
Complete                    Ping test was completed
Cancelled by user           Ping test was cancelled manually
Destination unreachable from w.x.y.
11-4 Firmware User Guide Packets Lost: The number of packets unaccounted for, shown in total and as a percentage of total packets sent. This statistic may be updated during the Ping test, and may not be accurate until after the test is over. However, if an escalating one-to-one correspondence is seen between Packets Out and Packets Lost, and Packets In is noticeably lagging behind Packets Out, the destination is probably unreachable. In this case, use STOP PING.
Utilities and Diagnostics 11-5 3. Select Timeout (seconds) to set when the trace will timeout for each hop, up to 10 seconds. The default is 3 seconds. 4. Select Use Reverse DNS to learn the names of the routers between the Netopia Router and the destination router. The default is Yes. 5. Select START TRACE ROUTE and press Return. A scrolling screen will appear that lists the destination, number of hops, IP addresses of each hop, and DNS names, if selected. 6. Cancel the trace by pressing Escape.
11-6 Firmware User Guide menu and press Return. ■ To end a suspended session, select Terminate Suspended Session. Select a session from the pop-up menu and press Return. Factory Defaults You can reset the Router to its factory default settings. In the Utilities & Diagnostics screen, select Revert to Factory Defaults and press Return. Select CONTINUE in the dialog box and press Return. The Router will reboot and its settings will return to the factory defaults, deleting your configurations.
Utilities and Diagnostics 11-7 Trivial File Transfer Protocol (TFTP) TFTP Server Name: Firmware File Name: GET ROUTER FIRMWARE FROM SERVER... Config File Name: GET CONFIG FROM SERVER... SEND CONFIG TO SERVER... TFTP Transfer State -- Idle TFTP Current Transfer Bytes -- 0 The sections below describe how to update the Router’s firmware and how to download and upload configuration files.
11-8 Firmware User Guide ■ Select GET ROUTER FIRMWARE FROM SERVER and press Return. You will see the following dialog box: +--------------------------------------------------------------------+ +--------------------------------------------------------------------+ | Are you sure you want to send a firmware file to your Netopia? | | The device will restart when the transfer is complete.
Utilities and Diagnostics 11-9 ■ If you choose to download the configuration file, the TFTP Transfer State item will change from Idle to Reading Config. The TFTP Current Transfer Bytes item will reflect the number of bytes transferred. Uploading configuration files Using TFTP, you can send a file containing a snapshot of the router’s current configuration to a TFTP server.
11-10 Firmware User Guide X-Modem File Transfer Send Firmware to Netopia... Get Configuration Destination... Send Config to Netopia... Current Configuration Send Configuration... Receive Config from Netopia... Current Configuration Updating firmware Firmware updates may be available periodically from Netopia or from a site maintained by your organization’s network administration. Follow these steps to update the Router’s firmware: 1.
Utilities and Diagnostics 11-11 Caution! Do not manually power down or reset the Router while it is automatically resetting or it could be damaged. Downloading configuration files The Router can be configured by downloading a configuration file. The downloaded file reconfigures all of the Router’s parameters. Configuration files are available from a site maintained by your organization’s network administrator or from your local site (see “Uploading configuration files,” below).
11-12 Firmware User Guide +--------------------------------------------------------------------+ +--------------------------------------------------------------------+ | Are you sure you want to save your current Netopia configuration? | | If so, when you hit Return/Enter on the CONTINUE button, you will | | have 10 seconds to begin the transfer from your terminal program. | | | | CANCEL CONTINUE | | | | | +--------------------------------------------------------------------+ 3.
Utilities and Diagnostics 11-13 Utilities & Diagnostics Ping... Trace Route... Telnet... Trivial File Transfer Protocol (TFTP)... X-Modem File Transfer... Restart System... Revert to Factory Defaults... T1 Line Statistics / Diagnostics... Select T1 Line Statistics / Diagnostics and press Return. The T1 Line Statistics / Diagnostics screen appears.
11-14 Firmware User Guide 24 hours: Cumulative statistics, for the preceding 24-hour period. Line Status: Conditions may be Normal Operation, Red Alarm, Yellow Alarm, or (Rmt/Lcl) LoopBack Loopback Status: Current loopback condition Tests: Offers a pop-up menu with the following options: ■ Normal - Clear Loopback clears any local loopbacks and sends an ANSI PLB clear to the remote CSU.
Troubleshooting A-1 Appendix A Troubleshooting This appendix is intended to help you troubleshoot problems you may encounter while setting up and using the Netopia Firmware Version 5.4. It also includes information on how to contact Netopia Technical Support. Important information on these problems can be found in the event histories kept by the Router. These event histories can be accessed in the Statistics & Logs screen.
A-2 Firmware User Guide Note: If you are attempting to modify the IP address or subnet mask from a previous, successful configuration attempt, you will need to clear the IP address or reset your Router to the factory default before reinitiating the configuration process. For further information on resetting your Router to factory default, see “How to Reset the Router to Factory Defaults” on page A-3.
Troubleshooting A-3 How to Reset the Router to Factory Defaults Lose your password? This section shows how to reset the router so that you can access the console screens once again. Keep in mind that all of your connection profiles and settings will need to be reconfigured. If you don't have a password, the only way to get back into the Router is the following: 1. Turn the router upside down. 2. Referring to the diagram below, find the paper clip-size Reset Switch slot. Reset Switch Slot 3.
A-4 Firmware User Guide Technical Support Netopia, Inc. is committed to providing its customers with reliable products and documentation, backed by excellent technical support. Before contacting Netopia Look in this guide for a solution to your problem. You may find a solution in this troubleshooting appendix or in other sections. Check the index for a reference to the topic of concern. If you cannot find a solution, complete the environment profile below before contacting Netopia Technical Support.
Understanding IP Addressing B-1 Appendix B Understanding IP Addressing This appendix is a brief general introduction to IP addressing. A basic understanding of IP will help you in configuring the Netopia Firmware Version 5.4 and using some of its powerful features, such as static routes and packet filtering.
B-2 Firmware User Guide IP addresses indicate both the identity of the network and the identity of the individual host on the network. The number of bits used for the network number and the number of bits used for the host number can vary, as long as certain rules are followed. The local network manager assigns IP host numbers to individual machines. IP addresses are maintained and assigned by the InterNIC, a quasi-governmental organization now increasingly under the auspices of private industry.
Understanding IP Addressing B-3 Subnet numbers appear within IP addresses, along with network numbers and host numbers. Since an IP address is always 32 bits long, using subnet numbers means either the network number or the host numbers must use fewer bits in order to leave room for the subnet numbers. Since the InterNIC assigns the network number proper, it should not change, so the subnet numbers must be created out of bits that would otherwise be part of the host numbers.
B-4 Firmware User Guide Network configuration Below is a diagram of a simple network configuration. The ISP is providing a Class C address to the customer site, and both networks A and B want to gain Internet access through this address. Router B connects to Router A and is provided Internet access through Routers A and B. Customer Site A PC 1: IP Address: 192.168.1.3 Subnet Mask: 255.255.255.128 Gateway: 192.168.1.1 Router B: ISP Network Router A: IP Address: 10.0.0.1 Subnet Mask: 255.255.255.
Understanding IP Addressing B-5 Background The IP addresses and routing configurations for the devices shown in the diagram are outlined below. In addition, each individual field and its meaning are described. The IP Address and Subnet Mask fields define the IP address and subnet mask of the device's Ethernet connection to the network while the Remote IP and Remote Sub fields describe the IP address and subnet mask of the remote router. This information is entered in the connection profile of the Router.
B-6 Firmware User Guide There are two schemes for distributing the remaining IP addresses: ■ Manually give each computer an address ■ Let the Router automatically distribute the addresses These two methods are not mutually exclusive; you can manually issue some of the addresses while the rest are distributed by the Router. Using the router in this way allows it to function as an address server.
Understanding IP Addressing B-7
Number of Devices (other than Router) on Local Network   Largest Possible Ethernet Subnet Mask
30-61                                                    255.255.255.192
62-125                                                   255.255.255.128
125-259                                                  255.255.255.0
Configuration This section describes the specific IP address lease, renew, and release mechanisms for both the Mac and PC, with either DHCP or MacIP address serving. DHCP address serving Windows 95 workstation: ■ The Win95 workstation requests and renews its lease every half hour.
B-8 Firmware User Guide ■ The Router releases the DHCP address back to the available DHCP address pool exactly one hour after the last-heard lease request. Some other DHCP implementations may hold on to the lease for an additional time after the lease expired to act as a buffer for variances in clocks between the client and server.
Understanding IP Addressing B-9 In any situation where a device is dialing into a Netopia router, the router may need to be configured to serve IP via the WAN interface. This is only a requirement if the calling device has not been configured locally to know what its address(es) are. So when a client, dialing into a Netopia router's WAN interface, is expecting addresses to be served by the answering router, you must set the answering Netopia router to serve IP via its WAN interface.
B-10 Firmware User Guide [Figure: a block of 16 IP host addresses derived from the network IP address and mask issued by the ISP; address 1 is distributed to the Router as its Ethernet IP address, a group of addresses is manually distributed (static), and the remaining addresses form the pool distributed by MacIP and DHCP.] The figure above shows an example of a block of IP addresses being distributed correctly.
Nested IP Subnets

Under certain circumstances, you may want to create remote subnets from the limited number of IP addresses issued by your ISP or other authority. You can do this using connection profiles. These subnets can be nested within the range of IP addresses available to your network. For example, suppose that you obtain the Class C network address a.b.c.0 to be distributed among three networks.
[Figure: the Internet, Router A (a.b.c.1) on network a.b.c.0, and Routers B and C serving the nested subnets a.b.c.128 and a.b.c.248; other addresses shown in the figure are a.b.c.16, a.b.c.2, a.b.c.129 and a.b.c.249.]

Routers B and C (which could also be Routers) serve the two remote networks that are subnets of a.b.c.0. The subnetting is accomplished by configuring the Router with connection profiles for Routers B and C (see the following table).

Connection profile    Remote IP address    Remote IP mask    Bits available for host address
For Router B          a.b.c.128            255.255.255.
IP Routing Table

Network Address    Subnet Mask        via Router    Port        Type
------------------------------------SCROLL UP------------------------------------
0.0.0.0            0.0.0.0            a.b.c.1       -           Other
127.0.0.1          255.255.255.255    127.0.0.1     Loopback    Local
a.b.c.128          255.255.255.192    a.b.c.128     WAN         Local
a.b.c.248          255.255.255.248    a.b.c.
The following diagram illustrates the IP address space taken up by the two remote IP subnets. You can see from the diagram why the term nested is appropriate for describing these subnets.

[Diagram: the address range available to a.b.c.0, less the two nested subnets, starting at host address 1; valid addresses 129 through 190 are used by a.b.c.128, and valid addresses 249 through 254 are used by a.b.c.248.]

Broadcasts

As mentioned earlier, binary IP host or subnet addresses composed entirely of ones or zeros are reserved for broadcasting.
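A worked version of the nested-subnet plan above, as an added example that is not part of the original guide: it uses Python's standard ipaddress module, writes the guide's a.b.c.0 as the documentation range 192.0.2.0 (an assumption; substitute the network your ISP issued), checks that the two nested subnets fit inside the parent without overlapping, reports each subnet's valid host range and broadcast address, and also derives the largest possible Ethernet subnet mask for a given number of devices, as the table earlier in this appendix does.

```python
import ipaddress

# Constructed values: the guide's a.b.c.0 is written here as 192.0.2.0, and the
# nested subnets are the two from the routing table (a.b.c.128/26, a.b.c.248/29).
PARENT = ipaddress.ip_network("192.0.2.0/24")
NESTED = [ipaddress.ip_network("192.0.2.128/26"),
          ipaddress.ip_network("192.0.2.248/29")]


def largest_mask_for(devices_other_than_router):
    """Largest possible Ethernet subnet mask (dotted decimal) whose usable
    host addresses fit the router plus the given number of devices."""
    needed = devices_other_than_router + 1 + 2      # + router, network and broadcast addresses
    host_bits = max(2, (needed - 1).bit_length())   # smallest power of two >= needed
    return str(ipaddress.ip_network(f"0.0.0.0/{32 - host_bits}").netmask)


def nested_subnet_plan(parent, nested):
    """Return (valid host range and broadcast per nested subnet, free ranges
    left on the parent) after checking that the subnets nest without overlap."""
    for i, net in enumerate(nested):
        if not net.subnet_of(parent):
            raise ValueError(f"{net} is not inside {parent}")
        for other in nested[i + 1:]:
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}")
    plan = {}
    for net in nested:
        hosts = list(net.hosts())   # all-zeros and all-ones host parts are excluded
        plan[str(net)] = (str(hosts[0]), str(hosts[-1]), str(net.broadcast_address))
    # Contiguous runs of parent host addresses not taken by any nested subnet
    # (the parent's own network and broadcast addresses are never handed out).
    free, start, prev = [], None, None
    for addr in parent.hosts():
        if any(addr in net for net in nested):
            continue
        if prev is not None and addr == prev + 1:
            prev = addr
            continue
        if start is not None:
            free.append((str(start), str(prev)))
        start = prev = addr
    if start is not None:
        free.append((str(start), str(prev)))
    return plan, free


if __name__ == "__main__":
    for n in (61, 62, 125):
        print(f"{n} devices -> largest mask {largest_mask_for(n)}")
    plan, free = nested_subnet_plan(PARENT, NESTED)
    for net, (first, last, bcast) in plan.items():
        print(f"{net}: hosts {first}-{last}, broadcast {bcast}")
    print("free on parent:", free)
```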
Appendix C Binary Conversion Table

This table is provided to help you choose subnet numbers and host numbers for IP and MacIP networks that use subnetting for IP addresses.
Decimal  Binary      Decimal  Binary      Decimal  Binary      Decimal  Binary
128      10000000    160      10100000    192      11000000    224      11100000
129      10000001    161      10100001    193      11000001    225      11100001
130      10000010    162      10100010    194      11000010    226      11100010
131      10000011    163      10100011    195      11000011    227      11100011
132      10000100    164      10100100    196      11000100    228      11100100
133      10000101    165      10100101    197      11000101    229      11100101
134      10000110    166      10100110    198      11000110    230      11100110
Index

A
add static route 6-8
ADSL Line Configuration 2-2
advanced configuration features 2-35
ATMP 4-10
  tunnel options 4-8

B
backup default gateway 7-13
backup, line 7-1
basic firewall 10-32
BootP 6-17
  clients 6-23
broadcasts B-14

C
change static route 6-9
community strings 9-12
configuration troubleshooting
  PC A-1
configuration files
  downloading with TFTP 11-8
  downloading with XMODEM 11-11
  uploading with TFTP 11-9
  uploading with XMODEM 11-11
Configuration Management 10-44
configuration screens pro
  11
  with TFTP 11-8
  with XMODEM 11-11
Dynamic Host Configuration Protocol (DHCP) 6-17
Dynamic Host Configuration Protocol, see DHCP
Dynamic WAN 6-17

E
Easy Setup
  navigating 1-7
encryption 4-3, 4-7, 4-10, 5-1
event history
  device 9-5
  WAN 9-5
Exposed Addresses 2-40

F
filter
  parts 10-21
  parts of 10-21
filter priority 10-19
filter set
  adding 10-27
  display 10-23
filter sets
  adding 10-27
  defined 10-18
  deleting 10-31
  disadvantages 10-25
  sample (Basic Firewall) 10-31
  using 10-26
filtering example #1 10-24
fi
  static B-8
IP passthrough 3-27
IP setup 6-2
IP trap receivers
  deleting 9-13
  modifying 9-13
  setting 9-13
  viewing 9-13
IPsec 4-3, 4-7, 5-1

L
latency 10-35
LED status 9-3
LEDs 9-3
line backup 7-1
  backup IP gateway 7-15
  connection profiles 7-7
  management and statistics 7-10, 716
  scheduled connections 7-8
  WAN configuration 7-2, 7-3

M
MIBs supported 9-10
model numbers 1-3
MPPE 4-10
MS-CHAPv2 4-11
Multicast Forwarding 6-34
Multiple Data Link Encapsulation Settings 2-25
multiple subnets 6-4

N
NAT
  adding se
port number comparisons 10-22
port numbers 10-21
PPTP 4-10
  tunnel options 4-4
PVC 2-16

Q
quality of service 10-35
Quick View 9-1

R
restarting the system 11-12
restricting telnet access 10-17
RFC-1483 Transparent Bridging 2-44
RIP-2 MD5 Authentication 6-10
router to serve IP addresses to hosts 61
routing tables
  IP 6-6, 9-7

S
scheduled connections 2-29
  adding 2-31
  deleting 2-34
  modifying 2-34
  once-only 2-33
  viewing 2-30
  weekly 2-32
SDSL/IDSL Line Configuration 2-3
security
  filters 10-18–10-34
  measure
  defined 11-6
  downloading configuration files 11-8
  updating firmware 11-7
  uploading configuration files 11-9
TFTP, transferring files 11-6
tiered access 10-2
TOS bit 10-35
Trivial File Transfer Protocol (TFTP) 11-6
Trivial File Transfer Protocol, see TFTP
troubleshooting A-1
  configuration PC A-1
  event histories 9-4
trusted host 10-33
trusted subnet 10-33
tunnel options
  ATMP 4-8
  PPTP 4-4
tunneling 4-2

U
Universal Plug and Play (UPnP™) 10-2
Unspecified Bit Rate (UBR) 2-18
updating firmware
  with TFTP 1