LAN-Cell 2 3G Cellular Router + VPN + Firewall User’s Guide Version 4.02 November 2008 Edition 2 www.proxicast.
Contents Overview
Introduction (25)
Getting to Know Your LAN-Cell 2 (27)
Introducing the Web Configurator & Home Screen (35)
Tutorials: 3G Modem Setup & VPN Wizard ...
Ethernet WAN Internet Access (447)
DMZ Setup (453)
Route Setup (457)
WLAN Setup ...
Table of Contents
Contents Overview (3)
Table of Contents (5)
About This User's Guide (19)
Document Conventions ...
2.3.9 Bandwidth Monitor (49)
2.3.10 Status Bar (50)
2.4 Resetting the LAN-Cell (51)
Chapter 3 Tutorials: 3G Modem Setup & VPN Wizard ...
5.2.2 WAN Connectivity Check (101)
5.3 WAN Screen (103)
5.3.1 WAN Ethernet Encapsulation (104)
5.3.2 PPPoE Encapsulation ...
7.8 Configuring Wireless Security (153)
7.8.1 No Security (155)
7.8.2 Static WEP (155)
7.8.3 IEEE 802.1x Only ...
9.7.1 Firewall Edit Custom Service (195)
9.7.2 My Service Firewall Rule Example (196)
9.8 Firewall Technical Reference (200)
Chapter 10 IPSec VPN Config Screens ...
11.7 Trusted CA Details Screen (270)
11.8 Trusted CA Import Screen (273)
11.9 Trusted Remote Hosts Screen (274)
11.10 Trusted Remote Hosts Import Screen ...
14.4 Configure DNS Cache (313)
14.5 Configuring DNS DHCP (315)
14.6 DDNS Screen (316)
14.7 Configuring Dynamic DNS ...
18.1.1 What You Can Do in the Bandwidth Management Screens (349)
18.1.2 What You Need to Know About Bandwidth Management (350)
18.1.3 Bandwidth Management Examples (351)
18.2 Bandwidth Management Summary Screen (354)
18.3 Class Setup Screen ...
22.5 F/W Upload Screen (403)
22.6 Backup and Restore Screen (405)
22.7 Restart Screen (407)
22.8 The Diagnostics Screen ...
26.1 Introduction to LAN Setup (441)
26.2 Accessing the LAN Menus (441)
26.3 LAN Port Filter Setup (441)
26.4 TCP/IP and DHCP Ethernet Setup Menu ...
31.4 Edit IP (469)
31.5 Remote Node Filter (471)
Chapter 32 IP Static Route Setup (473)
32.1 IP Static Route Setup ...
35.6.2 Applying DMZ Filters (512)
35.6.3 Applying Remote Node Filters (513)
Chapter 36 SNMP Configuration (515)
36.1 SNMP Configuration ...
38.5.3 FTP File Upload Command from the DOS Prompt Example (539)
38.5.4 FTP Session Example of Firmware File Upload (539)
38.5.5 TFTP File Upload (539)
38.5.6 TFTP Upload Command Example (540)
38.5.7 Uploading Via Console Port ...
43.2 LAN-Cell Access and Login (570)
43.3 Internet Access (572)
Chapter 44 Product Specifications (575)
Part VIII: Appendices ...
About This User's Guide
Intended Audience
This manual is intended for people who want to configure the LAN-Cell 2 using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Related Documentation
• Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
Document Conventions
Warnings and Notes
These are how warnings and notes are shown in this User's Guide.
Warnings tell you about things that could harm you or your device.
Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
• The LAN-Cell 2 may be referred to as the "LAN-Cell", the "device" or the "system" in this User's Guide.
Icons Used in Figures
Figures in this User's Guide may use the following generic icons. The LAN-Cell icon is not an exact representation of your device.
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s).
• If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
This product is recyclable. Dispose of it properly.
PART I Introduction
Getting to Know Your LAN-Cell 2 (27)
Introducing the Web Configurator & Home Screen (35)
Tutorials: 3G Modem Setup & VPN Wizard (53)
CHAPTER 1 Getting to Know Your LAN-Cell 2
This chapter introduces the main features and applications of the LAN-Cell 2.
1.1 LAN-Cell 2: 3G Cellular Router + VPN + Firewall Overview
The LAN-Cell 2 is Proxicast's second generation of enterprise-grade secure cellular gateways. This model features customer-accessible and removable "3G" PC-Card (PCMCIA) cellular modems, the same ones commonly used to provide high-speed 3G cellular connectivity to laptops.
• Command Line Interface. Line commands are mostly used for troubleshooting by service engineers and also provide access to some of the LAN-Cell's more advanced features.
• SNMP. The device can be monitored by an SNMP manager. See the SNMP chapter in this User's Guide.
1.3 Good Habits for Managing the LAN-Cell
Do the following things regularly to make the LAN-Cell more secure and to manage the LAN-Cell more effectively.
• Change the password. The factory default ("1234") is printed in this guide, so anyone who can reach a management interface can log in until you change it.
1.4.2 Redundant Secure Broadband Internet Access via Ethernet or Cellular
Connect the LAN-Cell's Ethernet WAN port to your existing Internet access gateway (company network, or your cable or DSL modem for example). Connect computers or servers to the LAN, DMZ or WLAN ports for shared Internet access.
1.5 Front Panel Indicators
Figure 4 Front Panel
The following table describes the LAN-Cell's front panel indicator lights.
Table 1 Front Panel Lights
LEDs and their colors: PWR (green/red); LAN/DMZ 1-4 (green/orange); WAN (green/orange); AUX (green); WLAN (green); CELL (green/orange, or green and orange together).
PWR, Off: The LAN-Cell is turned off.
PWR, On: The LAN-Cell is ready and running.
PWR, Flashing: Power-on Self Test is in progress.
1.6 Rear Panel Connections
Figure 5 Rear Panel
The following table describes the LAN-Cell 2's rear panel connections.
Table 2 Rear Panel Connections
PWR: Connect the included 12V DC power adapter to this power jack.
RESET: To erase all user-entered settings, press and hold the reset button with a small object such as a paperclip for approximately 10 seconds until the PWR LED begins to flash.
1.7 Card-Lock
The LAN-Cell 2's Card-Lock system provides a mechanism for securing the PC Card modem to prevent it from coming loose in mobile applications.
1 Insert a cable-tie through the two Card-Lock brackets above and below the PC-Card slot (Figure 6), leaving enough slack to accommodate the portion of the PC-Card that extends outside of the LAN-Cell.
Figure 6 Card-Lock Step 1
2 Rotate the loop toward the front of the LAN-Cell (Figure 7).
3 Insert the PC-Card modem into the card slot, keeping the cable-tie loop toward the front of the LAN-Cell (Figure 8).
Figure 8 Card-Lock Step 3
4 Once the PC-Card is inserted, slide the loop over the protruding end of the card and pull the bottom of the cable-tie straight down to tighten the loop against the card (Figure 9).
5 Bring the bottom of the cable-tie up to secure it with the cable-tie lock (Figure 10).
Figure 10 Card-Lock Step 5
6 Tighten the cable-tie against the PC Card (Figure 11).
Figure 11 Card-Lock Step 6
You may also wish to lock the PC Card's external antenna "pig-tail" cable inside the cable-tie loop to minimize movement of the antenna cable.
CHAPTER 2 Introducing the Web Configurator & Home Screen
This chapter describes how to access the LAN-Cell web configurator and provides an overview of its screens.
2.1 Web Configurator Overview
The web configurator is an HTML-based management interface that allows easy LAN-Cell setup and management via an Internet browser. Use Internet Explorer 6.0 or later, or Netscape Navigator 7.0 or later. The recommended screen resolution is 1024 by 768 pixels.
Figure 12 Web Configurator Login Screen
4 Type "1234" (default) as the password and click Login.
5 You should see a screen (Figure 13) asking you to change your password (highly recommended). Type a new password (and retype it to confirm) and click Apply, or click Ignore.
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the LAN-Cell if this happens to you.
2.3 Navigating the LAN-Cell Web Configurator
The following summarizes how to navigate the web configurator from the HOME screen.
2.3.2 Navigation Panel
The following table describes the sub-menus on the left side navigation panel.
Table 3 Screens Summary
HOME: This screen shows the LAN-Cell's general device and network status information. Use this screen to access the wizards, statistics and DHCP table.
NETWORK (tabs: LAN, WAN, DMZ, WLAN)
LAN: Use this screen to configure LAN DHCP and TCP/IP settings.
Table 3 Screens Summary (continued)
FIREWALL
Default Rule: Use this screen to activate/deactivate the firewall and choose the direction of network traffic to which the rule applies.
Rule Summary: This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule.
Anti-Probing: Use this screen to change your anti-probing settings.
Threshold: Use this screen to configure the threshold for DoS attacks.
Table 3 Screens Summary (continued)
REMOTE MGMT
WWW: Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the LAN-Cell.
SSH: Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the LAN-Cell.
Right after you log in, the HOME screen is displayed.
2.3.4 HOME Screen
This screen displays general status information about the LAN-Cell.
Figure 16 Web Configurator HOME Screen
The following table describes the labels in this screen.
Table 4 Web Configurator HOME Screen (continued)
System Time: This field displays your LAN-Cell's present date (in yyyy-mm-dd format) and time (in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the LAN-Cell to use it.
IP Assignment: For the WAN, if the LAN-Cell gets its IP address automatically from an ISP, this displays DHCP client when you're using Ethernet encapsulation and IPCP Client when you're using PPPoE or PPTP encapsulation. Static displays if the WAN port is using a manually entered static (fixed) IP address.
Cellular Card Firmware Revision: This displays the version of the firmware currently used in the 3G card.
Cellular Card IMEI: This field is available only when you insert a GSM (Global System for Mobile Communications) or UMTS (Universal Mobile Telecommunications System) cellular card.
Wi-Fi Information
Wi-Fi status: This displays whether or not the wireless LAN card is activated.
SSID: This displays a descriptive name used to identify the LAN-Cell in the wireless LAN.
Bridge To: This displays whether the wireless LAN card is used as part of the LAN, DMZ or WLAN.
802.11 Mode: This displays the wireless standard (802.11a, 802.11b, 802.11g or 802.
Figure 17 HOME > Show Statistics
The following table describes the labels in this screen.
Table 5 HOME > Show Statistics
(chart icon): Click the icon to display the chart of throughput statistics.
Port: These are the LAN-Cell's interfaces.
Figure 18 HOME > Show Statistics > Line Chart
The following table describes the labels in this screen.
Table 6 HOME > Show Statistics > Line Chart
(back icon): Click the icon to go back to the Show Statistics screen.
Port: Select the check box(es) to display the throughput statistics of the corresponding interface(s).
B/s: Specify the direction of the traffic for which you want to show throughput statistics in this table.
Figure 19 HOME > DHCP Table
The following table describes the labels in this screen.
Table 7 HOME > DHCP Table
Interface: Select LAN, DMZ or WLAN to show the current DHCP client information for the specified interface.
#: This is the index number of the host computer.
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
Figure 20 HOME > VPN Status
The following table describes the labels in this screen.
Table 8 HOME > VPN Status
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your LAN-Cell.
Figure 21 Home > Bandwidth Monitor
The following table describes the labels in this screen.
Table 9 ADVANCED > BW MGMT > Monitor
Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
Class: This field displays the name of the bandwidth class. A Default Class automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes.
2.4 Resetting the LAN-Cell
If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the LAN-Cell. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. Either way, all user-entered settings are lost and the default password is restored, so change it again as soon as you log back in.
CHAPTER 3 Tutorials: 3G Modem Setup & VPN Wizard This chapter describes how to set up a 3G Cellular PC-Card modem WAN connection and how to configure a basic VPN using the VPN Wizard and firewall security settings. 3.1 Setting Up a 3G WAN Connection 3.1.1 Inserting a 3G PC-Card To enable and use the 3G WAN connection, you need to insert a 3G PC-Card in the LAN-Cell. 1 Turn the LAN-Cell off before you install or remove a 3G card.
3.1.2 Configuring 3G WAN Settings
You should already have an activated user account and network access information from the service provider.
1 Click WIRELESS > Cellular on the LAN-Cell.
2 Make sure that the Cellular interface is Enabled.
3 For GSM networks such as AT&T, T-Mobile, Rogers, Vodafone, Orange, MTN, etc., enter the APN (Access Point Name) and phone number (typically *99#) that were provided by your service provider.
Figure 23 Tutorial: WIRELESS > Cellular (3G WAN) - GSM Example
3.1.3 Checking WAN Connections
1 Go to the web configurator's Home screen.
2 In the network status table, make sure the status for Cellular is not Down and there is an IP address. If the Cellular connection is not up, make sure you have entered the correct information in the Cellular screen and the signal strength to the service provider's base station is not too low.
Figure 24 Tutorial: Home
3.2 VPN Wizard Overview
The web configurator contains a "wizard" feature to help you easily set up a basic IPSec VPN connection. From the left-side navigation menu, select SECURITY then click the VPN Wizard menu item to open the VPN Wizard screen. Use this wizard to configure a VPN connection that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN Config screens for configuration. See Section 3.2.1 on page 57.
Table 10 VPN Wizard: Gateway Setting
Remote Gateway Address: Enter the WAN IP address or domain name of the remote IPSec router (secure gateway) in this field to identify the remote IPSec router by its IP address or a domain name. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
Table 11 VPN Wizard: Network Setting
Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Figure 27 VPN Wizard: IKE Tunnel Setting
The following table describes the labels in this screen.
Table 12 VPN Wizard: IKE Tunnel Setting
Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords. Be aware that in Aggressive Mode the identities and the hash computed from the pre-shared key are exchanged before the channel is encrypted, so anyone who captures the exchange can run an offline dictionary attack against the key; prefer Main Mode where both gateways have static addresses, and use a long random pre-shared key if you must use Aggressive Mode.
Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
Table 12 VPN Wizard: IKE Tunnel Setting (continued)
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters.
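The pre-shared key limits above are easy to get wrong by hand (a hex key that is one digit short, a key pasted with a trailing space), and a key chosen by a person is rarely as strong as the field allows. The following added example, which is not Proxicast's code and is not taken from this guide, checks a candidate key against the two forms quoted in Table 12, generates a random key at the maximum allowed length from the operating system's CSPRNG, and reports how much entropy a key of a given form and length carries. The function names, the exclusion of the space character from "ASCII", and the treatment of the two forms as separate are this example's assumptions.

```python
import math
import re
import secrets
import string
from typing import Optional

# Limits quoted from the VPN Wizard's Pre-Shared Key field (Table 12):
# 8-31 case-sensitive ASCII characters, or 16-62 hexadecimal digits.
ASCII_MIN, ASCII_MAX = 8, 31
HEX_MIN, HEX_MAX = 16, 62

_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# Printable ASCII without the space character (94 symbols). The guide only
# says "ASCII"; leaving out space and non-printables is this example's
# assumption, chosen so keys survive copy/paste between two gateways.
_ASCII_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def validate_psk(psk: str, form: str) -> bool:
    """True if psk meets the length and character rules for form 'ascii' or 'hex'."""
    if form == "ascii":
        return (ASCII_MIN <= len(psk) <= ASCII_MAX
                and all(c in _ASCII_ALPHABET for c in psk))
    if form == "hex":
        return HEX_MIN <= len(psk) <= HEX_MAX and _HEX_RE.match(psk) is not None
    raise ValueError("form must be 'ascii' or 'hex'")


def generate_psk(form: str = "hex", length: Optional[int] = None) -> str:
    """Random key from the OS CSPRNG, at the maximum length unless told otherwise."""
    if form == "hex":
        n = HEX_MAX if length is None else length
        # token_hex yields two digits per byte; trim to the requested digit count.
        key = secrets.token_hex((n + 1) // 2)[:n].upper()
    elif form == "ascii":
        n = ASCII_MAX if length is None else length
        key = "".join(secrets.choice(_ASCII_ALPHABET) for _ in range(n))
    else:
        raise ValueError("form must be 'ascii' or 'hex'")
    if not validate_psk(key, form):
        raise ValueError(f"requested length {n} is outside the allowed range")
    return key


def psk_entropy_bits(form: str, length: int) -> float:
    """Entropy of a uniformly random key of this form and length."""
    symbols = 16 if form == "hex" else len(_ASCII_ALPHABET)
    return length * math.log2(symbols)


if __name__ == "__main__":
    for form in ("hex", "ascii"):
        key = generate_psk(form)
        print(f"{form}: {key}  ({psk_entropy_bits(form, len(key)):.0f} bits)")
```

A 62-digit hex key gives 248 bits of entropy and a 31-character key from the 94-symbol alphabet about 203 bits, so either form is far beyond what an offline attack on an Aggressive Mode exchange can recover; the weakness is only ever in short or guessable keys. Enter the same generated string on both gateways.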
Table 13 VPN Wizard: IPSec Setting (continued)
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. Note that a 56-bit DES key can be recovered by brute force with modest hardware, so DES should not be chosen for new tunnels, and that 3DES provides roughly 112 bits of effective security (not 168) because of the meet-in-the-middle attack.
Figure 29 VPN Wizard: VPN Status
The following table describes the labels in this screen.
Table 14 VPN Wizard: VPN Status
Gateway Policy Property
Name: This is the name of this VPN gateway policy.
Gateway Policy Setting
My LAN-Cell: This is the WAN IP address or the domain name of your LAN-Cell.
Remote Gateway Address: This is the IP address or the domain name used to identify the remote IPSec router.
Table 14 VPN Wizard: VPN Status (continued)
Remote Network
Starting IP Address: This is a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask: When the remote network is configured for a single IP address, this field is N/A. When the remote network is configured for a range of IP addresses, this is the end (static) IP address of the range of computers on the network behind the remote IPSec router.
Figure 30 VPN Wizard Setup Complete
3.3 Security Settings for VPN Traffic
The LAN-Cell can apply the firewall and content filtering to the traffic going to or from the LAN-Cell's VPN tunnels. The LAN-Cell applies the security settings to the traffic before encrypting VPN traffic that it sends out or after decrypting received VPN traffic.
Note: The security settings apply to VPN traffic going to or from the LAN-Cell's VPN tunnels.
1 Click Security > VPN CONFIG to open the following screen. Click the Add Gateway Policy icon.
Figure 32 SECURITY > VPN CONFIG > VPN Rules (IKE)
2 Use this screen to set up the connection between the routers. Configure the fields that are circled as follows and click Apply.
Figure 33 SECURITY > VPN CONFIG > VPN Rules (IKE) > Add Gateway Policy
3 Click the Add Network Policy icon.
Figure 34 SECURITY > VPN CONFIG > VPN Rules (IKE): With Gateway Policy Example
4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers. This is due to the following reasons.
• While FTP uses a control session on port 21, the port for the data session is not fixed: in active mode the server opens the data connection from port 20 to a client-chosen port, and in passive mode the client connects to a port the server picks dynamically. A policy pinned to a single port would therefore break the data transfer.
Figure 35 SECURITY > VPN CONFIG > VPN Rules (IKE) > Add Network Policy
3.3.3 Configuring the Firewall Rules
Suppose you have several VPN tunnels but you only want to allow device B's network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on). The following sections show how to configure firewall rules to enforce these restrictions.
3.3.3.1 Firewall Rule to Allow Access Example
Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server.
1 Click Security > Firewall > Rule Summary.
2 Select VPN to LAN as the packet direction and click Refresh.
Figure 36 SECURITY > FIREWALL > Rule Summary
3 Insert a new rule by clicking the plus sign (+) under the Modify column. Define the rule as shown in the following figure and click Apply.
Figure 37 SECURITY > FIREWALL > Rule Summary > Edit: Allow
4 The rule displays in the summary list of VPN to LAN firewall rules.
Figure 38 SECURITY > FIREWALL > Rule Summary: Allow
3.3.3.2 Default Firewall Rule to Block Other Access Example
Now configure the default firewall rule to block all VPN to LAN traffic. This blocks any other type of access from VPN tunnels to the LAN FTP server, and it also blocks every other VPN tunnel from reaching the LAN at all, so you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN. Configuring the allow rule first and the default block second, as done here, avoids a window in which all tunnel traffic is dropped.
1 Click SECURITY > FIREWALL > Default Rule.
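The two steps above (one explicit allow rule, then a default rule that drops everything else in the VPN to LAN direction) are a first-match policy, and it is worth checking the resulting behaviour against concrete packets before relying on it. The following added example, which is not the LAN-Cell's firewall code and is not taken from this guide, models that evaluation: rules are tried in order for the packet's direction, and the direction's default rule decides anything left over. Device B's network (192.168.2.0/24), the FTP server (192.168.1.10), the other tunnel's network (192.168.3.0/24) and the service-to-port table are constructed for this example; the figures in the tutorial are not reproduced on this page, so these addresses are assumptions, not the tutorial's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Service name -> set of (protocol, destination port). Only what this example
# needs; the LAN-Cell's predefined service list is not reproduced on this page.
SERVICES = {
    "FTP": {("tcp", 21)},     # control connection only; see the note below
    "HTTP": {("tcp", 80)},
    "SMTP": {("tcp", 25)},
}


@dataclass(frozen=True)
class Rule:
    direction: str   # packet direction as selected in Rule Summary, e.g. "VPN to LAN"
    source: str      # CIDR the source address must fall in
    dest: str        # CIDR the destination address must fall in
    service: str     # key of SERVICES, or "ANY"
    action: str      # "permit" or "drop"


def _service_matches(service: str, proto: str, dport: int) -> bool:
    return service == "ANY" or (proto, dport) in SERVICES[service]


def evaluate(rules: List[Rule], defaults: Dict[str, str], direction: str,
             src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule for the direction wins; otherwise the direction's
    default rule (SECURITY > FIREWALL > Default Rule) decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.direction != direction:
            continue
        if s not in ipaddress.ip_network(r.source):
            continue
        if d not in ipaddress.ip_network(r.dest):
            continue
        if not _service_matches(r.service, proto, dport):
            continue
        return r.action
    return defaults[direction]


# Constructed scenario (assumed addresses, not from the guide's figures).
DEVICE_B_NET = "192.168.2.0/24"
FTP_SERVER = "192.168.1.10/32"

RULES = [
    Rule("VPN to LAN", DEVICE_B_NET, FTP_SERVER, "FTP", "permit"),  # Section 3.3.3.1
]
DEFAULTS = {"VPN to LAN": "drop"}                                    # Section 3.3.3.2


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Verdict for a packet arriving from a VPN tunnel and headed for the LAN."""
    return evaluate(RULES, DEFAULTS, "VPN to LAN", src, dst, proto, dport)


if __name__ == "__main__":
    for pkt in [("192.168.2.5", "192.168.1.10", "tcp", 21),   # B -> FTP server: permit
                ("192.168.2.5", "192.168.1.10", "tcp", 80),   # B -> web on the same host: drop
                ("192.168.3.5", "192.168.1.10", "tcp", 21),   # another tunnel -> FTP: drop
                ("192.168.2.5", "192.168.1.20", "tcp", 21)]:  # B -> a different LAN host: drop
        print(pkt, "->", decide(*pkt))
```

Only the FTP control connection (tcp/21) is matched here. The data connection uses a dynamic port, so a stateful firewall has to read the PORT or PASV exchange on the control channel and open the data port on demand; if yours does not, passive-mode transfers to the server will stall after login even though this policy looks right.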
PART II Network & Wireless Menus
LAN Screens (77)
WAN & 3G Cellular Screens (89)
DMZ Screens (127)
Wireless LAN (WLAN) Screens (137)
Wi-Fi Screens (163)
Note: The WIRELESS > CELLULAR menu option is a short-cut to the WAN > CELLULAR screen.
CHAPTER 4 LAN Screens 4.1 LAN, WAN and the LAN-Cell This chapter describes how to configure LAN settings. A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the LAN-Cell’s LAN ports. The Wide Area Network (WAN) is another network (most likely the Internet) that you connect to the LAN-Cell’s WAN port.
4.1.2 What You Need to Know About LAN
IP Address and Subnet Mask
Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number. Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets (since superseded by RFC 1918, which keeps the same private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and RFC 1466, Guidelines for Management of IP Address Space.
MAC Address
Every Ethernet device has a unique MAC (Media Access Control) address.
Multicast
Traditionally, IP packets are transmitted in one of two ways: Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network, not everybody and not just 1. IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data.
Chapter 4 LAN Screens Figure 41 NETWORK > LAN The following table describes the labels in this screen. Table 15 NETWORK > LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your LAN-Cell in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address. IP Subnet Mask The subnet mask specifies the network number portion of an IP address.
Table 15 NETWORK > LAN (continued)
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the LAN-Cell sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Table 15 NETWORK > LAN (continued)
Allow between LAN and Cellular: Select this check box to forward NetBIOS packets from the LAN to CELL and from CELL to the LAN. If your firewall is enabled with the default policy set to block CELL to LAN traffic, you also need to enable the default CELL to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to CELL and from CELL to the LAN.
Figure 42 NETWORK > LAN > Static DHCP
The following table describes the labels in this screen.
Table 16 NETWORK > LAN > Static DHCP
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address of a computer on your LAN.
IP Address: Type the IP address that you want to assign to the computer on your LAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
The LAN-Cell has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address. The LAN-Cell supports three logical LAN interfaces via its single physical LAN Ethernet interface. The LAN-Cell itself is the gateway for each of the logical LAN networks.
The following table describes the labels in this screen.
Table 17 NETWORK > LAN > IP Alias
Enable IP Alias 1, 2: Select the check box to configure another LAN network for the LAN-Cell.
IP Address: Enter the IP address of your LAN-Cell in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: Your LAN-Cell will automatically calculate the subnet mask based on the IP address that you assign.
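The guide states that the LAN-Cell derives a subnet mask from the address you enter, and the DMZ chapter adds that the LAN, WAN, WLAN and DMZ addresses must sit on separate subnets. The following Python script is an added example, not code from Proxicast or the LAN-Cell firmware: it assumes the computed mask is the classful default for the address (an assumption about the device's behaviour), and it checks a constructed set of interface and alias addresses for overlapping subnets, which is the mistake the guide's notes warn against.

```python
import ipaddress

# Constructed addresses for one LAN-Cell's logical interfaces. The LAN default
# 192.168.1.1 is from the guide; every other value is an assumption for this
# illustration (203.0.113.0/24 is the TEST-NET-3 documentation range).
INTERFACE_ADDRESSES = {
    "LAN": "192.168.1.1",
    "LAN IP Alias 1": "172.16.5.1",
    "DMZ": "192.168.2.1",
    "WLAN": "192.168.3.1",
    "WAN": "203.0.113.10",
}


def classful_prefix(ip):
    """Default (classful) prefix length for an IPv4 address. This is the
    assumed rule behind 'the LAN-Cell automatically calculates the subnet
    mask based on the IP address that you assign'."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return 8     # class A
    if first_octet < 192:
        return 16    # class B
    if first_octet < 224:
        return 24    # class C
    raise ValueError(f"{ip} is not a class A/B/C unicast address")


def classful_network(ip):
    """The subnet an interface address implies when no explicit mask is given."""
    return ipaddress.ip_network(f"{ip}/{classful_prefix(ip)}", strict=False)


def find_overlaps(addresses):
    """Return (name, name) pairs whose implied subnets overlap. An empty list
    means every interface is on a separate subnet, as the guide requires."""
    nets = {name: classful_network(ip) for name, ip in addresses.items()}
    names = list(nets)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    for name, ip in INTERFACE_ADDRESSES.items():
        print(f"{name:15s} {ip:16s} mask {classful_network(ip).netmask}")
    print("overlaps:", find_overlaps(INTERFACE_ADDRESSES))
    # A misconfiguration: the DMZ address placed inside the LAN's subnet.
    bad = dict(INTERFACE_ADDRESSES, DMZ="192.168.1.200")
    print("overlaps with DMZ on the LAN subnet:", find_overlaps(bad))
```

If you assign a non-default mask in the web configurator, replace `classful_network` with the explicit `address/prefix` and the overlap check stays the same.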
Note: Your changes are also reflected in the DMZ Port Roles and WLAN Port Roles screens.
Figure 45 NETWORK > LAN > Port Roles
The following table describes the labels in this screen.
Table 18 NETWORK > LAN > Port Roles
LAN: Select a port's LAN radio button to use the port as part of the LAN. The port will use the LAN-Cell's LAN IP address and MAC address.
DMZ: Select a port's DMZ radio button to use the port as part of the DMZ.
CHAPTER 5 WAN & 3G Cellular Screens
5.1 Overview
This chapter describes how to configure WAN, 3G Cellular, Dial-Backup and Traffic Redirect settings. A WAN (Wide Area Network) connection is an outside connection to another network or the Internet. It connects your private networks such as a LAN (Local Area Network) and other networks, so that a computer in one location can communicate with computers in other locations.
Primary WAN Interfaces
1. WAN refers to the Ethernet WAN port on the LAN-Cell which is typically connected to a DSL/cable modem, T1, or other high-speed Ethernet-based wired Internet service.
2. CELLULAR refers to 3G cellular (CDMA/GSM) modem cards that are inserted into the PC-Card slot on the side of the LAN-Cell.
The primary WAN interfaces can be used in either Load-Balancing or Fail-Over modes and are the most common pathways for connecting to the Internet.
5.1.2 What You Need To Know About WAN
Encapsulation Method
Encapsulation is used to include data from an upper layer protocol into a lower layer protocol. To set up a WAN connection to the Internet, you need to use the same encapsulation method used by your ISP (Internet Service Provider). If your ISP offers a dial-up Internet connection using PPPoE (PPP over Ethernet) or PPPoA, they may also provide a username and password (and service name) for user authentication.
The LAN-Cell's DDNS lets you select which WAN interface you want to use for each individual domain name. The DDNS high availability feature lets you have the LAN-Cell use the other WAN interface for a domain name if the configured WAN interface's connection goes down. See DDNS on page 309 for details. When configuring a VPN rule, you have the option of selecting one of the LAN-Cell's domain names in the My Address field.
Note: The dial-backup or traffic redirect routes cannot take priority over the WAN and Cellular routes.
WAN Continuity Check
The LAN-Cell can periodically generate ICMP (ping) traffic to test the connection status of the Ethernet WAN, Cellular WAN or Traffic Redirect ports. This feature is useful for detecting "dead-peer" situations or other conditions where the WAN interface is not forwarding traffic even though the physical status of the interface is "up".
5.2 WAN General Screen
Click NETWORK > WAN to open the General screen. Use this screen to configure load balancing, route priority and traffic redirect properties.
The following table describes the labels in this screen.
Table 19 NETWORK > WAN General
Active/Passive (Fail Over) Mode: Select the Active/Passive (fail over) operation mode to have the LAN-Cell use the second highest priority WAN interface as a back up. This means that the LAN-Cell will normally use the highest priority (primary) WAN interface (depending on the priorities you configure in the Route Priority fields).
Table 19 NETWORK > WAN General (continued)
Check WAN/Cellular Connectivity: Select the check box to have the LAN-Cell periodically test the respective WAN interface's connection. Select Ping Default Gateway to have the LAN-Cell ping the WAN interface's default gateway IP address.
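The three ideas above, Route Priority, Active/Passive fail-over and the ping-based continuity check that catches a "dead-peer" interface whose link is still up, fit together as one selection rule. The Python below is an added example written for this guide, not Proxicast's implementation: the number of consecutive failed probes that marks an interface down (`FAIL_THRESHOLD`) is an assumed value, the interface names come from the guide, and the probe results are a constructed sequence rather than real ICMP replies.

```python
from dataclasses import dataclass, field

# Consecutive failed probes before an interface is treated as down.
# The guide does not state the LAN-Cell's own threshold; this is an assumption.
FAIL_THRESHOLD = 3


@dataclass
class WanInterface:
    name: str
    priority: int                  # Route Priority metric; a lower number is preferred
    link_up: bool = True           # physical status of the port ("up" / "down")
    probe_results: list = field(default_factory=list)   # True = ping answered

    def record_probe(self, answered):
        self.probe_results.append(answered)


def is_forwarding(iface, threshold=FAIL_THRESHOLD):
    """Dead-peer detection: usable only if the link is up AND the last `threshold`
    probes were not all failures. A port that is physically up but silently
    dropping traffic therefore counts as down. One answered probe clears the state."""
    if not iface.link_up:
        return False
    recent = iface.probe_results[-threshold:]
    return not (len(recent) == threshold and not any(recent))


def select_route(primaries, backups, threshold=FAIL_THRESHOLD):
    """Active/Passive mode: the highest-priority primary (WAN or Cellular) that is
    forwarding wins. Backups (traffic redirect, dial backup) are consulted only when
    no primary forwards, matching the guide's note that they cannot take priority
    over the WAN and Cellular routes. Returns the chosen name, or None."""
    for group in (primaries, backups):
        for iface in sorted(group, key=lambda i: i.priority):
            if is_forwarding(iface, threshold):
                return iface.name
    return None


def simulate_failover():
    """Constructed outage: the Ethernet WAN link stays up but stops answering pings,
    so traffic moves to Cellular; when the 3G card also drops, the traffic-redirect
    gateway takes over; a single answered WAN probe brings WAN back. Returns the
    route chosen after each step."""
    wan = WanInterface("WAN", priority=1)
    cell = WanInterface("Cellular", priority=2)
    redirect = WanInterface("Traffic Redirect", priority=0)   # low metric, still only a backup
    primaries, backups = [wan, cell], [redirect]

    chosen = [select_route(primaries, backups)]          # all healthy
    for _ in range(FAIL_THRESHOLD):                      # WAN upstream goes silent
        wan.record_probe(False)
        cell.record_probe(True)
        chosen.append(select_route(primaries, backups))
    cell.link_up = False                                 # 3G card loses the network
    chosen.append(select_route(primaries, backups))
    wan.record_probe(True)                               # WAN answers again
    chosen.append(select_route(primaries, backups))
    return chosen


if __name__ == "__main__":
    print(simulate_failover())
```

The selector keeps the guide's two tiers separate on purpose: giving the backup gateway the lowest metric still does not let it pre-empt a working primary.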
5.2.1 Configuring Load Balancing
To configure load balancing on the LAN-Cell, click NETWORK > WAN in the navigation panel. The WAN General screen displays by default. Select Active/Active Mode under Operation Mode to enable load balancing on the LAN-Cell. The WAN General screen varies depending on what you select in the Load Balancing Algorithm field.
5.2.1.
Since WAN has a smaller load balancing index (meaning that it is less utilized than Cellular), the LAN-Cell will send the next new session traffic through WAN.
Table 21 Least Load First: Example 2
Columns: INTERFACE; OUTBOUND AVAILABLE (OA); OUTBOUND MEASURED (OM); INBOUND AVAILABLE (IA); INBOUND MEASURED (IM); AVERAGE LOAD BALANCING INDEX (OM / OA + IM / IA) / 2
WAN: OA 512 K; OM 412 K; IA 8000 K; IM 1600 K; index (0.8 + 0.2) / 2 = 0.5
Cellular: OA 256 K; OM 198 K; IA 2000 K; IM 1600 K; index (0.77 + 0.8) / 2 = 0.
Table 22 Load Balancing: Least Load First (continued)
Available Inbound Bandwidth: This field is applicable when you select Outbound + Inbound or Inbound Only in the Load Balancing Index(es) field. Specify the inbound (or downstream) bandwidth (in kilobits per second) for the interface. This should be the actual downstream bandwidth that your ISP provides.
Figure 52 Load Balancing: Weighted Round Robin
The following table describes the related fields in this screen.
Table 23 Load Balancing: Weighted Round Robin
Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the LAN-Cell.
Load Balancing Algorithm: Set the load balancing method to Weighted Round Robin.
Interface: This field displays the name of the WAN interface (WAN and Cellular).
To load balance using the spillover method, select Spillover in the Load Balancing Algorithm field. Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs. By default, WAN is the primary WAN and Cellular is the secondary WAN.
Figure 54 Load Balancing: Spillover
The following table describes the related fields in this screen.
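The three load balancing algorithms the guide describes (Least Load First with its (OM / OA + IM / IA) / 2 index from Table 21, Weighted Round Robin, and Spillover from the primary to the secondary WAN) can be compared side by side in a few lines. This is an added example, not LAN-Cell code: it reproduces the Table 21 numbers, generalizes the index to the Outbound Only and Inbound Only choices of the Load Balancing Index(es) field, and treats the spillover threshold as a single bandwidth limit parameter, which is this example's simplification of the Spillover screen's settings.

```python
def load_balancing_index(oa, om, ia, im, indexes="Outbound + Inbound"):
    """Least Load First index. With both directions selected it is the average of
    the outbound and inbound utilization ratios, as in the guide's Table 21;
    with one direction selected it is that ratio alone. Values are kbit/s."""
    if indexes == "Outbound Only":
        return om / oa
    if indexes == "Inbound Only":
        return im / ia
    return (om / oa + im / ia) / 2


def least_load_first(interfaces, indexes="Outbound + Inbound"):
    """interfaces: {name: (OA, OM, IA, IM)}. The interface with the smallest
    index (the least utilized one) carries the next new session."""
    return min(interfaces, key=lambda n: load_balancing_index(*interfaces[n], indexes=indexes))


class WeightedRoundRobin:
    """Hand out new sessions in proportion to configured weights,
    for example {"WAN": 3, "Cellular": 1}: three sessions on WAN, then one on Cellular."""

    def __init__(self, weights):
        self.weights = dict(weights)
        self.remaining = dict(weights)

    def next_interface(self):
        if not any(self.remaining.values()):      # a full round is done; start over
            self.remaining = dict(self.weights)
        for name, left in self.remaining.items():
            if left > 0:
                self.remaining[name] = left - 1
                return name


def spillover(primary, secondary, primary_limit_kbps, primary_measured_kbps):
    """Spillover: new sessions stay on the primary (WAN by default) until its
    measured load reaches the limit, then spill to the secondary (Cellular).
    The limit parameter is this example's abstraction, not a field name from the guide."""
    return primary if primary_measured_kbps < primary_limit_kbps else secondary


# Table 21 of the guide, in kbit/s: (OA, OM, IA, IM)
TABLE_21 = {
    "WAN":      (512, 412, 8000, 1600),
    "Cellular": (256, 198, 2000, 1600),
}


if __name__ == "__main__":
    for name, values in TABLE_21.items():
        print(f"{name:9s} index = {load_balancing_index(*values):.3f}")
    print("Least Load First picks:", least_load_first(TABLE_21))
    wrr = WeightedRoundRobin({"WAN": 3, "Cellular": 1})
    print("Weighted Round Robin:", [wrr.next_interface() for _ in range(8)])
    print("Spillover at 500 of 512 kbit/s:", spillover("WAN", "Cellular", 512, 500))
```

Note that Least Load First depends on the Available bandwidth figures you enter: if they are higher than what the ISP really delivers, the ratios understate utilization and the algorithm keeps pushing sessions onto a saturated link.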
Note: Some ISPs (including most cellular carriers) do not acknowledge ICMP packets on their default gateways. Choose a different IP address to check.
Note: When selecting an IP address for WAN Connectivity to check, choose either a device whose status is under your control or is well known.
Note: You can use a fully qualified domain name (FQDN) to send packets to the virtual IP address of a host with a high-availability connection to the Internet.
5.3 WAN Screen
To change your LAN-Cell's WAN ISP, IP and MAC settings, click NETWORK > WAN > WAN. The screen differs by the encapsulation.
Note: The WAN and Cellular IP addresses of a LAN-Cell with multiple WAN interfaces must be on different subnets.
WAN IP Assignment
Every computer on the Internet must have a unique IP address.
2 If your ISP dynamically assigns the DNS server IP addresses (along with the LAN-Cell's WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see Section on page 308).
WAN MAC Address
Every Ethernet device has a unique MAC (Media Access Control) address.
Figure 55 NETWORK > WAN > WAN (Ethernet Encapsulation)
The following table describes the labels in this screen.
Table 27 NETWORK > WAN > WAN (Ethernet Encapsulation)
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Table 27 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued)
Relogin Every(min) (Telia Login only): The Telia server logs the LAN-Cell out if the LAN-Cell does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the LAN-Cell to wait between logins.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Table 27 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued)
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use.
Figure 56 NETWORK > WAN > WAN (PPPoE Encapsulation)
The following table describes the labels in this screen.
Table 28 NETWORK > WAN > WAN (PPPoE Encapsulation)
ISP Parameters for Internet Access
Encapsulation: Select PPPoE for a dial-up connection using PPPoE.
Service Name: Type the PPPoE service name provided to you by your ISP. PPPoE uses a service name to identify and reach the PPPoE server.
Table 28 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued)
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: This value specifies the time in seconds that elapses before the LAN-Cell automatically disconnects from the PPPoE server.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Table 28 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued)
Spoof WAN MAC Address from LAN: You can configure the WAN port's MAC address by either using the factory assigned default MAC Address or cloning the MAC address of a computer on your LAN. By default, the LAN-Cell uses the factory assigned MAC Address to identify itself on the WAN.
Figure 57 NETWORK > WAN > WAN (PPTP Encapsulation)
The following table describes the labels in this screen.
Table 29 NETWORK > WAN > WAN (PPTP Encapsulation)
ISP Parameters for Internet Access
Encapsulation: Set the encapsulation method to PPTP. The LAN-Cell supports only one PPTP server connection at any given time.
Table 29 NETWORK > WAN > WAN (PPTP Encapsulation) (continued)
Authentication Type: The LAN-Cell supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls.
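The reason the guide calls CHAP more secure than PAP is visible when both exchanges are written out: PAP (RFC 1334) puts the password itself on the link, while CHAP (RFC 1994) sends only an MD5 digest of the secret bound to a fresh random challenge, so the secret never crosses the link and a captured response cannot be reused. The Python below is an added example that simulates both peers in one process with constructed credentials; it is not the LAN-Cell's PPP implementation, and the account name and password are placeholders.

```python
import hashlib
import hmac
import os
import secrets

# Constructed credentials for the demonstration; not real ISP values.
LOGIN_NAME = "user@isp.example"
PASSWORD = "correct-horse-battery-staple"
CREDENTIAL_DB = {LOGIN_NAME: PASSWORD}    # what the ISP's access server holds


# ---- PAP (RFC 1334): the peer sends name and password in the clear ----
def pap_request(name, password):
    """Authenticate-Request as it crosses the PPP link; anyone on the path can read it."""
    return {"code": "Authenticate-Request", "peer_id": name, "password": password}


def pap_verify(request, credential_db):
    expected = credential_db.get(request["peer_id"])
    return expected is not None and hmac.compare_digest(expected, request["password"])


# ---- CHAP with MD5 (RFC 1994): only a digest bound to a random challenge crosses the link ----
def chap_challenge(length=16):
    """Authenticator -> peer: an Identifier byte and a fresh random Challenge value."""
    return secrets.randbelow(256), os.urandom(length)


def chap_response(identifier, secret, challenge):
    """Peer -> authenticator: MD5(Identifier || secret || Challenge). MD5 is what RFC 1994
    specifies; CHAP's protection comes from never transmitting the secret and from the
    per-session challenge, not from the strength of the hash."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(identifier, challenge, name, response, credential_db):
    secret = credential_db.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_exchanges():
    """Run both flows and report what an observer on the link would learn.
    Everything here is simulated: peer and authenticator live in this process."""
    pap = pap_request(LOGIN_NAME, PASSWORD)

    ident, challenge = chap_challenge()
    response = chap_response(ident, PASSWORD, challenge)
    chap_on_wire = {"identifier": ident, "challenge": challenge.hex(),
                    "name": LOGIN_NAME, "response": response.hex()}

    # A later session issues a new challenge, so the earlier response no longer verifies.
    ident2, challenge2 = chap_challenge()
    return {
        "pap_ok": pap_verify(pap, CREDENTIAL_DB),
        "pap_exposes_password": PASSWORD in str(pap),
        "chap_ok": chap_verify(ident, challenge, LOGIN_NAME, response, CREDENTIAL_DB),
        "chap_exposes_password": PASSWORD in str(chap_on_wire),
        "old_response_accepted_later": chap_verify(ident2, challenge2, LOGIN_NAME, response, CREDENTIAL_DB),
    }


if __name__ == "__main__":
    for key, value in run_exchanges().items():
        print(f"{key:28s} {value}")
```

The trade-off the guide mentions is also visible here: CHAP requires the authenticator to hold the secret in a recoverable form so it can recompute the digest, whereas a PAP server can store only a password hash.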
Table 29 NETWORK > WAN > WAN (PPTP Encapsulation) (continued)
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the LAN-Cell sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
5.4 Cellular (3G WAN) Screen
3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices. If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network.
5.4.
The following table describes the labels in this screen.
Table 30 NETWORK > WAN > Cellular (3G WAN)
Cellular Card Configuration
Cellular Card Model: This displays the manufacturer and model name of your 3G card if you inserted one in the LAN-Cell. Otherwise, it displays Not Installed.
Network Type: Select the type of the network (UMTS/HSDPA only, GPRS/EDGE only, GSM all or WCDMA all) to which you want the card to connect.
Table 30 NETWORK > WAN > Cellular (3G WAN) (continued)
PIN Code: Enter the PIN (Personal Identification Number) code (four to eight digits, 0000 for example) provided by your ISP. If you enter the PIN code incorrectly, the cellular card may be blocked by your ISP and you cannot use the account to access the Internet. If your ISP disabled PIN code authentication, enter an arbitrary number.
5.4.2 Configuring Cell-Sentry Budget Control
Cell-Sentry enables you to monitor and/or limit the amount of usage on the Cellular WAN interface. This feature enables you to utilize a carrier's lower cost data service plans and ensures that you do not exceed your plan allowance.
Note: Actual usage statistics on the carrier's 3G network may differ from the LAN-Cell's counters. Set your budget limits lower than the maximum allowed on your plan.
Table 31 NETWORK > WAN > Cellular (Cell-Sentry) (continued)
Restart budget counter on: Select the date on which the LAN-Cell resets the budget every month. If the date you selected is not available in a month, such as the 30th or 31st, the LAN-Cell resets the budget on the last day of the month. To more closely match your ISP's usage counters, set this value to the date of your monthly billing cycle.
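Two details of Cell-Sentry above are worth checking by hand before relying on them: the reset day falling back to the last day of a short month, and the advice to set the budget below the plan allowance because the carrier's counters and the LAN-Cell's differ. The Python below is an added example written for this guide, not LAN-Cell code: it computes the next reset date with the last-day fallback, and derives a budget from a plan allowance using an assumed 10% safety margin and an assumed warning level of 80% of the budget.

```python
import calendar
from datetime import date


def budget_reset_date(year, month, configured_day):
    """Day the Cell-Sentry counter restarts in the given month. When the configured
    day (e.g. 31) does not exist in that month, the reset falls on the month's last
    day, as the guide describes."""
    if not 1 <= configured_day <= 31:
        raise ValueError("reset day must be between 1 and 31")
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(configured_day, last_day))


def next_reset(today, configured_day):
    """First reset date strictly after `today` (a datetime.date)."""
    candidate = budget_reset_date(today.year, today.month, configured_day)
    if candidate > today:
        return candidate
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return budget_reset_date(year, month, configured_day)


def next_reset_iso(today_iso, configured_day):
    """Same as next_reset, with ISO date strings in and out (e.g. '2008-02-10')."""
    return next_reset(date.fromisoformat(today_iso), configured_day).isoformat()


def budget_limit_mb(plan_allowance_mb, safety_margin=0.10):
    """Budget to configure on the LAN-Cell: below the plan allowance so that counter
    drift on the carrier side does not push you over the plan. 10% is an assumed margin."""
    return round(plan_allowance_mb * (1 - safety_margin))


def budget_action(used_mb, limit_mb, warn_fraction=0.8):
    """'allow', 'warn' once usage reaches warn_fraction of the budget, or 'block'
    once the budget is reached (the limiting behaviour the guide describes)."""
    if used_mb >= limit_mb:
        return "block"
    if used_mb >= warn_fraction * limit_mb:
        return "warn"
    return "allow"


if __name__ == "__main__":
    for today, day in (("2008-11-15", 30), ("2008-02-10", 31), ("2009-02-10", 31), ("2008-12-31", 31)):
        print(f"today {today}, reset day {day:2d} -> next reset {next_reset_iso(today, day)}")
    limit = budget_limit_mb(1000)
    print(f"plan 1000 MB -> configured budget {limit} MB")
    for used in (500, 720, 900):
        print(f"  used {used} MB: {budget_action(used, limit)}")
```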
5.5 Traffic Redirect Screen
Traffic redirect forwards WAN traffic to a backup gateway when the LAN-Cell cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the LAN-Cell still provides firewall protection for the LAN.
Figure 61 Traffic Redirect WAN Setup
IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ.
Figure 63 NETWORK > WAN > Traffic Redirect
The following table describes the labels in this screen.
Table 32 NETWORK > WAN > Traffic Redirect
Active: Select this check box to have the LAN-Cell use traffic redirect if the normal WAN connection goes down.
Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal notation.
5.6 Dial Backup Screen
Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection.
Figure 64 NETWORK > WAN > Dial Backup
The following table describes the labels in this screen.
Table 33 NETWORK > WAN > Dial Backup
Dial Backup Setup
Enable Dial Backup: Select this check box to turn on dial backup.
Table 33 NETWORK > WAN > Dial Backup (continued)
Login Name: Type the login name assigned by your ISP.
Password: Type the password assigned by your ISP.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your LAN-Cell accepts either CHAP or PAP when requested by this remote node.
Table 33 NETWORK > WAN > Dial Backup (continued)
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, In Only or Out Only. When set to Both or Out Only, the LAN-Cell will broadcast its routing table periodically.
5.6.1.2 DTR Signal
The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the LAN-Cell uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH.
5.6.1.
The following table describes the labels in this screen.
Table 34 NETWORK > WAN > Dial Backup > Edit
AT Command Strings
Dial: Type the AT Command string to make a call.
Drop: Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath" can be used if your modem has a slow response time.
Answer: Type the AT Command string to answer a call.
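The "~" convention in Table 34 is a small timing language: the example drop string "~~~+++~~ath" waits three seconds, sends the "+++" escape that returns a Hayes-compatible modem to command mode, waits two more seconds, then sends ATH. The Python below is an added example, not LAN-Cell firmware, that parses such a string into wait and send steps and executes them through injected `write` and `sleep` callables so the script can be exercised without a modem; with hardware attached you would pass the serial port's write method and `time.sleep`.

```python
import time

WAIT_SECONDS = 1.0   # per the guide, each "~" is a one second wait


def parse_at_string(command, wait_seconds=WAIT_SECONDS):
    """Turn a LAN-Cell AT command string into ("wait", seconds) and ("send", text)
    steps. Consecutive "~" merge into one wait; all other characters are sent verbatim."""
    steps, buf = [], ""
    for ch in command:
        if ch == "~":
            if buf:
                steps.append(("send", buf))
                buf = ""
            if steps and steps[-1][0] == "wait":
                steps[-1] = ("wait", steps[-1][1] + wait_seconds)
            else:
                steps.append(("wait", wait_seconds))
        else:
            buf += ch
    if buf:
        steps.append(("send", buf))
    return steps


def total_delay(steps):
    """Seconds the string will spend waiting; useful for sizing the hang-up timeout."""
    return sum(seconds for kind, seconds in steps if kind == "wait")


def run_script(steps, write, sleep=time.sleep):
    """Execute the steps. `write` receives each text chunk; `sleep` receives each wait.
    Returns the chunks written, in order."""
    sent = []
    for kind, value in steps:
        if kind == "wait":
            sleep(value)
        else:
            write(value)
            sent.append(value)
    return sent


if __name__ == "__main__":
    steps = parse_at_string("~~~+++~~ath")
    print(steps)
    print("total wait:", total_delay(steps), "s")
    # Dry run: record what would go to the modem without sleeping.
    print("sent:", run_script(steps, write=lambda chunk: None, sleep=lambda s: None))
```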
CHAPTER 6 DMZ Screens
6.1 Overview
The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still be accessed from the secure LAN.
6.1.1 What You Can Do in the DMZ Screens
• Use the DMZ screen (Section 6.2 on page 129) to configure TCP/IP, DHCP, IP/MAC binding and NetBIOS settings on the DMZ.
without performing NAT. This may be useful for hosting servers for NAT unfriendly applications. If the DMZ computers use private IP addresses, use NAT if you want to make them publicly accessible.
DHCP
Like the LAN, the LAN-Cell can also assign TCP/IP configuration via DHCP to computers connected to the DMZ ports. See Section 4.3 on page 83 for more information on DHCP.
IP Alias
See Section 4.4 on page 84 for more information on IP alias.
Port Roles
See Section 4.
6.1.4 DMZ Private and Public IP Address Example
The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet. The DMZ port and server F use private IP addresses that are in one subnet. The private IP addresses of the LAN and DMZ are on separate subnets.
Figure 68 NETWORK > DMZ
The following table describes the labels in this screen.
Table 35 NETWORK > DMZ
DMZ TCP/IP
IP Address: Type the IP address of your LAN-Cell's DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
Table 35 NETWORK > DMZ (continued)
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the LAN-Cell sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Table 35 NETWORK > DMZ (continued)
Allow between DMZ and Cellular: Select this check box to forward NetBIOS packets from the DMZ to CELL and from CELL to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to CELL and from CELL to the DMZ.
Allow between DMZ and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the DMZ and from the DMZ to the WLAN.
Figure 69 NETWORK > DMZ > Static DHCP
The following table describes the labels in this screen.
Table 36 NETWORK > DMZ > Static DHCP
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address of a computer on your DMZ.
IP Address: Type the IP address that you want to assign to the computer on your DMZ. Alternatively, click the right mouse button to copy and/or paste the IP address.
The LAN-Cell supports three logical DMZ interfaces via its single physical DMZ Ethernet interface. The LAN-Cell itself is the gateway for each of the logical DMZ networks. The IP alias IP addresses can be either private or public regardless of whether the physical DMZ interface is set to use a private or public IP address. Use NAT if you want to make DMZ computers with private IP addresses publicly accessible (see Chapter 13 on page 289 for more information).
Table 37 NETWORK > DMZ > IP Alias (continued)
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the LAN-Cell will broadcast its routing table periodically.
Figure 71 NETWORK > DMZ > Port Roles
The following table describes the labels in this screen.
Table 38 NETWORK > DMZ > Port Roles
LAN: Select a port's LAN radio button to use the port as part of the LAN. The port will use the LAN-Cell's LAN IP address and MAC address.
DMZ: Select a port's DMZ radio button to use the port as part of the DMZ. The port will use the LAN-Cell's DMZ IP address and MAC address.
CHAPTER 7 Wireless LAN (WLAN) Screens
7.1 Overview
In addition to the LAN and DMZ logical networks, the LAN-Cell also provides a Wireless LAN (WLAN) logical network that can be used to segregate traffic for policy routing, security or other management purposes. This chapter discusses how to configure the wireless LAN subnet on the LAN-Cell.
The wireless network is the part in the blue circle. In this wireless network, devices A and B are called wireless clients. The wireless clients use the access point (AP) to interact with other devices (such as the printer) or with the Internet. Your LAN-Cell is the AP. Every wireless network must follow these basic guidelines.
• Every wireless client in the same wireless network must use the same SSID. The SSID is the name of the wireless network.
Note: See Appendix E on page 617 for more detailed information on WLANs.
7.2 WLAN Screen
The built-in Wi-Fi access point is used as part of the LAN by default. You can use the Port Roles screen (see Figure 77 on page 145) to set a port to be part of the WLAN. Then connect an external access point (AP) to it to extend the LAN-Cell's wireless LAN coverage.
Table 39 NETWORK > WLAN (continued)
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your LAN-Cell automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the LAN-Cell.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers.
Table 39 NETWORK > WLAN (continued)
Allow between WLAN and LAN: Select this check box to forward NetBIOS packets from the WLAN to the LAN and from the LAN to the WLAN. Clear this check box to block all NetBIOS packets going from the LAN to the WLAN and from the WLAN to the LAN.
Allow between WLAN and WAN: Select this check box to forward NetBIOS packets from the WLAN to WAN and from WAN to the WLAN.
Figure 74 NETWORK > WLAN > Static DHCP
The following table describes the labels in this screen.
Table 40 NETWORK > WLAN > Static DHCP
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address of a computer on your WLAN.
IP Address: Type the IP address that you want to assign to the computer on your WLAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
The LAN-Cell has a single WLAN interface. Even though more than one of ports 1~4 may be in the WLAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address. The LAN-Cell supports three logical WLAN interfaces via its single physical WLAN Ethernet interface. The LAN-Cell itself is the gateway for each of the logical WLAN networks.
Table 41 NETWORK > WLAN > IP Alias (continued)
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the LAN-Cell will broadcast its routing table periodically.
Figure 76 WLAN Port Role Example
Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role:
1 A port's IP address varies as its role changes, so make sure your computer's IP address is in the same subnet as the LAN-Cell's LAN, DMZ or WLAN IP address.
2 Use the appropriate LAN, DMZ or WLAN IP address to access the LAN-Cell.
To change your LAN-Cell's port role settings, click NETWORK > WLAN > Port Roles.
The following table describes the labels in this screen.
Table 42 NETWORK > WLAN > Port Roles
LAN: Select a port's LAN radio button to use the port as part of the LAN. The port will use the LAN IP address.
DMZ: Select a port's DMZ radio button to use the port as part of the DMZ. The port will use the DMZ IP address.
WLAN: Select a port's WLAN radio button to use the port as part of the WLAN. The port will use the WLAN IP address.
7.6 Wireless Security Overview
The following sections introduce different types of wireless security you can set up in the wireless network.
7.6.1 SSID
Normally, the AP acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the AP does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess.
If your AP does not provide a local user database and if you do not have a RADIUS server, you cannot set up user names and passwords for your users. Unauthorized devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network.
If some wireless clients support WPA and some support WPA2, you should set up WPA2-PSK-Mix or WPA2-Mix (depending on the type of wireless network login) in the LAN-Cell. Many types of encryption use a key to protect the information in the wireless network. The longer the key, the stronger the encryption. Every wireless client in the wireless network must have the same key.
7.6.5 Additional Installation Requirements for Using 802.1x
• A computer with an IEEE 802.
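For WPA-PSK and WPA2-PSK the "same key on every client" above is the pre-shared key that each station and the AP derive from the passphrase and the SSID; the derivation is specified by IEEE 802.11 (the 802.11i Annex H test vector is used below). The Python that follows is an added example, not LAN-Cell code: it validates the SSID against the 32-character limit the guide gives in Table 45, validates the passphrase against the 8 to 63 character (or 64 hex digit) rule of the standard, and derives the key with PBKDF2. It makes concrete why a longer passphrase is stronger and why reusing a passphrase on another SSID still yields a different key.

```python
import hashlib

HEX_DIGITS = set("0123456789abcdefABCDEF")


def valid_ssid(ssid):
    """The guide allows up to 32 printable 7-bit ASCII characters for an SSID."""
    return 1 <= len(ssid) <= 32 and all(32 <= ord(c) <= 126 for c in ssid)


def valid_passphrase(passphrase):
    """WPA/WPA2-PSK per IEEE 802.11: an ASCII passphrase of 8 to 63 printable
    characters, or the 256-bit key itself entered as 64 hexadecimal digits."""
    if len(passphrase) == 64 and set(passphrase) <= HEX_DIGITS:
        return True
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase, ssid):
    """Pre-shared key that every client and the AP compute from the shared passphrase:
    PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). The SSID acts as
    the salt, so the same passphrase on a different SSID gives a different key, and
    every extra passphrase character enlarges the space an offline guess must cover."""
    if not valid_ssid(ssid):
        raise ValueError("SSID must be 1 to 32 printable ASCII characters")
    if not valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters or 64 hex digits")
    if len(passphrase) == 64:
        return bytes.fromhex(passphrase)          # raw key entered directly
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
    # Same passphrase, different SSID: a different key. "OfficeNet" is a constructed SSID.
    print(derive_psk("password", "OfficeNet").hex())
    for candidate in ("short", "password", "a much longer passphrase is better"):
        print(f"{candidate!r:40s} valid={valid_passphrase(candidate)}")
```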
7.7 Internal Wi-Fi Access Point Setup
If you are configuring the LAN-Cell from a computer connected to the wireless LAN and you change the LAN-Cell's SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the LAN-Cell's new settings. Click WIRELESS > Wi-Fi to open the Wi-Fi Configuration screen.
The following table describes the labels in this screen.
Table 44 WIRELESS > Wi-Fi
Enable Wi-Fi Card: The internal Wi-Fi access point is turned off by default. Before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it. Select the check box to enable the wireless LAN.
Table 44 WIRELESS > Wi-Fi (continued)
Select SSID Profile: An SSID profile is the set of parameters relating to one of the LAN-Cell's BSSs. The SSID (Service Set IDentifier) identifies the Service Set with which a wireless client is associated. Wireless clients associating with the access point (AP) must have the same SSID.
Figure 80 Configuring SSID
The following table describes the labels in this screen.
Table 45 Configuring SSID
Name: Enter a name (up to 32 printable 7-bit ASCII characters) identifying this profile.
SSID: When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
The following table describes the security modes you can configure.
Table 46 Security Modes
None: Select this to have no data encryption.
WEP: Select this to use WEP encryption.
802.1x-Only: Select this to use 802.1x authentication with no data encryption.
802.1x-Static64: Select this to use 802.1x authentication with a static 64-bit WEP key and an authentication server.
802.1x-Static128: Select this to use 802.
7.8.1 No Security
Note: If you do not enable any wireless security on your LAN-Cell, your network is accessible to any wireless networking device within range.
Figure 82 WIRELESS > Wi-Fi > Security: None
The following table describes the wireless LAN security labels in this screen.
Table 48 WIRELESS > Wi-Fi > Security: None
Name: Type a name (up to 32 printable 7-bit ASCII characters) to identify this security profile.
Figure 83 WIRELESS > Wi-Fi > Security: WEP
The following table describes the labels in this screen.
Table 49 WIRELESS > Wi-Fi > Security: WEP
Name: Type a name to identify this security profile.
Security Mode: Select WEP from the drop-down list.
WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network.
Figure 84 WIRELESS > Wi-Fi > Security: 802.1x Only
The following table describes the labels in this screen.
Table 50 WIRELESS > Wi-Fi > Security: 802.1x Only
Name: Type a name to identify this security profile.
Security Mode: Select 8021X-Only from the drop-down list.
ReAuthentication Timer: Specify how often wireless clients have to resend user names and passwords in order to stay connected. Enter a time interval between 600 and 65535 seconds.
Figure 85 WIRELESS > Wi-Fi > Security: 802.1x + Static WEP
The following table describes the labels in this screen.
Table 51 WIRELESS > Wi-Fi > Security: 802.1x + Static WEP
Name: Type a name to identify this security profile.
Security Mode: Select 8021X-Static64 or 8021X-Static128 from the drop-down list.
7.8.5 WPA, WPA2, WPA2-MIX
Click WIRELESS > Wi-Fi > Security > Edit. Select WPA, WPA2 or WPA2-MIX from the Security Mode list.
Figure 86 WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX
The following table describes the labels in this screen.
Table 52 WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX
Name: Type a name to identify this security profile.
Security Mode: Select WPA, WPA2 or WPA2-MIX from the drop-down list.
Table 52 WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX (continued)
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
7.8.6 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX
Click WIRELESS > Wi-Fi > Security > Edit. Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX from the Security Mode list.
Table 53 WIRELESS > Wi-Fi > Security: WPA(2)-PSK (continued)
Group Key Update Timer: The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. The Group Key Update Timer can also be set in WPA(2)-PSK mode.
The following table describes the labels in this menu.
Table 54 WIRELESS > Wi-Fi > MAC Filter
Association: Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow to permit access to the router; MAC addresses not listed will be denied access to the router.
CHAPTER 8 Wi-Fi Screens
8.1 Overview
In these screens you can configure wireless settings for the LAN-Cell’s internal Wi-Fi 802.11 a/b/g wireless access point.
8.1.1 What You Can Do in the Wi-Fi Screens
• Use the Wi-Fi Configuration screen (Section 8.2 on page 166) to configure wireless network settings such as SSID for the LAN-Cell.
• Use the Security screen (Section 8.3 on page 169) to configure wireless security settings for the LAN-Cell.
• Use the MAC Filter screen (Section 8.
Chapter 8 Wi-Fi Screens You can use the MAC address filter to tell the AP which wireless clients are allowed or not allowed to use the wireless network. If a wireless client is allowed to use the wireless network, it still has to have the correct settings (SSID, channel, and security). If a wireless client is not allowed to use the wireless network, it does not matter if it has the correct settings. This type of security does not protect the information that is sent in the wireless network.
The types of encryption you can choose depend on the type of user authentication. (See Section on page 164 for information about this.)
Table 55 Types of Encryption for Each Type of Authentication
            No Authentication           RADIUS Server
Weakest     No Security
            Static WEP                  802.1x + Static WEP
            WPA-PSK                     WPA
Strongest   WPA2-PSK or WPA2-PSK-Mix    WPA2 or WPA2-Mix
For example, if the wireless network has a RADIUS server, you can choose WPA or WPA2.
8.2 Wi-Fi Configuration Screen
If you are configuring the LAN-Cell from a computer connected to the wireless LAN and you change the LAN-Cell’s SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the LAN-Cell’s new settings. Click WIRELESS > Wi-Fi to open the Wi-Fi Configuration screen.
The following table describes the labels in this screen.
Table 56 WIRELESS > Wi-Fi
Enable Wi-Fi Card: The internal Wi-Fi access point is turned off by default. Before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it. Select the check box to enable the wireless LAN.
Bridge to: Select LAN to use the Wi-Fi card as part of the LAN.
Table 56 WIRELESS > Wi-Fi (continued)
Select SSID Profile: An SSID profile is the set of parameters relating to one of the LAN-Cell’s BSSs. The SSID (Service Set IDentifier) identifies the Service Set with which a wireless client is associated. Wireless clients associating with the access point (AP) must have the same SSID.
Figure 90 Configuring SSID
The following table describes the labels in this screen.
Table 57 Configuring SSID
Name: Enter a name (up to 32 printable 7-bit ASCII characters) identifying this profile.
SSID: When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
The following table describes the security modes you can configure.
Table 58 Security Modes
None: Select this to have no data encryption.
WEP: Select this to use WEP encryption.
802.1x-Only: Select this to use 802.1x authentication with no data encryption.
802.1x-Static64: Select this to use 802.1x authentication with a static 64-bit WEP key and an authentication server.
802.1x-Static128: Select this to use 802.
The following table describes the labels in this screen.
Table 59 WIRELESS > Wi-Fi > Security
Security Profile Index: This is the index number of the security profile.
Profile Name: This field displays a name given to a security profile in the Security configuration screen.
Security Mode: This field displays the security mode this security profile uses.
Action: Click the Edit icon to configure security settings for that profile.
In order to configure and enable WEP encryption, click WIRELESS > Wi-Fi > Security > Edit.
Figure 93 WIRELESS > Wi-Fi > Security: WEP
The following table describes the labels in this screen.
Table 61 WIRELESS > Wi-Fi > Security: WEP
Name: Type a name to identify this security profile.
Security Mode: Select WEP from the drop-down list.
8.3.3 IEEE 802.1x Only
Click WIRELESS > Wi-Fi > Security > Edit. Select 8021X-Only from the Security Mode list.
Figure 94 WIRELESS > Wi-Fi > Security: 802.1x Only
The following table describes the labels in this screen.
Table 62 WIRELESS > Wi-Fi > Security: 802.1x Only
Name: Type a name to identify this security profile.
Security Mode: Select 8021X-Only from the drop-down list.
Figure 95 WIRELESS > Wi-Fi > Security: 802.1x + Static WEP
The following table describes the labels in this screen.
Table 63 WIRELESS > Wi-Fi > Security: 802.1x + Static WEP
Name: Type a name to identify this security profile.
Security Mode: Select 8021X-Static64 or 8021X-Static128 from the drop-down list.
8.3.5 WPA, WPA2, WPA2-MIX
Click WIRELESS > Wi-Fi > Security > Edit. Select WPA, WPA2 or WPA2-MIX from the Security Mode list.
Figure 96 WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX
The following table describes the labels in this screen.
Table 64 WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX
Name: Type a name to identify this security profile.
Security Mode: Select WPA, WPA2 or WPA2-MIX from the drop-down list.
Table 64 WIRELESS > Wi-Fi > Security: WPA, WPA2 or WPA2-MIX (continued)
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
8.3.6 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX
Click WIRELESS > Wi-Fi > Security > Edit. Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX from the Security Mode list.
Figure 97 WIRELESS > Wi-Fi > Security: WPA(2)-PSK
The following table describes the labels in this screen.
Table 65 WIRELESS > Wi-Fi > Security: WPA(2)-PSK (continued)
Group Key Update Timer: The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. The Group Key Update Timer can also be set in WPA(2)-PSK mode.
The following table describes the labels in this menu.
Table 66 WIRELESS > Wi-Fi > MAC Filter
Association: Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow to permit access to the router; MAC addresses not listed will be denied access to the router.
#: This is the index number of the MAC address.
PART III Security Menu
Firewall Screens (181)
VPN Wizard Overview (57)
IPSec VPN Config Screens (209)
Certificates Screens (255)
Authentication Server Screens (283)
CHAPTER 9 Firewall Screens
9.1 Overview
A firewall is a system or group of systems that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network. The LAN-Cell physically separates the LAN, DMZ, WLAN and the WAN and acts as a secure gateway for all data passing between the networks. The LAN-Cell protects against Denial of Service (DoS) attacks, prevents theft, destruction and modification of data, and logs events.
Chapter 9 Firewall Screens
9.1.1 What You Can Do in the Firewall Screens
• Use the Default Rule screens (Section 9.3 on page 184) to configure general firewall settings that apply when no specific rules have been matched.
• Use the Rule Summary screens (Section 9.4 on page 186) to configure firewall rules.
• Use the Anti-Probing screen (Section 9.
Figure 100 Blocking All LAN to WAN IRC Traffic Example
Your firewall would have the following configuration.
Table 67 Blocking All LAN to WAN IRC Traffic Example
#        SOURCE   DESTINATION   SCHEDULE   SERVICE   ACTION
1        Any      Any           Any        IRC       Drop
Default  Any      Any           Any        Any       Allow
• The first row blocks LAN access to the IRC service on the WAN.
• The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN.
Figure 101 Limited LAN to WAN IRC Traffic Example
Your firewall would have the following configuration.
Table 68 Limited LAN to WAN IRC Traffic Example
#        SOURCE        DESTINATION   SCHEDULE   SERVICE   ACTION
1        192.168.1.7   Any           Any        IRC       Allow
2        Any           Any           Any        IRC       Drop
Default  Any           Any           Any        Any       Allow
• The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN.
• The second row blocks LAN access to the IRC service on the WAN.
Figure 102 SECURITY > FIREWALL > Default Rule
The following table describes the labels in this screen.
Table 69 SECURITY > FIREWALL > Default Rule
0-100%: This bar displays the percentage of the LAN-Cell’s firewall rules storage space that is currently in use. When the storage space is almost full, you should consider deleting unnecessary firewall rules before adding more firewall rules.
Enable Firewall: Select this check box to activate the firewall.
Table 69 SECURITY > FIREWALL > Default Rule (continued)
From, To: Set the firewall’s default actions based on the direction of travel of packets. Click the edit icon to go to a summary screen of the rules for that packet direction. Here are some example descriptions of the directions of travel.
Note: The ordering of your rules is very important as rules are applied in the order that they are listed.
Figure 103 SECURITY > FIREWALL > Rule Summary
The following table describes the labels in this screen.
Table 70 SECURITY > FIREWALL > Rule Summary
Packet Direction: Use the drop-down list boxes and click Refresh to select a direction of travel of packets for which you want to display firewall rules.
Table 70 SECURITY > FIREWALL > Rule Summary
#: This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. Click + to expand or - to collapse the Source Address, Destination Address and Service Type drop down lists.
Name: This is the name of the firewall rule.
Active: This field displays whether a firewall rule is turned on (Y) or not (N).
Figure 104 SECURITY > FIREWALL > Rule Summary > Edit
The following table describes the labels in this screen.
Table 71 SECURITY > FIREWALL > Rule Summary > Edit
Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed.
Edit Source/Destination Address
Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.
Table 71 SECURITY > FIREWALL > Rule Summary > Edit
Action for Matched Packets: Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
The following table describes the labels in this screen.
Table 72 SECURITY > FIREWALL > Anti-Probing
Respond to PING on: Select the check boxes of the interfaces that you want to reply to incoming Ping requests. Clear an interface’s check box to have the LAN-Cell not respond to any Ping requests that come into that interface.
Do not respond to requests for unauthorized services.
The following table describes the labels in this screen.
Table 73 SECURITY > FIREWALL > Threshold
Disable DoS Attack Protection on: Select the check boxes of any interfaces (or all VPN tunnels) for which you want the LAN-Cell to not use the Denial of Service protection thresholds. This disables DoS protection on the selected interface (or all VPN tunnels).
9.7 Service Screen
Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the LAN-Cell.
The following table describes the labels in this screen.
Table 74 SECURITY > FIREWALL > Service
Custom Service: This table shows all configured custom services.
#: This is the index number of the custom service.
Service Name: This is the name of the service.
Protocol: This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered.
Attribute: This is the IP port number or ICMP type and code that defines the service.
The following table describes the labels in this screen.
Table 75 SECURITY > FIREWALL > Service > Add
Service Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the custom service. You cannot use the "(" character. Spaces are allowed.
IP Protocol: Choose the IP protocol (TCP, UDP, TCP/UDP, ICMP or Custom) that defines your customized service from the drop down list box.
Figure 110 My Service Firewall Rule Example: Edit Custom Service
3 Click Rule Summary. Select WAN to LAN from the Packet Direction drop-down list boxes and click Refresh.
4 Click the insert icon (+) at the top of the row (Modify column) to create the new firewall rule before the others.
Figure 111 My Service Firewall Rule Example: Rule Summary
5 The Edit Rule screen displays. Enter the name of the firewall rule.
Figure 112 My Service Firewall Rule Example: Rule Edit
8 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done.
Note: Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
Figure 113 My Service Firewall Rule Example: Rule Configuration
Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
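The IRC rule tables earlier in this chapter (Tables 67 and 68) and the My Service rule above are both first-match lists: rules are tried top to bottom and the direction's default rule catches whatever none of them matched. The following added Python model (example code, not LAN-Cell firmware; the IRC and My Service port numbers and the Internet address 203.0.113.5 are constructed for the example) reproduces that evaluation so the effect of rule order, address ranges and the default action can be checked:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed service catalogue: name -> (IP protocol, (start port, end port)).
# The port numbers are assumptions for this example, not values from the guide.
SERVICES: Dict[str, Tuple[str, Tuple[int, int]]] = {
    "IRC": ("tcp", (6667, 6667)),
    "*My Service": ("tcp", (3456, 3456)),   # custom services carry a leading * in the guide
}


@dataclass
class Rule:
    name: str
    source: str        # "Any", a single IP, a range "a-b" or a subnet "a/len"
    destination: str
    service: str       # "Any" or a key of SERVICES
    action: str        # "Allow" or "Drop"
    active: bool = True


def match_address(spec: str, ip: str) -> bool:
    """Match against the single / range / subnet address types of the Edit Rule screen."""
    if spec == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def match_service(spec: str, proto: str, port: int) -> bool:
    if spec == "Any":
        return True
    sproto, (lo, hi) = SERVICES[spec]
    return sproto == proto and lo <= port <= hi


class DirectionPolicy:
    """Ordered rules for one packet direction plus that direction's default action."""

    def __init__(self, rules: List[Rule], default_action: str):
        self.rules = list(rules)
        self.default_action = default_action

    def decide(self, src: str, dst: str, proto: str, port: int) -> Tuple[str, int]:
        """Return (action, rule number); rule number 0 means the default rule applied."""
        for number, rule in enumerate(self.rules, start=1):
            if not rule.active:           # rules shown with Active = N are skipped
                continue
            if (match_address(rule.source, src)
                    and match_address(rule.destination, dst)
                    and match_service(rule.service, proto, port)):
                return rule.action, number
        return self.default_action, 0


# Table 68: one LAN host may use IRC, everyone else is dropped, default LAN -> WAN is Allow.
LAN_TO_WAN = DirectionPolicy(
    [Rule("Allow IRC for 192.168.1.7", "192.168.1.7", "Any", "IRC", "Allow"),
     Rule("Block IRC", "Any", "Any", "IRC", "Drop")],
    default_action="Allow",
)

# My Service example: WAN -> LAN defaults to Drop; rule 1 opens My Service to 10.0.0.10-10.0.0.15.
WAN_TO_LAN = DirectionPolicy(
    [Rule("My Service", "Any", "10.0.0.10-10.0.0.15", "*My Service", "Allow")],
    default_action="Drop",
)


def swapped_order() -> DirectionPolicy:
    """The same two LAN -> WAN rules with their order reversed, to show why order matters."""
    return DirectionPolicy(list(reversed(LAN_TO_WAN.rules)), LAN_TO_WAN.default_action)


if __name__ == "__main__":
    wan_host = "203.0.113.5"   # constructed Internet address
    print(LAN_TO_WAN.decide("192.168.1.7", wan_host, "tcp", 6667))        # ('Allow', 1)
    print(LAN_TO_WAN.decide("192.168.1.8", wan_host, "tcp", 6667))        # ('Drop', 2)
    print(swapped_order().decide("192.168.1.7", wan_host, "tcp", 6667))   # ('Drop', 1)
    print(WAN_TO_LAN.decide(wan_host, "10.0.0.12", "tcp", 3456))          # ('Allow', 1)
```

With the two IRC rules swapped, the blanket Drop rule matches 192.168.1.7 first and the per-host Allow rule is never reached, which is the ordering mistake the Rule Summary note warns about.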
Figure 114 My Service Firewall Rule Example: Rule Summary
9.8 Firewall Technical Reference
This technical reference contains the following sections:
• Packet Direction Examples
• Asymmetrical Routes
• DoS Firewall Thresholds
• Security Considerations
Packet Direction Examples
Firewall rules are grouped based on the direction of travel of packets to which they apply.
By default, the LAN-Cell drops packets traveling in the following directions.
• WAN to LAN
• CELL to LAN
These rules specify which computers connected on a remote WAN or CELL connection can access which computers or services on the LAN. For example, you may create rules to:
• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
For example, by default the From LAN To VPN default firewall rule allows traffic from the LAN computers to go out through any of the LAN-Cell’s VPN tunnels. You could configure the From DMZ To VPN default rule to set the LAN-Cell to silently block traffic from the DMZ computers from going out through any of the LAN-Cell’s VPN tunnels.
Figure 115 From LAN to VPN Example
In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows.
From VPN Packet Direction
You can also apply firewall rules to traffic that comes in through the LAN-Cell’s VPN tunnels. The LAN-Cell decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the LAN-Cell through a VPN tunnel and is going to the selected “to” interface. For example, by default the firewall allows traffic from any VPN tunnel to go to any of the LAN-Cell’s interfaces, the LAN-Cell itself and other VPN tunnels.
Figure 118 Block VPN to LAN Traffic by Default Example
From VPN To VPN Packet Direction
From VPN To VPN firewall rules apply to traffic that comes in through one of the LAN-Cell’s VPN tunnels and terminates at the LAN-Cell (like for remote management) or goes out through another of the LAN-Cell’s VPN tunnels (this is called hub-and-spoke VPN, see Section 10.9 on page 238 for details).
Figure 119 From VPN to VPN Example
You would configure the SECURITY > FIREWALL > Default Rule screen as follows.
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the LAN-Cell’s LAN IP address, return traffic may not go through the LAN-Cell. This is called an asymmetrical or “triangle” route. This causes the LAN-Cell to reset the connection, as the connection has not been acknowledged. You can have the LAN-Cell permit the use of asymmetrical route topology on the network (not reset the connection).
Figure 122 Three-Way Handshake
For UDP, half-open means that the firewall has detected no return traffic. An unusually high number (or arrival rate) of half-open sessions could indicate a DoS attack.
Threshold Values
If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices.
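The counting that the DoS thresholds apply to can be modelled directly. The following added Python monitor (example code, not LAN-Cell firmware; the threshold values, the idle timeout and the packet trace are constructed, since this page does not reproduce the device's defaults) tracks TCP sessions that have not finished the three-way handshake and UDP sessions with no return traffic, and records an alert when either the total number or the one-second arrival rate of half-open sessions exceeds its threshold:

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

# Constructed thresholds; the guide's default values are not on this page.
HALF_OPEN_MAX = 5        # absolute number of half-open sessions tolerated
RATE_MAX_PER_SEC = 4     # new half-open sessions tolerated within one second
IDLE_TIMEOUT = 30.0      # seconds after which a half-open entry is forgotten

Key = Tuple[str, str, str]   # (protocol, initiator, responder)


class HalfOpenMonitor:
    """Count sessions whose handshake (TCP) or return traffic (UDP) has not been seen."""

    def __init__(self, half_open_max: int = HALF_OPEN_MAX,
                 rate_max: int = RATE_MAX_PER_SEC,
                 idle_timeout: float = IDLE_TIMEOUT):
        self.half_open: Dict[Key, float] = {}       # session key -> time it was opened
        self.recent: Deque[float] = deque()          # open times inside the last second
        self.alerts: List[Tuple[float, str, int]] = []
        self.half_open_max = half_open_max
        self.rate_max = rate_max
        self.idle_timeout = idle_timeout

    def _expire(self, now: float) -> None:
        for key in [k for k, t in self.half_open.items() if now - t > self.idle_timeout]:
            del self.half_open[key]
        while self.recent and now - self.recent[0] > 1.0:
            self.recent.popleft()

    def _open(self, key: Key, now: float) -> None:
        if key in self.half_open:        # retransmitted SYN: same session, not a new one
            return
        self.half_open[key] = now
        self.recent.append(now)
        if len(self.half_open) > self.half_open_max:
            self.alerts.append((now, "count", len(self.half_open)))
        if len(self.recent) > self.rate_max:
            self.alerts.append((now, "rate", len(self.recent)))

    def observe(self, now: float, proto: str, src: str, dst: str, flags: str = "") -> int:
        """Feed one packet; returns the number of half-open sessions afterwards."""
        self._expire(now)
        fwd: Key = (proto, src, dst)
        rev: Key = (proto, dst, src)
        if proto == "tcp":
            if "S" in flags and "A" not in flags:          # client SYN opens a session
                self._open(fwd, now)
            elif "A" in flags and "S" not in flags:        # client's ACK completes the handshake
                self.half_open.pop(fwd, None)
            elif "R" in flags:                             # reset from either side
                self.half_open.pop(fwd, None)
                self.half_open.pop(rev, None)
            # a SYN-ACK from the responder changes nothing: the session is still half-open
        elif proto == "udp":
            if rev in self.half_open:                      # return traffic seen
                del self.half_open[rev]
            else:
                self._open(fwd, now)
        return len(self.half_open)


# Constructed packet trace: one completed TCP handshake, one answered UDP exchange,
# then six SYNs from different sources that are never completed.
EVENTS: List[Tuple[float, str, str, str, str]] = [
    (0.0, "tcp", "192.168.1.20", "10.0.0.10", "S"),
    (0.1, "tcp", "10.0.0.10", "192.168.1.20", "SA"),
    (0.2, "tcp", "192.168.1.20", "10.0.0.10", "A"),
    (1.0, "udp", "192.168.1.21", "10.0.0.53", ""),
    (1.1, "udp", "10.0.0.53", "192.168.1.21", ""),
] + [(5.0 + i / 10, "tcp", f"203.0.113.{i + 1}", "10.0.0.10", "S") for i in range(6)]


def run_monitor(events=EVENTS) -> HalfOpenMonitor:
    monitor = HalfOpenMonitor()
    for now, proto, src, dst, flags in events:
        monitor.observe(now, proto, src, dst, flags)
    return monitor


if __name__ == "__main__":
    m = run_monitor()
    print(len(m.half_open), m.alerts)
```

The completed handshake and the answered UDP exchange never count; the burst of unanswered SYNs trips the rate threshold on its fifth packet and the absolute threshold on its sixth.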
3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers running FTP servers.
CHAPTER 10 IPSec VPN Config Screens
10.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
Chapter 10 IPSec VPN Config Screens
• Use the VPN Global Setting screen (Section 10.6 on page 232) to change settings that apply to all of your VPN tunnels.
10.1.2 What You Need to Know About IPSec VPN
A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the LAN-Cell and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the LAN-Cell and remote IPSec router.
Figure 125 Gateway and Network Policies
This figure helps explain the main fields in the VPN setup.
Figure 126 IPSec Fields Summary
Negotiation Mode
It takes several steps to establish an IKE SA. The negotiation mode determines the number of steps to use. There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
Note: Both routers must use the same negotiation mode.
10.2 VPN Rules (IKE) Screen
Click SECURITY > VPN to display the VPN Rules (IKE) screen. Use this screen to manage the LAN-Cell’s list of VPN rules (tunnels) that use IKE SAs.
Figure 127 SECURITY > VPN > VPN Rules (IKE)
The following table describes the labels in this screen.
Table 76 SECURITY > VPN > VPN Rules (IKE)
VPN Rules: These VPN rules define the settings for creating VPN tunnels for secure connection to other computers or networks.
Table 76 SECURITY > VPN > VPN Rules (IKE) (continued)
Remote Network: This is the remote network behind the remote IPsec router.
Click this icon to display a screen in which you can associate a network policy to a gateway policy.
Click this icon to display a screen in which you can change the settings of a gateway or network policy.
Click this icon to delete a gateway or network policy.
Figure 128 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
The following table describes the labels in this screen.
Table 77 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
Property
Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the LAN-Cell drops trailing spaces.
Table 77 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
NAT Traversal: Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
Note: The remote IPSec router must also have NAT traversal enabled. See Section on page 248 for more information.
Table 77 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Authentication Key
Pre-Shared Key: Select the Pre-Shared Key radio button and type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
Table 77 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Content: The configuration of the peer content depends on the peer ID type. Do the following when you set Authentication Key to Pre-shared Key. For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.
Table 77 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Password: Enter the corresponding password for the above user name. The password can be up to 31 case-sensitive ASCII characters, but spaces are not allowed.
IKE Proposal
Negotiation Mode: Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
10.2.2 VPN Rules (IKE): Network Policy Edit
Click SECURITY > VPN and the add network policy icon in the VPN Rules (IKE) screen to display the VPN - Network Policy - Edit screen. Use this screen to configure a network policy. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.
The following table describes the labels in this screen.
Table 78 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
Active: If the Active check box is selected, packets for the tunnel trigger the LAN-Cell to build the tunnel. Clear the Active check box to turn the network policy off. The LAN-Cell does not apply the policy. Packets for the tunnel do not trigger the tunnel.
Table 78 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
Type: Select One-to-One to translate a single (static) IP address on your LAN to a single virtual IP address. Select Many-to-One to translate a range of (static) IP addresses on your LAN to a single virtual IP address. Many-to-one rules are for traffic going out from your LAN, through the VPN tunnel, to the remote network.
Table 78 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
Local Port: 0 is the default and signifies any port. Type a port number from 0 to 65535 in the Start and End fields. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.
Remote Network
Remote Network: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses.
Table 78 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
Perfect Forward Secret (PFS): Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption.
Figure 130 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding
The following table describes the labels in this screen.
Table 79 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding
Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
10.2.4 VPN Rules (IKE): Network Policy Move Screen
Click the move icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen. A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. Each VPN tunnel uses a single gateway policy and one or more network policies.
• The gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel.
10.2.5 Dialing the VPN Tunnel via Web Configurator
To test whether the IPSec routers can build the VPN tunnel, click the dial icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel. If you find a disconnect icon next to the rule you just created in the VPN Rules (IKE) screen, the LAN-Cell automatically built the VPN tunnel. Go to the SA Monitor screen to view a list of connected VPN tunnels. See Section 10.
10.3 VPN Rules (Manual)
Refer to Figure 126 on page 211 for a graphical representation of the fields in the web configurator. Click SECURITY > VPN > VPN Rules (Manual) to open the VPN Rules (Manual) screen. Use this screen to manage the LAN-Cell’s list of VPN rules (tunnels) that use manual keys. You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management.
Table 81 SECURITY > VPN > VPN Rules (Manual) (continued)
Remote Network: This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. This field displays N/A when the Remote Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
Figure 136 SECURITY > VPN > VPN Rules (Manual) > Edit
The following table describes the labels in this screen.
Table 82 SECURITY > VPN > VPN Rules (Manual) > Edit
Property
Active: Select this check box to activate this VPN policy.
Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the LAN-Cell drops trailing spaces.
Table 82 SECURITY > VPN > VPN Rules (Manual) > Edit (continued)
Address Type: Use the drop-down list box to choose Single Address, Range Address, or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.
Table 82 SECURITY > VPN > VPN Rules (Manual) > Edit (continued)
Active Protocol: Select ESP if you want to use ESP (Encapsulating Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described next). Select AH if you want to use AH (Authentication Header Protocol).
Figure 137 SECURITY > VPN > SA Monitor
The following table describes the labels in this screen.
Table 83 SECURITY > VPN > SA Monitor
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your LAN-Cell.
Figure 138 Overlap in a Dynamic VPN Rule (figure labels: 192.168.1.0/24, 0.0.0.0) • Enabling the VPN Global Setting option box Do not apply VPN Rules to overlapped local and remote address ranges causes the LAN-Cell to check whether a packet’s destination is also on the local network before forwarding the packet. If it is, the LAN-Cell sends the traffic to the local network.
In this case, if you want to send packets from network A to an overlapped IP (ex. 10.1.2.241) that is in the IP alias network M, you have to enable Do not apply VPN Rules to overlapped local and remote address ranges. 10.6.1 Configuring the Global Setting Screen Click SECURITY > VPN > Global Setting to open the VPN Global Setting screen. Figure 140 SECURITY > VPN > Global Setting The following table describes the labels in this screen.
Table 84 SECURITY > VPN > Global Setting (continued) LABEL DESCRIPTION Gateway Domain Name Update Timer If you use dynamic domain names in VPN rules to identify the LAN-Cell and/or the remote IPSec router, the IP address mapped to the domain name can change. The VPN tunnel stops working after the IP address changes. Any users of the VPN tunnel are disconnected until the LAN-Cell gets the new IP address from a DNS server and rebuilds the VPN tunnel.
Note: Remote users (or routers) must use IPSec-compliant software or hardware to establish a VPN connection with the LAN-Cell. Refer to Proxicast’s Knowledgebase and TechNotes for examples of configuring specific VPN client software packages and devices. 10.7.
With aggressive negotiation mode (see Section on page 247), the LAN-Cell can use the ID types and contents to distinguish between VPN rules. Mobile users can each use a separate VPN rule to simultaneously access the LAN-Cell. They can use different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules configured on the LAN-Cell can overlap. The local IP addresses of the rules configured on the mobile users’ IPSec routers should not overlap.
Table 86 Mobile Users Using Unique VPN Rules Example
MOBILE USERS | HEADQUARTERS
Local ID Type: DNS | Peer ID Type: DNS
Local ID Content: UserB.com | Peer ID Content: UserB.com
Local IP Address: 192.168.3.2 | Remote Gateway Address: UserB.dydns.org
| Remote Address: 192.168.3.2
User C (UserC.dydns.org) | Headquarters LAN-Cell Rule 3:
Local ID Type: E-mail | Peer ID Type: E-mail
Local ID Content: myVPN@myplace.com | Peer ID Content: myVPN@myplace.com
Local IP Address: 192.
Figure 144 on page 239 shows some example network topologies. In the first (fully-meshed) approach, there is a VPN connection between every pair of routers. In the second (hub-and-spoke) approach, there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A). The hub router routes VPN traffic between the spoke routers and itself.
Figure 145 Hub-and-spoke VPN Example
10.9.2 Hub-and-spoke Example VPN Rule Addresses
The VPN rules for this hub-and-spoke example would use the following address settings.
Branch Office A:
• Remote Gateway: 10.0.0.1
• Local IP address: 192.168.167.0/255.255.255.0
• Remote IP address: 192.168.168.0~192.168.169.255
Headquarters:
Rule 1:
• Remote Gateway: 10.0.0.2
• Local IP address: 192.168.168.0~192.168.169.255
• Remote IP address: 192.168.167.0/255.255.255.
The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule. If you want to have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
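Both the overlap setting in Section 10.6 and the hub-and-spoke address planning above reduce to comparing the address fields of VPN rules. The following Python is an added example, not Proxicast code: it parses the address notations used on the rule screens (subnet with dotted mask, "first~last" range, single address, 0.0.0.0 for any), decides where a packet goes when local and remote ranges overlap, and checks whether a hub's rules let every spoke reach every other spoke. The branch B gateway (10.0.0.3) and LAN (192.168.169.0/24) used in the demo are constructed values; the headquarters and branch A addresses are the ones listed above.

```python
"""Address checks for LAN-Cell style VPN rules.

Added example, not Proxicast code. The address notations are taken from the
rule screens in this chapter: subnet "a.b.c.d/mask", range "first~last",
a single address, or 0.0.0.0 for "any". The branch-B gateway and LAN used in
the demo at the bottom are constructed values, not from the manual.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def parse_rule_address(text: str) -> List[Net]:
    """Convert one Local/Remote address field into a list of IPv4 networks."""
    text = text.strip()
    if text == "0.0.0.0":                       # "any": the whole address space
        return [Net("0.0.0.0/0")]
    if "~" in text:                             # Range Address
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("~", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    if "/" in text:                             # Subnet Address, mask in dotted form
        return [Net(text, strict=False)]
    return [Net(text + "/32")]                  # Single Address


def overlaps(field_a: str, field_b: str) -> bool:
    """True when the two address fields share at least one IP address."""
    return any(a.overlaps(b) for a in parse_rule_address(field_a)
               for b in parse_rule_address(field_b))


def covers(field: str, target: str) -> bool:
    """True when every address of `target` lies inside `field`."""
    return all(any(t.subnet_of(f) for f in parse_rule_address(field))
               for t in parse_rule_address(target))


def forward_decision(local: str, remote: str, dst: str, skip_overlapped: bool) -> str:
    """Where a packet to `dst` goes on a router whose local and remote fields overlap.

    skip_overlapped models the Global Setting
    'Do not apply VPN Rules to overlapped local and remote address ranges':
    when set, a destination that is also on the local network is delivered
    locally instead of being sent into the tunnel.
    """
    d = ipaddress.IPv4Address(dst)
    in_local = any(d in n for n in parse_rule_address(local))
    in_remote = any(d in n for n in parse_rule_address(remote))
    if in_local and in_remote:
        return "local" if skip_overlapped else "tunnel"
    if in_remote:
        return "tunnel"
    return "local" if in_local else "route"


HubRule = Tuple[str, str, str]   # (remote gateway, local field, remote field)


def check_hub_rules(hub_rules: List[HubRule], spokes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Report spoke pairs that cannot reach each other through the hub.

    spokes maps a spoke's gateway address to its LAN. Spoke X reaches spoke Y
    only if some hub rule toward X lists Y's LAN in its local field, because
    the hub routes that traffic between the spokes and itself.
    """
    missing = []
    for gw_x, lan_x in spokes.items():
        rules_x = [r for r in hub_rules if r[0] == gw_x]
        if not any(covers(r[2], lan_x) for r in rules_x):
            missing.append((gw_x, "hub"))      # no hub rule even reaches X's own LAN
        for gw_y, lan_y in spokes.items():
            if gw_x != gw_y and not any(covers(r[1], lan_y) for r in rules_x):
                missing.append((gw_x, gw_y))
    return missing


if __name__ == "__main__":
    # Headquarters (10.0.0.1) rules toward branch A (10.0.0.2) and a constructed branch B (10.0.0.3).
    hub = [("10.0.0.2", "192.168.168.0~192.168.169.255", "192.168.167.0/255.255.255.0"),
           ("10.0.0.3", "192.168.167.0~192.168.168.255", "192.168.169.0/255.255.255.0")]
    spokes = {"10.0.0.2": "192.168.167.0/255.255.255.0",
              "10.0.0.3": "192.168.169.0/255.255.255.0"}
    print("unreachable spoke pairs:", check_hub_rules(hub, spokes))
    print("local overlaps 'any':", overlaps("192.168.1.0/255.255.255.0", "0.0.0.0"))
```

A dynamic rule whose remote field is 0.0.0.0 always overlaps the local network, which is why the Global Setting matters there; `check_hub_rules` is the planning step for the sentence "this may require you to use more than one VPN rule".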
Figure 146 VPN Log Example
LAN-Cell> sys log disp ike ipsec
# .time source destination message
0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Rule [ex-1] Tunnel built successfully
1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
2|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Send:[HASH]
3|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
4|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.
Figure 147 IKE/IPSec Debug Example
LAN-Cell> ipsec debug type level display
LAN-Cell> ipsec debug type <0:Disable | 1:Original on|off | 2:IKE on|off | 3: IPSec [SPI]|on|off | 4:XAUTH on|off | 5:CERT on|off | 6: All>
LAN-Cell> ipsec debug level <0:None | 1:User | 2:Low | 3:High>
LAN-Cell> ipsec debug type 1 on
LAN-Cell> ipsec debug type 2 on
LAN-Cell> ipsec debug level 3
LAN-Cell> ipsec dial 1
get_ipsec_sa_by_policyIndex(): Start dialing for tunnel ...
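The `sys log disp ike ipsec` output in Figure 146 has a fixed column layout that is easy to turn into records for a ticket or a monitoring check. The following Python is an added example, not Proxicast code: it parses that layout, pairs each "Tunnel built successfully" message with the ISAKMP cookie pair logged after it, and counts builds per rule and peer. The month-first date order is an assumption; the sample log repeats the figure's first lines and adds two constructed lines (index 4 and 5, peer 5.6.7.9, rule ex-2) for a second tunnel.

```python
"""Parser for LAN-Cell 'sys log disp ike ipsec' output.

Added example, not Proxicast code. The line layout is taken from Figure 146:
  index|MM/DD/YYYY hh:mm:ss |source |destination message
The date order (month first) is an assumption. SAMPLE_LOG repeats the figure's
first lines and adds two constructed lines for a second rule.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_LOG = """LAN-Cell> sys log disp ike ipsec
 # .time source destination message
 0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Rule [ex-1] Tunnel built successfully
 1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
 2|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Send:[HASH]
 3|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
 4|01/11/2001 18:49:03 |5.6.7.9 |5.1.2.3 Rule [ex-2] Tunnel built successfully
 5|01/11/2001 18:49:03 |5.6.7.9 |5.1.2.3 The cookie pair is : 0x0123456789ABCDEF / 0xFEDCBA9876543210
"""

LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\|(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|"
    r"(?P<src>[0-9.]+) \|(?P<dst>[0-9.]+) (?P<msg>.*)$")
BUILT_RE = re.compile(r"Rule \[(?P<rule>[^\]]+)\] Tunnel built successfully")
COOKIE_RE = re.compile(r"The cookie pair is : (?P<i>0x[0-9A-Fa-f]+) / (?P<r>0x[0-9A-Fa-f]+)")


@dataclass
class LogEntry:
    index: int
    time: datetime
    source: str
    destination: str
    message: str


def parse_log(text: str) -> List[LogEntry]:
    """Return the log records; the command echo, column header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        entries.append(LogEntry(int(m["idx"]),
                                datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
                                m["src"], m["dst"], m["msg"].strip()))
    return entries


def tunnels_built(entries: List[LogEntry]) -> Dict[str, dict]:
    """Map rule name -> peer address, build time and the cookie pair logged right after the build."""
    result: Dict[str, dict] = {}
    pending: Optional[str] = None
    for e in entries:
        built = BUILT_RE.search(e.message)
        if built:
            pending = built["rule"]
            result[pending] = {"peer": e.source, "built_at": e.time, "cookies": None}
            continue
        cookie = COOKIE_RE.search(e.message)
        if cookie and pending and result[pending]["cookies"] is None:
            result[pending]["cookies"] = (cookie["i"], cookie["r"])
    return result


def builds_per_peer(entries: List[LogEntry]) -> Counter:
    """Count successful builds per (rule, peer); many builds in a short window mean a tunnel that keeps dropping."""
    return Counter((BUILT_RE.search(e.message)["rule"], e.source)
                   for e in entries if BUILT_RE.search(e.message))


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for rule, info in tunnels_built(parsed).items():
        print(rule, info["peer"], info["cookies"])
```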
10.11 IPSec VPN Technical Reference IKE SA Proposal The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the LAN-Cell and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated below. Figure 148 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal The LAN-Cell sends one or more proposals to the remote IPSec router.
Figure 149 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange The DH key exchange is based on DH key groups. Each key group is a fixed number of bits long. The longer the key, the more secure the encryption keys, but also the longer it takes to encrypt and decrypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 bits), but DH2 encryption keys take longer to encrypt and decrypt.
Note: The LAN-Cell’s local and peer ID type and ID content must match the remote IPSec router’s peer and local ID type and ID content, respectively. In the following example, the ID type and content match so the LAN-Cell and the remote IPSec router authenticate each other successfully.
Table 87 VPN Example: Matching ID Type and Content
LAN-CELL | REMOTE IPSEC ROUTER
Local ID type: E-mail | Local ID type: IP
Local ID content: tom@yourcompany.com | Local ID content: 1.1.1.
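The matching rule above and the aggressive-mode rule selection in Section 10.8 (Table 86) can be checked before a rule is deployed. The following Python is an added example, not Proxicast code. It models a rule's local and peer IDs, verifies the reciprocal match of Table 87, and shows how a responder in aggressive mode selects a rule from the ID the initiator presents. The remote router's IP content (1.1.1.2, the table's value is cut off) and the headquarters local IDs are constructed; case-insensitive comparison of DNS and e-mail IDs is an assumption not stated by the manual.

```python
"""Phase 1 identity checks between two IPSec peers.

Added example, not Proxicast code. A VPN rule holds a local ID (what this
router presents) and a peer ID (what it expects from the other side). The
remote router's IP content and the headquarters local IDs used in the demo
are constructed; the other names and addresses follow Tables 86 and 87.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    id_type: str      # "IP", "DNS" or "E-mail", as on the rule screen
    content: str

    def key(self) -> Tuple[str, str]:
        """Comparison form: the type is case-insensitive; DNS names and mail addresses
        are compared case-insensitively too (an assumption, not stated by the manual)."""
        t = self.id_type.strip().lower()
        c = self.content.strip()
        if t in ("dns", "e-mail"):
            c = c.lower()
        return (t, c)


@dataclass
class VpnRule:
    name: str
    local_id: Identity
    peer_id: Identity


def ids_match(ours: VpnRule, theirs: VpnRule) -> bool:
    """Table 87: our local ID must equal their peer ID and our peer ID their local ID."""
    return (ours.local_id.key() == theirs.peer_id.key()
            and ours.peer_id.key() == theirs.local_id.key())


def select_rule_aggressive(rules: List[VpnRule], presented: Identity) -> Optional[VpnRule]:
    """Aggressive mode carries the initiator's ID in its first message, so the
    responder can pick the rule whose peer ID matches before any keys are agreed.
    Returns None when no rule, or more than one rule, matches."""
    matches = [r for r in rules if r.peer_id.key() == presented.key()]
    return matches[0] if len(matches) == 1 else None


def find_duplicate_peer_ids(rules: List[VpnRule]) -> List[Tuple[str, str]]:
    """Rules sharing a peer ID cannot be told apart; report them before deployment."""
    seen, dups = {}, []
    for r in rules:
        k = r.peer_id.key()
        if k in seen:
            dups.append((seen[k], r.name))
        else:
            seen[k] = r.name
    return dups


if __name__ == "__main__":
    hq = VpnRule("hq", Identity("E-mail", "tom@yourcompany.com"), Identity("IP", "1.1.1.2"))
    remote = VpnRule("remote", Identity("IP", "1.1.1.2"), Identity("E-mail", "tom@yourcompany.com"))
    print("Table 87 pair matches:", ids_match(hq, remote))
```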
Note: You must set up the certificates for the LAN-Cell and remote IPSec router before you can use certificates in IKE SA. See Chapter 11 on page 255 for more information about certificates. Extended Authentication Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters.
Aggressive mode does not provide as much security as main mode because the identity of the LAN-Cell and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication (for example, telecommuters). VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y.
Otherwise, the LAN-Cell must re-negotiate the SA the next time someone wants to send traffic. Note: If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays connected. An IPSec SA can be set to nailed up. Normally, the LAN-Cell drops the IPSec SA when the life time expires or after two minutes of outbound traffic with no inbound traffic.
• Should ideally identify itself by a domain name or dynamic domain name (it must otherwise have My Address set to 0.0.0.0) • Should use a WAN connectivity check to this LAN-Cell’s WAN IP address If the remote IPSec router is not a LAN-Cell, you may also want to avoid setting the IPSec rule to nailed up. Encryption and Authentication Algorithms In most LAN-Cells, you can select one of the following encryption algorithms for each proposal.
Virtual Address Mapping Virtual address mapping (NAT over IPSec) changes the source IP addresses of packets from your local devices to virtual IP addresses before sending them through the VPN tunnel. Avoiding Overlapping Local And Remote Network IP Addresses If both IPSec routers support virtual address mapping, you can access devices on both networks, even if their IP addresses overlap.
Active Protocol The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). Note: The LAN-Cell and remote IPSec router must use the same active protocol. Usually, you should select ESP.
In transport mode, the encapsulation depends on the active protocol. With AH, the LAN-Cell includes part of the original IP header when it encapsulates the packet. With ESP, however, the LAN-Cell does not include the IP header when it encapsulates the packet, so it is not possible to verify the integrity of the source IP address.
Note: The LAN-Cell and remote IPSec router must use the same SPI.
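The differences between the two active protocols described above (which header fields AH authenticates, what ESP leaves in the clear, and the SPI both sides must agree on) are visible in the packet bytes. The following Python is an added example, not Proxicast code: it builds IPv4 packets carrying AH (RFC 2402) and ESP (RFC 2406) headers from constructed values, parses them back, zeroes the mutable IPv4 fields the way AH's integrity check does, and checks a packet's protocol and SPI against a manual-keyed rule. The SPIs, addresses and the 12-byte fake ICV are placeholders; no real encryption or MAC is performed.

```python
"""Inspect AH (RFC 2402) and ESP (RFC 2406) headers of IPv4 packets.

Added example, not Proxicast code. The packets are constructed inline;
SPI values, addresses and the fake ICV are placeholders. No cryptography
is performed, only header layout.
"""
import struct
from typing import Dict

PROTO_ESP = 50
PROTO_AH = 51


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) in front of `payload`; checksum left zero."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, ttl, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def build_ah(next_header: int, spi: int, seq: int, icv: bytes, inner: bytes) -> bytes:
    """AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV, then the protected data."""
    ah_len_words = (12 + len(icv)) // 4
    return struct.pack("!BBHII", next_header, ah_len_words - 2, 0, spi, seq) + icv + inner


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP: SPI and sequence number in the clear, then the encrypted payload (trailer inside) and ICV."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse_packet(pkt: bytes) -> Dict:
    """Return addresses, active protocol, SPI, sequence number and what follows the IPsec header."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]), "proto": proto}
    body = pkt[ihl:]
    if proto == PROTO_AH:
        next_header, payload_len = body[0], body[1]
        spi, seq = struct.unpack("!II", body[4:12])
        icv_len = (payload_len + 2) * 4 - 12
        info.update(active_protocol="AH", spi=spi, seq=seq, next_header=next_header,
                    icv=body[12:12 + icv_len], inner=body[12 + icv_len:])
    elif proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        info.update(active_protocol="ESP", spi=spi, seq=seq, encrypted=body[8:])
    else:
        info["active_protocol"] = None
    return info


def ah_covered_header(ip_header: bytes) -> bytes:
    """The IPv4 header as AH's ICV sees it: mutable fields (TOS, flags/offset, TTL,
    checksum) zeroed, so source and destination addresses are authenticated.
    ESP's ICV never covers the outer header, hence the manual's remark about
    the source address."""
    h = bytearray(ip_header[:20])
    h[1] = 0                 # TOS
    h[6] = h[7] = 0          # flags and fragment offset
    h[8] = 0                 # TTL
    h[10] = h[11] = 0        # header checksum
    return bytes(h)


def spi_matches_rule(pkt: bytes, rule_active_protocol: str, rule_incoming_spi: int) -> bool:
    """A manual-keyed rule accepts the packet only if protocol and SPI both agree."""
    info = parse_packet(pkt)
    return info["active_protocol"] == rule_active_protocol and info.get("spi") == rule_incoming_spi


if __name__ == "__main__":
    ah_pkt = build_ipv4("5.6.7.8", "5.1.2.3", PROTO_AH,
                        build_ah(6, 0x100, 1, b"\xaa" * 12, b"inner-tcp-segment"))
    print(parse_packet(ah_pkt)["active_protocol"], hex(parse_packet(ah_pkt)["spi"]))
```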
CHAPTER 11 Certificates Screens 11.1 Overview The LAN-Cell can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication. 11.1.1 What You Can Do in the Certificate Screens • Use the My Certificate screens (see Section 11.
Chapter 11 Certificates Screens The LAN-Cell uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm. The certification authority uses its private key to sign certificates.
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Figure 156 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection. 11.
Figure 157 SECURITY > CERTIFICATES > My Certificates The following table describes the labels in this screen. Table 89 SECURITY > CERTIFICATES > My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the LAN-Cell’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
Table 89 SECURITY > CERTIFICATES > My Certificates (continued) LABEL DESCRIPTION Modify Click the details icon to open a screen with an in-depth list of information about the certificate (or certification request). Click the export icon to save the certificate to a computer. For a certification request, click the export icon and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.
Figure 158 SECURITY > CERTIFICATES > My Certificates > Details The following table describes the labels in this screen. Table 90 SECURITY > CERTIFICATES > My Certificates > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
Table 90 SECURITY > CERTIFICATES > My Certificates > Details (continued) LABEL DESCRIPTION Certification Path Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself).
Table 90 SECURITY > CERTIFICATES > My Certificates > Details (continued) LABEL DESCRIPTION SHA1 Fingerprint This is the certificate’s message digest that the LAN-Cell calculated using the SHA1 algorithm. Certificate in PEM (Base-64) Encoded Format This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
The following table describes the labels in this screen. Table 91 SECURITY > CERTIFICATES > My Certificates > Export LABEL DESCRIPTION Export the certificate in binary X.509 format. Binary X.509 is an ITU-T recommendation that defines the formats for X.509 certificates. Export the certificate along with the corresponding private key in PKCS#12 format. PKCS#12 is a format for transferring public key and private key certificates.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form. • Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords.
Figure 161 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 The following table describes the labels in this screen. Table 93 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 LABEL DESCRIPTION Password Type the file’s password that was created when the PKCS #12 file was exported. Apply Click Apply to save the certificate on the LAN-Cell. Cancel Click Cancel to quit and return to the My Certificates screen. 11.
Figure 162 SECURITY > CERTIFICATES > My Certificates > Create The following table describes the labels in this screen. Table 94 SECURITY > CERTIFICATES > My Certificates > Create LABEL DESCRIPTION Certificate Name Type up to 31 ASCII characters (not including spaces) to identify this certificate. Subject Information Use these fields to record information that identifies the owner of the certificate.
Table 94 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL DESCRIPTION Country Type up to 127 characters to identify the nation where the certificate owner is located. You may use any character, including spaces, but the LAN-Cell drops trailing spaces. Key Length Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is.
Table 94 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL DESCRIPTION Create a certification request and save it locally for later manual enrollment Select Create a certification request and save it locally for later manual enrollment to have the LAN-Cell generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.
Table 94 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL DESCRIPTION Apply Click Apply to begin certificate or certification request generation. Cancel Click Cancel to quit and return to the My Certificates screen. After you click Apply in the My Certificate Create screen, you see a screen that tells you the LAN-Cell is generating the self-signed certificate or certification request.
The following table describes the labels in this screen. Table 95 SECURITY > CERTIFICATES > Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the LAN-Cell’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates. # This field displays the certificate index number.
Figure 164 SECURITY > CERTIFICATES > Trusted CAs > Details The following table describes the labels in this screen. Table 96 SECURITY > CERTIFICATES > Trusted CAs > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Table 96 SECURITY > CERTIFICATES > Trusted CAs > Details (continued) LABEL DESCRIPTION Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
Table 96 SECURITY > CERTIFICATES > Trusted CAs > Details (continued) LABEL DESCRIPTION CRL Distribution Points This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers. MD5 Fingerprint This is the certificate’s message digest that the LAN-Cell calculated using the MD5 algorithm.
Figure 165 SECURITY > CERTIFICATES > Trusted CAs > Import The following table describes the labels in this screen. Table 97 SECURITY > CERTIFICATES > Trusted CAs > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload. Apply Click Apply to save the certificate on the LAN-Cell.
Figure 166 SECURITY > CERTIFICATES > Trusted Remote Hosts The following table describes the labels in this screen. Table 98 SECURITY > CERTIFICATES > Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the LAN-Cell’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
11.10 Trusted Remote Hosts Import Screen Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. You may have peers with certificates that you want to trust, but the certificates were not signed by one of the certification authorities on the Trusted CAs screen. Follow the instructions in this screen to save a peer’s certificates from a computer to the LAN-Cell.
11.11 Trusted Remote Host Certificate Details Screen Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host’s certificate and/or change the certificate’s name.
The following table describes the labels in this screen. Table 100 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Table 100 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued) LABEL DESCRIPTION MD5 Fingerprint This is the certificate’s message digest that the LAN-Cell calculated using the MD5 algorithm. The LAN-Cell uses one of its own self-signed certificates to sign the imported trusted remote host certificates. This changes the fingerprint value displayed here (so it does not match the original).
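The thumbprint verification steps in Section 11.2, the SHA1 fingerprint and PEM box of Table 90, and the MD5 fingerprints of Tables 96 and 100 all rest on one computation: hash the DER-encoded certificate. The following Python is an added example, not Proxicast code. It extracts the DER bytes from PEM text, produces MD5 and SHA1 fingerprints in the colon-separated form the screens show, and compares a computed value with one confirmed out of band using a constant-time comparison. The sample PEM wraps the constructed bytes b"abc" (so the digests are the standard test vectors) and is a placeholder for a certificate body, not a certificate.

```python
"""Certificate thumbprint computation and out-of-band verification.

Added example, not Proxicast code. A thumbprint (fingerprint) is the MD5 or SHA1
digest of the DER-encoded certificate; the PEM text shown on the Details screen
is that DER blob in Base-64 between BEGIN/END lines. SAMPLE_PEM wraps the
constructed bytes b"abc" so the digests are the well-known test vectors; it is a
stand-in for a real certificate body, not a certificate.
"""
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

SAMPLE_DER = b"abc"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the armor lines and Base-64 decode the body."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case hex, the form the Details screen and Windows show."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("the LAN-Cell shows MD5 and SHA1 fingerprints only")
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(text: str) -> str:
    """Accept 'A9:99:3E...', 'a9993e...' or space-separated forms alike."""
    return re.sub(r"[^0-9A-F]", "", text.upper())


def verify_thumbprint(pem: str, expected: str, algorithm: str = "sha1") -> bool:
    """Step 4 of the procedure: compare the locally computed value with the one the owner confirmed."""
    computed = normalize_thumbprint(fingerprint(pem_to_der(pem), algorithm))
    return hmac.compare_digest(computed, normalize_thumbprint(expected))


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA1:", fingerprint(der, "sha1"))
    print("MD5: ", fingerprint(der, "md5"))
```

Because the LAN-Cell re-signs imported trusted remote host certificates (Table 100), compute the peer's fingerprint from the file you received, before import, when you confirm it with the owner.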
The following table describes the labels in this screen. Table 101 SECURITY > CERTIFICATES > Directory Servers LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the LAN-Cell’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates. # The index number of the directory server.
The following table describes the labels in this screen. Table 102 SECURITY > CERTIFICATES > Directory Server > Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server. Access Protocol Use the drop-down list box to select the access protocol used by the directory server.
282 LAN-Cell 2 User’s Guide
CHAPTER 12 Authentication Server Screens 12.1 Overview This chapter discusses how to configure the LAN-Cell’s authentication server feature. A LAN-Cell set to be a VPN extended authentication server can use either the local user database internal to the LAN-Cell or an external RADIUS server for an unlimited number of users. The LAN-Cell uses the same local user database for VPN extended authentication and wireless LAN security. See Appendix E on page 617 for more information about RADIUS. 12.1.
Chapter 12 Authentication Server Screens 12.2 Local User Database Screen Click SECURITY > AUTH SERVER to open the Local User Database screen. The local user database is a list of user profiles stored on the LAN-Cell. The LAN-Cell can use this list of user profiles to authenticate users. Use this screen to change your LAN-Cell’s list of user profiles. Figure 171 SECURITY > AUTH SERVER > Local User Database The following table describes the labels in this screen.
12.3 RADIUS Screen Click SECURITY > AUTH SERVER > RADIUS to open the RADIUS screen. Configure this screen to use an external RADIUS server to authenticate users. Figure 172 SECURITY > AUTH SERVER > RADIUS The following table describes the labels in this screen. Table 104 SECURITY > AUTH SERVER > RADIUS LABEL DESCRIPTION Authentication Server Active Select the check box to enable user authentication through an external authentication server.
Table 104 SECURITY > AUTH SERVER > RADIUS (continued) LABEL DESCRIPTION Key Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the LAN-Cell. The key is not sent over the network. This key must be the same on the external accounting server and LAN-Cell. Apply Click Apply to save your changes back to the LAN-Cell. Reset Click Reset to begin configuring this screen afresh.
PART IV Advanced Menu Network Address Translation (NAT) Screens (289) DNS Screens (307) Remote Management Screens (319) Static Route Screens (339) Policy Route Screens (343) Bandwidth Management Screens (349) ALG Screens (365)
CHAPTER 13 Network Address Translation (NAT) Screens 13.1 Overview NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network. 13.1.1 What You Can Do in the NAT Screens • Use the NAT Overview screen (Section 13.2 on page 290) to configure global NAT settings and enable NAT on a WAN interface.
Chapter 13 Network Address Translation (NAT) Screens The following table summarizes the NAT mapping types.
Figure 173 ADVANCED > NAT > NAT Overview The following table describes the labels in this screen. Table 106 ADVANCED > NAT > NAT Overview LABEL DESCRIPTION Global Settings Max. Concurrent Sessions This read-only field displays the highest number of NAT sessions that the LAN-Cell will permit at one time. Max.
Table 106 ADVANCED > NAT > NAT Overview (continued) LABEL DESCRIPTION Port Forwarding Rules The bar displays how many of the LAN-Cell's possible port forwarding rules are configured. The first number shows how many port forwarding rules are configured on the LAN-Cell. The second number shows the maximum number of port forwarding rules that can be configured on the LAN-Cell.
Figure 174 ADVANCED > NAT > Address Mapping The following table describes the labels in this screen. Table 107 ADVANCED > NAT > Address Mapping LABEL DESCRIPTION SUA Address Mapping Rules This read-only table displays the default address mapping rules. Full Feature Address Mapping Rules WAN Interface Select the WAN interface for which you want to view or configure address mapping rules.
Table 107 ADVANCED > NAT > Address Mapping (continued) LABEL DESCRIPTION Global Start IP This refers to the Inside Global IP Address (IGA), that is the starting global IP address. 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types. Global End IP This is the ending Inside Global Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types. Type 1.
The following table describes the labels in this screen. Table 108 ADVANCED > NAT > Address Mapping > Edit LABEL DESCRIPTION Type Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-One NAT mapping type. 2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address.
Note: If you do not assign a Default Server IP address, the LAN-Cell discards all packets received for ports that are not specified here or in the remote management setup. Port Forwarding: Services and Port Numbers The LAN-Cell provides the additional safety of the DMZ ports for connecting your publicly accessible servers. This makes the LAN more secure by physically separating it from your public servers.
Figure 176 Multiple Servers Behind NAT Example NAT and Multiple WAN The LAN-Cell has two WAN interfaces (wired + cellular). You can configure port forwarding and trigger port rule sets for the first WAN interface and separate sets of rules for the second WAN interface.
Figure 177 Port Translation Example 13.4.2 Port Forwarding Screen Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. Refer to Figure 109 on page 296 for port numbers commonly used for particular services. Note: Remember to define the appropriate Firewall Rules to allow the ports listed on the Port Forwarding Screen through the correct WAN and LAN/DMZ interfaces (e.g.
Figure 178 ADVANCED > NAT > Port Forwarding The following table describes the labels in this screen. Table 110 ADVANCED > NAT > Port Forwarding LABEL DESCRIPTION WAN Interface Select the WAN interface for which you want to view or configure address mapping rules. Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
Table 110 ADVANCED > NAT > Port Forwarding (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the LAN-Cell. Reset Click Reset to begin configuring this screen afresh. 13.5 Port Triggering Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side.
Click ADVANCED > NAT > Port Triggering to open the following screen. Use this screen to change your LAN-Cell’s trigger port settings. Figure 180 ADVANCED > NAT > Port Triggering The following table describes the labels in this screen. Table 111 ADVANCED > NAT > Port Triggering LABEL DESCRIPTION WAN Interface Select the WAN interface for which you want to view or configure address mapping rules. # This is the rule index number (read-only).
13.6 NAT Technical Reference This technical reference contains the following sections:
• Inside/outside and Global/local
• What NAT Does
• How NAT Works
• NAT Application
• Port Restricted Cone NAT
Inside/outside and Global/local Inside/outside denotes where a host is located relative to the LAN-Cell. For example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
that you attach those servers to the DMZ port instead. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping), NAT offers the additional benefit of firewall protection. With no servers defined, your LAN-Cell filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).
Figure 182 NAT Application With IP Alias Port Restricted Cone NAT LAN-Cell ProxiOS version 4.00 and later uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network. In the following example, the LAN-Cell maps the source address of all packets sent from internal IP address 1 and port B to IP address 2 and port B on the external network.
Figure 183 Port Restricted Cone NAT Example
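The two statements above, that undefined servers give "the additional benefit of firewall protection" and that port restricted cone NAT ties one internal address and port to one external port, are the same mechanism seen from two sides. The following Python is an added example, not Proxicast code: a small port restricted cone NAT model in which a reply is accepted only from an external address and port the internal host has already sent to, unsolicited packets fall through to Port Forwarding rules or the Default Server, and anything left is discarded. The WAN address, hosts and ports are constructed values from the documentation address ranges.

```python
"""Port restricted cone NAT as described for ProxiOS 4.00 and later.

Added example, not Proxicast code. The WAN address, internal hosts and ports
are constructed values. Outbound traffic from one internal (ip, port) always
leaves from one WAN port; inbound traffic to that WAN port is accepted only from
an external (ip, port) the internal host has already sent to. Anything else is
matched against Port Forwarding rules and the Default Server, or discarded.
"""
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)


class PortRestrictedConeNAT:
    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.outbound: Dict[Endpoint, int] = {}         # internal endpoint -> WAN port
        self.inbound: Dict[int, Endpoint] = {}          # WAN port -> internal endpoint
        self.permitted: Dict[int, Set[Endpoint]] = {}   # WAN port -> external endpoints contacted
        self.port_forwards: Dict[int, Endpoint] = {}    # Port Forwarding rules: WAN port -> server
        self.default_server: Optional[str] = None       # Default Server field, if any

    def add_port_forward(self, wan_port: int, server_ip: str, server_port: int) -> None:
        self.port_forwards[wan_port] = (server_ip, server_port)

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Rewrite the source of an outgoing packet and remember whom it was sent to."""
        if src not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[src] = port
            self.inbound[port] = src
            self.permitted[port] = set()
        port = self.outbound[src]
        self.permitted[port].add(dst)
        return (self.wan_ip, port)

    def translate_inbound(self, ext_src: Endpoint, wan_port: int) -> Optional[Endpoint]:
        """Return the internal destination for an incoming packet, or None when it is dropped."""
        if wan_port in self.inbound and ext_src in self.permitted[wan_port]:
            return self.inbound[wan_port]               # reply to something we sent
        if wan_port in self.port_forwards:
            return self.port_forwards[wan_port]         # published service
        if self.default_server is not None:
            return (self.default_server, wan_port)      # catch-all server, if configured
        return None                                     # unsolicited: the probe gets nothing back


def demo() -> dict:
    """One internal host talks to one web server; then outsiders try the mapped port and a fresh port."""
    nat = PortRestrictedConeNAT("203.0.113.1")         # constructed WAN address
    mapped = nat.translate_outbound(("192.168.1.10", 5000), ("198.51.100.20", 80))
    return {
        "mapped": mapped,
        "reply_accepted": nat.translate_inbound(("198.51.100.20", 80), mapped[1]),
        "other_port_rejected": nat.translate_inbound(("198.51.100.20", 8080), mapped[1]),
        "other_host_rejected": nat.translate_inbound(("198.51.100.99", 80), mapped[1]),
        "probe_rejected": nat.translate_inbound(("198.51.100.99", 12345), 22),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "other_host_rejected" case is what separates port restricted cone NAT from a full cone: learning the mapped port is not enough to reach the internal host, the packet must also come from the address and port that host contacted.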
CHAPTER 14 DNS Screens 14.1 Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The LAN-Cell uses a system DNS server (in the order you specify in the DNS System screen) to resolve domain names, for example, VPN, DDNS and the time server. 14.1.1 What You Can Do in the DNS Screens • Use the System screen (Section 14.
Chapter 14 DNS Screens DNS Servers There are three places where you can configure DNS setup on the LAN-Cell. 1 Use the DNS System screen to configure the LAN-Cell to use a DNS server to resolve domain names for LAN-Cell system features like VPN, DDNS and the time server. 2 Use the DNS DHCP screen to configure the DNS server information that the LAN-Cell sends to the DHCP client devices on the LAN, DMZ or WLAN. 3 Use the REMOTE MGMT DNS screen to configure the LAN-Cell to accept or discard DNS queries.
Figure 184 Private DNS Server Example

Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.

DDNS

DDNS (Dynamic DNS) allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.).
Figure 185 ADVANCED > DNS > System DNS

The following table describes the labels in this screen.

Table 113 ADVANCED > DNS > System DNS

Address Record: An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.proxicast.
Table 113 ADVANCED > DNS > System DNS (continued)

Domain Zone: A domain zone is a fully qualified domain name without the host. For example, proxicast.com is the domain zone for the www.proxicast.com fully qualified domain name.

From: This field displays whether the IP address of a DNS server comes from a WAN interface (and which one) or was specified by the user.

DNS Server: This is the IP address of a DNS server.
The following table describes the labels in this screen.

Table 114 ADVANCED > DNS > Add (Address Record)

FQDN: Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.proxicast.com is a fully qualified domain name, where “www” is the host, “proxicast” is the second-level domain, and “.com” is the top-level domain.
The following table describes the labels in this screen.

Table 115 ADVANCED > DNS > Insert (Name Server Record)

Domain Zone: This field is optional. A domain zone is a fully qualified domain name without the host. For example, proxicast.com is the domain zone for the www.proxicast.com fully qualified domain name. Whenever the LAN-Cell needs to resolve a proxicast.com domain name, it can send a query to the recorded name server IP address.
Figure 188 ADVANCED > DNS > Cache

The following table describes the labels in this screen.

Table 116 ADVANCED > DNS > Cache

DNS Cache Setup

Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the LAN-Cell’s processing of commonly queried domain names and reduces the amount of traffic that the LAN-Cell sends out to the WAN.
Table 116 ADVANCED > DNS > Cache (continued)

Remaining Time (sec): This is the number of seconds left before the DNS resolution entry is discarded from the cache.

Modify: Click the delete icon to remove the DNS resolution entry from the cache.

14.5 Configuring DNS DHCP

Click ADVANCED > DNS > DHCP to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the LAN-Cell sends to its LAN, DMZ or WLAN DHCP clients.
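How a positive-resolution cache of the kind the Cache screen exposes behaves over time, as an added Python example (hypothetical class, not code from the guide or from the LAN-Cell firmware). It assumes each cached answer carries the TTL the upstream server returned, derives the "Remaining Time (sec)" value from that TTL, discards expired entries on lookup, and supports the manual delete the screen offers. The clock is injectable so the expiry logic can be exercised without waiting; the hit/miss counters show the WAN-traffic saving the text mentions.

```python
import time


class DnsCache:
    """TTL-bounded cache of positive DNS resolutions (added example, hypothetical class)."""

    def __init__(self, cache_positive=True, clock=time.time):
        self.cache_positive = cache_positive   # mirrors "Cache Positive DNS Resolutions"
        self.clock = clock                     # injectable for deterministic tests
        self._entries = {}                     # name -> (addresses, expires_at)
        self.hits = 0                          # answered from cache: no WAN query needed
        self.misses = 0                        # caller must query the upstream server

    @staticmethod
    def _key(name):
        # DNS names are case-insensitive; strip a trailing dot so "a.example." == "a.example"
        return name.lower().rstrip(".")

    def record(self, name, addresses, ttl):
        """Store a successful resolution; ignored when positive caching is disabled."""
        if not self.cache_positive or ttl <= 0:
            return
        self._entries[self._key(name)] = (tuple(addresses), self.clock() + ttl)

    def lookup(self, name):
        """Return cached addresses, or None when absent or expired."""
        key = self._key(name)
        entry = self._entries.get(key)
        if entry is None or entry[1] <= self.clock():
            self._entries.pop(key, None)       # expired entry is discarded
            self.misses += 1
            return None
        self.hits += 1
        return entry[0]

    def remaining(self, name):
        """Whole seconds left before the entry is discarded ("Remaining Time (sec)"), 0 if none."""
        entry = self._entries.get(self._key(name))
        if entry is None:
            return 0
        return max(0, int(entry[1] - self.clock()))

    def delete(self, name):
        """Manual removal, as the delete icon on the Cache screen does; True if an entry existed."""
        return self._entries.pop(self._key(name), None) is not None

    def purge_expired(self):
        """Drop every expired entry; returns how many were removed."""
        now = self.clock()
        expired = [k for k, (_, exp) in self._entries.items() if exp <= now]
        for k in expired:
            del self._entries[k]
        return len(expired)
```

Honouring the upstream TTL rather than a fixed lifetime matters for the high-availability behaviour described further on: when a WAN address changes and the DDNS record is updated, a cache that kept the old answer past its TTL would keep directing traffic at the dead address.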
Table 117 ADVANCED > DNS > DHCP

IP: Select From ISP if your ISP dynamically assigns DNS server information (and the LAN-Cell's WAN IP address). Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.
High Availability

A DNS server maps a domain name to a WAN port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain name mapping.

14.7 Configuring Dynamic DNS

To change your LAN-Cell’s DDNS settings, click ADVANCED > DNS > DDNS. The screen appears as shown.

Figure 190 ADVANCED > DNS > DDNS

The following table describes the labels in this screen.
Table 118 ADVANCED > DNS > DDNS

DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider. Select Dynamic if you have the Dynamic DNS service. Select Static if you have the Static DNS service. Select Custom if you have the Custom DNS service.

Offline: This option is available when Custom is selected in the DDNS Type field.
CHAPTER 15 Remote Management Screens

15.1 Overview

This chapter provides information on the Remote Management screens. Remote management allows you to determine which services/protocols can access which LAN-Cell interface (if any) from which computers. The following figure shows secure and insecure management of the LAN-Cell coming in from the WAN. HTTPS and SSH access are secure. HTTP and Telnet access are not secure.

Figure 191 Secure and Insecure Remote Management From the WAN

15.1.
15.1.2 What You Need To Know About Remote Management

Firewall Rules

When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 9 on page 181 for details on configuring firewall rules. You can also disable a service on the LAN-Cell by not allowing access for the service/protocol through any of the LAN-Cell interfaces.
15.2 Remote Management Examples

15.2.1 HTTPS Example

If you haven’t changed the default HTTPS port on the LAN-Cell, then in your browser enter “https://LAN-Cell IP Address/” as the web site address, where “LAN-Cell IP Address” is the IP address or domain name of the LAN-Cell you wish to access.

15.2.1.1 Internet Explorer Warning Messages

When you attempt to access the LAN-Cell HTTPS server, a Windows dialog box pops up asking if you trust the server certificate.
• The actual IP address of the HTTPS server (the IP address of the LAN-Cell’s port that you are trying to access) does not match the common name specified in the LAN-Cell’s HTTPS server certificate that your browser received.

Do the following to check the common name specified in the certificate that your LAN-Cell sends to HTTPS clients.

6a Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field.

6b Click CERTIFICATES.
Figure 194 Replace Certificate

Click Apply in the Replace Certificate screen to create a certificate, derived from your LAN-Cell’s MAC address, that is specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure.

Figure 195 Device-specific Certificate

Click Ignore in the Replace Certificate screen to use the common LAN-Cell certificate.
Figure 196 Common LAN-Cell Certificate

15.2.2 Secure Telnet Using SSH Examples

This section shows two examples of remotely accessing the LAN-Cell, one using a command-line SSH client and one using a graphical SSH client program. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program’s user’s guide.

15.2.2.1 Example 1: Microsoft Windows

This section describes how to access the LAN-Cell using the Secure Shell Client program.
15.2.2.2 Example 2: Linux

This section describes how to access the LAN-Cell using the OpenSSH client program that comes with most Linux distributions.

1 Test whether the SSH service is available on the LAN-Cell. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the LAN-Cell (using the default IP address of 192.168.1.1). A message displays indicating the SSH protocol version supported by the LAN-Cell.
3 Use the “put” command to upload a new firmware to the LAN-Cell.

Figure 200 Secure FTP: Firmware Upload Example

$ sftp -1 192.168.1.1
Connecting to 192.168.1.1...
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.
The following table describes the labels in this screen.

Table 119 ADVANCED > REMOTE MGMT > WWW

HTTPS Server Certificate: Select the Server Certificate that the LAN-Cell will use to identify itself. The LAN-Cell is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the LAN-Cell).
It relies upon certificates, public keys, and private keys (see Chapter 11 on page 255 for more information). HTTPS on the LAN-Cell is used so that you may securely access the LAN-Cell using the web configurator.
15.5 Configuring the WWW Screen

Click ADVANCED > REMOTE MGMT to open the WWW screen.

ADVANCED > REMOTE MGMT > WWW

The following table describes the labels in this screen.

Table 120 ADVANCED > REMOTE MGMT > WWW

HTTPS Server Certificate: Select the Server Certificate that the LAN-Cell will use to identify itself.
Table 120 ADVANCED > REMOTE MGMT > WWW (continued)

Server Access: Select the interface(s) through which a computer may access the LAN-Cell using this service.

Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the LAN-Cell using this service. Select All to allow any computer to access the LAN-Cell using this service.
15.7 Configuring the SSH Screen

Click ADVANCED > REMOTE MGMT > SSH to change your LAN-Cell’s Secure Shell settings.

Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.

Figure 204 ADVANCED > REMOTE MGMT > SSH

The following table describes the labels in this screen.
Click ADVANCED > REMOTE MGMT > TELNET to open the following screen. Use this screen to specify which interfaces allow Telnet access and from which IP address the access can come.

Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.

Figure 205 ADVANCED > REMOTE MGMT > Telnet

The following table describes the labels in this screen.
Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.

Figure 206 ADVANCED > REMOTE MGMT > FTP

The following table describes the labels in this screen.

Table 123 ADVANCED > REMOTE MGMT > FTP

Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Figure 207 SNMP Management Model

An SNMP managed network consists of two main types of components: agents and a manager. An agent is a management software module that resides in a managed device (the LAN-Cell). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
SNMP Traps

The LAN-Cell will send traps to the SNMP manager when any one of the following events occurs:

Table 124 SNMP Traps

Trap 0, coldStart (defined in RFC-1215): A trap is sent after booting (power on).

Trap 1, warmStart (defined in RFC-1215): A trap is sent after booting (software reboot).
The following table describes the labels in this screen.

Table 125 ADVANCED > REMOTE MGMT > SNMP

SNMP Configuration

Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.

Set Community: Enter the Set Community, which is the password for incoming Set requests from the management station.
The following table describes the labels in this screen.

Table 126 ADVANCED > REMOTE MGMT > DNS

Server Port: The DNS service port number is 53 and cannot be changed here.

Service Access: Select the interface(s) through which a computer may send DNS queries to the LAN-Cell.

Secure Client IP Address: A secure client is a “trusted” computer that is allowed to send DNS queries to the LAN-Cell.
The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.

2 Encryption Method

Once the identification is verified, both the client and server must agree on the type of encryption method to use.
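The host-key check described above (save the key on first contact, compare on every later connection), as an added Python example that is not code from the guide or from any SSH client. It assumes the modern OpenSSH public-key and known_hosts text format with an ssh-ed25519 key, whereas the sftp session in Figure 200 shows an SSH protocol 1 RSA1 key; the key bytes, host address and file contents are constructed for the example. The two fingerprint functions produce the colon-separated MD5 form shown in that session and the SHA256 form current OpenSSH prints, so an administrator can compare either against the value read from the device over a trusted channel before answering "yes" to the first-connection prompt.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_public_key(key_type: str, raw_key: bytes) -> str:
    """Build the base64 blob used in OpenSSH public-key and known_hosts lines.

    For ssh-ed25519 the blob is string(key_type) + string(32 raw key bytes).
    """
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return base64.b64encode(blob).decode()


def fingerprint_md5(b64_key: str) -> str:
    """Legacy colon-separated MD5 fingerprint (as `ssh-keygen -l -E md5` prints)."""
    digest = hashlib.md5(base64.b64decode(b64_key)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(b64_key: str) -> str:
    """SHA256 fingerprint in OpenSSH's unpadded-base64 form."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, key_type) -> base64 key from known_hosts text (plain, unhashed hosts only)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, b64_key = line.split()[:3]
        for host in hosts.split(","):      # one line may list several host names/addresses
            entries[(host, key_type)] = b64_key
    return entries


def check_host_key(known: dict, host: str, key_type: str, presented_b64: str) -> str:
    """Classify the key a server presented: 'unknown', 'match' or 'mismatch'.

    'unknown' means first contact: verify the fingerprint out of band before trusting it.
    'mismatch' means the saved key differs: either the device was re-keyed (for example
    after a firmware reload) or the connection is being intercepted; do not proceed blindly.
    """
    saved = known.get((host, key_type))
    if saved is None:
        return "unknown"
    return "match" if saved == presented_b64 else "mismatch"
```

The comparison is on the full key blob, not on the fingerprint: fingerprints are for humans reading a value off a screen, while a client that already holds the key has no reason to accept anything less than an exact match.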
CHAPTER 16 Static Route Screens

16.1 Overview

The LAN-Cell usually uses the default gateway to route outbound traffic from local computers to the Internet. To have the LAN-Cell send data to devices not reachable through the default gateway, use static routes. Each remote node specifies only the network to which the gateway is directly connected, and the LAN-Cell has no knowledge of the networks beyond. For instance, the LAN-Cell knows about network N2 in the following figure through remote node Router 1.
The first two static route entries are the default WAN and Cellular routes on a LAN-Cell with multiple WAN interfaces. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.

Figure 212 ADVANCED > STATIC ROUTE > IP Static Route

The following table describes the labels in this screen.
Table 127 ADVANCED > STATIC ROUTE > IP Static Route

Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the LAN-Cell’s interface. The gateway helps forward packets to their destinations.

Modify: Click the edit icon to go to the screen where you can set up a static route on the LAN-Cell. Click the delete icon to remove a static route from the LAN-Cell.
Table 128 ADVANCED > STATIC ROUTE > IP Static Route > Edit

Private: This parameter determines if the LAN-Cell will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts.

Apply: Click Apply to save your changes back to the LAN-Cell.
CHAPTER 17 Policy Route Screens

17.1 Overview

Traditionally, routing is based on the destination address only and the LAN-Cell takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per-interface basis, prior to the normal routing.

17.1.
The actions that can be taken include:

• Routing the packet to a different gateway (and hence the outgoing interface).
• Setting the ToS and precedence fields in the IP header.

IPPR follows the existing packet filtering facility of RAS in style and in implementation.

17.2 Policy Route Summary Screen

Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen.
The following table describes the labels in this screen.

Table 129 ADVANCED > POLICY ROUTE > Policy Route Summary

#: This is the number of an individual policy route.

Active: This field shows whether the policy is active or inactive.

Source Address/Port: This is the source IP address range and/or port number range.

Destination Address/Port: This is the destination IP address range and/or port number range.

Gateway: Enter the IP address of the gateway.
Figure 215 Edit IP Policy Route

The following table describes the labels in this screen.

Table 130 ADVANCED > POLICY ROUTE > Edit

Criteria

Active: Select the check box to activate the policy.

Rule Index: This is the index number of the policy route.

IP Protocol: Select Predefined and then the IP protocol from ALL(0), ICMP(1), IGMP(2), TCP(6), UDP(17), GRE(47), ESP(50) or AH(51). Otherwise, select Custom and enter a number from 0 to 255.
Table 130 ADVANCED > POLICY ROUTE > Edit (continued)

Length Comparison: Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal.

Application: Select a predefined application (FTP, H.323 or SIP) for the policy rule. If you do not want to use a predefined application, select Custom. You can also configure the source and destination port numbers if you set IP protocol to TCP or UDP.
Table 130 ADVANCED > POLICY ROUTE > Edit (continued)

Gateway: Select User-Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your LAN-Cell that will forward the packet to the destination. The gateway must be a router on the same segment as your LAN-Cell's LAN or WAN interface.
CHAPTER 18 Bandwidth Management Screens

18.1 Overview

Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the LAN-Cell forwards certain types of traffic (especially real-time applications) with minimum delay. With the use of real-time applications such as Voice-over-IP (VoIP) increasing, the requirement for bandwidth allocation is also increasing.
18.1.2 What You Need to Know About Bandwidth Management

Bandwidth Classes and Filters

Use bandwidth classes and sub-classes to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth class (or sub-class) based on a specific application and/or subnet. Use the Class Setup screen (see Section 18.3.1 on page 357) to set up a bandwidth class’s name, bandwidth allotment, and bandwidth filter.
Scheduler

The scheduler divides up an interface’s bandwidth among the bandwidth classes. The LAN-Cell has two types of scheduler: fairness-based and priority-based.

Priority-based Scheduler

With the priority-based scheduler, the LAN-Cell forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class’s priority number is, the higher the priority.
18.1.3.2 Maximize Bandwidth Usage Example

If you configure both maximize bandwidth usage (on the interface) and bandwidth borrowing (on individual sub-classes), the LAN-Cell functions as follows.

1 The LAN-Cell sends traffic according to each bandwidth class’s bandwidth budget.

2 The LAN-Cell assigns a parent class’s unused bandwidth to its sub-classes that have more traffic than their budgets and have bandwidth borrowing enabled.
18.1.3.4 Maximize Bandwidth Usage Example

Here is an example of a LAN-Cell that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class’s bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps. The unbudgeted 2048 kbps allows traffic not defined in any of the bandwidth filters to go out when you do not select the maximize bandwidth option.
18.1.3.6 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example

The following table shows the amount of bandwidth that each class gets.

Table 135 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example

BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps
Administration: 1024 kbps
Sales: 3072 kbps
Marketing: 3072 kbps
Research: 3072 kbps

Suppose that all of the classes except for the administration class need more bandwidth.
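The two worked scenarios in 18.1.3.4 and 18.1.3.6, carried through as an added Python example (this is my own model of the behaviour, not code from the guide or from the LAN-Cell firmware). The page does not spell out the arithmetic, so the function encodes an assumed reading of it: each class first receives the smaller of its demand and its budget; with maximize bandwidth usage on, the unbudgeted remainder of the root plus whatever under-demanding classes left unused is split equally among the classes still wanting more (capped at their demand, repeating until nothing is left); with it off, only unused budgeted bandwidth is shared and the unbudgeted part stays free for traffic no filter matches. The per-class demand figures are constructed; the budgets are those printed in the two sections.

```python
from fractions import Fraction


def fairness_allotment(root_kbps, budgets, demands, maximize_bandwidth_usage=True):
    """Return {class_name: kbps} under an assumed fairness-based scheduler model.

    budgets: {class: budget_kbps}; demands: {class: kbps the class would like to send}.
    Exact Fractions are used so equal shares never accumulate rounding error.
    """
    if sum(budgets.values()) > root_kbps:
        raise ValueError("class budgets exceed the interface (root class) bandwidth")

    # Step 1: every class is served up to its own budget.
    alloc = {c: Fraction(min(budgets[c], demands.get(c, 0))) for c in budgets}

    # Step 2: decide what is available for redistribution.
    if maximize_bandwidth_usage:
        pool = Fraction(root_kbps)                 # unbudgeted + unused budgeted bandwidth
    else:
        pool = Fraction(sum(budgets.values()))     # unused budgeted bandwidth only
    spare = pool - sum(alloc.values())

    # Step 3: fairness: equal shares to every class still wanting more, capped at its demand.
    hungry = [c for c in budgets if demands.get(c, 0) > alloc[c]]
    while hungry and spare > 0:
        share = spare / len(hungry)
        for c in hungry:
            extra = min(share, Fraction(demands[c]) - alloc[c])
            alloc[c] += extra
            spare -= extra
        hungry = [c for c in hungry if demands[c] > alloc[c]]
    return alloc


def unallocated(root_kbps, alloc):
    """Bandwidth left for traffic that matches no bandwidth filter (the Default Class)."""
    return Fraction(root_kbps) - sum(alloc.values())


if __name__ == "__main__":
    # Table 135 budgets; demands are constructed for illustration.
    budgets = {"Administration": 1024, "Sales": 3072, "Marketing": 3072, "Research": 3072}
    demands = {"Administration": 512, "Sales": 4000, "Marketing": 4000, "Research": 4000}
    for name, kbps in fairness_allotment(10240, budgets, demands).items():
        print(f"{name:15s} {float(kbps):8.2f} kbps")
```

Two things the model makes visible that the prose leaves implicit: the Administration class's unused 512 kbps is what the three other classes divide, so each gets 3072 + 512/3 kbps, and in the 18.1.3.4 layout (four 2048 kbps subnets on a 10240 kbps interface) the 2048 kbps that no class budgets is either handed to busy classes (maximize on) or reserved for unclassified traffic (maximize off).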
Figure 217 ADVANCED > BW MGMT > Summary

The following table describes the labels in this screen.

Table 136 ADVANCED > BW MGMT > Summary

Class: These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source.
18.3 Class Setup Screen

The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click “+” to expand the class tree or click “-” to collapse the class tree. Each interface has a permanent root class. The bandwidth budget of the root class is equal to the speed you configured on the interface (see Section 18.
Table 137 ADVANCED > BW MGMT > Class Setup (continued)

Enabled classes Search Order: This list displays the interface’s active bandwidth management classes (the ones that have the bandwidth filter enabled). The LAN-Cell applies the classes in the order that they appear here.
Figure 219 ADVANCED > BW MGMT > Class Setup > Add Sub-Class

The following table describes the labels in this screen.

Table 138 ADVANCED > BW MGMT > Class Setup > Add Sub-Class

Class Configuration

Class Name: Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.

Bandwidth Budget (kbps): Specify the maximum bandwidth allowed for the class in kbps.
Table 138 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued)

Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the LAN-Cell use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).
Table 138 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued)

Source End Address / Subnet Mask: If you are configuring a range of IP addresses, enter the ending IP address here. If you are configuring a subnet of addresses, enter the subnet mask here. Refer to Appendix C on page 605 for more information on IP subnetting.

Source Port: Enter the starting and ending destination port numbers.
Refer to the product specifications in the appendix to see how many class levels you can configure on your LAN-Cell.
Figure 220 ADVANCED > BW MGMT > Class Setup > Statistics

The following table describes the labels in this screen.

Table 141 ADVANCED > BW MGMT > Class Setup > Statistics

Class Name: This field displays the name of the class the statistics page is showing.

Budget (kbps): This field displays the amount of bandwidth allocated to the class.

Tx Packets: This field displays the total number of packets transmitted.
Figure 221 ADVANCED > BW MGMT > Monitor

The following table describes the labels in this screen.

Table 142 ADVANCED > BW MGMT > Monitor

Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.

Class: This field displays the name of the bandwidth class. A Default Class automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes.
CHAPTER 19 ALG Screens

19.1 Overview

This chapter covers how to use the LAN-Cell’s ALG feature to allow certain applications to pass through the LAN-Cell. An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. The LAN-Cell can function as an ALG to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the LAN-Cell.
ALG and Multiple WAN

When the LAN-Cell has two WAN interfaces and uses the second-highest-priority WAN interface as a backup, traffic cannot pass through when the primary WAN connection fails. The LAN-Cell does not automatically move the connection to the secondary WAN interface. If the primary WAN connection fails, the client needs to re-initialize the connection through the secondary WAN interface for the connection to go through it.
Figure 222 H.323 ALG Example

• With multiple WAN IP addresses on the LAN-Cell, you can configure different firewall and port forwarding rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN, DMZ or WLAN. Use policy routing to have the H.323 calls from each of those LAN, DMZ or WLAN IP addresses go out through the same WAN IP address that calls come in on.
Figure 224 H.323 Calls from the WAN with Multiple Outgoing Calls

• The H.323 ALG operates on TCP packets with a port 1720 destination.
• The LAN-Cell allows H.323 audio connections.
• The LAN-Cell can also apply bandwidth management to traffic that goes through the H.323 ALG.

SIP

The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.
Figure 225 SIP ALG Example

SIP Signaling Session Timeout

Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the LAN-Cell. If the SIP client does not have this mechanism and makes no calls during the LAN-Cell SIP timeout default (60 minutes), the LAN-Cell SIP ALG drops any incoming calls after the timeout period.
Figure 226 ADVANCED > ALG

The following table describes the labels in this screen.

Table 143 ADVANCED > ALG

Enable FTP ALG: Select this check box to allow FTP sessions to pass through the LAN-Cell. FTP (File Transfer Program) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.

Enable H.323 ALG: Select this check box to allow H.323 sessions to pass through the LAN-Cell. H.
CHAPTER 20 Custom Application Screens

20.1 Overview

Use custom application to have the LAN-Cell’s ALG and content filtering features monitor traffic on custom ports, in addition to the default ports. Use the Custom App screen (Section 26.1 on page 471) to configure custom application settings on the LAN-Cell.

20.1.1 What You Need to Know About Custom Application

Default Ports

By default, these LAN-Cell features monitor traffic for the following protocols on these port numbers.

• FTP: 21
• SIP: 5060
• H.
Figure 227 ADVANCED > Custom APP

The following table describes the labels in this screen.

Table 144 ADVANCED > ALG

Application: Select the application for which you want the LAN-Cell to monitor specific ports. You can use the same application in more than one entry. To remove an entry, select Select a Type.

Description: Enter information about the reason for monitoring custom port numbers for this protocol.
PART V Logs and Maintenance Menus

Logs Screens (375)
Maintenance Screens (397)
CHAPTER 21 Logs Screens

21.1 Overview

This chapter contains information about configuring general log settings and viewing the LAN-Cell’s logs. Refer to Section on page 381 for example log message explanations. The logs cover categories such as system maintenance, system errors, access control, attacks (such as DoS) and IPSec.

21.1.1 What You Can Do in the Log Screens

• Use the View Log screen (Section 21.2 on page 375) to see the logs for the categories that you selected in the Log Settings screen.
Figure 228 LOGS > View Log

The following table describes the labels in this screen.

Table 145 LOGS > View Log

Display: The categories that you select in the Log Settings page (see Section 21.3 on page 377) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.

#: This field displays the log number.
21.2.1 Log Description Example

The following is an example of how a log displays in the command line interpreter and a description of the sample log. Refer to the appendices for more log message descriptions and details on using the command line interpreter to display logs.

# .time notes source destination message
5|06/08/2004 05:58:20 |172.21.4.187:137 |ACCESS BLOCK |172.21.255.
Note: Alerts can only be sent via SMTP; however, some cellular phone and pager service providers allow e-mail messages sent to specific addresses to be redirected as SMS or pager messages to mobile devices. Contact your service provider for more information.
The following table describes the labels in this screen.

Table 147 LOGS > Log Settings

E-mail Log Settings

Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.

Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the LAN-Cell sends.
Table 147 LOGS > Log Settings (continued)

Send Immediate Alert: Select the categories of alerts for which you want the LAN-Cell to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.

Log Consolidation

Active: Some logs (such as the Attacks logs) may be so numerous that it becomes easy to ignore other important log messages. Select this check box to merge logs with identical messages into one log.
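A parser for the pipe-separated command-line log layout shown in 21.2.1, plus the consolidation behaviour the Active check box describes (identical messages merged into one entry with a count), as an added Python example that is not code from the guide or from the LAN-Cell firmware. The field order is an assumption taken from the sample line (index, time, source, notes, destination, message); the sample log text below is constructed with documentation addresses and is not output from a real device. Once records are parsed, the same data supports a simple review aid: counting blocked packets and failed logins per source so that a few noisy hosts stand out instead of burying everything else, which is exactly the problem log consolidation exists to address.

```python
from collections import Counter

# Constructed sample (not real LAN-Cell output) in the assumed pipe-separated layout.
SAMPLE_LOG = """\
#|time|source|notes|destination|message
1|06/08/2004 05:58:20 |192.0.2.10:137 |ACCESS BLOCK |192.0.2.255:137 |Firewall default policy: UDP
2|06/08/2004 05:58:21 |192.0.2.10:137 |ACCESS BLOCK |192.0.2.255:137 |Firewall default policy: UDP
3|06/08/2004 05:58:25 |198.51.100.7:51022 |ACCESS BLOCK |203.0.113.1:22 |Firewall default policy: TCP
4|06/08/2004 05:59:02 |198.51.100.7:51023 |ACCESS BLOCK |203.0.113.1:22 |Firewall default policy: TCP
5|06/08/2004 06:00:10 |198.51.100.7:51030 | |203.0.113.1:22 |SSH login failed
6|06/08/2004 06:00:40 |198.51.100.7:51031 | |203.0.113.1:22 |SSH login failed
"""


def parse_log(text):
    """Parse the header-described, pipe-separated log dump into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # the first column header is "#" (the log number); give it a usable name
    header = [h.strip().lstrip("#.") or "index" for h in lines[0].split("|")]
    records = []
    for ln in lines[1:]:
        fields = [f.strip() for f in ln.split("|")]
        rec = dict(zip(header, fields))
        rec["index"] = int(rec["index"])
        records.append(rec)
    return records


def host_of(endpoint):
    """'192.0.2.10:137' -> '192.0.2.10' (port stripped, if present)."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def consolidate(records):
    """Merge entries with identical notes and message, as Log Consolidation does,
    keeping a count, the first and last time seen, and the distinct source hosts."""
    merged = {}
    for rec in records:
        key = (rec["notes"], rec["message"])
        entry = merged.setdefault(key, {
            "notes": rec["notes"], "message": rec["message"], "count": 0,
            "first_time": rec["time"], "last_time": rec["time"], "sources": set(),
        })
        entry["count"] += 1
        entry["last_time"] = rec["time"]
        entry["sources"].add(host_of(rec["source"]))
    return list(merged.values())


def blocked_by_source(records):
    """Blocked packets per source host (ACCESS BLOCK entries)."""
    return Counter(host_of(r["source"]) for r in records if r["notes"] == "ACCESS BLOCK")


def failed_logins_by_source(records):
    """Failed management logins per source host (SSH/HTTPS 'login failed' messages)."""
    return Counter(host_of(r["source"]) for r in records if "login failed" in r["message"])


def noisy_sources(records, threshold):
    """Hosts whose blocked packets plus failed logins reach the threshold; worth a look."""
    totals = blocked_by_source(records) + failed_logins_by_source(records)
    return sorted(host for host, n in totals.items() if n >= threshold)
```

Consolidation keys on notes and message only, so the merged entry keeps the set of sources rather than one address; when reviewing, a merged "ACCESS BLOCK" entry with many sources reads very differently from one with a single source and a high count.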
21.4 Logs Technical Reference

Log Descriptions

This section provides descriptions of example log messages.

Table 148 System Maintenance Logs

Time calibration is successful: The router has adjusted its time based on information from the time server.

Time calibration failed: The router failed to get information from the time server.

WAN interface gets IP: %s: A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server.
Table 148 System Maintenance Logs (continued)

Successful SSH login: Someone has logged on to the router’s SSH server.

SSH login failed: Someone has failed to log on to the router’s SSH server.

Successful HTTPS login: Someone has logged on to the router's web configurator interface using the HTTPS protocol.

HTTPS login failed: Someone has failed to log on to the router's web configurator interface using the HTTPS protocol.
Table 150 Access Control Logs (continued)

Triangle route packet forwarded: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]: The firewall allowed a triangle route session to pass through.

Packet without a NAT table entry blocked: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]: The router blocked a packet that didn't have a corresponding NAT table entry.
Chapter 21 Logs Screens Table 152 Packet Filter Logs LOG MESSAGE DESCRIPTION [ TCP | UDP | ICMP | IGMP | Generic ] packet filter matched (set: %d, rule: %d) Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule. For type and code details, see Table 163 on page 392.
Chapter 21 Logs Screens Table 155 PPP Logs (continued) LOG MESSAGE DESCRIPTION ppp:IPCP Opening The PPP connection’s Internet Protocol Control Protocol stage is opening. ppp:LCP Closing The PPP connection’s Link Control Protocol stage is closing. ppp:IPCP Closing The PPP connection’s Internet Protocol Control Protocol stage is closing. Table 156 Attack Logs LOG MESSAGE DESCRIPTION attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ] The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
Chapter 21 Logs Screens Table 156 Attack Logs (continued) LOG MESSAGE DESCRIPTION ICMP Source Quench ICMP The firewall detected an ICMP Source Quench attack. ICMP Time Exceed ICMP The firewall detected an ICMP Time Exceed attack. ICMP Destination Unreachable ICMP The firewall detected an ICMP Destination Unreachable attack. ping of death. ICMP The firewall detected an ICMP ping of death attack. smurf ICMP The firewall detected an ICMP smurf attack.
Table 158 IPSec Logs (continued)
Rule <%d> idle time out, disconnect: The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period. You can use the "ipsec timer chk_conn" CI command to set the time period. The default value is 2 minutes.
WAN IP changed to: The router dropped all connections with the "MyIP" configured as "0.0.0.0" when the WAN IP address changed.

Table 159 IKE Logs (continued)
vs. My Remote: The displayed ID information did not match between the two ends of the connection.
vs. My Local: The displayed ID information did not match between the two ends of the connection.
Send: A packet was sent.
Recv: IKE uses ISAKMP to transmit data. Each ISAKMP packet contains many different types of payloads. All of them show in the LOG.
Rule [%d] Phase 1 encryption algorithm mismatch: The listed rule's IKE phase 1 encryption algorithm did not match between the router and the peer.
Rule [%d] Phase 1 authentication algorithm mismatch: The listed rule's IKE phase 1 authentication algorithm did not match between the router and the peer.
Rule [%d] Phase 2 key length mismatch: The listed rule's IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and the peer.
Remote Gateway Addr in rule [%s] is changed to %s: The IP address for the domain name of the peer gateway in the listed rule changed to the listed IP address.
Table 160 PKI Logs (continued)
Failed to decode the received CRL: The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received ARL: The router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the Source field.

Table 161 Certificate Path Verification Failure Reason Codes
23: Time interval is not continuous.
24: Time information not available.
25: Database method failed due to timeout.
26: Database method failed.
27: Path was not verified.
28: Maximum path length reached.

Table 162 ACL Setting Notes
(L to W) LAN to WAN: ACL set for packets traveling from the LAN to the WAN.

Table 163 ICMP Notes (continued)
Type 3 (Destination Unreachable), remaining codes:
  Code 3: Port unreachable
  Code 4: A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
  Code 5: Source route failed
Type 4 (Source Quench):
  Code 0: A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
Syslog Logs

There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received, and so on.

Table 165 RFC-2408 ISAKMP Payload Types (continued)
DEL: Delete
VID: Vendor ID
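The event-log messages in Tables 148, 152 and 156 are what a collector receives over syslog, and the Log Consolidation option merges identical ones. The following script is an added example written for this guide, not Proxicast code: it parses a constructed batch of such messages, consolidates repeats the way the Active check box does, and raises the alerts a practitioner would want (repeated SSH/HTTPS login failures from one source and any attack log). The "<date> <time> <source> <message>" line layout and the alert threshold are assumptions; the message texts are the ones the tables list.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample log; the "<date> <time> <source> <message>" layout is an
# assumption, the message texts are the ones listed in Tables 148, 152 and 156.
SAMPLE_LOG = """\
2008-11-03 10:01:02 203.0.113.7 SSH login failed
2008-11-03 10:01:05 203.0.113.7 SSH login failed
2008-11-03 10:01:09 203.0.113.7 SSH login failed
2008-11-03 10:02:00 192.168.1.33 Successful HTTPS login
2008-11-03 10:03:10 198.51.100.9 attack TCP
2008-11-03 10:03:10 198.51.100.9 attack TCP
2008-11-03 10:03:11 198.51.100.9 smurf ICMP
2008-11-03 10:04:00 198.51.100.20 TCP packet filter matched (set: 1, rule: 3)
2008-11-03 10:05:00 0.0.0.0 Time calibration is successful
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")
FILTER_RE = re.compile(r"packet filter matched \(set: (\d+), rule: (\d+)\)")


def parse_log(text):
    """Split log text into (timestamp, source, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def consolidate(events):
    """Merge events with the same source and message into one entry with a
    count and first/last timestamp, the way Log Consolidation does."""
    merged = OrderedDict()
    for ts, src, msg in events:
        entry = merged.setdefault((src, msg), {"first": ts, "last": ts, "count": 0})
        entry["last"] = ts
        entry["count"] += 1
    return merged


def classify(msg):
    """Bucket a message: login failures, attack logs, filter matches, other."""
    if msg.endswith("login failed"):
        return "auth_failure"
    if msg.startswith("attack ") or msg.endswith(" ICMP"):
        return "attack"
    if FILTER_RE.search(msg):
        return "filter_match"
    return "info"


def alerts(events, failed_login_threshold=3):
    """Events that deserve an immediate alert: a source with at least
    failed_login_threshold failed SSH/HTTPS logins, and every attack log
    (consolidated, so a flood shows up once with its count)."""
    out = []
    fails = Counter(src for _, src, msg in events if classify(msg) == "auth_failure")
    for src, n in fails.items():
        if n >= failed_login_threshold:
            out.append(("auth_failure", src, f"{n} failed logins"))
    for (src, msg), info in consolidate(events).items():
        if classify(msg) == "attack":
            out.append(("attack", src, f"{msg} x{info['count']}"))
    return out


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for (src, msg), info in consolidate(ev).items():
        print(f"{info['count']:3d}x {src:15} {msg}")
    for a in alerts(ev):
        print("ALERT", a)
```

Consolidation keeps the first and last timestamp of each run, so a burst of attack logs still shows how long it lasted after being collapsed to one line, which is the information the screen's Active option discards from the display.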
CHAPTER 22 Maintenance Screens

22.1 Overview

This chapter describes the maintenance screens. The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your LAN-Cell.

22.1.1 What You Can Do in the Maintenance Screens
• Use the General Setup screen (Section 22.2 on page 397) to configure administrative and system-related information.
• Use the Password screen (Section 22.3 on page 398) to change the LAN-Cell's management password.

Click MAINTENANCE to open the General screen. Use this screen to configure administrative and system-related information.

Figure 230 MAINTENANCE > General Setup

The following table describes the labels in this screen.

Table 166 MAINTENANCE > General Setup
General Setup
System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer's "Computer name" in this field.

Figure 231 MAINTENANCE > Password

The following table describes the labels in this screen.

Table 167 MAINTENANCE > Password
Old Password: Type the default password or the existing password you use to access the system in this field. If you forget the password, you may have to use the hardware RESET button. This restores the default password of 1234. Because the default is published in this guide, change it before the LAN-Cell is reachable from any untrusted network.
New Password: Type your new system password (up to 30 characters).
When the LAN-Cell uses the NTP time server pools, it randomly selects one pool and tries to synchronize with a server in it. If the synchronization fails, the LAN-Cell goes through the rest of the list in order from the first one tried until either it is successful or all the predefined NTP time server pools have been tried. Keep the clock synchronized: certificate path verification (see the time-related reason codes in Table 161) and the timestamps in the logs both depend on it.

Resetting the Time

The LAN-Cell resets the time in the following instances:
• When you click Synchronize Now.
• On saving your changes.

Table 168 MAINTENANCE > Time and Date (continued)
Current Date: This field displays the LAN-Cell's present date.
Time and Date Setup
Manual: Select this radio button to enter the time and date manually. If you configure a new time and date, Time Zone and Daylight Saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it.
End Date: Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time in the United States ends on the first Sunday of November (before 2007 it ended on the last Sunday of October). Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time.
Figure 235 Synchronization Fail

22.5 F/W Upload Screen

Find firmware at support.proxicast.com in a file that (usually) uses the firmware version number as the filename with a .bin extension, for example, "402XF1.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. Do not power off or reset the LAN-Cell while the upload and the reboot are in progress. See Section 38.5 on page 537 for upgrading firmware using FTP/TFTP commands.

Click MAINTENANCE > F/W UPLOAD.

The following table describes the labels in this screen.

Table 169 MAINTENANCE > Firmware Upload
File Path: Type in the location of the file you want to upload in this field or click Browse... to find it.
Browse...: Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload: Click Upload to begin the upload process. This process may take up to two minutes.

If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.

Figure 239 Firmware Upload Error

22.6 Backup and Restore Screen

See Section 38.5 on page 537 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
Backup Configuration

Backup configuration allows you to back up (save) the LAN-Cell's current configuration to a file on your computer. Once your LAN-Cell is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the LAN-Cell's current configuration to your computer. The file holds the LAN-Cell's management and VPN settings, so store it with the same care as the passwords and keys it contains.

If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen.
Figure 245 MAINTENANCE > Restart

22.8 The Diagnostics Screen

Use the Diagnostics screen to have the LAN-Cell generate and send diagnostic files by e-mail and/or the console port. The diagnostics files contain the LAN-Cell's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click MAINTENANCE > Diagnostics to open the following screen.

Figure 246 MAINTENANCE > Diagnostics

Table 171 MAINTENANCE > Diagnostics
Enable Diagnostics: Select this option to turn on the diagnostics feature.
Perform diagnostics when CPU utilization exceeds: Set the LAN-Cell to generate and send a diagnostic file every time the CPU usage exceeds the specified percent for more than 60 seconds. Enter 0 to have the LAN-Cell not generate and send diagnostic files based on CPU usage going over a specific level.
SMTP Authentication: SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. Select the check box to activate SMTP authentication. If mail server authentication is needed but this feature is disabled, you will not receive the e-mail diagnostic files. SMTP authentication only proves the LAN-Cell's identity to the mail server; it does not encrypt the diagnostic file, which carries the configuration, on its way through the mail system.
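The "exceeds the specified percent for more than 60 seconds" rule is a hold timer, not a simple threshold: a short spike must not produce a diagnostic file, and one sustained episode must produce exactly one. The function below is an added example written for this guide, not Proxicast code, that models that rule over constructed CPU samples; the one-file-per-episode behaviour and the sample interval are assumptions.

```python
def diagnostic_triggers(samples, threshold_percent, hold_seconds=60):
    """samples: (t_seconds, cpu_percent) pairs in time order.
    Returns the times at which a diagnostic file would be generated: once per
    episode in which CPU stays above threshold_percent for more than
    hold_seconds. A threshold of 0 disables the rule, as in the screen."""
    if threshold_percent == 0:
        return []
    triggers, above_since, fired = [], None, False
    for t, cpu in samples:
        if cpu > threshold_percent:
            if above_since is None:
                above_since = t          # start of a possible episode
            if not fired and t - above_since > hold_seconds:
                triggers.append(t)       # sustained: generate one file
                fired = True
        else:
            above_since, fired = None, False   # episode over, re-arm
    return triggers


# Constructed samples, one every 10 s: a 90 s spike, a dip, then a short spike.
SAMPLE_CPU = [(0, 20), (10, 95), (20, 97), (30, 96), (40, 95), (50, 98),
              (60, 96), (70, 95), (80, 97), (90, 96), (100, 30), (110, 95), (120, 96)]

if __name__ == "__main__":
    print("threshold 80%:", diagnostic_triggers(SAMPLE_CPU, 80))
    print("threshold 0 (disabled):", diagnostic_triggers(SAMPLE_CPU, 0))
```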
P ART VI System Management Terminal Introducing the SMT (413) General Setup (421) WAN, 3G and Dial Backup Setup (427) LAN Setup (441) Ethernet WAN Internet Access (447) DMZ Setup (453) Route Setup (457) WLAN Setup (461) WAN ISP Setup (465) IP Static Route Setup (473) Network Address Translation (NAT) (477) Firewall Status (497) Filter Configuration (499) SNMP Configuration (515) System Information & Diagnosis (517) Firmware and Configuration File Maintenance (529) System Maint.
CHAPTER 23 Introducing the SMT

This chapter explains how to access the System Management Terminal and gives an overview of its menus.

23.1 Introduction to the SMT

The LAN-Cell's SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet/SSH connection. Telnet carries the system password in clear text, so use SSH or the console port for management over any network you do not fully control. This chapter shows you how to access the SMT (System Management Terminal) menus via console port, how to navigate the SMT and how to configure SMT menus.

Figure 247 Initial Screen

    Copyright (c) 1994 - 2007 Proxicast LLC
    initialize ch =0, ethernet address: 00:1B:39:01:23:45
    initialize ch =1, ethernet address: 00:1B:39:01:23:46
    initialize ch =2, ethernet address: 00:1B:39:01:23:47
    initialize ch =3, ethernet address: 00:1B:39:01:23:48
    initialize ch =4, ethernet address: 00:00:00:00:00:00
    AUX port init . done
    Modem init . inactive
    Press ENTER to continue...
Table 172 Main Menu Commands
Move the cursor ([ENTER] or [UP]/[DOWN] arrow keys): Within a menu, press [ENTER] to move to the next field. You can also use the [UP]/[DOWN] arrow keys to move to the previous and the next field, respectively. When you are at the top of a menu, press the [UP] arrow key to move to the bottom of a menu.
Entering information: Fill in, or press [SPACE BAR], then press [ENTER] to select from choices.

Note: SMT menu numbers are not sequential. SMT menu numbering has been maintained for backward compatibility with previous LAN-Cell models and customer scripting support.

The following table describes the fields in this menu.

Table 173 Main Menu Summary
1 General Setup: Use this menu to set up device mode, dynamic DNS and administrative information.

23.3.2 SMT Menus Overview

The following table gives you an overview of your LAN-Cell's various SMT menus.

Table 174 SMT Menus Overview
1 General Setup
  1.1 Configure Dynamic DNS
    1.1.1 DDNS Host Summary
    1.1.1 DDNS Edit Host
2 WAN Setup
  2.1 Advanced WAN Setup
3 LAN Setup
  3.1 LAN Port Filter Setup
  3.2 TCP/IP and DHCP Ethernet Setup
    3.2.1 IP Alias Setup
4 Ethernet WAN Setup
5 DMZ Setup
  5.1 DMZ Port Filter Setup
  5.

Table 174 SMT Menus Overview (continued)
21 Filter and Firewall Setup
  21.1 Filter Set Configuration
    21.1.x Filter Rules Summary
      21.1.x.x Generic Filter Rule
      21.1.x.x TCP/IP Filter Rule
  21.2 Firewall Setup
22 SNMP Configuration
23 System Password
24 System Maintenance
  24.1 System Status
  24.2 System Information and Console Port Speed
    24.2.1 System Information
    24.2.2 Console Port Speed
  24.3 Log and Trace
    24.3.1 View Error Log
    24.3.2 Syslog Logging
  24.
Figure 250 Menu 23: System Password

    Menu 23 - System Password
    Old Password= ?
    New Password= ?
    Retype to confirm= ?
    Enter here to CONFIRM or ESC to CANCEL:

2 Type your existing password and press [ENTER].
3 Type your new system password and press [ENTER].
4 Re-type your new system password for confirmation and press [ENTER].

Note that as you type a password, the screen displays an "x" for each character you type.

23.5 Resetting the LAN-Cell

See Section 2.
CHAPTER 24 General Setup Menu 1 - General Setup contains administrative and system-related information. 24.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 24.2 Configuring General Setup 1 Enter 1 in the main menu to open Menu 1 - General Setup. 2 The Menu 1 - General Setup screen appears, as shown next. Fill in the required fields.
Table 175 Menu 1: General Setup (continued)
Edit Dynamic DNS: Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.

When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm..." to save your configuration, or press [ESC] at any time to cancel.

24.2.

Figure 253 Menu 1.1.1: DDNS Host Summary

    Menu 1.1.1 DDNS Host Summary
    #   Summary
    --- -------------------------------------------------------
    01  Hostname=LC2.proxicast.

Figure 254 Menu 1.1.1: DDNS Edit Host

    Menu 1.1.1 - DDNS Edit Host
    Hostname= LC2.proxicast.com
    DDNS Type= DynamicDNS
    Enable Wildcard Option= Yes
    Enable Off Line Option= N/A
    Bind WAN= 1
    HA= Yes
    IP Address Update Policy:
      Let DDNS Server Auto Detect= Yes
      Use User-Defined= N/A
      Use WAN IP Address= N/A
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Table 178 Menu 1.1.

Table 178 Menu 1.1.1: DDNS Edit Host (continued)
IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto Detect and Use User-Defined fields both set to No, the DDNS server automatically updates the IP address of the host name(s) with the LAN-Cell's WAN IP address. DDNS does not work with a private IP address.
CHAPTER 25 WAN, 3G and Dial Backup Setup

This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1.

25.1 Introduction to WAN, 3G WAN and Dial Backup Setup

This chapter explains how to configure settings for your WAN interface(s), a 3G WAN connection and a dial backup connection using the SMT menus.

25.2 WAN Setup

From the main menu, enter 2 to open menu 2.

The following table describes the fields in this screen.

Table 179 MAC Address Cloning in WAN Setup
WAN MAC Address Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP address attached on LAN to use the MAC Address of that computer whose IP you give in the following field.

Figure 256 Menu 2: Dial Backup Setup

    Menu 2 - WAN Setup
    WAN MAC Address:
      Assigned By= Factory default
      IP Address= N/A
    Dial-Backup:
      Active= No
      Port Speed= 115200
      AT Command String:
        Init= at&fs0=0
      Edit Advanced Setup= No
    Cellular Modem Setup:
      Init= Configure APN
      APN = internet
      PIN code=
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].

Figure 257 Menu 2.1: Advanced WAN Setup

    Menu 2.

Table 182 Advanced WAN Port Setup: Call Control Parameters
Call Control
Dial Timeout (sec): Enter a number of seconds for the LAN-Cell to keep trying to set up an outgoing call before timing out (stopping). The LAN-Cell times out and stops if it cannot set up an outgoing call within the timeout value.
Retry Count: Enter a number of times for the LAN-Cell to retry a busy or no-answer phone number before blacklisting the number.
The following table describes the fields in this menu.

Table 183 Menu 11.3: Remote Node Profile (Backup ISP)
Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight characters.
Active: Press [SPACE BAR] and then [ENTER] to select Yes to enable the remote node or No to disable the remote node.
Outgoing
My Login: Enter the login name assigned by your ISP for this remote node.

25.3.4 Editing TCP/IP Options

Move the cursor to the Edit IP field in menu 11.3, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3.2 - Remote Node Network Layer Options.

Figure 259 Menu 11.3.2: Remote Node Network Layer Options

    Menu 11.3.2 - Remote Node Network Layer Options
    IP Address Assignment= Static
    Rem IP Addr= 0.0.0.0
    Rem Subnet Mask= 0.0.0.0
    My WAN Addr= 0.0.0.

Table 184 Menu 11.3.2: Remote Node Network Layer Options
NAT Lookup Set: If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.
Please note that the ordering of the sets is significant, i.e., starting from set 1, the LAN-Cell will wait until the 'Expect' string is matched before it proceeds to set 2, and so on for the rest of the script. When both the 'Expect' and the 'Send' fields of the current set are empty, the LAN-Cell will terminate the script processing and start PPP negotiation. This implies two things: first, the sets must be contiguous; the sets after an empty one are ignored.
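The Expect/Send rules above describe a classic chat script: each set blocks until its Expect string arrives, then writes its Send string, and the first set with both fields empty ends the script. The interpreter below is an added example written for this guide, not Proxicast code or the LAN-Cell's own script engine; it runs a constructed script against a simulated modem so the ordering, the empty-set terminator and a timeout can all be seen. The AT commands in the sample script and the canned modem replies are assumptions (the PIN 0000 is only the value the menu screenshots show).

```python
def run_chat_script(sets, modem, timeout_steps=5):
    """sets: list of (expect, send) pairs in set order.
    modem: object with read() -> str and write(str).
    Returns (completed, log). A set with an Expect string blocks until that
    string shows up in the modem output (or timeout_steps reads pass);
    a set with both fields empty ends the script, and later sets are ignored."""
    log = []
    for idx, (expect, send) in enumerate(sets, 1):
        if expect == "" and send == "":
            log.append(f"set {idx}: empty, script ends")
            return True, log
        if expect:
            buf = ""
            for _ in range(timeout_steps):
                buf += modem.read()
                if expect in buf:
                    break
            else:
                log.append(f"set {idx}: timed out waiting for {expect!r}")
                return False, log
            log.append(f"set {idx}: matched {expect!r}")
        if send:
            modem.write(send + "\r")
            log.append(f"set {idx}: sent {send!r}")
    log.append("all sets used, script ends")
    return True, log


class FakeModem:
    """Constructed stand-in for the serial port: answers each command with a
    canned reply and records what was sent."""
    def __init__(self, replies):
        self.replies = dict(replies)
        self.out = ""
        self.sent = []

    def write(self, s):
        self.sent.append(s)
        self.out += self.replies.get(s.strip(), "ERROR\r\n")

    def read(self):
        data, self.out = self.out, ""
        return data


def demo():
    """A constructed script: init, unlock the SIM, dial, then hand over to PPP."""
    modem = FakeModem({
        "AT": "OK\r\n",
        "AT+CPIN=0000": "OK\r\n",   # assumed command; PIN from the menu screenshot
        "ATD*99#": "CONNECT\r\n",   # *99# is the Pri Phone # shown in menu 11.2
    })
    modem.out = "AT-READY\r\n"      # unsolicited banner before the first send
    script = [
        ("", "AT"),                 # nothing to expect, just send
        ("OK", "AT+CPIN=0000"),     # wait for OK, then send the PIN
        ("OK", "ATD*99#"),
        ("CONNECT", ""),            # expect only
        ("", ""),                   # terminator: PPP negotiation would start here
        ("OK", "ATZ"),              # never reached: sets after the empty one are ignored
    ]
    return run_chat_script(script, modem), modem


if __name__ == "__main__":
    (ok, log), modem = demo()
    print("completed:", ok)
    print("\n".join(log))
    print("sent:", modem.sent)
```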
25.3.6 Remote Node Filter

Move the cursor to the field Edit Filter Sets in menu 11.3, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.3.4 - Remote Node Filter. Use menu 11.3.4 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the LAN-Cell to prevent certain packets from triggering calls.

Figure 262 3G Modem Setup in WAN Setup

    Menu 2 - WAN Setup
    WAN MAC Address:
      Assigned By= Factory default
      IP Address= N/A
    Dial-Backup:
      Active= No
      Port Speed= 115200
      AT Command String:
        Init= at&fs0=0
      Edit Advanced Setup= No
    Cellular Modem Setup:
      Init= Configure APN
      APN = internet
      PIN code=0000
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen. Check the PIN before activating the connection: a SIM locks after repeated wrong PIN entries and then needs its PUK.

Figure 263 Menu 11.2: Remote Node Profile (3G WAN)

    Menu 11.2 - Remote Node Profile (Cellular)
    Rem Node Name= CELLULAR
    Active= Yes
    Outgoing:
      My Login= test
      My Password= ********
      Retype to Confirm= ********
      Authen= CHAP/PAP
      Pri Phone #= *99#
    Edit IP= No
    Edit Script Options= No
    Always On= No
    Session Options:
      Edit Filter Sets= No
      Idle Timeout(sec)= 100
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 187 Menu 11.2: Remote Node Profile (3G WAN) (continued)
Edit Script Options: Press [SPACE BAR] to select Yes and press [ENTER] to edit the AT script for the dial backup remote node (Menu 11.3.3 - Remote Node Script). See Section 25.3.5 on page 434 for more information.
Always On: Press [SPACE BAR] to select Yes to set this connection to be on all the time, regardless of whether or not there is any traffic.
CHAPTER 26 LAN Setup

This chapter describes how to configure the LAN using Menu 3 - LAN Setup.

26.1 Introduction to LAN Setup

This chapter describes how to configure the LAN-Cell for LAN and wireless LAN connections.

26.2 Accessing the LAN Menus

From the main menu, enter 3 to open Menu 3 - LAN Setup.

Figure 264 Menu 3: LAN Setup

    Menu 3 - LAN Setup
    1. LAN Port Filter Setup
    2. TCP/IP and DHCP Setup
    Enter Menu Selection Number:

Figure 265 Menu 3.1: LAN Port Filter Setup

    Menu 3.1 - LAN Port Filter Setup
    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=
    Press ENTER to Confirm or ESC to Cancel:

26.4 TCP/IP and DHCP Ethernet Setup Menu

From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.

Figure 266 Menu 3: TCP/IP and DHCP Setup

    Menu 3 - LAN Setup
    1. LAN Port Filter Setup
    2.

Figure 267 Menu 3.2: TCP/IP and DHCP Ethernet Setup

    Menu 3.2 - TCP/IP and DHCP Ethernet Setup
    DHCP= Server
    Client IP Pool:
      Starting Address= 192.168.1.33
      Size of Client IP Pool= 128
    TCP/IP Setup:
      IP Address= 192.168.1.1
      IP Subnet Mask= 255.255.255.0
      RIP Direction= Both
        Version= RIP-1
      Multicast= None
      Edit IP Alias= No
    DHCP Server Address= N/A
    Press ENTER to Confirm or ESC to Cancel:

Follow the instructions in the next table on how to configure the DHCP fields.

Table 188 Menu 3.2: DHCP Ethernet Setup Fields
First DNS Server / Second DNS Server / Third DNS Server: The LAN-Cell passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the LAN-Cell's WAN IP address). The IP Address field below displays the (read-only) DNS server IP address that the ISP assigns.

26.4.1 IP Alias Setup

IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The LAN-Cell supports three logical LAN interfaces via its single physical Ethernet interface with the LAN-Cell itself as the gateway for each LAN network. Use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 3.2.1 - IP Alias Setup, as shown next.
CHAPTER 27 Ethernet WAN Internet Access

This chapter shows you how to configure your LAN-Cell for Internet access via the Ethernet WAN interface.

27.1 Introduction to Internet Access Setup

Use information from your ISP along with the instructions in this chapter to set up your LAN-Cell to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine what encapsulation type you should use.

Figure 269 Menu 4: Internet Access Setup (Ethernet)

    Menu 4 - Ethernet WAN Setup
    ISP's Name=
    WAN Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Retype to Confirm= N/A
    Login Server= N/A
    Relogin Every (min)= N/A
    IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 191 Menu 4: Ethernet WAN Setup (Ethernet) (continued)
Gateway IP Address: Enter the gateway IP address associated with your static IP.

Figure 270 Ethernet WAN Setup (PPTP)

    Menu 4 - Ethernet WAN Setup
    ISP's Name=
    WAN Encapsulation= PPTP
    Service Type= N/A
    My Login=
    My Password= ********
    Retype to Confirm= ********
    Idle Timeout= 100
    IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:

The following table contains instructions about the new fields when you choose PPTP in the Encapsulati

Figure 271 Ethernet WAN Setup (PPPoE)

    Menu 4 - Ethernet WAN Setup
    ISP's Name=
    WAN Encapsulation= PPPoE
    Service Type= N/A
    My Login=
    My Password= ********
    Retype to Confirm= ********
    Idle Timeout= 100
    IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:

The following table contains instructions about the new fields when you choose PPPoE in the Encapsula

You may deactivate the firewall in menu 21.2 or via the LAN-Cell embedded web configurator. You may also define additional firewall rules or modify existing ones, but please exercise extreme caution in doing so. See the chapters on firewall for more information on the firewall.
CHAPTER 28 DMZ Setup

This chapter describes how to configure the LAN-Cell's DMZ using Menu 5 - DMZ Setup.

28.1 Configuring DMZ Setup

From the main menu, enter 5 to open Menu 5 - DMZ Setup.

Figure 272 Menu 5: DMZ Setup

    Menu 5 - DMZ Setup
    1. DMZ Port Filter Setup
    2. TCP/IP and DHCP Setup
    Enter Menu Selection Number:

28.2 DMZ Port Filter Setup

This menu allows you to specify the filter sets that you wish to apply to your public server(s) traffic.

Figure 273 Menu 5.1: DMZ Port Filter Setup

    Menu 5.

28.3 TCP/IP Setup

For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 4 on page 77.

28.3.1 IP Address

From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155).

Figure 274 Menu 5: DMZ Setup

    Menu 5 - DMZ Setup
    1. DMZ Port Filter Setup
    2. TCP/IP and DHCP Setup
    Enter Menu Selection Number:

From menu 5, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 5.

Note: DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 33 on page 477) in menus 15.1 and 15.2.

28.3.2 IP Alias Setup

Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 5.2.1 - IP Alias Setup, as shown next. Use this menu to configure the second and third networks.

Figure 276 Menu 5.2.1: IP Alias Setup

    Menu 5.2.
CHAPTER 29 Route Setup

This chapter describes how to configure the LAN-Cell's WAN Connectivity and Traffic Redirect features.

29.1 Configuring Route Setup

From the main menu, enter 6 to open Menu 6 - Route Setup.

Figure 277 Menu 6: Route Setup

    Menu 6 - Route Setup
    1. Route Assessment
    2. Traffic Redirect
    3. Route Failover
    Enter Menu Selection Number:

29.2 Route Assessment

This menu allows you to configure the Ping Connectivity properties.

Figure 278 Menu 6.1: Route Assessment

    Menu 6.

The following table describes the fields in this menu.

Table 194 Menu 6.1: Route Assessment
Probing WAN/CELL Check Point: Press [SPACE BAR] and then press [ENTER] to choose Yes to test your LAN-Cell's WAN accessibility.

29.4 Route Failover

This menu allows you to configure how the LAN-Cell uses the route assessment ping connectivity check function.

Figure 280 Menu 6.3: Route Failover

    Menu 6.3 - Route Failover
    Period= 5
    Timeout= 3
    Fail Tolerance= 3
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 196 Menu 6.
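The three Menu 6.3 values decide how quickly a dead WAN is abandoned and how easily a lossy one flaps. The code below is an added example written for this guide, not Proxicast code, that models the decision with the interpretation a practitioner would assume from the field names (Period: seconds between probes; Timeout: seconds to wait for a reply; Fail Tolerance: consecutive failed probes before the route is declared down; the page itself cuts off before the field descriptions). Recovery on the first successful probe and probe starts spaced Period seconds apart are also assumptions. Probe results are constructed; nothing is sent.

```python
def route_states(results, timeout=3, fail_tolerance=3):
    """results: reply times in seconds for successive probes, None = no reply.
    A probe fails when there is no reply within timeout. The route goes down
    after fail_tolerance consecutive failures and (assumed) comes back with
    the first successful probe. Returns the route state after each probe."""
    states, consecutive, state = [], 0, "up"
    for rtt in results:
        failed = rtt is None or rtt > timeout
        consecutive = consecutive + 1 if failed else 0
        if failed and consecutive >= fail_tolerance:
            state = "down"
        elif not failed:
            state = "up"
        states.append(state)
    return states


def worst_case_detection_seconds(period=5, timeout=3, fail_tolerance=3):
    """Seconds from the start of an outage to failover when the outage begins
    just after a successful reply: a full period before the next probe, then
    fail_tolerance probes that each wait the full timeout. Probe starts are
    assumed period seconds apart, or timeout seconds apart if that is longer."""
    return period + (fail_tolerance - 1) * max(period, timeout) + timeout


# Constructed probe history: two good replies, three lost, one good, one lost.
SAMPLE_PROBES = [1, 1, None, None, None, 1, None]

if __name__ == "__main__":
    print(route_states(SAMPLE_PROBES))
    print("worst-case detection with menu defaults:",
          worst_case_detection_seconds(), "s")
    print("with Fail Tolerance 1 (flaps on any single lost ping):",
          worst_case_detection_seconds(fail_tolerance=1), "s")
```

With the defaults, a single lost or slow reply (rtt above Timeout) never changes state; only three in a row do. Lowering Fail Tolerance to 1 shortens detection but makes every dropped probe a failover, which on a cellular backup means unnecessary data sessions.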
CHAPTER 30 WLAN Setup Use menu 7 to configure the IP address for LAN-Cell’s WLAN interface, other TCP/IP and DHCP settings. 30.1 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 4 on page 77. 30.1.1 IP Address From the main menu, enter 7 to open Menu 7 - WLAN Setup to configure TCP/IP (RFC 1155). Figure 281 Menu 7: WLAN Setup Menu 7 - WLAN Setup 2. TCP/IP and DHCP Setup Enter Menu Selection Number: From menu 7, select the submenu option 2.
Chapter 30 WLAN Setup Figure 282 Menu 7.2: TCP/IP and DHCP Ethernet Setup Menu 7.2 - TCP/IP and DHCP Ethernet Setup DHCP= None Client IP Pool: Starting Address= N/A Size of Client IP Pool= N/A TCP/IP Setup: IP Address= 0.0.0.0 IP Subnet Mask= 0.0.0.0 RIP Direction= None Version= N/A Multicast= IGMP-v2 Edit IP Alias= No DHCP Server Address= N/A Press ENTER to Confirm or ESC to Cancel: The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup.
Chapter 30 WLAN Setup Figure 283 Menu 7.2.1: IP Alias Setup Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Enter here to CONFIRM or ESC to CANCEL: Refer to Table 190 on page 445 for instructions on configuring IP alias parameters.
CHAPTER 31 WAN ISP Setup

This chapter shows you how to configure a remote node to access an ISP via a WAN interface.

31.1 Introduction to WAN ISP Setup
A remote node is required for placing calls to an ISP's remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up WAN ISP access, you are actually configuring a remote node. The following describes how to configure Menu 11.1 - Remote Node Profile, Menu 11.1.
31.3.1 Ethernet Encapsulation
There are three variations of menu 11.1 depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet interface. The first menu 11.1 screen you see is for Ethernet encapsulation, shown next.

Figure 285 Menu 11.1: Remote Node Profile for Ethernet Encapsulation
  Menu 11.
Table 197 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued)
  Server
    This field is valid only when RoadRunner is selected in the Service Type field. The LAN-Cell will find the RoadRunner Server IP automatically if this field is left blank. If it does not, then you must enter the authentication server IP address here.
  Relogin Every (min)
    This field is available when you select Telia Login in the Service Type field.
31.3.2.1 Outgoing Authentication Protocol
Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendors' implementations include a specific authentication protocol in the user profile, and will disconnect if the negotiated protocol is different from the one in the user profile, even when the negotiated protocol is stronger than the one specified.
Figure 287 Menu 11.1: Remote Node Profile for PPTP Encapsulation
  Menu 11.1 - Remote Node Profile
    Rem Node Name= ChangeMe
    Active= Yes
    Route= IP
    Encapsulation= PPTP
    Service Type= Standard
    Edit IP= No
    Telco Option:
      Allocated Budget(min)= 0
      Period(hr)= 0
      Schedules=
      Always On Connection= No
    Outgoing:
      My Login=
      My Password= ********
      Retype to Confirm= ********
      Authen= CHAP/PAP
    PPTP:
      My IP Addr= 10.0.0.140
      My IP Mask= 255.255.255.0
      Server IP Addr= 10.0.0.
Figure 288 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation
  Menu 11.1.
Table 200 Remote Node Network Layer Options Menu Fields (continued)
  NAT Lookup Set
    If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.
Figure 289 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)
  Menu 11.1.4 - Remote Node Filter
    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=
  Enter here to CONFIRM or ESC to CANCEL:

Figure 290 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation)
  Menu 11.1.
CHAPTER 32 IP Static Route Setup

This chapter shows you how to configure static routes with your LAN-Cell.

32.1 IP Static Route Setup
Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.

Note: The first two static route entries are for the default WAN and CELL routes. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.
Figure 291 Menu 12: IP Static Route Setup
  Menu 12 - IP Static Route Setup
     1.Reserved    2.Reserved    3.________    4.________    5.________
     6.________    7.________    8.________    9.________   10.________
    11.________   12.________   13.________   14.________   15.________
    16.________   17.________   18.________   19.________   20.________
    21.________   22.________   23.________   24.________   25.________
    26.________   27.________   28.________   29.________   30.
Table 201 Menu 12.1: Edit IP Static Route
  IP Subnet Mask
    Enter the IP subnet mask for this destination.
  Gateway IP Address
    Enter the IP address of the gateway. The gateway is an immediate neighbor of your LAN-Cell that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your LAN-Cell; over the WAN, the gateway must be the IP address of one of the remote nodes.
CHAPTER 33 Network Address Translation (NAT)

This chapter discusses how to configure NAT on the LAN-Cell.

33.1 Using NAT
Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the LAN-Cell.

33.1.1 SUA (Single User Account) Versus NAT
SUA (Single User Account) is a ProxiOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See Section 33.2.
Figure 293 Menu 4: Applying NAT for Internet Access
  Menu 4 - Ethernet WAN Setup
    ISP's Name= ChangeMe
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Retype to Confirm= N/A
    Login Server= N/A
    Relogin Every (min)= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
  Press ENTER to Confirm or ESC to Cancel:

The following figure shows how you apply NAT to t
The following table describes the fields in this menu.

Table 202 Applying NAT in Menus 4 & 11.1.2
  Network Address Translation
    Option: Full Feature
    When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see Section 33.2.1 on page 480 for further discussion). You can configure any of the mapping types described in Chapter 13 on page 289. Choose Full Feature if you have multiple public WAN IP addresses for your LAN-Cell.
Note: Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets.

33.2.1 Address Mapping Sets
Enter 1 to bring up Menu 15.1 - Address Mapping Sets.

Figure 296 Menu 15.1: Address Mapping Sets
  Menu 15.1 - Address Mapping Sets
    1. NAT_SET
    2. example
    255. SUA (read only)
  Enter Menu Selection Number:

33.2.1.1 SUA Address Mapping Set
Enter 255 to display the next screen (see also Section 33.1.
Note: Menu 15.1.255 is read-only.

Table 203 SUA Address Mapping Rules
  Set Name
    This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
  Idx
    This is the index or rule number.
  Local Start IP
    Local Start IP is the starting local IP address (ILA).
  Local End IP
    Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.
Figure 298 Menu 15.1.1: First Set
  Menu 15.1.1 - Address Mapping Rules
    Set Name= NAT_SET

    Idx  Local Start IP   Local End IP      Global Start IP  Global End IP  Type
    ---  ---------------  ---------------   ---------------  -------------  ------
     1.  0.0.0.0          255.255.255.255   0.0.0.0                         M-1
     2.                                     0.0.0.0                         Server
     3.
     4.
     5.
     6.
     7.
     8.
     9.
    10.

    Action= None    Select Rule= N/A
  Press ENTER to Confirm or ESC to Cancel:

Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.
Table 204 Fields in Menu 15.1.1 (continued)
  Action
    The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a rule before the rule selected. The rules after the selected rule will then be moved down by one rule. Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule. None disables the Select Rule item.
The following table describes the fields in this menu.

Table 205 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
  Type
    Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in Chapter 13 on page 289. Server allows you to specify multiple servers of different types behind NAT to this computer. See Section 33.4.3 on page 489 for an example.
Figure 301 Menu 15.2.x: NAT Server Sets
  Menu 15.2.1 - NAT Server Setup
    Default Server: 0.0.0.0

    Rule  Act.  Start Port  End Port  IP Address
    ------------------------------------------------
    001   No    0           0         0.0.0.0
    002   No    0           0         0.0.0.0
    003   No    0           0         0.0.0.0
    004   No    0           0         0.0.0.0
    005   No    0           0         0.0.0.0
    006   No    0           0         0.0.0.0
    007   No    0           0         0.0.0.0
    008   No    0           0         0.0.0.0
    009   No    0           0         0.0.0.0
    010   No    0           0         0.0.0.
The following table describes the fields in this screen.

Table 206 15.2.x.x: NAT Server Configuration
  WAN
    You can configure port forwarding and trigger port rules for the Ethernet WAN port and separate sets of rules for the Cellular WAN port. This is the WAN port (server set) you select in menu 15.2.
  Index
    This is the index number of an individual port forwarding server entry.
  Name
    Enter a name to identify this port-forwarding rule.
Figure 304 Server Behind NAT Example

33.4 General NAT Examples
The following are some examples of NAT configuration.

33.4.1 Internet Access Only
In the following Internet access example, you only need one rule where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Figure 306 Menu 4: Internet Access & NAT Example
  Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Retype to Confirm= N/A
    Login Server= N/A
    Relogin Every (min)= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
  Press ENTER to Confirm or ESC to Cancel:

From menu 4 shown above, simply choose the SUA O
Note: In general, if you wish to access the LAN-Cell for remote management through the WAN or CELLULAR interfaces, do not define a NAT Default Server. Use the Port Forwarding Rules, Remote Management Ports, and Firewall Rules to define WAN-based remote access to the LAN-Cell.

Figure 308 Menu 15.2.1: Specifying an Inside Server
  Menu 15.2.1 - NAT Server Setup
    Default Server: 192.168.1.10

    Rule  Act.
Figure 309 NAT Example 3

1 In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 310 on page 490.
2 Then enter 15 from the main menu.
3 Enter 1 to configure the Address Mapping Sets.
4 Enter 1 to begin configuring this new set.
Figure 311 Example 3: Menu 15.1.1.1
  Menu 15.1.1.1 Address Mapping Rule
    Type= One-to-One
    Local IP:
      Start= 192.168.1.10
      End  = N/A
    Global IP:
      Start= 10.132.50.1
      End  = N/A
    Server Mapping Set= N/A
  Press ENTER to Confirm or ESC to Cancel:

Figure 312 Example 3: Final Menu 15.1.1
  Menu 15.1.1 - Address Mapping Rules
    Set Name= Example3

    Idx  Local Start IP
    ---  ---------------
     1.  192.168.1.10
     2.  192.168.1.11
     3.  0.0.0.0
     4.
     5.
     6.
     7.
     8.
     9.
    10.
Figure 313 Example 3: Menu 15.2.1
  Menu 15.2.1 - NAT Server Setup
    Default Server: 0.0.0.0

    Rule  Act.  Start Port  End Port  IP Address
    ------------------------------------------------
    001   Yes   80          80        192.168.1.21
    002   Yes   25          25        192.168.1.20
    003   No    0           0         0.0.0.0
    004   No    0           0         0.0.0.0
    005   No    0           0         0.0.0.0
    006   No    0           0         0.0.0.0
    007   No    0           0         0.0.0.0
    008   No    0           0         0.0.0.0
    009   No    0           0         0.0.0.0
    010   No    0           0         0.0.0.
Note: Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won't work through NAT even when using the One-to-One and Many-One-to-One mapping types.

Follow the steps outlined in example 3 above to configure these two menus as follows.

Figure 315 Example 4: Menu 15.1.1.1: Address Mapping Rule
  Menu 15.1.1.1 Address Mapping Rule
    Type= Many-One-to-One
    Local IP:
      Start= 192.168.1.
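As an added example (not code from this guide or from Proxicast), the following Python model shows how the Example 3 address mapping set and NAT server set, and the Many-One-to-One type used in Example 4, decide which address a packet gets. Only rule 1 of Figure 312 and the two server rules of Figure 313 are taken from the page; the global addresses and type of rules 2 and 3, the Example 4 style rule, and the sample addresses are constructed assumptions.

```python
"""Simplified model of LAN-Cell NAT: an Address Mapping Set (menu 15.1.x) translating
outbound source addresses and a NAT Server Set (menu 15.2.x) forwarding inbound ports."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def ip_int(addr: str) -> int:
    return int(IPv4Address(addr))


@dataclass
class MappingRule:
    """One row of menu 15.1.1; an End IP shown as N/A is given as None."""
    type: str                         # One-to-One, Many-to-One, Many-One-to-One, Server
    local_start: str
    global_start: str
    local_end: Optional[str] = None
    global_end: Optional[str] = None

    def covers_local(self, addr: str) -> bool:
        lo, hi = ip_int(self.local_start), ip_int(self.local_end or self.local_start)
        return lo <= ip_int(addr) <= hi


def translate_outbound(rules: List[MappingRule], src: str) -> Tuple[Optional[str], bool]:
    """Return (global address, ports must be translated) for a packet leaving from src.
    Rules are tried in index order and the first whose local range covers src wins;
    with no match the address is left untouched (assumption of this model)."""
    for rule in rules:
        if rule.type == "Server" or not rule.covers_local(src):
            continue
        if rule.type == "Many-to-One":
            return rule.global_start, True          # one IGA shared by every ILA
        # One-to-One and Many-One-to-One keep the ILA's offset inside the global range.
        offset = ip_int(src) - ip_int(rule.local_start)
        return str(IPv4Address(ip_int(rule.global_start) + offset)), False
    return None, False


@dataclass
class ServerRule:
    """One row of the menu 15.2.x NAT Server Setup table."""
    active: bool
    start_port: int
    end_port: int
    ip: str


def translate_inbound(rules: List[ServerRule], default_server: str, dport: int) -> Optional[str]:
    """Pick the inside host for an incoming connection to dport: the first active rule
    whose port range covers it, else the Default Server. A Default Server of 0.0.0.0
    means no inside host receives unmatched traffic, so None is returned."""
    for rule in rules:
        if rule.active and rule.start_port <= dport <= rule.end_port:
            return rule.ip
    return None if default_server == "0.0.0.0" else default_server


# Example 3 (Figure 312). Rule 1 is from the page; the global addresses and type of
# rules 2 and 3 are truncated on the page and constructed here.
EXAMPLE3_MAPPING = [
    MappingRule("One-to-One", "192.168.1.10", "10.132.50.1"),
    MappingRule("One-to-One", "192.168.1.11", "10.132.50.2"),                  # constructed
    MappingRule("Many-to-One", "0.0.0.0", "10.132.50.3", "255.255.255.255"),   # constructed
]
# Example 3 (Figure 313): HTTP to 192.168.1.21, SMTP to 192.168.1.20, no Default Server.
EXAMPLE3_SERVERS = [ServerRule(True, 80, 80, "192.168.1.21"),
                    ServerRule(True, 25, 25, "192.168.1.20")]
EXAMPLE3_DEFAULT_SERVER = "0.0.0.0"
# Constructed Many-One-to-One rule in the style of Example 4: ten ILAs onto ten IGAs.
EXAMPLE4_MAPPING = [MappingRule("Many-One-to-One", "192.168.1.100", "10.132.50.10",
                                "192.168.1.109", "10.132.50.19")]
```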
33.5 Trigger Port Forwarding
Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address.
Figure 317 Menu 15.3.1: Trigger Port Setup
  Menu 15.3.1 - Trigger Port Setup

                         Incoming               Trigger
    Rule  Name           Start Port  End Port   Start Port  End Port
    ----------------------------------------------------------------
     1.   Real Audio     6970        7170       7070        7070
     2.                  0           0          0           0
     3.                  0           0          0           0
     4.                  0           0          0           0
     5.                  0           0          0           0
     6.                  0           0          0           0
     7.                  0           0          0           0
     8.                  0           0          0           0
     9.                  0           0          0           0
    10.                  0           0          0           0
    11.                  0           0          0           0
    12.
CHAPTER 34 Firewall Status

This chapter shows you how to get started with the LAN-Cell firewall.

34.1 Firewall SMT Menus
From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.

Figure 318 Menu 21: Filter and Firewall Setup
  Menu 21 - Filter and Firewall Setup
    1. Filter Setup
    2. Firewall Setup
  Enter Menu Selection Number:

34.1.1 Activating the Firewall
Enter option 2 in this menu to bring up the following screen.
Figure 319 Menu 21.2: Firewall Setup
  Menu 21.2 - Firewall Setup

  The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies. You may define additional policy rules or modify existing ones but please exercise extreme caution in doing so.

    Active: Yes

  You can use the Web Configurator to configure the firewall.
CHAPTER 35 Filter Configuration

This chapter shows you how to create and apply filters.

35.1 Introduction to Filters
Your LAN-Cell uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later. Data filtering screens the data to determine if the packet should be allowed to pass.
35.1.1 The Filter Structure of the LAN-Cell
A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The LAN-Cell allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.
Figure 321 Filter Rule Process

You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
35.2 Configuring a Filter Set
The LAN-Cell includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below.

1 Enter 21 in the main menu to open menu 21.

Figure 322 Menu 21: Filter and Firewall Setup
  Menu 21 - Filter and Firewall Setup
    1. Filter Setup
    2. Firewall Setup
  Enter Menu Selection Number:

2 Enter 1 to bring up the following menu.

Figure 323 Menu 21.1: Filter Set Configuration
  Menu 21.
Table 208 Abbreviations Used in the Filter Rules Summary Menu
  A
    Active: “Y” means the rule is active. “N” means the rule is inactive.
  Type
    The type of filter rule: “GEN” for Generic, “IP” for TCP/IP.
  Filter Rules
    These parameters are displayed here.
  M
    More. “Y” means there are more rules to check which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete. “N” means there are no more rules to check.
35.2.2 Configuring a TCP/IP Filter Rule
This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers. To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.x.x - TCP/IP Filter Rule, as shown next.

Figure 324 Menu 21.1.1.1: TCP/IP Filter Rule
  Menu 21.1.1.
Table 210 Menu 21.1.1.1: TCP/IP Filter Rule
  Port # Comp
    Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options are None, Equal, Not Equal, Less and Greater.
  Source IP Addr
    Enter the source IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0.
  IP Mask
    Enter the IP mask to apply to the Source: IP Addr.
Figure 325 Executing an IP Filter

35.2.3 Configuring a Generic Filter Rule
This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
For generic rules, the LAN-Cell treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The LAN-Cell applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match. The Mask and Value are specified in hexadecimal numbers.
Table 211 Generic Filter Rule Menu Fields
  Log
    Select the logging option from the following:
      None - No packets will be logged.
      Action Matched - Only packets that match the rule parameters will be logged.
      Action Not Matched - Only packets that do not match the rule parameters will be logged.
      Both – All packets will be logged.
  Action Matched
    Select the action for a packet matching the rule. Options are Check Next Rule, Forward and Drop.
Figure 328 Example Filter: Menu 21.1.3.1
  Menu 21.1.3.1 - TCP/IP Filter Rule
    Filter #: 3,1
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 6    IP Source Route= No
    Destination: IP Addr= 0.0.0.0
                 IP Mask= 0.0.0.0
                 Port #= 23
                 Port # Comp= Equal
    Source:      IP Addr= 0.0.0.0
                 IP Mask= 0.0.0.0
                 Port #= 0
                 Port # Comp= None
    TCP Estab= No
    More= No           Log= None
    Action Matched= Drop
    Action Not Matched= Forward
  Press ENTER to Confirm or ESC to Cancel:
  Press Space Bar to Toggle.
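As an added example (not code from this guide or from Proxicast), the following Python model puts the filter structure of Sections 35.2.2 and 35.2.3 together: the TCP/IP rule of Figure 328 (filter set 3, rule 1), a generic rule that checks Offset/Length bytes under a hexadecimal Mask against a Value, the More flag that chains rules, and the Check Next Rule/Forward/Drop decision. How a broken chain is skipped, what happens when the set ends without a decision, the IPX generic rule and the sample packets are assumptions of this model, not statements of the guide.

```python
"""Model of a LAN-Cell filter set (menu 21.1.x): TCP/IP and generic rules, chaining, decision."""
import ipaddress
from dataclasses import dataclass, field

FORWARD, DROP, CHECK_NEXT = "Forward", "Drop", "Check Next Rule"


@dataclass
class Packet:
    protocol: int = 0        # IP protocol number: 6 TCP, 17 UDP, 1 ICMP; 0 = not an IP packet
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    sport: int = 0
    dport: int = 0
    raw: bytes = b""         # whole frame as a byte stream, used by generic rules


@dataclass
class Endpoint:
    """The Destination: or Source: block of menu 21.1.x.x."""
    addr: str = "0.0.0.0"    # a rule address of 0.0.0.0 is ignored
    mask: str = "0.0.0.0"
    port: int = 0
    comp: str = "None"       # Port # Comp: None, Equal, Not Equal, Less, Greater

    def matches(self, pkt_addr: str, pkt_port: int) -> bool:
        if self.addr != "0.0.0.0":
            net = ipaddress.IPv4Network((self.addr, self.mask), strict=False)
            if ipaddress.IPv4Address(pkt_addr) not in net:
                return False
        return {"None": True, "Equal": pkt_port == self.port,
                "Not Equal": pkt_port != self.port, "Less": pkt_port < self.port,
                "Greater": pkt_port > self.port}[self.comp]


@dataclass
class TcpIpRule:
    protocol: int = 0                  # IP Protocol; 0 = any (assumption of this model)
    dst: Endpoint = field(default_factory=Endpoint)
    src: Endpoint = field(default_factory=Endpoint)
    more: bool = False                 # More= Yes chains this rule with the next one
    action_matched: str = DROP
    action_not_matched: str = FORWARD

    def matches(self, pkt: Packet) -> bool:
        if self.protocol and pkt.protocol != self.protocol:
            return False
        return self.dst.matches(pkt.dst, pkt.dport) and self.src.matches(pkt.src, pkt.sport)


@dataclass
class GenericRule:
    offset: int                        # Offset (from 0) and Length, both in bytes
    length: int
    mask: str                          # hex; ANDed onto the selected bytes first
    value: str                         # hex; compared against the masked bytes
    more: bool = False
    action_matched: str = DROP
    action_not_matched: str = FORWARD

    def matches(self, pkt: Packet) -> bool:
        window = pkt.raw[self.offset:self.offset + self.length]
        if len(window) < self.length:
            return False
        masked = bytes(b & m for b, m in zip(window, bytes.fromhex(self.mask)))
        return masked == bytes.fromhex(self.value)


def run_filter_set(rules, pkt: Packet) -> str:
    """Walk the set in order. A More=Yes chain continues only while each rule matches
    and a broken chain is skipped whole; running off the end of the set without a
    Forward/Drop decision forwards the packet. Both are assumptions of this model."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        matched = rule.matches(pkt)
        if rule.more:
            if not matched:              # chain broken: jump past its last rule
                while i < len(rules) and rules[i].more:
                    i += 1
            i += 1
            continue
        action = rule.action_matched if matched else rule.action_not_matched
        if action != CHECK_NEXT:
            return action
        i += 1
    return FORWARD


# Filter set 3 of Figure 328: TCP to destination port 23 is dropped, everything else forwarded.
TELNET_BLOCK_SET = [TcpIpRule(protocol=6, dst=Endpoint(port=23, comp="Equal"))]
# Constructed chain: rule 1 (More=Yes) selects sources in 192.168.1.0/24, rule 2 drops
# Telnet among them and hands the rest to the next rule (none, so they are forwarded).
LAN_TELNET_CHAIN = [
    TcpIpRule(src=Endpoint("192.168.1.0", "255.255.255.0"), more=True),
    TcpIpRule(protocol=6, dst=Endpoint(port=23, comp="Equal"), action_not_matched=CHECK_NEXT),
]
# Constructed generic rule: Ethernet II type field is bytes 12-13, 0x8137 is IPX (non-IP).
IPX_BLOCK_SET = [GenericRule(offset=12, length=2, mask="FFFF", value="8137")]
# Constructed sample traffic.
TELNET_FROM_LAN = Packet(6, "192.168.1.10", "10.0.0.1", 40000, 23)
TELNET_FROM_WAN = Packet(6, "10.0.0.5", "192.168.1.1", 40001, 23)
HTTP_FROM_LAN = Packet(6, "192.168.1.10", "10.0.0.1", 40002, 80)
IPX_FRAME = Packet(raw=bytes(12) + bytes.fromhex("8137ffff"))
```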
After you've created the filter set, you must apply it.

1 Enter 11 from the main menu to go to menu 11.
2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile.
3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER]. This brings you to menu 11.1.4.
4 Apply a filter set (our example filter set 3) as shown in Figure 333 on page 513.
5 Press [ENTER] to confirm after you enter the set numbers and to leave menu 11.1.4.

35.
35.5.1.1 When To Use Filtering
1 To block/allow LAN packets by their MAC addresses.
2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A.
Note: If you do not activate the firewall, it is advisable to apply filters.

35.6.1 Applying LAN Filters
LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, e.g., 3, 4, 6, 11.
35.6.3 Applying Remote Node Filters
Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas. The LAN-Cell already has filters to prevent NetBIOS traffic from triggering calls, and to block incoming telnet, FTP and HTTP connections.

Figure 333 Filtering Remote Node Traffic
  Menu 11.1.
CHAPTER 36 SNMP Configuration

This chapter explains SNMP configuration menu 22.

36.1 SNMP Configuration
To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.

Figure 334 Menu 22: SNMP Configuration
  Menu 22 - SNMP Configuration
    SNMP:
      Get Community= public
      Set Community= public
      Trusted Host= 0.0.0.0
      Trap:
        Community= public
        Destination= 0.0.0.
Table 212 SNMP Configuration Menu Fields (continued)
  Destination
    Type the IP address of the station to send your SNMP traps to.

When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.

36.
CHAPTER 37 System Information & Diagnosis

This chapter covers SMT menus 24.1 to 24.4.

37.1 Introduction to System Status
This chapter covers the diagnostic tools that help you to maintain your LAN-Cell. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.

Figure 335 Menu 24: System Maintenance
  Menu 24 - System Maintenance
    1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11.
3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 or 2 drops the WAN or CELL connection, 9 resets the counters and [ESC] takes you back to the previous screen.

Figure 336 Menu 24.1: System Maintenance: Status
  Menu 24.
Table 214 System Maintenance: Status Menu Fields (continued)
  Ethernet Address
    This is the MAC address of the port listed on the left.
  IP Address
    This is the IP address of the port listed on the left.
  IP Mask
    This is the IP mask of the port listed on the left.
  DHCP
    This is the DHCP setting of the port listed on the left.
  System up Time
    This is the total time the LAN-Cell has been on.
Figure 338 Menu 24.2.1: System Maintenance: Information
  Menu 24.2.1 - System Maintenance - Information
    Name: LAN-Cell
    Routing: IP
    ProxiOS F/W Version: V4.02(AQI.0)b2 | 11/29/2006
    Country Code: 255
    LAN
      Ethernet Address: 00:13:49:00:00:01
      IP Address: 192.168.1.1
      IP Mask: 255.255.255.0
      DHCP: Server
  Press ESC or RETURN to Exit:

The following table describes the fields in this screen.
Figure 339 Menu 24.2.2: System Maintenance: Change Console Port Speed
  Menu 24.2.2 - System Maintenance - Change Console Port Speed
    Console Port Speed: 9600
  Press ENTER to Confirm or ESC to Cancel:
  Press Space Bar to Toggle.

37.4 Log and Trace
There are two logging facilities in the LAN-Cell. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging.

37.4.
Figure 341 Examples of Error and Information Messages
    52 Thu Jul  1 05:54:53 2004 PP05 ERROR
    53 Thu Jul  1 05:54:53 2004 PINI INFO
    54 Thu Jul  1 05:54:56 2004 PP05 -WARN
    55 Thu Jul  1 05:54:56 2004 PP0d INFO
    57 Thu Jul  1 05:54:56 2004 PP0d INFO
    58 Thu Jul  1 05:54:56 2004 PINI INFO
    59 Thu Jul  1 05:54:56 2004 PINI INFO
    60 Thu Jul  1 05:55:26 2004 PSSV -WARN
    61 Thu Jul  1 05:56:56 2004 PINI INFO
    62 Thu Jul  1 07:50:58 2004
    63 Thu Jul  1 07:53:28 2004
  Clear Error Log (y/n):
1 CDR
  CDR Message Format
    SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );
    String = board xx line xx channel xx, call xx, str
    board = the hardware board ID
    line = the WAN ID in a board
    Channel = channel ID within the WAN
    call = the call reference number which starts from 1 and increments by 1 for each new call
    str = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.
Filter log
  Filter Log Message Format
    SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String );
    String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD
    IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
    Src: Source Address
    Dst: Destination Address
    prot: Protocol ("TCP","UDP","ICMP")
    spo: Source port
    dpo: Destination port
  Mar 03 10:39:43 202.132.155.
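As an added example (not code from this guide or from Proxicast), here is a Python parser for the filter log format above, with a summary of which filter set/rule dropped what, from where, and to which destination ports, the view an operator wants when reviewing these syslog messages. The sample lines are constructed in the documented format; the letter "F" being read as Forward is an assumption, since only "m" and "D" are documented here.

```python
"""Parser for LAN-Cell filter log lines (SYSLOG_FILLOG) with a per-rule drop summary."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# IP[Src=... Dst=... prot spo=... dpo=...] SxxRyy<m><A>, the format documented above.
FILTER_LOG_RE = re.compile(
    r"IP\[Src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<prot>TCP|UDP|ICMP) spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\] "
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<matched>[a-z])(?P<action>[A-Z])")

# "D" (drop) is documented; "F" standing for Forward is an assumption of this parser.
ACTIONS = {"D": "drop", "F": "forward"}


def parse_filter_log(line: str) -> Optional[dict]:
    """Return the fields of one filter log line, or None for any other log line."""
    m = FILTER_LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"], "dst": m["dst"], "prot": m["prot"],
        "spo": int(m["spo"]), "dpo": int(m["dpo"]),
        "set": int(m["set"]), "rule": int(m["rule"]),
        "matched": m["matched"] == "m",             # "m" = the rule matched
        "action": ACTIONS.get(m["action"], m["action"]),
    }


def summarize_drops(lines: Iterable[str]) -> Dict[str, dict]:
    """Count drops per filter set/rule and per protocol/destination port, and record
    the distinct sources each rule dropped: which rules fire, and against whom."""
    per_rule, per_dport, sources = Counter(), Counter(), {}
    for line in lines:
        rec = parse_filter_log(line)
        if rec is None or rec["action"] != "drop":
            continue
        key = f"S{rec['set']:02d}>R{rec['rule']:02d}"
        per_rule[key] += 1
        per_dport[(rec["prot"], rec["dpo"])] += 1
        sources.setdefault(key, set()).add(rec["src"])
    return {"per_rule": dict(per_rule), "per_dport": dict(per_dport),
            "sources": {k: sorted(v) for k, v in sources.items()}}


# Constructed sample log in the documented format; addresses and timestamps are made up.
SAMPLE_LOG = """\
Mar 03 10:39:43 192.168.1.1 IP[Src=203.0.113.7 Dst=192.168.1.1 TCP spo=51000 dpo=23] S04>R01mD
Mar 03 10:39:44 192.168.1.1 IP[Src=203.0.113.7 Dst=192.168.1.1 TCP spo=51001 dpo=21] S04>R02mD
Mar 03 10:39:45 192.168.1.1 IP[Src=198.51.100.9 Dst=192.168.1.1 TCP spo=4000 dpo=23] S04>R01mD
Mar 03 10:39:46 192.168.1.1 IP[Src=192.168.1.10 Dst=198.51.100.20 UDP spo=137 dpo=137] S01>R01mD
Mar 03 10:39:47 192.168.1.1 IP[Src=192.168.1.10 Dst=198.51.100.20 TCP spo=40000 dpo=80] S03>R01mF
Mar 03 10:39:48 192.168.1.1 PINI INFO a non-filter message (constructed)
""".splitlines()
```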
5 Firewall log
  Firewall Log Message Format
    SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
    buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.
Figure 343 Call-Triggering Packet Example
  IP Frame: ENET0-RECV    Size: 44/ 44    Time: 17:02:44.
  Frame Type:
  IP Header:
    IP Version
    Header Length
    Type of Service
    Total Length
    Identification
    Flags
    Fragment Offset
    Time to Live
    Protocol
    Header Checksum
    Source IP
    Destination IP
  TCP Header:
    Source Port
    Destination Port
    Sequence Number
    Ack Number
    Header Length
    Flags
    Window Size
    Checksum
    Urgent Ptr
    Options
  0000: 02 04 02 00
Figure 344 Menu 24.4: System Maintenance: Diagnostic
  Menu 24.4 - System Maintenance - Diagnostic
    TCP/IP
      1. Ping Host
      2. WAN DHCP Release
      3. WAN DHCP Renewal
      4. PPPoE/PPTP/Cellular Setup Test
    System
      11. Reboot System
    Enter Menu Selection Number:
    WAN=
    Host IP Address= N/A

37.5.1 WAN DHCP
DHCP functionality can be enabled on the LAN or WAN as shown in Figure 345 on page 527. LAN DHCP has already been discussed.
Table 217 System Maintenance Menu Diagnostic
  Ping Host
    Enter 1 to ping any machine (with an IP address) on your LAN, DMZ, WLAN or WAN. Enter its IP address in the Host IP Address field below.
  WAN DHCP Release
    Enter 2 to release your WAN DHCP settings.
  WAN DHCP Renewal
    Enter 3 to renew your WAN DHCP settings.
  PPPoE/PPTP/Cellular Setup Test
    Enter 4 to test the Internet setup. You can also test the Internet setup in Menu 4 - WAN ISP Setup.
CHAPTER 38 Firmware and Configuration File Maintenance

This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file.

38.1 Introduction
Use the instructions in this chapter to change the LAN-Cell's configuration file or upgrade its firmware. After you configure your LAN-Cell, you can back up the configuration file to a computer.
The following table is a summary. Please note that the internal filename refers to the filename on the LAN-Cell and the external filename refers to the filename not on the LAN-Cell, that is, on your computer, local network or FTP site, and so the name (but not the extension) may vary. After uploading new firmware, see the ProxiOS F/W Version field in Menu 24.2.
Figure 346 Telnet into Menu 24.5
  Menu 24.5 - Backup Configuration

  To transfer the configuration file to your workstation, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
    3. Locate the 'rom-0' file.
    4. Type 'get rom-0' to back up the current router configuration to your workstation.
38.3.4 GUI-based FTP Clients
The following table describes some of the commands that you may see in GUI-based FTP clients.

Table 219 General Commands for GUI-based FTP Clients
  Host Address
    Enter the address of the host server.
  Login Type
    Anonymous. This is when a user I.D. and password is automatically supplied to the server for anonymous access.
4 Launch the TFTP client on your computer and connect to the LAN-Cell. Set the transfer mode to binary before starting data transfer.
5 Use the TFTP client (see the example below) to transfer files between the LAN-Cell and the computer. The file name for the configuration file is “rom-0” (rom-zero, not capital o).

Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer.
Figure 348 System Maintenance: Backup Configuration
  Ready to backup Configuration via Xmodem.
  Do you want to continue (y/n):

2 The following screen indicates that the Xmodem download has started.

Figure 349 System Maintenance: Starting Xmodem Download Screen
  You can enter ctrl-x to terminate operation any time.
  Starting XMODEM download...

3 Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen.
FTP is the preferred method for restoring your current computer configuration to your LAN-Cell since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete.

WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR LAN-Cell. When the Restore Configuration process is complete, the LAN-Cell will automatically restart.

38.4.
8 Enter “quit” to exit the ftp prompt. The LAN-Cell will automatically restart after a successful restore process.

38.4.2 Restore Using FTP Session Example

Figure 353 Restore Using FTP Session Example
  ftp> put config.rom rom-0
  200 Port command okay
  150 Opening data connection for STOR rom-0
  226 File received OK
  221 Goodbye for writing flash
  ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
  ftp>quit

Refer to Section 38.3.
Figure 356 Restore Configuration Example

Type the configuration file's location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send.

4 After a successful restoration you will see the following screen. Press any key to restart the LAN-Cell and return to the SMT menu.

Figure 357 Successful Restoration Confirmation Screen
  Save to ROM
  Hit any key to start system reboot.

38.
Figure 358 Telnet Into Menu 24.7.1: Upload System Firmware
  Menu 24.7.1 - System Maintenance - Upload System Firmware

  To upload the system firmware, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
    3.
38.5.3 FTP File Upload Command from the DOS Prompt Example
1 Launch the FTP client on your computer.
2 Enter “open”, followed by a space and the IP address of your LAN-Cell.
3 Press [ENTER] when prompted for a username.
4 Enter your password as requested (the default is “1234”).
5 Enter “bin” to set transfer mode to binary.
6 Use “put” to transfer files from the computer to the LAN-Cell, for example, “put firmware.
2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance.
3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete.
4 Launch the TFTP client on your computer and connect to the LAN-Cell. Set the transfer mode to binary before starting data transfer.
Figure 361 Menu 24.7.1 As Seen Using the Console Port
Menu 24.7.1 - System Maintenance - Upload System Firmware

To upload system firmware:
1. Enter "y" at the prompt below to go into debug mode.
2. Enter "atur" after "Enter Debug Mode" message.
3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
4. After successful firmware upload, enter "atgo" to restart the router.
Figure 363 Menu 24.7.2 As Seen Using the Console Port
Menu 24.7.2 - System Maintenance - Upload System Configuration File

To upload system configuration file:
1. Enter "y" at the prompt below to go into debug mode.
2. Enter "atlc" after "Enter Debug Mode" message.
3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
4. After successful firmware upload, enter "atgo" to restart the system.

Warning:
1.
CHAPTER 39 System Maint. Menus 8 to 10

This chapter leads you through SMT menus 24.8 to 24.10.

39.1 Command Interpreter Mode

The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection.
Enter the command keywords exactly as shown; do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets []. The | symbol means “or”. For example, sys filter netbios config means that you must specify the type of netbios filter and whether to turn it on or off.

39.1.2 Command Usage

A list of commands can be found by typing help or ? at the command prompt.
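The notation just described (angle brackets for required fields, square brackets for optional ones, | between alternatives, keywords typed exactly as shown) can be checked mechanically before a line is typed into the CI. The following Python matcher is an added example, not part of the manual or of the LAN-Cell CI. Its templates are constructed for illustration: only "sys stdio" with the values 0 and 5 appears in the manual; the placeholder names and the help and verbose lines are assumptions.

```python
import re

# One token of a syntax template: <required>, [optional] or a literal keyword.
_TOKEN = re.compile(r"<([^>]+)>|\[([^\]]+)\]|(\S+)")


def parse_template(template: str):
    """Turn a syntax line into (choices, required, free_value) triples.

    A bracketed field containing '|' lists the literal alternatives;
    a bracketed field with a single name is a placeholder for any value.
    Bare words are keywords that must be typed exactly as shown.
    """
    fields = []
    for req, opt, word in _TOKEN.findall(template):
        if word:
            fields.append(([word], True, False))
        else:
            choices = (req or opt).split("|")
            fields.append((choices, bool(req), len(choices) == 1))
    return fields


def matches(template: str, line: str) -> bool:
    """True if `line` is a valid instance of `template`."""
    args = line.split()
    i = 0
    for choices, required, free in parse_template(template):
        if i < len(args) and (free or args[i] in choices):
            i += 1           # this field consumed one argument
        elif required:
            return False     # required field missing or keyword misspelt
    return i == len(args)    # no trailing arguments allowed


# Constructed templates for illustration; "sys stdio" with the values 0 and 5
# appears in the manual, the placeholder names and the other lines do not.
TEMPLATES = (
    "sys stdio <timeout>",
    "<help|?> [command]",
    "verbose <on|off>",
)


def valid_commands(lines):
    """Return the input lines that match at least one template."""
    return [line for line in lines if any(matches(t, line) for t in TEMPLATES)]


if __name__ == "__main__":
    for line in ("sys stdio 0", "sys stdio 5", "sy stdio 5", "help", "? radius", "verbose maybe"):
        print(f"{line!r:18} -> {any(matches(t, line) for t in TEMPLATES)}")
```

The matcher rejects "sy stdio 5" because keywords may not be abbreviated, rejects "sys stdio" because the required field is missing, and accepts "help" alone because [command] is optional.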
Table 221 Valid Commands
COMMAND   DESCRIPTION
radius    These commands display remote RADIUS server access information and configure RADIUS access settings.
radserv   These commands configure the local RADIUS server settings.
wcfg      These commands configure the SSID and security settings of the Wi-Fi AP.

39.2 Call Control Support

The LAN-Cell provides two call control functions: budget management and call history.
Figure 368 Budget Management
Menu 24.9.1 - Budget Management

Remote Node   Connection Time/Total Budget   Elapsed Time/Total Period
1.WAN_1       No Budget                      No Budget
2.WAN_2       No Budget                      No Budget
3.Dial        No Budget                      No Budget

Reset Node (0 to update screen):

The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
Figure 369 Call History
Menu 24.9.2 - Call History

Phone Number   Dir   Rate   #call   Max   Min   Total
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Enter Entry to Delete(0 to exit):

The following table describes the fields in this screen.

Table 223 Call History
FIELD          DESCRIPTION
Phone Number   The PPPoE service names are shown here.
Dir            This shows whether the call was incoming or outgoing.
Rate           This is the transfer rate of the call.
Figure 370 Menu 24: System Maintenance
Menu 24 - System Maintenance
1. System Status
2. System Information and Console Port Speed
3. Log and Trace
4. Diagnostic
5. Backup Configuration
6. Restore Configuration
7. Upload Firmware
8. Command Interpreter Mode
9. Call Control
10. Time and Date Setting
11. Remote Management Setup

Enter Menu Selection Number:

Enter 10 to go to Menu 24.
The following table describes the fields in this screen.

Table 224 Menu 24.10 System Maintenance: Time and Date Setting
FIELD           DESCRIPTION
Time Protocol   Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main differences between them are the format.
CHAPTER 40 Remote Management

This chapter covers remote management found in SMT menu 24.11.

40.1 Remote Management

Remote management allows you to determine which services/protocols can access which LAN-Cell interface (if any) from which computers.

Note: When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 9 on page 181 for details on configuring firewall rules.
Figure 372 Menu 24.11 – Remote Management Control
Menu 24.11 - Remote Management Control

TELNET Server:  Port = 23  Access = Disable  Secure Client IP = 0.0.0.0
FTP Server:     Port = 21  Access = LAN+WAN+DMZ+WLAN+CELL  Secure Client IP = 0.0.0.0
SSH Server:     Certificate = auto_generated_self_signed_cert
                Port = 22  Access = LAN+WAN+DMZ+WLAN+CELL  Secure Client IP = 0.0.0.
HTTPS Server:
HTTP Server:
SNMP Service:
DNS Service:
Table 225 Menu 24.11 – Remote Management Control (continued)
FIELD   DESCRIPTION
Authenticate Client Certificates   Select Yes by pressing [SPACE BAR], then [ENTER] to require the SSL client to authenticate itself to the LAN-Cell by sending the LAN-Cell a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the LAN-Cell (see Appendix G on page 629 for details).
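Menu 24.11 is where the exposure of every management service is decided, so it is worth auditing mechanically rather than reading by eye. The following Python script is an added example, not part of the manual or of the LAN-Cell firmware. It parses a text listing in the layout of Figure 372 into one record per service and flags cleartext services (TELNET, FTP, HTTP) or SNMP reachable from the WAN or CELL side, and any service reachable beyond the LAN whose Secure Client IP is still 0.0.0.0. The listing is constructed (only the TELNET, FTP and SSH rows follow the figure's values); treating WAN and CELL as the Internet-facing interfaces and 0.0.0.0 as "no client restriction" are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed listing modelled on the manual's Figure 372 (Menu 24.11); the
# HTTPS/HTTP/SNMP/DNS rows are sample values, not the unit's defaults.
SAMPLE_MENU = """\
Menu 24.11 - Remote Management Control

TELNET Server:  Port = 23   Access = Disable                Secure Client IP = 0.0.0.0
FTP Server:     Port = 21   Access = LAN+WAN+DMZ+WLAN+CELL  Secure Client IP = 0.0.0.0
SSH Server:     Certificate = auto_generated_self_signed_cert
                Port = 22   Access = LAN+WAN+DMZ+WLAN+CELL  Secure Client IP = 0.0.0.0
HTTPS Server:   Certificate = auto_generated_self_signed_cert
                Port = 443  Access = LAN+WAN+DMZ+WLAN+CELL  Secure Client IP = 0.0.0.0
HTTP Server:    Port = 80   Access = LAN                    Secure Client IP = 0.0.0.0
SNMP Service:   Port = 161  Access = LAN+WAN                Secure Client IP = 0.0.0.0
DNS Service:    Port = 53   Access = LAN+WLAN               Secure Client IP = 0.0.0.0
"""

MANAGEMENT = {"TELNET", "FTP", "SSH", "HTTPS", "HTTP", "SNMP"}
CLEARTEXT = {"TELNET", "FTP", "HTTP"}   # credentials and sessions travel unprotected
UNTRUSTED = {"WAN", "CELL"}             # assumed: the Internet-facing interfaces
ANY_CLIENT = "0.0.0.0"                  # assumed to mean: no client address restriction


@dataclass
class Service:
    name: str
    port: int | None = None
    access: set[str] = field(default_factory=set)   # empty set = Disable
    secure_client_ip: str | None = None
    certificate: str | None = None


_HEADER = re.compile(r"^(\w+) (?:Server|Service):")
_SETTING = re.compile(r"(Port|Access|Secure Client IP|Certificate) = (\S+)")


def parse_menu(text: str) -> dict[str, Service]:
    """Collect the settings printed after each 'X Server:' / 'X Service:' label."""
    services: dict[str, Service] = {}
    current: Service | None = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = Service(m.group(1))
            services[current.name] = current
        if current is None:
            continue
        for key, value in _SETTING.findall(line):
            if key == "Port":
                current.port = int(value)
            elif key == "Access":
                current.access = set() if value == "Disable" else set(value.split("+"))
            elif key == "Secure Client IP":
                current.secure_client_ip = value
            else:
                current.certificate = value
    return services


def audit(services: dict[str, Service]) -> list[tuple[str, str]]:
    """Return (service, problem) pairs for settings worth tightening."""
    findings = []
    for s in services.values():
        if s.name not in MANAGEMENT:
            continue
        exposed = s.access & UNTRUSTED
        if s.name in CLEARTEXT and exposed:
            findings.append((s.name, f"cleartext management reachable from {'+'.join(sorted(exposed))}"))
        if s.name == "SNMP" and exposed:
            findings.append((s.name, f"SNMP reachable from {'+'.join(sorted(exposed))}"))
        if s.access - {"LAN"} and s.secure_client_ip == ANY_CLIENT:
            findings.append((s.name, "Secure Client IP not set; any address may try to log in"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(parse_menu(SAMPLE_MENU)):
        print(f"{name:6} {problem}")
```

On the sample listing the script reports FTP (cleartext on CELL+WAN, no client restriction), SSH and HTTPS (no client restriction), and SNMP (reachable from the WAN, no client restriction); TELNET is disabled and HTTP is LAN-only, so neither is reported. Remember the note above: a service allowed here from the WAN still needs a matching firewall rule, so an audit of this menu is only half of the picture.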
CHAPTER 41 IP Policy Routing

This chapter covers setting and applying policies used for IP routing.

41.1 IP Routing Policy Summary

Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not. Each policy occupies two lines: the first line is the criteria applied to the incoming packet and the second is the action.
Table 226 Menu 25: Sample IP Routing Policy Summary (continued)
FIELD   DESCRIPTION
Criteria/Action   This displays which packets the policy applies to and how the policy has the LAN-Cell handle those packets. Refer to Table 227 on page 556 for detailed information.
Select Command   Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER].
2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure).

Figure 374 Menu 25.1: IP Routing Policy Setup
Menu 25.1 - IP Routing Policy Setup

Rule Index= 1
Active= Yes
Criteria:
  IP Protocol = 6
  Type of Service= Normal
  Packet length= 40
  Precedence = 0
  Len Comp= Equal
  Source: addr start= 1.1.1.1  end= 1.1.1.
Table 228 Menu 25.1: IP Routing Policy Setup
FIELD   DESCRIPTION
addr start / end   Destination IP address range from start to end.
port start / end   Destination port number range from start to end; applicable only for TCP/UDP.
Action   Specifies whether action should be taken on criteria Matched or Not Matched.
Gateway Type   Press [SPACE BAR] and then [ENTER] to select IP Address and enter the IP address of the gateway if you want to specify the IP address of the gateway.
Figure 375 Menu 25.1.1: IP Routing Policy Setup
Menu 25.1.1 - IP Routing Policy Setup

Apply policy to packets received from:
  LAN= No
  DMZ= No
  WLAN= No
  ALL WAN= Yes
  Selected Remote Node index= N/A

Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Table 229 Menu 25.1.1: IP Routing Policy Setup
FIELD   DESCRIPTION
LAN/DMZ/WLAN/ALL WAN   Press [SPACE BAR] to select Yes or No.
Figure 376 Example of IP Policy Routing

To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the LAN-Cell, follow the steps as shown next.

1 Create a rule in Menu 25.1 - IP Routing Policy Setup as shown next.

Figure 377 IP Routing Policy Example 1
Menu 25.
2 Select Yes in the LAN field in menu 25.1.1 to apply the policy to packets received on the LAN port.
3 Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly.
4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100).

Figure 378 IP Routing Policy Example 2
Menu 25.
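The two rules above can be checked against sample packets before they are trusted with real traffic. The following Python evaluator is an added example, not the LAN-Cell's routing code: it models a Menu 25.1 rule (IP protocol, source and destination address ranges, destination port range, packet length with Len Comp = Equal, Matched/Not Matched action, gateway) together with the Menu 25.1.1 interface selection, and applies the manual's two example rules. Port 80 for "Web", port 21 for "FTP", applying rule 2 to the LAN only, and first-matching-rule-wins are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = IPv4Address("0.0.0.0")   # the manual: IP=0.0.0.0 means any host
TCP, UDP = 6, 17               # IP protocol numbers (Figure 374 shows IP Protocol = 6)


@dataclass
class Policy:
    """One Menu 25.1 rule plus its Menu 25.1.1 'apply to packets received from' set."""
    index: int
    gateway: str                        # "WAN" or a next-hop IP address
    apply_from: set[str]                # LAN, DMZ, WLAN, ALL WAN
    active: bool = True
    ip_protocol: int | None = None      # None = any protocol
    src_start: IPv4Address = ANY
    src_end: IPv4Address = ANY
    dst_start: IPv4Address = ANY
    dst_end: IPv4Address = ANY
    dst_port_start: int | None = None   # TCP/UDP only
    dst_port_end: int | None = None
    packet_length: int | None = None    # compared with Len Comp = Equal
    action_on: str = "Matched"          # "Matched" or "Not Matched"

    def __post_init__(self):
        self.src_start, self.src_end = IPv4Address(self.src_start), IPv4Address(self.src_end)
        self.dst_start, self.dst_end = IPv4Address(self.dst_start), IPv4Address(self.dst_end)


@dataclass
class Packet:
    ingress: str
    src: IPv4Address
    dst: IPv4Address
    protocol: int
    dst_port: int | None = None
    length: int = 0

    def __post_init__(self):
        self.src, self.dst = IPv4Address(self.src), IPv4Address(self.dst)


def in_range(addr: IPv4Address, start: IPv4Address, end: IPv4Address) -> bool:
    """An address range of 0.0.0.0 - 0.0.0.0 matches every host."""
    if start == ANY and end == ANY:
        return True
    return start <= addr <= end


def criteria_match(p: Policy, pkt: Packet) -> bool:
    """Evaluate the rule's criteria against one packet."""
    if p.ip_protocol is not None and pkt.protocol != p.ip_protocol:
        return False
    if not in_range(pkt.src, p.src_start, p.src_end):
        return False
    if not in_range(pkt.dst, p.dst_start, p.dst_end):
        return False
    if p.dst_port_start is not None:
        # Port criteria apply only to TCP/UDP; other protocols cannot match them.
        if pkt.protocol not in (TCP, UDP) or pkt.dst_port is None:
            return False
        end = p.dst_port_end if p.dst_port_end is not None else p.dst_port_start
        if not p.dst_port_start <= pkt.dst_port <= end:
            return False
    if p.packet_length is not None and pkt.length != p.packet_length:
        return False
    return True


def select_gateway(policies, pkt: Packet) -> str | None:
    """First active rule whose action fires decides; None = use the routing table.

    Rules are tried in index order and the first decision wins (assumed; the
    manual does not state the tie-break).  With action_on = "Not Matched" the
    gateway applies to every packet that fails the criteria.
    """
    for p in sorted(policies, key=lambda r: r.index):
        if not p.active or pkt.ingress not in p.apply_from:
            continue
        if criteria_match(p, pkt) == (p.action_on == "Matched"):
            return p.gateway
    return None


# The manual's two example rules (Figures 376-378).  Port numbers 80 ("Web")
# and 21 ("FTP") and rule 2's LAN-only scope are assumptions.
EXAMPLE_RULES = [
    Policy(index=1, gateway="WAN", apply_from={"LAN"}, ip_protocol=TCP,
           src_start="192.168.1.33", src_end="192.168.1.64", dst_port_start=80, dst_port_end=80),
    Policy(index=2, gateway="192.168.1.100", apply_from={"LAN"}, ip_protocol=TCP,
           dst_port_start=21, dst_port_end=21),
]

if __name__ == "__main__":
    web = Packet("LAN", "192.168.1.40", "203.0.113.5", TCP, 80, 40)
    ftp = Packet("LAN", "192.168.1.10", "203.0.113.5", TCP, 21, 40)
    print("web from .40 ->", select_gateway(EXAMPLE_RULES, web))
    print("ftp from .10 ->", select_gateway(EXAMPLE_RULES, ftp))
```

Note how the interface selection from Menu 25.1.1 is evaluated before the criteria: the same web packet arriving on the DMZ is not touched by rule 1, which is the behaviour step 2 above configures.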
CHAPTER 42 Call Scheduling

Call scheduling allows you to dictate when a remote node should be called and for how long.

42.1 Introduction to Call Scheduling

The call scheduling feature allows the LAN-Cell to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a videocassette recorder (you can specify a time period for the VCR to record). You can apply up to 4 schedule sets in Menu 11.1 - Remote Node Profile.
Note: To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field.

To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.

Figure 380 Schedule Set Setup
Menu 26.
Table 230 Schedule Set Setup (continued)
FIELD   DESCRIPTION
Day   If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
Start Time   Enter the start time when you wish the schedule set to take effect in hour-minute format.
Duration   The duration determines how long the LAN-Cell is to apply the action configured in the Action field.
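A weekly schedule set as described in the table above can be evaluated for any instant. The following Python example is added here and is not the LAN-Cell's scheduler: it takes the Day, Start Time and Duration fields of a set and decides whether the set is in effect at a given time, including a window that starts before midnight and ends after it, which the field descriptions do not spell out. The Duration format (hour-minute, like Start Time), the Action labels and the sample sets are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")   # datetime.weekday() order


@dataclass(frozen=True)
class ScheduleSet:
    name: str
    days: frozenset[str]   # Day fields set to Yes (How Often = Weekly)
    start: str             # Start Time, "HH:MM"
    duration: str          # Duration, assumed "HH:MM" like Start Time
    action: str            # Action label, kept opaque here (assumed)


def minutes(hhmm: str) -> int:
    """'HH:MM' -> minutes since midnight."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def is_in_effect(s: ScheduleSet, now) -> bool:
    """True if `now` falls inside a window opened on one of the set's days.

    `now` may be a datetime or an ISO 8601 string.  A window that began on
    the previous day may still be running (a set starting at 23:00 for two
    hours is in effect at 00:30 the next day), so both today's and
    yesterday's start times are examined.  Durations longer than 24 hours
    are not modelled.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    length = timedelta(minutes=minutes(s.duration))
    for back in (0, 1):
        day = (now - timedelta(days=back)).date()
        if DAYS[day.weekday()] not in s.days:
            continue
        opens = datetime.combine(day, datetime.min.time()) + timedelta(minutes=minutes(s.start))
        if opens <= now < opens + length:
            return True
    return False


def actions_in_effect(sets, now) -> list[str]:
    """Actions of all schedule sets that apply at `now`, in set order."""
    return [s.action for s in sets if is_in_effect(s, now)]


# Constructed schedule sets for the demonstration.
OFFICE = ScheduleSet("office", frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"}), "08:00", "10:00", "office-hours")
NIGHT = ScheduleSet("friday-night", frozenset({"Fri"}), "23:00", "02:00", "friday-night")

if __name__ == "__main__":
    for when in ("2008-11-12T09:30", "2008-11-15T00:30", "2008-11-15T09:30"):
        print(when, actions_in_effect([OFFICE, NIGHT], when))
```

The dates used are a Wednesday (12 November 2008), the following Friday and Saturday; the Friday-night set is reported at 00:30 on Saturday because its two-hour window opened at 23:00 on Friday.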
Figure 382 Applying Schedule Set(s) to a Remote Node (PPTP)
Menu 11.
PART VII Troubleshooting and Specifications

Troubleshooting (569)
Product Specifications (575)
CHAPTER 43 Troubleshooting

This chapter offers some suggestions to solve problems you might encounter. Proxicast’s web site also contains a knowledgebase of other troubleshooting, technical support, and example configuration information. Please consult support.proxicast.com for the latest LAN-Cell support information.

The potential problems are divided into the following categories.
• Power, Hardware Connections, and LEDs
• LAN-Cell Access and Login
• Internet Access

43.
4 Turn the LAN-Cell off and on or disconnect and re-connect the power adaptor to the LAN-Cell.
5 If the problem continues, contact the vendor.

43.2 LAN-Cell Access and Login

I forgot the LAN IP address for the LAN-Cell.
1 The default LAN IP address is 192.168.1.1.
2 Use the console port to log in to the LAN-Cell.
4 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled. See Appendix A on page 583.
5 Make sure your computer's Ethernet adapter is installed and functioning properly.
6 Make sure your computer is in the same subnet as the LAN-Cell. (If you know that there are routers between your computer and the LAN-Cell, skip this step.)
• If there is a DHCP server on your network, make sure your computer is using a dynamic IP address.
I cannot access the SMT. / I cannot Telnet to the LAN-Cell.
See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.

I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware.
See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.
2 Make sure that your 3G PC-Card modem has been properly activated on your service provider’s network. Use a Windows laptop to confirm that the 3G card is functioning properly on the carrier’s network. Follow the carrier or card manufacturer’s instructions on activating and updating the 3G card in Windows.
3 Check the APN, Username, Password, Authentication Type, and ISP Access phone number in the WIRELESS > CELLULAR screen. Refer to Section 5.4 on page 114.
2 Check the Cell-Sentry budget control. Refer to Section 5.4.2 on page 118.
3 Check the schedule rules. Refer to Chapter 42 on page 563 (SMT).
4 Reboot the LAN-Cell.
5 If the problem continues, contact your ISP.

The Internet connection is slow or intermittent.
1 There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.5 on page 30.
CHAPTER 44 Product Specifications

The following tables summarize the LAN-Cell’s hardware and firmware features.

Table 231 Hardware Specifications
Dimensions   220 (W) x 137 (D) x 32 (H) mm
Weight   1.09 kg
Power Specification   12V DC, 2.1 mm jack (center pin positive)
Power Consumption   5W Typical; 8W Max
Ethernet Interface LAN/DMZ   Four LAN/DMZ/WLAN auto-negotiating, auto MDI/MDI-X 10/100 Mbps RJ45 Ethernet ports.
Table 232 Firmware Specifications
FEATURE   DESCRIPTION
Wireless Functionality   Allow the IEEE 802.11a, IEEE 802.11b and/or IEEE 802.11g wireless clients to connect to the LAN-Cell wirelessly. Enable wireless security (WEP, WPA(2), WPA(2)-PSK) and/or MAC filtering to protect your wireless network.
Firmware Upgrade   Download new firmware (when available) from the Proxicast web site and use the web configurator, an FTP or a TFTP tool to put it on the LAN-Cell.
Table 232 Firmware Specifications (continued)
FEATURE   DESCRIPTION
Bandwidth Management   You can efficiently manage traffic on your network by reserving bandwidth and giving priority to certain types of traffic and/or to particular computers.
Remote Management   This allows you to decide whether a service (HTTP or FTP traffic for example) from a computer on a network (LAN or WAN for example) can access the LAN-Cell.
3G Card Installation

1 Do not insert or remove a card with the LAN-Cell turned on. Make sure the LAN-Cell is off before inserting or removing a 3G card (to avoid damage). Slide the connector end of the card into the slot as shown next.

Power Adapter Specifications

NORTH AMERICAN PLUG STANDARDS
AC POWER ADAPTOR MODEL   PSA18R-120P (ZA)-R
INPUT POWER              100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER             12VDC, 1.5A
POWER CONSUMPTION        18 W MAX.
JAPAN PLUG STANDARDS
AC POWER ADAPTOR MODEL   PSA18R-120P (ZA)-R
INPUT POWER              100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER             12VDC, 1.5A
POWER CONSUMPTION        18 W MAX.
SAFETY STANDARDS         JET

CHINA PLUG STANDARDS
AC POWER ADAPTOR MODEL   PSA18R-120P (ZA)-R
INPUT POWER              100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER             12VDC, 1.5A
POWER CONSUMPTION        18 W MAX.
Table 235 Console Cable Pin Assignments (continued)
PIN DEFINITION   RJ-45 END   DB-9M (MALE) END
CTS              7           8
DCD              8           1
N/A              9

Table 236 Console Cable Pin Assignments
PIN DEFINITION   RJ-45 END   DB-9M (MALE) END
DTR              1           4
DSR              2           6
RX               3           2
CTS              4           8
GND              5           5
TX               6           3
RTS              7           7
DCD              8           1
N/A              9

Table 237 Ethernet Cable Pin Assignments
WAN / LAN ETHERNET CABLE PIN LAYOUT
Straight-through: (Switch) / (Adapter)   Crossover: (Switch) / (Switch)
1 IRD + 1 OTD + 1 IRD + 1 I
PART VIII Appendices

Pop-up Windows, JavaScripts and Java Permissions (583)
Setting up Your Computer’s IP Address (589)
IP Addresses and Subnetting (605)
Common Services (613)
Wireless LANs (617)
Brute-Force Password Guessing Protection (633)
Legal Information (635)
Customer Support (639)
Index (641)
APPENDIX A Pop-up Windows, JavaScripts and Java Permissions

In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).

Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device.
1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.

Figure 385 Internet Options

3 Click Apply to save this setting.

Enable pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
Figure 386 Internet Options

3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1.
4 Click Add to move the IP address to the list of Allowed sites.
5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.

JavaScripts

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
1 In Internet Explorer, click Tools, Internet Options and then the Security tab.

Figure 388 Internet Options

2 Click the Custom Level... button.
3 Scroll down to Scripting.
Figure 389 Security Settings - Java Scripting

Java Permissions
1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.
JAVA (Sun)
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for
APPENDIX B Setting up Your Computer’s IP Address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
Figure 392 Windows 95/98/Me: Network: Configuration

Installing Components

The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:
1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.
Configuring
1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
• If your IP address is dynamic, select Obtain an IP address automatically.
• If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.

Figure 393 Windows 95/98/Me: TCP/IP Properties: IP Address

3 Click the DNS Configuration tab.
Figure 394 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

4 Click the Gateway tab.
• If you do not know your gateway’s IP address, remove previously installed gateways.
• If you have a gateway IP address, type it in the New gateway field and click Add.
5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your LAN-Cell and restart your computer when prompted.
Figure 395 Windows XP: Start Menu

2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).

Figure 396 Windows XP: Control Panel

3 Right-click Local Area Connection and then click Properties.
Figure 397 Windows XP: Control Panel: Network Connections: Properties

4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.

Figure 398 Windows XP: Local Area Connection Properties

5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
• If you have a dynamic IP address click Obtain an IP address automatically.
Figure 399 Windows XP: Internet Protocol (TCP/IP) Properties

6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
Do one or more of the following if you want to configure additional IP addresses:
• In the IP Settings tab, in IP addresses, click Add.
• In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
Figure 400 Windows XP: Advanced TCP/IP Properties

7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
• Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
Figure 401 Windows XP: Internet Protocol (TCP/IP) Properties

8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
11 Turn on your LAN-Cell and restart your computer (if prompted).
Figure 402 Macintosh OS 8/9: Apple Menu

2 Select Ethernet built-in from the Connect via list.

Figure 403 Macintosh OS 8/9: TCP/IP

3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your LAN-Cell in the Router address box.
5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
7 Turn on your LAN-Cell and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the TCP/IP Control Panel window.
Figure 405 Macintosh OS X: Network

4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your LAN-Cell in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your LAN-Cell and restart your computer (if prompted).
Note: Make sure you are logged in as the root administrator.

Using the K Desktop Environment (KDE)

Follow the steps below to configure your computer IP address using the KDE.
1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.

Figure 406 Red Hat 9.0: KDE: Network Configuration: Devices

2 Double-click on the profile of the network card you wish to configure.
• If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
• If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
3 Click OK to save the changes and close the Ethernet Device General screen.
4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen.
Figure 410 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
USERCTL=no
PEERDNS=yes
TYPE=Ethernet

• If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The following example shows a static setting where the IP address is 192.168.1.10 and the subnet mask is 255.255.255.0.
Verifying Settings

Enter ifconfig in a terminal screen to check your TCP/IP properties.

Figure 414 Red Hat 9.0: Checking TCP/IP Properties
[root@localhost]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44
          inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.
APPENDIX C IP Addresses and Subnetting

This appendix introduces IP addresses, IP address classes and subnet masks. You use subnet masks to subdivide a network into smaller logical networks.

Introduction to IP Addresses

An IP address has two parts: the network number and the host ID. Routers use the network number to send packets to the correct network, while the host ID identifies a single device on the network.
Table 238 Classes of IP Addresses (continued)
IP ADDRESS   OCTET 1          OCTET 2          OCTET 3          OCTET 4
Class B      Network number   Network number   Host ID          Host ID
Class C      Network number   Network number   Network number   Host ID

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 for example).
Subnet masks are expressed in dotted decimal notation just like IP addresses. The “natural” masks for class A, B and C IP addresses are as follows.

Table 240 “Natural” Masks
CLASS   NATURAL MASK
A       255.0.0.0
B       255.255.0.0
C       255.255.255.0

Subnetting

With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID.
Example: Two Subnets

As an example, you have a class “C” address 192.168.1.0 with subnet mask of 255.255.255.0.

Table 242 Two Subnets Example
IP/SUBNET MASK         NETWORK NUMBER                 HOST ID
IP Address             192.168.1.                     0
IP Address (Binary)    11000000.10101000.00000001.    00000000
Subnet Mask            255.255.255.                   0
Subnet Mask (Binary)   11111111.11111111.11111111.    00000000

The first three octets of the address make up the network number (class “C”).
Table 244 Subnet 2 (continued)
IP/SUBNET MASK   NETWORK NUMBER   LAST OCTET BIT VALUE
Subnet Address: 192.168.1.128   Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.255   Highest Host ID: 192.168.1.254

Host IDs of all zeros represent the subnet itself and host IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet in the example above is 2^7 – 2 or 126 hosts for each subnet.

192.168.1.
Table 247 Subnet 3
IP/SUBNET MASK         NETWORK NUMBER                 LAST OCTET BIT VALUE
IP Address             192.168.1.                     128
IP Address (Binary)    11000000.10101000.00000001.    10000000
Subnet Mask (Binary)   11111111.11111111.11111111.    11000000
Subnet Address: 192.168.1.128   Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191   Highest Host ID: 192.168.1.190

Table 248 Subnet 4
IP/SUBNET MASK         NETWORK NUMBER                 LAST OCTET BIT VALUE
IP Address             192.168.1.
Table 250 Class C Subnet Planning (continued)
NO. “BORROWED” HOST BITS   SUBNET MASK             NO. SUBNETS   NO. HOSTS PER SUBNET
3                          255.255.255.224 (/27)   8             30
4                          255.255.255.240 (/28)   16            14
5                          255.255.255.248 (/29)   32            6
6                          255.255.255.252 (/30)   64            2
7                          255.255.255.254 (/31)   128           1

Subnetting With Class A and Class B Networks.
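The subnet tables above can be regenerated for any number of borrowed bits. The following Python example is added here and is not from the manual: to_binary() produces the "(Binary)" rows, plan() one row of the class C subnet planning table, and subnets_of() the subnet address, lowest and highest host ID and broadcast address of each subnet, reproducing the Subnet 2 and Subnet 3 values shown. The one-host-bit (/31) row is made to report 1 host as the manual's table does; strict 2^n - 2 arithmetic would give 0.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

CLASS_C_PREFIX = 24   # natural class C mask 255.255.255.0


@dataclass(frozen=True)
class Subnet:
    address: str
    lowest_host: str
    highest_host: str
    broadcast: str


def to_binary(addr: str) -> str:
    """Dotted binary form, as in the manual's '(Binary)' rows."""
    return ".".join(f"{octet:08b}" for octet in IPv4Address(addr).packed)


def plan(borrowed: int, class_prefix: int = CLASS_C_PREFIX) -> tuple[str, int, int, int]:
    """One row of the subnet planning table: (mask, /prefix, subnets, hosts per subnet).

    Each borrowed host bit lengthens the mask by one bit and doubles the
    number of subnets; usable hosts are 2^host_bits - 2 because the
    all-zeros host ID names the subnet and all-ones is its broadcast.
    The single-host-bit row follows the manual's table (1 host) rather
    than that arithmetic, which would give zero.
    """
    prefix = class_prefix + borrowed
    host_bits = 32 - prefix
    mask = str(IPv4Network(f"0.0.0.0/{prefix}").netmask)
    hosts = 2 ** host_bits - 2 if host_bits > 1 else host_bits
    return mask, prefix, 2 ** borrowed, hosts


def subnets_of(network: str, borrowed: int) -> list[Subnet]:
    """Address, lowest/highest host ID and broadcast of every subnet."""
    result = []
    for sub in IPv4Network(network).subnets(prefixlen_diff=borrowed):
        first = sub.network_address + 1          # all-zeros host ID is the subnet itself
        last = sub.broadcast_address - 1         # all-ones host ID is the broadcast
        result.append(Subnet(str(sub.network_address), str(first), str(last), str(sub.broadcast_address)))
    return result


if __name__ == "__main__":
    print(to_binary("192.168.1.0"), to_binary("255.255.255.128"))
    for n in range(1, 8):
        mask, prefix, subnets, hosts = plan(n)
        print(f"{n} borrowed bits: {mask} (/{prefix}) {subnets:3} subnets, {hosts:3} hosts each")
    for s in subnets_of("192.168.1.0/24", 2):
        print(s)
```

plan() is written for the class C case the tables use, but passing class_prefix=16 or 8 gives the class B and class A rows by the same arithmetic.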
APPENDIX D Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.
• Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
• Protocol: This is the type of IP protocol used by the service.
Table 252 Commonly Used Services (continued)
NAME    PROTOCOL   PORT(S)   DESCRIPTION
FTP     TCP        20, 21    File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.323   TCP        1720      NetMeeting uses this protocol.
HTTP    TCP        80        Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS   TCP        443       HTTPS is a secured http session often used in e-commerce.
Table 252 Commonly Used Services (continued)
NAME      PROTOCOL   PORT(S)   DESCRIPTION
RTELNET   TCP        107       Remote Telnet.
RTSP      TCP/UDP    554       The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP      TCP        115       Simple File Transfer Protocol.
SMTP      TCP        25        Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
APPENDIX E Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
Figure 416 Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
Figure 417 Infrastructure WLAN

Channel

A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.
Figure 418 RTS/CTS

When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations. RTS/CTS is designed to prevent collisions due to hidden nodes.
If the Fragmentation Threshold value you set is smaller than the RTS/CTS value (see previously), the RTS (Request To Send)/CTS (Clear To Send) handshake will never occur, because data frames will be fragmented before they reach the RTS/CTS size.

Preamble Type

A preamble is used to signal that data is coming to the receiver. Short and Long refer to the length of the synchronization field in a packet.
Wireless security methods available on the LAN-Cell are data encryption, wireless client authentication, restricting access by device MAC address and hiding the LAN-Cell identity. The following table shows the relative effectiveness of these wireless security methods available on your LAN-Cell.

Table 254 Wireless Security Levels

SECURITY LEVEL   SECURITY TYPE
Least Secure     Unique SSID (Default)
                 Unique SSID with Hide SSID Enabled
                 MAC Address Filtering
                 WEP Encryption
                 IEEE802.
Determines the network services available to authenticated users once they are connected to the network.

• Accounting

Keeps track of the client's network activity.

RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.
For the EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called a digital ID) can be used to authenticate users; a CA issues certificates and guarantees the identity of each certificate owner.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client.
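The challenge/response exchange described above, modelled as an added Python example (not code from the LAN-Cell guide or from Proxicast). It follows the MD5-Challenge method of RFC 3748: the RADIUS server issues a random challenge, the client answers with MD5(Identifier || password || challenge), and the AP only relays the frames. The class and function names, the user names and the passwords are constructed for the example. Running it shows why the method is one-way: the client never learns anything about who issued the challenge, and the server must hold the password itself to check the answer.

```python
import hashlib
import hmac
import os


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    # EAP-MD5 Response value (RFC 3748 MD5-Challenge): MD5(Identifier || password || challenge).
    # This is the same construction CHAP uses (RFC 1994).
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class RadiusServer:
    """Stand-in for the network RADIUS server (hypothetical class).
    It keeps the user's password itself, because MD5-Challenge cannot be verified
    from a salted hash: the server must recompute MD5 over the cleartext password."""

    def __init__(self, users: dict):
        self.users = users        # username -> password bytes (constructed sample data)
        self.pending = {}         # username -> (identifier, challenge) awaiting a response

    def make_challenge(self, username: str, identifier: int) -> bytes:
        # A fresh random challenge per attempt means a captured response cannot be replayed.
        challenge = os.urandom(16)
        self.pending[username] = (identifier, challenge)
        return challenge          # carried to the client inside EAP-Request/MD5-Challenge

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        if username not in self.pending or username not in self.users:
            return False
        expected_id, challenge = self.pending.pop(username)   # single use
        if expected_id != identifier:
            return False
        expected = md5_challenge_response(identifier, self.users[username], challenge)
        return hmac.compare_digest(expected, response)       # constant-time comparison


class WirelessClient:
    """The supplicant side (hypothetical class)."""

    def __init__(self, username: str, password: bytes):
        self.username, self.password = username, password

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        # Nothing in the challenge proves where it came from: MD5-Challenge authenticates
        # the client to the server only, which is what makes the method one-way.
        return md5_challenge_response(identifier, self.password, challenge)


def run_eap_md5(server: RadiusServer, client: WirelessClient, identifier: int = 1) -> bool:
    """Relay the exchange the way the AP does: it forwards frames without interpreting them."""
    challenge = server.make_challenge(client.username, identifier)  # EAP-Request/MD5-Challenge
    response = client.respond(identifier, challenge)                 # EAP-Response/MD5-Challenge
    return server.verify(client.username, identifier, response)      # Access-Accept / Access-Reject


def demo() -> tuple:
    """Constructed run: the right password is accepted, a wrong one is rejected."""
    server = RadiusServer({"alice": b"correct horse battery"})
    return (run_eap_md5(server, WirelessClient("alice", b"correct horse battery")),
            run_eap_md5(server, WirelessClient("alice", b"wrong password")))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the server needs the cleartext password and the client cannot authenticate the server, EAP-MD5 is only suitable where the link between client and RADIUS server is already trusted; the certificate-based EAP-TLS above avoids both limitations.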
Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or re-authentication times out. A new WEP key is generated each time re-authentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys there, but they will not be used while Dynamic WEP is enabled.
Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use the Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server.
Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.
4 The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them.

Figure 420 WPA(2)-PSK Authentication

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each Authentication Method/key management protocol type. MAC address filters are not dependent on how you configure these security features.
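The keys that WPA(2)-PSK authentication ends with, as an added Python example that is not from the LAN-Cell guide or from Proxicast. The guide does not spell out the derivation; the example follows IEEE 802.11i, which is where the steps come from: the passphrase and SSID give the Pairwise Master Key through PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes), and the 4-way handshake turns that shared PMK into a per-session Pairwise Transient Key using both MAC addresses and both nonces. The MAC addresses and nonces below are constructed values, and the function names are assumptions. The first passphrase/SSID pair is the published test vector from the standard.

```python
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-PSK (IEEE 802.11i):
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID acts as the salt, so the same passphrase on two networks gives two PMKs."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the 4-way handshake (512 bits for TKIP; CCMP uses the
    first 384: KCK, KEK and the 128-bit temporal key). Min/Max ordering of the addresses
    and nonces lets the AP and the client compute the same key from the same inputs."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def session_keys_differ(passphrase: str, ssid: str) -> bool:
    """Two clients sharing one passphrase still end up with different session keys,
    because their MAC addresses and the fresh nonces feed the PTK. Constructed sample values."""
    pmk = wpa_psk(passphrase, ssid)
    ap = bytes.fromhex("020000000001")                 # constructed locally administered MACs
    sta1, sta2 = bytes.fromhex("020000000002"), bytes.fromhex("020000000003")
    anonce = bytes(range(32))                          # AP nonce, constructed
    snonce1, snonce2 = bytes([0xA1] * 32), bytes([0xB2] * 32)   # client nonces, constructed
    ptk1 = wpa_ptk(pmk, ap, sta1, anonce, snonce1)
    ptk2 = wpa_ptk(pmk, ap, sta2, anonce, snonce2)
    return ptk1 != ptk2


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())   # 802.11i test vector
    print(session_keys_differ("password", "IEEE"))
```

The 4096 PBKDF2 iterations are a fixed cost for anyone who tries passphrases, which is why the passphrase itself, not the derivation, decides how much protection WPA-PSK gives: choose a long one, and keep in mind that the SSID salt only separates networks, it adds no secrecy.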
In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.
3 The adjacent access points should use different radio channels when their coverage areas overlap.
4 All access points must use the same port number to relay roaming information.
5 The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment.

Antenna Overview

An antenna couples RF signals onto air.
Types of Antennas for WLAN

There are two types of antennas used for wireless LAN applications.

• Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut), which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
COUNTRY        COUNTRY CODE
Finland        240
France         219
Germany        237
Greece         247
Hong Kong      242
Hungary        229
India          214
Ireland        235
Israel         226
Italy          236
Japan          234
Malaysia       232
Morocco        239
Netherlands    253
New Zealand    243
Norway         245
Peru           209
Philippines    216
Poland         231
Portugal       220
Romania        207
Russia         230
S.Africa       254
S.
APPENDIX F Brute-Force Password Guessing Protection

Brute-force password guessing protection allows you to specify a wait-time that must expire before a fourth password can be entered after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See Section 39.1 on page 543 for information on the command structure.
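The protection described above, modelled as an added Python example (not the LAN-Cell's own code and not its command syntax): three wrong passwords start a wait-time, and during it every attempt is refused, including one with the correct password. The 60-second wait, the restart of the failure count once the wait expires, the log wording, and the class and method names are assumptions made for the example; the password and guesses are constructed.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class BruteForceGuard:
    """Hypothetical model of brute-force password guessing protection: after
    max_failures wrong passwords, every attempt is refused until wait_seconds elapse."""
    secret: bytes
    wait_seconds: int = 60      # assumed default; the guide makes the wait-time configurable
    max_failures: int = 3       # from the guide: three incorrect passwords, then a wait
    enabled: bool = True        # the guide provides commands to enable/disable the mechanism
    failures: int = 0
    locked_until: float = 0.0
    events: list = field(default_factory=list)   # what an administrator would see in the log

    def attempt(self, password: bytes, now: float) -> str:
        """Return 'OK', 'FAILED' or 'LOCKED'. `now` is a timestamp in seconds."""
        if self.enabled and now < self.locked_until:
            self.events.append(f"t={now:.0f}s refused: wait-time active for "
                               f"{self.locked_until - now:.0f}s more")
            return "LOCKED"
        # Constant-time comparison, so timing leaks nothing about how close a guess was.
        if hmac.compare_digest(password, self.secret):
            self.failures = 0
            self.events.append(f"t={now:.0f}s login ok")
            return "OK"
        self.failures += 1
        self.events.append(f"t={now:.0f}s wrong password ({self.failures}/{self.max_failures})")
        if self.enabled and self.failures >= self.max_failures:
            self.locked_until = now + self.wait_seconds
            self.failures = 0   # assumption: the count restarts once the wait has expired
            self.events.append(f"t={now:.0f}s brute-force protection: wait "
                               f"{self.wait_seconds}s before the next password")
        return "FAILED"


def demo() -> list:
    """Constructed sequence: three guesses, a refused attempt, then success after the wait."""
    guard = BruteForceGuard(secret=b"correct-password", wait_seconds=60)
    return [guard.attempt(b"guess1", 0),
            guard.attempt(b"guess2", 1),
            guard.attempt(b"guess3", 2),              # third failure: wait-time starts
            guard.attempt(b"correct-password", 10),   # right password, but inside the wait
            guard.attempt(b"correct-password", 62)]   # wait expired, accepted


if __name__ == "__main__":
    print(demo())   # ['FAILED', 'FAILED', 'FAILED', 'LOCKED', 'OK']
```

The events list is the part worth watching in practice: a burst of "wrong password" entries followed by the wait-time message is the signature of a guessing attempt against the management interface, and it is visible whether or not the guess eventually succeeds.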
APPENDIX G Legal Information

Copyright

Copyright © 2007-2009 by Proxicast, LLC. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of Proxicast, LLC. Published by Proxicast, LLC. All rights reserved.
If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
1 Reorient or relocate the receiving antenna.
2 Increase the separation between the equipment and the receiver.
3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. Proxicast shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.
APPENDIX H Customer Support

Online Web Support

Please refer to support.proxicast.com for additional support documentation and access to our Knowledgebase, which contains many resources such as TechNotes, Frequently Asked Questions, sample configurations and firmware updates.

E-Mail Support

Support E-mail: support@proxicast.com

Please provide the following information when you contact customer support:
• Product model and serial number.
Index

Symbols #777 54 *99# 54 Numerics 1xRTT 53 3G introduction 114 3G modem 27, 53 3G WAN Applications 28 3G. see third generation 114 802.11 Country Code 162 802.11 See also WLAN. 9600 baud 413 A Access point 138 See also AP. Access Point Name 54 active protocol 252 AH 252 and encapsulation 252 ESP 252 Address Assignment 103 Address Assignment, DNS 307 Advanced Encryption Standard See AES.
scheduler 351, 355 statistics 361 sub-class layers 356 Basic Service Set, See BSS 617 baud 413 broadcast 80 BSS 617 budget management 545 Budget, Cell-Sentry 118 Budget, PPPoE 468 C CA 255, 624 cable-ties 32, 575 call back delay 431 call control 545 Call Detail Record 522 call history 546 call scheduling 563 max number of schedule sets 563 PPPoE 565 precedence 563 setting up a schedule 564 call-triggering packet 525 Card-Guard 575 Card-Lock 32, 575 CDMA 53, 54, 115 CDR 522 Cell-Sentry 118, 124 cellu
device introduction 27 DHCP 47, 79, 80, 316, 443 Relay 443 Server 443 WAN 527 DHCP clients 398 DHCP table 47 diagnostic 526 dial backup AT command strings 124 DTR signal 125 response strings 125 dial timeout 431 Dial-Backup Budget 124 Diffie-Hellman key group 245 Perfect Forward Secrecy (PFS) 253 disclaimer 635 DMZ IP alias setup 455 port filter setup 453 setup 453 TCP/IP setup 454 DNS 336 DNS Server For VPN Host 308 DNS server address assignment 103 DNS service 296 domain name 520 Domain Name System
activating 497 address type 190 anti-probing 191 creating/editing rules 188 custom ports 195 DoS 193 DoS threshold 193 maximum incomplete high 193 maximum incomplete low 193 one minute high 193 one minute low 193 rules 181 rules for VPN 66, 70 service type 195 SMT menus 497 stateful inspection 181 TCP maximum incomplete 193 three-way handshake 207 threshold 192 VPN 70 when to use 511 firmware determining version 41 file maintenance 529 upload 403 firmware upload 537 FTP 537 flow control 413 fragmentati
assignment 448, 470 default 575 pool 79, 82, 131, 140, 443 private 78 IP alias 445 IP alias setup 445 DMZ 455 IP policy routing 343, 555 IP protocol type 190 IP routing policy 555 IP static route 473 active 474 destination IP address 474 name 474 route number 474 IPSec 209 high availability 249 IPSec SA active protocol 252 authentication algorithms 244, 250 authentication key (manual keys) 253 encapsulation 252 encryption algorithms 244, 250 encryption key (manual keys) 253 local policy 250 manual ke
configuring 479 default server IP address 295 definitions 302 examples 487 how NAT works 303 in the SMT 477 inside global address 302 inside local address 302 Many to Many No Overload 289 Many to Many Overload 289 Many to One 289 mapping types 289 NAT unfriendly applications 492 One to One 289 ordering rules 482 port forwarding 295 port restricted cone 304 Server 289 server set 479 Single User Account 290 trigger port forwarding 494 what NAT does 302 NAT traversal 248 NBNS 80, 82 NetBIOS 82 NetBIOS N
R RADIUS 622 and IKE SA 247 message types 623 messages 623 shared secret key 623 RADIUS server 147, 164 Real time Transport Protocol. See RTP.
hidden menus 414 initial screen 413 login screen 414 main menu commands 414 menu overview 417 navigation 414 password 414 required fields 415 SMTP service 296 SNMP 333 community 515 configuration 515 Get 334 GetNext 334 manager 334 MIB 334 password 515 Set 334 Trap 334 trusted host 515 SNMP service 296 source address 190 source-based routing 343 Sprint 54 SSH 330 how SSH works 337 implementation 330 SSID 138 hide 147, 163 SSID profile 152, 168 stateful inspection firewall 181 Static IP 54, 117 static
user authentication 147, 164 local (user) database 147, 164 RADIUS server 147, 164 weaknesses 148, 164 user profiles 283 V Verizon Wireless 54 virtual interfaces vs asymmetrical routes 206 vs triangle routes 206 Virtual Private Network. See VPN. VLAN, see IP alias. Vodafone 54 VPN 110, 209 active protocol 252 adjust TCP maximum segment size 235 and NAT 248 and the firewall 66 certificate 216 established in two phases 210 gateway policy 57, 210, 212, 213 high availability 249 IPSec 209 IPSec SA.
www.dyndns.