Netopia® Firmware User Guide 3300-ENT
4-4 Firmware User Guide Exterior addresses are allocated to internal hosts on a demand, or as-needed, basis and then made available when traffic from t
Multiple Network Address Translation 4-5 Complex maps Map lists and server lists are completely independent of each other. A Connection Profile can use
4-6 Firmware User Guide Support for Yahoo Messenger Netopia Firmware Version 8.7 provides Application Level Gateway (ALG) support for Yahoo Messenger.
Multiple Network Address Translation 4-7 The two map lists, Easy-PAT List and Easy-Servers, are created by default and NAT configuration becomes effec
4-8 Firmware User Guide Select Network Address Translation (NAT) and press Return. The Network Address Translation screen appears. Public Range defines a
Multiple Network Address Translation 4-9 NAT rules The following rules apply to assigning NAT ranges and server lists: • Static public address ranges m
4-10 Firmware User Guide Select First Public Address and enter the first exterior IP address in the range you want to assign. Select Last Public Addres
Multiple Network Address Translation 4-11 • Select First and Last Private Address and enter the first and last interior IP addresses you want to assig
4-12 Firmware User Guide • The Add NAT Map screen now displays the range you have assigned. • Select ADD NAT MAP and press Return. Your mapping is adde
Multiple Network Address Translation 4-13 The Show/Change NAT Map List screen appears. • Add Map allows you to add a new map to the map list. • Show/Ch
Introduction 1-1 Chapter 1 Introduction This Firmware User Guide covers the advanced features of the Netopia ENT Enterprise-Series Router family.
4-14 Firmware User Guide The Change NAT Map screen appears. Make any modifications you need and then select CHANGE NAT MAP and press Return. Your change
Multiple Network Address Translation 4-15 Adding Server Lists Server lists, also known as Exports, are handled similarly to map lists. If you want to
4-16 Firmware User Guide • Select External Service and press Return. A pop-up menu appears listing a selection of commonly exported services. • Choose
Multiple Network Address Translation 4-17 • Enter the First and Last Port Number between ports 1 and 65535. Select OK and press Return. You will be r
4-18 Firmware User Guide • Choose the protocol from the pop-up menu: TCP and UDP, TCP only, or UDP only. • Enter the Internal Port Start, if different
Multiple Network Address Translation 4-19 The Show/Change NAT Server List screen appears. • Selecting Show/Change Server or Delete Server displays th
4-20 Firmware User Guide Select any server from the list and press Return. The Change NAT Server screen appears. You can make changes to the server’s s
Multiple Network Address Translation 4-21 A pop-up menu lists your configured servers. Select the one you want to delete and press Return. A dialog bo
4-22 Firmware User Guide Binding Map Lists and Server Lists Once you have created your map lists and server lists, for most Netopia Router models you m
Multiple Network Address Translation 4-23 • Select the map list you want to bind to this Connection Profile and press Return. The map list you selecte
1-2 Firmware User Guide Telnet-based Management Telnet-based management is a fast menu-driven interface for the capabilities built into the Netopia
4-24 Firmware User Guide IP Parameters (WAN Default Profile) The Netopia Firmware Version 8.7 using RFC 1483 supports a WAN default profile that permits
Multiple Network Address Translation 4-25 • Select the map list you want to bind to the default profile and press Return. The map list you selected wi
4-26 Firmware User Guide NAT Associations Configuration of map and server lists alone is not sufficient to enable NAT for a WAN connection because map an
Multiple Network Address Translation 4-27 • Select the list name you want to assign and press Return again. Your selection will then be associated wi
4-28 Firmware User Guide IP Passthrough Netopia Firmware Version 8.7 offers an IP passthrough feature. The IP passthrough feature allows for a single P
Multiple Network Address Translation 4-29 The IP Profile Parameters screen, found under the WAN Configuration menu, Add/Change Connection Profile screen
4-30 Firmware User Guide Toggling IP Passthrough DHCP Enabled to Yes displays the IP Passthrough DHCP MAC address field. This is an editable field in w
Multiple Network Address Translation 4-31 A restriction Since both the router and the passthrough host will use same IP address, new sessions that con
4-32 Firmware User Guide MultiNAT Configuration Example To help you understand a typical MultiNAT configuration, this section describes an example of the
Multiple Network Address Translation 4-33 Enter your ISP-supplied values as shown below. Select NEXT SCREEN and press Return. Your IP values are shown
Introduction 1-3 • The WAN Configuration menu displays and permits changing your connection profile(s), Virtual Private Networks (VPNs) and default
4-34 Firmware User Guide Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned for your public add
Multiple Network Address Translation 4-35 Select ADD NAT PUBLIC RANGE and press Return. You are returned to the Network Address Translation screen. Ne
4-36 Firmware User Guide • First, navigate to the Show/Change Map List screen, select Easy-PAT List and then Show/Change Maps. Choose the Static Map y
Virtual Private Networks (VPNs) 5-1 Chapter 5 Virtual Private Networks (VPNs) The Netopia Firmware Version 8.7 offers IPsec, PPTP, and ATMP tunneling s
5-2 Firmware User Guide Netopia Firmware Version 8.7 can be used in VPNs either to initiate the connection or to answer it. When used in this way, the
Virtual Private Networks (VPNs) 5-3 leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receivi
5-4 Firmware User Guide About PPTP Tunnels To set up a PPTP tunnel, you create a Connection Profile including the IP address and other relevant informat
Virtual Private Networks (VPNs) 5-5 When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then
5-6 Firmware User Guide Note: Netopia Firmware Version 8.7 supports 128-bit (“strong”) encryption. Unlike MS-CHAP version 1, which supports one-way au
Virtual Private Networks (VPNs) 5-7 The IP Profile Parameters screen appears. • Enter the Remote IP Address and Remote IP Mask for the host to which yo
1-4 Firmware User Guide Connecting through a Telnet Session Features of Netopia Firmware Version 8.7 can be configured through the Telnet screens. Bef
5-8 Firmware User Guide About L2TP Tunnels L2TP stands for Layer 2 Tunnelling Protocol, an extension to the PPP protocol. L2TP combines features of two
Virtual Private Networks (VPNs) 5-9 When you define a Connection Profile as using L2TP by selecting L2TP as the datalink encapsulation method, and then
5-10 Firmware User Guide • You can specify that this Router will Initiate Connections (acting as a PAC) or only answer them (acting as a PNS). • Tunnel
Virtual Private Networks (VPNs) 5-11 About GRE Tunnels Generic Routing Encapsulation (GRE) protocol is another form of tunneling that Netopia routers
5-12 Firmware User Guide • Enter a GRE Partner IP Address in standard dotted-quad format to specify the address of the other end of the tunnel. • You c
Virtual Private Networks (VPNs) 5-13 The IP Profile Parameters screen appears. • Enter the Remote IP Address and Remote IP Mask for the host to which y
5-14 Firmware User Guide VPN force-all GRE tunnelling supports “VPN force-all,” which forces all traffic coming from the LAN onto the GRE tunnel. You ac
Virtual Private Networks (VPNs) 5-15 About ATMP Tunnels To set up an ATMP tunnel, you create a Connection Profile including the IP address and other re
5-16 Firmware User Guide When you define a Connection Profile as using ATMP by selecting ATMP as the datalink encapsulation method, and then select Data
Virtual Private Networks (VPNs) 5-17 • You can specify that this Router will Initiate Connections, acting as a foreign agent (Yes), or only answer t
Introduction 1-5 Navigating through the Telnet Screens Use your keyboard to navigate the Netopia Firmware Version 8.7’s configuration screens, enter an
5-18 Firmware User Guide MS-CHAP V2 and 128-bit strong encryption Notes: • Netopia Firmware Version 8.7 supports 128-bit (“strong”) encryption when usin
Virtual Private Networks (VPNs) 5-19 • Toggle Answer ATMP/PPTP Connections to Yes if you want the Router to accept VPN connections or No (the defau
5-20 Firmware User Guide VPN QuickView You can view the status of your VPN connections in the VPN QuickView screen. From the Main Menu select QuickView
Virtual Private Networks (VPNs) 5-21 Dial-Up Networking for VPN Microsoft Windows Dial-Up Networking software permits a remote standalone workstation
5-22 Firmware User Guide The Communications window appears. 5. In the Communications window, select Dial-Up Networking and click the OK button. This ret
Virtual Private Networks (VPNs) 5-23 Configuring a Dial-Up Networking profile Once you have created your Dial-Up Networking profile, you configure it for
5-24 Firmware User Guide 4. Click the TCP/IP Settings button. • If your ISP uses dynamic IP addressing (DHCP), select the Server assigned IP address r
Virtual Private Networks (VPNs) 5-25 Connecting using Dial-Up Networking A Dial-Up Networking connection will be automatically launched whenever you r
5-26 Firmware User Guide Select Display/Change Input Filter. Display/Change Input Filter screen Select Input Filter 1 and press Return. In the Change In
Virtual Private Networks (VPNs) 5-27 In the Display/Change Filter Set screen select Display/Change Output Filter. Display/Change Output Filter screen
5-28 Firmware User Guide Select Output Filter 2 and press Return. In the Change Output Filter 2 screen, set the Protocol Type to allow GRE as shown be
Virtual Private Networks (VPNs) 5-29 Select Display/Change Input Filter. Display/Change Input Filter screen Select Input Filter 1 and press Return. In
5-30 Firmware User Guide In the Display/Change IP Filter Set screen select Display/Change Output Filter. Display/Change Output Filter screen
Virtual Private Networks (VPNs) 5-31 Select Output Filter 1 and press Return. In the Change Output Filter 1 screen, set the Protocol Type and Destina
5-32 Firmware User Guide Windows Networking Broadcasts Netopia firmware provides the ability to forward Windows Networking NetBIOS broadcasts. This is u
Virtual Private Networks (VPNs) 5-33 Configuration for Router A Configuration for Router B IP Profile Parameters Rem
5-34 Firmware User Guide Note: Microsoft Network browsing is available with or without a Windows Internet Name Service (WINS) server. Shared volumes o
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-1 Chapter 6 Internet Key Exchange (IKE) IPsec Key Management for VPNs IPsec stands for IP S
6-2 Firmware User Guide The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec secure communicat
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-3 The Add Connection Profile screen appears. • From the Encapsulation Type pop-up menu sele
WAN Configuration 2-1 Chapter 2 WAN Configuration This chapter describes how to use the Telnet-based management screens to access and configure advanced f
6-4 Firmware User Guide • A pop-up window displays a list of IKE Phase 1 Profiles that you have configured. If you have not previously configured an IKE
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-5 • The Profile Name field accepts any name of up to 16 characters. Sixteen IKE Phase 1 pro
6-6 Firmware User Guide • If you select Xauth Options the Xauth Options screen appears. Extended Authentication (Xauth), is an extension to the IKE pro
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-7 • VPN concentrator – This configures Xauth to expect to receive authentication credentia
6-8 Firmware User Guide Normally it is not necessary to change the settings of the items on the Advanced IKE Phase 1 Options screen. Most of these set
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-9 • Traffic based Dead Peer Detection The default is No. Toggling this option to Yes allow
6-10 Firmware User Guide Selecting Display/Change IKE Phase 1 Profile or Delete IKE Phase 1 Profile displays an IKE Phase 1 Profile pop-up menu listing t
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-11 Key Management You specify your IKE key management on a per-Connection Profile basis. Yo
6-12 Firmware User Guide Note: The Change Connection Profile screen will offer different options, depending on the model of gateway you are using. You
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-13 The Key Management pop-up menu at the top of the IPsec Tunnel Options screen allows yo
2-2 Firmware User Guide WAN Ethernet Configuration screen The WAN Ethernet Configuration screen appears as follows: • Address Translation Enabled allows y
6-14 Firmware User Guide • The ESP Authentication Transform pop-up menu (which is visible only if you have selected ESP or AH+ESP encapsulation) allow
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-15 • Dead Peer Detection toggles whether or not the Router will detect a remote peer bein
6-16 Firmware User Guide Note: • ICMP Dead Peer Detection is not available when using manual re-keying. • ICMP Dead Peer Detection does not initiate a s
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-17 This feature allows you to define many local and remote network ranges for a given IPse
6-18 Firmware User Guide • If you choose Subnet, you must enter the Remote Member Address and the subnet mask that is the Remote Member Mask. Enter the
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-19 • Scroll down and up with the arrow keys to select the one you want to change, and pre
6-20 Firmware User Guide • Specifying IKE key management alters the Advanced IP Profile Options screen as follows: • You can specify a Local Tunnel Endp
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-21 IPsec WAN Configuration Screens You can also configure IKE Phase 1 Profiles in the WAN Con
6-22 Firmware User Guide The IKE Phase 1 Configuration screen allows configuration of global (non-connection-profile-specific) IPsec parameters. This scre
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-23 Select IPsec Manual Keys and press Return. Depending on your selections of Encapsulatio
WAN Configuration 2-3 • The WAN Ethernet Speed Setting is configurable via a pop-up menu. Options are: • Auto-Negotiation (the default) • 100 Mbps Full
6-24 Firmware User Guide If the remote tunnel end point is a hostname (or “0.0.0.0”) 0.0.0.0 is displayed until a Security Association is established.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 6-25 IKE: no matching ph2 proposal Either the local Router rejected the proposals of the re
IP Setup 7-1 Chapter 7 IP Setup Netopia Firmware Version 8.7 uses Internet Protocol (IP) to communicate both locally and with remote networks. This cha
7-2 Firmware User Guide IP Setup The IP Setup options screen is where you configure the Ethernet side of the Router. The information you enter here cont
IP Setup 7-3 The Netopia Firmware Version 8.7 supports multiple IP subnets on the Ethernet interface. You may want to configure multiple IP subnets to
7-4 Firmware User Guide • If you select IP Address Serving you will be taken to the IP Address Serving screen (see “IP Address Serving” on page 7-17).
IP Setup 7-5 For example: • To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing
7-6 Firmware User Guide If you have configured multiple Ethernet IP subnets, the IP Setup screen changes slightly: The IP address and Subnet mask items
IP Setup 7-7 The Static Routes screen will appear. Viewing static routes To display a view-only table of static routes, select Display/Change Static Ro
Copyright Copyright© 2006, Netopia, Inc. Netopia, the Netopia logo, Broadband Without Boundaries, and 3-D Reach are registered trademarks belonging t
2-4 Firmware User Guide The Transmit RIP pop-up menu is hidden if NAT is enabled. Routing Information Protocol (RIP) is needed if there are IP routers
7-8 Firmware User Guide Subnet Mask: The subnet mask associated with the destination network. Next Gateway: The IP address of the gateway that will be
IP Setup 7-9 • To make sure that the static route is known only to the Router, select Advertise Route Via RIP and toggle it to No. To allow other RIP
7-10 Firmware User Guide RIP Options Netopia Firmware Version 8.7 supports RIP-2 MD5 Authentication (RFC2082 Routing Internet Protocol Version 2, Messa
IP Setup 7-11 • Select RIP Options. The Ethernet LAN RIP Options screen appears. • Select Receive RIP, and from the pop-up menu choose v2 MD5 Authenti
7-12 Firmware User Guide • You can also select Transmit RIP, and choose v2 MD5 (broadcast) or v2 MD5 (multicast) from the pop-up menu. • RIP v2 Authent
IP Setup 7-13 Note: • All of the changes on this menu require a reboot. This is unique to the Ethernet LAN. RIP changes on all other interfaces are im
7-14 Firmware User Guide • The key identifier Key ID can be any numeric value from 0 – 255, and must be unique per interface. You can not have two keys
IP Setup 7-15 Note: The date and time formats are determined by the system date and time formats. If the current date and time fall within the range
7-16 Firmware User Guide Connection Profiles and Default Profile RIP-2 MD5 authentication may be configured in Connection Profiles, as well. If you are not
IP Setup 7-17 • If either Receive RIP or Transmit RIP is set to v2 MD5 Authentication, RIP v2 Authentication Keys is visible. Selecting RIP v2 Authen
WAN Configuration 2-5 Usually, the default AutoSense will detect the type and adjust itself accordingly. If you want to set it yourself, and you know
7-18 Firmware User Guide Go to the System Configuration screen. Select IP Address Serving and press Return. The IP Address Serving screen will appear. F
IP Setup 7-19 • The DHCP Next-Server field allows you to enter the IP address of the next server in the boot process, which is typically a Trivial Fil
7-20 Firmware User Guide IP Address Pools The IP Address Pools screen allows you to configure a separate IP address serving pool for each of up to eight
IP Setup 7-21 Numerous factors influence the choice of served address. It is difficult to specify the address that will be served to a particular clien
7-22 Firmware User Guide • To serve DHCP clients with the type of NetBIOS used on your network, select Serve NetBIOS Type and toggle it to Yes. • Fro
IP Setup 7-23 Select NetBIOS Name Server IP Addr and enter the IP address for the NetBIOS name server. You are now finished setting up DHCP NetBIOS Opt
7-24 Firmware User Guide • The ability to view the host name associated with a client to which the gateway has leased an IP address. • The ability for
IP Setup 7-25 You can select the entries in the Served IP Addresses screen. Use the up and down arrow keys to move the selection to one of the entrie
7-26 Firmware User Guide Selecting Details… displays a pop-up menu that provides additional information associated with the IP address. The pop-up men
IP Setup 7-27 An IP address is marked declined when a client to whom the DHCP server offers the address declines the address. A client declines an ad
2-6 Firmware User Guide 7. To add a circuit, select Add Circuit and press Return. The Add Circuit screen appears. • Enter a name for the circuit in the
7-28 Firmware User Guide DHCP Relay Agent The Netopia Firmware Version 8.7 offers DHCP Relay Agent functionality, as defined in RFC1542. A DHCP relay ag
IP Setup 7-29 Select IP Address Serving and press Return. The IP Address Serving screen appears. Select IP Address Serving Mode. The pop-up menu offer
7-30 Firmware User Guide Now you can enter the IP address(es) of your remote DHCP server(s), such as might be located in your company’s corporate head
IP Setup 7-31 The Add Connection Profile screen appears. On a Router you can add up to 15 more connection profiles, for a total of 16, although only one
7-32 Firmware User Guide 4. Toggle or enter any IP parameters you require and return to the Add Connection Profile screen by pressing Escape. For more
IP Setup 7-33 Multicast Forwarding Multicasting is a method for transmitting large amounts of information to many, but not all, computers over an Inte
7-34 Firmware User Guide Navigate to the IP Profile Parameters screen. Typically, you will have a Connection Profile that you created in Easy Setup. You
IP Setup 7-35 Select Add Virtual Router and press Return. The Add Virtual Router screen appears. • VRID – Enter a VRID value. Each logical IP interface
7-36 Firmware User Guide If it matches the local IP address of that interface or the subnets, the Virtual Router will be defaulted to have a priority
IP Setup 7-37 • Monitor WAN – Toggle this option to Yes (the default) to enable VRRP routers on the interface to relinquish Master status if the WAN
WAN Configuration 2-7 Quality of Service (QoS) settings Note: QoS settings are not available on Ethernet-to-Ethernet WAN models. • Select the QoS (Quali
7-38 Firmware User Guide Multiple logical IP LAN support allows you to create additional IP routed LAN interfaces (ALANs). You can add, edit, or delet
IP Setup 7-39 The Add Additional LAN screen appears. Supply the following information: • Name – Enter a descriptive name for the ALAN or accept the ass
7-40 Firmware User Guide Editing or Deleting ALANs You can manage or edit your ALANs at any time. To modify or delete a configured ALAN, return to the I
Line Backup 8-1 Chapter 8 Line Backup Netopia Firmware Version 8.7 offers line backup functionality in the event of a line failure on the primary WAN l
8-2 Firmware User Guide • the Backup IP Gateway menu item in the IP Setup screen under the System Configuration menu Here you enter a Backup Gateway IP
Line Backup 8-3 Assuming you selected PPP, new fields appear. Underlying Encapsulation and PPP Mode do not usually need to be changed for a PPP connect
8-4 Firmware User Guide The Datalink (PPP/MP) Options screen appears. • Data Compression should remain set to Standard LZS. • Usually, you use PAP Authe
Line Backup 8-5 • Select IP Profile Parameters. The IP Profile Parameters screen appears. • Unless otherwise instructed, accept the defaults, except the
8-6 Firmware User Guide • From the Dial pop-up menu, you can choose whether to Dial Out Only, Dial In Only, or Dial In/Out (default). • Dialing Prefix:
Line Backup 8-7 IP Setup Here, you set the IP address of the alternate gateway. Navigate to the IP Setup screen under the System Configuration menu. • Se
2-8 Firmware User Guide Note: With multiple VCs you must explicitly statically bind the second (and all subsequent) VCs to a profile. The first VC will
8-8 Firmware User Guide WAN Configuration To configure the modem characteristics, from the Main Menu select WAN Configuration and then WAN Setup. The Choo
Line Backup 8-9 Choose the interface to configure for backup, MODEM (Wan Module 2) Setup. The Internal Modem Setup screen appears. • Modem Dialing Prefix
8-10 Firmware User Guide This screen is used to configure the conditions under which backup will occur, if it will recover, and how the modem is configu
Line Backup 8-11 Should this address become unreachable the router will treat this as a loss of connectivity and begin the backup timer. This loss is
8-12 Firmware User Guide • Data Link Encapsulation is Async PPP – if it appears (not on all models) this field is not editable. When you are finished, pr
Line Backup 8-13 • Toggle Scheduled Connection Enable to On. • From the How Often pop-up menu, select Weekly and press Return. • From the Schedule Type
8-14 Firmware User Guide • Select Use Connection Profile, and press Return. A screen displays all of your Connection Profiles. Select the one you want t
Line Backup 8-15 The Backup Configuration screen appears. This screen is used to configure the conditions under which backup will occur, if it will reco
8-16 Firmware User Guide • If you chose Automatic Recovery, select Requires Recovery of. Enter the number of minutes you want the system to wait befor
Line Backup 8-17 Backup Management/Statistics If backup is enabled, the Statistics & Logs menu offers a Backup Management/Statistics option. To vie
WAN Configuration 2-9 Creating a New Connection Profile Connection profiles are useful for configuring the connection and authentication settings for nego
8-18 Firmware User Guide During recovery, the following reasons may appear: • Time Since Detection is a display-only field that is only visible if backu
Monitoring Tools 9-1 Chapter 9 Monitoring Tools This chapter discusses the Router’s device and network monitoring tools. These tools can provide statis
9-2 Firmware User Guide General status Current Date: The current date; this can be set with the Date and Time utility (see “Date and time” on page 3-22
Monitoring Tools 9-3 Rate: Shows the line rate for this connection. %Use: Indicates the average percent utilization of the maximum capacity of the cha
9-4 Firmware User Guide Event Histories Netopia Firmware Version 8.7 records certain relevant occurrences in event histories. Event histories are usefu
Monitoring Tools 9-5 The first event in each call sequence is marked with double arrows (>>). Failures are marked with an asterisk (*). If the eve
9-6 Firmware User Guide IP Routing Table The IP routing table displays all of the IP routes currently known to the Router. The routing table screen repr
Monitoring Tools 9-7 Physical Interface The top left side of the screen lists total packets received and total packets transmitted for the following d
9-8 Firmware User Guide System Information The System Information screen gives a summary view of the general system level values in the Router. From the
Monitoring Tools 9-9 Simple Network Management Protocol (SNMP) Netopia Firmware Version 8.7 includes a Simple Network Management Protocol (SNMP) agent
2-10 Firmware User Guide Multiple Data Link Encapsulation Settings 4. Select Encapsulation Options and press Return. • If you selected ATMP, PPTP, L2TP,
9-10 Firmware User Guide Follow these steps to configure the first three items in the screen: 1. Select System Name and enter a descriptive name for the
Monitoring Tools 9-11 Setting the Read-Only and Read-Write community strings to the empty string will block all SNMP requests to the gateway. (The ga
9-12 Firmware User Guide Setting the IP trap receivers 1. Select Add IP Trap Receiver. 2. Select Receiver IP Address or Domain Name. Enter the IP addres
Monitoring Tools 9-13 4. Toggle Send Heartbeat Trap on (Yes) or off (No). The heartbeat setting is used to broadcast contact and location informatio
Security 10-1 Chapter 10 Security Netopia Firmware Version 8.7 provides a number of security features to help protect its configuration screens and your
10-2 Firmware User Guide Telnet Tiered Access – Two Password Levels Netopia Firmware Version 8.7 offers tiered access control for greater security and
Security 10-3 PCs using UPnP can retrieve the Gateway’s WAN IP address, and automatically create NAT port maps. This means that applications that sup
10-4 Firmware User Guide Limited user configuration The Add Access Name/Password and Show/Change Access Name/Passwords screens allow you to select which
Security 10-5 You can toggle the default user privileges for each user. The defaults are set to minimize the possibility of an individual user inadve
WAN Configuration 2-11 Return to the Add Connection Profile screen by pressing Escape. 5. Select IP Profile Parameters and press Return. The IP Profile Pa
10-6 Firmware User Guide Advanced Security Options The Advanced Security Options screen allows you to configure the global access privileges of users au
Security 10-7 RADIUS server authentication • You select your desired mode by using the Security Databases pop-up menu. • Choosing Local Only, the defau
10-8 Firmware User Guide Note: In the latter two modes that involve both RADIUS and the local database, if the local database includes no username/pas
Security 10-9 Configuration is similar to RADIUS server configuration. An additional toggle option TACACS+ Accounting allows you to enable or disable t
10-10 Firmware User Guide Attempting to delete the last username/password pair from the local authentication database when the Security Databases pop-
Security 10-11 • Select RADIUS Access Privileges, and from the pop-up menu, choose which access privilege you want this user to have: All, LAN, WAN,
10-12 Firmware User Guide User access password Users must be able to change their names and passwords, regardless of other security access restrictions
Security 10-13 User menu differences Menus reflect the security access level of the user. Consequently, configuration menus will display differing optio
10-14 Firmware User Guide Based on access level, the Main Menu displays its configuration options according to the following diagram: WAN Configuration s
Security 10-15 Connection Profiles The Superuser can disallow limited user access to a particular Connection Profile. When adding a Connection Profile in
2-12 Firmware User Guide 6. Toggle or enter your IP Parameters. For more information, see: • “IP Setup” on page 7-2 • “Network Address Translation (NAT)”
10-16 Firmware User Guide System Configuration menu The System Configuration menu is always available to all users. Based on access level, the System Con
Security 10-17 Utilities & Diagnostics menu Based on access level, the Utilities & Diagnostics menu displays its configuration options accordin
10-18 Firmware User Guide Statistics & Logs WAN Event History... Device Event History...
Security 10-19 Quick Menus Quick Menus vary considerably between models, features, and access levels. The following is an example comparison of the Qu
10-20 Firmware User Guide The ATM Circuits Configuration menu screen appears as follows: Note: Multiple ATM circuit configuration is supported on multipl
Security 10-21 About Filters and Filter Sets Security should be a high priority for anyone administering a network connected to the Internet. Using pa
10-22 Firmware User Guide Filter priority Continuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the packa
Security 10-23 • Blocks (discards) the packet • Ignores the packet A filter forwards or blocks a packet only if it finds a match after applying its crite
10-24 Firmware User Guide Port number comparisons A filter can also use a comparison option to evaluate a packet’s source or destination port number. Th
Security 10-25 Putting the parts together When you display a filter set, its filters are displayed as rows in a table: The table’s columns correspond to
WAN Configuration 2-13 • The Receive RIP pop-up menu controls the reception and transmission of Routing Information Protocol (RIP) packets on the WAN
10-26 Firmware User Guide Filtering example #1 Returning to our filtering rule example from above (see page 10-23), look at how a rule is translated int
Security 10-27 This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address s
10-28 Firmware User Guide • That which is not expressly prohibited is permitted. • That which is not expressly permitted is prohibited. It is strongly r
Security 10-29 Adding a filter set You can create up to eight different custom filter sets. Each filter set can contain up to 16 output filters and up to
10-30 Firmware User Guide Adding filters to a filter set There are two kinds of filters you can add to a filter set: input and output. Input filters check p
Security 10-31 Note: There are two groups of items in this screen, one for input filters and one for output filters. In this section, you’ll learn how
10-32 Firmware User Guide 3. If you want the filter to forward packets that match its criteria to the destination IP address, select Forward and toggle
Security 10-33 Deleting filters To delete a filter, select Delete Input Filter or Delete Output Filter in the Display/Change Filter Set screen to displa
10-34 Firmware User Guide Basic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic ori
Security 10-35 Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked. Basic Firew
Contents iii Chapter 1 — Introduction ... 1-1 What’s New in 8.7 ...
2-14 Firmware User Guide 9. Select COMMIT and press Return. Your new Connection Profile will be added. If you want to view the Connection Profiles in you
10-36 Firmware User Guide FTP sessions. To allow WAN-originated FTP sessions to a LAN-based FTP server with the IP address a.b.c.d (corresponding to a
Security 10-37 In addition, the TOS field has been added to the classifier list in a filter. This allows you to filter on TOS field settings in the IP pac
10-38 Firmware User Guide Certain types of IP packets, such as voice or multimedia packets, are sensitive to latency introduced by the network. A dela
Security 10-39 Firewall Tutorial General firewall terms Filter rule: A filter set is comprised of individual filter rules. Filter set: A grouping of indivi
10-40 Firmware User Guide Example TCP/UDP Ports Firewall design rules There are two basic rules to firewall design: • “What is not explicitly allowed is d
Security 10-41 and a packet goes through these rules destined for FTP, the packet would forward through the first filter rule (WWW), match the second
10-42 Firmware User Guide Established connections The TCP header contains one bit called the ACK bit (or TCP Ack bit). This ACK bit appears only with T
Security 10-43 Example network Example filters Example 1 Incoming packet has the source address of 200.1.1.28 Less Than or Equal Any port less than or eq
10-44 Firmware User Guide This incoming IP packet has a source IP address that matches the network address in the Source IP Address field (00000000)
Security 10-45 Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 1011000, this rule
WAN Configuration 2-15 Advanced Connection Options Depending on your model, the Advanced Connection Options screen offers a variety of powerful options
10-46 Firmware User Guide Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 01100000
Security 10-47 Select Save Current Configuration as , and press Return. The Save Current Configuration screen appears. Enter a descriptive name for y
10-48 Firmware User Guide A warning screen will ask you to confirm your choice. Factory Default to a saved configuration If you need to Factory Defaul
Security 10-49 Once you make the selection, if you factory Default the Router, it will reboot with the saved configuration you have selected. To remo
10-50 Firmware User Guide
Utilities and Diagnostics 11-1 Chapter 11 Utilities and Diagnostics A number of utilities and tests are available for system diagnostic and control
11-2 Firmware User Guide Ping The Netopia Firmware Version 8.7 includes a standard Ping test utility. A Ping test generates IP packets destined for a p
Utilities and Diagnostics 11-3 Status: The current status of the Ping test. This item can display the status messages shown in the table below: Packets
11-4 Firmware User Guide Packets Lost: The number of packets unaccounted for, shown in total and as a percentage of total packets sent. This statisti
Utilities and Diagnostics 11-5 3. Select Timeout (seconds) to set when the trace will timeout for each hop, up to 10 seconds. The default is 3 second
2-16 Firmware User Guide When you toggle Configuration Changes Reset WAN Connection either to Yes or No using the Tab key and press Return, a pop-up wi
11-6 Firmware User Guide • To end a suspended session, select Terminate Suspended Session. Select a session from the pop-up menu and press Return. Fact
Utilities and Diagnostics 11-7 The sections below describe how to update the Router’s firmware and how to download and upload configuration files. Updati
11-8 Firmware User Guide • Select TFTP Server Name and enter the server name or IP address of the TFTP server you will use. The server name or IP addr
Utilities and Diagnostics 11-9 You must restart the system whenever you reconfigure the Router and want the new parameter values to take effect. Unde
11-10 Firmware User Guide
Troubleshooting A-1 Appendix A Troubleshooting This appendix is intended to help you troubleshoot problems you may encounter while setting up and using
A-2 Firmware User Guide Note: If you are attempting to modify the IP address or subnet mask from a previous, successful configuration attempt, you will
Troubleshooting A-3 How to Reset the Router to Factory Defaults Lose your password? This section shows how to reset the Netopia Router so that you can
A-4 Firmware User Guide Before contacting Netopia Look in this guide for a solution to your problem. You may find a solution in this troubleshooting app
Index-1 Index A add static route 7-8 Additional LANs 7-4, 7-38 ADSL Line Configuration 2-4 advanced configuration features 3-1 ALANs 7-38 ATMP 5-17 tunnel optio
WAN Configuration 2-17 Viewing scheduled connections To display a table of scheduled connections, select Display/Change Scheduled Connection in the Sch
Index-2 navigating 1-5 encryption 5-2, 5-7, 5-17, 6-1 event history device 9-5 WAN 9-4 Exposed Addresses 3-4 Extended Authentication 6-6 F factory default A-3 F
Index-3 line backup 8-1 backup IP gateway 8-16 connection profiles 8-2 management and statistics 8-17 scheduled connections 8-12 WAN configuration 8-8 Loggin
Index-4 router to serve IP addresses to hosts 7-1 routing tables IP 7-6, 9-6 S scheduled connections 2-16 adding 2-18 deleting 2-21 modifying 2-21 once-only 2-
Index-5 updating Netopia’s firmware 11-7 upgrade 1-3 uploading configuration files 11-8 with TFTP 11-8 utilities and diagnostics 11-1 V Variable Bit Rate (VB
2-18 Firmware User Guide • The time of day that the connection will Begin At • The duration of the connection (HH:MM) • Whether it’s a recurring Weekly
WAN Configuration 2-19 • Demand-Blocked, meaning that this schedule will prevent a demand call on the line. • Periodic, meaning that the connection is
2-20 Firmware User Guide • Select Scheduled Window Duration Per Day and enter the maximum duration allowed for this scheduled connection, per call. • R
WAN Configuration 2-21 You are finished configuring the once-only options. Return to the Add Scheduled Connection screen to continue. • In the Add Schedu
2-22 Firmware User Guide Diffserv Options Netopia Firmware Version 8.7 offers Differentiated Services (Diffserv) enhancements. These enhancements allow
WAN Configuration 2-23 The Diffserv options are displayed. • Enter a value from 60 to 100 (percent) in the Lo/Hi Ratio field. Differentiated Services use
iv Firmware User Guide Adding Port interfaces ... 3-16 Changing or Deleting a VLAN...
2-24 Firmware User Guide The Diffserv Rule screen appears. • Name – Enter a name in this field to label the rule. • Protocol – Select the protocol from t
WAN Configuration 2-25 • Inside IP Address/Netmask – For outbound flows, specify an IP address and subnet mask on your LAN. For inbound flows, this sett
2-26 Firmware User Guide The Router will recognize a delay-sensitive packet as having the low-latency bit set in the TOS field of the IP header. If you
WAN Configuration 2-27 Toggle Ping Enable to On and press Return. The Ping settings options appear. • The Ping Host Name or IP Address #1 and Ping Host
2-28 Firmware User Guide
System Configuration 3-1 Chapter 3 System Configuration This chapter describes how to use the Telnet-based management screens to access and configure adva
3-2 Firmware User Guide The System Configuration menu screen appears: IP Setup These screens allow you to configure your network’s use of the IP networkin
System Configuration 3-3 Stateful Inspection Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. S
3-4 Firmware User Guide Add Exposed Address List You can specify the IP addresses you want to expose by selecting Add Exposed Address List from the Sta
System Configuration 3-5 Select Add Exposed Address Range and press Return. The Exposed Address Range screen appears. Enter the First and Last Exposed
Contents v Modifying map lists ... 4-12 Adding Server Lists...
3-6 Firmware User Guide The pop-up Protocol menu offers the type of protocols to be assigned to this range. • First Exposed Address: Start IP Address o
System Configuration 3-7 You can edit or delete exposed address lists by selecting Show/Change Exposed Address List or Delete Exposed Address List. A
3-8 Firmware User Guide Exposed Address Associations Enable and configure stateful inspection on a WAN interface. When you create or modify a Connection
System Configuration 3-9 Select Stateful Inspection Options and press Return. The Stateful Inspection Parameters screen appears. • Max. TCP Sequence Nu
3-10 Firmware User Guide Open ports in default Stateful Inspection installation Port Protocol Description Private Interface Public Interface 23 TCP teln
System Configuration 3-11 VLAN Configuration A Virtual Local Area Network (VLAN) is a network of computers that behave as if they are connected to the s
3-12 Firmware User Guide The Add VLAN selection appears. Select Add VLAN and press Return. The Add VLAN screen appears. You can create up to 8 VLANs, and
System Configuration 3-13 • VLAN Type – Beginning with Firmware Version 8.6.1, LAN or WAN Port(s) can be enabled on the VLAN. See “Adding Port interfa
3-14 Firmware User Guide Caution! If you enable 802.1x for a VLAN that includes a wireless SSID, you must access the Wireless LAN Configuration menu and
System Configuration 3-15 The Add Server Profile screen appears. The Add Server Profile screen allows you to specify the RADIUS server and its authentica
vi Firmware User Guide PPTP example ... 5-25 ATMP example ...
3-16 Firmware User Guide Adding Port interfaces Once you have created a VLAN entry you must associate it with a port interface. This interface may be e
System Configuration 3-17 Select Add Port Interface and press Return. The Add Port Interface screen appears. (The Add Port Interface screen varies depe
3-18 Firmware User Guide • TOS-Priority – Use any 802.1p priority bits in the VLAN header to prioritize packets within the Gateway’s internal queues,
System Configuration 3-19 If you are deleting a profile, you will be challenged to be sure that you want to delete the profile that you have selected. If
3-20 Firmware User Guide Configuring additional Authentication Servers You can configure additional (or your first) Authentication Server from the main V
System Configuration 3-21 The Add Server Profile screen appears. Configure your profile in the same way as described in “Adding a RADIUS Profile” on page 3
3-22 Firmware User Guide Date and time You can set the system’s date and time parameters in the Set Date and Time screen. Date and Time parameters gove
System Configuration 3-23 5. Select a System Date Format; the options are MM/DD/YY, DD/MM/YY, and YY/MM/DD, where M is month, D is day, and Y is year.
3-24 Firmware User Guide • Block Wireless Bridging: Toggle this setting to Yes to block wireless clients from communicating with other wireless clie
System Configuration 3-25 Note: Enabling Closed System Mode on your wireless Gateway provides another level of security, since your wireless LAN will
Contents vii Additional LANs ... 7-37 Chapter 8 — Line Backup ...
3-26 Firmware User Guide To enable the Wireless Multimedia custom settings, select diffserv from the pull-down menu. Enable Privacy By default, Enable P
System Configuration 3-27 The Pre Shared Key field becomes visible to allow you to enter a Pre Shared Key. The key can be between 8 and 63 characters,
3-28 Firmware User Guide • WPA Version: If you select either WPA-802.1x or WPA-PSK as your privacy setting, the WPA Version pop-up menu allows you to
System Configuration 3-29 You select a single key for encryption of outbound traffic. The WEP-enabled client must have an identical key of the same len
3-30 Firmware User Guide needs to be done once. Avoid the temptation to enter all the same characters. Default Key (#1 – #4): Specifies which key the R
System Configuration 3-31 Toggle Enable Multiple SSIDs to Yes, and enter names or other identifiers for up to three additional SSIDs you want to creat
3-32 Firmware User Guide You can also specify a WPA Version from the pop-up menu in the same way as the primary SSID. These additional SSIDs are “Close
System Configuration 3-33 MAC Address Authentication Enhanced in Firmware Version 8.5, MAC Address Authentication allows you to specify which client PC
3-34 Firmware User Guide • Allow only specified addresses - limits access to only those addresses that you enter. • Deny only specified addresses - preve
System Configuration 3-35 The list is displayed as shown below. You can continue to Add, Change, or Delete addresses to the list by selecting the respe
viii Firmware User Guide Limited user configuration ... 10-4 Advanced Security Options ...
3-36 Firmware User Guide Follow these steps to change a parameter’s value: 1. Select 57600, 38400, 19200, or 9600. 2. Select SET CONFIG NOW to save the
System Configuration 3-37 Router/Bridge Set For Netopia DSL Routers, this feature allows you to turn off the routing features and use your device as a
3-38 Firmware User Guide If you chose CONTINUE, the device will reboot and restart in the selected mode. Routing features will be disabled or changed
System Configuration 3-39 IGMP (Internet Group Management Protocol) Multicasting is a method for transmitting large amounts of information to many, but
3-40 Firmware User Guide • IGMP Snooping – toggling this option to On enables the Netopia Router to “listen in” to IGMP traffic. The Router discovers m
System Configuration 3-41 The IGMP V2/V3 Settings screen appears. You can configure the following parameters: • Last Member Query Interval (deci-sec) – t
3-42 Firmware User Guide Logging You can configure a UNIX-compatible (BSD syslog protocol - RFC 3164) syslog client to report a number of subsets of the
System Configuration 3-43 You will need to install a Syslog client daemon program on your PC and configure it to report the WAN events you specified in
3-44 Firmware User Guide 2. attempt 3. administrative access authenticated and allowed 4. administrative access allowed 5. dropped - violation of securit
System Configuration 3-45 The following syslog messages may be generated by the router if WAN Event Log Options are enabled: 1. Device Restarted 2. EN:
Contents ix Factory Defaults ... 11-6 Transferring Configuration and Firmware Files with TFTP.
3-46 Firmware User Guide 33. PPPOE: PADS Received 34. PPPOE: PADT Received 35. PPPOE: PADT Sent 36. PPPOE: Discovery state started profile [Profile
System Configuration 3-47 66. IKE: phase 1 auth failure sg [IP Address] profile [Name], sg [IP Address] code [code] 67. IKE: phase 1 resend timeout
3-48 Firmware User Guide Procedure for Default Installation for ICSA firewall certification of Small/Medium Business Category Module (ADSL Routers) Note:
System Configuration 3-49 Setting up an encrypted communication channel: (PPTP with MS-CHAP/MPPE) (See “Virtual Private Networks (VPNs)” on page 5-1 fo
3-50 Firmware User Guide Set up NTP (See “Date and time” on page 3-22 for more information.) 1. NTP is enabled by default. 2. To change NTP Settings, Go
System Configuration 3-51 2. Go to WAN Configuration… 3. Select Display/Change Connection Profile… 4. Select Easy Setup Profile (if available) or the desir
3-52 Firmware User Guide
Multiple Network Address Translation 4-1 Chapter 4 Multiple Network Address Translation Netopia Firmware Version 8.7 offers advanced Multiple Network A
4-2 Firmware User Guide Features MultiNAT features can be divided into several categories that can be used simultaneously in different combinations on
Multiple Network Address Translation 4-3 Dynamic mapping Dynamic mapping, often referred to as many-to-few, offers an extension to the advantages prov