Netopia® Firmware User Guide Netopia
Select ADD NAT PUBLIC RANGE and press Return. You are returned to the Network Address Translation screen. Next, select Show/Ch
Multiple Network Address Translation 3-35
To make these changes, first limit the range of remapped addresses on the Static Map and then edit the defau
Chapter 4 Virtual Private Networks (VPNs)
The Netopia Firmware Version 5.4 can be used in VPNs either to initiate the connection or to answer it. When used in this way,
protocol over IP. ATMP is more efficient than PPTP for network-to-network tunnels. IPsec stands for IP Security,
About PPTP Tunnels
To set up a PPTP tunnel, you create a Connection Profile including the IP address and other relevant informat
When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then
Note: The Netopia Firmware Version 5.4 supports 128-bit (“strong”) encryption. Unlike MS-CHAP version 1, which supports one-wa
The IP Profile Parameters screen appears. Enter the Remote IP Address and Remote IP Mask for the host to which yo
Chapter 1 Introduction
This Firmware User Guide covers the advanc
About ATMP Tunnels
To set up an ATMP tunnel, you create a Connection Profile including the IP address and other relevant informa
When you define a Connection Profile as using ATMP by selecting ATMP as the datalink encapsulation method, and then
them, acting as a home agent (No). Tunnels are normally initiated On Demand; however, you can disable this feature. When dis
MS-CHAP V2 and 128-bit strong encryption
Notes: The Netopia Firmware Version 5.4 supports 128-bit (“strong”) enc
Toggle Answer ATMP/PPTP Connections to Yes if you want the router to accept VPN connections or No (the default) if you do n
VPN QuickView
You can view the status of your VPN connections in the VPN QuickView screen. From the Main Menu sele
Dial-Up Networking for VPN
Microsoft Windows Dial-Up Networking software permits a remote standalone workstation to establish
The Communications window appears.
5. In the Communications window, select Dial-Up Networking and click the OK bu
Configuring a Dial-Up Networking profile
Once you have created your Dial-Up Networking profile, you configure it for TCP/IP networ
4. Click the TCP/IP Settings button. If your ISP uses dynamic IP addressing (DHCP), select the Server assigned
Console-based Management
Console-based management is a fast menu-driven interface for the capabilities built into the Netopi
This displays a list of possible selections for the communications option. Active components will have a check in the checkbo
Connecting using Dial-Up Networking
A Dial-Up Networking connection will be automatically launched whenever you r
PPTP example
To enable a firewall to allow PPTP traffic, you must provision the firewall to allow inbound and outbound TCP packet
In the Display/Change Filter Set screen select Display/Change Output Filter.
Display/Change Output Filter screen
Select Output Filter 2 and press Return. In the Change Output Filter 2 screen, set the Protocol Type to allow GRE as shown be
Select Input Filter 1 and press Return. In the Change Input Filter 1 screen, set the Destination Port informatio
In the Display/Change Filter Set screen select Display/Change Output Filter.
Display/Change Output Filter screen
Select Output
Windows Networking Broadcasts
Netopia firmware provides the ability to forward Windows Networking NetBIOS broadcas
Configuration for Router A
Configuration for Router B
IP Profile Parameters Address Translati
Note: Microsoft Network browsing is available with or without a Windows Internet Name Service (WINS) server. Sha
reconfiguring the manner in which you may be using the router to connect to more than one service provider or remote site. See “WAN
Chapter 5 Internet Key Exchange (IKE) IPsec Key Management for VPNs
the two devices on the Internet to communicate securely. Phase 2 establishes the tunnel and provides for secure transport of
The Add Connection Profile screen appears. From the Encapsulation Type pop-up menu sele
For Key Management you can use either IKE or Manual. If you choose Manual, skip to “IPsec Manual Key Entry” on page 5-19. If y
The Profile Name field accepts any name of up to 16 characters. Sixteen IKE Phase 1 pro
that will be used to generate key material for IKE Phase 1. The Encryption Algorithm pop-up menu specifies the IKE Phase 1 enc
the Phase 1 SAs under which they were created. Phase 2 SAs “dangle” when the Phase 1 SA
Changing an IKE Phase 1 Profile
Selecting Display/Change IKE Phase 1 Profile or Delete IKE Phase 1 Profile displays an IKE Phase 1
Key Management
You specify your IKE key management on a per-Connection Profile basis. You
Connecting through a Telnet Session
Features of the Netopia Firmware Version 5.4 can be configured through the console screen
Note: The Change Connection Profile screen will offer different options, depending on the model of router you are using. For a
The Key Management pop-up menu at the top of the IPsec Tunnel Options screen allows yo
This screen allows you to specify the lifetime associated with each IPsec Security Association (SA) and control when the SA w
Netopia Firmware Version 5.4 provides a new Dead Peer Detection mechanism. An IPsec IP
If you enable IKE key management the IP Profile Parameters screen appears. The Remote Tunnel Endpoint field accepts either an
support for sub-netting, host and network range addressing modes works with manual
If you return to the IP Profile Parameters screen, two new fields are displayed: Display/Change Network allows you to make cha
Specifying IKE key management alters the Advanced IP Profile Options screen as follow
IPsec WAN Configuration Screens
You can also configure IKE Phase 1 Profiles in the WAN Configuration menus. The WAN Configuration sc
The IKE Phase 1 Configuration screen allows configuration of global (non-connection-profi
Connecting a Console Cable to your Equipment
Many Netopia models include a serial console port labeled “Console” on the back panel
Select IPsec Manual Keys and press Return. Depending on your selections of Encapsulation, Encryption Transform, and Authentica
If the remote tunnel end point is a hostname (or “0.0.0.0”) 0.0.0.0 is displayed until
IKE: no matching ph2 proposal Either the local router rejected the proposals of the remote or the remote rejected the local r
Chapter 6 IP Setup
The Netopia Firmware Version 5.4 uses Internet Protocol (IP) to comm
IP Setup
The IP Setup options screen is where you configure the Ethernet side of the Router. The information you enter here cont
The Netopia Firmware Version 5.4 supports multiple IP subnets on the Ethernet interface. You may want to configure multiple IP subnets t
that the addresses distributed by the Router and those that are manually configured are not the same. Each method of distributi
For example: To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing
If you have configured multiple Ethernet IP subnets, the IP Setup screen changes slightly: The IP address and Subnet mask items
The Static Routes screen will appear.
Viewing static routes
To display a view-only table of static routes, select Display/Change Static Ro
Launch your terminal emulation software and configure the communications software for the values shown in the table below. Th
Subnet Mask: The subnet mask associated with the destination network.
Next Gateway: The IP address of the router that will be u
information; Low means that the RIP information takes precedence over the static route. If the static route conflicts with a connection
RIP-2 MD5 Authentication
Firmware version 5.3.7 supports RIP-2 MD5 Authentication (RFC2082 Routing Internet Protocol Version 2
The IP Setup screen appears. Select RIP Options. The Ethernet LAN RIP Options screen appears.
IP Setu
Select Receive RIP, and from the pull-down menu choose v2 MD5 Authentication. You can also select Transmit RIP, and choose
Transmit RIP.
Note:
• All of the changes on this menu require a reboot. This is unique to the Ethernet LAN. RIP changes on all other inte
Adding a key
Select Add Key. The Add Key Screen appears. The key identifier Key ID can be any numeric value from 0 – 255, and
Changing or deleting a key
You change or delete a key by selecting it from a pop-up menu. In the RIP v2 Authentication Keys menu, select
Connection Profiles and Default Profile
RIP-2 MD5 authentication may be configured in Connection Profiles, as well. If you are not
press COMMIT in the Add or Change Key screen, then press Escape three times to return to the Add or Change Connection Profile screen. S
Navigating through the Console Screens
Use your keyboard to navigate the Netopia Firmware Version 5.4’s configuration screens, enter
Go to the System Configuration screen. Select IP Address Serving and press Return. The IP Address Serving screen will appear. F
Consequently, the DHCP lease time is configurable. The DHCP Lease Time (Hours) setting allows you to modify the router’s default lease t
IP Address Pools
The IP Address Pools screen allows you to configure a separate IP address serving pool for each of up to eight
Numerous factors influence the choice of served address. It is difficult to specify the address that will be served to a particular clien
DHCP NetBIOS Options
If your network uses NetBIOS, you can enable the Router to use DHCP to distribute NetBIOS information. Net
From the NetBIOS Type pop-up menu, select the type of NetBIOS used on your network. To serve DHCP clients with the NetBIOS scope,
Select Release BootP Leases and press Return. Back in IP Address Serving, the Serve Dynamic WAN Clients toggle
More Address S
Configuring the IP Address Server options
To access the enhanced DHCP server functions, from the Main Menu navigate to Statistics &
You can select the entries in the Served IP Addresses screen. Use the up and down arrow keys to move the selection to one of
Details… is displayed if the entry is associated with both a host name and a client identifier. Selecting Details… displays a pop-up m
Include is displayed if the entry is either excluded or declined. An IP address is marked declined when a client to whom th
The router’s Ethernet IP address(es) will be automatically excluded from the address serving pool(s) on startup. Entries in the served
DHCP Relay Agent
The Netopia Firmware Version 5.4 offers DHCP Relay Agent functionality, as defined in RFC1542. A DHCP relay ag
Select IP Address Serving and press Return. The IP Address Serving screen appears. Select IP Address Serving Mode. The pop-up menu offer
Note: The remote DHCP server(s) to which the Netopia Router is relaying DHCP requests must be capable of servicing relayed re
1. Select Profile Name and enter a name for this connection profile. It can be any name you wish. For example: the name of your ISP.
2. To
5. Select ADD PROFILE NOW and press Return. Your new connection profile will be added. If you want to view the connection profil
By default, Multicast Forwarding is turned off (None). You enable the router to transmit multicast data by selecting Tx. from the pull-d
Typically, you will have a Connection Profile that you created in Easy Setup. You may have more. Select the Connection Profile
Chapter 7 Line Backup
The firmware offers line backup functionality in the e
Chapter 2 WAN and System Configuration
External Dial Backup Support
Netopia equipment that supports the external dial backup feature automatically displays the serial
The Choose Interface to Configure screen appears. Choose the interface to configure for backup, Serial Port Setup. The Serial Port Config
The default mode is Console Only. This is the normal state for using a terminal emulation application to manage the router.
Note:
• The modem cable should have a standard DB-9 female connector to connect to the console port. This is the standard type of mode
backup mode and connect via your modem.
Note: Backup and Recovery have resolutions of five seconds. This is how often the router
Connection Profiles
The line backup feature allows you to configure a complete Connection Profile for the backup port, just as you do for
From the Dial pop-up menu, you can choose whether to Dial Out Only, Dial In Only, or Dial In/Out (default). You can add the
The Scheduled Connections screen appears. Select Add Scheduled Connection and press Return. The Add Scheduled Connection screen appe
Toggle all the days of the week to Yes, and set the Scheduled Window Duration Per Day to 24:00. This guarantees a 24X7 con
Select Backup Management/Statistics and press Return.
Note: This option is only visible if backup is not Disabled.
The Backup Manageme
Copyright
Copyright © 2004, Netopia, Inc. Netopia and the Netopia logo are registered trademarks belonging to Netopia, Inc., registered U.S. Patent an
ADSL Line Configuration screen
The ADSL Line Configuration screen is shown below:
1. Select Circuit Type and from the pop-up menu
connection. Switchover Time is a display-only field that is only visible if backup or recovery is in progress. It displays th
SNMP Support
The router supports objects for determining the state of backup, as well as providing traps for the backup and recovery
The Backup Configuration screen appears. This screen is used to configure the conditions under which backup will occur, if it wi
Use this setting with caution. Setting it to Yes may induce alternating switching between Backup and Recovery Mode. This field will d
Backup Management/Statistics
If backup is enabled, the Statistics & Logs menu offers a Backup Management/Statistics option
either one and pressing Return will force the link to switch to the other mode.
QuickView
The QuickView screen now has an information
Chapter 8 Voice Configuration
This chapter d
central office, but not long distance or local calls.
Toll Restriction Operation - PBX/Local Switching Mode: When you pick up th
Select Voice Gateway and from the pop-up menu, choose the type of voice gateway device to which you will be connected. The c
SDSL/IDSL Configuration screen
The SDSL/IDSL Line Configuration screen is shown below: Select a Line Type from the pull
Echo cancellation is set to Yes by default. For ordinary telephone handsets, echo cancellation should be set to Yes (turned on
Chapter 9 Monitoring Tools
This chapter discusses the R
General status
Current Date: The current date; this can be set with the Date and Time utility (see “Date and time” on page 2-42
Current status
The current status section is a table showing the current status of the DSL connection. For example:
Profile Name: L
Statistics & Logs
When you are troubleshooting your Router, the Statistics & Logs screens provide insight into the rece
WAN Event History
The WAN Event History screen lists a total of 128 events on the WAN. The most recent events appear at the top. E
In the Statistics & Logs screen, select Device Event History. The Device Event History screen appears. If the event histor
IP Routing Table
The IP routing table displays all of the IP routes currently known to the Router. The routing table screen repres
Physical Interface
The top left side of the screen lists total packets received and total packets transmitted for the following
System Information
The System Information screen gives a summary view of the general system level values in the Router. From the S
Some of these selections will reset the defaults for the remaining options in this screen. You will be challenged to confirm yo
Simple Network Management Protocol (SNMP) - V2c
The Netopia Firmware Version 5.4 includes a Simple Network Management Protocol
The SNMP Setup screen
From the Main Menu, select SNMP in the System Configuration screen and press Return. The SNMP Setup screen
Community strings
The Read-Only Community String and the Read/Write Community String are like passwords that must be used by a
To go to the IP Trap Receivers screen, select IP Trap Receivers. The IP Trap Receivers screen appears.
Setting the IP trap recei
Chapter 10 Security
The Netopia Firmware Version 5.4 provides a number of security
Console Tiered Access – Two Password Levels
Netopia Firmware Version 5.4 offers tiered access control for greater security and
For Windows XP users, the automatic discovery feature places an icon representing the Netopia Gateway automatically in the “My Network
Limited user configuration
The Add Access Name/Password and Show/Change Access Name/Passwords screens allow you to select which
You can toggle the default user privileges for each user. The defaults are set to minimize the possibility of an individual user inadve
IDSL Line Configuration screen
The IDSL Line Configuration screen is shown below: For IDSL lines, the Data Rate (kbps)
Select RADIUS Access Privileges, and from the pull-down menu, choose which access privilege you want this user to have: All
User access password
Users must be able to change their names and passwords, regardless of other security access restrictions. If a user
User menu differences
Menus reflect the security access level of the user. Consequently, configuration menus will display differ
Based on access level, the Main Menu displays its configuration options according to the following diagram:
WAN Configuration screens
If a
Connection Profiles
The Superuser can disallow limited user access to a particular Connection Profile. When adding a Connection
System Configuration menu
The System Configuration menu is always available to all users. Based on access level, the System Configuration
Utilities & Diagnostics menu
Based on access level, the Utilities & Diagnostics menu displays its configuration option
Based on access level, the Statistics & Logs menu displays its options according to the following diagram:
Quick Menus
Quick Menus vary considerably between models, features, and access levels. The following is an example comparison
The ATM Circuits Configuration menu screen appears as follows:
Note: Multiple ATM circuit configuration is supported on multiple ATM-capa
G.SHDSL Line Configuration screen
The G.SHDSL Line Configuration screen is shown below:
Each access concentrator (DSLAM) has a dif
Protecting the Security Options screen
The first screen you should protect is the Security Options screen, because it controls
To add a new user account, select Add User in the Security Options screen and press Return. The Add Name With Write Access screen appe
To restrict Telnet access, select Security in the Advanced Configuration menu. The Security Options screen will appear. There
Each inspector has a specific task. One inspector’s task may be to examine the destination address of all outgoing packages. That inspe
If the package does not match the first inspector’s criteria, it goes to the second inspector, and so on. You can see that th
Parts of a filter
A filter consists of criteria based on packet attributes. A typical filter can match a packet on any one of the followin
Port number comparisons
A filter can also use a comparison option to evaluate a packet’s source or destination port number. Th
Putting the parts together
When you display a filter set, its filters are displayed as rows in a table:
The table’s columns correspond to
Filtering example #1
Returning to our filtering rule example from above (see page 10-20), look at how a rule is translated int
This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address s
T1 Line Configuration screen
The T1 Line Configuration screen is shown below: Select Operation Mode and press Return. F
An approach to using filters
The ultimate goal of network security is to prevent unauthorized access to the network without co
3. View, change, or delete individual filters and filter sets.
The sections below explain how to execute these steps.
Adding a filter set
Yo
Adding filters to a filter set
There are two kinds of filters you can add to a filter set: input and output. Input filters check p
Note: There are two groups of items in this screen, one for input filters and one for output filters. In this section, you’ll learn how
3. If you want the filter to forward packets that match its criteria to the destination IP address, select Forward and toggle
Deleting filters
To delete a filter, select Delete Input Filter or Delete Output Filter in the Display/Change Filter Set screen to displa
Basic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic ori
Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked.
Basic Firew
FTP sessions. To allow WAN-originated FTP sessions to a LAN-based FTP server with the IP address a.b.c.d (corresponding to a
The new filterset screen appears as follows:
To use the policy-based routing feature, you create a filter that forwards the traffic. Tog
default setting is 1 (one). Press Return.
Note: You can change the First DS0 Channel number, which has a valid range from one t
Note:
Default Forwarding Filter
If you create one or more filters that have a matching action of forward, then action on a pack
Firewall Tutorial
General firewall terms
Filter rule: A filter set is comprised of individual filter rules.
Filter set: A grouping of indivi
Example TCP/UDP Ports
Firewall design rules
There are two basic rules to firewall design: “What is not explicitly allowed is d
and a packet goes through these rules destined for FTP, the packet would forward through the first filter rule (WWW), match the second r
Established connections
The TCP header contains one bit called the ACK bit (or TCP Ack bit). This ACK bit appears only with T
Example network
Example filters
Example 1
Incoming packet has the source address of 200.1.1.28
Less Than or Equal Any port less than or eq
This incoming IP packet has a source IP address that matches the network address in the Source IP Address field (00000000)
Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 1011000, this rule
Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 01100000
Select Save Current Configuration as , and press Return. The Save Current Configuration screen appears. Enter a descriptive name for y
Note: If you used Easy Setup to configure your router, you have already created a connection profile called Easy Setup
A warning screen will ask you to confirm your choice.
Configuration Management Save Curre
TFTP and X-Modem
You can also send or receive your stored configuration files via TFTP or X-Modem. You select the stored configuration
Call Filtering
Netopia Firmware Version 5.4 supports a call filtering mechanism that lets you control which packets cause c
This pop-up menu allows you to configure what action will be taken for packets that the filter rule specifies should be forwarded. If
Chapter 11 Utilities and Diagnostics
Ping
The Netopia Firmware Version 5.4 Router includes a standard Ping test utility. A Ping test generates IP packets destined
Status: The current status of the Ping test. This item can display the status messages shown in the table below:
Packets
Packets Lost: The number of packets unaccounted for, shown in total and as a percentage of total packets sent. This statisti
3. Select Timeout (seconds) to set when the trace will timeout for each hop, up to 10 seconds. The default is 3 second
1. Select LMI Type (Link Management Type) and press Return. From the pop-up menu, highlight either ANSI (Annex D), CCITT (Ann
menu and press Return. To end a suspended session, select Terminate Suspended Session. Select a session from the pop-up menu
The sections below describe how to update the Router’s firmware and how to download and upload configuration files.
Updati
Select GET ROUTER FIRMWARE FROM SERVER and press Return. You will see the following dialog box: Select CANCEL to exit with
If you choose to download the configuration file, the TFTP Transfer State item will change from Idle to Reading Config.
Updating firmware
Firmware updates may be available periodically from Netopia or from a site maintained by your organization’s
Caution!
Do not manually power down or reset the Router while it is automatically resetting or it could be damaged.
Dow
3. Select CANCEL to exit without uploading the file, or select CONTINUE to upload the file.
If you choose CONTINUE, you will ha
Select T1 Line Statistics / Diagnostics and press Return. The T1 Line Statistics / Diagnostics screen appears. The scre
24 hours: Cumulative statistics, for the preceding 24-hour period.
Line Status: Conditions may be Normal Operation, Red Alarm
Appendix A Troubleshooting
This appendix is intended to h
ting defaults to 64000, but you may modify the capacity rate if this setting will not be applicable to you. The De
Note: If you are attempting to modify the IP address or subnet mask from a previous, successful configuration attempt, you will
How to Reset the Router to Factory Defaults
Lose your password? This section shows how to reset the router so that you can access t
Technical Support
Netopia, Inc. is committed to providing its customers with reliable products and documentation, backed by exc
Appendix B Understanding IP Addressing
IP addresses indicate both the identity of the network and the identity of the individual host on the network. The number of b
Subnet numbers appear within IP addresses, along with network numbers and host numbers. Since an IP address is always
Network configuration
Below is a diagram of a simple network configuration. The ISP is providing a Class C address to the custome
Background
The IP addresses and routing configurations for the devices shown in the diagram are outlined below. In addit
There are two schemes for distributing the remaining IP addresses:
• Manually give each computer an address
• Let the Router a
Configuration
This section describes the specific IP address lease, renew, and release mechanisms for both the Mac and PC
Contents iii: Chapter 1 — Introduction ... 1-1; What’s New in Netopia Firmware Version 5.4 ...
2-12 Firmware User Guide: To go to the Frame Relay DLCI configuration screen, select Frame Relay DLCI Configuration in the WAN Configuration screen. Displa
B-8 Firmware User Guide: The Router releases the DHCP address back to the available DHCP address pool exactly one hour after the last-heard lease req
Understanding IP Addressing B-9: In any situation where a device is dialing into a Netopia router, the router may need to be configured to serve IP via
B-10 Firmware User Guide: The figure above shows an example of a block of IP addresses being distributed correctly. The example follows these rules: An
Understanding IP Addressing B-11: Nested IP Subnets. Under certain circumstances, you may want to create remote subnets from the limited number of IP add
B-12 Firmware User Guide: Routers B and C (which could also be Routers) serve the two remote networks that are subnets of a.b.c.0. The subnetting is ac
Understanding IP Addressing B-13: Let’s see how a packet from the Internet gets routed to the host with IP address a.b.c.249, which is served by Route
B-14 Firmware User Guide: The following diagram illustrates the IP address space taken up by the two remote IP subnets. You can see from the diagram wh
Binary Conversion Table C-1: Appendix C Binary Conversion Tab
C-2 Firmware User Guide
Decimal Binary Decimal Binary Decimal Binary Decimal Binary
128 10000000 160 10100000 192 11000000 224 11100000
129 10000001 161
Index-1: Index. A: add static route 6-8; ADSL Line Configuration 2-2; advanced configuration features 2-35; ATMP 4-10, tunnel options 4-8. B: backup defau
WAN and System Configuration 2-13: Changing a Frame Relay DLCI configuration. To modify a Frame Relay DLCI configuration, select Display/Change DLCIs in th
Index-2: 11; with TFTP 11-8; with XMODEM 11-11; Dynamic Host Configuration Protocol (DHCP) 6-17; Dynamic Host Configuration Protocol, see DHCP; Dynamic WAN 6-17. E: Eas
Index-3: static B-8; IP passthrough 3-27; IP setup 6-2; IP trap receivers: deleting 9-13, modifying 9-13, setting 9-13, viewing 9-13; IPsec 4-3, 4-7, 5-1. L: latency 10-35; L
Index-4: port number comparisons 10-22; port numbers 10-21; PPTP 4-10, tunnel options 4-4; PVC 2-16. Q: quality of service 10-35; Quick View 9-1. R: restarting the system
Index-5: defined 11-6; downloading configuration files 11-8; updating firmware 11-7; uploading configuration files 11-9; TFTP, transferring files 11-6; tiered acc
Index-6
2-14 Firmware User Guide: Adding a Frame Relay DLCI configuration. To add a new Frame Relay DLCI, select Add DLCI in the Frame Relay DLCI Configuration scr
WAN and System Configuration 2-15: provider agrees to transfer from a given PVC (Permanent Virtual Circuit) or DLCI (Data Link Connection Identifier). T
2-16 Firmware User Guide: Multiple ATM Permanent Virtual Circuits. The Netopia Firmware Version 5.4 supports up to eight permanent virtual circuits. Multi
WAN and System Configuration 2-17: 3. To add a circuit, select Add Circuit and press Return. The Add Circuit screen appears. Enter a name for the circ
2-18 Firmware User Guide: Quality of Service (QoS) settings. Select the QoS (Quality of Service) setting from the pop-up menu: UBR or CBR. UBR: No confi
WAN and System Configuration 2-19: Note: With multiple VCs you must explicitly statically bind the second (and all subsequent) VCs to a profile. The firs
2-20 Firmware User Guide: Editing circuits. You configure Virtual Circuits in the ATM Circuits Configuration screen. From the Main Menu, navigate to the AT
WAN and System Configuration 2-21: Choosing Show/Change Circuit (or Delete Circuit) displays a pop-up menu that allows you to select the circuit to be
iv Firmware User Guide: Modifying a scheduled connection ... 2-34; Deleting a scheduled connection ... 2-34; Sys
2-22 Firmware User Guide: Circuit Enabled allows you to enable or disable the circuit, using the Tab key. The default is enabled. Traffic Type allows
WAN and System Configuration 2-23: Select VC Traffic Statistics. The ATM VC Statistics screen appears. To display more information about each circuit as
2-24 Firmware User Guide: Creating a New Connection Profile. Connection profiles are useful for configuring the connection and authentication settings for n
WAN and System Configuration 2-25: Multiple Data Link Encapsulation Settings. 4. Select Encapsulation Options and press Return. ❥ If you selected ATMP, PP
2-26 Firmware User Guide: Return to the Add Connection Profile screen by pressing Escape. 5. Select IP Profile Parameters and press Return. The IP Profile
WAN and System Configuration 2-27: 6. Toggle or enter any IP Parameters you require and return to the Add Connection Profile screen by pressing Escape.
2-28 Firmware User Guide: The Default Profile. If you are using RFC1483 data link encapsulation, the Default Profile screen controls whether or not the DSL
WAN and System Configuration 2-29: IP parameters (default profile) screen. If you are using RFC1483 datalink encapsulation, the IP Parameters (Default Pro
2-30 Firmware User Guide: Viewing scheduled connections. To display a table of scheduled connections, select Display/Change Scheduled Connection in the S
WAN and System Configuration 2-31: The other columns show: The time of day that the connection will Begin At; The duration of the connection (HH:MM)
Contents v: IP profile parameters ... 3-21; IP Parameters (WAN Default Profile) ... 3-23; NAT Assoc
2-32 Firmware User Guide: demand call on the line. Demand-Allowed, meaning that this schedule will permit a demand call on the line. Demand-Blocked,
WAN and System Configuration 2-33: Set Once-Only Schedule. If you set How Often to Once Only, select Set Once-Only Schedule and go to the Set Once-Only S
2-34 Firmware User Guide: Modifying a scheduled connection. To modify a scheduled connection, select Display/Change Scheduled Connection in the Scheduled
WAN and System Configuration 2-35: System Configuration Screens. System configuration features. The Netopia Firmware Version 5.4 default settings may be all
2-36 Firmware User Guide: The System Configuration menu screen appears. IP Setup. These screens allow you to configure your network’s use of the IP networki
WAN and System Configuration 2-37: Stateful Inspection firewall. Stateful inspection firewall is a security feature that prevents unsolicited inbound acces
2-38 Firmware User Guide: Stateful Inspection Options. Enable and configure stateful inspection on a WAN interface. When you create or modify a Connection
WAN and System Configuration 2-39: Max. TCP Sequence Number Difference: Enter a value in this field. This value represents the maximum sequence number
2-40 Firmware User Guide: Exposed Addresses. You can specify the IP addresses you want to expose by selecting Add Exposed Address List and pressing Retur
WAN and System Configuration 2-41: Start Address: Start IP Address of the exposed host range. End Address: End IP Address of the exposed host range
vi Firmware User Guide: Adding an IKE Phase 1 Profile ... 5-4; Changing an IKE Phase 1 Profile ... 5
2-42 Firmware User Guide: Date and time. You can set the system’s date and time parameters in the Set Date and Time screen. Select Date and Time in the Sy
WAN and System Configuration 2-43: Console Configuration. You can change the default terminal communications parameters to suit your requirements. To go to
2-44 Firmware User Guide: RFC-1483 Transparent Bridging. This feature allows you to turn off the routing features and use your device as a bridge. If you
WAN and System Configuration 2-45: You can reinstate router mode by returning to the System Configuration menu. Select Change Device to a Router. Press Re
2-46 Firmware User Guide: Logging. You can configure a UNIX-compatible syslog client to report a number of subsets of the events entered in the router’s W
WAN and System Configuration 2-47: You will need to install a Syslog client daemon program on your PC and configure it to report the WAN events you spec
2-48 Firmware User Guide
Multiple Network Address Translation 3-1: Chapter 3 Multiple Network A
3-2 Firmware User Guide: Features. MultiNAT features can be divided into several categories that can be used simultaneously in different combinations on
Multiple Network Address Translation 3-3: Dynamic mapping. Dynamic mapping, often referred to as many-to-few, offers an extension to the advantages prov
Contents vii: Event Logs ... 7-12; SNMP Support ...
3-4 Firmware User Guide: Exterior addresses are allocated to internal hosts on a demand, or as-needed, basis and then made available when traffic from t
Multiple Network Address Translation 3-5: Complex maps. Map lists and server lists are completely independent of each other. A Connection Profile can use
3-6 Firmware User Guide: Currently there is a restriction that the remote user must be routed to via the WAN interface, otherwise the connections will
Multiple Network Address Translation 3-7: Server Lists and Dynamic NAT configuration. You use the advanced NAT feature sets by first defining a series of m
3-8 Firmware User Guide: Select Network Address Translation (NAT) and press Return. The Network Address Translation screen appears. Public Range defines a
Multiple Network Address Translation 3-9: NAT rules. The following rules apply to assigning NAT ranges and server lists: Static public address ranges m
3-10 Firmware User Guide: Select First Public Address and enter the first exterior IP address in the range you want to assign. Select Last Public Addres
Multiple Network Address Translation 3-11: Select Add Map and press Return. The Add NAT Map screen appears. Select First and Last Private Address a
3-12 Firmware User Guide: mapping and press Return. If none of your preconfigured ranges are suitable for this mapping, you can select <<NEW RANGE
Multiple Network Address Translation 3-13: Modifying map lists. You can make changes to an existing map list after you have created it. Since there may
viii Firmware User Guide: Advanced Security Options ... 10-5; User access password ...
3-14 Firmware User Guide: Add Map allows you to add a new map to the map list. Show/Change Maps allows you to modify the individual maps within the
Multiple Network Address Translation 3-15: Adding Server Lists. Server lists, also known as Exports, are handled similarly to map lists. If you want to
3-16 Firmware User Guide: Select Add Server and press Return. The Add NAT Server screen appears. Select Service and press Return. A pop-up menu appe
Multiple Network Address Translation 3-17: Enter the First and Last Port Number between ports 1 and 65535. Select OK and press Return. You will be r
3-18 Firmware User Guide: Modifying server lists. Once a server list exists, you can select it for modification or deletion. Select Show/Change Server Li
Multiple Network Address Translation 3-19: Selecting Show/Change Server or Delete Server displays the same pop-up menu. Select any server from the li
3-20 Firmware User Guide: Deleting a server. To delete a server from the list, select Delete Server from the Show/Change NAT Server List menu and press
Multiple Network Address Translation 3-21: Binding Map Lists and Server Lists. Once you have created your map lists and server lists, for most Netopia R
3-22 Firmware User Guide: Select NAT Map List and press Return. A pop-up menu displays a list of your defined map lists. Select the map list you want
Multiple Network Address Translation 3-23: IP Parameters (WAN Default Profile). The Netopia Firmware Version 5.4 using RFC 1483 supports a WAN default pr
Contents ix: Updating firmware ... 11-7; Downloading configuration files ... 11-8; Upload
3-24 Firmware User Guide: Select NAT Map List and press Return. A pop-up menu displays a list of your defined map lists. Select the map list you want
Multiple Network Address Translation 3-25: NAT Associations. Configuration of map and server lists alone is not sufficient to enable NAT for a WAN connect
3-26 Firmware User Guide: keys. Select the item by pressing Return to display a pop-up menu of all of your configured lists. Select the list name you w
Multiple Network Address Translation 3-27: IP Passthrough. Netopia Firmware Version 5.4 offers an IP passthrough feature. The IP passthrough feature all
3-28 Firmware User Guide: The IP Profile Parameters screen, found under the WAN Configuration menu, Add/Change Connection Profile screen, appears as shown
Multiple Network Address Translation 3-29: Toggling IP Passthrough DHCP Enabled to Yes displays the IP Passthrough DHCP MAC address field. This is an e
3-30 Firmware User Guide: A restriction. Since both the router and the passthrough host will use the same IP address, new sessions that conflict with existing
Multiple Network Address Translation 3-31: MultiNAT Configuration Example. To help you understand a typical MultiNAT configuration, this section describes
3-32 Firmware User Guide: Enter your ISP-supplied values as shown below. Select NEXT SCREEN and press Return. Your IP values are shown here. Then navigate
Multiple Network Address Translation 3-33: Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned f