Vigor3220 Series User’s Guide 


MTU

It means the Max Transmit Unit for a packet.

TTL

Change the TTL value – Enable or disable changing the TTL (Time to Live) value of a packet transmitted through Vigor router.
Enable – The TTL value will be reduced (-1) when the packet passes through Vigor router. This can cause a client accessing the Internet through Vigor router to be blocked by certain ISPs when the TTL value becomes “0”.
Disable – The TTL value will not be reduced. Then, when a packet passes through Vigor router, it will not be cancelled. That is, the client who sends out the packet will not be blocked by the ISP.

PPP/MP Setup

PPP Authentication – Select PAP only or PAP or CHAP for PPP.
Idle Timeout – Set the timeout after which the Internet connection is dropped when there has been no activity.

IP Address Assignment Method (IPCP)

Usually the ISP dynamically assigns an IP address to you each time you connect to it and make a request. In some cases, your ISP provides a service that always assigns you the same IP address whenever you request one. In this case, you can fill in this IP address in the Fixed IP field. Please contact your ISP before you use this function.
WAN IP Alias – If you have multiple public IP addresses and would like to utilize them on the WAN interface, please use WAN IP Alias. You can set up to 32 public IP addresses other than the current one you are using. Type the additional WAN IP address and check the Enable box. Then click OK to exit the dialog.
Fixed IP – Click Yes to use this function and type a fixed IP address in the Fixed IP Address box.
Default MAC Address – You can use Default MAC Address or specify another MAC address for the router by typing it in the MAC Address boxes.
Specify a MAC Address – Type the MAC address for the router manually.

After finishing all the settings here, please click OK to activate them. 
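The effect of the TTL option described above, modelled as an added example (this is not DrayTek code; the function names, the change_ttl flag standing in for "Change the TTL value", and the sample addresses are assumptions made for illustration). A packet that arrives with TTL 1 is dropped when the router reduces the TTL and is forwarded unchanged when the option is disabled; when the TTL is reduced, the IPv4 header checksum has to be recomputed.

```python
import socket
import struct
from typing import Optional


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 1071).

    Returns 0 when called on a header whose checksum field is already valid.
    """
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, ttl: int, proto: int = 6) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample, no options)."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                # version 4, header length 5 words
        0,                   # DSCP/ECN
        20,                  # total length: header only
        0x1234,              # identification (arbitrary sample value)
        0x4000,              # flags: don't fragment
        ttl,
        proto,
        0,                   # checksum placeholder
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    header = bytearray(fields)
    struct.pack_into("!H", header, 10, ipv4_checksum(fields))
    return bytes(header)


def forward(header: bytes, change_ttl: bool) -> Optional[bytes]:
    """Model the router forwarding one packet.

    change_ttl=True  -> TTL is reduced by 1; the packet is dropped (None)
                        if the TTL would become 0.
    change_ttl=False -> the header is passed through untouched.
    """
    if len(header) < 20 or ipv4_checksum(header[:20]) != 0:
        raise ValueError("malformed IPv4 header or bad checksum")
    if not change_ttl:
        return header
    ttl = header[8]
    if ttl <= 1:
        return None          # TTL would reach 0: packet is not delivered
    out = bytearray(header)
    out[8] = ttl - 1
    out[10:12] = b"\x00\x00"  # zero the old checksum before recomputing
    struct.pack_into("!H", out, 10, ipv4_checksum(bytes(out)))
    return bytes(out)


def ttl_seen_by_client(arrival_ttl: int, change_ttl: bool) -> Optional[int]:
    """TTL the LAN client receives, or None if the router dropped the packet."""
    # Constructed sample: documentation-range addresses (RFC 5737).
    pkt = build_header("198.51.100.7", "192.0.2.10", arrival_ttl)
    out = forward(pkt, change_ttl)
    return None if out is None else out[8]


if __name__ == "__main__":
    for ttl in (1, 2, 64):
        print(f"arrival TTL {ttl:>2}: "
              f"Enable -> {ttl_seen_by_client(ttl, True)}, "
              f"Disable -> {ttl_seen_by_client(ttl, False)}")
```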

II-1-2-2 Details Page for Static or Dynamic IP in Ethernet WAN


For static IP mode, you usually receive a fixed public IP address or a public subnet (that is, multiple public IP addresses) from your DSL or Cable ISP. In most cases, a Cable service provider will offer a fixed public IP, while a DSL service provider will offer a public subnet. If you have a public subnet, you can assign one or more IP addresses to the WAN interface.

To use Static or Dynamic IP as the protocol for accessing the Internet, please click the Static or Dynamic IP tab. The following web page will be shown.

Summary of Contents for VIGOR3220 SERIES

Page 1: ......

Page 2: ...Vigor3220 Series User s Guide ii Vigor3220 Series Multi WAN Security Firewall User s Guide Version 1 2 Firmware Version V3 8 4 1 For future update please visit DrayTek web site Date September 12 2017 ...

Page 3: ...warrant to the original end user purchaser that the router will be free from any defects in workmanship or materials for a period of two 2 years from the date of purchase from the dealer Please keep your purchase receipt in a safe place as it serves as proof of date of purchase During the warranty period and upon proof of purchase should the product have indications of failure due to faulty workma...

Page 4: ...Vigor Router 41 Part II Connectivity 45 II 1 WAN 46 Web User Interface 48 II 1 1 General Setup 48 II 1 1 1 WAN1 WAN4 Ethernet 49 II 1 1 2 WAN5 USB 50 II 1 2 Internet Access 53 II 1 2 1 Details Page for PPPoE in Etherenet WAN 55 II 1 2 2 Details Page for Static or Dynamic IP in Etherenet WAN 56 II 1 2 3 Details Page for PPTP L2TP in Etherenet WAN 60 II 1 2 4 Details Page for 3G 4G USB Modem PPP mod...

Page 5: ...IP Routed Subnet 103 II 2 2 VLAN 105 II 2 3 Bind IP to MAC 108 II 2 4 LAN Port Mirror 110 II 2 5 Web Portal Setup 111 II 3 NAT 114 Web User Interface 115 II 3 1 Port Redirection 115 II 3 2 DMZ Host 119 II 3 3 Open Ports 122 II 3 4 Port Triggering 124 II 4 Applications 127 Web User Interface 129 II 4 1 Dynamic DNS 129 II 4 2 LAN DNS DNS Forwarding 132 II 4 3 DNS Security 136 II 4 3 1 General Setup ...

Page 6: ...A 3 How to setup Load Balance for Packets 184 Part III Wireless LAN 187 III 1 Wireless LAN 188 Web User Interface 191 III 1 1 Wireless Wizard 191 III 1 2 General Setup 194 III 1 3 Security 196 III 1 4 Access Control 198 III 1 5 WPS 199 III 1 6 WDS 202 III 1 7 Advanced Setting 205 III 1 8 AP Discovery 208 III 1 9 Station List 209 III 1 10 Station Control 210 III 1 11 Bandwidth Management 211 Part I...

Page 7: ... Part V Security 283 V 1 Firewall 284 Web User Interface 286 V 1 1 General Setup 286 V 1 2 Filter Setup 291 V 1 3 DoS Defense 298 Application Notes 302 A 1 How to Configure Certain Computers Accessing to Internet 302 V 2 CSM Central Security Management 306 Web User Interface 307 V 2 1 APP Enforcement Profile 307 V 2 2 APPE Signature Upgrade 309 V 2 3 URL Content Filter Profile 310 V 2 4 Web Conten...

Page 8: ...ow to Optimize the Bandwidth through QoS Technology 377 A 2 QoS Setting Example 382 VI 3 User Management 386 Web User Interface 387 VI 3 1 General Setup 387 VI 3 2 User Profile 389 VI 3 3 User Group 394 VI 3 4 User Online Status 395 Application Notes 397 A 1 How to authenticate clients via User Management 397 A 2 How to use Landing Page Feature 406 VI 4 Central Management VPN 411 Web User Interfac...

Page 9: ...lance 455 VI 5 12 Function Support List 456 VI 6 Central Management Switch 457 VI 6 1 Status 457 VI 6 1 1 Switch Status 457 VI 6 1 2 Switch Hierarchy 459 VI 6 2 Profile 460 VI 6 3 Group 463 VI 6 4 Maintenance 465 VI 6 5 Support List 466 Application Notes 467 A 1 How to set up VLAN on VigorSwitch with Central Switch Management SWM 467 VI 7 External Devices 471 Part VII Others 473 VII 1 Objects Sett...

Page 10: ...face 521 VIII 1 1 Dial out Triggering 521 VIII 1 2 Routing Table 522 VIII 1 3 ARP Cache Table 523 VIII 1 4 IPv6 Neighbour Table 524 VIII 1 5 DHCP Table 525 VIII 1 6 NAT Sessions Table 526 VIII 1 7 DNS Cache Table 527 VIII 1 8 Ping Diagnosis 528 VIII 1 9 Data Flow Monitor 530 VIII 1 10 Traffic Graph 532 VIII 1 11 Trace Route 533 VIII 1 12 Syslog Explorer 534 VIII 1 13 IPv6 TSPC Status 535 VIII 1 14...

Page 11: ... on Vigor Router 551 Part IX DrayTek Tools 559 IX 1 SmartVPN Client 560 IX 1 1 DrayTek Android based SmartVPN APP for the establishment of SSL VPN connection 560 IX 1 2 How to Use SmartVPN Android APP to Establish SSL VPN Tunnel 561 Part X Telnet Commands 565 Accessing Telnet of Vigor3220 566 ...

Page 12: ......

Page 13: ...Vigor3220 Series User s Guide 1 P Pa ar rt t I I I In ns st ta al ll la at ti io on n This part will introduce Vigor router and guide to install the device in hardware and software ...

Page 14: ...layer QoS NAT session bandwidth management to help users control works well with large bandwidth By adopting hardware based VPN platform and hardware encryption of AES DES 3DES the router increases the performance of VPN greatly and offers several protocols such as IPSec PPTP L2TP with up to 100 VPN tunnels The object based design used in SPI Stateful Packet Inspection firewall allows users to set...

Page 15: ... wireless LAN WLAN Off The WLAN function is inactive On The WAN connection is ready WAN1 WAN4 Blinking It will blink while transmitting data On The VPN tunnel is active Off VPN services are disabled VPN Blinking Traffic is passing through VPN tunnel LED on Connector On The port is connected Off The port is disconnected Left LED Green Blinking The data is transmitting On The port is connected with ...

Page 16: ...conds to wait for client s device making network connection through WPS Factory Reset Restore the default settings Usage Turn on the router ACT LED is blinking Press the hole and keep for more than 5 seconds When you see the ACT LED begins to blink rapidly than usual release the button Then the router will restart with the factory default configuration Console Connecter reserved for RD debug DMZ C...

Page 17: ...nd of an Ethernet cable RJ 45 to the LAN port of the router and the other end of the cable RJ 45 into the Ethernet port on your computer Or use a switch to connect Vigor router and computer s 3 Connect one end of the power adapter to the router s power port on the rear panel and the other side into a wall outlet 4 Power on the device by pressing down the power switch on the rear panel 5 The system...

Page 18: ...PCs connected this router can print documents via the router The example provided here is made based on Windows 7 For other Windows system please visit www DrayTek com Before using it please follow the steps below to configure settings for connected computers or wireless clients 1 Connect the printer with the router through USB parallel port 2 Open All Programs Getting Started Devices and Printers...

Page 19: ...User s Guide 7 4 A dialog will appear Click Add a local printer and click Next 5 In this dialog choose Create a new port In the field of Type of port use the drop down list to select Standard TCP IP Port Then click Next ...

Page 20: ...s User s Guide 8 6 In the following dialog type 192 168 1 1 router s LAN IP in the field of Hostname or IP Address and type 192 168 1 1 as the Port name Then click Next 7 Click Standard and choose Generic Network Card ...

Page 21: ... your system will ask you to choose right name of the printer that you installed onto the router Such step can make correct driver loaded onto your PC When you finish the selection click Next 9 Type a name for the chosen printer Click Next ...

Page 22: ...Vigor3220 Series User s Guide 10 10 Choose Do not share this printer and click Next 11 Then in the following dialog click Finish ...

Page 23: ...Guide 11 12 The new printer has been added and displayed under Printers and Faxes Click the new printer icon and click Printer server properties 13 Edit the property of the new printer you have added by clicking Configure Port ...

Page 24: ...Vigor3220 Series User s Guide 12 14 Select LPR on Protocol type p1 number 1 as Queue Name Then click OK Next please refer to the red rectangle for choosing the correct protocol and LPR name ...

Page 25: ...r additional functions are not supported If you do not know whether your printer is supported or not please visit www draytek com to find out the printer list Open Support FAQ Application Notes find out the link of USB Printer Server and click it Then click the What types of printers are compatible with Vigor router link Note 2 Vigor router supports printing request from computers via LAN ports bu...

Page 26: ...the same subnet as the default IP address of Vigor router 192 168 1 1 For the detailed information please refer to the later section Trouble Shooting of the guide 2 Open a web browser on your PC and type http 192 168 1 1 The following window will be open to ask for username and password 3 Please type admin admin as the Username Password and click Login Info If you fail to access to the web configu...

Page 27: ...fferent slightly in accordance with the type of the router you have 5 The web page can be logged out according to the chosen condition The default setting is Auto Logout which means the web configuration system will logout after 5 minutes without any operation Change the setting for your necessity ...

Page 28: ...ype admin admin as Username Password for accessing into the web user interface with admin mode 3 Go to System Maintenance page and choose Administrator Password 4 Enter the login password the default is admin on the field of Old Password Type New Password and Confirm Password Then click OK to continue Info The maximum length of the password you can set is 23 characters 5 Now the password has been ...

Page 29: ...Vigor3220 Series User s Guide 17 Info Even the password is changed the Username for logging onto the web user interface is still admin ...

Page 30: ... status including System Information IPv4 Internet Access IPv6 Internet Access Interface physical connection Security and Quick Access Click Dashboard from the main menu on the left side of the main page A web page with default selections will be displayed on the screen Refer to the following figure ...

Page 31: ...n for you to configure if required Port Color Description Black DMZ port is disconnected Orange DMZ port is connected at 10 100 Mbps DMZ Green DMZ port is connected at 1 Gbps Black LAN port is disconnected Orange LAN port is connected at 10 100 Mbps LAN Green LAN port is connected at 1 Gbps Black WAN2 port is disconnected Orange WAN2 port is connected at 10 100 Mbps GigaWAN 1 4 Green WAN2 port is ...

Page 32: ...nu items which can be accessed in a quick way just for convenience Look at the right side of the Dashboard You will find a group of common used functions grouped under Quick Access The function links of System Status Dynamic DDNS TR 069 User Management IM P2P Block Schedule Syslog Mail Alert LDAP RADIUS Firewall Object Setting and Data Flow Monitor are displayed here Move your mouse cursor on any ...

Page 33: ...st connected physically to the router via LAN port s will be displayed with green circles in the field of Connected All of the hosts including wireless clients displayed with Host ID IP Address and MAC address indicates that the traffic would be transmitted through LAN port s and then the WAN port The purpose is to perform the traffic monitor of the host s ...

Page 34: ...p All the functions the router supports are listed with table clearly in this page Users can click the function link to access into the setting page of the function for detailed configuration Click the icon on the top of the main screen to display all the functions ...

Page 35: ...elnet command via DOS prompt The changes made by using web console have the same effects as modified through web user interface The functions settings modified under Web Console also can be reviewed on the web user interface Click the Web Console icon on the top of the main screen to open the following screen ...

Page 36: ...e Config Backup icon It allows you to backup current settings as a file Such configuration file can be restored by using System Maintenance Configuration Backup Simply click the icon on the top of the main screen and a pop up dialog will appear Click Save to store the setting I I 5 5 7 7 L Lo og go ou ut t Click this icon to exit the web user interface ...

Page 37: ...e e S St ta at tu us s I I 5 5 8 8 1 1 P Ph hy ys si ic ca al l C Co on nn ne ec ct ti io on n Such page displays the physical connection status such as LAN connection status WAN connection status ADSL information and so on Physical Connection for IPv4 Protocol ...

Page 38: ...the name of the router Mode Displays the type of WAN connection e g PPPoE Up Time Displays the total uptime of the interface IP Displays the IP address of the WAN interface GW IP Displays the IP address of the default gateway TX Packets Displays the total transmitted packets at the WAN interface TX Rate Displays the speed of transmitted octets at the WAN interface RX Packets Displays the total num...

Page 39: ...the IP address of the WAN interface Gateway IP Displays the IP address of the default gateway Info The words in green mean that the WAN connection of that interface is ready for accessing Internet the words in red mean that the WAN connection of that interface is not ready for accessing Internet I I 5 5 8 8 2 2 V Vi ir rt tu ua al l W WA AN N Such page displays the virtual WAN connection informati...

Page 40: ...rd please click Next On the next page as shown below please select the WAN interface WAN 1 to WAN5 that you use If Ethernet interface is used please choose WAN1 WAN4 If USB interface is used choose WAN5 For WAN 1 to WAN4 choose Auto negotiation as the physical type for your router Here we take WAN1 as an example Then click Next for next step WAN1 WAN4 and WAN5 will bring up different configuration...

Page 41: ...your ISP For example you should select PPPoE mode if the ISP provides you PPPoE interface P PP PP Po oE E 1 Choose WAN1 as the WAN Interface and click the Next button The following page will be open for you to specify Internet Access Type 2 Click PPPoE as the Internet Access Type Then click Next to continue Available settings are explained as follows Item Description Service Name Optional Enter th...

Page 42: ... set is 62 characters Confirm Password Retype the password Back Click it to return to previous setting page Next Click it to get into the next setting page Cancel Click it to give up the quick start wizard 3 Please manually enter the Username Password provided by your ISP Click Next for viewing summary of such connection 4 Click Finish A page of Quick Start Wizard Setup OK will appear Then the sys...

Page 43: ...e 2 Click PPTP L2TP as the Internet Access Type Then click Next to continue Available settings are explained as follows Item Description User Name Assign a specific valid user name provided by the ISP Note The maximum length of the user name you can set is 63 characters Password Assign a valid password provided by the ISP Note The maximum length of the password you can set is 62 characters ...

Page 44: ...address for the router Second DNS Type in secondary IP address for necessity in the future PPTP Server L2TP Server Type the IP address of the server Back Click it to return to previous setting page Next Click it to get into the next setting page Cancel Click it to give up the quick start wizard 3 Please type in the IP address mask gateway information originally provided by your ISP Then click Next...

Page 45: ...Next to continue Available settings are explained as follows Item Description WAN IP Type the IP address Subnet Mask Type the subnet mask Gateway Type the IP address of gateway Primary DNS Type in the primary IP address for the router Secondary DNS Type in secondary IP address for necessity in the future Back Click it to return to previous setting page Next Click it to get into the next setting pa...

Page 46: ...the IP address information originally provided by your ISP Then click Next for next step 4 Click Finish A page of Quick Start Wizard Setup OK will appear Then the system status of this protocol will be shown 5 Now you can enjoy surfing on the Internet ...

Page 47: ...ailable settings are explained as follows Item Description Host Name Type the name of the host Note The maximum length of the host name you can set is 39 characters MAC Some Cable service providers specify a specific MAC address for access authentication In such cases you need to enter the MAC address Back Click it to return to previous setting page Next Click it to get into the next setting page ...

Page 48: ... finished the settings above click Next for viewing summary of such connection 4 Click Finish A page of Quick Start Wizard Setup OK will appear Then the system status of this protocol will be shown 5 Now you can enjoy surfing on the Internet ...

Page 49: ...of the selections as the protocol of accessing the internet 3G 4G USB Modem PPP mode SIM Pin code Type PIN code of the SIM card that will be used to access Internet The maximum length of the pin code you can set is 15 characters Modem Initial String Such value is used to initialize USB modem Please use the default value If you have any question please contact to your ISP The maximum length of the ...

Page 50: ...ose 4G 3G 2G as network mode the router will choose a suitable one according to the actual wireless signal automatically APN Name APN means Access Point Name which is provided and required by some ISPs Info Such mode 4G USB Modem DHCP mode is supported by WAN3 only 3 Then click Next for viewing summary of such connection 4 Click Finish A page of Quick Start Wizard Setup OK will appear Then the sys...

Page 51: ... For using Web Content Filter Profile please refer to later section Web Content Filter Profile for detailed information Now follow the steps listed below to activate WCF feature for your router Info Such function is available only for Admin Mode 1 Open Wizards Service Activation Wizard 2 In the following page you can activate the Web content filter services and APPE Enforcement service at the same...

Page 52: ...ng confirmation page will be displayed as follows please click Activate Info The service will be activated and applied as the default rule configured in Firewall General Setup 4 Now the web page will display the service that you have activated according to your selection s The valid time for the free trial of these services is one month ...

Page 53: ...o register your Vigor router to MyVigor website for getting more service Please follow the steps below to finish the router registration 1 Please login the web configuration interface of Vigor router by typing admin admin as User Name Password 2 Click Support Area Production Registration from the home page 3 A Login page will be shown on the screen Please type the account and password that you cre...

Page 54: ... section Creating an Account for MyVigor to create your own one Please read the articles on the Agreement regarding user rights carefully while creating a user account 4 The following page will be displayed after you logging in MyVigor From this page please click Add or Product Registration ...

Page 55: ...opup calendar it appears when you click on the box of Registration Date After adding the basic information for the router please click Submit 6 When the following page appears your router information has been added to the database 7 After clicking OK you will see the following page Your router has been registered to myvigor website successfully Vigor3220 ...

Page 56: ...Vigor3220 Series User s Guide 44 This page is left blank ...

Page 57: ...of subnets regulated and ruled by router The design of network structure is related to what type of public IP addresses coming from your ISP When the data flow passing through the Network Address Translation NAT function of the router will dedicate to translate public private addresses and the packets will be delivered to the correct host PC in the local area network DNS LAN DNS UPnP IGMP WOL RADI...

Page 58: ...c private addresses and the packets will be delivered to the correct host PC in the local area network Thus all the host PCs can share a common Internet connection G Ge et t Y Yo ou ur r P Pu ub bl li ic c I IP P A Ad dd dr re es ss s f fr ro om m I IS SP P In ADSL deployment the PPP Point to Point style authentication and authorization is required for bridging customer premises equipment CPE Poin...

Page 59: ... still can be used and Load Balance can be done in the router Besides 3G 4G USB Modem in WAN3 WAN4 also can be used as backup device Therefore when WAN1 and WAN2 are not available the router will use 3 5G for supporting automatically The supported 3G 4G USB Modem will be listed on DrayTek web site Please visit www draytek com for more detailed information ...

Page 60: ... is disabled If you want to enable it simply click the WAN2 link and select Yes in the field of Enable Available settings are explained as follows Item Description Load Balance Mode This option is available for multiple WAN for getting enough bandwidth for each WAN port If you know the practical bandwidth for your WAN interface please choose the setting of According to Line Speed Otherwise please ...

Page 61: ...ettings I II I 1 1 1 1 1 1 W WA AN N1 1 W WA AN N4 4 E Et th he er rn ne et t Ethernet is the Physical Mode for WAN1 to WAN4 Available settings are explained as follows Item Description Enable Choose Yes to invoke the settings for this WAN interface Choose No to disable the settings for this WAN interface Display Name Type the description for such WAN interface Physical Mode Display the physical m...

Page 62: ...tivated always Load Balance Check this box to enable auto load balance function for such WAN interface When the data traffic is large the WAN interface with the function enabled will balance the data transmission automatically among all of the WAN interfaces in connection status Failover Choose it to make the WAN connection as a backup connection WAN Failure When the active WAN failed such WAN wil...

Page 63: ...uploading for such WAN interface The unit is kbps Active Mode Always On Choose Always On to make the WAN5 connection being activated always Load Balance Check this box to enable auto load balance function for such WAN interface When the data traffic is large the WAN interface with the function enabled will balance the data transmission automatically among all of the WAN interfaces in connection st...

Page 64: ... connection will be activated when any selected WAN interface checked below disconnects All of the selected WAN disconnect Such WAN connection will be activated only when all of selected WAN interfaces checked below disconnect Check boxes for WAN1 to WAN5 Specify the WAN interface by checking the WAN box After finished the above settings click OK to save the settings ...

Page 65: ... the WAN interface Display Name It shows the name of the WAN1 WAN2 WAN3 WAN4 WAN5 that entered in general setup Physical Mode It shows the physical connection for WAN1 4 Ethernet WAN5 3G 4G USB Modem according to the real network connection Access Mode Use the drop down list to choose a proper access mode The details page of that mode will be popped up If not click Details Page for accessing the p...

Page 66: ... function of DHCP Option Each DHCP option is composed by an option number with data For example Option number 100 Data abcd When such function is enabled the specified values for DHCP option will be seen in DHCP reply packets Interface Specify the WAN interface s that will be overwritten by such function WAN5 WAN7 can be located under WAN Multi PVC VLAN Option Number Type a number for such functio...

Page 67: ...me Optional Enter the description of the specific network service Username Type in the username provided by ISP in this field The maximum length of the user name you can set is 63 characters Password Type in the password provided by ISP in this field The maximum length of the password you can set is 62 characters Index 1 15 in Schedule Setup You can type in four sets of time schedule for your requ...

Page 68: ...dresses and would like to utilize them on the WAN interface please use WAN IP Alias You can set up to 32 public IP addresses other than the current one you are using Type the additional WAN IP address and check the Enable box Then click OK to exit the dialog Fixed IP Click Yes to use this function and type in a fixed IP address in the box of Fixed IP Address Default MAC Address You can use Default...

Page 69: ... activate this function PING to the IP If you enable the PING function please specify the IP address for the system to PING it for keeping alive PING Interval Enter the interval for the system to execute the PING operation WAN Connection Detection Such function allows you to verify whether network connection is alive or not through ARP Detect or Ping Detect Mode Choose Always On ARP Detect or Ping...

Page 70: ...who sends out the packet will not be blocked by ISP WAN IP Network Settings This group allows you to obtain an IP address automatically and allows you type in IP address manually WAN IP Alias If you have multiple public IP addresses and would like to utilize them on the WAN interface please use WAN IP Alias You can set up to 32 public IP addresses other than the current one you are using Obtain an...

Page 71: ...k the Specify a MAC Address and enter the MAC address in the MAC Address field DNS Server IP Address Type in the primary IP address for the router if you want to use Static IP mode If necessary type in secondary IP address for necessity in the future After finishing all the settings here please click OK to activate them ...

Page 72: ...PPTP L2TP client mode Specify Gateway IP Address Specify the gateway IP address for DHCP server ISP Access Setup Username Type in the username provided by ISP in this field The maximum length of the user name you can set is 63 characters Password Type in the password provided by ISP in this field The maximum length of the password you can set is 62 characters Index 1 15 in Schedule Setup You can t...

Page 73: ...ettings Obtain an IP address automatically Click this button to obtain the IP address automatically Specify an IP address Click this radio button to specify some data IP Address Type the IP address Subnet Mask Type the subnet mask After finishing all the settings here please click OK to activate them I II I 1 1 2 2 4 4 D De et ta ai il ls s P Pa ag ge e f fo or r 3 3G G 4 4G G U US SB B M Mo od de...

Page 74: ... Such value is used to dial through USB mode Please use the default value If you have any question please contact to your ISP The maximum length of the string you can set is 31 characters Service Name Enter the description of the specific network service PPP Username Type the PPP username optional The maximum length of the name you can set is 63 characters PPP Password Type the PPP password option...

Page 75: ... m mo od de e i in n U US SB B W WA AN N To use 3G 4G USB Modem DHCP mode as the accessing protocol of the internet please choose Internet Access from WAN menu Then select 3G 4G USB Modem DHCP mode for WAN3 WAN4 The following web page will be shown Available settings are explained as follows Item Description Modem Support List It lists all of the modems supported by such router 3G 4G USB Modem DHC...

Page 76: ... can enable this setting to use current WAN gateway IP address for pinging With the IP address es pinging Vigor router can check if the WAN connection is on or off TTL Time to Live Set TTL value of PING operation Ping Interval Type the interval for the system to execute the PING operation Ping Retry Type the number of times that the system is allowed to execute the PING operation before WAN discon...

Page 77: ...ct for the system to execute for WAN detection Always On means no detection will be executed The network connection will be on always Ping IP Hostname If you choose Ping Detect as detection mode you have to type IP address in this field for pinging TTL Time to Live If you choose Ping Detect as detection mode you have to type TTL value RIPng Protocol RIPng RIP next generation offers the same functi...

Page 78: ... connect to IPv6 network easily Please make sure your IPv4 WAN connection is OK and apply one free account from hexago http gogonet gogo6 com page freenet6 account before you try to use TSPC for network connection TSPC would connect to tunnel broker and requests a tunnel according to the specifications inside the configuration file It gets a public IPv6 IP address and an IPv6 prefix from the tunne...

Page 79: ... port number WAN Connection Detection Such function allows you to verify whether network connection is alive or not through Ping Detect Mode Choose Always On or Ping Detect for the system to execute for WAN detection Always On means no detection will be executed The network connection will be on always Ping IP Hostname If you choose Ping Detect as detection mode you have to type IP address in this...

Page 80: ... Type the password assigned with the user name The maximum length of the password you can set is 19 characters Tunnel Broker It means a server of AICCU The server can provide IPv6 tunnels to sites or end users over IPv4 Type the address for the tunnel broker IP FQDN or an optional port number Tunnel ID One user account may have several tunnels And each tunnel shall have one specified tunnel ID e g...

Page 81: ...tect Mode Choose Always On or Ping Detect for the system to execute for WAN detection Ping IP Hostname If you choose Ping Detect as detection mode you have to type IP address in this field for pinging TTL Time to Live If you choose Ping Detect as detection mode you have to type TTL value After finished the above settings click OK to save the settings ...

Page 82: ...h function allows you to verify whether network connection is alive or not through NS Detect or Ping Detect Mode Choose Always On Ping Detect or NS Detect for the system to execute for WAN detection With NS Detect mode the system will check if network connection is established or not like IPv4 ARP Detect Always On means no detection will be executed The network connection will be on always Ping IP...

Page 83: ...ed LAN subnet and such WAN interface After finished the above settings click OK to save the settings II-1-2-11 Details Page for IPv6 Static IPv6 in Ethernet WAN This type allows you to setup static IPv6 address for WAN interface Available settings are explained as follows Item Description Static IPv6 Addr...

Page 84: ...wall It is available when Bridge Mode is enabled When both Bridge Mode and Firewall check boxes are enabled the settings configured user profiles under User Management will be ignored And all of the filter rules defined and enabled in Firewall menu will be activated Bridge Subnet Make a bridge between the selected LAN subnet and such WAN interface After finished the above settings click OK to save...

Page 85: ...allows you to verify whether network connection is alive or not through Ping Detect Mode Choose Always On or Ping Detect for the system to execute for WAN detection Always On means no detection will be executed The network connection will be on always Ping IP Hostname If you choose Ping Detect as detection mode you have to type IP address in this field for pinging TTL Time to Live If you choose Pi...

Page 86: ...thin a given 6rd domain It may be any value between 0 and 32 6rd Prefix Type the 6rd IPv6 address 6rd Prefix Length Type the IPv6 prefix length for the 6rd IPv6 prefix in number of bits WAN Connection Detection Such function allows you to verify whether network connection is alive or not through Ping Detect Mode Choose Always On or Ping Detect for the system to execute for WAN detection Always On ...

Page 88: ...ne that will be used as multi PVC Available settings are explained as follows Item Description Channel Display the number of each channel Channels 1 and 2 are used by the Internet Access web user interface and can not be configured here Channels 5 10 are configurable Enable Display whether the settings in this channel are enabled Yes or not No WAN Type Displays the physical medium that the channel...

Page 89: ...available The user will be able to select the physical WAN interface the channel shall use here General Settings VLAN Tag Type the value as the VLAN ID number Valid settings are in the range from 1 to 4095 The network traffic flowing on each channel will be identified by the system via their VLAN Tags Channels using the same WAN type may not configure the same VLAN tag value Priority Choose the nu...

Page 90: ...o configure the settings listed under ISP Access Setup Enter your allocated username password and authentication parameters according to the information provided by your ISP ISP Name Type in the name of your ISP Username Type in the username provided by ISP in this field The maximum length of the name you can set is 80 characters Password Type in the password provided by ISP in this field The maxi...

Page 91: ... address DNS Server IP Address Type in the primary IP address for the router if you want to use Static IP mode If necessary type in secondary IP address for necessity in the future After finished the above settings click OK to save the settings and return to previous page ...

Page 92: ...al Setup Click WAN1 WAN2 WAN3 WAN4 WAN5 link to open the following web page Available settings are explained as follows Item Description Enable Check the box to enable such function Quota Limit Type the data traffic quota allowed for such WAN interface There are two unit MB and GB offered for you to specify When quota exceeded Check the box(es) as the condition(s) for the system to perfo...

Page 93: ...h an interval of billing cycle Custom Monthly is default setting If long period or a short period is required use Custom The period of cycle duration is between 1 day and 60 days You can determine the cycle duration by specifying the days and the hours In addition you can specify which day of today is in a cycle Cycle duration Specify the days to reset the traffic record For example 7 means the wh...

Page 94: ... on the page if Shutdown WAN interface is selected Which means no data transmission will be carried out Moreover the system will send out a warning message to the administrator if Mail Alert is selected Or the system will send out SMS message to the administrator if SMS message is selected ...

Page 95: ...ress to LAN clients This document introduces how to set up Vigor Router for the LAN clients to obtain an IPv6 address from it 1 Make sure there is a WAN interface that has IPv6 access available See How to configure IPv6 on WAN interface 2 Go to LAN General Setup and click on IPv6 for the LAN subnet to enter IPv6 setting page ...

Page 96: ...6 service available enable DHCPv6 Server and click OK to apply 4 With the above configuration LAN clients will be able to obtain an IPv6 address and an IPv6 Gateway from Vigor Router For Windows PC we may check this by command ipconfig PC will be able to ping and get response from an IPv6 host e.g. ipv6.google.com ...

Page 98: ...mplement an IPv6 address on Vigor Router s WAN 1 Before configuring IPv6 on WAN please make sure the router is connected to the IPv4 Internet 2 Go to WAN Internet Access click on IPv6 of the WAN interface that you would like to configure an IPv6 address 3 Select a Connection Type from the drop down list enter the required parameters Then click OK and reboot the router to apply the settings ...

Page 99: ...ck the status from the IPv6 tab on Online Status Physical Connection page 5 Furthermore Network Administrator may test the connectivity of IPv6 from the router by going to Diagnostics Ping Diagnosis and selecting IPv6 Below we will provide some examples of configuring IPv6 with different connection types ...

Page 100: ...unnel Setup Protocol Client In this mode the IPv6 connectivity is provided by a tunnel broker on the IPv4 Internet through a tunnel set up by Tunnel Setup Protocol TSP To use TSPC you'll need to sign up for a tunnel broker service and get a username and password first then configure the router as follows 1 Set Connection Type to TSPC 2 Enter the User...

Page 101: ... for you you may configure that IPv6 address for WAN by doing the following steps 1 Set Connection Type to Static IPv6 2 Enter the IPv6 address and Prefix Length which provided by the ISP and click Add 3 You should see the IPv6 address in Current IPv6 Address Table Then specify the IP address of IPv6 Gateway ...

Page 102: ...ed manually To use 6in4 Static Tunnel you need sign up for a tunnel broker service and get an IPv6 address and routed IPv6 prefixes first Then configure the router as follows 1 Set Connection Type to 6in4 Static Tunnel 2 Enter the tunnel server s IPv4 address in Remote Endpoint IPv4 Address 3 Enter the router s IPv6 address in 6in4 IPv6 Address 4 Enter the routed IPv6 prefix in LAN Routed Prefix ...

Page 103: ...the packets from public IP address to private IP address to forward the right packets to the right host and vice versa Besides Vigor router has a built in DHCP server that assigns private IP address to each local host See the following diagram for a brief understanding In some special case you may have a public IP subnet from your ISP such as 220.135.240.0/24 This means that you can set up a pub...

Page 104: ...Static Route When you have several subnets in your LAN sometimes a more effective and quicker way for connection is the Static routes function rather than other method You may simply set rules to forward data from one specified subnet to another specified subnet without the presence of RIP What are Virtual LANs and Rate Con...

Page 105: ...t subnets LAN1 LAN6 In addition different subnets can link for each other by configuring Inter LAN Routing At present LAN1 setting is fixed with NAT mode only LAN2 LAN6 can be operated under NAT or Route mode IP Routed Subnet can be operated under Route mode Available settings are explained as follows Item Description General Setup Allow to configure settings for each subnet respectively Index Dis...

Page 106: ... abcd When such function is enabled the specified values for DHCP option will be seen in DHCP reply packets Interface Choose the interface for such option Next Server IP Address SIAddr Type the IP address for the next server Vigor router s DHCP server can redirect clients to a secondary server specified in such field Option Number Type a number for such function DataType Choose the type ASCII or H...

Page 107: ...stoppage of the exchange of routing information between routers Default Enable activate the RIP protocol DHCP Server Configuration DHCP stands for Dynamic Host Configuration Protocol The router by factory default acts a DHCP server for your network so it automatically dispatches related IP settings to any local user configured as a DHCP client It is highly recommended that you leave the router ena...

Page 108: ...he IPs will be used out and then no one will be able to get any IPs from this server anymore Therefore this feature is used to get the IP back from inactive clients i e doesn t use the IP but the server still reserves the IP for him DNS Server IP Address DNS stands for Domain Name System Every Internet host must have a unique IP address also they may have a human friendly easy to remember name suc...

Page 109: ...e tab for each type and refer to the following explanations for detailed information Below shows the settings page for IPv6 It provides 2 daemons for LAN side IPv6 address configuration One is SLAAC stateless and the other is DHCPv6 Server Stateful Available settings are explained as follows Item Description Enable Check the box to enable the configuration of LAN 1 IPv6 Setup WAN Primary Interface...

Page 110: ...rver if required Management Host under LAN can be assigned IP address from Vigor router via the following method SLAAC stateless The IP address with Prefix of the host shall be formed according to RA transmitted by Vigor router DHCPv6 stateful The IP address of the host shall be assigned after communicating with DHCPv6 server for answering the request of client Off No IP address is assigned Other ...

Page 111: ...rtisement server Hop Limit The value is required for the device behind the router when IPv6 is in use Min Max Interval Time sec It defines the interval between minimum time and maximum time for sending RA Router Advertisement packets Default Lifetime sec Within such period of time Vigor2925 can be treated as the default gateway Default Preference It determines the priority of the host behind the ro...

Page 112: ...from the primary WAN but also the prefix for IPv6 LAN IP address can be assigned by extension WAN specified here When you finish the configuration please click OK to save and exit this page ...

Page 113: ...r by factory default acts a DHCP server for your network so it automatically dispatch related IP settings to any local user configured as a DHCP client It is highly recommended that you leave the router enabled as a DHCP server if you do not have a DHCP server for your network Enable Server Let the router assign IP address to every host in the LAN Disable Server Let you manually assign IP address ...

Page 114: ...e IP but the server still reserves the IP for him DNS Server IP Address DNS stands for Domain Name System Every Internet host must have a unique IP address also they may have a human friendly easy to remember name such as www.yahoo.com The DNS server converts the user friendly name into its equivalent IP address Primary IP Address You must specify a DNS server IP address here because your ISP shou...

Page 115: ...P protocol DHCP Server Configuration DHCP stands for Dynamic Host Configuration Protocol The router by factory default acts a DHCP server for your network so it automatically dispatch related IP settings to any local user configured as a DHCP client It is highly recommended that you leave the router enabled as a DHCP server if you do not have a DHCP server for your network If you want to use anoth...

Page 116: ...t one by one and click Add to create a list of hosts which can be assigned deleted or edited from above pool Set a list of MAC Address for 2nd DHCP server will help router to assign the correct IP address of the correct subnet to the correct host So those hosts in 2nd subnet won t get an IP address belonging to 1st subnet Add Type the MAC address in the boxes and click this button to add Delete Cl...

Page 117: ...riorities for LAN side QoS You can assign each of VLANs to each of the different IP subnets that the router may also be operating to provide even more isolation The said functionality is tag based multi subnet Port Based VLAN Relative to tag based VLAN which groups clients with an identifier port based VLAN uses physical ports P1 P6 to separate the clients into different ...

Page 118: ...ged device in P1 to access router It can help users to communicate with the router still even though configuring wrong VLAN tag setting It is recommended to enable the management port LAN 1 to ensure the data transmission is unimpeded Info Leave one VLAN untagged at least to prevent from not connecting to Vigor router due to unexpected error Vigor3220 Series features a hugely flexible VLAN system ...

Page 119: ...4 Click OK 5 Open LAN General Setup If you want to let the clients in both groups communicate with each other simply activate Inter LAN Routing by checking the box between LAN1 and LAN2 ...

Page 120: ...igor Router for more detailed information II-2-3 Bind IP to MAC This function is used to bind the IP and MAC address in LAN to have a strengthening control in network When this function is enabled all the assigned IP and MAC address binding together cannot be changed If you modified the binding IP or MAC address it might cause you not access into the Internet Click LA...

Page 121: ...pecified MAC address Mac Address Type the MAC address that is used to bind with the assigned IP address Comment Type a brief description for the entry Show Comment Check this box to display the comment on IP Bind List box Add It allows you to add the one you choose from the ARP table or the IP MAC address typed in Add and Edit to the table of IP Bind List Update It allows you to edit and modify th...

Page 122: ...ting equipments to be set up Second it may be able to view traffic on one or more ports within a VLAN at the same time Third it can transfer all data traffics to be mirrored to one analyzer connecting to the mirroring port Last it is more convenient and easy to configure in user s interface Available settings are explained as follows Item Description Port Mirror Check Enable to activate this funct...

Page 123: ...ed web page through this router That is a company which wants to have an advertisement for its products to users can specify the URL in this page to reach its goal Each item is explained as follows Item Description Profile Display the number link which allows you to configure the profile Status Display the content Disable URL Redirect or Message of the profile Interface Display the applied interfa...

Page 124: ... URL Redirect Any user who wants to access into Internet through this router will be redirected to the URL specified here first It is a useful method for the purpose of advertisement For example force the wireless user s in hotel to access into the web page that the hotel wants the user s to visit Message Type words or sentences here The message will be displayed on the screen for several seconds ...

Page 125: ... the button with the word defined on Button box to proceed the operation Priority If User Management refer to VII 3 User Management mode and such web portal profile are configured and enabled for filtering users you have to determine which one shall have the highest priority Override user management Web portal profile will be used to filter users first Prefer user management User Management profil...

Page 126: ...lic IP address and the router will do the inversion based on its table Therefore the internal host can communicate with external host smoothly The benefit of the NAT includes Save cost on applying public IP address and apply efficient usage of IP address NAT allows the internal IP addresses of local hosts to be translated into one public IP address thus you can have only one IP address on behalf o...

Page 127: ...ess domain name are recognized by all users Since the server is actually located inside the LAN the network well protected by NAT of the router and identified by its private IP address port the goal of Port Redirection function is to forward all access request with public IP address from external users to the mapping private IP address port of the server The port redirection can only apply to inco...

Page 128: ...he profile Protocol Display the transport layer protocol TCP or UDP Public Port Display the port number which will be redirected to the specified Private IP and Port of the internal host Private IP Display the IP address of the internal host providing the service Status Display if the profile is enabled v or not x Press any number under Index to access into next page for configuring port redirecti...

Page 129: ... box as the ending port Source IP Use the drop down list to specify an IP object Or click IP Object link to create a new one for applying Private IP Specify the private IP address of the internal host providing the service If you choose Range as the port redirection mode you will see two boxes on this field Type a complete IP address in the first box as the starting point The second one will be as...

Page 131: ...ngle host in the LAN Regular web surfing and other such Internet activities from other clients will continue to work without inappropriate interruption DMZ Host allows a defined internal user to be totally exposed to the Internet which usually helps some special applications such as Netmeeting or Internet Games etc The security properties of NAT are somewhat bypassed if you set up DMZ host We sugg...

Page 132: ...e window consists of a list of private IP addresses of all hosts in your LAN network Select one private IP address in the list to be the DMZ host When you have selected one private IP from the above dialog the IP address will be shown on the screen Click OK to save the setting DMZ Host for WAN2 WAN3 WAN4 or WAN5 is slightly different with WAN1 Active True IP selection is available for WAN1 only Se...

Page 133: ... Click this button and then a window will automatically pop up as depicted below The window consists of a list of private IP addresses of all hosts in your LAN network Select one private IP address in the list to be the DMZ host When you have selected one private IP from the above dialog the IP address will be shown on the screen Click OK to save the setting After finishing all the settings here p...

Page 134: ...ticular entry that you want to offer service in a local host You should click the appropriate index number to edit or clear the corresponding entry Comment Specify the name for the defined network service WAN Interface Display the WAN interface used by such index Aux WAN IP Display the IP alias setting used by such index If no IP alias setting exists such field will not appear Local IP Address Dis...

Page 135: ...t will be used for this entry This setting is available when WAN IP Alias is configured Private IP Enter the private IP address of the local host or click Choose PC to select one Choose IP Click this button and subsequently a window having a list of private IP addresses of local hosts will automatically pop up Select the appropriate IP address of the local host in the list Protocol Specify the tra...

Page 136: ...rt keeps the ports opened forever Once the OK button is clicked and the configuration has taken effect port triggering will only attempt to open the ports once the triggering conditions are met The duration that these ports are opened depends on the type of protocol used The default durations are shown below and these duration values can be modified via telnet commands TCP 86400 sec UDP 180 sec IG...

Page 137: ...ink to open the configuration page Available settings are explained as follows Item Description Enable Check to enable this entry Service Choose the predefined service to apply for such trigger profile Comment Type the text to memorize the application of this rule Triggering Protocol Select the protocol TCP UDP or TCP UDP for such triggering profile Triggering Port Type the port or port range for ...

Page 138: ...such triggering profile Incoming Port Type the port or port range for the incoming packets After finishing all the settings here please click OK to save the configuration ...

Page 139: ...pecified private IP address Schedule The Vigor router has a built in clock which can update itself manually or automatically by means of Network Time Protocols NTP As a result you can not only schedule the router to dialup to the Internet at a specified time but also restrict Internet access to certain hours so that users can connect to the Internet only during certain hours say bu...

Page 140: ...outer is NAT Traversal This enables applications inside the firewall to automatically open the ports that they need to pass through a router Wake on LAN A PC client on LAN can be woken up by the router it connects When a user wants to wake up a specified PC through the router he she must type correct MAC address of the specified PC on this web page of Wake on LAN WOL of this rout...

Page 141: ...ction Set to Factory Default Clear all profiles and recover to factory settings View Log Display DDNS log status Force Update Force the router updates its information to DDNS server Auto Update interval Set the time for the router to perform auto update for DDNS service Index Click the number below Index to access into the setting page of DDNS setup to set account s WAN Interface Display the WAN i...

Page 142: ...ype Select a service type Dynamic Custom or Static If you choose Custom you can modify the domain that is chosen in the Domain Name field Domain Name Type in one domain name that you applied previously Use the drop down list to choose the desired domain Login Name Type in the login name that you set for applying domain Password Type in the password that you set for applying domain Wildcard and Bac...

Page 143: ...tivate the settings You will see your setting has been saved Disable the Function and Clear all Dynamic DNS Accounts In the DDNS setup menu uncheck Enable Dynamic DNS Setup and push Clear All button to disable the function and clear all accounts from the router Delete a Dynamic...

Page 144: ...p FTP Mail or Web server inside LAN you can specify specific private IP address es to correspondent servers Thus even the remote PC is adopting public DNS as the DNS server the LAN DNS resolution on Vigor3220 Series will respond the specified private IP address Simply click Application LAN DNS to open the following page Each item is explained as follows Item Description Set to Factory Default Clea...

Page 145: ...m Description Enable Check this box to enable such profile Profile Type a name for such profile Note If you type a name here for LAN DNS and click OK to save the configuration the name also will be applied to conditional DNS forwarding automatically Domain Name Type the domain name for such profile CNAME Alias Domain Name CNAME is abbreviation of Canonical name record Such option is used to record...

Page 146: ...tings 4 If you need to configure LAN DNS settings click index 1 to edit the LAN DNS profile just created Or you can click index 2 to use this profile as conditional DNS forwarding Available settings are explained as follows Item Description Enable Check this box to enable such profile Profile Type a name for such profile Note If you type a name here for conditional DNS forwarding and click OK to s...

Page 148: ... are explained as follows Item Description Enable Check the box to enable the DNS security management Interface There are four WAN interfaces allowed to be set with DNS security enabled Primary DNS Display the IP address of primary DNS obtained from DHCP server or specified by Static WAN Secondary DNS Display the IP address of secondary DNS obtained from DHCP server or specified by Static WAN Bogu...

Page 149: ...ings are explained as follows Item Description Domain Type the domain name or IP address IPv4 IPv6 that you want to query Interface Specify the interface required for executing diagnose DNS Server Type the IP address of the DNS Server which will diagnose the domain specified above Diagnose Click it to perform the diagnosis for the domain Result The diagnosed information will be displayed on such f...

Page 150: ...clock to current time of your PC The clock will reset once if you power down or reset the router There is another way to set up time You can inquiry an NTP server a time server on the Internet to synchronize the router s clock This method can only be applied when the WAN connection has been built up Available settings are explained as follows Item Description Set to Factory Default Clear all profi...

Page 151: ...and Specify the connection to be dial on demand and the value of idle timeout should be specified in Idle Timeout field Disable Dial On Demand Specify the connection to be up when it has traffic on the line Once there is no traffic over idle timeout the connection will be down and never up again during the schedule Idle Timeout Specify the duration or period for the schedule How often Specify how ...

Page 152: ... that supports authentication authorization and accounting which is widely used by Internet service providers It is the most common method of authenticating and authorizing dial up and tunneled network users II-4-5-1 External RADIUS The built in RADIUS client feature enables the router to assist the remote dial in user or a wireless station and the RADIUS serv...

Page 153: ...ret you can set is 36 characters Confirm Shared Secret Re type the Shared Secret for confirmation After finished the above settings click OK button to save the settings II-4-5-2 Internal RADIUS Except for being a built in RADIUS client Vigor router also can be operated as a RADIUS server which performs security authentication by itself This page is used to con...

Page 154: ...an act as the AAA server Check the box to enable the function of authentication mechanism User Profile During the process of security authentication user account and user password will be required for identity authentication Before configuring such page create at least one user profile in User Management User Profile first Select All Click it to select all of the user profiles in Available List Cl...

Page 155: ...le TACACS feature Server IP Address Enter the IP address of TACACS server Destination Port The UDP port number that the TACACS server is using Shared Secret The TACACS server and client share a secret that is used to authenticate the messages sent between them Both sides must be configured to use the same shared secret Confirm Shared Secret Re type the Shared Secret for confirmation After finished...

Page 156: ...ablished by the work team of Internet Engineering Task Force IETF As the name described LDAP is designed as an effect way to access directory service without the complexity of other directory service protocols For LDAP is defined to perform inquire and modify the information within the directory and acquire the data in the directory securely therefore users can apply LDAP to search or list the dir...

Page 157: ...ty For the regular mode you ll need to type in the Regular DN and Regular Password Server Address Enter the IP address of LDAP server Destination Port Type a port number as the destination port for LDAP server Use SSL Check the box to use the port number specified for SSL Regular DN Type this setting if Regular Mode is selected as Bind Type Regular Password Specify a password if Regular Mode is se...

Page 158: ...dditional filter Base Distinguished Name Group Distinguished Name Type or edit the distinguished name used to look up entries on the LDAP server Sometimes you may forget the Distinguished Name since it s too long Then you may click the button to list all the account information on the AD LDAP Server to assist you finish the setup After finished the above settings click OK to save and exit this pag...

Page 159: ... Control Service or Connection Status Service Default WAN It is used to specify the WAN interface for applying such function The reminder as regards concern about Firewall and UPnP Can t work with Firewall Software Enabling firewall applications on your PC may cause the UPnP function not working properly This is because these applications will block the accessing ability of some network ports Secu...

Page 160: ...rt In addition such function is available in NAT mode Enable IGMP Snooping Check this box to enable this function Multicast traffic will be forwarded to ports that have members of that group Disabling IGMP snooping will make multicast traffic treated in the same manner as broadcast traffic Refresh Click this link to renew the working multicast group status Group ID This field displays the ID port ...

Page 161: ...lable settings are explained as follows Item Description Wake by Two types provide for you to wake up the binded IP If you choose Wake by MAC Address you have to type the correct MAC address of the host in MAC Address boxes If you choose Wake by IP Address you have to choose the correct IP address IP Address The IP addresses that have been configured in Firewall Bind IP to MAC will be shown in thi...

Page 162: ...what the content is and when the SMS will be sent Available settings are explained as follows Item Description Index Check the box to enable such profile SMS Provider Use the drop down list to choose SMS service provider You can click SMS Provider link to define the SMS server Recipient Type the phone number of the one who will receive the SMS Notify Use the drop down list to choose a message prof...

Page 163: ... SMS Mail Service Option If there is no object listed click Mail Service link to define a new one with specified service provider Recipient Type the e mail address of the one who will receive the notification message Notify Profile Use the drop down list to choose a message profile The recipient will get the content stated in the message profile You can click the Notify Profile link to define the ...

Page 164: ...on e g IP setting If the host and user s computer have the plug in bonjour driver install they can utilize the service offered by the router by clicking the router name icon In short what the Clients users need to know is the name of the router only To enable the Bonjour service click Application Bonjour to open the following page Check the box es of the server service s that you want to share to ...

Page 165: ...ur and DNSSD have been installed you can open the web page DNSSD and see the following results 3 Open System Maintenance Management Type a name e g Dray_2925 as the Router Name and click OK 4 Next open Applications Bonjour Check the service that you want to use via Bonjour ...

Page 166: ...le items will be changed as the follows It means the Vigor router based on Bonjour protocol is ready to be used as a printer server FTP server SSH Server Telnet Server and HTTP Server 6 Now any page or document can be printed out through Vigor router installed with a printer ...

Page 167: ...omponent the primary to the backup component the secondary This process remains system wide resources recovers partial of failed transactions and restores the system to normal within a few seconds To configure High Availability on at least two DrayTek routers Enable High Availability on the Primary and Secondary routers Set a high Priority ID number on the Primary router and lower numbers for the ...

Page 168: ...ndby Such method is suitable for a user which has one ISP account With such method All WANs of secondary routers will be shut down by HA function WAN settings of primary and secondary routers can be the same Note When Hot Standby is used the wireless LAN function on secondary router will be disabled directly Clients cannot connect to the secondary router any more Active Standby Such method is su...

Page 169: ...ss configured on LAN General Setup page in which LAN is determined by management interface Authentication Key Type a string as the authentication key maximum 31 characters allowed It is used for encrypting the DARP to prevent malicious attack Protocol Choose IPv4 or IPv6 Management Interface Such interface is used for DARP DrayTek Address Redundancy Protocol negotiation between routers Only the in...

Page 170: ...ption Enable Config Sync Max Sync to 10 routers Check this box to enable configuration synchronization To sync configuration from primary to secondary router both primary and secondary routers need to enable config sync Note that config sync can be enabled by Hot Standby redundancy method only Config Sync Interval Day Hour Minute Primary router will sync its configuration to secondary router based ...

Page 171: ...wn the secondary device could replace the primary role to take over all jobs as soon as possible However once the primary device is working again the secondary device would be changed to original role to stand by II 4 13 Local 802 1X General Setup Such page allows you to configure general settings for Local 802 1X server built in Vigor router A...

Page 172: ...ting for both Internal RADIUS and Local 802 1X synchronize for all of the user profiles User Management User Profile For example if Local 802 1x is configured as Enabled checked the Internal RADIUS will be configured as Enabled too If Local 802 1X is configured as Disabled unchecked the Internal RADIUS will be changed as Disabled too even if it is enabled previously OK Click it to save the setting...

Page 173: ...ss into the web user interface of the Vigor router 2 Open Applications Active Directory LDAP to get the following page for configuring LDAP related settings There are three types of bind type supported Simple Mode Just simply do the bind authentication without any search action Anonymous Perform a search action first with Anonymous account then do the bind authentication Regular Mode Mostly it is ...

Page 174: ...Vigor3220 Series User s Guide 162 and 4 Click OK to save the settings above 5 Open User Management General Setup Select User Based as the Mode option ...

Page 175: ...n VPN and Remote Access PPP General Setup to check the profile s that will be authenticated with LDAP server After above configurations users belong to either rd1 or shrd group can access Internet after inputting their credentials on LDAP server ...

Page 176: ...interface Specify Interface Through dedicated interface WAN LAN VPN the data can be sent from the source IP to the destination IP Address Mapping Allows you specify the outgoing WAN IP address es for an internal private IP address or a range of internal private IP addresses Priority The router will determine which policy will be adopted for transmitting the packet according to the priority of Stat...

Page 177: ...II 5 1 1 Static Route for IPv4 Available settings are explained as follows Item Description Index The number 1 to 30 under Index allows you to open next page to set up static route Destination Address Displays the destination address of the static route Status Displays the status of the static route Set to Factory Default Clear all of the settings and ...

Page 178: ...ernal Router B 192 168 1 3 have set Main Router 192 168 1 1 as the default gateway for the Router A 192 168 1 2 Before setting Static Route user A cannot talk to user B for Router A can only forward recognized packets to its default gateway Main Router 1 Go to LAN page and click General Setup select 1st Subnet as the RIP Protocol Control Then click the OK button Info There are two reasons that we ...

Page 179: ...t to enable this profile Destination IP Address Type an IP address as the destination of such static route Subnet Mask Type the subnet mask for such static route Network Interface Use the drop down list to specify an interface for such static route 3 Return to Static Route Setup page Click on another Index Number to add another static route as shown below which regulates all packets destined to 211...

Page 180: ...s Displays the destination address of the static route Status Displays the status of the static route Set to Factory Default Clear all of the settings and return to factory default settings Viewing IPv6 Routing Table Displays the routing table for your reference Click any underline of index number to get the following page Available settings are explained as follows Item Description Enable Click i...

Page 181: ... Administrator may also define a priority to this policy II 5 2 1 General Setup General Setup lists all the policies and shows whether the policy is enabled disabled what are the criteria to match and through which the interface should the traffic to go if the criteria are matched and also its priority Available settings are explained as follows Item Description I...

Page 182: ... settings of route policy To use Wizard Mode simply do the following steps 1 Click the Wizard Mode radio button 2 Click Index 1 The setting page will appear as follows Available settings are explained as follows Item Description Source IP Any Any IP can be treated as the source IP Src IP Start Type the source IP start for the specified WAN interface Src IP End Type the source IP end for the specif...

Page 183: ...the above criteria will be transferred to the interface chosen here 4 After specifying the interface click Next to get the following page Available settings are explained as follows Item Description Force NAT Force Routing It determines which mechanism that the router will use to forward the packet to WAN 5 After choosing the mechanism click Next to get the summary page for reference ...

Page 184: ...Vigor3220 Series User s Guide 172 6 If there is no error click Finish to complete wizard setting ...

Page 185: ...age Available settings are explained as follows Item Description Enable Check this box to enable this policy Comment Type a brief explanation for such profile Protocol Use the drop down menu to choose a proper protocol for the WAN interface Source IP Any Any IP can be treated as the source IP Src IP Start Type the source IP start for the specified WAN interface ...

Page 186: ...ateway is used only when you want to forward the packets to the desired gateway Usually Default Gateway is selected in default Priority Packets will be transmitted based on all routes or Route Policy Vigor router will determine which rule will be adopted for transmitting the packet according to the priority of Static Route and Route Policy The greater the value is the lower the priority is Default...

Page 187: ...s se e With the analysis done by such page possible path static route routing table or policy route of the packets sent out of the router can be traced or Available settings are explained as follows Item Description Mode Analyze how a packet will be sent Choose such mode to make Vigor router analyze how a single packet will be sent by a route policy ...

Page 188: ...cify the destination port Analyze Click it to perform the job of analyzing The analyzed result will be shown on the page If required click export analysis to export the result as a file Input File Select Click the download link to get a blank example file Then click such button to select that blank csv file for saving the result of analysis Analyze Click it to perform the job of analyzing The anal...

Page 189: ...evised later Example 1 In the following figure a LAN to LAN VPN tunnel is built between DrayTek VPN router e g Vigor3220 Series and the remote router Firewall Router can receive all of the traffic coming from remote PC which wants to access into Internet and send back the packets to Remote Router through VPN Router 1 Establish a VPN tunnel between VPN Router and the Remote Router 2 Change to defau...

Page 190: ...t value is fixed as 250 And Routes in Routing Table are fixed as 150 You can adjust the value for such route policy with lower value e g 100 to ensure it will be applied to packets transmission with the highest priority 5 After finished the above settings click OK to save the configuration 6 To route the packets coming from the Firewall Router back to the remote router access into the web user int...

Page 191: ...rnet censorship circumvention A VPN tunnel has been established between Router A and router B 1 Access into the web user interface of Router A 2 Open Load Balance Route Policy 3 Click any index number e g 1 in this case 4 In the following web page check Enable type 192 168 1 10 as Src IP Range type 213 57 89 100 as the Destination IP for the remote VPN server and choose VPN as the Interface settin...

Page 192: ... which IP or mapping is decided by the internal load balancing algorithm With address mapping feature you can manually configure any host mapping to any WAN interface to fit the request In the above example you can configure NAT Host 1 to always map to 202 211 100 10 WAN1 Host 2 to always map to 202 211 100 11 WAN1 alias Host 3 always map to 203 98 200 10 WAN2 and Group 1 to always map to 202 211 ...

Page 193: ... of WAN 1 to open the following page From the above figure set main WAN IP address as 202 211 100 10 Click the WAN IP Alias button to configure the other IP address which is 202 211 100 11 Make sure Join IP NAT Pool is not checked Click OK to save the settings ...

Page 194: ...es User s Guide 182 4 After finished configuration for WAN1 open Load Balance Route Policy 5 Click Index number 1 and 2 to configure the details After finished the settings click OK to save the settings respectively ...

Page 195: ...s User s Guide 183 And 6 Upon completing the above configuration you have specified the outgoing IP address es for some specific computers Now you bind some specific computers to some WAN IP alias for outgoing traffic ...

Page 196: ... ts s The following figure shows a simple application of load balance WAN1 and WAN2 can be used to access into Internet The PC in LAN1 can send the data to the remote PC through the specified WAN1 1 Access into web user interface of Vigor3220 Series Open Load Balance Route Policy 2 From the following web page simply click index number 1 ...

Page 197: ...st IP Start and Dest IP End with 203 65 1 35 and 203 65 1 35 choose WAN1 as the Interface click default gateway 4 After finished the above settings click OK to save the configuration Now the packets sent to the remote PC IP address 203 65 1 35 will be forced to pass through WAN1 ...

Page 199: ...r s Guide III 187 Part III Wireless LAN Wireless LAN enables high mobility so WLAN users can simultaneously access all LAN facilities just like on a wired LAN as well as Internet access ...

Page 200: ...wired LAN as well as Internet access Vigor3220 wireless router is a highly integrated wireless local area network WLAN for 2 4 GHz 802 11n WLAN applications Vigor3220 n series router supports 802 11n up to 300 Mbps for 40 MHz channel operations Info The actual data throughput will vary according to the network conditions and environmental factors including volume of network traffic network overhea...

Page 201: ...u may consider using WPA for the most secure connection You should select the appropriate security mechanism according to your needs No matter which security suite you select they all will enhance the over the air data protection and or privacy on your wireless network The Vigor wireless router is very flexible and can support multiple secure connections with both WEP and WPA at the same time Info...

Page 202: ... Series User s Guide 190 WPS WPS Wi Fi Protected Setup provides easy procedure to make network connection between wireless station and wireless access point vigor router with the encryption of WPA and WPA2 ...

Page 203: ... screen of wireless wizard will be shown as follows This page will be used for internal users in a company or your home Available settings are explained as follows Item Description Name Type the SSID name of this router for wireless 2 4GHz The default name is defined with DrayTek Change the name if required Mode At present the router can connect to 11b Only 11g Only 11n Only 2 4 GHz Mixed 11b 11g ...

Page 204: ...e wireless station guest accessing into Internet but not being allowed to share the LAN network and VPN connection Available settings are explained as follows Item Description Enable Disable Click it to enable or disable settings in this page SSID Type the SSID name of this router SSID1 Security Key The wireless mode offered by this wizard is WPA2 PSK The WPA encrypts each frame transmitted from t...

Page 205: ...ext setting page Cancel Exit the wireless wizard without saving any changes 4 After typing the required information click Next 5 The following page will display the configuration summary for wireless setting 6 Click Finish to complete the wireless settings configuration ...

Page 206: ...ltaneously Simply choose Mixed 11b 11g 11n mode Channel Means the channel of frequency of the wireless LAN The default channel is 6 You may switch channel if the selected channel is under serious interference If you have no idea of choosing the frequency please select Auto to let system determine for you Hide SSID Check it to prevent from wireless sniffing and make it harder for unauthorized clien...

Page 207: ...cessing for each other VPN Check this box to make the wireless clients stations with different VPN not accessing for each other Schedule Set the wireless LAN to work at certain time interval only You may choose up to 4 schedules out of the 15 schedules pre defined in Applications Schedule setup The default setting of this field is blank and the function will always work After finishing all the set...

Page 208: ... to save and invoke it The password PSK of default security mode is provided and stated on the label pasted on the bottom of the router For the wireless client who wants to access into Internet through such router please input the default PSK value for connection By clicking the Security Settings a new web page will appear so that you could configure the settings of WPA and WEP Available settings ...

Page 209: ...cryption key should be entered in PSK Mixed WPA WPA2 PSK Accepts WPA and WPA2 clients simultaneously and the encryption key should be entered in PSK WPA The WPA encrypts each frame transmitted from the radio using the key which either PSK Pre Shared Key entered manually in this field below or automatically negotiated via 802 1x authentication Either 8 63 ASCII characters such as 012345678 or 64 He...

Page 210: ...c Address Filter Select to enable the MAC Address filter for wireless LAN identified with SSID 1 to 4 respectively All the clients expressed by MAC addresses listed in the box can be grouped under different wireless LAN For example they can be grouped under SSID 1 and SSID 2 at the same time if you check SSID 1 and SSID 2 MAC Address Filter Display all MAC addresses that are edited before Client s...

Page 211: ...ireless station and wireless access point vigor router with the encryption of WPA and WPA2 Info WPS is available for the wireless station with WPS supported It is the simplest way to build connection between wireless network clients and vigor router Users do not need to select any encryption mode and type any long encryption passphrase to setup a wireless client every time He she only needs to pre...

Page 212: ...art PBC button of network card If you want to use PIN code you have to know the PIN code specified in wireless client Then provide the PIN code of the wireless client you wish to connect to the vigor router For WPS is supported in WPA PSK or WPA2 PSK mode if you do not choose such mode in Wireless LAN Security you will see the following message box Please click OK and go back Wireless LAN Security...

Page 213: ... mode of the router Only WPA2 PSK and WPA PSK support WPS Configure via Push Button Click Start PBC to invoke Push Button style WPS setup procedure The router will wait for WPS requests from wireless clients about two minutes The WPS LED on the router will blink fast when WPS is in progress It will return to normal condition after two minutes You need to setup WPS within two minutes Configure via ...

Page 214: ...bridge interface The application for the WDS Repeater mode is depicted as below The major difference between these two modes is that while in Repeater mode the packets received from one peer AP can be repeated to another peer AP through WDS links Yet in Bridge mode packets received from a WDS link will only be forwarded to local wired or wireless hosts In other words only Repeater mode can do WDS ...

Page 215: ...e following page will be shown Available settings are explained as follows Item Description Mode Choose the mode for WDS setting Disable mode will not invoke any WDS setting Bridge mode is designed to fulfill the first type of application Repeater mode is for the second one ...

Page 216: ...g mode please type in the peer MAC address in these fields Four peer MAC addresses are allowed to be entered in this page at one time Yet please disable the unused link to get better performance If you want to invoke the peer MAC address remember to check Enable box in the front of the MAC address after typing Repeater If you choose Repeater as the connecting mode please type in the peer MAC addre...

Page 217: ...tection mechanism to avoid the conflict with neighboring devices of 802 11a b g Channel Bandwidth 20 the router will use 20Mhz for data transmission and receiving between the AP and the stations 20 40 the router will use 20Mhz or 40Mhz for data transmission and receiving according to the station capability Such channel can increase the performance for data transit 20 40 80 the router will use 20Mh...

Page 218: ...ust support this feature and invoke the function too Note Vigor N61 wireless adapter supports this function Therefore you can use and install it into your PC for matching with Packet OVERDRIVE refer to the following picture of Vigor N61 wireless utility window choose Enable for TxBURST on the tab of Option Info means the real transmission rate depends on the environment of the network Antenna Vigo...

Page 219: ...o not modify default value if you don t know what it is default value is 2347 Country Code Vigor router broadcasts country codes by following the 802 11d standard However some wireless stations will detect scan the country code to prevent conflict occurred If conflict is detected wireless station will be warned and is unable to make network connection Therefore changing the country code to ensure ...

Page 220: ...e of the APs on the wireless LAN Yet only the AP which is in the same channel of this router can be found Please click Scan to discover all the connected APs Available settings are explained as follows Item Description Scan It is used to discover all the connected AP The results will be shown on the box above this button Statistics It displays the statistics for the channels used by APs Add to If ...

Page 221: ...ng with its status code There is a code summary below for explanation For convenient Access Control you can select a WLAN station and click Add to Access Control below Available settings are explained as follows Item Description Refresh Click this button to refresh the status of station list Add Click this button to add current typed MAC address into Access Control ...

Page 222: ...and will not occupy the wireless network for a long time Available settings are explained as follows Item Description SSID Display the SSID that the wireless station will use it to connect with Vigor router Enable Check the box to enable the station control function Connection Time Reconnection Time Use the drop down list to choose the duration for the wireless client connecting reconnecting to Vi...

Page 223: ...limit is determined according to the limitation of the wireless client Total Upload Limit It is available when Auto Adjustment is selected Type a value to define the maximum data traffic uploading for all of the wireless clients connecting to Vigor3220 Total Download Limit It is available when Auto Adjustment is selected Type a value to define the maximum data clientstations connecting to Vigor322...

Page 225: ... a manner that emulates the properties of a point to point private link It is a form of VPN that can be used with a standard Web browser A digital certificate works as an electronic ID which is issued by a certification authority CA It contains information such as your name a serial number expiration dates etc and the digital signature of the certificate issuing authority so that a recipient can v...

Page 226: ...the Internet In short by VPN technology you can send data between two computers across a shared or public network in a manner that emulates the properties of a point to point private link The VPN built is suitable for Communication between home office and customer Secure connection between Teleworker staff on business trip and main office Exchange data between remote office and main office POS bet...

Page 227: ...for VPN dial out connection from server to client step by step 1 Open Wizards VPN Client Wizard The following page will appear Available settings are explained as follows Item Description LAN to LAN Client Mode Selection Choose the client mode Route Mode NAT Mode If the remote network only allows you to dial in with single IP please choose NAT mode otherwise please choose Route Mode Please choose ...

Page 228: ...pes provided here Different type will lead to different configuration page After making the choices for the client profile please click Next You will see different configurations based on the selection s you made Info The following descriptions for VPN Type are based on the Route Mode specified in LAN to LAN Client Mode Selection When you choose PPTP None Encryption or PPTP Encryption you will see...

Page 229: ...Vigor3220 Series User s Guide 217 When you choose IPsec you will see the following graphic When you choose L2TP you will see the following graphic ...

Page 230: ... see the following graphic When you choose SSL you will see the following graphic Available settings are explained as follows Item Description Profile Name Type a name for such profile The length of the file is limited to 10 characters VPN Dial Out Through Use the drop down menu to choose a proper WAN interface ...

Page 231: ...nfirm the pre shared key Digital Signature X 509 Click Digital Signature to invoke this function Peer ID Choose the peer ID selection from the drop down list Local ID Choose Alternative Subject Name First or Subject Name First Local Certificate Use the drop down list to choose one of the certificates for using You have to configure one certificate at least previously in Certificate Management Loca...

Page 232: ...ailable settings are explained as follows Item Description Go to the VPN Connection Management Click this radio button to access VPN and Remote Access Connection Management for viewing VPN Connection status Do another VPN Server Wizard Setup Click this radio button to set another profile of VPN Server through VPN Server Wizard View more detailed configuration Click this radio button to access VPN ...

Page 233: ...o Site VPN Remote Dial in User You can manage remote access by maintaining a table of remote user profile so that users can be authenticated to dial in via VPN connection Please choose a LAN to LAN Profile This item is available when you choose Site to Site VPN LAN to LAN as VPN server mode There are 32 VPN profiles for users to set Please choose a Dial in User Accounts This item is available when...

Page 234: ...hanged according to the VPN Server Mode Site to Site VPN and Remote Dial in User selected 2 After making the choices for the server profile please click Next You will see different configurations based on the selection you made Here we take the examples of choosing Site to Site VPN as the VPN Server Mode When you check PPTP you will see the following graphic ...

Page 235: ... name is limited to 11 characters Pre Shared Key For IPsec L2TP IPsec authentication you have to type a pre shared key The length of the name is limited to 64 characters Confirm Pre Shared Key Type the pre shared key again for confirmation Digital Signature X 509 Check the box of Digital Signature to invoke this function Peer ID Choose the peer ID selection from the drop down list Local ID Choose ...

Page 236: ...execute the next action Available settings are explained as follows Item Description Go to the VPN Connection Management Click this radio button to access VPN and Remote Access Connection Management for viewing VPN Connection status Do another VPN Server Wizard Setup Click this radio button to set another profile of VPN Server through VPN Server Wizard View more detailed configuration Click this r...

Page 237: ... the necessary VPN service as you need If you intend to run a VPN server inside your LAN you should disable the VPN service of Vigor Router to allow VPN tunnel pass through as well as the appropriate NAT settings such as DMZ or open port After finishing all the settings here please click OK to save the configuration ...

Page 238: ...ion MPPE Optional MPPE This option represents that the MPPE encryption method will be optionally employed in the router for the remote dial in user If the remote dial in user does not support the MPPE encryption algorithm the router will transmit no MPPE encrypted packets Otherwise the MPPE encryption scheme will be used to encrypt the data Require MPPE 40 128bits Selecting this option will force ...

Page 239: ...e password is limited to 23 19 characters Assigned IP Start Enter a start IP address for the dial in PPP connection You should choose an IP address from the local private network For example if the local private network is 192 168 1 0 255 255 255 0 you could choose 192 168 1 200 as the Start IP Address You can configure up to four start IP addresses for LAN1 LAN6 PPP Authentication Methods Select ...

Page 240: ... the data payload only It can just apply to local packet e g L2TP over IPsec The Tunnel mode will not only add the AH ESP payload but also use a new IP header Tunneled IP header to encapsulate the whole original IP packet Authentication Header AH provides data authentication and integrity for IP packets passed between VPN peers This is achieved by a keyed one way hash function to the packet to cre...

Page 241: ...apsulating Security Payload ESP means payload data will be encrypted and authenticated You may select encryption algorithm from Data Encryption Standard DES Triple DES 3DES and AES After finishing all the settings here please click OK to save the configuration IV 1 6 IPsec Peer Identity To use digital certificate for peer authentication in either LAN to LA...

Page 242: ...e this account Check it to enable such account profile Accept Any Peer ID Click to accept any peer regardless of its identity Accept Subject Alternative Name Click to check one specific field of digital signature to accept the peer with matching value The field can be IP Address Domain or E mail Address The box under the Type will appear according to the type you select and ask you to fill in corr...

Page 243: ...ilt in RADIUS client function The following figure shows the summary table Available settings are explained as follows Item Description Set to Factory Default Click to clear all indexes View All Click it to display the all of the user accounts Online Click it to display the online user accounts Offline Click it to display the offline user accounts Index Click the number below Index to access into ...

Page 244: ...dial in user to make a PPTP VPN connection through the Internet You should set the User Name and Password of remote dial in user below IPsec Tunnel Allow the remote dial in user to make an IPsec VPN connection through Internet L2TP with IPsec Policy Allow the remote dial in user to make a L2TP VPN connection through the Internet You can select to use L2TP alone or with IPsec Select from below None...

Page 245: ... authentication with mOTP function PIN Code Type the code for authentication e g 1234 Secret Use the 32 digit secret number generated by mOTP in the mobile phone e g e759bb6f0e94c7ab4fe6 Subnet Choose one of the subnet selections for such VPN profile Assign Static IP Address Please type a static IP address for the subnet you specified IKE Authentication Method This group of fields is applicable for...

Page 246: ... to LAN Here you can manage LAN to LAN connections by maintaining a table of connection profiles You may set parameters including specified connection direction dial in or dial out connection peer ID connection type VPN connection including PPTP IPsec Tunnel and L2TP by itself or over IPsec and corresponding security methods etc The following figure shows the summary table according to the...

Page 247: ...LAN profile The symbol represents that the profile is empty Active V means the profile has been enabled X means the profile has not been enabled Status Indicate the status of individual profiles The symbol V and X represent the profile to be active and inactive respectively To edit each profile 1 Click each index to edit each profile and you will get the following page Each LAN to LAN profile incl...

Page 248: ...ful for dial out only WAN1 First WAN2 First WAN3 First WAN4 First WAN5 First While connecting the router will use WAN1 WAN2 WAN3 WAN4 as the first channel for VPN connection If WAN1 WAN2 WAN3 WAN4 WAN5 fails the router will use another WAN interface instead WAN1 Only WAN2 Only WAN3 Only WAN4 Only WAN5 Only While connecting the router will use WAN1 WAN2 WAN3 WAN4 WAN5 as the only channel for VPN co...

Page 249: ... in the case of abnormal VPN IPsec tunnel disruption For details please refer to the note below Check to enable the transmission of PING packets to a specified IP address Enable PING to keep alive is used to handle abnormal IPsec VPN connection disruption It will help to provide the state of a VPN connection for router s judgment of redial Normally if any one of VPN peers wants to disconnect the c...

Page 250: ...sec Tunnels and L2TP with IPsec Policy Pre Shared Key Input 1 63 characters as pre shared key Digital Signature X 509 Select one predefined Profiles set in the VPN and Remote Access IPsec Peer Identity Peer ID Select one of the predefined Profiles set in VPN and Remote Access IPsec Peer Identity Local ID Specify a local ID Alternative Subject Name First or Subject Name First to be used for Dial in...

Page 251: ...emes IKE phase 2 proposal To propose the local available algorithms to the VPN peers and get its feedback to find a match Three combinations are available for both modes We suggest you select the combination that covers the most algorithms IKE phase 1 key lifetime For security reason the lifetime of key should be defined The default value is 28800 seconds You may specify a value in between 900 and...

Page 252: ...ion through Internet L2TP with IPsec Policy Allow the remote dial in user to make a L2TP VPN connection through the Internet You can select to use L2TP alone or with IPsec Select from below None Do not apply the IPsec policy Accordingly the VPN connection employed the L2TP without IPsec policy can be viewed as one pure L2TP connection Nice to Have Apply the IPsec policy first if it is applicable d...

Page 253: ...P address of the remote node Pre Shared Key Check the box of Pre Shared Key to invoke this function and type in the required characters 1 63 as the pre shared key Digital Signature X 509 Check the box of Digital Signature to invoke this function and select one predefined Profiles set in the VPN and Remote Access IPsec Peer Identity Local ID Specify which one will be inspected first Alternative Sub...

Page 254: ... value if you do not select PPTP or L2TP Remote Gateway IP This field is only applicable when you select PPTP or L2TP with or without IPsec policy above The default value is 0.0.0.0 which means the Vigor router will get a remote Gateway PPP IP address from the remote router during the IPCP negotiation phase If the PPP IP address is fixed by remote side specify the fixed IP address here Do not chan...

Page 255: ...block sessions which are not coming from the IP address defined in the Virtual IP Mapping list After checking the box of IPSec VPN with the Same subnet the options under TCP IP Network Settings will be changed as shown below Remote Network IP Remote Network Mask Add a static route to direct all traffic destined to this Remote Network IP Address Remote Network Mask through the VPN connection For IP...

Page 256: ...wo types for you to choose Whole Subnet Specific IP Address Virtual IP Mapping A pop up dialog will appear for you to specify the local IP address and the mapping virtual IP address 2 After finishing all the settings here please click OK to save the configuration ...

Page 257: ...be activated when initial connection of single VPN tunnel is off line Before setting VPN TRUNK VPN Backup mechanism backup profile please configure at least two sets of LAN to LAN profiles with fully configured dial out settings first otherwise you will not have selections for grouping Member1 and Member2 Features of VPN TRUNK VPN Load Bala...

Page 258: ...VPN Backup mechanism profile Member1 Display the dial out profile selected from the Member1 drop down list below Active Yes means normal condition No means the state might be disabled or that profile currently is set with Dial in mode for call direction in LAN to LAN Type Display the connection type for that profile such as IPsec PPTP L2TP L2TP over IPsec NICE L2TP over IPsec MUST and so on Member...

Page 259: ...ile Member1 Display the dial out profile selected from the Member1 drop down list below Active Yes means normal condition No means the state might be disabled or that profile currently is set with Dial in mode for call direction in LAN to LAN Type Display the connection type for that profile such as IPsec PPTP L2TP L2TP over IPsec NICE L2TP over IPsec MUST and so on Member2 Display the dial out pr...

Page 260: ...e Status Enable or Disable profile name member1 or member2 Delete Click this button to delete the selected VPN TRUNK profile The corresponding members LAN to LAN profiles grouped in the deleted VPN TRUNK profile will be released and those profiles in LAN to LAN will be displayed in black Time for activating VPN TRUNK VPN Backup m...

Page 261: ... one of the LAN to LAN profiles from Member1 drop down list choose one of the LAN to LAN profiles from Member2 drop down list and click Add at last 4 Take a look for LAN to LAN profiles Index 1 is chosen as Member1 index 2 is chosen as Member2 For such reason LAN to LAN profiles of 1 and 2 will be expressed in red to indicate that they are fixed If you delete the VPN TRUNK VPN Backup Load Balance ...

Page 262: ...ver 192.168.50.200 in the field of Peer GRE IP Advanced Load Balance and Backup After setting profiles for load balance you can choose any one of them and click Advance for more detailed configuration The windows for advanced load balance and backup are different Refer to the following explanation ...

Page 263: ... rate It can be divided into Auto Weighted and According to Speed Ratio Auto Weighted can detect the device speed 10Mbps 100Mbps and switch with fixed value ratio 3 7 for packet transmission If the transmission rate for packets on both sides of the tunnels is the same the value of Auto Weighted should be 50 50 According to Speed Ratio allows user to adjust suitable rate manually There are 100 grou...

Page 264: ...such binding tunnel table can be established UDP means when the source IP destination IP destination port and fragment conditions match with the settings specified here and UDP Service Port also fits the number here such binding tunnel table can be established TCP UDP means when the source IP destination IP destination port and fragment conditions match with the settings specified here and TCP UDP...

Page 265: ... ICMP or Other as Binding Protocol Advanced Backup Available settings are explained as follows Item Description Profile Name List the backup profile name ERD Mode ERD means Environment Recovers Detection Normal choose this mode to make all dial out VPN TRUNK backup profiles being activated alternatively Resume when VPN connection breaks down or disconnects ...

Page 266: ...ction by clicking Drop button You may also aggressively Dial out by using Dial out Tool and clicking Dial button Available settings are explained as follows Item Description Dial out Tool General Mode This field displays the profile configured in LAN to LAN with Index number and VPN Server IP address The VPN connection built by General Mode does not support VPN backup function Backup Mode This fil...

Page 267: ... Dial Click this button to execute dial out function Refresh Seconds Choose the time for refresh the dial information among 5 10 and 30 Refresh Click this button to refresh the whole connection status ...

Page 268: ...ffice 1 Log into the web user interface of Vigor router 2 Open VPN and Remote Access LAN to LAN to create a LAN to LAN profile The following settings are for a permanent VPN connection 3 Click any index number to open the configuration page Type a name which is easy for identification for such profile in this case type VPN Server and check the box of Enable This Profile For Vigor router wi...

Page 269: ... set the PSK and select Medium AH or High ESP as the security method 5 Continue to navigate to the TCP IP Network Settings for setting the LAN IP for remote side 6 Click OK to save the settings 7 Open VPN and Remote Access Connection Management to check the dial in connection status from branch office ...

Page 270: ...cess LAN to LAN to create a LAN to LAN profile The following settings are for a permanent VPN connection 3 Click any index number to open the configuration page Type a name which is easy for identification for such profile in this case type VPN Client and check the box of Enable This Profile For such Vigor router will be set as a client the call direction shall be set as Dial out Check the box of ...

Page 271: ...service and type the remote server IP host name e g 218.242.133.91 in this case Press the IKE Pre Shared Key button to set the PSK and select Medium AH or High ESP as the security method 5 Continue to navigate to the TCP IP Network Settings for setting the LAN IP for the remote side 6 Click OK to save the settings ...

Page 272: ...7 Open VPN and Remote Access Connection Management to check the dial in connection status from head office ...

Page 273: ... network is a form of VPN that can be used with a standard Web browser There are two benefits that SSL VPN provides It is not necessary for users to preinstall VPN client software for executing SSL VPN connection There are less restrictions for the data encrypted through SSL VPN in comparing with traditional VPN ...

Page 274: ...r It will not affect the HTTPS Port configuration set in System Maintenance Management In general the default setting is 443 Server Certificate When the client does not set any certificate default certificate will be used for HTTPS and SSL VPN server Choose any one of the user defined certificates from the drop down list if users set several certificates previously Otherwise choose Self signed to ...

Page 275: ...e Display the name of the profile that you create URL Display the URL Active Display current status active or inactive of such profile Click number link under Index field to set detailed configuration Available settings are explained as follows Item Description Name Type name of the profile The length of the name is limited to 15 characters URL Type the address function variation or IP address or ...

Page 276: ...web page will disappear Secured Port Redirection Such technique applies private port mapping to random WAN port There are two restrictions for proxy web server for such selection 1 it is only used for WAN to LAN access the web server must be configured behind vigor router 2 web server gateway must be indicated to vigor router In addition users must execute Connect manually in SSL Client Portal pag...

Page 277: ...iption Name Display the application name of the profile that you create Host Address Display the IP address for VNC RDP or SAMBA path Service Display the type of the service selected e g VNC RDP SAMBA Active Display current status active or inactive of the selected profile To create a new SSL application profile 1 Click number link under Index field to set detailed configuration 2 The following pa...

Page 278: ...PC through RDP protocol IP Address If you choose VNC or RDP you have to type the IP address for this protocol Port If you choose VNC or RDP you have to specify the port used for this protocol The default setting is 5900 Idle Timeout If you choose VNC you have to specify the time for disconnecting the SSL VPN tunnel Scaling If you choose VNC you have to choose the percentage 100 80 60 for such appl...

Page 279: ... guest network or web cafe The SSL technology is the same as the encryption that you use for secure web sites such as your online bank The SSL VPN can be operated in either full tunnel mode or proxy mode Now Vigor3220 Series allows up to 16 simultaneous incoming users For SSL VPN identity authentication and power management are implemented through deploying user accounts Therefore the user account...

Page 280: ...The length of the name password is limited to 19 characters Enable Mobile One Time Passwords mOTP Check this box to make the authentication with mOTP function PIN Code Type the code for authentication e g 1234 Secret Use the 32 digit secret number generated by mOTP in the mobile phone e g e759bb6f0e94c7ab4fe6 Allowed Dial In Type PPTP Allow the remote dial in user to make a PPTP VPN connection thr...

Page 281: ...el Multicast via VPN Some programs might send multicast packets via VPN connection Pass Click this button to let multicast packets pass through the router Block This is default setting Click this button to let multicast packets be blocked by the router Subnet Chose one of the subnet selections for such VPN profile Assign Static IP Address Please type a static IP address for the subnet you specifie...

Page 282: ...ryption algorithm from Data Encryption Standard DES Triple DES 3DES and AES Local ID Specify a local ID to be used for Dial in setting in the LAN to LAN Profile setup This item is optional and can be used only in IKE aggressive mode After finishing all the settings here please click OK to save the configuration ...

Page 283: ...h profiles will be used by applications such as User Management VPN and etc Each item is explained as follows Item Description Set to Factory Default Click to clear all indexes Index Display the number of the client which connecting to FTP server Name Display the name of the group profile Click any index number link to open the following page for detailed configuration ...

Page 284: ...ss Remote Dial In User The enabled profiles will be listed in the Available User Account on the left box To add a profile into a group simply choose the one from the left box and click the button It will be displayed in the Selected User Account on the right box For detailed information about configuring the profile setting refer to Objects Setting IP Group RADIUS The RADIUS server will do the aut...

Page 285: ...cess into DrayTek SSL VPN portal interface Next users can open SSL VPN Online Status to view logging status of SSL VPN Available settings are explained as follows Item Description Active User Display current user who visits SSL VPN server Host IP Display the IP address for the host Time out Display the time remaining for logging out Action You can click Drop to drop certain login user from the rou...

Page 286: ...igor router support digital certificates conforming to standard X 509 Any entity wants to utilize digital certificates should first request a certificate issued by a CA server It should also retrieve certificates of other trusted CA servers so it can authenticate the peer with certificates issued by those trusted CA servers Here you can manage generate and manage the local digital certificates and...

Page 287: ...o import a saved file as the certification information Refresh Click this button to refresh the information listed below View Click this button to view the detailed settings for certificate request Delete Click this button to delete selected name with certification information GENERATE Click this button to open Generate Certificate Signing Request window Type in all the information...

Page 288: ... T Vigor router allows you to generate a certificate request and submit it the CA server then import it as Local Certificate If you have already gotten a certificate from a third party you may import it directly The supported types are PKCS12 Certificate and Certificate with a private key Click this button to import a saved file as the certification information There are three types of local certi...

Page 289: ...n as OK Upload PKCS12 Certificate It allows users to import the certificate whose extensions are usually pfx or p12 And these certificates usually need passwords Note PKCS12 is a standard for storing private keys and certificates securely It is used in among other things Netscape and Microsoft Internet Explorer with their import and export options Upload Certificate and Private Key It is useful wh...

Page 290: ...ttings for certificate request Info You have to copy the certificate request information from above window Next access your CA server and enter the page of certificate request copy the information into it and submit a request A new certificate will be issued to you by the CA server You can save it Delete Click this button to remove the selected certificate ...

Page 291: ... certificate authority Root CA will be used to authenticate the digital certificates offered by both ends However the procedure of applying digital certificate from a trusted root certificate authority is complicated and time consuming Therefore Vigor router offers a mechanism which allows you to generate root CA to save time and provide convenience for general user Later such root CA generated by...

Page 292: ...n click GENERATE again Importing a Trusted CA To import a pre saved trusted CA certificate please click IMPORT to open the following window Use Browse to find out the saved text file Then click Import The one you imported will be listed on the Trusted CA Certificate window For viewing each trusted CA certificate click View to open the certificate detail inform...

Page 293: ...tificate for this router can be saved within one file Please click Backup on the following screen to save them If you want to set encryption password for these certificates please type characters in both fields of Encrypt password and Confirm password Also you can use Restore to retrieve these two settings to the router whenever you want ...

Page 295: ...ty has been always the most concerned The firewall of the Vigor router helps to protect your local network against attack from unauthorized outsiders It also restricts users in the local network from accessing the Internet CSM is an abbreviation of Central Security Management which is used to control IM P2P usage filter the web content and URL content to reach a goal of security management ...

Page 296: ...es unsolicited incoming data Selectable Denial of Service DoS Distributed DoS DDoS attacks protection IP Filters Depending on whether there is an existing Internet connection or in other words the WAN link status is up or down the IP filter architecture categorizes traffic into two Call Filter and Data Filter Call Filter When there is no existing Internet connection Call Filter i...

Page 297: ...exhaust all your system s resource while the vulnerability attacks will try to paralyze the system by offending the vulnerabilities of the protocol or operation system The DoS Defense function enables the Vigor router to inspect every incoming packet based on the attack signature database Any malicious packet that might duplicate itself to paralyze the host in the secure LAN will be strictly block...

Page 298: ...o here you assign the Start Filter Set only Also you can configure the Log Flag settings Apply IP filter to VPN incoming packets and Accept incoming fragmented UDP packets Click Firewall and click General Setup to open the general setup page General Setup Page Such page allows you to enable disable Call Filter and Data Filter determine general rule for filtering the...

Page 299: ...rity checking for data transmission Such feature is enabled in default All the packets while transmitting through Vigor router will be filtered by firewall If the firewall system e g content filter server does not make any response pass or block for these packets then the router s firewall will block the packets directly Block routing packet from WAN Usually IPv6 network sessions traffic from WAN ...

Page 300: ... QoS please refer to the related section later User Management Such item is available only when Rule Based is selected in User Management General Setup The general firewall rule will be applied to the user user group all users specified here Note When there is no user profile or group profile existed Create New User or Create New Group item will appear for you to click to create a new one APP Enfo...

Page 301: ...ile For troubleshooting needs you can specify to record information for Web Content Filter by checking the Log box It will be sent to Syslog server Please refer to section Syslog Mail Alert for more detailed information DNS Filter Select one of the DNS Filter profile settings created in CSM DNS Filter for applying with this router Please set at least one profile in CSM Web Content Filter web page ...

Page 302: ...he more the value is the better the performance will be However if the network is not stable small value will be proper Session timeout Setting timeout for sessions can make the best utilization of network resources After finishing all the settings here please click OK to save the configuration ...

Page 303: ...s Item Description Filter Rule Click a button numbered 1 7 to edit the filter rule Click the button will open Edit Filter Rule web page For the detailed information refer to the following page Active Enable or disable the filter rule Comment Enter filter set comments description Maximum length is 23 character long Move Up Down Use Up or Down link to move the order of the filter rules Next Filter S...

Page 304: ...defined in Applications Schedule setup The default setting of this field is blank and the function will always work Clear sessions when schedule ON Check this box to clear the sessions when the above schedule profiles are applied Direction Set the direction of packet flow It is for Data Filter only For the Call Filter this setting is not available since Call Filter is only applied to outgoing traf...

Page 305: ... Object drop down list to choose the object that you want Service Type Click Edit to access into the following dialog to choose a suitable service type To set the service type manually please choose User defined as the Service Type and type them in this dialog In addition if you want to use the service type from defined groups or objects please choose Group and Objects as the Service Type Protocol...

Page 306: ...dropped immediately Pass Immediately Packets matching the rule will be passed immediately Block If No Further Match A packet matching the rule and that does not match further rules will be dropped Pass If No Further Match A packet matching the rule and that does not match further rules will be passed through Branch to other Filter Set If the packet matches the filter rule the next filter rule will...

Page 307: ... for choosing in CSM URL Content Filter web page first Or choose Create New from the drop down list in this page to create a new profile For troubleshooting needs you can specify to record information for URL Content Filter by checking the Log box It will be sent to Syslog server Please refer to section Syslog Mail Alert for more detailed information Web Content Filter Select one of the Web Conten...

Page 308: ...e codepage please open Syslog From Codepage Information of Setup dialog you will see the recommended codepage listed on the dialog box Window size It determines the size of TCP protocol 0 65535 The more the value is the better the performance will be However if the network is not stable small value will be proper Session timeout Setting timeout for sessions can make the best utilization of network...

Page 309: ...hecking is not enabled then the packets will pass through the router Example As stated before all the traffic will be separated and arbitrated using one of two IP filters call filter or data filter You may preset 12 call filters and data filters in Filter Setup and even link them in a serial manner Each filter set is composed of 7 filter rules which can be further defined After that i...

Page 310: ... randomly discard the subsequent TCP SYN packets for a period defined in Timeout The goal for this is prevent the TCP SYN packets attempt to exhaust the limited resource of Vigor router By default the threshold and timeout values are set to 2000 packets per second and 10 seconds respectively That means when 2000 packets per second received they will be regarded as attack event and the session will...

Page 311: ...urity for the LAN because it will carry significant information such as security TCC closed user group parameters a series of Internet addresses routing messages etc An eavesdropper outside might learn the details of your private networks Block Land Check the box to enforce the Vigor router to defense the Land attacks The Land attack combines the SYN attack technology with IP spoofing A Land attac...

Page 312: ...MP Fragment Check the box to activate the Block ICMP fragment function Any ICMP packets with more fragment bit set are dropped Block Unassigned Numbers Check the box to activate the Block Unknown Protocol function Individual IP packet has a protocol field in the datagram header to indicate the protocol type running over the upper layer However the protocol types greater than 100 are reserved and u...

Page 314: ...8.1.10 to 192.168.1.20 accessing to Internet through Vigor router Others e g 192.168.1.31 and 192.168.1.32 outside the range can get the source from LAN only The way we can use is to set two rules under Firewall For Rule 1 of Set 2 under Firewall Filter Setup is used as the default setting we have to create a new rule starting from Filter Rule 2 of Set 2 1 Access into the web user interface of Vigor ...

Page 315: ... Filter Rule 7 If Block If No Further Match for is selected for Filter the firewall of the router would check the packets with the rules starting from Rule 3 to Rule 7 The packets not matching with the rules will be processed according to Rule 2 4 Next set another rule Just open Firewall Filter Setup Click the Set 2 link and choose the Filter Rule 3 button 5 Check the box of Check to enable the Fi...

Page 316: ... popped up Choose Range Address as Address Type by using the drop down list Type 192.168.1.10 in the field of Start IP and type 192.168.1.20 in the field of End IP Then click OK to save the settings The computers within the range can access into the Internet ...

Page 317: ...or not The action for Filter shall be set with Pass Immediately Then click OK to save the settings 8 Both filter rules have been created Click OK Now all the settings are configured well Only the computers with the IP addresses within 192.168.1.10 to 192.168.1.20 can access to Internet ...

Page 318: ...ecks the URL strings or some of HTTP data hiding in the payload of TCP packets while legacy firewall inspects packets based on the fields of TCP IP headers only On the other hand Vigor router can prevent user from accidentally downloading malicious codes from web pages It s very common that malicious codes conceal in the executable objects such as ActiveX Java Applet compressed files and other exe...

Page 319: ... will be applied in Default Rule of Firewall General Setup for filtering Available settings are explained as follows Item Description Set to Factory Default Clear all profiles Profile Display the number of the profile which allows you to click to set different policy Name Display the name of the APP Enforcement Profile Click the number under Index column for settings in detail There are four tabs ...

Page 320: ...is 15 characters Select All Click it to choose all of the items in this page Clear All Uncheck all the selected boxes Enable Check the box to select the APP to be blocked by Vigor router Adv A button under Enable check box allows you to open a pop up window to specify activity for that APP The profiles configured here can be applied in the Firewall General Setup and Firewall Filter Setup pages as ...

Page 321: ...are explained as follows Item Description Upgrade Setting APPE Module Version Display current version status of APPE signature New version from the Internet Download button is available only when Vigor router detects new APPE version After clicking it a dialog will appear with information added to such new version Click OK to exit the dialog and start the signature upgrade Upgrade via interface Ch...

Page 322: ... only environment hence to increase the employee work efficiency How can URL Content Filter work better than traditional firewall in the field of filtering Because it checks the URL strings or some of HTTP data hiding in the payload of TCP packets while legacy firewall inspects packets based on the fields of TCP IP headers only On the other hand Vigor router can prevent user from accidentally down...

Page 323: ...nt Filter Profile Administration Message You can type the message manually for your necessity Default Message You can type the message manually for your necessity or click this button to get the default message which will be displayed on the field of Administration Message You can set eight profiles as URL content filter Simply click the index number under Profile to open the following web page Av...

Page 324: ...atching with the conditions specified in URL Access Control and Web Feature below such function can determine the priority for the actions executed For this one the router will process the packages with the conditions set below for web feature first then URL second Log None There is no log file will be recorded for this profile Pass Only the log about Pass will be recorded in Syslog Block Only the...

Page 325: ...on the maximal length of each frame is 32 character long After specifying keywords the Vigor router will decline the connection request to the website whose URL string matched to any user defined keyword It should be noticed that the more simplified the blocking keyword list is the more efficiently the Vigor router performs Web Feature Enable Restrict Web Feature Check this box to make the keyword...

Page 326: ... draytek com for using corresponding service Please refer to section of creating MyVigor account WCF adopts the mechanism developed and offered by certain service provider e g DrayTek No matter activating WCF feature or getting a new license for web content filter you have to click Activate to satisfy your request Be aware that service provider matching with Vigor router currently offers a period ...

Page 327: ... the message manually for your necessity or click this button to get the default message which will be displayed on the field of Administration Message Cache None the router will check the URL that the user wants to access via WCF precisely however the processing rate is normal Such item can provide the most accurate URL matching L1 the router will check the URL that the user wants to access via W...

Page 328: ...er license the items will be changed simultaneously All of the configuration made for web content filter will be deleted automatically Therefore please backup your data before you change the web content filter license Available settings are explained as follows Item Description Profile Name Type a name for the CSM profile The maximum length of the name you can set is 15 characters Log None There i...

Page 329: ...page with the characters listed on Group Object Selections If the web pages do not match with the specified feature set here they will be processed with the categories listed on the box below Action Pass allow accessing into the corresponding webpage with the categories listed on the box below Block restrict accessing into the corresponding webpage with the categories listed on the box below If th...

Page 330: ...g from clients on LAN Info For DNS filter must use the WCF service profile to filter the packets therefore WCF license must be activated first Otherwise DNS filter does not have any effect on packets Available settings are explained as follows Item Description DNS Filter Profile Table It displays a list of different DNS filter profiles with specified WCF and UCF Click the profile link to open the ...

Page 331: ...ed in Syslog WCF Set the filtering conditions UCF Set the filtering conditions Enable Block Page If such function is enabled when DNS packets are blocked by DNS filter a web page containing the description listed on Administration Message will be shown on the screen Administration Message Type the words or sentences which will be displayed when a web page is blocked by Vigor router After finishing...

Page 332: ...several useful services such as Anti Spam Web Content Filter Anti Intrusion and etc to filtering the web pages for the sake of protecting your system To access into MyVigor for getting more information please create an account for MyVigor Create an Account via Vigor Router 1 Click CSM Web Content Filter Profile The following page will appea...

Page 333: ...ies User s Guide 321 2 Click the Activate link A login page for MyVigor web site will pop up automatically 3 Click the link of Create an account now 4 Check to confirm that you accept the Agreement and click Accept ...

Page 334: ...Vigor3220 Series User s Guide 322 5 Type your personal information in this page and then click Continue 6 Choose proper selection for your computer and click Continue ...

Page 335: ...TART 8 Check to see the confirmation email with the title of New Account Confirmation Letter from myvigor draytek com 9 Click the Activate my Account link to enable the account that you created The following screen will be shown to verify the register process is finished Please click Login ...

Page 336: ...rd 11 Now click Login Your account has been activated You can access into MyVigor server to activate the service e g WCF that you want Create an Account via MyVigor Web Site 1 Access into http myvigor draytek com Find the line of Not registered yet Then click the link Click here to access into next page ...

Page 337: ...confirm that you accept the Agreement and click Accept 3 Type your personal information in this page and then click Continue 4 Choose proper selection for your computer and click Continue 5 Now you have created an account successfully Click START ...

Page 338: ...mation email with the title of New Account Confirmation Letter from myvigor draytek com 7 Click the Activate my Account link to enable the account that you created The following screen will be shown to verify the register process is finished Please click Login ...

Page 339: ... password that you just created in the fields of UserName and Password Then type the code in the box of Auth Code according to the value displayed on the right side of it Now click Login Your account has been activated You can access into MyVigor server to activate the service e g WCF that you want ...

Page 340: ...lter There are two ways to block the facebook service Web Content Filter and URL Content Filter Web Content Filter Benefits Easily and quickly implement the category website that you want to block Note License is required URL Content Filter Benefits Free flexible for customize webpage Note Manual setting e g one keyword for one website I Via Web Content Fil...

Page 341: ...Networking with Action Block 3 Enable this profile in Firewall General Setup Default Rule 4 Next time when someone accesses facebook via this router the web page would be blocked and the following message would be displayed instead II Via URL Content Filter A Block the web page containing the word of Facebook ...

Page 342: ...g page 2 In the field of Contents please type facebook Configure the settings as the following figure 3 Open CSM URL Content Filter Profile Click an index number to open the setting page 4 Configure the settings as the following figure 5 When you finished the above steps click OK Then open Firewall General Setup ...

Page 343: ... the field of URL Content Filter Now users cannot open any web page with the word facebook inside B Disallow users to play games on Facebook 1 Open Object Settings Keyword Object Click an index number to open the setting page 2 In the field of Contents please type apps facebook Configure the settings as the following figure ...

Page 344: ...g page 4 Configure the settings as the following figure 5 When you finished the above steps please open Firewall General Setup 6 Click the Default Rule tab Choose the profile just configured from the drop down list in the field of URL Content Filter Now users cannot open any web page with the word facebook inside ...

Page 345: ...ing Configuration Backup Syslog Mail Alert Time and Date Management Reboot System Firmware Upgrade and Activation It is used to control the bandwidth of data transmission through configuration of Sessions Limit Bandwidth Limit and Quality of Service QoS It is a security feature which disallows any IP traffic except DHCP related packets from a particular host until that host has correctly supplied a ...

Page 346: ...re several items that you have to know the way of configuration System Status TR 069 Administrator Password User Password Login Page Greeting Configuration Backup Syslog Mail Alert Time and Date Management Reboot System Firmware Upgrade Activation and Internal Service User List Below shows the menu items for System Maintenance ...

Page 347: ...ation Available settings are explained as follows Item Description Model Name Display the model name of the router Firmware Version Display the firmware version of the router Build Date Time Display the date and time of the current firmware build LAN MAC Address Display the MAC address of the LAN Interface IP Address Display the IP address of the LAN interface Subnet Mask Display the subnet mask a...

Page 348: ...ss Display the IP address of the WAN interface Default Gateway Display the assigned IP address of the default gateway IPv6 Address Display the IPv6 address for LAN Scope Display the scope of IPv6 address For example IPv6 Link Local could only be used for direct IPv6 link It can t be used for IPv6 internet Internet Access Mode Display the connection mode chosen for accessing into Internet ...

Page 349: ...ccording to the ACS Auto Configuration Server you want to link Please refer to Auto Configuration Server user s manual for detailed information Test With Inform Click it to send a message based on the event code selection to test if such CPE is able to communicate with VigorACS SI server Event Code Use the drop down menu to specify an event to perform the test Last Inform Response Time Display the...

Page 350: ...erver for the purpose of maintaining the binding in the Gateway Please type a number as the minimum period The default setting is 60 seconds Maximum Keep Alive Period If STUN is enabled the CPE must send binding request to the server for the purpose of maintaining the binding in the Gateway Please type a number as the maximum period A value of 1 indicates that no maximum period is specified Apply ...

Page 351: ...word in this field The length of the password is limited to 23 characters Confirm Password Type in the new password again Administrator Local User The administrator can login web user interface of Vigor router to modify all of the settings to fit the requirements This feature allows other user in LAN who can access into the web user interface with the same privilege of the administrator Local User...

Page 352: ...nabled It can ensure that any user is able to successfully access into web user interface of Vigor router through Internet by username password of admin admin Administrator LDAP Setting Enable LDAP AD login for Admin users If it is enabled any user can access into the web user interface of Vigor router through the LDAP server authentication Enable Admin Login From Wan The default setting is enab...

Page 353: ...terface accessed by using the administrator password Password Type in new password in this field The length of the password is limited to 31 characters Confirm Password Type in the new password again Set to Factory Default Click to return to the factory default setting When you click OK the login window will appear Please use the new password to access into the web user interface again Below shows...

Page 354: ...ing screen will appear Simply click OK 4 Log out Vigor router web user interface by clicking the Logout button 5 The following window will be open to ask for username and password Type the new user password in the field of Password and click Login ...

Page 355: ...with User Mode will be shown as follows Settings to be configured in User Mode will be less than settings in Admin Mode Only basic configuration settings will be available in User Mode Info Setting in User Mode can be configured as same as in Admin Mode ...

Page 356: ...s Item Description Enable Check this box to enable the login customization function Login Page Title Type a brief description e g Welcome to DrayTek which will be shown on the heading of the login dialog Welcome Message and Bulletin Type words or sentences here It will be displayed for bulletin message In addition it can be displayed on the login dialog at the bottom Note that do not type URL redi...

Page 358: ...ystem Maintenance Configuration Backup The following page will be popped up as shown below Available settings are explained as follows Item Description Restore Choose File Click it to specify a file to be restored Click Restore to restore the configuration Backup Click it to perform the configuration backup of this router 2 Click Backup button to get into the following dialog Click Save button to ...

Page 359: ...Info Backup for Certification must be done independently The Configuration Backup does not include information of Certificate Restore Configuration 1 Go to System Maintenance Configuration Backup The following windows will be popped up as shown below 2 Click Choose File button to choose the correct configuration file for uploading to the router 3 Click Resto...

Page 360: ...lay the name for such router configured in System Maintenance Management If there is no name here simply click the link to access into System Maintenance Management to set the router name Server IP Address The IP address of the Syslog server Destination Port Assign a port for the Syslog protocol Mail Syslog Check the box to record the mail event on Syslog Enable syslog message Check the box listed ...

Page 361: ...de Use SSL Check this box to use port 465 for SMTP server for some e mail server uses https as the transmission method Authentication Check this box to activate this function while using e mail application User Name Type the user name for authentication Password Type the password for authentication Enable E mail Alert Check the box to send alert message to the e mail box while the router detecting...

Page 362: ...50 3 From the Syslog screen select the router you want to monitor Be reminded that in Network Information select the network adapter used to connect to the router Otherwise you won t succeed in retrieving information from the router ...

Page 363: ...se Internet Time Select to inquire time information from Time Server on the Internet using assigned protocol Time Server Type the web site of the time server Priority Choose Auto or IPv6 First as the priority Time Zone Select the time zone where the router is located Enable Daylight Saving Check the box to enable the daylight saving Such feature is available for certain area Advanced Click it to o...

Page 364: ...ained as follows Item Description Enable SNMP Agent Check it to enable this function Get Community Set the name for getting community by typing a proper character The default setting is public The maximum length of the text is limited to 23 characters Set Community Set community by typing a proper name The default setting is private The maximum length of the text is limited to 23 characters Manage...

Page 365: ... community Trap Timeout The default setting is 10 seconds Enable SNMPV3 Agent Check it to enable this function USM User USM means user based security mode Type a username which will be used for authentication The maximum length of the text is limited to 23 characters Auth Algorithm Choose one of the encryption methods listed below as the authentication algorithm Auth Password Type a password for a...

Page 366: ...tion Setup CVM Access Control and Device Management The management pages for IPv4 and IPv6 protocols are different VI-1-10-1 IPv4 Management Setup Available settings are explained as follows Item Description Router Name Type in the router name provided by ISP Default Disable Auto Logout If it is enabled the function of auto logout for web user inte...

Page 367: ...user defined port numbers for the Telnet HTTP HTTPS FTP TR 069 and SSH servers Default Ports Check to use standard port numbers for the Telnet and HTTP servers TLS SSL Encryption Setup Enable SSL 3 0 Check the box to enable the function of SSL 3 0 if required Due to security consideration the built in HTTPS and SSL VPN server of the router had upgraded to TLS1 x protocol If you are using old brows...

Page 368: ...ow you managing the router from Internet Check the box es to specify Enable PING from the Internet Check the checkbox to enable all PING packets from the Internet For security issue this function is disabled by default Access List You could specify that the system administrator can only login from a specific host or network defined in the list A maximum of three IPs subnet masks is allowed Index i...

Page 369: ... from LAN interface There are several servers provided by the system which allow you to manage the router from LAN interface Check the box es to specify Apply To Subnet Check the LAN interface for the administrator to use for accessing into web user interface of Vigor router Index in IP Object Type the index number of the IP object profile Related IP address will appear automatically After finishe...

Page 370: ...edule web page and you can use the number that you have set in that web page If you want to reboot the router using the current configuration check Using current configuration and click Reboot Now To reset the router settings to default values check Using factory default configuration and click Reboot Now The router will take 5 seconds to reboot the system Info When the system pops up Reboot Syste...

Page 371: ...k s web site and FTP site is ftp DrayTek com Click System Maintenance Firmware Upgrade to launch the Firmware Upgrade Utility Choose the right firmware by clicking Select Then click Upgrade The system will upgrade the firmware of the router automatically Click OK The following screen will appear Please execute the firmware upgrade utility first For the detailed information about firmware update pl...

Page 372: ...Click System Maintenance Activation to open the following page for accessing http myvigor draytek com Available settings are explained as follows Item Description Activate via Interface Choose WAN interface used by such device for activating Web Content Filter Activate The Activate link brings you accessing into www vigorpro com to finish the activation of the account and the router Authentication...

Page 373: ...ternal RADIUS server for the user profile Uncheck the box to turn off security authentication service offered by internal RADIUS server for the user profile If you check the box next to such item all of the user profiles listed in this page will be enabled with RADIUS service enabled vice versa Local 802 1X Check the box to turn on the security authentication service offered by Local 802 1X server ...

Page 374: ... traffic can be throttled back to a lower speed If there s no defined priority to specify which packets should be discarded or in another term dropped from an overflowing queue packets of sensitive applications mentioned above might be the ones to drop off How this will affect application performance There are two components within Primary configuration of QoS deployment Classification Identifying...

Page 375: ...n the backbone will do the same checking before executing treatments in order to ensure service level consistency throughout the whole QoS enabled network However each node may take different attitude toward packets with high priority marking since it may bind with the business deal of SLA among different DS domain owners It s not easy to achieve deterministic and consistent high priority QoS traf...

Page 376: ...Sessions Limit In the Bandwidth Management menu click Sessions Limit to open the web page To activate the function of limit session simply click Enable and set the default session limit Available settings are explained as follows Item Description Session Limit Enable Click this button to activate the function of limit session ...

Page 377: ...ault session limit for the specific limitation you set for each index Add Adds the specific session limitation onto the list above Edit Allows you to edit the settings for the selected limitation Delete Remove the selected settings existing on the limitation list Administration Message Type the words which will be displayed when reaches the maximum number of Internet sessions permitted Default Mes...

Page 378: ...limit bandwidth IP Routed Subnet Check this box to apply the bandwidth limit to the second subnet specified in LAN General Setup Disable Click this button to close the function of limit bandwidth Default TX limit Define the default speed of the upstream for each computer in LAN Default RX limit Define the default speed of the downstream for each computer in LAN Allow auto adjustment Check this box...

Page 379: ...for each index Add Add the specific speed limitation onto the list above Edit Allow you to edit the settings for the selected limitation Delete Remove the selected settings existing on the limitation list Smart Bandwidth Limit Check this box to have the bandwidth limit determined by the system automatically TX limit Define the limitation for the speed of the upstream If you do not set the limit in...

Page 380: ...Display which direction that such function will influence Class 1 Class2 Class 3 Others Display the bandwidth percentage for each class UDP Bandwidth Control Display the UDP bandwidth control is enabled or not Online Statistics Display an online statistics for quality of service for your reference Setup Allow to configure general QoS setting for WAN interface Class Rule Index Display the class num...

Page 381: ... general setup of WAN interface As to class rule simply click the Edit link to access into next for configuration You can configure general setup for the WAN interface edit the Class Rule and edit the Service Type for the Class Rule for your request Online Statistics Display an online statistics for quality of service for your reference This feature is available onl...

Page 382: ...ck Setup link again You will see the Online Statistics link appearing on this page WAN Inbound Bandwidth It allows you to set the connecting rate of data input for other WAN For example if your ADSL supports 1M of downstream and 256K upstream please set 1000kbps for this box The default value is 10000kbps WAN Outbound Bandwidth It allows you to set the connecting rate of data output for other WAN ...

Page 383: ...bandwidth to ensure correct calculation of QoS It is suggested to set the bandwidth value for inbound outbound as 80 85 of physical network speed provided by ISP to maximize the QoS performance Edit the Class Rule for QoS 1 The first three Class 1 to Class 3 class rules can be adjusted for your necessity To add edit or delete the class rule please click ...

Page 384: ...ource address For Single Address you have to fill in Start IP address For Range Address you have to fill in Start IP address and End IP address For Subnet Address you have to fill in Start IP address and Subnet Mask DiffServ CodePoint All the packets of data will be divided with different levels and will be processed according to the level type by the system Please assign one of the levels of the ...

Page 385: ...n of that one and click Edit to open the rule edit page for modification Edit the Service Type for Class Rule 1 To add a new service type edit or delete an existed service type please click the Edit link under Service Type field 2 After you click the Edit link you will see the following page ...

Page 386: ...fter finishing all the settings here please click OK to save the configuration By the way you can set up to 10 service types If you want to edit delete an existed service type please select the radio button of that one and click Edit Edit for modification Retag the Packets for Identification Packets coming from LAN IP can be retagged ...

Page 387: ...nd Outbound bandwidth and bandwidth ratio Vigor router can perform the bandwidth management for the protocols streaming remote control web HD and so on Click Bandwidth Management APP QoS to open the following page Available settings are explained as follows Item Description Enable Disable Click Enable to activate APP QoS function Click Disable to deactivate APP QoS function Traceable The protocol l...

Page 388: ... to all Choose one of the actions from the drop down list It is prepared for applying to all protocols Apply Click it to make the selected action be applied all of the selected protocols immediately Action There are many protocols which can be specified with different QoS Class After finishing all the settings please click OK to save the configuration ...

Page 389: ...helps you to well allocate the bandwidth upon your demand of Voice Video or Data transferring Let s see how to get the optimum bandwidth per your request by using DrayTek Vigor router as below Scenario The Internet connection you got from ISP line is 2MB 512Kb There are VoIP telephony network IPTV set top box and data server at your home Assume you want to allocate 30 of the bandwidth you got to V...

Page 390: ...lick Edit to specify the local address 5 In the pop up window choose Range Address as the Address Type and type the start IP address and end IP address in relational fields Click OK to save the settings and exit the window 6 Click OK again to save the settings ...

Page 391: ...or3220 Series User s Guide 379 7 The class rule for VoIP has been set Click OK to return to previous page 8 Do the same steps to add class rules for IPTV and Data Email with IP addresses as shown below and ...

Page 392: ... click the Setup link of WAN1 to set up the bandwidth for different groups among VoIP IPTV and Data Email 10 In the Setup page check the box of Enable the QoS Control Type 30 50 and 15 in the boxes for VoIP IPTV and Data Email respectively Check the box of Enable UDP Bandwidth Control ...

Page 393: ...Vigor3220 Series User s Guide 381 11 Click OK to save the settings The class rules for WAN1 are defined as shown below ...

Page 394: ... internal database Meanwhile children may chat on Skype in the restroom 1 Go to Bandwidth Management Quality of Service 2 Click Setup link of WAN 1 2 3 4 5 Make sure the QoS Control on the left corner is checked And select BOTH in Direction 3 Set Inbound Outbound bandwidth Info The rate of outbound inbound must be smaller than the real bandwidth to ensure correct calculation of QoS It is suggested...

Page 395: ...r Class 1 Click OK to save the settings 5 Click the Setup link for WAN2 The user can set reserved bandwidth e g 25 for E mail using protocol POP3 and SMTP Click OK to save the settings 6 Return to previous page Enter the Name of Index Class 2 by clicking Edit link In this index the user will set reserved bandwidth for HTTPS And click OK ...

Page 396: ...event enormous UDP traffic influence other application Click OK 9 If the worker has connected to the headquarter using host to host VPN tunnel Please refer to Chapter 3 VPN for detail instruction he may set up an index for it Enter the Class Name of Index 3 In this index he will set reserved bandwidth for 1 VPN tunnel ...

Page 397: ... this index the user will set reserved bandwidth for VPN 11 Click Add to open the following window Check the ACT box first 12 Then click Edit of Local Address to set a worker s subnet address Click Edit of Remote Address to set headquarter s IP address Leave other fields and click OK ...

Page 398: ...er account Network administrator can give different firewall policies or rules for different hosts with different User Management accounts This is more flexible and convenient for network management Not only offering the basic checking for Internet access User Management also provides additional firewall rules e g CSM checking for protecting hosts Info Filter rules configured under Firewall usuall...

Page 399: ...dard selected here will influence the contents of the filter rule s applied to every user Available settings are explained as follows Item Description Mode There are two modes offered here for you to choose Each mode will bring different filtering effect to the users involved User Based If you choose such mode the router will apply the filter rules configured in User Management User Profile to the...

Page 400: ...the size no more than 524 352 pixel to have an image of enterprise or have the effect of advertisement Login Page Greeting Such link allows you to access into the setting page for login greeting For detailed information refer to System Maintenance Login Page Greeting Display IP Address on tracking window Check the box to display the IP address of the client on the tracking window Landing Page Type...

Page 401: ...files up to 200 which will be applied for users controlled under User Management Simply open User Management User Profile To set the user profile please click any index number link to open the following page Notice that profile 1 admin and profile 2 Dial In User are factory default settings Profile 2 is reserved for future use ...

Page 402: ...r has to type the User Name specified here to pass the authentication When the user passes the authentication he she can access Internet via this router However the accessing operation will be restricted with the conditions configured in this user profile The maximum length of the name you can set is 24 characters Password Type a password for such profile e g lug123 wug123 wug456 etc When a user t...

Page 403: ...user profile Create New Policy If you choose such item the following page will be popped up for you to define another filter rule as a new policy For the detailed configuration simply refer to Firewall Filter Rule The firewall filter rules that are not selected in Firewall General Default rule can be available for use in User Management User Profile External Service Authentication router will auth...

Page 404: ...the user can use Telnet command to perform the authentication job Landing Page When a user tries to access into the web user interface of Vigor router series with the user name and password specified in this profile he she will be led into the web page configured in Landing Page field in User Management General Setup Check this box to enable such function Index 1 15 in Schedule Setup You can type...

Page 405: ...profile Reset quota to default when scheduling time expired Set default time quota and data quota for such profile When the scheduling time is up the router will use the default quota settings automatically Enable Check it to use the default setting for time quota and data quota Default Time Quota Type the value for the time manually Default Data Quota Type the value for the data manually Internal...

Page 406: ...mber link to open the following page Available settings are explained as follows Item Description Name Type a name for this user group Available User Objects You can gather user profiles objects from User Profile page within one user group All the available user objects that you have created will be shown in this box Notice that user object Admin and Dial In User are factory settings User defined ...

Page 407: ...ime interval of refreshing data flow that will be done by the system automatically Refresh Click this link to refresh this page manually Index Display the number of the data flow User Display the users which connect to Vigor router currently You can click the link under the username to open the user profile setting page for that user IP Address Display the IP address of the device Profile Display ...

Page 408: ...Vigor3220 Series User s Guide 396 Action Block can avoid specified user accessing into Internet Unblock allow the user to access into Internet Logout the user will be logged out forcefully ...

Page 409: ...before a valid username and password have been correctly supplied a particular client will not be allowed to access Internet through the router There are three ways for authentication Web Telnet and Alert Tool Authentication via Web If a LAN client who hasn t passed the authentication opens an external web site in his browser he will be redirected to the rou...

Page 410: ...de 398 With Microsoft Internet Explorer you may get the following warning message Please press Continue to this website not recommended With Mozilla Firefox you may get the following warning message Select I Understand the Risks ...

Page 411: ...e 399 With Chrome browser you may get the following warning Click Proceed anyway After that the web authentication window will appear Input the user name and the password for your account defined in User Management and click Login ...

Page 412: ...s failed you will get the error message The username or password you entered is incorrect Please login again In above description you access an external web site to trigger the authentication You may also directly access the router s Web UI for authentication Both HTTP and HTTPS are supported for example http 192 168 1 1 or https 192 168 1 1 Replace 192 168 1 1 with your router s real IP address a...

Page 413: ...in Successful in the Welcome Message table Also you will get a Tracking Window if you don t block the pop up window Don t setup a user profile in User Management and a VPN Remote Dial in user profile with the same Username Otherwise you may get unexpected result It is because the VPN Remote Dial in User profiles can be extended to the User profiles in User Management for authentication There are t...

Page 414: ...ser profile with the same username chaochen but a different password 1234 you will always get error message The username or password you entered is incorrect when you use chaochen test via Web to do authentication If SSL Tunnel or SSL Web Proxy is disabled in the VPN profile a User Management account and a remote dial in VPN profile can use the same Username even with different passwords However w...

Page 415: ...ccount name for the authentication 2 Type the password for authentication and press Enter The message User login successful will be displayed with the expired time if configured Info Here expired time is Unlimited means the Time Quota function is not enabled for this account After login this account will not be expired until it is logout 3 In the Web interface of router the configuration page of T...

Page 416: ...e which means this account has no time quota If the Time Quota is enabled and time is not 0 minute You will get the following message The expired time is shown after you login After you run out the available time you can t use this account any more until the administrator manually adds additional time for you ...

Page 417: ... again Authentication via VigorPro Alert Notice Tool allows user to setup the re authentication interval so that the utility will send authentication requests periodically This will keep the client hosts from having to manually authenticate again and again The configuration of the VigorPro Alert Notice Tool is as follows 1 Click Authenticate Now to start the authentication immediately 2 You may ge...

Page 418: ...le 1 Users can see the message for landing page after logging into Internet successfully 1 Open the web user interface of Vigor3220 2 Open User Management General Setup to get the following page In the field of Landing Page please type the words of Log...

Page 419: ...ick OK to save the settings 5 Open any browser e g FireFox Internet Explorer The logging page will appear and asks for username and password Please type the correct username and password 6 Click Login If the logging is successful you will see the message of Login Success from the browser you use ...

Page 420: ...cally after logging into Internet successfully 1 In the field of Landing Page please type the words as below body stats 1 script language javascript window location http www draytek com script body 2 Next enable the Landing Page function Open User Management User Profile and click one of the index number e g index nu...

Page 421: ...the following page check the box of Landing page and click OK to save the settings 4 Open any browser e g FireFox Internet Explorer The logging page will appear and asks for username and password Please type the correct username and password ...

Page 422: ...5 Click Login If the logging is successful you will be directed into the website of www draytek com ...

Page 423: ... PN Vigor3220 can build virtual private network VPN between itself and any other TR 069 CPE by the function of central VPN management In addition it can be treated as a server called CVM server which can manage TR 069 CPE for periodical firmware upgrade configuration backup and restoring configuration ...

Page 424: ...echanism VI-4-1-1 General Settings To enable the CVM feature the first thing you have to do is enabling CVM port or CVM SSL Port Available settings are explained as follows Item Description CVM SSL Port Check the box to enable the port setting Type the port number in the box CVM Port Check the box to enable the port setting Type the port number in the box WA...

Page 425: ...nt is operated through IPsec VPN connection Available settings are explained as follows Item Description IPsec Mode Choose Aggressive or Main as the IPsec Mode Security Method Choose one of the following methods AH or ESP for the security of data transmission For example choose AH to specify the IPsec protocol for the Authentication Header protocol The data will be authenticated but not be encrypt...

Page 426: ... Before using such feature make sure the CVM port has been enabled and configured properly VI-4-2-1 Managed Device List This page allows you to manage the CPEs connected to Vigor3220 Series Page without CPE connected Page with CPE connected ...

Page 427: ...location manually Delete To disconnect the management of any CPE click the CPE icon you want and click the Delete button Double clicking the CPE icon also can pop up the Managed Device Detail window However you cannot modify any data on the window Unmanaged Devices List Any device CPE which follows the standard of TR 069 can be configured and can be detected by Vigor3220 Series automatically Only ...

Page 428: ... Google Map Refresh Click it to refresh current web page VI-4-2-2 CPE Maintenance This area displays all the profiles which are created for applying to the managed device This page can help the administrator to do maintenance jobs like firmware upgrade configuration backup configuration restoration and etc Available settings are explained as follows Item Descr...

Page 429: ...add a new Maintenance Profile Follow the steps below to create a new maintenance profile 1 Click any index number link e g Index 1 2 The Maintenance page appears Info When restoring configuration to a CPE make sure the configuration file you selected was backup from this CPE before Because restoring from another device s configuration file may cause ...

Page 430: ...ISP username password Restoring configuration from one CPE to the other will cause Internet connection not being online Firmware Upgrade It means such profile will be used for firmware upgrade File Path Click Select to locate the file you want to save restore or upgrade for CPE Index in Schedule Vigor3220 Series will perform the specified action to the selected CPE based on the schedule configured...

Page 431: ... the LAN to LAN profile It is generated automatically when you click the PPTP IPsec Advanced button to build the VPN connection between Vigor3220 and remote CPE Type Display the dial in type and the authentication method Remote IP Display the IP address of the remote CPE and the interface Virtual Network Display the IP address and subnet mask of Vigor3220 Series Tx Pkts Display the number of the t...

Page 432: ...ty of CVM log is full the system will stop recording Always record the new event only the newest events will be recorded by the system Device Name Display the name of the managed CPE Description Name Display the brief explanation for the managed CPE Time date Display the time and date that the managed CPE scanned by Vigor3220 Series Action Type Display the action that Vigor3220 Series will perform...

Page 433: ...ord for Vigor3220 Series For this section we use Vigor2850 series as the example All the CPE configuration will be done through Vigor2850 series Configure CVM Settings on Vigor3220 Series 1 Access into the web user interface of Vigor3220 Series 2 Open Central Management VPN General Setup 3 In the following page check the box...

Page 434: ...4 Click OK to save the settings ...

Page 435: ...xample IE Mozilla Firefox or Netscape and type http 192 168 1 1 2 Open System Maintenance TR 069 3 In the field of ACS Server type the URL IP address with port number of Vigor3220 Series and type the same Username and Password defined on the page of Central VPN Management General Setup in Vigor3220 Series Then click Enable for CPE Client and then click OK to save the settings 4 Open System Mainten...

Page 436: ... management access control and click OK 6 Open WAN Internet Access Use the drop down list of Access Mode on WAN1 to select MPoA RFC1483 2684 Then click Details Page 7 Click Specify an IP address Type correct WAN IP address subnet mask and gateway IP address for your CPE Then click OK ...

Page 437: ...rn to the web user interface of Vigor3220 Series 2 Open Central VPN Management VPN Management Now there is one CPE displayed on the field of Unmanaged Devices List 3 Choose the one Vigor2850 from Unmanaged Devices List and click Add The following dialog will be popped up Type the name and the location of the router respectively Click OK to save the configuration 4 The selected CPE will be moved an...

Page 438: ...gurations 3 Upgrade firmware for CPE 4 Manage multiple CPEs simultaneously For CVM to work it requires settings on both Central Router VPN server and the CPEs VPN Clients The following steps are the detailed instructions of using Vigor2860 and Vigor2925 as the central router Configuring the Central Router 1 Go to Central Management VPN General ...

Page 439: ...2 Go to IPsec tab select the Local Subnet to establish VPN connection Click OK to save 3 Go to System Maintenance Management and make sure the CVM Port is enabled ...

Page 440: ...net as ACS Server On b Enter the URL of ACS server copied from the central router c Enter Username and Password as the same as in CVM settings on the central router d Enable CPE Client e Enable Periodic Inform Settings f Click OK to save 2 Go to System Maintenance Management enable Allow management from the Internet and make sure TR 069 server is enabled ...

Page 441: ...st Now the Central Router should see the CPE on the Unmanaged Device List which can be found from Central Management VPN CPE Management Managed Devices List To add the CPE to Managed Device List a select the CPE device from Unmanaged Devices List b enter a Description Name and its Location c click Add to add it to Managed Devices List After that the CPE will appear in Managed Devices List with i...

Page 442: ...If you have entered the exact address of the CPE you may check its location in Google Map tab ...

Page 443: ...anagement 1 The VPN Management page shows all the devices in Managed Device List and their connection status 2 Click on a device to show the VPN type options then click on one of the options to establish VPN connection In PPTP IPsec and SSL the system will give a username and password automatically however Administrator could change the encryption methods by choosing Advanced ...

Page 444: ...the connection information is in the CPE VPN Connection List below 4 After that both the CPE and central router will create a LAN to LAN profile in VPN and Remote Access LAN to LAN Administrator could also change the VPN type in VPN Management page and the settings will applied to the LAN to LAN profile automatically ...

Page 445: ...on backup Go to Applications Schedule click on an index number to add a schedule profile a Enable Schedule Setup b Select the Start Date and Start Time as the time for CPE to backup its configuration c Set Duration Time to 5 minutes Note Longer duration gives router more retrying time in case that the CPE lose connection with the central router d Select How Often does the CPE need to backup its co...

Page 446: ... profile a Enter the Profile Name b Enable this profile c For Device Name select the MAC address of the CPE d Select Config Backup for Action Type e Enter the Schedule profile index f Click OK to save 4 After the configuration backup go to USB Application File Explorer to check if the configuration file has been saved successfully ...

Page 447: ...or the device e g Vigor2850 managed by Vigor3220 Series Vigor2850 as an example is chosen for Vigor3220 to perform the CPE firmware upgrade remotely in this case 1 Plug in USB storage disk onto Vigor3220 Series via USB interface Make sure the USB disk has been installed correctly otherwise the firmware upgrade will not be successful 2 Access into web user interface of Vigor3220 Series Open Central...

Page 448: ...to perform firmware upgrade from Device Name drop down list From the Action Type choose Firmware Upgrade Type the file path of the newest firmware or click Select to locate it Specify the Schedule profile At last click OK 5 Now a new maintenance profile has been created 6 Click Now to perform the firmware upgrade immediately for Vigor2850 7 Wait for several minutes for firmware upgrade ...

Page 449: ... the managed device if the firmware upgrade is successful or not Click Managed Devices List Click the icon of Vigor2850 and click Edit and view the software version Another way to check if the firmware upgrade is completed or not simply open Central VPN Management Log Alert ...

Page 450: ...st wireless coverage will be clearly indicated through simulated signal strength AP Maintenance Vigor router can execute configuration backup configuration restoration firmware upgrade and remote reboot for the APs managed by the router It is very convenient for the administrator to process maintenance without accessing into the web user interface of the access point Lo...

Page 451: ...Dashboard This page shows VigorAP s information about Status Event Log Total Traffic or Station Number by displaying VigorAP icon text and histogram Just move and click your mouse cursor on Status Event Log Total Traffic or Station Number Corresponding web pages will be open immediately ...

Page 452: ... router will be displayed here IP Address Display the true IP address of the access point SSID Display the SSID configured for the access point s connected to Vigor3220 Ch Display the channel used by the access point STA List Display the number of wireless clients stations connecting to the access point In which 0 64 means that up to 64 clients are allowed to connect to the access point But now no...

Page 453: ...ed as follows Item Description Profile Name Display the name of the profile The default profile cannot be renamed Main SSID Display the SSID configured by such wireless profile Security Display the security mode selected by such wireless profile Multi SSID Enable means multiple SSIDs more than one are active Disable means only SSID1 is active WLAN ACL Display the name of the access control list Ra...

Page 454: ...ly the selected wireless profile to the specified Access Point Simply choose the device you want from Existing Device field Click to move the device to Selected Device field Then click OK The selected WLAN profile will be applied to the selected access point immediately Later the access point will reboot Apply To Local WLAN Profile configured in this page is specified for VigorAP connected to Vigo...

Page 455: ...it the wireless LAN profile 1 Check the box on the left side of the selected profile 2 Click the Edit button to display the following page Info The function of Auto Provision is available for the default WLAN profile ...

Page 456: ...3 After finished the general settings configuration click Next to open the following page for 2 4G wireless security settings ...

Page 457: ...bove web page configuration click Next to open the following page for 5G wireless security settings 5 When you finished the above web page configuration click Finish to exit and return to the first page The modified WLAN profile will be shown on the web page ...

Page 458: ...med to more than one AP at one time by using Vigor3220 Available settings are explained as follows Item Description Action There are four actions provided by Vigor router to manage the access points Vigor router can backup the configuration of the selected AP restore the configuration for the selected AP perform the firmware upgrade of the selected AP reboot the selected AP remotely and perform th...

Page 459: ...Selected Device Display the access points that will be applied by such function after clicking OK After finishing all the settings here please click OK to perform the action ...

Page 460: ...iption Check the box to view or edit the AP Map Location Display a brief description e g ground roof of the AP Map AP Display the model name and number of VigorAP located on the AP map AP Signal Strength Display the pre defined signal strength of the AP map Dimension m Display the width and length of the AP map Map Display if the uploaded file for AP map is ready or not View Click it to review the...

Page 461: ...ngs are explained as follows Item Description Location Profile Name Type a name e g groudfloor for the AP map profile Upload Map Click the Select button to choose an image file only JPG and PNG are supported for floor plan Cancel Click it to cancel the configuration Next Click it to go to the next configuration page 2 Click Next In the web page of Dimension set dimension for the map ...

Page 462: ...3 Follow the instruction listed on the web page to draw a red line for length width Then type the value on the pop up dialog to determine the real distance The values for length and width will be displayed on the web page ...

Page 463: ...4 Click Next to open the web page of Planning Available APs detected by Vigor router will be displayed on the upper end 5 Select the AP you need drag and drop an AP icon from upper end to the map on the bottom ...

Page 464: ...6 Check the box of Show AP Coverage and choose 2 4GHz or 5GHz of wireless signal for the AP located on the floor plan 7 Adjust the AP on the map to find out which place can have the best wireless coverage At last click Save ...

Page 465: ...smission rate in kbps Info Enabling Disabling such function will also enable disable the External Devices function VI-5-7 Temperature Sensor Many VigorAP and Vigor router can be installed with temperature sensor If VigorAP e g VigorAP 910C is managed under Vigor router e g Vigor3220 then Vigor router can obtain the temperature change graph of the USB tempe...

Page 466: ... log for all of the APs managed by Vigor router will be shown on this page It is useful for troubleshooting if required VI-5-9 Total Traffic Such page will display the total traffic of data receiving and data transmitting for VigorAPs managed by Vigor router ...

Page 467: ... Vigor router Thus the bandwidth will not be occupied by certain access points Available settings are explained as follows Item Description Enable Check the box to enable such function Mode It is used to determine the operation mode when the system detects overload between access points By Station Number The operation of load balance will be executed based on the station number configured in this ...

Page 468: ...ill terminate the network connection of the client s station which is idle for a longest time By signal Strength When the access point is overload e g reaching the limit of station number or limit of network traffic it will terminate the network connection of the client s station with the weakest signal After finishing all the settings here please click OK to save the configuration VI-5-12...

Page 469: ... at one time VI-6-1 Status VI-6-1-1 Switch Status Such page displays information including Group Switch name IP address model System Up Time Port in Use Clients and Firmware Version of VigorSwitch connected to Vigor3220 series Before checking the switch status go to Central Management External Device to enable External Device Auto Discovery Wai...

Page 470: ... the name link of VigorSwitch You can click the name link to access into the switch profile IP Address Display the IP address of VigorSwitch Model Display the model name of VigorSwitch System Up Time Display the time accumulated since this VigorSwitch is powered up Port in Use Display how many devices connected to VigorSwitch Clients Display the number of LAN ports used in VigorSwitch Firmware Vers...

Page 471: ...itch Hierarchy Such page displays the hierarchy of VigorSwitch es managed under Vigor3220 Please note that Shutdown Port is available for LAN port of VigorSwitch connects to a LAN device When it is checked after clicking OK the network connection between that device and VigorSwitch will be terminated ...

Page 472: ...nnected VigorSwitch will have one setting profile If there are many switches connected to Vigor3220 different index number will be used to represent different VigorSwitch Name Display the user defined name of VigorSwitch Group Display the group name of VigorSwitches IP Address Display the IP address of VigorSwitch MAC Address Display the MAC address of VigorSwitch Model Display the model name of V...

Page 473: ...Password Display the original login password for the VigorSwitch However if Group Password in Central Management Switch Group is configured with other string then such field is not allowed to type any other password And only the group password will be shown instead IP Address Display the dynamic IP address of the connected switch assigned by Vigor3220 Save Click it to save the settings Cancel Clic...

Page 474: ...witch via the LAN port Shutdown Port Shutdown The port e g Port 9 in this case which is used to connect VigorSwitch and Vigor3220 will not be shutdown by Vigor3220 series Other LAN ports of VigorSwitch shall be allowed to connect to any LAN device When it is checked after clicking Save the network connection between that device and VigorSwitch will be terminated Schedule Two schedule profiles can b...

Page 475: ... p Different switches can be classified into different group s Specific password for a group can be defined and applied to every switch under that group Through the common password setting it is not necessary for the system administrator to remember various login passwords to access into different VigorSwitch devices Click any index number link to create a new switch group ...

Page 476: ...ng to Vigor3220 series All of the switches under the same group can be accessed into via such group password Existing Switch Display all of the VigorSwitch devices connecting to Vigor3220 Member Switch Choose the switches you want to group and click the button to move the selected devices onto the field of Member Switch Devices under Member Switch will be grouped under such group profile OK Click ...

Page 477: ...e Four actions including configuration backup configuration restore remote reboot and factory reset are offered by Vigor3220 to perform on VigorSwitch File Path Click the button to find out the required file Select Device Existing Device Display all of the VigorSwitch devices connecting to Vigor3220 Selected Device Choose the switches you want to group and click the button to move the existing dev...

Page 478: ...VI-6-5 Support List This page lists all models of VigorSwitch which can be managed by Vigor3220 via Central Management Switch ...

Page 479: ...set up multiple subnets with tag based VLAN on Vigor Router and use Central Switch Management to configure the according VLAN setting on the switch Configuring router's multiple subnet and VLAN 1 Go to LAN VLAN enable VLAN configuration and a Enable each LAN Subnet on different VLAN b Select the LAN port members for each...

Page 480: ...itch Management 3 Go to Central Management External Device to enable External Device Auto Discovery Then connect a VigorSwitch to Vigor Router's LAN Port When the VigorSwitch is detected and shows On Line it's ready for Central Switch Management 4 Go to Central Management Switch Profile you will see the VigorSwitch is in New Switch List click Add New to put the switch i...

Page 481: ... router s VLAN settings In this example router s LAN port 3 is a member for VLAN0 VLAN1 VLAN2 and VLAN3 therefore there are four VLANs available for the switch s VLAN setup The port that connects to the router will be marked gray and automatically selected to be a member of every VLAN c For the rest of the ports select the VLAN to which they should belong If a port belongs to more than one tagged ...

Page 482: ...n different ports and verify which LAN subnet we are in by checking the IP address obtained First we connect to switch s port 8 By using command ipconfig we can see that the computer obtained an IP 192 168 2 10 which belongs to router s LAN2 Next connect to port 16 renew the IP address and we ll obtain IP 192 168 3 10 which means we re in router s LAN3 subnet Finally connect to the switch by port ...

Page 483: ... Item Description External Device Auto Discovery Check this box to detect the external device automatically and display on this page From this web page check the box of External Device Auto Discovery Later all the available devices will be displayed in this page with icons and corresponding information You can change the device name if required or remove the information for off line device wheneve...

Page 485: ...dress service type keyword file extension and others These pre defined objects can be applied in CSM USB device connected on Vigor router can be regarded as a server or WAN interface By way of Vigor router clients on LAN can access write and read data stored in USB storage disk with different applications ...

Page 486: ...VII-1 Objects Settings Define objects such as IP address service type keyword file extension and others These pre defined objects can be applied in CSM ...

Page 487: ... range usually will be applied in configuring router s settings therefore we can define them with objects and bind them with groups for using conveniently Later we can select that object group that can apply it For example all the IPs in the same department can be defined with an IP object a range of IP address You can set up to 192 sets of IP Objects with different conditions ...

Page 488: ...ct profile Address Display the IP address configured for the object profile Export IP Object Usually the IP objects can be created one by one through the web page of Objects IP Object However to a user who wants to save more time in bulk creating IP objects a quick method is offered by Vigor router to modify the IP objects with a single file a CSV file All of the IP objects or the template can be ...

Page 489: ...lows Item Description Name Type a name for this profile Maximum 15 characters are allowed Interface Choose a proper interface For example the Direction setting in Edit Filter Rule will ask you specify IP or IP range for WAN or LAN DMZ RT VPN or any IP address If you choose LAN DMZ RT VPN as the Interface here and choose LAN DMZ RT VPN as the direction setting in Edit Filter Rule then all the IP ad...

Page 490: ...ingle Address type End IP Address Type the end IP address if the Range Address type is selected Subnet Mask Type the subnet mask if the Subnet Address type is selected Invert Selection If it is checked all the IP addresses except the ones listed above will be applied later while it is chosen 4 After finishing all the settings here please click OK to save the configuration Below is an example of IP...

Page 491: ... are explained as follows Item Description Set to Factory Default Clear all profiles Index Display the profile number that you can configure Name Display the name of the group profile To set a new profile please do the steps listed below 1 Click the number e g 1 under Index column for configuration in details 2 The configuration page will be shown as follows ...

Page 492: ...ied interface chosen above will be shown in this box Selected IP Objects Click button to add the selected IP objects in this box 3 After finishing all the settings here please click OK to save the configuration VII-1-3 IPv6 Object You can set up to 64 sets of IPv6 Objects with different conditions Available settings are explained as follows Item Description Set to Fac...

Page 493: ...everal IPv6s within a range Select Subnet Address if this object contains one subnet for IPv6 address Select Any Address if this object contains any IPv6 address Select Mac Address if this object contains Mac address Mac Address Type the MAC address of the network card which will be controlled Start IP Address Type the start IP address for Single Address type End IP Address Type the end IP address...

Page 494: ...tings are explained as follows Item Description Set to Factory Default Clear all profiles Index Display the profile number that you can configure Name Display the name of the group profile To set a new profile please do the steps listed below 1 Click the number e g 1 under Index column for configuration in details 2 The configuration page will be shown as follows ...

Page 495: ...Pv6 Objects Click button to add the selected IPv6 objects in this box 3 After finishing all the settings please click OK to save the configuration VII-1-5 Service Type Object You can set up to 96 sets of Service Type Objects with different conditions Available settings are explained as follows Item Description Set to Factory Default Clear all profiles In...

Page 496: ... columns are available for TCP UDP protocol It can be ignored for other protocols The filter rule will filter out any port number when the first and last value are the same it indicates one port when the first and last values are different it indicates a range for the port and available for this profile when the first and last value are the same it indicates all the ports except the port defined h...

Page 497: ...1-6 Service Type Group This page allows you to bind several service types into one group Available settings are explained as follows Item Description Set to Factory Default Clear all profiles Index Display the profile number that you can configure Name Display the name of the group profile ...

Page 498: ...ings are explained as follows Item Description Name Type a name for this profile Maximum 15 characters are allowed Available Service Type Objects All the available service objects that you have added on Objects Setting Service Type Object will be shown in this box Selected Service Type Objects Click button to add the selected IP objects in this box 3 After finishing all the settings please click O...

Page 499: ...et 200 keyword object profiles for choosing as black white list in CSM URL Web Content Filter Profile Available settings are explained as follows Item Description Set to Factory Default Clear all profiles Index Display the profile number that you can configure Name Display the name of the object profile ...

Page 500: ... are explained as follows Item Description Name Type a name for this profile e g game Maximum 15 characters are allowed Contents Type the content for such profile For example type gambling as Contents When you browse the webpage the page with gambling information will be watched out and be passed blocked based on the configuration on Firewall settings 3 After finishing all the settings please clic...

Page 501: ...st in CSM URL Web Content Filter Profile Available settings are explained as follows Item Description Set to Factory Default Clear all profiles Index Display the profile number that you can configure Name Display the name of the group profile To set a new profile please do the steps listed below 1 Click the number e g 1 under Index column for configuration in details 2 The configuration page will ...

Page 502: ...selected Keyword objects in this box 3 After finishing all the settings please click OK to save the configuration VII-1-9 File Extension Object This page allows you to set eight profiles which will be applied in CSM URL Content Filter All the files with the extension names specified in these profiles will be processed according to the chosen action A...

Page 503: ...ls 2 The configuration page will be shown as follows Available settings are explained as follows Item Description Profile Name Type a name for this profile The maximum length of the name you can set is 7 characters 3 Type a name for such profile and check all the items of file extension that will be processed in the router Finally click OK to save this profile ...

Page 504: ...ice Each item is explained as follows Item Description Set to Factory Default Clear all of the settings and return to factory default settings Index Display the profile number that you can configure Profile Display the name for such SMS profile SMS Provider Display the service provider which offers SMS service To set a new profile please do the steps listed below 1 Click the SMS Provider tab and c...

Page 505: ...n use to register to selected SMS provider The maximum length of the name you can set is 31 characters Password Type a password that the sender can use to register to selected SMS provider The maximum length of the password you can set is 31 characters Quota Type the number of the credit that you purchase from the service provider chosen above Note that one credit equals to one SMS text message on...

Page 506: ...to make customized SMS service The profile name for Index 9 and Index 10 are fixed You can click the number e g 9 under Index column for configuration in details Available settings are explained as follows Item Description Profile Name Display the name of this profile It cannot be modified Service Provider Type the website of the service provider Type the URL string in the box under the filed of S...

Page 507: ...he router will send out Sending Interval Type the shortest time interval for the system to send SMS After finishing all the settings here please click OK to save the configuration Mail Service Object This page allows you to set ten profiles which will be applied in Application SMS Mail Alert Service Each item is explained as follows Item Description Set to Factory...

Page 508: ...ype the IP address of the mail server SMTP Port Type the port number for SMTP server Sender Address Type the e mail address of the sender Use SSL Check this box to use port 465 for SMTP server for some e mail server uses https as the transmission method Authentication The mail server must be authenticated with the correct username and password to have the right of sending message out Check the box...

Page 509: ...I 1 1 1 11 1 Notification Object This page allows you to set ten profiles which will be applied in Application SMS Mail Alert Service You can set an object with different monitoring situation To set a new profile please do the steps listed below 1 Open Object Setting Notification Object and click the number e g 1 under Index column for configuration in details ...

Page 510: ...15 characters Category Display the types that will be monitored Status Display the status for the category You can check the box you want to be monitored For example the check box of CPE firmware Upgrade Fail under the category of Central VPN Management is checked Once such profile is enabled Vigor router system will send out notification to the recipient via SMS 3 After finishing all the settings...

Page 511: ...e settings are explained as follows Item Description Add Click it to open the following page for adding a new string object Set to Factory Default Click it to clear all of the settings in this page Index Display the number link of the string profile String Display the string defined Clear Choose the string that you want to remove Then click this check box to delete the selected string Below shows ...

Page 512: ... Log into the web user interface of Vigor router 2 Configure relational objects first Open Object Settings SMS Mail Server Object to get the following page Index 1 to Index 8 allows you to choose the built in SMS service provider If the SMS service provider is not on the list you can configure Index 9 and Index 10 to add the new service provider to Vigor router 3 Choose any index number e g Index ...

Page 513: ...rofile setting 5 Open Object Settings Notification Object to configure the event conditions of the notification 6 Choose any index number e g Index 1 in this case to configure conditions for sending the SMS In the following page type the name of the profile and check the Disconnected and Reconnected boxes for WAN to work in concert with the topic of this paper ...

Page 514: ...o choose SMS Provider and the Notify Profile specify the time of sending SMS Then type the phone number in the field of Recipient the one who will receive the SMS 9 Click OK to save the settings Later if one of the WAN connections fails in your router the system will send out SMS to the phone number specified If the router has only one WAN interface the system will send out SMS to the phone number...

Page 515: ...S Provider Choose one of the Index numbers 9 or 10 allowing you to customize the SMS Provider In the web page type the URL string of the SMS provider and type the username and password After clicking OK the new added SMS provider will be added and will be available for you to specify for sending SMS out ...

Page 516: ...SB Application you can type the IP address of the Vigor router and username password created in USB Application USB User Management on the client software Then the client can use the FTP site USB storage disk or share the Samba service through Vigor router Info USB ports on Vigor router are allowed to connect to USB modem Models of the modems supported by Vigor router can be seen from USB Applicat...

Page 517: ...ng the USB storage disk into the Vigor router please make sure the memory format for the USB storage disk is FAT16 or FAT32 It is recommended for you to use FAT32 for viewing the filename completely FAT16 cannot support long filename Available settings are explained as follows Item Description General Settings Simultaneous FTP Connections This field is used to specify the quantity of the FTP sessi...

Page 518: ... characters Both them cannot contain any of the following Workgroup Name Type a name for the workgroup Host Name Type the host name for the router Printer Server Enable Click it to make Vigor router act as a printer server with USB printer attached After finishing all the settings here please click OK to save the configuration VII-2-2 USB User Management...

Page 519: ...served for FTP firmware upgrade usage Note FTP Passive mode is not supported by Vigor Router Please disable the mode on the FTP client Password Type the password for FTP Samba users for accessing FTP server Later you can open FTP client software and type the password specified here for accessing into USB storage disk The length of the password is limited to 11 characters Confirm Password Type the ...

Page 520: ...sing into USB storage disk must follow the rule specified here File Check the items Read Write and Delete for such profile Directory Check the items List Create and Remove for such profile Before you click OK you have to insert a USB storage disk into the USB interface of the Vigor router Otherwise you cannot save the configuration ...

Page 521: ... router Available settings are explained as follows Item Description Refresh Click this icon to refresh files list Back Click this icon to return to the upper directory Create Click this icon to add a new folder Current Path Display current folder Upload Click this button to upload the selected file to the USB storage disk The uploaded file in the USB diskette can be shared for other user through ...

Page 522: ...explained as follows Item Description Connection Status If there is no USB storage disk connected to Vigor router No Disk Connected will be shown here Disk Capacity It displays the total capacity of the USB storage disk Free Capacity It displays the free space of the USB storage disk Click Refresh at any time to get new status for free capacity Index It displays the number of the client which conn...

Page 523: ...gor routers will continuously monitor the temperature of its environment When a pre determined threshold is reached you will be alerted by either an email or SMS so you can undertake appropriate action Temperature Sensor Settings Available settings are explained as follows Item Description Display Settings Temperature Calibration Type a value used ...

Page 524: ...Temperature Chart Below shows an example of temperature graph ...

Page 525: ...VII-2-6 Modem Support List Such page provides the information about the brand name and model name of the USB modems which are supported by Vigor router ...

Page 526: ...VII-2-7 SMB Client Support List SMB Client Support List provides the test status information for applications with file sharing operated under different platforms ...

Page 527: ... Explorer If it is necessary for you to delete copy files on the device or write paste files to the device it must be done through SAMBA server or FTP server Samba service is based on the original USB FTP service You will need to setup USB FTP first We would like to give brief instructions on USB FTP setup here 1 Plug the USB device to the USB port on the router Open USB Application USB Device Sta...

Page 528: ... User Management Click Enable to enable FTP Samba User account Here we add a new account user1 and assign authorities Read Write and List to it 4 Click OK to save the configuration 5 Make sure the FTP service is running properly Please open a browser and type ftp 192 168 1 1 Use the account user1 to login ...

Page 529: ...USB Application USB Disk Status The information for FTP server will be shown as below Now users in LAN of Vigor3220 can access into the USB storage device by typing ftp 192 168 1 1 on any browser They can add or remove files directories depending on the Access Rule for FTP account settings in USB Application USB User Management ...

Page 531: ...Part VIII Troubleshooting This part will guide you to solve abnormal situations if you cannot access into the Internet after installing the router and finishing the web configuration ...

Page 532: ...low to check your basic installation status stage by stage Checking if the hardware status is OK or not Checking if the network connection settings on your computer are OK or not Pinging the router from your computer Checking if the ISP settings are OK or not Backing to factory default setting if necessary If all above stages are done and the router still cannot run normally it is the time for you...

Page 533: ...-1-1 Dial out Triggering Click Diagnostics and click Dial out Triggering to open the web page The internet connection e g PPPoE is triggered by a packet sent from the source IP address Available settings are explained as follows Item Description Decoded Format It shows the source IP address local destination IP remote address the protocol and length of the ...

Page 534: ...VIII-1-2 Routing Table Click Diagnostics and click Routing Table to open the web page Available settings are explained as follows Item Description Refresh Click it to reload the page ...

Page 535: ...gnostics and click ARP Cache Table to view the content of the ARP Address Resolution Protocol cache held in the router The table shows a mapping between an Ethernet hardware address MAC Address and an IP address Available settings are explained as follows Item Description Refresh Click it to reload the page ...

Page 536: ...pping between an Ethernet hardware address MAC Address and an IPv6 address This information is helpful in diagnosing network problems such as IP address conflicts etc Click Diagnostics and click IPv6 Neighbour Table to open the web page Available settings are explained as follows Item Description Refresh Click it to reload the page ...

Page 537: ...HCP Table to open the web page Available settings are explained as follows Item Description Index It displays the connection item number IP Address It displays the IP address assigned by this router for specified PC MAC Address It displays the MAC address for the specified PC that DHCP assigned IP address for it Leased Time It displays the leased time of the specified PC HOST ID It displays the ho...

Page 538: ...able settings are explained as follows Item Description Private IP Port It indicates the source IP address and port of local PC Pseudo Port It indicates the temporary port of the router used for NAT Peer IP Port It indicates the destination IP address and port of remote host Interface It displays the representing number for different interface Refresh Click it to reload the page ...

Page 539: ...and displayed on Diagnostics DNS Cache Table Available settings are explained as follows Item Description Clear Click this link to remove the result on the window Refresh Click it to reload the page When an entry s TTL is larger than Check the box then type the value of TTL time to live for each entry Click OK to enable such function It means when the TTL value of each DNS query reaches the thresho...

Page 540: ...Click Diagnostics and click Ping Diagnosis to open the web page or Available settings are explained as follows Item Description IPV4 IPV6 Choose the interface for such function Ping through Use the drop down list to choose the WAN interface that you want to ping through or choose Unspecified to be ...

Page 541: ...e the destination that you want to ping IP Address Type the IP address of the Host IP that you want to ping Ping IPv6 Address Type the IPv6 address that you want to ping Run Click this button to start the ping work The result will be displayed on the screen Clear Click this link to remove the result on the window ...

Page 542: ...IP session limit before invoking Data Flow Monitor If not a notification dialog box will appear to remind you enabling it Click Diagnostics and click Data Flow Monitor to open the web page You can click IP Address TX rate RX rate or Session link for arranging the data display Available settings are explained as follows Item Description Enable Data Flow Monitor Check this box to enable this functio...

Page 543: ...fied PC accessing into Internet within 5 minutes Unblock The device with the IP address will be blocked for five minutes The remaining time will be shown on the session column Click it to cancel the IP address blocking APP QoS Use the drop down list to change the priority in data transmission for the specified IP address host Current Peak Speed Current means current transmission rate and receiving...

Page 544: ...eset to zero the accumulated RX TX received and transmitted data of WAN Click Refresh to renew the graph at any time The horizontal axis represents time Yet the vertical axis has different meanings For WAN1 WAN2 WAN3 WAN4 WAN5 Bandwidth chart the numbers displayed on vertical axis represent the numbers of the transmitted and received packets in the past For Sessions chart the numbers displayed on ...

Page 545: ... to trace the routes from router to the host Simply type the IP address of the host in the box and click Run The result of route trace will be shown on the screen or Available settings are explained as follows Item Description IPv4 IPv6 Click one of them to display corresponding information for it Trace through Use the drop down list to choose the interface that you want ...

Page 546: ...Enable Web Syslog specify the type of Syslog and choose the display mode you want Later the event of Syslog with specified type will be shown for your reference Available settings are explained as follows Item Description Enable Web Syslog Check this box to enable the function of Web Syslog Syslog Type Use the drop down list to specify a type of Syslog to be displayed Export Click this link to sav...

Page 547: ...e type of the record Message Display the information for each event VIII-1-13 IPv6 TSPC Status IPv6 TSPC status web page could help you to diagnose the connection status of TSPC If TSPC has been configured properly the router will display the following page when the user connects to tunnel broker successfully Available settings are explained as follows Item Des...

Page 548: ...cted router Back Return to previous page HA Setup Click it to open Applications High Availability for modifying the configuration Renew Click it to get the newest status of other router except the primary router Refresh Click it to get the newest status of the primary router Status means an error has occurred Refer to Detailed information and modify HA settings if required Router Name Display the ...

Page 549: ...ation is ready to execute Progressing means configuration synchronization is operating Fail means configuration synchronization executed and failed or wrong model name Equal means the corresponding settings are equal to the primary router Cached Time Display the time period since the last time to get the newest status of other router except the primary router Click the link of Status Router Name IP...

Page 550: ...ion Log This page will display the complete authentication log information Available settings are explained as follows Item Description Enable Check the box to enable such function Refresh Click it to update current page Clear Click it to remove all of the records Syslog Type Specify RADIUS 802 1X or All to display related authentication information log Display Mode Choose the mode you w...

Page 551: ...nvironment to find out if there is any abnormal connection Information of IP traced and destination port used for SYN Flood UDP Flood and ICMP Flood attacks will be detected and shown respectively on different pages Moreover IP address detected and suspected to attack the network system can be blocked shortly by clicking the Block button shown on pages of SYN Flood UDP Flood and ICMP Flood Info Th...

Page 552: ...e following web page will be blocked forever Available settings are explained as follows Item Description Blocking IP Type the IP address in this field and click add It will be added to the IP List and appear in the right frame IP list in the right frame will be blocked by Vigor system permanently Remove It is used to remove selected IP address from the Blocking IP List Refresh Click this link to r...

Page 553: ... the hardware status 1 Check the power line and WLAN LAN cable connections Refer to I 2 Hardware Installation for details 2 Turn on the router Make sure the ACT LED blink once per second and the correspondent LAN LED is bright 3 If not it means that there is something wrong with the hardware status Simply back to I 2 Hardware Installation to execute the hardware installation again And then try aga...

Page 554: ...the link still fails please do the steps listed below to make sure the network connection settings are OK For Windows Info The example is based on Windows 7 As to the examples for other operating systems please refer to the similar steps or find support notes in www DrayTek com 1 Open All Programs Getting Started Control Panel Click Network and Sharing Center 2 In the foll...

Page 555: ...4 Select Internet Protocol Version 4 TCP IP and then click Properties 5 Select Obtain an IP address automatically and Obtain DNS server address automatically Finally click OK ...

Page 556: ...For Mac OS 1 Double click on the current used Mac OS on the desktop 2 Open the Application folder and get into Network 3 On the Network screen select Using DHCP from the drop down list of Configure IPv4 ...

Page 557: ...e router correctly For Windows 1 Open the Command Prompt window from Start menu Run 2 Type command for Windows 95 98 ME or cmd for Windows NT 2000 XP Vista 7 8 The DOS command dialog will appear 3 Type ping 192 168 1 1 and press Enter If the link is OK the line of Reply from 192 168 1 1 bytes 32 time 1ms TTL 255 will appear 4 If the line does not appear please check the IP addr...

Page 559: ...igured in Vigor router Check if the LEDs on Vigor router are on or not If not please install an additional switch for connecting both Vigor router and the modem offered by ISP Then check if the LEDs on Vigor router are on or not If the problem of LEDs cannot be solved by the above measures please contact with the nearest reseller or send an e mail to DrayTek FAE for technical support Check if the ...

Page 560: ...k connection does not work Check the PIN Code of SIM card is disabled or not Please use the utility of 3G 4G USB Modem to disable PIN code and try again If it still fails it might be the compliance problem of system Please open DrayTek Syslog Tool to capture the connection information WAN Log and send the page similar to the following graphic to the serv...

Page 561: ...ressing factory default setting you will lose all settings you did before Make sure you have recorded all useful settings before pressing The password of factory default is null Software Reset You can reset the router to factory default via Web page Such function is available in Admin Mode only Go to System Maintenance and choose Reboot System on the web page The fol...

Page 562: ...n Then the router will restart with the default configuration After restoring the factory default setting you can configure the settings for the router again to fit your personal request VIII-8 Contacting DrayTek If the router still cannot work correctly after trying many efforts please contact your dealer for further help right away For any questions plea...

Page 563: ...the difficulty is how to handle the traffic between two or more Ethernet switches Thus VLAN is suitable for some circumstances for example the rental apartment SOHO office and so on These clients may need two or three isolated networks only and setup a network in a simple way Tag based The idea of tag based VLAN is to identify a virtual LAN with a specific ID therefore VLAN ID int...

Page 564: ... packet as the VID of Trunk port while forwarding the packets to another switch Bridge mode of WAN P1 and P2 are doing NAT flow to access to the internet but P3 and P4 will forward the packets between WAN and LAN ports directly Web User Interface So far there are two kinds of open system on Vigor router One is DrayOS which is DrayTek owned and another is Linux like ...

Page 566: ...LAN VLAN applications on Vigor router Multi Subnet VLAN of LAN ...

Page 567: ...rver LAN1 LAN2 LAN3 LAN4 However the traffics of the LAN port or SSID that are NOT being grouped in the same VLAN are unable to forward to each other The benefit of Port based is able to extend the wired ports by installing a cheaper dumb switch as many as you need but Tag based offers you a flexible and well managed network The networks are isolated secured and reduce the broadcasting storm effec...

Page 568: ...e to be isolated from your private network due to the security considerations it can be done by above settings However a switch that supports the VLAN function is needed if VLAN Tag enabled Triple Play Multi WAN NAT mode with VLAN Following settings the set top box STB is able to attach with any LAN port Video streaming which your ISP provided will be played on your monitor ...

Page 570: ...idge mode with VLAN Set top box STB or the other kinds of media devices are able to attach with Port4 or Port5 of LAN Those devices that attached with Port4 or Port5 are able to access the services network directly which your ISP provided ...

Page 571: ...Part IX DrayTek Tools ...

Page 572: ...otocol VPN connections such as IPSec PPTP L2TP protocols for secure data exchange and communication With SSL VPN embedded on Vigor routers teleworkers can have convenient and simple access to central site VPN The teleworkers do not need to install any VPN software manually From regular web browser you can establish VPN connection back to your main office even in a guest network or web cafe DrayTek...

Page 573: ...SL VPN Tunnel SmartVPN APP for Android is now available on Google play This document demonstrates how to use the APP to establish a SSL VPN tunnel 1 On VPN server create a SSL user account Please refer to How to Set up SSL VPN on www draytek com for detailed instructions 2 Download the APP from Google play and run the APP 3 Click to add a new profile ...

Page 574: ...or Routers it is 443 by default d Tap SAVE to save the profile or to cancel Info Installation of relevant Root CA is required to enable server certificate authentication If you check Use default gateway on remote network all the traffic of this smart device will be forwarded to the remote gateway 5 Tap the profile bar to establish SSL VPN tunnel 6 Enter Username and Password then tap Dial ...

Page 575: ...7 When the tunnel is up the profile will turn green Tap the bar again will disconnect the tunnel 8 Tap the pencil icon to edit or remove the profile ...

Page 577: ...Part X Telnet Commands ...

Page 578: ...e Windows Features of Telnet Client has been turned on under Control Panel Programs Type cmd and press Enter The Telnet terminal will be open later In the following window type Telnet 192 168 1 1 as below and press Enter Note that the IP address in the example is the default address of the router If you have changed the default enter the current IP address of the router Next type admin admin for A...

Page 579: ...For users using previous Windows system e g 2000 XP simply click Start Run and type Telnet 192 168 1 1 in the Open box as below Next type admin admin for Account Password And type to get a list of valid common commands ...

Page 580: ...Server 0 no selection 1 NSW 61 9 192 13 2 QLD 61 9 208 13 3 VIC 61 9 128 13 4 SA 61 9 224 13 5 WA 61 9 240 13 l List List all settings configured Example bpa 1 a 1 n testUser p testPassword s 4 bpa l index 1 active UserName 1 testUser PassWord 1 testPassword ServerIP 1 4 index 2 inactive UserName 2 PassWord 2 ServerIP 2 0 Telnet Command csm appe ...

Page 581: ... configuration of the CSM profile e Enable to block specific application d Disable to block specific application a Set the action of specific application GROUP Specify the category of the application Available options are IM P2P Protocol and Others AP_IDX Each application has independent index number for identification in CLI command Specify the index number of the application here If you have no ...

Page 582: ...COL 57 IMAP STARTTLS 4 1 PROTOCOL 58 IRC 2 4 0 Telnet Command csm appe config It is used to display the configuration status enabled or disabled for IM P2P Protocol Other applications Syntax csm appe config v INDEX i p t m Syntax Description Parameter Description INDEX Specify the index number of CSM ...

Page 583: ...n AUTO Vigor router specifies WAN interface automatically WAN Specify the WAN interface for signature downloading Example csm appe interface wan1 Download interface is set as WAN1 now csm appe interface auto Download interface is set as auto selected now Telnet Command csm appe email It is used to set notification e mail for APPE si...

Page 584: ...SG Set the administration message MSG means the content less than 255 characters of the message itself obj Specify the object for the profile INDEX Specify the index number of CSM profile from 1 to 8 n Set the profile name PROFILE_NAME Specify the name of the profile less than 16 characters p Set the priority defined by the number specified in VALUE for the profile VALUE Number 0 to 3 represent di...

Page 585: ... Description Parameter Description INDEX Specify the index number of CSM profile from 1 to 8 v View the protocol configuration of the CSM profile e Enable the function of URL Access Control d Disable the function of URL Access Control a Set the action of specific application P or B B Block The web access meets the URL Access Control will be blocked P Pass The web access meets...

Page 586: ...Access Control Action pass v Prevent web access from IP address No Obj NO Object Name No Grp NO Group Name csm ucf obj 1 uac a B Profile Index 1 Profile Name game Log none Priority Select Bundle Pass Enable URL Access Control Action block v Prevent web access from IP address No Obj NO Object Name No Grp NO Group Name ...

Page 587: ...figuration of the CSM profile e Enable the restriction of web feature d Disable the restriction of web feature a Set the action of web feature P or B B Block The web access meets the web feature will be blocked P Pass The web access meets the web feature will be passed s Enable the Web Feature configuration Features available for configuration are c Cookie p Proxy u Upload u Cancel the web fea...

Page 588: ... Syntax Description Parameter Description show Display the web content filter profiles Look Display the license information of WCF Cache Set the cache level for the profile Server WCF_SERVER Set web content filter server Msg MSG Set the administration message MSG means the content less than 255 characters of the message itself setdefault Return to default settings...

Page 589: ...gal Drug Nudity Pornography Sexually Explicit Weapons Violence School Cheating Sex Education Tasteless Child Abuse Imges Entertainment Games Sports Travel Leisure Recreation Fashin Beauty Business Job Search Web based Emai Chat Instant Messaging Anonymizers Forums Newsgroups Computers Technology Download Sites Streaming Media Downloads Phishing Fraud Search Engines Portals Social Networking Spam S...

Page 590: ... School Cheating v Sex Education v Tasteless v Child Abuse Images leisure Group Entertainment Games Sports Travel Leisure Recreation Fashion Beauty Telnet Command csm dnsf It means to configure the settings regarding to DNS filter Syntax csm dnsf enable ON OFF csm dnsf syslog N P B A csm dnsf service WCF_PROFILE csm dnsf service_ucf UCF_PROFILE c...

Page 591: ...s one hour 2 is two hours and so on for DNS filter blockpage DNS sends block page for redirect port When a web page is blocked by DNS filter the router system will send a message page to describe that the page is not allowed to be visited ON Enable the function of displaying message page OFF Disable the function of displaying message page SHOW Display the function of displaying message page is ON...

Page 592: ... time ddns time update in minutes Valid 1 14400 Now 14400 ddns time 1000 ddns time update in minutes Valid 1 14400 Now 1000 Telnet Command dos This command allows users to configure the settings for DoS defense system Syntax dos V D A dos s ATTACK_F THRESHOLD TIMEOUT dos a e ATTACK_F ATTACK_0 d ATTACK_F ATTACK_0 Syntax Descript ...

Page 593: ... than 5 a Enable the defense function for all attacks listed in ATTACK_0 e Enable defense function for a specific attack s ATTACK_0 Specify a name of the following attacks ip_option tcp_flag land teardrop smurf pingofdeath traceroute icmp_frag syn_frag unknow_proto fraggle d Disable the defense function for a specific attack s Example dos A The Dos Defense system is Activated dos s s...

Page 594: ...pe in several commands in one line S isp name Set ISP Name max 23 characters P on off Enable PPPoE Service u username Set username max 49 characters for Internet accessing p password Set password max 49 characters for Internet accessing a n It means to set PPP Authentication Type and n means different types represented by 0 1 n 0 PAP CHAP this is default setting n 1 PAP Only t n Set connection dur...

Page 595: ... 15 in Schedule Setup Four Q mode Set PPP mode or DHCP mode WAN Connection Detection Mode mode 0 ARP Detect 1 Ping Detect I ping ip Set PPP mode or DHCP mode WAN Connection Detection Ping IP ping ip ppp qqq rrr sss WAN Connection Detection Ping IP L n Set PPP mode WAN Connection Detection TTL 1 255 value E sim pin code Set DHCP mode SIM PIN code max 19 characters G mode Set DHCP mode Network Mode ...

Page 596: ...he function Disable Disable the function Example ip 2ndsubnet enable public subnet enabled Telnet Command ip pubaddr This command allows to set the IP routed subnet for the router Syntax ip pubaddr ip pubaddr public subnet IP address Syntax Description Parameter Description Display an IP address...

Page 597: ...done Telnet Command ip aux This command is used for configuring WAN IP Alias Syntax ip aux add IP Join to NAT Pool wanX ip aux remove index Syntax Description Parameter Description add Create a new WAN IP address remove Delete an existed WAN IP address IP It means the auxiliary WAN IP address Join to NAT Pool 0 disab...

Page 598: ... in the same network segment the IP address of the PC must be fixed with the same LAN IP address network segment set by this command for accessing into the web user interface of the router Later modify the start addresses for the DHCP server Telnet Command: ip nmask This command allows users to set add a specified netmask for your router Syntax ip...

Page 599: ...t means the LAN IP address MAC address It means the MAC address of your router LAN or WAN It indicates the direction for the arp function 0 1 2 3 4 5 0 disable to accept illegal source mac address 1 enable to accept illegal source mac address 2 disable to accept illegal dest mac address 3 enable to accept illegal dest mac address 4 Decline VRRP mac into arp table 5 Accept VRRP mac into arp table s...

Page 600: ...s and obtain another new one status It displays current status of DHCP client Example ip dhcpc status I F 3 DHCP Client Status DHCP Server IP 172 16 3 7 WAN Ipm 172 16 3 40 WAN Netmask 255 255 255 0 WAN Gateway 172 16 3 1 Primary DNS 168 95 192 1 Secondary DNS 0 0 0 0 Leased Time 259200 Leased Time T1 129600 Leased Time T2 226800 Leased Elapsed 259194 Leased Elapsed T1 129594 Leased ...

Page 601: ...r Description IP address The target IP address WAN1 WAN2 It means the WAN port that the above IP address passes through Udp Icmp The UDP or ICMP Example ip tracert 22 128 2 62 WAN1 Traceroute to 22 128 2 62 30 hops max 1 172 16 3 7 10ms 2 172 16 1 2 10ms 3 Request Time out 4 168 95 90 66 50ms 5 211 22 38 134 50ms 6 220 128 2 62 50ms Trace complete Telnet Comman ...

Page 602: ...uting information protocol of WAN IP Syntax ip wanrip ifno e 0 1 Syntax Description Parameter Description ifno It means the connection interface 1 WAN1 2 WAN2 3 PVC3 4 PVC4 5 PVC5 Note PVC3 PVC5 are virtual WANs e It means to disable or enable RIP setting for specified WAN interface 1 Enable the function of setting RIP of WAN IP 0 Disable the function ...

Page 603: ...yntax Description Parameter Description add It means to add an IP address as static route del It means to delete specified IP address status It means current status of static route dst It means the IP address of the destination netmask It means the netmask of the specified IP address gateway It means the gateway of the connected router ifno It means the connection int...

Page 604: ...ide 592 ip route status Codes C connected S static R RIP default private C 192 168 9 0 255 255 255 0 is directly connected DMZ C 192 168 1 0 255 255 255 0 is directly connected LAN1 S 172 16 2 0 255 255 255 0 via 172 16 2 4 WAN1 ...

Page 605: ...eans to disable proxy server wan It means to specify WAN interface for IGMP service query It means to set IGMP general query interval The default value is 125000 ms ppp 0 No need to set IGMP with PPP header 1 Set IGMP with PPP header status It means to display current status for proxy server Example This command is for setting IGMP General Query Interval The default value is 125000 m...

Page 606: ...ver table Display the whole table of IGMP Snoop configuration txquery on off v2 v3 IGMP query will be sent out to LAN periodically mode hw sw Make IGMP snooping work on software or hardware chkleave on off Off Vigor router will drop LEAVE if clients still on the same group separate on off On IGMP packets will be separated by NAT Bridge mode Example ip igmp_snoop mode sw igmp snooping...

Page 607: ...ive_trueip DMZ is OFF ip dmzswitch private ip dmzswitch off private trueip active_trueip PRIVATE IP DMZ is ON ip dmzswitch trueip ip dmzswitch active_trueip ip dmzswitch off private trueip active_trueip ACTIVE TRUE IP DMZ is ON Telnet Command: ip session This command allows users to set maximum session limit number for the specified IP set message for exc...

Page 608: ...IP2 It means the range of IP address specified for this command num It means the number of the session limits e g 100 p2pnum It means the number of the session limits e g 50 for P2P Example ip session default 100 ip session add 192 168 1 5 192 168 1 100 100 50 ip session on ip session status IP range 192 168 1 5 192 168 1 100 100 Current ip session limit is turn on Current default se...

Page 609: ...800 ip bandwidth add 192 168 1 50 192 168 1 100 10 60 ip bandwidth status IP range 192 168 1 50 192 168 1 100 Tx 10K Rx 60K Current ip Bandwidth limit is turn off Auto adjustment is off Telnet Command: ip bindmac This command allows users to set IP MAC binding for LAN host Syntax ip bindmac on ip bindmac off ip bindmac strict_on ip bindmac sho...

Page 610: ...dress MAC Type the MAC address for binding with the IP address specified Comment Type words as a brief description All Delete all the IP bindmac settings Example ip bindmac add 192 168 1 46 00 50 7f 22 33 55 just for test ip bindmac show ip bind mac function is turned ON IP 192 168 1 46 bind MAC 00 50 7f 22 33 55 Comment just ...

Page 611: ... in several commands in one line General Setup for Policy Route i value Specify an index number for setting policy route profile Value 1 to 60 1 means to get a free policy index automatically e 0 1 0 Disable the selected policy route profile 1 Enable the selected policy route profile o value Determine the operation of the policy route Value add Create a new policy route profile del Remove an exist...

Page 612: ...policy route profile Value Type a number 0 250 The default value is 150 I value Indicate the interface specified for the policy route profile Value Available interfaces include LAN1 LAN8 IP_Routed_Subnet DMZ_Subnet WAN1 WAN5 VPN_PROFILE_1 VPN_PROFILE_100 WAN_1_IP_ALIAS_1 WAN_4_IP_ALIAS_8 g value Indicate the gateway IP address Value The type format shall be xxx xxx xxx xxx e g 192 168 3 1 l value ...

Page 613: ...can be used as destination IP address xxx xxx xxx xxx Specify an IP address p value It means destination port Value Specify a number or type Any indicating any number t value It means protocol Value Available settings include ICMP TCP UDP and Any Example ip policy_rt diagnose s 192 168 1 100 d any p any t ICMP Matched Route Priority No_Match Matched Policy Priority Policy_1 200 Concl...

Page 614: ...ted LAN DNS profile i profile setting index number Type the index number of the profile l List the content of LAN DNS profile including domain name IP address and message n domain name Set domain name p profile name Set profile name for LAN DNS r Reset the settings for selected profile s 0 1 0 reply all 1 reply only same subnet packet z Update LAN DNS config to DNS Cache Example ip l...

Page 615: ...tp drayTek com ip dnsforward i 1 a 172 16 1 1 Configure Set1 s IP 172 16 1 1 ip dnsforward i 1 l Idx 1 State Disable Profile test Domain Name ftp drayTek com DNS Server IP 172 16 1 1 Telnet Command: ip6 addr This command allows users to set the IPv6 address for your router Syntax ip6 addr s prefix prefix length LAN WAN1 WAN2 iface ip6 addr d prefi...

Page 616: ...mand parameter The available commands with parameters are listed below means that you can type in several commands in one line a It means to show current DHCPv6 status s It means to ask the SIP S It means to ask the SIP name d It means to ask the DNS setting D It means to ask the DNS name n It means to ask NTP i It means to ask NIS I It means to ask NIS name p It means to ask NISP P It means to as...

Page 617: ...o server i parameter It means to send information request to server e parameter It means to enable or disable the DHCPv6 client 1 Enable 0 Disable Example ip6 dhcp client WAN2 p 2008 1 ip6 dhcp client WAN2 a Interface WAN2 has following DHCPv6 client settings DHCPv6 client enabled request IA_PD whose IAID equals to 2008 ip6 dhcp client WAN2 n 1023456 ip6 dhcp client WAN2 a Interface ...

Page 618: ... dhcp server x ff02 3 ip6 dhcp server a Interface LAN has following DHCPv6 server settings DHCPv6 server disabled maximum address of the pool FF02 3 minimum address of the pool FF02 1 1st DNS IPv6 Addr FF02 1 Telnet Command: ip6 internet This command allows you to configure settings for accessing Internet Syntax ip6 internet W n M n comman...

Page 619: ...cond DNS server t dhcp ra none It means to set IPv6 PPP WAN test mode for DHCP or RADVD dhcp ra none type IPv6 address V It means to view IPv6 Internet Access Profile o It means to set AICCU always on 1 On 0 Off Example ip6 internet W 2 M 2 u 88886666 p draytek123456 s amsterdam freenet6 net This setting will take effect after rebooting Please use sys reboot command to reboot the rou...

Page 620: ...0 50 7F 11 ac 22 WAN2 Neighbour 2001 2222 3333 1111 successfully added ip6 neigh a I F ADDR MAC STATE LAN FF02 1 33 33 00 00 00 01 CONNECTED WAN2 2001 5C0 1400 B 10B8 00 00 00 00 00 00 CONNECTED WAN2 2001 2222 3333 1111 00 00 00 00 00 00 CONNECTED WAN2 2001 2222 6666 1111 00 00 00 00 00 00 CONNECTED WAN2 00 00 00 00 00 00 CONNECTED LAN NONE ...

Page 621: ...ded Telnet Command: ip6 route This command allows you to Syntax ip6 route s prefix prefix length gateway LAN WAN1 WAN2 iface D ip6 route d prefix prefix length ip6 route a LAN WAN1 WAN2 iface Syntax Description Parameter Description s It means to add a route d It means to delete a route a It means to show the ro...

Page 622: ...ntax ip6 ping IPV6 address Host LAN WAN1 WAN2 Syntax Description Parameter Description IPV6 address Host It means to specify the IPv6 address or host for ping LAN WAN1 WAN2 It means to specify LAN or WAN interface for such address Example ip6 ping 2001 4860 4860 8888 WAN2 Pinging 2001 4860 4860 8888 with 64 bytes of Data Receive reply from 2001...

Page 623: ...01 7F8 1 A501 5169 1 330 ms 6 2001 4860 1 0 4B3 350 ms 7 2001 4860 8 0 2DAF 330 ms 8 2001 4860 2 0 66E 340 ms 9 Request timed out 10 2001 4860 4860 8888 350 ms Trace complete Telnet Command: ip6 tspc This command allows you to display TSPC status Syntax ip6 tspc ifno Syntax Description Parameter Description ifno I...

Page 624: ...r is not a default router and should not appear on the default router list Type the number unit second you want V It means to show the RADVD configuration r It means RA default test r num It means RA test for item num Example ip6 radvd s 1 1800 ip6 radvd V IPv6 Radvd Config Radvd Enable Default Lifetime 1800 seconds Telnet Command: ip6 mngt This...

Page 625: ... e ip6 mngt list add 1 FE80 250 7FFF FE12 1010 128 ip6 mngt list add 2 FE80 250 7FFF FE12 1020 128 ip6 mngt list add 3 FE80 250 7FFF FE12 2080 128 ip6 mngt list IPv6 Access List Index IPv6 Prefix Prefix Length 1 FE80 250 7FFF FE12 1010 128 2 FE80 250 7FFF FE12 1020 128 3 FE80 250 7FFF FE12 2080 128 ip6 mngt status IPv6 Remote Management telnet off http off ping off Telnet Comma...

Page 626: ... ription Parameter Description ifno It means the connection interface 1 WAN1 2 WAN2 add It means to add an IPv6 address which can be used to execute management through Internet prefix It means to type the IPv6 address which will be used for accessing Internet prefix length It means to type a fixed value as the length of the prefix remove It means to remove delete the specified index nu...

Page 627: ...iew VcdhrtzZ Syntax Description Parameter Description V It means to show the version of this IP filter c It means to show the running call filter rules d It means to show the running data filter rules h It means to show the hit number of the filter rules r It means to show the running call and data filter rules t It means to display all the information at one time...

Page 628: ...of blocked packet Type 3 to display the log of non matching packet p VALUE It means to setup actions for packet not matching any rule e g p 1 Type 0 to let all the packets pass Type 1 to block all the packets M P2P_NO It means to configure IM P2P for the packets not matching with any rule e g M 1 Type 0 to let all the packets pass Type 1 to block all the packets U URL_NO It means to configure URL ...

Page 629: ...x ipf rule s r command parameter ipf rule s r v Syntax Description Parameter Description s Such word means Filter Set range from 1 12 r Such word means Filter Rule range from 1 7 command parameter The available commands with parameters are listed below means that you can type in several commands in one line e It means to enable or disable the rule setting 0 disa...

Page 630: ...on IP object and IP group o indicates object g indicates group obj indicates index number of object or index number of group Available settings range from 1 192 For example d g 1 means the first destination IP group profile S o g obj It means to specify Service Type object and IP group o indicates object g indicates group obj indicates index number of object or index number of group Available sett...

Page 631: ...rent code page 0 None 1 ANSI 1250 Central Europe 2 ANSI 1251 Cyrillic 3 ANSI 1252 Latin I 4 ANSI 1253 Greek 5 ANSI 1254 Turkish 6 ANSI 1255 Hebrew 7 ANSI 1256 Arabic 8 ANSI 1257 Baltic 9 ANSI 1258 Viet Nam 10 OEM 437 United States 11 OEM 850 Multilingual Latin I 12 OEM 860 Portuguese 13 OEM 861 Icelandic 14 OEM 863 Canadian French 15 OEM 865 Nordic 16 ANSI OEM 874 Thai 17 ANSI OEM 932 Japanese Shi...

Page 632: ...e URL Content Filter None Load Balance policy Auto select Log Disable CodePage ANSI 1252 Latin I Window size 65535 Session timeout 1440 DrayTek Banner Enable Strict Security Checking APP Enforcement Telnet Command: ipf flowtrack This command is used to set and view flowtrack sessions Syntax ipf flowtrack set re ipf flowtrack view f ipf f...

Page 633: ... 168 1 11 59939 ifno 3 proto 17 age 93023180 3920 flag 203 ORIGIN 192 168 1 11 15073 8 8 8 8 53 ifno 0 REPLY 8 8 8 8 53 192 168 1 11 15073 ifno 3 proto 17 age 93025100 2000 flag 203 ORIGIN 192 168 1 11 7247 8 8 8 8 53 ifno 0 REPLY 8 8 8 8 53 192 168 1 11 7247 ifno 3 proto 17 age 93020100 7000 flag 203 End to show the flowtrack sessions state Telnet Command: Log This ...

Page 634: ... 0 0 0 0 Relay agent IP 0 0 0 0 25 36 49 580 DHCP WAN 5 Len 548XID 0x7880fdd4 Client IP 0 0 0 0 Your IP 0 0 0 0 Next server IP 0 0 0 0 Relay agent IP 0 0 0 0 25 36 57 580 DHCP WAN 5 Len 548XID 0x7880fdd4 Client IP 0 0 0 0 Your IP 0 0 0 0 MORE q Quit Enter New Lines Space Bar Next Page Telnet Command: mngt ftpport This command allows users to set FTP p...

Page 635: ...Description Parameter Description Https port It means to type the number for HTTPS port The default setting is 443 Example mngt httpsport 443 Set web server port to 443 done Telnet Command: mngt telnetport This command allows users to set telnet port for management Syntax mngt telnetport Telnet por...

Page 636: ...iption enable It means to activate FTP server function disable It means to inactivate FTP server function Example mngt ftpserver enable FTP server has been enabled mngt ftpserver disable FTP server has been disabled Telnet Command: mngt noping This command is used to pass or block Ping from LAN PC to the internet Syntax mngt no...

Page 637: ...clearlog It means to clear the log of ping action Example mngt noping off No Ping Packet Out is OFF ...

Page 638: ...of defense worm packet including source MAC and source IP clearlog It means to remove the log of defense worm packet Example mngt defenseworm add 21 Add TCP port 21 Block TCP port list 135 137 138 139 445 21 mngt defenseworm del 21 Delete TCP port 21 Block TCP port list 135 137 138 139 445 Telnet Command: mngt rmtcfg This command can allow...

Page 639: ... port Syntax mngt lanaccess e 0 1 s value i value mngt lanaccess f mngt lanaccess d mngt lanaccess v mngt lanaccess h Syntax Description Parameter Description e 0 1 It means to enable disable the function 0 disable the function 1 enable the function s value It means to specify service offered Available values include FTP HTTP HTTPS TELNET SSH None All ...

Page 640: ... PING packets from the Internet Syntax mngt echoicmp enable mngt echoicmp disable Syntax Description Parameter Description enable It means to accept the echo ICMP packet disable It means to drop the echo ICMP packet Example mngt echoicmp enable Echo ICMP packet enabled Telnet Command: mngt access...

Page 641: ...t snmp command parameter Syntax Description Parameter Description command parameter The available commands with parameters are listed below means that you can type in several commands in one line e 1 2 1 Enable the SNMP function 2 Disable the SNMP function g Community name It means to set the name for getting community by typing a proper character max 23 character...

Page 642: ...er Description 2 3 4 5 6 It means LAN interface 2 LAN2 3 LAN3 4 LAN4 5 LAN5 6 LAN6 On Off On means turning on the subnet for the specified LAN interface Off means turning off the subnet Example msubnet switch 2 On LAN2 Subnet On This setting will take effect after rebooting Please use sys reboot command to reboot the router Telnet Command: msubnet...

Page 643: ...x Description Parameter Description 2 3 4 5 6 It means LAN interface 2 LAN2 3 LAN3 4 LAN4 5 LAN5 6 LAN6 IP address Type the subnet mask address for the specified LAN interface Example msubnet nmask 2 255 255 0 0 Set LAN2 subnet mask done This setting will take effect after rebooting Please use sys reboot command to reboot the router Telnet Comm...

Page 644: ... server for the specified LAN interface Off means disabling the DHCP server Example msubnet dhcps 3 off LAN3 Subnet DHCP Server disabled This setting will take effect after rebooting Please use sys reboot command to reboot the router Telnet Command: msubnet nat This command is used to configure the subnet for NAT or Routing usage Syn...

Page 645: ... ion Parameter Description 2 3 4 5 6 It means LAN interface 2 LAN2 3 LAN3 4 LAN4 5 LAN5 6 LAN6 Gateway IP Specify an IP address as the gateway IP Example msubnet gateway 2 192 168 1 13 Set LAN2 Dhcp Gateway IP done This setting will take effect after rebooting Please use sys reboot command to reboot the router Telnet Command: msubnet ipc...

Page 646: ...1 LAN1 2 LAN2 3 LAN3 4 LAN4 5 LAN5 6 LAN6 On Off On It means Off It means Example msubnet talk 1 2 on Enable routing between LAN1 and LAN2 This setting will take effect after rebooting Please use sys reboot command to reboot the router msubnet talk msubnet talk 1 2 3 4 5 6 1 2 3 4 5 6 On Off where 1 LAN1 2 LAN2 3 LAN3 4 LAN4 5 LAN5 6 LAN6 Now LAN1 LAN2 LAN3 LAN4 LAN5 LAN6 LAN1 V LAN2...

Page 647: ...et Command: msubnet pppip This command is used to configure a starting IP address for PPP connection Syntax msubnet pppip 2 3 4 5 6 Start IP Syntax Description Parameter Description 2 3 4 5 6 It means LAN interface 2 LAN2 3 LAN3 4 LAN4 5 LAN5 6 LAN6 Start IP Type an IP address as the starting IP address for PPP co...

Page 648: ...de 8 H node 0 Not specify any type for node Example msubnet nodetype msubnet nodetype 2 3 4 5 6 count Now LAN2 0 LAN3 0 LAN4 0 LAN5 0 LAN6 0 count 1 B node 2 P node 4 M node 8 H node msubnet nodetype 2 1 Set LAN2 Dhcp Node Type done msubnet nodetype msubnet nodetype 2 3 4 5 6 count Now LAN2 1 LAN3 0 LAN4 0 LAN5 0 LAN6 0 count 1 B node 2 P node 4 M node 8 H node Telnet C...

Page 649: ... 0 0 0 LAN6 0 0 0 0 Telnet Command: msubnet secWINS This command is used to configure secondary WINS server Syntax msubnet secWINS 2 3 4 5 6 WINS IP Syntax Description Parameter Description 2 3 4 5 6 It means LAN interface 2 LAN2 3 LAN3 4 LAN4 5 LAN5 6 LAN6 WINS IP Type the IP address as the WINS IP ...

Page 650: ...Example msubnet tftp msubnet tftp 2 3 4 5 6 TFTP server name Now LAN2 LAN3 LAN4 LAN5 LAN6 msubnet tftp 2 publish Set LAN2 TFTP Server Name done msubnet tftp msubnet tftp 2 3 4 5 6 TFTP server name Now LAN2 publish LAN3 LAN4 LAN5 LAN6 Telnet Command: msubnet mtu This command allows you to configure MTU value for LAN DMZ IP Routed Subnet Sy ...

Page 651: ...profile Syntax object ip obj setdefault object ip obj INDEX v object ip obj INDEX n NAME object ip obj INDEX i INTERFACE object ip obj INDEX s INVERT object ip obj INDEX a TYPE START_IP END MASK_IP Syntax Description Parameter Description setdefault It means to return to default settings for all profiles INDEX It means the index number of the specified...

Page 652: ...ct ip obj 1 a 1 192 168 1 45 object ip obj 1 v IP Object Profile 1 Name marketing Interface Any Address type single Start ip address 192 168 1 45 End Mask ip address 0 0 0 0 Invert Selection 0 Telnet Command: object ip grp This command is used to integrate several IP objects under an IP group profile Syntax object ip grp setdefault object ...

Page 653: ...y IP object profiles for the group profile Example object ip grp 3 a 1 2 3 4 5 The IP object profiles with index number 1 2 3 4 and 5 will be grouped under such profile Example object ip grp 2 n First IP Group Profile 2 Name First Interface Any Included ip object index 0 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0 object ip grp 2 i 1 object ip grp 2 a 1 2 IP Group Profile 2 Name First Interface Lan ...

Page 654: ...Type a name with less than 15 characters Example object ip obj 9 n bruce i INTERFACE It means to define an interface for the IP object INTERFACE 0 means any INTERFACE 1 means LAN INTERFACE 3 means WAN Example object ip obj 8 i 0 s INVERT It means to set invert selection for the object profile INVERT 0 means disabling the function INVERT 1 means enabling the function Example object ip obj 3 s 1 a T...

Page 655: ...r all profiles INDEX It means the index number of the specified group profile v It means to view the information of the specified group profile Example object ip grp 1 v n NAME It means to define a name for the IP group NAME Type a name with less than 15 characters Example object ip grp 8 n bruce i INTERFACE It means to define an interface for the IP group INTERFACE 0 means any INTERFACE 1 means L...

Page 656: ...ption Parameter Description setdefault It means to return to default settings for all profiles INDEX It means the index number of the specified service object profile v It means to view the information of the specified service object profile Example object service obj 1 v n NAME It means to define a name for the IP object NAME Type a name with less than 15 characters Example object service...

Page 657: ...ND_P type a port number to indicate destination port Example object service obj 3 d 1 100 200 Example object service obj 1 n limit object service obj 1 p 255 object service obj 1 s 1 120 240 object service obj 1 d 1 200 220 object service obj 1 v Service Object Profile 1 Name limit Protocol 255 Source port check action Source port range 120 240 Destination port check action Destinati...

Page 658: ... object index 0 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0 object service grp 1 a 1 2 Service Group Profile 1 Name Grope_1 Included service object index 0 1 1 2 2 0 3 0 4 0 5 0 6 0 7 0 Telnet Command: object kw This command is used to create keyword profile Syntax object kw obj setdefault object kw obj show PAGE object kw obj INDEX v object kw obj INDEX n NA...

Page 659: ... lnet Command: object fe This command is used to create File Extension Object profile Syntax object fe show object fe setdefault object fe obj INDEX v object fe obj INDEX n NAME object fe obj INDEX e CATEGORY FILE_EXTENSION object fe obj INDEX d CATEGORY FILE_EXTENSION Syntax Description Parameter Description show It ...

Page 660: ...olb ole tlb viv vrm ace arj bzip2 bz2 cab gz gzip rar sit zip bas bat com exe inf pif reg scr Example object fe obj 1 e bmp Example object fe obj 1 n music object fe obj 1 e Audio object fe obj 1 v Profile Index 1 Profile Name music Image category bmp dib gif jpeg jpg jpg2 jp2 pct pcx pic pict png tif tiff Video category asf avi mov mpe mpeg mpg v mp4 qt rm v wmv 3gp 3gpp 3gpp2 3g2 A...

Page 661: ...ans the number of LAN port and WAN port AN 10H It means the physical type for the specific port AN auto negotiate 100F 100M Full Duplex 100H 100M Half Duplex 10F 10M Full Duplex 10H 10M Half Duplex status It means to view the Ethernet port status sniff on off port txrx restart status 802 1x enable disable status addport delport wanfc It means to set WAN flow control Example port 1 ...

Page 662: ...ssion timeout s sec It means TCP SYN protocol sec Type a number to set the TCP SYN session timeout f It means to flush all portmaps useful for diagnostics l List List all settings Example portmaptime t 86400 u 300 i 10 portmaptime l Current setting TCP Timeout 86400 sec UDP Timeout 300 sec IGMP Timeout 10 sec TCP WWW Timeout 60 sec TCP SYN Timeout 60 sec Telnet Comm...

Page 663: ...enable for outgoing traffic i bandwidth It means to set inbound bandwidth in kbps Ethernet WAN only The available setting is from 1 to 100000 o bandwidth It means to set outbound bandwidth in kbps Ethernet WAN only The available setting is from 1 to 100000 r index ratio It means to set ratio for class index in u mode It means to enable bandwidth control for UDP 0 disable 1 enable Default is disabl...

Page 664: ...enable or disable the specified rule 0 disable 1 enable l addr Set the local address Addr1 It means Single address Please specify the IP address directly for example l 172 16 3 9 addr1 addr2 It means Range address Please specify the IP addresses for example l 172 16 3 9 172 16 3 50 addr1 subnet It means the subnet address with start IP address Please type the subnet and the IP address for example ...

Page 665: ...cal address type to Range 192 168 1 50 192 168 1 80 Telnet Command: qos type This command allows user to configure protocol type and port number for QoS Syntax qos type a service name e no d no Syntax Description Parameter Description a name It means to add rule e no It means to edit user defined service type no m...

Page 666: ... displays current status of LAN IP address settings Example show lan The LAN settings ip mask dhcp star_ip pool gateway V LAN1 192 168 1 1 255 255 255 0 V 192 168 1 10 200 192 168 1 1 X LAN2 192 168 2 1 255 255 255 0 V 192 168 2 10 100 192 168 2 1 X LAN3 192 168 3 1 255 255 255 0 V 192 168 3 10 100 192 168 3 1 X LAN4 192 168 4 1 255 255 255 0 V 192 168 4 10 100 192 168 4 1 X LAN5 192...

Page 667: ...mary DNS Not set Secondary DNS Not set Telnet Command: show openport This command displays current status of open port setting Example show openport Openport settings Index Status Comment Local IP Address No data entry Telnet Command: show nat This command displays current status of NAT Exam...

Page 668: ...s the default setting Level1 It will be applied when the NAT sessions are smaller than 25 of the default setting Level2 It will be applied when the NAT sessions are smaller than the eighth of the default setting Example show pmtime Level0 TCP 86400001 UDP 300001 ICMP 10001 Level1 TCP 600000 UDP 90000 ICMP 7000 Level2 TCP 60000 UDP 30000 ICMP 5000 Telnet Comman...

Page 669: ...unning Mode T1 413 State TRAINING DS Actual Rate 0 bps US Actual Rate 0 bps DS Attainable Rate 0 bps US Attainable Rate 0 bps DS Path Mode Fast US Path Mode Fast DS Interleave Depth 0 US Interleave Depth 0 NE Current Attenuation 0 dB Cur SNR Margin 0 dB DS actual PSD 0 0 dB US actual PSD 0 0 dB ADSL Firmware Version 05 04 04 04 00 01 ATU C Info Far Current Attenuation 0 dB Far SNR Margin 0 dB CO I...

Page 670: ... status srv dhcp public add MAC Addr XX XX XX XX XX XX srv dhcp public del MAC Addr XX XX XX XX XX XX all ALL Syntax Description Parameter Description start It means the starting point of the IP address pool for the DHCP server IP address It means to specify an IP address as the starting point in the IP address pool cnt It means the IP count number IP counts It me...

Page 671: ... le srv dhcp dns1 168 95 1 1 srv dhcp dns1 DNS IP address Now 168 95 1 1 IP Routed Subnet dns same as NAT Subnet dns Telnet Command: srv dhcp dns2 This command allows users to set Secondary IP Address for DNS Server in LAN Syntax srv dhcp dns2 srv dhcp dns2 DNS IP address Syntax Description Parameter Des...

Page 672: ...v dhcp frcdnsmanl on Domain name server now is using manual settings srv dhcp frcdnsmanl off Domain name server now is using auto settings Telnet Command: srv dhcp gateway This command allows users to specify gateway address for DHCP server Syntax srv dhcp gateway srv dhcp gateway Gateway IP Syntax Descript ...

Page 673: ... lnet Command: srv dhcp on This function allows users to turn on DHCP server It needs rebooting router please type sys reboot command to reboot router Telnet Command: srv dhcp relay This command allows users to set DHCP relay setting Syntax srv dhcp relay servip server ip srv dhcp relay subnet index S...

Page 674: ... ple srv dhcp startip 192 168 1 53 This setting will take effect after rebooting Please use sys reboot command to reboot the router Telnet Command: srv dhcp status This command can display general information for the DHCP server such as IP address MAC address leased time host ID and so on Example srv dhcp status DHCP server Relay...

Page 675: ...ans the lease time that DHCP server can use The unit is second Example srv dhcp leasetime srv dhcp leasetime Lease Time sec Now 86400 Telnet Command: srv dhcp nodetype This command can set the node type for the DHCP server Syntax srv dhcp nodetype count Syntax Description Parameter De...

Page 676: ...dhcp primWINS 192 168 1 88 srv dhcp primWINS srv dhcp primWINS WINS IP address srv dhcp primWINS clear Now 192 168 1 88 Telnet Command: srv dhcp secWINS This command can set the secondary IP address for the DHCP server Syntax srv dhcp secWINS WINS IP address srv dhcp secWINS clear Syntax Description ...

Page 677: ... p tftp This command can set the TFTP server as the DHCP server Syntax srv dhcp tftp TFTP server name Syntax Description Parameter Description TFTP server name It means to type the name of TFTP server Example srv dhcp tftp TF123 srv dhcp tftp srv dhcp tftp TFTP server name Now TF123 Telnet Command: srv...

Page 678: ...It means to set option number Available number ranges from 0 to 255 v It means to set option number by typing string a It means to set the option value by specifying the IP address x It means to set option number with the format of Hexadecimal characters u It means to update the option value of the specified index idx number It means the index number of the option value Example srv ...

Page 679: ...veral commands in one line e It means to enable disable such feature 1 enable 0 disable i It means to specify the private IP address of the DMZ host r It means to remove DMZ host setting v It means to display current status Example srv nat dmz 1 1 i 192 168 1 96 srv nat dmz v WAN1 DMZ mapping status Index Status WAN1 aux IP Private IP 1 Disable 0 0 0 0 192 168 1 96 Telnet...

Page 680: ...r disable the open port rule profile 0 disable 1 enable c comment It means to type the description less than 23 characters for the defined network service i local ip It means to set the IP address for local computer Local ip Type an IP address in this field w idx It means to specify the public IP 1 WAN1 Default 2 WAN1 Alias 1 and so on p protocol Specify the transport layer protocol Available valu...

Page 681: ...Description Parameter Description Add idx It means to add a new port redirection table with an index number Available index number is from 1 to 10 serv name It means to type one name as service name proto It means to specify TCP or UDP as the protocol pub port It means to specify which port can be redirected to the specified Private IP and Port of the internal host pri ip It ...

Page 682: ...0 2 5 0 0 0 2 6 0 0 0 2 7 0 0 0 2 8 0 0 0 2 9 0 0 0 2 10 0 0 0 2 11 0 0 0 2 12 0 0 0 2 13 0 0 0 2 14 0 0 0 2 15 0 0 0 2 16 0 0 0 2 17 0 0 0 2 18 0 0 0 2 19 0 0 0 2 20 0 0 0 2 Protocol 0 Disable 6 TCP 17 UDP Telnet Command: srv nat status This command allows users to view NAT Port Redirection Running Table Example srv nat status NAT Por...

Page 683: ...port and DMZ settings Example srv nat showall Index Proto WAN IP Port Private IP Port Act R01 TCP 0 0 0 0 80 192 168 1 11 100 Y O01 TCP 0 0 0 0 23 83 192 168 1 100 23 83 Y D01 All 0 0 0 0 192 168 1 96 Y R Port Redirection O Open Ports D DMZ Telnet Command: switch i This command is used to obtain the TX transmitted or RX received data for each co...

Page 684: ...f This command is used to turn off the auto discovery for external devices Example switch off Disable External Device auto discovery Telnet Command: switch list This command is used to display the connection status of the switch Example switch list No Mac IP status Dur Time Model_Name 1 00 50 7f cd 07 48 192 168 1 3 On Line 0...

Page 685: ... LDAP server The server will authenticate the local user who wants to access into the web user interface of Vigor router Syntax sys adminuser option sys adminuser edit index username password Syntax Description Parameter Description option Available options includes Local 0 1 LDAP 0 1 edit INDEX delete INDEX view INDEX Local 0 1 0 Disable the local use...

Page 686: ...mmand parameter The available commands with parameters are listed below means that you can type in several commands in one line e enable It is used to disable enable bonjour service 0 disable 1 enable h enable It is used to disable enable http web service 0 disable 1 enable t enable It is used to disable enable telnet service 0 disable 1 enable f enable It is used to disable enable FTP service 0 d...

Page 687: ...us Profile version 3 0 0 Status 1 0x491e5e6c sys cfg default Telnet Command: sys cmdlog This command displays the history of the commands that you have typed Example sys cmdlog Commands Log The lowest index is the newest 1 sys cmdlog 2 sys cmdlog 3 sys 4 sys cfg status 5 sys cfg Telnet Command: sys ftpd...

Page 688: ...e sys domainname wan1 clever sys domainname wan2 intellegent sys domainname sys domainname wan1 wan2 Domain Name Suffix max 40 characters sys domainname wan1 wan2 clear Now wan1 clever wan2 intelligent Telnet Command: sys iface This command displays the current interface connection status UP or Down with IP address MAC address and Netmask for the router E...

Page 689: ... 0 0 0 Netmask 0x00000000 MAC 00 50 7F 00 00 05 Interface 8 Ethernet Status DOWN IP Address 0 0 0 0 Netmask 0x00000000 MAC 00 50 7F 00 00 06 Interface 9 Ethernet Status DOWN IP Address 0 0 0 0 Netmask 0x00000000 MAC 00 50 7F 00 00 07 MORE q Quit Enter New Lines Space Bar Next Page ...

Page 690: ...me sys name wan1 wan2 ASCII string max 20 characters sys name wan1 wan2 clear Now wan1 drayrouter wan2 Note Such name can be used to recognize router s identification in SysLog dialog Telnet Command: sys passwd This command allows users to set password for the administrator Syntax sys passwd ASCII string Syntax Descrip ...

Page 691: ...t on autoreboot is ON sys autoreboot 2 autoreboot is ON autoreboot time is 2 hour s Telnet Command: sys commit This command allows users to save current settings to FLASH Usually current settings will be saved in SRAM Yet this command will save the file to FLASH Example sys commit Telnet Command: sys tftp...

Page 692: ...e List Buf sk_buff 200B used 1647 cached 30 Buf KMC4088 4088B used 0 cached 8 Buf KMC2552 2552B used 1641 cached 42 Buf KMC1016 1016B used 7 cached 1 Buf KMC504 504B used 8 cached 8 Buf KMC248 248B used 26 cached 22 Buf KMC120 120B used 67 cached 61 Buf KMC56 56B used 20 cached 44 Buf KMC24 24B used 58 cached 70 Dynamic memory 13107200B 4573168B used 190480B 0B in level 1 2 cache FLOWTRACK Memory ...

Page 693: ...play quality off It means to turn off the bridge task Example sys britask on bridge task is ON now Telnet Command: sys tr069 This command can set CPE settings for applying in VigorACS Syntax sys tr069 get parm option sys tr069 set parm value sys tr069 getnoti parm sys tr069 setnoti parm value sys tr069 log sys tr069 debug on off sy...

Page 694: ...n certificate based authentication off turn off certificate based authentication Example sys tr069 get Int nextlevel Total number of parameter is 24 Total content length of parameter is 915 InternetGatewayDevice LANDeviceNumberOfEntries InternetGatewayDevice WANDeviceNumberOfEntries InternetGatewayDevice DeviceInfo InternetGatewayDevice ManagementServer InternetGatewayDevice Time Int...

Page 695: ...bled Telnet Command: sys license This command can process the system license Syntax sys license licmsg sys license licauth sys license regser sys license licera sys license licifno sys license lic_wiz set reg qry sys license dev_chg sys license dev_key Syntax Description Parameter Description licmsg It means...

Page 696: ...le It means to enable the function of diag_log disable It means to disable the function of diag_log flush It means the flush log buffer lineno w It means the total lines for displaying message w Available value ranges from 100 to 50000 level x It determines the level of data displayed x Available value ranges from 0 to 12 The larger the number is the more detailed the data displayed feature on off...

Page 697: ... 08 00 00 06 0 00 05 DSL Status was switched FirmwareRequest 1 to firmwareReady 3 0 00 05 DSL Status was switched firmwareReady 3 to Init 5 0 00 05 DSL nXtseA 0d nXtseB 00 nXtseV 07 nFwFeatures 5 0 00 05 DSL nHsToneGroupMode 0 nHsToneGroup 106 nToneSet 43 nCamState 2 0 00 05 DSL Line state has changed 000000FF 00000100 0 00 05 DSL Line state has changed 00000100 00000200 0 00 05 DSL Status was swi...

Page 698: ... 0 PortMapEnabled 0 PortMapProtocol NULL The tmpvirtual server index 0 PortMapLeaseDuration 0 PortMapEnabled 0 0 MORE q Quit Enter New Lines Space Bar Next Page Telnet Command: upnp service This command can display the information of the UPnP service UPnP service must be enabled first Example upnp on UPNP start upnp service SERVICE TABLE...

Page 699: ...erviceType urn schemas microsoft com service OSInfo 1 Subscribtion1 sid 7a2bbdd0 0047 4fc8 b870 4597b34da7fb eventKey 1 ToSendEventKey 1 expireTime 6926 active 1 DeliveryURLs http 192 168 1 113 2869 upnp eventing twtnpnsiun 2 serviceType urn schemas upnp org service WANCommonInterfaceConfig 1 Subscribtion1 sid d9cd47a5 d9c9 4d3d 8043 d03a82f27983 eventKey 1 ToSendEventKey 1 Telnet Co...

Page 700: ...ption Parameter Description n It means to specify WAN interface to apply UPnP n 0 it means to auto select WAN interface n 1 WAN1 n 2 WAN2 Example upnp wan 1 use wan1 now Telnet Command: usb list This command is used to display the information about the brand name and model name of the USB modems which are supported by Vigor router Ex ...

Page 701: ...age Telnet Command: vigbrg on This command can make the router to be regarded as a modem but not a router Example vigbrg on Enable Vigor Bridge Function Telnet Command: vigbrg off This command can disable vigor bridge function Example vigbrg off Disable Vigor Bridge Function Teln...

Page 702: ...brg wan1on This command is used to enable the bridge WAN1 management Example vigbrg wan1on Enable Vigor Bridge Wan1 management Telnet Command: vigbrg wan1off This command is used to disable the bridge WAN1 management Example vigbrg wan1off Disable Vigor Bridge Wan1 management Telnet Com...

Page 703: ... mand: vpn l2lDrop This command allows users to terminate current LAN to LAN VPN connection Example vpn l2lDrop Telnet Command: vpn dinset This command allows users to configure setting for remote dial in VPN profile Syntax vpn dinset list index vpn dinset list index on off vpn dinset list index motp on o...

Page 704: ...b4fe6 vpn dinset 1 Dial in profile index 1 Profile Name Status Active Mobile OTP Enabled PIN 1234 Secret e759bb6f0e94c7ab4fe6 Idle Timeout 300 sec Telnet Command: vpn subnet This command allows users to specify a subnet selection for the specified remote dial in VPN profile Syntax vpn subnet index 1 2 3 4 5 6 Syntax Descr...

Page 705: ... tax Description Parameter Description For PPTP Dial Out index It means the index number of the profile name It means the name of the profile ip It means the IP address to dial to usr pwd It means the user and the password required for the PPTP connection nip nmask It means the remote network IP and the mask e g vpn setup 1 name1 pptp_out 1 2 3 4 vigor 1234 192 168 1 0 25...

Page 706: ...means the remote network IP and the mask e g vpn setup 1 name1 dialin 1 2 3 4 vigor 1234 abc 192 168 1 0 255 255 255 0 Example vpn setup 1 name1 dialin 1 2 3 4 vigor 1234 abc 192 168 1 0 255 255 255 0 Profile Change Log Profile Index 1 Profile Name name1 Username vigor Password 1234 Pre share Key abc Call Direction Dial In Type of Server ISDN PPTP IPSec L2TP Dial from 1 2 3 4 Remote ...

Page 707: ...s always on for dial in Other numbers e g idle 200 idle 300 idle 500 mean the router will be idle after the interval seconds configured here palive It means to enable PING to keep alive 1 disable the function 1 2 3 4 Enable the function and PING IP 1 2 3 4 to keep alive For Dial Out Settings ctype It means Type of Server I am calling ctype t means PPTP ctype s means IPSec ctype l means L2TP IPSec ...

Page 708: ...In Type Available settings include itype t means PPTP itype s means IPSec itype L1 means L2TP None itype L1 means L2TP Nice to Have itype l2 means L2TP Must peer It means specify Peer VPN Server IP for Remote VPN Gateway Type 203 12 23 48 means to allow VPN dial in with IP address of 203 12 23 48 Type off means any remote IP is allowed to dial in peerid It means the peer ID for Remote VPN Gateway ...

Page 709: ...e It means to Change default route to this VPN tunnel Only single WAN supports this droute on off means to enable disable the function Example vpn option 1 idle 250 Change Log Idle Timeout 250 Telnet Command: vpn mroute This command allows users to list add or delete static routes for a certain LAN to LAN VPN profile Syntax vpn m...

Page 710: ... list common settings of the specified profile out It means to list dial out settings of the specified profile in It means to list dial in settings of the specified profile net It means to list Network Settings of the specified profile index It means the index number of the profile Available index numbers 1 32 Example vpn list 32 all Common Settings Profile Name Profile Status Disabl...

Page 711: ... ax vpn remote PPTP IPSec L2TP on off Syntax Description Parameter Description PPTP IPSec L2TP There are four types to be selected on off on enable VPN remote setting off disable VPN remote setting Example vpn remote PPTP on Set PPTP VPN Service On Please restart the router Telnet Command: vpn 2ndsubne...

Page 712: ...des of VPN Tunnel while connecting Block When there is conflict occurred between the hosts on both sides of VPN Tunnel in connecting set it block data transmission of Netbios Naming Packet inside the tunnel Example vpn NetBios set H2l 1 Pass Remote Dial In Profile Index 1 NetBios Block Pass PASS Telnet Command: vpn mss This command allows users to...

Page 713: ...Command: vpn ike This command is used to display IKE memory status and leakage list Syntax vpn ike q Example vpn ike q IKE Memory Status and Leakage List of free L Buffer 95 minimum 94 leak 1 of free M Buffer 529 minimum 529 leak 3 of free S Buffer 1199 minimum 1198 leak 1 of free Msgid Buffer 1024 minimum 1024 Telnet Comman ...

Page 714: ...ss2nd on vpn pass2nd off Syntax Description Parameter Description on off on the packets can pass through NAT off the packets cannot pass through NAT Example vpn pass2nd on 2nd subnet is allowed to pass VPN tunnel Telnet Command: vpn pass2nat This command allows users to determine if the packets passing t...

Page 715: ...mple wan ppp_mru 1 Now 1492 wan ppp_mru 1 1490 wan ppp_mru 1 Now 1490 wan ppp_mru 1 1492 wan ppp_mru 1 Now 1492 Telnet Command: wan mtu mtu2 This command allows users to adjust the size of MTU for WAN1 WAN2 Syntax wan mtu value wan mtu2 value Syntax Description Parameter Description value It means th...

Page 716: ...nd allows you to disable WAN connection Example wan disable WAN WAN disabled Telnet Command: wan enable This command allows you to disable wan connection Example wan enable WAN WAN1 enabled Telnet Command: wan forward This command allows you to enable or disable the function of WAN f...

Page 717: ...ts 0 RX Rate Bps 0 PVC_WAN4 Offline stall N Mode Up Time 00 00 00 IP GW IP TX Packets 0 TX Rate Bps 0 RX Packets 0 RX Rate Bps 0 PVC_WAN5 Offline stall N Mode Up Time 00 00 00 IP GW IP TX Packets 0 TX Rate Bps 0 RX Packets 0 RX Rate Bps 0 Telnet Command: wan modem This command wan modem allows you to configure 3G 4G USB Modem PPP mode of WAN5 Synta ...

Page 718: ... PID match to bind the USB modem to specify WAN interface By default this match is not set 0x0 0x0 and the router specifies WAN interface by USB port status Display current status of USB modem Example wan modem pin 0000 wan modem status Modem Link Speed 0 Current Signal Strength 0 Last Fail Message Current Connect Stage Telnet Command: wan detec...

Page 719: ...Target 192 168 1 78 TTL 255 WAN2 off WAN3 off WAN4 off WAN5 off Telnet Command: wan lb This command allows you to Enable Disable for each WAN to join auto load balance member Syntax wan lb wan1 wan2 on wan lb wan1 wan2 off Syntax Description Parameter Description wan1 wan2 It means to specify which WAN will be applied...

Page 720: ...or the specific channel clear It means to turn off clear the port tag tag_no It means to tag a number for the VLAN 1 No need to add tag number 1 4095 Available setting numbers used as tagged number service type It means to specify the service type for VLAN 0 Normal 1 IGMP vlan priority It means to specify the priority for the VLAN setting Range is from 0 to 7 px It means LAN port Available setting...

Page 721: ...Channel 6 uplink ifno 3 Channel 7 uplink ifno 3 Telnet Command: wan vlan This command allows you to tag packets on WAN VLAN with specified number Syntax wan vlan wan tag value wan vlan wan enable disable wan vlan stat Syntax Description Parameter Description It means the number of WAN interface 1 means WAN1 2 mean...

Page 722: ...ted WAN budget will be refreshed every 5 days and 10 hours enable disable enable Enable the function of wan budget disable Disable the function of wan budget thres budget limit MB Specify the maximum value for WAN budget limit Unit MB budget limit Type a number gthres budget limit GB Specify the maximum value of wan budget limit Unit GB budget limit Type a number mode monthly periodic none Specify...

Page 723: ... MTU size to decrease between detections decrease size Available setting is 1 100 c count Set the maximum times of ping failure during a Discovery count Available settings are 1 10 Default value is 3 Example wan detect_mtu w 2 i 8 8 8 8 s 1500 d 30 c 10 detecting mtu size 1500 mtu size 1470 Telnet Command: wan detect_mtu6 This comm...

Page 724: ...d2 ssid3 ssid4 isolate It means to associate a MAC address to certain SSID interfaces access control settings The isolate setting will limit the wireless client s network capabilities to accessing the wireless LAN only MAC format xx xx xx xx xx xx or xx xx xx xx xx xx or xx xx xx xx xx xx del MAC It means to delete a MAC address entry defined in the access control list mode ssid1 ssid2 ssid3 ssid4...

Page 725: ...means to display what the current wireless mode is channel number It means the channel of frequency of the wireless LAN The available settings are 0 1 2 3 4 5 6 7 8 9 10 11 12 and 13 number 0 means Auto number 1 means Channel 1 number 13 means Channel 13 preamble enable It means to define the length of the sync field in an 802 11 packet Most modern wireless network uses short preamble with 56 bit ...

Page 726: ...SID4 enable It means to enable the function of the rate control for the specified SSID 0 disable and 1 enable upload It means to configure the rate control for data upload The unit is kbps download It means to configure the rate control for data download The unit is kbps isolate ssid_num lan member It means to isolate the wireless connection for LAN and or Member lan It can make the wireless clien...

Page 727: ... means to enhance the performance in data transmission about 40 more by enabling Tx Burst It is active only when both sides of Access Point and Station in wireless client invoke this function at the same time 0 disable the function 1 enable the function Example wl set MKT 2 on New Wlan Setting is SSID MKT Chan 2 Wl is Enable Telnet Command: wl act T...

Page 728: ...ed in the end e g wl scan set time 5 del Remove white list block list e g wl scan del wlist 001122aabbcc filter Set which filter you want ssid scanning the AP based on SSID setting channel scanning the AP based on channel setting mac scanning the AP based on MAC address setting show 0 1 2 3 It is used to show AP list 0 display white list 1 display block list 2 display gray unknown list 3 display a...

Page 729: ...gt show 1 NO SSID BSSID Connect time Reconnect time 1 Draytek 00 11 22 aa bb cc 0d 0 58 26 0d 0 0 Telnet Command: wl iso_vpn This command allows users to activate the function of VPN isolation Syntax wl iso_vpn ssid En Syntax Description Parameter Description ssid It means the number of SSID 1 SSID1 2 SSID2 3 ...

Page 730: ...meter Description ap It means to set WMM for access point bss It means to set WMM for wireless clients ack It means to map to the Ack policy settings of AP WMM enable It means to enable the WMM for each SSID 0 disable 1 enable Apsd value It means to enable disable the ASPD automatic power save delivery function 0 disable 1 enable show It displays current status of WMM QueIdx It means the number of...

Page 731: ...kPolicy 3 0 Telnet Command: wl ht This command allows you to configure wireless settings Syntax wl ht bw value wl ht gi value wl ht badecline value wl ht autoba value wl ht rdg value wl ht msdu value wl ht txpower value wl ht antenna value wl ht greenfield value Syntax Description Parameter Description wl ht bw value Th...

Page 732: ...nable Example wl btnctl 1 Enable wireless botton control Current wireless botton control is on Telnet Command: wl iwpriv wl wlanconfig These two commands are reserved for RD debug Do not use them Telnet Command: wl efuse This command is used to configure parameters related to wirel...

Page 733: ...he use of the WoL packet ip address It means the WAN IP address mask It means the mask of the IP address Example wol fromWan on wol fromWan_Setting 1 192 168 1 45 255 255 255 0 Telnet Command: user The command is used to create new user account profiles Syntax user set e d c l o a r b user edit PROFILE_IDX e d n p t u i q r w s m x v user ...

Page 734: ...er record user name type the name of the user profile all all of the user profile settings will be removed q It means to trigger the alert tool to do authentication s It means to set login service 0 HTTPS 1 HTTP e g s 1 User edit PROFILE_IDX Type the index number of the profile that you want to edit e Enable User profile function d Disable User profile function n It means to set a user name for a ...

Page 735: ...It means to set account data quota e g r 1000 w It means to set data quota unit MB GB Example user account admin d 1 Enable the admin data quota limited Telnet Command: nand bad nand usage NAND usage is used to display NAND Flash usage nand bad is used to display NAND Flash bad blocks Syntax nand bad nand usage Ex...

Page 736: ... Management in Vigor3220 Information related to the registered AP will be sent back to Vigor3220 for updating the web page of Central AP Management Example apm clear Clear all clients done Telnet Command: apm profile This command allows to configure wireless profiles to be used in Central AP Management Syntax apm profile clone ...

Page 737: ...file to the specified VigorAP Example apm profile clone 1 2 forcarrie Done apm profile summary Name SSID Security ACL RateCtrl U D 0 Default DrayTek LAN A WPA WPA2 PSK x DrayTek LAN B WPA WPA2 PSK x 1 2 forcarrie DrayTek Disable x 3 4 Telnet Command: apm cache This command is used to display or remove the information of registered VigorAP incl...

Page 738: ... 1 enable station limit 0 disable station limit 3 The third number means the traffic limit function Type 1 enable traffic limit 0 disable traffic limit 4 The fourth number means the limit num of station Available range is 3 64 5 The fifth number means the upload limit function Type 1 enable upload limit 0 disable upload limit 6 The sixth number means the download limit function Type 1 enable downlo...

Page 739: ...on by Signal strength 0 9 Traffic limit unit upload 1 10 Traffic limit unit download 1 flag 49 Telnet Command: apm napdetect This command is used to enable disable AP detection function Syntax apm napdetect get apm napdetect set enable disable AP Detection 1 0 Refresh Time Syntax Description Parameter De...

Page 740: ...Method for HA 1 Active Standby 0 Hot Standby v 1 255 Specify the group ID VHID 1 255 Setting range R Set HA settings to Factory Default p 1 30 Specify the Priority ID 1 30 Setting range k key Specify the Authentication Key Key Max 31 Characters u 1 0 Enable or disable the function of Update DDNS 1 Enable When a router changes HA status to primary it will update DDNS automatically 0 Disable m inter...

Page 741: ...nfig sync and general setup Syntax ha show c ha show g Syntax Description Parameter Description c Show the settings of config sync g Show the settings of general setup Example ha show g High Availability Disable Redundancy Method Active Standby Group ID 1 Priority ID 10 Preempt Mode Enable Update DDNS Disable Management Interface LAN1 Aut...

Page 742: ...AC address and etc 2 Basic information with some HA settings Example ha status m 2 Local Router DrayTek IPv4 192 168 1 1 Status High Availability Disable Redundancy Method Active Standby Group ID 1 Priority ID 10 Preempt Mode Enable Update DDNS Disable Management Interface LAN1 Authentication Key draytek Virtual IP Max 7 Virtual IPs OFF Config Sync Disable Config Sync Interval 0 Day ...
