Chapter 6

 

Internet Features 

This Chapter explains when and how to use the LevelOne Broadband VPN 
Gateway's "Internet" Features. 

Overview 

The following advanced features are covered in this Chapter: 

• WAN Port
• Advanced Internet
• Communication Applications
• Special Applications
• DMZ
• URL filter
• Dynamic DNS
• Virtual Servers
• Internet Options

 


Summary of Contents for FBR-1404TX

Page 1: ...LevelOne FBR 1404TX Broadband VPN Gateway w 4 port Switch User s Manual Version 1 1...

Page 2: ...ERATION AND STATUS 30 Operation 30 Status Screen 30 Connection Status PPPoE 32 Connection Status PPTP 34 Connection Status Telstra Big Pond 35 Connection Details SingTel RAS 36 Connection Details Fixe...

Page 3: ...Overview 104 PC Database 105 Remote Administration 109 Routing 110 Upgrade Firmware 114 UPnP 115 APPENDIX A TROUBLESHOOTING 116 Overview 116 General Problems 116 Internet Access 116 APPENDIX B SPECIF...

Page 4: ...LAN can access the Internet through the LevelOne Broadband VPN Gateway using only a single external IP Address The local invalid IP Addresses are hidden from external sources This process is called NA...

Page 5: ...Support Dynamic Host Configuration Protocol provides a dynamic IP address to PCs and other devices upon request The LevelOne Broadband VPN Gateway can act as a DHCP Server for devices on your local L...

Page 6: ...you can define your own firewall rules This can also be used to control the Internet services available to LAN users VPN Gateway Features IPSec Support for IPSec standards including IKE and certificat...

Page 7: ...On Corresponding LAN hub port is active Off No active connection on the corresponding LAN hub port Flashing Data is being transmitted or received via the corresponding LAN hub port 100 Yellow On Cor...

Page 8: ...5 seconds until the Red Status LED has flashed TWICE 4 Release the Reset Button The LevelOne Broadband VPN Gateway is now using the factory default values WAN port 10 100BaseT Connect the DSL or Cable...

Page 9: ...e 4 Installation Diagram 1 Choose an Installation Site Select a suitable place on the network to install the LevelOne Broadband VPN Gateway Ensure the LevelOne Broadband VPN Gateway and the DSL Cable...

Page 10: ...wer Up Power on the Cable or DSL modem Connect the supplied power adapter to the LevelOne Broadband VPN Gateway and power up Use only the power adapter provided Using a different one may cause hardwar...

Page 11: ...e required functions To Do this Refer to Configure PCs on your LAN Chapter 4 PC Configuration Check LevelOne Broadband VPN Gateway operation and Status Chapter 5 Operation and Status Use any of the fo...

Page 12: ...the LevelOne Broadband VPN Gateway or on the same LAN segment The LevelOne Broadband VPN Gateway must be installed and powered ON If the LevelOne Broadband VPN Gateway s default IP Address 192 168 0 1...

Page 13: ...indow or command prompt window Enter the command ping 192 168 0 1 If no response is received either the connection is not working or your PC s IP address is not compatible with the LevelOne Broadband...

Page 14: ...PC Run the Wizard and on the Cable Modem screen use the Clone MAC address button to copy the MAC address from your PC to the LevelOne Broadband VPN Gateway Common Connection Types Cable Modems Type...

Page 15: ...nd Wireless Type Details ISP Data required Dynamic IP Address Your IP Address is allocated automatically when you connect to you ISP Usually none However some ISP s may require you to use a particular...

Page 16: ...tion Data Input Use the menu bar on the top of the screen and the Back button on your Browser for navigation Changing to another screen without clicking Save does NOT save any changes you may have mad...

Page 17: ...value as the PCs on that LAN segment DHCP Server If Enabled the LevelOne Broadband VPN Gateway will allocate IP Addresses to PCs DHCP clients on your LAN when they start up The default and recommende...

Page 18: ...N Gateway s DHCP Server This is the default setting The DHCP Server settings are on the LAN screen On this screen you can Enable or Disable the LevelOne Broadband VPN Gateway s DHCP Server function Se...

Page 19: ...efault login name is admin Change this to the desired value 2 The default password is blank no password Enter the desired password in the New Password and Verify Password fields 3 Save your changes Yo...

Page 20: ...IP Settings Overview If using the default LevelOne Broadband VPN Gateway settings and the default Windows TCP IP settings no changes need to be made By default the LevelOne Broadband VPN Gateway will...

Page 21: ...ure 11 IP Address Win 95 Ensure your TCP IP settings are correct as follows Using DHCP To use DHCP select the radio button Obtain an IP Address automatically This is the default Windows setting Using...

Page 22: ...inistrator can advise you of the IP Address they assigned to the LevelOne Broadband VPN Gateway Figure 12 Gateway Tab Win 95 98 On the DNS Configuration tab ensure Enable DNS is selected If the DNS Se...

Page 23: ...de Checking TCP IP Settings Windows NT4 0 1 Select Control Panel Network and on the Protocols tab select the TCP IP protocol as shown below Figure 14 Windows NT4 0 TCP IP 2 Click the Properties button...

Page 24: ...e it obtains an IP Address from the LevelOne Broadband VPN Gateway Specify an IP Address If your PC is already configured check with your network administrator before making the following changes 1 T...

Page 25: ...ure 16 Windows NT4 0 Add Gateway 2 The DNS should be set to the address provided by your ISP as follows Click the DNS tab On the DNS screen shown below click the Add button under DNS Service Search Or...

Page 26: ...PC Configuration Figure 17 Windows NT4 0 DNS 23...

Page 27: ...and Dial up Connection 2 Right click the Local Area Connection icon and select Properties You should see a screen like the following Figure 18 Network Configuration Win 2000 3 Select the TCP IP proto...

Page 28: ...Address from the LevelOne Broadband VPN Gateway Using a fixed IP Address Use the following IP Address If your PC is already configured check with your network administrator before making the followi...

Page 29: ...Network Connection 2 Right click the Local Area Connection and choose Properties You should see a screen like the following Figure 20 Network Configuration Windows XP 3 Select the TCP IP protocol for...

Page 30: ...from the LevelOne Broadband VPN Gateway Using a fixed IP Address Use the following IP Address If your PC is already configured check with your network administrator before making the following chang...

Page 31: ...rnet Connections 2 Select Set up or change your Internet Connection 3 Select the Connection tab and click the Setup button 4 Cancel the pop up Location Information screen 5 Click Next on the New Conne...

Page 32: ...y changes Fixed IP Address By default most Unix installations use a fixed IP Address If you wish to continue using a fixed IP Address make the following changes to your configuration Set your Default...

Page 33: ...which PC receives an incoming connection Refer to Chapter 6 Internet Features for further details Applications which use non standard connections or port numbers may be blocked by the LevelOne Broadb...

Page 34: ...ddress above DHCP Server This shows the status of the DHCP Server function either Enabled or Disabled For additional information about the PCs on your LAN and the IP addresses allocated to them use th...

Page 35: ...et users This address is allocated by your ISP Internet Service Provider Network Mask The Network Mask associated with the IP Address above PPPoE Link Status This indicates whether or not the connecti...

Page 36: ...ble to login to ISP s Server and establish a PPP connection Idle time out reached The connection has been idle for the time period specified in the Idle Time out field The connection will now be termi...

Page 37: ...Internet users This address is allocated by your ISP Internet Service Provider PPTP Status This indicates whether or not the connection is currently established If the connection does not exist the C...

Page 38: ...the hardware address seen by devices on the local LAN IP Address The IP Address of this device as seen by Internet users This address is allocated by your ISP Internet Service Provider Connection Stat...

Page 39: ...Refresh Update the data on screen Connection Details SingTel RAS If using the SingTel RAS access method a screen like the following example will be displayed when the Connection Details button is clic...

Page 40: ...ly Buttons Release Renew Button will display EITHER Release OR Renew This button is only useful if the IP address shown above is allocated automatically on connection Dynamic IP address If you have a...

Page 41: ...ter associated with the IP Address above DNS IP Address The IP Address of the Domain Name Server which is currently used DHCP Client This will show Enabled or Disabled depending on whether or not this...

Page 42: ...ddress has been allocated to the LevelOne Broadband VPN Gateway by the ISP s DHCP Server this button will say Release Clicking the Release button will break the connection and release the IP Address...

Page 43: ...use the LevelOne Broadband VPN Gateway s Internet Features Overview The following advanced features are covered in this Chapter WAN Port Advanced Internet Communication Applications Special Applicatio...

Page 44: ...cation Hostname Normally there is no need to change the default name but if your ISP requests that you use a particular Hostname enter it here Domain name If your ISP provided a domain name enter it h...

Page 45: ...d some software to connect and login This software is no longer required and should not be used PPTP this is mainly used in Europe You need to know the PPTP Server address as well as your name and pa...

Page 46: ...reen allows configuration of all advanced features relating to Internet access Communication Applications Special Applications DMZ URL filter Communication Applications Most applications are supported...

Page 47: ...by the LevelOne Broadband VPN Gateway s firewall In this case you can define the application as a Special Application Special Applications Screen This screen can be reached by clicking the Special Ap...

Page 48: ...le port number enter it in both the Start and Finish fields Using a Special Application Configure the Special Applications screen as required On your PC use the application normally Remember that only...

Page 49: ...een to access the URL Filter screen An example screen is shown below Figure 31 URL Filter Screen Data URL Filter Screen Filter Strings Current Entries This lists any existing entries If you have not e...

Page 50: ...your data from www dyndns org in the LevelOne Broadband VPN Gateway s DDNS screen 4 The LevelOne Broadband VPN Gateway will then automatically ensure that your current IP Address is recorded at http...

Page 51: ...dyndns org The name should consist only of letters and the hyphen dash Using any other characters may cause problems DDNS Status This message is returned by the DDNS Server at www dyndns org Normally...

Page 52: ...t users to connect to your servers as illustrated below Figure 33 Virtual Servers IP Address seen by Internet Users Note that in this illustration both Internet users are connecting to the same IP Add...

Page 53: ...his to Enable or Disable support for this Server as required If Enabled any incoming connections will be forwarded to the selected PC If Disabled any incoming connection attempts will be blocked PC Se...

Page 54: ...ed to use this screen or change any settings Figure 35 Options Screen Data Options Screen Backup DNS IP Address Enter the IP Address of the DNS Domain Name Servers here These DNS will be used only if...

Page 55: ...s Chapter explains the settings available via the security configuration section of the Security menu Overview The following advanced configurations are provided Access Control Firewall Rules Logs Sec...

Page 56: ...oup 2 Set the desired restrictions on the other groups Group 1 Group 2 Group 3 and Group 4 as needed 3 Assign PC to the groups as required Restrictions are imposed by blocking Services or types of con...

Page 57: ...ss for a group Block by Schedule If Internet access is being blocked you can choose to apply the blocking only during scheduled times If access is not blocked no Scheduling is possible and this settin...

Page 58: ...t group Access Control Log To check the operation of the Access Control feature an Access Control Log is provided Click the View Log button on the Access Control screen to view this log This log shows...

Page 59: ...or advanced administrators only Firewall Rules Screen Click the Firewall Rules option on the Security menu to see a screen like the following example This example contains two 2 rules for outgoing tr...

Page 60: ...tion for more details Edit To Edit or modify an existing rule select it and click the Edit button Move There are 2 ways to change the order of rules Use the up and down indicators on the right to move...

Page 61: ...ion Source IP These settings determine which traffic based on their source IP address is covered by this rule Select the desired option Any All traffic from the source port is covered by this rule Sin...

Page 62: ...address and Finish IP address fields You can ignore the Subnet Mask field Subnet address If this option is selected enter the required mask in the Subnet Mask field Services Select the desired Service...

Page 63: ...cked by the built in Firewall Internet Connections If selected Outgoing Internet connections are logged Normally the Internet Destination will be shown as an IP address But if the URL Filter is enable...

Page 64: ...elected the log is sent at the time specified If the day is specified the log is sent once per week on the specified day Select the time of day you wish the E mail to be sent If the log is full before...

Page 65: ...n so you can not use it the service is unavailable This device uses Stateful Inspection technology This system can detect situations where individual TCP IP packets are valid but collectively they bec...

Page 66: ...ons are allowed If not checked IPSec connections are blocked Allow PPTP PPTP Point to Point Tunneling Protocol is widely used by VPN Virtual Private Networking programs If checked PPTP connections are...

Page 67: ...ock If the time for a particular day is blank no action will be performed Define Schedule Screen This screen is accessed by the Scheduling link on the Security menu Figure 42 Define Schedule Screen Da...

Page 68: ...ice Name Enter a descriptive name to identify this service Type Select the protocol TCP UDP ICMP used to the remote system or service Start Port For TCP and UDP Services enter the beginning of the ran...

Page 69: ...LevelOne Broadband VPN Gateway User Guide Cancel Clear the Add New Service area ready for entering data for a new Service 66...

Page 70: ...As one in each direction If IKE Internet Key Exchange is used to generate and exchange keys there are also SA s for the IKE connection as well as the IPsec connection There are two security modes poss...

Page 71: ...ined in turn and the first matching policy will be used VPN Configuration The general rule is that each endpoint must have matching Policies as follows Remote VPN address Each VPN endpoint must be con...

Page 72: ...it is not acting as a VPN endpoint Client PC to VPN Gateway Figure 45 Client PC to VPN Server In this situation the PC must run appropriate VPN client software in order to connect via the Internet to...

Page 73: ...on each endpoint gain secure access to the remote LAN The 2 LANs MUST use different IP address ranges The VPN Policies at each end determine when a VPN tunnel will be established and what systems on...

Page 74: ...ticular traffic In that case the first matching policy for the traffic under consideration will be used Data VPN Policies Screen VPN List Policy Name The name of the policy When creating a policy you...

Page 75: ...the policy and click the Copy button Remember that the new policy must have a different name and there can only be one active enabled policy for each remote VPN endpoint Delete To delete an exiting p...

Page 76: ...e remote VPN endpoint Gateway or client Dynamic Select this if the Internet IP address is unknown In this case only incoming connections are possible Fixed Select this if the remote endpoint has a fix...

Page 77: ...LAN traffic So it would not be forwarded to the Gateway Local IP addresses Type Any no additional data is required Any IP address is acceptable For outgoing connections this allows any PC on the LAN...

Page 78: ...nish IP address field Subnet address enter the desired IP address in the Start IP address field and the network mask in the Subnet Mask field The remote VPN should have these IP addresses entered as...

Page 79: ...the payload data sent through the VPN tunnel Generally you will want to enable both Encryption and Authentication The 3DES algorithm provides greater security than DES but is slower The in key here m...

Page 80: ...oing connections are allowed Local Identity This setting must match the Remote Identity on the remote VPN IP address is the more common method Remote Identity This setting must match the Local Identit...

Page 81: ...gular intervals and ensuring that each key has no relationship to the previous key Thus breaking 1 key will not assist in breaking the next key This setting should match the remote endpoint Click Next...

Page 82: ...mote VPN endpoint uses the same method The 3DES algorithm provides greater security than DES but is slower ESP Authentication Generally you should enable ESP Authentication There is little difference...

Page 83: ...ll be a CA Issuer Name The CA Certification Authority which issued the Certificate Expiry Time The date on which the Certificate expires You should renew the Certificate before it expires Delete butto...

Page 84: ...e to the LevelOne Broadband VPN Gateway 6 Click Back to return to the Trusted Certificate list The new Certificate will appear in the list Adding a Self Certificate This process is different to obtain...

Page 85: ...at the data displayed in the Certificate Details section is correct This data is used to generate the Certificate request If the data is not correct click the Back button and correct the previous scre...

Page 86: ...nd locate the certificate file on your PC Select the file The name will appear in the Certificate File field Click Upload to upload the certificate file to the LevelOne Broadband VPN Gateway Click Fi...

Page 87: ...a New CRL 1 Obtain the CRL file from your CA 2 Select CRL from the VPN menu You will see a screen like the example below Figure 59 Certificate Revocation Lists 3 Click the Add New CRL button You will...

Page 88: ...Screen Current VPN SAs Policy Name The name of the VPN Policy which triggered this VPN connection SPI Each SA Security Association has a unique SPI For manual keys this SPI is specified by user input...

Page 89: ...licy 1 Policy 1 Name does not affect operation Select a meaningful name Remote Endpoint 205 17 11 43 202 11 13 211 Other endpoint s WAN Internet IP address Local IP addresses Any Any Use a more restr...

Page 90: ...tch DH Group Group 1 768 bit Group 1 768 bit Must match IKE SA Life time 28800 28800 Does not have to match Shorter period will be used IKE PFS Disable Disable Must match IPSec SA Parameters IPSec SA...

Page 91: ...9 10 Other endpoint s WAN Internet IP address Local IP addresses Subnet address 192 168 0 0 255 255 255 0 Allows access to entire LAN Use a more restrictive definition if possible Remote IP addresses...

Page 92: ...le MD5 Must match client PC ESP encryption Enable DES Must match client PC Windows Client Configuration 1 Select Start Programs Administrative Tools Local Security Policy 2 Right click IP Security Pol...

Page 93: ...be added first 6 Deselect the Use Add Wizard checkbox then click Add to view the screen below Figure 66 IP Filter List 7 Type To DUT for the name then click Add to see a screen like the following Sin...

Page 94: ...P address and the Destination IP address is the address range used on the remote LAN Ensure the Mirrored option is checked 9 Click OK to save your settings and close this dialog Figure 68 New Rule Pr...

Page 95: ...ure 69 New Rule Properties Filter Action 11 Select Require Security then click the Edit button to view the Require Security Properties screen Figure 70 Require Security Properties 12 Select Negotiate...

Page 96: ...s screen Figure 72 Require Security Properties 14 Ensure the following settings are correct then click OK to return to the Filter Action tab of the Edit Rule Properties screen VPN Setting Windows Sett...

Page 97: ...as shown below Figure 73 Tunnel Setting 16 Click the Authentication Methods tab then click the Edit to see the screen like the example below Figure 74 Authentication Method 17 Select Use this string...

Page 98: ...cond outgoing rule click Add For the name enter To Win2K then click Add Figure 76 Windows 2000 XP Client to LevelOne Broadband VPN Gateway 21 Enter the Source IP address and the Destination IP address...

Page 99: ...adband VPN Gateway User Guide Figure 77 Filter Properties Addressing 22 Click OK to save your changes then Close Figure 78 Filter List 23 Ensure the To Win2K filter is selected then click the Filter A...

Page 100: ...elect Require Security then click Edit On the Require Security Methods screen below select Negotiate security Figure 80 Security Methods 25 Click the Add button On the resulting Modify Security Method...

Page 101: ...ur changes then click OK again to return to the Filter Action screen 27 Select the Tunnel Setting tab and enter the WAN Internet IP address of this PC 172 10 9 10 in this example Figure 82 Tunnel Sett...

Page 102: ...change preshared key then enter your pre shared key in the field provided 30 Click OK to save your settings then Close to return to the DUT to Win2K Properties screen There should now be 2 IP Filers l...

Page 103: ...Broadband VPN Gateway User Guide Figure 85 Properties General Tab 32 Click the Advanced button to see the screen below Figure 86 Key Exchange Settings 33 Click the Methods button to see the screen be...

Page 104: ...or Integrity Algorithm 3DES for Encryption algorithm and Low 1 for the Diffie Hellman Group 36 Click OK to save then OK again and then Close to return to the Local Security Settings screen 37 Right cl...

Page 105: ...igure 90 LevelOne Broadband VPN Gateway to Windows 2000 Server LevelOne Broadband VPN Gateway Configuration This is the same as for the client setup earlier with the exception of the IP address range...

Page 106: ...Filter Properties Addressing should be completed as follows Figure 91 Windows 2000 Server Addressing The Source Address should be set to A specific IP Subnet and the IP address and Subnet mask set to...

Page 107: ...en you select the DMZ PC Virtual Server or Internet Application This database is maintained automatically but you can add and delete entries for PCs which use a Fixed Static IP Address Remote Adminis...

Page 108: ...tomatically added to the database and updated as required By default non Server versions of Windows act as DHCP Clients this setting is called Obtain an IP Address automatically The LevelOne Broadband...

Page 109: ...ot connected or not powered On you will not be able to add it Buttons Add This will add the new PC to the list The PC will be sent a ping to determine its hardware address If the PC is not available n...

Page 110: ...priate option Automatic The PC is set to be a DHCP client Windows Obtain an IP address automatically The LevelOne Broadband VPN Gateway will allocate an IP address to this PC when requested to do so...

Page 111: ...each PC Because of this the MAC address can NOT be left blank Buttons Add as New Entry Add a new PC to the list using the data in the Properties box If Automatic discovery for MAC address is selected...

Page 112: ...ill prevent the use of a Web Virtual Server on your LAN See Advanced Internet Virtual Servers Current IP Address You must use this IP Address to connect see below This IP Address is allocated by your...

Page 113: ...n the LevelOne Broadband VPN Gateway and ensure the following Windows 2000 settings are correct Open Routing and Remote Access In the console tree select Routing and Remote Access server name IP Rout...

Page 114: ...stination Network The network address of the remote LAN segment For standard class C LANs the network address is the first 3 fields of the Destination IP Address The 4th last field can be left at 0 Ne...

Page 115: ...r is the Router installed on the same LAN segment as the LevelOne Broadband VPN Gateway This router requires that the Default Route is the LevelOne Broadband VPN Gateway itself Typically routers have...

Page 116: ...C Gateway IP Address 192 168 0 100 LevelOne Broadband VPN Gateway s local Router Metric 2 Entry 2 Segment 2 Destination IP Address 192 168 2 0 Network Mask 255 255 255 0 Standard Class C Gateway IP A...

Page 117: ...e 97 Upgrade Firmware Screen To perform the Firmware Upgrade 1 Click the Browse button and navigate to the location of the upgrade file 2 Select the upgrade file It s name will appear in the Upgrade F...

Page 118: ...configuration If Disabled UPnP users can only view the configuration But currently this restriction only applies to users running Windows XP who access the Properties via UPnP e g Right click the Lev...

Page 119: ...Static IP address ensure that it is using an IP Address within the range 192 168 0 2 to 192 168 0 254 and thus compatible with the LevelOne Broadband VPN Gateway s default IP Address of 192 168 0 1 A...

Page 120: ...n 2 The LevelOne Broadband VPN Gateway processes the data passing through it so it is not transparent Use the Special Applications feature to allow the use of Internet applications which do not functi...

Page 121: ...s may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference...

Page 122: ...of the FCC Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received including interference t...
