Administrator's Handbook

Motorola Netopia®

Embedded Software

Version 8.7.4

Enterprise Series Routers

Summary of Contents for Netopia Embedded Software

Page 1: ...Administrator's Handbook Motorola Netopia Embedded Software Version 8.7.4 Enterprise Series Routers ...

Page 2: ... implied or expressed including but not limited to the implied warranties of merchantability and fitness for a particular purpose Motorola may make improvements or changes in the product s described in this manual at any time MOTOROLA and the Stylized M Logo are registered in the US Patent Trademark Office Microsoft Windows Windows Me and Windows NT are either trademarks or registered trademarks o...

Page 3: ...L Line Configuration screen 2 4 Creating a New Connection Profile 2 8 Advanced Connection Options 2 15 Configuration Changes Reset WAN Connection 2 15 Scheduled Connections 2 16 Backup Configuration 2 21 Diffserv Options 2 22 Priority Queuing TOS bit 2 25 VRRP Options WAN Link Failure Detection 2 26 Chapter 3 System Configuration 3 1 System Configuration Features 3 1 IP Setup 3 2 Filter Sets 3 2 I...

Page 4: ...imedia WMM 3 40 Enable Privacy 3 41 Multiple SSIDs 3 45 MAC Address Authentication 3 47 Console Configuration 3 49 SNMP Simple Network Management Protocol 3 50 Security 3 50 Upgrade Feature Set 3 50 Router Bridge Set 3 51 IGMP Internet Group Management Protocol 3 52 Logging 3 55 Log event dispositions 3 56 Procedure for Default Installation for ICSA firewall certification of Small Medium Business ...

Page 5: ...ciations 4 25 IP Passthrough 4 27 MultiNAT Configuration Example 4 30 Chapter 5 Virtual Private Networks VPNs 5 1 Overview 5 1 About PPTP Tunnels 5 4 PPTP configuration 5 4 About IPsec Tunnels 5 7 About L2TP Tunnels 5 7 L2TP configuration 5 8 About GRE Tunnels 5 10 VPN force all 5 12 About ATMP Tunnels 5 14 ATMP configuration 5 14 Encryption Support 5 16 MS CHAP V2 and 128 bit strong encryption 5 ...

Page 6: ...Phase 1 Profile 6 4 Changing an IKE Phase 1 Profile 6 9 Key Management 6 11 Advanced IPsec Options 6 14 IPsec WAN Configuration Screens 6 21 IPsec Manual Key Entry 6 22 VPN Quickview 6 23 WAN Event History Error Reporting 6 24 Chapter 7 IP Setup 7 1 IP Setup 7 1 IP subnets 7 3 Static routes 7 6 RIP Options 7 9 Overview 7 9 Authentication configuration 7 10 Connection Profiles and Default Profile 7...

Page 7: ...8 12 Backup Default Gateway 8 14 Backup Configuration screen 8 14 IP Setup screen 8 16 Backup Management Statistics 8 16 QuickView 8 18 Chapter 9 Monitoring Tools 9 1 Quick View Status Overview 9 1 General status 9 2 Current status 9 2 Status lights 9 3 Statistics Logs 9 3 Event Histories 9 4 IP Routing Table 9 6 General Statistics 9 6 System Information 9 8 Simple Network Management Protocol SNMP...

Page 8: ...Filter Sets 10 20 What s a filter and what s a filter set 10 20 How filter sets work 10 20 How individual filters work 10 21 Design guidelines 10 26 Working with IP Filters and Filter Sets 10 27 Adding a filter set 10 27 Deleting a filter set 10 32 A sample filter set 10 32 Policy based Routing using Filtersets 10 35 TOS field matching 10 37 Firewall Tutorial 10 38 General firewall terms 10 38 Bas...

Page 9: ...g software 11 7 Downloading configuration files 11 7 Uploading configuration files 11 8 Restarting the System 11 8 Appendix A Troubleshooting A 1 Configuration Problems A 1 Network problems A 2 How to Reset the Router to Factory Defaults A 2 Power Outages A 3 Technical Support A 3 Before contacting Motorola A 3 Environment profile A 3 How to reach us A 4 Online product information A 4 Index ...

Page 11: ...the following features Specify Source Address of Outbound Router Traffic See Enhanced Dead Peer Detection on page 6 15 Ability to support multiple networks over the same IPSec tunnel See Multiple Network IPsec on page 6 17 Backup timer can now be set in seconds instead of minutes Minimum failure setting has been reduced to 10 seconds See Chapter 8 Line Backup USB equipped models now support Macint...

Page 12: ...e 1 5 Motorola Netopia Telnet Menus Telnet based management screens contain the main entry points to Motorola Netopia Embedded Software Version 8 7 4 configuration and monitoring features The entry points are displayed in the Main Menu shown below The Easy Setup menus display and permit changing the values contained in the default connection profile You can use Easy Setup to initially configure th...

Page 13: ...out your Router your network and their history See Statistics Logs beginning on page 9 3 The Quick Menus screen is a shortcut entry point to a variety of the most commonly used configuration menus that are accessed through the other menu entry points The Quick View menu displays at a glance current real time operating information about your Router See Quick View Status Overview on page 9 1 Motorol...

Page 14: ...access to the Router Telnet software installed on the computer you will use to configure the Router Configuring Telnet software If you are configuring your device using a Telnet session your computer must be running a Telnet software program If you connect a PC with Microsoft Windows you can use a Windows Telnet application or run Telnet from the Start menu If you connect a Macintosh computer Mac ...

Page 15: ...uration and press Return The System Configuration screen appears 2 Select IP Setup and press Return The IP Setup screen appears To go back in this sequence of screens use the Escape key To Use These Keys Move through selectable items in a screen or pop up menu Up Down Left and Right Arrow Set a change to a selected item or open a pop up menu of options for a selected item like entering an upgrade ...

Page 17: ...on page 2 8 Advanced Connection Options on page 2 15 Configuration Changes Reset WAN Connection on page 2 15 Scheduled Connections on page 2 16 Backup Configuration on page 2 21 Diffserv Options on page 2 22 Priority Queuing TOS bit on page 2 25 VRRP Options WAN Link Failure Detection on page 2 26 WAN Configuration To configure your Wide Area Network WAN connection navigate to the WAN Configuratio...

Page 18: ...rver List options are set to the defaults Easy PAT List and Easy Servers These provide standard NAT mappings For more advanced NAT configurations see Multi NAT on page 4 1 NAT Options allows you to specify IP Passthrough allowing a single PC on the LAN to have the router s public address assigned to it See IP Passthrough on page 4 27 If you set Stateful Inspection Enabled to Yes you can enable a s...

Page 19: ...ice providers require a specific MAC address as part of their authentication process In such a case you can enter the MAC address that your service provider requires If your service provider doesn t use this method you don t need to change this field The DHCP Client Mode setting depends on the type of access concentrator equipment your service provider uses Most use Standards Based Alternatively y...

Page 20: ... RIP and select v1 v2 broadcast or v2 multicast from the popup menu With Transmit RIP v1 selected the Motorola Netopia Embedded Software Version 8 7 4 will generate RIP packets only to other RIP v1 routers With Transmit RIP v2 broadcast selected the Motorola Netopia Embedded Software Version 8 7 4 will generate RIP packets to all other hosts on the network With Transmit RIP v2 multicast selected t...

Page 21: ...CI is a 16 bit value between 0 and 65535 inclusive Circuits support attributes in addition to their VPI and VCI values When configuring a circuit you can specify an optional circuit name of up to 14 characters The circuit name is used only to identify the circuit for management purposes as a convenience to aid in selecting circuits from lists The default circuit name is Circuit n where n is some n...

Page 22: ...able Motorola Netopia Embedded Software Version 8 7 4 supports three ATM classes of service for data connections Unspecified Bit Rate UBR Constant Bit Rate CBR and Variable Bit Rate VBR You can configure these classes of service on a per VC basis The ATM Circuits Configuration Show Change Circuit Add Circuit Delete Circuit Add Circuit Circuit Name Circuit 2 Circuit Enabled Yes Circuit VPI 0 255 0 ...

Page 23: ...han or equal to the Peak Cell Rate which should be less than or equal to the line rate VBR has two sub classes a VBR non real time VBR nrt Typical applications are non real time traffic such as IP data traffic This class yields a fair amount of Cell Delay Variation CDV b VBR real time VBR rt Typical applications are real time traffic such as compressed voice over IP and video conferencing This cla...

Page 24: ...atic binding when the link is brought up If there are no VCs when you add a VC for example if you deleted all your previous VCs and started adding them again dynamic binding will occur when the link comes up If you delete a VC leaving only one VC that VC resumes dynamically binding again Select ADD Circuit NOW and press Return 9 To display or change a circuit select Display Change Circuit select a...

Page 25: ... methods for connection profiles used for a variety of purposes PPP RFC1483 ATMP PPTP IPsec L2TP Multiple Data Link Encapsulation Settings 4 Select Encapsulation Options and press Return If you selected ATMP PPTP L2TP or IPSec see Chapter 5 Virtual Private Networks VPNs Main Menu WAN Configuration Add Connection Profile Add Connection Profile Profile Name Profile 1 Profile Enabled Yes Encapsulatio...

Page 26: ...ed 1483 IP Profile Parameters COMMIT CANCEL Add Connection Profile Profile Name Profile 1 Profile Enabled Yes Encapsulation Type PPP Underlying Encapsulation None PPP Mode VC Multiplexed Encapsulation Options IP Profile Parameters Interface Group Primary COMMIT CANCEL Configure a new Conn Profile Finished COMMIT or CANCEL to exit If you selected RFC1483 the screen allows you to choose Bridged 1483...

Page 27: ... Line Backup on page 8 1 for more information Datalink PPP MP Options Data Compression Standard LZS Send Authentication PAP Send User Name Send Password Receive User Name Receive Password Dial on Demand Yes Idle Timeout seconds 300 Data Compression defaults to Standard LZS You can select Ascend LZS if you are connecting to compatible equipment or None from the pop up menu The Send Authentication p...

Page 28: ...ptions selection displays the RIP Profile Parameters screen IP Profile Parameters Address Translation Enabled Yes IP Addressing Numbered NAT Map List Easy PAT List NAT Server List Easy Servers NAT Options Stateful Inspection Enabled No Local WAN IP Address 0 0 0 0 Local WAN IP Mask 0 0 0 0 Filter Set Remove Filter Set RIP Profile Options Return Enter to select among between Configure IP requiremen...

Page 29: ... s Ethernet port will accept routing information provided by RIP packets from other routers that use the same subnet mask Set to v2 the Motorola Netopia Embedded Software Version 8 7 4 will accept routing information provided by RIP packets from other routers that use different subnet masks For more information on v2 MD5 Authentication see RIP Options on page 7 9 PPPoE PPPoA Autodetection Beginnin...

Page 30: ...screen by pressing Escape 9 Select COMMIT and press Return Your new Connection Profile will be added If you want to view the Connection Profiles in your device return to the WAN Configuration screen and select Display Change Connection Profile The list of Connection Profiles is displayed in a scrolling pop up screen PPPoE Options PPPoA Autodetect No Return Enter accepts Tab toggles ESC cancels WAN...

Page 31: ...eature is to defer configuration changes only when remotely configuring or reconfiguring the Motorola Netopia Router to prevent premature Telnet disconnection When this feature is enabled no changes to the WAN setup datalink encapsulation Connection Profiles or Default Gateway will take effect until after the Motorola Netopia Router is restarted Until the Motorola Netopia Router is restarted the W...

Page 32: ...on Scheduled Connections Scheduled connections are useful for PPPoE PPTP and ATMP connection profiles To go to the Scheduled Connections screen from the WAN Configuration screen select Advanced Connection Options and then select Scheduled Connections Advanced Connection Options No The Router will now be restarted to allow this feature to function properly Are you sure you want to do this CANCEL CO...

Page 33: ...ay is capitalized the connection will be activated on that day a lower case letter means that the connection will not be activated on that day If the scheduled connection is configured for a once only connection the word once will appear instead of the days of the week The other columns show Scheduled Connections Display Change Scheduled Connection Add Scheduled Connection Delete Scheduled Connect...

Page 34: ...connection select Scheduled Connection Enable and toggle it to On You can make the scheduled connection inactive by toggling Scheduled Connection Enable to Off Decide how often the connection should take place by selecting How Often and choosing Weekly or Once Only from the pop up menu The Schedule Type allows you to set the exact weekly schedule or once only schedule Options are Forced Up meaning...

Page 35: ...pts for such connections will be slower Once the connection is up it will be forced to remain up If How Often is set to Weekly the item directly below How Often reads Set Weekly Schedule If How Often is set to Once Only the item directly below How Often reads Set Once Only Schedule Set Weekly Schedule If you set How Often to Weekly select Set Weekly Schedule and go to the Set Weekly Schedule scree...

Page 36: ...nutes With a setting of 5 minutes it will try every 0 300 seconds after the first three retries to bring up the connection You are finished configuring the weekly options Return to the Add Scheduled Connection screen to continue Set Once Only Schedule If you set How Often to Once Only select Set Once Only Schedule and go to the Set Once Only Schedule screen Select Place Call On Date and enter a da...

Page 37: ...s specified in the associated scheduled connection if any exists Select ADD SCHEDULED CONNECTION to save the current scheduled connection Select CANCEL to exit the Add Scheduled Connection screen without saving the new scheduled connection Modifying a scheduled connection To modify a scheduled connection select Display Change Scheduled Connection in the Scheduled Connections screen to display a ta...

Page 38: ...ravel across your network For example you may want streaming video conferencing to use high quality but more restrictive connections or you might want e mail to use less restrictive but less reliable connections When you select Diffserv Options the Diffserve Options configuration screen appears Differentiated Services is disabled by default To enable Differentiated Services toggle Diffserv Enabled...

Page 39: ...is case be completely suppressed If it is a TCP stream it probably will time out To keep low priority TCP connections alive with minimal throughput while other applications are loading the Gateway with high priority traffic you might try setting the parameter to 90 The means a low priority packet will be forwarded whenever the relative packet count asymmetry defined as low high low with is greater...

Page 40: ...e set to 80 This would cause more of the low priority traffic to be throughput at the expense of the high priority streams As a result the file downloads might proceed at a more satisfactory rate while the degradation to the 10 or 20 VoIP calls might not be noticeable The lo hi asymmetry parameter is therefore one means of balancing the traffic load to satisfy everyone You can then define custom R...

Page 41: ...dress is the source IP address When you are finished select COMMIT and press Return You will be returned to the Diffserv Options screen and your settings will take effect Priority Queuing TOS bit Motorola Netopia Embedded Software Version 8 7 4 offers the ability to prioritize delay sensitive data over the WAN link on DSL connections Certain types of IP packets such as voice or multimedia packets ...

Page 42: ...ola Netopia Router will continuously Ping one or two hosts that you specify to determine when a link fails even if the physical connection remains established If Layer 3 WAN Link Failure Detection is enabled the Motorola Netopia Router will send continuous Pings so the WAN link will stay up and idle timeout will not occur See Virtual Router Redundancy VRRP on page 7 34 for a detailed description o...

Page 43: ...ection is assumed to be lost and the Virtual Router will relinquish Master status The Delay s field allows you to specify the time in seconds between Pings The default is five 5 seconds The Ping failures field allows you to specify the number of Ping time outs or failures after which the connection is assumed to be lost The default is ten 10 VRRP Options WAN Link Failure Detection Ping Enable Off ...

Page 45: ...system configuration options This section covers the following topics To access the system configuration screens select System Configuration in the Main Menu and press Return The System Configuration menu screen appears IP Setup on page 3 2 Wireless configuration on page 3 38 Filter Sets on page 3 2 Console Configuration on page 3 49 IP Address Serving on page 3 2 SNMP Simple Network Management Pr...

Page 46: ... DHCP WANIP and BootP Details are given in IP Address Serving on page 7 17 Network Address Translation NAT These screens allow you to configure the Multiple Network Address Translation MultiNAT features Details are given in Multi NAT on page 4 1 System Configuration IP Setup Filter Sets IP Address Serving Network Address Translation NAT Stateful Inspection VLAN Configuration Date and Time Wireless...

Page 47: ...ending packets may be discarded if it is determined to be a DoS attack Add Exposed Address List Accesses the Add Exposed Address List screen See Add Exposed Address List on page 3 3 Exposed Address Associations Accesses the Exposed Address Associations screen See Exposed Address Associations on page 3 7 The hosts specified in Exposed addresses will be allowed to receive inbound traffic even if the...

Page 48: ...ge appears Stateful Inspection UDP no activity timeout sec 180 TCP no activity timeout sec 14400 Add Exposed Address List Exposed Address Associations Return Enter goes to new screen Return Enter to configure Xposed IP addresses Add Exposed Address List Exposed Address List Name xposed_list_1 Return accepts ESC cancels Left Right moves insertion point Del deletes ...

Page 49: ... to expose The pop up Protocol menu offers the type of protocols to be assigned to this range Add Exposed Address List Exposed Address List Name xposed_list_1 Add Exposed Address Range Return Enter goes to new screen Add Exposed Address Range xposed_list_1 First Exposed Address 0 0 0 0 Last Exposed Address 0 0 0 0 Protocol ANY ADD EXPOSED ADDRESS RANGE CANCEL Enter an IP address in decimal and dot...

Page 50: ...e The acceptable range is from 1 65535 Port End End port of the range to be allowed to the host range The acceptable range is from 1 65535 Add Exposed Address Range xposed_list_1 First Exposed Address 192 168 1 10 Last Exposed Address Protocol TCP and UDP TCP UDP ANY ADD EXPOSED ADDRESS RANGE CANCEL Add Exposed Address Range xposed_list_1 First Exposed Address 192 168 1 10 Last Exposed Address 192...

Page 51: ...e Add Edit or Delete exposed addresses options are active only if NAT is disabled on a WAN interface The hosts specified in exposed addresses will be allowed to receive inbound traffic even if there is no corresponding outbound traffic Exposed Address Associations Enable and configure stateful inspection on a WAN interface Add Exposed Address List Exposed Address Range Protocol 192 168 1 10 192 16...

Page 52: ...arameters Address Translation Enabled Yes IP Addressing Numbered NAT Map List Easy PAT List NAT Server List Easy Servers NAT Options Stateful Inspection Enabled No Local WAN IP Address 0 0 0 0 Local WAN IP Mask 0 0 0 0 Filter Set Remove Filter Set RIP Profile Options Return Enter to select among between Configure IP requirements for a remote network connection here IP Profile Parameters Address Tr...

Page 53: ... Stateful Inspection is enabled on a base connection profile for example for PPP RFC1483 bridged routed or PPPoE Enable default mapping to router must be yes to allow inbound VPN terminations for example for PPTP ATMP client access to the router Deny Fragmented Packets Toggling this option to Yes causes the router to discard fragmented packets on this interface You can apply these parameters to yo...

Page 54: ... UDP Bootpc Yes No 80 TCP HTTP Yes No 137 UDP Netbios ns Yes No 138 UDP Netbios dgm Yes No 161 UDP SNMP Yes No 500 UDP ISAKMP Yes No 520 UDP Router Yes No 1701 UDP L2TP Yes No 1900 UDP UPnP Yes No 1723 TCP PPTP Yes No Stateful Inspection Parameters Exposed Address List N Max TCP Sequ xposed_list_1 0 None Enable defaul No Deny Fragment No Exposed Addre Up Down Arrows to select then Return Enter ESC...

Page 55: ...and prioritization parameters can be applied to each individual service delivering that service to the appropriate networked device with the required level of quality of service QoS In effect a single Motorola gateway acts as separate virtual gateways for each distinct service being delivered Motorola s VGx technology provides service segmentation and QoS controls and supports delivery of triple p...

Page 56: ...orwarded If traffic needs to be bridged between LAN and WAN you can create a single VLAN that encompasses the WAN port and LAN ports If traffic needs to be routed then you must define four elements LAN side VLANs WAN side VLANs Associate IP Interfaces to VLANs Inter VLAN Routing Groups configuration of routing between VLANs is done by association of a VLAN to a Routing Group Traffic will be routed...

Page 57: ...An example of multiple VLANs using a Netopia Router with VGx managed switch technology is shown below A VLAN Model Combining Bridging and Routing ...

Page 58: ... appears Toggle VLAN Enable to On and press Return The Add VLAN selection appears Select Add VLAN and press Return VLAN Configuration VLAN Enable Off Set Up VLAN from this and the following Menus VLAN Configuration VLAN Enable On Add VLAN Authentication Server Configuration Return Enter to select among between Set Up VLAN from this and the following Menus ...

Page 59: ...rded to other ports that are not within a common VLAN segment global Indicates that the ports joining this VLAN are part of a global 802 1q Ethernet VLAN This VLAN includes ports on this Router and may include ports within other devices throughout the network The VID in this case may define the behavior of traffic between all devices on the network having ports that are members of this VLAN segmen...

Page 60: ...ise it does not appear If you are configuring a VLAN for a Motorola Netopia Router model with VGx technology wired or wireless you can specify a RADIUS server for user authentication by toggling 802 1x to Yes See Adding a RADIUS Profile on page 3 18 The default is No Add VLAN Name IP Address Primary LAN 192 168 1 1 Additional LAN 1 0 0 0 0 Additional LAN 2 1 1 1 1 Easy Setup Profile 127 0 0 2 None...

Page 61: ...ow VLANs in the group to route traffic to the others as discussed on page 3 12 ungrouped VLANs cannot route traffic to each other When you select Inter VLAN Routing the Inter VLAN Routing screen appears For each VLAN Group that you want to route traffic to each other toggle VLAN Group n Enabled to On and press Return Press Escape to return to the Add VLAN screen Inter VLAN Routing VLAN Group 1 Ena...

Page 62: ... enabled with WPA 802 1x enabled in Wireless Privacy or have the VLANs set to 802 1x disabled and Wireless Privacy set to some other privacy setting In that case Wireless Privacy can be any setting Wireless does not currently support separate privacy modes per SSID When enabling WPA 802 1x wireless will default to the RADIUS configuration specified in Advanced Security Options see Advanced Securit...

Page 63: ... server CHAP secret here as above RADIUS Identifier Enter the RADIUS Network Access Server NAS identifier The default NAS identifier is an ASCII representation of the server s base MAC address RADIUS Server Authentication Port Ordinarily the RADIUS server port number is 1812 If you are using a different port number enter it here Select ADD PROFILE and press Return You will be returned to the Add ...

Page 64: ...gy you can also associate a VLAN with each of the physical Ethernet managed switch ports When setting up a VLAN typically you will add one or more physical ports such as an Ethernet port or a wireless SSID Note You can associate two VLANs one of which is 802 1x authenticated and the other is not with the same port This allows you to have authenticated access for PCs on the wired or wireless LAN to...

Page 65: ...parameters Tag The Tag option is only available on global type ports Packets transmitted from this port through this VLAN must be tagged with the VLAN VID Packets received through this port destined for this VLAN must be tagged with the VLAN VID by the source Display Change VLAN VLAN ID 1 4094 1 VLAN Type port based VLAN Name Network A VLAN Network Easy Setup Profile Inter VLAN Routing 1 2 802 1x ...

Page 66: ... port for this VLAN All mappings between Ethernet 802 1p and IP TOS are made according to a pre defined QoS mapping policy The pre defined mapping can now be set in the CLI See the Command Line Interface Commands Reference for more information Select COMMIT and press Return Your VLAN settings will be associated with the port you have selected Example Note VLAN changes require a reboot to take effe...

Page 67: ...nd selecting Display Change VLAN or Delete VLAN In either case select the VLAN that you want to change or delete from the pop up menu and press Return VLAN Configuration VLAN Enable VLAN ID NAME Display Change VLAN 10 Network A Add VLAN Delete VLAN Authentication Server Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit ...

Page 68: ...nt to change or delete from the pop up menu and press Return If you are deleting a profile you will be challenged to be sure that you want to delete the profile that you have selected If you select CONTINUE the profile will be deleted Authentication Server Configuration Profile Name Display Change Server ATE1 V1 Add Server Profile Delete Server Profile Up Down Arrow Keys to select ESC to dismiss R...

Page 69: ... Add Server Profile and press Return The Add Server Profile screen appears VLAN Configuration Display Change VLAN Add VLAN Delete VLAN Authentication Server Configuration Set Up VLAN from this and the following Menus Authentication Server Configuration Display Change Server Profile Add Server Profile Delete Server Profile Return Enter to modify an existing server profile Set Up Authentication Serv...

Page 70: ...Restarting the System on page 11 8 Add Server Profile Profile Name Authentication Profile 2 Remote Server Addr Name Remote Server Secret Alt Remote Server Addr Name Alt Remote Server Secret RADIUS Identifier RADIUS Server Authentication Port 1812 ADD PROFILE CANCEL Return accepts ESC cancels Left Right moves insertion point Del deletes Configure a new RADIUS or TACACS profile ...

Page 71: ...ur ports of the Ethernet Switch so that those two networks can communicate The second VLAN will be for a different SSID The third VLAN will be for communication with the Internet WAN This setup might be useful if you have a doctor s office or a coffee shop and you want to keep your customers separated from the rest of the network 1 In the VLAN Configuration screen toggle VLAN Enable to On select A...

Page 72: ...menu select Network A which you have just created Add VLAN VLAN ID 1 4094 1 VLAN Type port based VLAN Name Network A VLAN Network None Inter VLAN Routing 802 1x No Once a VLAN has been successfully added configure ports using the Add Port Interface option of the Display Change VLAN menu ADD VLAN CANCEL Return Enter to select among between Configure a new VLAN and its associated ports Add VLAN Name...

Page 73: ...the physical Ethernet ports Eth 0 1 through Eth 0 4 and wireless SSID 2 You must select the interfaces one at a time and press COMMIT for each one Inter VLAN Routing VLAN Group 1 Enabled On VLAN Group 2 Enabled Off VLAN Group 3 Enabled Off VLAN Group 4 Enabled Off VLAN Group 5 Enabled Off VLAN Group 6 Enabled Off VLAN Group 7 Enabled Off VLAN Group 8 Enabled Off Display Change VLAN VLAN ID 1 4094 ...

Page 74: ... 0 3 Port IPTOS Promote Eth 0 4 Port SSID 1 Port SSID 2 Port SSID 3 Port SSID 4 Port Easy Setup Profile Profile COMMIT CANCEL Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit Display Change VLAN NAME TYPE VLAN ID 1 4094 Eth 0 1 Port VLAN Type Eth 0 2 Port VLAN Name Eth 0 3 Port VLAN Network Eth 0 4 Port Inter VLAN Routing SSID 2 Port 802 1x Add Port Interface Change Port Interface ...

Page 75: ...k B which you have just created Add VLAN VLAN ID 1 4094 2 VLAN Type port based VLAN Name Network B VLAN Network Primary LAN Inter VLAN Routing 802 1x No Once a VLAN has been successfully added configure ports using the Add Port Interface option of the Display Change VLAN menu ADD VLAN CANCEL Return Enter to select among between Configure a new VLAN and its associated ports Add VLAN Name IP Address...

Page 76: ...to the previous screen 12 Select Add Port Interface and press Return Inter VLAN Routing VLAN Group 1 Enabled Off VLAN Group 2 Enabled On VLAN Group 3 Enabled Off VLAN Group 4 Enabled Off VLAN Group 5 Enabled Off VLAN Group 6 Enabled Off VLAN Group 7 Enabled Off VLAN Group 8 Enabled Off Display Change VLAN VLAN ID 1 4094 2 VLAN Type port based VLAN Name Network B VLAN Network Primary LAN Inter VLAN...

Page 77: ...ape Add Port Interface NAME TYPE Port Interface Eth 0 1 Port Eth 0 2 Port TOS Priority Eth 0 3 Port IPTOS Promote Eth 0 4 Port SSID 1 Port SSID 2 Port SSID 3 Port SSID 4 Port Easy Setup Profile Profile COMMIT CANCEL Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit Add Port Interface Port Interface SSID 1 TOS Priority No IPTOS Promote No COMMIT CANCEL Add A Port Interface to a VLAN ...

Page 78: ...n Add VLAN VLAN ID 1 4094 3 VLAN Type port based VLAN Name WAN VLAN VLAN Network None Inter VLAN Routing 802 1x No Once a VLAN has been successfully added configure ports using the Add Port Interface option of the Display Change VLAN menu ADD VLAN CANCEL Return Enter to select among between Configure a new VLAN and its associated ports Add VLAN Name IP Address Primary LAN 192 168 1 1 Additional LA...

Page 79: ... your Connection Profile in this case the Easy Setup Profile Select COMMIT and press Return Inter VLAN Routing VLAN Group 1 Enabled On VLAN Group 2 Enabled On VLAN Group 3 Enabled Off VLAN Group 4 Enabled Off VLAN Group 5 Enabled Off VLAN Group 6 Enabled Off VLAN Group 7 Enabled Off VLAN Group 8 Enabled Off Add Port Interface NAME TYPE Port Interface Eth 0 1 Port Eth 0 2 Port TOS Priority Eth 0 3 ...

Page 80: ...ce you have finished with the VLAN configuration restart the Motorola Netopia Router Display Change VLAN VLAN ID 1 4094 3 VLAN Type port based VLAN Name WAN VLAN VLAN Network Easy Setup Profile Inter VLAN Routing 1 2 802 1x No Add Port Interface Change Port Interface Display Delete Port Interface Return Enter to Add Port Interface to VLAN ...

Page 81: ...en will change to allow you to manually enter the time and date parameters Motorola Netopia Embedded Software Version 8 7 4 updates timestamps reported in the system logs with new timestamps as these are updated via NTP See Statistics Logs on page 9 3 Note If time and date are manually set that information will be lost upon reboot or loss of power 2 Enter the IP address of the time server in the f...

Page 82: ...ateway for the change to take effect See Restarting the System on page 11 8 SSID Wireless ID The SSID is preset to a number that is unique to your unit You can either leave it as is or change it by entering a freeform name of up to 32 characters for example Ed s Wireless LAN On client PCs software this might also be called the Network Name The SSID is used to identify this particular wireless LAN ...

Page 83: ... full two to three second scan and switch to the best channel it can find remaining on that channel until the next reboot Continuous performs the at startup scan and will continuously monitor the current channel for any other Access Point activity If Access Point activity is detected on the same channel the Motorola Netopia Router will initiate a scan of the other channels locate a less active one...

Page 84: ...manufacturers and different operating systems accomplish connecting to a wireless LAN and enabling WEP in a variety of ways Consult the documentation for your particular wireless card and or operating system Wireless Multimedia WMM Wireless Multimedia is an advanced feature that allows you to prioritize various types of data travelling over the wireless network Certain types of data that are sensi...

Page 85: ...an be between 8 and 63 characters but for best security it should be at least 20 characters Clients wishing to connect must also be configured to use WPA with this same key Wireless LAN Configuration Enable Wireless Yes SSID 0271 1000 Block Wireless Bridging No Channel 6 AutoChannel Closed System Wireless Multimedia WMM Off Enable Privacy diffserv Wireless Multiple SSID Setup MAC Address Authentic...

Page 86: ...roperability Wireless LAN Configuration Enable Wireless Yes SSID 0271 1000 Block Wireless Bridging No Channel 6 AutoChannel Off Closed System Open Enable Privacy WPA PSK Pre Shared Key Pre Shared Key Wireless Multiple SSID Setup MAC Address Authentication Select an 8 to 63 character passphrase At least 20 is ideal for best security Wireless LAN Configuration Enable Wireless Yes SSID 0271 1000 Bloc...

Page 87: ...fic on your LAN Wireless LAN Configuration Enable Wireless Yes SSID 7101 3245 Block Wireless Bridging No Channel AutoChannel Closed System All Enable Privacy WPA Version 1 WPA Version WPA Version 2 Pre Shared Key Wireless Multiple SSID Setup MAC Address Authentication Wireless LAN Configuration Enable Wireless Yes SSID 0271 1000 Block Wireless Bridging No Channel 6 AutoChannel Off Closed System Op...

Page 88: ...You can passphrase generate a set of keys on one and manually enter them on the other to get around this Select the Default Key 1 4 The longer the key the stronger the encryption and the more difficult it is to break the encryption On Manual allows you to enter your own encryption keys manually This is a difficult process but only needs to be done once Avoid the temptation to enter all the same ch...

Page 89: ...Enable Multiple SSIDs to Yes and enter names or other identifiers for up to three additional SSIDs you want to create Multiple SSID Configuration Enable Multiple SSIDs No Second SSID 0000 0000 Enable Privacy Off Third SSID 0000 0000 Enable Privacy Off Fourth SSID 0000 0000 Enable Privacy Off Configure additional wireless SSID s that clients can associate with Multiple SSID Configuration Enable Mul...

Page 90: ... clients is disabled for all members of these additional network IDs See Block Wireless Bridging on page 3 39 Multiple SSID Configuration Enable Multiple SSIDs On Second SSID GameRoom Enable Privacy WPA Version Key All WPA Version 1 Third SSID WPA Version 2 Enable Privacy Fourth SSID 0000 0000 Enable Privacy Off Multiple SSID Configuration Enable Multiple SSIDs On Second SSID GameRoom Enable Priva...

Page 91: ...t MAC Address Authentication and press Return The Authorized MAC Addresses screen appears From the MAC Authentication Mode pull down menu select the mode you want to implement Disabled turns MAC Authentication off Authorized MAC Addresses MAC Authentication Mode Disabled Wireless Only Yes Display Change MAC Addresses Add MAC Address Delete MAC Address Return Enter to select among between Add View ...

Page 92: ...dress screen appears Enter the MAC hardware address of the client PC you want to authorize for access to your wireless LAN MAC Allowed is set to Yes enabled by default Toggling this to No disabled specifically denies access from this MAC address Select ADD MAC NOW and press Return Your entry will be added to a list of up to 32 authorized addresses To display the list of authorized MAC addresses se...

Page 93: ...change the default terminal communications parameters to suit your requirements To go to the Console Configuration screen select Console Configuration in the System Configuration screen Follow these steps to change a parameter s value MAC Address Permission 00 0a 27 ae 71 a4 Allowed 00 0b 28 af 72 b5 Allowed 00 0c 29 bd 69 b3 Blocked Select an address to modify Console Configuration Baud Rate 9600...

Page 94: ...twork Management Protocol SNMP on page 9 8 Security These screens allow you to add users and define passwords on your network Details are given in Security on page 10 1 Upgrade Feature Set You can upgrade your Motorola Netopia Router by adding new feature sets through the Upgrade Feature Set utility See the release notes that came with your Router or feature set upgrade or visit the Motorola Web s...

Page 95: ...elect Router Bridge Set and from the pop up menu choose the option you want Router retains the full routing features and corresponding menus Bridge the device becomes a simple bridge offering no routing features Corresponding menus are hidden Mixed bridging routing allows concurrent bridging and routing and retains corresponding menus for routing features You will be challenged to confirm your cho...

Page 96: ...ternet Group Management Protocol IGMP Motorola Netopia Gateways support IGMP Version 1 Version 2 or Version 3 See Multicast Forwarding on page 7 32 for more information Unicasting multicast streams for a wireless link aims at improving the receipt of multicast data by a wireless client The router replaces the multicast MAC address with the physical MAC address of the wireless client If there is mo...

Page 97: ...group membership for the purpose of restricting multicast transmissions to only those ports which have requested them This helps to reduce overall network traffic from streaming media and other bandwidth intensive IP multicast applications Wireless M2U Wireless Multicast to Unicast if IGMP Snooping is set to On toggling this option to On permits mapping an IP multicast to a wireless unicast If IGM...

Page 98: ...uter is configured for IGMP forwarding If any IGMP v1 routers are present on the subnet the querier must use IGMP v1 The use of IGMP v1 must be administratively configured since there is no reliable way of dynamically determining whether IGMP v1 routers are present on a network IGMP forwarding is enabled per IP Profile and WAN Connection Profile See Multicast Forwarding on page 7 32 for more infor...

Page 99: ...ber of subsets of the events entered in the Router s WAN Event History See WAN Event History on page 9 4 Select Logging from the System Configuration menu The Logging Configuration screen appears By default all events are logged in the event history By toggling each event descriptor to either Yes or No you can determine which ones are logged and which are ignored You can enable or disable the sysl...

Page 100: ... tsnext netopia com Link 1 down No answer May 5 10 14 06 tsnext netopia com Device restarted May 5 10 14 06 tsnext netopia com Received Speech Setup Ind from DN not supplied May 5 10 14 06 tsnext netopia com Requested Connect to our DN 5108645534 May 5 10 14 06 tsnext netopia com ASYNC Modem carrier detected more Modem reports 26400 V34 May 5 10 14 06 tsnext netopia com WAN 56K Modem 1 activated a...

Page 101: ...access allowed 5 dropped violation of security policy 6 dropped invalid checksum 7 dropped invalid data length 8 dropped fragmented packet 9 dropped cannot fragment 10 dropped no route found 11 dropped possible land attack 12 dropped reassembly timeout 13 dropped illegal size 14 dropped invalid IP version 15 TCP SYN flood detected 16 Telnet receive DoS attack packets dropped 17 administrative acce...

Page 102: ...type Local mode mode Remote mode mode 12 PPP sessionID authentication failed Channel channelID Reason reason 13 PPP authentication type remote accepted us Channel ChannelID Remote name name 14 PPP authentication type we accepted remote Channel ChannelID Remote name name 15 PPP NCP up more Remote auth name name 16 PPP Remote auth name not found name 17 PPP BACP negotiated session sessionID Local MN...

Page 103: ...ocal addr profile Name spi SPI sg IP Address 50 IPsec rx spi mismatch profile Name spi SPI sg IP Address 51 IPsec rx auth fail profile Name spi SPI sg IP Address 52 IPsec rx crypt fail profile Name spi SPI sg IP Address 53 IPsec rx spi not found protocol Prot spi SPI sg IP Address 54 IPsec rx sg mismatch profile Name spi SPI sg IP Address 55 IPsec rx sa proto profile Name spi SPI sg IP Address 56 ...

Page 104: ... L2TP session result code Result error code Error 82 SCHED Next retry in Num seconds profile Name Procedure for Default Installation for ICSA firewall certification of Small Medium Business Category Module ADSL Routers Note The following installation procedure outlines steps needed to enable required features to comply with ICSA firewall certification For more information please go to the followin...

Page 105: ...ired by going to Add Access Name Pass word 5 Escape once back to Main Menu Setting up an encrypted communication channel PPTP with MS CHAP MPPE See Virtual Private Networks VPNs on page 5 1 for more information 1 From the Main Menu Go to Quick Menus 2 Select ATMP PPTP Default Profile 3 Set Answer ATMP PPTP Connections to Yes 4 Under PPTP Configuration Options set Receive Authentication to MS CHAP ...

Page 106: ...e Options f Escape to the Main Menu and go to Utilities and Diagnostics g Select Restart System and CONTINUE The router is now configured for incoming PPTP from a remote Dial Up Networking client Set up NTP See Date and time on page 3 37 for more information 1 NTP is enabled by default 2 To change NTP Settings Go to System Configuration and select Date and Time 3 Set Date and Time parameters if de...

Page 107: ...activity timeout sec can be adjusted b TCP no activity timeout sec can be adjusted c Set DoS Detect to Yes d Escape twice to get to the Main Menu 2 Go to WAN Configuration 3 Select Display Change Connection Profile 4 Select Easy Setup Profile if available or the desired Connection Profile you have created 5 Go to IP Profile Parameters 6 Under IP Profile Parameters Set Stateful Inspection Enabled t...


Page 109: ...ns It allows the addresses of many computers on a LAN to be represented to the public Internet by only one or a few addresses saving you money It can be used as a security feature by obscuring the true addresses of important machines from potential hackers on the Internet To help you understand some of the concepts discussed here it may be helpful to introduce some NAT terminology The term mapping...

Page 110: ... make it possible to provide access from the public network to hosts on the LAN Server lists allow you to define particular services such as Web ftp or e mail which are available via a public IP address You define the type of service you would like to make available and the internal IP address to which you would like to provide access You may also define a specific public IP address to use for thi...

Page 111: ...otorola Netopia s NAT implementation makes it possible to have a static mapping of one public address to one private address thus allowing applications such as NetMeeting to work by assuring that any traffic sent back to the source IP address is forwarded through to the internal machine Static one to one mapping works well if you have enough IP addresses for all the workstations on your LAN If you...

Page 112: ...ade in this order 1 The Motorola Netopia Router first checks its internal NAT cache to see if the data is part of a previously initiated connection if not 2 The Motorola Netopia Router checks the configured server lists to see if this traffic is intended to be forwarded to an internal host based on the type of service 3 The Motorola Netopia Router then checks to see if there is a static dynamic or...

Page 113: ...urce or destination IP addresses in the data stream Support for AOL Instant Messenger AIM File Transfer Motorola Netopia Embedded Software Version 8 7 4 provides Application Level Gateway ALG support for AOL Instant Messenger AIM file transfer This allows AIM users to exchange files even when both users are behind NAT Previously the file transfer function would work only if one or neither of the t...

Page 114: ...s is used to configure a NAT public address range consisting of the Local WAN IP Address and all its ports The public address map list is named Easy PAT List and the port map list is named Easy Servers The two map lists Easy PAT List and Easy Servers are created by default and NAT configuration becomes effective This will map all your private addresses 0 0 0 0 through 255 255 255 255 to your publi...

Page 115: ...Server List to your WAN interface via a Connection Profile or the Default Profile The three NAT features all operate completely independently of each other although they can be used simultaneously on the same Connection Profile You can configure a simple 1 to many PAT often referred to simply as NAT mapping using Easy Setup More complex setups require configuration using the Network Address Transl...

Page 116: ... and ports so that connections initiated from the outside can access an interior server System Configuration IP Setup Filter Sets IP Address Serving Network Address Translation NAT Stateful Inspection VLAN Configuration Date and Time Wireless Configuration Console Configuration SNMP Simple Network Management Protocol Security Upgrade Feature Set Router Bridge Set Router IGMP Internet Group Managem...

Page 117: ...Public Port and enter the first and last exterior ports in the range These are the ports that will be used for traffic initiated from the private LAN to the out side world Note For PAT map lists and server lists if you use the Public Address 0 0 0 0 the list will acquire its public IP address from the WAN IP address specified by your WAN IP configuration in the Connection Profile If that is a stat...

Page 118: ... be returned to the Network Address Translation screen Once the public ranges have been assigned the next step is to bind interior addresses to them Because these bindings occur in ordered lists called map lists you must first define the list then add mappings to it From the Network Address Translation screen select Add Map List and press Return The Add NAT Map List screen appears Select Map List ...

Page 119: ...lic ranges you defined select the one that you want to map to the interior range for this mapping and press Return Add NAT Map my_map First Private Address 192 168 1 1 Last Private Address 192 168 1 254 Use NAT Public Range ADD NAT MAP CANCEL Add NAT Map my_map Public Address Range Type Name 0 0 0 0 pat Easy PAT 206 1 1 6 pat my_first_range 206 1 1 1 206 1 1 2 static my_second_range NEW RANGE Up D...

Page 120: ...P and press Return Your mapping is added to your map list Modifying map lists You can make changes to an existing map list after you have created it Since there may be more than one map list you must select which one you are modifying From the Network Address Translation screen select Show Change Map List and press Return Select the map list you want to modify from the pop up menu Add NAT Map my_m...

Page 121: ...lows you to delete a map from the list Selecting Show Change Maps or Delete Map displays the same pop up menu Network Address Translation NAT Map List Name Add Out Easy PAT List Show Ch my_map Delete Add Map Show Ch Delete Add Ser Show Ch Delete NAT Ass Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit Show Change NAT Map List Map List Name my_map Add Map Show Change Maps Delete Map...

Page 122: ...NAT Map List screen Show Change NAT Map List Private Address Range Type Public Address Range 192 168 1 1 192 168 1 254 pat 206 1 1 6 192 168 1 253 192 168 1 254 static 206 1 1 1 206 1 1 2 192 168 1 1 192 168 1 252 dynamic 206 1 1 3 206 1 1 5 Change NAT Map my_map First Private Address 192 168 1 253 Last Private Address 192 168 1 254 Use NAT Public Range my_second_range Public Range Type is static ...

Page 123: ...gh other means such as a static mapping you must create a server list Select Add Server List from the Network Address Translation screen The Add NAT Server List screen appears Select Server List Name and type in a descriptive name A new menu item Add Server appears Select Add Server and press Return The Add NAT Server screen appears Add NAT Server List Server List Name my_servers Add Server ...

Page 124: ...enter the port number range for your customized service Add NAT Server my_servers External Service Server Private IP Address 0 0 0 0 Public IP Address 0 0 0 0 Protocol TCP and UDP Internal Port Start 0 ADD NAT SERVER CANCEL Return Enter to select among between Add NAT Server my_servers Type Port s External Service ftp 20 21 telnet 23 Server Private IP Address smtp 25 tftp 69 Public IP Address goph...

Page 125: ...st also be configured for static routes to these public addresses on the Motorola Netopia Router Enter the Public IP Address to which you are exporting the service Note For PAT map lists and server lists if you use the Public Address 0 0 0 0 the list will acquire its public IP address from the WAN IP address specified by your WAN IP configuration in the Connection Profile If that is a static IP ad...

Page 126: ... a port range export Without the export CUSeeMe will fail to work This is true unless a static mapping is in place for the host using CUSeeMe In that case no server list entry is necessary Modifying server lists Once a server list exists you can select it for modification or deletion Select Show Change Server List from the Network Address Translation screen Select the Server List Name you want to ...

Page 127: ...r or Delete Server displays the same pop up menu Network Address Translation NAT Server List Name A my_servers S D A S D A S D Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit Show Change NAT Server List Server List Name my_servers Add Server Show Change Server Delete Server ...

Page 128: ...how Change NAT Server List menu and press Return Show Change NAT Server List Private Address Public Address Port Protocol 192 168 1 254 206 1 1 1 smtp TCP and UDP 192 168 1 254 206 1 1 2 ftp TCP and UDP 192 168 1 254 206 1 1 4 tftp TCP 192 168 1 254 206 1 1 3 gopher TCP and UDP 192 168 1 254 206 1 1 5 timbuktu TCP and UDP Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit Change NAT ...

Page 129: ...ult Profile screen see page 4 23 of the Default Profile configuration menu the Binding Map Lists and Server Lists screen see page 4 21 IP profile parameters To bind a map list to a Connection Profile from the Main Menu go to the WAN Configuration screen then the Display Change Connection Profile screen From the pop up menu list of your Connection Profiles choose the one you want to bind your map l...

Page 130: ...y Servers NAT Options Stateful Inspection Enabled No Local WAN IP Address 0 0 0 0 Local WAN IP Mask 0 0 0 0 Remote IP Address 127 0 0 2 Remote IP Mask 255 255 255 255 Filter Set Remove Filter Set RIP Profile Options Toggle to Yes if this is a single IP address ISP account Configure IP requirements for a remote network connection here IP Profile Parameters NAT Map List Name Address Trans s IP Addre...

Page 131: ...itly configured Connection Profile The procedure is similar to the procedure to bind map lists and server lists to a Connection Profile From the Main Menu go to the WAN Configuration screen then the Default Profile screen Select IP Parameters and press Return The IP Parameters Default Profile screen appears IP Profile Parameters NAT Server List Name Address Trans s IP Addressing Easy Servers mbere...

Page 132: ...erver List and press Return A pop up menu displays a list of your defined server lists IP Parameters Default Profile Address Translation Enabled Yes NAT Map List Easy PAT List NAT Server List Easy Servers Filter Set Firewall Remove Filter Set Rip Options Return Enter accepts Tab toggles ESC cancels IP Parameters Default Profile NAT Map List Name Easy PAT List my_map Address Trans None s NAT Map Li...

Page 133: ...hernet interface a default profile or a default answer profile Once you have configured your map and server lists you may want to reassign them to different interface controlling profiles for example Connection Profiles To permit easy access to this IP Setup functionality you can use the NAT Associations screen You access the NAT Associations screen from the Network Address Translation screen Sele...

Page 134: ...u want to assign and press Return again Your selection will then be associated with the corresponding profile or interface NAT Associations Profile Interface Name Nat Map List Name Server List Name Default Answer Profile On my_first_map my_servers Easy Setup Profile On Easy PAT my_servers Profile 01 On my_second_map my_servers Profile 02 On my_first_map my_server_list Profile 03 On None None NAT A...

Page 135: ... configuration will default to a class C subnet mask Note Globally only one dynamically configured DHCP subnet is available If you configure multiple Connection Profiles to use IP Passthrough s DHCP option when any of these profiles is established the dynamic DHCP configuration will be overwritten IP passthrough is restricted to the primary LAN In the case of an Ethernet WAN router the IP passthro...

Page 136: ...mbered NAT Map List Easy PAT List NAT Server List Easy Servers NAT Options Stateful Inspection Enabled No Local WAN IP Address 0 0 0 0 Local WAN IP Mask 0 0 0 0 Filter Set Remove Filter Set RIP Profile Options Toggle to Yes if this is a single IP address ISP account Configure IP requirements for a remote network connection here NAT Options IP Passthrough Enabled No Toggle ON to allow local WAN IP ...

Page 137: ...nt will get the IP passthrough address Note that there is no way to control which PC has the IP passthrough address without releasing all other DHCP leases on the LAN Note If you specify a non zero MAC address the DHCP Client Identifier must be in the format specified above Macintosh computers allow the DHCP Client Identifier to be entered as a name or text however Motorola Netopia routers accep...

Page 138: ...ny PAT you can connect more than five devices but use only one of your addresses Using multiNAT you can make full use of the address range The example assumes the following range of addresses offered by a typical ISP Public IP addresses assigned by the ISP are 206 1 1 1 through 206 1 1 6 255 255 255 248 subnet mask Your internal devices have IP addresses of 192 168 1 1 through 192 168 1 254 255 25...

Page 139: ...P Address 206 1 1 6 Local WAN IP Mask 255 255 255 248 PREVIOUS SCREEN NEXT SCREEN Return Enter takes you back to previous screen Enter basic information about your WAN connection with this screen IP Easy Setup Ethernet IP Address 192 168 1 1 Ethernet Subnet Mask 255 255 255 0 Domain Name ISP net Primary Domain Name Server 173 166 101 1 Secondary Domain Name Server 173 166 102 1 Default IP Gateway ...

Page 140: ...range and list Select CHANGE NAT PUBLIC RANGE and press Return This returns you to the Network Address Translation screen Select Add Public Range and press Return Type a name for this static range as shown below Enter the first and last public addresses your ISP assigned in their respective fields as shown The first five public IP addresses 206 1 1 1 206 1 1 5 in this example are statically mapped...

Page 141: ...ss Select Use NAT Public Range and from the pop up menu choose Static Range Select ADD NAT MAP and press Return This will statically map the first five public IP addresses to the first five corresponding private IP addresses and will map 206 1 1 6 to the remaining private IP addresses using PAT Add NAT Public Range Range Name Static Range Type static First Public Address 206 1 1 1 Last Public Addr...

Page 142: ...Mail servers IP addresses are no longer included in the range of static mappings and are therefore no longer accessible to the outside world Users on the Internet will not be able to Telnet Web SNMP or ping to them It is best also to navigate to the public range screen and change the Static Range to go from 206 1 1 5 Next navigate to Show Change Server List and select Easy Servers and then Add Ser...

Page 143: ...about the happenings on opposite sides of the state or the continent that you are mutually interested in When your next door neighbor picks up the phone to call her daughter at college at the same time you are talking to your relatives your calls don t overlap but each is separate and private Neither house has a direct wire to the places they call Both share the same lines on the telephone poles o...

Page 144: ...ommon use for tunnelling Point to Point Tunnelling Protocol PPTP IP Security IPsec Layer 2 Transport Protocol L2TP Generic Routing Encapsulation GRE and Ascend Tunnel Management Protocol ATMP The Motorola Netopia Router can use any of these Point to Point Tunneling Protocol PPTP is an extension of Point to Point Protocol PPP and uses a client and server model Motorola Netopia s PPTP implementation...

Page 145: ...her in a wrapper called General Routing Encapsulation GRE at one end of the tunnel and unwraps or decapsulates it at the other end Configuring the Motorola Netopia Router for use with the different protocols is done through the Telnet based menu screens Each type is described in its own section About PPTP Tunnels on page 5 4 About IPsec Tunnels on page 5 7 About L2TP Tunnels on page 5 7 About GRE ...

Page 146: ...swer Profile See ATMP PPTP Default Profile on page 5 17 for more information PPTP is a Datalink Encapsulation option in Connection Profiles It is not an option in device or link configuration screens as PPTP is not a native encapsulation Consequently the Easy Setup Profile does not offer PPTP datalink encapsulation See the Creating a New Connection Profile on page 2 8 for information on creating C...

Page 147: ... WAN the Tunnel Via Gateway field allows this path to be resolved From the pop up menu select an Authentication protocol for the PPP connection Options are PAP CHAP or MS CHAP The default is PAP The authentication protocol must be the same on both ends of the tunnel You can specify a Data Compression algorithm either None or Standard LZS for the PPTP connection Note When the Authentication protoco...

Page 148: ... a PNS Tunnels are normally initiated On Demand however you can disable this feature When disabled the tunnel must be manually established or may be scheduled using the scheduled connections feature See Scheduled Connections on page 2 16 Some networks that use Microsoft Windows NT PPTP Network Servers require additional authentication information called Windows NT Domain Name when answering PPTP t...

Page 149: ...offer IPsec 3DES triple DES encryption as a standard option Some models support built in hardware acceleration of 3DES encryption at line speeds Internet Key Exchange IKE is an authentication and encryption key management protocol used in conjunction with the IPsec standard IPsec key management offers a wide variety of options which are explained in Chapter 6 Internet Key Exchange for VPNs About L...

Page 150: ...rofile as using L2TP by selecting L2TP as the datalink encapsulation method and then select Encapsulation Options the L2TP Tunnel Options screen appears Main Menu WAN Configuration Add Connection Profile Add Connection Profile Profile Name Profile 1 Profile Enabled Encapsulation Type PPP Encapsulation Options ATMP PPTP IPsec IP Profile Parameters L2TP COMMIT CANCEL ...

Page 151: ...thentication protocol for the PPP connection Options are PAP or CHAP The default is PAP The authentication protocol must be the same on both ends of the tunnel You can specify a Data Compression algorithm either None or Standard LZS for the L2TP connection You can specify a Send Host Name which is used with Send Secret for authenticating with a remote PNS when the profile is used for initiating a ...

Page 152: ...you want to tunnel Press Escape to return to the Connection Profile screen Select COMMIT and press Return The tunnel Connection Profile will be activated About GRE Tunnels Generic Routing Encapsulation GRE protocol is another form of tunneling that Motorola Netopia routers support A GRE tunnel is brought up when a valid GRE profile is installed and brought down when the profile is disabled or dele...

Page 153: ...nd Checksums to Yes to verify that no data corruption or loss is incurred in transmission Ordinarily it is not necessary to send checksums and you can leave the default No Add Connection Profile Profile Name Profile 2 Profile Enabled Encapsulation Type PPP Underlying Encapsulation ATMP PPTP Encapsulation Options IPsec L2TP GRE IP Profile Parameters Interface Group Primary COMMIT CANCEL GRE Tunnel ...

Page 154: ... want to tunnel Press Escape to return to the Add Connection profile screen select COMMIT and press Return Your GRE Connection Profile will be enabled VPN force all GRE tunnelling supports VPN force all which forces all traffic coming from the LAN onto the GRE tunnel You accomplish this by setting the default route to go through the GRE tunnel A secondary host route where all tunneled GRE packets ...

Page 155: ... End Point peer_tunnel_ IP_address Remote Member IP 127 0 0 2 Remote Member Mask cannot be 255 255 255 255 Dynamic WAN IP IP 0 0 0 0 Mask 0 0 0 0 IP Default Gateway 127 0 0 2 Gateway static route is recommended see above see above Static PPPoE Remote IP some_IP_address Remote Mask some_IP_mask see above see above see above Auto PPPoE Remote IP 127 0 0 2 Remote Mask 255 255 255 255 IP Default Gatew...

Page 156: ... Generic Routing Encapsulation GRE The GRE data is then routed using standard methods ATMP configuration ATMP is a Datalink Encapsulation option in Connection Profiles It is not an option in device or link configuration screens since ATMP is not a native encapsulation The Easy Setup Profile does not offer ATMP datalink encapsulation See Creating a New Connection Profile on page 2 8 for information...

Page 157: ...er and the Tunnel Via Gateway field is hidden If the partner should be reached via an alternate port i e the LAN instead of the WAN the Tunnel Via Gateway field allows this path to be resolved You can specify a Network Name When the tunnel partner is another Motorola Netopia Router this name may be used to match against a Connection Profile When the partner is an Ascend gateway in Gateway mode the...

Page 158: ...nt must have the means to decrypt the data to render it usable to them The encryption process protects the data by making it difficult for any third party to get at the original data Motorola Netopia PPTP is fully compatible with Microsoft Point to Point Encryption MPPE data encryption for user data transfer over the PPTP tunnel Microsoft Windows NT Server provides MPPE encryption capability only ...

Page 159: ... not support MS CHAPv2 the Motorola Netopia Router will fall back to MS CHAPv1 or if the gateway or VPN adapter client you are connecting to does not support MPPE at all the PPP session will be dropped This is done automatically and transparently ATMP PPTP Default Profile The WAN Configuration menu offers a ATMP PPTP Default Profile option Use this selection when your Router is acting as the serve...

Page 160: ...you chose PAP or CHAP authentication from the Data Compression pop up menu select either None the default or Standard LZS If you chose MS CHAP authentication the Data Compression option is not required and this menu item becomes hidden VPN QuickView You can view the status of your VPN connections in the VPN QuickView screen From the Main Menu select QuickView and then VPN QuickView The VPN QuickVi...

Page 161: ...d establish a VPN tunnel to for example a corporate headquarters remotely Motorola Netopia Routers also can serve as a PAC at the workstation s site making it unnecessary for the standalone workstation to initiate the tunnel In such a case the Dial Up Networking software is not required since the Motorola Netopia Router initiates the tunnel This section is provided for users who may require the VP...

Page 162: ... the latest software and release notes the Microsoft website at http www microsoft com Installing Dial Up Networking Check to see if Dial Up Networking is already installed on your PC Open your My Computer or whatever you have named it icon on your desktop If there is a folder named Dial Up Networking you don t have to install it If there is no such folder you must install it from your system disk...

Page 163: ... to your PC Click the Next button A screen appears with fields for you to enter telephone numbers for the computer you want to connect to 3 Type the directory number or the Virtual Circuit Identifier number This number is provided by your ISP or corporate administrator Depending on the type of device you are using the number may or may not resemble an ordinary telephone directory number 4 Click th...

Page 164: ...ea check TCP IP and uncheck all of the other checkboxes Note Motorola Netopia s PPTP implementation does not currently support tunnelling of IPX and NetBEUI protocols 4 Click the TCP IP Settings button If your ISP uses dynamic IP addressing DHCP select the Server assigned IP address radio button If your ISP uses static IP addressing select the Specify an IP address radio button and enter your assi...

Page 165: ...enever you run a TCP IP application such as a web browser or email client When you first run the application a Connect To dialog box appears in which you enter your User name and Password If you check the Save password checkbox the system will remember your User name and Password and you won t be prompted for them again Allowing VPNs through a Firewall An administrator interested in securing a net...

Page 166: ... allow PPTP traffic you must provision the firewall to allow inbound and outbound TCP packets specifically destined for port 1723 The source port may be dynamic so often it is not useful to apply a compare function upon this portion of the control negotiation packets You must also set the firewall to allow inbound and outbound GRE packets enabling transport of the tunnel payload From the Main Menu...

Page 167: ...k 0 Protocol Type TCP Source Port Compare No Compare Source Port ID 0 Dest Port Compare Equal Dest Port ID 1723 Established TCP Conns Only No Return Enter accepts Tab toggles ESC cancels Enter the packet specific information for this filter Change Input Filter 2 Enabled Yes Forward Yes Call Placement Idle Reset No Change Force Routing No Source IP Address 0 0 0 0 Source IP Address Mask 0 0 0 0 Des...

Page 168: ...as shown below Source IP Addr Dest IP Addr Proto Src Port D Port On Fwd 1 0 0 0 0 0 0 0 0 TCP NC 1723 Yes Yes 2 0 0 0 0 0 0 0 0 GRE Yes Yes Change Output Filter 1 Enabled Yes Forward Yes Call Placement Idle Reset No Change Force Routing No Source IP Address 0 0 0 0 Source IP Address Mask 0 0 0 0 Dest IP Address 0 0 0 0 Dest IP Address Mask 0 0 0 0 TOS 0 TOS Mask 0 Protocol Type TCP Source Port Com...

Page 169: ...up menu select Basic Firewall Select Display Change Input Filter Display Change Input Filter screen Select Input Filter 1 and press Return In the Change Input Filter 1 screen set the Destination Port information as shown below Change Output Filter 2 Enabled Yes Forward Yes Call Placement Idle Reset No Change Force Routing No Source IP Address 0 0 0 0 Source IP Address Mask 0 0 0 0 Dest IP Address ...

Page 170: ...0 Protocol Type TCP Source Port Compare No Compare Source Port ID 0 Dest Port Compare Equal Dest Port ID 1723 Established TCP Conns Only No Return Enter accepts Tab toggles ESC cancels Enter the packet specific information for this filter Change Input Filter 2 Enabled Yes Forward Yes Call Placement Idle Reset No Change Force Routing No Source IP Address 0 0 0 0 Source IP Address Mask 0 0 0 0 Dest ...

Page 171: ...o Src Port D Port On Fwd 1 0 0 0 0 0 0 0 0 TCP NC 1723 Yes Yes 2 0 0 0 0 0 0 0 0 GRE Yes Yes Change Output Filter 1 Enabled Yes Forward Yes Call Placement Idle Reset No Change Force Routing No Source IP Address 0 0 0 0 Source IP Address Mask 0 0 0 0 Dest IP Address 0 0 0 0 Dest IP Address Mask 0 0 0 0 TOS 0 TOS Mask 0 Protocol Type UDP Source Port Compare No Compare Source Port ID 0 Dest Port Comp...

Page 172: ...ile Parameters screen of your Connection Profile The IP Profile Parameters screen varies slightly depending on whether your model router connects directly to the Internet or if it connects via an Ethernet connection through a cable or DSL modem The enabling feature is the same for both Using the Tab key toggle NetBIOS Proxy Enabled from the default No to Yes and press Return Your remote Network Ne...

Page 173: ...ation IP 192 168 1 255 When Router A receives this broadcast it translates the destination of this broadcast to match the remote IP of the NetBIOS Proxy enabled VPN profiles and it forwards the broadcast through the VPN tunnel LAN IP 192 168 1 0 24 Tunnel PC A Router A 100 1 LAN IP 192 168 2 0 24 Router B PC B 1 100 ...

Page 174: ...e Network Address Translation Enabled No Stateful Inspection Enabled No Filter Set None Remove Filter Set NetBIOS Proxy Enabled Yes Advanced IP Profile Options COMMIT CANCEL IP Profile Parameters Remote Tunnel Endpoint 192 168 1 1 Add Network Display Change Network Delete Network Address Translation Enabled No Stateful Inspection Enabled No Filter Set None Remove Filter Set NetBIOS Proxy Enabled Y...

Page 175: ...king traffic Make sure the NetBIOS filter is not enabled in your Internet Connection Profile Motorola includes the NetBIOS Proxy feature as an enhancement and convenience for our customers It has been lab tested and many customers use it successfully However Motorola cannot guarantee that this feature will automatically give you the networking functionality you expect There are many possible issue...

Page 177: ...the header and the payload On the receiving side an IPsec compliant device decrypts each packet Motorola Netopia Routers support Tunnel mode DES stands for Data Encryption Standard a popular symmetric key encryption method DES uses a 56 bit key Motorola Netopia Routers offer IPsec 3DES triple DES encryption as a standard option Internet Key Exchange IKE is an authentication and encryption key mana...

Page 178: ... tunnel configuration It is not possible to send traffic outside the tunnel by bypassing the tunnel and the remote security gateway Note To fully protect against IP address spoofing of local member addresses requires firewall rules to be installed on the WAN interface These must prevent packets coming in through that interface with local member source addresses since local member source addresses ...

Page 179: ...ey Entry on page 6 22 If you choose IKE the default continue below Select IKE Phase 1 Profile and press Return Add Connection Profile Profile Name Profile 1 Profile Enabled Encapsulation Type PPP RFC1483 RFC1483 Mode ATMP PPTP IPsec L2TP IP Profile Parameters COMMIT CANCEL IPsec Tunnel Options Key Management IKE IKE Phase 1 Profile Encapsulation ESP ESP Encryption Transform DES ESP Authentication ...

Page 180: ...nnection Profile all VPN traffic for that profile will be discarded Select ADD PH1 PROFILE The Add IKE Phase 1 Profile screen appears IKE Phase1 Profile ADD PH1 PROFILE NONE Key Management IKE Phase 1 Profile Encapsulation ESP Encryption Tran ESP Authentication 5 96 Compression Type Advanced IPsec Opti COMMIT Up Down Arrow Keys to select ESC to dismiss Return Enter to Edit Add IKE Phase 1 Profile ...

Page 181: ...otted quad IPv4 Range Two IPv4 addresses in dotted quad notation a b c d separated by a space Host Name A fully qualified domain name FQDN E Mail Address An RFC 822 e mail address in the form user hostname Key ID ASCII An opaque string consisting of printable ASCII characters represented as a sequence of printable ASCII characters Key ID HEX An opaque string consisting of arbitrary 8 bit ASCII val...

Page 182: ...its IP parameters The NAT PAT IP address can now be left at the default 0 0 0 0 indicating that the address is to be requested from the remote address server and dynamically applied to the profile Remote Members can be set to a subnet of 0 0 0 0 255 255 255 255 indicating that the network value is to be dynamically requested as well The acquired value will be applied to all VPN remote member range...

Page 183: ...the subnet mask is set to an even multiple of 8 bits based on the number of addresses in the local range See Multiple Network IPsec on page 6 17 From the Xauth Recipient Auth Check pop up menu select the database to be used for authentication Local If you choose this option the Gateway will use the locally configured username and password for both concentrator and client modes RADIUS If you choos...

Page 184: ...se 1 SAs until they expire and will begin using the newly created Phase 1 SAs only after the old ones are no longer valid Allow Dangling Phase 2 SAs toggles whether or not Phase 2 SAs are permitted to survive the expiration of the Phase 1 SAs under which they were created Phase 2 SAs dangle when the Phase 1 SA under which they were created expires before they do There is no requirement that the Ph...

Page 185: ... renegotiation of new IPSec SAs Traffic based Dead Peer Detection The default is No Toggling this option to Yes allows IKE to negotiate RFC3706 based IKE keepalives with a remote security gateway IKE peer that supports them If this feature is enabled and negotiated with its peer keepalive messages are sent when the IPSec link has not received anything in DPD Keepalive Idle Time seconds see below a...

Page 186: ...sing an IKE phase 1 profile name from the pop up list displays a confirmation alert asking you to confirm that you really want to delete the specified IKE phase 1 profile WAN Configuration WAN Wide Area Network Setup Display Change Connection Profile Add Connection Profile Delete Connection Profile ATMP PPTP Default Profile IKE Phase 1 Configuration Advanced Connection Options Return Enter to conf...

Page 187: ...tions on creating a Connection Profile if you don t already know how to do that You can access the Key Management menus from the Change Connection Profile menu under the WAN Configuration screen for a Connection Profile you have already created or you can create a new Connection Profile with your IKE settings included as you go The IKE Key management settings are part of the Data Link Options that...

Page 188: ... it to Any Port of the WAN interface by choosing the interface from the Interface Group pop up menu as shown below Example 2 Add Connection Profile menu showing Interface Group pop up Change Connection Profile Profile Name Easy Setup Profile Profile Enabled Encapsulation Type PPP Encapsulation Options ATMP PPTP IPsec IP Profile Parameters Telco Options COMMIT CANCEL Add Connection Profile Profile ...

Page 189: ...le is associated with the tunnel The pop up menu lists the names of all currently defined IKE Phase 1 Profiles The pop up menu also includes an ADD PH1 PROFILE item to allow you to define a new IKE Phase 1 Profile directly without first going to the IPsec Configuration screen and a NONE item to allow you to dissociate an existing IKE Phase 1 Profile from the IPsec tunnel The remainder of the scree...

Page 190: ...seconds 1 hour The value zero specifies the absence of an elapsed time lifetime SA Lifetime Kilobytes specifies the maximum number of kilobytes of data that may be secured encrypted decrypted or authenticated using the SA before it expires and becomes invalid The range of permissible values is the set of non negative integer values between 0 and 2 32 1 The default value is 0 Kilobytes The value ze...

Page 191: ...mount of time If the ICMP reply does not arrive within that time the peer is considered dead the current phase 2 SAs are torn down and the IKE SA starts a new phase 1 negotiation followed by the normal phase 2 negotiation thereafter When you toggle Dead Peer Detection to Yes on new options appear Ping host allows you to specify the host IP address of the host to ping and from which replies will be...

Page 192: ...ction Profile screen and select IP Profile Parameters If you enable IKE key management the IP Profile Parameters screen appears The Remote Tunnel Endpoint field accepts either an IP address in the familiar dotted quad notation a b c d or a hostname to be resolved using the Domain Name System DNS Note When the Remote Tunnel Endpoint is an IP address it will drop IKE packets if they are not sourced ...

Page 193: ...cy This is useful for example for branch office management of multiple IP subnets over an encrypted VPN tunnel The following diagram illustrates this feature Advantages of Multiple Network IPsec are scalability flexibility by adding any combination of remote local network ranges support for sub netting host and network range addressing modes works with manual keying and Internet Key Exchange IKE i...

Page 194: ...and the Local Member Address the other fields are hidden Select COMMIT and press Return to add the configuration This returns you to the IP Profile Parameters screen Select COMMIT and press Return in the IP Profile Parameters screen This returns you to the Change Connection Profile screen Select COMMIT and press Return in the Change Connection Profile screen Note Any two IPsec tunnels differ only...

Page 195: ...rofile Parameters Remote Tunnel Endpoint 0 0 0 0 Add Network Display Change Network Delete Network Address Translation Enabled No Stateful Inspection Enabled No Filter Set None Remove Filter Set NetBIOS Proxy Enabled No Advanced IP Profile Options COMMIT CANCEL Define new local remote member s Display Change Network Configuration Local Members Remote Members Net Type Start Address Size Type Start ...

Page 196: ... Tunnel Endpoint Address the Router will use the default gateway to reach the partner If the partner should be reached via an alternate port for example the LAN instead of the WAN the Next Hop Gateway field allows this path to be resolved You can specify an Idle Timeout seconds value The idle timeout tells the Router that if no traffic passes through the tunnel for the specified number of seconds ...

Page 197: ...outer Normally the MTU only requires manual configuration if the ICMP error messages are blocked or otherwise not received by the router IPsec WAN Configuration Screens You can also configure IKE Phase 1 Profiles in the WAN Configuration menus The WAN Configuration screen now includes IKE Phase 1 Configuration as shown Select IKE Phase 1 Configuration and press Return The IKE Phase 1 Configuration...

Page 198: ...designed layout and additional options for manual key entry If you selected Manual Key Management in the IPsec Tunnel Options screen you will need to enter your encryption keys in the IPsec Manual Keys screen IKE Phase 1 Configuration Display Change IKE Phase 1 Profile Add IKE Phase 1 Profile Delete IKE Phase 1 Profile IPsec Tunnel Options Key Management Manual Encapsulation ESP ESP Encryption Tra...

Page 199: ...eys With Manual Keys you must manually configure identical authentication and encryption keys at both ends of the tunnel The authentication keys are either 32 for MD5 or 40 for SHA1 ascii hex characters while the encryption keys are 16 for DES or 48 for triple DES ascii hex characters VPN Quickview Statistics are displayed on the VPN Quick View screen The VPN Quick View screen has been modified sl...

Page 200: ...nd did not match any of the profiles stored in the local Router IKE no matching proposal An IKE phase 1 request was received and the proposal did not match an allowed parameter or else the remote rejected the local Router s proposal IKE phase 1 auth failure The phase 1 remote authentication failed IKE phase 1 resend timeout The attempt to resend the phase 1 remote authentication timed out IKE phas...

Page 201: ...er the local Router rejected the proposals of the remote or the remote rejected the local Router s IKE ph2 resend timeout The attempt to resend the phase 2 authentication timed out IKE phase 2 complete The phase 2 negotiation completed successfully Event message Meaning ...

Page 203: ...account with separate IP addresses for each computer on the network Network Address Translation also provides increased security by hiding the local IP addresses of the LAN connected to the Motorola Netopia gateways from the outside world The setup is simpler so ISPs typically offer Internet accounts supporting Network Address Translation at a significant cost savings For a detailed discussion of ...

Page 204: ... C subnet your only option is multiple Class C subnets since it is virtually impossible to justify a Class A or Class B assignment If you are using NAT you can use the reserved Class A or Class B subnet Select Default IP Gateway and enter the IP address for a default gateway This can be the address of any major gateway accessible to the Router A default gateway should be able to successfully route...

Page 205: ...ransmit RIP v2 broadcast selected the router will generate RIP packets to all other hosts on the network With Transmit RIP v2 multicast selected the router will generate RIP packets only to other routers capable of recognizing RIP v2 packets If you want to enable Multicast Forwarding select Multicast Forwarding and from the pop up menu choose the type that you want to enable See Multicast Forwar...

Page 206: ...herwise there will be one more row than the number of configured subnets The last row will have the value 0 0 0 0 in both the IP address and subnet mask fields to indicate that you can edit the values in this row to configure an additional subnet All eight row labels are always visible regardless of the number of subnets configured To add an IP subnet enter the Router s IP address on the subnet in...

Page 207: ...red on this screen will delete the corresponding address serving pool if any on the IP Address Pools screen If you have configured multiple Ethernet IP subnets the IP Setup screen changes slightly IP Subnets IP Address Subnet Mask 1 192 128 117 162 255 255 255 0 2 192 128 152 162 255 255 0 0 3 0 0 0 0 0 0 0 0 4 5 6 7 8 IP Setup Subnet Configuration Default IP Gateway 0 0 0 0 Backup IP Gateway 0 0 ...

Page 208: ...the IP routing table which contains all of the routes used by the Router see IP Routing Table on page 9 6 Static routes are helpful in situations where a route to a network must be used and other means of finding the route are unavailable For example static routes are useful when you cannot rely on RIP To go to the Static Routes screen select Static Routes in the IP Setup screen and press Return T...

Page 209: ...r the Router will use the static route when it conflicts with information received from RIP packets Enabled An indication of whether the static route should be installed in the IP routing table To return to the Static Routes screen press Escape Adding a static route To add a new static route select Add Static Route in the Static Routes screen The Add Static Route screen will appear Dest Network Su...

Page 210: ...n takes precedence over the static route If the static route conflicts with a connection profile the connection profile will always take precedence To make sure that the static route is known only to the Router select Advertise Route Via RIP and toggle it to No To allow other RIP capable gateways to know about the static route select Advertise Route Via RIP and toggle it to Yes When Advertise Rout...

Page 211: ...the Router The static route s route information conflicts with a connection profile s route information The connection profile associated with the static route has a disabled dial on demand setting and there is no current connection using that connection profile A static route that is already installed in the IP routing table will be removed if any of the conditions listed above become true for th...

Page 212: ...e next Whenever two keys are valid at the same time the Motorola Netopia router tries to determine if other peers devices that it has received an authenticated packet from in the past three minutes on its network are using the new key If any of the peers have not used the new key yet the Motorola Netopia router will send RIP updates twice once with each key If the last valid key expires the Device...

Page 213: ...se v2 MD5 Authentication You can also select Transmit RIP and choose v2 MD5 broadcast or v2 MD5 multicast from the pop up menu Ethernet LAN RIP Options Receive RIP Off v1 Transmit RIP v2 Both v1 and v2 v2 MD5 Authentication Ethernet LAN RIP Options Receive RIP v2 MD5 Authentication Transmit RIP Off RIP v2 Authentication Keys ...

Page 214: ...other interfaces are immediately effective If you set the RIP Receive option to Both v1 and v2 the interface will ignore authenticated RIP packets since authenticated v1 packets do not exist Only v2 packets can be authenticated Select RIP v2 Authentication Keys The RIP v2 Authentication Keys screen appears Ethernet LAN RIP Options Receive RIP n Transmit RIP Off v1 RIP v2 Authentication Keys v2 bro...

Page 215: ... the same key ID on an interface The Authentication Key may consist of from 1 16 ASCII characters These appear as asterisks when typed RIP v2 Authentication Keys Display Change Key Add Key Delete Key Add Key Key ID 0 Authentication Key Start Date MM DD YY 10 10 2002 Start Time hh mm 12 00 AM or PM AM End Time Mode Date End Date MM DD YY 10 10 2002 End Time hh mm 12 00 AM or PM AM COMMIT CANCEL ...

Page 216: ...end time range Changes to RIP Keys on all interfaces are immediately effective This differs from the remainder of the RIP configuration on the Ethernet LAN which requires a reboot It is important that the keys be able to change dynamically however because the purpose of entering more than one key on an interface is to insure a smooth transition between keys with no network outages Changing or dele...

Page 217: ... Default Profile Leased and Switched menus are the same as the Connection Profile RIP option and associated menus For brevity the following example shows only the Connection Profile RIP option and associated menus In either case navigate to the RIP Profile Parameters screen under the IP Profile Parameters menu of the Display Change or Add Connection Profile screen The connection profile RIP Profil...

Page 218: ... to the RIP v2 Authentication Keys screen where you can configure your keys in the same manner as in Adding a key on page 13 After configuring your key press COMMIT in the Add or Change Key screen then press Escape three times to return to the Add or Change Connection Profile screen Select COMMIT in the Connection Profile screen and press Return Your changes become effective for the specified Conn...

Page 219: ...llows older IP hosts to obtain most of the information that a DHCP client would obtain However in contrast BootP address assignments are permanent since there is no lease renewal mechanism in BootP The third protocol called Dynamic WAN is part of the PPP MP suite of wide area protocols used for WAN connections It allows remote terminal adapters and NAT enabled gateways to be assigned a temporary I...

Page 220: ... area network you may want to first figure out which machines are going to be allocated specific static IP addresses so that you can determine the pool of IP addresses that you will be serving addresses from via DHCP BootP and or Dynamic WAN Example Your ISP has given your Router the IP address 192 168 6 137 with a subnet mask of 255 255 255 248 The subnet mask allocated will give you six IP addre...

Page 221: ...f you explicitly configure the DHCP pool auto configuration of the DHCP pool is suppressed If you configure the gateway manually and you would like the gateway to auto configure DHCP you must explicitly set the IP Address and Subnet Mask to 0 0 0 0 and reboot If you have configured multiple Ethernet IP subnets the appearance of the IP Address Serving screen is altered slightly Three menu items are...

Page 222: ...nt Gateway column allows you to specify the default gateway address that will be provided to clients served an address from the corresponding pool The value defaults to the Router s IP address on the corresponding subnet or the Router s default gateway if that gateway is located on the subnet in question You can override the value by entering any address that is part of the subnet DHCP BootP and d...

Page 223: ...nets screen Changes to the IP Subnets screen may affect this screen In particular deleting a subnet on the IP Subnets screen will delete the corresponding address serving pool if any on this screen DHCP NetBIOS Options If your network uses NetBIOS you can enable the Router to use DHCP to distribute NetBIOS information NetBIOS stands for Network Basic Input Output System It is a layer of software o...

Page 224: ...IOS Scope and toggle it to Yes Select NetBIOS Scope and enter the scope DHCP NetBIOS Options Serve NetBIOS Type Yes NetBIOS Type Type B Serve NetBIOS Scope No NetBIOS Scope Serve NetBIOS Name Server No NetBIOS Name Server IP Addr 0 0 0 0 Configure DHCP served NetBIOS options here DHCP NetBIOS Options Serve NetBIOS Type NetBIOS Type Type B Type P Serve NetBIOS Scope Type M NetBIOS Scope Type H Serv...

Page 225: ...ated from the IP Address Serving pool until you release them To release these addresses navigate back to the Main Menu then Statistics Logs Served IP Addresses and Lease Management Select Release BootP Leases and press Return Back in IP Address Serving the Serve Dynamic WAN Clients toggle More Address Serving Options The Motorola Netopia Embedded Software Version 8 7 4 includes a number of enhance...

Page 226: ...Address Server options To access the enhanced DHCP server functions from the Main Menu navigate to Statistics Logs and then Served IP Addresses The following example shows the Served IP Addresses screen after three clients have leased IP addresses The first client did not provide a Host Name in its DHCP messages the second and third clients did The rightmost column displays the host name supplied ...

Page 227: ...and Reserve The action popup is context sensitive and lists only those operations that apply to the selected IP address in its current lease state Details is displayed if the entry is associated with both a host name and a client identifier Selecting Details displays a pop up menu that provides additional information associated with the IP address The pop up menu includes the IP address as well as...

Page 228: ...ses IP Address Type Expires Host Name Client Identifier SCROLL UP 192 168 1 100 192 168 1 101 IP Address is 192 168 1 108 Host Name is Barr s XPi 120 Client ID is EN 00 00 c5 45 89 ef OK 192 168 1 111 Reserve 192 168 1 112 192 168 1 113 SCROLL DOWN Lease Management Served IP Addresses IP Address Type Expires Host Name Client Identifier SCROLL UP 192 168 1 100 192 168 1 101 192 1 192 1 192 1 192 1 ...

Page 229: ...ess for a client with a particular Ethernet MAC address guarantees that a client with the specified MAC address will be offered or leased the specified IP address Moreover it prevents the specified IP address from being offered or leased to any other client Selecting Reserve displays a pop up dialog box that displays the IP address and editable item in which you can enter an Ethernet MAC address T...

Page 230: ...itself but instead forwards the request to one or more remote DHCP servers These servers process the request assign an address from an address pool configured on the remote server and forward the response back to the Motorola Netopia Router for delivery back to the client The agent then sends the response to the client on behalf of the DHCP server This process is transparent to the client which do...

Page 231: ...efault and DHCP Relay Agent If you select DHCP Relay Agent and press Return the screen changes as shown below Main Menu System Configuration IP Address Serving IP Address Serving IP Address Serving Mode Disabled DHCP Server Number of Client IP Addresses DHCP Relay Agent 1st Client Address Client Default Gateway 192 168 1 1 Serve DHCP Clients Yes DHCP NetBIOS Options Serve BOOTP Clients Yes ...

Page 232: ...Netopia Router s primary Ethernet LAN subnet There is no mechanism for DHCP clients to receive an address on a secondary subnet via a relayed DHCP request Connection Profiles Since you will probably only have a single connection to your ISP over the DSL link you may not need to create multiple connection profiles Additional profiles may be useful for creating VPNs Connection Profiles define the li...

Page 233: ...rs and press Return The IP Profile Parameters screen appears Add Connection Profile Profile Name Profile 1 Profile Enabled Yes Data Link Encapsulation PPP Data Link Options IP Profile Parameters COMMIT CANCEL Configure a new Conn Profile Finished COMMIT or CANCEL to exit IP Profile Parameters Address Translation Enabled Yes NAT Map List Easy PAT List NAT Server List Easy Servers NAT Options Statef...

Page 234: ...bute real time audio and video to the set of computers which have joined a distributed conference Multicasting is similar to radio or TV broadcasts in the sense that only those who have tuned in to a particular frequency receive the information You see and hear the channel you are interested in but not the others Since a router should not be used as a passive forwarding device Motorola Netopia Rou...

Page 235: ...Setup menu See IGMP Internet Group Management Protocol on page 3 52 Navigate to the IP Profile Parameters screen IP System Configuration Main Menu Setup IP Setup Ethernet IP Address 192 168 1 1 Ethernet Subnet Mask 255 255 255 0 Define Additional Subnets Default IP Gateway 0 0 0 0 Backup IP Gateway 0 0 0 0 Primary Domain Name Server 0 0 0 0 Secondary Domain Name Server 0 0 0 0 Domain Name Rip Opti...

Page 236: ...VRRP A Virtual Router is a software abstraction consisting of a group of two or more hardware routers protecting one or more IP addresses One of the routers is designated as the Master while the others are backups VRRP is a protocol that provides redundancy to routers within a local area network by allowing alternate paths for a PC without changing the IP address or MAC address by which the PC kno...

Page 237: ...ach Virtual Router can have one associated Virtual IP Address The Virtual IP Address VIP must be in the range of IP addresses covered by the IP interface or the subnets Ethernet LAN VRRP Options Display Change Virtual Routers Add Virtual Router Delete Virtual Router Monitor WAN Yes Serve Relay DHCP only if Virtual Router in Master state No DHCP Gateway IP Address 0 0 0 0 Add Virtual Router VRID 0 ...

Page 238: ...ity of 255 indicates that the Virtual Router should operate in Master mode Even a non owner can have a priority of 255 and thus operate in Master mode You can configure only one Virtual Router to be a Master by default priority of 255 for an interface Preempt Mode Toggle Preempt Mode either Yes or No This setting specifies whether the router should preempt the current Master for the ID if its prio...

Page 239: ...IP Address This field allows you to enter a Virtual IP address Entering a Virtual IP address causes the router to serve the Virtual IP address as the DHCP gateway and server IP instead of the configured DHCP gateway on the interface This behavior only happens if the Virtual Router associated with the configured DHCP gateway address is in Master state Press Escape to return to the IP Setup screen C...

Page 240: ...iles on the WAN connection You then associate physical or logical Ethernet encapsulated interfaces such as wired Ethernet ports wireless SSIDs and ATM RFC 1483 bridged VCs to these interfaces on platforms with more than one Ethernet encapsulated interface The additional LAN IP routed interfaces duplicate all the same parameters that apply to the primary LAN interface such as DHCP servers filterset...

Page 241: ...address of the interface This is assigned automatically by the system and cannot be modified Additional LAN Configuration Add ALAN Add Additional LAN Name Additional LAN 1 Enabled Yes MAC Address 00 00 00 00 00 00 Ethernet IP Address 0 0 0 0 Ethernet Subnet Mask 0 0 0 0 Define Additional Subnets IP Address Serving Rip Options Proxy Arp Enabled No Multicast Forwarding None VRRP Options Filter Set R...

Page 242: ...cast Forwarding Same as the primary interface See Multicast Forwarding on page 7 32 Filter Set Attaches a defined filter set to the LAN See About Filters and Filter Sets on page 10 20 When you are finished select COMMIT and press Return Your ALAN is configured Note ALAN creation or deletion takes effect only upon reboot See Restarting the System on page 11 8 if you don t know how to do this Editin...

Page 243: ...IP Setup 7-41. Additional LAN Configuration (Name, IP Address): Additional LAN 1, 1.1.1.1; Additional LAN 2, 0.0.0.0 ...


Page 245: ...failures causes the router to switch from using the primary DSL WAN connection to using a built in V 92 modem Alternatively you can choose backup to an alternate gateway on the Ethernet LAN In the event of a loss of primary connectivity you have the option of switching back to the primary port automatically once it has recovered its connection Configuring Backup The following menus support backup ...

Page 246: ...ar interface It should have switched characteristics for modem backup Navigate to the Add Connection Profile screen If you used Easy Setup to configure your DSL connection you have already created one Connection Profile For the backup modem you create a second Connection Profile and associate it with the backup modem interface Profile Name Give the profile a descriptive name for example Modem Back...

Page 247: ...sually need to be changed for a PPP connection From the Interface Group pop up menu select Backup Select Encapsulation Options The Datalink PPP MP Options screen appears Add Connection Profile Profile Name Profile 1 Profile Enabled Encapsulation Type PPP RFC1483 ATMP Encapsulation Options PPTP IPsec L2TP IP Profile Parameters COMMIT CANCEL Add Connection Profile Profile Name Modem Backup Profile E...

Page 248: ...you can leave the other defaults unchanged. Press Escape. Select IP Profile Parameters. The IP Profile Parameters screen appears. Datalink (PPP/MP) Options: Data Compression rd LZS; Send Authentication None / PAP / CHAP; Send User Name; Send Password; Receive User Name; Receive Password; Dial on Demand Yes. PAP: password protection is used, but passwords are exchanged in clear text, so prefer CHAP whenever the peer supports it. Add Connection Profile: Profile Name Mod...

Page 249: ... to set the parameters for the modem connection IP Profile Parameters Address Translation Enabled Yes IP Addressing Unnumbered NAT Map List Easy PAT List NAT Server List Easy Servers NAT Options Stateful Inspection Enabled No Local WAN IP Address 0 0 0 0 Remote IP Address 0 0 0 0 Remote IP Mask 0 0 0 0 Filter Set Remove Filter Set RIP Profile Options Toggle to Yes if this is a single IP address IS...

Page 250: ...od of inactivity You can also toggle Callback to No or Yes In most cases since this is a backup connection you can leave this set to the default No In some cases your service provider or corporate office may use the CompuServe Login protocol If so toggle CompuServe Login Enabled to Yes Otherwise leave the default No When enabled CompuServe Login requires that you enter a CompuServe Host Name a Com...

Page 251: ...WAN Configuration and then WAN Setup. IP Setup: Ethernet IP Address 192.168.1.1; Ethernet Subnet Mask 255.255.255.0; Define Additional Subnets; Default IP Gateway 0.0.0.0; Backup IP Gateway 0.0.0.0; Primary Domain Name Server 0.0.0.0; Secondary Domain Name Server 0.0.0.0; Domain Name; RIP Options; Multicast Forwarding None; Static Routes; IP Address Serving. Enter an IP address in decimal and dot form (xxx.xxx.x...

Page 252: ...AN Configuration WAN Wide Area Network Setup ATM Circuits Configuration Display Change Connection Profile Add Connection Profile Delete Connection Profile WAN Default Profile ATMP PPTP Default Profile IKE Phase 1 Configuration Advanced Connection Options Return Enter to create a new Connection Profile From here you will configure yours and the remote sites WAN information Choose Interface to Confi...

Page 253: ...m the pop up menu Options are Never Until Carrier During Answer Always Speaker Volume You can set how loud the modem tones will be from the pop up menu 1 Softest 2 Medium 3 Loudest Answer Incoming calls You can determine whether or not the modem will respond to incoming calls on this line from the pop up menu Always or Never Country Select your country from the pop up menu When you are finished pr...

Page 254: ...ress 1 and 2 and enter IP address(es) or resolvable DNS name(s) that the Router will ping. These are optional items that are particularly useful for testing if the remote end of a VPN connection has gone down. The Router will ping both addresses simultaneously at five-second intervals, recording the ping responses from each host. The Router will proceed into backup mode only if neither of the configured...

Page 255: ... be up (recovered) before the router will tear down the backup connection and revert to the primary interface. Minimum value is 10 seconds. Select Clear Backup Call only if idle. The default, Yes, will prevent the backup call from being torn down if there is activity on the backup connection when the primary connection comes back up. You can toggle this to No if you wish. The Clear Backup Call only if Idle...

Page 256: ... up connection for the backup modem The backup modem will be activated upon primary WAN link failure and remain active until primary WAN link recovery To configure a Scheduled Connection from the Main Menu select WAN Configuration and then Scheduled Connections The Scheduled Connections screen appears Select Add Scheduled Connection and press Return The Add Scheduled Connection screen appears WAN ...

Page 257: ...7 connection Press Escape to return to the Add Scheduled Connection screen Add Scheduled Connection Scheduled Connection Enable On How Often Weekly Schedule Type Forced Up Set Weekly Schedule Use Connection Profile ADD SCHEDULED CONNECTION CANCEL Return Enter accepts Tab toggles ESC cancels Scheduled Connections dial remote Networks on a Weekly or Once Only basis Set Weekly Schedule Monday Yes Tue...

Page 258: ...tion from your ENT Enterprise Series Router to another gateway that has for example an ISDN or analog modem connection to the Internet and designating the second gateway as the backup gateway Should the primary WAN connection fail traffic would be automatically redirected through your alternate gateway device to maintain Internet connectivity Two menus control the backup gateway feature the Backup...

Page 259: ...the ping responses from each host. The Router will proceed into backup mode only if neither of the configured remote hosts responds. While the Router is in backup mode it will continue to ping both hosts via the primary interface. If either host responds to a ping and Recovery is set to Automatic, the Router will revert to the primary interface. Note: for best results, enter an IP address and not a host...

Page 260: ... WAN interface For more information on IP Setup see the IP Setup on page 7 1 Note Backup and Recovery have resolutions of five seconds This is how often the gateway evaluates the state of the connections and makes decisions Backup Management Statistics If backup is enabled the Statistics Logs menu offers a Backup Management Statistics option Main Menu System Configuration IP Setup IP Setup Etherne...
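The backup and recovery decision described on the Backup Configuration pages (both the modem-backup and the backup-gateway variants) and reported in Backup Management Statistics, as an added example that is not the handbook's or Netopia's code. It uses the handbook's five-second evaluation resolution, its failure reasons, its rule that both ping hosts must be silent before backup is entered, the 10-second minimum recovery time and the Clear Backup Call only if Idle option; the backup_delay field and the names of the inputs are assumptions, and the observations fed in are constructed.

```python
"""Backup decision logic as the handbook describes it (added example, not
Netopia code). One evaluate() call is one 5-second tick. The gateway enters
backup only on a primary-link failure (Layer 1, Layer 2, protocol check, or
neither Backup Ping Address answering) and reverts only after the primary
has been up for the recovery time (minimum 10 s) and, with Clear Backup Call
only if Idle = Yes, the backup call is idle. backup_delay is an assumed
field; the failure reason strings are the handbook's."""

TICK = 5  # seconds; the backup/recovery resolution stated in the handbook


class BackupMonitor:
    def __init__(self, backup_delay=10, recovery_delay=10, clear_only_if_idle=True):
        if recovery_delay < 10:
            raise ValueError("minimum recovery time is 10 seconds")
        self.backup_delay = backup_delay
        self.recovery_delay = recovery_delay
        self.clear_only_if_idle = clear_only_if_idle
        self.state = "PRIMARY"          # "PRIMARY" or "BACKUP"
        self.time_since_detection = 0   # seconds, as shown in Backup Management Statistics
        self.reason = None

    @staticmethod
    def failure_reason(layer1_up, layer2_up, protocol_ok, ping_replies):
        """Map this tick's observations of the primary link to a failure reason.
        ping_replies has one bool per configured Backup Ping Address (0 to 2);
        when hosts are configured, only silence from *all* of them is a failure."""
        if not layer1_up:
            return "Loss of Layer 1"
        if not layer2_up:
            return "Loss of Layer 2"
        if not protocol_ok:
            return "Loss of Layer 2 Protocol Failure"
        if ping_replies and not any(ping_replies):
            return "Loss of Layer 2 ping"
        return None

    def evaluate(self, layer1_up=True, layer2_up=True, protocol_ok=True,
                 ping_replies=(), backup_idle=True):
        """One 5-second evaluation; returns the state after this tick."""
        failure = self.failure_reason(layer1_up, layer2_up, protocol_ok, ping_replies)
        if self.state == "PRIMARY":
            if failure is None:
                self.time_since_detection, self.reason = 0, None
            else:
                self.reason = failure
                self.time_since_detection += TICK
                if self.time_since_detection >= self.backup_delay:
                    self.state, self.time_since_detection = "BACKUP", 0
        else:
            if failure is not None:
                # primary still failing: the recovery count starts over
                self.time_since_detection, self.reason = 0, failure
            else:
                self.time_since_detection += TICK
                recovered = self.time_since_detection >= self.recovery_delay
                may_clear = backup_idle or not self.clear_only_if_idle
                if recovered and may_clear:
                    self.state, self.time_since_detection, self.reason = "PRIMARY", 0, None
        return self.state
```

Note how a single answering ping host keeps the gateway on the primary link: if one of the two hosts is unreliable, you will never fail over, which is why the handbook recommends IP addresses rather than names and why both hosts should be ones you expect to answer.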

Page 261: ... the Primary interface is in progress During backup the following reasons may appear Loss of Layer 1 Indicates a loss of sync on the Primary link Loss of Layer 2 Indicates connection profile cannot come up Loss of Layer 2 ping Indicates Backup Ping Address not responding Loss of Layer 2 Protocol Failure Indicates Primary link not responding to Protocol check LCP Echo LMI Status Request Backup Mana...

Page 262: ...ace and a recovery condition exists it will display the Requires Recovery of value The displayed value does not change Rather it indicates how high the Time Since Detection must count before the switchover occurs The FORCE BACKUP FORCE RECOVERY option is a selectable option that depending on the current state of backup will force the switching of gateways If you are currently in backup mode the op...

Page 263: ... 9 1 Statistics Logs on page 9 3 Event Histories on page 9 4 IP Routing Table on page 9 6 General Statistics on page 9 6 System Information on page 9 8 Simple Network Management Protocol SNMP on page 9 8 Quick View Status Overview You can get a useful overall status report from the Motorola Netopia Embedded Software Version 8 7 4 in the Quick View screen To go to the Quick View screen select Quick...

Page 264: ...igned typically the name of your ISP MAC Address The Router s hardware address for those interfaces that support DHCP IP Address The Router s IP address entered in the IP Setup screen Current status The current status section is a table showing the current status of the DSL connection For example Profile Name Lists the name of the connection profile being used if any Quick View 10 11 2006 07 31 26...

Page 265: ... the corresponding display in the Telnet menu screen will vary by model Each LED representation can report one of four states The LED is off R The LED is red G The LED is green Y The LED is yellow Statistics Logs When you are troubleshooting your Router the Statistics Logs screens provide insight into the recent event activities of the gateway Motorola Netopia Embedded Software Version 8 7 4 updat...

Page 266: ...ear at the top Each entry in the list contains the following information Date Date of the event Time Time of the event Event A brief description of the event Ch The channel involved in the event WAN Event History Statistics Logs Main Menu Device Event History WAN Event History Current Date 05 11 2006 03 02 23 PM Date Time Event SCROLL UP 05 03 06 13 59 06 DSL IP up channel 1 gateway 173 166 107 1 ...

Page 267: ...evice Event History screen appears If the event history exceeds the size of the screen you can scroll through it by using SCROLL UP and SCROLL DOWN To scroll up select SCROLL UP at the top of the list and press Return To scroll down select SCROLL DOWN at the bottom of the list and press Return To obtain more information about any event listed in the Device Event History select the event and then p...

Page 268: ...useful for monitoring and troubleshooting your LAN. Note that the counters roll over at their maximum field width, that is, they restart again at 0. IP Routing Table (Main Menu, Statistics & Logs, IP Routing Table). Columns: Network Address, Subnet Mask, via Gateway, Port, Type. SCROLL UP. 0.0.0.0, 255.0.0.0, 0.0.0.0, Other; 127.0.0.1, 255.255.255.255, 127.0.0.1, Loopback, Local; 192.168.1.0, 255.255.255.240, 192.168.1.1, Ethernet, Loc...

Page 269: ... Bytes The number of bytes received Tx Bytes The number of bytes transmitted Rx Packets The number of packets received Tx Pkts The number of packets transmitted Rx Err The number of bad Ethernet packets received Tx Err The number of errors occurring when Ethernet packets are transmitted simultaneously by nodes on the LAN General Statistics Physical I F Rx Bytes Tx Bytes Rx Pkts Tx Pkts Rx Err Tx E...

Page 270: ...ia Embedded Software Version 8 7 4 Motorola Netopia Routers implement the following in the Motorola Netopia enterprise specific MIB Wireless privacy objects support wireless configuration and information about wireless clients associ ated with the router Virtual LAN VLAN configuration objects remote authentication profile RADIUS objects MIBs are available in a variety of formats Load this MIB into...

Page 271: ...pub router snmpinfo Load these MIBs into your SNMP management software in the order they are listed here The SNMP Setup screen From the Main Menu select SNMP in the System Configuration screen and press Return The SNMP Setup screen appears Follow these steps to configure the first three items in the screen System Main Menu Configuration SNMP SNMP Setup System Name System Location System Contact Re...

Page 272: ...rom the gateway, but cannot modify the gateway's configuration. An SNMP manager using the Read/Write Community String can both examine and modify configuration parameters. By default, the read-only and read/write community strings are set to public and private, respectively. You should change both of the default community strings to values known only to you and trusted system administrators. Community strings are sent in clear text in every SNMP request, so treat them as passwords and, where you can, limit which hosts are able to reach the SNMP port. To change a...

Page 273: ...f the gateway s interfaces such as a port stops functioning or is disabled An interface up trap ifUp is generated when one of the gateway s interfaces such as a port begins functioning Motorola Netopia Embedded Software Version 8 7 4 sends traps using UDP for IP networks You can specify which SNMP managers are sent the IP traps generated by the Motorola Netopia Embedded Software Version 8 7 4 Up t...

Page 274: ...y table of IP trap receivers select Display Change IP Trap Receiver in the IP Trap Receivers screen Modifying IP trap receivers 1 To edit an IP trap receiver select Display Change IP Trap Receiver in the IP Trap Receivers screen 2 Select an IP trap receiver from the table and press Return 3 In the Change IP Trap Receiver screen edit the information as needed and press Return Deleting IP trap recei...

Page 275: ...based Routing using Filtersets on page 10-35; Firewall Tutorial on page 10-38; Configuration Management on page 10-45. Suggested Security Measures: in addition to setting up user accounts, Telnet access and filters, all of which are covered later in this chapter, there are other actions you can take to make the Router and your network more secure. Change the SNMP community strings or passwords. The default...
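A check that the default community strings discussed under SNMP Setup (public/private) and in the Suggested Security Measures are no longer accepted, as an added example that is not the handbook's or Netopia's code. It hand-encodes an SNMPv1 GetRequest for sysDescr.0 so no SNMP library is required; the target host, port and community list are placeholders, probe() is the only function that touches the network, and the response used in the usage is constructed. Because each request carries the community in clear text, run it only against devices you are authorized to test.

```python
"""Check whether a gateway still answers to default SNMP community strings
(added example, not Netopia code). The SNMPv1 GetRequest for sysDescr.0 is
BER-encoded by hand. Host, port and the community list are placeholders."""
import socket

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get(community: str, request_id: int = 1, oid=SYS_DESCR_0) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")   # OID followed by NULL
    pdu = tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def parse_response(data: bytes):
    """Return (request_id, error_status, value bytes) for a GetResponse, else None."""
    try:
        tag, msg, _ = read_tlv(data, 0)
        if tag != 0x30:
            return None
        _, _, p = read_tlv(msg, 0)            # version
        _, _, p = read_tlv(msg, p)            # echoed community
        ptag, pdu, _ = read_tlv(msg, p)
        if ptag != GET_RESPONSE:
            return None
        _, rid, p = read_tlv(pdu, 0)
        _, err, p = read_tlv(pdu, p)
        _, _, p = read_tlv(pdu, p)            # error-index
        _, vbl, _ = read_tlv(pdu, p)
        _, vb, _ = read_tlv(vbl, 0)
        _, _, q = read_tlv(vb, 0)             # skip the OID
        _, value, _ = read_tlv(vb, q)
    except IndexError:
        return None
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), value)


def probe(host: str, communities=("public", "private"), port: int = 161, timeout: float = 2.0):
    """Send one GetRequest per community; return [(community, sysDescr)] for those that answered."""
    answered = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for rid, community in enumerate(communities, start=1):
            s.sendto(build_get(community, rid), (host, port))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue
            reply = parse_response(data)
            if reply and reply[0] == rid and reply[1] == 0:
                answered.append((community, reply[2].decode(errors="replace")))
    return answered
```

A gateway that has been hardened as the chapter suggests returns an empty list from probe("192.168.1.1"); anything listed is a community string an attacker on the same segment can read off the wire and reuse, and with the read/write string, reconfigure the router.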

Page 276: ...on. By default, UPnP is enabled on the Motorola Netopia Gateway. For Windows XP users, the automatic discovery feature places an icon representing the Motorola Netopia Gateway automatically in the My Network Places folder. PCs using UPnP can retrieve the Gateway's WAN IP address and automatically create NAT port maps. Because these requests are accepted from any LAN host without authentication, any program on the LAN, including malware, can open inbound ports through the firewall; disable UPnP unless you need it. This means that applications that support UPnP and are used with a UPnP-enabled Motoro...

Page 277: ...y losing all of your configuration information You can disable Telnet Access This may be useful for extra security in preventing remote attempts to access the gateway Select ADD SUPERUSER and press Return The Superuser account is now configured You will be challenged for this name and password every time you attempt to log into the gateway Limited user configuration The Add Access Name Password an...

Page 278: ... customize these privileges further in order to limit access to only certain portions of those interfaces configuration by selecting Custom If you select Custom the Access Privileges Custom screen appears Add Access Name Password Name 19 characters max user Password Telnet Access Enabled Yes Access Privileges All LAN WAN Custom ADD USER CANCEL Access Privileges Custom WAN Data Configuration No Con...

Page 279: ...rs Select RADIUS or TACACS from the pop up menu Configuration information is given in the following sections RADIUS server authentication on page 10 6 Access Privilege Default WAN Data Configuration No Connection Profile Configuration No Circuit PVC DLCI Configuration No LAN Data Configuration Yes LAN Subnet Configuration Yes NAT Filters Configuration Yes Preferences Global Configuration Yes Advan...

Page 280: ...thentication database Choosing Remote then Lcl Ser Only causes the router to attempt to authenticate a user first using a RADIUS server and then if that fails using the local authentication database If RADIUS authentica tion fails the router will authenticate the user using the local authentication database only if the user is accessing the menu console or CLI through the built in serial console p...

Page 281: ...System DNS information configured in the router, or by using an IP address in dotted-quad notation. The RADIUS Server Addr/Name items are limited to 63 characters. In addition to specifying the server's hostname or IP address, you must also specify a Remote Server Secret (and an Alt Remote Server Secret, if configured) known to both the router and the RADIUS server. The secret is used to authenticate and to hide the user's password within the RADIUS exchange; the rest of each RADIUS message is not encrypted, so choose a long random secret and restrict the path between router and server. It is used to protect RADIUS tr...

Page 282: ... TACACS Accounting transaction The CLI command is then executed regardless of the return code from the server Warning alerts Certain security related configuration changes cause the router to display a warning alert Choosing either Local then Remote or Remote then Local from the Security Databases pop up menu when there are no configured username password pairs causes the router to present the fol...

Page 283: ...resent the following warning alert Advanced Security Options You have no local passwords defined If you continue you will be unable to configure this device unless a Remote Server is available to authenticate you CONTINUE CANCEL Security Options You are about to delete the only local password If you continue you will be unable to configure this device unless a Remote Server is available to authent...

Page 284: ...ion of remote users the WAN related defaults are preset to Yes Toggle any that should be changed Advanced Security Options Remote Authentication RADIUS Security Databases Local only Remote Server Addr Name Remote Server Secret Alt Remote Server Addr Name Alt Remote Server Secret RADIUS Identifier RADIUS Server Authentication Port Remote Access Privileges All LAN Telnet Server Port WAN Custom MAC A...

Page 285: ...layed is Change Access Password Selecting this option displays the Change Access Password screen When changing a password you will be challenged to enter it again to be sure you have entered it correctly System Configuration IP Setup Filter Sets IP Address Serving Network Address Translation NAT Date and Time Console Configuration Change Access Password Upgrade Feature Set Logging Use this screen ...

Page 286: ...s Configuration screen elements to which configuration access is forbidden are usually hidden The Quick Menus screen reflects the security access level of the user Menus to which configuration access is forbidden are hidden Main Menu The following is an example comparison of the Main Menu as seen by the Superuser and by a Limited user Based on access level the Main Menu displays its configuration ...

Page 287: ...ording to the following diagram Netopia Router Easy Setup WAN Configuration System Configuration Utilities Diagnostics Statistics Logs Quick Menus Quick View User Access Level Superuser WAN Conn Profiles PVC All All Global Voice All All WAN Configuration WAN Wide Area Network Setup ATM Circuits Configuration Display Change Connection Profile Add Connection Profile Delete Connection Profile WAN Def...

Page 288: ...e the user accessibility after creating a Connection Profile or a limited user in the Change Connection Profile screen Advanced Connection Options Configuration Changes Reset WAN Connection No Scheduled Connections Backup Configuration Prioritize Delay Sensitive Data No User Access Level WAN Connection Profiles Connection Profiles WAN Add Connection Profile Profile Name Profile 1 Profile Enabled Y...

Page 289: ...Change Access Password for non Superusers and provides access to the associated menu described previously IP Setup menu In the IP Setup menu users that do not have LAN Subnet Configuration access will see a screen similar to the following System Configuration IP Setup Filter Sets IP Address Serving Network Address Translation NAT Date and Time Console Configuration SNMP Simple Network Management P...

Page 290: ...opia gateways supported by the software Substantial differences exist among screens on a given gateway Here all selection options are shown Based on access level the Statistics Logs menu displays its options according to the following diagram IP Setup LAN IP Subnet is 192 168 1 1 24 Utilities Diagnostics Ping Trace Route Telnet Log off Serial Console Session Trivial File Transfer Protocol TFTP Res...

Page 291: ...N Event History, Device Event History, IP Routing Table, Served IP Addresses, Served IP Addresses, Backup Management Statistics, General Statistics, System Information. User Access Level: Global for each of these eight entries ...

Page 292: ...figuration IP Setup Add Connection Profiles Fr Relay Config IP Address Serving Setup Change Connection Profiles Fr Relay DLCI Config IP Filter Sets Delete Connection Profiles Backup Config Static Routes WAN Default Profile Telephone Setup Network Address Translation ATMP PPTP Default Profile IKE Phase 1 Config Scheduled Connections Add Scheduled Connection Change Scheduled Connection MacIP Setup D...

Page 293: ... is a chance of tampering To password protect the configuration screens select Easy Setup from the Main Menu and go to the Easy Setup Security Configuration screen By entering a name and password pair in this screen all access via Telnet and SNMP will be password protected To restrict Telnet access select Security in the Advanced Configuration menu The Security Options screen will appear There are...

Page 294: ... lets you specify what sort of data can flow in and out of your network A particular filter can be either an input filter one that is used on data packets coming in to your network from the Internet or an output filter one that is used on data packets going out from your network to the Internet A filter set is a group of filters that work together to check incoming or outgoing data A filter set ca...

Page 295: ...pector to see it A package from Paris is ignored by the first inspector rejected by the second inspector and never seen by the others A package from London is ignored by the first two inspectors so it s seen by the third inspector In the same way filter sets apply their filters in a particular order The first filter applied can forward or discard a packet before that packet ever reaches any of the...

Page 296: ... criteria based on packet attributes. A typical filter can match a packet on any one of the following attributes: the source IP address (where the packet was sent from); the destination IP address (where the packet is going); the type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP. Port numbers: a filter can also match a packet's port number attributes, but only if the filter's p...

Page 297: ...ber must equal the port number specified in the filter. Greater Than: for the filter to match, the packet's port number must be greater than the port number specified in the filter. Greater Than or Equal: for the filter to match, the packet's port number must be greater than or equal to the port number specified in the filter. Other filter attributes: there are three other attributes to each filter. The fi...

Page 298: ...ost for which the packet is intended. On: displays Yes when the filter is in effect or No when it is not. Fwd: shows whether the filter forwards (Yes) a packet or discards (No) it when there's a match. Filtering example 1: returning to our filtering rule example from above (see page 10-22), look at how a rule is translated into a filter. Start with the rule, then fill in the filter's attributes. Protocol Number t...

Page 299: ...0-22), find the destination port and protocol numbers (the local Telnet port): Proto TCP (or 6), D Port 23. 4. The filter should be enabled and instructed to block the Telnet packets containing the source address shown in step 2: On Yes, Fwd No. This four-step process is how we produced the following filter from the original rule. Filtering example 2: suppose a filter is configured to block all incoming IP packe...

Page 300: ...rd. Discarded if all the filters are configured to forward. Discarded if the set contains a combination of forward and discard filters. Disadvantages of filters: although using filter sets can greatly enhance network security, there are disadvantages. Filters are complex; combining them in filter sets introduces subtle interactions, increasing the likelihood of implementation errors. Enabling a large numbe...

Page 301: ...tion About Filters and Filter Sets beginning on page 10 20 The procedure for creating and maintaining filter sets is as follows 1 Add a new filter set 2 Create the filters for the new filter set 3 View change or delete individual filters and filter sets The sections below explain how to execute these steps Adding a filter set You can create up to eight different custom filter sets Each filter set ...

Page 302: ...ou add will be called Filter Set 1 the next filter will be Filter Set 2 and so on To give a new filter set a different name select Filter Set Name and enter a new name for the filter set To save the filter set select ADD FILTER SET The saved filter set is empty contains no filters but you can return to it later to add filters see Adding filters to a filter set on page 10 29 Add Filter Set Filter S...

Page 303: ...etween the two involves their reference to source and destination From the perspective of an input filter your local network is the destination of the packets it checks and the remote network is their source From the perspective of an output filter your local network is the source of the packets and the remote network is their destination To add a filter select Display Change Filter Set in the Fil...

Page 304: ... toggle it to Yes If Enabled is toggled to No the filter can still exist in the filter set but it will have no effect Display Change Filter Set Filter Set Name Filter Set 3 Add Input Filter to Filter Set Display Change Input Filter Delete Input Filter Move Input Filter Add Output Filter to Filter Set Display Change Output Filter Delete Output Filter Move Output Filter Add Input Filter Enabled Yes ...

Page 305: ... If Protocol Type is set to TCP or UDP the settings for port comparison that you configure in steps 8 and 9 will appear These settings only take effect if the Protocol Type is TCP or UDP 9 Select Source Port Compare and choose a comparison method for the filter to use on a packet s source port number Then select Source Port ID and enter the actual source port number to match on see the table on pa...

Page 306: ...a filter set all of the filters it contains are deleted as well To reuse any of these filters in another set before deleting the current filter set you ll have to note their configuration and then recreate them To delete a filter set select Delete Filter Set in the Filter Sets screen to display a list of filter sets Select a filter set from the list and press Return Select CONTINUE and press Retur...

Page 307: ...filter 3: this filter explicitly forwards all WAN-originated ICMP traffic to permit devices on the WAN to ping devices on the LAN. Ping is an Internet service that is useful for diagnostic purposes; note that the same filter lets any Internet host discover which LAN addresses are live, so remove it if you do not need inbound ping. Input filters 4 and 5: these filters forward all TCP and UDP traffic, respectively, when the destination port is greater than 1023. This type of traffic generally does not allow a remote host to connect to th...

Page 308: ...odifications are not intended to be combined Each modification is to be the only one used with Basic Firewall The results of combining filter set modifications can be difficult to predict It is recommended that you take special care if you are making more than one modification to the sample filter set Trusted host To allow unlimited access by a trusted remote host with the IP address a b c d corre...

Page 309: ... does not delete the filters in that set However the filters in the deleted set are no longer in effect unless they are part of another set The deleted set will no longer appear in the answer profile or any connection profiles to which it was added Policy based Routing using Filtersets Previous software versions routed IP packets only by destination IP address Motorola Netopia Embedded Software Ve...

Page 310: ...e Call Placement Idle Reset pull down menu a match on this rule will keep the WAN connection alive by resetting the idle timeout status If you select Disabled a match on this rule will not reset the idle timeout status For example if you wanted ping traffic not to keep the link up you would create a filter which forwards a ping but with the Call Placement Idle Reset set to Disabled Toggle Force Ro...

Page 311: ...rwarding Filter. If you create one or more filters that have a matching action of forward, then the action on a packet matching none of the filters is to block any traffic. Therefore, if the behavior you want is to force the routing of a certain type of packet and pass all others through the normal routing mechanism, you must configure one filter to match the first type of packet and apply Force Routing. A...

Page 312: ...his header information is what the packet filter uses to make filtering decisions It is important to note that a packet filter does not look into the IP data stream the User Data from above to make filtering decisions Basic protocol types TCP Transmission Control Protocol TCP provides reliable packet delivery and has a retransmission mechanism so packets are not lost RFC 793 is the specification f...

Page 313: ...e ordering is critical. If a packet is forwarded through a series of filter rules and then the packet matches a rule, the appropriate action is taken; the packet will not forward through the remainder of the filter rules. For example, if you had the following filter set: Allow WWW access; Allow FTP access; Allow SMTP access; Deny all other packets, and a packet goes through these rules destined for FTP, the ...

Page 314: ...se of AND are as follows: 0 AND 0 = 0; 0 AND 1 = 0; 1 AND 0 = 0; 1 AND 1 = 1. For example: Filter rule: Deny IP 163.176.1.15 (binary 10100011 10110000 00000001 00001111). Mask: 255.255.255.255 (binary 11111111 11111111 11111111 11111111). Incoming packet IP: 163.176.1.15 (binary 10100011 10110000 00000001 00001111). If you put the incoming packet and subnet mask together with AND, the result is 10100011 10110000 00000001 00001...

Page 315: ...mple filter set screen. This is an example of the Motorola Netopia filter set screen. Filter basics: in the source or destination IP address fields, the IP address that is entered must be the network address of the subnet. A host address can be entered, but the applied subnet mask must be 32 bits (255.255.255.255). The Motorola Netopia Embedded Software Version 8.7.4 has the ability to compare source and d...

Page 316: ...Than or Equal: matches the port or any port greater. Greater Than: matches anything greater than the port defined. Filter rule: Source IP Network Address 200.1.1.0; Source IP Mask 255.255.255.128; Forward No (what happens on match). IP address and binary representation (last octet): 200.1.1.28 = 00011100 (source address in incoming IP packet) AND 255.255.255.128 = 10000000 (perform the logical AND) gives 00000000 (logical AND result). Data I...

Page 317: ...e will forward this packet because the packet does not match. Example 3: incoming packet has the source address of 200.1.1.184. Filter rule: Source IP Network Address 200.1.1.0; Source IP Mask 255.255.255.128; Forward No (what happens on match). IP address and binary representation (last octet): 200.1.1.184 = 10111000 (source address in incoming IP packet) AND 255.255.255.128 = 10000000 (perform the logical AND) gives 10000000 (logical AN...

Page 318: ...be forwarded. Example 5: incoming packet has the source address of 200.1.1.104 (the worked binary below is for .104, not .96). Filter rule: Source IP Network Address 200.1.1.96; Source IP Mask 255.255.255.240; Forward No (what happens on match). IP address and binary representation (last octet): 200.1.1.104 = 01101000 (source address in incoming IP packet) AND 255.255.255.240 = 11110000 (perform the logical AND) gives 01100000 (logical AND result), which equals the rule's 200.1.1.96, so the packet matches and is discarded. Filter rule: 200.1.1.96 Source IP Networ...
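The matching behaviour spelled out across the filter chapter (attribute matching on pages 296 to 299, the implicit rule for unmatched packets on page 300, first-match ordering on page 313, and the address-AND-mask examples on pages 314 to 318), as one added example that is not the handbook's or Netopia's code. Packets are plain dictionaries constructed for the example, and the field names on the Filter dataclass are the example's own names for the screen items.

```python
"""Filter evaluation as the handbook describes it (added example, not
Netopia code): source/destination match by logical AND of the packet address
with the filter's mask, port comparisons that apply only to TCP/UDP filters,
the first matching filter in the set deciding, and the implicit rule for
packets that no filter matches. Packets are constructed dicts."""
from dataclasses import dataclass
from ipaddress import IPv4Address

TCP, UDP, ICMP = 6, 17, 1

# Port comparison methods offered on the Add Input/Output Filter screens
PORT_COMPARE = {
    "No Compare": lambda pkt, rule: True,
    "Not Equal": lambda pkt, rule: pkt != rule,
    "Less Than": lambda pkt, rule: pkt < rule,
    "Less Than or Equal": lambda pkt, rule: pkt <= rule,
    "Equal": lambda pkt, rule: pkt == rule,
    "Greater Than or Equal": lambda pkt, rule: pkt >= rule,
    "Greater Than": lambda pkt, rule: pkt > rule,
}


def addr_match(packet_addr: str, rule_addr: str, mask: str) -> bool:
    """(packet address AND mask) must equal the filter's network address;
    a single-host rule therefore needs the 32-bit mask 255.255.255.255."""
    return (int(IPv4Address(packet_addr)) & int(IPv4Address(mask))) == int(IPv4Address(rule_addr))


@dataclass
class Filter:
    forward: bool                        # Fwd: Yes forwards, No discards
    enabled: bool = True                 # On
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"            # 0.0.0.0 with mask 0.0.0.0 = any address
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: int = 0                    # 0 = any protocol
    src_port_compare: str = "No Compare"
    src_port: int = 0
    dst_port_compare: str = "No Compare"
    dst_port: int = 0

    def matches(self, pkt: dict) -> bool:
        if not self.enabled:
            return False
        if not addr_match(pkt["src"], self.src, self.src_mask):
            return False
        if not addr_match(pkt["dst"], self.dst, self.dst_mask):
            return False
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        if self.protocol in (TCP, UDP):   # port fields only exist for TCP/UDP filters
            if not PORT_COMPARE[self.src_port_compare](pkt.get("sport", 0), self.src_port):
                return False
            if not PORT_COMPARE[self.dst_port_compare](pkt.get("dport", 0), self.dst_port):
                return False
        return True


def apply_filter_set(filters, pkt: dict):
    """Walk the set in order; return (forwarded, index of the deciding filter or None)."""
    for i, f in enumerate(filters):
        if f.matches(pkt):
            return f.forward, i
    # Nothing matched. The handbook's implicit rule: forwarded only if every
    # filter discards; discarded if all forward or if the set mixes both.
    active = [f for f in filters if f.enabled]
    if not active or all(not f.forward for f in active):
        return True, None
    return False, None
```

The last rule is the one that bites in practice: a set built only from "forward" filters silently drops everything else, while a set built only from "discard" filters silently lets everything else through, so a Telnet-blocking filter on its own blocks exactly one host and nothing more.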

Page 319: ...onfiguration. Whenever you choose, you can reboot into one of these configurations, the copy of which becomes the current configuration. You name the saved configurations, giving you a reference for identifying each one. The naming operation occurs when you decide to save a configuration or when downloading a configuration via TFTP. The configurations that are saved will persist across a Factory Default...

Page 320: ...urations, you can select it from a pop-up menu. If you select Boot from a Configuration and select a different one, you can reboot the gateway with your selected configuration. Configuration Management screen: Save Current Configuration as... / Replace Existing Configuration... / Boot from a Configuration... / Delete a Configuration... / Factory Default from Configuration... none / Remove Factory Default Configuration / Return. Enter to...

Page 321: ...ration pop-up menu, select the configuration you want to designate as the Factory Default. Configuration Management screen: Save Current Configuration as... / Replace Existing Configuration... / Boot from a Configuration... / Delete a Configuration... / Factory Default from Configuration... none / Remove Factory Default Configuration. Configuration Name / Type: HappyInternet / Binary; Config1 / Binary; LesMizz / Binary. Configuration Management...

Page 322: ...pop-up menus in the TFTP File Transfer screen in the Utilities & Diagnostics menu, as shown. Configuration Management screen: Save Current Configuration as... / Replace Existing Configuration... / Boot from a Configuration... / Delete a Configuration... / Factory Default from Configuration... HappyInternet / Remove Factory Default Configuration / Return. Enter to select Factory Default Configuration. Trivial File Transfer Protocol (TFTP): T...

Page 323: ...on and Software Files with TFTP on page 11-6; Restarting the System on page 11-8. Note: These utilities and tests are accessible only through the Telnet-based management screens. See the Getting Started Guide chapter Telnet-Based Management for information on accessing the Telnet-based management screens. You access the Utilities & Diagnostics screens from the Main Menu. Utilities & Diagnostics: Ping / Trace R...

Page 324: ...1 to 4,294,967,295. 3. Select Data Size to change the default setting. This is the size in bytes of each Ping packet sent. The default setting is adequate in most cases, but you can change it to any value from 0 (only header data) to 1664. 4. Select Delay (seconds) to change the default setting. The delay in seconds determines the time between Ping packets sent. The default setting is adequate in most cases, bu...

Page 325: ...ge / Description: Resolving host name: Finding the IP address for the domain-name-style address. Can't resolve host name: IP address can't be found for the domain-name-style address. Pinging: Ping test is in progress. Complete: Ping test was completed. Cancelled by user: Ping test was cancelled manually. Destination unreachable from w.x.y.z: Ping test was able to reach the gateway with IP address w.x.y.z, which ...

Page 326: ...nd a destination unreachable notification is returned to the sender (see the table on the previous page). This ensures that no infinite routing loops occur. The TTL value can be set and retrieved using the SNMP MIB-II ip group's ipDefaultTTL object. Trace Route: You can count the number of gateways between your Motorola Netopia Router and a given destination with the Trace Route utility. In the Statistic...

Page 327: ...Telnet from the Utilities & Diagnostics menu. The Telnet client screen appears. Enter the host name or the IP address (in dotted-decimal format) of the machine you want to Telnet into and press Return. Either accept the default control character (Q), used to suspend the Telnet session, or type a different one. START A TELNET SESSION becomes highlighted. Press Return and the Telnet session will be initiated. To ...

Page 328: ...ed configuration on page 10-47. Transferring Configuration and Software Files with TFTP: Trivial File Transfer Protocol (TFTP) is a method of transferring data over an IP network. TFTP is a client-server application, with the gateway as the client. To use the Router as a TFTP client, a TFTP server must be available. Motorola, Inc. has a public-access TFTP server on the Internet where you can obtain the lates...

Page 329: ...e system will reset at the end of the file transfer to put the new software into effect. While the system resets, the LEDs will blink on and off. Caution: Be sure the software update you load onto your gateway is the correct version for your particular model. Some models do not support all software versions. Loading an incorrect software version can permanently damage the unit. Do not manually power down...

Page 330: ...be useful for troubleshooting purposes. The uploaded configuration file can be tested on a different Router unit by Motorola or your network administrator. To upload a configuration file, follow these steps: 1. Select TFTP Server Name and enter the server name or IP address of the TFTP server you will use. The server name or IP address is available from the site where the server is located. 2. Select Conf...

Page 331: ...view the following suggestions before calling for technical support. There are four zones to consider when troubleshooting initial configuration: 1. The computer's connection to the gateway. 2. The gateway's connection to the telecommunication line(s). 3. The telecommunication line's connection to your ISP. 4. The ISP's connection to the Internet. If the connection from the computer to the gateway was not su...

Page 332: ...names (198.34.7.1 but not garcia.netopia.com, for example), verify that the DNS server's IP address is correct and that it is reachable from the Router (use Ping). If you are using filters, check that your filter sets are not blocking the type of connections you are trying to make. Local routing problems: Observe the Ethernet LEDs to see if data traffic flow appears to be normal. Check the WAN statistics and...

Page 333: ...tch the Router off and then back on again. After temporary power outages, a connection that still seems to be up may actually be disconnected. Rebooting the gateway should reestablish the connection. Technical Support: Motorola, Inc. is committed to providing its customers with reliable products and documentation, backed by excellent technical support. Before contacting Motorola: Look in this guide for a so...

Page 334: ...ed to reproduce it and to try some troubleshooting steps. When you are prepared, contact Motorola Technical Support by e-mail, telephone, fax, or post. Internet: ask_netopia@netopia.com for technical support; info@netopia.com for general information. Phone: 1-510-597-5400. Fax: 1-510-420-7601. Motorola, Inc., Customer Services, 6001 Shellmound Street, Emeryville, California 94608, USA. Online product information: Produ...

Page 335: ...guring terminal emulation software 1-4; configuring the console 3-49; Connection profiles 2-8; console, configuring 3-49; console configuration 3-49; console-based management, configuring with 1-2, 2-1, 3-1; Constant Bit Rate (CBR) 2-6. D: D port 10-24; Data Encryption Standard (DES) 5-17; date and time, setting 3-37; dead peer detection 6-15, traffic-based 6-9; delayed configuration 2-15; delete static route 7-9; DES 5-...

Page 336: ...ng 10-32; disadvantages of 10-26; input 10-29; modifying 10-31; output 10-29; using 10-26, 10-27; viewing 10-31; firewall 10-32; firmware files, updating with TFTP 11-7; FTP sessions 10-35. G: general statistics 9-6; Generic Routing Encapsulation (GRE) 5-10. H: how to reach us A-4. I: IGMP Snooping 3-53; IKE 6-1; input filter 3 10-33; input filters 1 and 2 10-33; input filters 4 and 5 10-33; Internet Key Exchange 6-1; Inte...

Page 337: ...Netopia: distributing IP addresses 7-17; models 1-3; monitoring 9-1; security 10-1; system utilities and diagnostics 11-1; Network Address Translation, see NAT 7-1; network problems A-2; network status overview 9-1. O: output filter 1 10-34. P: PAT (Port Address Translation) 4-2; permanent virtual circuit 2-5; ping 11-2; Ping Host Name 8-10; Ping source address 6-15; ping test, configuring and initiating 11-2; policy b...

Page 338: ... 7-3, 7-6; strong encryption 5-17; subnets, multiple 7-3; support, technical A-3; syslog 3-55. T: technical support A-3; telnet 1-4, access 10-19; terminal emulation software, configuring 1-4; TFTP: defined 11-6, downloading configuration files 11-7, transferring files 11-6, updating firmware 11-7, uploading configuration files 11-8; tiered access 10-1; TOS bit 2-26, 10-37; Trivial File Transfer Protocol (TFTP) 11-6; Trivi...

Page 339: ... through a firewall 5-23; ATMP tunnel options 5-14; default answer profile 5-17; encryption support 5-16; PPTP tunnel options 5-4; VRID 7-35; VRRP 7-34; VRRP Options 2-26, 7-3. W: WAN event history 9-4; WAN Ethernet Configuration 2-1; WAN event history 9-4; WAN Link Failure Detection 2-26; WEP (Wired Equivalent Privacy) 3-43; Wi-Fi Protected Access 3-41; Windows NT Domain Name 5-6; Wireless Configuration 3-38; Wirele...
