Netopia 3342, Software User'S Manual

Page 1: ...Netopia Software User Guide April 2006 Netopia 2200 and 3300 Series Gateways Version 7 6 ...

Page 2: ... registered trademarks belonging to Netopia Inc registered U S Patent and Trademark Office Broadband Without Boundaries is a trademark belonging to Netopia Inc All other trademarks are the property of their respec tive owners All rights reserved Netopia Inc Part Number 6161227 00 01 ...

Page 3: ...Basic Mode Setup 19 Important Safety Instructions 20 POWER SUPPLY INSTALLATION 20 TELECOMMUNICATION INSTALLATION 20 Wichtige Sicherheitshinweise 21 NETZTEIL INSTALLIEREN 21 INSTALLATION DER TELEKOMMUNIKATION 21 Setting up the Netopia Gateway 22 Microsoft Windows 22 Macintosh MacOS 8 or higher or Mac OS X 24 Configuring the Netopia Gateway 26 MiAVo VDSL and Ethernet WAN models Quickstart 27 PPPoE Q...

Page 4: ... Restart 45 Alert Symbol 46 Help 47 Configure 48 Quickstart 48 How to Use the Quickstart Page 48 Setup Your Gateway using a PPP Connection 48 LAN 50 Wireless 53 Privacy 54 Advanced 57 About Closed System Mode 59 WPA Version Allowed 61 Multiple SSIDs 62 Wireless MAC Authorization 63 Use RADIUS Server 66 WAN 68 Advanced 72 IP Static Routes 73 IP Static ARP 75 Pinholes 75 Configure Specific Pinholes ...

Page 5: ... Differentiated Services 89 DNS 92 DHCP Server 92 RADIUS Server 94 SNMP 95 IGMP Internet Group Management Protocol 97 UPnP 100 LAN Management 101 Advanced Ethernet Bridge 102 Configuring for Bridge Mode 103 VLAN 106 System 111 Syslog Parameters 111 Log Event Messages 113 Internal Servers 116 Software Hosting 116 List of Supported Games and Software 117 Rename a User PC 119 Clear Options 120 Time Z...

Page 6: ... Example filter set page 150 Filter basics 151 Example network 151 Example filters 152 Example 1 152 Example 2 152 Example 3 152 Example 4 153 Example 5 153 Packet Filter 154 What s a filter and what s a filter set 155 How filter sets work 155 Filter priority 156 How individual filters work 156 A filtering rule 157 Parts of a filter 157 Port numbers 158 Port number comparisons 158 Other filter att...

Page 7: ...quired Files 181 Step 2 Netopia firmware Image File 181 Install Keys 184 Use Netopia Software Feature Keys 184 Obtaining Software Feature Keys 184 Procedure Install a New Feature Key File 184 To check your installed features 186 Install Certificate 188 CHAPTER 4 Basic Troubleshooting 191 Status Indicator Lights 192 LED Function Summary Matrix 201 Factory Reset Switch 203 CHAPTER 5 AdvancedTroubles...

Page 8: ...ting the CONFIG Hierarchy 237 Entering Commands in CONFIG Mode 239 Guidelines CONFIG Commands 240 Displaying Current Gateway Settings 240 Step Mode A CLI Configuration Technique 240 Validating Your Configuration 241 CONFIG Commands 242 DSL Commands 242 ATM Settings 242 Bridging Settings 244 Common Commands 244 DHCP Settings 245 Common Commands 245 DMT Settings 247 DSL Commands 247 Domain Name Syst...

Page 9: ...rface Preference Settings 267 Port Renumbering Settings 269 Security Settings 270 Firewall Settings for BreakWater Firewall 270 SafeHarbour IPSec Settings 270 Internet Key Exchange IKE Settings 275 Stateful Inspection 276 Example 277 Packet Filtering Settings 278 Example 281 SNMP Settings 282 SNMP Notify Type Settings 283 System Settings 283 Syslog 288 Default syslog installation procedure 288 Wir...

Page 10: ...ifications and Safety Information 327 Description 327 Dimensions 327 Communications interfaces 327 Power requirements 327 Environment 327 Operating temperature 327 Storage temperature 327 Relative storage humidity 328 Software and protocols 328 Software media 328 Routing 328 WAN support 328 Security 328 Management configuration methods 328 Diagnostics 328 Agency approvals 329 North America 329 ...

Page 11: ...33 FCC Statements 333 Electrical Safety Advisory 334 CHAPTER 9 Overview of Major Capabilities 335 Wide Area Network Termination 336 PPPoE PPPoA Point to Point Protocol over Ethernet ATM 336 Instant On PPP 336 Simplified Local Area Network Setup 337 DHCP Dynamic Host Configuration Protocol Server 337 DNS Proxy 337 Management 338 Embedded Web Server 338 Diagnostics 338 Security 339 Remote Access Con...

Page 12: ...Table of Contents 12 VPN IPSec Pass Through 343 VPN IPSec Tunnel Termination 344 Stateful Inspection Firewall 344 SSL Certificate Support 344 Index 345 ...

Page 13: ...nd See page 293 Wireless WPA Version 2 support for wireless models See WPA Version Allowed on page 61 Added web UI management control for IGMP Snooping See IGMP Internet Group Man agement Protocol on page 97 Changes and improvements that require no user intervention include Automatically purge old disassociated entries in the SNMP association table Onboard Access Controls removed replaced by Netop...

Page 14: ...of intelligent enterprise and consumer Gateways It consists of Software User Guide Dedicated Quickstart guides Specific White Papers The documents are available in electronic form as Portable Document Format PDF files They are viewed and printed from Adobe Acrobat Reader Exchange or any other applica tion that supports PDF files They are downloadable from Netopia s website http www netopia com Int...

Page 15: ...ic monospaced Menu commands bold italic sans serif Web GUI page links and button names terminal Computer display text bold terminal User entered text Italic Italic type indicates the complete titles of manuals Convention Graphics Description Denotes an excerpt from a Web page or the visual truncation of a Web page Denotes an area of emphasis on a Web page Convention Description straight brackets i...

Page 16: ...with vertical bars Alternative values for an argument are pre sented in curly brackets with values separated with vertical bars bold terminal type face User entered text italic terminal type face Variables for which you supply your own val ues ...

Page 17: ...on Chapter 5 Advanced Troubleshooting Gives suggestions and descriptions of expert tools to use to troubleshoot your Gateway s configuration Chapter 6 Command Line Interface Describes all the current text based com mands for both the SHELL and CONFIG modes A summary table and individual com mand examples for each mode is provided Chapter 7 Glossary Chapter 8 Technical Specifications and Safety Info...

Page 18: ...18 ...

Page 19: ...onfigure and use your Netopia Gateway The following instructions cover installation in Router Mode This section covers Important Safety Instructions on page 20 Wichtige Sicherheitshinweise on page 21 German Setting up the Netopia Gateway on page 22 Configuring the Netopia Gateway on page 26 Netopia Gateway Status Indicator Lights on page 30 Home Page Basic Mode on page 31 ...

Page 20: ...as till jordat uttag när den ansluts till ett nätverk Norway Apparatet må kun tilkoples jordet stikkontakt USB powered models For Use with Listed I T E Only TELECOMMUNICATION INSTALLATION When using your telephone equipment basic safety precautions should always be followed to reduce the risk of fire electric shock and injury to persons including the following Do not use this product near water fo...

Page 21: ...les jordet stikkontakt USB powered models For Use with Listed I T E Only INSTALLATION DER TELEKOMMUNIKATION Wenn Ihre Telefonausrüstung verwendet wird sollten grundlegende Sicherheitsanweisun gen immer befolgt werden um die Gefahr eines Feuers eines elektrischen Schlages und die Verletzung von Personen zu verringern Beachten Sie diese weiteren Hinweise Benutzen Sie dieses Produkt nicht in Wassernä...

Page 22: ...able modem Different Netopia Gateway models are supplied for any of these connections Be sure to enable Dynamic Addressing on your PC Perform the following Microsoft Windows Step 1 Navigate to the TCP IP Properties Control Panel a Some Windows versions follow a path like this Start menu Settings Control Panel Network or Network and Dial up Connections Local Area Connection Properties TCP IP your_n...

Page 23: ...address automatically if available Step 4 Remove any previously configured Gateways if available Step 5 OK the settings Restart if prompted b Some Windows versions follow a path like this Start menu Control Panel Network and Internet Connections Network Connections Local Area Connection Properties Inter net Protocol TCP IP Properties ...

Page 24: ...24 Macintosh MacOS 8 or higher or Mac OS X Step 1 Access the TCP IP or Network control panel a MacOS follows a path like this Apple Menu Control Panels TCP IP Control Panel ...

Page 25: ...go to Step 2 Step 2 Select Built in Ethernet Step 3 Select Configure Using DHCP Step 4 Close and Save if prompted Proceed to Configuring the Netopia Gateway on page 26 b Mac OS X follows a path like this Apple Menu System Preferences Network ...

Page 26: ...appears Access to your Netopia device can be controlled through two access control accounts Admin or User The Admin or administrative user performs all configuration management or mainte nance operations on the Gateway The User account provides monitor capability only A user may NOT change the configuration perform upgrades or invoke maintenance functions For the security of your connection an Adm...

Page 27: ...ays the Quickstart page 2 Click the Connect to the Internet button Once a connection is established your browser is redirected to your service provider s home page or a registration page on the Internet For MiAVo Series models your configuration is complete You can skip to Home Page Basic Mode on page 31 ...

Page 28: ...name and password supplied by your Internet Service Pro vider Click the Connect to the Internet button Once you enter your username and password here you will no longer need to enter them whenever you access the Internet The Netopia Gateway stores this information and automatically connects you to the Internet The Gateway displays a message while it configures itself ...

Page 29: ...nection is established your browser is redirected to your service provider s home page or a registration page on the Internet 5 Congratulations Your installation is complete You can now surf to your favorite Web sites by typing an URL in your browser s location box or by selecting one of your favorite Internet bookmarks ...

Page 30: ...f various port activity Different Gateway models have different ports for your connections and different indicator LEDs The Quickstart Guide accompanying your Netopia Gateway describes the behavior of the various indicator LEDs Example status indicator lights n e t o p i a Status Indicator Lights LEDs ...

Page 31: ...e performed the basic Quickstart configuration any time you log in to your Netopia Gateway you will access the Netopia Gateway Home Page You access the Home Page by typing http 192 168 1 254 in your Web browser s loca tion box The Basic Mode Home Page appears ...

Page 32: ...ge to Up within two minutes Up is displayed when the ADSL line is synched and the PPPoE session is established Down indicates inability to establish a connection possible line failure Local WAN IP Address This is the negotiated address of the Gateway s WAN interface This address is usually dynamically assigned Remote Gateway Address This is the negotiated address of the remote router to which this...

Page 33: ...t link The Manage My Account page appears If you have a PPPoE account enter your username and then your new password Confirm your new password For security your actual passwords are not displayed on the screen as you type You must enter the new password twice to be sure you have typed it correctly Click the Submit button If you have a non PPPoE account click the OK button You will be taken to your...

Page 34: ...everal aspects of your physical and electronic connection and reports its results on screen This can be useful for troubleshooting or when speaking with a technical support technician Click on the Status Details link The Diagnostics page appears Click the Run Diagnostics button to run your diagnostic tests For a detailed description of these tests see Diagnostics on page 215 ...

Page 35: ...Rmt Mgmt link The Enable Remote Management page appears Since you ve already has entered an Admin password you can use that Admin password or enter a new password If you enter a new password it becomes the temporary Admin pass word After the time out period has expired the Admin password reverts to the original Admin password you entered Enter a temporary password for the person you want to author...

Page 36: ...hrough the Expert Mode pages Click the Expert Mode link to display the Expert Mode Confirmation page You should carefully consider any configuration changes you want to make and be sure that your service provider supports them Once you click the OK button you will be taken to the Expert Mode Home Page The Expert Mode Home Page is the main access point for configuring and managing the advanced feat...

Page 37: ...features Your gateway includes its own onboard installation capability Your service provider may inform you when new firmware is available or you can check for yourself Click the Update Firmware link The Firmware Update Confirmation page appears If you click the Continue button the Gateway will check a remote Firmware Server for the latest firmware revision If a newer version is found your firmwar...

Page 38: ...ram the Netopia Gateway You can perform a factory reset to do this Click on Factory Reset to reset the Gateway back to its original factory default settings NOTE Exercise caution before performing a Factory Reset This will erase any config uration changes that you may have made and allow you to reprogram your Gateway ...

Page 39: ... you can use any recent version of the best known web browsers such as Netscape Navigator or Microsoft Internet Explorer from any LAN attached PC or workstation The procedure is 1 Enter the name or IP address of your Netopia Gateway in the Web browser s window and press Return For example you would enter http 192 168 1 254 2 If an administrator or user password has been assigned to the Netopia Gat...

Page 40: ...40 3 Click on the Expert Mode link in the left hand column of links You are challenged to confirm your choice Click OK The Home Page opens in Expert Mode ...

Page 41: ...Page Expert Mode The Home Page is the summary page for your Netopia Gateway The toolbar at the top pro vides links to controlling configuring and monitoring pages Critical configuration and oper ational status is displayed in the center section ...

Page 42: ...er Firewall ClearSailing SilentRunning or LANdLocked Safe Harbour If the optional feature key is installed SafeHarbour VPN IPsec Tunnel option if installed either On or Off WAN Status Wide Area Network may be Waiting for DSL or other waiting status Up or Down Data Rate Kbps Once connected displays DSL speed rate Downstream and Upstream Local Address IP address assigned to the WAN port Peer Address...

Page 43: ...or Off ON if using DHCP to get IP addresses for your LAN client machines DHCP Leases A lease is held by each LAN client that has obtained an IP address through DHCP Ethernet or USB Status Status of your Ethernet network connection if supported Up or Down ...

Page 44: ... trail is built in the light brown area beneath the toolbar As you navigate down a path within the site the trail is built from left to right To return anywhere along the path from which you came click on one of the links Home Configure Troubleshoot Security Install Restart Help Quickstart System Status Passwords Install Keys LAN Network Tools Firewall Install Software WAN Diagnostics IPSec Instal...

Page 45: ...art button on the toolbar allows you to restart the Gateway at any time You will be prompted to confirm the restart before any action is taken The Restart Confirmation mes sage explains the consequences of and reasons for restarting the Gateway ...

Page 46: ...the change will take effect You can make many changes on various pages and even leave the browser for up to 5 minutes but if the Gateway is restarted before the changes are applied they will be lost When you click on the Alert symbol the Save Changes page appears Here you can select various options to save or discard these changes If more than one Alert is triggered you will need to take action to...

Page 47: ...Help Context sensitive Help is provided in your Gateway The page shown here is displayed when you are on the Home page or other transitional pages To see a context help page example go to Security Passwords then click Help ...

Page 48: ...volved This button will not be available if you log on as User Link Quickstart How to Use the Quickstart Page Quickstart is normally used immediately after the new hardware is installed When you are first configuring your Gateway Quickstart appears first Once you have configured your Gateway logging on displays the Home page Thereafter if you need to use Quickstart choose it from the Expert Mode C...

Page 49: ...ile the Gateway attempts to establish a connection 3 When the connection succeeds your browser will display your Service Provider s home page If you encounter any problems connecting refer to the chapters Basic Troubleshooting on page 191 or Advanced Troubleshooting on page 205 ...

Page 50: ... TCP IP network connected to the virtual circuit The subnet mask specifies which bits of the 32 bit binary IP address represent net work information The default subnet mask for most networks is 255 255 255 0 Class C subnet mask Restrictions Specifies whether an administrator can open a Web Administrator or Telnet connection to the Gateway over the LAN interface in order to monitor and configure th...

Page 51: ...lementation of multicasting instead of broadcasting which reduces the load on hosts which do not support routing protocols RIP 1 compatibility Compatible with RIP version 1 RIP 2 with MD5 MD5 authentication is an extension of RIP 2 that increases security by requiring an authentication key when routes are advertised RIP MD5 Key Secret password when using RIP 2 with MD5 RIP Receive Mode Specifies w...

Page 52: ...P server on your LAN you should turn this service off If you want the Gateway to provide this ser vice click the Server Mode pull down menu choose Server then configure the range of IP addresses that you would like the Gateway to hand out to your computers You can also specify the length of time the computers can use the configuration informa tion DHCP calls this period the lease time Your Service...

Page 53: ...orm name of up to 32 characters for example Ed s Wireless LAN On client PCs software this might also be called the Net work Name The SSID is used to identify this particular wireless LAN Depending on their operating system or client wireless card users must either select from a list of available wireless LANs that appear in a scanned list on their client or if you are in Closed System Mode see Ena...

Page 54: ...gener ate WEP keys for connecting wireless client computers Privacy Off No Privacy provides no encryption on your wireless LAN data WPA 802 1x provides RADIUS server authentication support WPA PSK provides Wireless Protected Access the most secure option for your wire less network This mechanism provides the best data protection and access control ...

Page 55: ...nt Privacy for encryption of network data You can enable 40 128 or 256 bit WEP Encryption depending on the capability of your client wireless card for IP traffic on your LAN You select a single key for encryption of outbound traffic The WEP enabled client must have an identical key of the same length in the identical slot 1 4 as the Gateway in order to successfully receive and decrypt the traffic ...

Page 56: ...56 Click the Submit button The Alert icon appears Click the Alert icon and then the Save and Restart link ...

Page 57: ...57 Configure Advanced If you click the Advanced link the advanced 802 11 Wireless Settings page appears Note This page displays different options depending on which form of Privacy or other ...

Page 58: ...lection is not necessary at the client computers the clients will scan the available channels seeking access points using the same SSID as the client AutoChannel Setting For 802 11G models AutoChannel is a feature that allows the Netopia Gateway to determine the best channel to broadcast automatically Three settings are available from the pull down menu Off Use default At Startup and Continuous Of...

Page 59: ...evel of security since your wireless LAN will no longer appear as an available access point to client PCs that are casually scanning for one Your own wireless network clients however must log into the wireless LAN by using the exact SSID of the Netopia Gateway In addition if you have enabled WEP encryption on the Netopia Gateway your network cli ents must also have WEP encryption enabled and must ...

Page 60: ...eway WEP Manual allows you to enter your own encryption keys manually This is a difficult process but only needs to be done once Avoid the temptation to enter all the same characters Encryption Key Size 1 4 Selects the length of each encryption key The longer the key the stronger the encryption and the more difficult it is to break the encryption ...

Page 61: ...t transmitted traffic The default is key 1 You disable the wireless LAN by unchecking the Enable Wireless checkbox clicking the Submit button followed by the Save and Restart link WPA Version Allowed If you select either WPA 802 1x or WPA PSK as your privacy setting the WPA Version Allowed pull down menu appears to allow you to select the WPA version s that will be required for client connections ...

Page 62: ...rk Names for your wireless network To enable Multiple Wireless SSIDs click the Multiple SSIDs link When the Multiple Wireless SSIDs screen appears check the Enable SSID checkbox for each SSID you want to enable The screen expands to allow you to name each additional Wireless ID and specify a Pri vacy mode for each one ...

Page 63: ...eless bridging between clients is disabled for all members of these additional net work IDs Click the Submit button After your first entry the Alert icon will appear in the upper right corner of your screen When you are finished adding SSIDs click the Alert icon and Save your changes and restart the Gateway Wireless MAC Authorization Wireless MAC Authorization allows you to specify which client PC...

Page 64: ...lick the MAC Authorization link When the Wireless MAC Authentication screen appears check the Enable Wireless MAC Authorization checkbox The screen expands as follows Click the Add button The Authorized Wireless MAC Address Entry screen appears ...

Page 65: ...ion is enabled all wireless clients are blocked until their MAC addresses are added to the Authorized list Your entry will be added to a list of up to 32 authorized addresses as shown You can continue to Add Edit or Delete addresses to the list by clicking the respective buttons After your first entry the Alert icon will appear in the upper right corner of your screen When you are finished adding ...

Page 66: ...list maintained locally within the Gateway If you click the RADIUS link the screen expands to allow you to enter your RADIUS server information RADIUS Server Addr Name The default RADIUS server name or IP address that you want to use RADIUS Server Secret The RADIUS secret key used by this server The shared secret should have the same characteristics as a normal password RADIUS Server Port The port...

Page 67: ...67 Configure The Advanced Network Configuration page appears You access the RADIUS Server configuration screen from the Advanced Network Configura tion web page by clicking the RADIUS Server link ...

Page 68: ...have PPPoE enabled you can specify that packets destined for unknown hosts will be sent to the gateway being used by the remote PPP peer If you select ip address you must enter the IP address of a host on a local or remote network to receive the traffic Default Gateway The IP Address of the default gateway Other WAN Options PPPoE You can enable or disable PPPoE This link also allows configuration ...

Page 69: ...ts of eight static VPI VCI pair configurations These are 0 35 8 35 0 32 8 32 1 35 1 1 1 32 2 32 These eight VPI VCI pairs will be cre ated if the Gateway is configured for autodetection the Gateway does not establish a circuit using any of these preconfigured VPI VCI pairs then you can manually enter a VPI VCI pair in the ATM Circuits page ATM Traffic Shaping You can prioritize delay sensitive data...

Page 70: ... for real time applications such as real time voice video although it can be used for other applications VBR Variable Bit Rate This class is characterized by a Peak Cell Rate PCR which is a temporary burst not a sustained rate and a Sustained Cell Rate SCR a Burst Tolerance BT specified in terms of Maximum Burst Size MBS The MBS is the maximum number of cells that can be transmitted at the peak ce...

Page 71: ...s the tolerated Cell Delay Varia tion range and the provisioned Maximum Burst Size Class PCR SCR MBS Transmit Priority Comments UBR X N A N A Low PCR is a cap CBR X N A N A High PCR is a guaranteed rate VBR X X X High PCR SCR SCR is a guaranteed rate PCR is a cap ...

Page 72: ...72 Link Advanced Selected Advanced options are discussed in the pages that follow Many are self explana tory or are dictated by your service provider The following are links under Configure Advanced ...

Page 73: ...en you click the Static Routes link the IP Static Routes page appears You can configure as many as 32 static IP routes for the Gateway To add a static route click the Add button The IP Static Route Entry page appears Destination Network Enter the IP address of the static route It may not be 0 0 0 0 Netmask Enter the subnet mask for the IP network at the other end of the static route The subnet mas...

Page 74: ...ill be used to indicate The remote network is one router away and the static route is the best way to reach it The remote network is more than one router away but the static route should not be replaced by a dynamic route even if the dynamic route is more efficient RIP Advertise From the pull down menu choose how the static route should be adver tised via RIP Split Horizon Do not advertise route i...

Page 75: ...ike dynamic ARP table entries static ARP table entries do not time out The IP address cannot be 0 0 0 0 The Ethernet MAC address entry is in nn nn nn nn nn nn hexadecimal format Link Pinholes Pinholes allow you to transparently route selected types of network traffic such as FTP requests or HTTP Web connections to a specific host behind the Gateway Creating a pin hole allows access traffic origina...

Page 76: ... it With NAT On the only externally visible IP address on your network is the Gateway s WAN IP supplied by your Service Pro vider All traffic intended for that LAN Web server must be directed to that IP address Application 2 You want one of your LAN stations to act as the central repository for all email for all of the LAN users Application 3 One of your LAN stations is specially configured for ga...

Page 77: ...uired for Web services ensure that the embedded Web server s port number is re assigned PRIOR to any Pinhole data entry 2 Enter data for one Pinhole at a time 3 Use a unique name for each Pinhole If you choose a duplicate name it will overwrite the previous information without warning ...

Page 78: ...y 192 168 1 x 8100 to access the web and 192 168 1 x 23 to access the telnet server WAN LAN Ethernet Interface 192 168 1 1 192 168 1 2 192 168 1 3 my webserver my mailserver my games Gateway NAT NAT Pinholes Embedded Web Server 210 219 41 20 210 219 41 20 8100 Ethernet Interface Internet ...

Page 79: ...first NOTE The two text boxes Web HTTP Server Port and Telnet Server Port on this page refer to the port numbers of the Netopia Gateway s embedded admin istration ports To pass Web traffic through to your LAN station s select a Web HTTP Port number that is greater than 1024 In this example you choose 8100 2 Type 8100 in the Web HTTP Server Port text box 3 Click the Submit button 4 Click Advanced S...

Page 80: ...d Type your specific data into the Pinhole Entries table of this page Click Submit 6 Click on the Add or Edit more Pinholes link Click the Add button Add the next Pinhole Type the specific data for the second Pinhole ...

Page 81: ...or the third Pinhole NOTE Note the following parameters for the my games Pinhole 1 The Protocol ID is UDP 2 The external port is specified as a range 3 The Internal port is specified as the lower range entry 8 Click on the Add or Edit more Pinholes link Review your entries to be sure they are correct 9 Click the Alert button ...

Page 82: ...AN Gateway address new port number or in this case 210 219 41 20 8100 You can also use the LAN side address of the Gateway 192 168 1 x 8100 to access the web and 192 168 1 x 23 to access the telnet server Link IPMaps IPMaps supports one to one Network Address Translation NAT for IP addresses assigned to servers hosts or specific computers on the LAN side of the Netopia Gateway A single static or d...

Page 83: ... Locally hosted servers are supported by a public IP address while LAN users behind the NAT enabled IP address are protected IPMaps is compatible with the use of NAT with either a statically assigned IP address or DHCP PPP served IP address for the NAT table What types of servers are supported by IPMaps IPMaps allows a Netopia Gateway to support servers behind the Gateway for example web mail FTP ...

Page 84: ...a Gateway Static IP Addresses for IPMaps Applications 143 137 50 37 143 137 50 36 143 137 50 35 Static IP Addresses or DHCP PPP Served IP Address for Netopia s default NAT PAT Capabilities IPMaps One to One Multiple Address Mapping LAN stations with WAN IP traffic forwarded by Netopia s IPMaps LAN stations with WAN IP traffic forwarded by Netopia s NAT function WAN Interface LAN Interface 192 168 1 ...

Page 85: ...n specific traffic to a designated LAN station With NAT On in the Gateway these packets normally would be discarded For instance this could be application traffic where you don t know in advance the port or protocol that will be used Some game applications fit this profile Use the following steps to setup a NAT default server to receive this information 1 Select the Configure toolbar button then Ad...

Page 86: ...ination Application Netopia s NAT security feature allows you to con figure a sophisticated LAN layout that uses both the Pinhole and Default Server capabili ties WAN LAN Ethernet Interface 192 168 1 3 192 168 1 2 192 168 1 1 LAN STN 3 LAN STN 2 NAT Default Server Gateway NAT NAT Default Embedded Web Server 210 219 41 20 210 219 41 20 Port 80 default NAT protected Ethernet Interface Internet Serve...

Page 87: ...rovides PAT NAPT via the same public IP address for all other hosts on the private LAN subnet Using IP passthrough The public WAN IP is used to provide IP address translation for private LAN computers The public WAN IP is assigned and reused on a LAN computer DHCP address serving can automatically serve the WAN IP address to a LAN computer When DHCP is used for addressing the designated passthroug...

Page 88: ...IP address which will be a private IP address before the WAN connection is established After the WAN connection is established and has an address the passthrough host can renew its DHCP address binding to acquire the WAN IP address A restriction Since both the Gateway and the passthrough host will use the same IP address new sessions that conflict with existing sessions will be rejected by the Gat...

Page 89: ...use less restrictive but less reliable connections To enable Differentiated Services check the Enable checkbox Enter a value from 60 to 100 percent in the Low High Priority Ratio field The default is 92 Differentiated Services uses the low to high priority queue ratio to regulate traffic flow For example to provide the least possible latency and highest possible throughput for high priority traffi...

Page 90: ...ally specify a range of ports Enter the starting port here End Port Enter the ending port here Inside IP Address Netmask For outbound flows specify an IP address on your LAN For inbound flows this setting is ignored This setting marks packets from this LAN IP host network based on the address and netmask information For outbound flows the Inside IP Address Netmask is the source address If you ente...

Page 91: ... Setting TOS Bit Value Behavior Off TOS 000 This custom flow is disabled You can activate it by selecting one of the two settings below This setting allows you to pre define flows with out actually activating them Assure TOS 001 Use normal queuing and throughput rules but do not drop packets if possible Appropriate for applications with no guaranteed delivery mechanism Expedite TOS 101 Use minimum...

Page 92: ...an provide network configuration information to computers on your LAN using the Dynamic Host Configuration Protocol DHCP If you already have a DHCP server on your LAN you should turn this service off If you want the Gateway to provide this service click the Server Mode pull down menu then configure the range of IP addresses that you would like the Gateway to hand out to your computers You can also...

Page 93: ... Gateway will relay the DHCP requests from your computers to a DHCP server in the Service Provider s network Click the relay agent and enter the IP address of the Service Provider s DHCP server in the Server Address field This address is furnished by the Service Provider NOTE The relay agent option only works when NAT is off and the Gateway is in router mode ...

Page 94: ...orized user list maintained locally within the Gateway If you click the RADIUS link the RADIUS Servers screen appears RADIUS Server Addr Name The default RADIUS server name or IP address that you want to use RADIUS Server Secret The RADIUS secret key used by this server The shared secret should have the same characteristics as a normal password RADIUS Server Port The port on which the RADIUS serve...

Page 95: ...cally runs an SNMP management station program on a local host to obtain information from an SNMP agent In this case the Netopia Gateway is an SNMP agent Your Gateway supports SNMP V1 with the exception of most sets read only and traps and SNMP V2 For certain parts of the NPAV2TRAP MIB parameters under resNat Params resDslParams resSecParams set is supported You enter SNMP configuration information...

Page 96: ...ned about security you may leave the public community blank The Notification Type pull down menu allows you to configure the type of SNMP notifica tions that will be generated v1 Trap This selection will generate notifications containing an SNMPv1 Trap Protocol Data Unit PDU v2 Trap This selection will generate notifications containing an SNMPv2 Trap PDU Inform This selection will generate notifica...

Page 97: ...ive forwarding device Netopia Routers use a protocol for forwarding multicasting Internet Group Management Protocol IGMP Netopia Routers can use either IGMP Version 1 or Version 2 IGMP Snooping is a feature of Ethernet layer 2 switches that listens in on the IGMP conversation between computers and multicast routers Through this process it builds a database of where the multicast routers reside by ...

Page 98: ...c from streaming media and other bandwidth inten sive IP multicast applications Robustness a way of indicating how sensitive to lost packets the network is IGMP can recover from robustness minus 1 lost IGMP packet The default value is 2 Query Interval the amount of time in seconds between IGMP General Query mes sages sent by the querier gateway The default query interval is 125 seconds Query Respo...

Page 99: ...Query Interval the amount of time in tenths of a second that the IGMP gateway waits to receive a response to a Group Specific Query message The last mem ber query interval is also the amount of time in seconds between successive Group Specific Query messages The default last member query interval is 1 second 10 deci seconds Last Member Query Count the number of Group Specific Query messages sent b...

Page 100: ...ay automatically in the My Network Places folder Double clicking this icon opens the Gate way s web UI PCs using UPnP can retrieve the Gateway s WAN IP address and automatically create NAT port maps This means that applications that support UPnP and are used with a UPnP enabled Netopia Gateway will not need application layer gateway support on the Netopia Gateway to work through NAT You can disabl...

Page 101: ... UPnP allows open access to configure the Gateway s features TR 064 requires a password to execute any command that changes the Gateway s configuration TR 064 is enabled by default To disable it Uncheck the Enabled checkbox and click the Submit button The Alert icon will appear in the upper right corner of the web page Click the Alert icon and when prompted click the Save and Restart link ...

Page 102: ...512 MAC Media Access Control addresses each of which uniquely identifies an individual host on a network Your Gateway uses this bridging table to identify which hosts are acces sible through which of its network interfaces The bridging table contains the MAC address of each packet it sees along with the interface over which it received the packet Over time the Gateway learns which hosts are availa...

Page 103: ... bar 3 Click on the LAN link The LAN page appears 4 In the box titled LAN IP Inter face Ethernet 100BT Make note of the Ethernet IP Address and subnet mask You can use this address to access the router in the future 5 Click on the Advanced link in the left hand links toolbar 6 Under the heading of Services click on the Ethernet Bridge link ...

Page 104: ...ting checkbox When this mode is enabled the Gateway will appear to be a router but also bridge traf fic from the LAN if it has a valid LAN side address 9 Check the Enable System Bridge checkbox The window shrinks b Click Submit At this point you should be ready to do the final save on the configuration changes you have made The yellow Alert symbol will appear beneath the Help button on the right h...

Page 105: ...d it will bridge all traffic across the WAN You will need to make configurations to your machines on your LAN These settings must be made in accordance with your ISP If you ever need to get back into the Netopia Gateway again for management reasons you will need to manually configure your machine to be in the same subnet as the Ethernet interface of the Netopia since DHCP server is not operational...

Page 106: ...LANs by configuring the Gateway software rather than hard ware This makes VLANs very flexible An important advantage of VLANs is that when a computer is physically moved to another location it can stay on the same VLAN without hardware reconfiguration VLANs behave like separate and independent networks When you click the VLAN link the VLANs page appears If no VLANs are configured the VLANs page di...

Page 107: ...ple of multiple VLANs is shown below To create a VLAN click the Add button The VLAN Entry page appears You can create up to 32 VLANs and you can also restrict any VLAN and the computers on it from administering the Gateway ...

Page 108: ... access to the Gateway from this VLAN check the checkbox Click the Submit button The VLAN Port Configuration screen appears Port interfaces available for this VLAN are listed in the left hand screen Displayed port interfaces vary depending on the kinds of physical ports on your Gate way for example Ethernet USB and or wireless Also if you have multiple wireless SSIDs defined these may be displayed ...

Page 109: ...hed click the Alert icon in the upper right hand corner of the screen and in the resulting screen click the Save link If you want to create more VLANs click the Advanced link in the left hand toolbar and then the VLAN link in the resulting page and repeat the process When you are finished click the Alert icon in the upper right hand corner of the screen and in the resulting screen click the Save a...

Page 110: ...110 You can Add Edit or Delete your VLAN entries by returning to the VLANs page and selecting the appropriate entry from the displayed list ...

Page 111: ...special characters The Log Message Level alters the severity at which messages are collected in the Gate way s system log Do not alter this field unless instructed by your Support representative Link Syslog Parameters You can configure a UNIX compatible syslog client to report a number of subsets of the events entered in the Gateway s WAN Event History Syslog sends log messages to a host that you ...

Page 112: ...this checkbox the Gateway will generate mes sages whenever a packet attempts to access the router or tries to pass through the router This option is disabled by default Log Accepted Packets If you check this checkbox the Gateway will generate mes sages whenever a packet accesses the router or passes through the router This option is disabled by default NOTE Syslog needs to be enabled to comply wit...

Page 113: ...ncor rect user name 5 administrative access denied invalid password This log message is generated whenever the user tries to access the router s management interface and authentication fails due to incor rect password 6 administrative access denied telnet access not allowed This log message is generated whenever the user tries to access the router s Telnet management interface from a Public interf...

Page 114: ...sage is generated whenever a packet is allowed to traverse router interfaces or allowed to access the router itself 2 attempt This log message is generated whenever a packet attempts to traverse router interfaces or attempts to access the router itself 3 dropped violation of security policy This log message is generated whenever a packet traversing the router or destined to the router itself is dr...

Page 115: ... is generated whenever a packet traversing the router or destined to the router itself is dropped because the packet is TCP UDP packet and source IP Address and source port equals the destination IP Address and destination port 11 TCP SYN flood detected This log message is generated whenever a SYN packet destined to the router s management interface is dropped because the number of SYN sent and SYN...

Page 116: ... 8080 Telnet Server Port To reassign the port number used to access your Netopia embedded Telnet server change this value to a value greater than 1024 When you next access the Netopia embedded Telnet server append the IP address with port number e g telnet 210 219 41 20 2323 You can also use the LAN side address of the Gateway 192 168 1 x 8100 to access the web server and 192 168 1 x 2323 to acces...

Page 117: ...ck the Add button to select the soft ware that will be hosted To remove a game or software from the hosted list highlight the game or software you want to remove and click the Remove button List of Supported Games and Software Age of Empires v 1 0 Age of Empires The Rise of Rome v 1 0 Age of Wonders Asheron s Call Baldur s Gate Battlefield Communicator ...

Page 118: ...or Windows v 1 0 Heretic II Hexen II Hotline Server HTTP HTTPS ICQ 2001b ICQ Old IMAP Client IMAP Client v 3 Internet Phone IPSec IPSec IKE Jedi Knight II Jedi Outcast Kali KazaA LimeWire Links LS 2000 Mech Warrior 3 Mech Warrior 4 Vengeance Medal of Honor Allied Assault Microsoft Flight Simulator 98 Microsoft Flight Simulator 2000 Microsoft Golf 1998 Edition v 1 0 Microsoft Golf 1999 Edition Micr...

Page 119: ...save the new name PPTP Quake II Quake III Rainbow Six RealAudio Return to Castle Wolfenstein Roger Wilco Rogue Spear ShoutCast Server SMTP SNMP SSH server StarCraft Starfleet Command StarLancer v 1 0 Telnet TFTP Tiberian Sun Command and Conquer Timbuktu Total Annihilation Ultima Online Unreal Tournament Server Urban Assault v 1 0 VNC Virtual Network Comput ing Westwood Online Command and Conquer W...

Page 120: ...the factory configuration of the Gateway choose Clear Options You may want to upload your configuration to a file before performing this function You can do this using the upload command via the command line interface See the upload command on page 235 Clear Options does not clear feature keys or affect the software image You must restart the Gateway for Clear Options to take effect ...

Page 121: ...ne link the Time Zone page appears You can set your local time zone by selecting the number of hours your time zone is distant from Greenwich Mean Time GMT 12 12 from the pull down menu This allows you to set the time zone for access controls and in general ...

Page 122: ...122 Security Button Security The Security features are available by clicking on the Security toolbar button Some items of this category do not appear when you log on as User ...

Page 123: ...sswords You can establish different levels of access security to protect your Netopia Gateway settings from unauthorized display or modifica tion Admin level privileges let you display and modify all settings in the Netopia Gateway Read Write mode The Admin level password is created when you first access your Gateway User level privileges let you display but not change settings of the Netopia Gate...

Page 124: ...ously enter your current password in the Old Password field 3 Enter your new password in the New Password field Netopia s rules for a Password are It can have up to eight alphanumeric characters It is case sensitive 4 Enter your new password again in the Confirm Password field You confirm the new password to verify that you entered it correctly the first time 5 When you are finished click the Submit bu...

Page 125: ...ng Using this level of firewall protection allows transmission of outbound traffic on pre con figured TCP UDP ports It disables any attempt for inbound traffic to identify the Gate way This is the Internet equivalent of having an unlisted number LANdLocked The third option available turns off all inbound and outbound traffic isolating the LAN and disabling all WAN traffic NOTE BreakWater Basic Fir...

Page 126: ...the radio button to select the protection level you want Click Submit Changing the BreakWater setting does not require a restart to take effect This makes it easy to change the setting on the fly as your needs change ...

Page 127: ... their network from these types of attacks BreakWater offers three levels of increasing protection The following tables indicate the state of ports associated with session types both on the WAN side and the LAN side of the Gateway Application Select this Level Other Considerations Typical Internet usage browsing e mail SilentRunning Multi player online gaming ClearSailing Set Pinholes once defined...

Page 128: ...bled Disabled 80 http Netopia server Enabled Disabled Disabled 67 DHCP client Enabled Enabled Disabled 68 DHCP server Not Applicable Not Applicable Not Applicable 161 snmp Enabled Disabled Disabled ping ICMP Enabled Disabled Disabled Gateway LAN Side BreakWater Setting ClearSailing SilentRunning LANdLocked Port Session Type Port State 20 ftp data Enabled Enabled Disabled 21 ftp control Enabled Ena...

Page 129: ...e Gateway s WAN DHCP client port in SilentRunning mode is enabled This feature allows end users to continue using DHCP served IP addresses from their Service Providers while having no identifiable presence on the Internet ...

Page 130: ...irtual Private Network VPN clients running on LAN connected computers Normally this feature is enabled You can disable it if your LAN side VPN client includes its own NAT interoperability option Uncheck the Enable IPSec Passthrough checkbox SafeHarbour VPN IPSec is a keyed feature that you must purchase See Install Keys on page 184 It enables Gateway terminated VPN support ...

Page 131: ...ilable for all LAN connected users This imple mentation offers the following Eliminates the need for VPN client software on individual PCs Reduces the complexity of tunnel configuration Simplifies the ongoing maintenance for secure remote access If you have purchased the SafeHarbour IPSec feature key the IPSec configuration screen offers additional options ...

Page 132: ... your tunnel Not all of them need to be changed from the defaults for every VPN tunnel Consult with your network administrator 2 Complete the Parameter Setup worksheet IPSec Tunnel Details Parame ter Setup Worksheet on page 133 The worksheet provides spaces for you to enter your own specific values You can print the page for easy reference IPSec tunnel configuration requires precise parameter setu...

Page 133: ...tname ASCII Local ID Address Value Local ID Mask Remote ID Type IP Address Subnet Hostname ASCII Remote ID Address Value Remote ID Mask Pre Shared Key Type HEX ASCII Pre Shared Key DH Group 1 2 5 PFS Enable Off On SA Encrypt Type DES 3DES SA Hash Type MD5 SHA1 Invalid SPI Recovery Off On Soft MBytes 1 1000000 Soft Seconds 60 1000000 Hard MBytes 1 1000000 Hard Seconds 60 1000000 IPSec MTU 100 1500 ...

Page 134: ... SafeHarbour IPSec Tunnel Entry parameters Enter the initial group of tunnel parameters Refer to your Setup Worksheet and the Parameter Descriptions on page 136 as required 5 Enter the tunnel Name This is the only parameter that does not have to match the peer remote VPN device 6 Enter the Peer External IP Address 7 Select the Encryption Protocol from the pull down menu 8 Select the Authentication...

Page 135: ... or select the required set tings Refer to your IPSec Tunnel Details Parameter Setup Work sheet on page 133 11 Click Update The Alert button appears 12 Click the Alert button 13 Click Save and Restart Your SafeHarbour IPSec VPN tun nel is fully configured ...

Page 136: ...uthentication Protocol for IP packet header The three parameter values are None Encapsulating Security Payload ESP and Authentication Header AH Key Management The Key Management algorithm manages the exchange of security keys in the IPSec protocol architecture SafeHarbour supports the standard Inter net Key Exchange IKE Table 3 IPSec Tunnel Details page parameters Field Description Name The Name p...

Page 137: ... option appears Selection options are IP Address Subnet Hostname ASCII Remote ID Address Value If Aggressive mode is selected as the Negotiation Method this field appears This is the remote central office side IP address or Name Value if Subnet or Hostname are selected as the Local ID Type Remote ID Mask If Aggressive mode is selected as the Negotiation Method and Subnet as the Remote ID Type this...

Page 138: ... Security Associations SAs at the configured Hard MByte value The value can be configured between 1 and 1 000 000 MB and refers to data traffic passed This parameter does not need to match the peer gate way Hard Seconds Setting the Hard Seconds parameter forces the renegotiation of the IPSec Security Associations SAs at the configured Hard Seconds value The value can be configured between 60 and 1...

Page 139: ...access to the user s central office IKE establishes the tunnel and Xauth authenticates the specific remote user s Gateway Since NAT is sup ported over the tunnel the remote user network can have multiple PCs behind the client Gateway accessing the VPN By using XAuth network VPN managers can centrally control remote user authentication Xauth Username Password Xauth authentication credentials Table ...

Page 140: ... activity periods that will also apply to NAT time outs if stateful inspection is enabled on the interface Stateful Inspection param eters are active on a WAN interface only if enabled on your Gateway Stateful inspection can be enabled on a WAN interface whether NAT is enabled or not Stateful Inspection Firewall installation procedure NOTE Installing Stateful Inspection Firewall is mandatory to co...

Page 141: ...ere is no traffic on the session Exposed Addresses The hosts specified in Exposed Addresses will be allowed to receive inbound traffic even if there is no corresponding outbound traffic This is active only if NAT is disabled on a WAN interface Stateful Inspection Options Enable and configure stateful inspection on a WAN inter face Exposed Addresses You can specify the IP addresses you want to expo...

Page 142: ... Address of the exposed host range Protocol Select the Protocol of the traffic to be allowed to the host range from the pull down menu Options are Any TCP UDP or TCP UDP Start Port Start port of the range to be allowed to the host range The acceptable range is from 1 65535 End Port Protocol of the traffic to be allowed to the host range The acceptable range is from 1 65535 You can add more exposed...

Page 143: ...utton or delete the entry entirely by clicking the Delete button All configuration changes will trigger the Alert Icon Click on the Alert icon This allows you to validate the configuration and reboot the Gateway Click the Save and Restart link You will be asked to confirm your choice and the Gate way will reboot with the new configuration ...

Page 144: ... ICMP Echo requests NOTE If Stateful Inspection is enabled on a WAN interface Default Mapping to Router must be enabled to allow inbound VPN terminations to the router TCP Sequence Number Difference Enter a value in this field This value represents the maximum sequence number difference allowed between subsequent TCP packets If this number is exceeded the packet is dropped The acceptable range is ...

Page 145: ...tocol Description LAN Private Interface WAN Public Interface 23 TCP telnet Yes No 53 UDP DNS Yes No 67 UDP Bootps Yes No 68 UDP Bootpc Yes No 80 TCP HTTP Yes No 137 UDP Netbios ns Yes No 138 UDP Netbios dgm Yes No 161 UDP SNMP Yes No 500 UDP ISAKMP Yes No 520 UDP Router Yes No ...

Page 146: ...f components that restrict access between a protected net work and the Internet or between two networks Host A workstation on the network Packet Unit of communication on the Internet Packet filter Packet filters allow or deny packets based on source or destination IP addresses TCP or UDP ports Port A number that defines a particular type of service Basic IP packet components All IP packets contain ...

Page 147: ...col TCP provides reliable packet delivery and has a retransmission mechanism so packets are not lost RFC 793 is the specification for TCP UDP User Datagram Protocol Unlike TCP UDP does not guarantee reliable sequenced packet delivery If data does not reach its destination UDP does not retransmit the data RFC 768 is the specification for UDP There are many more ports defined in the Assigned Address...

Page 148: ... would have to figure out everything that you want to disallow now and in the future Firewall Logic Firewall design is a test of logic and filter rule ordering is critical If a packet is forwarded through a series of filter rules and then the packet matches a rule the appropriate action is taken The packet will not forward through the remainder of the filter rules For example if you had the follow...

Page 149: ... rule WWW match the second rule FTP and the packet is allowed through Even though the next rule is to deny all FTP traffic the FTP packet will never make it to this rule Implied rules With a given set of filter rules there is an Implied rule that may or may not be shown to the user The implied rule tells the filter set what to do with a packet that does not match any of the filter rules An example...

Page 150: ...150 Example filter set page This is an example of the Netopia filter set page ...

Page 151: ...and destination TCP or UDP ports These options are as follows Example network Item What it means No Compare Does not compare TCP or UDP port Not Equal To Matches any port other than what is defined Less Than Anything less than the port defined Less Than or Equal Any port less than or equal to the port defined Equal Matches only the port defined Greater Than or Equal Matches the port or any port gr...

Page 152: ...rk address in the Source IP Address field in Netopia Firmware Version 7 6 This rule will forward this packet because the packet does not match Example 3 Incoming packet has the source address of 200 1 1 184 This rule does not match and this packet will be forwarded Filter Rule 200 1 1 0 Source IP Network Address 255 255 255 128 Source IP Mask Forward No What happens on match Filter Rule 200 1 1 0 ...

Page 153: ...acket has the source address of 200 1 1 96 This rule does match and this packet will not be forwarded This rule masks off a single IP address Filter Rule 200 1 1 96 Source IP Network Address 255 255 255 240 Source IP Mask Forward No What happens on match Filter Rule 200 1 1 96 Source IP Network Address 255 255 255 255 Source IP Mask Forward No What happens on match ...

Page 154: ...t Never attempt to configure filters unless you are local to the Gate way Although using filter sets can enhance network security there are disadvan tages Filters are complex Combining them in filter sets introduces subtle interac tions increasing the likelihood of implementation errors Enabling a large number of filters can have a negative impact on perfor mance Processing of packets will take lo...

Page 155: ...m your network to the Internet A filter set is a group of filters that work together to check incoming or outgoing data A fil ter set can consist of a combination of input and output filters How filter sets work A filter set acts like a team of customs inspectors Each filter is an inspector through which incoming and outgoing packages must pass The inspectors work as a team but each inspects every ...

Page 156: ...pector and never seen by the others A package from London is ignored by the first two inspectors so it s seen by the third inspector In the same way filter sets apply their filters in a particular order The first filter applied can forward or discard a packet before that packet ever reaches any of the other filters If the first filter can neither forward nor discard the packet because it cannot ma...

Page 157: ... this particular fil ter look at the parts of a filter Parts of a filter A filter consists of criteria based on packet attributes A typical fil ter can match a packet on any one of the following attributes The source IP address and subnet mask where the packet was sent from The destination IP address and subnet mask where the packet is going The TOS bit setting of the packet Certain types of IP pac...

Page 158: ... World Wide Web The following tables show a few common ser vices and their associated port numbers Port number comparisons A filter can also use a comparison option to evaluate a packet s source or destination port number The comparison options are No Compare No comparison of the port number specified in the filter with the packet s port number Not Equal To For the filter to match the packet s por...

Page 159: ...port number specified in the filter Greater Than or Equal For the filter to match the packet s port number must be greater than or equal to the port number specified in the filter Other filter attributes There are three other attributes to each filter The filter s order i e priority in the filter set Whether the filter is currently active Whether the filter is set to forward packets or to block dis...

Page 160: ...ee page 157 look at how a rule is translated into a filter Start with the rule then fill in the filter s attributes The rule you want to implement as a filter is Block all Telnet attempts that originate from the remote host 199 211 211 17 The host 199 211 211 17 is the source of the Telnet packets you want to block while the destination address is any IP address How these IP addresses are masked d...

Page 161: ... 0 Using the tables on page 158 find the destination port and protocol numbers the local Telnet port Protocol TCP or 6 Destination Port 23 The filter should be enabled and instructed to block the Telnet packets containing the source address shown in step 2 Forward unchecked This four step process is how we produced the following filter from the original rule ...

Page 162: ...233 14 0 The 0 at the end of the address signifies any host on the class C IP net work 200 233 14 0 If for example the filter is applied to a packet with the source IP address 200 233 14 5 it will block it In this case the mask must be set to 255 255 255 0 This way all packets with a source address of 200 233 14 x will be matched correctly no matter what the final address byte is Note The protocol...

Page 163: ...ters If every filter in a set fails to match on a par ticular packet the packet is Forwarded if all the filters are configured to discard not forward Discarded if all the filters are configured to forward Discarded if the set contains a combination of forward and discard filters An approach to using filters The ultimate goal of network security is to prevent unauthorized access to the network with ...

Page 164: ...te the filters for the new filter set See Adding filters to a filter set on page 165 3 Associate the filter set with either the LAN or WAN interface See Associating a Filter Set with an Interface on page 171 The sections below explain how to execute these steps Adding a filter set You can create up to eight different custom filter sets Each filter set can contain up to 16 output filters and up to 16 i...

Page 165: ...your first entry the Alert icon will appear in the upper right corner of the web page It will remain until all of your changes are entered and validated You need not imme diately restart the Gateway until your filter set is complete See Associating a Filter Set with an Interface on page 171 Adding filters to a filter set There are two kinds of filters you can add to a filter set input and output Inp...

Page 166: ...t filter your local network is the destination of the packets it checks and the remote network is their source From the perspective of an output filter your local network is the source of the packets and the remote network is their destination To add a filter select the Filter Set Name to which you will add a filter and click the Edit button Type of filter Source means Destination means Input filt...

Page 167: ...ut filters and one for out put filters In this section you ll learn how to add an input filter to a filter set Adding an output filter works exactly the same way providing you keep the dif ferent source and destination perspectives in mind 1 To add a filter click the Add button under Input Rules The Input Rule Entry page appears ...

Page 168: ...ch on all source IP addresses or enter 255 255 255 255 to match the source IP address exclusively 5 Enter the Destination IP Address this filter will match on You can enter a subnet or a host address 6 Enter the Destination Mask for the destination IP address This allows you to further modify the way the filter will match on the destination address Enter 0 0 0 0 to force the filter to match on all ...

Page 169: ... to match on see the table on page 158 10 From the Destination Port Compare pull down menu choose a compari son method for the filter to use on a packet s destination port number Then select Destination Port and enter the actual destination port number to match on see the table on page 158 11 When you are finished configuring the filter click the Submit button to save the filter in the filter set Viewin...

Page 170: ... the Delete button Moving filters To reorganize the filters in a filter set select a filter from the table and click the Move Up or Move Down button to place the filter in the desired priority position Deleting a filter set If you delete a filter set all of the filters it contains are deleted as well To reuse any of these filters in another set before deleting the current filter set you ll have to n...

Page 171: ...th either the WAN usu ally the Internet interface or the LAN To associate an filter set with the LAN return to the Filter Sets page Click the Ethernet 100BT link The Ethernet 100BT page appears From the pull down menu select the filter set to associ ate with this interface Click the Submit button The Alert icon will appear in the upper right corner of the page Click the Alert icon to go to the val...

Page 172: ...172 You can repeat this process for both the WAN and LAN interfaces to associate your filter sets When you return to the Filter Sets page it will display your interface associations ...

Page 173: ... Force Routing options Check the Force Route checkbox Enter the Gateway IP address in standard dotted quad notation to which the traffic should be forwarded You can enter Source and Destination IP Address es and Mask s Protocol Type and Source and Destination Port ID s for the filter if desired TOS field matching Netopia Firmware Version 7 6 includes two parameters for an IP filter TOS and TOS Mask...

Page 174: ...s a ping but with the Idle Reset checkbox unchecked Example You want packets with the TOS low latency bit to go through VC 2 via gateway 127 0 0 3 the Netopia Gateway will use 127 0 0 x where x is the WAN port 1 instead of your normal gateway You would set up the filter as shown here NOTE Default Forwarding Filter If you create one or more filters that have a matching action of forward then action...

Page 175: ...lter is required to match and forward all other packets Management IP traffic If the Force Routing filter is applied to source IP addresses it may inadvert ently block communication with the router itself You can avoid this by preced ing the Force Routing filter with a filter that matches the destination IP address of the Gateway itself ...

Page 176: ...Using the Security Monitoring Log You can view the Security Log at any time Use the following steps 1 Click the Security toolbar button 2 Click the Security Log link 3 Click the Show link from the Security Log tool bar 4 An example of the Security Log is shown on the next page 5 When a new security event is detected you will see the Alert button The Security Alert remains until you view the inform...

Page 177: ...licy based Routing using Filtersets The capacity of the security log is 100 security alert messages When the log reaches capacity subsequent messages are not captured but they are noted in the log entry count ...

Page 178: ...nology NIST Uni versal Coordinated Time UTC reference signal and then adjusts it for your local time zone Once per hour the Gateway attempts to re acquire the NIST reference for re synchroniza tion or initial acquisition of the UTC information Once acquired all subsequent log entries display this date and time information UTC provides the equivalent of Greenwich Mean Time GMT information If the WA...

Page 179: ... Keys as updates become available On selected models you can install a Secure Sockets Layer SSL V3 0 certificate from a trusted Certification Authority CA for authentication purposes If this feature is available on your Gateway the Install Certificate link will appear in the Install page as shown Otherwise it will not appear ...

Page 180: ...his proced sure This page allows you to install an updated release of the Netopia Firmware Updating Your Gateway s Netopia Firmware Version You install a new oper ating system image in your unit from the Install Operating System Software page For this process the computer you are using to connect to the Netopia Gateway must be on the same local area network as the Netopia Gateway ...

Page 181: ... the Netopia website be sure to download the latest User Guide PDF files These are also posted on the Netopia website in the Docu mentation Center Confirm Netopia Firmware Image Files The Netopia firmware Image file is specific to the model and the product identification num ber 1 Confirm that you have received the appropriate Netopia Firmware Image file 2 Save the Netopia Firmware image file to a con...

Page 182: ...the Browse button select the file you want and click Open or b Enter the name and path of the software image you want to install in the text field 4 Click the Install Software button The Netopia Gateway copies the image file from your computer and installs it into its memory storage You see a progress bar appear on your screen as the image is copied and installed When the image has been installed ...

Page 183: ...with its new image Verify the Netopia Firmware Release To verify that the Netopia firmware image has loaded successfully use the following steps 1 Open a web connection to your Netopia Gateway from the computer on your LAN and return to the Home page 2 Verify your Netopia firmware release as shown on the Home Page This completes the upgrade process ...

Page 184: ...ware feature key properties are specific to a unit s serial number they will not be accepted on a platform with another serial number Once installed and the Gateway restarted the new feature s functionality becomes avail able This allows full access to configuration operation maintenance and administration of the new enhancement Obtaining Software Feature Keys Contact Netopia or your Service Provi...

Page 185: ...185 Install 4 Click the Install Key button 5 Click the Restart toolbar button The Confirmation screen appears ...

Page 186: ...186 6 Click the Restart the Gateway link to confirm To check your installed features 7 Click the Install toolbar button 8 Click the list of features link ...

Page 187: ...187 Install The System Status page appears with the information from the features link displayed below You can check that the feature you just installed is enabled ...

Page 188: ...dshake between a server and your Gateway occurs the client verifies that the server certificate was issued by a trusted CA If the CA is not trusted a warning will appear Certificates installed in your Gateway and servers to which it connects verify to each other that commu nications between them are encrypted and private Certificates are purchased from an issuing Certificate Authority usually by y...

Page 189: ...nstall The Install Certificate page appears 2 Browse to the location where you have saved your certificate and select the file or type the full path 3 Click the Install Certificate button 4 Restart your Gateway ...

Page 190: ...190 ...

Page 191: ...mple suggestions for troubleshooting problems with your Gate way s initial configuration Before troubleshooting make sure you have read the Quickstart Guide plugged in all the necessary cables and set your PC s TCP IP controls to obtain an IP address automatically ...

Page 192: ...alfunctions Ethernet Solid green when connected Flash green when there is activity on the LAN USB Model 2241N only Solid green when connected Flash green when there is activity on the LAN DSL Solid green when Internet connection is established Internet Solid green when Broadband device is connected Flashes green for activity on the WAN port If the physical link comes up but PPP or DHCP fail the LE...

Page 193: ... when connected Flash green when there is activity on the LAN DSL Solid green when Internet connection is established Internet Solid green when Broadband device is connected Flashes green for activity on the WAN port If the physical link comes up but PPP or DHCP fail the LED turns red O P W R E 1 2 3 4 ETHER NET S D L N I E T N R T E Power Ethernet 1 2 3 4 DSL Internet ...

Page 194: ... LAN Wireless Flashes green when there is activity on the wireless LAN DSL Solid green when Internet connection is established Internet Solid green when Broadband device is connected Flashes green for activity on the WAN port If the physical link comes up but PPP or DHCP fail the LED turns red O P W R E 1 2 3 4 ETHER NET W R I L E S E S S D L N I E T N R T E Power Ethernet 1 2 3 4 DSL Wireless Int...

Page 195: ...o w e r Power PPPoE Active DSL Traffic Solid green when the power is on Solid green when PPPoE is negotiated Blinks green when traffic is sent received DSL Sync Blinking green with no line attached or training Ethernet Traffic Flashes green when there is activity on the LAN Ethernet Link Solid green when connected otherwise not lit solid green when trained with the DSL line over the WAN ...

Page 196: ...Power USB Active DSL Traffic Solid green when the power is on Solid green when USB is connected Blinks green when traffic is sent received DSL Sync Blinking green with no line attached or training Ethernet Traffic Flashes green when there is activity on the LAN Ethernet Link Solid green when connected otherwise not lit solid green when trained with the DSL line over the WAN ...

Page 197: ... reboot When the 3342 3352 successfully boots up both LEDs flash green once Both LEDs are off when the Host OS suspends the device e g Windows standby reboot device disabled driver uninstalled etc U S B D S L USB Solid green when USB is connected DSL Blinking green with no line attached or training otherwise not lit solid green when trained with the DSL line ...

Page 198: ...N 4 D S L S Y N C P o w e r Power DSL Sync Solid green when trained with the DSL line Blinks green when traffic is sent or received LAN 1 2 3 4 over the Ethernet Solid green when the power is on Blinks green with no line attached or training Solid green when Ethernet link is established ...

Page 199: ... when power is applied Flashes green when training Solid green when connected Solid green when trained to each port on the LAN LAN 1 2 3 4 DSL SYNC Flash green when there is activity on each port Flashes green for DSL traffic Wireless Link Flashes green when there is activity on the wireless LAN ...

Page 200: ...Power Ethernet 1 2 3 4 Flash green when there is activity on the LAN Front View Solid green when connected Green when power is on Wireless Flashes green when there is activity on the wireless LAN Flashes green when training Solid green when trained DSL ...

Page 201: ...Broadband device is connected Activity on the WAN port Physical link estab lished but PPP or DHCP fails LED State Possible problems Power Unlit 1 Make sure the power switch is in the ON position 2 Make sure the power adapter is plugged into the 2200 and 3300 series DSL Gateway properly 3 Try a known good wall outlet 4 Replace the power supply and or unit DSL Sync Unlit 1 Make sure the you are usin...

Page 202: ...Internet over a LAN 5 Disable any installed network devices Ethernet HomePNA wireless that are not being used to connect to the 2200 and 3300 series DSL Gateway USB Active Unlit Note USB Active light is inactive if only using Ethernet 1 Make sure you have USB drivers installed on the PC 2 Make sure the PC s TCP IP Properties for the USB Network Control Panel is set to obtain an IP address via DHCP...

Page 203: ... This section shows how to reset the Netopia Gateway so that you can access the configuration screens once again NOTE Keep in mind that all of your settings will need to be reconfigured If you don t have a password the only way to access the Netopia Gateway is the following 1 Referring to the following diagram find the round Reset Switch opening ...

Page 204: ...gurations and reboot Power Off On LAN DSL 4 1 2 3 Factory Reset Switch 3347W 3357W 1 Power 4 USB 3 Ethernet 2 DSL On Off Factory Reset Switch 3341 3351 Power Off On LAN DSL 4 1 2 3 3346 3356 Factory Reset Switch 2247NWG 2240N 2241N 2246N Factory Reset Switch Push to clear all settings Push to clear all settings Push to clear all settings Push to clear all settings Factory Reset Switch Push to clea...

Page 205: ...ting can be accessed from the Gateway s Web UI Point your browser to http 192 168 1 254 The main page displays the device status If this does not make the Web UI appear then do a release and renew in Windows networking to see what the Gateway address really is ...

Page 206: ...way Address DNS 1 and DNS 2 If you are not able to connect to the Internet verify the following Item Description Local WAN IP Address This is the negotiated address of the Gateway s WAN interface This address is usually dynamically assigned Remote Gateway Address This is the negotiated address of the remote router to which this Gate way is connected ...

Page 207: ... assigned address go to Expert Mode and ver ify the PPPoE address has not been manually assigned Device Gateway This is the negotiated address of the remote router Make sure this is a valid address If this is not the correct address go to Expert Mode and verify the address has not been manually assigned Primary DNS Secondary DNS These are the negotiated DNS addresses Make sure they are valid DNS a...

Page 208: ... System Status Displays an overall view of the system and its condition Network Tools Includes NSLookup Ping and TraceRoute Diagnostics Runs a multi layer diagnostic test that checks the LAN WAN PPPoE and other connection issues Date Time If this is blank you likely lack a network connection or your NTP server information is incorrect If all of the above seem correct then access Expert Mode by cli...

Page 209: ...209 Link System Status In the system status screen there are several utilities that are useful for troubleshooting Some examples are given in the following pages ...

Page 210: ...RC Errors 0 Rx Frame Errors 0 Upper Layers Rx No Handler 0 Rx No Message 0 Rx Octets 975576 Rx Unicast Pkts 4156 Rx Multicast Pkts 203 Tx Discards 0 Tx Octets 2117992 Tx Unicast Pkts 3789 Tx Multicast Pkts 4073 Ethernet driver statistics USB Port Status Link down General Transmit OK 0 Receive OK 0 Tx Errors 0 Rx Errors 0 Tx Octets 0 Rx Octets 0 Ethernet driver statistics 10 100 Ethernet Type 100BA...

Page 211: ... configuration If it is not check the DSL cable and make sure it is plugged in correctly and not connected to a micro filter Below is an example ADSL Line State Up ADSL Startup Attempts 5 ADSL Modulation DMT Datapump Version 3 22 Downstream Upstream SNR Margin 18 6 14 0 dB Line Attenuation 0 4 4 0 dB Errored Seconds 14 3 Loss of Signal 4 4 Loss of Frame 0 0 CRC Errors 0 0 Data Rate 8000 800 ...

Page 212: ...es Ethernet 100BT up broadcast default rip send v1 rip receive v1 inet 192 168 1 1 netmask 255 255 255 0 broadcast 192 168 1 255 physical address 00 00 00 00 00 00 mtu 1500 PPP over Ethernet vcc1 up address mapping broadcast default admin disabled rip send v1 rip receive v1 inet 0 0 0 0 netmask 0 0 0 0 broadcast 0 0 0 0 physical address 00 00 00 00 00 00 mtu 1500 ...

Page 213: ...correct PVC is listed which should be 0 35 some providers use other values such as 8 35 Check with your provider If not go to the WAN setup and change the VPI VCI to its correct value Below is an example ATM port status Up Rx data rate bps 8000 Tx data rate bps 800 ATM Virtual Circuits VCC Type VPI VCI Encapsulation 1 PVC 8 35 PPP over Ethernet LLC SNAP encapsulation ATM Circuit Statistics Rx Fram...

Page 214: ...teway over PPP over Ethernet vcc1 00 00 00 00 L3 IP Initialization complete 00 00 00 00 L3 IPSec initializing service 00 00 00 00 L3 IPSec No feature key available service disabled 00 00 00 00 L3 PPP PPP over Ethernet vcc1 binding to PPPoE 00 00 00 00 L3 PPP PPP over Ethernet vcc1 Port listening for incoming PPP connection requests 00 00 00 24 L4 RFC1483 1 up 00 00 00 25 L3 Service Name ANY 00 00 ...

Page 215: ...quipment your Gateway connects to may not support this test Checking LAN Interfaces Check Ethernet LAN connect PASS Check IP connect to Ethernet LAN PASS Pinging Gateway PASS Check MAC Bridge connect to Ethernet LAN PASS Checking DSL WAN Interfaces Check DSL Synchronization PASS Check ATM Cell Delineation PASS ATM OAM Segment Ping through vcc1 WARNING Don t worry your service provider may not supp...

Page 216: ...owing the number of hops and the router addresses of these hops 1 To use the NSLookup capability type an address domain name or IP address in the text box and click the NSLookup button Example Show the IP Address for grosso com Result The DNS Server doing the lookup is displayed in the Server and Address fields If the Name Server can find your entry in its table it is displayed in the Name and Add...

Page 217: ...ectivity A PING could be either an IP address 163 176 4 32 or Domain Name www netopia com 2 To use the Ping capability type a destination address domain name or IP address in the text box and click the Ping button Example Ping to grosso com Result The host was reachable with four out of five packets sent ...

Page 218: ...ub net mask is incorrect site is down Ping an internet site by name DNS is not properly configured on the Gateway config ured DNS servers are down site is down From a LAN PC Ping the Gateway s LAN IP address IP address and subnet mask of PC are not on the same scheme as the Gateway cabling or other connectivity issue Ping the Gateway s WAN IP address Default gateway on PC is incorrect Ping the Gat...

Page 219: ...219 Example Show the path to the grosso com site Result It took 20 hops to get to the grosso com web site ...

Page 220: ...220 ...

Page 221: ...se the command line interface to enter and update the unit s configuration settings monitor its performance and restart it This chapter covers the following topics Overview on page 222 Starting and Ending a CLI Session on page 224 Using the CLI Help Facility on page 225 About SHELL Commands on page 225 SHELL Commands on page 226 About CONFIG Commands on page 237 CONFIG Commands on page 242 ...

Page 222: ... download to download config file exit to quit this shell help to get more help all or help help install to download and program an image into flash license to enter an upgrade key to add a feature log to add a message to the diagnostic log loglevel to report or change diagnostic log level netstat to show IP information nslookup to send DNS query for host ping to send ICMP Echo request quit to quit t...

Page 223: ...ions dns Domain Name System options dslf cpewan TR 069 CPE WAN management dslf lanmgnt TR 064 LAN management dynamic dns Dynamic DNS options ethernet Ethernet options igmp IGMP configuration options ip TCP IP protocol options ip maps IPmaps options nat default Network Address Translation default options pinhole Pinhole options ppp Peer to Peer Protocol options pppoe PPP over Ethernet options prefer...

Page 224: ...ine interface log in process emulates the log in process for a UNIX host To logon enter the username either admin or user and your password Entering the administrator password lets you display and update all Netopia Gateway settings Entering a user password lets you display but not update Netopia Gateway settings When you have logged in successfully the command line interface lists the username an...

Page 225: ...ut SHELL Commands You begin in SHELL mode when you start a CLI session SHELL mode lets you perform the following tasks with your Netopia Gateway Monitor its performance Display and reset Gateway statistics Issue administrative commands to restart Netopia Gateway functions SHELL Prompt When you are in SHELL mode the CLI prompt is the name of the Netopia Gateway followed by a right angle bracket For...

Page 226: ...n nnn Sends an Address Resolution Protocol ARP request to match the nnn nnn nnn nnn IP address to an Ethernet hardware address clear yes Clears the configuration settings in a Netopia Gateway If you do not use the optional yes qualifier you are prompted to confirm the clear command clear_certificate Removes an SSL certificate that has been installed clear_log Erases the log information stored in fl...

Page 227: ...network You can include one or more of the following arguments with the download command If you omit arguments the console prompts you for this information The server_address argument identifies the IP address of the TFTP server from which you want to copy the Netopia Gateway configuration file The filename argument identifies the path and name of the configuration file on the TFTP server If you i...

Page 228: ... operation license key This command installs a software upgrade key An upgrade key is a purchased item based on the serial number of the gateway log message_string Adds the message in the message_string argument to the Netopia Gateway diagnostic log loglevel level Displays or modifies the types of log messages you want the Netopia Gateway to record If you enter the loglevel command without the opt...

Page 229: ...nslookup hostname ip_address Performs a domain name system lookup for a specified host The hostname argument is the name of the host for which you want DNS information for example nslookup klaatu The ip_address argument is the IP address in dotted decimal notation of the device for which you want DNS information ping s size c count hostname ip_address Causes the Netopia Gateway to issue a series o...

Page 230: ...Netopia Gateway command line interface reset arp Clears the Address Resolution Protocol ARP cache on your unit reset atm Resets the Asynchronous Transfer Mode ATM statistics reset crash Clears crash dump information which identifies the contents of the Netopia Gateway regis ters at the point of system malfunction reset dhcp server Clears the DHCP lease table in the Netopia Gateway reset diffserv R...

Page 231: ...unction is only available if the number of WAN Users is restricted and NAT is on Use the all parameter to disconnect all users If you logon as Admin you can disconnect any or all users If you logon as User you can only disconnect yourself restart seconds Restarts your Netopia Gateway If you include the optional seconds argument your Neto pia Gateway will restart when the specified number of second...

Page 232: ...n RAM by your Netopia Gateway show diffserv Displays the Differentiated Services and QoS values configured in the Netopia Gateway show enet Displays Ethernet interfaces maintained by the Netopia Gateway show features Displays standard and keyed features installed in the Netopia Gateway show group mgmt Displays the IGMP Snooping Table See IGMP Internet Group Management Protocol on page 97 for detai...

Page 233: ...cs show ip firewall Displays firewall statistics show ip lan discovery Displays the LAN Host Discovery Table of hosts on the wired or wireless LAN and whether or not they are currently online show ip routes Displays the IP routes stored in your Netopia Gateway show ip state insp Displays whether stateful inspection is enabled on an interface or not exposed addresses and blocked packet statistics be...

Page 234: ...e names and host ID values show security log Displays blocks of information from the Netopia Gateway security log show status Displays the current status of a Netopia Gateway the device s hardware and software revi sion levels a summary of errors encountered and the length of time the Netopia Gateway has been running since it was last restarted Identical to the status command show summary Displays...

Page 235: ...ion upload server_address filename confirm Copies the current configuration settings of the Netopia Gateway to a TFTP Trivial File Transfer Protocol server The TFTP server must be accessible on your Ethernet network The server_address argument identifies the IP address of the TFTP server on which you want to store the Netopia Gateway settings The filename argument identifies the path and name of the...

Page 236: ... map to the VCC in use Enter the reset dhcp client release command without the variable to see the letter assigned to each virtual circuit reset dhcp client renew vcc id Releases the DHCP lease the Netopia Gateway is currently using to acquire the IP settings for the specified DSL port The vcc id identifier is an index letter in the range B I and does not directly map to the VCC in use Enter the r...

Page 237: ...pt consists of the name of the Netopia Gate way followed by your current node in the hierarchy and two right angle brackets For example when you enter CONFIG mode by typing config at the SHELL prompt the Netopia 3000 9437188 top prompt reminds you that you are at the top of the CONFIG hierarchy If you move to the ip node in the CONFIG hierarchy by typing ip at the CONFIG prompt the prompt changes t...

Page 238: ...ng down several nodes at once You can jump down several levels in the CONFIG hierarchy by entering the complete path to a node Moving up one node You can move up through the CONFIG hierarchy one node at a time by entering the up command Jumping to the top node You can jump to the top level from anywhere in the CON FIG hierarchy by entering the top command Moving from one subnode to another You can...

Page 239: ... which you want to act Arguments in a CONFIG command specify the values appropriate to your site For example the CONFIG command set ip ethernet A ip_address consists of two keywords ip and ethernet A and one argument ip_address When you use the command to configure your Gateway you would replace the argument with a value appropriate to your site For example set ip ethernet A 192 31 222 57 ...

Page 240: ...optional information You can then enter the configuration values appropriate for your site without having to enter complete CLI commands Command component Rules for entering CONFIG commands Command verbs CONFIG commands must start with a command verb set view delete You can truncate CONFIG verbs to three characters set vie del CONFIG verbs are case insensitive You can enter SET Set or set Keywords...

Page 241: ... entering set from the top node of the CONFIG hier archy You can enter step mode for a particular service by entering set service_name In stepping set mode press Control X Return Enter to exit For example Netopia 3000 9437188 top set system system name Netopia 3000 9437188 Mycroft Diagnostic Level High medium Stepping mode ended Validating Your Configuration You can use the validate CONFIG command ...

Page 242: ...iable vbr Bit Rate ubr No configuration is needed for UBR VCs Leave the default value 0 maximum line rate cbr One parameter is required for CBR VCs Enter the Peak Cell Rate that applies to the VC This value should be between 1 and the line rate You set this value according to specifications defined by your service provider vbr Three parameters are required for VBR VCs Enter the Peak Cell Rate the ...

Page 243: ...ircuit This value is the maximum number of cells that can be transmitted at the Peak Cell Rate after which the ATM VC transmission rate must drop to the Sustained Cell Rate set atm vcc n vpi 0 255 Select the virtual path identifier vpi for VCC n Your Service Provider will indicate the required vpi number set atm vcc n vci 0 65535 Select the virtual channel identifier vci for VCC n Your Service Pro...

Page 244: ...AC addresses Entries that are not used within 30 sec onds are dropped If the bridging table fills up the oldest table entries are dropped to make room for new entries Virtual circuits that use IP framing cannot be bridged NOTE For bridging in the 3341 or any model with a USB port you cannot set the bridge option off or bridge ethernet option off these are on by default because of the USB port Comm...

Page 245: ...tively set bridge table timeout 30 6000 Sets the timeout value for bridging table timeout Default 30 secs range 30 secs 6000 secs 5 100 mins DHCP Settings As a Dynamic Host Control Protocol DHCP server your Netopia Gateway can assign IP addresses and provide configuration information to other devices on your network dynami cally A device that acquires its IP address and other TCP IP configuration ...

Page 246: ...s for dynamic assignment set dhcp end address ip_address If you selected server specifies the last address in the DHCP address range set dhcp lease time lease time If you selected server specifies the default length for DHCP leases issued by the Netopia Gateway Enter lease time in dd hh mm ss day hour minute second format set dhcp server address ip_address If you selected relay agent specifies the...

Page 247: ...nables support for automatic VPI VCI detection and configuration When set to on the default a pre defined list of VPI VCI pairs are searched to find a valid configuration for your ADSL line Entering a value for the VPI or VCI setting will disable this feature set dmt wiringMode auto tip_ring A_A1 not supported on all models This command configures the wiring mode setting for your ADSL line Selecti...

Page 248: ...e domain name Specifies the default domain name for your network When an application needs to resolve a host name it appends the default domain name to the host name and asks the DNS server if it has an address for the fully qualified host name set dns primary address ip_address Specifies the IP address of the primary DNS name server set dns proxy enable This allows you to disable the default beha...

Page 249: ...y only www dyndns org is supported IGMP Settings These commands are supported beginning with Firmware Version 7 5 1 set igmp snooping off on Enables IGMP Snooping See IGMP Internet Group Management Protocol on page 97 for detailed explanation set igmp robustness value Sets IGMP robustness range from 2 255 The default is 2 See IGMP Internet Group Management Protocol on page 97 for detailed explanat...

Page 250: ...way If you turn off TCP IP services and save the new configuration the Netopia Gateway clears its TCP IP settings ARP Timeout Settings set ip arp timeout 60 6000 Sets the timeout value for ARP timeout Default 600 secs 10 mins range 60 secs 6000 secs 1 100 mins DSL Settings set ip dsl vccn address ip_address Assigns an IP address to the virtual circuit Enter 0 0 0 0 if you want the virtual circuit ...

Page 251: ...rk address translation NAT when communicating with remote routers Address mapping lets you conceal details of your network from remote routers It also permits all LAN devices to share a single IP address By default address mapping is turned On set ip dsl vccn rip send off v1 v2 v1 compat v2 MD5 Specifies whether the Netopia Gateway should use Routing Information Protocol RIP broadcasts to advertis...

Page 252: ...t A option on off Enables or disables communications through the designated Ethernet port in the Gateway You must enable TCP IP functions for an Ethernet port before you can configure its network settings set ip ethernet A address ip_address Assigns an IP address to the Netopia Gateway on the local area network The IP address you assign to the local Ethernet interface must be unique on your networ...

Page 253: ...p send off v1 v2 v1 compat v2 MD5 Specifies whether the Netopia Gateway should use Routing Information Protocol RIP broadcasts to advertise its routing tables to other routers on your network RIP Version 2 RIP 2 is an extension of the original Routing Information Protocol RIP 1 that expands the amount of useful information in the RIP packets While RIP 1 and RIP 2 share the same basic algorithms RI...

Page 254: ...ow to reach the destination host set ip gateway interface ip address ppp vccn Specifies how the Netopia Gateway should route information to the default Gateway If you select ip address you must enter the IP address of a host on a local or remote network If you specify ppp the Netopia unit uses the default gateway being used by the remote PPP peer IP over PPP Settings Use the following commands to ...

Page 255: ...otiate the remote peer s IP address If the remote peer does not accept the address in the ip_address argument as its IP address typically because it has been configured with another IP address the link will not come up The default value for the ip_address argument is 0 0 0 0 which indicates that the vir tual PPP interface will accept the IP address returned by the remote peer If you enter 0 0 0 0 ...

Page 256: ... MD5 authentication is an extension of RIP 2 that increases security by requiring an authentication key when routes are advertised This command is only available when address mapping for the specified virtual circuit is turned off If you specify v2 MD5 you must also specify a rip send key Keys are ASCII strings with a maximum of 31 characters and must match the other router s keys for proper opera...

Page 257: ...teway Use the following commands to add static ARP entries to the Netopia Gateway static ARP table set ip static arp ip address ip_address Specifies the IP address for the static ARP entry Enter an IP address in the ip_address argument in dotted decimal format The ip_address argument cannot be 0 0 0 0 set ip static arp ip address ip_address hardware address MAC_address Specifies the Ethernet hardw...

Page 258: ...d as one of the supported states the Gate way will handle it as if it actively marked the TOS field itself NOTE The Gateway itself will not override TOS bit settings made by the endpoints Support for source provided IP TOS priorities within the Gateway is achieved simply by turning the DiffServe option on and by setting the lohi asymmetry to adjust the behavior of the Gateway s internal queues set...

Page 259: ...ction is to mark the packets for high priority streams in the outbound direction start port end port Allows you to specify a range of ports to check for a particular flow if the protocol selection is TCP or UDP inside ip mask If you want packets originating from a certain LAN IP address to be marked enter the IP address and subnet mask here If you leave the address equal to zero this check is igno...

Page 260: ... Consequently static routes are useful when working with PPP since an intermittent PPP link may make maintenance of dynamic routes problematic You can configure as many as 32 static IP routes for a Netopia Gateway Use the following commands to maintain static routes to the Netopia Gateway routing table set ip static routes destination network net_address Specifies the network address for the stati...

Page 261: ...indicate the number of routers actual or best guess a packet must traverse to reach the remote network You can enter a metric of 1 to indicate either The remote network is one router away and the static route is the best way to reach it The remote network is more than one router away but the static route should not be replaced by a dynamic route even if the dynamic route is more efficient set ip s...

Page 262: ...cipate what port number an application might use For example some network games select arbitrary port numbers when a connection is being opened By identifying your computer or another host on your network as a NAT default server you can specify that NAT traffic that would otherwise be discarded by the Netopia Gateway should be directed to a specific hosts set nat default mode off default server ip...

Page 263: ...traffic you want to redirect by port num ber and you specify the internal host to which each specified type of traffic should be directed The following list identifies protocol type and port number for common TCP IP protocols FTP TCP 21 telnet TCP 23 SMTP TCP 25 TFTP UDP 69 SNMP TCP 161 UDP 161 set pinhole name name Specifies the identifier for the entry in the router s pinhole table You can name ...

Page 264: ... the same number for the exter nal and internal port PPPoE PPPoA Settings You can use the following commands to configure basic settings port authentication set tings and peer authentication settings for PPP interfaces on your Netopia Gateway Configuring Basic PPP Settings NOTE For the DSL platform you must identify the virtual PPP interface vccn a num ber from 1 to 8 set ppp module vccn option on ...

Page 265: ...ou should turn off LCP echoing if you do not want the Netopia Gateway to drop a PPP link to a nonre sponsive peer set ppp module vccn echo period integer Specifies the number of seconds the Netopia Gateway should wait before sending another echo from an LCP echo request The integer argument can be any number from between 5 and 300 seconds set ppp module vccn lost echoes max integer Specifies the m...

Page 266: ...y when it is unused for extended periods If you specify always on the Netopia Gateway never shuts down the PPP link If you specify instant on the Netopia Gateway shuts down the PPP link after the number of seconds specified in the time out setting below if no traffic is moving over the circuit set ppp module vccn time out integer If you specified a connection type of instant on specifies the numbe...

Page 267: ...rd password The password argument is 1 128 alphanumeric characters The information you enter must match the password used by the PPP peer Ethernet Port Settings set ethernet ethernet A mode auto 100M full 100M full fixed 100M half fixed 10M full fixed 10M half fixed 100M half 10M full 10M half Allows mode setting for the ethernet port Only supported on units without a LAN switch or dual ethernet produ...

Page 268: ...ecifies the number of lines you want to see at one time The range is 1 65535 By default the command line interface shows you 22 lines of text before displaying the prompt More y n If you enter 1000 for the lines argument the command line interface displays information as an uninterrupted stream which is useful for capturing information to a text file ...

Page 269: ...Netopia Gateway graphical user interface Similarly you would have to configure your telnet application to use the appropriate port when opening a configuration connection to your Netopia Gateway set servers web http 1 65534 Specifies the port number for HTTP web communication with the Netopia Gateway Because port numbers in the range 0 1024 are used by other protocols you should use numbers in the...

Page 270: ...is the key management protocol of IPsec that estab lishes keys for encryption and decryption Because this VPN software implementation is built to these standards the other side of the tunnel can be either another Netopia unit or another IPsec IKE based security product For VPN you can choose to have traffic authenti cated encrypted or both When connecting the Netopia unit in a telecommuting scenar...

Page 271: ...sk Specifies the subnet mask of the destination computer or internal network The subnet mask specifies which bits of the 32 bit IP address represents network information The default subnet mask for most networks is 255 255 255 0 class C subnet mask set security ipsec tunnels name 123 encrypt protocol ESP ESP none See page 130 for details about SafeHarbour IPsec tunnel capability set security ipsec...

Page 272: ... See page 130 for details about SafeHarbour IPsec tunnel capability set security ipsec tunnels name 123 IKE mode isakmp SA encrypt DES DES 3DES See page 130 for details about SafeHarbour IPsec tunnel capability set security ipsec tunnels name 123 IKE mode ipsec mtu mtu_value This command is supported beginning with Version 7 4 The Maximum Transmission Unit is a link layer restriction on the maximu...

Page 273: ...sive Default is off set security ipsec tunnels name 123 xauth username username Sets the Xauth username if Xauth is enabled set security ipsec tunnels name 123 xauth password password Sets the Xauth password if Xauth is enabled set security ipsec tunnels name 123 nat enable on off Enables or disables NAT on the specified IPsec tunnel The default is off set security ipsec tunnels name 123 nat pat a...

Page 274: ...mask ip mask set security ipsec tunnels name 123 remote id type IP address Subnet Hostname ASCII Specifies the NAT remote ID type for the specified IPsec tunnel when Aggressive Mode is set set security ipsec tunnels name 123 remote id id_value Specifies the NAT remote ID value as specified in the remote id type for the specified IPsec tunnel when Aggressive Mode is set Note If subnet is selected t...

Page 275: ...ds 86400 60 1000000 The soft parameters designate when the system negotiates a new key For example after 82800 seconds 23 hours or 1 Gbyte has been transferred whichever comes first the key will be renegotiated The hard parameters indicate that the renegotiation must be complete or the tunnel will be disabled For example 86400 seconds 24 hours means that the renegotiation must be complete within o...

Page 276: ...nspection default mapping to router option off or on on the specified inter face set security state insp ip ppp dsl vccn tcp seq diff 0 65535 set security state insp ethernet A B tcp seq diff 0 65535 Sets the acceptable TCP sequence difference on the specified interface The TCP sequence number difference maximum allowed value is 65535 If the value of tcp seq diff is 0 it means that this check is d...

Page 277: ...e exposed list address number set security state insp xposed addr exposed address n start ip ip_address Sets the exposed list range starting IP address in dotted quad format set security state insp xposed addr exposed address n end ip ip_address Sets the exposed list range ending IP address in dotted quad format 32 exposed addresses can be created The range for exposed address numbers are from 1 t...

Page 278: ... pkt filter filterset filterset name in out index forward on off Creates or edits a filter rule specifying whether packets will be forwarded or not NOTE If this is the first rule it will create the filter set called filterset name other wise it will edit the filterset If the index is not consecutive the system will select the next consecutive index If the index does not exist a rule will be created I...

Page 279: ...urce IP address to match packets where the packet was sent from set security pkt filter filterset filterset name in out index src mask mask Specifies the source IP mask to match packets where the packet was sent from set security pkt filter filterset filterset name in out index dest ip ip_addr Specifies the destination IP address to match packets where the packet is going set security pkt filter filterset...

Page 280: ...or UDP The value for protocol can be from 0 255 set security pkt filter filterset filterset name in out index src compare nc ne lt le eq gt ge Sets the source compare operator action for the specified filter rule set security pkt filter filterset filterset name in out index dst compare nc ne lt le eq gt ge Sets the destination compare operator action for the specified filter rule Operator Action nc No c...

Page 281: ...erset name in out index dst port value Specifies the destination IP port to match packets the port on the receiving host that the packet is destined for if the underlying protocol is TCP or UDP set security pkt filter interface assigned filterset filterset name Associates a filterset with a LAN or WAN interface Example set security pkt filter ethernet A assigned filterset set1 le Less than or equal t...

Page 282: ...dds the specified name to the list of communities associated with the Netopia Gateway set snmp trap ip traps ip address Identifies the destination for SNMP trap messages The ip address argument is the IP address of the host acting as an SNMP console set snmp sysgroup contact contact_info Identifies the system contact such as the name phone number beeper number or email address of the person respon...

Page 283: ... of messages you want the diagnostic log to record set system name name Specifies the name of your Netopia Gateway Each Netopia Gateway is assigned a name as part of its factory initialization The default name for a Netopia Gateway consists of the word Netopia 3000 XXX where XXX is the serial number of the device for example Netopia 3000 9437188 A system name can be 1 255 characters long Once you ...

Page 284: ...t do not constitute errors The default alerts Warnings or greater includes recoverable error conditions and useful opera tor information failures Failures includes messages describing error conditions that may not be recoverable set system log size 10240 65536 Specifies a size for the system log The most recent entries are posted to the beginning of the log When the log becomes full the oldest ent...

Page 285: ... through the device set system heartbeat option on off protocol udp tcp port client 1 65535 ip server ip_address dns_name port server 1 65535 url server server_name number 1 1073741823 interval 00 00 00 20 sleep 00 00 30 00 contact email string domain_name location string The heartbeat setting is used in conjunction with the configuration server to broadcast con tact and location information about...

Page 286: ...o have the Gateway send out packets forever this number can be set very high If it is 1440 and the interval is 1 minute say the heartbeat will go out every minute for 1440 minutes or one day before sleep ing The sleep setting is part of sequence control This is the time to sleep before starting another heartbeat sequence in d h m s ...

Page 287: ... that initial connection to the Internet will succeed If the zerotouch option is set to on HTTP requests to any destination IP address except the IP address es of the configured redirection URL s will access a redirection server DNS traf fic will not be blocked Other traffic from the LAN to all destinations will be dropped set system zerotouch redirect url redirection URL Specifies the URL s of th...

Page 288: ...olations off on Specifies whether violations are logged or ignored set system syslog log accepted off on Specifies whether acceptances are logged or ignored set system syslog log attempts off on Specifies whether connection attempts are logged or ignored Default syslog installation procedure 1 Access the router via telnet from the private LAN DHCP server is enabled on the LAN by default 2 The prod...

Page 289: ...1 set system syslog log violations on set system syslog log accepted on set system syslog log attempts on 4 Set NTP parameters Type config Set the time zone Default is 0 or GMT set system ntp time zone zone example set system ntp time zone 8 Set NTP server address if necessary default is 204 152 184 72 set system ntp server address ip addr example set system ntp server address 204 152 184 73 Set a...

Page 290: ...57 set wireless default channel 1 14 Specifies the wireless 2 4GHz sub channel on which the wireless Gateway will operate For US operation this is limited to channels 1 11 Other countries vary for example Japan is channel 14 only The default channel in the US is 6 Channel selection can have a signifi cant impact on performance depending on other wireless activity in proximity to this AP Channel se...

Page 291: ...mode you excluded will not be able to connect set wireless multi ssid option on off Beginning with Netopia Firmware Version 7 5 1 enables or disables the multi ssid feature which allows you to add additional network identifiers SSIDs or Network Names for your wireless network When enabled you can specify up to three additional SSIDs with sepa rate privacy settings for each See below set wireless m...

Page 292: ...reless multi ssid second ssid wpa ver all WPA1 only WPA2 only set wireless multi ssid third ssid wpa ver all WPA1 only WPA2 only set wireless multi ssid fourth ssid wpa ver all WPA1 only WPA2 only Specifies the type of WPA version enabled on multiple SSIDs when multi ssid option is set to on and privacy is set tp WPA PSK See Wireless Privacy Settings on page 293 for more information set wireless m...

Page 293: ...le wireless routers where you want to reuse channels Since there are only three non overlapping channels in the 802 11b spectrum it helps to size the router s cell to match the location This allows you to install a router to cover a small hole without conflicting with other routers nearby Wireless Privacy Settings set wireless network id privacy option off WEP WPA PSK WPA 802 1x Specifies the type...

Page 294: ...ted or enabled The passphrase can be 8 63 characters It is recommended to use at least 20 characters for best security set wireless network id privacy default keyid 1 4 Specifies which WEP encryption key of 4 the wireless Gateway will use to transmit data The client must have an identical matching key in the same numeric slot in order to suc cessfully decode Note that a client allows you to choose...

Page 295: ...acy encryption key4 hexadecimal digits The encryption keys Enter keys using hexadecimal digits For 40 64bit encryption you need 10 digits 26 digits for 128bit and 58 digits for 256bit WEP Valid hexadecimal char acters are 0 9 a f Example 40bit key 02468ACE02 Example 128bit key 0123456789ABCDEF0123456789 Example 256bit key 592CA140F0A238B0C61AE162F592CA140F0A238B0C61AE162F21A09C You must set at lea...

Page 296: ... mac address MAC address_string allow access on off Designates whether the MAC address is enabled or not for wireless network access Dis abled MAC addresses cannot be used for access until enabled RADIUS Server Settings set radius radius name server_name_string Specifies the default RADIUS server name or IP address set radius radius secret shared_secret Specifies the RADIUS secret key used by this...

Page 297: ...lect for editing Once a new VLAN name is specified presents the list of VLAN characteristics to define id numerical range of possible IDs is 1 4095 type by port currently the only selection is by port admin restricted off on default is off If you select on administrative access to the Gateway is blocked from this VLAN port VLAN s physical port or wireless SSID You must save the changes exit out of...

Page 298: ...s been added to the port list 1 interface lan uplink ethernet0 vcc1 ethernet0 Netopia 3000 9459252 vlan To make the VLAN vlan1 routable add the port lan uplink Netopia 3000 9459252 vlan name vlan1 Netopia 3000 9459252 vlan name vlan1 set vlan1 id 52 1 4095 type by port by port admin restricted off off on port port node list 1 Select port node to modify from list or enter new port to create port 2 ...

Page 299: ...e Netopia Gateway to work through NAT The default is on You can disable UPnP if you are not using any UPnP devices or applications DSL Forum settings TR 064 is a LAN side DSL CPE configuration specification and TR 069 is a WAN side DSL CPE Management specification TR 064 DSL Forum LAN Side CPE Configuration TR 064 is an extension of UPnP It defines more services to locally manage the Netopia Gatew...

Page 300: ... name acs_username set dslf cpewan acs user password acs_password set dslf cpewan acs filter1 ip filter1 ip_addr set dslf cpewan acs filter1 mask filter1 mask set dslf cpewan acs filter2 ip filter2 ip_addr set dslf cpewan acs filter2 mask filter2 mask set dslf cpewan acs filter3 ip filter3 ip_addr set dslf cpewan acs filter3 mask filter3 mask Turns TR 069 WAN side management services on or off For 3300 Series...

Page 301: ...301 CONFIG Commands On units that support SSL the format for the ACS URL can also be https some_url com port_number or https 123 45 678 910 port_number ...

Page 302: ...0xffffffff pbo k1_3 0x00000000 0xffffffff pbo k2_1 0x00000000 0xffffffff pbo k2_2 0x00000000 0xffffffff pbo k2_3 0x00000000 0xffffffff line type 0x00 0xff us max inter delay 0x00 0xff ds max inter delay 0x00 0xff us target noise margin 0x0000 0xffff ds target noise margin 0x0000 0xffff min noise margin 0x0000 0xffff port bandplan 0x00 xff framing mode 0x00 0xff band mod 0x00 0xff port option 0x00 ...

Page 303: ... back off k2_3 line type 0x81 VDSL port line type auto 0x80 vdsl 0x81 vdsl_etsi 0x82 us max inter delay 0x04 VDSL port upstream max inter delay ds max inter delay 0x04 VDSL port downstream max inter delay us target noise margin 0x0C VDSL port upstream target noise margin ds target noise margin 0x0C VDSL port downstream target noise margin min noise margin 0x0A VDSL port minimum noise margin port b...

Page 304: ...nd is reduced by up to 2 5 dB but never below a minimum of 4 dB Bit 2 SUPPORT_INI Bit 4 TLAN Enable Bit 5 PBO Weak mode Enable Applicable only when PBO Bit 3 0 Bit 6 ADSL_SAFE_MODE Enable Bit 7 TLAN_SAFE_MODE Enable Applicable only when TLAN Enable Bit 4 is set If TLAN_SAFE_MODE not set line will attempt to retrain at higher rates but less stable line ...

Page 305: ...0x08 BP10_998_2 0x09 BP998_2B_3_8M 0x09 BP11_998_2 0x0A BP12_998_2 0x0B BP13_MXU_3 0x0C BP14_MXU_3 0x0D BP15_MXU_3 0x0E BP16_997_4B_4P 0x0F BP17_998_138_4400 0x10 BP18_997_138_4400 0x11 BP19_997_32_4400 0x12 BP20_998_138_4400_opBand 0x15 BP21_997_138_4400_opBand 0x16 BP22_998_138_4400_opBand 0x16 BP23_998_138_16000 0x17 BP24_998_3B_8KHZ 0x18 BP25_998_138_17600 0x19 BP26_CH1_3 0x1A BP27_CH1_4 0x1B ...

Page 306: ...am band in the PSD Upstream Band 0 or Optional band Upstream band 1 Upstream band 2 and Upstream Band 3 Setting all K2 parameters to 0 and all K1 to a high power level ie low number will essentially disable UPBO pbo k1_2 pbo k1_3 pbo k2_1 pbo k2_2 pbo k2_3 line type VDSL_AUTO_DETECT 0x80 VDSL 0x81 VDSL_ETSI 0x82 us max inter delay Maximum upstream interleave delay Provisioned in steps of 0 5 ms Us...

Page 307: ... 0x08 BP10_998_2 0x09 BP998_2B_3_8M 0x09 BP11_998_2 0x0A BP12_998_2 0x0B BP13_MXU_3 0x0C BP14_MXU_3 0x0D BP15_MXU_3 0x0E BP16_997_4B_4P 0x0F BP17_998_138_4400 0x10 BP18_997_138_4400 0x11 BP19_997_32_4400 0x12 BP20_998_138_4400_opBand 0x15 BP21_997_138_4400_opBand 0x16 BP22_998_138_4400_opBand 0x16 BP23_998_138_16000 0x17 BP24_998_3B_8KHZ 0x18 BP25_998_138_17600 0x19 BP26_CH1_3 0x1A BP27_CH1_4 0x1B...

Page 308: ...38 KHz 2 ANNEX_B_32_64 ie 138 KHz to 276 KHz 3 ANNEX_B_6_64 ie 25KHz to 276 KHz port option Bit 0 I 43 G hs carrier set Bit 1 V 43 G hs carrier set Bit 2 A 43 G hs carrier set Bit 3 B 43 G hs carrier set Bit 4 7 shall be set to 0 power mode 0 8 5dBm power output 1 11 5 dBm power output tx filter 0 using internal filter in Tx path 1 using K1 external filter in Tx path for Korea VLR Application 2 using...

Page 309: ...th for US Korea VLR Application 3 using H1 external filter in Rx path for 100 100 Application dying gasp Dying Gasp is a message sent from CPE to CO using the indica tor bit It indicates that the CPE is experiencing an impending loss of power Off Dying Gasp off don t send a message to CO On Dying Gasp on VDSL Parameters Accepted Values Parameter Accepted Values ...

Page 310: ...310 ...

Page 311: ...ed pair UTP wiring with RJ 45 eight conductor plugs at each end Runs at 100 Mbps A ACK Acknowledgment Message sent from one network device to another to indicate that some event has occurred See NAK access rate Transmission speed in bits per second of the circuit between the end user and the network adapter Board installed in a computer system to provide network communi cation capability to and fr...

Page 312: ...ters such as letters numbers and punctuation marks used in text repre sentation and communication protocols asynchronous communication Network system that allows data to be sent at irregular intervals by preceding each octet with a start bit and follow ing it with a stop bit Compare synchronous communication Auth Protocol Authentication Protocol for IP packet header The three parameter values are ...

Page 313: ...éléphonique or Consultative Committee for International Telegraph and Telephone An inter national organization responsible for developing telecommunication stan dards CD Carrier Detect CHAP Challenge Handshake Authentication Protocol Security protocol in PPP that prevents unauthorized access to network services See RFC 1334 for PAP specifications Compare PAP client Network node that requests servi...

Page 314: ...nication circuit that is used exclusively to connect two network devices Compare dial on demand DES Data Encryption Standard is a 56 bit encryption algorithm developed by the U S National Bureau of Standards now the National Institute of Stan dards and Technology 3DES Triple DES with a 168 bit encryption key is the most accepted vari ant of DES DH Group Diffie Hellman is a public key algorithm use...

Page 315: ...mes to IP addresses in response to Domain Name System DNS requests Domain Name System DNS Standard method of identifying computers by name rather than by numeric IP address DSL Digital Subscriber Line Modems on either end of a single twisted pair wire that delivers ISDN Basic Rate Access DTE Data Terminal Equipment Network node that passes information to a DCE modem for transmission A computer or ...

Page 316: ...unwrapping the dat agram within another IP datagram Optionally ESP transformations may per form data integrity validation and compute an Integrity Check Value for the datagram being sent The complete IP datagram is enclosed within the ESP payload Ethernet crossover cable See crossover cable F FCS Frame Check Sequence Data included in frames for error control flow control Technique using hardware ci...

Page 317: ...ft threshold and renegotiation must happen by the hard limit or traffic over the tunnel is ter minated hardware handshake Method of flow control using two control lines usu ally Request to Send RTS and Clear to Send CTS header The portion of a packet preceding the actual data containing source and destination addresses and error checking fields HMAC Hash based Message Authentication Code hop A uni...

Page 318: ...ecting and filter ing out undesired traffic based on your security policy and resulting configu ration interface A connection between two devices or networks internet address IP address A 32 bit address used to route packets on a TCP IP network In dotted decimal notation each eight bits of the 32 bit number are presented as a decimal number with the four octets separated by periods IPCP Internet P...

Page 319: ...ent can be compared to what was received M magic number Random number generated by a router and included in packets it sends to other routers If the router receives a packet with the same magic number it is using the router sends and receives packets with new random numbers to determine if it is talking to itself MD5 A 128 bit message digest authentication algorithm used to create digital signatur...

Page 320: ... can be sent over a network interface MULTI LAYER The Open System Interconnection OSI model divides net work traffic into seven distinct levels from the Physical hardware layer to the Application software layer Those in between are the Presentation Ses sion Transport Network and Data Link layers Simple first and second gen eration firewall technologies inspect between 1 and 3 layers of the 7 layer...

Page 321: ...Peer Internal IP Network The Peer Internal IP Network is the private or Local Area Network LAN address of the remote gateway or VPN Server you are communicating with Peer Internal IP Netmask The Peer Internal IP Netmask is the subnet mask of the Peer Internal IP Network PFS Enable Enable Perfect Forward Secrecy PFS forces a DH negotiation during Phase II of IKE IPSec SA exchange You can disable th...

Page 322: ...of Service The ability of a network to prioritize certain kinds of network traffic to provide reserved bandwidth and reduced latency needed by some real time and interactive traffic such as voice and video over IP QoS also provides priority for one or more flows such that one flow does not make other flows fail R repeater Device that regenerates and propagates electrical signals between two networ...

Page 323: ...ormation is to be applied to a datagram and how The SA specifies The authentication algorithm for AH and ESP The encryption algorithm for ESP The encryption and authentication keys Lifetime of encryption keys The lifetime of the SA Replay prevention sequence number and the replay bit table An arbitrary 32 bit number called a Security Parameters Index SPI as well as the destination host s address a...

Page 324: ... to everyone and a private or secret key known only to the recipient of the message STATEFUL The Netopia Gateway monitors and maintains the state of any network transaction In terms of network request and reply state consists of the source IP address destination IP address communication ports and data sequence The Netopia Gateway processes the stream of a network conversation rather than just indi...

Page 325: ...f two copper strands twisted around each other The twisting provides protection against electromagnetic interference U UTP Unshielded twisted pair cable V VDSL Very high rate Digital Subscriber Line VDSL transmits high speed data over short reaches of twisted pair copper telephone lines with a range of speeds depending upon actual line length Both data channels will be separated in frequency from ...

Page 326: ...singly available from alternative access providers sometimes called Competitive Access Providers or CAPs that link business network nodes WWW World Wide Web X XAuth Extended Authentication An extension to the Internet Key Exchange IKE protocol for IPSec tunnelling Requires SafeHarbour IPsec tunneling feature key ...

Page 327: ... 2 3 0cm H 8 7 22 0 cm W 5 2 13 2cm L Communications interfaces The Netopia Gateways have an RJ 11 jack for DSL line connections or an RJ 45 jack for cable DSL modem connections and 1 or 4 port 10 100Base T Ethernet switch for your LAN connections Some models have a USB port that can be used to connect to your PC in some cases the USB port also serves as the power source Some models contain an 802...

Page 328: ...es not apply to 3342 3352 Routing TCP IP Internet Protocol Suite RIP WAN support PPPoA PPPoE DHCP static IP address Security PAP CHAP UI password security IPsec SSL certificate Management configuration methods HTTP Web server Telnet SNMP TR 069 DSL Forum CPE WAN Management Protocol Diagnostics Ping event logging routing table displays statistics counters web based management traceroute nslookup and...

Page 329: ...tage European directive 73 23 EN60950 Europe EMI Compatibility 89 336 EEC European directive EN55022 1994 CISPR22 Class B EN300 386 V1 2 1 non wireless products EN 301 489 wireless products Regulatory notices European Community This Netopia product conforms to the European Community CE Mark standard for the design and manufacturing of information technology equipment This standard covers a broad a...

Page 330: ...with the instructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the followin...

Page 331: ...ng associated with a single line individual service may be extended by means of a certified connector assembly telephone extension cord The customer should be aware that compliance with the above conditions may not prevent degradation of service in some situations Repairs to the certified equipment should be made by an authorized Canadian maintenance facility designated by the supplier Any repairs...

Page 332: ... substantial compensation Caution The direct plug in power supply serves as the main power disconnect locate the direct plug in power supply near the product for easy access For use only with CSA Certified Class 2 power supply rated 12VDC Telecommunication installation cautions Never install telephone wiring during a lightning storm Never install telephone jacks in wet locations unless the jack is...

Page 333: ...ich this unit is connected b The ringer equivalence number 0 XB c The USOC jack required RJ11C d The FCC Registration Number XXXUSA XXXXX XX E Items b and d are indicated on the label The Ringer Equivalence Number REN is used to determine how many devices can be connected to your telephone line In most areas the sum of the REN s of all devices on any one line should not exceed five 5 0 If too many...

Page 334: ...f trouble is experienced with this equipment the Netopia 3300 or 2200 Series router for repair or warranty information please contact Netopia Technical Support 510 597 5400 www netopia com If the equipment is causing harm to the telephone network the telephone company may request that you disconnect the equipment until the problem is resolved h This equipment not intended to be repaired by the end...

Page 335: ... i e PPPoE Simplified Local Area Network Setup on page 337 Built in DHCP and DNS proxy features minimize or eliminate the need to program any network configuration into your home personal computer Management on page 338 A Web server built into the Netopia Operating System makes setup and maintenance easy using standard browsers Diagnostic tools facilitate troubleshooting Security on page 339 Netwo...

Page 336: ... to scramble a challenge string 2 The password is a shared secret known by both peers 3 The unit sends the scrambled challenge back to the peer PAP a less robust method of authentication sends a username and password to a PPP server to be authenticated PAP s username and password pair are not encrypted and are therefore sent unscrambled Instant On PPP You can configure your Gateway for one of two ...

Page 337: ...ver DHCP Server functionality enables the Gateway to assign to your LAN computer s a pri vate IP address and other parameters that allow network communication The default DHCP Server configuration of the Gateway supports up to 253 LAN IP addresses This feature simplifies network administration because the Gateway maintains a list of IP address assignments Additional computers can be added to your ...

Page 338: ... running a common web browser applica tion to configure and monitor the Gateway Diagnostics In addition to the Gateway s visual LED indicator lights you can run an extensive set of diagnostic tools from your Web browser Two of the facilities are Automated Multi Layer Test The Run Diagnostics link initiates a sequence of tests They examine the entire functionality of the Gateway from the physical c...

Page 339: ...our Gateway This access can be turned on or off in the Web interface Password Protection Access to your Netopia device can be controlled through two access control accounts Admin or User The Admin or administrative user performs all configuration management or mainte nance operations on the Gateway The User account provides monitor capability only A user may NOT change the configuration perform up...

Page 340: ... pretending to be the originating host for network communications from non originating networks The WAN interface address is the only IP address exposed The Netopia Gateway tracks which local hosts are communicating with which remote hosts It routes packets received from remote networks to the correct computer on the LAN Ethernet interface When NAT is OFF a Netopia Gateway acts as a traditional TC...

Page 341: ...ible by pass capabilities Some of these rules require coordination with the unit s embedded administration ser vices the internal Web HTTP Port TCP 80 and the internal Telnet Server Port TCP 23 Internal Servers The internal servers are the embedded Web and Telnet servers of the Gateway You would change the internal server ports for Web and Telnet of the Gateway if you wanted to have these services...

Page 342: ...lica tion might use For example some network games select arbitrary port numbers when a connection is opened When you want all unsolicited traffic to go to a specific LAN host Combination NAT Bypass Configuration Specific pinholes and Default Server settings each directed to different LAN devices can be used together WARNING Creating a pinhole or enabling a Default Server allows inbound access to t...

Page 343: ... Netopia has implemented an Application Layer Gateway ALG to support multiple PCs running IP Security protocols This feature has three elements 1 On power up or reset the address mapping function NAT of the Gate way s WAN configuration is turned on by default 2 When you use your third party VPN application the Gateway recognizes the traffic from your client and your unit It allows the packets to pas...

Page 344: ...its tunnelling from the Gateway without the use of third party VPN client software on your client PCs Stateful Inspection Firewall Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled You can configure UDP and TCP no activity periods that will also apply to NAT time outs if stateful inspection is enabled on the interface Technical details are disc...

Page 345: ...ommand truncation 238 Configuration mode 237 Keywords 239 Navigating 237 Prompt 225 237 Restart command 226 SHELL mode 225 View command 240 Command ARP 226 236 Ping 229 Telnet 235 Command line interface see CLI Community 282 Compression protocol 265 Concurrent Bridging Routing 104 244 CONFIG Command List 223 Configuration mode 237 D D port 160 Default IP address 39 denial of service 324 designing ...

Page 346: ...64 filtering example 1 160 filters actions a filter can take 156 adding to a filter set 166 defined 155 deleting 170 input 165 modifying 170 output 165 using 163 164 viewing 169 firewall 233 FTP 262 H Hardware address 244 hijacking 324 Hop count 261 HTTP traffic 269 I ICMP Echo 229 IGMP Snooping 98 Install 179 Install Certificate 188 IP address 250 252 Default 39 IP interfaces 233 IP routes 233 IP...

Page 347: ...p 338 O set upnp option 299 Operating Mode Wireless 58 291 P PAP 336 Password 123 Administrator 39 123 224 User 39 123 224 persistent log 284 Ping 338 Ping command 229 Pinholes 262 341 Planning 76 policy based routing 173 Port authentication 266 port number comparisons 158 port numbers 158 Port renumbering 269 PPP 237 PPPoE 336 Primary nameserver 248 Prompt CLI 225 237 Protocol compression 265 Q q...

Page 348: ...Set snmp sysgroup location command 282 Set snmp traps authentifica tion traps ip address command 282 Set system diagnostic level command 284 Set system heartbeat command 285 Set system name command 283 Set system NTP command 287 Set system password command 285 set system syslog 288 Set wireless option command 290 Set wireless user auth option command 296 SHELL Command Shortcuts 225 Commands 225 Pr...

Page 349: ...2 TFTP server 228 Toolbar 44 TOS bit 157 173 TraceRoute 216 339 Trap 282 Trivial File Transfer Protocol 228 Truncation 238 U UPnP 100 User name 224 User password 39 123 224 V set atm 242 243 View command 240 view config 235 VLAN Settings 297 VPN IPSec Pass Through 343 IPSec Tunnel Termination 344 W Wide Area Network 336 Wireless 53 Z Zero Touch 287 ...

Page 350: ...350 ...

Page 351: ...Netopia 2200 and 3300 series by Netopia Netopia Inc 6001 Shellmound Street Emeryville CA 94608 April 10 2006 ...