        User Manual
         Contents
1. IPSec VPN QoS Router. Appendix I: User Interface and User Manual Chapter Cross Reference. This appendix is to show the corresponding index for each chapter and user interface. Users can find how to set up quickly and understand the VPN Router capability at the same time. VPN Router overall interface is as below: Home, Network, QoS, IP/DHCP, Firewall, Advanced Function, System Tool, Port Management, VPN, QnoKey, QVM, Log. Cross reference (Category, Sub-category, Chapter): Home: V. Device Spec Verification, Status Display and Login Password and Time Setting; 5.1 Home. Basic Setting: VI. Network. Network: 6.1 Network Connection. Traffic: 6.2 Multi-WAN Setting. Protocol Binding: 6.2 Multi-WAN Setting. Bandwidth Management: 8.1 Bandwidth Management, 8.3 Smart QoS. Session Control: 8.2 Session Limit. IP/DHCP: VII. Port Management; Setup, Status, IP & MAC Binding: 7.3 DHCP/IP, 7.4 DHCP Status, 7.5 IP & MAC Binding. Firewall: IX. Firewall; General Policy, Access Rule, Content Filter: 9.1 General Policy, 9.2 Restricted Application, 9.3 Access Rule, 9.4 Content Filter. Advanced Function: XI. Advanced Setting; DMZ/Forwarding: 11.1 DMZ Host/Port Range Forwarding; UPnP, Routing, One to One NAT, DDNS: 11.2 UPnP (Universal Plug and Play), 11.3 Routing, 11.4 One to One NAT, 11.5 DDNS, 11.6 MAC Clone. XII. System Tool.
2. XIII. Log. From the log management and look up, we can see the relevant operation status, which is convenient for us to facilitate the setup and operation. 12.1 System Log: Its system log offers three options: system log, E-mail alert, and log setting. System Log: If this option is selected, the System Log feature will be enabled. [Screenshot: System Log page with View System Log, System Statistic, Traffic Statistic and IP/Port Statistic buttons; Enable Syslog; Syslog Server (name or IP address); log checkboxes; Outgoing Log Table and Incoming Log Table] Syslog Server: The device provides external system log servers with log collection feature. System log is an industrial standard communications protocol. It is designed to dynamically capture related system message from the network. The system log provides the source and the destination IP addresses during the connection, service number, and type. To apply this feature, enter the system log server name or the IP address into the empty "system log server" field. Log Setting: Syn Flooding, IP Spoofing, Win Nuke, Ping Of Death, Unauthorized Login Attempt, System Error Messages, Deny Policies, Allow Policies, Configuration Changes, Authorized Logi
3. After the changes are completed, click "Apply" to save the configuration, or click "Cancel" to leave without making any changes. DMZ Setting: For some network environments, an independent DMZ port may be required to set up externally connected servers such as WEB and Mail servers. Therefore, the device supports a set of independent DMZ ports for users to set up connections for servers with real IP addresses. The DMZ ports act as bridges between the Internet and LANs. [Screenshot: Enable DMZ; DMZ Setting: DMZ 0.0.0.0, Edit] IP address: Indicates the current default static IP address. Config: Indicates an advanced configuration modification. Click Edit to enter the advanced configuration page. The DMZ configuration can be classified by Subnet and Range. Subnet: The DMZ and WAN located in different Subnets. For example, if the ISP issued 16 real IP addresses, 220.243.230.1 to 16 with Mask 255.255.255.240, users have to separate the 16 IP addresses into two groups, 220.243.230.1 to 8 with Mask 255.255.255.248 and 220.243.230.9 to 16 with Mask 255.255.255.248, and then set the device and the gateway in the same group with the other group in the DMZ. [Screenshot: Interface: DMZ; Subnet or Range (DMZ & WAN within same subnet); Specify DMZ IP Address; Subnet Mask] Range: DMZ and WAN within same Subnet.
4. [Screenshot: Selfdefinedstrategy.txt opened in Notepad, listing destination IP ranges] China Netcom strategy and self-defined strategy can coexist. However, if a destination IP is assigned by both China Netcom strategy and self-defined strategy, China Netcom strategy will take priority. In other words, traffic to that destination IP will be transmitted through the WAN (or WAN group) under China Netcom strategy. Session Balance Advanced Function: In general, session balance is to equally and randomly distribute the session connections of each intranet IP. Some special connections, for example a web banking encrypted connection (HTTPS or TCP 443), are required to connect from the same WAN IP. If one intranet IP visits a web banking website and the connection is distributed across different WAN IP addresses, there will be disconnection or failure. Session balance advanced function targets solving this issue. Session balance advanced function can make the same intranet IP keep having sessions from the same WAN IP for some specific service protocols. Other service protocols can still adopt the original balance mechanism to distribute the sessions equally and randomly. Together with the original session balance efficiency, the advanced function can ensure the connection runs without error for some special service protocols.
5. Remote Group: Displays the setting for remote VPN connection secure group. Remote Gateway: Set the IP address to connect the remote VPN device. Please set the VPN device with a valid IP address or domain name. Control: Click "Connect" to verify the tunnel status. The test result will be updated. To disconnect, click "Disconnect" to stop the VPN connection. Config: Setting items include Edit and Delete icon. Click on Edit to enter the setting items and users may change the settings. Click on the trash bin icon and all the tunnel settings will be deleted. __ Tunnel(s) Enabled, __ Tunnel(s) Defined: This displays how many tunnels are enabled and how many tunnels are set. VPN Group Tunnel Status: If there is no setting for Group VPN, there will be no display of VPN Group status. Group Name: Displays the tunnel name of the Group VPN that is connected. Connected Tunnels: Displays the VPN Groups tunnel numbers. Phase2 Encrypt/Auth/DH: Displays settings such as encryption (DES/3DES), authentication (MD5/SHA1) and Group (1/2/5). If users select Manual setting for IPSec, Phase 2 DH group will not be displayed. Local Group: Displays the VPN connection secure setting for the local group. Remote Client: Displays the name of this group for remote VPN Connection secure group setting. Remote Client Status: Clic
6. [Screenshot: Protocol Binding form with Show Priority, Service (All Traffic), Service Management, Source IP, Dest. IP, Interface and Enabled fields; Delete selected item, Show Table, Apply and Cancel buttons] Service: This is to select the Binding Service Port to be activated. The default (such as ALL TCP&UDP 0 to 65535, WWW 80 to 80, FTP 21 to 21, etc.) can be selected from the pull-down option list. The default Service is All 0 to 65535. Option List for Service Management: Click the button to enter the Service Port configuration page to add or remove default Service Ports on the option list. Source IP: Users can assign packets of specific Intranet virtual IP to go through a specific WAN port for external connection. In the boxes here, input the Intranet virtual IP address range; for example, if 192.168.1.100 to 150 is input, the binding range will be 100 to 150. If only specific Service Ports need to be designated, while specific IP designation is not necessary, input "0" in the IP boxes. Dest. IP: In the boxes, input an external static IP address. For example, if connections to destination IP address 210.11.1.1 are to be restricted to WAN1, the external static IP address 210.1.1.1 to 210.1.1.1 should be input. If a range of destinations is to be assigned, input the range such as 210.11.1.1 to 210.11.25 Other fields on this page: Interface, Enable, Add To List, Delete selected item, Moving Up & Down, Note.
7. [Screenshot: Service Management window with Service Name, Protocol and Port Range fields, an Add to list button, a list of predefined services with their TCP/UDP port ranges, and Apply, Cancel and Exit buttons] Service Name: In this box, input the name of the Service Port which users want to activate, such as BT, etc. Protocol: This option list is for selecting a packet format, such as TCP or UDP, for the Service Ports users want to activate. Port Range: In the boxes, input the range of Service Ports users want to add. Add to list: Click the button to add the configuration into the Services List. Users can add up to 100 services into the list. To remove the selected activated Services. Apply: Click the "Apply" button to save the modification. Cancel: Click the "Cancel" button to cancel the modification. This only works before "Apply" is clicked. Exit: To quit this configuration window. Auto Load Balancing mode when enabled: The collocation of the Auto Load Balance Mode and the Auto Load Mode will enable more flexible use of bandwidth. Users can assign specific Intranet IP addresses to specific destination application service ports or assign specific destination IP addresses to a WAN users choose for external connections. Example 1: How do I set up Auto Load Balance Mode to assign
8. [Screenshot: Dynamic IP + Domain Name (FQDN) Authentication] 5. Dynamic IP + E-mail Addr. (USER FQDN) Authentication: If users use dynamic IP address to connect to the device, users may select this option to connect to VPN without entering IP address. When VPN Gateway requires for VPN connection, the device will start authentication and respond to VPN tunnel connection. If users select this option to link to VPN, enter E-Mail address to the empty field for E-Mail authentication. Local Security Group Type: This option allows users to set the local VPN connection access type. The following offers a few items for local settings. Please select and set appropriate parameters. 1. IP address: This option allows the only IP address which is entered to build the VPN tunnel. Reference: When this VPN tunnel is connected, computers with the IP address of 192.168.1.0 can establish connection. 2. Subnet: This option allows local computers in this subnet can be connected to the VPN tunnel. Reference: When this VPN tunnel is connected, only computers with the session of 192.168.1.0 and with subnet mask as 255.255.255.0 can connect with remote VPN. 3. IP Range: This option allows connection only when IP address range which is entered after the
9. [Screenshot: Protocol Binding form with Show Priority, Service (HTTP TCP 80 to 80), Service Management, Source IP, Destination IP, Interface and Enable fields; Update this Application, Delete selected application and Add New buttons] Example 2: How do I configure Protocol Binding to keep traffic from all Intranet IP addresses from going through WAN2 when the destinations are IP 211.1.1.1 to 211.254.254.254 as well as the whole Class A group of 60.1.1.1 to 60.254.254.254, while traffic to other destinations goes through WAN1? As in the following figure, there are two rules to be configured. The first rule: Select "All Port [TCP&UDP 1 to 65535]" from the pull-down option list "Service", and then in the boxes of "Source IP" input "192.168.1.0 to 0" (which means to include all Intranet IP addresses). In the boxes for "Destination IP" input "211.1.1.1 to 211.254.254.254". Select WAN2 from the pull-down option list "Interface", and then click "Enable". Finally, click "Add New" and the rule will be added to the mode. The second rule: Select "All Port [TCP&UDP 1 to 65535]" from the pull-down option list "Service", and then in the boxes of "Source IP" input "192.168.1.0 to 0" (which means to include all Intranet IP addresses). In the boxes of "Destination IP" input "211.1.1.1 to 60.254.254.254". Select WAN2 from the pull down optio
10. The QVM series device provides three major convenient functions: 1. Smart Link IPSec VPN: Easy VPN setup replaces the conventional complicated VPN setup process by entering Server IP, User Name, and Password. 2. Central Control Feature: Displays a clear VPN connection status of all remote ends and branches. Its central control screen allows setup from remote into external client ends. 3. VPN Disconnection Backup: Solves data transmission problem arising from failed ISP connection with remote ends or the branches. 10.3.1 QVM Status [Screenshot: QVM Client Table with columns No., Account ID, Status, Interface, Start Time, End Time, Duration, Control and Config; Edit and Refresh buttons] Account: Displays the remote client user. Green means connection, blue waiting for connection and red for QVM disconnection. Status: Displays the QVM VPN connection status. Red means disconnection and green means connection. Interface: Shows which WAN port is applied to connect to this remote QVM. Start Time: Shows the starting time of QVM. End Time: Shows the ending time of QVM. Duration: Shows the total time used from the Start to the End of this QVM. Control: Shows the status of this QVM: waiting for connection (Waiting), stop the connection (Disconnect), and Disable this feature. Enable this QVM to enter the status of waiting for connection. Config: Click Edit to enter th
11. [Screenshot: WAN setting form with Enabled Line Dropped Scheduling, Line Dropped Period (24 Hour Format), Line Dropped Scheduling (minutes ahead of line dropped to start new session transferring) and Backup Interface] WAN IP address: Input the available static IP address issued by ISP. Subnet Mask: Input the subnet mask of the static IP address issued by ISP, such as: Issued eight static IP addresses: 255.255.255.248. Issued 16 static IP addresses: 255.255.255.240. Default Gateway: Input the default gateway issued by ISP. For ADSL users, it is usually an ATU-R IP address. As for optical fiber users, please input the optical fiber switching IP. DNS Server: Input the DNS IP address issued by ISP. At least one IP group should be input. The maximum acceptable is two IP groups. Enable Line Dropped Scheduling: The WAN disconnection schedule will be activated by checking this option. In some areas, there is a time limitation for WAN connection service. For example, the optical fiber service will be disconnected from 0:00 am to 6:00 am. Although there is a standby system in the device, at the moment of WAN disconnection, all the external connections that go through this WAN will be disconnected too. Only after the disconnected lines are reconnected can they go through the standby system to connect wit Other fields on this page: Line Dropped Period, Line Dropped Scheduling, Backup Interface.
12. for load Balance. IP Group: This function allows users to assign packets from specific Intranet IP addresses or to specific destination Service Ports and to specific destination IP addresses through an assigned WAN to the Internet. After being assigned, the specific WAN will only support those assigned Intranet IP addresses, destination Service Ports, or destination IP addresses. Those which are not configured will go through other WANs for external connection. Only when this mode is collocated with "Assigned Routing" can it bring the function into full play. Example 1: How do I set up the Assigned Routing Mode to keep all Intranet IP addresses from going through WAN2 when the destination is Port 80, and keep all other services from going through WAN1? As in the figure below, select "HTTP [TCP 80 to 80]" from the pull-down option list "Service", and then in the boxes of "Source IP" input "192.168.1.0 to 0" (which means to include all Intranet IP addresses). Retain the original numbers "0.0.0.0" in the boxes of "Destination IP" (which means to include all Internet IP addresses). Select WAN2 from the pull-down option list "Interface", and then click "Enable". Finally, click "Add New" and the rule will be added to the mode. After the rule is set up, only packets that go to Port 80 will be transmitted through WAN2, while other traffic will be transmitted through WAN1.
13. Advanced Setting [Screenshot: Advanced Setting form with per-packet-type WAN Threshold and LAN Threshold values in packets/sec, blocking durations, and Exempted Source IP and Exempted Dest. IP fields] Packet Type: This device provides three types of data packet transmission: TCP-SYN-Flood, UDP-Flood and ICMP-Flood. WAN Threshold: When all packet values from external attack or from single external IP attack reach the maximum amount (the default is 15000 packets/Sec and 2000 packets/Sec respectively), the IP will be blocked for 5 minutes (the default is 5 minutes). Users can adjust the threshold value and the blocking duration to effectively deal with external attack. The threshold value should be adjusted from high to low. LAN Threshold: When all packet values from internal attack or from single intern
14. MAC Clone. System Tool: V. Device Spec Verification, Status Display and Login Password and Time Setting. Password: 5.2 Change and Set Login Password and Time. Diagnostic: 12.1 Diagnostic. Firmware Upgrade: 12.2 Firmware Upgrade. Configuration Backup: 12.3 Configuration Backup. Time: 5.2 Change and Set Login Password and Time. System Recover: 12.5 System Recover. Port Management. Gateway to Gateway: 10.1.2.1 Gateway to Gateway. VPN Pass Through. Summary: 10.2.1, 10.2.3 QnoKey Group and Client. QVM Setup: 10.3.1 QVM VPN Status. Traffic Statistic: 13.3 Traffic Statistic. IP/Port Statistic: 13.4 IP/Port Statistic. Appendix II: Troubleshooting. (1) Block BT Download: To block BT and prevent downloading by users, go to "Firewall -> Content Filter" and select "Enable Website Block by Keywords", followed by the input of "torrent". This will prevent the users from downloading. [Screenshot: Content Filter page with Block Forbidden Domains, Accept Allowed Domains, and Website Blocking by Keywords enabled with the keyword "torrent"] (2) Shock Wave and Worm Virus Prevention: Since
15. automatically filled into this space. Users don't need to do further settings. [Screenshot: IP Only] 2. IP + Domain Name (FQDN) Authentication: If users select IP + domain name type, please enter the domain name and IP address. The WAN IP address will be automatically filled into this space. Users don't need to do further settings. FQDN refers to the combination of host name and domain name and can be retrieved from the Internet, i.e. vpn.server.com. This IP address and domain name must be identical to those of the VPN secure gateway setting type to establish successful connection. [Screenshot: IP + Domain Name (FQDN) Authentication] 3. IP + E-mail Addr. (USER FQDN) Authentication: If users select IP address and E-mail, enter the IP address and E-mail address to gain access to this tunnel, and the WAN IP address will be automatically filled into this space. Users don't need to do further settings. [Screenshot: IP + E-mail Addr. (USER FQDN) Authentication] 4. Dynamic IP + Domain Name (FQDN) Authentication: If users use dynamic IP address to connect to the device, users may select this option to link to VPN. If the remote VPN gateway requires connection to the device for VPN connection, this device will start authentication and respond to this VPN tunnel connection; if users select this option to link to VPN, please enter the domain name
16. [Screenshot: IP & MAC list window showing an entry for 192.168.1.100 and a Close button] Name: Input the name or address of the client that is to be bound. The maximum acceptable characters are 12. Enabled: Choose the item to be bound. Apply: Activate the configuration. Select All: Choose all items on the list for binding. Refresh: Refresh the list. Close: Close the list. VIII. QoS (Quality of Service): QoS is an abbreviation for Quality of Service. The main function is to restrict bandwidth usage for some services and IP addresses to save bandwidth or provide priority to specific applications or services, and also to enable other users to share bandwidth, as well as to ensure stable and reliable network transmission. To maximize the bandwidth efficiency, network administrators should take account of the practical requirements of a company, a community, a building, or a café, etc., and modify bandwidth management according to the network environment, application processes or services. 8.1 Bandwidth Management [Screenshot: The Maximum Bandwidth provided by ISP; Quality of Service form with Interface (WAN1, WAN2), Service (All Traffic, TCP&UDP 1 to 65535), Service Management, IP Address, Mini. Rate and Max. Rate in Kbit/sec, and bandwidth sharing options] Share total bandwidth with all IP addresses. Assign bandwidth for each IP a
17. IP: Select the destination IP range, such as Any, Single, Range, or preset IP group name. If Single or Range is selected, please enter a single IP address or an IP address within a session. Scheduling: Select "Always" to apply the rule on a round-the-clock basis. Select "from", and the operation will run according to the defined time. Apply this rule: Select "Always" to apply the rule on a round-the-clock basis. If "From" is selected, the activation time is introduced as below. ... to ...: This control rule has time limitation. The setting method is in 24-hour format, such as 08:00 to 18:00 (8 a.m. to 6 p.m.). Day Control: "Everyday" means this period of time will be under control every day. If only certain days of a week should be under control, users may select the desired days directly. Apply: Click "Apply" to save the configuration. Cancel: Click "Cancel" to leave without making any change. Example 1: How to block TCP 135 to 139 virus port? Firstly, add TCP 135 to 139 port in "Add new service port" (please refer to the chapter on how to add a new service port), then configure as in the steps below. Action: Forbid. Service Port: TCP 135 to 139. Source Interface: ANY (meaning to block all traffic from intranet to internet and all attack from internet to intranet through the service port). Source IP: ANY (meaning to block all traffic from intranet to internet and all attack from internet to intranet throug
18. [Screenshot: QnoKey group form with Enable this rule, Interface, Life Time (Forever or Day), Account Number Limitation (max 100) and Stolen Key Login Action (Do Nothing)] This page is designed for QnoKey group setup. Group parameters for QnoKey include WAN ports, valid time, and number of users, and protection actions for potential QnoKey losses. These setting options facilitate classified management for QnoKey users and enhance security. Enable this rule: Select this option to activate this setting rule. Group Account ID: Enter the QnoKey group name that users would like to set up. Interface: Select WAN port and enter the correct IP address which corresponds to WAN port or the domain name analyzed by DDNS. If WAN ports are empty, IP entry is not necessary so that VPN connection will not fail. This option allows users to select which WAN port to make connection, facilitating management. If WAN1 is selected, QnoKey group users can connect through only WAN1. If both WAN 1 and WAN 2 are selected, QnoKey group users are allowed to make connection via WAN 1 or WAN 2. When WAN 1 is disconnected, WAN2 will be automatically connected to back up VPN connection. Note: If WAN port is selected and the network connection type is set as static IP, the system will automatically display this WAN IP. Administrator does not need to enter it manually. If WAN por
19. [Screenshot: IP & MAC Binding form with Name, Enabled, Add to list and Delete selected item controls, and the options "Block MAC address on the list with wrong IP address" and "Block MAC address not on the list"] There are two methods for setting up this function: 1. Block MAC address not on the list: This method only allows MAC addresses on the list to receive IP addresses from DHCP and have Internet access. When this method is applied, please fill out Static IP with 0.0.0.0, as the figure below. [Screenshot: IP & MAC Binding form with Static IP set to 0.0.0.0, MAC Address, Name and Enabled fields, Show new IP user, Show Table, Apply and Cancel] 2. IP & MAC Binding [Screenshot: IP & MAC Binding form with Static IP, MAC Address, Name and Enabled fields] Static IP: There are two ways to input static IP: 1. If users want to set up a MAC address to acquire IP from DHCP, but the IP need not be a specific assigned IP, input 0.0.0.0 in the boxes. The boxes cannot be left empty. 2. If users want DHCP to assign a sta
21. This action will be effective before "Apply" to save the configuration. VI. Network: This Network page contains the basic settings. For most users, completing this general setting is enough for connecting with the Internet. However, some users need advanced information from their ISP. Please refer to the following descriptions for specific configurations. 6.1 Network Connection [Screenshot: Host Name (required by some ISPs); LAN Setting: Device IP Address 192.168.1.1, Subnet Mask 255.255.255.0, Multiple Subnet Setting Disabled, Unified IP Management; WAN Setting: WAN 1 and WAN 2 set to Obtain an IP automatically, Edit; Enable DMZ; Apply, Cancel] 6.1.1 Host Name and Domain Name [Screenshot: Host Name and Domain Name fields, each required by some ISPs] Device name and domain name can be input in the two boxes. Though this configuration is not necessary in most environments, some ISPs in some countries may require it. 6.1.2 LAN Setting: This is configuration information for the device current LAN IP address. The default configuration is 192.168.1.1 and the default Subnet Mask is 255.255.255.0. It can be changed according to the actual network structure. [Screenshot: LAN Setting]
22. authentication and respond to this VPN tunnel connection; if users select this option to link to VPN, please enter the domain name. [Screenshot: Dynamic IP + Domain Name (FQDN) Authentication] 5. Dynamic IP + E-mail Addr. (USER FQDN) Authentication: If users use dynamic IP address to connect to the device, users may select this option to connect to VPN without entering IP address. When VPN Gateway requires for VPN connection, the device will start authentication and respond to VPN tunnel connection; if users select this option to link to VPN, enter E-Mail address to the empty field for E-Mail authentication. [Screenshot: Remote Security Gateway Type set to Dynamic IP + E-mail Addr. (USER FQDN) Authentication] IPSec Setup [Screenshot: IPSec Setting form: IKE with Preshared Key; Group 1, DES and MD5 selections with SA life times in seconds for each phase; Preshared Key; Advanced] If there is any encryption mechanism, the encryption mechanism of these two VPN tunnels must be identical in order to create connection. And the transmission data must be encrypted with IPSec key, which is known as the encryption "key". The device provides the IKE automatic encryption mode: IKE with Preshared Key (automatic). By using the drop-down menu, select the desired encryption mode as illustrated below. Encryption Management Protocol: When users set this
23.   bandwidth.

The maximum bandwidth: This rule is to restrict the maximum available bandwidth. The maximum bandwidth will not exceed the limit set up under this rule.

Attention: The unit of calculation used in this rule is Kbit. Some software indicates download/upload speed by the unit KB. 1 KB = 8 Kbit.

Bandwidth sharing:

Sharing total bandwidth with all IP addresses: If this option is selected, all IP addresses or Service Ports will share the bandwidth range (from minimum to maximum bandwidth).

Assign bandwidth for each IP address: If this option is selected, every IP or Service Port in this range can have this bandwidth (minimum to maximum). For example, if the rule is set for the IP of each PC, the IP of each PC will have the same bandwidth.

Attention: If "Share Bandwidth" is selected, be aware of the actual usage conditions and avoid an improper configuration that might cause a malfunction of the network when the bandwidth is too small. For example, if users do not want FTP to occupy too much bandwidth, users can select the "Share Bandwidth Mode", so that no matter how much users use FTP to download information, the total occupied bandwidth is fixed.

Enable: Activate the rule.

Add to list: Add this rule to the list.

Delete selected items / Show Table / Apply / Cancel / Show Table

Move up & Move down: QoS rules will be executed fro
24.   [Screenshot: System Log window listing "login successful" management entries for user admin, from 192.168.1.100 to 192.168.1.1]

Outgoing Packet Log:

View the system packet log of packets sent out from the internal PC to the Internet. This log includes the LAN IP, destination IP, and service port that is applied. It is illustrated below.

[Screenshot: Outgoing Packet Log window with Time and Event-Type columns]
25.   168.1.1, Subnet Mask 255.255.255.0, Multiple Subnet Setting Disabled, Unified IP Management

Multiple Subnet Setting:

Click "Unified IP Management" to enter the configuration page, as shown in the following figure. Input the respective IP addresses and subnet masks.

[Screenshot: LAN Setting with Device IP Address 192.168.1., Subnet Mask 255.255.255.0, Multiple Subnet Setting, LAN IP Address and "Add to list"]

This function enables users to input IP segments that differ from the router network segment to the multi-net segment configuration; the Internet will then be directly accessible. In other words, if there are already different IP segment groups in the Intranet, the Internet is still accessible without making any changes to internal PCs. Users can make changes according to their actual network structure.

6.1.3 WAN & DMZ Settings

WAN Setting:

[Screenshot: WAN Setting with WAN 1 and WAN 2 set to "Obtain an IP automatically" and an Edit link for each]

Interface: An indication of which port is connected.

Connection Type: Obtain an IP automatically, Static IP connection, PPPoE (Point-to-Point Protocol over Ethernet), PPTP (Point-to-Point Tunneling Protocol) or Transparent Bridge.

Config.: A modification in an advanced configuration: Click Edit to enter the advanced configuration page.

Obtain an Automatic IP automatically:

This mode is oft
26.   [Screenshot: LAN Setting with Device IP Address and Subnet Mask]

Therefore, the DHCP DNS IP address must be 10.10.10.1 to make the DNS local database take effect.

[Screenshot: DNS]

3. After enabling the DNS local database, if there are no host domain names in the list, the router will still use the ISP DNS server or internal DNS server for lookup.

Test if the DNS local database is effective:

Assume the tw.yahoo.com IP address is 10.10.10.199, as in the following figure.

[Screenshot: DNS Local Database with Host Domain Name (Ex: www.google.com), IP Address, "Update this Entry" and "Delete selected item"]

1. System Tool > Diagnostic > DNS Name Lookup

[Screenshot: DNS Name Lookup / Ping]

2. Enter tw.yahoo.com for lookup.

[Screenshot: DNS Name Lookup / Ping]

3. The IP is 10.10.10.199, confirming the corresponding IP in the DNS local database.

[Screenshot: DNS Name Lookup result with Status 10.10.10.199]

7.5 IP & MAC Binding

Administrators can apply the IP & MAC Binding function to make sure that users cannot add extra PCs for Internet access or change private IP addresses.

[Screenshot: IP & MAC binding page with "Show new IP user", Static IP and MAC Address fields]
27.   Address

[Screenshot: Local Security Group Type set to IP Address]

Reference: When this VPN tunnel is connected, computers with the IP address of 192.168.1.0 can establish connection.

2. Subnet

This option allows local computers in this subnet to be connected to the VPN tunnel.

[Screenshot: Subnet selected, with IP address and subnet mask fields]

Reference: When this VPN tunnel is connected, only computers with the session of 192.168.1.0 and with subnet mask as 255.255.255.0 can connect with the remote VPN.

3. IP Range

This option allows connection only from the IP address range that is entered, after the VPN tunnel is connected.

[Screenshot: IP Range selected, 192.168.1.0 to 254]

Reference: When this VPN tunnel is connected, computers with the IP address of 192.168.1.0 to 254 can establish connection.

Remote Group Setup:

[Screenshot: Remote VPN Group Setting]

This remote gateway authentication type (Remote Security Gateway Type) must be identical to the remotely connected local security gateway authentication type (Local Security Gateway Type).

Remote Security Gateway Type:

This local gateway authentication type comes with five operation modes, which are:

IP only
IP + Domain Name (FQDN) Authentication
IP + E-mail Addr. (USER FQDN) Authentication
Dynamic IP + Domain Name (FQDN) Authentication
Dynamic IP + E-mail Addr. (USER FQDN) Authentication

(1) IP only:

If users decide to use IP only, entering the IP address
28.   Address down to up, Session down to up, and Session up to down.

Jump to __ Page / __ Entries per page: Select this function to choose how many entries of data are displayed per page. You can also select the page you would like to see from the drop-down menu.

Data List field

IP Address: Displays the IP address of each PC that has outbound traffic. You can also click the IP hyperlink to display the current connection statistics and details, as in the following figure.

[Screenshot: IP/Port Statistic table of connections from 192.168.8.100]

Host Name: Displays the names of PCs that have outbound traffic. It will show blank when the system cannot analyze.

Session: Displays the connection sessions of PCs that have outbound traffic.

Refresh: Click the Refresh button to update the data and list.

12.6 QRTG (Qno Router Traffic Grapher)

QRTG utilizes a dynamic GUI and simple statistics to display the current system status of the Qno Firewall/Router, including CPU Utilization, Memory Utilization, Session and WAN Traffic.

Enable QRTG: The function is disabled b
29.   Clone

[Screenshot: MAC Clone table listing WAN 1 and WAN 2 with their MAC addresses and Edit links]

Select the WAN port whose configuration is to be edited and click the hyperlink to enter and edit its configuration. Users can input the MAC address manually. Press "Apply" to save the setting, and press "Cancel" to remove the setting.

The default MAC address is the WAN MAC address.

[Screenshot: MAC Clone edit page with Interface, Default and "MAC Address from this PC" options]

XII. System Tool

This chapter introduces the management tools for controlling the device and testing the network connection.

For security considerations, we strongly suggest changing the password. Password and Time setting is in Chapter 5.2.

12.1 Diagnostic

[Screenshot: System Tool menu]

The device provides a simple online network diagnostic tool to help users troubleshoot network-related problems. This tool includes DNS Name Lookup (Domain Name Inquiry Test) and Ping (Packet Delivery/Reception Test).

[Screenshot: DNS Lookup / Ping]

DNS Lookup

On this test screen, please enter the host name of the network users want to test. For example, users may enter www.abc.com and press "Go" to start the test. The result will be displayed on this page.

[Screenshot: DNS Lookup / Ping] Look up doma
30.   Input the DNS IP address set by ISP. At least one IP group should be input. The maximum acceptable is two IP groups.

Input the available IP range issued by ISP. If ISP issued two discontinuous IP address ranges, users can input them into Internal LAN IP Range 1 and Internal LAN IP Range 2 respectively.

The WAN disconnection schedule will be activated by checking this option. In some areas, there is a time limitation for WAN connection service. For example, the optical fiber service will be disconnected from 0:00 am to 6:00 am. Although there is a standby system in the device, at the moment of WAN disconnection, all the external connections that go through this WAN will be disconnected too. Only after the disconnected lines are reconnected can they go through the standby system to connect with the Internet. Therefore, to avoid a huge number of disconnections, users can activate this function to arrange new connections to be made through another WAN to the Internet. In this way, the effect of any disconnection can be minimized.

Dropped Period: Input the time rule for disconnection of this WAN service.

Line Dropped Scheduling: Input how long the WAN service may be disconnected before the newly added connections should go through another WAN to connect with the Internet.

Backup Interface: Select another WAN port as link backup when port binding is configured. Users should select the port that employs the same ISP
31.   Server synchronization function or set up a time reference.

Synchronize with external NTP server: The device has an embedded NTP server, which will update the time automatically.

[Screenshot: Network Time page under System Tool, with the options "Set the local time using Network Time Protocol (NTP) automatically" and "Set the local time Manually"]

Time Zone: Select your location from the pull-down time zone list to show the correct local time.

Daylight Saving: If there is Daylight Saving Time in your area, input the date range. The device will adjust the time for the Daylight Saving period automatically.

NTP Server: If you have your own preferred time server, input the server IP address.

Apply: After the changes are completed, click "Apply" to save the configuration.

Cancel: Click "Cancel" to leave without making any change. This action will be effective before "Apply" to save the configuration.

Select the Local Time Manually: Input the correct time, date, and year in the boxes.

[Screenshot: "Set the local time Manually" selected, with Hours, Minutes, Seconds, Month, Day and Year fields]

After the changes are completed, click "Apply" to save the configuration. Click "Cancel" to leave without making any change
32.   VPN tunnel to use any encryption and authentication mode, users must set the parameter of this exchange password with that of the remote.

IKE Protocol:

Click the shared key generated by IKE to encrypt and authenticate the remote user. If PFS (Perfect Forward Secrecy) is enabled, the Phase 2 shared key generated during the IKE coordination will conduct further encryption and authentication. When PFS is enabled, hackers using brute force to capture the key will not be able to get the Phase 2 key in such a short period of time.

Perfect Forward Secrecy: When users check the PFS option, don't forget to activate the PFS function of the VPN device and the VPN Client as well.

Phase 1/Phase 2 DH Group: This option allows users to select Diffie-Hellman groups: Group 1, Group 2, Group 5.

Phase 1/Phase 2 Encryption: This option allows users to set this VPN tunnel to use any encryption mode. Note that this parameter must be identical to that of the remote encryption parameter: DES (64-bit encryption mode), 3DES (128-bit encryption mode), AES (the standard of using security code to encrypt information). It supports 128-bit, 192-bit, and 256-bit encryption keys.

Phase 1/Phase 2 Authentication: This authentication option allows users to set this VPN tunnel to use any authentication mode. Note that this parameter must be identical to that of the remote authentication mode: MD5 o
33.   actual IP addresses (the Internet IP addresses) with Port 80 (the service port of WWW is Port 80) to access the internal server directly. In the configuration page, if a web server address such as 192.168.1.50 and Port 80 has been set up in the configuration, this web page will be accessible from the Internet by keying in the device's actual IP address, such as http://211.243.220.43.

At this moment, the device's actual IP will be converted into "192.168.1.50" by Port 80 to access the web page.

In the same way, to set up other services, please input the server TCP or UDP port number and the virtual host IP addresses.

[Screenshot: Port Range Forwarding with Service, IP Address, Interface, Enable, "Add to list", Service Management and a delete button]

Service: Select from the default list of service ports the service of the virtual host that users want to activate, such as All (TCP&UDP) 0~65535, 80 (80~80) for WWW, and 21~21 for FTP. Please refer to the list of default service ports.

IP Address: Input the virtual host IP address.

Enabled: Activate this function.

Service Port Management: Add or remove service ports from the list of service ports.

Add to list: Add to the active service content.

Service Port Management

The services in the list mentioned above are frequently used services. If the service users want to activate is not in the list, we
34.   and QnoKey is 1:1:1.

2. The conversion ratio between PPTP and IPSec VPN/QVM/QnoKey is 1:10. Namely, one PPTP tunnel is equal to tenfold IPSec VPN/QVM/QnoKey tunnel.

3. The maximum weighting of total tunnels is equal to the specification limitation of PPTP tunnel number x PPTP weighting (10).

4. Total tunnel weighting is equal to PPTP total tunnel number x PPTP weighting (10) + IPSec VPN/QVM/QnoKey total tunnel number x IPSec weighting (1).

5. The conversion principle can't overrule the specification limitation of each type of tunnel.

[Screenshot: tunnel counters showing Total tunnel weighting and the PPTP, QVM, QnoKey and IPSec VPN Total Tunnel Numbers in use]

Detail: Push this button to display the following information with regard to all current VPN configurations to facilitate VPN connection management.

[Screenshot: WAN1 to WAN4 IP addresses]

VPN Tunnel Status:

The following describes VPN Tunnel Status, the current status of the VPN tunnels, in detail.

[Screenshot: VPN Tunnel Status with tunnels enabled and defined, "Jump to page", entries per page and "Add New Tunnel"]

Previous Page / Next Page: Click Previous page or Next page to view the desired VPN tunnel page. Or users can select the page number di
35.   and doesn't go online through the normal device. From the PC end, the situation is "disconnection".

For these two situations, both the device and the client must be set up to prevent ARP virus attack, which is to guarantee the complete resolution of the issue. When selecting a device, it is advisable to consider one with protection against ARP virus attack. Qno products come squarely with such a feature, which is very user-friendly compared to other products.

2. ARP Diagnostic

If one or more computers are affected by the ARP virus, we must learn how to diagnose and take appropriate measures. The following is experience shared by Qno technical engineers with regard to ARP prevention.

From the ARP working principle, it is known that if the ARP cache is changed and the device is constantly notified with a series of wrong IP addresses, or if there is spoofing by a fake gateway, then the disconnection issue will affect a great number of devices. This is the typical ARP attack. It is very easy to judge whether there is an ARP attack. Once users find the PC where there is a problem, users may enter the DOS system and ping the LAN IP to see the packet loss. Enter ping 192.168.1.1 (gateway IP address), as illustrated.

Reply from 192.168.1.1: bytes=32 time<1ms
Reply from 192.168.1.1: bytes=32 time<1ms
Request timed out.
Request timed out.
Request timed out.
Request timed o
36.   by the use of IP only, IP + Domain Name (FQDN) Authentication (IP + Domain name), IP + E-mail Addr. (USER FQDN) Authentication (IP + Email address), Dynamic IP + Domain Name (FQDN) Authentication (Dynamic IP address + Domain name), Dynamic IP + E-mail Addr. (USER FQDN) Authentication (Dynamic IP address + Email address name).

(1) IP only:

If users decide to use IP only, entering the IP address is the only way to gain access to this tunnel. The WAN IP address will be automatically filled into this space. Users don't need to do further settings.

[Screenshot: Local Security Gateway Type]

(2) IP + Domain Name (FQDN) Authentication:

If users select the IP + domain name type, please enter the domain name and IP address. The WAN IP address will be automatically filled into this space. Users don't need to do further settings. FQDN refers to the combination of host name and domain name and can be retrieved from the Internet, i.e. vpn.server.com. This IP address and domain name must be identical to those of the VPN secure gateway setting type to establish a successful connection.

[Screenshot: Local Security Gateway Type set to IP + Domain Name (FQDN) Authentication]

Local Security Group Type:

(3) IP + E-mail Addr. (USER FQDN) Authentication:

If users select IP address and E-mail, enter the IP address and E-mail address to gain access to this tunnel and the WAN IP address will be automatically filled into this s
37.   cache.

Moreover, an ARP virus attack can be briefly described as an internal attack on the PC, which corrupts the ARP table of the PC. In a LAN, an IP address is translated into the layer-2 physical address (MAC address) through the ARP protocol. The ARP protocol is critical to network security. ARP spoofing is caused by fake IP addresses and MAC addresses, and the massive ARP communications traffic will block the network. The fake source MAC address sends ARP responses, attacking the high-speed cache mechanism of ARP. This usually happens to cyber cafe users. Some or all devices in the shop experience temporary disconnection or failure to go online. It can be resolved by restarting the device; however, the problem repeats shortly after. Cafe administrators can use the arp -a command to check the ARP table. If the device IP and MAC are changed, it is the typical symptom of an ARP virus attack.

A virus program such as PWSteal.lemir or its variants is a worm virus of the Trojan programs affecting Windows 95, 98, Me, NT, 2000, XP, 2003. There are two attack methods affecting the network connection speed: spoofing the ARP table in the device or in the LAN PC. The former intercepts the gateway data and ceaselessly sends a series of wrong MAC messages to the device, which sends out the wrong MAC address. The PC thus cannot receive the messages. The latter is an ARP attack by fake gateways. A fake gateway is established. The PC which is cheated sends data to this gateway
38.   don't turn off the power or press the Reset button.

3. Please don't close the window or disconnect the link during the upgrade process.

12.3 Configuration Backup

[Screenshot: Configuration Backup page under System Tool, with Import Configuration File (Browse) and Export Configuration File]

Import Configuration File:

This feature allows users to integrate all backup content of parameter settings into the device. Before upgrade, confirm all information about the software version. Select and browse the backup parameter file "config.exp". Select the file and click "Import" to import the file.

Export Configuration File:

This feature allows users to back up all parameter settings. Click "Export" and select the location to save the "config.exp" file.

12.4 SNMP

Simple Network Management Protocol (SNMP) refers to a network management communications protocol and it is also an important network management item. Through this SNMP communications protocol, programs with network management (i.e. SNMP Tools-HP Open View) can help communications of real-time management. The device supports standard SNMP v1/v2c and is consistent with SNMP network management software so as to get hold on to the operation of the
39.   enter the system because of the access rules, for instance, message will be recorded in the system log.

If remote users enter the system because of compliance with access rules, for instance, message will be recorded in the system log.

When the system settings are changed, this message will be sent back to the system log.

Successful entry into the system includes login from the remote end or from the LAN into this device. These messages will be recorded in the system log.

The following is the description of the four buttons allowing online inquiry into the log.

View System Log:

This option allows users to view the system log. The message content can be read online via the device. The views include All Log, System Log, Access Log, and Firewall Log, as illustrated below.

[Screenshot: System Log window listing a "System is up" entry and "login successful" management entries for user admin, from 192.168.1.100 to 192.168.1.1]
40.   exchange code is set to 3600 seconds (or 1 hour) by default. This allows the automatic generation of other exchange passwords within the valid time of the VPN connection so as to guarantee security.

Preshared Key: For the Auto (IKE) option, enter a password made up of any digits or characters in the "Pre-shared Key" text field (the example here is set as test), and the system will automatically translate what users entered as the exchange password and authentication mechanism during the VPN tunnel connection. This exchange password can be made up of up to 30 characters.

Advanced Setting (for IKE Protocol Only)

[Screenshot: Advanced options: Aggressive Mode; Compress (Support IP Payload Compression Protocol (IP Comp)); Keep Alive; AH Hash Algorithm (MD5); Allow NetBIOS Broadcast Pass Through; NAT Traversal; Dead Peer Detection (DPD), Interval 10 seconds; Allow specific broadcast packet pass through; Heart Beat with Remote Host, Interval and Retry count]

The advanced settings include Main Mode and Aggressive Mode. For the Main Mode, the default setting is set to VPN operation mode. The connection is the same as with most VPN devices.

Aggressive Mode: This mode is mostly adopted by remote devices. The IP connection is designed to enhance the security control if dynamic IP is used for connection.

Use IP Header Compression Protocol: If this option is selec
41.   for external connections. The network bandwidth is set by what users input for it. For example, if the upload bandwidth of both WANs is 512 Kbit/sec, the automatic load ratio will be 1:1; if one of the upload bandwidths is 1024 Kbit/sec while the other is 512 Kbit/sec, the automatic load ratio will be 2:1. Therefore, to ensure that the device can balance the actual network load, please input real upload and download bandwidths. This section refers to the QoS configuration. Therefore, it should be set in the QoS page. Please refer to 8.1 QoS bandwidth configuration.

Protocol Binding

Users can define specific IP addresses or specific application service ports to go through a user-assigned WAN for external connections. For any other unassigned IP addresses and services, WAN load balancing will still be carried out.

Note:

In the load balance mode of Assigned Routing, the first WAN (WAN1) cannot be assigned. It is to be saved for the IP addresses and the application Service Ports that are not assigned to other WANs (WAN2) for external connections. In other words, the first WAN (WAN1) cannot be configured with the Protocol Binding rule. This is to avoid a condition where all WANs are assigned to specific Intranet IP or Service Ports and destination IP, so that no more WAN ports will be available for other IP addresses and Service Ports.

[Screenshot: Protocol Binding] Service, Source IP, Dest. IP
42.   is done.

DMZ: The DMZ port can be connected to servers that have legal IP addresses, such as Web servers, mail servers, etc.

IV. Login

This chapter mainly introduces the Web-based UI after connecting the device.

First, check the device's IP address by opening DOS on a LAN PC under the device. Go to Start > Run, enter cmd to open DOS, and enter ipconfig to get the Default Gateway address, 192.168.1.1 in the graphic below. Make sure the Default Gateway is also the default IP address of the router.

[Screenshot: Command Prompt running ipconfig, showing Default Gateway 192.168.1.1]

Attention:

When an IP address and default gateway are not obtained by using "ipconfig", or the received IP address is 0.0.0.0 and 169.X.X.X, we recommend that users check if there is any problem with the circuits or whether the computer network card is connected properly.

Then, open a web browser, IE for example, and key in 192.168.1.1 in the website column. The login window will appear as below.

The devi
43.   numerals, and the first character should be an English letter.

[Screenshot: QnoDDNS application form with its Application Rule list and User Name / Domain Name fields]

11.6 MAC Clone

Some ISP will request for a fixed MAC address (network card physical address) for distributing IP address, which is mostly suitable for cable mode users. Users can input the network card physical address (MAC address: 00-xx-xx-xx-xx-xx) here. The device will adopt this MAC address when requesting IP address from ISP.

MAC
44.   occupied, thus overloading the device. Therefore, the device responds more slowly or is paralyzed. If the login onto the QQLive Server is blocked, the issue can be resolved. The following relates to Qno products and provides users with solutions by showing users how to set up the device.

a. Log into the device web-based UI, and enter "Firewall > Access Rule".

[Screenshot: Access Rule page with Services and Scheduling sections]

b. Click "Add New Rule" under the "Access Rule" page. Select "Deny" in "Action" under the "Service" rule setting, followed by the selection of "All Traffic [TCP&UDP/1~65535]" from the service, and select "Any" for Interface and "Any" for source IP address (users with relevant needs may select either "Single" or "Range" to block any QQLive login by using one single IP or IP range), followed by the selection of "Single" for the "Dest. IP", and enter the IP address as 121.14.75.155 for the QQLive Server (note that there is more than one IP address for the QQLive server; repeated addition may be needed). Lastly, select "Always" under the Scheduling setting so that the QQLive Login Time can be set. (If necessary, a specific time setting may be undertaken.) Click "Apply" to move to the next step.

c. Input the following IP addresses in Dest. IP, repeating the operation: 121.14.75.115, 60.28.234.117, 60.28.235
45. online devices and the real time network information. [Figure: SNMP setup screen under System Tool] The UI might vary from model to model, depending on different product lines. Enabled: Activate SNMP feature. The default is activated. System Name: Set the name of the device, such as Qno. System Contact: Set the name of the person who manages the device (i.e. John). System Location: Define the location of the device (i.e. Taipei). Get Community Name: Set the name of the group or community that can view the device SNMP data. The default setting is "Public". Set Community Name: Set the name of the group or community that can receive the device SNMP data. The default setting is "Private". Trap Community Name: Set user parameters (password required by the Trap-receiving host computer) to receive Trap message. Send SNMP Trap to: Set one IP address or Domain Name for the Trap-receiving host computer. Apply: Press "Apply" to save the settings. Cancel: Press "Cancel" to keep the settings unchanged. 12.5 System Recover: Users can restart the device with System Recover button.
46. packet data of this specific port will be displayed. Data include receive/transmit packet count, receive/transmit packet Byte count and error packet count. Users may press the refresh button to update all real time messages. 7.3 IP/DHCP: With an embedded DHCP server, it supports automatic IP assignation for LAN computers. (This function is similar to the DHCP service in NT servers.) It benefits users by freeing them from the inconvenience of recording and configuring IP addresses for each PC respectively. When a computer is turned on, it will acquire an IP address from the device automatically. This function is to make management easier. [Figure: IP/DHCP setup screen with the Enabled DHCP Server option, Client Lease Time in minutes, and the Range Start fields] Dynamic IP. Enabled DHCP Server: Check the option to activate the DHCP server automatic IP lease function. If the function is activated, all PCs will be able to acquire IP automatically. Otherwise, users should configure static virtual IP for each PC individually. Client Lease Time: This is to set up a lease time for the IP address which is acquired by a PC. The default is 1440 minutes (a day). Users can chan
47. selected, the activation time is introduced as below. Day Control: This control rule has time limitation. The setting method is in 24-hour format, such as 08:00 ~ 18:00 (8 a.m. to 6 p.m.). X. VPN (Virtual Private Network). 10.1 VPN. [Figure: VPN Summary screen with the Gateway to Gateway, Client to Gateway, PPTP Setup, PPTP Status and VPN Pass Through tabs and the tunnel status list] 10.1.1 Display All VPN Summary: This VPN Summary displays the real-time data with regard to VPN status. These data include all tunnel numbers (PPTP, IPSec/QnoKey and IPSec VPN), setting parameters, Group VPN and so forth. Advanced Setting: Through Advanced Setting, users may adjust the tunnel number of IPSec and QnoKey. [Figure: tunnel counts used and available for PPTP (30 available), IPSec/QnoKey (200 available) and IPSec VPN (150 available)] This shows how many VPN tunnels are in use or available. [Figure: PPTP/IPSec Tunnel Number Setting dialogue] 1. The tunnel number conversion ratio among IPSec VPN, QVM
48. set to VPN operation mode. The connection is the same to most of the VPN devices. Aggressive Mode: This mode is mostly adopted by remote devices. The IP connection is designed to enhance the security control if dynamic IP is used for connection. Use IP Header Compression Protocol: If this option is selected, in the connected VPN tunnel, the device supports IP Payload Compression Protocol. Keep Alive: If this option is selected, VPN tunnel will keep this VPN connection. This is mostly used to connect the remote node of the branch office and headquarter or used for the remote dynamic IP address. AH hash calculation: For AH (Authentication Header), users may select MD5/SHA-1. NetBIOS Broadcast: If this option is selected, the connected VPN tunnel allows the passage of NetBIOS broadcast packet. This facilitates the easy connection with other Microsoft network; however, the traffic using this VPN tunnel will increase. Dead Peer Detection (DPD): If this option is selected, the connected VPN tunnel will regularly transmit HELLO/ACK message packet to detect whether there is connection between the two ends of the VPN tunnel. If one end is disconnected, the device will disconnect the tunnel automatically and then create new connection. Users can define the transmission time for each DPD message packet, and the default value is 10 seconds. Heart Beat: VPN Tunnel Heart Beat Detection
49. source IP address, network protocol type, source port, destination IP address, destination port, bytes per second and percentage. [Figure: Traffic Statistic screen] 12.4 IP/Port Statistic: The device allows administrators to inquire a specific IP (or from a specific port) about the addresses that this IP had visited, or the users (source IP) who used this service port. This facilitates the identification of websites that needs authentication but allows a single WAN port rather than Multi-WANs. Administrators may find out the destination IP for protocol binding to solve this login problem. For example, when certain port software is denied, inquiring about the IP address of this specific software server port may apply this feature. Moreover, to find out BT or P2P software, users may select this feature to inquire users from the port. [Figure: IP/Port Statistic screen] Specific IP Status: Enter the IP address that users want to inquire, and then the entire destination IP connected to remote devices as well as the number of ports will be displayed. [Figure: IP/Port Statistic results for IP address 192.168.1.100]
50. the Intranet IP 192.168.1.100 to WAN2 for the Internet. As in the figure below, select "All Traffic" from the pull-down option list "Service", and then in the boxes of "Source IP" input the source IP address "192.168.1.100" to "100". Retain the original numbers "0.0.0.0" in the boxes of "Destination IP" (which means to include all Internet IP addresses). Select WAN2 from the pull-down option list "Interface", and then click "Enable". Finally, click "Add New" and the rule will be added to the mode. [Figure: Protocol Binding rule for All Traffic from 192.168.1.100 bound to WAN2] Example 2: How do I set up Auto Load Balance Mode to keep Intranet IP 192.168.1.150 ~ 200 from going through WAN2 when the destination port is Port 80? As in the figure below, select "HTTP [TCP/80~80]" from the pull-down option list "Service", and then in the boxes for "Source IP" input "192.168.1.150" to "200". Retain the original numbers "0.0.0.0" in the boxes of "Destination IP" (which means to include all Internet IP addresses). Select WAN2 from the pull-down option list "Interface", and then click "Enable". Finally, click "Add Ne
51. the LAN port to be one or more disconnected network sessions. All of them will be able to log on to the Internet through the device. Members in the same network session (within the same VLAN) can see and communicate with each other. Members in different VLAN will not know the existence of other members. VLAN All: Set VLAN All port to be the public area of VLAN so that it can be connected to other VLAN networks. A server should be constructed for the intranet so that all VLAN group can visit this server. Set one of the network ports as VLAN All. Connect the server to VLAN All so that computers of different VLAN groups can be connected to this server. Moreover, the port where the administrator locates must be set as VLAN All so that it can be connected to the entire network to facilitate network management. 7.2 Port Status. [Figure: Port Status screen with Summary and Statistics for the selected port] Summary: There are Network Connection Type, Interface, Link Status (Up/Down), Port Activity (Port Enabled), Priority Setting (High or Normal), Speed Status (10Mbps or 100Mbps), Duplex Status (half duplex or full duplex), Auto Neg. (Enabled/Disabled), and VLAN. Statistics: The
52. the configured "Retry Times", it will be judged as "External Connection Disconnected". Delay time for external connection detection latency. The default is 30 seconds. After the retry timeout, external service detection will restart. When Fail: (1) Generate the Error Condition in the System Log: If an ISP connection failure is detected, an error message will be recorded in the System Log. This line will not be removed; therefore, some of the users on this line will not have normal connections. This option is suitable under the condition that one of the WAN connections has failed and the traffic going through this WAN to the destination IP cannot shift to another WAN to reach the destination. For example, if users want the traffic to 10.0.0.1 ~ 10.254.254.254 to go only through WAN1, while WAN2 is not to support these destinations, users should select this option. When the WAN1 connection is disconnected, packets for 10.0.0.1 ~ 10.254.254.254 cannot be transmitted through WAN2, and there is no need to remove the connection when WAN1 is disconnected. (2) Keep System Log and Remove the Connection: If an ISP connection failure is detected, no error message will be recorded in the System Log. The packet transmitted through this WAN will be shifted to the other WAN automatically, and be shifted back again when the connection for the original WAN is repaired and reconnected. This option
53. to activate the function. Input the Private IP address for the Intranet One to One NAT function. Input the Public IP address for the Internet One to One NAT function. The numbers of final IP addresses of actual Internet IP addresses. (Please do not include IP addresses in use by WANs.) Add this configuration to the One to One NAT list. Remove a selected One to One NAT list. Click "Apply" to save the network configuration modification. Click "Cancel" to leave without making any changes. One to One NAT mode will change the firewall working mode. If this function has been set up, the Internet IP server or PC which is mapped with a LAN port will be exposed on the Internet. To prevent Internet users from actively connecting with the One to One NAT server or PC, please set up a proper denial rule for access, as described in Firewall. 10.5 DDNS (Dynamic Domain Name Service): DDNS supports the dynamic web address transfer for QnoDDNS.org.cn, 3322.org, DynDNS.org, and DtDNS.com. This is for VPN connections to a website that is built with dynamic IP addresses, and for dynamic IP remote control. For example, the actual IP address of an ADSL PPPoE time-based system or the actual IP of a cable modem will be changed from time to time. To overcome this problem for users who want to build services such as a website, it offers the function of dynamic web address transfer. This service ca
54. IP Address: This is to select which user is to be controlled. If only a single IP is to be restricted, input this IP address, such as "192.168.1.100 to 100". The rule will control only the IP 192.168.1.100. If an IP range is to be controlled, input the range, such as "192.168.1.100 ~ 149". The rule will control IP addresses from 192.168.1.100 to 149. If all Intranet users that connect with the device are to be controlled, input "0" in the boxes of IP address. This means all Intranet IP addresses will be restricted. QoS can also control the range of Class C. Direction: Upstream: Means the upload bandwidth for Intranet IP. Downstream: Means the download bandwidth for Intranet IP. Server in LAN, Upstream: If a Server for external connection has been built in the device, this option is to control the bandwidth for the traffic coming from outside to this Server. Server in LAN, Downstream: If there are web sites built in the Intranet, this option is to control the upload bandwidth for the connections from outside to this Server. For example, game servers have been built in many Internet cafés. This rule can be used to control the bandwidth for connections from outside to the game server of a café to update data. In this way, game players inside the café will not be affected. Min. & Max. Rate (Kbit/Sec): The minimum bandwidth: The rule is to guarantee minimum available
55. 119, 222.28.155.17. QQLive Version: QQ Live 2008 (7 0 401 7 0). Tested on: 2008-07-29. After repeated addition, users may see the links to the QQLive Server blocked. Click "Apply" to block QQLive video broadcast. (4) ARP Virus Attack Prevention. 1. ARP Issue and Information: Recently, many cyber cafes in China experienced disconnection (partially or totally) for a short period of time, but connection is resumed quickly. This is caused by the clash with MAC address. When a virus-contained MAC mirrors to such NAT equipment as host devices, there is complete disconnection within the network. If it mirrors to other devices of the network, only devices of this affected network have problems. This happens mostly to legendary games, especially those with private servers. Evidently, the network is attacked by ARP, which aims to crack the encryption method. By doing so, the hackers may intercept the packet data and user information through the analysis of the game's communication protocol. Through the spread of this virus, the detailed information of the game players within the local network can be obtained. Their account and information are stolen. The following describes how to prevent such virus attack. First, let us get down to the definition of ARP (Address Resolution Protocol). In LAN, what is actually transmitted is "frame", in which there is MAC address of the destination host device. So cal
56. [Figure: weekly traffic charts, Nov 21 to Nov 27] II. WAN Traffic Statistic (hourly graphic and average up/down stream), as in the following figures. [Figure: QRTG WAN Traffic Statistics (Hour), WAN Downstream and WAN Upstream per WAN port, unit Kbps, with per-port averages] The UI might vary from model to model, depending on different product lines. III. WAN Traffic Statistic (Day graphic and average up/down stream), as in the following figures. [Figure: QRTG WAN Traffic Statistics (Day), WAN Downstream and WAN Upstream per WAN port, unit Kbps]
57. 5.2 Change and Set Login Password and Time. 5.2.1 Password Setting: Every time you log in to the device setting window, you must enter the password. The default value for the device username and password are both "admin". For security reasons, we strongly recommend that you change your password after first login. Please keep the password safe, or you might not be able to log in to the device. If you press the Reset button for more than 10 sec, the device will return to default. [Figure: Password Setup screen under System Tool] User Name: The default is "admin". Old Password: Input the original password. (The default is "admin".) New User Name: Input the new user name, i.e. Qno. New Password: Input the new password. Confirm New Password: Input the new password again for verification. Apply: Click "Apply" to save the configuration. Cancel: Click "Cancel" to leave without making any change. This action will be effective before "Apply" to save the configuration. 5.2.2 Time: The device can adjust time setting. Users can know the exact time of event occurrences that are recorded in the System Log, and the time of closing or opening access for Internet resources. You can either select the embedded NTP
58. 5.254. This means the Class B Network Segment of 210.11.x.x will be restricted to a specific WAN. If only specific Service Ports need to be designated, while a specific IP destination assignment is not required, input "0" into the IP boxes. Select the WAN for which users want to set up the binding rule. To activate the rule. To add this rule to the list. To remove the rules selected from the Service List. The priority for rule execution depends on the rule order in the list. A rule located at the top will be executed prior to those located below it. Users can arrange the order according to their priorities. The rules configured in Protocol Binding will be executed by the device according to their priorities too. The higher up on the list, the higher the priority of execution. Show Priority: Click the "Show Table" button. A dialogue box as shown in the following figure will be displayed. Users can choose to sort the list by priorities or by interface. Click "Refresh" and the page will be refreshed; click "Close" and the dialogue box will be closed. [Figure: Summary dialogue box] Add or Remove Service Port: If the Service Port users want to activate is not in the list, users can add or remove service ports from "Service Management" to arrange the list, as described in the following: Service Name: Protocol: Port range: Add To List: Delete selected service
59. [Figure: IP/Port Statistic results, continued] Specific Port Status: Enter the service port number in the field, and the IPs that are currently used by this port will be displayed. [Figure: IP/Port Statistic results searched by Service Port] 12.5 Connection Statistic (Future Feature): Connection Statistic function is used to record the numbers of network connections, including outbound sessions, and intranet users (PC). It also displays the user connection sessions. [Figure: Connection Statistic screen] When enabling Connection Statistic function, parts of system efficiency will be influenced. Therefore, the system will remind you of the influence when you enable this function. PC there are currently traffic: Display current PC amounts having outbound connections. If the PC does not boot up or is not connected to internet, it will not be counted in the Statistic. LAN PC Data Ordering By: Select this function to sort the data by "IP Address up to down", "IP
60. [Figure: sample log table entries] Clear Log Now: This feature clears all the current information on the log. 12.2 System Statistic: The device has the real-time surveillance management feature that provides system current operation information such as port location, device name, current WAN link status, IP address, MAC address, subnet mask, default gateway, DNS, number of received/sent/total packets, number of received/sent/total Bytes, Received and Sent Bytes/Sec., total number of error packets received, total number of the packets dropped, number of session, number of the new Session/Sec., and upstream as well as downstream broadband usage. [Figure: System Statistic table for WAN 1, WAN 2 and LAN] 12.3 Traffic Statistic: Six messages will be displayed on the Traffic
61. AN. IPSec VPN QoS Router: 2x100Mbps WAN, 2x100Mbps Switch LAN, WAN2/DMZ. Fully Integrated SMB & IPSec VPN Solution. English User's Manual. Product Manual Using Permit Agreement: [Product Manual (hereafter the "Manual") Using Permit Agreement] hereafter the "Agreement" is the using permit of the Manual, and the relevant rights and obligations between the users and Qno Technology Inc. (hereafter "Qno"), and is the exclusion to remit or limit the liability of Qno. The users who obtain the file of this manual directly or indirectly, and users who use the relevant services, must obey this Agreement. Important Notice: Qno would like to remind the users to read the clauses of the "Agreement" before downloading and reading this Manual. Unless you accept the clauses of this "Agreement", please return this Manual and relevant services. The downloading or reading of this Manual is regarded as accepting this "Agreement" and the restriction of clauses in this "Agreement". 1. Statement of Intellectual Property: Any text and corresponding combination, diagram, interface design, printing materials or electronic file are protected by copyright of our country, clauses of international copyright and other regulations of intellectual property. When the user copies the "Manual", this statement of intellectual property must also be copied and indicated. Otherwise, Qno rega
62. [Figure: bandwidth rule list] Example 1: How to set up the maximum download speed to 50 Kbit for the FTP protocol on all WAN interfaces? Please refer to the following as a setup example. Tick the boxes before both WAN1 and WAN2, then choose "FTP [TCP/21~21]" in Service; for IP Address, put your LAN IP range (e.g. 192.168.1.1~254); in the "Direction" part, open the dropdown box and choose Downstream. Enter 2 Kbit/Sec in Mini. Rate, which guarantees the minimum bandwidth for FTP downloading, and enter 50 Kbit/Sec in Max. Rate for a maximum limitation. Choose "Share total bandwidth with all IP addresses" in the "Bandwidth sharing" method, which means that all LAN users share a maximum 50 Kbit/Sec download speed on the FTP protocol no matter how many users are using it in the intranet. Click "Enable" and "Add to list", then this rule is successfully added. [Figure: bandwidth rule settings for Example 1] Example 2: How to set up the maximum download speed of each WAN to 512 Kbit/Sec for each LAN user? (One by one IP to set up?) No need to set up one by one. Below is the example. Click both WAN1 and WAN2, then choose "No Check Port TCP&UD
63. Amber LED flashing slowly. Press Reset Button Over 10 Secs: Factory Default. DIAG indicator: Amber LED flashing quickly. System Built-in Battery: A system timing battery is built into the device. The lifespan of the battery is about 1~2 years. If the battery life is over or it cannot be charged, the device will not be able to record time correctly, nor synchronize with internet NTP time server. Please contact your system supplier for information on how to replace the battery. Attention: Do not replace the battery yourself; otherwise irreparable damage to the product may be caused. Installing Router on a Wall: The Router has two wall mount slots on its bottom panel. When mounting the device on a wall, please ensure that the heat dissipation holes are facing sideways as shown in the following picture for safety reasons. [Figure: wall mounting orientation] Qno is not responsible for damages incurred by insecure wall mounting hardware. 3.2 VPN Router Network Connection. [Figure: network connection diagram with Hub/Switch, Server and Internet] WAN connection: A WAN port can be connected with xDSL Modem, Fiber Modem, Switching Hub, or through an external router to connect to the Internet. LAN Connection: The LAN port can be connected to a Switching Hub or directly to a PC. Users can use servers for monitoring or filtering through the port after "Physical Port Management" configuration
64. Domains. [Figure: Allowed Domains settings] Enabled: Activate the function. The default setting is "Disabled". Add: Input the allowed domain name, e.g. www.google.com. Add to list: Add the rule to list. Delete selected item: Users can select one or more rules and click to delete. Exception IP: Here IP/IP ranges are exempted from "Accept Allowed Domain" through this method. [Figure: Exception IP settings] Exception IP address: Input unrestricted IP/IP Range. Add to list: Click this button to add new unrestricted IPs. Delete selected item: Select one or more unrestricted IPs and click this button to delete them. Content Filter Scheduling: Select "Always" to apply the rule on a round-the-clock basis. Select "from", and the operation will run according to the defined time. For example, if the control time runs from 8 a.m. to 6 p.m., Monday to Friday, users may control the operation according to the following illustrated example. [Figure: Scheduling settings in 24-hour format with day-of-week selection] Always: Select "Always" to apply the rule on a round-the-clock basis. Select "from", and the operation will run according to the defined time. ...to...: Select "Always" to apply the rule on a round-the-clock basis. If "From" is
65. If the next destination is to 61.222.81.100 (in the same Class B range), the connection will also be through WAN2 (200.10.10.2). If the destination is to other IP not in the same Class B range as 61.222.81.100, the session will be distributed in the original session balance mechanism. Note: Not all intranet IP will visit the same Class B range with the same WAN IP. It depends on which WAN the first connection goes to. If the destination IP is in the same Class B range, the connection will go through with the same WAN IP based on the first time learning. User Define Dis. Or Port Auto Binding: Indicates that the intranet IP will connect through the same WAN IP when the service ports are self-defined. (You can self-define the service ports and destination IP.) If the destination IP is set as 0.0.0.0 to 0, this represents that the destination is to any IP range. Note: You can only choose either Destination Auto Binding or User Define Dis. Or Port Auto Binding. Take default rules for example, as in the following figure. [Figure: auto binding rule list with HTTPS [TCP/443~443] and destination 0.0.0.0] When any intranet IP connects with TCP443 port or any destination (0.0.0.0 to 0 represents any destination), it will go through the same WAN IP. As for which WAN will be se
66. It will also have a limiting effect on bandwidth usage. In addition, if any Intranet PC is attacked by a virus like Worm Blaster and sends a huge number of session requests, session control will restrict that as well. Session Control and Scheduling. [Figure: Session Control settings] Disabled: Disable Session Control function. Single IP cannot exceed __ session: This option enables the restriction of maximum external sessions to each Intranet PC. When the number of external sessions reaches the limit, to allow new sessions to be built, some of the existing sessions must be closed. For example, when BT or P2P is being used to download information and the sessions exceed the limit, the user will be unable to connect with other services until either BT or P2P is closed. When single IP exceed __: "block this IP to add new Session for 5 Minutes": If this function is selected, when the user's port session reach the limit, this user will not be able to make a new session for five minutes. Even if the previous session has been closed, new sessions cannot be made until the setting time ends. "block this IP all connection for 5 Mi
67. Mirror Port: All the traffic from LAN to WAN will be copied to the mirror port. The administrator can control or filter the traffic through the mirror port. Once this function is enabled, LAN 1 will be shown as Mirror Port in Physical Port Status on the Home page.

[Figure: Physical Port Status, showing LAN ports 1 and 2 and Internet ports WAN 1 and WAN 2]

Disabled Port: This feature allows users to turn the Ethernet port on or off. If selected, the Ethernet port will be shut down immediately and no connection can be made. The default value is "on".

Priority: This feature allows users to set the high/low priority of the packet delivery for the Ethernet port. If it is set as High, the port has the first priority to deliver the packet. The default value is "Normal".

Speed Status: This feature allows users to select the network hardware connection speed for the Ethernet port. The options are 10Mbps and 100Mbps.

Duplex Status: This feature allows users to select the network hardware connection speed working mode for the Ethernet port. The options are full duplex and half duplex.

Auto Neg.: The Auto Negotiation mode enables each port to automatically adjust and gather the connection speed and duplex mode. Therefore, if Enabled Auto Neg. is selected, the port setup will be done without any manual setting by administrators.

VLAN: This feature allows administrators to set
68. [Figure: Mode selection: Auto Load Balance Mode (By Session / By IP); Unbinding WAN Balance Mode (By Session / By IP, Advanced Function); Strategy Routing Mode (Advanced Function); Set WAN Grouping; Strategy Routing: Disabled; Import IP Range; self-defined Strategy 1: Disabled; self-defined Strategy 2: Disabled]

Click "Advanced Function" to enter the setting window.

[Figure: Advanced Function window: Destination Auto Binding; User Define Dest. IP or Port Auto Binding; No Aging Time; Protocol; Port Range; Add to list; Delete selected entry]

Destination Auto Binding: Indicates that the session will be connected with the same WAN IP when the destination IP is in the same Class B range.

For example, there are WAN1 (200.10.10.1) and WAN2 (200.10.10.2) and two intranet IP addresses. When 192.168.1.100 visits Internet address 61.222.81.100 for the first time, the connection is through WAN1 (200.10.10.1). If the next destination is 61.222.81.101 (in the same Class B range), the connection will also be through WAN1 (200.10.10.1). If the destination is another IP not in the same Class B range as 61.222.81.100, the session will be distributed by the original session balance mechanism.

When the other intranet IP 192.168.1.101 visits 61.222.81.101 for the first time, the connection is through WAN2 (200.10.10.2).
69. NAT

As both the device and ATU-R need only one actual IP, if the ISP issued more than one actual IP (such as eight ADSL static IP addresses or more), users can map the remaining real IP addresses to the intranet PC virtual IP addresses. These PCs use private IP addresses in the Intranet, but after One to One NAT mapping, these PCs will have their own public IP addresses.

For example, if there are more than 2 web servers requiring public IP addresses, administrators can map several public IP addresses directly to internal private IP addresses.

Example: Users have five available IP addresses, 210.11.1.1~5, one of which, 210.11.1.1, has been configured as a real IP for WAN and is used in NAT. Users can respectively configure the other four real IP addresses for Multi-DMZ, as follows:

210.11.1.2 -> 192.168.1.3
210.11.1.3 -> 192.168.1.4
210.11.1.4 -> 192.168.1.5
210.11.1.5 -> 192.168.1.6

Attention: The device WAN IP address cannot be contained in the One to One NAT IP configuration.

[Figure: One to One NAT settings: Enabled One to One NAT; Private IP Range Begin; Public IP Range Begin; Range Length; Add to List; Delete Selected Item; Apply; Cancel]

Enabled One to One NAT: To activate or close the One to One NAT function  Check
70. P 0 0 in Service; for IP Address, put your LAN IP range (e.g. 192.168.1.1~254); in the Direction part, open the dropdown box and choose Downstream. Enter 2 Kbit/Sec in Mini. Rate, which guarantees the minimum bandwidth, and enter 512 Kbit/Sec in Max. Rate for a maximum limitation. Choose "Assign bandwidth for each IP address" as the "Bandwidth sharing" method, which ensures each IP a minimum 2 Kbit/Sec download speed. Click "Enable" and "Add to list"; the rule is then successfully added.

[Figure: bandwidth rule form: Interface (WAN 1, WAN 2); Service; IP Address; Mini. Rate; Max. Rate 512 Kbit/sec; Bandwidth sharing (Share total bandwidth with all IP addresses / Assign bandwidth for each IP address); Enabled]

Attention: The action rule priority of the QoS bandwidth management runs from the bottom rule to the top rule; therefore you have to move the rule you want implemented first to the bottom.

8.2 Session control

Session management controls the acceptable maximum simultaneous sessions of Intranet PCs. This function is very useful for managing connection quantity when P2P software such as BT, Thunder, or emule is used in the Intranet, causing large numbers of sessions. Setting up proper limitations on sessions can effectively control the sessions created by P2P software
71. Q number list. Press the "Exempted QQ Number" button and enter the QQ number into the exempted QQ number list.

[Figure: Exempted QQ Number form: User Name; Exempted QQ Number; Add to list]

User Name: Input the information of the QQ number, etc.
Exempted QQ Number: Input the number.
Add to list: Add the number to the list.
Delete selected item: Delete the selected rule in the list.

9.3 Access Rule

Users may turn the setting on or off to permit or forbid any packet to access the internet. Users may select to set different network access rules, from internal to external or from external to internal. Users may set different packets for IP address and communication port numbers to filter Internet access rules.

The network access rule follows the IP address, destination IP address, and IP communications protocol status to manage the network packet traffic and determine whether access is allowed by the firewall.

The device has a user-friendly network access regulatory tool. Users may define network access rules. They can select to enable or disable the network so as to protect all internet access. The following describes the internet access rules:

All traffic from the LAN to the WAN is allowed (by default).
All traffic from the WAN to the LAN is denied (by default).
All traffic from the LAN to the DMZ is allowed (by default).
All traff
72. Statistic page to provide better traffic management and control.

[Figure: Traffic Statistic page, with Enable Traffic Statistic option and a selector for the statistic type]

Inbound IP Source Address: The figure displays the source IP address, bytes per second, and percentage.

Outbound IP Source Address: The figure displays the source IP address, bytes per second, and percentage.

Inbound IP Service: The figure displays the network protocol type, destination IP address, bytes per second, and percentage.

Outbound IP Service: The figure displays the network protocol type, destination IP address, bytes per second, and percentage.

Inbound IP Session: The figure displays the source IP address, network protocol type, source port, destination IP address, destination port, bytes per second and percentage.

Outbound Session: The figure displays the
73. [Figure: Port Information Table, including Receive Packets Count, Transmit Packets Count and Error Packets Count]

The current port setting status information will be shown in the Port Information Table. Examples: type (10Base-T/100Base-TX), interface (WAN/LAN/DMZ), link status (Up/Down), physical port status (Port Enabled/Port Disabled), priority (high or normal), speed status (10Mbps or 100Mbps), duplex status (Half/Full), auto negotiation (Enabled or Disabled). The table also shows statistics of Receive/Transmit Packets and Receive/Transmit Packets Byte Count, as well as Error Packets Count.

5.1.3 System Information

[Figure: System Information table showing LAN IP/subnet mask, working mode, system active time, serial number, firmware version and current time]

LAN IP/Subnet Mask: Identifies the current device IP address. The default is 192.168.1.1.

Working Mode: Indicates the current working mode. Can be NAT Gateway or Router mode. The default is "NAT Gateway" mode.

System Active Time: Indicates how long the Router has been running.

Serial Number: This number is the Router serial number.

Firmware Version: Information about the Router's present software version.

Current Time: Indicates the device's present time. Please note: To have the correct time, users must synchronize the device with the remote NTP s
74. VPN provides DES, 3DES, AES128, AES192 and AES256 encryption, MD5 and SHA1 authentication, and IKE Pre-Share Key or manual password interchange. VPN Router also supports aggressive mode. When a connection is lost, VPN Router will automatically re-connect. In addition, the device features NetBIOS transparency.

VPN Router offers the function of a standard PPTP server, which is equipped with connection setting status. Each WAN port can be set up with multiple DDNS at the same time. It is also capable of establishing VPN connections with dynamic IP addresses.

VPN Router also has the unique QVM VPN (SmartLink IPSec VPN). Just input the VPN server IP, user name, and password, and IPSec VPN will be automatically set up. Through the VPN Router exclusive QVM function, it offers easy VPN allocation for users; users can do it even without a network administrator. VPN Router enables enterprises to benefit from VPN without being troubled with technical and network management problems. The central control function enables the host to log in to remote client computers at any time. Security and secrecy are guaranteed to meet the IPSec standard, so as to ensure the continuity of VPN service.

The advanced built-in firewall function enables VPN Router to resist most attacks from the Internet. It utilizes active detection technology, SPI (Stateful Packet Inspection). The SPI firewall functions mainly within the network by dynamically inspecting each link. The SPI firewall also has a warning function f
75. VPN tunnel is connected.

IP Range:

[Figure: IP Range setting fields]

Reference: When this VPN tunnel is connected, computers with the IP address of 192.168.1.0~254 can establish connection.

Remote VPN Group Setting

[Figure: Remote Security Gateway Type selector set to IP Only]

This remote gateway authentication type (Remote Security Gateway Type) must be identical to the remotely connected local security gateway authentication type (Local Security Gateway Type).

Remote Security Gateway Type: This remote gateway authentication type comes with five operation modes, which are:

IP only: Authentication by use of IP only.
IP + Domain Name (FQDN) Authentication: IP + Domain name.
IP + E-mail Addr. (USER FQDN) Authentication: IP + Email address.
Dynamic IP + Domain Name (FQDN) Authentication: Dynamic IP address + Domain name.
Dynamic IP + E-mail Addr. (USER FQDN) Authentication: Dynamic IP address + Email address name.

(1) IP only:

If users select the IP Only type, entering this IP allows users to gain access to this tunnel.

If the IP address of the remote client is unknown, choose IP by DNS Resolved, allowing DNS to translate the IP address. When users finish the setting, the corresponding IP address will be displayed under the remote gateway of Summary.

(2) IP + Domain Name (FQDN) Authentication:

If users select IP + domain name, please enter IP address and the
76. al IP attack reach the maximum amount (the default is 15000 packets/Sec and 2000 packets/Sec respectively); if these conditions occur, the IP will be blocked for 5 minutes (the default is 5 minutes). Users can adjust the threshold value and the blocking duration to effectively deal with external attacks. The threshold value should be adjusted from high to low.

Input the exempted source IP.

Input the exempted Destination IP addresses.

Show Blocked IP: Show the blocked IP list and the remaining blocked time.

[Figure: DoS Block List window, http://192.168.1.1/dos_block_table.htm]

Restricted WEB Features: It supports blocking of Java, Cookies, Active X, and HTTP Proxy access.

Apply: Click "Apply" to save the configuration.

Cancel: Click "Cancel" to leave without making any change.

9.2 Restrict Application

Users can check MSN, Skype, QQ, BT, and the device will block the services users checked. However, to provide this service for certain IP addresses in the intranet, users may check the following item and then enter the specific IP address or IP address session to use the services which are checked above.

The UI might vary from model to model, depending on different product lines.

In addition, if Blocked QQ is activated, users can set the exempted Q
77. amic Routing

The abbreviation of Routing Information Protocol is RIP. There are two kinds of RIP in the IP environment: RIP I and RIP II. Since there is usually only one router in a network, ordinarily just Static Routing will be used. RIP is used when there is more than one router in a network, and if an administrator doesn't want to assign a path list one by one to all of the routers, RIP can help refresh the paths.

RIP is a very simple routing protocol, in which Distance Vector is used. Distance Vector determines transmission distance in accordance with the number of routers, rather than based on actual session speed. Therefore, sometimes it will select a path through the least number of routers, rather than through the fastest routers.

[Figure: Dynamic Routing settings: Working Mode (Gateway / Router); RIP (Enabled / Disabled); Receive RIP versions; Transmit RIP versions]

Select the working mode of the device: NAT mode or router mode.

Click "Enabled" to open the RIP function.

Use the Up/Down button to select one of "None, RIPv1, RIPv2, Both RIPv1 and v2" as the "TX" function for transmitting dynamic RIP.

Use the Up/Down button to select one of "None, RIPv1, RIPv2 Broadcast, RIPv2 Multicast" as the "RX" function for receiving dynamic RIP.

11.3.2 Static Routing

When there are more than one router and IP su
78. ancel" to keep the settings unchanged.

XI. Advanced Function

11.1 DMZ Host/Port Range Forwarding

[Figure: DMZ Host (DMZ Private IP Address) and Port Range Forwarding (Service, IP Address, Interface, Enabled, Service Management, Add to list, Delete selected application) settings, with the sample entry All Traffic (TCP&UDP 1~65535) -> 192.168.1.101 (WAN1)]

11.1.1 DMZ Host

When the NAT mode is activated, sometimes users may need to use applications that do not support virtual IP addresses, such as network games. We recommend that users map the device's actual WAN IP addresses directly to the Intranet virtual IP addresses, as follows:

If the "DMZ Host" function is selected, to cancel this function, users must input "0" in the following "DMZ Private IP". This function will then be closed.

After the changes are completed, click "Apply" to save the network configuration modification, or click "Cancel" to leave without making any changes.

11.1.2 Port Range Forwarding

Setting up a Port Forwarding Virtual Host: If the server function (which means the server for an external service such as WWW, FTP, Mail, etc.) is contained in the network, we recommend that users use the firewall function to set up the host as a virtual host, and then convert the
79. ay) is a protocol set by Microsoft. If the virtual host supports the UPnP system (such as Windows XP), users could also activate the PC UPnP function to work with the device.

[Figure: UPnP Mapping settings: Service Port; Service Port Management; Host Name or IP Address; Enabled; Add to List; Delete selected item; Show Table; Apply; Cancel]

Service Port: Select the UPnP service number default list here; for example, WWW is 80~80, FTP is 21~21. Please refer to the default service number list.
Host Name or IP Address: Input the Intranet virtual IP address or name that maps with UPnP, such as 192.168.1.100.
Enabled: Activate this function.
Service Port Management: Add or remove service ports from the management list.
Add to List: Add to active service content.
Delete Selected Item: Remove selected services.
Show Table: This is a list which displays the current active UPnP functions.
Apply: Click "Apply" to save the network configuration modification.
Cancel: Click "Cancel" to leave without making any change.

11.3 Routing

In this chapter we introduce the Dynamic Routing Information Protocol and Static Routing Information Protocol.

[Figure: Dynamic Routing and Static Routing settings: Working Mode (Gateway / Router); RIP (Enabled / Disabled); Dest. IP; Subnet Mask; Gateway; Hop Count; Interface; Delete selected item]

11.3.1 Dyn
80. bnets, the routing mode for the device should be configured as static routing. Static routing enables different network nodes to seek necessary paths automatically. It also enables different network nodes to access each other. Click the button "Show Routing Table" (as in the figure) to display the current routing list.

[Figure: Static Routing settings: Dest. IP; Subnet Mask; Gateway; Add to list; Delete selected item; Show Table; Apply; Cancel]

Dest. IP / Subnet Mask: Input the remote network IP locations and subnet that is to be routed. For example, the IP/subnet is 192.168.2.0/255.255.255.0.
Gateway: The default gateway location of the network node which is to be routed.
Hop Count: This is the router layer count for the IP. If there are two routers under the device, users should input "2" for the router layer; the default is "1". (Max. is 15.)
Interface: This is to select "WAN port" or "LAN port" for the network connection location.
Add to List: Add the routing rule into the list.
Delete Selected Item: Remove the selected routing rule from the list.
Show Table: Show the current routing table.
Apply: Click "Apply" to save the network configuration modification.
Cancel: Click "Cancel" to leave without making any changes.

11.4 One to One
81. ce's default username and password are both "admin". Users can change the login password in the setting later.

Attention: For security, we strongly suggest that users change the password after login. Please keep the password safe, or you will not be able to log in to the device. If the Reset button is pressed for more than 10 sec, all the settings will return to default.

After login, the device's web-based UI will be shown. Select the language on the upper right corner of the webpage. The language chosen will be in blue. Please select "English" as below.

V. Device Spec Verification, Status Display and Login Password and Time Setting

This chapter introduces the device specification and status after login, as well as the change password and system time settings for security.

5.1 Home Page

In the Home page, all the device's parameters and status are listed for users' reference.

5.1.1 WAN Status

[Figure: WAN Status table for WAN1 and WAN2: WAN IP Address; Default Gateway; DNS; Session; Dyndns, 3322 and Qnoddns status; rules set; Release and Renew buttons]

IP Address: Indicates the current IP configuration for the WAN port.

Default Gateway: Indicates the current WAN gateway IP address from the ISP.

DNS Server: Indicates the current DNS IP conf
82. center

Qno Official Website: http://www.Qno.com.tw

Dealer Contact: Users may log on to the service webpage to check the contacts of dealers: http://www.qno.com.tw/web/where_buy.asp

Taiwan Support Center: E-mail: QnoFAE@qno.com.tw
83. cline the connections which use non-standard communication protocol.

DoS (Denial of Service): This averts DoS attacks such as SYN Flooding, Smurf, LAND, Ping of Death, IP Spoofing and so on.

Block WAN request: If set as Enabled, it will shut down outbound ICMP and abnormal packet responses in connection. If users try to ping the WAN IP from outside, this will not work, because the default value is set as activated in order to decline the outbound responses.

Remote Management: To enter the device web-based UI by connecting from the remote Internet, this feature must be activated. In the field of remote browser IP, a valid external IP address (WAN IP) for the device should be filled in, and the modifiable default control port should be adjusted (the default is set to 80, modifiable).

Multicast Pass Through: There are many audio and visual streaming media on the network. Broadcasting may allow the client end to receive this type of packet message format. This feature is off by default.

Prevent ARP Virus Attack: This feature is designed to prevent the intranet from being attacked by ARP spoofing, causing the connection failure of the PC. This ARP virus cheat mostly occurs in Internet cafes. When attacked, all the online computers disconnect immediately or some computers fail to go online. Activating this feature may prevent the attack by this type of virus.
84. cn to select one of the four DDNS website address transfer functions.

Username: The name which is set up for DDNS. Input a complete website address such as abc.qnoddns.org.cn as a user name for QnoDDNS.
Password: The password which is set up for DDNS.
Dynamic Domain Name: Input the website address which has been applied for from DDNS. Examples are abc.dyndns.org or xyz.3322.org.
WAN IP Address: Input the actual dynamic IP address issued by the ISP.
Status: An indication of the status of the current IP function refreshed by DDNS.
Apply: After the changes are completed, click "Apply" to save the network configuration modification.
Cancel: Click "Cancel" to leave without making any changes.

Register for Qno DDNS

1. Please go to the Qno website and register the product at http://www.gno.cn/en/register

[Figure: Qno Product Registration page showing the member agreement]
85. create settings if the QnoKey is lost.

Status

Bind MAC: If there is hardware binding, QnoKey can only execute on the bound PC.
MAC Address: If the hardware binding function is enabled, it will show the MAC address which the QnoKey is bound with, not the PC MAC address.
Delete: Delete the user QnoKey connection information.

QnoSoftKey

Besides the Qno USB Key, Qno now also provides QnoSoftKey, which supports the same connection mode. A physical USB Key is not needed. The encryption mode and configuration are the same as QnoKey. Users can purchase a License Key to enlarge tunnel numbers.

One QnoSoftKey tunnel is supported by default at present.

[Figure: SoftKey settings: SoftKey Tunnel Number (tunnels used / available, Tunnel Upgrade); SoftKey Account ID; User Type (Common User); Account ID; Password; Confirm Password; Allow to Connect Time (24 Hour Format); MAC Address; Add to list; Delete selected item]

User Type: There are three user types: Common User, Super User and Temporal User.

Common User, which is the default, indicates that a new connection will not be allowed while all connections are occupied, but won't affect other users.

Super User: Indicates
86. [Table of contents fragment; entries that remain legible:]

10.1.1 Display All VPN Summary
10.2.1 QnoKey Summary
10.2.2 QnoKey Group Setup
10.3 QVM VPN Function
10.3.2 QVM Client Settings
Advanced Function
11.1 DMZ Host/Port Range Forwarding
11.1.1 DMZ Host
11.1.2 Port Range Forwarding
11.2 UPnP
11.3 Routing
87. [Figure: Bandwidth Management page: Bandwidth sharing; Add to list; Enabled Smart QoS; Exception IP address (WAN 1 / WAN 2): Do not control upstream bandwidth, Do not control downstream bandwidth, Do not control bi-direction bandwidth; Enabled; Add to list; Delete selected item; Show Table; Apply; Cancel]

8.1.1 The Maximum Bandwidth provided by ISP

[Figure: The Maximum Bandwidth provided by ISP]

In the boxes for WAN1 and WAN2 bandwidth, input the upstream and downstream bandwidth which users applied for from the bandwidth supplier. The bandwidth QoS will make calculations according to the data users input. In other words, it will guarantee a minimum rate of upstream and downstream for each IP and Service Port based on the total actual bandwidth of WAN1 and WAN2. For example, if the upstream bandwidths of both WAN1 and WAN2 are 512Kbit/Sec, the total upstream bandwidth will be: WAN1 + WAN2 = 1024Kbit/Sec. Therefore, if there are 50 IP addresses in the Intranet, the minimum guaranteed upstream bandwidth for each IP would be 1024Kbit/50 = 20Kbit/Sec. Thus, 20Kbit/Sec can be input for "Mini. Rate". Downstream bandwidth can be calculated in the same way.

Attention: The unit of calculation in this example is Kbit. Some software indicates the downstream/upstream speed with the un
88. domain name to be verified. FQDN refers to the combination of host name and domain name. Users may enter any name that corresponds to the domain name of FQDN. This IP address and domain name must be identical to those of the remote VPN security gateway setting type to establish a successful connection.

[Figure: Remote Security Gateway Type set to IP + Domain Name (FQDN) Authentication]

If the remote IP address is unknown, choose IP by DNS Resolved, allowing DNS to translate the IP address. This domain name must be available on the Internet. When users finish the setting, the corresponding IP address will be displayed under the remote gateway of Summary.

[Figure: Remote Security Gateway Type set to IP + Domain Name (FQDN) Authentication, with IP by DNS Resolved]

(3) IP + E-mail Addr. (USER FQDN) Authentication:

If users select the IP address and E-mail type, entering the IP address and the E-mail allows users to gain access to this tunnel.

[Figure: Remote Security Gateway Type set to IP + E-mail (User FQDN) Authentication]

If the remote IP address is unknown, choose IP by DNS Resolved, allowing DNS to translate the IP address. This domain name must be available on the Internet. When users finish the setting, the corresponding IP address will be displayed under the remote gateway of Summary.
89. [Table of contents fragment; entries that remain legible:]

Intranet Configuration
QoS (Quality of Service)
8.1 Bandwidth Management
8.1.1 The Maximum Bandwidth provided by ISP
8.2 Session Control
9.2 Restrict Application
9.3.1 Add New Access Rule
VPN (Virtual Private Network)
90. e Key, the device will check whether current time is correct and whether License Key is still in valid period. In order to prevent dysfunction problems, we strongly recommend you to check and update the time correctly before attempting a feature and entering License Key.

Input License Key you purchase. Generally the key is composed of several alphanumeric characters. Enter the key and click "Submit", and the system will check whether the License Key is valid. If the key is valid, users will be allowed to use the feature. The "Official Version" column of that feature will be checked.

List value added features.

If there is no "Trial Version" button in the "Trial Version" column, it means the feature has no trial version, or it just supports the amount of VPN tunnels, such as QnoSoftKey. Display "Trial" button in the "Trial Version" column at default if the functions have trial versions. Users can try the functions for certain period of time by pressing the button.

After entering and registering License Key successfully, "Official Version" column will be checked. The feature will be in official version and not be limited by trial expiration date.

Registration Time: Display successfully inputted and registered time.
Status Information: Indicate remaining trial date or supported amount of QnoSoftkey VPN Tunnels.
Refresh: Refresh current system status and time
91. e setting items to be changed.

10.3.2 QVM Client Settings

Select QVM feature as Client mode.

Account ID: Must be identical to that of the server account ID.
Password: Must be identical to that of the server password.
Confirm Password: Please enter the password and confirm again.
QVM VPN IP Address or Dynamic Domain Name: Input QVM VPN Server IP address or domain name.
Status: Displays QVM connection status.
Keep Alive, Redial Period (Mins): This function is to set re-connect duration if QVM connection drops. The range is 1-60 mins.
QVM Backup Tunnel: You can input at most 3 backup IP addresses or domain names for backup. Once the connection is dropped, the function will be automatically enabled to backup the VPN connection and ensure data transmission security.
Advanced Function, Change QVM Client's Service Port: In some environment, port 443 has been used, for example, E-Mail Forwarding. To avoid the conflict with QVM, QVM port can be changed to other encryption ports, such as 10443.

After modification, press "Apply" to save the network setting or press "C
92. ect the WAN (or WAN group) which is connected with Netcom, the device will then automatically dispatch the traffic for Netcom through that WAN to connect with the Internet and dispatch traffic for Telecom to go through the WAN connected with Telecom to the Internet accordingly. In this way, the traffic for Netcom and Telecom can be divided.

Set WAN Grouping:

If more than one WAN is connected with Netcom, to apply a similar division of traffic policy to these WANs, a combination for the WANs must be made. Click "Set WAN Grouping"; an interactive window as shown in the figure below will be displayed.

Name: To define a name for the WAN grouping in the box, such as "Education" etc. The name is for recognizing different WAN groups.
Interface: Check the boxes for the WANs to be added into this combination.
Add To List: To add a WAN group to the grouping list.
Delete selected: To remove selected WANs from the WAN grouping.
Apply: Click "Apply" to save the modification.
Cancel: Click "Cancel" to cancel the modification. This only works before "Apply" is clicked.

After the configuration is completed, in the China Netcom Policy window users can select WANs in combination to connect with Netcom.

Import Strategy:

A division of traffic policy can be defined by users too. In the "Imp
93. XIV. Log out
Appendix I: User Interface and User Manual Chapter Cross Reference
Appendix II: Troubleshooting
2. Shock Wave and Worm Virus Prevention
3. Block QQLive Video Broadcast Setting
4. ARP Virus Attack Prevention
Appendix III: Qno Technical Support Information

Introduction

IPSec VPN QoS Router (referred as VPN Router hereby) is a business level security router that efficiently integrates new generation multiple WAN port devices. It meets the needs of medium enterprises, internet cafés, campus, dorm and communities, etc. Apart from its internet connectivity that suits the broadband market, VPN Router has a built in QoS and VLAN switching board which enables it to fulfill most enterprise and internet cafe firewall needs.

VPN Route
94. Auto Load Balance Mode

When Auto Load Balance mode is selected, the device will use sessions or IP and the WAN bandwidth to automatically allocate connections to achieve load balancing for external connections. The network bandwidth is set by what users input for it. For example, if the upload bandwidth of both WANs is 512Kbit/sec, the automatic load ratio will be 1:1; if one of the upload bandwidths is 1024Kbit/sec while the other is 512Kbit/sec, the automatic load ratio will be 2:1. Therefore, to ensure that the device can balance the actual network load, please input real upload and download bandwidths.

Session Balance: If "By Session" is selected, the WAN bandwidth will automatically allocate connections based on session number to achieve network load balance.

IP Session Balance: If "By IP" is selected, the WAN bandwidth will automatically allocate connections based on IP amount to achieve network load balance.

Note:

For either session balancing or IP connection balancing, collocation with Protocol Binding will provide a more flexible application for bandwidth. Users can assign a specific Intranet IP to go through a specific service provider for connection, or assign an IP for a specific destination to go through the WAN users assign to connect with the Internet.

For example, if users want to assign IP 192.168.1.100 to go through WAN 1 when connecting with the Internet, or assign all Intranet IP to g
95. 4. Dynamic IP + Domain Name (FQDN) Authentication

If users use dynamic IP address to connect with the device, users may select the combination of the dynamic IP address, host name and domain name.

5. Dynamic IP + E-mail Addr. (USER FQDN) Authentication

If users use dynamic IP address to connect with the device, users may select this type to link to VPN. When the remote VPN gateway requires connection to facilitate VPN connection, the device will start authentication and respond to the VPN tunnel connection. Please enter the E-Mail to the empty space.

Remote Security Group Type: type. The following offers a few items for remote settings. Please select and set appropriate parameters.

1. IP address: This option allows the only IP address which is entered to build the VPN tunnel.
Reference: When this VPN tunnel is connected, computers with the IP address of 192.168.2.1 can establish connection.

2. Subnet: This option allows local computers in this subnet can be connected to the VPN tunnel.
Reference: When this VPN tunnel is connec
96. en used in the connection mode to obtain an automatic DHCP IP. This is the device system default connection mode. It is a connection mode in which DHCP clients obtain an IP address automatically. If having a different connection mode, please refer to the following introduction for selection of appropriate configurations. Users can also set up their own DNS IP address. Check the options and input the user defined DNS IP addresses.

Use the following DNS Server Addresses / DNS Server / Enable Line Dropped Scheduling / Line Dropped Period / Line Dropped Scheduling / Backup Interface

Select a user defined DNS server IP address.

Input the DNS IP address set by ISP. At least one IP group should be input. The maximum acceptable groups is two IP groups.

The WAN disconnection schedule will be activated by checking this option. In some areas, there is a time limitation for WAN connection service. For example, the optical fiber service will be disconnected from 0:00 am to 6:00 am. Al
97. IP Range: Input the IP range located at the DMZ port.

After the changes are completed, click "Apply" to save the configuration, or click "Cancel" to leave without making any changes.

6.2 Multi-WAN Setting

When you have multiple WAN gateways, you can use Traffic Management and Protocol Binding function to fulfill WAN load balancing, so that we can have highest network bandwidth efficiency.

6.2.1 Load Balance Mode
98. er Clauses

5.1. The potency of this Agreement is over any other verbal or written record. The invalidation of part or whole of any clause does not affect the potency of other clauses.

5.2. The power of interpretation, potency and dispute are applicable for the law of Taiwan. If there is any dissension or dispute between the users and Qno, it should be attempted to solve by consultation first. If it is not solved by consultation, user agrees that the dissension or dispute is brought to trial in the jurisdiction of the court in the location of Qno. In Mainland China, the "China International Economic and Trade Arbitration Commission" is the arbitration organization.

Content

Introduction
Multi-WAN VPN Router Installation
Systematic Setting Process
Hardware Installation
VPN Router Network Connection
Login
99. erver first.
CPU Usage: Indicates the current router CPU usage percentage.
Memory Usage: Indicates the current router memory usage percentage.
Total Session: Indicates the current router session connection quantity.

5.1.4 Firewall Status

SPI (Stateful Packet Inspection): Indicates whether SPI (Stateful Packet Inspection) is on or off. The default configuration is "On".
DoS (Denial of Service): Indicates if DoS attack prevention is activated. The default configuration is "On".
Block WAN Request: Indicates that denying the connection from Internet is activated. The default configuration is "On".
Prevent ARP Virus Attack: Indicates that preventing ARP virus attack is activated. The default configuration is "Off".
Remote Management: Indicates if remote management is activated (on or off). Click the hyperlink to enter and manage the configuration. The default configuration is "Off".
Access Rule: Indicates the number of access rules applied in the device.

5.1.5 Log Setting Status

External Syslog Server: Indicates the server setting to receive the syslog.
Send Log by E-mail (future feature): Indicates the E-mail setting. Syslog will be sent to the specific E-mail.
100. V. Device Spec Verification, Status Display and Login Password and Time Setting
WAN Status
5.1.3 System Information
Log Setting Status
Change and Set Login Password and Time
5.2.1 Password Setting
Network Connection
6.1.1 Host Name and Domain Name
6.1.3 WAN & DMZ Settings
Multi-WAN Setting
6.2.2 Network Service Detection
6.2.3 Protocol Binding
101. essfully connected users, including username, remote IP address, and PPTP address.

10.1.4 VPN Pass Through

IPSec Pass Through: If this option is enabled, the PC is allowed to use VPN IPSec packet to pass in order to connect to external VPN device.
PPTP Pass Through: If this option is enabled, the PC is allowed to use VPN PPTP packet to pass in order to connect with external VPN device.
L2TP Pass Through: If this option is enabled, the PC end is allowed to use VPN L2TP packet to pass in order to connect with external VPN device.

After modification, push "Apply" button to save the network setting or push "Cancel" to keep the settings unchanged.

10.2 QnoKey

Introduces how Qno VPN devices conduct preliminary configuration of the data from the user end and how to set the QnoKey user to successfully create QnoKey by using QnoKey management software.

10.2.1 QnoKey Summary

Login to the web based UI and click on the QnoKey menu to display the page that summarizes the current status information of QnoKey, as illustrated below.
102. f IP still available in the DHCP server.
Total: The total IP which the DHCP server is configured to lease.
Host Name: The name of the current computer.
IP Address: The IP address acquired by the current computer.
MAC Address: The actual MAC network location of the current computer.
Client Lease Time: The lease time of the IP released by DHCP.
Delete: Remove a record of an IP lease.

DNS Local Database Feature:

Normally, DNS server will be directed to ISP DNS server or internal self-defined DNS server. Qno router also provides "easy" self-defined DNS services, called "DNS Local Database", which can map website host domain names and the corresponding IP addresses.

Host Domain Name: Enter the website host domain name, i.e. www.google.com
IP Address: Enter the corresponding IP address of the host domain above.
Add to list: Add the items into the list below.
Delete selected item: Delete the items chosen.

Note:

1. Users MUST enable DHCP server service to enable DNS local database.

2. Users must set DHCP server DNS IP address as the router LAN IP. For example, LAN is 10.10.10.1, as shown in the following figure.
103. f the MAC address of the gateway is the same with the device MAC address. If not, the PC corresponding to the MAC address is the source of attack.

Solutions for other device users are to make a two-way binding of the IP address and MAC address from both of the PC and device ends in order to carry out the prevention work. However, this is more complicated because the search for the IP address and MAC increases the workload. Moreover, there is greater possibility of making errors during the operation.

c. Bind the IP/MAC Address from Device End:

Enter "Setup" under DHCP page. On the lower right corner of the screen, there is "IP and MAC Binding", where users may create IP and MAC binding. On "Enabled", click on "V" and select "Add to List". Repeat these steps to add other IP addresses and MAC binding, followed by clicking "Apply" at the bottom of the page.

After an item is added to the list, the corresponding message will be displayed in the white block on the bottom. However, such method is not recommended because the inquiry of IP/MAC addresses of all hosts creates heavy workload. An
104. function

If this option is selected, the system will send ICMP ACK packet to the remote host with VPN tunnel regularly; the remote host will also send an ICMP ACK reply packet toward the originator.

If there is still no received ICMP ACK reply after exceeding the setting retry, the Heart Beat Originator will terminate this VPN tunnel.

Under this situation, if you are the VPN tunnel initiator, the system will try to reconnect the tunnel; if you are the passive party, the system will wait for the initiator to establish the tunnel again.

Remote Host: The remote end point for the Heart Beat Detection. It is always sensible to select an end point for the Heart Beat detection; the end point should be a strong and stable server which is able to send reply quickly. We suggest using the LAN IP address of the VPN remote end point device as the target of the Heart Beat detection.

Interval: The default time for the Heart Beat interval is 30 seconds. The system will send an ICMP echo request every 30 seconds after the VPN tunnel is established.

Retry: The default retry times are 5. The system will terminate the VPN tunnel if the Heart Beat still fails after the retry default.

The VPN Heart Beat detection and DPD features are both used to provide a stable VPN solution for customers. The difference between them is that we can use the Heart Beat detection in a non-IPSec protocol. With the Heart Beat detection, we can monitor the VPN t
105. ge, or termination will be announced in the relevant block of the Qno website.

4.3. All the set parameters are examples and they are for reference only. You may also propose your opinion or suggestion. We will take it as reference and they may be amended in the next version.

4.4. This Manual explains the configuration of all functions for the products of the same series. The actual functions of the product may vary with the model. Therefore, some functions may not be found on the product you purchased.

4.5. Qno reserves the right to change the file content of this Manual and the Manual content may not be updated instantly. To know more about the updated information of the product, please visit Qno official website.

4.6. Qno (and / or) distributors hereby declares that no liability will be borne for any guarantee and condition of the corresponding information. The guarantee and condition include tacit guarantee and condition about marketability, suitability for special purposes, ownership, and non-infringement. The name of the companies and products mentioned may be the trademark of the owners. Qno (and / or) the distributors do not provide the product or software of any third party company. Under any circumstance, Qno and / or distributors bear no liability for special, indirect, derivative loss or any type of loss in the lawsuit caused by usage or information on the file, no matter the lawsuit is related to agreement, omission, or other tort.

5. Oth
106. ge it according to their needs. The time unit is minute.
Range End: This is an initial IP automatically leased by DHCP. It means DHCP will start the lease from this IP. The default initial IP is 192.168.1.100.

DNS (Domain Name Service):

This is for checking the DNS from which an IP address has been leased to a PC port. Input the IP address of this server directly.

DNS (Required) 1: Input the IP address of the DNS server.
DNS (Optional) 2: Input the IP address of the DNS server.

WINS:

If there is a WINS server in the network, users can input the IP address of that server directly.

WINS Server: Input the IP address of WINS.
Apply: Click "Apply" to save the network configuration modification.
Cancel: Click "Cancel" to leave without making any changes.

7.4 DHCP Status

This is an indication list of the current status and setup record of the DHCP server. The indications are for the administrator's reference when a network modification is needed.

DHCP Server: This is the current DHCP IP.
Dynamic IP Used: The amount of dynamic IP leased by DHCP.
Static IP Used: The amount of static IP assigned by DHCP.
DHCP Available: The amount o
107. generated during the IKE coordination will conduct further encryption and authentication. When PFS is enabled, hackers using brute force to capture the key will not be able to get the Phase 2 key in such a short period of time.

Perfect Forward Secrecy: When users check the PFS option, don't forget to activate the PFS function of the VPN device and the VPN Client as well.

Phase 1 / Phase 2 DH Group: This option allows users to select Diffie-Hellman groups: Group 1, Group 2, Group 5.

Phase 1 / Phase 2 Encryption: This option allows users to set this VPN tunnel to use any encryption mode. Note that this parameter must be identical to that of the remote encryption parameter: DES (64-bit encryption mode), 3DES (128-bit encryption mode), AES (the standard of using security code to encrypt information). It supports 128-bit, 192-bit, and 256-bit encryption keys.

Phase 1 / Phase 2 Authentication: This authentication option allows users to set this VPN tunnel to use any authentication mode. Note that this parameter must be identical to that of the remote authentication mode: "MD5" or "SHA1".

Phase 1 SA Life Time: The life time for this exchange code is set to 28800 seconds (or 8 hours) by default. This allows the automatic generation of other exchange password within the valid time of the VPN connection so as to guarantee security.

Phase 2 SA Life Time: The life time for this
108. System Recover

As the figure below, if clicking "Restart Router" button, the dialog block will pop out, confirming if users would like to restart the device.

Return to Factory Default Setting

If clicking "Return to Factory Default Setting", the dialog block will pop out, confirming if the device will return to factory default.

12.6 License Key

Users have to purchase License Key to "enable" some functions in Qno Firewalls/Routers series or upgrade to "Official Version" (not trial version), such as QnoSniff or Inbound Load Balance, etc.

Current Time / License Key Number / Feature Name / Trial Version / Official Version

Before inputing Licens
109. h the Internet. Therefore, to avoid a huge number of disconnection, users can activate this function to arrange new connections to be made through another WAN to the Internet. In this way, the effect of any disconnection can be minimized.

Input the time rule for disconnection of this WAN service.

Input how long the WAN service may be disconnected before the newly added connections should go through another WAN to connect with the Internet.

Select another WAN port as link backup when port binding is configured. Users should select the port that employs the same ISP.

After the changes are completed, click "Apply" to save the configuration, or click "Cancel" to leave without making any changes.

PPPoE

This option is for an ADSL virtual dial up connection (suitable for ADSL PPPoE). Input the user connection name and password issued by ISP. Then use the PPP Over Ethernet software built into the device to connect with the Internet. If the PC has been installed with the PPPoE dialing software provided by ISP, remove it. This software will no longer be used for network connection.
110. h the service port).

Dest. IP: ANY (Meaning to block all traffic from intranet to internet and all attack from internet to intranet through the service port).

Example 2: How to forbid intranet IP range from 192.168.1.200 to 230 to access service port 80?

Action: Forbid
Service Port: TCP 80
Source Interface: LAN (Meaning to service port 80 which blocks the traffic from intranet to internet).
Source IP: 192.168.1.200 to 192.168.1.230
Dest. IP: ANY (Meaning to any service port 80 which blocks the traffic from intranet to internet among 192.168.1.200 to 230).

9.4 Content Filter

The device supports two webpage restriction modes: one is to block certain forbidden domains, and the other is to give access to certain web pages. Only one of these two modes can be selected.

Block Forbidden Domain

Fill in the complete website such as www.sex.com to have it blocked.
111. here is a time limitation for WAN connection service. For example, the optical fiber service will be disconnected from 0:00 am to 6:00 am. Although there is a standby system in the device, at the moment of WAN disconnection, all the external connections that go through this WAN will be disconnected too. Only after the disconnected lines are reconnected can they go through the standby system to connect with the Internet. Therefore, to avoid a huge number of disconnection, users can activate this function to arrange new connections to be made through another WAN to the Internet. In this way, the effect of any disconnection can be minimized.

Input the time rule for disconnection of this WAN service.

Input how long the WAN service may be disconnected before the newly added connections should go through another WAN to connect with the Internet.

Select another WAN port as link backup when port binding is configured. Users should select the port that employs the same ISP.

After the changes are completed, click "Apply" to save the configuration, or click "Cancel" to leave without making any changes.

Transparent Bridge

If all Intranet IP addresses are applied as Internet IP addresses, and users don't want to substitute private network IP addresses for all Intranet IP addresses (ex. 192.168.1.X), this function will enable users to integrate existing networks without changing
112. ic from the DMZ to the LAN is denied (by default).
All traffic from the WAN to the DMZ is allowed (by default).
All traffic from the DMZ to the WAN is allowed (by default).

Users may define access rules and do more than the default rules. However, the following four extra service items are always on and are not affected by other user-defined settings:
HTTP Service from LAN to Device is on by default (for management).
DHCP Service from LAN to Device is set to on by default (for the automatic IP retrieval).
DNS Service from LAN to Device is on by default (for DNS service analysis).
Ping Service from LAN to Device is on by default (for connection and test).

[Screenshot: Access Rule table. Columns: Priority, Enabled, Action, Service, Source Interface, Source, Destination, Time, Day, Delete. Default rows: Allow, All Traffic [1], LAN, Any, Any, Always; Deny, All Traffic [1], WAN, Any, Any, Always; Deny, All Traffic [1], WAN, Any, Any, Always. Buttons: Add New Rule, Restore Default Rules]

In addition to the default rules, all the network access rules will be displayed as illustrated above. Users may follow or self-define the priority of each network access rule. The device will follow the rule priorities one by one, so please make sure the priority for all the rules can suit the setting rules.

Edit: Define the network access rule item.
Delete: Remove the item.
Add New Rule: Create a new netwo
113. iguration. Indicates the current session number for each WAN in the device.
Downstream Bandwidth Usage: Indicates the current downstream bandwidth usage for each WAN.
Upstream Bandwidth Usage: Indicates the current upstream bandwidth usage for each WAN.
DDNS: Indicates if Dynamic Domain Name is activated. The default configuration is "Off".
Quality of Service: Indicates how many QoS rules are set.
Manual Connect: When "Obtain an IP automatically" is selected, two buttons (Release and Renew) will appear. If a WAN connection such as PPPoE or PPTP is selected, "Disconnect" and "Connect" will appear.
DMZ IP Address: Indicates the current DMZ IP address.

5.1.2 Physical Port Status
[Screenshot: Physical Port Status table for the LAN ports and the Internet ports WAN 1 and WAN 2, showing Connect and Enabled status]

The status of all system ports, including each connected and enabled port, will be shown on this Home page (see above table). Click the respective status button and a separate window will appear to show detailed data (including setting status summary and statistics) of the selected port.

[Screenshot: Port Information summary showing Type, Link Status, Physical Port Status, Speed Status and Duplex]
114. in name
Name: www.gno.com
Address: 74.117.114.82

Ping
[Screenshot: Ping test result. Status: Test Succeeded. Packets: 4/4 transmitted, 4/4 received, 0% loss. Round Trip Time: Minimum = 0.9 ms, Maximum = 1.1 ms, Average = 0.9 ms]

This item informs users of the status quo of the outbound session and allows the user to know the existence of computers online.

On this test screen, please enter the host IP that users want to test, such as 192.168.5.20. Press "Go" to start the test. The result will be displayed on this screen.

12.2 Firmware Upgrade
Users may directly upgrade the device firmware on the Firmware Upgrade page. Please confirm all information about the software version in advance. Select and browse the software file, then click "Firmware Upgrade Right Now" to complete the upgrade of the designated file.

Note:
Please read the warning before firmware upgrade.
Users must not exit this screen during upgrade. Otherwise, the upgrade may fail.

[Screenshot: System Tool menu (Password Setup, Diagnostic, Configuration Backup, SNMP Setup, Network Time, System Recover, License Key, Firmware Upgrade) and the Firmware Upgrade page with a Browse button]

Warning:
1. When choosing previous firmware versions, all settings will restore back to default value.
2. Upgrading firmware may take a few minutes, please
115. is suitable when one of the WAN connections fails and the traffic going through this WAN to the destination IP should go through the other WAN to reach the destination. In this way, when any of the WAN connections is broken, other WANs can serve as a backup; traffic can be shifted to a WAN that is still connected.

Detecting Feedback Servers:

Default Gateway: The local default communication gateway location, such as the IP address of an ADSL router, will be input automatically by the device. Therefore, users just need to check the option if this function is needed. Attention: Some gateways of an ADSL network will not affect packet detection. If users have an optical fiber box, or the IP issued by ISP is a public IP and the gateway is located at the port of the net cafe rather than at the IP provider's port, do not activate this option.

ISP Host: This is the detected location for the ISP port, such as the DNS IP address of ISP. When configuring an IP address for this function, make sure this IP is capable of receiving feedback stably and speedily. (Please input the DNS IP of the ISP port.)

Remote Host: This is the detected location for the remote Network Segment. This Remote Host IP should preferably be capable of receiving feedback stably and speedily. (Please input the DNS IP of the ISP port.)

DNS Lookup Host: This is the detect location for DNS. (Only a web address such as ww
116. is the only way to gain access to this tunnel. The WAN IP address will be automatically filled into this space. Users don't need to do further settings.

(2) IP + Domain Name (FQDN) Authentication:
If users select IP + domain name type, please enter the domain name and IP address. The WAN IP address will be automatically filled into this space. Users don't need to do further settings. FQDN refers to the combination of host name and domain name and can be retrieved from the Internet, i.e. vpn.server.com. This IP address and domain name must be identical to those of the VPN secure gateway setting type to establish successful connection.
[Screenshot: IP + Domain Name (FQDN) Authentication fields: Domain Name, IP Address]

(3) IP + E-mail Addr. (USER FQDN) Authentication:
If users select IP address and E-mail, enter the IP address and E-mail address to gain access to this tunnel and the WAN IP address will be automatically filled into this space. Users don't need to do further settings.
[Screenshot: IP + E-mail Addr. (USER FQDN) Authentication fields]

(4) Dynamic IP + Domain Name (FQDN) Authentication:
If users use dynamic IP address to connect to the device, users may select this option to link to VPN. If the remote VPN gateway requires connection to the device for VPN connection, this device will start
117. it KB (1KB = 8Kbit)

8.1.2 QoS
To satisfy the bandwidth requirements of certain users, the device enables users to set up QoS: Rate Control and Priority Control. Users can select only one of the above QoS choices.

Rate Control:
The network administrator can set up bandwidth or usage limitations for each IP or IP range according to the actual bandwidth. The network administrator can also set bandwidth control for certain Service Ports. A guarantee bandwidth control for external connections can also be configured if there is an internal server.

[Screenshot: Quality of Service rule form. Fields: Interface (WAN1, WAN2), Service (All Traffic [TCP&UDP/1~65535]), Service Management, Direction (Upstream), Mini. Rate (Kbit/sec), Max. Rate (Kbit/sec), Bandwidth sharing (Share total bandwidth with all IP addresses / Assign bandwidth for each IP address), Enabled. Buttons: Add to list, Move Up, Move Down, Delete selected item. Option: Enabled Smart QoS]

Interface: Select on which WAN the QoS rule should be executed. It can be a single selection or multiple selections.
Service Port: Select what bandwidth control is to be configured in the QoS rule. If the bandwidth for all services of each IP is to be controlled, select "All (TCP&UDP) 1~65535". If only FTP uploads or downloads need to be controlled, select "FTP Port 21~21". Refer to the Default Service Port Number List. 1
118. k on Detail List, and more information such as Group Name, IP address and the connection time will be displayed.
Control: Click Connect to verify the status of the tunnel. The test result will be updated in this status.
Config: As illustrated below, configurations include Edit and Delete icon. Click on Edit to enter the setting items to be changed. Click on the trash bin icon and all the tunnel settings will be deleted.

10.1.2. Add a New VPN Tunnel
The device supports Gateway to Gateway tunnel or Client to Gateway tunnel.
The VPN tunnel connections are done by 2 VPN devices via the Internet. When a new tunnel is added, the setting page for Gateway to Gateway or Client to Gateway will be displayed.

Gateway to Gateway:
Click "Add" to enter the setting page of Gateway to Gateway.
[Diagram: Gateway to Gateway, REMOTE VPN Device and LOCAL VPN Device]

Client to Gateway:
Click "Add" to enter the setting page of Client to Gateway.
[Diagram: Client to Gateway, CLIENT (Mobile Users) and LOCAL VPN Device]

10.1.2.1. Gateway to Gateway Setting
[Screenshot: Gateway to Gateway]
The following instructions will guide users to set a VPN tunnel between two devices.
Set the embedded VPN featu
119. l prevent attack and improper access to network resources

Content: Configure the network to meet user's demand.
Purpose: Install the device hardware based on user physical requirements.

Content: Verify Firmware version and working status.
Purpose: Verify the device specification, Firmware version and working status.

Content: Set time and re-new password.
Purpose: Modify the login password considering safe issue. Synchronize time with WAN.

Content: Verify WAN connection setting, bandwidth allocation, and protocol binding.
Purpose: Connect to WAN. Configure bandwidth to optimize data transmission.

Content: Set mirror port and VLAN. Allocate and manage LAN IP.
Purpose: Provide mirror port, port management and VLAN setting functions. Support Static/DHCP IP allocation to meet different needs.

Content: Restrict bandwidth and session of WAN ports, LAN IP and application.
Purpose: To assure transmission of important information, manage and allocate the bandwidth further to achieve best efficiency.

Content: Block attack, set Access rule and restrict Web access.
Purpose: Administrators can block BT to avoid bandwidth occupation, and enable access rules to restrict employee accessing internet improperly or using MSN, QQ and P2P during working time. They can also protect network from Worm or ARP attacking.

Advanced Settings: DMZ Forwarding, UPnP, Routing Mode m
120. lected, this follows the first chosen WAN IP distributed by the original session balance mechanism. For example, there are two intranet IPs, 192.168.100.1 and 192.168.100.2. When these intranet IPs first connect with TCP443 port, 192.168.100.1 will go through WAN1, and 192.168.100.2 will go through WAN2. Afterwards, 192.168.100.1 will go through WAN1 when there are TCP443 port connections; 192.168.100.2 will go through WAN2 when there are TCP443 port connections.

This rule is by default. You can delete or add rules to meet your connection requirement.

6.2.2 Network Service Detection
This is a detection system for network external services. If this option is selected, information such as "Retry" or "Retry Timeout" will be displayed. If two WANs are used for external connection, be sure to activate the NSD system, so as to avoid any unwanted break caused by the device misjudgment of the overload traffic for the WAN.

[Screenshot: Network service detection. Fields: Interface (WAN1), Enable, Retry count, Retry timeout (Second), When Fail, When In/Out bandwidth is over, Default Gateway, ISP Host, Remote Host, DNS Lookup Host]

Interface: Select the WAN Port that enables Network Service Detection.
Retry: This selects the retry times for network service detection. The default is five times. If there is no feedback from the Internet in
121. led "Address Analysis" refers to the transferring process of the target IP address into the target MAC address before the host sends out the frame. The basic function of ARP protocol aims to inquire the MAC address of the target equipment via the IP address of the target equipment so as to facilitate the communications.

The Working Principle of ARP Protocol: Computers with TCP/IP protocol have an ARP cache, in which the IP address corresponds to the MAC address, as illustrated:

IP Address     MAC
192.168.1.1    00-0f-3d-83-74-28
192.168.1.2    00-aa-00-62-c5-03
192.168.1.3    03-aa-01-75-c3-06

For example, host A (192.168.1.5) transmits data to Host B (192.168.1.1). Transmitting data, Host A searches for the destination IP address from the ARP Cache. If it is located, MAC address is known. Simply fill in the MAC address for transmission. If no corresponding IP address is found in ARP cache, Host A will send a broadcast. The MAC address is "FF.FF.FF.FF.FF.FF", which is to inquire all the host devices in the same network session about "What is the MAC address of 192.168.1.1?" Other host devices do not respond to the ARP inquiry except host device B, which responds to host device A when receiving this frame: "The MAC address of 192.168.1.1 is 00-aa-00-62-c6-09". So Host A knows the MAC address of Host B, and it can send data to Host B. Meanwhile, it will update its ARP
122. m the bottom of the list to the top of the list. In other words, the lower down the list, the higher the priority of execution. Users can arrange the sequence according to their priorities. Usually the service ports which need to be restricted, such as BT, e-mule, etc., will be moved to the bottom of the list. The rules for certain IP addresses would then be moved upward.

Remove the rules selected from the Service List.

Display all the Rate Control Rules users made for the bandwidth. Click "Edit" to modify.

Click "Apply" to save the configuration.
Click "Cancel" to leave without making any change.

Below to the left is the "Show Table" button. Click it, and a dialog as below will pop up. Users can select the "Rule" or "Interface" button to display the configured rules. Click "Refresh" to renew the table and "Close" to close it. For reconfiguring the rule, click "Edit".

[Screenshot: Summary dialog listing the configured rules by Rule or Interface, with service, IP range, direction, rate, status, WAN and an Edit link for each rule]
123. many users have been attacked by Shock Wave and Worm viruses recently, the Internet transmission speed was brought down and the bulky increase in sessions resulted in a massive processing load on the device. The following guides users to block this virus' corresponding port for prevention.

a. Add this TCP135-139, UDP135-139 and TCP445 Port.
[Screenshot: Service Management dialog with Service Name, Protocol and Port Range fields and the service list, including the added TCP 135~139, UDP 135~139 and TCP 445~445 entries]

b. Use the "Access Rule" in the firewall and set to block these three ports.
[Screenshot: Access Rule settings with Services and Scheduling]
Use the same method to add UDP [UDP135~139] and TCP [445~445] Ports.

c. Enhance the priority level of these three to the highest.
[Screenshot: Access Rule list with the three rules at the highest priority]

(3) Block QQLive Video Broadcast Setting
QQLive Video broadcast software is a stream media broadcast software. Many clients are bothered by the same problem: when several users apply QQLive Video broadcast software, a greater share of the bandwidth is
124. n

Alert Log
The device provides the following warning messages. Click to activate these features: Syn Flooding, IP Spoofing, Win Nuke, Ping of Death, Unauthorized Login Attempt.

Syn Flooding: Bulky syn packet transmission in a short time causes the overload of the system storage of record in connection information.
IP Spoofing: Through the packet sniffing, hackers intercept data transmitted on the network. After they access the information, the IP address from the sender is changed so that they can access the resource in the source system.
Win Nuke: Servers are attacked or trapped by the Trojan program.
Ping of Death: The system fails because the sent data exceeds the maximum packet that can be handled by the IP protocol.
Unauthorized Login: If intruders into the device are identified, the message will be sent to the system log.

General Log
The device provides the following warning messages. Click to activate the feature: System error message, blocked regulations, regulation of passage permission, system configuration change and registration verification.

Options: System Error Message, Deny Policies, Allow Policies, Configuration Change, Authorized Login.

System Error Message: Provides the system log with all kinds of error messages. For example, wrong settings, occurrence of abnormal functions, system reactivation, disconnection of PPPoE and so on.
Deny Policies: If remote users fail to
125. n be applied from http://www.qno.cn/en/ddns, www.3322.org, www.dyndns.org, or www.dtdns.com, and these are free.

Also, in order to solve the issue that DDNS server is not stable, the device can update the dynamic IP address with different services at the same time.

[Screenshot: DDNS status table listing Dyndns, 3322, Dtdns and Qnoddns as Disabled for each WAN interface]
The UI might vary from model to model, depending on different product lines.

Select the WAN port to which the configuration is to be edited, for example, WAN 1. Click the hyperlink to enter and edit the settings.

[Screenshot: DDNS settings for DynDNS.org, 3322.org, DtDNS.com and QnoDDNS.org.cn, with the status "DDNS function is disabled or No Internet connection"]
The UI might vary from model to model, depending on different product lines.

Interface: This is an indication of the WAN port the user has selected.
DDNS: Check either of the boxes before DynDNS.org, 3322.org, DtDNS.com, and QnoDDNS.org
126. n list "Interface", and then click "Enable". Finally, click "Add New", and the rule will be added to the mode.

After the rule has been set up, all traffic that is not going to the assigned destinations will only be transmitted through WAN1.

[Screenshot: Protocol Binding form (Show Priority, Service, Service Management, Source IP, Destination IP, Interface, Enable) and rule list, with All Traffic rules for the destination ranges 211.1.1.1 to 211.254.254.254 and 60.1.1.1 to 60.254.254.254]

VII. Intranet Configuration
This chapter introduces how to configure ports and understand how to configure intranet IP addresses.

7.1 Port Management
Through the device, users can easily manage the setup for WAN ports, LAN ports and the DMZ port by choosing the number of ports, speed, priority, duplex and enable/disable the auto-negotiation feature for connection setting of each port.

[Screenshot: Port Management, Port Setup table for the LAN, WAN 1 and WAN 2 ports with speed (10M/100M), duplex (Half/Full) and Enabled settings, and the option "Enable Port 1 as Mirror Port"]

Mirror Port: Users can configure LAN 1 as mirror port by choosing "Enable Port 1 as
127. [Charts: WAN traffic by hour, in Kbps, with the average for each WAN]
The UI might vary from model to model, depending on different product lines.

IV. WAN Traffic Statistic (Week): graphic and average up/down stream, as in the following figures.

[Charts: WAN Downstream and WAN Upstream for Nov 21 to Nov 27, in Kbps per day, with the average for each WAN]
The UI might vary from model to model, depending on different product lines.

XIV. Log out
On the top right corner of the web-based UI, there is a Logout button. Click on it to log out of the web-based UI. To enter next time, open the Web browser and enter the IP address, user name and password to log in.
128. [Screenshot: Enabled/Disabled options, including "Router sends ARP 20 times per second"]

b. Bind the Gateway IP and MAC address for each PC
This prevents the ARP from cheating IP and its MAC address. First, find out the gateway IP and MAC address on the device end.

[Screenshot: LAN Setting, showing the device IP address and Subnet Mask 255.255.255.0]

On every PC, start or operate cmd to enter the DOS operation. Enter arp -s 192.168.1.1 0a-0f-d4-9e-fb-0b so as to finish the binding of pc01 as illustrated.

[Screenshot: Windows XP command prompt running the arp -s command for 192.168.1.1]

For other host devices within the network, follow the same way to enter the IP and MAC address of the corresponding device to complete the binding work. However, if the computer is restarted, the setting will be cancelled. Therefore, this command can be placed in a batch file that runs when the operating system starts. The batch file can be written this way:

    @echo off
    arp -d
    arp -s Router LAN IP Router LAN MAC

For an internal network attacked by ARP, the source must be identified. Method: If the PC fails to go online or there is packet loss of ping, in the DOS screen, input arp -a command to check i
129. nator will terminate this VPN tunnel.
Under this situation, if you are the VPN tunnel initiator, the system will try to reconnect the tunnel; if you are the passive party, the system will wait for the initiator to establish the tunnel again.

Remote Host: The remote end point for the Heart Beat Detection. It is always sensible to select an end point for the Heart Beat detection; the end point should be a strong and stable server which is able to send reply quickly. We suggest using the LAN IP address of the VPN remote end point device as the target of the Heart Beat detection.
Interval: The default time for the Heart Beat interval is 30 seconds. The system will send an ICMP echo request every 30 seconds after the VPN tunnel is established.
Retry: The default retry times are 5. The system will terminate the VPN tunnel if the Heart Beat still fails after the default number of retries.

The VPN Heart Beat detection and DPD features are both used to provide a stable VPN solution for customers. The difference between them is that we can use the Heart Beat detection in a non-IPSec protocol. With the Heart Beat detection, we can monitor the VPN tunnel and make sure whether the tunnel exists and is smooth or not. However, the DPD feature is only available under the IPSec protocol.

10.1.2.2. Client to Gateway Setting
The following describes how an administrator builds a VPN tu
130. nnel between devices. Users can set this VPN tunnel to be used by one client at the client end. If it is used by a group of clients, the individual setting for remote clients can be reduced. Only one tunnel will be set and used by a group of clients, which allows easy setting.

Situation in Tunnel:
[Screenshot: Client to Gateway]

Tunnel No.: Set the embedded VPN feature, please select the Tunnel number.
Tunnel Name: Displays the current VPN tunnel connection name, such as XXX Office. Users are well advised to give them different names to avoid confusion. Note: If this tunnel is to be connected to the other VPN device, some devices require that the tunnel name is identical to the name of the host end to facilitate verification. This tunnel can thus be successfully enabled.
Interface: Users may select which port to be the node for this VPN channel. They can be applied for VPN connections.
Enabled: Click to Enable to activate the VPN tunnel. This option is set to Enable by default. After users set up, users may select to activate this tunnel feature.

Local Group Setup
This local gateway authentication type (Local Security Gateway Type) must be identical with that of the remote type (Remote Security Gateway Type).

Local Security Gateway Type: This local gateway authentication type comes with five operation modes, which are: IP only Authentication
131. nutes: If this function is selected, when the user's port connections reach the limit, all the lines that this user is connected with will be removed, and the user will not be able to connect with the Internet for five minutes. New connections cannot be made until the delay time ends.

Click "Apply" to save the configuration.
Click "Cancel" to leave without making any change.

Exempted Service Port or IP Address
[Screenshot: Exempted Service Port or IP Address form with Service (All Traffic [TCP&UDP/1~65535]), Service Management, Source IP, Enabled, and the maximum connections limit options (Unlimited / Not exceed 200). Buttons: Add to list, Delete selected item, Apply, Cancel]

Service Port: Choose the service port.
Source IP: Input the IP address range or IP group.
Enabled: Activate the rule.
Add to list: Add this rule to the list.
Delete selected item: Remove the rules selected from the Service List.
Apply: Click "Apply" to save the configuration.
Cancel: Click "Cancel" to leave without making any change.

8.3 Smart QoS
The smart QoS function enables the administrators to constrain the bandwidth occupied automatically without any configuring.

[Screenshot: Smart QoS settings. Each IP's upstream bandwidth threshold: 500 Kbit/sec. Each IP's downstream bandwidth threshold: 1000 Kbit/sec]
132. o through WAN 2 when connecting with servers with port 80, or assign all Intranet IP to go through WAN 1 when connecting with IP 211.1.1.1, users can do that by configuring "Protocol Binding".

Attention: When the Auto Load Balance mode is collocated with Protocol Binding, only IP addresses or servers that are configured in the connection rule will follow the rule for external connections; those which are not configured in the rule will still follow the device Auto Load Balance system.

Please refer to the explanations in 6.2.3 Configuring Protocol Binding for setting up Protocol Binding and for examples of collocating router modes with Protocol Binding.

Specify WAN Binding Mode
This mode enables users to assign specific intranet IP addresses, destination application service ports or destination IP addresses to go through an assigned WAN for external connection. After being assigned, the specific WAN will only support those assigned Intranet IP addresses, specific destination application service ports, or specific destination IP addresses. Intranet IP, specific destination application service ports and specific destination IP that are not configured under the rules will go through other WANs for external connection. For unassigned WANs, users can select Load Balance mode and select session or IP for load balancing.

Session Balance: If "By Session" is selected, the WAN band
133. on of the virus. Some users of the pirate version of Windows cannot install patches successfully. Users are advised to use network firewall and other measures for protection.

6. Close some unnecessary services and some unnecessary sharing (if the condition is applicable), which includes such management sharing as C$ and D$. Single device user can directly close Server service.

7. Do not casually open link messages sent by online chatting tools such as QQ or MSN. Do not open or execute any strange, suspicious documents and procedures, such as the unknown attachment enclosed in E-mail and plug-in.

4. Summary
ARP attack prevention is a serious and long-term undertaking. The above methods can basically resolve the network problems caused by ARP virus attack. Moreover, clients who adopted similar methods witness good results. However, it is important that network administrators pay special attention to this problem rather than overlooking the issue. It is suggested that the above measures can be adopted to prevent ARP attack, reduce the damage, enhance the work efficiency, and minimize economic loss.

Appendix III: Qno Technical Support Information
For more information about the Qno's product and technology, please log onto the Qno's bandwidth forum, refer to the examples of the FTP server, or contact the technical department of Qno's dealers as well as the Qno's Mainland technical
134. onfigured could be one issued by ISP. (The IP address is usually provided by the ISP when the PC is installed. Contact ISP for relevant information.)
Subnet Mask: Input the subnet mask of the static IP address issued by ISP, such as: issued eight static IP addresses: 255.255.255.248; issued 16 static IP addresses: 255.255.255.240.
Default Gateway Address: Input the default gateway of the static IP address issued by ISP. For ADSL users, it is usually an ATU-R IP address.
User Name: Input the user name issued by ISP.
Password: Input the password issued by ISP.
Connect on Demand: This function enables the auto dialing function to be used for a PPTP dial connection. When the client port attempts to connect with the Internet, the device will automatically connect with the default ISP auto dial connection; when the network has been idle for a period of time, the system will break the connection automatically. (The default time for automatic break off when no packets have been transmitted is five minutes.)
Keep Alive: This function enables the PPTP dial connection to redial automatically when the connection has been disconnected. Users can set up the redialing time. The default is 30 seconds.
Enable Line Dropped Scheduling: The WAN disconnection schedule will be activated by checking this option. In some areas, t
135. or the application process; therefore, it can refuse links to non-standard communication protocols. VPN Router supports network address translation (NAT) function and routing modes. It makes the network environment more flexible and easier to manage.
Through web-based UI, VPN Router enables enterprises to have their own network access rules. To control web access, users can build and edit filter lists. It also enables users to ban or monitor websites according to their needs. By the filter setting and complete OS management, school and business internet management will be clearly improved. VPN Router offers various on-line SysLog records. It supports on-line management setup tools; it makes setting up networks easy to understand. It also reinforces the management of network access rules, VPN, and all other network services.
VPN Router fully protects the safety of communication between all offices and branches of an organization. It helps to free enterprises from increasing hacker intrusion. With an exclusive independent operation platform, users are able to set up and use a firewall without professional network knowledge. VPN Router setting up and management can be carried out through web browsers, such as IE, Netscape, etc.
II. Multi-WAN VPN Router Installation
In this chapter we are going to introduce hardware installation. Through the unde
136. or example, if the time control is from Monday to Friday, 8:00am to 6:00pm, users can refer to the following figure to set up the rule.
IX. Firewall
This chapter introduces firewall general policy, access rule, and content filter settings to ensure network security.
9.1 General Policy
The firewall is enabled by default. If the firewall is set as disabled, features such as SPI, DoS, and outbound packet responses will be turned off automatically. Meanwhile, the remote management feature will be activated. The network access rules and content filter will be turned off.
[Screenshot: General Policy page with Enabled/Disabled switches and Restrict WEB Features (Java, Cookies, ActiveX, Access to HTTP Proxy Servers, "Don't block Java/ActiveX/Cookies/Proxy to Trusted Domains")]
Firewall: This feature allows users to turn on/off the firewall.
SPI (Stateful Packet Inspection): This enables the packet automatic authentication detection technology. The Firewall operates mainly at the network layer. By executing the dynamic authentication for each connection, it will also perform an alarming function for application procedure. Meanwhile, the packet authentication firewall may de
137. ort Strategy" window, select the WAN or WAN group (ex. WAN 1) to be assigned and click the "Import IP Range" button; the dialogue box for document importation will be displayed accordingly. A policy document is an editable text document. It may contain a destination IP users designated. After the path for document importation has been selected, click "Import", and then at the bottom of the configuration window click "Apply". The device will then dispatch the traffic to the assigned destination IP through the WAN (ex. WAN 1) or WAN grouping users designated to the Internet.
[Screenshot: Strategy Routing with Self-defined Strategy 1 and Self-defined Strategy 2]
To build a policy document, users can use a text-based editor, such as Notepad, which is included with Windows system. Follow the text format in the figure below to key in the destination IP addresses users want to assign. For example, if the destination IP address range users want to designate is 140.115.1.1 to 140.115.1.255, key in 140.115.1.1 140.115.1.255 in Notepad. The next destination IP address range should be keyed in the next line. Attention: Even if only one destination IP address is to be assigned, it should follow the same format. For example, if the destination IP address is 210.66.161.54, it should be keyed in as 210.66.161.54 210.66.161.54. After the document has been saved (the extension file name is .txt), users can import the IP range of self-defined strategy.
138. other method to bind IP and MAC is more recommended because of easy operation, reducing workload and time efficiency. It is described in the following.
Enter "Setup" under the DHCP page and look for IP and MAC binding. On the right, there is an option of "Show new IP user"; click to enter.
[Screenshot: IP & MAC binding page with "Show new IP user", Static IP Address, MAC Address, Name, Enable, "Add to list", "Block MAC address on the list with wrong IP address", "Block MAC address not on the list"]
Click to display IP and MAC binding list dialog box. In this box, the unbinding IP and MAC address corresponding to the PC are displayed. Enter the "Name" of the computer and click on "Enabled" with the display of the "V" icon and push the option on the top right corner of the screen to confirm.
Now the bound options will display on the IP and MAC binding list, as illustrated in Figure 5, and click "Apply" to finish binding.
[Screenshot: IP & MAC binding list with bound entries]
139. pace. Users don't need to do further settings.
[Screenshot: Local Security Gateway Type set to IP + E-mail (User FQDN) Authentication]
(4) Dynamic IP + Domain Name (FQDN) Authentication: If users use dynamic IP address to connect to the device, users may select this option to link to VPN. If the remote VPN gateway requires connection to the device for VPN connection, this device will start authentication and respond to this VPN tunnel connection; if users select this option to link to VPN, please enter the domain name.
(5) Dynamic IP + E-mail Addr. (USER FQDN) Authentication: If users use dynamic IP address to connect to the device, users may select this option to connect to VPN without entering IP address. When VPN Gateway requires for VPN connection, the device will start authentication and respond to VPN tunnel connection; if users select this option to link to VPN, enter E-Mail address to the empty field for E-Mail authentication.
This option allows users to set the local VPN connection access type. The following offers a few items for local settings. Please select and set appropriate parameters.
1. IP address: This option allows the only IP address which is entered to build the VPN tunnel.
140. r "SHA1".
Phase 1 SA Life Time: The life time for this exchange code is set to 28800 seconds (or 8 hours) by default. This allows the automatic generation of other exchange password within the valid time of the VPN connection so as to guarantee security.
Phase 2 SA Life Time: The life time for this exchange code is set to 3600 seconds (or 1 hour) by default. This allows the automatic generation of other exchange password within the valid time of the VPN connection so as to guarantee security.
Preshared Key: For the Auto (IKE) option, enter a password of any digit or characters in the text of "Pre-shared Key" (the example here is set as test), and the system will automatically translate what users entered as exchange password and authentication mechanism during the VPN tunnel connection. This exchange password can be made up of up to 30 characters.
Advanced Setting (for IKE Protocol Only)
[Screenshot: Advanced settings with options Aggressive Mode, Compress (Support IP Payload Compression Protocol (IP Comp)), Keep Alive, AH Hash Algorithm, Allow NetBIOS Broadcast Pass Through, NAT Traversal, Dead Peer Detection (DPD) with interval in seconds, Heart Beat with remote host, interval and retry count]
The advanced settings include Main Mode and Aggressive mode. For the Main mode, the default setting is
141. r has 2 10/100 Base-T/TX Ethernet (RJ45) WAN ports. These WAN ports can support auto load balance mode, exclusive mode (remaining WAN balance), and strategy routing mode for high efficiency network. They offer super flexibility for network set up. Moreover, these WAN ports also support DHCP, fixed IP, PPPoE, transparent bridge, VPN connection, port binding, static routing, dynamic routing, NAT, one to one NAT, PAT, MAC Clone, as well as DDNS. As for LAN ports including one DMZ, they support 2 10/100 Base-T/TX Ethernet (RJ45) ports and provide the features of virtual route, Microsoft UPnP, VLAN, Multi-Subnet, and transparent bridge mode. Internet IP addresses can also be used in intranet.
To fulfill the requirement for a highly secure and integrated firewall, VPN Router has a 64-bit hardware acceleration, high speed, high efficiency processor embedded. With high processing speed plus high standard SDRAM and Flash, VPN Router brings users super networking efficiency. Its processing speed and capacity are almost equal to those of expensive enterprise-level VPN Routers. This is why the device is so popular with modern enterprises.
In addition to internet connectability, for the broadband market, VPN Router has the function of VPN virtual network connection. It is equipped with a virtual private network hardware acceleration mode, which is widely used in modern enterprises, and offers full VPN functionality.
Qno is a supporter of the IPSec Protocol. IPSec
142. rds it as tort and relevant duty will be prosecuted as well.
(2) Scope of Authority of "Manual": The user may install, use, display and read this "Manual" on the complete set of computer.
(3) User Notice: If users obey the law and this Agreement, they may use this "Manual" in accordance with "Agreement". The "hardcopy or softcopy" of this Manual is restricted using for information, non-commercial and personal purpose. Besides, it is not allowed to copy or announce on any network computer. Furthermore, it is not allowed to disseminate on any media. It is not allowed to modify any part of the "file". Using for other purposes is prohibited by law and it may cause serious civil and criminal punishment. The transgressor will receive the accusation possibly.
(4) Legal Liability and Exclusion
(4-1) Qno will check the mistake of the texts and diagrams with all strength. However, Qno, distributors, and resellers do not bear any liability for direct or indirect economic loss, data loss or other corresponding commercial loss to the user or relevant personnel due to the possible omission.
(4-2) In order to protect the autonomy of the business development and adjustment of Qno, Qno reserves the right to adjust or terminate the software / Manual any time without informing the users. There will be no further notice regarding the product upgrade or change of technical specification. If it is necessary, the chan
143. re, please select the Tunnel number.
Tunnel Name: Displays the current VPN tunnel connection name, such as XXX Office. Users are well advised to give them different names to avoid confusion. Note: If this tunnel is to be connected to the other VPN device, some device requires that the tunnel name is identical to the name of the host end to facilitate verification. This tunnel can thus be successfully enabled.
From the pull-down menu, users can select the Interface for this VPN tunnel.
Enabled: Click to activate the VPN tunnel. This option is set to activate by default. Afterwards, users may select to activate this tunnel feature.
Local Group Setup
[Screenshot: Local VPN Group Setting, IP Only]
This Local Security Gateway Type must be identical with that of the remote type (Remote Security Gateway Type).
Local Security Gateway Type: This local gateway authentication type comes with five operation modes, which are:
IP only
IP + Domain Name (FQDN) Authentication
IP + E-mail Addr. (USER FQDN) Authentication
Dynamic IP + Domain Name (FQDN) Authentication
Dynamic IP + E-mail Addr. (USER FQDN) Authentication
Dynamic IP address + Email address name.
(1) IP only: If users decide to use IP only, entering the IP address is the only way to gain access to this tunnel. The WAN IP address will be
144. recommend that users use "Service Port Management" to add or remove ports, as follows:
[Screenshot: Service Management window with Service Name, Protocol and Port Range fields and the list of predefined services with their protocol and port range]
Service Name: Input the name of the service port users want to activate on the list, such as E-donkey, etc.
Protocol: To select whether a service port is TCP or UDP.
Port Range: To activate this function, input the range of the service port locations users want to activate, such as 500~500 or 2300~2310, etc.
Add to list: Add the service to the service list. It supports up to 100 rules.
Delete selected item: To remove the selected services.
Apply: Click the "Apply" button to save the modification.
Cancel: Click the "Cancel" button to cancel the modification. This only works before "Apply" is clicked.
Close: Quit this configuration window.
11.2 UPnP
UPnP (Universal Plug and Pl
145. rectly to view all VPN tunnel statuses, such as 3, 5, 10, 20 or All (Jump to Page, Entries Per Page).
Tunnel No.: To set the embedded VPN feature, please select the tunnel number. It supports up to 300 IPSec VPN tunnel Setting (gateway to gateway as well as client to gateway).
Status: Successful connection is indicated as "Connected". Failing hostname resolution is indicated as "Hostname Resolution Failed". Resolving hostname is indicated as "Resolving Hostname". Waiting to be connected is indicated as "Waiting for Connection". If users select Manual setting for IPSec setup, the status message will display as "Manual" and there is no Tunnel test function available for this manual setting.
Account ID: Displays the current VPN tunnel connection name, such as XXX Office. Users are well advised to give them different names to avoid confusion should users have more than one tunnel settings. Note: If this tunnel is to be connected to other VPN device (not this device), some device requires that the tunnel name is identical to the name of the host end to facilitate verification. This tunnel can thus be successfully enabled.
Phase2 Encrypt/Auth/Group: Displays settings such as encryption (DES/3DES), authentication (MD5/SHA1) and Group (1/2/5). If users select Manual setting for IPSec, Phase 2 DH group will not display.
Local Group: Displays the setting for VPN connection secure group of the local end.
146. rk access rule.
Restore to Default Rule: Restore all settings to the default values and delete all the self-defined settings.
9.3.1 Add New Access Rule
[Screenshot: Add New Access Rule page with Service Management and Scheduling (apply this rule from/to, 24-hour format, days of the week)]
Action: Allow: Permits the pass of packets compliant with this control rule. Deny: Prevents the pass of packets not compliant with this control rule.
Service: From the drop-down menu, select the service that users grant or do not give permission.
Service Management: If the service that users wish to manage does not exist in the drop-down menu, press "Service Management" to add the new service. From the pop-up window, enter a service name and communications protocol and port, and then click the "Add to list" button to add the new Service.
Log: No Log: There will be no log record. Create Log when matched: Event will be recorded in the log.
Source Interface: Select the source port whether users are permitted or not (for example: LAN, WAN1, WAN2 or Any). Select from the drop-down menu.
Source IP: Select the source IP range (for example: Any, Single, Range, or preset IP group name). If Single or Range is selected, please enter a single IP address or an IP address within a session.
Dest
147. rstanding of multi-WAN setting process, users can easily set up and manage the network, making VPN Router function with its best performance.
2.1 Systematic Setting Process
Users can set up and enable the network by utilizing bandwidth efficiently. The network can achieve the ideal efficiency, block attacks, and prevent security risks at the same time. Through the process settings, users can install and operate VPN Router easily. This simplifies the management and maintenance, so that the user network settings can be done at one time. The main process is as below:
1. Hardware installation
2. Login
3. Verify device specification and set up password and time
4. Set WAN connection
5. Set LAN connection: physical port and IP address settings
6. Set QoS bandwidth management: avoid bandwidth occupation
7. Set Firewall: prevent attack and improper access to network resources
8. Other settings: UPnP, DDNS, MAC Clone
9. Management and maintenance settings: Syslog, SNMP, and configuration backup
10. VPN (Virtual Private Network), QnoKey, QVM VPN function setting
11. Logout
2.2 Setting Flow Chart
Below is the description for each setting process, and the corresponding contents and purposes. For detailed functions, please refer to Appendix "Setting Interface and Chapter Index".
[Setting flow chart]
148. [Screenshot: packet log window with "Connection Refused / Policy violation" entries]
Incoming Packet Log: View system packet log of those entering the firewall. The log includes information about the external source IP addresses, destination IP addresses, and service ports. It is illustrated as below.
[Screenshot: Incoming Packet Log window]
149. [Screenshot: Smart QoS page with maximum upstream and downstream bandwidth for WAN 1 and WAN 2 (Kbit/sec), Penalty mechanism, Show Penalty IP]
Enabled QoS: Choose to apply QoS function.
When the usage of any WAN's bandwidth is over than _, Enable Smart QoS: Input the required rate value into the column. The default is 60.
Each IP's upstream bandwidth threshold (for all WAN): Input the max. upstream rate for intranet IPs.
Each IP's downstream bandwidth threshold (for all WAN): Input the max. downstream rate for intranet IPs.
If any IP's bandwidth is over maximum threshold, its maximum bandwidth will remain: When any IP uses more bandwidth than the above upstream or downstream settings, the IP will be restricted for the following upstream or downstream bandwidth settings.
Enabled Penalty Mechanism: After choosing "Enabled Penalty Mechanism", the device will enable the penalty conditions internally. When the IP still uses more upstream or downstream bandwidth than the setting, the device will execute the penalty conditions automatically.
Show Penalty IP: The IPs which are under penalty mechanism will be shown on the list.
Scheduling: If "Always" is selected, the rule will be executed around the clock. If "From" is selected, the rule will be executed according to the configured time range. F
150. User Name: Input the user name issued by ISP.
Password: Input the password issued by ISP.
Connect on Demand: This function enables the auto dialing function to be used in a PPPoE dial connection. When the client port attempts to connect with the Internet, the device will automatically make a dial connection. If the line has been idle for a period of time, the system will break the connection automatically. (The default time for automatic break off resulting from no packet transmissions is five minutes.)
Keep Alive: This function enables the PPPoE dial connection to keep connected, and to automatically redial if the line is disconnected. It also enables a user to set up a time for redialing. The default is 30 seconds.
Enable Line Dropped Scheduling: The WAN disconnection schedule will be activated by checking this option. In some areas, there is a time limitation for WAN connection service. For example, the optical fiber service will be disconnected from 0:00 am to 6:00 am. Although there is a standby system in the device, at the moment of WAN disconnection, all the external connections that go through this WAN will be disconnected too. Only after the disconnected lines are reconnected can they go through the standby system to connect with the Internet. Therefore, to a
151. [Screenshot: QnoKey group summary list with Show List, Edit, Add New Rule and Delete All Group buttons]
QnoKey Tunnel Number: Displays how many tunnels are applied and the total tunnel number of QnoKey tunnel. Through advanced setting, users can set the tunnel number of IPSec and QnoKey.
Enabled: Displays whether QnoKey username is enabled.
Account ID: Displays the user name group of QnoKey.
Local IP Address / Domain Name: Server IP address or the applied domain name.
Life Time: The present valid time of QnoKey; permanent use is displayed as "Forever".
Available Time: If the number of days of using QnoKey is set, the remaining time is displayed here.
Account Number Limitation: The upper limited number of QnoKey users.
Used Number: The number of QnoKey in use.
Online Number: Displays the number of connected devices that are using QnoKey.
Delete: Deletes one user name group setting rule.
Go to page: Goes to the page where summarized information is needed.
Entries per page: Each summary page displays several group messages.
Add Qnokey Group: Add new group settings.
Delete All Group: Delete all the group settings.
10.2.2 Qnokey Group Setup
Press Add New Qnokey Group to enter Group Setup page, as illustrated below.
152. t is selected and the network connection is set to other types such as DHCP/PPPoE, administrator needs to enter the IP address or domain name (through DDNS analysis).
Set the valid time for QnoKey group. If the QnoKey is for normal and frequent use, the option "Forever" may be selected so the user end valid time is infinite. If the user is more complicated or if it is meant for mobile users who travel on business, the VPN security can be guaranteed by setting the valid time of QnoKey as (1-99) days according to the desired number of days to be set.
Account Number Limitation: Set the maximum number of QnoKey users (from 1-100) allowed by the group setting rules.
Stolen Key Login Action: In the drop-down list, select operation options for the missing QnoKey. In the event of losing QnoKey, there are three options for selection: "Do Nothing", "Clear Key", and "Lock Key". Setting this feature on QnoKey can enhance VPN security. Select "Do Nothing" to do no change after the Key is lost. Select "Clear Key" to clean up the QnoKey settings when the VPN connection is established again after the QnoKey is lost. Select "Block Key" to block the VPN connection after the QnoKey is lost.
Press "Apply" to confirm the group settings and press "Cancel" to cancel the setting. Press "Back" to return the previous page.
Pressing "Apply" to display a dialog bo
153. ted, in the connected VPN tunnel, the device supports IP Payload Compression Protocol.
Keep Alive: If this option is selected, VPN tunnel will keep this VPN connection. This is mostly used to connect the remote node of the branch office and headquarter or used for the remote dynamic IP address.
AH hash calculation: For AH (Authentication Header), users may select MD5/SHA-1.
NetBIOS Broadcast: If this option is selected, the connected VPN tunnel allows the passage of NetBIOS broadcast packet. This facilitates the easy connection with other Microsoft network; however, the traffic using this VPN tunnel will increase.
Dead Peer Detection (DPD): If this option is selected, the connected VPN tunnel will regularly transmit HELLO/ACK message packet to detect whether there is connection between the two ends of the VPN tunnel. If one end is disconnected, the device will disconnect the tunnel automatically and then create new connection. Users can define the transmission time for each DPD message packet, and the default value is 10 seconds.
Heart Beat (VPN Tunnel Heart Beat Detection function): If this option is selected, the system will send ICMP ACK packet to the remote host with VPN tunnel regularly; the remote host will also send an ICMP ACK reply packet toward the originator. If there is still no received ICMP ACK reply after exceeding the setting retry, the Heart Beat Origi
154. ted, only computers with the session of 192.168.2.0 and with subnet mask as 255.255.255.0 can connect with remote VPN.
(3) IP Address Range: This option allows connection only when IP address range which is entered after the VPN tunnel is connected.
[Screenshot: IP Range setting]
Reference: When this VPN channel is connected, computers with the IP address range between 192.168.2.1 and 192.168.1.254 can establish connection.
IPSec Setup
[Screenshot: IPSec Setting page with DH group, hash algorithm and life time in seconds for Phase 1 and Phase 2]
If there is any encryption mechanism, the encryption mechanism of these two VPN tunnels must be identical in order to create connection. And the transmission data must be encrypted with IPSec key, which is known as the encryption "key". The device provides the IKE automatic encryption mode: IKE with Preshared Key (automatic). By using the drop-down menu, select the desired encryption mode as illustrated below.
Encryption Management Protocol: When users set this VPN tunnel to use any encryption and authentication mode, users must set the parameter of this exchange password with that of the remote.
Use IKE Protocol: Click the shared key generated by IKE to encrypt and authenticate the remote user. If PFS (Perfect Forward Secrecy) is enabled, the Phase 2 shared key
155. that will disconnect the temporal user to build the new connection when all connections are occupied. Nevertheless, Super Users cannot link successfully when there is no Temporal User to disconnect.
Temporal User: When all allowed connections are occupied, Temporal Users will be disconnected by Super Users possibly. Otherwise, they can't create a new connection in this situation.
Input account name.
Input password.
Input password again.
Input allowed connect time. If 24 hours is allowed, please enter 00:00 to 00:00.
Input Client PC MAC address if it needs to be checked (bound) to improve security. Leave blank if checking is unnecessary.
Add the account ID into the list.
To remove selected account ID from the list.
QnoSoftKey Tunnel Upgrade
If more QnoSoftKey Tunnels are needed, please check and purchase from your agent or Qno. A set of License Key number will be generated when the paying procedure is finished. Input "License Key Number" and click "Submit"; the system will check whether the License Key is valid. If the key is valid, the amount of QnoSoftKey Tunnels can be upgraded successfully.
[Screenshot: License Key page showing current time, NTP server, trial/official version, registration status and license expiry]
10.3 QVM VPN Function Setup
156. the original structure. Select the Transparent Bridge mode for the WAN connection mode. In this way, users will be able to connect normally with the Internet while keeping the original Internet IP addresses in Intranet IP configuration.

If there are two WANs configured, users still can select Transparent Bridge mode for WAN connection mode, and load balancing will be achieved as usual.

[Screenshot: WAN settings form for Transparent Bridge mode]

WAN IP Address: Input one of the static IP addresses issued by ISP.

Subnet Mask: Input the subnet mask of the static IP address issued by ISP, such as: Issued eight static IP addresses: 255.255.255.248. Issued 16 static IP addresses: 255.255.255.240.

Default Gateway Address: Input the default gateway of the static IP address issued by ISP. For ADSL users, it is usually an ATU-R IP address.

DNS Server    Internal LAN IP Range    Enable Line Dropped Scheduling    Line
157. though there is a standby system in the device, at the moment of WAN disconnection, all the external connections that go through this WAN will be disconnected too. Only after the disconnected lines are reconnected can they go through the standby system to connect with the Internet. Therefore, to avoid a huge number of disconnections, users can activate this function to arrange new connections to be made through another WAN to the Internet. In this way, the effect of any disconnection can be minimized.

Input the time rule for disconnection of this WAN service.

Input how long the WAN service may be disconnected before the newly added connections should go through another WAN to connect with the Internet.

Select another WAN port as link backup when port binding is configured. Users should select the port that employs the same ISP.

After the changes are completed, click "Apply" to save the configuration, or click "Cancel" to leave without making any changes.

Static IP

If an ISP issues a static IP (such as one IP or eight IP addresses, etc.), please select this connection mode and follow the steps below to input the IP numbers issued by an ISP into the relevant boxes.

[Screenshot: Static IP WAN settings form]
158. tic IP for a PC every single time, users should input the IP address users want to assign to this computer in the boxes. The server or PC which is to be bound will then acquire a static virtual IP whenever it restarts.

MAC Address: Input the static real MAC (the address on the network card) for the server or PC which is to be bound.

Name: For distinguishing clients, input the name or address of the client that is to be bound. The maximum acceptable characters are 12.
Enabled: Activate this configuration.
Add to list: Add the configuration or modification to the list.
Delete selected item: Remove the selected binding from the list.
Add: Add new binding.

Block MAC address on the list with wrong IP address: When this option is activated, MAC addresses which are not included in the list will not be able to connect with the Internet.

Show New IP user:

This function can reduce the administrator's effort on checking MAC addresses one by one for the binding. Furthermore, it is easy to make mistakes when filling out MAC addresses on the list manually. By checking this list, the administrator can see all MAC addresses which have traffic and are not bound yet. Also, if administrators find that one specific bound MAC address is shown on the list, it means that the user changes the private IP address.

[Screenshot: New IP List window]
159. tion list "Service", and then input "192.168.1.2 to 254" in the boxes of "Source IP". Retain the original numbers "0.0.0.0" in the boxes of "Destination IP" (which means to include all Internet IP addresses). Select WAN1 from the pull-down option list "Interface", and then click "Enable". Finally, click "Add New" and the rule will be added to the mode. The device will transmit packets that are not going to Port 80 to the Internet through WAN1.

[Screenshots: Protocol Binding rule form (Service, Source IP, Destination IP, Interface, Enable) and the resulting rule list]

Configuring Assigned Routing Mode
160. [Screenshot: service terms text, not recoverable from extraction]

Input the e-mail address which users used to register this product and the serial number of the product to log in to the QnoDDNS Service System. Be sure to input an available e-mail address so that the password sent from the system to activate QnoDDNS service can be received after the domain name registration.

[Screenshot: Qno Dynamic DNS Service Login form: E-mail, Serial Number, Security Image]

(3) Rules for Applying a Domain Name

The Domain should have at least 4 letters and no more than 63 letters.
The Domain name should only consist of a-z (lowercase letter) and 0-9
161. ultiple WAN IP, DDNS and MAC Clone    UPnP, DDNS, MAC Clone    multiple WAN IP, DDNS and MAC Clone

Management and maintenance settings (Syslog, SNMP, and configuration backup) | Monitor VPN Router working status and configuration backup | Administrators can look up system log and monitor system status and inbound/outbound flow in real time.
VPN Virtual Private Network (QnoKey, QVM VPN function setting) | Configure VPN tunnels, e.g. PPTP, QnoKey, and QVM VPN | Configure different types of VPN to meet different application environment.
Logout | Close configuration window | Logout VPN Router web-based UI.

We will follow the process flow to complete the network setting in the following chapters.

III. Hardware Installation

In this chapter we are going to introduce hardware interface as well as physical installation.

3.1 LED Signal

LED | Signal | Description
Power | Green | Green LED on: Power ON
DIAG | Amber | Amber LED on: System self-test is running. Amber LED blinking: System not ready. Amber LED off: System self-test is completed successfully.
Link/Act | Green | Green LED on: Port has been connected & Get IP. Green LED blinking: Packets are transmitting through Ethernet port.
100M-Speed | Amber | Amber LED on: Ethernet is running at 100Mbps. Amber LED off: Ethernet is running at 10Mbps.

Reset

Press Reset Button For 5 Secs | Warm Start: DIAG indicator
162. unnel and make sure whether the tunnel exists and is smooth or not. However, the DPD feature is only available under the IPSec protocol.

10.1.3 PPTP Server

It supports the PPTP of Windows XP, 2000 to create point-to-point tunnel protocol for single-device users to create VPN connection.

[Screenshot: PPTP Server settings with IP Range Starts 192.168.1.150 and IP Range Ends 192.168.1.189, new user account form, and connection list]

Enabled PPTP Server: When this option is selected, the point-to-point tunnel protocol PPTP server can be enabled.

PPTP IP Address Range: Please enter PPTP IP address range so as to provide the remote users with an entrance IP into the local network. Enter Range Start: Enter the value into the last field. Enter Range End: Enter the value into the last field.
User name: Please enter the name of the remote user.
Password, Confirm Password: Enter the password and confirm again by entering the new password.
Add to list: Add a new account and password.
Delete selected item: Delete Selected Item.
Connection List, All PPTP Status: Displays all succ
163. [Screenshot: ping output with replies from 192.168.1.1]

If there are cases of packet loss when pinging the LAN IP and the connection later comes back, it is possible that the system is under ARP attack. To verify the situation, we may judge by checking the ARP table. Enter the arp -a command as illustrated below.

[Screenshot: arp -a output for interface 192.168.1.72, listing Internet Address, Physical Address and Type]

It is found that the IP of 192.168.1.1 and 192.168.252 points to the same MAC address as 00-0f-3d-83-74-28. Evidently, this is an ARP cheat (spoofing).

3. ARP Solution

Now we understand ARP, ARP cheat and attack, as well as how to identify this type of attack. What comes next is to find out effective prevention measures to stop the network from being attacked. The general solution provided by Qno can be divided into the following three options:

a. Enable "Prevent ARP Virus Attack"

Enter the device IP address to log in the management webpage of the device. Enter "Firewall -> General" and find the option "Prevent ARP Virus Attack" to the right of the page. Click on the option to activate it and click "Apply" at the bottom of the page (see illustrated).

[Screenshot: Firewall General page with Enabled/Disabled options]
164. [Screenshot: Content Filter settings with Block Forbidden Domains, Accept Allowed Domains, Forbidden Domains list and Exception IP address]

Add: Enter the websites to be controlled such as www.playboy.com.
Add to list: Click "Add to list" to create a new website to be controlled.
Delete selected item: Click to select one or more controlled websites and click this option to delete.

Website Blocking by Keywords:

[Screenshot: Website Blocking by Keywords settings]

Enabled: Click to activate this feature. The default setting is disabled. For example: If users enter the string "sex", any websites containing "sex" will be blocked.
Keywords (Only for English keyword): Enter keywords.
Add to List: Add this new service item content to the list.
Delete selected item: Delete the service item content from the list.
Apply: Click "Apply" to save the modified parameters.
Cancel: Click "Cancel" to cancel all the changes made to the parameters.

Accept Allowed Domains

In some companies or schools, employees and students are only allowed to access some specific websites. This is the purpose of the function.

[Screenshot: Accept Allowed Domains settings]
165. void a huge number of disconnections, users can activate this function to arrange new connections to be made through another WAN to the Internet. In this way, the effect of any disconnection can be minimized.

Input the time rule for disconnection of this WAN service.

Input how long the WAN service may be disconnected before the newly added connections should go through another WAN to connect with the Internet.

Select another WAN port as link backup when port binding is configured. Users should select the port that employs the same ISP.

After the changes are completed, click "Apply" to save the configuration, or click "Cancel" to leave without making any change.

PPTP

This option is for the PPTP time counting system. Input the user's connection name and password issued by ISP, and use the built-in PPTP software to connect with the Internet.

[Screenshot: PPTP WAN settings form]

WAN IP Address: This option is to configure a static IP address. The IP address to be c
166. w

Block MAC address on the list with wrong IP address
Block MAC address not on the list

Though these basic operations can help solve the problem, Qno's technical engineers suggest that further measures should be taken to prevent the ARP attack.

1. Deal with virus source as well as the source device affected by virus through virus killing and the system re-installation. This operation is more important because it solves the source PC which is attacked by ARP. This can better shelter the network from being attacked.

2. Cyber café administrators should check the LAN virus, install anti-virus software (Ginshan Virus, Reixin must update the virus codes) and conduct virus scanning for the device.

3. Install the patch program for the system. Through Windows Update, the system patch program (critical update, security update and Service Pack).

4. Provide system administrators with a sophisticated and strong password for different accounts. It would be best if the password consists of a combination of more than 12 letters, digits, and symbols. Forbid and delete some redundant accounts.

5. Frequently update anti-virus software (virus database), and set the daily upgrade that allows regular and automatic update. Install and use the network firewall software. Network firewall is important for the process of anti-virus. It can effectively avert the attack from the network and invasi
167. w" and the rule will be added to the mode.

[Screenshot: Protocol Binding rule form and rule list]

Example 3: How do I set up Auto Load Balance Mode to keep all Intranet IP addresses from going through WAN2 when the destination port is Port 80 and keep all other services from going through WAN1?

As in the figure below, there are two rules to be configured. The first rule: select "HTTP [TCP/80~80]" from the pull-down option list "Service", and then in the boxes of Source IP input "192.168.1.0" to "0" (which means to include all Intranet IP addresses). Retain the original numbers "0.0.0.0" in the boxes of "Destination IP" (which means to include all Internet IP addresses). Select WAN2 from the pull-down option list "Interface", and then click "Enable". Finally, click "Add New" and the rule will be added to the mode. The device will transmit packets to Port 80 through WAN2. However, with only the above rule, packets that do not go to Port 80 may be transmitted through WAN2; therefore, a second rule is necessary. The second rule: Select "All Ports [TCP&UDP/1~65535]" from the pull-down op
168. w.hinet.net is acceptable here. Do not input an IP address. In addition, do not input the same web address in this box for two different WANs.

Note:

In the load balance mode for Assigned Routing, the first WAN port (WAN1) will be saved for the traffic of the IP addresses or the application service ports that are not assigned to other WANs (WAN2). Therefore, in this mode, we recommend assigning one of the connections to the first WAN. When other WANs (WAN2) are broken and connection error remove (Remove the Connection) has been selected for the connection detection system, traffic will be shifted to the first WAN (WAN1). In addition, if the first WAN (WAN1) is broken, the traffic will be shifted to other WANs in turn. For example, the traffic will be shifted to WAN2.

6.2.3 Protocol Binding

Interface Configuration

Router allows maximum two WAN interfaces. The bandwidth and real connection of every WAN will impact the load balance mechanism; therefore you need to set the Bandwidth and the Network service detection by each WAN Port correctly.

In "WAN Setting", click "Edit" to enter the WAN port configuration.

[Screenshot: WAN Setting list: WAN 1 Static IP, WAN 2 Obtain an IP automatically]

Bandwidth Configuration

When Auto Load Balance mode is selected, the device will select sessions or IP and the WAN bandwidth will automatically allocate connections to achieve load balancing
169. width will automatically allocate connections based on session number to achieve network load balance.

IP Balance: If "By IP" is selected, the WAN bandwidth will automatically allocate connections based on the number of IP addresses to achieve network load balance.

Note: Only when a device assignment is collocated with Protocol Binding can the balancing function be brought into full play. For example, an assignment requiring all Intranet IP addresses to go through WAN 1 when connecting with service port 80, or go through WAN 1 when connecting with IP 211.1.1.1, must be set up in the Protocol Binding Configuration.

Attention: When assigning mode is selected, as in the above example, the IP(s) or service provider(s) configured in the connection rule will follow the rule for external connections, but those which are not configured in the rule will still follow the device Load Balance system to go through other WAN ports to connect with the Internet.

Please refer to the explanations in 6.2.3 Configuring Protocol Binding for setting up Protocol Binding and for examples of collocating router mode with Protocol Binding.

Strategy Routing Mode

If strategy Routing is selected, the device will automatically allocate external connections based on routing policy (Division of traffic between Telecom and Netcom is to be used in China) embedded in the device. All you have to do is to sel
170. x in which it will ask if users want to continue to add new setting group. Click "OK" to add another group setting or "Cancel" to return to the QnoKey Summary page. It is illustrated as below.

[Screenshot: confirmation dialog: "Settings are successful. Press OK to add another USB Key Group, or press Cancel to return to the page of USB Key."]

2. Status

On the QnoKey Summary page, the defined group will be displayed, which is illustrated as below.

[Screenshot: QnoKey Client Table]

When a new rule is created, "Show List" and "Edit" buttons will be displayed behind the rule. Click on "Show List" to show the list of users applying this group rule. Click "Edit" to change settings. Click the trash can icon to delete this setting.

10.2.3 QnoKey Account List

Click "Show List" to show the Account List page applying this rule.

[Screenshot: Group Account list]

Group Account ID: Displays the group ID to which the user belongs.
Enabled: Click this option to activate QnoKey user.
QnoKey SN: Displays the QnoKey serial number.
Displays the QnoKey user name.
Displays the QnoKey connection status. "Connect" means the user is connected and online. "Disconnect" means no connection and offline.
Stolen Key Login Action: Select this option to
171. y default. When you are going to enable the QRTG function, the system will pop up a warning message to remind you this function will be enabled, which may influence router efficiency. You can use the drop-down menu to select current status, including statistics and graphics of the following items, when this function is enabled. The system will refresh the statistics and graphics to the latest data when you click the "Refresh" button.

I. CPU Usage: As in the following figure:

1. CPU Hours Usage Rate graphic (average, maximum)
2. CPU Days Usage Rate graphic (average, maximum)
3. CPU Week Usage Rate graphic (average, maximum)

[Figure: QRTG CPU Usage graphs: CPU Hours Usage Rate, CPU Days Usage Rate, CPU Week Usage Rate]
    