HotBrick VPN 800 / 2 User's Manual
Contents
1. [Figure 8-1: SNMP] [Page 61, HotBrick Network Solutions]
   Settings - SNMP
   System Information: Contact Person is the name of the person responsible for this device. Device name is the name of the VPN 800/2 Firewall Router. Physical Location is the location of the VPN 800/2 Firewall Router.
   Community: A relationship between an SNMP agent and a set of SNMP managers that defines authentication, access control and proxy characteristics.
   Trap Targets: Enter the IP address of any targets (PCs running SNMP software) to which you want traps to be sent. All traps are level 1.
   Email Alert
   This feature sends a warning email to inform the system administrator that one of the WAN ports was disconnected.
   Email Alert: You can choose to enable or disable sending the warning email.
   Email Sender Address: The email address which will send the warning email.
   Email SMTP Server Address: The email server address the warning email will be sent to.
   Email Recipient Address: It is an email address of system administrator the em
2. [Figure 8-3: Syslog]
   Syslog Configuration
   Syslog Delivery. Sending out: Check this if you want to send syslog messages to another machine. Keep Send messages: Check this if you want to keep sent messages; otherwise the sent messages will be deleted.
   Syslog Server. IP address: Up to 3 syslog servers can be used. Enable: You can enable or disable each server temporarily. Port: If your syslog server does not use the default port, you can change it.
   Log Priority For Modules. Level: The syslog messages are divided into 8 levels, from Emergency to Debug. The lower the level, the fewer messages will be generated. Emergency is the lowest priority level and Debug is the highest one.
   SNTP Configuration. Time Zone: You can set up system up time using SNTP (Simple Network Time Protocol), and there are 3 SNTP servers that you can define on the SNTP configuration.
   Admin Password
   The password screen allows you to assign a password to the Firewall Router.
   [Screenshot: Administrator Password]
3. [Figure 2-4: Primary Setup Screen]
   Settings - Primary Setup
   Connection Mode: Select the appropriate setting.
   Enable: Select this if you have connected a broadband modem to this port.
   Disable: Select this if there is no broadband modem connected to this port.
   Backup: Use this if you have a broadband modem on each port and wish to normally use only one. Select Enable for the primary port and Backup for the secondary port. The Backup port will only be used if the primary port fails.
   Connection Type: Check the data supplied by your ISP and select the appropriate option.
   Static IP: Select this if your ISP has provided a Fixed or Static IP address. Then enter the data into the Address Info fields.
   Dynamic IP: Select this if your ISP provides an IP address automatically when you connect. You can ignore
4. [Table of contents fragment: Appendix B Windows TCP/IP Setup; Appendix C (General, Internet Access)]
   Copyright 2004. All Rights Reserved. Document Version 1.4. All trademarks and trade names are the properties of their respective owners. HotBrick Network Solutions.
   1 Introduction
   Congratulations on the purchase of your new HotBrick VPN 800/2 Firewall Router. The VPN 800/2 Firewall Router provides Shared Broadband Internet Access and VPN tunnels for LAN users.
   Figure 1-1: VPN
5. [Figure 9-2: Routing Example]
   For the VPN 800/2 Firewall Router Gateway's Routing Table
   For the LAN shown above, with 2 routers and 3 LAN segments, the VPN 800/2 Firewall Router requires 2 entries as follows.
   Entry 1 (Segment 1): Destination IP Address 192.168.2.0; Network Mask 255.255.255.0; Gateway IP Address 192.168.1.100; Interface LAN; Metric 2.
   Entry 2 (Segment 2): Destination IP Address 192.168.3.0; Network Mask 255.255.255.0 (Standard Class C); Gateway IP Address 192.168.1.100; Interface LAN; Metric 3.
   For Router A's Default Route: Destination IP Address 0.0.0.0; Network Mask 0.0.0.0; Gateway IP Address 192.168.1.1; Metric 2.
   For Router B's Default Route: Destination IP Address 0.0.0.0; Network Mask 0.0.0.0; Gateway IP Address 192.168.2.80; Interface LAN; Metric 3.
   10 Operation and Status
   Operation
   Once both the VPN 800/2 Firewall Router and the PCs are configured, operation is automatic. However, there are some situations where additional Internet configuration may be required. Refer to Chapter
6. [Figure 5-4: System Filter Exception Setting]
   System Filter Exception Rules
   Enable: The check box allows you to enable or disable the firewall exception.
   Interface: If the check box is enabled, you can select LAN, WAN1, WAN or ALL interfaces to be processed by the system protocol stack.
   Protocol: There are six protocols (UDP, TCP, ICMP, GRE, ESP, AH) to choose from, to let the packets be processed directly by the system protocol stack.
   Foreign Port Range: If the check box is enabled, select the foreign port number range to be processed directly by the system protocol stack.
   Device Port Range: If the check box is enabled, select the device port number range to be processed directly by the system protocol stack.
   6 VPN Configuration
   Overview
   A Virtual Private Network (VPN) is a connection between two end points. It allows private data to be sent securely over a public network such as the Internet. A VPN establishes a private network that can send data securely between two networks. This is done by creating a tunnel. A VPN tunnel connects the two PCs or networks.
   Planning the VPN
   When planning your VPN, you must make the following choices first: 1. the remote end were a network the two endpoint netwo
7. [Figure 4-9: NAT Settings]
   Settings - NAT
   NAT Configuration
   NAT Routing: You can enable or disable NAT through the check box. If you disable the NAT checkbox, the device will act as a bridge or Static Router. Most features will be unavailable.
   TCP Timeout: Enter the desired value to use on both WAN ports. The default is 300.
   UDP Timeout: Enter the desired value to use on both WAN ports. The default is 120.
   TCP Window Limit: Enter the desired value to use on both WAN ports. The default is 0 (no limit).
   MSS Limit: Enter the required MSS (Maximum Segment Size) to use on both WAN ports. The default is 0 (no limit).
   Disable Port Translation: For some packets whose port number cannot be translated for special applications, you must input a value in the port range for Disable Port Translation.
   NAT Alias: For each alias entry, the WAN IP acts as an alias IP of the host with the Local LAN IP to the Internet, via the specified WAN port, for the specified Protocol packets.
   Advanced Features
   This screen allows you to change some advanced settings.
   Remote Access Configuration: This feature allow
8. [Table of contents fragment: Special Application; Dynamic [illegible]; NAT; Advanced Feature; Security Management; Access [illegible]; Session [illegible]; System [illegible]; VPN Configuration; IPSec Global [illegible]; QoS Configuration; Overview; QoS [illegible]; Policy Configuration; Management]
9. [Figure 1-4: Windows TFTP utility]
   Enter the name of the firmware upgrade file on your PC, or click the Browse button to locate the file.
   Enter the LAN IP address of the VPN 800/2 Firewall Router in the Server IP field.
   Click Download to send the file to the VPN 800/2 Firewall Router.
   3. When downloading is finished, it should then work normally using the default settings.
   Note: The supplied Windows TFTP utility also allows you to perform three (3) other operations:
   Save current configuration settings to your PC (use the Upload button).
   Restore a previously saved configuration file to the VPN 800/2 Firewall Router (use the Download button).
   Set the VPN 800/2 Firewall Router to its default values (use the Set to Default button).
   2 Basic Setup
   Overview
   Basic Setup of your HotBrick VPN 800/2 Firewall Router involves the following steps:
   1. Attach the HotBrick VPN 800/2 Firewall Router to one (1) PC, and configure it for your LAN.
   2. Install your HotBrick VPN 800/2 Firewall Router in your LAN, and connect the Broadband Modem or Modems.
   3. Configure your HotBrick VPN 800/2 Firewall Router Internet Access.
   4. Configure PCs on your LAN to use the VPN 800/2 Firewall Router.
   Requirements
   One (1) or two (2) DSL or Cable modems, each with an Internet Access account with an
10. [Figure 8-4: Admin Password Screen]
   Enter the desired password, re-enter it in the Verify Password field, then save it. When you connect to the Load Balancer with your Browser, you will be prompted for the password, as shown below.
   [Figure 8-5: Password Dialog]
   Enter Admin for the User Name.
   Enter the password for the VPN 800/2 Firewall Router, as set on the Admin Password screen above.
   Upgrade Firmware
   This Upgrade Firmware Screen allows you to upgrade firmware or back up the system configuration by using HTTP upgrade.
   [Figure 8-6: Upgrade Firmware]
   You can back up your system configuration by pressing the save button of Save System Configuration. It will save the system configuration for you.
   Notice: You have to refresh the browser after you have saved the system configuration file.
   You can also do a firmware upgrade by entering the correct password and the file name of your firmware. Remember, do not Reset or Restart the device while updating new firmware because it may ca
11. NAT Status
   This screen is displayed when you click the Check NAT Detail button on the WAN Status screen.
   [Figure 10-4: NAT Status]
   Data - NAT Status
   LAN IP Info. IP Address: The LAN IP Address of the VPN 800/2 Firewall Router. Mask Address: The Network Mask (Subnet Mask) for the IP Address above.
   Active WAN IP Info. There is one (1) row for each active connection. For each connection, the following data is shown. IP Address: The WAN (Internet) IP Address of the VPN 800/2 Firewall Router. Mask Address: The Network Mask (Subnet Mask) for the IP Address above.
   NAT Timeouts: This displays the current timeout values for TCP and UDP connections.
   TCP Property: This displays the MSS (Maximum Segment Size) and Maximum Window size for TCP packets.
   NAT Traffic: This section displays statistics for both outgoing (LAN to Internet) and incoming (Internet to Local) traffic.
   NAT Conn
12. [Figure B-7: Network Configuration (Windows XP)]
   3. Select the TCP/IP protocol for your network card.
   4. Click on the Properties button. You should then see a screen like the following.
   [Figure B-8: TCP/IP Properties (Windows XP)]
   5. Ensure your TCP/IP settings are correct.
   Using DHCP
   To use DHCP, select the radio button "Obtain an IP Address automatically". This is the default Windows setting. Restart your PC to ensure it obtains an IP Address from the VPN 800/2 Firewall Router.
   Using a fixed IP Address: Use the following
13. [Figure 5-1: Block URL Settings]
   Settings - Block URL
   Access Group: This allows you to have different blocking rules for different Groups of PCs.
   PCs (users) are in the Default Group unless moved to another group on the Host IP screen.
   If you want the same restrictions to apply to everyone, select Default for the Group. In this case, there is no need to enter any Hosts on the Host IP screen.
   If you wish to apply different restrictions on different Groups, select the desired Group and click the Select button. The screen will update with data for the selected Group.
   Block Internet Access. Enable/Disable: Use this to Enable or Disable each setting as required. Block URL/IP/Keyword: Enter the URL, IP address or keyword you wish to block.
   Access Filter
   The network Administrator can use the Access Filter to gain fine control over the Internet access and applications available to LAN users.
   Five (5) user groups are available, and each group can have different access rights.
   PCs (users) are in the Default group unless assigned to another group on the Host screen.
   [Screenshot: Security Management]
14. [Figure 5-2: Access Filter Settings]
   Settings - Block URL Setup
   Access Group. Select Group: This allows you to have different access rights for different Groups of PCs.
   If you want the same restrictions to apply to everyone, select Default for the Group. In this case, there is no need to enter any Hosts on the Host IP screen.
   If you wish to apply different restrictions on different Groups, select the desired Group and click the Select button. The screen will update with data for the selected Group.
   Filter Setting: Select the desired option for this Group.
   No filtering: Nothing is blocked. Internet access is not restricted.
   Block Access: Everything is blocked. Internet access is not available.
   Block selected items: Items selected on this screen are blocked.
   Block Well-known ports: You can block well known services by using the checkboxes or define your own fil
15. IP address for a particular PC on your LAN. This allows the PC to use DHCP (Windows calls this "Obtain an IP address automatically") while gaining the benefits of a fixed IP address. The PC's IP address will never change, so it can be provided to other people and applications.
   [Figure 4-1: Host IP Setup]
   Settings - Host IP Setup
   Host Network Identity: This section identifies each Host (PC).
   Host List: When adding a new Host, ignore this list. To edit an existing entry, select it from the list and click the Select button. The data fields will then be updated with data for the selected entry. H
16. Remember that only one (1) PC can use each Special application at any time. Also, when 1 PC is finished using a particular Special Application, there may need to be a Time-out period before another PC can use the same Special Application. If an application still cannot function correctly, try using the DMZ feature, if possible.
   Dynamic DNS
   Dynamic DNS is very useful when combined with the Virtual Server feature. It allows Internet users to connect to your Virtual Servers using a URL, rather than an IP Address. This also solves the problem of having a dynamic IP address. With a dynamic IP address, your IP address may change whenever you connect to your ISP, which makes it difficult to connect to you.
   You must register for the Dynamic DNS service. The VPN 800/2 Firewall Router supports 4 types of service providers:
   Hotbrick dynamic DNS is available at http www hotbrick dns4biz com hotbrick php3
   TZO: http://www.tzo.com
   3322 is available in China at http://www.3322.org
   Standard client, available at http://www.dyndns.org
   Other sites may offer the same service, but cannot be guaranteed to work.
   To use the Dynamic DNS feature:
   1. Register for the service from your preferred service provider.
   2. Follow the service provider's procedure to have a Domain Name (Host name) allocated to you.
   3. Configure the Dynamic DNS screen as described below.
   4. The VPN 800 2 Firewall Route
17. 4 Advanced Features for further details.
   System Status
   Use the System Status link on the main menu to view this screen.
   [Figure 10-1: System Status]
   Data - System Status
   WAN Information
   Connection Status: Current status, either Connected or Not connected.
   Connection Type: The type of connection used: DHCP, Fixed IP, PPPoE or PPTP.
   Force Renew button: Only available if using a dynamic IP a
18. [Figure 4-8: UPnP Settings]
   Settings - UPnP
   UPnP Option: If you Enable UPnP, then this two-WAN router becomes one of the devices on the entire local network. An icon will show up in Network Neighborhood on the Windows XP OS. Every time you add a new network device with port mapping, the new network device will appear on the mapping list.
   NAT Setting
   NAT (Network Address Translation) is the technology which allows one (1) WAN (Internet) IP address to be used by many LAN users.
   [Screenshot: NAT settings]
19. Settings - Session Limit
   Outgoing New Session Limit
   Session Limit: Enable or disable the Session Limit function. The default is Disable.
   Sampling Time: The period over which new sessions are counted. Only those new sessions that occurred in the most recent sampling time are counted for limit checking. Default is 400 milliseconds.
   Maximum of Total New session: If the number of new sessions for the system exceeds the maximum in the Sampling Time, any new sessions in the system will be dropped. Default 65535 session/sec.
   Maximum of New Sessions for Host: If the number of new sessions for the host exceeds the maximum in the sampling time, any new session of the host will be dropped. Default session/sec.
   Maximum of Dropped New Sessions for Host: If the number of dropped new sessions for the host exceeds the Maximum in the sampling time, any new session of the host will be dropped for the pause time.
   Pause Time: Within the pause time, no new session of the suspended host will be served by the system. Default is 5 minutes.
   System Filter Exception
   System Firewall Exception Rules: Any received packets that match these rules will not be processed by the Firewall or NAT module, but will be processed directly by the system protocol stack.
   [Screenshot: System Filter Exception]
20. [Figure 6-2: Policy Setup]
   VPN Policy Setup
   VPN Tunnel List: It shows the tunnels that you have entered.
   IPSec Traffic Binding: The router can set up up to 20 tunnels.
   Tunnel: In order to distinguish the tunnel, you have to give the tunnel a name.
   Tunnel: The tunnel can be connected only when the tunnel check box is enabled.
   WAN port: You can choose WAN1, WAN or Any to make the VPN connection.
   PPPoE S
21. entry
   Custom Server Configuration: This data defines the Custom Virtual Server.
   Server Name: Enter a suitable name for this server.
   State: Use this to Enable or Disable the server as required.
   Server IP: Enter the IP address of the PC on your LAN which is running the required Server software. Each PC should have a fixed IP address or have a reserved IP address. See the Host IP section earlier in this Chapter for details on reserving an IP address. Each PC must be running the appropriate Server software.
   Protocol Type: Select the network protocol used by this server type.
   LAN Port Range: Enter the range of port numbers used for outgoing traffic from this Server. If only a single port is required, enter it in both fields.
   WAN Port Range: Enter the range of port numbers used for incoming traffic to this Server. If only a single port is required, enter it in both fields.
   Interface Binding: This selection allows servers to bind to the WAN1 port or port, or even both WAN1 and WAN ports together.
   Buttons
   Add: Create a new Special Application entry.
   Delete: Delete the selected entry.
   Update: Save any changes you have made to the current entry.
   Cancel: Cancel any changes you have made since the last save operation.
   Custom Virtual Server List: This table shows details of all Custom Virtual Servers which have been defined.
22. from the list and click the Select button. The data fields will then be updated with data for the selected entry.
   Policy Name: Enter a suitable name. Generally you should use the Policy Name for the network traffic.
   Source Address: Define the source address of packets here. It has two types: IP address or MAC address. If you select IP address, you can define an IP address range; otherwise define up to four MAC addresses.
   Destination Address: Define the destination address of packets here. The explanation is the same as above.
   Protocol Type: The field defines the traffic packet type, i.e. IP, TCP and UDP.
   Source Port: Define the source port of packets here.
   Destination Port: Define the destination port of packets here.
   Priority Queue: If a packet meets all conditions defined above, it will be serviced with some priority level.
   8 Management Assistant
   Overview
   The following advanced features are provided: SNMP, Email Alert, SNMP, Syslog, Upgrade Firmware. This chapter contains details of the configuration and use of each of these features.
   SNMP
   This section is only useful if you have SNMP (Simple Network Management Protocol) software on your PC. If you have SNMP software, you can use a standard MIB II file with the VPN 800/2 Firewall Router.
   [Screenshot: Management Assistant]
23. recommended value is Enable. Windows systems, by default, act as DHCP clients. This setting is called "Obtain an IP address automatically".
   DHCP Server Setup: If you are already using a DHCP Server, the DHCP Server setting must be disabled, and the existing DHCP server must be set to provide the IP address of the VPN 800/2 Firewall Router as the Default Gateway.
   Client Lease Time: The finite period of time for which a DHCP server leases an IP address to a client.
   Client Default DNS: An IP address of the default DNS server for the client requesting DHCP service.
   Offered Range: These fields set the values used by the DHCP server when allocating IP Addresses to DHCP clients. This range also determines the number of DHCP clients supported.
   Free Entries: Indicates how many DHCP entries are not currently allocated and still available.
   ARP Proxy: Enable this ONLY if the LAN port has an IP address in the same address range as the WAN port(s). This means that all PCs using this Gateway must have valid, fixed, external (Internet) IP addresses. If enabled, enter the IP address range used on your LAN.
   LAN Any IP Setup: By default this is disabled. If you enable LAN any IP, then no matter what static IP address is held on the client (your PC), the clients do not need to change the IP address. Even if a client is on a different IP segment than the LAN segment, it can still access the Internet through NAT.
   DHCP Client List: This table show
24. required. You can also define your own Server types if required.
   Multiple DMZ: A DMZ PC will receive incoming connection requests which would otherwise be blocked. For each IP address allocated by your ISP, a separate DMZ PC can be specified. So if your ISP has given you multiple IP addresses, you can have multiple DMZ PCs. Each DMZ PC has unrestricted 2-way Internet access, providing the ability to run programs that are otherwise incompatible with NAT routers like the Load Balancer.
   Access Filter: The network Administrator can use the Access Filter to gain fine control over the Internet access and applications available to LAN users. Five (5) user groups are available, and each group can have different access rights.
   Block URL: Use this feature to block access to undesirable Web sites by LAN users. You can even have different settings for different groups of PCs.
   Session Limit: With the Session Limit feature, if the number of new sessions for the system exceeds the maximum in the sampling time, any new session in the system will be dropped.
   System Filter Exception: With the firewall exception, the packets will not be processed by the firewall or NAT module but will be processed directly by the system protocol stack.
   Other Features
   8-Port Switching Hub: The VPN 800/2 Firewall Router incorporates an 8-port 10/100BaseT switching hub, making it easy to create or extend your LAN.
   DHCP Server Su
25. root before attempting any changes.
   Fixed IP Address
   By default, most Unix installations use a fixed IP Address. If you wish to continue using a fixed IP Address, make the following changes to your configuration:
   Set your Default Gateway to the IP Address of the VPN 800/2 Firewall Router.
   Ensure your DNS (Name server) settings are correct.
   To act as a DHCP Client (recommended)
   The procedure below may vary according to your version of Linux and X-windows shell.
   1. Start your X Windows client.
   2. Select Control Panel - Network.
   3. Select the Interface entry for your Network card. Normally, this will be called eth0.
   4. Click the Edit button, set the protocol to DHCP, and save this data.
   5. To apply your changes: use the Deactivate and Activate buttons, if available, OR restart your system.
   3 Advanced Port Setup
   Overview
   Port Options contains some options which can be set on either or both WAN ports. For most situations, the default values are satisfactory.
   The Load Balance screen is only functional if you are using both WAN ports. It allows you to determine the proportion of WAN traffic sent through each port.
   Advanced PPPoE setup is required if you wish to use multiple sessions on one or both of the WAN ports. It can also be used to manually connect or disconnect a session. Otherwise, this screen can be ignored.
   A
26. the Address Info fields.
   PPPoE: Select this if your ISP uses this method. Usually, your ISP will provide some PPPoE software. This software is no longer required, and should not be used. If this method is selected, you must complete the dialup fields.
   Note: If using the PPTP connection method, select Static IP or Dynamic IP, as appropriate, according to the IP address method used by your ISP.
   This is for Static IP users only. Enter the address information provided by your ISP. If your ISP provided multiple IP addresses, you can use the Multi DMZ screen to assign the additional IP addresses.
   This is for PPPoE and PPTP users only.
   Enter the Username and Password provided by your ISP.
   If using PPTP, enable the PPTP Connection checkbox and enter the IP address of the PPTP server.
   Host name (Optional, for PPPoE): This field is used by a Host to uniquely associate an access concentrator to a particular Host request.
   Note: There are additional PPPoE/PPTP options on the Port Options screen. To use multiple PPPoE sessions on either port, configure the Advanced PPPoE screen.
   If using a Fixed IP address, you MUST enter at least 1 DNS address. If using Dynamic IP or PPPoE, DNS information is optional.
   Host name: This is required by some ISPs. If your ISP provided a Host Name, enter it here. Otherwise, you can use the default value.
   Domain name: This is required by some ISPs. If your ISP provided a Domain Nam
27. 800/2 Firewall Router
   Internet Features
   Shared Broadband Internet Access: All LAN users can access the Internet through the VPN 800/2 Firewall Router, by sharing one (1) or two (2) Broadband modems and connections.
   High Performance Dual Modem Support: The VPN 800/2 Firewall Router has two (2) WAN ports, allowing connection of two (2) Broadband modems. This gives twice the bandwidth of a single modem. Flexible configuration allows each port to use a different type of modem and connection method. Also, you can determine how the Internet traffic is shared between the 2 modems.
   Supports all common Connection Methods: All popular DSL and Cable Modems and connection methods are supported, including Fixed IP, Dynamic IP, PPPoE and PPTP.
   PPPoE Session Management: Multiple sessions are supported, and you can choose to map sessions to individual PCs if desired.
   Multiple IP Address Support: If your ISP allocates you multiple IP addresses, these are also supported, and you can map IP addresses to individual PCs if desired.
   Special Applications: This feature allows you to use some non-standard applications, where the port number used for the response is different to the port number used by the sender.
   Virtual Servers: This feature allows Internet users to access Internet servers on your LAN. For standard servers such as Web, FTP or E-Mail servers, only the IP address of the server PC is
28. [Table of contents fragment: Assistant; Overview; SNMP; Admin [illegible]; Upgrade [illegible]; 9 Advanced LAN Configuration; Existing [illegible]; 10 Operation and Status; System Status]
29. Dual WAN Firewall Router VPN 800 2 User's Guide. HotBrick Network Solutions. TABLE OF CONTENTS: Other Features; Package; Physical; SETUP; ADVANCED PORT SETUP; Load Balance; Advanced PPPoE; Host IP Setup; Custom Virtual
30. IP Address. If your PC is already configured, check with your network administrator before making the following changes.
• Enter the VPN 800 2 Firewall Router's IP address in the Default gateway field and click OK. Your LAN administrator can advise you of the IP Address they assigned to the VPN 800 2 Firewall Router.
• If the DNS Server fields are empty, select "Use the following DNS server addresses" and enter the DNS address or addresses provided by your ISP, then click OK.
Appendix C: Troubleshooting
Overview: This chapter covers some common problems that may be encountered while using the VPN 800 2 Firewall Router and some possible solutions to them. If you follow the suggested steps and the VPN 800 2 Firewall Router still does not function properly, contact your dealer for further advice.
General Problems
Problem 1: Can't connect to the VPN 800 2 Firewall Router to configure it.
Solution 1: Check the following:
• The Load Balancer is properly installed, LAN connections are OK, and it is powered ON.
• Ensure that your PC and the VPN 800 2 Firewall Router are on the same network segment. (If you don't have a router, this must be the case.)
• If your PC is set to "Obtain an IP Address automatically" (DHCP client), restart it.
• If your PC uses a Fixed (Static) IP address, ensure that it is using an IP Address within the range 192.168.1.2 to 192.168.1.254 and thus comp
31. ISP. Network cables: Use standard 10/100BaseT network (UTP) cables with RJ45 connectors. TCP/IP network protocol must be installed on all PCs.
Procedure 1: Configuring the VPN 800 2 Firewall Router for your LAN
1. Use a standard LAN cable to connect your PC to any Hub port on the VPN 800 2 Firewall Router.
2. Connect the power cord and power up the VPN 800 2 Firewall Router. Only use the power cord provided; using a different one may cause hardware damage.
3. Start your PC. If your PC is already running, restart it. It will then obtain an IP address from the VPN 800 2 Firewall Router.
4. Start your WEB browser.
5. In the Address or Location box, enter HTTP://192.168.1.1
6. You will be prompted for the User Name and password, as shown below.
[Figure 2-1: Password Dialog]
7. Enter admin for the User Name and leave the Password blank.
• The User Name is always admin.
• You can and should set a password, using the following Admin Password screen.
No Response?
• Is your PC using a Fixed IP address? If so, you must configure your PC to use an IP address within the range 192.168.1.2 to 192.168.1.254, with a Network Mask of 255.255.255.0. See Appendix B, Windows TCP/IP Setup, for details.
• Che
32. N 800 2 Firewall Router for Internet access, follow this procedure.
For Windows 9x/2000
1. Select Start Menu - Settings - Control Panel - Internet Options.
2. Select the Connection tab, and click the Setup button.
3. Select "I want to set up my Internet connection manually, or I want to connect through a local area network (LAN)" and click Next.
4. Select "I connect through a local area network (LAN)" and click Next.
5. Ensure all of the boxes on the following Local area network Internet Configuration screen are unchecked.
6. Check the "No" option when prompted "Do you want to set up an Internet mail account now?".
7. Click Finish to close the Internet Connection Wizard. Setup is now completed.
For Windows XP
1. Select Start Menu - Control Panel - Network and Internet Connections.
2. Select "Set up or change your Internet Connection".
3. Select the Connection tab, and click the Setup button.
4. Cancel the pop-up "Location Information" screen.
5. Click Next on the "New Connection Wizard" screen.
6. Select "Connect to the Internet" and click Next.
7. Select "Set up my connection manually" and click Next.
8. Check "Connect using a broadband connection that is always on" and click Next.
9. Click Finish to close the New Connection Wizard. Setup is now completed.
Accessing AOL
To access AOL (America On Line) through the VPN 800 2 Firewall Router, the AOL for Windows software must be configur
33. ail will be sent to.
[Figure 8-2: Email Alert]
Settings: Email Alert Configuration
Enable/Disable Email Alert:
• Enable: This will enable email alert, so that a warning email is sent when a WAN port is disconnected.
• Disable: This will disable email alert, so that no warning email is sent when a WAN port is disconnected.
Email Alert:
Email Sender Address: The email address that sends the warning email to a recipient, informing the recipient to check whether there is any problem on the WAN ports.
Email SMTP Server Address: The email server to which the warning email will be sent if email alert is enabled. For example, mail.domain.com.
Email SMTP server user name: This is the user name of the email sender, for authentication (optional).
Email SMTP server password: This is the user password.
Email Recipient Addre
34. atible with the VPN 800 2 Firewall Router's default IP Address of 192.168.1.1. Also, the Network Mask should be set to 255.255.255.0 to match the VPN 800 2 Firewall Router. In Windows, you can check these settings by using Control Panel - Network to check the Properties for the TCP/IP protocol.
Internet Access
Problem 1: When I enter a URL or IP address, I get a time-out error.
Solution 1: A number of things could be causing this. Try the following troubleshooting steps.
• Check if other PCs work. If they do, ensure that your PC's IP settings are correct. If using a Fixed (Static) IP Address, check the Network Mask, Default gateway and DNS as well as the IP Address.
• If the PCs are configured correctly but still not working, check the VPN 800 2 Firewall Router. Ensure that it is connected and ON. Connect to it and check its settings. (If you can't connect to it, check the LAN and power connections.)
• If the VPN 800 2 Firewall Router is configured correctly, check your Internet connection (DSL/Cable modem etc.) to see that it is working correctly.
Problem 2: Some applications do not run properly when using the VPN 800 2 Firewall Router.
Solution 2: The VPN 800 2 Firewall Router processes the data passing through it, so it is not transparent. Use the Special Applications feature to allow the use of Internet applications which do not function correctly. If this
35. block all Internet access, or select block well-known ports or block user-defined ports by groups.
Session Limit: It can block users from accessing the Internet and send an email alert to the administrator if the device detects new sessions that exceed the maximum sampling time.
System Filter Exception: It can block users from accessing the Internet and send an email alert to the administrator if the device detects new sessions that exceed the maximum sampling time.
Block URL
This feature allows you to block access to undesirable Web sites. You can block by URL, IP address or Keyword. You can also have different blocking settings for different groups of PCs. In operation, every URL is searched to see if it matches or contains any of the URLs or keywords entered here. Then, after a DNS lookup determines the IP address of the requested site, the site's IP address is checked against IP address entries on this screen. Note that a single IP address may host many Web sites. Entering the IP address on this screen will block all Web sites hosted on that IP address.
[Figure: Access Filter screen]
36. ck that the VPN 800 2 Firewall Router is properly installed, LAN connection is OK, and it is powered ON.
8. After the login, you will then see the Admin Password screen, as shown below. Assign a password by entering it in the Password and Verify fields.
[Figure 2-2: Home Screen (Admin Password), VPN 800 2]
9. Select LAN & DHCP from the menu. You will see a screen like the example below.
[Figure: LAN & DHCP screen]
37. [Figure 4-7: Multi DMZ]
Settings: Multi DMZ (fields: Enable; Name; For Static IP: Public IP address, Private IP Address (LAN); For Dynamic IP: WAN Session, Private IP Address (LAN); Access Group; Direction)
Enable: Use this to enable or disable the DMZ setting as required.
Name: Enter a name to assist you to remember this setting. This name has no effect on the operation.
Public IP address: Enter the WAN port (Internet) IP address you wish to associate to a PC. This IP address must have been allocated to you by your ISP.
Private IP Address (LAN): Enter the IP address of the PC you wish to associate with this WAN port IP address. This IP address should be fixed or reserved. See the Host IP sec
38. ddress
DHCP: Clicking this button will perform a DHCP "Renew" transaction with the ISP's DHCP server. This will extend the period for which the current WAN IP address is allocated to you.
IP Address: The IP address of the VPN 800 2 Firewall Router, as seen from the Internet. This IP Address is allocated by the ISP (Internet Service Provider).
Subnet Mask: The Network Mask (Subnet Mask) for the IP Address above.
Domain Name IP Address: The address of the current DNS (Domain Name Server).
MAC Address: The MAC (physical) address of the VPN 800 2 Firewall Router, as seen from the Internet.
IP Address: The LAN IP Address of the VPN 800 2 Firewall Router.
Subnet Mask: The Network Mask (Subnet Mask) for the IP Address above.
MAC Address: The MAC (physical) address of the VPN 800 2 Firewall Router, as seen from the local LAN.
DHCP Server: The status of the DHCP Server function, either "Enabled" or "Disabled".
Firmware Version: Version of the Firmware currently installed.
NAT: Status of the NAT feature, either "Enable" or "Disable".
Load Balance: Status of the Load Balance feature, either "Enable" or "Disable".
Virtual Server: Status of the Virtual Server feature, either "Enabled" or "Disabled".
Special Applications: Status of the Special Applications feature, either "Enabled" or "Disabled".
DMZ: Status of the DMZ feature, either "Enabled" or "Disabled".
Block URL: Status of the Block URL fea
39. does solve the problem, you can use the DMZ function. This should work with most applications, but:
• It is a security risk, since the firewall is disabled for the DMZ PC.
• Only one (1) PC can use this feature.
40. dvanced PPTP setup is required if using the PPTP connection method.
Port Options
[Figure 3-1: Port Options]
Settings: Port Options (sections: Connection Validation; PPPoE/PPTP Connection Options; Transparent Bridge Option)
Health Check: Disable will not do the Alive Indicator check. By default, health check is enabled. Health checking sends an ICMP echo request and HTTP packets to a specific destination, which can be either 1) the Name or IP Address the user specified in the Alive Indicator input box, or the gateway of the WAN interface if Alive Indicator i
41. e, enter it here. Otherwise, you can use the default value.
• MAC address: Some ISPs record your MAC address (also called "Physical address" or "Network Adapter address"). If so, you can enter the MAC address expected by your ISP in this field. Otherwise, this should be left at the default value.
Setup of the HotBrick VPN 800 2 Firewall Router is now complete. PCs on your LAN must now be configured. See the following section for details.
4 Configure PCs on your LAN
Overview: For each PC, the following may need to be configured:
• TCP/IP network settings
• Internet Access configuration
TCP/IP Settings
If using the default VPN 800 2 Firewall Router settings and the default Windows 95/98/ME/2000/XP TCP/IP settings, no changes need to be made. Just start (or restart) your PC.
• By default, the VPN 800 2 Firewall Router will act as a DHCP Server, automatically providing a suitable IP Address (and related information) to each PC when the PC boots.
• For all non-Server versions of Windows, the default TCP/IP setting is to act as a DHCP client. In Windows, this is called "Obtain an IP address automatically". Just start (or restart) your PC, and it will obtain an IP address from the VPN 800 2 Firewall Router.
• If using fixed IP addresses on your LAN, or you wish to check your TCP/IP settings, refer to Appendix B, Windows TCP/IP Setup.
Internet Access
To configure your PCs to use the VP
42. Special Applications
If you use Internet applications which have non-standard connections or port numbers, you may find that they do not function correctly because they are blocked by the firewall in the Load Balancer. In this case, you can define the application as a "Special Application" in order to make it work. Note that the terms "Incoming" and "Outgoing" on this screen refer to traffic from the client (PC) viewpoint.
[Figure 4-5: Special Applications]
Settings: Special Applications
Select Special Application Name:
Select Name Item: This lists any special applications which are currently defined.
• If adding a new Special Application, ignore this list. Just enter your data in the Special Application Configuration section and click the "Add" button.
• To edit an existing entry, select it from this list and click the "Select" button. The data for the selected application will then be displayed in the Special Applicati
43. ections: This displays the current number of active connections. For further details, click the "View Connection list" button.
Errors: Statistics are displayed for Checksum errors, number of retries, and number of bad packets.
Misc: This displays the total IP packets and reserved address.
Appendix A: Specifications
Model: Hotbrick VPN 800 2 Firewall Router
Dimensions: 120mm (W) x 427mm (D) x 43.4mm (H)
Operating Temperature: 0°C to 40°C
Storage Temperature: 10°C to 70°C
Network Protocol: TCP/IP
Network Interface: 10 Ethernet: 8 x 10/100BaseT (RJ45) auto-switching Hub ports for LAN devices; 2 x 10/100BaseT (RJ45) for WAN
LEDs: 8 LAN, 2 WAN, 2 Status, 1 Power
Power Input: AC 115V 230V 9 0 5A
FCC Statement
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference. (2) This device must accept any interference received, including interference that may cause undesired operation.
CE Marking Warning
This is a Class B product. In a domestic environment, this product may cause radio interference, in which case the user may be required to take adequate measures.
Appendix B: Windows TCP/IP Setup
Overview
TCP/IP Settings: If using the default Load Balancer settings and the default Windows 95/98/ME/2000 TCP/IP settings, no change
44. ed, the selected packet types are blocked. Otherwise, they are accepted.
Echo Request, Timestamp Request: Select the packet types you wish to block, using the checkboxes.
When you have servers on the LAN whose domain names are already registered on public DNS, enter the following fields to avoid the DNS loopback problem.
Domain Name: Enter the domain name specified by you for the local host server.
Private IP: Enter the private IP address of your local host server.
Interface Binding
SMTP (Simple Mail Transport Protocol) Binding: Unless you are using E-mail accounts from different ISPs on each port, you can ignore these settings. Some ISPs configure their E-mail Servers so they will not accept E-mail from IP addresses not allocated by themselves. If you are using accounts from different ISPs, sending E-mail over the wrong port may result in non-acceptance of the mail. In this case, you can use these settings to correct the problem.
• Enable: If enabled, the port you specify below will be used for all outgoing SMTP traffic. If not enabled, either port will be used.
• WAN1/WAN2: Select the desired port.
Protocol & Port Binding
Protocol and Port Binding: Use these settings if you wish to ensure that particular traffic is sent by a particular WAN port, and thereby a particular ISP account.
• Enable: Enable or disable each item as required.
• Source IP: IP addres
45. ed to use TCP/IP network access, rather than a dial-up connection. The configuration process is as follows:
• Start the AOL for Windows communication software. Ensure that it is Version 2.5, 3.0 or later. This procedure will not work with earlier versions.
• Click the Setup button.
• Select Create Location, and change the location name from "New Locality" to "VPN 800 2 Firewall Router".
• Click Edit Location. Select TCP/IP for the Network field. (Leave the Phone Number blank.)
• Click Save, then OK. Configuration is now complete.
• Before clicking "Sign On", always ensure that you are using the "VPN 800 2 Firewall Router" location.
Macintosh Clients
From your Macintosh, you can access the Internet via the VPN 800 2 Firewall Router. The procedure is as follows.
1. Open the TCP/IP Control Panel.
2. Select Ethernet from the "Connect via" pop-up menu.
3. Select "Using DHCP Server" from the Configure pop-up menu. The DHCP Client ID field can be left blank.
4. Close the TCP/IP panel, saving your settings.
Note: If using manually assigned IP addresses instead of DHCP, the required changes are:
• Set the Router Address field to the VPN 800 2 Firewall Router IP Address.
• Ensure your DNS settings are correct.
Linux Clients
To access the Internet via the VPN 800 2 Firewall Router, it is only necessary to set the VPN 800 2 Firewall Router as the "Gateway" and ensure your Name Server settings are correct. Ensure you are logged in as
46. een.
Buttons
• Add: Use this to add a new entry to the database, using the data shown on screen.
• Delete: Click this to delete the selected entry.
• Update: Use this to update the selected entry, after making the desired changes.
• Reset: Reverse any changes you have made since loading the data from the VPN 800 2 Firewall Router.
Host & Group List: This table shows the current bindings.
Virtual Servers
This feature allows you to make Servers on your LAN accessible to Internet users. Normally, Internet users would not be able to access a server on your LAN because:
• Your Server's IP address is only valid on your LAN, not on the Internet.
• Attempts to connect to devices on your LAN are blocked by the firewall in the VPN 800 2 Firewall Router.
The Virtual Server feature solves these problems and allows Internet users to connect to your servers, as illustrated below.
[Figure 4-2: Virtual Servers]
Note that, in this illustration, both Internet users are connecting to the same IP Address, but using different protocols.
Connecting to the Virtual Servers
Once configured, anyone on the Internet can connect to your Virtual Servers. They must use
47. efresh: Update the data on screen.
Restart Counters: Restart the counters used in the Interface Statistics section.
Advanced PPPoE
This screen is required in order to use multiple PPPoE sessions on the same WAN port. It can also be used to manually connect or disconnect a PPPoE session.
[Figure 3-3: Advanced PPPoE]
Settings: Advanced PPPoE
Select WAN Port & Session: Select the desired WAN Port and Session, then click the "Select" button. The data for the selected Port/Session will then be displayed in the WAN IP Account section.
Session MTU: The Maximum Transfer Unit for PPPoE packet data. Leave it as default unless the ISP offers a different PPPoE packet data size.
WAN IP Account:
• User Name: Enter the PPPoE user name assigned by your ISP.
• Password: Enter the PPPoE password assigned by your ISP.
• Verify Password: Re-enter the PPPoE password assigned by your ISP.
• IP Address: If you have a fixed IP addre
48. ession: If you are using PPPoE to make the connection and your ISP offers multiple PPPoE sessions, you can select these PPPoE sessions to construct VPN tunnels.
Local Identity Type: You can choose either your Local WAN IP or Domain name (Distinguished Name) as your local identity.
Traffic Selector
Service Protocol Type: You can choose TCP, UDP, ICMP or GRE as your connection protocol. By default, the protocol type is Any.
Local Security Network: These entries identify the private network on this VPN router, the hosts of which can use the LAN-to-LAN connection. You can choose a single IP address, the subnet, or a selected IP range to make the VPN LAN-to-LAN connection.
Remote Security Network: These entries identify the private network on the remote peer VPN router, whose hosts can use the LAN-to-LAN connection. You can choose a single IP address, the subnet, or a selected IP range to make the VPN connection.
Remote Security Gateway: You can select either the remote side's domain name or the remote side's IP address (WAN IP address) as your remote side security gateway.
Security Level
Encryption Method: It specifies the encryption mechanism to use. Data encryption makes the data unreadable if intercepted. There are three encryption methods available: DES, 3DES and AES. The default is null.
Authentication: It specifies the packet authentication mechanism to use. Packet authentication proves that data comes from source you think it co
49. h the User Name above. This is assigned by your ISP and used to login to the PPTP Server.
• Verify Password: Re-enter the PPTP password assigned by your ISP.
• Server IP Address: Enter the IP address of the PPTP Server, as provided by your ISP.
• Static IP Address: If you have a fixed IP address, enter it here. Otherwise, this field should be left at 0.0.0.0.
Action: Use the "Connect" and "Disconnect" buttons to establish or terminate a connection on this session, if required.
Connection Status: This displays the current connection status.
4 Advanced Setup
Overview: The following advanced features are provided:
• Host IP Setup
• Virtual Servers
• Custom Virtual Server
• Special Applications
• Dynamic DNS
• Multi DMZ
• Advanced Features
• UPnP
• NAT Setting
This chapter contains details of the configuration and use of each of these features.
Host IP Setup
This feature is used in the following situations:
• You have Multi-Session PPPoE, and wish to bind each session to a particular PC on your LAN.
• You wish to use the Access Filter feature. This requires that each PC be identified by using the Host IP Setup screen.
• You wish to have different Block URL settings for different PCs. This requires that each PC be identified by using the Host IP Setup screen. You do not have to use the Host IP feature to apply the same Block URL settings to all PCs.
• You wish to reserve a particular LAN
50. [Figure 2-3: LAN & DHCP]
10. Ensure these settings are suitable for your LAN.
• The default settings are suitable for many situations.
• See the following table for details of each setting.
11. Save your data, then go to Step 2: Installing the VPN 800 2 Firewall Router in your LAN.
Settings: LAN & DHCP
LAN IP Configuration:
IP address: IP address for the VPN 800 2 Firewall Router, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address range. In the latter case, enter an unused IP Address from within the range used by your LAN.
Subnet Mask: The default value 255.255.255.0 is standard for small (class "C") networks. For other networks, use the Subnet Mask for the LAN segment to which the VPN 800 2 Firewall Router is attached (the same value as the PCs on that LAN segment).
DHCP Server Configuration / DHCP IP Address Range:
• DHCP Server Setup: If enabled, the VPN 800 2 Firewall Router will allocate IP Addresses to PCs (DHCP clients) on your LAN when they start up. The default and
51. hood if you enable the NetBIOS Broadcast function.
Traffic Management
Strict Binding: Traffic from bridge hosts (e.g. transparent to wan1) can only go through the specified WAN (e.g. wan1) interface.
Loose Binding: Traffic from bridge hosts (e.g. transparent to wan1) can go through an alternative WAN (e.g. wan) interface when the bound interface (e.g. wan1) is down. It acts as a fail-over mechanism for transparent bridge mode.
Load Balancing: Traffic from bridge hosts (e.g. transparent to wan1) can go through either WAN (e.g. wan1 or wan2) interface, based on the loading mechanism specified in the load balance section. It acts as a load balancing mechanism for transparent bridge mode.
ARP Table: The ARP table is used by the device to determine the bridge hosts' location (e.g. inside/outside WAN, and which WAN). Its size can be adjusted if needed.
Load Balance
This screen is only operational if using Internet connections on both WAN ports.
[Figure: Load Balance screen]
52. lds beside the Add button, then click Add.
[Figure B-4: DNS Tab (Win 95/98)]
Checking TCP/IP Settings: Windows 2000
1. Select Control Panel - Network and Dial-up Connection.
2. Right-click the Local Area Connection icon and select Properties. You should see a screen like the following:
[Figure B-5: Network Configuration (Win 2000)]
3. Select the TCP/IP protocol for your network card.
4. Click on the Properties button. You should then see a screen like the following:
[Figure: Internet Protocol (TCP/IP) Properties]
53. mes from. There are three authentications available: MD5, SHA1 and SHA2.
Key Management
Key Type: There are two key types, manual key and auto key, available for key exchange management.
Manual Key: If manual key is selected, no key negotiation is needed.
AutoKey (IKE): Two operation modes can be used. Main mode accomplishes a phase one IKE exchange by establishing a secure channel. Aggressive Mode is another way of accomplishing a phase one exchange. It is faster and simpler than main mode, but does not provide identity protection for the negotiating nodes.
Perfect Forward Secrecy (PFS): If PFS is enabled, IKE phase 2 negotiation will generate new key material for IP traffic encryption & authentication.
Preshared Key: This field is used to authenticate the remote IKE peer.
Key Lifetime: This specifies the lifetime of the IKE-generated key. If the time expires or the data passed exceeds this volume, a new key will be renegotiated. By default, 0 is for no limit.
IPSec Policy options
[Figure: IPSec Policy options screen]
54. n the web page or a particular machine. It is useful to monitor the device.
• QoS Configuration: This function gives some specified packets higher priority for pass-through, which is especially useful if you use real-time applications such as Internet phone, videoconference, etc.
• UPnP: With UPnP (Universal Plug & Play) enabled, the load balancer becomes one of the network devices. It is useful for discovering and controlling network devices such as an Internet gateway.
Package Contents
The following items should be included:
• The VPN 800 2 Firewall Router Unit
• Power Cord
• Quick Installation Guide
• CD-ROM containing the on-line manual
If any of the above items are damaged or missing, please contact your dealer immediately.
Physical Details
Front Panel
[Figure 1-2: Front Panel, VPN 800 2 Firewall Router]
Operation of the Front Panel LEDs is as follows:
LAN LED:
• 100M (Green): The corresponding LAN port is using 100BaseT. OFF: No physical connection.
• 10M (Yellow): ON: The corresponding LAN port is using 10BaseT. OFF: No physical connection.
WAN LED: Green: 100M. Yellow: 10M. Flash: Active.
Status LED:
• WAN Status: Green Flash: WAN Active. Yellow: Error.
• LAN Status: Green Flash: LAN Active. Yellow: Error.
• Blinking: Data in/out.
Reset Button: When you press the reset button for around 3 seconds and release it, the VPN 800 2 Firewall R
55. nput box is left blank.
Alive Indicator: This is the IP address used to check if the WAN connection is operating. The VPN 800 2 Firewall Router will contact this system to check if the WAN connection is working. Change this address if you wish. Default is the gateway IP. Note: This is not used for PPPoE connections.
MTU: The Maximum Transmission Unit is used when determining the packet size to be used on the WAN interface. Normally, this does not need to be changed, but if your ISP advises you to use a particular MTU, enter it here.
Auto Dialup: If set to Enable, a connection will be established whenever outgoing WAN traffic is detected. If not enabled, you must establish a connection manually.
Auto Disconnect: This determines when an idle connection will be terminated. Enter the required time period.
Echo Time: This determines how often an "Echo" request is sent to the PPPoE server. The Echo request is used to determine if the connection is still valid. Normally, there is no need to change the default value.
Echo Retry: The number of times the "Echo" request will be sent if there is no response to the first request. Normally, there is no need to change the default value.
Bridge Mode: If set to Enable, this WAN port doesn't use the NAT & Load Balance functions when the LAN and WAN IPs have real IP addresses on the same network segment.
NetBIOS Broadcast: This function can allow you to access files through Microsoft network neighbor
56. on (ECN). ECN is a standard proposed by the IETF that will cut down on network congestion and routers dropping packets. Copy DF Flag: When an IP packet is encapsulated as payload inside another IP packet, some of the outer header fields can be newly written and others are determined by the inner header. Among these fields is the IP DF (don't fragment) flag. When the inner packet DF flag is clear, the outer packet may copy it or set it; however, when the inner DF flag is set, the outer header MUST copy it. Set DF Flag: If this DF (Do not Fragment) flag is set, fragmentation of this packet at the IP level is not permitted. 7. QoS Configuration. Overview: The VPN 800/2 Firewall Router provides QoS, which supports a high quality of network service. It classifies outgoing packets based on policies defined by users, so that real-time applications get better response or performance. QoS Setup: The following web management pages guide you through setting up QoS and making it work. Figure 7-1: QoS Setup. Data (QoS Setup): QoS Feature: Enable QoS: This allows users to enable the QoS function. Queuing Method: The methods
57. on Configuration section. Make any required changes and then click the Update button. Special Application Configuration: Enable: Use this to enable or disable this Special Application as required. Name: Enter a descriptive name to identify this Special Application. Outgoing Protocol: Select the protocol used by this application when sending data to the remote server or PC. Outgoing Port Range: Enter the beginning and end of the range of port numbers used by the application server for data you send. If the application uses a single port number, enter it in both fields. Incoming Protocol: Select the protocol used by this application when receiving data from the remote server or PC. Incoming Port Range: Enter the beginning and end of the range of port numbers used by the application server for data you receive. If the application uses a single port number, enter it in both fields. Buttons: Add: Create a new Special Application entry. Delete: Delete the selected entry. Update: Save any changes you have made to the current entry. Cancel: Cancel any changes you have made since the last save operation. Special Application List: This shows details of all Special Applications which are currently defined. Using a Special Application on your PC: Once the Special Applications screen is configured correctly, you can use the application on your PC normally
58. ost name: Enter a suitable name. Generally you should use the Hostname (computer name) defined on the Host itself. MAC Address: Also called Physical Address or Network Adapter Address. Enter the MAC address of this host. Select Group: Select the group you wish to put this host into. Reserve in DHCP: Select Enable to reserve a particular LAN IP address for a particular PC on your LAN. This allows the PC to use DHCP (Windows calls this "obtain an IP address automatically") while having an IP address which never changes. Reserved IP: Enter the IP address you wish to reserve, if the setting above is Enable. Otherwise, ignore this field. Host Network Binding: • Bind WAN port/Session: Select Enable if you wish to associate this PC with a particular PPPoE session. All traffic for that PC will then use the selected PPPoE port and session. • Binding Method: Suppose your PC is bound to the WAN1 port and you select Strict Binding. If the WAN1 port is disconnected, your packets cannot go out through port if WAN port is still alive. If you select Loose Binding, then when the WAN1 port is disconnected, your packets will automatically go to WAN2 if it is alive. Select WAN Port / Select PPPoE session: If the setting above is Enable, select the desired Port and Session. Otherwise, ignore these settings. Note: Multiple PPPoE sessions are defined on the Advanced PPPoE scr
59. outer will reset to factory default value. Also, some Status and Error conditions are indicated by combinations of LEDs, as shown below. LED Action and Condition: WAN & LAN Status LEDs flash alternately: Firmware download in progress. WAN & LAN LEDs flash concurrently: MAC address not assigned. Caution: After unplugging the VPN 800/2 Firewall Router, wait more than 20 seconds before plugging it in again. Rear Panel (VPN 800/2 Firewall Router). Figure 1-3: Rear Panel (VPN 800/2 Firewall Router). AC power socket: Connect the supplied power here. Default Settings: When the VPN 800/2 Firewall Router has finished booting, all configuration settings will be set to the factory defaults, including: • Address set to its default value of 192.168.1.1, with a Network Mask of 255.255.255.0 • DHCP Server is enabled • User Name: admin; Password: cleared (no password). TFTP Download: This setting should be used only if your VPN 800/2 Firewall Router is unusable and you wish to restore it by downloading new firmware. Follow this procedure: 1. Power on the VPN 800/2 Firewall Router. 2. Use the supplied Windows utility or a TFTP client program to apply the new firmware. If using the supplied Windows TFTP program, the screen will look like the following example.
60. pport: Dynamic Host Configuration Protocol provides a dynamic IP address to PCs and other devices upon request. The VPN 800/2 Firewall Router acts as a DHCP Server for devices on your local LAN. • Multi-Segment LAN Support: LANs containing one or more segments are supported via the VPN 800/2 Firewall Router's built-in static routing table. • ARP proxy: The ARP proxy feature allows you to assign an external (Internet) IP address to the VPN 800/2 Firewall Router's LAN port. This allows Servers on your LAN to have external (Internet) IP addresses. • Easy Setup: Use your favorite Web browser for configuration. • Remote Management: The VPN 800/2 Firewall Router can be managed from any PC on your LAN. If the Internet connection exists, it can also optionally be configured via the Internet. • Password-protected Configuration: Optional password protection is provided to prevent unauthorized users from modifying the configuration data and settings. • HTTP Firmware Upgrade and Backup: The web management feature allows you to use HTTP to upgrade firmware and back up the system configuration, locally or even from a remote site, as long as you enable Remote Upgrade and Remote Web-based Setup on the Advanced Feature web page. • Email Alert: It will send a warning email to the system administrator if one of the WAN ports is disconnected when both WAN ports are enabled. • Syslog: It can generate real-time system information o
61. r provider. You must configure the Standard Client section of this screen. • 3322 (China): This is available in China. It is similar to Standard Client. • User Defined DDNS Server: This is the user-defined DDNS server, for use if the DDNS is other than TZO, dyndns.org and 3322. WAN Port Binding: • Select the WAN port on which Dynamic DNS is used. • The Force Update button will update your record on the Dynamic DNS Server immediately. Additional Settings: These options are available if using the standard client. • Enable Wildcard: If selected, traffic sent to sub-domains of your Domain name will also be forwarded to you. • Enable backup MX: If enabled, you must enter the Mail Exchanger address below. • Mail Exchanger: If the setting above is enabled, enter the address of the backup Mail Exchanger. Multi DMZ: This feature allows each WAN port IP address to be associated with one (1) computer on your LAN. All outgoing traffic from that PC will be associated with that WAN port IP address. Any traffic sent to that IP address will be forwarded to the specified PC, allowing unrestricted 2-way communication between the DMZ PC and other Internet users or Servers. Note: The DMZ is effectively outside the Firewall, making it more vulnerable to attacks. For this reason, you should only enable the DMZ feature when required. Advance
62. Figure 6-3: IPSec Policy. Options: Tunnel Attribute: The current tunnel attribute that you just set up. Dead Peer Detection: If you would like to use one of the WAN ports as a backup or plan a failover function, you can enable the Dead Peer Detection function. Check Method: You can choose either ICMP or Heartbeat to detect whether the remote site VPN tunnel is alive or not. Set Options: NetBIOS Broadcast: This is used to forward NetBIOS broadcasts across the Internet. Auto Trigger: This helps to keep up the IPSec connection tunnel. The tunnel can be re-established immediately if a dropped connection is detected. Anti Replay: It keeps track of IP packet level security in order. Passive mode: This means that your PC establishes the data connection if you enable passive mode. Check ESP Pad: If enabled, it will check ESP (Encapsulating Security Payload) padding. Allow Full ECN: Enable will allow full Explicit Congestion Notificati
63. r will then automatically update your IP Address recorded by the Dynamic DNS service provider. 5. From the Internet, users will now be able to connect to your Virtual Servers or DMZ PC using your Domain name. Figure 4-6: Dynamic DNS. Settings (Dynamic DNS): Dynamic DNS Service: Use this to enable or disable the Dynamic DNS feature and select the required service provider. • Disable: Dynamic DNS is not used. • DNS4BIZ Hotbrick Premium: It provides reliability for normal business requirements. • DNS4BIZ Hotbrick Business: Designed for VPN connections & mission-critical applications; your DNS service is hosted on dedicated high-end servers with 24/7 monitoring to ensure the highest possible availability & reliability. • TZO: Select this to use the TZO service (www.tzo.com). You must configure the TZO section of this screen. • Standard Client: Select this to use the standard service from www.dyndns.org or othe
64. rk must have different LAN IP address ranges. If the remote endpoint is a single PC running a VPN client, its destination address must be a single IP address with a subnet mask of 255.255.255.255. 2. Will you be using the Internet Key Exchange (IKE) setup, or Manual Keying, in which you must specify each phase of the connection? 3. What encryption level are you going to use, DES or 3DES? Note: The VPN 800/2 Firewall Router uses industry-standard VPN protocols. However, due to variations in how manufacturers interpret these standards, many VPN products are not interoperable. Although the VPN 800/2 Firewall Router can interoperate with many other VPN products, it is not possible for the VPN 800/2 Firewall Router to provide specific technical support for every other product. IPSec Global Setting. Figure 6-1: IPSec Global Setting. IP Global Setting: Global Parameters: Enable: If
65. Figure B-6: TCP/IP Properties (Win 2000). 5. Ensure your TCP/IP settings are correct. Using DHCP: To use DHCP, select the radio button "Obtain an IP address automatically". This is the default Windows setting. Restart your PC to ensure it obtains an IP Address from the VPN 800/2 Firewall Router. Using a fixed IP Address ("Use the following IP Address"): If your PC is already configured, check with your network administrator before making the following changes. • Enter the VPN 800/2 Firewall Router's IP address in the Default gateway field and click OK. Your LAN administrator can advise you of the IP Address they assigned to the VPN 800/2 Firewall Router. • If the DNS Server fields are empty, select "Use the following DNS server addresses" and enter the DNS address or addresses provided by your ISP, then click OK. Checking TCP/IP Settings (Windows XP): 1. Select Control Panel - Network Connection. 2. Right-click the Local Area Connection and choose Properties. You should see a screen like the following.
66. rtual Server screen to define your own type. LAN IP Address: Enter the IP address of the PC on your LAN which is running the required Server software. Each PC should have a fixed IP address or a reserved IP address. See the Host IP section earlier in this chapter for details on reserving an IP address. Custom Virtual Servers: This screen allows you to define your own Server types, for situations when the desired Server type is not listed on the Virtual Servers screen. Figure 4-4: Custom Virtual Servers. Settings (Custom Virtual Servers): Select Custom Server: Server List: If creating a new entry, ignore this list. To edit an existing entry, select it and then click the Select button. The screen will update with data for the selected
67. s Configuration / External Filters Configuration / DNS Loopback. Remote Upgrade: If enabled, you can use the supplied Windows program to remotely upgrade the Firmware. If not enabled, upgrades must be performed by a PC on the LAN. Remote Web-based Setup: If enabled, access to the Web-based interface is available via the Internet. See below for details. If not enabled, access is only available to PCs on the LAN. Port: The port number used when connecting remotely. See below for details. Allowed IP range: Remote access is only available to the IP addresses entered here. • Leaving these fields blank will allow access by all PCs. • These addresses must be Internet IP addresses, not addresses on the local LAN. • To specify a single address, enter it in both fields. IDENT Port: Port 113 is associated with the Internet's Identification/Authentication service. When a client program in your computer contacts a remote server for services such as POP, IMAP or SMTP, that remote server sends back a query to the Ident server, which runs in many systems and listens for these queries on port 113. This means that port 113 is often probed by attackers as a rich source of your personal information. By default it is Disable. These settings determine whether or not the VPN 800/2 Firewall Router should respond to ICMP (ping) requests received from the WAN port. Block Selected packet types: This acts as master switch. If check
68. s need to be made. By default, the VPN 800/2 Firewall Router will act as a DHCP Server, automatically providing a suitable IP Address and related information to each PC when the PC boots. For all non-Server versions of Windows, the default TCP/IP setting is to act as a DHCP client. If you wish to check your TCP/IP settings, the procedure is described in the following sections. If your LAN has a Router, the LAN Administrator must re-configure the Router itself. Checking TCP/IP Settings (Windows 9x/ME): 1. Select Control Panel - Network. You should see a screen like the following. Figure B-1: Network Configuration. 2. Select the TCP/IP protocol for your network card. 3. Click on the Properties button. You should then see a screen like the following.
69. s of source which packets are sent from. • Destination IP: IP address of the destination which packets are sent to. • Subnet Mask: With a subnet mask other than 255.255.255.255, you can make an IP sub-network your destination. • Protocol: Select the protocol used by the traffic you wish to configure. • Port Range: Enter the beginning and end of the port range used by the traffic you wish to configure. If only a single port is used, enter the port number in both fields. • WAN: Select the port you wish this traffic to use. Using Remote Web-based Setup: To connect to the Load Balancer from a remote PC via the Internet: 1. Ensure that both your PC and the VPN 800/2 Firewall Router are connected to the Internet. 2. Start your Web Browser. 3. In the Address bar, enter "HTTP://" followed by the Internet IP Address of the VPN 800/2 Firewall Router. If the port number is not 80, the port number is also required. (After the IP Address, enter ":" followed by the port number.) e.g. HTTP://123.123.123.123:8080. This example assumes the WAN IP Address is 123.123.123.123 and the port number is 8080. • If using the Dynamic DNS feature, you can connect using the domain name allocated to you, e.g. HTTP://domain_name.dyndns.org:8080. 5. Security Management. Overview: Block URL can block specific websites by configuring an IP address, URL or key words. Access filter: You can
70. s the IP addresses which have been allocated by the DHCP Server function. For each address which has been allocated, the following information is shown: • Name: The hostname of the PC. In some cases, this may not be known. • MAC Address: The physical address (network adapter address) of the PC. • IP Address: The IP address allocated to this PC. • Type: Indicates whether the IP address is dynamic or static. • Status: If Dynamic, the IP address was allocated by this DHCP Server. If Sniffed, the IP address was detected by examining the LAN, rather than allocated by the DHCP Server. In this case, the Name is usually not known. • Time Left: The time expired since the IP address was leased. Installing the HotBrick VPN 800/2 Firewall Router in your LAN: Ensure the HotBrick VPN 800/2 Firewall Router and the DSL/Cable modem are powered OFF. Leave the modem or modems connected to their data line. Connect the Broadband modem or modems to the VPN 800/2 Firewall Router. • If using only 1 Broadband modem, connect it to the WAN 1 port. • Use the cable supplied with your DSL/Cable modem. If no cable was supplied, use a standard cable. Use standard LAN cables to connect PCs to the Switching Hub ports on the VPN 800/2 Firewall Router. • Both 10BaseT and 100BaseT connections can be used simultaneously. • If you need to connect the VPN 800/2 Firewall Router to another Hub, just use a
71. s you to manage the VPN 800/2 Firewall Router via the Internet. You can restrict access to a specified IP address or address range. External Filters Configuration: These settings determine whether or not the VPN 800/2 Firewall Router should respond to ICMP (ping) requests received from the WAN port. Interface Binding: Use these to ensure that certain traffic is sent by a particular WAN port, and thereby a particular ISP account. These settings are only useful if using both WAN ports. Protocol/Port Binding: This allows you to bind WAN1 or WAN2 ports by selecting the TCP/UDP protocol. Figure 4-10: Advanced Feature. Settings (Advanced Features): Remote Acces
72. ss: It is an email address a warning email will be sent to. Usually it is the system administrator's email address, for example admin@mail.domain.com. Excessive Ping Notification: This feature is useful to prevent ICMP attacks from the WAN or LAN. It will drop the packets if the number of pings exceeds the threshold value. It will send an email to the administrator if email is enabled. Syslog: This feature can send real-time system information to the web page or to the specified PC. Syslog Configuration: Syslog Configuration lets you choose whether or not to send system information to other machines. There are up to three machines you can choose to send your system log to. Message Status: Sent messages are kept only when Keep Send Messages is checked. Currently the last 100 messages are kept in the RAM area; they are cleared on reboot or power off.
73. Figure B-2: IP Address (Win 95). Ensure your TCP/IP settings are correct, as follows. Using DHCP: To use DHCP, select the radio button "Obtain an IP Address automatically". This is the default Windows setting. Restart your PC to ensure it obtains an IP Address from the VPN 800/2 Firewall Router. Using "Specify an IP Address": If your PC is already configured, check with your network administrator before making the following changes. • If the DNS Server fields are empty, select "Use the following DNS server addresses" and enter the DNS address or addresses provided by your ISP, then click OK. • Gateway tab: Enter the VPN 800/2 Firewall Router's IP address in the New Gateway field and click Add, as shown below. Your LAN administrator can advise you of the IP Address they assigned to the VPN 800/2 Firewall Router. Figure B-3: Gateway Tab (Win 95/98). • DNS Configuration tab: Ensure Enable DNS is selected. If the DNS Server Search Order list is empty, enter the DNS address provided by your ISP in the fie
74. ss, enter it here. Otherwise, this field should be left at 0.0.0.0. • Host Name: This field is used by a Host to uniquely associate an access concentrator to a particular Host request. Use the Connect and Disconnect buttons to establish or terminate a connection on this session, if required. Connection Status: This displays the current connection status for each session. Advanced PPTP: This screen is only useful if using the PPTP connection method. Figure 3-4: Advanced PPTP. Settings (Advanced PPTP): Select WAN Port: Select the desired Port and then click the Select button. The data for the selected Port will then be displayed in the WAN IP Account section. PPTP MTU: Maximum transfer unit for PPTP. The default value is 1456. WAN IP Account: • User Name: The PPTP user name (login name) assigned by your ISP. • Password: The PPTP password associated wit
75. standard LAN cable to connect any port on the VPN 800/2 Firewall Router to a standard port on another hub. Any LAN port on the VPN 800/2 Firewall Router will automatically act as an Uplink port when required. Power Up: • Power on the Cable or DSL modem or modems. • Connect the supplied power cord to the VPN 800/2 Firewall Router and power up. Check the LEDs: • The Power LED should be ON. • The WAN Link LED should be ON if the corresponding WAN port is connected to a broadband modem. • The Error LED will flash during start-up, but will then turn off. If it stays on, there is an error condition. • For each PC connected to the LAN ports, the corresponding LAN LED (either 10 or 100) should be ON. 3. Configuring the HotBrick VPN 800/2 Firewall Router for Internet Access: Select Primary Setup from the menu to see a screen like the example below. Configure WAN 1 and/or WAN 2 as required. For any of the following situations, refer to Chapter 3, Advanced Port Setup, for any further configuration which may be required: • Using both ports • Multiple IP addresses on either port • Multiple PPPoE sessions • PPTP connection method.
76. Figure 3-2: Load Balance. These settings are only functional if using both WAN ports. If using both WAN ports, these settings determine the proportion of traffic sent over each port. Settings (Load Balance): Load Balance Configuration: Enable: Use this to enable your Load Balance settings. Unless this is checked, the other settings on this screen have no effect. Balance Type: Select the desired option. • Bytes rx tx: Traffic is measured by Bytes. • Packets rx tx: Traffic is measured by Packets. • Sessions established: Traffic is measured by Sessions. • Address: Traffic is measured by IP Address. Loading Share on WAN 1: Enter the percentage of traffic to be sent over WAN 1. If one WAN port connection has greater bandwidth than the other, the one with the greater bandwidth should be given a higher percentage of traffic than the other. Click the Update button to save your changes. NAT Statistics: This section displays the current data about WAN 1 and WAN 2. You can use this information to help you fine-tune the settings above. Interface Statistics: This section displays cumulative statistics. Use the Restart Counters button to restart these counters when required. Buttons: Update: Save the settings on this screen. R
77. ters: Select the services you wish to block. The current group will not be able to use any services which are checked. ICMP Filters: If you enable the ICMP Filters function, it will block ICMP packets sent from the local host to the remote site. User-defined Ports to Block: This section is optional. It allows you to define your own filters, if required. For each filter, the following information is required: Name: Enter a meaningful name for this filter. TCP/UDP Packets: Select either TCP or UDP, depending on which protocol is used by the service you wish to block. Port No. Range: Enter the range of port numbers used by the service you wish to block. If only a single port is required, enter it in both fields. Session Limit: This new feature allows new sessions from both the WAN and LAN side to be dropped if the number of new sessions exceeds the maximum sessions in a sampling time. Figure 5-3: Session
78. that how you manage your queue. Priority queuing: It is one of the first queuing variations to be widely implemented. IP TOS (Type of Service) Feature: Process TOS Field: An 8-bit field in the IP packet header designed to contain values indicating how each packet should be handled in the network. If you choose Enable, this function will process the IP Type of Service field. Overwrite policy priority: Choose Yes to have the priority of the TOS field in the IP packet overwrite the priority defined in the policy configuration. Policy Configuration: When you use QoS, you must define policies that give some packets higher priority to pass through. Figure 7-2: Policy Configuration. Data (Policy Configuration): Policy Priority: This section identifies each policy. • Policy Name List: When adding a new Policy, ignore this list. To edit an existing entry, select it
79. the VPN 800/2 Firewall Router's Internet IP Address (the IP Address allocated by your ISP), e.g. http://205.20.45.34, ftp://205.20.45.34. • To Internet users, all virtual Servers on your LAN have the same IP Address. This IP Address is allocated by your ISP. • This address should be static, rather than dynamic, to make it easier for Internet users to connect to your Servers. However, you can use the Dynamic DNS feature, explained later in this chapter, to allow users to connect to your Virtual Servers using a URL instead of an IP Address, e.g. HTTP://my_domain_name.dyndns.org, FTP://domain_name.dyndns.org. Figure 4-3: Virtual Server. Settings (Virtual Server): Virtual Server: Enable: Use this to enable or disable each Virtual Server as required. Server Type: Select the desired Server type. If the type of Server you wish to use is not listed, use the Custom Vi
80. tion for details on reserving an IP address. Select the desired WAN port. • Select DHCP if the IP address on this WAN port is dynamically assigned. You can only assign one (1) Private LAN IP address to each port. • If using multi-session PPPoE, select the desired PPPoE session. These sessions are defined on the Advanced PPPoE screen. You can assign one (1) Private LAN IP address to each PPPoE session. Enter the IP address of the PC you wish to associate with this WAN port IP address. This IP address should be fixed or reserved. See the Host IP section for details on reserving an IP address. You can decide which users have the authority to use the DMZ by defining groups. For the DMZ, you can allow inbound only, outbound only, or both inbound and outbound. UPnP: With the UPnP (Universal Plug & Play) function, you can easily set up and configure an entire network, and enable discovery and control of networked devices and services.
81. tored to the factory default values. The DHCP server function will be enabled. These changes may mean that the current connection is invalid, and you will have to re-connect to the VPN 800/2 Firewall Router using its default IP address, 192.168.1.1. WAN Status: Use the WAN Status link on the main menu to view this screen. Figure 10-3: WAN Status. Data (System Status): NAT statistics: This section displays data for each WAN port. • Connection status: This will display either Connected or Not Connected. • Default Loading Share: The default traffic loading between the WAN ports. • Current Loading Share: The current traffic loading between the WAN ports. • Current Loading: The number of sessions, Bytes and Packets currently being processed on each port. • Current Bandwidth: The current Download and Upload speeds on each WAN port. • Check NAT Detail: Displays the NAT Status screen, described below. Interface: This section displays cumulative statistics. Use the Restart Counter button to restart these counters when required
82. ture either Enable or Disable. Hardware ID: The manufacturer's ID for this particular device. Device Statistics. System UpTime: The time since the system of a device was last reinitialized. CPU Usage: The current usage percentage of CPU. Memory Usage: The current usage percentage of Memory (Heap & Queue). [Page 72, HotBrick Network Solutions] Refresh: Update the data on screen. Restart: Restart (reboot) the VPN 800/2 Firewall Router. Restore Factory Defaults: This will delete all existing settings and restore the factory default settings. See below for details. Restore Factory Defaults: When the Restore Factory Defaults button on the Status screen above is clicked, the following screen is displayed. Figure 10-2: Restore Factory Defaults. If the Restore Default Value button on this screen is clicked, ALL of your settings will be erased. The default IP address, password and ALL other settings will be res
83. u cannot modify or delete these entries. Settings: Routing. Dynamic Routing. RIP v2: This acts as master switch. If enabled, the selected WAN or LAN will run RIPv1/v2; otherwise they don't have RIP function. LAN, WAN1, WAN2: If enabled, any WAN or LAN can execute RIP function. Static Routing. Network Address: The network address of the remote LAN segments. For standard class C LANs, the network address is the first 3 fields of the Destination IP Address. The 4th (last) field can be left at 0. Netmask: The Network Mask for the remote LAN segments. For class C networks, the default mask is 255.255.255.0. Gateway: The IP Address of the Gateway or Router which the VPN 800/2 Firewall Router must use to communicate with the destination above (NOT the router attached to the remote segment). Interface: Select the correct interface, usually LAN. The WAN interface is only available if NAT (Network Address Translation) is disabled. Metric: The number of hops (routers) to pass through to reach the remote LAN segment. The shortest path will be used. Configuring Other Routers on your LAN: All traffic for devices not on the local LAN must be forwarded to the Load Balancer so that they can be forwarded to the Internet. This is done by configuring other Routers to use the VPN 800/2 Firewall Router as the Default Route or Default Gateway, as illustrated by the example below. Static Routing Example
84. use system to crash. [Page 67, HotBrick Network Solutions] 9 Advanced LAN Configuration. Overview: These screens and settings are provided to deal with non-standard situations, or to provide additional options for advanced users. Existing DHCP Server: If your LAN already has a DHCP Server and you wish to continue using it, the following configuration is required. The DHCP Server function in the Load Balancer must be disabled. This setting is on the LAN & DHCP screen. Your DHCP Server must be configured to provide the VPN 800/2 Firewall Router's LAN IP address as the Default Gateway. Your DHCP Server must provide correct DNS addresses to the PCs. Routing: This section is only relevant if your LAN has other Routers or Gateways. If you don't have other Routers or Gateways on your LAN, you can ignore the Routing page completely. If your LAN has other Gateways and Routers, you must configure the Static Routing screen as described below. You also need to configure the other Routers. Figure 9-1: Routing. [Page 68, HotBrick Network Solutions] Note: If there is an entry or entries in the Routing table with an Index of zero (0), these are System entries. Yo
85. you enable check box either WAN1, WAN or both, this will start VPN global setting. ISAkmp Port: Internet Security Association and Key Protocol Management (ISAkmp) is designed to negotiate, establish, modify and delete security associations and their attributes. In particular, it was assigned UDP port 500 by the IANA. Phase 1 DH Group: Use DH Group 1 (768 bits), DH Group 2 (1024 bits) or Group 5 (1536 bits) to generate IPSec SA keys. Phase 1 Encryption Method: There are three data encryption methods available: DES, 3DES and AES. Phase 1 Authentication Method: There are two authentication methods available: MD5 and SHA1 (Secure Hash Algorithm). Phase 1 SA Life Time: By default the Security Association lifetime is 28800 sec. Maxtime to complete phase 1: The aim of phase 1 is to authenticate and establish a secure tunnel which will protect further IKE negotiation. The maximum time default is 30 sec. Maxtime to complete phase 2: Really establish the IPSec SAs; by default the maximum time is 30 sec. Count Per Send: Number of duplicated packets for resend. Force Deletion after Expiry: Once an SA has expired, the tunnel will be removed and related resources will be released to the system. Log Level: VPN Log Level. Select a VPN log level that you would like to display on the VPN log. [Page 52, HotBrick Network Solutions] Policy Setup