TP-LINK TL-ER604W router
Contents
1. [Figure 3-12 WAN - BigPond: screenshot of the BigPond settings and BigPond Status fields]
   The following items are displayed on this screen:
   > BigPond Settings
   Connection Type: Select BigPond if your ISP provides a BigPond connection. Click <Connect> to dial up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the Internet connection and release the current IP address.
   Account Name: Enter the Account Name provided by your ISP. If you are not clear, please consult your ISP.
   Password: Enter the Password provided by your ISP. If you are not clear, please consult your ISP.
   Auth Server: Enter the address of authentication server. It can be IP address or server name.
   Auth Domain: Enter the domain name of authentication server. It's only required when the address of Auth Server is a server name.
   Auth Mode: You can select the proper Active mode according to your need.
   - Manual: Select this option to manually activate or terminate the Internet connection by the <Connect> or <Disconnect> button. It is optimum for the dial-up connection charged on time.
   - Always on: S
2. [Network topology figure: Layer 3 Switch; LAN 192.168.0.0/24; subnets 192.168.2.0/24 (VLAN2) and 192.168.3.0/24 (VLAN3)]
   Configuration procedure
   1) Establish the Multi-Nets NAT entries with Subnet/Mask of VLAN2 and VLAN3.
   [Screenshot: Multi-Nets NAT entry form (Subnet/Mask, Interface, Description, Status)]
   The configured entries are as follows (List of Rules):
   No. 1: Network Address 192.168.2.0/24, Interface LAN, Description VLAN2, Status Active
   No. 2: Network Address 192.168.3.0/24, Interface LAN, Description VLAN3, Status Active
   2) Then set the corresponding Static Route entry; enter the IP address of the interface connecting the Router and the three-layer switch into the Next Hop field. Choose the menu Advanced > Routing > Static Route to load the following page.
   [Screenshot: Static Route entry form (Destination, Subnet Mask, Next Hop, Interface, Metric, Description, Status)]
   The Static Route entry is as follows:
   [Screenshot: List of Rules with static routes to 192.168.2.0 and 192.168.3.0 via Next Hop 192.168.0.2, Interface LAN, Metric 0, Status Active]
   3.4.1.4 Virtual Server
   Virtual server sets up public services in your private network, such as DNS, Email and FTP, and defines a service port. All the service requests to this port will be transmitted to the LAN server appoint
3. Transmit Power: Here you can specify the transmit power of Router. You can select High, Middle or Low which you would like. High is the default setting and is recommended.
   Beacon Interval: Enter a value between 40-1000 milliseconds for Beacon Interval here. The beacons are the packets sent by the router to synchronize a wireless network. Beacon Interval value determines the time interval of the beacons. The default value is 100.
   RTS Threshold: Here you can specify the RTS (Request to Send) Threshold. If the packet is larger than the specified RTS Threshold size, the router will send RTS frames to a particular receiving station and negotiate the sending of a data frame. The default value is 2346.
   Fragmentation Threshold: This value is the maximum size determining whether packets will be fragmented. Setting the Fragmentation Threshold too low may result in poor network performance since excessive packets. 2346 is the default setting and is recommended.
   DTIM Interval: This value determines the interval of the Delivery Traffic Indication Message (DTIM). A DTIM field is a countdown field informing clients of the next window for listening to broadcast and multicast messages. When the Router has buffered broadcast or multicast messages for associated clients, it sends the next DTIM with a DTIM Interval value. You can specify the value between 1-255 Beacon Intervals. The default value is 1, which indicates the DTIM
4. Choose the menu Network > LAN > LAN to load the following page.
   [Figure 3-13 LAN: screenshot of the LAN IP Address and Subnet Mask fields]
   The following items are displayed on this screen:
   > LAN
   IP Address: Enter the LAN IP address of the Router. 192.168.0.1 is the default IP address. The Hosts in LAN can access the Router via this IP address. It can be changed according to your network.
   Subnet Mask: Enter the Subnet Mask. The default subnet mask is 255.255.255.0.
   Note: If the LAN IP address is changed, you must use the new IP address to log into the Router. To guarantee a normal communication, be sure to set the Gateway address and the Subnet Mask of the Hosts on the LAN to the new LAN IP address and the Subnet Mask of the Router.
   3.1.4.2 DHCP
   The Router with its DHCP (Dynamic Host Configuration Protocol) server enabled can automatically assign an IP address to the computers in the local area network. Choose the menu Network > LAN > DHCP to load the following page.
   [Figure 3-14 DHCP Settings: screenshot of the DHCP Settings form]
   The following items are displayed on this screen:
   > DHCP Settings
   DHCP Server, Start IP Address, End IP Address, Lease Time
5. DHCP Server: Enable or disable the DHCP server on your Router. To enable the Router to assign the TCP/IP parameters to the computers in the LAN automatically, please select Enable.
   Start IP Address: Enter the Start IP address to define a range for the DHCP server to assign dynamic IP addresses. This address should be in the same IP address subnet with the Router's LAN IP address. The default address is 192.168.0.2.
   End IP Address: Enter the End IP address to define a range for the DHCP server to assign dynamic IP addresses. This address should be in the same IP address subnet with the Router's LAN IP address. The default address is 192.168.0.254.
   Lease Time: Specify the length of time the DHCP server will reserve the IP address for each computer. After the IP address expired, the client will be automatically assigned a new one.
   Default Gateway: (Optional) Enter the Gateway address to be assigned. It is recommended to enter the IP address of the LAN port of the Router.
   Default Domain: (Optional) Enter the domain name of your network.
   Primary DNS: (Optional) Enter the Primary DNS server address provided by your ISP. It is recommended to enter the IP address of the LAN port of the Router.
   Secondary DNS: (Optional) If a Secondary DNS Server address is available, enter it.
   3.1.4.3 DHCP Client
   On this page you can view the information about all the DHCP clients connected to the Router. Choose the menu Network > LAN > DHCP Client to load the following page.
   List of DHCP Cli
6. TP-LINK User Guide
   TL-ER604W SafeStream Wireless N Gigabit Broadband VPN Router
   Rev1.0.1 1910010844
   COPYRIGHT & TRADEMARKS
   Specifications are subject to change without notice. TP-LINK is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Other brands and product names are trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from TP-LINK TECHNOLOGIES CO., LTD. Copyright © 2013 TP-LINK TECHNOLOGIES CO., LTD. All rights reserved. http://www.tp-link.com
   FCC STATEMENT
   This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense. This device complies with part 15 of the FCC Rules. Operation is subject to the following two cond
7. [Figure 4-11 App Rules]
   4.3.3.3 Bandwidth Control
   To enable Bandwidth Control, you should configure the total bandwidth of interfaces and the detailed bandwidth control rule first.
   1) Enable Bandwidth Control
   Choose the menu Advanced > Traffic Control > Setup to load the configuration page. Check the box before Enable Bandwidth Control and click the <Save> button to apply.
   [Figure 4-12 Bandwidth Setup: screenshot of the General, Default Limit and Interface Bandwidth panels]
   2) Interface Bandwidth
   Choose the menu Network > WAN > WAN1 to load the configuration page. Configure the Upstream Bandwidth and Downstream Bandwidth of the interface as Figure 4-13 shows. The entered bandwidth value should be consistent with the actual bandwidth value.
   3) Bandwidth Control Rule
   Choose the menu Advanced > Traffic Control > Bandwidth Control to load the configuration page. Then continue with the following settings:
   Settings Direction Group Mode Guaranteed Bandwidth Up Down Limi
8. [Figure 3-49 RIP: screenshot of the route table]
   The following items are displayed on this screen:
   > Route Table
   Destination: The Destination of route entry.
   Gateway: The Gateway of route entry.
   Flags: The Flags of route entry. The Flags describe certain characteristics of the route.
   Logical Interface: The logical interface of route entry.
   Physical Interface: The physical interface of route entry.
   Metric: The Metric of route entry.
   3.5 Firewall
   3.5.1 Anti ARP Spoofing
   ARP (Address Resolution Protocol) is used for analyzing and mapping IP addresses to the corresponding MAC addresses so that packets can be delivered to their destinations correctly. ARP functions to translate the IP address into the corresponding MAC address and maintain an ARP Table, in which the latest used IP address-to-MAC address mapping entries are stored. ARP protocol can facilitate the Hosts in the same network segment to communicate with one another or access to external network via Gateway. However, since ARP protocol is implemented with the premise that all the Hosts and Gateways are trusted, there are high security risks during ARP Implementation Procedure in the actual complex network. The attacker may send the ARP spoofing packets with false IP address
9. Activate or inactivate DDNS service here.
   WAN Port: Displays the WAN port for which No-IP DDNS is selected.
   DDNS Status: Displays the current status of DDNS service.
   - Offline: DDNS service is disabled.
   - Connecting: client is connecting to the server.
   - Online: DDNS works normally.
   - Authorization fails: The Account Name or Password is incorrect. Please check and enter it again.
   > List of No-IP Account
   In this table, you can view the existing DDNS entries or edit them by the Action button.
   3.7.3.3 PeanutHull
   On this page you can configure PeanutHull DDNS client. Choose the menu Services > Dynamic DNS > PeanutHull to load the following page.
   [Figure 3-78 PeanutHull DDNS: screenshot of the PeanutHull DDNS form (Account Name, Password, DDNS Service, WAN Port, Service Type, DDNS Status, Domain Name) and the List of PeanutHull Account]
   The following items are displayed on this screen:
   > PeanutHull DDNS
   Account Name: Enter the Account Name of your DDNS account. If you have not registered, click <Go to register> to go to the website of PeanutHull for register.
   Password: Enter the password of your DDNS account.
   DDNS Service: Activate or inactivate DDNS service h
10. The Min value is 30. 0 means no update.
   Auth Type: You can choose the Auth type of the WPA/WPA2 security on the drop-down list. The default setting is Automatic, which can select WPA (Wi-Fi Protected Access) or WPA2 (WPA version 2) automatically based on the wireless station's capability and request.
   Encryption: Select the Encryption type, which including Automatic, TKIP, AES. The default setting is Automatic, which can select TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) automatically based on the wireless station's capability and request.
   - TKIP: TKIP is a security protocol used in the IEEE 802.11 wireless networking standard.
   - AES: AES is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology.
   Radius Server IP: Enter the IP address of the Radius server.
   Radius Port: Enter the port number of the Radius server.
   Radius Password: Enter the password for the Radius server.
   Group Key Update Period: Specify the group key update interval in seconds. The value should be 30 or above. Enter 0 to disable the update.
   3) WEP
   It is based on the IEEE 802.11 standard.
   [Screenshot: WEP Security form (Auth Type, Key Format, Key Selected, Key 1 to Key 4, WEP Key, Key Type)]
   Auth Type: You can choose the Auth type of the WPA WPA2 security on the drop down l
11. Enter the IP address of DNS server in Manual mode. 0.0.0.0 means DNS Lookup is disabled.
   Displays the detected WAN port.
   Displays whether the Online Detection is enabled.
   Display the detecting results.
   System Time is the time displayed while the Router is running. On this page you can configure the system time, and the settings here will be used for other time-based functions like Access Rule, PPPoE and Logs. Choose the menu Maintenance > Time > Time to load the following page.
   [Figure 3-93 Time: screenshot of the Current Time panel (System Time, Time Zone, Status) and the Config panel (Get GMT with Time Zone, Primary NTP Server and Secondary NTP Server; Manual with Date and Time)]
   The following items are displayed on this screen:
   > Current Time
   System Time: Displays the current date and time of the Router.
   Time Zone: Displays the current time zone of the Router.
   Status: Displays the status of time capturing.
   > Config
   Get GMT: When this option is selected, you can configure the time zone and the IP Address for the NTP Server. The Router will get GMT automatically if it has connected to a NTP Server.
   - Time Zone: Select your local time
12. Ethernet by the RJ45 cable.
   LAN: The LAN port is for connecting the Router to the local PCs or switches by the RJ45 cable.
   Reset button: Use the button to restore the Router to the factory defaults. With the Router powered on, use a pin to press and hold the Reset button (about 4-5 seconds). After the SYS LED goes out, release the Reset button. If the SYS LED is flashing with a high frequency about two or three seconds, it means the Router is restored successfully.
   Wifi button: Press this button to enable or disable Wi-Fi.
   2.3.2 Rear Panel
   The rear panel of TL-ER604W is shown as the following figure.
   [Figure 2-2 Rear Panel]
   Antenna: The router provides two external detachable antennas for receiving and transmitting the wireless data.
   Power: The power socket is where you will connect the power adapter. Please use the power adapter provided with this TL-ER604W SafeStream Wireless N Gigabit Broadband VPN Router.
   On/Off: Press this button to turn on or turn off the Router.
   Note: Please use only the power cord provided with this Router.
   Chapter 3 Configuration
   3.1 Network
   3.1.1 Status
   The Status page shows the system information, the port connection status and other information related to this Router. Choose the menu Network
13. New User Name: Enter a new user name for the Router.
   New Password: Enter a new password for the Router.
   Confirm New Password: Re-enter the new password for confirmation.
   Note:
   - The factory default password and user name are both admin.
   - You should enter the new user name and password when next login if the current username and password has been changed.
   - The new user name and password must not exceed 31 characters in length and must consist of numbers or letters. All the fields are case-sensitive.
   3.8.1.2 Login Parameter
   On this page you can configure and modify the Web and Telnet port. Choose the menu Maintenance > Admin Setup > Login Parameter to load the following page.
   [Figure 3-82 Login Parameter: screenshot of the General panel (Web Management Port, Telnet Management Port, Web Idle Timeout 5-60 min, Telnet Idle Timeout 5-60 min)]
   The following items are displayed on this screen:
   > General
   Web Management Port: Enter the Web Management Port for the Router.
   Telnet Management Port: Enter the Telnet Management Port for the Router.
   Web Idle Timeout: Enter a timeout period that the Router will log you out of the Web-based Utility after a specified period (Web Idle Timeout) of inactivity.
   Telnet Idle Timeout: Enter a timeout period that the Router will log the remote PCs out of the Web-based Utility after a specified period (Telnet Idle Timeout) of inactivity.
   Note:
   - The default Web Management Port is 80. If t
14. On this page you can view the information of all the hosts connected to the wireless network. Choose the menu User Wireless Host Status to load the following page.
   [Figure 3-29 Host Status: screenshot of the General panel (Host List) and the Host Status table]
   > General
   Select a SSID; the status of the host in this wireless network will display on the following table.
   > Host Status
   MAC Address: Displays the MAC address of the host which access the Router by wireless connection.
   SSID: Displays the name of the SSID to which the host connects.
   Current Status: Displays the Status of the wireless connection.
   Received Packets: Displays the total packets received by the host.
   Transmitted Packets: Displays the total packets transmitted by the host.
   Bytes Tx: Displays the total bytes transmitted by the host.
   Bytes Rx: Displays the total bytes received by the host.
   Rate Tx: Displays the rate for transmitting data frames.
   Rate Rx: Displays the rate for receiving data frames.
   3.3 User Group
   The User Group function is used to group different users for unified management, so that you can perform othe
15. SSID: Specify a name for the wireless network.
   Description: Enter a description for this SSID.
   Security: Specify the security option of the wireless network. If you do not want to use wireless security, select Disable Security; otherwise select one Security option from the drop-down list. It's strongly recommended to choose one of the security options to enable security. There are three wireless security options supported by the Router: WPA-PSK/WPA2-PSK, WPA/WPA2 and WEP. It is recommended to choose WPA-PSK/WPA2-PSK. The detail information of the three security options will be introduced below.
   SSID Broadcast: Enable or disable the SSID Broadcast. If you enable the SSID Broadcast, the Wireless Router will broadcast its name (SSID) on the air.
   Guest Network: Enable or disable the Guest Network. If the Guest Network is enabled, the hosts in this network cannot communicate with the LAN port or other SSIDs.
   AP Isolation: This function can isolate wireless stations on your network from each other. Wireless devices will be able to communicate with the Router but not with each other.
   Enable/Disable this SSID: Enable or disable this SSID. If you select this option, the host which passed the validation will be allowed to connect to this SSID; otherwise the Router will refuse this host's request.
   1) WPA-PSK/WPA2-PSK
   It's the WPA/WPA2 authentication type based on pre-shared passphrase.
   Secur
16. Status to load the following page.
   [Figure 3-1 Status: screenshot of the Status page showing Device Info, System Time, WAN, Wireless, LAN and CPU Usage]
   3.1.2 System Mode
   The TL-ER604W Router can work in three modes: NAT, Non-NAT and Classic.
   If your Router is hosting your local network's connection to the Internet with a network topology as the Figure 3-2 shown, you can set it to NAT mode.
   [Figure 3-2 Network Topology - NAT Mode]
   If your Router is connecting the two networks of different areas in a large network environment with a network topology as the Figure 3-3 shown, and forwards the
17. You can import the configuration file to restore the saved setting.
   [Figure 3-85 Export and Import]
   The following items are displayed on this screen:
   > Configuration Version
   Displays the current Configuration version of the Router.
   > Export
   Click the <Export> button to save the current configuration as a file to your computer. You are suggested to take this measure before upgrading or modifying the configuration.
   > Import
   Click the <Browse> button to locate the update file for the device, or enter the exact path to the saved file in the text box. Then click the <Import> button to restore the saved setting. You should login the device again after importing the new configuration file.
   Note:
   - To avoid any damage, please don't power down the Router while being restored.
   - Configurations may be lost if the configuration file you imported varies greatly from current configurations.
   3.8.2.3 Reboot
   Choose the menu Maintenance > Management > Reboot to load the following page.
   [Figure 3-86 Reboot]
   Click the <Reboot> button to reboot the Router. The configuration will not be lost after rebooting. The Internet connection will be temporarily interrupted while rebooting.
   Note: To avoid damage, please don't turn off the device while rebooting.
   3.8.2.4 Firmware Upgrade
   Choose the menu Maintenance Management Firmware Upgr
18. be encrypted by MPPE.
   Enter the Pre-shared Key for IKE authentication. This item is available for L2TP tunnel.
   Enter the IP address of the client which is allowed to connect to this L2TP/PPTP server. The default IP 0.0.0.0 means any IP address is acceptable.
   Select the IP Pool Name to specify the address range for the server's IP assignment. This item is available for Server mode.
   Enter the IP address range of your remote network. (It's always the IP address range of LAN on the remote peer of VPN tunnel.) It's the combination of IP address and subnet mask.
   Status: Activate or inactivate the entry.
   > List of Configurations
   In this table, you can view your configurations of the tunnels and edit them by the action buttons. The No. 1 entry in Figure 3-67 indicates this tunnel is encapsulated by using L2TP. Its user name is test, the password can be configured, and the Router is configured in Client mode. The remote server is 172.30.70.161 and the remote subnet is 192.168.2.0/24. This entry is enabled.
   3.6.3.2 IP Address Pool
   On this page, you can configure the IP Address Pool. Choose the menu VPN > L2TP/PPTP > IP Address Pool to load the following page.
   [Figure 3-68 IP Address Pool: screenshot of the IP Address Pool form (Pool Name, IP Address Range) and the List of IP Address Pool]
   The following items are displayed on this screen:
   > IP Address Pool
19. channel is automatic and the Router will choose the best channel automatically. It is not necessary to change the wireless channel unless you notice interference problems with another nearby access point.
   Select the desired mode.
   - 11b only: Select if all of your wireless clients are 802.11b.
   - 11g only: Select if all of your wireless clients are 802.11g.
   - 11n only: Select only if all of your wireless clients are 802.11n.
   - 11bg mixed: Select if you are using both 802.11b and 802.11g wireless clients.
   - 11bgn mixed: Select if you are using a mix of 802.11b, 11g and 11n wireless clients.
   Select the desired wireless mode. When 802.11b mode is selected, only 802.11b wireless stations can connect to the Router. When 802.11g mode is selected, only 802.11g wireless stations can connect to the Router. When 802.11n mode is selected, only 802.11n wireless stations can connect to the Router. It is strongly recommended that you set the Mode 11bgn mixed, and all of 802.11b, 802.11g and 802.11n wireless stations can connect to the Router.
   Select the channel width from the drop-down list. The default setting is automatic, which can adjust the channel width for your clients automatically.
   SSID: Enter a name for the wireless network. The same name of SSID (Service Set Identification) must be assigned to all wireless device in your network. Considering y
20. provides an authentication for dial-up users.
   Enter the Radius Server address for Remote authentication.
   Shared Key: Enter the Shared Key for Remote authentication. It should be the same to the shared key of the Radius Server.
   3.7.1.2 IP Address Pool
   On this page, you can define or edit the IP Address Pool. Choose the menu Services > PPPoE Server > IP Address Pool to load the following page.
   [Figure 3-71 IP Address Pool: screenshot of the IP Address Pool form (Pool Name, IP Address Range) and the List of IP Pool]
   The following items are displayed on this screen:
   > IP Address Pool
   Pool Name: Specify a unique name to the IP Address Pool for identification and management purposes.
   IP Address Range: Specify the start and the end IP address for IP Pool. The start IP address should not exceed the end address, and the IP address ranges must not overlap.
   > List of IP Pool
   In this table, you can view the information of IP Address Pools and edit them by the Action buttons.
   3.7.1.3 Account
   On this page, you can configure the PPPoE account. Choose the menu Services > PPPoE Server > Account to load the following page.
   [Screenshot: Account form (Account Name, Password, IP Address Assigned Mode, IP Address Pool, Max Sessions, Expiration Date)]
21. Radio Data Rate: 11n: up to 300Mbps (Automatic); 11g: 54/48/36/24/18/12/9/6M (Automatic); 11b: 11/5.5/2/1M (Automatic)
   Frequency Expansion: DSSS (Direct Sequence Spread Spectrum)
   Modulation: 11b: CCK, QPSK, BPSK; 11g: OFDM; 11n: QPSK, BPSK, 16-QAM, 64-QAM
   WPA/WPA2, 64/128/152 WEP, TKIP/AES
   Antenna Gain: 5dBi*2
   Environmental and Physical
   Temperature: Operating: 0 to 40 °C (32 to 104 °F); Storage: -40 to 70 °C (-40 to 158 °F)
   Humidity: Operating: 10% to 90% RH, non-condensing; Storage: 5% to 90% RH, non-condensing
   Appendix B FAQ
   Q1: What can I do if I cannot access the web-based configuration page?
   (1) For the first login, please try the following steps:
   1) Make sure the cable is well connected to the LAN port of the Router. The corresponding LED should flash or be solid light.
   2) Make sure the IP address of your PC is set in the same subnet addresses of the Router. It's recommended to set your PC to get the IP address automatically. Then the Router with DHCP enabled can automatically assign the IP address to your PC. If you want to configure your PC manually, please set 192.168.0.x (x is any number between 2 to 254) for the IP address and 255.255.255.0 for the Subnet Mask.
   3) Test the connection between your PC and TL-ER604W via Ping command.
   4) If you still cannot access the configuration page, please restore your Router to its factory default settings and try to log in again.
   (2) If your
22. 3, IEEE 802.3u, IEEE 802.3ab, IEEE 802.11b/g/n standards
   > Supports AH, ESP, IKE, PPP protocols
   > Supports TCP/IP, DHCP, ICMP, NAT, NAPT protocols
   > Supports PPPoE, SNTP, HTTP, DDNS, UPnP, NTP protocols
   Basic Functions
   > Supports Static IP, Dynamic IP, PPPoE/Russian PPPoE, L2TP/Russian L2TP, PPTP/Russian PPTP, Dual Access, BigPond Internet connections
   > Supports Virtual Server, Port Triggering, ALG, Static Route and RIP v1/v2
   > Built-in Switch supporting Port Mirror, Port VLAN, Rate Control and so on
   > Supports to change the MAC address of LAN and WAN port
   > Supports Logs, Statistics, Time setting
   > Supports Remote and Web management
   > Supports Diagnostic (Ping/Tracert) and Online Detection
   Wireless
   > Supports Wireless N speed and 2 detachable 5dBi antennas
   > Supports WEP, WPA/WPA2, WPA-PSK/WPA2-PSK Encryption
   > Supports WDS, Multi-SSID, Guest Network
   VPN
   > Supports IPsec VPN and provides up to 30 IPsec VPN tunnels
   > Supports IPSec VPN in LAN-to-LAN or Client-to-LAN
   > Provides DES, 3DES, AES128, AES152, AES256 encryption, MD5, SHA1 authentication
   > Supports IKE Pre-Share Key and DH1/DH2/DH5 Key Exchanges
   > Supports PPTP/L2TP Server/Client
   Traffic Control
   > Supports Bandwidth Control
   > Supports Session Limit
   Security
   > Built-in firewall supporting URL/MAC Filtering
   > Supports Access Control
   > Supports Attack Defense
   > Supports IP MAC
23. 3.4.4 Traffic Monitoring
   1) Port Mirror
   Choose the menu Network > Switch > Port Mirror to load the configuration page. Check the box before Enable Port Mirror and select the Ingress & Egress mode. Select the Port 5 for the Mirroring Port and the Port 3 and the Port 4 for the Mirrored ports. Click the <Save> button to apply.
   [Figure 4-21 Port Mirror: screenshot of the General panel (Enable Port Mirror, Mode) and the Port Mirror panel (Mirroring Port, Mirrored Port)]
   2) Statistics
   Choose the menu Maintenance Statistics to load the page. Load the Interface Traffic Statistics page to view the traffic statistics of each physical interface of the Router as Figure 4-22 shows.
   [Figure 4-22 Interface Traffic Statistics: screenshot of per-interface rate, packet and byte counters and the Advanced WAN Information table]
   Load the IP Traffic Statistics page and check the box before Enable IP Traffic Statistics and Enable Auto-refresh, then click the <Save> button to apply. Select the data direction; the corresponding IP traffic statistics will display in the Statistics table as Figure 4-23 show
24. [Figure 3-52 ARP List: screenshot of the ARP List table (No., IP Address, MAC Address, Status)]
   The configurations for the entries is the same as the configuration of List of Scanning Result on 3.5.1.2 ARP Scanning page. The unbound IP-MAC information will be replaced by new IP-MAC information or be automatically removed from the list if it has not been communicated with others for a long time. This period is regarded as the aging time of the ARP information.
   3.5.2 Attack Defense
   With Attack Defense function enabled, the Router can distinguish the malicious packets and prevent the port scanning from external network, so as to guarantee the network security. Choose the menu Firewall > Attack Defense > Attack Defense to load the following page.
   [Screenshot: Attack Defense settings.
   Flood Defense: Multi-connections TCP SYN Flood, Multi-connections UDP Flood, Multi-connections ICMP Flood, Stationary source TCP SYN Flood, Stationary source UDP Flood and Stationary source ICMP Flood thresholds (Pkt/s).
   Packet Anomaly Defense: Block Fragment Traffic; Block TCP Scan (Stealth FIN/Xmas/Null); Block Ping of Death; Block Large Ping; Block WinNuke attack; Block Ping from WAN; Block TCP packets with SYN and FIN Bits set; Block TCP packets with FIN Bit set but no ACK Bi]
25. 3.3.3 View; 3.4 Advanced: 3.4.2 Traffic Control, 3.4.3 Session Limit, 3.4.4 Load Balance; 3.5.2 Attack Defense, 3.5.3 MAC Filtering, 3.5.4 Access Control, 3.5.5 App Control; 3.6 VPN; 3.7.1 PPPoE Server, 3.7.2 E-Bulletin, 3.7.3 Dynamic DNS; 3.8.2 Management; Chapter 4 Applications: 4.1 Network Requirements, 4.2 Network Topology, 4.3 Configurations, 4.3.2 VPN Setting, 4.3.3 Network Management, 4.3.4 Network Security; Appendix A Hardware Specifications
26. Configuration Procedure: Type 210.10.10.0/24 in the Subnet/Mask field on the Remote Management page and enable the entry, as the following figure shows. [Figure: Remote Management, Subnet/Mask 210.10.10.0/24, Status Activate] Then type the corresponding port number in the Web Management Port and Telnet Management Port fields, as the following figure shows. [Figure: General, with Web Management Port, Telnet Management Port, Web Idle Timeout (5-60 min) and Telnet Idle Timeout (5-60 min)] Finally, start the web browser and type 210.10.10.50 in the URL field to log in to the Web management page of the Router. 3.8.2 Management. 3.8.2.1 Factory Defaults: Choose the menu Maintenance > Management > Factory Defaults to load the following page. [Figure 3-84 Factory Defaults] Click the <Restore to Factory Defaults> button to reset all configuration settings to their default values. The default IP address is 192.168.0.1; the default login user name and password are both admin. 3.8.2.2 Export and Import: Choose the menu Maintenance > Management > Export and Import to load the following page. Configuration Version: Current Version 1.1.0. Export: Click <Export> to save your current configuration to your computer. It is recommended to export the configuration before Firmware Upgrade or configuration modification. Import
27. MTU is 1500. It is recommended to keep the default value if no other MTU value is provided by your ISP. Enter the IP address of your ISP's Primary DNS (Domain Name Server). If you are not clear, please consult your ISP. It's not allowed to access the Internet via domain name if the Primary DNS field is blank. Optional: If a Secondary DNS Server address is available, enter it. Specify the bandwidth for transmitting packets on the port. Downstream Bandwidth: Specify the bandwidth for receiving packets on the port. 2) Dynamic IP: If your ISP (Internet Service Provider) assigns the IP address automatically, please choose the Dynamic IP connection type to obtain the parameters for WAN port automatically. [Figure 3-8 WAN - Dynamic IP] The following items are displayed on this screen: Dynamic IP. Connection Type: Select Dynamic IP if your ISP assigns the IP address automatically. Click <Obtain> to get the IP address from your ISP's server. Click <Release> to release the current IP address of WAN port.
28. Pool Name: Specify a unique name to the IP Address Pool for identification and management purposes. IP Address Range: Specify the start and the end IP address for IP Pool. The start IP address should not exceed the end address and the IP ranges must not overlap. List of IP Pool: In this table, you can view the information of IP Pools and edit them by the action buttons. 3.6.3.3 List of L2TP/PPTP Tunnel: This page displays the information and status of the tunnels. Choose the menu VPN > L2TP/PPTP > List of L2TP/PPTP Tunnel to load the following page. [Figure 3-69 List of L2TP/PPTP Tunnel] Figure 3-69 displays the connection status of the NO. 1 entry in the list of tunnel in Figure 3-68. This tunnel has been successfully established. Each tunnel has a Tunnel ID and a Session ID. The ID value in client corresponds to that in server. The connection information of this tunnel in the server is shown as the figure below. [Figure: List of Tunnel on the server] Every time a tunnel connection is established, a tunnel ID and a session ID are created. In a Router, the ID values of different tunnels are different. A tunnel can create differe
29. Primary/Secondary NTP Server: Enter the IP Address for the NTP server. With this option selected, you can set the date and time manually. With this option selected, the administrator PC's clock is utilized. • If Get GMT function cannot be used properly, please add an entry with UDP port of 123 to the firewall software of the PC. • The time will be lost when the Router is restarted. The Router will obtain GMT time automatically from Internet. 3.8.7 Logs: The Log system of Router can record, classify and manage the system information effectively. Choose the menu Maintenance > Logs > Logs to load the following page. [Figure 3-94 Logs: List of Logs; Config with Enable Auto-refresh; Severity levels <0> Emergency, <1> Alert, <2> Critical, <3> Error, <4> Warning, <5> Notice, <6> Informational, <7> Debug; Send System Logs with Server IP] List of Logs: List of Logs displays the system log information in log buffer. An entry of log contains the following four parts. Config. Enable Auto-refresh: With this option selected, the page will refresh automatically every 5 seconds. Severity: Displays the severity level of the log information. You can select a severity level to display the log information with the same level. Send System Logs: Select Send System Logs and specify the server IP, then the new added logs will be sen
30. Proposal. The inbound key here must match the outbound ESP authentication key at the other end of the tunnel, and vice versa. Specify the inbound ESP Encryption Key manually if ESP protocol is used in the corresponding IPsec Proposal. The inbound key here must match the outbound ESP encryption key at the other end of the tunnel, and vice versa. Specify the Outgoing SPI (Security Parameter Index) manually. The Outgoing SPI here must match the Incoming SPI value at the other end of the tunnel, and vice versa. Specify the outbound AH Authentication Key manually if AH protocol is used in the corresponding IPsec Proposal. The outbound key here must match the inbound AH authentication key at the other end of the tunnel, and vice versa. Specify the outbound ESP Authentication Key manually if ESP protocol is used in the corresponding IPsec Proposal. The outbound key here must match the inbound ESP authentication key at the other end of the tunnel, and vice versa. ESP Encryption Key-Out: Specify the outbound ESP Encryption Key manually if ESP protocol is used in the corresponding IPsec Proposal. The outbound key here must match the inbound ESP encryption key at the other end of the tunnel, and vice versa. List of IPsec Policy: In this table, you can view the information of IPsec policies and edit them by the action buttons. The first entry in Figure 3-64 indicates: this is an IPsec tunnel, the local subnet is 19
31. The start port number cannot be greater than the end port number. List of Service: You can view the information of the entries and edit them by the Action buttons. Note: The service types predefined by the system cannot be modified. 3.5.5 App Control. 3.5.5.1 Control Rules: On this page, you can enable the Application Rules function. Choose the menu Firewall > App Control > Control Rules to load the following page. [Figure 3-59 Application Rules] The following items are displayed on this screen: General: Check the box before Enable Application Control to make the Application Control function take effect. The specified application used by the specified local users will not be allowed to access the Internet if the Application Control entry is enabled. Control Rules. Object: Specify the object for the entry. You can select Group to limit the predefined group, or select ANY to limit all the users. Group: If you select Group as the object, you can select the group in the drop-down list. To establis
32. [Figure 3-10 WAN - L2TP] The following items are displayed on this screen: L2TP Settings. Connection Type: Select L2TP if your ISP provides a L2TP connection. Click <Connect> to dial up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the Internet connection and release the current IP address. Account Name: Enter the Account Name provided by your ISP. If you are not clear, please consult your ISP. Password: Enter the Password provided by your ISP. Server IP: Enter the Server IP provided by your ISP. [Field labels listed here without their descriptions: Secondary Connection, Connection Type, IP Address, Subnet Mask, Default Gateway, Primary DNS, Secondary DNS, Upstream Bandwidth, Downstream Bandwidth] MTU: MTU (Maximum Transmission Unit) is the maximum data unit transmitted by the physical network. It can be set in the range of 576-1460. The default MTU is 1460. It is recommended to keep the default value if no other MTU value is provided by your ISP. Active Mode: You can select the proper Active Mode according to your need. • Manual: Select this option to manually activate or terminate the Internet connection by the <Connect> or <Disconnect> button. It is opti
33. VPN to Internet to allow the PPTP clients to access the local enterprise network and the Internet. Then continue with the following settings for the PPTP Tunnel. Settings: L2TP/PPTP: Enable; Protocol: PPTP; Mode: Server; Username: PPTP; Password: abcdefg; Tunnel: Client-to-LAN; IP Pool: PPTP_Dialup User (you just created). Click the <Save> button to apply. [Figure: General and L2TP/PPTP Tunnel settings, with List of Configurations] 4.3.3 Network Management: To manage the enterprise network effectively and forbid the Hosts within the IP range of 192.168.0.30-192.168.0.50 to use IM/P2P application, you can set up a User Group and specify the network bandwidth limit and session limit for this group. The detailed configurations are as follows. 4.3.3.1 User Group: Create a User Group with all the Hosts in the IP range of 192.168.0.30-192.168.0.50 as its group members. • Group: Choose the menu User Group > Group to load the following page. Enter the Group Name and the Description to create a Group as the following
34. [Figure: TL-ER604W with WAN 116.31.88.5 and LAN 192.168.0.1, R1 with WAN 116.31.88.16 and LAN 192.168.2.1; LAN1 192.168.0.0/24 with Gateway 192.168.1.1, LAN2 192.168.2.0/24 with Gateway 192.168.2.1] Suppose the LAN port of TL-ER604W, in Non-NAT or Classic system mode, is connected to LAN1 with subnet of 192.168.0.0/24, while the LAN port of another Router R1 is connected to LAN2 with network of 192.168.2.0/24. Meanwhile, the WAN ports of the two routers are interconnected and within the same network. Now a host under TL-ER604W and within the network of LAN1 desires to communicate with the host within the network of LAN2. You can set a Static Route entry: Enter the WAN IP address of R1 (116.31.88.16) in the Next Hop field on the Static Route page of TL-ER604W, as the following figure shows, then click the <Add> button to save the entry. [Figure: Static Route page, with fields Destination, Subnet Mask, Next Hop, Interface, Metric (0-15), Description and Status] RIP (Routing Information Protocol) is a dynamic route protocol using distance vector algorithm to select the optimal path. With features of easy configuration, management and implementation, it is widely used in small and medium-sized networks such as the campus network. The distance of RIP refers to the hop counts that a data packet passes through before reaching its destination, the value range of which is 1-15. It means the destinati
35. a remote mobile office, which enables the staff on business to access the FTP server and Mail server in the headquarters via PPTP dial-up connection. 4.3.2.1 IPsec VPN. 1) IKE Setting: To configure the IKE function, you should create an IKE Proposal first. • IKE Proposal: Choose the menu VPN > IKE > IKE Proposal to load the configuration page. Settings: Proposal Name: proposal_IKE_1; Authentication: MD5; Encryption: 3DES; DH Group: DH2. Click the <Add> button to apply. [Figure 4-4 IKE Proposal] • IKE Policy: Choose the menu VPN > IKE > IKE Policy to load the configuration page. Settings: Policy Name: IKE 1; Exchange Mode: Main; IKE Proposal: proposal_IKE_1 (you just created); Pre-shared Key: aabbccddee; SA Lifetime: 3600; DPD: Enable; DPD Interval: 10. Click the <Add> button to apply. [Figure: IKE Policy page, with List of IKE Policy] Tips: For the VPN Router in the remote branch office, the IKE settings should be the same as the Router in the headquarters. 2) IPsec Setting
36. data and exchange the key to data de-encryption. IPsec has two important security protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload). AH is used to guarantee the data integrity. If the packet has been tampered with during transmission, the receiver will drop this packet when validating the data integrity. ESP is used to check the data integrity and encrypt the packets. Even if the encrypted packet is intercepted, the third party still cannot get the actual information. 3.6.2.1 IPsec Policy: On this page, you can define and edit the IPsec policy. Choose the menu VPN > IPsec > IPsec Policy to load the following page. [Figure 3-64 IPsec Policy; the first entry in the List of IPsec Policy shows Mode LAN-to-LAN, Local Subnet 192.168.0.0/24, Remote Subnet 192.168.3.0/24, Policy Mode IKE, Status Active] The following items are displayed on this screen: General: You can enable/disable IPsec function for the Router here. IPsec Policy: Policy Name, Mode, Loca
37. entered. Interface: Select an interface for forwarding data packets. Trigger Port: Enter the trigger port number or the range of port. Only when the trigger port initiates connection will all the corresponding incoming ports open and provide service for the applications; otherwise the incoming ports will not open. Trigger Protocol: Select the protocol used for trigger port. Incoming Port: Enter the incoming port number or range of port numbers. The incoming port will open for follow-up connection after the trigger port initiates connection. Incoming Protocol: Select the protocol used for incoming port. Status: Activate or inactivate the entry. Note: • The Trigger Port and Incoming Port should be set in the range of 1-65535. The Incoming Port can be set in a continuous range such as 8690-8696. • The Router supports up to 16 Port Triggering entries. Each entry supports at most 5 groups of trigger ports, and overlapping between the ports is not allowed. • Each entry supports at most 5 groups of incoming ports, and the sum of incoming ports you set for each entry should not be more than 100. List of Rules: In this table, you can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-37 indicates that: This is a Port Triggering entry named host1. When the LAN host initiates a TCP request via port of 5354, the incoming port 5355 of WAN1 will open for TCP and UDP pr
38. example, if you select Block for Policy and only FTP for Service, the packets of other service types can still pass through the Router. You can add new service types on 3.5.4.4 Service. Interface: Select the interface for the entry. The entry will take effect when the interface to which the data is flowing is selected. WAN and LAN refer to all the WAN and LAN interfaces. Source: Select the Source IP Range for the entries, including the following three ways: • IP/MASK: Enter an IP address or subnet mask (0.0.0.0/32 means any IP). • Group: Select a predefined group of users. You can set the group on 3.3.1 Group. • ANY: means for any users. Destination: Select the Destination IP Range for the entries, including the following two ways: • IP/MASK: Enter an IP address or subnet mask (0.0.0.0/32 means any IP is acceptable). • ANY: means for any users. Effective Time: Specify the time for the entry to take effect. Description: Give a description for the entry. Priority: Select this option to specify the priority for the added entries. The latest enabled entry will be displayed at the end of the list by default. List of Rules: You can view the information of the entries and edit them by the Action buttons. The smaller the value is, the higher the priority is. The first entry in Figure 3-57 indicates: The TELNET packets transmitted from the hosts within the network of 192.168.0.0/24 will be
39. figure shows. [Figure 4-9 Group Config, with Description "IM/P2P Blocking"] • User: Choose the menu User Group > User to load the configuration page. Click the <Batch> button to enter the batch processing screen. Then continue with the following settings. Settings: Action: Add; Start IP Address: 192.168.0.30; End IP Address: 192.168.0.50; Prefix Username: User; Start No.: 1; Step: 1. Click the OK button to add the Users in bulk. [Figure 4-10 User Config - Batch] • View: Choose the menu User Group > View to load the configuration page. Add all the Users you just created into the Group 1 and click the <Save> button to apply. 4.3.3.2 App Control: Choose the menu Firewall > App Control > Control Rules to load the configuration page. Check the box before Enable Application Control and click <Save> to apply. Then continue with the following settings. Settings: Object: Group; Group: group; Application: Click the <Application List> button and select the applications desired to be blocked on the popup window; Status: Activate. [Figure: App Control, Control Rules page]
40. hosts. • Flexible Traffic Control: Featured Bandwidth Control with flexible bandwidth management to automatically control the bandwidth of the host in bi-direction to avoid bandwidth over-occupation, as well as optimize bandwidth usage. Supporting Session Limit to avoid the complaint of a few people to force whole sessions. • Dual-WAN Ports: Providing two 10/100/1000M WAN ports for users to connect two Internet lines for bandwidth expansion. Supporting multiple Load Balance modes, including Bandwidth Based Balance Routing, Application Optimized Routing, and Policy Routing, to optimize bandwidth usage. Featured Link Backup to switch all the new sessions from dropped line automatically to another for keeping an always on-line network. • Easy-to-use: Providing easy-to-use GUI with clear configuration steps and detailed help information for the users to configure the Router simply. Helping administrators to monitor the whole network status and take actions to malfunctions according to the recorded log information. Supporting remote management to manage the Router from remote places. 2.2 Features. Hardware: 1 fixed gigabit WAN port, 1 interchangeable gigabit WAN/LAN port, 3 fixed gigabit LAN ports; Fanless Design for Quiet Operation; Hardware Wi-Fi On/Off button provides an easy way to turn wireless radio on or off; Supports Professional 4kV common mode lightning protection; Complies with IEEE 802
41. message of arbitrary length and generates a 128-bit message digest. • SHA: SHA (Secure Hash Algorithm) takes a message less than the 64th power of 2 in bits and generates a 160-bit message digest. ESP Authentication: Select the algorithm used to verify the integrity of the data for ESP authentication. Options include: • MD5: MD5 (Message Digest Algorithm) takes a message of arbitrary length and generates a 128-bit message digest. • SHA: SHA (Secure Hash Algorithm) takes a message less than the 64th power of 2 in bits and generates a 160-bit message digest. ESP Encryption: Select the algorithm used to encrypt the data for ESP encryption. Options include: • NONE: Performs no encryption. • DES: DES (Data Encryption Standard) encrypts a 64-bit block of plain text with a 56-bit key. The key should be 8 characters. • 3DES: Triple DES, encrypts a plain text with 168-bit key. The key should be 24 characters. • AES128: Uses the AES algorithm and 128-bit key for encryption. The key should be 16 characters. List of IPsec Proposal: In this table, you can view the information of IPsec Proposals and edit them by the action buttons. 3.6.2.3 IPsec SA: This page displays the information of the IPsec SA (Security Association). Choose the menu VPN > IPsec > IPsec SA to load the following page. [Figure: List of IPsec SA, with columns No., Name, SPI, Tunnel, Data Flow, Protocol, AH Auth, ESP Auth, ESP Encr, Status]
42. not allowed to pass through the Router at 8:00-20:00 from Tuesday to Saturday. Note: • For the users in the private network and not being set access rule, the default Policy is Allow. • To specify all IP addresses, type 0.0.0.0/32 in the Policy field. • For detailed setting of subnet mask, please refer to Appendix B FAQ. 3.5.4.4 Service: The Service function allows you to specify the protocol and port number to be filtered for Firewall function conveniently. Protocol name and port range constitute a service type. The Router predefines three commonly used services such as HTTP, FTP and TELNET, and you can also add customized services if needed. Choose the menu Firewall > Access Control > Service to load the following page. [Figure 3-58 Service] The following items are displayed on this screen: Service. Name: Enter a name for the service. The name should not be more than 28 characters. The name will display in the drop-down list of Protocol on Access Rule page. Protocol: Select the protocol for the service. The system predefined protocols include TCP, UDP and TCP/UDP. Dest. Port: Enter the start and end ports to make a destination port range for the service.
43. [Figure 3-18 Statistics] The following items are displayed on this screen: Statistics. Unicast: Displays the number of normal unicast packets received or transmitted on the port. Broadcast: Displays the number of normal broadcast packets received or transmitted on the port. Pause: Displays the number of flow control frames received or transmitted on the port. Multicast: Displays the number of normal multicast packets received or transmitted on the port. Undersize: Displays the number of the received frames (including error frames) that are less than 64 bytes long. Normal: Displays the number of the received packets (including error frames) that are between 64 bytes and the maximum frame length. The maximum untagged frame this Router can support is 1518 bytes long and the maximum tagged frame is 1522 bytes long. Oversize: Displays the number of the received packets (including error frames) that are longer than the maximum frame. Total Bytes: Displays the total number of the received or transmitted packets (including error frames). Click the <Clear All> button to clear all the traffic statistics. Tips: The Port 1/2/3/4/5 mentioned in this User Guide refers to the WAN1/2 port and LAN1/2/3 port on the Router. 3.1.6.2 Port Mirror: Port Mirror, the packets obtaining technology, functions to forward copies of packets from
44. of bandwidth of the enabled WAN ports. Displays the bandwidth of each WAN port for transmitting data. The Upstream Bandwidth of WAN port can be configured on WAN page. Displays the bandwidth of each WAN port for receiving data. The Downstream Bandwidth of WAN port can be configured on WAN page. provided by ISP. Otherwise, the Traffic Control will be invalid. If there are data flowing into the Router from interface A and out from interface B, while the downstream bandwidth of A is different from the upstream bandwidth of B, then the smaller one should be considered as the effective bandwidth, and vice versa. Click the <View IP Traffic Statistics> button to jump to IP Traffic Statistics page. 3.4.2.2 Bandwidth Control: On this page, you can configure the Bandwidth Control function. Choose the menu Advanced > Traffic Control > Bandwidth Control to load the following page. [Figure: Bandwidth Control Rule, with Direction, Group, Mode (Individual or Shared), Guaranteed Bandwidth Up (10-1000000 Kbps), Limited Bandwidth Up (0 or 10-1000000 Kbps, 0 means no limit), Guaranteed Bandwidth Down (10-1000000 Kbps), Limited Bandwidth Down (0 or 10-1000000 Kbps, 0 means no limit), Effective Time, Description and Status, followed by the List of Rules]
45. packets between these two networks by the Routing rules, you can set it to Non-NAT mode. [Figure 3-3 Network Topology - Non-NAT Mode] If your Router is connected in a combined network topology as Figure 3-4 shows, you can set it to Classic Mode. [Figure 3-4 Network Topology - Classic Mode] Choose the menu Network > System Mode to load the following page. [Figure 3-5 System Mode, with options NAT, Non-NAT and Classic] You can select a System Mode for your Router according to your network need. • NAT Mode: NAT (Network Address Translation) mode allows the Router to translate private IP addresses within internal networks to public IP addresses for traffic transport over external networks, such as the Internet. Incoming traffic is translated back for delivery within the internal network. However, the Router will drop all the packets whose source IP addresses are in a different subnet from the LAN port. For example: If the LAN port of the Router is set to 192.168.0.1 for IP address and 255.255.255.0 for the Subnet Mask, then the subnet of LAN port is 192.168.0.0/24. The packet with 192.168.0.123 as its source IP address can be transported by NAT, whereas the packet with 20.31.76.80 as its source IP address will be dropped. • Non-NAT Mode: In this mode, the Router functions as the traditional Gateway and forwards the packets via routin
46. set for the object at the same time. Enter the name of the bulletin's publisher. Enter the description for the bulletin. Activate or inactivate the entry. In this table, you can view the existing bulletins and edit them by the Action button. The No. 1 entry in Figure 3-75 indicates: this bulletin is released by the administrator, and it is released to the Group1 from 8am to 20pm on Thursday and Friday at every bulletin interval (the interval in the figure is 30 min). This entry is enabled. Tips: For the configuration for groups and users, please refer to the User Group section. 3 3 Dynamic DNS: DDNS (Dynamic DNS) service allows you to assign a fixed domain name to a dynamic WAN IP address, which enables the Internet hosts to access the Router or the hosts in LAN using the domain names. As many ISPs use DHCP to assign public IP addresses in WAN, the public IP address assigned to the client is unfixed. In this way, it's very difficult for other clients to get the latest IP address of this client for access. DDNS (Dynamic DNS) server provides a fixed domain name for DDNS client and maps its latest IP address to this domain name. When DDNS server works, DDNS client informs the DDNS server of the latest IP address, and the server will update the mappings between the domain name and IP address in DNS database. Therefore, the users can use the same domain name to access the DDNS client even if the IP address
47. the following page. [Figure 3-91 Diagnostics, showing sample Ping and Tracert output] The following items are displayed on this screen: Ping. Destination IP/Domain: Enter destination IP address or Domain name here. Then select a port for testing; if you select Auto, the Router will select the interface of destination automatically. After clicking <Start> button, the Router will send Ping packets to test the network connectivity and reachability of the host, and the results will be displayed in the box below. [The heading 3.8.5.2 Online Detection follows the Tracert item on this page] Tracert. Destination IP/Domain: Enter destination IP address or Domain name here. Then select a port for testing; if Auto is selected, the Router will select the interface of destination automatically. After clicking the <Start> button, the Router
48. your DDNS account. Activate or inactivate DDNS service here. Displays the WAN port for which Comexe DDNS is selected. Displays the current status of DDNS service. Offline: DDNS service is disabled. Connecting: client is connecting to the server. Online: DDNS works normally. Authorization fails: The Account Name or Password is incorrect. Please check and enter it again. Displays the domain names obtained from the DDNS server. Up to 5 domain names can be displayed here. In this table, you can view the existing DDNS entries or edit them by the Action button. 3.7.4 UPnP: Devices based on UPnP (Universal Plug and Play) protocol from different manufacturers can automatically discover and communicate with one another. If UPnP groupware are installed in the host in LAN and UPnP function is enabled for the Router, the host in LAN can automatically open the corresponding port to allow the UPnP application in WAN to access the resource of the host in LAN via this port, so that the functions limited to NAT can work normally. For example, MSN Messenger installed in Windows XP and Windows ME system is using UPnP protocol when audio and video communications are processing. On this page, you can configure UPnP service. Choose the menu Services > UPnP to load the following page. [Figure: UPnP page, with General (UPnP Function: Enable or Disable) and List of UPnP Mapping]
49. your device.
1.3 Overview of this Guide
- Chapter 1 About This Guide: Introduces the guide structure and conventions.
- Chapter 2 Introduction: Introduces the features and appearance of this router.
- Chapter 3 Configuration: Introduces how to configure the Router via Web management page.
- Chapter 4 Application: Introduces the practical application of the Router on the enterprise network.
- Appendix A Hardware Specifications: Lists the hardware specifications of this router.
- Appendix B FAQ: Provides the possible solutions to the problems that may occur during the installation and operation of the router.
- Appendix C Glossary: Lists the glossary used in this guide.
Chapter 2 Introduction
Thanks for choosing the SafeStream Wireless N Gigabit Broadband VPN Router TL-ER604W.
2.1 Overview of the Router
The SafeStream Wireless N Gigabit Broadband VPN Router TL-ER604W from TP-LINK supports Wireless N speed and Gigabit wired speeds on all ports. It integrates multiple VPN protocols, high-security and high-performance VPN capabilities, making it an ideal choice for branch offices in need of cost-effective, secure remote connections to headquarters or remote offices. Furthermore, together with many useful features including hardware-based WiFi On/Off button, Guest Networking, App Control and PPPoE Server functions, TL-ER604W is an ideal network solution for home or small office consumers.
- Powerful Data Processing Capability
Built-in MIPS 32
50. [Figure 3-51 ARP Scanning: screenshot of the scanning range and the List of Scanning Result]
Enter the start and the end IP addresses into the Scanning IP Range field. Then click the <Scan> button; the Router will scan all the active hosts within the scanning range and display the result in the list.
The entries displayed on the List of Scanning Result do not mean the IP and MAC addresses are already bound. The current status for the entry will display in the Status field:
- [status icon] Indicates that the IP and MAC address of this entry are not bound and may be replaced by wrong ARP information.
- [status icon] Indicates that this entry is imported to the list on IP-MAC Binding page, but not effective yet.
- [status icon] Indicates that the IP and MAC address of this entry are already bound.
To bind the entries in the list, check these entries and click the <Import> button; then the settings will take effect if the entries do not conflict with the existing entries.
Note: If the local hosts suffered from ARP attack, you cannot add IP-MAC Binding entries on this page. Please add entries manually on 3.5.1.1 IP-MAC Binding.
3.5.1.3 ARP List
On this page, the IP-MAC information of the hosts which communicated with the Router recently will be saved in the ARP list. Choose the menu Firewall > Anti ARP Spoofing > ARP List to load the following page.
51. 2.168.0.0/24, the remote subnet is 192.168.3.0/24, and this tunnel is using IKE automatic negotiation. It is enabled.
Tips:
- 0.0.0.0/0-32 indicates all IP addresses.
- Refer to Appendix Troubleshooting 5 for the configuration of subnet.
3.6.2.2 IPsec Proposal
On this page, you can define and edit the IPsec proposal. Choose the menu VPN > IPsec > IPsec Proposal to load the following page.
[Figure 3-65 IPsec Proposal: screenshot of the proposal form and the List of IPsec Proposal]
The following items are displayed on this screen:
IPsec Proposal
- Proposal Name: Specify a unique name to the IPsec Proposal for identification and management purposes. The IPsec proposal can be applied to IPsec policy.
- Security Protocol: Select the security protocol to be used. Options include:
  - AH: AH (Authentication Header) provides data origin authentication, data integrity and anti-replay services.
  - ESP: ESP (Encapsulating Security Payload) provides data encryption in addition to origin authentication, data integrity, and anti-replay services.
- AH Authentication: Select the algorithm used to verify the integrity of the data for AH authentication. Options include:
  - MD5: MD5 (Message Digest Algorithm) takes a
52. 34 One to One NAT
The following items are displayed on this screen:
One to One NAT
- Mapping IP Address: Enter the Original IP Address in the first checkbox and Translated IP Address in the second checkbox. TL-ER604W allows mapping from LAN port to WAN port in LAN Mode.
- Interface: Select an interface for forwarding data packets.
- DMZ Forwarding: Enable or disable DMZ Forwarding. The packets transmitted to the Translated IP Address will be forwarded to the host of Original IP if DMZ Forwarding is enabled.
- Description: Give a description for the entry.
- Status: Activate or inactivate the entry.
List of Rules
In this table, you can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-34 indicates: The IP address of host1 in local network is 192.168.0.128 and the WAN IP address after NAT mapping is specified to be 222.135.48.128. The data packets are transmitted from WAN1 port. DMZ Forwarding and this entry are both activated.
Note: One to One NAT entries take effect only when the Connection Type of WAN is Static IP. Changing the Connection type from Static IP to other ones will make the entries attached to the interface disabled.
3.4.1.3 Multi-Nets NAT
Multi-Nets NAT function allows the IP under LAN port within multiple subnets to access the Internet via NAT. Choose the menu Advanced > NAT > Multi-Nets NAT to load the following page.
[Screenshot: Multi-Nets NAT page]
54. [Figure 4-2 WAN - Static IP: screenshot of the WAN static IP settings]
4.3.1.3 Link Backup
Set the connection of WAN1 as the primary link, the connection of WAN2 as the secondary link. Choose the menu Advanced > Load Balance > Link Backup to load the configuration page. Select WAN1 as Primary WAN, WAN2 as Backup WAN, select the Failover mode as Figure 4-3 shown, and then click the <Add> button to apply.
[Figure 4-3 Link Backup: screenshot of the Link Backup settings and the List of Rules]
4.3.2 VPN Setting
To enable the hosts in the remote branch office (WAN: 116.31.85.133, LAN: 172.31.10.1) to access the servers in the headquarters, you can create the VPN tunnel via the TP-LINK VPN routers between the headquarters and the remote branch office to guarantee a secured communication. The following takes IPsec settings of the Router in the headquarters for example. Moreover, you can configure the PPTP VPN Server to establish
55. AC Address
The following items are displayed on this screen:
MAC Address
- Port: Displays the port type of the Router.
- Current MAC Address: Displays the current MAC address of the port.
- MAC Clone: It's only available for WAN port. Click the <Restore Factory MAC> button to restore the MAC address to the factory default value, or click the <Clone Current PC's MAC> button to clone the MAC address of the PC you are currently using to configure the router. Then click <Save> to apply.
Note: To avoid a conflict of MAC address on the local area network, it's not allowed to set the MAC address of the Router's LAN port to the MAC address of the current management PC.
3.1.6 Switch
Some basic switch port management functions are provided by TL-ER604W, which facilitates you to monitor the traffic and manage the network effectively.
3.1.6.1 Statistics
Statistics screen displays the detailed traffic information of each port, which allows you to monitor the traffic and locate faults promptly. Choose the menu Network > Switch > Statistics to load the following page.
[Screenshot: Statistics page listing received and transmitted packet counters (Unicast, Broadcast, Pause, Multicast, Undersize, Normal, Oversize, Total Bytes) for Port 1 to Port 5]
56. Binding
- Supports GARP (Gratuitous ARP)
- Deploys One-Click restricting of IM/P2P applications
2.3 Appearance
2.3.1 Front Panel
The front panel of TL-ER604W is shown as the following figure.
[Figure 2-1 Front Panel]
LEDs (LED, Status, Indication):
- PWR, On: The Router is powered on.
- PWR, Off: The Router is powered off or power supply is abnormal.
- SYS, Flashing: The Router works properly.
- SYS, On/Off: The Router works improperly.
- WLAN, On (Green): The wireless function is enabled.
- WLAN, Off: The wireless function is disabled.
- WLAN, Flashing (Green): There is data being transferred through wireless.
- WAN/LAN, On (Green/Yellow): There is a device linked to the corresponding port but no activity. Green light indicates the linked device is running at 1000Mbps, and yellow indicates the linked device is running at 10/100Mbps.
- WAN/LAN, Off: There is no device linked to the corresponding port.
- WAN/LAN, Flashing (Green/Yellow): The corresponding port is transmitting or receiving data. Green light indicates the linked device is running at 1000Mbps, and yellow indicates the linked device is running at 10/100Mbps.
Interface Description (Interface Port, Description):
The WAN port is for connecting the Router to a DSL/Cable modem or
57. [Figure 3-72 Account: screenshot of the account form, the advanced account features and the List of Account]
The following items are displayed on this screen:
Account
- Account Name: Enter the account name. This name should not be the same with the one in L2TP/PPTP connection settings.
- Password: Enter the password.
- IP Address Assigned Mode: Select the IP Address Assigned Mode for IP assignment.
  - Static: Select this option to assign a static IP address to the client.
  - Dynamic: Select this option to assign available IP addresses to the client automatically.
- Static IP Address: It's available on Static mode. Enter a static IP address for the client.
- IP Address Pool: It's available on Dynamic mode. Select an IP Address Pool to make a range to assign dynamic IPs.
- Max Sessions: Specify the maximum number of sessions for the client. The default value is 1.
- Expiration Date: Specify the Expiration Date of the account. The default is 2099-1-1.
- Description: Enter the description for management and search purposes. Up to 28 characters can be entered.
- Status: Activate or inactivate the entry.
- MAC Binding: Sele
58. [Figure 4-7 IPsec Policy: screenshot of the IPsec policy settings]
Tips: For the VPN Router in the remote branch office, the IPsec settings should be consistent with the Router in the headquarters. The Remote Gateway of the remote Router should be set to the IP address of the Router in the headquarters.
After the IPsec VPN tunnel of the two peers is established successfully, you can view the connection information on the VPN > IPsec > IPsec SA page.
[Figure 4-8 List of IPsec SA]
4.3.2.2 PPTP VPN Setting
- IP Address Pool: Choose the menu VPN > L2TP/PPTP > IP Address Pool to load the following page. Enter the Pool Name and the IP Address Range as the following figure shown. Click the <Add> button to apply.
[Screenshot: IP Address Pool page]
- L2TP/PPTP Tunnel: Choose the menu VPN > L2TP/PPTP > L2TP/PPTP Tunnel to load the following page. Check the box of Enable
59. Gratuitous ARP packets, thus the wrong ARP information of the device will be replaced. You can set the packets sending rate in the Interval field. With the box before Enable ARP Logs checked, the Router will send ARP logs to the specified server. The IP address of server is the Server IP set on 3.8.7 Logs.
IP-MAC Binding
- IP Address: Enter the IP Address to be bound.
- MAC Address: Enter the MAC Address corresponding to the IP Address.
- Description: Give a description for the entry.
- Status: Activate or inactivate the entry.
List of Rules
You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-50 indicates: The IP address of 192.168.1.101 and MAC address of 00-19-66-83-53-CF have been bound and this entry is activated.
Note: If all the entries in the binding list are disabled and the "Permit the packets of IP-MAC Binding entries only" option is selected and saved, you will not be able to log in to the Web management page of the Router. In that case, you should restore the Router to factory default and log in again.
3.5.1.2 ARP Scanning
ARP Scanning feature enables the Router to scan the IP address and corresponding MAC address and display them on the List of Scanning Result. Choose the menu Firewall > Anti ARP Spoofing > ARP Scanning to load the following page.
[Screenshot: ARP Scanning page with the Scanning IP Range and the Scanning Result list]
60. [Screenshot: WPA/WPA2 security settings, ending with the Group Key Update Period field (the min value is 30, 0 means no update)]
- Auth Type: You can choose the Auth type of the WPA/WPA2 security on the drop-down list. The default setting is Automatic, which can select WPA (Wi-Fi Protected Access) or WPA2 (WPA version 2) automatically based on the wireless station's capability and request.
- Encryption: Select the Encryption type, including Automatic, TKIP, AES. The default setting is Automatic, which can select TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) automatically based on the wireless station's capability and request.
  - TKIP: TKIP is a security protocol used in the IEEE 802.11 wireless networking standard.
  - AES: AES is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology.
- Radius Server IP: Enter the IP address of the Radius server.
- Radius Port: Enter the port number of the Radius server.
- Radius Password: Enter the password for the Radius server.
- Group Key Update Period: Specify the group key update interval in seconds. The value should be 30 or above. Enter 0 to disable the update.
3) WEP
It is based on the IEEE 802.11 standard.
[Screenshot: WEP security settings (Auth Type, Key Format, Key Selected, Key 1 to Key 4, WEP Key, Key Type)]
- Auth Type: You can choose the Auth type of the WPA/WPA2 security on the
61. Host Name: Optional. This field allows you to give a name for the Router. It's blank by default.
MTU: MTU (Maximum Transmission Unit) is the maximum data unit transmitted by the physical network. It can be set in the range of 576-1500. The default MTU is 1500. It is recommended to keep the default value if no other MTU value is provided by your ISP.
Get IP Address by Unicast: The broadcast requirement may not be supported by a few ISPs. Select this option if you can not get the IP address from your ISP even if with a normal network connection. This option is not required generally.
Use the following DNS Server: Select this option to enter the DNS (Domain Name Server) address manually.
Primary DNS: Enter the IP address of your ISP's Primary DNS (Domain Name Server). If you are not clear, please consult your ISP.
Secondary DNS: Optional. If a Secondary DNS Server address is available, enter it.
Upstream Bandwidth: Specify the bandwidth for transmitting packets on the port.
Downstream Bandwidth: Specify the bandwidth for receiving packets on the port.
Dynamic IP Status
Status: Displays the status of obtaining an IP address from your ISP.
- Disabled indicates that the Dynamic IP connection type is not applied.
- Connecting indicates that the Router is obtaining the IP parameters from your ISP.
- Connected indicates that the Rou
62. [Screenshot: WPA-PSK/WPA2-PSK security settings (Password, Group Key Update Period)]
- Auth Type: Choose the Auth type of the WPA-PSK/WPA2-PSK security on the drop-down list. The default setting is Automatic, which can select WPA-PSK (Pre-shared key of WPA) or WPA2-PSK (Pre-shared key of WPA2) automatically based on the wireless station's capability and request.
- Encryption: Select the Encryption type, including Automatic, TKIP, AES. The default setting is Automatic, which can select TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) automatically based on the wireless station's capability and request.
  - TKIP: TKIP is a security protocol used in the IEEE 802.11 wireless networking standard.
  - AES: AES is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology.
- Password: Enter ASCII characters between 8 and 63 characters or 8 to 64 Hexadecimal characters. The default password is the same with the default PIN code, which is labeled on the bottom of the Router.
- Group Key Update Period: Specify the group key update interval in seconds. The value should be 30 or above. Enter 0 to disable the update.
2) WPA/WPA2
It's based on Radius Server.
[Screenshot: WPA/WPA2 security settings (Radius Server IP, Radius Port, Radius Password)]
63. IKE negotiation. Options include:
- MD5: MD5 (Message Digest Algorithm) takes a message of arbitrary length and generates a 128-bit message digest.
- SHA1: SHA1 (Secure Hash Algorithm) takes a message less than 2^64 (the 64th power of 2) in bits and generates a 160-bit message digest.
Encryption: Specify the encryption algorithm for IKE negotiation. Options include:
- DES: DES (Data Encryption Standard) encrypts a 64-bit block of plain text with a 56-bit key.
- 3DES: Triple DES, encrypts a plain text with 168-bit key.
- AES128: Uses the AES algorithm and 128-bit key for encryption.
- AES192: Uses the AES algorithm and 192-bit key for encryption.
- AES256: Uses the AES algorithm and 256-bit key for encryption.
DH Group: Select the DH (Diffie-Hellman) group to be used in key negotiation phase 1. The DH Group sets the strength of the algorithm in bits. Options include DH1, DH2 and DH5.
- DH1: 768 bits
- DH2: 1024 bits
- DH5: 1536 bits
List of IKE Proposal
In this table, you can view the information of IKE Proposals and edit them by the action buttons.
3.6.2 IPsec
IPsec (IP Security) is a set of services and protocols defined by IETF (Internet Engineering Task Force) to provide high security for IP packets and prevent attacks. To ensure a secured communication, the two IPsec peers use IPsec protocol to negotiate the data encryption algorithm and the security protocols for checking the integrity of the transmission
64. Interval is the same as Beacon Interval. The modification of the Wireless Advanced will take effect only after the router is rebooted.
3.2.2 MAC Filtering
On this page, you can control the wireless access by configuring the MAC Filtering. Choose the menu User Wireless > MAC Filtering to load the following page.
[Figure 3-28 MAC Filtering: screenshot with General (SSID, Enable Wireless MAC Address Filtering, allow or deny the MAC addresses in the rule list to access the local wireless network), Filtering Rules and Rule List]
General
MAC Address Filtering rules can be configured for each SSID. You can select an SSID in the SSID drop-down list. To create a new SSID, please refer to 3.2.1.2 Multi-SSID. To control which hosts can access the wireless network, it is recommended to select Enable Wireless MAC Address Filtering and select one filtering rule according to need. Click <Save> button to apply the setting.
Filtering Rules
- MAC Address: Enter the MAC Address of the host to be filtered.
- Description: Enter a description for the entry. Up to 28 characters can be entered.
Rule List
In this table, you can view the information of the Filtering Rules and edit them by the Action buttons.
3.2.3 Host Status
65. [Figure 3-35 Multi-Nets NAT: screenshot of the Multi-Nets NAT form and the List of Rules]
The following items are displayed on this screen:
Multi-Nets NAT
- Subnet/Mask: Enter the subnet/mask to make the address range for the entry.
- Description: Give a description for the entry.
- Status: Activate or inactivate the entry.
List of Rules
You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-35 indicates that: This is a Multi-Nets NAT entry named tplink1. The subnet under the LAN port of the Router is 192.168.2.0/24 and this entry is activated. After the corresponding Static Route entry is set, the hosts within this subnet can access the Internet through the Router via NAT.
Note:
- Multi-Nets NAT entry takes effect only when cooperating with the corresponding Static Route entries.
- For detailed setting of subnet mask, please refer to the Appendix B FAQ.
Application Example
Network Requirements
The LAN subnet of TL-ER604W is 192.168.0.0/24, the subnet of VLAN2 under a three-layer switch is 192.168.2.0/24, while the subnet of VLAN3 is 192.168.3.0/24. The IP of VLAN for cascading the switch to the Router is 192.168.0.2. Now the hosts within VLAN2 and VLAN3 desire to access the Internet. The network topology is shown as the following:
[Network topology diagram]
66. N (Local Area Network) security of the network, since the address of LAN host never appears on the Internet.
3.4.1.1 NAT Setup
On this page, you can set up the NAT function. Choose the menu Advanced > NAT > NAT Setup to load the following page.
[Figure 3-33 NAT Setup]
The following items are displayed on this screen:
NAPT
- Source Port Range: Enter the source port range between 2049 and 65000, the span of which must be not less than 100.
NAT-DMZ
- NAT-DMZ: Enable or disable NAT-DMZ. NAT-DMZ is a special service of NAT application, which can be considered as a default forwarding rule. When NAT-DMZ (Pseudo DMZ) is enabled, all the data initiated by external network falling short of the current connections or forwarding rules will be forwarded to the preset NAT-DMZ host.
- Host IP Address: Enter the IP address of the host specified as NAT-DMZ server.
3.4.1.2 One to One NAT
On this page, you can configure the One to One NAT. Choose the menu Advanced > NAT > One to One NAT to load the following page.
[Screenshot: One to One NAT page with the mapping form and the List of Rules]
Figure 3
67. On this page, you can configure the User View or Group View. Choose the menu User Group > View to load the following page.
[Figure 3-32 View Configuration]
The following items are displayed on this screen:
View Config
- View: Select the desired view for configuration.
- User Name: Select the name of the desired User.
- Available Group: Displays the Groups that the User can join.
- Selected Group: Displays the Groups to which this User belongs.
- Group Name: Select the name of the desired Group.
- Group Structure: Click this button to view the tree structure of this group. All the members of this group will be displayed, including Users and sub-Groups. The Group Names are displayed in bold.
- Available Member: Displays the Users and the Groups which can be added into this group.
- Selected Member: Displays the members of this group, including Users and Groups.
3.4 Advanced
3.4.1 NAT
NAT (Network Address Translation) is the translation between private IP and public IP, which allows private network users to visit the public network using private IP addresses. With the explosion of the Internet, the number of available IP addresses is not enough. NAT provides a way to allow multiple private hosts to access the public network with one public IP at the same time, which alleviates the shortage of IP addresses. Furthermore, NAT strengthens the LA
68. [Figure 3-22 Port Status]
3.1.6.6 Port VLAN
A VLAN (Virtual Local Area Network) is a network topology configured according to a logical scheme rather than the physical layout, which allows you to divide the physical LAN into multiple logical LANs so as to control the communication among the ports. The VLAN function can prevent the broadcast storm in LANs and enhance the network security. By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs, each of which has a broadcast domain of its own. Hosts in the same VLAN communicate with one another as if they are in a LAN. However, hosts in different VLANs cannot communicate with one another directly. Therefore, broadcast packets are limited in a VLAN.
TL-ER604W provides the Port VLAN function, which allows you to create multiple logical VLANs for the LAN ports based on their port numbers. Choose the menu Network > Switch > Port VLAN to load the following page.
[Figure 3-23 Port VLAN]
The following items are displayed on this screen:
Port VLAN
- Network: Displays the current logical network of the physical port.
- VLAN: Select the desired VLAN for the port.
Tips: The Port VLAN can only be created among the LAN ports.
3.2 Wireless
3.2.1 Wireless Setting
3.2.1.1 Wireless Setting
On this page you can configure the basi
69. activated.
Note: It's recommended that users bind the IP address and the MAC address in 3.5.1.1 IP-MAC Binding, then import the entries from the IP-MAC binding table to the List of Reserved Address in bulk by clicking the <Import> button in Figure 3-16 DHCP Reservation.
3.1.5 MAC Address
The MAC (Media Access Control) address, as the unique identifier of the router in the network, does not usually need to be changed.
Set the MAC Address for LAN port: In a complex network topology with all the ARP-bound devices, if you want to use TL-ER604W instead of the current router in a network node, you can just set the MAC address of TL-ER604W's LAN port the same as the MAC address of the previous router, which saves all the devices under this network node from updating their ARP binding tables.
Set the MAC Address for WAN port: In the condition that your ISP has bound the account and the MAC address of the dial-up device, if you want to change the dial-up device to be TL-ER604W, you can just set the MAC address of TL-ER604W's WAN port the same as the MAC address of the previous dial-up device for a normal Internet connection.
Choose the menu Network > MAC Address > MAC Address to load the following page.
[Screenshot: MAC Address page listing Port, Current MAC Address and MAC Clone buttons for WAN1, WAN2 and LAN]
Figure 3-17 M
70. ade to load the following page.
[Figure 3-87 Firmware Upgrade]
To upgrade the Router is to get more functions and better performance. Go to http://www.tp-link.com to download the updated firmware. Type the path and file name of the update file into the File field. Or click the <Browse> button to locate the update file. Then click the <Upgrade> button to complete.
Note:
- After upgrading, the device will reboot automatically.
- To avoid damage, please don't turn off the device while upgrading.
- You are suggested to backup the configuration before upgrading.
3.8.3 License
Choose the menu Maintenance > License to load the following page. On this page you can view the licensed features for the device.
[Figure 3-88 License: screenshot of the license information and the licensed features]
3.8.4 Statistics
3.8.4.1 Interface Traffic Statistics
Interface Traffic Statistics screen displa
71. affic Statistics to load the following page.
[Figure 3-90 IP Traffic Statistics: screenshot of the General settings, the Traffic Statistics direction and the per-IP statistics table]
The following items are displayed on this screen:
General
- Enable IP Traffic Statistics: Allows you to enable or disable IP Traffic Statistics.
- Enable Auto-refresh: Allows you to enable/disable refreshing the IP Traffic Statistics automatically. The default refresh interval is 10 seconds.
Traffic Statistics
- Direction: Select the direction in the drop-down list to get the Flow Statistics of the specified direction.
IP Traffic Statistics
This table displays the detailed traffic information of corresponding PCs.
- Sorted by: Select the rule for displaying the traffic information.
3.8.5 Diagnostics
3.8.5.1 Diagnostics
This Router provides Ping test and Tracert test functions for network diagnose. Choose the menu Maintenance > Diagnostics > Diagnostics to load
72. and PPTP
- Mode: Specify the working mode for this Router. Options include:
  - Client: In this mode, the device sends a request to the remote L2TP/PPTP server initiatively for establishing a tunnel.
  - Server: In this mode, the Router responds to the request from the remote client for establishing a tunnel.
- Account Name: Enter the account name of L2TP/PPTP tunnel. It should be configured identically on server and client.
- Password: Enter the password of L2TP/PPTP tunnel. It should be configured identically on server and client.
- Tunnel: Select the network mode for the tunnel. Options include:
  - LAN-to-LAN: Select this option when the L2TP/PPTP client is a LAN. The tunneling request is always initiated by a router.
  - Client-to-LAN: Select this option when the L2TP/PPTP client is a single PC.
- Max Connections: Specify the maximum connections that the tunnel can support. This item is available for Client-to-LAN tunnel type on Server mode.
- WAN: Specify the WAN port to transmit the packets. This item is available for Client mode.
- L2TP/PPTP Server: Enter the IP address of L2TP/PPTP server. It's always the WAN IP address of the remote peer of L2TP/PPTP tunnel. This item is available for Client mode.
- Encryption: Specify whether to enable the encryption for the tunnel. If enabled, the L2TP tunnel will be encrypted by IPsec and the PPTP tunnel will
73. and then click the <Upgrade> button to upgrade the database.
3.6 VPN
VPN (Virtual Private Network) is a private network established via the public network, generally via the Internet. However, the private network is a logical network without any physical network lines, so it is called Virtual Private Network.
With the wide application of the Internet, more and more data are needed to be shared through the Internet. Connecting the local network to the Internet directly, though can allow the data exchange, will cause the private data to be exposed to all the users on the Internet. The VPN (Virtual Private Network) technology is developed and used to establish the private network through the public network, which can guarantee a secured data exchange.
VPN adopts the tunneling technology to establish a private connection between two endpoints. It is a connection secured by encrypting the data and using point-to-point authentication. The following diagram is a typical VPN topology.
[Figure 3-61 VPN Network Topology]
As the packets are encapsulated and de-encapsulated in the Router, the tunneling topology implemented by encapsulating packets is transparent to users. The tunneling protocols supported by TL-ER604W contain Layer 3 IPsec and Layer 2 L2TP/PPTP.
3.6.1 IKE
In the IPsec VPN, to ensure a secure communication, the two peers should encapsulate and de
74. Appendix B FAQ. Appendix C Glossary. Package Contents. The following items should be found in your package: one TL-ER604W Router; one Power Adapter; one RJ45 Ethernet Cable; Quick Installation Guide; Resource CD. Note: Make sure that the package contains the above items. If any of the listed items is damaged or missing, please contact your distributor. Chapter 1 About this Guide. This User Guide contains information for setup and management of the TL-ER604W Router. Please read this guide carefully before operation. 1.1 Intended Readers. This Guide is intended for network engineers and network administrators. 1.2 Conventions. In this Guide the following conventions are used: The Router or TL-ER604W mentioned in this Guide stands for the TL-ER604W SafeStream Wireless N Gigabit Broadband VPN Router without any explanation. Menu Name > Submenu Name > Tab page indicates the menu structure. Advanced > NAT > Basic NAT means the Basic NAT page under the NAT menu option that is located under the Advanced menu. Bold font indicates a toolbar icon, menu or menu item. <Font> indicates a button. Symbols in this Guide. Note: Ignoring this type of note might result in a malfunction or damage to the device. Tips: This format indicates important information that helps you make better use of
75. ase consult your ISP. Password: Enter the Password provided by your ISP. Server IP: Enter the Server IP provided by your ISP. Fields: MTU, Active Mode, Secondary Connection, Connection Type, IP Address, Subnet Mask, Default Gateway, Primary DNS, Secondary DNS, Upstream Bandwidth, Downstream Bandwidth. MTU: MTU (Maximum Transmission Unit) is the maximum data unit transmitted by the physical network. It can be set in the range of 576-1460. The default MTU is 1460. It is recommended to keep the default value if no other MTU value is provided by your ISP. Active Mode: You can select the proper Active mode according to your need. Manual: select this option to manually activate or terminate the Internet connection with the <Connect> or <Disconnect> button. It is best suited to a dial-up connection charged by time. Always on: select this option to keep the connection always on. The connection can be re-established automatically when it is down. Secondary Connection: Here you can configure the secondary connection. Dynamic IP and Static IP connection types are provided. Connection Type: Select the secondary connection type. Options include Disable, Dynamic IP and Static IP. IP Address: If Static IP is selected, configure the IP address of the WAN port. If Dynamic IP is selected, the IP address obtained for the WAN port is displayed. Subnet Mask: If Static IP is selected, configure the subnet mask of the WAN port. If Dynamic IP is selected, the subnet mask of WAN port obtained is di
76. ayed on this screen: > General: To control access to the Internet for hosts in your private network, it is recommended to check the box before Enable MAC Filtering and select a filtering mode according to the actual situation. > MAC Filtering: MAC Address: Enter the MAC Address to be filtered. Description: Give a description for the entry. > List of Rules: You can view the information of the entries and edit them by the Action buttons. 3.5.4 Access Control. 3.5.4.1 URL Filtering. URL (Uniform Resource Locator) specifies where an identified resource is available and the mechanism for retrieving it. URL Filter filters Internet URL addresses, providing a convenient way to control access to the Internet from LAN hosts. Choose the menu Firewall > Access Control > URL Filtering to load the following page. [Figure 3-55: URL Filtering. Panels: General (Enable URL Filtering; Permit URL listed below and deny the rest; Deny URL listed below and permit the rest), URL Filtering Rule (Object, Mode: Keywords or URL Path, Description), List of Rules] The following items are displayed on this screen: > General: To control access to the Internet for hosts in your private network, you are recommended to check the box before Enable URL Filtering and select a filterin
77. be selected if 11n only mode is selected. The router will not work in 11n mode if bgn mixed mode and TKIP encryption are both selected. TKIP is an encryption option of the WPA-PSK/WPA2-PSK and WPA/WPA2 Auth types. 3.2.1.2 Multi-SSID. On this page you can configure the Multi-SSID. Choose the menu Wireless > Wireless Setting > Multi-SSID to load the following page. [Figure 3-25: Multi-SSID. Panels: General (Multi-SSID, SSID Insulation), Multi-SSID Config (SSID, Description, Security, Auth Type, Encryption, PSK Password, Group Key Update Period, SSID Broadcast, Guest Network, AP Isolation, Enable/Disable this SSID), Multi-SSID List. PSK Password: ASCII characters between 8 and 63 or hexadecimal characters between 8 and 64. Group Key Update Period: in seconds, the minimum value is 30, 0 means no update.] The following items are displayed on this screen: > General: Multi-SSID: Enable or disable the Multi-SSID. You can establish multiple wireless networks if Multi-SSID is enabled. SSID Insulation: Enable or disable the SSID Insulation. If enabled, the hosts accessing different SSIDs cannot communicate with each other. > Multi-SSID Config
78. buttons. The first entry in Figure 3-40 indicates: The users within group group1 share the bandwidth, and the Downstream/Upstream Guaranteed Bandwidth is 5000kbps while the Downstream/Upstream Limited Bandwidth is 10000kbps. This entry takes effect from 8 a.m. to 10 p.m. from Monday to Friday. Note: A single rule takes effect only if the bandwidth of the interface for this rule is sufficient and not used up. It is impossible to satisfy all the guaranteed bandwidth if the total guaranteed bandwidth specified by all Bandwidth Control rules for a certain interface exceeds the physical bandwidth of this interface. 3.4.3 Session Limit. The number of TCP and UDP sessions supported by the Router is finite. If some local hosts open too many TCP and UDP sessions to the public network, the communication quality of the other local hosts will be affected, so it is necessary to limit the sessions of those hosts. 3.4.3.1 Session Limit. On this page you can configure the session limit for specified PCs. Choose the menu Advanced > Session Limit > Session Limit to load the following page. [Figure 3-41: Session Limit. Panels: General (Enable Session Limit), Session Limit (Group, Max Sessions 30-1000, Description, Status), List of Session Limit] The fo
79. c parameters of the wireless network. Choose the menu Wireless > Wireless Setting > Wireless Setting to load the following page. [Figure 3-24: Wireless Setting. Panels: Wireless Setting (Wireless, Region, Channel, Mode, Channel Width), Wireless Parameter (SSID, Description, SSID Broadcast, AP Isolation, Security, Auth Type, Encryption, Password, Group Key Update Period). Password: ASCII characters between 8 and 63 or hexadecimal characters between 8 and 64. Group Key Update Period: in seconds, the minimum value is 30, 0 means no update.] The following items are displayed on this screen: > Wireless Setting: Wireless: Enable or disable the Wireless function. Fields: Region, Channel, Mode, Channel Width. Region: Select your region from the drop-down list. This field specifies the region where the wireless function of the Router can be used. It may be illegal to use the wireless function of the Router in a region other than one of those specified in this field. If your country or region is not listed, please contact your local government agency for assistance. Channel: This field determines which operating frequency will be used. The default
80. ckets sent by port 1, port 2, port 3 and port 5 (mirrored ports) will be copied to port 4 (mirroring port). Application Example: To monitor all the traffic and analyze network abnormalities in an enterprise's network, set the Port Mirror function as below. [Screenshot: Port Mirror settings. General: Enable Port Mirror, Mode Ingress & Egress. Port Mirror: Mirroring Port, Mirrored Port] 1. Check the box before Enable Port Mirror to enable the Port Mirror function and select the Ingress & Egress mode. 2. Select Port 3 to be the Mirroring Port to monitor all the packets of the other ports. 3. Select all the other ports to be the Mirrored Ports. 4. Click the <Save> button to apply. 3.1.6.3 Rate Control. On this page you can control the traffic rate for specific packets on each port so as to manage your network flow. Choose the menu Network > Switch > Rate Control to load the following page. [Figure 3-20: Rate Control. Columns: Port, Ingress Limit, Ingress Rate (Mbps), Egress Limit, Egress Rate (Mbps)] The following items are displayed on this screen: > Rate Control: Fields: Port, Ingress Limit, Ingress Rate, Egress Limit, Egress Rate. Port: Displays the port number. Ingress Limit: Specify whether to enable the Ingress Limit feature. Ingress Rate: Specify the limit rate for the ingress pac
81. ct a MAC Binding type from the pull-down list. Options include: Disable: select this option to disable the MAC Binding function. Manual: select this option to bind the account to a MAC address manually. The account can log on to the server only from the Host with this MAC address. Automatical: select this option to bind the account automatically to the MAC address of its first login. The account can log on to the server only from the Host with this MAC address. It is available when Manually is selected. Enter the MAC address of the Host to bind with the account. Enter a time after which the connection will be dropped. To keep the connection always on, enter 0 in the Session Timeout field. The default is 48. If Enable Advanced Account Features is not selected, the Session Timeout value is 0 by default. In this table you can view the information of accounts and edit them by the Action buttons. 3.1.4 Exceptional IP. When the Dial-up Access Only function is enabled, only the Dial-in Users and users with an Exceptional IP can access the Internet. On this page you can specify the Exceptional IP. Choose the menu Services > PPPoE Server > Exceptional IP to load the following page. [Screenshot: Exceptional IP. Fields: IP Address Range, Description, Status. List of Exceptional IP: entry 1, 192.168.0.200-192.168.0.210, Active]
82. [Figure 3-80: UPnP] The following items are displayed on this screen: > General: UPnP Function: Enable or disable the UPnP function globally. > List of UPnP Mapping: After UPnP is enabled, all UPnP connection rules will be displayed in the list of UPnP Mapping. Up to 64 UPnP service connections are supported in TL-ER604W. The No. 1 entry in Figure 3-80 indicates: TCP data received on port 12856 of the WAN port in the Router will be forwarded to port 12856 of the 192.168.0.101 server in the LAN. Note: When using the UPnP function, make sure UPnP is enabled for the Router and that the operating system and applications in the host support the UPnP service. As some Trojans and viruses can open a specific port using the UPnP service, resulting in hacker attacks on the host, be careful when using the UPnP service. 3.8 Maintenance. 3.8.1 Admin Setup. 3.8.1.1 Administrator. On this page you can modify the factory default user name and password of the Router. Choose the menu Maintenance > Admin Setup > Administrator to load the following page. [Figure 3-81: Administrator. Fields: Current User Name, Current Password, New User Name, New Password, Confirm New Password] The following items are displayed on this screen: > Administrator: Current User Name: Enter the current user name of the Router. Current Password: Enter the current password of the Router
83. d with your DDNS service provider. Activate or inactivate DDNS service here. WAN Port: Displays the WAN port for which Dyndns DDNS is selected. DDNS Status: Displays the current status of DDNS service. Offline: DDNS service is disabled. Connecting: client is connecting to the server. Online: DDNS works normally. Authorization fails: The Account Name or Password is incorrect. Please check and enter it again. > List of DynDNS Account: In this table you can view the existing DDNS entries or edit them by the Action button. 3.7.3.2 No-IP. On this page you can configure the No-IP DDNS client. Choose the menu Services > Dynamic DNS > No-IP to load the following page. [Figure 3-77: No-IP DDNS. Panels: No-IP DDNS (Account Name, Password, Domain Name, DDNS Service, WAN Port, DDNS Status), List of No-IP Account] The following items are displayed on this screen: > No-IP DDNS: Account Name: Enter the Account Name of your DDNS account. If you have not registered, click <Go to register> to go to the website of No-IP to register. Password: Enter the password of your DDNS account. Domain Name: Enter the Domain Name that you registered with your DDNS service provider. DDNS Service
84. [Figure 3-62: IKE Policy] The following items are displayed on this screen: > IKE Policy: Policy Name: Specify a unique name for the IKE policy for identification and management purposes. The IKE policy can be applied to an IPsec policy. Exchange Mode: Select the IKE Exchange Mode in phase 1 and ensure the remote VPN peer uses the same mode. Main: Main mode provides identity protection and exchanges more information, which applies to scenarios with a higher requirement for identity protection. Aggressive: Aggressive mode establishes a faster connection but with lower security, which applies to scenarios with a lower requirement for identity protection. Local ID Type: Select the local ID type for IKE negotiation. IP Address uses an IP address as the ID in IKE negotiation. FQDN uses a name as the ID. Local ID: The local WAN IP will be filled in automatically if the IP Address type is selected. If the Name type is selected, enter a name for the local device as the ID in IKE negotiation. Remote ID Type: Select the remote ID type for IKE negotiation. IP Address uses an IP address as the ID in IKE negotiation. FQDN uses a name as the ID. Remote ID: The remote gateway IP will be filled in automatically if IP Address type
85. [Figure 4-18: ARP List] 2. Set IP-MAC Binding Entry Manually. Configure the IP-MAC Binding entry manually and add it to the ARP List. Choose the menu Firewall > Anti ARP Spoofing > IP-MAC Binding to load the configuration page. To add the host with IP address of 192.168.1.20 and MAC address of 00-11-22-33-44-aa to the list, you can follow the settings below. Settings: IP Address: 192.168.0.20. MAC Address: 00-11-22-33-44-aa. Status: Activate. Click the <Add> button to apply. The other entries can be added in the same way. 3. Set Attack Defense. Choose the menu Firewall > Anti ARP Spoofing > IP-MAC Binding to load the configuration page. Select all the items for General and set the GARP packets sending interval to 1ms, as the following figure shows. Then click the <Save> button to apply. [Figure 4-19: IP-MAC Binding. General options: Enable ARP Spoofing Defense; Permit the packets matching the IP-MAC Binding entries only; Send GARP packets when ARP attack is detected (Interval, ms); Enable ARP logs] 4.3.4.2 WAN ARP Defense. To prevent the WAN ARP attack, you can bind the default gateway and IP address of the WAN port. Obtain the MAC address of the WAN port by ARP Scanning first. Choose the menu Firewall > Anti ARP Spoofing > ARP Scanning to load the configuration page. Enter the d
86. drop-down list. The default setting is Automatic, which can select WPA (Wi-Fi Protected Access) or WPA2 (WPA version 2) automatically based on the wireless station's capability and request. Fields: Key Format, Key Selected, WEP Key, Key Type. Key Format: Hexadecimal and ASCII formats are provided. Hexadecimal format stands for any combination of hexadecimal digits (0-9, a-f, A-F) in the specified length. ASCII format stands for any combination of keyboard characters in the specified length. Key Selected: You can select the key based on need. WEP Key: Select which of the four keys will be used and enter the matching WEP key that you create. Make sure these values are identical on all wireless stations in your network. Key Type: You can select the WEP key length (64-bit, 128-bit or 152-bit) for encryption. Disabled means this WEP key entry is invalid. 64-bit: You can enter 10 hexadecimal digits (any combination of 0-9, a-f, A-F; zero key is not promoted) or 5 ASCII characters. 128-bit: You can enter 26 hexadecimal digits (any combination of 0-9, a-f, A-F; zero key is not promoted) or 13 ASCII characters. 152-bit: You can enter 32 hexadecimal digits (any combination of 0-9, a-f, A-F; zero key is not promoted) or 16 ASCII characters. Tips: The modification of the Wireless Setting will take effect only after the router is rebooted. The WEP Auth type is not supported by 802.11n mode. TKIP is not supported by 802.11n mode. The TKIP cannot
87. e Select the PFS (Perfect Forward Security) for IKE mode to enhance security. This setting should match the remote peer. With the PFS feature, IKE negotiates to create a new key in Phase2. As it is independent of the key created in Phase1, this key can be secure even when the key in Phase1 is decrypted. Without PFS, the key in Phase2 is created based on the key in Phase1, and thus once the key in Phase1 is decrypted, the key in Phase2 is easy to decrypt; in this case the communication secrecy is threatened. Specify the IPsec SA Lifetime for IKE mode. Status: Activate or inactivate the entry. Manual Mode. Fields: IPsec Proposal, Incoming SPI, AH Authentication Key-In, ESP Authentication Key-In, ESP Encryption Key-In, Outgoing SPI, AH Authentication Key-Out, ESP Authentication Key-Out. IPsec Proposal: Select the IPsec Proposal. Only one proposal can be selected in Manual mode. You need to create the IPsec Proposal first. Incoming SPI: Specify the Incoming SPI (Security Parameter Index) manually. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa. AH Authentication Key-In: Specify the inbound AH Authentication Key manually if the AH protocol is used in the corresponding IPsec Proposal. The inbound key here must match the outbound AH authentication key at the other end of the tunnel, and vice versa. ESP Authentication Key-In: Specify the inbound ESP Authentication Key manually if ESP protocol is used in the corresponding IPsec
88. [Figure 3-44: Policy Routing] The following items are displayed on this screen: > General: Protocol: Select the protocol for the entry in the drop-down list. If the protocol you want to set is not in the list, you can add it to the list on the 3.4.4.4 Protocol page. Source IP: Enter the source IP range for the entry. 0.0.0.0 - 0.0.0.0 means any IP is acceptable. Destination IP: Enter the destination IP range for the entry. 0.0.0.0 - 0.0.0.0 means any IP is acceptable. Source Port: Enter the source port range for the entry, which is effective only when the protocol is TCP, UDP or TCP/UDP. The default value is 1-65535, which means any port is acceptable. Destination Port: Enter the destination port range for the entry, which is effective only when the protocol is TCP, UDP or TCP/UDP. The default value is 1-65535, which means any port is acceptable. WAN: Select the WAN port for transmitting packets. Effective Time: Specify the time for the entry to take effect. Status: Activate or inactivate the entry. > List of Rules: You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-44 indica
89. ease the Reset button. When the M1 and M2 LEDs flash simultaneously for about one second, the Router is restored successfully. The default management address of the Router is http://192.168.0.1, and the default username and password are both admin. Q3: What can I do if the Router with the remote management function enabled cannot be accessed by the remote computer? 1. Make sure that the IP address of the remote computer is in the subnet allowed to remotely access the router. 2. If the router's management port has been modified, please log into the Router with the new address, such as http://192.168.0.1:XX (XX is the new management port number). 3. Check whether the management port has been mapped to the service port of a LAN host in the Virtual Server function. If so, you should change the router's management port or the virtual server's service port. 4. Make sure that the NAT DMZ service is disabled. Q4: Some functions of the Router need to define the IP address subnet with a Subnet Mask. What are the common values of the Subnet Mask? The Subnet Mask is a 32-bit binary address used for distinguishing the network address and the host address. When dividing the network, different Subnet Masks define different subnets, and the number of hosts in each subnet is different. After conversion from a 32-bit binary address to a decimal address, the common Subnet Mask values can be 8, which represents the default Subnet Mas
90. econdary DNS server address. The default is 0.0.0.0. Specify the maximum number of sessions for the PPPoE server. The default is 256. Specify the maximum number of Echo Requests sent by the server to wait for response. The default is 10. The link will be dropped when the number of unacknowledged LCP echo requests reaches your specified Max Echo Requests. Enter the maximum idle time. The session will be terminated after it has been inactive for this specified period. It can be 0-10080 minutes. If you want your Internet connection to remain on at all times, enter 0 in the Idle Timeout field. The default value is 30. Authentication: Select the Authentication type. It can be Local authentication or Remote authentication. Select Local authentication for authentication in the PPPoE server, and select Remote authentication for authentication in the remote server. Auth Protocol: Select at least one authentication protocol for Local Authentication. PAP, which transfers the username and password in plain text over the network, is used in a less secured network. CHAP is more secure because it adopts a three-way handshake and does not transfer the password in plain text. MS-CHAP, put forward by Microsoft, adopts a different encryption algorithm from CHAP. MS-CHAP v2, with higher security, is an improved version of MS-CHAP. Radius Server: It is available when Remote Authentication is selected. RADIUS (Remote Authentication Dial In User Service)
91. ed by the Router via IP address. Choose the menu Advanced > NAT > Virtual Server to load the following page. [Figure 3-36: Virtual Server. Panels: Virtual Server (Name, Interface, External Port, Internal Port, Protocol, Internal Server IP, Status), List of Rules] The following items are displayed on this screen: > Virtual Server: Name: Enter a name for Virtual Server entries. Up to 28 characters can be entered. Interface: Select an interface for forwarding data packets. External Port: Enter the service port or port range the Router provides for access from the external network. All the requests from the Internet to this service port or port range will be redirected to the specified server in the local network. Internal Port: Specify the service port of the LAN host as virtual server. Protocol: Specify the protocol used for the entry. Internal Server IP: Enter the IP address of the specified internal server for the entry. All the requests from the Internet to the specified LAN port will be redirected to this host. Status: Activate or inactivate the entry. Note: The External Port and Internal Port should be set in the range of 1-65535. The external ports of different entries should be different, whereas the in
92. ed to implement online behavior management and to specify the network bandwidth limit for each staff member. Network Security: This enterprise network should be able to defend against common attacks from the internal or the external network, such as ARP Attack and DoS Attack. Moreover, real-time monitoring of the network traffic is required. 4.2 Network Topology. [Figure: network topology. The Router connects to the Internet through a main line and a backup line, with a monitoring server and a core layer switch feeding access layer switches at the headquarters, and a remote branch office] 4.3 Configurations. You can configure the Router via the PC connected to the LAN port of this Router. To log in to the Router, the IP address of your PC should be in the same subnet as the LAN port of this Router. The default subnet of the LAN port is 192.168.0.0/24. The IP address of your PC can be obtained automatically or configured manually. To access the configuration utility, open a web browser and type the default address http://192.168.0.1 in the address field of the browser, then press the Enter key. In the login window, enter admin for the User Name and Password, both in lower case letters. Then click the <Login> button to log into the Router. Tips: If the LAN IP address is changed, you must use the new IP address to log into the Router. 4.3.1 I
93. efault gateway of the WAN port, such as 58.51.128.254, in the Scanning Range field and click the <Scan> button; the MAC address of the WAN port will display in the Scanning Result table. [Screenshot: ARP Scanning, General: Scanning Range] After obtaining the MAC address of the WAN port from the Scanning Result table, select this entry, then click the <Import> button to finish the binding operation. 4.3.4.3 Attack Defense. Choose the menu Firewall > Attack Defense > Attack Defense to load the configuration page. Select the options to be enabled as Figure 4-20 shows, and then click the <Save> button. [Figure 4-20: Attack Defense. Flood Defense (each with a Threshold in Pkt/s): Multi-connections TCP SYN Flood, Multi-connections UDP Flood, Multi-connections ICMP Flood, Stationary source TCP SYN Flood, Stationary source UDP Flood, Stationary source ICMP Flood. Packet Anomaly Defense: Block Fragment Traffic; Block TCP Scan (Stealth FIN/Xmas/Null); Block Ping of Death; Block Large Ping; Block WinNuke attack; Block Ping from WAN; Block TCP packets with SYN and FIN Bits set; Block TCP packets with FIN Bit set but no ACK Bit set; Block IP options (Security Option, Loose Source Route Option, Strict Source Route Option, Record Route Option, Stream Option, Timestamp Option, No Operation Option). Enable Attack Defense Logs] 4
94. elect the type of Internet connection provided by your ISP (Internet Service Provider). Tips: It is allowed to set the IP addresses of both the WAN ports within the same subnet. However, to guarantee normal communication, make sure that the WAN ports can access the same network, such as the Internet or a local area network. Choose the menu Network > WAN > WAN to load the configuration page. 1. Static IP. If a static IP address has been provided by your ISP, please choose the Static IP connection type to configure the parameters for the WAN port manually. [Figure 3-7: WAN Static IP. Static IP Settings: Connection Type, IP Address, Subnet Mask, Default Gateway (optional), MTU (576-1500), Primary DNS (optional), Secondary DNS (optional), Upstream Bandwidth (Kbps), Downstream Bandwidth (Kbps)] The following items are displayed on this screen: > Static IP: Fields: Connection Type, IP Address, Subnet Mask, Default Gateway, MTU, Primary DNS, Secondary DNS, Upstream Bandwidth. Connection Type: Select Static IP if your ISP has assigned a static IP address for your computer. IP Address: Enter the IP address assigned by your ISP. If you are not clear, please consult your ISP. Subnet Mask: Enter the Subnet Mask assigned by your ISP. Default Gateway: Optional. Enter the Gateway assigned by your ISP. MTU: MTU (Maximum Transmission Unit) is the maximum data unit transmitted by the physical network. It can be set in the range of 576-1500. The default
95. elect this option to keep the connection always on. The connection can be re-established automatically when it is down. MTU (Maximum Transmission Unit) is the maximum data unit transmitted by the physical network. It can be set in the range of 576-1500. The default MTU is 1500. Specify the Upstream/Downstream Bandwidth for the port. To make Load Balance and Bandwidth Control take effect, please set these parameters correctly. Displays the status of the BigPond connection. Disabled indicates that the BigPond connection type is not applied. Connecting indicates that the Router is obtaining the IP parameters from your ISP. Connected indicates that the Router has successfully obtained the IP parameters from your ISP. Disconnected indicates that the connection has been manually terminated or that the request of the Router has no response from your ISP. Please ensure that your settings are correct and your network is connected well. Consult your ISP if this problem remains. Displays the IP address assigned by your ISP. Displays the Subnet Mask assigned by your ISP. Displays the IP address of the default gateway assigned by your ISP. Note: To ensure the BigPond connection is re-established normally, please restart the connection at least 5 seconds after the connection is off. 3.1.4 LAN. 3.1.4.1 LAN. On this page you can configure the parameters for the LAN port of this router
96. encapsulate the packets using information known to both. Therefore the two peers need to negotiate a security key for communication with the IKE (Internet Key Exchange) protocols. IKE is a hybrid protocol based on three underlying security protocols: ISAKMP (Internet Security Association and Key Management Protocol), Oakley Key Determination Protocol, and SKEME Security Key Exchange Protocol. ISAKMP provides a framework for Key Exchange and SA (Security Association) negotiation. Oakley describes a series of key exchange modes. SKEME describes another key exchange mode different from those described by Oakley. IKE consists of two phases. Phase 1 is used to negotiate the parameters (key exchange algorithm and encryption) to establish an ISAKMP SA for securely exchanging more information in Phase 2. During Phase 2, the IKE peers use the ISAKMP SA established in Phase 1 to negotiate the parameters for security protocols in IPsec and create the IPsec SA to secure the transmitted data. 3.6.1.1 IKE Policy. On this page you can configure the related parameters for IKE negotiation. Choose the menu VPN > IKE > IKE Policy to load the following page. [Screenshot: IKE Policy. Fields: Policy Name, Exchange Mode (Main, Aggressive), Local ID Type, Local ID, Remote ID Type, Remote ID, IKE Proposal 1 to 4, Pre-shared Key, SA Lifetime, DPD, DPD Interval. List of IKE Policy]
97. [Figure 3-15: DHCP Client. Columns: No., Host Name, MAC Address, IP Address, Lease Time] You can view the information of the DHCP clients in this table. Click the Refresh button for the updated information. 3.1.4.4 DHCP Reservation. The DHCP Reservation feature allows you to reserve an IP address for the specified MAC address. The client with this MAC address will get the same IP address every time it accesses the DHCP server. Choose the menu Network > LAN > DHCP Reservation to load the following page. [Figure 3-16: DHCP Reservation. Panels: DHCP Reservation (MAC Address, IP Address, Description, Status), List of Reserved Address] The following items are displayed on this screen: > DHCP Reservation: MAC Address: Enter the MAC address of the computer for which you want to reserve the IP address. IP Address: Enter the reserved IP address. Description: Optional. Enter a description for the entry. Up to 28 characters can be entered. Status: Activate or inactivate the corresponding entry. > List of Reserved Address: In this table you can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-16 indicates: The IP address 192.168.0.101 is reserved for the computer with the MAC address 00-19-66-83-53-CF, and this entry is
98. enu Advanced > Traffic Control > Setup to load the following page. [Screenshot: Traffic Control Setup page with General options, Default Limit (Direction, Limited Bandwidth in Kbps for Upstream and Downstream), the Interface Bandwidth table (Interface, Upstream Bandwidth in Kbps, Downstream Bandwidth in Kbps) and a View IP Traffic Statistics button] Figure 3-39 Configuration. The following items are displayed on this screen. > General: Disable Bandwidth Control: Select this option to disable Bandwidth Control. Enable Bandwidth Control all the time: Select this option to enable Bandwidth Control all the time. Enable Bandwidth Control When: With this option selected, the Bandwidth Control will take effect when the bandwidth usage reaches the specified value. > Default Limit: Limited Bandwidth: Default Limit applies only for users that are not constrained by Bandwidth Control Rules. These users share certain bandwidth with upper limit configured here. Value 0 means all the remained bandwidth is available to use. Note: The Upstream/Downstream Bandwidth of WAN port you set must not be more than the bandwidth provided by ISP. > Interface Bandwidth (Interface, Upstream Bandwidth, Downstream Bandwidth): Interface: Displays the current enabled WAN port(s). The Total bandwidth is equal to the sum
99. ere. Displays the WAN port for which PeanutHull DDNS is selected. Displays the DDNS service type, including Professional service and Standard service. Displays the current status of DDNS service. Offline: DDNS service is disabled. Connecting: client is connecting to the server. Online: DDNS works normally. Authorization fails: The Account Name or Password is incorrect. Please check and enter it again. Displays the domain names obtained from the DDNS server. Up to 16 domain names can be displayed here. In this table you can view the existing DDNS entries or edit them by the Action button. 3.7.3.4 Comexe. On this page you can configure Comexe DDNS client. Choose the menu Services > Dynamic DNS > Comexe to load the following page. [Screenshot: Comexe DDNS form with fields Account Name, Password, DDNS Service, WAN Port, DDNS Status, Domain Name, and the List of Comexe Account table] Figure 3-79 Comexe DDNS. The following items are displayed on this screen: > Comexe DDNS (Account Name, Password, DDNS Service, WAN Port, DDNS Status, Domain Name) and > List of Comexe Account. Account Name: Enter the Account Name of your DDNS account. If you have not registered, click <Go to register> to go to the website of Comexe for register. Password: Enter the password of
100. Figure 3-73 Exceptional IP. The following items are displayed on this screen. > Exceptional IP: IP Address Range: Specify the start and the end IP address to make an exceptional IP address range. This range should be in the same IP range with LAN port of the Router. The start IP address should not exceed the end address, and the IP address ranges must not overlap. Description: Give a description to the exceptional IP address range for identification. Status: Activate or inactivate the entry. > List of Account: In this table you can view the information of Exceptional IPs and edit them by the Action buttons. 3.7.1.5 List of Account. On this page you can view the detailed information of all accounts you have established. Choose the menu Services > PPPoE Server > List of Account to load the following page. [Screenshot: List of Account table with columns No., Account Name, Status, IP Address, MAC Address, Online Time, Interface, Description, Action] Figure 3-74 List of Account. Figure 3-74 displays the connection information of PPPoE users. Click to disconnect the account. Click the <Disconnect All> button to disconnect all accounts. 3.7.2 E-Bulletin. With E-Bulletin function, bulletin information can be released to the specified users. On this page you can edit the bulletin content and specify the receiving user group. Choose the menu Services > E-Bulletin to load the
101. f secondary connection. Specify the bandwidth for transmitting packets on the port. Specify the bandwidth for receiving packets on the port. Displays the status of PPPoE connection. • Disabled indicates that the PPPoE connection type is not applied. • Connecting indicates that the Router is obtaining the IP parameters from your ISP. • Connected indicates that the Router has successfully obtained the IP parameters from your ISP. • Disconnected indicates that the connection has been manually terminated or the request of the Router has no response from your ISP. Please ensure that your settings are correct and your network is connected well. Consult your ISP if this problem remains. IP Address: Displays the IP address assigned by your ISP. Gateway Address: Displays the Gateway Address assigned by your ISP. Primary DNS: Displays the IP address of your ISP's Primary DNS. Secondary DNS: Displays the IP address of your ISP's Secondary DNS. 4) L2TP. If your ISP (Internet Service Provider) has provided the account information for the L2TP connection, please choose the L2TP connection type. [Screenshot: L2TP Settings form with fields Connection Type (L2TP, Russian L2TP), L2TP Connection, Account Name, Password, Server IP, MTU, Active Mode (Manual, Always on), and Secondary Connection fields Connection Type, IP Address, Subnet Mask, Default Gateway, Primary DNS, Secondary DNS]
102. following page. [Screenshot: E-Bulletin page with General settings (Enable E-Bulletin, Interval in minutes, Enable Logs), E-Bulletin form (Title, Content, Object with Available Group and Selected Group lists, Effective Time, Publisher, Description, Status) and the List of E-Bulletin table (No., Title, Object, Effective Time, Publisher, Description, Action)] Figure 3-75 E-Bulletin. The following items are displayed on this screen. > General: Enable E-Bulletin: Specify whether to enable electronic bulletin function. Interval: Specify the interval to release the bulletin. Enable Logs: Specify whether to log the E-Bulletin. > E-Bulletin: Title: Enter a title for the bulletin. Content: Enter the content of the bulletin. Object: Select the object of this bulletin. Options include: • ANY: The bulletin will be released to all the users and the PCs on the LAN. • Group: The bulletin will be released to the users in the selected group. You can click the [>>] button to add a group to the selected group and click [<<] to remove a group from the selected group. Group is created on User Group > Group page. Effective Time: Specify the effective time for the bulletin. Only one bulletin can be
103. g protocol. The Hosts in different subnets can communicate with one another via the routing rules, whereas no NAT is employed. Note: In Non-NAT mode, all the NAT forwarding rules will be disabled. • Classic Mode: It's the combined mode of NAT mode and Non-NAT mode. In Classic mode, the Router will first transport the packets which are compliant with NAT forwarding rules and then match the other packets to the static routing rules. The matched packets will be transmitted based on the static routing rules, and the unmatched ones will be dropped. In this way, the Router can implement NAT for the packets without blocking the packets in the different subnet of the ports. 3.1.3 WAN. 3.1.3.1 WAN Mode. TL-ER604W provides two adjustable WAN ports. You can set the number of WAN ports on this page. Choose the menu Network > WAN > WAN Mode to load the following page. [Screenshot: WAN Mode page with the WAN Ports selector] Figure 3-6 WAN Mode. > WAN Mode: WAN Ports: Select the total number of WAN ports you prefer to use. The Router supports one WAN and dual WAN. The Router will adjust the physical ports accordingly, which can be illustrated on the following port sketch. Note: By default, TL-ER604W is set to work in the mode of dual WAN ports. 3.1.3.2 WAN1. TL-ER604W provides the following six Internet connection types: Static IP, Dynamic IP, PPPoE/Russian PPPoE, L2TP/Russian L2TP, PPTP/Russian PPTP, and BigPond. To configure the WAN, please first s
104. g page. [Screenshot: Static Route form with fields Destination, Subnet Mask, Next Hop, Interface, Metric, Description (Optional), Status (Activate, Inactivate), and the List of Rules table (No., Destination, Subnet Mask, Next Hop, Interface, Metric, Status, Description, Action)] Figure 3-47 Static Route. The following items are displayed on this screen. > Static Route: Destination: Enter the destination host the route leads to. Subnet Mask: Enter the Subnet Mask of the destination network. Next Hop: Enter the gateway IP address to which the packet should be sent next. Interface: Select the physical network interface through which this route is accessible. Metric: Defines the priority of the route. The smaller the value is, the higher the priority is. The default value is 0. It is recommended to keep the default value. Description: Give a description for the entry. Status: Activate or inactivate the entry. > List of Rules: You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-47 indicates: If there are packets being sent to a device with IP address of 211.162.1.0 and subnet mask of 255.255.255.0, the Router will forward the packets from WAN1 port to the next hop of 211.200.1.1. Application Example: There is a network topology as the following figure shown
105. g rule based on the actual situation. > URL Filtering Rule: Object: Select the range in which the URL Filtering takes effect. • ANY: URL Filtering will take effect to all the users. • Group: URL Filtering will take effect to all the users in group. Mode: Select the mode for URL Filtering. Keyword indicates that all the URL addresses including the specified keywords will be filtered. URL Path indicates that the URL address will be filtered only when it exactly matches the specified URL. Description: Give a description for the entry. > List of Rules: You can view the information of the entries and edit them by the Action buttons. Application Example. Network Requirements: Prevent the local hosts from accessing Internet website www.aabbcc.com and downloading the files with suffix of exe. Configuration Procedure: Select Keywords mode and type exe in the field; select URL mode and type www.aabbcc.com, as the following figure shows, and then click the <Add> button to make the setting take effect. [Screenshot: URL Filtering page with General settings (Enable URL Filtering; Permit URL listed below and deny the rest; Deny URL listed below and permit the rest), URL Filtering Rule form (Object, Mode, Keywords, Description) and the List of Rules table (No., Object, Mode, Keywords/URL Path, Description, Action)]
106. h new group, please refer to 3.3.1 Group. Application: Click the <Application List> button to select applications from the popup checkbox. The applications include IM, Web IM, SNS, P2P, Media, Basic and Proxy. The default setting is to limit all the applications in the application list except for Basic and Proxy. Effective Time: Specify the time for the entry to take effect. Description: Give a description for the entry. Status: Activate or inactivate the entry. > List of Rules: You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-59 indicates: The group1 is applied with Application Rules. You can click <View> to view the limited applications in the popup checkbox. The effective time of this entry is 7:00 to 9:00 on Monday, Tuesday, Friday, Saturday and Sunday. This entry is enabled. Note: To set the group and group members, please refer to 3.3.1 Group. 3.5.9.2 Database. On this page you can upgrade the application database. Choose the menu Firewall > App Control > Database to load the following page. [Screenshot: Application Database Upgrade form showing Current Version, Expiration Date and the Database File field] Figure 3-60 Database. The database refers to all the applications in the application list on the Application Rules page. You can download the latest database from http://www.tp-link.com. Click the <Browse> button and select the file
107. he BSSID of the AP your Router is going to connect to as a client. You can also use the search function to select the BSSID to join. This option should be chosen according to the AP's security configuration. It is recommended that the security type is the same as your AP's security type. This option should be chosen if the key type is WEP (ASCII) or WEP (HEX). It indicates the index of the WEP key. This option should be chosen if the key type is WEP (ASCII) or WEP (HEX). It indicates the authorization type of the Root AP. Key: If the AP your Router is going to connect to needs a password, you need to fill the key in this blank. Tips: The Multi-SSID function will be disabled if WDS is enabled. 3.2.1.4 Wireless Advanced. On this page you can configure the wireless advanced parameters. Choose the menu Wireless > Wireless Setting > Wireless Advanced to load the following page. [Screenshot: Wireless Advanced page with General settings (WMM, Short GI, each Enable or Disable) and Wireless Advanced settings (Transmit Power, Beacon Interval 40-1000, RTS Threshold 1-2346, Fragmentation Threshold 256-2346, DTIM Interval 1-255)] Figure 3-27 Wireless Advanced. > General: WMM: WMM function can guarantee the packets with high priority messages being transmitted preferentially. It is strongly recommended to enable it. Short GI: This function is recommended, for it will increase the data capacity by reducing the guard interval time. > Wireless Advanced
108. he port is changed, you should type in the new address, such as http://192.168.0.1:XX (XX is the new management port number). E.g., if the Web Management Port is changed to 88, type http://192.168.0.1:88 in the address field to log in to the Router. • The new timeout period will take effect at the next login. 3.8.1.3 Remote Management. On this page you can configure the Remote Management function. This feature allows managing your Router from a remote location via the Internet. Choose the menu Maintenance > Setup > Remote Management to load the following page. [Screenshot: Remote Management form with fields Subnet/Mask, Status (Activate, Inactivate), and the List of Subnet table (No., Subnet/Mask, Status, Action)] Figure 3-83 Remote Management. The following items are displayed on this screen. > Remote Management: Subnet/Mask: Specify a single IP address or network address for the hosts desired to access the Router from external network. Status: Activate or inactivate the entry. > List of Subnet: In this list you can view the Remote Management entries and edit them by the Action buttons. The first entry in Figure 3-83 indicates that the hosts with IP address in subnet of 192.168.2.0/24 are allowed to access the Router, and this entry is activated. Application Example. Network Requirements: Allow the IP address within 210.10.10.0/24 segment to manage the Router with IP address of 210.10.10.50 remotely
109. is selected. If Name type is selected, enter the name of the remote peer as the ID in IKE negotiation. IKE Proposal: Select the Proposal for IKE negotiation phase 1. Up to four proposals can be selected. Pre-shared Key: Enter the Pre-shared Key for IKE authentication, and ensure both the two peers use the same key. The key should consist of visible characters without blank space. SA Lifetime: Specify ISAKMP SA Lifetime in IKE negotiation. DPD: Enable or disable DPD (Dead Peer Detect) function. If enabled, the IKE endpoint can send a DPD request to the peer to inspect whether the IKE peer is alive. DPD Interval: Enter the interval after which the DPD is triggered. > List of IKE Policy: In this table you can view the information of IKE Policies and edit them by the action buttons. 3.6.1.2 IKE Proposal. On this page you can define and edit the IKE Proposal. Choose the menu VPN > IKE > IKE Proposal to load the following page. [Screenshot: IKE Proposal form with fields Proposal Name, Authentication, Encryption, DH Group, and the List of IKE Proposal table (No., Name, Auth, Encr, DH)] Figure 3-63 IKE Proposal. The following items are displayed on this screen. > IKE Proposal: Proposal Name: Specify a unique name to the IKE proposal for identification and management purposes. The IKE proposal can be applied to IPsec proposal. Authentication: Select the authentication algorithm for
110. ist. The default setting is Automatic, which can select WPA (Wi-Fi Protected Access) or WPA2 (WPA version 2) automatically based on the wireless station's capability and request. Hexadecimal and ASCII formats are provided. Hexadecimal format stands for any combination of hexadecimal digits (0-9, a-f, A-F) in the specified length. ASCII format stands for any combination of keyboard characters in the specified length. Key Selected: You can select the key based on need. WEP Key: Select which of the four keys will be used and enter the matching WEP key that you create. Make sure these values are identical on all wireless stations in your network. Key Type: You can select the WEP key length (64-bit, or 128-bit, or 152-bit) for encryption. Disabled means this WEP key entry is invalid. 64-bit: You can enter 10 hexadecimal digits (any combination of 0-9, a-f, A-F, zero key is not promoted) or 5 ASCII characters. 128-bit: You can enter 26 hexadecimal digits (any combination of 0-9, a-f, A-F, zero key is not promoted) or 13 ASCII characters. 152-bit: You can enter 32 hexadecimal digits (any combination of 0-9, a-f, A-F, zero key is not promoted) or 16 ASCII characters. Tips: • The parameters of the host which desires to connect to the router must be the same as the parameter configured here. • The WEP Auth type is not supported by 802.11n mode. • The TKIP is not supported by 802.11n mode. The TKIP cannot be selec
111. itions: 1) This device may not cause harmful interference. 2) This device must accept any interference received, including interference that may cause undesired operation. Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. CE Mark Warning: This is a class A product. In a domestic environment, this product may cause radio interference, in which case the user may be required to take adequate measures. CONTENTS (recoverable entries only): Package Contents; Chapter 1 About this Guide; 1.1 Intended Readers; 1.3 Overview of this Guide; Chapter 2 Introduction; 2.1 Overview of the Router; 2.3.1 Front Panel; Chapter 3 Configuration; 3.1.3 WAN; 3.1.5 MAC Address; 3.2.1 Wireless Setting
112. [Screenshot: WPA-PSK/WPA2-PSK settings with Auth Type, Encryption, Password (you can enter ASCII characters between 8 and 63 or hexadecimal characters between 8 and 64) and Group Key Update Period (in seconds; the minimum value is 30, 0 means no update)] Auth Type: Choose the Auth type of the WPA-PSK/WPA2-PSK security on the drop-down list. The default setting is Automatic, which can select WPA-PSK (Pre-shared key of WPA) or WPA2-PSK (Pre-shared key of WPA) automatically based on the wireless station's capability and request. Encryption: Select the Encryption type, which includes Automatic, TKIP and AES. The default setting is Automatic, which can select TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) automatically based on the wireless station's capability and request. TKIP: TKIP is a security protocol used in the IEEE 802.11 wireless networking standard. AES: AES is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology. Password: Enter ASCII characters between 8 and 63 characters or 8 to 64 Hexadecimal characters. Group Key Update Period: Specify the group key update interval in seconds. The value should be 30 or above. Enter 0 to disable the update. WPA/WPA2: It's based on Radius Server. [Screenshot: WPA/WPA2 settings with Radius Server IP, Radius Port (1-65535, 0 means the default port 1817), Radius Password, Group Key Update Period]
113. k value of class A (255.0.0.0), 16 which represents the default Subnet Mask value of class B (255.255.0.0), 24 which represents the default Subnet Mask value of class C (255.255.255.0), or 32 which represents the default Subnet Mask value of class D (255.255.255.255). Appendix C Glossary. Terms on this page: ALG (Application Layer Gateway), ARP (Address Resolution Protocol), AH (Authentication Header), DDNS (Dynamic Domain Name Server), DHCP (Dynamic Host Configuration Protocol), DMZ (Demilitarized Zone), DNS (Domain Name Server), DSL (Digital Subscriber Line), ESP (Encapsulating Security Payload), FTP (File Transfer Protocol), GMT (Greenwich Mean Time). ALG: Application Level Gateway (ALG) is application specific translation agent that allows an application on a host in one address realm to connect to its counterpart running on a host in different realm transparently. ARP: Internet protocol used to map an IP address to a MAC address. AH: A security protocol that provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram). DDNS: The capability of assigning a fixed host and domain name to a dynamic Internet IP address. DHCP: A protocol that automatically configures the TCP/IP parameters for all the PCs that are connected to a DHCP server. DMZ: A Demilitarized Zone allows one local host to be exposed to the Internet for a special purpose service
114. kets. Specify whether to enable Egress Limit feature. Specify the limit rate for the egress packets. The first entry in Figure 3-20 indicates: The Ingress and Egress Limits are enabled for port 1. The Ingress and Egress Rates are 1Mbps. That is, the receiving rate for the ingress packets will not exceed 1Mbps, and the transmitting rate for all the egress packets will not exceed 1Mbps. 3.1.6.4 Port Config. On this page you can configure the basic parameters for the ports. Choose the menu Network > Switch > Port Config to load the following page. [Screenshot: Port Config table with columns Port, Status, Flow Control, Negotiation Mode, and an All Ports row] Figure 3-21 Port Config. The following items are displayed on this screen. > Port Config: Status: Specify whether to enable the port. The packets can be transported via this port after being enabled. Flow Control: Allows you to enable/disable the Flow Control function. Negotiation Mode: Select the Negotiation Mode for the port. All Ports: Allows you to configure the parameters for all the ports at one time. 3.1.6.5 Port Status. On this page you can view the current status of each port. Choose the menu Network > Switch > Port Status to load the following page. [Screenshot: Port Status table with columns Port, Status, Speed (Mbps), Duplex Mode, Flow Control]
115. l Subnet. Specify a unique name to the IPsec policy. Up to 28 characters can be entered. Select the network mode for IPsec policy. Options include: • LAN-to-LAN: Select this option when the client is a network. • Client-to-LAN: Select this option when the client is a host. Specify IP address range on your local LAN to identify which PCs on your LAN are covered by this policy. It's formed by IP address and subnet mask. Remote Subnet: Specify IP address range on your remote network to identify which PCs on the remote network are covered by this policy. It's formed by IP address and subnet mask. WAN: Specify the local WAN port for this Policy. The Remote Gateway of the remote peer should be set to the IP address of this WAN port. Remote Gateway: Enter the Remote Gateway. It can be IP address or Domain name. Policy Mode: Select the negotiation mode for the policy. • IKE: The parameters for the VPN tunnel are generated automatically via IKE negotiations. • Manual: All settings (including the keys) for the VPN tunnel are manually inputted and no key negotiation is needed. • IKE Mode (IKE Policy, IPsec Proposal, PFS, SA Lifetime): It is available when IKE is selected as the negotiation mode. IKE Policy: Specify the IKE policy. If there is no policy selection, add new policy on VPN > IKE > IKE Policy page. IPsec Proposal: Select IPsec Proposal on IKE mode. Up to four IPsec Proposals can be selected on IKE mod
116. llowing items are displayed on this screen. > General: Enable Session Limit: Check here to enable Session Limit, otherwise all the Session Limit entries will be disabled. > Session Limit: Group: Select a group to define the controlled users. Max Sessions: Enter the max Sessions for the users. Description: Give a description for the entry. Status: Activate or inactivate the entry. > List of Session Limit: You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-41 indicates: The amount of maximum sessions for the hosts within group1 is 100, and this entry is enabled. 3.4.3.2 Session List. On this page you can view the Session Limit information of hosts configured with Session Limit. Choose the menu Advanced > Session Limit > Session List to load the following page. [Screenshot: List of Limited Sessions table with columns No., User, Max Sessions, Current Sessions] Figure 3-42 Session List. In this table you can view the session limit information of users configured with Session Limit. Click the <Refresh> button to get the latest information. 3.4.4 Load Balance. In this part you can configure the traffic sharing mode of the WAN ports to optimize the resource utilization. 3.4.4.1 Configuration. Choose the menu Advanced > Load Balance > Configuration to load the following page. [Screenshot: Load Balance General settings with Enable Application Optimized Routing and Enable Bandwidth Based Balance Routing]
117. management port has been changed, please log into the Router with the new address, such as http://192.168.0.1:XX (XX is the new management port number). 3) If you had successfully logged into the Router before but now you cannot access the Router, it's quite possible that the configuration of your Router has been changed by others, especially when the Remote Web Management function is enabled. You're recommended to restore your Router and reconfigure the management port number and the username as well as the password for your network security. 4) If you cannot access the Router even after restoring the Router to its defaults, or your login is dropped just after a while, it's quite possible that your Router is attacked by ARP cheating. It's recommended to locate and quarantine the source of ARP cheating so as to prevent your network from the attacks. 5) Check to see if you have configured the proxy server for IE browser. If so, please disable the IE proxy server first. Q2: What can I do if I forget the username and the password of the Router? How to restore the Router to its factory default settings? You can restore the Router to its factory default settings by the Reset button. It must be noted that once the Router is reset, all the current configuration settings will be lost. With the Router powered on, use a pin to press and hold the Reset button for about 5 to 10 seconds. After the M1 LED is solid light for 2 to 5 seconds, rel
118. mum for the dial-up connection charged on time. • Always on: Select this option to keep the connection always on. The connection can be re-established automatically when it is down. Here allows you to configure the secondary connection. Dynamic IP and Static IP connection types are provided. Select the secondary connection type. Options include Disable, Dynamic IP and Static IP. If Static IP is selected, configure the IP address of WAN port. If Dynamic IP is selected, the IP address of WAN port obtained is displayed. If Static IP is selected, configure the subnet mask of WAN port. If Dynamic IP is selected, the subnet mask of WAN port obtained is displayed. If Static IP is selected, configure the default gateway. If Dynamic IP is selected, the obtained default gateway is displayed. If Static IP is selected, configure the DNS. If Dynamic IP is selected, the obtained DNS is displayed. Specify the bandwidth for transmitting packets on the port. Specify the bandwidth for receiving packets on the port. > L2TP Status: Status: Displays the status of PPPoE connection. • Disabled indicates that the L2TP connection type is not applied. • Connecting indicates that the Router is obtaining the IP parameters from your ISP. • Connected indicates that the Router has successfully obtained the IP parameters from your ISP. • Disconnected indicates that the connection has been manually terminated
119. 3.5.4.2 Web Filtering. On this page you can filter the desired web components. Choose the menu Firewall > Access Control > Web Filtering to load the following page. [Screenshot: Web Filtering page with Enable Web Filtering and the components Java, ActiveX, Cookie] Figure 3-56 Web Filtering. Check the box before Enable Web Filtering and select the web components to be filtered. 3.5.4.3 Access Rules. Choose the menu Firewall > Access Control > Access Rules to load the following page. [Screenshot: Access Rules form with fields Policy, Service, Interface, Source (IP/MASK), Destination (IP/MASK), Effective Time, Description (Optional), Priority, and the List of Rules table (No., Source, Destination, Policy, Service, Interface, Effective Time, Description, Action)] Figure 3-57 Access Rule. The following items are displayed on this screen. > Access Rules: Policy: Select a policy for the entry. • Block: When this option is selected, the packets that obey the rule will not be permitted to pass through the Router. • Allow: When this option is selected, the packets that obey the rule will be allowed to pass through the Router. Service: Select the service for the entry. Only the service belonging to the specified service type is limited by the entry. For
120. network processor and 64MB DDRII high-speed RAM allows the stability and reliability for operation. • Wireless Feature: Wireless N speed provides an incredible high-speed experience. Supporting Guest Networking feature, which provides a secure network for guests outside of the existing, potentially sensitive LAN. Hardware Wi-Fi On/Off button provides an easy way to turn wireless radio on or off. • Virtual Private Network (VPN): Providing comprehensive IPsec VPN with DES/3DES/AES encryptions, MD5/SHA1 identifications and automatically/manually IKE Pre-Share Key exchanges. Supporting PPTP/L2TP VPN Server mode to allow the staff on business or remote branch office to access the headquarter network. • Online Behavior Management: Complete Functions of Access Rules can allow managers to select the network service levels to block or allow applications of FTP downloading, Email, Web browsing and so on. Deploying One-Click restricting of IM/P2P applications to save time & energy while reserving exceptional groups for certain users. Supporting URL Filtering to prevent potential hazards from visiting the malicious Web sites. • Powerful Firewall: Supporting One-Click IP-MAC Binding to avoid ARP spoofing and guarantee a network without stagnation. Featured Attack Defense to protect the network from a variety of flood attack and packet anomaly attack. Possessing MAC Filtering function to block the access of illegal
121. nt ID values when it is reconnected. 3.7 Services. 3.7.1 PPPoE Server. The Router can be configured as a PPPoE server to specify account and IP address to users in LAN, and thus you can control the dial-up of users for a high efficiency in network management. The PPPoE configuration can be implemented on General, IP Address Pool, Account, Exceptional IP and List of Account pages. 3.7.1.1 General. On this page you can configure PPPoE function globally. Choose the menu Services > PPPoE Server > General to load the following page. [Screenshot: PPPoE Server General page with settings PPPoE Server, Dial-up Access Only, PPPoE User Isolation (each Enable or Disable), Primary DNS, Secondary DNS, Max Sessions, Max Echo Requests, Idle Timeout (minutes), Authentication (Local, Remote), Auth Protocol (PAP, CHAP, MS-CHAP, MS-CHAP v2)] Figure 3-70 General. The following items are displayed on this screen. > General: PPPoE Server: Specify whether to enable the PPPoE Server function. Dial-up Access Only: Specify whether to enable the Dial-up Access Only function. If enabled, only the Dial-in Users and the user with Exceptional IP can access the Internet. PPPoE User Isolation: Specify whether to allow the Dial-in Users to communicate with one another. Primary/Secondary DNS: Enter the Primary S
122. nternet Setting
    You can connect the Fiber Optic Modem and the dedicated line to the WAN1 port and the WAN2 port separately. Suppose both the two connections are the Static IP connections. The Line Backup function enables you to set the connection of WAN1 as the main line and the connection of WAN2 as the backup line, which allows the Router to switch to the connection of WAN2 once the connection of WAN1 is broken down. The detailed configurations are as follows.
    4.3.1.1 System Mode
    Set the system mode of the Router to the NAT mode. Choose the menu Network → System Mode to load the following page. Select the NAT mode and the <Save> button to apply.
    [Figure 4-1 System Mode: options NAT, Non-NAT, Classic]
    4.3.1.2 Internet Connection
    Configure the Static IP connection type for the WAN1 and WAN2 ports of the Router. Choose the menu Network → WAN → WAN1 to load the following page. Select the Static IP connection type and enter the IP address, Subnet Mask and Default Gateway provided by your ISP. Set both the Upstream Bandwidth and the Downstream Bandwidth to 100000Kbps. The Upstream/Downstream Bandwidth of WAN port you set must not be more than the bandwidth provided by ISP. Otherwise, the Traffic Control will be invalid. Then click the <Save> button to apply. The configuration method for the WAN2 port is the same as the WAN1.
    [Page fields: Static IP Settings, Connection Type (Static IP), IP Address]
123. ocuses on research and standardization based on real-life use.
    Network layer protocol in the TCP/IP stack offering a connectionless Internetwork service. IP provides features for addressing, type-of-service specification, fragmentation and reassembly, and security.
    Company that provides Internet access to other companies and individuals.
    IKE establishes a shared security policy and authenticates keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each Router/firewall/host must verify the identity of its peer.
    A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers.
    High-speed, low-error data network covering a relatively small geographic area (up to a few thousand meters). LANs connect workstations, peripherals, terminals, and other devices in a single building or other geographically limited area.
    Glossary | Description
    MAC address (Media Access Control address): Standardized data link layer address that is required for every port or device that connects to a LAN. Other devices in the network use these addresses to locate specific ports in the network and to create and update routing tables and data structures. MAC addresses are 6 bytes long and are controlled by the IEEE.
    MTU (Maximum Transmission Unit): The size in bytes of the largest packet that can be transmitted.
    Mechanism for
124. of the DDNS client has changed. DDNS is usually used for the Internet users to access the private website and FTP server, both of which are established based on Web server. The Router, as a DDNS client, cannot provide DDNS service. Prior to using this function, be sure you have registered on the official websites of DDNS service providers for username, password and domain name. TL-ER604W Router offers PeanutHull DDNS client, Dyndns DDNS client, NO-IP DDNS client and Comexe DDNS client. The Dynamic DNS can be implemented on DynDNS DDNS, No-IP DDNS, Peanuthull DDNS and Comexe DDNS pages.
    3.7.3.1 DynDNS
    On this page you can configure DynDNS client. Choose the menu Services → Dynamic DNS → DynDNS to load the following page.
    [Figure 3-76 DynDNS DDNS: fields Account Name, Password, Domain Name, DDNS Service (Go to register), Activate/Inactivate, WAN Port, DDNS Status; List of DynDNS Account with columns Account Name, Domain Name, Status, Action]
    The following items are displayed on this screen:
    Dyndns DDNS
    Account Name: Enter the Account Name of your DDNS account. If you have not registered, click <Go to register> to go to the website of Dyndns for register.
    Password: Enter the password of your DDNS account.
    Domain Name: Enter the Domain Name that you registere
125. on cannot be reached if the value is more than 15. Optimal path indicates the path with the fewest hop counts. RIP exchanges the route information every 30 seconds by broadcasting UDP packets. If one Router has not sent route information in 180 seconds, the RIP of the other routers would set the distance to this Router into infinity and delete the corresponding information from route table. RIP develops from initial RIPv1 to RIPv2 gradually. Compared with RIPv1, RIPv2 supports VLSM (Variable Length Subnet Mask), simple plain text authentication, MD5 cryptograph authentication, CIDR (Classless Inter-Domain Routing) and multicast.
    TL-ER604W supports both RIPv1 version and RIPv2 version, thus you can configure the RIP version based on the actual need to improve the network performance. Choose the menu Advanced → Routing → RIP to load the following page.
    [Figure 3-48 RIP: General (per interface: Interface, Status, RIP Version, Password Authentication; All Interfaces); List of RIP]
    List of RIP:
    No. | Destination | Subnet Mask | Next Hop | Interface | Hop Count | Effective Time (sec)
    1 | 116.10.20.28 | 255.255.255.0 | 116.10.1.254 | WAN1 | 1 | 1
    2 | 192.168.10.1 | 255.255.255.0 | 192.168.70.1 | LAN | 1 | 1
    3 | 211.162.1.1 | 255.255.0.0 | 211.200.1.1 | DMZ | 2 | 23
    The following items are displayed on this screen:
    General
    Interface: Displays the interfaces which has been physically connected or assigned s
126. one/multiple ports (mirrored port) to a specific port (mirroring port). Usually, the mirroring port is connected to a data diagnose device, which is used to analyze the mirrored packets for monitoring and troubleshooting the network.
    Choose the menu Network → Switch → Port Mirror to load the following page.
    [Figure 3-19 Port Mirror: General (Enable Port Mirror, Mode); Port Mirror (Mirroring Port, Mirrored Port)]
    The following items are displayed on this screen:
    General
    Enable Port Mirror: Check the box to enable the Port Mirror function. If unchecked, it will be disabled.
    Mode: Select the mode for the port mirror function. Options include:
    • Ingress: When this mode is selected, only the incoming packets received by the mirrored port will be copied to the mirroring port.
    • Egress: When this mode is selected, only the outgoing packets sent by the mirrored port will be copied to the mirroring port.
    • Ingress & Egress: When this mode is selected, both the incoming and outgoing packets through the mirrored port will be copied to the mirroring port.
    Port Mirror
    Mirroring Port: Select the Mirroring Port to which the traffic is copied. Only one port can be selected as the mirroring port.
    Mirrored Port: Select the Mirrored Port from which the traffic is mirrored. One or multiple ports can be selected as the mirrored ports.
    The entry in Figure 3-19 indicates: The outgoing pa
127. or public network and enable Sending GARP packets function to defend ARP attack. Moreover, you can enable DoS Defense function to implement flood defense and Packet Anomaly Defense. Moreover, you can enable Port Mirror function and Statistics function to monitor the real-time traffic of the local network.
    4.3.4.1 LAN ARP Defense
    You can configure IP-MAC Binding manually or by ARP Scanning. For the first-time configuration, please bind most of the ARP information by ARP Scanning. For some special items not bound, you can bind them manually.
    1) Scan and import the entries to ARP List
    Specify ARP Scanning range. Choose the menu Firewall → Anti ARP Spoofing → ARP Scanning to load the configuration page. No ARP attack in the local network is the premise of ARP Scanning.
    [Figure 4-16 ARP Scanning: Scanning IP Range 192.168.0.1 - 192.168.0.254]
    Turn on all the hosts that need to be bound. Then click the <Scan> button, the scanning result will display as below.
    [Figure 4-17 Scanning Result: columns No., IP Address, MAC Address, Status; entries 192.168.0.2 / 40-61-86-FC-75-C3 and 192.168.0.3 / 40-61-86-FC-75-B9]
    Choose the menu Firewall → Anti ARP Spoofing → IP-MAC Binding to load the configuration page. Select the ARP entries needed to be bound or click the <Select All> button, and then click the <Import> button. The ARP List will display as the following figure shows.
    [Page fields: ARP List]
128. or the request of the Router has no response from your ISP. Please ensure that your settings are correct and your network is connected well. Consult your ISP if this problem remains.
    IP Address: Displays the IP address assigned by your ISP.
    Primary DNS: Displays the IP address of your ISP's Primary DNS.
    Secondary DNS: Displays the IP address of your ISP's Secondary DNS.
    5) PPTP
    If your ISP (Internet Service Provider) has provided the account information for the PPTP connection, please choose the PPTP connection type.
    [Figure 3-11 WAN - PPTP: PPTP Settings (Connection Type, Account Name, Password, Server IP, MTU 1460 (576-1460), Active Mode: Manual / Always-on); Secondary Connection (Connection Type: Static IP / Dynamic IP, IP Address, Subnet Mask, Default Gateway, Primary DNS, Secondary DNS); Upstream Bandwidth (Kbps), Downstream Bandwidth (Kbps); PPTP Status (Status, IP Address, Primary DNS, Secondary DNS)]
    The following items are displayed on this screen:
    PPTP Settings
    Connection Type: Select PPTP if your ISP provides a PPTP connection. Click <Connect> to dial up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the Internet connection and release the current IP address.
    Account Name: Enter the Account Name provided by your ISP. If you are not clear, ple
129. otocol. This entry is activated.
    3.4.1.6 ALG
    Some special protocols such as FTP, H.323, SIP, IPsec and PPTP will work properly only when ALG (Application Layer Gateway) service is enabled. Choose the menu Advanced → NAT → ALG to load the following page.
    [Figure 3-38 ALG: Enable/Disable options for FTP ALG, H.323 ALG, SIP ALG, IPsec ALG, PPTP ALG]
    The following items are displayed on this screen:
    ALG
    FTP ALG: Enable or disable FTP ALG. The default setting is enabled. It is recommended to keep the default setting if no special requirement.
    H.323 ALG: Enable or disable H.323 ALG. The default setting is enabled. H.323 is used for various applications such as NetMeeting and VoIP.
    SIP ALG: Enable or disable SIP ALG. The default setting is enabled. It is recommended to keep the default setting if no special requirement.
    IPsec ALG: Enable or disable IPsec ALG. The default setting is enabled. It is recommended to keep default if no special requirement.
    PPTP ALG: Enable or disable PPTP ALG. The default setting is enabled. It is recommended to keep default if no special requirement.
    3.4.2 Traffic Control
    Traffic Control functions to control the bandwidth by configuring rules for limiting various data flows. In this way, the network bandwidth can be reasonably distributed and utilized.
    3.4.2.1 Setup
    Choose the m
130. our wireless network security, the default SSID is set to be TP-LINK_XXXXXX (XXXXXX indicates the last unique six numbers of each Router's MAC address). This value is case-sensitive. For example, TEST is NOT the same as test.
    Enter the description for the SSID.
    Enable or disable the SSID Broadcast. When wireless clients survey the local area for wireless networks to associate with, they will detect the SSID broadcast by the Router. If the SSID Broadcast is enabled, the Wireless Router will broadcast its name (SSID) on the air.
    Enable or disable the AP Isolation. This function can isolate wireless stations on your network from each other. Wireless devices will be able to communicate with the Router but not with each other.
    Specify the security option of the wireless network. If you do not want to use wireless security, select Disable Security; otherwise, select one Security option from the drop-down list. It's strongly recommended to choose one of the security options to enable security.
    There are three wireless security options supported by the Router: WPA-PSK/WPA2-PSK, WPA/WPA2 and WEP. It is recommended to choose WPA-PSK/WPA2-PSK. The detailed information of the three security options will be introduced below.
    It's the WPA/WPA2 authentication type based on pre-shared passphrase. The default security option of the router is WPA-PSK/WPA2-PSK.
    [Page fields: Security (WPA-PSK/WPA2-PSK), Auth Type, Password] You can enter ASC
131. [Figure 4-5 IKE Policy]
    To configure the IPsec function, you should create an IPsec Proposal firstly.
    • IPsec Proposal
    Choose the menu VPN → IPsec → IPsec Proposal to load the following page.
    Settings:
    Proposal Name: proposal_IPsec_1
    Security Protocol: ESP
    ESP Authentication: MD5
    ESP Encryption: 3DES
    Click the <Save> button to apply.
    [Figure 4-6 IPsec Proposal: fields Proposal Name, Security Protocol, ESP Authentication, ESP Encryption]
    • IPsec Policy
    Choose the menu VPN → IPsec → IPsec Policy to load the configuration page.
    Settings:
    IPsec: Enable
    Policy Name: IPsec_1
    Status: Activate
    Mode: LAN-to-LAN
    Local Subnet: 192.168.0.0/24
    Remote Subnet: 172.31.10.0/24
    WAN: WAN1
    Remote Gateway: 116.31.85.133
    Exchange Mode: IKE
    IKE Policy: IKE_1
    IPsec Proposal: proposal_IPsec_1 (you just created)
    PFS: DH1
    SA Lifetime: 3600
    Click the <Add> button to add the new entry to the list and click the <Save> button to apply.
    [Page fields: General (IPsec: Enable / Disable); IPsec Policy (Policy Name, Mode, Local Subnet, Remote Subnet, WAN, Remote Gateway, IP Address)]
132. r applications such as Bandwidth Control, Session Limit and Access Control etc. on per group.
    3.3.1 Group
    On this page you can define the group for management. Choose the menu User Group → Group to load the following page.
    [Figure 3-30 Group Configuration: Group Config; List of Group with columns No., Group Name, Description, Action]
    The following items are displayed on this screen:
    Group Config
    Group Name: Specify a unique name for the group.
    Description: Give a description for the group. It's optional.
    List of Group
    In this table, you can view the information of the Groups and edit them by the Action buttons.
    3.3.2 User
    On this page you can configure the User for the group. Choose the menu User Group → User to load the following page.
    [Figure 3-31 User Configuration: User Config (User Name, IP Address, Description); List of User with columns No., User Name, IP Address, Description, Action]
    The following items are displayed on this screen:
    User Config
    User Name: Specify a unique name for the user.
    IP Address: Enter the IP Address of the user. It cannot be the network address or broadcast address of the port.
    Description: Give a description to the user for identification. It's optional.
    List of User
    In this table, you can view the information of the Users and edit them by the Action buttons.
    3.3.3 View
133. r to the packet by using PPP (Point to Point Protocol). Table depicts the difference between L2TP and PPTP.
    Protocol | Media | Tunnel | Length of Header | Authentication
    PPTP | IP network | Single tunnel | 6 bytes at least | Not supported
    L2TP | IP network of UDP, frame relay virtual circuit, X.25 virtual circuit | Multiple tunnels | 4 bytes at least | Supported
    3.6.3.1 L2TP/PPTP Tunnel
    On this page you can configure the L2TP/PPTP VPN. Choose the menu VPN → L2TP/PPTP → L2TP/PPTP Tunnel to load the following page.
    [Figure 3-67 L2TP/PPTP Tunnel: General (Enable VPN-to-Internet, Hello Interval); L2TP/PPTP Tunnel (Protocol, Mode, Account Name, Tunnel, Max Connections, Encryption, Pre-shared Key, Client IP, Remote Subnet, Status); List of Configurations]
    The following items are displayed on this screen:
    General
    Enable VPN-to-Internet: Specify whether to enable VPN-to-Internet function. If enabled, the VPN client is permitted to access the LAN of the server and Internet.
    Hello Interval: Specify the interval to send hello packets.
    L2TP/PPTP Tunnel
    Protocol: Select the protocol for VPN tunnel. Options include L2TP
134. [Figure 3-40 Bandwidth Control]
    The following items are displayed on this screen:
    Bandwidth Control Rule
    Direction: Select the data stream direction for the entry. The direction of arrowhead indicates the data stream direction. WAN-ALL means all WAN ports through which the data flow might pass. Individual WAN port cannot be selected if WAN-ALL rules are added.
    Group: Select the group to define the controlled users.
    Mode: Individual: The bandwidth of each user equals to the current bandwidth of this entry. Shared: The total bandwidth of all controlled IP addresses equals to the current bandwidth of this entry.
    Guaranteed Bandwidth (Up): Specify the Guaranteed Upstream Bandwidth for this entry.
    Limited Bandwidth (Up): Specify the Limited Upstream Bandwidth for this entry.
    Guaranteed Bandwidth (Down): Specify the Guaranteed Downstream Bandwidth for this entry.
    Limited Bandwidth (Down): Specify the Limited Downstream Bandwidth for this entry.
    Effective Time: Specify the time for the entry to take effect.
    Description: Give a description for the entry.
    Status: Activate or inactivate the entry.
    List of Rules
    You can view the information of the entries and edit them by the Action
135. NAT (Network Address Translator): reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space.
    NTP Server: NTP Server is used for synchronising the time across computer networks.
    POP3 (Post Office Protocol 3): POP3 is intended to permit a workstation to dynamically access a maildrop on a server host in a useful fashion.
    PPPoE (Point to Point Protocol over Ethernet): PPPoE is a network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames.
    SMTP (Simple Mail Transfer Protocol): SMTP is an Internet standard for electronic mail (e-mail) transmission.
    SSH (Secure Shell Protocol): SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.
    SA (Security Association): SA is the establishment of shared security attributes between two network entities to support secure communication.
    TCP (Transfer Control Protocol): Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
    TCP/IP (Transmission Control Protocol/Internet Protocol): Common name for the suite of protocols to support the construction of worldwide Internetworks. TCP and IP are the two best-known protocols in the suite.
    Telnet Telecomm
136. rotocol constitutes of the name and number. The Router predefines three commonly used protocols such as TCP, UDP and TCP/UDP. Moreover, you can also add new protocols as your wish. Choose the menu Advanced → Load Balance → Protocol to load the following page.
    [Figure 3-46 Protocol: fields Name, Number; List of Protocol with columns No., Name, Number, Action]
    The following items are displayed on this screen:
    Protocol
    Name: Enter a name to indicate a protocol. The name will display in the drop-down list of Protocol on Access Rule page.
    Number: Enter the Number of the protocol in the range of 0-255.
    List of Protocol
    You can view the information of the entries and edit them by the Action buttons.
    Note: The system predefined protocols cannot be configured.
    3.4.5 Routing
    3.4.5.1 Static Route
    Routing is the process of selecting optimized paths in a network along which to send network traffic. Static Route is a kind of special routing configured by the administrator, which is simple, efficient and reliable. Commonly used in small-sized network with fixed topology, Static Route does not change along with the network topology automatically. The administrator should modify the static route information manually as long as the network topology or link status is changed.
    Choose the menu Advanced → Routing → Static Route to load the followin
137. s
    [Figure 4-23 IP Traffic Statistics: General (Enable IP Traffic Statistics, Enable Auto-refresh); Traffic Statistics per IP Address with Direction, Sessions, Transmitting Rate (KB/s), Packets Rate (Pkt/s), Total Packets (Pkt), Total Bytes (Byte), each Upstream/Downstream]
    After all the above steps, the enterprise network will be operated based on planning.
    Appendix A Hardware Specifications
    Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.3ab, IEEE 802.3x, IEEE 802.11b, IEEE 802.11g and IEEE 802.11n; TCP/IP, DHCP, ICMP, NAT, PPPoE, SNTP, HTTP, DNS, L2TP, PPTP, IPsec
    Ports: One fixed 10/100/1000Mbps Auto-Negotiation WAN RJ45 port (Auto MDI/MDIX); One interchangeable 10/100/1000Mbps Auto-Negotiation WAN/LAN RJ45 port (Auto MDI/MDIX); Three fixed 10/100/1000Mbps Auto-Negotiation LAN RJ45 ports (Auto MDI/MDIX)
    Cabling Type: 10BASE-T: UTP category 3, 4, 5 cable (maximum 100m), EIA/TIA-568 100Ω STP (maximum 100m); 100BASE-TX: UTP category 5, 5e cable (maximum 100m), EIA/TIA-568 100Ω STP (maximum 100m); 1000BASE-T: UTP/STP of Category 5, 5e, 6 or above (maximum 100m)
    LEDs: PWR, SYS, WLAN, WAN, LAN
    Safety & Emissions: FCC, CE
    Frequency Band: 2.4-2.4835GHz
138. splayed.
    If Static IP is selected, configure the default gateway. If Dynamic IP is selected, the obtained default gateway is displayed.
    If Static IP is selected, configure the DNS. If Dynamic IP is selected, the obtained DNS is displayed.
    Specify the bandwidth for transmitting packets on the port.
    Specify the bandwidth for receiving packets on the port.
    PPTP Status
    Status: Displays the status of PPTP connection. "Disabled" indicates that the PPTP connection type is not applied. "Connecting" indicates that the Router is obtaining the IP parameters from your ISP. "Connected" indicates that the Router has successfully obtained the IP parameters from your ISP. "Disconnected" indicates that the connection has been manually terminated or the request of the Router has no response from your ISP. Please ensure that your settings are correct and your network is connected well. Consult your ISP if this problem remains.
    IP Address: Displays the IP address assigned by your ISP.
    Primary DNS: Displays the IP address of your ISP's Primary DNS.
    Secondary DNS: Displays the IP address of your ISP's Secondary DNS.
    6) BigPond
    If your ISP (Internet Service Provider) has provided the account information for the BigPond connection, please choose the BigPond connection type.
    [Page fields: BigPond Settings (Connection Type, Account Name, Password, Auth Server, Auth Domain, Active Mode)]
139. such as Internet gaming or videoconferencing.
    An Internet Server that translates the names of websites into IP addresses.
    A technology that allows data to be sent or received over existing traditional phone lines.
    Security protocol that provides data privacy services, optional data authentication, and anti-replay services. ESP encapsulates the data to be protected.
    Application protocol, part of the TCP/IP protocol stack, used for transferring files between network nodes.
    It is a term originally referring to mean solar time at the Royal Observatory in Greenwich, London.
    Glossary | Description
    Terms: HTTP (Hypertext Transfer Protocol); ICMP (Internet Control Messages Protocol); Internet; IP (Internet Protocol); ISP (Internet Service Provider); IKE (Internet Key Exchange); IPsec (IP Security); LAN (Local Area Network)
    H.323 allows dissimilar communication devices to communicate with each other by using a standardized communication protocol. H.323 defines a common set of CODECs, call setup and negotiating procedures, and basic data transport methods.
    The protocol used by Web browsers and Web servers to transfer files, such as text and graphic files.
    Network layer Internet protocol that reports errors and provides other information relevant to IP packet processing.
    Largest global Internetwork, connecting tens of thousands of networks worldwide and having a culture that f
140. [Figure 3-66 IPsec SA]
    Figure 3-66 displays the connection status of the NO.1 entry in the List of IPsec policy in Figure 3-64. As shown in the figure, the Router is using WAN2 for tunnel connection, and the IP address of WAN2 and the default gateway of remote peer are 172.30.70.151 and 172.30.70.161 respectively.
    Security protocol and other parameters for IPsec tunnel and the remote router should be configured the same. As Security Association is unidirectional, an ingoing SA and an outgoing SA are created to protect data flows for each tunnel after IPsec tunnel is successfully established. The ingoing SPI value and outgoing SPI value are different. However, the Incoming SPI value must match the Outgoing SPI value at the other end of the tunnel, and vice versa. The connection status on the remote endpoint of this tunnel is as the following figure shows. The SPI value is obtained via auto-negotiation.
    List of IPsec SA (remote endpoint):
    No.: 1
    Name: Ipsec_1
    SPI: 801628175, 388462817
    Tunnel: 172.30.70.161 <-> 172.30.70.151
    Data Flow: 192.168.3.0/24 <-> 192.168.0.0/24
    Protocol: ESP
    ESP Auth: MD5
    ESP Encr: 3DES
    Status: Connected
    3.6.3 L2TP/PPTP
    Layer 2 VPN tunneling protocol consists of L2TP (Layer 2 Tunneling Protocol) and PPTP (Point to Point Tunneling Protocol). Both L2TP and PPTP encapsulate packet and add extra heade
141. [Figure 3-43 Configuration]
    With the box before Enable Application Optimized Routing checked, the Router will consider the source IP address and destination IP address of the packets as a whole and record the WAN port they pass through. And then the packets with the same source IP address and destination IP address or destination port will be forwarded to the recorded WAN port. This feature is to ensure the multi-connected applications to work properly.
    Check the box before Enable Bandwidth Based Balance Routing and select the WAN port below. Load Balance of the specified WAN port will be enabled automatically if no routing rules are set. Then click the <Save> button to apply.
    Note: The WAN ports not connecting to the Internet don't support Intelligent Balance, please do not select them.
    3.4.4.2 Policy Routing
    Policy Routing provides an accurate way to control the routing based on the policy defined by the network administrator. Choose the menu Advanced → Load Balance → Policy Routing to load the following page.
    [Page fields: General (Protocol, Source IP, Destination IP, Source Port, Destination Port, WAN, Effective Time, Description, Status)]
142. [Figure 3-9 WAN - PPPoE]
    The following items are displayed on this screen:
    PPPoE Settings
    Connection Type: Select PPPoE if your ISP provides xDSL Virtual Dial-up connection. Click <Connect> to dial up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the Internet connection and release the current IP address.
    Account Name: Enter the Account Name provided by your ISP. If you are not clear, please consult your ISP.
    Password: Enter the Password provided by your ISP.
    Active Mode: You can select the proper Active mode according to your need.
    • Manual: Select this option to manually activate or terminate the Internet connection by the <Connect> or <Disconnect> button. It is optimum for the dial-up connection charged on time.
    • Always-on: Select this option to keep the connection always on. The connection can be re-established automatically when it is down.
    • Time-based: Select this option to keep the connection on during the Active time you set.
    PPPoE Advanced Settings: Check here to enable PPPoE advanced settings.
    Keep Alive: Once PPPoE is connected, the Router will send keep-alive packets every "Keep Alive Interval" sec and "Keep Alive Re
143. [Figure 3-53 Attack Defense: includes Block IP options (Security Option, Loose Source Route Option, Strict Source Route Option, Record Route Option, Stream Option, Timestamp Option, No Operation Option) and Enable Attack Defense Logs]
    The following items are displayed on this screen:
    General
    Flood Defense: Flood attack is a commonly used DoS (Denial of Service) attack, including TCP SYN, UDP, ICMP and so on. It is recommended to select all the Flood Defense options and specify the corresponding thresholds. Keep the default settings if you are not sure.
    Packet Anomaly Defense: Packet Anomaly refers to the abnormal packets. It is recommended to select all the Packet Anomaly Defense options.
    Enable Attack Defense Logs: With this box checked, the Router will record the defense logs.
    3.5.3 MAC Filtering
    On this page, you can control the Internet access of local hosts by specifying their MAC addresses. Choose the menu Firewall → MAC Filtering → MAC Filtering to load the following page.
    [Figure 3-54 MAC Filtering: General (Enable MAC Filtering; Permit MAC Addresses listed below and deny the rest; Deny MAC Addresses listed below and permit the rest); MAC Address (MAC Address, Description); List of Rules with columns No., MAC Address, Description, Action]
    The following items are displ
144. t to the specified server.
    The Logs of switch are classified into the following eight levels:
    Emergency: The system is unusable
    Alert: Action must be taken immediately
    Critical: Critical conditions
    Error
    Notice
    Debug
    Chapter 4 Application
    4.1 Network Requirements
    The company has established the server farms in the headquarters to provide the Web, Mail and FTP services for all the staff in the headquarters and the branch offices, and to transmit the commercial confidential data to its partners. The dedicated line access service was used by this company, which costs greatly in network maintain and cable layout. With the business development of the company, it's required to establish an effective, safe and stable network with low cost for this company. The detailed requirements are as follows:
    Internet Access: This company has terminated the dedicated line access service but maintained one dedicated line as the backup line, and has applied a high-bandwidth Fiber Access as the main line.
    Remote Access: It's required to build an effective and safe communication among the headquarters and the branch offices, allow the staff on business to access the Mail Server and FTP Server in LAN, and provide the remote access services for the cooperated partners.
    Network Management: To avoid some of the staff using IM/P2P application at the working time to occupy a lot of network bandwidth, it's requir
145. tatic IP.
    Status: Enable or disable RIP protocol.
    RIP Version: Select RIPv1 or RIPv2. RIPv2 supports multicast and broadcast.
    Password Authentication: If RIPv2 is enabled, set the Password Authentication according to the actual network situation, and the password should not be more than 15 characters.
    All Interfaces: Here you can operate all the interfaces in bulk. All the interfaces will not apply RIP if Enable option for All Interfaces is selected.
    List of RIP
    After RIP is enabled, the information of RIP forwarding the packets received by the Router will be displayed in the list.
    The first entry in Figure 3-48 indicates: when receiving packets with destination IP is 116.10.20.28, the Router will select WAN1, which is in the same network with the destination IP, as next hop and forward data via this port. The IP address of next hop is 116.10.1.254 and the hop count is 1. The effective time of this entry is 1 second.
    Note:
    • RIP function cannot be set if the Router is in NAT Mode. To set RIP function, please change the System Mode to Routing or Full Mode.
    • The RIP function of WAN port takes effects only when the Connection Type of this WAN port is Static IP.
    3.4.5.3 Route Table
    This page displays the information of the system route table. Choose the menu Advanced → Routing → Route Table to load the following page.
    [Page fields: Route Table with columns No., Destination, Gateway, Flags, Logical Interface, Physical Interface, Metric]
146. ted Bandwidth (Up/Down), Effective Time, Status [settings table; values: LAN > WAN1, group1, Individual, 100, 800, Keep the default value, Activate]
Click the <Add> button to apply.
[Figure 4-14 Bandwidth Control Rule: fields Direction, Group, Mode, Guaranteed Bandwidth (Up), Limited Bandwidth (Up), Guaranteed Bandwidth (Down), Limited Bandwidth (Down), Effective Time, Description, Status; Guaranteed Bandwidth range 10-1000000 Kbps; Limited Bandwidth 0 or 10-1000000 Kbps, 0 means no limit]
4.3.3.4 Session Limit
Choose the menu Advanced > Session Limit > Session Limit to load the configuration page. Check the box before Enable Session Limit and click the <Save> button to apply. Then continue with the following settings:
Group: group1
Max Sessions: 250
Status: Activate
Click the <Add> button to apply.
[Figure 4-15 Session Limit: General (Enable Session Limit) and Session Limit (Group, Max Sessions 30-1000, Description, Status)]
4.3.4 Network Security
You can enable the IP-MAC Binding function to defend the ARP attack from local
147. ted if 11n only mode is selected. The router will not work in 11n mode if bgn mixed mode and TKIP encryption are both selected. TKIP is an encryption option of the WPA-PSK/WPA2-PSK2 and WPA/WPA2 Auth type.
> List of Group
In this table, you can view the information of the multi-SSID and edit them by the Action buttons. The first entry in Figure 3-25 cannot be configured here. To edit it, please go to 3.2.1.1 Wireless Setting.
Tips:
• The WDS function will be disabled if Multi-SSID is enabled.
• Up to 7 new SSIDs can be added to the router.
• The router allows only one SSID to use WEP Auth.
3.2.1.3 WDS
With the WDS function, the Router can bridge two or more WLANs. Choose the menu Wireless > Wireless Setting > WDS to load the following page.
[Figure 3-26 WDS Configuration: General (WDS, Scan) and Parameter (SSID to be bridged, BSSID to be bridged, Key Type, WEP Key Index, Auth Type, Key)]
> General
WDS: Enable or disable the WDS function. With this function, the Router can bridge two or more WLANs.
Scan: Click this button, you can search the AP which runs in the current channel.
> Parameter
SSID (to be bridged): The SSID of the AP your Router is going to connect to as a client. You can also use the search function to select the SSID to join. T
148. ter has successfully obtained the IP parameters from your ISP.
• Disconnected indicates that the IP address has been manually released or the request of the Router gets no response from your ISP. Please check your network connection and consult your ISP if this problem remains.
Displays the IP address assigned by your ISP.
Displays the Subnet Mask assigned by your ISP.
Gateway Address: Displays the Gateway Address assigned by your ISP.
Primary DNS: Displays the IP address of your ISP's Primary DNS.
Secondary DNS: Displays the IP address of your ISP's Secondary DNS.
3) PPPoE
If your ISP (Internet Service Provider) has provided the account information for the PPPoE connection, please choose the PPPoE connection type (Used mainly for DSL Internet service).
[Figure: PPPoE Settings, PPPoE Advanced Settings, Secondary Connection and PPPoE Status screen]
149. ternal ports can be the same.
> List of Rules
In this table, you can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-36 indicates: This is a Virtual Server entry named host, all the TCP data packets from WAN1 to port 65534-65535 of the Router will be redirected to the port 65534-65535 of the LAN host with IP address of 192.168.0.103, and this entry is activated.
3.4.1.5 Port Triggering
Some applications require multiple connections, such as Internet games, video conferencing, Internet calling, P2P download and so on. Port Triggering is used for those applications requiring multiple connections. When an application initiates a connection to the trigger port, all the ports corresponding to the incoming port will open for follow-up connections. Choose the menu Advanced > NAT > Port Triggering to load the following page.
[Figure 3-37 Port Triggering: fields Interface, Trigger Port, Trigger Protocol, Incoming Port, Incoming Protocol, Status; List of Rules]
The following items are displayed on this screen:
> Port Triggering
Name: Enter a name for Port Triggering entries. Up to 28 characters can be
150. tes All the packets with Source IP between 192.168.0.100 and 192.168.0.199 and Destination IP between 116.10.20.28 and 116.10.20.29 will be forwarded from WAN1 port, regardless of the port and protocol. This entry is activated and will take effect at 8 am to 10 pm from Monday to Friday.
3.4.4.3 Link Backup
With Link Backup function, the Router will switch all the new sessions from dropped line automatically to another to keep an always on-line network. On this page, you can configure the Link Backup function based on actual need to reduce the traffic burden of WAN port and improve the network efficiency. Choose the menu Advanced > Load Balance > Link Backup to load the following page.
[Figure 3-45 Link Backup: General settings (Primary WAN, Backup WAN, Mode, Backup Effective Time, Status) and List of Rules]
The following items are displayed on this screen:
> General
WAN Ports: Displays all the WAN ports in use. You can drag the light-blue WAN button to primary and backup WAN list. The color of WAN button changing to gray indicates that the WAN port is already in the primary and backup WAN list.
WAN Config: The WAN port in the secondary WAN list
151. to MAC address mapping entries, and then the device will automatically update the ARP table after receiving wrong ARP packets, which results in a breakdown of the normal communication. Thus, ARP defense technology is generated to prevent the network from this kind of attack.
3.5.1.1 IP-MAC Binding
IP-MAC Binding functions to bind the IP address, MAC address of the host together and only allows the Hosts matching the bound entries to access the network. Choose the menu Firewall > Anti ARP Spoofing > IP-MAC Binding to load the following page.
[Figure 3-50 IP-MAC Binding: General options (Enable ARP Spoofing Defense; Permit the packets matching the IP-MAC Binding entries only; Send GARP packets when ARP attack is detected, with Interval in ms; Enable ARP logs), IP-MAC Binding fields (IP Address, MAC Address, Description, Status) and List of Rules]
The following items are displayed on this screen:
> General
It is recommended to check all the options. You should import the IP and MAC address of the host to IP-MAC Binding List and enable the corresponding entry before enabling "Permit the packets matching the IP-MAC Binding entries only". When suffered ARP attack, the correct ARP information will be sent to the device suffering attack initiatively by GARP
152. try Times to make sure the connection is still alive. If the Router does not get the response from ISP after sending keep-alive packets, then the Router will terminate the connection.
MTU: MTU (Maximum Transmission Unit) is the maximum data unit transmitted by the physical network. It can be set in the range of 576-1492. The default MTU is 1480. It is recommended to keep the default value if no other MTU value is provided by your ISP.
ISP Address: Optional. Enter the ISP address provided by your ISP. It's null by default.
Service Name: Optional. Enter the Service Name provided by your ISP. It's null by default.
Primary DNS: Enter the IP address of your ISP's Primary DNS.
Secondary DNS: Optional. Enter the IP address of your ISP's Secondary DNS.
Secondary Connection: Here allows you to configure the secondary connection. Dynamic IP and Static IP connection types are provided.
Connection Type: Select the secondary connection type. Options include Disable, Dynamic IP and Static IP.
IP Address: If Static IP is selected, configure the IP address of WAN port. If Dynamic IP is selected, the obtained IP address of WAN port is displayed.
Subnet Address: If Static IP is selected, configure the subnet address of WAN port. If Dynamic IP is selected, the obtained subnet address of WAN port is displayed.
Status: Displays the status o
153. unication Network protocol
Telnet is used for remote terminal connection, enabling users to log in to remote systems and use resources as if they were connected to a local system.

Glossary / Description
UDP (User Datagram Protocol): UDP is a simple protocol that exchanges datagram without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols.
UPnP (Universal Plug and Play): UPnP is a set of networking protocols for primarily residential networks without enterprise class devices that permits networked devices
URL (Uniform Resource Locator): URL describes the access method and the location of an information resource object on the Internet.
VLAN (Virtual Local Area Network): Group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.
VPN (Virtual Private Network): Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another.
WAN (Wide Area Network): Data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers.
154. will send Tracert packets to test the connectivity of the gateways during the journey from the source to destination of the test data, and the results will be displayed in the box below.
On this page, you can detect the WAN port is online or not. Choose the menu Maintenance > Diagnostics > Online Detection to load the following page.
[Figure 3-92 Online Detection: General (Port, Detecting, Mode, Ping, DNS Lookup) and List of WAN Status (Port, Detecting, WAN Status)]
The following items are displayed on this screen:
> General
Port: Select the port to be detected.
Detecting: Activate or inactivate Online Detection function. When Online Detection is active, WAN status will depend on the result of both PING and DNS Lookup. When Online Detection is inactive, WAN status will be detected according to physical connection status and dial-up status.
Mode: Detect automatically or Manually. In Auto mode, gateway will be selected as destination for PING detection; DNS server of WAN port will be selected as destination for DNS Lookup. In Manual Mode, you can configure the destination for PING and DNS Lookup manually.
Ping: Enter the destination IP for Ping in Manual mode. 0.0.0.0 means PING detection is disabled
155. will share the traffic for the WAN in the primary WAN list under the specified condition.
Mode: You can select Timing or Failover Mode.
Timing: Link Backup will be enabled if the specified effective time is reached. All the traffic on the primary WAN will switch to the backup WAN at the beginning of the effective time; the traffic on the backup WAN will switch to the primary WAN at the ending of the effective time.
Failover: Specify the premise for Failover Mode. The backup WAN port will be enabled only when the premise is met.
Backup Effective Time: Specify the backup effective time if Timing Mode has been selected. Then the backup WAN port will be enabled, while the primary WAN port is disabled in the specified time period. When the start time you enter is not earlier than the end time, the default effective time is from the start time of the day to the end time of the next day.
Status: Activate or inactivate the entry.
> List of Rules
You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-45 indicates: WAN1 is the primary port and WAN2 is the backup port; WAN2 will be enabled while WAN is failed. This entry is enabled.
Note: The same WAN port cannot be added to the primary and secondary WAN lists at the same time, and one WAN port should be added to only one list.
3.4.4.4 Protocol
On this page, you can specify the protocol for routing rules conveniently. A p
156. ys the detailed traffic information of each port and extra information of WAN ports. Choose the menu Maintenance > Statistics > Interface Traffic Statistics to load the following page.
[Figure 3-89 Interface Traffic Statistics: Interface Traffic Statistics table (Interface, Rate Rx (Kbps), Rate Tx (Kbps), Packets Rx (Pkt), Packets Tx (Pkt), Bytes Rx (Byte), Bytes Tx (Byte)) and Advanced WAN Information table (Interface, IP Fragments Rx (Pkt), Abnormal IP Packets Rx (Pkt))]
The following items are displayed on this screen:
> Interface Traffic Statistics
Interface: Displays the interface.
Rate Rx: Displays the rate for receiving data frames.
Rate Tx: Displays the rate for transmitting data frames.
Packets Rx: Displays the number of packets received on the interface.
Packets Tx: Displays the number of packets transmitted on the interface.
Bytes Rx: Displays the bytes of packets received on the interface.
Bytes Tx: Displays the bytes of packets transmitted on the interface.
> Advanced WAN Information
Interface: Displays the interface.
IP Fragment Rx: Displays the amount of IP Fragments received by WAN port.
Abnormal IP Packets Rx: Displays the rate for transmitting data frames.
3.8.4.2 IP Traffic Statistics
IP Traffic Statistics screen displays the detailed traffic information of each PC on LAN. Choose the menu Maintenance > Statistics > IP Tr