User manual INTELLINET 516211

Broadband Router User Guide Broadband Router User Guide March, 2001 Limitation of Liability Information in this document is subject to change without notice. The material contained herein is supplied without representation or warranty of any kind. Therefore assumes no responsibility and shall have no liability of any kind arising from the supply or use of this document or the material contained herein. 1 About This User Guide Welcome to the Networking world of multifunction routers! Thank you for investing in a Broadband Router. We are dedicated to provide the most efficient, easy to configure, and trouble free equipment in the networking industry. This manual is intended as a basic introduction to your Broadband Router. It supplies enough information to make the Broadband Router operational in most common environments: connecting to the Internet , receiving calls from dial-in users, or connecting to another network through the telephone network. We'll describe how to use your web browser to configure the Broadband Router and to perform some basic operations, e.g. upgrading the software, or viewing the connection log, a task which may be useful in ongoing operations. Finally, we'll tell you how to obtain information and help for subjects that are beyond the scope of this manual. This manual consists of seven chapters and three appendixes: Chapter One: Introduction, explains the features and capabilities of the Broadband Router. Chapter Two: Installing the Broadband Router, gives the simple steps you follow to install the Broadband Router and configure your workstations. Chapter Three: Configuring the Broadband Router, explains how to log in to the ARM Manager, describes the browser screen, and provides the steps needed to configure your Broadband Router for specific applications. It provides easy-to-follow instructions for quick Internet access and provides a guide to the most popular Broadband Router configurations. Chapter Four: Advanced Configuration, provides information on advanced router configuration setup. Chapter Five: Managing the Broadband Router, explains the management features of the Broadband Router. Chapter Six: Messages, lists messages you may see in the ARM message window, and what they mean. Appendix A: Specifications Appendix B: Glossary Appendix C: Warranty, Copyright, FCC Notice Safety Warnings · · The Broadband Router is not intended to be serviced by the user. Do not open the case. This product is intended to be supplied by a Listed Direct Plug-In Power Unit marked "Class 2" and rated 9 V ac, 1 A. Contents Chapter 1 Introduction? Overview of the Broadband Router Multifunction Router Broadband Router Applications Accessing the Internet Accessing Servers from the Public Network Creating a Virtual Private Network (VPN) A Configuration Example A Security Overview A Physical Look at the Broadband Router The Connectors on the Back The LEDs on the Front Chapter 2 Installing the Broadband Router Installing the Broadband Router Setting Up a Windows PC for Configuring the Broadband Router Connecting more Devices through a Hub to the Broadband Router Chapter 3 Configuring the Broadband Router Internet Access in Five Minutes Using Different Browsers for Broadband Router Configuration Logging On Customizing the ARM for Your Specific Needs Overview of The ARM Browser Screen What is a Connection Profile? Selecting Internet Access Interface Configuring a Basic Internet Access Profile via EWAN Setting Up Internet Access with Advanced Features Modifying Public and Private IP Addresses Setting the System Time Setting Internet Access Time Restrictions Chapter 4 Advanced Configuration Configuring and Using Port Address Translation Configuring Port Address Translation Static DHCP Assignments Creating VPN Connection Profiles To Configure VPN Remote Office Access Profiles Set up a VPN Connection Profile Advanced Options Setup Packet Filtering A Packet Filtering Overview Configuring IP Packet Rules Configuring IPX Packet Rules To Configure Advanced IP Settings iii To Configure Advanced IP Settings The IP Routing Table To Configure IPX Settings The IPX Routing Table The IPX SAP Table To Enable Bridging Learning Chapter 5 Managing the Broadband Router How to View the Connection Log How to Upgrade the Broadband Router Features/Software How to Save or Clear Configuration Changes How to Reset the Broadband Router How to Change the ARM Password What if I Forget the Password? How to Customize the ARM Interface How to Configure General System Settings Chapter 6 Messages Messages Appendix A Broadband Router Specifications Appendix B Glossary Appendix C Warranty, Copyrights, FCC Notice Warranty Copyrights FCC Part 15 Notice iv 1Broadband Router 1 Introduction This chapter gives the introduction to the Broadband Router. What' in the Box? s Your Broadband Router box should contain the items listed below · · · · 1 Broadband Router 1 AC Adapter, AC 9V 1A 1 female to female 9 pin cable to connect PC COM port and Broadband Router Console port. 1 UTP CAT5 crossover LAN cable to connect EWAN port and ADSL / Cable Modem Note: · · · Some Cable Modems use straight through cable 1 CD-ROM containing the online documentation 1 Quick Start Guide 1 Warranty and registration card Overview of the Broadband Router The Broadband Router is a small desktop router that sits between your local Ethernet network and a remote network (e.g., the Internet or a remote office). The Broadband Router contains an EWAN port connecting to Internet via external ADSL/Cable modem , a COM port worked as a managemant Console , and a one-port 10/100 Ethernet switch. Data comes into the Broadband Router from the local LAN and then is "routed" to the remote network . In addition to its capability to route IP/IPX traffic, the Broadband Router also acts as a bridge for other network protocols, such as Appletalk or SNA. Broadband Router Applications The main functions of the Broadband Router -to allow devices on your LAN to access the Internet, -to access servers from the public network, -to create Virtual Private Network (VPN). Accessing the Internet The most common use for the Broadband Router is to provide Internet access, so that everyone on your LAN can surf the web and send/receive email or files. 1-1 The Broadband Router automatically acquires the necessary IP address when the connection to the Internet is established. You don't need to apply for and assign an IP address to each PC or workstation on your network. ivate wide area network with Broadband Router via external ISDN TA/modem and provide Internet access for everyone on your LAN to surf the web and send/receive email or files simultaneously Figure 1-1 Internet Access Accessing Servers from the Public Network If you want special servers to be accessible by remote users across the Internet (e.g., an e-mail server, an FTP server, or a web server), you can configure the Broadband Router to proxy the service from its own address. This means that the remote user can address the router as if it were the special server and the Broadband Router will redirect this connection to the appropriate computer on the network. Creating a Virtual Private Network (VPN) Virtual Private Networking (VPN) provides a means to connect remote LANs over the Internet, while only local toll charges to an Internet Service Provider are incurred even if the two LANs are physically remote to each other. To create a VPN between two sites, a special connection called "tunnel" followed by a VPN data session has to be set up over the Internet. After a VPN data session is set up, data can be sent over it, optionally encrypted to prevent unauthorized access. Additionally, VPN tunnels allow IP, IPX and Bridging traffic to flow across the Internet, including NetBIOS information (for Windows networking) encapsulated within IP or IPX packets. All information required for a VPN is defined in a VPN profile, which contains, for example, the IP address of the VPN partner and authentication information (including the encryption key that is used). When a PC from one site tries to communicate with a device on the other site for the 1-2 first time, the VPN tunnel and data session establishment process will be triggered automatically. For the originating side, first the destination IP address will be used to search for the corresponding VPN profile. Based on the information conifgured in the matched VPN profile, a VPN tunnel is created, a VPN data session will be created and authentication information exchanged, then data traffic can start to flow. For the destination side, when a VPN data session creation is requested, the router will base on the originating IP address to search for a matched profile. Once found, the Broadband Router will use the information in the matched profile to authenticate the incoming "call", after which data transfer can begin. More than one VPN data sessions can be established over the same tunnel. See chapter 4 for detailed configuration instructions. Figure 1-2 Creating a Virtual Private Network A Configuration Example In Figure 1-3, two Broadband Routers are installed in two different locations. They are connected to the Internet via ADSL/Cable modem, allowing users to surf the Web. They are also connected to each other through the telephone network, forming a private company network. Figure 1-3 Connecting Two Private Networks This example also illustrates an important feature of the Broadband Router that a private device can be accessed from the Internet by mapping the application port number to a port number on the Broadband Router. In this case, an Internet user references the URL http://206.112.113.6, which was assigned to the Broadband 1-3 Router by the ISP, and the Broadband Router will translate that address to 192.168.168.112, port 80. All devices on both LANs (except for the Web servers) are configured to obtain their IP addresses automatically (i.e., from the built-in DHCP server in the Broadband Router). Since the Web Server on LAN #1 must have the same address all the time, this machine has a statically configured DHCP address. These IP addresses are only used in the local LAN environment, these devices naturally form a private network (with default IP network address of 192.168.168.0) and are not accessible by users across the Internet (if they are not mapped). In Broadband Router, it is possible to assign public IP addresses obtained from your ISP and they will be accessible by users across the Internet. These public addresses can co-exist in the same LAN private address segment. In order to let the LAN to LAN communications work, the default private network address (192.168.168.0) for one of the above Broadband Router has to be changed (to 192.168.170.0 in the above example). The traffic between these two networks is secure because data are sent across the telephone network via a direct phone call. A Security Overview More and more people are concerned about security of their data in the Internet The Broadband Router provides many ways to help make your network and your data secure: · · · · · · All dial-in users and LAN-to-LAN communications require PPP PAP/CHAP/ MS-CHAP authentication (basically user name and password) The Broadband Router also supports call-back for dial-in users - so that remote user are really who they say they are The Broadband Router uses a private IP addressing scheme to prevent devices on your LAN from access by outside users Console, Telnet and ARM support password protection DES encryption with PPP/ECP negotiation is supported for VPN connections IP packet filtering may be used to futher enhance security requirements A Physical Look at the Broadband Router The Connectors on the Back The following illustration shows the rear panel of Broadband Router. (1 )1 RJ-45 10/100 Switch connectors for connecting to PCs and workstations or connecting external Ethernet hub, or switch with uplink switch on port 1. (2) 1 RJ-45 EWAN connector for connecting to Internet via ADSL/Cable modem (3) 1 RS-232 DB-9 connector to be a Console port connecting to PC. (4) 1 AC power connector for connecting through an AC power adapter (included as part of the product) to the wall power outlet (5) 1 power ON/OFF switch 1-4 Figure 1-4 Broadband Router Connectors The LEDs on the Front There are 7 LEDs on the front of the Broadband Router that show connection and traffic status of Power, PPPoE, EWAN and LAN ports: Figure 1-5 LEDs EWAN LED1 LED2 LED3 LED4 LAN LED5 LED6 POWER LED7 ON OFF FLASH PPPoE COL PPPoE Linkage N/A No PPPoE Linkage N/A Sending or Receiving Packet Collision ACT N/A COL N/A ACT N/A 10/100 Power 100Mbps Power On N/A N/A Sending or Receiving Packet Collision N/A 10 Mbps Sending or Receiving Packet N/A Power Off N/A Note: Some of the features above are optional. Please refer to Appendix A for the details. 1-5 2Broadband Router 2 Installing the Broadband Router Now you should be ready to connect your Broadband Router devices on your LAN . Follow these steps to install the Broadband Router: Step 1 Connect ADSL/Cable modem to the Broadband Router EWAN port using crossover UTP CAT-5 LAN Cable. Note: Some Cable Modems use straight through cable Step 2 Connect PCs/Workstations to the LAN port of the Broadband Router. If you are connecting a hub or switch, see "Connecting more Devices through a Hub or switch to the Broadband Router " later in this chapter. Connect the AC adapter t the Broadband Routerand an electrical outlet. Step 3 Figure 2-1 Broadband Router Connectors 2-1 Setting Up a Windows PC for Configuring the Broadband Router This section describes how to configure a PC on the LAN in order to communicate with the Broadband Router These PCs need to have an Ethernet interface cards installed, and be connected to the Broadband Router either directly( to its LAN ports) or indirectly through an external hub or switch. It shoud also have TCP/IP installed, enabled, and configured to obtain an IP address automatically( i.e., through a DHCP server). If TCP/IP is not already installed, follow the steps below for its installation. Note: Any TCP/IP capable workstation can communicate with the Broadband Router. To configure workstations other than Windows 95/98/NT, please consult the manufacturer's documentation. Step 1 Connect your PC to one of the Broadband Router Switch ports. If you connect to LAN port , you should use a straight LAN cable and set the Uplink switch to the Normal position. or use a crossover LAN cable and set the Uplink switch to Uplink. See Figure 2-3.. From the Win95/98 Start Button, select Settings, then Control Panel. The Win95/98 Control Panel displays. Double-click on the Network icon. Step 2 Step 3 Step 4 Check your list of Network Components in the Network window Configuration tab. If TCP/IP has already been installed, go to Step 8. Otherwise, select Add to install it now. Installed components Look for TCP/IP Add button Client for Microsoft Networks 2-2 Step 5 Step 6 In the new Network Component Type window, select Protocol. In the new Select Network Protocol window, select Microsoft in the Manufacturers area. Select Microsoft Select TCP/IP Step 7 In the Network Protocols area of the same window, select TCP/IP, then click OK. You may need your Win95/98 CD to complete the installation. After TCP/IP installation is complete, go back to the Network window shown in Step 4. Select TCP/IP in the list of Network Components. Click Properties, and check the settings in each of the TCP/IP Properties window: Step 8 Step 9 TCP/IP Properties Tabs (IP Address Tab shown) -Bindings Tab: both Client for Microsoft Networks and File and printer sharing for Microsoft Networks should be selected. -Gateway Tab: All fields should be blank -DNS Configuration Tab: Disable DNS should be selected -IP Address Tab: Obtain IP address automatically should be selected Step 10 When the Broadband Router connected to the LAN (and powered on), reboot the PC. After the PC is re-booted, you should be ready to configure the Broadband Router. See Chapter 3. 2-3 Connecting more Devices through a Hub to the Broadband Router The Broadband Router provides four switch ports to allow up to four PCs or Workstations to be connected to it directly. If you want to connect more devices, you can connect an external hub or switch to LAN port , provided LAN port has been configured as an Uplink port. Figure 2-2 Connecting a Hub or Switch to the Broadband Router The uplink switch is used to set LAN port as an uplink port. To set the uplink switch: Step 1 Plug one end of a normal UTP CAT-5 cable into Port of the Broadband Router , and the other end of the UTP CAT-5 cable into any normal Ethernet hub, or switch. Set the switch to the Uplink position. See Figure 2-3 Step 2 Figure 2-3 Uplink Switch 2-4 3Broadband Router 3 Configuring the Broadband Router Once you have completed the installation stage and have configured a PC properly as described in chapter two, you are ready to configure the Broadband Router for actual applications. This chapter describes how to configure your Broadband Router for basic Internet access, as well as for the following configurations: · · · To set up Internet access with advanced features To set the system time To configure Internet access time restrictions Internet Access in Five Minutes In this section you will be shown how to configure the Broadband Router for basic Internet access in less than five minutes using the web browser-based Acess Router Manager (ARM). Using Different Browsers for Broadband Router Configuration To configure your Broadband Router, you can use popular browsers such as Netscape 4.5 and Internet Explorer 5.x. The following describes, after each browser is brought up, how to use it to start the ARM interface: Netscape Navigator 4.5 (or newer): In the Location box (where you normally enter the URL address), enter the default private IP address of the Broadband Router followed by hitting the return key: http://192.168.168.230 Internet Explorer 5.0 (or newer): In the Address box (where you normally enter the URL address), enter the default private IP address of the Broadband Router followed by hitting the return key: http://192.168.168.230 Logging On After entering the default IP address as described above, a password prompt screen 3-1 will ask you to log on. If you are logging on for the first time, you should accept the factory default password (which is "password"). The password is always displayed as a string of asterisks ("*"). Clicking the Log On button will begin a Access Router Manager (ARM) session. The next time you log in, even if you have modified the password , the default password ("password") will still be used as the default. You need to change it to the correct password before you will be let in. No matter what password you use, each character will always be displayed in the logon prompt as a "*". If you forget the password, you need to follow steps described in chapter 5 to be able to log on. The Broadband Router comes with a basic feature set installed. If you have purchased additional features from your distributor, you will also be given a "feature key". In this case, you will need to click the box below the Log On button that says "Check here to install additional features" before you click the Log On button. 3-2 Customizing the ARM for Your Specific Needs When you log on for the first time, the ARM Customization screen will be automatically displayed, allowing you to customize the ARM session to suit your own specific needs: The choices available depend on what feature keys have been installed. The selections you make determine what configuration menu and buttons will appear in the ARM interface. For example, if you select Basic Internet Access only, the ARM interface will display only buttons and screens that you need for basic Internet access. If you subsequently use ARM to configure the Broadband Router for other applications, you can return to this ARM Customization screen to "re-customize" your ARM interface by selecting Customize User Interface from the ARM Menu (on the left hand side of the ARM interface). Basic Internet Access Select this option if you need basic Internet access. This will enable you to configure Internet Access for all of your LAN users. Internet Access with Advanced Configuration Select this option if you want to configure advanced options, such as changing the private IP address (e.g., when you intend to create your own private WAN among multiple Broadband Router ), or adding a public IP address (e.g., when you want to install servers on the LAN which are accessible from the Internet). Share Netware (IPX) Resource(optional) Select this option if you use Novell servers on your network and want to allow dial-in users or remote offices to share them. Note: The choice displayed in this screen depend on the feature keys which are installed in your system. Overview of The ARM Browser Screen Before you begin the configuration, take a moment to look at the ARM screen. Look for these areas: 3-3 · · · · ARM Menu Configuration Window Message Window Status Window AAARM Menu AAMessage Window AAConfiguration Window ARM Menu This part of the browser screen contains items you can click to display the various screens for configuring your Broadband Router, including EWAN, connection profiles, and protocols, as well as system monitoring, tools, and help. Configuration Window This is the window where the actual configuration screens appear. Before any selection of the configuration is made, the window shows a picture of the Broadband Router with cables and peripheral devices that can be connected to it. Message Window Whenever appropriate, the Broadband Router will display system status or error messages in this window. For example, when you try to connect to the Internet, if you had configured your password incorrectly, the message window will display an appropriate message. System Status Monitoring Window This section displays statistics and the status of all interfaces.This window is invoked 3-4 as a separate browser screen from the main ARM browser screen and appears automatically each time you start ARM. If you close this window, you can always restart it or bringing it to the foreground by clicking Monitoring - System Status from the ARM Menu. It does not contain any toolbars or browser menu buttons. Although the main ARM screen will timeout, this screen will not, and will continue to be operational as long as it is active. Device LAN EWAN Status Up Down Xmt Pkts 192 0 Rcv Pkts 191 0 Err Pkts 0 0 Disconnect Clear The following statistics are reported for each interface: Device: lists all interfaces, including both the physical interface (i.e., the LAN port, the EWAN port). Status: indicates the current state of the interface: (I) For LAN: this will always show Up. (II) For EWAN: (i) PPPoE: profile name: Sow the profile you used if the interface is up and funtioning. No call: Means that this interface is not connected and the profile of EWAN port is idle. Down: Means that this interface is not connected and no EWAN profile added. (ii) DHCP & No: profile name: Show the profile you used if the interface is up and funtioning. Down: Means that this interface is not connected. Xmt Pkts: indicates the number of packets that have been transmitted through the interface. Rcv Pkts: indicates the number of packets that the interface has received. Err Pkts: indicates the number of error (bad) packets that have been received. Disconnect: if an active interface has been selected (highlighted), clicking this button will cause the connection to be taken down. The LAN interface is not affected by this operation. Clear: resets the selected statistics values to zero. 3-5 What is a Connection Profile? To access the Internet, you need to apply for an account with an ISP (Internet Service Provider), who will provide you the ISP Account name and ISP Account Password that you need to call, as well as phone number if necessary to dial-up to your ISP. You need to enter such information into a "connection profile" in the Broadband Router. Likewise, a connection profile needs to be created for each dial-in user, each remote office, or each VPN user. Essentially, a connection profile contains all information that the Broadband Router needs to access the Internet, or support a remote dial-in user, or set up a connection with a remote office, or create a VPN. Such information includes dial-up phone numbers, authentication information (the local user name and password and possibly the remote site user name password), plus other information that may be required for the communication. Selecting Internet Access Interface Select EWAN port to connect ADSL/Cable Modem. The following screen show you the interface configuration ,please select EWAN to be your interface from the Broadband Router. Configuring a Basic Internet Access Profile (via EWAN) To configure an Internet access connection profile, from the ARM menu, press Connection Profiles. If there are no other profiles at this point, you will immediately enter a profile configuration screen. First decide what interface to use for Internet access. Step 1 Note: The ARM Customization screen is displayed the very first time you invoke the ARM tool. To return to this screen, select Customize User Interface from the ARM Menu. 3-6 Enter the following information: Profile Name: the name that you will use to identify this Internet access profile. Obtain IP Addresses Automatically: Please specify IP address , netmask,gateway and domain name server assigned by ISP. EWAN IP Address: the IP address of your EWAN. EWAN IP Netmask: the IP Netmask of your EWAN. ISP Gateway IP Address: the IP address of your ISP Gateway Primary DNS IP Address: the IP address of primary domain name server Secondary DNS IP Address: the IP address of secondary domain name server Note: Step 2 After configuring each item, please go to step 4. If you choose "via DHCP" the following items will appear. Please enter the following information: Profile Name: the name that you will use to identify this Internet access profile. Obtain IP Addresses Automatically: get the IP address via DHCP 3-7 (Optional) Host Name (System Name): the Host Name provided by your system. Note: After configuring each item, please go to step 4. Step 3 If you choose "via PPP over Ethernet" the following items will appear. Please enter the following information: Profile Name: the name that you will use to identify this Internet access profile. Obtain IP Addresses Automatically: Some DSL-based ISPs use PPPoE to establish communication with end-users. ISP Account Name: the username of your ISP account ISP Account Password: the password of your ISP account (Optional) Service Name: the Service Name provided by your ISP, if one is required, otherwise, leave it empty (Optional) Access Concentrator Name: the Access Concentrator Name provided by your ISP, if one is required, otherwise, leave it empty Idle Timeout(0-3600 seconds): The default value of the idle timeout is 120 seconds. It represents the number of seconds of inactivity over the connection: when this value is reached, the Broadband Router will disconnect the call. You can change the idle timeout value to anything between 0 to 3600 seconds. But if you select 0, the connection will never time out. (Optional) Host Name (System Name): the Host Name provided by your system. Note: Step 4 After configuring each item, please go to step 4. Click APPLY or APPLY and Test 3-8 Note: When you click Apply or Apply and Test , the Broadband Router connects to your Internet Service Provider. Watch the Message Window for any messages. If the test is successful, your users will be ready to access the Internet. If not, the Broadband Router will try to give you enough information to let you know why the connection is not successful. If Apply or Apply and Test is successful, users on your LAN can now start to access the Internet. However, it is required that these devices have also been configured to obtain IP addresses automatically, as described in Chapter 2. Users may need to re-boot their computers in order to obtain the DNS information obtained dSetting Up Internet Access with Advanced Features When you check the box, Internet Access with Advanced Configuration on the ARM Customization Screen, additional configuration choices become available during your ARM configuration session. For example, some of these choices will allow you to , modify the Broadband Router private IP address, and/or assign a public IP address. Note: After you change the private IP address of a Broadband Router , all devices on your LAN will no longer be able to communicate with it. You need to reboot all devices in order for them to be able to communicate with the Broadband Router again. (Rebooting each device will cause them to acquire a new private IP address and default Gateway within the re-configured network from the Broadband Router). In order for the Broadband Router to support public servers for access by the Internet, you need to create a "public" network on your LAN. This can be done in one of two ways. Use Network Address Translation to map the application to be accessed from the Internet. This procedure is described in the section "Port Address Translation" in Chapter 5, or acquire public IP addresses., from your ISP and assign it to the router and to the public devices on your LAN. The procedure to assign a public IP address to the router is described below. Note: The ARM Customization screen displays the very first time you invoke the ARM tool. To return to this screen, select Customize User Interface from the ARM Menu. Modifying Public and Private IP Addresses You can use the IP screen to enter a public IP address, modify a private IP address, modify or enter DNS addresses configure WINS addresses and node type or enable or disable the DHCP service. Step 1 Select IP from the ARM menu: Configuration - Advanced IP 3-9 Then the following screen displays: Step 2 Enter the following information: Note: To install publicly addressed servers on your network (e.g., Web or ftp servers), you need to apply for an IP address for each server plus one for the LAN port of the Broadband Router. All these public IP addresses have to belong to the same IP network. Public IP Address: the public IP address for the LAN interface on the Broadband Router. Internet EWAN Interface (IP address usually assigned by ISP) LAN Interface Public IP address Private IP address Public computers on your public network Private workstations on your private network Public IP Netmask: the network mask for the public network address on your LAN. Private IP Address: the private IP address for the LAN interface on the Broadband Router. The default private IP address is 192.168.168.230. If you want to create your own private network through other Broadband Router at remote office locations, you need to make sure that each Broadband Router on each LAN is assigned an address in a unique private IP network . Note: Once you change the private IP address (e.g., from the default of 192.168.168.230 to 192.168.167.230) either from the browser or through a telnet session (which is based on the IP address), you will no longer be able to communicate with your Broadband Router. To reconnect, you need to re-boot 3-10 your computer. This is so that your device will re-acquire the IP address and default Gateway from the Broadband Router based on the new private IP network. Your device will then again be able to communicate with your Broadband Router. For the same reason, all devices on the LAN need to be restarted before they can access the Internet again. Private IP Netmask: the network mask for your private network. Its value is 255.255.255.0 and cannot be changed. The Broadband Router private address of 192.168.xxx.yyy is called a "Class C" IP address. This means that changing xxx will change the network while changing yyy will assign a different address in the same network. Primary DNS IP Address: the IP address of the primary Domain Name Server (DNS). If properly configured, when a computer re-boots and acquires the IP address from the Broadband Router, the IP addresses of both the primary and the secondary DNS server will be provided to requesting client workstations. This field will reflect the DNS addresses acquired from the ISP and will be used to assign to requesting DHCP clients (see below). You may change this address if you want another address to be assigned instead. The Broadband Router will pave any manually configured DNS addresses. Secondary DNS IP Address: the IP address of the secondary Domain Name Server. Note: When a Broadband Router connects to the ISP, it will automatically be assigned the IP address of a primary Domain Name Server (DNS), as well as the IP address for a secondary DNS. DHCP: this enables or disables the Broadband Router Dynamic Host Configuration Protocol (DHCP) feature. If you want the Broadband Router to act as a DHCP server and assign private IP addresses to any requesting DHCP client, make sure DHCP is enabled (the default). When enabled, the Broadband Router will provide an IP address, network mask, gateway address (the Broadband Router private IP address), DNS addresses WINS server address and windows node type to any workstations on the local area network that are configured as a DHCP client. Note: Devices on your network that are configured with public IP addresses are not DHCP clients. Therefore, you need to assign their IP addresses, network mask, default gateway's IP address, primary and secondary DNS IP addresses manually. MAC Address cloning: Some ISPs may require you to register the MAC address of your card/adapter, please refer to the CLI manual. 3-11 Setting the System Time The Broadband Router maintains a real-time clock which is automatically set to the local time of the management PC the first time a connection is made to ARM. To modify the Broadband Router clock, follow the steps below. The time is used to provide time stamps for Connection Log and System Log entries. It is also used for determining Internet access restrictions (see the section, "Setting Internet Access Time Restrictions", below). Since the Broadband Router does not contain a backup battery for the real-time clock, the time will not be maintained across system resets or power cycles. Therefore, after a reset or power cycle, the clock will not be correct. To set the clock once again, simply log on to ARM. Note that the time zone and daylight savings time indicator are saved across power cycles. Note: The System Time menu choice will not be shown if only Basic Internet Access was selected in the ARM Configuration screen To view or change the system time settings, select System Time from the menu: Configuration - Advanced - System Time The following screen displays: System Time Setting Current Router Time 04/13/99 16:20:09 and Time Zone: GMT -8, Daylight Saving Time Proposed Router Time Daylight Savings Time 04/13/99 16:20:09 Select to Change the Time Zone for the Router Location (GMT-08:00)Pacific Time(US & Canada); Tijuana APPLY Step 1 Step 2 Select the Time Zone of the router location from the selections in the dropdown list (if needed). Check the Daylight Savings Time box, if appropriate. Note that the setting for Daylight Savings Time does not change automatically. Setting the system time between Standard Time and Daylight Savings Time must be done manually. Click Apply. The Broadband Router time and Time Zone is now reflected in the "Current Router Time" box. Step 3 Note: The proposed Router Time is always based upon the time set in the management PC, adjusted for the selected Time Zone. 3-12 Setting Internet Access Time Restrictions For cost, security and efficiency reasons, you may want to adjust the times when the Broadband Router will be allowed to automatically connect to the Internet. A simple setup screen is used to enter the days of the week and the hours of the day during which Internet access is allowed. The Broadband Router will not connect to the Internet outside of the configured times. In order for this feature to be effective, the Broadband Router must be configured for the current local time. To do this, see the section, "Setting the System Time" , above. Note, however, that if for some reason the Broadband Router is reset or powercycled, the previous time setting will be lost. Until you once again set the time, the Broadband Router will either allow Internet access or not, depending upon a setting which is configured below. To view or change Internet access time restriction settings, select Internet Access Time from the menu: Configuration - Internet Access Time The following screen is displayed: Step 1 Set the days of the week during which Internet access is allowed. Select Day Range if you want to specify a range of days. If you select All, Internet access will be allowed every day. Set the time during which Internet access will be allowed. Not that this setting is based upon a 24 hour clock. Select Time Range to enter a consecutive period of time between which Internet access is allowed. If you select All, Internet access will be allowed from midnight to midnight on the days selected in Step 1. Enter the default setting for Internet access if the router is power-cycled or reset. If you enter "Yes" (the default), then Internet access will be allowed unconditionally until the clock is set. If you enter "No", then Internet access will not be allowed until the clock is set. Click Apply to enable your settings. Step 2 Step 3 Step 4 3-13 4 4 Advanced Configuration This section covers advanced configuration of the Broadband Router. These functions include: · · · · · · · Configuring and Using Port Address Translation Static DHCP Assignments Creating Virtual Private Networking Connections Using Packet Filtering Configuring IP Settings Configuring IPX Settings Configuring Bridging Settings Configuring and Using Port Address Translation The Port Address Translation (PAT) feature of Broadband Router is a powerful and economical way of allowing Internet access to public machines on your LAN without applying for or configuring public IP addresses. It complements single IP address translation so that not only does it give users the benefits and administrative simplicity of a using a single IP address ISP account, it also provides the flexibility of a configurable combination of secure, privately addressed workstations and port mapped publicly accessible applications. You have already read about private addressing on your LAN in Chapter 1. PAT extends this concept to provide a way to specify the applications on LAN which you want Internet users to be able to access. This is done by configuring the router to reroute an Internet packet that Broadband Router receives from the Internet into the TCP or UDP port that the application uses on the privately addressed LAN machine that is actually running that application. In this manner, a privately addressed PC on your LAN that is running a Web Server, for example, may be accessed from the Internet by configuring the Broadband Router to translate all packets addressed to its public address containing the destination port 80 (the standard HTTP port), to a privately addressed NT Server, perhaps, which is running a Web Server application. The remote Internet user never knows about, nor can access, any other services running on the actual PC with which he or she is communicating. In this way a PC application is "mapped" to a port on the Broadband Router. Note: When port 80 (HTTP) and/or port 23 (telnet) is mapped to a private IP address, special consideration must given for remote administration of the Broadband Router since those are the ports which are normally used for the browser-based ARM interface , respectively.When port 80 is re-mapped, remote administrators must remap port 80 on the router to another port. Thus, the remote administrator may then invoke ARM using the re-mapped port. Note that, using the extended URL format, if ARM were re-mapped to port 8080, the URL for accessing this location is http:// 192.168.168.230:8080.When port 23 is re-mapped, remote administrators must re- 4-1 map port 23 on the router to another port. Configuring Port Address Translation Each application that is to be mapped requires an entry to be configured in the Address Translation Table. To access this table perform the following steps: Step 1 Select Internet Access with Advanced Configuration in the ARM Configuration screen. Note: The ARM Configuration screen is displayed the very first time you run the ARM software. To return to this screen, select Customize User Interface from the menu. Step 2 Select IP from the Menu: Configuration - Advanced - IP Step 3 At the bottom of the System IP Configuration screen press the button marked Address Translation. Step 4 Add an entry to the IP Address Translation Table by clicking the Add button at the bottom of the table. 4-2 IP Address Translation Configuration Static Address Translation Public Port Number 123 Private IP Address 192.168.168.101 Private Port Number 1201 Add Edit Delete Refresh Step 5 From Add a Static Entry screen configure the following information: IP Address Translation Configuration Add a Static Entry Add Address Translation Public Port Number Private IP Address Private Port Number 236 192 . 168 . 168 . 122 Default Entry Static Entry 8236 APPLY CANCEL Add Address Translation: Select the type of entry being configured. There may be one and only one Default Entry configured in the router. The Default Entry is a device to which Internet requests will be sent if no other match is found in the Address Translation Table. If you select Default Entry, the Private Port Number selection does not appear. The Static Entry selection is used to define a device which will receive the request whose target port number is specified in Public Port Number. Public Port Number: This is the TCP or UDP port contained in the received IP packet from the Internet. This port number will be translated into the port number specified in the Private Port Number field. Private IP Address: The private address specified here will be the translated destination of the IP packet received from the Internet. Private Port Number: This is the port number on the device with the IP address specified in Private IP Address to which the IP packet will be sent. Step 6 Step 7 Press Apply to enter the configured Address Translation Table entry. The screen will revert to the Address Translation Table display with the new entry added. From this screen, you may select an entry and then press 4-3 Edit to edit the selected entry, press Delete to delete the selected entry, press Refresh to refresh the display, or press Add to add another entry. Static DHCP Assignments In certain LAN environments, it is desirable for some PCs to be assigned the same address each time it queries a DHCP server. Broadband Router is capable of configuring up to 20 such PCs for static assignments. Each PC that is to be assigned a static address requires an entry to be configured in the DHCP Static Assignment Table. To access this table perform the following steps: Step 1 Select Internet Access with Advanced Configuration in the ARM Configuration screen. Note: The ARM Configuration screen is displayed the very first time you run the ARM software. To return to this screen, select Customize User Interface from the menu. Step 2 Select IP from the Menu: Configuration - Advanced Features - IP Step 3 At the bottom of the System IP Configuration screen press the button marked Static DHCP. Step 4 Add an entry to the DHCP Static Assignment Table by clicking the Add 4-4 button at the bottom of the table. DHCP Configuration Static Assignment Table Name Bing IP Address 192.168.168.95 MAC Address 00-aa-00-62-c6-09 Add Edit Delete Step 5 From the Add a Static Entry screen configure the following information: DHCP Configuration Add a Static Entry Name IP Address MAC Address Julia 192 . 168 . 168 . 122 00-40-05-35-db-4a APPLY CANCEL Name: Enter a convenient display name for this resource. IP Address: The IP address to be consistently assigned to this device MAC Address: The hardware address associated with the Ethernet adapter which is permanently assigned to this machine. Note that dashes must separate each pair of hexadecimal digits. Step 6 Step 7 Press Apply to enter the configured DHCP Static Assignment Table entry. The screen will revert to the DHCP Static Assignment Table display with the new entry added. From this screen, you may select an entry and then press Edit to edit the selected entry, press Delete to delete the selected entry, or press Add to add another entry. Creating VPN Connection Profiles Before continuing on with this section, be sure you've reviewed the section, "Accessing Servers from the Public Network" in Chapter 1. Also, make sure you have properly configured the Internet access profile( as detailed in Chapter 3) before attempting to send traffic through VPN tunnels. 4-5 Note: To configure VPN connection, you must have the VPN feature key installed. When you set up your VPN, keep in mind that the VPN connection (the "tunnel") emulates an actual hardware wide area network port. After setting up your VPN tunnel, you can create a connection profile to allow access to and from a remote site. VPN connections are created automatically as a result of a reference by a LAN user to a resource reachable through a VPN connection. To Configure VPN Remote Office Access Profiles In order to set up access to and from a remote site, be sure to configure both ends of the VPN tunnel appropriately (the remote router and the local router). Broadband Router supports for the Layer 2 Tunneling Protocol(L2TP), which was the original open standard for Vitual Private Networking. If you selected Access to/from Remote Site from the ARM Configuration screen, follow the steps in this section. Note: When communicating with a remote office, the private IP network must be different on both sides of the connection. To do this, follow the steps indicated in the section, "To Configure Advanced IP Settings", below. Step 1 Select Access to/from Remote Site in the ARM Configuration screen. Note: The ARM Configuration screen is displayed the very first time you run the ARM software. To return to this screen, select Customize User Interface from the menu. Step 2 Configure a VPN tunnel. Select VPN-L2TP Tunnel from the menu: Configuration - WAN Interface - VPN-L2TP Tunnel Step 3 Enter the following information: Tunnel ID: a ID by which you will refer to this VPN tunnel. Call Direction: the direction of the call in the tunnel. If the remote site 4-6 will always be creating the tunnel, select Incoming Only. If the Broadband Router will always initiate the connection to the remote site, select Outgoing Only. Select Both if either side can initiate the connection.The default setting is Both. Remote IP Address: Key in your remote side IP address when you set Call Direction to Both or Outgoing Note: If you set Call Direction to Incoming Only, the Remote IP Address field does not display. My Tunnel Name: the name that the remote system will use to recognize your network. My Tunnel Password: the password the remote system will use to authenticate your system.If the remote site does not require tunnel authentication, leave this field blank. Note: Make sure the remote site is configured with your Tunnel Name (and Tunnel Password, if used). Remote Tunnel Name: the name of the remote network that is dialing in. Remote Tunnel Password: the password that your Broadband Router will expect to see from the remote system. If you do not require tunnel authentication, leave this field blank. Step 4 Click APPLY. Set up a VPN Connection Profile Step 1 Set up a VPN Connection Profile. Select Connection Profiles from the Menu: Configuration - Connection Profiles Step 2 When you select Connection Profiles, the Connection Profile Summary screen appears only if you have existing Connection Profiles. Connection Profile Summary New New York Select a Connection Profile NEXT DELETE Step 3 Select New from the pull-down menu, and click NEXT. The Interface 4-7 Configuration screen appears. For example: Interface Configuration Select an Interface Select a Configuration Type VPN-L2TP Remote Office Access NEXT Note: If VPN-L2TP is selected as the interface, the Remote Office Access is the only Configuration Type displayed. Step 4 Step 5 Select VPN-L2TP as the interface, and check Remote Office Access from the list of configuration types. Click NEXT to continue. The Connection Profile Configuration screen appears. Connection Profile Configuration Remote Office Access by VPN-L2TP Profile Name Call Direction My Account Name My Account Password Incoming Authentication Remote Account Name Remote Account Password VPN-L2TP Tunnel APPLY and TEST NewYork CANCEL ADVANCED Both CHAP/PAP/MS-CHAP Step 6 Enter the following information: Profile Name: the name that you will use to identify this remote office dial-in/dial-out profile. Call Direction: the direction of the call in the tunnel. If the remote site will be dialing in, select Incoming Only. If the Broadband Router will be dialing out to the remote site, select Outgoing Only. Select Both if either side can initiate the connection.The default setting is Both. Note: If you set Call Direction to Incoming Only, the My Account Name and My Account Password fields do not display. If you set Call Direction to Outgoing Only, the Remote Account Name and Remote Account Password fields do not display My Account Name: the name that the remote system will use to recognize your network. My Account Password: the password the remote system will use to authenticate your system 4-8 Note: Make sure the VPN Connection Profile at the remote site is configured with your Account Name and Account Password. Remote Account Name: the name of the remote network that is dialing in. Remote Account Password: the password that your Broadband Router will expect to see from the remote system. VPN-L2TP Tunnel: the VPN Tunnel you will use for this profile. This is one of the tunnel configurations set up earlier. Step 7 Click APPLY and TEST when you are done, or select Advanced to enter advanced options. Advanced Options Setup Note: The IPX options shown in this screen only appear if you selected Share NetWare (IPX) Resource on the ARM Configuration screen. Connection Profile Configuration Remote Office Access by VPN Enable IP (Optional) Remote IP Address (Optional) Remote IP Netmask Enable IPX IPX RIP/SAP Set as IPX Default Route Yes . . Yes Enable Yes No . . . . No Disable No (Optional) Remote IPX Network Number Enable Bridging Enable Encryption Encryption Key Confirm Encryption Key CANCEL OK Enable No Disable DES Step 1 Enter the following information: Enable IP: allows IP routing over a connection using this profile. Remote IP Address: the IP address of a destination computer on a network reachable through this connection. Remote IP Netmask: the IP subnet mask of the Remote IP Address. Enable IPX: allows IPX routing over a connection using this profile. IPX RIP/SAP: enables or disables IPX Routing Information Protocol and Service Advertising Protocol. 4-9 Set as IPX Default Route: specifies whether this connection is used as the default IPX route if no other route for an IPX packet can be found in the routing table. Remote IPX Network Number: the IPX network number of a network reachable through this connection. If you set this connection as the default IPX route, this field is not displayed. Enable Bridging: enables or disables bridging to bridge other protocols, for example, SNA, Appletalk, and NetBEUI. Enable Encryption: allows DES encryption. If you select DES encryption you must enter a DES Encryption key. Encryption key: the DES encryption key used by other systems to establish contact with your system. This must be a hexadecimal number (0-9, a-f) with up to 14 digits, depending upon the strength of encryption licensed for your site. Confirm Encryption key: re-enter the DES encryption key to confirm its correct entry. Note: For security reasons, encryption options only appear if you are connected to the Broadband Router over a local LAN and if encryption is enabled on your system. Step 2 Step 3 Click OK. Click APPLY. Packet Filtering This section describes the packet filtering feature. Note: Packet filtering is a sophisticated feature that can substantially impact your Broadband Router operation. Therefore be sure that you fully understand the description in this chapter before you start to configure and use this feature, since if you make any mistakes, it may produce drastic and potentially undesired results. A Packet Filtering Overview The Broadband Router already provides you with many different ways to ensure the security of your data in your local environment. Packet filtering is a security feature that allows you to selectively pass or throw away data traffic between your local LAN and the wide area network (e.g., the Internet). Packet Filtering allows each IP or IPX packet exiting a router interface to be examined for a match with a configured set of rules and an action to be taken depending upon whether the packet statisfies any rule or not. In the browser manager, a set of rules may be configured over any existing interface as represented by a WAN profile. To configure a set of rules for packets exiting the LAN interface (in addition to any WAN interface), you must use the Filtering commands in the Command Line Interface. If the contents of the packet do not match any rule for that interface, then the packet is either forwarded or discarded, depending upon the filter default for that interface. Otherwise, the exception action is taken, i.e., the packet is discarded or forwarded, the opposite of the default action. The Broadband Router maintains separate filtering tables for IP and IPX traffic. These filters are configured separately. Configuration commands allow you to define: 4-10 - each and every IP or IPX packet to be inspected to determine if it should be allowed or disallowed to be transmitted over a WAN interface alternatively. Due to the conflicting nature of allow and disallow, only one of the above two choices can be made for each WAN interface. After the choice is made, you can define selection rules to "select" which packets will be allowed (or disallowed). Each packet selection rule consists of an IP protocol and set of local IP addresses/ports or an IPX Packet Type and a set of local IPX network number(s), node(s) and socket(s) a set of remote IP addresses/ports or remote IPX network numbers/nodes/ sockets The following table indicates the types of values that may be configured for each rule condition. 4-11 Protocol IP Condition Parameter Configuration Formats Protocol TCP/UDP/ ICMP/IGMP/ Any Single/Range/ Network/Any Single/Range/ Any Address Port IPX Packet Type Network Number Node Number Socket Single/Any Single/Range/ Any Single/Any Single/Range/ Any Therefore packet filtering simply defines sets of rules of what to allow or disallow through a set of parameters highlighted below: For IP, remote devices with IP addresses/port numbers are allowed (or disallowed) to communicate with local devices with IP addresses/port numbers over a WAN connection and using a specific IP protocol. For IPX, remote devices with IPX network numbers/nodes/sockets are allowed (or disallowed) to communicate with local devices with IPX network numbers/nodes/sockets over a WAN connection. Examples of packet filtering requirements are: 1. "I want to block any user in my remote office from being able to access my local NetWare server". The corresponding "translated" packet rule is: All IPX communication with my remote office is allowed EXCEPT remote devices with Any IPX network number and Any IPX node number and Any IPX socket which are disallowed from communicating with the local NetWare server (identified by its IPX network number, IPX Node Number and Any socket number over my specified remote office connection profile 4-12 using any IPX packet type. 2. "I want to disallow people in the manufacturing department to access the Internet". The corresponding "translated" packet rule is: All access to the Internet is allowed EXCEPT remote devices with the range of IP addresses in the manufacturing department and any port number which are disallowed to communicate with any IP address/port number over my Internet connection using any IP protocol. Configuring IP Packet Rules To add a new IP packet rule or to edit an existing one, select IP Filter from the ARM menu: Configuration - Advanced - IP Filter Step 1 From the IP Filtering Configuration screen, select the WAN profile of interest from the pull down menu. For example, if your only need is to control access to the Internet, you should only select the Internet access profile. Step 2 Step 3 Select send or discarded as the default action as desired, which is equivalent to allow and disallow, respectively. If you are just starting, click Add to add a new selection rule. If you have previously defined rules, you will see those rules shown as entries in the rule table, and you can edit the rule by first highlighting the desired entry in the rule table followed by clicking the Edit button. 4-13 Step 4 In case of adding a new selection rule, the following screen shows: IP Filter Configuration Add a new rule Rule No. Rule Name Interface IP Protocol Local IP Address Local Port Remote IP Address Remote Port 1 WL test any any any any any APPLY CANCEL Step 5 Enter the following information: Rule No.: a number used for identification purposes. Rule Name: a name by which you will refer to this rule. Interface: the specific WAN interface to which this new selection rule applies. IP Protocol: the IP protocol to which this rule applies. You can select TCP, UDP, ICMP, IGMP, or any of these protocols. Local IP Address: the IP address(es) of the local devices this new rule will apply to. You can select a single IP address, a range of IP addresses, a network, or any IP addresses. The screen may change to show fields you need to fill out accordingly. For example, if you select range, you will also see (From) and (To) fields where you need to fill out the starting IP address and the ending IP address. Local Port: the port number(s) of the local devices this new rule will apply to. See Table 4-1 for some examples of TCP/IP port assignments. This field does not appear if either ICMP or IGMP is selected as the IP Protocol. Remote IP Address: the IP address(es) of the remote devices this new rule will apply to. You can select a single IP address, a range of IP addresses, a network, or any IP addresses. The screen may change to show fields you need to fill out accordingly. For example, if you select range, you will also see (From) and (To) fields where you need to fill out the starting IP address and the ending IP address. Remote Port: the port number(s) of the remote devices this new rule will apply to. See Table 4-1 for some examples of TCP/IP port assignments. This field does not appear if either ICMP or IGMP is selected as the IP Protocol. If you highlighted an existing entry (by selecting the Select to Edit button) and clicked Edit instead, a similar screen will display, with all fields already filled out by you previously. Then you can make changes as 4-14 necessary.If you highlighted an existing entry and clicked Delete instead, the corresponding entry in the rule table will be removed. TCP/IP Service Type BootP/DHCP DNS Finger FTP HTTP NetBIOS NNTP RIP SMTP SNMP Sun RPC Telnet TFTP Whois Port Range 67-68 53 79 20-21 80/8080 137-139 119 520 25 161-162 111 23 69 43 Table 4-1 TCP/IP Port Assignments Configuring IPX Packet Rules(Optioanl) To add a new IPX packet rule or to edit an existing one, select IPX Filter from the ARM menu: Configuration - Advanced - IPX Filter Step 1 Step 2 Step 3 From the IPX Filtering Configuration screen, select the WAN profile of interest from the pull down menu. Select send or discarded as the default action as desired, which is equivalent to allow and disallow, respectively. If you are just starting, click Add to add a new selection rule. If you have previously defined rules, you will see those rules shown as entries in the rule table, and you can edit the rule by first highlighting the desired entry 4-15 in the rule table followed by clicking the Edit button. Step 4 In case of adding a new selection rule, the following screen shows: IPX Filter Configuration Add a new rule Rule No. Rule Name Interface IPX Packet Type Local IPX Network Number Local IPX Node Number Local IPX Socket Number Remote IPX Network Number Remote IPX Node Number Remote IPX Socket Number APPLY test any any any any any any any 1 CANCEL Step 5 Enter the following information: Rule No.: a number used for identification purposes. Rule Name: a name by which you will refer to this rule. Interface: the specific WAN interface this new selection rule will apply to. IPX Packet Type: The packet type to which the rule applies. This value is specified as a two digit hexadecimal number. Some standard IPX Packet Types are listed in Table 4-2 4-16 Local IPX Network Number: the IPX Network Number(s) of the local devices to which this new rule applies. You can select a single IPX Network Number, a range of IPX Network Numbers, or any IPX Network Number. The screen may change to show fields you need to fill out accordingly. For example, if you select range, you will also see (From) and (To) fields where you need to fill out the starting IPX Network Number and the ending IPX Network Number. Local IPX Node Number: the IPX Node Number of the local device(s) to which this new rule applies. You may select an individual Network Node or any Network Node. An individual Network Node is entered as six pairs of hexadecimal digits, such as 11-22-33-aa-bb-cc. Local IPX Socket Number: the local IPX Socket Number(s) of the local devices to which this rule applies. You can select a single IPX Socket Number, a range of IPX Socket Numbers, or any IPX Socket Number. This value is specified as a four digit hexadecimal number. Remote IPX Network Number: the IPX Network Number(s) of the remote devices to which this new rule applies. You can select a single IPX Network Number, a range of IPX Network Numbers, or any IPX Network Number. The screen may change to show fields you need to fill out accordingly. For example, if you select range, you will also see (From) and (To) fields where you need to fill out the starting IPX Network Number and the ending IPX Network Number. Remote IPX Node Number: the IPX Node Number of the remote device(s) to which this new rule applies. You may select an individual Network Node or any Network Node. An individual Network Node is entered as six pairs of hexadecimal digits, such as 11-22-33-aa-bb-cc. Remote IPX Socket Number: the remote IPX Socket Number(s) of the local devices to which this rule applies. You can select a single IPX Socket Number, a range of IPX Socket Numbers, or any IPX Socket Number. This value is specified as a four digit hexadecimal number. Hexadecimal Value 00 01 04 05 11 14 Packet Type Unknown Routing Information Service Advertising Sequenced Packet NetWare Core Protocol Propagated (NetBIOS) If you highlighted an existing entry (by selecting the Select to Edit button) and clicked Edit instead, a similar screen will display, with all fields already filled out by you previously. Then you can make changes as necessary. If you highlighted an existing entry and clicked Delete instead, the corresponding entry in the rule table will be removed. 4-17 To Configure Advanced IP Settings Step 1 Select IP from the Menu: Note: This option is not available if you selected "Basic Internet Access" only from the ARM Customization screen. Unless you have working experience with networking and protocols, we recommend that you do not change any of the default settings. Configuration - Features - IP Step 2 Enter the following information: Note: To install public servers on your network (e.g., Web or ftp servers), you need to apply for an IP address for each server plus one for the LAN port of the Broadband Router. All these public IP addresses have to belong to the same IP network. Public IP Address: the public IP address for the LAN interface on the Broadband Router. 4-18 Internet EWAN Interface (IP address usually assigned by ISP) LAN Interface Public IP address Private IP address Public computers on your public network Private workstations on your private network Public IP Netmask: the network mask for the public network address on your LAN. Private IP Address: the private IP address for the LAN interface on the Broadband Router. The default private IP address is 192.168.168.230. If you want to create your own private network through other Broadband Router with remote offices, you need to make sure that each Broadband Router router on each LAN is assigned a unique private IP network address. The default IP private address is 192.168.168.230 with a network mask of 255.255.255.0. This private address may be changed to any private address and network mask as specified in the following table: Default Network Mask Maximum Number of Host Addresses 16,777,214 Network Address Network Prefix Lowest/ Highest Address 10.0.0.1/ 10.255.255.254 172.xx.0.1/ 172.xx.255.254 A 10.0.0.0 8 bits 255.0.0.0 B 172.xx.0.0 12 bits 255.255.0.0 65534 C 192.168.xx.0 16 bits 255.255.255.0 254