Administrator’s Handbook Embedded Software Version 7.7.
Copyright © 2007 by Motorola, Inc. All rights reserved. No part of this publication may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation or adaptation) without written permission from Motorola, Inc. Motorola reserves the right to revise this publication and to make changes in content from time to time without obligation on the part of Motorola to provide notification of such revision or change.
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. Portions of this software are based in part on the work of the following: Copyright (c) 1989 Carnegie Mellon University. All rights reserved.
Table of Contents
CHAPTER 1 Introduction . . . 13
What’s New in 7.7.4 . . . 13
About Motorola Netopia® Documentation . . . 15
Intended Audience . . . 15
Documentation Conventions . . . 15
General
Home Page - Information . . . 41
Toolbar . . . 43
Navigating the Web Interface . . . 43
Breadcrumb Trail . . . 43
Restart
SNMP . . . 98
IGMP (Internet Group Management Protocol) . . . 100
UPnP . . . 102
LAN Management . . . 103
Ethernet Bridge
Example 3 . . . 162
Example 4 . . . 162
Example 5 . . . 162
Packet Filter . . . 163
What’s a filter and what’s a filter set?
CHAPTER 5 Advanced Troubleshooting . . . 207
Home Page . . . 208
Expert Mode . . . 210
System Status . . . 211
Ports: Ethernet . . . 212
Ports: DSL
IP Settings . . . 259
Common Settings . . . 259
ARP Timeout Settings . . . 259
DSL Settings . . . 259
Ethernet LAN Settings
Example 2: . . . 313
VoIP settings . . . 316
Example . . . 320
UPnP settings . . . 321
DSL Forum settings . . . 321
TR-064
North America . . . 344
International . . . 344
Regulatory notices . . . 344
European Community . . . 344
Manufacturer’s Declaration of Conformance . . . 344
United States
CHAPTER 1 Introduction
What’s New in 7.7.4
New in Motorola Netopia® Embedded Software Version 7.7.4 are the following features:
• Internet Group Management Protocol (IGMP) Version 3 support. See “IGMP (Internet Group Management Protocol)” on page 100.
• TR-101 Support:
  • Concurrent support for PPPoE and IPoE connections on the WAN. See “WAN” on page 67.
  • Multiple LAN IP Subnet support. See “LAN” on page 49.
  • Additional DHCP range support.
• Provide Bandwidth Management using Weighted Fair Queueing. See “Queue Configuration” on page 271.
• New CLI command for disabling Dying Gasp. See “DMT Settings” on page 254.
• Ethernet in the First Mile Operations Administration and Maintenance (802.3ah EFM OAM) Support. See “802.3ah Ethernet OAM Settings” on page 284.
• IP multicast to layer 2 unicast mapping. See “IGMP Settings” on page 257.
About Motorola Netopia® Documentation ☛ NOTE: This guide describes the wide variety of features and functionality of the Motorola Netopia® Gateway, when used in Router mode. The Motorola Netopia® Gateway may also be delivered in Bridge mode. In Bridge mode, the Gateway acts as a pass-through device and allows the workstations on your LAN to have public addresses directly on the Internet. Motorola, Inc.
terminal, bold terminal: Computer display text. Italic: Italic type indicates the complete titles of manuals.
Organization This guide consists of nine chapters, including a glossary, and an index. It is organized as follows:
• Chapter 1, “Introduction” — Describes the Motorola Netopia® document suite, the purpose of, the audience for, and structure of this guide. It gives a table of conventions.
• Chapter 2, “Basic Mode Setup” — Describes how to get up and running with your Motorola Netopia® Gateway.
CHAPTER 2 Basic Mode Setup Most users will find that the basic Quickstart configuration is all that they ever need to use. This section may be all that you ever need to configure and use your Motorola Netopia® Gateway. The following instructions cover installation in Router Mode.
Important Safety Instructions POWER SUPPLY INSTALLATION Connect the power supply cord to the power jack on the Motorola Netopia® Gateway. Plug the power supply into an appropriate electrical outlet. ☛ CAUTION: Depending on the power supply provided with the product, either the direct plug-in power supply blades, power supply cord plug or the appliance coupler serves as the mains power disconnect.
Important Safety Instructions INSTALLING THE POWER SUPPLY Connect the cable from the power supply to the power connector on the Motorola Netopia® Gateway. Then plug the power supply into a mains outlet. ☛ Caution: Depending on the power supply delivered with the product, either the direct plug-in power supply blades, the plug of the power cord, or the appliance coupler serves as the mains power disconnect. It is important that the plug-in power supply, the outlet, or the appliance coupler remains freely accessible.
Setting up the Motorola Netopia® Gateway Refer to your Quickstart Guide for instructions on how to connect your Motorola Netopia® gateway to your power source, PC or local area network, and your Internet access point, whether it is a dedicated DSL outlet or a DSL or cable modem. Different Motorola Netopia® Gateway models are supplied for any of these connections. Be sure to enable Dynamic Addressing on your PC. Perform the following: Microsoft Windows: Step 1.
c. Windows Vista is set to obtain an IP address automatically by default. You may not need to configure it at all. To check, open the Networking Control Panel and select Internet Protocol Version 4 (TCP/IPv4). Click the Properties button. The Internet Protocol Version 4 (TCP/IPv4) Properties window should appear as shown. If not, select the radio buttons shown above, and click the OK button.
Macintosh MacOS 8 or higher or Mac OS X:
Step 1. Access the TCP/IP or Network control panel.
  a. MacOS follows a path like this: Apple Menu -> Control Panels -> TCP/IP Control Panel
  b. Mac OS X follows a path like this: Apple Menu -> System Preferences -> Network
  Then go to Step 2.
Step 2. Select Built-in Ethernet
Step 3. Select Configure Using DHCP
Step 4. Close and Save, if prompted.
Proceed to “Configuring the Motorola Netopia® Gateway” on page 25.
Configuring the Motorola Netopia® Gateway 1. Run your Web browser application, such as Firefox or Microsoft Internet Explorer, from the computer connected to the Motorola Netopia® Gateway. Enter http://192.168.1.254 in the Location text box. The Admin Password page appears. Access to your Motorola Netopia® device can be controlled through two access control accounts, Admin or User. • The Admin, or administrative user, performs all configuration, management or maintenance operations on the Gateway.
Once a connection is established, your browser is redirected to your service provider’s home page or a registration page on the Internet. ☛ NOTE: For MiAVo Series (3397GP) models, skip the rest of this section. Congratulations! Your configuration is complete. You can skip to “Home Page - Basic Mode” on page 31.
PPPoE Quickstart For a PPPoE connection, your browser will display a different series of web pages: The browser then displays the Quickstart web page. 3. Enter the username and password supplied by your Internet Service Provider. Click the Connect to the Internet button. Once you enter your username and password here, you will no longer need to enter them whenever you access the Internet. The Motorola Netopia® Gateway stores this information and automatically connects you to the Internet.
Set up the Motorola Netopia® Pocket Gateway Your Motorola Netopia® 3342N/3352N Pocket Gateway comes with its own installation wizard. • If you are using Windows 98, insert the CD. • If you are using Windows XP, Windows 2000, Windows NT or Windows Vista, you don’t even need the CD. Follow these easy setup steps: 1. Plug the Motorola Netopia® Pocket Gateway into a USB port on your PC.
5. The Wizard displays a success message when the settings are configured. The Motorola Netopia® Installation Wizard will then launch your web browser and display the Welcome page where you configure your Motorola Netopia® Pocket Gateway.
Motorola Netopia® Gateway Status Indicator Lights Colored LEDs on your Motorola Netopia® Gateway indicate the status of various port activity. Different Gateway models have different ports for your connections and different indicator LEDs. The Quickstart Guide accompanying your Motorola Netopia® Gateway describes the behavior of the various indicator LEDs.
Home Page - Basic Mode After you have performed the basic Quickstart configuration, any time you log in to your Motorola Netopia® Gateway you will access the Motorola Netopia® Gateway Home Page. You access the Home Page by typing http://192.168.1.254 in your Web browser’s location box. The Basic Mode Home Page appears. ☛ NOTE: VoIP-enabled Gateways also display VoIP phone information.
The Home Page displays the following information in the center section:
Serial Number: This is the unique serial number of your Gateway.
Software Release: This is the version number of the current embedded software in your Gateway.
Warranty Date: This is the date that your Gateway was installed and enabled.
Link: Manage My Account You can change your ISP account information for the Motorola Netopia® Gateway. You can also manage other aspects of your account on your service provider’s account management Web site. Click on the Manage My Account link. The Manage My Account page appears. If you have a PPPoE account, enter your username, and then your new password. Confirm your new password. For security, your actual passwords are not displayed on the screen as you type.
Link: Status Details If you need to diagnose any problems with your Motorola Netopia® Gateway or its connection to the Internet, you can run a sophisticated diagnostic tool. It checks several aspects of your physical and electronic connection and reports its results on-screen. This can be useful for troubleshooting, or when speaking with a technical support technician. Click on the Status Details link. The Diagnostics page appears.
Link: Enable Remote Management This link allows you to authorize a remotely-located person, such as a support technician, to directly access your Motorola Netopia® Gateway. This is useful for fixing configuration problems when you need expert help. You can limit the amount of time such a person will have access to your Gateway. This will prevent unauthorized individuals from gaining access after the time limit has expired. Click the Enable Rmt Mgmt link. The Enable Remote Management page appears.
Link: Expert Mode Most users will find that the basic Quickstart configuration is all that they ever need to use. Some users, however, may want to do more advanced configuration. The Motorola Netopia® Gateway has many advanced features that can be accessed and configured through the Expert Mode pages. Click the Expert Mode link to display the Expert Mode Confirmation page.
Link: Update Firmware ☛ NOTE: (This link is not available on the 3342/3352 models, since their firmware must be updated via the USB host driver. 3342N/3352N models do support this feature.) Periodically, the embedded firmware in your Gateway may be updated to improve the operation or add new features. Your gateway includes its own onboard installation capability. Your service provider may inform you when new firmware is available, or you can check for yourself. Click the Update Firmware link.
Link: Factory Reset In some cases, you may need to clear all the configuration settings and start over again to program the Motorola Netopia® Gateway. You can perform a factory reset to do this. Click on Factory Reset to reset the Gateway back to its original factory default settings. ☛ NOTE: Exercise caution before performing a Factory Reset. This will erase any configuration changes that you may have made and allow you to reprogram your Gateway.
CHAPTER 3 Expert Mode Using the Expert Mode Web-based user interface for the Motorola Netopia® 2200-, 3300- and 7000-series Gateway you can configure, troubleshoot, and monitor the status of your Gateway. Accessing the Expert Web Interface Open the Web Connection Once your Gateway is powered up, you can use any recent version of the best-known web browsers such as Netscape Navigator or Microsoft Internet Explorer from any LAN-attached PC or workstation. The procedure is:
You are challenged to confirm your choice. Click OK. The Home Page opens in Expert Mode.
Home Page - Expert Mode The Home Page is the summary page for your Motorola Netopia® Gateway. The toolbar at the top provides links to controlling, configuring, and monitoring pages. Critical configuration and operational status is displayed in the center section. Home Page - Information The Home page’s center section contains a summary of the Gateway’s configuration settings and operational status.
Status: Wide Area Network may be Waiting for DSL (or other waiting status), Up or Down.
Data Rate (Kbps): Once connected, displays DSL speed rate, Downstream and Upstream.
Local Address: IP address assigned to the WAN port.
Peer Address: The IP address of the gateway to which the connection defaults. If doing DHCP, this info will be acquired. If doing PPP, this info will be negotiated.
Connection Type: May be either Instant On or Always On.
NAT: On or Off.
WAN Users
Toolbar The toolbar is the dark blue bar at the top of the page containing the major navigation buttons. These buttons are available from almost every page, allowing you to move freely about the site.
Restart Button: Restart The Restart button on the toolbar allows you to restart the Gateway at any time. You will be prompted to confirm the restart before any action is taken. The Restart Confirmation message explains the consequences of and reasons for restarting the Gateway.
Link: Alert Symbol The Alert symbol appears in the upper right corner if you make a database change, that is, a change to the Gateway’s configuration. The Alert serves as a reminder that you must Save the changes and Restart the Gateway before the change will take effect. You can make many changes on various pages, and even leave the browser for up to 5 minutes, but if the Gateway is restarted before the changes are applied, they will be lost.
Help Button: Help Context-sensitive Help is provided in your Gateway. The page shown here is displayed when you are on the Home page or other transitional pages. To see a context help page example, go to Security -> Passwords, then click Help.
Configure Button: Configure The Configuration options are presented in the order of likelihood you will need to use them. Quickstart is typically accessed during the hardware installation and initial configuration phase. Often, these settings should be changed only in accordance with information from your Service Provider. LAN and WAN settings are available to fine-tune your system.
A brief message is displayed while the Gateway attempts to establish a connection. 3. When the connection succeeds, your browser will display your Service Provider’s home page. If you encounter any problems connecting, refer to the chapters “Basic Troubleshooting” on page 193 or “Advanced Troubleshooting” on page 207.
Link: LAN * Enable Interface: Enables all LAN-connected computers to share resources and to connect to the WAN. The Interface should always be enabled unless you are instructed to disable it by your Service Provider during troubleshooting. * IP Address: The LAN IP Address of the Gateway. The IP Address you assign to your LAN interface must not be used by another device on your LAN network. * IP Netmask: Specifies the subnet mask for the TCP/IP network connected to the virtual circuit.
• IGMP Forwarding: The default setting is Disabled. If you check this option, it will enable Internet Group Management Protocol (IGMP) multicast forwarding. IGMP allows a router to determine which host groups have members on a given network segment. See “IGMP (Internet Group Management Protocol)” on page 100 for more information.
☛ Note: You need not use this screen if you have only a single Ethernet IP subnet. This screen displays seven rows of editable columns. All seven row labels are always visible, regardless of the number of subnets configured. • To add an IP subnet, select one of the rows, and click the Edit button. Check the Enabled checkbox and click the Submit button. The screen expands to allow you to enter subnet information.
• DHCP Server: Your Gateway can provide network configuration information to computers on your LAN, using the Dynamic Host Configuration Protocol (DHCP). If you already have a DHCP server on your LAN, you should turn this service off. If you want the Gateway to provide this service, click the Server Mode pull-down menu, choose Server, then configure the range of IP addresses that you would like the Gateway to hand out to your computers.
Wireless (supported models) If your Gateway is a wireless model (such as a 3347W) you can enable or disable the wireless LAN (WLAN) by clicking the Wireless link. Wireless functionality is enabled by default. If you uncheck the Enable Wireless checkbox, the Wireless Options are disabled, and the Gateway will not provide or broadcast any wireless LAN services. SSID (Network ID): The SSID is preset to a number that is unique to your unit.
Privacy
• Off - No Privacy provides no encryption on your wireless LAN data.
• WPA-802.1x provides RADIUS server authentication support.
• WPA-PSK provides Wireless Protected Access, the most secure option for your wireless network. This mechanism provides the best data protection and access control. The Pre Shared Key is a passphrase shared between the Router and the clients and is used to generate dynamically changing keys.
You select a single key for encryption of outbound traffic. The WEP-enabled client must have an identical key of the same length, in the identical slot (1 – 4) as the Gateway, in order to successfully receive and decrypt the traffic. Similarly, the client also has a ‘default’ key that it uses to encrypt its transmissions. In order for the Gateway to receive the client’s data, it must likewise have the identical key of the same length, in the same slot.
Advanced If you click the Advanced link, the advanced 802.11 Wireless Settings page appears. Note: This page displays different options depending on which form of Privacy or other options you have enabled. You can then configure: Operating Mode: The pull-down menu allows you to select and lock the Gateway into the wireless transmission mode you want. For compatibility with clients using 802.11b (up to 11 Mbps transmission) and 802.11g (up to 20+ Mbps), select Normal (802.11b + g).
France, Spain and Japan will differ. Channel selection can have a significant impact on performance, depending on other wireless activity close to this Gateway. Channel selection is not necessary at the client computers; the clients will scan the available channels seeking access points using the same SSID as the client. AutoChannel Setting: For 802.11G models, AutoChannel is a feature that allows the Motorola Netopia® Gateway to determine the best channel to broadcast automatically.
☛ NOTE: While clients may also have a passphrase feature, these are vendor-specific and may not necessarily create the same keys. To get around this, you can use the passphrase to generate a set of keys on one device and enter them manually on the other. Block Wireless Bridging: Check the checkbox to block wireless clients from communicating with other wireless clients on the LAN side of the Gateway. • WEP - Manual allows you to enter your own encryption keys manually.
Encryption Key #1 – #4: The encryption keys. You enter keys using hexadecimal digits. For 40/64bit encryption, you need ten digits; 26 digits for 128bit, and 58 digits for 256bit WEP. Hexadecimal characters are 0 – 9, and a – f. Examples:
• 40bit: 02468ACE02
• 128bit: 0123456789ABCDEF0123456789
• 256bit: 592CA140F0A238B0C61AE162F592CA140F0A238B0C61AE162F21A09C
Use WEP encryption key (1 – 4) #: Specifies which key the Gateway will use to encrypt transmitted traffic. The default is key #1.
The screen expands to allow you to name each additional Wireless ID, and specify a Privacy mode for each one.
Privacy modes available from the pull-down menu for the multiple SSIDs are: WPA-PSK, WPA-802.1x, or Off-No Privacy. WEP can also be selected on the additional SSIDs as long as it is not used on the primary SSID. WEP can only be used on one SSID, so any others will not have WEP available. These additional Wireless IDs are “Closed System Mode” Wireless IDs that will not be shown by a client scan, and therefore must be manually configured at the client.
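The following is an added example, not code from the handbook or from the Gateway firmware: a pre-flight validator for a set of SSID configurations that encodes the rules stated above (WEP keys of 10, 26 or 58 hexadecimal digits, a transmit key slot of 1 to 4, WEP on at most one SSID, RADIUS settings required for WPA-802.1x). The dictionary layout, function names and the 8-63 character passphrase rule (from the WPA specification, not from the handbook) are assumptions of this example.

```python
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Accepted WEP key lengths in hex digits, as listed in the handbook
WEP_KEY_LENGTHS = {10: "40/64-bit", 26: "128-bit", 58: "256-bit"}
PRIVACY_MODES = ("Off", "WPA-PSK", "WPA-802.1x", "WEP")
RADIUS_DEFAULT_PORT = 1812  # "typically, the default 1812" on the RADIUS settings page


def check_wep(cfg):
    """Validate the 'WEP - Manual' fields of one SSID; returns error strings."""
    errors = []
    keys = cfg.get("wep_keys", [])
    use_key = cfg.get("wep_use_key", 1)  # "Use WEP encryption key #", default is key #1
    if not 1 <= use_key <= 4:
        errors.append(f"transmit key slot must be 1-4, got {use_key}")
    if not keys or len(keys) > 4:
        errors.append("WEP needs between one and four keys")
    for slot, key in enumerate(keys, start=1):
        if not key:
            continue  # an unused slot may be left blank
        if not HEX_RE.match(key):
            errors.append(f"key #{slot} must use hexadecimal digits 0-9, a-f")
        elif len(key) not in WEP_KEY_LENGTHS:
            errors.append(f"key #{slot} has {len(key)} digits; WEP needs 10, 26 or 58")
    # The slot selected for transmission must actually hold a key
    if 1 <= use_key <= 4 and (use_key > len(keys) or not keys[use_key - 1]):
        errors.append(f"selected transmit key #{use_key} is empty")
    return errors


def check_wpa_psk(cfg):
    """Validate the pre-shared passphrase (8-63 printable ASCII, per the WPA spec)."""
    psk = cfg.get("psk", "")
    if not 8 <= len(psk) <= 63 or not psk.isascii() or not psk.isprintable():
        return ["pre-shared key must be 8-63 printable ASCII characters"]
    return []


def check_wpa_enterprise(cfg):
    """Validate the RADIUS fields that WPA-802.1x depends on."""
    errors = []
    radius = cfg.get("radius", {})
    if not radius.get("server"):
        errors.append("WPA-802.1x needs a RADIUS Server Addr/Name")
    if not radius.get("secret"):
        errors.append("WPA-802.1x needs a RADIUS Server Secret")
    port = radius.get("port", RADIUS_DEFAULT_PORT)
    if not 1 <= port <= 65535:
        errors.append(f"RADIUS port {port} is out of range")
    return errors


CHECKERS = {"WEP": check_wep, "WPA-PSK": check_wpa_psk, "WPA-802.1x": check_wpa_enterprise}


def validate_wireless(ssids):
    """Check a list of SSID dicts (primary SSID first) against the handbook's rules.

    Returns {"errors": [...], "warnings": [...]}. Errors are settings the
    Gateway cannot accept; warnings flag privacy modes that leave traffic exposed.
    """
    errors, warnings = [], []
    for cfg in ssids:
        name, mode = cfg.get("ssid", "?"), cfg.get("privacy")
        if mode not in PRIVACY_MODES:
            errors.append(f"{name}: unknown privacy mode {mode!r}")
            continue
        errors.extend(f"{name}: {e}" for e in CHECKERS.get(mode, lambda c: [])(cfg))
        if mode == "Off":
            warnings.append(f"{name}: Off - No Privacy sends wireless LAN data unencrypted")
        elif mode == "WEP":
            warnings.append(f"{name}: WEP is weak; the handbook calls WPA-PSK the most secure option")
    # WEP can only be used on one SSID, whether primary or additional
    wep_ssids = [c.get("ssid", "?") for c in ssids if c.get("privacy") == "WEP"]
    if len(wep_ssids) > 1:
        errors.append("WEP can only be used on one SSID, but is set on: " + ", ".join(wep_ssids))
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: a WPA-PSK primary SSID plus a closed-system WEP guest SSID
    sample = [
        {"ssid": "home", "privacy": "WPA-PSK", "psk": "correct horse battery"},
        {"ssid": "guest", "privacy": "WEP", "wep_keys": ["02468ACE02"], "wep_use_key": 1},
    ]
    for kind, items in validate_wireless(sample).items():
        for item in items:
            print(f"{kind}: {item}")
```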
WiFi Multimedia WiFi Multimedia is an advanced feature that allows you to prioritize various types of data travelling over the wireless network. Certain types of data that are sensitive to delays, such as voice or video, must be prioritized ahead of other, less delay-sensitive types, such as email. WiFi Multimedia currently implements wireless Quality of Service (QoS) by transmitting data depending on Diffserv priority settings.
The screen expands. Router EDCA Parameters (Enhanced Distributed Channel Access) govern wireless data from your Gateway to the client; Client EDCA Parameters govern wireless data from the client to your Gateway. ☛ NOTE: It is not recommended that you modify these settings without direct knowledge or instructions to do so. Modifying these settings inappropriately could seriously degrade network performance. • AIFs: (Arbitration Interframe Spacing) the wait time in milliseconds for data frames.
be accepted onto the wireless LAN. All unlisted addresses will be blocked, in addition to the listed addresses with Allow disabled. To enable Wireless MAC Authentication, click the MAC Authorization link. When the Wireless MAC Authentication screen appears, check the Enable Wireless MAC Authorization checkbox: The screen expands as follows: Click the Add button. The Authorized Wireless MAC Address Entry screen appears.
are added to the Authorized list. Your entry will be added to a list of up to 32 authorized addresses as shown: You can continue to Add, Edit, or Delete addresses to the list by clicking the respective buttons. After your first entry, the Alert icon will appear in the upper right corner of your screen. When you are finished adding addresses to the list, click the Alert icon, and Save your changes and restart the Gateway.
• RADIUS Server Addr/Name: The default RADIUS server name or IP address that you want to use.
• RADIUS Server Secret: The RADIUS secret key used by this server. The shared secret should have the same characteristics as a normal password.
• RADIUS Server Port: The port on which the RADIUS server is listening, typically, the default 1812.
Click the Submit button.
Link: WAN When you click the WAN link, the WAN IP configuration page appears. This page varies depending on the WAN interface of your Motorola Netopia® Gateway. WAN IP Interfaces: Your IP interfaces are listed. PPP over Ethernet interface Click the PPP over Ethernet link to configure it. The WAN IP Interface page appears. Enable Interface: You can disable the interface by unchecking the checkbox. However, doing so will disable all ability for your LAN users to connect to the WAN using the Gateway.
Restrictions: This setting determines the types of traffic the Gateway accepts from the WAN. Admin Disabled means that Gateway traffic is accepted but administrative commands are ignored. None means that all traffic is accepted. When PPP is enabled, Admin Disabled is the default. DHCP/PPPoE/PPPoA Autosensing: The pull-down menu allows you to select an autosensing feature, or to disable it.
Advanced: If you click the Advanced link, the Advanced WAN IP Interface configuration page appears. Local Address: If this value is 0.0.0.0, the Gateway will acquire its IP address from your ISP. Otherwise this address is assigned to the virtual PPP interface. Peer Address: Address of the server on the Service Provider side of the PPP link. This peer will attempt to negotiate the local IP address if IP Address = 0.0.0.0. If the remote peer does not accept the IP address, the link will not come up.
LCP Settings: Authentication: Select Off, PAP and/or CHAP, PAP only, or CHAP only from the pull-down menu. The settings for port authentication on the Gateway must match the authentication expected by the remote system. The username and passwords are available on the WAN IP Interfaces page. MRU: Specifies the Maximum Receive Unit for the PPP Interface. Magic Number: Enables or disables LCP magic number negotiation.
The WAN IP Interface page appears. Enable Interface: You can disable the interface by unchecking the checkbox. However, doing so will disable all ability for your LAN users to connect to the WAN using the Gateway. Obtain IP Address Automatically: Your service provider may tell you that the WAN IP Address for your Gateway is static. In this case, disable this checkbox and enter the IP Address and IP Netmask from your Service Provider in the appropriate fields.
Address Mapping (NAT): Specifies whether you want the Gateway to use network address translation (NAT) when communicating with remote routers. NAT lets you conceal details of your network from remote routers. By default, address mapping is enabled. Restrictions: This setting determines the types of traffic the Gateway accepts from the WAN. Admin Disabled means that Gateway traffic is accepted but administrative commands are ignored. None means that all traffic is accepted.
WAN Ethernet and VDSL Gateways To allow for concurrent PPPoE and IPoE support on WAN Ethernet Gateways, including VDSL units, PPPoE with IPoE is available on the PPPoE configuration page. Checking the checkbox will provide this concurrent support. When you enable PPPoE with IPoE, the additional WAN interface becomes available for configuration. ☛ NOTE: Enabling pppoe-with-ipoe disables support for multiple PPPoE sessions.
Your Motorola Netopia® ADSL Gateway supports VPI/VCI autodetection by default. If VPI/VCI autodetection is enabled, the ATM Circuits page displays VPI/VCI = 0. If you configure a new ATM VPI/VCI pair, upon saving and restarting, autodetection is disabled and only the new VPI/VCI pair configuration will be enabled. VPI/VCI Autodetection consists of eight static VPI/VCI pair configurations. These are 0/35, 8/35, 0/32, 8/32, 1/35, 1/1, 1/32, 2/32.
Once the VCCs have been configured, the WAN IP Interfaces screen displays the additional interface which you can then configure as required.
ATM Traffic Shaping: You can prioritize delay-sensitive data by configuring the Quality of Service (QoS) characteristics of the virtual circuit. Click the ATM Traffic Shaping link. You can choose UBR (Unspecified Bit Rate), CBR (Constant Bit Rate), or VBR (Variable Bit Rate) from the pull-down menu and set the Peak Cell Rate (PCR) in the editable field. UBR (Unspecified Bit Rate) guarantees no minimum transmission rate. Cells are transmitted on a “best effort” basis.
Class   PCR   SCR   MBS   Transmit Priority   Comments
UBR     X     N/A   N/A   Low                 PCR is a cap
CBR     X     N/A   N/A   High                PCR is a guaranteed rate
VBR     X     X     X     High                PCR > SCR. SCR is a guaranteed rate. PCR is a cap.
Link: Advanced Selected Advanced options are discussed in the pages that follow. Many are self-explanatory or are dictated by your service provider.
Link: IP Static Routes A static route identifies a manually configured pathway to a remote network. Unlike dynamic routes, which are acquired and confirmed periodically from other routers, static routes do not time out. Consequently, static routes are useful when working with PPP, since an intermittent PPP link may make maintenance of dynamic routes problematic. When you click the Static Routes link, the IP Static Routes page appears. You can configure as many as 32 static IP routes for the Gateway.
• RIP Advertise: From the pull-down menu, choose how the static route should be advertised via RIP:
• Split Horizon: Do not advertise route if the gateway is on the same subnet.
• Always: Advertise route in all RIP messages.
• Never: Do not advertise route.
Click the Submit button. The Alert icon will appear, so that you can switch to the Save Changes page when you are finished. Once you save your changes, you will be returned to the IP Static Routes entry screen.
Link: IP Static ARP Your Gateway maintains a dynamic Address Resolution Protocol (ARP) table to map IP addresses to Ethernet (MAC) addresses. It populates this ARP table dynamically, by retrieving IP address/MAC address pairs only when it needs them. Optionally, you can define static ARP entries to map IP addresses to their corresponding Ethernet MAC addresses. Unlike dynamic ARP table entries, static ARP table entries do not time out. The IP address cannot be 0.0.0.0.
Link: Pinholes Pinholes allow you to transparently route selected types of network traffic, such as FTP requests or HTTP (Web) connections, to a specific host behind the Gateway. Creating a pinhole allows access traffic originating from a remote connection (WAN) to be sent to the internal computer (LAN) that is specified in the Pinhole page. Pinholes are common for applications like multiplayer online games.
☛ TIPS for making Pinhole Entries:
1. If the port forwarding feature is required for Web services, ensure that the embedded Web server’s port number is re-assigned PRIOR to any Pinhole data entry.
2. Enter data for one Pinhole at a time.
3. Use a unique name for each Pinhole. If you choose a duplicate name, it will overwrite the previous information without warning.
A diagram of this LAN example is: [Diagram: my-webserver on the LAN, the Gateway (LAN address 192.168.1.1, WAN Ethernet Interface 210.219.41.), and the Internet]
Pinhole Configuration Procedure. Use the following steps: 1. From the Configure toolbar button -> Advanced link, select the Internal Servers link. Since Port Forwarding is required for this example, the Motorola Netopia® embedded Web server is configured first. ☛ NOTE: The two text boxes, Web (HTTP) Server Port and Telnet Server Port, on this page refer to the port numbers of the Motorola Netopia® Gateway’s embedded administration ports.
6. Click on the Add or Edit more Pinholes link. Click the Add button. Add the next Pinhole. Type the specific data for the second Pinhole. 7. Click on the Add or Edit more Pinholes link. Click the Add button. Add the next Pinhole. Type the specific data for the third Pinhole. ☛ NOTE: Note the following parameters for the “my-games” Pinhole: 1. The Protocol ID is UDP. 2. The external port is specified as a range. 3. The Internal port is specified as the lower range entry.
8. Click on the Add or Edit more Pinholes link. Review your entries to be sure they are correct.
9. Click the Alert icon.
10. Click the Save and Restart link to complete the entire Pinhole creation task and ensure that the parameters are properly saved.
☛ NOTE: REMEMBER: When you have re-assigned the port address for the embedded Web server, you can still access this facility. Use the Gateway’s WAN address plus the new port number.
Link: IPMaps IPMaps supports one-to-one Network Address Translation (NAT) for IP addresses assigned to servers, hosts, or specific computers on the LAN side of the Motorola Netopia® Gateway. A single static or dynamic (DHCP) WAN IP address must be assigned to support other devices on the LAN. These devices utilize Motorola Netopia®’s default NAT/PAT capabilities.
IPMaps Block Diagram The following diagram shows the IPMaps principle in conjunction with existing Motorola Netopia® NAT operations: [Diagram: Motorola Netopia® Gateway with a WAN Interface and a LAN Interface (192.168.1.1); Static IP Addresses for IPMaps Applications (143.137.50.37, 143.137.50.36, 143.137.50.35, ...) mapped one-to-one to LAN hosts (192.168.1.1, 192.168.1.2, 192.168.1.3, ...) alongside the NAT/PAT Table]
Link: Default Server This feature allows you to: • Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols only) to a default host on the LAN. Enable it for certain situations: – Where you cannot anticipate what port number or packet protocol an in-bound application might use. For example, some network games select arbitrary port numbers when a connection is opened. – When you want all unsolicited traffic to go to a specific LAN host. • Configure for IP Passthrough.
[Diagram: NAT Combination Application. Internet; Gateway with WAN Ethernet Interface 210.219.41.20 and LAN Ethernet Interface 192.168.1.1; LAN STN #2 192.168.1.2 and LAN STN #3 192.168.1.3 (one NAT protected, one the NAT Default Server); Embedded Web Server reachable at 210.219.41.20 (Port 80 default)] You can also use the LAN-side address of the Gateway, 192.168.1.x, to access the web and telnet server.
• DHCP address serving can automatically serve the WAN IP address to a LAN computer. When DHCP is used for addressing the designated passthrough PC, the acquired or configured WAN address is passed to DHCP, which will dynamically configure a single-servable-address subnet, and reserve the address for the configured MAC address. This dynamic subnet configuration is based on the local and remote WAN address and subnet mask.
Link: Differentiated Services When you click the Differentiated Services link, the Differentiated Services configuration screen appears. Differentiated Services (Diffserv) allow your Gateway to make Quality of Service (QoS) decisions about what path Internet traffic, such as Voice over IP (VoIP), should travel across your network.
• To define a custom flow, click the Add button. The Custom Flow Entry screen appears. • Name – Enter a name in this field to label the flow. • Protocol – Select the protocol from the pull-down menu: TCP (default), UDP, ICMP, or Other. “Other” is appropriate for setting up flows on protocols with nonstandard port definitions. IPSEC and PPTP are common examples. • Numerical Protocol – If you select “Other” protocol, this field appears for you to provide its actual protocol number, with a range of 0 – 255.
• Quality of Service (QoS) – This is the Quality of Service setting for the flow, based on the TOS bit information. Select Expedite, Assure, or Off (default) from the pull-down menu. The following table outlines the TOS bit settings and behavior:
QoS Setting  TOS Bit Value  Behavior
Off          TOS=000        This custom flow is disabled. You can activate it by selecting one of the two settings below. This setting allows you to pre-define flows without actually activating them.
Link: DNS Your Service Provider may maintain a Domain Name server. If you have the information for the DNS servers, enter it on the DNS page. If your Gateway is configured to use DHCP to obtain its WAN IP address, the DNS information is automatically obtained from that same DHCP Server.
Link: DHCP Server Your Gateway can provide network configuration information to computers on your LAN, using the Dynamic Host Configuration Protocol (DHCP). If you already have a DHCP server on your LAN, you should turn this service off. If you want the Gateway to provide this service, select Server from the Server Mode pull-down menu, then configure the range of IP addresses that you would like the Gateway to hand out to your computers.
Link: RADIUS Server RADIUS servers allow external authentication of users by means of a remote authentication database. The remote authentication database is maintained by a Remote Authentication Dial-In User Service (RADIUS) server. In conjunction with Wireless User Authentication, you can use a RADIUS server database to authenticate users seeking access to the wireless services, as well as the authorized user list maintained locally within the Gateway.
Link: SNMP When you click the SNMP link, the SNMP configuration page appears. The Simple Network Management Protocol (SNMP) lets a network administrator monitor problems on a network by retrieving settings on remote network devices. The network administrator typically runs an SNMP management station program on a local host to obtain information from an SNMP agent. In this case, the Motorola Netopia® Gateway is an SNMP agent.
The Notification Type pull-down menu allows you to configure the type of SNMP notifications that will be generated: • v1 Trap – This selection will generate notifications containing an SNMPv1 Trap Protocol Data Unit (PDU) • v2 Trap – This selection will generate notifications containing an SNMPv2 Trap PDU • Inform – This selection will generate notifications containing an SNMPv2 InformRequest PDU. To send SNMP traps, you must add IP addresses for each trap receiver you want to have. Click the Add button.
Link: IGMP (Internet Group Management Protocol) Multicasting is a method for transmitting large amounts of information to many, but not all, computers over an internet. One common use is to distribute real time voice, video, and data services to the set of computers which have joined a distributed conference. Other uses include updating the address books of mobile computer users in the field, or sending out company newsletters to a distribution list.
The IGMP page appears. You can set the following options:
• IGMP Snooping – checking this checkbox enables the Motorola Netopia® Gateway to “listen in” to IGMP traffic. The Gateway discovers multicast group membership for the purpose of restricting multicast transmissions to only those ports which have requested them. This helps to reduce overall network traffic from streaming media and other bandwidth-intensive IP multicast applications.
Link: UPnP Universal Plug and Play (UPnP™) is a set of protocols that allows a PC to automatically discover other UPnP devices (anything from an internet gateway device to a light switch), retrieve an XML description of the device and its services, control the device, and subscribe to real-time event notification. By default, UPnP is enabled on the Motorola Netopia® Gateway.
Link: LAN Management TR-064 is a LAN-side DSL Gateway configuration specification. It is an extension of UPnP. It defines more services to locally manage the Motorola Netopia® Gateway. While UPnP allows open access to configure the Gateway's features, TR-064 requires a password to execute any command that changes the Gateway's configuration. TR-064 is enabled by default. To disable it: • Uncheck the Enabled checkbox, and click the Submit button.
Link: Ethernet Bridge The Motorola Netopia® Gateway can be used as a bridge, rather than a router. A bridge is a device that joins two networks. As an Internet access device, a bridge connects the home computer directly to the service provider’s network equipment with no intervening routing functionality, such as Network Address Translation. Your home computer becomes just another address on the service provider’s network.
Configuring for Bridge Mode
1. Browse into the Motorola Netopia® Gateway’s web interface.
2. Click on the Configure button in the upper Menu bar.
3. Click on the LAN link. The LAN page appears.
4. In the box titled LAN IP Interface (Ethernet 100BT): Make note of the Ethernet IP Address and subnet mask. You can use this address to access the router in the future.
5. Click on the Advanced link in the left-hand links toolbar.
6. Under the heading of Services, click on the Ethernet Bridge link.
b. Click Submit. At this point you should be ready to do the final save on the configuration changes you have made. The yellow Alert symbol will appear beneath the Help button on the right-hand end of the menu bar.
10. Click on the Alert symbol and you will see whether your changes have been validated.
11. If you are satisfied with the changes you have made, click Save and Restart in the Save Database box to Apply changes and restart Gateway.
Link: VLAN When you click the VLAN link the VLANs page appears. Overview A Virtual Local Area Network (VLAN) is a network of computers or other devices that behave as if they are connected to the same wire even though they may be physically located on different segments of a LAN. You set up VLANs by configuring the Gateway software rather than hardware. This makes VLANs very flexible. VLANs behave like separate and independent networks. Beginning with Version 7.7.4, VLANs are now strictly layer 2 entities.
- WAN-side VLAN with Multiple WAN IPoE interface support and IP interface-to-VLAN binding - LAN-side VLAN with IP interface-to-VLAN binding - Inter-VLAN routing • Bridged VLANs - these VLANs are used to bridge traffic from LAN to WAN • Prioritization per VLAN and per port Ethernet Switching/Policy Setup Before you configure any VLANs, the unconfigured Gateway is set up as a router composed of a LAN switch, a WAN switch, and a router in the middle, with LAN and WAN IP interfaces co
An example of multiple VLANs, using a Motorola Netopia® Gateway with VGx managed switch technology, is shown below: A VLAN Model Combining Bridging and Routing To configure VLANs check the Enable checkbox. To create a VLAN select a list item from the main VLAN page and click the Edit button.
The VLAN Entry page appears. Check the Enable checkbox, and enter a descriptive name for the VLAN. You can create up to 16 VLANs, and you can also restrict any VLAN, and the computers on it, from administering the Gateway. • VLAN Name – A descriptive name for the VLAN. • Type – LAN or WAN Port(s) can be enabled on the VLAN. You can choose a type designation as follows: By-Port: indicates that the VLAN is port-based.
• VLAN ID – If you select Global as the VLAN Type, the VLAN ID field appears for you to enter a VID. This must be a unique identifying number between 1 and 4094. (A VID of zero (0) is permitted on the Ethernet WAN port only.) • Admin Restricted – If you want to prevent administrative access to the Gateway from this VLAN, check the checkbox. • 802.
Tag – Packets transmitted from this port through this VLAN must be tagged with the VLAN VID. Packets received through this port destined for this VLAN must be tagged with the VLAN VID by the source. The Tag option is only available on Global type ports. Priority – Use any 802.1p priority bits in the VLAN header to prioritize packets within the Gateway’s internal queues, according to DiffServ priority mapping rules. See “Differentiated Services” on page 92 for more information.
• When you select an IP interface, the screen expands to allow you to configure Inter-Vlan-Groups. Inter-VLAN groups allow VLANs in the group to route traffic to the others; ungrouped VLANs cannot route traffic to each other. • Click the Submit button. • When you are finished, click the Alert icon in the upper right-hand corner of the screen, and in the resulting screen, click the Save link.
You can Edit, Clear, Enable, or Disable your VLAN entries by returning to the VLANs page, and selecting the appropriate entry from the displayed list. • When you are finished, click the Alert icon in the upper right-hand corner of the screen, and in the resulting screen, click the Save and Restart link. To view the settings for each VLAN, select the desired VLAN from the list and click the Details button.
The screen expands to display the VLAN settings.
Example The following is a simple example of how you might configure some VLANs: You want to configure a 3347NWG-VGx Gateway with two SSIDs (see “Multiple SSIDs” on page 59 for more information) for two VLANs, allowing both access to the Internet. One SSID will be in the same VLAN as the four ports of the Ethernet Switch, so that those two networks can communicate. The second VLAN will be for the other SSID.
In this case, select all the physical Ethernet ports: eth0.1 through eth0.4, and wireless ssid1. Select ip-eth-a, the IP interface for the group. This will be Inter-Vlan-Group #1. Check the Group-1 checkbox. These ports will be able to communicate with each other.
5. Click the Submit button.
6. In the VLAN page, select VLAN #2 in the VLANs list, and click the Edit button. The VLAN Name must be given another unique name. For example, call it Network B.
7. Click the Submit button.
8. In the Port Configuration for VLAN: 2 page, you add the Port Interfaces you want associated with the VLAN. Select the ip-eth-a port interface and check the ssid2 port interface. Make this VLAN a member of Inter-Vlan-Group Group-2.
9. Click the Submit button.
10. Next, create a VLAN to provide the Inter-Vlan-Groups access to the Internet (WAN). For example, call it WAN VLAN. Check the vcc1 checkbox, select the ip-vcc1 IP interface, and check the Inter-Vlan-Group Group-1 and Group-2 checkboxes. Members of Groups 1 and 2 will now be able to communicate with the Internet (WAN), but not with each other.
11. Once you have finished with the configuration of the VLANs, click the Alert icon in the upper right-hand corner. This will validate that the settings are legal for your network.
12. Click the Save and Restart link.
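The routing policy that the Inter-Vlan-Group example above produces can be checked before the Save and Restart. The following is an added example, not code from the handbook or the Gateway firmware: it models the VLAN entries (name, type, ports, IP interface, group membership, Admin Restricted), applies the limits the handbook states (16 VLANs, unique VIDs 1 to 4094 for Global VLANs, VID 0 only on the Ethernet WAN port, whose port name "eth-wan" is assumed here) and answers which VLANs can route to each other.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

MAX_VLANS = 16                  # handbook: up to 16 VLANs
VID_MIN, VID_MAX = 1, 4094      # handbook: a Global VLAN's VID is unique, 1..4094
WAN_ETHERNET_PORT = "eth-wan"   # assumed port name; VID 0 is permitted there only


@dataclass(frozen=True)
class Vlan:
    name: str
    vlan_type: str                          # "By-Port" or "Global"
    ports: FrozenSet[str]                   # e.g. eth0.1, ssid1, vcc1
    ip_interface: Optional[str] = None      # e.g. "ip-eth-a", "ip-vcc1"
    groups: FrozenSet[int] = frozenset()    # Inter-Vlan-Group memberships
    vid: Optional[int] = None               # only meaningful for Global VLANs
    admin_restricted: bool = False          # the "Admin Restricted" checkbox


def validate(vlans: List[Vlan]) -> List[str]:
    """Mimic the checks the Alert icon performs; return a list of problems."""
    problems: List[str] = []
    if len(vlans) > MAX_VLANS:
        problems.append(f"{len(vlans)} VLANs configured; the maximum is {MAX_VLANS}")
    names = [v.name for v in vlans]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            problems.append(f"VLAN name {name!r} is not unique")
    global_vids = [v.vid for v in vlans if v.vlan_type == "Global"]
    for v in vlans:
        # Inter-Vlan-Groups are only offered once an IP interface is selected
        if v.groups and v.ip_interface is None:
            problems.append(f"{v.name}: Inter-Vlan-Group membership needs an IP interface")
        if v.vlan_type != "Global":
            continue
        if v.vid is None:
            problems.append(f"{v.name}: Global VLAN requires a VID")
            continue
        if v.vid == 0 and v.ports != frozenset({WAN_ETHERNET_PORT}):
            problems.append(f"{v.name}: VID 0 is permitted on the Ethernet WAN port only")
        elif v.vid != 0 and not VID_MIN <= v.vid <= VID_MAX:
            problems.append(f"{v.name}: VID {v.vid} is outside {VID_MIN}-{VID_MAX}")
        if global_vids.count(v.vid) > 1:
            problems.append(f"{v.name}: VID {v.vid} is not unique")
    return problems


def can_route(a: Vlan, b: Vlan) -> bool:
    """Two VLANs route to each other only if they share an Inter-Vlan-Group."""
    return a is not b and bool(a.groups & b.groups)


def reachable(vlans: List[Vlan], name: str) -> List[str]:
    src = next(v for v in vlans if v.name == name)
    return sorted(v.name for v in vlans if can_route(src, v))


def may_administer(v: Vlan) -> bool:
    """Hosts on an Admin Restricted VLAN cannot reach Gateway administration."""
    return not v.admin_restricted


# The handbook's three-VLAN example, constructed here from the steps above
# (admin_restricted on Network B is added for illustration only).
NETWORK_A = Vlan("Network A", "By-Port",
                 frozenset({"eth0.1", "eth0.2", "eth0.3", "eth0.4", "ssid1"}),
                 "ip-eth-a", frozenset({1}))
NETWORK_B = Vlan("Network B", "By-Port", frozenset({"ssid2"}),
                 "ip-eth-a", frozenset({2}), admin_restricted=True)
WAN_VLAN = Vlan("WAN VLAN", "By-Port", frozenset({"vcc1"}),
                "ip-vcc1", frozenset({1, 2}))
EXAMPLE = [NETWORK_A, NETWORK_B, WAN_VLAN]

if __name__ == "__main__":
    print("problems:", validate(EXAMPLE))
    for v in EXAMPLE:
        print(f"{v.name} can route to: {reachable(EXAMPLE, v.name)}")
```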
Link: VoIP (supported models only) Voice-over-IP (VoIP) refers to the ability to make voice telephone calls over the Internet. This differs from traditional phone calls that use the Public Switched Telephone Network (PSTN). VoIP calls use an Internet protocol, Session Initiation Protocol (SIP), to transmit sound over a network or the Internet in the form of data packets. Certain Motorola Netopia® Gateway models have two separate voice ports for connecting telephone handsets.
SIP Line Entry
Registration Interval (in secs): Length of time the VoIP registration will be valid before it will be renewed. Default is 1 hour.
Registrar Server: Registration Server name or IP address.
Registrar Port: Registration Server port. Default is 5060.
Proxy Server: Proxy server name or IP address.
Proxy Port: Proxy server port, if required. Default is 5060.
Outbound Proxy Server: Outbound Proxy server name or IP address, if required.
Outbound Proxy Port: Outbound Proxy server port, if required. Default is 5060.
User Display Name: Name of this phone’s user to be displayed on the Home page. Example: “Jacob Q. Smith”
SIP User Name: Registration user ID. Example: “jqsmith”
SIP User Password: Registration user password.
The Home page for a VoIP-enabled Gateway with both phone lines registered is shown below.
Link: System The System Name defaults to your Gateway's factory identifier combined with its serial number. Some cable-oriented Service Providers use the System Name as an important identification and support parameter. The System Name can be 1 – 255 characters long; it can include embedded spaces and special characters. The Log Message Level alters the severity at which messages are collected in the Gateway's system log.
Link: Syslog Parameters You can configure a UNIX-compatible syslog client to report a number of subsets of the events entered in the Gateway’s WAN Event History. Syslog sends log-messages to a host that you specify. To enable syslog logging, click on the Syslog Parameters link. Check the Syslog checkbox. The screen expands.
• Syslog: Enable syslog logging in the system.
• Syslog Host Name/IP Address: Enter the name or the IP Address of the host that should receive syslog messages.
Log Event Messages
Administration Related Log Messages
1. administrative access attempted: This log-message is generated whenever the user attempts to access the router's management interface.
2. administrative access authenticated and allowed: This log-message is generated whenever the user attempts to access the router's management interface and is successfully authenticated and allowed access to the management interface.
3.
DSL Log Messages (most common): 5. PPP: Channel up Dialout Profile name: This log message is generated when a PPP channel comes up. 6. PPP- down: This log message is generated when a PPP channel goes down. The reason for the channel going down is displayed as well. Access-related Log Messages 1. permitted: This log-message is generated whenever a packet is allowed to traverse router-interfaces or allowed to access the router itself. 2.
Access-related Log Messages
13. dropped - reassembly timeout: This log-message is generated whenever packets, traversing the router or destined to the router itself, are dropped because of reassembly timeout.
14. dropped - illegal size: This log-message is generated whenever packets, traversing the router or destined to the router itself, are dropped during reassembly because of illegal packet size in a fragment.
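On the syslog host, the log-message texts listed above are what a collector can key on. The following is an added example, not code from the handbook or the Gateway: it classifies received lines by those message texts, counts administrative access attempts that were never followed by an "authenticated and allowed" message, and raises a flag when dropped-fragment messages pile up. The line prefix (timestamp and hostname) and the sample lines are constructed assumptions; the handbook does not show the exact wire format.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Message texts from the handbook's Log Event Messages list, mapped to a
# short category label. Matching is by prefix, longest text first.
CATEGORIES = {
    "administrative access attempted": "admin_attempt",
    "administrative access authenticated and allowed": "admin_allowed",
    "PPP: Channel up": "ppp_up",
    "PPP- down": "ppp_down",
    "permitted": "permitted",
    "dropped - reassembly timeout": "drop_reassembly",
    "dropped - illegal size": "drop_illegal_size",
}
_ORDERED = sorted(CATEGORIES, key=len, reverse=True)

# Assumed line layout as it arrives at the Syslog Host:
# "<Mon dd HH:MM:SS> <hostname> <message>". Adjust to what your collector writes.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def classify(message: str) -> Optional[str]:
    """Return the category label for a Gateway log-message, or None."""
    for text in _ORDERED:
        if message.startswith(text):
            return CATEGORIES[text]
    return None


def parse(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (category, message); 'unparsed' for lines not in the layout."""
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            yield "unparsed", line
            continue
        msg = m.group("msg")
        yield classify(msg) or "other", msg


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count lines per category."""
    return dict(Counter(cat for cat, _ in parse(lines)))


def unauthenticated_admin_attempts(lines: Iterable[str]) -> int:
    """Count 'attempted' messages with no later 'authenticated and allowed'.
    Heuristic: each 'allowed' message closes one open attempt."""
    pending = 0
    for cat, _ in parse(lines):
        if cat == "admin_attempt":
            pending += 1
        elif cat == "admin_allowed" and pending:
            pending -= 1
    return pending


def fragment_drop_alert(lines: Iterable[str], threshold: int = 3) -> bool:
    """True when at least `threshold` fragments were dropped (reassembly
    timeout or illegal size), which deserves a closer look at the source."""
    counts = summarize(lines)
    dropped = counts.get("drop_reassembly", 0) + counts.get("drop_illegal_size", 0)
    return dropped >= threshold


# Constructed sample, not captured from a real Gateway
SAMPLE_LOG = [
    "Mar  3 10:00:01 gateway administrative access attempted",
    "Mar  3 10:00:02 gateway administrative access authenticated and allowed",
    "Mar  3 10:05:10 gateway administrative access attempted",
    "Mar  3 10:05:14 gateway administrative access attempted",
    "Mar  3 10:05:19 gateway administrative access attempted",
    "Mar  3 10:06:00 gateway permitted",
    "Mar  3 10:06:30 gateway dropped - reassembly timeout",
    "Mar  3 10:06:31 gateway dropped - illegal size",
    "Mar  3 10:06:40 gateway PPP- down",
    "Mar  3 10:06:50 gateway PPP: Channel up Dialout Profile name",
    "not a syslog line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("open admin attempts:", unauthenticated_admin_attempts(SAMPLE_LOG))
    print("fragment alert:", fragment_drop_alert(SAMPLE_LOG, threshold=2))
```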
Link: Internal Servers Your Gateway ships with an embedded Web server and support for a Telnet session, to allow ease of use for configuration and maintenance. The default ports of 80 for HTTP and 23 for Telnet may be reassigned. This is necessary if a pinhole is created to support applications using port 80 or 23. See “Pinholes” on page 82 for more information on Pinhole configuration.
Link: Software Hosting Software Hosting allows you to host internet applications when NAT is enabled. User(PC) specifies the machine on which the selected software is hosted. You can host different games and software on different PCs. To select the games or software that you want to host for a specific PC, highlight the name(s) in the box on the left side of the screen. Click the Add button to select the software that will be hosted.
List of Supported Games and Software
Age of Empires, v.1.0
Age of Empires: The Rise of Rome, v.1.0
Age of Wonders
Asheron's Call
Baldur's Gate
Battlefield Communicator
Buddy Phone
Calista IP Phone
CART Precision Racing, v 1.0
Citrix Metaframe/ICA Client
Close Combat for Windows 1.0
Close Combat: A Bridge Too Far, v 2.0
Close Combat III: The Russian Front, v 1.0
Combat Flight Sim: WWII Europe Series, v 1.0
Combat Flight Sim 2: WWII Pacific Thr, v 1.
Roger Wilco
Rogue Spear
ShoutCast Server
SMTP
SNMP
SSH server
StarCraft
Starfleet Command
StarLancer, v 1.0
Telnet
TFTP
Tiberian Sun: Command and Conquer
Timbuktu
Total Annihilation
Ultima Online
Unreal Tournament Server
Urban Assault, v 1.
Link: Backup The purpose of Backup is to provide a recovery mechanism in the event that the primary connection fails. A failure can be either line loss, for example by central site switch failure or physical cable breakage, or loss of end-to-end connectivity. Detection of one of these failures causes the Gateway to switch from using the primary DSL WAN connection to an alternate gateway on the Ethernet LAN.
Once Backup is configured, a new field appears in the Home Page. If your DSL WAN link fails, you can switch to your Backup Gateway by clicking the Force Backup button. Automatic options If you select automatic as your Backup option, the screen expands to allow you to enter additional information. • Failure Timeout (minutes 1-10) – Enter the number of minutes you want the system to wait before the backup port becomes enabled in the event of primary line failure.
• From the pull-down menu, select the Interface Type to which you want to direct the backup connection. If you have defined multiple VCCs, you can choose a secondary one. Otherwise, to backup to an IP device on the LAN, choose IP Address. The screen expands to allow you to enter an IP address of your Backup Gateway. Click the Submit button; click the Alert icon, and in the resulting page, click the Save and Restart link. Once Backup is configured, a new field appears in the Home Page.
Link: Ethernet MAC Override (Only available on models with Ethernet WAN interfaces, such as the 338X-series or VDSL Gateways.) Your Gateway comes with its own MAC (Media Access Control) address, also called the Hardware Address, a 12 character number unique for each LAN-connected device. Your Service Provider, particularly cable service providers, may instruct you to override the default MAC address.
Link: Clear Options To restore the factory configuration of the Gateway, choose Clear Options. You may want to upload your configuration to a file before performing this function. You can do this using the upload command via the command-line interface. See the upload command on page 238. Clear Options does not clear feature keys or affect the software image. You must restart the Gateway for Clear Options to take effect.
Link: Time Zone When you click the Time Zone link, the Time Zone page appears. You can set your local time zone by selecting the number of hours your time zone is distant from Greenwich Mean Time (GMT +12 – -12) from the pull-down menu. This allows you to set the time zone for access controls and in general.
Security Button: Security The Security features are available by clicking on the Security toolbar button. Some items of this category do not appear when you log on as User.
Link: Passwords Access to your Gateway may be controlled through two optional user accounts, Admin and User. When you first power up your Gateway, you create a password for the Admin account. The User account does not exist by default. As the Admin, you can enter a password for the User account or change existing passwords. Create and Change Passwords.
• It can have up to eight alphanumeric characters. • It is case-sensitive. 4. Enter your new password again in the Confirm Password field. You confirm the new password to verify that you entered it correctly the first time. 5. When you are finished, click the Submit button to store your modified configuration in the Motorola Netopia® unit’s memory. Password changes are automatically saved, and take effect immediately.
Link: Firewall Use a Motorola Netopia® Firewall BreakWater Basic Firewall. BreakWater delivers an easily selectable set of pre-configured firewall protection levels. For simple implementation these settings (comprised of three levels) are readily available through Motorola Netopia®’s embedded web server interface. BreakWater Basic Firewall’s three settings are: • ClearSailing ClearSailing, BreakWater's default setting, supports both inbound and outbound traffic.
4. Click on the radio button to select the protection level you want. Click Submit. Changing the BreakWater setting does not require a restart to take effect. This makes it easy to change the setting “on the fly,” as your needs change.
To protect LAN users and their network from these types of attacks, BreakWater offers three levels of increasing protection. The following tables indicate the state of ports associated with session types, both on the WAN side and the LAN side of the Gateway. This table shows how inbound traffic is treated. Inbound means the traffic is coming from the WAN into the WAN side of the Gateway.
☛ NOTE: The Gateway’s WAN DHCP client port in SilentRunning mode is enabled. This feature allows end users to continue using DHCP-served IP addresses from their Service Providers, while having no identifiable presence on the Internet.
Link: IPSec When you click on the IPSec link, the IPSec configuration screen appears. Your Gateway can support two mechanisms for IPSec tunnels: • IPSec PassThrough supports Virtual Private Network (VPN) clients running on LAN-connected computers. Normally, this feature is enabled. You can disable it if your LAN-side VPN client includes its own NAT interoperability option. Uncheck the Enable IPSec Passthrough checkbox.
SafeHarbour IPSec VPN SafeHarbour VPN IPSec Tunnel provides a single, encrypted tunnel to be terminated on the Gateway, making a secure tunnel available for all LAN-connected users. This implementation offers the following: • Eliminates the need for VPN client software on individual PCs. • Reduces the complexity of tunnel configuration. • Simplifies the ongoing maintenance for secure remote access.
Configuring a SafeHarbour VPN Use the following procedure to configure your SafeHarbour tunnel. 1. Obtain your configuration information from your network administrator. The tables “Parameter Descriptions” on page 151 describe the various parameters that may be required for your tunnel. Not all of them need to be changed from the defaults for every VPN tunnel. Consult with your network administrator. 2.
Table 1: IPSec Tunnel Details Parameter Setup Worksheet
Columns: Parameter Name | Motorola Netopia® Gateway | Peer Gateway
Parameter Names (fill in the value for each gateway):
Peer Internal Network
Peer Internal Netmask
NAT Enable
PAT Address
Negotiation Method
Local ID Type
Local ID Address/Value
Local ID Mask
Remote ID Type
Remote ID Address/Value
Remote ID Mask
Pre-Shared Key Type
Pre-Shared Key
DH Group
PFS Enable
SA Encrypt Type
SA Hash Type
Invalid SPI Recovery
Soft MBytes
Soft Seconds
Hard MBytes
Hard Seconds
IPSec MTU
Xauth Enable
Xauth Username
Xauth Password
3. Be sure that you have SafeHarbour VPN enabled. SafeHarbour is a keyed feature. See “Install Key” on page 187 for information concerning installing Motorola Netopia® Software Feature Keys. 4. Check the Enable SafeHarbour IPSec checkbox. Checking this box will automatically display the SafeHarbour IPSec Tunnel Entry parameters. Enter the initial group of tunnel parameters. Refer to your Setup Worksheet and the “Parameter Descriptions” on page 151 as required. 5.
Parameter Descriptions The following tables describe SafeHarbour’s parameters that are used for an IPSec VPN tunnel configuration:
Table 2: IPSec Configuration page parameters (Field: Description)
Name: The Name parameter refers to the name of the configured tunnel. This is mainly used as an identifier for the administrator. The Name parameter is an ASCII value and is limited to 31 characters. The tunnel name does not need to match the peer gateway.
Table 3: IPSec Tunnel Details page parameters
Local ID Mask: If Aggressive mode is selected as the Negotiation Method, and Subnet as the Local ID Type, this field appears. This is the local (Gateway-side) subnet mask.
Remote ID Type: If Aggressive mode is selected as the Negotiation Method, this option appears. Selection options are: IP Address, Subnet, Hostname, ASCII.
Remote ID Address/Value: If Aggressive mode is selected as the Negotiation Method, this field appears.
Table 3: IPSec Tunnel Details page parameters
IPSec MTU: Some ISPs require a setting of e.g. 1492 (or other value). The default 1500 is the most common and you usually don’t need to change this unless otherwise instructed. Accepted values are from 100 – 1500. This is the starting value that is used for the MTU when the IPSec tunnel is installed. It specifies the maximum IP packet length for the encapsulated AH or ESP packets sent by the router.
Link: Stateful Inspection All computer operating systems are vulnerable to attack from outside sources, typically at the operating system or Internet Protocol (IP) layers. Stateful Inspection firewalls intercept and analyze incoming data packets to determine whether they should be admitted to your private LAN, based on multiple criteria, or blocked. Stateful inspection improves security by tracking data packets over a period of time, examining incoming and outgoing packets.
• DoS Detect: If you check this checkbox, the Gateway will monitor packets for Denial of Service attacks. • Exposed Addresses: The hosts specified in Exposed Addresses will be allowed to receive inbound traffic even if there is no corresponding outbound traffic. This is active only if NAT is disabled on a WAN interface. • Stateful Inspection Options: Enable and configure stateful inspection on a WAN interface.
You can add more exposed addresses by clicking the Add more Exposed Addresses link. A list of previously configured exposed addresses appears. Click the Add button to add a new range of exposed addresses. You can edit a previously configured range by clicking the Edit button, or delete the entry entirely by clicking the Delete button. All configuration changes will trigger the Alert Icon. Click on the Alert icon.
Stateful Inspection Options

Stateful Inspection Parameters are active on a WAN interface only if you enable them on your Gateway.

• Stateful Inspection: To enable stateful inspection on this WAN interface, check the checkbox.
• Default Mapping to Router: This is disabled by default. This option will allow the router to respond to traffic received on this interface, for example, ICMP Echo requests.
Firewall Tutorial

General firewall terms

☛ Note: Breakwater Basic Firewall (see “BreakWater Basic Firewall” on page 142) does not make use of the packet filter support and can be used in addition to filtersets.

Filter rule: A filter set is comprised of individual filter rules.
Filter set: A grouping of individual filter rules.
Firewall: A component or set of components that restrict access between a protected network and the Internet, or between two networks.
UDP: User Datagram Protocol. Unlike TCP, UDP does not guarantee reliable, sequenced packet delivery. If data does not reach its destination, UDP does not retransmit the data. RFC 768 is the specification for UDP.

There are many more ports defined in the Assigned Addresses RFC. The table that follows shows some of these port assignments.
Allow FTP access;
Deny FTP access;
Deny all other packets.

and a packet goes through these rules destined for FTP, the packet would forward through the first filter rule (WWW), match the second rule (FTP), and the packet is allowed through. Even though the next rule is to deny all FTP traffic, the FTP packet will never make it to this rule.

Implied rules

With a given set of filter rules, there is an Implied rule that may or may not be shown to the user.
Filter basics

In the source or destination IP address fields, the IP address that is entered must be the network address of the subnet. A host address can be entered, but the applied subnet mask must be 32 bits (255.255.255.255). Netopia Embedded Software Version 7.7.4 has the ability to compare source and destination TCP or UDP ports.
This incoming IP packet has a source IP address that matches the network address in the Source IP Address field in Netopia Embedded Software Version 7.7.4. This will not forward this packet.

Example 2

Filter Rule:
200.1.1.0 (Source IP Network Address)
255.255.255.128 (Source IP Mask)
Forward = No (What happens on match)

Incoming packet has the source address of 200.1.1.184.
Link: Packet Filter

When you click the Packet Filter link the Filter Sets screen appears.

Security should be a high priority for anyone administering a network connected to the Internet. Using packet filters to control network communications can greatly improve your network’s security. The Packet Filter engine allows creation of a maximum of eight Filter Sets. Each Filter Set can consist of many rules. There can be a maximum of 32 filter rules in the system.
How filter sets work

A filter set acts like a team of customs inspectors. Each filter is an inspector through which incoming and outgoing packages must pass. The inspectors work as a team, but each inspects every package individually. Each inspector has a specific task. One inspector’s task may be to examine the destination address of all outgoing packages.
How individual filters work

As described above, a filter applies criteria to an IP packet and then takes one of three actions:

• Forwards the packet to the local or remote network
• Blocks (discards) the packet
• Ignores the packet

A filter forwards or blocks a packet only if it finds a match after applying its criteria. When no match occurs, the filter ignores the packet.

A filtering rule

The criteria are based on information contained in the packets.
By matching on a port number, a filter can be applied to selected TCP or UDP services, such as Telnet, FTP, and World Wide Web.
Putting the parts together

When you display a filter set, its filters are displayed as rows in a table. The table’s columns correspond to each filter’s attributes:

• #: The filter’s priority in the set. Filter number 1, with the highest priority, is first in the table.
• Fwd: Shows whether the filter forwards (Yes) a packet or discards (No) it when there’s a match.
• Src-IP: The packet source IP address to match.
• Src-Mask: The packet source subnet mask to match.
• The host 199.211.211.17 is the source of the Telnet packets you want to block, while the destination address is any IP address. How these IP addresses are masked determines what the final match will be, although the mask is not displayed in the table that displays the filter sets (you set it when you create the filter). In fact, since the mask for the destination IP address is 0.0.0.0, the address for Destination IP address could have been anything.
Filtering example #2

Suppose a filter is configured to block all incoming IP packets with the source IP address of 200.233.14.0, regardless of the type of connection or its destination. The filter would look like this:

This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP address 200.233.14.
An approach to using filters

The ultimate goal of network security is to prevent unauthorized access to the network without compromising authorized access. Using filter sets is part of reaching that goal. Each filter set you design will be based on one of the following approaches:

• That which is not expressly prohibited is permitted.
• That which is not expressly permitted is prohibited.
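The following is an added example, not code from the handbook or the Netopia firmware: a small Python model of how a filter set evaluates a packet as described in the rule-order, filter-basics and filtering-example passages above (first match wins, address compared under the subnet mask, fall-through to the implied rule). The Packet and Filter classes, the evaluate() function and the default_fwd parameter standing in for the implied rule are assumptions of this example, chosen to mirror the two approaches listed above.

```python
# Added example (not the handbook's code): filter-set evaluation model.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = "0.0.0.0"  # address 0.0.0.0 with mask 0.0.0.0 matches every host

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # destination port for TCP/UDP

@dataclass(frozen=True)
class Filter:
    fwd: bool                       # Fwd column: Yes forwards, No discards
    src_ip: str = ANY
    src_mask: str = ANY
    dst_ip: str = ANY
    dst_mask: str = ANY
    proto: Optional[str] = None     # None = any protocol
    dport: Optional[int] = None     # None = any destination port

def in_net(addr: str, net: str, mask: str) -> bool:
    # Entered address must be the network address of the subnet; a single
    # host needs the 32-bit mask 255.255.255.255 (handbook "Filter basics").
    a, n, m = (int(IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == (n & m)

def matches(f: Filter, p: Packet) -> bool:
    return (in_net(p.src, f.src_ip, f.src_mask)
            and in_net(p.dst, f.dst_ip, f.dst_mask)
            and (f.proto is None or f.proto == p.proto)
            and (f.dport is None or f.dport == p.dport))

def evaluate(filters, p: Packet, default_fwd: bool):
    # Filters are tried in priority order (#1 first); the first match decides
    # and later rules are never reached. A packet no filter matches falls
    # through to the implied rule, modelled here by default_fwd (the page's
    # "permitted unless prohibited" vs "prohibited unless permitted").
    for n, f in enumerate(filters, start=1):
        if matches(f, p):
            return f.fwd, n             # (forwarded?, filter number)
    return default_fwd, None

# The handbook's ordering example: allow WWW, allow FTP, deny FTP, deny all.
ORDER_EXAMPLE = [Filter(True, proto="tcp", dport=80), Filter(True, proto="tcp", dport=21),
                 Filter(False, proto="tcp", dport=21), Filter(False)]
```

With ORDER_EXAMPLE an FTP packet is forwarded by filter 2 and never reaches the deny rule, and with the Example 2 filter (200.1.1.0 / 255.255.255.128, Forward = No) a packet from 200.1.1.184 matches nothing and falls through to the implied rule.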