by 3 consecutive fails, the router will determine failover to WAN2 (backup port)). 2) The failback setting follows the same decision policy as the failover. For example, according to the settings in the screenshot above, the connection probe is carried out every 30 seconds, and when 3 consecutive probes succeed, the router will fail back to WAN1 (main WAN).
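The decision policy described above, modelled as a small state machine. This is an added example, not code from the router or from Billion; it assumes the probe tests the WAN1 path, that the first probe fires one interval after start, and the class and function names are hypothetical.

```python
"""Model of the WAN failover/failback decision described above (added example)."""
from dataclasses import dataclass

PROBE_INTERVAL_S = 30     # probe period quoted in the manual's example
CONSECUTIVE_NEEDED = 3    # consecutive results required before switching


@dataclass
class WanFailover:
    active: str = "WAN1"  # WAN1 is the main port, WAN2 the backup port
    streak: int = 0       # consecutive probe results that argue for a switch

    def probe_result(self, wan1_ok: bool) -> str:
        """Feed one WAN1 probe result; return the port in use afterwards."""
        # While on WAN1 we count failures; while on WAN2 we count successes.
        argues_for_switch = (not wan1_ok) if self.active == "WAN1" else wan1_ok
        # Any contrary result resets the streak, so a flapping link never switches.
        self.streak = self.streak + 1 if argues_for_switch else 0
        if self.streak >= CONSECUTIVE_NEEDED:
            self.active = "WAN2" if self.active == "WAN1" else "WAN1"
            self.streak = 0
        return self.active


def replay(results):
    """Return [(seconds_elapsed, active_port)] for a sequence of probe results."""
    fsm = WanFailover()
    return [(i * PROBE_INTERVAL_S, fsm.probe_result(ok))
            for i, ok in enumerate(results, start=1)]


def switch_times(results):
    """Return [(seconds_elapsed, new_port)] for every change of active port."""
    previous, changes = "WAN1", []
    for elapsed, port in replay(results):
        if port != previous:
            changes.append((elapsed, port))
            previous = port
    return changes


# Constructed probe history: True = WAN1 probe succeeded, False = it failed.
SAMPLE = [True, False, False, True,      # two failures, then recovery: no switch
          False, False, False,           # three in a row: failover to WAN2
          True, True, False,             # recovery interrupted: stay on WAN2
          True, True, True]              # three in a row: failback to WAN1

if __name__ == "__main__":
    for elapsed, port in switch_times(SAMPLE):
        print(f"t={elapsed:>4}s  switched to {port}")
```

With these settings the shortest possible outage before failover is three probe periods, which is worth keeping in mind when choosing the interval.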
5.5.2 Outbound Load Balance (7600NX only) The connections are distributed over WAN1 and WAN2 so that the router can utilize the bandwidth of both WAN ports. With Outbound Load Balance, traffic may be routed to a faster link when one of the WAN links is slower or congested, so that the user gains better throughput and less delay. User can distribute outbound traffic based on Session Mechanism or IP Hash Mechanism. Based on Session Mechanism Balance by Session (Round Robin): Balance session traffic based on a round robin method.
5.5.3 Protocol Binding (7600NX only) Protocol Binding lets you direct specific traffic to go out from a specific WAN port. Policies determine how specific types of internet traffic are routed; for example, traffic from particular IP address(es) can be granted access to only one WAN port rather than using both of the WAN ports as with load balancing. Rule Index: The index marking the rule. Maximum entries can be 16. Active: Select whether to enable the rule.
5.6 Advanced Setup 5.6.1 Firewall Your router includes a firewall for helping to prevent attacks from hackers. In addition to this, when using NAT (Network Address Translation) the router acts as a “natural” Internet firewall, since all PCs on your LAN use private IP addresses that cannot be directly accessed from the Internet. Firewall: To automatically detect and block Denial of Service (DoS) attacks, such as Ping of Death, SYN Flood, Port Scan and Land Attack.
5.6.2 Routing This is the static route feature. You are equipped with the capability to control the routing of all the traffic across your network. With each routing rule created, the user can specifically assign the destination to which the traffic will be routed. #: Item number. Dest IP: IP address of the destination network. Mask: The subnet mask of the destination network. Gateway IP: IP address of the gateway or existing interface that this route uses.
ADD Route Destination IP Address: This is the destination subnet IP address. IP Subnet Mask: The subnet mask of the destination network. Gateway IP Address/Interface: This is the gateway IP address or existing interface to which packets are to be forwarded. Metric: It represents the cost of transmission for routing purposes. The number need not be precise, but it must be between 1 and 15.
5.6.3 NAT The NAT (Network Address Translation) feature transforms a private IP into a public IP, allowing multiple users to access the internet through a single IP account, sharing the single IP address. NAT breaks the originally envisioned model of IP end-to-end connectivity across the internet, so NAT can cause problems where IPSec/PPTP encryption is applied or where some application layer protocols, such as SIP phones, are located behind a NAT.
DMZ The DMZ Host is a local computer exposed to the Internet. When a particular internal IP address is set as the DMZ Host, all incoming packets are checked by the Firewall and NAT algorithms and then passed to the DMZ host, provided the received packet does not use a port number used by any other Virtual Server entry. DMZ setting for: Indicate the related WAN interface which allows the outside network to connect in and communicate. Note: Here you can see the Single IP Account/EWAN.
Virtual Server In TCP/IP and UDP networks a port is a 16-bit number used to identify which application program (usually a server) incoming connections should be delivered to. Some ports have numbers that are pre-assigned to them by the IANA (the Internet Assigned Numbers Authority), and these are referred to as “well-known ports”. Servers follow the well-known port assignments so clients can locate them. If you wish to run a server on your network that can be accessed from the WAN (i.e.
Examples of well-known and registered port numbers are shown below. For further information, please see IANA’s website at: http://www.iana.
Some tips for using DMZ and Virtual Server: Using port forwarding does have security implications, as outside users will be able to connect to PCs on your network. For this reason you are advised to use specific Virtual Server entries just for the ports your application requires, instead of using DMZ. Using DMZ results in all connection attempts from the WAN to your public IP being passed to the specified DMZ PC.
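The difference in exposure between Virtual Server entries and a DMZ host, following the dispatch rule given in the DMZ description above. This is an added example, not the router's own code: it models only unsolicited inbound packets, ignores firewall and ACL filtering, and all names, rules and addresses in it are constructed.

```python
"""Inbound NAT dispatch with Virtual Server entries and a DMZ host (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualServer:
    protocol: str      # "tcp" or "udp"
    start_port: int    # first external port of the forwarded range
    end_port: int      # last external port of the range (inclusive)
    local_ip: str      # LAN host that receives the traffic


def dispatch(protocol, port, virtual_servers, dmz_host=None):
    """Return the LAN IP an unsolicited inbound packet reaches, or None if dropped."""
    for entry in virtual_servers:
        if entry.protocol == protocol and entry.start_port <= port <= entry.end_port:
            return entry.local_ip
    # No Virtual Server entry uses this port: the DMZ host, if set, gets the packet.
    return dmz_host


def exposure_report(virtual_servers, dmz_host=None, protocol="tcp"):
    """Map each LAN host to the number of external ports (1-65535) that reach it."""
    counts = {}
    for port in range(1, 65536):
        host = dispatch(protocol, port, virtual_servers, dmz_host)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed configuration: one web server published on two TCP ports.
WEB_ONLY = [
    VirtualServer("tcp", 80, 80, "192.168.1.10"),
    VirtualServer("tcp", 443, 443, "192.168.1.10"),
]

if __name__ == "__main__":
    print("Virtual Server only :", exposure_report(WEB_ONLY))
    print("Same host as DMZ    :", exposure_report([], dmz_host="192.168.1.10"))
    print("Separate DMZ host   :", exposure_report(WEB_ONLY, dmz_host="192.168.1.20"))
```

Two forwarded ports expose two ports; naming the same machine as DMZ host exposes every port that no Virtual Server entry claims.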
5.6.4 Static DNS The Domain Name System (DNS) is a hierarchical naming system built on a distributed database for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.
5.6.5 ADSL SRA: Enable to allow seamless rate adaptation. ADSL Mode: The default setting is Auto Sync-Up. This mode will automatically detect your ADSL2+, ADSL2, G.DMT, G.lite and T1.413. In some areas, however, multimode cannot detect the ADSL2+ line code well. If this is the case, please adjust the ADSL2+ line code to G.DMT or T1.413 first. ADSL Type: There are five modes, “Annex A”, “Annex I”, “Annex A/L”, “Annex M” and “Annex A/I/J/L/M”, that the user can select for this connection.
5.6.6 QoS QoS helps you control the upload traffic of each application from LAN (Ethernet and/or Wireless) to WAN (Internet). It provides features to control the quality of throughput for each application. This is useful when there are certain types of data you want to give higher priority to, such as voice data packets being given higher priority than web data packets. QoS can be toggled Activated and Deactivated. QoS must be activated before you can edit the following options.
5.6.7 Interface Grouping (7600NXL only) Interface grouping is a function to group interfaces, known as VLAN. A Virtual LAN, commonly known as a VLAN, is a group of hosts with the common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of the physical location. A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same network switch.
You are going to group the ports and services into two working groups, as shown below.
Group Index    Group Port
0              ewan0_0,e3,e4,w2,w3,w4
1              ewan0_1,e1,e2,w1
Click PortBinding Summary to show the configuration results.
5.6.7 IPSEC Setting (7600NX only) A virtual private network (VPN) is a private network that interconnects remote (and often geographically separate) networks through primarily public communication infrastructures such as the Internet. VPNs provide security through tunneling protocols and security procedures such as encryption. For example, a VPN could be used to securely connect the branch offices of an organization to a head office network through the public Internet.
Click Add New Connection to create IPSec connections. VPN Connection Setting Active: Select Yes to activate the tunnel. Connection Name: A given name for the connection (e.g. “connection to office”). Interface: Select the interface used for the IPSec connection. When you select the EWAN interface, the IPSec tunnel transmits data via this interface to connect to the remote peer. Remote Gateway IP: The WAN IP address of the remote VPN gateway that is to be connected, establishing a VPN tunnel.
(IPv4 and IPv6 supported). Encryption Algorithm: Select the encryption algorithm from the drop-down menu. There are several options: DES and AES (128, 192 and 256). 3DES and AES are more powerful but increase latency. DES: Stands for Data Encryption Standard; it uses 56 bits as an encryption method. 3DES: Stands for Triple Data Encryption Standard; it uses 168 (56*3) bits as an encryption method. AES: Stands for Advanced Encryption Standard; you can use 128, 192 or 256 bits as the encryption method.
required. Default setting is 0.0.0.0, which disables the function. Interval: This sets the time interval between Pings to the IP function to monitor the connection status. Default interval setting is 10 seconds. Time interval can be set from 0 to 3600 seconds; 0 seconds disables the function.
Ping to the IP                          Interval (sec)   Ping to the IP Action
0.0.0.0                                 0                No
0.0.0.0                                 2000             No
xxx.xxx.xxx.xxx (A valid IP Address)    0                No
xxx.xxx.xxx.xxx (A valid IP Address)    2000             Yes, activate it in every 2000 second.
Examples: 1. LAN-to-LAN connection Two BiPAC 7600NXs want to set up a secure IPSec VPN tunnel. Note: The IPSec Settings shall be consistent between the two routers.
Head Office Side: Setup details:
Item  Function                                         Description
1     Connection Name: H-to-B                          Give a name for IPSec connection
2     Local Network: Subnet                            Select Subnet
      IP Address: 192.168.1.0                          Head Office network
      Netmask: 255.255.255.0
3     Secure Gateway Address (Hostname): 69.121.1.30   IP address of the Branch office router (on WAN side)
4     Remote Network: Subnet                           Select Subnet
      IP Address: 192.168.0.0
      Netmask: 255.255.255.
Branch Office Side: Setup details: the same operation as done in Head Office side
Item  Function                                               Description
1     Connection Name: B-to-H                                Give a name for IPSec connection
2     Local Network: Subnet                                  Select Subnet
      IP Address: 192.168.0.0                                Branch Office network
      Netmask: 255.255.255.0
3     Remote Secure Gateway Address (Hostname): 69.121.1.3   IP address of the Head office router (on WAN side)
4     Remote Network: Subnet                                 Select Subnet
      IP Address: 192.168.1.0
      Netmask: 255.255.255.
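One way to check the note that the IPSec settings must be consistent between the two routers, using the LAN-to-LAN values above. This is an added example, not part of the manual or the router firmware; the class and function names are hypothetical, the Remote Network netmasks (cut off in the tables) are assumed to mirror the peer's Local Network netmask, and the encryption value is constructed.

```python
"""Check that two IPSec LAN-to-LAN tunnel definitions mirror each other (added example)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TunnelSide:
    name: str            # Connection Name
    wan_ip: str          # this router's own WAN address
    local_net: str       # Local Network as "IP Address/Netmask"
    remote_gateway: str  # Secure Gateway Address of the peer
    remote_net: str      # Remote Network as "IP Address/Netmask"
    encryption: str      # Encryption Algorithm (constructed value below)


def _net(text):
    # strict=True rejects a "subnet" address that has host bits set.
    return ipaddress.ip_network(text, strict=True)


def mismatches(a, b):
    """Return human-readable inconsistencies between the two tunnel ends."""
    findings = []
    for here, peer in ((a, b), (b, a)):
        if ipaddress.ip_address(here.remote_gateway) != ipaddress.ip_address(peer.wan_ip):
            findings.append(f"{here.name}: gateway {here.remote_gateway} "
                            f"is not the WAN IP of {peer.name} ({peer.wan_ip})")
        if _net(here.remote_net) != _net(peer.local_net):
            findings.append(f"{here.name}: remote network {here.remote_net} "
                            f"differs from local network of {peer.name} ({peer.local_net})")
    if _net(a.local_net).overlaps(_net(b.local_net)):
        findings.append("local networks of the two sides overlap")
    if a.encryption != b.encryption:
        findings.append(f"encryption differs: {a.encryption} vs {b.encryption}")
    return findings


# Addresses from the manual's example; netmask of each Remote Network is assumed.
HEAD = TunnelSide("H-to-B", "69.121.1.3", "192.168.1.0/255.255.255.0",
                  "69.121.1.30", "192.168.0.0/255.255.255.0", "AES-128")
BRANCH = TunnelSide("B-to-H", "69.121.1.30", "192.168.0.0/255.255.255.0",
                    "69.121.1.3", "192.168.1.0/255.255.255.0", "AES-128")

if __name__ == "__main__":
    print(mismatches(HEAD, BRANCH) or "settings are consistent")
    # Constructed error: the branch side points the gateway at its own WAN IP.
    for line in mismatches(HEAD, replace(BRANCH, remote_gateway="69.121.1.30")):
        print("MISMATCH:", line)
```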
2. Host to LAN The router serves as VPN server, and the host should install the IPSec client to connect to head office through IPSec VPN.
Item  Function                                        Description
1     Connection Name: Host-to-Headoff                Give a name for IPSec connection
2     Local Network: Subnet                           Select Subnet
      IP Address: 192.168.1.0                         Head Office network
      Netmask: 255.255.255.0
3     Remote Secure Gateway (Hostname): 69.121.1.30   IP address of the Branch office router (on WAN side)
4     Remote Network: Single Address 69.121.1.
5     Proposal
5.6.8 PPTP (7600NX only) The Point-to-Point Tunneling Protocol (PPTP) is a Layer 2 tunneling protocol for implementing virtual private networks through an IP network. PPTP uses an enhanced GRE (Generic Routing Encapsulation) mechanism to provide a flow- and congestion-controlled encapsulated datagram service for carrying PPP packets. In the Microsoft implementation, the tunneled PPP traffic can be authenticated with PAP, CHAP, and Microsoft CHAP V1/V2.
and the IP should be in the same subnet as local LAN, but not occupied. Peer Network IP: Please input the subnet IP for remote network. Peer Netmask: Please input the Netmask for remote network.
5.6.9 PPTP Client (7600NX only) The PPTP client can help you dial in to the PPTP server to establish a PPTP tunnel over the Internet. A total of 4 sessions can be created for PPTP client. User select: 4 sessions for client connection by default; user1 stands for the first session, user2 for the second, etc. Connection Name: User-defined name for identification. Auth. Type: The authentication type, Pap or Chap, and MPPE 128bit Encryption.
Example: PPTP Remote Access with Windows 7 (Note: inside test with 172.16.1.233, just an example for illustration) Server Side: 1. Please move to Configuration > PPTP Server, enable the PPTP Server and add an account as “test”. The exact setting can be found in the screenshot shown below.
Client Side: 1. In Windows 7 click Start > Control Panel > Network and Sharing Center, then click Set up a new connection or network.
2. Click Connect to a workplace, and press Next. 3. Select Use my Internet connection (VPN) and press Next.
4. Input Internet address and Destination name for this connection and press Next.
5. Input the account (user name and password) and press Create.
6. Connect to the server.
7. Successfully connected. PS: You can also go to Network Connections shown below to check the detail of the connection.
Example: Configuring a LAN-to-LAN PPTP VPN Connection The branch office establishes a PPTP VPN tunnel with head office to connect two private networks over the Internet. The routers are installed in the head office and branch offices accordingly. Note: Both office LAN networks must be in different subnets with the LAN-LAN application. Server side: Head Office Set an account of “test” in PPTP server waiting to connect in from PPTP client (192.168.0.0/24).
Client Side: Branch Office The client user can set up a session connecting to the PPTP server.
5.6.10 L2TP (7600NX only) L2TP, Layer 2 Tunneling Protocol, is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy. Note: 4 sessions for dial-in connections and 4 sessions for dial-out connections. Name: User-defined name for the connection. Rule Index: The index to mark the session.
Active as default route: Commonly used in the dial-out setting. When enabled, the tunnel becomes the default route for traffic; under this circumstance, all packets will be forwarded to this tunnel and routed to the next hop. Remote Host Name: Enter the hostname of the remote VPN device. It is a tunnel identifier: the hostname sent by the remote VPN device is matched against the remote hostname provided here. If the remote hostname matches, the tunnel will be connected; otherwise, it will be dropped.
Examples: 1. Configuring a L2TP VPN - Remote Access Dial-in Connection A remote worker establishes a L2TP VPN connection with the head office using Microsoft's VPN Adapter (included with Windows XP/2000/ME, etc.). The router is installed in the head office, connected to a couple of PCs and Servers.
Configuring L2TP VPN in the Office The input IP address 192.168.1.200 will be assigned to the remote worker. Please make sure this IP is not used in the Office LAN.
Function                          Description
Name: VPN_Server                  Give a name of L2TP Connection
Connection Type: Remote Access    Select Remote Access from the Connection Type drop-down menu
Type: Dial in                     Select Dial in from the Type drop-down menu
IP Address: 192.168.1.
2. Configuring a Remote Access L2TP VPN Dial-out Connection A company’s office establishes a L2TP VPN connection with a file server located at a separate location. The router is installed in the office, connected to a couple of PCs and Servers.
Configuring L2TP VPN in the Office
Function                                    Description
Name: VPN_Client                            Give a name of L2TP Connection
Connection Type: Remote Access              Select Remote Access from the Connection Type drop-down menu
Type: Dial out                              Select Dial out from the Type drop-down menu
IP Address (or Domain Name): 69.121.1.33    A Dialed Server IP
Username: test                              An assigned username and password
Password: test
Auth. Type: Chap (Auto)                     Keep this as the default value for most cases.
Example: Configuring L2TP LAN-to-LAN VPN Connection The branch office establishes a L2TP VPN tunnel with head office to connect two private networks over the Internet. The routers are installed in the head office and branch office accordingly. Note: Both office LAN networks must be in different subnets with the LAN-LAN application.
Configuring L2TP VPN in the Head Office The IP address 192.168.1.200 will be assigned to the router located in the branch office. Please make sure this IP is not used in the head office LAN.
Function                       Description
Name: HeadOffice               Give a name of L2TP Connection
Connection Type: LAN to LAN    Select LAN to LAN from the Connection Type drop-down menu
Type: Dial in                  Select Dial in from the Type drop-down menu
IP Address: 192.168.1.200      IP address assigned to branch office network
Peer Network IP: 192.168.0.
Configuring L2TP VPN in the Branch Office The IP address 69.1.121.33 is the Public IP address of the router located in head office. If you registered the DDNS (please refer to the DDNS section of this manual), you can also use the domain name instead of the IP address to reach the router.
5.6.11 Port Isolation Port isolation is a mechanism to allow or block devices on one port (P1-P4 and WP1-WP4) from accessing devices on other ports. By default, all ports (LAN ports and WLAN ports) share one group, and devices on all these ports can access each other. The most typical example is to isolate all ports from each other, as shown below.
5.7 Access Management 5.7.1 SNMP Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. BiPAC 7600NX(L) serves as an SNMP agent which allows a manager station to manage and monitor the router through the network. SNMP: Select to enable the SNMP feature. Get Community: Type the Get Community, which is the password for the incoming Get and GetNext requests from the management station.
5.7.2 UPnP UPnP offers peer-to-peer network connectivity for PCs and other network devices, along with control and data transfer between devices. UPnP offers many advantages for users running NAT routers through UPnP NAT Traversal, and on supported systems makes tasks such as port forwarding much easier by letting the application control the required settings, removing the need for the user to control advanced configuration of their device.
5.7.3 DDNS The Dynamic DNS function allows you to alias a dynamic IP address to a static hostname, allowing users whose ISP does not assign them a static IP address to use a domain name. This is especially useful for hosting servers via your internet connection, so that anyone wishing to connect to you may use your domain name, rather than having to use your dynamic IP address, which changes from time to time. This dynamic IP address is the WAN IP address of the router, which is assigned to you by your ISP.
User can register different DDNS to different interfaces. Examples: Note that users first have to go to the Dynamic DNS registration service provider to register an account. User test registers two Dynamic Domain Names with the DDNS provider http://www.dyndns.org/ . DDNS: www.hometest.
5.7.4 ACL Access Control Listing allows you to determine which services/protocols can access the BiPAC 7600NX(L) interface from which computers. It is a management tool that allows IPs (set in Secure IP Address) to access specified embedded applications (Web, etc., as set by the user) through a specified interface (LAN, WAN or both). The examples below illustrate this in detail. The maximum number of entries is 16. ACL Rule Index: This is the item number. Secure IP Address: The default 0.0.0.
Examples: 1). Set a rule to allow only clients from LAN to have access to all embedded applications (Web, FTP, etc). Under this situation, clients from WAN cannot access the router, even with Ping. 2). Generally, we always open Ping to the WAN side, and the user can now add another ACL rule granting Ping service to WAN side clients.
5.7.5 Filter You can filter the packets by MAC address, IP address, Protocol, Port number and Application or URL. IP & MAC Filter Packet Filter Filter Type: There are three types, “IP & MAC Filter”, “Application Filter”, and “URL Filter”, that the user can select for this filter rule. Here we set IP & MAC Filter. IP & MAC Filter Editing Rule Index: This is the item number. Individual Active: Select Yes to activate the rule. Action: This is how to deal with the packets matching the rule.
application. It is recommended that this option be configured by an advanced user. 0 means “Don’t care”. Destination IP Address: The destination IP address of packets to be monitored. 0.0.0.0 means “Don’t care”. Destination SubnetMask: It is the destination IP addresses based on above destination subnet IP Destination Port Number: This is the Port that defines the application. (E.g. HTTP port 80.
Application Filter Application Filter: Select this option to activate/deactivate the Application filter. ICQ: Select this option to Allow/Deny ICQ. MSN: Select this option to Allow/Deny MSN. YMSG: Select this option to Allow/Deny Yahoo messenger. Real Audio/Video(RTSP): Select this option to Allow/Deny Real Audio/Video (RTSP).
URL Filter URL Filter: Select Activated to enable URL Filter. URL Filter Rule Index: This is the item number. Individual active: Gives control over access to a specific URL individually. For example, if you want to prohibit access to www.yahoo.com, first select Yes in the Active field, and also Yes in the Individual active field; if at some time you want to allow access to this URL, simply select No in the Individual active field.
5.7.6 CWMP (TR-069) CWMP, short for CPE WAN Management Protocol, also called TR069, is a Broadband Forum technical specification entitled CPE WAN Management Protocol (CWMP). It defines an application layer protocol for remote management of end-user devices. As a bidirectional SOAP/HTTP based protocol, it provides the communication between customer premises equipment (CPE) and Auto Configuration Server (ACS).
Periodic Inform Config Periodic Inform: Select Activated to authorize the CPE to send Inform messages to automatically connect to the ACS. Interval(s): Specify the inform interval time (sec) which the CPE uses to periodically send Inform messages to automatically connect to the ACS. When the inform interval time arrives, the CPE will send an Inform message to automatically connect to the ACS.
5.7.7 Parental Control With this feature, the router can refuse to provide internet services to the specified computer during specified time intervals. This can be very useful for parents who want to keep children from using the computer without restraint. Parent Control: Select Activated to enable this feature. MAC Address: Type the MAC address(es) you want to block from accessing the internet (access to the router is sustained). The format of MAC address could be: xx:xx:xx:xx:xx:xx .
5.7.8 SAMBA & FTP Server Samba and FTP are provided for network sharing. SAMBA Server: Select Activated to enable Samba sharing. Work Group: The same mechanism as a Microsoft workgroup; please set the Work Group name. NetBIOS Name: The sharing NetBIOS name. FTP Server: Select Activated to enable FTP sharing. FTP Server Port: Set the working port. The well-known one is 21. User can change it.
Samba Usage: 1. Go directly to Start > Run and enter \\192.168.1.254 (from LAN side), \\WAN IP (from WAN side), or \\SambaSvr. If you enter \\SambaSvr, please be sure your working PC is in the same workgroup as set in the Samba server settings above.
2. Enter the Username and password.
FTP usage: 1. Access via FTP tools Take popular FTP tool of FlashFXP for example: 1) Open FlashFXP 2) Create ftp sites (LAN IP / WAN IP, 192.168.1.254, and set the account, port). 3) Connect to the ftp site.
2. Web ftp access ftp://LAN IP (ftp://192.168.1.254) or ftp://WAN IP 1) Enter ftp://192.168.1.254 at the address bar of the web page. 2) Enter the account's username and password.
5.8 Maintenance 5.8.1 User Management In factory setting, the default accounts are admin/admin and user/user. The default account admin is authorized for web access to the router, Samba access, and FTP access. The account user/user has access only to the FTP and Samba servers, and is disabled by default. A total of 6 other accounts can be created to grant access to Samba and FTP but not to the router's web interface. Note: Please go to 5.7.
5.8.2 Time Zone The router does not have a real time clock on board; instead, it uses the Simple Network Time Protocol (SNTP) to get the current time from an SNTP server outside your network. Choose your local time zone. After a successful connection to the Internet, the router will retrieve the correct local time from the SNTP server you have specified. If you prefer to specify an SNTP server other than the defaults, simply enter its IP address as shown above.
5.8.3 Firmware Your router’s “firmware” is the software that allows it to operate and provides all its functionality. Think of your router as a dedicated computer, and the firmware as the software it runs. Over time this software may be improved and modified, and your router allows you to upgrade the software it runs to take advantage of these changes. To upgrade the firmware of BiPAC 7600NX(L), you should download or copy the firmware to your local environment first.
UPGRADE: Click UPGRADE to begin the upload process. This process may take up to two minutes. If the upload was not successful, the following screen will appear. Click Back to go back to the Firmware screen. DO NOT power down the router or interrupt the firmware upgrading while it is still in process. Improper operation could damage the router. If you accidentally power down the router, resulting in the failed upgrading, please refer to steps in restoration to restore your router to a functional state.
5.8.4 System Restart Click System Restart with option Current Settings to reboot your router. If you wish to restart the router using the factory default settings (for example, after a firmware upgrade or if you have saved an incorrect configuration), select Factory Default Settings to restore to factory default settings. You may also restore your router to factory settings by holding the small Reset pinhole button on the back of your router for more than 6 seconds while the router is turned on.
5.8.5 Diagnostics Tool The Diagnostic Test page shows the test results for the connectivity of the physical layer and protocol layer for both LAN and WAN sides.
EWAN: Click START to begin to diagnose the connection.
Chapter 6 Troubleshooting If the router is not functioning properly, you can refer first to this chapter for simple troubleshooting before contacting your service provider. This could save you time and effort, but if the symptoms persist, then consult your service provider.
Problems starting up the router
Problem: None of the LEDs are on when you turn on the router.
Corrective Action: Check the connection between the adapter and the router. If the error persists, you may have a hardware problem.
Frequent loss of DSL linesync (disconnections). Ensure that all other devices connected to the same telephone line as your router (e.g. telephones, fax machines, analogue modems) have a line filter connected between them and the wall socket (unless you are using a Central Splitter or Central Filter installed by a qualified and licensed electrician), and ensure that all line filters are correctly installed and the right way around.
APPENDIX Product Support and Contact Information Most problems can be solved by referring to the Troubleshooting section in the User’s Manual. If you cannot resolve the problem with the Troubleshooting chapter, please contact the dealer where you purchased this product. Contact Billion WORLDWIDE http://www.billion.com MAC OS is a registered Trademark of Apple Inc. Windows 7, Windows Vista, Windows XP, Windows 2000, Windows 98/Me and Windows NT are registered Trademarks of Microsoft Corporation.
Federal Communication Commission Interference Statement This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.