Administrator’s Handbook
Motorola Netopia Embedded Software Version 8.7.
Copyright
Copyright © 2007 by Motorola, Inc. All rights reserved. No part of this publication may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation or adaptation) without written permission from Motorola, Inc. Motorola reserves the right to revise this publication and to make changes in content from time to time without obligation on the part of Motorola to provide notification of such revision or change.
Contents
Chapter 1 — Introduction  1-1
  What’s New in 8.7.4  1-1
  Telnet-based Management  1-2
    Motorola Netopia® Telnet Menus  1-2
    Motorola Netopia® Models  1-3
    Screen differences
  Ethernet Switching/Policy Setup  3-12
    Associating Inter-VLAN Routing Groups  3-17
    Adding a RADIUS Profile  3-18
    Adding Port interfaces  3-20
    Changing or Deleting a VLAN  3-23
    Changing or Deleting an Authentication Server Configuration
  MultiNAT Configuration  4-6
    Easy Setup Profile configuration  4-6
    Server Lists and Dynamic NAT configuration  4-7
    System Configuration  4-7
    Modifying map lists  4-12
  Adding Server Lists  4-15
    Modifying server lists
  Configuring a Dial-Up Networking profile
  Windows XP Client Configuration
  Connecting using Dial-Up Networking
  Allowing VPNs through a Firewall
    PPTP example
    ATMP example
  Windows Networking Broadcasts
  Connection Profiles  7-30
  Multicast Forwarding  7-32
    Virtual Router Redundancy (VRRP)  7-34
    Additional LANs  7-38
Chapter 8 — Line Backup  8-1
  Configuring Backup  8-1
    Connection Profiles
  Telnet Tiered Access – Two Password Levels  10-1
    UPnP Support  10-2
    Superuser configuration  10-3
    Limited user configuration  10-3
  Advanced Security Options  10-5
    RADIUS server authentication  10-6
    TACACS+ server authentication
Chapter 11 — Utilities and Diagnostics  11-1
  Ping  11-2
  Trace Route  11-4
  Telnet Client  11-5
  Factory Defaults  11-6
  Transferring Configuration and Software Files with TFTP  11-6
    Updating software
Chapter 1
Introduction
This Administrator’s Handbook covers the advanced features of the Motorola Netopia® ENT Enterprise-Series Router family. Your Motorola Netopia® equipment offers advanced configuration features accessed through the Main Menu of the Telnet configuration screen. This Administrator’s Handbook documents the advanced features, including advanced testing, security, monitoring, and configuration.
Telnet-based Management
Telnet-based management is a fast, menu-driven interface to the capabilities built into Motorola Netopia® Embedded Software Version 8.7.4. It provides access to a wide variety of features that the Router supports, and you can customize these features for your individual setup. This chapter describes how to access the Telnet-based management screens.
• The WAN Configuration menu displays and permits changing your connection profile(s), Virtual Private Networks (VPNs), and default profile; creating or deleting additional connection profiles; and configuring or reconfiguring the way in which you use the Router to connect to more than one service provider or remote site. See “WAN Configuration,” beginning on page 2-1. See also Chapter 5, “Virtual Private Networks (VPNs).”
Connecting through a Telnet Session
Features of Motorola Netopia® Embedded Software Version 8.7.4 can be configured through the Telnet screens. Before you can access the console screens through Telnet, you must have:
• A network connection locally to the Router or IP access to the Router.
Navigating through the Telnet Screens
Use your keyboard to navigate the Motorola Netopia® Embedded Software Version 8.7.4 configuration screens, enter and edit information, and make choices. The following table lists the keys to use to navigate through the Telnet screens.
  To...    Use These Keys...
Chapter 2
WAN Configuration
This chapter describes how to use the Telnet-based management screens to access and configure advanced features of your equipment. You can customize these features for your individual setup. These menus provide a powerful method for experienced users to set up their Router’s connection profile configuration.
WAN Ethernet Configuration
  WAN Ethernet Configuration
    Address Translation Enabled:   Yes
    Obtain WAN address via DHCP:   On
    NAT Map List...                Easy-PAT List
    NAT Server List...             Easy-Servers
    NAT Options...
    Stateful Inspection Enabled:   No
    Filter Set...
    Remove Filter Set
    WAN Ethernet Speed Setting...  Auto-Negotiation
    Wan Ethernet MAC Address:      00:0f:cc:0b:9d:ce
    DHCP Client Mode:              Standards-Based
    RIP Options...
  Set up the basic IP attributes of your Ethernet Module in this screen.
• 100 Mbps Full Duplex
• 100 Mbps Half Duplex
• 10 Mbps Full Duplex
• 10 Mbps Half Duplex
• 100 Mbps, Full Duplex, Fixed
• 100 Mbps, Half Duplex, Fixed
• 10 Mbps, Full Duplex, Fixed
• 10 Mbps, Half Duplex, Fixed
This may be useful in mixed networks, where multiple routers have different Ethernet speed capabilities.
The Transmit RIP pop-up menu is hidden if NAT is enabled. Routing Information Protocol (RIP) is needed if there are IP routers on other segments of your Ethernet network that the Motorola Netopia® Router needs to recognize. Set to “Both” (the default), Motorola Netopia® Embedded Software Version 8.7.4 will accept information from either RIP v1 or v2 routers. Alternatively, select Receive RIP and select v1, v2, or v2 MD5 Authentication from the pop-up menu.
5. For model 3341 and 3366C ADSL modems, a Wiring Type pop-up menu allows you to choose the type of copper pair wiring in use at your location. For all other models this option is preset and does not appear. Usually, the default AutoSense will detect the type and adjust itself accordingly. If you want to set it yourself, and you know the type of wiring you have, choose either Tip/Ring (Inner Pair) or A/A1 (Outer Pair) from the pop-up menu.
6.
  ATM Circuits Configuration
    Show/Change Circuit...
    Add Circuit...
    Delete Circuit...
8. To add a circuit, select Add Circuit and press Return. The Add Circuit screen appears.
  Add Circuit
    Circuit Name:                     Circuit 2
    Circuit Enabled:                  Yes
    Circuit VPI (0-255):              0
    Circuit VCI (32-65535):
    QoS...
    Peak Cell Rate (0 = line rate):
    Use Connection Profile...
The default ATM class of service is UBR.
Quality of Service (QoS) settings
Note: QoS settings are not available on Ethernet-to-Ethernet WAN models.
• Select the QoS (Quality of Service) setting from the pop-up menu: UBR, CBR, or VBR.
  UBR: No configuration is needed for UBR VCs. Leave the default value 0 (maximum line rate).
  CBR: One parameter is required for CBR VCs. Enter the Peak Cell Rate that applies to the VC. This value should be between 1 and the line rate.
Note: With multiple VCs you must explicitly statically bind the second (and all subsequent) VCs to a profile. The first VC will automatically statically bind according to pre-defined dynamic binding rules when you add the second VC. It will revert to dynamic binding if the number of VCs is reduced to one; for example, by deleting previously defined VCs.
Main Menu > WAN Configuration > Add Connection Profile
The Add Connection Profile screen appears.
  Add Connection Profile
    Profile Name:          Profile 1
    Profile Enabled:       Yes
    Encapsulation Type...  RFC1483
    RFC1483 Mode...        Bridged 1483
    IP Profile Parameters...
    COMMIT    CANCEL
  Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
  Configure a new Conn. Profile. Finished? COMMIT or CANCEL to exit.
1. Select Profile Name and enter a name for this connection profile.
• If you selected PPP or RFC1483, the screen offers different options:
  Add Connection Profile (RFC1483)
    Profile Name:          Profile 1
    Profile Enabled:       Yes
    Encapsulation Type...
    RFC1483 Mode...        pop-up: Bridged 1483 / Routed 1483
    IP Profile Parameters...
    COMMIT
  Add Connection Profile (PPP)
    Profile Name:          Profile 1
    Profile Enabled:       Yes
    Encapsulation Type...
    Underlying Encapsulation...
    PPP Mode...
    Encapsulation Options...
  Datalink (PPP/MP) Options
    Data Compression...     Standard LZS
    Send Authentication...  PAP
    Send User Name:
    Send Password:
    Receive User Name:
    Receive Password:
• Data Compression defaults to Standard LZS. You can select Ascend LZS, if you are connecting to compatible equipment, or None from the pop-up menu.
• The Send Authentication pop-up menu lets you select PAP, CHAP, or None.
  IP Profile Parameters
    Address Translation Enabled:  Yes
    IP Addressing...              Numbered
    NAT Map List...               Easy-PAT List
    NAT Server List...            Easy-Servers
    NAT Options...
    Stateful Inspection Enabled:  No
    Local WAN IP Address:         0.0.0.0
    Local WAN IP Mask:            0.0.0.0
    Filter Set...
    Remove Filter Set
    RIP Profile Options...
  Return/Enter to select ...
  Configure IP requirements for a remote network connection here.
6. Toggle or enter your IP Parameters.
• RIP Profile Parameters
  Receive RIP: pop-up menu
    Off
    v1
    v2
    Both v1 and v2
    v2 MD5 Authentication
The Receive RIP pop-up menu controls the reception and transmission of Routing Information Protocol (RIP) packets on the WAN port. The default is Both v1 and v2. A Transmit RIP pop-up menu is hidden if NAT is enabled.
  PPPoE Options
    PPPoA Autodetect:  No
  Return/Enter accepts * Tab toggles * ESC cancels.
Toggle PPPoA Autodetect to On. If your ISP is using PPPoE, the connection will be made normally. If your ISP is using PPPoA, when the Motorola Netopia® Gateway detects this, it will automatically switch to PPPoA transparently.
8. Return to the Add Connection Profile screen by pressing Escape.
9. Select COMMIT and press Return. Your new Connection Profile will be added.
You can also delete Connection Profiles by selecting them in the same manner using the Delete Connection Profile option in the WAN Configuration screen.
Advanced Connection Options
Depending on your model, the Advanced Connection Options screen offers a variety of powerful options for advanced users. Screens shown in this section may vary from what your particular model displays.
  Advanced Connection Options
    The Router will now be restarted to allow this feature to function properly.
    Are you sure you want to do this?
    CANCEL    CONTINUE
Toggling from Yes to No makes the router ready to be configured.
Scheduled Connections
  Scheduled Connections
    Display/Change Scheduled Connection...
    Add Scheduled Connection...
    Delete Scheduled Connection...
  Navigate from here to add/modify/change/delete Scheduled Connections.
Viewing scheduled connections
To display a table of scheduled connections, select Display/Change Scheduled Connection in the Scheduled Connections screen. Each scheduled connection occupies one row of the table.
  Scheduled Connections
    Days    Begin At    HH:MM    When    Conn. Prof.
• The time of day that the connection will Begin At
• The duration of the connection (HH:MM)
• Whether it’s a recurring Weekly connection or used Once Only
• Which connection profile (Conn. Prof.) is used to connect
• Whether the scheduled connection is currently Enabled
The Router checks the date and time set in scheduled connections against the system date and time.
• Demand-Allowed, meaning that this schedule will permit a demand call on the line.
• Demand-Blocked, meaning that this schedule will prevent a demand call on the line.
• Periodic, meaning that the connection is retried several times during the scheduled time.
1:3 (or 1:03) would be accepted as 3 minutes after one o’clock. The entry 7:0 (or 7:00) would be accepted as seven o’clock, exactly. The entries 44, :5, and 2: would be rejected.
• Select AM or PM and choose AM or PM from the pop-up menu.
• Select Scheduled Window Duration Per Day and enter the maximum duration allowed for this scheduled connection, per call.
• Retry interval (minutes) becomes visible if you have selected Random Retry.
Note: You must enter the time in the format H:M, where H is a one- or two-digit number representing the hour and M is a one- or two-digit number representing the minutes. The colon is mandatory. For example, the entry 1:3 (or 1:03) would be accepted as 3 minutes after one o’clock. The entry 7:0 (or 7:00) would be accepted as seven o’clock, exactly. The entries 44, :5, and 2: would be rejected.
• Select AM or PM and choose AM or PM.
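The Begin At syntax in the note above, together with the Weekly/Once Only and Demand-Allowed/Demand-Blocked/Periodic schedule types, can be checked in code. The following Python is an added example, not code from the handbook or from Motorola: it validates entries the way the note describes (1:3, 1:03, 7:0 and 7:00 accepted; 44, :5 and 2: rejected) and decides whether a schedule window is active at a given system time, which is the comparison the Router makes against its system date and time. The weekday labels, the date field for Once Only schedules, the 1 to 12 hour range on the 12-hour clock, and the default used when no demand schedule is active are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

# Begin At entries use the H:M form from the handbook: one- or two-digit hour,
# mandatory colon, one- or two-digit minutes, on a 12-hour clock with a
# separate AM/PM field. Durations (Scheduled Window Duration Per Day) use HH:MM.
BEGIN_AT_RE = re.compile(r"^(\d{1,2}):(\d{1,2})$")
DURATION_RE = re.compile(r"^(\d{1,2}):(\d{2})$")
DAY_ABBR = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # constructed labels


def parse_begin_at(text: str, ampm: str) -> tuple:
    """Return (hour24, minute); raise ValueError for entries the menu rejects."""
    m = BEGIN_AT_RE.match(text.strip())
    if not m:
        raise ValueError(f"rejected Begin At entry: {text!r}")
    hour, minute = int(m.group(1)), int(m.group(2))
    # The 1..12 hour range is an assumption; the handbook only shows the syntax.
    if not 1 <= hour <= 12 or not 0 <= minute <= 59:
        raise ValueError(f"Begin At out of range: {text!r}")
    if ampm == "AM":
        return (0 if hour == 12 else hour), minute
    if ampm == "PM":
        return (12 if hour == 12 else hour + 12), minute
    raise ValueError("AM/PM must be 'AM' or 'PM'")


def parse_duration(text: str) -> timedelta:
    """Scheduled Window Duration Per Day, given as HH:MM."""
    m = DURATION_RE.match(text.strip())
    if not m or int(m.group(2)) > 59:
        raise ValueError(f"rejected duration: {text!r}")
    return timedelta(hours=int(m.group(1)), minutes=int(m.group(2)))


@dataclass
class ScheduledConnection:
    days: frozenset            # weekday abbreviations for Weekly schedules
    begin_at: str              # "H:M"
    ampm: str                  # "AM" or "PM"
    duration: str              # "HH:MM"
    when: str                  # "Weekly" or "Once Only"
    how: str                   # "Demand-Allowed", "Demand-Blocked" or "Periodic"
    conn_prof: str             # connection profile name
    enabled: bool = True
    once_date: Optional[date] = None   # assumed date field for Once Only schedules


def window_active(s: ScheduledConnection, now: datetime) -> bool:
    """True when 'now' lies inside the schedule's window on an applicable day."""
    if not s.enabled:
        return False
    hour, minute = parse_begin_at(s.begin_at, s.ampm)
    length = parse_duration(s.duration)
    # A window that starts late in the day can run past midnight, so test a
    # window starting on today's date and one starting on yesterday's.
    for back in (0, 1):
        start_day = now.date() - timedelta(days=back)
        if s.when == "Weekly" and DAY_ABBR[start_day.weekday()] not in s.days:
            continue
        if s.when == "Once Only" and start_day != s.once_date:
            continue
        start = datetime.combine(start_day, time(hour, minute))
        if start <= now < start + length:
            return True
    return False


def demand_call_permitted(schedules, now: datetime, default: bool = True) -> bool:
    """Demand-Blocked outranks Demand-Allowed when both windows are active; with
    no active demand schedule the caller's default applies (an assumption)."""
    active = [s for s in schedules if window_active(s, now)]
    if any(s.how == "Demand-Blocked" for s in active):
        return False
    if any(s.how == "Demand-Allowed" for s in active):
        return True
    return default
```

Keeping the syntax check separate from the range check makes the rejection reason explicit: the three rejected entries in the note fail on the missing or misplaced colon, not on their values.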
Diffserv Options
Motorola Netopia® Embedded Software Version 8.7.4 offers Differentiated Services (Diffserv) enhancements. These enhancements allow your Router to make Quality of Service (QoS) decisions about what path Internet traffic, such as Voice over IP (VoIP), should travel across your network.
  Diffserv Options
    Diffserv Enabled:  Yes
    Lo/Hi Ratio:       0
    Show/Change Rules...
    Add Rules...
  Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
• Enter a value from 60 to 100 (percent) in the Lo/Hi Ratio field. Differentiated Services uses the low-to-high priority queue ratio to regulate traffic flow. For example, to provide the least possible latency and highest possible throughput for high priority traffic, you could set the ratio to 100(%).
bandwidths from 20 kbps to 90 kbps, depending on the CODEC setting, compared to the total throughput bandwidth of the Gateway and the network. There will usually be fewer than two or three packets pending in any queue in the Gateway during the conversation.
• Priority – This is the Quality of Service setting for the rule, based on the TOS bit information. Select assure, expedite, or off (default) from the pop-up menu. The following table outlines the TOS bit settings and behavior:
  QoS Setting   TOS Bit Value   Behavior
  off           TOS=000         This custom rule is disabled. You can activate it by selecting one of the two settings below. This setting allows you to pre-define flows without actually activating them.
Main Menu > WAN Configuration > Advanced Connection Options
The Advanced Connection Options screen appears.
  Advanced Connection Options
    Configuration Changes Reset WAN Connection:  Yes
    Scheduled Connections...
    Backup Configuration...
    Prioritize Delay-Sensitive Data:             No
    Diffserv Options...
    VRRP Options...
  Return/Enter to configure SA Backup Parameters.
The Router will recognize a delay-sensitive packet as having the low-latency bit set in the TOS field of the IP header.
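As an added example that is not from the handbook, the following Python shows where the low-latency bit sits in the IPv4 TOS byte and how a packet is classified on it, which is the check the sentence above describes. The bit positions are those of RFC 791 and RFC 1349 (bit 4 of the TOS byte, mask 0x10, is "minimize delay"); the 20-byte header builder, the sample addresses and the two-queue split are constructed test scaffolding and are not the Router's internal design.

```python
import struct

# IPv4 TOS byte (RFC 791 / RFC 1349): bits 7-5 precedence, bit 4 minimize delay
# (the low-latency bit), bit 3 maximize throughput, bit 2 maximize reliability,
# bit 1 minimize cost, bit 0 reserved.
TOS_LOW_DELAY = 0x10
TOS_THROUGHPUT = 0x08
TOS_RELIABILITY = 0x04
TOS_LOW_COST = 0x02


def build_ipv4_header(tos: int, src: str, dst: str, proto: int = 17) -> bytes:
    """Construct a minimal 20-byte IPv4 header as sample input (checksum left
    at zero; constructed data, not a capture)."""
    def ip(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       ip(src), ip(dst))


def ipv4_tos(packet: bytes) -> int:
    """Return the TOS byte (second header byte) of an IPv4 packet; reject
    anything that is too short or not version 4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1]


def parse_tos(tos: int) -> dict:
    """Break a TOS byte into its precedence value and type-of-service flags."""
    return {
        "precedence": tos >> 5,
        "low_delay": bool(tos & TOS_LOW_DELAY),
        "throughput": bool(tos & TOS_THROUGHPUT),
        "reliability": bool(tos & TOS_RELIABILITY),
        "low_cost": bool(tos & TOS_LOW_COST),
    }


def is_delay_sensitive(packet: bytes) -> bool:
    """The handbook's rule: a packet is delay-sensitive when the low-latency
    bit is set in the TOS field of its IP header."""
    return bool(ipv4_tos(packet) & TOS_LOW_DELAY)


def split_queues(packets) -> dict:
    """Place delay-sensitive packets in a high-priority queue and everything
    else in a low-priority queue (a two-queue model assumed for illustration)."""
    queues = {"high": [], "low": []}
    for p in packets:
        queues["high" if is_delay_sensitive(p) else "low"].append(p)
    return queues
```

Because the D bit is set by the sending host, a classifier that trusts it is only as good as the marking policy at the network edge; on an untrusted LAN, checking what share of traffic arrives with the bit set is a cheap way to spot hosts that mark everything as delay-sensitive to jump the queue.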
VRRP Options
  WAN Link Failure Detection:
    Ping Enable:  Off
  Return/Enter accepts * Tab toggles * ESC cancels.
Toggle Ping Enable to On and press Return. The Ping settings options appear.
Chapter 3
System Configuration
This chapter describes how to use the Telnet-based management screens to access and configure advanced features of your equipment. You can customize these features for your individual setup. These menus provide a powerful method for experienced users to set up their Router’s system configuration.
System Configuration Features
The Motorola Netopia® Router’s default settings may be all you need to configure.
  System Configuration
    IP Setup...
    Filter Sets...
    IP Address Serving...
    Network Address Translation (NAT)...
    Stateful Inspection...
    VLAN Configuration...
    Date and Time...
    Wireless Configuration...
    Console Configuration
    SNMP (Simple Network Management Protocol)...
    Security...
    Upgrade Feature Set...
    Router/Bridge Set...
    Router IGMP (Internet Group Management Protocol)...
    Logging...
  Use this screen if you want options beyond Easy Setup.
Stateful Inspection
Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. Stateful inspection can be enabled on a Connection Profile whether NAT is enabled or not. You can configure UDP and TCP “no-activity” periods that will also apply to NAT time-outs if stateful inspection is enabled on the interface. Stateful Inspection parameters are active on a WAN interface only if enabled on your Gateway.
  Stateful Inspection
    UDP no-activity timeout (sec):  180
    TCP no-activity timeout (sec):  14400
    Add Exposed Address List...
    Exposed Address Associations...
  Return/Enter goes to new screen.
  Return/Enter to configure Xposed IP addresses.
The Add Exposed Address List screen appears.
  Add Exposed Address List
    Exposed Address List Name:  xposed_list_1
  Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
  Add Exposed Address List
    Exposed Address List Name:  xposed_list_1
    Add Exposed Address Range...
  Return/Enter goes to new screen.
Select Add Exposed Address Range and press Return. The Exposed Address Range screen appears.
  Add Exposed Address Range ("xposed_list_1")
    First Exposed Address:  0.0.0.0
    Last Exposed Address:   0.0.0.0
    Protocol...             ANY
    ADD EXPOSED ADDRESS RANGE    CANCEL
  Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx).
  Add Exposed Address Range ("xposed_list_1")
    First Exposed Address:  192.168.1.10
    Last Exposed Address:
    Protocol...             pop-up: TCP and UDP / TCP / UDP / ANY
    ADD EXPOSED ADDRESS RANGE    CANCEL
  Add Exposed Address Range ("xposed_list_1")
    First Exposed Address:  192.168.1.10
    Last Exposed Address:   192.168.1.12
    Protocol...
You can edit or delete exposed address lists by selecting Show/Change Exposed Address List or Delete Exposed Address List. A list of previously configured exposed addresses appears. This allows you to select an exposed address list for editing or deletion.
  Add Exposed Address List
    Exposed Address Range            Protocol
    192.168.1.10  192.168.1.
  IP Profile Parameters
    Address Translation Enabled:  Yes
    IP Addressing...              Numbered
    NAT Map List...               Easy-PAT List
    NAT Server List...            Easy-Servers
    NAT Options...
    Stateful Inspection Enabled:  No
    Local WAN IP Address:         0.0.0.0
    Local WAN IP Mask:            0.0.0.0
    Filter Set...
    Remove Filter Set
    RIP Profile Options...
  Return/Enter to select ...
  Configure IP requirements for a remote network connection here.
  Stateful Inspection Parameters
    Max. TCP Sequence Number Difference:  0
    Enable default mapping to router:     No
    Deny Fragmented Packets:              No
    Exposed Address List...
  Enter max. allowed TCP sequence number difference (1 - 65535), 0 to disable.
• Max. TCP Sequence Number Difference: Enter a value in this field. This value represents the maximum sequence number difference allowed between subsequent TCP packets. If this number is exceeded, the packet is dropped.
  Stateful Inspection Parameters (with the Exposed Address List Name pop-up open)
    Max. TCP Sequence Number Difference:  0
    Enable default mapping to router:     No
    Deny Fragmented Packets:              No
    Exposed Address List...               pop-up: xposed_list_1
  Up/Down Arrows to select, then Return/Enter; ESC to cancel.
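The following Python models the behaviour this Stateful Inspection section describes: outbound traffic creates a flow entry; inbound traffic is accepted only against an entry that has not passed its UDP (180 s) or TCP (14400 s) no-activity timeout; an exposed address range whose protocol matches admits unsolicited inbound traffic; Deny Fragmented Packets drops fragments; and Max. TCP Sequence Number Difference drops a packet whose sequence number jumps further than allowed (0 disables the check). It is an added example, not Motorola's implementation. The packet records, addresses and timestamps are constructed, and tracking the last sequence number per flow direction is a simplification of how a real inspector follows TCP state.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = LAN to WAN, "in" = WAN to LAN (constructed records)
    proto: str          # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0        # TCP sequence number (ignored for UDP)
    fragment: bool = False


@dataclass(frozen=True)
class ExposedRange:
    """One row of an Exposed Address List: first/last address and protocol
    ("TCP", "UDP", "TCP and UDP" or "ANY"), as on the Add Exposed Address Range screen."""
    first: str
    last: str
    protocol: str = "ANY"

    def matches(self, pkt: Packet) -> bool:
        addr = ip_address(pkt.dst)
        if not ip_address(self.first) <= addr <= ip_address(self.last):
            return False
        return self.protocol == "ANY" or pkt.proto in self.protocol.split(" and ")


class StatefulInspector:
    """Minimal model of the handbook's settings; not the Gateway's own code."""

    def __init__(self, udp_timeout=180, tcp_timeout=14400, max_seq_diff=0,
                 deny_fragments=False, exposed=()):
        self.udp_timeout = udp_timeout
        self.tcp_timeout = tcp_timeout
        self.max_seq_diff = max_seq_diff      # 0 disables the check, as on the screen
        self.deny_fragments = deny_fragments
        self.exposed = list(exposed)
        self.table = {}                       # flow key -> [last_activity, {direction: seq}]

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Normalise so that an inbound reply maps onto the outbound flow that opened it.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        for key, (last, _) in list(self.table.items()):
            timeout = self.udp_timeout if key[0] == "UDP" else self.tcp_timeout
            if now - last > timeout:
                del self.table[key]

    def process(self, pkt: Packet, now: float) -> str:
        """Return 'allow: <reason>' or 'drop: <reason>' for one packet."""
        self._expire(now)
        if self.deny_fragments and pkt.fragment:
            return "drop: fragmented packet"
        key = self._key(pkt)
        entry = self.table.get(key)
        if pkt.direction == "out":
            if entry is None:
                entry = self.table[key] = [now, {}]
        elif entry is None:
            # No live flow: only an exposed address admits unsolicited inbound traffic.
            if any(r.matches(pkt) for r in self.exposed):
                return "allow: exposed address"
            return "drop: unsolicited inbound"
        last_seq = entry[1].get(pkt.direction)
        if (pkt.proto == "TCP" and self.max_seq_diff and last_seq is not None
                and abs(pkt.seq - last_seq) > self.max_seq_diff):
            return "drop: TCP sequence number difference"
        entry[0] = now                       # any accepted packet resets the idle timer
        entry[1][pkt.direction] = pkt.seq
        return "allow: outbound" if pkt.direction == "out" else "allow: established flow"
```

The defaults on the screen are worth reading against this model: a 14400-second TCP idle timeout keeps a return path open for four hours after the last packet, so an exposed address range should be kept as narrow as the service needs, and Deny Fragmented Packets is the setting that stops fragments from bypassing the port-based checks.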
VLAN Configuration
Overview
A Virtual Local Area Network (VLAN) is a network of computers or other devices that behave as if they are connected to the same wire even though they may be physically located on different segments of a LAN. You set up VLANs by configuring the Gateway software rather than hardware. This makes VLANs very flexible. VLANs behave like separate and independent networks. Beginning with Version 8.7.4, VLANs are strictly layer 2 entities.
Ethernet Switching/Policy Setup
Before you configure any VLANs, an unconfigured Gateway is set up as a router composed of a LAN switch, a WAN switch, and a router in the middle, with LAN and WAN IP interfaces connected to their respective switches. These bindings between Ethernet switch ports, IP LAN interface, IP WAN interface and WAN physical ports are automatically created.
An example of multiple VLANs, using a Netopia Router with VGx managed switch technology, is shown below:
[Figure: A VLAN Model Combining Bridging and Routing]
To configure VLANs, select VLAN Configuration in the System Configuration screen and press Return. The VLAN Configuration screen appears.
  VLAN Configuration
    VLAN Enable:  Off
  Set Up VLAN from this and the following Menus.
Toggle VLAN Enable to On and press Return. The Add VLAN selection appears.
  VLAN Configuration
    VLAN Enable:  On
    Add VLAN...
    Authentication Server Configuration...
  Return/Enter to select ...
  Set Up VLAN from this and the following Menus.
The Add VLAN screen appears.
  Add VLAN...
    VLAN ID (1-4094):      0
    VLAN Type...           port-based
    VLAN Name:
    VLAN Network:
    Inter-VLAN-Routing...
    802.1x:                No
    Once a VLAN has been successfully added, configure ports using the "Add Port Interface" option of the "Display/Change VLAN" menu.
    ADD VLAN    CANCEL
  Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
  Configure a new VLAN and its associated ports.
• VLAN Network – From the VLAN Network pop-up menu select None, Primary LAN, a Connection Profile (for the IP networking configuration) or, if you have configured an Additional LAN (ALAN), an Additional LAN. See “Additional LANs” on page 7-38.
  Add VLAN... (VLAN Network pop-up)
    Name                 IP Address
    Primary LAN          192.168.1.1
    Additional LAN 1     0.0.0.0
    Additional LAN 2     1.1.1.1
    Easy Setup Profile   127.0.0.
Associating Inter-VLAN Routing Groups
Note: You must first ADD the VLAN before associating the Inter-VLAN-Routing Groups or the Port Interfaces. Once you have added the VLAN, you access the Inter-VLAN-Routing screen and the Add Port Interface screen by selecting Display/Change VLAN from the VLAN Configuration screen.
Adding a RADIUS Profile
• Authentication Profile – If you toggle 802.1x to Yes, this option displays. Select Authentication Profile and press Return. If you have RADIUS server profiles already defined, the pop-up menu allows you to select one for use with this VLAN. If none are defined, the pop-up menu offers the option to configure a RADIUS Profile.
Caution! If you enable 802.
  Add Server Profile
    Profile Name:                       Authentication Profile 1
    Remote Server Addr/Name:
    Remote Server Secret:
    Alt Remote Server Addr/Name:
    Alt Remote Server Secret:
    RADIUS Identifier:
    RADIUS Server Authentication Port:  1812
    ADD PROFILE    CANCEL
  Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
  Configure a new RADIUS or TACACS profile.
Adding Port interfaces
Note: You must first ADD the VLAN before associating the Inter-VLAN-Routing Groups or the Port Interfaces. Once you have added the VLAN, you access the Inter-VLAN-Routing screen and the Add Port Interface screen by selecting Display/Change VLAN from the VLAN Configuration screen.
Once you have created a VLAN entry you must associate it with a port interface.
  Display/Change VLAN...
    VLAN ID (1-4094):      1
    VLAN Type...           port-based
    VLAN Name:             Network A
    VLAN Network:          Easy Setup Profile
    Inter-VLAN-Routing...  1, 2
    802.1x:                No
    Add Port Interface...
  Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
Select Add Port Interface and press Return. The Add Port Interface screen appears. The Add Port Interface screen varies depending on the types of ports available on your Motorola Netopia® Router.
• TOS-Priority – Use any 802.1p priority bits in the VLAN header to prioritize packets within the Gateway’s internal queues, according to DiffServ priority mapping rules. See “Diffserv Options” on page 2-22 for more information.
• IPTOS-Promote – Write any 802.1p priority bits into the IP-TOS header bit field for received IP packets on this port destined for this VLAN. Write any IP-TOS priority bits into the 802.
Changing or Deleting a VLAN
You can change or delete a VLAN by returning to the VLAN Configuration screen and selecting Display/Change VLAN or Delete VLAN. In either case, select the VLAN that you want to change or delete from the pop-up menu, and press Return.
  VLAN Configuration
    VLAN Enable:
    Display/Change VLAN...
    Add VLAN...
    Delete VLAN...
    pop-up (VLAN ID: NAME):  10: Network A
Changing or Deleting an Authentication Server Configuration
You can change or delete a RADIUS or TACACS server profile by returning to the VLAN Configuration screen and selecting Authentication Server Configuration, then Display/Change Server Profile or Delete Server Profile. In either case, select the Server Profile that you want to change or delete from the pop-up menu, and press Return.
Configuring additional Authentication Servers
You can configure additional (or your first) Authentication Server from the main VLAN Configuration screen.
  VLAN Configuration
    Display/Change VLAN...
    Add VLAN...
    Delete VLAN...
    Authentication Server Configuration...
  Set Up VLAN from this and the following Menus.
Select Authentication Server Configuration and press Return.
  Authentication Server Configuration
    Display/Change Server Profile...
    Add Server Profile...
  Add Server Profile
    Profile Name:                       Authentication Profile 2
    Remote Server Addr/Name:
    Remote Server Secret:
    Alt Remote Server Addr/Name:
    Alt Remote Server Secret:
    RADIUS Identifier:
    RADIUS Server Authentication Port:  1812
    ADD PROFILE    CANCEL
  Return accepts * ESC cancels * Left/Right moves insertion point * Del deletes.
  Configure a new RADIUS or TACACS profile.
Configure your profile in the same way as described in “Adding a RADIUS Profile” on page 3-18.
VLAN Example
The following is a simple example of how you might configure some VLANs: You want to configure a 3347NWG-VGx Gateway with two SSIDs (see “Multiple SSIDs” on page 3-45 for more information) for two VLANs, allowing both access to the Internet, which will be via a third VLAN.
• One SSID will be in the same VLAN as the four ports of the Ethernet Switch, so that those two networks can communicate.
• The second VLAN will be for a different SSID.
2. Enter a VLAN ID (1 – 4094) and enter the VLAN Name you would like. For example, call it Network A.
  Add VLAN...
    VLAN ID (1-4094):      1
    VLAN Type...           port-based
    VLAN Name:             Network A
    VLAN Network:
    Inter-VLAN-Routing...
    802.1x:                No
    Once a VLAN has been successfully added, configure ports using the "Add Port Interface" option of the "Display/Change VLAN" menu.
    ADD VLAN    CANCEL
  Return/Enter to select ...
  Configure a new VLAN and its associated ports.
Then select Inter-VLAN-Routing. The Inter-VLAN-Routing screen appears.
  Inter-VLAN-Routing
    VLAN Group-1 Enabled:  On
    VLAN Group-2 Enabled:  Off
    VLAN Group-3 Enabled:  Off
    VLAN Group-4 Enabled:  Off
    VLAN Group-5 Enabled:  Off
    VLAN Group-6 Enabled:  Off
    VLAN Group-7 Enabled:  Off
    VLAN Group-8 Enabled:  Off
Toggle VLAN Group-1 Enabled to On and press Return. Press Escape to return to the previous screen.
6. Select Add Port Interface and press Return.
  Display/Change VLAN...
  Add Port Interface...
    Port Interface...  pop-up (NAME / TYPE):
      Eth 0/1             Port
      Eth 0/2             Port
      Eth 0/3             Port
      Eth 0/4             Port
      SSID 1              Port
      SSID 2              Port
      SSID 3              Port
      SSID 4              Port
      Easy Setup Profile  Profile
    TOS-Priority:
    IPTOS-Promote:
    COMMIT    CANCEL
  Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.
7. In the Add VLAN screen, create your second VLAN. The VLAN Name must be given another unique name.
  Add VLAN...
    VLAN ID (1-4094):      2
    VLAN Type...           port-based
    VLAN Name:             Network B
    VLAN Network:          Primary LAN
    Inter-VLAN-Routing...
    802.1x:                No
    Once a VLAN has been successfully added, configure ports using the "Add Port Interface" option of the "Display/Change VLAN" menu.
    ADD VLAN    CANCEL
  Return/Enter to select ...
  Configure a new VLAN and its associated ports.
11. Select Inter-VLAN-Routing and press Return. Toggle VLAN Group-2 Enabled to On and press Return. Since we do not want this VLAN to communicate with the other LAN ports, it must be made part of a different Inter-VLAN-Routing group, Group-2.
In the Add Port Interface screen, you add the Port Interfaces you want associated with this VLAN.
  Add Port Interface...
    Port Interface...
    TOS-Priority:
    IPTOS-Promote:
    COMMIT
14. Next, create a VLAN to provide the Inter-VLAN-Routing Groups access to the Internet (WAN).
  Add VLAN...
    VLAN ID (1-4094):      3
    VLAN Type...           port-based
    VLAN Name:             WAN VLAN
    VLAN Network:
    Inter-VLAN-Routing...
    802.1x:                No
    Once a VLAN has been successfully added, configure ports using the "Add Port Interface" option of the "Display/Change VLAN" menu.
    ADD VLAN    CANCEL
  Return/Enter to select ...
  Configure a new VLAN and its associated ports.
System Configuration 3-35 15. In the VLAN Configuration screen select Display/Change VLAN, and from the pop-up menu select WAN VLAN (which you have just created). For Inter-VLAN-Routing, toggle VLAN Group-1 Enabled and VLAN Group-2 Enabled to On and press Return. Inter-VLAN-Routing VLAN VLAN VLAN VLAN VLAN VLAN VLAN VLAN Group-1 Group-2 Group-3 Group-4 Group-5 Group-6 Group-7 Group-8 Enabled: Enabled: Enabled: Enabled: Enabled: Enabled: Enabled: Enabled: On On Off Off Off Off Off Off Press Escape.
3-36 Administrator’s Handbook Display/Change VLAN... VLAN ID (1-4094): VLAN Type... VLAN Name: VLAN Network: Inter-VLAN-Routing... 3 port-based WAN VLAN Easy Setup Profile 1, 2 802.1x: No Add Port Interface... Change Port Interface... Display/Delete Port Interface... Return/Enter to Add Port Interface to VLAN. Members of Groups 1 and 2 will now be able to communicate with the Internet (WAN), but not with each other. 17.
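The group semantics of the walk-through above (two LAN VLANs in separate groups, a WAN VLAN enabled in both) can be checked before and after a change with the following model. It is an added example written for this section, not router code: it assumes the rule that two VLANs can route to each other only when they share at least one enabled Inter-VLAN-Routing group, and it assumes the name "Network A" for the first VLAN, which the handbook creates on an earlier page.

```python
"""Reachability under Inter-VLAN-Routing groups (added example).

Two VLANs can exchange traffic only when they share at least one enabled
Inter-VLAN-Routing group; that is the rule this model implements. It is
an illustration written for this handbook section, not router code.
"""
from itertools import combinations

# Constructed configuration mirroring the walk-through above. The name
# "Network A" for the first VLAN is assumed (it is created earlier in the
# handbook); "Network B" and "WAN VLAN" are the names used above.
VLANS = {
    1: {"name": "Network A", "groups": {1}},      # Group-1 only
    2: {"name": "Network B", "groups": {2}},      # Group-2 only
    3: {"name": "WAN VLAN",  "groups": {1, 2}},   # Groups 1 and 2 enabled
}


def can_route(vlans, a, b):
    """True if VLAN a and VLAN b share an enabled Inter-VLAN-Routing group."""
    if a == b:
        return True
    return bool(vlans[a]["groups"] & vlans[b]["groups"])


def reachability(vlans):
    """Map every unordered VLAN pair to whether traffic can be routed between them."""
    return {(a, b): can_route(vlans, a, b)
            for a, b in combinations(sorted(vlans), 2)}


def isolation_violations(vlans, isolated_pairs):
    """Return the pairs that are intended to be isolated but can still route.

    Use this as a post-change check: after editing group membership, the
    LAN-to-LAN pair must stay isolated while each LAN keeps WAN reachability.
    """
    return [pair for pair in isolated_pairs if can_route(vlans, *pair)]


if __name__ == "__main__":
    for (a, b), routed in reachability(VLANS).items():
        print(f"VLAN {a} ({VLANS[a]['name']}) <-> VLAN {b} ({VLANS[b]['name']}): "
              f"{'routed' if routed else 'isolated'}")
    print("isolation violations:", isolation_violations(VLANS, [(1, 2)]))
```

The useful property is that the WAN VLAN's membership in both groups is what gives each LAN its Internet path; if a second LAN VLAN is accidentally added to Group-1 as well, isolation_violations reports the LAN-to-LAN pair, which is the misconfiguration the walk-through is designed to avoid.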
Date and time

You can set the system’s date and time parameters in the Set Date and Time screen. Date and Time parameters govern the reporting of system events. These events are recorded in the system logs. Select Date and Time in the System Configuration screen and press Return. The Set Date and Time screen appears. By default, Network Time Protocol (NTP) is enabled, allowing your Router to obtain Date and Time information periodically over the Internet.

5. Select a System Date Format; the options are MM/DD/YY, DD/MM/YY, and YY/MM/DD, where M is month, D is day, and Y is year.
6. Select a System Time Format, either AM/PM or 24hrs.
7. Press Escape to return to the System Configuration menu.

Note: NTP can be blocked by some firewall configurations. To ensure that this feature works, create a filter set rule that allows UDP port 123.
• Block Wireless Bridging: Toggle this setting to Yes to block wireless clients from communicating with other wireless clients on the LAN side of the Gateway.
• Channel: the channel (1 through 11) on which the network will broadcast. This is a frequency range within the 2.4 GHz band. Channel selection depends on government-regulated radio frequencies that vary from region to region. The widest range available is from 1 to 14. However, in North America only 1 to 11 may be selected.

Note: Enabling Closed System Mode on your wireless Gateway provides another level of security, since your wireless LAN will no longer appear as an available access point to client PCs that are casually scanning for one. Your own wireless network clients, however, must log into the wireless LAN by using the exact SSID of the Motorola Netopia® Gateway.
    Wireless LAN Configuration
    Enable Wireless:               Yes
    SSID:                          0271 1000
    Block Wireless Bridging:       No
    Channel...                     6
    AutoChannel...
    Closed System...
    Wireless Multimedia (WMM)...   +------------+
                                   | Off        |
                                   | diffserv   |
                                   +------------+
    Enable Privacy...
    Wireless Multiple SSID Setup...
    MAC Address Authentication...

To enable the Wireless Multimedia custom settings, select diffserv from the pull-down menu.

Enable Privacy

By default, Enable Privacy is set to Off.

    Wireless LAN Configuration
    Enable Wireless:               Yes
    SSID:                          0271 1000
    Block Wireless Bridging:       No
    Channel...                     6
    AutoChannel...
    Closed System...
    Enable Privacy...              +----------------------------+
                                   | Off                        |
                                   | Open                       |
                                   | WPA - PSK (Pre-Shared Key) |
                                   +----------------------------+
    Pre Shared Key:
    Wireless Multiple SSID Setup...
    MAC Address Authentication...

Select an 8 to 63 character passphrase.
• At least 20 is ideal for best security.

WPA - 802.1x: If you select WPA - 802.

• WPA Version 1, for backward compatibility,
• WPA Version 2, for maximum security.

All clients must support the version(s) selected in order to successfully connect.

    Wireless LAN Configuration
    Enable Wireless:
    SSID:
    Block Wireless Bridging:
    Channel...
    AutoChannel...
    Closed System...
    Enable Privacy...
    WPA Version...
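The passphrase limits above (8 to 63 characters, 20 or more recommended) can be enforced before a key is typed into the Pre Shared Key field, and the following added example also shows what the Gateway and client actually share: the 256-bit PSK derived from passphrase and SSID with the standard WPA/WPA2-Personal PBKDF2 derivation (IEEE 802.11i). This is illustration code written for this section, not the Gateway's own implementation; the candidate passphrases are constructed, and the SSID reused is the "0271 1000" shown in the screens above.

```python
"""WPA-PSK passphrase policy check and PSK derivation (added example).

The length limits (8 to 63 characters) and the 20-character recommendation
are the handbook's. The derivation is the standard WPA/WPA2-Personal one:
PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations,
32-byte output (IEEE 802.11i). Written for this section, not router code.
"""
import hashlib

MIN_LEN, MAX_LEN, RECOMMENDED_LEN = 8, 63, 20


def check_passphrase(passphrase):
    """Return policy findings for a candidate passphrase (empty list = acceptable)."""
    findings = []
    n = len(passphrase)
    if not MIN_LEN <= n <= MAX_LEN:
        findings.append(f"length {n} is outside {MIN_LEN}-{MAX_LEN} characters")
    # WPA passphrases are printable ASCII (0x20-0x7E); anything else may be
    # encoded differently by different clients and then fail to match.
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        findings.append("contains characters outside printable ASCII")
    if n < RECOMMENDED_LEN:
        findings.append(f"shorter than the recommended {RECOMMENDED_LEN} characters")
    return findings


def derive_psk(passphrase, ssid):
    """Derive the 256-bit PSK (the PMK) that Gateway and client end up sharing."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError(f"passphrase must be {MIN_LEN} to {MAX_LEN} characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    ssid = "0271 1000"  # the SSID shown in the Wireless LAN Configuration screens
    for candidate in ("sunshine", "correct horse battery staple"):  # constructed
        print(f"{candidate!r}: {check_passphrase(candidate) or 'ok'}; "
              f"PSK {derive_psk(candidate, ssid).hex()[:16]}...")
```

The derivation is public and deterministic, so the passphrase is the only secret in WPA-PSK; that is why the handbook's 20-character recommendation matters more than any other setting on this screen. The test vector used to verify derive_psk (passphrase "password", SSID "IEEE") is the one published with the 802.11i standard.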
You select a single key for encryption of outbound traffic. The WEP-enabled client must have an identical key of the same length, in the identical slot (1 – 4) as the Gateway, in order to successfully receive and decrypt the traffic. Similarly, the client also has a ‘default’ key that it uses to encrypt its transmissions. In order for the Gateway to receive the client’s data, it must likewise have the identical key of the same length, in the same slot.

256bit: 592CA140F0A238B0C61AE162F592CA140F0A238B0C61AE162F21A09C

Multiple SSIDs

• Wireless Multiple SSID Setup: This feature allows you to add additional network identifiers (SSIDs or Network Names) for your wireless network. To enable it, select Wireless Multiple SSID Setup and press Return. The Multiple SSID Configuration screen appears.

    Multiple SSID Configuration
    Enable Multiple SSIDs:   No
    Second SSID:             0000 0000
    Enable Privacy...        Off
    Third SSID:
    Enable Privacy...

You can then specify a Privacy mode for each one from the pop-up menu. Privacy modes available from the pull-down menu for the multiple SSIDs are: WPA-PSK, WPA-802.1x, or Off.

    Multiple SSID Configuration
    Enable Multiple SSIDs:
    Second SSID:
    Enable Privacy...
    WPA Version...
    Key:
    Third SSID:
    Enable Privacy...
    Fourth SSID:
    Enable Privacy...
MAC Address Authentication

Enhanced in Software Version 8.5, MAC Address Authentication allows you to specify which client PCs are allowed to join the LAN by specific hardware address. Once it is enabled, only entered MAC addresses that have been set to Allow will be accepted onto the LAN. Alternatively, you can prevent access by certain client PCs by specifying only those to be denied. To enable MAC Address Authentication, select MAC Address Authentication, and press Return.

• Allow only specified addresses - limits access to only those addresses that you enter.
• Deny only specified addresses - prevents access from only those addresses that you enter.

If you want to apply MAC Authentication to addresses on the wired LAN as well as the wireless LAN, toggle Wireless Only to No.

Note: The Wireless Only option appears only on models equipped with a wireless interface.

Select Add MAC Address and press Return. The Add MAC Address screen appears.

    +-MAC Address -------------------- Permission ---------------------+
    | 00-0a-27-ae-71-a4                Allowed                         |
    | 00-0b-28-af-72-b5                Allowed                         |
    | 00-0c-29-bd-69-b3                Blocked                         |
    +------------------------------------------------------------------+

Select an address to modify.
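The two modes and the Wireless Only scope described above decide admission differently for the same table, and a mistake that is easy to make is to keep entries that have no effect in the selected mode. The following added example models that decision using the three entries from the screen above; the address normalisation, the admit() function and the audit() check are written for this section and are not the Gateway's own code. The Wireless Only default of Yes in the function signature follows the walk-through (the handbook has you toggle it to No to cover the wired LAN).

```python
"""Decision logic for the two MAC Address Authentication modes (added example).

The modes ("Allow only specified addresses", "Deny only specified addresses"),
the Wireless Only scope and the three sample table entries come from the
handbook; the MAC normalisation and the admit()/audit() functions are an
illustration written for this section, not the Gateway's own code.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonicalise 00-0A-27-AE-71-A4, 00:0a:27:ae:71:a4 or 000a27ae71a4 to 00-0a-27-ae-71-a4."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


# The entries shown in the handbook's MAC Address / Permission screen.
MAC_TABLE = {
    normalize_mac("00-0a-27-ae-71-a4"): "Allowed",
    normalize_mac("00-0b-28-af-72-b5"): "Allowed",
    normalize_mac("00-0c-29-bd-69-b3"): "Blocked",
}


def admit(mac, table, mode, wireless_only=True, wireless_client=True):
    """Return True if a client with this hardware address may join the LAN.

    mode "allow_only": only addresses listed as Allowed are admitted.
    mode "deny_only":  every address is admitted except those listed as Blocked.
    With Wireless Only set to Yes, wired clients are outside the scope of the
    check and are admitted without consulting the table.
    """
    if wireless_only and not wireless_client:
        return True
    permission = table.get(normalize_mac(mac))
    if mode == "allow_only":
        return permission == "Allowed"
    if mode == "deny_only":
        return permission != "Blocked"
    raise ValueError(f"unknown mode {mode!r}")


def audit(table, mode):
    """Return table entries that have no effect in the selected mode.

    In allow-only mode a Blocked entry is redundant (unlisted addresses are
    refused anyway); in deny-only mode an Allowed entry is redundant.
    """
    unused = "Blocked" if mode == "allow_only" else "Allowed"
    return [mac for mac, perm in table.items() if perm == unused]


if __name__ == "__main__":
    for mode in ("allow_only", "deny_only"):
        print(mode, "admits unlisted client:",
              admit("00-0d-11-22-33-44", MAC_TABLE, mode),   # constructed address
              "| ineffective entries:", audit(MAC_TABLE, mode))
```

Treat the hardware-address table as a hygiene control rather than as authentication: a client presents whatever address it is configured with, so the privacy setting (WPA) remains the control that actually keeps unknown stations off the wireless LAN.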
1. Select 57600, 38400, 19200, or 9600.

    Console Configuration
    Baud Rate...                  +-------+
                                  | 57600 |
                                  | 38400 |
    Hardware Flow Control:        | 19200 |
                                  | 9600  |
                                  +-------+
    SET CONFIG NOW                CANCEL

2. Select SET CONFIG NOW to save the new parameter settings. Select CANCEL to leave the parameter unchanged and exit the Console Configuration screen.

Router/Bridge Set

For Motorola Netopia® DSL Routers, this feature allows you to turn off the routing features and use your device as a bridge. It is not an option for Ethernet WAN models. Motorola Netopia® Embedded Software Version 8.7.4 further allows you to choose to have the Router both bridge and route IP traffic. If you select either option, the device will restart itself and reset all the settings to factory defaults. Any configurations you have made will be erased.

If you chose CONTINUE, the device will reboot and restart in the selected mode. Routing features will be disabled or changed, and the corresponding Telnet menu configuration items, such as Easy Setup, will be removed.

Example of Bridge-only mode menus:

    Netopia Router
    WAN Configuration...
    System Configuration...
    Utilities & Diagnostics...
    Statistics & Logs...
    Quick View...

If you decide to return to the previous mode, you can repeat the process.
From the host point of view, the snooping function listens at a port level for an IGMP report. The switch then processes the IGMP report and starts forwarding the relevant multicast stream onto the host's port. When the switch receives an IGMP leave message, it processes the leave message and, if appropriate, stops the multicast stream to that particular port. Customer (host) IGMP messages, although processed by the switch, are also forwarded to the multicast routers.

• Query Response Interval (deci-sec) – the maximum amount of time, in tenths of a second, that the IGMP router waits to receive a response to a General Query message. The default query response interval is 10 seconds and must be less than the query interval.
• Unsolicited Report Interval (s) – the amount of time in seconds between repetitions of a particular computer’s initial report of membership in a group. The default unsolicited report interval is 10 seconds.
• Last Member Query Count – the number of Group-Specific Query messages sent before the router assumes that there are no members of the host group being queried on this interface. The default last member query count is 2.
• Fast Leave – Toggling this option to On enables a non-standard expedited leave mechanism. The querier keeps track of which client is requesting which channel by IP address.
• The following three fields allow you to log exceptions based on your filter policies:
  • Filter Violations,
  • Accepted Packets, and
  • Access Attempts
  See “About Filters and Filter Sets” on page 10-20 for more information.

You will need to install a Syslog client daemon program on your PC and configure it to report the WAN events you specified in the Logging Configuration screen. The following screen shows a sample syslog dump of WAN events:

    May 5 10:14:06 tsnext.

Message format

    Protocol: srcIP: dstIP: srcPort: dstPort
    Protocol: srcIP: dstIP: type: code:
    Protocol: srcIP: dstIP:

The following syslog messages may be generated by the Router based on system events:
1. permitted
2. attempt
3. administrative access authenticated and allowed
4. administrative access allowed
5.

The following syslog messages may be generated by the router if WAN Event Log Options are enabled:
1. Device Restarted
2. EN: IP up, WAN 1, gateway: local:
3. Received NTP Date and Time [mon][dd][hh][mm][ss][year]
4. NTP configuration has been changed
5. System Date/Time configuration changed
6. PPP: IPCP negotiated, session [sessionID], rem: [IP Address] local: [IP Address]
7.

33. PPPOE: PADS Received
34. PPPOE: PADT Received
35. PPPOE: PADT Sent
36. PPPOE: Discovery state started profile [Profile Name]
37. PPPOE: Session state started profile [Profile Name]
38. PPPoE: Auth. Failed with Server: [Server]
39. PPTP: IP up, rem: [IP Address], via: [IP Address] tunnel id: [ID]
40. PPTP: IP down, rem: [IP Address] tunnel id: [ID]
41. IPsec: VPN installed:profile: [Name], spi: [SPI], rem sg: [IP Address]
42. IPsec: VPN fail: profile: [Name]
43.

66. IKE: phase 1 auth failure sg [IP Address] profile [Name], sg [IP Address] code [code]
67. IKE: phase 1 resend timeout sg [IP Address] profile [Name], sg [IP Address]
68. IKE: phase 1 complete sg [IP Address] profile [Name], sg [IP Address]
69. IKE: phase 2 hash failure sg [IP Address] profile [Name] sg [IP Address]
70. IKE: no matching ph2 proposal sg [IP Address] profile [Name] sg [IP Address]
71. IKE: ph2 resend timeout sg [IP Address] profile [Name], sg [IP Address]
72.
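The WAN event templates listed above are what a syslog collector actually receives, and the ones worth alerting on (IKE phase 1 authentication failures, phase 2 hash failures, PPPoE authentication failures, VPN failures, time configuration changes, restarts) are a small subset. The following added example turns those templates into a classifier and a per-peer summary; it is written for this section, not part of the handbook or the router. The regular expressions, the severity labels, the host name "router" and the sample log lines are constructed here (the bracketed placeholders in the templates are filled with documentation addresses and made-up profile names).

```python
"""Classifier for the WAN-event syslog messages listed above (added example).

The message templates are the handbook's; the regular expressions, the
severity assignment and the sample log lines are constructed for this
example and are not the router's own output.
"""
import re
from collections import Counter

# Standard BSD syslog prefix as in the handbook's sample ("May 5 10:14:06 tsnext ...").
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# (event name, pattern, severity). Placeholders such as [IP Address] in the
# handbook's templates become named capture groups. First match wins.
RULES = [
    ("ike_auth_failure",
     re.compile(r"IKE: phase 1 auth failure sg (?P<sg>\S+) profile (?P<profile>.+?), sg \S+ code (?P<code>\S+)"),
     "high"),
    ("ike_ph2_hash_failure",
     re.compile(r"IKE: phase 2 hash failure sg (?P<sg>\S+) profile (?P<profile>.+?) sg"), "high"),
    ("pppoe_auth_failed",
     re.compile(r"PPPoE: Auth\. Failed with Server: (?P<server>\S+)"), "high"),
    ("ipsec_vpn_fail", re.compile(r"IPsec: VPN fail: profile: (?P<profile>.+)"), "medium"),
    ("ike_no_ph2_proposal", re.compile(r"IKE: no matching ph2 proposal sg (?P<sg>\S+)"), "medium"),
    ("time_config_changed",
     re.compile(r"(NTP configuration has been changed|System Date/Time configuration changed)"), "medium"),
    ("device_restarted", re.compile(r"Device Restarted"), "medium"),
    ("ipsec_vpn_installed",
     re.compile(r"IPsec: VPN installed:profile: (?P<profile>.+?), spi: (?P<spi>\S+), rem sg: (?P<sg>\S+)"),
     "info"),
    ("ike_ph1_complete", re.compile(r"IKE: phase 1 complete sg (?P<sg>\S+)"), "info"),
]


def classify(line):
    """Parse one syslog line into a record, or return None for a non-syslog line."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    record = {"ts": m["ts"], "host": m["host"], "event": "other", "severity": "info"}
    for name, pattern, severity in RULES:
        hit = pattern.search(m["msg"])
        if hit:
            record.update(event=name, severity=severity, **hit.groupdict())
            break
    return record


def summarize(lines):
    """Count high-severity events per remote security gateway or PPPoE server."""
    counts = Counter()
    for line in lines:
        record = classify(line)
        if record and record["severity"] == "high":
            counts[record.get("sg") or record.get("server") or "-"] += 1
    return counts


# Constructed sample lines in the shapes of the templates above.
SAMPLE_LOG = [
    "May  5 10:14:06 router Device Restarted",
    "May  5 10:14:40 router IKE: phase 1 complete sg 203.0.113.7 profile office, sg 203.0.113.7",
    "May  5 10:14:41 router IPsec: VPN installed:profile: office, spi: 0x1a2b3c4d, rem sg: 203.0.113.7",
    "May  5 10:20:02 router IKE: phase 1 auth failure sg 198.51.100.9 profile office, sg 198.51.100.9 code 24",
    "May  5 10:20:09 router IKE: phase 1 auth failure sg 198.51.100.9 profile office, sg 198.51.100.9 code 24",
    "May  5 10:21:00 router PPPoE: Auth. Failed with Server: acme-bras1",
    "May  5 10:25:00 router NTP configuration has been changed",
    "garbage line that is not syslog",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print("high-severity events by peer:", dict(summarize(SAMPLE_LOG)))
```

Repeated phase 1 authentication failures from one security gateway address are the signal to look at first: they mean either a pre-shared key or identity mismatch on a legitimate peer or an unknown peer attempting to negotiate, and the profile name captured alongside tells you which Connection Profile to inspect.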
6. Choose None as the value for Underlying Encapsulation…
7. Local WAN IP Address and Local WAN IP Mask can be left at 0.0.0.0 if the WAN interface can receive an IP Address from a DHCP server.
8. Select NEXT SCREEN.
9. Primary Domain Name Server and Secondary Domain Name Server can be left at 0.0.0.0 if a dynamic address is used on the WAN.
10.

g. Escape once back to the Add Connection Profile screen.
h. Press Enter on COMMIT to save this profile.
10. Select Display/Change Connection Profile... and press Enter on the VPN profile you have just created.
11. Set Profile Enabled: to Yes.
12. Select IP Profile Parameters...
  a. Set Address Translation to No.
  b. If Stateful Inspection Enabled is set to Yes, make sure that Enable default mapping to router under Stateful Inspection Options... is enabled.
  c.

a. Set Syslog Enabled to Yes.
b. Set Hostname or IP Address to the Syslog Server.
c. Facility… can be changed (defaults to Local 0).
d. Set Log Filter Violations to Yes - this will log packets that are dropped by the Router due to violations.
e. Set Log Accepted Packets to Yes.
f. Set Log Access Attempts to Yes.
g. Escape twice to the Main Menu and go to Utilities and Diagnostics...
h. Select Restart System...
Chapter 4 Multi-NAT

Motorola Netopia® Embedded Software Version 8.7.4 offers advanced Multiple Network Address Translation functionality. You should read this chapter completely before attempting to configure any of the advanced NAT features.

Features

MultiNAT features can be divided into several categories that can be used simultaneously in different combinations on a per-Connection Profile basis. The following is a general description of these features:

Port Address Translation

The simplest form of classic Network Address Translation is PAT (Port Address Translation).

Dynamic mapping

Dynamic mapping, often referred to as many-to-few, offers an extension to the advantages provided by static mapping. Instead of requiring a one-to-one association of public addresses and private addresses, as is required in static mapping, dynamic mapping uses a group of public IP addresses to dynamically allocate static mappings to private hosts that are communicating with the public network.
[Figure: dynamic NAT address pools. WAN network public addresses 172.16.1.25 through 172.16.1.29, divided between "Available for Dynamic NAT" and "Used for Normal NAT"; LAN network private addresses 192.168.1.3 through 192.168.1.16.]

[Figure: example network. Public addresses 206.1.1.1 through 206.1.1.6 (206.1.2.1 – 6 possible later); Router LAN address 192.168.1.1.]

    Private Address      IP Host           NAT Type
    192.168.1.253        Web/FTP Server    1:1 Static
    192.168.1.254        E-mail Server     1:1 Static
    192.168.1.1 – 252    LAN Users         1:1 Dynamic
    192.168.1.1 – 252    LAN Users         1:Many PAT
    192.168.1.1 – 252    LAN Users         1:1 Dynamic

In order to support this type of mapping, you define two address ranges.
Currently there is a restriction that the remote user must be routed to via the WAN interface; otherwise the connections will fail. There is no restriction as to the number of connections. There is no user configuration required for this feature.

MultiNAT Configuration

You configure the MultiNAT features through the Telnet menu:
• For a simple 1-to-many NAT configuration (classic NAT or PAT), use the Easy Setup Profile configuration, described below.

Server Lists and Dynamic NAT configuration

You use the advanced NAT feature sets by first defining a series of mapping rules and then grouping them into a list. There are two kinds of lists -- map lists, made up of dynamic, PAT and static mapping rules, and server lists, a list of internal services to be presented to the external world. Creating these lists is a four-step process:
1. Define the public range of addresses that external computers should use to get to the NAT internal machines.

    System Configuration
    IP Setup...
    Filter Sets...
    IP Address Serving...
    Network Address Translation (NAT)...
    Stateful Inspection...
    VLAN Configuration...
    Date and Time...
    Wireless Configuration...
    Console Configuration
    SNMP (Simple Network Management Protocol)...
    Security...
    Upgrade Feature Set...
    Router/Bridge Set...
    Router IGMP (Internet Group Management Protocol)...
    Logging...
    Use this screen if you want options beyond Easy Setup.
NAT rules

The following rules apply to assigning NAT ranges and server lists:
• Static public address ranges must not overlap other static ranges, PAT public addresses, or the public address assigned to the Router’s WAN interface.
• A PAT public address must not overlap any static address ranges. It may be the same as another PAT address or server list address, but the port range must not overlap.

You configure the ranges of exterior addresses by first adding public ranges.
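The two rules above are exactly the kind of thing worth checking mechanically before committing ranges, because the Telnet menus accept each range on its own. The following added example implements them over the chapter's own sample values (the static range 206.1.1.1 to 206.1.1.5, the PAT address 206.1.1.6, which is also the WAN address in the Easy Setup example, and the smtp and ftp exports on 206.1.1.1 and 206.1.1.2); it is illustration code written for this section, not router code. One assumption is made so the port rule can be checked: each PAT entry and server-list entry carries the port range it exposes, and the PAT port range of 1024 to 65535 used here is a constructed value.

```python
"""Checker for the handbook's NAT public-range rules (added example).

The two rules come from the "NAT rules" list above. The data model, the
overlap tests and the sample configuration (the handbook's static range
206.1.1.1-206.1.1.5, PAT address 206.1.1.6 and the smtp/ftp exports) are
constructed for this section and are not router code. Assumption: every
PAT entry and server-list entry carries the port range it exposes, so the
"port range must not overlap" rule can be checked mechanically.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Static:
    """A static (1:1) public address range."""
    name: str
    first: IPv4Address
    last: IPv4Address


@dataclass(frozen=True)
class PortUser:
    """A PAT public address or a server-list export on one public address."""
    name: str
    kind: str          # "pat" or "server"
    address: IPv4Address
    proto: str         # "TCP", "UDP" or "TCP and UDP"
    ports: tuple       # (first, last), inclusive


def _in_range(addr, rng):
    return rng.first <= addr <= rng.last


def _ranges_overlap(a, b):
    return a.first <= b.last and b.first <= a.last


def _ports_overlap(x, y):
    """Port ranges clash only if the protocols can meet and the numbers overlap."""
    same_proto = x.proto == y.proto or "and" in x.proto or "and" in y.proto
    return same_proto and x.ports[0] <= y.ports[1] and y.ports[0] <= x.ports[1]


def check_nat_rules(wan_ip, statics, port_users):
    """Return rule violations as strings; an empty list means the ranges are consistent."""
    problems = []
    for i, s in enumerate(statics):
        # Rule 1: a static range must not cover the WAN address, another
        # static range, or a PAT public address.
        if _in_range(wan_ip, s):
            problems.append(f"{s.name}: covers the WAN interface address {wan_ip}")
        for t in statics[i + 1:]:
            if _ranges_overlap(s, t):
                problems.append(f"{s.name}/{t.name}: static ranges overlap")
        for p in port_users:
            if p.kind == "pat" and _in_range(p.address, s):
                problems.append(f"{p.name}: PAT address {p.address} lies inside static range {s.name}")
    # Rule 2: PAT and server entries may share an address, but not ports.
    for i, p in enumerate(port_users):
        for q in port_users[i + 1:]:
            if p.address == q.address and _ports_overlap(p, q):
                problems.append(f"{p.name}/{q.name}: same public address {p.address} with overlapping ports")
    return problems


WAN_IP = IPv4Address("206.1.1.6")
STATICS = [Static("Static Range", IPv4Address("206.1.1.1"), IPv4Address("206.1.1.5"))]
PORT_USERS = [
    # The PAT port range is a constructed value for the check, not a handbook setting.
    PortUser("Easy-PAT Range", "pat", IPv4Address("206.1.1.6"), "TCP and UDP", (1024, 65535)),
    PortUser("smtp export", "server", IPv4Address("206.1.1.1"), "TCP and UDP", (25, 25)),
    PortUser("ftp export", "server", IPv4Address("206.1.1.2"), "TCP and UDP", (21, 21)),
]

if __name__ == "__main__":
    print(check_nat_rules(WAN_IP, STATICS, PORT_USERS) or "no violations")
```

Note that a server-list export is allowed to sit inside a static range (the chapter's own example exports smtp on 206.1.1.1, which is statically mapped), so the static-range check is applied to PAT addresses only, as the rule text says.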
• If you choose static as the range type, a new menu item, First Public Address, becomes visible. Select First Public Address and enter the first exterior IP address in the range you want to assign.
• Select Last Public Address and enter an IP address at the end of the range.
• Select ADD NAT PUBLIC RANGE and press Return. The range will be added to your list and you will be returned to the Network Address Translation screen.

    Add NAT Map ("my_map")
    First Private Address:     192.168.1.1
    Last Private Address:      192.168.1.254
    Use NAT Public Range...
    ADD NAT MAP                CANCEL

• Select First and Last Private Address and enter the first and last interior IP addresses you want to assign to this mapping.
• Select Use NAT Public Range and press Return. A screen appears displaying the public ranges you have defined.

If none of your preconfigured ranges are suitable for this mapping, you can select <> and create a new range. If you choose <>, the Add NAT Public Range screen displays and you can create a new public range to be used by this map. See Add NAT Public Range on page 4-9.

• The Add NAT Map screen now displays the range you have assigned.

    Add NAT Map ("my_map")
    First Private Address:     192.168.1.1
    Last Private Address:      192.168.1.254
    Use NAT Public Range...

    Network Address Translation
    Add Out      +-NAT Map List Name--+
    Show/Ch      | Easy-PAT List      |
    Delete       | my_map             |
    Add Map      |                    |
    Show/Ch      |                    |
    Delete       +--------------------+
    Add Ser
    Show/Ch
    Delete
    NAT Ass
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

The Show/Change NAT Map List screen appears.

    Show/Change NAT Map List
    Map List Name:   my_map
    Add Map...
    Show/Change Maps...
    Delete Map...

    Show/Change NAT Map List
    +---Private Address Range---------Type----Public Address Range------------+
    | 192.168.1.1    192.168.1.254    pat     206.1.1.6    -                   |
    | 192.168.1.253  192.168.1.254    static  206.1.1.1    206.1.1.2           |
    | 192.168.1.1    192.168.1.252    dynamic 206.1.1.3    206.1.1.            |
    +-------------------------------------------------------------------------+
Adding Server Lists

Server lists, also known as Exports, are handled similarly to map lists. If you want to make a particular server’s port accessible (and it isn’t accessible through other means, such as a static mapping), you must create a server list. Select Add Server List from the Network Address Translation screen. The Add NAT Server List screen appears.

    Add NAT Server List
    Server List Name:   my_servers
    Add Server...

• Select Server List Name and type in a descriptive name.

    Add NAT Server ("my_servers")
    External Service...
    Server Private IP Address:   0.0.0.0
    Public IP Address:           0.0.0.0
    Protocol...                  TCP and UDP
    Internal Port Start:         0
    ADD NAT SERVER               CANCEL
    Return/Enter to select ...

• Select External Service and press Return. A pop-up menu appears listing a selection of commonly exported services.

    Add NAT Server ("my_servers")
    External Service...   +-Type------Port(s)-------+
                          +-------------------------+

    Other Exported Port
    First Port Number (1..65535):   31337
    Last Port Number (1..65535):    31337
    OK                              CANCEL

• Enter the First and Last Port Number between ports 1 and 65535.
• Select OK and press Return. You will be returned to the Add NAT Server screen.
• Enter the Server Private IP Address of the server whose service you are exporting.

    Add NAT Server ("my_servers")
    External Service...
    Server Private IP Address:   192.168.1.45
    Public IP Address:
    Protocol...                  +-------------+
                                 | TCP and UDP |
                                 | TCP         |
                                 | UDP         |
                                 +-------------+
    Internal Port Start:
    ADD NAT SERVER               CANCEL

• Enter the Internal Port Start, if different from and not already preselected from the External Service type list.
• Select ADD NAT SERVER and press Return.

    Network Address Translation
    +-NAT Server List Name-+
    | my_servers           |
    +----------------------+
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

The Show/Change NAT Server List screen appears.

    Show/Change NAT Server List
    Server List Name:   my_servers
    Add Server...
    Show/Change Server...
    Delete Server...

    Show/Change NAT Server List
    +Private Address--Public Address---Port------------Protocol------+
    | 192.168.1.254   206.1.1.1        smtp            TCP and UDP   |
    | 192.168.1.254   206.1.1.2        ftp             TCP and UDP   |
    | 192.168.1.254   206.1.1.4        tftp            TCP           |
    | 192.168.1.254   206.1.1.3        gopher          TCP and UDP   |
    | 192.168.1.254   206.1.1.                                       |
    +----------------------------------------------------------------+

A pop-up menu lists your configured servers. Select the one you want to delete and press Return. A dialog box asks you to confirm your choice.

[Screen: Show/Change NAT Server List with the delete confirmation dialog box overlaid on the server table.]
    IP Profile Parameters
    Address Translation Enabled:    Yes
    IP Addressing...                Numbered
    NAT Map List...                 Easy-PAT List
    NAT Server List...              Easy-Servers
    NAT Options...
    Stateful Inspection Enabled:    No
    Local WAN IP Address:           0.0.0.0
    Local WAN IP Mask:              0.0.0.0
    Remote IP Address:              127.0.0.2
    Remote IP Mask:                 255.255.255.255
    Filter Set...
    Remove Filter Set
    RIP Profile Options...
    Toggle to Yes if this is a single IP address ISP account.

    IP Profile Parameters
    Address Translation Enabled:    +-NAT Server List Name-+
    IP Addressing...                | Easy-Servers         |   Numbered
    NAT Map List...                 | my_servers           |   Easy-PAT List
    NAT Server List...              | <>                   |   Easy-Servers
    NAT Options...                  +----------------------+
    Stateful Inspection Enabled:
    Local WAN IP Address:                                      0.0.0.0
    Local WAN IP Mask:                                         0.0.0.0
    Remote IP Address:                                         127.0.0.2
    Remote IP Mask:                                            255.255.255.255
    Filter Set...
    Remove Filter Set
    RIP Profile Options...
    Up/Down Arrows to select, then Return/Enter; ESC to cancel.

    IP Parameters (Default Profile)
    Address Translation Enabled:    Yes
    NAT Map List...                 Easy-PAT List
    NAT Server List...              Easy-Servers
    Filter Set (Firewall)...
    Remove Filter Set
    Rip Options...
    Return/Enter accepts * Tab toggles * ESC cancels.

• Toggle Address Translation Enabled to Yes.
• Select NAT Map List and press Return. A pop-up menu displays a list of your defined map lists.

    IP Parameters (Default Profile)
    Address Translation Enabled:    +-NAT Server List Name-+
    NAT Map List...                 | Easy-Servers         |   my_first_map
    NAT Server List...              | my_servers           |
    Filter Set (Firewall)...        | <>                   |
    Remove Filter Set               +----------------------+
    Rip Options...
    Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

• Select the server list you want to bind to the default profile and press Return.

    NAT Associations
    Profile/Interface Name      Nat?   Map List Name    Server List Name
    Default Answer Profile      On     my_first_map     my_servers
    Easy Setup Profile          On     Easy-PAT         my_servers
    Profile 01                  On     my_second_map    my_servers
    Profile 02                  On     my_first_map     my_server_list
    Profile 03                  On     <>               <>

• You can toggle NAT? On or Off for each Profile/Interface name. You do this by navigating to the NAT? field associated with each profile using the arrow keys.
IP Passthrough

Motorola Netopia® Embedded Software Version 8.7.4 offers an IP passthrough feature. The IP passthrough feature allows a single PC on the LAN to have the router’s public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet. Using IP passthrough:
• The public WAN IP is used to provide IP address translation for private LAN computers.
• The public WAN IP is assigned and reused on a LAN computer.

    IP Profile Parameters
    Address Translation Enabled:    Yes
    IP Addressing...                Numbered
    NAT Map List...                 Easy-PAT List
    NAT Server List...              Easy-Servers
    NAT Options...
    Stateful Inspection Enabled:    No
    Local WAN IP Address:           0.0.0.0
    Local WAN IP Mask:              0.0.0.0
    Filter Set...
    Remove Filter Set
    RIP Profile Options...
    Toggle to Yes if this is a single IP address ISP account.
    Configure IP requirements for a remote network connection here.

    NAT Options
    IP Passthrough Enabled:            Yes
    IP Passthrough DHCP Enabled:       Yes
    IP Passthrough DHCP MAC address:   00-00-00-00-00-00
    Enter MAC addr. of IP passthrough host, or zeroes for first come first serve.

Toggling IP Passthrough DHCP Enabled to Yes displays the IP Passthrough DHCP MAC address field. This is an editable field in which you can enter the MAC (hardware) address of the designated PC, to be used as the DHCP Client Identifier for dynamic address reservation.

A restriction

Since both the router and the passthrough host will use the same IP address, new sessions that conflict with existing sessions will be rejected by the router. For example, suppose you are a teleworker using an IPSec tunnel from the router and from the passthrough host. Both tunnels go to the same remote endpoint, such as the VPN access concentrator at your employer’s office.
Easy Setup

Main Menu → Connection Profile

Enter your ISP-supplied values as shown below.

    Connection Profile 1: Easy Setup Profile
    Underlying Encapsulation...      None
    RFC1483 Mode...                  Bridged 1483
    Address Translation Enabled:     Yes
    IP Addressing...                 Numbered
    Local WAN IP Address:            206.1.1.6
    Local WAN IP Mask:               255.255.255.248
    PREVIOUS SCREEN                  NEXT SCREEN
    Return/Enter takes you back to previous screen.
    Enter basic information about your WAN connection with this screen.

System Configuration

Main Menu → Network Address Translation (NAT)

Select Show/Change Public Range, then Easy-PAT Range, and press Return. Enter the value your ISP assigned for your public address (206.1.1.6, in this example). Toggle Type to pat. Your public address is then mapped to the remaining private IP addresses using PAT.

    Add NAT Public Range
    Range Name:              Static Range
    Type...                  static
    First Public Address:    206.1.1.1
    Last Public Address:     206.1.1.5
    ADD NAT PUBLIC RANGE     CANCEL
    Return/Enter to commit changes.

Select ADD NAT PUBLIC RANGE and press Return. You are returned to the Network Address Translation screen. Next, select Show/Change Map List and choose Easy-PAT List. Select Add Map. The Add NAT Map screen appears.

Notes on the example

The Easy-Map List and the Easy-PAT List are attached to any new Connection Profile by default. If you want to use this NAT configuration on a previously defined Connection Profile, then you need to bind the Map List to the profile. You do this through either the NAT Associations screen or the profile’s configuration screens. The PAT part of this example setup will allow any user on the Motorola Netopia® Router's LAN with an IP address in the range of 192.
Chapter 5 Virtual Private Networks (VPNs)

The Motorola Netopia® Embedded Software Version 8.7.4 offers IP
sec, PPTP, and ATMP tunneling support for Virtual Private Networks (VPN).

Motorola Netopia® Embedded Software Version 8.7.4 can be used in VPNs either to initiate the connection or to answer it. When used in this way, the Routers are said to be tunnelling through the public network (Internet).

modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. The Motorola Netopia® Embedded Software Version 8.7.4 supports the more secure Tunnel mode. DES stands for Data Encryption Standard, a popular symmetric-key encryption method. DES uses a 56-bit key.

This feature provides individuals at home, on the road, or in branch offices with a cost-effective and secure way to access resources on remote LANs connected to the Internet with Motorola Netopia® Routers.

About PPTP Tunnels

To set up a PPTP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote PPTP partner.

When you define a Connection Profile as using PPTP by selecting PPTP as the datalink encapsulation method, and then select Data Link Options, the PPTP Tunnel Options screen appears.

    PPTP Tunnel Options
    PPTP Partner IP Address:    173.167.8.134
    Tunnel Via Gateway:         0.0.0.0
    Authentication...
    Data Compression...

Note: Motorola Netopia® Embedded Software Version 8.7.4 supports 128-bit (“strong”) encryption.

Unlike MS-CHAP version 1, which supports one-way authentication, MS-CHAP version 2 supports mutual authentication between connected gateways and is incompatible with MS-CHAP version 1 (MS-CHAP-V1). When you choose MS-CHAP as the authentication method for the PPTP tunnel, the Motorola Netopia® Router will start negotiating MS-CHAP-V2.
    IP Profile Parameters
    Address Translation Enabled:   Yes
    NAT Map List...                Easy-PAT
    NAT Server List...             Easy-Servers
    Local WAN IP Address:          0.0.0.0
    Remote IP Address:             173.167.8.10
    Remote IP Mask:                255.255.0.0
    Filter Set...
    Remove Filter Set
    RIP Profile Options...

• Enter the Remote IP Address and Remote IP Mask for the host to which you want to tunnel.

L2TP configuration

To define an L2TP tunnel, navigate to the Add Connection Profile menu from the Main Menu.

Main Menu → WAN Configuration → Add Connection Profile

    Add Connection Profile
    Profile Name:
    Profile Enabled:
    Encapsulation Type...
    Encapsulation Options...
    IP Profile Parameters...

    L2TP Tunnel Options
    L2TP Partner IP Address:        0.0.0.0
    L2TP Tunnel Authentication:     No
    PPP Authentication:             PAP
    Data Compression...             Standard LZS
    Send Host Name:
    Send Password:
    Receive Host Name:
    Receive Password:
    Initiate Connections:           Yes
    On Demand:                      Yes
    Idle Timeout (seconds):         300
    Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx).

• Enter the L2TP Partner IP Address. This specifies the address of the other end of the tunnel.
• Tunnels are normally initiated On Demand; however, you can disable this feature. When disabled, the tunnel must be manually established or may be scheduled using the scheduled connections feature. See "Scheduled Connections" on page 2-16.
• You can specify the Idle Timeout (in seconds), an inactivity timer whose expiration will terminate the tunnel. A value of zero disables the timer.

    Add Connection Profile
    Profile Name:                Profile 2
    Profile Enabled:
    Encapsulation Type...        +-------------+
                                 | PPP         |
                                 | ATMP        |
                                 | PPTP        |
                                 | IPsec       |
                                 | L2TP        |
                                 | GRE         |
                                 +-------------+
    Underlying Encapsulation...
    Encapsulation Options...
    IP Profile Parameters...
    Interface Group...
5-12 Administrator’s Handbook • Sequence Datagrams can also be left at the default No, unless you are otherwise instructed. Datagram sequencing is mainly needed if compression is being used. • You can enter a 32- bit Key of up to 10-digits (numbers only). The receiver can use this key to identify the source of the packet. The key is a way to match a packet to a tunnel connection. If you choose to enter a key, be sure that both tunnel endpoints' configurations have matching keys.
Virtual Private Networks (VPNs) 5-13 Static WAN IP Easy Setup System Configuration Menu IP = some_IP_address IP Default Gateway = 127.0.0.2 Mask = some_IP_mask Gateway Static Route: Destination Network = GRE Remote_Tunnel_End_Point Data Link Encapsulation = 1483, 1490, HDLC, PPP GRE Profile Encapsulation Menu Remote Tunnel End Point = peer_tunnel_ IP_address GRE Profile IP Parameters Menu Remote Member IP = 127.0.0.2 Remote Member Mask cannot be 255.255.255.
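The header fields behind the Sequence Datagrams and Key options above, as an added example that is not code from the handbook or from Motorola: it builds and parses GRE headers per RFC 2784/2890 and shows a receiver that picks the tunnel by peer address plus key and drops out-of-order sequence numbers. The tunnel name, the peer address 203.0.113.2 and the key values are constructed for the example.

```python
import struct
from typing import Dict, Optional, Tuple

GRE_PROTO_IPV4 = 0x0800
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # Checksum, Key and Sequence Number present bits


def build_gre(payload: bytes, key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """Build a GRE header (RFC 2784 base header, RFC 2890 key/sequence extensions)."""
    flags = 0
    optional = b""
    if key is not None:
        if not 0 <= key <= 0xFFFFFFFF:   # 32-bit field: at most 4294967295, i.e. 10 decimal digits
            raise ValueError("GRE key must fit in 32 bits")
        flags |= FLAG_K
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_S
        optional += struct.pack("!I", seq & 0xFFFFFFFF)
    return struct.pack("!HH", flags, GRE_PROTO_IPV4) + optional + payload


def parse_gre(packet: bytes) -> dict:
    """Parse a GRE header; key and sequence fields are present only when their flag bits are set."""
    flags, proto = struct.unpack("!HH", packet[:4])
    offset = 4
    parsed = {"proto": proto, "key": None, "seq": None}
    if flags & FLAG_C:
        offset += 4                      # checksum + reserved1, not used here
    if flags & FLAG_K:
        parsed["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        parsed["seq"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    parsed["payload"] = packet[offset:]
    return parsed


class GreTunnelTable:
    """Receiver side: the (peer address, key) pair selects the tunnel; the key is not a credential."""

    def __init__(self) -> None:
        self.tunnels: Dict[Tuple[str, Optional[int]], dict] = {}

    def add(self, name: str, peer: str, key: Optional[int] = None, sequence: bool = False) -> None:
        self.tunnels[(peer, key)] = {"name": name, "sequence": sequence, "last_seq": None}

    def deliver(self, peer: str, packet: bytes) -> tuple:
        gre = parse_gre(packet)
        tunnel = self.tunnels.get((peer, gre["key"]))
        if tunnel is None:
            return ("drop", "no tunnel configured for this peer/key")
        if tunnel["sequence"]:           # the Sequence Datagrams option
            if gre["seq"] is None:
                return ("drop", "sequence number required")
            if tunnel["last_seq"] is not None and gre["seq"] <= tunnel["last_seq"]:
                return ("drop", "out-of-order or replayed sequence number")
            tunnel["last_seq"] = gre["seq"]
        return ("accept", tunnel["name"], gre["payload"])


if __name__ == "__main__":
    # Constructed example: one tunnel keyed 1234 to a peer at 203.0.113.2 (documentation address).
    table = GreTunnelTable()
    table.add("to-router-B", "203.0.113.2", key=1234, sequence=True)
    print(table.deliver("203.0.113.2", build_gre(b"inner IP packet", key=1234, seq=1)))
    print(table.deliver("203.0.113.2", build_gre(b"inner IP packet", key=9999, seq=2)))
```

A packet with the wrong key is simply not matched to the tunnel; nothing about the key stops an on-path attacker who can read it from forging packets with it.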
5-14 Administrator’s Handbook About ATMP Tunnels To set up an ATMP tunnel, you create a Connection Profile including the IP address and other relevant information for the remote ATMP partner. ATMP uses the terminology of a foreign agent that initiates tunnels and a home agent that terminates them. You use the same procedure to initiate or terminate an ATMP tunnel. Used in this way, the terms initiate and terminate mean the beginning and end of the tunnel; they do not mean activate and deactivate.
When you define a Connection Profile as using ATMP by selecting ATMP as the datalink encapsulation method, and then select Data Link Options, the ATMP Tunnel Options screen appears.

ATMP Tunnel Options
  ATMP Partner IP Address:  173.167.8.134
  Tunnel Via Gateway:       0.0.0.0
  Network Name:             sam.net
  Password:                 ****
  Data Encryption...
5-16 Administrator’s Handbook • You can specify that this Router will Initiate Connections, acting as a foreign agent (Yes), or only answer them, acting as a home agent (No). • Tunnels are normally initiated On Demand; however, you can disable this feature. When disabled, the tunnel must be manually established through the call management screens. • You can specify the Idle Timeout, an inactivity timer, whose expiration will terminate the tunnel. A value of zero disables the timer.
Motorola Netopia®'s ATMP implementation supports Data Encryption Standard (DES) data encryption for user data transfer over the ATMP tunnel between two Motorola Netopia® Routers. The encryption option, none or DES, is a selectable option in the ATMP Tunnel Options screen. Note that single DES uses a 56-bit key and can be brute-forced with modest resources; treat a DES-protected ATMP tunnel as protection against casual observation only, and use an IPsec tunnel with 3DES (see Chapter 6) where the data warrants real confidentiality.

MS-CHAP V2 and 128-bit strong encryption

Notes:
• Motorola Netopia® Embedded Software Version 8.7.4 supports 128-bit ("strong") encryption when using PPTP tunnels.
ATMP/PPTP Default Profile
  Answer ATMP/PPTP Connections:  No
  PPTP Configuration Options
    Receive Authentication...    PAP
    Data Compression...          None

• Toggle Answer ATMP/PPTP Connections to Yes if you want the Router to accept VPN connections or No (the default) if you do not.
• For PPTP tunnel connections only, you must define what type of authentication these connections will use. Select Receive Authentication and press Return. PAP transmits the password in cleartext; choose MS-CHAP so that the Router negotiates MS-CHAP-V2 (mutual authentication) and can use 128-bit encryption on the tunnel.
VPN Quick View

  Profile Name            Type   Rx Pckts  Tx Pckts  RxDiscard  Remote Address
  HA <-> FA1 (Jony Fon    ATMP   99        99        0          173.166.82.8
  HA <-> FA3 (Sleve M.    ATMP   13        14        0          173.166.117.91

Profile Name: Lists the name of the Connection Profile being used, if any.
Type: Shows the data link encapsulation method (PPTP or ATMP).
Rx Pckts: Shows the number of packets received via the VPN tunnel.
Tx Pckts: Shows the number of packets transmitted via the VPN tunnel.
5-20 Administrator’s Handbook DUN is a free add-on available for Windows 95, and comes standard with Windows 98, Windows NT, and Windows XP. The VPN tunnel behaves as a private network connection, unrelated to other traffic on the network. Once you have installed Dial-Up Networking, you will be able to connect to your remote site as if you had a direct private connection, regardless of the intervening network(s) through which your data passes.
Virtual Private Networks (VPNs) 5-21 Creating a new Dial-Up Networking profile A Dial-Up Networking profile is like an address book entry that contains the information and parameters you need for a secure private connection. You can create this profile by using either the Internet Connection Wizard or the Make New Connection feature of Dial-Up Networking. The following instructions tell you how to create the profile with the Make New Connection feature. Do the following: 1.
5-22 Administrator’s Handbook From the Type of Dial-up Server pull-down menu select the appropriate type of server for your system version: • Windows 95 users select PPP: Windows 95, Windows NT 3.5, Internet • Windows 98 users select PPP: Windows 98, Windows NT Server, Internet In the Allowed network protocols area check TCP/IP and uncheck all of the other checkboxes. Note: Motorola Netopia®’s PPTP implementation does not currently support tunnelling of IPX and NetBEUI protocols. 4.
Virtual Private Networks (VPNs) 5-23 5. Click the OK button in this window and the next two windows. Windows XP Client Configuration 1. From your Windows XP desktop, click on Start ---> My Network Places and select View Network Connections from the Network Tasks area. 2. Click Create a New Connection in the Network Tasks area to start the New Connection Wizard. Click Next. 3. In the Network Connection Type box that appears, select the Connect to the network at my workplace radio button. Click Next.
For PPTP negotiation to work, TCP packets inbound and outbound destined for port 1723 (the PPTP control connection) must be allowed. Likewise, for ATMP negotiation to work, UDP packets inbound and outbound destined for port 5150 must be allowed. Source ports are dynamic, so, if possible, make this flexible, too. Additionally, PPTP and ATMP both carry the tunnelled data in GRE (IP protocol 47), which has no port numbers, so the firewall must also allow GRE bi-directionally: a TCP or UDP port rule alone lets the control channel come up and then drops every data packet.
Change Input Filter 1
  Enabled:                      Yes
  Forward:                      Yes
  Call Placement/Idle Reset:    No
  Change Force Routing:         No
  Source IP Address:            0.0.0.0
  Source IP Address Mask:       0.0.0.0
  Dest. IP Address:             0.0.0.0
  Dest. IP Address Mask:        0.0.0.0
  TOS:                          0
  TOS Mask:                     0
  Protocol Type:                TCP
  Source Port Compare...        No Compare
  Source Port ID:               0
  Dest. Port Compare...         Equal
  Dest. Port ID:                1723
  Established TCP Conns. Only:  No

Return/Enter accepts * Tab toggles * ESC cancels.

In the Display/Change Filter Set screen select Display/Change Output Filter.

Display/Change Output Filter screen

  +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
  | 1   0.0.0.0          0.0.0.0           TCP   NC       =1723   Yes Yes |
  | 2   0.0.0.0          0.0.0.0           GRE   --       --      Yes Yes |
  +------------------------------------------------------------------------+

Select Output Filter 1 and press Return.

Change Output Filter 2
  Enabled:                      Yes
  Forward:                      Yes
  Call Placement/Idle Reset:    No
  Change Force Routing:         No
  Source IP Address:            0.0.0.0
  Source IP Address Mask:       0.0.0.0
  Dest. IP Address:             0.0.0.0
  Dest. IP Address Mask:        0.0.0.0
  TOS:                          0
  TOS Mask:                     0
  Protocol Type:                GRE

Return/Enter accepts * Tab toggles * ESC cancels.

Enter the packet specific information for this filter.

Change Input Filter 1
  Enabled:                      Yes
  Forward:                      Yes
  Call Placement/Idle Reset:    No
  Change Force Routing:         No
  Source IP Address:            0.0.0.0
  Source IP Address Mask:       0.0.0.0
  Dest. IP Address:             0.0.0.0
  Dest. IP Address Mask:        0.0.0.0
  TOS:                          0
  TOS Mask:                     0
  Protocol Type:                TCP
  Source Port Compare...        No Compare
  Source Port ID:               0
  Dest. Port Compare...         Equal
  Dest. Port ID:                1723
  Established TCP Conns. Only:  No

Return/Enter accepts * Tab toggles * ESC cancels.

In the Display/Change IP Filter Set screen select Display/Change Output Filter.

Display/Change Output Filter screen

  +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
  | 1   0.0.0.0          0.0.0.0           TCP   NC       =1723   Yes Yes |
  | 2   0.0.0.0          0.0.0.0           GRE   --       --      Yes Yes |
  +------------------------------------------------------------------------+

Select Output Filter 1 and press Return.

Select Output Filter 2 and press Return. In the Change Output Filter 2 screen, set the Protocol Type to allow GRE as shown below.

Change Output Filter 2
  Enabled:                      Yes
  Forward:                      Yes
  Call Placement/Idle Reset:    No
  Change Force Routing:         No
  Source IP Address:            0.0.0.0
  Source IP Address Mask:       0.0.0.0
  Dest. IP Address:             0.0.0.0
  Dest. IP Address Mask:        0.0.0.0
  TOS:                          0
  TOS Mask:                     0
  Protocol Type:                GRE

Return/Enter accepts * Tab toggles * ESC cancels.
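The filter semantics the screens above rely on, as an added example that is not the handbook's or Motorola's code: a first-match evaluator over the fields shown (address with mask, protocol type, destination port compare, established-only), applied to the PPTP filter pair and to the equivalent ATMP pair. The deny-by-default handling of packets that match no filter, the client and Router addresses (198.51.100.7 and 203.0.113.1) and the sample packets are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Filter:
    """One filter row; only the fields from the screens above are modelled."""
    enabled: bool = True
    forward: bool = True
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"           # mask 0.0.0.0 matches any address
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: str = "Any"                  # TCP, UDP, GRE, ICMP or Any
    dport_compare: str = "No Compare"   # only "No Compare" and "Equal" are modelled
    dport: int = 0
    established_only: bool = False      # "Established TCP Conns. Only": requires the ACK bit


def _addr_match(addr: str, rule_addr: str, mask: str) -> bool:
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(rule_addr)) & m)


def evaluate(filters: List[Filter], pkt: dict, default_forward: bool = False) -> Tuple[str, Optional[int]]:
    """The first enabled filter that matches decides. A packet matching no filter is handled by
    default_forward; the assumed default is to discard it (deny by default)."""
    for number, f in enumerate(filters, start=1):
        if not f.enabled:
            continue
        if not _addr_match(pkt["src"], f.src, f.src_mask):
            continue
        if not _addr_match(pkt["dst"], f.dst, f.dst_mask):
            continue
        if f.proto != "Any" and f.proto != pkt["proto"]:
            continue
        if f.dport_compare == "Equal" and pkt.get("dport") != f.dport:
            continue
        if f.established_only and not pkt.get("ack", False):
            continue
        return ("forward" if f.forward else "discard", number)
    return ("forward" if default_forward else "discard", None)


# The two-filter sets from the procedure above, and the ATMP equivalent.
PPTP_FILTERS = [
    Filter(proto="TCP", dport_compare="Equal", dport=1723),   # PPTP control connection
    Filter(proto="GRE"),                                      # tunnelled data: no ports to compare
]
ATMP_FILTERS = [
    Filter(proto="UDP", dport_compare="Equal", dport=5150),   # ATMP negotiation
    Filter(proto="GRE"),
]


def pptp_verdicts() -> dict:
    """Constructed packets from a client at 198.51.100.7 to this Router at 203.0.113.1."""
    base = {"src": "198.51.100.7", "dst": "203.0.113.1"}
    control = dict(base, proto="TCP", dport=1723)
    data = dict(base, proto="GRE")
    telnet = dict(base, proto="TCP", dport=23)
    return {
        "control": evaluate(PPTP_FILTERS, control),
        "data": evaluate(PPTP_FILTERS, data),
        "telnet": evaluate(PPTP_FILTERS, telnet),
        # With only the port rule the control channel opens but every data packet is dropped.
        "data_without_gre_rule": evaluate(PPTP_FILTERS[:1], data),
    }


if __name__ == "__main__":
    for name, verdict in pptp_verdicts().items():
        print(f"{name:22s} -> {verdict}")
```

The GRE row carries no port comparison because GRE has no ports; that is why it needs its own filter rather than a second port on the TCP row.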
Example:

  LAN IP 192.168.1.0/24                            LAN IP 192.168.2.0/24
  PC #A -------- Router A ===== Tunnel ===== Router B -------- PC #B
  .100           .1                          .1                .100

When PC #A sends a Windows networking broadcast it sends it with a destination IP 192.168.1.255. When Router A receives this broadcast it translates the destination of this broadcast to match the remote IP of the NetBIOS Proxy-enabled VPN profiles and forwards the broadcast through the VPN tunnel. When Router B receives this broadcast, it sends it on its LAN.

Configuration for Router A

IP Profile Parameters
  Remote Tunnel Endpoint:        192.168.2.1
  Add Network...
  Display/Change Network...
  Delete Network...
  Address Translation Enabled:   No
  Stateful Inspection Enabled:   No
  Filter Set...
  Remove Filter Set
  NetBIOS Proxy Enabled:         Yes
  Advanced IP Profile Options...
  COMMIT    CANCEL

Configuration for Router B

IP Profile Parameters
  Remote Tunnel Endpoint:
  Add Network...
Virtual Private Networks (VPNs) 5-33 Note: Microsoft Network browsing is available with or without a Windows Internet Name Service (WINS) server. Shared volumes on the remote network are accessible with or without a WINS server. Local LAN shared volumes that have Port Address Translation (PAT) applied to them are not available to hosts on the remote LAN. For tunnelled traffic, NAT on the WAN has no effect on the Microsoft Networking traffic.
Chapter 6 Internet Key Exchange for VPNs

IPsec stands for IP Security, a set of protocols that supports secure exchange of IP packets at the IP layer. IPsec is deployed widely to implement Virtual Private Networks (VPNs). See "Virtual Private Networks (VPNs)" on page 5-1 for more information. The Motorola Netopia® Embedded Software Version 8.7.4 supports Internet Key Exchange (IKE) for secure encrypted communication over a VPN tunnel.
6-2 Administrator’s Handbook The advantage of using IKE is that it automatically negotiates IPsec Security Associations and enables IPsec secure communications without having to manually enter the lengthy encryption keys at both ends of the connection. You enter a human-readable pass phrase or shared secret English sentence, like “my dog has fleas” on each end once. This pass phrase is used to authenticate each end to the other.
Add Connection Profile
  Profile Name:             Profile 1
  Profile Enabled:
  Encapsulation Type...     +-------------+
  RFC1483 Mode...           | PPP         |
  IP Profile Parameters...  | RFC1483     |
  COMMIT    CANCEL          | ATMP        |
                            | PPTP        |
                            | IPsec       |
                            | L2TP        |
                            +-------------+

• From the Encapsulation Type pop-up menu select IPsec.
• Then select Encapsulation Options. The IPsec Tunnel Options screen appears.

IPsec Tunnel Options
  Key Management...
  IKE Phase 1 Profile...            +-IKE Phase1 Profile--+
  IKE Encapsulation...              | <>                  |
  ESP Encryption Transform...       | <>                  |
  ESP Authentication Transform...   +---------------------+
  Compression Type...
  Advanced IPsec Options...
  COMMIT

Up/Down Arrow Keys to select, ESC to dismiss, Return/Enter to Edit.

• A pop-up window displays a list of IKE Phase 1 Profiles that you have configured.
• The Profile Name field accepts any name of up to 16 characters. Sixteen IKE Phase 1 profiles are supported, since each of the potential sixteen Connection Profiles may be associated with a separate IKE Phase 1 profile.
• The Mode pop-up menu allows you to choose between Main Mode (the default) and Aggressive Mode. Aggressive Mode completes Phase 1 in fewer messages and lets a peer with a changing address identify itself by name, but it sends the identities unencrypted and, with a pre-shared key, exposes a hash derived from that key that an eavesdropper can attack offline by guessing. Use Main Mode unless the remote peer's address is not fixed, and use a long, random pre-shared key in either case.
Xauth Options
  XAuth mode of operation:     VPN concentrator
  Xauth Recipient Auth Check:  Local
  XAuth Local Username:        John Doe
  XAuth Local Password:        ********************

Extended Authentication (Xauth) is an extension to the IKE protocol for IPsec tunnelling. It adds a second, user-level authentication (username and password) after the IKE Phase 1 peer authentication, so that a remote user's Motorola Netopia® Gateway must present both the Phase 1 credentials and the user's credentials before it is authorized network access to the user's central office.
Internet Key Exchange for VPNs 6-7 • VPN concentrator – This configures Xauth to expect to receive authentication credentials, and to possibly serve VPN IP parameters.
Advanced IKE Phase 1 Options
  Negotiation...                       Normal
  SA Use Policy...                     Newest SAs Immediately
  Allow Dangling Phase 2 SAs:          No
  Phase 1 SA Lifetime (seconds):       28800
  Phase 1 SA Lifetime (Kbytes):        0
  Send Initial Contact Message:        Yes
  Include Vendor ID Payload:           Yes
  Independent Phase 2 Re-keys:         Yes
  Strict Port Policy:                  No
  Invalid SPI recovery:                No
  Traffic based Dead Peer Detection:   Yes
  DPD Keepalive Idle Time (seconds):   20

Return/Enter to select ...
• Include Vendor-ID Payload toggles whether or not the Router includes the vendor-ID payload in its IKE Phase 1 messages.
• Independent Phase 2 Re-keys toggles whether or not a Phase 2 re-key requires a Phase 1 re-key. If this item is set to Yes (the default), Phase 2 re-keys will be performed independently when necessary without requiring a Phase 1 re-key. If this item is set to No, each Phase 2 re-key will be preceded by a Phase 1 re-key.
WAN Configuration
  WAN (Wide Area Network) Setup...
  Display/Change Connection Profile...
  Add Connection Profile...
  Delete Connection Profile...
  ATMP/PPTP Default Profile...
  IKE Phase 1 Configuration...
  Advanced Connection Options...

Return/Enter to configure IPSec tunnel configuration options. From here you will configure yours and the remote sites' WAN information.

IPsec Configuration
  Display/Change IKE Phase 1 Profile...   +--IKE Phase1 Profile--+
  Add IKE Phase 1 Profile...              | Netopia              |
  Delete IKE Phase 1 Profile...           +----------------------+

  +------------------------------------------------------------+
  | Are you sure you want to delete this IKE Phase 1 Profile?  |
  |                                                            |
  |              CANCEL                CONTINUE                |
  +------------------------------------------------------------+

Key Management

You specify your IKE key management on a per-Connection Profile basis. A Change Connection Profile screen is shown below.

Example #1: Change Connection Profile menu, showing Encapsulation Type pop-up:

Change Connection Profile
  Profile Name:             Easy Setup Profile
  Profile Enabled:
  Encapsulation Type...     +-------------+
  Encapsulation Options...  | PPP         |
  IP Profile Parameters...  | ATMP        |
  Telco Options...          | PPTP        |
                            | IPsec       |
                            +-------------+

From the Encapsulation Type pop-up menu, select IPsec. Then select Encapsulation Options and press Return. The IPsec Tunnel Options screen appears.

IPsec Tunnel Options
  Key Management...
  IKE Phase 1 Profile...
  IKE Encapsulation...              ESP
  ESP Encryption Transform...       DES
  ESP Authentication Transform...   HMAC-MD5-96
  Advanced IPsec Options...
• The ESP Encryption Transform pop-up menu (which is visible only if you have selected ESP or AH+ESP encapsulation) allows you to specify the type of ESP encryption: DES, 3DES, or NULL (no encryption). Single DES has a 56-bit key and is no longer considered secure; select 3DES. NULL provides no confidentiality and is intended for tunnels that only need authentication.
• The ESP Authentication Transform pop-up menu (which is visible only if you have selected ESP or AH+ESP encapsulation) allows you to specify the type of ESP authentication: None, HMAC-MD5-96, or HMAC-SHA1–96. Do not select None when ESP is carrying encrypted data: without an integrity check a peer cannot detect modified ciphertext, so an attacker on the path can alter packets undetected. Pair encryption with HMAC-SHA1-96 (or at minimum HMAC-MD5-96).
re-key. Perfect Forward Secrecy costs an additional Diffie-Hellman exchange at each Phase 2 re-key. Without it, every Phase 2 key is derived from the Phase 1 keying material, so a compromise of that material exposes all traffic the tunnel ever carried; disable it only on links where that trade-off is acceptable.
• Dead Peer Detection toggles whether or not the Router will detect a remote peer being offline.

Enhanced Dead Peer Detection

Motorola Netopia® Embedded Software Version 8.7.4 adds new Dead Peer Detection mechanisms.
6-16 Administrator’s Handbook The defaults are 5 seconds and 90 seconds, respectively. You may adjust these to suit your network’s tolerances. Note: • ICMP Dead Peer Detection is not available when using manual re-keying. • ICMP Dead Peer Detection does not initiate a series of phase 2 exchanges upon detecting a dead peer; it instead initiates a new phase 1 negotiation, followed by a new phase 2 negotiation once contact with the peer has been re-established.
Internet Key Exchange for VPNs 6-17 Multiple Network IPsec Motorola Netopia® Embedded Software Version 8.7.4 offers an enhancement to IPsec VPN tunnels allowing multiple network support. This feature enhances your Motorola Netopia® Router’s Virtual Private Networking functionality. This feature allows you to define many local and remote network ranges for a given IPsec VPN profile. Each of these ranges has its own IPsec tunnel. However, each tunnel has a common tunneling endpoint and encryption policy.
Add Network Configuration
  Remote Member Format...    +--------------+
  Remote Member Address:     | Subnet       |
  Remote Member Mask:        | Range        |
  Local Member Format...     | Host Address |
  Local Member Address:      +--------------+
  Local Member Mask:         0.0.0.0
                             0.0.0.0
  COMMIT    CANCEL

• The Remote Member Format and Local Member Format pop-up menus allow you to choose a format for your network end points: Subnet, Range, or a single Host Address.

IP Profile Parameters
  Remote Tunnel Endpoint:        0.0.0.0
  Add Network...
  Display/Change Network...
  Delete Network...
  Address Translation Enabled:   No
  Stateful Inspection Enabled:   No
  Filter Set...
  Remove Filter Set
  NetBIOS Proxy Enabled:         No
  Advanced IP Profile Options...
  COMMIT    CANCEL

Define new local/remote member(s)

• Display/Change Network allows you to make changes to existing network configurations you have made.
6-20 Administrator’s Handbook • If you select Delete Network in the IP Profile Parameters screen, the same scrolling list will display.
Internet Key Exchange for VPNs 6-21 • Maximum Packet Size permits you to modify the MTU setting for the tunnel. Some ISPs require a setting of e.g. 1492 (or other value). The default 1500 is the most common and you usually don’t need to change this unless otherwise instructed. Accepted values are from 100 – 1500. This is the starting value that is used for the MTU when the IPSec tunnel is installed. It specifies the maximum IP packet length for the encapsulated AH or ESP packets sent by the router.
6-22 Administrator’s Handbook IKE Phase 1 Configuration Display/Change IKE Phase 1 Profile... Add IKE Phase 1 Profile... Delete IKE Phase 1 Profile... The IKE Phase 1 Configuration screen allows configuration of global (non-connection-profile-specific) IPsec parameters. This screen allows you to Display, Change, Add, or Delete an IKE Phase 1 profile. IPsec Manual Key Entry The Version 8.6 software has a redesigned layout and additional options for manual key entry.
Select IPsec Manual Keys and press Return.

IPsec Manual Keys
  SHA1 ESP Auth. Key:
  SHA1 AH Auth. Key:

Depending on your selections of Encapsulation, Encryption Transform, and Authentication Transform in the IPsec Tunnel Options screen, the IPsec Manual Keys screen will display differing entry fields for the authentication keys and encryption keys. With Manual Keys, you must manually configure identical authentication and encryption keys at both ends of the tunnel. Manual keys are never re-keyed automatically and ICMP Dead Peer Detection is not available with manual keying, so prefer IKE; when manual keys are unavoidable, generate them from a cryptographic random source rather than reusing or deriving them from a password.
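What the -96 in HMAC-MD5-96 and HMAC-SHA1-96 (page 6-14) means, and why the manual keys entered at both ends must be byte-for-byte identical, as an added example that is not code from the handbook or from Motorola: the ICV is the HMAC over the ESP header and body, truncated to 96 bits and verified with a constant-time compare; the None transform is included to show that without it a modified packet is accepted. The keys, SPI and body bytes are constructed placeholders; a real ESP body also contains the IV, padding and trailer, which are folded into the body here.

```python
import hashlib
import hmac
import struct
from typing import Optional

# transform name -> (hash constructor, required key length in bytes, ICV length in bytes)
TRANSFORMS = {
    "None":         (None,         0,  0),
    "HMAC-MD5-96":  (hashlib.md5,  16, 12),   # RFC 2403: HMAC-MD5 output truncated to 96 bits
    "HMAC-SHA1-96": (hashlib.sha1, 20, 12),   # RFC 2404: HMAC-SHA-1 output truncated to 96 bits
}


def esp_icv(transform: str, key: bytes, spi: int, seq: int, body: bytes) -> bytes:
    """ICV over the ESP header (SPI, sequence number) and the body, excluding the ICV itself."""
    digest, key_len, icv_len = TRANSFORMS[transform]
    if digest is None:
        return b""
    if len(key) != key_len:
        raise ValueError(f"{transform} requires a {key_len}-byte key, got {len(key)}")
    authenticated = struct.pack("!II", spi, seq) + body
    return hmac.new(key, authenticated, digest).digest()[:icv_len]


def esp_seal(transform: str, key: bytes, spi: int, seq: int, body: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + body + esp_icv(transform, key, spi, seq, body)


def esp_open(transform: str, key: bytes, packet: bytes) -> Optional[dict]:
    """Verify the ICV in constant time; return None (drop the packet) on any mismatch."""
    icv_len = TRANSFORMS[transform][2]
    if len(packet) < 8 + icv_len:
        return None
    spi, seq = struct.unpack("!II", packet[:8])
    body = packet[8:len(packet) - icv_len]       # explicit slicing so icv_len == 0 works
    icv = packet[len(packet) - icv_len:]
    if not hmac.compare_digest(icv, esp_icv(transform, key, spi, seq, body)):
        return None
    return {"spi": spi, "seq": seq, "body": body}


def demo() -> dict:
    """Constructed manual keys: HMAC-SHA1-96 needs exactly 20 bytes, identical at both ends."""
    key_a = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
    key_b = bytes.fromhex("0123456789abcdef0123456789abcdef01234568")   # differs in the last byte
    body = b"\x00" * 16 + b"ciphertext-placeholder"                     # constructed body
    pkt = esp_seal("HMAC-SHA1-96", key_a, spi=0x1000, seq=1, body=body)
    tampered = pkt[:12] + bytes([pkt[12] ^ 0x01]) + pkt[13:]             # flip one body bit
    unauth = esp_seal("None", key_a, 0x1000, 1, body)
    unauth_tampered = unauth[:12] + bytes([unauth[12] ^ 0x01]) + unauth[13:]
    return {
        "icv_len": len(pkt) - 8 - len(body),
        "good": esp_open("HMAC-SHA1-96", key_a, pkt) is not None,
        "wrong_key": esp_open("HMAC-SHA1-96", key_b, pkt) is None,
        "tampered": esp_open("HMAC-SHA1-96", key_a, tampered) is None,
        "tampered_without_auth_accepted": esp_open("None", key_a, unauth_tampered) is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32s} {result}")
```

A one-byte difference between the two ends' keys fails every packet, which is the usual symptom of a manual-key typo; the "None" case is why the authentication transform should not be turned off.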
VPN Quick View

  Profile Name            Type   Rx Pckts  Tx Pckts  Discard  Remote Address
  HA <-> FA1 (Jony Fon    ATMP   99        99                 173.166.82.8
  HA <-> FA3 (Sleve M.    ATMP   13        14                 63.193.117.91
  My IPsec Tunnel         IPsec  23        12                 0.0.0.0
  Bangalore               PPTP   45        35                 1.1.1.1

If the remote tunnel end point is a hostname (or "0.0.0.0") 0.0.0.0 is displayed until a Security Association is established. Previously the remote members network was displayed.

  Event message                   Meaning
  IKE: no matching ph2 proposal   Either the local Router rejected the proposals of the remote or the remote rejected the local Router's.
  IKE: ph2 resend timeout         The attempt to resend the phase 2 authentication timed out.
  IKE: phase 2 complete           The phase 2 negotiation completed successfully.
Chapter 7 IP Setup

Motorola Netopia® Embedded Software Version 8.7.4 uses Internet Protocol (IP) to communicate both locally and with remote networks. This chapter shows you how to configure the gateway to route IP traffic. You also learn how to configure the gateway to serve IP addresses to hosts on your local network. Motorola's IP routing features include Network Address Translation and IP address serving.

To go to the IP Setup options screen, from the Main Menu, select System Configuration, then IP Setup. The IP Setup screen appears.

IP Setup
  Ethernet IP Address:            192.168.1.1
  Ethernet Subnet Mask:           255.255.255.0
  Define Additional Subnets...
  Default IP Gateway:             0.0.0.0
  Backup IP Gateway:              0.0.0.0
  Primary Domain Name Server:     0.0.0.0
  Secondary Domain Name Server:   0.0.0.0
  Domain Name:
  Rip Options...
  Proxy Arp Enabled:              No
  Multicast Forwarding...         None
  VRRP Options...
  Static Routes.
IP Setup 7-3 • Select Primary Domain Name Server and enter the IP address for a domain name server. The domain name server matches the alphabetic addresses favored by people (for example, robin.hood.com) to the IP addresses actually used by IP gateways (for example, 163.7.8.202). • If a secondary DNS server is available, select Secondary Domain Name Server and enter its IP address. The secondary DNS server is used by the Router when the primary DNS server is inaccessible.
IP Subnets
       IP Address        Subnet Mask
  #1:  192.128.117.162   255.255.255.0
  #2:  0.0.0.0           0.0.0.0
  #3:
  #4:
  #5:
  #6:
  #7:
  #8:

Note: You need not use this screen if you have only a single Ethernet IP subnet. In that case, you can continue to enter or edit the IP address and subnet mask for the single subnet on the IP Setup screen.

This screen displays up to eight rows of two editable columns, preceded by a row number between one and eight.

IP Subnets
       IP Address        Subnet Mask
  #1:  192.128.117.162   255.255.255.0
  #2:  192.128.152.162   255.255.0.0
  #3:  0.0.0.0           0.0.0.0
  #4:
  #5:
  #6:
  #7:
  #8:

• To delete a configured subnet, set both the IP address and subnet mask values to 0.0.0.0, either explicitly or by clearing each field and pressing Return to commit the change. When a configured subnet is deleted, the values in subsequent rows adjust up to fill the vacant fields.
7-6 Administrator’s Handbook The IP address and Subnet mask items are hidden, and the Define Additional Subnets... item becomes Subnet Configuration.... If you select Subnet Configuration, you will return to the IP Subnets screen that allows you to define IP addresses and masks for additional Ethernet IP subnets. Static routes Static routes are IP routes that are maintained manually. Each static route acts as a pointer that tells the Router how to reach a particular network.
  +-Dest. Network---Subnet Mask-----Next Gateway----Priority-Enabled-+
  | 0.0.0.0         0.0.0.0         163.176.8.1     Low      Yes     |
  |                                                                  |
  +------------------------------------------------------------------+

Select a Static Route to modify.

The table has the following columns:

Dest. Network: The network IP address of the destination network.

Add Static Route
  Static Route Enabled:              Yes
  Destination Network IP Address:    0.0.0.0
  Destination Network Subnet Mask:   0.0.0.0
  Next Gateway IP Address:           0.0.0.0
  Route Priority...                  High
  Advertise Route Via RIP:           No
  ADD STATIC ROUTE NOW    CANCEL

Configure a new Static Route in this Screen.

• To install the static route in the IP routing table, select Static Route Enabled and toggle it to Yes.
IP Setup 7-9 • Up to 32 static routes can be created, but one is always reserved for the default gateway, which is configured using either Easy Setup or the IP Setup screen in system configuration. Modifying a static route To modify a static route, in the Static Routes screen select Display/Change Static Route to display a table of static routes. Select a static route from the table and go to the Change Static Route screen.
7-10 Administrator’s Handbook On a Motorola Netopia® router, every interface will be allowed to have up to two keys. RIP-2 MD5 authentication can be configured on the Ethernet LAN (all models), Ethernet WAN models, Connection Profiles, and the Default Profile. Keys can have lifetimes, defined as a start date and time and an end date and time, or infinite. Key management Typically, you configure only one key on a given interface and all of the interfaces that interact with that interface.
• Select RIP Options. The Ethernet LAN RIP Options screen appears.

Ethernet LAN RIP Options
  Receive RIP...    +-----------------------+
  Transmit RIP...   | Off                   |
                    | v1                    |
                    | v2                    |
                    | Both v1 and v2        |
                    | v2 MD5 Authentication |
                    +-----------------------+

• Select Receive RIP, and from the pop-up menu choose v2 MD5 Authentication.

Ethernet LAN RIP Options
  Receive RIP...                  v2 MD5 Authentication
  Transmit RIP...                 Off
  RIP v2 Authentication Keys...

Ethernet LAN RIP Options
  Receive RIP...                  +--------------------+
  Transmit RIP...                 | Off                |
  RIP v2 Authentication Keys...   | v1                 |
                                  | v2 (broadcast)     |
                                  | v2 (multicast)     |
                                  | v2 MD5 (broadcast) |
                                  | v2 MD5 (multicast) |
                                  +--------------------+

• RIP v2 Authentication Keys is visible only if v2 MD5 Authentication is enabled for either Receive or Transmit RIP.

Note:
• All of the changes on this menu require a reboot. This is unique to the Ethernet LAN.

RIP v2 Authentication Keys
  Display/Change Key...
  Add Key...
  Delete Key...

Adding a key

Select Add Key. The Add Key Screen appears.

Add Key
  Key ID:                  0
  Authentication Key:
  Start Date (MM/DD/YY):   10/10/2002
  Start Time (hh:mm):      12:00
  AM or PM:                AM
  End Time Mode:           Date
  End Date (MM/DD/YY):     10/10/2002
  End Time (hh/mm):        12:00
  AM or PM:                AM
  COMMIT    CANCEL

• The key identifier Key ID can be any numeric value from 0 – 255, and must be unique per interface.
7-14 Administrator’s Handbook • The Start Date and End Date formats are determined by the System Date Format, set on the Set Date and Time menu under the System Configuration menus. • The Start Time and End Time formats are determined by the System Time Format. The AM or PM pop-up menus do not appear if the time format is 24 hour time. • The End Time Mode pop-up menu allows you to select either Date or Infinite.
  +----------------------------------------------------------+
  | Are you sure you want to delete this RIP MD5 Key?        |
  |                                                          |
  |            CANCEL                CONTINUE                |
  +----------------------------------------------------------+

Connection Profiles and Default Profile

RIP-2 MD5 authentication may be configured in Connection Profiles, as well.

RIP Profile Parameters
  Receive RIP:                   v2 MD5 Authentication
  Transmit RIP:                  v2 MD5 (multicast)
  TX RIP Policy...               Poison Reverse
  RIP v2 Authentication Keys...

• Receive RIP is always visible. Here you select Off, v1, v2, Both v1 and v2, or v2 MD5 Authentication from the pop-up menu. For MD5 authentication, you must select v2 MD5 Authentication.
• If NAT is disabled, Transmit RIP is visible.

Note: RIP-2 MD5 authentication protects the integrity and origin of routing updates, so a host without the key cannot inject or alter routes; it does not conceal the updates. A key with an infinite lifetime gives an attacker unlimited time to recover it, so use the key lifetimes to rotate keys, with a short overlap so that both ends can change over without a gap.
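How the per-interface key set, Key IDs and lifetimes above fit together on the wire, as an added example that is not code from the handbook or from Motorola: the sender picks the key that is currently inside its lifetime, tags the update with the Key ID and a sequence number, and appends a keyed MD5 digest in the style of RFC 2082 (the secret padded to 16 bytes and hashed with the packet); the receiver looks the key up by Key ID, checks its lifetime, the digest and the sequence. The packet layout is simplified from RFC 2082's real RIP header and trailer, the "most recently started key wins" transmit rule and the strictly-increasing sequence check are modelling choices, and the two keys and their dates are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class RipKey:
    key_id: int                  # 0-255, unique per interface
    secret: bytes
    start: datetime
    end: Optional[datetime]      # None models End Time Mode "Infinite"

    def valid_at(self, now: datetime) -> bool:
        return self.start <= now and (self.end is None or now <= self.end)


def keyed_md5(data: bytes, secret: bytes) -> bytes:
    """RFC 2082 style digest: the secret, padded or truncated to 16 bytes, is appended to the data."""
    return hashlib.md5(data + secret.ljust(16, b"\0")[:16]).digest()


class RipInterfaceAuth:
    """One interface's RIP-2 MD5 key set (the Router allows up to two keys per interface)."""

    MAX_KEYS = 2

    def __init__(self) -> None:
        self.keys: Dict[int, RipKey] = {}
        self.last_seq: Optional[int] = None    # replay state; per neighbour on a real router

    def add_key(self, key: RipKey) -> None:
        if not 0 <= key.key_id <= 255:
            raise ValueError("Key ID must be 0-255")
        if key.key_id in self.keys:
            raise ValueError("Key ID must be unique per interface")
        if len(self.keys) >= self.MAX_KEYS:
            raise ValueError("interface already holds the maximum number of keys")
        self.keys[key.key_id] = key

    def active_key(self, now: datetime) -> Optional[RipKey]:
        """Transmit side: of the keys inside their lifetime, use the most recently started one."""
        candidates = [k for k in self.keys.values() if k.valid_at(now)]
        return max(candidates, key=lambda k: k.start) if candidates else None

    def sign(self, update: bytes, seq: int, now: datetime) -> Optional[bytes]:
        key = self.active_key(now)
        if key is None:
            return None                        # no valid key: the update is not sent
        header = bytes([key.key_id]) + seq.to_bytes(4, "big")
        return header + update + keyed_md5(header + update, key.secret)

    def verify(self, packet: bytes, now: datetime) -> Optional[bytes]:
        """Receive side: look the key up by Key ID, then check lifetime, digest and sequence."""
        if len(packet) < 5 + 16:
            return None
        key_id, seq = packet[0], int.from_bytes(packet[1:5], "big")
        body, digest = packet[:-16], packet[-16:]
        key = self.keys.get(key_id)
        if key is None or not key.valid_at(now):
            return None
        if not hmac.compare_digest(digest, keyed_md5(body, key.secret)):
            return None
        if self.last_seq is not None and seq <= self.last_seq:
            return None                        # replayed or stale update
        self.last_seq = seq
        return packet[5:-16]


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_demo_interfaces():
    """Constructed key chain: key 1 runs Jan-Jun 2024, key 2 from May 2024 with no end (overlap for rollover)."""
    tx, rx = RipInterfaceAuth(), RipInterfaceAuth()
    for side in (tx, rx):
        side.add_key(RipKey(1, b"old-secret", utc(2024, 1, 1), utc(2024, 6, 30)))
        side.add_key(RipKey(2, b"new-secret", utc(2024, 5, 1), None))
    return tx, rx


if __name__ == "__main__":
    tx, rx = build_demo_interfaces()
    pkt = tx.sign(b"route 10.1.0.0/16 via 192.0.2.1", 1, utc(2024, 5, 15))
    print("sent with Key ID", pkt[0], "accepted:", rx.verify(pkt, utc(2024, 5, 15)) is not None)
```

During the May-June overlap the sender switches to key 2 while the receiver still accepts key 1, which is what lets both ends roll over without dropping updates.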
IP Setup 7-17 IP Address Serving Main Menu System Configuration IP Address Serving • Serve DHCP Clients • Serve BootP Clients • Serve Dynamic WAN Clients In addition to being a gateway, the Router is also an IP address server. There are three protocols it can use to distribute IP addresses. • The first, called Dynamic Host Configuration Protocol (DHCP), is widely supported on PC networks, as well as Apple Macintosh computers using Open Transport and computers using the UNIX operating system.
IP Address Serving
  IP Address Serving Mode...         +------------------+
  Number of Client IP Addresses:     | Disabled         |
  1st Client Address:                | DHCP Server      |
  Client Default Gateway...          | DHCP Relay Agent |
  Serve DHCP Clients:                +------------------+
  DHCP Next-Server:                  192.168.1.1
  DHCP Lease Time (Hours):           Yes
  DHCP NetBIOS Options...            0.0.0.
  Serve BOOTP Clients:
IP Setup 7-19 • The default DHCP Lease time is one hour. This may be unnecessarily brief in your network environment. Consequently, the DHCP lease time is configurable. The DHCP Lease Time (Hours) setting allows you to modify the gateway’s default lease time of one hour. You can enter any number up to and including 168 hours (one week) for the DHCP lease.
IP Address Pools

  Subnet (# host addrs)   1st Client Addr   Clients   Client Gateway
  192.128.117.0 (253)     192.128.117.196   16        192.128.117.162
  192.129.117.0 (253)     192.129.117.110   8         192.129.117.4

This screen consists of between two and eight rows of four columns each. There are exactly as many rows as there are Ethernet IP subnets configured on the IP Subnets screen.
IP Setup 7-21 • When requesting an address, a client will often suggest an address to be assigned, such as the one it was last served. The Router will attempt to honor this request if the address is available. The client stores this address in non-volatile storage, for example, on disk, and the specific storage method/location differs depending on the client operating system.
DHCP NetBIOS Options
  Serve NetBIOS Type:            Yes
  NetBIOS Type...                Type B
  Serve NetBIOS Scope:           No
  NetBIOS Scope:
  Serve NetBIOS Name Server:     No
  NetBIOS Name Server IP Addr:   0.0.0.0

Configure DHCP-served NetBIOS options here.

• To serve DHCP clients with the type of NetBIOS used on your network, select Serve NetBIOS Type and toggle it to Yes.
• From the NetBIOS Type pop-up menu, select the type of NetBIOS used on your network.
IP Setup 7-23 • To serve DHCP clients with the IP address of a NetBIOS name server, select Serve NetBIOS Name Server and toggle it to Yes. Select NetBIOS Name Server IP Addr and enter the IP address for the NetBIOS name server. You are now finished setting up DHCP NetBIOS Options. To return to the IP Address Serving screen, press Escape. • To enable BootP’s address serving capability, select Serve BOOTP Clients and toggle to Yes.
7-24 Administrator’s Handbook • The ability to exclude one or more IP addresses from the address serving pool so the addresses will not be served to clients. • The ability to reserve a particular IP address for a client with a particular Ethernet MAC address. • The ability to view the host name associated with a client to which the gateway has leased an IP address. • The ability for the gateway’s Ethernet IP address(es) to overlap the DHCP address serving pool(s).
IP Setup 7-25 Note: The server does not query the client for its host name. Macintosh computers running versions of MacOS prior to MacOS version 8.5 (OT 2.0.1, TCP/IP 2.0.1) do not supply a host name option in their DHCP messages, so no host name will appear in the Served IP Addresses list. You can select the entries in the Served IP Addresses screen. Use the up and down arrow keys to move the selection to one of the entries in the list of served IP addresses.
Served IP Addresses

    IP Address       Type    Expires   Host Name/Client Identifier
    ----------------------------SCROLL UP----------------------------
    192.168.1.100
    192.168.1.101

    +----------------------------------------------------------------+
    |  IP Address is 192.168.1.
An IP address is marked declined when a client to whom the DHCP server offers the address declines the address. A client declines an address if it determines that a leased address is already in use by another device. Selecting Include restores the selected IP address to the address serving pool so that the IP address is once again eligible to be served to a client.

• Release is displayed if the entry is currently offered, leased, or reserved.
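The pool rules described in this section (a client's suggested address is honored when available, excluded addresses are never served, a reserved address goes only to its MAC address, a declined address stays out of the pool until Include, and Release drops an offer or lease) can be modelled in a few dozen lines. The following is an added illustration written for this handbook page, not Motorola Netopia code; the pool addresses and MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AddressPool:
    """Constructed model of one DHCP address-serving pool (not gateway code)."""
    addresses: List[str]                                    # serving pool, in order
    excluded: Set[str] = field(default_factory=set)
    reserved: Dict[str, str] = field(default_factory=dict)  # ip -> MAC it is reserved for
    leased: Dict[str, str] = field(default_factory=dict)    # ip -> MAC currently holding it
    declined: Set[str] = field(default_factory=set)

    def exclude(self, ip: str) -> None:
        self.excluded.add(ip)

    def reserve(self, ip: str, mac: str) -> None:
        self.reserved[ip] = mac

    def _servable(self, ip: str, mac: str) -> bool:
        """True if `ip` may be offered to `mac` right now."""
        if ip not in self.addresses:
            return False
        if ip in self.excluded or ip in self.declined or ip in self.leased:
            return False
        # a reserved address is served only to the MAC it is reserved for
        return self.reserved.get(ip, mac) == mac

    def offer(self, mac: str, suggested: Optional[str] = None) -> Optional[str]:
        """Pick an address for `mac`: its reservation first, then the address the
        client suggests (for example the one it was last served), then the first
        free address in the pool. Returns None when nothing can be served."""
        candidates = [ip for ip, owner in self.reserved.items() if owner == mac]
        if suggested:
            candidates.append(suggested)
        candidates.extend(self.addresses)
        for ip in candidates:
            if self._servable(ip, mac):
                self.leased[ip] = mac
                return ip
        return None

    def decline(self, ip: str, mac: str) -> None:
        """The client found the address already in use: mark it Declined."""
        if self.leased.get(ip) == mac:
            del self.leased[ip]
            self.declined.add(ip)

    def include(self, ip: str) -> None:
        """Administrator's Include: return a declined address to the pool."""
        self.declined.discard(ip)

    def release(self, ip: str) -> None:
        """Administrator's Release: drop the current offer or lease."""
        self.leased.pop(ip, None)

    def status(self, ip: str) -> str:
        """Approximation of the Type column in the Served IP Addresses screen."""
        if ip in self.excluded:
            return "Excluded"
        if ip in self.declined:
            return "Declined"
        if ip in self.leased:
            return "DHCP"
        if ip in self.reserved:
            return "Reserved"
        return ""


if __name__ == "__main__":
    # Constructed walk-through: three-address pool, one excluded, one reserved.
    pool = AddressPool(["192.168.1.100", "192.168.1.101", "192.168.1.102"])
    pool.exclude("192.168.1.100")
    pool.reserve("192.168.1.102", "00:11:22:33:44:55")
    print(pool.offer("aa:aa:aa:aa:aa:aa"))                       # 192.168.1.101
    print(pool.offer("bb:bb:bb:bb:bb:bb"))                       # None: pool exhausted
    print(pool.offer("00:11:22:33:44:55", "192.168.1.101"))      # 192.168.1.102: reservation wins
```

Walking a second client through Release, decline and Include shows why a declined address disappears from the pool until an administrator restores it: the gateway has no way to know when the conflicting device has gone away.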
Served IP Addresses

    IP Address       Type       Expires   Host Name/Client Identifier
    ----------------------------SCROLL UP----------------------------
    192.168.1.1      Excluded for the gateway's IP address
    192.168.1.2      Excluded
    192.168.1.3      DHCP       00:24     Barr's XPi 120
    192.168.1.4
    192.168.1.5
    192.168.1.6
    192.168.1.7
    192.168.1.8
    192.168.1.9
    192.168.1.10
    192.168.1.11
    192.168.1.12
    192.168.1.13
    192.168.1.
    Main Menu
      System Configuration
        IP Address Serving

Select IP Address Serving and press Return. The IP Address Serving screen appears.

IP Address Serving

    IP Address Serving Mode...      +------------------+
    Number of Client IP Addresses:  | Disabled         |
    1st Client Address:             | DHCP Server      |
    Client Default Gateway...       | DHCP Relay Agent |
    Serve DHCP Clients:             +------------------+
    DHCP NetBIOS Options...         192.168.1.1
    Serve BOOTP Clients:            Yes
                                    Yes

    Select IP Address Serving Mode.
IP Address Serving

    IP Address Serving Mode...      DHCP Relay Agent
    Relay Server #1:                10.1.1.1
    Relay Server #2:                20.1.1.1
    Relay Server #3:                30.1.1.1
    Relay Server #4:                40.1.1.1

    Configure Address Serving (DHCP, BOOTP, etc.) here.

Now you can enter the IP address(es) of your remote DHCP server(s), such as might be located in your company’s corporate headquarters. Each time you enter an IP address and press Return, an additional field appears.
The Add Connection Profile screen appears.

Add Connection Profile

    Profile Name:                   Profile 1
    Profile Enabled:                Yes
    Data Link Encapsulation...      PPP
    Data Link Options...
    IP Profile Parameters...

    COMMIT                          CANCEL

    Configure a new Conn. Profile. Finished? COMMIT or CANCEL to exit.

On a Router you can add up to 15 more connection profiles, for a total of 16, although only one can be used at a time, unless you are using VPNs.

1. Select Profile Name and enter a name for this connection profile.
4. Toggle or enter any IP parameters you require and return to the Add Connection Profile screen by pressing Escape. For more information on NAT, see “Multi-NAT,” beginning on page 4-1.

   The Local WAN IP Address is displayed for numbered or NAT profiles. The Local WAN IP Mask is displayed for numbered profiles. The Remote IP Address and Remote IP Mask are displayed for unnumbered profiles.

5. Select ADD PROFILE NOW and press Return. Your new connection profile will be added.
• Then you associate it with a Connection Profile in the IP Profile Parameters screen in the Add/Display/Change Connection Profile menus.

Navigate to the IP Setup screen.

    Main Menu
      System Configuration
        IP Setup

By default, Multicast Forwarding is turned off (None). You enable the gateway to transmit multicast data by selecting Tx. from the pop-up menu.

IP Setup

    Ethernet IP Address:            192.168.1.1
    Ethernet Subnet Mask:           255.255.255.
    Define Additional Subnets...
IP Profile Parameters

    Address Translation Enabled:    Yes
    IP Addressing...                Numbered
    NAT Map List...                 Easy-PAT List
    NAT Server List...              Easy-Servers
    Local WAN IP Address:           0.0.0.0
    Local WAN IP Mask:              0.0.0.0
    Remote IP Address:              0.0.0.0
    Remote IP Mask:                 0.0.0.0
    Filter Set...
    Remove Filter Set
    Multicast Forwarding...         +----------------+
    RIP Profile Options...          | None           |
                                    | Rx.            |
                                    +----------------+
Ethernet LAN VRRP Options

    Display/Change Virtual Routers...
    Add Virtual Router...
    Delete Virtual Router...
    Monitor WAN:                                              Yes
    Serve/Relay DHCP only if Virtual Router in Master state:  No
    DHCP Gateway IP Address:                                  0.0.0.0

Select Add Virtual Router and press Return. The Add Virtual Router screen appears.

Add Virtual Router

    VRID:                           0
    Virtual IP Address:             0.0.0.0
    Priority:                       100
    Preempt Mode:                   Yes
    Advertisement-Interval:         1
    Enable:                         No

    ADD VIRTUAL ROUTER NOW          CANCEL

    Enter a value between 1 and 255.
• must not match the IP address of any other VIP

If it matches the local IP address of that interface or the subnets, the Virtual Router will be defaulted to have a priority of 255. See below.

Note: A router currently in VRRP Master mode is the only device which will respond on the Virtual IP address. Consequently, a router using the Virtual IP address as its Ethernet address will be non-responsive when not in VRRP Master mode.
Ethernet LAN VRRP Options

    Display/Change Virtual Routers...
    Add Virtual Router...
    Delete Virtual Router...
    Monitor WAN:                                              Yes
    Serve/Relay DHCP only if Virtual Router in Master state:  No
    DHCP Gateway IP Address:                                  0.0.0.0

• Monitor WAN – Toggle this option to Yes (the default) to enable VRRP routers on the interface to relinquish Master status if the WAN connection is down. If you do not want the VRRP routers to relinquish Master status, toggle this option to No.
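The Add Virtual Router rules above (VRID between 1 and 255, a VIP that matches no other VIP, priority defaulting to 255 when the VIP is the interface's own address, and the Monitor WAN behaviour) decide which gateway becomes Master and therefore the only device that answers on the VIP. The following is an added illustration, not the gateway's code; it assumes a 1 to 255 priority range and the higher-interface-address tie-break, which are VRRP specification (RFC 3768) rules rather than statements on this page, and represents "relinquish Master" as advertising priority 0. The interface addresses and VIPs are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VirtualRouter:
    """Fields of the Add Virtual Router screen (constructed model)."""
    vrid: int
    vip: str
    priority: int = 100          # screen default
    preempt: bool = True
    enabled: bool = False


def validate_virtual_router(vr: VirtualRouter, existing_vips: List[str]) -> List[str]:
    """Return the problems the Add Virtual Router screen would have to reject.
    VRID range and VIP uniqueness are from the handbook; the priority range
    is the VRRP specification's (assumption for this page)."""
    problems = []
    if not 1 <= vr.vrid <= 255:
        problems.append("VRID must be between 1 and 255")
    if not 1 <= vr.priority <= 255:
        problems.append("Priority must be between 1 and 255")
    if vr.vip in existing_vips:
        problems.append("Virtual IP Address must not match any other VIP")
    try:
        ipaddress.IPv4Address(vr.vip)
    except ValueError:
        problems.append("Virtual IP Address is not a valid IPv4 address")
    return problems


def effective_priority(vr: VirtualRouter, interface_ip: str,
                       monitor_wan: bool, wan_up: bool) -> Optional[int]:
    """Priority this gateway advertises for the VRID.
    - VIP equal to the interface's own address: defaults to 255 (handbook).
    - Monitor WAN set to Yes and the WAN down: the router relinquishes Master,
      modelled here as priority 0, VRRP's 'stepping down' value (assumption)."""
    if not vr.enabled:
        return None
    if monitor_wan and not wan_up:
        return 0
    return 255 if vr.vip == interface_ip else vr.priority


def elect_master(routers: List[Tuple[str, VirtualRouter, bool]],
                 monitor_wan: bool = True) -> Optional[str]:
    """routers: (interface IP, virtual router, wan_up) for each gateway sharing a VRID.
    Highest effective priority wins; equal priorities go to the higher interface
    address (RFC 3768 tie-break, not stated on this page). The winner is the only
    device that will respond on the VIP."""
    best = None
    for ip, vr, wan_up in routers:
        pri = effective_priority(vr, ip, monitor_wan, wan_up)
        if not pri:                       # disabled, or stepped down
            continue
        key = (pri, int(ipaddress.IPv4Address(ip)))
        if best is None or key > best[0]:
            best = (key, ip)
    return None if best is None else best[1]


if __name__ == "__main__":
    # Constructed pair of gateways sharing VRID 1 with VIP 192.168.1.25.
    a = VirtualRouter(1, "192.168.1.25", enabled=True)
    b = VirtualRouter(1, "192.168.1.25", enabled=True)
    print(elect_master([("192.168.1.1", a, True), ("192.168.1.2", b, True)]))   # 192.168.1.2
    print(elect_master([("192.168.1.1", a, True), ("192.168.1.2", b, False)]))  # 192.168.1.1
```

The second call shows the Monitor WAN effect: the gateway whose WAN link is down steps aside even though it would otherwise have won the election.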
Ethernet LAN VRRP Options

    +-----Virtual Router ID--------VIP------Enabled?--------+
    |          1             192.168.1.25      Yes           |
    |          2             192.168.1.26      Yes           |
    +-------------------------------------------------------+
    Virtual Router in Master state:                           No
    DHCP Gateway IP Address:                                  0.0.0.0

Additional LANs

Motorola Netopia® Embedded Software Version 8.7.4 includes support for creating additional logical local area networks.
Additional LAN Configuration

    Add ALAN...

Select Add ALAN and press Return. The Add Additional LAN screen appears.

Add Additional LAN

    Name:                           Additional LAN 1
    Enabled:                        Yes
    MAC Address:                    00:00:00:00:00:00
    Ethernet IP Address:            0.0.0.0
    Ethernet Subnet Mask:           0.0.0.
    Define Additional Subnets...
    IP Address Serving...
    Rip Options...
    Proxy Arp Enabled:
    Multicast Forwarding...
    VRRP Options...
    Filter Set...
    Remove Filter Set
• Ethernet IP Address – The IP address of the additional LAN.

• Ethernet Subnet Mask – The IP subnet mask address of the additional LAN.

• Define Additional Subnets – Additional subnets for multi-homing (same as the primary interface). See “IP Address Pools” on page 7-19.

• IP Address Serving – Same as the global link to address serving. See “IP Address Serving” on page 7-17.

• RIP Options – Same as the primary interface. See “RIP Options” on page 7-9.
Additional LAN Configuration

    +-Name---------------------------IP Address------+
    | Additional LAN 1               1.1.1.1         |
    | Additional LAN 2               0.0.0.
Chapter 8 Line Backup

Motorola Netopia® Embedded Software Version 8.7.4 offers line backup functionality in the event of a line failure on the primary WAN link:

• to an internal V.92 modem (supported models) or

• to a backup default gateway.
Here you can select Backup is = Automatic, and Recovery is Automatic. See “Backup Configuration screen” on page 8-9.

• the Backup IP Gateway menu item in the IP Setup screen under the System Configuration menu

Here you enter a Backup Gateway IP address. See “IP Setup” on page 8-6. Alternatively, you can choose a different backup gateway device; see “Backup Default Gateway” on page 8-14.

Detailed descriptions follow.
• Encapsulation Type: From the pop-up menu select the encapsulation type. Usually, for modem dial-up connections, this will be PPP, but you can also select ATMP, PPTP, or IPsec for VPN connections.

These are the options needed for dial-up.

Add Connection Profile

    Profile Name:
    Profile Enabled:
    Encapsulation Type...
    Encapsulation Options...
    IP Profile Parameters...
Datalink (PPP/MP) Options

    Data Compression...             Standard LZS
    Send Authentication...          PAP             +------+
    Send User Name:                                 | None |
    Send Password:                                  | PAP  |
    Receive User Name:                              | CHAP |
    Receive Password:                               +------+
    Dial on Demand:                 Yes

    Password protection is used. Passwords are exchanged in clear text.

• Data Compression should remain set to Standard LZS.

• Usually, you use PAP Authentication, with a dial-up connection, but you can also use CHAP, or None.
IP Profile Parameters

    Address Translation Enabled:    Yes
    IP Addressing...                Unnumbered
    NAT Map List...                 Easy-PAT List
    NAT Server List...              Easy-Servers
    NAT Options...
    Stateful Inspection Enabled:    No
    Local WAN IP Address:           0.0.0.0
    Remote IP Address:              0.0.0.0
    Remote IP Mask:                 0.0.0.0
    Filter Set...
    Remove Filter Set
    RIP Profile Options...

    Toggle to Yes if this is a single IP address ISP account.
    Configure IP requirements for a remote network connection here.
• From the Dial pop-up menu, you can choose whether to Dial Out Only, Dial In Only, or Dial In/Out (default).

• Dialing Prefix: If you are connected to a Centrex or PBX phone system that requires you to dial a prefix number (such as “9” for an outside line), enter it here.

• You can add the Number to Dial and an Alternate Site to Dial, if available.

• You can toggle Dial on Demand to Yes or No.
IP Setup

    Ethernet IP Address:            192.168.1.1
    Ethernet Subnet Mask:           255.255.255.0
    Define Additional Subnets...
    Default IP Gateway:             0.0.0.0
    Backup IP Gateway:              0.0.0.0
    Primary Domain Name Server:     0.0.0.0
    Secondary Domain Name Server:   0.0.0.0
    Domain Name:
    RIP Options...
    Multicast Forwarding...         None
    Static Routes...
    IP Address Serving...

    Enter an IP address in decimal and dot form (xxx.xxx.xxx.xxx).
    Set up the basic IP attributes of your Netopia in this screen.
WAN Configuration

    WAN (Wide Area Network) Setup...
    ATM Circuits Configuration...
    Display/Change Connection Profile...
    Add Connection Profile...
    Delete Connection Profile...
    WAN Default Profile...
    ATMP/PPTP Default Profile...
    IKE Phase 1 Configuration...
    Advanced Connection Options...

    Return/Enter to create a new Connection Profile.
    From here you will configure yours and the remote sites' WAN information.

The Choose Interface to Configure screen appears.
Internal Modem Setup

    Modem Dialing Prefix:           ATDT
    PBX Dialing Prefix:
    Line Directory Number:
    Speaker On...                   Until Carrier
    Speaker Volume...               2-Medium
    Answer Incoming calls...        Always
    Country...                      United States

    Enter the dialing prefix to be sent to all modems.

• Modem Dialing Prefix: ATDT is the standard Hayes-compatible code for alerting the modem itself. You probably don’t need to change this, unless you have a good reason and are familiar with the Hayes modem command set.
This screen is used to configure the conditions under which backup will occur, if it will recover, and how the modem is configured. For the internal V.92 modem, the Backup Configuration screen appears as follows, when all options are enabled (the default screen shows fewer menu items until some are enabled):

Backup Configuration

    Backup Parameters
    Backup is...
    Requires Failure of (seconds):
    Ping Host Name or IP Address #1:
    Ping Host Name or IP Address #2:
    Recovery to ADSL...
Note: For best results, enter an IP address and not a host name. If a host name is used it may not be resolvable, and may keep the interface down.

Set the Ping Host Name or IP Address to the router's Default Gateway, or to another reliable IP address elsewhere on the backbone – for example, a DNS server. This will ensure that the router initiates a backup connection on loss of Layer 3.
When you are finished, press Escape.

Using Scheduled Connections with Backup

The backup link is a PPP dial-up connection and only connects to the Internet service provider when traffic is initiated from the LAN. If you want to use the backup link to provide redundancy for services, such as a Web service that you provide to the outside world, you must force the connection to stay up.
Add Scheduled Connection

    Scheduled Connection Enable:    On
    How Often...                    Weekly
    Schedule Type...                Forced Up
    Set Weekly Schedule...
    Use Connection Profile...

    ADD SCHEDULED CONNECTION        CANCEL

    Return/Enter accepts * Tab toggles * ESC cancels.
    Scheduled Connections dial remote Networks on a Weekly or Once-Only basis.

• Toggle Scheduled Connection Enable to On.

• From the How Often pop-up menu, select Weekly and press Return.
• Select Use Connection Profile, and press Return. A screen displays all of your Connection Profiles. Select the one you want to apply this scheduled connection to and press Return. Your selection becomes effective.

Now, if your primary WAN link fails, the backup link will become active and remain active until the primary link recovers.
Backup Configuration

    Backup Parameters                       +-----------+
    Backup is...                            | Disabled  |
    Requires Failure of (seconds):          | Manual    |
    Ping Host Name or IP Address #1:        | Automatic |
    Ping Host Name or IP Address #2:        +-----------+
    Recovery to ADSL...                     Automatic
    Requires Recovery of (seconds):         60
    Auto-Recovery on loss of Layer 2:       No

    Automatically switches to Backup Port on loss of Layer 1 or 2.
the system to wait before attempting to switch back to the WAN connection. This allows you to be sure that the WAN connection is well re-established before the gateway switches back to it from the backup mode.

• Press Escape twice to return to the Main Menu.

IP Setup screen

To configure the backup gateway, from the Main Menu select System Configuration then IP Setup.

    Main Menu
      System Configuration
        IP Setup

The IP Setup screen appears.
To view Backup Management/Statistics, from the Main Menu select Statistics & Logs then Backup Management/Statistics and press Return.

    Main Menu
      Statistics & Logs
        Backup Management/Statistics

The Backup Management/Statistics screen appears.
During recovery, the following reasons may appear:

    Recovery of Layer 1     Indicates sync restored on the Primary link
    Layer 2 Override        Indicates the backup occurred on layer 2, and ‘Auto-Recovery on loss of Layer 2’ was set to YES
    Layer 2 Recovery        Indicates that backup was on Layer 2 and the interface is fully restored (including Backup Ping)

• Time Since Detection is a display-only field that is only visible if backup or recovery is in progress.
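The backup timers in this chapter (Requires Failure of and Requires Recovery of, driven by the Backup Ping hosts, with the Time Since Detection counter visible only while a countdown runs) form a small state machine. The following is an added illustration of that behaviour written for this page, not Motorola Netopia code. It assumes one probe per second, which the handbook does not state, uses a constructed 30-second failure threshold beside the screen's 60-second recovery default, and adds the IP-address-not-host-name check the note recommends; the probe trace is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


def check_ping_target(target: str) -> str:
    """Handbook advice: configure an IP address, because a host name may be
    unresolvable exactly when the primary link is down."""
    try:
        ipaddress.ip_address(target)
        return "ok"
    except ValueError:
        return "warning: host name may not resolve while the link is down; use an IP address"


@dataclass
class BackupMonitor:
    """Constructed model of the Backup Configuration timers (not gateway code).
    Counters are in seconds; one probe per second is assumed."""
    backup_is: str = "Automatic"        # Disabled | Manual | Automatic
    requires_failure: int = 30          # Requires Failure of (seconds); constructed value
    requires_recovery: int = 60         # Requires Recovery of (seconds); the screen default
    state: str = "primary"              # primary | backup
    failed_for: int = 0                 # consecutive seconds the ping hosts were unreachable
    ok_for: int = 0                     # consecutive seconds the primary has answered again
    events: List[Tuple[int, str]] = field(default_factory=list)

    def time_since_detection(self) -> int:
        """Display-only 'Time Since Detection': non-zero only while a backup
        or recovery countdown is running."""
        return self.failed_for if self.state == "primary" else self.ok_for

    def observe(self, t: int, ping_ok: bool) -> str:
        """Feed one second's probe result; returns the resulting state."""
        if self.backup_is == "Disabled":
            return self.state
        if self.state == "primary":
            self.failed_for = 0 if ping_ok else self.failed_for + 1
            if self.failed_for >= self.requires_failure:
                self.failed_for = 0
                if self.backup_is == "Automatic":
                    self.state = "backup"
                    self.events.append((t, "backup: Layer 3 lost (Backup Ping)"))
                else:
                    self.events.append((t, "failure threshold reached: switch to backup manually"))
        else:
            self.ok_for = self.ok_for + 1 if ping_ok else 0
            if self.ok_for >= self.requires_recovery:
                self.ok_for = 0
                self.state = "primary"
                self.events.append((t, "recovery: primary link answered for the recovery period"))
        return self.state


def simulate(monitor: BackupMonitor, probes: List[bool]) -> List[Tuple[int, str]]:
    """Run a probe trace through the monitor and return the events it logged."""
    for t, ok in enumerate(probes):
        monitor.observe(t, ok)
    return monitor.events


# Constructed probe trace: 5 s good, a 30 s outage, then 60 s good.
DEMO_TRACE = [True] * 5 + [False] * 30 + [True] * 60

if __name__ == "__main__":
    print(check_ping_target("dns.example.net"))
    for t, what in simulate(BackupMonitor(), DEMO_TRACE):
        print(f"t={t:>3}s  {what}")
```

With the demo trace the switch to backup is logged at t=34 s and the recovery at t=94 s; an outage shorter than Requires Failure of produces no event at all, which is the point of the threshold.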
Chapter 9 Monitoring Tools

This chapter discusses the Router’s device and network monitoring tools. These tools can provide statistical information, report on current network status, record events, and help in diagnosing and locating problems.
General status

Quick View

    Default IP Gateway:             0.0.0.0             10/11/2006 07:31:26 AM
    Primary DNS Server:             0.0.0.0             Gateway installed -- Backup
    Secondary DNS Server:           0.0.0.0
    Domain Name:                    netopia.com

    ----------------MAC Address--------IP Address-------Status-------------------
    Ethernet LAN:   00-00-c5-ff-70-00  192.168.1.1      100Mbps Full Duplex
    ATM ADSL WAN:   00-00-c5-ff-70-02  0.0.0.0
    USB LAN:        00-00-c5-9a-09-a9  192.168.1.
Rate: Shows the line rate for this connection.

%Use: Indicates the average percent utilization of the maximum capacity of the channels in use for the connection.

Remote Address: Shows the IP address of the connected remote gateway.

Est: Indicates whether the connection was locally (“Lcl”) or remotely (“Rmt”) established.

More Info: Indicates the NAT address in use for this connection.

Status lights

This section shows the current real-time status of the Router’s status lights (LEDs).
Event Histories

    Main Menu
      Statistics & Logs
        • WAN Event History
        • Device Event History

Motorola Netopia® Embedded Software Version 8.7.4 records certain relevant occurrences in event histories. Event histories are useful for diagnosing problems because they list what happened before, during, and after a problem occurs. You can view two different event histories: one for the gateway’s system and one for the WAN.
The first event in each call sequence is marked with double arrows (>>). Failures are marked with an asterisk (*).

If the event history exceeds the size of the screen, you can scroll through it by using the SCROLL UP and SCROLL DOWN items. To scroll up, select SCROLL UP at the top of the list and press Return. To scroll down, select SCROLL DOWN at the bottom of the list and press Return.
IP Routing Table

    Main Menu
      Statistics & Logs
        • IP Routing Table

The IP routing table displays all of the IP routes currently known to the Router.

IP Routing Table

    Network Address  Subnet Mask       via Gateway    Port        Type
    ----------------------------SCROLL UP----------------------------
    0.0.0.0          255.0.0.0         0.0.0.0        -           Other
    127.0.0.1        255.255.255.255   127.0.0.1      Loopback    Local
    192.168.1.0      255.255.255.240   192.168.1.1    Ethernet    Local
    192.168.1.1      255.255.
General Statistics

    Physical I/F     Rx Bytes   Tx Bytes   Rx Pkts   Tx Pkts   Rx Err   Tx Err
    Ethernet Hub     1234567    123456     123456    123456    123456   12345
    ATM ADSL 1       1234567    123456     123456    123456    123456   12345

    Network          Rx Bytes   Tx Bytes   Rx Pkts   Tx Pkts   Rx Err   Tx Err
    IP               1234567    123456     123456    123456    123456   12345

    VC Traffic Statistics...
System Information

The System Information screen gives a summary view of the general system level values in the Router. From the Statistics & Logs menu select System Information. The System Information screen appears.

System Information

    Serial Number                   00-aa-77-94 (11171732)
    Firmware Version                8.7.
    ModelNumber
    Processor Speed (Mhz)
    Flash Rom Capacity (MBytes)
    DRAM Capacity (MBytes)
• MIB II (RFC 1213)

• Interface MIB (RFC 1229)

• Ethernet MIB (RFC 1643)

• Netopia MIB

• SNMP-v2 Traps: SNMP v2 MIB (RFC1907) v2 traps only; NPAV2TRAP.MIB (Motorola Netopia®-specific)

• ATM: ATM TC (RFC2514); ATM MIB (RFC2515)

• ADSL: ADSL MIB (RFC2662)

You can obtain the latest SNMP MIBs from the Motorola Netopia® anonymous FTP server. FTP to: ftp.netopia.com/pub/router/snmpinfo. Load these MIBs into your SNMP management software in the order they are listed here.
1. Select System Name and enter a descriptive name for the Router’s SNMP agent.

2. Select System Location and enter the gateway’s physical location (room, floor, building, etc.).

3. Select System Contact and enter the name of the person responsible for maintaining the gateway.

4.
SNMP traps

An SNMP trap is an informational message sent from an SNMP agent (in this case, the Router) to a manager. When a manager receives a trap, it may log the trap as well as generate an alert message of its own.

Standard traps generated by Motorola Netopia® Embedded Software Version 8.7.4 include the following:

• An authentication failure trap is generated when the gateway detects an incorrect community string in a received SNMP packet.
Add IP Trap Receiver

    Receiver IP Address or Domain Name:
    Community String:
    Send Heartbeat Trap:            Yes

    ADD TRAP RECEIVER NOW           CANCEL

2. Select Receiver IP Address or Domain Name. Enter the IP address or domain name of the SNMP manager you want to receive the trap.

3. Select Community String if you enabled one in the SNMP Setup screen, and enter the appropriate password.

4. Toggle Send Heartbeat Trap on (Yes) or off (No).
Chapter 10 Security

Motorola Netopia® Embedded Software Version 8.7.4 provides a number of security features to help protect its configuration screens and your local network from unauthorized access. Although these features are optional, it is strongly recommended that you use them.
The access privileges of various users that may be assigned are governed by a Superuser administrative account. The Superuser can assign different privileges to Limited users who will be accessing the gateway functions in some way.

Configuration access names and passwords are specified in the Security Options screen. From the Main Menu, select System Configuration, then Security.

    Main Menu
      System Configuration
        Security Options

The Security Options screen appears.
Superuser configuration

The access privileges of the Superuser account are not modifiable. It is possible, however, to control who can log in as Superuser.

Select Superuser Configuration and press Return. The Superuser Configuration screen appears.

Superuser Configuration

    Name (19 characters max):       admin
    Password:
    Telnet Access Enabled:          Yes

    ADD SUPERUSER                   CANCEL

• Assign a Superuser Name. It can be up to 19 characters long.
Add Access Name/Password

    Name (19 characters max):       user
    Password:                       ********************
    Telnet Access Enabled:          Yes
    Access Privileges...            +-----------+
                                    | All       |
                                    | LAN       |
                                    | WAN       |
                                    | Custom... |
                                    +-----------+
    ADD USER                        CANCEL

• Assign a User Name and Password, and enable or disable Telnet and Web access as in the Superuser Configuration screen.
You can toggle the default user privileges for each user. The defaults are set to minimize the possibility of an individual user inadvertently damaging the WAN connection. Exercise caution in assigning privileges other than these defaults to limited users.
• “TACACS+ server authentication” on page 10-7

RADIUS server authentication

Advanced Security Options

    Remote Authentication...        +---------------------------+
    Security Databases...           | Local only                |
    Remote Server Addr/Name:        | Remote only               |
    Remote Server Secret:           | Remote then Local         |
                                    | Remote then Lcl/Ser.
Note: In the latter two modes that involve both RADIUS and the local database, if the local database includes no username/password pairs, authentication will succeed only if the RADIUS server authenticates the user. This differs from the Local Only mode where no authentication is performed when the local database is empty.

If the primary RADIUS server responds with an access rejection or an access challenge, the alternate RADIUS server is not contacted.
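The Security Databases modes and the two rules in the note above (an empty local database means no authentication at all in Local only mode but RADIUS-only authentication in the mixed modes; a rejection or challenge from the primary server stops the attempt without consulting the alternate server) are easy to get wrong in an audit, so they are written out here as decision logic. This is an added illustration for this page, not the gateway's implementation: the RADIUS servers are scripted stand-ins rather than a real client, the truncated fourth pop-up mode is not modelled, and the choice that Remote then Local consults the local database whenever RADIUS does not accept the user is an assumption. The user names and passwords are constructed.

```python
from enum import Enum
from typing import Dict, Optional


class Reply(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    CHALLENGE = "Access-Challenge"
    NO_RESPONSE = "no response"       # timeout: server unreachable


class RadiusServer:
    """Scripted stand-in for a RADIUS server (constructed, not a real client);
    it always returns the reply it was built with and counts how often it is asked."""
    def __init__(self, name: str, reply: Reply):
        self.name, self.reply, self.calls = name, reply, 0

    def authenticate(self, user: str, password: str) -> Reply:
        self.calls += 1
        return self.reply


def remote_authenticate(primary: RadiusServer, alternate: Optional[RadiusServer],
                        user: str, password: str) -> Reply:
    """Handbook rule: a rejection or challenge from the primary server ends the
    attempt; the alternate server is consulted only when the primary does not respond."""
    reply = primary.authenticate(user, password)
    if reply == Reply.NO_RESPONSE and alternate is not None:
        reply = alternate.authenticate(user, password)
    return reply


def authenticate(mode: str, local_db: Dict[str, str], primary: RadiusServer,
                 alternate: Optional[RadiusServer], user: str, password: str) -> bool:
    """Security Databases modes. 'Local only' and the empty-database rules follow
    the handbook; falling back to the local database whenever RADIUS does not
    accept the user in 'Remote then Local' is an assumption. Plain-text passwords
    are used only to keep the illustration short."""
    if mode == "Local only":
        # an empty local database means no authentication is performed at all
        return not local_db or local_db.get(user) == password
    remote_ok = remote_authenticate(primary, alternate, user, password) == Reply.ACCEPT
    if mode == "Remote only":
        return remote_ok
    if mode == "Remote then Local":
        if remote_ok:
            return True
        # with an empty local database only a RADIUS accept can succeed
        return bool(local_db) and local_db.get(user) == password
    raise ValueError(f"unknown Security Databases mode: {mode}")


if __name__ == "__main__":
    # Constructed local database and a primary server that rejects everyone.
    local = {"admin": "s3cret"}
    primary, alternate = RadiusServer("primary", Reply.REJECT), RadiusServer("alternate", Reply.ACCEPT)
    print(authenticate("Local only", {}, primary, alternate, "anyone", "anything"))    # True
    print(authenticate("Remote only", local, primary, alternate, "admin", "s3cret"))   # False
    print(alternate.calls)                                                            # 0
```

The first printed line is the case the note warns about: Local only with no passwords defined lets anyone in, which is also why the screen on the next page refuses to continue without a local password unless a remote server is reachable.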
Advanced Security Options

    Remote Authentication...        TACACS+
    Security Databases...           Local only
    Remote Server Addr/Name:
    Remote Server Secret:
    Alt Remote Server Addr/Name:
    Alt Remote Server Secret:
    TACACS+ Accounting:             No
    Remote Access Privileges...     Custom
    Telnet Server Port:             23
    MAC Address Authentication...
    LAN (Ethernet) IP Filter Set...
    Remove Filter Set

Configuration is similar to RADIUS server configuration.
Advanced Security Options

    +---------------------------------------------------------------+
    |                                                               |
    | You have no local passwords defined. If you continue you will |
    | be unable to configure this device unless a Remote Server is  |
    | available to authenticate you.
Advanced Security Options

    Remote Authentication...        RADIUS
    Security Databases...           Local only
    Remote Server Addr/Name:
    Remote Server Secret:
    Alt Remote Server Addr/Name:
    Alt Remote Server Secret:
    RADIUS Identifier:
    RADIUS Server Authentication Port
    Remote Access Privileges...     +-----------+
    Telnet Server Port:             | All       |
    MAC Address Authentication...   | LAN       |
    LAN (Ethernet) IP Filter Set... | WAN       |
                                    | Custom... |
                                    +-----------+
User access password

Users must be able to change their names and passwords, regardless of other security access restrictions. If a user does not have security access, then they will only be able to modify the password for their account.

When a limited-access user logs into the gateway and accesses the System Configuration menus, the only Security option displayed is Change Access Password.

System Configuration

    IP Setup...
    Filter Sets...
    IP Address Serving...
User menu differences

Menus reflect the security access level of the user. Consequently, configuration menus will display differing options based upon the parameters a particular user is allowed to change. Some differences include:

• Limited users (non-Superusers) do not have access to Easy Setup.

• All users have access to System Configuration, Quick Menus, and Quick View, but limited users have only limited access to configuration elements in their descendant menus.
Netopia Router                      User Access Level

    Easy Setup...                   Superuser
    WAN Configuration...            WAN, Conn. Profiles, PVC
    System Configuration...         All
    Utilities & Diagnostics...      All
    Statistics & Logs...            Global, Voice
    Quick Menus...                  All
    Quick View...                   All

WAN Configuration screens

If a limited user is allowed WAN, Connection Profile, or PVC configuration access, the WAN Configuration option in the Main Menu is visible.
Advanced Connection Options        User Access Level

    Reset WAN Connection: No                Connection Profiles
    WAN Scheduled Connections...            Connection Profiles
    Backup Configuration...                 Connection Profiles
    Prioritize Delay-Sensitive Data: No     WAN Configuration Changes

Connection Profiles

The Superuser can disallow limited user access to a particular Connection Profile.
System Configuration menu

The System Configuration menu is always available to all users. Based on access level, the System Configuration menu displays its configuration options according to the following diagram:

System Configuration                User Access Level

    IP Setup...                                         LAN
    Filter Sets...                                      NAT
    IP Address Serving...                               LAN
    Network Address Translation (NAT)...                NAT
    Date and Time...                                    Global
    Console Configuration...                            All
    SNMP (Simple Network Management Protocol)...        Superuser
                                                        Superuser, All
IP Setup

    LAN IP Subnet is...   . . .   192.168.1.1/24

Utilities & Diagnostics menu

Based on access level, the Utilities & Diagnostics menu displays its configuration options according to the following diagram:

Utilities & Diagnostics             User Access Level

    Ping...                                         Global
    Trace Route...                                  Global
    Telnet...                                       Global
    Log off                                         All
    Serial Console Session...                       Global
    Trivial File Transfer Protocol (TFTP)...
    Restart System...                               All
    Defaults...                                     Superuser
Statistics & Logs                   User Access Level

    WAN Event History...                            Global
    Device Event History...                         Global
    IP Routing Table...                             Global
    Served IP Addresses...                          Global
    Served IP Addresses...                          Global
    Backup Management/Statistics...                 Global
    General Statistics...                           Global
    System Information...                           Global
Quick Menus

Quick Menus vary considerably between models, features, and access levels. The following is an example comparison of the Quick Menu as seen by the Superuser and by a Limited user.
ATM Circuits Configuration

    Display/Change WAN 1 Circuit...
    Add WAN 1 Circuit...
    Delete WAN 1 Circuit...
    Display/Change WAN 2 Circuit...
    Add WAN 2 Circuit...
    Delete WAN 2 Circuit...

Note: Multiple ATM circuit configuration is supported on multiple ATM-capable gateways.
About Filters and Filter Sets

Security should be a high priority for anyone administering a network connected to the Internet. Using packet filters to control network communications can greatly improve your network’s security.

The Motorola Netopia® Embedded Software Version 8.7.4’s packet filters are designed to provide security for the Internet connections made to and from your network.
Filter priority

Continuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the package matches the first inspector’s criteria, the package is either rejected or passed on to its destination, depending on the first inspector’s particular orders. In this case, the package is never seen by the remaining inspectors.
• Blocks (discards) the packet

• Ignores the packet

A filter forwards or blocks a packet only if it finds a match after applying its criteria. When no match occurs, the filter ignores the packet.

A filtering rule

The criteria are based on information contained in the packets. A filter is simply a rule that prescribes certain actions based on certain conditions.
    Internet service    TCP port        Internet service    TCP port
    Telnet              23              World Wide Web      80
    SMTP (mail)         25              News                144
    Gopher              70              rlogin              513

    Internet service    UDP port        Internet service    UDP port
    Who Is              43              TFTP                69
    World Wide Web      80              who                 513
    SNMP                161

Port number comparisons

A filter can also use a comparison option to evaluate a packet’s source or destination port number.
    +-#---Source IP Addr---Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+
    +----------------------------------------------------------------------+
    | 1   192.211.211.17   0.0.0.0          TCP   0        23      Yes No  |
    | 2   0.0.0.0          0.0.0.0          TCP   NC       =6000   Yes No  |
    | 3   0.0.0.0          0.0.0.0          ICMP  --       --      Yes Yes |
    | 4   0.0.0.0          0.0.0.0          TCP   NC       >1023   Yes Yes |
    | 5   0.0.0.0          0.0.0.
1. The rule you want to implement as a filter is: Block all Telnet attempts that originate from the remote host 199.211.211.17.

2. 3. 4.

The host 199.211.211.17 is the source of the Telnet packets you want to block, while the destination address is any IP address. How these IP addresses are masked determines what the final match will be, although the mask is not displayed in the table that displays the filter sets (you set it when you create the filter).
In this case, the mask, which does not appear in the table, must be set to 255.255.255.0. This way, all packets with a source address of 200.233.14.x will be matched correctly, no matter what the final address byte is.

Note: The protocol attribute for this filter is 0 by default. This tells the filter to ignore the IP protocol or type of IP packet.

Design guidelines

Careful thought must go into designing a new filter set.
It is strongly recommended that you take the latter, and safer, approach to all of your filter set designs.

Working with IP Filters and Filter Sets

This section covers IP filters and filter sets.

    Main Menu
      System Configuration
        Filter Sets

To work with filters and filter sets, begin by accessing the filter set screens.

Note: Make sure you understand how filters work before attempting to use them. Read the section “About Filters and Filter Sets,” beginning on page 10-20.
To add a new filter set, select Add Filter Set in the Filter Sets screen and press Return. The Add Filter Set screen appears.

Add Filter Set...

    Filter Set Name:                Filter Set 3

    ADD FILTER SET                  CANCEL

Naming a new filter set

All new filter sets have a default name. The first filter set you add will be called Filter Set 1, the next filter will be Filter Set 2, and so on. To give a new filter set a different name, select Filter Set Name and enter a new name for the filter set.
Adding filters to a filter set

There are two kinds of filters you can add to a filter set: input and output. Input filters check packets received from the Internet, destined for your network. Output filters check packets transmitted from your network to the Internet.

    [Figure: a packet arriving from the WAN passes through the input filter to the LAN; a packet leaving the LAN passes through the output filter to the WAN. The Motorola Netopia® Router]

Packets in the Motorola Netopia® Embedded Software Version 8.7.
Display/Change Filter Set...

    Filter Set Name:                Filter Set 3

    Add Input Filter to Filter Set...
    Display/Change Input Filter...
    Delete Input Filter...
    Move Input Filter...

    Add Output Filter to Filter Set...
    Display/Change Output Filter...
    Delete Output Filter...
    Move Output Filter...

Note: There are two groups of items in this screen, one for input filters and one for output filters. In this section, you’ll learn how to add an input filter to a filter set.
3. If you want the filter to forward packets that match its criteria to the destination IP address, select Forward and toggle it to Yes. If Forward is toggled to No, packets matching the filter’s criteria will be discarded.
4. Select Source IP Address and enter the source IP address this filter will match on. You can enter a subnet or a host address.
5. Select Source IP Address Mask and enter a mask for the source IP address.
Change Filter
  Enabled:                 No
  Forward:                 No
  Source IP Address:       0.0.0.0
  Source IP Address Mask:  0.0.0.0
  Dest. IP Address:        0.0.0.0
  Dest. IP Address Mask:   0.0.0.0
  Protocol Type:           0
  Source Port Compare...   No Compare
  Source Port ID:          0
  Dest. Port Compare...    No Compare
  Dest. Port ID:           0

Enter the IP specific information for this filter.
Basic Firewall blocks undesirable traffic originating from the WAN (in most cases, the Internet), but forwards all traffic originating from the LAN. It follows the conservative “that which is not expressly permitted is prohibited” approach: unless an incoming packet expressly matches one of the constituent input filters, it will not be forwarded to the LAN. The five input filters and one output filter that make up Basic Firewall are shown in the table below.
Output filter 1: This filter forwards all outgoing traffic to make sure that no outgoing connections from the LAN are blocked. Basic Firewall is suitable for a LAN containing only client hosts that want to access servers on the WAN, but not for a LAN containing servers providing services to clients on the WAN. Basic Firewall’s general strategy is to explicitly forward WAN-originated TCP and UDP traffic to ports greater than 1023. That port-number test admits the replies to sessions that LAN clients opened, but it also admits WAN-originated connections to any LAN service that happens to listen on a port above 1023, so do not rely on it to protect such a service.
FTP sessions. To allow WAN-originated FTP sessions to a LAN-based FTP server with the IP address a.b.c.d (corresponding to a numbered IP address such as 163.176.8.243), insert the following input filter ahead of the current input filter 1:
• Enabled: Yes
• Forward: Yes
• Source IP Address: 0.0.0.0
• Source IP Address Mask: 0.0.0.0
• Dest. IP Address: a.b.c.d
• Dest. IP Address Mask: 255.255.255.
In previous software versions, a filter would either pass or block the specified traffic. Motorola Netopia® Embedded Software Version 8.7.4 adds a third option, force routing. You specify a gateway IP address, and each packet matching the filter is routed according to that gateway address, rather than by means of the global routing table. In addition, the TOS field has been added to the classifier list in a filter.
TOS field matching. Motorola Netopia® Embedded Software Version 8.7.4 supports two additional parameters in an IP filter: TOS and TOS Mask. Both fields accept values in the range 0 – 255. Certain types of IP packets, such as voice or multimedia packets, are sensitive to latency introduced by the network. A delay-sensitive packet is one that has the low-latency bit set in the TOS field of the IP header. This means that if such packets are not received rapidly, the quality of service degrades.
Firewall Tutorial

General firewall terms
Filter rule: One of the individual rules that make up a filter set.
Filter set: A grouping of individual filter rules.
Firewall: A component or set of components that restrict access between a protected network and the Internet, or between two networks.
Host: A workstation on the network.
Packet: Unit of communication on the Internet.
Example TCP/UDP Ports

TCP Port   Service      UDP Port   Service
20/21      FTP          161        SNMP
23         Telnet       69         TFTP
25         SMTP         387        AURP
80         WWW
144        News

Firewall design rules. There are two basic rules to firewall design:
• “What is not explicitly allowed is denied.” and
• “What is not explicitly denied is allowed.”
The first rule is far more secure, and is the best approach to firewall design. It is far easier (and more secure) to allow in or out only certain services and deny anything else.
and a packet goes through these rules destined for FTP, the packet passes the first filter rule (WWW) without matching, matches the second rule (FTP), and is allowed through. Even though the next rule is to deny all FTP traffic, the FTP packet never reaches that rule: the first rule that matches decides the packet, so the order of the rules in a set matters as much as their contents.

Binary representation. It is easiest when doing filtering to convert the IP address and mask in question to binary.
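The following is an added illustration, not code from the handbook or from Motorola: a small evaluator that applies a filter set the way the tutorial describes, using the fields of the Change Filter screen (Enabled, Forward, Source/Dest IP Address and Mask, Protocol Type with 0 meaning any, and the port compare operators). It shows the ordering pitfall above, the masked binary comparison used in Examples 1 through 4 below, and the effect of a “ports greater than 1023” rule of the kind Basic Firewall uses. Assumed, because the page does not state them here: the exact spellings of the compare operators, and what happens when no filter matches (made a parameter, defaulting to discard, the conservative rule). The sample rules and packets are constructed.

```python
"""Filter-set evaluation in the style of the Change Filter screen.  Added
illustration, not Motorola's code.  Assumption: the first enabled filter that
matches decides the packet; the no-match outcome is a parameter (default
discard, the conservative rule)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
import operator

# Port compare operators named as on the filter screen (spellings assumed).
PORT_OPS = {
    "No Compare": lambda pkt_port, rule_port: True,
    "Less Than": operator.lt,
    "Less Than or Equal": operator.le,
    "Equal": operator.eq,
    "Greater Than or Equal": operator.ge,
    "Greater Than": operator.gt,
}


def masked(addr: str, mask: str) -> int:
    """Logical AND of an address with a mask, as in the binary-representation section."""
    return int(IPv4Address(addr)) & int(IPv4Address(mask))


def to_bits(addr: str) -> str:
    """Dotted quad as four 8-bit binary groups, e.g. 200.1.1.104 -> ...01101000."""
    return ".".join(f"{b:08b}" for b in IPv4Address(addr).packed)


@dataclass
class Filter:
    enabled: bool = True
    forward: bool = True
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: int = 0              # 0 = ignore protocol; 6 = TCP, 17 = UDP
    src_port_cmp: str = "No Compare"
    src_port: int = 0
    dst_port_cmp: str = "No Compare"
    dst_port: int = 0

    def matches(self, pkt: dict) -> bool:
        if not self.enabled:
            return False
        # Both the rule address and the packet address are ANDed with the mask,
        # so a mask of 0.0.0.0 matches every host and 255.255.255.255 exactly one.
        if masked(pkt["src"], self.src_mask) != masked(self.src, self.src_mask):
            return False
        if masked(pkt["dst"], self.dst_mask) != masked(self.dst, self.dst_mask):
            return False
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        if not PORT_OPS[self.src_port_cmp](pkt.get("sport", 0), self.src_port):
            return False
        if not PORT_OPS[self.dst_port_cmp](pkt.get("dport", 0), self.dst_port):
            return False
        return True


def evaluate(filter_set, pkt, default_forward=False):
    """Return (forwarded, index of the deciding filter or None).  First match wins."""
    for i, f in enumerate(filter_set):
        if f.matches(pkt):
            return f.forward, i
    return default_forward, None


# Constructed samples.  (1) The ordering pitfall: filter 3 is unreachable because
# filter 2 already forwards FTP, so the deny never sees an FTP packet.
ORDERING_SET = [
    Filter(protocol=6, dst_port_cmp="Equal", dst_port=80),                 # forward WWW
    Filter(protocol=6, dst_port_cmp="Equal", dst_port=21),                 # forward FTP
    Filter(forward=False, protocol=6, dst_port_cmp="Equal", dst_port=21),  # deny FTP (dead)
]
FTP_PKT = {"src": "200.1.1.184", "dst": "10.0.0.5", "proto": 6, "sport": 40000, "dport": 21}

# (2) The tutorial's Example 2 and Example 4 rules (Forward = No on match).
EXAMPLE_2 = [Filter(forward=False, src="200.1.1.0", src_mask="255.255.255.128")]
EXAMPLE_4 = [Filter(forward=False, src="200.1.1.96", src_mask="255.255.255.240")]

# (3) A "ports greater than 1023" forward rule of the kind Basic Firewall uses:
# it admits replies to LAN-initiated sessions, but equally a WAN-originated
# connection to any LAN service that listens above 1023.
HIGH_PORTS_SET = [Filter(protocol=6, dst_port_cmp="Greater Than", dst_port=1023)]
PKT_8080 = {"src": "200.1.1.184", "dst": "10.0.0.5", "proto": 6, "sport": 50000, "dport": 8080}

if __name__ == "__main__":
    print("ordering:", evaluate(ORDERING_SET, FTP_PKT))            # (True, 1)
    for name, fs, src in (("Example 2", EXAMPLE_2, "200.1.1.184"),
                          ("Example 4", EXAMPLE_4, "200.1.1.104")):
        pkt = {"src": src, "dst": "10.0.0.5", "proto": 17}
        print(name, to_bits(src), "AND", to_bits(fs[0].src_mask),
              "->", evaluate(fs, pkt, default_forward=True))
    print("port 8080 from WAN:", evaluate(HIGH_PORTS_SET, PKT_8080))  # (True, 0)
```

Run it to see that the FTP packet is decided by filter 2, never filter 3; that 200.1.1.184 ANDed with 255.255.255.128 gives 10000000 in the last byte and so does not match a network address of 00000000; and that 200.1.1.104 ANDed with 255.255.255.240 gives 01100000, which matches 200.1.1.96 and is therefore not forwarded.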
Established connections. The TCP header contains one bit called the ACK bit (or TCP Ack bit). This ACK bit appears only with TCP, not UDP. The ACK bit is part of the TCP mechanism that guarantees the delivery of data. The ACK bit is set whenever one side of a connection has received data from the other side. Only the first TCP packet will not have the ACK bit set; once the TCP connection is in place, the remainder of the TCP packets will have the ACK bit set. The ACK bit therefore separates a packet that opens a new connection (ACK clear) from one that belongs to a connection already in place (ACK set).
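As an added illustration (not code from the handbook or from Motorola) of where that bit sits and why it distinguishes a new connection from an established one, the following parses a raw IPv4/TCP packet, reads the flags byte of the TCP header, and classifies the packet. The two packets are constructed by hand with checksums left at zero, since only the flag field is examined; the addresses and ports are assumed.

```python
"""Locate the TCP ACK bit in a raw IPv4 packet and classify the packet as the
opening segment of a new connection (ACK clear) or as part of an established
one (ACK set).  Added illustration, not Motorola's code."""
import struct
from typing import Optional

ACK = 0x10   # bit 4 of the TCP flags byte
SYN = 0x02   # bit 1 of the TCP flags byte


def tcp_flags(packet: bytes) -> Optional[int]:
    """Return the TCP flags byte of an IPv4/TCP packet, or None if it is not TCP."""
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        return None
    ihl = (version_ihl & 0x0F) * 4        # IP header length in bytes (20 with no options)
    if packet[9] != 6:                    # IP protocol field: 6 = TCP, 17 = UDP
        return None                       # UDP has no ACK bit, so the test does not apply
    tcp = packet[ihl:ihl + 20]
    # TCP header layout: src port(2) dst port(2) seq(4) ack(4) offset(1) flags(1) ...
    return tcp[13] & 0x3F


def classify(packet: bytes) -> str:
    flags = tcp_flags(packet)
    if flags is None:
        return "not-tcp"
    if flags & ACK:
        return "established"      # every segment after the first carries ACK
    return "new-connection"       # a bare SYN is the only segment without ACK


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte IPv4 header plus 20-byte TCP header, no options, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0, 64, 6, 0,      # v4, IHL 5, length 40, TTL 64, TCP
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)  # data offset 5 words
    return ip + tcp


# Constructed: a WAN host opens a Telnet connection to a LAN host (SYN, ACK clear) ...
INBOUND_SYN = build_ipv4_tcp("200.1.1.184", "10.0.0.5", 40000, 23, SYN)
# ... versus a WAN web server answering a session the LAN host opened (SYN+ACK).
REPLY_SYNACK = build_ipv4_tcp("200.1.1.184", "10.0.0.5", 80, 40001, SYN | ACK)

if __name__ == "__main__":
    print("inbound SYN:  ", classify(INBOUND_SYN))     # new-connection
    print("reply SYN+ACK:", classify(REPLY_SYNACK))    # established
```

Both packets come from the same WAN address, so a filter that looks only at source address cannot tell them apart; the flags byte can. A filter that forwards only TCP packets with ACK set would admit the return half of LAN-initiated sessions while refusing WAN-initiated ones. The Change Filter screen shown above lists no such field, which is why Basic Firewall falls back on forwarding by destination port instead.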
Less Than or Equal      Any port less than or equal to the port defined
Equal                   Matches only the port defined
Greater Than or Equal   Matches the port or any port greater
Greater Than            Matches anything greater than the port defined

Example network

[Figure: an input packet filter on the Router sits between the Internet and the LAN; the sample packets arrive from the Internet with a source IP address of 200.1.1.??.]

Example filters

Example 1
Filter Rule: 200.1.1.0 (Source IP Network Address), 255.255.255.
After the logical AND with the mask, the source IP address of this incoming packet equals the network address in the rule’s Source IP Address field (00000000), so the rule matches and the Router will not forward this packet.

Example 2
Filter Rule: 200.1.1.0 (Source IP Network Address), 255.255.255.128 (Source IP Mask), Forward = No (What happens on match). Incoming packet has the source address of 200.1.1.184. IP Address 200.1.1.
Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 1011000, this rule does not match and this packet will be forwarded.

Example 4
Filter Rule: 200.1.1.96 (Source IP Network Address), 255.255.255.240 (Source IP Mask), Forward = No (What happens on match). Incoming packet has the source address of 200.1.1.104. IP Address 200.1.1.
Since the Source IP Network Address in the Router is 01100000, and the source IP address after the logical AND is 01100000, this rule does match and this packet will not be forwarded. Note that a mask of 255.255.255.240 keeps only the top four bits of the last byte, so this rule masks off the sixteen addresses 200.1.1.96 through 200.1.1.111, not a single IP address; to match exactly one host, use a mask of 255.255.255.255.

Configuration Management

Motorola Netopia® Embedded Software Version 8.7.4 offers a Configuration Management feature. Configuration Management provides a way to store several gateway configurations in a single device for use at different times.
Configuration Management
  Save Current Configuration as...
  Replace Existing Configuration...
  Boot from a Configuration...
  Delete a Configuration...
  Factory Default from Configuration:   Remove Factory Default Configuration

Return/Enter to select Factory Default Configuration.

Select Save Current Configuration as, and press Return. The Save Current Configuration screen appears.
Configuration Management
  Save Current Configuration as...
  Replace Existing Configuration...
  Boot from a Configuration...
  Delete a Configuration...

  +-Configuration Name---Type---+
  +-----------------------------+
  | HappyInternet        Binary |
  | Config1              Binary |
  | LesMizz              Binary |
  +-----------------------------+

  Factory Default from Configuration:   Remove Factory Default Configuration

A warning screen will ask you to confirm your choice.
Once you make the selection, if you factory-default the Router, it will reboot with the saved configuration you have selected.

Configuration Management
  Save Current Configuration as...
  Replace Existing Configuration...
  Boot from a Configuration...
  Delete a Configuration...
  Factory Default from Configuration:   HappyInternet

Return/Enter to select Factory Default Configuration.
Chapter 11 Utilities and Diagnostics

A number of utilities and tests are available for system diagnostic and control purposes.
Ping. The Motorola Netopia® Embedded Software Version 8.7.4 includes a standard Ping test utility. A Ping test generates IP packets destined for a particular (Ping-capable) IP host. Each time the target host receives a Ping packet, it returns a packet to the original sender. Ping allows you to see whether a particular IP destination is reachable from the Router.
Status: The current status of the Ping test. This item can display the status messages shown in the table below:

Message                               Description
Resolving host name                   Finding the IP address for the domain name-style address
Can’t resolve host name               IP address can’t be found for the domain name-style address
Pinging                               Ping test is in progress
Complete                              Ping test was completed
Cancelled by user                     Ping test was cancelled manually
Destination unreachable from w.x.y.
Packets Lost: The number of packets unaccounted for, shown in total and as a percentage of total packets sent. This statistic may be updated during the Ping test, and may not be accurate until after the test is over. However, if an escalating one-to-one correspondence is seen between Packets Out and Packets Lost, and Packets In is noticeably lagging behind Packets Out, the destination is probably unreachable. In this case, use STOP PING.
4. Select Use Reverse DNS to learn the names of the gateways between the Motorola Netopia® Router and the destination gateway. The default is Yes.
5. Select START TRACE ROUTE and press Return. A scrolling screen will appear that lists the destination, number of hops, IP addresses of each hop, and DNS names, if selected.
6. Cancel the trace by pressing Escape. Return to the Trace Route screen by pressing Escape twice.
Factory Defaults. You can reset the Router to its factory default settings. In the Utilities & Diagnostics screen, select Revert to Factory Defaults and press Return. Select CONTINUE in the dialog box and press Return. The Router will reboot and its settings will return to the factory defaults, deleting your configurations. In an emergency, you can also use the Reset switch to return the gateway to its factory default settings. Because the Reset switch works regardless of any password you have configured, anyone with physical access to the gateway can use it to clear your configuration; keep the unit in a physically secured location.
Updating software. Software updates may be available periodically from Motorola or from a site maintained by your organization’s network administrator. The software governs how the device communicates with your network and the WAN or remote site. Software updates are periodically posted on the Motorola Netopia® website. Note that TFTP provides no authentication, integrity protection, or encryption: the gateway will load whatever file the named server returns. Use a TFTP server you control, reachable only from a trusted network segment, and obtain the file from Motorola or your administrator rather than from an untrusted source. To update the gateway’s software, follow these steps:
• Select TFTP Server Name and enter the server name or IP address of the TFTP server you will use.
• Select Config File Name and enter the name of the file you will download. The name of the file is available from the site where the server is located. You may need to enter a file path along with the file name (for example, bigroot/config/myfile).
• Select GET CONFIG FROM SERVER and press Return.
Appendix A Troubleshooting

This appendix is intended to help you troubleshoot problems you may encounter while setting up and using Motorola Netopia® Embedded Software Version 8.7.4. It also includes information on how to contact Motorola Technical Support. Important information on these problems can be found in the event histories kept by the Router. These event histories can be accessed in the Statistics & Logs screen.
Note: If you are attempting to modify the IP address or subnet mask from a previous, successful configuration attempt, you will need to clear the IP address or reset your Router to the factory default before reinitiating the configuration process. For further information on resetting your Router to factory default, see “How to Reset the Router to Factory Defaults” on page A-2.
2. Carefully insert the point of a pen or an unwound paperclip into the opening.
3. Press this switch.
• If you press the factory default button for less than half a second, the unit will continue to run as normal.
• If you press the factory default button for 3 seconds, when you release it, the Gateway will perform a factory reset, clearing all settings and configurations except those saved as Saved Configuration(s). (See “Factory Default to a saved configuration” on page 10-47.)
How to reach us. We can help you with your problem more effectively if you have completed the environment profile in the previous section. If you contact us by telephone, please be ready to supply Motorola Technical Support with the information you used to configure the Router. Also, please be at the site of the problem and prepared to reproduce it and to try some troubleshooting steps.