AirLive RS-2500 · fs.airlive.com/manual/airlive_rs-2500_manual.pdf · Dual WAN Security VPN Gateway
User’s Manual
Dual WAN Security VPN Gateway
RS-2500
Copyright and Disclaimer
No part of this publication may be reproduced in any form or by any means, whether electronic, mechanical, photocopying, or recording, without the written consent of OvisLink Corp. OvisLink Corp. has made the best effort to ensure the accuracy of the information in this user’s guide. However, we are not liable for inaccuracies or errors in this guide. Please use with caution. All information is subject to change without notice. All trademarks are properties of their respective holders.
Table of Contents
1. Introduction ................................................................................................1
1.1 Overview..............................................................................................1
1.2 How to Use This Guide ........................................................................1
1.3 Firmware Upgrade and Tech Support ..................................................4
1.4 Features...............................................................................................5
2. Installing the RS-2500................................................................................6
2.1 Before You Start ...................................................................................6
2.2 Package Content .................................................................................6
2.3 Knowing your RS-2500........................................................................7
2.4 Hardware Installation ...........................................................................7
2.5 LED Table ............................................................................................8
2.6 Restore Settings to Default ..................................................................8
3. Configuring the RS-2500 ...........................................................................9
3.1 Important Information...........................................................................9
3.2 Prepare your PC ..................................................................................9
3.3 Management Interface.......................................................................10
3.4 Introduction to Web Management......................................................11
3.4.1 Getting into Web Management ................................................................................ 11
3.5 Initial Configurations ..........................................................................14
4. Web Management ....................................................................................18
4.1 About RS-2500’s Menu Structure.......................................................18
4.2 Remote Web Management ................................................................19
5. Administration..........................................................................................20
5.1 Admin.................................................................................................20
5.2 Permitted IP .......................................................................................22
5.3 Software Update ................................................................................23
5.4 Logout................................................................................................23
6. Configure ..................................................................................................24
6.1 Setting................................................................................................24
6.2 Date/Time ..........................................................................................29
6.3 Multiple Subnet ..................................................................................30
6.4 Route Table........................................................................................33
6.5 DHCP.................................................................................................34
6.6 Dynamic DNS ....................................................................................36
6.7 Host Table ..........................................................................................37
6.8 Language...........................................................................................37
7. Interface ....................................................................................................38
7.1 LAN....................................................................................................40
7.2 WAN...................................................................................................41
7.3 DMZ ...................................................................................................46
8. Address.....................................................................................................47
8.1 LAN....................................................................................................48
8.2 LAN Group.........................................................................................50
9. Service ......................................................................................................53
9.1 Pre-defined ........................................................................................54
9.2 Custom ..............................................................................................55
9.3 Group.................................................................................................58
10. Schedule .................................................................................................60
11. QoS..........................................................................................................62
12. Authentication........................................................................................68
12.1 Auth Setting .....................................................................................68
12.2 Auth User .........................................................................................71
13. Content Blocking ...................................................................................75
13.1 URL..................................................................................................75
13.2 Script................................................................................................77
13.3 Download.........................................................................................79
13.4 Upload .............................................................................................81
14. Application Blocking .............................................................................83
15. Virtual Server..........................................................................................89
15.1 Mapped IP .......................................................................................90
15.2 Virtual Server ...................................................................................92
16. VPN..........................................................................................................99
16.1 One-Step IPSec .............................................................................100
16.2 IPSec Autokey ...............................................................................102
16.3 PPTP Server ..................................................................................105
16.4 PPTP Client ...................................................................................106
17. Configuration Example: IPSec & PPTP VPN .....................................107
17.1 IPSec VPN - Office to Office (1).....................................................107
17.2 IPSec VPN - Office to Office (2).....................................................117
17.3 IPSec VPN - Office to Client ..........................................................127
17.4 PPTP VPN - Office to Office ..........................................................134
17.5 PPTP VPN - Office to Client ..........................................................143
18. Policy ....................................................................................................152
19. Configuration Example: Policy Setting..............................................156
19.1 Configuration Example (1) - Traffic Log, Statistic ...........................156
19.2 Configuration Example (2) - Specific WAN Addresses, Content Blocking, Application Blocking ...............................................................159
19.3 Configuration Example (3) - Authentication, Schedule ..................164
19.4 Configuration Example (4) - Virtual Server ....................................167
19.5 Configuration Example (5) - QoS, Virtual Server, MAX. Concurrent Sessions ................................................................................................169
20. Web VPN / SSL VPN.............................................................................171
20.1 Setting............................................................................................171
20.2 Hardware Auth ...............................................................................174
20.3 Status.............................................................................................175
20.4 Configuration Example...................................................................176
21. Anomaly Flow IP ..................................................................................184
22. Monitor..................................................................................................190
22.1 Log.................................................................................................190
22.2 Accounting Report .........................................................................202
22.3 Statistic ..........................................................................................211
22.4 Diagnostic ......................................................................................216
22.5 Wake On Lan .................................................................................220
22.6 Status.............................................................................................221
23. Frequently Asked Questions .................................................................225
24. Specifications.......................................................................................229
24.1 Hardware Features ........................................................................229
25. Network Glossary ................................................................................234
25.1 Interface.........................................................................................234
25.2 System...........................................................................................235
25.3 VPN ...............................................................................................238
25.4 Anomaly Flow IP ............................................................................240
1. Introduction
1.1 Overview
The RS-2500 is powered by an IXP425 533 MHz RISC processor and has increased memory capacity for better performance. It also provides a Web VPN / SSL VPN server function, so remote users can connect to the IPSec server using the IE browser and access LAN resources.
The IM/P2P Blocking function has also been improved: in addition to blocking IM and P2P programs, the new Application Blocking supports blocking of Video/Audio applications, Webmail, Game applications, Tunnel applications, and Remote Control applications. These comprehensive advanced security functions make the RS-2500 a more capable Security VPN Gateway than before.
1.2 How to Use This Guide
The RS-2500 is an advanced VPN Security Gateway with many functions. It is recommended that you read through the entire user’s guide whenever possible. The user guide is divided into chapters; you should at least go through the first 3 chapters before attempting to install the device.
Chapter 1 Introduction: This chapter introduces the user’s manual. It helps you learn what each chapter contains and how to get help from AirLive Tech Support.
Chapter 2 Installing the RS-2500: This chapter covers hardware installation. You should read through the entire chapter.
Chapter 3 Configuring the RS-2500: This chapter gives the basic information needed before you access the RS-2500. It also includes basic but important information about the RS-2500.
Chapter 4 Web Management: This chapter explains how to access the RS-2500 via the web console.
Chapter 5 Administration: In this chapter, you learn how to create a sub-admin account, change the password, and upgrade the firmware.
Chapter 6 Configure:
6.1 Setting: You can back up or restore the RS-2500 config file, reset the device to its default settings, define the mail address for notifications, change the port number of web management, change the MTU value, enable RIP, enable the SIP pass-through function, and more.
6.3 Multiple Subnet: You can create further subnets for the LAN or DMZ interface, and define those subnets as NAT mode or Routing mode.
6.5 DHCP: You can change the DHCP client IP range for the LAN or DMZ, or enable the DHCP Relay function to get IPs from an upstream DHCP server.
Chapter 7 Interface: This chapter covers interface configuration and enabling the Remote Management function.
Chapter 8 Address: The administrator can define a specific IP address, IP range, IP subnet, or MAC address for a specific device in the LAN, WAN, or DMZ, so that the Policy settings can restrict services precisely.
Chapter 9 Service: This chapter lists the standard protocols for the user’s reference, and also allows the user to create non-standard port numbers as required. In the end, the Address setting is assigned to Mapped IP or Virtual Server, or enabled by a Policy setting.
Chapter 10 Schedule: This chapter lets the user define time schedules for the Policy settings.
Chapter 11 QoS: It is recommended to read this chapter before you configure QoS. It explains how to configure the QoS settings correctly.
Chapter 12 Authentication: If you want users to pass authentication before accessing the Internet, read this chapter and follow the guide to configure it.
Chapter 13 Content Blocking: You can configure the Content Blocking settings and enable the function in Policy.
13.1 URL: You can define keywords or domain names whose websites are to be blocked or allowed.
13.3 Download: Specific file types or extension names can be blocked.
Chapter 14 Application Blocking: You can select the application type and software, and enable blocking of those applications in Policy.
Chapter 15 Virtual Server: When you install a server in the LAN and allow Internet users to access it, you should define the Virtual Server function.
Chapter 16 VPN: This chapter is an introduction to the IPSec and PPTP servers. Read the next chapter to learn how to configure them.
Chapter 17 Configuration Example - IPSec & PPTP VPN: We list several examples of VPN connections; find the one that matches your case and refer to it to configure your own settings.
Chapter 18 Policy: It is recommended to read this chapter, because Policy is the most important setting of the RS-2500. No matter how you configure QoS, VPN, or any other function, you have to enable them in the Policy settings.
Chapter 19 Configuration Example - Policy Setting: We list several Policy settings for your reference so you can better understand how to configure them.
Chapter 20 Web VPN / SSL VPN: This chapter explains the Web VPN / SSL VPN function, and also gives an example of how to configure it.
Chapter 21 Anomaly Flow IP: This chapter explains how to configure the RS-2500 to protect against intrusion by known malware.
Chapter 22 Monitor:
22.1 Log: Displays the various log records for the user’s reference.
22.2 Accounting Report: Displays Internet access totals per Source IP, Destination IP, and Service.
22.3 Statistic: Displays WAN or Policy statistics for the user’s reference.
22.4 Diagnostic: The RS-2500 offers Ping and Traceroute tools to diagnose connection status per WAN, LAN, DMZ, or VPN.
22.5 Wake On Lan: This section introduces the Wake On Lan function, which lets an Internet user wake up a LAN PC.
22.6 Status: You can find the real-time status of the Interfaces, Authentication, ARP table, and DHCP Clients.
1.3 Firmware Upgrade and Tech Support
If you encounter a technical issue that cannot be resolved by the information in this guide, we recommend that you visit our comprehensive website support at www.airlive.com. The tech support FAQ is frequently updated with the latest information.
In addition, you might find new firmware that either adds software functions or provides bug fixes for the RS-2500. You can reach our on-line support center at the following link:
http://www.airlive.com/support/support_2.jsp
Since 2009, AirLive has added the “Newsletter Instant Support System” to our website. AirLive Newsletter subscribers receive instant email notifications when there are new downloads or tech support FAQ updates for their subscribed AirLive models. To become an AirLive newsletter member, please visit: http://www.airlive.com/member/member_3.jsp
Figure: AirLive Newsletter Support System
1.4 Features
Web VPN/SSL VPN, IPSec and PPTP VPN Server
VPN Trunk
Application Blocking, IM / P2P Blocking, Content Blocking
User Authentication
QoS, Max. Bandwidth Per Source IP, Max. Concurrent Sessions Per Source IP
Dual WAN Load Balance and Fail-over
Multiple Subnet
Custom Service Definition for IP, TCP, UDP
Detect and block the anomaly flow IP
Policy based Firewall
DMZ Transparent
Schedule
Static Route, RIPv2
Web Management
2. Installing the RS-2500
This section describes the hardware features and the hardware installation procedure for the RS-2500. For software configuration, please go to chapter 3 for more details.
2.1 Before You Start
It is important to read through this section before you install the RS-2500.
The RS-2500 comes with everything you need to start installation. You can use a CAT-5 Ethernet cable of the length you need.
The RS-2500 must be installed with the 5V adapter. Please do not use an adapter of any other voltage.
During a firmware upgrade, please do not refresh or close the web page, otherwise the firmware could be corrupted.
Please do not use FTP to transfer the firmware file, because the firmware could be transferred incompletely. If the RS-2500 is upgraded with an incomplete firmware file, the device will be damaged.
2.2 Package Content
The RS-2500 package contains the following items:
One RS-2500 main unit
One 5V 2.5A DC power adapter
2 x RJ-45 Ethernet Cable
User’s Guide CD
Quick Start Guide
2.3 Knowing your RS-2500
Below are descriptions and diagrams of the product:
2.4 Hardware Installation
1. Plug the power adapter into the RS-2500 and into the electrical outlet.
2. Connect an Ethernet cable between the PC and the RS-2500 LAN port.
3. Wait for the RS-2500 Status LED to stop blinking.
4. The PC should get an IP address from the RS-2500 DHCP server; now you can log in to the RS-2500 and configure the settings.
2.5 LED Table
This section describes the LED behavior of the RS-2500. The LEDs are on the front side of the RS-2500.
Power: Steady Green – Power On; OFF – No Power
Status: Steady Green – Ready to use; Blinking – Booting
WAN1/2, LAN, DMZ: Steady Green – Cable is connected; Blinking – Packets are being sent/received
2.6 Restore Settings to Default
If you have forgotten your RS-2500’s IP address or password, you can restore your RS-2500 to the default settings by pressing the “reset button” for more than 10 seconds. You can find the reset button on the back panel. Please see the diagram below for details.
3. Configuring the RS-2500
To use this product correctly, you have to properly configure the network settings of your computers and install the attached setup program on your MS Windows platform (Windows 95/98/NT/2000/XP).
3.1 Important Information
The following information will help you get started quickly. However, we recommend that you read through the entire manual before you start. Please note that passwords are case sensitive.
The default IP address is: 192.168.1.1
Subnet Mask: 255.255.255.0
The default user name is: admin
The default password is: airlive
After power on, please wait 2 minutes for the RS-2500 to finish booting up.
3.2 Prepare your PC
The default IP address of this product is 192.168.1.1, and the default subnet mask is 255.255.255.0. These addresses can be changed as needed, but the default values are used in this manual. If the TCP/IP environment of your computer has not yet been configured, you can refer to this example:
1. Configure the IP as 192.168.1.2, the subnet mask as 255.255.255.0 and the gateway as 192.168.1.1, or, more easily,
2. Configure your computer to load its TCP/IP settings automatically, that is, via the DHCP server of this product.
After installing the TCP/IP protocol, you can use the ping command to check whether your computer has successfully connected to this product. The following example shows the ping procedure for Windows platforms. First, execute the ping command:
ping 192.168.1.1
If the following messages appear:
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
A communication link between your computer and this product has been successfully
established. Otherwise, if you get the following messages,
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
There must be something wrong in your installation procedure. You have to check the
following items in sequence:
1. Is the Ethernet cable correctly connected between this product and your computer?
Tip: The LAN LED of this product and the link LED of network card on your computer must
be lighted.
2. Is the TCP/IP environment of your computers properly configured?
Tip: If the IP address of this product is 192.168.1.1, the IP address of your computer must
be 192.168.1.X and default gateway must be 192.168.1.1.
3.3 Management Interface
The RS-2500 can be configured using one of the management interfaces below:
Web Management (HTTP): You can manage your RS-2500 by simply typing its IP address into the web browser. We recommend using this interface for the initial configuration. To begin, simply enter the RS-2500 IP address (default is 192.168.1.1) in the web browser. The default password is “airlive”.
Secure Web Management (HTTPS): HTTPS also uses the web browser for configuration, but all data transactions are encrypted using SSL. It is therefore a safe and easy way to manage your RS-2500.
3.4 Introduction to Web Management
The RS-2500 offers both normal (HTTP) and secured (HTTPS) Web Management interfaces. They share the same interface and functions, and both can be accessed through a web browser. The only difference is that HTTPS is encrypted for extra security. Therefore, we will discuss them together as “Web Management” in this guide.
If you are placing the RS-2500 behind a router or firewall, you might need to open virtual server ports to the RS-2500 on your firewall/router:
HTTP: TCP Port 80
HTTPS: TCP/UDP Port 443
3.4.1 Getting into Web Management
Normal Web Management (HTTP)
To get into the Normal Web Management, simply type in the RS-2500’s IP address (default
IP is 192.168.1.1) into the web browser’s address field.
Secured Web Management (HTTPS)
To get into the Secured Web Management, just type “https://192.168.1.1” into the web
browser’s address field. The “192.168.1.1” is RS-2500’s default IP address. If the IP
address is changed, the address entered in the browser should change also.
A security warning screen from your browser will then pop up, depending on the browser you use. Please follow the steps below to clear the security screen.
Internet Explorer: Select “Yes” to proceed.
Firefox:
1. Select “or you can add an exception”
2. Click on “Add Exception”
3. Click on “Get Certificate”. Then enter the RS-2500’s IP address. Finally, click on “Confirm Security Exception.”
3.5 Initial Configurations
We recommend that users browse through the RS-2500’s web management interface to get an overall picture of the functions and interface. Below are the recommended initial configurations for the first login:
STEP 1:
1. Connect the Admin’s PC to the LAN port of the Security VPN Gateway.
2. Open a web browser and type the default IP address of the Security VPN Gateway, 192.168.1.1, in the address bar.
3. A pop-up screen will appear and prompt for a username and password. Enter the Administrator’s default login username (admin) and password (airlive).
STEP 2:
After entering the username and password, the Security VPN Gateway WEB UI screen will be displayed. Select the Interface tab on the left menu and a sub-function list will be displayed. Click on WAN in the sub-function list and enter the proper network setup information. Click Modify to modify the WAN1/2 settings (e.g. the WAN1 interface):
WAN1 interface IP Address: 60.250.158.64
NetMask: 255.255.255.0
Default Gateway: 60.250.158.254
DNS Server1: 168.95.1.1
STEP 3:
Click on the Policy tab from the main function menu, and then click on Outgoing from the
sub-function list.
STEP 4:
Click on New Entry button.
STEP 5:
When the New Entry option appears, enter the following configuration:
Source Address – select Inside_Any
Destination Address – select Outside_Any
Service - select ANY
Action - select Permit ALL
Click on OK to apply the changes.
STEP 6:
The configuration is successful when the screen below is displayed. Make sure that all the
computers that are connected to the LAN port have their Default Gateway IP Address set to
the Security VPN Gateway’s LAN IP Address (i.e. 192.168.1.1). At this point, all the
computers on the LAN network should gain access to the Internet immediately.
4. Web Management
In this chapter, we explain the Administration settings in the web management interface. Please be sure to read through Chapter 3’s “Introduction to Web Management” and “Initial Configurations” first.
4.1 About RS-2500’s Menu Structure
The RS-2500’s web management menu is divided into 7 main subjects: System, Interface, Policy Object, Policy, Web VPN / SSL VPN, Anomaly IP Flow, and Monitor. Each subject includes several sub-objects, and each sub-object includes several functions for the user to configure.
The RS-2500 was designed as a policy-based firewall: the user configures the Policy Object settings, then enables the function in Policy.
Figure: Main Subject, Sub-Object, Functions
System: It includes the Administration, Configure, and Logout sub-objects. The System subject lets you configure the basic settings of the RS-2500. Please refer to chapter 5 Administration and chapter 6 Configure.
Interface: It includes the WAN, LAN and DMZ sub-objects. For more configuration information please refer to chapter 7.
Policy Object: It includes the Address, Service, Schedule, QoS, Authentication, Content Blocking, Application Blocking, Virtual Server, and VPN sub-objects. Before enabling a function in Policy, you need to configure the Policy Object settings first. Please refer to chapters 8 ~ 17.
Policy: It includes the Outgoing, Incoming, WAN To DMZ, LAN To DMZ, DMZ To WAN, and DMZ To LAN sub-objects. Please make sure to Logout after you finish all settings. You must configure the Policy settings to enable the Policy Object settings. Please refer to chapter 18.
Web VPN / SSL VPN: The RS-2500 provides a Web VPN / SSL VPN function to allow remote users to connect and access the router’s LAN resources. Please refer to chapter 20.
Anomaly IP Flow: It defines rules to block hackers from the Internet or Intranet. Please refer to chapter 21.
Monitor: It includes the Log, Accounting Report, Statistic, Diagnostic, Wake on Lan, and Status sub-objects. These functions offer reports and logs so the user can understand the current status of the device and network. Please refer to chapter 22.
4.2 Remote Web Management
The RS-2500 allows you to access the web management page from a remote site, using HTTP or HTTPS. In the WAN setting under Interface, enable HTTP, HTTPS, or both.
5. Administration
“System” covers the management of settings such as the privileges of packets that pass through the RS-2500 and monitoring controls. System Administrators can manage, monitor, and configure RS-2500 settings. All configurations are “read-only” for all users other than the System Administrator; those users are not able to change any setting of the RS-2500.
5.1 Admin
Admin Name: The username of the Administrator and Sub Administrators of the RS-2500. The admin user name cannot be removed; sub-admin users can be removed or modified.
The default Account: admin; Password: airlive
Privilege: The privileges of Administrators (Admin or Sub Admin). The main Administrator’s username is Administrator, with read/write privilege. The Administrator can change system settings, log system status, and add or delete sub-administrators. Sub-Admins may be created by the Admin by clicking New Sub Admin. Sub Admins have only read and monitor privilege and cannot change any system setting.
Configure: Click Modify to change a Sub-Administrator’s password or click Remove to delete a Sub Administrator.
Adding a new Sub Administrator
STEP 1. In the Admin WebUI, click the New Sub Admin button to create a new Sub Administrator.
STEP 2. In the Add New Sub Administrator WebUI (Figure 5-1), enter the following settings:
Sub Admin Name: sub_admin
Password: 12345
Confirm Password: 12345
STEP 3. Click OK to add the user or click Cancel to cancel.
Figure 5-1 Add New Sub Admin
Modify the Administrator’s Password
STEP 1. In the Admin WebUI, locate the Administrator name you want to edit, and click on Modify in the Configure field.
STEP 2. The Modify Administrator Password WebUI will appear. Enter the following information:
Password: admin
New Password: 52364
Confirm Password: 52364 (Figure 5-2)
STEP 3. Click OK to confirm the password change.
Figure 5-2 Modify Admin Password
5.2 Permitted IP
Add Permitted IPs
STEP 1﹒Add the following setting in Permitted IPs of Administration: (Figure 5-3)
Name: Enter master
IP Address: Enter 163.173.56.11
Netmask: Enter 255.255.255.255
Service: Select Ping, HTTP and HTTPS
Click OK
The new Permitted IP entry is added (Figure 5-4)
Figure 5-3 Setting Permitted IPs WebUI
Figure 5-4 Complete Add New Permitted IPs
To make Permitted IPs effective, it is suggested to cancel the Ping,
HTTP, and HTTPS selection in the LAN, WAN, or DMZ Interface setting.
Before canceling the WebUI selection of an Interface, the user must set up
the Permitted IPs first; otherwise the user will no longer be able to
enter the WebUI through that Interface.
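The access rule the note above describes, as an added example (not code from the manual or the device): a Permitted IPs table and the per-interface Ping/HTTP/HTTPS selections are modelled in Python, with a check an administrator can run before clearing an interface selection to avoid locking themselves out. The table contents, the interface flags and the decision logic are assumptions built from the text of this section.

```python
import ipaddress

# Constructed Permitted IPs table mirroring the entry added above (name, IP,
# netmask and the management services the entry allows).
PERMITTED_IPS = [
    {"name": "master", "ip": "163.173.56.11", "netmask": "255.255.255.255",
     "services": {"Ping", "HTTP", "HTTPS"}},
]

# Constructed state of the Ping/HTTP/HTTPS checkboxes in the LAN, WAN and DMZ
# Interface settings. True means every host reaching that interface may use
# the service; the note above recommends clearing these once Permitted IPs exist.
INTERFACE_SERVICES = {
    "LAN": {"Ping": True, "HTTP": True, "HTTPS": True},
    "WAN": {"Ping": False, "HTTP": False, "HTTPS": False},
    "DMZ": {"Ping": False, "HTTP": False, "HTTPS": False},
}


def entry_covers(entry, src_ip):
    """True when src_ip lies inside the entry's IP/netmask."""
    net = ipaddress.IPv4Network((entry["ip"], entry["netmask"]), strict=False)
    return ipaddress.IPv4Address(src_ip) in net


def management_allowed(src_ip, service, interface,
                       permitted=PERMITTED_IPS, interface_services=INTERFACE_SERVICES):
    """Model (an assumption, not the RS-2500 firmware) of the access decision
    the section describes: a management request is accepted when the service
    is still selected on the arriving interface, or when a Permitted IPs entry
    covers the source address and lists that service."""
    if interface_services[interface].get(service, False):
        return True
    return any(entry_covers(e, src_ip) and service in e["services"]
               for e in permitted)


def safe_to_cancel(admin_ip, service, permitted=PERMITTED_IPS):
    """Check to run BEFORE clearing a service's checkbox on an interface:
    the administrator's own station must already be covered by a Permitted
    IPs entry for that service, otherwise clearing it locks the admin out."""
    return any(entry_covers(e, admin_ip) and service in e["services"]
               for e in permitted)


if __name__ == "__main__":
    print(management_allowed("163.173.56.11", "HTTPS", "WAN"))   # True
    print(management_allowed("163.173.56.12", "HTTPS", "WAN"))   # False
    print(safe_to_cancel("192.168.1.50", "HTTP"))                # False
```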
5.3 Software Update
STEP 1﹒Select Software Update in System, and follow the steps below:
Check the current version under Version Number and obtain the latest
version from the Internet. Save the latest version on the PC that
manages the RS-2500.
Click Browse and choose the latest software version file.
Click OK and the system will update automatically. (Figure 5-5)
Figure 5-5 Software Update
It takes 4 minutes to update the software. The system will reboot after the
update. During the update, do not turn off the PC or close the
WebUI; doing so may cause unexpected errors. (It is strongly suggested to
update the software from the LAN to avoid unexpected errors.)
5.4 Logout
STEP 1﹒Click Logout in System to protect the system while the admin is away. (Figure 5-6)
Figure 5-6 Confirm Logout WebUI
STEP 2﹒Click OK and the logout message will appear in WebUI. (Figure 5-7)
Figure 5-7 Logout WebUI Message
6. Configure
The Configure menu covers the basic settings of the RS-2500. This chapter describes the
Setting, Date/Time, Multiple Subnet, Route Table, DHCP, Dynamic DNS, Hosts Table,
and Language settings.
6.1 Setting
System Settings- Exporting
STEP 1﹒In the System Setting WebUI, click the button next to Export System
Setting to Client.
STEP 2﹒When the File Download pop-up window appears, choose the destination
where the exported file is to be saved and click Save. The RS-2500's settings
are copied to the chosen location immediately. (Figure 6-1)
Figure 6-1 Select the Destination Place to Save the Exported File
System Settings- Importing
STEP 1﹒In the System Setting WebUI, click the Browse button next to Import System
Setting from Client. When the Choose File pop-up window appears, select the file
that contains the saved RS-2500 settings, then click OK. (Figure 6-2)
STEP 2﹒Click OK to import the file into the RS-2500. (Figure 6-3)
Figure 6-2 Enter the File Name and Destination of the Imported File
Figure 6-3 Upload the Setting File WebUI
Restoring Factory Default Settings
STEP 1﹒Select Reset System to Factory Setting in the RS-2500 Configuration WebUI.
STEP 2﹒Click OK at the bottom-right of the page to restore the factory settings. (Figure 6-4)
Figure 6-4 Reset Factory Settings
Email Settings
Select Enable E-mail Alert Notification under E-mail Settings. This function enables
the RS-2500 to send e-mail alerts to the System Administrator when the network is being
attacked by hackers or when emergency conditions occur. (Hacker attack detection is
configured under Anomaly Flow IP Setting.)
Enabling E-mail Alert Notification
STEP 1﹒Select Enable E-mail Alert Notification under E-Mail Settings.
STEP 2﹒Sender Address (Required by some ISPs): Enter the Sender Address.
STEP 3﹒SMTP Server IP: Enter SMTP server’s IP address
STEP 4﹒E-Mail Address 1: Enter the e-mail address of the first user to be notified.
STEP 5﹒E-Mail Address 2: Enter the e-mail address of the second user to be notified.
(Optional)
STEP 6﹒Click OK on the bottom-right of the screen to enable E-mail Alert Notification.
(Figure 6-5)
Figure 6-5 Enable E-mail Alert Notification
Click Mail Test to test whether E-mail Address 1 and E-mail Address 2
receive the Alert Notification correctly.
Web Management (WAN Interface)
The System Manager can change the port number used by HTTP or HTTPS at any time.
(Remote WebUI management)
After the HTTP port has been changed, an administrator who wants to enter the
WebUI from the WAN must add the new port number to the address in the browser.
(For example: http://61.62.108.172:8080)
MTU Setting
This lets the Administrator modify the network packet length (MTU) at any time. Its default
value is 1500 bytes.
Link Speed / Duplex Mode Setting
This function sets the transmission speed and duplex mode of the WAN port when connecting
to another device.
Dynamic Routing (RIPv2)
Select to enable the LAN, WAN1, WAN2 or DMZ port of the AirLive RS-2500 to
send/receive RIPv2 packets and exchange routes with internal or external
routers, so that dynamic routing is kept up to date.
SIP protocol pass-through
Select to enable SIP protocol pass-through on the RS-2500. Depending on the type of
SIP device you have, SIP may also pass through the RS-2500 without enabling this
function.
Administration Packet Logging
After this function is enabled, the RS-2500 records packets whose source or destination IP
address is the RS-2500 itself in the Traffic Log, where the System Manager can inspect them.
System Reboot
Once this function is used, the RS-2500 will be rebooted.
STEP 1﹒Reboot RS-2500: Click the Reboot button next to Reboot RS-2500 Appliance.
STEP 2﹒A confirmation pop-up page will appear.
STEP 3﹒Follow the confirmation pop-up page and click OK to restart the RS-2500.
(Figure 6-6)
Figure 6-6 Other Function Settings
6.2 Date/Time
Synchronize system clock
The administrator can configure the RS-2500’s date and time by either syncing to an
Internet Network Time Server (NTP) or by syncing to your computer’s clock.
STEP 1﹒Select Enable synchronize with an Internet time Server (Figure 6-7)
STEP 2﹒Click the down arrow to select the offset time from GMT.
STEP 3﹒If necessary, select Enable daylight saving time setting
STEP 4﹒Enter the Server IP / Name with which you want to synchronize.
STEP 5﹒Set the interval time to synchronize with outside servers.
Figure 6-7 System Time Setting
Click the Sync button and the RS-2500's date and time will be
synchronized to the Administrator's PC.
The values for Set Offset hours From GMT and Server IP / Name can
be looked up with Assist.
6.3 Multiple Subnet
Connect to the Internet through Multiple Subnet in NAT or Routing mode, according to the
IP address set on the LAN user's network card. (Figure 6-8)
Figure 6-8 Multiple Subnet UI
WAN Interface IP / Forwarding Mode
The WAN IP address that corresponds to the Multiple Subnet, and the forwarding
mode of the Multiple Subnet (NAT mode or Routing mode)
Interface
The interface of the Multiple Subnet (LAN or DMZ)
Alias IP of Interface / Netmask
The IP address range setting of the Multiple Subnet
Configuration Example
The RS-2500 WAN1 (10.10.10.1) connects to the ISP router (10.10.10.2), and the subnet
provided by the ISP is 162.172.50.0/24.
To connect to the Internet, WAN2 IP (211.22.22.22) connects to the ATU-R.
Adding Multiple Subnet
Add the following settings in Multiple Subnet of the System function:
Click New Entry
Alias IP of LAN Interface: Enter 162.172.50.1
Netmask: Enter 255.255.255.0
WAN1: Choose Routing in Forwarding Mode, and press Assist to select
Interface IP 10.10.10.1
WAN2: Enter Interface IP 211.22.22.22, and choose NAT in Forwarding Mode
Click OK
The Multiple Subnet is added (Figure 6-9)
Figure 6-9 Add Multiple Subnet WebUI
The WAN1 and WAN2 Interface fields can be filled in with Assist.
After this setting there are two subnets in the LAN: 192.168.1.0/24 (the default
LAN subnet) and 162.172.50.0/24. So if the LAN IP is:
192.168.1.xx, it must use NAT mode to access the Internet.
(In Policy it can only be set to access the Internet through WAN2; through WAN1
in Routing mode it cannot reach the Internet with its virtual IP.)
162.172.50.xx, it uses Routing mode through WAN1 (the Internet
server sees your IP 162.172.50.xx directly) and NAT mode
through WAN2 (the Internet server sees your IP as the WAN2 IP).
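The two forwarding outcomes described above, worked through as an added Python example (not the manual's own material): the table mirrors this section's configuration, and the rule that Routing mode only reaches the Internet from a public LAN address is an assumption derived from the note.

```python
import ipaddress

# Constructed table mirroring the example above (an illustration, not the
# RS-2500 configuration format): for each LAN-side subnet, the interface IP
# and forwarding mode used on each WAN.
MULTIPLE_SUBNETS = [
    {   # default LAN subnet, set when the LAN Interface IP was configured
        "subnet": "192.168.1.0/24",
        "wan": {"WAN1": {"ip": "10.10.10.1", "mode": "Routing"},
                "WAN2": {"ip": "211.22.22.22", "mode": "NAT"}},
    },
    {   # alias subnet 162.172.50.0/24 added in Multiple Subnet
        "subnet": "162.172.50.0/24",
        "wan": {"WAN1": {"ip": "10.10.10.1", "mode": "Routing"},
                "WAN2": {"ip": "211.22.22.22", "mode": "NAT"}},
    },
]


def source_seen_by_internet(lan_ip, wan, table=MULTIPLE_SUBNETS):
    """Source address an Internet server sees for a packet from lan_ip sent
    out via the given WAN, or None when that path cannot reach the Internet.
    NAT rewrites the source to the WAN interface IP. Routing keeps the LAN
    host's own address, which only works when that address is public: a
    private address (192.168.1.x) routed unchanged is not reachable from
    the Internet, matching the note above (assumption)."""
    addr = ipaddress.IPv4Address(lan_ip)
    for entry in table:
        if addr not in ipaddress.IPv4Network(entry["subnet"]):
            continue
        cfg = entry["wan"][wan]
        if cfg["mode"] == "NAT":
            return cfg["ip"]
        return None if addr.is_private else str(addr)
    return None          # not in any configured subnet


def usable_wans(lan_ip, table=MULTIPLE_SUBNETS):
    """WAN interfaces through which lan_ip can reach the Internet; the Policy
    for that subnet should only point at these."""
    return [w for w in ("WAN1", "WAN2")
            if source_seen_by_internet(lan_ip, w, table) is not None]


if __name__ == "__main__":
    print(usable_wans("192.168.1.10"))    # ['WAN2']
    print(usable_wans("162.172.50.20"))   # ['WAN1', 'WAN2']
```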
NAT Mode
NAT mode allows the Internal Network to set up multiple subnet addresses and connect to the
Internet through different WAN IP addresses.
For example, a company's leased line provides several real IP addresses, 168.85.88.0/24,
and the company is divided into R&D, Service, Sales, Procurement, and Accounting
departments; the company can distinguish each department by a different subnet for convenient management. The settings are as follows:
1. R&D department subnet:192.168.1.1/24 (LAN) 168.85.88.253 (WAN)
2. Service department subnet:192.168.2.1/24 (LAN) 168.85.88.252 (WAN)
3. Sales department subnet:192.168.3.1/24 (LAN) 168.85.88.251 (WAN)
4. Procurement department subnet:192.168.4.1/24 (LAN) 168.85.88.250 (WAN)
5. Accounting department subnet:192.168.5.1/24 (LAN) 168.85.88.249 (WAN)
The first department (R&D) was set up when the interface IP was configured; the other four
must be added in Multiple Subnet. After completing the settings, each department
uses a different WAN IP address to connect to the Internet. The settings of each
department are as follows:
                 Service           Sales             Procurement       Accounting
IP Address       192.168.2.2~254   192.168.3.2~254   192.168.4.2~254   192.168.5.2~254
Subnet Netmask   255.255.255.0     255.255.255.0     255.255.255.0     255.255.255.0
Gateway          192.168.2.1       192.168.3.1       192.168.4.1       192.168.5.1
Routing Mode
Routing mode is approximately the same as NAT mode, but it does not need to map to a real
WAN IP address: an internal PC accesses the Internet with its own IP. (External users
can also use that IP to connect to it over the Internet.)
6.4 Route Table
The Route Table connects the RS-2500 with another router so that users on
different IP subnets can access the Internet at the same time. (Figure 6-10, 6-11)
Figure 6-10 Route Table UI
Figure 6-11 Route Table UI
Destination IP / Netmask
The target IP subnet of routing rule
Gateway
Indicates the IP address of the router that will route packets to the target subnet
Interface
Indicates the interface through which the routed packets are sent out
6.5 DHCP
Subnet
The domain name of LAN
NetMask
The LAN Netmask
Gateway
The default Gateway IP address of LAN
Broadcast IP
The Broadcast IP of LAN
STEP 1﹒Select DHCP in System and enter the following settings:
DHCP Relay Interface: Select the interface connected to the WAN DHCP server
DHCP Server IP: Enter the IP address of the DHCP server
Domain Name: Enter the Domain Name
DNS Server 1: Enter the IP address of DNS Server 1 to be distributed.
DNS Server 2: Enter the IP address of DNS Server 2 to be distributed.
WINS Server 1: Enter the IP address of WINS Server 1 to be distributed.
WINS Server 2: Enter the IP address of WINS Server 2 to be distributed.
LAN Interface:
Client IP Address Range 1:
Enter the starting and ending IP addresses to be assigned dynamically to
DHCP clients. The default is 192.168.1.2 to 192.168.1.254 (both must
be in the same subnet)
Client IP Address Range 2:
Enter the starting and ending IP addresses to be assigned dynamically to
DHCP clients. The range must be within the same subnet as Client IP
Address Range 1 and must not overlap it.
DMZ Interface: the same as the LAN Interface. (DHCP on the DMZ works only if the DMZ
Interface is enabled)
Lease Time: Enter the lease time for dynamic IPs. The default is 24 hours.
Click OK and the DHCP setting is completed. (Figure 6-12)
Figure 6-12 DHCP WebUI
When Automatically Get DNS is selected, the DNS Server is locked to the
LAN Interface IP. (Use case: when the System Administrator enables
Authentication, the users' first DNS Server must be the same as the LAN
Interface IP in order to reach the Authentication WebUI)
6.6 Dynamic DNS
STEP 1﹒Select Dynamic DNS in the System function (Figure 6-13) and click the New Entry button:
Service provider: Select the service provider.
Automatically fill in the WAN 1/2 IP: Check to fill in the WAN 1/2 IP automatically.
User Name: Enter the registered user name.
Password: Enter the password.
Domain name: Enter your host domain name.
Click OK to add the Dynamic DNS entry. (Figure 6-14)
Figure 6-13 DDNS WebUI
Figure 6-14 Complete DDNS Setting
Status icons in the DDNS WebUI and their meaning:
Update successfully
Incorrect username or password
Connecting to server
Unknown error
If the System Administrator has not registered a DDNS account, click
Sign up to go to the provider's website.
If you do not select Automatically for the WAN IP, you can enter
a specific IP in WAN IP; DDNS then corresponds to that specific IP
address.
6.7 Host Table
Host Name
Set by the System Manager to let internal users access the information provided
by the host of that domain.
Virtual IP Address
The virtual IP address is corresponding to the Host. It must be LAN or DMZ IP address.
STEP 1﹒Select Host Table in the Settings function and click New Entry
Host Name: The domain name of the server
Virtual IP Address: The virtual IP address is corresponding to the Host.
Click OK to add Host Table. (Figure 6-15)
Figure 6-15 Add New Host Table
To use the Host Table, the user PC's first DNS Server must be the same
as the LAN Port or DMZ Port IP of the RS-2500, that is, the default
gateway.
6.8 Language
Select the Language version (English Version/ Traditional Chinese Version or
Simplified Chinese Version) and click OK. (Figure 6-16)
Figure 6-16 Language Setting WebUI
7. Interface
In this chapter you set up the IP addresses of the office network: the LAN network,
the WAN1 and WAN2 networks, and the DMZ network.
The Netmask and gateway IP addresses are also configured in this chapter.
Define the required fields of Interface
LAN: Using the LAN Interface, the Administrator can set up the LAN network of the
RS-2500.
WAN: The System Administrator can set up the WAN network of the RS-2500.
Connection Test: Identifies the WAN port's connection status. The test
methods are as follows:
ICMP: The user defines an IP address and the RS-2500 pings that
address to verify the WAN port's connection status.
DNS: Verifies the connection status by querying the DNS server and
Domain Name configured by the user.
Upstream/Downstream Bandwidth: The System Administrator can set
up the correct bandwidth of the WAN network Interface here.
Auto Disconnect: The PPPoE connection will automatically disconnect
after a period of idle time (no activity). Entering "0" means the PPPoE
connection never disconnects.
DMZ: The Administrator uses the DMZ Interface to set up the DMZ network.
NAT Mode: In this mode the DMZ is an independent virtual subnet. This
virtual subnet can be set by the Administrator but cannot be the same as the
LAN Interface subnet.
Transparent Mode: In this mode the DMZ and WAN Interface are in the
same subnet.
Balance Mode
Auto: The RS-2500 adjusts the WAN 1/2 utilization automatically according to
the downstream/upstream bandwidth of each WAN. (For users whose WAN links have
different download bandwidths)
Round-Robin: The RS-2500 distributes the WAN 1/2 download bandwidth 1:1; in
other words, it selects the agent (WAN link) in turn. (For users whose WAN links
have the same download bandwidth)
By Traffic: The RS-2500 distributes the WAN 1/2 download bandwidth by
accumulated traffic.
By Session: The RS-2500 distributes the WAN 1/2 download bandwidth by
saturated connections.
By Packet: The RS-2500 distributes the WAN 1/2 download bandwidth by
accumulated packets and saturated connections.
By Source IP: The RS-2500 distributes the WAN 1/2 connections by source IP
address; once a connection is built up, all packets from the same source IP
pass through the same WAN interface.
By Destination IP: The RS-2500 allocates the WAN connection according
to the destination IP; once a connection is built up, all packets to the same
destination IP pass through the same WAN interface. The WAN interface is
re-assigned when the connections have stopped.
Connect Mode
Displays the current connection mode:
PPPoE (ADSL user)
Dynamic IP Address (Cable Modem User)
Static IP Address
PPTP (European User Only)
Saturated Connections
Set the saturation number; whenever the session count reaches it, the RS-2500
switches to the next agent on the list.
Ping: Select this function to allow LAN users to ping the Interface IP Address.
HTTP: Select to allow users to enter the WebUI of the RS-2500 from the Interface IP.
HTTPS: Select to allow users to enter the secure WebUI of the RS-2500 from the Interface
IP.
Priority
Set the priority of the WAN for Internet access
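The balance modes and the Saturated Connections threshold listed above, modelled as an added Python example that is not RS-2500 firmware; the WAN names, the session bookkeeping and the tie-breaking rule (least-loaded link for a new source or destination IP) are assumptions.

```python
class WanBalancer:
    """Model of the balance modes above for two WAN links ("agents").
    Illustration written for this page, not the device's implementation."""

    def __init__(self, mode, saturated=None, wans=("WAN1", "WAN2")):
        self.mode = mode
        self.wans = list(wans)
        self.saturated = saturated        # Saturated Connections threshold (None = off)
        self.sessions = {w: 0 for w in self.wans}   # active sessions per link
        self.traffic = {w: 0 for w in self.wans}    # accumulated bytes (By Traffic)
        self.rr_pos = 0                             # next Round-Robin position
        self.sticky = {}                  # src/dst IP -> [wan, active session count]

    def _not_saturated(self, wan):
        return self.saturated is None or self.sessions[wan] < self.saturated

    def _candidates(self):
        free = [w for w in self.wans if self._not_saturated(w)]
        return free or self.wans          # every link saturated: no better choice

    def _key(self, src_ip, dst_ip):
        if self.mode == "By Source IP":
            return src_ip
        if self.mode == "By Destination IP":
            return dst_ip
        return None

    def _pick(self, src_ip, dst_ip):
        cands = self._candidates()
        key = self._key(src_ip, dst_ip)
        if key is not None and key in self.sticky:
            return self.sticky[key][0]        # established IP keeps its link
        if self.mode == "Round-Robin":
            for _ in range(len(self.wans)):   # take links in turn, skipping saturated ones
                wan = self.wans[self.rr_pos % len(self.wans)]
                self.rr_pos += 1
                if wan in cands:
                    return wan
            return cands[0]
        if self.mode == "By Session":
            return cands[0]                   # fill a link; switch once it saturates
        if self.mode == "By Traffic":
            return min(cands, key=lambda w: self.traffic[w])
        if key is not None:                   # new source/destination IP: least-loaded link
            return min(cands, key=lambda w: self.sessions[w])
        raise ValueError("unsupported balance mode: " + self.mode)

    def open_session(self, src_ip, dst_ip):
        """Assign a new session to a WAN link and return the link's name."""
        wan = self._pick(src_ip, dst_ip)
        self.sessions[wan] += 1
        key = self._key(src_ip, dst_ip)
        if key is not None:
            self.sticky.setdefault(key, [wan, 0])[1] += 1
        return wan

    def close_session(self, src_ip, dst_ip, wan, bytes_seen=0):
        """Release a session; a source/destination IP with no sessions left
        is re-assigned on its next connection, as the text describes."""
        self.sessions[wan] -= 1
        self.traffic[wan] += bytes_seen
        key = self._key(src_ip, dst_ip)
        if key is not None:
            self.sticky[key][1] -= 1
            if self.sticky[key][1] == 0:
                del self.sticky[key]


if __name__ == "__main__":
    rr = WanBalancer("Round-Robin")
    print([rr.open_session("10.0.0.1", "1.1.1.1") for _ in range(3)])   # ['WAN1', 'WAN2', 'WAN1']
```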
7.1 LAN
Modify LAN Interface Settings
STEP 1﹒Select LAN in Interface and enter the following setting:
Enter the new IP Address and Netmask
Select Ping, HTTP and HTTPS
Click OK (Figure 7-1)
Figure 7-1 Setting LAN Interface WebUI
The default LAN IP Address is 192.168.1.1. After the Administrator
sets a new LAN IP Address, he/she has to restart the system to make
the new IP address effective (when the computer obtains its IP by DHCP).
Do not cancel the WebUI selection before Permitted IPs have been set,
because otherwise the Administrator will not be able to enter the RS-2500
WebUI from the LAN.
7.2 WAN
WAN Interface Address Setting
STEP 1﹒Select WAN in Interface and click Modify in WAN1 Interface. (Figure 7-2)
Figure 7-2 Setting WAN Interface WebUI
STEP 2﹒Set the Connection Test (ICMP or DNS method):
ICMP: Enter an Alive Indicator Site IP (can be selected from Assist) (Figure 7-3)
DNS: Enter two different DNS Server IP Addresses and a Domain Name (can be
selected from Assist) (Figure 7-4)
Set the interval, in seconds, between alive packets.
Figure 7-3 ICMP Connection
Figure 7-4 DNS Service
The connection test lets the RS-2500 detect whether the WAN can connect.
So the Alive Indicator Site IP, DNS Server IP Address, or
Domain Name must be permanently reachable; otherwise the device will
misjudge the WAN connection status.
STEP 3﹒Select the Connecting way:
PPPoE (ADSL User) (Figure 7-5):
1. Select PPPoE
2. Enter the User Name and Password provided by the ISP.
4. Select Dynamic or Fixed in IP Address provided by ISP.
If you select Fixed, enter the IP Address, Netmask, and Default Gateway.
5. Enter Max. Downstream Bandwidth and Max. Upstream Bandwidth
(according to the bandwidth the user has applied for)
6. Enter the value for "Auto Disconnect if idle for □ minutes
(Range: 1-99999, 0 means always connected)"; the default value is 0
(always connected).
7. Select Ping, HTTP and HTTPS, and click OK (Figure 7-6)
Figure 7-5 PPPoE Connection
Figure 7-6 Complete PPPoE Connection Setting
Dynamic IP Address (Cable Modem User) (Figure 7-7):
1. Select Dynamic IP Address (Cable Modem User)
2. Click Renew on the right side of IP Address to obtain an IP
automatically.
3. If the ISP requires a MAC Address, click Clone MAC Address to
obtain the MAC address automatically.
4. Hostname: Enter the hostname provided by the ISP.
5. Domain Name: Enter the domain name provided by the ISP.
6. User Name and Password: Enter these when the ISP distributes IPs
by DHCP with an authentication protocol.
7. Enter Max. Downstream Bandwidth and Max. Upstream Bandwidth
(according to the bandwidth the user has applied for)
8. Select Ping, HTTP and HTTPS, and click OK (Figure 7-8)
Figure 7-7 Dynamic IP Address Connection
Figure 7-8 Complete Dynamic IP Connection Setting
Static IP Address (Figure 7-9)
1. Select Static IP Address
2. Enter the IP Address, Netmask, and Default Gateway provided by the ISP
3. Enter DNS Server1 and DNS Server2
4. Enter Max. Downstream Bandwidth and Max. Upstream Bandwidth
(according to the bandwidth the user has applied for)
5. Select Ping, HTTP and HTTPS, and click OK (Figure 7-10)
Figure 7-9 Static IP Address Connection
Figure 7-10 Complete Static IP Address Connection Setting
The WAN2 Interface does not provide a DNS Server setting; it resolves
domain names to their IP addresses using the DNS
Server setting of the WAN1 Interface.
When Ping, HTTP, and HTTPS are selected on a WAN network Interface,
users are able to ping the RS-2500 and enter the WebUI from the WAN
network. This may affect network security. The suggestion is to
cancel Ping, HTTP, and HTTPS after all settings have been finished;
if the System Administrator needs to enter the UI from the WAN, he/she
can use Permitted IPs to do so.
The setting of the WAN2 Interface is almost the same as WAN1, except
that WAN2 has a Disable option. The System Administrator can
close the WAN2 Interface with this option. (Figure 7-11)
Figure 7-11 Disable WAN2 Interface
7.3 DMZ
Setting DMZ Interface Address (NAT Mode)
STEP 1﹒Click DMZ Interface
STEP 2﹒Select NAT Mode in DMZ Interface
Select NAT in DMZ Interface
Enter IP Address and Netmask
STEP 3﹒Select Ping, HTTP and HTTPS
STEP 4﹒Click OK (Figure 7-12)
Figure 7-12 Setting DMZ Interface Address (NAT Mode) WebUI
Setting DMZ Interface Address (Transparent Mode)
STEP 1﹒Select DMZ Interface
STEP 2﹒Select Transparent Mode in DMZ Interface
Select DMZ_Transparent in DMZ Interface
STEP 3﹒Select Ping, HTTP and HTTPS
STEP 4﹒Click OK (Figure 7-13)
Figure 7-13 Setting DMZ Interface Address (Transparent Mode) WebUI
The Transparent Mode of DMZ setting is only available when WAN
interface is set to Static IP.
8. Address
The RS-2500 allows the Administrator to set Interface addresses of the LAN network, LAN
network group, WAN network, WAN network group, DMZ and DMZ group.
An IP address in the Address Table can be the address of a computer or of a subnetwork. The
Administrator can assign an easily recognized name to an IP address. Based on the
network it belongs to, an IP address can be a LAN IP address, WAN IP address or DMZ IP
address. If the Administrator needs to create a control policy for packets of different IP
addresses, he can first add a new group in the LAN Group or the WAN Group and assign
those IP addresses to the newly created group. Using group addresses can greatly
simplify the process of building control policies.
With easily recognized names of IP addresses and names of address
groups shown in the address table, the Administrator can use these
names as the source address or destination address of control
policies. The address table should be set up before creating control
policies, so that the Administrator can pick the names of the correct IP
addresses from the address table when setting up control policies.
Name
The System Administrator sets up an easily recognized name for the IP Address.
IP Address
It can be a PC's IP Address or the IP addresses of a subnet. The network
area can be: Internal IP Address, External IP Address, or DMZ IP Address.
Netmask
When it corresponds to a specific IP, it should be set to 255.255.255.255.
When it corresponds to several IPs of a specific domain, for example 192.168.100.1 (Class C
subnet), it should be set to 255.255.255.0.
MAC Address
Binds a specific PC's MAC Address to its IP; this prevents users from changing their
IP and accessing network services through the policy without authorization.
Get Static IP address from DHCP Server
When this function is enabled, the IP obtained automatically from the DHCP Server
on the LAN or DMZ will be the IP that corresponds to the bound MAC
Address.
8.1 LAN
In a DHCP environment, assign a specific IP to a static user and restrict that user, through
policy, to the FTP network service only.
STEP 1﹒Select LAN in Address and enter the following settings:
Click New Entry button (Figure 8-1)
Name: Enter Jacky
IP Address: Enter 192.168.1.2
Netmask: Enter 255.255.255.255
MAC Address : Enter the user’s MAC Address (00:4F:F3:F5:D3:54)
Select Get static IP address from DHCP Server
Click OK (Figure 8-2)
Figure 8-1 Setting LAN Address Book WebUI
Figure 8-2 Complete the Setting of LAN
STEP 2﹒Add the LAN Address setting to the Source Address of the Outgoing Policy, and
assign only the FTP service in the Policy rule. (Figure 8-3)
Figure 8-3 Add a Policy of Restricting the Specific IP to Access to Internet
STEP 3﹒The specific IP is now assigned to the static user in the Outgoing Policy and restricted
to the FTP network service only through policy: (Figure 8-4)
Figure 8-4 Complete the Policy of Restricting the Specific IP to Access to Internet
When the System Administrator creates the Address list, he/she can
click the button provided to have the RS-2500 fill in the user's
MAC Address automatically.
The setting mode of WAN and DMZ in Address is the same as
LAN; the only difference is that WAN cannot set a MAC Address.
In the LAN section of the Address function, the RS-2500 automatically provides a default
Inside Any address that represents the whole LAN network. Likewise, WAN and DMZ
have the default Outside Any and DMZ Any addresses that represent their whole
subnets.
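MAC binding, the default Inside Any entry and the Get static IP address from DHCP Server option of this chapter, modelled together in an added Python example (not the manual's or the device's code); the Outgoing Policy rules and the deny-by-default fallback are assumptions.

```python
import ipaddress

# Constructed Address entries mirroring the 8.1 example: one host bound to its
# MAC address, and the default Inside Any entry that stands for the whole LAN.
ADDRESSES = {
    "Jacky": {"ip": "192.168.1.2", "netmask": "255.255.255.255",
              "mac": "00:4F:F3:F5:D3:54", "static_from_dhcp": True},
    "Inside Any": {"ip": "0.0.0.0", "netmask": "0.0.0.0", "mac": None,
                   "static_from_dhcp": False},
}

# Constructed Outgoing Policy: (source Address name, service, action), first match wins.
OUTGOING_POLICY = [
    ("Jacky", "FTP", "Permit"),
    ("Inside Any", "ANY", "Deny"),
]


def address_matches(name, src_ip, src_mac=None, addresses=ADDRESSES):
    """True when the packet's source fits the Address entry. With a MAC bound
    to the entry the IP alone is not enough: a host that changed its own IP
    to 192.168.1.2 but carries a different MAC does not match."""
    entry = addresses[name]
    net = ipaddress.IPv4Network((entry["ip"], entry["netmask"]), strict=False)
    if ipaddress.IPv4Address(src_ip) not in net:
        return False
    if entry["mac"] is None:
        return True
    return src_mac is not None and src_mac.upper() == entry["mac"].upper()


def outgoing_decision(src_ip, src_mac, service, policy=OUTGOING_POLICY):
    """Walk the policy top-down and return the action of the first rule whose
    source Address and service match; "Deny" when nothing matches (assumption)."""
    for name, svc, action in policy:
        if address_matches(name, src_ip, src_mac) and svc in ("ANY", service):
            return action
    return "Deny"


def static_ip_for_mac(mac, addresses=ADDRESSES):
    """Get static IP address from DHCP Server: the address the DHCP server hands
    to a MAC that has a bound entry, or None to fall back to the dynamic pool."""
    for entry in addresses.values():
        if entry["static_from_dhcp"] and entry["mac"] and entry["mac"].upper() == mac.upper():
            return entry["ip"]
    return None


if __name__ == "__main__":
    print(outgoing_decision("192.168.1.2", "00:4F:F3:F5:D3:54", "FTP"))   # Permit
    print(outgoing_decision("192.168.1.2", "00:11:22:33:44:55", "FTP"))   # Deny (MAC differs)
```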
8.2 LAN Group
Set up a Policy that allows only some users to connect to a specific IP (external specific IP)
STEP 1﹒Set up several LAN network Addresses. (Figure 8-5)
Figure 8-5 Setting Several LAN Network Address
STEP 2﹒ Enter the following settings in LAN Group of Address:
Click New Entry (Figure 8-6)
Enter the Name of the group
Select the users in the Available Address column and click Add
Click OK (Figure 8-7)
Figure 8-6 Add New LAN Address Group
Figure 8-7 Complete Adding LAN Address Group
The setting modes of WAN Group and DMZ Group in Address are
the same as LAN Group.
STEP 3﹒Enter the following settings in WAN of Address function:
Click New Entry (Figure 8-8)
Enter the following data (Name, IP Address, Netmask)
Click OK (Figure 8-9)
Figure 8-8 Add New WAN Address
Figure 8-9 Complete the Setting of WAN Address
STEP 4﹒In Outgoing Policy, select LAN Group as Source Address, and select WAN
Address as the Destination Address. (Figure 8-10, 8-11)
Figure 8-10 To Exercise Address Setting in Policy
Figure 8-11 Complete the Policy Setting
The Address function only takes effect when it is used together with Policy.
9. Service
TCP and UDP protocols support a variety of services, and each service consists of a TCP
port or UDP port number, such as TELNET (23), FTP (21), SMTP (25), POP3 (110), etc.
The RS-2500 includes two kinds of service:
Pre-defined Service and Custom Service
Common services over TCP and UDP are defined in the Pre-defined Service and
cannot be modified or removed. In the Custom menu, users can define other TCP and
UDP port numbers that are not in the pre-defined menu according to their needs. When
defining custom services, the client port ranges from 1024 to 65535 and the server port
ranges from 0 to 65535.
In this chapter, network services are defined and new network services can be added.
There are three sub menus under Service which are: Pre-defined, Custom, and Group.
The Administrator can simply follow the instructions below to define the protocols and port
numbers for network communication applications. Users then can connect to servers and
other computers through these available network services.
How to use Service?
The Administrator can add new service group names in the Group option under the Service
menu, and assign the desired services to that new group. Using service groups, the
Administrator can simplify the process of setting up control policies. For example, there
are 10 different computers that want to access 5 different services on a server, such as
HTTP, FTP, SMTP, POP3, and TELNET. Without the help of service groups, the
Administrator needs to set up 50 (10x5) control policies, but by applying all 5 services to a
single group name in the Service field, it takes only one control policy to achieve the same
effect as the 50 control policies.
9.1 Pre-defined
Pre-defined WebUI Icons and Their Illustration
Icon / Illustration:
Any Service
TCP Service, for example: AFPoverTCP, AOL, BGP, FTP, FINGER, HTTP, HTTPS, IMAP, SMTP, POP3, GOPHER, InterLocator, IRC, L2TP, LDAP, NetMeeting, NNTP, PPTP, Real-Media, RLOGIN, SSH, TCP-ANY, TELNET, VDO-Live, WAIS, WINFRAME, X-WINDOWS, MSN, etc.
UDP Service, for example: IKE, DNS, NFS, NTP, PC-Anywhere, RIP, SNMP, SYSLOG, TALK, TFTP, etc.
ICMP Service, for example: PING, TRACEROUTE, etc.
9.2 Custom
New Service Name
The System Manager can name the custom service.
Protocol
The protocol type used by the connection, such as TCP, UDP, or IP
mode
Client Port
The port number on the client's network card. (The range is 0 ~ 65535; using
the default range is suggested)
Server Port
The port number of the custom service
Configuration Example
Allow external users to communicate with internal users by VoIP through policy. (VoIP ports:
TCP 1720, TCP 15328-15333, UDP 15328-15333)
STEP 1﹒Set LAN and LAN Group in Address function as follows: (Figure 9-1, 9-2)
Figure 9-1 Setting LAN Address Book WebUI
Figure 9-2 Setting LAN Group Address Book WebUI
STEP 2﹒Enter the following setting in Custom of Service function:
Click New Entry (Figure 9-3)
Service Name: Enter the preset name VoIP
Protocol#1 select TCP, do not change the Client Port, and set the Server
Port as: 1720:1720
Protocol#2 select TCP, do not change the Client Port, and set the Server
Port as: 15328:15333
Protocol#3 select UDP, do not change the Client Port, and set the Server
Port as: 15328:15333
Click OK (Figure 9-4)
Figure 9-3 Add User Define Service
Figure 9-4 Complete the Setting of User Define Service of VoIP
Under normal circumstances, the client port range is
0-65535. Changing the client range in Custom is not suggested.
If the port numbers entered in the two fields are different, the
service covers every port in the range between the two
numbers (for example: 15328:15333). If the port numbers entered
in the two fields are the same, the service covers that single
port (for example: 1720:1720).
STEP 3﹒Assign the Custom Service to Virtual Server. (Figure 9-5)
Figure 9-5 Assign Custom Service to Virtual Server
STEP 4﹒Assign Virtual Server to Incoming Policy. (Figure 9-6)
Figure 9-6 Configure Incoming Policy and allow External VoIP connecting with Internal VoIP
STEP 5﹒In Outgoing Policy, complete the setting of internal users using VoIP to connect
with external network VoIP: (Figure 9-7)
Figure 9-7 Complete the Policy for Internal VoIP to connect with External VoIP
Service must be used together with Policy and Virtual Server for the
function to take effect.
9.3 Group
Creating a service group that collects the service ports for certain source or destination
addresses simplifies RS-2500 setting and also improves the performance of the RS-2500,
because the more Policy rules you create, the lower the performance.
Configuration Example
Restrict specific users to accessing only specific service resources (HTTP, POP3, SMTP,
DNS).
STEP 1﹒Enter the following setting in Group of Service:
Click New Entry
Name: Enter Main_Service
Select HTTP, POP3, SMTP, DNS in Available Service and click Add
(Figure 9-8)
Click OK (Figure 9-9)
Figure 9-8 Add Service Group
Figure 9-9 Complete the setting of Adding Service Group
To remove a service you have chosen from Selected Service,
select the service you want to delete and click Remove.
STEP 2﹒In LAN Group of the Address function, set up an Address Group of the
users who will be given the Internet access service. (Figure 9-10)
Figure 9-10 Setting Address Book Group
STEP 3﹒Apply the Service Group to the Outgoing Policy. (Figure 9-11)
Figure 9-11 Setting Policy
10. Schedule
In this chapter the RS-2500 lets the Administrator configure a schedule that restricts a policy to designated times, so that the policies are applied only then. The Administrator can set the start time and stop time of a Policy or a VPN connection in Policy or VPN. By using the Schedule function the Administrator saves management time and keeps the network system effective.
How to use the Schedule?
The system Administrator can use a schedule so that the device carries out the connection of a Policy or VPN automatically during several different time periods.
Configuration Example
Configure the valid time periods in a day during which LAN users may access the Internet
STEP 1﹒Enter the following in Schedule:
Click New Entry (Figure 10-1)
Enter Schedule Name
Set up the working time of Schedule for each day
Click OK (Figure 10-2)
Figure 10-1 Setting Schedule WebUI
Figure 10-2 Complete the Setting of Schedule
STEP 2﹒Apply the Schedule in an Outgoing Policy (Figure 10-3)
Figure 10-3 Complete the Setting of Applying the Schedule in a Policy
The Schedule takes effect only when it is applied in a Policy.
11. QoS
By configuring the QoS, you can control the OutBound and InBound
Upstream/Downstream Bandwidth. The administrator can configure the bandwidth
according to the WAN bandwidth.
Downstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum
Bandwidth.
Upstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum
Bandwidth.
QoS Priority: To configure the priority of distributing Upstream/Downstream and
unused bandwidth.
The RS-2500 configures bandwidth through different QoS rules and selects the suitable QoS rule through a Policy to control and efficiently distribute bandwidth. This also makes it convenient for the administrator to get the best use of the bandwidth. (Figure 11-1, 11-2)
Figure 11-1 the Flow Before Using QoS
Figure 11-2 the Flow After Using QoS (Max. Bandwidth: 400Kbps, Guaranteed Bandwidth: 200Kbps)
QoS Definition
WAN
Display WAN1 and WAN2
Downstream Bandwidth
Configure the Guaranteed Bandwidth and Maximum Bandwidth according to the
bandwidth range you applied from ISP
Upstream Bandwidth
Configure the Guaranteed Bandwidth and Maximum Bandwidth according to the
bandwidth range you applied from ISP
Priority
Configure the priority of distributing Upstream/Downstream and unused
bandwidth.
Guaranteed Bandwidth
The basic bandwidth of the QoS rule. A connection that uses this rule through IPSec Autokey of VPN or through a Policy is guaranteed this bandwidth.
Maximum Bandwidth
The maximum bandwidth of the QoS rule. A connection that uses this rule through IPSec Autokey of VPN or through a Policy will not exceed the amount you set.
Configuration Example
1. Assign User1 the Guaranteed bandwidth 128/64Kbps and Maximum bandwidth 256/128Kbps, with priority level Middle.
2. Assign User2 the Guaranteed bandwidth 64/64Kbps and Maximum bandwidth 128/128Kbps, with priority level High.
STEP 1﹒Interface WAN: Enter the correct WAN speed provided by the ISP. (Figure 11-3)
Figure 11-3 QoS WebUI Setting
When the administrator sets up QoS, the bandwidth range that can be set is limited by the value the system administrator entered in WAN of Interface. So when the System Administrator sets the downstream and upstream bandwidth in WAN of Interface, he/she must set it precisely.
STEP 2﹒Policy Object Address LAN: Define User1 and User2 IP address.
(Figure 11-4)
Figure 11-4 Define Users’ IP address on Address setting
STEP 3﹒Policy Object QoS: Create first QoS rule
Click New Entry (Figure 11-5)
Name: The name of the QoS you want to configure.
Enter the bandwidth in WAN1
Select QoS Priority as Middle
Click OK (Figure 11-6)
Figure 11-5 First QoS WebUI Setting
Figure 11-6 Complete the first QoS Setting
STEP 4﹒Policy Object QoS: Create second QoS rule
Click New Entry (Figure 11-7)
Name: The name of the QoS you want to configure.
Enter the bandwidth in WAN1
Select QoS Priority as High
Click OK (Figure 11-8)
Figure 11-7 Second QoS WebUI Setting
Figure 11-8 Complete both QoS Settings
STEP 5﹒Policy Outgoing: Create Outgoing Policy and assign each user with its QoS
rule. (Figure 11-9)
Figure 11-9 Setting the QoS in Policy
How does the Priority function work?
1. The WAN speed is defined as 2048/2048 Kbps.
2. The QoS_1 rule is defined with a Guaranteed Bandwidth of 1024/512 Kbps.
3. The QoS_2 rule is defined with a Guaranteed Bandwidth of 512/256 Kbps.
4. The undefined WAN bandwidth is 512/256 Kbps.
5. When the Guaranteed Bandwidth is not enough, the system assigns undefined bandwidth to support the QoS rule.
6. A QoS rule with higher priority gets the extra bandwidth first.
7. Guaranteed Bandwidth + extra bandwidth will not exceed the Maximum Bandwidth.
8. If all QoS rules are set to the same priority level, the first user who needs the extra bandwidth gets it.
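The following simulation, added here as an illustration and not part of the manual or of AirLive's firmware, walks through items 1-8 above for the downstream direction with the manual's figures (WAN 2048 Kbps, QoS_1 guaranteed 1024 Kbps, QoS_2 guaranteed 512 Kbps, 512 Kbps undefined). The Maximum Bandwidth values, the priorities and the user demands are constructed, and the model assumes that guaranteed bandwidth a rule does not use is reserved for it rather than shared.

```python
"""Simulation of the RS-2500 QoS Priority behaviour described in items 1-8
above. Constructed example for illustration, not vendor code. One direction
(downstream) is modelled; upstream works the same way with its own numbers."""
from dataclasses import dataclass

# Lower rank = served first when extra bandwidth is handed out.
PRIORITY_RANK = {"High": 0, "Middle": 1, "Low": 2}


@dataclass(frozen=True)
class QosRule:
    name: str
    guaranteed: int   # G. Bandwidth in Kbps
    maximum: int      # M. Bandwidth in Kbps
    priority: str     # "High", "Middle" or "Low"


def allocate(wan_kbps, rules, demands):
    """Return {rule name: allocated Kbps} for one direction.

    rules   - QoS rules in the order they appear in the QoS table
    demands - {rule name: Kbps the users under that rule currently want}

    Mirrors the manual's list:
      * every rule first receives up to its Guaranteed Bandwidth (items 2-3)
      * what the WAN speed leaves over after all guarantees is the
        "undefined" bandwidth (item 4)
      * rules whose guarantee is not enough draw from the undefined pool
        (item 5), higher priority first (item 6), and never beyond their
        Maximum Bandwidth (item 7); rules with equal priority are served
        in table order, i.e. first come first served (item 8)
    Assumption of this model: guaranteed bandwidth a rule does not use is
    reserved for it and is not handed to other rules.
    """
    total_guaranteed = sum(r.guaranteed for r in rules)
    if total_guaranteed > wan_kbps:
        raise ValueError("sum of Guaranteed Bandwidth exceeds the WAN speed")
    for r in rules:
        if r.maximum < r.guaranteed:
            raise ValueError(f"{r.name}: Maximum below Guaranteed")

    alloc = {r.name: min(demands.get(r.name, 0), r.guaranteed) for r in rules}
    undefined = wan_kbps - total_guaranteed           # item 4

    # sorted() is stable, so table order decides ties within a priority level
    for r in sorted(rules, key=lambda x: PRIORITY_RANK[x.priority]):
        unmet = demands.get(r.name, 0) - alloc[r.name]
        headroom = r.maximum - alloc[r.name]          # item 7
        extra = max(0, min(unmet, headroom, undefined))
        alloc[r.name] += extra
        undefined -= extra
    return alloc


# The manual's downstream figures: WAN 2048 Kbps, QoS_1 guaranteed 1024,
# QoS_2 guaranteed 512, leaving 512 undefined. Maximum values, priorities
# and the demands are constructed for the walk-through.
RULES = [
    QosRule("QoS_1", guaranteed=1024, maximum=1536, priority="Middle"),
    QosRule("QoS_2", guaranteed=512, maximum=1024, priority="High"),
]
DEMANDS = {"QoS_1": 2000, "QoS_2": 1000}


def example_priority():
    """High-priority QoS_2 takes 488 Kbps of the undefined 512 first."""
    return allocate(2048, RULES, DEMANDS)       # {'QoS_1': 1048, 'QoS_2': 1000}


def example_same_priority():
    """With equal priority the first rule in the table gets the extra."""
    same = [QosRule(r.name, r.guaranteed, r.maximum, "Middle") for r in RULES]
    return allocate(2048, same, DEMANDS)        # {'QoS_1': 1536, 'QoS_2': 512}


if __name__ == "__main__":
    print("priority :", example_priority())
    print("same prio:", example_same_priority())
```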
12. Authentication
By configuring Authentication you control the user's connection authority: the user has to pass the authentication before accessing the Internet.
The RS-2500 authenticates LAN users by an account and password that identify their privilege.
12.1 Auth Setting
Lets the Administrator set the port number and the valid time of the RS-2500 authentication. (The Authentication has to be set up first.)
Authentication Port: The port number on which internal users connect to the authentication page. The port number may be changed.
Re-Login if Idle: Forces an internal user to log in again when the idle time is exceeded after passing the authentication. The default value is 30 minutes.
Re-Login after user login successfully: Permits a user to remain logged in for a period of time before having to log in again. The default value is 0, which means unlimited.
Deny multi-login if the auth user has login: Prevents the same user account from being logged in twice at the same time.
URL to redirect when authentication succeed: Redirects the browser to the specified website after the user has passed Authentication. The default value is blank.
Messages to display when user login: Displays the login message in the authentication WebUI (HTML is supported). The default value is blank (no message is displayed in the authentication WebUI).
Configuration Example
1. Add the following setting in this function: (Figure 12-1)
Figure 12-1 Authentication Setting WebUI
2. When the user connects to the external network through Authentication, the following page will be displayed: (Figure 12-2)
Figure 12-2 Authentication Login WebUI
3. After passing Authentication, the browser is redirected to the appointed website: (Figure 12-3)
Figure 12-3 Connecting to the Appointed Website After Authentication
If a user wants to authenticate proactively, he/she can enter the LAN IP address followed by the Authentication port number in the browser, and the Authentication WebUI will be displayed.
12.2 Auth User
Authentication-User Name
The user account for Authentication you want to set.
Password
The password when setting up Authentication.
Confirm Password
Retype the password to confirm it.
Configuration Example
Configure specific users so that they can connect to the external network only after passing the authentication of a policy. (Uses the built-in Auth User and Auth Group, a RADIUS server, or a POP3 server.)
STEP 1﹒Setup several Auth User in Authentication. (Figure 12-4)
Figure 12-4 Setting Several Auth Users WebUI
To use Authentication, the DNS Server of the user's network card must be set to the LAN Interface Address of the RS-2500.
STEP 2﹒The user can also be authenticated against a RADIUS server. Just enter the Server IP, Port number and password, and enable the function.
Enable RADIUS Server Authentication
Enter RADIUS Server IP
Enter RADIUS Server Port
Enter password in Shared Secret
Complete the setting of RADIUS Server (Figure 12-5)
Figure 12-5 Setting RADIUS WebUI
STEP 3﹒The third method of Authentication is to check the account with POP3 Server.
Enable POP3 Server Authentication
Enter POP3 Server IP
Enter POP3 Server Port
Complete the setting of POP3 Server (Figure 12-6)
Figure 12-6 Setting POP3 WebUI
STEP 4﹒Add Auth User Group Setting in Authentication function and enter the following
settings:
Click New Entry
Name: Enter Product_dept
Select the Auth User you want and Add to Selected Auth User
Click OK
Complete the setting of Auth User Group (Figure 12-7)
Figure 12-7 Setting Auth Group WebUI
STEP 5﹒Add first policy in Outgoing Policy to allow DNS service passing through Internet.
(Figure 12-8)
Figure 12-8 Add first Policy rule to allow DNS passing through
STEP 6﹒Add second policy in Outgoing Policy and select the Authentication item.
(Figure 12-9, 12-10)
Figure 12-9 Auth-User Policy Setting
Figure 12-10 Complete the Policy Setting of Auth-User
STEP 7﹒When the user accesses the Internet through a browser, the authentication UI appears in the browser. After entering the correct user name and password, click OK to access the Internet. (Figure 12-11)
Figure 12-11 Access to Internet through Authentication WebUI
STEP 8﹒If the user no longer needs to access the Internet and wants to log out, he/she can click LOGOUT Auth-User to log out of the system, or open the Logout Authentication WebUI (http://LAN Interface:Authentication port number/logout.html) to log out. (Figure 12-12)
Figure 12-12 Logout Auth-User WebUI
13. Content Blocking
Content Filtering includes「URL」,「Script」,「Download」,「Upload」.
URL Blocking: The administrator can "Allow" or "Restrict" access to specific websites by complete domain name, keywords, and the meta-characters ( ~ and * ).
Script Blocking: Restrict the use of Popup, ActiveX, Java, or Cookie.
Download Blocking: Restrict downloading of files with specific extensions, audio, and some common video types directly over the http protocol.
Upload Blocking: Restrict uploading of files with specific extensions, or of all file types.
13.1 URL
Restrict the Internal Users so that they can access only some specific Websites
※ URL Blocking:
Symbols: ~ means allow; * is the meta-character
Restrict (block) a specific website: Type the "complete domain name" or "key word" of the website you want to restrict in URL String. For example: www.kcg.gov.tw or gov.
Allow access to a specific website only:
1. Type the symbol "~" in front of the "complete domain name" or "key word"; this allows access to that website only. For example: ~www.kcg.gov.tw or ~gov.
2. After setting up the websites you want to allow, you must add a "forbid all" entry as the last URL String: just type * in URL String.
Warning! The "forbid all" entry must be placed last. If you want to allow a new website, you must delete the "forbid all" entry, input the new domain name, and then re-type the "forbid all" entry at the end.
STEP 1﹒Policy Object Content Blocking URL: Enter the following in URL of
Content Filtering function.
Click New Entry
URL String: Enter ~yahoo, and click OK
Click New Entry
URL String: Enter ~google, and click OK
Click New Entry
URL String: Enter *, and click OK
Complete setting a URL Blocking policy (Figure 13-1)
Figure 13-1 Content Filtering Table
STEP 2﹒Policy Outgoing: Add an Outgoing Policy and enable the Content Blocking function in it: (Figure 13-2)
Figure 13-2 URL Blocking Policy Setting
STEP 3﹒Complete the Outgoing Policy that permits the internal users to access only some specific websites: (Figure 13-3)
Figure 13-3 Complete Policy Settings
With the above policy the users can browse only websites whose domain names include "yahoo" or "google".
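The evaluator below is an added illustration of the URL Blocking rules in this section, not code from the manual or from the device. It assumes that the URL String table is matched from top to bottom with the first match deciding, that an entry matches when the domain name contains it (keyword) or equals it (complete domain name), and that a site matching no entry is allowed unless a bare "*" is present; it also flags the ordering mistake the Warning above describes.

```python
"""Evaluator for the RS-2500 URL Blocking table as described in 13.1.
Constructed example, not vendor code. Assumptions: entries are matched
top to bottom and the first match decides; an entry matches when the
domain name contains the string (keyword) or equals it (complete domain
name); "~" in front of an entry allows, a bare "*" forbids everything;
with no matching entry and no "*" the site is allowed."""

ALLOW, BLOCK = "allow", "block"


def parse_entry(url_string):
    """Return (action, pattern) for one URL String from the table."""
    s = url_string.strip()
    if s == "*":
        return BLOCK, "*"                 # the "forbid all" entry
    if s.startswith("~"):
        return ALLOW, s[1:].lower()       # ~ opens the site up
    return BLOCK, s.lower()               # plain entry restricts the site


def decide(url_strings, domain):
    """Return ALLOW or BLOCK for a browsed domain name."""
    domain = domain.lower()
    for entry in url_strings:
        action, pattern = parse_entry(entry)
        if pattern == "*" or pattern in domain:
            return action
    return ALLOW


def lint_table(url_strings):
    """Flag the mistakes the manual warns about: a "forbid all" entry
    that is not last (later ~ entries can never match), or ~ entries
    without any "forbid all" entry (every other site stays reachable)."""
    problems = []
    entries = [parse_entry(e) for e in url_strings]
    stars = [i for i, (_, p) in enumerate(entries) if p == "*"]
    allows = [i for i, (a, _) in enumerate(entries) if a == ALLOW]
    if stars and stars[0] != len(entries) - 1:
        problems.append("'*' (forbid all) must be the last URL String")
    if allows and not stars:
        problems.append("'~' entries need a final '*' to block other sites")
    return problems


# The table built in STEP 1 of this section
TABLE = ["~yahoo", "~google", "*"]


def example():
    """Walk the manual's table over a few constructed domain names."""
    return {d: decide(TABLE, d)
            for d in ("www.yahoo.com", "mail.google.com", "www.kcg.gov.tw")}


if __name__ == "__main__":
    print(example())                              # yahoo/google allow, gov.tw block
    print(lint_table(["~yahoo", "*", "~google"]))  # '*' placed too early
```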
13.2 Script
Restrict the Internal Users from accessing Script content of Websites
STEP 1﹒Policy Object Content Blocking Script: Select the following data in Script
of Content Blocking function
Select Popup Blocking
Select ActiveX Blocking
Select Java Blocking
Select Cookie Blocking
Click OK
Complete the setting of Script Blocking (Figure 13-4)
Figure 13-4 Script Blocking WebUI
STEP 2﹒Policy Outgoing: Add a new Outgoing Policy and enable the Content Blocking function in it. (Figure 13-5)
Figure 13-5 New Policy of Script Blocking Setting
STEP 3﹒Complete the Outgoing Policy that restricts the internal users from accessing Script content of Websites: (Figure 13-6)
Figure 13-6 Complete Script Blocking Policy Setting
With this policy the users cannot use the specific functions (such as Java, cookies, etc.) while browsing websites. It can, for example, prevent users from browsing stock exchange websites.
13.3 Download
Restrict the Internal Users from downloading video, audio and files with specific extensions directly over the http or ftp protocol
STEP 1﹒Policy Object Content Blocking Download: Enter the following settings in
Download of Content Blocking function
Select All Types Blocking
Click OK
Complete the setting of Download Blocking. (Figure 13-7)
Figure 13-7 Download Blocking WebUI
STEP 2﹒Policy Outgoing: Add a new Outgoing Policy and enable the Content Blocking function in it. (Figure 13-8)
Figure 13-8 Add New Download Blocking Policy Setting
STEP 3﹒Complete the Outgoing Policy that restricts the internal users from downloading video, audio, and files with specific extensions directly over the http protocol: (Figure 13-9)
Figure 13-9 Complete Download Blocking Policy Setting
13.4 Upload
Restrict the Internal Users from uploading files with specific extensions directly over the http or ftp protocol
STEP 1﹒Policy Object Content Blocking Upload: Enter the following settings in
Upload of Content Blocking function.
Select All Types Blocking
Click OK
Complete the setting of Upload Blocking. (Figure 13-10)
Figure 13-10 Upload Blocking WebUI
STEP 2﹒Policy Outgoing: Add a new Outgoing Policy and enable the Content Blocking function in it. (Figure 13-11)
Figure 13-11 Add New Upload Blocking Policy Setting
STEP 3﹒Complete the Outgoing Policy that restricts the internal users from uploading files with specific extensions directly over the http protocol: (Figure 13-12)
Figure 13-12 Complete Upload Blocking Policy Setting
14. Application Blocking
RS-2500 Application Blocking lets the system block the connections of applications such as IM, P2P, Video/Audio Applications, Webmail, Game Applications, Tunnel Applications, and Remote Control Applications.
Application Signature Definition: The system automatically checks for new signatures every hour, or the user can click the "Update NOW" button to check for new signatures.
(Figure 14-1)
Figure 14-1 Application Signature Definition WebUI
Instant Message Login: Restrict the authority to login MSN, Yahoo Messenger,
ICQ/AIM, QQ/TM2008, Skype, Google Talk, Gadu-Gadu, Rediff, WebIM, and AllSoft.
(Figure 14-2)
Figure 14-2 Instant Message Login WebUI
Instant Message File Transfer: Restrict the authority to transfer file from MSN, Yahoo
Messenger, ICQ/AIM, QQ, Skype, Google Talk, and Gadu-Gadu. (Figure 14-3)
Figure 14-3 Instant Message File Transfer WebUI
Due to RS-2500 hardware limitations it is not possible to block every kind of application, so only some popular applications are blocked. If you require the RS-2500 to block a specific application, please contact the AirLive Support Team. We will evaluate the application and try to add it.
Peer-to-Peer Application: Restrict file-sharing connections made by
eDonkey, Bit Torrent, WinMX, Foxy, KuGoo, AppleJuice, AudioGalaxy, DirectConnect,
iMesh, MUTE, Thunder5, GoGoBox, QQDownload, Ares, Shareaza, BearShare, Morpheus,
Limewire, and KaZaa. (Figure 14-4)
Figure 14-4 Peer-to-Peer Application WebUI
Video / Audio Application: Restrict watching video or listening to audio from the
Internet by using PPLive, PPStream, UUSee, QQLive, ezPeer, and qvodplayer.
(Figure 14-5)
Figure 14-5 Video / Audio Application WebUI
Webmail: Restrict access to web mail services such as Gmail, Hotmail,
Yahoo, Hinet, PChome, URL, Yam, Seednet, 163/126/Yeah, Tom, Sina, Sohu, and
QQ/Foxmail. (Figure 14-6)
Figure 14-6 Webmail WebUI
Game Application: Restrict access to Internet Games such as GLWorld and QQGame. (Figure 14-7)
Figure 14-7 Game Application WebUI
Tunnel Application: Restrict access to the Internet via tunnel applications such
as VNN Client, Ultra-Surf, Tor, and Hamachi. (Figure 14-8)
Figure 14-8 Tunnel Application WebUI
Remote Control Application: Restrict access to remote control applications such as TeamViewer, VNC, and RemoteDesktop. (Figure 14-9)
Figure 14-9 Remote Control Application WebUI
Configuration Example
GroupA users are not allowed to use MSN, Yahoo, and Skype.
GroupB users are allowed to use MSN, but they cannot transfer files by MSN.
GroupC users are not allowed to use MSN, Yahoo, Skype, eDonkey, or Bit Torrent.
STEP 1﹒Policy Object Address LAN: Enter the name and IP address of LAN users.
STEP 2﹒Policy Object Address LAN Group: Allocate the users to the dedicated
group, and create GroupA, GroupB, GroupC. (Figure 14-10)
Figure 14-10 Create Groups
STEP 3﹒Policy Object Application Blocking Setting: Create first Application
Blocking rule for GroupA to block MSN, Yahoo and Skype. (Figure 14-11)
Figure 14-11 Create first Application Groups
STEP 4﹒Policy Object Application Blocking Setting: Create Second Application
Blocking rule for GroupB. So the user in GroupB can access MSN, but can not
send files using MSN. (Figure 14-12)
Figure 14-12 Create Second Application Groups
STEP 5﹒Policy Object Application Blocking Setting: Create the third Application Blocking rule for GroupC to block MSN, Yahoo, Skype, eDonkey, and Bit Torrent. (Figure 14-13)
Figure 14-13 Create Third Application Group
STEP 6﹒Policy Outgoing: Create three Outgoing Policy rules and assign the group with
its Application Blocking setting. (Figure 14-14)
Figure 14-14 Create Policy rules with groups and enable Application Blocking
It is recommended to set up the IM File Transfer Blocking setting before the users' IM software logs in successfully; otherwise some IM software may still be able to transfer files until the user logs out of the IM software.
P2P transfers occupy a large amount of bandwidth and may affect other users. Because P2P software can change its service port freely, it is ineffective to restrict P2P transfers by Service; the system manager must use Application Blocking to restrict P2P transfers effectively.
It is suggested not to enable all Application Blocking items; select only the Application types you need to block. Because the RS-2500 examines every packet and analyzes the packets' behavior, the more application items you select to block, the less performance you will have.
15. Virtual Server
The real IP addresses provided by the ISP are usually not enough for all the users when the system manager applies for the network connection from the ISP. Generally speaking, in order to allocate enough IP addresses for all computers, an enterprise assigns each computer a private IP address and converts it into a real IP address through the RS-2500's NAT (Network Address Translation) function. If a server that provides a service to the WAN network is located in the LAN network, external users cannot connect to the server directly by using the server's private IP address.
The RS-2500's Virtual Server function solves this problem. A Virtual Server uses the real IP address of the RS-2500's WAN network interface as the Virtual Server IP. Through the Virtual Server function the RS-2500 translates the Virtual Server's IP address into the private IP address in the LAN network.
Virtual Server has another feature known as one-to-many mapping: one real server IP address on the WAN interface can be mapped to the private IP addresses of up to four LAN servers that provide the same service. This option is useful for Load Balancing, where the Virtual Server distributes data packets to each private IP address (the real servers) by session. It therefore reduces the load on a single server, lowers the risk of a crash, and improves work efficiency.
In this chapter we give a detailed introduction and instructions for Mapped IP and Server 1/2/3/4.
15.1 Mapped IP
Because the Intranet uses private IP addresses translated by NAT Mode (Network Address Translation), a server in the LAN has a Private IP Address, and external users cannot connect to that private IP Address directly. The user must connect to a Real IP of the RS-2500's WAN subnet, and the RS-2500 then maps the Real IP to the Private IP in the LAN. This is a one-to-one mapping: all the services of one WAN Real IP Address are mapped to one LAN Private IP Address.
WAN IP:
WAN IP Address (Real IP Address)
Map to Virtual IP:
Map the WAN Real IP Address into the LAN Private IP Address
Configuration Example
Map a specific WAN IP address to LAN server, so Internet users can access the services.
STEP 1﹒Setting a server that provides several services in LAN, and set up the network
card’s IP as 192.168.1.100. DNS is External DNS Server.
STEP 2﹒Policy Object Address LAN: Enter the following setting in LAN of Address
function. (Figure 15-1)
Figure 15-1 Mapped IP Settings of Server in Address
STEP 3﹒Policy Object Virtual Server Mapped IP: Enter the following data in
Mapped IP of Virtual Server function
Click New Entry
WAN IP: Enter 60.250.158.64 (click Assist for assistance)
Map to Virtual IP: Enter 192.168.1.100
Click OK
Complete the setting of adding new mapped IP (Figure 15-2)
Figure 15-2 Mapped IP Setting WebUI
STEP 4﹒Policy Object Service Group: In the Service function, group the services (DNS, HTTP, PPTP ...) provided and used by the server, and add a new service group so that the server can send mail at the same time. (Figure 15-3)
Figure 15-3 Service Setting
STEP 5﹒Policy Incoming: Add a policy that includes settings of STEP3, 4 in Incoming
Policy. (Figure 15-4)
Figure 15-4 Complete the Incoming Policy
STEP 6﹒Policy Outgoing: Add a policy that includes the settings of STEP 2 and 4 in Outgoing Policy. It lets the server send e-mail to external mail servers through the mail service.
(Figure 15-5)
Figure 15-5 Complete the Outgoing Policy
STEP 7﹒Complete the setting of providing several services by mapped IP.
It is strongly suggested not to choose ANY for the service when setting up a Mapped IP. Otherwise the Mapped IP will be fully exposed to the Internet and may be attacked.
Be careful when you assign the WAN interface IP address to the Mapped IP function: remote users may no longer be able to access the RS-2500 web console. If you only have one real IP address from the ISP, we suggest using the Virtual Server function instead of Mapped IP.
15.2 Virtual Server
Its function resembles Mapped IP, but the Virtual Server maps one to many: a Real IP Address is mapped to 1~4 LAN Private IP Addresses, providing the service item selected in Service.
Virtual Server Real IP:
The WAN IP address mapped by the Virtual Server
Service name (Port Number):
The service name provided by the Virtual Server
WAN Port:
The WAN Service Port provided by the virtual server. If the service you choose has only one port, you can change the port number here. (If you change the port number to 8080, external users who browse the Website must enter that port number to reach the Website.)
Server Virtual IP:
The virtual IP mapped by the Virtual Server
Configuration Example - Server Load Balance
Create a Web Server and three mirror sites on the LAN, configure the RS-2500 Virtual Server function and assign the 4 Server IP addresses to it. The Server Load Balance function works in Round Robin fashion, so each server receives access sessions in turn.
STEP 1﹒Set up several servers that provide Web service in the LAN network, with IP Addresses 192.168.1.101, 192.168.1.102, 192.168.1.103, and 192.168.1.104.
STEP 2﹒Enter the following data in Server 1 of Virtual Server function:
Click the button next to Virtual Server Real IP (“click here to configure”) in
Server1 (Figure 15-6)
Figure 15-6 Virtual Server Real IP Setting-1
Virtual Server Real IP: Enter 60.250.158.66 (click Assist for assistance)
Click OK (Figure 15-7)
Figure 15-7 Virtual Server Real IP Setting-2
Click New Entry
Service: Select HTTP (80)
External Service Port: Type in 80
Load Balance Server1: Enter 192.168.1.101
Load Balance Server2: Enter 192.168.1.102
Load Balance Server3: Enter 192.168.1.103
Load Balance Server4: Enter 192.168.1.104
Click OK and complete the setting of Virtual Server (Figure 15-8)
Figure 15-8 Virtual Server Configuration WebUI
STEP 3﹒Add a new policy in Incoming Policy that includes the virtual server set in STEP 2. (Figure 15-9)
Figure 15-9 Complete Virtual Server Policy Setting
STEP 4﹒Complete the setting of providing a single service by virtual server.
Configuration Example - Virtual server setting for Custom Service
An external user uses VoIP to connect with the VoIP of the LAN (VoIP Ports: TCP 1720, TCP 15328-15333, UDP 15328-15333)
STEP 1﹒Set up VoIP in LAN network, and its IP is 192.168.1.100
STEP 2﹒Policy Object Address LAN: Enter the following setting in LAN of Address
function. (Figure 15-10)
Figure 15-10 Setting LAN Address WebUI
STEP 3﹒Policy Object Service Custom: Add new VoIP service group in Custom of
Service function. (Figure 15-11)
Figure 15-11 Add Custom Service
STEP 4﹒Policy Object Virtual Server Server 1: Enter the following setting in
Server1 of Virtual Server function
Click the button next to Virtual Server Real IP (“click here to configure”) in
Server1
Virtual Server Real IP: Enter 60.250.158.65 (click Assist for assistance)
(Use WAN)
Click OK (Figure 15-12)
Figure 15-12 Virtual Server Real IP Setting WebUI
Click New Entry
Service: Select (Custom Service) VoIP_Service
External Service Port: From-Service (Custom)
Load Balance Server1: Enter 192.168.1.100
Click OK
Complete the setting of Virtual Server (Figure 15-13)
Figure 15-13 Virtual Server Configuration WebUI
When the custom service has only one port number, the external network port of the Virtual Server can be changed; on the contrary, if the custom service has more than one port number, the external network port of the Virtual Server cannot be changed.
STEP 5﹒Policy Incoming: Add a new Incoming Policy that includes the virtual server set in STEP 4: (Figure 15-14)
Figure 15-14 Complete the Policy that includes the Virtual Server Setting
STEP 6﹒Policy Outgoing: Enter the setting that lets the internal users use VoIP to connect with external network VoIP in Outgoing Policy (Figure 15-15)
Figure 15-15 Complete the Policy Setting of VoIP Connection
STEP 7﹒Complete the setting that lets the external/internal users communicate with each other using the specific service through the Virtual Server.
Configuration Example - PAT
The RS-2500 also supports the Port Address Translation function. Some system administrators change the standard port number of a service in order to protect the LAN server; the RS-2500 must then translate the port so Internet users can still access the LAN service.
STEP 1﹒Create a Web server on LAN site, and specify IP address 192.168.1.10 to the
server.
STEP 2﹒Policy Object Address LAN: Enter the following setting in LAN of Address
function. (Figure 15-16)
Figure 15-16 Setting LAN Address WebUI
STEP 3﹒Policy Object Service Custom: Create Custom Service (TCP 8080) for
Web Server. (Figure 15-17)
Figure 15-17 Add Custom Service
STEP 4﹒Policy Object Virtual Server Server 1: Enter the following data in Server1
of Virtual Server
Click the button next to Virtual Server Real IP (“click here to configure”) in
Server1
Virtual Server Real IP: Enter 60.250.158.65 (click Assist for assistance)
Click OK (Figure 15-18)
Figure 15-18 Virtual Server Real IP Setting
Click New Entry
Service: Select (Custom Service) Custom_Web
External Service Port: Change External Server Port to 80.
Enter the server IP in Load Balance Server
Click OK
Complete the setting of Virtual Server (Figure 15-19)
Figure 15-19 Virtual Server Configuration WebUI
STEP 5﹒Policy Incoming: Add a new Incoming Policy that includes the virtual server set in STEP 4 (Figure 15-20)
Figure 15-20 Complete Incoming Policy Setting
STEP 6﹒Policy Outgoing: Add a new policy that includes the settings of STEP 2 and 3 in Outgoing Policy. It lets the server send e-mail to external mail servers through the mail service. (Figure 15-21)
Figure 15-21 Complete Outgoing Policy Setting
STEP 7﹒Complete the setting of providing several services by Virtual Server.
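The model below is an added illustration of the three Virtual Server examples in this section (Server Load Balance, the multi-port Custom Service, and PAT) and is not code from the manual or from the RS-2500 firmware. It reuses the addresses and ports of the examples (60.250.158.65/66, 192.168.1.10, 192.168.1.100-104, TCP 1720, TCP/UDP 15328-15333, TCP 8080 reached on port 80) and assumes first-match lookup of the table and Round Robin selection per new session; the class and function names are constructed.

```python
"""Model of the RS-2500 Virtual Server table from 15.2: Server Load Balance
(Round Robin by session), a multi-port Custom Service, and PAT. Constructed
example, not vendor code; the IP addresses and ports are the ones used in
the three configuration examples above."""
from dataclasses import dataclass
from itertools import cycle
from typing import Optional


@dataclass(frozen=True)
class Service:
    name: str
    ports: tuple          # ((proto, first, last), ...)


def parse_service(name, *specs):
    """Build a Service from Custom Service strings such as "TCP 15328:15333"
    (chapter 9: equal ends such as 1720:1720 mean a single port)."""
    ports = []
    for spec in specs:
        proto, rng = spec.split()
        first, last = (int(x) for x in rng.split(":"))
        if not 0 <= first <= last <= 65535:
            raise ValueError(f"bad port range {spec!r}")
        ports.append((proto.upper(), first, last))
    return Service(name, tuple(ports))


def single_port(service):
    """Only such a service may have its External Service Port changed."""
    p = service.ports
    return len(p) == 1 and p[0][1] == p[0][2]


class VirtualServer:
    """One Server1..4 entry: Real IP, service, external port, 1-4 LAN IPs."""

    def __init__(self, real_ip, service, servers, external_port=None):
        if not 1 <= len(servers) <= 4:
            raise ValueError("a Virtual Server maps 1 to 4 Load Balance Servers")
        if external_port is not None and not single_port(service):
            raise ValueError("External Service Port is fixed to From-Service "
                             "when the custom service has more than one port")
        self.real_ip = real_ip
        self.service = service
        self.servers = list(servers)
        self.external_port = external_port      # None means From-Service
        self._rr = cycle(self.servers)           # Round Robin by session

    def matches(self, proto, dst_ip, dst_port):
        if dst_ip != self.real_ip:
            return False
        if self.external_port is not None:      # PAT: one changed port
            return proto == self.service.ports[0][0] and dst_port == self.external_port
        return any(p == proto and lo <= dst_port <= hi
                   for p, lo, hi in self.service.ports)

    def translate(self, proto, dst_ip, dst_port) -> Optional[tuple]:
        """Return (lan_ip, lan_port) for a new inbound session, or None."""
        if not self.matches(proto, dst_ip, dst_port):
            return None
        lan_ip = next(self._rr)
        # With PAT the LAN server listens on the service's own port (8080);
        # otherwise the destination port is carried through unchanged.
        lan_port = self.service.ports[0][1] if self.external_port is not None else dst_port
        return lan_ip, lan_port


def lookup(table, proto, dst_ip, dst_port):
    """First matching Virtual Server entry wins."""
    for vs in table:
        hit = vs.translate(proto, dst_ip, dst_port)
        if hit:
            return hit
    return None


# Server Load Balance: HTTP on 60.250.158.66 spread over four web servers
WEB_LB = VirtualServer("60.250.158.66", parse_service("HTTP", "TCP 80:80"),
                       ["192.168.1.101", "192.168.1.102",
                        "192.168.1.103", "192.168.1.104"])
# Custom Service VoIP_Service on 60.250.158.65, External Service Port From-Service
VOIP = VirtualServer("60.250.158.65",
                     parse_service("VoIP_Service", "TCP 1720:1720",
                                   "TCP 15328:15333", "UDP 15328:15333"),
                     ["192.168.1.100"])
# PAT: Custom_Web (TCP 8080) on 60.250.158.65, reached from outside on port 80
PAT_WEB = VirtualServer("60.250.158.65", parse_service("Custom_Web", "TCP 8080:8080"),
                        ["192.168.1.10"], external_port=80)
TABLE = [WEB_LB, VOIP, PAT_WEB]


def example_sessions():
    """Five HTTP sessions cycle through the four mirrors and wrap around."""
    vs = VirtualServer(WEB_LB.real_ip, WEB_LB.service, WEB_LB.servers)
    return [vs.translate("TCP", "60.250.158.66", 80)[0] for _ in range(5)]


if __name__ == "__main__":
    print(example_sessions())
    print(lookup(TABLE, "UDP", "60.250.158.65", 15330))   # ('192.168.1.100', 15330)
    print(lookup(TABLE, "TCP", "60.250.158.65", 80))      # ('192.168.1.10', 8080)
```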
16. VPN
The RS-2500 uses VPN to set up safe and private network services, and combines it with the remote Authentication system to integrate the remote networks and PCs of the enterprise. It also gives the enterprise and remote users a secure encrypted way to deliver data with the best efficiency, saving the manager a lot of trouble.
【IPSec Autokey】: The system manager can create a VPN connection using Autokey IKE. Autokey IKE (Internet Key Exchange) provides a standard method to negotiate keys between two security gateways. The IPSec Lifetime and Preshared Key of the RS-2500 are also set up here.
【PPTP Server】: The System Manager can set up the VPN-PPTP Server functions in this chapter.
【PPTP Client】: The System Manager can set up the VPN-PPTP Client functions in this chapter.
How to use VPN?
To set up a Virtual Private Network (VPN), you need to configure an Access Policy that includes the IPSec Autokey, PPTP Server, or PPTP Client settings of a Tunnel to make a VPN connection.
16.1 One-Step IPSec
This feature simplifies the configuration of IPSec encryption by keeping only the essential setting fields and using defaults for the rest.
The default settings are:
Mode: Main mode
Authentication Method: Preshare
ISAKMP Algorithm: DES + MD5 + Group 1
IPSec Algorithm: DES + MD5
One-step IPSec literally means it takes only one step to complete the configuration of IPSec encryption. The device automatically creates the corresponding policies after configuration. (Figure 16-1)
Figure 16-1 One-Step IPSec WebUI
Configuration Example
STEP 1﹒Policy Object > VPN > One-Step IPSec: Enter the following information in the One-Step IPSec setting.
Name: Quick_1
WAN Interface: WAN1
Subnet / Mask (local): 192.168.1.0 / 255.255.255.0
Remote Gateway: airlive15.dyndns.org
Subnet / Mask (remote): 192.168.100.0 / 255.255.255.0
Preshared Key: 12345678 (Figure 16-2)
The eight-digit key is a placeholder for the example; in production use a long random Preshared Key, which the device accepts up to 128 bytes.
Figure 16-2 One-Step IPSec Example
STEP 2﹒Click OK and wait for the message "VPN settings completed" to appear. The default and custom IPSec VPN settings are created automatically in:
Policy Object > VPN > IPSec Autokey (Figure 16-3)
Policy Object > VPN > Trunk (Figure 16-4)
Policy > Outgoing (Figure 16-5)
Policy > Incoming (Figure 16-6)
Figure 16-3 One-Step IPSec Example - Autokey
Figure 16-4 One-Step IPSec Example - Trunk
Figure 16-5 One-Step IPSec Example - Outgoing Policy
Figure 16-6 One-Step IPSec Example - Incoming Policy
The Incoming and Outgoing Policy rules with VPN enabled are automatically added at the top of the policy list, so that tunnel traffic is matched before any general rule.
16.2 IPSec Autokey
i (status icon):
Displays the VPN connection status as an icon (Not applied, Disconnected, Connecting).
Name:
The name that identifies the IPSec Autokey definition. It must be unique; a name cannot be used twice.
Gateway IP:
The WAN interface IP address of the remote gateway.
IPSec Algorithm:
Displays the configured algorithms.
Configure:
Click Modify to change the IPSec parameters, or Remove to delete the setting. (Figure 16-7)
Figure 16-7 IPSec Autokey WebUI
Necessary Item (Figure 16-8)
Figure 16-8 Necessary Item WebUI
Preshare Key:
An IKE VPN must be defined with a Preshared Key. The key may be up to 128 bytes long; use a long random value rather than a short numeric one, since the key is all that authenticates the two gateways to each other.
ISAKMP (Internet Security Association Key Management Protocol):
The extensible protocol framework, used by IKE (Internet Key Exchange), for establishing and managing Security Associations (SAs).
AH (Authentication Header):
An IPSec protocol that provides integrity and origin authentication of packets, without encryption.
ESP (Encapsulating Security Payload):
An IPSec protocol that provides confidentiality of packets and, combined with an AUTH algorithm, their integrity.
DES (Data Encryption Standard):
A 64-bit block cipher with a 56-bit key, developed by IBM and adopted as a US federal standard in 1977. The short key makes it brute-forceable with modern hardware.
Triple-DES (3DES):
The DES function performed three times with either two or three cryptographic keys.
AES (Advanced Encryption Standard):
The encryption algorithm selected by NIST in 2001 (the Rijndael cipher) to replace the aging DES. It is the strongest encryption option on this device.
NULL Algorithm:
A fast mode that provides integrity and authentication through the AUTH algorithm but no encryption. NULL only replaces the ESP encryption step; it provides no confidentiality, and the payload is sent in clear.
SHA-1 (Secure Hash Algorithm-1):
A message-digest hash algorithm that takes a message shorter than 2^64 bits and produces a 160-bit digest.
MD5:
A common message-digest algorithm, developed by Ron Rivest, that produces a 128-bit digest from an input of arbitrary length. Of the two AUTH algorithms offered, SHA-1 is the stronger choice.
Optional Item (Figure 16-9).
Figure 16-9 Optional Item WebUI
Main Mode:
The IKE phase 1 exchange (from the Oakley protocol) that establishes the ISAKMP security association using six messages; the peer identities are exchanged encrypted.
Aggressive mode:
The IKE phase 1 exchange that uses only three messages. It is faster, but it sends identities in clear, and with Preshare authentication the key hash it exposes can be attacked offline; prefer Main mode where both ends support it.
GRE/IPSec:
Encapsulates traffic in GRE (Generic Routing Encapsulation) before it is protected by IPSec.
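To see what these options amount to in practice, the following script (an editor's example, not part of the AirLive manual) audits an IPSec Autokey proposal written with the WebUI field names above against a minimum baseline. It checks the One-Step IPSec defaults from 16.1, the 3DES/MD5/GROUP1 proposal used in the chapter 17 examples, and a hardened proposal built from the strongest options the device lists. The thresholds, the PFS value assumed for the One-Step defaults and the hardened key are the editor's assumptions.

```python
"""Audit an RS-2500 IPSec Autokey proposal against a minimum baseline.

Editor's example, not AirLive code. Field names follow the WebUI items in
16.1 and 16.2; the thresholds are the editor's assumptions, not vendor
recommendations.
"""
from dataclasses import dataclass
from typing import List, Optional

# Modulus sizes of the Diffie-Hellman groups the device offers (MODP groups 1, 2, 5).
MODP_BITS = {1: 768, 2: 1024, 5: 1536}


@dataclass(frozen=True)
class AutokeyProposal:
    name: str
    mode: str                  # "Main" or "Aggressive"
    isakmp_enc: str            # DES / 3DES / AES
    isakmp_auth: str           # MD5 / SHA1
    isakmp_group: int          # 1, 2 or 5
    ipsec_enc: str             # DES / 3DES / AES / NULL
    ipsec_auth: str            # MD5 / SHA1
    pfs_group: Optional[int]   # None = Perfect Forward Secrecy disabled
    preshared_key: str


def weak_psk(key: str) -> bool:
    """Weak if shorter than 20 characters or drawn from fewer than three character classes."""
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in key))
    if any(not c.isalnum() for c in key):
        classes += 1
    return len(key) < 20 or classes < 3


def audit(p: AutokeyProposal) -> List[str]:
    """Return findings for the proposal; an empty list means it meets the baseline."""
    findings = []
    if "DES" in (p.isakmp_enc, p.ipsec_enc):
        findings.append("DES selected: its 56-bit key is brute-forceable, use AES")
    if p.ipsec_enc == "NULL":
        findings.append("NULL selected: payload is authenticated but sent in clear")
    if "MD5" in (p.isakmp_auth, p.ipsec_auth):
        findings.append("MD5 selected: prefer SHA1, the stronger AUTH option on this device")
    if MODP_BITS[p.isakmp_group] < 1536:
        findings.append(f"ISAKMP GROUP{p.isakmp_group} is {MODP_BITS[p.isakmp_group]}-bit MODP, use GROUP5")
    if p.pfs_group is None:
        findings.append("PFS disabled: IPSec keys are derived from the ISAKMP key alone")
    elif MODP_BITS[p.pfs_group] < 1536:
        findings.append(f"PFS GROUP{p.pfs_group} is {MODP_BITS[p.pfs_group]}-bit MODP, use GROUP5")
    if p.mode == "Aggressive":
        findings.append("Aggressive mode: identity and PSK hash are exposed to offline guessing, use Main mode")
    if weak_psk(p.preshared_key):
        findings.append("Preshared Key is short or low-variety: use a long random key (up to 128 bytes)")
    return findings


# 16.1 One-Step IPSec defaults with the example key from Figure 16-2.
# 16.1 does not state the PFS setting; disabled is assumed here.
ONE_STEP_DEFAULT = AutokeyProposal("Quick_1", "Main", "DES", "MD5", 1, "DES", "MD5", None, "12345678")
# Proposal used throughout chapter 17; the key is the one from the 17.3 client example.
OFFICE_EXAMPLE = AutokeyProposal("VPN_A", "Main", "3DES", "MD5", 1, "3DES", "MD5", 1, "123456789")
# Strongest options the device lists, with a constructed key.
HARDENED = AutokeyProposal("VPN_A_hardened", "Main", "AES", "SHA1", 5, "AES", "SHA1", 5, "Vq7#kL2m!pX9zR4wT8nB")

if __name__ == "__main__":
    for proposal in (ONE_STEP_DEFAULT, OFFICE_EXAMPLE, HARDENED):
        findings = audit(proposal)
        print(proposal.name, "->", "meets baseline" if not findings else "")
        for f in findings:
            print("   ", f)
```

Running the script lists five findings for the One-Step defaults and four for the chapter 17 proposal (MD5, GROUP1 for both ISAKMP and PFS, and the numeric key); the hardened proposal passes. Both gateways must be changed together, since the device requires identical settings on both ends.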
16.3 PPTP Server
PPTP Server:
Select Enable or Disable.
Client IP Range:
The range of IP addresses assigned to connecting PPTP clients. It must not overlap the LAN subnet.
i (status icon):
Displays the VPN connection status as an icon (Not applied, Disconnected, Connecting).
User Name:
Displays the PPTP client's user name while it is connected to the PPTP Server.
Client IP:
Displays the PPTP client's IP address while it is connected to the PPTP Server.
Uptime:
Displays how long the PPTP Server and client have been connected.
Configure:
Click Modify to change the PPTP Server settings, or Remove to delete the setting. (Figure 16-10)
Figure 16-10 PPTP Server WebUI
PPTP authenticates with MS-CHAP and encrypts with MPPE, both of which are considered broken by modern standards: an attacker who captures the authentication exchange can recover the password offline, and the MPPE keys are derived from it. Use PPTP only where an IPSec client is not available, and give PPTP users long random passwords.
16.4 PPTP Client
i (status icon):
Displays the VPN connection status as an icon (Not applied, Disconnected, Connecting).
User Name:
Displays the PPTP Client's user name used to connect to the PPTP Server.
Server IP or Domain Name:
Displays the IP address or domain name of the PPTP Server that the PPTP Client connects to.
Encryption:
Displays whether MPPE encryption is enabled for the transmission between PPTP Client and PPTP Server.
Uptime:
Displays how long the PPTP Server and Client have been connected.
Configure:
Click Modify to change the PPTP Client parameters, or Remove to delete the setting. (Figure 16-11)
Figure 16-11 PPTP Client WebUI
17. Configuration Example: IPSec & PPTP VPN
107 AirLive RS-2500 User’s Manual
17. Configuration Example: IPSec & PPTP VPN
17.1 IPSec VPN - Office to Office (1)
Preparation:
Company A - WAN IP: 61.11.11.11, LAN IP: 192.168.10.x
Company B - WAN IP: 211.22.22.22, LAN IP: 192.168.20.x
This example uses two RS-2500s. Company A (192.168.10.x) creates a VPN connection with Company B (192.168.20.x) so that shared files can be downloaded across it. (Figure 17-1)
Figure 17-1 Example 1 Topology
RS-2500 configuration of Company A:
STEP 1﹒Log in to Company A's RS-2500 at its default gateway address 192.168.10.1, select IPSec Autokey under VPN and click New Entry. (Figure 17-2)
Figure 17-2 IPSec Autokey WebUI
STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_A. (Figure 17-3)
Figure 17-3 IPSec Autokey Name Setting
STEP 3﹒Select Remote Gateway - Fixed IP or Domain Name in the To Remote list and enter Company B's WAN IP address, 211.22.22.22. (Figure 17-4)
Figure 17-4 IPSec To Destination Setting
STEP 4﹒Select Preshare as the Authentication Method and enter the Preshared Key. The same key must be entered on Company B's RS-2500. (Figure 17-5)
Figure 17-5 IPSec Authentication Method Setting
STEP 5﹒Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms used to set up the connection: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1) and Group (GROUP1, 2, 5). Both sides must choose the same settings. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm and GROUP1 for Group; for a production tunnel AES, SHA1 and GROUP5 are the stronger choices. (Figure 17-6)
Figure 17-6 IPSec Encapsulation Setting
STEP 6﹒In the IPSec Algorithm list choose Data Encryption + Authentication or Authentication Only.
ENC Algorithm: 3DES/DES/AES/NULL
AUTH Algorithm: MD5/SHA1
Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm as the encapsulation for data transmission. (Figure 17-7)
Figure 17-7 IPSec Algorithm Setting
STEP 7﹒Select GROUP1 in Perfect Forward Secrecy, enter 3600 seconds in ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and select Main mode in Mode. (Figure 17-8)
Figure 17-8 IPSec Perfect Forward Secrecy Setting
STEP 8﹒ Complete the IPSec Autokey setting. (Figure 17-9)
Figure 17-9 Complete Company A IPSec Autokey Setting
STEP 9﹒Enter the following settings in Trunk of the VPN function: (Figure 17-10)
Enter a specific Trunk Name, for example VPN_Tunnel_A.
From Local: Select LAN.
From Local Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.
To Remote: Select To Remote Subnet / Mask.
To Remote Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0.
Tunnel: Select VPN_A.
Enter 192.168.20.1 (the default gateway of Company B) as the Keep alive IP.
Select Show remote Network Neighborhood and click OK. (Figure 17-11)
Figure 17-10 New Entry Trunk Setting
Figure 17-11 Complete New Entry Trunk Setting
STEP 10﹒Enter the following setting in Outgoing Policy: (Figure 17-12)
Trunk: Select VPN_Tunnel_A.
Click OK. (Figure 17-13)
Figure 17-12 Setting the VPN Tunnel Outgoing Policy
Figure 17-13 Complete the VPN Tunnel Outgoing Policy Setting
STEP 11﹒Enter the following setting in Incoming Policy: (Figure 17-14)
Trunk: Select VPN_Tunnel_A.
Click OK. (Figure 17-15)
Figure 17-14 Setting the VPN Tunnel Incoming Policy
Figure 17-15 Complete the VPN Tunnel Incoming Policy Setting
RS-2500 configuration of Company B:
STEP 1. Log in to Company B's RS-2500 at its default gateway address 192.168.20.1, select IPSec Autokey under VPN and click New Entry. (Figure 17-16)
Figure 17-16 IPSec Autokey Web UI
STEP 2. In the list of IPSec Autokey, fill in Name with VPN_B. (Figure 17-17)
Figure 17-17 IPSec Autokey Name Setting
STEP 3. Select Remote Gateway - Fixed IP or Domain Name in the To Remote list and enter Company A's WAN IP address, 61.11.11.11. (Figure 17-18)
Figure 17-18 IPSec To Destination Setting
STEP 4. Select Preshare as the Authentication Method and enter the Preshared Key (max: 100 bits). It must be the same key that was entered on Company A. (Figure 17-19)
Figure 17-19 IPSec Authentication Method Setting
STEP 5. Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms used to set up the connection: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1) and Group (GROUP1, 2, 5). Both sides must choose the same settings. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm and GROUP1 for Group, matching Company A. (Figure 17-20)
Figure 17-20 IPSec Encapsulation Setting
STEP 6. In the IPSec Algorithm list choose Data Encryption + Authentication or Authentication Only.
ENC Algorithm: 3DES/DES/AES/NULL
AUTH Algorithm: MD5/SHA1
Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm as the encapsulation for data transmission. (Figure 17-21)
Figure 17-21 IPSec Algorithm Setting
STEP 7. Select GROUP1 in Perfect Forward Secrecy, enter 3600 seconds in ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and select Main mode in Mode. (Figure 17-22)
Figure 17-22 IPSec Perfect Forward Secrecy Setting
STEP 8. Complete the IPSec Autokey setting. (Figure 17-23)
Figure 17-23 Complete Company B IPSec Autokey Setting
STEP 9. Enter the following settings in Trunk of the VPN function: (Figure 17-24)
Enter a specific Trunk Name, for example VPN_Tunnel_B.
From Local: Select LAN.
From Local Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0.
To Remote: Select To Remote Subnet / Mask.
To Remote Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.
Tunnel: Select VPN_B.
Enter 192.168.10.1 (the default gateway of Company A) as the Keep alive IP.
Select Show remote Network Neighborhood.
Click OK. (Figure 17-25)
Figure 17-24 New Entry Trunk Setting
Figure 17-25 Complete New Entry Trunk Setting
STEP 10. Enter the following setting in Outgoing Policy: (Figure 17-26)
Trunk: Select VPN_Tunnel_B.
Click OK. (Figure 17-27)
Figure 17-26 Setting the VPN Tunnel Outgoing Policy
Figure 17-27 Complete the VPN Tunnel Outgoing Policy Setting
STEP 11. Enter the following setting in Incoming Policy: (Figure 17-28)
Trunk: Select VPN_Tunnel_B.
Click OK. (Figure 17-29)
Figure 17-28 Setting the VPN Tunnel Incoming Policy
Figure 17-29 Complete the VPN Tunnel Incoming Policy Setting
STEP 12. This completes the IPSec VPN connection.
If the WAN IP address changes over time, the user can subscribe to a DDNS service and configure the domain name in the VPN setting: enter the domain name in the Remote Gateway item instead of an IP address.
17.2 IPSec VPN - Office to Office (2)
Preparation:
Company A - RS-2500 - WAN IP: 60.250.158.66, LAN IP: 192.168.10.x
Company B -
1. PPPoA Modem Router - WAN IP: PPPoA with DDNS service enabled (airlive15.dyndns.org), LAN IP: 192.168.20.x
2. RS-2500 - WAN IP: 192.168.20.254, LAN IP: 192.168.30.x
This example uses two RS-2500s. Company B's RS-2500 is installed behind a PPPoA modem router, so its WAN interface has a private IP address. It can still build an IPSec VPN tunnel to Company A's RS-2500, provided that the modem router lets IKE (UDP port 500) and ESP traffic reach 192.168.20.254 (IPSec passthrough or port forwarding) and that Company A's RS-2500 is told to expect 192.168.20.254 as the peer ID (STEP 7 below). (Figure 17-30)
Figure 17-30 Example 2 Topology
RS-2500 configuration of Company A:
STEP 1﹒Log in to Company A's RS-2500 at its default gateway address 192.168.10.1, select IPSec Autokey under VPN and click New Entry. (Figure 17-31)
Figure 17-31 IPSec Autokey WebUI
STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_A. (Figure 17-32)
Figure 17-32 IPSec Autokey Name Setting
STEP 3﹒Select Remote Gateway - Fixed IP or Domain Name in the To Remote list and enter the domain name, airlive15.dyndns.org. (Figure 17-33)
Figure 17-33 IPSec To Destination Setting
STEP 4﹒Select Preshare as the Authentication Method and enter the Preshared Key. The same key must be entered on Company B's RS-2500. (Figure 17-34)
Figure 17-34 IPSec Authentication Method Setting
STEP 5﹒Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms used to set up the connection: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1) and Group (GROUP1, 2, 5). Both sides must choose the same settings. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm and GROUP1 for Group. (Figure 17-35)
Figure 17-35 IPSec Encapsulation Setting
STEP 6﹒In the IPSec Algorithm list choose Data Encryption + Authentication or Authentication Only.
ENC Algorithm: 3DES/DES/AES/NULL
AUTH Algorithm: MD5/SHA1
Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm as the encapsulation for data transmission. (Figure 17-36)
Figure 17-36 IPSec Algorithm Setting
STEP 7﹒Select GROUP1 in Perfect Forward Secrecy, enter 3600 seconds in ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and select Main mode in Mode. Enter Company B's RS-2500 WAN IP address (192.168.20.254) as the peer ID in Company A's VPN setting: Company B identifies itself by that private address rather than by the public address of the modem router, so the identity check would otherwise fail. (Figure 17-37)
Figure 17-37 IPSec Perfect Forward Secrecy Setting
STEP 8﹒ Complete the IPSec Autokey setting. (Figure 17-38)
Figure 17-38 Complete Company A IPSec Autokey Setting
STEP 9﹒Enter the following settings in Trunk of the VPN function: (Figure 17-39)
Enter a specific Trunk Name, for example VPN_Tunnel_A.
From Local: Select LAN.
From Local Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.
To Remote: Select To Remote Subnet / Mask.
To Remote Subnet / Mask: Enter 192.168.30.0 / 255.255.255.0.
Tunnel: Select VPN_A.
Enter 192.168.30.1 (the LAN default gateway of Company B's RS-2500) as the Keep alive IP.
Select Show remote Network Neighborhood and click OK. (Figure 17-40)
Figure 17-39 New Entry Trunk Setting
Figure 17-40 Complete New Entry Trunk Setting
STEP 10﹒Enter the following setting in Outgoing Policy: (Figure 17-41)
Trunk: Select VPN_Tunnel_A.
Click OK. (Figure 17-42)
Figure 17-41 Setting the VPN Tunnel Outgoing Policy
Figure 17-42 Complete the VPN Tunnel Outgoing Policy Setting
STEP 11﹒Enter the following setting in Incoming Policy: (Figure 17-43)
Trunk: Select VPN_Tunnel_A.
Click OK. (Figure 17-44)
Figure 17-43 Setting the VPN Tunnel Incoming Policy
Figure 17-44 Complete the VPN Tunnel Incoming Policy Setting
RS-2500 configuration of Company B:
STEP 1. Log in to Company B's RS-2500 at its default gateway address 192.168.30.1, select IPSec Autokey under VPN and click New Entry. (Figure 17-45)
Figure 17-45 IPSec Autokey Web UI
STEP 2. In the list of IPSec Autokey, fill in Name with VPN_B. (Figure 17-46)
Figure 17-46 IPSec Autokey Name Setting
STEP 3. Select Remote Gateway - Fixed IP or Domain Name in the To Remote list and enter Company A's WAN IP address, 60.250.158.66. (Figure 17-47)
Figure 17-47 IPSec To Destination Setting
STEP 4. Select Preshare as the Authentication Method and enter the Preshared Key (max: 100 bits). It must be the same key that was entered on Company A. (Figure 17-48)
Figure 17-48 IPSec Authentication Method Setting
STEP 5. Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms used to set up the connection: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1) and Group (GROUP1, 2, 5). Both sides must choose the same settings. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm and GROUP1 for Group, matching Company A. (Figure 17-49)
Figure 17-49 IPSec Encapsulation Setting
STEP 6. In the IPSec Algorithm list choose Data Encryption + Authentication or Authentication Only.
ENC Algorithm: 3DES/DES/AES/NULL
AUTH Algorithm: MD5/SHA1
Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm as the encapsulation for data transmission. (Figure 17-50)
Figure 17-50 IPSec Algorithm Setting
STEP 7. Select GROUP1 in Perfect Forward Secrecy, enter 3600 seconds in ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and select Main mode in Mode. (Figure 17-51)
Figure 17-51 IPSec Perfect Forward Secrecy Setting
STEP 8. Complete the IPSec Autokey setting. (Figure 17-52)
Figure 17-52 Complete Company B IPSec Autokey Setting
STEP 9. Enter the following settings in Trunk of the VPN function: (Figure 17-53)
Enter a specific Trunk Name, for example VPN_Tunnel_B.
From Local: Select LAN.
From Local Subnet / Mask: Enter 192.168.30.0 / 255.255.255.0.
To Remote: Select To Remote Subnet / Mask.
To Remote Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.
Tunnel: Select VPN_B.
Enter 192.168.10.1 (the default gateway of Company A) as the Keep alive IP.
Select Show remote Network Neighborhood.
Click OK. (Figure 17-54)
Figure 17-53 New Entry Trunk Setting
Figure 17-54 Complete New Entry Trunk Setting
STEP 10. Enter the following setting in Outgoing Policy: (Figure 17-55)
Trunk: Select VPN_Tunnel_B.
Click OK. (Figure 17-56)
Figure 17-55 Setting the VPN Tunnel Outgoing Policy
Figure 17-56 Complete the VPN Tunnel Outgoing Policy Setting
STEP 11. Enter the following setting in Incoming Policy: (Figure 17-57)
Trunk: Select VPN_Tunnel_B.
Click OK. (Figure 17-58)
Figure 17-57 Setting the VPN Tunnel Incoming Policy
Figure 17-58 Complete the VPN Tunnel Incoming Policy Setting
STEP 12. This completes the IPSec VPN connection.
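The two configurations in 17.1 and 17.2 are mirror images of each other: each gateway's Remote Gateway is the other's public address, each Trunk's To Remote Subnet is the other's From Local Subnet, the Keep alive IP lies inside the remote subnet, and the algorithms and Preshared Key are identical. The script below is an editor's example, not part of the AirLive manual: it records both examples in that form and checks them, and also shows what goes wrong in 17.2 when the peer ID from STEP 7 is left unset. The Preshared Key, the address that airlive15.dyndns.org resolves to and the resolution table are constructed values; the rule that a Preshare peer identifies itself by its WAN interface address is taken from 17.2 STEP 7.

```python
"""Consistency check for a pair of RS-2500 office-to-office IPSec settings.

Editor's example, not AirLive code. A Site bundles the IPSec Autokey and
Trunk items from 17.1/17.2 for one gateway; mirror_check() reports every
way the two sides fail to agree. No DNS lookups are made: DDNS names are
resolved through a constructed table.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str               # WAN interface address (private when behind NAT, as in 17.2)
    public_ip: str            # address the peer actually sees IKE traffic coming from
    local_subnet: str         # Trunk: From Local Subnet / Mask
    remote_gateway: str       # Autokey: Remote Gateway (IP or DDNS name)
    remote_subnet: str        # Trunk: To Remote Subnet / Mask
    keepalive_ip: str         # Trunk: Keep alive IP
    peer_id: Optional[str]    # Autokey: peer ID; None = the peer's source address
    proposal: tuple           # (ISAKMP enc, auth, group, IPSec enc, auth, PFS group, mode)
    psk: str


def _one_direction(a: Site, b: Site, resolve: Dict[str, str]) -> List[str]:
    """Checks that depend on a's view of b."""
    problems = []
    gw = resolve.get(a.remote_gateway, a.remote_gateway)
    if gw != b.public_ip:
        problems.append(f"{a.name}: Remote Gateway {a.remote_gateway} ({gw}) is not "
                        f"{b.name}'s public address {b.public_ip}")
    # With Preshare in Main mode the peer identifies itself by its WAN interface
    # address; behind NAT that differs from the address a sees (17.2 STEP 7).
    expected_id = a.peer_id or b.public_ip
    if expected_id != b.wan_ip:
        problems.append(f"{a.name}: expects peer ID {expected_id} but {b.name} "
                        f"identifies as {b.wan_ip}; set the peer ID")
    if ipaddress.ip_network(a.remote_subnet) != ipaddress.ip_network(b.local_subnet):
        problems.append(f"{a.name}: To Remote Subnet {a.remote_subnet} is not "
                        f"{b.name}'s local subnet {b.local_subnet}")
    if ipaddress.ip_address(a.keepalive_ip) not in ipaddress.ip_network(a.remote_subnet):
        problems.append(f"{a.name}: Keep alive IP {a.keepalive_ip} is outside {a.remote_subnet}")
    return problems


def mirror_check(a: Site, b: Site, resolve: Optional[Dict[str, str]] = None) -> List[str]:
    """Return all mismatches between the two sides; an empty list means they mirror each other."""
    resolve = resolve or {}
    problems = _one_direction(a, b, resolve) + _one_direction(b, a, resolve)
    if a.proposal != b.proposal:
        problems.append("ISAKMP/IPSec proposals differ; both sides must choose the same algorithms and group")
    if a.psk != b.psk:
        problems.append("Preshared Keys differ")
    if ipaddress.ip_network(a.local_subnet).overlaps(ipaddress.ip_network(b.local_subnet)):
        problems.append("local subnets overlap; traffic cannot be routed unambiguously across the trunk")
    return problems


PROPOSAL = ("3DES", "MD5", 1, "3DES", "MD5", 1, "Main")   # values used in chapter 17
PSK = "Kx7!wq2Rt9#Lm4Zb8Vn0"                             # constructed; the manual gives no key

# 17.1: both gateways have public WAN addresses.
A1 = Site("Company A", "61.11.11.11", "61.11.11.11", "192.168.10.0/24",
          "211.22.22.22", "192.168.20.0/24", "192.168.20.1", None, PROPOSAL, PSK)
B1 = Site("Company B", "211.22.22.22", "211.22.22.22", "192.168.20.0/24",
          "61.11.11.11", "192.168.10.0/24", "192.168.10.1", None, PROPOSAL, PSK)

# 17.2: Company B's RS-2500 sits behind a PPPoA modem router with DDNS.
RESOLVE = {"airlive15.dyndns.org": "203.0.113.15"}      # constructed resolution
A2 = Site("Company A", "60.250.158.66", "60.250.158.66", "192.168.10.0/24",
          "airlive15.dyndns.org", "192.168.30.0/24", "192.168.30.1", "192.168.20.254", PROPOSAL, PSK)
B2 = Site("Company B", "192.168.20.254", "203.0.113.15", "192.168.30.0/24",
          "60.250.158.66", "192.168.10.0/24", "192.168.10.1", None, PROPOSAL, PSK)


def example_17_2_without_peer_id() -> List[str]:
    """17.2 with STEP 7's peer ID omitted on Company A."""
    return mirror_check(replace(A2, peer_id=None), B2, RESOLVE)


if __name__ == "__main__":
    for label, probs in (("17.1", mirror_check(A1, B1)),
                         ("17.2", mirror_check(A2, B2, RESOLVE)),
                         ("17.2 without peer ID", example_17_2_without_peer_id())):
        print(label, "OK" if not probs else probs)
```

Both manual examples pass; dropping the peer ID from Company A's 17.2 configuration produces the single finding that Company A would expect the modem router's public address as the peer identity while Company B presents 192.168.20.254.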
17.3 IPSec VPN - Office to Client
Preparation:
RS-2500 - WAN IP: 61.11.11.11, LAN IP: 192.168.10.x
SOHO Router - WAN IP: PPPoE with any IP, LAN IP: 192.168.1.x
The user installs VPN client software on a PC and creates an IPSec VPN tunnel from home or any other place to the RS-2500, so that the RS-2500's LAN resources can be accessed securely. (Figure 17-59)
Figure 17-59 Example 3 Topology
A 30-day trial of the IPSec VPN client software can be downloaded from the AirLive Security Product web page; the full software and licence can be purchased from the TheGreenBow website:
(http://www.thegreenbow.com/buy.html?product=vpn)
RS-2500 configuration:
STEP 1. Log in to the RS-2500 at its default gateway address 192.168.10.1, select IPSec Autokey under VPN and click New Entry. (Figure 17-60)
Figure 17-60 IPSec Autokey Web UI
STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_A. (Figure 17-61)
Figure 17-61 IPSec Autokey Name Setting
STEP 3﹒Select Remote Gateway or Client -- Dynamic IP in the To Remote list. Because the client's address is not known in advance, the Preshared Key is the only credential that authenticates it, so choose a long random key. (Figure 17-62)
Figure 17-62 IPSec To Remote Setting
STEP 4﹒Select Preshare as the Authentication Method and enter the Preshared Key. The same key must be entered in the VPN client software. (Figure 17-63)
Figure 17-63 IPSec Authentication Method Setting
STEP 5﹒Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms used to set up the connection: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1) and Group (GROUP1, 2, 5). Both sides must choose the same settings. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm and GROUP1 for Group. (Figure 17-64)
Figure 17-64 IPSec Encapsulation Setting
STEP 6﹒In the IPSec Algorithm list choose Data Encryption + Authentication or Authentication Only.
ENC Algorithm: 3DES/DES/AES/NULL
AUTH Algorithm: MD5/SHA1
Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm as the encapsulation for data transmission. (Figure 17-65)
Figure 17-65 IPSec Algorithm Setting
STEP 7﹒Select GROUP1 in Perfect Forward Secrecy, enter 3600 seconds in ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and select Main mode in Mode. (Figure 17-66)
Figure 17-66 IPSec Perfect Forward Secrecy Setting
STEP 8﹒ Complete the IPSec Autokey setting. (Figure 17-67)
Figure 17-67 Complete RS-2500 IPSec Autokey Setting
STEP 9﹒Enter the following settings in Trunk of the VPN function: (Figure 17-68)
Enter a specific Trunk Name, for example VPN_Tunnel_A.
From Local: Select LAN.
From Local Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.
To Remote: Select Remote Client.
Tunnel: Select VPN_A.
Select Show remote Network Neighborhood and click OK. (Figure 17-69)
Figure 17-68 New Entry Trunk Setting
Figure 17-69 Complete New Entry Trunk Setting
STEP 10﹒Enter the following setting in Outgoing Policy: (Figure 17-70)
Trunk: Select VPN_Tunnel_A.
Click OK. (Figure 17-71)
Figure 17-70 Setting the VPN Tunnel Outgoing Policy
Figure 17-71 Complete the VPN Tunnel Outgoing Policy Setting
STEP 11﹒Enter the following setting in Incoming Policy: (Figure 17-72)
Trunk: Select VPN_Tunnel_A.
Click OK. (Figure 17-73)
Figure 17-72 Setting the VPN Tunnel Incoming Policy
Figure 17-73 Complete the VPN Tunnel Incoming Policy Setting
VPN Client Software configuration:
STEP 1﹒Right-click Root, select "New Phase 1" and enter the following information on the Phase 1 page: (Figure 17-74)
Name: To_RS25
Interface: 192.168.1.2
Remote Gateway: 61.11.11.11
Preshared Key: 123456789 (must match the key entered on the RS-2500)
IKE Encryption: 3DES
IKE Authentication: MD5
IKE Key Group: Group 1
The IKE settings must match the ISAKMP Algorithm chosen in STEP 5 of the RS-2500 configuration.
Figure 17-74 Phase1 setting of IPSec VPN Client Software
STEP 2﹒Press "Save & Apply" to save the Phase 1 setting.
STEP 3﹒Right-click "To_RS25" (Phase 1) and select "Add Phase 2".
STEP 4﹒Enter the following information on the Phase 2 page: (Figure 17-75)
Name: To_RS25_Tunnel
VPN Client Address: 192.168.1.2
Remote Address Type: Subnet Address
Remote LAN Address: 192.168.10.0
Subnet Mask: 255.255.255.0
ESP Encryption: 3DES
ESP Authentication: MD5
ESP Mode: Tunnel
PFS: Enable, Group 1
Press "Save & Apply" to save the Phase 2 setting.
Figure 17-75 Phase2 setting of IPSec VPN Client Software
STEP 5﹒Press "Open Tunnel" to establish the IPSec VPN connection.
STEP 6﹒When the VPN tunnel is established, the tool-bar icon changes to its connected state.
17.4 PPTP VPN - Office to Office
Preparation:
Company A WAN IP: 61.11.11.11
LAN IP: 192.168.10.X
Company B WAN IP: 211.22.22.22
LAN IP: 192.168.20.X
This example uses two RS-2500s. Company B's host 192.168.20.100 opens a VPN connection to Company A's host 192.168.10.100 to download resources. (Figure 17-76)
Figure 17-76 PPTP connection Example-1
RS-2500 configuration of Company A:
STEP 1. Open PPTP Server under the VPN function on Company A's RS-2500. Select Modify and enable PPTP Server:
Client IP Range: Keep the original setting, e.g. 192.3.106.1-254.
Enter DNS Server or WINS Server IP if necessary.
Idle Time: Enter 0. (Figure 17-77)
Figure 17-77 Enable PPTP VPN Server Settings
Client IP Range: the range must not be the same as (or overlap) the LAN IP subnet, or the PPTP function will not work.
Idle Time: the period of inactivity after which the VPN connection is automatically disconnected (unit: minute).
STEP 2. Add the following settings in PPTP Server of the VPN function on Company A's RS-2500:
Select New Entry. (Figure 17-78)
User Name: Enter jacky.
Password: Enter 123456789.
Client IP assigned by: Select IP Range.
Click OK. (Figure 17-79)
The password in this example is a placeholder: the PPTP authentication exchange can be attacked offline, so give each PPTP user a long random password.
Figure 17-78 PPTP VPN Server Setting
Figure 17-79 Complete PPTP VPN Server Setting
STEP 3. Enter the following settings in Trunk of the VPN function: (Figure 17-80)
Enter a specific Trunk Name, for example PPTP_Tunnel.
From Local: Select LAN.
From Local Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.
To Remote: Select To Remote Subnet / Mask.
To Remote Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0.
Tunnel: Select PPTP_Server_jacky.
Select Show remote Network Neighborhood.
Click OK. (Figure 17-81)
Figure 17-80 New Entry Trunk Setting
Figure 17-81 Complete New Entry Trunk Setting
STEP 4. Enter the following setting in Outgoing Policy: (Figure 17-82)
Trunk: Select PPTP_Tunnel.
Click OK. (Figure 17-83)
Figure 17-82 Setting the VPN Tunnel Outgoing Policy
Figure 17-83 Complete the VPN Tunnel Outgoing Policy Setting
STEP 5. Enter the following setting in Incoming Policy: (Figure 17-84)
Trunk: Select PPTP_Tunnel.
Click OK. (Figure 17-85)
Figure 17-84 Setting the VPN Tunnel Incoming Policy
Figure 17-85 Complete the VPN Tunnel Incoming Policy Setting
RS-2500 configuration of Company B:
STEP 1. Add the following settings in PPTP Client of the VPN function on Company B's RS-2500:
Click the New Entry button. (Figure 17-86)
User Name: Enter jacky.
Password: Enter 123456789.
Server IP or Domain Name: Enter 61.11.11.11.
Select Encryption.
Click OK. (Figure 17-87)
Figure 17-86 PPTP VPN Client Setting
Figure 17-87 Complete PPTP VPN Client Setting
STEP 2. Enter the following settings in Trunk of the VPN function: (Figure 17-88)
Enter a specific Trunk Name, for example PPTP_Client.
From Local: Select LAN.
From Local Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0.
To Remote: Select To Remote Subnet / Mask.
To Remote Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.
Tunnel (IPSec / PPTP Setting): Select PPTP_Client_jacky.
Select Show remote Network Neighborhood.
Click OK. (Figure 17-89)
Figure 17-88 New Entry Trunk Setting
Figure 17-89 Complete New Entry Trunk Setting
STEP 3. Enter the following setting in Outgoing Policy: (Figure 17-90)
Trunk: Select PPTP_Client.
Click OK. (Figure 17-91)
Figure 17-90 Setting the VPN Tunnel Outgoing Policy
Figure 17-91 Complete the VPN Tunnel Outgoing Policy Setting
STEP 4. Enter the following setting in Incoming Policy: (Figure 17-92)
Trunk: Select PPTP_Client.
Click OK. (Figure 17-93)
Figure 17-92 Setting the VPN Tunnel Incoming Policy
Figure 17-93 Complete the VPN Tunnel Incoming Policy Setting
STEP 5. This completes the PPTP VPN connection.
17.5 PPTP VPN - Office to Client
Preparation:
RS-2500 WAN IP: 61.11.11.11
LAN IP: 192.168.10.X
PPTP Client WAN IP: PPPoE with any IP
LAN IP: 192.168.20.X
This example shows how a home user connects to the remote PPTP server. (Figure 17-94)
Figure 17-94 PPTP connection Example-1
RS-2500 configuration:
STEP 1. Open PPTP Server under the VPN function on the RS-2500. Select Modify and enable PPTP Server:
Client IP Range: Keep the original setting, e.g. 192.3.106.1-254.
Enter DNS Server or WINS Server IP if necessary.
Idle Time: Enter 0. (Figure 17-95)
Figure 17-95 Enable PPTP VPN Server Settings
Client IP Range: the range must not be the same as (or overlap) the LAN IP subnet, or the PPTP function will not work.
Idle Time: the period of inactivity after which the VPN connection is automatically disconnected (unit: minute).
STEP 2. Add the following settings in PPTP Server of the VPN function on the RS-2500:
Select New Entry. (Figure 17-96)
User Name: Enter jacky.
Password: Enter 123456789.
Client IP assigned by: Select IP Range.
Click OK. (Figure 17-97)
As in 17.4, the password is a placeholder; give each PPTP user a long random password.
Figure 17-96 PPTP VPN Server Setting
Figure 17-97 Complete PPTP VPN Server Setting
STEP 3. Enter the following settings in Trunk of the VPN function: (Figure 17-98)
Enter a specific Trunk Name, for example PPTP_Tunnel.
From Local: Select LAN.
From Local Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.
To Remote: Select To Remote Subnet / Mask.
To Remote Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0.
Tunnel: Select PPTP_Server_jacky.
Select Show remote Network Neighborhood.
Click OK. (Figure 17-99)
Figure 17-98 New Entry Trunk Setting
Figure 17-99 Complete New Entry Trunk Setting
STEP 4. Enter the following setting in Outgoing Policy: (Figure 17-100)
Trunk: Select PPTP_Tunnel.
Click OK. (Figure 17-101)
Figure 17-100 Setting the VPN Tunnel Outgoing Policy
Figure 17-101 Complete the VPN Tunnel Outgoing Policy Setting
STEP 5. Enter the following setting in Incoming Policy: (Figure 17-102)
Trunk: Select PPTP_Tunnel.
Click OK. (Figure 17-103)
Figure 17-102 Setting the VPN Tunnel Incoming Policy
Figure 17-103 Complete the VPN Tunnel Incoming Policy Setting
PPTP client setting on Windows XP:
STEP 1. Open Control Panel > Network Connections and click Create a new connection in the left pane. (Figure 17-104)
Figure 17-104 Control Panel > Network Connections
STEP 2. Press Next. (Figure 17-105)
Figure 17-105 Network Connections Wizard-1
STEP 3. Select Connect to the network at my workplace, and press Next.
(Figure 17-106)
Figure 17-106 Network Connections Wizard-2
STEP 4. Select Virtual Private Network connection, and press Next. (Figure 17-107)
Figure 17-107 Network Connections Wizard-3
STEP 5. Enter a name for the connection, and press Next. (Figure 17-108)
Figure 17-108 Network Connections Wizard-4
STEP 6. Enter the PPTP server IP address (61.11.11.11 in this example), and press Next. (Figure 17-109)
Figure 17-109 Network Connections Wizard-5
STEP 7. Press Finish to complete the Windows XP PPTP client setting. (Figure 17-110)
Figure 17-110 Network Connections Wizard-6
STEP 8. Enter the user name and password (jacky / 123456789 in this example), and press Connect to connect to the PPTP server. (Figure 17-111)
Figure 17-111 Connect to PPTP server
18. Policy
AirLive RS-2500 User’s Manual 152
18. Policy
Every packet that passes through the RS-2500 is checked against the Policy. When a packet matches a policy, it is handled according to that policy's settings and is not compared against any later policy. A packet that matches no Policy is blocked.
The parameters of a policy are Source Address, Destination Address, Service, Schedule, Authentication User, Trunk, Action-WAN Port, Traffic Log, Statistics, Content Blocking, Application Blocking, QoS, MAX. Bandwidth Per Source IP, MAX. Concurrent Sessions Per IP and MAX. Concurrent Sessions. Control policies decide whether packets from different network objects, network services and applications are allowed to pass through the RS-2500.
How to use Policy?
The device uses policies to filter packets. The policy settings are: source address,
destination address, services, permission, packet log, packet statistics, and flow control.
Based on its source addresses, a packet can be categorized into:
(1) Outgoing: The source IP is in LAN network; the destination is in WAN network.
The system manager can set all the policy rules of Outgoing packets in this function
(2) Incoming: The source IP is in WAN network; the destination is in LAN network.
(For example: Mapped IP, Virtual Server) The system manager can set all the
policy rules of Incoming packets in this function
(3) WAN to DMZ: The source IP is in WAN network; the destination is in DMZ network.
(For example: Mapped IP, Virtual Server) The system manager can set all the
policy rules of WAN to DMZ packets in this function
(4) LAN to DMZ: The source IP is in LAN network; the destination is in DMZ network.
The system manager can set all the policy rules of LAN to DMZ packets in this
function
(5) DMZ to LAN: The source IP is in DMZ network; the destination is in LAN network.
The system manager can set all the policy rules of DMZ to LAN packets in this
function
18. Policy
153 AirLive RS-2500 User’s Manual
(6) DMZ to WAN: The source IP is in DMZ network; the destination is in WAN network.
The system manager can set all the policy rules of DMZ to WAN packets in this
function
All the packets that go through RS-2500 must pass the policy
permission. Therefore, the LAN, WAN, and DMZ network have to set
the applicable policy when establish network connection.
Define the required fields of Policy
Source and Destination
Source IP and Destination IP are defined from the RS-2500's point of view: the active side (the side that initiates the connection) is the source; the passive side is the destination.
Service
The service item that is controlled by the Policy. The user can choose a default value or one of the custom services that the system manager set in the Service function.
Action, WAN Port
Control actions that permit or reject packets delivered between the LAN network and the WAN network when they pass through the RS-2500 (see the chart and illustration below).
Chart Name / Illustration
Permit all WAN network Interface: Allow the packets that correspond with the policy to be transferred by the WAN1/2 Port
Permit WAN1: Allow the packets that correspond with the policy to be transferred by the WAN1 Port
Permit WAN2: Allow the packets that correspond with the policy to be transferred by the WAN2 Port
DENY: Reject the packets that correspond with the policy from being transferred by the WAN Port
Permit VPN: Allow the VPN packets that correspond with the policy to be transferred
Option
Displays whether each function of the Policy is enabled or not. If a function is enabled, its chart appears (see the chart and illustration below).
Chart Name / Illustration
Schedule: Enable the policy to execute its function automatically at a certain time
Authentication User: Enable Authentication User
Traffic Log: Enable traffic log
Statistics: Enable traffic statistics
Content Blocking: Enable Content Blocking
Application Blocking: Enable Application Blocking
QoS: Enable QoS
Schedule
Sets the policy to execute its function automatically at a certain time.
Authentication User
The user has to pass authentication before connecting through the Policy.
Trunk
Select the specific VPN setting whose packets are allowed to pass through.
Traffic Log
Record all the packets that go through the policy.
Statistics
Chart of the traffic that goes through the policy.
Content Blocking
Restrict the packets that pass through the policy.
Application Blocking
Restrict the packets passing via IM, P2P, or other applications.
QoS
Set the Guarantee Bandwidth and Maximum Bandwidth of the Policy (the bandwidth is shared by the users who correspond to the Policy).
MAX. Bandwidth Per Source IP
Set the maximum bandwidth permitted by the policy for each source IP. If the IP's bandwidth exceeds the set value, the surplus connections cannot be established.
MAX. Concurrent Sessions Per IP
Set the concurrent sessions permitted by the policy for each IP. If the IP's sessions exceed the set value, the surplus connections cannot be established.
MAX. Concurrent Sessions
Set the concurrent sessions permitted by the policy as a whole. If the sessions of the whole Policy exceed the set value, the surplus connections cannot be established.
NAT
The NAT function is available for Incoming, WAN to DMZ, LAN to DMZ, and DMZ to WAN Policies. It translates the Source IP address into the same IP subnet as the Destination. Enable this function only when the destination server requires that access come from the same IP subnet.
Move
Every packet that passes the RS-2500 is checked against the policies from the first one to the last. Use this selection to change the priority (order) of a policy.
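The first-match, default-drop behaviour described in this chapter, together with the direction classification and the two session caps, as an added example in Python (this is not AirLive's code; the RS-2500 does not expose its matching logic). The LAN and DMZ subnets follow the manual's configuration examples; the blocked WAN group 203.0.113.0/24 and the rule set returned by build_rules() are constructed to mirror the Deny-first ordering of example 19.2 and the 100-session FTP cap of example 19.5:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed internal subnets (the manual's own examples use 192.168.1.0/24 for
# LAN and 192.168.254.0/24 for DMZ); any other address is treated as WAN.
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.254.0/24"),
}

# The manual's six policy directions, keyed by (source zone, destination zone).
DIRECTIONS = {
    ("LAN", "WAN"): "Outgoing",
    ("WAN", "LAN"): "Incoming",
    ("WAN", "DMZ"): "WAN to DMZ",
    ("LAN", "DMZ"): "LAN to DMZ",
    ("DMZ", "LAN"): "DMZ to LAN",
    ("DMZ", "WAN"): "DMZ to WAN",
}


def zone_of(ip: str) -> str:
    """Classify an address as LAN, DMZ or WAN from the gateway's point of view."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass
class Rule:
    """One policy entry; "any" mirrors the WebUI default for address and service."""
    direction: str
    src: str = "any"               # CIDR or "any" (Source Address)
    dst: str = "any"               # CIDR or "any" (Destination Address)
    service: str = "any"           # service name (Service)
    action: str = "permit"         # "permit" or "deny" (Action, WAN Port)
    max_sessions_per_ip: int = 0   # MAX. Concurrent Sessions Per IP, 0 = no limit
    max_sessions: int = 0          # MAX. Concurrent Sessions, 0 = no limit
    sessions: Dict[str, int] = field(default_factory=dict)  # open sessions per source

    def matches(self, direction: str, src_ip: str, dst_ip: str, service: str) -> bool:
        if direction != self.direction:
            return False
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return self.service in ("any", service)

    def open_session(self, src_ip: str) -> str:
        """Apply the two session caps; a surplus connection is refused."""
        if self.max_sessions and sum(self.sessions.values()) >= self.max_sessions:
            return "deny:max-concurrent-sessions"
        per_ip = self.sessions.get(src_ip, 0)
        if self.max_sessions_per_ip and per_ip >= self.max_sessions_per_ip:
            return "deny:max-sessions-per-ip"
        self.sessions[src_ip] = per_ip + 1
        return "permit"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, service: str) -> str:
    """First matching rule decides; a packet matching no rule is intercepted."""
    direction: Optional[str] = DIRECTIONS.get((zone_of(src_ip), zone_of(dst_ip)))
    if direction is None:          # same-zone traffic never crosses the gateway
        return "drop:no-policy"
    for rule in rules:
        if rule.matches(direction, src_ip, dst_ip, service):
            return "deny" if rule.action == "deny" else rule.open_session(src_ip)
    return "drop:no-policy"


def build_rules(deny_first: bool = True) -> List[Rule]:
    """Constructed rule set: a Deny rule for a blocked WAN group placed in front
    of the general Outgoing permit (example 19.2), plus a WAN to DMZ rule for
    the FTP server capped at 100 concurrent sessions (example 19.5)."""
    block_group = Rule("Outgoing", dst="203.0.113.0/24", action="deny")
    allow_out = Rule("Outgoing")
    ftp_dmz = Rule("WAN to DMZ", dst="192.168.254.2/32", service="FTP", max_sessions=100)
    outgoing = [block_group, allow_out] if deny_first else [allow_out, block_group]
    return outgoing + [ftp_dmz]


if __name__ == "__main__":
    rules = build_rules()
    print(evaluate(rules, "192.168.1.5", "203.0.113.7", "HTTP"))              # deny
    print(evaluate(rules, "192.168.1.5", "198.51.100.9", "HTTP"))             # permit
    print(evaluate(build_rules(False), "192.168.1.5", "203.0.113.7", "HTTP"))  # permit
```

Swapping the two Outgoing rules (deny_first=False) makes the Deny entry unreachable, which is the ordering point the Move field exists for: a permit-any rule placed in front silently shadows every rule after it.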
19. Configuration Example: Policy Setting
19.1 Configuration Example (1) - Traffic Log, Statistics
Set up a policy that can monitor the internal users. (Take Traffic Log and Statistics for example)
STEP 1. Enter the following setting in Outgoing Policy:
Click New Entry
Select Traffic Log
Select Statistics
Click OK (Figure 19-1)
Figure 19-1 Setting the different Policies
STEP 2. Complete the setting of Logging, Statistics, and Alarm Threshold in Outgoing Policy: (Figure 19-2)
Figure 19-2 Complete Policy Setting
STEP 3. To monitor all the packets passing through the RS-2500, view the information in Traffic Log of the Log function. (Figure 19-3)
Figure 19-3 Traffic Log Monitor WebUI
STEP 4. To display the records of traffic that accessed the Internet through the Policy, view Policy Statistics in the Statistics function. (Figure 19-4)
Figure 19-4 Statistics WebUI
19.2 Configuration Example (2) - Specific WAN Addresses, Content Blocking, Application Blocking
Forbid the users from accessing a specific network. (Take specific WAN IP, Content Blocking and Application Blocking for example)
STEP 1. Enter the following settings in URL Blocking, Script Blocking, and Download Blocking of the Content Blocking function, and in the Application Blocking function: (Figure 19-5, 19-6, 19-7, 19-8)
Figure 19-5 URL Blocking Setting
Figure 19-6 Script Blocking Setting
Figure 19-7 Download Blocking Setting
Figure 19-8 Application Blocking Setting
URL Blocking restricts which specific Websites the Internal Users can access.
Script Blocking restricts the Internal Users from accessing Script files of Websites (Java, Cookies, etc.).
Download Blocking restricts the Internal Users from directly accessing video, audio, and files with specific extensions over the http protocol.
Application Blocking restricts the Internal Users from sending messages, files, audio, and video by instant messaging (e.g. MSN, Yahoo Messenger, QQ, ICQ, Skype, Google Talk, and Gadu-Gadu), and from accessing files on the Internet by P2P (eDonkey, BT, WinMX).
STEP 2. Enter the following in WAN and WAN Group of the Address function: (Figure 19-9, 19-10)
Figure 19-9 Setting the WAN IP to be blocked
Figure 19-10 WAN Address Group
The Administrator can group custom addresses in Address. This makes it more convenient to set policy rules.
STEP 3. Create the first Outgoing Policy rule with the following steps to restrict users from accessing the specific network:
Click New Entry
Destination Address: Select the WAN_Group set in STEP 2. (Blocking by IP)
Action, WAN Port: Select Deny
Click OK (Figure 19-11)
Figure 19-11 Setting the first Policy rule to restrict access to a specific WAN Network
STEP 4. Create the second Outgoing Policy rule to enable Content Blocking and Application Blocking:
Click New Entry
Select to enable Content Blocking
Select to enable Application Blocking
Click OK (Figure 19-12)
Figure 19-12 Setting the second Blocking Policy rule
STEP 5. The setting that forbids the users from accessing the specific network is complete. (Figure 19-13)
Figure 19-13 Complete Policy Setting
Deny in Policy blocks the packets that correspond to the policy rule. The System Administrator can put the Deny rule in front so that it is matched before the permit rule and prevents the users from connecting to the specific IP.
19.3 Configuration Example (3) - Authentication, Schedule
Only allow the users who pass Authentication to access the Internet during a particular time.
STEP 1. Enter the following in the Schedule function: (Figure 19-14)
Figure 19-14 Add New Schedule
STEP 2. Enter the following in Auth User and Auth User Group of the Authentication function: (Figure 19-15)
Figure 19-15 Setting Auth User Group
The Administrator can use the group function for Authentication Users and Services. This makes it more convenient to set policies.
STEP 3. Create the first Outgoing Policy to allow the DNS service to pass through:
Click New Entry
Service: Select DNS.
Click OK (Figure 19-16)
Figure 19-16 DNS Policy Setting
STEP 4. Enter the following setting in Outgoing Policy:
Click New Entry
Authentication User: Select laboratory
Schedule: Select Working_Time
Click OK (Figure 19-17)
Figure 19-17 Setting a Policy of Authentication and Schedule
STEP 5. The policy rule that only allows the users who pass authentication to access the Internet during a particular time is complete. (Figure 19-18)
Figure 19-18 Complete Policy Setting
19.4 Configuration Example (4) - Virtual Server
An external user controls an internal PC through remote control software. (Take VNC for example)
STEP 1. Create a custom service for the VNC ports. (TCP 5800, 5900) (Figure 19-19)
Figure 19-19 Setting Custom Service
STEP 2. Select the following setting in Virtual Server1 of the Virtual Server function, and assign it to the LAN device with IP 192.168.1.2. (Figure 19-20)
Figure 19-20 Setting Virtual Server
STEP 3. Enter the following in Incoming Policy:
Click New Entry; the system automatically selects the Virtual Server setting and fills in the fields.
Click OK (Figure 19-21)
Figure 19-21 Setting the Policy for the External User to Control the Internal PC
STEP 4. The policy for the external user to control the internal PC through remote control software is complete. (Figure 19-22)
Figure 19-22 Complete Policy Setting
19.5 Configuration Example (5) - QoS, Virtual Server, MAX. Concurrent Sessions
Set up an FTP Server under DMZ NAT Mode and restrict the download bandwidth and the MAX. Concurrent Sessions.
STEP 1. Set up an FTP Server under DMZ, whose IP is 192.168.254.2. (The DMZ Interface Address is 192.168.254.1/24)
STEP 2. Enter the following setting in Virtual Server1 of the Virtual Server function: (Figure 19-23)
Figure 19-23 Setting up Virtual Server Corresponding to the FTP Server
When using the Incoming or WAN to DMZ function in Policy, it is strongly suggested not to select ANY in Service. Otherwise the server may be attacked by hackers easily.
STEP 3. Enter the following in QoS: (Figure 19-24)
Figure 19-24 QoS Setting
STEP 4. Enter the following in WAN to DMZ Policy:
Click New Entry
Destination Address: Select Virtual Server1 (61.11.11.12)
Service: Select FTP (21)
QoS: Select FTP_QoS
MAX. Concurrent Sessions: Enter 100
Click OK (Figure 19-25)
Figure 19-25 Add New Policy
STEP 5. The policy restricting the external users' access to the internal network server (which may occupy network resources) is complete. (Figure 19-26)
Figure 19-26 Complete the Policy Setting
20. Web VPN / SSL VPN
Since the Internet is in widespread use these days, the demand for secure remote connections is increasing. To meet this demand, SSL VPN is the best solution: using only a standard browser, clients can transfer data securely over the SSL security protocol, eliminating the need to install any software or hardware.
20.1 Setting
Term of Setting (Figure 20-1)
VPN IP of Client: Various settings between the client and the RS-2500 can be set when establishing an SSL VPN, including the IP range, encryption algorithm, communication protocol, port number, allocated DNS and WINS servers, whether NAT is used by the internal subnet, hardware authentication, client/group authentication and the connection time.
Internal Subnet of Server: Set the subnet of the server that can be accessed by the client user. Several IP subnets may be defined for remote Web/SSL VPN clients.
Figure 20-1 Web/SSL VPN Setting-1
The SSL VPN IP address range cannot overlap with the addresses of any of the following internal network segments or servers: LAN, DMZ and PPTP server.
Term of Setting (Figure 20-2)
VPN IP Range: The IP subnet of the Web/SSL VPN connection. When a user connects to the RS-2500 via Web/SSL VPN, he obtains an IP address from this range. By default, the VPN IP Range is set to a different IP subnet from the RS-2500 LAN IP, but the remote user can still access RS-2500 LAN resources.
DES: DES, an acronym for Data Encryption Standard, is a cipher that was selected by NIST (National Institute of Standards and Technology), using a 56-bit key for encryption.
3DES: 3DES, an acronym for Triple Data Encryption Standard, provides significantly enhanced security by executing the core DES algorithm three times in a row, and is more difficult to break than DES, using a 168-bit key size.
AES: AES, an acronym for Advanced Encryption Standard, is more difficult to break than DES. The DES encryption key is 56 bits long; by contrast, AES keys can be 128, 192 or 256 bits long.
Server Port: The port number is changeable. The Web/SSL VPN Server transfers data to the client side through the Server port. If the RS-2500 is deployed behind a router, the router must be configured to allow HTTPS and the Server Port through to the RS-2500; otherwise the Web/SSL VPN may not work well.
Enable DNS and WINS server addresses to clients: If the user enables this function, the DNS server IP and WINS Server IP are assigned to the remote client PC.
Enable NAT mode: If the user enables this function, packets from outside carry the LAN port IP address of the RS-2500 in their header. It is designed for a specific server that requires this. Most users do not need to enable it.
Enable hardware authentication: This function makes the login process easier for users who often use the Web/SSL VPN function. By default, the system assigns a client PC to the Dropped list the first time the client PC connects.
Authentication User or Group: The RS-2500 Web/SSL VPN can work together with the Authentication function to authorize the access rights of VPN clients.
Enable hardware authentication only: If the client PC has been moved to the Accepted list, it can access RS-2500 LAN resources without passing authentication.
Enable Authentication User or Group only: If the client PC passes the authentication, it can access RS-2500 LAN resources.
Hardware Authentication set to Accepted and Authentication User or Group enabled: The client PC can access RS-2500 LAN resources without passing authentication.
Hardware Authentication set to Dropped and Authentication User or Group enabled: The client PC does not pass hardware authentication; however, if it can pass User or Group authentication, the client PC can still access RS-2500 LAN resources.
Auto-disconnect if idle for □ Minutes: When the client user does not access the Web/SSL VPN for the set time, the system disconnects the VPN automatically. (0 means always connected)
Figure 20-2 Web/SSL VPN setting-2
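A pre-deployment check for the setting terms above, as an added example that is not part of the manual or of AirLive's firmware: it applies the non-overlap rule for the VPN IP Range against the LAN, DMZ and PPTP client segments, flags the 56-bit DES choice, notes when no authentication method is enabled, and notes when Auto-disconnect is 0. The settings dictionary reproduces the values of the section 20.4 example; the PPTP pool 192.168.200.0/24, the LAN/DMZ subnets taken from the chapter 19 examples, and the dictionary field names are assumptions:

```python
from ipaddress import ip_network
from typing import Dict, List, Optional

# Key lengths as the manual states them for the three selectable ciphers.
KEY_BITS = {"DES": 56, "3DES": 168, "AES": 128}

# Constructed setting mirroring the section 20.4 example; the PPTP pool is assumed.
EXAMPLE_SETTINGS: Dict[str, object] = {
    "vpn_ip_range": "192.168.222.0/255.255.255.0",
    "lan": "192.168.1.0/24",           # LAN interface used in the chapter 19 examples
    "dmz": "192.168.254.0/24",         # DMZ interface from example 19.5
    "pptp_pool": "192.168.200.0/24",   # assumed PPTP client pool (not from the manual)
    "encryption": "3DES",
    "protocol": "TCP",
    "server_port": 1194,
    "hardware_auth": True,
    "auth_group": "Web_VPN_Group",
    "idle_minutes": 0,
}


def check_vpn_ip_range(vpn_range: str, lan: str, dmz: str,
                       pptp_pool: Optional[str] = None) -> List[str]:
    """Return the names of internal segments the VPN IP Range overlaps with.
    An empty list means the range satisfies the manual's non-overlap rule.
    The WebUI accepts 'network/netmask' notation, which ip_network also parses."""
    vpn = ip_network(vpn_range.replace(" ", ""), strict=False)
    conflicts = []
    for name, net in (("LAN", lan), ("DMZ", dmz), ("PPTP", pptp_pool)):
        if net and vpn.overlaps(ip_network(net, strict=False)):
            conflicts.append(name)
    return conflicts


def review_settings(s: Dict[str, object]) -> List[str]:
    """Review one Web/SSL VPN setting and return finding codes (empty = clean)."""
    findings: List[str] = []
    for name in check_vpn_ip_range(str(s["vpn_ip_range"]), str(s["lan"]),
                                   str(s["dmz"]), s.get("pptp_pool")):
        findings.append(f"range-overlap:{name}")
    # Anything under 128 bits (DES, or an unknown cipher name) is flagged.
    if KEY_BITS.get(str(s["encryption"]), 0) < 128:
        findings.append(f"weak-cipher:{s['encryption']}")
    # With neither hardware nor user/group authentication, nobody is checked.
    if not s["hardware_auth"] and not s.get("auth_group"):
        findings.append("no-authentication")
    # 0 means "always connected": idle sessions are never cleared.
    if s["idle_minutes"] == 0:
        findings.append("idle-timeout-disabled")
    return findings


if __name__ == "__main__":
    for code in review_settings(EXAMPLE_SETTINGS):
        print(code)
```

The example setting passes every check except the idle timeout, which the manual's own walkthrough sets to 0; a practitioner would normally give remote sessions a finite idle limit so that a client left connected does not hold a VPN address and LAN access indefinitely.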
20.2 Hardware Auth
Term of Hardware Auth (Figure 20-3)
Accepted Hardware Authentication User: A list of the permitted client hardware that can establish an SSL VPN connection to the RS-2500.
Dropped Hardware Authentication User: A list of the client hardware that is not permitted to establish an SSL VPN connection with the RS-2500.
Figure 20-3 Web/SSL VPN Hardware Auth
Hardware authentication provides a convenient alternative to
username/password authentication. Clients only need to be added to
the Accepted User list for the system to authenticate their computer
based on their hardware (MAC address).
20.3 Status
Term of Status (Figure 20-4)
User Name: Shows the user name of the client user.
Real IP: Shows the real IP of the client user.
VPN IP: Shows the client IP address allocated by the RS-2500.
Uptime: Shows the connection duration between the client and the RS-2500.
Configuration change: Stops the connection between the RS-2500 and the SSL VPN.
Figure 20-4 Web/SSL VPN Status
Users can only use a Microsoft Windows system to connect to the RS-2500 Web/SSL VPN.
Web/SSL VPN is supported on the IE, Firefox, Safari, and Google Chrome browsers.
When a user connects to the RS-2500 Web/SSL VPN Server for the first time, the server downloads a Java program to the client PC. If the client PC has a different version of the Java program pre-installed and shows an error when displaying the Web/SSL VPN connection, remove the pre-installed Java program and accept the Java installation from the Web/SSL VPN server, or download the latest version of the program from the Java website.
20.4 Configuration Example
Configuring Web/SSL VPN Connection settings for External Clients
STEP 1. Click Interface > WAN, and activate the HTTPS function. (Figure 20-5)
Figure 20-5 WAN Interface
STEP 2. Click Policy Object > Authentication > User, and add the following entries: (Figure 20-6)
Figure 20-6 User Authentication entries
STEP 3. Click Policy Object > Authentication > User Group, and add the following entries: (Figure 20-7)
Figure 20-7 Group Authentication users
STEP 4. Click Web VPN/ SSL VPN > Setting
Click Modify.
Check the Enable Web VPN checkbox.
Enter 192.168.222.0/ 255.255.255.0 in the VPN IP Range field.
From the Encryption algorithm drop-down list, choose 3DES.
From the Protocol drop-down list, choose TCP.
Enter 1194 in the Server Port field.
Check Enable hardware authentication.
From the Authentication user or group drop-down list, choose Web_VPN_Group.
Enter 0 in the Auto-disconnect if idle field.
Click OK. (Figure 20-8)
A new Internal Subnet of Server appears that shows the internal subnet that the client is permitted to access. (Figure 20-9)
Figure 20-8 Enable Web VPN Setting
Figure 20-9 New Web/SSL VPN is created
STEP 5. Configure the setting from a browser:
Enter http://61.11.11.11/sslvpn or http://59.124.36.170/webvpn in the URL field (the RS-2500 interface address plus sslvpn or webvpn). (Figure 20-10)
Figure 20-10 Login SSL VPN Screen
Click Yes in the Security Alert window. (Figure 20-11)
Figure 20-11 Security Alert Window
Click Yes in the Warning-HTTPS window. (Figure 20-12)
Figure 20-12 Warning HTTPS Window
In the Authentication window, enter josh in the User Name field. Enter 3333 in
the Password field. Click OK. (Figure 20-13)
Figure 20-13 Authentication Window
Installation in progress. (Figure 20-14)
Figure 20-14 SSL VPN Software installation in progress
Connection success. (Figure 20-15)
Figure 20-15 Connection Complete
STEP 6. To see the following connection information, click Web VPN/ SSL VPN > Status. (Figure 20-16)
Figure 20-16 Connection Complete
STEP 7. Web VPN / SSL VPN > Hardware Auth displays the Not Accepted User list. The user can be selected and moved to the Accepted User list by clicking Accept. (Figure 20-17, 18, 19)
Figure 20-17 Select the user and move to Accept
Figure 20-18 Confirming To Move the User to the Accepted User List
Figure 20-19 User Moved to the Accepted List
STEP 8. The accepted user settings are now complete. When a user establishes an SSL VPN connection through the RS-2500, the hardware can be directly authenticated without the need to enter a username and password again.
When hardware authentication and user/group authentication are both enabled, the device will first try to authenticate by hardware authentication.
1. If the PC hardware information is on the Accepted User list, then they are permitted to establish a Web VPN connection.
2. If the PC hardware information is on the Not Accepted User list, then they will need to be authenticated by username/password to establish a Web VPN connection.
3. If the PC is on neither list, the device will automatically add the hardware information to the Not Accepted User list. The user will have to be authenticated by username/password to establish a Web VPN connection.
When only hardware authentication is enabled:
1. If the hardware information is on the accepted list, the user will be able to establish a Web VPN connection.
2. If the PC hardware is on the Not Accepted User list, then they will not be able to establish a Web VPN connection.
If hardware authentication is disabled, then the user will need to authenticate using a username/password to establish a Web VPN connection.
If the client user's PC doesn't have the SUN JAVA Runtime Environment software installed, then it will automatically be downloaded and installed during the SSL VPN connection login phase.
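The decision rules listed above, as an added example in Python (it is not the RS-2500's code). The two lists are modelled as sets of MAC addresses, since section 20.2 says hardware authentication identifies the computer by its MAC address; the auto-add of an unseen PC follows section 20.1. The case where neither method is enabled is not described in the manual and is refused here as an assumption:

```python
from typing import Set, Tuple


def authorize_client(mac: str, credentials_ok: bool, hardware_auth: bool,
                     user_auth: bool, accepted: Set[str],
                     not_accepted: Set[str]) -> Tuple[bool, str]:
    """Decide whether a Web/SSL VPN client may connect. Returns (allowed, reason).
    not_accepted is mutated: a PC seen for the first time is added to it."""
    mac = mac.lower()
    if hardware_auth:
        if mac in accepted:
            # Accepted hardware skips the username/password step entirely.
            return True, "hardware-accepted"
        if mac not in not_accepted:
            # Neither list: the device records it on the Not Accepted list.
            not_accepted.add(mac)
        if not user_auth:
            # Hardware authentication only: Not Accepted means no connection.
            return False, "hardware-not-accepted"
    if user_auth:
        # Hardware disabled, or hardware not accepted with user auth enabled.
        if credentials_ok:
            return True, "user-authenticated"
        return False, "bad-credentials"
    # Assumption: with no method enabled, refuse rather than admit everyone.
    return False, "no-authentication-enabled"


def accept_hardware(mac: str, accepted: Set[str], not_accepted: Set[str]) -> None:
    """Administrator action from STEP 7: move a PC from Not Accepted to Accepted."""
    mac = mac.lower()
    not_accepted.discard(mac)
    accepted.add(mac)


if __name__ == "__main__":
    accepted_list, not_accepted_list = set(), set()
    # Constructed MAC address for the walkthrough.
    print(authorize_client("00:11:22:33:44:55", True, True, True,
                           accepted_list, not_accepted_list))   # (True, 'user-authenticated')
    accept_hardware("00:11:22:33:44:55", accepted_list, not_accepted_list)
    print(authorize_client("00:11:22:33:44:55", False, True, True,
                           accepted_list, not_accepted_list))   # (True, 'hardware-accepted')
```

A MAC address identifies a network interface rather than a person, so the Accepted list is best treated as a convenience for known machines, with user/group authentication kept enabled for connections that reach sensitive LAN resources.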
21. Anomaly Flow IP
When the RS-2500 has detected attacks from hackers, or internal PCs that are sending large DDoS attacks, the Anomaly Flow IP function starts blocking these packets to maintain the whole network.
In this chapter, we give a detailed illustration of Anomaly Flow IP:
Define the required fields of Virus-infected IP
The threshold sessions of virus-infected (per source IP):
When the session number (per source IP) has exceeded the limit of anomaly flow sessions per source IP, the RS-2500 takes this kind of IP to be an anomaly flow IP and takes some actions. For example, it blocks the anomaly flow IP or sends the notification.
Virus-infected IP Blocking:
The RS-2500 can block the sessions of a virus-infected IP as soon as any anomaly flow occurs.
Notification:
The RS-2500 can notify the user and the system administrator by e-mail or NetBIOS notification.
After the System Manager enables Anomaly Flow IP, if the RS-2500 has detected any abnormal situation, the alarm message appears in Virus-infected IP. And if the system manager enables the E-mail Alert Notification in Settings, the device sends an e-mail to alert the system manager automatically.
Configuration Example
Prevent a computer which is being attacked from sending DDoS packets to the LAN network.
STEP 1. Select Anomaly Flow IP setting and enter the following:
Enter The threshold sessions of anomaly flow (per Source IP) (the default value is 100 Sessions/Sec)
Select Enable Virus-infected IP Blocking and enter the Blocking Time (the default time is 600 seconds)
Select Enable E-Mail Alert Notification
Select Enable NetBIOS Alert Notification
IP Address of Administrator: Enter 192.168.1.10
Click OK
Anomaly Flow IP Setting is completed. (Figure 21-1)
Figure 21-1 Anomaly Flow IP Setting
After completing the Internal Alert Settings, if the device has detected an internal computer sending large DDoS attack packets, the alarm message appears in Virus-infected IP, or a NetBIOS Alert notification is sent to the infected PC and to the Administrator's PC. If the Administrator enables the E-Mail Alert Notification in Setting, the RS-2500 sends an e-mail to the Administrator automatically.
Define the required fields of DoS / Anti-attack Setting
Detect SYN Attack:
Select this option to detect TCP SYN attacks that hackers send continuously to server computers to block or cut down all the connections of the servers. These attacks cause valid users to be unable to connect to the servers.
【SYN Flood Threshold (Total) Pkts/Sec】: The system Administrator can enter the maximum number of SYN packets per second that is allowed to enter the network/RS-2500. If the value exceeds the setting, the device determines it as an attack.
【SYN Flood Threshold (Per Source IP) Pkts/Sec】: The system Administrator can enter the maximum number of SYN packets per second from an attacking source IP Address that is allowed to enter the network/RS-2500. If the value exceeds the setting, the device determines it as an attack.
【SYN Flood Threshold Blocking Time (Per Source IP) Seconds】: When the RS-2500 determines that it is being attacked, it blocks the attacking source IP address for the blocking time you set. After blocking for that many seconds, the device starts to count the SYN packets from the attacking source IP Address again. If the number still exceeds the defined value, it continues to block the attacking IP Address.
Detect ICMP Flood:
When hackers continuously send PING packets to all the machines of the LAN networks or to the RS-2500 via broadcasting, your network is experiencing an ICMP flood attack.
【ICMP Flood Threshold (Total) Pkts/Sec】: The System Administrator can enter the maximum number of ICMP packets per second that is allowed to enter the network/RS-2500. If the value exceeds the setting, the device determines it as an attack.
【ICMP Flood Threshold (Per Source IP) Pkts/Sec】: The System Administrator can enter the maximum number of ICMP packets per second from an attacking source IP Address that is allowed to enter the network/RS-2500. If the value exceeds the setting, the device determines it as an attack.
【ICMP Flood Threshold Blocking Time (Per Source IP) Seconds】: When the RS-2500 determines that it is being attacked, it blocks the attacking source IP address for the blocking time you set. After blocking for that many seconds, the device starts to count the ICMP packets from the attacking source IP Address again. If the number still exceeds the defined value, it continues to block the attacking IP Address.
Detect UDP Flood:
When hackers continuously send PING packets to all the machines of the LAN networks or to the RS-2500 via broadcasting, your network is experiencing a UDP attack.
【UDP Flood Threshold (Total) Pkts/Sec】: The System Administrator can enter the maximum number of UDP packets per second that is allowed to enter the network/RS-2500. If the value exceeds the setting, the device determines it as an attack.
【UDP Flood Threshold (Per Source IP) Pkts/Sec】: The System Administrator can enter the maximum number of UDP packets per second from an attacking source IP Address that is allowed to enter the network/RS-2500. If the value exceeds the setting, the device determines it as an attack.
【UDP Flood Threshold Blocking Time (Per Source IP) Seconds】: When the RS-2500 determines that it is being attacked, it blocks the attacking source IP for the blocking time you set. After blocking for that many seconds, the device starts to count the UDP packets from the attacking source IP again. If the number still exceeds the defined value, it continues to block the attacking IP Address.
Detect Ping of Death Attack:
Select this option to detect attacks in which hackers send tremendous amounts of trash data in PING packets to cause System malfunction. This attack can cause the network speed to slow down, or even make it necessary to restart the computer to restore normal operation.
Detect IP Spoofing Attack:
Select this option to detect spoof attacks. Hackers disguise themselves as trusted users of the network in spoof attacks. They use a fake identity to try to pass through the RS-2500 System and invade the network.
Detect Port Scan Attack:
Select this option to detect the port scans hackers use to continuously scan networks on the Internet to find computers and the vulnerable ports that are open on those computers.
Detect Tear Drop Attack:
Select this option to detect tear drop attacks. These are packets that are segmented into small packets with negative length. Some Systems treat the negative value as a very large number and copy enormous data into the System, causing System damage such as a shut down or a restart.
Filter IP Route Option:
Each IP packet can carry an optional field that specifies a replying address that can differ from the source address in the packet's header. Hackers can use this address field on disguised packets to invade LAN networks and send the LAN networks' data back to them.
Detect Land Attack:
Some Systems may shut down when receiving packets with the same source and destination addresses, the same source port and destination port, and the SYN flag set in the TCP header. Enable this function to detect such abnormal packets.
Non-detected IP:
The System administrator can set up IP addresses to be non-detected IPs, because some of these IPs provide a large number of services and could otherwise be judged as anomaly flow IPs. Use this function to avoid that problem.
After the System Manager enables Anomaly Flow IP, if the RS-2500 has detected any abnormal situation, the alarm message appears in Virus-infected IP or Attack Event. And if the system manager enables the E-mail Alert Notification in Settings, the device sends an e-mail to alert the system manager automatically.
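The per-second threshold and blocking-time mechanics described above (a Total threshold, a Per Source IP threshold, a blocking time after which the source is counted again and re-blocked if still over, and the Non-detected IP list), as an added example that is not the RS-2500's implementation. The packet trace is constructed; the thresholds and the 2-second blocking time are chosen so that the re-check after a block is visible in a short replay (the Anomaly Flow IP example above uses 600 seconds as its default blocking time):

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Alarm = Tuple[int, str, str]   # (second, kind, source IP or "*" for the total)


def detect_floods(packets: Iterable[Tuple[float, str]], total_threshold: int,
                  per_source_threshold: int, blocking_time: int,
                  non_detected: Set[str] = frozenset()
                  ) -> Tuple[List[Alarm], Dict[str, int], Dict[str, int]]:
    """Replay (timestamp, source IP) packets in time order and apply both
    thresholds once per second. A source over its threshold is blocked for
    blocking_time seconds; when that expires it is counted again and blocked
    again if still over. Returns (alarms, dropped per source, blocked_until)."""
    blocked_until: Dict[str, int] = {}
    alarms: List[Alarm] = []
    dropped: Counter = Counter()
    current_sec = None
    counts: Counter = Counter()

    def close_second(sec: int, counts: Counter) -> None:
        # Total threshold looks at everything that was admitted this second.
        if sum(counts.values()) > total_threshold:
            alarms.append((sec, "total-threshold", "*"))
        # Per-source threshold skips the Non-detected IP list (busy servers).
        for src, n in counts.items():
            if src not in non_detected and n > per_source_threshold:
                blocked_until[src] = sec + 1 + blocking_time   # block from next second
                alarms.append((sec, "per-source-threshold", src))

    for ts, src in packets:
        sec = int(ts)
        if sec != current_sec:
            if current_sec is not None:
                close_second(current_sec, counts)
            current_sec, counts = sec, Counter()
        if blocked_until.get(src, 0) > sec:
            dropped[src] += 1       # inside the blocking time: drop, do not count
            continue
        counts[src] += 1
    if current_sec is not None:
        close_second(current_sec, counts)
    return alarms, dict(dropped), blocked_until


def sample_packets() -> List[Tuple[float, str]]:
    """Constructed traffic: five quiet LAN hosts at 10 pkts/s, one busy file
    server (192.168.1.200, to be placed on the Non-detected IP list) at
    200 pkts/s, and an infected PC (192.168.1.99) flooding 300 pkts/s from t=2."""
    pkts: List[Tuple[float, str]] = []
    for sec in range(7):
        for host in range(5):
            pkts += [(sec, f"192.168.1.{10 + host}")] * 10
        pkts += [(sec, "192.168.1.200")] * 200
        if sec >= 2:
            pkts += [(sec, "192.168.1.99")] * 300
    return pkts


if __name__ == "__main__":
    alarms, dropped, blocked = detect_floods(sample_packets(), total_threshold=400,
                                             per_source_threshold=100, blocking_time=2,
                                             non_detected={"192.168.1.200"})
    for alarm in alarms:
        print(alarm)
    print("dropped:", dropped, "blocked until:", blocked)
```

With these numbers the infected PC trips the per-source threshold at second 2, is blocked for seconds 3 and 4, is counted again at second 5, trips the threshold once more and is blocked again; the file server never raises an alarm because it is on the non-detected list, although its traffic still counts toward the Total threshold, which is why the total alarm fires in the same seconds.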
Configuration Example
To record the attack alarm when a hacker attacks the RS-2500 and the Intranet.
STEP 1. Select the following settings in the DoS / Anti-Attack Setting function: (Figure 21-2)
Figure 21-2 DoS / Anti-Attack Setting WebUI
STEP 2. When a hacker attacks the RS-2500 and the Intranet, select the Attack Event function to see detailed records of the attacks. (Figure 21-3)
Figure 21-3 Attack Event WebUI
22. Monitor
22.1 Log
Log records all connections that pass through the RS-2500's control policies. The information is classified as Traffic Log, Event Log, Connection Log, Application Blocking Log, and Content Blocking Log.
Traffic Log's parameters are set up when setting up policies. Traffic logs record the details of packets, such as the start and stop time of the connection, the duration of the connection, the source address, the destination address and the services requested, for each control policy.
Event Log records the System Configuration changes made by the Administrator, such as the time of the change, the settings that changed, the IP address used to log in, etc.
Connection Log records all of the connections of the RS-2500. When a connection has a problem, the Administrator can trace the problem back from this information.
Application Blocking Log records the results of Application Blocking when the RS-2500 is configured to block Application connections.
Content Blocking Log records the results of Content Blocking when the Content Blocking function is enabled on the RS-2500.
How to use the Log
The Administrator can use the log data to monitor and manage the device and the networks.
The Administrator can view the logged data to evaluate and troubleshoot the network, such
as pinpointing the source of traffic congestions.
Configuration Example (1) - Traffic Log
To detect the information and Protocol port that users use to access Internet or Intranet via RS-2500
STEP 1﹒Add new policy setting and select to enable Traffic Log. (Figure 22-1)
Figure 22-1 Logging Policy Setting
STEP 2﹒Complete the Logging Setting in Policy: (Figure 22-2)
Figure 22-2 Complete the Logging Setting
STEP 3﹒Click Traffic Log. It will show the packet records that pass this policy. (Figure 22-3)
Figure 22-3 Traffic Log WebUI
STEP 4﹒Click on a specific IP of Source IP or Destination IP in Figure 22-3; it will prompt out a WebUI about the Protocol and Port of the IP. (Figure 22-4)
Figure 22-4 The WebUI of detecting the Traffic Log by IP Address
STEP 5﹒Click on Download Logs. RS-2500 will pop up a notepad file with the log recorded. User can choose the place to save it on the PC instantly. (Figure 22-5)
Figure 22-5 Download Traffic Log Records WebUI
Configuration Example (2) - Event Log
To record the detailed management events (such as Interface and event description of RS-2500) of the Administrator
STEP 1﹒Click Event Log of LOG. The management event records of the administrator will show up. (Figure 22-6)
Figure 22-6 Event Log WebUI
STEP 2﹒Click on Download Logs. RS-2500 will pop up a notepad file with the log recorded. User can choose the place to save it on the PC instantly. (Figure 22-7)
Figure 22-7 Download Event Log Records WebUI
Configuration Example (3) - Connection Log
Click Connection in LOG. It will show the WAN Connection records of the RS-2500. (Figure 22-8)
Figure 22-8 Connection records WebUI
STEP 1﹒Click on Download Logs. RS-2500 will pop up a notepad file with the log recorded. User can choose the place to save it on the PC instantly. (Figure 22-9)
Figure 22-9 Download Connection Log Records WebUI
If the content of the notepad file is not in order, the user can open the file with WordPad, MS Word or Excel; the logs will then be displayed in good order.
Configuration Example (4) - Application Blocking Log
STEP 1﹒Click IM / P2P Blocking in LOG. It will show the Application Blocking records of the RS-2500. (Figure 22-10)
Figure 22-10 Application Blocking records WebUI
STEP 2﹒Click on Download Logs, RS-2500 will pop up a notepad file with the log recorded.
User can choose the place to save in PC instantly. (Figure 22-11)
Figure 22-11 Download Application Blocking Log Records WebUI
Configuration Example (5) - Content Blocking Log
STEP 1﹒Click Content Blocking in LOG. It can show up Content Blocking records of the
RS-2500. (Figure 22-12)
Figure 22-12 Content Blocking records WebUI
STEP 2﹒Click on Download Logs, RS-2500 will pop up a notepad file with the log recorded.
User can choose the place to save in PC instantly. (Figure 22-13)
Figure 22-13 Download Content Blocking Log Records WebUI
Configuration Example (6) - Log Backup
STEP 1﹒Enter Setting in System Configure, select Enable E-mail Alert Notification function and set up the settings. (Figure 22-14)
Figure 22-14 E-mail Setting WebUI
STEP 2﹒Enter Log Backup in Log, select Enable Log Mail Support and click OK. (Figure 22-15)
STEP 3﹒Enter Log Backup in Log, enter the following settings in Syslog Settings:
Select Enable Syslog Messages
Enter the IP in Syslog Host IP Address that can receive Syslog
Enter the receive port in Syslog Host Port
Click OK
Complete the setting (Figure 22-15)
Figure 22-15 Log Mail and Syslog Configuration WebUI
After Log Mail Support is enabled, the log records accumulate continuously; every time the LOG reaches 300 Kbytes, the device will e-mail it to the Administrator and clear the logs automatically.
22.2 Accounting Report
Administrator can use this Accounting Report to inquire about the LAN IP users and WAN IP users, and to gather the statistics of Downstream/Upstream, First packet/Last packet/Duration and the Service for all of the user IPs that pass the RS-2500.
Accounting Report Setting
The Accounting Report function can record the traffic information exchanged between the Intranet and external PCs via RS-2500.
Accounting Report can be divided into two parts: Outbound Accounting Report and Inbound Accounting Report.
Outbound Accounting Report
It is the statistics of the downstream and upstream of the LAN, WAN and all kinds of communication network services.
Source IP: The IP address used by LAN users who use RS-2500.
Destination IP: The IP address used by the WAN service server which uses RS-2500.
Service: The communication service which is listed in the menu when a LAN user uses RS-2500 to connect to the WAN service server.
Inbound Accounting Report
It is the statistics of downstream / upstream for all kinds of communication services; the Inbound Accounting report will be shown if an Internet user connects to a LAN Service Server via RS-2500.
Source IP: The IP address used by WAN users who use RS-2500.
Destination IP: The IP address used by the LAN service server which uses RS-2500.
Service: The communication service which is listed in the menu when WAN users use RS-2500 to connect to the LAN service server.
Configuration Example - Outbound Accounting Report
STEP 1﹒Select to enable the items for Outbound Accounting Report in Setting of Accounting Report function. (Figure 22-16)
Figure 22-16 Accounting Report Setting
STEP 2﹒Enter Outbound in Accounting Report and select Source IP to inquire the statistics of Send/Receive packets, Downstream / Upstream, First packet / Last packet / Duration from the LAN or DMZ user’s IP that pass the RS-2500. (Figure 22-17)
TOP: Select the data you want to review; it presents 10 results in one page.
Source IP: To display the report sorted by Source IP, the LAN users who access the WAN service server via RS-2500.
Downstream: The percentage of downstream and the value of each WAN service server which passes through RS-2500 to the LAN user.
Upstream: The percentage of upstream and the value of each LAN user who passes through RS-2500 to the WAN service server.
First Packet: When the first packet is sent to the WAN service server from the LAN user, the sent time will be recorded by the RS-2500.
Last Packet: When the last packet sent from the WAN service server is received by the LAN user, the sent time will be recorded by the RS-2500.
Duration: The period of time between the first packet and the last packet.
Total Traffic: The RS-2500 will record and display the amount of Downstream and Upstream packets passing from the LAN user to the WAN Server.
Reset Counter: Click the Reset Counter button to refresh the Accounting Report.
Figure 22-17 Outbound Source IP Statistics Report
STEP 3﹒Enter Outbound in Accounting Report and select Destination IP to inquire the statistics of Send/Receive packets, Downstream/Upstream, First packet/Last packet/Duration from the WAN Server that pass the RS-2500. (Figure 22-18)
TOP: Select the data you want to view; it presents 10 results in one page.
Destination IP: To display the report sorted by Destination IP, the IP address used by the WAN service server connecting to RS-2500.
Downstream: The percentage of downstream and the value of each WAN service server which passes through RS-2500 to the LAN user.
Upstream: The percentage of upstream and the value of each LAN user who passes through RS-2500 to the WAN service server.
First Packet: When the first packet is sent from the WAN service server to LAN users, the sent time will be recorded by the RS-2500.
Last Packet: When the last packet from the LAN user is sent to the WAN service server, the sent time will be recorded by the RS-2500.
Duration: The period of time between the first packet and the last packet.
Total Traffic: The RS-2500 will record and display the amount of Downstream and Upstream packets passing from the WAN Server to the LAN user.
Reset Counter: Click the Reset Counter button to refresh the Accounting Report.
Figure 22-18 Outbound Destination IP Statistics Report
STEP 4﹒Enter Outbound in Accounting Report and select Top Services to inquire the statistics webpage of Send/Receive packets, Downstream/Upstream, First packet/Last packet/Duration and the service from the WAN Server that pass the RS-2500. (Figure 22-19)
TOP: Select the data you want to view. It presents 10 results in one page.
According to the downstream / upstream report of the selected TOP numbering, the Protocol Distribution chart is drawn. (Figure 22-20)
Service:To display the report sorted by Port, which LAN users use the RS-2500 to
connect to WAN service server.
Downstream:The percentage of downstream and the value of each WAN service
server who passes through RS-2500 and connects to LAN user.
Upstream:The percentage of upstream and the value of each LAN user who passes
through RS-2500 to WAN service server.
First Packet:When the first packet is sent to the WAN Service Server, the sent time
will be recorded by the RS-2500.
Last Packet:When the last packet is sent from the WAN Service Server, the sent
time will be recorded by the RS-2500.
Duration:The period of time starts from the first packet to the last packet to be
recorded.
Total Traffic:The RS-2500 will record and display the amount of Downstream and
Upstream packets passing from LAN users to WAN service server.
Reset Counter:Click the Reset Counter button to refresh the Accounting Report.
Figure 22-19 Outbound Services Statistics Report
Figure 22-20 The pie chart of the Accounting report based on Service
Press the button to return to the List Table of the Accounting Report window.
The Accounting Report function occupies a lot of hardware resources, so users must take care to choose only the necessary items, in order to avoid slowing down the total performance.
Configuration Example - Inbound Accounting Report
STEP 1﹒Select to enable the items for Inbound Accounting Report in Setting of Accounting Report function. (Figure 22-21)
Figure 22-21 Accounting Report Setting
STEP 2﹒Enter Inbound in Accounting Report and select Top Users to inquire the statistics of Send/Receive packets, Downstream/Upstream, First packet / Last packet / Duration from the WAN user that pass the RS-2500.
TOP: Select the data you want to view. It presents 10 results in one page.
Source IP: To display the report sorted by Source IP, the IP address used by the WAN user connecting to RS-2500.
Downstream: The percentage of Downstream and the value of each WAN user which passes through RS-2500 to the LAN service server.
Upstream: The percentage of Upstream and the value of each LAN service server which passes through RS-2500 to WAN users.
First Packet: When the first packet is sent from WAN users to the LAN service server, the sent time will be recorded by the RS-2500.
Last Packet: When the last packet is sent from the LAN service server to WAN users, the sent time will be recorded by the RS-2500.
Duration: The period of time from the first packet to the last packet recorded.
Total Traffic: The RS-2500 will record and display the amount of Downstream and Upstream packets passing from WAN users to the LAN service server.
Reset Counter: Click the Reset Counter button to refresh the Accounting Report.
STEP 3﹒Enter Inbound in Accounting Report and select Top Sites to inquire the statistics website of Send / Receive packets, Downstream / Upstream, First packet / Last packet / Duration from the WAN user that pass the RS-2500. (Figure 19-24)
TOP: Select the data you want to view. It presents 10 results in one page.
Destination IP: To display the report sorted by Destination IP, the IP address used by the LAN service server passing through RS-2500 to WAN users.
Downstream: The percentage of Downstream and the value of each WAN user who passes through RS-2500 to the LAN service server.
Upstream: The percentage of Upstream and the value of each LAN service server which passes through RS-2500 to WAN users.
First Packet: When the first packet is sent from WAN users to the LAN service server, the sent time will be recorded by the RS-2500.
Last Packet: When the last packet is sent from the LAN service server to WAN users, the sent time will be recorded by the RS-2500.
Duration: The period of time from the first packet to the last packet recorded.
Total Traffic: The RS-2500 will record the sum of time and show the percentage of each WAN user’s upstream / downstream to the LAN service server.
Reset Counter: Click the Reset Counter button to refresh the Accounting Report.
STEP 4﹒Enter Inbound in Accounting Report and select Top Services to inquire the statistics website of Send/Receive packets, Downstream/Upstream, First packet/Last packet/Duration and the service from the WAN Server that pass the RS-2500. (Figure 19-25)
TOP: Select the data you want to view. It presents 10 results in one page.
According to the downstream / upstream report of the selected TOP numbering, the Protocol Distribution chart is drawn. (Figure 19-26)
Service: The report of Communication Service when WAN users use the RS-2500 to connect to the LAN service server.
Downstream: The percentage of downstream and the value of each WAN user who uses RS-2500 to reach the LAN service server.
Upstream: The percentage of upstream and the value of each LAN service server which uses RS-2500 to reach the WAN user.
First Packet: When the first packet is sent to the LAN Service Server, the sent time will be recorded by the RS-2500.
Last Packet: When the last packet is sent from the LAN Service Server, the sent time will be recorded by the RS-2500.
Duration: The period of time from the first packet to the last packet recorded.
Total Traffic: The RS-2500 will record the sum of time and show the percentage of each Communication Service’s upstream / downstream to the LAN service server.
Reset Counter: Click the Reset Counter button to refresh the Accounting Report.
Accounting Report function will occupy lots of hardware resource, so
users must take care to choose the necessary items, in order to avoid
slowing down the total performance.
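The Outbound and Inbound report rows described above can be reproduced from raw flow records. The Python below is an added example (not code or data from the RS-2500): it groups constructed flow records by Source IP, Destination IP or Service and computes the Downstream/Upstream percentages, First Packet, Last Packet, Duration and Total Traffic columns for either direction. The LAN subnet, the Flow fields and the sample flows are assumptions.

```python
"""Accounting Report aggregation modelled on the RS-2500's Outbound/Inbound
views. Added example: the LAN subnet, Flow fields and sample records are
constructed assumptions, not data or code from the device."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed LAN subnet behind the gateway


@dataclass
class Flow:
    ts: datetime   # time the packet passed the gateway
    src: str       # source IP
    dst: str       # destination IP
    service: str   # service label, e.g. "HTTP(80)" (constructed)
    up: int        # bytes travelling LAN -> WAN (upstream)
    down: int      # bytes travelling WAN -> LAN (downstream)


def _is_outbound(f):
    return ip_address(f.src) in LAN and ip_address(f.dst) not in LAN


def _is_inbound(f):
    return ip_address(f.src) not in LAN and ip_address(f.dst) in LAN


def accounting_report(flows, direction="outbound", group_by="source"):
    """Return {key: row} where row carries the manual's columns:
    down, up, down_pct, up_pct, first, last, duration_s, total.

    direction: "outbound" (LAN user -> WAN server) or "inbound" (WAN user ->
    LAN server). group_by: "source", "destination" or "service".
    Percentages are taken against the totals of all flows in that direction.
    """
    select = _is_outbound if direction == "outbound" else _is_inbound
    keyfn = {"source": lambda f: f.src,
             "destination": lambda f: f.dst,
             "service": lambda f: f.service}[group_by]
    rows = defaultdict(lambda: {"down": 0, "up": 0, "first": None, "last": None})
    tot_down = tot_up = 0
    for f in flows:
        if not select(f):
            continue
        r = rows[keyfn(f)]
        r["down"] += f.down
        r["up"] += f.up
        tot_down += f.down
        tot_up += f.up
        # First Packet / Last Packet: earliest and latest time seen for the key
        if r["first"] is None or f.ts < r["first"]:
            r["first"] = f.ts
        if r["last"] is None or f.ts > r["last"]:
            r["last"] = f.ts
    for r in rows.values():
        r["duration_s"] = int((r["last"] - r["first"]).total_seconds())
        r["total"] = r["down"] + r["up"]
        r["down_pct"] = round(100.0 * r["down"] / tot_down, 1) if tot_down else 0.0
        r["up_pct"] = round(100.0 * r["up"] / tot_up, 1) if tot_up else 0.0
    return dict(rows)


def top(report, n=10):
    """TOP view: the n heaviest rows (one page), highest Total Traffic first."""
    return sorted(report.items(), key=lambda kv: kv[1]["total"], reverse=True)[:n]


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample flows (TEST-NET addresses, not real traffic).
SAMPLE = [
    Flow(_t("2024-01-01 09:00:00"), "192.168.1.10", "203.0.113.5", "HTTP(80)", 1000, 9000),
    Flow(_t("2024-01-01 09:05:00"), "192.168.1.10", "203.0.113.5", "HTTP(80)", 500, 4500),
    Flow(_t("2024-01-01 09:02:00"), "192.168.1.20", "203.0.113.9", "SMTP(25)", 3000, 1000),
    Flow(_t("2024-01-01 09:03:00"), "203.0.113.7", "192.168.1.30", "HTTP(80)", 200, 800),
]

if __name__ == "__main__":
    for key, row in top(accounting_report(SAMPLE), n=10):
        print(key, row["down_pct"], row["up_pct"], row["duration_s"], row["total"])
    for key, row in accounting_report(SAMPLE, "inbound", "destination").items():
        print("inbound", key, row["total"])
```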
22.3 Statistic
In this chapter, the Administrator can inquire the RS-2500 for statistics of packets and data that pass across the RS-2500. The statistics provide the Administrator with information about network traffic and network loads.
WAN Statistics: The statistics of Downstream / Upstream packets and Downstream / Upstream traffic records that pass the WAN Interface.
Policy Statistics: The statistics of Downstream / Upstream packets and Downstream / Upstream traffic records that pass a Policy.
Statistics Chart: Y-Coordinate: Network Traffic (Kbytes/Sec); X-Coordinate: Time (Hour/Minute).
Source IP, Destination IP, Service, and Action: These fields record the original data of the Policy. From this information, the Administrator can know which Policy the Policy Statistics belong to.
Time: To view the statistics by minutes, hours, days, weeks, months, or years.
Bits/sec, Bytes/sec, Utilization, Total: The unit used by the Y-Coordinate; the Administrator can change the unit of the Statistics Chart here.
Utilization: The percentage of the traffic relative to the Max. Bandwidth that the System Manager set in the Interface function.
Total: The accumulated total traffic during a unit of time, used as the Y-Coordinate.
WAN Statistics:
STEP 1﹒Enter WAN in Statistics function, it will display all the statistics of
Downstream/Upstream packets and Downstream/Upstream record that pass WAN
Interface. (Figure 22-22)
Figure 22-22 WAN Statistics function
Time: To view the statistics by minutes, hours, days, weeks, months, or years.
WAN Statistics is an additional function of the WAN Interface. When the WAN Interface is enabled, WAN Statistics is enabled too.
STEP 2﹒In the Statistics window, find the network you want to check and click Minute on the right side, and then you will be able to check the Statistics figure every minute; click Hour to check the Statistics figure every hour; click Day to check the Statistics figure every day; click Week to check the Statistics figure every week; click Month to check the Statistics figure every month; click Year to check the Statistics figure every year.
STEP 3﹒Statistics Chart (Figure 22-23)
Y-Coordinate: Network Traffic (Kbytes/Sec)
X-Coordinate: Time (Hour/Minute)
Figure 22-23 To Detect WAN Statistics
Policy Statistics:
STEP 1﹒If you have selected Statistics in Policy, it will start to record the chart of that policy in
Policy Statistics. (Figure 22-24)
Figure 22-24 Policy Statistics Function
If you are going to use Policy Statistics function, the System
Manager has to enable the Statistics in Policy first.
STEP 2﹒In the Statistics WebUI, find the network you want to check and click Minute on
the right side, and then you will be able to check the Statistics chart every minute;
click Hour to check the Statistics chart every hour; click Day to check the Statistics
chart every day; click Week to check the Statistics figure every week; click Month
to check the Statistics figure every month; click Year to check the Statistics figure
every year.
STEP 3﹒Statistics Chart (Figure 22-25)
Y-Coordinate:Network Traffic(Kbytes/Sec)
X-Coordinate:Time(Hour/Minute/Day)
Figure 22-25 To Detect Policy Statistics
22.4 Diagnostic
The device can trace the route of a packet with the Traceroute command to diagnose the quality of the traversed network, and can use ping to ensure that a host computer it is trying to reach is actually operating.
This chapter will be discussing the functionality and application of Diagnostic.
Ping
STEP 1﹒To test whether a host is reachable across an IP network, navigate to Monitor > Diagnostic > Ping, and then configure as below: (Figure 22-26)
Type the Destination IP or Domain name in the Destination IP / Domain
name field.
In Packet size configure the size of each packet. (32 Bytes by default)
In Count, configure the quantity of packets to send out. (4 by default)
In Wait time, specify the duration to wait between successive pings.
(1 second by default)
Select the interface from the Interface drop-down list.
Click OK. (Figure 22-27)
Figure 22-26 Ping Settings
Figure 22-27 Ping result
Note. If VPN is selected from the Interface drop-down list, the user must enter the local LAN IP address in the Interface field. Enter an IP address that is within the same subnet range in the Destination IP / Domain name field.
When the VPN connection is established between the local subnet and the remote subnet, the following method can be employed to test the packet transfer between the two subnets. (Figure 22-28)
Figure 22-28 Ping results for VPN Connection
Traceroute
STEP 1﹒Under Monitor > Diagnostic > Traceroute, the Traceroute command can be used by the RS-2500 to send out packets to a specific address to diagnose the quality of the traversed network. (Figure 22-29)
In Destination IP / Domain name enter the destination address for the
packets.
In Packet size configure the size of each packet. (40 Bytes by default)
In Max Time-to-Live enter the maximum number of hops (30 by default)
In Wait time, specify the duration to wait between successive pings.
(2 seconds by default)
In Interface select the interface that the packets will originate from.
Click OK. (Figure 22-30)
Figure 22-29 Traceroute settings
Figure 22-30 Traceroute Results
22.5 Wake On Lan
The Wake on Lan (WOL) function works to power on a computer remotely. The computer’s network card must also support the WOL function; when it receives the wake-up packets, the computer will boot up automatically.
Normally broadcast packets are not allowed to travel across the Internet, but the user can log in to the RS-2500 remotely and use the Wake on Lan function to boot up the LAN computer.
Configuration Example - Wake On Lan
STEP 1﹒ Select Setting in Wake on Lan, and enter MAC Address to specify the computer
who needs to be booted up remotely. User can press Assist to obtain the MAC
Address from the table list. (Figure 22-31)
Figure 22-31 Wake on Lan Setting
STEP 2﹒ User only needs to press Wake Up button to boot up the specific LAN computer.
(Figure 22-32)
Figure 22-32 Complete Wake on Lan Setting
22.6 Status
The users can see the connection status in Status. For example: LAN IP, WAN IP, Subnet Netmask, Default Gateway, DNS Server Connection and its IP, etc.
Interface: Display all of the current Interface status of the RS-2500
Authentication: The Authentication information of RS-2500
ARP Table: Record all the ARP entries that connect to the RS-2500
DHCP Clients: Display the table of DHCP clients that are connected to the RS-2500
Status - Interface
STEP 1﹒Enter Interface in Status function; it will list the setting for each Interface: (Figure 22-33)
Forwarding Mode: The connection mode of the Interface
WAN Connection: To display the connection status of WAN
Max. Downstream / Upstream Kbps: To display the Maximum Downstream/Upstream Bandwidth of that WAN (set from Interface)
Downstream Alloca.: The distribution percentage of Downstream according to WAN traffic
Upstream Alloca.: The distribution percentage of Upstream according to WAN traffic
PPPoE Con. Time: The last time the RS-2500 was enabled
MAC Address: The MAC Address of the Interface
IP Address/Netmask: The IP Address and its Netmask of the Interface
Default Gateway: To display the Gateway of WAN
DNS1/2: The DNS1/2 Server Address provided by the ISP
Rx/Tx Pkts, Error Pkts: To display the received/sent packets and error packets of the Interface
Ping, HTTP: To display whether the users can Ping the RS-2500 from the Interface or not, or enter its WebUI
Figure 22-33 Interface Status
Status - Authentication
STEP 1﹒Enter Authentication in Status function; it will display the record of login status: (Figure 22-34)
IP Address: The authentication user IP
Auth-User Name: The account of the auth-user who logged in
Login Time: The login time of the user (Year/Month/Day Hour/Minute/Second)
Figure 22-34 Authentication Status WebUI
Status - ARP Table
STEP 1﹒Enter ARP Table in Status function; it will display a table about IP Address, MAC
Address, and the Interface information which is connecting to the RS-2500:
(Figure 22-35)
Anti-ARP virus software: Works to rewrite LAN ARP table as default
IP Address: The IP Address of the network
MAC Address: The identified number of the network card
Interface: The Interface of the computer
Figure 22-35 ARP Table WebUI
Status - DHCP Clients
STEP 1﹒In DHCP Clients of Status function, it will display the table of DHCP Clients that are connected to the RS-2500: (Figure 22-36)
IP Address: The dynamic IP that is provided by the DHCP Server
MAC Address: The MAC address that corresponds to the dynamic IP
Leased Time: The valid time of the dynamic IP (Start/End) (Year/Month/Day/Hour/Minute/Second)
Figure 22-36 DHCP Clients WebUI
23. Frequently Asked Questions
In this chapter, we will address some frequently asked questions about RS-2500.
Question: I forgot my password or the IP address of RS-2500.
Answer: Please restore your settings to default by pressing the reset button for more than 10 seconds. You should be able to find your RS-2500 at 192.168.1.1 with password “airlive”.
====================================================================
Question: Why is the time setting reset to the default setting when I reboot RS-2500?
Answer: RS-2500 does not have a built-in battery, so it cannot save the time permanently, and that is the reason why the time will be reset to default every time you reboot the device.
So, you can configure the NTP server function for RS-2500 to refresh the time when it boots up, but you have to make sure in advance that the WAN port of RS-2500 is working, and the time server you select is also working, or the time will still be reset to the default setting after you reboot RS-2500.
====================================================================
Question: How does the QoS priority function of the RS series gateway system work to assign bandwidth?
Answer: Simply said, the Priority of QoS works to allow users to obtain free or available bandwidth. For example, the line speed is 512/256 Kbps (downstream/upstream). You create two QoS rules:
1. 256/128 Kbps, the priority is low
2. 128/64 Kbps, the priority is middle
So, 128/64 Kbps of bandwidth is free. Presume User Group A was assigned the first QoS rule, and User Group B was assigned the second QoS rule. What if both User Groups access the Internet and their usage bandwidth has reached the limitation? Then the system will assign the free bandwidth to User Group B because its priority is higher than User Group A. Another example for your reference: the line speed is still 512/256 Kbps. You create three QoS rules:
1. 256/128 Kbps, the priority is low
2. 128/64 Kbps, the priority is middle
3. 128/64 Kbps, the priority is high
So, there is not any free bandwidth. Presume User Group A was assigned the first QoS rule, User Group B was assigned the second QoS rule, and User Group C was assigned the third QoS rule. What if the bandwidth used by User Group A does not reach the QoS limitation, so it has some available bandwidth, but User Group B and C exhaust the bandwidth they have? Now the system will assign the available bandwidth to User Group C because its priority is higher than User Group B. Once User Group A needs more bandwidth, the available bandwidth will be taken back from User Group C and assigned to User Group A, because User Group A is designed to have the guaranteed bandwidth, no matter what the priority level is.
====================================================================
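The allocation rule in the answer above (guaranteed bandwidth first, then free bandwidth to the highest priority that still wants more, with a guaranteed group reclaiming what it lent) can be modelled in a few lines. The Python below is an added example, not the gateway’s own algorithm; the group names and demand figures are constructed, and how ties between equal priorities are broken is an assumption.

```python
"""Model of the QoS priority behaviour described in the FAQ answer.
Added example, not the gateway's own algorithm; group names and demands are
constructed. One call handles one direction (downstream or upstream)."""

PRIORITY = {"low": 0, "middle": 1, "high": 2}


def allocate(line_kbps, rules, demand):
    """Share one direction of the line among QoS rules.

    rules:  {group: (guaranteed_kbps, priority)}  e.g. {"A": (256, "low")}
    demand: {group: kbps the group is currently trying to use}
    Returns {group: kbps assigned}.

    Step 1 gives every group its guaranteed bandwidth (or less, if it uses
    less).  Step 2 hands the remaining free bandwidth, including what
    low-demand groups leave unused, to the highest-priority group that still
    wants more, then the next, and so on.  Because step 1 runs first, a
    guaranteed group that later raises its demand automatically reclaims
    bandwidth that step 2 had lent to a higher-priority group.
    """
    guaranteed = sum(g for g, _ in rules.values())
    if guaranteed > line_kbps:
        raise ValueError(f"guaranteed {guaranteed} Kbps exceeds line {line_kbps} Kbps")
    # Step 1: guaranteed share, capped by what the group actually uses.
    alloc = {g: min(rules[g][0], demand.get(g, 0)) for g in rules}
    spare = line_kbps - sum(alloc.values())
    # Step 2: spare bandwidth to still-hungry groups, highest priority first.
    # Ties between equal priorities are resolved in rule order (an assumption).
    for g in sorted(rules, key=lambda g: PRIORITY[rules[g][1]], reverse=True):
        extra = min(spare, demand.get(g, 0) - alloc[g])
        if extra > 0:
            alloc[g] += extra
            spare -= extra
    return alloc


# FAQ example 1, downstream side: 512 Kbps line, two rules, both groups saturated.
TWO_RULES = {"A": (256, "low"), "B": (128, "middle")}
# FAQ example 2: three rules that together consume the whole 512 Kbps line.
THREE_RULES = {"A": (256, "low"), "B": (128, "middle"), "C": (128, "high")}

if __name__ == "__main__":
    # {'A': 256, 'B': 256}: the free 128 Kbps goes to B (higher priority)
    print(allocate(512, TWO_RULES, {"A": 512, "B": 512}))
    # {'A': 100, 'B': 128, 'C': 284}: A's unused share goes to C, not B
    print(allocate(512, THREE_RULES, {"A": 100, "B": 512, "C": 512}))
    # {'A': 256, 'B': 128, 'C': 128}: A reclaims its guarantee from C
    print(allocate(512, THREE_RULES, {"A": 256, "B": 512, "C": 512}))
```

Run it twice for a real line, once with the downstream figures and once with the upstream ones, since the two directions are assigned independently.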
Question: For the authentication function: if authentication is required for services other than HTTP, how can I get authenticated?
Answer: The default port for authentication is port 82. Therefore, please type the following into your web browser’s address: <The gateway’s local IP>:82 For example: 192.168.1.1:82. Then enter your username and password. Then you can get authenticated. For HTTP service, you just need to open your web browser and try to go to any site. Please remember to group the DNS service with the HTTP service, so users can access the web normally.
====================================================================
Question: I did configure the Authentication setting, but why can the client user access the Internet without passing authentication?
Answer: Please check the Outgoing Policy setting. If you only create an Outgoing Policy rule, you need to create another rule to allow the DNS service to pass through, and that rule must be moved to the top.
====================================================================
Question: I would like to block a specific IM or P2P connection, but I did not find the blocking item in the Application Blocking function; how can I block it?
Answer: Please notify us which IM or P2P connection you would like to block, and we will evaluate the possibility of the modification. When the modification is done, Application Blocking can upgrade the signature automatically.
====================================================================
Question: When I enable Application Blocking, why does the performance become slow?
Answer: RS-2500 must check every packet to collect the data, in order to analyze the application type. So we strongly suggest that users not enable all Application Blocking items; just select the application type you would like to block.
Question: Can I connect to Web / SSL VPN from my Linux or MAC PC to RS-2500?
Answer: No, you can only use a Microsoft Windows or Vista system to connect to the RS-2500 Web / SSL VPN server.
====================================================================
Question: Which browser types can I use to connect to Web / SSL VPN?
Answer: Windows IE, FireFox, Safari and Google Chrome browser.
====================================================================
Question: Why can I not access Web / SSL VPN correctly?
Answer: The reason could be related to the java program. You can try the following things before connecting to Web / SSL VPN:
1. Clean the browser’s temporary files.
2. Uninstall the java program, then download and install the latest version of the java software from the java website; or connect to the RS-2500 Web / SSL VPN and the RS-2500 system will download the java program to the client user’s PC.
====================================================================
Question: When I connect to the RS-2500 Web / SSL VPN, a connection named “Web VPN (SSL VPN)” is created in the PC system’s Network Connections setting. How can I remove it?
Answer: You can remove it from the Device Manager setting. Uninstall “TAP-Win32 Adapter V8” from the Network adapters list.
24. Specifications
The specification of RS-2500 is subject to change without notice. Please use the information with caution.
24.1 Hardware Features
Hardware
CPU: Intel IXP 425, 533MHz
DRAM: 128 MB
Flash ROM: 16MB (Flash)
LAN port (Switch Hub): Shield RJ-45 Ethernet UTP port 1 (10/100); Modify the MAC address ○
WAN port: Shield RJ-45 Ethernet UTP port 2 (10/100); Support xDSL/Cable/Leased Line Service ○; Modify the MAC address ○
DMZ port: Shield RJ-45 Ethernet UTP port 1 (10/100); Modify the MAC address ○
Factory Reset Button: ○
Dimensions W x D x H (cm): 22.0 x 15.0 x 4.0
Size: Desktop
Weight (Kgs): 0.94
Power: DC 5V, 2.4A
Performance
Throughput, WAN-LAN / Zone 1-Zone 2 / Port 1-Port 2: 100 Mbps
Throughput, VPN 3DES Encryption: 35 Mbps
Throughput, SSL VPN: 10 Mbps
Max Concurrent Sessions: 110,000
New Sessions / Second: 10,000
Corporation Size: SMB (clients 30~70)
Unlimited User: ○
Security Function
  Hacker Alert: SPI, SYN, ICMP, DoS, UDP, Ping of Death, Port Scan ○
  Email Alert: ○
  Blaster Alarm: Enable Blaster Blocking ○
  Alert Notification (E-Mail / SNMP Trap / NetBIOS): ○ / ╳ / ○
  Anomaly Flow Un-detected IP: ○
  Static ARP: ○

Management
  Web Based UI: Traditional Chinese, Simplified Chinese and English Web UI ○
  Remote management:
    Web Management HTTP ○
    Firmware Upgrade From LAN & WAN (Web UI) ○
    Sub-Administrator (Max entry) 10
    Remote Monitor ○
    Web Management (Port Number) can be changeable ○
    Permitted IPs (Max entry) 32
    Web UI Logout ○
  MTU changeable for WAN: ○
  Interface Statistics: ○
  Traffic Statistics WAN / Policy: ○
  Multiple Subnet (NAT) Routing / NAT (Max entry): ○ / ○ (16)
  Route Table (Max entry): 10
  Dynamic Routing (RIPv2): ○
  Host Table (Max entry): 20
  DDNS (Max entry): 16
  Configuration:
    Save configuration to files ○
    Load configuration from files ○
    Load Default (Factory Reset) ○
  Protocols Supported:
    DHCP Client / Server ○ (LAN & DMZ)
    DHCP Server assign dynamic IP: Up to 512
    DHCP Server assign static IP (MAC+IP) ○
    NTP (Network Time Protocol) ○
    Wake on Lan ○
Bandwidth Manager Function
  QoS:
    Guaranteed Bandwidth ○
    Priority-bandwidth utilization ○
    QoS (Max entry) 100
    Max. Bandwidth (MB) 50
    Personal QoS ○
  Accounting Report: Ranking by IP / Port ○

Authentication
  Authentication User (Max entry): 200
  Authentication Group (Max entry): 20
  RADIUS: ○
  POP3: ○
  URL to redirect: ○
  Messages to display: ○
  Authentication Status
  Disable re-login: ○

Inbound / Outbound Function
  Load-balancing (OutBound): ○ Auto (AI) Mode, By Session, By Packet, Round-Robin, Auto Backup, By Source IP, By Destination IP
  WAN Port connection status: ICMP ○ / DNS ○

VPN Function
  One-Step IPSec: ○
  IPSec Dead Peer Detection: ○
  Show remote Network Neighborhood: ○
  IPSec Autokey:
    IKE, SHA-1, MD5 Authentication ○
    Auto Key management via IKE/ISAKMP ○
    IPSec (Max entry) 200 / 100
  PPTP Server (Max entry) Allow to Configure / Connection Tunnels: 32 / 32
  PPTP Client (Max entry): 16 / 16
  Stateful Packet Inspection: ○
  Supports Windows VPN Client: ○
  VPN Hub: ○
  VPN Trunk (Max entry): 50
  Internal Subnet of Server: 10
  SSL VPN (Web VPN):
    Connection Tunnels (Max entry) 50
    Hardware Auth ○
Firewall Function
  Deployment:
    NAT ○
    Transparent Mode (Enable / Disable) ○
  Address Book:
    Internal (Max entry) 200
    Internal Group (Max entry) 20
    External (Max entry) 100
    External Group (Max entry) 20
    China Telecom & CNC ○
    DMZ (Max entry) 100
    DMZ Group (Max entry) 20
  Service Book:
    Custom (Max entry) 20
    Group (Max entry) 20
  Schedule (Max entry): 20
  Virtual Server:
    Mapped IP (Max entry) 16
    Multiple Virtual Servers 4
    Virtual Server Service Name (Max entry) 16
    Multi-Servers Load Balancing 4
  Policy Control:
    SPI (Stateful Packet Inspection) ○
    MAC Address Filtering ○
    Assign WAN Link by Source IP ○
    Assign WAN Link by Destination IP ○
    Assign WAN Link by Port ○
    Packet Filtering by Source IP ○
    Packet Filtering by Destination IP ○
    Packet Filtering by Port ○
    Access control by group ○
    Time-Schedule Management ○
    Max. Concurrent Sessions ○
    Incoming NAT mode & External To DMZ NAT mode ○
    Outgoing (Max entry) 300
    Incoming (Max entry) 100
    LAN To DMZ (Max entry) 50
    WAN To DMZ (Max entry) 100
    DMZ To LAN (Max entry) 50
    DMZ To WAN (Max entry) 50
    Tips ○
Content Filtering
  URL Blocking (Max entry): 300
  Script Blocking (Java / ActiveX / Cookie / Popup): ○
  Download Blocking:
    All Types Block ○
    Audio and Video Types Block ○
    Extensions Block (exe, zip, rar, iso, bin, rpm, doc, xl?, ppt, pdf, tgz, gz, bat, com, dll, hta, scr, vb?, wps, pif, com, msi, reg, mp3, mpeg, mpg) ○
  Upload Blocking:
    All Types Block ○
    Extensions Block (exe, zip, rar, iso, bin, rpm, doc, xl?, ppt, pdf, tgz, gz, bat, com, dll, hta, scr, vb?, wps, pif, com, msi, reg, mp3, mpeg, mpg) ○
  Auto Update Definitions: 30 min

IM / P2P Blocking
  P2P Blocking: eDonkey ○, BT ○, WinMX ○, Foxy ○, KuGoo ○, AppleJuice ○, AudioGalaxy ○, DirectConnect ○, iMesh ○, MUTE ○, Thunder5 ○, VNN Client ○
  IM Blocking: MSN Messenger ○, Yahoo Messenger ○, ICQ ○, QQ ○, Skype VoIP ○, Google Talk ○, Gadu-Gadu ○
  IM / P2P Rule: ○
  Drop Intruding Packets: ○

Log
  Traffic Log / Event Log / Connection Log: ○ / ○ / ○
  Syslog Settings: ○
  Log Backup: E-mail alert when WAN link failure ○

H/W Watch-Dog
  Auto rebooting when detecting system fails: ○
25. Network Glossary
The network glossary contains explanations of common terms used in networking products. Some of the information in this glossary might be outdated; please use it with caution.
25.1 Interface
RJ-45
Standard connectors for Twisted Pair copper cable used in Ethernet networks. Although they look similar to standard RJ-11 telephone connectors, RJ-45 connectors can have up to eight wires, whereas telephone connectors have only four.
100Base-TX
Also known as 802.3u. The IEEE standard defines how to transmit Fast Ethernet 100Mbps data using Cat.5 UTP/STP cable. The 100Base-TX standard is backward compatible with the 10Mbps 10-BaseT standard.
WAN
Wide Area Network. A communication system for connecting PCs and other computing devices across a large local, regional, national or international geographic area.
LAN
Local Area Network. It is a computer network covering a small physical area or a small group of buildings.
DMZ
Demilitarized Zone. When a router opens a DMZ port to an internal network device, it opens all the TCP/UDP service ports to this particular device.
PPPoE
Point-to-Point over Ethernet. PPPoE is a specification for connecting the users on an Ethernet to the Internet through a common broadband medium, such as a single DSL line, wireless device or cable modem. PPPoE relies on two widely accepted standards: PPP and Ethernet.
Transparent
Transparent mode works to transfer the real IP address from the WAN interface to the device that connects to the DMZ port, so the DMZ device can also get a real IP address and offer services to Internet users.
25.2 System
NAT
Network Address Translation. A network algorithm used by routers to enable several PCs to share a single IP address provided by the ISP. The IP that a router gets from the ISP side is called the Real IP; the IP assigned to a PC under the NAT environment is called the Private IP.
DHCP
Dynamic Host Configuration Protocol. A protocol that enables a server to dynamically assign IP addresses. When DHCP is used, whenever a computer logs onto the network, it automatically gets an IP address assigned to it by the DHCP server. A DHCP server can either be a designated PC on the network or another network device, such as a router.
DNS
A program that translates URLs to IP addresses by accessing a database maintained on a collection of Internet servers.
DDNS
Dynamic Domain Name System. An algorithm that allows the use of a dynamic IP address for hosting an Internet server. The DDNS service provides each user account with a domain name. A router with DDNS capability has a built-in DDNS client that updates the IP address information to the DDNS service provider whenever there is a change. Therefore, users can build a website or other Internet servers even if they don’t have a fixed IP connection.
Subnetwork or Subnet
Found in larger networks, these smaller networks are used to simplify addressing between numerous computers. Subnets connect to the central network through a router, switch or gateway. Each individual wireless LAN will probably use the same subnet for all the local computers it talks to.
IP Address
IP (Internet Protocol) is a layer-3 network protocol that is the basis of all Internet communication. An IP address is a 32-bit number that identifies each sender or receiver of information that is sent across the Internet. An IP address has two parts: an identifier of a particular network on the Internet and an identifier of the particular device (which can be a server or a workstation) within that network. The new IPv6 specification supports a 128-bit IP address format.
MAC
Media Access Control. A MAC address provides layer-2 identification for networking devices. Each Ethernet device has its own unique address. The first 6 digits are unique for each manufacturer. When a network device has a MAC access control feature, only the devices with an approved MAC address can connect to the network.
TCP
A layer-4 protocol used along with IP to send data between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the packets that a message is divided into for efficient routing through the Internet.
UDP
User Datagram Protocol. A layer-4 network protocol for transmitting data that does not require acknowledgement from the recipient of the data.
QoS (Bandwidth Management)
Bandwidth Management controls the transmission speed of a port, user, IP address, and application. The router can use bandwidth control to limit the Internet connection speed of an individual IP or application. It can also guarantee the speed of certain special applications or privileged IP addresses, a crucial feature of the QoS (Quality of Service) function. For a switch’s bandwidth management, please see "Rate Control".
RADIUS
Remote Authentication Dial-In User Service. An authentication and accounting system used by many Internet Service Providers (ISPs). When you dial in to the ISP, you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system. RADIUS typically uses port 1812 and port 1813 as the authentication and accounting ports. Though not an official standard, the RADIUS specification is maintained by a working group of the IETF.
Wake on Lan
The Wake on Lan (WOL) function works to power on the computer remotely. The computer’s network card must also support the WOL function; when it receives the wake-up packets, the computer will auto boot up.
25.3 VPN
VPN
Virtual Private Network. A type of technology designed to increase the security of information over the Internet. A VPN creates a private encrypted tunnel from the end user’s computer, through the local wireless network, through the Internet, all the way to the corporate network.
IPsec
IP Security. A set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs). IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.
PPTP
Point-to-Point Tunneling Protocol: A VPN protocol developed by the PPTP Forum. With PPTP, users can dial in to their corporate network via the Internet. If users require data encryption when using the Windows PPTP client, the remote VPN server must support MPPE (Microsoft Point-To-Point Encryption Protocol) encryption. PPTP is also used by some ISPs for user authentication, particularly when pairing with a legacy Alcatel / Thomson DSL modem.
Preshared Key
The IKE VPN must be defined with a Preshared Key. The Key may be up to 128 bytes long.
SSL
Secure Sockets Layer. A commonly used encryption scheme used by many online retail and banking sites to protect the financial integrity of transactions. When an SSL session begins, the server sends its public key to the browser. The browser then sends a randomly generated secret key back to the server in order to have a secret key exchange for that session. SSL VPN is also known as Web VPN.
ISAKMP (Internet Security Association Key Management Protocol)
An extensible protocol-encoding scheme that complies with the Internet Key Exchange (IKE) framework for the establishment of Security Associations (SAs).
AH (Authentication Header)
One of the IPSec standards that allows for data integrity of data packets.
ESP (Encapsulating Security Payload)
One of the IPSec standards that provides for the confidentiality of data packets.
DES (Data Encryption Standard)
The Data Encryption Standard developed by IBM in 1977 is a 64-bit block cipher using a 56-bit key.
Triple-DES (3DES)
The DES function performed three times with either two or three cryptographic keys.
AES (Advanced Encryption Standard)
An encryption algorithm yet to be decided that will be used to replace the aging DES encryption algorithm and that the NIST hopes will last for the next 20 to 30 years.
NULL Algorithm
It is a fast and convenient connection mode intended to ensure privacy and authentication without encryption. The NULL Algorithm doesn’t provide any other safety services but is a way to substitute for ESP encryption.
SHA-1 (Secure Hash Algorithm-1)
A message-digest hash algorithm that takes a message of less than 2^64 bits and produces a 160-bit digest.
MD5
MD5 is a common message digest algorithm that produces a 128-bit message digest from an arbitrary length input, developed by Ron Rivest.
Main Mode
This is another first phase of the Oakley protocol in establishing a security association, but instead of using three packets like in aggressive mode, it uses six packets.
Aggressive mode
This is the first phase of the Oakley protocol in establishing a security association using three data packets.
GRE/IPSec
The device can select GRE/IPSec (Generic Routing Encapsulation) packet seal technology.
25.4 Anomaly Flow IP
Sasser
Sasser is a computer worm that affects the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable network port (as do certain other worms). Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update.
MSBlaster
The Blaster Worm (also known as Lovsan or Lovesan) was a computer worm that spread on computers running the Microsoft operating systems Windows XP and Windows 2000.
Code Red
The Code Red worm was a computer worm observed on the Internet on July 13, 2001. It attacked computers running Microsoft’s IIS web server.
Nimda
Nimda is a computer worm, and is also a file infector. It quickly spread, eclipsing the economic damage caused by past outbreaks such as Code Red. Multiple propagation vectors allowed Nimda to become the Internet’s most widespread virus/worm within 22 minutes.
SYN Flood
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system.
ICMP Flood
A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network’s bandwidth is quickly used up, preventing legitimate packets from getting through to their destination.
UDP Flood
A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host.
Ping of Death
Ping of Death is an attack in which hackers send tremendous amounts of trash data in PING packets to cause system malfunction. This attack can cause network speed to slow down, or even make it necessary to restart the computer to get normal operation back.
IP Spoofing
Hackers disguise themselves as trusted users of the network in Spoof attacks. They use a fake identity to try to pass through the firewall system and invade the network.
Port Scan
Hackers continuously scan networks on the Internet to detect computers and vulnerable ports that are opened by those computers.
Tear Drop Attack
The Tear Drop attacks are packets that are segmented into small packets with negative length. Some systems treat the negative value as a very large number, and copy enormous data into the system to cause system damage, such as a shut down or a restart.
Detect Land
Some systems may shut down when receiving packets with the same source and destination addresses, the same source port and destination port, and when SYN on the TCP header is marked. Enable this function to detect such abnormal packets.
DoS Attack
Denial of Service. A type of network attack that floods the network with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols.
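As an added example (not code from the manual or from AirLive), the following Python shows the kind of per-packet and per-batch checks a gateway's anomaly-flow alerts are based on, for three of the signatures described above: the Land condition exactly as the "Detect Land" entry states it, a Ping of Death size check on ICMP fragments, and a SYN-flood count per destination. The packet records, field names and the SYN threshold are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed packet records for the example (not captured traffic). Each dict
# carries only the header fields the checks below look at; "payload_len" is the
# fragment's data length and "frag_off" the IP fragment offset in 8-byte units.
SAMPLE_PACKETS = [
    # Land-style packet: identical source/destination address and port, SYN set.
    {"src": "203.0.113.5", "dst": "203.0.113.5", "sport": 80, "dport": 80,
     "proto": "tcp", "flags": {"SYN"}, "payload_len": 0, "frag_off": 0},
    # Ordinary TCP SYN from a client to a web server.
    {"src": "192.0.2.10", "dst": "203.0.113.5", "sport": 51000, "dport": 80,
     "proto": "tcp", "flags": {"SYN"}, "payload_len": 0, "frag_off": 0},
    # Last fragment of an oversized ICMP echo: offset 8190 * 8 plus 100 bytes
    # reassembles beyond the 65515-byte IPv4 payload limit.
    {"src": "192.0.2.77", "dst": "203.0.113.5", "sport": 0, "dport": 0,
     "proto": "icmp", "flags": set(), "payload_len": 100, "frag_off": 8190},
]

MAX_IP_PAYLOAD = 65535 - 20  # largest payload an IPv4 datagram can reassemble to


def is_land(pkt):
    """Land check as the manual states it: same source and destination address,
    same source and destination port, and SYN marked in the TCP header."""
    return (pkt["proto"] == "tcp" and "SYN" in pkt["flags"]
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def is_ping_of_death(pkt):
    """Ping of Death check: an ICMP fragment whose offset plus data length would
    reassemble past the maximum IPv4 payload (the 'tremendous trash data')."""
    if pkt["proto"] != "icmp":
        return False
    return pkt["frag_off"] * 8 + pkt["payload_len"] > MAX_IP_PAYLOAD


def syn_flood_targets(packets, threshold):
    """SYN flood heuristic: count bare SYNs (SYN without ACK) per destination and
    return the destinations that received more than `threshold` in this batch.
    The threshold is an assumption for illustration, not a value from the manual."""
    counts = defaultdict(int)
    for p in packets:
        if p["proto"] == "tcp" and "SYN" in p["flags"] and "ACK" not in p["flags"]:
            counts[p["dst"]] += 1
    return {dst: n for dst, n in counts.items() if n > threshold}


def classify(packets):
    """Return (index, alert name) for every packet that matches a per-packet check."""
    alerts = []
    for i, p in enumerate(packets):
        if is_land(p):
            alerts.append((i, "Land"))
        if is_ping_of_death(p):
            alerts.append((i, "Ping of Death"))
    return alerts


if __name__ == "__main__":
    print(classify(SAMPLE_PACKETS))              # [(0, 'Land'), (2, 'Ping of Death')]
    print(syn_flood_targets(SAMPLE_PACKETS, 1))  # {'203.0.113.5': 2}
```

A real gateway evaluates the SYN count over a time window rather than a fixed batch; the batch form here keeps the rule readable.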