airlive rs-2500fs.airlive.com/manual/airlive_rs-2500_manual.pdf · dual wan security vpn gateway ....

Upload: hangoc

Post on 05-Jun-2018

User’s Manual

Dual WAN Security VPN Gateway

RS-2500

Copyright and Disclaimer

No part of this publication may be reproduced in any form or by any means, whether electronic, mechanical, photocopying, or recording without the written consent of OvisLink Corp. OvisLink Corp. has made the best effort to ensure the accuracy of the information in this user’s guide. However, we are not liable for the inaccuracies or errors in this guide. Please use with caution. All information is subject to change without notice. All Trademarks are properties of their respective holders.

Table of Contents

1. Introduction
1.1 Overview
1.2 How to Use This Guide
1.3 Firmware Upgrade and Tech Support
1.4 Features

2. Installing the RS-2500
2.1 Before You Start
2.2 Package Content
2.3 Knowing your RS-2500
2.4 Hardware Installation
2.5 LED Table
2.6 Restore Settings to Default

3. Configuring the RS-2500
3.1 Important Information
3.2 Prepare your PC
3.3 Management Interface
3.4 Introduction to Web Management
3.4.1 Getting into Web Management
3.5 Initial Configurations

4. Web Management
4.1 About RS-2500’s Menu Structure
4.2 Remote Web Management

5. Administration
5.1 Admin
5.2 Permitted IP
5.3 Software Update
5.4 Logout

6. Configure
6.1 Setting
6.2 Date/Time
6.3 Multiple Subnet
6.4 Route Table
6.5 DHCP
6.6 Dynamic DNS
6.7 Host Table
6.8 Language

7. Interface
7.1 LAN
7.2 WAN
7.3 DMZ

8. Address
8.1 LAN
8.2 LAN Group

9. Service
9.1 Pre-defined
9.2 Custom
9.3 Group

10. Schedule

11. QoS

12. Authentication
12.1 Auth Setting
12.2 Auth User

13. Content Blocking
13.1 URL
13.2 Script
13.3 Download
13.4 Upload

14. Application Blocking

15. Virtual Server
15.1 Mapped IP
15.2 Virtual Server

16. VPN
16.1 One-Step IPSec
16.2 IPSec Autokey
16.3 PPTP Server
16.4 PPTP Client

17. Configuration Example: IPSec & PPTP VPN
17.1 IPSec VPN - Office to Office (1)
17.2 IPSec VPN - Office to Office (2)
17.3 IPSec VPN - Office to Client
17.4 PPTP VPN - Office to Office
17.5 PPTP VPN - Office to Client

18. Policy

19. Configuration Example: Policy Setting
19.1 Configuration Example (1) - Traffic Log, Statistic
19.2 Configuration Example (2) - Specific WAN Addresses, Content Blocking, Application Blocking
19.3 Configuration Example (3) - Authentication, Schedule
19.4 Configuration Example (4) - Virtual Server
19.5 Configuration Example (5) - QoS, Virtual Server, MAX. Concurrent Sessions

20. Web VPN / SSL VPN
20.1 Setting
20.2 Hardware Auth
20.3 Status
20.4 Configuration Example

21. Anomaly Flow IP

22. Monitor
22.1 Log
22.2 Accounting Report
22.3 Statistic
22.4 Diagnostic
22.5 Wake On Lan
22.6 Status

23. Frequent Asked Questions

24. Specifications
24.1 Hardware Features

25. Network Glossary
25.1 Interface
25.2 System
25.3 VPN
25.4 Anomaly Flow IP

1. Introduction

1.1 Overview

The RS-2500 is powered by an IXP425 533 MHz RISC processor and has increased memory capacity for better performance. It also provides a Web VPN / SSL VPN Server function, so remote users can easily connect to the IPSec server using the IE browser and access LAN resources.

The RS-2500 also improves the IM/P2P Blocking function. In addition to blocking IM and P2P programs, the new Application Blocking supports blocking of Video/Audio Application, Webmail, Game Application, Tunnel Application, and Remote Control Application. These advanced security functions make the RS-2500 a more capable Security VPN Gateway than before.

1.2 How to Use This Guide

The RS-2500 is an advanced VPN Security Gateway with many functions. It is recommended that you read through the entire user’s guide whenever possible. The user guide is divided into chapters. You should read at least the first 3 chapters before attempting to install the device.

Chapter 1 Introduction: This chapter introduces the user’s manual. It describes the contents of each chapter and how to get help from AirLive Tech Support.

Chapter 2 Installing the RS-2500: This chapter is about hardware installation. You should read through the entire chapter.

Chapter 3 Configuring the RS-2500: This chapter covers the preparation needed before you access the RS-2500. It also includes basic but important information about the RS-2500.

Chapter 4 Web Management: This chapter explains how to access the RS-2500 via the web console.

Chapter 5 Administration: This chapter explains how to create a sub-admin account, change the password, and upgrade firmware.

Chapter 6 Configure:

    6.1 Setting: You can back up or restore the RS-2500 config file, reset the device to default settings, define the mail address for notification, change the port number of web management, change the MTU value, enable RIP and the SIP pass-through function, and more.

    6.3 Multiple Subnet: You can create further subnets for the LAN or DMZ interface, and define those subnets as NAT mode or Routing mode.

    6.5 DHCP: You can change the DHCP client IP range for LAN or DMZ, or enable the DHCP Relay function to get the IP from an upper DHCP server.

Chapter 7 Interface: This chapter is about interface configuration and enabling the Remote Management function.

Chapter 8 Address: The administrator can define a specific IP address, IP range, IP subnet, or MAC address for a specific device in LAN, WAN, or DMZ, so the Policy setting can be modified to restrict the service precisely.

Chapter 9 Service: This chapter lists the standard protocols for the user’s reference, and it also allows the user to create non-standard port numbers on request. In the end, the Address setting will be assigned to Mapped IP, Virtual Server, or enabled by Policy setting.

Chapter 10 Schedule: This chapter lets the user define the time schedule for the Policy setting.

Chapter 11 QoS: It is recommended to read this chapter if you would like to configure QoS. This chapter explains how to configure the QoS setting correctly.

Chapter 12 Authentication: If you would like to require users to pass authentication before they access the Internet, read this chapter and follow the guide to configure it.

Chapter 13 Content Blocking: You can configure the Content Blocking setting and enable the function at Policy.

    13.1 URL: You can define the key word or domain name of websites to be blocked or allowed.

    13.3 Download: Files of a specific type or extension name can be blocked.

Chapter 14 Application Blocking: You can select the application type and software, and enable blocking of those applications at Policy.

Chapter 15 Virtual Server: When you install a server in the LAN and allow Internet users to access it, you should define the Virtual Server function.

Chapter 16 VPN: This chapter is an introduction to the IPSec and PPTP servers. Read the next chapter to learn how to configure them.

Chapter 17 Configuration Example - IPSec & PPTP VPN: We list several examples of VPN connections. Find the one that fits and refer to it to configure your own setting.

Chapter 18 Policy: It is recommended to read this chapter, because it is the most important setting for the RS-2500. No matter how you configure QoS, VPN, or other functions, you have to enable them in the Policy setting.

Chapter 19 Configuration Example - Policy Setting: We list several Policy settings for your reference, so you can better understand how to configure it.

Chapter 20 Web VPN / SSL VPN: This chapter explains the Web VPN / SSL VPN function and lists an example of how to configure it.

Chapter 21 Anomaly Flow IP: This chapter introduces how to configure the RS-2500 to protect against intrusion by known malware.

Chapter 22 Monitor:

    22.1 Log: Displays several kinds of log records for the user’s reference.

    22.2 Accounting Report: Displays the calculated Internet access results per Source IP, Destination IP, and Service.

    22.3 Statistic: Displays WAN or Policy Statistic results for the user’s reference.

    22.4 Diagnostic: The RS-2500 offers Ping and Traceroute tools to diagnose connection status per WAN, LAN, DMZ, or VPN.

    22.5 Wake On Lan: This section introduces the Wake On Lan function, which lets an Internet user wake up a PC on the LAN.

    22.6 Status: You can find the real-time status of Interface, Authentication, ARP table, and DHCP Clients.

1.3 Firmware Upgrade and Tech Support

If you encounter a technical issue that cannot be resolved with the information in this guide, we recommend that you visit our comprehensive website support at www.airlive.com. The tech support FAQ is frequently updated with the latest information.

In addition, you might find new firmware that either increases software functions or provides bug fixes for the RS-2500. You can reach our on-line support center at the following link:

http://www.airlive.com/support/support_2.jsp

Since 2009, AirLive has added the “Newsletter Instant Support System” on our website. AirLive Newsletter subscribers receive instant email notifications when there are new downloads or tech support FAQ updates for their subscribed AirLive models. To become an AirLive newsletter member, please visit: http://www.airlive.com/member/member_3.jsp

Figure: AirLive Newsletter Support System


1.4 Features

Web VPN/SSL VPN, IPSec and PPTP VPN Server

VPN Trunk

Application Blocking, IM / P2P Blocking, Content Blocking

User Authentication

QoS, Max. Bandwidth Per Source IP, Max. Concurrent Sessions Per Source IP

Dual WAN Load Balance and Fail-over

Multiple Subnet

Custom Service Definition for IP, TCP, UDP

Detect and block the anomaly flow IP

Policy based Firewall

DMZ Transparent

Schedule

Static Route, RIPv2

Web Management

2. Installing the RS-2500

This section describes the hardware features and the hardware installation procedure for the RS-2500. For software configuration, please go to chapter 3 for more details.

2.1 Before You Start

It is important to read through this section before you install the RS-2500.

The RS-2500 comes with everything you need to start installation. You can use CAT-5 Ethernet cable according to the length you need.

The RS-2500 must be installed with the 5V adapter. Please do not use an adapter of any other voltage.

While upgrading firmware, please do not refresh or close the web page, otherwise it could crash the firmware.

Please do not use FTP to transfer the firmware file, because the firmware could be transferred incompletely. Upgrading the RS-2500 with incomplete firmware will damage the device.

2.2 Package Content

The RS-2500 package contains the following items:

One RS-2500 main unit

One 5V 2.5A DC power adapter

2 x RJ-45 Ethernet Cable

User’s Guide CD

Quick Start Guide


2.3 Knowing your RS-2500

Below are descriptions and diagrams of the product:

2.4 Hardware Installation

1. Plug the power adapter into the RS-2500 and into a wall electrical outlet.

2. Connect an Ethernet cable between the PC and the RS-2500 LAN port.

3. Wait for the RS-2500 Status LED to stop blinking.

4. The PC should get an IP address from the RS-2500 DHCP server. You can now log in to the RS-2500 and configure the settings.


2.5 LED Table

This section describes the LED behavior of the RS-2500. You can find the LEDs on the front side of the RS-2500.

Power: Steady Green – Device is powered on; OFF – No power

Status: Steady Green – Ready to use; Blinking – In the booting process

WAN1/2, LAN, DMZ: Steady Green – Cable is connected; Blinking – Packets are being sent/received

2.6 Restore Settings to Default

If you have forgotten your RS-2500’s IP address or password, you can restore your RS-2500 to the default settings by pressing the “reset button” for more than 10 seconds. You can find the reset button on the back panel. Please see diagram below for details.

3. Configuring the RS-2500

To use this product correctly, you have to properly configure the network settings of your computers and install the attached setup program into your MS Windows platform (Windows 95/98/NT/2000/XP).

3.1 Important Information

The following information will help you get started quickly. However, we recommend that you read through the entire manual before you start. Please note that the password is case sensitive.

The default IP address is: 192.168.1.1

Subnet Mask: 255.255.255.0

The default user name is: admin

The default password is: airlive

After power on, please wait for 2 minutes for the RS-2500 to finish booting up.

3.2 Prepare your PC

The default IP address of this product is 192.168.1.1, and the default subnet mask is 255.255.255.0. These addresses can be changed as needed, but the default values are used in this manual. If the TCP/IP environment of your computer has not yet been configured, you can refer to this example:

1. Configure the IP as 192.168.1.2, the subnet mask as 255.255.255.0 and the gateway as 192.168.1.1, or, more easily,

2. Configure your computers to load TCP/IP settings automatically, that is, via the DHCP server of this product.

After installing the TCP/IP communication protocol, you can use the ping command to check if your computer has successfully connected to this product. The following example shows the ping procedure for Windows platforms. First, execute the ping command:

    ping 192.168.1.1

If the following messages appear:

    Pinging 192.168.1.1 with 32 bytes of data:

    Reply from 192.168.1.1: bytes=32 time=2ms TTL=64

then a communication link between your computer and this product has been successfully established. Otherwise, if you get the following messages:

    Pinging 192.168.1.1 with 32 bytes of data:

    Request timed out.

then there must be something wrong in your installation procedure. Check the following items in sequence:

1. Is the Ethernet cable correctly connected between this product and your computer?

Tip: The LAN LED of this product and the link LED of the network card on your computer must be lit.

2. Is the TCP/IP environment of your computers properly configured?

Tip: If the IP address of this product is 192.168.1.1, the IP address of your computer must be 192.168.1.X and the default gateway must be 192.168.1.1.

3.3 Management Interface

The RS-2500 can be configured using one of the management interfaces below:

Web Management (HTTP): You can manage your RS-2500 by simply typing its IP address in the web browser. We recommend using this interface for initial configurations. To begin, simply enter the RS-2500 IP address (default is 192.168.1.1) in the web browser. The default password is “airlive”.

Secure Web Management (HTTPS): HTTPS also uses the web browser for configuration, but all data transactions are encrypted using SSL. It is therefore a safe and easy way to manage your RS-2500.

3.4 Introduction to Web Management

The RS-2500 offers both normal (HTTP) and secured (HTTPS) Web Management interfaces. They share the same interface and functions, and both can be accessed through web browsers. The only difference is that HTTPS is encrypted for extra security. Therefore, we will discuss them together as “Web Management” in this guide.

If you are placing the RS-2500 behind a router or firewall, you might need to open virtual server ports to the RS-2500 on your firewall/router:

HTTP: TCP Port 80

HTTPS: TCP/UDP Port 443

3.4.1 Getting into Web Management

Normal Web Management (HTTP)

To get into the Normal Web Management, simply type in the RS-2500’s IP address (default IP is 192.168.1.1) into the web browser’s address field.

Secured Web Management (HTTPS)

To get into the Secured Web Management, just type “https://192.168.1.1” into the web browser’s address field. “192.168.1.1” is the RS-2500’s default IP address. If the IP address has been changed, the address entered in the browser should change as well.

A security warning screen from your browser will then pop up, depending on the browser you use. Please follow the steps below to clear the security screen.

Internet Explorer: Select “Yes” to proceed

Firefox:

1. Select “or you can add an exception”


2. Click on “Add Exception”


3. Click on “Get Certificate”. Then, please enter RS-2500’s IP address. Finally, please click on “Confirm Security Exception.”
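
An added example, not part of the AirLive manual: since the browser cannot validate the gateway's certificate, one way to confirm that later HTTPS sessions reach the same device is to record the certificate's SHA-256 fingerprint once over a direct cable connection to the LAN port and compare it on each later connection. The function names, the pin table and the sample bytes are assumptions made for illustration.

```python
"""Added example: pin the gateway's HTTPS certificate by SHA-256 fingerprint."""
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder bytes standing in for DER-encoded certificates.
# They are not real certificates and were not taken from any device.
SAMPLE_GATEWAY_DER = b"constructed-sample-der-for-gateway"
SAMPLE_OTHER_DER = b"constructed-sample-der-for-other-endpoint"


def der_fingerprint(der: bytes) -> str:
    """Return the SHA-256 fingerprint as colon-separated upper-case hex,
    the form browsers show in their certificate viewer."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint: str) -> str:
    """Drop separators and case so a pasted fingerprint compares reliably."""
    return "".join(ch for ch in fingerprint if ch.isalnum()).lower()


def evaluate(host: str, der: bytes, pins: dict) -> str:
    """Compare a presented certificate with the pin recorded for host.

    Returns "unpinned" (nothing recorded yet), "match" or "mismatch".
    """
    pinned = pins.get(host)
    if pinned is None:
        return "unpinned"
    same = hmac.compare_digest(_normalize(der_fingerprint(der)),
                               _normalize(pinned))
    return "match" if same else "mismatch"


def fetch_certificate_der(host: str, port: int = 443,
                          timeout: float = 5.0) -> bytes:
    """Fetch the certificate an endpoint presents, without validating it.

    Validation is switched off on purpose: the browser warning shows the
    certificate does not chain to a trusted CA, so the fingerprint
    comparison in evaluate() is the check. Assumption: the local TLS
    library still accepts the protocol versions the device firmware offers.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw) as tls:
            return tls.getpeercert(binary_form=True)


def check_gateway(host: str, pins: dict, port: int = 443) -> str:
    """Fetch the live certificate and evaluate it against the pin table."""
    return evaluate(host, fetch_certificate_der(host, port), pins)


if __name__ == "__main__":
    # Offline demonstration with the constructed sample bytes.
    # Step 1 (first setup, PC cabled directly to the LAN port): record the pin.
    pins = {"192.168.1.1": der_fingerprint(SAMPLE_GATEWAY_DER)}
    print("pinned:", pins["192.168.1.1"])
    # Step 2 (any later session): same certificate gives "match",
    # a different certificate at the same address gives "mismatch".
    print(evaluate("192.168.1.1", SAMPLE_GATEWAY_DER, pins))
    print(evaluate("192.168.1.1", SAMPLE_OTHER_DER, pins))
```

On a "mismatch", stop before entering the admin password and find out why the certificate changed (for example a firmware upgrade or a factory reset) before recording a new pin.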


3.5 Initial Configurations

We recommend that users browse through the RS-2500’s web management interface to get an overall picture of the functions and interface. Below are the recommended initial configurations for first time login:

STEP 1:

1. Connect the Admin’s PC and the LAN port of the Security VPN Gateway.

2. Open an Internet web browser and type the default IP address of the Security VPN Gateway as 192.168.1.1 in the address bar.

3. A pop-up screen will appear and prompt for a username and password. Enter the default login username (admin) and password (airlive) of Administrator.

STEP 2:

After entering the username and password, the Security VPN Gateway WEB UI screen will display. Select the Interface tab on the left menu and a sub-function list will be displayed.

Click on WAN from the sub-function list and enter the proper network setup information.

Click Modify to modify WAN1/2 settings (i.e. WAN1 Interface).

WAN1 interface

IP Address: 60.250.158.64

NetMask: 255.255.255.0

Default Gateway: 60.250.158.254

DNS Server1: 168.95.1.1

STEP 3:

Click on the Policy tab from the main function menu, and then click on Outgoing from the sub-function list.

STEP 4:

Click on New Entry button.

STEP 5:

When the New Entry option appears, enter the following configuration:

Source Address – select Inside_Any

Destination Address – select Outside_Any

Service - select ANY

Action - select Permit ALL

Click on OK to apply the changes.


STEP 6:

The configuration is successful when the screen below is displayed. Make sure that all the computers that are connected to the LAN port have their Default Gateway IP Address set to the Security VPN Gateway’s LAN IP Address (i.e. 192.168.1.1). At this point, all the computers on the LAN network should gain access to the Internet immediately.

4. Web Management

This chapter explains the Administration settings in the web management interface. Please be sure to read through Chapter 3’s “Introduction to Web Management” and “Initial Configurations” first.

4.1 About RS-2500’s Menu Structure

The RS-2500’s web management menu is divided into 7 main subjects: System, Interface, Policy Object, Policy, Web VPN / SSL VPN, Anomaly IP Flow, and Monitor. Each subject includes several sub-objects, and each sub-object includes several functions for the user to configure.

The RS-2500 is designed as a policy-based firewall: the user configures a Policy Object setting and then enables the function in Policy.

Figure: menu structure (Main Subject, Sub-Object, Functions)

System: It includes the Administration, Configure, and Logout sub-objects. The System subject allows you to configure the basic settings of the RS-2500. Please refer to chapter 5 Administration and chapter 6 Configure.

Interface: It includes the WAN, LAN and DMZ sub-objects. For more configuration information please refer to chapter 7.

Policy Object: It includes the Address, Service, Schedule, QoS, Authentication, Content Blocking, Application Blocking, Virtual Server, and VPN sub-objects. Before enabling a function in Policy, you need to configure the Policy Object setting first. Please refer to chapters 8 ~ 17.

Policy: It includes the Outgoing, Incoming, WAN To DMZ, LAN To DMZ, DMZ To WAN, and DMZ To LAN sub-objects. Please make sure to Logout after you finish all settings. You must configure the Policy setting to enable the Policy Object settings. Please refer to chapter 18.

Web VPN / SSL VPN: The RS-2500 provides a Web VPN / SSL VPN function that allows remote users to connect to and access the router’s LAN resources. Please refer to chapter 20.

Anomaly IP Flow: It defines the rules for blocking hackers from the Internet or the intranet. Please refer to chapter 21.

Monitor: It includes the Log, Accounting Report, Statistic, Diagnostic, Wake on Lan, and Status sub-objects. These functions provide reports and logs that show the user the current status of the device and the network. Please refer to chapter 22.

4.2 Remote Web Management

The RS-2500 allows you to access the web management page from a remote site, and you can choose to use HTTP or HTTPS. In the WAN settings under Interface, enable HTTP, HTTPS, or both.

5. Administration

“System” manages settings such as the privileges of packets that pass through the RS-2500 and the monitoring controls. System Administrators can manage, monitor, and configure RS-2500 settings. All configurations are “read-only” for users other than the System Administrator; those users cannot change any setting of the RS-2500.

5.1 Admin

Admin Name: The username of the Administrator and Sub Administrators of the RS-2500. The admin user name cannot be removed; sub-admin users can be removed or modified.

The default Account: admin; Password: airlive

Privilege: The privileges of Administrators (Admin or Sub Admin). The username of the main Administrator is Administrator, with read / write privilege. The Administrator can also change the system settings, log system status, and add or delete sub-administrators. A Sub Admin may be created by the Admin by clicking New Sub Admin. Sub Admins have only read and monitor privileges and cannot change any system setting value.

Configure: Click Modify to change the “Sub-Administrator’s” password or click Remove to delete a “Sub Administrator.”

Adding a new Sub Administrator

STEP 1﹒In the Admin WebUI, click the New Sub Admin button to create a new Sub

Administrator.

STEP 2﹒In the Add New Sub Administrator WebUI (Figure 5-1), enter the following settings:

Sub Admin Name: sub_admin

Password: 12345

Confirm Password: 12345

STEP 3﹒Click OK to add the user or click Cancel to cancel it.

Figure 5-1 Add New Sub Admin

Modify the Administrator’s Password

STEP 1﹒In the Admin WebUI, locate the Administrator name you want to edit, and click on

Modify in the Configure field.

STEP 2﹒The Modify Administrator Password WebUI will appear. Enter the following

information:

Password: admin

New Password: 52364

Confirm Password: 52364 (Figure 5-2)

STEP 3﹒Click OK to confirm password change.

Figure 5-2 Modify Admin Password

5.2 Permitted IP

Add Permitted IPs

STEP 1﹒Add the following setting in Permitted IPs of Administration: (Figure 5-3)

Name: Enter master

IP Address: Enter 163.173.56.11

Netmask: Enter 255.255.255.255

Service: Select Ping, HTTP and HTTPS

Click OK

Adding the new Permitted IP is complete. (Figure 5-4)

Figure 5-3 Setting Permitted IPs WebUI

Figure 5-4 Complete Add New Permitted IPs

For Permitted IPs to take effect, it is suggested to deselect Ping, HTTP, and HTTPS in the LAN, WAN, or DMZ Interface settings. Set up the Permitted IPs before deselecting the WebUI options of an Interface; otherwise the user will be unable to enter the WebUI through that Interface.
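
The ordering rule in the note above can be checked offline before touching the WebUI. The following Python model is an added example, not AirLive code: it assumes that a ticked interface checkbox accepts any source arriving on that interface and that a Permitted IPs entry is accepted on every interface, which is how the notes in this manual read. All class and function names, and the LAN admin host 192.168.1.10, are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

SERVICES = ("Ping", "HTTP", "HTTPS")


@dataclass(frozen=True)
class PermittedIP:
    name: str
    network: IPv4Network
    services: frozenset


def permitted_ip(name, ip, netmask, services):
    """Build an entry from the four fields of the Permitted IPs form."""
    return PermittedIP(name, IPv4Network(f"{ip}/{netmask}", strict=False),
                       frozenset(services))


@dataclass
class GatewayConfig:
    # Interface name -> services ticked on it (assumed open to every source there).
    interface_services: dict
    permitted: list = field(default_factory=list)

    def allowed(self, interface, source, service):
        """Return why a request is accepted, or None when it is dropped."""
        if service in self.interface_services.get(interface, ()):
            return f"{interface} interface checkbox"
        src = IPv4Address(source)
        for entry in self.permitted:
            if service in entry.services and src in entry.network:
                return f"Permitted IP '{entry.name}'"
        return None


def exposure(config):
    """(interface, service) pairs that currently accept any source address."""
    return [(i, s) for i in sorted(config.interface_services)
            for s in SERVICES if s in config.interface_services[i]]


def webui_reachable(config, interface, source):
    return any(config.allowed(interface, source, s) for s in ("HTTP", "HTTPS"))


def lock_down(config, admins):
    """Untick interface checkboxes one at a time, refusing any change that would
    leave an administrator in `admins` unable to open the WebUI.
    Returns (applied, refused) lists of (interface, service)."""
    applied, refused = [], []
    for interface, service in exposure(config):
        trial = GatewayConfig(
            {i: set(s) for i, s in config.interface_services.items()},
            list(config.permitted))
        trial.interface_services[interface].discard(service)
        if all(webui_reachable(trial, i, ip) for i, ip in admins):
            config.interface_services = trial.interface_services
            applied.append((interface, service))
        else:
            refused.append((interface, service))
    return applied, refused


def sample_config(entries=()):
    """All three services ticked on LAN and WAN, none on DMZ (constructed state)."""
    return GatewayConfig(
        {"LAN": set(SERVICES), "WAN": set(SERVICES), "DMZ": set()}, list(entries))


# Where the administrators connect from: (arriving interface, source IP).
ADMINS = [("WAN", "163.173.56.11"), ("LAN", "192.168.1.10")]
# The entry from section 5.2, plus a constructed entry for a LAN admin PC.
MASTER = permitted_ip("master", "163.173.56.11", "255.255.255.255", SERVICES)
LOCAL = permitted_ip("local_admin", "192.168.1.10", "255.255.255.255", ["HTTPS"])

if __name__ == "__main__":
    for label, entries in (("no Permitted IPs", []), ("with Permitted IPs", [MASTER, LOCAL])):
        cfg = sample_config(entries)
        applied, refused = lock_down(cfg, ADMINS)
        print(label, "| still open to any source:", exposure(cfg), "| refused:", refused)
```

Without Permitted IPs the model refuses to untick the last WebUI service on LAN and WAN, which is the lockout the note describes; with the entries in place every checkbox can be cleared and only the listed addresses reach the WebUI.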

5.3 Software Update

STEP 1﹒Select Software Update in System, and follow the steps below:

Check the current version under Version Number and obtain the latest version from the Internet. Save the latest version on the PC that manages the RS-2500.

Click Browse and choose the latest software version file.

Click OK and the system will update automatically. (Figure 5-5)

Figure 5-5 Software Update

It takes 4 minutes to update the software. The system will reboot after the update. During the update, please do not turn off the PC or close the WebUI, as this may cause unexpected errors. (It is strongly suggested to update the software from the LAN to avoid unexpected errors.)

5.4 Logout

STEP 1﹒Click Logout in System to protect the system while admin is away. (Figure 5-6)

Figure 5-6 Confirm Logout WebUI

STEP 2﹒Click OK and the logout message will appear in WebUI. (Figure 5-7)

Figure 5-7 Logout WebUI Message

6. Configure

Configure covers the basic settings of the RS-2500. This chapter describes the Setting, Date/Time, Multiple Subnet, Route Table, DHCP, Dynamic DNS, Hosts Table, and Language settings.

6.1 Setting

System Settings- Exporting

STEP 1﹒In the System Setting WebUI, click on the button next to Export System Setting to Client.

STEP 2﹒When the File Download pop-up window appears, choose the destination in which to save the exported file and click on Save. The settings of the RS-2500 will be copied to the chosen location immediately. (Figure 6-1)

Figure 6-1 Select the Destination Place to Save the Exported File

System Settings- Importing

STEP 1﹒In the System Setting WebUI, click on the Browse button next to Import System Setting from Client. When the Choose File pop-up window appears, select the file which contains the saved RS-2500 settings, then click OK. (Figure 6-2)

STEP 2﹒Click OK to import the file into the RS-2500. (Figure 6-3)

Figure 6-2 Enter the File Name and Destination of the Imported File

Figure 6-3 Upload the Setting File WebUI

Restoring Factory Default Settings

STEP 1﹒Select Reset System to Factory Setting in RS-2500 Configuration WebUI

STEP 2﹒Click OK at the bottom-right of the page to restore the factory settings. (Figure 6-4)

Figure 6-4 Reset Factory Settings

Email Settings

Select Enable E-mail Alert Notification under E-mail Settings. This function enables the RS-2500 to send e-mail alerts to the System Administrator when the network is being attacked by hackers or when emergency conditions occur. (Detection of hacker attacks can be set in the Anomaly Flow IP Setting.)

Enabling E-mail Alert Notification

STEP 1﹒Select Enable E-mail Alert Notification under E-Mail Settings.

STEP 2﹒Sender Address (Required by some ISPs): Enter the Sender Address.

STEP 3﹒SMTP Server IP: Enter SMTP server’s IP address

STEP 4﹒E-Mail Address 1: Enter the e-mail address of the first user to be notified.

STEP 5﹒E-Mail Address 2: Enter the e-mail address of the second user to be notified.

(Optional)

STEP 6﹒Click OK on the bottom-right of the screen to enable E-mail Alert Notification.

(Figure 6-5)

Figure 6-5 Enable E-mail Alert Notification

Click on Mail Test to test if E-mail Address 1 and E-mail Address 2

can receive the Alert Notification correctly.

Web Management (WAN Interface)

The System Manager can change the port number used by HTTP or HTTPS at any time. (Remote WebUI management)

After the HTTP port has been changed, an administrator who wants to enter the WebUI from the WAN has to specify the new port number in the browser. (For example: http://61.62.108.172:8080)

MTU Setting

The Administrator can modify the network packet length at any time. The default value is 1500 Bytes.

Link Speed / Duplex Mode Setting

This function sets the transmission speed and mode of the WAN Port when connecting to another device.

Dynamic Routing (RIPv2)

Select to enable the AirLive RS-2500 LAN, WAN1, WAN2 or DMZ Port to send/receive RIPv2 packets and communicate with an Internal Router or External Router in order to update Dynamic Routing.

SIP protocol pass-through

Select to enable the RS-2500 to pass the SIP protocol. Depending on the type of SIP device you have, the SIP protocol may also pass through the RS-2500 without this function enabled.

Administration Packet Logging

After this function is enabled, the RS-2500 records packets whose source or destination IP address is the RS-2500 in the Traffic Log, where the System Manager can review them.

System Reboot

Once this function is enabled, the RS-2500 will be rebooted.

STEP 1﹒Reboot RS-2500: Click the Reboot button next to Reboot RS-2500 Appliance.

STEP 2﹒A confirmation pop-up page will appear.

STEP 3﹒Follow the confirmation pop-up page; click OK to restart the RS-2500. (Figure 6-6)

Figure 6-6 The Other Function Settings

6.2 Date/Time

Synchronize system clock

The administrator can configure the RS-2500’s date and time by either syncing to an

Internet Network Time Server (NTP) or by syncing to your computer’s clock.

STEP 1﹒Select Enable synchronize with an Internet time Server (Figure 6-7)

STEP 2﹒Click the down arrow to select the offset time from GMT.

STEP 3﹒If necessary, select Enable daylight saving time setting

STEP 4﹒Enter the Server IP / Name with which you want to synchronize.

STEP 5﹒Set the interval time to synchronize with outside servers.

Figure 6-7 System Time Setting

Click on the Sync button and the RS-2500’s date and time will be synchronized to the Administrator’s PC.

The values of Set Offset hours From GMT and Server IP / Name can be looked up using Assist.

6.3 Multiple Subnet

LAN users connect to the Internet through Multiple Subnet in NAT or Routing Mode, according to the IP address set on the user’s network card. (Figure 6-8)

Figure 6-8 Multiple Subnet UI

WAN Interface IP / Forwarding Mode

The WAN IP address corresponds with Multiple Subnet

The system mode of Multiple Subnet (NAT mode or Routing Mode)

Interface

The interface of Multiple Subnet (LAN or DMZ)

Alias IP of Interface / Netmask

The Multiple Subnet IP address range setting

Configuration Example

The RS-2500 WAN1 (10.10.10.1) connects to the ISP Router (10.10.10.2), and the subnet provided by the ISP is 162.172.50.0/24.

To connect to the Internet, WAN2 IP (211.22.22.22) connects to the ATUR.

Adding Multiple Subnet

Add the following settings in Multiple Subnet of the System function:

Click on New Entry

Alias IP of LAN Interface: Enter 162.172.50.1

Netmask: Enter 255.255.255.0

WAN1: Choose Routing in Forwarding Mode, and press Assist to select Interface IP 10.10.10.1.

WAN2: Enter Interface IP 211.22.22.22, and choose NAT in Forwarding Mode

Click OK

Complete Adding Multiple Subnet (Figure 6-9)

Figure 6-9 Add Multiple Subnet WebUI

The WAN1 and WAN2 Interface fields can be filled in using Assist.

After this setting, there will be two subnets in the LAN: 192.168.1.0/24 (the default LAN subnet) and 162.172.50.0/24. So if the LAN IP is:

192.168.1.xx, it must use NAT Mode to access the Internet. (In Policy it can only be set up to access the Internet through WAN2. Through WAN1 in Routing mode, it cannot access the Internet with its virtual IP.)

162.172.50.xx, it uses Routing mode through WAN1 (the Internet server sees your IP 162.172.50.xx directly) and NAT mode through WAN2 (the Internet server sees your IP as the WAN2 IP).

NAT Mode

It allows the internal network to be set up with multiple subnet addresses and to connect to the Internet through different WAN IP addresses.

For example, a company’s leased line comes with several real IP addresses, 168.85.88.0/24, and the company is divided into Service, Sales, Procurement, and Accounting departments. The company can distinguish each department by a different subnet for convenient management. The settings are as follows:

1. R&D department subnet: 192.168.1.1/24 (LAN) 168.85.88.253 (WAN)

2. Service department subnet: 192.168.2.1/24 (LAN) 168.85.88.252 (WAN)

3. Sales department subnet: 192.168.3.1/24 (LAN) 168.85.88.251 (WAN)

4. Procurement department subnet: 192.168.4.1/24 (LAN) 168.85.88.250 (WAN)

5. Accounting department subnet: 192.168.5.1/24 (LAN) 168.85.88.249 (WAN)

The first department (R&D department) was already set when setting the interface IP; the other four have to be added in Multiple Subnet. After completing the settings, each department uses a different WAN IP address to connect to the Internet. The settings of each department are as follows:

                 Service           Sales             Procurement       Accounting
IP Address       192.168.2.2~254   192.168.3.2~254   192.168.4.2~254   192.168.5.2~254
Subnet Netmask   255.255.255.0     255.255.255.0     255.255.255.0     255.255.255.0
Gateway          192.168.2.1       192.168.3.1       192.168.4.1       192.168.5.1

Routing Mode

It is approximately the same as NAT mode, but the subnet does not have to correspond to the real WAN IP address; an internal PC accesses the Internet with its own IP. (External users can also use the IP to connect with the Internet.)
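
The two forwarding modes differ in which address the outside world sees, and therefore in which internal hosts are directly addressable from the Internet. The Python sketch below is an added example, not part of the manual or the RS-2500 firmware: it models Multiple Subnet entries and computes the source address an Internet server sees, using the Configuration Example and the department table above as input. The names `SubnetEntry`, `entry`, `seen_as`, `routed_subnets` and `check` are hypothetical, and placing the department NAT addresses on WAN1 is an assumption, since the manual does not say which WAN port carries them.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass
class SubnetEntry:
    alias: IPv4Interface   # "Alias IP of Interface / Netmask"
    forwarding: dict       # WAN port -> (WAN interface IP, "NAT" or "Routing")


def entry(alias_ip, netmask, **wan):
    """One row of the Multiple Subnet table."""
    return SubnetEntry(IPv4Interface(f"{alias_ip}/{netmask}"), wan)


def seen_as(entries, source, wan):
    """Address an Internet server sees for `source` leaving through `wan`,
    or None when no entry covers that subnet/WAN combination."""
    src = IPv4Address(source)
    for e in entries:
        if src in e.alias.network and wan in e.forwarding:
            wan_ip, mode = e.forwarding[wan]
            return str(src) if mode == "Routing" else wan_ip
    return None


def routed_subnets(entries):
    """Subnets whose hosts appear on the Internet under their own address."""
    return [str(e.alias.network) for e in entries
            if any(mode == "Routing" for _, mode in e.forwarding.values())]


def check(entries):
    """Report overlapping subnets and private subnets placed in Routing mode."""
    issues = []
    for i, a in enumerate(entries):
        net = a.alias.network
        for b in entries[i + 1:]:
            if net.overlaps(b.alias.network):
                issues.append(f"{net} overlaps {b.alias.network}")
        for wan, (_, mode) in sorted(a.forwarding.items()):
            if mode == "Routing" and net.is_private:
                issues.append(f"{net} is private but set to Routing on {wan}")
    return issues


# Configuration Example from this section. The default LAN subnet is listed
# with WAN2 only, following the note that it can reach the Internet only by NAT.
EXAMPLE = [
    entry("162.172.50.1", "255.255.255.0",
          WAN1=("10.10.10.1", "Routing"), WAN2=("211.22.22.22", "NAT")),
    entry("192.168.1.1", "255.255.255.0", WAN2=("211.22.22.22", "NAT")),
]

# Department plan from the NAT Mode table: 192.168.n.1/24 -> 168.85.88.(254-n).
# R&D (n=1) is set on the interface itself but modelled here in the same list.
DEPARTMENTS = [
    entry(f"192.168.{n}.1", "255.255.255.0", WAN1=(f"168.85.88.{254 - n}", "NAT"))
    for n in range(1, 6)
]

if __name__ == "__main__":
    for src, wan in (("162.172.50.20", "WAN1"), ("162.172.50.20", "WAN2"),
                     ("192.168.1.20", "WAN1"), ("192.168.1.20", "WAN2")):
        print(f"{src} via {wan}: seen as {seen_as(EXAMPLE, src, wan)}")
    print("directly addressable subnets:", routed_subnets(EXAMPLE))
    print("plan issues:", check(EXAMPLE) + check(DEPARTMENTS))
```

Subnets returned by `routed_subnets` are the ones whose hosts are visible under their own addresses, so they are the ones to review first when writing Incoming policies.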

6.4 Route Table

The Route Table connects the RS-2500 with another router so that users in different IP subnets can access the Internet at the same time. (Figure 6-10, 11)

Figure 6-10 Route Table UI

Figure 6-11 Route Table UI

Destination IP / Netmask

The target IP subnet of routing rule

Gateway

Indicate the IP address of router that will route packets to target subnet

Interface

Indicate the interface to send out the routing packets

6.5 DHCP

Subnet

The domain name of LAN

NetMask

The LAN Netmask

Gateway

The default Gateway IP address of LAN

Broadcast IP

The Broadcast IP of LAN

STEP 1﹒Select DHCP in System and enter the following settings:

DHCP Relay Interface: Select the interface connected to WAN DHCP server

DHCP Server IP: Enter the IP address of DHCP server

Domain Name: Enter the Domain Name

DNS Server 1: Enter the distributed IP address of DNS Server1.

DNS Server 2: Enter the distributed IP address of DNS Server2.

WINS Server 1: Enter the distributed IP address of WINS Server1.

WINS Server 2: Enter the distributed IP address of WINS Server2.

LAN Interface:

Client IP Address Range 1: Enter the starting and ending IP addresses to be dynamically assigned to DHCP clients. The default value is 192.168.1.2 to 192.168.1.254 (the range must be in the same subnet).

Client IP Address Range 2: Enter the starting and ending IP addresses to be dynamically assigned to DHCP clients. The range must be within the same subnet as Client IP Address Range 1 and the two ranges cannot overlap.

DMZ Interface: the same as LAN Interface. (DMZ works only if the DMZ Interface is enabled.)

Leased Time: Enter the lease time for dynamic IP addresses. The default time is 24 hours.

Click OK and the DHCP setting is completed. (Figure 6-12)

Figure 6-12 DHCP WebUI

When Automatically Get DNS is selected, the DNS Server is locked to the LAN Interface IP. (Use case: when the System Administrator enables Authentication, the users’ first DNS Server must be the same as the LAN Interface IP in order to enter the Authentication WebUI.)

6.6 Dynamic DNS

STEP 1﹒Select Dynamic DNS in the System function (Figure 6-13). Click the New Entry button

Service providers: Select a service provider.

Automatically fill in the WAN 1/2 IP: Check to automatically fill in the WAN 1/2 IP.

User Name: Enter the registered user name.

Password: Enter the password

Domain name: Enter your host domain name

Click OK to add Dynamic DNS. (Figure 6-14)

Figure 6-13 DDNS WebUI

Figure 6-14 Complete DDNS Setting

Chart meanings: Update successfully; Incorrect username or password; Connecting to server; Unknown error

If the System Administrator has not registered a DDNS account, click on Sign up to enter the website of the provider.

If you do not select Automatically in WAN IP, you can enter a specific IP in WAN IP. DDNS then corresponds to that specific IP address.

6.7 Host Table

Host Name

It can be set by the System Manager to allow internal users to access the information provided by the host of the domain.

Virtual IP Address

The virtual IP address corresponding to the Host. It must be a LAN or DMZ IP address.

STEP 1﹒Select Host Table in the Settings function and click on New Entry

Host Name: The domain name of the server

Virtual IP Address: The virtual IP address corresponding to the Host.

Click OK to add the Host Table entry. (Figure 6-15)

Figure 6-15 Add New Host Table

To use the Host Table, the user PC’s first DNS Server must be the same as the LAN Port or DMZ Port IP of the RS-2500, that is, the default gateway.

6.8 Language

Select the Language version (English Version/ Traditional Chinese Version or

Simplified Chinese Version) and click OK. (Figure 6-16)

Figure 6-16 Language Setting WebUI

7. Interface

In this chapter, you can set up the IP addresses for the office network, and you may also

configure the IP addresses of the LAN network, the WAN1 and WAN2 network, and the

DMZ network.

The Netmask and gateway IP addresses are also configured in this chapter.

Define the required fields of Interface

LAN: Using the LAN Interface, the Administrator can set up the LAN network of

RS-2500

WAN: The System Administrator can set up the WAN network of RS-2500.

Connection Test: This function identifies the WAN port’s connection status. The testing methods are as follows:

ICMP: The user defines an IP address and the RS-2500 pings that address to verify the WAN port’s connection status.

DNS: Another way to verify the connection status, by checking the DNS server and Domain Name configured by the user.

Upstream/Downstream Bandwidth: The System Administrator can set the correct bandwidth of the WAN network Interface here.

Auto Disconnect: The PPPoE connection will automatically disconnect after a length of idle time (no activity). Entering “0” means the PPPoE connection will never disconnect.

DMZ: The Administrator uses the DMZ Interface to set up the DMZ network.

NAT Mode: In this mode, the DMZ is an independent virtual subnet. This virtual subnet can be set by the Administrator but cannot be the same as the LAN Interface.

Transparent Mode: In this mode, the DMZ and WAN Interface are in the same subnet.

Balance Mode

Auto: The RS-2500 adjusts the WAN 1/2 utilization rate automatically according to the downstream/upstream bandwidth of each WAN. (For users whose WAN links have different download bandwidths)

Round-Robin: The RS-2500 distributes the WAN 1/2 download bandwidth 1:1; in other words, it selects the agent in order. (For users whose WAN links have the same download bandwidth)

By Traffic: The RS-2500 distributes the WAN 1/2 download bandwidth by accumulated traffic.

By Session: The RS-2500 distributes the WAN 1/2 download bandwidth by saturated connections.

By Packet: The RS-2500 distributes the WAN 1/2 download bandwidth by accumulated packets and saturated connections.

By Source IP: The RS-2500 distributes the WAN 1/2 connections by source IP address. Once a connection is built up, all packets from the same source IP pass through the same WAN interface.

By Destination IP: The RS-2500 allocates the WAN connection according to the destination IP. Once a connection is built up, all packets to the same destination IP pass through the same WAN interface. The connection will be re-assigned a WAN interface when the connections are stopped.

Connect Mode

Display the current connection mode

PPPoE (ADSL user)

Dynamic IP Address (Cable Modem User)

Static IP Address

PPTP (European User Only)

Saturated Connections

Set the saturation number. Whenever the number of sessions reaches it, the RS-2500 switches to the next agent on the list.

Ping: Select this function to allow the LAN users to ping the Interface IP Address.

HTTP: Select to enable the user to enter the WebUI of RS-2500 from Interface IP.

HTTPS: Select to enable the user to enter the secure WebUI of RS-2500 from Interface

IP.

Priority

Set priority of WAN for Internet Access

7.1 LAN

Modify LAN Interface Settings

STEP 1﹒Select LAN in Interface and enter the following setting:

Enter the new IP Address and Netmask

Select Ping, HTTP and HTTPS

Click OK (Figure 7-1)

Figure 7-1 Setting LAN Interface WebUI

The default LAN IP Address is 192.168.1.1. After the Administrator sets the new LAN IP Address on the computer, he/she has to restart the System to make the new IP address effective (when the computer obtains its IP by DHCP).

Do not deselect the WebUI options before setting Permitted IPs; otherwise the Administrator will not be able to enter the RS-2500 WebUI from the LAN.

7.2 WAN

WAN Interface Address Setting

STEP 1﹒Select WAN in Interface and click Modify in WAN1 Interface. (Figure 7-2)

Figure 7-2 Setting WAN Interface WebUI

STEP 2﹒Set the Connection Service (ICMP or DNS method):

ICMP: Enter an Alive Indicator Site IP (can be selected from Assist) (Figure 7-3)

DNS: Enter two different DNS Server IP Addresses and a Domain Name (can be selected from Assist) (Figure 7-4)

Set the time in seconds between sending alive packets.

Figure 7-3 ICMP Connection

Figure 7-4 DNS Service

The connection test is used by the RS-2500 to detect whether the WAN can connect or not. The Alive Indicator Site IP, DNS Server IP Address, or Domain Name must therefore be permanently available; otherwise the device will misjudge the connection status.

STEP 3﹒Select the Connecting way:

PPPoE (ADSL User) (Figure 7-5):

1. Select PPPoE

2. Enter User Name and Password information provided by ISP.

4. Select Dynamic or Fixed in IP Address provided by ISP.

If you select Fixed, please enter IP Address, Netmask, and Default Gateway.

5. Enter Max. Downstream Bandwidth and Max. Upstream Bandwidth (according to the flow that the user applied for)

6. Enter the value for the setting “Auto Disconnect if idle for □ minutes (Range: 1-99999, 0 means always connected)”. The default value is 0 (always connected).

7. Select Ping, HTTP and HTTPS, and click OK (Figure 7-6)

Figure 7-5 PPPoE Connection

Figure 7-6 Complete PPPoE Connection Setting

Dynamic IP Address (Cable Modem User) (Figure 7-7):

1. Select Dynamic IP Address (Cable Modem User)

2. Click Renew to the right of IP Address to obtain an IP address automatically.

3. If the ISP requires the MAC Address, click on Clone MAC Address to obtain the MAC address automatically.

4. Hostname: Enter the hostname provided by ISP.

5. Domain Name: Enter the domain name provided by ISP.

6. User Name and Password are for the IP distribution method that uses DHCP+ protocol authentication.

7. Enter Max. Downstream Bandwidth and Max. Upstream Bandwidth

(According to the flow applied by user)

8. Select Ping, HTTP and HTTPS, and click OK (Figure 7-8)

Figure 7-7 Dynamic IP Address Connection

Figure 7-8 Complete Dynamic IP Connection Setting

Static IP Address (Figure 7-9)

1. Select Static IP Address

2. Enter the IP Address, Netmask, and Default Gateway provided by the ISP

3. Enter DNS Server1 and DNS Server2

4. Enter Max. Downstream Bandwidth and Max. Upstream Bandwidth

(According to the flow applied by user)

5. Select Ping, HTTP and HTTPS, and click OK (Figure 7-10)

Figure 7-9 Static IP Address Connection

Figure 7-10 Complete Static IP Address Connection Setting

The WAN2 Interface does not provide a DNS Server setting; it resolves domain names to their IP addresses using the DNS Server setting of the WAN1 Interface.

When Ping, HTTP, and HTTPS are selected on the WAN network Interface, users will be able to ping the RS-2500 and enter the WebUI from the WAN network. This may affect network security. It is suggested to deselect Ping, HTTP, and HTTPS after all the settings have been finished. If the System Administrator needs to enter the WebUI from the WAN, he/she can use Permitted IPs to enter.

The setting of the WAN2 Interface is almost the same as WAN1, except that WAN2 has a Disable selection. The System Administrator can close the WAN2 Interface with this selection. (Figure 7-11)

Figure 7-11 Disable WAN2 Interface

7.3 DMZ

Setting DMZ Interface Address (NAT Mode)

STEP 1﹒Click DMZ Interface

STEP 2﹒Select NAT Mode in DMZ Interface

Select NAT in DMZ Interface

Enter IP Address and Netmask

STEP 3﹒Select Ping, HTTP and HTTPS

STEP 4﹒Click OK (Figure 7-12)

Figure 7-12 Setting DMZ Interface Address (NAT Mode) WebUI

Setting DMZ Interface Address (Transparent Mode)

STEP 1﹒Select DMZ Interface

STEP 2﹒Select Transparent Mode in DMZ Interface

Select DMZ_Transparent in DMZ Interface

STEP 3﹒Select Ping, HTTP and HTTPS

STEP 4﹒Click OK (Figure 7-13)

Figure 7-13 Setting DMZ Interface Address (Transparent Mode) WebUI

The Transparent Mode of the DMZ setting is only available when the WAN interface is set to Static IP.

8. Address

The RS-2500 allows the Administrator to set Interface addresses of the LAN network, LAN network group, WAN network, WAN network group, DMZ and DMZ group.

An IP address in the Address Table can be the address of a computer or of a sub network. The Administrator can assign an easily recognized name to an IP address. Based on the network it belongs to, an IP address can be a LAN IP address, WAN IP address or DMZ IP address. If the Administrator needs to create a control policy for packets of different IP addresses, he can first add a new group in the LAN Group or the WAN Group and assign those IP addresses to the newly created group. Using group addresses can greatly simplify the process of building control policies.

With easily recognized names of IP addresses and names of address groups shown in the address table, the Administrator can use these names as the source address or destination address of control policies. The address table should be set up before creating control policies, so that the Administrator can pick the names of the correct IP addresses from the address table when setting up control policies.


Name

The System Administrator sets an easily recognized name for the IP Address.

IP Address

It can be one PC’s IP Address or several IP Addresses of a Subnet. The network area can be: Internal IP Address, External IP Address, or DMZ IP Address.

Netmask

When it corresponds to one specific IP, it should be set to 255.255.255.255.

When it corresponds to several IPs of a specific domain, taking 192.168.100.1 (Class C subnet) as an example, it should be set to 255.255.255.0.

MAC Address

Binds a specific PC’s MAC Address to its IP. This prevents users from changing their IP to access network services through a policy without authorization.


Get Static IP address from DHCP Server

When this function is enabled, a client under LAN or DMZ that obtains its IP from the DHCP Server automatically is given the IP that corresponds to its MAC Address.

8.1 LAN

In a DHCP environment, assign a specific IP to static users and restrict them, through policy, to the FTP network service only.

STEP 1﹒Select LAN in Address and enter the following settings:

Click New Entry button (Figure 8-1)

Name: Enter Jacky

IP Address: Enter 192.168.1.2

Netmask: Enter 255.255.255.255

MAC Address: Enter the user’s MAC Address (00:4F:F3:F5:D3:54)

Select Get static IP address from DHCP Server

Click OK (Figure 8-2)

Figure 8-1 Setting LAN Address Book WebUI

Figure 8-2 Complete the Setting of LAN


STEP 2﹒Add the LAN Address setting as the Source Address of an Outgoing Policy, and assign only the FTP service in the Policy rule. (Figure 8-3)

Figure 8-3 Add a Policy of Restricting the Specific IP to Access to Internet

STEP 3﹒The Outgoing Policy that assigns the specific IP to static users and restricts them to the FTP network service only is complete: (Figure 8-4)

Figure 8-4 Complete the Policy of Restricting the Specific IP to Access to Internet

When the System Administrator creates the Address list, he/she can

choose the way of clicking on to make the RS-2500

to fill out the user’s MAC Address automatically.

The WAN and DMZ settings of Address are configured in the same way as LAN; the only difference is that WAN cannot set up a MAC Address.


In the LAN section of the Address function, the RS-2500 automatically provides a default Inside Any address that represents the whole LAN network. WAN and DMZ likewise have the default Outside Any and DMZ Any addresses that represent the whole subnet.
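The following added example (not code from the RS-2500 or its vendor) models the section 8.1 setup in Python: the Jacky address entry with its netmask and MAC binding, and an Outgoing Policy that permits only FTP. The class and function names, the default deny for unmatched traffic, and FTP being TCP port 21 are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Normalise a MAC address to 12 lower-case hex digits."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class AddressEntry:
    """One row of the Address table (hypothetical model)."""
    name: str
    ip: str
    netmask: str
    mac: Optional[str] = None  # the manual: WAN entries cannot carry a MAC

    def network(self):
        # 255.255.255.255 gives one host (/32); 255.255.255.0 gives a /24.
        return ipaddress.ip_network(f"{self.ip}/{self.netmask}", strict=False)

    def matches(self, src_ip: str, src_mac: str) -> bool:
        if ipaddress.ip_address(src_ip) not in self.network():
            return False
        # With a MAC bound to the entry, the IP alone is not enough.
        if self.mac is not None and norm_mac(src_mac) != norm_mac(self.mac):
            return False
        return True


@dataclass(frozen=True)
class OutgoingPolicy:
    source: AddressEntry
    services: frozenset  # set of (protocol, server port)
    action: str = "permit"


FTP = ("tcp", 21)  # assumption: the pre-defined FTP service is TCP port 21

# Values from the manual's example in section 8.1.
JACKY = AddressEntry("Jacky", "192.168.1.2", "255.255.255.255",
                     "00:4F:F3:F5:D3:54")
POLICIES = [OutgoingPolicy(JACKY, frozenset({FTP}))]


def evaluate(policies, src_ip, src_mac, proto, dport) -> str:
    """First matching policy decides; unmatched traffic is denied (assumed)."""
    for policy in policies:
        if policy.source.matches(src_ip, src_mac) and (proto, dport) in policy.services:
            return policy.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample packets: (source IP, source MAC, protocol, port).
    samples = [
        ("192.168.1.2", "00:4f:f3:f5:d3:54", "tcp", 21),  # Jacky, FTP
        ("192.168.1.2", "00:4f:f3:f5:d3:54", "tcp", 80),  # Jacky, HTTP
        ("192.168.1.2", "00:11:22:33:44:55", "tcp", 21),  # other PC using Jacky's IP
        ("192.168.1.3", "00:4f:f3:f5:d3:54", "tcp", 21),  # Jacky's PC with a changed IP
    ]
    for sample in samples:
        print(sample, "->", evaluate(POLICIES, *sample))
```

Only the first sample is permitted: the MAC binding is what stops a user from changing IP to pick up, or escape, the policy written for one address.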

8.2 LAN Group

Set up a Policy that allows only some users to connect with a specific IP (External Specific IP)

STEP 1﹒Set up several LAN network Addresses. (Figure 8-5)

Figure 8-5 Setting Several LAN Network Address

STEP 2﹒ Enter the following settings in LAN Group of Address:

Click New Entry (Figure 8-6)

Enter the Name of the group

Select the users in the Available Address column and click Add

Click OK (Figure 8-7)


Figure 8-6 Add New LAN Address Group

Figure 8-7 Complete Adding LAN Address Group

The WAN Group and DMZ Group settings of Address are configured in the same way as LAN Group.

STEP 3﹒Enter the following settings in WAN of Address function:

Click New Entry (Figure 8-8)

Enter the following data (Name, IP Address, Netmask)

Click OK (Figure 8-9)

Figure 8-8 Add New WAN Address


Figure 8-9 Complete the Setting of WAN Address

STEP 4﹒In Outgoing Policy, select LAN Group as Source Address, and select WAN

Address as the Destination Address. (Figure 8-10, 8-11)

Figure 8-10 To Exercise Address Setting in Policy

Figure 8-11 Complete the Policy Setting

The Address function takes effect only when it is used with a Policy.

9. Service

The TCP and UDP protocols support a variety of services, and each service is identified by a TCP port or UDP port number, such as TELNET (23), FTP (21), SMTP (25), POP3 (110), etc. The RS-2500 includes two kinds of services: Pre-defined Service and Custom Service.

The commonly used TCP and UDP services are defined in the Pre-defined Service and cannot be modified or removed. In the Custom menu, users can define other TCP port and UDP port numbers that are not in the pre-defined menu according to their needs. When defining custom services, the client port ranges from 1024 to 65535 and the server port ranges from 0 to 65535.

In this chapter, network services are defined and new network services can be added. There are three sub menus under Service: Pre-defined, Custom, and Group. The Administrator can simply follow the instructions below to define the protocols and port numbers for network communication applications. Users can then connect to servers and other computers through these available network services.

How to use Service?

The Administrator can add new service group names in the Group option under the Service menu, and assign the desired services to that new group. Using a service group, the Administrator can simplify the process of setting up control policies. For example, there are 10 different computers that want to access 5 different services on a server, such as HTTP, FTP, SMTP, POP3, and TELNET. Without the help of service groups, the Administrator needs to set up 50 (10x5) control policies, but by applying all 5 services to a single group name in the Service field, it takes only one control policy to achieve the same effect as the 50 control policies.


9.1 Pre-defined

Pre-defined WebUI’s Chart and Illustration

Chart Illustration

Any Service

TCP Service, for example: AFPoverTCP, AOL, BGP, FTP, FINGER, HTTP, HTTPS, IMAP, SMTP, POP3, GOPHER, InterLocator, IRC, L2TP, LDAP, NetMeeting, NNTP, PPTP, Real-Media, RLOGIN, SSH, TCP-ANY, TELNET, VDO-Live, WAIS, WINFRAME, X-WINDOWS, MSN, …etc.

UDP Service, for example: IKE, DNS, NFS, NTP, PC-Anywhere, RIP, SNMP, SYSLOG, TALK, TFTP, …etc.

ICMP Service, for example: PING, TRACEROUTE, …etc.


9.2 Custom

New Service Name

The System Manager can name the custom service.

Protocol

The protocol type to be used in connection for device, such as TCP, UDP, IP

mode

Client Port

The port number on the client’s network card. (The range is 0 ~ 65535; using the default range is recommended.)

Server Port

The port number of custom service

Configuration Example

Allow external users to communicate with internal users by VoIP through policy. (VoIP Port: TCP 1720, TCP 15328-15333, UDP 15328-15333)

STEP 1﹒Set LAN and LAN Group in Address function as follows: (Figure 9-1, 9-2)

Figure 9-1 Setting LAN Address Book WebUI

Figure 9-2 Setting LAN Group Address Book WebUI


STEP 2﹒Enter the following setting in Custom of Service function:

Click New Entry (Figure 9-3)

Service Name: Enter the preset name VoIP

Protocol#1 select TCP, do not change the Client Port, and set the Server

Port as: 1720:1720

Protocol#2 select TCP, do not change the Client Port, and set the Server

Port as: 15328:15333

Protocol#3 select UDP, do not change the Client Port, and set the Server

Port as: 15328:15333

Click OK (Figure 9-4)

Figure 9-3 Add User Define Service

Figure 9-4 Complete the Setting of User Define Service of VoIP

Under general circumstances, the client port range is 0-65535. Changing the client range in Custom of Service is not recommended.

If the port numbers entered in the two fields are different, the ports in the range between the two numbers are enabled (for example: 15328:15333). If the port numbers entered in the two fields are the same, only that one port is enabled (for example: 1720:1720).


STEP 3﹒Assign the Custom Service to Virtual Server. (Figure 9-5)

Figure 9-5 Assign Custom Service to Virtual Server

STEP 4﹒Assign Virtual Server to Incoming Policy. (Figure 9-6)

Figure 9-6 Configure Incoming Policy and allow External VoIP connecting with Internal VoIP

STEP 5﹒In Outgoing Policy, complete the setting of internal users using VoIP to connect

with external network VoIP: (Figure 9-7)

Figure 9-7 Complete the Policy for Internal VoIP to connect with External VoIP

Service must be used together with Policy and Virtual Server for the function to take effect.


9.3 Group

Creating a service group that collects the service ports for certain source or destination addresses simplifies the RS-2500 settings and also improves the performance of the RS-2500, because the more Policy rules you create, the less performance you get.

Configuration Example

Restrict specific users so that they can access only specific service resources (HTTP, POP3, SMTP, DNS).

STEP 1﹒Enter the following setting in Group of Service:

Click New Entry

Name: Enter Main_Service

Select HTTP, POP3, SMTP, DNS in Available Service and click Add

(Figure 9-8)

Click OK (Figure 9-9)

Figure 9-8 Add Service Group

Figure 9-9 Complete the setting of Adding Service Group


If you want to remove a service from Selected Service, choose the service you want to delete and click Remove.

STEP 2﹒In LAN Group of the Address function, set up an Address Group for the users whose Internet access is limited to this service group. (Figure 9-10)

Figure 9-10 Setting Address Book Group

STEP 3﹒Apply the Service Group to an Outgoing Policy. (Figure 9-11)

Figure 9-11 Setting Policy

10. Schedule

In this chapter, the RS-2500 lets the Administrator configure a schedule for when a policy takes effect, so that policies are used at the designated times. The Administrator can then set the start time and stop time of a Policy or VPN connection in Policy or VPN. By using the Schedule function, the Administrator can save a lot of management time and make the network system most effective.

How to use the Schedule?

The System Administrator can use a schedule to have the device carry out the connection of a Policy or VPN automatically during several different time periods.

Configuration Example

Configure the valid time periods for LAN users to access the Internet in a day

STEP 1﹒Enter the following in Schedule:

Click New Entry (Figure 10-1)

Enter Schedule Name

Set up the working time of Schedule for each day

Click OK (Figure 10-2)

Figure 10-1 Setting Schedule WebUI


Figure 10-2 Complete the Setting of Schedule

STEP 2﹒Apply the Schedule to an Outgoing Policy (Figure 10-3)

Figure 10-3 Complete the Setting of Comparing Schedule with Policy

The Schedule must be used with a Policy.

11. QoS

By configuring QoS, you can control the OutBound and InBound Upstream/Downstream Bandwidth. The administrator can configure the bandwidth according to the WAN bandwidth.

Downstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth.

Upstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth.

QoS Priority: To configure the priority of distributing Upstream/Downstream and unused bandwidth.

The RS-2500 configures the bandwidth through different QoS settings, and selects the suitable QoS through Policy to control and efficiently distribute bandwidth. The RS-2500 also makes it convenient for the administrator to get the best use out of the bandwidth. (Figure 11-1, 11-2)

Figure 11-1 the Flow Before Using QoS


Figure 11-2 the Flow After Using QoS (Max. Bandwidth: 400Kbps, Guaranteed Bandwidth: 200Kbps)

QoS Definition

WAN

Display WAN1 and WAN2

Downstream Bandwidth

Configure the Guaranteed Bandwidth and Maximum Bandwidth according to the bandwidth range you applied for from the ISP.

Upstream Bandwidth

Configure the Guaranteed Bandwidth and Maximum Bandwidth according to the bandwidth range you applied for from the ISP.

Priority

Configure the priority of distributing Upstream/Downstream and unused bandwidth.

Guaranteed Bandwidth

The basic bandwidth of QoS. A connection that uses the IPSec Autokey of VPN or a Policy reserves this basic bandwidth.

Maximum Bandwidth

The maximum bandwidth of QoS. The bandwidth of a connection that uses the IPSec Autokey of VPN or a Policy will not exceed the amount you set.


Configuration Example

1. Assign User1 a Guaranteed bandwidth of 128/64Kbps and a Maximum bandwidth of 256/128Kbps; the priority level is Middle.

2. Assign User2 a Guaranteed bandwidth of 64/64Kbps and a Maximum bandwidth of 128/128Kbps; the priority level is High.

STEP 1﹒Interface WAN: Enter the correct WAN speed provided by the ISP. (Figure 11-3)

Figure 11-3 QoS WebUI Setting

When the administrator sets QoS, the bandwidth range that can be set is limited to the value that the System Administrator set in WAN of Interface. So when the System Administrator sets the downstream and upstream bandwidth in WAN of Interface, he/she must set them precisely.


STEP 2﹒Policy Object Address LAN: Define User1 and User2 IP address.

(Figure 11-4)

Figure 11-4 Define Users’ IP address on Address setting

STEP 3﹒Policy Object QoS: Create first QoS rule

Click New Entry (Figure 11-5)

Name: The name of the QoS you want to configure.

Enter the bandwidth in WAN1

Select QoS Priority as Middle

Click OK (Figure 11-6)

Figure 11-5 First QoS WebUI Setting

Figure 11-6 Complete the first QoS Setting

STEP 4﹒Policy Object QoS: Create second QoS rule

Click New Entry (Figure 11-7)

Name: The name of the QoS you want to configure.

Enter the bandwidth in WAN1

Select QoS Priority as High

Click OK (Figure 11-8)


Figure 11-7 Second QoS WebUI Setting

Figure 11-8 Complete the both QoS Setting

STEP 5﹒Policy Outgoing: Create Outgoing Policy and assign each user with its QoS

rule. (Figure 11-9)

Figure 11-9 Setting the QoS in Policy


How does the Priority function work?

1. The WAN speed is defined as 2048/2048 Kbps.

2. The QoS_1 rule is defined with a Guaranteed Bandwidth of 1024/512 Kbps.

3. The QoS_2 rule is defined with a Guaranteed Bandwidth of 512/256 Kbps.

4. The undefined WAN bandwidth is 512/256 Kbps.

5. When the G. Bandwidth is not enough, the system assigns undefined bandwidth to support the QoS rule.

6. A QoS rule with high priority gets extra bandwidth first.

7. G. Bandwidth + extra bandwidth will not exceed M. Bandwidth.

8. If all QoS rules are set to the same priority level, the first user who needs the extra bandwidth gets it.
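The rules in the list above can be traced with a small model. This is an added example, not RS-2500 code: it uses the downstream figures from the list (WAN 2048 Kbps, guarantees of 1024 and 512 Kbps), while the Maximum Bandwidth values, the per-rule demand, the priority assignment, the "Low" level, and treating list order as "who asks first" are assumptions made for the sketch.

```python
from dataclasses import dataclass

# Lower number is served first. "Low" is assumed; the page shows Middle and High.
PRIORITY_ORDER = {"High": 0, "Middle": 1, "Low": 2}


@dataclass(frozen=True)
class QosRule:
    name: str
    guaranteed: int  # G. Bandwidth in Kbps
    maximum: int     # M. Bandwidth in Kbps
    priority: str
    demand: int      # constructed: what the user is currently trying to use


def allocate(wan_kbps, rules):
    """Return ({rule name: granted Kbps}, undefined Kbps still unassigned)."""
    for rule in rules:
        if rule.guaranteed > rule.maximum:
            raise ValueError(f"{rule.name}: guaranteed exceeds maximum")
    reserved = sum(rule.guaranteed for rule in rules)
    if reserved > wan_kbps:
        raise ValueError("guarantees exceed the WAN bandwidth")

    # Item 4: whatever no rule has reserved is the undefined bandwidth.
    pool = wan_kbps - reserved
    # Every rule first gets what it needs, up to its guarantee.
    granted = {rule.name: min(rule.demand, rule.guaranteed) for rule in rules}

    # Items 5, 6 and 8: extra bandwidth goes to higher priority first;
    # sorted() is stable, so equal priorities keep their list order.
    for rule in sorted(rules, key=lambda r: PRIORITY_ORDER[r.priority]):
        # Item 7: guarantee plus extra never exceeds the maximum.
        shortfall = min(rule.demand, rule.maximum) - granted[rule.name]
        extra = max(0, min(shortfall, pool))
        granted[rule.name] += extra
        pool -= extra
    return granted, pool


# Downstream figures from the list; maximum, priority and demand are constructed.
MIXED_PRIORITY = [
    QosRule("QoS_1", 1024, 1536, "Middle", 2000),
    QosRule("QoS_2", 512, 1024, "High", 2000),
]
SAME_PRIORITY = [
    QosRule("QoS_1", 1024, 1536, "Middle", 2000),
    QosRule("QoS_2", 512, 1024, "Middle", 2000),
]

if __name__ == "__main__":
    print("High beats Middle:", allocate(2048, MIXED_PRIORITY))
    print("Same priority:    ", allocate(2048, SAME_PRIORITY))
```

With mixed priorities the High rule takes all 512 Kbps of undefined bandwidth; with equal priorities the rule listed first takes it.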

12. Authentication

By configuring Authentication, you can control users’ connection authority. A user has to pass the authentication to access the Internet.

The RS-2500 authenticates LAN users by an account and password that identify their privilege.

12.1 Auth Setting

Provides the Administrator with the port number and valid time settings for RS-2500 authentication. (Authentication has to be set up first.)

Authentication Port: The port number that internal users connect to for the authentication page. The port number can be changed.

Re-Login if Idle: Forces an internal user to log in again when the idle time is exceeded after passing the authentication. The default value is 30 minutes.

Re-Login after user login successfully: Permits the user to re-login within a period of time. The default value is 0, which means unlimited.

Deny multi-login if the auth user has login: Prevents the same user account from being logged in to the system twice.


URL to redirect when authentication succeed: Redirects the homepage to the specified website after the user has passed Authentication. The default value is blank.

Messages to display when user login: Displays the login message in the authentication WebUI (HTML is supported). The default value is blank (no message is displayed in the authentication WebUI).

Configuration Example

1. Add the following setting in this function: (Figure 12-1)

Figure 12-1 Authentication Setting WebUI

2. When a user connects to an external network through Authentication, the following page is displayed: (Figure 12-2)

Figure 12-2 Authentication Login WebUI


3. It will connect to the appointed website after passing Authentication: (Figure 12-3)

Figure 12-3 Connecting to the Appointed Website After Authentication

If a user wants to authenticate proactively, he/she can enter the LAN IP with the Authentication port number, and the Authentication WebUI will then be displayed.


12.2 Auth User

Authentication-User Name

The user account for Authentication you want to set.

Password

The password when setting up Authentication.

Confirm Password

Retype the password to confirm it.

Configuration Example

Configure specific users to connect with the external network only when they pass the authentication of a policy. (Adopt the built-in Auth User and Auth Group, RADIUS, or POP3 Function)

STEP 1﹒Setup several Auth User in Authentication. (Figure 12-4)

Figure 12-4 Setting Several Auth Users WebUI

To use Authentication, the DNS Server of the user’s network card must be the same as the LAN Interface Address of the RS-2500.

STEP 2﹒Users can also be authenticated with a RADIUS server. Just enter the Server IP, Port number, and password, and enable the function.

Enable RADIUS Server Authentication

Enter RADIUS Server IP

Enter RADIUS Server Port

Enter password in Shared Secret

Complete the setting of RADIUS Server (Figure 12-5)

Figure 12-5 Setting RADIUS WebUI


STEP 3﹒The third method of Authentication is to check the account with POP3 Server.

Enable POP3 Server Authentication

Enter POP3 Server IP

Enter POP3 Server Port

Complete the setting of POP3 Server (Figure 12-6)

Figure 12-6 Setting POP3 WebUI

STEP 4﹒Add Auth User Group Setting in Authentication function and enter the following

settings:

Click New Entry

Name: Enter Product_dept

Select the Auth User you want and Add to Selected Auth User

Click OK

Complete the setting of Auth User Group (Figure 12-7)

Figure 12-7 Setting Auth Group WebUI


STEP 5﹒Add the first policy in Outgoing Policy to allow the DNS service to pass through to the Internet. (Figure 12-8)

Figure 12-8 Add first Policy rule to allow DNS passing through

STEP 6﹒Add the second policy in Outgoing Policy and select the Authentication item. (Figure 12-9, 12-10)

Figure 12-9 Auth-User Policy Setting


Figure 12-10 Complete the Policy Setting of Auth-User

STEP 7﹒When a user is going to access the Internet through a browser, the authentication UI will appear in the browser. After entering the correct user name and password, click OK to access the Internet. (Figure 12-11)

Figure 12-11 Access to Internet through Authentication WebUI

STEP 8﹒If the user does not need to access the Internet anymore and is going to log out, he/she can click LOGOUT Auth-User to log out of the system, or enter the Logout Authentication WebUI (http://LAN Interface:Authentication port number/logout.html) to log out. (Figure 12-12)

Figure 12-12 Logout Auth-User WebUI

13. Content Blocking

Content Filtering includes “URL”, “Script”, “Download”, and “Upload”.

URL Blocking: The administrator can “Allow” or “Restrict” access to specific websites by complete domain name, key words, and meta-characters ( ~ and * ).

Script Blocking: Restricts access to Popup, ActiveX, Java, or Cookie.

Download Blocking: Restricts downloading files of a specific sub-name (file extension), audio, and some common video directly by the http protocol.

Upload Blocking: Restricts uploading files of a specific sub-name (file extension), or restricts all types of files.

13.1 URL

Restrict the Internal Users so that they can access only some specific Websites

※ URL Blocking:

Symbol: ~ means open up (allow); * means meta-character (wildcard)

To block a specific website: Type the “complete domain name” or “key word” of the website you want to restrict in URL String. For example: www.kcg.gov.tw or gov.

To allow access to specific websites only:

1. Type the symbol “~” in front of the “complete domain name” or “key word” to mark a website that may be accessed. For example: ~www.kcg.gov.tw or ~gov.

2. After setting up the websites you want to allow, enter a forbid-all entry as the last URL String; just type * in URL String.

Warning! The forbid-all entry must be placed last. If you want to open up a new website, you must delete the forbid-all entry and then enter the new domain name. Finally, re-enter the forbid-all entry.


STEP 1﹒Policy Object Content Blocking URL: Enter the following in URL of

Content Filtering function.

Click New Entry

URL String: Enter ~yahoo, and click OK

Click New Entry

URL String: Enter ~google, and click OK

Click New Entry

URL String: Enter *, and click OK

Complete setting a URL Blocking policy (Figure 13-1)

Figure 13-1 Content Filtering Table

STEP 2﹒Policy Outgoing: Add an Outgoing Policy and apply the Content Blocking function in it: (Figure 13-2)

Figure 13-2 URL Blocking Policy Setting


STEP 3﹒The Outgoing Policy that permits the internal users to access only some specific websites is complete: (Figure 13-3)

Figure 13-3 Complete Policy Settings

With the above policy, users can browse only websites whose domain name includes “yahoo” or “google”.
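To show why the forbid-all entry has to come last and how far a key-word entry reaches, here is an added Python model of the URL String list (not code from the RS-2500). It assumes that entries are checked from top to bottom with the first match deciding, that a key word matches anywhere in the host name, and that a request matching no entry is allowed; the host names are constructed samples.

```python
import fnmatch


def parse_entry(url_string):
    """Split one URL String into (action, pattern)."""
    text = url_string.strip().lower()
    action = "block"
    if text.startswith("~"):       # "~" opens up (allows) the entry
        action, text = "allow", text[1:]
    if not text:
        raise ValueError(f"empty URL String: {url_string!r}")
    return action, text


def matches(pattern, host):
    """Key words and domain names match as substrings; * is a wildcard."""
    return fnmatch.fnmatchcase(host.lower(), "*" + pattern + "*")


def decide(entries, host):
    """Return 'allow' or 'block' for a host; first matching entry wins."""
    for raw in entries:
        action, pattern = parse_entry(raw)
        if matches(pattern, host):
            return action
    return "allow"  # assumption: nothing matched, nothing restricted


def lint(entries):
    """Point out list orderings and entries that behave unexpectedly."""
    warnings = []
    parsed = [parse_entry(e) for e in entries]
    for i, (action, pattern) in enumerate(parsed):
        if action == "block" and pattern == "*" and i != len(parsed) - 1:
            hidden = ", ".join(entries[i + 1:])
            warnings.append(
                f"forbid-all at position {i + 1} hides later entries: {hidden}")
        if action == "allow" and "." not in pattern:
            warnings.append(
                f"keyword '~{pattern}' allows every host containing '{pattern}'")
    has_allow = any(a == "allow" for a, _ in parsed)
    has_forbid_all = any(a == "block" and p == "*" for a, p in parsed)
    if has_allow and not has_forbid_all:
        warnings.append("allow entries present but no final forbid-all '*'")
    return warnings


# The list built in STEP 1 of this section.
RULES = ["~yahoo", "~google", "*"]

if __name__ == "__main__":
    for host in ("www.yahoo.com", "www.example.org", "yahoo.example.net"):
        print(host, "->", decide(RULES, host))
    # Forbid-all entered too early: the later allow entry never takes effect.
    print(decide(["*", "~yahoo"], "www.yahoo.com"))
    for warning in lint(["~yahoo", "*", "~google"]):
        print("warning:", warning)
```

Under these assumptions `~yahoo` also admits `yahoo.example.net`, so an allow list meant for one site is tighter when written with the complete domain name, as in `~www.kcg.gov.tw`.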

13.2 Script

Restrict the Internal Users from accessing Script files of Websites

STEP 1﹒Policy Object Content Blocking Script: Select the following data in Script

of Content Blocking function

Select Popup Blocking

Select ActiveX Blocking

Select Java Blocking

Select Cookie Blocking

Click OK

Complete the setting of Script Blocking (Figure 13-4)

Figure 13-4 Script Blocking WebUI


STEP 2﹒Policy Outgoing: Add a new Outgoing Policy and apply the Content Blocking function in it. (Figure 13-5)

Figure 13-5 New Policy of Script Blocking Setting

STEP 3﹒The Outgoing Policy that restricts the internal users from accessing Script files of Websites is complete: (Figure 13-6)

Figure 13-6 Complete Script Blocking Policy Setting

With this policy, users cannot use the specific functions (like JAVA, cookie…etc.) when browsing websites. It can prevent users from browsing stock exchange websites…etc.


13.3 Download

Restrict the Internal Users from downloading video, audio and files of some specific sub-name (file extension) directly by the http or ftp protocol

STEP 1﹒Policy Object Content Blocking Download: Enter the following settings in

Download of Content Blocking function

Select All Types Blocking

Click OK

Complete the setting of Download Blocking. (Figure 13-7)

Figure 13-7 Download Blocking WebUI

STEP 2﹒Policy Outgoing: Add a new Outgoing Policy and apply the Content Blocking function in it. (Figure 13-8)


Figure 13-8 Add New Download Blocking Policy Setting

STEP 3﹒The Outgoing Policy that restricts the internal users from downloading video, audio, and files of some specific sub-name (file extension) directly by the http protocol is complete: (Figure 13-9)

Figure 13-9 Complete Download Blocking Policy Setting


13.4 Upload

Restrict internal users from uploading files with specific extensions directly over HTTP or FTP.

STEP 1﹒Policy Object > Content Blocking > Upload: Enter the following settings in Upload of the Content Blocking function:

Select All Types Blocking

Click OK

Complete the setting of Upload Blocking. (Figure 13-10)

Figure 13-10 Upload Blocking WebUI

STEP 2﹒Policy > Outgoing: Add a new Outgoing Policy and use the Content Blocking function in it. (Figure 13-11)


Figure 13-11 Add New Upload Blocking Policy Setting

STEP 3﹒Complete the Outgoing Policy that restricts internal users from uploading files with specific extensions directly over HTTP: (Figure 13-12)

Figure 13-12 Complete Upload Blocking Policy Setting


14. Application Blocking

RS-2500 Application Blocking lets the system block the connections of applications such as IM, P2P, Video/Audio Application, Webmail, Game Application, Tunnel Application, and Remote Control Application.

Application Signature Definition: The system automatically checks for new signatures every hour; the user can also click the “Update NOW” button to check for new signatures. (Figure 14-1)

Figure 14-1 Application Signature Definition WebUI

Instant Message Login: Restrict permission to log in to MSN, Yahoo Messenger, ICQ/AIM, QQ/TM2008, Skype, Google Talk, Gadu-Gadu, Rediff, WebIM, and AllSoft. (Figure 14-2)

Figure 14-2 Instant Message Login WebUI

Instant Message File Transfer: Restrict permission to transfer files via MSN, Yahoo Messenger, ICQ/AIM, QQ, Skype, Google Talk, and Gadu-Gadu. (Figure 14-3)

Figure 14-3 Instant Message File Transfer WebUI


Due to RS-2500 hardware limitations, it is not possible to block every kind of application in the world, so we have chosen to block some popular applications. If you require the RS-2500 to block a specific application, please contact the AirLive Support Team. We will evaluate the application and try to improve it.

Peer-to-Peer Application: Restrict permission to transfer files using eDonkey, Bit Torrent, WinMX, Foxy, KuGoo, AppleJuice, AudioGalaxy, DirectConnect, iMesh, MUTE, Thunder5, GoGoBox, QQDownload, Ares, Shareaza, BearShare, Morpheus, Limewire, and KaZaa. (Figure 14-4)

Figure 14-4 Peer-to-Peer Application WebUI

Video / Audio Application: Restrict permission to watch video or listen to audio from the Internet using PPLive, PPStream, UUSee, QQLive, ezPeer, and qvodplayer. (Figure 14-5)

Figure 14-5 Video / Audio Application WebUI

Webmail: Restrict permission to access webmail services such as Gmail, Hotmail, Yahoo, Hinet, PChome, URL, Yam, Seednet, 163/126/Yeah, Tom, Sina, Sohu, and QQ/Foxmail. (Figure 14-6)

Figure 14-6 Webmail WebUI


Game Application: Restrict permission to access Internet games such as GLWorld and QQGame. (Figure 14-7)

Figure 14-7 Game Application WebUI

Tunnel Application: Restrict permission to access the Internet via tunnel applications such as VNN Client, Ultra-Surf, Tor, and Hamachi. (Figure 14-8)

Figure 14-8 Tunnel Application WebUI

Remote Control Application: Restrict permission to use remote control applications such as TeamViewer, VNC, and Remote Desktop. (Figure 14-9)

Figure 14-9 Tunnel Application WebUI


Configuration Example

GroupA users are not allowed to use MSN, Yahoo, and Skype.

GroupB users are allowed to use MSN, but they cannot transfer files by MSN.

GroupC users are not allowed to use MSN, Yahoo, Skype, eDonkey, and Bit Torrent.

STEP 1﹒Policy Object > Address > LAN: Enter the name and IP address of LAN users.

STEP 2﹒Policy Object > Address > LAN Group: Allocate the users to their dedicated groups, creating GroupA, GroupB, and GroupC. (Figure 14-10)

Figure 14-10 Create Groups

STEP 3﹒Policy Object > Application Blocking > Setting: Create the first Application Blocking rule for GroupA to block MSN, Yahoo and Skype. (Figure 14-11)

Figure 14-11 Create first Application Groups

STEP 4﹒Policy Object > Application Blocking > Setting: Create the second Application Blocking rule for GroupB, so that users in GroupB can access MSN but cannot send files using MSN. (Figure 14-12)

Figure 14-12 Create Second Application Groups


STEP 5﹒Policy Object > Application Blocking > Setting: Create the Application Blocking rule for GroupC to block MSN, Yahoo, Skype, eDonkey, and Bit Torrent. (Figure 14-13)

Figure 14-13 Create Second Application Groups

STEP 6﹒Policy > Outgoing: Create three Outgoing Policy rules and assign each group its Application Blocking setting. (Figure 14-14)

Figure 14-14 Create Policy rules with groups and enable Application Blocking


It is recommended to have the IM File Transfer Blocking setting in place before users' IM software logs in successfully; otherwise some IM software may still be able to transfer files until the user logs out of the IM software.

P2P Transfer occupies a large amount of bandwidth, so it may affect other users. P2P Transfer can also change its service port freely, so restricting P2P Transfer by Service is ineffective. Therefore, the system manager must use Application Blocking to restrict users' P2P Transfer effectively.

It is suggested not to enable all Application Blocking items; select only the application types you need to block. Because the RS-2500 examines every packet and analyzes the packets' behavior, the more application items you select to block, the lower the performance will be.
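The two notes above on P2P and on inspection cost, shown as an added Python example (not RS-2500 firmware code): a port rule and a payload signature are run over the same constructed flows, and the classifier counts the bytes it had to inspect. The port range 6881-6889 and all addresses are assumptions; the RS-2500 signature format is not documented on this page, so the standard BitTorrent handshake prefix stands in for it.

```python
from dataclasses import dataclass, field

# Start of a BitTorrent peer-wire handshake: length byte 19 + protocol name.
BT_PREFIX = b"\x13BitTorrent protocol"
# Assumption: a Service-style rule that blocks the traditional BitTorrent ports.
SERVICE_BLOCKED_PORTS = frozenset(range(6881, 6890))


def service_rule_blocks(flow_id):
    """Port-based decision: only the destination port is examined."""
    return flow_id[3] in SERVICE_BLOCKED_PORTS


@dataclass
class FlowState:
    buf: bytearray = field(default_factory=bytearray)
    verdict: str = "undecided"          # undecided | p2p | no-match


class SignatureClassifier:
    """Payload-based decision that survives a handshake split across segments."""

    def __init__(self):
        self.flows = {}
        self.bytes_inspected = 0        # rough cost of looking inside packets

    def feed(self, flow_id, payload):
        state = self.flows.setdefault(flow_id, FlowState())
        if state.verdict != "undecided":
            return state.verdict        # decided flows are not inspected again
        chunk = payload[:len(BT_PREFIX) - len(state.buf)]
        state.buf += chunk
        self.bytes_inspected += len(chunk)
        if bytes(state.buf) == BT_PREFIX:
            state.verdict = "p2p"
        elif not BT_PREFIX.startswith(bytes(state.buf)):
            state.verdict = "no-match"  # the prefix can no longer match
        return state.verdict


# Constructed sample traffic: (src IP, src port, dst IP, dst port, proto), payload.
FLOW_STD = ("192.168.1.20", 50001, "198.51.100.7", 6881, "tcp")
FLOW_MOVED = ("192.168.1.21", 50002, "198.51.100.8", 8080, "tcp")
FLOW_WEB = ("192.168.1.22", 50003, "198.51.100.9", 80, "tcp")
CONSTRUCTED_PACKETS = [
    (FLOW_STD, BT_PREFIX + bytes(8)),          # P2P on a traditional port
    (FLOW_MOVED, b"\x13BitTorr"),              # P2P moved to port 8080, segment 1
    (FLOW_WEB, b"GET / HTTP/1.1\r\n"),         # ordinary web request
    (FLOW_MOVED, b"ent protocol" + bytes(8)),  # segment 2 completes the prefix
]


def classify_capture(packets):
    """Return ({flow: (blocked by port rule, signature verdict)}, bytes inspected)."""
    classifier = SignatureClassifier()
    result = {}
    for flow_id, payload in packets:
        result[flow_id] = (service_rule_blocks(flow_id),
                           classifier.feed(flow_id, payload))
    return result, classifier.bytes_inspected


if __name__ == "__main__":
    verdicts, cost = classify_capture(CONSTRUCTED_PACKETS)
    for flow, (by_port, by_signature) in verdicts.items():
        print(flow[3], "port rule:", by_port, "signature:", by_signature)
    print("payload bytes inspected:", cost)
```

Each additional signature repeats this per-flow buffering and comparison, which is the performance cost the last note describes.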


15. Virtual Server

The real IP addresses provided by the ISP are never enough for all the users when the system manager applies for a network connection from the ISP. Generally speaking, in order to allocate enough IP addresses for all computers, an enterprise assigns each computer a private IP address, and converts it into a real IP address through the RS-2500’s NAT (Network Address Translation) function. If a server that provides service to the WAN network is located in the LAN network, external users cannot directly connect to the server by using the server’s private IP address.

The RS-2500’s Virtual Server function can solve this problem. A Virtual Server uses the real IP address of the RS-2500’s WAN network interface as the Virtual Server IP. Through the Virtual Server function, the RS-2500 translates the Virtual Server’s IP address into the private IP address in the LAN network.

The Virtual Server has another feature known as one-to-many mapping: one real server IP address on the WAN interface can be mapped to the private IP addresses of four LAN servers that provide the same service. This option is useful for Load Balancing, in which the Virtual Server distributes data packets to each private IP address (the real servers) by session. It therefore reduces the load on any single server, lowers the crash risk, and improves work efficiency.

In this chapter, we give a detailed introduction to and instructions for Mapped IP and Server 1/2/3/4.


15.1 Mapped IP

Because the Intranet uses private IP addresses through NAT (Network Address Translation) mode, a server in the LAN has a private IP address, and external users cannot connect to that private IP address directly. The user must connect to a Real IP in the RS-2500’s WAN subnet, and the RS-2500 then maps the Real IP to the Private IP in the LAN. It is a one-to-one mapping: all services of one WAN Real IP Address are mapped to one LAN Private IP Address.

WAN IP:

WAN IP Address (Real IP Address)

Map to Virtual IP:

Map the WAN Real IP Address into the LAN Private IP Address

Configuration Example

Map a specific WAN IP address to a LAN server, so Internet users can access its services.

STEP 1﹒Set up a server that provides several services in the LAN, and set its network card’s IP to 192.168.1.100. DNS is the External DNS Server.

STEP 2﹒Policy Object > Address > LAN: Enter the following setting in LAN of the Address function. (Figure 15-1)

Figure 15-1 Mapped IP Settings of Server in Address


STEP 3﹒Policy Object > Virtual Server > Mapped IP: Enter the following data in Mapped IP of the Virtual Server function:

Click New Entry

WAN IP: Enter 60.250.158.64 (click Assist for assistance)

Map to Virtual IP: Enter 192.168.1.100

Click OK

Complete the setting of adding new mapped IP (Figure 15-2)

Figure 15-2 Mapped IP Setting WebUI

STEP 4﹒Policy Object > Service > Group: In the Service function, group the services (DNS, HTTP, PPTP …) that the server provides and uses. Also add a new service group so the server can send mail at the same time. (Figure 15-3)

Figure 15-3 Service Setting

STEP 5﹒Policy > Incoming: Add a policy that includes the settings of STEP 3 and STEP 4 in Incoming Policy. (Figure 15-4)

Figure 15-4 Complete the Incoming Policy

STEP 6﹒Policy > Outgoing: Add a policy that includes the settings of STEP 2 and STEP 4 in Outgoing Policy. It lets the server send e-mail to an external mail server through the mail service. (Figure 15-5)

Figure 15-5 Complete the Outgoing Policy


STEP 7﹒Complete the setting of providing several services by mapped IP.

It is strongly suggested not to choose ANY as the service when setting up Mapped IP. Otherwise the Mapped IP will be easily exposed to the Internet and may be attacked by hackers.

Be careful when you assign the WAN interface IP address to the Mapped IP function: remote users may no longer be able to access the RS-2500 web console. If you have only one real IP address from your ISP, we suggest choosing the Virtual Server function instead of Mapped IP.

15.2 Virtual Server

Its function resembles Mapped IP’s, but the Virtual Server maps one to many: it maps a Real IP Address to 1~4 LAN Private IP Addresses and provides the service items defined in Service.

Virtual Server Real IP:

The WAN IP address that is mapped by the Virtual Server

Service name (Port Number):

The name of the service provided by the Virtual Server

WAN Port:

The WAN service port provided by the Virtual Server. If the service you choose has only one port, you can change the port number here. (If you change the port number to 8080, external users must change the port number first when they browse the Website.)

Server Virtual IP:

The virtual IP that is mapped by the Virtual Server


Configuration Example - Server Load Balance

Create a Web Server and three mirror sites on the LAN, configure the RS-2500 Virtual Server function, and assign the 4 server IP addresses to it. The Server Load Balance function works in Round Robin fashion, so each server receives access sessions in turn.

STEP 1﹒Set up several servers that provide Web service in the LAN network, with IP addresses 192.168.1.101, 192.168.1.102, 192.168.1.103, and 192.168.1.104.

STEP 2﹒Enter the following data in Server 1 of the Virtual Server function:

Click the button next to Virtual Server Real IP (“click here to configure”) in Server1 (Figure 15-6)

Figure 15-6 Virtual Server Real IP Setting-1

Virtual Server Real IP: Enter 60.250.158.66 (click Assist for assistance)

Click OK (Figure 15-7)

Figure 15-7 Virtual Server Real IP Setting-2

Click New Entry

Service: Select HTTP (80)

External Service Port: Type in 80

Load Balance Server1: Enter 192.168.1.101

Load Balance Server2: Enter 192.168.1.102

Load Balance Server3: Enter 192.168.1.103

Load Balance Server4: Enter 192.168.1.104

Click OK and complete the setting of Virtual Server (Figure 15-8)


Figure 15-8 Virtual Server Configuration WebUI

STEP 3﹒Add a new policy in Incoming Policy that includes the virtual server set in STEP 2. (Figure 15-9)

Figure 15-9 Complete Virtual Server Policy Setting

STEP 4﹒Complete the setting of providing a single service by virtual server.


Configuration Example - Virtual server setting for Custom Service

The external user uses VoIP to connect with the VoIP device in the LAN (VoIP ports: TCP 1720, TCP 15328-15333, UDP 15328-15333)

STEP 1﹒Set up VoIP in the LAN network, with IP 192.168.1.100

STEP 2﹒Policy Object > Address > LAN: Enter the following setting in LAN of the Address function. (Figure 15-10)

Figure 15-10 Setting LAN Address WebUI

STEP 3﹒Policy Object > Service > Custom: Add a new VoIP service group in Custom of the Service function. (Figure 15-11)

Figure 15-11 Add Custom Service

STEP 4﹒Policy Object > Virtual Server > Server 1: Enter the following setting in Server1 of the Virtual Server function:

Click the button next to Virtual Server Real IP (“click here to configure”) in Server1

Virtual Server Real IP: Enter 60.250.158.65 (click Assist for assistance) (Use WAN)

Click OK (Figure 15-12)

Figure 15-12 Virtual Server Real IP Setting WebUI


Click New Entry

Service: Select (Custom Service) VoIP_Service

External Service Port: From-Service (Custom)

Load Balance Server1: Enter 192.168.1.100

Click OK

Complete the setting of Virtual Server (Figure 15-13)

Figure 15-13 Virtual Server Configuration WebUI

When the custom service has only one port number, the external network port of the Virtual Server is changeable; conversely, if the custom service has more than one port number, the external network port of the Virtual Server cannot be changed.

STEP 5﹒Policy > Incoming: Add a new Incoming Policy that includes the virtual server set in STEP 4: (Figure 15-14)

Figure 15-14 Complete the Policy includes Virtual Server Setting

STEP 6﹒Policy > Outgoing: In Outgoing Policy, enter the following setting so that internal users can use VoIP to connect with VoIP on the external network (Figure 15-15)

Figure 15-15 Complete the Policy Setting of VoIP Connection

STEP 7﹒Complete the setting that lets external and internal users communicate with each other over a specific service through the Virtual Server.


Configuration Example - PAT

The RS-2500 also supports the Port Address Translation function. Some system administrators change the standard port number of a service in order to protect the LAN server, and the RS-2500 must then translate the port so Internet users can still access the LAN service.

STEP 1﹒Create a Web server on the LAN side, and assign the IP address 192.168.1.10 to the server.

STEP 2﹒Policy Object > Address > LAN: Enter the following setting in LAN of the Address function. (Figure 15-16)

Figure 15-16 Setting LAN Address WebUI

STEP 3﹒Policy Object > Service > Custom: Create a Custom Service (TCP 8080) for the Web Server. (Figure 15-17)

Figure 15-17 Add Custom Service

STEP 4﹒Policy Object > Virtual Server > Server 1: Enter the following data in Server1 of Virtual Server:

Click the button next to Virtual Server Real IP (“click here to configure”) in Server1

Virtual Server Real IP: Enter 60.250.158.65 (click Assist for assistance)

Click OK (Figure 15-18)

Figure 15-18 Virtual Server Real IP Setting


Click New Entry

Service: Select (Custom Service) Custom_Web

External Service Port: Change External Server Port to 80.

Enter the server IP in Load Balance Server

Click OK

Complete the setting of Virtual Server (Figure 15-19)

Figure 15-19 Virtual Server Configuration WebUI

STEP 5﹒Policy > Incoming: Add a new Incoming Policy that includes the virtual server set in STEP 4 (Figure 15-20)

Figure 15-20 Complete Incoming Policy Setting

STEP 6﹒Policy > Outgoing: Add a new policy that includes the settings of STEP 2 and STEP 3 in Outgoing Policy. It lets the server send e-mail to an external mail server through the mail service. (Figure 15-21)

Figure 15-21 Complete Outgoing Policy Setting

STEP 7﹒Complete the setting of providing several services by Virtual Server.
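The three translations configured in this chapter (Mapped IP, round-robin Virtual Server, and PAT), modelled in Python as an added example that is not RS-2500 code. The client addresses, the port numbers behind the "DNS, HTTP, PPTP" service group, and the unpublished test port 3306 are assumptions; session timeout is not modelled.

```python
from dataclasses import dataclass

ANY = None  # service selection "ANY": every protocol and port is forwarded


@dataclass
class VirtualService:
    servers: list       # LAN servers behind one real IP
    lan_port: int       # port the LAN servers listen on
    next_idx: int = 0   # round-robin cursor

    def __post_init__(self):
        if not 1 <= len(self.servers) <= 4:
            raise ValueError("a Virtual Server maps one real IP to 1-4 LAN servers")

    def pick(self):
        server = self.servers[self.next_idx % len(self.servers)]
        self.next_idx += 1
        return server


class Gateway:
    def __init__(self):
        self.mapped = {}    # real IP -> (private IP, allowed services or ANY)
        self.virtual = {}   # (real IP, proto, WAN port) -> VirtualService
        self.sessions = {}  # 5-tuple -> (LAN IP, LAN port)

    def add_mapped_ip(self, real_ip, private_ip, services):
        self.mapped[real_ip] = (private_ip, services)

    def add_virtual_server(self, real_ip, proto, wan_port, servers, lan_port=None):
        self.virtual[(real_ip, proto, wan_port)] = VirtualService(
            list(servers), lan_port or wan_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Return the (LAN IP, LAN port) a WAN packet is sent to, or None if dropped."""
        key = (src_ip, src_port, dst_ip, dst_port, proto)
        if key in self.sessions:               # existing session keeps its server
            return self.sessions[key]
        target = None
        service = self.virtual.get((dst_ip, proto, dst_port))
        if service is not None:                # one-to-many, balanced per session
            target = (service.pick(), service.lan_port)
        elif dst_ip in self.mapped:            # one-to-one, port unchanged
            private_ip, allowed = self.mapped[dst_ip]
            if allowed is ANY or (proto, dst_port) in allowed:
                target = (private_ip, dst_port)
        if target is not None:
            self.sessions[key] = target
        return target


# Assumed well-known ports for the DNS, HTTP and PPTP control services.
SERVER_SERVICES = frozenset({("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 1723)})


def build_gateway(mapped_services):
    """Gateway loaded with the addresses used in sections 15.1 and 15.2."""
    gw = Gateway()
    gw.add_mapped_ip("60.250.158.64", "192.168.1.100", mapped_services)
    gw.add_virtual_server("60.250.158.66", "tcp", 80,
                          ["192.168.1.101", "192.168.1.102",
                           "192.168.1.103", "192.168.1.104"])
    gw.add_virtual_server("60.250.158.65", "tcp", 80,
                          ["192.168.1.10"], lan_port=8080)   # PAT: 80 -> 8080
    return gw


if __name__ == "__main__":
    gw = build_gateway(SERVER_SERVICES)
    for n in range(1, 6):   # five constructed clients hit the balanced web service
        print(gw.inbound(f"203.0.113.{n}", 40000, "60.250.158.66", 80))
    print(gw.inbound("203.0.113.9", 41000, "60.250.158.65", 80))    # PAT
    print(gw.inbound("203.0.113.9", 41001, "60.250.158.64", 3306))  # not in group
    print(build_gateway(ANY).inbound("203.0.113.9", 41001, "60.250.158.64", 3306))
```

The last two calls show the effect of the ANY warning in section 15.1: with a service group the unpublished port is dropped, with ANY it reaches the LAN server.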


16. VPN

The RS-2500 uses VPN to set up a secure and private network service, combined with the remote Authentication system, in order to integrate the enterprise’s remote networks and PCs. It also gives the enterprise and its remote users a secure, encrypted way to deliver data with the best efficiency, which saves the manager many problems.

【IPSec Autokey】: The system manager can create a VPN connection using Autokey IKE. Autokey IKE (Internet Key Exchange) provides a standard method to negotiate keys between two security gateways. The IPSec Lifetime and Preshared Key of the RS-2500 are also set up here.

【PPTP Server】: The System Manager can set up VPN-PPTP Server functions in this chapter.

【PPTP Client】: The System Manager can set up VPN-PPTP Client functions in this chapter.

How to use VPN?

To set up a Virtual Private Network (VPN), you need to configure an Access Policy that includes the IPSec Autokey, PPTP Server, or PPTP Client settings of the Tunnel to make a VPN connection.


16.1 One-Step IPSec

This feature simplifies the configuration of IPSec encryption by keeping only the essential setting fields and using defaults for the rest.

The default settings are:

Mode: Main mode

Authentication Method: Preshare

ISAKMP Algorithm: DES + MD5 + Group 1

IPSec Algorithm: DES + MD5

One-step IPSec literally means it takes just one step to complete the configuration of IPSec encryption. The device automatically creates the corresponding policy after configuration. (Figure 16-1)

Figure 16-1 One-Step IPSec WebUI

Configuration Example

STEP 1﹒Policy Object > VPN > One-Step IPSec: Enter the following information in the One-Step IPSec setting.

Name: Quick_1

WAN Interface: WAN1

Subnet / Mask: 192.168.1.0 / 255.255.255.0

Remote Gateway: airlive15.dyndns.org

Subnet Mask: 192.168.100.0 / 255.255.255.0

Preshared Key: 12345678 (Figure 16-2)


Figure 16-2 One-Step IPSec Example

STEP 2﹒Click OK and wait for the message “VPN settings completed” to show up. The default and custom IPSec VPN settings will be created automatically as follows:

Policy Object > VPN > IPSec Autokey (Figure 16-3)

Policy Object > VPN > Trunk (Figure 16-4)

Policy > Outgoing (Figure 16-5)

Policy > Incoming (Figure 16-6)

Figure 16-3 One-Step IPSec Example - Autokey

Figure 16-4 One-Step IPSec Example - Trunk

Figure 16-5 One-Step IPSec Example - Outgoing Policy

Figure 16-6 One-Step IPSec Example - Incoming Policy

The Incoming and Outgoing Policy rules with VPN enabled are added at the top of the list automatically.


16.2 IPSec Autokey

i:

Displays the VPN connection status via an icon.

Chart -- Meaning: Not applied, Disconnected, Connecting

Name:

The VPN name that identifies the IPSec Autokey definition. The name must be unique and cannot be repeated.

Gateway IP:

The WAN interface IP address of the remote Gateway.

IPSec Algorithm:

Displays the algorithm in use.

Configure:

Click Modify to change the IPSec parameters; click Remove to remove the setting. (Figure 16-7).

Figure 16-7 IPSec Autokey WebUI

Necessary Item (Figure 16-8)

Figure 16-8 Necessary Item WebUI


Preshare Key:

The IKE VPN must be defined with a Preshared Key. The Key may be up to 128 bytes long.

ISAKMP (Internet Security Association Key Management Protocol):

An extensible protocol-encoding scheme that complies with the Internet Key Exchange (IKE) framework for the establishment of Security Associations (SAs).

AH (Authentication Header):

One of the IPSec standards that provides for the data integrity of data packets.

ESP (Encapsulating Security Payload):

One of the IPSec standards that provides for the confidentiality of data packets.

DES (Data Encryption Standard):

The Data Encryption Standard, developed by IBM in 1977, is a 64-bit block cipher using a 56-bit key.

Triple-DES (3DES):

The DES function performed three times with either two or three cryptographic keys.

AES (Advanced Encryption Standard):

An encryption algorithm yet to be decided that will be used to replace the aging DES encryption algorithm and that the NIST hopes will last for the next 20 to 30 years.

NULL Algorithm:

It is a fast and convenient connection mode that ensures privacy and authentication without encryption. The NULL Algorithm does not provide any other security services; it is only a substitute for ESP Encryption.

SHA-1 (Secure Hash Algorithm-1):

A message-digest hash algorithm that takes a message of less than 2^64 bits and produces a 160-bit digest.

MD5:

MD5 is a common message digest algorithm, developed by Ron Rivest, that produces a 128-bit message digest from an arbitrary-length input.


Optional Item (Figure 16-9).

Figure 16-9 Optional Item WebUI

Main Mode:

This is another first phase of the Oakley protocol in establishing a security

association, but instead of using three packets like in aggressive mode, it uses six

packets.

Aggressive mode:

This is the first phase of the Oakley protocol in establishing a security association

using three data packets.

GRE/IPSec:

Select this to have the device use GRE/IPSec (Generic Routing Encapsulation) packet encapsulation technology.


16.3 PPTP Server

PPTP Server:

Select Enable or Disable

Client IP Range:

Sets the IP address range for PPTP Client connections

i:

Displays the VPN connection status via an icon

Chart -- Meaning: Not applied, Disconnected, Connecting

User Name:

Displays the PPTP Client user’s name when connecting to PPTP Server

Client IP:

Displays the PPTP Client’s IP address when connecting to PPTP Server

Uptime:

Displays the connection time between PPTP Server and Client

Configure:

Click Modify to modify the PPTP Server Settings or click Remove to remove the

setting. (Figure 16-10)

Figure 16-10 PPTP Server WebUI


16.4 PPTP Client

i:

Displays the VPN connection status via an icon

Chart -- Meaning: Not applied, Disconnected, Connecting

User Name:

Displays the PPTP Client user’s name when connecting to the PPTP Server

Server IP or Domain Name:

Displays the PPTP Server IP address or Domain Name when connecting to the PPTP Server

Encryption:

Displays whether the encryption authentication mechanism is enabled for transmission between the PPTP Client and the PPTP Server

Uptime:

Displays the connection time between PPTP Server and Client

Configure:

Click Modify to change the PPTP Client parameters; click Remove to remove the setting. (Figure 16-11)

Figure 16-11 PPTP Client WebUI


17. Configuration Example: IPSec & PPTP VPN

17.1 IPSec VPN - Office to Office (1)

Preparation:

Company A - WAN IP: 61.11.11.11, LAN IP: 192.168.10.x

Company B - WAN IP: 211.22.22.22, LAN IP: 192.168.20.x

This example uses two RS-2500s as the work platform. Suppose Company A (192.168.10.x) creates a VPN connection with Company B (192.168.20.x) to download shared files. (Figure 17-1)

Figure 17-1 Example 1 Topology

RS-2500 configuration of Company A:

STEP 1﹒Enter the default gateway IP of Company A’s RS-2500, 192.168.10.1, and select IPSec Autokey in VPN. Click New Entry. (Figure 17-2)

Figure 17-2 IPSec Autokey WebUI

STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_A. (Figure 17-3)

Figure 17-3 IPSec Autokey Name Setting


STEP 3﹒Select Remote Gateway-Fixed IP or Domain Name in the To Remote list and enter the IP Address. (Figure 17-4)

Figure 17-4 IPSec To Destination Setting

STEP 4﹒ Select Preshare in Authentication Method and enter the Preshared Key. (Figure 17-5)

Figure 17-5 IPSec Authentication Method Setting

STEP 5﹒Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms used when setting up the connection: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1), and Group (GROUP1, 2, 5). Both sides have to choose the same group. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm and GROUP1 for Group. (Figure 17-6)

Figure 17-6 IPSec Encapsulation Setting

STEP 6﹒In the IPSec Algorithm list, you can choose Data Encryption + Authentication or Authentication Only.

ENC Algorithm: 3DES/DES/AES/NULL

AUTH Algorithm: MD5/SHA1

Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm to determine the encapsulation used for data transmission. (Figure 17-7)

Figure 17-7 IPSec Algorithm Setting


STEP 7﹒Select GROUP1 in Perfect Forward Secrecy, enter 3600 seconds in ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and select Main mode in Mode. (Figure 17-8)

Figure 17-8 IPSec Perfect Forward Secrecy Setting

STEP 8﹒ Complete the IPSec Autokey setting. (Figure 17-9)

Figure 17-9 Complete Company A IPSec Autokey Setting

STEP 9﹒Enter the following setting in Trunk of the VPN function: (Figure 17-10)

Enter a specific Trunk Name, for example VPN_Tunnel_A.

From Local: Select LAN

From Local Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.

To Remote: Select To Remote Subnet / Mask.

To Remote Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0.

Tunnel: Select VPN_A.

Enter 192.168.20.1 (the Default Gateway of Company B) as the Keep alive IP

Select Show remote Network Neighborhood and Click OK. (Figure 17-11)

Figure 17-10 New Entry Trunk Setting


Figure 17-11 Complete New Entry Trunk Setting

STEP 10﹒Enter the following setting in Outgoing Policy: (Figure 17-12)

Trunk: Select VPN_Tunnel_A.

Click OK. (Figure 17-13)

Figure 17-12 Setting the VPN Tunnel Outgoing Policy

Figure 17-13 Complete the VPN Tunnel Outgoing Policy Setting


STEP 11﹒Enter the following setting in Incoming Policy: (Figure 17-14)

Trunk: Select VPN_Tunnel_A.

Click OK. (Figure 17-15)

Figure 17-14 Setting the VPN Tunnel Incoming Policy

Figure 17-15 Complete the VPN Tunnel Incoming Policy Setting

RS-2500 configuration of Company B:

STEP 1. Enter the default gateway IP of Company B’s RS-2500, 192.168.20.1, and select IPSec Autokey in VPN. Click New Entry. (Figure 17-16)

Figure 17-16 IPSec Autokey Web UI

STEP 2. In the list of IPSec Autokey, fill in Name with VPN_B. (Figure 17-17)

Figure 17-17 IPSec Autokey Name Setting

STEP 3. Select Remote Gateway-Fixed IP or Domain Name in the To Remote list and enter the IP address. (Figure 17-18)

Figure 17-18 IPSec To Destination Setting

STEP 4. Select Preshare in Authentication Method and enter the Preshared Key (max: 100 bits). (Figure 17-19)

Figure 17-19 IPSec Authentication Method Setting

STEP 5. Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms used when setting up the connection: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1), and Group (GROUP1, 2, 5). Both sides have to choose the same group. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm, and GROUP1 for Group. (Figure 17-20)

Figure 17-20 IPSec Encapsulation Setting

STEP 6. In the IPSec Algorithm list, choose either Data Encryption + Authentication or Authentication Only for the tunnel.

ENC Algorithm: 3DES/DES/AES/NULL

AUTH Algorithm: MD5/SHA1

Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm; these settings determine how data is encapsulated for transmission. (Figure 17-21)

Figure 17-21 IPSec Algorithm Setting

STEP 7. Select GROUP1 in Perfect Forward Secrecy, enter 3600 seconds in ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and select Main mode in Mode. (Figure 17-22)

Figure 17-22 IPSec Perfect Forward Secrecy Setting

STEP 8. Complete the IPSec Autokey setting. (Figure 17-23)

Figure 17-23 Complete Company B IPSec Autokey Setting

STEP 9. Enter the following setting in Trunk of VPN function: (Figure 17-24)

Enter a specific Trunk Name, for example VPN_Tunnel_B.

From Local: Select LAN

From Local Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0.

To Remote: Select To Remote Subnet / Mask.

To Remote Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.

Tunnel: Select VPN_B.

Enter 192.168.10.1 (the Default Gateway of Company A) as the Keep alive IP

Select Show remote Network Neighborhood.

Click OK. (Figure 17-25)

Figure 17-24 New Entry Trunk Setting

Figure 17-25 Complete New Entry Trunk Setting

STEP 10. Enter the following setting in Outgoing Policy: (Figure 17-26)

Trunk: Select VPN_Tunnel_B.

Click OK. (Figure 17-27)

Figure 17-26 Setting the VPN Tunnel Outgoing Policy

Figure 17-27 Complete the VPN Tunnel Outgoing Policy Setting

STEP 11. Enter the following setting in Incoming Policy: (Figure 17-28)

Trunk: Select VPN_Tunnel_B.

Click OK. (Figure 17-29)

Figure 17-28 Setting the VPN Tunnel Incoming Policy

Figure 17-29 Complete the VPN Tunnel Incoming Policy Setting

STEP 12. Complete IPSec VPN Connection.

If the WAN IP address changes after a certain time, the user can apply for a DDNS service and configure the domain name in the VPN setting: type the domain name in the Remote Gateway item instead of an IP address.
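The settings entered in steps 5 to 9 have to agree on both gateways: the same algorithms, group and mode, with the local and remote subnets swapped. The following check of that is an added example, not AirLive code; the dictionary keys are hypothetical names for the Web UI fields, the preshared key is a placeholder, and the weakest-to-strongest ordering of each menu is the example's own.

```python
import ipaddress

# Settings both gateways must share for the tunnel to negotiate.
MUST_MATCH = ("preshared_key", "mode", "isakmp_enc", "isakmp_auth",
              "isakmp_group", "ipsec_enc", "ipsec_auth", "pfs_group")
# Assumption: a lifetime difference is only a warning here, because IKE
# implementations differ on whether it prevents the tunnel from coming up.
SHOULD_MATCH = ("isakmp_lifetime", "ipsec_lifetime")

# Options the manual lists on each menu, ordered weakest to strongest.
MENUS = {
    "enc": ["NULL", "DES", "3DES", "AES"],
    "auth": ["MD5", "SHA1"],
    "group": ["GROUP1", "GROUP2", "GROUP5"],
}
FIELD_MENU = {"isakmp_enc": "enc", "ipsec_enc": "enc",
              "isakmp_auth": "auth", "ipsec_auth": "auth",
              "isakmp_group": "group", "pfs_group": "group"}


def net(subnet_mask):
    """Turn a ("192.168.10.0", "255.255.255.0") pair into an IPv4Network."""
    return ipaddress.ip_network("/".join(subnet_mask))


def check_pair(a, b):
    """Return (errors, warnings) for two gateway configs that should mirror."""
    errors, warnings = [], []
    for field in MUST_MATCH:
        if a[field] != b[field]:
            # Never echo the preshared key itself into a report.
            shown = "" if field == "preshared_key" else f" ({a[field]} vs {b[field]})"
            errors.append(f"{field} differs{shown}")
    for field in SHOULD_MATCH:
        if a[field] != b[field]:
            warnings.append(f"{field} differs ({a[field]} vs {b[field]})")
    for side, peer in ((a, b), (b, a)):
        local, remote = net(side["local"]), net(side["remote"])
        if remote != net(peer["local"]):
            errors.append(f"{side['name']}: remote subnet {remote} is not "
                          f"{peer['name']}'s local subnet")
        if local.overlaps(remote):
            errors.append(f"{side['name']}: local and remote subnets overlap")
        if ipaddress.ip_address(side["keepalive_ip"]) not in remote:
            errors.append(f"{side['name']}: keep-alive IP is outside {remote}")
    return errors, warnings


def stronger_available(cfg):
    """Map each algorithm field to the strongest menu option it is not using."""
    out = {}
    for field, menu in FIELD_MENU.items():
        best = MENUS[menu][-1]
        if cfg[field] != best:
            out[field] = best
    return out


# Values from steps 5 to 9 of both gateways; the key is a constructed placeholder.
COMMON = dict(preshared_key="<placeholder-key>", mode="Main",
              isakmp_enc="3DES", isakmp_auth="MD5", isakmp_group="GROUP1",
              ipsec_enc="3DES", ipsec_auth="MD5", pfs_group="GROUP1",
              isakmp_lifetime=3600, ipsec_lifetime=28800)
COMPANY_A = dict(COMMON, name="VPN_Tunnel_A",
                 local=("192.168.10.0", "255.255.255.0"),
                 remote=("192.168.20.0", "255.255.255.0"),
                 keepalive_ip="192.168.20.1")
COMPANY_B = dict(COMMON, name="VPN_Tunnel_B",
                 local=("192.168.20.0", "255.255.255.0"),
                 remote=("192.168.10.0", "255.255.255.0"),
                 keepalive_ip="192.168.10.1")

if __name__ == "__main__":
    print(check_pair(COMPANY_A, COMPANY_B))
    # A constructed mistake: Company B left on a different PFS group and subnet.
    broken = dict(COMPANY_B, pfs_group="GROUP2",
                  remote=("192.168.30.0", "255.255.255.0"))
    for line in check_pair(COMPANY_A, broken)[0]:
        print("ERROR", line)
    print(stronger_available(COMPANY_A))
```

With the values this example enters, the pair is consistent, and every algorithm field is reported as having a stronger option on the same menu (AES, SHA1, GROUP5).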

17.2 IPSec VPN - Office to Office (2)

Preparation:

Company A - RS-2500 - WAN IP: 60.250.158.66, LAN IP: 192.168.10.x

Company B -

1. PPPoA Modem Router - WAN IP: PPPoA with DDNS service enabled

(airlive15.dyndns.org), LAN IP: 192.168.20.x

2. RS-2500 - WAN IP: 192.168.20.254, LAN IP: 192.168.30.x

This example uses two RS-2500s as the platform. Company B’s RS-2500 is installed behind a PPPoA modem router, and its WAN interface is set to a private IP address. In this setup, the RS-2500 in Company B can create an IPSec VPN tunnel to the RS-2500 in Company A. (Figure 17-30)

Figure 17-30 Example 2 Topology

RS-2500 configuration of Company A:

STEP 1﹒Enter the default gateway IP of Company A’s RS-2500, 192.168.10.1, and select IPSec Autokey in VPN. Click New Entry. (Figure 17-31)

Figure 17-31 IPSec Autokey WebUI

STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_A. (Figure 17-32)

Figure 17-32 IPSec Autokey Name Setting

STEP 3﹒Select Remote Gateway-Fixed IP or Domain Name in the To Remote list and enter the domain name. (Figure 17-33)

Figure 17-33 IPSec To Destination Setting

STEP 4﹒Select Preshare in Authentication Method and enter the Preshared Key. (Figure 17-34)

Figure 17-34 IPSec Authentication Method Setting

STEP 5﹒Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms used when setting up the connection: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1), and Group (GROUP1, 2, 5). Both sides have to choose the same group. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm, and GROUP1 for Group. (Figure 17-35)

Figure 17-35 IPSec Encapsulation Setting

STEP 6﹒In the IPSec Algorithm list, choose either Data Encryption + Authentication or Authentication Only for the tunnel.

ENC Algorithm: 3DES/DES/AES/NULL

AUTH Algorithm: MD5/SHA1

Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm; these settings determine how data is encapsulated for transmission. (Figure 17-36)

Figure 17-36 IPSec Algorithm Setting

STEP 7﹒Select GROUP1 in Perfect Forward Secrecy, enter 3600 seconds in ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and select Main mode in Mode. Enter the WAN IP address of Company B’s RS-2500 as the peer ID in Company A’s RS-2500 VPN setting. (Figure 17-37)

Figure 17-37 IPSec Perfect Forward Secrecy Setting

STEP 8﹒ Complete the IPSec Autokey setting. (Figure 17-38)

Figure 17-38 Complete Company A IPSec Autokey Setting

STEP 9﹒Enter the following setting in Trunk of VPN function: (Figure 17-39)

Enter a specific Trunk Name, for example VPN_Tunnel_A.

From Local: Select LAN

From Local Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.

To Remote: Select To Remote Subnet / Mask.

To Remote Subnet / Mask: Enter 192.168.30.0 / 255.255.255.0.

Tunnel: Select VPN_A.

Enter 192.168.30.1 (the RS-2500 Default Gateway of Company B) as the Keep alive IP.

Select Show remote Network Neighborhood and click OK. (Figure 17-40)

Figure 17-39 New Entry Trunk Setting

Figure 17-40 Complete New Entry Trunk Setting

STEP 10﹒Enter the following setting in Outgoing Policy: (Figure 17-41)

Trunk: Select VPN_Tunnel_A.

Click OK. (Figure 17-42)

Figure 17-41 Setting the VPN Tunnel Outgoing Policy

Figure 17-42 Complete the VPN Tunnel Outgoing Policy Setting

STEP 11﹒Enter the following setting in Incoming Policy: (Figure 17-43)

Trunk: Select VPN_Tunnel_A.

Click OK. (Figure 17-44)

Figure 17-43 Setting the VPN Tunnel Incoming Policy

Figure 17-44 Complete the VPN Tunnel Incoming Policy Setting

RS-2500 configuration of Company B:

STEP 1. Enter the default gateway IP of Company B’s RS-2500, 192.168.30.1, and select IPSec Autokey in VPN. Click New Entry. (Figure 17-45)

Figure 17-45 IPSec Autokey Web UI

STEP 2. In the list of IPSec Autokey, fill in Name with VPN_B. (Figure 17-46)

Figure 17-46 IPSec Autokey Name Setting

STEP 3. Select Remote Gateway-Fixed IP or Domain Name in the To Remote list and enter the IP address. (Figure 17-47)

Figure 17-47 IPSec To Destination Setting

STEP 4. Select Preshare in Authentication Method and enter the Preshared Key (max: 100 bits). (Figure 17-48)

Figure 17-48 IPSec Authentication Method Setting

STEP 5. Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms used when setting up the connection: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1), and Group (GROUP1, 2, 5). Both sides have to choose the same group. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm, and GROUP1 for Group. (Figure 17-49)

Figure 17-49 IPSec Encapsulation Setting

STEP 6. In the IPSec Algorithm list, choose either Data Encryption + Authentication or Authentication Only for the tunnel.

ENC Algorithm: 3DES/DES/AES/NULL

AUTH Algorithm: MD5/SHA1

Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm; these settings determine how data is encapsulated for transmission. (Figure 17-50)

Figure 17-50 IPSec Algorithm Setting

STEP 7. Select GROUP1 in Perfect Forward Secrecy, enter 3600 seconds in ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and select Main mode in Mode. (Figure 17-51)

Figure 17-51 IPSec Perfect Forward Secrecy Setting

STEP 8. Complete the IPSec Autokey setting. (Figure 17-52)

Figure 17-52 Complete Company B IPSec Autokey Setting

STEP 9. Enter the following setting in Trunk of VPN function: (Figure 17-53)

Enter a specific Trunk Name, for example VPN_Tunnel_B.

From Local: Select LAN

From Local Subnet / Mask: Enter 192.168.30.0 / 255.255.255.0.

To Remote: Select To Remote Subnet / Mask.

To Remote Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.

Tunnel: Select VPN_B.

Enter 192.168.10.1 (the Default Gateway of Company A) as the Keep alive IP

Select Show remote Network Neighborhood.

Click OK. (Figure 17-54)

Figure 17-53 New Entry Trunk Setting

Figure 17-54 Complete New Entry Trunk Setting

STEP 10. Enter the following setting in Outgoing Policy: (Figure 17-55)

Trunk: Select VPN_Tunnel_B.

Click OK. (Figure 17-56)

Figure 17-55 Setting the VPN Tunnel Outgoing Policy

Figure 17-56 Complete the VPN Tunnel Outgoing Policy Setting

STEP 11. Enter the following setting in Incoming Policy: (Figure 17-57)

Trunk: Select VPN_Tunnel_B.

Click OK. (Figure 17-58)

Figure 17-57 Setting the VPN Tunnel Incoming Policy

Figure 17-58 Complete the VPN Tunnel Incoming Policy Setting

STEP 12. Complete IPSec VPN Connection.

17.3 IPSec VPN - Office to Client

Preparation:

RS-2500 - WAN IP: 61.11.11.11, LAN IP: 192.168.10.x

SOHO Router - WAN IP: PPPoE with any IP, LAN IP: 192.168.1.x

The user installs VPN client software on a PC and creates an IPSec VPN tunnel from home or any other place to the RS-2500, so the user can access RS-2500 LAN resources safely. (Figure 17-59)

Figure 17-59 Example 3 Topology

Users can download a 30-day trial version of the IPSec VPN software from the AirLive Security Product web page, or purchase the official software and license from the Greenbow website: (http://www.thegreenbow.com/buy.html?product=vpn)

RS-2500 configuration:

STEP 1. Enter the default gateway IP of the RS-2500, 192.168.30.1, and select IPSec Autokey in VPN. Click New Entry. (Figure 17-60)

Figure 17-60 IPSec Autokey Web UI

STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_A. (Figure 17-61)

Figure 17-61 IPSec Autokey Name Setting

STEP 3﹒Select Remote Gateway or Client -- Dynamic IP in the To Remote list. (Figure 17-62)

Figure 17-62 IPSec To Remote Setting

STEP 4﹒Select Preshare in Authentication Method and enter the Preshared Key. (Figure 17-63)

Figure 17-63 IPSec Authentication Method Setting

STEP 5﹒Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms used when setting up the connection: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1), and Group (GROUP1, 2, 5). Both sides have to choose the same group. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm, and GROUP1 for Group. (Figure 17-64)

Figure 17-64 IPSec Encapsulation Setting

STEP 6﹒In the IPSec Algorithm list, choose either Data Encryption + Authentication or Authentication Only for the tunnel.

ENC Algorithm: 3DES/DES/AES/NULL

AUTH Algorithm: MD5/SHA1

Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm; these settings determine how data is encapsulated for transmission. (Figure 17-65)

Figure 17-65 IPSec Algorithm Setting

STEP 7﹒Select GROUP1 in Perfect Forward Secrecy, enter 3600 seconds in ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and select Main mode in Mode. (Figure 17-66)

Figure 17-66 IPSec Perfect Forward Secrecy Setting

STEP 8﹒ Complete the IPSec Autokey setting. (Figure 17-67)

Figure 17-67 Complete RS-2500 IPSec Autokey Setting

STEP 9﹒Enter the following setting in Trunk of VPN function: (Figure 17-68)

Enter a specific Trunk Name, for example VPN_Tunnel_A.

From Local: Select LAN

From Local Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.

To Remote: Select Remote Client

Tunnel: Select VPN_A.

Select Show remote Network Neighborhood and click OK. (Figure 17-69)

Figure 17-68 New Entry Trunk Setting

Figure 17-69 Complete New Entry Trunk Setting

STEP 10﹒Enter the following setting in Outgoing Policy: (Figure 17-70)

Trunk: Select VPN_Tunnel_A.

Click OK. (Figure 17-71)

Figure 17-70 Setting the VPN Tunnel Outgoing Policy

Figure 17-71 Complete the VPN Tunnel Outgoing Policy Setting

STEP 11﹒Enter the following setting in Incoming Policy: (Figure 17-72)

Trunk: Select VPN_Tunnel_A.

Click OK. (Figure 17-73)

Figure 17-72 Setting the VPN Tunnel Incoming Policy

Figure 17-73 Complete the VPN Tunnel Incoming Policy Setting

VPN Client Software configuration:

STEP 1﹒Right click Root and select “New Phase 1”, then enter the following information on the Phase 1 page: (Figure 17-74)

Name: To_RS25.

Interface: 192.168.1.2

Remote Gateway: 61.11.11.11

Preshared Key: 123456789

IKE Encryption: 3DES

IKE Authentication: MD5

IKE Key Group: Group 1

Figure 17-74 Phase1 setting of IPSec VPN Client Software

STEP 2﹒Press the “Save & Apply” button to save the Phase 1 setting.

STEP 3﹒Right click “To_RS25” (Phase 1) and select “Add Phase 2”.

STEP 4﹒Enter the following information on the Phase 2 page: (Figure 17-75)

Name: To_RS25_Tunnel

VPN Client Address: 192.168.1.2

Remote Address Type: Subnet Address

Remote LAN Address: 192.168.10.0

Subnet Mask: 255.255.255.0

ESP Encryption: 3DES

ESP Authentication: MD5

ESP Mode: Tunnel

PFS: Enable, Group 1

Press the “Save & Apply” button to save the Phase 2 setting.

Figure 17-75 Phase2 setting of IPSec VPN Client Software

STEP 5﹒Press “Open Tunnel” to establish the IPSec VPN connection.

STEP 6﹒When VPN Tunnel is established, the icon in tool bar will be changed to .

17.4 PPTP VPN - Office to Office

Preparation:

Company A WAN IP: 61.11.11.11

LAN IP: 192.168.10.X

Company B WAN IP: 211.22.22.22

LAN IP: 192.168.20.X

This example uses two RS-2500s as the platform. Suppose Company B’s 192.168.20.100 is going to establish a VPN connection to Company A’s 192.168.10.100 and download resources. (Figure 17-76)

Figure 17-76 PPTP connection Example-1

RS-2500 configuration of Company A:

STEP 1. Open PPTP Server under the VPN function of Company A’s RS-2500. Select Modify and enable PPTP Server:

Client IP Range: Keep the original setting, e.g. 192.3.106.1-254.

Enter DNS Server or WINS Server IP if necessary.

Idle Time: Enter 0. (Figure 17-77)

Figure 17-77 Enable PPTP VPN Server Settings

Client IP Range: this setting must not be the same as the LAN IP subnet, or the PPTP function will not work.

Idle Time: the time after which an unused VPN connection is disconnected automatically. (Unit: minute)

STEP 2. Add the following settings in PPTP Server under the VPN function of Company A’s RS-2500:

Select New Entry. (Figure 17-78)

User Name: Enter jacky.

Password: Enter 123456789.

Client IP assigned by: Select IP Range.

Click OK. (Figure 17-79)

Figure 17-78 PPTP VPN Server Setting

Figure 17-79 Complete PPTP VPN Server Setting

STEP 3. Enter the following setting in Trunk of VPN function: (Figure 17-80)

Enter a specific Trunk Name, for example PPTP_Tunnel.

From Local: Select LAN

From Local Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.

To Remote: Select To Remote Subnet / Mask.

To Remote Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0.

Tunnel: Select PPTP_Server_jacky.

Select Show remote Network Neighborhood.

Click OK. (Figure 17-81)

Figure 17-80 New Entry Trunk Setting

Figure 17-81 Complete New Entry Trunk Setting

STEP 4. Enter the following setting in Outgoing Policy: (Figure 17-82)

Trunk: Select PPTP_Tunnel.

Click OK. (Figure 17-83)

Figure 17-82 Setting the VPN Tunnel Outgoing Policy

Figure 17-83 Complete the VPN Tunnel Outgoing Policy Setting

STEP 5. Enter the following setting in Incoming Policy: (Figure 17-84)

Trunk: Select PPTP_Tunnel.

Click OK. (Figure 17-85)

Figure 17-84 Setting the VPN Tunnel Incoming Policy

Figure 17-85 Complete the VPN Tunnel Incoming Policy Setting

RS-2500 configuration of Company B:

STEP 1. Add the following settings in PPTP Client under the VPN function of Company B’s RS-2500:

Click New Entry Button. (Figure 17-86)

User Name: Enter jacky.

Password: Enter 123456789.

Server IP or Domain Name: Enter 61.11.11.11.

Select Encryption.

Click OK. (Figure 17-87)

Figure 17-86 PPTP VPN Client Setting

Figure 17-87 Complete PPTP VPN Client Setting

STEP 2. Enter the following setting in Trunk of VPN function: (Figure 17-88)

Enter a specific Trunk Name, for example PPTP_Client.

From Local: Select LAN

From Local Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0.

To Remote: Select To Remote Subnet / Mask.

To Remote Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.

IPSec / PPTP Setting: Select PPTP_Client_jacky.

Select Show remote Network Neighborhood.

Click OK. (Figure 17-89)

Figure 17-88 New Entry Trunk Setting

Figure 17-89 Complete New Entry Trunk Setting

STEP 3. Enter the following setting in Outgoing Policy: (Figure 17-90)

Trunk: Select PPTP_Client.

Click OK. (Figure 17-91)

Figure 17-90 Setting the VPN Tunnel Outgoing Policy

Figure 17-91 Complete the VPN Tunnel Outgoing Policy Setting

STEP 4. Enter the following setting in Incoming Policy: (Figure 17-92)

Trunk: Select PPTP_Client.

Click OK. (Figure 17-93)

Figure 17-92 Setting the VPN Tunnel Incoming Policy

Figure 17-93 Complete the VPN Tunnel Incoming Policy Setting

STEP 5. Complete PPTP VPN Connection.

17.5 PPTP VPN - Office to Client

Preparation:

RS-2500 WAN IP: 61.11.11.11

LAN IP: 192.168.10.X

PPTP Client WAN IP: PPPoE with any IP

LAN IP: 192.168.20.X

This example shows how a home user can connect to the remote PPTP server. (Figure 17-94)

Figure 17-94 PPTP connection Example-1

RS-2500 configuration:

STEP 1. Open PPTP Server under the VPN function of Company A’s RS-2500. Select Modify and enable PPTP Server:

Client IP Range: Keep the original setting, e.g. 192.3.106.1-254.

Enter DNS Server or WINS Server IP if necessary.

Idle Time: Enter 0. (Figure 17-95)

Figure 17-95 Enable PPTP VPN Server Settings

Client IP Range: this setting must not be the same as the LAN IP subnet, or the PPTP function will not work.

Idle Time: the time after which an unused VPN connection is disconnected automatically. (Unit: minute)

STEP 2. Add the following settings in PPTP Server under the VPN function of Company A’s RS-2500:

Select New Entry. (Figure 17-96)

User Name: Enter jacky.

Password: Enter 123456789.

Client IP assigned by: Select IP Range.

Click OK. (Figure 17-97)

Figure 17-96 PPTP VPN Server Setting

Figure 17-97 Complete PPTP VPN Server Setting

STEP 3. Enter the following setting in Trunk of VPN function: (Figure 17-98)

Enter a specific Trunk Name, for example PPTP_Tunnel.

From Local: Select LAN

From Local Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0.

To Remote: Select To Remote Subnet / Mask.

To Remote Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0.

Tunnel: Select PPTP_Server_jacky.

Select Show remote Network Neighborhood.

Click OK. (Figure 17-99)

Figure 17-98 New Entry Trunk Setting

Figure 17-99 Complete New Entry Trunk Setting

STEP 4. Enter the following setting in Outgoing Policy: (Figure 17-100)

Trunk: Select PPTP_Tunnel.

Click OK. (Figure 17-101)

Figure 17-100 Setting the VPN Tunnel Outgoing Policy

Figure 17-101 Complete the VPN Tunnel Outgoing Policy Setting

STEP 5. Enter the following setting in Incoming Policy: (Figure 17-102)

Trunk: Select PPTP_Tunnel.

Click OK. (Figure 17-103)

Figure 17-102 Setting the VPN Tunnel Incoming Policy

Figure 17-103 Complete the VPN Tunnel Incoming Policy Setting

PPTP client configuration on WinXP:

STEP 1. Control Panel > Network Connections: Press Create a new connection on the left banner. (Figure 17-104)

Figure 17-104 Control Panel > Network Connections

STEP 2. Press Next. (Figure 17-105)

Figure 17-105 Network Connections Wizard-1

STEP 3. Select Connect to the network at my workplace, and press Next. (Figure 17-106)

Figure 17-106 Network Connections Wizard-2

STEP 4. Select Virtual Private Network connection, and press Next. (Figure 17-107)

Figure 17-107 Network Connections Wizard-3

STEP 5. Enter a name for the connection, and press Next. (Figure 17-108)

Figure 17-108 Network Connections Wizard-4

STEP 6. Enter the PPTP server IP address, and press Next. (Figure 17-109)

Figure 17-109 Network Connections Wizard-5

STEP 7. Press Finish to complete the WinXP PPTP client setting. (Figure 17-110)

Figure 17-110 Network Connections Wizard-6

STEP 8. Enter the user name and password, and press Connect to connect to the PPTP server. (Figure 17-111)

Figure 17-111 Connect to PPTP server

18. Policy

Every packet that passes through the RS-2500 is checked against the policies. When a packet meets the conditions of a policy, it passes through the RS-2500 according to that policy’s settings and is not checked against any other policy. If a packet does not match any policy, it is intercepted.

The parameter of the policy includes Source Address, Destination Address, Service,

Schedule, Authentication User, Trunk, Action-WAN Port, Traffic Log, Statistics, Content

Blocking, Application Blocking, QoS, MAX. Bandwidth Per Source IP, MAX. Concurrent

Sessions Per IP, and MAX. Concurrent Sessions. Control policies decide whether packets

from different network objects, network services, and applications are able to pass through

the RS-2500.

How to use Policy?

The device uses policies to filter packets. The policy settings are: source address, destination address, services, permission, packet log, packet statistics, and flow control.

Based on its source and destination, a packet falls into one of the following categories:

(1) Outgoing: The source IP is in the LAN network; the destination is in the WAN network. The system manager can set all the policy rules for Outgoing packets in this function.

(2) Incoming: The source IP is in the WAN network; the destination is in the LAN network. (For example: Mapped IP, Virtual Server) The system manager can set all the policy rules for Incoming packets in this function.

(3) WAN to DMZ: The source IP is in the WAN network; the destination is in the DMZ network. (For example: Mapped IP, Virtual Server) The system manager can set all the policy rules for WAN to DMZ packets in this function.

(4) LAN to DMZ: The source IP is in the LAN network; the destination is in the DMZ network. The system manager can set all the policy rules for LAN to DMZ packets in this function.

(5) DMZ to LAN: The source IP is in the DMZ network; the destination is in the LAN network. The system manager can set all the policy rules for DMZ to LAN packets in this function.


(6) DMZ to WAN: The source IP is in the DMZ network; the destination is in the WAN network. The system manager can set all the policy rules for DMZ to WAN packets in this function.

All packets that go through the RS-2500 must be permitted by a policy. Therefore, the applicable policies have to be set for the LAN, WAN, and DMZ networks when network connections are established.

Define the required fields of Policy

Source and Destination

Source IP and Destination IP are defined from the RS-2500’s point of view. The active side is the source; the passive side is the destination.

Service

The service item that is controlled by the Policy. The user can choose a default value or one of the custom services that the system manager has set in the Service function.

Action, WAN Port

Controls whether packets delivered between the LAN network and the WAN network are permitted or rejected when they pass through the RS-2500 (see the chart and illustration below).

Name                              Illustration
Permit all WAN network Interface  Allow the packets that correspond with policy to be transferred by WAN1/2 Port
Permit WAN1                       Allow the packets that correspond with policy to be transferred by WAN1 Port
Permit WAN2                       Allow the packets that correspond with policy to be transferred by WAN2 Port
DENY                              Reject the packets that correspond with policy to be transferred by WAN Port
Permit VPN                        Allow the VPN packets that correspond with policy to be transferred


Option

It displays whether each function of the Policy is enabled or not. If a function is enabled, the chart of that function appears (see the chart and illustration below).

Name                  Illustration
Schedule              Enable the policy to automatically execute the function in a certain time
Authentication User   Enable Authentication User
Traffic Log           Enable traffic log
Statistics            Enable traffic statistics
Content Blocking      Enable Content Blocking
Application Blocking  Enable Application Blocking
QoS                   Enable QoS

Schedule

Sets the policy to automatically execute the function at a certain time.

Authentication User

The user has to pass authentication to connect through the Policy.

Trunk

Select the specific VPN setting to allow the packets to pass through.

Traffic Log

Records all the packets that go through the policy.

Statistics

Chart of the traffic that goes through the policy.

Content Blocking

Restricts the packets that pass through the policy.

Application Blocking

Restricts the packets passing via IM, P2P, or other applications.

QoS

Sets the Guarantee Bandwidth and Maximum Bandwidth of the Policy (the bandwidth is shared by the users who correspond to the Policy).

MAX. Bandwidth Per Source IP

Sets the maximum bandwidth per source IP that is permitted by the policy. If the bandwidth of an IP exceeds the set value, the surplus connections cannot be established.


MAX. Concurrent Sessions Per IP

Sets the number of concurrent sessions per IP that is permitted by the policy. If the sessions of an IP exceed the set value, the surplus connections cannot be established.

MAX. Concurrent Sessions

Sets the number of concurrent sessions that is permitted by the policy. If the sessions of the whole Policy exceed the set value, the surplus connections cannot be established.

NAT

The NAT function is available for Incoming, WAN to DMZ, LAN to DMZ, and DMZ to WAN policies. It translates the source IP address into an address in the same IP subnet as the destination. Enable this function only when the destination server requires that it be accessed from the same IP subnet.

Move

Every packet that passes the RS-2500 is checked against the policies in order, from the first policy to the last one. Move changes the priority of a policy by selecting its position in the list.
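The ordered, first-match evaluation this chapter describes (a packet that matches no policy is intercepted, and Move decides which policy is checked first) is modelled below as an added Python example; it is not code from the manual or the RS-2500. The Policy class, the helper names, the zone mapping and the 203.0.113.0/24 blocked range are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumption: LAN and DMZ subnets follow the manual's examples; every other
# address is treated as WAN.
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.254.0/24"),
}

# The six policy tables listed in this chapter, keyed by (source zone, destination zone).
DIRECTIONS = {
    ("LAN", "WAN"): "Outgoing",
    ("WAN", "LAN"): "Incoming",
    ("WAN", "DMZ"): "WAN to DMZ",
    ("LAN", "DMZ"): "LAN to DMZ",
    ("DMZ", "LAN"): "DMZ to LAN",
    ("DMZ", "WAN"): "DMZ to WAN",
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


def direction_of(src: str, dst: str) -> Optional[str]:
    """Policy table a packet belongs to, or None if no table covers it."""
    return DIRECTIONS.get((zone_of(src), zone_of(dst)))


def _in(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ip_address(addr) in ip_network(cidr)


def _covers(outer: Optional[str], inner: Optional[str]) -> bool:
    """True if selector `outer` matches every address that `inner` matches."""
    if outer is None:          # None means "Any"
        return True
    if inner is None:
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


@dataclass(frozen=True)
class Policy:
    name: str
    direction: str
    action: str                                  # "PERMIT" or "DENY"
    src: Optional[str] = None                    # CIDR string; None means Any
    dst: Optional[str] = None
    service: Optional[Tuple[str, int]] = None    # (protocol, port); None means ANY

    def matches(self, src, dst, service) -> bool:
        return (_in(src, self.src) and _in(dst, self.dst)
                and (self.service is None or self.service == service))


def evaluate(policies, src, dst, service):
    """Walk the list from first to last; the first match decides, no match is denied."""
    direction = direction_of(src, dst)
    for p in policies:
        if p.direction == direction and p.matches(src, dst, service):
            return p.action, p.name
    return "DENY", "(no matching policy)"


def shadowed(policies):
    """Names of policies that can never match because an earlier one covers them."""
    hidden = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.direction == later.direction
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and (earlier.service is None or earlier.service == later.service)):
                hidden.append(later.name)
                break
    return hidden


# Constructed rule set: deny one WAN address group, permit everything else outbound.
DENY_WAN_GROUP = Policy("deny-wan-group", "Outgoing", "DENY", dst="203.0.113.0/24")
PERMIT_OUTGOING = Policy("permit-outgoing", "Outgoing", "PERMIT")
GOOD_ORDER = [DENY_WAN_GROUP, PERMIT_OUTGOING]
BAD_ORDER = [PERMIT_OUTGOING, DENY_WAN_GROUP]   # the Deny rule is never reached

if __name__ == "__main__":
    pkt = ("192.168.1.50", "203.0.113.9", ("tcp", 80))
    print("good order:", evaluate(GOOD_ORDER, *pkt))
    print("bad order: ", evaluate(BAD_ORDER, *pkt), "shadowed:", shadowed(BAD_ORDER))
```

Running shadowed() over an exported rule list is a quick review step: any name it returns is a rule that should be moved up or removed.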


19. Configuration Example: Policy Setting

19.1 Configuration Example (1) - Traffic Log, Statistic

Set up a policy that monitors the internal users. (Take Traffic Log and Statistics as an example)

STEP 1﹒Enter the following setting in Outgoing Policy:

Click New Entry

Select Traffic Log

Select Statistics

Click OK (Figure 19-1)

Figure 19-1 Setting the different Policies

STEP 2﹒Complete the setting of Logging, Statistics, and Alarm Threshold in Outgoing Policy: (Figure 19-2)

Figure 19-2 Complete Policy Setting


STEP 3﹒To monitor all the packets of the RS-2500, view the information in Traffic of the Log function. (Figure 19-3)

Figure 19-3 Traffic Log Monitor WebUI


STEP 4﹒To display the record of the traffic that accessed the Internet through the Policy, view Policy Statistics in the Statistics function. (Figure 19-4)

Figure 19-4 Statistics WebUI


19.2 Configuration Example (2) - Specific WAN Addresses, Content Blocking, Application Blocking

Forbid users from accessing specific networks. (Take specific WAN IP, Content Blocking and Application Blocking as an example)

STEP 1﹒Enter the following settings in URL Blocking, Script Blocking, and Download Blocking of the Content Blocking function, and in the Application Blocking function: (Figure 19-5, 19-6, 19-7, 19-8)

Figure 19-5 URL Blocking Setting

Figure 19-6 Script Blocking Setting

Figure 19-7 Download Blocking Setting


Figure 19-8 Application Blocking Setting

URL Blocking can restrict internal users so that they can only access specific websites.

Script Blocking can restrict internal users from accessing the script files of websites (Java, Cookies, etc.).


Download Blocking can restrict internal users from directly accessing video, audio, and files with specific extensions over the HTTP protocol.

Application Blocking can restrict internal users from sending messages, files, audio, and video by instant messaging (e.g. MSN, Yahoo Messenger, QQ, ICQ, Skype, Google Talk, and Gadu-Gadu), and from accessing files on the Internet by P2P (eDonkey, BT, WinMX).

STEP 2﹒Enter the following in WAN and WAN Group of the Address function: (Figure 19-9, 19-10)

Figure 19-9 Setting the WAN IP that is going to be blocked

Figure 19-10 WAN Address Group

The Administrator can group custom addresses in Address. This is more convenient when setting policy rules.


STEP 3﹒Create the first Outgoing Policy rule with the following steps to restrict users from accessing specific networks.

Click New Entry

Destination Address: Select the WAN_Group that was set in STEP 2. (Blocking by IP)

Action, WAN Port: Select Deny

Click OK (Figure 19-11)

Figure 19-11 Setting first Policy rule to restrict accessing specific WAN Network


STEP 4﹒Create the second Outgoing Policy rule to enable Content Blocking and Application Blocking.

Click New Entry

Select to enable Content Blocking

Select to enable Application Blocking

Click OK (Figure 19-12)

Figure 19-12 Setting second Blocking Policy rule

STEP 5﹒Complete the setting that forbids users from accessing specific networks. (Figure 19-13)

Figure 19-13 Complete Policy Setting

Deny in Policy blocks the packets that correspond to the policy rule. The System Administrator can put the policy rule at the front to prevent users from connecting to specific IPs.


19.3 Configuration Example (3) - Authentication, Schedule

Only allow users who pass Authentication to access the Internet at particular times.

STEP 1﹒Enter the following in Schedule function: (Figure 19-14)

Figure 19-14 Add New Schedule

STEP 2﹒Enter the following in Auth User and Auth User Group in Authentication function: (Figure 19-15)

Figure 19-15 Setting Auth User Group


The Administrator can use the group function for Authentication and Service. This is more convenient when setting policies.

STEP 3﹒Create the first Outgoing Policy to allow the DNS service to pass through:

Click New Entry

Service: Select DNS.

Click OK (Figure 19-16)

Figure 19-16 DNS Policy Setting


STEP 4﹒Enter the following setting in Outgoing Policy:

Click New Entry

Authentication User: Select laboratory

Schedule: Select Working_Time

Click OK (Figure 19-17)

Figure 19-17 Setting a Policy of Authentication and Schedule

STEP 5﹒Complete the policy rule that only allows users who pass authentication to access the Internet at particular times. (Figure 19-18)

Figure 19-18 Complete Policy Setting


19.4 Configuration Example (4) - Virtual Server

The external user controls the internal PC through remote control software (Take VNC for example)

STEP 1﹒Create a custom service of VNC port. (TCP 5800, 5900) (Figure 19-19)

Figure 19-19 Setting Custom Service

STEP 2﹒Select the following setting in Virtual Server1 of the Virtual Server function, and assign it to the device with LAN IP 192.168.1.2. (Figure 19-20)

Figure 19-20 Setting Virtual Server


STEP 3﹒Enter the following in Incoming Policy:

Click New Entry; the system automatically selects the Virtual Server setting and fills in the fields.

Click OK (Figure 19-21)

Figure 19-21 Setting the External User Control the Internal PC Policy

STEP 4﹒Complete the policy for the external user to control the internal PC through remote control software. (Figure 19-22)

Figure 19-22 Complete Policy Setting


19.5 Configuration Example (5) - QoS, Virtual Server, MAX. Concurrent Sessions

Set up an FTP server under DMZ NAT Mode and restrict the download bandwidth and the MAX. Concurrent Sessions.

STEP 1﹒Set up an FTP server under DMZ, whose IP is 192.168.254.2. (The DMZ Interface Address is 192.168.254.1/24)

STEP 2﹒Enter the following setting in Virtual Server1 of Virtual Server function: (Figure 19-23)

Figure 19-23 Setting up Virtual Server Corresponds to FTP Server

When using the Incoming or WAN to DMZ function in Policy, it is strongly suggested not to select ANY in Service; otherwise the network may easily be attacked by hackers.

STEP 3﹒Enter the following in QoS: (Figure 19-24)

Figure 19-24 QoS Setting


STEP 4﹒Enter the following in WAN to DMZ Policy:

Click New Entry

Destination Address: Select Virtual Server1 (61.11.11.12)

Service: Select FTP (21)

QoS: Select FTP_QoS

MAX. Concurrent Sessions: Enter 100

Click OK (Figure 19-25)

Figure 19-25 Add New Policy

STEP 5﹒Complete the policy that restricts external users' access to the internal network server (which may occupy network resources). (Figure 19-26)

Figure 19-26 Complete the Policy Setting


20. Web VPN / SSL VPN


Since the Internet is in widespread use these days, the demand for secure remote connections is increasing. To meet this demand, using SSL VPN is the best solution. Using SSL VPN and just a standard browser, clients can transfer data securely by utilizing its SSL security protocol, eliminating the need to install any software or hardware.

20.1 Setting

Term of Setting (Figure 20-1)

VPN IP of Client: Various settings between the client and the RS-2500 can be set when establishing an SSL VPN, including IP range, encryption algorithm, communication protocol, port number, allocated DNS and WINS servers, whether NAT is being used by the internal subnet, hardware authentication, client/group authentication and the connection time.

Internet Subnet of Server: Set the subnet of the server that can be accessed by the client user. Several IP subnets can be defined for remote Web/SSL VPN clients.

Figure 20-1 Web/SSL VPN Setting-1

The SSL VPN IP address range cannot overlap with the address from any of the following internal network segments or servers: LAN, DMZ and PPTP server.


Term of Setting (Figure 20-2)

VPN IP Range: The IP subnet of the Web/SSL VPN connection. When a user connects to the RS-2500 via Web/SSL VPN, the user obtains an IP address from this range. By default, the VPN IP Range is set to a different IP subnet from the RS-2500 LAN IP, but remote users can still access RS-2500 LAN resources.

DES: DES, an acronym for Data Encryption Standard, is a cipher that was selected by NIST (National Institute of Standards and Technology) and uses a 56-bit key for encryption.

3DES: 3DES, an acronym for Triple Data Encryption Standard, provides significantly enhanced security by executing the core DES algorithm three times in a row. It uses a 168-bit key and is more difficult to break than DES.

AES: AES, an acronym for Advanced Encryption Standard, is more difficult to break than DES. The DES encryption key is 56 bits long; in contrast, AES keys can be 128, 192 or 256 bits long.

Server Port: The port number is changeable. The Web/SSL VPN server uses the Server Port to transfer data to the client side. If the RS-2500 is deployed behind a router, the router must be configured to allow HTTPS and the Server Port to pass through to the RS-2500; otherwise the Web/SSL VPN may not work well.

Enable DNS and WINS server addresses to clients: If this function is enabled, the DNS server IP and WINS server IP are assigned to the remote client PC.

Enable NAT mode: If this function is enabled, the LAN port IP address of the RS-2500 is added to the header of packets coming from outside. It is designed for specific servers that have such a requirement. Most users do not need to enable it.

Enable hardware authentication: This function makes the login process easier for users who often use the Web/SSL VPN function. By default, the system assigns a client PC to the Dropped list the first time the client PC connects to it.

Authentication User or Group: The RS-2500 Web/SSL VPN can work together with the Authentication function to authorize the access rights of VPN clients.

Enable hardware authentication only: If the client PC has been moved to the Accepted list, it can access RS-2500 LAN resources without passing authentication.

Enable Authentication User or Group only: If the client PC passes the authentication, it can access RS-2500 LAN resources.

Hardware Authentication set to Accepted and enable Authentication User or Group: The client PC can access RS-2500 LAN resources without passing authentication.


Hardware Authentication set to Dropped and enable Authentication User or Group: The client PC may not pass hardware authentication; however, if it can pass Authentication User or Group, the client PC can still access RS-2500 LAN resources.

Auto-disconnect if idle for □ Minutes: When the client user does not access the Web/SSL VPN for a certain time, the system disconnects the VPN automatically. (0 means always connected)

Figure 20-2 Web/SSL VPN setting-2


20.2 Hardware Auth

Term of Hardware Auth (Figure 20-3)

Accepted Hardware Authentication User: A list of the permitted client hardware that can establish an SSL VPN connection to the RS-2500.

Dropped Hardware Authentication User: A list of the client hardware that is not permitted to establish an SSL VPN connection with the RS-2500.

Figure 20-3 Web/SSL VPN Hardware Auth

Hardware authentication provides a convenient alternative to username/password authentication. Clients only need to be added to the Accepted User list for the system to authenticate their computer based on their hardware (MAC address).


20.3 Status

Term of Status (Figure 20-4)

User Name: Shows the user name of the client user.

Real IP: Shows the real IP of the client user.

VPN IP: Shows the client IP addresses allocated by the RS-2500.

Uptime: Shows the connection duration between the client and RS-2500.

Configuration change: To stop the connection between the RS-2500 and SSL VPN.

Figure 20-4 Web/SSL VPN Status

Users can only use a Microsoft Windows system to connect to the RS-2500 Web/SSL VPN.

Web/SSL VPN is supported on the IE, Firefox, Safari, and Google Chrome browsers.

When a user connects to the RS-2500 Web/SSL VPN server for the first time, the server downloads a Java program to the client PC. If the client PC has another version of Java pre-installed and encounters an error displaying the Web/SSL VPN connection, remove the pre-installed Java program and accept the Java installation from the Web/SSL VPN server, or download the latest version from the Java website.


20.4 Configuration Example

Configuring Web/ SSL VPN Connection settings for External Clients

STEP 1﹒Click Interface > WAN, activate the HTTPS function. (Figure 20-5)

Figure 20-5 WAN Interface

STEP 2﹒Click Policy Object > Authentication > User, add the following entries: (Figure 20-6)

Figure 20-6 User Authentication entries


STEP 3﹒Click Policy Object > Authentication > User Group, add the following entries: (Figure 20-7)

Figure 20-7 Group Authentication users

STEP 4﹒Click Web VPN/ SSL VPN > Setting

Click Modify.

Check the Enable Web VPN checkbox.

Enter 192.168.222.0/ 255.255.255.0 in the VPN IP Range field.

From the Encryption algorithm drop-down list, choose 3DES.

From the Protocol drop-down list, choose TCP.

Enter 1194 in the Server Port field.

Check Enable hardware authentication.

From the Authentication user or group drop-down list, choose Web_VPN_Group.

Enter 0 in the Auto- disconnect if idle field.

Click OK. (Figure 20-8)

A new Internal Subnet of Server appears that shows the internal subnet that the client is permitted to access. (Figure 20-9)


Figure 20-8 Enable Web VPN Setting

Figure 20-9 New Web/SSL VPN is created


STEP 5﹒Configure the setting from a browser:

Enter http://61.11.11.11/sslvpn or http://59.124.36.170/webvpn in the URL field (the RS-2500 interface address plus sslvpn or webvpn). (Figure 20-10)

Figure 20-10 Login SSL VPN Screen

Click Yes in the Security Alert window. (Figure 20-11)

Figure 20-11 Security Alert Window


Click Yes in the Warning-HTTPS window. (Figure 20-12)

Figure 20-12 Warning HTTPS Window

In the Authentication window, enter josh in the User Name field. Enter 3333 in the Password field. Click OK. (Figure 20-13)

Figure 20-13 Authentication Window

Installation in progress. (Figure 20-14)

Figure 20-14 SSL VPN Software installation in progress


Connection success. (Figure 20-15)

Figure 20-15 Connection Complete

STEP 6﹒To see the following connection information, click Web VPN/ SSL VPN > Status. (Figure 20-16)

Figure 20-16 Connection Complete

STEP 7﹒In Web VPN / SSL VPN > Hardware Auth, the Not Accepted User list is displayed. The user can be selected and moved to the Accepted User list by clicking on to Accept. (Figure 20-17, 18, 19)

Figure 20-17 Select the user and move to Accept

Figure 20-18 Confirming To Move the User to the Accepted User List


Figure 20-19 User Moved to the Accepted List

STEP 8﹒The accepted user settings have now been completed. When a user establishes an SSL VPN connection through the RS-2500, the hardware can be directly authenticated without the need for entering a username and password again.

When hardware authentication and user/group authentication are both enabled, the device will first try to authenticate by hardware authentication.

1. If the PC hardware information is on the Accepted User list, then they are permitted to establish a Web VPN connection.

2. If the PC hardware information is on the Not Accepted User list, then they will need to be authenticated by username/password to establish a Web VPN connection.

3. If the PC is on neither list, the device will automatically add the hardware information to the Not Accepted User list. The user will have to be authenticated by username/password to establish a Web VPN connection.

When only hardware authentication is enabled:

1. If the hardware information is on the accepted list, the user will be able to establish a Web VPN connection.

2. If the PC hardware is on the Not Accepted User list, then they will not be able to establish a Web VPN connection.


If hardware authentication is disabled, then the user will need to authenticate using a username/password to establish a Web VPN connection.

If the client user's PC doesn't have the SUN JAVA Runtime Environment software installed, then it will automatically be downloaded and installed during the SSL VPN connection login phase.


21. Anomaly Flow IP


When the RS-2500 detects attacks from hackers, or internal PCs that are sending large DDoS attacks, Anomaly Flow IP starts blocking these packets to maintain the whole network.

In this chapter, Anomaly Flow IP is illustrated in detail:

Define the required fields of Virus-infected IP

The threshold sessions of virus-infected (per source IP):

When the session number (per source IP) exceeds the limit of anomaly flow sessions per source IP, the RS-2500 treats this IP as an anomaly flow IP and takes some action, for example blocking the anomaly flow IP or sending the notification.

Virus-infected IP Blocking:

The RS-2500 can block the sessions of a virus-infected IP.

Notification:

The RS-2500 can notify the user and the system administrator by e-mail or NetBIOS notification when any anomaly flow occurs.

After the System Manager enables Anomaly Flow IP, if the RS-2500 detects any abnormal situation, the alarm message appears in Virus-infected IP. If the system manager also starts the E-mail Alert Notification in Settings, the device automatically sends an e-mail to alert the system manager.


Configuration Example

Prevent a computer that is being attacked from sending DDoS packets to the LAN network.

STEP 1﹒Select the Anomaly Flow IP setting and enter the following:

Enter The threshold sessions of anomaly flow (per Source IP) (the default value is 100 Sessions/Sec)

Select Enable Virus-infected IP Blocking and enter the Blocking Time (the default time is 600 seconds)

Select Enable E-Mail Alert Notification

Select Enable NetBIOS Alert Notification

IP Address of Administrator: Enter 192.168.1.10

Click OK

Anomaly Flow IP Setting is completed. (Figure 21-1)

Figure 21-1 Anomaly Flow IP Setting

After the Internal Alert Settings are completed, if the device detects an internal computer sending large DDoS attack packets, the alarm message appears in the Virus-infected IP, or a NetBIOS Alert notification is sent to the infected PC and the Administrator’s PC.

If the Administrator starts the E-Mail Alert Notification in Setting, the RS-2500 will send e-mail to the Administrator automatically.
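The per-source threshold and blocking time configured in this example (and the same pattern described for the per-source SYN flood threshold and blocking time) can be modelled as follows. This is an added Python example, not the RS-2500's implementation: the class, the fixed one-second counting window and the two LAN addresses in the constructed traffic are assumptions; the defaults of 100 sessions/sec and 600 seconds are the manual's.

```python
from collections import defaultdict


class AnomalyFlowDetector:
    """Per-source session-rate limit with a timed block (hypothetical model)."""

    def __init__(self, threshold_per_sec=100, blocking_time_sec=600):
        self.threshold = threshold_per_sec
        self.blocking_ms = blocking_time_sec * 1000
        self._window = {}        # src -> (second index, sessions counted in it)
        self.blocked_until = {}  # src -> time in ms at which the block ends
        self.alerts = []         # (time_ms, src) for every block decision

    def new_session(self, ts_ms, src):
        """Return True if the new session is allowed, False if it is dropped."""
        if ts_ms < self.blocked_until.get(src, 0):
            return False                      # source is still blocked
        second = ts_ms // 1000
        start, count = self._window.get(src, (second, 0))
        if start != second:                   # a new one-second window begins
            count = 0
        count += 1
        self._window[src] = (second, count)
        if count > self.threshold:            # threshold exceeded: block and alert
            self.blocked_until[src] = ts_ms + self.blocking_ms
            self.alerts.append((ts_ms, src))
            del self._window[src]             # counting restarts after the block
            return False
        return True


def constructed_events():
    """Constructed sample traffic as (time_ms, source IP) new-session events."""
    infected, normal = "192.168.1.23", "192.168.1.30"
    events = [(10_000 + i * 6, infected) for i in range(150)]    # 150 sessions in one second
    events += [(sec * 1000 + j * 200, normal)
               for sec in (10, 11, 12) for j in range(5)]        # 5 sessions per second
    events.append((300_000, infected))                           # retry while blocked
    events += [(611_000 + i * 6, infected) for i in range(150)]  # floods again after the block
    return events


def replay(events, detector):
    """Feed events in time order; return per-source allowed and dropped counts."""
    allowed, dropped = defaultdict(int), defaultdict(int)
    for ts_ms, src in sorted(events):
        if detector.new_session(ts_ms, src):
            allowed[src] += 1
        else:
            dropped[src] += 1
    return dict(allowed), dict(dropped)


if __name__ == "__main__":
    det = AnomalyFlowDetector()
    allowed, dropped = replay(constructed_events(), det)
    print("allowed:", allowed)
    print("dropped:", dropped)
    print("alerts: ", det.alerts)
```

The second alert shows the re-block behaviour: once the blocking time ends the source is counted again, and it is blocked a second time because it still exceeds the threshold.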


Define the required fields of DoS / Anti-attack Setting

Detect SYN Attack:

Select this option to detect TCP SYN attacks that hackers send to server computers continuously to block or cut down all the connections of the servers. These attacks prevent valid users from connecting to the servers.

【SYN Flood Threshold (Total) Pkts/Sec】: The System Administrator can enter the maximum number of SYN packets per second that is allowed to enter the network/RS-2500. If the value exceeds this setting, the device will determine it as an attack.

【SYN Flood Threshold (Per Source IP) Pkts/Sec】: The System Administrator can enter the maximum number of SYN packets per second from an attacking source IP address that is allowed to enter the network/RS-2500. If the value exceeds this setting, the device will determine it as an attack.

【SYN Flood Threshold Blocking Time (Per Source IP) Seconds】: When the RS-2500 determines that it is being attacked, it will block the attacking source IP address for the blocking time you set. After blocking for that number of seconds, the device will start to calculate the maximum number of SYN packets from the attacking source IP address. If the maximum number still exceeds the defined value, it will block the attacking IP address continuously.

Detect ICMP Flood:

When hackers continuously send PING packets to all the machines of the LAN networks or to the RS-2500 via broadcasting, your network is experiencing an ICMP flood attack.

【ICMP Flood Threshold (Total) Pkts/Sec】: The System Administrator can enter the maximum number of ICMP packets per second that is allowed to enter the network/RS-2500. If the value exceeds this setting, the device will determine it as an attack.

【ICMP Flood Threshold (Per Source IP) Pkts/Sec】: The System Administrator can enter the maximum number of ICMP packets per second from an attacking source IP address that is allowed to enter the network/RS-2500. If the value exceeds this setting, the device will determine it as an attack.

【ICMP Flood Threshold Blocking Time (Per Source IP) Seconds】: When the RS-2500 determines that it is being attacked, it will block the attacking source IP address for the blocking time you set. After blocking for that number of seconds, the device will start to calculate the maximum number of ICMP packets from the attacking source IP address. If the maximum number still exceeds the defined value, it will block the attacking IP address continuously.

Detect UDP Flood:

When hackers continuously send PING packets to all the machines of the LAN networks or to the RS-2500 via broadcasting, your network is experiencing a UDP attack.

【UDP Flood Threshold (Total) Pkts/Sec】: The System Administrator can enter the maximum number of UDP packets per second that is allowed to enter the network/RS-2500. If the value exceeds this setting, the device will determine it as an attack.

【UDP Flood Threshold (Per Source IP) Pkts/Sec】: The System Administrator can enter the maximum number of UDP packets per second from an attacking source IP address that is allowed to enter the network/RS-2500. If the value exceeds this setting, the device will determine it as an attack.

【UDP Flood Threshold Blocking Time (Per Source IP) Seconds】: When the RS-2500 determines that it is being attacked, it will block the attacking source IP for the blocking time you set. After blocking for that number of seconds, the device will start to calculate the maximum number of UDP packets from the attacking source IP. If the maximum number still exceeds the defined value, it will block the attacking IP address continuously.

Detect Ping of Death Attack:

Select this option to detect the attacks of tremendous trash data in PING packets that hackers send to cause System malfunction. This attack can cause network speed to slow down, or even make it necessary to restart the computer to get a normal operation.

Detect IP Spoofing Attack:

Select this option to detect spoof attacks. Hackers disguise themselves as trusted users of the network in Spoof attacks. They use a fake identity to try to pass through the RS-2500 System and invade the network.

Detect Port Scan Attack:

Select this option to detect the port scans hackers use to continuously scan networks on the Internet to detect computers and vulnerable ports that are opened by those computers.


Detect Tear Drop Attack:

Select this option to detect tear drop attacks. These are packets that are segmented to small packets with negative length. Some Systems treat the negative value as a very large number, and copy enormous data into the System to cause System damage, such as a shut down or a restart.

Filter IP Route Option:

Each IP packet can carry an optional field that specifies the replying address that can be different from the source address specified in packet’s header. Hackers can use this address field on disguised packets to invade LAN networks and send LAN networks’ data back to them.

Detect Land Attack:

Some Systems may shut down when receiving packets with the same source and destination addresses, the same source port and destination port, and when SYN on the TCP header is marked. Enable this function to detect such abnormal packets.

Non-detected IP:

System administrator can set up IP address to be the non-detected IP, because some of these IP provide amount of services, and it is possible to be judged as the anomaly flow IP. We can use this function to avoid the problem.

After System Manager enable Anomaly Flow IP, if the RS-2500 has detected any abnormal situation, the alarm message will appear in Virus-infected IP or Attack Event. And if the system manager starts the E-mail Alert Notification in Settings, the device will send e-mail to alarm the system manager automatically.
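The threshold, blocking-time and Non-detected IP settings described above interact in a way that is easier to see in a small model. The following Python sketch is an added example, not code from the manual or from the RS-2500 firmware. The fixed one-second counting window, the class and function names, and the sample traffic are assumptions, because the manual does not describe the device's internal algorithm.

```python
"""Toy model of threshold-plus-blocking-time flood detection (illustrative only)."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class FloodDetector:
    total_threshold: int        # models "Flood Threshold (Total) Pkts/Sec"
    per_source_threshold: int   # models "Flood Threshold (Per Source IP) Pkts/Sec"
    blocking_time: int          # models "Blocking Time (Per Source IP) Seconds"
    non_detected: frozenset = frozenset()               # models the "Non-detected IP" list
    blocked_until: dict = field(default_factory=dict)   # source -> first second counted again
    events: list = field(default_factory=list)          # (second, kind, source, packets)

    def observe(self, second, sources):
        """Process one one-second window; `sources` holds one source IP per packet.

        Returns the number of packets dropped because their source was blocked.
        """
        counted = Counter()
        dropped = 0
        for src in sources:
            if second < self.blocked_until.get(src, 0):
                dropped += 1            # still inside the blocking time
            else:
                counted[src] += 1
        total = sum(counted.values())
        if total > self.total_threshold:
            self.events.append((second, "total", None, total))
        for src, n in sorted(counted.items()):
            if src in self.non_detected:
                continue                # exempt hosts are never judged per source
            if n > self.per_source_threshold:
                self.events.append((second, "per-source", src, n))
                # Block for `blocking_time` whole seconds, then count the source again.
                self.blocked_until[src] = second + 1 + self.blocking_time
        return dropped


def replay(detector, traffic):
    """Feed {second: [source, ...]} windows in time order; return drops per second."""
    return {sec: detector.observe(sec, traffic[sec]) for sec in sorted(traffic)}


def build_sample_traffic():
    """Constructed traffic: a steady flooder, a busy server and an ordinary client."""
    traffic = {}
    for sec in range(10):
        traffic[sec] = (["10.0.0.66"] * 50     # flooder, 50 pkts/s for the whole run
                        + ["10.0.0.5"] * 30    # busy server on the Non-detected IP list
                        + ["10.0.0.20"] * 3)   # ordinary client
    return traffic


def run_sample():
    """Run the constructed traffic with a 3-second blocking time."""
    detector = FloodDetector(total_threshold=60, per_source_threshold=20,
                             blocking_time=3, non_detected=frozenset({"10.0.0.5"}))
    dropped = replay(detector, build_sample_traffic())
    return detector, dropped


if __name__ == "__main__":
    det, drops = run_sample()
    for event in det.events:
        print(event)
    print("dropped per second:", drops)
```

Because the flooder keeps sending, it is detected again as soon as each blocking period ends, which is the "block continuously" behaviour the field descriptions refer to; without the Non-detected IP entry the busy server would be blocked as well.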


Configuration Example

To record the attack alarm about Hacker attacks the RS-2500 and Intranet.

STEP 1﹒Select the following settings in DoS / Anti-Attack Setting function: (Figure 21-2)

Figure 21-2 DoS / Anti-Attack Setting WebUI

STEP 2﹒When Hacker attacks the RS-2500 and Intranet, select Attack Event function to

have detailed records about the hacker attacks. (Figure 21-3)

Figure 21-3 Attack Event WebUI


22. Monitor

22.1 Log

Log records all connections that pass through the RS-2500’s control policies. The information is classified as Traffic Log, Event Log, Connection Log, Application Blocking Log, and Content Blocking Log.

Traffic Log’s parameters are setup when setting up policies. Traffic logs record the details of packets such as the start and stop time of connection, the duration of connection, the source address, the destination address and services requested, for each control policy.

Event Log record the contents of System Configurations changes made by the Administrator such as the time of change, settings that change, the IP address used to log in…etc.

Connection Log records all of the connections of RS-2500. When the connection occurs some problem, the Administrator can trace back the problem from the information.

Application Blocking Log records the contents of Application Blocking result when RS-2500 is configured to block Application connections.

Content Blocking Log records the contents of Content Blocking result when RS-2500 is enabled Content Blocking function.

How to use the Log

The Administrator can use the log data to monitor and manage the device and the networks.

The Administrator can view the logged data to evaluate and troubleshoot the network, such

as pinpointing the source of traffic congestions.


Configuration Example (1) - Traffic Log

To detect the information and Protocol port that users use to access Internet or Intranet by RS-2500

STEP 1﹒Add new policy setting and select to enable Traffic Log. (Figure 22-1)

Figure 22-1 Logging Policy Setting

STEP 2﹒Complete the Logging Setting in Policy: (Figure 22-2)

Figure 22-2 Complete the Logging Setting


STEP 3﹒Click Traffic Log. It will show up the packets records that pass this policy. (Figure 22-3)

Figure 22-3 Traffic Log WebUI


STEP 4﹒Click on a specific IP of Source IP or Destination IP in Figure 22-3, it will prompt out a WebUI about Protocol and Port of the IP. (Figure 22-4)

Figure 22-4 The WebUI of detecting the Traffic Log by IP Address


STEP 5﹒Click on Download Logs, RS-2500 will pop up a notepad file with the log recorded. User can choose the place to save in PC instantly. (Figure 22-5)

Figure 22-5 Download Traffic Log Records WebUI


Configuration Example (2) - Event Log

To record the detailed management events (such as Interface and event description of RS-2500) of the Administrator

STEP 1﹒Click Event log of LOG. The management event records of the administrator will show up (Figure 22-6)

Figure 22-6 Event Log WebUI


STEP 2﹒Click on Download Logs, RS-2500 will pop up a notepad file with the log recorded. User can choose the place to save in PC instantly. (Figure 22-7)

Figure 22-7 Download Event Log Records WebUI


Configuration Example (3) - Connection Log

Click Connection in LOG. It can show up WAN Connection records of the RS-2500. (Figure 22-8)

Figure 22-8 Connection records WebUI


STEP 1﹒Click on Download Logs, RS-2500 will pop up a notepad file with the log recorded. User can choose the place to save in PC instantly. (Figure 22-9)

Figure 22-9 Download Connection Log Records WebUI

If the content of the notepad file is not displayed in order, the user can open the file with WordPad, MS Word or Excel, and the logs will be displayed in good order.


Configuration Example (4) - Application Blocking Log

STEP 1﹒Click IM / P2P Blocking in LOG. It can show up Application Blocking records of the RS-2500. (Figure 22-10)

Figure 22-10 Application Blocking records WebUI

STEP 2﹒Click on Download Logs, RS-2500 will pop up a notepad file with the log recorded.

User can choose the place to save in PC instantly. (Figure 22-11)

Figure 22-11 Download Application Blocking Log Records WebUI


Configuration Example (5) - Content Blocking Log

STEP 1﹒Click Content Blocking in LOG. It can show up Content Blocking records of the

RS-2500. (Figure 22-12)

Figure 22-12 Content Blocking records WebUI

STEP 2﹒Click on Download Logs, RS-2500 will pop up a notepad file with the log recorded.

User can choose the place to save in PC instantly. (Figure 22-13)

Figure 22-13 Download Content Blocking Log Records WebUI


Configuration Example (6) - Log Backup

STEP 1﹒Enter Setting in System Configure, select Enable E-mail Alert Notification function and set up the settings. (Figure 22-14)

Figure 22-14 E-mail Setting WebUI

STEP 2﹒Enter Log Backup in Log, select Enable Log Mail Support and click OK. (Figure 22-15)

STEP 3﹒Enter Log Backup in Log, enter the following settings in Syslog Settings:

Select Enable Syslog Messages

Enter the IP in Syslog Host IP Address that can receive Syslog

Enter the receive port in Syslog Host Port

Click OK

Complete the setting (Figure 22-15)

Figure 22-15 Log Mail and Syslog Configuration WebUI

After Log Mail Support is enabled, the device accumulates the log records and, every time the log reaches 300 Kbytes, e-mails it to the Administrator and clears the logs automatically.


22.2 Accounting Report

Administrator can use this Accounting Report to inquire the LAN IP users and WAN IP users, and to gather the statistics of Downstream/Upstream, First packet/Last packet/Duration and the Service for the entire user’s IPs that pass the RS-2500.

Accounting Report Setting

By accounting report function can record the sending information about Intranet and the external PC via RS-2500.

Accounting Report can be divided into two parts: Outbound Accounting Report and Inbound Accounting Report

Outbound Accounting Report

It is the statistics of the downstream and upstream of the LAN, WAN and all kinds of communication network services

Source IP:

The IP address used by LAN users who use RS-2500

Destination IP:

The IP address used by WAN service server which uses RS-2500.

Service:

The communication service which listed in the menu when LAN users use RS-2500 to connect to WAN service server.


Inbound Accounting Report

It is the statistics of downstream / upstream for all kinds of communication services; the Inbound Accounting report will be shown if Internet user connects to LAN Service Server via RS-2500.

Source IP:

The IP address used by WAN users who use RS-2500

Destination IP:

The IP address used by LAN service server which uses RS-2500.

Service:

The communication service which listed in the menu when WAN users use RS-2500 to connect to LAN service server.


Configuration Example - Outbound Accounting Report

STEP 1﹒Select to enable the items for Outbound Accounting Report in Setting of Accounting Report function. (Figure 22-16)

Figure 22-16 Accounting Report Setting

STEP 2﹒Enter Outbound in Accounting Report and select Source IP to inquire the statistics of Send/Receive packets, Downstream / Upstream, First packet /Last packet/Duration from the LAN or DMZ user’s IP that pass the RS-2500. (Figure 22-17)

TOP: Select the data you want to review; it presents 10 results in one page.

Source IP：To display the report sorted by Source IP, the LAN users who access WAN service server via RS-2500.

Downstream：The percentage of downstream and the value of each WAN service server which passes through RS-2500 to LAN user.

Upstream：The percentage of upstream and the value of each LAN user who passes through RS-2500 to WAN service server.

First Packet：When the first packet is sent to WAN service server from LAN user, the sent time will be recorded by the RS-2500.

Last Packet：When the last packet sent from WAN service server is received by the LAN user, the sent time will be recorded by the RS-2500.

Duration：The period of time between the first packet and the last packet.

Total Traffic：The RS-2500 will record and display the amount of Downstream and Upstream packets passing from LAN user to WAN Server.

Reset Counter：Click Reset Counter button to refresh Accounting Report.


Figure 22-17 Outbound Source IP Statistics Report

STEP 3﹒Enter Outbound in Accounting Report and select Destination IP to inquire the

statistics of Send/Receive packets, Downstream/Upstream, First packet/Last

packet/Duration from the WAN Server to pass the RS-2500. (Figure 22-18)

TOP：Select the data you want to view; it presents 10 results in one page.

Destination IP：To display the report sorted by Destination IP, the IP address used by WAN service server connecting to RS-2500.

Downstream：The percentage of downstream and the value of each WAN service server which passes through RS-2500 to LAN user.

Upstream：The percentage of upstream and the value of each LAN user who passes through RS-2500 to WAN service server.

First Packet：When the first packet is sent from WAN service server to LAN users, the sent time will be recorded by the RS-2500.

Last Packet：When the last packet from LAN user is sent to WAN service server, the sent time will be recorded by the RS-2500.

Duration：The period of time between the first packet and the last packet.

Total Traffic：The RS-2500 will record and display the amount of Downstream and Upstream packets passing from WAN Server to LAN user.

Reset Counter：Click Reset Counter button to refresh Accounting Report.

Figure 22-18 Outbound Destination IP Statistics Report


STEP 4﹒Enter Outbound in Accounting Report and select Top Services to inquire the statistics webpage of Send/Receive packets, Downstream/Upstream, First packet/Last packet/Duration and the service from the WAN Server to pass the RS-2500. (Figure 22-19)

TOP：Select the data you want to view. It presents 10 results in one page.

: According to the downstream / upstream report of the selected TOP

numbering to draw the Protocol Distribution chart. (Figure 22-20)

Service:To display the report sorted by Port, which LAN users use the RS-2500 to

connect to WAN service server.

Downstream:The percentage of downstream and the value of each WAN service

server who passes through RS-2500 and connects to LAN user.

Upstream:The percentage of upstream and the value of each LAN user who passes

through RS-2500 to WAN service server.

First Packet:When the first packet is sent to the WAN Service Server, the sent time

will be recorded by the RS-2500.

Last Packet:When the last packet is sent from the WAN Service Server, the sent

time will be recorded by the RS-2500.

Duration:The period of time starts from the first packet to the last packet to be

recorded.

Total Traffic:The RS-2500 will record and display the amount of Downstream and

Upstream packets passing from LAN users to WAN service server.

Reset Counter:Click the Reset Counter button to refresh the Accounting Report.

Figure 22-19 Outbound Services Statistics Report


Figure 22-20 The Pizza chart of Accounting report published base on Service

Press to return to List Table of Accounting Report window.

Accounting Report function will occupy lots of hardware resource, so

users must take care to choose the necessary items, in order to avoid

slowing down the total performance.


Configuration Example - Inbound Accounting Report

STEP 1﹒Select to enable the items for Inbound Accounting Report in Setting of Accounting Report function. (Figure 22-21)

Figure 22-21 Accounting Report Setting

STEP 2﹒Enter Inbound in Accounting Report and select Top Users to inquire the statistics of Send/Receive packets, Downstream/Upstream, First packet / Last packet / Duration from the WAN user to pass the RS-2500.

TOP：Select the data you want to view. It presents 10 pages in one page.

Source IP：To display the report sorted by Source IP, the IP address used by WAN user connecting to RS-2500.

Downstream：The percentage of Downstream and the value of each WAN user which passes through RS-2500 to LAN service server.

Upstream：The percentage of Upstream and the value of each LAN service server which passes through RS-2500 to WAN users.

First Packet：When the first packet is sent from WAN users to LAN service server, the sent time will be recorded by the RS-2500.

Last Packet：When the last packet is sent from LAN service server to WAN users, the sent time will be recorded by the RS-2500.

Duration：The period of time starts from the first packet to the last packet to be recorded.

Total Traffic：The RS-2500 will record and display the amount of Downstream and Upstream packets passing from WAN users to LAN service server.


Reset Counter：Click the Reset Counter button to refresh the Accounting Report.

STEP 3﹒Enter Inbound in Accounting Report and select Top Sites to inquire the statistics website of Send / Receive packets, Downstream / Upstream, First packet / Last packet / Duration from the WAN user to pass the RS-2500. (Figure 19-24)

TOP：Select the data you want to view. It presents 10 pages in one page.

Destination IP：To display the report sorted by Destination IP, the IP address used by LAN service server passing through RS-2500 to WAN users.

Downstream：The percentage of Downstream and the value of each WAN user who passes through RS-2500 to LAN service server.

Upstream：The percentage of Upstream and the value of each LAN service server who passes through RS-2500 to WAN users.

First Packet：When the first packet is sent from WAN users to LAN service server, the sent time will be recorded by the RS-2500.

Last Packet：When the last packet is sent from LAN service server to WAN users, the sent time will be recorded by the RS-2500.

Duration：The period of time starts from the first packet to the last packet to be recorded.

Total Traffic：The RS-2500 will record the sum of time and show the percentage of each WAN user’s upstream / downstream to LAN service server.

Reset Counter：Click the Reset Counter button to refresh the Accounting Report.

STEP 4﹒Enter Inbound in Accounting Report and select Top Services to inquire the statistics website of Send/Receive packets, Downstream/Upstream, First packet/Last packet/Duration and the service from the WAN Server to pass the RS-2500. (Figure 19-25)

TOP：Select the data you want to view. It presents 10 results in one page.

: According to the downstream / upstream report of the selected TOP numbering to draw the Protocol Distribution chart. (Figure 19-26)

Service：The report of Communication Service when WAN users use the RS-2500 to connect to LAN service server.


Downstream：The percentage of downstream and the value of each WAN user who uses RS-2500 to LAN service server.

Upstream：The percentage of upstream and the value of each LAN service server who uses RS-2500 to WAN user.

First Packet：When the first packet is sent to the LAN Service Server, the sent time will be recorded by the RS-2500.

Last Packet：When the last packet is sent from the LAN Service Server, the sent time will be recorded by the RS-2500.

Duration：The period of time starts from the first packet to the last packet to be recorded.

Total Traffic：The RS-2500 will record the sum of time and show the percentage of each Communication Service’s upstream / downstream to LAN service server.

Reset Counter：Click the Reset Counter button to refresh the Accounting Report.

Accounting Report function will occupy lots of hardware resource, so

users must take care to choose the necessary items, in order to avoid

slowing down the total performance.


22.3 Statistic

In this chapter, the Administrator can inquire the RS-2500 for statistics of packets and data

that passes across the RS-2500. The statistics provides the Administrator with information

about network traffics and network loads.

WAN Statistics:

The statistics of Downstream / Upstream packets and Downstream/Upstream traffic record that pass WAN Interface

Policy Statistics:

The statistics of Downstream / Upstream packets and Downstream / Upstream traffic record that pass Policy

Statistics Chart:

Y-Coordinate：Network Traffic（Kbytes/Sec）

X-Coordinate：Time（Hour/Minute）

Source IP, Destination IP, Service, and Action:

These fields record the original data of Policy. From the information above, the Administrator can know which Policy is the Policy Statistics belonged to.

Time:

To detect the statistics by minutes, hours, days, week, months, or years.

Bits/sec, Bytes/sec, Utilization, Total:

The unit that used by Y-Coordinate, which the Administrator can change the unit of the Statistics Chart here.

Utilization：The percentage of the traffic of the Max. Bandwidth that System Manager set in Interface function.

Total: To consider the accumulative total traffic during a unit time as Y-Coordinate


WAN Statistics:

STEP 1﹒Enter WAN in Statistics function, it will display all the statistics of

Downstream/Upstream packets and Downstream/Upstream record that pass WAN

Interface. (Figure 22-22)

Figure 22-22 WAN Statistics function

Time: To detect the statistics by minutes, hours, days, week, months, or years.

WAN Statistics is the additional function of WAN Interface. When enable WAN Interface, it will enable WAN Statistics too.

STEP 2﹒In the Statistics window, find the network you want to check and click Minute on the right side, and then you will be able to check the Statistics figure every minute; click Hour to check the Statistics figure every hour; click Day to check the Statistics figure every day; click Week to check the Statistics figure every week; click Month to check the Statistics figure every month; click Year to check the Statistics figure every year.

STEP 3﹒Statistics Chart (Figure 22-23)

Y-Coordinate：Network Traffic（Kbytes/Sec）

X-Coordinate：Time（Hour/Minute）


Figure 22-23 To Detect WAN Statistics


Policy Statistics:

STEP 1﹒If you have selected Statistics in Policy, the device will start to record the chart of that policy in Policy Statistics. (Figure 22-24)

Figure 22-24 Policy Statistics Function

If you are going to use Policy Statistics function, the System

Manager has to enable the Statistics in Policy first.

STEP 2﹒In the Statistics WebUI, find the network you want to check and click Minute on

the right side, and then you will be able to check the Statistics chart every minute;

click Hour to check the Statistics chart every hour; click Day to check the Statistics

chart every day; click Week to check the Statistics figure every week; click Month

to check the Statistics figure every month; click Year to check the Statistics figure

every year.

STEP 3﹒Statistics Chart (Figure 22-25)

Y-Coordinate:Network Traffic(Kbytes/Sec)

X-Coordinate:Time(Hour/Minute/Day)


Figure 22-25 To Detect Policy Statistics


22.4 Diagnostic

The device can trace the route of a packet with the Traceroute command to diagnose the quality of the traversed network, and can use Ping to verify that a host it is trying to reach is actually operating.

This chapter discusses the functionality and application of Diagnostic.

Ping

STEP 1﹒To test whether a host is reachable across an IP network, navigate to Monitor > Diagnostic > Ping, and then configure as below: (Figure 22-26)

Type the Destination IP or Domain name in the Destination IP / Domain

name field.

In Packet size configure the size of each packet. (32 Bytes by default)

In Count, configure the quantity of packets to send out. (4 by default)

In Wait time, specify the duration to wait between successive pings.

(1 second by default)

Select the interface from the Interface drop-down list.

Click OK. (Figure 22-27)

Figure 22-26 Ping Settings


Figure 22-27 Ping result

Note. If VPN is selected from the Interface drop-down list, the user must enter the local LAN IP address in the Interface field. Enter the IP address that is under the same subnet range in the Destination IP / Domain name field.

When the VPN connection is established between the local subnet and remote subnet, the following method can be employed to test the packet transfer between the two subnets. (Figure 22-28)


Figure 22-28 Ping results for VPN Connection

Traceroute

STEP 1﹒Under Monitor > Diagnostic > Traceroute, the Traceroute command can be used by the RS-2500 to send out packets to a specific address to diagnose the quality of the traversed network. (Figure 22-29)

In Destination IP / Domain name enter the destination address for the

packets.

In Packet size configure the size of each packet. (40 Bytes by default)

In Max Time-to-Live enter the maximum number of hops (30 by default)

In Wait time, specify the duration to wait between successive pings.

(2 seconds by default)

In Interface select the interface that the packets will originate from.

Click OK. (Figure 22-30)

Figure 22-29 Traceroute settings


Figure 22-30 Traceroute Results


22.5 Wake On Lan

The Wake on Lan (WOL) function powers on a computer remotely. The computer’s network card must also support the WOL function; when it receives the wake-up packet, the computer boots up automatically.

Normally broadcast packets are not allowed to travel across the Internet, but a user can log in to the RS-2500 remotely and use the Wake on Lan function to boot up a LAN computer.

Configuration Example - Wake On Lan

STEP 1﹒Select Setting in Wake on Lan, and enter the MAC Address of the computer that needs to be booted up remotely. The user can press Assist to obtain the MAC Address from the table list. (Figure 22-31)

Figure 22-31 Wake on Lan Setting

STEP 2﹒The user only needs to press the Wake Up button to boot up the specified LAN computer. (Figure 22-32)

Figure 22-32 Complete Wake on Lan Setting
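The wake-up packet a WOL-capable network card listens for is normally the standard "magic packet": six 0xFF bytes followed by the target MAC address repeated 16 times, optionally followed by a 4- or 6-byte SecureOn password. The Python below is an added example, not code from the RS-2500 or from this manual, and it assumes the gateway emits that standard layout (the manual does not describe the packet); the function names and sample MAC address are constructed for illustration. It builds a magic packet and identifies the target of one found in a captured payload.

```python
"""Build and recognise Wake-on-LAN magic packets (added example)."""
import re

SYNC = b"\xff" * 6   # synchronisation stream that opens every magic packet
REPEATS = 16         # the target MAC follows, repeated this many times

# Six hex octets, either unseparated or with one consistent separator (: or -).
_MAC_RE = re.compile(
    r"^[0-9A-Fa-f]{2}([:-]?)[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}$"
)


def mac_to_bytes(mac: str) -> bytes:
    """Convert '00:11:22:33:44:55', '00-11-...' or '001122334455' to 6 bytes."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Return the magic-packet payload for `mac` (102 bytes, or 106/108 with password)."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC + mac_to_bytes(mac) * REPEATS + password


def find_magic_target(payload: bytes):
    """Return the MAC a payload would wake, or None if it holds no magic packet.

    The sync stream may sit anywhere in the payload, so every occurrence of
    six 0xFF bytes is tried until one is followed by 16 identical 6-byte groups.
    """
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6 : start + 6 + 6 * REPEATS]
        mac = body[:6]
        # Reject truncated bodies, mismatched repetitions and an all-0xFF "MAC".
        if len(body) == 6 * REPEATS and body == mac * REPEATS and mac != SYNC:
            return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)
    return None


if __name__ == "__main__":
    # Constructed sample: the MAC address below is a placeholder, not a real host.
    packet = build_magic_packet("00-11-22-33-44-55")
    print(len(packet), "bytes, wakes", find_magic_target(packet))
    print("truncated packet ->", find_magic_target(packet[:-6]))
```

Running `find_magic_target` over UDP payloads from a LAN capture shows which machine each wake-up request was aimed at, which is a quick way to confirm that a Wake Up click on the gateway reached the intended MAC address.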


22.6 Status

The users can check the connection status in Status. For example: LAN IP, WAN IP, Subnet Netmask, Default Gateway, DNS Server Connection, and its IP…etc.

Interface: Display all of the current Interface status of the RS-2500

Authentication: The Authentication information of RS-2500

ARP Table: Record all the ARP that connect to the RS-2500

DHCP Clients: Display the table of DHCP clients that are connected to the RS-2500.

Status - Interface

STEP 1﹒Enter Interface in Status function; it will list the setting for each Interface: (Figure 22-33)

Forwarding Mode: The connection mode of the Interface

WAN Connection: To display the connection status of WAN

Max. Downstream / Upstream Kbps: To display the Maximum Downstream/Upstream Bandwidth of that WAN (set from Interface)

Downstream Alloca.: The distribution percentage of Downstream according to WAN traffic

Upstream Alloca.: The distribution percentage of Upstream according to WAN traffic

PPPoE Con. Time: The last time of the RS-2500 to be enabled

MAC Address: The MAC Address of the Interface

IP Address/Netmask: The IP Address and its Netmask of the Interface

Default Gateway: To display the Gateway of WAN

DNS1/2: The DNS1/2 Server Address provided by ISP

Rx/Tx Pkts, Error Pkts: To display the received/sending packets and error packets of the Interface

Ping, HTTP: To display whether the users can Ping to the RS-2500 from the Interface or not; or enter its WebUI


Figure 22-33 Interface Status

Status - Authentication

STEP 1﹒Enter Authentication in Status function; it will display the record of login status: (Figure 22-34)

IP Address: The authentication user IP

Auth-User Name: The account of the auth-user to login

Login Time: The login time of the user (Year/Month/Day/Hour/Minute/Second)

Figure 22-34 Authentication Status WebUI


Status - ARP Table

STEP 1﹒Enter ARP Table in Status function; it will display a table about IP Address, MAC

Address, and the Interface information which is connecting to the RS-2500:

(Figure 22-35)

Anti-ARP virus software: Works to rewrite LAN ARP table as default

IP Address: The IP Address of the network

MAC Address: The identified number of the network card

Interface: The Interface of the computer

Figure 22-35 ARP Table WebUI


Status - DHCP Clients

STEP 1﹒In DHCP Clients of Status function, it will display the table of DHCP Clients that are connected to the RS-2500: (Figure 22-36)

IP Address: The dynamic IP provided by the DHCP Server

MAC Address: The IP that corresponds to the dynamic IP

Leased Time: The valid time of the dynamic IP (Start/End) (Year/Month/Day/Hour/Minute/Second)

Figure 22-36 DHCP Clients WebUI


23. Frequent Asked Questions


In this chapter, we will address some frequently asked questions about RS-2500.

Question: I forgot my password or the IP address of RS-2500.

Answer: Please restore your settings to default by pressing the reset button for more than 10 seconds. You should be able to find your RS-2500 at 192.168.1.1 with password “airlive”.

====================================================================

Question: Why is the time setting reset to the default setting when I reboot RS-2500?

Answer: RS-2500 does not have a built-in battery, so it cannot save the data permanently, and that is the reason why the time is reset to default every time you reboot the device.

You can configure the NTP server function so that RS-2500 refreshes the time when it boots up, but you have to make sure in advance that the WAN port of RS-2500 is working and that the time server you select is also working; otherwise the time will still be reset to the default setting after you reboot RS-2500.

====================================================================


Question: How does the QoS priority function of the RS series gateway system work to assign bandwidth?

Answer: Simply put, the Priority of QoS allows users to obtain free or available bandwidth.

For example, the line speed is 512/256 Kbps (downstream/upstream). You create two QoS rules:

1. 256/128 Kbps, the priority is low

2. 128/64 Kbps, the priority is middle

So, there is 128/64 Kbps of bandwidth free. Presume User Group A is assigned the first QoS rule, and User Group B is assigned the second QoS rule. If both User Groups access the Internet and their bandwidth usage reaches the limitation, the system will assign the free bandwidth to User Group B because its priority is higher than User Group A.

Another example for your reference; the line speed is still 512/256 Kbps. You create three QoS rules:

1. 256/128 Kbps, the priority is low

2. 128/64 Kbps, the priority is middle

3. 128/64 Kbps, the priority is high

So, there is not any free bandwidth. Presume User Group A is assigned the first QoS rule, User Group B is assigned the second QoS rule, and User Group C is assigned the third QoS rule. If the bandwidth used by User Group A does not reach its QoS limitation, it will have some available bandwidth; if User Group B and C exhaust the bandwidth they have, the system will assign the available bandwidth to User Group C because its priority is higher than User Group B.

Once User Group A needs more bandwidth, the available bandwidth will be taken back from User Group C and assigned to User Group A, because User Group A is designed to have the guaranteed bandwidth, no matter what the priority level is.

====================================================================
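The two scenarios in the QoS answer above, worked through as an added Python example (not RS-2500 firmware code). It assumes a simplified model taken from the answer's wording: each group first receives its demand up to its guaranteed rate, and any bandwidth left on the line then goes to the groups that still want more, highest priority first. Only the downstream figures are used, and the names `QosRule` and `allocate` are hypothetical.

```python
"""Guaranteed bandwidth plus priority-based sharing of spare bandwidth (added example)."""
from dataclasses import dataclass

PRIORITY_ORDER = {"low": 0, "middle": 1, "high": 2}


@dataclass(frozen=True)
class QosRule:
    group: str            # user group the rule is assigned to
    guaranteed_kbps: int  # downstream rate the rule guarantees
    priority: str         # "low", "middle" or "high"


def allocate(line_kbps, rules, demand_kbps):
    """Return {group: granted Kbps} for the current demand of each group.

    Assumed model: guarantees are honoured first, whatever the priority;
    bandwidth that is unreserved or left unused by its owner is then lent
    to groups with unmet demand, highest priority first.
    """
    for rule in rules:
        if rule.priority not in PRIORITY_ORDER:
            raise ValueError(f"unknown priority: {rule.priority!r}")
    if sum(r.guaranteed_kbps for r in rules) > line_kbps:
        raise ValueError("guaranteed bandwidth exceeds the line speed")

    # Step 1: each group gets what it asks for, up to its guarantee.
    grant = {
        r.group: min(demand_kbps.get(r.group, 0), r.guaranteed_kbps)
        for r in rules
    }

    # Step 2: everything not handed out yet is spare (free or unused guarantee).
    spare = line_kbps - sum(grant.values())

    # Step 3: lend the spare bandwidth by priority, highest first.
    for rule in sorted(rules, key=lambda r: PRIORITY_ORDER[r.priority], reverse=True):
        unmet = demand_kbps.get(rule.group, 0) - grant[rule.group]
        extra = min(spare, max(unmet, 0))
        grant[rule.group] += extra
        spare -= extra
    return grant


if __name__ == "__main__":
    line = 512  # downstream Kbps, as in the answer above

    two_rules = [QosRule("A", 256, "low"), QosRule("B", 128, "middle")]
    # Both groups saturate: the free 128 Kbps goes to B (higher priority).
    print(allocate(line, two_rules, {"A": 512, "B": 512}))

    three_rules = two_rules + [QosRule("C", 128, "high")]
    # A is under its limit (demand value constructed for illustration);
    # its unused share is lent to C, not B.
    print(allocate(line, three_rules, {"A": 100, "B": 512, "C": 512}))
    # A asks for its full guarantee again: the loan is taken back from C.
    print(allocate(line, three_rules, {"A": 256, "B": 512, "C": 512}))
```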


Question: For authentication function. If authentication is required for services other than HTTP, how can I get authenticated?

Answer: The default port for authentication is port 82. Therefore, please type the following into your web browser's address: <The gateway's local IP>:82 For example: 192.168.1.1:82. Then enter your username and password. Then you can get authenticated. For HTTP service, you just need to open your web browser and try to go to any site. Please remember to group the DNS service with HTTP service, so users can access the web normally.

====================================================================

Question: I did configure Authentication setting, but why the client user can access Internet without passing authentication?

Answer: Please check Outgoing Policy setting. If you only create an Outgoing Policy rule, you need to create another rule to allow DNS service passing through, and the rule must move to the top one.

====================================================================

Question: I would like to block a specific IM or P2P connection, but I did not find the blocking item at Application Blocking function, how can I block it?

Answer: Please notify us which IM or P2P connection you would like to block, and we will evaluate the possibility for the modification. When the modification is done, the Application Blocking signature can be upgraded automatically.

====================================================================

Question: When I enable Application Blocking, why the performance will become slow?

Answer: RS-2500 must check every packet to collect the data, in order to analyze the application type. So we strongly suggest users not enable all Application Blocking items; just select the application type you would like to block.


====================================================================

Question: Can I connect Web / SSL VPN from my Linux or MAC PC to RS-2500?

Answer: No, you can only use Microsoft Windows or Vista system to connect RS-2500 Web / SSL VPN server.

====================================================================

Question: Which browser’s type I can use to connect Web / SSL VPN?

Answer: Windows IE, FireFox, Safari and Google Chrome browser.

====================================================================

Question: Why I can not access Web / SSL VPN correctly?

Answer: The reason could be related to java program. You can try to do following things before to connect Web / SSL VPN:

1. Clean browser’s temporary file.

2. Uninstall java program, download and install the latest version java software from java website; or connect to RS-2500 Web / SSL VPN and RS-2500 system will download java program to client user’s PC.

====================================================================

Question: When I connect to RS-2500 Web / SSL VPN, the Network Connections setting in PC system will be created a connection named “Web VPN (SSL VPN)”, how can I remove it?

Answer: You can remove it from Device Manager setting. Uninstall “TAP-Win32 Adapter V8” from Networks adapters list.

====================================================================


24. Specifications


The specification of RS-2500 is subject to change without notice. Please use the information with caution.

24.1 Hardware Features

Hardware

CPU Intel IXP 425, 533MHz

DRAM 128 MB

Flash ROM 16MB (Flash)

Shield RJ-45 Ethernet UTP port 1 (10/100) LAN port (Switch Hub)

Modify the MAC address ○

Shield RJ-45 Ethernet UTP port 2 (10/100)

Support xDSL/Cable/Leased Line Service ○ WAN port

Modify the MAC address ○

Shield RJ-45 Ethernet UTP port 1 (10/100) DMZ port

Modify the MAC address ○

Factory Reset Button ○

Dimensions W x D x H (cm) 22.0 x 15.0 x 4.0

Size Desktop

Weight Kgs 0.94

Power DC 5V, 2.4A

Performance

WAN-LAN / Zone 1-Zone 2 / Port 1-Port 2 100 Mbps

3DES Encryption 35 Mbps Throughput VPN

SSL VPN 10 Mbps

Max Concurrent Sessions 110,000

New Sessions / Second 10,000

Corporation Size SMB

(clients 30~70)

Unlimited User ○


Security Function

SPI, SYN, ICMP, DoS, UDP, Ping of Death,Port Scan

○ Hacker Alert

Email Alert ○

Enable Blaster Blocking ○ Blaster Alarm

E-Mail / SNMP Trap / NetBIOS Alert Notification ○/╳/○

Anomaly Flow

Un-detected IP ○

Static ARP ○

Management

Web Based UI Traditional Chinese , Simplified Chinese and English Web UI ○

Web Management HTTP ○

Firmware Upgrade From LAN & WAN (Web UI) ○

Sub-Administrator Max entry 10

Remote Monitor ○

Web Management (Port Number) can be changeable ○

Permitted IPs(Max entry) 32

Web UI Logout ○

Remote management

MTU changeable for WAN ○

Interface Statistics ○

Traffic Statistics WAN / Policy ○

Multiple Subnet ( NAT ) Routing / NAT (Max entry) ○ / ○ (16)

Route Table(Max entry) 10

Dynamic Routing (RIPv2) ○

Host Table(Max entry) 20

DDNS(Max entry) 16

Save configuration to files ○

Load configuration from files ○

Configuration

Load Default (Factory Reset) ○

DHCP Client / Server ○ ( LAN & DMZ )

DHCP Server assign dynamic IP Up to 512

DHCP Server assign static IP (MAC+IP) ○ Protocols Supported

NTP ( Network Time Protocol) ○

Wake on Lan ○


Bandwidth Manager Function

Guaranteed Bandwidth ○

Priority-bandwidth utilization ○

QoS(Max entry) 100

Max. Bandwidth (MB) 50

QoS

Personal QoS ○

Accounting Report Ranking by IP / Port ○

Authentication User(Max entry) 200

Authentication Group(Max entry) 20

RADIUS ○

POP3 ○

URL to redirect ○

Messages to display ○

Authentication

Authentication Status

Disable re-login ○

Inbound / Outbound Function

OutBound Load-balancing Auto(AI) Mode, By Session, By Packet, Round-Robin, Auto Backup, By Secure IP, By Destination IP ○

WAN Port connection status ICMP ○ DNS ○

VPN Function

One-Step IPSec ○

IPSec Dead Peer Detection ○

Show remote Network Neighborhood ○

IKE, SHA-1, MD5 Authentication ○ IPSec Autokey

Auto Key management via IKE/ISAKMP ○

IPSec(Max entry) 200 / 100

PPTP Server(Max entry) Allow to Configure / Connection Tunnels 32 / 32

PPTP Client(Max entry) 16 / 16

Stateful Packet Inspection ○

Supports Windows VPN Client ○

VPN Hub ○

VPN Trunk(Max entry) 50

Internal Subnet of Server 10

Connection Tunnels(Max entry) 50 SSL VPN (Web VPN)

Hardware Auth ○


Firewall Function

NAT ○ Deployment

Transparent Mode (Enable / Disable) ○

Internal Max entry 200

Internal Group(Max entry) 20

External(Max entry) 100

China Telecom & CNC ○

External Group(Max entry) 20

DMZ(Max entry) 100

Address Book

DMZ Group(Max entry) 20

Custom(Max entry) 20 Service Book

Group(Max entry) 20

Schedule(Max entry) 20

Mapped IP(Max entry) 16

Multiple Virtual Servers 4

Virtual Server Service Name (Max entry) 16 Virtual Server

Multi-Servers Load Balancing 4

SPI (Stateful Packet Inspection) ○

MAC Address Filtering ○

Assign WAN Link by Source IP ○

Assign WAN Link by Destination IP ○

Assign WAN Link by Port ○

Packet Filtering by Source IP ○

Packet Filtering by Destination IP ○

Packet Filtering by Port ○

Access control by group ○

Time-Schedule Management ○

Max. Concurrent Sessions ○

Incoming NAT mode & External To DMZ NAT mode ○

Outgoing(Max entry) 300

Incoming(Max entry) 100

LAN To DMZ(Max entry) 50

WAN To DMZ(Max entry) 100

DMZ To LAN(Max entry) 50

DMZ To WAN(Max entry) 50

Policy Control

Tips ○


URL Blocking(Max entry) 300

Script Blocking (Java / ActiveX / Cookie / Popup) ○

Download Blocking

All Types Block ○

Audio and Video Types Block ○

Extensions Block (exe, zip, rar, iso, bin, rpm, doc, xl?, ppt, pdf, tgz, gz, bat, com, dll, hta, scr, vb?, wps, pif, com, msi, reg, mp3, mpeg, mpg)

Upload Blocking

All Types Block ○

Extensions Block (exe, zip, rar, iso, bin, rpm, doc, xl?, ppt, pdf, tgz, gz, bat, com, dll, hta, scr, vb?, wps, pif, com, msi, reg, mp3, mpeg, mpg) ○

Content Filtering

Auto Update Definitions 30 min

eDonkey ○

BT ○

WinMX ○

Foxy ○

KuGoo ○

AppleJuice ○

AudioGalaxy ○

DirectConnect ○

iMesh ○

MUTE ○

Thunder5 ○

P2P Blocking

VNN Client ○

MSN Messenger ○

Yahoo Messenger ○

ICQ ○

QQ ○

Skype VoIP ○

Google Talk ○

IM Blocking

Gadu-Gadu ○

IM / P2P Blocking

IM / P2P Rule ○

Drop Intruding Packets ○

Traffic Log / Event Log / Connection Log ○/○/○

Syslog Settings ○ Log

E-mail alert when WAN link failure Log Backup

H/W Watch-Dog Auto rebooting when detecting system fails ○


25. Network Glossary


The network glossary contains explanation or information about common terms used in networking products. Some of the information in this glossary might be outdated, please use with caution.

25.1 Interface

RJ-45

Standard connectors for Twisted Pair copper cable used in Ethernet networks. Although they look similar to standard RJ-11 telephone connectors, RJ-45 connectors can have up to eight wires, whereas telephone connectors have only four.

100Base-TX

Also known as 802.3u. The IEEE standard defines how to transmit Fast Ethernet 100Mbps data using Cat.5 UTP/STP cable. The 100Base-TX standard is backward compatible with the 10Mbps 10-BaseT standard.

WAN

Wide Area Network. A communication system of connecting PCs and other computing devices across a large local, regional, national or international geographic area.

LAN

Local Area Network. It is a computer network covering a small physical area or small group of buildings.

DMZ

Demilitarized Zone. When a router opens a DMZ port to an internal network device, it opens all the TCP/UDP service ports to this particular device.


PPPoE

Point-to-Point over Ethernet. PPPoE relies on two widely accepted standards: PPP and Ethernet. PPPoE is a specification for connecting the users on an Ethernet to the Internet through a common broadband medium, such as single DSL line, wireless device or cable modem.

Transparent

Transparent mode works to transfer real IP address from WAN interface to the device that connects to DMZ port. So the DMZ device can also get real IP address and offer the service with Internet users.

25.2 System

NAT

Network Address Translation. A network algorithm used by Routers to enable several PCs to share single IP address provided by the ISP. The IP that a router gets from the ISP side is called Real IP, the IP assigned to PC under the NAT environment is called Private IP.

DHCP

Dynamic Host Configuration Protocol. A protocol that enables a server to dynamically assign IP addresses. When DHCP is used, whenever a computer logs onto the network, it automatically gets an IP address assigned to it by DHCP server. A DHCP server can either be a designated PC on the network or another network device, such as router.

DNS

A program that translates URLs to IP addresses by accessing a database maintained on a collection of Internet servers.

DDNS

Dynamic Domain Name System. An Algorithm that allows the use of dynamic IP address for hosting Internet Server. DDNS service provides each user account with a domain name. Router with DDNS capability has a built-in DDNS client that updates the IP address information to DDNS service provider whenever there is a change. Therefore, users can build website or other Internet servers even if they don’t have fixed IP connection.


Subnetwork or Subnet

Found in larger networks, these smaller networks are used to simplify addressing between numerous computers. Subnets connect to the central network through a router, switch or gateway. Each individual wireless LAN will probably use the same subnet for all the local computers it talks to.

IP Address

IP (Internet Protocol) is a layer-3 network protocol that is the basis of all Internet communication. An IP address is 32-bit number that identifies each sender or receiver of information that is sent across the Internet. An IP address has two parts: an identifier of a particular network on the Internet and an identifier of the particular device (which can be a server or a workstation) within that network. The new IPv6 specification supports 128-bit IP address format.

MAC

Media Access Control. MAC address provides layer-2 identification for Networking Devices. Each Ethernet device has its own unique address. The first 6 digits are unique for each manufacturer. When a network device has the MAC access control feature, only the devices with the approved MAC address can connect with the network.

TCP

A layer-4 protocol used along with the IP to send data between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the packets that a message is divided into for efficient routing through the Internet.

UDP

User Datagram Protocol. A layer-4 network protocol for transmitting data that does not require acknowledgement from the recipient of the data.


QoS (Bandwidth Management)

Bandwidth Management controls the transmission speed of a port, user, IP address, and application. Router can use bandwidth control to limit the Internet connection speed of individual IP or Application. It can also guarantee the speed of certain special application or privileged IP address - a crucial feature of QoS (Quality of Service) function. For switch's bandwidth management, please see "Rate Control".

RADIUS

Remote Authentication Dial-In User Service. An authentication and accounting system used by many Internet Service Providers (ISPs). When you dial in to the ISP, you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system. RADIUS typically uses port 1812 and port 1813 for authentication and accounting port. Though not an official standard, the RADIUS specification is maintained by a working group of the IETF.

Wake on Lan

Wake on Lan (WOL) function works to power on the computer remotely. The computer’s network card must also support WOL function; when it receives the wake-up packets, the computer will auto boot up.


25.3 VPN

VPN

Virtual Private Network. A type of technology designed to increase the security of information over the Internet. VPN creates a private encrypted tunnel from the end user’s computer, through the local wireless network, through the Internet, all the way to the corporate network.

SSL

Security Sockets Layer. Commonly used encryption scheme used by many online retail and banking sites to protect the financial integrity of transactions. When a SSL session begins, the server sends its public key to the browser. The browser then sends a randomly generated secret key back to the server in order to have a secret key exchange for that session. SSL VPN is also known as Web VPN.

IPsec

IP Security. A set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs). IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.

PPTP

Point-to-Point Tunneling Protocol: A VPN protocol developed by PPTP Forum. With PPTP, users can dial in to their corporate network via the Internet. If users require data encryption when using the Windows PPTP client, the remote VPN server must support MPPE (Microsoft Point-To-Point Encryption Protocol) encryption. PPTP is also used by some ISP for user authentication, particularly when pairing with legacy Alcatel / Thomson ADSL modem.

Preshare Key

The IKE VPN must be defined with a Preshared Key. The Key may be up to 128 bytes long.


ISAKMP (Internet Security Association Key Management Protocol)

An extensible protocol-encoding scheme that complies to the Internet Key Exchange (IKE) framework for establishment of Security Associations (SAs).

AH (Authentication Header)

One of the IPSec standards that allows for data integrity of data packets.

ESP (Encapsulating Security Payload)

One of the IPSec standards that provides for the confidentiality of data packets.

DES (Data Encryption Standard)

The Data Encryption Standard developed by IBM in 1977 is a 64-bit block encryption block cipher using a 56-bit key.

Triple-DES (3DES)

The DES function performed three times with either two or three cryptographic keys.

AES (Advanced Encryption Standard)

An encryption algorithm yet to be decided that will be used to replace the aging DES encryption algorithm and that the NIST hopes will last for the next 20 to 30 years.

NULL Algorithm

It is a fast and convenient connecting mode to make sure its privacy and authentication without encryption. NULL Algorithm doesn’t provide any other safety services but a way to substitute ESP Encryption.

SHA-1 (Secure Hash Algorithm-1)

A message-digest hash algorithm that takes a message less than 2^64 bits and produces a 160-bit digest.


MD5

MD5 is a common message digest algorithm that produces a 128-bit message digest from an arbitrary length input, developed by Ron Rivest.

Main Mode

This is another first phase of the Oakley protocol in establishing a security association, but instead of using three packets like in aggressive mode, it uses six packets.

Aggressive mode

This is the first phase of the Oakley protocol in establishing a security association using three data packets.

GRE/IPSec

The device Select GRE/IPSec (Generic Routing Encapsulation) packet seal technology.

25.4 Anomaly Flow IP

Sasser

Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable network port (as do certain other worms). Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update.

MSBlaster

The Blaster Worm (also known as Lovsan or Lovesan) was a computer worm that spread on computers running the Microsoft operating systems: Windows XP and Windows 2000.

Code Red

The Code Red worm was a computer worm observed on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server.


Nimda

Nimda is a computer worm, and is also a file infector. It quickly spread, eclipsing the economic damage caused by past outbreaks such as Code Red. Multiple propagation vectors allowed Nimda to become the Internet’s most widespread virus/worm within 22 minutes.

SYN Flood

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.

ICMP Flood

A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination.

UDP Flood

A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host.

Ping of Death

It is an attack in which hackers send PING packets carrying tremendous amounts of trash data to cause System malfunction. This attack can cause network speed to slow down, or even make it necessary to restart the computer to restore normal operation.

IP Spoofing

Hackers disguise themselves as trusted users of the network in Spoof attacks. They use a fake identity to try to pass through the firewall system and invade the network.


Port Scan

Hackers use port scans to continuously scan networks on the Internet to detect computers and the vulnerable ports that are opened by those computers.

Tear Drop

The Tear Drop attacks are packets that are segmented into small packets with negative length. Some Systems treat the negative value as a very large number, and copy enormous amounts of data into the System, causing System damage such as a shut down or a restart.

Detect Land Attack

Some Systems may shut down when receiving packets with the same source and destination addresses, the same source port and destination port, and when SYN on the TCP header is marked. Enable this function to detect such abnormal packets.

DoS Attack

Denial of Service. A type of network attack that floods the network with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols.
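
Added example (not part of this manual or of the RS-2500 firmware): the Detect Land Attack condition described above, applied to raw IPv4 packets in Python. The function names and the sample packets, which use documentation addresses, are assumptions constructed for illustration.

```python
import socket
import struct

TCP_SYN = 0x02
IPPROTO_TCP = 6


def is_land_packet(packet: bytes) -> bool:
    """True if a raw IPv4 packet is TCP with SYN set, source address equal
    to destination address, and source port equal to destination port."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                       # too short, or not IPv4
    ihl = (packet[0] & 0x0F) * 4           # IP header length, options included
    if ihl < 20 or len(packet) < ihl + 14:
        return False                       # malformed, or cut off before TCP flags
    (frag_field,) = struct.unpack_from("!H", packet, 6)
    if frag_field & 0x1FFF:
        return False                       # later fragment: no TCP header here
    if packet[9] != IPPROTO_TCP:
        return False
    src_port, dst_port = struct.unpack_from("!HH", packet, ihl)
    syn_set = bool(packet[ihl + 13] & TCP_SYN)
    return packet[12:16] == packet[16:20] and src_port == dst_port and syn_set


def build_packet(src, dst, sport, dport, flags, options=b""):
    """Constructed IPv4+TCP test packet (checksums left at zero).
    options must be a multiple of 4 bytes."""
    ihl_words = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + 20, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    samples = {  # constructed sample traffic
        "land": build_packet("192.0.2.10", "192.0.2.10", 139, 139, TCP_SYN),
        "normal SYN": build_packet("198.51.100.7", "192.0.2.10", 40000, 139, TCP_SYN),
        "same endpoints, ACK only": build_packet("192.0.2.10", "192.0.2.10", 139, 139, 0x10),
    }
    for name, pkt in samples.items():
        print(f"{name}: {'ALERT' if is_land_packet(pkt) else 'ok'}")
```

The check reads the IP header length from the packet instead of assuming 20 bytes, so a Land packet carrying IP options is still flagged.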