Advance Multimedia Internet Technology WIQ318 Wireless Broadband Router User Manual II

Advance Multimedia Internet Technology Inc. Wireless Broadband Router Users Manual II

UserManual.wiki >

Advance Multimedia Internet Technology >

WIQ318 User Manual >

Users Manual II

Contents

Users Manual II

WPA2-PSK(AES) 1. Select Pre-share Key Mode If you select HEX, you have to fill in 64 hexadecimal (0, 1, 2…8, 9, A, B…F) digits If ASCII, the length of Pre-share key is from 8 to 63. 2. Fill in the key, Ex 12345678 26

WPA2(AES) Check Box was used to switch the function of the WPA. When the WPA function is enabled, the Wireless user must authenticate to this router first to use the Network service. RADIUS Server IP address or the 802.1X server’s domain-name. Select RADIUS Shared Key If you select HEX, you have to fill in 64 hexadecimal (0, 1, 2…8, 9, A, B…F) digits If ASCII, the length of Pre-share key is from 8 to 63. Key value shared by the RADIUS server and this router. This key value is consistent with the key value in the RADIUS server. 27

WPA-PSK /WPA2-PSK The router will detect automatically which Security type the client uses to encrypt. 1. Select Pre-share Key Mode If you select HEX, you have to fill in 64 hexadecimal (0, 1, 2…8, 9, A, B…F) digits If ASCII, the length of Pre-share key is from 8 to 63. 2. Fill in the key, Ex 12345678 28

WPA/WPA2 Check Box was used to switch the function of the WPA. When the WPA function is enabled, the Wireless user must authenticate to this router first to use the Network service. RADIUS Server The router will detect automatically which Security type(Wpa-psk version 1 or 2) the client uses to encrypt. IP address or the 802.1X server’s domain-name. Select RADIUS Shared Key If you select HEX, you have to fill in 64 hexadecimal (0, 1, 2…8, 9, A, B…F) digits If ASCII, the length of Pre-share key is from 8 to 63. Key value shared by the RADIUS server and this router. This key value is consistent with the key value in the RADIUS server. 29

WDS(Wireless Distribution System) WDS operation as defined by the IEEE802.11 standard has been made available. Using WDS it is possible to wirelessly connect Access Points, and in doing so extend a wired infrastructure to locations where cabling is not possible or inefficient to implement. 30

4.4.4 Change Password You can change Password here. We strongly recommend you to change the system password for security reason. 31

4.5 Forwarding Rules 32

4.5.1 Virtual Server This product’s NAT firewall filters out unrecognized packets to protect your Intranet, so all hosts behind this product are invisible to the outside world. If you wish, you can make some of them accessible by enabling the Virtual Server Mapping. A virtual server is defined as a Service Port, and all requests to this port will be redirected to the computer specified by the Server IP. Virtual Server can work with Scheduling Rules, and give user more flexibility on Access control. For Detail, please refer to Scheduling Rule. For example, if you have an FTP server (port 21) at 192.168.123.1, a Web server (port 80) at 192.168.123.2, and a VPN server at 192.168.123.6, then you need to specify the following virtual server mapping table: Service Port Server IP Enable 21 192.168.123.1 V 80 192.168.123.2 V 1723 192.168.123.6 V 33

4.5.2 Special AP Some applications require multiple connections, like Internet games, Video conferencing, Internet telephony, etc. Because of the firewall function, these applications cannot work with a pure NAT router. The Special Applications feature allows some of these applications to work with this product. If the mechanism of Special Applications fails to make an application work, try setting your computer as the DMZ host instead. 1. Trigger: the outbound port number issued by the application.. 2. Incoming Ports: when the trigger packet is detected, the inbound packets sent to the specified port numbers are allowed to pass through the firewall. This product provides some predefined settings Select your application and click Copy to to add the predefined setting to your list. Note! At any given time, only one PC can use each Special Application tunnel. 34

4.5.3 Miscellaneous Items IP Address of DMZ Host DMZ (DeMilitarized Zone) Host is a host without the protection of firewall. It allows a computer to be exposed to unrestricted 2-way communication for Internet games, Video conferencing, Internet telephony and other special applications. NOTE: This feature should be used only when needed. Non-standard FTP port You have to configure this item if you want to access an FTP server whose port number is not 21. This setting will be lost after rebooting. UpnP Setting The device also supports this function.If the OS supports this function enable it,like Windows Xp.When the user get ip from Device and will see icon as below: 35

4.6 Security Settings 36

4.6.1 Packet Filter Packet Filter enables you to control what packets are allowed to pass the router. Outbound filter applies on all outbound packets. However, Inbound filter applies on packets that destined to Virtual Servers or DMZ host only. You can select one of the two filtering policies: 1. Allow all to pass except those match the specified rules 2. Deny all to pass except those match the specified rules You can specify 8 rules for each direction: inbound or outbound. For each rule, you can define the following: • Source IP address • Source port address • Destination IP address • Destination port address • Protocol: TCP or UDP or both. • Use Rule# 37

For source or destination IP address, you can define a single IP address (4.3.2.1) or a range of IP addresses (4.3.2.1-4.3.2.254). An empty implies all IP addresses. For source or destination port, you can define a single port (80) or a range of ports (1000-1999). Add prefix "T" or "U" to specify TCP or UDP protocol. For example, T80, U53, U2000-2999. No prefix indicates both TCP and UDP are defined. An empty implies all port addresses. Packet Filter can work with Scheduling Rules, and give user more flexibility on Access control. For Detail, please refer to Scheduling Rule. Each rule can be enabled or disabled individually. Inbound Filter: To enable Inbound Packet Filter click the check box next to Enable in the Inbound Packet Filter field. Suppose you have SMTP Server (25), POP Server (110), Web Server (80), FTP Server (21), and News Server (119) defined in Virtual Server or DMZ Host. Example 1: 38

(1.2.3.100-1.2.3.149) They are allow to send mail (port 25), receive mail (port 110), and browse the Internet (port 80) (1.2.3.10-1.2.3.20) They can do everything (block nothing) Others are all blocked. Example 2: (1.2.3.100-1.2.3.119) They can do everything except read net news (port 119) and transfer files via FTP (port 21) Others are all allowed. After Inbound Packet Filter setting is configured, click the save button. Outbound Filter: To enable Outbound Packet Filter click the check box next to Enable in the Outbound Packet Filter field. 39

Example 1: (192.168.123.100-192.168.123.149) They are allowed to send mail (port 25), receive mail (port 110), and browse Internet (port 80); port 53 (DNS) is necessary to resolve the domain name. (192.168.123.10-192.168.123.20) They can do everything (block nothing) Others are all blocked. 40

Example 2: (192.168.123.100-192.168.123.119) They can do everything except read net news (port 119) and transfer files via FTP (port 21) Others are allowed After Outbound Packet Filter setting is configured, click the save button. 41

4.6.2 Domain Filter Domain Filter Let you prevent users under this device from accessing specific URLs. Domain Filter Enable Check if you want to enable Domain Filter. Log DNS Query Check if you want to log the action when someone accesses the specific URLs. Privilege IP Addresses Range Setting a group of hosts and privilege these hosts to access network without restriction. Domain Suffix A suffix of URL to be restricted. For example, ".com", "xxx.com". Action When someone is accessing the URL met the domain-suffix, what kind of action you want. Check drop to block the access. Check log to log these access. Enable Check to enable each rule. 42

Example: In this example: 1. URL include “www.msn.com” will be blocked, and the action will be record in log-file. 2. URL include “www.sina.com” will not be blocked, but the action will be record in log-file. 3. URL include “www.google.com” will be blocked, but the action will not be record in log-file. 4. IP address X.X.X.1~ X.X.X.20 can access network without restriction. 43

4.6.3 URL Blocking URL Blocking will block LAN computers to connect to pre-defined Websites. The major difference between “Domain filter” and “URL Blocking” is Domain filter require user to input suffix (like .com or .org, etc), while URL Blocking require user to input a keyword only. In other words, Domain filter can block specific website, while URL Blocking can block hundreds of websites by simply a keyword. URL Blocking Enable Checked if you want to enable URL Blocking. URL If any part of the Website's URL matches the pre-defined word, the connection will be blocked. For example, you can use pre-defined word "sex" to block all websites if their URLs contain pre-defined word "sex". Enable Checked to enable each rule. 44

In this example: 1. URL include “msn” will be blocked, and the action will be record in log-file. 2. URL include “sina” will be blocked, but the action will be record in log-file 3. URL include “cnnsi” will not be blocked, but the action will be record in log-file. 4. URL include “espn” will be blocked, but the action will be record in log-file 45

4.6.4 MAC Address Control MAC Address Control allows you to assign different access right for different users and to assign a specific IP address to a certain MAC address. MAC Address Control Check “Enable” to enable the “MAC Address Control”. All of the settings in this page will take effect only when “Enable” is checked. Connection control Check "Connection control" to enable the controlling of which wired and wireless clients can connect to this device. If a client is denied to connect to this device, it means the client can't access to the Internet either. Choose "allow" or "deny" to allow or deny the clients, whose MAC addresses are not in the "Control table" (please see below), to connect to this device. Association control Check "Association control" to enable the controlling of which wireless client can associate to the wireless LAN. If a client is denied to associate to the wireless LAN, it means the client can't send or receive any data 46

via this device. Choose "allow" or "deny" to allow or deny the clients, whose MAC addresses are not in the "Control table", to associate to the wireless LAN. Control table "Control table" is the table at the bottom of the "MAC Address Control" page. Each row of this table indicates the MAC address and the expected IP address mapping of a client. There are four columns in this table: MAC Address MAC address indicates a specific client. IP Address Expected IP address of the corresponding client. Keep it empty if you don't care its IP address. C When "Connection control" is checked, check "C" will allow the corresponding client to connect to this device. A When "Association control" is checked, check "A" will allow the corresponding client to associate to the wireless LAN. In this page, we provide the following Combobox and button to help you to input the MAC address. You can select a specific client in the “DHCP clients” Combobox, and then click on the “Copy to” button to copy the MAC address of the client you select to the ID selected in the “ID” Combobox. Previous page and Next Page To make this setup page simple and clear, we have divided the “Control table” into several pages. You can use these buttons to navigate to different pages. 47

Example: In this scenario, there are three clients listed in the Control Table. Clients 1 and 2 are wireless, and client 3 is wired. 1.The "MAC Address Control" function is enabled. 2."Connection control" is enabled, and all of the wired and wireless clients not listed in the "Control table" are "allowed" to connect to this device. 3."Association control" is enabled, and all of the wireless clients not listed in the "Control table" are "denied" to associate to the wireless LAN. 4.Clients 1 and 3 have fixed IP addresses either from the DHCP server of this device or manually assigned: ID 1 - "00-12-34-56-78-90" --> 192.168.122.100 ID 3 - "00-98-76-54-32-10" --> 192.168.122.101 Client 2 will obtain its IP address from the IP Address pool specified in the "DHCP Server" page or can use a manually assigned static IP address. If, for example, client 3 tries to use an IP address different from the address listed in the Control table (192.168.122.101), it will be denied to connect to this device. 48

5.Clients 2 and 3 and other wired clients with a MAC address unspecified in the Control table are all allowed to connect to this device. But client 1 is denied to connect to this device. 6.Clients 1 and 2 are allowed to associate to the wireless LAN, but a wireless client with a MAC address not specified in the Control table is denied to associate to the wireless LAN. Client 3 is a wired client and so is not affected by Association control. 4.6.5 Miscellaneous Items Remote Administrator Host/Port In general, only Intranet user can browse the built-in web pages to perform administration task. This feature enables you to perform administration task from remote host. If this feature is enabled, only the specified IP address can perform remote administration. If the specified IP address is 0.0.0.0, any host can connect to this product to perform administration task. You can use subnet mask bits "/nn" notation to specified a group of trusted IP addresses. For example, "10.1.2.0/24". NOTE: When Remote Administration is enabled, the web server port will be shifted to 88. You can change web server port to other port, too. Administrator Time-out The time of no activity to logout automatically. Set it to zero to disable this feature. Discard PING from WAN side When this feature is enabled, any host on the WAN cannot ping this product. SPI Mode When this feature is enabled, the router will record the packet information pass through the router like 49

IP address, port address, ACK, SEQ number and so on. And the router will check every incoming packet to detect if this packet is valid. DoS Attack Detection When this feature is enabled, the router will detect and log the DoS attack comes from the Internet. Currently, the router can detect the following DoS attack: SYN Attack, WinNuke, Port Scan, Ping of Death, Land Attack etc. 4.7 Advanced Settings 50