MitraStar Technology HES209M1H WiMAX Indoor VoIP IAD User Manual: User's Guide

MitraStar Technology Corporation WiMAX Indoor VoIP IAD User's Guide

User Manual

BM2022
WiMAX IEEE 802.16 Indoor CPE

Firmware Version V2.00
Edition 1, 4/2011

Default Login Details
IP Address: http://192.168.1.1
Username: admin
Password: 1234

www.huawei.com
Copyright © 2011 Huawei Technologies Co., LTD.

HES-209M1H
About This User's Guide

Intended Audience

This manual is intended for people who want to configure the Huawei BM2022 using the Huawei Web Configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.

Related Documentation

- Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
- Support Disc: Refer to the included CD for support documents.
- Huawei Web Site: Please refer to www.huawei.com for additional support documentation and product certifications.

Document Conventions

Warnings and Notes

These are how warnings and notes are shown in this User's Guide.

Warnings tell you about things that could harm you or your BM2022.

Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions

- The product(s) described in this book may be referred to as the "BM2022", the "device", the "system" or the "product" in this User's Guide.
- Product labels, screen names, field labels and field choices are all in bold font.
- A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the "enter" or "return" key on your keyboard.
- "Enter" means for you to type one or more characters and then press the [ENTER] key. "Select" or "choose" means for you to use one of the predefined choices.
- A right angle bracket ( > ) within a screen name denotes a mouse click. For example, TOOLS > Logs > Log Settings means you first click Tools in the navigation panel, then the Logs sub menu and finally the Log Settings tab to get to that screen.
- Units of measurement may denote the "metric" value or the "scientific" value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576" and so on.
- "e.g.," is a shorthand for "for instance", and "i.e.," means "that is" or "in other words".
Icons Used in Figures

Figures in this User's Guide may use the following generic icons. The BM2022 icon is not an exact representation of your product.

Table 1   Common Icons: BM2022, Computer, Wireless Signal, Notebook, Server, Base Station, Telephone, Switch, Router, Internet Cloud, Network Cloud
Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.

- Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
- Do NOT expose your device to dampness, dust or corrosive liquids.
- Do NOT store things on the device.
- Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
- Connect ONLY suitable accessories to the device.
- Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
- Make sure to connect the cables to the correct ports.
- Place connecting cables carefully so that no one will step on them or stumble over them.
- Always disconnect all cables from this device before servicing or disassembling.
- Use ONLY an appropriate power adaptor or cord for your device. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
- Do NOT remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet.
- Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
- Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
- If the power adaptor or cord is damaged, remove it from the device and the power source.
- Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
- Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
- Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
- Use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
- Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).
- If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
- Make sure that the cable system is grounded so as to provide some protection against voltage surges.

Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.
Contents Overview

User's Guide
  Getting Started
  Introducing the Web Configurator
  Setup Wizard
  Tutorials

Technical Reference
  System Status
  WiMAX
  Network Setting
  Security
  The VoIP General Screens
  The VoIP Account Screens
  The VoIP Line Screens
  Maintenance
  Troubleshooting
  Product Specifications
 ContentsBM2022 Users Guide 9ContentsAbout This User's Guide.......................................................................................................... 3Safety Warnings........................................................................................................................ 5Contents Overview  .................................................................................................................. 7Contents .................................................................................................................................... 9Part I: Users Guide ................................................................................15Chapter   1Getting Started ........................................................................................................................ 171.1 About Your BM2022  .............................................................................................................171.1.1 WiMAX Internet Access ..............................................................................................171.1.2 Make Calls via Internet Telephony Service Provider  ..................................................181.2 BM2022 Hardware  ...............................................................................................................181.2.1 LEDs ...........................................................................................................................191.3 Good Habits for Managing the BM2022 ...............................................................................20Chapter   2Introducing the Web Configurator ........................................................................................ 
212.1 Overview  ..............................................................................................................................212.1.1 Accessing the Web Configurator  ................................................................................212.1.2 The Reset Button ........................................................................................................222.1.3 Saving and Canceling Changes  .................................................................................222.1.4 Working with Tables ....................................................................................................232.2 The Main Screen ..................................................................................................................23Chapter   3Setup Wizard ........................................................................................................................... 273.1 Overview  ..............................................................................................................................273.1.1 Welcome to the Setup Wizard  ....................................................................................273.1.2 LAN Settings ...............................................................................................................283.1.3 WiMAX Frequency Settings ........................................................................................293.1.4 WiMAX Authentication Settings ..................................................................................303.1.5 VoIP Settings  ..............................................................................................................323.1.6 Setup Complete ..........................................................................................................34
ContentsBM2022 Users Guide10Chapter   4Tutorials................................................................................................................................... 354.1 Overview  ..............................................................................................................................354.2 WiMAX Connection Settings  ................................................................................................354.3 Configuring LAN DHCP ........................................................................................................364.4 Changing Certificate .............................................................................................................384.5 Blocking Web Access ...........................................................................................................394.6 Configuring the MAC Address Filter .....................................................................................394.7 Setting Up NAT Port Forwarding ..........................................................................................414.8 Access the BM2022 Using DDNS ........................................................................................434.8.1 Registering a DDNS Account on www.dyndns.org .....................................................444.8.2 Configuring DDNS on Your BM2022  ..........................................................................444.8.3 Testing the DDNS Setting ...........................................................................................454.9 Configuring Static Route for Routing to Another Network ....................................................454.10 Remotely Managing Your BM2022  ....................................................................................474.11 VLAN Configuration Examples ...........................................................................................484.11.1 Scenario 1 
.................................................................................................................494.11.2 Scenario 2 .................................................................................................................504.11.3 Scenario 3 .................................................................................................................524.11.4 Scenario 4 .................................................................................................................544.11.5 Scenario 5 .................................................................................................................56Part II: Technical Reference...................................................................59Chapter   5System Status ......................................................................................................................... 615.1 Overview  ..............................................................................................................................615.2 System Status  ......................................................................................................................61Chapter   6WiMAX ..................................................................................................................................... 
656.1 Overview  ..............................................................................................................................656.1.1 What You Need to Know .............................................................................................656.2 Connection Settings .............................................................................................................686.3 Frequency Settings  ..............................................................................................................706.4 Authentication Settings  ........................................................................................................726.5 Channel Plan Settings ..........................................................................................................756.6 CAPL Settings ......................................................................................................................776.6.1 CAPL Settings: Add ....................................................................................................786.7 RAPL Settings ......................................................................................................................796.8 Home NSP Settings  .............................................................................................................80
 ContentsBM2022 Users Guide 116.9 Connect ................................................................................................................................816.10 Wide Scan ..........................................................................................................................846.11 Link Status ..........................................................................................................................866.12 Link Statistics  .....................................................................................................................876.13 Connection Info  ..................................................................................................................886.14 Service Flow .......................................................................................................................89Chapter   7Network Setting ...................................................................................................................... 
917.1 Overview  ..............................................................................................................................917.1.1 What You Need to Know .............................................................................................917.2 WAN .....................................................................................................................................947.3 PPPoE ..................................................................................................................................967.4 GRE  .....................................................................................................................................977.5 EtherIP  .................................................................................................................................987.6 IP ..........................................................................................................................................987.7 DHCP ...................................................................................................................................997.8 Static Route ........................................................................................................................1007.9 Static Route Add  ................................................................................................................1017.10 RIP  ...................................................................................................................................1017.11 Port Forwarding ................................................................................................................1037.11.1 Port Forwarding Wizard  ..........................................................................................1047.12 Port Trigger  ......................................................................................................................1057.12.1 Port Trigger Wizard 
.................................................................................................1067.12.2 Trigger Port Forwarding Example ...........................................................................1077.13 DMZ  .................................................................................................................................1077.14 ALG  ..................................................................................................................................1087.15 QoS ..................................................................................................................................1097.16 UPnP ................................................................................................................................1097.16.1 Installing UPnP in Windows XP ..............................................................................1107.16.2 Web Configurator Easy Access  .............................................................................. 1147.17 VLAN ................................................................................................................................ 1157.18 DDNS ............................................................................................................................... 1177.19 IGMP Proxy ...................................................................................................................... 1187.20 Content Filter .................................................................................................................... 119Chapter   8Security.................................................................................................................................. 
1218.1 Overview  ............................................................................................................................1218.1.1 What You Need to Know ...........................................................................................1218.2 IP Filter ...............................................................................................................................1218.3 MAC Filter  ..........................................................................................................................1228.4 DDOS .................................................................................................................................123
ContentsBM2022 Users Guide128.5 PPTP VPN Server ..............................................................................................................1258.6 PPTP VPN Client  ...............................................................................................................1278.7 PPTP VPN Client: Add .......................................................................................................1278.8 L2TP VPN Server ...............................................................................................................1298.9 L2TP VPN Client ................................................................................................................1318.10 L2TP VPN Client: Add ......................................................................................................1318.11 IPSec VPN  .......................................................................................................................1338.11.1 The General Screen ................................................................................................1338.11.2 IPSec VPN: Add ......................................................................................................1358.12 Technical Reference .........................................................................................................1408.12.1 IPSec Architecture  ..................................................................................................1408.12.2 Encapsulation  .........................................................................................................1418.12.3  IKE Phases ............................................................................................................1428.12.4 Negotiation Mode  ...................................................................................................1438.12.5 IPSec and NAT  
.......................................................................................................1438.12.6 VPN, NAT, and NAT Traversal  ................................................................................1448.12.7 ID Type and Content ...............................................................................................1448.12.8 Pre-Shared Key  ......................................................................................................1468.12.9 Diffie-Hellman (DH) Key Groups .............................................................................146Chapter   9The VoIP General Screens ................................................................................................... 1479.1 VoIP Overview ....................................................................................................................1479.1.1 What You Can Do in This Chapter ............................................................................1479.1.2 What You Need to Know ...........................................................................................1479.1.3 Before you Begin ......................................................................................................1499.2 Media  .................................................................................................................................1499.3 QoS ....................................................................................................................................1509.4 SIP Settings  .......................................................................................................................1519.5 Speed Dial ..........................................................................................................................1519.6 Technical Reference ...........................................................................................................1529.6.1 DSCP and Per-Hop Behavior  
...................................................................................152Chapter   10The VoIP Account Screens .................................................................................................. 15310.1 Overview  ..........................................................................................................................15310.1.1 What You Can Do in This Chapter ..........................................................................15310.1.2 What You Need to Know .........................................................................................15310.2 Status  ...............................................................................................................................15610.3 Server ...............................................................................................................................15810.4 SIP  ...................................................................................................................................15910.5 Feature .............................................................................................................................16110.6 Dialing  ..............................................................................................................................162
 ContentsBM2022 Users Guide 1310.7 FAX  ..................................................................................................................................16310.8 Technical Reference .........................................................................................................16310.8.1 SIP Call Progression with Session Timer  ...............................................................16310.8.2 SIP Client Server  ....................................................................................................166Chapter   11The VoIP Line Screens ......................................................................................................... 16711.1 Overview  ..........................................................................................................................16711.1.1 What You Can Do in This Chapter ..........................................................................16711.1.2 What You Need to Know .........................................................................................16711.2 Phone  ...............................................................................................................................16811.3 Voice .................................................................................................................................16811.4 Region ..............................................................................................................................169Chapter   12Maintenance .......................................................................................................................... 
17112.1 Overview  ..........................................................................................................................17112.1.1 What You Need to Know .........................................................................................17112.2 Password  .........................................................................................................................17612.3 HTTP ................................................................................................................................17712.4 Telnet ................................................................................................................................17712.5 SSH ..................................................................................................................................17812.6 SNMP ...............................................................................................................................17912.7 CWMP ..............................................................................................................................17912.8 OMA-DM  ..........................................................................................................................18112.9 Date ..................................................................................................................................18312.10 Time Zone  ......................................................................................................................18312.11 Upgrade File ...................................................................................................................18412.11.1 The Firmware Upload Process  .............................................................................18412.12 Upgrade Link ..................................................................................................................18512.13 CWMP Upgrade  
.............................................................................................................18512.14 Backup  ...........................................................................................................................18612.15 Restore ...........................................................................................................................18612.15.1 The Restore Configuration Process  .....................................................................18712.16 Factory Defaults  .............................................................................................................18712.17 Log Setting  .....................................................................................................................18812.18 Log Display  ....................................................................................................................18812.19 Ping Test  ........................................................................................................................18912.20 Traceroute Test  ..............................................................................................................19012.21 About ..............................................................................................................................19012.22 Reboot ............................................................................................................................191Chapter   13Troubleshooting.................................................................................................................... 193
ContentsBM2022 Users Guide1413.1 Power, Hardware Connections, and LEDs .......................................................................19313.2 BM2022 Access and Login  ..............................................................................................19413.3 Internet Access  ................................................................................................................19513.4 Reset the BM2022 to Its Factory Defaults  .......................................................................19713.4.1 Pop-up Windows, JavaScript and Java Permissions  .............................................197Chapter   14Product Specifications.........................................................................................................199Appendix   A  WiMAX Security ............................................................................................... 205Appendix   B  Setting Up Your Computers IP Address .......................................................... 209Appendix   C  Pop-up Windows, JavaScript and Java Permissions ....................................... 233Appendix   D  IP Addresses and Subnetting........................................................................... 243Appendix   E  Importing Certificates ....................................................................................... 253Appendix   F  Common Services ............................................................................................ 279Index ...................................................................................................................................... 283
PART I  User's Guide
CHAPTER 1  Getting Started

1.1  About Your BM2022

The BM2022 allows you to access the Internet by connecting to a WiMAX wireless network. You can use a traditional analog telephone to make Internet calls using the BM2022's Voice over IP (VoIP) communication capabilities. Additionally, the web browser-based Graphical User Interface (GUI), also known as the web configurator, provides easy management of the device and its features.

See Chapter 14 on page 199 for a complete list of features for your model.

1.1.1  WiMAX Internet Access

Connect your computer or network to the BM2022 for WiMAX Internet access. See the Quick Start Guide for instructions on hardware connection.

In a wireless metropolitan area network (MAN), the BM2022 connects to a WiMAX base station (BS) for Internet access. The following diagram shows a notebook computer equipped with the BM2022 connecting to the Internet through a WiMAX base station (marked BS).

Figure 1   Mobile Station and Base Station

When the firewall is on, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. Use content filtering to block access to web sites with URLs containing keywords that you specify. You can define time periods and days during which content filtering is enabled and include or exclude particular computers on your network from content filtering. For example, you could block access to certain web sites for the kids.
1.1.2  Make Calls via Internet Telephony Service Provider

In a home or small office environment, you can use the BM2022 to make and receive the following type of VoIP telephone calls:

- Calls via a VoIP service provider - The BM2022 sends your call to a VoIP service provider's SIP server which forwards your calls to either VoIP or PSTN phones.

Figure 2   Calls via VoIP Service Provider

1.2  BM2022 Hardware

Follow the instructions in the Quick Start Guide to make hardware connections.
1.2.1  LEDs

The following figure shows the LEDs (lights) on the BM2022.

Figure 3   The BM2022's LEDs (callouts: Power LED, WiMAX Link, Signal Strength Indicators, Voice LED)

The following table describes your BM2022's LEDs (from top to bottom).

Table 2   The BM2022 LEDs behavior
LED | STATE | DESCRIPTION
Power | Off | The BM2022 is not receiving power.
Power | Red | The BM2022 is receiving power but has been unable to start up correctly or is not receiving enough power. See the Troubleshooting section for more information.
Power | Green | Solid: The BM2022 is receiving power and functioning correctly. Flashing: The device is self-testing (startup).
WiMAX Link | Off | The BM2022 is not connected to a wireless (WiMAX) network.
WiMAX Link | Green | The BM2022 is successfully connected to a wireless (WiMAX) network.
WiMAX Link | Green (Blinking Slowly) | The BM2022 is searching for a wireless (WiMAX) network.
WiMAX Link | Green (Blinking Quickly) | The BM2022 has found a wireless (WiMAX) network and is connecting.
Signal Strength Indicator | | The Strength Indicator LEDs display the Interference-plus-Noise Ratio (CINR) of the wireless (WiMAX) connection.
Signal Strength Indicator | No Signal LEDs On | The signal strength is less than -90dBm.
Signal Strength Indicator | Signal 1 On | The signal strength is between -89dBm and -80dBm.
Signal Strength Indicator | Signal 1 and 2 On | The signal strength is between -79dBm and -70dBm.
Signal Strength Indicator | Signal 1, 2 and 3 On | The signal strength is greater than or equal to -69dBm.
Table 2   The BM2022 LEDs behavior (continued)
LED | STATE | DESCRIPTION
Voice | Off | No SIP account is registered, or the BM2022 is not receiving power.
Voice | Green | A SIP account is registered.
Voice | Green (Blinking) | A SIP account is registered, and the phone attached to the VoIP port is in use (off the hook).
Voice | Yellow | A SIP account is registered and has a voice message on the SIP server.
Voice | Yellow (Blinking) | A SIP account is registered and has a voice message on the SIP server, and the phone attached to the VoIP port is in use (off the hook).

1.3  Good Habits for Managing the BM2022

Do the following things regularly to make the BM2022 more secure and to manage the BM2022 more effectively.

- Change the password. Use a password that's not easy to guess and that consists of different types of characters, such as numbers and letters.
- Write down the password and put it in a safe place.
- Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the BM2022 becomes unstable or even crashes. If you forget your password, you will have to reset the BM2022 to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the BM2022. You could simply restore your last configuration.
CHAPTER 2  Introducing the Web Configurator

2.1  Overview

The Web Configurator is an HTML-based management interface that allows easy device set up and management via any web browser that supports HTML 4.0, CSS 2.0, and JavaScript 1.5, or higher. The recommended screen resolution for using the web configurator is 1024 by 768 pixels and 16-bit color, or higher.

In order to use the Web Configurator you need to allow:

- Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in many operating systems and web browsers.
- JavaScript (enabled by default in most web browsers).
- Java permissions (enabled by default in most web browsers).

See Appendix C on page 233 for more information on configuring your web browser.

2.1.1  Accessing the Web Configurator

1. Make sure your BM2022 hardware is properly connected (refer to the Quick Start Guide for more information).
2. Launch your web browser.
3. Enter "192.168.1.1" as the URL.
4. A login screen displays. Enter the default Username (admin) and Password (1234), then click Login.

Figure 4   Login screen

Note: For security reasons, the BM2022 automatically logs you out if you do not use the Web Configurator for five minutes. If this happens, log in again.
2.1.2  The Reset Button

If you forget your password or cannot access the Web Configurator, you will need to use the Reset button to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to "1234".

2.1.2.1  Using The Reset Button

1. Make sure the Power light is on (not blinking).
2. To set the device back to the factory default settings, press the Reset button for five seconds or until all LED lights blink one time, then release it. The device restarts when the defaults have been restored.
3. Reconfigure the BM2022 following the steps in your Quick Start Guide.

2.1.3  Saving and Canceling Changes

All screens to which you can make configuration changes must be saved before those changes can go into effect. If you make a mistake while configuring the BM2022, you can cancel those changes and start over.

Figure 5   Saving and Canceling Changes

This screen contains the following fields:

Table 3   Saving and Canceling Changes
LABEL | DESCRIPTION
Save | Click this to save your changes.
Cancel | Click this to restore the settings on this page to their last saved values.

Note: If you make changes to a page but do not save before switching to another page or exiting the Web Configurator, those changes are discarded.
2.1.4  Working with Tables

Many screens in the BM2022 contain tables to provide information or additional configuration options.

Figure 6   Tables Example

This screen contains the following fields:

Table 4   Saving and Canceling Changes
LABEL | DESCRIPTION
Items per Page | This displays the number of items displayed per table page. Use the menu to change this value.
First Page | Click this to go to the first page in the table.
Previous Page | Click this to go to the previous page in the table.
Page Indicator / Jump to Page | This indicates which page is currently displayed in the table. Use the menu to jump to another page. You can only jump to other pages if those pages exist.
Next Page | Click this to go to the next page in the table.
Last Page | Click this to go to the last page in the table.
# | This indicates an item's position in the table. It has no bearing on that item's importance or lack thereof.
Total Num | This indicates the total number of items in the table, including items on pages that are not visible.

2.2  The Main Screen

When you first log into the Web Configurator, the Main screen appears. Here you can view a summary of your BM2022's connection status. This is also the default home page for the Web Configurator and it contains conveniently-placed shortcuts to all of the other screens.

Note: Some features in the Web Configurator may not be available depending on your firmware version and/or configuration.

Note: The available menus and screens vary depending on the user account you use for login.
Figure 7   Main Screen

The following table describes the icons in this screen.

Table 5   Main > Icons
ICON | DESCRIPTION
System Status | Click this to open the Main screen, which shows your BM2022 status and other information.
WiMAX | Click this to open the WiMAX menu, which gives you options for configuring your WiMAX settings.
Network Setting | Click this to open the Network menu, which gives you options for configuring your network settings.
Security | Click this to open the Security menu, which gives you options for configuring your firewall and security settings.
VoIP | Click this icon to open the VoIP menu, which gives you options on how to use the device to make phone calls.
Table 5   Main > Icons (continued)
ICON | DESCRIPTION
Maintenance | Click this to open the Maintenance menu, which gives you options for maintaining your BM2022 and performing basic network connectivity tests.
Language | Use this menu to select the Web Configurator's language.
Setup Wizard | Click this to open the Setup Wizard, where you can configure the most essential settings for your BM2022 to work.
Logout | Click this to log out of the Web Configurator.
CHAPTER 3  Setup Wizard

3.1  Overview

This chapter provides information on the Huawei Setup Wizard. The wizard guides you through several steps for configuring your network settings.

3.1.1  Welcome to the Setup Wizard

This screen provides a quick summary of the configuration tasks the wizard helps you to perform. They are:

1. Set up your Local Area Network (LAN) options, which determine how the devices in your home or office connect to the BM2022.
2. Set up your BM2022's broadcast frequency, which is the radio channel it uses to communicate with the ISP's base station.
3. Set up your BM2022's login options, which are used to connect your LAN to the ISP's network and verify your account.
4. Set up your BM2022's VoIP Settings, which will allow you to make calls over the Internet.

Figure 8   Setup Wizard > Welcome
3.1.2  LAN Settings

The LAN Settings screen allows you to configure your local network options.

Figure 9   Setup Wizard > LAN Settings

The following table describes the labels in this screen.

Table 6   Setup Wizard > LAN Settings
LABEL | DESCRIPTION
LAN TCP/IP |
IP Address | Enter the IP address of the BM2022 on the LAN. Note: This field is the IP address you use to access the BM2022 on the LAN. If the web configurator is running on a computer on the LAN, you lose access to it as soon as you change this field. You can access the web configurator again by typing the new IP address in the browser.
IP Subnet Mask | Enter the subnet mask of the LAN.
DHCP Server |
Enable | Select this if you want the BM2022 to be the DHCP server on the LAN. As a DHCP server, the BM2022 assigns IP addresses to DHCP clients on the LAN and provides the subnet mask and DNS server information.
Start IP | Enter the IP address from which the BM2022 begins allocating IP addresses.
End IP | Enter the IP address at which the BM2022 stops allocating IP addresses.
Lease Time | Enter the duration in minutes before the device requests a new IP address from the DHCP server.
DNS Server assigned by DHCP Server |
First DNS Server | Specify the first IP address of three DNS servers that the network can use. The BM2022 provides these IP addresses to DHCP clients.
Table 6   Setup Wizard > LAN Settings (continued)
LABEL | DESCRIPTION
Second DNS Server | Specify the second IP address of three DNS servers that the network can use. The BM2022 provides these IP addresses to DHCP clients.
Third DNS Server | Specify the third IP address of three DNS servers that the network can use. The BM2022 provides these IP addresses to DHCP clients.
Back | Click to display the previous screen.
Next | Click to proceed to the next screen.

3.1.3  WiMAX Frequency Settings

The WiMAX Frequency Settings screen allows you to configure the broadcast radio frequency used by the BM2022.

Note: These settings should be provided by your ISP.

Figure 10   Setup Wizard > WiMAX Frequency Settings
The following table describes the labels in this screen.

Table 7   Setup Wizard > WiMAX Frequency Settings
LABEL | DESCRIPTION
Setting Type | Select the WiMAX frequency setting type from the list. By Range - Select this to set up the frequency based on a range of MHz. By List - Select this to set up the frequency on an individual MHz basis. You can add multiple MHz values to the list.
Step | Enter the increments in MHz by which to increase the frequency range. Note: This field only appears when you select By Range under Setting Type.
Start Frequency | Enter the frequency value at the beginning of the frequency range to use. The frequency is increased in increments equal to the Step value until the End Frequency is reached, at which time the cycle starts over with the Start Frequency. Note: This field only appears when you select By Range under Setting Type.
End Frequency | Enter the frequency value at the end of the frequency range to use. Note: This field only appears when you select By Range under Setting Type.
Bandwidth | Set the frequency bandwidth in MHz that this BM2022 uses.
# | This is an index number for enumeration purposes only.
Frequency (MHz) | Displays the frequency MHz for the item in the list.
Total Num | Displays the total number of items in the list.
Delete | Click this to remove an item from the list.
Add | Click this to add an item to the list.
OK | Click this to save a newly added item to the list.
# | This is an index number for enumeration purposes only.
Band Start (KHz) | Indicates the beginning of the frequency band in KHz.
Band End (KHz) | Indicates the end of the frequency band in KHz.
Total Num | Displays the total number of items in the list.
Back | Click to display the previous screen.
Next | Click to proceed to the next screen.

3.1.4  WiMAX Authentication Settings

The WiMAX Authentication Settings screen allows you to configure how your BM2022 logs into the service provider's network.

Note: These settings should be provided by your ISP.

Note: The EAP supplicant settings on this screen vary depending on the authentication mode you select.
Figure 11   Setup Wizard > WiMAX Authentication Settings

The following table describes the labels in this screen.

Table 8   Setup Wizard > WiMAX Authentication Settings
LABEL | DESCRIPTION
Authentication |
Authentication Mode | Select a WiMAX authentication mode for authenticating network sessions with the ISP. Options are: No authentication, User authentication, Device authentication, User and Device authentication.
EAP Supplication |
EAP Mode | Select an EAP authentication mode. See Table 13 on page 74 if you need more information.
Table 8   Setup Wizard > WiMAX Authentication Settings (continued)
LABEL | DESCRIPTION
Anonymous Id | Enter your anonymous ID. Note: Some modes may not require this.
Ignore Cert Verification | Select this to ignore base station certification verification when a certificate is received during EAP-TLS or EAP-TTLS.
Server Root CA Cert. File | Browse for and choose a server root certificate file, if required.
Server Root CA Cert. Info | This field displays information about the assigned server root certificate.
Device Cert. File | Browse for and choose a device certificate file, if required. Before you import a certificate from the WebGUI, the certificate file must be signed by the chipset vendor for security reasons.
Device Cert. Info. | This field displays information about the assigned device certificate.
Device Private Key | Browse for and choose a device private key, if required.
Device Private Key Info | This field displays information about the assigned device private key.
Device Private Key Password | Enter the device private key, if required.
Inner Mode | Select an inner authentication mode (MS-CHAP, MS-CHAPV2, CHAP, MD5, PAP). See Table 13 on page 74 if you need more information.
Username | Enter your authentication username.
Password | Enter your authentication password.
Back | Click to display the previous screen.
Next | Click to proceed to the next screen.

3.1.5  VoIP Settings

The VoIP Settings screen allows you to configure how your BM2022 connects to the VoIP service provider's network and makes calls over the Internet.
Note: These settings should be provided by your VoIP service provider.

Figure 12   Setup Wizard > VoIP Settings

The following table describes the labels in this screen.

Table 9   Setup Wizard > VoIP Settings
LABEL | DESCRIPTION
Line 1 SIP Account | Configure this section to use the PHONE 1 port.
Enable | Select this to activate the SIP account.
SIP Server | Enter the IP address or domain name of the SIP server.
Port Number | Enter the SIP server's listening port number.
Subscriber Number | Enter your SIP number. In the full SIP URI, this is the part before the @ symbol.
Display Name | Enter the name that appears on the other party's device if they have Caller ID enabled.
Authentication Name | Type the SIP user name associated with this account for authentication to the SIP server.
Password | Type the SIP password associated with this account.
Back | Click to display the previous screen.
Next | Click to proceed to the next screen.
3.1.6  Setup Complete

Click Save to save the Setup Wizard settings and close it.

Figure 13   Setup Wizard > Setup Complete

Launch your web browser and navigate to www.huawei.com. If everything was configured properly, the web page should display. You can now surf the Internet!

Refer to the rest of this guide for more detailed information on the complete range of BM2022 features available in the more advanced web configurator.

Note: If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct.
CHAPTER 4  Tutorials

4.1  Overview

This chapter shows you how to configure some of the BM2022's features.

Note: Be sure to read Introducing the Web Configurator on page 21 before working through the tutorials presented here. For field descriptions for individual screens, see the related technical reference in this User's Guide.

This chapter includes the following configuration examples:

- WiMAX Connection Settings on page 35
- Configuring LAN DHCP on page 36
- Changing Certificate on page 38
- Blocking Web Access on page 39
- Configuring the MAC Address Filter, see page 39
- Setting Up NAT Port Forwarding, see page 41
- Access the BM2022 Using DDNS, see page 43
- Configuring Static Route for Routing to Another Network, see page 45
- Remotely Managing Your BM2022 on page 47
- VLAN Configuration Examples on page 48

4.2  WiMAX Connection Settings

This tutorial provides you with pointers for configuring the BM2022 to connect to an ISP.

1. Connect the BM2022 to the ISP's nearest base station. See Section 6.2 on page 68.
2. Configure the BM2022's broadcast frequency. See Section 6.3 on page 70.
3. Configure the BM2022 to connect securely to the ISP's authentication servers. See Section 6.4 on page 72.
4. Check the BM2022's connection status to ensure everything is working properly. See Section 6.11 on page 86.
4.3  Configuring LAN DHCP

This tutorial shows you how to set up a small network in your office or home.

Goal: Connect three computers to your BM2022 to form a small network.

Required: The following table provides a summary of the information you will need to complete the tasks in this tutorial.

INFORMATION | VALUE | SEE ALSO
LAN IP Address | 192.168.100.1 | Chapter 7 on page 98
Starting IP Address | 192.168.100.10 | Chapter 7 on page 99
Ending IP Address | 192.168.100.30 |
DNS Servers | From ISP |

1. In the Web Configurator, open the Network Setting > LAN screen and set the IP Address to 192.168.100.1. Use the default IP Subnet Mask of 255.255.255.0. Click Save.
2. Manually change the IP address of the computer that you are using to 192.168.100.x (for example, 192.168.100.5) and keep the subnet set to 255.255.255.0.
3. Type http://192.168.100.1 in your browser after the BM2022 finishes starting up completely.
4. Log into the Web Configurator and open the Network Setting > LAN > DHCP screen.
5. Select Server for the DHCP mode, then enter 192.168.100.10 and 192.168.100.30 as your DHCP starting and ending IP addresses.
6. Leave the other settings as their defaults and click Save.
7. Next, go to the Network Setting > WAN screen and select NAT in the Operation Mode field. Click Save.
8. Connect your computers to the BM2022's Ethernet ports and you're all set!

Note: You may need to configure the computers on your LAN to automatically obtain IP addresses. For information on how to do this, see Appendix B on page 209.

Once your network is configured and hooked up, you will want to connect it to the Internet next. To do this, just run the Internet Connection Wizard (Chapter 3 on page 27), which walks you through the process.
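As an added example (not part of the original manual), the following Python check validates the address plan used in this tutorial before it is typed into the LAN and DHCP screens. The function name and the two constructed bad plans are illustrative assumptions; the good plan uses the tutorial's own values.

```python
import ipaddress


def audit_dhcp_plan(lan_ip, netmask, pool_start, pool_end,
                    static_hosts=(), clients_needed=0):
    """Return a list of problems in a LAN/DHCP address plan (empty list = consistent)."""
    findings = []
    lan = ipaddress.ip_interface(f"{lan_ip}/{netmask}")
    net = lan.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    if start > end:
        # The remaining checks assume an ordered range.
        return [f"pool start {start} is above pool end {end}"]

    # Both ends of the pool must be usable host addresses on the LAN subnet.
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            findings.append(f"pool {label} {addr} is outside LAN subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            findings.append(f"pool {label} {addr} is the network or broadcast address")

    # The device's own LAN address must never be handed out as a lease.
    if start <= lan.ip <= end:
        findings.append(f"LAN IP {lan.ip} lies inside the DHCP pool")

    # Manually addressed hosts must be on the subnet and outside the pool.
    for host in static_hosts:
        addr = ipaddress.ip_address(host)
        if addr not in net:
            findings.append(f"static host {addr} is outside LAN subnet {net}")
        elif addr == lan.ip:
            findings.append(f"static host {addr} duplicates the LAN IP")
        elif start <= addr <= end:
            findings.append(f"static host {addr} collides with the DHCP pool")

    size = int(end) - int(start) + 1
    if size < clients_needed:
        findings.append(f"pool holds {size} addresses but {clients_needed} clients are planned")
    return findings


# Values from the tutorial: LAN 192.168.100.1 / 255.255.255.0, pool .10 to .30,
# the configuring computer fixed at 192.168.100.5, three computers to connect.
TUTORIAL_PLAN = dict(lan_ip="192.168.100.1", netmask="255.255.255.0",
                     pool_start="192.168.100.10", pool_end="192.168.100.30",
                     static_hosts=["192.168.100.5"], clients_needed=3)

# Constructed bad plan: the pool starts at the BM2022's own address.
OVERLAPPING_PLAN = dict(TUTORIAL_PLAN, pool_start="192.168.100.1")

# Constructed bad plan: the LAN IP was changed (step 1) but the pool still
# points at a different subnet (sample values, not a documented default).
STALE_POOL_PLAN = dict(TUTORIAL_PLAN, pool_start="192.168.1.10",
                       pool_end="192.168.1.30")

if __name__ == "__main__":
    for name, plan in (("tutorial", TUTORIAL_PLAN),
                       ("overlapping", OVERLAPPING_PLAN),
                       ("stale pool", STALE_POOL_PLAN)):
        problems = audit_dhcp_plan(**plan)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```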
4.4  Changing Certificate

This tutorial shows you how to import a new security certificate, which allows your device to communicate with another network's servers.

Goal: Import a new security certificate into the BM2022.

See Also: Appendix E on page 253.

1. Go to the WiMAX > Profile > Authentication Settings screen. In the EAP Supplicant section, click each Browse button and locate the security certificates that were provided by your new ISP.
2. Configure your new Internet access settings based on the information provided by the ISP.
   Note: You can also use the Internet Connection Wizard to configure the Internet access settings.
3. You may need to configure the Options section according to the information provided by the ISP.
4. Click Save. You should now be able to connect to the Internet through your new service provider!
4.5  Blocking Web Access

If your BM2022 is in a home or office environment, you may decide that you want to block access to an Internet website. You may need to block both the website's IP address and domain name.

Goal: Configure the BM2022's content filter to block a website with the domain name www.example.com.

See Also: Section 7.20 on page 119.

1. Open the Network Setting > Content Filter screen.
2. Select Enable URL Filter.
3. Select Blacklist.
4. Click Add and configure a URL filter rule by selecting Active and entering www.example.com as the URL.
5. Click OK.
6. Click Save.

Open a browser on a computer in the BM2022's LAN. You should get an "Access Violation" message when you try to access http://www.example.com. You may also need to block the IP address of the website if you do not want users to access the website through its IP address.

4.6  Configuring the MAC Address Filter

This tutorial shows you how to use the MAC filter to block a DHCP client's access to hosts and to the WiMAX network.
1. First of all, you have to know the MAC address of the computer. If not, you can look for the MAC address in the Network Setting > LAN > DHCP screen. (192.168.100.3 mapping to 00:02:E3:53:16:95 in this example).
2. Click Security > Firewall > MAC Filter. Select Blacklist and click the Add button in the MAC Filter Rules table.
3. An empty entry appears. Enter the computer's MAC address in the Source MAC field and leave the other fields set to their defaults. Click Save.

The computer will no longer be able to access any host on the WiMAX network through the BM2022.

4.7  Setting Up NAT Port Forwarding

Thomas recently received an Xbox 360 as his birthday gift. His friends invited him to play online games with them on Xbox LIVE. In order to communicate and play with other gamers on Xbox LIVE, Thomas needs to configure the port settings on his BM2022.

Xbox 360 requires the following ports to be available in order to operate Xbox LIVE correctly:

TCP: 53, 80, 3074
UDP: 53, 88, 3074

1. You have to know the Xbox 360's IP address first. You can check it through the Xbox 360 console. You may be able to check the IP address on the BM2022 if the BM2022 has assigned a DHCP IP address to the Xbox 360. Check the DHCP Leased Hosts table in the Network > LAN > DHCP screen. Look for the IP address for the Xbox 360.
2. NAT mode is required to use port forwarding. Click Network Setting > WAN and make sure NAT is selected in the Operation Mode field. Click Save.
3. Click Network Setting > NAT > Port Forwarding and then click the first entry to edit the rule.
4. Configure the screen as follows to open TCP/UDP port 53 for the Xbox 360. Click OK.
5. Repeat steps 2 and 3 to open the rest of the ports for the Xbox 360. The port forwarding settings you configured are listed in the Port Forwarding screen.
6. Click Save.

Thomas can then connect his Xbox 360 to the Internet and play online games with his friends.

In this tutorial, all port 80 traffic is forwarded to the Xbox 360, but port 80 is also the default listening port for remote management via WWW. If Thomas also wants to manage the BM2022 from the Internet, he has to assign an unused port to WWW remote access.

Click Maintenance > Remote MGMT. Enter an unused port in the Port field (81 in this example). Click Save.

4.8  Access the BM2022 Using DDNS

If you connect your BM2022 to the Internet and it uses a dynamic WAN IP address, it is inconvenient for you to manage the device from the Internet. The BM2022's WAN IP address changes dynamically. Dynamic DNS (DDNS) allows you to access the BM2022 using a domain name.

[Figure: computer A (IP address a.b.c.d) on the Internet reaches the BM2022 (WAN IP address w.x.y.z) at http://mywimax.dyndns.org]

To use this feature, you have to apply for DDNS service at www.dyndns.org.

This tutorial covers:

- Registering a DDNS Account on www.dyndns.org
- Configuring DDNS on Your BM2022
- Testing the DDNS Setting

Note: If you have a private WAN IP address (see Private IP Addresses on page 250), then you cannot use DDNS.

4.8.1  Registering a DDNS Account on www.dyndns.org

1. Open a browser and type http://www.dyndns.org.
2. Apply for a user account. This tutorial uses UserName1 and 12345 as the username and password.
3. Log into www.dyndns.org using your account.
4. Add a new DDNS host name. This tutorial uses the following settings as an example.
   - Hostname: mywimax.dyndns.org
   - Service Type: Host with IP address
   - IP Address: Enter the WAN IP address that your BM2022 is currently using. You can find the IP address on the BM2022's Web Configurator Status page.

Then you will need to configure the same account and host name on the BM2022 later.

4.8.2  Configuring DDNS on Your BM2022

Configure the following settings in the Network Setting > DDNS screen.
1. Select Enable Dynamic DNS.
2. Select dyndns.org for the service provider.
3. Select Dynamic for the service type.
4. Type mywimax.dyndns.org in the Domain Name field.
5. Enter the user name (UserName1) and password (12345).
6. Select WAN IP for the IP update policy.
7. Click Save.

4.8.3  Testing the DDNS Setting

Now you should be able to access the BM2022 from the Internet. To test this:

1. Open a web browser on the computer (using the IP address a.b.c.d) that is connected to the Internet.
2. Type http://mywimax.dyndns.org and press [Enter].
3. The BM2022's login page should appear. You can then log into the BM2022 and manage it.

4.9  Configuring Static Route for Routing to Another Network

In order to extend your Intranet and control traffic flowing directions, you may connect a router to the BM2022's LAN. The router may be used to separate two department networks. This tutorial shows how to configure a static routing rule for two network routings.

In the following figure, router R is connected to the BM2022's LAN. R connects to two networks, N1 (192.168.1.x/24) and N2 (192.168.10.x/24). If you want to send traffic from computer A (in N1 network) to computer B (in N2 network), the traffic is sent to the BM2022's WAN default gateway by default. In this case, computer B will never receive the traffic.

[Figure: computer A in N1, router R between N1 and N2, computer B in N2]

You need to specify a static routing rule on the BM2022 to specify R as the router in charge of forwarding traffic to N2. In this case, the BM2022 routes traffic from computer A to R and then R routes the traffic to computer B.

[Figure: traffic from A is routed by the BM2022 to R, which forwards it to B in N2]

This tutorial uses the following example IP settings:

DEVICE / COMPUTER | IP ADDRESS
The BM2022's WAN | 172.16.1.1
The BM2022's LAN | 192.168.1.1
A | 192.168.1.34
R's IP address on N1 | 192.168.1.253
R's IP address on N2 | 192.168.10.2
B | 192.168.10.33
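The routing decision described above, worked through as an added example (not part of the original manual and not the BM2022's own code): a longest-prefix-match lookup over the tutorial's addresses, before and after a static route to N2 via R is added. The WAN default gateway 172.16.1.254 and the interface names "LAN" and "WAN" are assumptions for illustration; the manual gives only the BM2022's own WAN address.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None = directly connected
    iface: str


def lookup(table, dst):
    """Longest-prefix match: return the most specific route containing dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def add_static_route(table, dest, mask, next_hop):
    """Return a new table with a static route added.

    Raises ValueError if dest/mask is not a network address or if the next
    hop is not on a directly connected network (the router could not reach it).
    """
    prefix = ipaddress.ip_network(f"{dest}/{mask}")  # strict: host bits must be 0
    hop = ipaddress.ip_address(next_hop)
    for route in table:
        if route.next_hop is None and hop in route.prefix:
            return table + [Route(prefix, hop, route.iface)]
    raise ValueError(f"next hop {hop} is not on a directly connected network")


# Table before the tutorial's change: the connected LAN (N1) and a default
# route out of the WAN. The gateway address is a constructed sample value.
BASE_TABLE = [
    Route(ipaddress.ip_network("192.168.1.0/24"), None, "LAN"),
    Route(ipaddress.ip_network("0.0.0.0/0"),
          ipaddress.ip_address("172.16.1.254"), "WAN"),
]


def describe(table, dst):
    """One-line summary of where a packet for dst is sent."""
    route = lookup(table, dst)
    if route is None:
        return f"{dst}: no route"
    via = "directly connected" if route.next_hop is None else f"via {route.next_hop}"
    return f"{dst}: {route.prefix} {via} on {route.iface}"


if __name__ == "__main__":
    b = "192.168.10.33"  # computer B in N2
    # Without the static route, only the default route matches B, so traffic
    # for the private N2 network is handed to the WAN gateway.
    print("before:", describe(BASE_TABLE, b))

    # The rule from the tutorial: destination N2, next hop R's address on N1.
    table = add_static_route(BASE_TABLE, "192.168.10.0", "255.255.255.0",
                             "192.168.1.253")
    print("after: ", describe(table, b))

    # Entering R's N2-side address as the next hop is rejected: 192.168.10.2
    # is not on any network the BM2022 is directly attached to.
    try:
        add_static_route(BASE_TABLE, "192.168.10.0", "255.255.255.0",
                         "192.168.10.2")
    except ValueError as err:
        print("rejected:", err)
```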
To configure a static route to route traffic from N1 to N2:

1. Click Network Setting > Route > Static Route.
2. Click Add to create a new route.
3. Configure the Edit Static Route screen using the following settings:
   3a. Enter 192.168.10.0 and subnet mask 255.255.255.0 for the destination, N2.
   3b. Enter 192.168.1.253 (R's IP address on N1) in the IP Address field under Next Hop.
   3c. Click Save.

Now computer B should be able to receive traffic from computer A. You may need to additionally configure R's firewall settings to allow specific traffic to pass through.

4.10  Remotely Managing Your BM2022

The remote management feature allows you to log into the device through the Internet.

Goal: Set up the BM2022 to allow management requests from the WAN (Internet).

See Also: Section 12.3 on page 177.
1. Open the Maintenance > Remote MGMT > HTTP screen.
2. Select Enable in both HTTP Server and HTTPS Server sections and leave the Port Number settings as "80" and "443".
3. Select Allow Connection from WAN. This allows remote management connections not only from the local network but also the WAN network (Internet).
4. Click Save.

4.11  VLAN Configuration Examples

This section shows VLAN configuration scenarios.

See Section 7.17 on page 115 if you need more information about VLAN.

Before enabling VLANs you will need to change the BM2022 to bridge mode.
Click Network Setting > WAN. Change the BM2022 to bridge mode and then click Save. If you cannot obtain IP address settings from a WAN DHCP server, select User as the Get IP Method and enter the WAN IP Address, WAN IP Subnet Mask and Gateway IP Address.

4.11.1  Scenario 1

In this scenario, PC A is connected directly to interface LAN1 on the BM2022. PC B is connected to interface WiMAX and interface IAD for managing the BM2022.

[Figure: Scenario 1. PC A on the user network and PC B on the network operator's side, no VLAN tags on any link. Manager IP: No VLAN Tag. LAN: Transparent.]
1. Configure the Link Type, PVID and Tag/Untag settings for the interfaces as below by clicking each row. Then press OK.
2. Next, configure the Name, VID and Ports for the Filter Setting. The BM2022 will tag packets it receives on each interface so that they are recognized in VLAN 5. Tagged packets will be untagged when they are forwarded out of each interface since the devices attached to these interfaces do not support VLAN tagged packets.

4.11.2  Scenario 2

In this scenario, PC A and PC C are on VLAN 5, while PC B and PC D are on VLAN 10. PC A and PC B are connected to interface LAN1 through VLAN supporting switch S1. PC C is connected to interface WiMAX and interface IAD for managing the BM2022, through VLAN supporting switch S2. PC D is connected to interface WiMAX through VLAN supporting switch S2.
[Figure: Scenario 2 topology with PCs A, B, C and D, switches S1 and S2, the CPE (LAN and Manager IP), the user network, a router and the network operators. Link labels: VLAN Tag ID = 5, VLAN Tag ID = 10 and No VLAN Tag. Manager IP: Enable VLAN. LAN: Transparent.]

Note: Manager IP VLAN ID is the same as one of the LAN transparent VLAN IDs.

Note: You will need to configure the VLAN supporting switches to tag the received packets with the appropriate VLAN IDs. For example, packets received on switch S1 from PC A on the LAN would be tagged to VLAN 5.

1. Configure the Link Type, PVID and Tag/Untag settings for the interfaces as below by clicking each row. Then press OK.
2. Next, configure the Name, VID and Ports for the Filter Setting.

Interfaces LAN1 and WiMAX are Trunk links, so the BM2022 will recognize VLAN 5 and VLAN 10 tagged packets it receives on these interfaces from the VLAN supporting switches. VLAN tagged packets will also be forwarded out of these interfaces. Interface IAD is configured as an Access port, so tagged packets will be untagged when they are forwarded.

4.11.3  Scenario 3

In this scenario, PC A and PC C are on VLAN 5, PC B and PC D are on VLAN 10, and PC E is on VLAN 3. PC A and PC B are connected to interface LAN1 through VLAN supporting switch S1. PC C and PC D are connected to interface WiMAX through VLAN supporting switch S2. PC E is connected to interface IAD through VLAN supporting switch S2 for managing the BM2022.

Note: You will need to configure the VLAN supporting switches to tag the received packets with the appropriate VLAN IDs. For example, packets received on switch S1 from PC A on the LAN would be tagged to VLAN 5.
[Figure: Scenario 3 topology with PCs A, B, C, D and E, switches S1 and S2, the CPE (LAN and Manager IP), the user network, a router and the network operators. Link labels: VLAN Tag ID = 5, VLAN Tag ID = 10, VLAN Tag ID = 3 and No VLAN Tag. Manager IP: Enable VLAN. LAN: Transparent.]

Note: Manager IP VLAN ID is different from the LAN transparent VLAN ID.

1. Configure the Link Type, PVID and Tag/Untag settings for the interfaces as below by clicking each row. Then press OK.
2. Next, configure the Name, VID and Ports for the Filter Setting.

Interfaces LAN1 and WiMAX are Trunk links, so the BM2022 will recognize VLAN 5 and VLAN 10 tagged packets it receives on these interfaces from the VLAN supporting switches. VLAN tagged packets will also be forwarded out of these interfaces. Interface IAD is configured as an Access port, so tagged packets will be untagged when they are forwarded.

4.11.4  Scenario 4

In this scenario, PC A is connected directly to interface LAN1 on the BM2022, while PC B is on VLAN 5. PC B is connected to interface WiMAX and interface IAD for managing the BM2022, through VLAN supporting switch S1.

Note: You will need to configure the VLAN supporting switches to tag the received packets with the appropriate VLAN IDs. For example, packets received on switch S1 from PC B on the LAN would be tagged to VLAN 5.
[Figure: Scenario 4 topology with PC A, PC B, switch S1, the CPE (LAN and Manager IP), the user network and the network operators. Link labels: VLAN Tag ID = 5 and No VLAN Tag. Manager IP: Enable VLAN. LAN: Transparent.]

Note: Manager IP VLAN ID is the same as the LAN transparent VLAN ID.

1. Configure the Link Type, PVID and Tag/Untag settings for the interfaces as below by clicking each row. Then press OK.
2. Next, configure the Name, VID and Ports for the Filter Setting.

Interfaces LAN1 and WiMAX are Trunk links. On the WiMAX interface, the BM2022 will recognize VLAN 5 tagged packets it receives from the VLAN supporting switch. VLAN tagged packets will also be forwarded out of this interface. On the LAN1 interface, the BM2022 will tag packets it receives so that they are recognized in VLAN 5. On LAN1, tagged packets will be untagged when they are forwarded out since PC A does not support VLAN tagged packets. Interface IAD is configured as an Access port, so tagged packets will be untagged when they are forwarded.

4.11.5  Scenario 5

In this scenario, PC A is directly connected to interface LAN1 on the BM2022. PC B is on VLAN 5 while PC C is on VLAN 10. PC B is connected to interface WiMAX and interface IAD for managing the BM2022, through VLAN supporting switch S1. PC C is connected to interface WiMAX through VLAN supporting switch S1.

Note: You will need to configure the VLAN supporting switches to tag the received packets with the appropriate VLAN IDs. For example, packets received on switch S1 from PC C on the LAN would be tagged to VLAN 10.
[Figure: Scenario 5 topology with PCs A, B and C, switch S1, the CPE (LAN and Manager IP), the user network and the network operators. Link labels: VLAN Tag ID = 5, VLAN Tag ID = 10 and No VLAN Tag. Manager IP: Enable VLAN. LAN: Transparent.]

Note: Manager IP VLAN ID is different from the LAN transparent VLAN ID.

1. Configure the Link Type, PVID and Tag/Untag settings for the interfaces as below by clicking each row. Then press OK.
2. Next, configure the Name, VID and Ports for the Filter Setting.

Interfaces LAN1 and WiMAX are Trunk links. On the WiMAX interface the BM2022 will recognize VLAN 5 and VLAN 10 tagged packets it receives from the VLAN supporting switch. VLAN tagged packets will also be forwarded out of these interfaces. On the LAN1 interface, the BM2022 will tag packets it receives so that they are recognized in VLAN 10. On LAN1, tagged packets will be untagged when they are forwarded out, since PC A does not support VLAN tagged packets. Interface IAD is configured as an Access port, so tagged packets will be untagged when they are forwarded.
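The difference between Scenario 4 (Manager IP VLAN ID the same as the LAN VLAN ID) and Scenario 5 (different IDs) decides whether a host on LAN1 shares a VLAN with the management interface. The following Python model of 802.1Q forwarding is an added example, not taken from the manual or the BM2022 firmware. The port tables are assumptions reconstructed from the scenario text; the IAD PVID, the WiMAX PVID of 1 and the rule that an Access port drops tagged ingress frames are modelling choices.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    link_type: str  # "Access" or "Trunk", as in the Link Type setting
    pvid: int       # VLAN ID given to untagged frames received on this port
    # Filter Setting membership: VID -> True to send tagged, False to untag
    egress: dict = field(default_factory=dict)


def forward(ports, ingress, tag=None):
    """Flood one frame within its VLAN.

    Returns {egress port name: VLAN tag on the wire, or None if untagged}.
    An empty dict means the frame was dropped.
    """
    src = ports[ingress]
    if tag is not None and src.link_type == "Access":
        return {}  # modelling assumption: Access ports accept untagged frames only
    vid = src.pvid if tag is None else tag
    if vid not in src.egress:
        return {}  # ingress port is not a member of this VLAN
    return {
        p.name: (vid if p.egress[vid] else None)
        for p in ports.values()
        if p.name != ingress and vid in p.egress
    }


def table(*ports):
    return {p.name: p for p in ports}


# Assumed settings for Scenario 4: management VLAN 5 is also the LAN VLAN.
SCENARIO_4 = table(
    Port("LAN1", "Trunk", 5, {5: False}),
    Port("WiMAX", "Trunk", 1, {5: True}),   # PVID 1 is assumed and not in the filter
    Port("IAD", "Access", 5, {5: False}),
)

# Assumed settings for Scenario 5: management VLAN 5, LAN VLAN 10.
SCENARIO_5 = table(
    Port("LAN1", "Trunk", 10, {10: False}),
    Port("WiMAX", "Trunk", 1, {5: True, 10: True}),
    Port("IAD", "Access", 5, {5: False}),
)


def lan_reaches_management(ports):
    """True if an untagged frame from a LAN1 host is delivered to interface IAD."""
    return "IAD" in forward(ports, "LAN1")


if __name__ == "__main__":
    for label, cfg in (("Scenario 4", SCENARIO_4), ("Scenario 5", SCENARIO_5)):
        print(label, "LAN1 untagged ->", forward(cfg, "LAN1"),
              "| LAN1 host reaches IAD:", lan_reaches_management(cfg))
```

In this model the Scenario 4 table delivers LAN1 traffic to interface IAD, while the Scenario 5 table keeps the two apart.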
PART II

Technical Reference
CHAPTER 5
System Status

5.1  Overview

Use this screen to view a summary of your BM2022 connection status.

5.2  System Status

This screen allows you to view the current status of the device, system resources, and interfaces (LAN and WAN).

Click System Status to open this screen as shown next.

Figure 14   System Status
The following tables describe the labels in this screen.

Table 10   Status
LABEL | DESCRIPTION

System Information
System Model Name | This field displays the BM2022 system model name. It is used for identification.
Software Version | This field displays the Web Configurator version number.
CROM Version | This field displays the CROM version number.
Firmware Version | This field displays the current version of the firmware inside the device.
Firmware Date | This field shows the date the firmware version was created.
System Time | This field displays the current system time.
Uptime | This field displays how long the BM2022 has been running since it last started up.

System Resources
Memory | This field displays what percentage of the BM2022's memory is currently used. The higher the memory usage, the more likely the BM2022 is to slow down. Some memory is required just to start the BM2022 and to run the web configurator. You can reduce the memory usage by disabling some services; by reducing the amount of memory allocated to NAT and firewall rules (you may have to reduce the number of NAT rules or firewall rules to do so); or by deleting rules in functions such as incoming call policies, speed dial entries, and static routes.
CPU | This field displays what percentage of the BM2022's CPU is currently used. The higher the CPU usage, the more likely the BM2022 is to slow down.

WiMAX
Device Status | This field displays the BM2022's current status for connecting to the selected base station.
    Scanning - The BM2022 is scanning for available base stations.
    Ready - The BM2022 has finished scanning and you can connect to a base station.
    Connecting - The BM2022 attempts to connect to the selected base station.
    Connected - The BM2022 has successfully connected to the selected base station.
Connection Status | This field displays the status of the WiMAX connection between the BM2022 and the base station.
    Network Search - The BM2022 is scanning for any available WiMAX connections.
    Disconnected - No WiMAX connection is available.
    Network Entry - A WiMAX connection is initializing.
    Normal - The WiMAX connection has been successfully established.
BSID | This field displays the MAC address of the base station to which the device is connected.
Frequency | This field indicates the frequency the BM2022 is using.
Signal Strength | This field indicates the strength of the connection that the BM2022 has with the base station.
Link Quality | This field indicates the relative quality of the link the BM2022 has with the base station.

WAN
Status | This field indicates the status of the WAN connection to the BM2022.
MAC Address | This field indicates the MAC address of the port making the WAN connection on the BM2022.
IP Address | This field indicates the current IP address of the BM2022 in the WAN.
Subnet Mask | This field indicates the current subnet mask on the WAN.
Gateway | This field indicates the IP address of the gateway to which the BM2022 is connected.
MTU | This field indicates the Maximum Transmission Unit (MTU) between the BM2022 and the ISP servers to which it is connected.
DNS | This field indicates the Domain Name Server (DNS) to which your BM2022 is connected.

LAN
MAC Address | This field indicates the MAC address of the port making the LAN connection on the BM2022.
IP Address | This field displays the current IP address of the BM2022 in the LAN.
Subnet Mask | This field displays the current subnet mask in the LAN.
MTU | This field indicates the Maximum Transmission Unit (MTU) between the BM2022 and the client devices to which it is connected.

VOIP Phone
Account1 Subscriber | This field displays the SIP number for the SIP account.
Registered Status | This field displays whether the SIP account is already registered with a SIP server (Up or Disabled).
Phone1 Status | This field displays whether the phone line (mapping to the VoIP port) is in use or not (idle).
CHAPTER 6
WiMAX

6.1  Overview

This chapter shows you how to set up and manage the connection between the BM2022 and your ISP's base stations.

6.1.1  What You Need to Know

The following terms and concepts may help as you read through this chapter.

WiMAX

WiMAX (Worldwide Interoperability for Microwave Access) is the IEEE 802.16 wireless networking standard, which provides high-bandwidth, wide-range wireless service across wireless Metropolitan Area Networks (MANs). Huawei is a member of the WiMAX Forum, the industry group dedicated to promoting and certifying interoperability of wireless broadband products.

In a wireless MAN, a wireless-equipped computer is known either as a mobile station (MS) or a subscriber station (SS). Mobile stations use the IEEE 802.16e standard and are able to maintain connectivity while switching their connection from one base station to another base station (handover) while subscriber stations use other standards that do not have this capability (IEEE 802.16-2004, for example). The following figure shows an MS-equipped notebook computer MS1 moving from base station BS1's coverage area and connecting to BS2.

Figure 15   WiMax: Mobile Station
WiMAX technology uses radio signals (around 2 to 10 GHz) to connect subscriber stations and mobile stations to local base stations. Numerous subscriber stations and mobile stations connect to the network through a single base station (BS), as in the following figure.

Figure 16   WiMAX: Multiple Mobile Stations

A base station's coverage area can extend over many hundreds of meters, even under poor conditions. A base station provides network access to subscriber stations and mobile stations, and communicates with other base stations.

The radio frequency and bandwidth of the link between the BM2022 and the base station are controlled by the base station. The BM2022 follows the base station's configuration.

Authentication

When authenticating a user, the base station uses a third-party RADIUS or Diameter server known as an AAA (Authentication, Authorization and Accounting) server to authenticate the mobile or subscriber stations.

The following figure shows a base station using an AAA server to authenticate mobile station MS, allowing it to access the Internet.

Figure 17   Using an AAA Server

In this figure, the dashed arrow shows the PKM (Privacy Key Management) secured connection between the mobile station and the base station, and the solid arrow shows the EAP secured connection between the mobile station, the base station and the AAA server. See the WiMAX security appendix for more details.
Frequency Ranges

The following figure shows the BM2022 searching a range of frequencies to find a connection to a base station.

Figure 18   Frequency Ranges

In this figure, A is the WiMAX frequency range. WiMAX frequency range refers to the entire range of frequencies the BM2022 is capable of using to transmit and receive (see the Product Specifications appendix for details).

In the figure, B shows the operator frequency range. This is the range of frequencies within the WiMAX frequency range supported by your operator (service provider).

The operator range is subdivided into bandwidth steps. In the figure, each C is a bandwidth step.

The arrow D shows the BM2022 searching for a connection.

Have the BM2022 search only certain frequencies by configuring the downlink frequencies. Your operator can give you information on the supported frequencies. The downlink frequencies are points of the frequency range your BM2022 searches for an available connection. Use the Site Survey screen to set these bands. You can set the downlink frequencies anywhere within the WiMAX frequency range. In this example, the downlink frequencies have been set to search all of the operator range for a connection.

Certification Authority

A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the BM2022 to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.

Certificate File Formats

The certification authority certificate that you want to import has to be in one of these file formats:

- Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
- PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
- Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The BM2022 currently allows the importation of a PKCS#7 file that contains a single certificate.
- PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.

CINR

Carrier to Interference-plus-Noise Ratio (CINR) measures the effectiveness of a wireless signal and plays an important role in allowing the BM2022 to decode signal bursts. If a burst has a high signal strength and a high interference-plus-noise ratio, it can use Digital Signal Processing (DSP) to decode it; if the signal strength is lower, it can switch to an alternate burst profile.

RSSI

Received Signal Strength Indicator (RSSI) measures the relative strength of a given wireless signal. This is important in determining if a signal is below the Clear-To-Send (CTS) threshold. If it is below the arbitrarily specified threshold, then the BM2022 is free to transmit any data packets.

EAP Authentication

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication.

The BM2022 supports EAP-TLS and EAP-TTLS (at the time of writing, TTLS is not available in Windows Vista). For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). Certificates (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.

6.2  Connection Settings

This screen allows you to configure how the BM2022 connects to the base stations on the WiMAX network.
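Before importing a CA or device certificate, it helps to confirm which of the four formats listed under Certificate File Formats a file really uses, and whether a PKCS#7 file holds exactly one certificate. The following Python classifier is an added example, not code from the manual or the BM2022; it inspects only the outer DER structure, and the sample inputs are constructed skeletons rather than real certificates.

```python
import base64
import re

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F  # n == 0 would be a BER indefinite length, not DER
        if not 1 <= n <= 4 or pos + 2 + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("element runs past end of data")
    return tag, start, start + length


def children(buf, start, end):
    """Return the (tag, value_start, value_end) of each element in a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, s, e = read_tlv(buf, pos)
        out.append((tag, s, e))
        pos = e
    return out


def classify(data):
    """Return (format name as used in the manual, number of certificates)."""
    m = PEM_RE.search(data)
    if m:
        prefix, der = "PEM (Base-64) encoded", base64.b64decode(m.group(2))
    else:
        prefix, der = "Binary", data
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    kids = children(der, start, end)
    tags = [k[0] for k in kids]
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature BIT STRING }
    if tags == [0x30, 0x30, 0x03]:
        return f"{prefix} X.509", 1
    # ContentInfo ::= SEQUENCE { contentType OID, [0] EXPLICIT SignedData }
    if tags[:2] == [0x06, 0xA0] and der[kids[0][1]:kids[0][2]] == OID_SIGNED_DATA:
        inner_tag, s, e = read_tlv(der, kids[1][1])
        if inner_tag != 0x30:
            raise ValueError("malformed SignedData")
        certs = [f for f in children(der, s, e) if f[0] == 0xA0]  # certificates [0]
        count = len(children(der, certs[0][1], certs[0][2])) if certs else 0
        return f"{prefix} PKCS#7", count
    raise ValueError("neither an X.509 certificate nor PKCS#7 signedData")


def importable(data):
    """True if the file is one of the four formats and carries a single certificate."""
    try:
        return classify(data)[1] == 1
    except ValueError:
        return False


# --- constructed sample inputs (structural skeletons, not real certificates) ---
def tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload


def to_pem(der, label):
    head, tail = b"-----BEGIN " + label.encode(), b"-----END " + label.encode()
    return head + b"-----\n" + base64.encodebytes(der) + tail + b"-----\n"


SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0x04, bytes(200))) + tlv(0x30, b"") + tlv(0x03, b"\x00"))


def sample_p7(n):
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, OID_DATA))
                 + tlv(0xA0, SAMPLE_CERT * n) + tlv(0x31, b""))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))


if __name__ == "__main__":
    for blob in (SAMPLE_CERT, to_pem(SAMPLE_CERT, "CERTIFICATE"), sample_p7(1),
                 to_pem(sample_p7(2), "PKCS7")):
        print(classify(blob), "importable:", importable(blob))
```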
Click WiMAX > Profile > Connection Settings to open this screen as shown next.

Figure 19   Connection Settings Screen

This screen contains the following fields:

Table 11   Connection Settings
LABEL | DESCRIPTION

Connection Option Settings
Auto Reconnect | Select the interval in seconds that the BM2022 waits after getting disconnected from the base station before attempting to reconnect.
Auto Connect Mode | Select the auto connect mode.
    By channel power - Auto connects to the base station if the signal strength of the channel is sufficient for the BM2022.
    By CINR - Auto connects to the base station if the signal-to-noise ratio is sufficient for the BM2022.
Enable Handover | Select this to maintain connectivity while the BM2022 switches its connection from one base station to another base station.
Enable MS Initiated Idle Mode | Select this to have the BM2022 enter the idle mode after it has no traffic passing through for a pre-defined period. Make sure your base station also supports this before selecting this.
Idle Mode Interval | Set the idle duration in minutes. This is how long the BM2022 waits during periods of no activity before going into idle mode.
CINR & RSSI Refresh Interval | Set the refresh interval in milliseconds for calculating the signal-to-noise measurement (CINR) and signal strength measurement (RSSI) of the BM2022.
LDRP (Low Data Rate Protection) | Enter the Low Data Rate Protection (LDRP) time in milliseconds. If the uplink/downlink data rate is smaller than the LDRP time, the BM2022 sends a disconnect request to the base station.
LDRP TX Rate | Enter the outgoing data rates for LDRP in bytes per second.
LDRP RX Rate | Enter the incoming data rates for LDRP in bytes per second.

Connection Type Settings
Table 11   Connection Settings (continued)
LABEL | DESCRIPTION

Mode Select | Select how the BM2022 connects to the base station.
    Auto Connect Mode - The device connects automatically to the first base station in range.
    Network Search Mode - The device scans for available base stations then connects to the best one it can.
BSID | This displays the MAC address of a base station within range of the BM2022.
Preamble ID | The preamble ID is the index identifier in the header of the base station's broadcast messages. In the beginning of a mobile station's network entry process, it searches for the preamble and uses it to obtain additional channel information. The preamble ID is used to synchronize the upstream and downstream transmission timing with the base station.
Frequency (MHz) | This field displays the radio frequency of the BM2022's connection to the base station.
Bandwidth (MHz) | This field displays the bandwidth of the base station in megahertz (MHz).
RSSI (dBm) | This field displays the Received Signal Strength Indication (RSSI), which is an overall measurement of radio signal strength. A higher RSSI level indicates a stronger signal.
CINR (dB) R3/R1 | This field displays the average Carrier to Interference plus Noise Ratio for the current connection. This value is an indication of overall radio signal quality, where a higher value means a better quality signal.
Search | Click this to have the BM2022 scan for base stations.

6.3  Frequency Settings

Use this screen to have the WiMAX Device scan one or more specific radio frequencies (given by your WiMAX service provider) to find available connections to base stations.
Click WiMAX > Profile > Frequency Settings to open this screen as shown next.

Figure 20   Frequency Settings Screen (By List)

Figure 21   Frequency Settings Screen (By Range)

This screen contains the following fields:

Table 12   Frequency Settings
LABEL | DESCRIPTION

Setting Type | Select whether to scan base stations by entering specific frequency(-ies) (By List) or a range of frequencies (By Range).
    Note: When you select By Range, you can only configure one range of frequencies in this screen. To configure multiple frequency ranges, use the WiMAX > Wide Scan screen.
    Note: Some settings in this screen are only available depending on the Setting Type selected.
Join Wide Scan Result | The scanning result of the frequency to scan you configured in this screen will be shown in the WiMAX > Connect screen. Select this option to determine whether to also append the wide scanning result (configured in the WiMAX > Wide Scan screen) to the same table.
Default Bandwidth | Select the default bandwidth (size) per frequency band you specify in table A.

A (When By List is selected in the Setting Type field)
Frequency (KHz) | This displays the center frequency of a frequency band in kilohertz (KHz). Click the number to modify it. Enter the center frequency in this field when you are adding an entry.
Bandwidth (MHz) | This displays the bandwidth of the frequency band in megahertz (MHz). If you set a center frequency to 2600000 KHz with the bandwidth of 10 MHz, then the frequency band is from 2595000 to 2605000 KHz. Click the number to modify it. Enter the bandwidth of the frequency band in this field when you are adding an entry.
Table 12   Frequency Settings (continued)
LABEL | DESCRIPTION

Delete | Click this button to remove an item from the list.
Add | Click this button to add an item to the list.
OK | Click this button to save any changes made to the list.

A (When By Range is selected in the Setting Type field)
Start Frequency (KHz) | This indicates the beginning of a frequency band in kilohertz (KHz). Click this field to modify it. Enter the beginning frequency when you are adding an entry.
End Frequency (KHz) | This indicates the end of the frequency band in kilohertz (KHz). Click this field to modify it.
Step (KHz) | This indicates the frequency step within each band in kilohertz (KHz). Click this field to modify it.
Bandwidth (MHz) | This indicates the bandwidth in megahertz (MHz). Click this field to modify it.
OK | Click this button to save any changes made to the list.

Valid Band Info (B)
This table displays the entire frequency band the BM2022 supports. The frequenc(ies) to scan that you configured in table A must be within this range.
Band Start (KHz) | This indicates the beginning of the frequency band in kilohertz (KHz).
Band End (KHz) | This indicates the end of the frequency band in kilohertz (KHz).

6.4  Authentication Settings

These settings allow the WiMAX Device to establish a secure (authenticated) connection with the service provider.
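Some of the fields described in Table 13 of this section weaken the connection mainly in combination, for example Ignore Cert Verification together with a password-based EAP-TTLS inner mode. The following Python check is an added example, not part of the manual or the device; it assumes the settings have been copied by hand into a dictionary keyed by the Table 13 labels, and the severity levels are this example's own.

```python
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Inner modes the manual itself advises against relying on.
WEAK_INNER = {
    "PAP": "the password is sent as plaintext inside the tunnel",
    "MD5": "the manual does not recommend MD5 for authentication security",
}


def audit_auth_settings(cfg):
    """Return [(severity, field label, reason)] sorted from most to least severe.

    cfg maps Table 13 labels to values, e.g. {"EAP Mode": "EAP-TTLS", ...}.
    Check boxes are represented as True/False (an assumption of this example).
    """
    findings = []

    if cfg.get("Authentication Mode") == "No authentication":
        findings.append(("high", "Authentication Mode",
                         "neither the user nor the device is authenticated"))
        return findings  # the EAP fields are not used in this mode

    eap = cfg.get("EAP Mode")
    inner = cfg.get("Inner Mode")

    if cfg.get("Ignore Cert Verification"):
        why = "the certificate received during EAP is accepted without verification"
        if eap == "EAP-TTLS":
            why += (f", so the {inner} username and password travel through a "
                    "tunnel whose far end has not been identified")
        findings.append(("high", "Ignore Cert Verification", why))

    if eap == "EAP-TTLS" and inner in WEAK_INNER:
        findings.append(("medium", "Inner Mode", WEAK_INNER[inner]))

    if eap == "EAP-TLS" and cfg.get("MAC address in EAP-TLS outer Id"):
        findings.append(("low", "MAC address in EAP-TLS outer Id",
                         "the device MAC address is added to the outer ID, "
                         "which is sent before the TLS tunnel exists"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed sample configurations.
RISKY = {
    "Authentication Mode": "User authentication",
    "EAP Mode": "EAP-TTLS",
    "Inner Mode": "PAP",
    "Ignore Cert Verification": True,
}
STRICTER = {
    "Authentication Mode": "User and device authentication",
    "EAP Mode": "EAP-TTLS",
    "Inner Mode": "MS-CHAP v2",
    "Ignore Cert Verification": False,
}

if __name__ == "__main__":
    for name, cfg in (("RISKY", RISKY), ("STRICTER", STRICTER)):
        print(name)
        for severity, label, reason in audit_auth_settings(cfg):
            print(f"  [{severity}] {label}: {reason}")
```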
Click WiMAX > Profile > Authentication Settings to open this screen as shown next.

Figure 22   Authentication Settings Screen
This screen contains the following fields:

Table 13   Authentication Settings
LABEL | DESCRIPTION

Authentication Mode | Select the authentication mode from the list. The BM2022 supports the following authentication modes:
    - No authentication
    - User authentication
    - Device authentication
    - User and device authentication

Data Encryption
AES-CCM | Select this to enable AES-CCM encryption. CCM combines counter-mode encryption with CBC-MAC authentication.
AES-CBC | Select this to enable AES-CBC encryption. CBC creates message authentication code from a block cipher.

Key Encryption
AES-key wrap | Select this to encapsulate cryptographic keys in a symmetric encryption algorithm.
AES-ECB | Select this to divide cryptographic keys into blocks and encrypt them separately.

EAP Supplicant
EAP Mode | Select an Extensible Authentication Protocol (EAP) mode. The BM2022 supports the following:
    EAP-TLS - In this protocol, digital certificates are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.
    EAP-TTLS - This protocol is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
Anonymous ID | Enter the anonymous ID used for EAP supplicant authentication.
Server Root CA Cert File | Browse for and choose a server root certificate file, if required.
Server Root CA Info | This field displays information about the assigned server root certificate.
Device Cert File | Browse for and choose a device certificate file, if required. Before you import a certificate from the WebGUI, the certificate file must be signed by the chipset vendor for security reasons.
Device Cert Info | This field displays information about the assigned device certificate.
Device Private Key | Browse for and choose a device private key, if required.
Device Private Key Info | This field displays information about the assigned device private key.
Device Private Key Password | Enter the device private key, if required.
Table 13   Authentication Settings (continued)
LABEL | DESCRIPTION

Inner Mode | Sets the EAP-TTLS inner mode. The BM2022 supports the following:
    MS-CHAP v2 - This is version 2 of Microsoft's variant of Challenge Handshake Authentication Protocol (CHAP). It allows for mutual authentication between devices.
    MS-CHAP - This is Microsoft's variant of Challenge Handshake Authentication Protocol (CHAP). It allows for mutual authentication between devices.
    CHAP - The Challenge Handshake Authentication Protocol (CHAP) uses PPP to authenticate remote devices using a three-way handshake and shared secret verification.
    MD5 - Message-Digest, algorithm 5, (MD5) encryption is typically used for checking file integrity. Because this encryption protocol contains a number of serious security flaws it is generally not recommended that you use it for authentication security.
    PAP - Password Authentication Protocol uses unencrypted plaintext to send passwords for authentication over the network. It's probably not a good idea to rely on this for security.
Username | Enter the username required for the EAP-TTLS inner method.
Password | Enter the password required for the EAP-TTLS inner method.

Options
Enable Auth Mode Decoration in EAP Outer ID | Select this to enable authentication mode.
Enable Service Mode Decoration in EAP Outer ID | Select this to enable service mode.
Random Outer ID | Select this to allow the BM2022 to generate a 16-byte random number as a username for the EAP Identity Response message.
Ignore Cert Verification | Select this to ignore base station certification verification when a certificate is received during EAP-TLS or EAP-TTLS.
Same EAP OuterID in ReAuth | Select this to use the same EAP outer ID when reauthenticating.
MAC address in EAP-TLS outer Id | Adds the MAC address of the BM2022 to the outer ID while the EAP mode is set to EAP-TLS.
Delete existed Root Certificate file | Select this to delete an existing root certificate file from the BM2022.
Delete existed Device Certificate file | Select this to delete an existing device certificate file from the BM2022.
Delete existed Private Key | Select this to delete an existing private key from the BM2022.

6.5  Channel Plan Settings

This screen allows you to specify channel plan settings for Network Discovery and Selection (ND&S). The BM2022 uses ND&S to establish connections when it is roaming. To do this, the BM2022 will scan for base stations that are operated by Network Access Providers (NAP) that have service agreements with the subscriber's service provider (Home-Network Service Provider or Home NSP). Through the NAP's base station, which is identified by a NAP-ID, the subscriber's BM2022 can access the Internet through a network service provider (NSP). Access can be through another network service provider (Visited-Network Service Provider or V-NSP) or his own network service provider (Home NSP), depending on his service agreement.

In the following scenario, the subscriber's BM2022 cannot reach a base station owned by his Home NSP (base station with NAP-ID = 1). The BM2022 uses ND&S and is able to access another base station with NAP-ID = 2. This base station is associated with another service provider (V-NSP with NSP-ID = 20). The subscriber's service agreement specifies to route traffic from the other service provider to the Home NSP, so the Home NSP authenticates and authorizes the connection.

Figure 23   ND&S Scenario (figure labels: NAP-ID = 1, NAP-ID = 2, Home NSP, V-NSP, NSP-ID = 20)

The channel plan settings specify the allowed frequency range to search for a NAP. The channel plan is necessary to speed up the network discovery process.

Click WiMAX > ND&S > Channel Plan Settings to open this screen as shown next.

Figure 24   Channel Plan Settings
This screen contains the following fields:

Table 14   Channel Plan Settings
LABEL | DESCRIPTION

Channel Plan Settings - You can configure multiple ranges of frequencies to scan for different NAPs. The configured frequency ranges to scan must be within the Valid Band. Specify the Channel Plan to scan for each NAP on the CAPL Settings: Add screen (Section 6.6.1 on page 78).
Start Frequency (KHz) | This indicates the beginning of a frequency band in kilohertz (KHz). Click this field to modify it. Enter the beginning frequency when you are adding an entry.
End Frequency (KHz) | This indicates the end of the frequency band in kilohertz (KHz). Click this field to modify it.
Step (KHz) | This indicates the frequency step within each band in kilohertz (KHz). Click this field to modify it. The minimum step is 250KHz and the maximum step is the difference between the start frequency and end frequency.
Bandwidth (MHz) | This indicates the bandwidth in megahertz (MHz). Click this field to modify it.
Delete | Click this button to remove an item from the list.
Add | Click this button to add an item to the list.
OK | Click this button to save any changes made to the list.

Valid Band Info - This table displays the entire frequency band the BM2022 supports. The frequency ranges to scan that you configured in Channel Plan Settings must be within this range.
Band Start (KHz) | This indicates the beginning of the frequency band in kilohertz (KHz).
Band End (KHz) | This indicates the end of the frequency band in kilohertz (KHz).
Save | Click this to save the changes made.
Cancel | Click this to prevent any changes made from being saved to your configuration.

6.6  CAPL Settings

This screen allows you to view the Contractual Agreement Preference List (CAPL) of NAPs for base stations that are preferred for establishing connections. The CAPL is a list of NAPs that are affiliated with the Home NSP through contractual agreements.
Chapter 6 WiMAXBM2022 Users Guide78Click WiMAX > ND&S > CAPL Settings to open this screen as shown next.Figure 25   CAPL SettingsThis screen contains the following fields:6.6.1  CAPL Settings: AddThis screen allows you to specify the Contractual Agreement Preference List (CAPL) of NAPs, and the corresponding channel plan to search for the NAP.Click WiMAX > ND&S > CAPL Settings: Add to open this screen as shown next.Figure 26   CAPL Settings: AddTable 15   CAPL SettingsLABEL DESCRIPTIONNAP ID This displays the NAP ID.Priority This displays the priority for the NAP ID. Channel Plan ID This displays the Channel Plan ID.Delete Click this button to remove an item from the list.Add Click this button to add an item to the list.Save Click this to save the changes made.Cancel Click this avoid any changes made from being saved to your configuration.
 Chapter 6 WiMAXBM2022 Users Guide 79This screen contains the following fields:6.7  RAPL SettingsThis screen allows you to specify the Roaming Agreement Preference List (RAPL) of preferred NSPs for establishing connections to the Home NSP.  The RAPL is a list of NSPs that are affiliated with the Home NSP through roaming agreements.  A NSP specified in the RAPL is a V-NSP and can route data to the Home NSP.Click WiMAX > ND&S > RAPL Settings to open this screen as shown next.Figure 27   RAPL SettingsTable 16   CAPL Settings: AddLABEL DESCRIPTIONNAP ID Specify the NAP ID in the format XX:XX:XX where X is a hexadecimal character.  The NAP ID is typically the first three blocks of the BSID of the base station.Priority Specify the priority for the NAP ID.  Enter 1-250 where 1 is the highest priority.  The BM2022 will search for NAPs according to the priority specified.Priority may be determined by the number of base stations an NAP has, with a NAP having more base stations being assigned a higher priority.  If the same priority is assigned to a NAP ID, the BM2022 will consider them as having equal priority.Select Channel Plan IDSelect After clicking a Channel Plan ID entry in the list, you can click this check box to select it.Start Frequency (KHz)This indicates the beginning of a frequency band in kilohertz (KHz).End Frequency (KHz)This indicates the end of the frequency band in kilohertz (KHz).Step (KHz) This indicates the frequency step within each band in kilohertz (KHz).Bandwidth (MHz)This indicates the bandwidth in megahertz (MHz).OK Click this button to save any changes made to the list.Save Click this to save the changes made.Cancel Click this avoid any changes made from being saved to your configuration.
Chapter 6 WiMAXBM2022 Users Guide80This screen contains the following fields:6.8  Home NSP SettingsOn this screen, you can configure settings for the Home NSP.  The Home NSP can authenticate and authorize connections and may support roaming through relationships with other NSPs.Click WiMAX > ND&S > Home NSP Settings to open this screen as shown next.Figure 28   Home NSP SettingsThis screen contains the following fields:Table 17   RAPL SettingsLABEL DESCRIPTIONNSP ID Specify the Network Service Provider (NSP) ID in the format XX:XX:XX where X is a hexadecimal character.  If the Home NSP ID is entered in this list, the BM2022 will try to use it to establish a connection.Priority Specify the priority for the NSP.  Enter 1-250 where 1 is the highest priority.Delete Click this button to remove an item from the list.Add Click this button to add an item to the list.OK Click this button to save any changes made to the list.Save Click this to save the changes made.Cancel Click this avoid any changes made from being saved to your configuration.Table 18   Home NSP SettingsLABEL DESCRIPTIONNDS Option SettingsNDS Mode Select Enable to use NDS to establish connections to the Home NSP.
 Chapter 6 WiMAXBM2022 Users Guide 816.9  ConnectThis screen allows you to view the available WiMAX frequency band(s) and base station(s) the BM2022 found through scanning and choose a base station to which to connect.RAPL Policy Select Strict to only allow V-NSPs specified in the RAPL to be used for establishing connections to the H-NSP.Select Partially Flexible to allow the BM2022 to use V-NSPs not specified in the RAPL to connect to the H-NSP.  Before attempting V-NSPs not specified in the RAPL the BM2022 will first try the V-NSPs specified in the RAPL to connect to the H-NSP.Select Flexible to allow the BM2022 to use any V-NSPs for establishing connections to the H-NSP.  V-NSPs specified in the RAPL will have the same priority as V-NSPs not specified in the RAPL.CAPL Policy Select Strict to only allow NAPs specified in the CAPL to be used for establishing connections to the H-NSP.Select Partially Flexible to allow the BM2022 to use NAPs not specified in the CAPL to connect to the H-NSP.  Before attempting NAPs not specified in the CAPL the BM2022 will first try the NAPs specified in the CAPL to connect to the H-NSP.Select Flexible to allow the BM2022 to use any NAPs for establishing connections to the H-NSP.  NAPs specified in the CAPL will have the same priority as NAPs not specified in the CAPL.Home NSP SettingsNSP ID After clicking the entry in the NSP ID list, you can enter the NSP ID for the Home NSP here in the format XX:XX:XX where X is a hexadecimal character.  Only one Home NSP can be entered.OK Click this button to save any changes made to the list.Save Click this button to save any changes made to the list.  Note: If you change the NDS Mode, the BM2022 will reboot when you click save.Cancel Click this avoid any changes made from being saved to your configuration.Table 18   Home NSP Settings (continued)LABEL DESCRIPTION
Chapter 6 WiMAXBM2022 Users Guide82Click WiMAX > Connect to open this screen as shown next.Figure 29   Connect ScreenThis screen contains the following fields:Table 19   ConnectLABEL DESCRIPTIONApplied Frequency InformationThis table shows the scanning result you made in the WiMAX > Profile > Frequency Settings and WiMAX > Wide Scan screens.Note: You cannot see the wide scanning result that you made in WiMAX > Wide Scan screen if the Join Wide Scan Result is set to No in the WiMAX > Profile > Frequency Settings screen.Frequency (KHz)This field displays the available center frequency of a frequency band in kilohertz (KHz).Bandwidth (MHz)This field displays the bandwidth of the frequency band in megahertz (MHz).Available Network List
 Chapter 6 WiMAXBM2022 Users Guide 83Connected ModeSelect a connect mode:Auto Connect Mode - This allows the BM2022 to connect to any of the base stations on the list automatically.Network Search Mode - This allows the BM2022 to connect to a user-specified base station. Select this option, choose a base station, click Connect.NSP Mode - This allows the BM2022 to connect to a base station with a user-specified NSP ID.  To specify the NSP ID, select a result in the list and click Connect.  The BM2022 will automatically connect to a base station with the same NSP ID, and the best CINR or RSSI.NSP/NAP Mode - This allows the BM2022 to connect to a base station with a user-specified NSP ID and NAP ID.  To specify the NSP ID and NAP ID, select a result in the list and click Connect.  The BM2022 will automatically connect to a base station with the same NSP ID and NAP ID, and the best CINR or RSSI.NSP/NAP/BSID Mode - This allows the BM2022 to connect to a base station with a user-specified NSP ID, NAP ID and BSID.  To specify the NSP ID, NAP ID and BSID, select a result in the list and click Connect.  The BM2022 will automatically connect to a base station with the same NSP ID, NAP ID and BSID, and the best CINR or RSSI.Connect Click this to connect to the selected base station.Disconnect Click this to disconnect from the selected base station.BSID This field displays the base station MAC address.NSP This field displays the NSP ID.NAP This field displays the NAP ID.Network Type This field displays the network type.Preamble ID This field displays the preamble ID.The preamble ID is the index identifier in the header of the base stations broadcast messages. In the beginning of a mobile stationss network entry process, it searches for the preamble and uses it to additional channel information. 
The preamble ID is used to synchronize the upstream and downstream transmission timing with the base station.Frequency (MHz)This field displays the center frequency the base station uses in kilohertz (KHz).Bandwidth (MHz)This field displays the frequency band bandwidth the base station uses in megahertz (MHz).RSSI (dBm) This field displays the Received Signal Strength Indication (RSSI), which is an overall measurement of radio signal strength. A higher RSSI level indicates a stronger signal.CINR (dB) R3/R1This field displays the average Carrier to Interference plus Noise Ratio for the current connection. This value is an indication of overall radio signal quality, where a higher value means a better quality signal.Search Click this to have the BM2022 scan for base stations in the frequency band(s) listed in the Applied Frequency Information table.Connected BS InfoTable 19   Connect (continued)LABEL DESCRIPTION
Chapter 6 WiMAXBM2022 Users Guide846.10  Wide ScanThis screen allows you to discover base stations by entering one or more frequency ranges and bandwidth on which to scan.Device Status This field displays the BM2022 current status for connecting to the selected base station.Scanning - The BM2022 is scanning for available base stations.Ready - The BM2022 has finished scanning and you can connect to a base station.Connecting - The BM2022 attempts to connect to the selected base station.Connected - The BM2022 has successfully connected to the selected base station.UMAC State This field displays the status of the WiMAX connection between the BM2022 and the base station.Network Search - The BM2022 is scanning for any available WiMAX connections.Disconnected - No WiMAX connection is available.Network Entry - A WiMAX connection is initializing.Normal - The WiMAX connection has been successfully established.BSID This field displays the MAC address of the base station to which the BM2022 is connected.Frequency (MHz)This field displays the frequency the base station uses in megahertz (MHz).RSSI (dBm) This field displays the Received Signal Strength Indication (RSSI), which is an overall measurement of radio signal strength. A higher RSSI level indicates a stronger signal.CINR (dB) This field displays the average Carrier to Interference plus Noise Ratio for the current connection. This value is an indication of overall radio signal quality, where a higher value means a better quality signal.Connected NSP InfoNSP ID This field displays the NSP ID of the connected NSP.Name This field displays the name of the connected NSP.Network Type This field displays the network type of the connected NSP.Table 19   Connect (continued)LABEL DESCRIPTION
 Chapter 6 WiMAXBM2022 Users Guide 85Click WiMAX > Wide Scan to open this screen as shown next.Figure 30   Wide Scan ScreenThis screen contains the following fields:Table 20   Wide ScanLABEL DESCRIPTIONWide Scan SettingsAuto Wide ScanUse this to enable (Yes) or disable (No) automatically scanning for base stations.Wide Scan RangeStart Frequency (KHz)Enter the start frequency in kilohertz (KHz) for a wide scan range.End Frequency (KHz)Enter the end frequency in kilohertz (KHz) for a wide scan range.Step (KHz) Enter the step increment in kilohertz (KHz) that the wide scan jumps each time it scans between the start and end frequencies.Bandwidth (MHz)Enter the frequency bandwidth to be scanned.Delete Click this to remove a range of frequencies from the wide scan range list.Add Click this to add a range of frequencies to the wide scan range list.OK Click this so save any changes to the wide scan range list.Wide Scan ResultThis table displays the available frequency band(s) found through the wide scan.Frequency (KHz)This field displays the frequency in kilohertz (KHz).Bandwidth (MHz)This field displays the bandwidth in megahertz (MHz).Search Click this to initiate a wide scan.Clear Click this to clear the wide scan results.
Chapter 6 WiMAXBM2022 Users Guide866.11  Link StatusThis screen provides a general overview of the current WiMAX connection with the service provider.Click WiMAX > Link Status to open this screen as shown next.Figure 31   Link Status ScreenThis screen contains the following fields:Table 21   Link StatusLABEL DESCRIPTIONProfile This field displays the profile name.BSID This field displays the MAC address of the base station to which the BM2022 is currently connected.RSSI This field displays the Received Signal Strength Indication (RSSI), which is an overall measurement of radio signal strength. A higher RSSI level indicates a stronger signal.CINR R3 This field displays the average Carrier to Interference plus Noise Ratio (R3) for the current connection. This value is an indication of overall radio signal quality, where a higher value means a better quality signal.CINR R1 This field displays the average Carrier to Interference plus Noise Ratio (R1) for the current connection. This value is an indication of overall radio signal quality, where a higher value means a better quality signal.CINR Std Dev This field displays the average Carrier to Interference plus Noise Ratio (Std Dev) for the current connection. This value is an indication of overall radio signal quality, where a higher value means a better quality signal.Frequency This field displays the frequency in kilohertz (KHz).TX Power This field displays the transmission power of the BM2022 in dBm.UL MCS This field displays the Uplink Modulation and Coding Sequence (UL MCS).DL MCS This field displays the Downlink Modulation and Coding Sequence (DL MCS).RF Temperature This field displays the temperature in centigrade of the BM2022s RF circuit.Link Uptime This field displays the length of time the current connection has been up.
 Chapter 6 WiMAXBM2022 Users Guide 876.12  Link StatisticsThis screen provides a detailed overview of the current WiMAX connection with the service provider.Handover Success This field displays how many times the BM2022 had ever successfully switched its connection from one base station to another base station, since the BM2022 last restarted.Handover Fail This field displays how many times the BM2022 had been failed to switch its connection from one base station to another base station, since the BM2022 last restarted.Handover Maximum LatencyThis field displays the maximum latency for switching connections from one base station to another base station, since the BM2022 last restarted. Handover Minimum LatencyThis field displays the minimum latency for switching connections from one base station to another base station, since the BM2022 last restarted. Handover Average LatencyThis field displays the average latency for switching connections from one base station to another base station, since the BM2022 last restarted. Table 21   Link Status (continued)LABEL DESCRIPTION
Chapter 6 WiMAXBM2022 Users Guide88Click WiMAX > Link Statistics to open this screen as shown next.Figure 32   Link Statistics ScreenThis screen contains the following sections:6.13  Connection InfoThis screen displays all of the connections made through the WiMAX device since its last reboot.Table 22   Link StatisticsLABEL DESCRIPTIONLink This section provides a detailed overview of link statistics.HARQ This section provides a detailed overview of Hybrid Automatic Repeat Request link statistics.TX/RX This section provides a detailed overview of transmission and receiving link statistics.MCS This section provides a detailed overview of Modulation and Coding Sequence (MCS) link statistics
 Chapter 6 WiMAXBM2022 Users Guide 89Click WiMAX > Connection Info to open this screen as shown next.Figure 33   Connection Info ScreenThis screen contains the following fields:6.14  Service FlowThis screen displays data priority information for all of the connections made through the WiMAX device since its last reboot.Click WiMAX > Service Flow to open this screen as shown next.Figure 34   Service Flow ScreenThis screen contains the following fields:Table 23   Connection InfoLABEL DESCRIPTIONActive Connection CIDThis displays the unique, unidirectional 16-bit Connection Identifier (CID) for an active connection.Connection Type This displays the type of connection.Table 24   Service FlowLABEL DESCRIPTIONSFID This displays a 32-bit service flow identifier.SF Status This display the service flow status.SF Direction This displays the service flow direction.
Chapter 6 WiMAXBM2022 Users Guide90
BM2022 Users Guide 91CHAPTER   7Network Setting7.1  OverviewThis chapter shows you how to configure the BM2022s network setting.7.1.1  What You Need to KnowThe following terms and concepts may help as you read through this chapter.IP AddressIP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.Subnet MasksSubnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.DHCPA DHCP (Dynamic Host Configuration Protocol) server can assign your BM2022 an IP address, subnet mask, DNS and other routing information when its turned on.DNS Server AddressDNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask.There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when s/he signs up. If your ISP gives you the DNS server addresses, enter them in the DNS Server fields; otherwise, leave them blank.Some ISPs choose to pass the DNS servers using the DNS server extensions of PPP IPCP (IP Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances are the DNS servers are conveyed through IPCP negotiation. The BM2022 supports the IPCP DNS server extensions through the DNS proxy feature.
Chapter 7 Network SettingBM2022 Users Guide92If the Primary and Secondary DNS Server fields are not specified, for instance, left as 0.0.0.0, the BM2022 tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the BM2022, the BM2022 forwards the query to the real DNS server learned through IPCP and relays the response back to the computer.Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions. It does not mean you can leave the DNS servers out of the DHCP setup under all circumstances. If your ISP gives you explicit DNS servers, make sure that you enter their IP addresses. This way, the BM2022 can pass the DNS servers to the computers and the computers can query the DNS server directly without the BM2022s intervention.RIP SetupRIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.  When set to:RX/TX - the BM2022 will broadcast its routing table periodically and incorporate the RIP information that it receives.RX Only - the BM2022 will not send any RIP packets but will accept all RIP packets received.TX Only - the BM2022 will send out RIP packets but will not accept any RIP packets received.None - the BM2022 will not send any RIP packets and will ignore any RIP packets received.The Version field controls the format and the broadcasting method of the RIP packets that the BM2022 sends (it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more information. 
RIP-1 is probably adequate for most networks, unless you have an unusual network topology.Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting.Port Forwarding A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make accessible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world.With port forwarding, you can forward incoming service requests to the server(s) on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers. In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default is not defined, the service request is simply discarded.For example, let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of
 Chapter 7 Network SettingBM2022 Users Guide 93192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.Figure 35   Multiple Servers Behind NAT ExampleTrigger PortsSome services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address, Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The BM2022 records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger" port). When the BM2022's WAN port receives a response with a specific port number and protocol ("incoming" port), the BM2022 forwards the traffic to the LAN IP address of the computer that sent the request. After that computers connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application.ALGSome applications, such as SIP, cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets data payload. Some NAT routers may include a SIP Application Layer Gateway (ALG). An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. 
A SIP ALG allows SIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream.UPnPUniversal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.How do I know if I'm using UPnP?
Chapter 7 Network SettingBM2022 Users Guide94UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device. NAT TraversalUPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following: Dynamic port mapping Learning public IP addresses Assigning lease times to mappingsWindows Messenger is an example of an application that supports NAT traversal and UPnP. Cautions with UPnPThe automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. UPnP and HuaweiHuawei has received UPnP certification from the official UPnP Forum (http://www.upnp.org). Huawei's UPnP implementation supports IGD 1.0 (Internet Gateway Device).The BM2022 only sends UPnP multicasts to the LAN.Content FilterInternet content filtering allows you to create and enforce Internet access policies tailored to their needs. Content filtering is the ability to block certain specific URL keywords.7.2  WANUse these settings to configure the WAN connection between the WiMAX Device and the service provider.
 Chapter 7 Network SettingBM2022 Users Guide 95Click Network Setting > WAN to open this screen as shown next.Figure 36   WAN ScreenThis screen contains the following fields:Table 25   WANLABEL DESCRIPTIONOperation Mode Select the BM2022s operational mode.Bridge - This puts the BM2022 in bridge mode, acting as a transparent middle man between devices on the LAN and the devices on the WAN.Router - Select Router from the drop-down list box if your ISP gives you one IP address only and you want multiple computers to share an Internet account. NAT - This allows the BM2022 to tag frames for NAT, allowing devices on the LAN to use their own internal IP addresses while communicating with devices on the WAN.WAN Protocol Select the protocol the BM2022 uses to connect to the WAN.The options are:Ethernet - Select this if you have a persistent connection to the network.PPPoE - Select this if must log into the network before initiating a persistent connection.GRE Tunnel - Select this if you connect to the network using Point-to-Point Protocol to create VPNs.EtherIP - Select this if you need to tunnel Ethernet and IEEE 802.3 MAC frames across an IP Internet.Bridging LAN ARP This option enables or disables allow ARP requests to cross the BM2022.Get IP Method Select how the BM2022 receives its IP address.User - Select this to manually enter the IP address the BM2022 uses.From ISP - Select to automatically get the IP address the BM2022 uses from the ISP.
Chapter 7 Network SettingBM2022 Users Guide967.3  PPPoEUse these settings to configure the PPPoE connection between the WiMAX Device and the service provider.Click Network Setting > WAN > PPPoE.Figure 37   PPPoE ScreenWAN IP Request TimeoutEnter the number of seconds the BM2022 waits for an IP from the ISP before it times out.WAN IP Address If the BM2022 gets its IP from the user, enter the IP address it is to use.WAN IP Subnet MaskIf the BM2022 gets its IP from the ISP, enter the IP address it is to use.Gateway IP AddressIf the BM2022 gets its gateway IP address from the user, enter the IP address it is to use.MTU Enter the Maximum Transmission Unit (MTU) for the BM2022. This is the largest protocol unit that the BM2022 allows to pass through it.Clone MAC AddressEnter a MAC address here for registering bridged devices on the network if their current MAC addresses are causing problems. For example, this can happen when a desktop computer swaps network interface cards; the original NIC may have used its MAC address to register itself on the network and now the new NIC is unrecognized. Using a MAC address that you know is valid, i.e. a clone, allows that device to stay registered.First~Third DNS ServerSelect how the BM2022 acquires its DNS server address.From ISP - Select this to have the BM2022 acquire its DNS server address from the ISP.User Define - Select this to manually enter the DNS server used by the BM2022.Table 25   WAN (continued)LABEL DESCRIPTION
 Chapter 7 Network SettingBM2022 Users Guide 97This screen contains the following fields:7.4  GREUse these settings to configure the peer setting of the Generic Routing Encapsulation (GRE) tunnel between the WiMAX Device and another GRE peer.Click Network Setting > WAN > GRE to open this screen as shown next.Figure 38   GRE ScreenTable 26   PPPoELABEL DESCRIPTIONUser Name Enter the username for PPPoE login into the WAN network.Password Enter the password for PPPoE login into the WAN network.Retype Password Retype the password to confirm it.Auth Protocol Select a PPPoE authentication protocol. The BM2022 supports the following:CHAP - The Challenge Handshake Authentication Protocol (CHAP) uses PPP to authenticate remote devices using a three-way handshake and shared secret verification.PAP - Password Authentication Protocol uses unencrypted plaintext to send a passwords for authentication over the network. Its probably not a good idea to rely on this for security.MS-CHAP v1/2 -This is Microsofts variant of Challenge Handshake Authentication Protocol (CHAP). 
It allows for mutual authentication between devices.MPPE Encryption Use this option to enable or disable authentication through Microsoft Point-To-Point Encryption (MPPE) protocol.MPPE Stateful Use this option to allow or disallow the BM2022 to use the Microsoft Point-To-Point Encryption (MPPE) protocol for stateful peer negotiation.Idle Timeout Enter the number of second the BM2022 waits during authentication before timing out.AC Name Enter the access concentrator name for the PPPoE interface if your ISP uses an AC PPPoE service.DNS Overwrite Use this option to allow or disallow the BM2022 to overwrite DNS static DNS entries on client devices.Connection TriggerSet whether the BM2022 is persistently connected to the WAN (AlwaysOn) or you must click the PPPoE Connect button each time you want to get on the WAN (Manual).Connection TimeoutEnter in seconds the duration the BM2022 waits for idle activity before disconnecting from the WAN.PPPoE Connect Click this to connect to the WAN using PPPoE.PPPoE Disconnect Click this to disconnect from the WAN.
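What the PAP and CHAP choices under Auth Protocol in Table 26 (PPPoE) put on the link, as an added example that is not taken from this manual or the BM2022 firmware. It builds the PAP Authenticate-Request (RFC 1334) and the CHAP challenge and response (RFC 1994) for a constructed user name, secret and challenge, then checks which frames carry the secret; MS-CHAP and the PPP/PPPoE framing around these packets are not modelled.

```python
import hashlib
import hmac
import struct

PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4

# Constructed sample values, not from the manual.
USER = b"subscriber01"
SECRET = b"constructed-secret"
AC_NAME = b"access-concentrator"
CHALLENGE_A = bytes(range(16))
CHALLENGE_B = bytes(range(16, 32))


def pap_request(ident, user, password):
    """PAP Authenticate-Request: the password is carried as-is in the packet."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def chap_packet(code, ident, value, name):
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(packet):
    """Split a CHAP Challenge or Response into (code, identifier, value, name)."""
    if len(packet) < 5:
        raise ValueError("CHAP packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if length != len(packet) or 5 + size > length:
        raise ValueError("CHAP length fields are inconsistent")
    return code, ident, packet[5:5 + size], packet[5 + size:length]


def chap_digest(ident, secret, challenge):
    """Response value: MD5 over the Identifier, the shared secret, the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_respond(challenge_packet, user, secret):
    """Peer side (the CPE): answer a challenge without sending the secret."""
    code, ident, challenge, _ = parse_chap(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    return chap_packet(CHAP_RESPONSE, ident,
                       chap_digest(ident, secret, challenge), user)


def chap_verify(challenge_packet, response_packet, secret_db):
    """Authenticator side: third step of the handshake, Success or Failure."""
    _, ident, challenge, _ = parse_chap(challenge_packet)
    code, rid, value, user = parse_chap(response_packet)
    secret = secret_db.get(user)
    ok = (code == CHAP_RESPONSE and rid == ident and secret is not None
          and hmac.compare_digest(value, chap_digest(ident, secret, challenge)))
    return CHAP_SUCCESS if ok else CHAP_FAILURE


def secret_visible(frames, secret):
    """True when any captured frame contains the secret byte-for-byte."""
    return any(secret in frame for frame in frames)


def compare_protocols():
    """Run both exchanges and report what an on-path capture would hold."""
    pap = pap_request(1, USER, SECRET)
    challenge = chap_packet(CHAP_CHALLENGE, 7, CHALLENGE_A, AC_NAME)
    response = chap_respond(challenge, USER, SECRET)
    fresh = chap_packet(CHAP_CHALLENGE, 7, CHALLENGE_B, AC_NAME)
    return {
        "pap_exposes_secret": secret_visible([pap], SECRET),
        "chap_exposes_secret": secret_visible([challenge, response], SECRET),
        "chap_result": chap_verify(challenge, response, {USER: SECRET}),
        # An old response does not satisfy a new challenge.
        "stale_response_result": chap_verify(fresh, response, {USER: SECRET}),
    }


if __name__ == "__main__":
    for key, value in compare_protocols().items():
        print(f"{key}: {value}")
```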
Chapter 7 Network SettingBM2022 Users Guide98This screen contains the following fields:7.5  EtherIPUse these settings to configure the peer setting of the EtherIP tunnel between the WiMAX Device and another EtherIP peer.Click Network Setting > WAN > EtherIP to open this screen as shown next.Figure 39   EtherIP ScreenThis screen contains the following fields:7.6  IPUse these settings to configure the LAN connection between the WiMAX Device and your local network.Click Network Setting > LAN > IP to open this screen as shown next.Figure 40   IP ScreenThis screen contains the following fields:Table 27   GRELABEL DESCRIPTIONPeer IP Address Enter the IP address of the GRE peer.Table 28   EtherIPLABEL DESCRIPTIONPeer IP Address Enter the IP address of the EtherIP peer.Table 29   IPLABEL DESCRIPTIONIP address Enter the IP address of the LAN interface for the BM2022.IP Subnet Mask Enter the IP subnet mask of the LAN interface for the BM2022.
 Chapter 7 Network SettingBM2022 Users Guide 997.7  DHCPUse these settings to configure whether the WiMAX Device functions as a DHCP server for your local network, or a DHCP relay between the local network and the service provider. You can also disable the DHCP functions.Click Network Setting > LAN > DHCP to open this screen as shown next.Figure 41   DHCP ScreenThis screen contains the following fields:Table 30   DHCPLABEL DESCRIPTIONDHCP ServerDHCP Mode Select this if you want the BM2022 to be the DHCP server on the LAN. As a DHCP server, the BM2022 assigns IP addresses to DHCP clients on the LAN and provides the subnet mask and DNS server information.None - This disables DHCP mode for the BM2022.Server - This sets the BM2022 as a DHCP server for the LAN.Relay - This sets the BM2022 as a DHCP relay for the LAN, allowing it to pass-through IP addresses assigned to LAN devices from the ISP servers.Start IP Enter the start IP address from which the BM2022 begins allocating IP addresses.End IP Enter the end IP address at which the BM2022 ceases allocating IP addresses.
Chapter 7 Network SettingBM2022 Users Guide1007.8  Static RouteUse these settings to create fixed paths through the network.Click Network Setting > Route > Static Route to open this screen as shown next.Figure 42   Static Route ScreenThis screen contains the following fields:Lease Time Enter the duration in minutes that devices on the LAN retain their DHCP-issued IP addresses. At the end of the lease time, they poll the BM2022 for a renewed or replacement IP.Relay IP Enter the name of the IP address to be used.DNS Server Assigned by the DHCP ServerFirst~Third DNS ServerSelect how the BM2022 acquires its DNS server address.None - Select this to not use a DNS server.From ISP - Select this to have the BM2022 acquire its DNS server address from the ISP.User Define - Select this to manually enter the DNS server used by the BM2022.Static DHCPMAC Address This field displays the MAC address of the static DHCP client connected to the BM2022.IP Address This field displays the IP address of the static DHCP client connected to the BM2022.Add Click this to add a new static DHCP entry.OK Click this to save any changes made to this list.DHCP Leased HostsMAC Address This displays the MAC address of the DHCP leased host.IP Address This displays the IP address of the DHCP leased host.Remaining TimeThis displays the how much time is left on the hosts lease.Refresh Click this to refresh the list.Table 30   DHCP (continued)LABEL DESCRIPTIONTable 31   Static RouteLABEL DESCRIPTIONDestination This field displays the destination IP address of the static route.Subnet Mask This field displays the subnet mask of the static route.Next Hop This field displays next hop information of the static route.
 Chapter 7 Network SettingBM2022 Users Guide 1017.9  Static Route AddUse these settings to configure a static route.Click Add in the Network Setting > Route > Static Route screen to open this screen as shown next.Figure 43   Static Route ScreenThis screen contains the following fields:7.10  RIPUse these settings to configure how the WiMAX Device exchanges information with other routers.Metric This field displays the static route metric.Add Click this to add a new static route to the list.Table 31   Static Route (continued)LABEL DESCRIPTIONTable 32   Static RouteLABEL DESCRIPTIONDestination IP Enter the destination IP address of the static route.Subnet Mask Enter the subnet mask of the static route.Next Hop Select Interface and then select WAN or LAN for the next hop of the static route.If the next hop is an IP address rather than an interface on the BM2022, select IP Address and enter the IP address.Metric Enter the static route metric.
Chapter 7 Network SettingBM2022 Users Guide102Click Network Setting > Route > RIP to open this screen as shown next.Figure 44   RIP ScreenThis screen contains the following fields:Table 33   RIPLABEL DESCRIPTIONGeneral SetupEnable Select this to enable RIP on the BM2022.RedistributeActive This indicates whether a route is being redistributed.Type This indicates what type of route is being redistributed.Metric This indicates the metric that is being used for redistribution.Edit Click this to edit a selected route.OK Click this to save any changes to the redistribution table.LANDirection Set the LAN network direction to use with RIP.Version Set the RIP version to use.Authentication Use this option to enable or disable RIP authentication.Authentication ID Enter the authentication ID to use for RIP authentication.Authentication KeyEnter the authentication key to use for RIP authentication.WANDirection Set the WAN network direction to use with RIP.Version Set the RIP version to use.
 Chapter 7 Network SettingBM2022 Users Guide 1037.11  Port ForwardingUse these settings to forward incoming service requests to the ports on your local network.Note: Make sure you did not configure a DMZ host in the Network Setting > NAT > DMZ screen if you want to make the settings of this screen work.Click Network Setting > NAT > Port Forwarding to open this screen as shown next.Figure 45   Port Forwarding ScreenThis screen contains the following fields:Authentication Use this option to enable or disable RIP authentication.Authentication ID Enter the authentication ID to use for RIP authentication.Authentication KeyEnter the authentication key to use for RIP authentication.Table 33   RIP (continued)LABEL DESCRIPTIONTable 34   Port ForwardingLABEL DESCRIPTIONActive This indicates whether the port forwarding rule is active or not.Name The displays the name of the port forwarding rule.Protocol This displays the protocol to which the port forwarding rule applies.Incoming Port(s)Start Port This displays the starting port number for incoming traffic for the port forwarding rule.End Port This displays the ending port number for incoming traffic for the port forwarding rule.Forward Port(s)Start Port This field displays the beginning of the range of port numbers forwarded by this rule.End Port This field displays the end of the range of port numbers forwarded by this rule. If it is the same as the Start Port, only one port number is forwarded.
Chapter 7 Network SettingBM2022 Users Guide1047.11.1  Port Forwarding WizardUse this wizard to set up a port forwarding rule for incoming service requests to the ports on your local network.Click Network Setting > NAT > Port Forwarding > Wizard to open this screen as shown next.Figure 46   Port Forwarding Wizard ScreenThis screen contains the following fields:Server IP This displays the IP address of the server to which packet for the selected port(s) are forwarded.Delete Click this to delete a specified rule.Wizard Click this to open the port forwarding wizard.Add Click this to add a new port forwarding rule.OK Click this to save any changes made to the port forwarding list.Table 34   Port Forwarding (continued)LABEL DESCRIPTIONTable 35   Port Forwarding WizardLABEL DESCRIPTIONActive Select this to make this port forwarding rule active.Port Forward Rule Select the type of port forwarding rule.Rule Name Enter a name for the port forwarding rule.Protocol Select the port forwarding protocol.Incoming Start PortEnter the starting port number for incoming traffic for the port forwarding rule.Incoming End PortEnter the ending port number for incoming traffic for the port forwarding rule.Forwarding Start PortEnter the starting port number for forwarded traffic for the port forwarding rule.Forwarding End PortEnter the ending port number for forwarded traffic for the port forwarding rule.Server IP Enter the port forwarding server IP address.
 Chapter 7 Network SettingBM2022 Users Guide 1057.12  Port TriggerUse these settings to automate port forwarding and allow computers on local network to provide services that would normally require a fixed address on the local network.Click Network Setting > NAT > Port Trigger to open this screen as shown next.Figure 47   Port Trigger ScreenThis screen contains the following fields:Table 36   Port TriggerLABEL DESCRIPTIONActive This indicates whether the port trigger rule is active or not.Name The displays the name of the port trigger rule.Trigger Protocol This displays the protocol to which the port trigger rule applies.Trigger Port(s)Start / End PortThis displays the start / end trigger port for the port trigger rule.Click Add to create a new, empty rule, then enter the incoming port number or range of port numbers you want to forward to the IP address the BM2022 records.To forward one port number, enter the port number in the Start Port and End Port fields.To forward a range of ports, enter the port number at the beginning of the range in the Start Port field enter the port number at the end of the range in the End Port field.If you want to delete this rule, click the Delete icon.Open Protocol This indicates which protocol is used to open the port trigger ports.Open Port(s)Start / End PortThis displays the start / end open port for the port trigger rule.Click Add to create a new, empty rule, then enter the outgoing port number or range of port numbers that makes the BM2022 record the source IP address and assign it to the selected incoming port number(s).To select one port number, enter the port number in the Start Port and End Port fields.To select a range of ports, enter the port number at the beginning of the range in the Start Port field enter the port number at the end of the range in the End Port field.If you want to delete this rule, click the Delete icon.
Chapter 7 Network SettingBM2022 Users Guide1067.12.1  Port Trigger WizardUse the wizard to create a port trigger rules that will allow the BM2022 to automate port forwarding and allow computers on local network to provide services that would normally require a fixed address on the local network.Click Network Setting > NAT > Port Trigger > WizardFigure 48   Port Trigger Wizard ScreenThis screen contains the following fields:Delete Click this to delete a specified rule.Wizard Click this to open the port trigger wizard.Add Click this to add a new port trigger rule.OK Click this to save any changes made to the port trigger list.Table 36   Port Trigger (continued)LABEL DESCRIPTIONTable 37   Port Trigger WizardLABEL DESCRIPTIONActive Select this to make this port trigger rule active.Port Trigger Rule Select the type of port trigger rule.Rule Name Enter a name for the port trigger rule.Trigger Protocol Select the type of port trigger protocol.Trigger Start Port Enter the port trigger start port.Trigger End Port Enter the port trigger end port.Open Protocol Select the type of open protocol for the port trigger rule.Open Start Port Select the starting open port for the port trigger rule.Open End Port Select the ending open port number for the port trigger rule.
 Chapter 7 Network SettingBM2022 Users Guide 1077.12.2  Trigger Port Forwarding ExampleThe following is an example of trigger port forwarding. In this example, J is Janes computer and S is the Real Audio server.Figure 49   Trigger Port Forwarding Example1Jane requests a file from the Real Audio server (port 7070).2Port 7070 is a trigger port and causes the BM2022 to record Janes computer IP address. The BM2022 associates Jane's computer IP address with the "incoming" port range of 6970-7170.3The Real Audio server responds using a port number ranging between 6970-7170.4The BM2022 forwards the traffic to Janes computer IP address. 5Only Jane can connect to the Real Audio server until the connection is closed or times out. The BM2022 times out in three minutes with UDP (User Datagram Protocol), or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol). Two points to remember about trigger ports:1Trigger events only happen on data that is coming from inside the BM2022 and going to the outside.2If an application needs a continuous data stream, that port (range) will be tied up so that another computer on the LAN cant trigger it. 7.13  DMZUse this page to set the IP address of your network DMZ (if you have one) for the WiMAX Device. All incoming packets received by this BM2022s WAN interface will be forwarded to the DMZ host you set.Click Network Setting > NAT > DMZ to open this screen as shown next.
Chapter 7 Network SettingBM2022 Users Guide108Note: The configuration you set in this screen takes priority than the Network Setting > NAT > Port Forwarding screen.Figure 50   DMZ ScreenThis screen contains the following fields:7.14  ALGUse these settings to bypass NAT on your WiMAX Device for those applications that are "NAT un-friendly".Click Network Setting > NAT > ALG to open this screen as shown next.Figure 51   ALG ScreenThis screen contains the following fields:Table 38   DMZLABEL DESCRIPTIONDMZ Enable Click this check box to enable DMZ.DMZ Host Enter the IP address of your network DMZ host, if you have one. 0.0.0.0 means this feature is disabled.Table 39   Network Setting > NAT > ALGLABEL DESCRIPTIONEnable FTP ALG Turns on the FTP ALG to detect FTP (File Transfer Program) traffic and helps build FTP sessions through the BM2022s NAT. Enable H.323 ALG Turns on the H.323 ALG to detect H.323 traffic (used for audio communications) and helps build H.323 sessions through the BM2022s NAT. Enable IPsec ALG Turns on the IPsec ALG to detect IPsec traffic and helps build IPsec sessions through the BM2022s NAT. Enable L2TP ALG Turns on the L2TP ALG to detect L2TP traffic and helps build L2TP sessions through the BM2022s NAT.Enable PPTP ALG Turns on the PPTP ALG to detect PPTP traffic and helps build PPTP sessions through the BM2022s NAT.
 Chapter 7 Network SettingBM2022 Users Guide 1097.15  QoSUse this page to configure QoS settings on the WiMAX Device.Click Network Setting > QoS to open this screen as shown next.Figure 52   QoS ScreenThis screen contains the following fields:7.16  UPnPUse this page to enable the UPnP networking protocol on your WiMAX Device and allow easy network connectivity with other UPnP-compatible devices.Enable RTSP ALG Turns on the RTSP ALG to detect RTSP traffic and helps build RTSP sessions through the BM2022s NAT. Enable SIP ALG Turns on the SIP ALG to detect SIP traffic and helps build SIP sessions through the BM2022s NAT.SIP Port If you are using a custom UDP port number (not 5060) for SIP traffic, enter it here.Enable SIP ALG Set BSIDCheck this box to add the base station ID to the outgoing SIP messages. Select this option only if the media server forwarding calls requires this information.Table 39   Network Setting > NAT > ALG (continued)LABEL DESCRIPTIONTable 40   QoSLABEL DESCRIPTIONInterface This displays the interface for the QoS rule.  The IAD interface is for device management.  Configure DiffServ Code Point (DSCP) and/or Priority marking based on which method is supported within your network.  With DSCP you can use 64 (0-63) different markings, compared to 6 (1-6) with Priority marking.DSCP  Specify a DiffServ Code Point (DSCP) classification identification number (-1-63) to mark traffic that passes through this interface.  Setting the DSCP to -1 indicates marking is not enabled.  A higher number indicates higher priority.  The DSCP allows marked packets to receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow.Priority Select a priority level (1 to 6) to assign a priority to traffic that passes through this interface.  A higher number indicates higher priority.  Like DSCP, this marking is used to identify traffic for specific treatment.  
OK Click this to save any changes made to the QoS rules.
Chapter 7 Network SettingBM2022 Users Guide110Click Network Setting > UPnP to open this screen as shown next.Figure 53   UPnP ScreenThis screen contains the following fields:7.16.1  Installing UPnP in Windows XPFollow the steps below to install the UPnP in Windows XP.1Click Start > Control Panel. 2Double-click Network Connections.3In the Network Connections window, click Advanced in the main menu and select Optional Networking Components . Table 41   UPnPLABEL DESCRIPTIONEnable UPnP Select this to enable UPnP on the BM2022.Enable NAT-PMP Select this to enable NAT Port Mapping Protocol on the BM2022.
 Chapter 7 Network SettingBM2022 Users Guide 1114The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details. 5In the Networking Services window, select the Universal Plug and Play check box. 6Click OK to go back to the Windows Optional Networking Component Wizard window and click Next. 7.16.1.1  Auto-discover Your UPnP-enabled Network Device in Windows XPThis section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the BM2022.Make sure the computer is connected to a LAN port of the BM2022. Turn on your computer and the BM2022. 1Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
Chapter 7 Network SettingBM2022 Users Guide1122Right-click the icon and select Properties. 3In the Internet Connection Properties window, click Settings to see the port mappings there were automatically created.
 Chapter 7 Network SettingBM2022 Users Guide 1134You may edit or delete the port mappings or click Add to manually add port mappings. 5When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.6Select Show icon in notification area when connected option and click OK. An icon displays in the system tray. 7Double-click on the icon to display your current Internet connection status.
Chapter 7 Network SettingBM2022 Users Guide1147.16.2  Web Configurator Easy AccessWith UPnP, you can access the web-based configurator on the BM2022 without finding out the IP address of the BM2022 first. This becomes helpful if you do not know the IP address of the BM2022.Follow the steps below to access the web configurator:1Click Start and then Control Panel. 2Double-click Network Connections. 3Select My Network Places under Other Places. 4An icon with the description for each UPnP-enabled device displays under Local Network. 5Right-click on the icon for your BM2022 and select Invoke. The web configurator login screen displays.
 Chapter 7 Network SettingBM2022 Users Guide 1156Right-click on the icon for your BM2022 and select Properties. A properties window displays with basic information about the BM2022. 7.17  VLANUse this screen to configure port-based VLAN settings on the BM2022. This screen allows you to assign port(s) to specific virtual LAN(s) in order to isolate traffic from different VLAN groups.  See Section 4.11 on page 48 for example configurations for VLANs.
Chapter 7 Network SettingBM2022 Users Guide116Click Network Setting > VLAN to open the screen as shown next.Figure 54   VLAN ScreenThis screen contains the following fields:Table 42   VLANLABEL DESCRIPTIONVLAN UtilityEnable VLAN Select Yes to enable the VLAN function on the BM2022.Note: To use VLAN on the BM2022, you must switch the operation mode to bridge on the Network Setting > WAN screen. It will then require system restart to take effect.Port Settings# This is the index number of the port setting.Interface This displays the interface that the port setting applies to.Link Type Select Access if this port forwards traffic for only one VLAN.  The device connected to an access port does not support VLAN tagged packets, so the BM2022 will remove packets forwarded out of this port.  Packets received on access ports will be tagged with the specified PVID.Select Trunk to allow packets belonging to different VLAN groups to pass through the port.  The device connected to this port should support VLAN tagged packets.  You must configure Filter Settings for the port and VLAN ID for tagged packets to be forwarded.  If received packets are already tagged, the PVID set for this port should not be the same as the VLAN IDs configured in Filter Settings.  This will allow the tagged packets to be forwarded to the specified VLANs.  If received packets are not tagged, the BM2022 will tag them with the PVID.Select Hybrid to allow the port to function as an access port and trunk port.
 Chapter 7 Network SettingBM2022 Users Guide 1177.18  DDNSUse this page to configure the WiMAX Device as a dynamic DNS client.PVID A PVID (Port VLAN ID) is a tag that adds to incoming untagged packets received on a port so that the packets are forwarded to the VLAN group that the tag defines.  Enter a number between 1and 4094 as the port VLAN ID.Priority Enter a priority level (1~7) that the BM2022 assigns to packets belonging to this VLAN. Enter 0 for no priority assigned.CFI Select Yes if the CFI (Canonical Format Indicator) field in a received packet is set to 1, indicating non-Canonical Format.  In this case, the packet should not be forwarded as it is to an untagged port.Tag/Untag You can only select Tag if the port is configured as a Trunk or Hybrid port.  The BM2022 will receive and forward VLAN tagged packets.  Untagged packets will be tagged with the PVID.If you select Untag the BM2022 will remove tags from tagged packets it forwards out of the port.  Untagged packets received will be forwarded.  If the port is an Access port, the BM2022 will add tags to untagged packets it receives and drop tagged packets it receives.  If the port is a Trunk port, the BM2022 will add tags to untagged packets it receives and retag tagged packets. OK Click this to save the changes in the Port Setting section.Filter Setting# This is the index number of a filter.Name This is the name of a filter rule.VID This field displays the VLAN ID for the filter. Click this field to change the VLAN ID. Retag Priority Select Yes to retag the priority of a packet received on a Trunk or Hybrid port.Priority NumberIf Retag Priority is enabled, specify the new priority level (1~7) to tag.  Enter 0 for no priority assigned.Ports This field displays the ports included in the filter. Click this field to select which ports to include. 
Delete Click this button to remove an item from the list.Add Click this button to add an item to the list.OK Click this button to save any changes made to the list.Save Click this to save the changes made.Cancel Click this avoid any changes made from being saved to your configuration.Table 42   VLANLABEL DESCRIPTION
Chapter 7 Network SettingBM2022 Users Guide118Click Network Setting > DDNSFigure 55   DDNS ScreenThis screen contains the following fields:7.19  IGMP ProxyUse this page to enable IGMP Proxy on the WiMAX Device.Table 43   DDNSLABEL DESCRIPTIONEnable Dynamic DNSSelect this to enable dynamic DNS on the BM2022.Service Provider Select the dynamic DNS service provider for the BM2022.Service Type Select the dynamic DNS service type.Domain Name Enter the domain name.Login Name Enter the user name.Password Enter the password.IP Update Policy Select the policy used by the BM2022. Options are:Auto DetectWAN User DefinedUser Defined IP If chose User Defined for the IP Update Policy, enter the user defined IP address.Wildcards Select this to allow a hostname to use wildcards such as *.MX Select this to enable mail routing, if supported by the specified DYNDNS service provider.Backup MX Select this to enable a secondary mail routing, if supported by the specified DYNDNS service provider.MX Host Enter the host to which mail is routed when the MX option is selected.
 Chapter 7 Network SettingBM2022 Users Guide 119Click Network Setting > IGMP Proxy to open this screen as shown next.Figure 56   IGMP ProxyThis screen contains the following fields:7.20  Content FilterUse these settings to allow ("whitelist") or block ("blacklist") connections to and from specific web sites through the WiMAX Device.Click Network Setting > Content Filter to open this screen as shown next.Figure 57   Content Filter ScreenThis screen contains the following fields:Table 44   IGMP ProxyLABEL DESCRIPTIONEnable IGMP ProxyInternet Group Multicast Protocol (IGMP) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.Select this option to have the BM2022 act as an IGMP proxy. This allows the BM2022 to get subscribing information and maintain a joined member list for each multicast group. It can reduce multicast traffic significantly.Save Click this to save the changes made.Cancel Click this avoid any changes made from being saved to your configuration.Table 45   Content FilterLABEL DESCRIPTIONURL ListEnable URL FilterSelect this employ the content filter to allow (whitelist) or block (blacklist) specific URL connections made through the BM2022.Blacklist/WhitelistSelect whether the current filtering applies to the blacklist (sites that are blocked) or the whitelist (sites that are allowed).URL Filter RuleActive Indicates whether the current URL filter is active or not.URL Indicates the URL to be filtered according to blacklist or whitelist rules.
Chapter 7 Network SettingBM2022 Users Guide120Delete Click this to delete a specified rule.Add Click this to add a new filter rule.OK Click this to save any changes made to the list.Table 45   Content Filter (continued)LABEL DESCRIPTION
BM2022 Users Guide 121CHAPTER   8Security8.1  OverviewThis chapter shows you how to configure the BM2022s network settings.8.1.1  What You Need to KnowThe following terms and concepts may help as you read through this chapter.About the BM2022s Security FeaturesThe BM2022 security features are designed to protect against Denial of Service attacks when activated as well as block access to and from specific URLs and MAC addresses. Its purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The BM2022 can be used to prevent theft, destruction and modification of data. The BM2022 is installed between the LAN and a WiMAX base station connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.The BM2022 has one Ethernet (LAN) port. The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web. However, inbound access is not allowed (by default) unless the remote host is authorized to use a specific service.8.2  IP FilterUse this screen to block incoming connections from specific IP addresses.Click Security > Firewall > IP Filter to open this screen as shown next.Figure 58   IP Filter Screen
Chapter 8 SecurityBM2022 Users Guide122This screen contains the following fields:8.3  MAC FilterUse this screen to allow ("whitelist") or block ("blacklist") connections to and from specific devices on the network based on their unique MAC addresses.Note: This feature only works when the BM2022 is in bridge mode.Table 46   IP FilterLABEL DESCRIPTIONActive Indicates whether the current IP filter is active or not.Source IP This displays the source IP address for the IP filter rule.Click Add to create a new, empty rule, then enter the incoming IP address for the BM2022 to block.If you want to delete this rule, click the Delete icon.Source Port This displays the source port number for the IP filter rule.Click Add to create a new, empty rule, then enter the incoming port number for the BM2022 to block.If you want to delete this rule, click the Delete icon.Destination IP This displays the destination IP address for the IP filter rule.Click Add to create a new, empty rule, then enter the outgoing IP address for the BM2022 to block.If you want to delete this rule, click the Delete icon.Destination Port This displays the destination port number for the IP filter rule.Click Add to create a new, empty rule, then enter the outgoing port number for the BM2022 to block.If you want to delete this rule, click the Delete icon.Protocol This displays the protocol blocked by the IP filter rule.Click Add to create a new, empty rule, then select the protocol type for the BM2022 to block.If you want to delete this rule, click the Delete icon.Delete Click this to delete a specified rule.Add Click this to add a new filter rule.OK Click this to save any changes made to the list.
 Chapter 8 SecurityBM2022 Users Guide 123Click Security > Firewall > MAC Filter to open this screen as shown next.Figure 59   MAC Filter ScreenThis screen contains the following fields:8.4  DDOSUse these settings to potentially block specific types of Denial of Service attacks directed at your WiMAX Device.Table 47   MAC FilterLABEL DESCRIPTIONBlacklist/Whitelist Select either whitelist or blacklist for viewing and editing.Source MAC This displays the source MAC for the MAC filter rule.Click Add to create a new, empty rule, then enter the incoming MAC address for the BM2022 to block.If you want to delete this rule, click the Delete icon.Destination MAC This displays the destination MAC for the MAC filter rule.Click Add to create a new, empty rule, then enter the outgoing MAC address for the BM2022 to block.If you want to delete this rule, click the Delete icon.Mon ~ Sun Select which days of the week you want the filter rule to be effective.Start / End Time Select what time each day you want the filter rule to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00.Add Click this to add a new filter rule.OK Click this to save any changes made to the list.
Chapter 8 SecurityBM2022 Users Guide124Click Security > Firewall > DDOS to open this screen as shown next.Figure 60   DDOS ScreenThis screen contains the following fields:Table 48   DDOSLABEL DESCRIPTIONPrevent from TCP SYN FloodSelect this to monitor for and block TCP SYN flood attacks.A SYN flood is one type of denial of service attack where an overwhelming number of SYN requests assault a client device.Prevent from UDP FloodSelect this to monitor for and block UDP flood attacks.An UDP flood is a type of denial of service attack where an overwhelming number of UDP packets assault random ports on a client device. Because the device is forced to analyze and respond to each packet, it quickly becomes unreachable to other devices.Prevent from ICMP FloodSelect this to monitor for and block ICMP flood attacks.An ICMP flood is a type of denial of service attack where an overwhelming number of ICMP ping assault a client device, locking it down and preventing it from responding to requests from other servers.Prevent from Port ScanSelect this to monitor for and block port scan attacks.A port scan attack is typically the precursor to a full-blown denial of service attack wherein each port on a device is probed for security holes that can be exploited. 
Once a security flaw is discovered, an attacker can initiate the appropriate denial of service attack or intrusion attack against the client device.Prevent from LAND AttackSelect this to monitor for and block LAND attacks.A Local Area Network Denial (LAND) attack is a type of denial of service attack where a spoofed TCP SYN packet targets a client devices IP address and forces it into an infinite recursive loop of querying itself and then replying, effectively locking it down.Prevent from IP SpoofSelect this to monitor for and block IP address spoof attacks.An IP address spoof is an attack whereby the source IP address in the incoming IP packets allows a malicious party to masquerade as a legitimate user and gain access to the client device.Prevent from ICMP redirectSelect this to monitor for and block ICMP redirect attacks.An ICMP redirect attack is one where forged ICMP redirect messages can force the client device to route packets for certain connections through an attackers host.
 Chapter 8 SecurityBM2022 Users Guide 1258.5  PPTP VPN ServerUse this screen to configure settings for a Point to Point Tunneling Protocol (PPTP) server.Click Security > PPTP VPN > PPTP Server to open this screen as shown next.Figure 61   PPTP ServerThis screen contains the following fields:Prevent from PING of DeathSelect this to monitor for and block ping of death attacks.A Ping of Death (POD) attack is one where larger-than-allowed ping packets are fragmented then sent against a client device. This results in the client device suffering from a buffer overflow and subsequent system crash.Prevent from PING from WANSelect this to ignore ping requests from the WAN.Table 48   DDOS (continued)LABEL DESCRIPTIONTable 49   PPTP ServerLABEL DESCRIPTIONPPTP ServerEnable Use this field to turn the BM2022S PPTP VPN function on or off.Server Name Enter the server name for the PPTP VPN connection.
Chapter 8 SecurityBM2022 Users Guide126Auth Protocol Select the Authentication Protocol allowed for the connection.  Options are:PAP - Password Authentication Protocol (PAP) authentication occurs in clear text and does not use encryption.  Its probably not a good idea to rely on this for security.CHAP - Challenge Handshake Authentication Protocol (CHAP) provides authentication through a shared secret key and uses a three way handshake.MSCHAPv1 - Microsoft CHAP v1 (MSCHAPv1) provides authentication through a shared secret key and uses a three way handshake.  It provides improved usability with Microsoft products.MSCHAPv2 - Microsoft CHAP v2 (MSCHAPv2) provides encryption through a shared secret key and uses a three way handshake.  It provides additional security over MSCHAPv1, including two-way authentication.MPPE EncryptionIf MSCHAPv1 or MSCHAPv2 is selected as an Auth Protocol, use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE).  Options are:MPPE 40 - MPPE with 40 bit session key lengthMPPE 128 - MPPE with 128 bit session key lengthAuto - Automatically select either MPPE 40 or MPPE 128Local IP AddressEnter the local endpoint for the PPTP connection.Remote Start IPEnter the local IP address range the BM2022 assigns to remote users if the remote client device is set to obtain an IP address automatically.Idle Timeout Enter the time in minutes to timeout PPTP connections.DNS Server 1DNS Server 2Specify the IP addresses of DNS servers to assign to the remote users.User Access ListUser Name Enter the user name for the remote user.Server Select the server that the remote user has access to: PPTPD, L2TPD or Both.Password Enter the password for the remote user.IP Address Enter the local IP address the BM2022 assigns to the remote user.Entering 0.0.0.0 indicates the local IP address will be dynamically assigned.Delete Select an entry and click this to delete it. Add Click this to create a new entry. 
OK | Click this to save the changes.
Connection List
User Name | This displays the user name for the remote user.
Remote IP Address | This displays the remote endpoint IP address of the remote user.
PPTP IP Address | This displays the local IP address of the PPTP server.
Login Time | This displays the time the PPTP connection started.
Link Time(s) | This displays the duration of the PPTP connection.
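The difference between the PAP and CHAP options of the Auth Protocol field can be seen on the wire. The following is an added example, not part of the original manual or of the BM2022 firmware: it builds a PAP Authenticate-Request (RFC 1334) and runs the CHAP three way handshake (RFC 1994) between a toy server and client. The user name, secret and server name are constructed values.

```python
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def pap_request(ident: int, user: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: the password itself travels in the packet."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(packet: bytes):
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if length != len(packet) or 5 + size > length:
        raise ValueError("inconsistent CHAP length fields")
    return code, ident, packet[5:5 + size], packet[5 + size:]


def chap_digest(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || secret || Challenge), as RFC 1994 defines it."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets: dict):
        self.secrets = secrets      # user name -> shared secret
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, ident: int) -> bytes:
        """Step 1: send a fresh random challenge."""
        self.pending[ident] = os.urandom(16)
        return chap_packet(CHAP_CHALLENGE, ident, self.pending[ident], b"pptp-server")

    def verify(self, packet: bytes) -> int:
        """Step 3: recompute the digest and answer Success or Failure."""
        code, ident, value, name = parse_chap(packet)
        challenge = self.pending.pop(ident, None)   # each challenge is usable once
        secret = self.secrets.get(name)
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return CHAP_FAILURE
        expected = chap_digest(ident, secret, challenge)
        return CHAP_SUCCESS if hmac.compare_digest(value, expected) else CHAP_FAILURE


def chap_respond(challenge_packet: bytes, name: bytes, secret: bytes) -> bytes:
    """Step 2: the client proves knowledge of the secret without sending it."""
    code, ident, challenge, _ = parse_chap(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return chap_packet(CHAP_RESPONSE, ident, chap_digest(ident, secret, challenge), name)


def run_demo() -> dict:
    user, secret = b"alice", b"constructed-secret"     # constructed credentials
    server = ChapServer({user: secret})
    pap = pap_request(1, user, secret)
    challenge = server.challenge(1)
    response = chap_respond(challenge, user, secret)
    login = server.verify(response)
    server.challenge(1)                  # new challenge under the same identifier
    replay = server.verify(response)     # the earlier response no longer matches
    wrong = server.verify(chap_respond(server.challenge(2), user, b"wrong-secret"))
    return {
        "pap_exposes_password": secret in pap,
        "chap_exposes_password": secret in challenge + response,
        "login": login,
        "replay": replay,
        "wrong_secret": wrong,
    }


if __name__ == "__main__":
    print(run_demo())
```
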
8.6  PPTP VPN Client

Use this screen to view settings for Point to Point Tunneling Protocol (PPTP) clients.

Click Security > PPTP VPN > PPTP Client to open this screen as shown next.

Figure 62   PPTP Client

This screen contains the following fields:

Table 50   PPTP Client
LABEL | DESCRIPTION
# | This is the index number of the connection.
Profile Name | This is the name of this client connection.
Server IP | This is the IP address of the PPTP VPN server.
Assign IP | This is the local IP address the client assigns to itself or is assigned by the server.
MTU | This field indicates the Maximum Transmission Unit (MTU) for the connection.
Status | This is the connection status.
Add | Click this to add a VPN client profile.
Edit | Click this to edit an existing VPN client profile.
Connect | Select a VPN client connection and click this to connect.
Disconnect | Select a VPN client connection and click this to disconnect.

8.7  PPTP VPN Client: Add

Use this screen to configure settings for Point to Point Tunneling Protocol (PPTP) clients.
Click Security > PPTP VPN > PPTP Client > Add to open this screen as shown next.

Figure 63   PPTP Client: Add

This screen contains the following fields:

Table 51   PPTP Client: Add
LABEL | DESCRIPTION
Profile Name | Enter the name for this client connection.
NAT Mode? | Select Yes if the client will be located behind a NAT enabled router. This will allow multiple clients using NAT to connect with PPTP at the same time.
Auth Protocol | Select the Authentication Protocol allowed for the connection. Options are:
  PAP - Password Authentication Protocol (PAP) authentication occurs in clear text and does not use encryption. It's probably not a good idea to rely on this for security.
  CHAP - Challenge Handshake Authentication Protocol (CHAP) provides authentication through a shared secret key and uses a three way handshake.
  MSCHAPv1 - Microsoft CHAP v1 (MSCHAPv1) provides authentication through a shared secret key and uses a three way handshake. It provides improved usability with Microsoft products.
  MSCHAPv2 - Microsoft CHAP v2 (MSCHAPv2) provides encryption through a shared secret key and uses a three way handshake. It provides additional security over MSCHAPv1, including two-way authentication.
MPPE Encryption | If MSCHAPv1 or MSCHAPv2 is selected as an Auth Protocol, use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE). Options are:
  MPPE 40 - MPPE with 40 bit session key length.
  MPPE 128 - MPPE with 128 bit session key length.
  Auto - Automatically select either MPPE 40 or MPPE 128.
MPPE Stateful? | Select Yes to enable stateful MPPE encryption. This can increase performance over stateless MPPE, but should not be used in lossy network environments like layer two tunnels over the Internet.
Server IP Address | Enter the IP address of the PPTP server.
User Name | Enter the user name for connecting to the PPTP server.
Password | Enter the password for connecting to the PPTP server.
Retype | Retype the password for connecting to the PPTP server.
Get IP automatically | Select Yes to have the PPTP server assign a local IP address to the client.
Assign IP Address | Enter the IP address for the client. Ensure that the IP address is configured to be allowed on the PPTP server.
Idle Timeout | Enter the time in minutes to timeout PPTP connections.

8.8  L2TP VPN Server

Use this screen to configure settings for Layer 2 Tunneling Protocol (L2TP) server.

Click Security > L2TP VPN > L2TP Server to open this screen as shown next.

Figure 64   L2TP Server
This screen contains the following fields:

Table 52   L2TP Server
LABEL | DESCRIPTION
L2TP Server
Enable | Use this field to turn the BM2022's L2TP VPN function on or off.
Server Name | Enter the server name for the L2TP VPN connection.
Support Protocol Version | Select the L2TP Protocol Version 2 or 3. L2TPv2 is a standard method for tunneling Point-to-Point Protocol (PPP) while L2TPv3 provides improved support for other types of networks including frame relay and ATM.
Auth Protocol | Select the Authentication Protocol allowed for the connection. Options are:
  PAP - Password Authentication Protocol (PAP) authentication occurs in clear text and does not use encryption. It's probably not a good idea to rely on this for security.
  CHAP - Challenge Handshake Authentication Protocol (CHAP) provides authentication through a shared secret key and uses a three way handshake.
  MSCHAPv1 - Microsoft CHAP v1 (MSCHAPv1) provides authentication through a shared secret key and uses a three way handshake. It provides improved usability with Microsoft products.
  MSCHAPv2 - Microsoft CHAP v2 (MSCHAPv2) provides encryption through a shared secret key and uses a three way handshake. It provides additional security over MSCHAPv1, including two-way authentication.
MPPE Encryption | If MSCHAPv1 or MSCHAPv2 is selected as an Auth Protocol, use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE).
  Options are:
  MPPE 40 - MPPE with 40 bit session key length
  MPPE 128 - MPPE with 128 bit session key length
  Auto - Automatically select either MPPE 40 or MPPE 128
Local IP Address | Enter the local endpoint for the L2TP connection.
Remote Start IP | Enter the local IP address range the BM2022 assigns to remote users if the remote client device is set to obtain an IP address automatically.
Restrict Client IP? | Select Yes to restrict the remote client device local IP address.
Allow Client IP | Enter the local IP address range the remote client device is restricted to. If the client device is configured with a static IP address, it should be in this range.
Idle Timeout | Enter the time in minutes to timeout L2TP connections.
DNS Server 1 / DNS Server 2 | Specify the IP addresses of DNS servers to assign to the remote users.
User Access List
User Name | Enter the user name for the remote user.
Server | Select the server that the remote user has access to: PPTPD, L2TPD or Both.
Password | Enter the password for the remote user.
IP Address | Enter the local IP address the BM2022 assigns to the remote user. Entering 0.0.0.0 indicates the local IP address will be dynamically assigned.
Delete | Select an entry and click this to delete it.
Add | Click this to create a new entry.
OK | Click this to save the changes.
Connection List
User Name | This displays the user name for the remote user.
Remote IP Address | This displays the remote endpoint IP address of the remote user.
L2TP IP Address | This displays the local IP address of the L2TP server.
Login Time | This displays the time the L2TP connection started.
Link Time(s) | This displays the duration of the L2TP connection.
Disconnect | Select a client and click this button to disconnect the selected client.

8.9  L2TP VPN Client

Use this screen to view settings for Layer 2 Tunneling Protocol (L2TP) clients.

Click Security > L2TP VPN > L2TP Client to open this screen as shown next.

Figure 65   L2TP Client

This screen contains the following fields:

Table 53   L2TP Client
LABEL | DESCRIPTION
# | This is the index number of the connection.
Profile Name | This is the name of this client connection.
Server IP | This is the IP address of the L2TP VPN server.
Assign IP | This is the local IP address the client assigns to itself or is assigned by the server.
MTU | This field indicates the Maximum Transmission Unit (MTU) for the connection.
Status | This is the connection status.
Add | Click this to add a VPN client profile.
Edit | Click this to edit an existing VPN client profile.
Connect | Select a VPN client connection and click this to connect.
Disconnect | Select a VPN client connection and click this to disconnect.

8.10  L2TP VPN Client: Add

Use this screen to configure settings for Layer 2 Tunneling Protocol (L2TP) clients.
Click Security > L2TP VPN > L2TP Client > Add to open this screen as shown next.

Figure 66   L2TP Client: Add

This screen contains the following fields:

Table 54   L2TP Client: Add
LABEL | DESCRIPTION
Profile Name | Enter the name for this client connection.
L2TP Protocol Version | Select the L2TP Protocol Version 2 or 3. L2TPv2 is a standard method for tunneling Point-to-Point Protocol (PPP) while L2TPv3 provides improved support for other types of networks including frame relay and ATM.
NAT Mode? | Select Yes if the client will be located behind a NAT enabled router. This will allow multiple clients using NAT to connect with L2TP at the same time.
Auth Protocol | Select the Authentication Protocol allowed for the connection. Options are:
  PAP - Password Authentication Protocol (PAP) authentication occurs in clear text and does not use encryption. It's probably not a good idea to rely on this for security.
  CHAP - Challenge Handshake Authentication Protocol (CHAP) provides authentication through a shared secret key and uses a three way handshake.
  MSCHAPv1 - Microsoft CHAP v1 (MSCHAPv1) provides authentication through a shared secret key and uses a three way handshake. It provides improved usability with Microsoft products.
  MSCHAPv2 - Microsoft CHAP v2 (MSCHAPv2) provides encryption through a shared secret key and uses a three way handshake. It provides additional security over MSCHAPv1, including two-way authentication.
MPPE Encryption | If MSCHAPv1 or MSCHAPv2 is selected as an Auth Protocol, use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE). Options are:
  MPPE 40 - MPPE with 40 bit session key length
  MPPE 128 - MPPE with 128 bit session key length
  Auto - Automatically select either MPPE 40 or MPPE 128
MPPE Stateful? | Select Yes to enable stateful MPPE encryption.
  This can increase performance over stateless MPPE, but should not be used in lossy network environments like layer two tunnels over the Internet.
Server IP Address | Enter the IP address of the L2TP server.
User Name | Enter the user name for connecting to the L2TP server.
Password | Enter the password for connecting to the L2TP server.
Retype | Retype the password for connecting to the L2TP server.
Get IP automatically | Select Yes to have the L2TP server assign a local IP address to the client.
Assign IP Address | Enter the IP address for the client. Ensure that the IP address is configured to be allowed on the L2TP server.
Idle Timeout | Enter the time in minutes to timeout L2TP connections.

8.11  IPSec VPN

8.11.1  The General Screen

The following figure helps explain the main fields in the web configurator.

Figure 67   IPSec Fields Summary (figure labels: Local Network, Local IP Address, Remote Network, Remote IP Address, Remote IPSec Router, VPN Tunnel)

Click Security > IPSec VPN to open this screen as shown next.

Figure 68   IPSec VPN

This screen contains the following fields:

Table 55   IPSec VPN
LABEL | DESCRIPTION
# | This is the VPN policy index number.
Name | Enter the name of the VPN connection.
Enabled | This displays if the VPN policy is enabled.
Local Endpoint | This displays the IP address of the BM2022.
Remote Endpoint | This displays the IP address of the remote IPSec router.
Local Network | This displays the single (static) IP address on the LAN behind your BM2022 or the IP address and subnet mask of a network behind your BM2022.
Remote Network | This displays the single (static) IP address on the LAN behind the remote IPSec router or the IP address and subnet mask of a network behind the remote IPSec router.
Add | Click this button to add an item to the list.
8.11.2  IPSec VPN: Add

Use these settings.  Click Security > IPSec VPN > Add to open this screen as shown next.

Figure 69   IPSec VPN: Add
This screen contains the following fields:

Table 56   IPSec VPN: Add
LABEL | DESCRIPTION
Property
Enable | Select Enable to activate this VPN policy.
Connection Name | Enter the name of the VPN connection.
Connection Type | Select the scenario that best describes your intended VPN connection.
  Initiator - Choose this to connect to an IPSec server. The BM2022 is the client (dial-in user) and can initiate the VPN connection.
  On Demand - Choose this if the remote IPSec router has a static IP address or a domain name. This BM2022 can initiate the VPN tunnel.
  Responder - Choose this to allow incoming connections from IPSec VPN clients. The clients can have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
Gateway Information
Local Endpoint
Interface | Select the interface for the VPN gateway.
IP Address | Enter the IP address of the BM2022 in the IKE SA.
Remote Endpoint
IP Address | Enter the IP address of the remote IPSec router in the IKE SA.
Authentication Method
Pre-Shared Key | Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself.
Local ID Type | Select IP to identify the BM2022 by its IP address. Select Domain Name to identify this BM2022 by a domain name. Select E-mail to identify this BM2022 by an e-mail address.
Content | When you select IP in the Local ID Type field, type the IP address of your computer in the Content field. If you configure the Content field to 0.0.0.0 or leave it blank, the BM2022 automatically uses the Pre-Shared Key (refer to the Pre-Shared Key field description).
  It is recommended that you type an IP address other than 0.0.0.0 in the Content field or use the Domain Name or E-mail ID type in the following situations.
  - When there is a NAT router between the two IPSec routers.
  - When you want the remote IPSec router to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses.
  When you select Domain Name or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this BM2022 in the Local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
Remote ID Type | Select IP to identify the remote IPSec router by its IP address. Select Domain Name to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.
Content | The configuration of the remote content depends on the remote ID type.
  For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the BM2022 will use the address in the Remote Endpoint field (refer to the Remote Endpoint field description).
  For Domain Name or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.
  It is recommended that you type an IP address other than 0.0.0.0 or use the Domain Name or E-mail ID type in the following situations:
  - When there is a NAT router between the two IPSec routers.
  - When you want the BM2022 to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses.
IKE Phase 1
Proposal
# | This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
Encryption | Select which key size and encryption algorithm to use in the IKE SA. Choices are:
  DES - a 56-bit key with the DES encryption algorithm
  3DES - a 168-bit key with the DES encryption algorithm
  AES128 - a 128-bit key with the AES encryption algorithm
  AES192 - a 192-bit key with the AES encryption algorithm
  AES256 - a 256-bit key with the AES encryption algorithm
  The BM2022 and the remote IPSec router must use the same key size and encryption algorithm.
  Longer keys require more processing power, resulting in increased latency and decreased throughput.
Authentication | Select which hash algorithm to use to authenticate packet data. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
Remove | Select an entry and click this to delete it.
Add | Click this to create a new entry.
OK | Click this to save the changes.
Key Group | Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:
  DH1 - use a 768-bit random number
  DH2 - use a 1024-bit random number
  DH5 - use a 1536-bit random number
  The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
SA Life Time | Type the maximum number of seconds the IKE SA can last. When this time has passed, the BM2022 and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however.
Dead Peer Detection (DPD) | Select this check box if you want the BM2022 to make sure the remote IPSec router is there before it transmits data through the IKE SA. The remote IPSec router must support DPD. If the remote IPSec router does not respond, the BM2022 shuts down the IKE SA. If the remote IPSec router does not support DPD, see if you can use the VPN connection connectivity check.
DPD Interval | Specify the time interval for the BM2022 to send a DPD message to the remote IPSec router.
DPD Idle Try | Specify the maximum number of times the BM2022 sends the DPD message.
Local Network | Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
  In order to have more than one active rule with the Remote Endpoint field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
  If you configure an active rule with 0.0.0.0 in the Remote Endpoint field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Remote Endpoint field set to 0.0.0.0.
Address Type | Select Single address or Subnet address to specify if the VPN connection begins at an IP address or subnet.
Start IP Address | If Single address is selected, enter a (static) IP address on the LAN behind your BM2022. If Subnet address is selected, specify IP addresses on a network by their subnet mask by entering a (static) IP address on the LAN behind your BM2022.
  Then enter the subnet mask to identify the network address.
Subnet Mask | If Subnet address is selected, enter the subnet mask to identify the network address.
Local Port | Select how the BM2022 checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the BM2022 regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings. Select tcp or udp to have the BM2022 regularly perform a TCP or UDP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP or UDP connection. If you select tcp or udp, specify the port number to use for the connectivity check.
Remote Network | Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Remote Endpoint field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
  Two active SAs cannot both have the same local and remote IP address(es). Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Address Type | Select Single address or Subnet address to specify if the VPN connection terminates at an IP address or subnet.
Start IP Address | If Single address is selected, enter a (static) IP address on the LAN behind the remote IPSec router. If Subnet address is selected, specify IP addresses on a network by their subnet mask by entering a (static) IP address on the LAN behind the remote IPSec router. Then enter the subnet mask to identify the network address.
Subnet Mask | If Subnet address is selected, enter the subnet mask to identify the network address.
Remote Port | Select how the BM2022 checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the BM2022 regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings. Select tcp or udp to have the BM2022 regularly perform a TCP or UDP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP or UDP connection. If you select tcp or udp, specify the port number to use for the connectivity check.
IPSec Proposal
Encapsulation Mode | Select Tunnel mode or Transport mode from the drop-down list box.
Active Protocol | Select the security protocols used for an SA. Both AH and ESP increase processing requirements and communications latency (delay). If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below).
Encryption Algorithm | Select which key size and encryption algorithm to use in the IPSec SA.
  Choices are:
  DES - a 56-bit key with the DES encryption algorithm
  3DES - a 168-bit key with the DES encryption algorithm
  AES128 - a 128-bit key with the AES encryption algorithm
  AES192 - a 192-bit key with the AES encryption algorithm
  AES256 - a 256-bit key with the AES encryption algorithm
  The BM2022 and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput.
Authentication Algorithm | Select which hash algorithm to use to authenticate packet data. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower.
SA Life Time | Define the length of time before an IPSec SA automatically renegotiates in this field. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Perfect Forward Secrecy (PFS) | Select whether or not you want to enable Perfect Forward Secrecy (PFS). PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
Save | Click Apply to save your changes back to the BM2022.
Cancel | Click Cancel to restore your previous settings.

8.12  Technical Reference

This section provides some technical background information about the topics covered in this section.

8.12.1  IPSec Architecture

The overall IPSec architecture is shown as follows.

Figure 70   IPSec Architecture

IPSec Algorithms

The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).

The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols.

Key Management

Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN.

8.12.2  Encapsulation

The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. At the time of writing, the BM2022 supports Tunnel mode only.

Figure 71   Transport and Tunnel Mode IPSec Encapsulation

Transport Mode

Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).

With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP header information and options are not used in the authentication process. Therefore, the originating IP address cannot be verified for integrity against the data.

With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process.

Tunnel Mode

Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is the most common mode of operation. Tunnel mode is required for gateway to gateway and host to gateway communications. Tunnel mode communications have two sets of IP headers:
- Outside header: The outside IP header contains the destination IP address of the VPN gateway.
- Inside header: The inside IP header contains the destination IP address of the final system behind the VPN gateway. The security protocol appears after the outer IP header and before the inside IP header.

8.12.3  IKE Phases

There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.

Figure 72   Two Phases to Set Up the IPSec SA

In phase 1 you must:
- Choose a negotiation mode.
- Authenticate the connection by entering a pre-shared key.
- Choose an encryption algorithm.
- Choose an authentication algorithm.
- Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
- Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.

In phase 2 you must:
- Choose an encryption algorithm.
- Choose an authentication algorithm.
- Choose a Diffie-Hellman public-key cryptography key group.
- Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The BM2022 automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic.
8.12.4  Negotiation Mode

The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations.

Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).

Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However, the trade-off is that faster speed limits its negotiating power and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre-shared key authentication.

8.12.5  IPSec and NAT

Read this section if you are running IPSec on a host computer behind the BM2022.

NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.

A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered.

IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet.
The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet.

Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. Transport mode ESP with authentication is not compatible with NAT.

Table 57   VPN and NAT
SECURITY PROTOCOL | MODE | NAT
AH | Transport | N
AH | Tunnel | N
ESP | Transport | N
ESP | Tunnel | Y
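The four rows of Table 57 can be reproduced with a small model of what each integrity check covers. This is an added example, not code from the manual or the BM2022: it uses a simplified packet layout (outer IP header, SPI and sequence number, protected data, then an HMAC-SHA-1-96 value), leaves out payload encryption because only the coverage of the hash matters here, and uses constructed addresses and a constructed key. It goes one step beyond the text by showing why transport mode ESP fails: the hash still matches, but the UDP checksum inside the packet was computed over the original addresses.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-integrity-key"   # constructed shared key for the ICV
AH, ESP, UDP = 51, 50, 17                 # IP protocol numbers


def csum(data: bytes) -> int:
    """Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", csum(hdr)) + hdr[12:]


def pseudo(src: bytes, dst: bytes, length: int) -> bytes:
    """UDP pseudo-header: both IP addresses take part in the UDP checksum."""
    return src + dst + struct.pack("!BBH", 0, UDP, length)


def udp(src: str, dst: str, data: bytes) -> bytes:
    hdr = struct.pack("!HHHH", 4000, 5000, 8 + len(data), 0)
    ph = pseudo(socket.inet_aton(src), socket.inet_aton(dst), 8 + len(data))
    return hdr[:6] + struct.pack("!H", csum(ph + hdr + data) or 0xFFFF) + data


def icv(data: bytes) -> bytes:
    """HMAC-SHA-1-96 (RFC 2404): HMAC-SHA-1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def immutable(ip: bytes) -> bytes:
    """IP header as AH hashes it: TOS, flags/offset, TTL and checksum zeroed, addresses kept."""
    return ip[:1] + b"\x00" + ip[2:6] + b"\x00" * 3 + ip[9:10] + b"\x00" * 2 + ip[12:20]


def covered(proto: int, outer: bytes, sec: bytes, inner: bytes) -> bytes:
    """AH authenticates the outer IP header too; ESP authenticates only what follows it."""
    return (immutable(outer) if proto == AH else b"") + sec + inner


def protect(proto: int, mode: str, host_a: str, host_b: str, gw_a: str, gw_b: str) -> bytes:
    """Build one protected packet: outer IP header | SPI + sequence | protected data | ICV."""
    dgram = udp(host_a, host_b, b"constructed payload")
    if mode == "tunnel":       # the whole original packet travels between the gateways
        inner, src, dst = ip_header(host_a, host_b, UDP, len(dgram)) + dgram, gw_a, gw_b
    else:                      # transport: only the upper-layer data, host to host
        inner, src, dst = dgram, host_a, host_b
    sec = struct.pack("!II", 0x1001, 1)
    outer = ip_header(src, dst, proto, len(sec) + len(inner) + 12)
    return outer + sec + inner + icv(covered(proto, outer, sec, inner))


def rewrite(packet: bytes, src: str = None, ttl_drop: int = 0) -> bytes:
    """Router behaviour: optionally NAT the outer source address, lower TTL, fix the checksum."""
    new_src = socket.inet_aton(src) if src else packet[12:16]
    hdr = packet[:8] + bytes([packet[8] - ttl_drop]) + packet[9:10] + b"\x00\x00" + new_src + packet[16:20]
    return hdr[:10] + struct.pack("!H", csum(hdr)) + hdr[12:] + packet[20:]


def accepted(packet: bytes, proto: int, mode: str) -> bool:
    """Receiver: verify the ICV, then the UDP checksum of the datagram that is delivered."""
    outer, sec, inner, tag = packet[:20], packet[20:28], packet[28:-12], packet[-12:]
    if not hmac.compare_digest(tag, icv(covered(proto, outer, sec, inner))):
        return False           # hash mismatch: treated as altered data
    if mode == "tunnel":       # addresses come from the untouched inner header
        src, dst, dgram = inner[12:16], inner[16:20], inner[20:]
    else:                      # transport: addresses come from the rewritten outer header
        src, dst, dgram = outer[12:16], outer[16:20], inner
    return csum(pseudo(src, dst, len(dgram)) + dgram) == 0


def nat_table() -> dict:
    """For each protocol and mode: does the packet survive a source-address rewrite?"""
    result = {}
    for proto, name in ((AH, "AH"), (ESP, "ESP")):
        for mode in ("transport", "tunnel"):
            pkt = protect(proto, mode, "192.168.1.33", "10.0.0.7", "192.168.1.2", "203.0.113.2")
            if not accepted(pkt, proto, mode):
                raise RuntimeError("untouched packet must verify")
            result[(name, mode)] = accepted(rewrite(pkt, src="198.51.100.9"), proto, mode)
    return result


if __name__ == "__main__":
    for row, ok in nat_table().items():
        print(row, "Y" if ok else "N")
```
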
8.12.6  VPN, NAT, and NAT Traversal

NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address. As a result, the VPN device at the receiving end finds a mismatch between the hash value and the data and assumes that the data has been maliciously altered.

NAT is not normally compatible with ESP in transport mode either, but the BM2022's NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers.

Figure 73   NAT Router Between IPSec Routers

Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. In the above figure, when IPSec router A tries to establish an IKE SA, IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA.

For NAT traversal to work, you must:
- Use ESP security protocol (in either transport or tunnel mode).
- Use IKE keying mode.
- Enable NAT traversal on both IPSec endpoints.
- Set the NAT router to forward UDP port 500 to IPSec router A.

Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device.
The compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following table.

Table 58   VPN and NAT
SECURITY PROTOCOL   MODE        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   Y*
ESP                 Tunnel      Y

Y* - This is supported in the BM2022 if you enable NAT traversal.

8.12.7  ID Type and Content

With aggressive negotiation mode (see Section 8.12.4 on page 143), the BM2022 identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the BM2022 to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses.

Regardless of the ID type and content configuration, the BM2022 does not allow you to save multiple active rules with overlapping local and remote IP addresses.

With main mode (see Section 8.12.4 on page 143), the ID type and content are encrypted to provide identity protection. In this case the BM2022 can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The BM2022 can distinguish up to 48 incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and eight key groups when you configure a VPN rule (see Section 8.11.1 on page 133). The ID type and content act as an extra level of identification for incoming SAs.

The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address.

Table 59   Local ID Type and Content Fields
LOCAL ID TYPE=   CONTENT=
IP   Type the IP address of your computer.
DNS   Type a domain name (up to 31 characters) by which to identify this BM2022.
E-mail   Type an e-mail address (up to 31 characters) by which to identify this BM2022.

The domain name or e-mail address that you use in the Local ID Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.

8.12.7.1  ID Type and Content Examples

Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel. The two BM2022s in this example can complete negotiation and establish a VPN tunnel.

Table 60   Matching ID Type and Content Configuration Example
BM2022 A                                 BM2022 B
Local ID type: E-mail                    Local ID type: IP
Local ID content: tom@yourcompany.com    Local ID content: 1.1.1.2
Remote ID type: IP                       Remote ID type: E-mail
Remote ID content: 1.1.1.2               Remote ID content: tom@yourcompany.com

The two BM2022s in this example cannot complete their negotiation because BM2022 B's Local ID type is IP, but BM2022 A's Remote ID type is set to E-mail. An ID mismatched message displays in the IPSEC LOG.

Table 61   Mismatching ID Type and Content Configuration Example
BM2022 A                                 BM2022 B
Local ID type: IP                        Local ID type: IP
Local ID content: 1.1.1.10               Local ID content: 1.1.1.2
Remote ID type: E-mail                   Remote ID type: IP
Remote ID content: aa@yahoo.com          Remote ID content: 1.1.1.0
8.12.8  Pre-Shared Key

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section 8.12.3 on page 142 for more on IKE phases). It is called pre-shared because you have to share it with another party before you can communicate with them over a secure connection.

8.12.9  Diffie-Hellman (DH) Key Groups

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit, 1024-bit, 1536-bit, 2048-bit, and 3072-bit Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.
CHAPTER 9
The VoIP General Screens

9.1  VoIP Overview

The VOICE > General screens allow you to set up global SIP and Quality of Service (QoS) settings.

VoIP (Voice over IP) is the sending of voice signals over the Internet Protocol. This allows you to make phone calls and send faxes over the Internet at a fraction of the cost of using the traditional circuit-switched telephone network. You can also use servers to run telephone service applications like PBX services and voice mail. Internet Telephony Service Provider (ITSP) companies provide VoIP service. A company could alternatively set up an IP-PBX and provide its own VoIP service.

Circuit-switched telephone networks require 64 kilobits per second (kbps) in each direction to handle a telephone call. VoIP can use advanced voice coding techniques with compression to reduce the required bandwidth.

9.1.1  What You Can Do in This Chapter

- The Media screen (Section 9.2 on page 149) lets you set up and maintain global VoIP settings on the BM2022.
- The QoS screen (Section 9.3 on page 150) lets you set up and maintain QoS settings for voice traffic flowing through the BM2022.
- The SIP screen (Section 9.4 on page 151) lets you enable the session timer and select the SIP session refresh method.
- The Speed Dial screen (Section 9.5 on page 151) lets you add, edit, or remove speed-dial entries for the phone line.

9.1.2  What You Need to Know

The following terms and concepts may help as you read through this chapter.

Voice Coding

A codec (coder/decoder) codes analog voice signals into digital signals and decodes the digital signals back into voice signals. The BM2022 supports the following codecs.

- G.711 is a Pulse Code Modulation (PCM) waveform codec. PCM measures analog signal amplitudes at regular time intervals (sampling) and converts them into digital bits (quantization). Quantization reads the analog signal and then writes it to the nearest digital value. For this reason, a digital sample is usually slightly different from its analog original (this difference is known as quantization noise). G.711 provides excellent sound quality but requires 64kbps of bandwidth.
- G.729 is an Analysis-by-Synthesis (AbS) hybrid waveform codec. It uses a filter based on information about how the human vocal tract produces sounds. The codec analyzes the incoming voice signal and attempts to synthesize it using its list of voice elements. It tests the synthesized signal against the original and, if it is acceptable, transmits details of the voice elements it used to make the synthesis. Because the codec at the receiving end has the same list, it can exactly recreate the synthesized audio signal. G.729 provides good sound quality and reduces the required bandwidth to 8kbps.

Quality of Service (QoS)

Quality of Service (QoS) refers to both a network's ability to deliver data with minimum delay and the networking methods used to provide bandwidth for real-time multimedia applications.

Type Of Service (ToS)

Network traffic can be classified by setting the ToS (Type Of Service) values at the data source (for example, at the BM2022) so a server can decide the best method of delivery, that is the least cost, fastest route and so on. The ToS field consists of 8 bits. The first 3 bits indicate the priority of the packet.

DiffServ

DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advance notice of where the traffic is going.

DiffServ uses the first 6 bits of the 8-bit ToS value so that it can be backward compatible with non-DiffServ compliant but ToS-enabled network devices. See Section 9.6.1 on page 152 for more information.

SIP

The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling. SIP handles telephone calls and can interface with traditional circuit-switched telephone networks.

RTP

When you make a VoIP call using SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.

Speed Dial

Speed dial provides shortcuts for dialing frequently used phone numbers. You can map a phone number to a self-defined key(s) and then use that key(s) to call the phone number. For example, you can map 123456 to #01. When you press #01 it means that you press 123456.
9.1.3  Before you Begin

- Ensure that you have all of your voice account information on hand. If not, contact your voice account service provider to find out which settings in this chapter you should configure in order to use your telephone with the BM2022.
- Connect your BM2022 to the Internet, as described in the Quick Start Guide. If you have not already done so, then you will not be able to test your VoIP settings.

9.2  Media

Click VoIP > General > Media to set up and maintain global VoIP settings.

Figure 74   VoIP > General > Media

The following table describes the labels in this screen.

Table 62   VoIP > General > Media
LABEL   DESCRIPTION
Port Range
Media Port Start, Media Port End   Enter the listening port number(s) for RTP traffic on the BM2022, if your VoIP service provider gave you this information. Otherwise, keep the default values. To enter one port number, enter the port number in both the Media Port Start and Media Port End fields. To enter a range of ports, enter the beginning port number of the range in the Media Port Start field and the ending port number in the Media Port End field.
Codec Packetization Time Settings
G.711, G.729   Select how often (10 to 60 msecs) the BM2022 sends an RTP packet for each type of voice coder/decoder (codec) G.711 and G.729.
Advanced
Voice Jitter Buffer Type   Voice jitter is a variation in delay of RTP packets delivery. This could cause strange sound effects. The BM2022 can utilize the following types of jitter buffer to minimize the effects of jitter. Dynamic - Jitter buffer size is dynamically changed by RTP packets delivery status. Static - Jitter buffer size is fixed.
Voice Jitter Buffer Length   Select the maximum number of milliseconds of voice traffic the BM2022 can help to smooth out the jitter in order to ensure good voice quality for your conversations.
Packet Loss Concealment   Packets may be dropped due to an overwhelming amount of traffic on the network. Some degree of packet loss will not be noticeable to the end user, but as packet loss increases the quality of sound degrades. Select this to have the BM2022 improve the voice quality when packet loss occurs.
T.38 Static Jitter Length   T.38 is an ITU-T standard that VoIP devices use to send fax messages over the Internet. Select the number of milliseconds for the jitter buffer size used for transmitting T.38 fax messages.

9.3  QoS

This section describes the features of the Quality of Service (QoS) screen.

Click VoIP > General > QoS to set up Type of Service (ToS) and Differentiated Services (Diffserv) settings for voice traffic transmission through the BM2022.

Figure 75   VoIP > General > QoS

The following table describes the labels in this screen.

Table 63   VoIP > General > QoS
LABEL   DESCRIPTION
SIP ToS/DiffServ   Enter the DSCP value you want to mark on all outgoing SIP packets generated by the BM2022 for DiffServ-enabled networks. Since DiffServ uses the first 6 bits of the 8-bit IP ToS field to represent the DSCP value, enter here the 6-bit DSCP value you want to mark in hexadecimal (in a format of 0x00), and the BM2022 will then automatically append 2 bits '0' to make a whole 8-bit ToS field value for all outgoing SIP packets. For example, if you enter 0x2E, it is 101110 in binary for DSCP. The BM2022 converts it to 10111000 in binary and marks it in the IP ToS field of all the outgoing SIP packets.
RTP ToS/DiffServ   Enter the DSCP value you want to mark on all outgoing VoIP data packets (including both RTP and T.38 UDPTL packets) generated by the BM2022 for DiffServ-enabled networks.
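To confirm that the values entered in the two ToS/DiffServ fields actually appear on the wire, the ToS byte of captured packets can be compared with what the fields should produce. The following is an added example, not part of the manual or the BM2022 firmware; the packets, the SIP local port 5060 and the media port range 50000 to 50100 are constructed assumptions.

```python
import re
import struct

def tos_from_dscp_field(text):
    """Validate a value typed as 0x00 in a ToS/DiffServ field and return the
    8-bit ToS byte: the 6-bit DSCP followed by the two appended '0' bits."""
    if not re.fullmatch(r"0x[0-9A-Fa-f]{2}", text):
        raise ValueError("expected the form 0x00")
    dscp = int(text, 16)
    if dscp > 0x3F:
        raise ValueError("DSCP is a 6-bit value, 0x00 to 0x3F")
    return dscp << 2

def split_tos(tos):
    """Read a ToS byte both ways: DiffServ (6 + 2 bits) and legacy precedence (first 3 bits)."""
    return {"dscp": tos >> 2, "unused": tos & 0b11, "precedence": tos >> 5}

def udp_packet(tos, sport, dport, data=b""):
    """Constructed IPv4/UDP packet for the sample capture (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28 + len(data), 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 1]), bytes([198, 51, 100, 20]))
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def audit_marking(packets, sip_field, rtp_field, sip_port, media_ports):
    """Return (index, kind, seen_tos, expected_tos) for every outgoing SIP or RTP
    packet whose ToS byte differs from what the configured fields should produce."""
    expected = {"SIP": tos_from_dscp_field(sip_field),
                "RTP": tos_from_dscp_field(rtp_field)}
    findings = []
    for index, pkt in enumerate(packets):
        if pkt[0] >> 4 != 4 or pkt[9] != 17:   # only IPv4 carrying UDP
            continue
        header_len = (pkt[0] & 0x0F) * 4
        sport = struct.unpack("!H", pkt[header_len:header_len + 2])[0]
        if sport == sip_port:
            kind = "SIP"
        elif media_ports[0] <= sport <= media_ports[1]:
            kind = "RTP"
        else:
            continue                            # not VoIP traffic from the device
        if pkt[1] != expected[kind]:
            findings.append((index, kind, pkt[1], expected[kind]))
    return findings

# Constructed capture: SIP field set to 0x1A, RTP field set to 0x2E.
SAMPLE = [
    udp_packet(0x68, 5060, 5060),      # SIP, marked with DSCP 0x1A
    udp_packet(0xB8, 50004, 40000),    # RTP, marked with DSCP 0x2E
    udp_packet(0x00, 50006, 40002),    # RTP, left unmarked
    udp_packet(0x00, 53124, 53),       # unrelated UDP traffic, ignored
]

if __name__ == "__main__":
    print(split_tos(tos_from_dscp_field("0x2E")))
    for finding in audit_marking(SAMPLE, "0x1A", "0x2E", 5060, (50000, 50100)):
        print("packet %d (%s): ToS 0x%02X, expected 0x%02X" % finding)
```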
9.4  SIP Settings

Click VoIP > General > SIP to set up session timer on the BM2022. See Section 10.8 on page 163 for more information on SIP.

Figure 76   VoIP > General > SIP

The following table describes the labels in this screen.

Table 64   VoIP > General > SIP
LABEL   DESCRIPTION
Session Timer Enable   Select this to activate the BM2022's SIP Session Timer. SIP Session Timer is a function used by both of the communication peers to determine if the call session is still active (alive) or not. It uses the method specified in the following Refresh Method field to periodically refresh the SIP sessions.
Refresh Method   Select the method to be used for periodically refreshing SIP sessions, to determine if the session is still active. Select UPDATE to use Update requests to refresh the session and select INVITE to use Re-Invite requests. You should use the same method as the peer device. The Update method uses less overhead than Re-Invite, but is not as widely supported as Re-Invite. By default the BM2022 is set to use the UPDATE method. When set to UPDATE, the BM2022 can also revert to using the INVITE method for SIP session refresh, depending on the method supported and allowed by the peer device.

9.5  Speed Dial

Speed dial allows you to use a shorter number for dialing frequently used phone numbers.

Click VoIP > General > Speed Dial to add, edit, or remove speed-dial rules.

Figure 77   VoIP > General > Speed Dial

The following table describes the labels in this screen.

Table 65   VoIP > General > Speed Dial
LABEL   DESCRIPTION
Speed Dial Rules - This is a list of speed dial numbers. To edit an existing speed dial rule, you can click the row for the rule and editable fields will appear.
Active   This field displays whether the rule is activated or not.
Short Number   This field displays the abbreviated number you want to use to substitute for the real (actual) phone number in the following Real Number field. When the rule is activated, you can press the assigned Short Number to dial the Real Number.
Real Number   This field displays the actual phone number you want the BM2022 to call when you use the specified Short Number. Enter the actual phone number you want the BM2022 to call when you use the specified Short Number if you are editing the entry.
Notes   This field displays additional information for this speed-dial rule. Enter additional information or any remark for this speed-dial rule if you are editing the entry.
Remove   Click this to remove the rule.
Add   Click this to add a new speed-dial rule.
OK   Click this to save the changes you made in this table.

9.6  Technical Reference

The following section contains additional technical information about the BM2022 features described in this chapter.

9.6.1  DSCP and Per-Hop Behavior

DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.

Figure 78   DiffServ: Differentiated Service Field
DSCP (6-bit)   Unused (2-bit)

DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping.

The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different priorities of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.
CHAPTER 10
The VoIP Account Screens

10.1  Overview

Use the VoIP > Account screens to configure SIP servers, authentication, additional VoIP features, dialing timeout values and how to handle fax messages for the account on the BM2022.

10.1.1  What You Can Do in This Chapter

- The Status screen (Section 10.2 on page 156) lets you view the current status of the SIP server, and selected phone line and call history. You can also manually disconnect the VoIP connection or request the SIP server for a new connection.
- The Server screen (Section 10.3 on page 158) lets you configure the SIP server, proxy server and outbound server settings for the phone line.
- The SIP screen (Section 10.4 on page 159) lets you configure the SIP account, codec and SIP settings for the phone line.
- The Feature screen (Section 10.5 on page 161) lets you configure the SIP additional functions such as DTMF, call forward and call waiting for the phone line.
- The Dialing screen (Section 10.6 on page 162) lets you configure some timeout setting for the phone line.
- The FAX screen (Section 10.7 on page 163) lets you configure which standard the phone line uses for sending faxes.

10.1.2  What You Need to Know

The following terms and concepts may help as you read through this chapter.

SIP Identities

A SIP account uses an identity (sometimes referred to as a SIP address). A complete SIP identity is called a SIP URI (Uniform Resource Identifier). A SIP account's URI identifies the SIP account in a way similar to the way an e-mail address identifies an e-mail account. The format of a SIP identity is SIP-Number@SIP-Service-Domain.

SIP Number

The SIP number is the part of the SIP URI that comes before the @ symbol. A SIP number can use letters like in an e-mail address (johndoe@your-ITSP.com for example) or numbers like a telephone number (1122334455@VoIP-provider.com for example).

SIP Service Domain

The SIP service domain of the VoIP service provider (the company that lets you make phone calls over the Internet) is the domain name in a SIP URI. For example, if the SIP address is 1122334455@VoIP-provider.com, then VoIP-provider.com is the SIP service domain.

SIP Register Server

A SIP register server maintains a database of SIP identity-to-IP address (or domain name) mapping. The register server checks your user name and password when you register.

SIP User Agent

A SIP user agent can make and receive VoIP telephone calls. This means that SIP can be used for peer-to-peer communications even though it is a client-server protocol. In the following figure, either A or B can act as a SIP user agent client to initiate a call. A and B can also both act as a SIP user agent to receive the call.

Figure 79   SIP User Agent

SIP Proxy Server

A SIP proxy server receives requests from clients and forwards them to another server.

In the following example, you want to use client device A to call someone who is using client device C.

1. The client device (A in the figure) sends a call invitation to the SIP proxy server (B).
2. The SIP proxy server forwards the call invitation to C.

Figure 80   SIP Proxy Server
STUN

STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the BM2022 to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the BM2022 to find the public IP address that NAT assigned, so the BM2022 can embed it in the SIP data stream. STUN does not work with symmetric NAT routers or firewalls. See RFC 3489 for details on STUN.

The following figure shows how STUN works.

1. The BM2022 (A) sends SIP packets to the STUN server (B).
2. The STUN server (B) finds the public IP address and port number that the NAT router used on the BM2022's SIP packets and sends them to the BM2022.
3. The BM2022 uses the public IP address and port number in the SIP packets that it sends to the SIP server (C).

Figure 81   STUN

Outbound Proxy

Your VoIP service provider may host a SIP outbound proxy server to handle all of the BM2022's VoIP traffic. This allows the BM2022 to work with any type of NAT router and eliminates the need for STUN or a SIP ALG. Turn off a SIP ALG on a NAT router in front of the BM2022 to keep it from retranslating the IP address (since this is already handled by the outbound proxy server).

NAT and SIP

The BM2022 must register its public IP address with a SIP register server. If there is a NAT router between the BM2022 and the SIP register server, the BM2022 probably has a private IP address. The BM2022 lists its IP address in the SIP message that it sends to the SIP register server. NAT does not translate this IP address in the SIP message. The SIP register server gets the BM2022's IP address from inside the SIP message and maps it to your SIP identity. If the BM2022 has a private IP address listed in the SIP message, the SIP server cannot map it to your SIP identity.

Use a SIP ALG (Application Layer Gateway), STUN, or outbound proxy to allow the BM2022 to list its public IP address in the SIP messages.

DTMF

Dual-Tone Multi-Frequency (DTMF) telephone call signaling uses pairs of frequencies (one lower frequency and one higher frequency) to set up calls. It is also known as Touch Tone. Each of the keys on a DTMF telephone corresponds to a different pair of frequencies.
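The "NAT and SIP" problem above can be checked on a captured REGISTER message by looking at the addresses the register server would read from inside it. This is an added example, not code from the manual or the BM2022; both messages are constructed, the SIP identity is the manual's sample 1122334455@VoIP-provider.com, and "private" is taken to mean the RFC 1918 ranges.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
COMPACT = {"v": "via", "m": "contact", "t": "to", "f": "from"}  # SIP compact header names

def parse_headers(message):
    """Return [(name, value)] for a SIP message; names lowercased, compact forms expanded."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.append((COMPACT.get(name, name), value.strip()))
    return headers

def host_of(name, value):
    """Host part of a Via header or of the SIP URI in a Contact header."""
    if name == "via":
        m = re.match(r"SIP/2\.0/\w+\s+([^\s;:]+)", value)
    else:
        m = re.search(r"sips?:(?:[^@>;]*@)?([^\s;:>]+)", value)
    return m.group(1) if m else None

def is_rfc1918(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                             # a domain name, not an address
    return any(addr in net for net in RFC1918)

def registrar_view(message):
    """What the register server reads from inside the message: the SIP identity,
    the contact host it would map to it, and any private addresses listed."""
    identity = contact = None
    private = []
    for name, value in parse_headers(message):
        if name == "to":
            m = re.search(r"sips?:([^>;\s]+)", value)
            identity = m.group(1) if m else None
        elif name in ("via", "contact"):
            host = host_of(name, value)
            if name == "contact":
                contact = host
            if host and is_rfc1918(host):
                private.append((name, host))
    return {"identity": identity, "contact_host": contact, "private": private}

def register_message(device_ip):
    """Constructed REGISTER as sent by a device that lists device_ip as its own address."""
    return "\r\n".join([
        "REGISTER sip:VoIP-provider.com SIP/2.0",
        "Via: SIP/2.0/UDP %s:5060;branch=z9hG4bKconstructed1" % device_ip,
        "To: <sip:1122334455@VoIP-provider.com>",
        "From: <sip:1122334455@VoIP-provider.com>;tag=constructed",
        "Call-ID: constructed-call-id@%s" % device_ip,
        "CSeq: 1 REGISTER",
        "Contact: <sip:1122334455@%s:5060>;expires=3600" % device_ip,
        "Content-Length: 0",
        "", "",
    ])

BEHIND_NAT = register_message("192.168.1.33")    # private address, untranslated by NAT
PUBLIC = register_message("203.0.113.7")         # public address learned via STUN, for example

if __name__ == "__main__":
    for label, msg in (("behind NAT", BEHIND_NAT), ("public address", PUBLIC)):
        print(label, registrar_view(msg))
```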
Supplementary Phone Services Overview

Supplementary services such as call hold, call waiting, call transfer, etc. are generally available from your VoIP service provider. The BM2022 supports the following services:

- Call Waiting
- Call Forwarding
- Caller ID

Note: To take full advantage of the supplementary phone services available through the BM2022's phone port, you may need to subscribe to the services from your VoIP service provider.

10.2  Status

Click VoIP > Account > Status to view VoIP settings and current status.

Figure 82   VoIP > Account > Status

The following table describes the labels in this screen.

Table 66   VoIP > Account > Status
LABEL   DESCRIPTION
Server Status
SIP Register   This field displays the IP address (or domain name) and service port number of the register server, if you have configured one.
SIP Service Domain   This field displays the SIP service domain and port number of the SIP server, if you have configured one.
Proxy Server   This field displays the IP address (or domain name) and service port number of the SIP proxy server, if you have configured one.
Outbound Server   This field displays the IP address (or domain name) and service port number of the outbound proxy server, if you have configured one.
Register Status   This field displays Disabled if the SIP account (set up in Section 10.4 on page 159) is disabled or de-registered from the registrar server. It displays Registering (or Unregistering) after sending out the SIP register (or unregister) message to make registration (or de-registration) at (or from) the SIP registrar server. If the registration fails (for example, because the SIP registrar server rejects it due to wrong authentication data, or because the response from the server times out), Error is displayed. It displays Up if the SIP account is registered at the registrar server successfully.
Line Status
Subscriber Number   This field displays the SIP phone number for the phone line.
Account Status   This indicates whether the SIP account is activated or not. Enable means activated and Disable means deactivated.
Phone Status   This field displays the phone status, such as Idle, Calling, Ringing, Connecting, InCall, Hold, and Disconnecting.
Call History
Received call   This field displays the number of calls you have received through the connected phone since the BM2022 last restarted or was turned on.
Missing call   This field displays the number of calls you have missed since the BM2022 last restarted or was turned on.
Outgoing call   This field displays the number of calls you have made through the connected phone since the BM2022 last restarted or was turned on.
Connect   Click this to register the BM2022 to the specified register server.
Disconnect   Click this to de-register the BM2022 with the register server.
10.3  Server

Click VoIP > Account > Server to configure the registrar server, proxy server and outbound proxy server for this SIP account.

Figure 83   VoIP > Account > Server

The following table describes the labels in this screen.

Table 67   VoIP > Account > Server
LABEL   DESCRIPTION
Registrar Server
Registrar Server   Enter the IP address or domain name of a register server. You can use up to 63 printable ASCII characters.
Port Number   Enter the SIP server's listening port number. Keep the default value, if you are not sure of this value.
SIP Service Domain   Enter the IP address or domain name of a SIP server, if your VoIP service provider gave you one. Otherwise, enter the same address that you have entered in the Registrar Server field. You can use up to 63 printable ASCII characters.
Register Period Time   Enter the registration expiry time in seconds for the SIP account specified in Section 10.4 on page 159. The allowable range is 60~65535 seconds. However, this value is only the user's preferred default. The actual registration expiry time used by the SIP account is determined by the registrar server after the registration process. Once the SIP account has registered at the registrar server successfully, the BM2022 sends a re-register message at every half of the registration expiry time determined by the registrar server to keep the registered status alive. If the keep-alive action fails, the register status described in Section 10.2 on page 156 changes to Error and you cannot make any calls in this state. However, after 512 seconds (fixed value), the BM2022 sends a register message again to try to recover the registered status.
Proxy Server
Proxy Server   Enter the IP address or domain name of the SIP proxy server provided by your VoIP service provider. You can use up to 63 printable ASCII characters.
Port Number   Enter the SIP proxy server's listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.
Outbound Server
Outbound Server   Enter the IP address or domain name of the outbound proxy server provided by your VoIP service provider. You can use up to 63 printable ASCII characters. If you choose not to use an outbound proxy server, set this to 0.0.0.0.
Port Number   Enter the outbound proxy's listening port number, if your VoIP service provider gave you one. Otherwise, leave it as the default 5060. If the outbound proxy is disabled (set to 0.0.0.0), then this port will be ignored.

10.4  SIP

Click VoIP > Account > SIP to configure SIP settings.

Figure 84   VoIP > Account > SIP

The following table describes the labels in this screen.

Table 68   VoIP > Account > SIP
LABEL   DESCRIPTION
SIP Account
Enable   Select this if you want the BM2022 to use this account. Clear it if you do not want the BM2022 to use this account.
SIP Local Port   Enter the BM2022's listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.
Subscriber Number   Enter your SIP number. In the full SIP URI, this is the part before the @ symbol. You can use 1-31 printable ASCII characters.
Authentication Name   Type the SIP user name associated with this account for authentication to the SIP register server. This field can be 1-31 printable characters (A-Z, a-z, 0-9).
Password   Type the SIP password associated with this account. This field can be 0-31 printable characters (A-Z, a-z, 0-9), underscores (_), pluses (+), periods (.), and at symbols (@).
Codec Settings
1st Codec, 2nd Codec, 3rd Codec   Select the BM2022's first, second, and third choices of the type of voice coder/decoder (codec) that you want the phone line to use when communicating with the SIP server. The following codecs (shown in highest quality to lowest quality order) are supported by the BM2022: G.711 aLaw (typically used in Europe), G.711 muLaw (typically used in North America and Japan), G.729. You can also select NONE for the 2nd and 3rd codecs if your VoIP service provider only gave you one or two codec settings. When two SIP devices start a SIP session, they must agree on a codec.
Session Timer
Min Session Timer   Enter the minimum session expiry time in seconds. The allowable range is 90~65535 seconds. When an incoming call requests a session expiry time that is lower than this value, the BM2022 will respond with a "423 session timer too small" message and tell the peer to use this value as the minimum bound.
Session Timer   Enter the session expiry time in seconds for all phone connections on this trunk. The allowable range is 120~65535 seconds. This value cannot be lower than the Min Session Timer. The BM2022 will use the INVITE or UPDATE method to keep a session alive every half of the session expiry time during a call. If the keep-alive action is successful, the BM2022 will re-start the timer and do another keep-alive action after it reaches half of the session expiry time. If the keep-alive action fails, the call will terminate automatically. See Section 9.4 on page 151 to configure the Refresh Method with the INVITE or UPDATE method.
10.5  Feature

Click VoIP > Account > Feature to configure advanced VoIP features such as DTMF, Call Forwarding and Call Waiting.

Figure 85   VoIP > Account > Feature

The following table describes the labels in this screen.

Table 69   VoIP > Account > Feature
LABEL   DESCRIPTION
Feature Settings
Block Anonymous Call   Select this to have the BM2022 block all incoming calls from phones that do not send caller ID.
Do Not Disturb (DND)   Select this to have the BM2022 not forward calls to the phone line while processing incoming calls. Thus, for any incoming call, the remote peer can hear ringback tone, but the phone connected on the BM2022 would not ring. Meanwhile, the BM2022 can still make outgoing calls as usual. Note: The DND function should be used very carefully, since enabling DND makes the BM2022 not forward any incoming call to the phone line so the user would never know whether there are any incoming calls.
Hide User ID (Make Anonymous Call)   Select this to not have your Caller ID (number) displayed on the callee's screen.
MWI (Message Waiting Indication)   Select this to enable the Message Waiting Indicator (MWI) function for the SIP account specified in Section 10.4 on page 159. When there is at least one new voicemail for the SIP account, the voice LED (described in Section 1.2.1 on page 19) turns yellow and the BM2022 sends a beeping tone to the phone when the user picks up the phone to make calls.
DTMF
DTMF   Control how the BM2022 handles the DTMF tone relay to the communication peer. The DTMF tone is generated by the phone when you push its digit buttons during a call. One application is to send numbers when trying to use an IVR (Interactive Voice Response) service with a server. You should use the same mode as your VoIP service provider. The choices are: Out-of-band (RFC 2833) - Follow the RFC 2833 standard and send the DTMF tones in RTP packets. In Band - Send the DTMF tones in the voice data stream. This works best when you are using a codec that does not use compression (like G.711). Codecs that use compression (like G.729) can distort the tones.
SIP INFO   Select this to have the BM2022 send the DTMF tones in SIP messages.
Call Forward Setting
Unconditional CF, Unconditional CF Target   Select this if you want the BM2022 to forward all incoming calls to the specified phone number, regardless of other rules in this Call Forward Setting section. Specify the phone number in the Unconditional CF Target field. Note: The Unconditional CF function should be used very carefully, since enabling this function makes the BM2022 forward all incoming calls to another phone number, so the user would never know if there are any incoming calls.
Busy CF, Busy CF Target   Select this if you want the BM2022 to forward incoming calls to the specified phone number if the phone port is busy. Specify the phone number in the Busy CF Target field. If you have call waiting, the incoming call is forwarded to the specified phone number if you reject or ignore the second incoming call.
No Answer CF, No Answer CF Target, No Answer CF Waiting Time   Select this if you want the BM2022 to forward incoming calls to the specified phone number if the call is unanswered. Specify the phone number in the No Answer CF Target field on the right. Specify the time to wait before forwarding incoming calls in the No Answer CF Waiting Time field.
Call Waiting Setting
Call Waiting   Select this to enable call waiting for this SIP account on the BM2022.
Call Waiting Reject Time   Enter the time to wait before rejecting a call when call waiting is enabled.

10.6  Dialing

Click VoIP > Account > Dialing to configure dialing timeout values.

Figure 86   VoIP > Account > Dialing

The following table describes the labels in this screen.

Table 70   VoIP > Account > Dialing
LABEL   DESCRIPTION
Inter-digit Timeout   Set the time in seconds (1~5) the BM2022 waits for each digit input of a complete callee number after you press the first key on the phone. If the BM2022 does not receive the next digit within this time period, the BM2022 processes the digits you have dialed.
First-digit Timeout   Set the number of seconds (5~30) for the BM2022 to wait for you to start dialing a number after you pick up the telephone receiver. If you do not dial any number within that time period, the dial tone becomes a busy signal. Put back the receiver and pick it up again if you want to make a new call.

10.7  FAX

Click VoIP > Account > FAX to configure which standard the account uses for fax services.

Figure 87   VoIP > Account > FAX

The following table describes the labels in this screen.

10.8  Technical Reference

The following section contains additional technical information about the BM2022 features described in this chapter.

10.8.1  SIP Call Progression with Session Timer

The following figure displays the basic steps in the setup and tear down of a SIP call with session timer supported by both peers. The UPDATE method is used to refresh the session. A calls B and uses proxy server P. Messages include Session Expiry (SE) and Minimum Session Expiry (MSE)

Table 71   VoIP > Account > FAX
LABEL   DESCRIPTION
Options   Select which standard the BM2022 uses to handle faxes. The peer devices must also use the same standard.
G.711A Pass Through - Select this option to send and receive fax messages over the network or Internet using VoIP (G.711a). By encoding fax data as audio data, faxes may be susceptible to packet loss and other errors.
However, as this standard is considerably older than T.38, it is more compatible with older obsolete systems.T.38 FAX Relay - BM2022 encodes fax messages to T.38 packets and sends as UDP packets through IP networks.  This provides better quality, but it may have interoperability problems.
time values. When the duration of the call reaches half of the SE time period, the session is refreshed.

Table 72   SIP Call Progression
STEP | MESSAGE | SE / MSE | DIRECTION (A, P, B from left to right)
1 | INVITE | SE: 60 | -->
2 | 422 | MSE: 3600 | <--
3 | ACK | | -->
4 | INVITE | SE: 3600, MSE: 3600 | -->
5 | INVITE | SE: 3600, MSE: 3600 | -->
6 | INVITE | SE: 3600, MSE: 3600 | -->
7 | OK | SE: 3600 | <--
8 | OK | SE: 3600 | <--
9 | OK | SE: 3600 | <--
10 | ACK | | -->
11 | ACK | | -->
12 | Dialogue (voice traffic) | |
13 | UPDATE | SE: 3600 | -->
14 | UPDATE | SE: 3600 | -->
15 | OK | SE: 3600 | <--
16 | OK | SE: 3600 | <--
17 | BYE | | -->
18 | OK | | <--

1. A sends a SIP INVITE request. This message is an invitation for B to participate in a SIP telephone call. A's INVITE specifies a SE of 60 seconds.
2. A's request arrives at P but is below the minimum allowed value of 3600, so it is rejected with a 422 message, which contains the MSE of 3600.
3. A sends an ACK to acknowledge the message was received.
4. A retries the INVITE request with SE of 3600 and MSE of 3600.
5. The SE in the new INVITE is acceptable so P forwards it to B.
6. B receives the INVITE.
7. B responds with an OK message which includes the SE of 3600.
8. P forwards the OK message to A.
9. A receives the OK.
10. A then sends an ACK message to acknowledge that the call is established completely.
11. The proxy server forwards the ACK message to B.
12. Now A and B exchange voice media (talk).
13. After around half of the SE time period is reached, or 1800 seconds in this case, A sends an UPDATE request to refresh the session.
14. The UPDATE request is forwarded by P to B.
15. B receives the UPDATE request and responds with an OK message.
16. The OK message is received by A.
17. After talking, A hangs up and sends a BYE request.
18. B replies with an OK response confirming receipt of the BYE request and the call is terminated.

10.8.2  SIP Client Server

SIP is a client-server protocol. A SIP client is an application program or device that sends SIP requests. A SIP server responds to the SIP requests. When you use SIP to make a VoIP call, it originates at a client and terminates at a server. A SIP client could be a computer or a SIP phone. One device can act as both a SIP client and a SIP server. For more information on the SIP protocol, please refer to RFC 3261.
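The session timer exchange of Section 10.8.1, replayed as an added example (not part of the manual or of the BM2022 firmware): a small Python model of A, P and B in which the proxy rejects a Session Expiry below its minimum with a 422, A retries, and the refresh times follow from the agreed SE. All class and function names are constructed for illustration.

```python
"""Model of the SIP session timer negotiation in Section 10.8.1 (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Message:
    sender: str                 # "A" (caller), "P" (proxy) or "B" (callee)
    receiver: str
    kind: str                   # INVITE, 422, ACK or OK
    se: Optional[int] = None    # Session Expiry carried by the message, seconds
    mse: Optional[int] = None   # Minimum Session Expiry carried, seconds


def setup_call(initial_se: int, proxy_min_se: int,
               max_attempts: int = 3) -> Tuple[List[Message], int]:
    """Return the message trace and the SE both peers end up using."""
    if initial_se < 2:
        raise ValueError("SE must be at least 2 seconds")
    trace: List[Message] = []
    se, mse = initial_se, None
    for _ in range(max_attempts):
        trace.append(Message("A", "P", "INVITE", se, mse))
        if se < proxy_min_se:
            # Steps 2-3: P refuses the interval and states its minimum.
            trace.append(Message("P", "A", "422", mse=proxy_min_se))
            trace.append(Message("A", "P", "ACK"))
            # Step 4: A adopts the minimum and raises its SE to match.
            mse = proxy_min_se
            se = max(se, mse)
            continue
        # Steps 5-11: the INVITE is acceptable and the call is set up.
        trace.append(Message("P", "B", "INVITE", se, mse))
        trace.append(Message("B", "P", "OK", se))
        trace.append(Message("P", "A", "OK", se))
        trace.append(Message("A", "P", "ACK"))
        trace.append(Message("P", "B", "ACK"))
        return trace, se
    raise RuntimeError("session interval could not be negotiated")


def refresh_times(se: int, call_duration: int) -> List[int]:
    """Seconds into the call at which A sends UPDATE (each time SE/2 elapses)."""
    half = se // 2
    return list(range(half, call_duration, half))


if __name__ == "__main__":
    messages, agreed = setup_call(initial_se=60, proxy_min_se=3600)
    for number, m in enumerate(messages, start=1):
        print(number, m.sender, "->", m.receiver, m.kind, "SE:", m.se, "MSE:", m.mse)
    print("agreed SE:", agreed, "refresh at:", refresh_times(agreed, 4000))
```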
CHAPTER 11
The VoIP Line Screens

11.1  Overview

The VoIP > Line screens allow you to configure the volume, echo cancellation, VAD settings and custom tones for the phone port which maps to the SIP account (see Chapter 10 on page 153).

11.1.1  What You Can Do in This Chapter

- The Phone screen (Section 11.2 on page 168) lets you configure phone settings.
- The Voice screen (Section 11.3 on page 168) lets you configure voice settings.
- The Region screen (Section 11.4 on page 169) lets you configure which country of the world the BM2022 is in.

11.1.2  What You Need to Know

The following terms and concepts may help as you read through this chapter.

Voice Activity Detection/Silence Suppression/Comfort Noise

Voice Activity Detection (VAD) detects whether or not speech is present. This lets the BM2022 reduce the bandwidth that a call uses by not transmitting silent packets when you are not speaking.

When using VAD, the BM2022 generates comfort noise when the other party is not speaking. The comfort noise lets you know that the line is still connected as total silence could easily be mistaken for a lost connection.

Echo Cancellation

G.168 is an ITU-T standard for eliminating the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.
11.2  Phone

Click VoIP > Line > Phone to configure phone related settings.

Figure 88   VoIP > Line > Phone

The following table describes the labels in this screen.

Table 73   VoIP > Line > Phone
LABEL | DESCRIPTION
Phone
Hook Flash Detect Upper Bound | Enter the number of milliseconds for the upper bound of a quick on-hook and off-hook cycle in order to recognize a hook flash event.
Hook Flash Detect Lower Bound | Enter the number of milliseconds for the lower bound of a quick on-hook and off-hook cycle in order to recognize a hook flash event.
Voice Tx Level | Select the volume level transmitted by the BM2022. -9 is the quietest, and 9 is the loudest.
Voice Rx Level | Select the volume level transmitted to the BM2022. -9 is the quietest, and 9 is the loudest.

11.3  Voice

Click VoIP > Line > Voice to configure voice settings.

Figure 89   VoIP > Line > Voice

The following table describes the labels in this screen.

Table 74   VoIP > Line > Voice
LABEL | DESCRIPTION
VAD - Voice Activity Detection
Enable VAD | Enable Voice Active Detector (VAD) to have the BM2022 stop transmitting voice traffic when you are not speaking using the detection method. This reduces the bandwidth the BM2022 uses.
LEC - Line Echo Cancellation
Line Echo Canceller Tail Length | Select the maximum number of milliseconds of an echo length (16 ms, 32 ms or 48 ms) the BM2022 can handle and eliminate the effect. An echo is normally caused by the sound of your voice reverberating in the telephone receiver while you talk. Select Disable to turn this feature off.

11.4  Region

Click VoIP > Line > Region to maintain settings that depend on which region of the world the BM2022 is in.

Figure 90   VoIP > Line > Region

The following table describes the labels in this screen.

Table 75   VoIP > Line > Region
LABEL | DESCRIPTION
Country Profile | Select the place in which the BM2022 is located, USA (Default) or any other country.
CHAPTER 12
Maintenance

12.1  Overview

Use these screens to manage and maintain your BM2022.

12.1.1  What You Need to Know

The following terms and concepts may help as you read through this chapter.

Remote Management Limitations

Remote management over LAN or WAN will not work when:

1. You have disabled that service in one of the remote management screens.
2. The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the BM2022 will disconnect the session immediately.
3. There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.

Remote Management and NAT

When NAT is enabled:

- Use the BM2022's WAN IP address when configuring from the WAN.
- Use the BM2022's LAN IP address when configuring from the LAN.

System Timeout

There is a default system management idle timeout of five minutes. The BM2022 automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.

SNMP

Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your BM2022 supports SNMP agent functionality, which allows a manager station to manage and monitor the BM2022 through the network. The BM2022 supports SNMP version one (SNMPv1) and version two (SNMPv2). The next figure illustrates an SNMP management operation.
Note: SNMP is only available if TCP/IP is configured.

TR-069

TR-069 is an abbreviation of Technical Reference 069, a protocol designed to facilitate the remote management of Customer Premise Equipment (CPE), such as the BM2022. It can be managed over a WAN by means of an Auto Configuration Server (ACS). TR-069 is based on sending Remote Procedure Calls (RPCs) between the ACS and the client device. RPCs are sent in Extensible Markup Language (XML) format over HTTP or HTTPS.

An administrator can use an ACS to remotely set up the BM2022, modify its settings, perform firmware upgrades, and monitor and diagnose it. In order to do so, you must enable the TR-069 feature on your BM2022 and then configure it appropriately. (The ACS server which it will use must also be configured by its administrator.)

Figure 91   TR-069 Example

In this example, the BM2022 (A) receives data from at least 3 sources: a SIP server for handling voice calls, an HTTP server for handling web services, and an ACS for configuring the BM2022 remotely. All three servers are owned and operated by the client's Internet Service Provider. However, without the configuration settings from the ACS, the BM2022 cannot access the other two servers. Once the BM2022 receives its configuration settings and implements them, it can connect to the other servers. If the settings change, it will once again be unable to connect until it receives its updates from the ACS.

The BM2022 can be configured to periodically check for updates from the auto-configuration server so that the end user need not be worried about it.
SNMP

An SNMP managed network consists of two main types of component: agents and a manager.

Figure 92   SNMP Management Model

An agent is a management software module that resides in a managed device (the BM2022). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status, and so on. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects. The BM2022 supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

- Get - Allows the manager to retrieve an object variable from the agent.
- GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
- Set - Allows the manager to set values for object variables within an agent.
- Trap - Used by the agent to inform the manager of some events.
The BM2022 sends traps to the SNMP manager when any of the following events occurs:

Table 76   SNMP Traps
TRAP # | TRAP NAME | DESCRIPTION
0 | coldStart (defined in RFC-1215) | A trap is sent after booting (power on).
1 | warmStart (defined in RFC-1215) | A trap is sent after booting (software reboot).
4 | authenticationFailure (defined in RFC-1215) | A trap is sent to the manager when receiving any SNMP get or set requests with the wrong community (password).
6 | whyReboot | A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
6a | For intentional reboot: | A trap is sent with the message "System reboot by user!" if reboot is done intentionally (for example, download new files, CI command "sys reboot", etc.).
6b | For fatal error: | A trap is sent with the message of the fatal code if the system reboots because of fatal errors.

OMA-DM

When the BM2022 initiates communication with the server (often times at start up or after the first time you turn it on), the server uploads commands, new files (if any), and other information used by a service provider to customize the BM2022's features.

Device management works as follows:

1. The server (A) sends out the query (1) to the BM2022 (B).
2. The BM2022 responds by sending back its credentials (2), to which the server responds with its credentials along with a string of management operations (3).
3. The client responds to the management operations (4), perhaps confirming file alterations or confirming receipt of file uploads and so on.
4. The server disconnects from the BM2022 once all of its management operations have been carried out.

Figure 93   OMA-DM Data Management

OMA-DM Authentication

In order to ensure the integrity of the connection between an OMA-DM server and the BM2022, communication between the two is encoded using one of three common algorithms. They are not intended to be used in lieu of proper digital security, but instead as a means of transmitting multiple disparate types of data over HTTP. Security encryption for communication is handled by different processes configured elsewhere in the BM2022's web configurator.

- Basic Access Authentication - Sends a person's user name and password in Base64. This authentication protocol is supported by all browsers that are HTTP 1.0/1.1 compliant. Although converted to Base64 for the sake of cross-compatibility, credentials are nonetheless passed between the web browser and the server in plaintext, making it extremely easy to intercept and read. As such, it is rarely used anymore.
- Digest Access Authentication - This protocol was designed to replace basic access authentication. Instead of encoding a user name and password in plaintext, this protocol uses what is known as an MD5 message authentication code. It allows the server to issue a single-use, randomly generated number (known as a nonce) to the client (in this case, the web browser), which then uses the number as the public key for encrypting its data. When the server receives the encrypted data, it unlocks it using the key that was just provided. While stronger than basic access authentication, this protocol is not as strong as, say, HMAC, or as secure as the client using a client-side private key encryption scheme.
- Hash Message Authentication Code - Also known as HMAC, this code relies on cryptographic hash functions to bolster an existing protocol, such as MD5. It is a method for generating a stronger, significantly higher encryption key.

OMA-DM Data Model

Each device that conforms to the current OMA-DM standard has an identical data structure embedded in its controlling firmware. This allows a similarly conforming OMA-DM server to navigate the folder structure and to make file alterations where appropriate or required.

Figure 94   OMA-DM Data Model (folder labels shown in the figure: Root Folder ./, DMAcc, Vendor, Operator, MP3s, Games)

In the example data model shown here, the parent folders must conform to the OMA-DM standard. The child folders, on the other hand, can be customized on an individual basis. This allows the parent folders to all maintain a consistent URI (Uniform Resource Identifier) across all devices that meet the OMA-DM standard's requirements.

For example, in the preceding figure the URI for the Games folder is ./Vendor/Games/. The ./Vendor/ portion of the URI exists on all devices that conform to the OMA-DM standard. The Games folder, however, may or may not exist depending on the services provided by the company managing the device.
Daytime

A network protocol used by devices for debugging and time measurement. A computer can use this protocol to set its internal clock but only if it knows in which order the year, month, and day are returned by the server. Not all servers use the same format.

Time

A network protocol for retrieving the current time from a server. The computer issuing the command compares the time on its clock to the information returned by the server, adjusts itself automatically for time zone differences, then calculates the difference and corrects itself if there has been any temporal drift.

NTP

NTP stands for Network Time Protocol. It is employed by devices connected to the Internet in order to obtain a precise time setting from an official time server. These time servers are accurate to within 200 microseconds.

12.2  Password

Use this screen to set up admin and guest accounts for logging into and managing the WiMAX Device. The admin user can access and configure all screens. The guest user can only perform some basic settings such as viewing the system status information, configuring LAN, NAT, DDNS, and Firewall settings, resetting the BM2022 to factory defaults and restarting the BM2022.

Click Maintenance > Password to open this screen as shown next.

Figure 95   Password Screen

This screen contains the following fields:

Table 77   Password
LABEL | DESCRIPTION
Group | Select the group for which you want to change the login password.
Old Password | Enter the old password for the login group.
New Password | Enter the new password for the login group.
Retype | Retype the new password for the login group.
12.3  HTTP

Use this screen to allow remote access to the WiMAX Device from a network connection over HTTP.

Click Maintenance > Remote MGMT > HTTP to open this screen as shown next.

Figure 96   HTTP Screen

This screen contains the following fields:

Table 78   HTTP
LABEL | DESCRIPTION
HTTP Server
Enable | Select this to enable remote management using this service.
Port Number | Enter the port number this service can use to access the BM2022. The computer must use the same port number.
HTTPS Server
Enable | Select this to enable remote management using this service.
Port Number | Enter the port number this service can use to access the BM2022. The computer must use the same port number.
HTTP and HTTPS
Allow Connection from WAN | Select this to allow incoming connections from the WAN over either HTTP or HTTPS.
HTTP Session Timeout
Session Timeout | Enter the number of minutes (0-99) the BM2022 waits to delete an inactive web connection (HTTP or HTTPS).

12.4  Telnet

Use this screen to allow remote access to the WiMAX Device from a network connection over Telnet.

Click Maintenance > Remote MGMT > Telnet to open this screen as shown next.

Figure 97   Telnet Screen

This screen contains the following fields:

Table 79   Telnet
LABEL | DESCRIPTION
Enable | Select this to enable remote management using this service.
Port Number | Enter the port number this service can use to access the BM2022. The computer must use the same port number.
Allow Connection from WAN | Select this to allow connections using this service that originate on the WAN.
Allow Connection from LAN | Select this to allow connections using this service that originate on the LAN.

12.5  SSH

Use this screen to allow remote access to the WiMAX Device from a network connection over SSH.

Click Maintenance > Remote MGMT > SSH to open this screen as shown next.

Figure 98   SSH Screen

This screen contains the following fields:

Table 80   SSH
LABEL | DESCRIPTION
Enable | Select this to enable remote management using this service.
Port Number | Enter the port number this service can use to access the BM2022. The computer must use the same port number.
Allow Connection from WAN | Select this to allow connections using this service that originate on the WAN.
Allow Connection from LAN | Select this to allow connections using this service that originate on the LAN.
12.6  SNMP

Use this screen to allow remote access to the WiMAX Device from a network connection over SNMP.

Click Maintenance > Remote MGMT > SNMP to open this screen as shown next.

Figure 99   SNMP Screen

This screen contains the following fields:

Table 81   SNMP
LABEL | DESCRIPTION
Enable | Select this to enable remote management using this service.
Location | Enter the location of the SNMP server (for example, Engineering Dept., Floor 6, Building A, New York City).
Contact | Enter contact information for the administrator managing the SNMP server (for example, Bill Smith, IT Dept., (555) 555-5454).
Read Community | Enter the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Write Community | Enter the password for incoming Set requests from the management station. The default is public and allows all requests.
Trap Server | Enter the IP address of the station to send your SNMP traps to.
Trap Community | Enter the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.

12.7  CWMP

Use this screen to allow CWMP connections for remote management, firmware upgrades and troubleshooting.

Click Maintenance > Remote MGMT > CWMP to open this screen as shown next.

Figure 100   CWMP Screen

This screen contains the following fields:

Table 82   CWMP
LABEL | DESCRIPTION
Enable | Select this to enable remote management using this service.
ACS Server URL | Enter the URL or IP address of the auto-configuration server.
Bootstrap Enable | Select this to enable bootstrap events.
ACS Username | Enter the user name sent when the BM2022 connects to the ACS and which is used for authentication. You can enter up to 31 alphanumeric characters (a-z, A-Z, 0-9) and underscores but spaces are not allowed.
ACS Password | Enter the password sent when the BM2022 connects to an ACS and which is used for authentication. You can enter up to 31 alphanumeric characters (a-z, A-Z, 0-9) and underscores but spaces are not allowed.
Periodical Inform Enable | Select this to allow the BM2022 to periodically connect to the ACS and check for configuration updates. If you do not enable this feature then the BM2022 can only be updated automatically when the ACS initiates contact with it and if you selected the checkbox on this screen.
Periodical Inform Interval | Enter the time interval (in seconds) at which the BM2022 connects to the auto-configuration server.
Connection Request Username | Enter the connection request user name that the ACS must send to the BM2022 when it requests a connection. You can enter up to 31 alphanumeric characters (a-z, A-Z, 0-9) and underscores but spaces are not allowed. Note: This must be provided by the ACS administrator.
Connection Request Password | Enter the connection request password that the ACS must send to the BM2022 when it requests a connection. You can enter up to 31 alphanumeric characters (a-z, A-Z, 0-9) and underscores but spaces are not allowed. Note: This must be provided by the ACS administrator.
CA Certificate File | Click Browse to upload a Certificate Authority (CA) certificate to the BM2022.
CA Certificate Info | This displays information about the currently active CA certificate.
Client Certificate File | Click Browse to upload a client certificate to the BM2022.
Client Certificate Info | This displays information about the currently active client certificate.

12.8  OMA-DM

Use this screen to allow remote access to the WiMAX Device from a network connection over OMA-DM.

Click Maintenance > Remote MGMT > OMA-DM to open this screen as shown next.

Figure 101   OMA-DM Screen

This screen contains the following fields:

Table 83   OMA-DM
LABEL | DESCRIPTION
Enable | Select this to enable remote management using this service.
Server URL | Enter the IP address or URL of the OMA-DM server that you intend to use to manage this device.
Server Port | Enter the port number for the IP address of the OMA-DM server set up in the preceding field.
Table 83   OMA-DM (continued)
LABEL | DESCRIPTION
Server Auth Type | Select the encryption algorithm scheme used by the OMA-DM server to communicate with client devices. If the scheme selected here does not match the actual scheme used by the server, then the server will challenge the BM2022 to automatically update its settings. None - No authentication. Basic - Server ID and Password are encoded using a Basic Access Authentication Code. Digest (MD5) - Server ID and Password are encoded using a Digest Access Authentication Code. HMAC - Server ID and Password are encoded using a keyed Hash Message Authentication Code.
Server ID | Enter the identification code for the server. This is used by the BM2022 during the communication handshake process to identify the server.
Server Password | Enter the password for the server's identification code. This shared public key is used by the BM2022 during the communication handshake process to identify the server.
Server Nonce | The BM2022 and the OMA-DM server use nonces to authenticate each other if you select MD5 as the authentication algorithm in the Server Auth Type field. Nonce is an abbreviation of 'number used once'. It is normally a random or pseudo-random number applied in an authentication protocol to protect existing communications from being reused in replay attacks. Type up to 20 digits for the OMA-DM server nonce.
Client Auth Type | Select the encryption algorithm scheme used by the OMA-DM server to communicate with client devices. If the scheme selected here does not match the actual scheme used by the server, then the server will challenge the BM2022 to automatically update its settings. None - No authentication. Basic - Server ID and Password are encoded using a Basic Access Authentication Code. Digest (MD5) - Server ID and Password are encoded using a Digest Access Authentication Code. HMAC - Server ID and Password are encoded using a keyed Hash Message Authentication Code. Note: Make sure that the scheme selected here matches the Server Auth Type.
Client ID | Enter the client name for the BM2022.
Client Password | Enter the password for the BM2022's client name.
Client Nonce | The BM2022 and the OMA-DM server use nonces to authenticate each other if you select MD5 as the authentication algorithm in the Client Auth Type field. Type up to 20 digits for the OMA-DM client nonce.
Periodical Client-Initiated Enable | Select this to allow the BM2022 to periodically connect to the OMA-DM server and check for configuration updates. If you do not enable this feature then the BM2022 can only be updated automatically when the OMA-DM server initiates contact with it and if you selected the checkbox on this screen.
Periodical Client-Initiated Interval | Enter the time interval (in seconds) at which the BM2022 connects to the OMA-DM server.
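What the Basic, Digest (MD5) and HMAC choices named under OMA-DM Authentication and in the Server/Client Auth Type fields put on the wire, as an added example that is not from the manual or the BM2022 firmware. It assumes the HTTP forms of Basic and Digest (RFC 2617, qop=auth) and uses HMAC-SHA256 as the keyed hash; the device's own OMA-DM message format is not given on this page and is not reproduced, and every name, credential and URI below is constructed.

```python
"""Basic vs. Digest vs. HMAC credentials (added example, constructed values)."""
import base64
import hashlib
import hmac
import secrets


def basic_token(user: str, password: str) -> str:
    """Basic: Base64 of "user:password". This is an encoding, not encryption."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_from_basic(token: str) -> tuple:
    """Anyone who captures a Basic token gets the credentials back by decoding."""
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    # MD5 appears only because the Digest (MD5) scheme is defined with it.
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth") -> str:
    """Digest (RFC 2617): the password is hashed together with the server's
    nonce; only the resulting hash is sent."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: hands out single-use nonces and checks responses."""

    def __init__(self, realm: str, passwords: dict):
        self.realm = realm
        self.passwords = passwords
        self._open_nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._open_nonces.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self._open_nonces:
            return False                      # unknown or already used: replay
        self._open_nonces.discard(nonce)      # a nonce is accepted once
        password = self.passwords.get(user)
        if password is None:
            return False
        expected = digest_response(user, self.realm, password, method, uri,
                                   nonce, nc, cnonce)
        return hmac.compare_digest(expected, response)


def message_tag(key: bytes, body: bytes) -> str:
    """HMAC: a keyed hash over the whole message body, so changes are detected."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def tag_is_valid(key: bytes, body: bytes, tag: str) -> bool:
    return hmac.compare_digest(message_tag(key, body), tag)


def demo() -> dict:
    user, password, realm = "example-client", "example-secret", "example-realm"
    results = {"basic_recovered": recover_from_basic(basic_token(user, password))}

    server = DigestVerifier(realm, {user: password})
    nonce, cnonce = server.challenge(), secrets.token_hex(4)
    response = digest_response(user, realm, password, "POST", "/dm",
                               nonce, "00000001", cnonce)
    attempt = (user, "POST", "/dm", nonce, "00000001", cnonce, response)
    results["digest_first_use"] = server.verify(*attempt)
    results["digest_replay"] = server.verify(*attempt)   # same capture, resent

    key = b"constructed-shared-key"
    body = b"<constructed>management command</constructed>"
    tag = message_tag(key, body)
    results["hmac_intact"] = tag_is_valid(key, body, tag)
    results["hmac_tampered"] = tag_is_valid(key, body.replace(b"command", b"c0mmand"), tag)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A captured Basic token yields the password directly, a captured Digest response is refused on its second use, and the HMAC tag stops matching once the body is altered.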
12.9  Date

Use these settings to set the system time or configure an NTP server for automatic time synchronization.

Click Maintenance > Date/Time > Date to open this screen as shown next.

Figure 102   Date Screen

This screen contains the following fields:

Table 84   Date
LABEL | DESCRIPTION
Manual
New Time | Enter the new time in this field.
New Date | Enter the new date in this field.
Get from Time Server
Time Protocol | Select the time service protocol that your time server uses. Check with your ISP or network administrator, or use trial-and-error to find a protocol that works. NTP (RFC 1305) - This format is similar to Time (RFC 868).
Time Server Address 1~4 | Enter the IP address or URL of your time server. Check with your ISP or network administrator if you are unsure of this information.

12.10  Time Zone

Use this screen to set the time zone in which the WiMAX device is physically located.

Click Maintenance > Date/Time > Time Zone to open this screen as shown next.

Figure 103   Time Zone Screen

This screen contains the following fields:

Table 85   Time Zone
LABEL | DESCRIPTION
Time Zone | Select the time zone at your location.
Enable Daylight Savings Time | Select this if your location uses daylight savings time. Daylight savings is a period from late spring to early fall when many places set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
Start Date | Enter which hour on which day of which week of which month daylight-savings time starts.
End Date | Enter which hour on which day of which week of which month daylight-savings time ends.

12.11  Upgrade File

Use this screen to browse to a firmware file on a local computer and upload it to the WiMAX Device. Firmware files usually use the system model name with a "*.bin" extension, such as "BM2022.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system restarts. Contact your service provider for information on available firmware upgrades.

Note: Only use firmware for your BM2022's specific model.

Click Maintenance > Firmware Upgrade > Upgrade File to open this screen as shown next.

Figure 104   Upgrade File Screen

This screen contains the following fields:

Table 86   Upgrade File
LABEL | DESCRIPTION
Upgrade File | Click Browse then browse to the location of a firmware upgrade file and select it.
Upgrade | Click this to begin uploading the selected file. This may take up to two minutes. Note: Do not turn off the device while firmware upload is in progress!

12.11.1  The Firmware Upload Process

When the BM2022 uploads new firmware, the process usually takes about two minutes. The device also automatically restarts in this time. This causes a temporary network disconnect.

Note: Do not turn off the device while firmware upload is in progress!
 Chapter 12 MaintenanceBM2022 Users Guide 185After two minutes, log in again, and check your new firmware version in the Status screen. You might have to open a new browser window to log in.If the upload is not successful, you will be notified by error message.12.12  Upgrade LinkUse this screen to set the URL of a firmware file on a remote computer and upload it to the WiMAX Device.Click Maintenance > Firmware Upgrade > Upgrade Link to open this screen as shown next.Figure 105   Upgrade Link ScreenThis screen contains the following fields:12.13  CWMP UpgradeUse this screen to upgrade the firmware on the WiMAX Device using CWMP Request Download.Click Maintenance > Firmware Upgrade > CWMP Upgrade to open this screen as shown next.Figure 106   CWMP Upgrade ScreenThis screen contains the following fields:Table 87   Upgrade LinkLABEL DESCRIPTIONUpgrade Link Enter the URL or IP address of the firmwares upgrade location on the network.Upgrade  Click this to begin uploading the selected file. This may take up to two minutes.Note: Do not turn off the device while firmware upload is in progress!Table 88   CWMP UpgradeLABEL DESCRIPTIONUpgrade  Click this to begin upgrading firmware using CWMP Request. This may take up to two minutes.Note: Do not turn off the device while firmware upload is in progress!
Chapter 12 MaintenanceBM2022 Users Guide18612.14  BackupUse this screen to backup your current WiMAX Device settings to a local computer.Click Maintenance > Backup/Restore > Backup to open this screen as shown next.Figure 107   Backup/Restore ScreenThis screen contains the following fields:12.15  RestoreUse this screen to restore your WiMAX Device settings from a backup file on a local computer.Click Maintenance > Backup/Restore > Restore to open this screen as shown next.Figure 108   Restore ScreenTable 89   Backup/RestoreLABEL DESCRIPTIONBackup Click this to save the BM2022s current configuration to a file on your computer. Once your device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file is useful if you need to return to your previous settings.
 Chapter 12 MaintenanceBM2022 Users Guide 187This screen contains the following fields:12.15.1  The Restore Configuration ProcessWhen the BM2022 restores a configuration file, the device automatically restarts. This causes a temporary network disconnect. Note: Do not turn off the device while configuration file upload is in progress.If the BM2022s IP address is different in the configuration file you selected, you may need to change the IP address of your computer to be in the same subnet as that of the default management IP address (192.168.5.1). See the Quick Start Guide or the appendices for details on how to set up your computers IP address.You might have to open a new browser to log in again.If the upload was not successful, you are notified with an error message.12.16  Factory DefaultsUse this screen to restore the WiMAX Device to its factory default settings.Click Maintenance > Backup/Restore > Factory Defaults to open this screen as shown next.Figure 109   Factory Defaults ScreenThis screen contains the following fields:Table 90   RestoreLABEL DESCRIPTIONConfiguration File Click Choose File then browse to the location of a firmware upgrade file and select it. Click File Restore to upload the specified configuration to the BM2022 and replace the current settings.Backup Configuration File URLEnter the URL or IP address of the backup configuration files location on the network.Click URL Restore to upload the specified configuration to the BM2022 and replace the current settings.Table 91   Factory DefaultsLABEL DESCRIPTIONReset Click this to clear all user-entered configuration information and return the BM2022 to its factory defaults. There is no warning screen.
Chapter 12 MaintenanceBM2022 Users Guide18812.17  Log SettingUse this screen to configure which type of events on the WiMAX Device are logged.Click Maintenance > LOG > Log Setting to open this screen as shown next.Figure 110   Log Setting ScreenThis screen contains the following fields:12.18  Log DisplayUse this screen to view the log messages of the WiMAX Device.Table 92   Log SettingLABEL DESCRIPTIONEnable Log Select this to have the BM2022 log network activity according to the selected Log Level.Log Level Select the type of logs to record.Enable Remote LogSelect this to allow logs to be recorded and stored on a remote logs server.Remote Log Host Enter the remote log host IP address if Enable Remote Log is selected.Remote Log Port Enter the remote log host port if Enable Remote Log is selected.
 Chapter 12 MaintenanceBM2022 Users Guide 189Click Maintenance > LOG > Log Display to open this screen as shown next.Figure 111   Log Display ScreenThis screen contains the following fields:12.19  Ping TestUse this screen to test network connectivity using ping.Click Maintenance > Network Test > Ping to open this screen as shown next.Figure 112   Ping ScreenThis screen contains the following fields:Table 93   Log DisplayLABEL DESCRIPTIONDisplay Level Select the type of logs to display from this menu.Refresh Click this to refresh the logs in the display window.Table 94   PingLABEL DESCRIPTIONIP Address Enter the IP address or domain name of a target device to which this test will send.Ping Click this to start the test. The result will show at the bottom of the screen.
Chapter 12 MaintenanceBM2022 Users Guide19012.20  Traceroute TestUse this screen to test network connectivity using traceroute.Click Maintenance > Network Test > Traceroute to open this screen as shown next.Figure 113   Traceroute ScreenThis screen contains the following fields:12.21  AboutThis screen displays information about the BM2022 that can be useful when upgrading firmware, considering deployment options, and working with technical support if the device encounters difficulties.Click Maintenance > About to open this screen as shown next.Figure 114   About ScreenTable 95   TracerouteLABEL DESCRIPTIONIP Address Enter the IP address or domain name of a target device to which this test will send.Traceroute Click this to start the test. The result will show at the bottom of the screen.
 Chapter 12 MaintenanceBM2022 Users Guide 191This screen contains the following fields:12.22  RebootUse this screen to perform a software restart of the WiMAX Device. You may log in again within a few minutes of using the reboot button.Click Maintenance > Reboot to open this screen as shown next.Figure 115   Reboot ScreenThis screen contains the following fields:Table 96   AboutLABEL DESCRIPTIONSystem Model NameThis field displays the BM2022 system name. It is used for identification. Software Version This field displays the Web Configurator software version that the BM2022 is currently running.CROM Version This field displays the CROM version number.Firmware Version This field displays the current version of the firmware inside the device.Firmware Date This field displays the date the firmware version was created. Bootloader VersionThis field displays the bootloader version.Table 97   RebootLABEL DESCRIPTIONReboot Click this button to have the device perform a software restart. The Power LED blinks as it restarts and the shines steadily if the restart is successful.Note: Wait one minute before logging back into the BM2022 after a restart.
Chapter 12 MaintenanceBM2022 Users Guide192
BM2022 Users Guide 193CHAPTER   13TroubleshootingThis chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories:Power, Hardware Connections, and LEDsBM2022 Access and LoginInternet AccessReset the BM2022 to Its Factory Defaults13.1  Power, Hardware Connections, and LEDsThe BM2022 does not turn on. None of the LEDs turn on.1Make sure you are using the power adapter or cord included with the BM2022.2Make sure the power adapter or cord is connected to the BM2022 and plugged in to an appropriate power source. Make sure the power source is turned on.3Disconnect and re-connect the power adapter or cord to the BM2022.4If the problem continues, contact the vendor.One of the LEDs does not behave as expected.1Make sure you understand the normal behavior of the LED. See Section 1.2.1 on page 19 for more information.2Check the hardware connections. See the Quick Start Guide.3Inspect your cables for damage. Contact the vendor to replace any damaged cables.4Disconnect and re-connect the power adapter to the BM2022.5If the problem continues, contact the vendor.
Chapter 13 TroubleshootingBM2022 Users Guide19413.2  BM2022 Access and LoginI forgot the IP address for the BM2022.1The default IP address is 192.168.1.1.2If you changed the IP address and have forgotten it, you might get the IP address of the BM2022 by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the BM2022 (it depends on the network), so enter this IP address in your Internet browser.3If this does not work, you have to reset the BM2022 to its factory defaults. See Section 12.16 on page 187.I forgot the password.1The default password is 1234.2If this does not work, you have to reset the BM2022 to its factory defaults. See Section 12.16 on page 187.I cannot see or access the Login screen in the web configurator.1Make sure you are using the correct IP address. The default IP address is 192.168.1.1. If you changed the IP address (Section 7.6 on page 98), use the new IP address. If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the BM2022.2Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 19.3Make sure your Internet browser does not block pop-up windows and has JavaScript and Java enabled. See Appendix C on page 233.4If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. Your BM2022 is a DHCP server by default.If there is no DHCP server on your network, make sure your computers IP address is in the same subnet as the BM2022. See Appendix D on page 243.5Reset the BM2022 to its factory defaults, and try to access the BM2022 with the default IP address. See Chapter 2 on page 21.
 Chapter 13 TroubleshootingBM2022 Users Guide 1956If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.Advanced Suggestions Try to access the BM2022 using another service, such as Telnet. If you can access the BM2022, check the remote management settings and firewall rules to find out why the BM2022 does not respond to HTTP. If your computer is connected wirelessly, use a computer that is connected to a LAN/ETHERNET port.I can see the Login screen, but I cannot log in to the BM2022.1Make sure you have entered the user name and password correctly. The default user name is admin, and the default password is 1234. These fields are case-sensitive, so make sure [Caps Lock] is not on.2You cannot log in to the web configurator while someone is using Telnet to access the BM2022. Log out of the BM2022 in the other session, or ask the person who is logged in to log out.3Disconnect and re-connect the power adapter or cord to the BM2022.4If this does not work, you have to reset the BM2022 to its factory defaults. See Section 12.16 on page 187.I cannot Telnet to the BM2022.See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.13.3  Internet AccessI cannot access the Internet.1Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 19.2Make sure you entered your ISP account information correctly in the wizard. These fields are case-sensitive, so make sure [Caps Lock] is not on.3Check your security settings. See Chapter 8 on page 121.
Chapter 13 TroubleshootingBM2022 Users Guide1964Check your WiMAX settings. The BM2022 may have been set to search the wrong frequencies for a wireless connection. See Chapter 6 on page 65. If you are unsure of the correct values, contact your service provider.5Disconnect all the cables from your BM2022, and follow the directions in the Quick Start Guide again.6If the problem continues, contact your ISP.I cannot access the Internet any more. I had access to the Internet (with the BM2022), but my Internet connection is not available any more.1Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 19.2Disconnect and re-connect the power adapter to the BM2022. 3If the problem continues, contact your ISP.The Internet connection is slow or intermittent.1The quality of the BM2022s wireless connection to the base station may be poor. Poor signal reception may be improved by moving the BM2022 away from thick walls and other obstructions, or to a higher floor in your building. 2There may be radio interference caused by nearby electrical devices such as microwave ovens and radio transmitters. Move the BM2022 away or switch the other devices off. Weather conditions may also affect signal quality.3There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.2.1 on page 19. If the BM2022 is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications.4Disconnect and re-connect the power adapter to the BM2022.5If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.The Internet connection disconnects.1Check your WiMAX link and signal strength using the Strength Indicator LEDs on the device.2Contact your ISP if the problem persists.
 Chapter 13 TroubleshootingBM2022 Users Guide 19713.4  Reset the BM2022 to Its Factory DefaultsIf you reset the BM2022, you lose all of the changes you have made. The BM2022 re-loads its default settings, and the password resets to 1234. You have to make all of your changes again.You will lose all of your changes when you push the Reset button.To reset the BM2022,1Make sure the Power LED is on and not blinking.2Press and hold the Reset button for five to ten seconds. Release the Reset button when the Power LED begins to blink. The default settings have been restored.If the BM2022 restarts automatically, wait for the BM2022 to finish restarting, and log in to the web configurator. The password is 1234.If the BM2022 does not restart automatically, disconnect and reconnect the BM2022s power. Then, follow the directions above again.13.4.1  Pop-up Windows, JavaScript and Java PermissionsPlease see Appendix C on page 233.
Chapter 13 TroubleshootingBM2022 Users Guide198
BM2022 Users Guide 199CHAPTER   14Product SpecificationsThis chapter gives details about your BM2022s hardware and firmware features.                     Table 98   Environmental and Hardware SpecificationsFEATURE DESCRIPTIONOperating Temperature 0C to 45CStorage Temperature -25C to 55COperating Humidity 10% to 95% (non-condensing)Storage Humidity  10% to 95% (non-condensing)Power Supply 12V DC, 1APower consumption Less than 12WEthernet Interface One auto-negotiating, auto-MDI/MDI-X NWay 10/100 Mbps RJ-45 Ethernet portTelephony Interface One analog ATA interface for standard telephones through RJ-11 FXS (Foreign Exchange Subscriber) analog connectorAntenna 6 +/- 0.5dBi internal antennaWeight 600 gDimensions 165 mm (W) x 25 mm (D) x 260 mm (H)Certification FCCCNC Comply with WiMAX Forum Wave II standard. EEE (Proposal for Directive on Environmental Impacts of Electrical and Electronic Equipment).EMCo EN 301 489-1 and EN 301 489-17. Emission class B. Transportation Shock and Vibrationo EN 300 019-2-2, Public transportation 2002/95/EC (RoHS) Restriction of Hazardous Substances Directive 2002/96/EC (WEEE) (WEEE) Waste Electrical and Electronic Equipment Directive European Parliament and Council Directive 94/62/EC of 20 December 1994 on packaging and packaging wasteTable 99   Radio SpecificationsFEATURE DESCRIPTIONMedia Access Protocol IEEE 802.16e-2005WiMAX Bandwidth 2.5 GHzData Rate Aggregate throughput: up to 20 mbpsUpload: 5 mbps
Chapter 14 Product SpecificationsBM2022 Users Guide200Modulation QPSK (uplink and downlink)16-QAM (uplink and downlink)64-QAM (downlink only)Output Power Typically 26.5 dBm with internal antennasDuplex mode Time Division Duplex (TDD)Security PKMv2EAP TLS based device authenticationEAP-TTLS/CHAP/PAP/MSCHAP/MSCHAPv2CMAC message autenticationCCM mode 128-bit AES data cipheringDevice authenticationWiMAX Forum X.509 certificatesTable 100   Firmware SpecificationsFEATURE DESCRIPTIONWeb-based Configuration and Management ToolAlso known as the web configurator, this is a firmware-based management solution for the BM2022. You must connect using a compatible web browser in order to use it.High Speed Wireless Internet AccessThe BM2022 is ideal for high-speed wireless Internet browsing. WiMAX (Worldwide Interoperability for Microwave Access) is a wireless networking standard providing high-bandwidth, wide-range secured wireless service. The BM2022 is a WiMAX mobile station (MS) compatible with the IEEE 802.16e standard. Firewall The BM2022 is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The BM2022s firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.Content Filtering The BM2022 can block access to web sites containing specified keywords. 
You can define time periods and days during which content filtering is enabled and include or exclude a range of users on the LAN from content filtering.
Network Address Translation (NAT): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
Universal Plug and Play (UPnP): Your device and other UPnP enabled devices can use the standard TCP/IP protocol to dynamically join a network, obtain an IP address and convey their capabilities to each other.
Dynamic DNS Support: With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
 Chapter 14 Product SpecificationsBM2022 Users Guide 201DHCP DHCP (Dynamic Host Configuration Protocol) allows the individual clients (computers) to obtain the TCP/IP configuration at start-up from a centralized DHCP server. Your device has built-in DHCP server capability enabled by default. It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. Your device can also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the clients.IP Alias IP alias allows you to partition a physical network into logical networks over the same Ethernet interface. Your device supports three logical LAN interfaces via its single physical Ethernet interface with the your device itself as the gateway for each LAN network.Multiple SIP Accounts You can configure multiple voice (SIP) accounts.SIP ALG Your device is a SIP Application Layer Gateway (ALG). It allows VoIP calls to pass through NAT for devices behind it (such as a SIP-based VoIP software application on a computer). Dynamic Jitter Buffer The built-in adaptive buffer helps to smooth out the variations in delay (jitter) for voice traffic (up to 60 ms). This helps ensure good voice quality for your conversations.Voice Activity Detection/Silence SuppressionVoice Activity Detection (VAD) reduces the bandwidth that a call uses by not transmitting when you are not speaking. Comfort Noise Generation Your device generates background noise to fill moments of silence when the other device in a call stops transmitting because the other party is not speaking (as total silence could easily be mistaken for a lost connection). Echo Cancellation  You device supports G.168 of at least 24 ms.This an ITU-T standard for eliminating the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.Time and Date Get the current time and date from an external server when you turn on your BM2022. 
You can also set the time manually.
Logging: Use the BM2022's logging feature to view connection history, surveillance logs, and error messages.
Codecs: G.711 (PCM μ-law and a-law), G729, G.729a
Fax Support: T.38 FAX relay (FAX over UDP). G.711 fax relay for fax calls and be able to renegotiate codec to G.711 if a fax call is detected.
Ring Tones: Supports different distinctive ring tones on each line.
Call Prioritization: Prioritize VoIP traffic originating from the RJ-11 ports over any other traffic.

Table 101   Standards Supported
STANDARD: DESCRIPTION
RFC 768: User Datagram Protocol
RFC 791: Internet Protocol v4
RFC 792: Internet Control Message Protocol
RFC 792: Transmission Control Protocol
RFC 826: Address Resolution Protocol
RFC 854: Telnet Protocol
RFC 1112: IGMPv2
RFC 1349: Type of Service Protocol
Chapter 14 Product SpecificationsBM2022 Users Guide202RFC 1706 DNS NSAP Resource RecordsRFC 1889 Real-time Transport Protocol (RTP)RFC 1890 Real-time Transport Control Protocol (RTCP)RFC 2030 Simple Network Time ProtocolRFC 2104 HMAC: Keyed-Hashing for Message AuthenticationRFC 2236 IGMPv2RFC 2131 Dynamic Host Configuration ProtocolRFC 2401 Security Architecture for the Internet ProtocolRFC 2409 Internet Key ExchangeRFC 2475 Architecture for Differentiated Services (Diffserv)RFC 2543 SIP ProtocolRFC 2617 Hypertext Transfer Protocol (HTTP) Authentication: Basic and Digest Access Authentication RFC 2782 A DNS RR for specifying the location of services (DNS SRV)RFC 2833 Real-time Transport Protocol Payload for DTMF Digits, Telephony Tones and Telephony SignalsRFC 2976 The SIP INFO MethodRFC 3261 Session Initiation Protocol (SIP version 2)RFC 3262 Reliability of Provisional Responses in the Session Initiation Protocol (SIP).RFC 3263 Session Initiation Protocol (SIP): Locating SIP ServersRFC 3264 An Offer/Answer Model with the Session Description Protocol (SDP)RFC 3265 Session Initiation Protocol (SIP)-Specific Event NotificationRFC 3323 A Privacy Mechanism for SIPRFC 3325 Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted NetworksRFC 3489 NAT Traversal - STUNRFC 3550 RTP - A Real Time Protocol for Real-Time Applications RFC 3581 An Extension to the Session Initiation Protocol (SIP) for Symmetric Response RoutingRFC 3611 RTP Control Protocol Extended Reports (RTCP XR)-XRRFC 3715 IP Sec/NAT CompatibilityRFC 3842 A Message Summary and Message Waiting Indication Event Package for the Session Initiation Protocol (SIP)IEEE 802.3 10BASE5 10 Mbit/s (1.25 MB/s)IEEE 802.3u 100BASE-TX, 100BASE-T4, 100BASE-FX Fast Ethernet at 100 Mbit/s (12.5 MB/s) with auto-negotiationTable 101   Standards Supported  (continued)STANDARD DESCRIPTION
 Chapter 14 Product SpecificationsBM2022 Users Guide 203Table 102   Voice FeaturesCall Park and Pickup Call park and pickup lets you put a call on hold (park) and then continue the call (pickup). The caller must still pay while the call is parked.When you park the call, you enter a number of your choice (up to eight digits), which you must enter again when you pick up the call. If you do not enter the correct number, you cannot pickup the call. This means that only someone who knows the number you have chosen can pick up the call. You can have more than one call on hold at the same time, but you must give each call a different number.Call Return With call return, you can place a call to the last number that called you (either answered or missed). The last incoming call can be through either SIP or PSTN.Country Code Phone standards and settings differ from one country to another, so the settings on your BM2022 must be configured to match those of the country you are in. The country code feature allows you to do this by selecting the country from a list rather than changing each setting manually. Configure the country code feature when you move the BM2022 from one country to another.Do not Disturb (DnD)This feature allows you to set your phone not to ring when someone calls you. You can set each phone independently using its keypad, or configure global settings for all phones using the command line interpreter.Auto Dial You can set the BM2022 to automatically dial a specified number immediately whenever you lift a phone off the hook. Use the Web Configurator to set the specified number. Use the command line interpreter to have the BM2022 wait a specified length of time before dialing the number. Phone config The phone configuration table allows you to customize the phone keypad combinations you use to access certain features on the BM2022, such as call waiting, call return, call forward, etc. 
The phone configuration table is configurable in command interpreter mode.
Firmware update enable / disable: If your service provider uses this feature, you hear a recorded message when you pick up the phone when new firmware is available for your BM2022. Enter *99# in your phone's keypad to have the BM2022 upgrade the firmware, or enter #99# to not upgrade. If your service provider gave you different numbers to use, enter them instead. If you enter the code to not upgrade, you can make a call as normal. You will hear the recording again each time you pick up the phone, until you upgrade.
Call waiting: This feature allows you to hear an alert when you are already using the phone and another person calls you. You can then either reject the new incoming call, put your current call on hold and receive the new incoming call, or end the current call and receive the new incoming call.
Call forwarding: With this feature, you can set the BM2022 to forward calls to a specified number, either unconditionally (always), when your number is busy, or when you do not answer. You can also forward incoming calls from one specified number to another.
Caller ID: The BM2022 supports caller ID, which allows you to see the originating number of an incoming call (on a phone with a suitable display).
REN: A Ringer Equivalence Number (REN) is used to determine the number of devices (like telephones or fax machines) that may be connected to the telephone line. Your device has a REN of three, so it can support three devices per telephone port.
QoS (Quality of Service): Quality of Service (QoS) mechanisms help to provide better service on a per-flow basis. Your device supports Type of Service (ToS) tagging and Differentiated Services (DiffServ) tagging. This allows the device to tag voice frames so they can be prioritized over the network.
Chapter 14 Product SpecificationsBM2022 Users Guide204Note: To take full advantage of the supplementary phone services available through the BM2022's phone port, you may need to subscribe to the services from your voice account service provider. Not all features are supported by all service providers. Consult your service provider for more information.SIP ALG Your device is a SIP Application Layer Gateway (ALG). It allows VoIP calls to pass through NAT for devices behind it (such as a SIP-based VoIP software application on a computer). Other Voice FeaturesSIP version 2 (Session Initiating Protocol RFC 3261)SDP (Session Description Protocol RFC 2327)RTP (RFC 1889)RTCP (RFC 1890)Voice codecs (coder/decoders) G.711, G.726,  G.729Fax and data modem discriminationDTMF Detection and GenerationDTMF: In-band and Out-band traffic (RFC 2833),(PCM), (SIP INFO) Point-to-point call establishment between two IADs Quick dialing through predefined phone book, which maps the phone dialing number and destination URL.Flexible Dial Plan (RFC3525 section 7.1.14)Table 103   Star (*) and Pound (#) Code Support*0 Wireless Operator Services*2 Customer Care Access*66 Repeat Dialing*67 Plus the 10 digit phone number to block Caller ID on a single call basis*69 Return last call received*70 Followed by the 10 digit phone number to cancel Call Waiting on a single call basis *72 Activate Call Forwarding (*72 followed by the 10 digit phone number that is requesting call forwarding service)*720 Activate Call Forwarding (*720 followed by the 10 digit phone number that is requesting deactivation of call forwarding service)*73 Plus the forward to phone number to activate Call Forwarding No Answer (no VM service plan)*730 Deactivate Call Forwarding No Answer *740 Plus the forward to phone number to activate Call Forwarding Busy (no VM service plan)*911/911 Emergency phone number (same as dialing 911)*411/411 Wireless Information ServicesTable 102   Voice Features
BM2022 Users Guide 205APPENDIX   AWiMAX SecurityWireless security is vital to protect your wireless communications. Without it, information transmitted over the wireless network would be accessible to any networking device within range.User Authentication and Data EncryptionThe WiMAX (IEEE 802.16) standard employs user authentication and encryption to ensure secured communication at all times.User authentication is the process of confirming a users identity and level of authorization. Data encryption is the process of encoding information so that it cannot be read by anyone who does not know the code. WiMAX uses PKMv2 (Privacy Key Management version 2) for authentication, and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol) for data encryption. WiMAX supports EAP (Extensible Authentication Protocol, RFC 2486) which allows additional authentication methods to be deployed with no changes to the base station or the mobile or subscriber stations.PKMv2PKMv2 is a procedure that allows authentication of a mobile or subscriber station and negotiation of a public key to encrypt traffic between the MS/SS and the base station. PKMv2 uses standard EAP methods such as Transport Layer Security (EAP-TLS) or Tunneled TLS (EAP-TTLS) for secure communication. In cryptography, a key is a piece of information, typically a string of random numbers and letters, that can be used to lock (encrypt) or unlock (decrypt) a message. Public key encryption uses key pairs, which consist of a public (freely available) key and a private (secret) key. The public key is used for encryption and the private key is used for decryption. You can decrypt a message only if you have the private key. Public key certificates (or digital IDs) allow users to verify each others identity. RADIUSRADIUS is based on a client-server model that supports authentication, authorization and accounting. The base station is the client and the server is the RADIUS server. 
The RADIUS server handles the following tasks:
- Authentication: Determines the identity of the users.
Appendix A WiMAX SecurityBM2022 Users Guide206 AuthorizationDetermines the network services available to authenticated users once they are connected to the network. AccountingKeeps track of the clients network activity. RADIUS is a simple package exchange in which your base station acts as a message relay between the MS/SS and the network RADIUS server. Types of RADIUS MessagesThe following types of RADIUS messages are exchanged between the base station and the RADIUS server for user authentication: Access-RequestSent by an base station requesting authentication. Access-RejectSent by a RADIUS server rejecting access. Access-AcceptSent by a RADIUS server allowing access.  Access-ChallengeSent by a RADIUS server requesting more information in order to allow access. The base station sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the base station and the RADIUS server for user accounting: Accounting-RequestSent by the base station requesting accounting. Accounting-ResponseSent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access. DiameterDiameter (RFC 3588) is a type of AAA server that provides several improvements over RADIUS in efficiency, security, and support for roaming. Security AssociationThe set of information about user authentication and data encryption between two computers is known as a security association (SA). In a WiMAX network, the process of security association has three stages.
 Appendix A WiMAX SecurityBM2022 Users Guide 207 Authorization request and replyThe MS/SS presents its public certificate to the base station. The base station verifies the certificate and sends an authentication key (AK) to the MS/SS. Key request and replyThe MS/SS requests a transport encryption key (TEK) which the base station generates and encrypts using the authentication key.  Encrypted trafficThe MS/SS decrypts the TEK (using the authentication key). Both stations can now securely encrypt and decrypt the data flow.CCMPAll traffic in a WiMAX network is encrypted using CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol). CCMP is based on the 128-bit Advanced Encryption Standard (AES) algorithm. Counter mode refers to the encryption of each block of plain text with an arbitrary number, known as the counter. This number changes each time a block of plain text is encrypted. Counter mode avoids the security weakness of repeated identical blocks of encrypted text that makes encrypted data vulnerable to pattern-spotting.Cipher Block Chaining Message Authentication (also known as CBC-MAC) ensures message integrity by encrypting each block of plain text in such a way that its encryption is dependent on the block before it. This series of chained blocks creates a message authentication code (MAC or CMAC) that ensures the encrypted data has not been tampered with.Authentication The BM2022 supports EAP-TTLS authentication.EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection (with EAP-TLS digital certifications are needed by both the server and the wireless clients for mutual authentication). Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. 
For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
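The RADIUS section above says the shared secret is never sent and that password information is encrypted on the wire. The following added example (not code from this guide or from the device) shows how RFC 2865 does both for an Access-Request and its reply; the user name, password and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 User-Password hiding: XOR with a chain of MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Server side: the same chain recovers the password only with the same secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        clear += xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\0")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data):
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def access_request(identifier, user, password, secret):
    """Client (base station) side: code, identifier, length, 16 random octets, attributes."""
    request_auth = os.urandom(16)
    attrs = attribute(USER_NAME, user)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def reply(code, request, secret, attrs=b""):
    """Server side: the Response Authenticator proves knowledge of the secret."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def reply_is_authentic(response, request, secret):
    """Client side: recompute the Response Authenticator before trusting the reply code."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def server_decide(request, secret, accounts):
    attrs = parse_attributes(request[20:])
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    ok = user in accounts and hmac.compare_digest(accounts[user], password)
    return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"                 # constructed sample value
    accounts = {b"subscriber01": b"correct horse battery"}  # constructed sample account
    req = access_request(7, b"subscriber01", b"correct horse battery", secret)
    resp = server_decide(req, secret, accounts)
    print("reply code:", resp[0], "authentic:", reply_is_authentic(resp, req, secret))
```

Both protections rest entirely on the shared secret, so it should be long and random and unique to each client and server pair.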
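The two properties the CCMP section describes, shown as an added example that is not code from this guide or from the device: counter mode gives different ciphertext for identical plaintext blocks, and the chained CBC-MAC rejects a modified message. Assumptions: Python's standard library has no AES, so `block_fn` uses HMAC-SHA-256 truncated to 16 bytes as a stand-in for the AES-128 block operation, and the block layout (flag byte, 11-byte nonce, 4-byte counter) is chosen for this example and is not the 802.16 frame format.

```python
import hashlib
import hmac
import struct

BLOCK = 16     # block size in bytes, as for AES
TAG_LEN = 8    # length of the transmitted integrity tag (assumption for this example)
NONCE_LEN = 11


def block_fn(key, block):
    """Stand-in for the AES-128 block operation (assumption, see lead-in)."""
    if len(block) != BLOCK:
        raise ValueError("block_fn needs exactly one 16-byte block")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def keystream(key, nonce, counter):
    # Counter mode: every block position gets its own never-repeated input.
    return block_fn(key, b"\x01" + nonce + struct.pack(">I", counter))


def cbc_mac(key, nonce, data):
    # The first block binds the nonce and the length; each later state depends on
    # the previous one, so changing any block changes the final value.
    state = block_fn(key, b"\x02" + nonce + struct.pack(">I", len(data)))
    for blk in split_blocks(data):
        state = block_fn(key, xor(state, blk.ljust(BLOCK, b"\0")))
    return state[:TAG_LEN]


def seal(key, nonce, plaintext):
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 11 bytes")
    tag = cbc_mac(key, nonce, plaintext)
    body = b"".join(xor(blk, keystream(key, nonce, i + 1))
                    for i, blk in enumerate(split_blocks(plaintext)))
    return body + xor(tag, keystream(key, nonce, 0))   # counter 0 protects the tag


def unseal(key, nonce, sealed):
    if len(nonce) != NONCE_LEN or len(sealed) < TAG_LEN:
        raise ValueError("malformed input")
    body, enc_tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    plaintext = b"".join(xor(blk, keystream(key, nonce, i + 1))
                         for i, blk in enumerate(split_blocks(body)))
    tag = xor(enc_tag, keystream(key, nonce, 0))
    if not hmac.compare_digest(tag, cbc_mac(key, nonce, plaintext)):
        raise ValueError("integrity check failed")
    return plaintext


def is_intact(key, nonce, sealed):
    try:
        unseal(key, nonce, sealed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key, nonce = b"k" * 16, b"packet-0001"          # constructed sample values
    message = b"SAME 16-BYTE BLK" * 2               # two identical plaintext blocks
    sealed = seal(key, nonce, message)
    print("ciphertext blocks differ:", sealed[:16] != sealed[16:32])
    damaged = bytes([sealed[0] ^ 0x01]) + sealed[1:]
    print("original accepted:", is_intact(key, nonce, sealed))
    print("modified accepted:", is_intact(key, nonce, damaged))
```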
APPENDIX B
Setting Up Your Computer's IP Address

Note: Your specific Huawei device may not support all of the operating systems described in this appendix. See the product specifications for more information about which operating systems are supported.

This appendix shows you how to configure the IP settings on your computer in order for it to be able to communicate with the other devices on your network. Windows Vista/XP/2000, Mac OS 9/OS X, and all versions of UNIX/LINUX include the software components you need to use TCP/IP on your computer.

If you manually assign IP information instead of using a dynamic IP, make sure that your network's computers have IP addresses that place them in the same subnet.

In this appendix, you can set up an IP address for:

• Windows XP/NT/2000
• Windows Vista
• Mac OS X: 10.3 and 10.4
• Mac OS X: 10.5
• Linux: Ubuntu 8 (GNOME)
• Linux: openSUSE 10.3 (KDE)

Windows XP/NT/2000

The following example uses the default Windows XP display theme but can also apply to Windows 2000 and Windows NT.

1. Click Start > Control Panel.

Figure 116   Windows XP: Start Menu

2. In the Control Panel, click the Network Connections icon.

Figure 117   Windows XP: Control Panel

3. Right-click Local Area Connection and then select Properties.

Figure 118   Windows XP: Control Panel > Network Connections > Properties

4. On the General tab, select Internet Protocol (TCP/IP) and then click Properties.

Figure 119   Windows XP: Local Area Connection Properties

5. The Internet Protocol TCP/IP Properties window opens.

Figure 120   Windows XP: Internet Protocol (TCP/IP) Properties

6. Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically.

   Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided.

7. Click OK to close the Internet Protocol (TCP/IP) Properties window.

   Click OK to close the Local Area Connection Properties window.

Verifying Settings

1. Click Start > All Programs > Accessories > Command Prompt.

2. In the Command Prompt window, type "ipconfig" and then press [ENTER].

   You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information.

Windows Vista

This section shows screens from Windows Vista Professional.

1. Click Start > Control Panel.

Figure 121   Windows Vista: Start Menu

2. In the Control Panel, click the Network and Internet icon.

Figure 122   Windows Vista: Control Panel

3. Click the Network and Sharing Center icon.

Figure 123   Windows Vista: Network And Internet

4. Click Manage network connections.

Figure 124   Windows Vista: Network and Sharing Center

5. Right-click Local Area Connection and then select Properties.

Figure 125   Windows Vista: Network and Sharing Center

Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.

6. Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties.

Figure 126   Windows Vista: Local Area Connection Properties

7. The Internet Protocol Version 4 (TCP/IPv4) Properties window opens.

Figure 127   Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties

8. Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically.

   Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided.

   Click Advanced.

9. Click OK to close the Internet Protocol (TCP/IP) Properties window.

   Click OK to close the Local Area Connection Properties window.

Verifying Settings

1. Click Start > All Programs > Accessories > Command Prompt.

2. In the Command Prompt window, type "ipconfig" and then press [ENTER].

   You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information.

Mac OS X: 10.3 and 10.4

The screens in this section are from Mac OS X 10.4 but can also apply to 10.3.

1. Click Apple > System Preferences.

Figure 128   Mac OS X 10.4: Apple Menu

2. In the System Preferences window, click the Network icon.

Figure 129   Mac OS X 10.4: System Preferences

3. When the Network preferences pane opens, select Built-in Ethernet from the network connection type list, and then click Configure.

Figure 130   Mac OS X 10.4: Network Preferences

4. For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab.

Figure 131   Mac OS X 10.4: Network Preferences > TCP/IP Tab

5. For statically assigned settings, do the following:

   • From the Configure IPv4 list, select Manually.
   • In the IP Address field, type your IP address.
   • In the Subnet Mask field, type your subnet mask.
   • In the Router field, type the IP address of your device.

Figure 132   Mac OS X 10.4: Network Preferences > Ethernet

Click Apply Now and close the window.

Verifying Settings

Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network Interface from the Info tab.

Figure 133   Mac OS X 10.4: Network Utility

Mac OS X: 10.5

The screens in this section are from Mac OS X 10.5.

1. Click Apple > System Preferences.

Figure 134   Mac OS X 10.5: Apple Menu

2. In System Preferences, click the Network icon.

Figure 135   Mac OS X 10.5: Systems Preferences

3. When the Network preferences pane opens, select Ethernet from the list of available connection types.

Figure 136   Mac OS X 10.5: Network Preferences > Ethernet

4. From the Configure list, select Using DHCP for dynamically assigned settings.

5. For statically assigned settings, do the following:

   • From the Configure list, select Manually.
   • In the IP Address field, enter your IP address.
   • In the Subnet Mask field, enter your subnet mask.
   • In the Router field, enter the IP address of your BM2022.

Figure 137   Mac OS X 10.5: Network Preferences > Ethernet

6. Click Apply and close the window.

Verifying Settings

Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network interface from the Info tab.

Figure 138   Mac OS X 10.5: Network Utility

Linux: Ubuntu 8 (GNOME)

This section shows you how to configure your computer's TCP/IP settings in the GNU Object Model Environment (GNOME) using the Ubuntu 8 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default Ubuntu 8 installation.

Note: Make sure you are logged in as the root administrator.

Follow the steps below to configure your computer IP address in GNOME:

1. Click System > Administration > Network.

Figure 139   Ubuntu 8: System > Administration Menu

2. When the Network Settings window opens, click Unlock to open the Authenticate window. (By default, the Unlock button is greyed out until clicked.) You cannot make changes to your configuration unless you first enter your admin password.

Figure 140   Ubuntu 8: Network Settings > Connections

3. In the Authenticate window, enter your admin account name and password, then click the Authenticate button.

Figure 141   Ubuntu 8: Administrator Account Authentication

4. In the Network Settings window, select the connection that you want to configure, then click Properties.

Figure 142   Ubuntu 8: Network Settings > Connections

5. The Properties dialog box opens.

Figure 143   Ubuntu 8: Network Settings > Properties

   • In the Configuration list, select Automatic Configuration (DHCP) if you have a dynamic IP address.
   • In the Configuration list, select Static IP address if you have a static IP address. Fill in the IP address, Subnet mask, and Gateway address fields.

6. Click OK to save the changes and close the Properties dialog box and return to the Network Settings screen.

7. If you know your DNS server IP address(es), click the DNS tab in the Network Settings window and then enter the DNS server information in the fields provided.

Figure 144   Ubuntu 8: Network Settings > DNS

8. Click the Close button to apply the changes.

Verifying Settings

Check your TCP/IP properties by clicking System > Administration > Network Tools, and then selecting the appropriate Network device from the Devices tab. The Interface Statistics column shows data if your connection is working properly.

Figure 145   Ubuntu 8: Network Tools

Linux: openSUSE 10.3 (KDE)

This section shows you how to configure your computer's TCP/IP settings in the K Desktop Environment (KDE) using the openSUSE 10.3 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default openSUSE 10.3 installation.

Note: Make sure you are logged in as the root administrator.

Follow the steps below to configure your computer IP address in the KDE:

1. Click K Menu > Computer > Administrator Settings (YaST).

Figure 146   openSUSE 10.3: K Menu > Computer Menu

2. When the Run as Root - KDE su dialog opens, enter the admin password and click OK.

Figure 147   openSUSE 10.3: K Menu > Computer Menu

3. When the YaST Control Center window opens, select Network Devices and then click the Network Card icon.

Figure 148   openSUSE 10.3: YaST Control Center

4. When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button.

Figure 149   openSUSE 10.3: Network Settings

5. When the Network Card Setup window opens, click the Address tab.

Figure 150   openSUSE 10.3: Network Card Setup

6. Select Dynamic Address (DHCP) if you have a dynamic IP address.

   Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname fields.

7. Click Next to save the changes and close the Network Card Setup window.

8. If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided.

Figure 151   openSUSE 10.3: Network Settings

9. Click Finish to save your settings and close the window.

Verifying Settings

Click the KNetwork Manager icon on the Task bar to check your TCP/IP properties. From the Options sub-menu, select Show Connection Information.

Figure 152   openSUSE 10.3: KNetwork Manager

When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly.

Figure 153   openSUSE: Connection Status - KNetwork Manager

APPENDIX C
Pop-up Windows, JavaScript and Java Permissions

In order to use the web configurator you need to allow:

• Web browser pop-up windows from your device.
• JavaScript (enabled by default).
• Java permissions (enabled by default).

Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device.

Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device's IP address.

Disable Pop-up Blockers

1. In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.

Figure 154   Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.

1. In Internet Explorer, select Tools, Internet Options, Privacy.

2. Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.

Figure 155   Internet Options: Privacy

3. Click Apply to save this setting.

Enable Pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.

1. In Internet Explorer, select Tools, Internet Options and then the Privacy tab.

2. Select Settings to open the Pop-up Blocker Settings screen.

Figure 156   Internet Options: Privacy

3. Type the IP address of your device (the web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.167.1.

4. Click Add to move the IP address to the list of Allowed sites.

Figure 157   Pop-up Blocker Settings

5. Click Close to return to the Privacy screen.

6. Click Apply to save this setting.

JavaScript

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScript is allowed.

1. In Internet Explorer, click Tools, Internet Options and then the Security tab.

Figure 158   Internet Options: Security

2. Click the Custom Level... button.

3. Scroll down to Scripting.

4. Under Active scripting make sure that Enable is selected (the default).

5. Under Scripting of Java applets make sure that Enable is selected (the default).

6. Click OK to close the window.

Figure 159   Security Settings - Java Scripting

Java Permissions

1. From Internet Explorer, click Tools, Internet Options and then the Security tab.

2. Click the Custom Level... button.

3. Scroll down to Microsoft VM.

4. Under Java permissions make sure that a safety level is selected.

5. Click OK to close the window.

Figure 160   Security Settings - Java

JAVA (Sun)

1. From Internet Explorer, click Tools, Internet Options and then the Advanced tab.

2. Make sure that Use Java 2 for <applet> under Java (Sun) is selected.

3. Click OK to close the window.

Figure 161   Java (Sun)

Mozilla Firefox

Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary.

You can enable Java, JavaScript and pop-ups in one screen. Click Tools, then click Options in the screen that appears.

Figure 162   Mozilla Firefox: TOOLS > Options

Click Content to show the screen below. Select the check boxes as shown in the following screen.

Figure 163   Mozilla Firefox Content Security

APPENDIX D
IP Addresses and Subnetting

This appendix introduces IP addresses and subnet masks.

IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.

Introduction to IP Addresses

One part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number - the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered.

Structure

An IP address is made up of four parts, written in dotted decimal notation. Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation).

Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal.

The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.

Figure 164   Network Number and Host ID

How much of the IP address is the network number and how much is the host ID varies according to the subnet mask.

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term subnet is short for sub-network.

A subnet mask has 32 bits. If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID.

The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal).

Table 104   IP Address Network Number and Host ID Example
                       1ST OCTET   2ND OCTET   3RD OCTET   4TH OCTET
                       (192)       (168)       (1)         (2)
IP Address (Binary)    11000000    10101000    00000001    00000010
Subnet Mask (Binary)   11111111    11111111    11111111    00000000
Network Number         11000000    10101000    00000001
Host ID                                                    00000010

By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

Subnet masks can be referred to by the size of the network number part (the bits with a 1 value). For example, an 8-bit mask means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.

Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks.

Table 105   Subnet Masks
              BINARY                                          DECIMAL
              1ST OCTET   2ND OCTET   3RD OCTET   4TH OCTET
8-bit mask    11111111    00000000    00000000    00000000    255.0.0.0
16-bit mask   11111111    11111111    00000000    00000000    255.255.0.0
24-bit mask   11111111    11111111    11111111    00000000    255.255.255.0
29-bit mask   11111111    11111111    11111111    11111000    255.255.255.248

Network Size

The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits.

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example).

As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:

Table 106   Maximum Host Numbers
SUBNET MASK                 HOST ID SIZE   MAXIMUM NUMBER OF HOSTS
8 bits    255.0.0.0         24 bits        2^24 - 2    16777214
16 bits   255.255.0.0       16 bits        2^16 - 2    65534
24 bits   255.255.255.0     8 bits         2^8 - 2     254
29 bits   255.255.255.248   3 bits         2^3 - 2     6

Notation

Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a / followed by the number of bits in the mask after the address.

For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128.

The following table shows some possible subnet masks using both notations.

Table 107   Alternative Subnet Mask Notation
SUBNET MASK       ALTERNATIVE NOTATION   LAST OCTET (BINARY)   LAST OCTET (DECIMAL)
255.255.255.0     /24                    0000 0000             0
255.255.255.128   /25                    1000 0000             128
255.255.255.192   /26                    1100 0000             192
255.255.255.224   /27                    1110 0000             224
255.255.255.240   /28                    1111 0000             240
255.255.255.248   /29                    1111 1000             248
255.255.255.252   /30                    1111 1100             252

Subnetting

You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.

In this example, the company network address is 192.168.1.0. The first three octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 2^8 - 2 or 254 possible hosts.

The following figure shows the company network before subnetting.

Figure 165   Subnetting Example: Before Subnetting

You can borrow one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25).

The borrowed host ID bit can have a value of either 0 or 1, allowing two subnets: 192.168.1.0 /25 and 192.168.1.128 /25.

The following figure shows the company network after subnetting. There are now two sub-networks, A and B.

Figure 166   Subnetting Example: After Subnetting

In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 - 2 or 126 possible hosts (a host ID of all zeroes is the subnet's address itself, all ones is the subnet's broadcast address).

192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126.

Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets

The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to borrow two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.

Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnet's broadcast address).

Table 108   Subnet 1
IP/SUBNET MASK         NETWORK NUMBER                LAST OCTET BIT VALUE
IP Address (Decimal)   192.168.1.                    0
IP Address (Binary)    11000000.10101000.00000001.   00000000
Subnet Mask (Binary)   11111111.11111111.11111111.   11000000
Subnet Address: 192.168.1.0       Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.63   Highest Host ID: 192.168.1.62

Table 109   Subnet 2
IP/SUBNET MASK         NETWORK NUMBER                LAST OCTET BIT VALUE
IP Address             192.168.1.                    64
IP Address (Binary)    11000000.10101000.00000001.   01000000
Subnet Mask (Binary)   11111111.11111111.11111111.   11000000
Subnet Address: 192.168.1.64       Lowest Host ID: 192.168.1.65
Broadcast Address: 192.168.1.127   Highest Host ID: 192.168.1.126

Table 110   Subnet 3
IP/SUBNET MASK         NETWORK NUMBER                LAST OCTET BIT VALUE
IP Address             192.168.1.                    128
IP Address (Binary)    11000000.10101000.00000001.   10000000
Subnet Mask (Binary)   11111111.11111111.11111111.   11000000
Subnet Address: 192.168.1.128      Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191   Highest Host ID: 192.168.1.190

Table 111   Subnet 4
IP/SUBNET MASK         NETWORK NUMBER                LAST OCTET BIT VALUE
IP Address             192.168.1.                    192
IP Address (Binary)    11000000.10101000.00000001.   11000000
Subnet Mask (Binary)   11111111.11111111.11111111.   11000000
Subnet Address: 192.168.1.192      Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255   Highest Host ID: 192.168.1.254

Example: Eight Subnets

Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111).

The following table shows IP address last octet values for each subnet.

Table 112   Eight Subnets
SUBNET   SUBNET ADDRESS   FIRST ADDRESS   LAST ADDRESS   BROADCAST ADDRESS
1        0                1               30             31
2        32               33              62             63
3        64               65              94             95
4        96               97              126            127
5        128              129             158            159
6        160              161             190            191
7        192              193             222            223
8        224              225             254            255

Subnet Planning

The following table is a summary for subnet planning on a network with a 24-bit network number.

Table 113   24-bit Network Number Subnet Planning
NO. BORROWED HOST BITS   SUBNET MASK             NO. SUBNETS   NO. HOSTS PER SUBNET
1                        255.255.255.128 (/25)   2             126
2                        255.255.255.192 (/26)   4             62
3                        255.255.255.224 (/27)   8             30
4                        255.255.255.240 (/28)   16            14
5                        255.255.255.248 (/29)   32            6
6                        255.255.255.252 (/30)   64            2
7                        255.255.255.254 (/31)   128           1

The following table is a summary for subnet planning on a network with a 16-bit network number.

Table 114   16-bit Network Number Subnet Planning
NO. BORROWED HOST BITS   SUBNET MASK             NO. SUBNETS   NO. HOSTS PER SUBNET
1                        255.255.128.0 (/17)     2             32766
2                        255.255.192.0 (/18)     4             16382
3                        255.255.224.0 (/19)     8             8190
4                        255.255.240.0 (/20)     16            4094
5                        255.255.248.0 (/21)     32            2046
6                        255.255.252.0 (/22)     64            1022
7                        255.255.254.0 (/23)     128           510
8                        255.255.255.0 (/24)     256           254
9                        255.255.255.128 (/25)   512           126
10                       255.255.255.192 (/26)   1024          62
11                       255.255.255.224 (/27)   2048          30
12                       255.255.255.240 (/28)   4096          14
13                       255.255.255.248 (/29)   8192          6
14                       255.255.255.252 (/30)   16384         2
15                       255.255.255.254 (/31)   32768         1

Configuring IP Addresses

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Numbers Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the BM2022.

Once you have decided on the network number, pick an IP address for your BM2022 that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your BM2022 will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the BM2022 unless you are instructed to do otherwise.

Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:

• 10.0.0.0 - 10.255.255.255
• 172.16.0.0 - 172.31.255.255
• 192.168.0.0 - 192.168.255.255

You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
 Appendix D IP Addresses and SubnettingBM2022 Users Guide 251IP Address ConflictsEach device on a network must have a unique IP address. Devices with duplicate IP addresses on the same network will not be able to access the Internet or other resources. The devices may also be unreachable through the network. Conflicting Computer IP Addresses ExampleMore than one device can not use the same IP address. In the following example computer A has a static (or fixed) IP address that is the same as the IP address that a DHCP server assigns to computer B which is a DHCP client. Neither can access the Internet. This problem can be solved by assigning a different static IP address to computer A or setting computer A to obtain an IP address automatically.  Figure 167   Conflicting Computer IP Addresses ExampleConflicting Router IP Addresses ExampleSince a router connects different networks, it must have interfaces using different network numbers. For example, if a router is set between a LAN and the Internet (WAN), the routers LAN and WAN addresses must be on different subnets. In the following example, the LAN and WAN are on the same subnet. The LAN computers cannot access the Internet because the router cannot route between networks.Figure 168   Conflicting Computer IP Addresses Example
Conflicting Computer and Router IP Addresses Example

Two devices cannot use the same IP address. In the following example, the computer and the router's LAN port both use 192.168.1.1 as the IP address. The computer cannot access the Internet. This problem can be solved by assigning a different IP address to the computer or the router's LAN port.

Figure 169   Conflicting Computer and Router IP Addresses Example
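The three conflict cases above can be checked against an address plan before it is deployed. The following is an added example, not part of the original guide; the host names and addresses in the inventory are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory mirroring the three conflict cases above.
# Names and addresses are illustrative assumptions, not a real network.
HOSTS = [
    ("computer A (static)", "192.168.1.33/24"),
    ("computer B (DHCP client)", "192.168.1.33/24"),
    ("computer C (static)", "192.168.1.1/24"),
    ("router LAN port", "192.168.1.1/24"),
    ("printer (static)", "192.168.1.50/24"),
]
ROUTER_BAD = {"lan": "192.168.1.1/24", "wan": "192.168.1.200/24"}
ROUTER_OK = {"lan": "192.168.1.1/24", "wan": "10.0.0.2/30"}


def duplicate_addresses(hosts):
    """Return {ip: [device names]} for every address claimed more than once."""
    seen = defaultdict(list)
    for name, cidr in hosts:
        seen[ipaddress.ip_interface(cidr).ip].append(name)
    return {str(ip): names for ip, names in seen.items() if len(names) > 1}


def router_subnets_overlap(router):
    """True when the router's LAN and WAN interfaces sit on overlapping subnets."""
    lan = ipaddress.ip_interface(router["lan"]).network
    wan = ipaddress.ip_interface(router["wan"]).network
    return lan.overlaps(wan)


def audit(hosts, router):
    """Collect one human-readable finding per conflict."""
    findings = []
    for ip, names in duplicate_addresses(hosts).items():
        findings.append(f"{ip} is claimed by: {', '.join(names)}")
    if router_subnets_overlap(router):
        findings.append(
            f"router LAN {router['lan']} and WAN {router['wan']} "
            "are on overlapping subnets"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(HOSTS, ROUTER_BAD):
        print(finding)
```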
BM2022 Users Guide 253APPENDIX   EImporting CertificatesThis appendix shows you how to import public key certificates into your web browser. Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar. If they match, then the certificate is issued to the website operator, who then places it on the site to be issued to all visiting web browsers to let them know that the site is legitimate.Many Huawei products issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it. However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the Huawei-created certificate into your web browser and flag that certificate as a trusted authority.Note: You can see if you are browsing on a secure website if the URL in your web browsers address bar begins with  https:// or there is a sealed padlock icon ( ) somewhere in the main browser window (not all browsers show the padlock in the same location.)In this appendix, you can import a public key certificate for: Internet Explorer on page 254 Firefox on page 262Opera on page 267 Konqueror on page 274
Internet Explorer

The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, the screens can also apply to Internet Explorer on Windows Vista.

1. If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

Figure 170   Internet Explorer 7: Certification Error

2. Click Continue to this website (not recommended).

Figure 171   Internet Explorer 7: Certification Error

3. In the Address Bar, click Certificate Error > View certificates.

Figure 172   Internet Explorer 7: Certificate Error

4. In the Certificate dialog box, click Install Certificate.

Figure 173   Internet Explorer 7: Certificate

5. In the Certificate Import Wizard, click Next.

Figure 174   Internet Explorer 7: Certificate Import Wizard

6. If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9.

Figure 175   Internet Explorer 7: Certificate Import Wizard

7. Otherwise, select Place all certificates in the following store and then click Browse.

Figure 176   Internet Explorer 7: Certificate Import Wizard

8. In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.

Figure 177   Internet Explorer 7: Select Certificate Store

9. In the Completing the Certificate Import Wizard screen, click Finish.

Figure 178   Internet Explorer 7: Certificate Import Wizard

10. If you are presented with another Security Warning, click Yes.

Figure 179   Internet Explorer 7: Security Warning

11. Finally, click OK when presented with the successful certificate installation message.

Figure 180   Internet Explorer 7: Certificate Import Wizard

12. The next time you start Internet Explorer and go to a Huawei web configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information.

Figure 181   Internet Explorer 7: Website Identification
Installing a Stand-Alone Certificate File in Internet Explorer

Rather than browsing to a Huawei web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1. Double-click the public key certificate file.

Figure 182   Internet Explorer 7: Public Key Certificate File

2. In the security warning dialog box, click Open.

Figure 183   Internet Explorer 7: Open File - Security Warning

3. Refer to steps 4-12 in the Internet Explorer procedure to complete the installation process.
Removing a Certificate in Internet Explorer

This section shows you how to remove a public key certificate in Internet Explorer 7.

1. Open Internet Explorer and click TOOLS > Internet Options.

Figure 184   Internet Explorer 7: Tools Menu

2. In the Internet Options dialog box, click Content > Certificates.

Figure 185   Internet Explorer 7: Internet Options

3. In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.

Figure 186   Internet Explorer 7: Certificates

4. In the Certificates confirmation, click Yes.

Figure 187   Internet Explorer 7: Certificates

5. In the Root Certificate Store dialog box, click Yes.

Figure 188   Internet Explorer 7: Root Certificate Store

6. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Firefox

The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.

1. If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2. Select Accept this certificate permanently and click OK.

Figure 189   Firefox 2: Website Certified by an Unknown Authority

3. The certificate is stored and you can now connect securely to the web configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page's security information.

Figure 190   Firefox 2: Page Info
Installing a Stand-Alone Certificate File in Firefox

Rather than browsing to a Huawei web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1. Open Firefox and click TOOLS > Options.

Figure 191   Firefox 2: Tools Menu

2. In the Options dialog box, click ADVANCED > Encryption > View Certificates.

Figure 192   Firefox 2: Options

3. In the Certificate Manager dialog box, click Web Sites > Import.

Figure 193   Firefox 2: Certificate Manager

4. Use the Select File dialog box to locate the certificate and then click Open.

Figure 194   Firefox 2: Select File

5. The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information.
Removing a Certificate in Firefox

This section shows you how to remove a public key certificate in Firefox 2.

1. Open Firefox and click TOOLS > Options.

Figure 195   Firefox 2: Tools Menu

2. In the Options dialog box, click ADVANCED > Encryption > View Certificates.

Figure 196   Firefox 2: Options

3. In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete.

Figure 197   Firefox 2: Certificate Manager

4. In the Delete Web Site Certificates dialog box, click OK.

Figure 198   Firefox 2: Delete Web Site Certificates

5. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Opera

The following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms.

1. If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2. Click Install to accept the certificate.

Figure 199   Opera 9: Certificate signer not found

3. The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details.

Figure 200   Opera 9: Security information
Installing a Stand-Alone Certificate File in Opera

Rather than browsing to a Huawei web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1. Open Opera and click TOOLS > Preferences.

Figure 201   Opera 9: Tools Menu

2. In Preferences, click ADVANCED > Security > Manage certificates.

Figure 202   Opera 9: Preferences

3. In the Certificates Manager, click Authorities > Import.

Figure 203   Opera 9: Certificate manager

4. Use the Import certificate dialog box to locate the certificate and then click Open.

Figure 204   Opera 9: Import certificate

5. In the Install authority certificate dialog box, click Install.

Figure 205   Opera 9: Install authority certificate

6. Next, click OK.

Figure 206   Opera 9: Install authority certificate

7. The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details.
Removing a Certificate in Opera

This section shows you how to remove a public key certificate in Opera 9.

1. Open Opera and click TOOLS > Preferences.

Figure 207   Opera 9: Tools Menu

2. In Preferences, click ADVANCED > Security > Manage certificates.

Figure 208   Opera 9: Preferences

3. In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete.

Figure 209   Opera 9: Certificate manager

4. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Note: There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.
Konqueror

The following example uses Konqueror 3.5 on openSUSE 10.3; however, the screens apply to Konqueror 3.5 on all Linux KDE distributions.

1. If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2. Click Continue.

Figure 210   Konqueror 3.5: Server Authentication

3. Click Forever when prompted to accept the certificate.

Figure 211   Konqueror 3.5: Server Authentication

4. Click the padlock in the address bar to open the KDE SSL Information window and view the web page's security details.

Figure 212   Konqueror 3.5: KDE SSL Information
Installing a Stand-Alone Certificate File in Konqueror

Rather than browsing to a Huawei web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1. Double-click the public key certificate file.

Figure 213   Konqueror 3.5: Public Key Certificate File

2. In the Certificate Import Result - Kleopatra dialog box, click OK.

Figure 214   Konqueror 3.5: Certificate Import Result

The public key certificate appears in the KDE certificate manager, Kleopatra.

Figure 215   Konqueror 3.5: Kleopatra

3. The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page's security details.
Removing a Certificate in Konqueror

This section shows you how to remove a public key certificate in Konqueror 3.5.

1. Open Konqueror and click Settings > Configure Konqueror.

Figure 216   Konqueror 3.5: Settings Menu

2. In the Configure dialog box, select Crypto.

3. On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove.

Figure 217   Konqueror 3.5: Configure

4. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
BM2022 Users Guide 279APPENDIX   FCommon ServicesThe following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP protocol number, not the port number.Port(s): This value depends on the Protocol. Please refer to RFC 1700 for further information about port numbers.If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number.If the Protocol is USER, this is the IP protocol number.Description: This is a brief explanation of the applications that use this service or the situations in which this service is used.Table 115   Commonly Used ServicesNAME PROTOCOL PORT(S) DESCRIPTIONAH (IPSEC_TUNNEL)User-Defined 51 The IPSEC AH (Authentication Header) tunneling protocol uses this service.AIM/New-ICQ TCP 5190 AOLs Internet Messenger service. 
It is also used as a listening port by ICQ.AUTH TCP 113 Authentication protocol used by some servers.BGP TCP 179 Border Gateway Protocol.BOOTP_CLIENT UDP 68 DHCP Client.BOOTP_SERVER UDP 67 DHCP Server.CU-SEEME TCPUDP764824032A popular videoconferencing solution from White Pines Software.DNS TCP/UDP 53 Domain Name Server, a service that matches web names (for example www.huawei.com) to IP numbers.ESP (IPSEC_TUNNEL)User-Defined 50 The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.FTP TCPTCP2021File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.H.323 TCP 1720 NetMeeting uses this protocol.
Appendix F Common ServicesBM2022 Users Guide280HTTP TCP 80 Hyper Text Transfer Protocol - a client/server protocol for the world wide web.HTTPS TCP 443 HTTPS is a secured http session often used in e-commerce.ICMP User-Defined 1Internet Control Message Protocol is often used for diagnostic or routing purposes.ICQ UDP 4000 This is a popular Internet chat program.IGMP (MULTICAST) User-Defined 2Internet Group Management Protocol is used when sending packets to a specific group of hosts.IKE UDP 500 The Internet Key Exchange algorithm is used for key distribution and management.IRC TCP/UDP 6667 This is another popular Internet chat program.MSN Messenger TCP 1863 Microsoft Networks messenger service uses this protocol. NEW-ICQ TCP 5190 An Internet chat program.NEWS  TCP 144 A protocol for news groups.NFS UDP 2049 Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments.NNTP TCP 119 Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.PING User-Defined 1Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).PPTP TCP 1723 Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.PPTP_TUNNEL (GRE)User-Defined 47 PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel.RCMD TCP 512 Remote Command Service.REAL_AUDIO TCP 7070 A streaming audio service that enables real time sound over the web.REXEC TCP 514 Remote Execution Daemon.RLOGIN TCP 513 Remote Login.RTELNET TCP 107 Remote Telnet.RTSP TCP/UDP 554 The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. 
SFTP TCP 115 Simple File Transfer Protocol.Table 115   Commonly Used Services (continued)NAME PROTOCOL PORT(S) DESCRIPTION
 Appendix F Common ServicesBM2022 Users Guide 281SMTP TCP 25 Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.SNMP TCP/UDP 161 Simple Network Management Program.SNMP-TRAPS TCP/UDP 162 Traps for use with the SNMP (RFC:1215).SQL-NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.SSH TCP/UDP 22 Secure Shell Remote Login Program.STRM WORKS UDP 1558 Stream Works Protocol.SYSLOG UDP 514 Syslog allows you to send system logs to a UNIX server.TACACS UDP 49 Login Host Protocol used for (Terminal Access Controller Access Control System).TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).VDOLIVE TCP 7000 Another videoconferencing solution.Table 115   Commonly Used Services (continued)NAME PROTOCOL PORT(S) DESCRIPTION
 IndexBM2022 Users Guide 283IndexAAAA 66AbS 148accounting serversee AAAACK message 165activity 66Advanced Encryption Standardsee AESAES 207AH 140ALG 93algorithms 140alternative subnet mask notation 246analysis-by-synthesis 148Application Layer Gatewaysee ALGauthentication 66, 205inner 207keyserver 66types 207authorization 205request and reply 207server 66auto-discoveryUPnP 111Bbase stationsee BSBS 6566links 66BYE request 166CCA 67, 68CBC-MAC 207CCMP 205, 207cell 65certificates 205CA 67formats 67verification 207Certification Authority, see CAchaining 207chaining message authenticationsee CCMPcircuit-switched telephone networks 147Class of Service (CoS) 148client-serverprotocol 166SIP 166CMACsee MACcodec 147comfort noise 167CoS 148counter modesee CCMPcoverage area 65cryptography 205Ddata 205206decryption 205encryption 205flow 207DH 146DHCP 91server 91diameter 66
IndexBM2022 Users Guide284Differentiated Servicessee DiffServDiffie-Hellman key groups 146DiffServ 148DiffServ Code Point (DSCP) 148marking rule 152digital ID 68, 205DS field 152DSCPsee DiffServDTMF 155dual-tone multi-frequencysee DTMFDynamic Host Configuration Protocolsee DHCPEEAP 66EAP (Extensible Authentication Protocol) 68EAP-TLS 68EAP-TTLS 68echo cancellation 167encapsulation 141encryption 205206, 207traffic 207ESP 140Ethernetencapsulation 92Extensible Authorization Protocolsee EAPFfirewall 121FTP 171restrictions 171GG.168 167G.711 147G.729 148Hhybrid waveform codec 148IIANA 250ID type and content 144identity 66, 205idle timeout 171IEEE 802.16 65, 205IEEE 802.16e 65IGD 1.0 94IKE phases 142inner authentication 207inside header 142Internetaccess 66gateway device 94Internet Assigned Numbers Authoritysee IANA 250Internet Key Exchange 142Internet Telephony Service Providersee ITSPinteroperability 65IP-PBX 147IPSecalgorithms 140architecture 140NAT 143IPSec VPN 133ITSP 147ITU-T 167Kkey 205request and reply 207
 IndexBM2022 Users Guide 285LL2TP VPN 129Layer 2 Tunneling Protocol VPNsee L2TP VPNMMAC 207MAN 65Management Information Base (MIB) 173Message Authentication Codesee MACmessage integrity 207Metropolitan Area Networksee MANmicrowave 65, 66mobile stationsee MSMS 66multimedia 148NNAT 250and remote management 171IPSec 143server sets 92traversal 94, 144NAT routers 155ND&S 75negotiation mode 143networkactivity 66services 66network address translators 155Network Discovery and Selectionsee ND&SOoutbound proxy 155SIP 155outbound proxy server 155outside header 141Ppattern-spotting 207PBX services 147PCM 147per-hop behavior 152PHB (per-hop behavior) 152phoneservices 156PKMv2 66, 205, 207plain text encryption 207Point to Point Tunneling Protocol VPNsee PPTP VPNPPTP VPN 125pre-shared key 146Privacy Key Managementsee PKMprivate key 205proxy serverSIP 154public certificate 207public key 205pulse code modulation 147QQoS 148quality of serviceRRADIUS 66, 68, 205Message Types 206Messages 206
IndexBM2022 Users Guide286Shared Secret Key 206Real-time Transport Protocolsee RTPregister serverSIP 154related documentation 3remote management and NAT 171remote management limitations 171required bandwidth 148RFC 1889 148RFC 3489 155RTP 148Ssafety warnings 5secure communication 205secure connection 66security 205security association 206see SAsee QoSserver, outbound proxy 155services 66Session Initiation Protocolsee SIPsilence suppression 167silent packets 167SIP 148account 153ACK message 165ALG 93, 155Application Layer Gateway, see ALGBYE request 166call progression 163client 166client server 166identities 153INVITE request 165number 153proxy server 154register server 154servers 166service domain 154URI 153user agent 154SIP outbound proxy 155SNMP 171manager 173sound quality 147SS 65, 66STUN 155subnet 243mask 244subnetting 246subscriber stationsee SSsupplementary phone services 156syntax conventions 3system timeout 171TtamperingTCP/IP configuration 91TEK 207TFTP restrictions 171TLS 205To S 148Touch Tone 155transport encryption keysee TEKtransport layer securitysee TLStransport mode 141trigger port forwardingprocess 107TTLS 205, 207tunnel mode 141tunneled TLSsee TTLSType of Service 148Uunauthorized device 205uniform resource identifier 153
 IndexBM2022 Users Guide 287Universal Plug and Playsee UPnPUPnP 93application 94auto-discovery 111security issues 94Windows XP 110use NAT 155user authentication 205VVAD 167verification 207virtual LANsee VLANVLAN 115examples 48voiceactivity detection 167coding 147mail 147Voice over IPsee VoIPVoIP 147Wwaveform codec 147WiMAX 6566security 206WiMAX Forum 65Wireless Interoperability for Microwave Accesssee WiMAXWireless Metropolitan Area Networksee MANwireless networkaccess 65standard 65wireless security 205wizard setup 27
IndexBM2022 Users Guide288Federal Communication Commission Interference Statement  This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules.  These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.  However, there is no guarantee that interference will not occur in a particular installation.  If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:  - Reorient or relocate the receiving antenna. - Increase the separation between the equipment and receiver. - Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. - Consult the dealer or an experienced radio/TV technician for help.  FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.   This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.  IMPORTANT NOTE: Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body.  This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
