Sercomm RV220W Dual-Band Wireless VPN Router with GbE Switch User Manual

Sercomm Corporation Dual-Band Wireless VPN Router with GbE Switch

UserManual.wiki >

RV220W User Manual >

Contents

1. User manual
2. User manaul

User manual

Dual-Band Wireless VPN Router with GbE Switch RV220W User's Guide

i Table of Contents CHAPTER 1 INTRODUCTION .............................................................................................1 Dual-Band Wireless-N VPN Router Features ................................................................1 Package Contents ..............................................................................................................3 Physical Details..................................................................................................................5 CHAPTER 2 INSTALLATION...............................................................................................7 Requirements.....................................................................................................................7 Procedure...........................................................................................................................7 CHAPTER 3 SETUP ..............................................................................................................10 Configuration Program ..................................................................................................10 Setup Tab.........................................................................................................................12 Setup - Summary.............................................................................................................12 Setup - WAN Screen .......................................................................................................14 Setup - LAN Screen.........................................................................................................20 Setup - DMZ Screen........................................................................................................23 Setup - MAC Address Clone Screen..............................................................................24 Setup - Advanced Routing Screen .................................................................................25 Setup - Time Screen ........................................................................................................27 Setup - IP Mode Screen ..................................................................................................28 Wireless - Basic Settings Tab .........................................................................................29 Wireless - Security Settings ............................................................................................31 Wireless - Connection Control.......................................................................................39 Wireless - Advanced Settings .........................................................................................41 Wireless - VLAN & QoS.................................................................................................43 Firewall Tab.....................................................................................................................45 Firewall - Basic Settings..................................................................................................45 Firewall - IP Based ACL.................................................................................................47 Firewall - Internet Access Policy....................................................................................50 Firewall - Single Port Forwarding.................................................................................54 Firewall - Port Range Forwarding.................................................................................56 Firewall - Port Range Triggering...................................................................................57 Security Protection - Web Protection............................................................................58 Security Protection - Email Protection..........................................................................61 Security Protection - License..........................................................................................62 VPN - Summary Tab.......................................................................................................64 VPN - IPSec VPN Tab ....................................................................................................66 VPN - VPN Client Accounts Tab...................................................................................71 VPN - VPN Passthrough.................................................................................................73 QoS Tab............................................................................................................................74 QoS - Bandwidth Management......................................................................................74 QoS - QoS Setup..............................................................................................................76 QoS - Queue Settings.......................................................................................................77 QoS - DSCP Setup...........................................................................................................78 Administration Tab.........................................................................................................79 Administration - Management.......................................................................................79 Administration - Log.......................................................................................................81 Administration - Diagnostic ...........................................................................................83 Administration - Backup & Restore..............................................................................85 Administration - Factory Defaults.................................................................................86 Administration - Reboot.................................................................................................87 Administration - Firmware Upgrade.............................................................................88 L2 Switch - Create VLAN...............................................................................................89 L2 Switch - VLAN & Port Assignment .........................................................................90

ii L2 Switch - Radius ..........................................................................................................91 L2 Switch - Port Setting..................................................................................................92 L2 Switch - Statistics.......................................................................................................93 L2 Switch - Port Mirroring ............................................................................................94 Status - Gateway..............................................................................................................95 Status - Local Network ...................................................................................................97 Status - Wireless LAN.....................................................................................................99 Status - System Performance........................................................................................100 APPENDIX A SPECIFICATIONS .....................................................................................101 Dual-Band Wireless-N VPN Router ............................................................................101 Copyright © 2008. All Rights Reserved. Document Version: 1.0 All trademarks and trade names are the properties of their respective owners.

1 Chapter 1 Introduction This Chapter provides an overview of the Dual-Band Wireless-N VPN Router's features and capabilities. Congratulations on the purchase of your new Dual-Band Wireless-N VPN Router. The Dual-Band Wireless-N VPN Router is a multi-function device providing the following services: • Shared Broadband Internet Access for all LAN users. • Wireless Access Point for 802.11a, 802.11b, 802.11g and 802.11n Wireless Stations. • 4-Port Switching Hub for 10BaseT, 100 or 1000BaseT connections. Dual-Band Wireless-N VPN Router Features The Dual-Band Wireless-N VPN Router incorporates many advanced features, carefully designed to provide sophisticated functions while being easy to use. Internet Access Features • Shared Internet Access. All users on the LAN or WLAN can access the Internet through the Dual-Band Wireless-N VPN Router, using only a single external IP Address. The local (invalid) IP Addresses are hidden from external sources. This process is called NAT (Network Address Translation). • DSL & Cable Modem Support. The Dual-Band Wireless-N VPN Router has a 10/100/1000BaseT Ethernet port for connecting a DSL or Cable Modem. All popular DSL and Cable Modems are supported. • PPPoE, PPTP and L2TP Support. The Internet (WAN port) connection supports PPPoE (PPP over Ethernet), PPTP (Peer-to-Peer Tunneling Protocol) and L2TP, as well as "Direct Connection" type services. • Fixed or Dynamic IP Address. On the Internet (WAN port) connection, the Dual-Band Wireless-N VPN Router supports both Dynamic IP Address (IP Address is allocated on connection) and Fixed IP Address. Advanced Internet Functions • Application Level Gateways (ALGs). Applications which use non-standard connec-tions or port numbers are normally blocked by the Firewall. The ability to define and allow such applications is provided, to enable such applications to be used normally. • Port Triggering. This feature, also called Special Applications, allows you to use Internet applications which normally do not function when used behind a firewall. • Port Forwarding. This feature allows Internet users to access Internet servers on your LAN. The required setup is quick and easy. • Dynamic DNS Support. DDNS, when used with the Virtual Servers feature, allows users to connect to Servers on your LAN using a Domain Name, even if you have a dy-namic IP address which changes every time you connect. • URL Filter. Use the URL Filter to block access to undesirable Web sites by LAN users. 1

2 • Access Control. Using the Access Control feature, you can assign LAN users to differ-ent groups, and determine which Internet services are available to each group. • Scheduling. Both the URL Filter and Firewall rules can be scheduled to operate only at certain times. This provides great flexibility in controlling Internet -bound traffic. • Logs. Define what data is recorded in the Logs, and optionally send log data to a Syslog Server. Log data can also be E-mailed to you. • QoS Support Quality of Service can be used to handle packets so that more important connections receive priority over less important one. VPN Features • IPSec Support. IPSec is the most common protocol. • Easy Configuration. The configuration required to allow 2 Routers to establish a VPN connection between them is easy accomplished. Wireless Features • Standards Compliant. The Wireless Access Point complies with the IEEE802.11g and IEEE802.11n draft 2.0 specifications for Wireless LANs. • Supports Pre-N Wireless Stations. The 802.11n Draft standard provides for backward compatibility with the 802.11b standard, so 802.11n, 802.11a, 802.11b and 802.11g Wire-less stations can be used simultaneously. The Router supports both the 2.4GHz and 5.0GHz (802.11a) bands. • VLAN Support. The 802.1Q VLAN standard is supported, allowing traffic from differ-ent sources to be segmented. Combined with the multiple SSID feature, this provides a powerful tool to control access to your LAN. • WEP support. Support for WEP (Wired Equivalent Privacy) is included. Key sizes of 64 Bit and 128 Bit are supported. WEP encrypts any data before transmission, providing protection against snoopers. • WPA- Personal support. Like WEP, WPA-Personal encrypts any data before transmis-sion, providing protection against snoopers. The WPA- Personal is a later standard than WEP, and provides both easier configuration and greater security than WEP. • WPA2- Personal support. Support for WPA2 is also included. WPA2 uses the ex-tremely secure AES encryption method. • 802.1x Support. Support for 802.1x mode is included, providing for the industrial-strength wireless security of 802.1x authentication and authorization. • Wireless MAC Access Control. The Wireless Access Control feature can check the MAC address (hardware address) of Wireless stations to ensure that only trusted Wireless Stations can access your LAN. • Simple Configuration. If the default settings are unsuitable, they can be changed quickly and easily. • WPS Support. WPS (Wi-Fi Protected Setup) can simplify the process of connecting any device to the wireless network by using the push button configuration (PBC) on the Wire-less Access Point, or entering a PIN code if there's no button. LAN Features • 4-Port Switching Hub. The Dual-Band Wireless-N VPN Router incorporates a 4-port 10/100/1000BaseT switching hub, making it easy to create or extend your LAN.

3 • DHCP Server Support. Dynamic Host Configuration Protocol provides a dynamic IP address to PCs and other devices upon request. The Dual-Band Wireless-N VPN Router can act as a DHCP Server for devices on your local LAN and WLAN. Configuration & Management • Easy Setup. Use your WEB browser from anywhere on the LAN or WLAN for configu-ration. • Configuration File Upload/Download. Save (download) the configuration data from the Dual-Band Wireless-N VPN Router to your PC, and restore (upload) a previously-saved configuration file to the Dual-Band Wireless-N VPN Router. • Remote Management. The Dual-Band Wireless-N VPN Router can be managed from any PC on your LAN or Wireless LAN. And, if the Internet connection exists, it can also (optionally) be configured via the Internet. • Network Diagnostics. You can use the Dual-Band Wireless-N VPN Router to perform a Ping or DNS lookup. • UPnP Support. UPnP (Universal Plug and Play) allows automatic discovery and con-figuration of the Dual-Band Wireless-N VPN Router. UPnP is supported by Windows ME, XP, or later. Security Features • Password - protected Configuration. Password protection is provided to prevent unauthorized users from modifying the configuration data and settings. • Wireless LAN Security. WPA-PSK, WEP and Wireless access control by MAC ad-dress are all supported. The MAC-level access control feature can be used to prevent unknown wireless stations from accessing your LAN. • NAT Protection. An intrinsic side effect of NAT (Network Address Translation) tech-nology is that by allowing all LAN users to share a single IP address, the location and even the existence of each PC is hidden. From the external viewpoint, there is no network, only a single device - the Dual-Band Wireless-N VPN Router. • Firewall. All incoming data packets are monitored and all incoming server requests are filtered, thus protecting your network from malicious attacks from external sources. • Protection against DoS attacks. DoS (Denial of Service) attacks can flood your Internet connection with invalid packets and connection requests, using so much band-width and so many resources that Internet access becomes unavailable. The Dual-Band Wireless-N VPN Router incorporates protection against DoS attacks. Package Contents The following items should be included. If any of these items are damaged or missing, please contact your dealer immediately. • The Dual-Band Wireless-N VPN Router Unit • RJ45 (LAN) cable • Power Adapter • Warranty Card • CD-ROM containing the user manual.

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of thefollowing measures: -Reorient or relocate the receiving antenna. -Increase the separation between the equipment and receiver. -Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. -Consult the dealer or an experienced radio/TV technician for help. You are cautioned that changes or modifications not expressly approved by the party responsi-ble for compliance could void your authority to operate the equipment. FCC RF Radiation Exposure Statement: 1. This Transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.2. This equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a mini-mum distance of 20 centimeters between the radiator and your body. According to FCC 15.407(e), the device is intended to operate in the frequency band of 5.15GHz to 5.25GHz under all conditions of normal operation. Normal operation of this device is restricted to indoor used only to reduce any potential for harmful interference to co-channel MSS operations. Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause unde-sired operation of the device. RSS-GEN 7.1.4: User Manual for Transmitters with Detachable Antennas The user manual of transmitter devices equipped with detachable antennas shall contain the followinginformation in a con-spicuous location: This device has been designed to operate with the antennas listed below, and having a maxi-mum gain of [2.0] dB. Antennas not included in this list or having a gain greater than [2.0] dB are strictly prohibited for use with this device. The required antenna impedance is [50] ohms. RSS-GEN 7.1.5 To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (e.i.r.p.) is not more than that permitted for successful communication. IC RF Radiation Exposure Statement: 1. This Transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.2. This equipment complies with IC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a mini-mumdistance of 20 centimeters between the radiator and your body. except above RF exposure statement, for devices used at 5.15-5.25GHz should add the following wording at their user manual.According to RSS-210, the device is intended to operate in the frequency band of 5.15GHz to 5.25GHz under all conditions of normal operation. Normal operation of this device is restricted to indoor used only to reduce any potential for harmful interference to co-channel MSS operations.

5 Physical Details Front-mounted LEDs POWER (Green) On - Power on. Off - No power. DIAG (Red) On - System problem. Off - Normal operation. Flashing - System rebooting or firmware upgrading. DMZ (Green) On - DMZ enabled. Off - DMZ disabled. WIRELESS (Green) On - Wireless enabled. Off - No Wireless connections currently exist. Flashing - Data is being transmitting or receiving via the Wireless con-nection. LAN (1~4) Each port has 3 LEDs: • 10 - This will be ON if the LAN connection is using 10BaseT, and blinking if data is being transferred via the corresponding LAN port. • 100 - This will be ON if the LAN connection is using 100BaseT, and blinking if data is being transferred via the corresponding LAN port. • 1000 - This will be ON if the LAN connection is using 1000BaseT, and blinking if data is being transferred via the corresponding LAN port. If neither LED is on, there is no active connection on the corresponding LAN port. WAN(Green) The WAN LED lights up the appropriate LED depending upon the speed of the device that is attached to the Internet port. If the Router is connected to a cable or DSL modem, typically the 10 LED will be the only LED lit up (i.e. 10Mbps). The LED Flashes during activity.

6 Rear Panel RESET button The Reset button can be used in one of two ways: • If the Router is having problems connecting to the Internet, press the Reset button for just a second with a paper clip or a pencil tip. This is similar to pressing the Reset button on your PC to reboot it. • If you are experiencing extreme problems with the Router and have tried all other troubleshooting measures, press and hold in the Reset button for 10 seconds. This will restore the factory defaults and clear all of the Router’s settings, such as port for-warding or a new password. WAN Connect the DSL or Cable Modem here. If your modem came with a cable, use the supplied cable. Otherwise, use a standard LAN cable. LAN 1-4 (10/100/1000BaseT) Use standard LAN cables (RJ45 connectors) to connect your PCs to these ports. POWER Connect the supplied power adapter here.

7 Chapter 2 Installation This Chapter covers the physical installation of the Dual-Band Wireless-N VPN Router. Requirements • Network cables. Use standard 10/100/1000BaseT network (UTP) cables with RJ45 con-nectors. • TCP/IP protocol must be installed on all PCs. • For Internet Access, an Internet Access account with an ISP, and a DSL connection. • To use the Wireless Access Point, all Wireless devices must be compliant with the IEEE 802.11a, IEEE 802.11g, IEEE 802.11b or IEEE 802.11n Draft specifications. Procedure 1. Choose an Installation Site Select a suitable place on the network to install the Dual-Band Wireless-N VPN Router. Make sure that the Router is powered off. For best Wireless reception and performance, the Dual-Band Wireless-N VPN Router should be positioned in a central location with minimum obstructions between the Dual-Band Wireless-N VPN Router and the PCs. 2. Connect LAN Cables Use standard LAN cables to connect PCs to the ports on the Dual-Band Wireless-N VPN Router. 10BaseT, 100BaseT and 1000BaseT connections can be used simultaneously. 3. Connect ADSL Cable Connect the DSL or Cable modem to the INTERNET port on the Dual-Band Wireless-N VPN Router. Use the cable supplied with your DSL/Cable modem. If no cable was sup-plied, use a standard cable. 4. Power Up Connect the supplied power adapter to the Dual-Band Wireless-N VPN Router. Use only the power adapter provided. Using a different one may cause hardware damage. 5. Check the LEDs • The Power LED should be ON. • The LAN LED should be ON (provided the PC is also ON.) • The WIRELESS LED should be ON if Wireless PC is connected. 2

8 • The WAN LED may be OFF. After configuration, it should come ON. Antennas and Positions Positions The Router can be placed in three different positions: stackable, standalone, or wall-mount. Standalone 1. Locate the Router’s left side panel. 2. The Router includes two stands. With the two large prongs facing outward, insert the short prongs into the little slots in the Router, and push the stand upward until it snaps into place. Wall-mount You will need two suitable screws to mount the Router. Make sure the screw size can fit into the crisscross wall-mount slots. 1. On the Wireless Router’s back panel are two crisscross wall-mount slots. 2. Determine where you want to mount the Wireless Router, and install two screws that are 2-9/16 in (64.5mm) apart. 3. Line up the Wireless Router so that the wall-mount slots line up with the two screws. 4. Place the wall-mount slots over the screws and slide the Wireless Router down until the screws fit snugly into the wall-mount slots.

10 Chapter 3 Setup This Chapter provides Setup details of the Dual-Band Wireless-N VPN Router. Configuration Program The Dual-Band Wireless-N VPN Router contains an HTTP server. This enables you to connect to it, and configure it, using your Web Browser. Your Browser must support JavaScript. The configuration program has been tested on the following browsers: • Netscape 7.1 or later • Mozilla 1.6 or later • Internet Explorer V5.5 or later Preparation Before attempting to configure the Dual-Band Wireless-N VPN Router, please ensure that: • Your PC can establish a physical connection to the Dual-Band Wireless-N VPN Router. The PC and the Dual-Band Wireless-N VPN Router must be directly connected (using the Hub ports on the Dual-Band Wireless-N VPN Router) or on the same LAN segment. • The Dual-Band Wireless-N VPN Router must be installed and powered ON. • If the Dual-Band Wireless-N VPN Router's default IP Address (192.168.1.1) is already used by another device, the other device must be turned OFF until the Dual-Band Wire-less-N VPN Router is allocated a new IP Address during configuration. Using your Web Browser To establish a connection from your PC to the Dual-Band Wireless-N VPN Router: 1. After installing the Dual-Band Wireless-N VPN Router in your LAN, start your PC. If your PC is already running, restart it. 2. Start your WEB browser. 3. In the Address box, enter "HTTP://" and the IP Address of the Dual-Band Wireless-N VPN Router, as in this example, which uses the Dual-Band Wireless-N VPN Router's de-fault IP Address: HTTP://192.168.1.1 4. When prompted for the User name and Password, enter values as follows: • User name admin • Password admin 3

11 Figure 1: Login Screen If you can't connect If the Dual-Band Wireless-N VPN Router does not respond, check the following: • The Dual-Band Wireless-N VPN Router is properly installed, LAN connection is OK, and it is powered ON. You can test the connection by using the "Ping" command: • Open the MS-DOS window or command prompt window. • Enter the command: ping 192.168.1.1 If no response is received, either the connection is not working, or your PC's IP address is not compatible with the Dual-Band Wireless-N VPN Router's IP Address. (See next item.) • If your PC is using a fixed IP Address, its IP Address must be within the range 192.168.1.2 to 192.168.1.254 to be compatible with the Dual-Band Wireless-N VPN Router's default IP Address of 192.168.1.1. Also, the Network Mask must be set to 255.255.255.0. See Chapter 4 - PC Configuration for details on checking your PC's TCP/IP settings. • Ensure that your PC and the Dual-Band Wireless-N VPN Router are on the same network segment. (If you don't have a router, this must be the case.) • Ensure you are using the wired LAN interface. The Wireless interface can only be used if its configuration matches your PC's wireless settings.

12 Setup Tab The Setup screen contains all of the Router’s basic setup functions. The Router can be used in most network settings without changing any of the default values. Some users may need to enter additional information in order to connect to the Internet through an ISP (Internet Service Provider) or broadband (DSL, cable modem) carrier. Setup - Summary The first screen that appears is the System Summary screen, which displays the Router’s current status and settings. This information is read-only. Underlined text is hyperlinked to related setup pages, so if you click a hyperlink, the related setup screen will appear. On the right-hand side of this screen and all other screens of the utility is a link to the Site Map, which has links to all of the utility’s tabs. Figure 2: Summary Screen

13 Data - Summary Screen System Information Firmware Ver-sion It displays the current firmware version installed on this Router. CPU Displayed here are the type and speed of the processor installed on the Router. System Up Time This is the length of time in days, hours, and minutes that the Router has been active. The current time and date are also displayed. DRAM Displayed here is the size of DRAM installed on the Router’s mother-board. FLASH Displayed here is the size of flash memory installed on the Router’s board. Port Statistics Port Statistics This section displays the following color-coded status information on the Router’s Ethernet ports: • Green - Indicates that the port has a connection. • Black - Indicates that the port has no connection. Networking Setting Status LAN IP Displays the IP address of the Router’s LAN interface. WAN IP Displays the IP address of the Router’s WAN interface. If this address was assigned using DHCP, click DHCP Release to release the address, or click DHCP Renew to renew the address. Mode Displays the operating mode, Gateway or Router. Gateway Displays the Gateway address, which is the IP address of your ISP’s server. DNS 1-2 The IP addresses of the Domain Name System (DNS) server(s) that the Router is using. DDNS Indicates whether the Dynamic Domain Name System (DDNS) feature is enabled. DMZ Indicates whether the DMZ Hosting feature is enabled. Firewall Setting Status DOS (Denial of Service) Indicates whether the DoS Protection feature is enabled to block DoS attacks. Block WAN Request Indicates whether the Block WAN Request feature is enabled. Remote Man-agement Indicates whether the Remote Management feature is enabled. VPN Setting Status Tunnel(s) Used Displays the number of VPN tunnels currently being used. Tunnel(s) Avail-able Displays the number of VPN tunnels that are available.

14 Setup - WAN Screen DHCP By default, the Router’s Configuration Type is set to Automatic Configuration - DHCP, and it should be kept only if your ISP supports DHCP or you are connecting through a dynamic IP address. Figure 3: DHCP Screen Optional Settings Host Name Enter a host name for the Router. Domain Name Enter a domain name for the Router. MTU This setting specifies the largest packet size permitted for network transmis-sion. In most cases, keep the default, Auto. To specify the MTU, select Manual, and then enter the value in the Size field. DDNS Service Select the desired option from the list. • Disabled - If selected, no DDNS service will be used. • DynDNS • User Name, Password, Host Name - Enter the User Name, Pass-word, and Host Name of the account you set up with DynDNS.org. • Custom DNS - Enable the checkbox if you want to use this fea-ture. • Status - The status of the DDNS service connection is displayed here. • TZO • E-mail Address, TZO Password, Domain Name - Enter the E-mail Address, Password, and Domain Name of the account you set

15 up with TZO. • Status - The status of the TZO service connection is displayed here. Connect Button When DDNS is enabled, the Connect button is displayed. Use this button to manually update your IP address information on the DDNS server. The Status area on this screen also updates. Static IP If you are required to use a permanent IP address, select Static IP. Figure 4: Static IP Static IP Settings Internet IP Address This is the Router’s IP address on the WAN port that can be reached from the Internet. Subnet Mask Enter the Subnet mask to match the IP address above. Default Gateway Your ISP will provide you with the Default Gateway (Router) to reach the Internet. Primary DNS Your ISP will provide you with at least one DNS (Domain Name System) Server IP Address to resolve host name to IP address mapping. Secondary DNS The secondary DNS will only be used if the primary DNS is not available.

16 PPPoE Most DSL-based ISPs use PPPoE (Point-to-Point Protocol over Ethernet) to establish Internet connections. If you are connected to the Internet through a DSL line, check with your ISP to see if they use PPPoE. If they do, you will have to enable PPPoE. Figure 5: PPPoE PPPoE Settings Username Enter the User Name provided by your ISP for PPPoE authentication. Password Enter the Password by your ISP for PPPoE authentication. Connect on Demand You can configure the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time). If your Internet connection has been terminated due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. If you wish to activate Connect on Demand, click the Connect on Demand option and enter the number of minutes you want to have elapsed before your Internet connec-tion terminates in the Max Idle Time field. Use this option to minimize your DSL connection time if it is charged based on time. Keep Alive This option allows the Router will periodically check your Internet con-nection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, click the option next to Keep Alive. In the Redial Period field, you specify how often you want the Router to check the Internet connection. This option is enabled by default and the default Redial Period is 30 seconds. Use this option to minimize your Internet connection response time since it will always be connected.

17 PPTP Point-to-Point Tunneling Protocol (PPTP) is a service that applies to connections in Europe and Israel only. Figure 6: PPTP PPTP Settings IP Address This is the Router’s IP address, when seen from the WAN, or the Internet. Your ISP will provide you with the IP Address you need to specify here. Subnet Mask This is the Router’s Subnet Mask. Your ISP will provide you the Subnet Mask and your IP address. Default Gateway Your ISP will provide you with the Default Gateway IP Address. PPTP Server Enter the IP address of the PPTP server. Username Enter the User Name provided by your ISP. Password Enter the Password provided by your ISP. Connect on Demand You can configure the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time). If your Internet connection has been terminated due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. If you wish to activate Connect on Demand, click the Connect on Demand option and enter the number of minutes you want to have elapsed before your Internet connec-

18 tion terminates in the Max Idle Time field. Use this option to minimize your DSL connection time if it is charged based on time. Keep Alive This option allows the Router will periodically check your Internet con-nection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, click the option next to Keep Alive. In the Redial Period field, you specify how often you want the Router to check the Internet connection. This option is enabled by default and the default Redial Period is 30 seconds. Use this option to minimize your Internet connection response time since it will always be connected. L2TP Layer 2 Tunneling Protocol (L2TP) is a service that tunnels Point-to-Point Protocol (PPP) across the Internet. It is used mostly in European countries. Check with your ISP for the necessary setup information. Figure 7: L2TP L2tp Settings IP Address This is the Router’s IP address, when seen from the WAN, or the Internet. Your ISP will provide you with the IP Address you need to specify here. Subnet Mask This is the Router’s Subnet Mask. Your ISP will provide you the Subnet Mask and your IP address. Gateway Your ISP will provide you with the Default Gateway IP Address.

19 L2TP Server Enter the IP address of the L2TP server Username Enter the User Name provided by your ISP. Password Enter the Password provided by your ISP. Connect on Demand You can configure the Router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time). If your Internet connection has been terminated due to inactivity, Connect on Demand enables the Router to automatically re-establish your connection as soon as you attempt to access the Internet again. If you wish to activate Connect on Demand, click the Connect on Demand option and enter the number of minutes you want to have elapsed before your Internet connec-tion terminates in the Max Idle Time field. Use this option to minimize your DSL connection time if it is charged based on time. Keep Alive This option allows the Router will periodically check your Internet con-nection. If you are disconnected, then the Router will automatically re-establish your connection. To use this option, click the option next to Keep Alive. In the Redial Period field, you specify how often you want the Router to check the Internet connection. This option is enabled by default and the default Redial Period is 30 seconds. Use this option to minimize your Internet connection response time since it will always be connected.

20 Setup - LAN Screen The LAN Setup section allows you to change the Router’s local network settings for the four Ethernet ports. Figure 8: LAN Screen Data - LAN Screen IPv4 Local IP Address Enter the IPv4 address on the LAN side. The default value is 192.168.1.1.

21 Subnet Mask Select the subnet mask from the drop-down menu. The default value is 255.255.255.0. Server Settings (DHCP) DHCP Server DHCP is enabled by default. If you already have a DHCP server on your network, or you don't want a DHCP server, then select Disabled (no other DHCP features will be available). If you already have a DHCP server on your network, and you want the Router to act as a Relay for that DHCP Server, select DHCP Relay, then enter the DHCP Server IP Address. Starting IP Address Enter a value for the DHCP server to start with when issuing IP ad-dresses. This value will automatically follow your local IP address settings. Normally, you assign the first IP address for the Router (e.g. 192.168.1.1) so that you can assign an IP address to other devices starting from the 2nd IP address (e.g. 192.168.1.2). The last address in the subnet is for subnet broadcast (e.g. 192.168.1.255) so that the address cannot be assigned to any host. Maximum Number of DHCP Users Enter the maximum number of PCs that you want the DHCP server to assign IP addresses to. This number cannot be greater than the avail-able host addresses in the subnet (e.g. 253 for /24 subnet). In order to determine the DHCP IP Address range, add the starting IP address (e.g., 100) to the number of DHCP users. Client Lease Time This is the amount of time a DHCP client can keep the assigned IP address before it sends a renewal request to the DHCP server. The default value is 0, which actually means one day. Static DNS (1~3) If applicable, enter the IP address(es) of your DNS server(s). WINS Windows Internet Naming Service (WINS) is a service that resolves NetBIOS names to IP addresses. WINS is assigned if the computer (DHCP client) requests one. Enter the IP address of the WINS server. Static IP Mapping Static IP Ad-dress Enter the static IP address. MAC Address Enter the MAC address of the device. Host Name Enter a descriptive name for the device. Add, Modify, Remove buttons Click Add, and configure as many entries as you would like, up to a maximum of 100. To delete an entry, select it and click Remove. Select the desired entry and click the Modify to change the settings. IPv6 IPv6 Prefix Enter the IPv6 prefix. IPv6 Postfix Enter the IPv6 postfix. Prefix Length Enter the IPv6 prefix length. The default is 64, which should not need to be changed. Router Advise-ment Enabling this option allows the Router to send out IPv6 Router Adver-tisement packets periodically. This helps IPv6 hosts to learn their IPv6 prefix and setup their IPv6 Address automatically.

22 DHCPv6 DHCPv6 Enabled or Disabled as required. Lease Time Enter the desired value. The default is 0, which actually means one day. DHCP address range start Enter the start IP address of the DHCP range. DHCP address range end Enter the end IP address of the DHCP range. Primary DNS Your ISP will provide you with at least one DNS (Domain Name System) Server IP Address to resolve host name to IP address map-ping. Secondary DNS The secondary DNS will only be used if the primary DNS is not available.

23 Setup - DMZ Screen The DMZ screen allows one local PC to be exposed to the Internet for use of a special-purpose service, such as Internet gaming and video-conferencing. DMZ hosting forwards traffic to all the ports for the specified PC simultaneously, unlike Port Range Forwarding that can only forward a maximum of 10 ranges of ports. Figure 9: DMZ Screen Data - DMZ Screen DMZ DMZ Hosting This feature allows one local PC to be exposed to the Internet for use of a special-purpose service such as Internet gaming and video-conferencing. To use this feature, select Enable. To disable the DMZ feature, select Disable. DMZ Host IP Address To expose one PC, enter the computer’s IP address.

24 Setup - MAC Address Clone Screen Some ISPs require that you register a MAC address. This feature clones your PC network adapter's MAC address onto the Router, and prevents you from having to call your ISP to change the registered MAC address to the Router's MAC address. The Router's MAC address is a 6-byte hexadecimal number assigned to a unique piece of hardware for identification. Figure 10: MAC Address Clone Screen Data - MAC Address Clone Screen MAC Address Clone MAC Address Clone Select Enabled or Disabled. MAC Address Enter the MAC Address registered with your ISP in this field. Clone My PC’s MAC When Mac Address Clone is enabled, click this to copy the MAC address of the network adapter in the computer that you are using to connect to the Web-based utility.

25 Setup - Advanced Routing Screen Figure 11: Advanced Routing Screen Data - Advanced Routing Screen Operating Mode Operating Mode • Gateway - This is the normal mode of operation. This allows all devices on your LAN to share the same WAN (Internet) IP ad-dress. In the Gateway mode, the NAT (Network Address Translation) mechanism is enabled. • Router - You either need another Router to act as the Gateway, or all PCs on your LAN must be assigned (fixed) Internet IP ad-dresses. In Router mode, the NAT mechanism is disabled. Dynamic Routing RIP The Router, using the RIP protocol, calculates the most efficient route for the network’s data packets to travel between the source and the destination based upon the shortest paths. RIP Send Packet Version Choose the version of RIP packets you want to send to peers: RIPv1 or RIPv2. This should match the version supported by other Routers on your LAN. RIP Recv Packet Version Choose the version of RIP packets you want to receive from peers: RIPv1 or RIPv2. This should match the version supported by other Routers on your LAN.

26 Static Routing Select Set Number Sometimes you will prefer to use static routes to build your routing table instead of using dynamic routing protocols. Static routes do not require CPU resources to exchange routing information with a peer router. You can also use static routes to reach peer routers that do not support dynamic routing protocols. Static routes can be used together with dynamic routes. Be careful not to introduce routing loops in your network. To set up static routing, you should add route entries in the routing table that tell the Router where to forward packets to specific IP destinations. Enter the following data to create a static route entry: 1. Select Set Number. Select the set number (routing table entry number) that you wish to view or configure. If necessary, click Delete This Entry to clear the entry. 2. Destination IP Address. Enter the network address of the remote LAN segment. For a standard Class C IP domain, the network ad-dress is the first three fields of the Destination LAN IP, while the last field should be zero. 3. Subnet Mask. Enter the Subnet Mask used on the destination LAN IP domain. For Class C IP domains, the Subnet Mask is 255.255.255.0. 4. Gateway. If this Router is used to connect your network to the Internet, then your gateway IP is the Router’s IP Address. If you have another router handling your network’s Internet connection, enter the IP Address of that router instead. 5. Hop Count. This value gives the number of routers that a data packet passes through before reaching its destination. It is used to define the priority on which route to use if there is a conflict be-tween a static route and dynamic route. Show Routing Table button. Click this button to show the routing table established either through dynamic or static routing methods. Inter-VLAN Routing Inter-VLAN Routing Select Enable to allow packets to be routed between VLANs that are in different subnets. The default is Enable. Figure 12: Routing Table

27 Setup - Time Screen You can either define your Router’s time manually or automatically through Time Server. Figure 13: Time Screen Data - Time Screen Time Time • Set the local time Manually - If you wish to enter the time and date manually, enter the Day, Month, Year, Hour, Minute, and Second in the Time field using 24 hour format (example 10:00pm would be entered 22:0:0). • Set the local time using Network Time Protocol (NTP) Auto-matically - Select the time zone for your location and your setting synchronizes over the Internet with public NTP (Network Time Protocol) Servers. Time Zone Select the time zone for your location. Auto Daylight Saving To use the daylight saving feature, select Enabled. Enter the Month and Day of the start date, and then enter the Month and Day of the end date. User-defined NTPServer If you want to use your own NTP server, select the Enabled option. The default is Disabled. NTP Serve IP Enter the IP address of your own NTP server.

28 Setup - IP Mode Screen You can either define your Router’s time manually or automatically through Time Server. Figure 14: IP Mode Screen Data - IP Mode Screen IP Mode IPv4 Only This option utilizes IPv4 on the Internet and local network. Dual-Stack IP This option utilizes IPv4 over the Internet and IPV4 and IPv6 on the local network. Then select how the IPv6 hosts will connect to the Internet: • NAPT-PT - This allows an IPv6-only host on your LAN to connect to IPv4-only hosts on the WAN using address translation and protocol-translation (per RFC2766). • 6-4 Tunnel - This allows your IPv6 network to connect to other IPv6 networks via tunnels through IPv4 (per RFC3056). The re-mote router also needs to support 6to4. 6 to 4 Gateway Access Control Select the desired option to match your needs. Enter the related data in the following fields if required. • Disabled • Permit following sites: Enter the IP addresses that you want to permit in the following section. • Block following sites: Enter the IP addresses that you want to block in the following section.

29 Wireless - Basic Settings Tab The Dual-Band Wireless-N VPN Router's settings must match the other Wireless stations. Note that the Dual-Band Wireless-N VPN Router will automatically accept both 802.11b and 802.11g connections, and no configuration is required for this feature. To change the Dual-Band Wireless-N VPN Router's default settings for the Wireless Access Point feature, use the Wireless link on the main menu to reach the Wireless screen. An exam-ple screen is shown below. Figure 15: Basic Settings Data - Basic Settings Screen Basic Settings Wireless Radio Band Select 2.4GHz Wireless or 5GHz Wireless from the list to configure.

30 Wireless Net-work Mode Select the desired mode: • 2.4GHz Wireless • B-Only - All the wireless client devices can be connected to the Wireless Router at Wireless-B data rates with a maximum speed of 11Mbps. • G-Only - Both Wireless-N and Wireless-G client devices can be connected at Wireless-G data rates with a maximum speed of 54Mbps. Wireless-B clients cannot be connected in this mode. • N-Only - Only Wireless-N client devices can be connected at Wireless-N data rates with a maximum speed of 300Mbps. • B/G/N-Mixed - All the wireless client devices can be con-nected at their respective data rates in this mixed mode. • 5GHz Wireless • A-Only - All the wireless client devices can be connected to the Wireless Router at Wireless-A data rates with a maximum speed of 11Mbps. • N-Only - Only Wireless-N client devices can be connected at Wireless-N data rates with a maximum speed of 300Mbps. • A/N-Mixed - All the wireless client devices can be connected at their respective data rates in this mixed mode. Wireless Channel Select the appropriate channel to be used between your Wireless Router and your client devices. The default is channel 6. You can also select Auto so that your Wireless Router will select the channel with the lowest amount of wireless interference while the system is booting up. Auto channel selection will start when you click the Save Settings button, and it will take several seconds to scan through all the channels to find the best channel. Multiple BSSID Select Enabled or Disabled. The default is Disabled SSID Name The SSID is the unique name shared between all devices in a wireless network. It is case-sensitive, must not exceed 32 alphanumeric charac-ters, and may be any keyboard character. Make sure this setting is the same for all devices in your wireless network. The default SSID name is linksys-n. SSID Broadcast This option allows the SSID to be broadcast on your network. You may want to enable this function while configuring your network, but make sure that you disable it when you are finished. With this enabled, someone could easily obtain the SSID information with site survey software or Windows XP and gain unauthorized access to your net-work. Click Enabled to broadcast the SSID to all wireless devices in range. Click Disabled to increase network security and prevent the SSID from being seen on networked PCs. The default is Enabled in order to help users configure their network before use.

31 Wireless - Security Settings Change the Wireless Router’s wireless security settings on this screen. Figure 16: Disabled Data - Security Settings Screen WEP Data Encryption Select SSID Select the desired SSID from the drop-down list. Wireless Isola-tion (Between SSID w/o VLAN) Select Enabled to use this feature. Security Mode Select the wireless security mode you want to use, WEP, WPA-Personal, WPA2-Personal, WPA-Enterprise, WPA2-Enterprise, or Radius. (WPA stands for Wi-Fi Protected Access, which is a security standard stronger than WEP encryption and forward com-patible with IEEE 802.11e. WEP stands for Wired Equivalent Privacy, Enterprise refers to using RADIUS server for authentication, while RADIUS stands for Remote Authentication Dial-In User Service.) Refer to the appropriate instructions below after you select the Authentication Type and SSID Interoperability settings. To disable wireless security completely, select Disabled. The default is Disabled. Wireless Isolation (Within SSID) When disabled, wireless PCs that are associated to the same network name (SSID), can see and transfer files between each other. By enabling this feature, Wireless PCs will not be able to see each other. This feature is very useful when setting up a wireless hotspot loca-tion. The default is Disabled.

32 WEP Figure 17: WEP Data - WEP Screen WEP Data Encryption Authentication Type Normally, this should be left at the default value of "Automatic". If changed to "Open System" or "Shared Key", ensure that your Wireless Stations use the same setting. WEP Data Encryption Select the desired option, and ensure the Wireless Stations use the same setting. • 40/64-bit (10 Hex digits) - data is encrypted, using the default key, before being transmitted. You must enter at least the default key. For 64 Bit Encryption, the key size is 10 chars in HEX (0~9 and A~F). • 104/128-bit (26 Hex digits) - data is encrypted, using the default key, before being transmitted. You must enter at least the default key. For 128 Bit Encryption, the key size is 26 chars in HEX (0~9 and A~F). Passphrase If desired, you can generate a key from a phrase, instead of entering the key value directly. Enter the desired phrase, and click the "Gener-ate" button. Key (1~4) If you want to manually enter WEP keys, then complete the fields provided. Each WEP key can consist of the letters “A” through “F” and the numbers “0” through “9”. It should be 10 characters in length for 64-bit encryption or 26 characters in length for 128-bit encryption. TX Key Select one of the keys to be used for data encryption (when you manu-ally enter multiple WEP keys).

33 WPA-Personal Figure 18: WPA-Personal Data - WPA-Personal Screen Encryption The WPA-Personal standard allows different encryption methods to be used. Select the desired option. Wireless Stations must use the same encryption method. Shared Secret Enter a WPA Shared Key of 8-63 characters. Key Renewal Enter a Key Renewal Timeout period, which instructs the Wireless Router how often it should change the encryption keys. The default is 3600 seconds.

34 WPA2-Personal Figure 19: WPA2-Personal Data - WPA2-Personal Screen Encryption The WPA2-Personal standard allows different encryption methods to be used. Select the desired option. Wireless Stations must use the same encryption method. Shared Secret Enter a WPA Shared Key of 8-63 characters. Key Renewal Enter a Key Renewal Timeout period, which instructs the Wireless Router how often it should change the encryption keys. The default is 3600 seconds.

35 WPA-Enterprise Figure 20: WPA-Enterprise Data - WPA-Enterprise Screen Encryption WPA offers you two encryption methods, TKIP and AES for data encryption. Select the type of algorithm you want to use, TKIP or AES. RADIUS Server Enter the server address here. RADIUS Port Enter the port number used for connections to the Radius Server. Shared Key Enter the shared key. Data is encrypted using a key derived from the network key. Other Wireless Stations must use the same key. The key must be from 8 to 63 characters in length. Key Renewal Enter a Key Renewal Timeout period, which instructs the Wireless Router how often it should change the encryption keys. The default is 3600 seconds.

36 WPA2-Enterprise Figure 21: WPA2-Enterprise Data - WPA2-Enterprise Screen Encryption WPA2 always uses AES for data encryption. RADIUS Server Enter the server address here. RADIUS Port Enter the port number used for connections to the Radius Server. Shared Key Enter the shared key. Data is encrypted using a key derived from the network key. Other Wireless Stations must use the same key. The key must be from 8 to 63 characters in length. Key Renewal Enter a Key Renewal Timeout period, which instructs the Wireless Router how often it should change the encryption keys. The default is 3600 seconds.

37 Radius Server Figure 22: Radius Server Data - Radius Server Screen RADIUS Server Enter the server address here. RADIUS Port Enter the port number used for connections to the Radius Server. Shared Key Enter the shared key. Data is encrypted using a key derived from the network key. Other Wireless Stations must use the same key. The key must be from 8 to 63 characters in length. Authentication Type Normally, this should be left at the default value of "Automatic". If changed to "Open System" or "Shared Key", ensure that your Wireless Stations use the same setting. Encryption Select the desired option, and ensure the Wireless Stations use the same setting. • 40/64-bit (10 Hex digits) - data is encrypted, using the default key, before being transmitted. You must enter at least the de-fault key. For 64 Bit Encryption, the key size is 10 chars in HEX (0~9 and A~F). • 104/128-bit (26 Hex digits) - data is encrypted, using the default key, before being transmitted. You must enter at least the default key. For 128 Bit Encryption, the key size is 26 chars in HEX (0~9 and A~F). Passphrase If desired, you can generate a key from a phrase, instead of entering the key value directly. Enter the desired phrase, and click the "Gen-erate" button. Key (1~4) If you want to manually enter keys, then complete the fields pro-vided. Each key can consist of the letters “A” through “F” and the numbers “0” through “9”. It should be 10 characters in length for 64-bit encryption or 26 characters in length for 128-bit encryption.

38 TX Key Select one of the keys to be used for data encryption (when you manually enter multiple keys).

39 Wireless - Connection Control This screen allows you to configure the Connection Control List to either permit or block specific wireless client devices connecting to (associating with) the Wireless Router. Figure 23: Connection Control Data - Connection Control Select SSID Select the desired SSID from the drop-down list. Enabled/Disabled Enable or disable wireless connection control. The default is Disabled. Connection Control There are two ways to control the connection (association) of wireless client devices. You can either prevent specific devices from connecting to the Wireless Router, or you can allow only specific client devices to connect to the Wireless Router. The client devices are specified by their MAC addresses. The default is to allow only specific client devices. Wireless Client List Instead of manually entering the MAC addresses of each client, the Wireless Router provides a convenient way to select a specific client device from the client association table. Click this button and a window appears to let you select a MAC address from the table. The selected MAC address will be entered into the Connection Control List. MAC (01~20) Enter the MAC addresses of the wireless client devices you want to control.

40 Figure 24: Wireless Client List

41 Wireless - Advanced Settings This screen allows you to configure the advanced settings for the Wireless Router. The Wire-less-N Router adopts several new parameters to adjust the channel bandwidth and guard intervals to improve the data rate dynamically. Linksys recommends to let your Wireless Router automatically adjust the parameters for maximum data throughput. Figure 25: Advanced Settings Screen Channel Band-width You can select the channel bandwidth manually for Wireless-N con-nections. When it is set to 20MHz, only the 20MHz channel is used. When it is set to 40MHz, Wireless-N connections will use 40MHz channel but Wireless-B and Wireless-G will still use 20MHz channel. The default is 20MHz. Guard Interval You can select the guard interval manually for Wireless-N connec-tions. The two options are Short (400ns) and Long (800ns). The default is Short. CTS Protection Mode CTS (Clear-To-Send) Protection Mode function boosts the Wireless Router’s ability to catch all wireless transmissions, but will severely decrease performance. Keep the default setting, Auto, so the Wireless Router can use this feature as needed, when the Wireless-N/G products are not able to transmit to the Wireless Router in an environment with heavy 802.11b traffic. Select Disabled if you want to permanently disable this feature. Transmission Rate Select the desired transmission rate from the drop-down list. The default is Auto. N Transmission Rate Select the desired rate from the drop-down list. The default is Auto. Beacon Interval This value indicates the frequency interval of the beacon. A beacon is a packet broadcast by the Wireless Router to keep the network syn-chronized. A beacon includes the wireless networks service area, the Wireless Router address, the Broadcast destination addresses, a time stamp, Delivery Traffic Indicator Maps, and the Traffic Indicator

42 Message (TIM). The default is 100 Msec. DTIM Interval This value indicates how often the Wireless Router sends out a Deliv-ery Traffic Indication Message (DTIM). Lower settings result in more efficient networking, while preventing your PC from dropping into power-saving sleep mode. Higher settings allow your PC to enter sleep mode, thus saving power, but interferes with wireless transmissions. The default is 1 ms. Fragmentation Threshold Enter the preferred setting between 256 and 2346. Normally, this can be left at the default value. RTS Threshold This setting determines how large a packet can be before the Wireless Router coordinates transmission and reception to ensure efficient communication. This value should remain at its default setting of 2346. If you encounter inconsistent data flow, only minor modifications are recommended.

43 Wireless - VLAN & QoS This screen allows you to configure the Qos and VLAN settings for the Router. The QoS (Quality of Service) feature allows you specify priorities for different traffic. Lower priority traffic will be slowed down to allow greater throughput or less delay for high priority traffic. The 802.1Q VLAN feature is allowing traffic from different sources to be segmented. Com-bined with the multiple SSID feature, this provides a powerful tool to control access to your LAN. Figure 26: VLAN &QoS Screen VLAN Enabled/Disabled You can enable this feature only if the hubs/switches on your LAN support the VLAN standard. AP Management VLAN Define the VLAN ID used for management. VLAN ID Enter the VLAN ID. QoS Default CoS (Priority) Select Enabled or Disabled as required. U-PSD (WMM Power Save) Select Enabled or Disabled as required. Default CoS Select the desired value for the Default CoS. Tx Rate Limiting Select the desired rate limiting from the list. WMM Wi-Fi Multimedia is a QoS feature defined by WiFi Alliance before IEEE 802.11e was finalized. Now it is part of IEEE 802.11e. When it is enabled, it provides four priority queues for different types of traffic. It automatically maps the incoming packets to the appropriate

44 queues based on QoS settings (in IP or layer 2 header). WMM pro-vides the capability to prioritize traffic in your environment. The default is Enabled.

45 Firewall Tab The Firewall Tab allows you to configure software security features like SPI (Stateful Packet Inspection) Firewall, IP based Access List, restriction LAN users on Internet (WAN port) access, and NAPT (Network Address Port Translation) Settings (only works when NAT is enabled) to limited services to specific ports. Note that for WAN traffic, NAPT settings are applied first, then it will pass the SPI Firewall settings, followed by IP based Access List (which requires more CPU power). Firewall - Basic Settings Figure 27: Basic Settings Screen Basic Settings Firewall SPI (Stateful Packet Inspection) Firewall, when you enable this fea-ture, the Router will perform deep packet inspection on all the traffic going through the Router. DoS Protection When enabled, the Router will prevent DoS (Denial of Service) attacks coming in from the Internet. DOS attacks are making your Router’s CPU busy such that it cannot provide services to regular traffic. The default is Enable. Block WAN Request When enabled, the Router will ignore PING Request from the Internet so it seems to be hidden. The default is Enable. Remote Management When enabled, the Router will allow the Web-based Utility to be accessed from the Internet. The default is Disable. The default value of Port field is 8080. Multicast Pass-through When enabled, the Router will allow IP Multicast traffic to come in from the Internet. The default is Disable. Block Select the Web features that you wish to restrict. All those features

46 could place security concern to your PCs on the LAN side. You have to balance your needs on those applications and security. The default is unselected. • Java: Java is a programming language for websites. If you deny Java, you run the risk of not having access to Internet sites created using this programming language. • Cookies: A cookie is data stored on your PC and used by Internet sites when you interact with them, so you may not want to deny cookies. • ActiveX: ActiveX is a Microsoft (Internet Explorer) pro-gramming language for websites. If you deny ActiveX, you run the risk of not having access to Internet sites using this programming language. Also, Windows Update uses ActiveX, so if this is blocked, Windows update will not work. • Access to Proxy HTTP Server: If local users have access to WAN proxy servers, they may be able to circumvent the Router's content filters and access Internet sites blocked by the Router. Denying Proxy will block access to any WAN proxy servers.

47 Firewall - IP Based ACL This screen shows a summary of configured IP based Access List. The Access List is used to restrict traffic going through the Router either from WAN or LAN port. There are two ways to restrict data traffic. You can block specific types of traffic according to your ACL definitions. Or you can allow only specific types of traffic according to your ACL definition. The ACL rules will be read according to its priority. If there is a match for a packet, the action will be taken and following lower priority rules will not be checked against this packet. Note that the higher the number of rules that need to be checked against packets, the lower the throughput. Use ACL rules with caution. There are two default rules in the table that cannot be deleted. The first rule will allow all traffic coming in from LAN port to pass the Router. The second rule will allow all traffic coming in from WAN port. These two rules have the lowest priority, so without adding any user defined rules, all the packets can be passed through from both WAN and LAN sides. The rule will be enabled when the Enable button is checked, and when Date and Time are matched. If any of conditions are not met, the rule will not be used to check against packets. Figure 28: IP Based ACL Screen IP Based ACL Page Selection You can select specific page of ACL list from the drop-down menu to be displayed. Or you can navigate them page by page through Previous Page and Next Page button. Priority This defines the order on which rule is checked against first. The smaller number has higher priority. The default rules will always be checked last.

48 Enable This tells the Router if the rule is active or not. You can have rules defined in the ACL Table but in an inactive state. The administrator can decide on when to enable specific ACL rules manually. Action This defines how the rule is to affect the traffic. It can be either Allow or Deny. If the rule is matched and the action is Allow, the packet will be forwarded. If the rule is matched and the action is Deny, the packet will be dropped. Service You can either select one of the pre-defined services in the drop-down menu or you can define new services by clicking the Service Manage-ment button. Once you defined your own service, it will be listed on the top of the drop-down menu. You can also select ALL to allow or block all types of IP traffic. The User-defined Service GUI page can be either accessed from the New Rule screen by clicking Service Management button, or you can access it directly from the 2nd layer tab under Firewall. Source Interface Select LAN, WAN, or ANY interface. Source This is the source IP address to be matched against. You can define a Single IP address, a Range of IP addresses (start IP and end IP), a Network (IP Prefix and Network Mask), or ANY IP addresses. Destination This is the destination IP address to be matched against. You can define a Single IP address, a Range of IP addresses (start IP and end IP), a Network (IP Prefix and Network Mask), or ANY IP addresses. Time Displays the time period this rule will be enabled (used together with Date). It can be set to Any Time. Day Displays the days in a week this rule will be enabled (used together with Time). It can be set to Any Day. Edit Button Use this button to go to Edit IP ACL Rule screen and modify this rule. Delete Button Use this button to delete the ACL rule from the list. Add New Rule Click this button to enter the page to define a new ACL rule. Disable All Rule Click this page to disable all the user-defined rules. Delete All Rules Click this page to delete all the user-defined rules. Edit IP ACL Rule This Web page can be entered only through IP Based ACL Tab. You can enter this page by clicking Add New Rule button on that page.

49 Figure 29: Edit IP ACL Rule New Rule Action Select either Allow or Deny. Default is Allow. Service Select ALL or pre-defined (or user-defined) services from the drop-down menu. Log If checked, this ACL rule will be logged when a packet match hap-pens. Log Prefix This string will be attached in front of the log for the matched event. Source Interface Select LAN, WAN, or ANY interface. Source IP The source IP address to be matched against. You can define a Single IP address, a Range of IP addresses (start IP and end IP), a Network (IP Prefix and Network Mask), or ANY IP addresses. Destination IP The destination IP address to be matched against. You can define a Single IP address, a Range of IP addresses (start IP and end IP), a Network (IP Prefix and Network Mask), or ANY IP addresses. Service Man-agement Button Click this button and the Service Tab to add new service type to the Service drop-down menu. Scheduling Time Enter the time period this rule will be applied (used together with Date). It can be set to Any Time. Date Enter the days in a week this rule will be applied (used together with Time). It can be set to Any Day.

50 Firewall - Internet Access Policy Access to the Internet can be managed by policies. A policy consists of four components. You need to define the PCs (MAC or IP address) to apply this policy, either Deny or Allow Internet service, what time and date to enable this policy, and what URLs or Keywords to apply this policy. Use the settings on this screen to establish an access policy. Selecting a policy from the drop-down menu will display that policy's settings. You can then perform the following operations: • Create a Policy - see instructions below. • Delete the current policy - click the Delete button. • View all policies - click the Summary button. On the Summary screen, the policies are listed with the following information: No., Policy Name, Days, Time, and a checkbox to delete (clear) the policy. To delete a policy, check the checkbox in the Delete column, and click the Delete button • View or change the PCs covered by the current policy - click the Edit List of PCs button.

51 Figure 30: Internet Access Policy Screen On the List of PCs screen, you can define PCs by MAC Address or IP Address. You can also enter a range of IP Addresses if you want this policy to affect a group of PCs. To create an Internet Access policy: 1. Select the desired policy number from the Internet Access Policy drop-down menu. 2. Enter a Policy Name in the field provided. 3. To enable this policy, select the Enable option. 4. Click the Edit List of PCs button to select which PCs will be affected by the policy. The List of PCs screen will appear in a sub-window. You can select a PC by MAC Address or IP Address. You can also enter a range of IP Addresses if you want this policy to affect a group of PCs. After making your changes, click the Save Settings button to apply your changes. 5. Click the appropriate option, Deny or Allow, depending on whether you want to block or allow Internet access for the PCs you listed on the List of PCs screen.

52 6. Decide what Days and what Times you want this policy to be enforced. Select the individ-ual days during which the policy will be in effect, or select Everyday. Enter a range of hours and minutes during which the policy will be in effect, or select 24 Hours. 7. If you wish to block access to Web sites, use the Website Blocking by URL Address or Website Blocking by Keyword feature. • Website Blocking by URL Address. Enter the URL or Domain Name of the web sites you wish to block. • Website Blocking by Keyword. Enter the keywords you wish to block in the fields provided. If any of these Keywords appears in the URL of a web site, access to the site will be blocked. Note that only the URL is checked, not the content of each Web page. 8. Click the Save Settings button to save the policy settings. Figure 31: Summary

53 Figure 32: Internet Access PC List

54 Firewall - Single Port Forwarding This is one of the NAPT (Network Address Port Translation) feature. Use the Single Port Forwarding screen when you want to open specific services (that use single port). This allows users on the Internet to access this server by using the WAN port address and the matched external port number. When users send these types of request to your WAN port IP address via the Internet, the NAT Router will forward those requests to the appropriate servers on your LAN. Figure 33: Single Port Forwarding Screen Single Port Forwarding Application Enter the name of the application you wish to configure. External Port This is the port number used by the service or Internet application. Internet users must connect using this port number. Check with the software documentation of the Internet application for more informa-tion. Internal Port This is the port number used by the Router when forwarding Internet traffic to the PC or server on your LAN and is usually the same as the External Port number. If it is different, the Router performs a Port Translation, so that the port number used by Internet users is different from the port number used by the server or Internet application. For example, you could configure your Web Server to accept connec-tions on both port 80 (standard) and port 8080. Then, enable Port Forwarding, set the External Port to 80 and the Internal Port to 8080. Now, any traffic from the Internet to your Web server will be using port 8080, even though the Internet users used the standard port, 80. (Users on the local LAN can and should connect to your Web Server

55 using the standard port 80.) Protocol Select the protocol used for this application, TCP and/or UDP. IP Address For each application, enter the IP address of the PC running the spe-cific server application. Enabled Select Enabled to enable port forwarding for the relevant server application.

56 Firewall - Port Range Forwarding This is one of the NAPT (Network Address Port Translation) features. The Port Range For-warding screen allows you to set up public services on your network, such as web servers, ftp servers, e-mail servers, or other specialized Internet applications that use one or multiple port numbers (e.g. video conference). The port numbers being used will not change while forward-ing to the local network. This allows users on the Internet to access this server by using the WAN port IP address and the pre-defined port numbers. When users send these types of requests to your WAN port IP address via the Internet, the NAT Router will forward those requests to the appropriate servers on your LAN. Figure 34: Port Range Forwarding Screen Port Range Forwarding Application Enter the name of the application you wish to configure. Start This is the beginning of the port range. Enter the beginning of the range of port numbers (external ports) used by the server or Internet application. Check with the software documentation of the Internet application for more information if necessary. End This is the end of the port range. Enter the end of the range of port numbers (external ports) used by the server or Internet application. Check with the software documentation of the Internet application for more information if necessary. Protocol Select the protocol(s) used for this application, TCP and/or UDP. IP Address For each application, enter the IP address of the PC running the spe-cific application. Enabled Select Enabled to enable port range forwarding for the relevant appli-cation.

57 Firewall - Port Range Triggering This is one of the NAPT (Network Address Port Translation) feature. Port Range Triggering is used for special applications that can request a port to be opened on demand. For this feature, the Wireless Router will watch outgoing packets for specific port numbers. This will trigger the Wireless Router to allow the incoming packets within the specified forwarding range and forward those packets to the triggering PC. One of the example applications is QuickTime. It would use port 1000 for outgoing packets and 2000 for incoming packets. Figure 35: Port Range Triggering Screen Port Range Triggering Application Name Enter the name of the application you wish to configure. Triggered Range For each application, list the triggered port number range. These are the ports used by outgoing traffic. Check with the Internet application documentation for the port number(s) needed. In the first field, enter the starting port number of the Triggered Range. In the second field, enter the ending port number of the Triggered Range. Forwarded Range For each application, list the forwarded port number range. These are the ports used by incoming traffic. Check with the Internet application documentation for the port number(s) needed. In the first field, enter the starting port number of the Forwarded Range. In the second field, enter the ending port number of the Forwarded Range. Enabled Select Enabled to enable port range triggering for the relevant applica-tion.

58 Security Protection - Web Protection The Web Protection features are provided by the Router. Configure the website filtering settings on this screen. Figure 36: Web Protection

59 Web Protection Enable URL Filtering To filter website addresses (URLs), select this option. Enable Web Reputation To block potentially malicious websites, select this option. URL Filtering Reset Counter The Router counts the number of attempted visits to a restricted URL. To reset the counter to zero, click Reset Counter. URL Category For each URL category, select the appropriate Filtering option. If you want to filter a sub-category, click + to view the sub-categories for each category. Then select the appropriate Filtering option. Business Hours To filter this URL category during the business hours you have specified, select this option. Leisure Hours To filter this URL category during non-business hours, select this option. Instances Blocked The number of attempted visits is displayed. Business Days Select the appropriate days. The default days are Mon. through Fri. Business Times To specify entire days, keep the default, All day (24 hours). To specify hours, select Specify business hours. For morning hours, select Morning, and then select the appropriate From and To times. For afternoon hours, select Afternoon, and then select the appropriate From and To times. Web Reputation High This level blocks a higher number of potentially malicious websites but also increases the risk of false positives. (A false positive is a website that can be trusted but seems potentially malicious.) Medium This level blocks most potentially malicious websites and does not create too many false positives. The default is Med um and is the recommended setting. Low This level blocks fewer potentially malicious websites and reduces the risk of false positives. Approved URLs Enable Approved URL list To set up a list of always accessible URLs, select this option. URL(s) to ap-prove Enter the trusted URL(s). Separate multiple URLs with semicolons (“;”). Add>> To add the URLs, click Add. Approved URLs list The trusted URLs are displayed. To delete a URL, click its trash can icon. URL Overflow Control Enable Approved Client list To set up a list of trusted clients, select this option.

60 IP Addresses/range Enter the appropriate IP addresses or ranges. Separate multiple URLs with semicolons (“;”). For a range of IP addresses, use a hyphen (“-”). Example: 10.1.1.0-10.1.1.10. Add>> To add the IP addresses or ranges, click Add. Approved Clients list The IP addresses or range of trusted clients are displayed. To delete an IP address or range, click its trash can icon. Temporarily block URL requests If there are too many URL requests, the overflow will be held back until they can be processed. This is the default setting. Temporarily bypass Trend Micro URL Filtering for requested URLs If there are too many URL requests, the overflow will be allowed without verification.

61 Security Protection - Email Protection The Email Protection features are provided by an online service called IMHS, which stands for InterScan™ Messaging Hosted Security. It checks your e-mail messages so spam, viruses, and inappropriate content are filtered out. After you have configured the IMHS settings, your email messages will be checked online before appropriate messages are forwarded to your network. Note: To have your e-mail checked, you will need to provide the domain name and IP address of your e-mail server. If you do not know this information, contact your ISP. Figure 37: Email Protection Screen Email Protection https://us. imhs.trendmicro.com/linksys To set up e-mail protection, click this link. You will be redirected to the Trend Micro ProtectLink Gateway website. Then follow the on-screen instructions.

62 Security Protection - License The license for the Trend Micro ProtectLink Gateway service (Email Protection and Web Protection) is valid for one year from the time the activation code for Web Protection is gener-ated. If you do not provide the necessary information to activate Email Protection during registration, please provide that information as soon as possible because Email Protection and Web Protection will expire at the same time. Note: For example, if you provide the information needed for Email Protection one month after receiving the activation code for Web Protection, then you will receive only 11 months of Email Protection. On the License screen, license information is displayed. Use this screen to renew your license, add seats, or view license information online. Figure 38: License Screen License Update Informa-tion To refresh the license information displayed on-screen, click Update Information. License Information View detailed license online To view license information online, click this link. Status The status of your license, Activated or Expired, is displayed. Platform The model type, Gateway Service, is automatically displayed. License expires on The date and time your license expires are displayed. Renew To renew your license, click Renew. Then follow the on-screen instructions. Add Seats Each seat allows an e-mail account to use Email Protection. To add

63 seats to your license, click Add Seats. Then follow the on-screen instructions.

64 VPN - Summary Tab Figure 39: Summary Screen Summary Tunnel(s) Used Displays the number of tunnels used. Tunnel(s) Avail-able Displays the number of available tunnels. Tunnel Status No. Displays the number of the tunnel. Name Displays the name of the tunnel, as defined by the Tunnel Name field on the VPN > IPSec VPN screen. Status Displays the tunnel’s status: Connected, Hostname Resolution Failed, Resolving Hostname, or Waiting for Connection. Phase2 Enc/Auth Displays the Phase 2 Encryption type (3DES), Authentication type (MD5 or SHA1), and Group (768-bit, 1024-bit, or 1536-bit) that you chose in the VPN > IPSec VPN screen. Local Group Displays the IP address and subnet of the local group. Remote Group Displays the IP address and subnet of the remote group. Remote Gateway Displays the IP address of the remote gateway. Tunnel Test Click Connect to verify the tunnel status; the test result is updated in the Status column. If the tunnel is connected, you can disconnect the IPSec VPN connection by clicking Disconnect. Config. Click Edit to change the tunnel’s settings. Click Trash to delete all of the tunnel’s settings.

65 VPN Clients Status No. Displays the user number from 1 to 5. Username Displays the username of the VPN Client. Status Displays the connection status of the VPN Client. IP Address Displays the IP address of the VPN Client. Start Time Displays the start time of the most recent VPN session for the specified VPN Client. End Time Displays the end time of a VPN session if the VPN Client has discon-nected. Duration Displays the total connection time of the latest VPN session. Disconnect Check the Disconnect checkbox at the end of each row in the VPN Clients Table and click the Disconnect button to disconnect a VPN Client session.

66 VPN - IPSec VPN Tab Use this screen to create VPN tunnels between the Router to the remote Router. All Linksys Routers with Ipsec VPN support can be used as a remote Router (e.g. RVS4000, WRV54G, RV042). The Router supports VPN tunnels using IPsec (IP Security) technologies. You can create, delete, or modify a VPN tunnel on this page. Figure 40: IPSec VPN Screen IPSec VPN Tunnel Selected Select a tunnel to configure or create a new tunnel. Delete Button Click this button to delete the selected tunnel. Tunnel Name For each application, list the forwarded port number range. These are the ports used by incoming traffic. Check with the Internet application documentation for the port number(s) needed. In the first field, enter the starting port number of the Forwarded Range. In the second field, enter the ending port number of the Forwarded Range.

67 Tunnel Enable Select Enable to enable this tunnel. Local Security Group Local Security Gateway Type This has two settings, IP Only and IP + Domain Name (FQDN) Authentication. • IP Only If this is selected, the Wireless Router’s WAN IP address automatically appears in the IP Address field. • IP + Domain Name (FQDN) Authentication This is the same as IP Only, but includes a domain name for greater security. Enter an arbitrary domain name in the Domain Name field. The Router’s WAN IP address automatically appears in the IP Ad-dress field. Local Security Group Type Select the local LAN user(s) behind the Router that can use this VPN tunnel. This may be a single IP address. Notice that the Local Security Group must match or cover the other router's Remote Security Group. IP Address Enter the IP address on the local network. Subnet Mask If the Local Security Group Type is set to Subnet, enter the mask to determine the IP addresses on the local network. Remote Security Group Remote Security Gateway Type Select either IP Only or IP + Domain Name (FQDN) Authentica-tion. The setting should match the Local Security Gateway Type for the VPN device at the other end of the tunnel. • IP Only Select this to specify the remote device that will have access to the tunnel. Then either select IP Address from the drop-down menu and enter the remote gateway’s WAN IP ad-dress in the IP Address field, or select IP by DNS Resolved from the dropdown menu and enter the remote gateway’s do-main name in the Domain Name field. • IP + Domain Name (FQDN) Authentication This is the same as IP Only but includes a domain name for greater security. En-ter an arbitrary domain name in the Domain Name field. Then select either IP Address or IP by DNS Resolved from the drop-down menu, and fill in the IP Address field or Domain Name field. Remote Security Group Type Select the remote LAN user(s) behind the remote gateway who can use this VPN tunnel. This may be a single IP address or a Sub-network. Note that the Remote Security Group Type must match the other router’s Local Security Group Type. IP Address Enter the IP address on the remote network. Subnet Mask If the Remote Security Group Type is set to Subnet, enter the mask to determine the IP addresses on the remote network. IPSec Setup Keying Mode The Router supports both automatic and manual key management. When choosing automatic key management, IKE (Internet Key Exchange) protocols are used to negotiate key material for SA (Security Association). If manual key management is selected, no

68 key negotiation is needed. Basically, manual key management is used in small static environments or for troubleshooting purpose. Notice that both sides must use the same Key Management method (both Auto or both Manual). For Manual key management, all the configurations need to match on both sides. Manual • Incoming/Outgoing SPI The SPI (Security Parameter Index) is carried in the IPsec ESP header. This enables the receiver to select the SA (Security As-sociation), under which a packet should be processed. The SPI is a 32-bit value. Both decimal and hexadecimal values are ac-ceptable. e.g. “987654321” or “0x3ade68b1”. Each tunnel must have unique an Inbound SPI and Outbound SPI. No two tunnels share the same SPI. Notice that Inbound SPI must match the other Router's Outbound SPI, and vice versa. • Encryption The Encryption method determines the complexity to en-crypt/decrypt data packets. Only 3DES is supported. Notice that both sides must use the same Encryption method. • Authentication Authentication determines a method to authenticate the data packets to make sure they come from a trusted source. Either MD5 or SHA1 may be selected. Notice that both sides (VPN endpoints) must use the same Authentication method. • MD5 - A one way hashing algorithm that produces a 128-bit digest. • SHA1 - A one way hashing algorithm that produces a 160-bit digest. • Encryption Key This field specifies a key used to encrypt and decrypt data pack-ets. Both characters and hexadecimal values are acceptable in this field. Note: that both sides must use the same Encryption Key. • Authentication Key This field specifies a key used to authenticate IP traffic. Both characters and hexadecimal values are acceptable in this field. Note: that both sides must use the same Authentication Key. IKE with Preshared Key • Phase1 DH Group Phase 1 is used to create a security association (SA). DH (Dif-fie-Hellman) is a key exchange protocol that used during phase 1 of the authentication process to establish pre-shared keys. There are three groups of different prime key lengths. Group 1 is 768 bits, Group 2 is 1,024 bits and Group 5 is 1,536 bits. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. • Phase 1 Encryption There are five methods of encryption, DES, 3DES, AES-128, AES-192 and AES-256. The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. DES is 56-bit encryption, 3DES is 168-bit encryption, AES-128 is 128-bit encryption, AES-192 is 192-bit encryption and AES-256 is 256-bit encryption. DES is faster than 3DES, but 3DES is more secure than DES. Both sides must use the same Encryption

69 method. • Phase 1 Authentication Authentication determines a method to authenticate the data packets to make sure they come from a trusted source. Either MD5 or SHA1 may be selected. Notice that both sides (VPN endpoints) must use the same Authentication method. • MD5 - A one way hashing algorithm that produces a 128-bit digest. • SHA1 - A one way hashing algorithm that produces a 160-bit digest. • Phase 1 SA Life Time This field allows you to configure the length of time a VPN tun-nel is active in Phase 1. The default value is 28,800 seconds. • Perfect Forward Secrecy If PFS is enabled, IKE Phase 2 negotiation will generate a new key material for IP traffic encryption and authentication. Note that both sides must have this selected. • Phase2 DH Group There are three groups of different prime key lengths. Group1 is 768 bits, Group2 is 1,024 bits and Group 5 is 1,536 bits. If net-work speed is preferred, select Group 1. If network security is preferred, select Group 5. You can choose the different Group with the Phase 1 DH Group you chose. If Perfect Forward Se-crecy is disabled, there is no need to setup the Phase 2 DH Group since no new key generated, and the key of Phase 2 will be same with the key in Phase 1. • Phase 2 Encryption Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. There are five methods of encryp-tion, DES, 3DES, AES-128, AES-192 and AES-256. The Encryption method determines the length of the key used to en-crypt/decrypt ESP packets. DES is 56-bit encryption, 3DES is 168-bit encryption, AES-128 is 128-bit encryption, AES-192 is 192-bit encryption and AES-256 is 256-bit encryption. DES is faster than 3DES, but 3DES is more secure than DES. Both sides must use the same Encryption method. If users enable the AH Hash Algorithm in Advanced, it is recommended to select Null to disable encrypt/decrypt ESP packets in Phase 2 for most users, but both sides of tunnel must use the same setting. • Phase 2 Authentication Authentication determines a method to authenticate the data packets to make sure they come from a trusted source. Either MD5 or SHA1 may be selected. Notice that both sides (VPN endpoints) must use the same Authentication method. • MD5 - A one way hashing algorithm that produces a 128-bit digest. • SHA1 - A one way hashing algorithm that produces a 160-bit digest. • Phase 2 SA Life Time This field allows you to configure the length of time a VPN tun-nel is active in Phase 2. The default value is 3,600 seconds.

70 • PreShared Key IKE uses the Pre-shared Key field to authenticate the remote IKE peer. Both characters and hexadecimal values are accept-able in this field. e.g. “My_@123” or “0x4d795f40313233” Note that both sides must use the same Pre-shared Key. Advanced Aggressive Mode There are two types of Phase 1 exchanges: Main mode and Aggres-sive mode. Aggressive Mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange. If net-work security is preferred, select Main mode. When users select the Dynamic IP in Remote Security Gateway Type, it will be limited as Aggressive Mode. Compress The router supports IP Payload compression Protocol. IP Payload Compression is a protocol to reduce the size of IP datagrams. If Compress is enabled, the router will propose compression when initiating a connection. If the responders reject this propose, the router will not implement the compression. When the router works as a responder, the router will always accept compression even without enabling compression. AH Hash Algo-rithm AH (Authentication Header) protocol describes the packet format and the default standards for packet structure. With the use of AH as the security protocol, protected is extended forward into IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process. There are two algorithms, MD5 and SHA1. MD5 produces a 128-bit digest to authenticate packet data and SHA1 produces a 160-bit digest to authenticate packet data. Both sides of tunnel should use the same algorithm. NetBIOS broadcast Check the box to enable NetBIOS traffic to pass through the VPN tunnel. By default, the router blocks these broadcasts. Dead Peer Detec-tion When DPD is enabled, the router will send the periodic HELLO/ACK messages to prove the tunnel liveliness when both peers of VPN tunnel provide DPD mechanism. Once a dead peer detected, the router will disconnect the tunnel so the connection can be re-established. The Interval is the number of seconds between DPD messages. The default is DPD enabled, and default Interval is 10 seconds.

71 VPN - VPN Client Accounts Tab You can allow remote users to easily establish a VPN connection to your Router using the Linksys QuickVPN client utility without using a compatible VPN Router with IPsec VPN settings. This is achieved by creating user accounts on the Router and authenticate users through Username and Password. After creating user accounts, it will be summarized in the table below. For users using QuickVPN, it will first establish an SSL connection with remote Wireless Router to get authenticated. Then QuickVPN will automatically negotiate IPsec settings with the remote Router. All the data packets will be encrypted using IPsec thereafter. The Wireless Router supports up to five Linksys QuickVPN clients by default. Additional QuickVPN Client licenses can be purchased separately. Figure 41: VPN Client Accounts Screen VPN Client Accounts Username Enter the username using any combination of keyboard characters. Password Enter the password you would like to assign to this user. Re-enter to Confirm Retype the password to ensure that it has been entered correctly. Allow User to Change Pass-word This option determines whether the user is allowed to change their password.

72 VPN Client List Table No Displays the user number. Active When checked, the designated user can connect, otherwise the VPN client account is disabled. Username Displays the username. Password Displays the password. Edit Button This button is used to modify the username, password, or toggle between whether the user is allowed to change their password. Remove Button This button is used to delete a user account. Certificate Management Generate Click this button to generate a new certificate to replace the existing certificate on the router. Export to Admin Click this button to export the certificate for administrator. A dialog will ask you to specify where you want to store your certificate. The default file name is “RV220W_Admin.pem” but you can use an-other name. The certificate for administrator contains the private key and needs to be stored in a safe place as a backup. If the router’s configuration is reset to the factory default, this certificate can be imported and restored on the router. Export to Client Click this button to export the certificate for client. A dialog will ask you where you want to store your certificate. The default file name is “RV220W_Client. pem” but you can use another name. For QuickVPN users to securely connect to the router, this certificate needs to be placed in the install directory of the QuickVPN client. Import Click this button to import a certificate previously saved to a file using Export for Admin or Export for Client. Enter the file name in the field or click Browse to locate the file on your computer, then click Import. Certificate Last Generated or Imported This displays the date and time when a certificate was last generated or imported.

73 VPN - VPN Passthrough Figure 42: VPN Passthrough Screen VPN Passthrough IPSec PassThrough Internet Protocol Security (IPSec) is a suite of protocols used to implement secure exchange of packets at the IP layer. IPSec Passthrough is enabled by default to allow IPSec tunnels to pass through the Router. To disable IPSec Passthrough, select Disabled. PPTP PassThrough Point-to-Point Tunneling Protocol (PPTP) allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network. PPTP Passthrough is enabled by default. To disable it, select Disabled. L2TP PassThrough Layer 2 Tunneling Protocol is the method used to enable Point-to-Point sessions via the Internet on the Layer 2 level. L2TP Passthrough is enabled by default. To disable L2TP Passthrough, select Disabled.

74 QoS Tab QoS (Quality of Service) allows you to perform Bandwidth Management, by either Rate Control or Priority. You can also configure QoS Trust Mode and the DSCP settings. QoS - Bandwidth Management Figure 43: Bandwidth Management Screen Setup Bandwidth Management QoS (Quality of Service) is disabled by default. When enabled, this option allows you to assign priority based on the application type. Bandwidth This section lets you specify the maximum bandwidth provided by the ISP on the WAN interface, for both the upstream and downstream directions. Bandwidth Management Type Type The desired type of bandwidth management, either Rate Control or Priority. Depending on your selection, the lower portion of the screen displays either the Rate Control section or the Priority section. Rate Control Service Select the service from the drop-down menu. If it does not contain the service you need, click Service Management to add the service. IP Enter the IP address or IP range you need to control. The default is zero, which includes all internal IP addresses. Direction Select Upstream for outbound traffic or Downstream for inbound traffic.

75 Mini. Rate Enter the minimum rate for the guaranteed bandwidth. Max. Rate Enter the maximum rate for the guaranteed bandwidth. Enable Check this box to enable this Rate Control Rule. Add to List After a rule is set up, click this button to add it to the list. The list can contain a maximum of 15 entries. Delete selected application Click this button to delete a rule from the list. Priority Service Select the service from the drop-down menu. If it does not contain the service you need, click Service Management to add the service. Direction Select Upstream for outbound traffic or Downstream for inbound traffic. Priority Select High, Medium, Normal, or Low priority for the service. The default is Medium. Enable Check this box to enable this Priority Rule. Service Man-agement Click this button to open a sub screen to add, delete or modify services settings. Add to List After a rule is set up, click this button to add it to the list. The list can contain a maximum of 15 entries. Delete selected application Click this button to delete a rule from the list. Figure 44: Service Management

76 QoS - QoS Setup The QoS Setup screen allows users to configure QoS Trust Mode for each LAN port. Figure 45: QoS Setup Screen QoS Setup Port ID The number of the LAN port. Trust Mode Select either CoS or DSCP. The default is CoS. Priority If Trust Mode is set to Port, select the port priority from 0 to 7 from the drop-down menu. If Trust Mode is set to CoS, select the default CoS priority 0 from the drop-down menu. CoS Setup Priority The CoS priority from 0 to 7. Queue Select the desired traffic forwarding queue from the list.

77 QoS - Queue Settings Figure 46: Queue Settings QoS Setup Queue Settings Queue The number of the Queue. Strict Priority Select either Strict Priority or WRR. The default is Strict Priority. WRR If WRR enabled, enter the values for WRR Weight and % of WRR Bandwidth.

78 QoS - DSCP Setup Figure 47: DSCP Setup Screen DSCP Setup DSCP The Differentiated Services Code Point value in the incoming packet. Priority Select the traffic forwarding queue, 1 to 7, to which the DSCP priority is mapped. Restore Defaults Click this button to restore the default DSCP values.

79 Administration Tab The Administration tab provides access to system administration settings and tools. Administration - Management Figure 48: Management Screen Local Gateway Access Gateway Userlist Select the desired Gateway User List. Gateway Username Enter the user name here. Gateway Password Enter the password. Re-enter to Con-firm Retype the password in this field. SNMP SNMP Select Enable if you wish to use SNMP. To use SNMP, you need SNMP software on your PC. System Name Enter a suitable name. This name will be used to identify this device, and will be displayed by your SNMP software. System Contact Enter contact information for the system. System Location Enter the location of the system. Read Community Enter the SNMP community name for SNMP “Get” commands.

80 Write Community Enter the SNMP community name for SNMP “Set” commands. Trap Community Enter the SNMP community name for SNMP “Trap” commands. Trap To Enter the IP Address of the SNMP Manager to which traps will be sent. If desired, this may be left blank. UPnP UPnP If you want to use UPnP, keep the default setting, Enable. Other-wise, select Disable. WLAN Management Via WLAN Select Enable or Disable. The default setting is Disable.

81 Administration - Log Figure 49: Log Screen Log Setting Log Level Select the log level(s) that the Router should record. Outgoing Log Select Enable to cause all outgoing packets to be logged. You can then click View Outgoing Table to display information on the outgoing packets including Source IP, Destination IP, and Ser-vice/Port number. Incoming Log Select Enable to cause all incoming packets to be logged. You can then click View Incoming Table to display information on incoming packets including Source IP, Destination IP, and Service/Port number. Email Alerts Email Alerts Select Enable to cause an e-mail to be sent immediately if a DoS (Denial of Service) attack is detected. If enabled, fill in the e-mail address information in the remaining fields in this section.

82 Denial of Service Thresholds Enter the number of DoS (Denial of Service) attacks which need to be blocked by the built-in Firewall before an e-mail alert is sent. The minimum value is 20, the maximum value is 100. Log Queue Length The default is 0 entries (Router will e-mail the log if there are more than 50 entries). Log Time Thresh-old The default is 0 minutes (Router will e-mail the log every 10 min-utes). SMTP Mail Server Enter the address (domain name) or IP address of the SMTP (Simple Mail Transport Protocol) Server you use for outgoing e-mail. Email Address for Alert Logs Enter the e-mail address the Log is to be sent to. Return Email Address The e-mail will show this address as the Sender’s address. Enable SMTP Authentication If your SMTP server requires Authentication, you can enable it here, and enter the Username and Password. Email Log Now Press this button to cause the log to be e-mailed immediately. Syslog Enable Syslog Select the checkbox if you want to use this feature. Syslog Server Enter the IP Address in this field when Enable Syslog is checked. Output Blocking Event Log Select Enable to use this feature. Local Log Local Log Enable this if you want to see a log of all incoming and outgoing URLs or IP addresses. View Log Click this button when you wish to view the logs. A new window will appear with the log data.

83 Administration - Diagnostic Figure 50: Diagnostic Screen Ping Test Parameters Ping Target IP Enter the IP address or URL that you want to ping. Ping Size Enter the size of the packet you want to use. Number of Pings Enter the number of times you wish to ping the target device. Ping Interval Enter the time period (milliseconds) between each ping. Ping Timeout Enter the desired time period (milliseconds). If a response is not received within the defined ping period, the ping is considered to have failed. Start Test Click this button to begin the test. A new screen will appear and display the test results. Ping Result Displays the Ping status. Traceroute Test Parameters Traceroute Target Enter the target IP address for the traceroute test. Start Test Click this button to begin the test. A new screen will appear and display the test results. Cable Diagnostic Port Select the port number from the drop-down menu.

84 Pair Identifies a specific pair (A, B, C, or D) in the cable. Each cable consists of 8 pins (4 pairs). Cable Length Displays the length of the cable in meters. Status Displays the status of the pair.

85 Administration - Backup & Restore Figure 51: Backup & Restore Screen Backup & Restore Backup & Restore To download a copy of the current configuration and store the file on your PC, click Backup to start the download. Restore & Configuration Restore & Configuration To restore a previously saved config file back to the Router, enter the file name in the field or click Browse to select the config file, then click Restore to upload the config file.

86 Administration - Factory Defaults Figure 52: Factory Defaults Screen Factory Defaults Restore Factory Defaults Button Click this button to reset all configuration settings to their factory default values. Any settings that have been saved will be lost when the default settings are restored. After clicking the button, another screen will appear. Click OK to continue. Another screen will appear while the system reboots.

87 Administration - Reboot Figure 53: Reboot Screen Reboot Reboot Click this button to reboot the Router. This operation will not cause the Router to lose any of its stored settings.

88 Administration - Firmware Upgrade To upgrade firmware, download the latest firmware for the product from www.linksys.com, extract it to your computer, and perform the steps below. Figure 54: Firmware Upgrade Screen Firmware Upgrade File Type in the name of the extracted firmware upgrade file or click Browse to locate the file. Start to Upgrade Once you have selected the appropriate file, click Start to Upgrade and follow the on-screen instructions to upgrade your firmware.

89 L2 Switch - Create VLAN VLANs are logical subgroups of a Local Area Network (LAN) created via software rather than defining a hardware solution. VLANs combine user stations and network devices into a single domain regardless of the physical LAN segment to which they are attached. VLANs allow network traffic to flow more efficiently within subgroups. VLANs managed through software reduce the amount of time in which network changes are implemented. VLANs have no minimum number of ports, and can be created per unit, per device, per stack, or any other logical connection combination, as VLANs are software based and not defined by physical attributes. VLANs function at layer 2. Since VLANs isolate traffic within the VLAN, a Layer 3 router is needed to allow traffic flow between VLANs. Layer 3 routers identify segments and coordi-nate with VLANs. VLANs are broadcast and multicast domains. Broadcast and multicast traffic is transmitted only in the VLAN in which the traffic is generated. Figure 55: Create VLAN Screen VLAN Configuration VLAN ID The VLAN ID number. This can be any number from 2 to 3290, or from 3293 to 4094. (VLAN ID 1 is reserved for the default VLAN, which is used for untagged frames received on the interface. VLAN IDs 3291-3292 are reserved and cannot be used.) To create VLAN, enter the ID number and click Add VLAN. VLAN ID Range To create multiple VLANs with a range of ID numbers, enter the starting and ending ID numbers and click Add Range. Deleted Selected VLAN To delete a VLAN, select it form the VLAN list and click Delete Selected VLAN.

90 L2 Switch - VLAN & Port Assignment Figure 56: VLAN & Port Assignment Screen Port Settings Port Mode The table indicates each port’s current mode (Access, Trunk, or General e). Wireless can be enabled in Access Mode. Acceptable Ingress Frame Type Configure which kind of packet can be accepted in the port. Ingress Filtering Select the checkbox if you want to use Ingress Filtering. PVID Configure the PVID setting. VLAN Settings VLAN Select the VLAN whose membership you want to configure. Description Enter a VLAN group name of up to 50 characters. Outgoing Frame Type The table indicates each port’s outgoing frame type (Untagged, Tagged, or Exclude). VLAN/Port Assignment Summary Table Displays the table of summary.

91 L2 Switch - Radius Figure 57: Radius Screen Radius Mode Select Enabled or Disabled from the drop-down menu to enable or disable RADIUS. Radius IP Enter the Server IP address. Radius UDP Port Enter the UDP port. The UDP port is used to verify the RADIUS server authentication. Radius Secret Enter the Key string used for authenticating and encrypting all RADIUS communications between the device and the RADIUS server. This key must match the RADIUS server encryption key. If no host-specific value is specified, the global value applies to each host. Administration State Specifies the port authorization state. The possible field values are: • Auto - The controlled port state is set by the Authentication method. • Force Authorized - The controlled port state is set to Force-Authorized (forward traffic). • Force Unauthorized - The controlled port state is set to Force-Unauthorized (discard traffic). Port State Displays the state of the selected port.

92 L2 Switch - Port Setting Figure 58: Port Setting Screen Port Setting Port Displays the physical port number. Link Displays the port duplex mode and speed. Full Duplex indicates that the interface supports transmission between the device and its link partner in both directions simultaneously. Half Duplex indicates that the interface supports transmission between the device and the client in only one direction at a time. Mode Select the port duplex mode and speed from the drop-down menu. You can also select Auto Negotiation, which is a protocol between two link partners that enables a port to advertise its transmission rate, duplex mode and flow control abilities to its partner. Flow Control Displays the flow control status on the port. Operates when port is in Full duplex mode. Jumbo Frame Displays the maximum frame size the port can receive and send.

Setup 93 L2 Switch - Statistics Figure 59: Statistics Screen Statistics Tx Bytes Displays the number of Bytes transmitted from the selected port. Tx Frames Displays the number of Frames transmitted from the selected port. Rx Bytes Displays the number of Bytes received on the selected port. Rx Frames Displays the number of Frames received on the selected port. Tx Errors Displays the number of error packets transmitted from the selected port. Rx Errors Displays the number of error packets received from the selected port.

94 L2 Switch - Port Mirroring Figure 60: Port Mirroring Screen Mirror Configuration Mirror Source Use this to enable or disable source port mirroring for each port on the Router. To enable source port mirroring on a port, check the box next to that port. To disable source port mirroring on a port, leave the box unchecked. The default is disabled. Mirror Port Select the mirror destination port from the drop-down menu.

95 Status - Gateway Figure 61: Gateway Screen WAN/Gateway Firmware Version Displays the Gateway’s current firmware. Mac Address Displays the Gateway MAC Address, as seen by your ISP. Current Time Displays the time, based on the time zone you selected on the Setup tab. Internet Connection Connection Type Displays the type of the connection. Interface Displays the Gateway Internet Interface. IP Address Displays the Gateway Internet IP Address. Subnet Mask Displays the Subnet Mask that is associated with the IP address above. Default Gateway Displays your ISP’s Gateway. DNS 1-2 Displays the DNS (Domain Name System) IP addresses currently used by this Gateway. DHCP Release Click this button to release IP address on WAN port if using DHCP. DHCP Renew Click this button to renew IP address on the WAN port if using

96 DHCP. IP Conntrack Click this button to display the IP Conntrack screen. IP Conntrack Figure 62: IP Conntrack The IP Conntrack (Connection Tracking) screen displays information about TCP/UDP connec-tions, such as source and destination IP address and port number pairs (known as socket pairs), protocol types (TCP/UDP/ICMP), connection state and timeouts. To see more information, click Next Page or Previous Page, or select the page from the Goto Page drop-down menu. To see the latest information, click Refresh. Click Close to return to the Status > Gateway screen.

97 Status - Local Network Figure 63: Local Network Screen Local Network Current IP Ad-dress System This shows the current system. Mac Address This is the Router MAC Address, as seen on your local, Ethernet network. IP Address The Internet IP Address is displayed here. Subnet Mask This Subnet Mask is associated with the IP address above. IPv6 Address This shows the IPv6 IP address, if applicable. DHCP Server The status of the Router’s DHCP server function is displayed here. Start IP Address This shows the beginning of the range of IP addresses used by the DHCP Server. End IP Address This shows the end of the range of IP addresses used by the DHCP Server. DHCP Client Table Clicking this button will open a screen showing you which PCs are utilizing the Router as a DHCP server. On the DHCP Client Table screen, you will see a list of DHCP clients (PCs and other network devices) with the following information: Client Names, Interfaces, IP Addresses, MAC Addresses, and the length of time before their assigned IP addresses expire. ARP/RARP Table Clicking this button will open a screen showing you which PCs are utilizing the Router as an ARP/RARP server. On the ARP/RARP Table screen, you will see a list of ARPs/RARPs (PCs and other network devices) with the following information: IP Addresses and MAC Addresses.

98 Figure 64: DHCP Client Table Figure 65: ARP/RARP Table

99 Status - Wireless LAN This screen provides some basic information on the Wireless LAN of this Wireless Router. Figure 66: Wireless LAN Screen Wireless LAN Wireless IP Ad-dress Displays the IP address on the Wireless LAN interface. Mac Address Displays the MAC address on the Wireless LAN interface. Network Mode Displays the Wireless network operating mode (e.g. B/G/N-Mixed). Wireless SSID Displays the Wireless network name. Channel Band-width Displays the wireless channel bandwidth setting. Wireless Channel Displays the radio channel number used. Security Displays the Wireless Security mode. SSID Broadcast This shows the beginning of the range of IP addresses used by the DHCP Server.

100 Status - System Performance This screen provides data packet statistics on the LAN switch and Wireless LAN of the Router. Figure 67: System Performance Screen All LAN ports / WLAN Packets Received This shows the number of packets received. Packets Sent This shows the number of packets sent. Bytes Received This shows the number of bytes received. Bytes Sent This shows the number of bytes sent. Error Packets Received This shows the number of error packets received. Dropped Packets Received This shows the number of packets being dropped after they were received.

101 Appendix A Specifications Dual-Band Wireless-N VPN Router General Model RV220W Ports 10/100/1000 Base-T Ethernet, 12V DC Power Buttons Reset Cabling Type Type UTP CAT 5 LEDs Power, Diag, DMZ, Wireless, ETHERNET 1-4, Internet Wireless Transmit Power IEEE 802.11a: 23.92 dBm draft 802.11n Standard-20 MHz Channel mode: 24.52 dBm draft 802.11n Wide-40 MHz Channel mode: 23.82 dBm IEEE 802.11b: 19.26 dBm IEEE 802.11g: 20.74 dBm draft 802.11n Standard-20 MHz Channel mode: 20.65 dBm draft 802.11n Wide-40 MHz Channel mode: 18.79 dBm Modulation Technique & Transmit Data Rate IEEE 802.11a: OFDM (QPSK, BPSK, 16-QAM, 64-QAM) (54, 48, 36, 24, 18, 12, 9, 6 Mbps) draft 802.11n Standard-20 MHz Channel mode: OFDM (6.5, 7.2, 13, 14.4, 14.44, 19.5, 21.7, 26, 28.89, 28.9, 39, 43.3, 43.33 52, 57.78, 57.8, 58.5, 65.0, 72.2, 78, 86.67, 104, 115.56, 117, 130, 144.44 Mbps) draft 802.11n Wide-40 MHz Channel mode: OFDM (13.5, 15, 27, 30, 40.5, 45, 54, 60, 81, 90, 108, 120, 121.5, 135, 150, 162, 180, 216, 240, 243, 270, 300 Mbps) IEEE 802.11b mode: DSSS (1, 2, 5.5 and 11 Mpbs) IEEE 802.11g mode: OFDM (6, 9, 12, 18, 24, 36, 48 and 54 Mpbs) draft 802.11n Standard-20 MHz Channel mode: OFDM (6.5, 7.2, 13, 14.4, 14.44, 19.5, 21.7, 26, 28.89, 28.9, 39, 43.3, 43.33 52, 57.78, 57.8, 58.5, 65.0, 72.2, 78, 86.67, 104, 115.56, 117, 130, 144.44 Mbps) draft 802.11n Wide-40 MHz Channel mode: OFDM (13.5, 15, 27, 30, 40.5, 45, 54, 60, 81, 90, 108, 120, 121.5, 135, 150, 162, 180, 216, 240, 243, 270, 300 Mbps) Antenna Specification 1. Dipole Antenna / 2 dBi MIMO: 2dBi + 10 log (2) = 5 dBi (Numeric gain: 3.16) 2. PIFA Antenna / 6.6 dBi (RX only) Performance NAT Throughput 800 Mb/s A

102 Setup/Config Web User Interface WebUI Built in Web UI for Easy browser-based configuration (HTTP/HTTPS) Management SNMP Version SNMP Version 1, 2c Event Logging Local, Syslog, E-mail Alerts Web F/W upgrade Firmware Upgradable Through Web-Browser Diagnostics DIAG LED for Flash and RAM failure; Ping Test for network diagnostics Security VPN 5 QuickVPN Tunnels for remote client access 5 IPSec Gateway-to-Gateway Tunnels for branch office connec-tivity 3DES Encryption MD5/SHA1 Authentication IPSec NAT-T VPN Passthrough of PPTP, L2TP, IPSec Access Control IP-based ACL, Internet Access Policy Control Firewall SPI stateful packet inspection firewall Content Filtering URL blocking, keyword blocking IPS (Intrusion Prevention System) IP Sweep Detection, Application Anomaly Detection (HTTP, FTP, Telnet, RCP), P2P Control, Instant Messenger Con-trol, L3-L4 Protocol (IP, TCP, UDP, ICMP) Normalization, L7 Signature Matching Signature Update Manual download from the web (Free download for 1 year) Secure Management HTTPS, Username/Password 802.1x Port-based Radius Authentication (EAP-MD5, EAP-PEAP) NAT PAT, NAPT, ALG support, NAT Traversal QoS Prioritization types Port-based and Application-based Priority Queues 4 queues Network VLAN Support Port-based VLAN DHCP DHCP Server, DHCP Client, DHCP Relay Agent DNS DNS Relay, Dynamic DNS (DynDNS, TZO) DMZ Any host IP address on LAN side Routing Static and RIP v1, v2

103 Environment Device Dimensions (W x H x D) 170 x 131 x 170 mm Weight 0.99 lbs (0.45kg) Power 12V 1.25A Certification FCC class B, CE, ICES-003 Operating Temp. 0ºC to 40ºC (32ºF to 104ºF) Storage Temp. -20ºC to 70ºC (-4ºF to 158ºF) Operating Humidity 10% to 85% Non-Condensing Storage Humidity 5% to 90% Non-Condensing