UTT TECHNOLOGIES REG01-UTT Router User Manual

SHANGHAI UTT TECHNOLOGIES CO., LTD. Router

User Manual

Document ID: 1659606
Application ID: BZ+xXJR2tf0jUIDgdEb1cQ==
Document Description: User Manual
Short Term Confidential: No
Permanent Confidential: No
Supercede: No
Document Type: User Manual
Display Format: Adobe Acrobat PDF - pdf
Filesize: 387.08kB (4838562 bits)
Date Submitted: 2012-03-20 00:00:00
Date Available: 2012-03-20 00:00:00
Creation Date: 2012-03-19 15:11:47
Producing Software: Acrobat Distiller 7.0 (Windows)
Document Lastmod: 2012-03-19 15:11:47
Document Title: untitled
Document Author: XuJinghua

UTT Routers/Firewalls
Advanced Configuration Guide
Version: ReOS V10
UTT Technologies Co., Ltd.
http://www.uttglobal.com
Copyright Notice
Copyright © 2000-2011 UTT Technologies Co., Ltd. All rights reserved.
Information in this document, including URL and other Internet Web site references, is
subject to change without further notice.
Unless otherwise noted, the companies, organizations, people and events described in
the examples of this document are fictitious, which have no relationship with any real
company, organization, people and event.
Complying with all applicable copyright laws is the responsibility of the user. No part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording,
or otherwise), or used for any commercial and profit purposes, without the express prior
written permission of UTT Technologies Co., Ltd.
UTT Technologies Co., Ltd. has the patents, patent applications, trademarks, trademark
applications, copyrights and other intellectual property rights that are mentioned in this
document. You have no license to use these patents, trademarks, copyrights or other
intellectual property rights, without the express prior written permission of UTT
Technologies Co., Ltd.
㡒⋄® and UTT® are the registered trademarks of UTT Technologies Co., Ltd.
NE® is the registered trademark of UTT Technologies Co., Ltd.
Unless otherwise announced, the products, trademarks and patents of other companies,
organizations or people mentioned herein are the properties of their respective owners.
Product Number (PN): 0900-0306-001
Document Number (DN): PR-PMMU-1104.56-PPR-EN-1.0A
FCC Warning
This device complies with Part 15 of the FCC Rules. Operation is subject to the following
two conditions:
(1) this device may not cause harmful interference, and
(2) this device must accept any interference received, including interference that may
cause undesired operation.
NOTE: Changes or modifications not expressly approved by the party responsible for
compliance could void the user's authority to operate the equipment.
This equipment has been tested and found to comply with the limits for a Class B digital
device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide
reasonable protection against harmful interference in a residential installation. This
equipment generates, uses and can radiate radio frequency energy and, if not installed
and used in accordance with the instructions, may cause harmful interference to radio
communications. However, there is no guarantee that interference will not occur in a
particular installation.
If this equipment does cause harmful interference to radio or television reception, which
can be determined by turning the equipment off and on, the user is encouraged to try to
correct the interference by one or more of the following measures:
-- Reorient or relocate the receiving antenna.
-- Increase the separation between the equipment and receiver.
-- Connect the equipment into an outlet on a circuit different from that to which the receiver
is connected.
-- Consult the dealer or an experienced radio/TV technician for help.
UTT Technologies
Table of Contents
Table of Contents
About This Manual ..... 1
0.1 Scope ..... 1
0.2 Web UI Style ..... 1
0.3 Documents Conventions ..... 2
0.3.1 Detailed Description of List ..... 2
0.3.1.1 Editable List ..... 2
0.3.1.2 Read-only List ..... 3
0.3.1.3 Sorting Function ..... 4
0.3.2 Keyboard Operation ..... 5
0.3.3 Other Conventions ..... 5
0.3.3.1 Convention for a Page Path ..... 5
0.3.3.2 Convention for Clicking a Button ..... 5
0.3.3.3 Convention for Selecting an Option ..... 5
0.4 Partial Factory Default Settings ..... 6
0.5 Document Organization ..... 6
Chapter 1 Product Overview ..... 14
1.1 Key Features ..... 14
1.2 Main Features ..... 15
1.3 VPN Features ..... 17
1.4 Physical Specification ..... 18
1.5 Detailed Specifications Table ..... 19
Chapter 2 Hardware Installation ..... 23
2.1 Installation Requirements ..... 23
2.2 Installation Procedure ..... 23
2.3 Installation Procedure of UTT 2512 ..... 24
2.4 Installation Procedure of U2000 ..... 27
Chapter 3 Logging in to the Device ..... 32
3.1 Configuring Your PC ..... 32
3.2 Logging in to the Device ..... 34
3.3 Shortcut Icons ..... 35
Chapter 4 Quick Wizard ..... 37
UTT Technologies http://www.uttglobal.com
Page 1
4.1 Running the Quick Wizard ..... 37
4.2 LAN Settings ..... 38
4.3 Choosing an Internet Connection Type ..... 38
4.4 Internet Connection Settings ..... 40
4.4.1 Notes on Internet Connection Settings ..... 40
4.4.2 PPPoE Internet Connection Settings ..... 40
4.4.3 Static IP Internet Connection Settings ..... 42
4.4.4 DHCP Internet Connection Settings ..... 44
4.5 Reviewing and Saving the Settings ..... 44
4.6 Summary ..... 45
Chapter 5 System Status ..... 46
5.1 System Information ..... 46
5.1.1 System Up Time ..... 46
5.1.2 System Resource ..... 47
5.1.3 System Version ..... 48
5.1.4 Port Information ..... 48
5.1.4.1 Port Status ..... 48
5.1.4.2 Interface Rate Chart ..... 49
5.2 NAT Statistics ..... 51
5.3 DHCP Statistics ..... 53
5.3.1 DHCP Pool Statistics List ..... 53
5.3.2 DHCP Server Statistics List ..... 55
5.3.3 DHCP Conflict Statistics List ..... 56
5.3.4 DHCP Client Statistics List ..... 57
5.3.5 DHCP Relay Statistics List ..... 58
5.4 Interface Statistics ..... 60
5.5 Routing Table ..... 62
5.6 Session Monitor ..... 65
5.6.1 Session Monitor Settings ..... 65
5.6.2 NAT Session List ..... 67
5.6.3 Examples ..... 68
5.6.3.1 Searching Internet Activities of the LAN User with IP Address 192.168.16.68/24 ..... 68
5.6.3.2 Searching the LAN Users Accessing 200.200.200.251 ..... 69
5.6.3.3 Searching the LAN Users Using MSN ..... 70
5.6.3.4 Searching Internet Activities of the LAN users Using WAN1 IP address ..... 71
5.7 System Log ..... 74
5.7.1 System Log Settings ..... 74
5.7.2 Viewing System Logs ..... 75
5.8 Web Log ..... 78
5.8.1 Enable Web Log ..... 78
5.8.2 View Web Logs ..... 79
5.9 Application Traffic Statistics ..... 80
5.9.1 Global Setup ..... 80
5.9.2 Application Traffic Statistics List ..... 80
5.9.3 User Traffic Statistics List ..... 81
5.10 WAN Traffic Statistics ..... 83
Chapter 6 Basic Setup ..... 84
6.1 LAN Settings ..... 84
6.2 WAN Settings ..... 86
6.2.1 WAN List ..... 86
6.2.1.1 Parameter Definitions ..... 86
6.2.1.2 List Function ..... 88
6.2.1.3 How to Dial and Hang up a PPPoE connection ..... 89
6.2.1.4 How to Renew and Release a DHCP Connection ..... 89
6.2.2 WAN Internet Connection Settings ..... 91
6.2.2.1 PPPoE Internet Connection Settings ..... 91
6.2.2.2 Static IP Internet Connection Settings ..... 96
6.2.2.3 DHCP Internet Connection Settings ..... 98
6.2.2.4 How to Delete the Internet Connection ..... 99
6.2.2.5 Related Default Routes ..... 100
6.3 Load Balancing ..... 101
6.3.1 Introduction to Load Balancing and Failover ..... 101
6.3.1.1 Internet Connection Detection Mechanism ..... 101
6.3.1.2 Load Balancing Mode ..... 102
6.3.1.3 Internet Connection Detection Method ..... 103
6.3.2 The Operation Principle of Load Balancing ..... 105
6.3.2.1 Allocating Traffic according to Connection Bandwidth ..... 105
6.3.2.2 Two Load Balancing Policies ..... 106
6.3.3 ID Binding ..... 107
6.3.4 Load Balancing Global Settings ..... 108
6.3.4.1 Global Settings - Full Load Balancing ..... 108
6.3.4.2 Global Settings - Partial Load Balancing ..... 109
6.3.5 Detection and Weight Settings ..... 110
6.3.6 Load Balancing List ..... 112
6.3.7 How to Configure Load Balancing ..... 112
6.3.7.1 The Process of Configuring Load Balancing ..... 112
6.3.7.2 The Configuration Steps of Connection Detection and Weight ..... 113
6.3.7.3 The Configuration Steps of Load Balancing Global Settings ..... 113
6.3.7.4 The Configuration Steps of ID Binding ..... 114
6.3.8 Related Detection Route ..... 114
6.4 DHCP & DNS ..... 115
6.4.1 DHCP Server ..... 115
6.4.2 DHCP Auto Binding ..... 116
6.4.3 DNS Proxy ..... 117
Chapter 7 Advanced Setup ..... 119
7.1 Static Route ..... 119
7.1.1 Static Route ..... 119
7.1.1.1 Introduction to Static Route ..... 119
7.1.1.2 System Reserved Static Routes ..... 119
7.1.1.3 Static Route Settings ..... 121
7.1.1.4 Static Route List ..... 123
7.1.1.5 How to Add the Static Routes ..... 123
7.1.2 Static Route Policy Database ..... 125
7.1.2.1 Introduction to Static Route PDB ..... 125
7.1.2.2 Static Route PDB Settings ..... 127
7.1.2.3 How to Add the Static Route PDB Entries ..... 128
7.1.2.4 How to Update a System Default Static Route PDB ..... 129
7.2 Policy-Based Routing ..... 131
7.2.1 Policy-Based Routing Settings ..... 131
7.2.2 Enable Policy-Based Routing ..... 133
7.2.3 Policy-Based Routing List ..... 133
7.3 DNS Redirection ..... 135
7.3.1 Introduction to DNS Redirection ..... 135
7.3.2 Enable DNS Redirection ..... 135
7.3.3 DNS Redirection List ..... 136
7.3.4 DNS Redirection Settings ..... 137
7.3.5 How to Configure DNS Redirection ..... 138
7.4 Plug and Play ..... 139
7.4.1 Introduction to Plug and Play ..... 139
7.4.2 Enable Plug and Play ..... 139
7.5 SNMP ..... 140
7.6 SYSLOG ..... 143
7.7 DDNS ..... 145
7.7.1 Introduction to DDNS ..... 145
7.7.2 DDNS Service Offered by iplink.com.cn ..... 145
7.6.1.1 Apply for a DDNS Account from iplink.com.cn ..... 145
7.7.2.1 DDNS Settings Related to ipink.com.cn ..... 147
7.7.3 DDNS Service Offered by 3322.org ..... 148
7.7.3.1 Apply for a DDNS Account from 3322.org ..... 148
7.7.3.2 DDNS Settings Related to 3322.org ..... 149
7.7.4 DDNS Verification ..... 150
7.8 Advanced DHCP ..... 152
7.8.1 Introduction to DHCP ..... 152
7.8.1.1 Overview ..... 152
7.8.1.2 DHCP Operation Process ..... 152
7.8.1.3 DHCP Message types ..... 154
7.8.2 Introduction to DHCP Feature of the Device ..... 155
7.8.2.1 Introduction to DHCP Server ..... 156
7.8.2.2 Introduction to DHCP Client ..... 158
7.8.2.3 Introduction to DHCP Relay Agent ..... 159
7.8.2.4 Introduction to Raw Option ..... 160
7.8.3 DHCP Client ..... 161
7.8.3.1 DHCP Client Settings ..... 161
7.8.3.2 DHCP Client List ..... 163
7.8.3.3 How to Configure DHCP Client ..... 163
7.8.4 DHCP Server ..... 164
7.8.4.1 DHCP Server Global Settings ..... 164
7.8.4.2 DHCP Manual Binding List ..... 165
7.8.4.3 DHCP Manual Binding Settings ..... 166
7.8.4.4 How to Add the DHCP Manual Bindings ..... 168
7.8.4.5 DHCP Address Pool List ..... 168
7.8.4.6 DHCP Address Pool Settings ..... 169
7.8.4.7 How to Add the DHCP Address Pools ..... 172
7.8.5 DHCP Relay Agent ..... 173
7.8.5.1 DHCP Relay Agent Settings ..... 174
7.8.5.2 DHCP Relay Agent List ..... 175
7.8.5.3 How to Configure DHCP Relay Agent ..... 176
7.8.6 Raw Option ..... 177
7.8.6.1 Raw Option Settings ..... 177
7.8.6.2 Raw Option List ..... 178
7.8.6.3 How to Add the DHCP Raw Options ..... 179
7.8.7 Configuration Examples for DHCP ..... 179
7.8.7.1 Configuration Example for the DHCP Server ..... 179
7.8.7.2 Configuration Example for the DHCP Client ..... 184
7.8.7.3 Configuration Example for the DHCP Relay Agent ..... 186
7.8.7.4 Configuration Example for the Raw Option ..... 187
7.8.7.5 Comprehensive Example for DHCP ..... 188
7.9 Switch ..... 196
7.9.1 Port Mirroring ..... 196
7.9.1.1 Introduction to Port Mirroring ..... 196
7.9.1.2 Port Mirroring Setup ..... 196
7.9.2 Port-Based VLAN ..... 197
7.9.2.1 Introduction to VLAN ..... 197
7.9.2.2 Port-Based VLAN Setup ..... 197
7.10 Miscellaneous ..... 198
7.10.1 Miscellaneous ..... 198
7.10.2 Scheduled Task ..... 199
Chapter 8 NAT ..... 201
8.1 Port Forwarding ..... 201
8.1.1 Introduction to Port Forwarding ..... 201
8.1.2 Port Forwarding Settings ..... 202
8.1.3 Port Forwarding List ..... 203
8.1.4 How to Add the Port Forwarding Rules ..... 204
8.1.5 Configuration Examples for Port Forwarding ..... 204
8.1.5.1 Example One ..... 204
8.1.5.2 Example Two ..... 205
8.1.5.3 Example Three ..... 205
8.2 DMZ Host ..... 207
8.2.1 Introduction to DMZ host ..... 207
8.2.2 DMZ Host Settings ..... 208
8.2.2.1 Global DMZ Host Settings ..... 208
8.2.2.2 Interface DMZ Host Settings ..... 208
8.2.3 The Priorities of Port Forwarding and DMZ Host ..... 209
8.3 NAT Rule ..... 210
8.3.1 Introduction to NAT ..... 210
8.3.1.1 NAT Address Space Definitions ..... 210
8.3.1.2 NAT Types ..... 210
8.3.1.3 The Relations of Internet Connection, NAT Rule and Port Forwarding Rule ..... 211
8.3.1.4 System Reserved NAT Rules ..... 212
8.3.2 NAT and Multi-WAN Load Balancing ..... 212
8.3.2.1 Overview ..... 212
8.3.2.2 Assigning Preferential Channel according to Source IP ..... 212
8.3.2.3 Allocating Traffic according to Connection Bandwidth ..... 213
8.3.2.4 Two Load Balancing Policies ..... 213
8.3.2.5 The Priorities of NAT Rules ..... 214
8.3.3 NAT Rule Settings ..... 215
8.3.3.1 EasyIP NAT Rule Settings ..... 215
8.3.3.2 One2One NAT Rule Settings ..... 216
8.3.3.3 Passthrough NAT Rule Settings ..... 217
8.3.4 NAT Rule List ..... 218
8.3.5 How to Add the NAT Rules ..... 219
8.3.6 Configuration Examples for NAT Rule ..... 220
8.3.6.1 An Example for Configuring EasyIP NAT Rule ..... 220
8.3.6.2 An Example for Configuring One2One NAT Rule ..... 221
8.3.6.3 An Example for Configuring Passthrough NAT Rule ..... 223
8.4 UPnP ..... 226
8.4.1 Enable UPnP ..... 226
8.4.2 UPnP Port Forwarding List ..... 227
Chapter 9 PPPoE Server ..... 228
9.1 Introduction to PPPoE ..... 228
9.1.1 PPPoE Stages ..... 228
9.1.2 PPPoE Discovery Stage ..... 228
9.1.3 PPP Session Stage ............................................................................................ 229
9.1.4 PPPoE Session Termination ............................................................................... 230
9.2
PPPoE Server Settings ........................................................................................ 230
9.2.1 PPPoE Server Global Settings ........................................................................... 230
9.2.2 Internet Access Control
9.3 PPPoE Account
9.3.1 PPPoE Account Settings
9.3.2 PPPoE Account List
9.3.3 Import Accounts
9.3.4 PPPoE Account Billing
9.3.4.1 Introduction to PPPoE Account Billing Mechanism
9.3.4.2 PPPoE Account Billing By Date
9.3.4.3 PPPoE Account Billing By Hour
9.3.4.4 PPPoE Account Billing By Traffic
9.4 PPPoE IP/MAC Binding
9.4.1 PPPoE IP/MAC Binding Settings
9.4.2 PPPoE IP/MAC Binding List
9.5 PPPoE Status
9.6 Configuration Example for PPPoE Server
9.7 PPPoE Account Expiration Notice
9.7.1 PPPoE Account Expiration Notice by Date
9.7.2 PPPoE Account Expiration Notice by Hours
9.7.3 PPPoE Account Expiration Notice by Traffic
Chapter 10 QoS
10.1 Introduction to Bandwidth Management
10.1.1 Why We Need Bandwidth Management
10.1.2 Token Bucket Algorithm
10.1.3 Implementation of Bandwidth Management
10.2 Rate Limit Global Settings
10.3 Rate Limit Rule
10.3.1 Rate Limit Rule Settings
10.3.2 Rate Limit Rule List
10.3.3 The Execution Order of Rate Limit Rules
10.4 P2P Rate Limit
10.5 Application QoS
10.6 Configuration Examples for QoS
10.6.1 Example One
10.6.2 Example Two
Chapter 11 Restriction
11.1 User Admin
11.1.1 User Status List
11.1.2 Personal Rate Limit
11.1.3 Personal Internet Behavior Management
11.2 Internet Behavior Management
11.2.1 Internet Behavior Management Policy Settings
11.2.2 Internet Behavior Management Policy List
11.3 Policy Database
11.3.1 Introduction to Policy Database
11.3.2 Policy Database List
11.3.3 Policy Database Version Check
11.3.4 Import Policy Database
11.4 QQ Whitelist
11.4.1 Enable QQ Whitelist
11.4.2 QQ Whitelist Settings
11.4.3 QQ Whitelist
11.5 Configuration Example for Internet Behavior Management
11.6 Notice
11.6.1 Introduction to Notice
11.6.2 Notice Settings
11.6.2.1 One-Time Notice Settings
11.6.2.2 Daily Notice Settings
11.7 Web Authentication
11.7.1 Enable Web Authentication
11.7.2 Web Authentication User Account Settings
11.7.3 Web Authentication User Account List
11.7.4 How to Use Web Authentication
Chapter 12 Security
12.1 Attack Defense
12.1.1 Internal Attack Defense
12.1.2 External Attack Defense
12.2 IP/MAC Binding
12.2.1 Introduction to IP/MAC Binding
12.2.1.1 IP/MAC Overview
12.2.1.2 The Operation Principle of IP/MAC Binding
12.2.2 IP/MAC Binding Settings
12.2.3 IP/MAC Binding Global Setup
12.2.4 IP/MAC Binding List
12.2.5 How to Add the IP/MAC Bindings
12.2.6 Internet Whitelist and Blacklist
12.2.6.1 Introduction to Internet Whitelist and Blacklist Based on IP/MAC Binding
12.2.6.2 How to Configure an Internet Whitelist
12.2.6.3 How to Configure Internet Blacklist
12.3 Firewall
12.3.1 Introduction to Access Control
12.3.1.1 The Purpose of Access Control Feature
12.3.1.2 The Operation Principle of Access Control
12.3.1.3 The Action of an Access Control Rule
12.3.1.4 The Execution Order of Access Control Rules
12.3.1.5 Address Group and Service Group
12.3.1.6 System Default Access Control Rules
12.3.2 Access Control Rule Settings
12.3.3 Enable Access Control
12.3.4 Access Control List
12.3.5 Configuration Examples for Access Control
12.3.5.1 Example One
12.3.5.2 Example Two
12.4 Domain Filtering
12.4.1 Domain Filtering Settings
12.4.2 Domain Blocking Notice
12.5 NAT Session Limit
12.5.1 NAT Session Limit Rule Settings
12.5.2 NAT Session Limit Rule List
12.6 Address Group
12.6.1 Introduction to Address Group
12.6.2 Address Group Settings
12.6.3 Address Group List
12.6.4 How to Add the Address Groups
12.6.5 How to Edit an Address Group
12.7 Service Group
12.7.1 Introduction to Service Group
12.7.2 Service Group Settings
12.7.3 Service Group List
12.7.4 How to Add the Service Groups
12.7.5 How to Edit an Service Group
12.8 Schedule
12.8.1 Introduction to Schedule
12.8.2 Schedule Settings
12.8.3 Schedule List
12.8.4 How to Add the Schedules
12.8.5 Configuration Example for Schedule
Chapter 13 System
13.1 Administrator
13.1.1 Administrator Settings
13.1.2 Administrator List
13.1.3 How to Add the Administrator Accounts
13.2 System Time
13.3 Firmware Upgrade
13.3.1 Save Firmware
13.3.2 Firmware Upgrade
13.4 Configuration
13.4.1 Backup Configuration
13.4.2 Restore Configuration
13.4.3 Restore Defaults
13.5 Remote Admin
13.6 WEB Server
13.7 Restart
Appendix A How to configure your PC
Appendix B FAQ
1. How to connect the Device to the Internet using PPPoE
2. How to connect the Device to the Internet using Static IP
3. How to connect the Device to the Internet using DHCP
4. How to reset the Device to factory default settings
4-1 Case One: Remember the administrator password
4-2 Case Two: Forget the administrator password
5. How to use CLI Rescue Mode
6. IP/MAC Binding and Access Control
7. How to find out who uses the most bandwidth?
8. How to troubleshoot faults caused by worm viruses or hacker attacks on the Device?
9. How to enable WAN ping respond?
Appendix C Common IP Protocols
Appendix D Common Service Ports
Appendix E Figure Index
Appendix F Table Index
About This Manual
Note
For best use of our product, it is strongly recommended that you update Windows
Internet Explorer browser to version 6.0 or higher.
0.1 Scope
This guide describes the characteristics and features of the UTT Series Security Firewalls,
which are based on the ReOS V10 firmware platform. It mainly describes how to configure
and manage the Device via the Web UI. Please make sure that your Device's firmware
version matches ReOS V10. This guide will be updated from time to time as the product or
firmware version is upgraded, or for other reasons.
In addition, as the product specifications of each model are different, please contact
the UTT customer engineer for help with the product specifications.
Note
The Device (The first letter is uppercase.) mentioned in this guide stands for the NE
high-performance gateway.
0.2 Web UI Style
The Web UI style complies with the browser standard, which is as follows:
Radio Button: It allows you to choose only one of a predefined set of options.
Check Box: It allows you to choose one or more options.
Button: It allows you to click to perform an action.
Text Box: It allows you to enter text information.
List Box: It allows you to select one or more items from a list contained
within a static, multiple line text box.
Drop-down List: It allows you to choose one item from a list. When a
drop-down list is inactive, it displays a single item. When activated, it drops down a list of
items, from which you may select one.
0.3 Document Conventions
0.3.1 Detailed Description of List
The Web UI contains two kinds of lists: editable list and read-only list. The following
examples will describe them respectively.
0.3.1.1 Editable List
An editable list allows you to add, view, modify and delete the entries. Let's take the
IP/MAC Binding List (see Figure 0-1) as an example to explain it.
Figure 0-1 IP/MAC Binding List
: Configured number / maximum number. In this example, there are two configured
IP/MAC bindings, and the maximum number of bindings supported by the Device is 500.
Lines/Page: This drop-down list allows you to select the number of entries
displayed per page. In this example, the available options are 10, 30 and 50, and the
default value is 10.
First: Click it to jump to the first page.
Prev: Click it to jump to the previous page.
Next: Click it to jump to the next page.
Last: Click it to jump to the last page.
: Click it to add a new entry to the list. Here it will jump to the Security > IP/MAC
Binding > IP/MAC Binding Settings page, then you can add a new IP/MAC binding.
Search: Enter the text string you want to search for in this text box,
then press the <Enter> key to display all the matched entries. What's more, you can do the
search within the displayed results. If you want to display all the entries, you only need
to clear the text box and then press the <Enter> key.
Note that the matching rule is substring matching, that is, it will search for and display
those entries that contain the specified text string.
: Click it to go to the corresponding setup page.
: Click it (add the check mark) to select all the entries in the current page.
Click it again (remove the check mark) to unselect all the entries in the current page.
: To delete one or more entries, first select their leftmost check boxes,
then select Delete from the drop-down list, and finally click OK to delete the
selected entries. To delete all the entries in the list, first select Delete All from the
drop-down list, and then click OK.
0.3.1.2 Read-only List
A read-only list is used to display the system status information that is not editable. Let's
take the NAT Statistics list (see Figure 0-2) as an example to explain the functions.
Figure 0-2 NAT Statistics
First, Prev, Next, Last, Search and Lines/Page have the same meaning as in the editable
list.
: Both display the number of entries in the list; here it means that there are four
entries in the list.
: Click to view the latest information in the list.
: Click to clear all the statistics in the list.
0.3.1.3 Sorting Function
All the lists in Web UI support sorting function, except the Access Control List in the
Security > Firewall page, Rate Limit Rule List in the QoS > Rate Limit Rule page,
Session Limit List in the Security > NAT Session Limit page, DNS Redirection List in
the Advanced > DNS Redirection page and Behavior Mgmt. List in the Restriction >
Behavior Mgmt page. The steps are as follows:
You can click any column header to sort the entries in a list by that column. Click once to
sort the entries in descending order, click again to sort them in ascending order. Click a
third time to sort them in descending order, and so forth. After sorting, the list will be
displayed from the first page.
0.3.2 Keyboard Operation
<>: It is used to represent the name of a key on the keyboard. For example, the <Enter> key
represents the Enter key on the keyboard.
0.3.3 Other Conventions
0.3.3.1 Convention for a Page Path
First Level Menu Name > Second Level Menu Name (bold font) means the menu path
to open a page. E.g., System > Time means that in the Web UI, you click the first level menu
System first, and then click the second level menu Time to open the corresponding
page.
0.3.3.2 Convention for Clicking a Button
Click the XXX button (XXX is the name of the button, bold font) means performing a
corresponding action. E.g., click the Delete button means performing a deleting action;
the Delete button is shown as
0.3.3.3 Convention for Selecting an Option
Select the XXX option (XXX is the name of the option, bold font) means selecting the
corresponding function. E.g., select the Enable DNS Proxy check box means enabling
the DNS proxy feature (see Figure 0-3).
Figure 0-3 Enable DNS Proxy
0.4 Partial Factory Default Settings
1. The default administrator user name is Default (case sensitive) with a blank
password.
2. The following table provides the factory default settings of the interfaces.
Interface    IP Address      Subnet Mask
LAN          192.168.16.1    255.255.255.0
WAN1         192.168.17.1    255.255.255.0
WAN2/DMZ     192.168.18.1    255.255.255.0
Table 0-1 Factory Default Settings of Interfaces
0.5 Document Organization
This manual mainly describes the settings and applications of the UTT products. It is
organized as follows:
Chapter: Product Overview
Contents: The functions and features of the Device.
Chapter: Hardware Installation
Contents: How to install the Device.
Chapter: Login to the Device
Contents: How to log in to the Device, including:
● Configure Your PC: How to install and configure TCP/IP properties on your PC.
● Login to the Device: How to log in to the Device; introduction to the web page of the Device.
● Shortcut Icons: Introduction to the shortcut icons in the web page of the Device.
Chapter: Quick Setup
Contents: How to configure the basic parameters to quickly connect the Device to the Internet, including:
● LAN Settings: How to configure the IP address and subnet mask of the LAN interface.
● WAN Settings: How to configure the Internet connection on each WAN interface one by one. The Device provides three types of connections: PPPoE, Static IP and DHCP.
Note that the number of WAN interfaces depends on the specific product model.
Chapter: System Status
Contents: How to view the system statistics and status information, including:
● System Information: It displays system up time, system resource usage information, system version, port status, and interface rate chart.
● NAT Statistics: It displays the NAT session details of each LAN host.
● DHCP Statistics: It displays the statistics of the DHCP address pool, DHCP server, DHCP conflict, DHCP client and DHCP relay agent.
● Interface Statistics: It displays traffic statistics of each physical interface.
● Route Statistics: It displays the routing table.
● Session Monitor: How to monitor the Internet activities of the LAN users by the NAT session list. It allows you to filter and display sessions by certain criteria, such as source IP address, destination IP address/domain name, destination port, NAT translated IP address/domain name, and so on.
● System Log: It displays the system logs; it also allows you to select the types of logs that you want the Device to store and display.
● Application Traffic Statistics: It displays the traffic statistics of some special applications per Internet connection; it also displays each application traffic statistics per LAN user.
● WAN Traffic Statistics: It displays traffic and rate related information of each Internet connection.
Chapter: Basic Setup
Contents: How to configure the basic features of the Device, including:
● Quick Wizard: How to configure the basic parameters to quickly connect the Device to the Internet.
● LAN Settings: How to configure the parameters of the LAN interface, e.g., IP address, subnet mask, IP address2, proxy ARP, MAC address.
● WAN Settings: How to configure the Internet connection on each WAN interface, and how to view the related configuration and status information.
● Load Balancing: How to configure the load balancing feature, which includes: detection and weight settings, global settings, ID binding; how to view load balancing list. Note that the second level menu Load Balancing is displayed only after you have configured more than one Internet connection.
● DHCP & DNS: How to configure DHCP server, DHCP auto binding, and DNS proxy.
Chapter: Advanced Setup
Contents: How to configure the advanced features of the Device, including:
● Static Route: How to configure static routes and static route PDBs.
● PBR: How to configure PBR (Policy-Based Routing) based on source and destination addresses, protocols, ports, schedules, and other criteria.
● DNS Redirection: How to configure DNS redirection feature which is used to redirect domain names directly to the specified IP addresses.
● SNMP: How to configure SNMP (Simple Network Management Protocol).
● DDNS: How to apply for DDNS account service and configure DDNS (Dynamic Domain Name System).
● DHCP: How to configure DHCP client, server, relay agent and raw option.
● Switch: How to configure switch features, such as VLAN, port mirroring and so on.
● Miscellaneous: How to configure miscellaneous, such as scheduled task.
Chapter: NAT
Contents: How to configure NAT features, including:
● Port Forwarding: How to configure and view port forwarding rules.
● DMZ Host: How to configure the global DMZ host and interface DMZ hosts.
● NAT Rule: How to configure and view NAT rules. The Device provides three types of NAT: One2One, EasyIP and Passthrough; and you can create more than one NAT rule for each type of NAT when you obtain multiple public IP addresses.
● UPnP: How to enable UPnP and view the port forwarding rules established using UPnP.
UTT Technologies http://www.uttglobal.com
Page 9
UTT Technologies
About This Manual
PPPoE Server
How to configure the PPPoE server feature, including:
• Global Settings: How to configure PPPoE server global
  parameters, e.g., enable PPPoE server; and the IP addresses,
  gateway IP address and DNS server IP addresses that will be
  assigned to the PPPoE dial-in users.
• PPPoE Account: How to configure PPPoE accounts. It provides
  rate limit based on the account, account/MAC binding and
  account/IP binding features; also, it allows you to import multiple
  accounts at a time.
• PPPoE IP/MAC Binding: How to use the IP/MAC binding feature to
  assign static IP addresses to the PPPoE dial-in users.
• PPPoE Status: How to view the status and usage information of
  each online PPPoE dial-in user.
10 QoS
How to configure QoS features, including:
• Global Settings: How to enable or disable rate limit, how to
  configure the capacity, i.e., the maximum number of network
  devices that can be connected to the Device at the same time.
• Rate Limit Rule: How to configure flexible rate limit rules based
  on address group, service group and schedule to improve
  bandwidth utilization.
• P2P Rate Limit: How to limit the maximum upload and download
  rate of the P2P traffic for the LAN users.
• Application QoS: How to configure preferential forwarding for
  the traffic of some predefined special applications.
11 Restriction
How to configure restriction features, including:
• User Admin: How to view the current status information of LAN
  users, and configure personal settings for each user individually,
  including rate limit and Internet behavior management settings.
• Internet Behavior Management: How to control and manage the
  Internet behaviors of the LAN users to improve bandwidth
  utilization and network security.
• Policy Database: How to view the policy database related
  information; and how to upload or update policy databases.
• QQ Whitelist: How to configure the QQ whitelist feature. The LAN
  users can still use the QQ numbers in the QQ whitelist to log in to
  QQ even if you have blocked them from using QQ by Internet
  behavior management policies.
• Notice: How to configure the notice feature. The Device can push the
  notice message to the specified LAN users; and there are two
  types of notices: one-time notice and daily notice.
12 Security
How to configure security features, including:
• Attack Defense: How to configure the internal and external attack
  defense features to enhance network security.
• IP/MAC Binding: How to configure IP/MAC address pair bindings
  to prevent IP address spoofing. By utilizing the IP/MAC binding
  feature, you can flexibly configure an Internet whitelist or blacklist
  for the LAN users.
• Firewall: How to configure firewall access control rules which are
  applied on the LAN interface.
• Domain Filtering: How to configure the domain filtering feature. You
  can only block certain specified domain names or only allow
  certain specified domain names.
• NAT Session Limit: How to configure NAT session limit rules to
  limit the maximum number of concurrent NAT sessions, TCP
  sessions, UDP sessions, and ICMP sessions based on LAN hosts.
  You can also set different maximum session limits for different LAN
  hosts.
• Address Group: How to configure address groups. You can
  divide some discontinuous IP addresses into an address group,
  and then reference the address group in an access control rule or
  rate limit rule.
• Service Group: How to configure service groups. It provides five
  types of services including general service, URL, Keyword, DNS
  and MAC address. It allows you to add multiple services into a
  service group, and then reference the service group in an access
  control rule or rate limit rule.
• Schedule: How to configure schedules. The schedules can be
  applied to various time-related features, e.g., dial schedule, rate
  limit rule, access control rule, etc.
13 System Admin
How to manage the Device, including:
• Administrator: How to configure the administrator account. It
  provides three privilege groups: admin, read and execute.
• System Time: How to configure the system date and time
  manually or automatically.
• Firmware upgrade: How to back up, download and upgrade
  firmware.
• Configuration: How to back up and restore the system
  configuration, and reset the Device to the factory default settings.
• Remote Admin: How to enable the HTTP remote management
  feature to remotely configure and manage the Device via the Internet.
• Web server: How to configure the Web server.
• Restart: How to restart the Device in the Web UI.
14 Appendix
Provides six appendixes, including:
• Appendix A How to configure your PC: How to install and
  configure TCP/IP properties for Windows 95 and Windows 98.
• Appendix B FAQ: Frequent questions and answers.
• Appendix C Common IP Protocols: Provides the list of common
  IP protocol numbers and names.
• Appendix D Common Service Ports: Provides the list of
  common service port numbers and names.
• Appendix E Figure Index: Provides a figure index directory.
• Appendix F Table Index: Provides a table index directory.
Table 0-2 Document Organization
Chapter 1 Product Overview
Thanks for choosing UTT products from UTT Technologies Co., Ltd.
This chapter describes the functions and features of the UTT products in brief.
1.1 Key Features
Provides multiple Internet connection types: PPPoE, Static IP and DHCP
Provides real-time monitoring and management of the LAN traffic and users via Web UI
Provides multiple WAN ports that support intelligent load balancing and auto backup
Supports ID binding for some applications, such as online banking, QQ, etc.
Supports intelligent bandwidth management based on token bucket algorithm
Supports Internet behavior management for the LAN users, such as blocking QQ, MSN and BT download applications
Defense against DoS/DDoS attacks
Supports IP packet filtering based on IP address, protocol and TCP/UDP port
Supports URL and keyword filtering
Supports MAC address filtering
Supports DNS request filtering
Supports address group and service group setup
Supports advanced firewall function based on address group and service group
Supports strong DHCP features: DHCP Server, DHCP Relay Agent and DHCP Client
Supports PPPoE Server feature
Supports UPnP (universal plug and play)
Supports express forwarding
Supports rate limit of the LAN hosts based on schedules
Supports port-based VLAN
Supports port mirroring
1.2 Main Features
1. LAN Interface
• Multiple-port Switch: Provides an integrated multiple-port 10/100Mbps switch; each port
  supports auto MDI/MDI-X.
• DHCP Server: It can act as a DHCP server to dynamically assign IP addresses and
  other TCP/IP configuration parameters (such as gateway IP address, DNS and WINS
  server IP addresses) to the LAN hosts.
• Multiple Subnets: It can be assigned multiple IP addresses to connect multiple
  subnets.
• Routing Protocols: It supports static routing and dynamic routing protocols including
  RIP I and RIP II.
• Port-based VLAN: A VLAN (Virtual Local Area Network) is a group of devices that
  form a logical LAN segment, that is, a broadcast domain. The members of the same
  VLAN can communicate with each other. Traffic in one VLAN does not disturb other
  VLANs. Note that only some models support this feature.
• Port Mirroring: It allows an administrator to monitor network traffic. It copies the traffic
  from specified ports to another port where the traffic can be monitored. Then the
  administrator can perform traffic monitoring, performance analysis and fault diagnosis.
  Note that only some models support this feature.
2. WAN Interface
• Multiple WAN Interfaces: It provides multiple 10/100Mbps WAN interfaces that
  support auto MDI/MDI-X.
• DSL and Cable Modem Supported: UTT products have passed the compatibility
  testing with many DSL and cable modems provided by popular manufacturers.
• PPPoE: Each WAN interface can act as a PPPoE (PPP over Ethernet) client to
  connect to the ISP's PPPoE server.
• Internet Connection Sharing: The LAN users can share multiple Internet connections
  to access the Internet using NAT (Network Address Translation).
• Load Balancing and Failover: Provides multiple WAN interfaces that support
  intelligent load balancing and automatic failover.
• Supports ID Binding for Some Applications, such as online banking, QQ, etc.
3. IP/MAC Binding and Access Control
• Supports IP and MAC address pairs binding
• Supports management and control of multiple Internet services
• Supports Internet harmful websites filtering
• Supports IP packet filtering based on IP address, protocol and TCP/UDP port
• Supports Web content filtering based on URL and keyword
• Supports DNS request filtering
• Supports MAC address filtering
4. IP QoS
• Supports intelligent bandwidth management based on token bucket algorithm. It can
  limit the upload and download rates for each LAN host. It also provides a flexible
  bandwidth management function to effectively control network transmission rate and
  improve bandwidth utilization.
• Supports rate limiting for P2P application traffic. Limiting P2P traffic can
  effectively solve the network problems which are caused by the abuse of P2P
  software.
• Supports preferential forwarding for the traffic of some predefined special applications, that
  is, the traffic of these applications isn't restricted by the rate limit rules, so that you can run
  these applications more smoothly and faster.
5. Configuration and Management
• Easy Configuration: It provides the Web UI and CLI to facilitate configuration and
  management.
• Remote Admin: It allows a network administrator to manage the Device remotely from
  any host on the LAN or WAN.
• Device Restart: It allows you to restart the Device via the Web UI for ease of use.
6. Advanced Features
• DMZ Host: Supports multiple DMZ hosts. The DMZ (Demilitarized Zone) host feature
  allows one local host to be exposed to the Internet, so the users can easily access it
  via the Internet.
• Port Forwarding: You can create multiple port forwarding rules to allow the Internet
  users to access the services offered by the local servers.
• Advanced DHCP: All the physical interfaces support DHCP client, DHCP server and
  DHCP relay agent. When acting as a DHCP server, the Device supports multiple
  address pools, and also provides a flexible and sufficient IP address allocation policy. If you
  use the DHCP server and DHCP relay agent together, it can fully meet the various
  user requirements.
• Special Application Supported: Supports the use of some special Internet applications,
  such as the Tencent QQ, online games, Video software, Audio software, and so on.
• DDNS: Supports Dynamic Domain Name System (DDNS) service.
• PPPoE Server: Supports rich PPPoE server features, which include PPPoE account
  and MAC address binding, PPPoE account and IP address binding, and PPPoE IP
  and MAC address pair binding feature.
• Express Forwarding: It supports express forwarding to greatly improve system
  performance.
• Notice Feature: The Device can pop up the notice messages to the LAN users.
7. Security Features
• Configuration File: You can configure and modify the administrator password to
  prevent unauthorized users from modifying the settings of the Device; and you
  can back up the configuration file to prevent accidental loss of settings.
• Access Control: The administrator can restrict some LAN users from accessing the
  Internet or some Internet services.
• Real-time Monitoring: Supports real-time monitoring and management of the LAN
  traffic and users, to promptly detect network problems and abnormal users.
• Firewall Protection: The Device can monitor all the traffic from the Internet, block all
  the illegal requests to the LAN servers, block IP address and port scanning by hacker
  software, to prevent malicious attacks from the Internet, such as DoS/DDoS attacks. It
  also allows you to set up an Internet blacklist and whitelist. Furthermore, it supports
  advanced firewall function based on address group and service group.
• Internet Behavior Management: You can allow or block the specified LAN users from
  using popular IM (e.g., QQ, MSN) and P2P applications (e.g., BitComet, BitSpirit,
  Thunder Search), downloading the files with the extension .exe, .dll, .vbs, .com, .bat
  or .sys over HTTP, playing online games, accessing stock and game websites,
  submitting input in the webpage, using HTTP proxy, and so on.
1.3 VPN Features
The UTT products provide full VPN features including IPSec VPN, L2TP and PPTP VPN,
and they allow you to use them at the same time. The detailed features are as follows:
1. Supports VPN tunnels using dynamic IP addresses
2. Supports site-to-site VPN
3. Supports remote access VPN (mobile user-to-site)
4. Supports L2TP server and client
5. Supports PPTP server and client
6. The main features of IPSec are as follows:
• AutoIKE based on preshared key
• Manual key tunnel
• ESP and AH protocols
• DES, 3DES and AES 128/192/256 encryption algorithms
• MD5 and SHA-1 hash algorithms
• Diffie-Hellman group 1, 2 and 5
• Main mode and aggressive mode
• DPD (dead peer detection) and Anti-Replay
• Hub-spoke and mesh connections
• IPSec NAT traversal
Note
For detailed information about how to configure VPN features, please refer to the
related VPN configuration manual.
1.4 Physical Specification
1. Conforms to IEEE 802.3 Ethernet and IEEE 802.3u Fast Ethernet standards
2. Supports TCP/IP, PPPoE, DHCP, ICMP, NAT, Static Route, RIPI/II, SNMP (MIB II),
   etc.
3. Each physical port supports auto-negotiation for the speed and duplex mode
4. Each physical port supports auto-MDIX
5. Provides system and port LEDs
6. Operating Environment:
• Temperature: 32°F to 104°F (0°C to 40°C)
• Relative Humidity: 10% to 90%, Non-condensing
• Height: 0m to 4000m
1.5 Detailed Specifications Table
The UTT products include multiple models. The features and specifications of each model
are different. The following table lists detailed specifications for each model.
Model                       UTT 2512    U2000
Number of LAN Ports
Number of WAN Interfaces
LAN Interface Speed         10/100M     10/100M
WAN Interface Speed         10/100M     10/100M
Internet Connection Setup
Load Balancing and failover
DHCP and DNS
DDNS
NAT
Static Route
Policy-based Routing
IP/MAC binding
DNS Redirection
Advanced DHCP
UPnP
Feature
Plug and Play
Express Forwarding
VLAN
Port Mirroring
Administrator Setup
System Time Setup
Firmware Upgrade
Backup & Restore Configuration
SNMP
SYSLOG
Remote Admin
PPPoE Server
PPPoE IP/MAC Binding
Account Billing of PPPoE Server
PPPoE Account Expiration Notice
PPPoE Session Status
User Statistics
NAT Statistics
DHCP Statistics
Interface Statistics
Route Table
System Information
System Log
Intelligent Bandwidth Management
Web Log
P2P Traffic Rate Limiting
Application QoS
Application Traffic Statistics
WAN Traffic Statistics
Notice Feature
Domain Name Filtering
Domain Name Blocking Notice
Access Control List
Address Group
Service Group
Schedule
Internal and External Attack Defense
Internet Behavior Management
Policy Database
ARP Spoofing Defense
NAT Session Limit
Web Authentication
VPN (PPTP/L2TP/IPSec)
Table 1-1 Detailed Specifications
Chapter 2 Hardware Installation
This chapter describes how to install the UTT products, which include the UTT 2512 and U2000.
2.1 Installation Requirements
1. A standard 10/100M or 10/100/1000M Ethernet network.
2. Each LAN PC needs an Ethernet card that works well.
3. TCP/IP should be installed on each PC properly.
4. You should have a DSL modem, cable modem or fiber optic modem.
5. If you will use a PPPoE Internet connection to access the Internet, you should have a
   login name and password provided by your ISP.
2.2 Installation Procedure
Please make sure that the Device is powered off before installing it. The installation
procedures of UTT products are very similar, and in general include the following steps.
Step 1  Select a proper location to install the Device. You can install the Device
        in a 19-inch standard rack, or on a level surface such as a desktop
        or shelf if you don't have a 19-inch standard rack.
Step 2  Connect the Device to the LAN, that is, connect the PC or switch on your LAN
        to a LAN port of the Device.
Step 3  Connect the Device to the WAN, that is, connect your DSL, cable or fiber optic
        modem to a WAN port of the Device.
Step 4  Power on the Device. Note: Before powering on the Device, make sure that the
        power supply and connectivity are normal, and the power outlet is grounded
        properly.
Step 5  Check the LEDs on the front panel of the Device to see whether the Device is
        working well or not.
The following sections describe the installation procedure, network connection diagram,
and LED status of each model respectively.
2.3 Installation Procedure of UTT 2512
1. Selecting the Proper Location
Before installing the UTT 2512, you should make sure that it is powered off, and then
select a proper location to install the UTT 2512. The UTT 2512 is designed as a desktop
device; you can install it on a level surface such as a desktop or shelf.
Note
Please ensure that the desktop or shelf is stable and the power outlet is grounded
properly, and do not place heavy objects on the UTT 2512.
2. Connecting the UTT 2512 to the LAN
Connect a standard network cable from a PC or switch to a LAN port of the
UTT 2512 (see Figure 2-1). The UTT 2512 will automatically adapt to any Ethernet device which is
operating at 10Mbps or 100Mbps.
Figure 2-1 Connecting the UTT 2512 to the LAN and Internet
3. Connecting the UTT 2512 to the Internet
Connect the network cable provided by the manufacturer from the DSL, cable or fiber
optic modem to a WAN port of the UTT 2512, see Figure 2-1. If you don't have a network
cable provided by the manufacturer, please use a standard network cable.
4. Powering On the UTT 2512
Connect the supplied power cord to the power connector on the back panel of the UTT 2512,
then plug the other end of the power cord into a grounded power outlet, and lastly turn on the
power switch on the back of the UTT 2512.
Note
To prevent the UTT 2512 from working abnormally or being damaged, make sure that
the power supply and connectivity are normal, and the power outlet is grounded
properly before powering on the UTT 2512.
5. Checking the LEDs
The LEDs are located on the front panel of the UTT 2512, see Figure 2-2. We divide the
LEDs into two groups:
• The first group includes four system LEDs on the left two columns, which indicate
  power status, operational status and failures of the UTT 2512, see Table 2-1 for
  detailed description.
• The second group includes the ten port LEDs on the right five columns, which
  indicate the status of each port, see Table 2-2 for detailed description. Each port has
  two LEDs; LEDs 1 through 4 correspond to LAN1 through LAN4 respectively,
  and LED WAN corresponds to WAN.
Figure 2-2 LEDs on the UTT 2512
LED: SYS
  Status During Startup: One second after powering up, the LED flashes fast for one
    second, then extinguishes for two seconds, and lastly flashes twice per second.
  Status During Operating: The LED flashes twice per second when the system is
    operating properly, and it will flash slower if the system is under heavy load.
    The LED will extinguish or light steady if a fault occurs in the Device.
LED: PWR
  Status During Startup: The LED lights during startup.
  Status During Operating: The LED lights steady when the power is being supplied
    to the Device.
LED: TRF
  Status During Startup: The LED lights during startup.
  Status During Operating: The LED flashes when the Device is sending or receiving
    data. The LED will extinguish if there is no network traffic on the Device.
LED: FLT
  Status During Startup: The LED lights during startup.
  Status During Operating: The LED extinguishes when the Device is operating
    properly. The LED will flash if a fault occurs in the Device, and the Device
    will restart automatically after a certain number of flashes.
Table 2-1 Description of the System LEDs on the UTT 2512
LED: Link/Act
  Status During Startup: All the Link/Act LEDs flash first, and then they extinguish.
  Status During Operating: The LED lights steady when a link between the
    corresponding port and another device is detected. The LED flashes when the
    corresponding port is sending or receiving data.
LED: 100Mbps
  Status During Startup: After the Link/Act LEDs have extinguished, all the 100Mbps
    LEDs flash first, and then extinguish.
  Status During Operating: The LED lights steady when another device is connected
    to the corresponding port and a 100Mbps link is established between them.
Table 2-2 Description of the Port LEDs on the UTT 2512
6. Reset Button
If you forget the administrator password, you can use the Reset button to reset the Device
to factory default settings. The operation is as follows: While the Device is powered on,
use a pin or paper clip to press and hold the Reset button for more than 5 seconds, and
then release the button. After that, the Device will restart with factory default settings.
Note
This operation will clear all the custom settings on the Device. If you remember the
administrator account, it is strongly recommended that you go to the System >
Configuration page to back up the current configuration first, and then reset the
Device to factory default settings.
2.4 Installation Procedure of U2000
1. Selecting the Proper Location
Before installing the U2000, you should make sure that it is powered off, and then select a
proper location to install the U2000. As the U2000 is designed according to the 11-inch
standard rack, you can install it in a standard rack. You can also install it on a level surface
such as a desktop or shelf.
1) Installing the U2000 in an 11-inch Rack
To install the U2000 in an 11-inch rack (see Figure 2-3), first attach the rack-mount
brackets to the sides of the U2000 (one on each side) with the supplied screws and
secure them tightly, and then position the U2000 into the rack and use the supplied
screws to secure it in the rack.
Figure 2-3 Install the U2000 in a Rack
2) Installing the U2000 on a desktop or shelf
If you don't have an 11-inch standard rack, you may directly place the U2000 on a sturdy,
flat surface (such as a desktop or shelf) with a power outlet nearby.
Note
Please ensure that the desktop or shelf is stable and the power outlet is grounded
properly, and do not place heavy objects on the U2000.
2. Connecting the U2000 to the LAN
Connect a standard network cable from a PC or switch to a LAN port of the
U2000 (see Figure 2-4). The U2000 will automatically adapt to any Ethernet device which is operating at
10Mbps or 100Mbps.
Figure 2-4 Connecting the U2000 to the LAN and Internet
3. Connecting the U2000 to the Internet
Connect the network cable provided by the manufacturer from the DSL, cable or fiber
optic modem to a WAN port of the U2000, see Figure 2-4. If you don't have a network
cable provided by the manufacturer, please use a standard network cable.
4. Powering On the U2000
Connect the supplied power cord to the power connector on the back panel of the U2000,
then plug the other end of the power cord into a grounded power outlet, and lastly turn on the
power switch on the back of the U2000.
Note
To prevent the U2000 from working abnormally or being damaged, make sure that the
power supply and connectivity are normal, and the power outlet is grounded properly
before powering on the U2000.
5. Checking the LEDs
The LEDs are located on the front panel of the U2000, see Figure 2-5. We divide the
LEDs into two groups:
• The first group includes four system LEDs on the left two columns, which indicate
  power status, operational status and failures of the U2000, see Table 2-3 for detailed
  description.
• The second group includes the twelve port LEDs on the right six columns, which
  indicate the status of each port, see Table 2-4 for detailed description. Each port has
  two LEDs; LEDs 1 through 4 correspond to LAN1 through LAN4 respectively,
  and LEDs 5 through 6 correspond to WAN1 through WAN2 respectively.
Figure 2-5 LEDs on the U2000
LED: SYS
  Status During Startup: One second after powering up, the LED flashes fast for one
    second, then extinguishes for two seconds, and lastly flashes twice per second.
  Status During Operating: The LED flashes twice per second when the system is
    operating properly, and it will flash slower if the system is under heavy load.
    The LED will extinguish or light steady if a fault occurs in the Device.
LED: PWR
  Status During Startup: The LED lights during startup.
  Status During Operating: The LED lights steady when the power is being supplied
    to the Device.
LED: TRF
  Status During Startup: The LED lights during startup.
  Status During Operating: The LED flashes when the Device is sending or receiving
    data. The LED will extinguish if there is no network traffic on the Device.
LED: FLT
  Status During Startup: The LED lights during startup.
  Status During Operating: The LED extinguishes when the Device is operating
    properly. The LED will flash if a fault occurs in the Device, and the Device
    will restart automatically after a certain number of flashes.
Table 2-3 Description of the System LEDs on the U2000
LED: Link/Act
  Status During Startup: All the Link/Act LEDs flash first, and then they extinguish.
  Status During Operating: The LED lights steady when a link between the
    corresponding port and another device is detected. The LED flashes when the
    corresponding port is sending or receiving data.
LED: 100Mbps
  Status During Startup: After the Link/Act LEDs have extinguished, all the 100Mbps
    LEDs flash first, and then extinguish.
  Status During Operating: The LED lights steady when another device is connected
    to the corresponding port and a 100Mbps link is established between them.
Table 2-4 Description of the Port LEDs on the U2000
6. Reset Button
If you forget the administrator password, you can use the Reset button to reset the Device
to factory default settings. The operation is as follows: While the Device is powered on,
use a pin or paper clip to press and hold the Reset button for more than 5 seconds, and
then release the button. After that, the Device will restart with factory default settings.
Note
This operation will clear all the custom settings on the Device. If you remember the
administrator account, it is strongly recommended that you go to the System >
Configuration page to back up the current configuration first, and then reset the
Device to factory default settings.
Chapter 3 Logging in to the Device
This chapter describes how to properly configure TCP/IP properties on the PC that you
use to administer the Device, how to log in to the Device, and how to use the shortcut icons
to link quickly to the corresponding pages of UTT's website for product information and
services.
3.1 Configuring Your PC
Before configuring the Device via the Web UI, you need to properly install and configure
TCP/IP properties on the PC that you use to administer the Device. The configuration
steps are as follows:
Step 1  Connect the PC to a LAN port of the Device.
Step 2  Install TCP/IP protocol components on your PC. If they have already been
        installed, skip this step.
Step 3  Configure TCP/IP parameters on your PC: If the Device's LAN interface is
        using the default IP address 192.168.16.1/24, you should set the PC's IP
        address to an IP address in the range of 192.168.16.2 through
        192.168.16.254 that is not already being used by another LAN device, set its
        subnet mask to 255.255.255.0, set its default gateway to 192.168.16.1, and
        set its DNS server to an available IP address provided by your ISP.
Step 4  To verify the network connection between your PC and the Device, you can
        use the ping command at the MS-DOS command prompt on the PC:
        Ping 192.168.16.1
        If the displayed page is similar to the screenshot below, the connection
        between your PC and the Device has been established.
        If the displayed page is similar to the screenshot below, it means that your
        PC has not connected to the Device.
If the connection fails, please check the following:
1. Is the physical link between your PC and the Device connected properly?
The Link/Act LED corresponding to the Device's LAN port and the LED on your PC's adapter
should light.
2. Is the TCP/IP configuration for your PC correct?
If the Device's LAN interface is using the default IP address 192.168.16.1/24, your PC's
IP address should be an IP address in the range of 192.168.16.2 through
192.168.16.254 that is not already being used by another LAN device, and its default
gateway should be 192.168.16.1.
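The address rules from Step 3 and from check 2 above can be tested before you touch the PC. The following script is an added example, not part of the original manual or of UTT's software; the function names, the in_use list and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Default LAN address of the Device, as stated in section 3.1 of the manual.
DEVICE_LAN = ipaddress.ip_interface("192.168.16.1/24")


def usable_range(device=DEVICE_LAN):
    """Return the first and last address a PC may use (every host except the Device)."""
    hosts = [h for h in device.network.hosts() if h != device.ip]
    return str(hosts[0]), str(hosts[-1])


def check_pc_settings(pc_ip, pc_mask, pc_gateway, in_use=(), device=DEVICE_LAN):
    """Return a list of problems; an empty list means the settings follow Step 3.

    in_use is a hypothetical list of addresses already taken by other LAN devices.
    """
    net = device.network
    problems = []

    try:
        ip = ipaddress.ip_address(pc_ip)
    except ValueError:
        return [f"IP address {pc_ip!r} is not valid"]

    taken = {ipaddress.ip_address(a) for a in in_use}
    if ip not in net:
        first, last = usable_range(device)
        problems.append(f"IP {ip} is outside {net}; use {first} through {last}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"IP {ip} is the network or broadcast address of {net}")
    elif ip == device.ip:
        problems.append(f"IP {ip} is the Device's own LAN address")
    elif ip in taken:
        problems.append(f"IP {ip} is already used by another LAN device")

    # The mask must equal the Device's mask exactly (255.255.255.0 by default).
    try:
        mask_ok = ipaddress.ip_address(pc_mask) == net.netmask
    except ValueError:
        mask_ok = False
    if not mask_ok:
        problems.append(f"subnet mask should be {net.netmask}, not {pc_mask}")

    # The default gateway must be the Device's LAN address.
    try:
        gateway_ok = ipaddress.ip_address(pc_gateway) == device.ip
    except ValueError:
        gateway_ok = False
    if not gateway_ok:
        problems.append(f"default gateway should be {device.ip}, not {pc_gateway}")

    return problems


if __name__ == "__main__":
    # Constructed sample settings: (IP address, subnet mask, default gateway).
    samples = [
        ("192.168.16.10", "255.255.255.0", "192.168.16.1"),
        ("192.168.16.1", "255.255.255.0", "192.168.16.1"),
        ("192.168.1.10", "255.255.255.0", "192.168.1.1"),
        ("192.168.16.255", "255.255.0.0", "192.168.16.254"),
    ]
    for ip, mask, gateway in samples:
        found = check_pc_settings(ip, mask, gateway, in_use=["192.168.16.20"])
        print(ip, mask, gateway, "->", found or "OK")
```

A PC whose settings pass these checks but still cannot ping 192.168.16.1 points back to check 1, the physical link.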
3.2 Logging in to the Device
No matter what operating system is installed on the PC, such as MS Windows, Macintosh,
UNIX or Linux, you can configure the Device through a Web browser (for
example, Internet Explorer).
Once your PC is properly configured, please do the following to log in to the Device: Open
a Web browser, enter the Device's LAN IP address in the address bar (by default, the
address is 192.168.16.1, see Figure 3-1), and then press the Enter key.
Figure 3-1 Entering IP address in the Address Bar
A login screen prompts you for your user name and password. When you first log in to the
Device, you should use the default administrator account: Enter Default (case sensitive)
in the User name field, leave the Password field blank (see Figure 3-2), and lastly click
OK.
Figure 3-2 Login Screen
Once you have entered the correct user name and password, the Status > System Info page
will appear (see Figure 3-3).
Figure 3-3 Homepage - System Info Page
In the Device's Web page, the system model and version are displayed at the top right
corner, some shortcut icons are displayed at the top, and a toolbar is displayed below the
shortcut icons.
You can click Add to Toolbar to add a shortcut menu for the current page to the
toolbar. The shortcut menus are arranged from left to right in chronological order of
creation, and by default the Device provides the shortcut menu of Quick Wizard,
displayed at the far left of the toolbar.
If you have not configured any Internet connection yet, please click the Quick Wizard
hyperlink to configure the basic parameters to quickly connect the Device to the Internet.
Refer to Chapter 4 Quick Wizard for detailed operation.
3.3 Shortcut Icons
Eight shortcut icons are displayed at the top of the Web page: Product,
Firmware, Datasheet, Register, Contact, Forum, Feedback and UTT (see Figure 3-4).
These shortcut icons link to the corresponding pages on the website of
UTT Technologies Co., Ltd.; see Table 3-1 for a detailed description.
Figure 3-4 Shortcut Icons
Icon       Description
Product    Click it to link to the products page of UTT's website to find more products.
Firmware   Click it to link to the download page of UTT's website to download the latest firmware.
Datasheet  Click it to link to the download page of UTT's website to download the product data, such as product manual, datasheet, etc.
Register   Click it to link to the UTT Forums registry page of UTT's website to register an account to post messages on the UTT Forums.
Contact    Click it to link to the contact us page of UTT's website to view contact information.
Forum      Click it to link to the forum homepage of UTT's website to participate in product discussions.
Feedback   Click it to send us your feedback by E-mail.
UTT        Click it to link to the homepage of UTT's website.
Table 3-1 Detailed Description of Shortcut Icons
Chapter 4 Quick Wizard
This chapter describes the Basic > Quick Wizard page. The Quick Wizard allows you to
configure the basic parameters to quickly connect the Device to the Internet.
Before using the Quick Wizard, you need to properly install and configure the TCP/IP properties on
the LAN PCs. Refer to section 3.1 Configure Your PC for detailed operation.
4.1 Running the Quick Wizard
Click the Quick Wizard hyperlink at the top of the Web page or click Basic > Quick
Wizard to run the Quick Wizard. The Quick Wizard will guide you through configuring the most
basic features of the Device, such as Internet connection settings. Even if you are unfamiliar with
our product, you can still finish the settings easily by following the instructions.
Figure 4-1 Running the Quick Wizard
• Exit the Wizard: Click it to exit the Quick Wizard.
• Next: Click it to go to the next page of the Quick Wizard to set the IP address and
  subnet mask of the LAN interface.
4.2 LAN Settings
Figure 4-2 LAN Settings
• IP Address: It specifies the IP address of the LAN interface. The default value is
  192.168.16.1.
• Subnet Mask: It specifies the subnet mask that defines the range of the LAN. The
  default value is 255.255.255.0.
• Back: Click it to go back to the previous page of the Quick Wizard.
• Next: Click it to go to the next page of the Quick Wizard to choose the Internet
  connection type.
4.3 Choosing an Internet Connection Type
The Device provides three Internet connection types: PPPoE, Static IP and
DHCP (see Figure 4-3). Select the radio button for the connection type that
your Internet Service Provider (ISP) provides.
Figure 4-3 Choosing an Internet Connection Type
• PPPoE: Some DSL-based ISPs use PPPoE to establish Internet connections for
  end-users. If you use a DSL line, check with your ISP to see if they use PPPoE, and
  then select the PPPoE radio button.
• Static IP: If you are required to use a static IP address, select the Static IP radio
  button.
• DHCP: If your ISP dynamically assigns an IP address to the Device, select the
  DHCP radio button. Most cable modem subscribers use this connection type.
• Back: Click it to go back to the previous page of the Quick Wizard.
• Select the PPPoE radio button, and then click the Next button to go to the next page
  of the Quick Wizard to configure a PPPoE Internet connection on the WAN1
  interface.
• Select the Static IP radio button, and then click the Next button to go to the next page
  of the Quick Wizard to configure a static IP Internet connection on the WAN1
  interface.
• Select the DHCP radio button, and then click the Next button to go to the next page of
  the Quick Wizard to configure a DHCP Internet connection on the WAN1 interface.
4.4 Internet Connection Settings
4.4.1 Notes on Internet Connection Settings
1. If you have changed the LAN IP address and saved the change, use the
   new IP address to log in to the Device again. Each LAN host's default gateway
   should also be changed to this new IP address so that the host can access the Device
   and the Internet normally.
2. After you have finished configuring the Internet connection on the WAN1 interface,
   you can continue to configure the Internet connections on the WAN2, WAN3 and
   WAN4 interfaces in turn. Note that the number of WAN interfaces depends on the
   specific product model.
3. After you have finished configuring one or more Internet connections, it is best to
   click the Review Your Configuration button in the Quick Wizard's confirmation
   page to review the settings that you have made in the Quick Wizard, modify any of
   them if desired, and then click the Finish button to save the settings and
   make them take effect.
4.4.2 PPPoE Internet Connection Settings
Figure 4-4 Choose PPPoE as the Connection Type
In the page of choosing an Internet connection type (see Figure 4-4), select the PPPoE
radio button, and then click the Next button to go to the PPPoE Internet connection
settings page, see Figure 4-5.
Figure 4-5 PPPoE Internet Connection Settings
• User Name and Password: They specify the PPPoE login user name and password
  provided by your ISP.
• Back: Click it to go back to the previous page of the Quick Wizard.
• Continue WAN2 Settings: Click it to continue to configure the Internet connection on
  the WAN2 interface if needed.
• Skip WAN2 Settings: Click it to go to the confirmation page at the end of the Quick
  Wizard if you don't want to configure another Internet connection in the Quick
  Wizard.
4.4.3 Static IP Internet Connection Settings
Figure 4-6 Choosing Static IP as the Connection Type
In the page of choosing an Internet connection type (see Figure 4-6), select the Static IP
radio button, and then click the Next button to go to the static IP Internet connection
settings page, see Figure 4-7.
Figure 4-7 Static IP Internet Connection Settings
• IP Address: It specifies the IP address of the WAN interface, which is provided by
  your ISP.
• Subnet Mask: It specifies the subnet mask of the WAN interface, which is provided
  by your ISP.
• Default Gateway: It specifies the IP address of the default gateway, which is
  provided by your ISP.
• Primary DNS Server: It specifies the IP address of your ISP's primary DNS server.
• Secondary DNS Server: It specifies the IP address of your ISP's secondary DNS
  server. If it is available, you may set it; otherwise, leave it as 0.0.0.0.
• Back: Click it to go back to the previous page of the Quick Wizard.
• Continue WAN2 Settings: Click it to continue to configure the Internet connection on
  the WAN2 interface if needed.
• Skip WAN2 Settings: Click it to go to the confirmation page at the end of the Quick
  Wizard if you don't want to configure another Internet connection in the Quick
  Wizard.
Note
The WAN IP address and default gateway IP address should be on the same subnet. If
they are not, modify the Subnet Mask so that they are on the same subnet. If
you are not familiar with subnetting, ask a professional or a UTT
customer engineer for help.
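The same-subnet rule in the note above can be checked before the values are typed into the wizard. The following Python sketch is an added example, not part of the UTT manual or firmware; the function names are hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress


def suggest_mask(ip, gateway):
    """Longest mask that puts both addresses in one subnet as usable host addresses."""
    a = ipaddress.IPv4Address(ip)
    g = ipaddress.IPv4Address(gateway)
    for prefix in range(30, 0, -1):          # try /30 first, then widen step by step
        net = ipaddress.IPv4Network(f"{a}/{prefix}", strict=False)
        reserved = (net.network_address, net.broadcast_address)
        if g in net and a not in reserved and g not in reserved:
            return str(net.netmask)
    return None


def check_static_wan(ip, mask, gateway):
    """Return a list of problems with the three fields; an empty list means consistent."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:                # bad octet, non-contiguous mask, ...
        return [f"invalid address or mask: {exc}"]

    net = iface.network
    problems = []
    if gw == iface.ip:
        problems.append("default gateway is the same as the WAN IP address")
    if net.prefixlen < 31:                   # /31 and /32 have no reserved addresses
        reserved = (net.network_address, net.broadcast_address)
        if iface.ip in reserved:
            problems.append(f"WAN IP {iface.ip} is the network or broadcast address of {net}")
        if gw in reserved:
            problems.append(f"default gateway {gw} is the network or broadcast address of {net}")
    if gw not in net:
        hint = suggest_mask(ip, gateway)
        fix = f"mask {hint} would contain both" if hint else "no single mask contains both"
        problems.append(f"default gateway {gw} is outside {net}; {fix}")
    return problems


if __name__ == "__main__":
    # Constructed values: the /29 mask leaves the gateway outside the WAN subnet.
    for line in check_static_wan("203.0.113.10", "255.255.255.248", "203.0.113.1"):
        print(line)
```

A mismatch usually means one of the three values was mistyped, so compare any suggested mask with the values issued by your ISP before applying it.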
4.4.4 DHCP Internet Connection Settings
Figure 4-8 Choosing DHCP as the Connection Type
In the page of choosing an Internet connection type (see Figure 4-8), select the DHCP
radio button, and then click the Continue WAN2 Settings button to continue to
configure the Internet connection on the WAN2 interface if needed, or click the Skip
WAN2 Settings button to go to the confirmation page at the end of the Quick Wizard if you
don't want to configure another Internet connection in the Quick Wizard.
4.5 Reviewing and Saving the Settings
After you have finished configuring one or more Internet connections, it is best to click
the Review Your Configuration button in the Quick Wizard's confirmation page to
review the settings that you have made in the Quick Wizard, modify any of
them if desired, and then click the Finish button to save the settings and make them take effect.
Note
Do not forget to click the Finish button to save the settings you have made in the
Quick Wizard; otherwise the related settings will be discarded.
Figure 4-9 Viewing and Saving the Settings Made in the Quick Wizard
4.6 Summary
Once you have clicked the Finish button in the confirmation page, you have completed the
configuration of the most basic features through the Quick Wizard. If you cannot access
the Internet through the Device yet, check whether all the settings that you have
made in the Quick Wizard are correct. You can also go to the Basic > WAN page to view
the status of the Internet connection(s), and to view and modify the related configuration parameters.
Chapter 5 System Status
This chapter describes the system status related pages, which provide a lot of operating
status information and statistics of the Device. By viewing them, the network administrator
can easily analyze the system status and monitor the activities on the Device.
When NAT is enabled, the Device provides a set of powerful monitoring functions, which are
divided into two categories: One is classification statistics, which can help the
administrator find the problems that occurred in the network. The other is real-time
monitoring, which can help the administrator analyze an occurring problem to find out on
which host it happens, what the problem is, and the impact on other hosts.
The management of the Device operating status is divided into two levels:
• Physical status: The status and statistics for each physical interface, which include
  operating status, ingress and egress traffic statistics, routing table, and so on.
• NAT status: The status and statistics for every LAN user (i.e., LAN host), which
  include upload and download packet statistics, upload and download rate, total
  NAT sessions, and so on.
5.1 System Information
In the Status > System Info page, you may view some system information, which includes
system up time, system resource usage status, system version, port status, and interface
rate chart.
5.1.1 System Up Time
Figure 5-1 System Up Time
• System Time: It displays the current system date (YYYY-MM-DD) and time
  (HH:MM:SS).
• System Up Time: It displays the elapsed time (in days, hours, minutes and seconds)
  since the Device was last started.
5.1.2 System Resource
Figure 5-2 System Resource Usage Information
• CPU: The real-time CPU usage information, which is displayed as a status bar and
  percentage.
• Memory: The real-time memory usage information, which is displayed as a status bar
  and percentage.
• Session: The ratio of current active NAT sessions to the maximum sessions that the
  Device supports, which is displayed as a status bar and percentage.
Note
1. The color of the status bar indicates the usage percentage for each resource.
  ◦ When the percentage is below 1%, the bar is blank.
  ◦ When the percentage is between 1% and 50% (below 50%), the color is green.
  ◦ When the percentage is between 50% and 70% (below 70%), the color is yellow.
  ◦ When the percentage is equal to or above 70%, the color is red.
2. The above resource usage information indicates the load of the Device. If the usage
   percentages are all relatively low, the Device still has the capacity to
   process more tasks. If they are all very high, the Device is close to
   full load. In this case, network delays may occur if the Device processes new
   tasks.
5.1.3 System Version
Figure 5-3 System Version
• SN: It displays the internal serial number of the Device, which may be different from
  the SN found on the label at the bottom of the Device.
• Model: It displays the product model of the Device.
• Version: It displays the version of ReOS firmware running on the Device.
5.1.4 Port Information
5.1.4.1 Port Status
Figure 5-4 Port Status
The port status figure indicates whether each physical port of the Device is active (Up) or
inactive (Down). If a port is down, it is shaded black. Otherwise it is shaded green, and its speed,
duplex and MDI or MDI-X status are displayed. In Figure 5-4, the LAN4 and WAN1 ports
are active.
5.1.4.2 Interface Rate Chart
The interface rate chart dynamically displays the real-time RX/TX rate, average RX/TX
rate, maximum RX/TX rate and total RX/TX traffic of each physical interface. To
view the rate chart of an interface, click the corresponding interface name hyperlink.
In the interface rate chart, the abscissa (x-axis) shows time, and the ordinate
(y-axis) shows the real-time RX/TX rate. You can also adjust some
parameters of the chart if needed, such as the time interval over which the real-time
rates are calculated and displayed, and the displayed colors. Note: The rate chart can only
show the rate and traffic information for the last ten minutes. Each time you open this page,
the rate chart starts anew.
Figure 5-5 Interface Rate Chart
• RX: It indicates the real-time RX rate of the physical interface, which is calculated
  every two seconds. For the LAN interface, RX means uploading; for the WAN
  interface, it means downloading.
• TX: It indicates the real-time TX rate of the physical interface, which is calculated
  every two seconds. For the LAN interface, TX means downloading; for the WAN
  interface, it means uploading.
• Avg: It indicates the average RX or TX rate of the physical interface since the
  current page was last opened.
• Peak: It indicates the maximum RX or TX rate of the physical interface since the
  current page was last opened.
• Total: It indicates the total RX or TX traffic of the physical interface since the
  current page was last opened.
• LAN/WANx: Click the interface name hyperlink to view the rate chart
  of the selected interface. Here, x (value: 1, 2, 3, 4) indicates the corresponding
  WAN interface, and the number of WAN interfaces depends on the specific product
  model. For example, click the WAN1 hyperlink to view the rate chart of the WAN1
  interface.
Note
If the SVG Viewer isn't installed on your PC, the rate chart cannot be displayed
properly. To view the rate chart, click the (Please install svgviewer if the page
cannot display properly.) hyperlink to download and install the SVG Viewer.
5.2 NAT Statistics
Through the NAT Statistics list in the Status > NAT Stats page, you can view the NAT
session details for each LAN user (host).
Figure 5-6 NAT Statistics List
• ID: It is used to identify each entry in the list.
• Description: If the LAN user is an IP/MAC binding user, it displays the description of
  the user; otherwise it is blank.
• IP Address: It displays the IP address of the LAN host.
• Active Sessions: It displays the number of NAT sessions that are being used by the
  LAN host now.
• Overflow: It displays the cumulative count of the LAN host's overflowing requests
  due to the maximum sessions limit. The maximum sessions can be configured in the
  Security > NAT Session Limit page.
• Rx Packets: It displays the number of packets downloaded by the LAN host through
  the NAT function.
• Tx Packets: It displays the number of packets uploaded by the LAN host through
  the NAT function.
• Tx Broadcast Packets: It displays the number of broadcast and multicast packets
  transmitted from the LAN host to the Device.
• Total Sessions: It displays the total number of NAT sessions of the LAN host, which
  includes those sessions that aren't being used now.
• Clear: Click it to clear the NAT statistics in the list, which include Overflow, Rx
  Packets, Tx Packets, Tx Broadcast Packets and Total Sessions.
• Refresh: Click it to view the latest information in the list.
Note
1. The NAT session limit feature can help the Device prevent some types of network
   attacks. If a user's Total Sessions has reached the maximum value (configured in
   the Security > NAT Session Limit page), any further request to create a new
   session will be discarded, and the Overflow counter will be updated at the same time. In this
   case, the administrator can find potential DDoS attacks by viewing the logs in the
   Status > System Log page.
2. The user with the most Rx Packets has downloaded the most
   packets from the Internet.
3. The user with the most Tx Packets has uploaded the most packets
   to the Internet.
4. The user with the most Active Sessions is the most active now.
5. If the Overflow is larger than 100, or the Tx Packets is far larger than the Rx
   Packets, this host is suspected of running port scanner software now.
6. If the Tx Packets is very large, but the Rx Packets is very small or zero, this host is
   suspected of performing a DoS/DDoS attack.
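Notes 5 and 6 above can be applied to a copy of the NAT Statistics list as a first-pass triage. The following Python sketch is an added example, not UTT code: the CSV layout and sample rows are constructed, and every threshold except the Overflow limit of 100 is an assumed value standing in for the manual's "far larger", "very large" and "very small".

```python
import csv
import io

OVERFLOW_LIMIT = 100      # from the manual: "Overflow is larger than 100"
TX_RX_RATIO = 10          # assumed meaning of "Tx far larger than Rx"
MIN_TX = 1_000            # assumed floor so near-idle hosts are not flagged on ratio alone
TX_VERY_LARGE = 100_000   # assumed meaning of "Tx Packets is very large"
RX_VERY_SMALL = 100       # assumed meaning of "Rx Packets is very small"

# Constructed sample rows using the column names of the NAT Statistics list.
# The counters are cumulative since the last Clear.
SAMPLE = """\
ID,IP Address,Active Sessions,Overflow,Rx Packets,Tx Packets,Tx Broadcast Packets,Total Sessions
1,192.168.16.10,42,0,18500,9200,35,310
2,192.168.16.23,300,412,950,20400,12,300
3,192.168.16.31,12,0,0,870000,4,15
4,192.168.16.44,3,0,40,60,9,8
5,192.168.16.52,95,0,1200,15000,20,140
"""


def classify(overflow, rx, tx):
    """Apply notes 5 and 6 to one host's counters; return a sorted list of labels."""
    labels = set()
    # max(rx, 1) keeps the ratio test meaningful when nothing was received.
    lopsided = tx >= MIN_TX and tx > TX_RX_RATIO * max(rx, 1)
    if overflow > OVERFLOW_LIMIT or lopsided:
        labels.add("possible port scan")                 # note 5
    if tx >= TX_VERY_LARGE and rx <= RX_VERY_SMALL:
        labels.add("possible DoS/DDoS source")           # note 6
    return sorted(labels)


def triage(csv_text):
    """Map each flagged LAN host IP to the labels that apply to it."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        labels = classify(int(row["Overflow"]),
                          int(row["Rx Packets"]),
                          int(row["Tx Packets"]))
        if labels:
            flagged[row["IP Address"]] = labels
    return flagged


if __name__ == "__main__":
    for host, labels in triage(SAMPLE).items():
        print(host, "->", ", ".join(labels))
```

Treat a hit as a lead to confirm in the Status > System Log page rather than as proof.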
5.3 DHCP Statistics
This section describes the Status > DHCP Stats page, including the DHCP Pool
Statistics list, DHCP Server Statistics list, DHCP Conflict Statistics list, DHCP Client
Statistics list and DHCP Relay Statistics list.
5.3.1 DHCP Pool Statistics List
The DHCP Pool Statistics list displays the usage information of each DHCP address pool,
including IP address and subnet mask, associated MAC address, lease left, DHCP
address pool name, status of IP address, and so on.
It allows you to manually bind one or more dynamic IP addresses to the corresponding
MAC addresses. The steps are as follows: Select the leftmost check boxes of the entries
you want to bind, and then click the Bind button to bind the selected IP and MAC address
pairs. Then you may go to the Advanced > DHCP > DHCP Server or Security > IP/MAC
Binding page to view or modify them.
Figure 5-7 DHCP Pool Statistics List
• ID: It is used to identify each entry in the list.
• IP Address: It displays the IP address of the DHCP client.
• Subnet Mask: It displays the subnet mask of the DHCP client.
• MAC Address: It displays the MAC address of the DHCP client.
• Lease Left: It displays the time remaining until the current IP address lease expires,
  shown as DD: HH: MM: SS.
• Pool Name: It displays the name of the DHCP address pool.
• Status: It displays the status of the IP address. The possible values are Detecting,
  Assigned, and Conflicted.
  ◦ Detecting: It indicates that the DHCP server is detecting whether the IP address
    is already in use or not.
  ◦ Assigned: It indicates that the DHCP server has assigned the IP address to the
    client.
  ◦ Conflicted: It indicates that the DHCP server has detected a conflict for the IP
    address, i.e., there is another host on the network using the same IP address.
• Type: It displays the manner in which the IP address was assigned to the DHCP
  client. The possible values are Static and Dynamic.
  ◦ Static: It indicates that the IP address was assigned manually through DHCP
    manual binding.
  ◦ Dynamic: It indicates that the IP address was assigned dynamically from a
    DHCP address pool by the DHCP server.
• Client ID: It displays the client identifier of the DHCP client.
• Relay Agent ID: It displays the relay agent ID of the DHCP client.
• Bind: If you want to manually bind one or more dynamic IP addresses to the
  corresponding MAC addresses, select the leftmost check boxes of them, and then
  click the Bind button. Then you may go to the Advanced > DHCP > DHCP Server or
  Security > IP/MAC Binding page to view and modify those IP/MAC bindings.
• Refresh: Click it to view the latest information in the list.
• Display IP/MAC Binding: Click it to go to the Security > IP/MAC Binding page to
  view or configure IP/MAC bindings for the LAN hosts.
Note
In the DHCP Pool Statistics list, only the dynamic IP addresses can be bound
manually; the static IP addresses cannot be bound again.
5.3.2 DHCP Server Statistics List
The DHCP Server Statistics list displays the DHCP server statistics, which include the
number of each type of DHCP message and the number of assigned IP addresses. The
statistics are counted and displayed per physical interface.
Figure 5-8 DHCP Server Statistics List
• Interface: The physical interface on which the DHCP server is applied.
• Discover: During the statistics interval, the number of DHCPDISCOVER messages
  that were received by the DHCP server.
• Offer: During the statistics interval, the number of DHCPOFFER messages that were
  sent by the DHCP server.
• Request: During the statistics interval, the number of DHCPREQUEST messages
  that were received by the DHCP server.
• Ack: During the statistics interval, the number of DHCPACK messages that were sent
  by the DHCP server.
• Release: During the statistics interval, the number of DHCPRELEASE messages that
  were received by the DHCP server.
• Decline: During the statistics interval, the number of DHCPDECLINE messages that
  were received by the DHCP server.
• Nak: During the statistics interval, the number of DHCPNAK messages that were
  sent by the DHCP server.
• Conflict: During the statistics interval, the number of address conflicts that were
  detected by the DHCP server.
• Inform: During the statistics interval, the number of DHCPINFORM messages that
  were received by the DHCP server.
• Unknown: During the statistics interval, the number of unknown packets.
• Client: During the statistics interval, the number of IP addresses that were assigned
  by the DHCP server.
• Clear: Click it to clear the DHCP server statistics in the list.
• Refresh: Click it to view the latest information in the list.
Note
The statistics interval is the elapsed time since the last clear action.
5.3.3 DHCP Conflict Statistics List
The DHCP Conflict Statistics list displays information related to the address conflicts found
by the DHCP server, which includes the conflicted IP address, MAC address, the detection
method and detection time for each address conflict in the list.
Figure 5-9 DHCP Conflict Statistics List
• IP Address: It displays the conflicted IP address.
• MAC Address: It displays the MAC address of the LAN host where the IP address
  conflict occurred.
• Detection Method: It displays how the IP address conflict was detected. It may be
  ARP or ICMP.
• Detection Time: It displays the date (YYYY-MM-DD) and time (HH:MM:SS) when the
  IP address conflict was detected.
• Refresh: Click it to view the latest information in the list.
5.3.4 DHCP Client Statistics List
The DHCP Client Statistics list displays the DHCP client statistics, which mainly include
the number of each type of DHCP message. The statistics are counted and displayed per
physical interface.
Figure 5-10 DHCP Client Statistics List
• Interface: The physical interface on which the DHCP client is applied.
• Discover: During the statistics interval, the number of DHCPDISCOVER messages
  that were sent by the DHCP client.
• Offer: During the statistics interval, the number of DHCPOFFER messages that were
  received by the DHCP client.
• Request: During the statistics interval, the number of DHCPREQUEST messages
  that were sent by the DHCP client.
• Ack: During the statistics interval, the number of DHCPACK messages that were
  received by the DHCP client.
• Release: During the statistics interval, the number of DHCPRELEASE messages that
  were sent by the DHCP client.
• Decline: During the statistics interval, the number of DHCPDECLINE messages that
  were sent by the DHCP client.
• Nak: During the statistics interval, the number of DHCPNAK messages that were
  received by the DHCP client.
• Conflict: During the statistics interval, the number of address conflicts that were
  found by the DHCP server when trying to assign an address to the DHCP client.
• Inform: During the statistics interval, the number of DHCPINFORM messages that
  were sent by the DHCP client.
• Unknown: During the statistics interval, the number of unknown packets.
• Clear: Click it to clear the DHCP client statistics in the list.
• Refresh: Click it to view the latest information in the list.
Note
The statistics interval is the elapsed time since the last clear action.
5.3.5 DHCP Relay Statistics List
The DHCP Relay Statistics list displays the DHCP relay agent statistics, which include
the number of various types of DHCP messages. The statistics are counted and displayed
per physical interface.
Figure 5-11 DHCP Relay Statistics List
• Interface: The physical interface on which the DHCP relay agent is applied.
• Discover: During the statistics interval, the number of DHCPDISCOVER messages
  that were relayed by the DHCP relay agent.
• Offer: During the statistics interval, the number of DHCPOFFER messages that were
  relayed by the DHCP relay agent.
• Request: During the statistics interval, the number of DHCPREQUEST messages
  that were relayed by the DHCP relay agent.
• Ack: During the statistics interval, the number of DHCPACK messages that were
  relayed by the DHCP relay agent.
• Release: During the statistics interval, the number of DHCPRELEASE messages that
  were relayed by the DHCP relay agent.
• Decline: During the statistics interval, the number of DHCPDECLINE messages that
  were relayed by the DHCP relay agent.
• Nak: During the statistics interval, the number of DHCPNAK messages that were
  relayed by the DHCP relay agent.
• Inform: During the statistics interval, the number of DHCPINFORM messages that
  were relayed by the DHCP relay agent.
• Nadd: During the statistics interval, the number of DHCP messages to which relay
  information wasn't added because of the maximum packet size limit.
• Nreplace: During the statistics interval, the number of DHCP messages in which
  relay information wasn't replaced because of the maximum packet size limit.
• Drop: During the statistics interval, the number of DHCP messages that were
  dropped by the DHCP relay agent.
• Clear: Click it to clear the DHCP client statistics in the list.
• Refresh: Click it to view the latest information in the list.
Note
The statistics interval is the elapsed time since the last clear action.
5.4 Interface Statistics
The Interface Statistics list displays the traffic statistics of each physical interface,
including the number of bytes, unicast packets, and non-unicast (i.e., multicast and
broadcast) packets.
Figure 5-12 Interface Statistics List
• ID: It is used to identify each interface of the Device.
• Interface/Direction: It displays the physical interface and the traffic direction.
  ◦ In: The packets are received by the interface.
  ◦ Out: The packets are transmitted by the interface.
• Total Bytes: During the statistics interval, the number of bytes that were received or
  transmitted by the interface.
• Unicast: During the statistics interval, the number of unicast packets that were
  received or transmitted by the interface.
• Non-unicast: During the statistics interval, the number of broadcast and multicast
  packets that were received or transmitted by the interface.
• Clear: Click it to clear the interface statistics in the list.
• Refresh: Click it to view the latest information in the list.
Note
1. The statistics interval is the elapsed time since the last clear action.
2. The following characteristics indicate that the Device is in normal operation:
  ◦ The number of packets received by the WAN interface(s) is close to the number
    transmitted by the LAN interface.
  ◦ The number of bytes received by the WAN interface(s) is close to the number
    transmitted by the LAN interface.
  ◦ The number of packets transmitted by the WAN interface(s) is close to the number
    received by the LAN interface.
  ◦ The number of bytes transmitted by the WAN interface(s) is close to the number
    received by the LAN interface.
  ◦ The total network traffic is steady, without sharp fluctuations.
http://www.uttglobal.com
Page 61
UTT Technologies
5.5
Chapter 5 System Status
Routing Table
This section describes how to view and use the Routing Table in the Status > Route
Stats page.
A router (or gateway) is a device that forwards data packets along networks. One of the
basic functions of the router is the ability to select an optimal transmission path for each
received packet, and forward the packet to the destination site effectively. The router uses
the routing table, which lists the routes to particular network destinations, to accomplish
this function. The routing table can be built and updated manually by the system
administrator, or dynamically by the router with minimal or no manual intervention.
Figure 5-13 Routing Table
—
Destination IP/Mask: It indicates the destination network ID. The Destination IP
indicates the IP address of the destination network or destination host; and the Mask
indicates the subnet mask associated with the destination network. For example,
192.168.18.0/24 means that the destination network IP address is 192.168.18.0, and
subnet mask is 255.255.255.0.
—
Gateway IP: It displays the IP address of the next hop gateway or router to which to
http://www.uttglobal.com
Page 62
UTT Technologies
Chapter 5 System Status
forward the packets.
—
—
Interface: It displays the outbound interface through which the packets are forwarded
to the next hop gateway or router.
ie0: LAN interface; ie1: WAN1 interface; ie2: WAN2 interface;
ptpdial0: Virtual interface waiting for dialing;
ptpx: Virtual interface x (value: 1, 2, 3ÂŤ);
bhole0: Internal interface, the Device will discard any packet forwarded to this
interface;
local: Internal soft-route interface, the packets are forwarded to the Device itself;
reject: Internal interface, the Device will discard any packet forwarded to this
interface and respond an ICMP unreachable packet;
loopback: Indicates the loopback network with network ID 127.0.0.0/8;
mcast: Virtual interface, multicast packets will be forwarded to it.
Flag: *-Hidden, o-OSPF, i-ICMP, l-Local, r-RIP, n-SNMP, c-Connected, s-Static,
R-Remote, g-Gateway, h-Host, p-Private, u-Up, t-Temp, M-Multiple, N-NAT, F-Float,
a-Append, ?-Unknown.
*-Hidden: The route is inactive as it is backup, or the corresponding Internet
connection is inactive.
N-NAT: NAT is enabled on the route, and the LAN hosts are sharing the
corresponding Internet connection to access the Internet.
F-Float: The priority related parameters of the route have been configured, and it
is floating now. Whether to enable it or not is determined by the corresponding
Internet connection's working status.
—
Priority: It indicates the priority of the route. If there are multiple routes to the same
destination with different priorities, the Device will choose the route with the highest
priority to forward the packets. The smaller the value, the higher the priority.
—
Metric: It indicates the cost of using the route, which is typically the number of hops
to the destination. If there are multiple routes with same priority to the same
destination, the Device will choose the route with the lowest metric to forward the
packets.
—
Use: It indicates the count of lookups for the route.
—
Age: It indicates the elapsed time (in seconds) since the route was created in the
routing table.
ž
Refresh: Click it to view the latest information in the list.
ž
Display Route Settings: Click it to go to the Advanced > Static Route > Static
Route List page to view the configured static routes settings.
Taking Figure 5-13 as an example, the following describes the different types of routes:
—
0.0.0.0/0: It indicates a default static route. The Device uses a default route if no other
route matches the destination address included in a packet. The default route
forwards the packet to a default gateway, whose IP address is configured manually or
assigned dynamically by a PPPoE or DHCP server.
—
127.0.0.0/8: It indicates a loopback route. The Class A network 127.0.0.0 is defined
as the loopback network. Addresses from that network are assigned to interfaces that
process data within the local system. These loopback interfaces do not access a
physical network. Once it receives a packet that matches the route, the Device will
send the packet to itself.
—
200.200.202.0/24: It indicates a subnet route. The destination is a subnet. If no host
route matches the destination IP address included in a packet, the Device will use a
subnet route that matches the network ID of the destination IP address. The subnet
route forwards the packet to its gateway.
—
192.168.16.1/32: It indicates a local host route (its interface is local). Once it receives a
packet that matches the route, the Device will not forward it.
—
224.0.0.0/4: It indicates a multicast route. Once it receives a multicast packet, the
Device will make copies and send them to all receivers that have joined the
corresponding multicast group.
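The selection rules described above (inactive routes are skipped, a host route is used before a subnet route and a subnet route before the default route, then the smallest Priority value wins, then the lowest Metric) can be modelled as follows. This is an added example, not code from the manual or from ReOS; the Route class, the function names, the flag combinations, the gateways and the 10.1.x.x entries are constructed for illustration, and ordering candidates by longest prefix is the general rule assumed here for the host/subnet/default ordering the text describes.

```python
import ipaddress
from dataclasses import dataclass

# What the Device does when the chosen route points at an internal interface
# (taken from the Interface descriptions in this section).
INTERNAL_ACTIONS = {
    "bhole0": "discard",
    "reject": "discard-and-send-icmp-unreachable",
    "local": "deliver-to-device",
    "loopback": "deliver-to-device",
    "mcast": "replicate-to-group-members",
}


@dataclass(frozen=True)
class Route:
    dest: str        # Destination IP/Mask column, e.g. "200.200.202.0/24"
    gateway: str     # Gateway IP column
    interface: str   # Interface column
    flags: str       # Flag letters, e.g. "sgN" or "*sg"
    priority: int    # smaller value = higher priority
    metric: int      # smaller value = lower cost

    @property
    def network(self):
        return ipaddress.ip_network(self.dest)

    @property
    def hidden(self):
        # "*" marks an inactive route (backup, or its connection is down).
        return "*" in self.flags


def select_route(table, dst_ip):
    """Return the route a packet to dst_ip would use, or None if none matches."""
    addr = ipaddress.ip_address(dst_ip)
    usable = [r for r in table if not r.hidden and addr in r.network]
    if not usable:
        return None
    # Most specific prefix first, then smallest Priority value, then lowest Metric.
    return min(usable, key=lambda r: (-r.network.prefixlen, r.priority, r.metric))


def decide(table, dst_ip):
    """Return (action, route) for a destination address."""
    route = select_route(table, dst_ip)
    if route is None:
        return ("no-route", None)
    return (INTERNAL_ACTIONS.get(route.interface, "forward"), route)


# Constructed sample table. The prefixes of the first-listed route types follow
# the manual's Figure 5-13 walk-through; all other values are made up.
SAMPLE_TABLE = [
    Route("0.0.0.0/0", "200.200.202.254", "ie1", "sgN", 60, 1),
    Route("0.0.0.0/0", "200.200.203.254", "ie2", "sgNF", 70, 1),   # lower priority
    Route("0.0.0.0/0", "200.200.204.254", "ie2", "*sg", 10, 1),    # hidden: ignored
    Route("127.0.0.0/8", "127.0.0.1", "loopback", "l", 0, 0),
    Route("200.200.202.0/24", "200.200.202.134", "ie1", "c", 0, 0),
    Route("192.168.16.1/32", "192.168.16.1", "local", "lh", 0, 0),
    Route("224.0.0.0/4", "0.0.0.0", "mcast", "l", 0, 0),
    Route("10.1.0.0/16", "192.168.16.2", "ie0", "sg", 60, 5),
    Route("10.1.0.0/16", "192.168.16.3", "ie0", "sg", 60, 2),      # same priority, lower metric
    Route("10.1.9.0/24", "0.0.0.0", "bhole0", "s", 60, 1),         # more specific: discard
]

if __name__ == "__main__":
    for dst in ("203.0.113.10", "200.200.202.7", "192.168.16.1", "10.1.2.3", "10.1.9.9"):
        action, route = decide(SAMPLE_TABLE, dst)
        print(dst, action, route.dest, route.gateway, route.interface)
```

When reading a real routing table, the same ordering explains why a hidden backup default route with a better Priority value still carries no traffic until its Internet connection becomes active.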
5.6 Session Monitor
This section describes the Status > Session Monitor page, and it tells you how to
monitor the Internet activities of the LAN users by the NAT Session List. This page
displays the active NAT sessions on the Device, and it lets you filter and display sessions
by certain criteria, such as source IP address, destination IP address/domain name,
destination port, NAT translated IP address/domain name, and so on. It only displays the
NAT sessions that are currently used by the LAN hosts, but doesn't display NAT statistics.
When receiving a request initiated by a LAN host, the Device will create a NAT session for
the request to translate the host's local IP address to a public IP address. The NAT will
translate incoming as well as outgoing packets belonging to the session.
Note
Only the administrator who has Admin privileges can open this page. You can go to
the System > Administrator page to view and modify the administrator's privileges.
5.6.1 Session Monitor Settings
Figure 5-14 Session Monitor Settings
—
Filter Option: It specifies an option for filtering and displaying the NAT sessions.
All: Select it to display all the active NAT sessions on the Device. You can use
this option to search the Internet activities of all the LAN users.
WANx: Select a WAN interface to display the active NAT sessions related to the
interface. You can use this option to search the Internet activities of the LAN
users who are using the Internet connection on the selected interface to access
the Internet. Therein, x (value: 1, 2, 3, 4) indicates the corresponding WAN
interface, and the number of WAN interfaces depends on the specific product
model.
Source IP: Select it to display the active NAT sessions related to a LAN user,
which is specified by entering his or her IP address in the Filter Value text box.
You can use this option to search the Internet activities of the specified LAN user.
Destination IP/Domain: Select it to display the active NAT sessions related to
an Internet site, which is specified by entering its IP address or domain name in
the Filter Value text box. You can use this option to search the LAN users who
are accessing the specified website.
Destination Port: Select it to display the active NAT sessions related to a
network service, which is specified by entering the service port number in the
Filter Value text box. You can use this option to search the LAN users who are
accessing the specified service. The following provides port numbers of some
well-known services: ftp-TCP21, ssh-TCP22, telnet-TCP23, smtp-TCP25,
dns-UDP53, finger-TCP79, http-TCP80, pop3-TCP110, snmp-UDP161, etc. For
more information, please refer to Appendix D Common Service Ports.
NAT Translated IP/Domain: Select it to display the active NAT sessions related
to an Internet connection's IP address or domain name, which is specified in the
Filter Value text box. When using multi-NAT (that is, you get multiple public IP
addresses from your ISP), you can use this option to search the Internet
activities of the LAN users who are using the specified public IP address to
access the Internet.
—
Filter Value: It specifies the filter value for filtering and displaying the NAT sessions.
You should specify it according to the selected Filter Option.
—
Predefined Port: It provides port numbers of some well-known services for you to
choose. If you select Destination Port from the Filter Option drop-down list, you
may select a service port number here.
ž
Search: After specifying the Filter Option and Filter Value (if needed), click the
Search button to search and display all the active NAT sessions in accordance with
your criteria in the NAT Session List.
5.6.2 NAT Session List
Figure 5-15 NAT Session List
—
ID: It is used to identify each entry in the list.
—
Source IP: It displays the source IP address for the NAT session.
—
Source Port: It displays the source port number for the NAT session.
—
Protocol: It displays the protocol type (T:TCP, U:UDP, I:ICMP) or protocol number for
the NAT session.
—
Dest IP: It displays the destination IP address for the NAT session.
—
Dest Port: It displays the destination port number or service name for the NAT
session. There are some system predefined services, such as dns, ftp, www, smtp,
pop3, msn, and so on.
—
Tx Pkts: It displays the number of transmitted packets through the NAT session.
—
Rx Pkts: It displays the number of received packets through the NAT session.
—
NAT IP: The translated public IP address for the NAT session.
—
NAT Port: The translated port for the NAT session. The Device uses this port number
to keep track of which hosts initiate data transfer. By keeping this record, the Device
is able to correctly route responses.
ž
Clear: Click it to delete all of the dynamic NAT sessions in the list.
Note
The clear operation may disconnect the dynamic sessions that are being used now,
so do it with caution.
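The way a NAT session ties the columns of the NAT Session List together can be shown with a small model: an outgoing request creates a session and allocates a NAT Port, a reply is mapped back to the LAN host through that port, and a packet that matches no session is not translated. This is an added example, not the Device's implementation; the class and method names, the starting port 2000, the LAN source ports and the check of the remote endpoint on replies are assumptions made for illustration, while the addresses are the ones used in the examples of section 5.6.3.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import count


@dataclass
class Session:
    id: int
    src_ip: str      # Source IP (LAN host)
    src_port: int    # Source Port
    proto: str       # Protocol: "T" (TCP), "U" (UDP) or "I" (ICMP)
    dst_ip: str      # Dest IP
    dst_port: int    # Dest Port
    nat_ip: str      # NAT IP (translated public address)
    nat_port: int    # NAT Port (translated port)
    tx_pkts: int = 0
    rx_pkts: int = 0


class NatTable:
    def __init__(self, nat_ip, first_port=2000):
        # first_port is a hypothetical starting value for translated ports.
        self.nat_ip = nat_ip
        self._ids = count(1)
        self._ports = count(first_port)
        self._by_flow = {}       # outbound 5-tuple -> Session
        self._by_nat_port = {}   # (proto, nat_port) -> Session

    def outbound(self, src_ip, src_port, proto, dst_ip, dst_port):
        """A LAN host sends a packet: reuse its session or create a new one."""
        flow = (src_ip, src_port, proto, dst_ip, dst_port)
        s = self._by_flow.get(flow)
        if s is None:
            s = Session(next(self._ids), src_ip, src_port, proto, dst_ip,
                        dst_port, self.nat_ip, next(self._ports))
            self._by_flow[flow] = s
            self._by_nat_port[(proto, s.nat_port)] = s
        s.tx_pkts += 1
        return (s.nat_ip, s.nat_port)

    def inbound(self, proto, remote_ip, remote_port, nat_port):
        """A packet arrives on the public side: return the LAN host, or None."""
        s = self._by_nat_port.get((proto, nat_port))
        if s is None or (s.dst_ip, s.dst_port) != (remote_ip, remote_port):
            return None  # no session recorded for this packet
        s.rx_pkts += 1
        return (s.src_ip, s.src_port)

    def search(self, **criteria):
        """Filter sessions by column, e.g. search(dst_port=1863)."""
        return [s for s in self._by_flow.values()
                if all(getattr(s, k) == v for k, v in criteria.items())]

    def sessions_per_host(self):
        """Number of active sessions per LAN host."""
        return Counter(s.src_ip for s in self._by_flow.values())

    def clear(self):
        """Equivalent of the Clear button: active flows lose their mapping."""
        self._by_flow.clear()
        self._by_nat_port.clear()


def demo():
    nat = NatTable("200.200.202.134")
    a = nat.outbound("192.168.16.68", 51000, "T", "200.200.200.251", 80)
    b = nat.outbound("192.168.16.68", 51001, "T", "200.200.200.251", 1863)
    c = nat.outbound("192.168.16.35", 51000, "T", "200.200.200.251", 80)
    reply = nat.inbound("T", "200.200.200.251", 80, c[1])   # mapped back to .35
    stray = nat.inbound("T", "200.200.200.251", 80, 9999)   # no such NAT port
    return nat, (a, b, c), reply, stray
```

The per-host count from sessions_per_host() is the figure to watch when a host is suspected of opening an abnormal number of sessions.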
5.6.3 Examples
5.6.3.1 Searching Internet Activities of the LAN User with IP Address 192.168.16.68/24
Step 1
Go to the Status > Session Monitor page, see Figure 5-16.
Step 2
Select Source IP from the Filter Option drop-down list.
Step 3
Enter 192.168.16.68 in the Filter Value text box.
Step 4
Click the Search button to search and display all the matching NAT sessions in
the NAT Session List, see Figure 5-17.
Figure 5-16 Session Monitor Settings - Example1
Figure 5-17 NAT Session List - Example1
5.6.3.2 Searching the LAN Users Accessing 200.200.200.251
Step 1
Go to the Status > Session Monitor page, see Figure 5-18.
Step 2
Select Destination IP/Domain from the Filter Parameter drop-down list.
Step 3
Enter 200.200.200.251 in the Filter Value text box.
Step 4
Click the Search button to search and display all the matching NAT sessions in
the NAT Session List, see Figure 5-19.
Figure 5-18 Session Monitor Settings - Example2
Figure 5-19 NAT Session List - Example2
5.6.3.3 Searching the LAN Users Using MSN
Step 1
Go to the Status > Session Monitor page, see Figure 5-20.
Step 2
Select Destination Port from the Filter Option drop-down list.
Step 3
Enter 1863 in the Filter Value text box, or select 1863 (MSN) option from the
Predefined Port drop-down list directly.
Step 4
Click the Search button to search and display all the matching NAT sessions in
the NAT Session List, see Figure 5-21.
Figure 5-20 Session Monitor Settings - Example3
Figure 5-21 NAT Session List - Example3
5.6.3.4 Searching Internet Activities of the LAN Users Using WAN1 IP Address
Note
When using multiple Internet connections, you can go to the Basic > WAN page to
view the WAN List to find the WAN1 IP address.
Step 1
Go to the Status > Session Monitor page, see Figure 5-22.
Step 2
Select the NAT Translated IP/Domain from the Filter Option drop-down list.
Step 3
Enter 200.200.202.134 in the Filter Value text box. The WAN1 IP address is
200.200.202.134 in this example.
Step 4
Click the Search button to search and display all the matching NAT sessions in
the NAT Session List, see Figure 5-23.
Figure 5-22 Session Monitor Settings - Example3
Figure 5-23 NAT Session List - Example4
5.7 System Log
In the Status > System Log page, you can view the system logs; also you can select the
types of logs that you want the Device to store and display.
5.7.1 System Log Settings
Figure 5-24 System Log Settings
—
Select All: It selects or unselects all the check boxes below. If you want to enable all
the provided system log features at a time, please select this check box. If you want
to disable all the provided system log features at a time, please clear the check box.
—
Enable Notice Log: It allows you to enable or disable notice log. If you want the
Device to store and display the notice related logs in the System Log, please select
this check box.
—
Enable Dial Log: It allows you to enable or disable dial log. If you want the Device to
store and display the dial related logs in the System Log, please select this check
box.
—
Enable NAT Log: It allows you to enable or disable NAT log. If you want the Device
to store and display the NAT related logs in the System Log, please select this check
box.
—
Enable DHCP Log: It allows you to enable or disable DHCP log. If you want the
Device to store and display the DHCP related logs in the System Log, please select
this check box.
—
Enable ARP Log: It allows you to enable or disable ARP log. If you want the Device
to store and display the ARP related logs in the System Log, please select this check
box.
—
Enable Other Log: It allows you to enable or disable other log. If you want the Device
to store and display other logs in the System Log, please select this check box.
ž
Save: Click it to save the system log settings.
5.7.2 Viewing System Logs
If you have enabled one or more system log features in the Status > System Log > Log
Settings page, you can view the related logs in the Status > System Log page, see the
following figure.
Figure 5-25 System Logs
ž
Clear: Click it to clear all the system logs.
ž
Refresh: Click it to view the latest system logs.
The following table describes some common types of system logs.
Keyword | Sample | Meaning
Ethernet Up | ieX | The specified physical interface is enabled. ie0: LAN; ie1~ie4: WAN1~WAN4.
MAC New | 00:22:aa:00:22:bb | The new MAC address of the specified user.
MAC Old | 00:22:aa:00:22:aa | The old MAC address of the specified user.
ARP SPOOF | 192.168.1.1 | The MAC address of the user with IP address 192.168.1.1 has changed.
Session Up | PPPOE | The Device has successfully established a session whose name is PPPOE.
PPPoE Up | 00:22:aa:5d:63:6f | The Device has successfully established a PPPoE connection with the remote device whose MAC address is 00:0c:f8:f9:66:c6.
Call Connected | @_netiNetworkStateChanged: 6244, on line 1, on channel 0 | The physical layer data link layer connections have been established, but IP still couldn't be used.
Outgoing Call | @61:1-1 | The Device started dialing out.
Call Terminated | @clearSession: 1 | The Device failed to dial.
Outgoing Call | @61:1-1 | The Device started dialing out.
Session down | Manually (PPPOE) | The session whose name is PPPOE was hung up. Manually means it was hung up manually.
Session up | test | The Device has successfully established a session whose name is test.
Assigned to port | @answerIncomingCall:8012 | The Device has successfully negotiated with the remote dial-in device, and has assigned a port to the remote device.
Call Connected | @_netiNetworkStateChanged: 6244, on line 1, on channel 0 | The physical layer and data link layer connections have been established, but IP still couldn't be used.
Incoming Call | @_netiNetworkStateChanged: 6187, on line 1, on channel 0 | The Device received a call from a remote device.
Route Up | ethX | The static routes bound to the specified physical interface became active. (Usually because the corresponding Internet connection became active.) eth1: LAN; eth2~eth5: WAN1~WAN4.
Route Down | ethX | The static routes bound to the specified physical interface became inactive. (Usually because the corresponding Internet connection became inactive.)
NAT exceeded | [IP Address] | The specified host has exceeded the maximum NAT sessions limited by the Device. This is usually because the host is infected with a virus or is using hacker attack software. If the host is working properly, please increase the maximum NAT sessions appropriately.
ARP exceeded | [IP Address] | The ARP request for the specified IP address has been rejected due to the maximum ARP entries limit. If the ARP table is full, any new ARP request packet to the Device will be rejected and this log message generated.
DHCP:IP conflicted | [arp: IP Address] | A DHCP IP address conflict has occurred, that is, when acting as a DHCP server, the Device detected that the specified IP address is already used in the LAN before assigning it to a user, and then the Device assigned another IP address to this user.
notice | Give notice to user: 192.168.16.35 | The device has given a notice to the user with IP address 192.168.16.35.
Table 5-1 System Logs List
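The keywords in Table 5-1 are enough to triage a saved copy of the system log for the entries that point at a LAN problem (ARP SPOOF, MAC New/MAC Old, NAT exceeded, ARP exceeded, DHCP:IP conflicted). The following is an added example, not a UTT tool: it assumes each log line carries a keyword from the table followed by its detail text, the timestamps and sample lines are constructed, and the grouping into classes and the nat_threshold parameter are choices made for this example.

```python
import re
from collections import Counter

# Keyword (from Table 5-1) -> triage class chosen for this example.
KEYWORD_CLASS = {
    "ARP SPOOF": "security", "MAC New": "security", "MAC Old": "security",
    "NAT exceeded": "security", "ARP exceeded": "security",
    "DHCP:IP conflicted": "security",
    "Ethernet Up": "link", "Route Up": "link", "Route Down": "link",
    "PPPoE Up": "session", "Session Up": "session", "Session down": "session",
    "Call Connected": "dial", "Call Terminated": "dial",
    "Outgoing Call": "dial", "Incoming Call": "dial", "Assigned to port": "dial",
}
_CANON = {k.lower(): k for k in KEYWORD_CLASS}
_KEYWORD_RE = re.compile(
    "|".join(re.escape(k) for k in sorted(KEYWORD_CLASS, key=len, reverse=True)),
    re.IGNORECASE)  # the table itself mixes "Session Up" and "Session up"
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.IGNORECASE)


def parse_line(line):
    """Return the keyword, class and any IP/MAC in the detail, or None."""
    m = _KEYWORD_RE.search(line)
    if m is None:
        return None
    keyword = _CANON[m.group(0).lower()]
    detail = line[m.end():].strip()
    ip = _IP_RE.search(detail)
    mac = _MAC_RE.search(detail)
    return {"keyword": keyword, "class": KEYWORD_CLASS[keyword], "detail": detail,
            "ip": ip.group(0) if ip else None,
            "mac": mac.group(0).lower() if mac else None}


def triage(lines, nat_threshold=3):
    """Summarise a log: counts per keyword/class and the hosts worth a look."""
    counts, classes, nat_hits = Counter(), Counter(), Counter()
    ip_sets = {"ARP SPOOF": set(), "ARP exceeded": set(), "DHCP:IP conflicted": set()}
    macs = {"MAC New": [], "MAC Old": []}
    unmatched = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unmatched += 1
            continue
        counts[ev["keyword"]] += 1
        classes[ev["class"]] += 1
        if ev["keyword"] == "NAT exceeded" and ev["ip"]:
            nat_hits[ev["ip"]] += 1
        elif ev["keyword"] in ip_sets and ev["ip"]:
            ip_sets[ev["keyword"]].add(ev["ip"])
        elif ev["keyword"] in macs and ev["mac"]:
            macs[ev["keyword"]].append(ev["mac"])
    return {
        "counts": counts,
        "by_class": classes,
        "nat_exceeded_hosts": {ip: n for ip, n in nat_hits.items() if n >= nat_threshold},
        "arp_spoof_ips": sorted(ip_sets["ARP SPOOF"]),
        "arp_table_full_ips": sorted(ip_sets["ARP exceeded"]),
        "dhcp_conflict_ips": sorted(ip_sets["DHCP:IP conflicted"]),
        "macs": macs,
        "unmatched": unmatched,
    }


# Constructed sample lines; the timestamp prefix is an assumption.
SAMPLE_LOG = [
    "2012-03-19 15:11:01 Ethernet Up ie1",
    "2012-03-19 15:11:05 PPPoE Up 00:22:aa:5d:63:6f",
    "2012-03-19 15:12:10 MAC New 00:22:aa:00:22:bb",
    "2012-03-19 15:12:10 MAC Old 00:22:aa:00:22:aa",
    "2012-03-19 15:12:10 ARP SPOOF 192.168.1.1",
    "2012-03-19 15:13:00 NAT exceeded 192.168.16.68",
    "2012-03-19 15:13:02 NAT exceeded 192.168.16.68",
    "2012-03-19 15:13:04 NAT exceeded 192.168.16.68",
    "2012-03-19 15:13:30 NAT exceeded 192.168.16.35",
    "2012-03-19 15:14:00 ARP exceeded 192.168.16.200",
    "2012-03-19 15:14:20 DHCP:IP conflicted arp: 192.168.16.50",
    "2012-03-19 15:15:00 Session down Manually (PPPOE)",
    "2012-03-19 15:15:30 line without a known keyword",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```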
5.8 Web Log
This section describes the Status > Web Log page.
This page allows you to view web logs. A web log records the information of a web
page access by a LAN user, which includes the access time, the LAN user's IP address,
and the domain name of the web page.
5.8.1 Enable Web Log
Figure 5-26 Enable Web Log
—
Enable Web Log: It allows you to enable or disable web log. If you want the Device
to store and display the web logs in this page, please select this check box.
ž
Save: Click it to save your settings.
5.8.2 View Web Logs
Figure 5-27 View Web Logs
A web log consists of date and time, an IP address of a LAN user, and a domain name.
Ɣ
Date and time: It displays the date and time at which a LAN user accessed a web
page.
Ɣ
IP address: It displays the IP address of the LAN user who has accessed a web
page.
Ɣ
Domain name: It displays the domain name of a web page which is accessed by the
LAN user.
ž
Clear: Click it to clear all the web logs in the list box.
ž
Refresh: Click it to view the latest web logs.
Note
To ensure that the date and time of the web logs are correct, you should synchronize
the system clock in the System > Time page.
5.9 Application Traffic Statistics
In the Status > APP Traffic page, you can view the traffic statistics of some predefined
applications. For each application, you can view the traffic statistics of each WAN interface,
and the traffic statistics of each LAN user.
5.9.1 Global Setup
Figure 5-28 Enable Application Traffic Statistics
—
Enable Application Traffic Statistics: It allows you to enable or disable application
traffic statistics. If you want to view the applications traffic statistics of the LAN users
in the APP Traffic Statistics list, please select this check box to enable this feature.
ž
Save: Click it to save your settings.
5.9.2 Application Traffic Statistics List
Figure 5-29 Application Traffic Statistics List
—
Interface: It allows you to select a WAN interface to display the application traffic
statistics of this interface.
—
Application: It indicates the type of application traffic. The Device provides six types
of application traffic, including TCP, UDP, Web, FTP, P2P and Game applications.
There are multiple specific types of P2P and Game applications; please refer
to section 11.2 Internet Behavior Management for more information.
—
Tx Rate: It indicates the real-time uplink rate (in kilobits per second) of the given
application traffic through the selected WAN interface.
—
Rx Rate: It indicates the real-time downlink rate (in kilobits per second) of the given
application traffic through the selected WAN interface.
—
Details: Click the IP Address hyperlink to go to the Status > APP Stats > User
Traffic Statistics page to view the given application traffic statistics of each LAN
user.
ž
Refresh: Click it to view the latest information in the list.
5.9.3 User Traffic Statistics List
Figure 5-30 User Traffic Statistics List
—
IP Address: It indicates the IP address of the LAN host (i.e., LAN user).
—
Tx Rate: It indicates the real-time rate (in kilobits per second) of the given application
traffic sent by the LAN host.
—
Rx Rate: It indicates the real-time rate (in kilobits per second) of the given application
traffic received by the LAN host.
ž
Back: Click it to go back to the APP Traffic Statistics list.
ž
Refresh: Click it to view the latest information in the list.
5.10 WAN Traffic Statistics
Through the WAN Traffic Statistics list in the Status > WAN Traffic page, you can view
traffic and rate related information of each Internet connection.
Figure 5-31 WAN Traffic Statistics List
—
Interface: It specifies a WAN interface on which the Internet connection is
established.
—
Tx Bandwidth: It is the Uplink Bandwidth of the Internet connection configured in
the Basic > WAN page.
—
Real-time Tx Rate: It indicates the real-time uplink rate of the Internet connection.
—
Average Tx Rate: It indicates the average uplink rate of the Internet connection since
the Device was last started.
—
Max Tx Rate: It indicates the maximum uplink rate of the Internet connection since
the Device was last started.
—
Rx Bandwidth: It is the Downlink Bandwidth of the Internet connection configured
in the Basic > WAN page.
—
Real-time Rx Rate: It indicates the real-time downlink rate of the Internet connection.
—
Average Rx Rate: It indicates the average downlink rate of the Internet connection
since the Device was last started.
—
Max Rx Rate: It indicates the maximum downlink rate of the Internet connection
since the Device was last started.
ž
Refresh: Click it to view the latest information in the list.
Chapter 6 Basic Setup
This chapter describes how to configure and use the basic features of the Device, which
include LAN interface settings, WAN interface settings, load balancing (only multi-WAN
products support it), DHCP and DNS features.
6.1 LAN Settings
This section describes the Basic > LAN page.
After you have configured the Internet Connection through the Quick Wizard, you can
modify the IP address and subnet mask of the LAN interface in this page. Also, you can
configure some other parameters, which include the IP Address 2, Subnet Mask 2, MAC
Address, Proxy ARP, and Mode. Obviously, you can directly configure the IP address
and Subnet Mask of the LAN interface in this page without using the Quick Wizard.
Figure 6-1 LAN Interface Settings
—
IP Address: It specifies the IP address of the LAN interface.
—
Subnet Mask: It specifies the subnet mask that defines the range of the LAN.
ž
Advanced Options: Click it to view and configure advanced parameters. In most
cases, you need not configure them.
—
IP Address 2: It specifies the secondary IP address of the LAN interface.
—
Subnet Mask 2: It specifies the secondary subnet mask that defines the range of the
secondary subnet.
—
MAC Address: It specifies the MAC address of the LAN interface. In most cases,
please leave the default value.
—
Proxy ARP: It allows you to enable or disable proxy ARP on the LAN interface. The
available options are Disabled, Enabled and Nat.
Ɣ
Disabled: Select it to disable the proxy ARP on the LAN interface.
Ɣ
Enabled: Select it to enable the proxy ARP on the LAN interface.
Ɣ
Nat: Select it to enable the NAT proxy ARP on the LAN interface.
—
Mode: It specifies the speed and duplex mode of the LAN interface. The Device
supports five or six modes (Note that only the gigabit LAN interface supports
1000M-HD), which include Auto (Auto-negotiation), 100M-FD (100M Full-Duplex),
100M-HD (100M Half-Duplex), 10M-FD (10M Full-Duplex), 10M-HD (10M
Half-Duplex), and 1000M-FD (1000M Full-Duplex).
In most cases, please leave the default value. If a compatibility problem occurred, or
the network device connected to the LAN interface doesn't support auto-negotiation
function, you may modify it as required.
ž
Save: Click it to save the LAN interface settings.
Note
1.
You can assign two IP addresses to the Device's LAN interface to connect two
subnets. The hosts on the two subnets can communicate with each other.
2.
If you have changed the LAN IP address and saved the change, you should use the
new IP address to re-login to the Device. And the default gateway of each LAN host
should be changed to this new IP address, thus the LAN hosts can access the Device
and Internet.
3.
The LAN interface integrates multiple switch ports, and you may go to the Status >
System Info page to view each LAN port status.
6.2 WAN Settings
6.2.1 WAN List
After you have configured the Internet connection through the Quick Wizard, you can
view its configuration and status in the Basic > WAN > WAN List page; also you can
modify or delete it if needed.
Figure 6-2 WAN Internet Connection List
Note
If you want to use multiple connections to access the Internet, please configure them
in this page, and then go to the Basic > Load Balancing page to configure load
balancing and failover.
6.2.1.1 Parameter Definitions
—
Type: It displays the connection type. For the PPPoE Internet connection, it will also
display its user name and dial mode.
—
Status: It displays the current status of the connection. The status values for
each connection type are described below.
1.
PPPoE Connection Status
There are eight kinds of status for PPPoE connection (see Table 6-1). When it is
connected, it will also display the elapsed time (days: hours: minutes: seconds) since
connected.
Status | Description
Closed | The physical interface isn't connected, or doesn't dial up yet.
Dialing | Dialing has started, but no response has been received yet.
Authenticating | Server responded and is authenticating.
Connected | Authentication succeeded, and the connection is established and ready for data transmission.
Disconnecting | The PPPoE session is disconnecting.
Hang up | Either peer has hung up.
Disconnected | The PPPoE session has terminated, waiting for dialing up.
Internal Error | Undefined status.
Table 6-1 Description of PPPoE Connection Status
2.
Static IP Connection Status
There are three kinds of status for Static IP connection (see Table 6-2).
Status | Description
Closed | The physical interface isn't connected.
Connected | The connection is established between the Device and peer device.
Internal Error | Undefined status.
Table 6-2 Description of Static IP Connection Status
3.
DHCP Connection Status
There are four kinds of status for DHCP connection (see Table 6-3). When it is
connected, it will also display the time left (days: hours: minutes: seconds) before the
lease expires for the current IP address, which is assigned by your ISP's DHCP
server.
Status | Description
Closed | The physical interface isn't connected. Or the connection has released the IP address but hasn't requested a new one yet.
Connecting | Requesting an IP address.
Connected | Has obtained an IP address, the connection is established successfully.
Internal Error | Undefined status.
Table 6-3 Description of DHCP Connection Status
6.2.1.2 List Function
ž
Edit an Internet Connection: If you want to modify a configured Internet connection,
click its Edit hyperlink, the related information will be displayed in the setup page.
Then modify it, and click the Save button.
ž
Delete an Internet Connection: If you want to delete a configured Internet
connection, click Delete of the connection to delete it.
6.2.1.3 How to Dial and Hang up a PPPoE connection
For the PPPoE connection, the Dial, Hang Up and Delete are shown in the Operation
column (see Figure 6-3).
If the PPPoE connection's Dial Type is set to Manual (see section 6.2.2.1), you need
to click Dial to dial up the Internet connection, and click Hang Up to hang it up.
ž
Dial: Click it to dial up the Internet connection manually. During dialing up, you can
view the related status information in the Status column, which includes Closed,
Dialing, Authenticating and Connected.
ž
Hang Up: Click it to hang the Internet connection up manually.
Figure 6-3 WAN List - PPPoE Internet Connection
6.2.1.4 How to Renew and Release a DHCP Connection
For the DHCP connection, the Renew, Release and Delete are shown in the Operation
column (see Figure 6-4).
ž
Renew: Click it to re-obtain an IP address from the ISP's DHCP server. The Device
will automatically release the assigned IP address first, and then obtain a new IP
address from the DHCP server. During renewing, you can view the related status
information in the Status column, which includes Closed, Connecting, and
Connected.
ž
Release: Click it to release the IP address obtained from the ISP's DHCP server.
Figure 6-4 WAN List DHCP Internet Connection
6.2.2 WAN Internet Connection Settings
This section describes how to configure PPPoE, Static IP and DHCP Internet connection
respectively, and how to delete the connection.
Note
You can configure other connections only after you have configured the Internet
connection on WAN1. The system will automatically set these connections'
Primary DNS Server to the IP address of the WAN1 Internet connection's Primary
DNS Server, and you cannot modify them.
6.2.2.1 PPPoE Internet Connection Settings
Please select PPPoE from the Connection Type drop-down list if your ISP uses PPPoE
to establish the Internet connection for you. Then the following page will be shown.
Figure 6-5 PPPoE Internet Connection Settings
—
Connection Type: It specifies the type of the Internet connection. Here please select
PPPoE.
—
Uplink Bandwidth: It specifies the uplink bandwidth of the Internet connection, which
is provided by your ISP. You may ask the ISP about the uplink bandwidth.
—
Downlink Bandwidth: It specifies the downlink bandwidth of the Internet connection,
which is provided by your ISP. You may ask the ISP about the downlink bandwidth.
—
ISP: It specifies the Internet service provider (ISP) by which the Internet connection is
provided.
—
User Name and Password: They specify the PPPoE login user name and password
provided by your ISP.
—
Dial Mode: It specifies the dial mode of the PPPoE Internet connection. The default
value is Normal mode. If the PPPoE connection isn't established successfully even
when using the correct user name and password, you may try to use another mode.
—
DNS Server: It specifies the method by which you configure the DNS server(s). If you
know the local DNS server IP address, you may select Manual, then enter the DNS
server IP address in the Primary DNS server text box, and the secondary DNS
server IP address in the Secondary DNS Server if available. Else, please select
Auto, then the Device will automatically obtain the DNS server IP address.
—
Primary DNS Server: It specifies the IP address of your ISP's primary DNS server.
—
Secondary DNS Server: It specifies the IP address of your ISP's secondary DNS
server. If it is available, you may set it. Else, please leave it 0.0.0.0.
ž
Advanced Options: Click it to view and configure advanced parameters. In most
cases, you need not configure them.
—
PPP Authentication: It specifies the PPP authentication mode of the PPPoE
connection. The available options are NONE, PAP, CHAP and Either.
PAP: Password Authentication Protocol.
CHAP: Challenge Handshake Authentication Protocol.
None: It means that no protocol will be used.
Either: It means that the Device will automatically negotiate it with the peer
device.
—
Service Name: It specifies the service name provided by your ISP. In most cases,
please leave it blank. If you have any questions, please contact the ISP.
—
MRU: It specifies the largest packet size permitted for network receive. When dialing,
the Device will automatically negotiate it with the peer device. Unless a special
application requires otherwise, please leave the default value of 1492 bytes.
—
Dial Type: It specifies the dial type of the PPPoE connection. The available options
are Always On, Manual and On Demand.
Always On: If you want the Device to establish a PPPoE connection when
starting up and to automatically re-establish the PPPoE connection once
disconnected, select this option.
Manual: If you want to dial and hang up a PPPoE connection manually, select
this option. In this case, you should dial and hang up manually in the WAN List in
the Basic > WAN page (see section 6.2.1.3).
On Demand: If you want the Device to establish a PPPoE connection only when
it listens for packets destined for the Internet, select this option. In this case, the
Device will terminate the connection after it has been inactive for the period of
time specified by the Idle Timeout.
- Dial Schedule: It specifies a schedule during which the Device can dial up. If you
  select a schedule here, the Device can dial up only within the selected schedule
  range; otherwise, the Device can always dial up. The schedule is configured in the
  Security > Schedule page.
- Online Schedule: It specifies a schedule during which the Device can access the
  Internet. If you select a schedule here, the Device can access the Internet
  only within the selected schedule range, and the Device will automatically terminate the
  PPPoE connection once outside this schedule range; otherwise, the Device will always be
  online. The schedule is configured in the Security > Schedule page.
- Keepalive Period: It specifies the period of time within which the Device checks
  whether the link is available. While the connection is established, the Device
  sends a keepalive packet to the peer device every 1000 milliseconds. If the
  Device does not receive a response during the specified period of time, it will
  terminate the connection. The default value is 15000 milliseconds.
- Idle Timeout: It specifies how long the PPPoE connection stays connected without
  Internet activity. The Device will automatically terminate the connection after it has
  been inactive for the specified period of time. The default value is zero, which means
  that the Device will not terminate it.
- Session Timeout: It specifies how long the PPPoE connection stays connected
  after it is established. The Device will automatically terminate the connection after it
  has been connected for the specified period of time. The default value is zero, which
  means that the Device will not terminate it. In most cases, please leave the default
  value.
- Priority: It specifies the routing priority of the established connection. When there are
  several established connections, the Device will choose the connection with the
  highest priority to forward the packets. A lower value means a higher priority.
- Down Priority: It specifies the routing priority of the terminated connection. When
  there are several terminated connections, the connection with the highest priority will
  dial up first. A lower value means a higher priority.
- Dial Sub-interface: It specifies a logical virtual interface that belongs to a
  physical interface. You can create multiple sub-interfaces on a single physical
  interface. At present, the Device only supports creating sub-interfaces on
  WAN1, and these sub-interfaces are distinguished from one another by the 802.1Q
  VLAN identifier.
- Proxy ARP: It allows you to enable or disable proxy ARP on the WAN interface. The
  available options are Disabled, Enabled and Nat.
  - Disabled: Select it to disable the proxy ARP on the WAN interface.
  - Enabled: Select it to enable the proxy ARP on the WAN interface.
  - Nat: Select it to enable the NAT proxy ARP on the WAN interface.
- Mode: It specifies the speed and duplex mode of the WAN interface. The Device
  supports five or six modes (Note that only the gigabit WAN interface supports
  1000M-HD), which include Auto (Auto-negotiation), 100M-FD (100M Full-Duplex),
  100M-HD (100M Half-Duplex), 10M-FD (10M Full-Duplex), 10M-HD (10M
  Half-Duplex), and 1000M-FD (1000M Full-Duplex). In most cases, please leave the
  default value. If a compatibility problem occurs, or the network device connected to
  the WAN interface doesn't support auto-negotiation, you may modify it as
  required.
- MAC Address: It specifies the MAC address of the WAN interface. In most cases,
  please leave the default value.
- Save: Click it to save the PPPoE Internet connection settings.
Note
1. The Dial Sub-interface can only be configured on a product that supports the IEEE
   802.1Q tag-based VLAN feature. If you create multiple PPPoE Internet connections
   on a WAN interface, some ISPs may forbid these connections from accessing their
   broadband access servers because they all use the same MAC address (that is, the
   WAN interface's MAC address). You can use the sub-interface feature to solve this
   problem: connect WAN1 to a switch that provides the 802.1Q tag-based VLAN
   feature, then create multiple VLAN sub-interfaces on WAN1, and lastly create a
   connection on each sub-interface; each connection will then use its own MAC
   address.
2. Compared with the PPPoE Internet connection setup page in the Quick Wizard, this
   page provides more configuration parameters, such as Dial Schedule, Online
   Schedule, Keepalive Period, Priority, Down Priority, and so on.
3. In most cases, please leave Proxy ARP at the default value, that is, with proxy ARP
   disabled on the interface. In some cases, however, you need to enable proxy ARP. For
   example, when you enable the PPTP or L2TP server feature on a WAN interface, and the
   IP addresses assigned to the mobile user clients are on the same subnet as the
   Device LAN interface, you need to enable proxy ARP on this interface. Another example
   is that when using multi-NAT (that is, you get multiple public IP addresses from your
   ISP) on a WAN interface, you should enable NAT proxy ARP on this interface.
6.2.2.2 Static IP Internet Connection Settings
If you are required to use a static IP address, please select Static IP from the Connection
Type drop-down list. The following page will then be shown.
Figure 6-6 Static IP Internet Connection Settings
- Connection Type: It specifies the type of the Internet connection. Here please select
  Static IP.
- Uplink Bandwidth: It specifies the uplink bandwidth of the Internet connection, which
  is provided by your ISP. You may ask the ISP about the uplink bandwidth.
- Downlink Bandwidth: It specifies the downlink bandwidth of the Internet connection,
  which is provided by your ISP. You may ask the ISP about the downlink bandwidth.
- ISP: It specifies the Internet service provider by which the Internet connection is
  provided.
- IP Address: It specifies the IP address of the WAN interface, which is provided by
  your ISP.
- Subnet Mask: It specifies the subnet mask of the WAN interface, which is provided
  by your ISP.
- Default Gateway: It specifies the IP address of the default gateway, which is
  provided by your ISP.
- Primary DNS Server: It specifies the IP address of your ISP's primary DNS server.
- Secondary DNS Server: It specifies the IP address of your ISP's secondary DNS
  server. If it is available, you may set it. Otherwise, please leave it blank.
- Advanced Options: Click it to view and configure advanced parameters. In most
  cases, you need not configure them.
- MAC Address: It specifies the MAC address of the WAN interface. In most cases,
  please leave the default value.
- Proxy ARP: It allows you to enable or disable proxy ARP on the WAN interface. The
  available options are Disabled, Enabled and Nat.
  - Disabled: Select it to disable the proxy ARP on the WAN interface.
  - Enabled: Select it to enable the proxy ARP on the WAN interface.
  - Nat: Select it to enable the NAT proxy ARP on the WAN interface.
- Mode: It specifies the speed and duplex mode of the WAN interface. The Device
  supports five or six modes (Note that only the gigabit WAN interface supports
  1000M-HD), which include Auto (Auto-negotiation), 100M-FD (100M Full-Duplex),
  100M-HD (100M Half-Duplex), 10M-FD (10M Full-Duplex), 10M-HD (10M
  Half-Duplex), and 1000M-FD (1000M Full-Duplex). In most cases, please leave the
  default value. If a compatibility problem occurs, or the network device connected to
  the WAN interface doesn't support auto-negotiation, you may modify it as
  required.
- Gateway Binding Mode: It determines whether the gateway's IP and MAC address
  pair will be bound or not. If you want to bind the gateway's IP and MAC address pair
  to protect the Device against external ARP spoofing, select Manual from this
  drop-down list, and enter the gateway's MAC address in the Gateway MAC Address
  text box. Otherwise, select None.
- Save: Click it to save the static IP Internet connection settings.
Note
The WAN interface IP address and default gateway IP address should be on the
same subnet. If they are not, please modify the Subnet Mask so that they are on the
same subnet. If you are not familiar with subnetting, please ask a
professional or a UTT customer engineer for help.
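The Gateway Binding Mode setting above pins the default gateway's IP address to one MAC address. The following added example (not UTT code, and only a model of the behaviour the manual describes) replays ARP observations with and without such a binding; the addresses, timestamps and log format are constructed for illustration.

```python
import re
from typing import NamedTuple


class ArpObservation(NamedTuple):
    time: str
    ip: str
    mac: str


def normalize_mac(mac: str) -> str:
    """Return a MAC as lowercase colon-separated hex, whatever separator was used."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_observations(text: str) -> list:
    """Parse 'time ip mac' lines; blank lines and '#' comments are skipped."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        time, ip, mac = line.split()
        observations.append(ArpObservation(time, ip, normalize_mac(mac)))
    return observations


def replay_arp(gateway_ip: str, observations, bound_mac=None):
    """Replay ARP observations seen on the WAN side.

    bound_mac=None models Gateway Binding Mode "None": the gateway entry
    simply follows the most recent ARP information for gateway_ip.
    bound_mac=<mac> models "Manual": the entry is fixed, and every
    conflicting claim for gateway_ip is rejected and returned for alerting.

    Returns (mac_used_for_gateway, rejected_observations).
    """
    current = normalize_mac(bound_mac) if bound_mac else None
    rejected = []
    for obs in observations:
        if obs.ip != gateway_ip:
            continue                      # not about the gateway
        if bound_mac is None:
            current = obs.mac             # last writer wins
        elif obs.mac != current:
            rejected.append(obs)          # conflicts with the bound pair
    return current, rejected


# Constructed sample: 192.0.2.0/24 is a documentation range and the MAC
# addresses are made up. The last line claims the gateway IP with a new MAC.
SAMPLE = """\
# time    ip          mac
10:00:01  192.0.2.1   00:22:AA:11:22:33
10:00:05  192.0.2.77  00-22-aa-44-55-66
10:00:09  192.0.2.1   0022.aa11.2233
10:00:12  192.0.2.1   02:00:00:de:ad:01
"""

if __name__ == "__main__":
    obs = parse_observations(SAMPLE)
    print("None:  ", replay_arp("192.0.2.1", obs))
    print("Manual:", replay_arp("192.0.2.1", obs, bound_mac="00-22-AA-11-22-33"))
```

With no binding the gateway entry ends up at the conflicting MAC; with the binding it stays fixed and the conflicting observation is available for logging.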
6.2.2.3 DHCP Internet Connection Settings
If your ISP automatically assigns an IP address, please select DHCP from the
Connection Type drop-down list. The following page will then be shown.
Figure 6-7 DHCP Internet Connection Settings
- Connection Type: It specifies the type of the Internet connection. Here please select
  DHCP.
- Uplink Bandwidth: It specifies the uplink bandwidth of the Internet connection, which
  is provided by your ISP. You may ask the ISP about the uplink bandwidth.
- Downlink Bandwidth: It specifies the downlink bandwidth of the Internet connection,
  which is provided by your ISP. You may ask the ISP about the downlink bandwidth.
- ISP: It specifies the Internet service provider by which the Internet connection is
  provided.
- Primary DNS Server: It specifies the IP address of your ISP's primary DNS server. If
  the Internet connection is refreshed, your ISP may update it to a new IP address.
- Secondary DNS Server: It specifies the IP address of your ISP's secondary DNS
  server. If it is available, you may set it. Otherwise, please leave it blank.
- Advanced Options: Click it to view and configure advanced parameters. In most
  cases, you need not configure them.
- MAC Address: It specifies the MAC address of the WAN interface. In most cases,
  please leave the default value.
- Proxy ARP: It allows you to enable or disable proxy ARP on the WAN interface. The
  available options are Disabled, Enabled and Nat.
  - Disabled: Select it to disable the proxy ARP on the WAN interface.
  - Enabled: Select it to enable the proxy ARP on the WAN interface.
  - Nat: Select it to enable the NAT proxy ARP on the WAN interface.
- Mode: It specifies the speed and duplex mode of the WAN interface. The Device
  supports five or six modes (Note that only the gigabit WAN interface supports
  1000M-HD), which include Auto (Auto-negotiation), 100M-FD (100M Full-Duplex),
  100M-HD (100M Half-Duplex), 10M-FD (10M Full-Duplex), 10M-HD (10M
  Half-Duplex), and 1000M-FD (1000M Full-Duplex). In most cases, please leave the
  default value. If a compatibility problem occurs, or the network device connected to
  the WAN interface doesn't support auto-negotiation, you may modify it as
  required.
- Save: Click it to save the DHCP Internet connection settings.
6.2.2.4 How to Delete the Internet Connection
Figure 6-8 Delete the Internet Connection
If you want to delete a configured Internet connection, first go to the Basic > WAN > WAN List
page, and then click Delete for the connection in the WAN List (see Figure 6-8). The
system will pop up a prompt dialog box (see Figure 6-9). Then click OK to delete the
connection, or click Cancel to cancel the operation.
Figure 6-9 Prompt Dialog Box - Delete an Internet Connection
Note
You can only delete one Internet connection at a time. The WAN1 Internet connection
can only be deleted last, that is, when there is no other connection in the WAN
List.
6.2.2.5 Related Default Routes
After you have finished configuring the WAN1 Internet connection through the Quick
Wizard, or configuring the WAN1 Internet connection and other connections in this page,
the Device will automatically create a default route for each Internet connection
respectively. You can go to the Status > Route Stats page to view their status information
in the Routing Table. A default route's Destination IP/Mask is 0.0.0.0/0.
6.3 Load Balancing
This section describes the Basic > Load Balancing page. Note that the second-level menu
Load Balancing is displayed only after you have configured more than one Internet
connection.
When using multiple Internet connections, you can configure load balancing related
parameters, such as the load balancing policy, load balancing mode, detection method,
detection interval, retry times, and ID binding.
6.3.1 Introduction to Load Balancing and Failover
6.3.1.1 Internet Connection Detection Mechanism
When using multiple Internet connections, the Device should be able to monitor each
Internet connection in real time, so that the network is not interrupted even if a
connection is faulty. To this end, we designed a flexible automatic detection mechanism on
the Device, and provide multiple detection methods to meet actual requirements.
For the sake of convenience, we first introduce several related parameters:
Detection Target IP, Detection Interval, Retry Times, and Detection Period.
- Detection Target IP: It indicates the IP address of a target device. The Device will
  monitor an Internet connection by sending detection packets to the specified
  target IP address.
- Detection Interval: It indicates the time interval at which the Device periodically
  sends detection packets, one packet at a time. The default value is 1000 milliseconds.
  If you don't want to monitor an Internet connection, please set it to 0.
- Retry Times: It indicates the number of retries per detection period. The default
  value is 3.
- Detection Period: It indicates the period of time during which the Device detects
  whether the Internet connection is available or not. Its value is the product of
  Detection Interval and Retry Times. For example, by default, its value is 3000
  (1000 × 3 = 3000) milliseconds.
The detection mechanisms for a normal Internet connection and for a faulty Internet
connection are different; the following describes each in turn.
For a normal Internet connection, the detection mechanism is as follows: The Device
periodically sends a detection packet at the specified time interval to the target IP address.
If no response packet is received during a detection period, the Device will consider
the connection faulty and shield it immediately. For example, by default, if the Device
has sent three detection packets but has not received any response packet during a
detection period, it will consider the connection faulty.
For a faulty Internet connection, the detection mechanism is as follows: The
Device likewise periodically sends a detection packet at the specified time interval to the
target IP address. If more than half of the response packets are received during a
detection period, the Device will consider that the connection is back to normal and enable
it immediately. For example, by default, if the Device has sent three detection packets and
received two response packets during a detection period, it will consider that the
connection is back to normal.
Note
If you don't want to monitor an Internet connection, please set its Detection Interval
to 0.
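The two detection rules above form a small state machine with hysteresis: a normal connection is shielded only after a period with no replies at all, and a faulty one is re-enabled only after a period in which more than half of the probes are answered. The following added example (not UTT code) models it; treating detection periods as consecutive, non-overlapping groups of Retry Times probes is an assumption, since the manual does not say how periods are aligned.

```python
from dataclasses import dataclass, field


@dataclass
class LinkMonitor:
    detection_interval_ms: int = 1000   # default from the manual
    retry_times: int = 3                # default from the manual
    state: str = "normal"               # "normal" or "faulty" (shielded)
    sent: int = field(default=0, init=False)        # probes in current period
    replies: int = field(default=0, init=False)     # replies in current period
    elapsed_ms: int = field(default=0, init=False)

    def __post_init__(self):
        # The manual allows 0 (detection disabled) or 1000..60000 milliseconds.
        if self.detection_interval_ms != 0 and not (
            1000 <= self.detection_interval_ms <= 60000
        ):
            raise ValueError("Detection Interval must be 0 or 1000-60000 ms")
        if self.retry_times < 1:
            raise ValueError("Retry Times must be at least 1")

    @property
    def detection_period_ms(self) -> int:
        """Detection Period = Detection Interval x Retry Times."""
        return self.detection_interval_ms * self.retry_times

    def probe(self, replied: bool) -> str:
        """Record the outcome of one detection packet; return the state."""
        if self.detection_interval_ms == 0:
            return self.state                  # detection disabled
        self.elapsed_ms += self.detection_interval_ms
        self.sent += 1
        self.replies += bool(replied)
        if self.sent == self.retry_times:      # a detection period has ended
            if self.state == "normal" and self.replies == 0:
                self.state = "faulty"          # no reply at all: shield it
            elif self.state == "faulty" and self.replies * 2 > self.retry_times:
                self.state = "normal"          # more than half replied
            self.sent = self.replies = 0
        return self.state


def replay_probes(outcomes: str, **settings) -> list:
    """Feed probe outcomes ('1' = reply, '0' = no reply) to a fresh monitor.

    Returns the list of (elapsed_ms, new_state) transitions.
    """
    monitor = LinkMonitor(**settings)
    transitions = []
    for outcome in outcomes:
        before = monitor.state
        after = monitor.probe(outcome == "1")
        if after != before:
            transitions.append((monitor.elapsed_ms, after))
    return transitions


if __name__ == "__main__":
    # Constructed probe trace: healthy, total outage, one reply, two replies.
    print(replay_probes("111" "000" "100" "110"))
    # A connection losing two probes out of three is never shielded.
    print(replay_probes("100100100"))
```

Note the asymmetry this shows: a connection that answers only one probe in three stays in service while it is normal, but the same reply rate is not enough to bring a shielded connection back.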
6.3.1.2 Load Balancing Mode
The Device provides two connection groups: the primary connection group and the backup
connection group. An Internet connection belonging to the primary connection group is a
primary connection, while an Internet connection belonging to the backup connection
group is a backup connection. By default, all the Internet connections are primary
connections. You can move one or more connections into the backup connection
group, but the WAN1 Internet connection can only be used as a primary connection.
The Device provides two load balancing modes: Full Load Balancing and Partial Load
Balancing.
If you choose to use Full Load Balancing, all the Internet connections are used as
primary connections. The operation principle is as follows:
1. If all the Internet connections are normal, the LAN users will use these connections to
   access the Internet.
2. If an Internet connection is faulty, the Device will shield it immediately, and the traffic
   through the faulty connection will be distributed to other normal connections
   automatically.
3. Once the faulty connection is back to normal, the Device will enable it immediately,
   and the traffic will be redistributed automatically.
If you choose to use Partial Load Balancing, some Internet connections are used as
primary connections, and others are used as backup connections. The operation principle
is as follows:
1. As long as one or more primary connections are normal, the LAN users will use the
   primary connection(s) to access the Internet. In this case, if there is more than one
   primary connection, the Device will control and balance the traffic among these
   connections.
2. If all the primary connections are faulty, it will automatically switch to the backup
   connection(s) to let the LAN users use them to access the Internet. In this case, if
   there is more than one backup connection, the Device will control and balance the
   traffic among these connections.
3. Once one or more faulty primary connections are back to normal, it will automatically
   switch back to the primary connection(s).
Note
During connection switching, some user applications (such as some online games)
may be interrupted unexpectedly due to the nature of TCP connections. UTT
Technologies Co., Ltd. will not bear all the losses and legal proceedings caused by it.
6.3.1.3 Internet Connection Detection Method
The Device provides three detection methods: ICMP, ARP and DNS. It allows you to
select one of them to monitor the Internet connections. Note that you can only select a
single Detection Method for all the Internet connections, but can set different Detection
Target, Detection Interval, and Retry Times for each Internet connection respectively. The
descriptions of each detection mode are as follows:
- ICMP: The Device will monitor an Internet connection by sending ICMP echo request
  packets to the target IP address you specify. In this case, the target IP address can be
  either the connection's default gateway IP address or another public IP address you
  specify.
- ARP: The Device will monitor an Internet connection by sending ARP request
  packets to the connection's default gateway IP address.
- DNS: The Device will monitor an Internet connection by sending DNS query packets
  to the public DNS server IP address you specify.
The following table describes the detection target IP supported by each detection method,
and the restrictions on using each detection method. Therein, Gateway IP Address
indicates the IP address of the Internet connection's default gateway; Other IP Address
indicates an appropriate public IP address other than the gateway IP address.
| Detection Method | Detection Target IP | Description |
|------------------|---------------------|-------------|
| ICMP | Gateway IP Address, Other IP Address | The detection target IP can be either the gateway IP address or other public IP address. |
| ARP | Gateway IP Address | The detection target IP should be the gateway IP address. You cannot perform ARP request test on a PPPoE Internet connection. |
| DNS | Other IP Address | The detection target IP should be a public DNS server's IP address. |

Table 6-4 Detection Method and Detection Target IP
In practice, it is suggested that you choose a detection method according to the following
points:
1. As the ICMP method has high sensitivity and accuracy, it is suggested that you choose
   the ICMP method to perform an ICMP echo test (ping) on the Internet connection. In most
   cases, please use the connection's default gateway IP address as the detection
   target IP; but if ping response is disabled on the default gateway, you should choose
   another appropriate public IP address as the detection target IP.
2. The ARP method applies to a network environment in which ping response is
   disabled. Note that when performing an ARP request test, the detection target IP should
   be the gateway IP address; and you cannot perform an ARP request test on a PPPoE
   Internet connection.
3. The DNS method applies to a network environment in which the Internet connection
   is always connected, but the access time is restricted by the ISP. Note that when
   performing a DNS query test, the detection target IP should be an appropriate public
   DNS server IP address; and it is suggested that you use your ISP's DNS server IP
   address. Moreover, you cannot choose any DNS server used by the LAN hosts as the
   detection target; otherwise, those LAN hosts can only use the current Internet
   connection to access the Internet, but cannot use other Internet connections.
4. As a PPPoE connection automatically uses the LCP (Link Control Protocol) echo
   mechanism to validate link availability, the Device will not use the ICMP, ARP or DNS
   method to monitor the PPPoE Internet connection by default (its Detection Interval is
   set to 0). If needed, the Device can perform an ICMP echo or DNS query test on the
   PPPoE connection in addition to the LCP echo mechanism, but the detection target
   cannot be the default gateway when choosing the ICMP method.
6.3.2 The Operation Principle of Load Balancing
No matter what Load Balancing Mode you choose, as long as there is more than one
primary Internet connection, the Device will implement load balancing among these
connections. The following sections describe the operation principle and the
characteristics of the load balancing feature.
6.3.2.1 Allocating Traffic according to Connection Bandwidth
The Device allows you to designate in advance the ratio of traffic that will be allocated to
each Internet connection. You do this by specifying each Internet connection's Weight:
a connection with a larger Weight will take more traffic than a connection with a
smaller Weight. In most cases, to allocate traffic properly, you may
specify each connection's Weight according to the ratio of each connection's bandwidth.
For example, we assume that a business has four Internet connections: connection A,
connection B, connection C, and connection D. Their bandwidths are 10M, 6M, 4M and
4M respectively. There are two cases:
- In the case of Full Load Balancing, as all of the four Internet connections are used
  as primary connections, we may set each connection's Weight to 5, 3, 2, and 2
  respectively.
- In the case of Partial Load Balancing, let's assume that connection A and B are
  used as primary connections, and connection C and D are used as backup
  connections; then we may set connection A's and B's Weight to 5 and 3 respectively,
  and set both connection C's and D's Weight to 1.
6.3.2.2 Two Load Balancing Policies
The Load Balancing Policy is used to control and balance the traffic among multiple
Internet connections. And the Device provides two load balancing policies: load balancing
based on IP address and load balancing based on NAT session. Their implementation
mechanisms are as follows.
1. Load Balancing Based on IP Address
Note that here we assume that each LAN host only has one IP address.
If you choose IP address as the load balancing policy, the Device will assign the LAN
hosts' IP addresses to each Internet connection in turn. The ratio of the numbers of IP
addresses assigned to each connection is the same as the ratio of each connection's Weight.
In this case, the NAT sessions initiated from the same IP address will use the same
connection, that is, a LAN host will use only one Internet connection to access the
Internet.
For example, there are three Internet connections whose Weights are 3, 2 and 1
respectively. Then, in the order in which they access the Internet, the first, second and
third LAN hosts will use the first connection, the fourth and fifth LAN hosts will use the
second connection, and the sixth LAN host will use the third connection; in turn the
seventh, eighth and ninth LAN hosts will use the first connection, and so on.
2. Load Balancing Based on NAT Session
If you choose NAT session as the load balancing policy, the Device will assign the NAT
sessions to each Internet connection in turn. The ratio of the numbers of NAT sessions
assigned to each connection is the same as the ratio of each connection's Weight. In
this case, the NAT sessions initiated from the same LAN host will use different
connections, that is, a LAN host will use multiple connections to access the Internet.
For example, there are three Internet connections whose Weights are 3, 2 and 1
respectively. Then, in the order in which they access the Internet, the first, second and
third NAT sessions initiated from the LAN hosts will use the first connection, the fourth and
fifth NAT sessions will use the second connection, and the sixth NAT session will use the
third connection; in turn the seventh, eighth and ninth NAT sessions will use the first
connection, and so on.
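The weight calculation of section 6.3.2.1 and the two policies above can be reproduced with a weighted rotation. The following is an added example, not UTT code: the class and function names are hypothetical, the LAN addresses are constructed, and the rotation order (all of one connection's slots before the next) is taken from the manual's 3:2:1 examples.

```python
from functools import reduce
from itertools import cycle
from math import gcd


def weights_from_bandwidth(bandwidth_mbps: dict) -> dict:
    """Reduce integer bandwidths to the smallest weights with the same ratio."""
    if not bandwidth_mbps or any(
        not isinstance(bw, int) or bw < 1 for bw in bandwidth_mbps.values()
    ):
        raise ValueError("bandwidths must be positive integers")
    divisor = reduce(gcd, bandwidth_mbps.values())
    return {name: bw // divisor for name, bw in bandwidth_mbps.items()}


class LoadBalancer:
    """Weighted rotation over Internet connections.

    policy="ip":      a LAN host keeps the connection it was first given.
    policy="session": every new NAT session takes the next slot.
    """

    def __init__(self, weights: dict, policy: str):
        if policy not in ("ip", "session"):
            raise ValueError("policy must be 'ip' or 'session'")
        if not weights or any(w < 1 for w in weights.values()):
            raise ValueError("every connection needs a Weight of at least 1")
        # One round of the rotation: Weights 3:2:1 expand to A A A B B C.
        one_round = [name for name, w in weights.items() for _ in range(w)]
        self._slots = cycle(one_round)
        self._host_connection = {}
        self.policy = policy

    def new_session(self, src_ip: str) -> str:
        """Return the connection used by a new NAT session from src_ip."""
        if self.policy == "session":
            return next(self._slots)
        if src_ip not in self._host_connection:
            self._host_connection[src_ip] = next(self._slots)
        return self._host_connection[src_ip]


def route_sessions(weights: dict, policy: str, sources: list) -> list:
    """Return the connection chosen for each new session, in arrival order."""
    balancer = LoadBalancer(weights, policy)
    return [balancer.new_session(src) for src in sources]


def connections_per_host(sources: list, connections: list) -> dict:
    """Map each source IP to the sorted list of connections it ended up using."""
    used = {}
    for src, conn in zip(sources, connections):
        used.setdefault(src, set()).add(conn)
    return {src: sorted(conns) for src, conns in used.items()}


if __name__ == "__main__":
    # Bandwidths from the manual's example: 10M, 6M, 4M and 4M.
    print(weights_from_bandwidth({"A": 10, "B": 6, "C": 4, "D": 4}))

    weights = {"A": 3, "B": 2, "C": 1}          # the manual's 3:2:1 example
    nine_hosts = [f"192.168.1.{n}" for n in range(1, 10)]   # constructed
    print(route_sessions(weights, "ip", nine_hosts))

    one_host = ["192.168.1.1"] * 6              # six sessions from one host
    for policy in ("ip", "session"):
        chosen = route_sessions(weights, policy, one_host)
        print(policy, connections_per_host(one_host, chosen))
```

Under the session policy the single host leaves through all three connections, so a remote service sees its sessions arrive from different public addresses; this is the identity change that section 6.3.3 (ID Binding) addresses.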
3. How to Choose the Load Balancing Policy
In most cases, it is suggested that you choose IP address as the load balancing policy. If
you want to use some applications that need high bandwidth, such as NetAnts,
FlashGet, Net Transport, and other multi-threaded download managers (multi-threaded
download means that the application can split a file into several pieces, download the
pieces simultaneously, and merge them together once downloaded), you may choose NAT
session as the load balancing policy to take full advantage of the multiple Internet
connections' bandwidth and increase download speed. Note that even if you choose NAT
session as the load balancing policy, the bandwidth of the Internet connections may not be
fully aggregated because the download website is busy or for other reasons, so
some applications may not run smoothly.
6.3.3 ID Binding
When using multiple Internet connections, if Load Balancing Policy is set to NAT
Session, the NAT sessions of the same application will be assigned to the different
connections, thus some applications (such as online banking, QQ, etc.) cannot be used
normally due to the identity change. We provide ID binding feature to solve this problem:
After you enable ID binding, the Device will assign the NAT sessions of the same
application to the same Internet connection. For example, when a LAN user logs in to an
online banking system, if the first NAT session is assigned to the WAN2 Internet
connection, henceforth all the subsequent NAT sessions of the online banking application
will be assigned to the WAN2 connection until the user logs out.
Figure 6-10 Enable ID Binding
- Enable ID Binding: It allows you to enable or disable ID binding. If you want to
  enable ID binding feature for some applications such as online banking, QQ, etc.,
  please select this check box.
- Save: Click it to save your settings.
6.3.4 Load Balancing Global Settings
The following sections describe the global settings related to Full Load Balancing and
Partial Load Balancing respectively. For more information about them, please refer to
section 6.3.1.2 Load Balancing Mode.
6.3.4.1 Global Settings - Full Load Balancing
Figure 6-11 Global Settings - Full Load Balancing
- Detection Method: It specifies the detection method which is used to monitor
  Internet connections. The Device provides three detection methods: ICMP, ARP and
  DNS. For more information about them, please refer to section 6.3.1.3 Internet
  Connection Detection Method.
  - ICMP: The Device will monitor an Internet connection by sending ICMP echo
    request packets to the target IP address you specify. In this case, the target IP
    address can be either the connection's default gateway IP address or another
    public IP address you specify.
  - ARP: The Device will monitor an Internet connection by sending ARP request
    packets to the connection's default gateway IP address.
  - DNS: The Device will monitor an Internet connection by sending DNS query
    packets to the public DNS server IP address you specify.
- Load Balancing Policy: It specifies the policy which is used to control and balance
  the traffic among multiple Internet connections. The available options are IP Address
  and NAT Session, and the default value is IP Address. Refer to section 6.3.2.2 Two
  Load Balancing Policies for more information.
- Load Balancing Mode: It specifies the mode of load balancing. Here please select
  Full Load Balancing. Refer to section 6.3.1.2 Load Balancing Mode for more
  information.
- Save: Click it to save the load balancing global settings.
6.3.4.2 Global Settings - Partial Load Balancing
Figure 6-12 Global Settings - Partial Load Balancing
Please refer to section 6.3.4.1 Full Load Balancing for detailed description of the
Detection Method and Load Balancing Policy.
- Load Balancing Mode: It specifies the mode of load balancing. Here please select
  Partial Load Balancing. Refer to section 6.3.1.2 Load Balancing Mode for more
  information.
- Primary: It specifies the primary connection group. An Internet connection in the
  Primary list box is a primary connection. Refer to section 6.3.1.2 Load Balancing
  Mode for more information.
- Backup: It specifies the backup connection group. An Internet connection in the
  Backup list box is a backup connection. Refer to section 6.3.1.2 Load Balancing
  Mode for more information.
- ==>: Select one or more Internet connections in the Primary list box, and then click
  ==> to move the selected connection(s) to the Backup list box.
- <==: Select one or more Internet connections in the Backup list box, and then click
  <== to move the selected connection(s) to the Primary list box.
- Save: Click it to save the load balancing global settings.
Note
1. The WAN1 Internet Connection can only be located in the Primary list box, that is,
   you cannot move it to the Backup list box.
2. If you change the Load Balancing Mode from Partial Load Balancing to Full Load
   Balancing and click the Save button to save the change, the Device will
   automatically move all the Internet connection(s) in the Backup list box to the
   Primary list box.
3. If you move all the Internet connection(s) in the Backup list box to the Primary list
   box and click the Save button to save the change, or delete all the backup connections in
   the Basic > WAN > WAN List page, the Device will automatically switch the Load
   Balancing Mode from Partial Load Balancing to Full Load Balancing.
6.3.5 Detection and Weight Settings
Note
In the Basic > Load Balancing > Detection & Weight page, you can configure the
connection detection related parameters (Detection Target IP, Detection Interval,
Retry Times) and Weight for each Internet connection respectively. The operation is
as follows: Click the Edit hyperlink of an Internet connection in the Load Balancing
List to go to Detection & Weight setup page, and then configure those parameters
for the selected Internet connection, lastly click the Save button.
Figure 6-13 Detection and Weight Settings
—
Detection Target IP: It indicates the IP address of a detection target device. The
Device will monitor an Internet connection by sending the detection packets to the
detection target IP address. If you select Gateway IP Address from the drop-down
list, the Device will send the detection packets to the selected Internet connection's
default gateway. If you select Other IP Address from the drop-down list, you need
to enter an appropriate public IP address in the associated text box; the Device will
then send the detection packets to this IP address.
—
Detection Interval: It specifies the time interval at which the Device periodically
sends detection packets, one packet at a time. The default value is 1000 milliseconds.
It should be between 1000 and 60000 milliseconds, or 0; and 0 means that
connection detection is disabled on the selected Internet connection.
—
Retry Times: It specifies the number of retries per detection period. The default value
is 3.
—
Weight: It specifies the weight of the selected Internet connection. Refer to section
6.3.2.1 Allocating Traffic according to Connection Bandwidth for more
information about how to set it.
ž
Save: Click it to save the detection and weight settings of the selected Internet
connection.
Note
The Detection Target IP, Detection Interval, and Retry Times are connection
detection related parameters. For more information about them, please refer to
section 6.3.1.1 Internet Connection Detection Mechanism.
6.3.6 Load Balancing List
Figure 6-14 Load Balancing List
ž
Edit an Internet Connection: If you want to configure or modify the detection related
parameters and Weight of an Internet connection, click its Edit hyperlink, the related
information will be displayed in the Detection & Weight page. Then configure or
modify it, and click the Save button.
ž
View Load Balancing List: When you have configured load balancing global
parameters, and detection and weight settings for one or more Internet connections,
you can view the related configuration and status information in the Load Balancing
List.
ž
Refresh Load Balancing List: Click the Refresh button to view the latest
information in the list.
6.3.7 How to Configure Load Balancing
6.3.7.1 The Process of Configuring Load Balancing
The Load Balancing secondary menu is displayed only after you have configured more
than one Internet connection. The process of configuring load balancing is as
follows:
1.
Go to the Basic > WAN page, configure the WAN1 Internet connection firstly, and
then configure other Internet connection(s) as required. Note that you also can
configure the WAN1 connection through the Quick Wizard.
2.
Go to the Basic > Load Balancing page, click the Edit hyperlink of an Internet
connection in the Load Balancing List to go to the Detection & Weight page to
configure detection related parameters and Weight for the selected connection. Then
continue to configure these parameters for other connection(s) one by one.
3.
Go to the Basic > Load Balancing > Global Settings page to configure global
parameters as required.
4.
Go to the Basic > Load Balancing > ID Binding page to enable ID binding feature if
needed.
6.3.7.2 The Configuration Steps of Connection Detection and
Weight
Step 1
Go to the Basic > Load Balancing page.
Step 2
Click the Edit hyperlink of an Internet connection in the Load Balancing List to
go to the Detection & Weight page.
Step 3
Configure the connection detection related parameters (Detection Target IP,
Detection Interval, Retry Times) and Weight for the selected Internet
connection as required.
Step 4
Click the Save button to save the detection and weight settings for the selected
Internet connection.
Step 5
If you want to configure the connection detection related parameters and
Weight for another Internet connection, please repeat the above steps.
6.3.7.3 The Configuration Steps of Load Balancing Global
Settings
Step 1
Go to the Basic > Load Balancing > Global Settings page.
Step 2
Specify the Detection Method as required.
Step 3
Specify the Load Balancing Policy as required.
Step 4
Specify the Load Balancing Mode as required. If you choose Partial Load
Balancing as Load Balancing Mode, you need to move one or more Internet
connections from the Primary list box to the Backup list box according to
actual requirements.
Step 5
Click the Save button to save the load balancing global settings.
6.3.7.4 The Configuration Steps of ID Binding
Step 1
Go to the Basic > Load Balancing > ID Binding page.
Step 2
Select the Enable ID Binding check box if needed.
Step 3
Click the Save button to save the ID binding settings.
6.3.8 Related Detection Route
When connection detection is enabled on an Internet connection (i.e., Detection Interval
is more than 0), the Device will automatically create a detection route for the connection to
ensure that the detection packets are forwarded through it. You can view the detection
route configuration in the Static Route List on the Advanced > Static Route page. Refer
to section 7.1.1.2 System Reserved Static Routes for more information about detection
routes.
Note
For a static IP or DHCP Internet connection, when its Detection Target IP is set to
Gateway IP Address, the system will directly use its default route to forward
detection packets to monitor the connection. That is, the default route also acts as a
detection route.
6.4 DHCP & DNS
This section describes the Basic > DHCP & DNS page.
The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing
configuration information to hosts on a TCP/IP network. DHCP allows a host to be configured
automatically, eliminating the need for intervention by a network administrator. The Device
can act as a DHCP server to assign network addresses and deliver other TCP/IP
configuration parameters (such as gateway IP address, DNS server IP address, WINS
server IP address, etc.) to the LAN hosts.
6.4.1 DHCP Server
Figure 6-15 DHCP Server Settings
—
Enable DHCP Server: It allows you to enable or disable DHCP server. If you want to
enable DHCP server on the Device, please select this check box.
—
Start IP Address: It specifies the starting IP address assigned by the DHCP server.
In most cases, this address should be on the same subnet as the Device's LAN IP
address.
—
Subnet Mask: It specifies the subnet mask of the IP addresses assigned by the
DHCP server. In most cases, this subnet mask should be the same as the Device's
LAN subnet mask.
—
Number of Addresses: It specifies the maximum number of IP addresses that can
be assigned by the DHCP server.
—
Default Gateway: It specifies the IP address of the default gateway for a DHCP client.
In most cases, this address should be the same as the Device's LAN IP address,
that is, the Device is used as the default gateway for the LAN hosts.
—
Lease Time: It specifies a length of time (in seconds) during which a client host can
use an assigned IP address. If the lease expires, the client is automatically assigned
a new dynamic IP address. Before the lease expires, the client typically needs to
renew its address lease assignment with the server. The default value is 3600
seconds.
—
Primary DNS Server: It specifies the IP address of the primary DNS server that is
available to a DHCP client. If you have already set the Primary DNS Server through
the Quick Wizard or in the Basic > WAN page, the Device will automatically set up
the same value here.
—
Secondary DNS Server: It specifies the IP address of the secondary DNS server
that is available to a DHCP client. If you have already set the Secondary DNS
Server through the Quick Wizard or in the Basic > WAN page, the Device will
automatically set up the same value here.
ž
Save: Click it to save the DHCP server settings.
Note
If you want a LAN host to obtain an IP address and other TCP/IP parameters from the
Device's built-in DHCP server, please select the Obtain an IP address
automatically option in the TCP/IP properties dialog box on the host.
6.4.2 DHCP Auto Binding
If the hosts on your LAN change frequently, configuring DHCP manual bindings is
very troublesome. Using the ARP Spoofing Defense feature (see section 12.1.1 Internal
Attack Defense) also needs periodic maintenance. As a result, there are usually some
users who can't access the Device and Internet. To deal with these issues, the Device
provides the DHCP auto binding feature.
Once the DHCP auto binding is enabled, the Device will immediately scan the LAN to
detect active hosts connected to the Device, learn dynamic ARP information and bind the
related valid IP and MAC address pairs. After that, when a client host obtains an IP
address from the Device that acts as a DHCP server, the Device will immediately bind this
host's IP and MAC address pair. So it can effectively protect the Device and LAN hosts
against ARP Spoofing.
Figure 6-16 DHCP Auto Binding
—
Enable DHCP Auto Binding: It allows you to enable or disable DHCP auto binding. If
you select this check box to enable DHCP auto binding, once a LAN host obtains an
IP address from the Device that acts as a DHCP server, the Device will immediately
bind this host's IP and MAC address pair. Otherwise, the Device will not perform the
auto binding operation.
—
Enable DHCP Auto Deleting: It allows you to enable or disable DHCP auto deleting.
If you select this check box to enable DHCP auto deleting, the Device will
automatically delete a DHCP auto binding entry if the corresponding host releases
the IP address itself or its lease expires. Otherwise, the Device will not perform the
auto deleting operation.
ž
Save: Click it to save your settings.
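The interplay of the two check boxes in this section, modelled as an added Python example (not UTT firmware code). The manual does not say here how the Device treats a pair that contradicts an existing binding, so keeping the old binding and rejecting the new pair is an assumption of this model; all addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class AutoBindingTable:
    auto_binding: bool = True    # "Enable DHCP Auto Binding" check box
    auto_deleting: bool = True   # "Enable DHCP Auto Deleting" check box
    bindings: dict = field(default_factory=dict)    # IP address -> MAC address
    conflicts: list = field(default_factory=list)   # (ip, bound_mac, rejected_mac)

    def _bind(self, ip, mac):
        mac = mac.lower()
        bound = self.bindings.setdefault(ip, mac)
        if bound != mac:
            # Assumption: an existing binding is kept and the new pair is rejected.
            self.conflicts.append((ip, bound, mac))
        return bound == mac

    def scan_lan(self, arp_entries):
        """Enabling the feature: bind the pairs learned from dynamic ARP information."""
        if self.auto_binding:
            for ip, mac in arp_entries:
                self._bind(ip, mac)

    def on_lease(self, ip, mac):
        """A client obtained an address from the built-in DHCP server."""
        return self._bind(ip, mac) if self.auto_binding else False

    def on_release_or_expiry(self, ip):
        """The host released the address or its lease expired."""
        if self.auto_deleting:
            self.bindings.pop(ip, None)

    def check(self, ip, mac):
        """Classify an observed IP/MAC claim (for example from an ARP reply)."""
        bound = self.bindings.get(ip)
        if bound is None:
            return "unbound"
        return "ok" if bound == mac.lower() else "mismatch"


def run_scenario(auto_deleting):
    """Constructed sequence: scan, lease, three claims, expiry, re-assignment."""
    table = AutoBindingTable(auto_deleting=auto_deleting)
    table.scan_lan([("192.168.16.10", "00:11:22:AA:BB:01")])
    table.on_lease("192.168.16.20", "00:11:22:AA:BB:02")
    verdicts = [
        table.check("192.168.16.20", "00:11:22:aa:bb:02"),   # the lease holder
        table.check("192.168.16.20", "00:11:22:aa:bb:99"),   # another MAC claims the IP
        table.check("192.168.16.30", "00:11:22:aa:bb:04"),   # host that was never bound
    ]
    table.on_release_or_expiry("192.168.16.20")              # the lease expires
    table.on_lease("192.168.16.20", "00:11:22:AA:BB:03")     # address goes to a new host
    verdicts.append(table.check("192.168.16.20", "00:11:22:aa:bb:03"))
    return verdicts, table.conflicts


if __name__ == "__main__":
    for flag in (True, False):
        print("auto deleting", flag, "->", run_scenario(flag))
```

With auto deleting off, the stale entry makes the new lease holder look like a mismatch, which is the maintenance problem the section describes. Addresses that were never bound are reported as "unbound" and are not covered by the check at all.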
6.4.3 DNS Proxy
When acting as a DNS proxy, the Device listens for incoming DNS requests on the LAN
interface, relays the DNS requests to the current public network DNS servers, and replies
as a DNS resolver to the requesting LAN hosts.
Figure 6-17 Enable DNS Proxy
—
Enable DNS Proxy: It allows you to enable or disable DNS proxy. If you want to
enable DNS proxy on the Device, please select this check box.
ž
Save: Click it to save the DNS proxy settings.
Note
1.
If the DNS proxy is enabled on the Device, in order to use DNS proxy service
normally, you need to set the LAN hosts' primary DNS server to the Device's LAN IP
address. Note: If the DHCP server is also enabled on the Device, the Device will
assign its LAN IP address as the primary DNS server address to the LAN hosts
automatically.
2.
To ensure that the DNS proxy works well, you should at least specify the primary
DNS server provided by your ISP on the Device. You can also specify the
secondary DNS server if it is provided by your ISP.
3.
The Device can act as a DNS proxy server to all LAN users; this greatly simplifies the
LAN hosts setup. For example, there is a LAN DNS proxy server on which DNS
proxy software is installed (e.g., Wingate), and the LAN users take this server's IP
address as the primary DNS server address. Now, the Device will be used as a new
gateway for the LAN hosts. In this case, in order to use DNS proxy service normally,
the administrator only needs to change the Device's LAN IP address to the old DNS
proxy server's IP address, and enable DNS proxy on the Device, without modifying the
LAN hosts' related settings.
Chapter 7 Advanced Setup
This chapter describes how to configure and use the Device advanced features, which
include static route, policy-based routing, DNS redirection, Plug and Play, SNMP,
SYSLOG, DDNS, and switch, and so on.
7.1 Static Route
This section describes the Advanced > Static Route page.
In this page, you can configure not only static routes, but also static route PDBs (PDB:
Policy Database). Using static route PDBs, you can create a large batch of static routes at
a time, so that the traffic destined for one ISP's servers will be forwarded through this ISP's
connection, but not another ISP's connection.
The following describes how to configure and use static routes and static route PDBs.
7.1.1 Static Route
7.1.1.1 Introduction to Static Route
A static route is manually configured by the network administrator and stored in the
routing table. By using the routing table, the Device can select an optimal transmission path
for each received packet, and forward the packet to the destination site effectively. The
proper usage of static routes can not only improve the network performance, but also
achieve other benefits, such as traffic control and a secure network environment.
The disadvantage of using static routes is that they cannot dynamically adapt to the
current operational state of the network. When there is a change in the network or a failure
occurs, some static routes will be unreachable. In this case, the network administrator
should update the static routes manually.
7.1.1.2 System Reserved Static Routes
In the system, there are two types of reserved static routes: default route and detection
route. The following describes them respectively.
1. Default Routes
A default route is used to forward packets that don't match any other route in the routing
table. The packets will be forwarded to the default gateway specified by the default route.
The default route's destination IP address and subnet mask are both 0.0.0.0.
After you have finished configuring the WAN1 Internet connection through the Quick
Wizard, or configuring the WAN1 Internet connection and other connections in the Basic >
WAN page, the Device will automatically create a default route for each Internet
connection respectively. You can go to the Status > Route Stats page to view their status
information in the Routing Table. A default route's Destination IP/Mask is 0.0.0.0/0.
2. Detection Routes
If connection detection is enabled on an Internet connection (i.e., the Detection Interval
is more than 0) in the Basic > Load Balancing page, the Device will automatically create
a detection route for the connection to ensure that the detection packets are forwarded
through it. You can view the detection route configuration in the Static Route List on this
page. Table 7-1 provides the IDs of detection routes for the Internet connections with
different interfaces and connection types.
Note
For a static IP or DHCP Internet connection, when its Detection Target IP is set to
Gateway IP Address, the system will directly use its default route to forward
detection packets to monitor the connection. That is, the default route also acts as a
detection route.
Internet Connection                      Detection Route ID
Physical Interface   Connection Type
WAN1                 Static IP           Detect
WAN1                 DHCP                Detect
WAN1                 PPPoE               Detect
WAN2                 Static IP           DETEFIX_03
WAN2                 DHCP                DETEDYN_03
WAN2                 PPPoE               DETEPPP_01
WAN3                 Static IP           DETEFIX_04
WAN3                 DHCP                DETEDYN_04
WAN3                 PPPoE               DETEPPP_02
WAN4                 Static IP           DETEFIX_05
WAN4                 DHCP                DETEDYN_05
WAN4                 PPPoE               DETEPPP_03
Table 7-1 Reserved Detection Route Name
7.1.1.3 Static Route Settings
Figure 7-1 Static Route Settings
—
Predefined: When creating a static route, please leave the default value of None.
Else, select one predefined route PDB (policy database).
—
Destination IP: It specifies the IP address of the destination network or destination
host.
—
Subnet Mask: It specifies the subnet mask associated with the destination network.
—
Gateway IP Address: It specifies the IP address of the next hop gateway or router to
which to forward the packets.
—
Bind to: It specifies an outbound interface through which the packets are forwarded
to the next hop gateway or router. The available options are the name of each
physical interface, and Local. Local means internal soft-route interface, and the
packets will be forwarded to the Device itself.
—
Description: It specifies the description of the static route. When creating a static
route, you may enter the description for it. Else, the description is provided by the
system.
—
Detection Interval: It is the same as the Detection Interval in the Basic > Load
Balancing > Detection & Weight page. Only the detection route needs it. It specifies
the time interval at which the Device sends the detection packets to detect the
corresponding Internet connection status. Refer to section 6.3.5 Detection and
Weight Settings for more information.
—
Priority: It indicates the priority of the route. If there are multiple routes to the same
destination with different priorities, the Device will choose the route with the highest
priority to forward the packets. The smaller the value, the higher the priority.
—
Metric: It indicates the cost of using the route, which is typically the number of hops
to the IP destination. If there are multiple routes with same priority to the same
destination, the Device will choose the route with the lowest metric to forward the
packets.
ž
Save: Click it to save the static route settings.
Note
1.
When creating a static route, you should specify the next hop IP address by the
Gateway IP Address or Bind to. If the outbound interface is a physical interface, you
should specify the Gateway IP Address, but may not specify the Bind to (i.e., leave
it blank). In this case, the Device can select an optimal transmission path. If the
outbound interface is a dial interface related to a dial connection (e.g., PPPoE
connection), you should select the corresponding physical interface from the Bind to
drop-down list, but need not specify the Gateway IP Address (i.e., leave it the default
value 0.0.0.0). In this case, the next hop IP address is assigned by a dial server (e.g.,
PPPoE server).
2.
In most cases, please don't modify the system reserved static routes (e.g., Default,
Detect), so that Internet access is not disrupted.
7.1.1.4 Static Route List
Figure 7-2 Static Route List
ž
Add a Static Route: If you want to add a new static route, click the New button or
select the Route Settings tab to go to the setup page, and then configure it, lastly
click the Save button.
ž
View Static Routes: When you have configured some static routes, you can view
them in the Static Route List.
ž
Edit a Static Route: If you want to modify a configured static route, click its Edit
hyperlink, the related information will be displayed in the setup page. Then modify it,
and click the Save button.
ž
Delete Static Route(s): If you want to delete one or more static routes, select the
leftmost check boxes of them, and then click the Delete button.
ž
Display Routing Table: Click this hyperlink to go to the Status > Route Stats page
to view the current status of all the active routes in the Routing Table.
7.1.1.5 How to Add the Static Routes
If you want to add one or more static routes, do the following:
Step 1
Go to the Advanced > Static Route page.
Step 2
Click the New button or select the Route Settings tab to go to the setup page.
Step 3
Specify the Destination IP and Subnet Mask for the static route.
Step 4
Specify the next hop IP address by the Gateway IP Address or Bind to.
If the outbound interface is a physical interface, you should specify the Gateway IP
Address, but may leave the Bind to blank. In this case, the Device will select an optimal
transmission path.
For example, a static route's destination network is 192.168.1.0/24, gateway IP address is
192.168.1.254, and the outbound interface is a physical interface. Here you should enter
192.168.1.254 in the Gateway IP Address text box, but may leave the Bind to blank. The
Device will select an optimal transmission path. The detailed settings are shown in the
following figure.
Figure 7-3 Static Route Settings - Example One
If the outbound interface is a dial interface, you should select the corresponding physical
interface from the Bind to drop-down list, and leave the Gateway IP Address at the default
value 0.0.0.0. In this case, the next hop IP address is assigned by a dial server (e.g.,
PPPoE server).
For example, a static route's destination network is 218.19.213.45/24, the outbound
interface is a PPPoE dial interface, and the corresponding physical interface is WAN2.
Here you should select WAN2 from the Bind to drop-down list, and leave the
Gateway IP Address at the default value 0.0.0.0. The next hop IP address is assigned by
your ISP's PPPoE server. The detailed settings are shown in the following figure.
Figure 7-4 Static Route Settings - Example Two
Step 5
Specify the Detection Interval if you want to detect connection status.
Step 6
Specify the Priority and Metric for the static route as required.
Step 7
Click the Save button to save the settings. You can view the static route in the
Static Route List.
Step 8
If you want to add another new static route, please repeat the above steps.
Note
If you want to delete one or more static routes, select the leftmost check boxes of
them in the Static Route List, and then click the Delete button.
7.1.2 Static Route Policy Database
Note
The policy database is called PDB for short in this document.
7.1.2.1 Introduction to Static Route PDB
A user (e.g., Internet Café or Business) using multiple Internet connections usually applies
for them from different ISPs, for example, one is a TEL Internet connection, and another is
a CNC Internet connection. In some cases, if packets accessing one ISP's servers are
forwarded through another ISP's connection, the access rate may be very slow, or the
access may even be forbidden. To ensure that the LAN hosts access the servers normally, the
traffic destined for one ISP's servers should be forwarded through this ISP's connection,
but not another ISP's connection. You can easily achieve this by using static route PDBs.
The system provides three predefined route PDBs whose names are TEL, CNC and
ChinaMobile. The TEL PDB is used to access the TEL servers (i.e., the servers provided
by China Network Communications Corporation), the CNC PDB is used to access the
CNC servers (i.e., the servers provided by China Network Communications Corporation),
and the ChinaMobile PDB is used to access the China Mobile servers (i.e., the servers
provided by China Mobile Communications Corporation). The TEL PDB encapsulates many
TEL subnets information (IP addresses and subnet masks), the CNC PDB encapsulates
many CNC subnets information, and the ChinaMobile PDB encapsulates many China
Mobile subnets information. By introducing route PDBs, the users don't need to add static
routes one by one, but can instead create a large batch of static routes at a time. Then the
traffic destined for TEL servers will be forwarded through the TEL connection, the traffic
destined for CNC servers will be forwarded through the CNC Internet connection, and the
traffic destined for China Mobile servers will be forwarded through the China Mobile
connection.
UTT Technologies Co., Ltd. will successively provide more route PDBs according to
actual user requirements. You may go to the Restriction > Policy Database page to view
the route PDBs status information in the Policy Database List, such as version,
reference status, and so on.
In addition, as the IP addresses of ISP servers often change, UTT's technical
engineers will acquire the related information and provide the latest route PDBs
from time to time as required. To make PDBs easier to use, we provide a PDB online update
function. That is, you only need to go to the Restriction > Policy Database page, and click
the Update hyperlink of a route PDB entry in the Policy Database List. Then the Device
will download the latest PDB from the designated web site and apply it automatically.
7.1.2.2 Static Route PDB Settings
Figure 7-5 Static Route PDB Settings
Because each static route PDB encapsulates many IP addresses and subnet masks, you
needn't configure the Destination IP and Subnet Mask when creating a static route PDB
entry as shown in Figure 7-5.
As a route PDB entry's Gateway IP Address, Bind to, Detection Interval, Priority and
Metric are the same as a static route's, please refer to section 7.1.1.3 Static Route
Setup for detailed description.
—
Predefined: You should select a PDB option when creating a static route PDB entry.
The available options are TEL, CNC and ChinaMobile. Note that the TEL PDB
should be bound to a TEL connection, the CNC PDB should be bound to a CNC
connection, and the ChinaMobile PDB should be bound to a China Mobile
connection.
—
Detection Interval: Its value should be 0 for a route PDB entry.
—
Description: Its value is Routing PDB, which is provided by the system
automatically when creating a static route PDB.
—
Save: Click it to save the static route PDB entry settings.
When you have created a route PDB entry here, the system will automatically create
many static routes that have the following characteristics:
Their Destination IP and Subnet Mask are predefined by the route PDB.
Each static route has the same Gateway IP Address, Bind to, Detection Interval,
Priority and Metric as the route PDB entry. Note: Because the Detection
Interval can only be set to 0 when creating the PDB entry, each static route's
Detection Interval is 0.
Their ID values are 1, 2, 3 ... incrementally.
Note
If there is a static route PDB entry bound to an Internet connection, once the
connection is activated, all the static routes created by the route PDB entry will take
effect immediately. You can go to the Status > Route Stats page to view the settings
and status of these static routes in the Routing Table.
7.1.2.3 How to Add the Static Route PDB Entries
If you want to add one or more static route PDB entries, do the following:
Step 1
Go to the Advanced > Static Route page.
Step 2
Click the New button or select the Route Settings tab to go to the setup page.
Step 3
Select a PDB option from the Predefined drop-down list.
Step 4
Specify the next hop IP address by the Gateway IP Address or Bind to.
If the outbound interface is a physical interface, you should specify the Gateway IP
Address, but may leave the Bind to blank. In this case, the Device will select an optimal
transmission path.
For example, you want to create a TEL route PDB entry. The TEL Internet connection is
static IP connection (that is, the outbound interface is a physical interface), and gateway
IP address is 200.200.200.254. Here you should enter 200.200.200.254 in the Gateway
IP Address text box, but may leave the Bind to blank. The Device will select an optimal
transmission path. The detailed settings are shown in the following figure.
Figure 7-6 Static Route PDB Settings - Example One
If the outbound interface is a dial interface, you should select the corresponding physical
interface from the Bind to drop-down list, and leave the Gateway IP Address at the
default value 0.0.0.0. In this case, the next hop IP address is assigned by a dial server
(e.g., PPPoE server).
For example, you want to create a CNC route PDB entry. The CNC Internet connection is
a PPPoE connection (that is, the outbound interface is a dial interface), and the
corresponding physical interface is WAN2. Here you should select WAN2 from the Bind
to drop-down list, and leave the Gateway IP Address at the default value 0.0.0.0. The
next hop IP address is assigned by your ISP's PPPoE server. The detailed settings are
shown in the following figure.
Figure 7-7 Static Route PDB Settings - Example Two
Step 5
Specify the priority and metric for the static route PDB entry as required. In
most cases, please leave the default values.
Step 6
Click the Save button to save the settings. You can view the static route PDB
entry in the Static Route List.
Step 7
If you want to add another new static route PDB entry, please repeat the above
steps.
Note
If you want to delete one or more static route PDB entries, select the leftmost check
boxes of them in the Static Route List, and then click the Delete button.
7.1.2.4 How to Update a System Default Static Route PDB
As mentioned earlier, if you want to update a system default static route PDB, please go to
the Restriction > Policy Database page, and click the Update hyperlink of the route PDB
in the Policy Database List. Then the Device will download the latest PDB from
designated web site and apply it automatically.
Note that if the route PDB has been referenced, you should reference it again in this page
to let the related settings take effect. The steps are as follows: At first click the Edit
hyperlink of the route PDB, and then select the PDB from the Predefined drop-down list
again, lastly click the Save button to make the related settings take effect.
7.2 Policy-Based Routing
This section describes the Advanced > PBR page.
PBR (policy-based routing) provides a tool for forwarding and routing data packets based
on the user-defined policies. Different from the traditional destination-based routing
mechanism, PBR enables you to use policies based on source and destination address,
protocol, port, schedule, and other criteria to route packets flexibly.
7.2.1 Policy-Based Routing Settings
Figure 7-8 Policy-Based Routing Settings
—
Bind to: It specifies an outbound interface through which the packets matching the
PBR entry are forwarded.
—
Schedule: It specifies a schedule to restrict when the PBR entry is in effect. The
default value is Always, which means the PBR entry will be in effect always.
—
Description: It specifies the description of the PBR entry. It is usually used to
describe the purpose of the entry.
—
Source: It specifies the source IP addresses of the packets to which the PBR entry
applies. There are two options:
Ɣ
Addresses: Select it to enter the start and end addresses in the associated text
boxes.
Ɣ
Address Group: Select it to choose an address group from the associated
drop-down list. By default, the Address Group radio button is selected, and its
value is Any Address.
—
Destination: It specifies the destination IP addresses of the packets to which the
PBR entry applies. There are two options:
Ɣ
Addresses: Select it to enter the start and end IP addresses in the associated
text boxes.
Ɣ
Address Group: Select it to choose an address group from the associated
drop-down list. By default, the Address Group radio button is selected, and its
value is Any Address.
—
Service: It specifies a range of ports or a service group to which the PBR applies.
There are two options:
Ɣ
Ports: Select it to enter the start and end port numbers in the associated text
boxes, and select a protocol type from Protocol drop-down list. The port number
is between 1 and 65535, and the protocols include TCP, UDP and ICMP.
Ɣ
Service Group: Select it to choose a service group or predefined service from
the associated drop-down list. The Device provides some well-known services,
such as telnet, smtp, web, pop3, and so on. By default, the Service Group radio
button is selected, and its value is Any Service.
ž
Edit Schedule: Click it to go to the Security > Schedule page to add, view, modify or
delete the schedules.
ž
Edit Address Group: Click it to go to the Security > Address Group page to add,
view, modify or delete the address groups.
ž
Edit Service Group: Click it to go to the Security > Service Group page to add,
view, modify or delete the service groups.
ž
Save: Click it to save the PBR entry settings.
Note
PBR (policy-based routing) takes precedence over the Device's normal
destination-based routing. That is, if a packet matches all the criteria (source address,
destination address, protocol type, port, etc.) specified in a PBR entry, it will be forwarded
through the outbound interface specified in the PBR entry. If no match is found in the
PBR list, the packet will be forwarded through the normal routing channel (in other words,
destination-based routing is performed).
7.2.2 Enable Policy-Based Routing
Figure 7-9 Enable Policy-Based Routing
- Enable Policy-based Routing: It allows you to enable or disable policy-based
  routing. If you select the check box to enable policy-based routing, the configured
  PBR entries will take effect. Otherwise the PBR entries will have no effect.
- Save: Click it to save your settings.
7.2.3 Policy-Based Routing List
Figure 7-10 PBR List
- Add a PBR Entry: If you want to add a new PBR entry, click the New button or select
  the PBR Settings tab to go to the setup page, configure the entry, and then click the
  Save button.
- Enable a PBR Entry: The Enable check box is used to enable or disable the
  corresponding PBR entry. The default value is selected, which means the PBR entry
  is in effect. If you want to disable the PBR entry temporarily instead of deleting it,
  click the check box to remove the check mark.
- View PBR Entry(s): When you have configured some PBR entries, you can view
  them in the PBR List.
- Edit a PBR Entry: If you want to modify a configured PBR entry, click its Edit
  hyperlink; the related information will be displayed in the setup page. Then modify it,
  and click the Save button.
- Delete PBR Entry(s): If you want to delete one or more PBR entries, select their
  leftmost check boxes, and then click the Delete button.
- Move a PBR Entry: The Device allows you to move a PBR entry before another
  entry in the list. The operation is as follows: select the ID of the PBR entry that you
  want to move from the Move drop-down list, select another entry's ID from the before
  drop-down list, and then click OK. Note that moving a PBR entry in the list doesn't change
  its ID number.
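The effect of list order and of the Move operation, as an added Python sketch (not code from this manual or from ReOS). It assumes entries are evaluated top-down and the first enabled match wins, which the manual implies through the Move operation but does not state; schedules are treated as Always, and the sample entries, addresses and the names `PbrEntry`, `select_interface`, `move_before` and `shadowed` are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY_ADDRESS = ("0.0.0.0", "255.255.255.255")   # "Any Address"
ANY_PORTS = (1, 65535)                          # "Any Service" port range


@dataclass
class PbrEntry:
    id: int
    bind_to: str                      # outbound interface ("Bind to")
    source: tuple = ANY_ADDRESS       # (start, end) addresses
    destination: tuple = ANY_ADDRESS
    protocol: str = "ANY"             # "TCP", "UDP", "ICMP" or "ANY"
    ports: tuple = ANY_PORTS          # (start, end), checked for TCP and UDP only
    enabled: bool = True


def in_range(addr, bounds):
    return IPv4Address(bounds[0]) <= IPv4Address(addr) <= IPv4Address(bounds[1])


def matches(entry, pkt):
    """pkt is a dict with src, dst, protocol and (for TCP/UDP) port."""
    if not entry.enabled or entry.protocol not in ("ANY", pkt["protocol"]):
        return False
    if pkt["protocol"] in ("TCP", "UDP") and not entry.ports[0] <= pkt["port"] <= entry.ports[1]:
        return False
    return in_range(pkt["src"], entry.source) and in_range(pkt["dst"], entry.destination)


def select_interface(entries, pkt, pbr_enabled=True):
    """Return (bind_to, entry id) for the first match, or None for destination-based routing."""
    if pbr_enabled:
        for entry in entries:
            if matches(entry, pkt):
                return entry.bind_to, entry.id
    return None


def move_before(entries, move_id, before_id):
    """The list's Move operation: the order changes, the IDs stay as they were."""
    moved = next(e for e in entries if e.id == move_id)
    rest = [e for e in entries if e.id != move_id]
    index = next(i for i, e in enumerate(rest) if e.id == before_id)
    return rest[:index] + [moved] + rest[index:]


def covers(outer, inner):
    """True if every packet that matches inner also matches outer."""
    def contains(a, b):
        return IPv4Address(a[0]) <= IPv4Address(b[0]) and IPv4Address(b[1]) <= IPv4Address(a[1])
    return (outer.protocol in ("ANY", inner.protocol)
            and contains(outer.source, inner.source)
            and contains(outer.destination, inner.destination)
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])


def shadowed(entries):
    """(later id, earlier id) pairs where the later entry can never be reached."""
    return [(later.id, earlier.id)
            for i, later in enumerate(entries) if later.enabled
            for earlier in entries[:i] if earlier.enabled and covers(earlier, later)]


# Constructed sample list, in list order: a broad entry placed above a narrow one.
ENTRIES = [
    PbrEntry(1, "WAN1", source=("192.168.1.0", "192.168.1.255")),
    PbrEntry(2, "WAN2", source=("192.168.1.10", "192.168.1.20"), protocol="TCP", ports=(443, 443)),
]
HTTPS = {"src": "192.168.1.15", "dst": "203.0.113.9", "protocol": "TCP", "port": 443}
OTHER = {"src": "10.0.0.5", "dst": "203.0.113.9", "protocol": "UDP", "port": 53}

if __name__ == "__main__":
    print(select_interface(ENTRIES, HTTPS), shadowed(ENTRIES))
    reordered = move_before(ENTRIES, 2, 1)
    print(select_interface(reordered, HTTPS), shadowed(reordered))
```

Running `shadowed` on a rule list before and after a Move shows whether a narrow entry has ended up behind a broader one that takes all of its traffic.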
7.3 DNS Redirection
This section describes the Advanced > DNS Redirection page.
7.3.1 Introduction to DNS Redirection
DNS redirection is used to redirect domain names directly to the specified IP addresses,
that is, the domain names aren't resolved by a DNS server, but are looked up in a
user-defined list of name-to-address mappings. Once you have configured some DNS
redirection entries, a DNS redirection list that contains the name-to-address mappings
will be created. When receiving a DNS request, the Device looks up the requested domain
name in the DNS redirection list. If a match is found, the Device will send a DNS response
that contains the mapped IP address to the requester. Otherwise, the Device will resolve the
domain name by looking up the local DNS cache or external DNS servers.
7.3.2 Enable DNS Redirection
Figure 7-11 Enable DNS Redirection
- Enable DNS Redirection: It allows you to enable or disable DNS redirection. The
  default value is unselected, which means the configured DNS redirection entries are
  of no effect. If you want the DNS redirection entries to take effect, please select this
  check box to enable DNS redirection.
- Save: Click it to save your settings.
7.3.3 DNS Redirection List
Figure 7-12 DNS Redirection List
- Add a DNS Redirection Entry: If you want to add a new DNS redirection entry, click
  the New button or select the DNS Redirection Settings tab to go to the setup page,
  configure the entry, and then click the Save button.
- Enable a DNS Redirection Entry: The Enable check box is used to enable or
  disable the corresponding DNS redirection entry. The default value is selected, which
  means the DNS redirection entry is in effect. If you want to disable the DNS
  redirection entry temporarily instead of deleting it, click the check box to remove the
  check mark.
- View DNS Redirection Entry(s): When you have configured some DNS redirection
  entries, you can view them in the DNS Redirection List.
- Edit a DNS Redirection Entry: If you want to modify a configured DNS redirection
  entry, click its Edit hyperlink; the related information will be displayed in the setup
  page. Then modify it, and click the Save button.
- Delete DNS Redirection Entry(s): If you want to delete one or more DNS redirection
  entries, select their leftmost check boxes, and then click the Delete button.
Note
1. A DNS redirection entry whose domain name contains the wildcard character * has
   lower priority; in other words, the domain name that has the highest accuracy will be
   matched first. For example, there are two DNS redirection entries in the list: the first
   entry's domain name is www.sina.com, and the second entry's is www.sina.*. When
   accessing www.sina.com, the Device will redirect www.sina.com to the IP address
   specified by the first entry because of higher accuracy.
2. For the entries whose domain names have the same accuracy, in reverse
   chronological order of creation, the last created entry will be matched first.
7.3.4 DNS Redirection Settings
Figure 7-13 DNS Redirection Settings
- IP Address: It specifies the IP address to which the specified domain name(s) are
  redirected.
- Description: It specifies the description of the DNS redirection entry. It is usually
  used to describe the purpose of the entry.
- Domain List: Each DNS redirection entry has a domain list. You can enter a domain
  name or multiple domain names that you want to redirect in the Domain List box. It
  supports up to ten different domain names.
- Save: Click it to save the DNS redirection entry settings.
Note
1. Different DNS redirection entries can have the same IP addresses or domain names.
2. The domain names that contain the wildcard character * should be different.
3. The domain names that belong to the same Domain List should be different.
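The match order from the notes in 7.3.3 and the list constraints from the notes in 7.3.4, as an added Python model (not the Device's code). Ranking wildcard names against each other by their number of literal characters is an assumption; the manual only says that names without * are matched first and that ties go to the last created entry. The 192.0.2.x addresses and all function names are constructed for the example.

```python
import re
from dataclasses import dataclass

MAX_DOMAINS = 10   # "It supports up to ten different domain names."


@dataclass
class RedirectEntry:
    created: int          # creation order, higher means created later
    ip: str               # "IP Address" the names are redirected to
    domains: list         # "Domain List"
    enabled: bool = True


def pattern_matches(pattern, name):
    """Case-insensitive match in which only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, name.lower().rstrip(".")) is not None


def accuracy(pattern):
    """Exact names rank above wildcards; among wildcards, more literal characters (assumption)."""
    return ("*" not in pattern, len(pattern.replace("*", "")))


def lookup(entries, name, redirection_enabled=True):
    """Return the redirect IP, or None when the query falls through to normal resolution."""
    if not redirection_enabled:
        return None
    best = None
    for entry in entries:
        if not entry.enabled:
            continue
        for pattern in entry.domains:
            if pattern_matches(pattern, name):
                key = accuracy(pattern) + (entry.created,)   # later entry wins a tie
                if best is None or key > best[0]:
                    best = (key, entry.ip)
    return best[1] if best else None


def validate(entries):
    """Check a list against the three notes in 7.3.4 and the ten-name limit."""
    problems, wildcard_owner = [], {}
    for entry in entries:
        names = [d.lower() for d in entry.domains]
        if len(names) > MAX_DOMAINS:
            problems.append(f"entry {entry.created}: more than {MAX_DOMAINS} domain names")
        for dup in sorted(set(n for n in names if names.count(n) > 1)):
            problems.append(f"entry {entry.created}: duplicate name {dup} in Domain List")
        for name in sorted(set(names)):
            if "*" not in name:
                continue            # plain names may repeat across entries (note 1)
            if name in wildcard_owner:
                problems.append(
                    f"entries {wildcard_owner[name]} and {entry.created}: wildcard {name} repeated")
            else:
                wildcard_owner[name] = entry.created
    return problems


# The two entries from the note in 7.3.3, with constructed addresses.
PAGE_EXAMPLE = [
    RedirectEntry(1, "192.0.2.10", ["www.sina.com"]),
    RedirectEntry(2, "192.0.2.20", ["www.sina.*"]),
]

if __name__ == "__main__":
    for query in ("www.sina.com", "www.sina.cn", "example.org"):
        print(query, "->", lookup(PAGE_EXAMPLE, query))
```

Because a later exact entry silently overrides an earlier one for the same name, reviewing the list with `lookup` for the names that matter shows which address clients will actually receive.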
7.3.5 How to Configure DNS Redirection
Do the following to configure DNS Redirection.
Step 1  Go to the Advanced > DNS Redirection page.
Step 2  Click the New button or select the DNS Redirection Settings tab to go to the
        setup page.
Step 3  Specify the IP Address, Description and Domain List for a DNS Redirection
        entry.
Step 4  Click the Save button to save the settings. You can view the DNS Redirection
        entry in the DNS Redirection List.
Step 5  If you want to add another new DNS Redirection entry, please repeat the above
        steps.
Step 6  Select the Enable DNS Redirection check box to enable DNS redirection,
        so that all the DNS redirection entries you have created take effect
        immediately.
Once you have configured DNS redirection, all the DNS request packets received by the
Device will be processed by the DNS redirection module first.
Note
Please make sure that the Enable DNS Redirection check box is selected; otherwise the
configured DNS redirection entries will not be in effect.
7.4 Plug and Play
This section describes the Advanced > Plug and Play page.
7.4.1 Introduction to Plug and Play
Plug and Play is a new feature of UTT series security firewalls. If you enable plug and play
feature on the Device, the LAN users can access the Internet through the Device without
changing any network parameters, no matter what IP address, subnet mask, default
gateway and DNS server they might have. Obviously, this feature can greatly facilitate the
users. As this feature is suitable for hotel network, we also call it hotel special version.
7.4.2 Enable Plug and Play
Figure 7-14 Enable Plug and Play
- Enable Plug and Play: It allows you to enable or disable plug and play. By default it
  is disabled. If you select the check box to enable this feature, no matter what IP
  address, subnet mask, default gateway and DNS server the LAN users might have,
  they are able to access the Internet through the Device.
- Save: Click it to save your settings.
Note
1. The LAN hosts' basic TCP/IP parameters (including IP address, subnet mask,
   gateway IP address, and DNS server IP address) should be set properly; otherwise,
   the plug and play feature cannot act on those hosts.
2. Once plug and play is enabled, the Device will automatically enable proxy ARP,
   enable DNS proxy, and disable IP spoofing defense.
3. Once plug and play is enabled, the Device will allow those non-IP/MAC binding users
   to access the Device and Internet.
4. The users with the same IP address cannot access the Internet at the same time. For
   example, if a LAN user with IP address 1.1.1.1 has connected to the Device to access
   the Internet, another user with IP address 1.1.1.1 cannot access the Internet through
   the Device.
5. A LAN user's IP address cannot be the same as the Device's LAN/WAN interface IP
   address, gateway IP address, or primary/secondary DNS server IP address;
   otherwise, the user cannot access the Device and Internet.
7.5 SNMP
This section describes the Advanced > SNMP page.
SNMP (Simple Network Management Protocol) is an application layer protocol for
collecting information about devices on the network. It is part of the TCP/IP protocol suite
which enables network administrators to monitor, configure, and troubleshoot the network
devices.
If you enable the SNMP agent on the Device, you can use the SNMP manager software to
monitor and manage the Device remotely. The Device supports SNMP v1/v2c and
Management Information Base II (MIBII) groups.
To ensure security, the SNMP manager can read the information about the Device but
can't change anything.
Figure 7-15 SNMP Settings
- Enable SNMP: It allows you to enable or disable the SNMP agent. If you want to
  enable the SNMP agent on the Device, please select this check box.
- Community Name: It specifies a community name to restrict access to the Device.
  The SNMP community name is used as a shared secret for SNMP managers to
  access the SNMP agent. The default value is uTt22aA. To ensure security, it is
  recommended that you modify it to prevent intruders from using SNMP requests to get
  the information from the Device.
- System Name: It specifies the host name of the Device.
- System Contact: It specifies the system contact information (such as a name or
  phone number).
- System Location: It specifies the physical location information of the Device.
- Allowed SNMP NMSs: If you select this check box, you can specify up to three
  SNMP network management stations (i.e., hosts), and only they can access and
  manage the Device. Otherwise, any host can use SNMP to manage the Device.
- Host 1 IP Address ~ Host 3 IP Address: They specify the IP addresses of the hosts
  that can use SNMP to manage the Device.
- Save: Click it to save the SNMP settings.
Note
If you want to use SNMP Manager to manage the Device via Internet, please select
the SNMP check box in the System > Remote Admin page first.
7.6 SYSLOG
This section describes the Advanced > SYSLOG page.
Syslog is a standard protocol used to capture a lot of running information about network
activity. The Device supports this protocol and can send its activity logs to an external
syslog server. It helps the network administrator monitor, analyze and troubleshoot the
Device and network.
Figure 7-16 SYSLOG Settings
- Enable Syslog: It allows you to enable or disable the syslog feature. If you want to
  enable the syslog feature on the Device, please select this check box.
- Syslog Server IP address: It specifies the IP address or domain name of the syslog
  server to which the Device sends syslog messages.
- Syslog Server Port: It specifies the port used by the syslog server to communicate
  with the Device. In most cases, please leave the default value of 514, which is a
  well-known port number.
- Syslog Message Facility: It specifies the facility level used for logging. The facilities
  are used to distinguish different classes of syslog messages. The available options
  are local0, local1 through local7.
- Sending Interval: It specifies the time interval (in seconds) at which the Device
  periodically sends heartbeat messages. If you select an option other than zero, the
  Device will periodically send heartbeat messages to the syslog server to indicate that
  it is still alive. The default value is 0, which means the Device will not send heartbeat
  messages.
- Save: Click it to save the Syslog settings.
Note
So far, only the Xport HiPER Manager software of UTT Technologies Co., Ltd. can
identify the heartbeat message.
7.7 DDNS
This section describes the Advanced > DDNS page.
Note
To ensure that DDNS operates properly, you should synchronize the system clock in
the System > Time page.
7.7.1 Introduction to DDNS
Dynamic Domain Name Service (DDNS) is a service used to map a domain name which never
changes to a dynamic IP address which can change quite often. For example, if you have
applied for a PPPoE connection with a dynamically assigned IP address from the ISP's PPPoE
server, you can use DDNS to allow the external hosts to access the Device by a constant
domain name.
In order to use DDNS service, you should apply for a DDNS account from a DDNS service
provider. Each DDNS provider offers its own specific network services. The DDNS service
provider reserves the right to change, suspend or terminate your use of some or all network
services at any time for any reason. The DDNS service providers supported by UTT
Technologies Co., Ltd. currently provide free DDNS services, but they may charge for the
DDNS services in the future. In this case, UTT Technologies Co., Ltd. will notify you as soon
as possible; if you refuse to pay for the services, you will no longer be able to use them. During
the free phase, UTT Technologies Co., Ltd. does not guarantee that the DDNS services can
meet your requirements and will be uninterrupted, and UTT does not guarantee the timeliness,
security and accuracy of the services.
So far, UTT Technologies Co., Ltd. only supports two DDNS service providers:
iplink.com.cn and 3322.org. It will successively support other DDNS service providers in
the future.
7.7.2 DDNS Service Offered by iplink.com.cn
7.6.1.1 Apply for a DDNS Account from iplink.com.cn
To use DDNS offered by iplink.com.cn on the Device, you should login to
http://www.utt.com.cn/ddns to apply for a DDNS account, which includes a fully qualified
domain name (FQDN) with suffix of iplink.com.cn and a key.
Figure 7-17 Apply for a DDNS Account from IPLink.com.cn
- Host Name: It specifies a unique host name of the Device. The suffix of iplink.com.cn
  will be appended to the host name to create a fully qualified domain name (FQDN) for
  the Device. For example, if the Device's host name is test, then its FQDN is
  test.iplink.com.cn; and it allows you to use test.iplink.com.cn to access the Device.
  Note that to avoid duplication, you had better use the Device's globally unique serial
  number (SN) as the host name. The SN is the same as the Registration Number
  displayed in the Advanced > DDNS > DDNS Settings page.
- Registration Number/Serial Number: It specifies the registration number (i.e., serial
  number) of the Device. It should be the same as the Registration Number
  displayed in the Advanced > DDNS > DDNS Settings page.
- Register: Click it to register a DDNS account. Once you have clicked the Register
  button, you can get a key that matches the registered domain name of the Device.
Note
A domain name can only be registered once; and as each Device has its own unique
serial number, you will get different keys if you register the same domain name for
different Devices. Thus when you want to replace your Device and use the existing
domain name for the new Device, you need to log in to http://www.utt.com.cn/ddns to
delete the domain name, and then register it again.
7.7.2.1 DDNS Settings Related to iplink.com.cn
Figure 7-18 DDNS Settings Related to iplink.com.cn
- Interface: It specifies the WAN interface on which DDNS service is applied. All the
  WAN interfaces support the DDNS feature, and you can use DDNS service on each WAN
  interface at the same time.
- Registry Website: It allows you to click http://www.utt.com.cn/ddns to go to this
  website to register a DDNS account for the Device.
- Registration Number: It specifies the registration number of the Device.
- Service Provider: It specifies the DDNS service provider who offers services to the
  Device. Now the Device only supports two DDNS service providers: iplink.com.cn
  and 3322.org. Here please select iplink.com.cn.
- Host Name: It specifies the host name of the Device. It should be the same as the
  host name that you entered when registering the DDNS account on the website of
  http://www.utt.com.cn/ddns.
- Key: It specifies the key that you got when registering the DDNS account on the
  website of http://www.utt.com.cn/ddns.
- Confirm Key: You should re-enter the key.
- Save: Click it to save the DDNS settings.
7.7.3 DDNS Service Offered by 3322.org
7.7.3.1 Apply for a DDNS Account from 3322.org
To use DDNS offered by 3322.org on the Device, you should login to http://www.3322.org
to apply for a fully qualified domain name (FQDN) with suffix of 3322.org.
Figure 7-19 Apply for a DDNS Account from 3322.org
- Host Name: It specifies a unique host name of the Device. The suffix of iplink.com.cn
  will be appended to the host name to create a fully qualified domain name (FQDN) for
  the Device. For example, if the Device's host name is test, then its FQDN is
  test.3322.org; and it allows you to use test.3322.org to access the Device. Note that
  to avoid duplication, you had better use the Device's globally unique serial number (SN)
  as the host name.
- IP Address: It specifies the IP address mapped to the registered domain name of the
  Device.
- OK: Click it to register the domain name.
7.7.3.2 DDNS Settings Related to 3322.org
Figure 7-20 DDNS Settings Related to 3322.org
- Interface: It specifies the WAN interface on which DDNS service is applied. All the
  WAN interfaces support the DDNS feature, and you can use DDNS service on each WAN
  interface at the same time.
- Registry Website: It allows you to click http://www.3322.org to go to this website to
  register a DDNS account for the Device.
- Service Provider: It specifies the DDNS service provider who offers services to the
  Device. Now the Device only supports two DDNS service providers: iplink.com.cn
  and 3322.org. Here please select 3322.org.
- Host Name: It specifies the host name of the Device. It should be the same as the
  host name that you entered when registering the DDNS account on the website of
  http://www.3322.org.
- User Name: It specifies the user name that you entered when registering your user
  account on the website of http://www.3322.org.
- Password: It specifies the password which is created by the website when
  registering your user account on the website of http://www.3322.org.
- Save: Click it to save the DDNS settings.
Note
It also allows you to log in to http://www.3322.org to apply for a domain name (FQDN)
with suffix of 2288.org, 6600.org, 7700.org, 8800.org, 8866.org, or 9966.org for the
Device. Refer to section 7.7.3.1 Apply for a DDNS Account from 3322.org for
detailed operation.
7.7.4 DDNS Verification
To verify whether DDNS is updated successfully, you can use the ping command at the
MS-DOS command prompt on the PC, for example: ping abc.iplink.com.cn
If the displayed page is similar to the screenshot below: the domain name is resolved to
an IP address successfully (200.200.202.152 in this example), DDNS is updated
successfully.
Note
1. After you have finished configuring an Internet connection, the Device will
   automatically enable NAT. Then when you ping the Device's domain name from the
   Internet, the domain name can be resolved to its mapped IP address successfully, but
   the Device will not respond to the ping request. If you want to ping this IP address,
   please go to the Security > Attack Defense > External Defense page to select the
   Enable WAN Ping Respond check box.
2. Only when the WAN interface IP address is a public IP address can the Internet users
   use its mapped domain name to access the Device normally.
3. The DDNS feature can help you implement VPN tunnels using dynamic IP addresses on
   the Device.
7.8 Advanced DHCP
This section describes the Advanced > DHCP pages.
7.8.1 Introduction to DHCP
7.8.1.1 Overview
The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing
configuration information to hosts on a TCP/IP network. DHCP allows a host to be configured
automatically, eliminating the need for intervention by a network administrator. DHCP is
built on a client/server model, where one or more DHCP servers assign network
addresses and deliver other TCP/IP configuration parameters to DHCP clients (hosts). In
addition, DHCP can guarantee to avoid allocation of duplicate IP addresses, and to
reassign the IP addresses that are no longer used.
DHCP supports three mechanisms for IP address allocation:
- Automatic allocation: DHCP server assigns a permanent IP address to a client.
- Dynamic allocation: DHCP server assigns an IP address to a client for a limited
  period of time, which is called a lease. The client may extend its lease with
  subsequent request, and it may release the address back to the server.
- Manual allocation: A network administrator assigns an IP address to a client, and
  DHCP server is used simply to convey the assigned address to the client.
A particular network will use one or more of these mechanisms, according to the actual
requirements. The dynamic allocation is the only mechanism that allows automatic reuse
of addresses that are no longer needed by the client.
7.8.1.2 DHCP Operation Process
The following describes the basic operation principle of DHCP, including the process of
requesting for a new IP address, the process of renewing an IP address, and the process
of releasing an IP address.
1. Requesting for an IP Address
Figure 7-21 Requesting for an IP Address from a DHCP Server (messages exchanged between
DHCP Client and DHCP Server: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK)
As shown in Figure 7-21, the process of a DHCP client requesting an IP address from a
DHCP server falls into four basic phases:
- DHCP Discover: It is the phase in which the DHCP client locates a DHCP server to ask
  for an IP address. The client broadcasts a DHCPDISCOVER message on its local
  physical subnet. Only DHCP server(s) will respond to it.
- DHCP Inform: It is the phase in which one or more DHCP servers offer an IP address to
  the DHCP client. Once it has received the DHCPDISCOVER message, a DHCP server will
  send a DHCPOFFER unicast message which includes configuration parameters
  (such as an IP address, a domain name, a lease, and so on) to the DHCP client.
- DHCP Request: It is the phase in which the DHCP client accepts the offer, chooses an IP
  address and requests the address. The client may receive DHCPOFFER messages
  from more than one DHCP server. Then the client chooses one from them, and
  broadcasts a DHCPREQUEST message to formally request the offered IP address.
  The DHCPREQUEST message also includes the server identifier option to indicate
  which message it has selected, implicitly declining all other DHCPOFFER messages.
  Once they have received the DHCPREQUEST message, those servers not selected will
  release the IP addresses offered to the client.
  If the configuration parameters sent to the client in the DHCPOFFER unicast
  message by the DHCP Server are invalid (a misconfiguration error exists), the client
  returns a DHCPDECLINE broadcast message to the DHCP Server to reject the
  configuration assigned.
- DHCP Acknowledgement: It is the phase in which the DHCP server officially assigns the
  address to the client. Once it has received the DHCPREQUEST message, the selected
  DHCP server will respond with a DHCPACK unicast message containing the IP address
  and other configuration parameters for the requesting client. Then the client will accept
  and apply the IP address and other configuration parameters.
2. Renewing an IP Address
An IP address dynamically allocated by a DHCP server for a client has a lease. The
DHCP server will reclaim the IP address if the lease expires, so the client has to renew
the lease in order to use the IP address longer. When one half of the lease time has
expired, the client will send a DHCPREQUEST message to the DHCP server, asking to
extend the lease for the given configuration. The DHCP server will respond with a
DHCPACK message if it agrees to renew the lease.
If the requested IP address in the DHCPREQUEST message is inconsistent with the
allocated IP address whose lease doesn't expire, the DHCP server will respond with
a DHCPNAK message.
3. Releasing the IP Address
When a DHCP client no longer needs the IP address assigned by a DHCP server, it
relinquishes the address by sending a DHCPRELEASE message to the DHCP server.
The address returns to the address pool for reassignment. In addition, the DHCP client
sets its IP address to 0.0.0.0.
7.8.1.3 DHCP Message types
DHCP is built on a client/server model. A client and a server may exchange the types of
messages listed in the below table.
Message Type | Description
DHCPDISCOVER | Broadcast by a client to find available DHCP servers.
DHCPOFFER | Response from a server to a DHCPDISCOVER message and offering IP address and other parameters.
DHCPREQUEST | Message from a client to servers that does one of the following: (1) requests the parameters offered by one of the servers, which implicitly declines all other offers; (2) requests the extension of a lease on a particular address; (3) verifies a previously allocated address after a system or network change (a restart for example).
DHCPDECLINE | Message from a client to server indicating that the offered address is already in use.
DHCPACK | Acknowledgement message from a server to a client with configuration parameters, including IP address.
DHCPNAK | Negative acknowledgement message from a server to a client, refusing the request for parameters. If the client receives a DHCPNAK message, it will restart the configuration process.
DHCPRELEASE | Message from a client to a server cancelling remainder of a lease and relinquishing network address.
DHCPINFORM | Message from a client that already has an IP address (manually configured, for example), requesting further network configuration parameters (DNS server's IP address, for example) from the DHCP server. This message is used very rarely.
Table 7-2 DHCP Message Types
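An added Python example (not from this manual) that decodes the message types of Table 7-2 from raw DHCP payloads and lists server identifiers that are not on an expected-server list, which is how a second, unplanned DHCP server on the LAN shows up in a capture. The packets are constructed with `build`; the addresses, the MAC address and all function names are assumptions for the example.

```python
import socket
import struct

# Fixed BOOTP header (236 bytes), then the 4-byte magic cookie and the option TLVs.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
         5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
FROM_SERVER = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def parse_options(data, start):
    """Walk the option TLVs; code 0 is padding, code 255 ends the list."""
    options, i = {}, start
    while i < len(data) and data[i] != 255:
        if data[i] == 0:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated DHCP option")
        options[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return options


def ip_option(options, code):
    value = options.get(code, b"")
    return socket.inet_ntoa(value) if len(value) == 4 else None


def parse(data):
    """Decode one DHCP payload (the UDP data) into the fields discussed above."""
    if len(data) < BOOTP.size + 4 or data[BOOTP.size:BOOTP.size + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    fields = BOOTP.unpack_from(data)
    hlen, xid, yiaddr, giaddr, chaddr = fields[2], fields[4], fields[8], fields[10], fields[11]
    options = parse_options(data, BOOTP.size + 4)
    if len(options.get(53, b"")) != 1:
        raise ValueError("missing DHCP message type option")
    lease = options.get(51, b"")
    return {
        "type": TYPES.get(options[53][0], "unknown"),
        "xid": xid,
        "mac": chaddr[:min(hlen, 16)].hex(":"),
        "yiaddr": socket.inet_ntoa(yiaddr),          # address being assigned
        "giaddr": socket.inet_ntoa(giaddr),          # relay agent IP
        "server_id": ip_option(options, 54),         # server identifier option
        "requested_ip": ip_option(options, 50),
        "lease": struct.unpack("!I", lease)[0] if len(lease) == 4 else None,
    }


def build(msg_type, xid, mac, yiaddr="0.0.0.0", server_id=None, requested=None, lease=None):
    """Construct a sample message for the demonstration (not captured traffic)."""
    code = next(k for k, v in TYPES.items() if v == msg_type)
    zero = socket.inet_aton("0.0.0.0")
    header = BOOTP.pack(2 if msg_type in FROM_SERVER else 1, 1, 6, 0, xid, 0, 0, zero,
                        socket.inet_aton(yiaddr), zero, zero,
                        bytes.fromhex(mac.replace(":", "")), b"", b"")
    options = bytes([53, 1, code])
    if server_id:
        options += bytes([54, 4]) + socket.inet_aton(server_id)
    if requested:
        options += bytes([50, 4]) + socket.inet_aton(requested)
    if lease is not None:
        options += bytes([51, 4]) + struct.pack("!I", lease)
    return header + MAGIC + options + b"\xff"


def unexpected_servers(messages, allowed):
    """Server identifiers seen in OFFER/ACK/NAK messages that are not in allowed."""
    found = []
    for raw in messages:
        msg = parse(raw)
        if msg["type"] in FROM_SERVER and msg["server_id"] not in allowed \
                and msg["server_id"] not in found:
            found.append(msg["server_id"])
    return found


# Constructed exchange: two servers answer one DISCOVER, the client picks 192.168.1.1.
MAC, XID = "02:00:00:00:00:01", 0x1234ABCD
EXCHANGE = [
    build("DHCPDISCOVER", XID, MAC),
    build("DHCPOFFER", XID, MAC, "192.168.1.100", server_id="192.168.1.1", lease=3600),
    build("DHCPOFFER", XID, MAC, "192.168.1.200", server_id="192.168.1.254", lease=600),
    build("DHCPREQUEST", XID, MAC, server_id="192.168.1.1", requested="192.168.1.100"),
    build("DHCPACK", XID, MAC, "192.168.1.100", server_id="192.168.1.1", lease=3600),
]

if __name__ == "__main__":
    for raw in EXCHANGE:
        print(parse(raw))
    print("unexpected:", unexpected_servers(EXCHANGE, {"192.168.1.1"}))
```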
7.8.2 Introduction to DHCP Feature of the Device
According to the different settings, the Device can act as a DHCP client, DHCP server or
DHCP relay agent. The following sections describe their characteristics respectively.
Note
If the DHCP client is enabled on a physical interface, neither the DHCP server nor
DHCP relay agent function can be enabled on it. If both the DHCP server and DHCP
relay agent function are enabled on the interface, the DHCP server has higher priority.
That is, the Device will choose the DHCP server to process the DHCP messages
preferentially; and it will choose the DHCP relay agent to process the messages only
when the DHCP server isn't able to process them.
7.8.2.1 Introduction to DHCP Server
When acting as a DHCP server, the Device can allocate network addresses and deliver
other TCP/IP configuration parameters (such as gateway IP address, DNS server IP
address, WINS server IP address, etc.) to the LAN hosts.
7.8.2.1.1 Address Conflict Detection Method
In order to prevent the DHCP server from assigning duplicate addresses that cause
address conflicts, the DHCP server should probe an address before assigning it
to a DHCP client. The Device supports two address detection methods: ARP and ICMP.
ARP is the system default method; it is always enabled and is not configurable. The ICMP
method is configurable, and can be disabled.
- ARP Method: Before assigning an address to a DHCP client, the DHCP server will first
  send ARP packets to the address to detect whether it is already in use. After sending two
  ARP packets in succession, if no response is received, the DHCP server assumes
  that the address is free. Otherwise, the DHCP server assumes that the address is in use,
  and will try another address and so on, until it finds a free address.
- ICMP Method: Once it has passed the ARP detection, the address needs to be checked
  further by ICMP. The DHCP server will send ICMP ECHO REQUEST packets (one
  packet at a time) to detect if it is already in use. After sending the specified maximum
  number of ICMP packets in succession, if no response is received, the DHCP server
  assumes that the address is free and assigns the address to the requesting client.
  Otherwise, the DHCP server assumes that the address is in use, and will try another
  address and so on, until it finds a free address and assigns it to the client.
  The maximum number of ICMP ECHO REQUEST packets is specified by the
  parameter ICMP Ping Packets, and the maximum amount of time the DHCP server
  waits for a ping reply packet is specified by the parameter ICMP Ping Timeout. By
  default, the value of ICMP Ping Packets is 2, and the value of DHCP Ping Timeout
  is 500 milliseconds. If you want to disable the ICMP detection, please set
  DHCP Ping Packets to 0.
7.8.2.1.2 DHCP Address Pool
The DHCP server assigns an IP address to a requesting client from a DHCP address pool,
which also can be configured to provide other TCP/IP configuration parameters to the
client, such as the DNS Server, gateway IP address, etc. The Device supports multiple
address pools, so you can easily define multiple subnets in the LAN. Before configuring an
address pool, you should specify a physical interface to which the pool is bound.
7.8.2.1.3 DHCP Manual Binding
Through DHCP manual binding, you can assign a static IP address to a specific host
(client). You may create a manual binding by mapping the IP address to the host's MAC
address, Remote ID or Client ID. The DHCP server will always assign the specified IP
address to the host that matches the manual binding.
7.8.2.1.4 IP Address Allocation Policy
A DHCP server assigns an IP address to a client based on some parameters contained in
the message sent by the client. The parameters are Remote ID, Circuit ID (i.e., Relay
Agent ID), giaddr (i.e., Relay Agent IP), Client ID and MAC address, in descending order
of priority. Only the highest priority parameter will take effect when more than
one parameter is configured. When a matching parameter is found, the DHCP server will
assign an address according to the configuration related to this parameter. If no matching
parameter is found, the DHCP server will find an IP address that can be allocated
according to the default sequence.
Specifically, a DHCP server assigns an IP address to a client according to the following
sequence:
1) If the message sent by the client contains the Remote ID option, the DHCP server will
search the DHCP manual binding list to find out if there is an IP address bound to this
Remote ID. If a match is found, the DHCP server will assign the specified IP address
to the client. Otherwise, go to the next step.
2) If the message sent by the client contains the Circuit ID option, the DHCP server will
search the DHCP address pool list to find out if there is an address pool which is
configured with this Circuit ID. If a match is found, the DHCP server will assign an IP
address from this address pool. Otherwise, go to the next step.
3) If the giaddr field contained in the message sent by the client is not 0, the DHCP server
will search the DHCP address pool list to find out if there is an address pool which is
configured with this giaddr. If a match is found, the DHCP server will assign an IP
address from this address pool. Otherwise, go to the next step.
4) If the message sent by the client contains the Client ID option, the DHCP server will
search the DHCP manual binding list to find out if there is an IP address bound to this
Client ID. If a match is found, the DHCP server will assign the specified IP address to
the client. Otherwise, go to the next step.
5) The DHCP server will search the DHCP manual binding list to find out if there is an IP
address bound to the MAC address of the client. If a match is found, the DHCP server
will assign the specified IP address to the client. Otherwise, go to the next step.
6) If the message sent by the client contains the Requested IP Address option, the DHCP
server will search the DHCP address pool list to find out if there is an address pool
that contains this Requested IP Address. If a match is found, and this Requested IP
Address is free, the DHCP server will assign it to the client. If a match is found, but
this Requested IP Address is in use, the DHCP server will try to assign another
address dynamically from the address pool. Otherwise, go to the next step.
7) If no matching parameter is found, the DHCP server will find an assignable IP address
from each DHCP address pool in the chronological order of creation. Once an
assignable IP address is found, the DHCP server will assign it to the client.
8) If no IP address is assignable, the DHCP server will report an error.
Note
1) You may create a manual binding by mapping an IP address to a host's MAC address,
Remote ID or Client ID. The priorities of Remote ID, Client ID and MAC Address are
descending. Only the highest priority parameter will be in effect when two or three of
them are configured. For example, if there is a manual binding that contains an IP
address bound to Remote ID and Client ID, the Client ID will have no effect. That is, if
a message sent by a client contains a mismatched Remote ID option, even if it
contains a matched Client ID option, the client can't obtain the specified IP address.
2) If a message sent by a client contains a Circuit ID or giaddr option that matches a
DHCP address pool, the DHCP server will search the manual bindings that belong to this
address pool to find out if there is a DHCP manual binding that contains the client's Client
ID or MAC address. If a match is found, the DHCP server will assign the specified IP
address to the client. Otherwise, the DHCP server will try to find out if there is a DHCP
manual binding that contains this Requested IP Address. If a match is found, the DHCP
server will assign it to the client. Otherwise, the DHCP server will try to assign an address
dynamically from this address pool.
3) If a message sent by a client matches a DHCP manual binding, but doesn't match the
Circuit ID or giaddr option that is specified in the related DHCP address pool, the
DHCP server will assign the address that is specified in this DHCP manual binding to
the client.
4) If a message sent by a client matches a DHCP manual binding, but the specified IP
address is already in use by another client (that is, an address conflict is detected),
the DHCP server won't assign any IP address to the client.
5) If a message sent by a client contains a Circuit ID or giaddr option that matches a
DHCP address pool, but there is no free address in this pool, the DHCP server will
assign an address from other DHCP address pools to the client.
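The allocation sequence above, modelled as an added Python example (not code from the manual or from ReOS). It follows steps 1 to 8 together with Notes 1 and 4; the class names, the sample pools, bindings and leases are constructed, and it assumes that addresses named in manual bindings are never handed out dynamically.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Binding:
    """One DHCP manual binding (constructed model, not a ReOS data structure)."""
    ip: str
    remote_id: Optional[str] = None
    client_id: Optional[str] = None
    mac: Optional[str] = None

    def key(self):
        # Note 1: when several identifiers are configured on one binding, only
        # the highest-priority one (Remote ID > Client ID > MAC) is in effect.
        if self.remote_id is not None:
            return ("remote_id", self.remote_id)
        if self.client_id is not None:
            return ("client_id", self.client_id)
        return ("mac", self.mac)


@dataclass
class Pool:
    name: str
    start: str                        # Start IP Address
    count: int                        # Number of Addresses
    circuit_id: Optional[str] = None  # Relay Agent ID configured on the pool
    giaddr: Optional[str] = None      # DHCP Relay IP configured on the pool

    def addresses(self):
        base = int(IPv4Address(self.start))
        return [str(IPv4Address(base + i)) for i in range(self.count)]


@dataclass
class Request:
    mac: str
    remote_id: Optional[str] = None
    circuit_id: Optional[str] = None
    giaddr: str = "0.0.0.0"
    client_id: Optional[str] = None
    requested_ip: Optional[str] = None


def allocate(req, bindings, pools, leases):
    """Return (ip, step); ip is None when no address is assigned.

    pools is in creation order; leases maps an in-use IP to the MAC holding it.
    The function only decides, it does not record the new lease.
    """
    # Assumption: addresses named in manual bindings are not given out dynamically.
    reserved = {b.ip for b in bindings}

    def free_in(pool):
        for addr in pool.addresses():
            if addr not in leases and addr not in reserved:
                return addr
        return None

    def by_binding(kind, value, step):
        for b in bindings:
            if b.key() == (kind, value):
                # Note 4: bound address already used by another client.
                if leases.get(b.ip) not in (None, req.mac):
                    return (None, step)
                return (b.ip, step)
        return None

    def by_pool(attr, value, step):
        for p in pools:
            if getattr(p, attr) == value:
                addr = free_in(p)
                # Matching pool exhausted: fall through to the later steps.
                return (addr, step) if addr else None
        return None

    hit = None
    if req.remote_id is not None:                        # step 1
        hit = by_binding("remote_id", req.remote_id, 1)
    if hit is None and req.circuit_id is not None:       # step 2
        hit = by_pool("circuit_id", req.circuit_id, 2)
    if hit is None and req.giaddr != "0.0.0.0":          # step 3
        hit = by_pool("giaddr", req.giaddr, 3)
    if hit is None and req.client_id is not None:        # step 4
        hit = by_binding("client_id", req.client_id, 4)
    if hit is None:                                      # step 5
        hit = by_binding("mac", req.mac, 5)
    if hit is None and req.requested_ip is not None:     # step 6
        for p in pools:
            if req.requested_ip in p.addresses():
                taken = req.requested_ip in leases or req.requested_ip in reserved
                addr = free_in(p) if taken else req.requested_ip
                hit = (addr, 6) if addr else None
                break
    if hit is None:                                      # step 7
        for p in pools:
            addr = free_in(p)
            if addr:
                hit = (addr, 7)
                break
    return hit or (None, 8)                              # step 8: report an error


# Constructed sample configuration.
POOLS = [Pool("pool1", "192.168.1.100", 5),
         Pool("relayA", "10.0.5.10", 2, circuit_id="sw1-port7"),
         Pool("relayB", "10.0.9.10", 2, giaddr="10.0.9.1")]
BINDINGS = [Binding("192.168.1.101", remote_id="cpe-0042", client_id="printer-3f"),
            Binding("192.168.1.102", mac="00:11:22:33:44:55")]
LEASES = {"192.168.1.100": "aa:bb:cc:00:00:01"}
```

A request carrying a mismatched Remote ID together with the bound Client ID `printer-3f` falls through to step 7 and receives a dynamic address, which is the behaviour Note 1 describes.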
7.8.2.2 Introduction to DHCP Client
When acting as a DHCP client, the Device can dynamically obtain an IP address and
other TCP/IP configuration parameters from a DHCP server. All of the physical interfaces
support the DHCP client feature, and you can enable DHCP client on each interface at the
same time.
In order to meet different needs, the DHCP client can use a client ID to identify itself, send
DHCPREQUEST messages in broadcast or unicast mode, and require the DHCP server to
respond in broadcast or unicast mode.
The Device also supports the AutoIP feature, that is, if the DHCP client cannot obtain an IP
address via DHCP, it will automatically assign an IP address (in the range of
169.254.1.0/16 through 169.254.254.0/16) to itself. The DHCP client can also ascertain
that the address is not used by another host.
7.8.2.3 Introduction to DHCP Relay Agent
When acting as a DHCP relay agent, the Device can forward DHCP messages between
DHCP servers and clients. DHCP relay agents are used to forward requests and replies
between clients and servers when they are not on the same physical subnet. The
DHCP clients that reside on multiple physical subnets can then use the same DHCP server.
Using DHCP relay agent can help you save cost and achieve centralized management.
The following describes the basic operation principle of DHCP relay agent.
1. When starting, a DHCP client will start the DHCP initialization procedure, during which a
DHCPDISCOVER message will be broadcast on its local physical subnet.
2. If a DHCP server resides on the local subnet and is configured and operating
correctly, the DHCP client will directly obtain configuration parameters such as an IP
address from it. In this case, no DHCP relay agent is required.
3. If the DHCP server doesn't reside on the local subnet, there must be a DHCP relay
agent on the local subnet to receive the message and then generate a new DHCP
message to send to the specified DHCP server that resides on another subnet.
4. After receiving the DHCPREQUEST message, the DHCP server will unicast a
DHCPOFFER message to the DHCP relay agent, which includes an IP address and
other configuration parameters. After receiving the DHCPOFFER message, the
DHCP relay agent will process and forward the message to the requesting client.
5. There are multiple such interactions during the configuration process.
The Device provides the parameters of Option and Policy to specify the forwarding policy
of DHCP messages. When a DHCP relay agent receives a client-originated DHCP
message, it will process the message according to the settings of these two parameters. See
the following table for a detailed description:
| Option | Policy | The message is from another relay agent, and already contains option 82. | The message is from a client directly, and doesn't contain option 82. |
|---|---|---|---|
| insert | drop | Drop the message. | The relay agent will insert option 82 into the message before forwarding it. |
| insert | keep | The relay agent will retain the existing option 82 in the message and forward it. | The relay agent will insert option 82 into the message before forwarding it. |
| insert | replace | The relay agent will replace (overwrite) the existing option 82 with its option 82 in the message before forwarding it. | The relay agent will insert option 82 into the message before forwarding it. |
| disabled | drop | Drop the message. | Forward directly. |
| disabled | keep | Forward directly. | Forward directly. |
| disabled | replace | Forward directly. | Forward directly. |

Table 7-3 DHCP Relay Agent Forwarding Policies
The following explains the meanings of the parameters in the above table.
Option 82: It indicates the relay agent information option.
Option: It is used to enable or disable the Device to insert option 82 before forwarding a
client-originated DHCP message that doesn't contain option 82. By default, the relay
agent will forward the message directly. If you want to insert option 82 into the message
before forwarding it, please select insert. Note that, when the Option is set to disabled,
the DHCP relay agent will drop or forward the message directly.
Policy: It is used to configure the reforwarding policy for a DHCP relay agent (what a relay
agent should do if a message already contains option 82). A DHCP relay agent may
receive a message from another relay agent that already contains relay information. By
default, the relay agent will retain the existing option 82 in the message and forward it. If
this behavior is not suitable for your network, you can set Policy to change it.
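The forwarding decisions of Table 7-3, modelled as an added Python example (not UTT's code) that works on the raw options field of a DHCP message. The sub-option codes 1 (Circuit ID) and 2 (Remote ID) are those of RFC 3046; the function names, identifiers and sample messages are constructed.

```python
OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2      # option 82 sub-option codes (RFC 3046)


def parse_tlv(data, top_level=True):
    """Split code/length/value items; a top-level field also honours pad (0) and end (255)."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_END:
            break
        if top_level and code == OPT_PAD:
            i += 1
            continue
        # Reject a header or value that runs past the end of the buffer.
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        length = data[i + 1]
        items.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def build_tlv(items, top_level=True):
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    if top_level:
        out.append(OPT_END)
    return bytes(out)


def option82(circuit_id, remote_id):
    """Value of option 82 carrying a Circuit ID and a Remote ID sub-option."""
    return build_tlv([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)],
                     top_level=False)


def remote_id_seen(options):
    """Remote ID the DHCP server would read from the forwarded options, or None."""
    for code, value in parse_tlv(options):
        if code == OPT_RELAY_INFO:
            return dict(parse_tlv(value, top_level=False)).get(SUB_REMOTE_ID)
    return None


def relay(options, option, policy, own82):
    """Apply Table 7-3. Returns ("drop", None) or ("forward", options_bytes)."""
    if option not in ("insert", "disabled") or policy not in ("drop", "keep", "replace"):
        raise ValueError("unknown Option/Policy setting")
    items = parse_tlv(options)
    if any(code == OPT_RELAY_INFO for code, _ in items):
        if policy == "drop":
            return ("drop", None)
        if policy == "replace" and option == "insert":
            kept = [(c, v) for c, v in items if c != OPT_RELAY_INFO]
            return ("forward", build_tlv(kept + [(OPT_RELAY_INFO, own82)]))
        return ("forward", options)       # keep, or Option disabled: forward directly
    if option == "insert":
        return ("forward", build_tlv(items + [(OPT_RELAY_INFO, own82)]))
    return ("forward", options)


# Constructed sample data.
FROM_CLIENT = bytes([53, 1, 1, OPT_END])  # option 53, message type 1 = DHCPDISCOVER
FROM_UPSTREAM = build_tlv(parse_tlv(FROM_CLIENT)
                          + [(OPT_RELAY_INFO, option82(b"up-port3", b"cpe-0042"))])
OWN82 = option82(b"lan1", b"utt-relay")
```

With Policy set to keep (the default), the Remote ID that reaches the DHCP server is the one already present in the received message, and that is the value step 1 of the IP Address Allocation Policy matches first; with Option insert and Policy replace it is the relay agent's own.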
7.8.2.4 Introduction to Raw Option
DHCP provides a framework for passing configuration information to hosts on a TCP/IP
network. Configuration parameters and other control information are carried in tagged
data items that are stored in the options field of the DHCP message. The data items
themselves are also called options. For detailed information about DHCP options, see
RFC 2132, with updates in RFC 3942.
Most DHCP options are predefined in RFCs, although new options will appear as
DHCP develops. The Device provides the Raw Option feature to support both the
predefined options and new options. Raw options can be applied to both the DHCP
server and the DHCP client.
7.8.3 DHCP Client
First go to the Advanced > DHCP page, and then select the DHCP Client radio button
(see the following figure) to go to the DHCP Client page, which includes the DHCP Client
List and DHCP Client Settings subpages.
Figure 7-22 Select DHCP Client
7.8.3.1 DHCP Client Settings
Figure 7-23 DHCP Client Settings
◆ Interface: It specifies a physical interface on which the DHCP client is applied.
◆ Enable DHCP Client: It allows you to enable or disable DHCP client. If you want to
  enable DHCP client on the specified interface, please select this check box.
◆ Enable PnP: It allows you to enable or disable PnP. If you select this check box to
  enable PnP, the DHCP client can obtain IP address and subnet mask, and other
  TCP/IP configuration parameters such as default gateway address, DNS server
  addresses and so on. Otherwise, the DHCP client can only obtain IP address and subnet
  mask.
◆ Request Mode: It specifies a mode in which the DHCP client sends the
  DHCPREQUEST messages. The available options are Unicast and Broadcast.
  ● Unicast: It indicates that the DHCP client unicasts the DHCPREQUEST
    messages.
  ● Broadcast: It indicates that the DHCP client broadcasts the DHCPREQUEST
    messages.
◆ Required Response Mode: It specifies a mode in which DHCP server sends the
  DHCP response message. The available options are Unicast and Broadcast.
  ● Unicast: It indicates that the DHCP client requires DHCP server to respond in
    unicast mode.
  ● Broadcast: It indicates that the DHCP client requires DHCP server to respond in
    broadcast mode.
◆ Client ID: It specifies the client identifier. There are three types of formats.
  ● hex: It is used to specify a hexadecimal string. It should be between 1 and 25
    characters long.
  ● ascii: It is used to specify an ASCII character string. It should be between 1 and
    27 characters long.
  ● ip: It is used to specify an IP address.
◆ Allow AutoIP: You can allow or deny the DHCP client to use AutoIP. AutoIP means if
  the DHCP client cannot obtain an IP address via DHCP, it will automatically assign an
  IP address (in the range of 169.254.1.0/16 through 169.254.254.0/16) to itself. The
  DHCP client can also ascertain that the address is not used by another host.
➢ Save: Click it to save the DHCP client settings.
7.8.3.2 DHCP Client List
Figure 7-24 DHCP Client List
➢ Configure DHCP Client: If you want to apply DHCP client function on a physical
  interface, select the DHCP Client Settings tab to go to the setup page, and then
  select the interface and configure other parameters, lastly click the Save button.
➢ View DHCP Client Information: When you have configured DHCP client on one or
  more physical interfaces, you can view the related configuration and status
  information in the DHCP Client List.
➢ Edit DHCP Client: If you want to modify DHCP client applied on a physical interface,
  click its Edit hyperlink, the related information will be displayed in the setup page.
  Then modify it, and click the Save button.
➢ Release: If you want to release the current IP address of the DHCP client applied on
  a physical interface, select its leftmost check box, and then click the Release button.
7.8.3.3 How to Configure DHCP Client
If you want to configure DHCP client, do the following:
Step 1
Go to the Advanced > DHCP page, select the DHCP Client radio button and
then select the DHCP Client Settings tab to go to the setup page.
Step 2
From the Interface drop-down list, select a physical interface on which the
DHCP client will be applied.
Step 3
Select the Enable DHCP Client check box to enable DHCP client on the
specified interface.
Step 4
In most cases, select the Enable PnP check box to enable PnP for the client.
Step 5
Specify the Request Mode and Required Response Mode if required.
Step 6
Specify the Client ID if required.
Step 7
In most cases, select the Allow AutoIP check box to allow the DHCP client to
use AutoIP.
Step 8
Click the Save button to save the settings. You have now finished
configuring the DHCP client applied on the specified interface, and you
can view the related configuration and status in the DHCP Client List.
Note
If you want to disable DHCP client on a physical interface, please click its Edit
hyperlink in the DHCP Client List, and then unselect the Enable DHCP Client check
box, lastly click the Save button.
7.8.4 DHCP Server
First go to the Advanced > DHCP page, and then select the DHCP Server radio button
(see the following figure) to go to the DHCP Server page, which includes the Global
Settings, Manual Binding List, Manual Binding Settings, Address Pool List and
Address Pool Settings subpages.
Figure 7-25 Select DHCP Server
7.8.4.1 DHCP Server Global Settings
Figure 7-26 DHCP Server Global Settings
◆ Enable DHCP Server: It allows you to enable or disable DHCP server. If you want to
  enable DHCP server on the Device, please select this check box.
◆ DHCP Ping Packets: It specifies the maximum number of ping packets which is used
  by ICMP address conflict detection method. It should be between 0 and 10, and the
  default value is 2. If you want to turn off ICMP detection feature, please set its value to
  0.
◆ DHCP Ping Timeout: It specifies the amount of time (in milliseconds) that the DHCP
  server waits before timing out a ping packet. It should be between 500 and 10000
  milliseconds, and the default value is 500 milliseconds.
➢ Save: Click it to save the DHCP server global settings.
Note
For more information about ICMP address conflict detection method, please refer to
section 7.7.2.1.1 Address Conflict Detection Method.
7.8.4.2 DHCP Manual Binding List
Figure 7-27 DHCP Manual Binding List
➢ Add a DHCP Manual Binding: If you want to add a new DHCP manual binding, click
  the New button or select the Manual Binding Settings tab to go to the setup page,
  and then configure it, lastly click the Save button.
➢ View DHCP Manual Binding(s): When you have configured some DHCP manual
  bindings, you can view them in the Manual Binding List.
➢ Edit DHCP Manual Binding: If you want to modify a configured DHCP manual
  binding, click its Edit hyperlink, the related information will be displayed in the setup
  page. Then modify it, and click the Save button.
➢ Delete DHCP Manual Binding(s): If you want to delete one or more DHCP manual
  bindings, select the leftmost check boxes of them, and then click the Delete button.
Note
The IP/MAC bindings created in the Advanced > IP/MAC Binding page will also
display in the Manual Binding List, because they are DHCP manual bindings too.
7.8.4.3 DHCP Manual Binding Settings
Through DHCP manual binding, you can assign a static IP address to a specific host
(client). You may create a manual binding by mapping the IP address to the host's MAC
address, Remote ID or Client ID. The priorities of Remote ID, Client ID and MAC Address
are descending. Only the highest priority parameter will be in effect when two or three of
them are configured. The DHCP server will always assign the specified IP address to the
host that matches the manual binding.
Figure 7-28 DHCP Manual Binding Settings
◆ Bind to: It specifies a DHCP address pool to which the DHCP manual binding
  belongs.
◆ User Name: It specifies a unique name for the DHCP manual binding. It is used to
  identify the host that wants to be assigned a static IP address. It should be between 1
  and 31 characters long.
◆ IP Address: It specifies the IP address for the DHCP manual binding. It must be a
  valid IP address of the related address pool. The requesting host that matches the
  manual binding will be assigned this specified address.
◆ MAC Address: It specifies the MAC address of the DHCP client.
◆ Client ID: It specifies the Client ID of the DHCP client. There are three types of
  formats.
  ● hex: It is used to specify a hexadecimal string. It should be between 1 and 25
    characters long.
  ● ascii: It is used to specify an ASCII character string. It should be between 1 and
    27 characters long.
  ● ip: It is used to specify an IP address.
◆ Remote ID: It specifies the Remote ID of the DHCP client. There are three types of
  formats.
  ● hex: It is used to specify a hexadecimal string. It should be between 1 and 25
    characters long.
  ● ascii: It is used to specify an ASCII character string. It should be between 1 and
    27 characters long.
  ● ip: It is used to specify an IP address.
◆ Host Name: It specifies the local host name of the DHCP client. It should be between
  1 and 31 characters long.
➢ Save: Click it to save the DHCP manual binding settings.
➢ Show ARP Table: Click it to display the hosts' dynamic ARP information learned by
  the LAN interface. Note: It will only display dynamic ARP information, but not display
  static ARP information (that is, the IP and MAC address pairs that have been bound
  manually).
7.8.4.4 How to Add the DHCP Manual Bindings
If you want to add one or more DHCP manual bindings, do the following:
Step 1
Go to the Advanced > DHCP page, and select the DHCP Server radio button
to go to the DHCP Server page.
Step 2
Select the Manual Binding Settings tab to go to the setup page.
Step 3
From the Bind to drop-down list, select a DHCP address pool to which this
DHCP manual binding belongs.
Step 4
Specify the User Name, IP Address and MAC Address as required.
Step 5
Specify the Client ID, Remote ID or Host Name if needed.
Step 6
Click the Save button to save the settings. You can view the DHCP manual
binding in the Manual Binding List.
Step 7
If you want to add another new DHCP manual binding, please repeat the above
steps.
Note
If you want to delete one or more DHCP manual bindings, select the leftmost check
boxes of them in the Manual Binding List, and then click the Delete button.
7.8.4.5 DHCP Address Pool List
Figure 7-29 DHCP Address Pool List
➢ Add a DHCP Address Pool: If you want to add a new DHCP address pool, select the
  Address Pool Settings tab, and then configure it, lastly click the Save button.
➢ View DHCP Address Pool(s): When you have configured some DHCP address
  pools, you can view them in the Address Pool List.
➢ Edit DHCP Address Pool: If you want to modify a configured DHCP address pool,
  click its Edit hyperlink, the related information will be displayed in the setup page.
  Then modify it, and click the Save button.
➢ Delete DHCP Address Pool(s): If you want to delete one or more DHCP address
  pools, select the leftmost check boxes of them, and then click the Delete button.
7.8.4.6 DHCP Address Pool Settings
The DHCP server assigns an IP address to a requesting client from a DHCP address pool,
which also can be configured to provide other TCP/IP configuration parameters to the
client, such as the Gateway IP address, DNS Server and WINS Server addresses, lease
time, etc. The Device supports multiple address pools, so you can easily define multiple
subnets in LAN.
Before configuring a DHCP address pool, you should specify a physical interface to which
the pool is bound.
Figure 7-30 DHCP Address Pool Settings
◆ Interface: It specifies a physical interface to which the DHCP address pool is bound.
◆ Pool Name: It specifies a unique name for the DHCP address pool. It should be
  between 1 and 11 characters long.
◆ Start IP Address: It specifies the starting IP address assigned from the DHCP
  address pool.
◆ Number of Addresses: It specifies the maximum number of IP addresses that can
  be assigned from the DHCP address pool. The addresses can be assigned
  dynamically or manually by the DHCP server.
◆ Subnet Mask: It specifies the subnet mask of the IP addresses assigned from the
  DHCP address pool.
◆ Default Gateway: It specifies the IP address of the default gateway for a DHCP
  client.
◆ Lease Time: It specifies the length of time (in seconds) during which each IP address
  assigned by a DHCP server is valid. If the lease expires, the client is automatically
  assigned a new dynamic IP address. Before the lease expires, the client typically
  needs to renew its address lease assignment with the server. The duration for a lease
  determines when it will expire and how often the client needs to renew it with the
  server. The default value is 3600 seconds.
◆ Primary DNS Server: It specifies the IP address of the primary DNS server that is
  available to a DHCP client.
◆ Secondary DNS Server: It specifies the IP address of the secondary DNS server
  that is available to a DHCP client.
◆ Primary WINS Server: It specifies the IP address of the primary NetBIOS WINS
  server that is available to a Microsoft DHCP client.
◆ Secondary WINS Server: It specifies the IP address of the secondary NetBIOS
  WINS server that is available to a Microsoft DHCP client.
◆ Domain Name: It specifies the DNS domain name for a DHCP client. This is usually
  an organization name followed by a period and an extension that indicates the type of
  organization, such as utt.com.cn. This domain name is appended to the local host
  name to create the fully qualified domain name (FQDN) for the host. When querying
  for a host name, the system will append this domain name to the host name for name
  resolution, thus the DHCP client host that has a host name can access the network.
◆ DHCP Relay IP: It specifies the relay agent IP address for the DHCP address pool. It
  can be a parameter used by address allocation policy. Refer to section 7.7.2.1.4 IP
  Address Allocation Policy for details.
◆ Enable AutoIP: It allows you to enable or disable AutoIP. Select it to permit the
  address obtained by a DHCP client through AutoIP to coexist with the address
  assigned by a DHCP server.
◆ Response Mode: It specifies the mode in which DHCP server sends the DHCP
  response messages to the client. The available options are Client Determine,
  Unicast and Broadcast.
  ● Client Determine: It indicates that the DHCP server sends the DHCP response
    messages in the mode required by the client.
  ● Unicast: It indicates that the DHCP server unicasts the DHCP response
    messages to the client.
  ● Broadcast: It indicates that the DHCP server broadcasts the DHCP response
    messages to the client.
◆ NetBIOS Node Type: It specifies the NetBIOS node type for Microsoft DHCP clients.
  There are four NetBIOS node types, and each node type resolves NetBIOS names
  differently.
  ● B-Node: It indicates a broadcast node that uses broadcasts for name resolution.
  ● P-Node: It indicates a peer-to-peer node that uses a WINS server to resolve
    NetBIOS names. P-Node does not use broadcasts but queries the WINS server
    directly.
  ● M-Node: It indicates a mixed node that is a combination of a B-Node and
    P-Node. By default, an M-Node functions as a B-Node first. If the broadcast
    name query is unsuccessful, it uses a WINS server.
  ● H-Node: It indicates a hybrid node that is a combination of a P-Node and B-Node.
    By default, an H-Node functions as a P-Node first. If the unicast name query to
    the WINS server is unsuccessful, it uses broadcasts.
◆ Relay Agent ID: It specifies the relay agent identifier for the DHCP address pool. It
  can be a parameter used by address allocation policy. Refer to section 7.7.2.1.4 IP
  Address Allocation Policy for details. There are three types of formats.
  ● hex: It is used to specify a hexadecimal string. It should be between 1 and 25
    characters long.
  ● ascii: It is used to specify an ASCII character string. It should be between 1 and
    27 characters long.
  ● ip: It is used to specify an IP address.
➢ Save: Click it to save the DHCP address pool settings.
Note
The Device provides a default address pool whose name is pool1. The pool1 is
editable but can't be deleted. Also you can configure and view it in the Basic >
DHCP & DNS page.
7.8.4.7 How to Add the DHCP Address Pools
If you want to add one or more DHCP address pools, do the following:
Step 1
Go to the Advanced > DHCP page, and select the DHCP Server radio button
to go to the DHCP Server page.
Step 2
Select the Address Pool Settings tab to go to the setup page.
Step 3
From the Interface drop-down list, select a physical interface to which the
DHCP address pool is bound.
Step 4
Specify the Pool Name, Start IP Address, Number of Addresses and
Primary DNS Server.
Step 5
Specify the Subnet Mask, Default Gateway and Lease Time as required.
Step 6
Specify the Secondary DNS Server, Primary WINS Server and Secondary
WINS Server if needed.
Step 7
Specify the Domain Name, DHCP Relay IP and Relay Agent ID if needed.
Step 8
In most cases, select the Enable AutoIP check box.
Step 9
Specify the Response Mode and NetBIOS Node Type if needed.
Step 10
Click the Save button to save the settings. You can view the DHCP address
pool in the Manual Binding List.
Step 11
If you want to add another new DHCP address pool, please repeat the above
steps.
Note
If you want to delete one or more DHCP address pools except the Pool1, select the
leftmost check boxes of them in the Address Pool List, and then click the Delete
button.
7.8.5 DHCP Relay Agent
First go to the Advanced > DHCP page, and then select the DHCP Relay Agent radio
button (see the following figure) to go to the DHCP Relay Agent page, which includes the
DHCP Relay Agent List and Relay Agent Settings subpages.
Figure 7-31 Select DHCP Relay Agent
7.8.5.1 DHCP Relay Agent Settings
Figure 7-32 DHCP Relay Agent Settings
◆ Interface: It specifies the physical interface on which the DHCP relay agent is applied.
◆ Enable DHCP Relay Agent: It allows you to enable or disable DHCP relay agent. If
  you want to enable DHCP relay agent on the specified interface, please select this
  check box.
◆ DHCP Server 1 ~ 3: It specifies one or more DHCP servers for the relay agent. You
  can specify up to three DHCP servers for the relay agent. The DHCP relay agent will
  unicast the DHCP request messages to all the specified servers respectively.
◆ Option: It specifies whether the DHCP relay agent inserts option 82 (DHCP relay
  agent information option) into a client-originated DHCP message before forwarding it
  to a DHCP server or not.
◆ Policy: It specifies the reforwarding policy for the DHCP relay agent, that is, what the
  relay agent should do if a message already contains option 82.
◆ Max. Packet Size: It specifies the maximum size of packet (in bytes) that the DHCP
  relay agent can forward. The default is 1024 bytes.
◆ Relay Agent ID: It specifies the relay agent identifier. There are three types of
  formats:
  ● hex: It is used to specify a hexadecimal string. It should be between 1 and 25
    characters long.
  ● ascii: It is used to specify an ASCII character string. It should be between 1 and
    27 characters long.
  ● ip: It is used to specify an IP address.
◆ Response Mode: It specifies the mode in which DHCP relay agent sends the DHCP
  response messages to the client. The available options are Client Determine,
  Unicast and Broadcast.
  ● Client Determine: It indicates that the DHCP relay agent sends the DHCP
    response messages in the mode required by the client.
  ● Unicast: It indicates that the DHCP relay agent unicasts the DHCP response
    messages to the client.
  ● Broadcast: It indicates that the DHCP relay agent broadcasts the DHCP
    response messages to the client.
➢ Save: Click it to save the DHCP relay agent settings.
Note
For more information about Option and Policy, please refer to section 7.7.2.3
Introduction to DHCP Relay Agent.
7.8.5.2 DHCP Relay Agent List
Figure 7-33 DHCP Relay Agent List
➢ Configure DHCP Relay Agent: If you want to apply DHCP relay agent function on a
  physical interface, select the Relay Agent Settings tab to go to the setup page, and
  then select the interface and configure other parameters, lastly click the Save button.
➢ View DHCP Relay Agent Information: When you have configured DHCP relay
  agent on one or more physical interfaces, you can view the related information in the
  DHCP Relay Agent List.
➢ Edit DHCP Client: If you want to modify DHCP relay agent on a physical interface,
  click its Edit hyperlink, the related information will be displayed in the setup page.
  Then modify it, and click the Save button.
7.8.5.3 How to Configure DHCP Relay Agent
If you want to configure DHCP relay agent, do the following:
Step 1
Go to the Advanced > DHCP page, and select the DHCP Relay Agent radio
button to go to the DHCP Relay Agent page.
Step 2
Select the Relay Agent Settings tab to go to the setup page.
Step 3
From the Interface drop-down list, select a physical interface on which the
DHCP relay agent is applied.
Step 4
Select the Enable DHCP Relay Agent check box to enable DHCP relay agent
on the specified interface.
Step 5
Specify the DHCP Server 1, and specify DHCP Server 2 and DHCP Server 3 if
needed.
Step 6
Specify the Option and Policy if needed.
Step 7
Specify the Max. Packet Size, Relay Agent ID and Policy if needed.
Step 8
Click the Save button to save the settings. You have now finished
configuring the DHCP relay agent on the specified interface,
and you can view the related configuration and status information in the
DHCP Relay Agent List.
Note
If you want to disable DHCP relay agent on a physical interface, click its Edit
hyperlink in the DHCP Relay Agent List, clear the Enable DHCP Relay
Agent check box, and then click the Save button.
7.8.6 Raw Option
First go to the Advanced > DHCP page, and then select the Raw Option radio button
(see the following figure) to go to the Raw Option page, which includes the Raw Option
List and Raw Option Settings subpages.
Figure 7-34 Select Raw Option
7.8.6.1 Raw Option Settings
In this page, you can easily create DHCP raw options. Once a raw option is defined, the
DHCP server or client on the specified interface will add it into the options field of the
DHCP messages before sending them.
Figure 7-35 Raw Option Settings
◆ Option Name: It specifies a unique name of the raw option. It should be between 1
and 31 characters long.
◆ Option Code: It specifies the code of the raw option. It is used to uniquely identify the
option type. It should be a number between 1 and 254.
◆ Option Value: It specifies the associated values of the raw option. There are three
types of formats.
● hex: It is used to specify a hexadecimal string. It should be between 1 and 25
characters long.
● ascii: It is used to specify an ASCII character string. It should be between 1 and
27 characters long.
● ip: It is used to specify an IP address.
◆ Interface: It specifies the physical interface on which the DHCP raw option is applied.
◆ Save: Click it to save the DHCP raw option settings.
Note
For detailed information about DHCP options, see RFC 2132, with updates in RFC
3942.
7.8.6.2 Raw Option List
Figure 7-36 Raw Option List
◆ Add a Raw Option: If you want to add a new DHCP raw option, click the New button
or select the Raw Option Settings tab to go to the setup page, configure it,
and then click the Save button.
◆ View Raw Option(s): When you have configured some DHCP raw options, you can
view them in the Raw Option List.
◆ Edit a Raw Option: If you want to modify a configured DHCP raw option, click its
Edit hyperlink; the related information will be displayed in the setup page. Then
modify it, and click the Save button.
◆ Delete Raw Option(s): If you want to delete one or more DHCP raw options, select
their leftmost check boxes, and then click the Delete button.
7.8.6.3 How to Add the DHCP Raw Options
If you want to add one or more DHCP raw options, do the following:
Step 1
Go to the Advanced > DHCP page, and select the Raw Option radio button to
go to the Raw Option page.
Step 2
Select the Raw Option Settings tab or click the New button to go to the setup
page.
Step 3
Specify the Option Name, Option Code and Option Value.
Step 4
From the Interface drop-down list, select a physical interface on which the
DHCP raw option is applied.
Step 5
Click the Save button to save the settings. You can view the DHCP raw option
in the Raw Option List.
Step 6
If you want to add another new DHCP raw option, please repeat the above
steps.
Note
If you want to delete one or more DHCP raw options, select the leftmost check boxes
of them in the Raw Option List, and then click the Delete button.
7.8.7 Configuration Examples for DHCP
7.8.7.1 Configuration Example for the DHCP Server
There are two typical types of DHCP network topologies:
● The DHCP server(s) and DHCP clients are on the same subnet so they can directly
exchange DHCP messages.
● The DHCP server(s) and DHCP clients are not on the same subnet so they need to
communicate via a DHCP relay agent.
The DHCP server configuration for these two types is the same.
1. Network Requirements
In this example, the Device acts as a DHCP server to dynamically assign IP addresses
to the clients that reside on the same subnet. The Device's LAN interface IP address is
192.168.16.1/24.
We need to create two address pools (pool1 and pool2). pool1's address range is
from 192.168.16.2/24 to 192.168.16.101/24, its primary and secondary DNS server IP
addresses are 202.96.209.5 and 202.96.199.133, its domain name is utt.com.cn and its lease
time is 3600 seconds. It uses the Device's LAN IP address (that is, 192.168.16.1/24) as
the default gateway address. Leave the default values for the other parameters.
pool2's address range is from 192.168.16.102/24 to 192.168.16.254/24 and its lease
time is 7200 seconds. pool2's primary and secondary DNS servers, domain name,
and default gateway IP address have the same values as pool1's.
Besides, we need to create a DHCP manual binding for the host that needs a static IP
address. The host's MAC address is 000795a81c3d, its client ID is 01000795a81c3d, which
is formed by concatenating the media type and MAC address, and its host name is test. The
host wants to use 192.168.16.10/24 as its IP address and binding1 as its user name. It is
obvious that the host belongs to pool1.
2. Network Topology
Figure 7-37 Network Topology where DHCP Server and Clients on Same Subnet
(diagram: one DHCP Server and four DHCP Clients attached to the same LAN)
3. Configuration Procedure
1) Configuring DHCP Server Global Parameters
Step 1
Go to the Advanced > DHCP page, and then select the DHCP Server radio
button to go to the DHCP Server page.
Step 2
Select the Global Settings tab to go to the setup page.
Step 3
Select the Enable DHCP Server check box, see the following figure.
Figure 7-38 DHCP Server Global Settings - Example
Step 4
Click the Save button to save the settings. You have now finished
configuring the DHCP server global settings.
2) Configuring the DHCP Address Pool - pool1
As mentioned earlier, pool1 is the default address pool provided by the Device. It
is editable, but can't be deleted, so you can modify pool1 according to your
requirements. The steps are as follows:
Step 1
Go to the Advanced > DHCP page, and then select the DHCP Server radio
button to go to DHCP Server page.
Step 2
Select the Address Pool List tab to go to the related subpage, and then click the
Edit hyperlink of pool1; the related information will be displayed in the
setup page.
Figure 7-39 DHCP Address Pool Settings - Example (pool1)
Step 3
Enter 192.168.16.2 in the Start IP Address text box, enter 100 in the Number
of Addresses text box, enter 192.168.16.1 in the Default Gateway text box,
enter 202.96.209.5 in the Primary DNS Server text box, enter 202.96.199.133
in Secondary DNS Server text box, and enter utt.com.cn in the Domain
Name text box. Leave the default values for the other parameters.
Step 4
Click the Save button to save the settings. You have now finished
configuring pool1, and you can view its configuration in the Address
Pool List.
3) Configuring the DHCP Address Pool - pool2
Step 1
Go to the Advanced > DHCP page, and then select the DHCP Server radio
button to go to the DHCP Server page.
Step 2
Select the Address Pool Settings tab to go to the setup page, see the
following figure.
Figure 7-40 DHCP Address Pool Settings - Example (pool2)
Step 3
Enter 192.168.16.102 in the Start IP Address text box, enter 153 in the
Number of Addresses text box, enter 192.168.16.1 in the Default Gateway
text box, enter 7200 in the Lease Time text box, enter 202.96.209.5 in the
Primary DNS Server text box, enter 202.96.199.133 in the Secondary DNS
Server text box, and enter utt.com.cn in the Domain Name text box. Leave
the default values for the other parameters.
Step 4
Click the Save button to save the settings. You have now finished
configuring pool2, and you can view its configuration in the Address
Pool List.
4) Configuring the DHCP Manual Binding
Step 1
Go to the Advanced > DHCP page, and then select the DHCP Server radio
button to go to the DHCP Server page.
Step 2
Select the Manual Binding Settings tab to go to the setup page, see the
following figure.
Figure 7-41 DHCP Manual Binding Settings - Example
Step 3
Select pool1 from the Bind to drop-down list, enter binding1 in the User
Name text box, enter 192.168.16.10 in the IP Address text box and enter
000795a81c3d in the MAC Address text box.
Step 4
Select hex from the Client ID drop-down list and enter 01000795a81c3d in the
associated text box, enter test in the Host Name text box. Leave the default
values for the other parameters.
Step 5
Click the Save button to save the settings. You have now finished
configuring the DHCP manual binding, and you can view its configuration
in the Manual Binding List.
7.8.7.2 Configuration Example for the DHCP Client
As mentioned earlier, each physical interface of the Device supports DHCP client, and it
allows you to enable DHCP client on each interface at the same time. In this example, the
DHCP client is applied on the WAN interface.
1. Network Requirements
In this example, we connect the Device's WAN interface to the LAN that contains a DHCP
server. The LAN network ID is 200.200.200.0/24. The Device acts as a DHCP client which
is enabled on the WAN interface, then the WAN interface will obtain an IP address from
the DHCP server dynamically. The WAN interface's MAC address is 0022aa123456, and
its client ID is 010022aa123456 which is formed by concatenating the media type and
MAC address.
2. Network Topology
Figure 7-42 Network Topology Where DHCP Client is Applied on WAN Interface
(diagram labels: DHCP Server on LAN 200.200.200.0/24; the Device's WAN Interface as DHCP Client)
3. Configuration Procedure
Step 1
Go to the Advanced > DHCP page, select the DHCP Client radio button and
then select the DHCP Client Settings tab to go to the setup page, see the
following figure.
Figure 7-43 DHCP Client Settings - Example
Step 2
Select WAN from the Interface drop-down list.
Step 3
Select the Enable DHCP Client, Enable PnP and Allow AutoIP check boxes.
Step 4
Select hex from the Client ID drop-down list and enter 010022aa123456 in the
associated text box. Leave the default values for the other parameters.
Step 5
Click the Save button to save the settings. You have now finished
configuring the DHCP client, and you can view its configuration and status
in the DHCP Client List.
7.8.7.3 Configuration Example for the DHCP Relay Agent
1. Network Requirements
In this example, the DHCP clients reside on the subnet 192.168.16.0/24, and the DHCP
server's IP address is 200.200.200.254/24. Because the DHCP server and DHCP clients
reside on different subnets, the Device acting as a DHCP relay agent is deployed to
forward DHCP messages between the DHCP server and DHCP clients. The DHCP relay
agent is enabled on the LAN interface, which is connected to the subnet where DHCP
clients reside. Then DHCP clients can obtain an IP address and other TCP/IP
configuration parameters from the DHCP server dynamically.
Note that in order to assign appropriate IP addresses to the DHCP clients, on the DHCP
server you should create a DHCP address pool whose address range is from
192.168.16.2 to 192.168.16.254. You should also create a static route whose
destination network is 192.168.16.0/24. For more information about static route, please
refer to section 7.1.1 Static Route.
2. Network Topology
Figure 7-44 Network Topology Where the Device Acting as a DHCP Relay Agent
(diagram labels: DHCP Clients on LAN1, 192.168.16.0/24; DHCP Relay with LAN 192.168.16.1/24 and WAN; Switch; DHCP Server 200.200.200.254/24 on LAN2, 200.200.200.0/24)
3. Configuration Procedure
Step 1
Go to the Advanced > DHCP page, and select the DHCP Relay Agent radio
button.
Step 2
Select the Relay Agent Settings tab to go to the setup page, see the following
figure.
Figure 7-45 DHCP Relay Agent Settings - Example
Step 3
Select LAN from the Interface drop-down list.
Step 4
Select the Enable DHCP Relay Agent check box.
Step 5
Enter 200.200.200.254 in the DHCP Server 1 text box. Leave the default
values for the other parameters.
Step 6
Click the Save button to save the settings. You have now finished
configuring the DHCP relay agent, and you can view its configuration and
status in the DHCP Relay Agent List.
7.8.7.4 Configuration Example for the Raw Option
1. Requirements
In this example, we need to create a raw option whose option name is ven_inf, option
code is 43 (that is, vendor-specific information) and option value is Test in ASCII format.
And it is applied on the LAN interface.
2. Configuration Procedure
Step 1
Go to Advanced > DHCP page, and select the Raw Option radio button.
Step 2
Select the Raw Option Settings tab to go to the setup page, see the following
figure.
Figure 7-46 Raw Option Settings - Example
Step 3
Enter ven_inf in the Option Name text box, enter 43 in the Option Code text
box, select ascii from the Option Value drop-down list and enter Test in the
associated text box.
Step 4
Select LAN from the Interface drop-down list.
Step 5
Click the Save button to save the settings. You have now finished
configuring the DHCP raw option, and you can view its configuration in the
Raw Option List.
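The raw option from this example as it would appear in the DHCP options field, using the code/length/data layout of RFC 2132 that the Note in 7.8.6.1 points to. This is an added sketch, not UTT code: the function names, the rejection of odd-length hex strings and the sample bytes are assumptions made here.

```python
import ipaddress
import string

# Field limits quoted from the Raw Option Settings descriptions in this manual.
MAX_NAME_LEN = 31
MAX_HEX_CHARS = 25
MAX_ASCII_CHARS = 27


def encode_raw_option(name: str, code: int, fmt: str, value: str) -> bytes:
    """Validate one raw option and return its wire form: code, length, data."""
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError("Option Name must be 1-31 characters long")
    if not 1 <= code <= 254:
        raise ValueError("Option Code must be between 1 and 254")

    if fmt == "hex":
        if not 1 <= len(value) <= MAX_HEX_CHARS:
            raise ValueError("hex value must be 1-25 characters long")
        if any(c not in string.hexdigits for c in value):
            raise ValueError("hex value contains a non-hexadecimal character")
        # Assumption: an odd digit count is rejected here; the manual does
        # not say how the Device treats a trailing half byte.
        if len(value) % 2:
            raise ValueError("hex value needs an even number of digits")
        data = bytes.fromhex(value)
    elif fmt == "ascii":
        if not 1 <= len(value) <= MAX_ASCII_CHARS:
            raise ValueError("ascii value must be 1-27 characters long")
        data = value.encode("ascii")  # raises ValueError on non-ASCII input
    elif fmt == "ip":
        data = ipaddress.IPv4Address(value).packed  # ValueError if malformed
    else:
        raise ValueError("format must be hex, ascii or ip")
    return bytes([code, len(data)]) + data


def parse_options(field: bytes) -> list:
    """Walk a DHCP options field and return a list of (code, data) pairs.

    Useful for confirming in a packet capture that the option really is
    added on the chosen interface and nothing unexpected rides along.
    """
    options = []
    i = 0
    while i < len(field):
        code = field[i]
        if code == 0:          # pad option: one byte, no length
            i += 1
            continue
        if code == 255:        # end option: stop parsing
            break
        if i + 1 >= len(field):
            raise ValueError("option %d has no length byte" % code)
        length = field[i + 1]
        data = field[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d is truncated" % code)
        options.append((code, data))
        i += 2 + length
    return options


# Constructed sample: the ven_inf option of this section followed by "end".
SAMPLE_FIELD = encode_raw_option("ven_inf", 43, "ascii", "Test") + b"\xff"

if __name__ == "__main__":
    print(SAMPLE_FIELD.hex())
    print(parse_options(SAMPLE_FIELD))
```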
7.8.7.5 Comprehensive Example for DHCP
When acting as a DHCP server, the Device supports up to ten DHCP address pools. You
can use different relay agent IP addresses or IDs to distinguish them. In most cases, the
DHCP server will assign addresses from the same address pool to the clients that
have the same relay agent IP address or ID as this pool's, so these clients will reside
on the same subnet.
1. Network Requirements
In this example, a college wants to realize unified management of the
campus network hosts. We plan to divide the campus network into several subnets, one
subnet per building (office or dormitory building), so that the hosts residing in the same
building will be on the same subnet. We deploy a Device acting as a DHCP server in the
network center, and deploy a Device acting as a DHCP relay agent in each building.
Each DHCP relay agent Device is connected to the center DHCP server Device. The
hosts residing in each building are connected to a relay agent Device, so that these hosts
can access the network center through the related relay agent Device.
As shown in the following network topology, we call these buildings building1,
building2 ... building10, and call the Devices residing in each building DHCP Relay1,
DHCP Relay2 ... DHCP Relay10. Each relay agent Device has its own ID.
The Device residing on the center network acts as a DHCP server, and the DHCP address
pools are bound to the LAN interface with IP address 200.200.200.254/24.
The Devices residing on each building act as the DHCP relay agents. The DHCP relay
agent is enabled on each Device's LAN interface. The hosts residing on each building are
connected to the related Device's LAN interface respectively, and they will act as clients to
request addresses from the DHCP server. The following table lists the name, relay agent
ID, WAN IP address and LAN IP address for each relay agent Device. Also it lists the IP
address space of each subnet where the client hosts reside.
Name           WAN IP Address      LAN IP Address    Client Subnet     Relay Agent ID
DHCP Relay1    200.200.200.1/24    192.168.1.1/24    192.168.1.0/24    Test_Relay1
DHCP Relay2    200.200.200.2/24    192.168.2.1/24    192.168.2.0/24    Test_Relay2
DHCP Relay3    200.200.200.3/24    192.168.3.1/24    192.168.3.0/24    Test_Relay3
DHCP Relay4    200.200.200.4/24    192.168.4.1/24    192.168.4.0/24    Test_Relay4
DHCP Relay5    200.200.200.5/24    192.168.5.1/24    192.168.5.0/24    Test_Relay5
DHCP Relay6    200.200.200.6/24    192.168.6.1/24    192.168.6.0/24    Test_Relay6
DHCP Relay7    200.200.200.7/24    192.168.7.1/24    192.168.7.0/24    Test_Relay7
DHCP Relay8    200.200.200.8/24    192.168.8.1/24    192.168.8.0/24    Test_Relay8
DHCP Relay9    200.200.200.9/24    192.168.9.1/24    192.168.9.0/24    Test_Relay9
DHCP Relay10   200.200.200.10/24   192.168.10.1/24   192.168.10.0/24   Test_Relay10
Table 7-4 DHCP Relay Agent IP Addresses and IDs - Comprehensive Example
In order to ensure that the hosts residing on each building obtain the addresses in the
range of the specified subnet respectively, we need to create ten DHCP address pools on
the DHCP server Device. These DHCP address pools' settings are as follows:
● Every DHCP address pool is bound to the LAN interface.
● Their pool names are pool1, pool2 ... pool10 respectively.
● Their starting IP addresses are 192.168.1.2, 192.168.2.2 ... 192.168.10.2
respectively.
● Every DHCP address pool's number of addresses is 253, which is the maximum
number of valid addresses in each subnet where the client hosts reside.
● Every DHCP address pool's lease time is 3600 seconds, primary and secondary DNS
servers' IP addresses are 202.96.209.6 and 202.96.199.133.
● Their relay agent IDs are Test_Relay1, Test_Relay2 ... Test_Relay10 respectively,
which are in ASCII format.
Note that you also should create ten static routes whose destination networks are the
subnets where the client hosts reside. For more information about static route, please
refer to section 7.1.1 Static Route.
For those DHCP relay agent Devices, the DHCP relay agent settings are as follows:
● Every DHCP relay agent is applied on the LAN interface.
● Every DHCP relay agent's DHCP Server 1 is 200.200.200.254.
● Every DHCP relay agent's Option is insert.
● Their Relay Agent IDs are Test_Relay1, Test_Relay2 ... Test_Relay10 respectively,
which are in ASCII format.
Note that since the DHCP server uses the relay agent ID to distinguish each address pool,
we need to set Option to insert for each relay agent. The DHCP relay agent will insert its relay
agent ID before forwarding a client-originated DHCP message; thus the DHCP server can
select a matched address pool according to the relay agent ID to assign an address to the
requesting client.
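A pre-deployment check for the address pools and relay agent IDs described above, added here as an illustration and not taken from ReOS. It also covers the two pools of section 7.8.7.1; the Pool class, the exact-match lookup in select_pool and the overlap rule are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Pool:
    name: str
    start: str                 # Start IP Address
    count: int                 # Number of Addresses
    gateway: str               # Default Gateway
    subnet: str                # client subnet the pool is meant to serve
    relay_agent_id: Optional[str] = None

    @property
    def first(self) -> IPv4Address:
        return IPv4Address(self.start)

    @property
    def last(self) -> IPv4Address:
        # The Device takes a start address and a count, so the last
        # address has to be derived.
        return self.first + (self.count - 1)


def check_plan(pools: List[Pool]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for p in pools:
        net = IPv4Network(p.subnet)
        if p.first not in net or p.last not in net:
            problems.append(f"{p.name}: {p.first}-{p.last} leaves {net}")
        reserved = (("network address", net.network_address),
                    ("broadcast address", net.broadcast_address),
                    ("default gateway", IPv4Address(p.gateway)))
        for label, addr in reserved:
            if p.first <= addr <= p.last:
                problems.append(f"{p.name}: range includes the {label} {addr}")
    # Sorted by first address, any overlap shows up between neighbours.
    ordered = sorted(pools, key=lambda p: p.first)
    for a, b in zip(ordered, ordered[1:]):
        if b.first <= a.last:
            problems.append(f"{a.name} and {b.name} overlap")
    ids = [p.relay_agent_id for p in pools if p.relay_agent_id]
    for rid in sorted(set(ids)):
        if ids.count(rid) > 1:
            problems.append(f"relay agent ID {rid} is used by more than one pool")
    return problems


def select_pool(pools: List[Pool], relay_agent_id: Optional[str]) -> Optional[Pool]:
    """Assumption: the server picks the pool whose ID equals the inserted ID."""
    for p in pools:
        if relay_agent_id is not None and p.relay_agent_id == relay_agent_id:
            return p
    return None


def pool_for_address(pools: List[Pool], address: str) -> Optional[Pool]:
    """Find the pool a manual binding address falls into, if any."""
    addr = IPv4Address(address)
    for p in pools:
        if p.first <= addr <= p.last:
            return p
    return None


# The ten campus pools of this section, built from Table 7-4.
CAMPUS_PLAN = [Pool(f"pool{n}", f"192.168.{n}.2", 253, f"192.168.{n}.1",
                    f"192.168.{n}.0/24", f"Test_Relay{n}") for n in range(1, 11)]

# The two same-subnet pools of section 7.8.7.1.
SAME_SUBNET_PLAN = [
    Pool("pool1", "192.168.16.2", 100, "192.168.16.1", "192.168.16.0/24"),
    Pool("pool2", "192.168.16.102", 153, "192.168.16.1", "192.168.16.0/24"),
]

if __name__ == "__main__":
    for plan in (CAMPUS_PLAN, SAME_SUBNET_PLAN):
        print(check_plan(plan) or "plan is consistent")
    print(select_pool(CAMPUS_PLAN, "Test_Relay3"))
```

A relay agent ID that matches no pool returns None here; how the Device itself handles that case is not described in this section.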
2. Network Topology
Figure 7-47 Network Topology for DHCP Comprehensive Example
(diagram labels: Internet; Network Center DHCP Server, LAN: 200.200.200.254/24; Switch; DHCP Relay1 (WAN: 200.200.200.1/24), DHCP Relay2 (WAN: 200.200.200.2/24) ... DHCP Relay10 (WAN: 200.200.200.10/24); DHCP Clients on 192.168.1.0/24, 192.168.2.0/24 ... 192.168.10.0/24)
3. Configuration Procedure
As the DHCP address pools have similar configuration procedures, here we take DHCP
address pool1 as an example to describe how to configure a DHCP address pool.
As the DHCP relay agents have similar configuration procedures, here we take DHCP
Relay1 as an example to describe how to configure a DHCP relay agent.
1) Configuring DHCP server
a) Configuring DHCP Server Global Parameters
Step 1
Go to the Advanced > DHCP page, and then select the DHCP Server radio
button to go to the DHCP Server page.
Step 2
Select the Global Settings tab to go to the setup page.
Step 3
Select the Enable DHCP Server check box, see the following figure.
Figure 7-48 DHCP Server Global Settings - Comprehensive Example
Step 4
Click the Save button to save the settings. You have now finished
configuring the DHCP server global settings.
b) Configuring the DHCP Address Pool - pool1
As mentioned earlier, pool1 is the system default address pool. It is editable, but
can't be deleted, so you can modify pool1 according to your requirements. The
steps are as follows:
Step 1
Go to the Advanced > DHCP page, and then select the DHCP Server radio
button to go to the DHCP Server page.
Step 2
Select the Address Pool List tab, and then click pool1's Edit hyperlink in
the Address Pool List; the related information will be displayed in the setup
page.
Figure 7-49 DHCP Address Pool Settings - Comprehensive Example (pool1)
Step 3
Enter 192.168.1.2 in the Start IP Address text box, enter 253 in the Number of
Addresses text box, enter 192.168.1.1 in the Default Gateway text box, enter
202.96.209.5 in the Primary DNS Server text box and enter 202.96.199.133 in
the Secondary DNS Server text box.
Step 4
Select ascii from the Relay Agent ID drop-down list and enter Test_Relay1 in
the associated text box. Leave the default values for the other parameters.
Step 5
Click the Save button to save the settings. You have now finished
configuring pool1, and you can view its configuration in the Address
Pool List.
c) Configuring the Other DHCP Address Pools (pool2 ~ pool10)
The other DHCP address pools' configuration procedures are very similar to that of
pool1. The difference is that each DHCP address pool has a different Pool Name, Start IP
Address, Default Gateway and Relay Agent ID. Because the procedures are so similar,
refer to the configuration procedure of pool1.
2) Configuring DHCP Relay1
Step 1
Go to the Advanced > DHCP page, select the DHCP Relay Agent radio button
and then select the Relay Agent Settings tab to go to the setup page, see the
following figure.
Figure 7-50 DHCP Relay Agent Settings - Comprehensive Example (DHCP Relay1)
Step 2
Select LAN from the Interface drop-down list.
Step 3
Select the Enable DHCP Relay Agent check box.
Step 4
Enter 200.200.200.254 in the DHCP Server 1 text box. Select insert from the
Option text box, select ascii from the Relay Agent ID drop-down list and enter
Test_Relay1 in the associated text box. Leave the default values for the other
parameters.
Step 5
Click the Save button to save the settings. You have now finished
configuring the DHCP relay agent, and you can view its configuration in
the DHCP Relay Agent List.
3) Configuring the Other DHCP Relay Agents (DHCP Relay2 ~ Relay10)
The other DHCP relay agents' configuration procedures are very similar to that of
DHCP Relay1. The difference is that each DHCP relay agent has a different Relay Agent
ID. Because the procedures are so similar, refer to the configuration procedure of DHCP
Relay1.
7.9 Switch
This section describes the Advanced > Switch page.
7.9.1 Port Mirroring
7.9.1.1 Introduction to Port Mirroring
Port mirroring allows an administrator to mirror and monitor network traffic. It copies
the traffic from the specified ports to another port where the traffic can be monitored with
an external network analyzer. Then the administrator can perform traffic monitoring,
performance analysis and fault diagnosis.
7.9.1.2 Port Mirroring Setup
Figure 7-51 Port Mirroring Settings
◆ Enable Port Mirroring: It allows you to enable or disable port mirroring. If you want to
enable port mirroring on the Device, select this check box. By default, LAN
Port 1 is the mirroring port, which can't be changed. If port mirroring is enabled,
LAN Port 1 will mirror the traffic of the other LAN ports.
◆ Click the Save button to save the port mirroring settings.
Note
If the LAN switch ports belong to different VLANs, only the traffic of the ports on the
same VLAN as the Port 1 can be mirrored.
7.9.2 Port-Based VLAN
7.9.2.1 Introduction to VLAN
A VLAN (Virtual Local Area Network) is a group of devices that form a logical LAN
segment, that is, a broadcast domain. The members of the same VLAN can communicate
with each other. Traffic does not cross between different VLANs, that is, any traffic
(unicast, broadcast or multicast) within a VLAN doesn't flow to another VLAN. The VLAN
feature offers the benefits of both security and performance. VLAN is used to isolate traffic
between different users, which provides better security. Limiting the broadcast traffic within
the same VLAN broadcast domain also enhances performance.
The Device provides port-based VLAN, which is defined according to the switch ports on
the Device. You can assign a VLAN ID to each switch port. The ports that have the same
VLAN ID will be grouped into a VLAN. The ports that belong to the same VLAN can
communicate with each other, but the ports that belong to different VLANs can't
communicate. For example, if a port belongs to VLAN 1 and another port belongs to VLAN
2, the two ports will not be able to communicate with each other.
7.9.2.2 Port-Based VLAN Setup
Figure 7-52 Port-Based VLAN Setup
◆ Port 1 VLAN ID ~ Port 5 VLAN ID: They specify the VLAN IDs of the five switch
ports. You can assign a VLAN ID to each switch port
respectively. The ports that have the same VLAN ID will be grouped into a VLAN,
which is independent of the other ports.
◆ Save: Click it to save the VLAN settings.
Note
1. The ports that have the same VLAN ID will be grouped into a VLAN. The ports on the
same VLAN can communicate with each other, but the ports that belong to
different VLANs can't communicate.
2. By default, all the LAN switch ports are members of the same VLAN. The most
complex case is that each port is grouped into a VLAN of its own. For example, see
Figure 7-52: Port 1 and Port 2 are grouped into a VLAN (VLAN 1), and Port 3, Port 4 and
Port 5 are grouped into different VLANs (VLAN 2, VLAN 3 and VLAN 4)
respectively.
3. The ports within a LAG should be grouped into the same VLAN.
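Because Port 1 only mirrors ports in its own VLAN (Note in 7.9.1.2), changing VLAN IDs can silently remove ports from what a network analyzer on Port 1 sees. The added sketch below, which is not part of ReOS, applies that rule and the notes above to a port-to-VLAN table; the function names and the LAG named lag1 are hypothetical.

```python
from collections import defaultdict
from typing import Dict, List

MIRROR_PORT = 1  # LAN Port 1 is the fixed mirroring port (section 7.9.1.2)


def vlan_groups(port_vlan: Dict[int, int]) -> Dict[int, List[int]]:
    """Group switch ports by VLAN ID: ports sharing an ID form one VLAN."""
    groups = defaultdict(list)
    for port in sorted(port_vlan):
        groups[port_vlan[port]].append(port)
    return dict(groups)


def can_communicate(port_vlan: Dict[int, int], a: int, b: int) -> bool:
    """Two ports can exchange traffic only when they share a VLAN ID."""
    return port_vlan[a] == port_vlan[b]


def mirror_coverage(port_vlan: Dict[int, int]) -> Dict[str, List[int]]:
    """Split the other LAN ports into those Port 1 mirrors and those it misses."""
    mirrored, missed = [], []
    for port in sorted(port_vlan):
        if port == MIRROR_PORT:
            continue
        if can_communicate(port_vlan, MIRROR_PORT, port):
            mirrored.append(port)
        else:
            missed.append(port)
    return {"mirrored": mirrored, "not_mirrored": missed}


def lag_violations(port_vlan: Dict[int, int],
                   lags: Dict[str, List[int]]) -> List[str]:
    """Names of LAGs whose member ports are spread over several VLANs (Note 3)."""
    return [name for name, members in sorted(lags.items())
            if len({port_vlan[p] for p in members}) > 1]


# Port-to-VLAN assignment described for Figure 7-52 in Note 2.
FIGURE_7_52 = {1: 1, 2: 1, 3: 2, 4: 3, 5: 4}
# Default state: every LAN switch port in the same VLAN.
DEFAULT = {1: 1, 2: 1, 3: 1, 4: 1, 5: 1}

if __name__ == "__main__":
    for label, table in (("default", DEFAULT), ("Figure 7-52", FIGURE_7_52)):
        print(label, vlan_groups(table), mirror_coverage(table))
    # Hypothetical LAG over ports 3 and 4, which sit in different VLANs.
    print(lag_violations(FIGURE_7_52, {"lag1": [3, 4]}))
```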
7.10 Miscellaneous
This section describes the Advanced > Miscellaneous page, which includes the Miscellaneous,
Scheduled Task List, and Scheduled Task Settings subpages.
7.10.1 Miscellaneous
Figure 7-53 Miscellaneous
◆ Enable Internet Connection Sharing Protection Shield: It allows you to enable or
disable Internet connection sharing protection shield. When your ISP forbids you from
sharing a single Internet connection, you can select the check box to enable this
feature, then all your LAN hosts still can share the Internet connection to access the
Internet.
◆ Enable Traffic Destined for Same IP Address via Different WANs: It allows you to
enable or disable traffic destined for same IP address via different WANs. When using
multiple Internet connections to access the Internet, if you select this check box, the
packets destined for the same IP address will be transmitted through different Internet
connections to implement load balancing.
◆ Save: Click it to save your settings.
7.10.2 Scheduled Task
By default, if you click the Display Scheduled Task hyperlink in the Advanced >
Miscellaneous page (see Figure 7-53), it will jump to the Scheduled Task Settings page,
see Figure 7-54. But if you have created one or more scheduled tasks, it will jump to the
Scheduled Task List page.
Figure 7-54 Scheduled Task Settings
◆ Task Name: It indicates the sequence number of the task, and it is read-only.
◆ Repeat: It specifies how often or when the Device will perform the task. The available
options are Every Week, Every Day, Every Hour, Every Minute, or When Starting.
◆ Start Time: It specifies the time at which the Device will start to perform the task. Its
settings will change according to the value of Repeat.
◆ Task Type: It specifies the type of the task. The available options are Predefined and
User-defined.
● Predefined: If you want to add a new predefined task, select this option,
and then select a predefined task from the Task Content. Currently the Device
provides two predefined scheduled tasks, Bind All and Restart: Bind
All means that the Device will bind all the IP/MAC address pairs periodically;
Restart means that the Device will restart itself periodically.
● User-defined: If you want to add a new user-defined task, please select this
option, and then enter the related CLI command in the Task Content. Note that
you can only enter one command for one task.
◆ Task Content: It specifies the content of the task.
◆ Save: Click it to save the scheduled task settings.
Chapter 8 NAT
This chapter describes how to configure and use NAT features, including port forwarding,
DMZ hosts, NAT rule and UPnP.
8.1 Port Forwarding
This section describes the NAT > Port Forwarding page, which allows you to configure
port forwarding rules.
8.1.1 Introduction to Port Forwarding
By default, NAT is enabled on the Device, so the Device will block all the requests initiated
from outside users. In some cases, the outside users want to access the LAN internal
servers through the Device. To achieve this purpose, you need to create port forwarding
rules or DMZ hosts on the Device.
Using port forwarding, you can create the mapping between  and , then all the requests from outside
users to the specified external IP address: port on the Device will be forwarded to the
mapped local server, so the outside users can access the service offered by the local
server.
For example, if you want to allow the local SMTP server (IP address: 192.168.16.88) to be
available to the outside users, you can create a port forwarding rule: external IP address is
WAN1 IP address (200.200.201.88 in this example), external port is 2100, internal IP
address is 192.168.16.88, and internal port is 25. Then all the requests for SMTP from
outside users to 200.200.201.88:2100 will be forwarded to 192.168.16.88:25.
8.1.2 Port Forwarding Settings
Figure 8-1 Port Forwarding Settings
◆ Protocol: It specifies the transport protocol used by the service. The available
options are TCP, UDP and GRE.
◆ Start External Port: It specifies the lowest port number provided by the Device. The
external ports are opened for outside users to access.
◆ Internal IP Address: It specifies the IP address of the local host that provides the
service.
◆ Start Internal Port: It specifies the lowest port number of the service provided by the
LAN host. The Start External Port and Start Internal Port can be different.
◆ Port Count: It specifies the number of service ports provided by the LAN host. If the
service uses only one port number, enter 1. The maximum value is 20. For example,
if the start internal port is 21, the start external port is 2001 and the port count is 10,
then the internal port range is from 21 to 30, and the external port range is from 2001
to 2010.
◆ Bind to: It specifies the NAT rule to which this port forwarding rule is bound. The port
forwarding rule will use the NAT rule's external IP address as its external IP address.
The available options are:
● Each EasyIP NAT rule's ID: It stands for the corresponding NAT rule respectively.
● WANx (x: 1, 2, 3, 4): It stands for the system reserved NAT rule bound to the
Internet connection on the selected WAN interface. The reserved NAT rule uses
the WAN interface's IP address as its external IP address.
http://www.uttglobal.com
Page 202
UTT Technologies
Chapter 8 NAT
—
Description: It specifies the description of the port forwarding rule.
ž
Save: Click it to save the port forwarding rule settings.
Note
1. If you choose the Protocol as GRE, you should set the Start External Port and Start
   Internal Port to 0, and set the Port Count to 1.
2. After you have enabled some features (such as HTTP management in the System >
   Remote Admin page), the system will automatically create some port forwarding
   rules, which cannot be modified or deleted.
8.1.3 Port Forwarding List
Figure 8-2 Port Forwarding List
• Add a Port Forwarding Rule: If you want to add a new port forwarding rule, click the
  New button or select the Port Forwarding Settings tab to go to the setup page, and
  then configure it, lastly click the Save button.
• View Port Forwarding Rule(s): When you have configured some port forwarding
  rules, you can view them in the Port Forwarding List.
• Edit a Port Forwarding Rule: If you want to modify a configured port forwarding rule,
  click its Edit hyperlink, the related information will be displayed in the setup page.
  Then modify it, and click the Save button.
• Delete Port Forwarding Rule(s): If you want to delete one or more port forwarding
  rules, select the leftmost check boxes of them, and then click the Delete button.
8.1.4 How to Add the Port Forwarding Rules
If you want to add one or more port forwarding rules, do the following:
Step 1: Go to the NAT > Port Forwarding page, and then click the New button or
select the Port Forwarding Settings tab to go to the setup page.
Step 2: Specify the Protocol, Internal IP Address and Start Internal Port as required.
Step 3: Specify the Start External Port as required. The Start External Port and Start
Internal Port can be different.
Step 4: If the open service uses a range of consecutive ports, you need to specify the
Port Count.
Step 5: Select a NAT rule from the Bind to drop-down list as required. The port
forwarding rule will use the selected NAT rule's external IP address as its
external IP address.
Step 6: Click the Save button to save the settings. You can view the port forwarding rule
in the Port Forwarding List.
Step 7: If you want to add another new port forwarding rule, please repeat the above
steps.
Note
If you want to delete one or more port forwarding rules, select the leftmost check
boxes of them in the Port Forwarding List, and then click the Delete button.
8.1.5 Configuration Examples for Port Forwarding
8.1.5.1 Example One
An organization wants a LAN server (IP Address: 192.168.16.88) to open syslog service
(Protocol: UDP; Port: 514) to the outside users. And the Device will use 2514 as the
external port and the WAN1 IP address (200.200.200.88 in this example) as the external
IP address. Then all the requests for syslog from outside users to 200.200.200.88:2514
will be forwarded to 192.168.16.99:514.
The following figure shows the detailed settings.
Figure 8-3 Port Forwarding Settings - Example One
8.1.5.2 Example Two
An organization wants a LAN server (IP Address: 192.168.16.100) to open ftp service
(Protocol: TCP; Port: 20, 21) to the outside users. And the Device will use 2020 and 2021
as the external ports and the WAN2 IP address (200.200.201.18 in this example) as the
external IP address. As the ftp service uses two ports, we need to set the Port Count to 2.
Then all the requests for ftp from outside users to 200.200.201.18:2020 or
200.200.201.18:2021 will be forwarded to 192.168.16.100:20 or 192.168.16.100:21.
The following figure shows the detailed settings.
Figure 8-4 Port Forwarding Settings - Example Two
8.1.5.3 Example Three
An organization obtains eight public IP addresses (from 218.1.21.0/29 to 218.1.21.7/29)
from the ISP. Therein, 218.1.21.1/29 is used as the Internet connection's gateway IP
address, 218.1.21.2/29 is used as the Device's WAN1 interface's IP address.
The organization wants a LAN server (IP Address: 192.168.16.88) to open SMTP service
(Protocol: TCP; Port: 25) to the outside users. And the Device will use 2025 as the
external port and 218.1.21.3 as the external IP address.
Firstly, we need to create a NAT rule, and set its External IP Address to 218.1.21.3, see
section 8.3.5 How to Add the NAT Rules for detailed information. Then we need to
create the port forwarding rule, and select the NAT rule's ID (4 in this example) from the
Bind to drop-down list.
The following figure shows the detailed settings.
Figure 8-5 Port Forwarding Settings - Example Three
8.2 DMZ Host
This section describes the NAT > DMZ page.
8.2.1 Introduction to DMZ host
The DMZ (Demilitarized Zone) host allows one local host to be exposed to the Internet for
the use of a special service such as online game or video conferencing. When receiving
the requests initiated from outside users, the Device will directly forward these requests to
the specified DMZ host.
For the Device that has multiple WAN interfaces, it allows you to create one global DMZ
host, and several interface DMZ hosts which are bound to each WAN interface
respectively.
• Global DMZ host: You can access the global DMZ host through different Internet
  connections at the same time.
• Interface DMZ host: You can only access the interface DMZ host through the
  corresponding Internet connection.
Note
When a local host is designated as the DMZ host, it loses firewall protection provided
by the Device. As the DMZ host is exposed to many exploits from the Internet, it may
be used to attack your network.
8.2.2 DMZ Host Settings
8.2.2.1 Global DMZ Host Settings
Figure 8-6 Global DMZ Host Settings
• DMZ IP: It specifies the private IP address of the global DMZ host.
• Save: Click it to save the global DMZ host settings.
8.2.2.2 Interface DMZ Host Settings
Figure 8-7 Interface DMZ Host Settings
• WANx DMZ IP: It specifies the private IP address of the interface DMZ host which is
  bound to the WAN interface. Therein, x (value: 1, 2, 3, 4) indicates the corresponding
  WAN interface, and the number of WAN interfaces depends on the specific product
  model.
• Save: Click it to save the interface DMZ host settings.
8.2.3 The Priorities of Port Forwarding and DMZ Host
The port forwarding has higher priority than the DMZ host. When receiving a request
packet initiated from an outside user, the Device will firstly search the Port Forwarding
List to find out if there is a port forwarding rule matching the destination IP address and
port of the packet. If a match is found, the Device will forward the packet to the mapped
local host. Else, the Device will try to find out if there is an available DMZ host.
And the interface DMZ host has higher priority than the global DMZ host. Only when there
is no interface DMZ host available to the request packet, the Device will choose the global
DMZ host.
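The lookup order described above, together with the Port Count arithmetic and the GRE constraint from section 8.1.2, as an added Python model for auditing what a configuration exposes (it is not UTT's code). The rule set combines addresses from the manual's own examples; the DMZ host addresses, the unchanged destination port on DMZ forwarding, and the "no-match" result are assumptions.

```python
from dataclasses import dataclass

MAX_PORT_COUNT = 20  # 8.1.2: "The maximum value is 20"


@dataclass(frozen=True)
class PortForward:
    protocol: str             # "TCP", "UDP" or "GRE"
    external_ip: str          # external IP address of the NAT rule chosen in "Bind to"
    start_external_port: int
    internal_ip: str
    start_internal_port: int
    port_count: int = 1

    def validate(self):
        """Raise ValueError if the rule breaks a constraint stated in 8.1.2."""
        if self.protocol not in ("TCP", "UDP", "GRE"):
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        if not 1 <= self.port_count <= MAX_PORT_COUNT:
            raise ValueError("Port Count must be between 1 and 20")
        starts = (self.start_external_port, self.start_internal_port)
        if self.protocol == "GRE":
            if starts != (0, 0) or self.port_count != 1:
                raise ValueError("GRE needs both start ports 0 and Port Count 1")
            return
        for start in starts:
            # 1-65535 is the general TCP/UDP port space, not a limit quoted by the manual.
            if start < 1 or start + self.port_count - 1 > 65535:
                raise ValueError("port range falls outside 1-65535")

    def port_pairs(self):
        """(external port, internal port) for every port the rule opens."""
        return [(self.start_external_port + i, self.start_internal_port + i)
                for i in range(self.port_count)]

    def translate(self, protocol, dst_ip, dst_port):
        """Return (internal IP, internal port) if the packet matches, else None."""
        if protocol != self.protocol or dst_ip != self.external_ip:
            return None
        offset = dst_port - self.start_external_port
        if 0 <= offset < self.port_count:
            return self.internal_ip, self.start_internal_port + offset
        return None


def resolve_inbound(protocol, wan, dst_ip, dst_port, forwards, interface_dmz, global_dmz):
    """Apply the order in 8.2.3: port forwarding, then interface DMZ, then global DMZ."""
    for rule in forwards:
        hit = rule.translate(protocol, dst_ip, dst_port)
        if hit is not None:
            return ("port-forward",) + hit
    if interface_dmz.get(wan):
        # Assumption: the DMZ host receives the packet on the original destination port.
        return ("interface-dmz", interface_dmz[wan], dst_port)
    if global_dmz:
        return ("global-dmz", global_dmz, dst_port)
    return ("no-match", None, None)  # handling of this case is not covered by this section


# Constructed rule set built from the manual's examples.
FORWARDS = [
    PortForward("TCP", "200.200.201.88", 2100, "192.168.16.88", 25),      # SMTP example
    PortForward("TCP", "200.200.201.18", 2020, "192.168.16.100", 20, 2),  # Example Two (ftp)
]
INTERFACE_DMZ = {"WAN2": "192.168.16.50"}  # hypothetical interface DMZ host
GLOBAL_DMZ = "192.168.16.60"               # hypothetical global DMZ host

if __name__ == "__main__":
    for rule in FORWARDS:
        rule.validate()
    probes = [("TCP", "WAN1", "200.200.201.88", 2100),
              ("TCP", "WAN2", "200.200.201.18", 2021),
              ("TCP", "WAN2", "200.200.201.18", 3389),
              ("TCP", "WAN1", "200.200.201.88", 3389)]
    for probe in probes:
        print(probe, "->", resolve_inbound(*probe, FORWARDS, INTERFACE_DMZ, GLOBAL_DMZ))
```

Every destination port that no port forwarding rule claims resolves to a DMZ host when one is configured, which is the exposure the Note in section 8.2.1 warns about.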
8.3 NAT Rule
8.3.1 Introduction to NAT
The NAT (Network Address Translation) is an Internet standard that is used to map one IP
address space (i.e., Intranet) to another IP address space (i.e., Internet). The NAT is
designed to alleviate the shortage of IP addresses, that is, it allows all the LAN hosts to
share a single or a small group of IP addresses: On the Internet, there is only a single
device using a single or a small group of public IP addresses; but the LAN hosts can use
any range of private IP addresses, and these IP addresses are not visible from the
Internet. As the internal network can be effectively isolated from the outside world, the
NAT can also provide the benefit of network security assurance.
The Device provides flexible NAT features, and the following sections will describe them in
detail.
8.3.1.1 NAT Address Space Definitions
To ensure that NAT operates properly, the Device uses and maintains two address
spaces:
• Internal IP address: It indicates the IP address that is assigned to a LAN host by the
  administrator. It is usually a private IP address.
• External IP address: It indicates the IP address that is assigned to the Device's
  Internet connection by the ISP. It is a legal public IP address that can represent one or
  more internal IP addresses to the outside world.
8.3.1.2 NAT Types
The Device provides three types of NAT: One2One, EasyIP and Passthrough.
• One2One (One to One): It indicates static network address translation. It is also
  referred to as Basic NAT, which provides a one to one mapping between an internal
  and an external IP address. In this type of NAT, the IP address needs to be changed,
  but the port does not.
  One to One NAT can be used to allow the outside users to access a LAN server: In the
  local network, the LAN server still uses the private IP address, which the LAN hosts
  use to access it; and on the Internet, the Device will assign an external IP address
  to the local server, then the outside users can use this external IP address to access
  the server through the Device.
• EasyIP: It indicates network address and port translation (NAPT). Since it is the most
  common type of NAT, it is often simply referred to as NAT. NAPT provides many-to-one
  mappings between multiple internal IP addresses and a single external IP address,
  that is, these multiple internal IP addresses will be translated to the same external IP
  address. In this type of NAT, to avoid ambiguity in the handling of returned packets, it
  must dynamically assign a TCP/UDP port to an outgoing session and change the
  packets' source port to the assigned port before forwarding them. Besides, the Device
  must maintain a translation table so that return packets can be correctly translated
  back.
• Passthrough: It indicates bypassing NAT when NAT is enabled. If you enable NAT, the
  LAN hosts must match a NAT rule when accessing outside hosts. So if you do not want
  to perform NAT for some LAN hosts, you can use this function to bypass NAT for those
  hosts. It is often used for some particular applications that do not support NAT well,
  such as online game or video conferencing. To ensure that these applications run
  properly, you can set aside a voice and video area in the LAN, and create a
  Passthrough NAT rule for the hosts in this area. Then the Device will not perform
  NAT for them, that is, the packets sent by these hosts to the outside hosts will be
  directly routed and forwarded.
When you obtain multiple public IP addresses from your ISP, you can create more than one
NAT rule for each type of NAT. In actual network environment, different types of NAT rules are
often used together.
8.3.1.3 The Relations of Internet Connection, NAT Rule and Port Forwarding Rule
On the Device, the relations of the Internet connection, NAT rule and port forwarding rule
are as follows:
• A NAT rule should be bound to an Internet connection. You can bind multiple NAT
  rules to the same Internet connection.
• A port forwarding rule should be bound to an EasyIP NAT rule (that is, the NAT rule's
  type is EasyIP), and the port forwarding rule will use the NAT rule's external IP address
  as its external IP address. You can bind multiple port forwarding rules to the same
  EasyIP NAT rule.
• Only after you have configured an Internet connection can you create a NAT rule which
  is bound to this Internet connection; and only after you have configured an EasyIP NAT
  rule can you create a port forwarding rule which is bound to this EasyIP NAT rule.
8.3.1.4 System Reserved NAT Rules
After you have finished configuring the WAN1 Internet connection through the Quick
Wizard, or configuring the WAN1 Internet connection and other connections in the Basic >
WAN page, the Device will automatically create a NAT rule for each Internet connection
respectively.
For convenience, we call them system reserved NAT rules in the manual. You can view them in
the NAT Rule List. By default, a system reserved NAT rule's Type is EasyIP, Bind to is the
WAN interface on which the Internet connection is established, external IP Address is 0.0.0.0
which means this NAT rule will directly use the WAN interface's IP address as its external IP
address.
8.3.2 NAT and Multi-WAN Load Balancing
8.3.2.1 Overview
The section 6.3 Load Balancing describes load balancing among multiple Internet
connections. In practice, that feature is implemented on top of the NAT feature.
8.3.2.2 Assigning Preferential Channel according to Source IP
Here, the channel stands for the NAT rule, which determines NAT type, external IP
address and Internet connection used by the LAN hosts to surf the Internet.
On the Device, you can assign a preferential channel to some LAN hosts in advance by
specifying the NAT rule's Start Internal IP Address and End Internal IP Address, then
the LAN hosts that belong to the specified address range will preferentially use the assigned
NAT rule to access the Internet. If the assigned NAT rule is in effect, these LAN hosts can
only use this NAT rule to access the Internet. Else, the Device will treat them as free
LAN hosts (that is, the hosts that have not been assigned a preferential channel). On the
Device, you can assign different preferential channels for different LAN hosts.
8.3.2.3 Allocating Traffic according to Connection Bandwidth
On the Device, you can designate the ratio of traffic that will be allocated to each Internet
connection in advance. You can achieve this by specifying the Internet connection's
Weight: the connection that has a larger Weight will take more traffic than the connection
that has a smaller Weight. In most cases, to properly allocate traffic, you may specify each
connection's Weight according to the ratio of each connection's bandwidth.
Note that if several EasyIP NAT rules are bound to an Internet connection with multiple IP
addresses, then the Internet connection's Weight is the sum of each EasyIP NAT rule's
Weight.
Besides, when you have designated preferential channels for some LAN hosts, if you
specify each connection's Weight according to the ratio of each connection's bandwidth, the
ratio of each connection's actual traffic and the ratio of each connection's bandwidth may be
quite different. In this case, you can adjust each connection's Weight according to the actual
situation.
8.3.2.4 Two Load Balancing Policies
Note
In this section, those hosts that have not been assigned a preferential NAT rule are
called free LAN hosts.
The Load Balancing Policy is used to control and balance the traffic among multiple
Internet connections. Note that the load balancing policy only acts on the free LAN hosts.
The Load Balancing Policy is configured in the Basic > Load Balancing > Global
Settings page, and the Device provides two load balancing policies: load balancing based
on IP address and NAT session. Their implementation mechanisms are as follows.
1. Load Balancing Based on IP Address
Note that here we assume that each LAN host only has one IP address.
If you choose IP address as the load balancing policy, the Device will assign the free LAN
hosts' IP addresses to each EasyIP NAT rule in turn. The ratio of the numbers of the IP
addresses assigned to each EasyIP NAT rule is the same as the ratio of each rule's
Weight. In this case, the NAT sessions initiated from the same IP address will use the
same NAT rule, that is, a LAN host will use only one NAT rule to access the Internet.
For example, there are three EasyIP NAT rules whose Weights are 3, 2 and 1
respectively. Then in the sequence of accessing the Internet, the first, second and third
free hosts will use the first rule, the fourth and fifth free hosts will use the second rule, the
sixth free host will use the third rule; then the seventh, eighth and ninth free hosts will use
the first rule ... and so on.
2. Load Balancing Based on NAT Session
If you choose NAT session as the load balancing policy, the Device will assign the NAT
sessions to each EasyIP NAT rule in turn. The ratio of the numbers of the NAT sessions
assigned to each EasyIP NAT rule is the same as the ratio of each rule's Weight. In this
case, the NAT sessions initiated from the same LAN host will use different NAT rules, that
is, a LAN host will use several NAT rules to access the Internet.
For example, there are three EasyIP NAT rules whose Weights are 3, 2 and 1
respectively. Then in the sequence of accessing the Internet, the first, second and third
NAT sessions initiated from the free LAN hosts will use the first rule, the fourth and fifth
NAT sessions will use the second rule, the sixth NAT session will use the third rule; then
the seventh, eighth and ninth NAT sessions will use the first rule ... and so on.
3. How to Choose the Load Balancing Policy
In most cases, it is suggested that you choose IP address as the load balancing policy. If
you want to use some applications that need high bandwidth, such as NetAnts,
FlashGet, Net Transport, and other multi-threaded download managers (multi-threaded
download means that it can split a file into several pieces and download the pieces
simultaneously, and merge them together once downloaded), you may choose NAT
session as the load balancing policy to take full advantage of multiple Internet connections'
bandwidth to increase download speed. Note that even if you choose NAT session as the
load balancing policy, the bandwidth of each Internet connection cannot be aggregated
fully when the related download website is busy or for some other reasons, so some
applications may not run smoothly.
8.3.2.5 The Priorities of NAT Rules
When receiving a request packet initiated from a LAN host to access the Internet, the
Device will firstly search the NAT Rule List to find out if there is a NAT rule matching the
source IP address of the packet, that is, the host's IP address belongs to the address
range specified by the Start Internal IP Address and End Internal IP Address of the
NAT rule. If a match is found, the Device will assign the matched NAT rule to the host, and
then the host will use this rule to access the Internet. Else, the Device will assign the
EasyIP NAT rule to the host. If there are several EasyIP NAT rules, the Device will assign
the IP addresses or NAT sessions to each EasyIP NAT rule in turn. Then the Device will
effectively control and balance the traffic among multiple Internet connections.
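The two policies in section 8.3.2.4 and the lookup order in section 8.3.2.5, as an added Python model (not UTT's code). The rule names R1 to R3 and GAME are hypothetical and the session list is constructed; the model assumes every rule is in effect and that hosts with a preferential rule do not consume a turn in the rotation.

```python
import ipaddress
from itertools import cycle


class NatBalancer:
    """Assigns free LAN hosts or NAT sessions to EasyIP NAT rules in turn, by Weight."""

    def __init__(self, easyip_rules, policy, preferential=()):
        # easyip_rules: [(rule name, Weight)], preferential: [(start IP, end IP, rule name)]
        if policy not in ("ip", "session"):
            raise ValueError("policy must be 'ip' or 'session'")
        if not easyip_rules:
            raise ValueError("at least one EasyIP NAT rule is required")
        for name, weight in easyip_rules:
            if not 1 <= weight <= 255:  # Weight range given in 8.3.3.1
                raise ValueError(f"{name}: Weight must be between 1 and 255")
        self.policy = policy
        # One turn per unit of Weight: Weights 3, 2, 1 give R1 R1 R1 R2 R2 R3, repeated.
        self._turns = cycle([name for name, weight in easyip_rules for _ in range(weight)])
        self._preferential = [
            (ipaddress.ip_address(lo), ipaddress.ip_address(hi), name)
            for lo, hi, name in preferential
        ]
        self._host_rule = {}  # free host -> rule, used by the IP address policy only

    def rule_for_session(self, src_ip):
        """Return the NAT rule used by one new NAT session from src_ip."""
        addr = ipaddress.ip_address(src_ip)
        # 8.3.2.5: a rule whose internal address range contains the host wins first.
        for lo, hi, name in self._preferential:
            if lo <= addr <= hi:
                return name
        if self.policy == "session":
            return next(self._turns)       # every session takes the next turn
        if src_ip not in self._host_rule:  # IP address policy: one turn per host
            self._host_rule[src_ip] = next(self._turns)
        return self._host_rule[src_ip]


def egress_rules_per_host(balancer, sessions):
    """Map each source host to the list of rules its sessions were given, in order."""
    seen = {}
    for src in sessions:
        seen.setdefault(src, []).append(balancer.rule_for_session(src))
    return seen


RULES = [("R1", 3), ("R2", 2), ("R3", 1)]                     # Weights from the manual's example
PREFERENTIAL = [("192.168.16.10", "192.168.16.100", "GAME")]  # range from section 8.3.6.1
# Constructed session order: one busy host, one quiet host, one host in the game area.
SESSIONS = ["192.168.16.201"] * 4 + [
    "192.168.16.202", "192.168.16.50", "192.168.16.202", "192.168.16.201",
]

if __name__ == "__main__":
    for policy in ("ip", "session"):
        balancer = NatBalancer(RULES, policy, PREFERENTIAL)
        print(policy, egress_rules_per_host(balancer, SESSIONS))
```

With the NAT session policy the same internal host leaves through several NAT rules, so anything that correlates activity by external IP address has to account for one host appearing behind more than one address.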
8.3.3 NAT Rule Settings
The following sections describe three types of NAT rules respectively, which include:
EasyIP NAT (see Figure 8-8), One2One NAT (see Figure 8-9), and Passthrough NAT
(see Figure 8-10).
Note
When using multi-NAT (that is, you get multiple public IP addresses from your ISP) on
a WAN interface, you should enable NAT proxy ARP on the interface. The operation
is as follows: Go to the Basic > WAN > WAN List page, click the Edit hyperlink of the
related Internet connection to go to its setup page, click the Advanced Options, and
then select Nat from the Proxy ARP drop-down list, lastly click the Save button.
8.3.3.1 EasyIP NAT Rule Settings
Figure 8-8 EasyIP NAT Rule Settings
• NAT Type: It specifies the type of the NAT rule. The available options are EasyIP,
  One2One, and Passthrough. Here please select EasyIP.
• External IP Address: It specifies the external IP address to which the LAN hosts' IP
  addresses are mapped. A system reserved NAT rule's external IP address is 0.0.0.0,
  which means that the rule will use the related WAN interface's IP address as its
  external IP address; and it is non-editable. A user-defined NAT rule's external IP
  address can be neither 0.0.0.0 nor the WAN interface's IP address, that is, you can
  only use the other public IP addresses provided by your ISP as its external IP
  addresses.
• Start Internal IP Address and End Internal IP Address: They specify the internal
  address range of the NAT rule. The LAN hosts that belong to this address range will
  preferentially use the NAT rule.
• Weight: It specifies the weight of the NAT rule. It should be a number between 1 and
  255. The default value is 1.
• Bind to: It specifies an Internet connection to which the NAT rule is bound. The LAN
  hosts that match the NAT rule will access the Internet through this Internet
  connection.
• Description: It specifies the description of the NAT rule.
• Save: Click it to save the NAT rule settings.
8.3.3.2 One2One NAT Rule Settings
Figure 8-9 One2One NAT Rule Settings
• NAT Type: It specifies the type of the NAT rule. The available options are EasyIP,
  One2One, and Passthrough. Here please select One2One.
• Start External IP Address: It specifies the start external IP address to which the start
  internal IP address is mapped.
• Start Internal IP Address and End Internal IP Address: They specify the internal
  address range of the NAT rule. The LAN hosts that belong to this address range will
  use the NAT rule.
• Bind to: It specifies an Internet connection to which the NAT rule is bound. The LAN
  hosts that match the NAT rule will access the Internet through this Internet
  connection.
• Description: It specifies the description of the NAT rule.
• Save: Click it to save the NAT rule settings.
Note
1. When creating a One2One NAT rule, you should set the Start External IP Address,
   and the number of the external IP addresses is the same as the number of internal
   IP addresses, which is determined by the Start Internal IP Address and End
   Internal IP Address. For example, if the Start Internal IP Address is 192.168.16.6,
   End Internal IP Address is 192.168.16.8, and Start External IP Address is
   200.200.200.116, then 192.168.16.6, 192.168.16.7, and 192.168.16.8 will be mapped
   to 200.200.200.116, 200.200.200.117, and 200.200.200.118 respectively.
2. To allow both LAN hosts and Internet hosts to access a One2One NAT
   rule's external IP addresses (that is, public IP addresses), after you have finished
   configuring the One2One NAT rule, the Device will automatically create the related
   static routes and enable NAT proxy ARP (by selecting Nat from the Proxy ARP
   drop-down list) on the related WAN interface. You can go to the Advanced > Static
   Route page to view those static routes in the Static Route List; therein, the static
   route's Destination IP is a public IP address, and Gateway IP is the related WAN
   interface's IP address.
8.3.3.3 Passthrough NAT Rule Settings
Figure 8-10 Passthrough NAT Rule Settings
• NAT Type: It specifies the type of the NAT rule. The available options are EasyIP,
  One2One, and Passthrough. Here please select Passthrough.
• Start Internal IP Address and End Internal IP Address: They specify the internal
  address range of the NAT rule. They are usually public IP addresses provided by the
  ISP. The LAN hosts that belong to this address range will use the Passthrough NAT
  rule; that is, the Device will not perform NAT for them, so the packets sent by these
  hosts to the outside hosts will be directly routed and forwarded. Note that the internal
  address range of a Passthrough NAT rule should not overlap with the external
  address range of any EasyIP or One2One NAT rule.
• Bind to: It specifies an Internet connection to which the NAT rule is bound. The LAN
  hosts that match the NAT rule will access the Internet through this Internet
  connection.
• Description: It specifies the description of the NAT rule.
• Save: Click it to save the NAT rule settings.
8.3.4 NAT Rule List
Figure 8-11 NAT Rule List
• Add a NAT Rule: If you want to add a new NAT rule, click the New button or select
  the NAT Rule Settings tab to go to the setup page, and then configure it, lastly click
  the Save button.
• View NAT Rule(s): When you have configured some NAT rules, you can view them in
  the NAT Rule List.
• Edit a NAT Rule: If you want to modify a configured NAT rule, click its Edit hyperlink,
  the related information will be displayed in the setup page. Then modify it, and click
  the Save button.
• Delete NAT Rule(s): If you want to delete one or more NAT rules, select the leftmost
  check boxes of them, and then click the Delete button.
8.3.5 How to Add the NAT Rules
If you want to add one or more NAT rules, do the following:
Step 1: Please decide the type of the NAT rule.
Step 2: Go to the NAT > NAT Rule page, and then click the New button or select the
NAT Rule Settings tab to go to the setup page.
Step 3: Select a type from the NAT Type drop-down list as required.
Step 4: There are three cases:
  1) If the NAT rule's type is EasyIP, please specify the External IP Address,
     Start Internal IP Address, End Internal IP Address, and Weight as
     required.
  2) If the NAT rule's type is One2One, please specify the Start External IP
     Address, Start Internal IP Address, and End Internal IP Address as
     required.
  3) If the NAT rule's type is Passthrough, please specify the Start Internal IP
     Address and End Internal IP Address as required.
Step 5: Select an Internet connection from the Bind to drop-down list as required.
Step 6: Click the Save button to save the settings. You can view the NAT rule in the
NAT Rule List.
Step 7: If you want to add another new NAT rule, please repeat the above steps.
Note
1. If you want to delete one or more NAT rules, select the leftmost check boxes of them
   in the NAT Rule List, and then click the Delete button. Note that you cannot delete
   the system reserved NAT rules here.
2. A system reserved NAT rule's external IP address is 0.0.0.0, which means that the
   rule will use the related WAN interface's IP address as its external IP address; and it
   is non-editable. A user-defined NAT rule's external IP address can be neither 0.0.0.0
   nor the related WAN interface's IP address, that is, you can only use the other public
   IP addresses provided by your ISP as its external IP addresses.
3. The internal IP address ranges of the NAT rules should not overlap each other, and
   neither should their external IP address ranges; and the internal IP address
   range of a Passthrough NAT rule should not overlap with the external IP address
   range of any EasyIP or One2One NAT rule.
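The address constraints in notes 2 and 3, together with the One2One mapping arithmetic from section 8.3.3.2, as an added Python pre-check for a planned set of user-defined NAT rules (not UTT's code). The rule IDs and the finding names are hypothetical, the rule sets are constructed from addresses used in the manual's examples, and system reserved rules are left out of the check.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

ip = ipaddress.IPv4Address


@dataclass(frozen=True)
class NatRule:
    rule_id: str
    nat_type: str        # "EasyIP", "One2One" or "Passthrough"
    start_internal: str
    end_internal: str
    external: str = ""   # EasyIP: External IP Address; One2One: Start External IP Address


def internal_range(rule):
    lo, hi = int(ip(rule.start_internal)), int(ip(rule.end_internal))
    if lo > hi:
        raise ValueError(f"{rule.rule_id}: Start Internal IP Address is above the end address")
    return lo, hi


def external_range(rule):
    """External addresses the rule occupies, or None for a Passthrough rule."""
    if rule.nat_type == "Passthrough":
        return None
    first = int(ip(rule.external))
    if rule.nat_type == "EasyIP":
        return first, first
    lo, hi = internal_range(rule)
    return first, first + (hi - lo)  # One2One: as many external as internal addresses


def one2one_map(rule):
    """Internal -> external address pairs of a One2One rule (note 1 in 8.3.3.2)."""
    lo, hi = internal_range(rule)
    first = int(ip(rule.external))
    return {str(ip(lo + i)): str(ip(first + i)) for i in range(hi - lo + 1)}


def overlaps(a, b):
    return a is not None and b is not None and a[0] <= b[1] and b[0] <= a[1]


def check_rules(rules, wan_ip):
    """Return a list of findings; an empty list means the notes' constraints hold."""
    findings = []
    for r in rules:
        # Note 2: a user-defined rule may use neither 0.0.0.0 nor the WAN interface's address.
        if r.nat_type == "EasyIP" and r.external in ("0.0.0.0", wan_ip):
            findings.append(("easyip-external-reserved", r.rule_id))
    for a, b in combinations(rules, 2):
        # Note 3: internal ranges must not overlap, and neither must external ranges.
        if overlaps(internal_range(a), internal_range(b)):
            findings.append(("internal-overlap", a.rule_id, b.rule_id))
        if overlaps(external_range(a), external_range(b)):
            findings.append(("external-overlap", a.rule_id, b.rule_id))
        # Note 3: a Passthrough internal range must stay clear of other rules' external ranges.
        for p, other in ((a, b), (b, a)):
            if p.nat_type == "Passthrough" and overlaps(internal_range(p), external_range(other)):
                findings.append(("passthrough-vs-external", p.rule_id, other.rule_id))
    return findings


# Constructed rule sets; addresses are taken from the examples in sections 8.3.3.2 and 8.3.6.
GOOD_RULES = [
    NatRule("game", "EasyIP", "192.168.16.10", "192.168.16.100", "218.1.21.3"),
    NatRule("servers", "One2One", "192.168.16.200", "192.168.16.203", "202.1.1.131"),
    NatRule("routed", "Passthrough", "202.96.100.2", "202.96.100.30"),
]
BAD_RULES = [
    NatRule("game", "EasyIP", "192.168.16.10", "192.168.16.100", "218.1.21.3"),
    NatRule("mail", "One2One", "192.168.16.99", "192.168.16.101", "218.1.21.4"),
    NatRule("routed", "Passthrough", "218.1.21.6", "218.1.21.6"),
    NatRule("office", "EasyIP", "192.168.16.150", "192.168.16.180", "218.1.21.2"),
]

if __name__ == "__main__":
    print(check_rules(GOOD_RULES, wan_ip="218.1.21.2"))
    for finding in check_rules(BAD_RULES, wan_ip="218.1.21.2"):
        print(finding)
```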
8.3.6 Configuration Examples for NAT Rule
8.3.6.1 An Example for Configuring EasyIP NAT Rule
1. Requirements
In this example, an Internet café has a single Internet connection, and obtains eight public
IP addresses (from 218.1.21.0/29 to 218.1.21.7/29) from the ISP. Therein, 218.1.21.1/29
is used as the Internet connection's gateway IP address, 218.1.21.2/29 is used as the
Device's WAN1 interface's IP address. Note that 218.1.21.0/29 and 218.1.21.7/29 cannot
be used as they are the subnet number and broadcast address respectively.
The administrator wants the hosts in the online game area (its address range is from
192.168.16.10/24 to 192.168.16.100/24) to use 218.1.21.3/29 to access the Internet. To
achieve this purpose, he should create an EasyIP NAT rule for them. The rule's External
IP Address is 218.1.21.3, Start Internal IP address is 192.168.16.10, End Internal IP
Address is 192.168.16.100, and Bind to is WAN1. And we assume that the Weight is 2.
2. Configuration Procedure
The configuration steps are the following:
Step 1: Go to the NAT > NAT Rule page, and select the NAT Rule Settings tab to go to
the setup page.
Step 2: Select EasyIP from the NAT Type drop-down list, see the following figure.
Figure 8-12 EasyIP NAT Rule Settings - Example
Step 3: Enter 218.1.21.3 in the External IP Address text box, enter 192.168.16.10 in
the Start Internal IP address text box, and enter 192.168.16.100 in the End
Internal IP address text box.
Step 4: Enter 2 in the Weight text box.
Step 5: Select WAN1 from the Bind to drop-down list.
Step 6: Click the Save button to save the settings. Till now you have finished
configuring the NAT rule, and then you can view its configuration in the NAT
Rule List.
8.3.6.2 An Example for Configuring One2One NAT Rule
1. Requirements
In this example, see Figure 8-13, a business has a single static IP Internet connection,
and obtains eight public IP addresses (from 202.1.1.128/29 to 202.1.1.135/29) from the
ISP. Therein, 202.1.1.129/29 is used as the Internet connection's gateway IP address,
202.1.1.130/29 is used as the Device's WAN1 interface's IP address. Note that
202.1.1.128/29 and 202.1.1.135/29 cannot be used as they are the subnet number and
broadcast address respectively.
Figure 8-13 Network Topology for One2One NAT Rule Configuration Example
The business employees will share a single public IP address of 202.1.1.130/29 to access
the Internet. The LAN's subnet number is 192.168.16.0, and subnet mask is
255.255.255.0. And the business wants to use the remaining four public IP addresses (from
202.1.1.131/29 to 202.1.1.134/29) to create a One2One rule for the four local servers,
then the outside users can use these public addresses to access the local servers through
the Device. The four local servers' IP addresses are from 192.168.16.200/24 to
192.168.16.203/24, which are mapped to 202.1.1.131/29, 202.1.1.132/29, 202.1.1.133/29,
202.1.1.134/29 respectively.
2. Analysis
Firstly, we need to configure a static IP Internet connection on the WAN1 interface in the
Basic > WAN page or through the Quick Wizard. After you have configured the Internet
connection, the Device will automatically create a related system reserved NAT rule, and
also enable NAT.
Secondly, we need to create a One2One NAT rule for the four local servers. After you
have configured this rule, the Device will automatically create the related static route and
enable NAT proxy ARP on the WAN1 interface. Please see section 8.3.3.2 One2One
NAT Rule Settings for detailed description.
3. Configuration Procedure
Here we only describe how to create the One2One NAT rule.
The configuration steps are the following:
Step 1: Go to the NAT > NAT Rule page, and select the NAT Rule Settings tab to go to
the setup page.
Step 2: Select One2One from the NAT Type drop-down list, see the following figure.
Figure 8-14 One2One NAT Rule Settings - Example
Step 3: Enter 202.1.1.131 in the Start External IP Address text box, enter
192.168.16.200 in the Start Internal IP address text box, and enter
192.168.16.203 in the End Internal IP address text box.
Step 4: Select WAN1 from the Bind to drop-down list.
Step 5: Click the Save button to save the settings. Till now you have finished
configuring the NAT rule, and then you can view its related configuration in the
NAT Rule List.
8.3.6.3 An Example for Configuring Passthrough NAT Rule
1. Requirements
In this example, see Figure 8-15, a business has a single static IP Internet connection.
The connection IP address is 202.96.97.2/30, and the connection's gateway IP address is
202.96.97.1/30. The business employees will share the IP address of 202.96.97.2/30 to
access the Internet. The LAN's subnet number is 192.168.16.0, and subnet mask is
255.255.255.0.
Furthermore, the ISP has assigned a range of IP addresses (from 202.96.100.0/27 to
202.96.100.31/27) to the business. The business wants to assign these public IP
addresses for some local servers, and create a Passthrough NAT rule for these local
servers. Note that 202.96.100.0/27 and 202.96.100.31/27 cannot be used as they are the
subnet number and broadcast address respectively.
Figure 8-15 Network Topology for Passthrough NAT Rule Configuration Example
2. Analysis
First, we need to configure a static IP Internet connection on the WAN1 interface in the
Basic > WAN page or through the Quick Wizard. After you have configured the Internet
connection, the Device will automatically create the related system reserved NAT rule
and enable NAT.
Second, so that the opened local servers can be routed directly, we need to connect
the servers to the Device's WAN2 interface over a switch, set the WAN2 interface IP
address to 202.96.100.1/27, set each server's IP address to an IP address in the range of
202.96.100.2/27 through 202.96.100.30/27, and set each server's default gateway IP
address to 202.96.100.1/27.
Lastly, we need to create a Passthrough NAT rule for the opened local servers.
3. Configuration Procedure
Here we only describe how to create the Passthrough NAT rule.
The configuration steps are the following:
Step 1
Go to the NAT > NAT Rule page, and select the NAT Rule Settings tab to go to
the setup page.
Step 2
Select Passthrough from the NAT Type drop-down list, see the following
figure.
Figure 8-16 Passthrough NAT Rule Settings - Example
Step 3
Enter 202.96.100.2 in the Start Internal IP address text box, and enter
202.96.100.30 in the End Internal IP address text box.
Step 4
Select WAN2 from the Bind to drop-down list.
Step 5
Click the Save button to save the settings. You have now finished
configuring the NAT rule, and you can view its configuration in the NAT
Rule List.
8.4 UPnP
This section describes the NAT > UPnP page.
Universal Plug and Play (UPnP) is an architecture that implements zero-configuration
networking; that is, it provides automatic IP configuration and dynamic discovery of
UPnP-compatible devices from various vendors. A UPnP-compatible device can
dynamically join a network, obtain an IP address, announce its name, convey its
capabilities upon request, and learn about the presence and capabilities of other devices
on the network.
The Device can implement NAT traversal by enabling UPnP. When you enable UPnP, the
Device allows any UPnP-enabled device on the LAN to perform a variety of actions, including
retrieving the public IP address, enumerating existing port mappings, and adding or removing
port mappings. By adding a port mapping, a UPnP-enabled device opens the related
service ports on the Device to allow access from Internet hosts. Windows Messenger is an
example of an application that supports NAT traversal and UPnP.
The Device provides the UPnP Port Forwarding List, which lists all the port forwarding rules
established using UPnP. You can view each port forwarding rule's detailed information in the
list, which includes internal IP address, internal port, protocol, remote IP address, external port,
and description.
8.4.1 Enable UPnP
Figure 8-17 Enable UPnP
- Enable UPnP: It allows you to enable or disable UPnP. If you want to enable UPnP,
  please select this check box.
- Save: Click it to save your settings.
Note
The UPnP is enabled on the LAN interface by default.
8.4.2 UPnP Port Forwarding List
Figure 8-18 UPnP Port Forwarding List
- ID: It is used to identify each UPnP port forwarding rule in the list.
- Internal IP: It displays the IP address of the LAN host.
- Internal Port: It displays the service port provided by the LAN host.
- Protocol: It displays the transport protocol used by the service.
- Remote IP: It displays the IP address of the remote host.
- External Port: It displays the external port of the UPnP port forwarding, which is
  opened for outside users to access.
- Description: It displays the description of the UPnP port forwarding rule.
- Delete: If you want to delete one or more UPnP port forwarding rules, select the
  leftmost check boxes of them, and then click the Delete button.
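Because any UPnP-enabled LAN device can add port mappings, the UPnP Port Forwarding List is the place to check what has been opened. The following Python code is an added example, not part of the Device's software: it checks list entries, using the fields described above, against a simple policy. The CSV layout, the Device LAN address 192.168.16.1, the notations treated as "any remote host" and the set of sensitive ports are assumptions made for the example.

```python
import csv
import io
import ipaddress

# Assumptions for this example (not taken from the manual):
ANY_REMOTE = {"", "*", "0.0.0.0"}               # notations treated as "any remote host"
SENSITIVE_PORTS = {22, 23, 80, 443, 445, 3389}  # local policy; adjust to your network


def audit_upnp_list(list_csv, lan_cidr, device_ip, sensitive=SENSITIVE_PORTS):
    """Return {rule ID: [reasons]} for UPnP port forwarding rules that need review."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = {}
    for row in csv.DictReader(io.StringIO(list_csv.strip())):
        reasons = []
        try:
            internal = ipaddress.ip_address(row["internal_ip"].strip())
            port = int(row["internal_port"])
        except ValueError:
            findings[row["id"]] = ["entry could not be parsed"]
            continue
        remote = row["remote_ip"].strip()
        scope = "any remote host" if remote in ANY_REMOTE else remote
        # A mapping should point at a host on the LAN, not elsewhere.
        if internal not in lan:
            reasons.append(f"internal IP {internal} is outside {lan}")
        # A mapping to the Device's own address exposes the Device itself.
        if str(internal) == device_ip:
            reasons.append("forwards to the Device itself")
        # Administrative or file-sharing services opened to the Internet.
        if port in sensitive:
            reasons.append(f"{row['protocol']} port {port} reachable from {scope}")
        if reasons:
            findings[row["id"]] = reasons
    return findings


# Constructed sample of a UPnP Port Forwarding List (hypothetical CSV layout).
SAMPLE_LIST = """
id,internal_ip,internal_port,protocol,remote_ip,external_port,description
1,192.168.16.20,51413,TCP,,51413,file sharing
2,192.168.16.31,3389,TCP,,3389,remote desktop
3,192.168.16.1,80,TCP,,8080,web
4,10.9.9.9,5000,UDP,203.0.113.7,5000,camera
"""

if __name__ == "__main__":
    result = audit_upnp_list(SAMPLE_LIST, "192.168.16.0/24", "192.168.16.1")
    for rule_id, reasons in result.items():
        print(rule_id, "; ".join(reasons))
```

Rules that the audit flags and nobody can account for can be removed with the Delete button described above.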
Chapter 9 PPPoE Server
9.1 Introduction to PPPoE
PPPoE stands for Point-to-Point Protocol over Ethernet, and uses a client/server
model. PPPoE provides the ability to connect Ethernet hosts to a remote Access
Concentrator (AC) over a simple bridging access device. It also provides extensive access
control management and accounting benefits to ISPs and network administrators.
PPPoE is a network protocol for encapsulating PPP frames in Ethernet frames to
provide a point-to-point connection over an Ethernet network.
9.1.1 PPPoE Stages
As specified in RFC 2516, PPPoE has two distinct stages: a discovery stage and a
PPP session stage. The following sections describe each of them.
9.1.2 PPPoE Discovery Stage
In the PPPoE discovery stage, a PPPoE client finds a proper server and then builds the
connection. When a client initiates a PPPoE session, it should perform discovery to
identify the PPPoE server's Ethernet MAC address, and establish a PPPoE session ID.
[Figure: the PPPoE Client and the PPPoE Server exchange PADI, PADO, PADR and PADS packets]
Figure 9-1 PPPoE Discovery Stage Flows
As shown in Figure 9-1, the discovery stage includes the following four steps:
1. PADI (PPPoE Active Discovery Initiation): At the beginning, a PPPoE client
   broadcasts a PADI packet to find all the servers that it can possibly connect to, and
   waits until it receives PADO packets from one or more servers. The PADI packet must
   contain a service name which indicates the service requested by the client.
2. PADO (PPPoE Active Discovery Offer): When a PPPoE server receives a PADI
   packet in its service range, it will send a PADO response packet. The PADO packet
   must contain the server's name, a service name identical to the one in the PADI,
   and any number of other service names which indicate other services that the PPPoE
   server can offer. If a PPPoE server receives a PADI packet beyond its service range,
   it cannot respond with a PADO packet.
3. PADR (PPPoE Active Discovery Request): The client may receive more than one
   PADO packet as the PADI was broadcast. The client chooses one server according
   to the server's name or the services offered. Then the host sends a PADR packet to
   the selected server. The PADR packet must contain a service name which indicates
   the service requested by the client.
4. PADS (PPPoE Active Discovery Session-confirmation): When a PPPoE server
   receives a PADR packet, it prepares to begin a PPP session. It generates a unique
   PPPoE session ID, and responds to the client with a PADS packet. The PADS packet
   must contain a service name which indicates the service provided to the client.
When the discovery stage completes successfully, both the server and client know the
PPPoE session ID and the peer's Ethernet MAC address, which together define the
PPPoE session uniquely.
9.1.3 PPP Session Stage
In the PPP session stage, the server and client perform standard PPP negotiation to
establish a PPP connection. After the PPP connection is established successfully, the
original datagrams are encapsulated in PPP frames, and the PPP frames are encapsulated in
PPPoE session frames, which have the Ethernet type 0x8864. Then these Ethernet
frames are sent to the peer. In a PPPoE session frame, the session ID must be the value
assigned in the Discovery stage, and cannot be changed in this session.
9.1.4 PPPoE Session Termination
After a session is established, either the server or client may send a PADT (PPPoE Active
Discovery Terminate) packet at any time to indicate the session has been terminated. The
PADT packet's SESSION-ID must be set to indicate which session is to be terminated.
Once a PADT is received, no further PPP packets (even normal PPP termination packets)
are allowed to be sent using the specified session. A PPP peer should use the PPP
protocol itself to terminate a PPPoE session, but can use the PADT packet to terminate
the PPPoE session if PPP cannot be used.
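The discovery exchange and the PADT termination described in sections 9.1.2 to 9.1.4 can be followed in a packet capture. The following Python code is an added example, not UTT code: it parses discovery frames using the RFC 2516 layout (Ethernet type 0x8863, codes PADI 0x09, PADO 0x07, PADR 0x19, PADS 0x65, PADT 0xa7), tracks sessions by session ID and peer MAC addresses, and reports a PADO sent by a server MAC address that is not on an expected list. All MAC addresses, names and the sample capture are constructed.

```python
import struct

ETH_DISCOVERY = 0x8863   # Ethernet type of PPPoE discovery frames (RFC 2516)
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
# Tags each packet must carry, following the four discovery steps described above.
REQUIRED = {"PADI": {TAG_SERVICE_NAME}, "PADO": {TAG_SERVICE_NAME, TAG_AC_NAME},
            "PADR": {TAG_SERVICE_NAME}, "PADS": {TAG_SERVICE_NAME}, "PADT": set()}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_discovery(frame):
    """Parse an Ethernet frame holding a PPPoE discovery packet; ValueError if malformed."""
    if len(frame) < 20:
        raise ValueError("frame shorter than Ethernet + PPPoE headers")
    ethertype, ver_type, code, session_id, length = struct.unpack("!HBBHH", frame[12:20])
    if ethertype != ETH_DISCOVERY:
        raise ValueError(f"ethertype {ethertype:#06x} is not PPPoE discovery")
    if ver_type != 0x11 or code not in CODES:
        raise ValueError("bad PPPoE version/type or unknown code")
    payload = frame[20:20 + length]      # the length field excludes Ethernet padding
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds the captured frame")
    tags, off = {}, 0
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated tag header")
        tag, tlen = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if tag == TAG_END:
            break
        if off + tlen > length:
            raise ValueError("tag value overruns the payload")
        tags[tag] = payload[off:off + tlen]
        off += tlen
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "code": CODES[code], "session_id": session_id, "tags": tags}


def follow_discovery(frames, known_servers):
    """Replay captured frames; return (open sessions, alerts)."""
    sessions, alerts = {}, []
    for raw in frames:
        try:
            pkt = parse_discovery(raw)
        except ValueError as exc:
            alerts.append(f"malformed frame: {exc}")
            continue
        code, src, dst, sid = pkt["code"], pkt["src"], pkt["dst"], pkt["session_id"]
        if REQUIRED[code] - set(pkt["tags"]):
            alerts.append(f"{code} from {src} lacks a required tag")
        if code == "PADO" and src not in known_servers:
            alerts.append(f"PADO from unexpected server {src}")
        elif code == "PADS" and sid != 0:
            # The session ID and the peer MAC addresses identify the session.
            sessions[(src, dst, sid)] = "open"        # key: (server, client, session ID)
        elif code == "PADT":
            # Either side may terminate, so try both address orders.
            if sessions.pop((src, dst, sid), None) is None and \
               sessions.pop((dst, src, sid), None) is None:
                alerts.append(f"PADT for unknown session {sid:#06x}")
    return sessions, alerts


def build(dst, src, code, session_id=0, service=b"", ac_name=None):
    """Build a discovery frame for the constructed sample capture below."""
    tags = struct.pack("!HH", TAG_SERVICE_NAME, len(service)) + service
    if ac_name is not None:
        tags += struct.pack("!HH", TAG_AC_NAME, len(ac_name)) + ac_name
    header = struct.pack("!HBBHH", ETH_DISCOVERY, 0x11, code, session_id, len(tags))
    return bytes.fromhex((dst + src).replace(":", "")) + header + tags


# Constructed capture; all MAC addresses and names are invented for the example.
CLIENT, SERVER, OTHER = "02:00:00:00:00:10", "02:00:00:00:00:01", "02:00:00:00:00:99"
SAMPLE = [
    build("ff:ff:ff:ff:ff:ff", CLIENT, 0x09),        # PADI, broadcast by the client
    build(CLIENT, SERVER, 0x07, ac_name=b"ac-1"),    # PADO from the expected server
    build(CLIENT, OTHER, 0x07, ac_name=b"ac-x"),     # PADO from an unlisted MAC
    build(SERVER, CLIENT, 0x19),                     # PADR to the chosen server
    build(CLIENT, SERVER, 0x65, session_id=1),       # PADS assigns session ID 1
    build(SERVER, CLIENT, 0xA7, session_id=1),       # PADT from the client
]

if __name__ == "__main__":
    print(follow_discovery(SAMPLE[:5], {SERVER}))
    print(follow_discovery(SAMPLE, {SERVER}))
```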
9.2 PPPoE Server Settings
The UTT Series Security Firewalls support PPPoE server to allow LAN hosts acting as the
PPPoE clients to dial up to the Device.
The UTT Series Security Firewalls provide rich PPPoE server features, which include
PPPoE server global settings, PPPoE account settings, static and dynamic address
allocation, PPPoE account and MAC address binding, PPPoE account and IP address
binding, PPPoE IP/MAC binding, PPPoE status viewing, and so on.
9.2.1 PPPoE Server Global Settings
Figure 9-2 PPPoE Server Global Settings
- Enable PPPoE Server: It allows you to enable or disable the PPPoE server. If you want
  to enable the PPPoE server on the Device, please select this check box. Only after you
  have enabled the PPPoE server can you configure the other parameters on this page.
- Start IP Address: It specifies the starting IP address that is assigned by the PPPoE
  server.
- Number of Addresses: It specifies the maximum number of IP addresses that can
  be assigned to the PPPoE clients. The addresses can be assigned dynamically or
  manually by the PPPoE server.
- Primary DNS Server: It specifies the IP address of the primary DNS server that is
  available to a PPPoE client.
- Secondary DNS Server: It specifies the IP address of the secondary DNS server
  that is available to a PPPoE client.
- Advanced Options: Click it to view and configure advanced parameters. In most
  cases, you need not configure them.
- PPP Authentication: It specifies the PPP authentication mode by which the PPPoE
  server authenticates a PPPoE client. The available options are NONE, PAP, CHAP
  and Either. In most cases, please leave the default value of Either, which means that
  the Device will automatically choose PAP or CHAP to authenticate the PPPoE client.
- Max. Sessions: It specifies the maximum number of PPPoE sessions that can be
  created on the Device. The maximum value of Max. Sessions depends on the
  specific product model.
- Save: Click it to save the PPPoE server global settings.
9.2.2 Internet Access Control
Figure 9-3 Internet Access Control Settings
- Only Allow PPPoE Users: It allows you to enable or disable Only Allow PPPoE
  Users, that is, only the PPPoE dial-in users can access the Internet through the
  Device. If you want to only allow the PPPoE dial-in users to access the Internet
  through the Device, please select this option. The one exception is the address
  group that you select from the Exception drop-down list.
- Exception: It specifies an address group that is exempt from the restriction of Only
  Allow PPPoE Users. If you select an address group here, the LAN users that belong
  to this address group are exempt from the restriction of Only Allow PPPoE Users,
  that is, whether it is enabled or not, those users may access the Internet through the
  Device even if they aren't PPPoE dial-in users. The address group is configured in the
  Security > Address Group page.
- Save: Click it to save the Internet access control settings.
9.3 PPPoE Account
This section describes the PPPoE > PPPoE Account page, which includes the PPPoE
Account Settings, PPPoE Account List, Import Accounts and PPPoE Account
Billing.
9.3.1 PPPoE Account Settings
In the PPPoE > PPPoE Account > PPPoE Account Settings page, you can configure
PPPoE account related parameters, which include basic parameters, rate limit parameters
and security parameters.
Figure 9-4 PPPoE Account Settings
- User Name: It specifies a unique user name of the PPPoE account. It should be
  between 1 and 31 characters long. The PPPoE server will use User Name and
  Password to identify the PPPoE client.
- Password: It specifies the password of the PPPoE account.
- Description: It specifies the description of the PPPoE account.
- Advanced Options: Click it to view and configure advanced parameters. In most
  cases, you need not configure them.
- Idle Timeout: It specifies how long the PPPoE session stays connected while no
  packets are transmitted through it. The Device will automatically
  terminate the session after it has been inactive for the specified period of time. It
  should be between 0 and 65535 seconds. The default value is zero, which means
  that the Device will not terminate it.
- Session Timeout: It specifies how long the PPPoE session stays connected after it is
  established. The Device will automatically terminate the session after it has been
  connected for the specified period of time. It should be between 0 and 65535 seconds.
  The default value is zero, which means that the Device will not terminate it.
- Dialing Schedule: It specifies a schedule during which a PPPoE client can use the
  current PPPoE account to dial up. If you select a schedule here, it will allow the
  PPPoE client to dial up only in the selected schedule range. Otherwise, the PPPoE client
  can always dial up. The schedule is configured in the Security > Schedule page.
- Tx Bandwidth: It specifies the maximum upload bandwidth of a PPPoE dial-in user
  that uses the current PPPoE account.
- Rx Bandwidth: It specifies the maximum download bandwidth of a PPPoE dial-in
  user that uses the current PPPoE account.
- Accounting Mode: The UTT Series supports account billing for the PPPoE server. It
  offers account billing in the modes By Date, By Hour and By Traffic.
  - None: If you don't want to bill a PPPoE Account, please select this option. The
    default value is None.
  - By Date: Account will expire at the specified date. Refer to section 9.3.4 PPPoE
    Account Billing for more information.
  - By Hours: Account will expire after accumulative online time reaches the
    specified hours. Refer to section 9.3.4 PPPoE Account Billing for more
    information.
  - By Traffic: Account will expire after accumulative upload or download traffic
    reaches the specified megabytes. Refer to section 9.3.4 PPPoE Account Billing
    for more information.
- Max. Sessions: It specifies the maximum number of PPPoE sessions that can be
  created by using the current PPPoE account.
- Account/MAC Binding: It specifies the type of PPPoE account and MAC address
  binding. The available options are None, Auto and Manual.
  - None: If you don't want to create account/MAC binding for the current PPPoE
    account, select this option; then a PPPoE client with any MAC address can use
    the current PPPoE account to dial up.
  - Auto: If you want to create account/MAC binding for the current PPPoE account
    automatically, select this option. That is, the Device will automatically bind the
    PPPoE account to the MAC address of the user who first uses this account to
    establish a PPPoE session. After that, only this user can use the account.
  - Manual: If you want to create account/MAC binding for the current PPPoE
    account manually, select this option, and configure up to four MAC addresses
    that are bound to the account. Then only the users with one of these MAC
    addresses can use the account.
- MAC Address: It specifies the MAC address that is bound to the current PPPoE
  account. If you select Manual from the Account/MAC Binding drop-down list, this
  parameter will be displayed. In this case, you should enter a MAC address that is
  bound to the account in the text box.
- MAC Address 2, MAC Address 3, and MAC Address 4: They specify another three
  MAC addresses that are bound to the current PPPoE account. If you select Manual
  from the Account/MAC Binding drop-down list, you can configure more than one
  MAC address (up to four) if needed.
- Account/IP Binding: It specifies a static IP address that is assigned to the user who
  uses the current PPPoE account. It must be a valid IP address in the range of the
  address pool configured in the PPPoE > Global Settings page.
- Save: Click it to save the PPPoE account settings.
Note
1. If you want to assign a static IP address to the user that uses a PPPoE account to
   establish a PPPoE session, you should enter the IP address in the Account/IP
   Binding text box, and should set the Max. Sessions to 1.
2. The PPPoE IP/MAC binding has higher priority than the PPPoE account/IP binding,
   that is, if an IP/MAC binding and account/IP binding have the same IP address, the
   Device will assign this IP address to the user that matches the IP/MAC binding. The
   IP/MAC binding is configured in the PPPoE > PPPoE IP/MAC > IP/MAC Binding
   Settings page.
3. The rate limit for a PPPoE account is in effect only when the Enable Rate Limit
   check box is selected in the QoS > Global Settings page.
9.3.2 PPPoE Account List
When you have configured some PPPoE accounts, you can view their configuration in the
PPPoE Account List, including User Name, Enable, Tx Bandwidth, Rx Bandwidth,
Account/IP Binding, Accounting Mode, Max. Sessions, and Description.
Figure 9-5 PPPoE Account List
- Add a PPPoE Account: If you want to add a new PPPoE account, click the New
  button or select the PPPoE Account Settings tab to go to the setup page, and then
  configure it, lastly click the Save button.
- Enable a PPPoE Account: The Enable check box is used to enable or disable the
  corresponding PPPoE account. The default value is selected, which means the
  PPPoE account is in effect. If you want to disable the PPPoE account temporarily
  instead of deleting it, please click it to remove the check mark.
- Edit a PPPoE Account: If you want to modify a configured PPPoE account, click its
  Edit hyperlink, the related information will be displayed in the setup page. Then
  modify it, and click the Save button.
- Delete PPPoE Account(s): If you want to delete one or more PPPoE accounts,
  select the leftmost check boxes of them, and then click the Delete button.
9.3.3 Import Accounts
The PPPoE > PPPoE Account > Import Accounts page provides a PPPoE account
import function to simplify operation. When you want to create a large number of PPPoE
accounts, you can import them all at once on this page. You can edit them in Notepad, and
then copy them to the Import Accounts list box; you can also enter them directly in the
Import Accounts list box. The import contents are the User Name, Password, and
Description of each PPPoE account, one PPPoE account per line; and the import format
of a PPPoE account is: User NamePasswordDescription.
Figure 9-6 PPPoE Accounts Import
- Save: After you have entered the PPPoE accounts in the Import Accounts list box,
  click the Save button to save them to the Device, and then you can view them in the
  PPPoE Account List.
Note
To avoid unnecessary data loss due to computer crashes, you can copy the entered
PPPoE accounts to a Notepad file in your local PC before saving them to the Device.
9.3.4 PPPoE Account Billing
9.3.4.1 Introduction to PPPoE Account Billing Mechanism
PPPoE Account Billing is a specific function of UTT Series Security Firewalls. It provides a
billing mechanism. According to the Accounting Mode, the UTT Device runs the billing
mechanism by Date, Hour or Traffic. Together with the PPPoE Account
Expiration Notice, which alerts the user to renew the account, PPPoE Account Billing can be a
very helpful Billing tool especially for Communication. When the PPPoE account expires,
the account will be no longer available unless the user renews the account. The billing
mechanism is shown in Figure 9-7.
[Flowchart: START; Check Accounting Mode (By Date? By Hour? By Traffic? None);
Set Expiration Date, Billing by Date; Set Online Hours, Billing by Hour; Set Max. Tx/Rx
Traffic, Billing by Traffic; Expiration date reached? Remaining hour is 0? Remaining Tx/Rx
Traffic is 0?; Renew Account; PPPoE Account closed; END]
Figure 9-7 PPPoE Account Billing mechanism
9.3.4.2 PPPoE Account Billing By Date
If you want to create a PPPoE Billing Account by date, you can go to the PPPoE > PPPoE
Account > PPPoE Account Settings page and set the Accounting Mode to By Date,
see the following figure.
Figure 9-8 PPPoE Account Billing By Date
- Accounting Mode: It specifies the accounting mode of the PPPoE billing account.
  Here select By Date.
- Account Opening Date: It specifies the opening date of the PPPoE account. If the
  current date is before the Account Opening Date, the account cannot be used
  because it's been disabled by the UTT device.
- Account Expiration Date: It specifies the expiration (end) date of the PPPoE account.
  If the current date is after the Account Expiration Date, the account cannot be used
  because it's been disabled by the UTT device.
Note
1. To ensure that PPPoE Account Billing operates properly, you should synchronize the
   system clock in the System > Time page.
2. Before the PPPoE Account expires, if you have also set the PPPoE Account
   Expiration Notice (refer to section 9.7 PPPoE Account Expiration Notice for more
   information), the device will push a notice to the user. If the user decides to renew the
   account (Accounting Mode is By Date), the Administrator should set the Account
   Opening Date and Account Expiration Date to new dates.
9.3.4.3 PPPoE Account Billing By Hour
If you want to create a PPPoE Billing Account by hour, you can go to PPPoE > PPPoE
Account > PPPoE Account Settings page and set the Accounting Mode as By Hour.
Figure 9-9 PPPoE Account Billing By Hour
- Accounting Mode: It specifies the accounting mode of the PPPoE billing account.
  Here select By Hour.
- Hours: It specifies the maximum online time (in hours) of the PPPoE account. The device
  will accumulate the online time of the PPPoE account; once the online time reaches the
  maximum online time, the account cannot be used because it's been disabled by the UTT
  device. 0 means no limit: the account will always be enabled.
Note
1. To ensure that PPPoE Account Billing operates properly, you should synchronize the
   system clock in the System > Time page.
2. Before the PPPoE Account expires, if you have also set the PPPoE Account
   Expiration Notice (refer to section 9.7 PPPoE Account Expiration Notice for more
   information), the device will push a notice to the user. If the user decides to renew the
   account (Accounting Mode is By Hour), the Administrator should set the Hours to a
   new value.
9.3.4.4 PPPoE Account Billing By Traffic
If you want to create a PPPoE Billing Account by traffic, you can go to PPPoE > PPPoE
Account > PPPoE Account Settings page and set the Accounting Mode as By Traffic.
Figure 9-10 PPPoE Account Billing By Traffic
- Accounting Mode: It specifies the accounting mode of the PPPoE billing account.
  Here select By Traffic.
- Tx. Traffic: It specifies the maximum Tx. Traffic of the PPPoE account. The device will
  accumulate the upload traffic of the PPPoE account; once the accumulative upload
  traffic reaches the Tx. Traffic, the account cannot be used because it's been disabled
  by the UTT device. 0 means no limit for upload traffic.
- Rx. Traffic: It specifies the maximum Rx. Traffic of the PPPoE account. The device will
  accumulate the download traffic of the PPPoE account; once the accumulative
  download traffic reaches the Rx. Traffic, the account cannot be used because it's
  been disabled by the UTT device. 0 means no limit for download traffic.
Note
Before the accumulative upload/download traffic reaches the Tx./Rx. Traffic, if you have
also set the PPPoE Account Expiration Notice (refer to section 9.7 PPPoE Account
Expiration Notice for more information), the device will push a notice to the user. If the
user decides to renew the account (Accounting Mode is By Traffic), the Administrator should
set the Tx. Traffic and Rx. Traffic to new values.
9.4 PPPoE IP/MAC Binding
In the PPPoE > PPPoE IP/MAC > IP/MAC Binding Settings page, you can create a
binding by mapping a static IP address to a host's MAC address, and then the PPPoE
server will always assign this IP address to the specified host.
9.4.1 PPPoE IP/MAC Binding Settings
Figure 9-11 PPPoE IP/MAC Binding Settings
- IP Address: It specifies the IP address for the PPPoE IP/MAC binding. The PPPoE
  server will always assign this address to the PPPoE dial-in host specified by the MAC
  Address. It must be a valid IP address in the range of address pool configured in the
  PPPoE > Global Settings page.
- MAC Address: It specifies the MAC address of a PPPoE dial-in host.
- Description: It specifies the description of the PPPoE IP/MAC binding.
- Save: Click it to save the PPPoE IP/MAC binding settings.
Note
1. If you create an IP/MAC binding for a PPPoE dial-in user, the PPPoE server will
   always assign the specified IP address to the user.
2. The PPPoE IP/MAC binding has higher priority than the PPPoE account/IP binding,
   that is, if an IP/MAC binding and account/IP binding have the same IP address, the
   Device will assign this IP address to the user that matches the IP/MAC binding. The
   account/IP binding is configured in the PPPoE > PPPoE Account > PPPoE Account
   Settings page.
9.4.2 PPPoE IP/MAC Binding List
When you have configured some PPPoE IP/MAC bindings, you can view them in the
PPPoE IP/MAC Binding List, and check whether a static IP address is assigned to the
specified host or not.
Figure 9-12 PPPoE IP/MAC Binding List
- Add a PPPoE IP/MAC Binding: If you want to add a new PPPoE IP/MAC binding,
  click the New button or select the IP/MAC Binding Settings tab to go to the setup
  page, and then configure it, lastly click the Save button.
- Edit a PPPoE IP/MAC Binding: If you want to modify a configured PPPoE IP/MAC
  binding, click its Edit hyperlink, the related information will be displayed in the setup
  page. Then modify it, and click the Save button.
- Delete PPPoE IP/MAC Binding(s): If you want to delete one or more PPPoE
  IP/MAC bindings, select the leftmost check boxes of them, and then select Delete
  from the drop-down list on the lower right corner of the IP/MAC Binding List, lastly
  click OK.
- Delete All: If you want to delete all the PPPoE IP/MAC bindings at a time, select
  Delete All from the drop-down list on the lower right corner of the list, and then click
  OK. Then the PPPoE server will assign IP addresses to the dial-in users dynamically.
9.5 PPPoE Status
In the PPPoE > PPPoE Status page, you can view the status and usage information of
each online PPPoE dial-in user. If a PPPoE dial-in user has established the PPPoE
session to the Device successfully, you can view the assigned IP address, MAC address,
Rx Rate and Tx Rate of the user, online time and session ID of the PPPoE session.
Figure 9-13 PPPoE Status List
- User Name: It displays the PPPoE user name. The PPPoE dial-in user uses it to
  dial up and establish the PPPoE session to the Device.
- Status: It displays the PPPoE account status. If a PPPoE dial-in user has established
  the PPPoE session to the Device successfully with the PPPoE account, it displays
  Connected; otherwise, it displays Disconnected.
- IP Address: It displays the PPPoE dial-in user's IP address that is assigned by the
  PPPoE server.
- MAC Address: It displays the PPPoE dial-in user's MAC address.
- Online Time: It displays the elapsed time since the PPPoE session was established
  successfully.
- Rx Rate: It displays the real-time download rate (in kilobytes per second) of the
  PPPoE dial-in user.
- Tx Rate: It displays the real-time upload rate (in kilobytes per second) of the PPPoE
  dial-in user.
- Session ID: It displays the session ID of the PPPoE Session, which uniquely
  identifies a PPPoE session.
- Disconnect: If you want to hang up an established PPPoE session manually, select
  the leftmost check box of this PPPoE session, and then click the Disconnect button.
- Refresh: Click it to view the latest information in the list.
9.6 Configuration Example for PPPoE Server
1. Requirements
In this example, an organization's administrator wants the LAN users to act as PPPoE
clients and dial up to the Device. Only the PPPoE dial-in users are allowed to access the
Internet through the Device. The exception is the CEO with IP address 192.168.16.2.
When acting as a PPPoE server, the Device will dynamically assign IP addresses to
the LAN users. The start IP address assigned to the dial-in users is 10.0.0.1, the maximum
number of dial-in users is 100, the primary DNS server IP address is 202.101.10.10, and
the maximum number of PPPoE sessions that can be created on the Device is 100.
The administrator needs to create two PPPoE accounts: one is a universal account which is
used by the normal employees, its Rx and Tx bandwidth are both 512 Kbit/s, and its Max.
Sessions is 90; the other is an advanced account, and its Max. Sessions is 10.
The administrator also wants the LAN user with MAC address 0021859b4544 to use a
static IP address: 10.0.0.50, so he needs to create a PPPoE IP/MAC binding for this user.
2. Configuration Procedure
1) Configuring PPPoE Server Global Parameters
Step 1
Go to the PPPoE > Global Settings page.
Step 2
See the following figure, select the Enable PPPoE Server check box, enter
10.0.0.1 in the Start IP Address, enter 100 in the Number of Addresses,
enter 202.101.10.10 in the Primary DNS Server, and enter 100 in the Max.
Sessions text box. Leave the default values for the other parameters. Then
click the Save button to save the settings.
Figure 9-14 PPPoE Server Global Settings - Example
Step 3
Go to the PPPoE > Global Settings > Internet Access Control page, select
the Only Allow PPPoE Users check box, and select CEO from the Exception
drop-down list. The CEO address group only includes one IP address:
192.168.16.2, which is configured in the Security > Address Group page.
Figure 9-15 Internet Control Settings - Example
2) Configuring PPPoE Accounts
Step 1
Go to the PPPoE > PPPoE Account > PPPoE Account Settings page.
Step 2
Creating the universal PPPoE Account whose user name is All. See the
following figure, enter All in the User Name, enter test in the Password, enter
universal account in the Description, enter 512 in the Tx Bandwidth and Rx
Bandwidth, and enter 90 in the Max. Sessions text box. Leave the default
values for the other parameters. Then click the Save button to save the settings.
Note that you should enable rate limit in the QoS > Global Settings page to
make rate limit for this PPPoE account take effect.
http://www.uttglobal.com
Page 247
UTT Technologies
Chapter 9 PPPoE Server
Figure 9-16 Configuring the Universal PPPoE Account - Example
Step 3
Creating the advanced PPPoE Account whose user name is Advanced. See
the following figure, enter Advanced in the User Name, enter test2 in the
Password, enter advanced account in the Description, and enter 10 in the
Max. Sessions text box. Leave the default values for the other parameters.
Then click the Save button to save the settings.
http://www.uttglobal.com
Page 248
UTT Technologies
Chapter 9 PPPoE Server
Figure 9-17 Configuring the Advanced PPPoE Account - Example
3˅ Configuring a PPPoE IP/MAC Binding
Step 1
Go to the PPPoE > PPPoE IP/MAC > IP/MAC Binding Settings page.
Step 2
See the following figure, enter 10.0.0.50 in the IP Address, and enter
0021859b4544 in the MAC Address, then click the Save button to save the
settings.
Figure 9-18 Configuring a PPPoE IP/MAC Binding Âą Example
http://www.uttglobal.com
Page 249
UTT Technologies
9.7
Chapter 9 PPPoE Server
PPPoE Account Expiration Notice
The UTT series security firewalls provide a PPPoE account expiration notice feature to
periodically remind a PPPoE dial-in user that his/her account is going to expire, so that the
user can avoid the loss due to the account expiration.
When you have enabled PPPoE account expiration notice and the account is going to
expire, the Device will pop up a notice message to remind the user. The notice is sent one
time per day, when the user first accesses a webpage.
In the PPPoE > PPPoE Notice > Expiration Notice page, you can configure PPPoE
account expiration notice feature. The Device supports three PPPoE account expiration
notice modes:
● By Date: Account will expire at the specified date.
● By Hours: Account will expire after accumulative online time reaches the specified
hours.
● By Traffic: Account will expire after accumulative upload or download traffic reaches
the specified megabytes.
You should select the proper mode here according to the accounting mode of a PPPoE
account, which is configured in the PPPoE > PPPoE Account > PPPoE Account
Settings page.
9.7.1 PPPoE Account Expiration Notice by Date
Figure 9-19 PPPoE Account Expiration Notice by Date
◆ PPPoE Account Expiration Notice Mode: It specifies the PPPoE account expiration
notice mode. Here select By Date.
◆ Enable Notice by Date: It allows you to enable or disable the PPPoE account
expiration notice by date. If you want to enable this feature, please select this check
box.
◆ Remaining Days: It specifies the remaining days before the account expires. If the
actual remaining days are fewer than the configured remaining days, the Device will pop
up the notice message one time per day; otherwise it will not.
◆ Notice Title: It specifies the title of the notice message.
◆ Signature: It specifies the signature of the notice message.
◆ Notice Content: It specifies the content of the notice message.
➢ Save: Click it to save your settings.
➢ Preview: Click it to preview the notice message you just configured. The following
figure shows an example of a notice message.
Figure 9-20 PPPoE Account Expiration Notice Preview - Example 1
➢ Back to Setup Page: Click it to go back to the PPPoE > PPPoE Notice > Expiration
Notice page.
9.7.2 PPPoE Account Expiration Notice by Hours
Figure 9-21 PPPoE Account Expiration Notice by Hours
◆ PPPoE Account Expiration Notice Mode: It specifies the PPPoE account expiration
notice mode. Here select By Hours.
◆ Enable Notice by Hours: It allows you to enable or disable the PPPoE account
expiration notice by hours. If you want to enable this feature, please select this check
box.
◆ Remaining Hours: It specifies the remaining hours before the account expires. If the
actual remaining hours are fewer than the configured remaining hours, the Device will
pop up the notice message one time per day; otherwise it will not.
◆ Notice Title: It specifies the title of the notice message.
◆ Signature: It specifies the signature of the notice message.
◆ Notice Content: It specifies the content of the notice message.
➢ Save: Click it to save your settings.
➢ Preview: Click it to preview the notice message you just configured. The following
figure shows an example of a notice message.
Figure 9-22 PPPoE Account Expiration Notice Preview - Example 2
➢ Back to Setup Page: Click it to go back to the PPPoE > PPPoE Notice > Expiration
Notice page.
9.7.3 PPPoE Account Expiration Notice by Traffic
Figure 9-23 PPPoE Account Expiration Notice by Traffic
◆ PPPoE Account Expiration Notice Mode: It specifies the PPPoE account expiration
notice mode. Here select By Traffic.
◆ Enable Notice by Traffic: It allows you to enable or disable the PPPoE account
expiration notice by traffic. If you want to enable this feature, please select this check
box.
◆ Remaining Upload Traffic: It specifies the remaining upload traffic (in Megabytes)
before the account expires. If the actual remaining upload traffic is less than the
configured remaining upload traffic, the Device will pop up the notice message one
time per day; otherwise it will not.
◆ Remaining Download Traffic: It specifies the remaining download traffic (in
Megabytes) before the account expires. If the actual remaining download traffic is less
than the configured remaining download traffic, the Device will pop up the notice
message one time per day; otherwise it will not.
◆ Notice Title: It specifies the title of the notice message.
◆ Signature: It specifies the signature of the notice message.
◆ Notice Content: It specifies the content of the notice message.
➢ Save: Click it to save your settings.
➢ Preview: Click it to preview the notice message you just configured. The following
figure shows an example of a notice message.
Figure 9-24 PPPoE Account Expiration Notice Preview - Example 3
Note
1. The PPPoE account expiration notice function will take effect only when the
accounting function of a PPPoE account is enabled.
2. If you select By Date from the Notice Mode drop-down list, you should configure
the correct system time and time zone in the System > Time page to ensure that the PPPoE
account expiration notice by date function works properly.
3. After you have selected an option from the Notice Mode drop-down list, you should enable
the corresponding PPPoE account expiration notice feature to make it take effect.
Otherwise, it will have no effect.
4. The PPPoE account expiration notice by date, PPPoE account expiration notice by
hours, and PPPoE account expiration notice by traffic can be enabled at the same
time.
5. If a PPPoE account is used by multiple users at the same time, the notice message
will only be popped up to the first user that accesses a webpage, but not to any other
LAN user.
Chapter 10 QoS
This chapter describes how to control and manage Internet bandwidth of the LAN users,
including global settings, rate limit rule settings and P2P rate limit settings.
10.1 Introduction to Bandwidth Management
10.1.1 Why We Need Bandwidth Management
With the growing popularity of P2P, Internet users are able to quickly download high definition
movies and video clips, massively multiplayer online games, and hundreds of megabytes of
data, and also share them with others. But at the same time, because P2P by nature seizes
bandwidth, it can maximize the consumption of bandwidth, and thus it has been given the
name "network vampire". Using P2P applications in the LAN will impact the other users
accessing the Internet, and can even cause network congestion and performance deterioration,
which will ultimately leave those users unable to access the Internet. Therefore, in order
to restrain the aggressive consumption of network resources by P2P applications and to
provide a stable and secure network to the users, we need to effectively limit the
maximum bandwidth for the LAN users and applications. However, if we only limit the
maximum bandwidth, the bandwidth will be wasted when the network is idle, which will
undoubtedly greatly reduce bandwidth utilization. To solve this problem, we introduce a
new feature of intelligent bandwidth management on the UTT products to provide users a
more reasonable network bandwidth management solution.
The UTT products support intelligent bandwidth management based on the token bucket
algorithm. It allows you to create rate limit rules based on source IP address, destination
IP address, protocol type (TCP, UDP or ICMP), port, schedule, and so on. From the
user-defined capacity and actual network conditions, the Device determines whether
the network is idle, normal, busy or exhausted; besides, it can flexibly control the upload
and download bandwidth for each LAN host according to the network status and
user-defined rate limit rules. In short, using the intelligent bandwidth management feature can
help you truly implement intelligent and flexible bandwidth management.
10.1.2 Token Bucket Algorithm
As the bandwidth management feature provided by the UTT products is based on the token
bucket algorithm, this section describes the token bucket in brief.
The token bucket algorithm is one of the most common algorithms used for network
traffic shaping and rate limiting. Typically, the token bucket algorithm is used to control the
amount of data injected into a network, and it allows bursts of data to be sent.
The token bucket is a control mechanism that dictates when traffic can be transmitted,
based on the presence of tokens in the bucket. The bucket contains tokens, each of which
can represent a byte. If tokens are present, traffic can be transmitted; otherwise, traffic cannot
be transmitted. Therefore, if the burst threshold is configured appropriately and there are
adequate tokens in the bucket, traffic can be transmitted at its peak burst rate.
The basic process of the token bucket algorithm is as follows:
● The token rate is r, that is, a token is added to the bucket every 1/r seconds.
● The bucket can hold at most β tokens. If a token arrives when the bucket is full, it
is discarded.
● When a packet of n bytes arrives, n tokens are removed from the bucket, and the
packet is sent to the network.
● If fewer than n tokens are available, no tokens are removed from the bucket, and the
packet is considered to be non-conformant.
● Although the algorithm allows for bursts of up to β bytes of traffic, over the long run
the output of conformant packets is limited by the constant rate, r.
Non-conformant packets can be treated in various ways:
● They may be dropped.
● They may be enqueued for subsequent transmission when sufficient tokens have
accumulated in the bucket.
● They may be transmitted, but marked as being non-conformant, possibly to be
dropped subsequently if the network is overloaded.
In conclusion, the token bucket algorithm allows bursts of up to β bytes, but over the long
run the output of conformant packets is limited to the constant rate, r.
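The following Python sketch is an added example, not code from this manual or from ReOS: it implements the bucket described above (rate r, capacity β, one token per byte) together with the three treatments of non-conformant packets, and checks the β + r·t bound on the output. The bucket starting full, all names, and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate: float           # r: tokens (bytes) added per second
    capacity: float       # beta: most tokens the bucket can hold
    tokens: float = -1.0  # current fill level
    last: float = 0.0     # time of the last refill, in seconds

    def __post_init__(self):
        if self.tokens < 0:
            self.tokens = self.capacity  # assumption: the bucket starts full

    def refill(self, now):
        # Tokens arriving while the bucket is full are discarded (the min()).
        if now > self.last:
            self.tokens = min(self.capacity,
                              self.tokens + (now - self.last) * self.rate)
            self.last = now

    def take(self, now, nbytes):
        """Remove nbytes tokens if present; otherwise remove nothing."""
        self.refill(now)
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


def apply_policy(packets, rate, capacity, policy):
    """packets: (arrival_s, size_bytes) in arrival order.
    policy: 'drop', 'mark' or 'queue'.
    Returns (send_time or None, size, verdict) per packet."""
    bucket = TokenBucket(rate, capacity)
    free_at = 0.0  # queue policy: release time of the previous FIFO packet
    out = []
    for arrival, size in packets:
        if policy == "queue":
            if size > capacity:
                # Larger than beta: no amount of waiting makes it conform.
                out.append((None, size, "dropped"))
                continue
            start = max(arrival, free_at)
            bucket.refill(start)
            # Wait until the missing tokens have accumulated at rate r.
            send = start + max(0.0, (size - bucket.tokens) / rate)
            bucket.refill(send)
            bucket.tokens = max(0.0, bucket.tokens - size)
            free_at = send
            out.append((send, size, "sent" if send == arrival else "delayed"))
        elif bucket.take(arrival, size):
            out.append((arrival, size, "sent"))
        elif policy == "mark":
            out.append((arrival, size, "marked"))   # forwarded, but flagged
        else:
            out.append((None, size, "dropped"))
    return out


def within_envelope(results, rate, capacity):
    """True if conformant output never exceeds capacity + rate * t bytes."""
    conformant = [r for r in results if r[2] in ("sent", "delayed")]
    total = 0
    for send, size, _ in sorted(conformant, key=lambda r: r[0]):
        total += size
        if total > capacity + rate * send + 1e-9:
            return False
    return True


# Constructed sample: r = 1000 bytes/s, beta = 3000 bytes, a burst of three
# 1500-byte packets at t=0, one more at t=1, and one packet larger than beta.
RATE, BETA = 1000.0, 3000.0
SAMPLE_PACKETS = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (1.0, 1500), (5.0, 4000)]

if __name__ == "__main__":
    for policy in ("drop", "mark", "queue"):
        print(policy, apply_policy(SAMPLE_PACKETS, RATE, BETA, policy))
```

The first two packets ride the initial burst allowance; everything after that is paced by r, and a packet larger than β never conforms under any policy.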
10.1.3 Implementation of Bandwidth Management
Using intelligent bandwidth management based on the token bucket algorithm, the Device
can flexibly control the upload and download bandwidth of the LAN hosts. There are four
processing mechanisms depending on the bandwidth utilization:
1. When the bandwidth utilization level is idle, each LAN host is likely to obtain its
maximum bandwidth.
2. When the bandwidth utilization level is normal, each LAN host can obtain a bandwidth
between its guaranteed and maximum bandwidth, and the bandwidth allocated to the
LAN hosts is closest to their maximum bandwidth.
3. When the bandwidth utilization level is busy, each LAN host can only obtain its
guaranteed bandwidth.
4. When the bandwidth utilization level is exhausted, only the LAN hosts with high
priority can obtain their guaranteed bandwidth; any other LAN host can only obtain a
bandwidth lower than the guaranteed bandwidth.
Depending on the ratio of the actual capacity (i.e., total number of network devices
connected to the Device) to the user-defined capacity (set by Capacity in the QoS >
Global Settings page), we divide the bandwidth utilization into four levels: Idle, Normal,
Busy, and Exhausted.
● Idle: The ratio is below 50%.
● Normal: The ratio is between 50% and 95%.
● Busy: The ratio is between 95% and 100%.
● Exhausted: The ratio is above 100%.
The intelligent bandwidth management feature can help you effectively solve the network
congestion problem due to network abuse by the LAN users, and ensure full bandwidth
utilization without affecting the other users. In short, this feature can help you truly
implement intelligent and flexible bandwidth management.
10.2 Rate Limit Global Settings
Figure 10-1 Rate Limit Global Settings
◆ Enable Rate Limit: It allows you to enable or disable rate limit. If you select the check
box to enable rate limit, the configured rate limit rules will take effect. Else the rate
limit rules will be of no effect.
◆ Capacity: It specifies the maximum number of network devices (PC or other network
device) that can be connected to the Device at the same time. Depending on the ratio
of the actual capacity (i.e., total number of network devices connected to the Device)
to this user-defined capacity, we divide the bandwidth utilization into four levels: Idle,
Normal, Busy, and Exhausted. Refer to 10.1.3 Implementation of Bandwidth
Management for more information.
➢ Save: Click it to save the rate limit global settings.
Note
The units of bandwidth and rate generally are Kbit/s (Kilobit per second) and KByte/s
or KB/s (Kilobyte per second). The conversion formulas are as follows:
Byte = 8 bits
Kilobyte = 1024 bytes or 8192 (8 x 1024) bits
Megabyte = 1024 Kilobytes or 1,048,576 (1024 x 1024) bytes or 8,388,608 bits
Gigabyte = 1024 Megabytes or 1,073,741,824 bytes or 8,589,934,592 bits
For example, 10 Mbit/s = 10240 Kbit/s = 10240/8 KByte/s = 1280 KByte/s
10.3 Rate Limit Rule
You can create rate limit rules based on source IP address, destination IP address,
protocol type (TCP, UDP or ICMP), port, schedule, and so on.
Note that if you want the rate limit rules to take effect, please make sure that the Enable
Rate Limit check box is selected in the QoS > Global Settings page.
10.3.1 Rate Limit Rule Settings
Before creating the rate limit rules, you may do the following tasks:
● Go to the Security > Address Group page to create the address groups that will be
referenced by the rules. The addresses within an address group are used to match
the source or destination IP addresses of packets that are received by the Device.
● Go to the Security > Service Group page to create the service groups that will be
referenced by the rules. Note that only the service groups whose Service Type is
General Service can be referenced by the rate limit rules.
● Go to the Security > Schedule page to create the schedules that will be referenced
by the rules.
If the source IP addresses are consecutive, you also can directly specify the source IP
addresses for a rate limit rule in this page. The following describes the definitions of a
rule's parameters.
Figure 10-2 Rate Limit Rule Settings
◆ Source: It specifies the IP addresses of the LAN hosts to which the rate limit rule
applies. There are two available options:
  ● Addresses: Select it to enter the start and end addresses in the associated text
  boxes.
  ● Address Group: Select it to choose an address group from the associated
  drop-down list. By default, the Address Group radio button is selected, and its
  value is Any Address.
◆ Destination Address Group: It allows you to select an address group to specify the
destination IP addresses of the traffic to which the rate limit rule applies.
◆ Min. Tx Bandwidth: It specifies the guaranteed upload bandwidth allocated to the
LAN hosts or applications that match the rate limit rule. Note that you can set the Min.
Tx Bandwidth, Min. Rx Bandwidth, Max. Tx Bandwidth and Max. Rx Bandwidth
in two ways:
  ● Enter a value in the associated text box. If you don't want to specify a bandwidth,
  please enter 0.
  ● Select an option from the associated drop-down list. If you don't want to specify a
  bandwidth, please select NoLimit.
◆ Min. Rx Bandwidth: It specifies the guaranteed download bandwidth allocated to the
LAN hosts or applications that match the rate limit rule.
◆ Max. Tx Bandwidth: It specifies the maximum upload bandwidth allocated to the
LAN hosts or applications that match the rate limit rule.
◆ Max. Rx Bandwidth: It specifies the maximum download bandwidth allocated to the
LAN hosts or applications that match the rate limit rule.
◆ Description: It specifies the description of the rate limit rule. It is usually used to
describe the purpose of the rule.
➢ Advanced Options: Click it to view and configure advanced parameters. In most cases,
you need not configure them.
➢ Each: If you select this radio button, the Device will assign the specified bandwidths
to each LAN host or application that matches the rule. For example, if the Min. Tx
Bandwidth is set to 1M and there are 10 LAN hosts that match the rule, each host will be
ensured at least 1M upload bandwidth.
➢ Share: If you select this radio button, all the LAN hosts or applications that match the
rule will share the specified bandwidths. For example, if the Min. Tx Bandwidth is set
to 1M and there are 10 LAN hosts that match the rule, the total upload bandwidth
allocated to all the hosts is at least 1M.
◆ Service Group: It allows you to select a service group to specify the protocol type
(TCP, UDP or ICMP) and ports of the traffic to which the rate limit rule applies. Note
that only the service groups whose Service Type is General Service can be
referenced by the rate limit rules. The default value is Any Service, which means any
protocol type and port.
◆ Bandwidth Priority: It specifies the bandwidth priority of the traffic to which the rate
limit rule applies. There are three options: Low, Mid, and High. The Device will
preferentially assign idle bandwidth to the traffic with higher priority; when the network
is busy, the Device will first ensure the guaranteed bandwidth for the traffic with high
priority.
◆ Bind to: It specifies an Internet connection to which the rate limit rule is bound.
◆ Schedule: It specifies a schedule to restrict when the rate limit rule is in effect. The
default value is Always, which means the rate limit rule is in effect always. Note that
after the selected schedule has expired, the rule will be in effect always.
➢ Edit Schedule: Click it to go to the Security > Schedule page to add, view, modify or
delete schedules.
➢ Edit Address Group: Click it to go to the Security > Address Group page to add,
view, modify or delete address groups.
➢ Edit Service Group: Click it to go to the Security > Service Group page to add,
view, modify or delete service groups.
➢ Save: Click it to save the rate limit rule settings.
Note
If the sum of specified Min. Tx/Rx Bandwidth is larger than the Internet connection's
Uplink/Downlink Bandwidth (configured in the Basic > WAN page), the Device
cannot guarantee the specified hosts or applications with minimum upload/download
bandwidth.
10.3.2 Rate Limit Rule List
Figure 10-3 Rate Limit Rule List
➢ Add a Rate Limit Rule: If you want to add a new rate limit rule, click the New button
or select the Rate Limit Rule Settings tab to go to the setup page, configure the rule,
and then click the Save button.
➢ Enable a Rate Limit Rule: The Enable check box is used to enable or disable the
corresponding rate limit rule. The default value is selected, which means the rate limit
rule is in effect. If you want to disable the rate limit rule temporarily instead of deleting
it, please click it to remove the check mark.
➢ View Rate Limit Rule(s): When you have configured some rate limit rules, you can
view them in the Rate Limit Rule List.
➢ Edit a Rate Limit Rule: If you want to modify a configured rate limit rule, click its Edit
hyperlink, and the related information will be displayed in the setup page. Then modify it,
and click the Save button.
➢ Move a Rate Limit Rule: The Device allows you to move a rate limit rule to above
another rule in the list. The operation is as follows: Select the ID of a rule that you want
to move from the Move drop-down list, and another rule's ID from the before
drop-down list, and then click OK. Note that moving a rule in the list doesn't change its ID
number.
➢ Delete Rate Limit Rule(s): If you want to delete one or more rate limit rules, select
the leftmost check boxes of them, and then click the Delete button.
10.3.3 The Execution Order of Rate Limit Rules
When receiving a packet initiated from the LAN, the Device will analyze the packet by
extracting its source IP address, destination IP address, protocol type (TCP, UDP or
ICMP), port number, and the date and time at which the packet was received, and then
compare them with each rule in the order in which the rules are listed in the Rate Limit Rule
List to find out if there is a rule that matches the packet. The first matched rule will apply to the
packet, and no further rules will be checked. If no rule matches, the packet will not be
restricted by any rate limit rule.
Note that in the Rate Limit Rule List, the rate limit rules are listed in reverse chronological
order of creation: the later a rule is created, the higher it is listed. The Device also
allows you to manually move a rule to a different position in the list.
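The first-match behaviour described above, as an added Python example (not UTT's code): it builds the newest-first list from the three rules of Example Two in section 10.6.2 and reports rules that can never match because an entry above them covers their whole source range. Matching on source address only, the Mbit/s to Kbit/s conversion by 1024 (taken from the Note in 10.2), and all function names are assumptions of the example.

```python
from ipaddress import IPv4Address as IP
from typing import NamedTuple


class Rule(NamedTuple):
    rule_id: int
    name: str
    start: IP          # first source address the rule applies to
    end: IP            # last source address the rule applies to
    min_tx_kbit: int
    min_rx_kbit: int
    priority: str

    def matches(self, src):
        return self.start <= IP(src) <= self.end

    def covers(self, other):
        return self.start <= other.start and other.end <= self.end


# The three rules of Example Two (10.6.2); rule 1 uses the default Any Address.
RULE1 = Rule(1, "all LAN users", IP("0.0.0.0"), IP("255.255.255.255"), 256, 512, "Low")
RULE2 = Rule(2, "game", IP("192.168.16.41"), IP("192.168.16.80"), 1024, 2048, "Mid")
RULE3 = Rule(3, "video", IP("192.168.16.2"), IP("192.168.16.40"), 2048, 4096, "High")


def rule_list(created):
    """Rules in list order: the most recently created rule is listed first."""
    return list(reversed(created))


def first_match(rules, src):
    """Return the first rule in list order that matches, or None (not limited)."""
    for rule in rules:
        if rule.matches(src):
            return rule
    return None


def move_before(rules, rule_id, before_id):
    """Move one rule to just above another; rule IDs are unchanged."""
    moved = next(r for r in rules if r.rule_id == rule_id)
    rest = [r for r in rules if r.rule_id != rule_id]
    idx = next(i for i, r in enumerate(rest) if r.rule_id == before_id)
    return rest[:idx] + [moved] + rest[idx:]


def shadowed(rules):
    """(hidden_id, hiding_id) pairs: a rule listed above covers the whole range."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.rule_id, earlier.rule_id))
                break
    return found


if __name__ == "__main__":
    # Catch-all created first, as Example Two instructs: it ends up last.
    good = rule_list([RULE1, RULE2, RULE3])
    # Catch-all created last: it is listed first and hides the other two.
    bad = rule_list([RULE3, RULE2, RULE1])
    for label, rules in (("good", good), ("bad", bad)):
        hit = first_match(rules, "192.168.16.10")
        print(label, [r.rule_id for r in rules], "video host ->", hit.name,
              "shadowed:", shadowed(rules))
```

Running the shadow check after every rule change catches the case where a broad rule created later silently overrides the per-area guarantees.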
10.4 P2P Rate Limit
This section describes the QoS > P2P Rate Limit page.
The P2P rate limit feature is specially designed for P2P applications. The P2P rate limit has the
highest priority, that is, even if you have created rate limit rules for some LAN users in the
QoS > Rate Limit Rule page, the P2P traffic of these users is still restricted by the P2P rate
limit settings. Using P2P rate limit, you can effectively reduce network congestion caused
by the usage of P2P applications without sacrificing the other LAN users' traffic and
bandwidth.
Figure 10-4 P2P Rate Limit Settings
◆ Enable P2P Rate Limit: It allows you to enable or disable P2P rate limit. If you want
to enable P2P rate limit, please select this check box. P2P applications include Bit
Spirit, Bit Comet, Thunder, Tuotu, and so on.
◆ Max. Tx Rate: It specifies the maximum upload rate of the P2P traffic.
◆ Max. Rx Rate: It specifies the maximum download rate of the P2P traffic.
◆ Rate Limit Mode: It specifies the mode by which the Device will limit the maximum
Tx/Rx rate of the LAN hosts.
  ● Each: If you select this radio button, the Tx/Rx rate of each LAN host's P2P
  traffic can reach the value specified by the Max. Tx/Rx Rate at most.
  ● Share: If you select this radio button, the total Tx/Rx rate of all the LAN hosts'
  P2P traffic can reach the value specified by the Max. Tx/Rx Rate at most.
◆ Exception: It specifies an address group that is exempt from the restriction of P2P
rate limit settings. If you select an address group here, the P2P traffic of the LAN
users in the group will be exempt from the restriction of P2P rate limit settings. The
address group is configured in the Security > Address Group page.
➢ Save: Click it to save the P2P rate limit settings.
Note
1. The P2P rate limit has higher priority than the rate limit rules configured in the QoS >
Rate Limit Rule page.
2. The P2P rate limit settings can take effect only after you have enabled rate limit in the
QoS > Global Settings page.
10.5 Application QoS
This section describes the QoS > APP QoS page.
The Device provides preferential forwarding for the traffic of some predefined special
applications, that is, the traffic of these applications will be exempt from the restrictions of the rate limit
rules configured in the QoS > Rate Limit Rule page. The predefined applications include
hot online games, VoIP, Web browsing, VPN and Email. In this page, you can enable
preferential forwarding for one or more predefined applications as required. Moreover,
you can enable the PPPoE upload bandwidth optimization feature.
Figure 10-5 Preferential Forwarding for Some Applications Traffic
◆ Select All: It selects or unselects all the check boxes below. If you want to enable all
the features provided in this page at a time, please select this check box. If you want
to disable all the features provided in this page at a time, please clear the check box.
◆ Enable Preferential Forwarding for Hot Online Games Traffic: It allows you to
enable or disable preferential forwarding for hot online games traffic. If you select the
check box to enable this feature, the LAN users' hot online games traffic will be
exempt from the restriction of the rate limit rules. The online games mainly include:
WOW, Aion, MHXY, BNB, Jade Dynasty, QQGame, CGA, Zhengtu, Perfect World,
Audition, Kartrider Rush, and so on.
◆ Enable PPPoE Upload Bandwidth Optimization: It allows you to enable or disable
PPPoE upload bandwidth optimization. If you want to improve the upload speed of
the LAN PPPoE dial-in users, please select the check box to enable this feature.
◆ Enable Preferential Forwarding for VoIP Traffic: It allows you to enable or disable
preferential forwarding for VoIP traffic. If you select the check box to enable this
feature, the LAN users' VoIP traffic will be exempt from the restriction of the rate limit
rules. The VoIP applications mainly include: Network Phone, Video Conference, etc.
◆ Enable Preferential Forwarding for Web Traffic: It allows you to enable or disable
preferential forwarding for Web traffic. If you select the check box to enable this
feature, the LAN users' Web traffic will be exempt from the restriction of the rate limit
rules, thus the web browsing speed of the LAN users will be improved.
◆ Enable Preferential Forwarding for VPN Traffic: It allows you to enable or disable
preferential forwarding for VPN traffic. If you select the check box to enable this
feature, the LAN users' VPN traffic (including PPTP, L2TP and IPSec VPN traffic) will
be exempt from the restriction of the rate limit rules.
◆ Enable Preferential Forwarding for Email Traffic: It allows you to enable or disable
preferential forwarding for Email traffic. If you select the check box to enable this
feature, the LAN users' Email traffic will be exempt from the restriction of the rate limit
rules.
➢ Save: Click it to save your settings.
Note
The Device can preferentially forward the selected applications' traffic only after you
have enabled rate limit in the QoS > Global Settings page.
10.6 Configuration Examples for QoS
10.6.1 Example One
1. Requirements
In this example, a business has a single Internet connection with uplink bandwidth 10
Mbit/s and downlink bandwidth 20 Mbit/s. And the number of network devices is
approximately 100.
The requirements are as follows: All the LAN users want to access the Internet smoothly,
and the bandwidth will not be wasted when the network is idle. Besides, the administrator
wants to limit the rate of the P2P applications for each LAN host: Max. Tx Rate is 64 Kbit/s,
Max. Rx Rate is 128 Kbit/s.
2. Analysis
We need to do the following settings:
● Set the Internet connection's Uplink Bandwidth and Downlink Bandwidth to 10240
Kbit/s and 20480 Kbit/s respectively.
● Enable rate limit and set the Capacity to 100 in the QoS > Global Settings page.
● Create one rate limit rule to set guaranteed bandwidth for each LAN host: Min. Tx
Bandwidth is 100 Kbit/s, and Min. Rx Bandwidth is 200 Kbit/s.
● Enable P2P rate limit feature, and limit the P2P traffic rate for each LAN host: Max. Tx
Rate is 64 Kbit/s, Max. Rx Rate is 128 Kbit/s.
3. Configuration Procedure
Step 1  Go to the Basic > WAN > WAN1 page, enter 10240 in the Uplink Bandwidth
text box, and enter 20480 in the Downlink Bandwidth text box.
Step 2  Go to the QoS > Global Settings page (see Figure 10-6), select the Enable
Rate Limit check box, and then enter 100 in the Capacity text box, lastly click
the Save button.
Figure 10-6 Rate Limit Global Settings - Example One
Step 3  Go to QoS > Rate Limit Rule > Rate Limit Rule Settings page (see Figure
10-7), enter 100 in the Min. Tx Bandwidth text box, and enter 200 in the Min.
Rx Bandwidth text box. Leave the default values for the other parameters.
Lastly click the Save button.
Figure 10-7 Rate Limit Rule Settings - Example One
Step 4  Go to the QoS > P2P Rate Limit page (see Figure 10-8), select the Enable
P2P Rate Limit check box, and select 64K from the Max. Tx Rate drop-down
list, and select 128K from the Max. Rx Rate drop-down list. Leave the default
values for the other parameters. Lastly click the Save button.
Figure 10-8 P2P Rate Limit Settings - Example One
10.6.2 Example Two
1. Requirements
In this example, an Internet café has a single Internet connection with uplink bandwidth 50
Mbit/s and downlink bandwidth 100 Mbit/s. And the number of network devices is
approximately 100. The Internet café consists of three areas: Video Area, Online Game
Area, and Common Area. There are 30 hosts in Video Area, 30 hosts in Online Game
Area, and 40 hosts in Common Area. The IP address ranges of the areas are as follows:
● Video Area: 192.168.16.2~192.168.16.40
● Online Game Area: 192.168.16.41~192.168.16.80
● Common Area: the remaining IP addresses
The requirements are as follows: The hosts in Video Area have high bandwidth demand,
the hosts in Online Game Area have mid bandwidth demand, and the hosts in Common
Area have low bandwidth demand (that is, the bandwidth just needs to meet the
requirements of web browsing and any other general operation); furthermore, the LAN
users' Web traffic has the highest priority.
2. Analysis
We need to do the following settings:
● Set the Internet connection's Uplink Bandwidth and Downlink Bandwidth to 51200
Kbit/s and 102400 Kbit/s respectively.
● Enable rate limit and set Capacity to 100 in the QoS > Global Settings page.
● Create rate limit rule 1 for all the LAN users: Min. Tx Bandwidth is 256 Kbit/s, Min.
Rx Bandwidth is 512 Kbit/s, and Bandwidth Priority is Low. Note that as this rule
has the lowest priority, it should be created first.
● Create rate limit rule 2 for the hosts in the Online Game Area: Min. Tx Bandwidth is
1 Mbit/s, Min. Rx Bandwidth is 2 Mbit/s, and Bandwidth Priority is Mid.
● Create rate limit rule 3 for the hosts in the Video Area: Min. Tx Bandwidth is 2 Mbit/s,
Min. Rx Bandwidth is 4 Mbit/s, and Bandwidth Priority is High.
● Enable preferential forwarding for Web traffic feature in the QoS > APP QoS page.
3. Configuration Procedure
Step 1
Go to Security > Address Group page to create two address groups: One is
for the Video Area, and it contains the IP addresses from 192.168.16.2 to
192.168.16.40; the other is for the Online Game Area, and it contains the IP
addresses from 192.168.16.41 to 192.168.16.80; and here we assume their
names are video and game respectively.
Step 2
Go to the Basic > WAN > WAN1 page, enter 51200 in the Uplink Bandwidth
text box, and enter 102400 in the Downlink Bandwidth text box.
Step 3
Go to the QoS > Global Settings page, select the Enable Rate Limit check
box, and then enter 100 in the Capacity text box, lastly click the Save button to
save the settings.
Step 4
Creating rate limit rule 1: Go to the QoS > Rate Limit Rule > Rate Limit Rule
Settings page (see Figure 10-9), enter 256 in the Min. Tx Bandwidth text box,
and enter 512 in the Min. Rx Bandwidth text box. Leave the default values for
the other parameters. Lastly click the Save button.
Figure 10-9 Rate Limit Rule 1 Settings - Example Two
Step 5
Creating rate limit rule 2: Go to the QoS > Rate Limit Rule > Rate Limit Rule
Settings page (see Figure 10-10), select game from the Source Address
Group, select 1M from the Min. Tx Bandwidth drop-down list, select 2M from
the Min. Rx Bandwidth drop-down list, and select Mid from the Bandwidth
Priority drop-down list. Leave the default values for the other parameters. Lastly
click the Save button.
Figure 10-10 Rate Limit Rule 2 Settings - Example Two
Step 6
Creating rate limit rule 3: Go to the QoS > Rate Limit Rule > Rate Limit Rule
Settings page (see Figure 10-11), select video from the Source Address
Group, select 2M from the Min. Tx Bandwidth drop-down list, select 4M from
the Min. Rx Bandwidth drop-down list, select High from the Bandwidth
Priority drop-down list. Leave the default values for the other parameters.
Lastly click the Save button.
Figure 10-11 Rate Limit Rule 3 Settings - Example Two
Step 7
Go to the QoS > APP QoS page (see Figure 10-12), select the Enable
Preferential Forwarding for Web Traffic check box, and then click the Save
button.
Figure 10-12 Enable Preferential Forwarding for Web Traffic- Example Two
Chapter 11 Restriction
This chapter describes how to configure personal settings for each LAN user, Internet
behavior management, policy database, QQ whitelist, notice and Web Authentication
feature; and how to view the related status information.
11.1 User Admin
This section describes how to view the current status information of LAN users (hosts);
and how to configure personal settings for each user individually, including rate limit
settings and Internet behavior management settings.
11.1.1 User Status List
Through the User Status List in the Restriction > User Admin page, you can view the
status information of each LAN user (host).
Figure 11-1 User Status List
- ID: It is used to identify each entry in the list.
- Description: If the LAN user is an IP/MAC binding user, it displays the description of
  the user; else it is blank.
- IP Address: It displays the IP address of the LAN user. If you click the IP Address
  hyperlink, it will jump to the Restriction > User Admin > Rate Limit page, and then
  you can individually limit the maximum upload and download rates of the user;
  moreover, you can go to the Restriction > User Admin > Internet Behavior page to
  configure the personal Internet behavior management parameters for the user. If you
  move your mouse over the IP Address hyperlink, it will display the current effective
  settings of the user.
- MAC Address: It displays the MAC address of the LAN user.
- Binding Status: It indicates whether the LAN user is binding or not. If the user is an
  IP/MAC binding user, DHCP binding user, or PPPoE IP/MAC binding user, it displays
  Yes; else, it displays No.
- Rx Rate: It displays the real-time download rate (in kilobits per second) of the LAN
  user.
- Tx Rate: It displays the real-time upload rate (in kilobits per second) of the PPPoE
  LAN user.
- NAT Sessions: It displays the number of NAT sessions that are being used by the
  LAN host now.
- User Type: It displays the access type of the LAN user. The possible values are
  PPPoE, DHCP and Static IP. If the user is a PPPoE dial-in user, it displays PPPoE; if
  the user is a DHCP client user, it displays DHCP; else, it displays Static IP.
- Online Status: It displays online status of the LAN user. If the user is connected to
  the Device, it displays Online; if the user is an IP/MAC binding user, DHCP binding
  user, or PPPoE IP/MAC binding user, and isn't connected to the Device, it displays
  Offline. Note that the list doesn't display the status information of those non-binding
  users who aren't connected to the Device.
- Enable Personal Settings: The Enable Personal Settings check box is used to
  enable or disable the personal settings of the LAN user. If you want to configure and
  enable the personal settings of a LAN user, please select this check box. Note that as
  mentioned earlier, it allows you to click IP Address hyperlink to configure, view and
  modify personal settings. If you want to disable the LAN user's personal settings
  temporarily instead of deleting them, please click it to remove the check mark.
- Display IP/MAC Binding: Click it to go to the Security > IP/MAC Binding page to
  view the IP/MAC Binding List.
- Delete Selected Personal Settings: If you want to delete personal settings of one or
  more LAN users, select the leftmost check boxes of them, and then select Delete
  Selected Personal Settings from the drop-down list on the lower right corner of the
  list, lastly click OK.
- Delete All Personal Settings: If you want to delete all the personal settings at a time,
  select Delete All Personal Settings from the drop-down list on the lower right corner
  of the list, and then click OK.
Note
You can configure IP/MAC binding users in the Security > IP/MAC Binding >
IP/MAC Binding Settings page, configure PPPoE IP/MAC binding users in the
PPPoE > PPPoE IP/MAC > IP/MAC Binding Settings page, and configure DHCP
manual binding users in the DHCP > DHCP Server > Manual Binding Settings
page.
11.1.2 Personal Rate Limit
If you want to individually limit the maximum upload and download rates of a LAN user, go
to the Restriction > User Admin > User Status List page firstly, and then select the
user's Enable Personal Settings check box or click its IP Address hyperlink to go to the
Restriction > User Admin > Rate Limit page to specify the Max. Tx Rate and Max. Rx
Rate for the selected user.
Figure 11-2 Personal Rate Limit Settings
- Max. Tx Rate: It specifies the maximum upload rate of the selected LAN user.
- Max. Rx Rate: It specifies the maximum download rate of the selected LAN user.
- Save: Click it to save your settings.
11.1.3 Personal Internet Behavior Management
Moreover, it allows you to go to the Restriction > User Admin > Internet Behavior page
to configure, modify and view the personal Internet behavior management settings for the
selected user, see Figure 11-3. For detailed description of the related parameters, refer to
section 11.2.1 Internet Behavior Management Settings.
Figure 11-3 Personal Internet Behavior Management Settings
11.2 Internet Behavior Management
This section describes the Restriction > Behavior Mgmt page.
In this page, you can easily control and manage the Internet behaviors of the LAN users,
which include: allow or block the LAN users from using popular IM (e.g., QQ, MSN) and
P2P applications (e.g., Bit Comet, Bit Spirit, Thunder Search), downloading the files with
the extension .exe, .dll, .vbs, .com, .bat or .sys over HTTP, playing online games,
accessing stock and game websites, submitting input in the webpage, using HTTP proxy,
and so on.
Moreover, it allows you to configure Internet behaviors management policies based on
address group and schedule.
11.2.1 Internet Behavior Management Policy Settings
Figure 11-4 Internet Behavior Management Policy Settings
- Address Group: It specifies an address group to which the Internet behavior
  management policy applies. The Device will control and manage the Internet
  behaviors of the LAN users that belong to this address group according to the policy.
  The address group is configured in the Security > Address Group page.
- Schedule: It specifies a schedule to restrict when the Internet behavior management
  policy is in effect. The default value is Always, which means the policy is in effect
  always. Note that after the selected schedule has expired, the policy will be in effect
  always. The schedule is configured in the Security > Schedule page.
- Description: It specifies the description of the Internet behavior management policy.
  It is usually used to describe the purpose of the policy.
- IM: You can allow or block some popular IM (Instant Message) applications, which
  include QQ, MSN, Ali Wangwang, WebQQ and Fetion.
  ● Block QQ: Allow or block QQ application. If you want to block the specified LAN
    users (set by Address Group) from using QQ to chat with others, please select
    this check box.
  ● Block MSN: Allow or block MSN Messenger. If you want to block the specified
    LAN users from using MSN Messenger to chat with others, please select this
    check box.
  ● Block Ali Wangwang: Allow or block Ali Wangwang application. If you want to
    block the specified LAN users from using Ali Wangwang, please select this check
    box.
  ● Block WebQQ: Allow or block WebQQ application. If you want to block the
    specified LAN users from using WebQQ to chat with others, please select this
    check box.
  ● Block Fetion: Allow or block Fetion application. If you want to block the specified
    LAN users from using Fetion to chat with others, please select this check box.
- P2P: You can allow or block some popular P2P applications, which include BT (Bit
  Comet, Bit Spirit), Thunder Search, QQLive, PPS, Sogou Search, PPLive and QVOD.
  ● Block BT (BitSpirit, BitComet): Allow or block BitSpirit and BitComet
    applications. If you want to block the specified LAN users from using BitSpirit or
    BitComet to download files, please select this check box.
  ● Block Thunder Search: Allow or block Thunder search application. If you want
    to block the specified LAN users from using Thunder to search resources, please
    select this check box.
  ● Block QQLive: Allow or block QQLive application. If you want to block the
    specified LAN users from using QQLive to play videos, please select this check
    box.
  ● Block PPS: Allow or block PPS (i.e., PPStream) application. If you want to block
    the specified LAN users from using PPS to play videos, please select this check
    box.
  ● Block Sogou Search: Allow or block Sogou search application. If you want to
    block the specified LAN users from using Sogou to search resources, please
    select this check box.
  ● Block PPLive: Allow or block PPLive application. If you want to block the
    specified LAN users from using PPLive to play videos, please select this check
    box.
  ● Block QVOD: Allow or block QVOD (Quasi Video on Demand) application. If you
    want to block the specified LAN users from using QVOD to play videos, please
    select this check box.
- Game: You can allow or block some popular online game applications, which include
  QQGame, BNB, Zhengtu, Perfect World, Jade Dynasty, MHXY, Audition, CGA, WOW,
  Aion and Kartrider Rush.
  ● Block QQGame: Allow or block QQGame application. If you want to block the
    specified LAN users from playing QQGame, please select this check box.
  ● Block BNB: Allow or block BNB application. If you want to block the specified
    LAN users from playing BNB game, please select this check box.
  ● Block Zhengtu: Allow or block Zhengtu application. If you want to block the
    specified LAN users from playing Zhengtu game, please select this check box.
  ● Block Jade Dynasty: Allow or block Jade Dynasty and Perfect World
    applications. If you want to block the specified LAN users from playing Jade
    Dynasty or Perfect World game, please select this check box.
  ● Block MHXY: Allow or block MHXY application. If you want to block the specified
    LAN users from playing MHXY game, please select this check box.
  ● Block Audition: Allow or block Audition application. If you want to block the
    specified LAN users from playing Audition game, please select this check box.
  ● Block CGA: Allow or block CGA application. If you want to block the specified
    LAN users from playing CGA game, please select this check box.
  ● Block WOW: Allow or block WOW application. If you want to block the specified
    LAN users from playing WOW game, please select this check box.
  ● Block Aion: Allow or block Aion application. If you want to block the specified
    LAN users from playing Aion game, please select this check box.
  ● Block Kartrider Rush: Allow or block Kartrider Rush application. If you want to
    block the specified LAN users from playing Kartrider Rush game, please select
    this check box.
- Web: You can allow or block downloading some predefined types of files over HTTP,
  and submitting input in the webpage.
  ● Block Files: Allow or block downloading some predefined types of files over
    HTTP. If you want to block the specified LAN users from downloading the files
    with the extension .exe, .dll, .vbs, .com, .bat or .sys over HTTP, please select this
    check box. It allows you to click View hyperlink to view all the predefined file
    types.
  ● Block Submit: Allow or block submitting input in the webpage. If you want to
    block the specified LAN users from submitting input in the webpage, such as
    logging in to a website, posting messages on a forum, etc., please select this
    check box.
- DNS: You can allow or block some predefined game and stock websites by DNS
  filtering.
  ● Block Game Websites: Allow or block some predefined game websites. If you
    want to block the specified LAN users from accessing those predefined game
    websites, please select this check box. It allows you to click the View hyperlink to
    view all the predefined game websites.
  ● Block Stock Websites: Allow or block some predefined stock websites. If you
    want to block the specified LAN users from accessing those predefined stock
    websites, please select this check box. It allows you to click the View hyperlink to
    view all the predefined stock websites.
- Others: Allow or block some other applications such as HTTP Proxy, SOCK Proxy.
  ● Block HTTP Proxy: Allow or block HTTP Proxy application. If you want to block
    the specified LAN users from using HTTP Proxy, please select this check box.
  ● Block SOCK4 Proxy: Allow or block SOCK4 Proxy application. If you want to
    block the specified LAN users from using SOCK4 Proxy, please select this check
    box.
  ● Block SOCK5 Proxy: Allow or block SOCK5 Proxy application. If you want to
    block the specified LAN users from using SOCK5 Proxy, please select this check
    box.
- Save: Click it to save the Internet behavior management policy settings.
Note
1. If a function option of an Internet behavior management policy is not in effect as
   desired, please go to the Restriction > Policy Database > Policy Database List to
   check whether its corresponding policy database is the latest or not. Refer to section
   11.3.2 Policy Database List for more information about how to update a policy
   database.
2. When using the Internet behavior management feature, the Device will search the
   Internet behavior management policy list to find out if there is a matched policy for
   each LAN user. It will check the user's IP address against each policy in the order in
   which the policies are listed. The first matched policy will apply to the LAN user, and no
   further policies will be checked. Note that in the Behavior Mgmt. List, the policies
   are listed in reverse chronological order of creation: the later a policy is created, the
   higher it is listed.
11.2.2 Internet Behavior Management Policy List
Figure 11-5 Internet Behavior Management Policy List
- Add an Internet Behavior Management Policy: If you want to add a new Internet
  behavior management policy, click the New button or select the Behavior Mgmt.
  Settings tab to go to the setup page, and then configure it, lastly click the Save
  button.
- View Internet Behavior Management Policy(s): When you have configured some
  Internet behavior management policies, you can view them in the Behavior Mgmt.
  List.
- Enable an Internet Behavior Management Policy: The Enable check box is used
  to enable or disable the corresponding Internet behavior management policy. The
  default value is selected, which means the policy is in effect. If you want to disable the
  policy temporarily instead of deleting it, please click it to remove the check mark.
- Edit an Internet Behavior Management Policy: If you want to modify a configured
  Internet behavior management policy, click its Edit hyperlink, the related information
  will be displayed in the setup page. Then modify it, and click the Save button.
- Delete Internet Behavior Management Policy(s): If you want to delete one or more
  Internet behavior management policies, select the leftmost check boxes of them, and
  then click the Delete button.
11.3 Policy Database
This section describes the Restriction > Policy Database page.
Note
In this document the policy database is called PDB for short.
11.3.1 Introduction to Policy Database
This page allows you to not only view the PDBs in the Policy Database List, but also
upload and update PDBs. By introducing PDB, we can add a group of policies into a PDB;
and we also provide PDB online update function to greatly facilitate the users. The Device
currently supports four types of PDBs, which include Route PDB, DNS PDB, Website
PDB and Firewall PDB; and in the future, UTT Technologies Co., Ltd. will successively
provide more types of PDBs according to actual user requirements.
The route PDBs can be referenced and configured in the Advanced > Static Route page.
By introducing route PDB, the users don't need to add static routes one by one, but instead
create a large batch of static routes for each ISP connection at a time. Then the traffic
destined for one ISP's servers will be forwarded through this ISP's connection, but not
another ISP's connection; for example, the traffic destined for TEL servers will be forwarded to
the TEL connection, the traffic destined for CNC servers will be forwarded to the CNC
Internet connection, and the traffic destined for ChinaMobile servers will be forwarded to
the ChinaMobile Internet connection. Thus the LAN hosts can access those servers
normally. Refer to section 7.1.2 Static Route Policy Database for more information about
route PDBs.
The firewall PDBs, DNS PDBs, and Website PDBs are referenced and configured in the
Restriction > Behavior Mgmt. > Behavior Mgmt. Settings page. By introducing firewall
PDBs, you don't need to add multiple access control rules one by one, but instead just click
some check boxes to block or allow the LAN users to use popular IM (e.g., QQ, MSN) and
P2P applications (e.g., BitComet, BitSpirit, Thunder Search).
11.3.2 Policy Database List
Figure 11-6 Policy Database List
- Name: It displays the name of the PDB.
- Type: It displays the type of the PDB. Now the Device provides four types of policy
  databases: Route, Firewall, Dns and Website.
- Description: It displays the description of the PDB. It is usually used to describe the
  purpose of the PDB.
- Referenced: It indicates whether the PDB is referenced or not. If the PDB is
  referenced, it displays Yes; else, it displays No.
- Version: It displays the version of the PDB. The version indicates the date on which
  PDB was created, for example, the version of 090805 means that the PDB was
  created on August 5, 2009. You can judge whether a PDB needs to be updated
  according to its version: the larger the value, the newer the version.
- Update: If you want to update a PDB, click its Update hyperlink to download the
  latest PDB from designated website and apply it automatically.
- Update All: If you want to update all the PDBs in the list at a time, click the Update
  All hyperlink to download all the latest PDBs from designated website and apply them
  automatically.
- Delete: If you want to delete one or more PDBs, select the leftmost check boxes of
  them, and then click the Delete button.
Note
1. You cannot delete the system default PDBs.
2. By default, the Policy Database List only displays the system default PDBs, which
   include CNC, TEL, QQ, MSN, BT, Thunder, GAMEURL, STOCKURL, FileType, and
   upload. It allows you to customize firewall PDBs and modify the system default
   firewall PDBs via CLI.
3. Only the system default PDBs can be updated. Once you have updated a firewall
   PDB which has been referenced, the related settings will take effect immediately;
   after you updated a route PDB which has been referenced, you should go to the
   Advanced > Static Route page to reference it again and perform the save operation
   to make the related settings take effect. Refer to section 7.1.2.4 How to Update a
   System Default Static Route PDB for detailed operation.
11.3.3 Policy Database Version Check
Figure 11-7 Policy Database Version Check
- Policy Database Version Check: It specifies whether the Device will automatically
  check the version of each PDB or not. There are two available options:
  ● Never: It indicates that the Device will not automatically check the version of
    each PDB.
  ● Automatically: It indicates that the Device will automatically check the version of
    each PDB at the specified time (set by Check Time); and log the results that
    mainly contain which PDBs need to be updated in the Status > System Log
    page.
- Check Time: It specifies a time at which PDB version check will be triggered. If you
  select Automatically from the Policy Database Version Check drop-down list, you
  should set the Check Time as required.
- Save: Click it to save the PDB version check settings.
Note
If you select Automatically from the Policy Database Version Check drop-down list,
you should synchronize the system clock in the System > Time page to ensure that
the Device will automatically check the version of each PDB at the desired time.
11.3.4 Import Policy Database
Figure 11-8 Import Policy Database
- Choose File: Click the Browse button to choose a PDB file or enter the file path and
  name in the text box.
- Upload: Click it to import the selected PDB file into the Device. Once the PDB file is
  imported successfully, you can view it in the Policy Database List.
Note
To avoid unexpected errors, do not power off the Device while importing the PDB file.
11.4 QQ Whitelist
The Device provides QQ whitelist feature, which allows you to add some QQ numbers into
the QQ Whitelist, then those QQ numbers will be exempt from the restriction of the
Internet behavior management policies configured in the Restriction > Behavior Mgmt. >
Behavior Mgmt. Settings page, that is, the LAN users still can use those QQ numbers to
login to QQ even if you have blocked these users from using QQ by policies.
11.4.1 Enable QQ Whitelist
Figure 11-9 Enable QQ Whitelist
- Enable QQ Whitelist: It allows you to enable or disable QQ whitelist. If you select the
  check box to enable QQ whitelist, the QQ numbers in the QQ Whitelist will take
  effect. Else, those QQ numbers will be of no effect.
- Save: Click it to save your settings.
11.4.2 QQ Whitelist Settings
Figure 11-10 QQ Whitelist Settings
- QQ Number: It specifies a unique QQ number. It should be a number less than 11
  digits. The QQ number will be exempt from the restriction of the Internet behavior
  management policies, that is, a LAN user still can use this QQ number to login to QQ
  even if you have blocked the user from using QQ by a policy.
- Description: It specifies the description of the QQ number.
- Save: Click it to save the QQ whitelist settings.
11.4.3 QQ Whitelist
Figure 11-11 QQ Whitelist
- Add a QQ Number: If you want to add a new QQ number into the QQ Whitelist, click
  the New button or select the QQ Whitelist Settings tab to go to the setup page, and
  then configure it, lastly click the Save button.
- View QQ Number(s): When you have configured some QQ numbers, you can view
  them in the QQ Whitelist.
- Edit a QQ Number: If you want to modify a configured QQ number, click its Edit
  hyperlink, the related information will be displayed in the setup page. Then modify it,
  and click the Save button.
- Delete QQ Number(s): If you want to delete one or more QQ numbers, select the
  leftmost check boxes of them, and then click the Delete button.
11.5 Configuration Example for Internet Behavior Management
1. Requirements
In 2011, a business CEO wants to control online behavior of the employees. He wants to
block all the predefined IM and P2P applications, online games, game and stock websites
during working time, but allow all the Internet services during rest periods. But there are
some exceptions which are as follows:
● The CEO and vice CEO can access the Internet without any restrictions. Their IP
  addresses are 192.168.16.4 and 192.168.16.5 respectively.
● The Customer Service and Sales Departments' employees need to use IM
  applications to communicate with customers during working time. Their IP address
  ranges are: from 192.168.16.50 to 192.168.16.70, and from 192.168.16.100 to
  192.168.16.120 respectively.
● There are five employees with dynamic IP addresses, and they need to use QQ.
  Their QQ numbers are 21586375, 29583674, 1572681475, 1143550132 and
  66587954 respectively.
The business's working time is: Monday to Friday, 9:00 to 12:00 am, and 1:00 to 6:00 pm.
2. Analysis
We need to create three Internet behavior management policies, enable QQ whitelist
feature and add five QQ numbers into the QQ Whitelist to meet requirements.
1) Policy 1: It is used to block all the LAN users from using IM and P2P applications,
   playing online games, and accessing game and stock websites.
2) Policy 2: It is used to allow the Customer Service and Sales Departments' employees
   to use IM applications during working time. Note that as this policy has higher priority
   than policy 1, it should be created later than policy 1.
3) Policy 3: It is used to allow the CEO and vice CEO to access all the Internet services.
   Note that as this policy has the highest priority, it should be created last.
4) Enable QQ whitelist feature and add five QQ numbers into the QQ Whitelist.
3. Configuration Procedure
Before creating the Internet behavior management policies, you may do the following
tasks:
● Go to the Security > Address Group page to create two address groups, one is for
  the two CEOs, and it contains two IP addresses: 192.168.16.4 and 192.168.16.5; the
  other is for Customer Service and Sales Departments' employees, and it contains two
  IP address ranges: from 192.168.16.50 to 192.168.16.70, and from 192.168.16.100
  to 192.168.16.120. Here we assume the first group's name is Directors, and the
  second group's name is CSD_SD. Refer to section 12.6.4 How to Add the Address
  Groups for detailed information about how to create them.
● Go to the Security > Schedule page to create one schedule for working time. Here
  we assume its name is work. Refer to section 12.8.5 Configuration Example for
  Schedule for detailed information about how to create it.
Here we only describe how to create three Internet behavior management policies, enable
QQ whitelist feature and add five QQ numbers into the QQ Whitelist.
The configuration steps are the following:
Step 1
Go to the Restriction > Behavior Mgmt. > Behavior Mgmt. Settings page.
Step 2
Creating Policy 1: Select Any Address from the Address Group drop-down
list, select work from the Schedule drop-down list, select all the check boxes in
IM, P2P, Games and DNS configuration fields, and then click the Save button,
see Figure 11-12.
Figure 11-12 Internet Management Behavior Example - Policy 1
Step 3
Creating Policy 2: Select CSD_SD from the Address Group drop-down list,
select work from the Schedule drop-down list, select all the check boxes in
P2P, Games and DNS configuration fields, and then click the Save button, see
Figure 11-13.
Figure 11-13 Internet Management Behavior Example - Policy 2
Step 4
Creating Policy 3: Select Directors from the Address Group drop-down list,
select Always from the Schedule drop-down list, and unselect all the check
boxes in the page, and then click the Save button, see Figure 11-14.
Figure 11-14 Internet Management Behavior Example - Policy 3
Step 5
Go to Restriction > QQ Whitelist page, select the Enable QQ Whitelist check
box, and click the Save button, see Figure 11-15. Click the New button to go to
the QQ Whitelist Settings page to add the first QQ number (i.e., 21586375)
into the QQ Whitelist, and then add the other four QQ numbers one by one,
see Figure 11-16.
Figure 11-15 Internet Management Behavior Example - Enable QQ Whitelist
Figure 11-16 Internet Management Behavior Example -QQ Whitelist
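The first-match lookup and newest-first listing from section 11.2.1 decide which of the three policies above reaches each user, so a wrong creation order silently changes who is restricted. The following Python model is an added example, not UTT code or output from the Device. It assumes that a policy only matches while its schedule is active and that a user with no matching policy is unrestricted; all function names and the shadowed() audit check are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Callable, Optional

IM, P2P, GAMES, DNS = "IM", "P2P", "Games", "DNS"

def span(first, last=None):
    """Inclusive IPv4 range as a pair of integers."""
    return int(IPv4Address(first)), int(IPv4Address(last or first))

# Address groups from the example; a group of None stands for "Any Address".
GROUPS = {
    "Directors": [span("192.168.16.4"), span("192.168.16.5")],
    "CSD_SD": [span("192.168.16.50", "192.168.16.70"),
               span("192.168.16.100", "192.168.16.120")],
}

def work(when):
    """Schedule 'work': Monday to Friday, 9:00-12:00 and 13:00-18:00.
    Treating the end of each period as exclusive is an assumption."""
    t = when.time()
    return when.weekday() < 5 and (time(9) <= t < time(12) or time(13) <= t < time(18))

def always(when):
    return True

@dataclass(frozen=True)
class Policy:
    name: str
    group: Optional[str]
    schedule: Callable[[datetime], bool]
    blocked: frozenset  # categories whose check boxes are all selected

CREATED = [  # creation order given in the Analysis
    Policy("Policy 1", None, work, frozenset({IM, P2P, GAMES, DNS})),
    Policy("Policy 2", "CSD_SD", work, frozenset({P2P, GAMES, DNS})),
    Policy("Policy 3", "Directors", always, frozenset()),
]
LISTED = list(reversed(CREATED))  # the list shows the newest policy first

QQ_WHITELIST = {"21586375", "29583674", "1572681475", "1143550132", "66587954"}

# Constructed sample times (14 March 2011 was a Monday).
MON_WORK = datetime(2011, 3, 14, 10, 0)
MON_LUNCH = datetime(2011, 3, 14, 12, 30)
SATURDAY = datetime(2011, 3, 12, 10, 0)

def in_group(ip, group):
    n = int(IPv4Address(ip))
    return group is None or any(lo <= n <= hi for lo, hi in GROUPS[group])

def effective_policy(ip, when, policies):
    """First policy, top to bottom, whose group and schedule both match."""
    for p in policies:
        if in_group(ip, p.group) and p.schedule(when):
            return p
    return None

def blocked_categories(ip, when, policies):
    p = effective_policy(ip, when, policies)
    return p.blocked if p else frozenset()

def qq_allowed(ip, when, qq_number, policies, whitelist_enabled=True):
    """Whitelisted QQ numbers bypass the IM block; others follow the policy."""
    if whitelist_enabled and qq_number in QQ_WHITELIST:
        return True
    return IM not in blocked_categories(ip, when, policies)

def covers(outer, inner):
    """True if every range of group `inner` lies inside one range of `outer`."""
    if outer is None:
        return True
    if inner is None:
        return False
    return all(any(lo <= a and b <= hi for lo, hi in GROUPS[outer])
               for a, b in GROUPS[inner])

def shadowed(policies):
    """Policies that can never be selected because an entry listed above them
    covers the same addresses on the same (or an always-on) schedule.
    Conservative: partial overlaps are not reported."""
    return [p.name for i, p in enumerate(policies)
            if any(covers(q.group, p.group) and q.schedule in (always, p.schedule)
                   for q in policies[:i])]

if __name__ == "__main__":
    for ip in ("192.168.16.4", "192.168.16.60", "192.168.16.200"):
        for when in (MON_WORK, MON_LUNCH):
            print(ip, when, sorted(blocked_categories(ip, when, LISTED)))
    print("shadowed if listed in creation order:", shadowed(CREATED))
```

Passing CREATED instead of LISTED models a list where Policy 1 sits on top: Policy 2 is then never reached and the Directors group is blocked during working time.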
11.6 Notice
This section describes the Restriction > Notice page.
11.6.1 Introduction to Notice
The Device provides notice feature which is used to push notice messages to the
specified LAN users. After you enable notice feature, if a specified LAN user accesses the
Internet via a web browser (e.g., IE, Firefox), the Device will automatically push a notice
message to the user.
The Device provides one-time notice and daily notice. If you enable one-time notice
feature and specify a notice message, and then when a specified LAN user accesses the
Internet via a web browser, the Device will automatically push the notice message to the
user; in general, the one-time notice message is only pushed once. If you enable daily
notice feature and specify a notice message, the Device will automatically push the notice
message to the specified LAN users one time per day.
Whether you use one-time notice or daily notice, you can customize a notice message
or just specify a notice URL. If you choose to customize a notice message, then when
a specified LAN user accesses the Internet via a web browser, the Device will
automatically pop up the notice message to the user. Otherwise, the requested web page will
automatically jump to the specified URL to display the notice; in this case, you need to add
the notice message to that web page in advance.
Besides notice feature in this page, UTT Series Security Firewalls also provide domain
blocking notice feature. Please refer to section 12.4.2 Domain Blocking Notice for
detailed information.
11.6.2 Notice Settings
11.6.2.1 One-Time Notice Settings
When using one-time notice, the Device will push the notice message to the LAN users
that belong to the specified address group. The one-time notice message is pushed
only once.
Figure 11-17 One-Time Notice Settings - Customized Mode
• Enable One-Time Notice: It allows you to enable or disable one-time notice. If you
want to enable one-time notice, please select this check box.
• Address Group: It specifies an address group to which the notice message will be
pushed. When you enable one-time notice, the Device will directly push the notice
message to the LAN users that belong to this address group. The address group is
configured in the Security > Address Group page.
• Notice Mode: It specifies the mode of pushing the notice. There are two available
options:
  ◦ Customized: When selecting Customized (see Figure 11-17), it allows you to
  customize a notice message which consists of Notice Title, Notice Content and
  Signature, and to preview the notice message. In this case, if a specified LAN
  user accesses the Internet via a web browser, the Device will automatically pop
  up the notice message to the user.
  ◦ URL: When selecting URL, it allows you to specify a notice URL, see Figure 11-19.
  In this case, you need to add a notice message to the specified web page in
  advance; thus, if a specified LAN user accesses the Internet via a web browser,
  the requested web page will automatically jump to the specified URL to display
  the notice.
• Notice Title: It specifies the title of the notice message. If you select Customized
from the Notice Mode check box, you need to set it.
• Signature: It specifies the signature of the notice message. If you select Customized
from the Notice Mode check box, you need to set it.
• Notice Content: It specifies the content of the notice message. If you select
Customized from the Notice Mode check box, you need to set it.
• URL: It specifies a notice URL to which the requested web page will automatically
jump. If you select URL from the Notice Mode check box, you need to set it.
• Save: Click it to save your settings.
• Preview: If you select Customized from the Notice Mode check box, you may click
the Preview button to preview the notice message you just configured. The following
figure shows an example of a notice message.
Figure 11-18 One-Time Notice Preview - Example
Figure 11-19 One-Time Notice Settings - URL Mode
Note
1. If the Device pushes a notice message to a LAN user who hasn't launched a web
browser, the push will fail; once the user launches the web browser and
accesses an Internet domain name or IP address, he/she will receive the notice
message immediately. For example, assume that the Device will push a notice
message at 8:00 am as planned. If a user hasn't launched the web browser at 8:00 am
yet, the user cannot receive the notice message; if the user accesses the Internet
via the web browser at 10:00, he/she will receive the notice message immediately.
2. When using one-time notice, if you restart the Device, the Device will push the notice
message once again.
11.6.2.2 Daily Notice Settings
When using daily notice, the Device will automatically push the notice message to the
LAN users that belong to the specified address group one time per day.
Figure 11-20 Daily Notice Settings
• Enable Daily Notice: It allows you to enable or disable daily notice. If you want to
enable daily notice, please select this check box.
Please refer to section 11.5.2.1 One-Time Notice Settings for a detailed description of the
other parameters.
11.7 Web Authentication
UTT series security firewalls provide a Web authentication feature. This new feature will
enhance network security. If you enable Web authentication on the Device,
non-PPPoE dial-in users cannot access the Internet through the Device unless they are
authenticated successfully through a Web browser.
11.7.1 Enable Web Authentication
Figure 11-21 Enable Web Authentication
• Enable Web Authentication: It allows you to enable or disable web authentication
feature. By default it is disabled. If you select the check box to enable this feature,
those non-PPPoE dial-in users cannot access the Internet through the Device unless
they are authenticated successfully.
• Save: Click it to save your settings.
11.7.2 Web Authentication User Account Settings
Figure 11-22 Web Authentication User Account Settings
• User Name: It specifies a unique user name of the web authentication account. It
should be between 1 and 31 characters long. The Device will use the User Name and
Password to authenticate a user.
• Password: It specifies the password of the web authentication account.
• Description: It specifies the description of the web authentication account.
• Save: Click it to save the web authentication account settings.
11.7.3 Web Authentication User Account List
Figure 11-23 Web Authentication User Account List
• Add a Web Authentication User Account: If you want to add a web authentication
user account, click the New button or select the User Account Settings tab to go to the
setup page, configure it, and then click the Save button.
• Edit a Web Authentication User Account: If you want to modify a configured web
authentication user account, click its Edit hyperlink; the related information will be
displayed in the setup page. Then modify it, and click the Save button.
• Delete Web Authentication User Account(s): If you want to delete one or more
configured web authentication user accounts, select their leftmost check boxes,
and then click the Delete button.
11.7.4 How to Use Web Authentication
If you want to use web authentication for a non-PPPoE dial-in user, do the following:
Step 1
Go to the Restriction > Web Authentication page, and then select the Web
User Account Settings tab to go to setup page.
Step 2
Configure a new web authentication user account (see figure 11-11), and then
click the Save button to save the settings.
Step 3
Select the User Account List tab, and then select the Enable Web
Authentication check box.
Step 4
Launch a web browser, enter an Internet domain name or IP address in the
address bar, and then press , the Device will automatically pop up an
authentication login page, see figure 11-13.
Figure 11-24 Web Authentication Login Page
Step 5
Enter the correct user name and password in the text boxes, and then click the
Save button, the system will pop up a prompt page (see figure 11-14).
Figure 11-25 Web Authentication Prompt Page
Note
Do not close the prompt page; otherwise, the user cannot access the Internet.
Chapter 12 Security
This chapter describes how to configure security features, including attack defense,
IP/MAC binding, firewall, DNS filtering, NAT session limit, address group, service group
and schedule.
12.1 Attack Defense
This section describes the Security > Attack Defense page, which includes internal
attack defense and external attack defense.
12.1.1 Internal Attack Defense
On this page, you can configure basic internal attack defense settings to enhance network security.
The internal attack defense includes three parts:
• Virus Defense: It can effectively protect the Device against popular virus attacks,
such as Blaster virus attack, UDP/ICMP/SYN flood attack, ARP spoofing attack,
and so on.
• Access Restrict: It can effectively protect the Device against DDoS attacks by
restricting LAN hosts' access to the Device.
• Other Defense: It can effectively protect the Device against port scanning attack.
Figure 12-1 Internal Attack Defense Settings
1. Virus Attacks Defense
• Enable Blaster Virus Defense: It allows you to enable or disable anti-blaster virus
defense. If you select the check box to enable this feature, it will effectively protect the
Device against blaster and sasser virus attacks. After you enable this feature, the
Device will discard those TCP packets destined for port 135, 136, 137, 138, 139, 445,
1025, 5554 or 9996, so the LAN hosts cannot access the related services provided by
outside hosts, e.g., Windows file and printer sharing services.
• Enable IP Spoofing Defense: It allows you to enable or disable IP spoofing defense.
If you select the check box to enable this feature, it will effectively protect the Device
against IP spoofing attack. After you enable this feature, the Device will only forward
the packets whose source IP address is in the same subnet as the Device LAN IP
address. Note that in this case the hosts behind a L3 switch cannot access the
Internet through the Device.
• Enable UDP Flood Defense: It allows you to enable or disable UDP flood defense. If
you select this check box to enable this feature, it will effectively protect the Device
against UDP flood attack. After you enable this feature, if the number of UDP packets
from one source IP address (e.g., 192.168.16.66) to a single port on a remote host
exceeds the threshold, the Device will consider that the LAN host with IP address
192.168.16.66 is performing UDP flood attack, and then randomly discard the further
UDP packets from that source to that destination. In most cases, leave Threshold
at the default value.
• Enable ICMP Flood Defense: It allows you to enable or disable ICMP flood defense.
If you select this check box to enable this feature, it will effectively protect the Device
against ICMP flood attack. After you enable this feature, if the number of ICMP
packets from one source IP address (e.g., 192.168.16.16) to a single port on a
remote host exceeds the threshold, the Device will consider that the LAN host with IP
address 192.168.16.16 is performing ICMP flood attack, and then randomly discard
the further ICMP packets from that source to that destination. In most cases, leave
Threshold at the default value.
• Enable SYN Flood Defense: It allows you to enable or disable SYN flood defense. If
you select this check box to enable this feature, it will effectively protect the Device
against SYN flood attack. After you enable this feature, if the number of SYN
packets from one source IP address (e.g., 192.168.16.36) to a single port on a
remote host exceeds the threshold, the Device will consider that the LAN host with IP
address 192.168.16.36 is performing SYN flood attack, and then randomly discard
the further SYN packets from that source to that destination. In most cases, leave
Threshold at the default value.
• Enable ARP Spoofing Defense: It allows you to enable or disable ARP spoofing
defense. If you select the check box to enable this feature, and then bind all the
IP/MAC address pairs of the LAN hosts (configured in the Security > IP/MAC
Binding page), it will effectively protect the Device against ARP spoofing attack.
• ARP Broadcast Interval: It specifies the time interval at which the Device
periodically broadcasts gratuitous ARP packets. These gratuitous ARP packets are
used to inform the LAN hosts of the correct MAC address of the Device's LAN interface,
so the LAN hosts can effectively defend against ARP spoofing attack. It should be a multiple of
10 between 100 and 5000 milliseconds.
2. Access Restrict
• Enable Device Access Restrict: It allows you to enable or disable device access
restrict. Select the check box to restrict LAN hosts' access to the Device through LAN
interface, so it will protect the Device against internal DDoS attacks. The access
restrict rules are as follows:
1) Allow any LAN host to use ICMP to access the Device.
2) Allow any LAN host to access the UDP port 53, 67 or 68 of the Device, to ensure
that the Device's DNS proxy, DHCP server and DHCP client can operate
properly.
3) Only allow the LAN hosts that belong to the range specified by Allowed IP
Addresses to access the web or telnet service provided by the Device, but block
the other hosts.
4) Block LAN hosts from accessing any other services provided by the Device.
• Allowed IP Addresses: It specifies an address range of the allowed LAN hosts.
When Enable Device Access Restrict is selected, only the LAN hosts that belong to
this range can access the web or telnet service provided by the Device.
• Threshold: It specifies the maximum number of packets passing through the
Device's LAN interface per second. It should be between 0 and 20000 packets per
second, and the suggested value is between 300 and 600 packets per second.
3. Other Defense
• Enable Port Scanning Defense: It allows you to enable or disable port scanning
defense. If you select this check box to enable this feature, it will effectively protect
the Device against port scanning attack. After you enable this feature, if a LAN host
continuously sends SYN packets to different ports on a remote host, and the
number of ports exceeds 10 within the specified time interval (set by the Threshold), the
Device will consider that the LAN host is performing port scanning attack, and then
randomly discard the further SYN packets from it to that destination host. In most
cases, leave the Threshold at the default value.
• Save: Click it to save the internal attack defense settings.
12.1.2 External Attack Defense
On this page you can enable or disable WAN ping respond. As ping is often used by
malicious Internet users to locate active networks or hosts, in most cases it is
recommended that you disable WAN ping respond for added security. You need to enable
this feature only in some special cases, such as network debugging.
Figure 12-2 External Attack Defense Settings
• Enable WAN Ping Respond: It allows you to enable or disable WAN ping respond. If
you select the check box to enable WAN ping respond, all the Device's WAN
interfaces will respond to ping requests from the outside hosts.
• Save: Click it to save the external attack defense settings.
12.2 IP/MAC Binding
This section describes the Security > IP/MAC Binding page.
12.2.1 Introduction to IP/MAC Binding
12.2.1.1 IP/MAC Overview
To achieve network security management, you should first implement user identification, and
then implement user authorization. Section 12.3 Security > Firewall describes
how to configure and use access control rules to control the Internet behaviors of the LAN
users. In this section, we will describe how to implement user identification.
The Device provides the IP/MAC binding feature to implement user identification. Using the
IP/MAC address pair as a unique user identity, you can protect the Device and your network
against IP spoofing attacks. An IP spoofing attack is one in which a host attempts to use another
trusted host's IP address to connect to or pass through the Device. The host's IP address can
easily be changed to a trusted address, but MAC address cannot easily be changed as it is
added to the Ethernet card at the factory.
The IP/MAC binding feature allows you to add the IP and MAC address pairs of trusted
LAN hosts in the IP/MAC Binding List. Note that in the IP/MAC Binding List, you can
allow or block Internet access for each IP/MAC binding user. After you have added a LAN
user's IP and MAC address pair into the IP/MAC Binding List, if its Allow Internet
Access check box is selected (a check mark appears), the user is allowed to access the
Device and Internet; otherwise the user is blocked.
12.2.1.2 The Operation Principle of IP/MAC Binding
For the sake of convenience, we first introduce several related terms: legal user,
illegal user and undefined user.
Legal User: A legal user's IP and MAC address pair matches an IP/MAC binding whose
Allow Internet Access check box is selected.
Illegal User: An illegal user's IP and MAC address pair matches an IP/MAC binding whose
Allow Internet Access check box is unselected; or the IP address or MAC address is the
same as an IP/MAC binding's, but not both.
Undefined User: An undefined user's IP address and MAC address are both different
from any IP/MAC binding. The undefined users are all the users except legal and illegal
users.
The Device allows the legal users to access the Device and access the Internet through the Device,
and denies the illegal users. The Allow Undefined LAN PCs parameter
determines whether the undefined users are allowed to access the Device and access the
Internet through the Device: they are allowed if the Allow Undefined LAN PCs
check box is selected, and blocked otherwise.
The IP/MAC binding feature acts on the packets initiated from the LAN hosts to the Device
or outside hosts. When receiving a packet initiated from LAN, the Device will first
determine the sender's identity by comparing the packet with the bindings in the IP/MAC
Binding List, and then process the packet according to the sender's identity. The details
are as follows:
1. If the sender is a legal user, the packet will be allowed to pass, and then be further
processed by the firewall access control function module.
2. If the sender is an illegal user, the packet will be dropped immediately to prevent IP
spoofing.
3. If the sender is an undefined user, there are two cases:
   1) If the Allow Undefined LAN PCs check box is selected, the packet will be
   allowed to pass, and then be further processed by the firewall access control
   function module.
   2) Otherwise, the packet will be dropped immediately.
For example, suppose the IP/MAC address pair 192.168.16.65 and 00:15:c5:67:41:0f is added to
the IP/MAC Binding List, and its Allow Internet Access check box is selected, see Figure
12-3.
Figure 12-3 IP/MAC Binding List - Example One
Then, when receiving a packet initiated from LAN, the Device will process it according to
the following cases:
1. A packet with IP address 192.168.16.65 and MAC address 00:15:c5:67:41:0f is
allowed to pass, and then it will be further processed by the firewall access control
function module.
2. A packet with IP address 192.168.16.65 but with a different MAC address is dropped
immediately to prevent IP spoofing.
3. A packet with a different IP address but with MAC address 00:15:c5:67:41:0f is
dropped immediately to prevent IP spoofing.
4. A packet whose IP address and MAC address are both not defined in the IP/MAC Binding
List:
   1) If the Allow Undefined LAN PCs check box is selected, the packet is allowed to
   pass, and then it will be further processed by the firewall access control function
   module.
   2) Otherwise, the packet is dropped.
If you want to block the user who matches the IP/MAC binding from accessing the Device
and Internet, you need to unselect the Allow Internet Access check box, see Figure 12-4. Then a
packet with IP address 192.168.16.65 and MAC address 00:15:c5:67:41:0f will be
dropped.
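The decision procedure of section 12.2.1.2, modelled in Python as an added example (it is not UTT's code and not the Device's implementation). The class and function names are assumptions made for illustration, as is the choice that a full IP and MAC match decides even when another entry matches partially; the second IP and MAC address are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    allow_internet_access: bool = True   # the manual: selected by default


def norm_mac(mac):
    """Normalize 00:15:c5:67:41:0f, 00-15-C5-67-41-0F and 0015c567410f to one form."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify(bindings, src_ip, src_mac):
    """Return 'legal', 'illegal' or 'undefined' for a packet received from the LAN."""
    ip, mac = ip_address(src_ip), norm_mac(src_mac)
    partial = False
    for b in bindings:
        ip_hit = ip_address(b.ip) == ip
        mac_hit = norm_mac(b.mac) == mac
        if ip_hit and mac_hit:
            # Assumption: a full match decides, whatever other entries say.
            return "legal" if b.allow_internet_access else "illegal"
        partial = partial or ip_hit or mac_hit
    # IP or MAC equals a binding's, but not both: treated as spoofing.
    return "illegal" if partial else "undefined"


def decide(bindings, allow_undefined_lan_pcs, src_ip, src_mac):
    """Return 'pass' (handed on to the firewall access control module) or 'drop'."""
    identity = classify(bindings, src_ip, src_mac)
    if identity == "legal":
        return "pass"
    if identity == "illegal":
        return "drop"
    return "pass" if allow_undefined_lan_pcs else "drop"


# The binding from Figure 12-3 (Example One) and Figure 12-4 (Example Two).
EXAMPLE_ONE = [Binding("192.168.16.65", "00:15:c5:67:41:0f")]
EXAMPLE_TWO = [Binding("192.168.16.65", "00:15:c5:67:41:0f", allow_internet_access=False)]

# Constructed values standing in for "a different IP" and "a different MAC".
OTHER_IP = "192.168.16.70"
OTHER_MAC = "00:11:22:33:44:55"

if __name__ == "__main__":
    cases = [
        ("192.168.16.65", "00:15:c5:67:41:0f"),   # case 1
        ("192.168.16.65", OTHER_MAC),             # case 2
        (OTHER_IP, "00:15:c5:67:41:0f"),          # case 3
        (OTHER_IP, OTHER_MAC),                    # case 4
    ]
    for allow_undefined in (True, False):
        for ip, mac in cases:
            print(allow_undefined, ip, mac,
                  classify(EXAMPLE_ONE, ip, mac),
                  decide(EXAMPLE_ONE, allow_undefined, ip, mac))
```

Running `decide` for the administration host's own address pair with `allow_undefined_lan_pcs=False` shows, before the setting is changed on the Device, whether that host would still be let through.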
Figure 12-4 IP/MAC Binding List - Example Two
Note
1. If you have added the IP and MAC address pair of a trusted LAN host in the IP/MAC
Binding List, and later changed this host's IP address or MAC address, you must
also change the corresponding binding in the IP/MAC Binding List; otherwise the
host cannot access the Device and Internet. If the Allow Undefined LAN PCs check
box is unselected, you must also add the IP and MAC address pair of any new host that
you add to your network, and make sure that its Allow Internet Access check box is
selected; otherwise this new host cannot access the Device and Internet.
2. The IP/MAC binding feature only acts on the packets initiated from the LAN hosts to
the Device or outside hosts; it cannot act on the packets within the LAN. If you
change a LAN host's IP address or MAC address, this LAN host will be unable to
access the Device and access the Internet through the Device, but it can still
communicate with the other LAN hosts; for example, it can browse Network
Neighborhood, use Windows file and printer sharing services within the LAN, and so
on.
12.2.2 IP/MAC Binding Settings
Figure 12-5 IP/MAC Binding Settings
• Scan: If you click the Scan button, the Device will immediately scan the LAN to
detect active hosts connected to the Device, and learn and display dynamic ARP
information (that is, IP and MAC address pairs). Note that if you have added a LAN
host's IP and MAC address pair in the IP/MAC Binding List, this IP/MAC address
pair will not be displayed here.
• Bind: Click it to bind all the valid IP and MAC address pairs in the list box.
You can also manually create one or more IP/MAC bindings as follows:
add one or more IP/MAC address pair entries in the list box, and then click
the Bind button. The input contents are: IP Address, MAC Address and Description,
one address pair entry per line; and the input format of an address pair entry is: IP
AddressMAC AddressDescription. Note that Description
is an optional parameter.
12.2.3 IP/MAC Binding Global Setup
Figure 12-6 IP/MAC Binding Global Setup
• Allow Undefined LAN PCs: It allows or blocks the undefined LAN hosts from
accessing the Device and accessing the Internet through the Device. If you want to allow
the undefined LAN hosts to access the Device and Internet, select this check box;
otherwise unselect it. For more information about undefined LAN hosts, please refer to
section 12.2.1.2 Operation Principle of IP/MAC Binding.
• Save: Click it to save the IP/MAC binding global setup.
• Export IP/MAC Binding Script: Click it to download the IP/MAC binding (that is,
static ARP binding) script file to the local host. Then run the file and restart the host to
add all the static ARP entries to the host to prevent ARP spoofing.
Note
If you want to unselect the Allow Undefined LAN PCs check box to block the
undefined LAN hosts from accessing or passing through the Device, you should
make sure that you have added the IP/MAC address pair of the host that you use to
administer the Device into the IP/MAC Binding List.
12.2.4 IP/MAC Binding List
Figure 12-7 IP/MAC Binding List
• Add an IP/MAC Binding: If you want to add a new IP/MAC binding, click the New
button or select the IP/MAC Binding Settings tab to go to the setup page,
configure it, and then click the Save button.
• Edit an IP/MAC Binding: If you want to modify a configured IP/MAC binding, click its
Edit hyperlink; the related information will be displayed in the setup page. Then
modify it, and click the Save button. The Allow Internet Access check box is used to
allow or block a user matching an IP/MAC binding from accessing the Device and
Internet. If you want to allow the user matching an IP/MAC binding to access the
Device and Internet, select its check box; otherwise unselect it.
• Delete IP/MAC Binding(s): If you want to delete one or more IP/MAC bindings,
select their leftmost check boxes, then select Delete from the drop-down
list on the lower right corner of the IP/MAC Binding List, and lastly click the OK button.
• Delete All: If you want to delete all the IP/MAC bindings at a time, select Delete All
from the drop-down list on the lower right corner of the list, and then click the OK
button.
12.2.5 How to Add the IP/MAC Bindings
If you want to add one or more IP/MAC bindings, do the following:
Step 1
Go to the Security > IP/MAC Binding page, and then click the New button or
select the IP/MAC Binding Settings tab to go to the setup page.
Step 2
There are two methods to add IP/MAC bindings:
1) Method One: Click the Scan button to learn current dynamic ARP
information (that is, IP and MAC address pairs) of the LAN hosts, and then
click the Bind button to bind all the valid IP and MAC address pairs in the
list box.
2) Method Two: You can manually add one or more IP/MAC address pairs in
the list box, and then click the Bind button to bind these IP/MAC address
pairs. Refer to section 12.2.2 IP/MAC Binding Settings for more
information.
Step 3
After you have created some IP/MAC bindings, you can view them in the
IP/MAC Binding List.
Step 4
If you want to block the undefined LAN hosts from accessing the Device and
Internet, please unselect the Allow Undefined LAN PCs check box; else, the
undefined LAN hosts are allowed to access the Device and Internet.
Step 5
If you want to temporarily block a user matching an IP/MAC binding from
accessing the Device and Internet, please unselect its Allow Internet Access
check box.
After you have finished configuring IP/MAC binding feature, when receiving a packet
initiated from LAN, the Device will firstly compare the packet with the bindings in the
IP/MAC Binding List, and then process the packet according to the related configuration.
The packet will be allowed to pass or be dropped immediately. If it is allowed to pass, the
packet will be further processed by the firewall access control function module.
12.2.6 Internet Whitelist and Blacklist
12.2.6.1 Introduction to Internet Whitelist and Blacklist Based on IP/MAC Binding
By utilizing the IP/MAC binding feature, you can flexibly configure an Internet whitelist or blacklist
for the LAN users.
If you want to allow only a small number of LAN users to access the Internet, you can
configure an Internet whitelist for these users. Then only the users that belong to the
whitelist can access the Internet, and all the other users cannot.
If you want to block only a small number of LAN users from accessing the Internet, you
can configure an Internet blacklist for these users. Then only the users that belong to the
blacklist cannot access the Internet, and all the other users can.
On the Device, a user who belongs to the whitelist is a legal user, that is, the user's IP and
MAC address pair matches an IP/MAC binding whose Allow Internet Access check box
is selected.
A user who belongs to the blacklist is an illegal user, that is, the user's IP and MAC
address pair matches an IP/MAC binding whose Allow Internet Access check box is
unselected; or the IP address or MAC address is the same as an IP/MAC binding's, but
not both.
12.2.6.2 How to Configure an Internet Whitelist
If you want to configure an Internet whitelist, do the following:
Step 1
Go to the Security > IP/MAC Binding page, and then click the New button or
select the IP/MAC Binding Settings tab to go to the setup page.
Step 2
Specify the legal users by creating the IP/MAC bindings: Add these users' IP
and MAC address pairs into the IP/MAC Binding List. By default, an IP/MAC
binding's Allow Internet Access check box is selected, which means that the
user matching the IP/MAC binding can access the Device and Internet, so
please leave it at the default value. Refer to section 12.2.2 IP/MAC Binding
Settings for detailed operation.
Step 3
Unselect the Allow Undefined LAN PCs check box to block all the undefined
users from accessing the Device and Internet.
For example, if you want to allow a LAN user with IP address 192.168.16.68 and MAC
address 0015c5674109 to access the Device and Internet, you can add an IP/MAC
binding for him/her into the IP/MAC Binding List, see Figure 12-8. The binding's Allow
Internet Access check box is selected by default, so please leave it at the default value.
Figure 12-8 IP/MAC Binding List - Example Three
12.2.6.3 How to Configure Internet Blacklist
If you want to configure an Internet blacklist, do the following:
Step 1
Go to the Security > IP/MAC Binding page, and then click the New button or
select the IP/MAC Binding Settings tab to go to the setup page.
Step 2
Specify the illegal users by creating the IP/MAC bindings. There are three
methods:
1) Method One: Bind each illegal user's IP address to a MAC address which
is different from any LAN host's in the IP/MAC Binding List. Refer to
section 12.2.2 IP/MAC Binding Settings for detailed operation.
2) Method Two: Bind an IP address which is different from any LAN host's to
each illegal user's MAC address in the IP/MAC Binding List.
3) Method Three: Add these users' IP and MAC address pairs in the IP/MAC
Binding List. Unselect each IP/MAC binding's Allow Internet Access
check box respectively; then the matched users cannot access the Device
and Internet.
Step 3
Select the Allow Undefined LAN PCs check box to allow all the undefined
users to access the Device and Internet.
For example, if you want to block a LAN user with IP address 192.168.16.68 and MAC
address 0015c5674109 from accessing the Device and Internet, you can add the
corresponding IP/MAC binding in the IP/MAC Binding List, and then unselect the
binding's Allow Internet Access check box to block the user's access to the Device and
Internet, see Figure 12-9.
Figure 12-9 IP/MAC Binding List - Example Four
12.3 Firewall
This section describes the Security > Firewall page, which includes the Access Control
List and ACL Settings subpages.
The access control rules that you have created will be listed in the Access Control List.
Note that by default the rules are listed in reverse chronological order of creation, and
you can manually move a rule to a different position in the list.
12.3.1 Introduction to Access Control
12.3.1.1 The Purpose of Access Control Feature
The development of the Internet has brought some side effects, such as the emergence of
gambling, pornography, and other illegal websites which are contrary to the state laws and
regulations; broadband networks provide fast surfing to the Internet users, while fast-spreading
worms pose a great threat to the Internet users. So if an organization wants to
access the Internet, it needs specific Internet access rules. For example, a government
organization wants to block the civil servants from accessing stock websites and using IM
messenger applications; a business wants to block the employees from accessing game
websites and other services which are unrelated to work during working time; parents
want to control their children's online time; a network administrator wants to block
worms and hacker attacks.
To achieve these purposes, we developed and implemented the access control feature on the Device.
By utilizing the access control feature flexibly, you can not only assign different Internet
access privileges to different LAN users, but also assign different Internet access
privileges to the same users based on schedules. In practice, you can set appropriate
access control rules according to the actual requirements of your organization. For example,
for a school, you can block the students from accessing game websites; for a family, you can
allow your children to access the Internet only during the specified period of time; for a
business, you can block the Financial Department's employees from accessing the
Internet.
12.3.1.2 The Operation Principle of Access Control
By default, as no access control rule exists on the Device, the Device will forward all the
valid packets received by the LAN interface. After you have enabled access control, the
Device will examine each packet received by the LAN interface to determine whether to
forward or drop the packet, based on the criteria you specified in the access control rules.
When receiving a packet initiated from LAN, the Device will analyze the packet by
extracting its source MAC address, source IP address, destination IP address, protocol
type (TCP, UDP or ICMP), port number, content, and the date and time at which the
packet was received, and then compare them with each rule in the order in which the rules
are listed in the Access Control List. The first rule that matches the packet will be applied
to the packet, and the Device will forward or drop it according to this rule's action. Note that
after a match is found, no further rules will be checked; and if no match is found, the
Device will drop the packet to ensure security.
The access control rules are applied to the packets that are received by the Device's LAN
interface, that is, those packets that arrive on the LAN interface and then go through the
Device. If a packet matches a rule whose Action is Allow, the packet will be allowed to
pass, and then be further processed by route, NAT and other modules. Otherwise, if the packet
matches a rule whose Action is Drop, or doesn't match any rule, the packet will be
dropped immediately. As these dropped packets are not processed any further by route,
NAT and other modules, this reduces CPU load and improves the Device's performance.
12.3.1.3 The Action of an Access Control Rule
The action of an access control rule is either Allow or Deny. When receiving a packet that
matches a rule in the Access Control List, the Device will forward the packet if the rule's
action is Allow; else the Device will drop it.
12.3.1.4 The Execution Order of Access Control Rules
The order of access control rules is very important. When receiving a packet initiated from
LAN, the Device will search Access Control List to find out if there is a rule that matches
the packet. It will check the packet against each rule in the order in which the rules are
listed. After a match is found, no further rules will be checked. If no match is found, the
Device will drop the packet to ensure security. Note that by default the rules are listed in
reverse chronological order of creation, that is, the later a rule is created, the higher it is
listed; the Device also allows you to manually move a rule to a different position in the list.
Because the Device will allow or deny a packet to pass according to the first rule that
matches the packet, you should arrange the rules in Access Control List from specific to
general. For example, if you create an access control rule at the beginning that explicitly
allows all packets to pass, no further rules are ever checked. Another example is that if
you only allow a LAN user to access Web service, and block any other service, then the
rule that allows the user to access Web service should be listed above the rule that denies
the user to access any other service.
12.3.1.5 Address Group and Service Group
On the Device, you can first create IP address groups in the Security > Address Group
page or service groups in the Security > Service Group page, and then reference
them by name in the source or destination address group, or service group fields of
access control rules.
1. Address Group
Using address groups can facilitate the configuration of access control rules. For example,
if some LAN hosts' IP addresses are discontinuous, but the hosts have the same
privileges of accessing the Internet, you can create an address group for these hosts.
Then you only need to create one access control rule by using the address group to meet
the hosts' requirements. Otherwise you need to create multiple access control rules for these
hosts. Refer to section 12.6 Address Group for more information about address group.
2. Service Group
The service group is used to match the source MAC address, protocol type (TCP, UDP or
ICMP), port number and content of the packets that are received by the Device. Using
service groups can facilitate the configuration of access control rules. For example, you
can add telnet, pop3 and http services into a service group, and then create one rule by
using the service group to control the access to these services. Else, you need to create
multiple access control rules for the access to these services, one rule per service. Refer
to section 12.7 Service Group for more information about service group.
12.3.1.6 System Default Access Control Rules
Besides user-defined access control rules, the Device will automatically create some
system default access control rules in the Access Control List. The following table
describes the purposes of these rules.
ID        Description
lan       It is used to allow the LAN users to access the Device's LAN interface. And it is the
          first rule, but it is implicit and not displayed in the list.
dns       It is used to allow the DNS packets to pass by default.
dhcp      It is used to allow the DHCP packets to pass by default.
pass      It is a global rule for IP packets. By default, it is used to allow all the IP packets to
          pass. And it is always listed and displayed at the bottom of the list.
generic   It is a global rule which is used to allow all the packets including non-IP packets to
          pass. And it is the last rule, but it is implicit and not displayed in the list.
Table 12-1 The System Default Access Control Rules
Note
You cannot delete the system default access control rules in the Access Control List,
and cannot modify their parameters except Action.
12.3.2 Access Control Rule Settings
Before creating the access control rules, you may do the following tasks:
● Go to the Security > Address Group page to create the address groups that will be
  referenced by the rules.
● Go to the Security > Service Group page to create the service groups that will be
  referenced by the rules.
● Go to the Security > Schedule page to create the schedules that will be referenced
  by the rules.
Also, you can directly specify the source or destination IP addresses, or services of
access control rules in this page. The following describes the definitions of a rule's
parameters.
Figure 12-10 Access Control Rule Settings
◆ Action: It determines the action of the access control rule. There are two available
  options:
  ● Allow: It indicates that the Device will allow the packets that match the rule to
    pass, that is, the Device will forward these packets.
  ● Deny: It indicates that the Device will deny the packets that match the rule to
    pass, that is, the Device will drop these packets.
◆ Schedule: It specifies a schedule to restrict when the access control rule is in effect.
  The default value is Always, which means the access control rule is in effect always.
  Note that after the selected schedule has expired, the rule will be in effect always.
◆ Description: It specifies the description of the access control rule. It is usually used
  to describe the purpose of the rule.
◆ Source: It specifies the source IP addresses of the packets to which the access
  control rule applies. There are two options:
  ● Addresses: Select it to enter the start and end addresses in the associated text
    boxes.
  ● Address Group: Select it to choose an address group from the associated
    drop-down list. By default, the Address Group radio button is selected, and its
    value is Any Address.
◆ Destination: It specifies the destination IP addresses of the packets to which the
  access control rule applies. There are two options: Addresses and Address Group.
  ● Addresses: Select it to enter the start and end addresses in the associated text
    boxes.
  ● Address Group: Select it to choose an address group from the associated
    drop-down list. By default, the Address Group radio button is selected, and its
    value is Any Address.
◆ Service: It specifies a range of ports or a service group to which the access control
  rule applies. There are two options:
  ● Ports: Select it to enter the start and end port numbers in the associated text
    boxes, and select a protocol type from Protocol drop-down list. The port number
    is between 1 and 65535, and the protocols include TCP, UDP and ICMP.
  ● Service Group: Select it to choose a service group or predefined service from
    the associated drop-down list. The Device provides some well-known services,
    such as telnet, smtp, web, pop3, and so on. By default, the Service Group radio
    button is selected, and its value is Any Service.
➢ Edit Schedule: Click it to go to the Security > Schedule page to add, view, modify or
  delete schedules.
➢ Edit Address Group: Click it to go to the Security > Address Group page to add,
  view, modify or delete address groups.
➢ Edit Service Group: Click it to go to the Security > Service Group page to add,
  view, modify or delete service groups.
➢ Save: Click it to save the access control rule settings.
Note
You can first create IP address groups in the Security > Address Group page or
service groups in the Security > Service Group page, and then reference them
by name in the source or destination address group, or service group fields of access
control rules. And if the addresses or service ports are consecutive, you can also
directly specify the source or destination IP addresses, or services of rules in this
page.
12.3.3 Enable Access Control
Figure 12-11 Enable Access Control
◆ Enable Access Control: It allows you to enable or disable firewall access control. If
  you select the check box to enable this feature, the configured access control rules
  will take effect. Else the rules will be of no effect.
➢ Save: Click it to save your settings.
12.3.4 Access Control List
Figure 12-12 Access Control List
➢ Add an Access Control Rule: If you want to add a new access control rule, click the
  New button or select the ACL Settings tab to go to the setup page, configure the rule,
  and then click the Save button.
➢ View Access Control Rule(s): When you have configured some access control rules,
  you can view them in the Access Control List.
➢ Edit an Access Control Rule: If you want to modify a configured access control rule,
  click its Edit hyperlink, and the related information will be displayed in the setup page.
  Then modify it, and click the Save button.
➢ Move an Access Control Rule: The Device allows you to move an access control
  rule above another rule in the list. To do so, select the ID of the rule that you want
  to move from the Move drop-down list, select another rule's ID from the before
  drop-down list, and then click the OK button. Note: Moving a rule in the list doesn't
  change its ID number.
➢ Delete Access Control Rule(s): If you want to delete one or more access control
  rules, select the leftmost check boxes of them, and then click the Delete button.
Note
1. The user-defined access control rule whose Service is set to dns will be
   automatically listed above the system default access control rule dns.
2. The system default access control rule pass is always listed at the bottom of the
   Access Control List; you cannot move it.
3. You cannot delete the system default access control rules in the Access Control List,
   and cannot modify their parameters except Action.
12.3.5 Configuration Examples for Access Control
12.3.5.1 Example One
1. Requirements
In this example, a business has four departments: Technology Department, Customer
Service Department, Financial Department and Sales Department.
The IP address ranges of the departments are as follows:
● Technology Department: 192.168.16.2~192.168.16.30
● Customer Service Department: 192.168.16.31~192.168.16.60
● Financial Department: 192.168.16.61~192.168.16.70
● Sales Department: 192.168.16.71~192.168.16.100
The CEO wants to control the Internet behaviors of the Technology and Financial
Departments' employees:
1. Allow them to access WEB and FTP services during working time.
2. Deny them access to all other services during working time.
3. Allow them to access any service during rest periods.
Besides, he wants to allow any other employee to access any service at any time.
The working time is: Monday to Friday, 9:00 to 12:00 am, and 1:00 to 6:00 pm.
2. Analysis
We need to use two user-defined access control rules together with the default rule pass
to meet the requirements:
● User-defined rule 1: It is used to allow the Technology and Financial Departments'
  employees to access WEB and FTP services during working time.
● User-defined rule 2: It is used to deny any employee access to any service during
  working time.
● Default rule pass: It allows all the IP packets to pass by default.
3. Configuration Procedure
1) Configuring Access Control Rule 1
Step 1: Go to the Security > Schedule > Schedule Settings page to create a
schedule for working time. Here we assume its name is work, see Figure 12-13.
Refer to section 12.8.5 Configuration Example for Schedule for detailed
operation.
Figure 12-13 The Schedule of work Settings - Example 1
Step 2: Go to the Security > Address Group > Address Group Settings page to
create an address group for the Technology and Financial Departments'
employees. It includes two address ranges: one is from 192.168.16.2 to
192.168.16.30, the other is from 192.168.16.61 to 192.168.16.70, and here we
assume its name is TD_FD, see Figure 12-14.
Figure 12-14 The Address Group of TD_FD Settings - Example 1
Step 3: Go to the Security > Service Group > Service Group Settings page to
configure a service group which includes two services: one is web, the other is
ftp, and here we assume its name is WEB_FTP, see Figure 12-15.
Figure 12-15 The Service Group of WEB_FTP Settings - Example 1
Step 4: Go to the Security > Firewall > ACL Settings page to configure rule 1, see
Figure 12-16: select Allow from the Action, select work from the Schedule,
select TD_FD from the Source Address Group drop-down list, select Any
Address from the Destination Address Group drop-down list, select
WEB_FTP from the Service Group drop-down list, and then click the Save button
to save the settings.
Figure 12-16 The Access Control Rule 1 Settings - Example 1
2) Configuring Access Control Rule 2
Go to the Security > Firewall > ACL Settings page to create rule 2, see Figure 12-17:
select Deny from the Action, select work from the Schedule, select TD_FD from the
Source Address Group drop-down list, select Any Address from the Destination
Address Group drop-down list, select Any Service from the Service Group
drop-down list, and then click the Save button to save the settings.
Figure 12-17 The Access Control Rule 2 Settings - Example 1
3) Enabling Access Control
You should enable the access control feature to let the access control rules take effect, see
Figure 12-18.
Figure 12-18 Enable Access Control - Example 1
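The first-match behaviour from section 12.3.1.4 applied to the two rules of Example One, as an added illustration in Python (it is not part of the manual and not the Device's own code). It assumes that the predefined web and ftp services mean TCP ports 80 and 21 and that a rule outside its schedule does not match; it models only the two user-defined rules and the default rule pass.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Callable, List, Optional, Set, Tuple

Range = Tuple[IPv4Address, IPv4Address]


def ip_range(start: str, end: str) -> Range:
    return IPv4Address(start), IPv4Address(end)


# Address group TD_FD from Step 2: Technology and Financial Departments.
TD_FD: List[Range] = [
    ip_range("192.168.16.2", "192.168.16.30"),
    ip_range("192.168.16.61", "192.168.16.70"),
]

# Service group WEB_FTP from Step 3.
# Assumption: the predefined web and ftp services are TCP ports 80 and 21.
WEB_FTP: Set[Tuple[str, int]] = {("tcp", 80), ("tcp", 21)}


def work(when: datetime) -> bool:
    """Schedule 'work': Monday to Friday, 9:00-12:00 and 13:00-18:00.
    Assumption: each period includes its start and excludes its end."""
    if when.weekday() > 4:          # 5 = Saturday, 6 = Sunday
        return False
    t = when.time()
    return time(9) <= t < time(12) or time(13) <= t < time(18)


@dataclass
class Rule:
    name: str
    action: str                                            # "Allow" or "Deny"
    source: Optional[List[Range]] = None                   # None = Any Address
    service: Optional[Set[Tuple[str, int]]] = None         # None = Any Service
    schedule: Optional[Callable[[datetime], bool]] = None  # None = Always

    def matches(self, src: IPv4Address, proto: str, port: int, when: datetime) -> bool:
        # Assumption: outside its schedule a rule simply does not match.
        if self.schedule is not None and not self.schedule(when):
            return False
        if self.source is not None and not any(lo <= src <= hi for lo, hi in self.source):
            return False
        if self.service is not None and (proto, port) not in self.service:
            return False
        return True


def evaluate(acl: List[Rule], src: str, proto: str, port: int, when: datetime):
    """Walk the list top to bottom; the first matching rule decides."""
    addr = IPv4Address(src)
    for rule in acl:
        if rule.matches(addr, proto, port, when):
            return rule.action, rule.name
    return "Deny", "no match"     # no rule matched: the packet is dropped


RULE_1 = Rule("rule 1", "Allow", source=TD_FD, service=WEB_FTP, schedule=work)
RULE_2 = Rule("rule 2", "Deny", source=TD_FD, schedule=work)
PASS = Rule("pass", "Allow")      # system default rule, always at the bottom

# Order the requirements need: the specific allow above the general deny.
INTENDED = [RULE_1, RULE_2, PASS]
# Order right after creation: rule 2 was created later, so it is listed higher.
AS_CREATED = [RULE_2, RULE_1, PASS]

if __name__ == "__main__":
    monday_10 = datetime(2012, 3, 19, 10, 0)         # constructed sample times
    monday_lunch = datetime(2012, 3, 19, 12, 30)
    samples = [
        ("192.168.16.10", "tcp", 80, monday_10),     # Technology, web, working time
        ("192.168.16.65", "tcp", 25, monday_10),     # Financial, smtp, working time
        ("192.168.16.65", "tcp", 25, monday_lunch),  # Financial, smtp, rest period
        ("192.168.16.80", "tcp", 25, monday_10),     # Sales, smtp, working time
    ]
    for label, acl in (("intended", INTENDED), ("as created", AS_CREATED)):
        for src, proto, port, when in samples:
            print(label, src, proto, port, when.strftime("%a %H:%M"),
                  "->", evaluate(acl, src, proto, port, when))
```

AS_CREATED is the order the list has by default when rule 2 is created after rule 1, because later rules are listed higher. In that order rule 2 matches first and web access is denied during working time, so rule 1 has to be moved above rule 2 in the Access Control List.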
12.3.5.2 Example Two
1. Requirements
A company uses the Device as a network access device. The requirements are as follows:
1) Block an outside user with IP address 202.106.11.22 from maliciously attacking a LAN
   user with IP address 200.200.200.251;
2) Block all the LAN users from accessing the websites which contain illegal content.
   Here we take pornography for example.
2. Analysis
We need to create two access control rules to meet the requirements:
● Rule 1: It is used to protect the LAN user with IP address 200.200.200.251 against
  attack from outside IP address 202.106.11.22.
● Rule 2: It is used to block all the LAN users from accessing the websites which
  contain pornography.
3. Configuration Procedure
1) Configuring Access Control Rule 1
Step 1: Go to the Security > Address Group > Address Group Settings page to
configure two address groups for the LAN user and outside user respectively,
see the following two figures: One includes the single IP address
200.200.200.251, the other includes the single IP address 202.106.11.22, and
here we assume their names are Inside and Outside respectively.
Figure 12-19 The Address Group of Inside Settings - Example 2
Figure 12-20 The Address Group of Outside Settings - Example 2
Step 2: Go to the Security > Firewall > ACL Settings page to configure rule 1, see
Figure 12-21: select Deny from the Action, select Always from the Schedule,
select Inside from the Source Address Group drop-down list, select Outside
from the Destination Address Group drop-down list, select Any Service
from the Service Group drop-down list, and then click the Save button to save the
settings.
Figure 12-21 The Access Control Rule 1 Settings - Example 2
2) Configuring Access Control Rule 2
Step 1: Go to the Security > Service Group page, enter Pornography in the Name
text box, select Keyword from the Service Type drop-down list, select the New
radio button, enter pornography in the Keyword text box, click ==>
to move the specified keyword to the Service Members list box, and then click the
Save button.
Figure 12-22 The Access Control Rule 2 Settings - Example 2
Step 2: Go to the Security > Firewall > ACL Settings page to create rule 2, see Figure
12-23: select Deny from the Action, select Always from the Schedule, select
Any Address from the Source Address Group drop-down list, select Any
Address from the Destination Address Group drop-down list, select
Pornography from the Service Group drop-down list, and then click the Save
button to save the settings.
Figure 12-23 The Access Control Rule 2 Settings - Example 2
3) Enabling Access Control
You should enable the access control feature to make the configured access control rules
take effect, see Figure 12-24.
Figure 12-24 Enable Access Control - Example 2
12.4 Domain Filtering
This section describes the Security > Domain Filtering page.
12.4.1 Domain Filtering Settings
Figure 12-25 Domain Filtering Settings
◆ Enable Domain Filtering: It allows you to enable or disable domain filtering. If you
  select the check box to enable domain filtering, the configured domain filtering entries
  will take effect. Else, the domain filtering entries will be of no effect.
◆ Filtering Mode: It specifies the mode of domain filtering. There are two available
  options:
  ● Only Block Domain Names in Domain Name List: It indicates that the Device
    will block the LAN users from accessing the domain names in the Domain Name
    list, but allow the users to access any other domain names.
  ● Only Allow Domain Names in Domain Name List: It indicates that the Device
    will allow the LAN users to access the domain names in the Domain Name list,
    but block the users from accessing any other domain names.
◆ Domain Name List: It specifies the domain names that will be blocked or allowed
  according to the Filtering Mode. You can create up to 100 domain names in the list.
➢ Save: Click it to save the domain filtering settings.
Note
1. The matching rule of domain filtering is whole-word matching, that is, only when a
   domain name matches the whole domain name of an entry in the Domain Name List will
   the Device block or allow it according to the Filtering Mode.
2. You can use the wildcard "*" in a domain name to match multiple domain names. For
   example, if you have created www.163.* in the Domain Name List, then all the domain
   names that begin with www.163. will be blocked or allowed according to the Filtering
   Mode.
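How whole-name matching, the "*" wildcard and the two filtering modes interact, as an added Python illustration (not part of the manual and not the Device's own code). It assumes that comparison ignores letter case and a trailing root dot; the sample domain names other than www.163.* are constructed.

```python
import re
from typing import List

BLOCK_LISTED = "Only Block Domain Names in Domain Name List"
ALLOW_LISTED = "Only Allow Domain Names in Domain Name List"
MAX_ENTRIES = 100                      # list size limit stated in the manual


def entry_regex(entry: str):
    """Translate a Domain Name List entry into a whole-name pattern.
    '*' stands for any run of characters, dots included, which is what makes
    www.163.* cover every name that begins with 'www.163.'."""
    literal_parts = [re.escape(part) for part in entry.strip().lower().split("*")]
    return re.compile(".*".join(literal_parts))


def is_listed(domain: str, entries: List[str]) -> bool:
    # Assumption: comparison ignores case and a trailing root dot.
    name = domain.strip().lower().rstrip(".")
    return any(entry_regex(e).fullmatch(name) for e in entries)


def decide(domain: str, entries: List[str], mode: str) -> str:
    """Return 'block' or 'allow' for one requested domain name."""
    listed = is_listed(domain, entries)
    if mode == BLOCK_LISTED:
        return "block" if listed else "allow"
    if mode == ALLOW_LISTED:
        return "allow" if listed else "block"
    raise ValueError("unknown filtering mode: %r" % mode)


def review(entries: List[str], mode: str) -> List[str]:
    """Point out entries whose reach is easy to misjudge."""
    findings = []
    if len(entries) > MAX_ENTRIES:
        findings.append("more than %d entries in the list" % MAX_ENTRIES)
    for entry in entries:
        if entry.strip() == "*":
            findings.append("'*' matches every domain name")
        elif mode == ALLOW_LISTED and entry.strip().endswith("*"):
            # A trailing wildcard fixes only the beginning of the name, so
            # names under any other parent domain with that prefix pass too.
            findings.append("%s allows any name starting with %r"
                            % (entry, entry.strip()[:-1]))
    return findings


if __name__ == "__main__":
    entries = ["www.163.*", "www.example.com"]        # second entry is constructed
    for name in ("www.163.com", "163.com", "mail.163.com",
                 "www.example.com.cn", "www.163.example.net"):
        print(name, decide(name, entries, BLOCK_LISTED), decide(name, entries, ALLOW_LISTED))
    print(review(entries, ALLOW_LISTED))
```

Under whole-name matching an entry covers exactly the names it spells out: www.163.* does not cover 163.com or mail.163.com, so each host name that matters needs its own entry or a wildcard in the right place.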
12.4.2 Domain Blocking Notice
This section describes the Security > Domain Filtering > Domain Blocking Notice
page.
When domain blocking notice is enabled, if a LAN user accesses a domain name which is
blocked by the Device, the Device will pop up a notice message to remind the user that
the website is blocked and that the failure is not caused by a network problem.
Figure 12-26 Domain Blocking Notice
◆ Enable Domain Blocking Notice: It allows you to enable or disable domain blocking
  notice. If you want to enable domain blocking notice, please select this check box. In
  this case, if a LAN user accesses a domain name which is blocked by the Device, the
  Device will pop up a notice message to remind the user. And the requested web page
  will automatically jump to the specified web page (set by the Redirecting URL) after
  the specified time interval (set by the Redirecting Time).
◆ Notice Title: It specifies the title of the notice message.
◆ Redirecting Time: It specifies the time interval after which the requested web page
  will jump to the specified web page. 0 means that the requested web page will
  immediately jump to the specified web page. Leave it blank if you don't want the
  requested web page to jump to any other web page.
◆ Signature: It specifies the signature of the notice message.
◆ Redirecting URL: It specifies the redirecting URL to which the requested web page
  will jump. Leave it blank if you don't want the requested web page to jump to any
  other web page.
◆ Notice Content: It specifies the content of the notice message.
➢ Save: Click it to save domain blocking notice settings.
➢ Preview: Click it to preview the notice message you just configured. The following
  figure shows an example of a notice message.
Figure 12-27 Domain Name Blocking Notice Preview
Note
The Device will pop up the domain blocking notice messages to the LAN users only after
you have enabled domain filtering and chosen Only Block Domain Names in Domain
Name List as the filtering mode.
12.5 NAT Session Limit
This section describes the Security > NAT Session Limit page.
The NAT session limit feature allows you to limit the maximum number of concurrent NAT
sessions based on the LAN hosts. And it allows you to specify different maximum NAT
sessions for different LAN hosts. Furthermore, it allows you to limit the maximum number
of concurrent TCP sessions, UDP sessions and ICMP sessions respectively.
12.5.1 NAT Session Limit Rule Settings
Figure 12-28 NAT Session Limit Rule Settings
◆ IP Addresses and To: They specify the start IP address and end IP address of the
  LAN hosts to which the NAT session limit rule applies. Please enter the start IP
  address in the first text box, and the end IP address in the second text box. The
  Device provides a default NAT session limit rule. Its start IP address and end IP
  address both are 0.0.0.0, which means that the default rule applies to all the IP
  addresses. You can modify its parameters except IP Addresses, but cannot delete it.
◆ Max. Sessions: It specifies the maximum number of concurrent sessions per
  restricted host.
◆ Max. TCP Sessions: It specifies the maximum number of concurrent TCP sessions
  per restricted host.
◆ Max. UDP Sessions: It specifies the maximum number of concurrent UDP sessions
  per restricted host.
◆ Max. ICMP Sessions: It specifies the maximum number of concurrent ICMP
  sessions per restricted host.
◆ Description: It specifies the description of the NAT session limit rule.
➢ Save: Click it to save the NAT session limit rule settings.
Note
1. When using the NAT session limit function, the Device will search the Session Limit List
   to find out if there is a rule that matches a LAN host. It will check the host's IP address
   against each rule in the order in which the rules are listed. After a match is found, no
   further rules will be checked. Note that the rules are listed in reverse chronological
   order of creation, that is, the later a rule is created, the higher it is listed.
2. The start IP address should be less than or equal to the end IP address. The address
   ranges of different NAT session limit rules can overlap.
3. If the performance of some applications (such as online games) is degraded due to the
   maximum NAT sessions limit, you can increase the Max. Sessions and Max. TCP
   sessions (or Max. UDP sessions) properly. Note that if they are too large, it will
   lower or lose the Device's ability to prevent DDoS attacks.
4. In most cases, to ensure that the LAN users surf the Internet normally, the maximum
   NAT sessions cannot be too small. It is suggested that both the Max. Sessions and
   Max. TCP sessions should be larger than or equal to 100, the Max. UDP sessions
   should be larger than or equal to 50, and Max. ICMP sessions should be larger than
   or equal to 10.
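A review of a Session Limit List against notes 1, 2 and 4 above, as an added Python illustration (not part of the manual and not the Device's own code): it finds the rule that applies to a host, flags rules that can never apply because a rule listed higher covers their whole range, and flags limits below the suggested minimums. The rule values are constructed, and the admit() check assumes that the total limit and the per-protocol limit must both hold for a new session.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Suggested minimums from note 4: field name -> (label, minimum).
SUGGESTED_MIN = {
    "max_sessions": ("Max. Sessions", 100),
    "max_tcp": ("Max. TCP Sessions", 100),
    "max_udp": ("Max. UDP Sessions", 50),
    "max_icmp": ("Max. ICMP Sessions", 10),
}


@dataclass
class LimitRule:
    start: str
    end: str
    max_sessions: int
    max_tcp: int
    max_udp: int
    max_icmp: int
    description: str = ""

    def bounds(self) -> Tuple[IPv4Address, IPv4Address]:
        # 0.0.0.0 to 0.0.0.0 is the default rule: it applies to all addresses.
        if self.start == self.end == "0.0.0.0":
            return IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")
        return IPv4Address(self.start), IPv4Address(self.end)

    def covers(self, host: IPv4Address) -> bool:
        lo, hi = self.bounds()
        return lo <= host <= hi

    def contains(self, other: "LimitRule") -> bool:
        lo, hi = self.bounds()
        other_lo, other_hi = other.bounds()
        return lo <= other_lo and other_hi <= hi


def rule_for(host: str, rules: List[LimitRule]) -> Optional[LimitRule]:
    """First rule in listed order whose range contains the host."""
    addr = IPv4Address(host)
    for rule in rules:
        if rule.covers(addr):
            return rule
    return None


def audit(rules: List[LimitRule]) -> List[Tuple[int, str]]:
    """Return (position in list, finding) pairs."""
    findings = []
    for pos, rule in enumerate(rules):
        lo, hi = rule.bounds()
        if lo > hi:
            findings.append((pos, "start address is greater than end address"))
        for field, (label, floor) in SUGGESTED_MIN.items():
            if getattr(rule, field) < floor:
                findings.append((pos, "%s is below the suggested minimum of %d" % (label, floor)))
        for earlier_pos, earlier in enumerate(rules[:pos]):
            if earlier.contains(rule):
                findings.append((pos, "never applied: position %d covers its whole range" % earlier_pos))
                break
    return findings


def admit(rule: LimitRule, open_sessions: Dict[str, int], proto: str) -> bool:
    """May one host open another session? open_sessions maps protocol to count.
    Assumption: the total limit and the per-protocol limit must both hold."""
    per_proto = {"tcp": rule.max_tcp, "udp": rule.max_udp, "icmp": rule.max_icmp}[proto]
    return sum(open_sessions.values()) < rule.max_sessions and open_sessions.get(proto, 0) < per_proto


# Constructed list in listed order (newest rule first, default rule last).
SESSION_LIMIT_LIST = [
    LimitRule("192.168.16.0", "192.168.16.255", 300, 200, 100, 20, "whole LAN"),
    LimitRule("192.168.16.61", "192.168.16.70", 80, 80, 40, 10, "Financial Department"),
    LimitRule("0.0.0.0", "0.0.0.0", 500, 400, 200, 50, "default rule"),
]

if __name__ == "__main__":
    print(rule_for("192.168.16.65", SESSION_LIMIT_LIST).description)
    for pos, finding in audit(SESSION_LIMIT_LIST):
        print(pos, finding)
```

Because ranges may overlap and only the first match counts, a narrow rule created before a broad one ends up below it and is never used; the audit reports that case so the limits actually in force are the ones intended.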
12.5.2 NAT Session Limit Rule List
Figure 12-29 NAT Session Limit Rule List
➢ Add a NAT Session Limit Rule: If you want to add a new NAT session limit rule,
  click the New button or select the Session Limit Settings tab to go to the setup page,
  configure the rule, and then click the Save button.
➢ Enable a NAT Session Limit Rule: The Enable check box is used to enable or
  disable the corresponding NAT session limit rule. The default value is selected, which
  means the NAT session limit rule is in effect. If you want to disable the NAT session
  limit rule temporarily instead of deleting it, please click it to remove the check mark.
➢ View NAT Session Limit Rule(s): When you have configured some NAT session
  limit rules, you can view them in the Session Limit List.
➢ Edit a NAT Session Limit Rule: If you want to modify a configured NAT session limit
  rule, click its Edit hyperlink, and the related information will be displayed in the setup
  page. Then modify it, and click the Save button.
➢ Delete NAT Session Limit Rule(s): If you want to delete one or more NAT session
  limit rules, select the leftmost check boxes of them, and then click the Delete button.
12.6 Address Group
This section describes the Security > Address Group page.
12.6.1 Introduction to Address Group
An address group can contain up to ten address members. A member may be an address
range or address group. And an address group may contain address ranges only, or
address groups only, or both.
If you want to create an access control rule (in the Security > Firewall page) whose
destination or source IP addresses are discontinuous, you can first create an address group
for them in this page, and then reference it in the access control rule. When
receiving a packet, if the packet's destination or source IP address belongs to the address
group, the Device will consider that its IP address matches the access control rule. And if
the packet also matches other criteria (protocol type, destination ports, schedule, etc.) of the
access control rule, the Device will consider that the packet matches the access control
rule.
Using address groups can facilitate the configuration of access control rules. For example,
if some LAN hosts' IP addresses are discontinuous, but the hosts have the same
privileges of accessing the Internet, you can create an address group for these hosts.
Then you only need to create one access control rule by using the address group to meet
the hosts' requirements. Otherwise you need to create multiple access control rules for these
hosts.
Similarly, you can also reference an address group in a rate limit rule in the QoS > Rate
Limit Rule page.
12.6.2 Address Group Settings
Figure 12-30 Address Group Settings
◆ Name: It specifies a unique name of the address group. It should be between 1 and
  11 characters long.
◆ Zone: It specifies a network zone to which the address group belongs.
◆ New: Select it to add a new address range to the group.
◆ Existing: Select it to display the configured address groups.
◆ Address Members: It displays the members of the address group. A member may be
  an address range or address group.
➢ ==>: Click it to move the new address range or selected address group(s) to the
  Address Members list.
➢ <==: Click it to move the selected address member from the Address Members list
  box to the left editable list.
➢ Delete: Click it to delete the selected address member from the Address Members
  list box.
➢ Save: Click it to save the address group settings.
Note
1. The Name of an address group is case insensitive. For example, the address group
   test and the address group TEST are the same group. You must pay attention to this
   when creating an address group.
2. If an address group (e.g., group A) has already included another address group (e.g.,
   group B), then the address group A cannot be added to any other address group.
12.6.3 Address Group List
Figure 12-31 Address Group List
➢ Add an Address Group: If you want to add a new address group, click the New
  button or select the Address Group Settings tab to go to the setup page, configure
  the group, and then click the Save button.
➢ View Address Group(s): When you have configured some address groups, you can
  view them in the Address Group List.
➢ Edit an Address Group: If you want to modify a configured address group, click its
  Edit hyperlink, and the related information will be displayed in the setup page. Then
  modify it, and click the Save button.
➢ Delete Address Group(s): If you want to delete one or more address groups, select
  the leftmost check boxes of them, and then click the Delete button.
Note
You cannot delete an address group which is referenced by an access control rule in
the Security > Firewall page or a rate limit rule in the QoS > Rate Limit Rule page. If
you actually want to delete it, please remove all the references first.
12.6.4 How to Add the Address Groups
If you want to add one or more address groups, do the following:
Step 1: Go to the Security > Address Group page, and then click the New button or
select the Address Group Settings tab to go to the setup page.
Step 2: Specify the Name of the address group.
Step 3: Select the network zone from the Zone drop-down list.
Step 4: Add IP addresses to the group. There are two methods to add them.
  1) Method One: Select the New radio button, enter the start and end IP
     addresses in the Start Address and End Address text boxes, and then
     click ==> to move the new address range to the Address Members list
     box. You can continue to add other address ranges if needed.
  2) Method Two: Select the Existing radio button, select one or more
     configured address groups, and then click ==> to move the selected
     address groups to the Address Members list box.
Step 5: Click the Save button to save the settings. You can view the address group in
the Address Group List.
Step 6: If you want to add another new address group, please repeat the above steps.
12.6.5 How to Edit an Address Group
If you want to modify a configured address group, do the following:
Step 1: Go to the Security > Address Group page.
Step 2: Click the Edit hyperlink of the address group in the Address Group List to go
to the setup page.
Step 3: Modify the address members as required. There are two cases:
  1) If you want to modify an address range, select the address range in the
     Address Members list, click <== to move it from the Address Members
     list box to the left editable list, modify the Start Address and/or
     End Address, and then click ==> to move the modified address range to the
     Address Members list box again.
  2) If you want to delete an address member, select the member in the
     Address Members list box, and then click the Delete button.
Step 4: Click the Save button to save the changes to make them take effect.
12.7 Service Group
This section describes the Security > Service Group page.
12.7.1 Introduction to Service Group
The Device provides five service types for service groups: general service, URL, keyword,
DNS and MAC address. Service groups can then be used to match the protocol type (TCP,
UDP or ICMP), port number, content, or source MAC address of packets that are received
by the Device. For each service type, you can define new services, or select existing
services or service groups, and then add them to the service group. A service group can
contain up to ten service members. A member may be a service or a service group, and a
service group may contain services only, service groups only, or both.
If you want to create an access control rule in the Security > Firewall page, you can
first create a service group in this page, and then reference it in the access control rule.
Using service groups simplifies the configuration of access control rules. For example,
you can add the telnet, pop3 and http services to a service group, and then create one rule
that uses the service group to control the access to these services. Otherwise, you need to
create multiple access control rules for the access to these services, one rule per service.
Similarly, you can also reference a service group whose Service Type is General Service
in a rate limit rule in the QoS > Rate Limit Rule page.
12.7.2 Service Group Settings
Figure 12-32 Service Group Settings
• Name: It specifies a unique name of the service group. It should be between 1 and 11
characters long.
• Service Type: It specifies the service type of the service group. The Device provides
five service types: General Service, URL, Keyword, DNS and MAC.
  • General Service: It is used to match the source port, destination port and
  protocol type of the packets.
  • URL: It is used for URL filtering to control the LAN users' access to the specified
  URLs or web sites.
  • Keyword: It is used for keyword filtering to block the web sites which contain the
  specified keywords.
  • DNS: It is used for DNS request filtering to allow or block the DNS requests for
  the specified domain names.
  • MAC: It is used for source MAC address filtering to allow or block the packets
  with the specified source MAC address.
• New: Select it to add a new service to the group. Different Service Types require
different parameters.
• Existing: Select it to display the service groups that you have configured. If you
select General Service from the Service Type drop-down list, it will also display the
system predefined services here. The Device provides 38 predefined services.
• Service Members: It displays the members of the service group. A member may be a
user-defined service, a predefined service or a service group.
• ==>: Click it to move the new user-defined service or selected existing service(s) to
the Service Members list box.
• <==: Click it to move the selected service member from the Service Members list
box to the left editable list.
• Delete: Click it to delete the selected service member from the Service Members list
box.
• Save: Click it to save the service group settings.
Note
1. A service group can contain up to ten service members.
2. The Name of a service group is case insensitive. For example, the service group test
and TEST are the same group. Keep this in mind when creating a service group.
3. If a service group (e.g., group A) has already included another service group (e.g.,
group B), then the service group A cannot be added to any other service group.
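The three rules in this Note decide which services a firewall rule really matches once groups are nested. The following Python model is an added example, not UTT code: the class and function names are hypothetical, the sample services are constructed, and it only covers group creation as the Note describes it.

```python
from dataclasses import dataclass

MAX_MEMBERS = 10   # "A service group can contain up to ten service members."
MAX_NAME_LEN = 11  # the Name is between 1 and 11 characters long


class GroupError(ValueError):
    """A group definition breaks one of the rules in the Note."""


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str  # TCP, UDP or ICMP
    port: int


class ServiceGroupTable:
    """Hypothetical in-memory model of the Service Group List."""

    def __init__(self):
        # lower-cased group name -> members (Service objects or lower-cased group names)
        self._groups = {}

    def add(self, name, members):
        key = name.lower()
        if not 1 <= len(name) <= MAX_NAME_LEN:
            raise GroupError(f"name {name!r} must be 1 to {MAX_NAME_LEN} characters")
        if key in self._groups:
            raise GroupError(f"{name!r} clashes with an existing group (case insensitive)")
        if len(members) > MAX_MEMBERS:
            raise GroupError(f"{name!r} has {len(members)} members; limit is {MAX_MEMBERS}")
        stored = []
        for member in members:
            if isinstance(member, Service):
                stored.append(member)
                continue
            child = member.lower()
            if child not in self._groups:
                raise GroupError(f"unknown group {member!r}")
            # Rule 3: a group that already includes a group cannot be nested again.
            if any(isinstance(m, str) for m in self._groups[child]):
                raise GroupError(f"{member!r} already includes a group")
            stored.append(child)
        self._groups[key] = stored

    def expand(self, name):
        """Return every service that a rule referencing this group would match."""
        services = set()
        for member in self._groups[name.lower()]:
            if isinstance(member, Service):
                services.add(member)
            else:
                services.update(self.expand(member))
        return services


def build_example():
    """Constructed sample: the telnet/pop3/http group from 12.7.1, nested once."""
    telnet = Service("telnet", "TCP", 23)
    pop3 = Service("pop3", "TCP", 110)
    http = Service("http", "TCP", 80)
    dns = Service("dns", "UDP", 53)
    table = ServiceGroupTable()
    table.add("office", [telnet, pop3, http])
    table.add("branch", [dns, "OFFICE"])  # the reference resolves case-insensitively
    return table


if __name__ == "__main__":
    table = build_example()
    for svc in sorted(table.expand("branch"), key=lambda s: s.port):
        print(f"{svc.name:7} {svc.protocol}/{svc.port}")
```

Expanding a group before referencing it in an access control rule shows every service the rule will cover, including those inherited from a nested group.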
12.7.3 Service Group List
Figure 12-33 Service Group List
• Add a Service Group: If you want to add a new service group, click the New button
or select the Service Group Settings tab to go to the setup page, configure
it, and then click the Save button.
• View Service Group(s): When you have configured some service groups, you can
view them in the Service Group List.
• Edit a Service Group: If you want to modify a configured service group, click its Edit
hyperlink; the related information will be displayed in the setup page. Then modify it,
and click the Save button.
• Delete Service Group(s): If you want to delete one or more service groups, select
their leftmost check boxes, and then click the Delete button.
Note
You cannot delete a service group that is referenced by an access control rule in
the Security > Firewall page or a rate limit rule in the QoS > Rate Limit Rule page. To
delete it, first remove all the references.
12.7.4 How to Add the Service Groups
If you want to add one or more service groups, do the following:
Step 1: Go to the Security > Service Group page, and then click the New button or
select the Service Group Settings tab to go to the setup page.
Step 2: Specify the Name of the service group.
Step 3: Select the type from the Service Type drop-down list.
Step 4: Add services to the group. There are two methods to add them.
1) Method One: Select the New radio button, add a new service as required,
and then click ==> to move the new service to the Service Members list
box. You can continue to add more services if needed.
2) Method Two: Select the Existing radio button, select one or more existing
services, and then click ==> to move the selected services to the Service
Members list box.
Step 5: Click the Save button to save the settings. You can view the service group in
the Service Group List.
Step 6: If you want to add another service group, repeat the above steps.
12.7.5 How to Edit a Service Group
If you want to modify a configured service group, do the following:
Step 1: Go to the Security > Service Group page.
Step 2: Click the Edit hyperlink of the group in the Service Group List to go to the
setup page.
Step 3: Modify the service members as required. There are two cases:
1) If you want to modify a user-defined service, select the service in the
Service Members list, click <== to move it from the Service Members list
to the left editable list box, modify it, and then click ==> to move the
modified service back to the Service Members list box.
2) If you want to delete a service member, select the member in the Service
Members list box, and then click the Delete button.
Step 4: Click the Save button to save the changes and make them take effect.
12.8 Schedule
This section describes the Security > Schedule page.
12.8.1 Introduction to Schedule
The schedule feature lets you define schedules that can be applied to various time-related
features, e.g., dial schedule, rate limit rule, access control rule, etc. A schedule is
identified by a name and then referenced by a function, so that its time restrictions are
imposed on the function itself.
A schedule consists of a start date, an end date, and optional time periods (up to eight).
The Start Date and End Date specify when the schedule begins and ends. Outside the
specified range, the schedule has no effect. If both of them are set to 1990-1-1, the
schedule will be in effect forever. The time periods (Period 1-8) specify further constraints
on the active time by the days of the week, daily start time and daily end time.
Note
To ensure that the schedules take effect at the desired time, you should synchronize
the system clock in the System > Time page.
12.8.2 Schedule Settings
Figure 12-34 Schedule Settings
• Schedule Name: It specifies a unique name of the schedule. It should be between 1
and 11 characters long.
• Start Date and End Date: They specify when the schedule begins and ends. Outside
the specified range, the schedule has no effect. The date is in the range
of 1989-1-1 through 2050-12-31. If you want the schedule to be in effect forever, set
both Start Date and End Date to 1990-1-1. There are two methods to set them.
  • Directly enter a date: You can directly enter a date in the Start Date or End
  Date text box. The date should be entered in the format YYYY-MM-DD, for
  example, 2011-03-23 (or 2011-3-23). Here, YYYY indicates a four-digit year,
  MM indicates a month of the year, and DD indicates a day of that month.
  • Select a Date from the Drop-down Calendar: You can also select a date from
  the drop-down calendar, see Figure 12-34. Click the  to select
  the year, click the  to select the month, and select a date
  directly from the calendar.
• Period 1 to Period 8: They specify further constraints on the active time within the
specified date range. You can configure up to eight time periods for each
schedule.
• Days of the Week: It specifies the day(s) of the week on which the schedule is active.
The available options are Everyday, Monday, Tuesday … Sunday, Weekdays
(Mon-Fri) and Weekends (Sat-Sun).
• Daily Start Time and Daily End Time: They specify a daily start time and end time
during which the schedule is active. Their default values are 00:00:00 and
23:59:59 respectively. Note that the time should be entered in the format HH:MM:SS
and it is expressed in 24-hour clock. For example, 06:30:00 is 06:30:00 am and
18:30:00 is 06:30:00 pm.
• Save: Click it to save the schedule settings.
Note
A schedule that spans two days should be divided into two consecutive time periods.
E.g., for a schedule from 8:00 p.m. to 5:00 a.m. the next day, you need to configure two
time periods: one is 20:00:00 ~ 23:59:59, and the other is 00:00:00 ~ 05:00:00.
12.8.3 Schedule List
Figure 12-35 Schedule List
• Add a Schedule: If you want to add a new schedule, click the New button or select
the Schedule Settings tab to go to the setup page, configure it, and then click
the Save button.
• View Schedule(s): When you have configured some schedules, you can view them
in the Schedule List.
• Edit a Schedule: If you want to modify a configured schedule, click its Edit hyperlink;
the related information will be displayed in the setup page. Then modify it, and click
the Save button.
• Delete Schedule(s): If you want to delete one or more schedules, select their leftmost
check boxes, and then click the Delete button.
• View a Schedule's Details: If you want to view the details of a configured schedule,
click its Details hyperlink, then the schedule details page will be displayed (see
Figure 12-36). Furthermore, if the schedule is referenced, the related information will
be displayed too.
Figure 12-36 Schedule Details
12.8.4 How to Add the Schedules
If you want to add one or more schedules, do the following:
Step 1: Go to the Security > Schedule page, and then click the New button or select
the Schedule Settings tab to go to the setup page.
Step 2: Specify the Schedule Name of the schedule.
Step 3: Specify the Start Date and End Date as required.
Step 4: Specify one or more periods as required.
Step 5: Click the Save button to save the settings. You can view the schedule in the
Schedule List.
Step 6: If you want to add another schedule, repeat the above steps.
Note
If you want to delete one or more schedules, select their leftmost check boxes
in the Schedule List, and then click the Delete button.
12.8.5 Configuration Example for Schedule
1. Requirements
In 2011, a business CEO wants to control the online behavior of the sales department's
employees. He only allows them to access the WEB service during working time, but allows
them to access all the Internet services during rest periods. The working time is: Monday
to Friday, 9:00 to 12:00 am, and 1:00 to 6:00 pm.
2. Analysis
As the sales department's employees can only access the WEB service during working
time, we need to create a schedule during which only the WEB service is accessible.
The details of the schedule are as follows:
• Schedule Name: Here we assume its name is work.
• Start Date: 2011-1-1
• End Date: 2011-12-31
• Period 1: Monday to Friday, 9:00:00 to 11:59:59
• Period 2: Monday to Friday, 13:00:00 to 17:59:59
3. Configuration Procedure
The configuration steps are the following:
Step 1: Go to the Security > Schedule page, and then click the New button or select
the Schedule Settings tab to go to the setup page, see the following figure.
Figure 12-37 Schedule Settings Example
Step 2: Enter work in the Schedule Name text box.
Step 3: Enter 2011-1-1 in the Start Date, and enter 2011-12-31 in the End Date.
Step 4: Configure the two periods of the schedule respectively.
1) Configuring Period 1: Select Weekdays (Mon-Fri) from the Days of the
Week drop-down list, enter 09:00:00 in the Daily Start Time, and enter
11:59:59 in the Daily End Time.
2) Configuring Period 2: Select Weekdays (Mon-Fri) from the Days of the
Week drop-down list, enter 13:00:00 in the Daily Start Time, and enter
17:59:59 in the Daily End Time.
Step 5: Click the Save button to save the settings. You have now finished
configuring the work schedule, and you can reference it in an access
control rule. Please refer to section 12.3.5.1 for detailed operation.
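The schedule rules from 12.8.1 and 12.8.2 (date range, the 1990-1-1 "forever" setting, up to eight periods, and the two-period split for a window that crosses midnight) can be checked offline before a rule depends on them. The following Python model is an added example, not UTT code: all names are hypothetical, and it assumes that a schedule with no periods is active all day and that the tail of an overnight window belongs to the following day of the week.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time

FOREVER = date(1990, 1, 1)  # both dates set to 1990-1-1 means "in effect forever"
MIN_DATE, MAX_DATE = date(1989, 1, 1), date(2050, 12, 31)
MAX_PERIODS = 8

# Day sets use datetime.weekday() numbering: Monday=0 ... Sunday=6.
EVERYDAY = frozenset(range(7))
WEEKDAYS = frozenset(range(5))  # Weekdays (Mon-Fri)
WEEKENDS = frozenset({5, 6})    # Weekends (Sat-Sun)


@dataclass(frozen=True)
class Period:
    days: frozenset
    start: time = time(0, 0, 0)    # default Daily Start Time
    end: time = time(23, 59, 59)   # default Daily End Time

    def __post_init__(self):
        if self.start > self.end:
            raise ValueError("a period cannot cross midnight; use split_overnight()")

    def matches(self, when):
        now = when.time().replace(microsecond=0)
        return when.weekday() in self.days and self.start <= now <= self.end


@dataclass
class Schedule:
    name: str
    start_date: date = FOREVER
    end_date: date = FOREVER
    periods: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= len(self.name) <= 11:
            raise ValueError("Schedule Name must be 1 to 11 characters long")
        if len(self.periods) > MAX_PERIODS:
            raise ValueError(f"at most {MAX_PERIODS} periods per schedule")
        if not MIN_DATE <= self.start_date <= self.end_date <= MAX_DATE:
            raise ValueError("dates must be ordered and within 1989-1-1 .. 2050-12-31")

    def is_active(self, when):
        forever = self.start_date == FOREVER and self.end_date == FOREVER
        if not forever and not self.start_date <= when.date() <= self.end_date:
            return False
        if not self.periods:
            return True  # assumption: no periods means the whole day, every day
        return any(p.matches(when) for p in self.periods)


def split_overnight(days, start, end):
    """Split a window that runs past midnight into two consecutive periods."""
    if start <= end:
        return [Period(days, start, end)]
    # Assumption: the part after midnight falls on the following day of the week.
    next_days = frozenset((d + 1) % 7 for d in days)
    return [Period(days, start, time(23, 59, 59)),
            Period(next_days, time(0, 0, 0), end)]


def work_schedule():
    """The 'work' schedule from section 12.8.5."""
    return Schedule("work", date(2011, 1, 1), date(2011, 12, 31), [
        Period(WEEKDAYS, time(9, 0, 0), time(11, 59, 59)),
        Period(WEEKDAYS, time(13, 0, 0), time(17, 59, 59)),
    ])


if __name__ == "__main__":
    work = work_schedule()
    night = Schedule("night", periods=split_overnight(EVERYDAY, time(20, 0), time(5, 0)))
    samples = [  # constructed timestamps
        ("work", work, datetime(2011, 3, 23, 10, 0)),
        ("work", work, datetime(2011, 3, 23, 12, 30)),
        ("work", work, datetime(2012, 1, 2, 10, 0)),
        ("night", night, datetime(2024, 5, 2, 3, 0)),
    ]
    for label, sched, when in samples:
        print(f"{label:5} {when:%Y-%m-%d %a %H:%M} active={sched.is_active(when)}")
```

Because is_active() takes the time as an argument, the same call shows how a rule behaves if the Device clock is wrong, which is why the manual asks you to synchronize the system clock.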
Chapter 13 System
This chapter describes how to manage the Device, including how to configure
administrator accounts, system time, remote admin, Web server, and how to upgrade
firmware, backup and restore configuration, and restart the Device.
13.1 Administrator
In the System > Administrator page, you can add, view, modify and delete the
administrator accounts.
13.1.1 Administrator Settings
Figure 13-1 Administrator Settings
• User Name: It specifies a unique login name of the administrator. It should be
between 1 and 31 characters long.
• Password: It specifies a login password of the administrator.
• Confirm Password: You should re-enter the password.
• Privilege Group: It allows you to select the privilege group you want the
administrator to have. Each type of privilege group has different privileges.
  • Read: It gives the administrator the ability to view the Device's settings and
  status via the Web UI, except the Status > Session Monitor page. Note: This
  page will only display the currently logged-in administrator's information, and only the
  password can be modified.
  • Execute: It gives the administrator the ability to view and configure the Device
  via the Web UI, except the Status > Session Monitor page. Note: This page will
  only display the currently logged-in administrator's information, and only the password
  can be modified.
  • Admin: It gives the administrator the full administrative privileges to view and
  configure the Device via the Web UI.
• Save: Click it to save the administrator account settings.
Note
1. You can log in to the Device from multiple IP addresses concurrently with the
same administrator user name. To avoid configuration conflicts, it is suggested that
you configure the Device from only one IP address at a time.
2. The default administrator user name is Default (case sensitive) with a blank
password. To ensure security, it is strongly recommended that you change the default
password and remember it.
3. Only an administrator who has Admin privileges can telnet to the Device.
13.1.2 Administrator List
Figure 13-2 Administrator List
• Add an Administrator Account: If you want to add a new administrator account,
click the New button or select the Administrator Settings tab to go to the setup page,
configure it, and then click the Save button.
• View Administrator Account(s): When you have configured some administrator
accounts, you can view them in the Administrator List.
• Edit an Administrator Account: If you want to modify a configured administrator
account, click its Edit hyperlink; the related information will be displayed in the setup
page. Then modify it, and click the Save button.
• Delete Administrator Account(s): If you want to delete one or more administrator
accounts, select their leftmost check boxes, and then click the Delete button.
Note
You cannot delete the default administrator account.
13.1.3 How to Add the Administrator Accounts
If you want to add one or more administrator accounts, do the following:
Step 1: Go to the System > Administrator page.
Step 2: Click the New button or select the Administrator Settings tab to go to the
setup page, and then specify the User Name, Password, Confirm Password
and Privilege Group as required.
Step 3: Specify the Privilege Group as required. If you choose Admin as the Privilege
Group, you can use this administrator account to telnet to the Device.
Step 4: Click the Save button to save the settings. You can view the administrator
account in the Administrator List.
Step 5: If you want to add another administrator account, repeat the above
steps.
Note
If you want to delete one or more administrator accounts, select their leftmost check
boxes in the Administrator List, and then click the Delete button.
13.2 System Time
In the System > Time page, you can view and configure the system time.
To ensure that the time-related functions (e.g., DDNS, Schedule) work well, you should
set the right time on the Device.
You can manually configure the system time or enable SNTP (Synchronize with SNTP
Server) to automatically synchronize time from a designated SNTP server on the Internet.
Some models cannot keep the clock running when powered off; that is, they reset the time
to the default value. In this case, you need to choose SNTP to automatically synchronize the
system time.
Figure 13-3 System Time - Enable SNTP
• Current System Time: It displays the Device's current date (YYYY-MM-DD) and time
(HH:MM:SS).
• Mode: It specifies the mode by which you set the system clock. The available options
are SNTP and Manual.
  • SNTP: If you want the Device to automatically synchronize the system clock from a
  designated SNTP server on the Internet, select this option (see Figure 13-3).
  • Manual: If you want to set the date (YYYY-MM-DD) and time (HH:MM:SS) for
  the Device manually, select this option (see Figure 13-4).
• Time Zone: It specifies the time zone for your local time.
• SNTP Server 1 IP Address ~ SNTP Server 3 IP Address: You can configure
up to three SNTP servers on the Device. Server 1 is the primary server (the
default value is 192.43.244.18), Server 2 is the first backup server (the
default value is 129.6.15.28), and Server 3 is the second backup server (the
default value is 0.0.0.0).
Figure 13-4 System Time - Set Time Manually
• Save: Click it to save the system time settings.
Note
To find an NTP server with which you can synchronize your Device, please refer to
the Website: http://www.ntp.org/.
13.3 Firmware Upgrade
In the System > Upgrade page, you can view the current firmware version information
and upgrade the firmware.
13.3.1 Save Firmware
Figure 13-5 Save Firmware to Local PC
The following figure describes the firmware version details:
Figure 13-6 Firmware Version Details
• Backup Firmware to Local PC: Click the Save button to save the current running
firmware to your local PC.
Note
The operation will save the Device's current running firmware only; it won't save
the current configuration file.
13.3.2 Firmware Upgrade
Figure 13-7 Upgrade Firmware
To upgrade the Device's firmware, do the following:
Step 1: Download the Latest Firmware
Click the Download Firmware hyperlink to download the latest firmware from the website
of UTT Technologies Co., Ltd.
Note
1. Please select the proper firmware, which must match your product hardware
platform.
2. It is recommended that you go to the System > Configuration page to back up the
Device's current configuration before upgrading.
Step 2: Choose the Firmware
Click the Browse button to choose the firmware file you want to upgrade to, or enter the
file path and name in the Firmware File text box.
• Restart after Upgraded: After the upgrade, you have two options to apply the new
firmware: select the Restart after Upgraded check box to let the Device restart itself
automatically once upgraded, or manually restart the Device.
Step 3: Renew Firmware
Click the Upgrade button to renew the Device's firmware.
Note
1. It is strongly recommended that you upgrade firmware when the Device is under light
load.
2. If you upgrade firmware in a timely manner, the Device will have more functionality
and better performance. A correct upgrade will not change the Device's current settings.
3. The Device will take several minutes to upgrade its firmware. During this process, do
not power off the Device or perform any other operation, to avoid damaging it.
13.4 Configuration
In the System > Configuration page, you can back up and restore configuration, and
reset the Device to factory default settings.
13.4.1 Backup Configuration
Figure 13-8 Backup Configuration
• Backup: Click it to save the current configuration file to the local PC.
13.4.2 Restore Configuration
Figure 13-9 Restore Configuration
• Reset to Factory Defaults before Restore: If you select this check box, the Device
will be reset to factory default settings before the configuration file is imported;
otherwise the file is imported directly.
• Configuration File: Click the Browse button to choose an appropriate configuration
file or enter the file path and name in the text box.
• Restore: Click it to import the selected configuration file. It will overwrite the current
configuration on the Device with the new configuration.
Note
To avoid unexpected errors, do not power off the Device while the configuration file
is being imported.
13.4.3 Restore Defaults
Figure 13-10 Restore Default
• Reset: Click it to reset the Device to factory default settings.
Note
1. This operation will clear all of the Device's custom settings. It is strongly
recommended that you back up the current configuration before resetting.
2. The default administrator user name is Default (case sensitive) with a blank
password. The default LAN interface IP address is 192.168.16.1, and the subnet mask
is 255.255.255.0.
13.5 Remote Admin
This section describes the System > Remote Admin page.
As the Device has built-in firewall function, it will block all requests initiated from the
Internet by default. To remotely configure and manage the Device via Internet, you should
enable the HTTP remote management.
Figure 13-11 Remote Admin Settings
• HTTP: It allows you to enable or disable HTTP remote management. Select this
check box to enable HTTP remote management via the Internet. When accessing the
Device from the Internet, enter http:// followed by the Device's WAN IP address,
a colon (:) and the port number. For example, if the WAN IP address is
218.21.31.3 and the port number is 8081, enter http://218.21.31.3:8081 in your browser
URL field.
• Port: It specifies the port number for HTTP remote management. The default value is
8081. Note: If the port value is changed to 80, the system will automatically create
one port forwarding rule: protocol is TCP and port is 80; you can go to the NAT >
Port Forwarding page to view it in the Port Forwarding List. In this case, adding a
new port forwarding rule for a LAN Web server will cause a conflict.
• Save: Click it to save the remote admin settings.
Note
1. You can find the Device's WAN IP address from the WAN List in the Basic > WAN page.
2. To ensure security, it is strongly recommended that you don't enable HTTP remote
management unless necessary. If you do enable it, you should go to the
System > Administrator page to change the default password.
3. If the Internet connection has a dynamic IP address, you should enable DDNS in
the Advanced > DDNS page, so that you can use a fixed domain name to manage the
Device via the Internet.
4. Once you enable the HTTP remote management, the system will automatically create
two port forwarding rules: their IDs are http and telnet respectively. You can go to the
NAT > Port Forwarding page to view them in the Port Forwarding List.
5. Please enable the HTTP remote management before asking a UTT customer
engineer for technical support.
13.6 WEB Server
In the System > WEB Server page, you can specify the port number that the Device Web
service uses to listen for HTTP requests from the LAN hosts.
Figure 13-12 WEB Server
• Port: The port number that the Web server uses to listen for HTTP requests from the
LAN hosts. The default port number is 80. If it has been changed, you should enter
http://Device's LAN IP address:port number (e.g., http://192.168.16.1:88) to
access the Device.
• Save: Click it to save your settings.
13.7 Restart
The System > Restart page lets you restart the Device.
Figure 13-13 Restart the Device
• Restart: Click it to restart the Device.
If you click the Restart button, the system will pop up a prompt dialog box (see Figure
13-19). Then you can click OK to restart the Device, and the system will jump to a
countdown page (see Figure 13-20), or click Cancel to cancel the operation.
Figure 13-14 Prompt Dialog Box - Restart the Device
Figure 13-15 Restarting…
Note
Because restarting the Device will disconnect all the sessions, please do it with
caution. The Device will return to the Status > System Info page after it has restarted.
Appendix A How to configure your PC
This appendix describes how to install and configure TCP/IP properties for Windows 95
and Windows 98.
Step 1: Installing TCP/IP components
To install the TCP/IP component, do the following:
1. On the Windows taskbar, click Start > Settings > Control Panel.
2. Double-click the Network icon, and select the Configuration tab. In The following
network components are installed box, you must make sure that your network card
driver and TCP/IP are installed. To do this, please check that the TCP/IP -> (your
Ethernet adapter) option exists.
3. If your network card driver and TCP/IP are not installed, first install the
network card driver properly.
4. After installing the network card driver, you should install TCP/IP. Do the following:
First, open the Network dialog box (refer to the previous step), and then click the Add
button on the Configuration tab; this will bring up the Select Network Component
Type window. Select Protocol and click the Add button; this will bring up the Select
Network Protocol window. Select Microsoft in the Manufacturers box, and select
TCP/IP in the Network Protocols box, lastly click OK to reboot the server PC. Your
computer will prompt you to restart, and then TCP/IP will be installed.
Step 2: Configuring TCP/IP properties
Once the proper Ethernet card and TCP/IP protocol are installed, you should configure the
TCP/IP properties. There are two methods of configuring TCP/IP properties: one is to
manually configure TCP/IP properties, the other is to automatically configure TCP/IP
properties with DHCP. The following describes the configuration procedure of these two
methods respectively.
• Method One: Manually Configuring TCP/IP
To configure the TCP/IP protocol manually, do the following:
1. On the Windows taskbar, click Start > Settings > Control Panel.
2. Double-click the Network icon, and select the Configuration tab. In The following
network components are installed box, select TCP/IP -> (your Ethernet adapter),
and then click Properties.
3. In the TCP/IP properties dialog box, select the IP address tab, and then select the
Specify an IP address radio button. Enter 192.168.16.x (x is between 2 and 254,
including 2 and 254) in the IP Address box, and enter 255.255.255.0 in the Subnet
Mask box.
4. Select the Gateway tab, enter the IP address of the Device's LAN interface (default
value is 192.168.16.1) in the New gateway box, and then click the Add button.
5. Select the DNS Configuration tab, enter a host name in the Host box, and optionally
enter a domain name in the Domain box. In the DNS Server Search Order box,
enter the IP address of the primary DNS server provided by your ISP. Then click the Add
button to add the IP address to the list. Add the secondary DNS server IP address in
the same manner as the first. Leave the domain suffix search order blank.
6. Click OK in the TCP/IP properties window; this will return you to the Network
window. Click OK again. You have now finished configuring the TCP/IP properties.
Restart your PC for the changes to take effect.
• Method Two: Automatically Configuring TCP/IP with DHCP
1. To ensure that the host can obtain an IP address and other TCP/IP parameters
automatically from the Device, you should enable the Device's DHCP server function
in the Basic > DHCP & DNS page.
2. On the Windows taskbar, click Start > Settings > Control Panel.
3. Double-click the Network icon, and select the Configuration tab. In The following
network components are installed box, select TCP/IP -> (your Ethernet adapter),
and then click Properties.
4. In the TCP/IP properties dialog box, select the IP address tab, and then select
Obtain an IP address automatically.
5. Select the Gateway tab, and then make sure that the Installed gateway box is left
blank. If any gateways are shown, remove them.
6. Click the DNS Configuration tab, and then make sure that Disable DNS is
selected.
7. Click OK in the TCP/IP properties window; this will return you to the Network
window. Click OK again. You have now finished configuring the TCP/IP properties.
Restart your PC for the changes to take effect.
Step 3: 6HOHFWLQJ:LQGRZVÂś,QWHUQHW$FFHVV0HWKRG
1.
On the Windows taskbar, click Start > Programs > Accessories > Communications >
Internet Connection Wizard.
2.
Select the third option I want to set up my Internet connection manually, or I want
to connect through a Local Area Network (LAN), and click the Next button.
3.
Select I want to connect through a Local Area Network radio button, and click the
Next button.
4.
Uncheck all boxes in the LAN Internet Configuration screen, and click the Next
button.
5.
In the Set Up Your Internet Mail Account screen, select No and click the Next
button.
6.
In the Internet Connection Wizard screen, click the Finish button to complete the
wizard.
You have now finished configuring the TCP/IP properties, and you can use the web
browser, FTP client, or other Internet client programs normally.
Appendix B FAQ
1. How to connect the Device to the Internet using PPPoE
Step 1
Set your ADSL Modem to bridge mode (RFC 1483 bridged mode).
Step 2
Please make sure that your PPPoE Internet connection uses the standard dial type.
You may use Windows XP built-in PPPoE dial-in client to test.
Step 3
Connect a network cable from the ADSL modem to a WAN port of the Device,
and connect your telephone line to the ADSL modem's line port.
Step 4
Configure the PPPoE Internet connection related parameters in the Basic >
WAN page or through the Quick Wizard. Refer to section 6.2.2.1 PPPoE
Internet Connection Settings for more information.
Step 5
If you pay monthly for the Internet connection, you can choose Always On as
the Dial Type; otherwise, you can choose On Demand or Manual as the Dial Type,
and specify the Idle Timeout to avoid wasting online time if you forget
to hang up the connection in time.
Step 6
If you choose Manual as the Dial Type, you need to go to the Basic > WAN >
WAN List page to dial up manually. Refer to section 6.2.1.3 How to Dial and
Hang up a PPPoE Connection for more information.
Step 6
After the PPPoE connection is established successfully, you can view its
configuration and status information in the Basic > WAN > WAN List page,
such as Status (Connected means the connection is established successfully),
the connection's IP address and Gateway provided by your ISP, and so on,
see Figure B-0-1.
Figure B-0-1 Viewing PPPoE Internet Connection Status in WAN List
Step 7
You may go to the Status > System Log page to view the system logs related
to the PPPoE connection, see Table B-0-1.
Call Syslog:
Session Up [x]
PPPoE Up 00:0c:f8:f9:66:c6
Call Connected, on Line1, on Channel 0
Outgoing Call @51:1-1
Call Result: PPPoE session has been established successfully.

Call Syslog:
Call Terminated @clearSession: 1
Outgoing Call @51:1-1
Call Result: Failed to establish the physical connection, please check
whether the Internet connection is normal. You may use
Windows XP built-in PPPoE dial-in client to test.

Call Syslog:
Call Terminated @clearSession: 1
Call Connected, on Line1, on Channel 0
Outgoing Call @51:1-1
Call Result: The physical connection has been established, but failed to
authenticate. Please go to the Basic > WAN page to check
whether the user name and password are correct. If they are
correct, please change the PPP Authentication to CHAP or
NONE (see Figure B-0-2) and then click the Save button,
lastly restart the Device.

Table B-0-1 PPPoE Dial-up System Logs
Figure B-0-2 PPPoE Connection Settings (Part)
Step 8
You may go to the Status > Route Stats page to view the related route
information in the Routing Table, such as the Gateway IP Address provided
by your ISP, Flag (N should appear, which means NAT is enabled on the route),
and so on, see Figure B-0-3.
Figure B-0-3 Routing Table - Example 1
Step 9
Configure the LAN hosts according to the steps described in Appendix A How
to configure your PC.
2. How to connect the Device to the Internet using Static IP
Step 1
Please make sure the Internet connection is normal. You may use your PC to
test.
Step 2
Connect a network cable from the network device provided by your ISP to a
WAN port of the Device.
Step 3
Configure the static IP Internet connection related parameters in the Basic >
WAN page or through the Quick Wizard. Refer to section 6.2.2.2 Static IP
Internet Connection Settings for more information.
Step 4
After you finish configuring the static IP Internet connection, you may go to the
Status > Route Stats page to view the related route information in the Routing
Table, such as the Gateway IP Address provided by your ISP, Flag (N should
appear, which means NAT is enabled on the route), and so on, see Figure B-0-4.
Figure B-0-4 Routing Table - Example 2
Step 5
Configure the LAN hosts according to the steps described in Appendix A How
to configure your PC.
3. How to connect the Device to the Internet using DHCP
Step 1
Please make sure the Internet connection is normal. You may use your PC to
test.
Step 2
Connect a network cable from the Cable modem to a WAN port of the Device.
Step 3
Configure the DHCP Internet connection related parameters in the Basic >
WAN page or through the Quick Wizard. Refer to section 6.2.2.3 DHCP
Internet Connection Settings for more information.
Note
For a DHCP Internet connection, the Cable Modem may record the MAC address of the
previously connected network device, and only allow the network device with the
recorded MAC address to connect to it. In that case you should set the new Device's
MAC address to the recorded MAC address. The operation is as follows: Go to
the Basic > WAN page and select DHCP from the Connection Type, enter the
recorded MAC address in the MAC Address text box, click Save to
save the change, and then restart the Device for the change to take effect.
Step 4
After the DHCP Internet connection is established successfully, you can view its
configuration and status information in the Basic > WAN > WAN List page,
such as Status (Connected means the connection is established successfully;
in this case, it also displays the time left before the lease of the
current IP address expires), the connection's IP address and Gateway provided by
your ISP, and so on, see Figure B-0-5.
Figure B-0-5 View DHCP Internet Connection Status Information
Step 5
You may go to the Status > Route Stats page to view the related route
information in the Routing Table, such as the Gateway IP Address provided
by your ISP, Flag (N should appear, which means NAT is enabled on the route),
and so on, see Figure B-0-6.
Figure B-0-6 Routing Table - Example 3
Step 6
Configure the LAN hosts according to the steps described in Appendix A How
to configure your PC.
4. How to reset the Device to factory default settings
The following describes how to reset the Device to factory default settings. There are two
cases depending on whether you remember the administrator password or not.
Note
1)
The reset operation will clear all the custom settings on the Device, so do it with
caution.
2)
Here we take Windows XP for example.
4-1 Case One: Remember the administrator password
When you remember the administrator password, you can use the following two ways to
reset the Device to factory default settings. Note that you can use the second way
only when the Device has a terminal port.
The first way: Reset the Device to factory default settings via Web UI.
The operation is as follows: Go to the System > Configuration > Restore Default page,
and then click Reset button to reset the Device to factory default settings.
The second way: Reset the Device to factory default settings via HyperTerminal.
The operation steps are the following:
Step 1
Connect the RJ-45 connector of the supplied serial cable to the terminal port on
the Device, and the DB9 connector of the cable to an open COM port on your
PC.
Step 2
Click Start > Programs > Accessories > Communications > HyperTerminal,
the first screen that appears is the New Connection dialog box, see Figure
B-0-7; enter a name (Term9600 in this example) in the Name text box, and then
click OK button.
Note that if HyperTerminal is not installed, click Start > Settings > Control
Panel > Add or Remove Programs > Add/Remove Windows Components >
Accessories and Utilities > Details > Communications > Details, select the
HyperTerminal check box, and then click OK.
Figure B-0-7 New Connection - Term9600
Step 3
The Connect To dialog box appears, see Figure B-0-8. From the Connect
using drop-down list, select the COM port that links your PC to the Device
(COM3 in this example), and then click OK button.
Figure B-0-8 Choose a COM Port - Term9600
Step 4
The COM port properties dialog box appears (see Figure B-0-9). Select 9600
from Bits per second, 8 from Data bits, None from Parity, 1 from Stop bits,
None from Flow control, and then click OK button.
Figure B-0-9 COM Port Properties - Term9600
Step 5
Now the HyperTerminal is started and ready for use, see Figure B-0-10.
Figure B-0-10 HyperTerminal Window - Term9600
Step 6
Press the <Enter> key directly; the Device will acknowledge the active connection with
the "Login" prompt, see Figure B-0-11. Enter the administrator user name
(Default in this example) at the prompt and press the <Enter> key. Then the
"Password" prompt appears; enter the password (test in this example) at the
prompt and press the <Enter> key. Then the "hiper%" prompt appears, which
means that you have logged in to the Device successfully, and the Device is
ready to receive a command.
Figure B-0-11 Login to the Device - Term9600
Step 7
Enter nvramc at the prompt and press the <Enter> key (see Figure B-0-12); the
Device will immediately restore to factory default settings and restart itself.
Once restarted, you can use the system default administrator account to log in
to the Device via Web UI.
Note that by default, the LAN interface IP address is 192.168.16.1, and the
administrator user name is Default (case sensitive) with a blank password.
Figure B-0-12 Reset to Factory Default Settings - Term9600
4-2 Case Two: Forget the administrator password
If you forget the administrator password, you can use the following two ways to reset the
Device to factory default settings. Note that you can use the first way only when the
Device has a reset button, and the second way only when the Device has a terminal port.
The first way: Reset the Device to factory default settings via Reset Button.
The operation is as follows: While the Device is powered on, use a pin or paper clip to
press and hold the Reset button for more than 5 seconds, and then release the button.
After that, the Device will restart with factory default settings.
The second way: Reset the Device to factory default settings via HyperTerminal.
The operation steps are the following:
Step 1
Connect the RJ-45 connector of the supplied serial cable to the terminal port on
the Device, and the DB9 connector of the cable to an open COM port on your
PC.
Step 2
Click Start > Programs > Accessories > Communications > HyperTerminal,
the first screen that appears is the New Connection dialog box, see Figure
B-0-13; enter a name (Term115200 in this example) in the Name text box, and
then click OK button.
Note that if HyperTerminal is not installed, click Start > Settings > Control
Panel > Add or Remove Programs > Add/Remove Windows Components >
Accessories and Utilities > Details > Communications > Details, select the
HyperTerminal check box, and then click OK.
Figure B-0-13 New Connection - Term115200
Step 3
The Connect To dialog box appears, see Figure B-0-14. From the Connect
using drop-down list, select the COM port that links your PC to the Device
(COM3 in this example), and then click OK button.
Figure B-0-14 Choose a COM Port - Term115200
Step 4
The COM port properties dialog box appears (see Figure B-0-15). Select
115200 from Bits per second, 8 from Data bits, None from Parity, 1 from
Stop bits, None from Flow control, and then click OK button.
Figure B-0-15 COM Port Properties - Term115200
Step 5
Now the HyperTerminal is started and ready for use, see Figure B-0-16.
Figure B-0-16 The HyperTerminal Window - Term115200
Step 6
Restart the Device and immediately enter ast (lower case) within three seconds; then
the "Ast>" prompt appears, see Figure B-0-17. Note that if the prompt fails to appear,
please try several times until the "Ast>" prompt appears.
Figure B-0-17 Login to the Device - Term115200
Step 7
Enter nv at the prompt and press the <Enter> key (see Figure B-0-18); the Device
will immediately restore to the factory default settings. The appearance of
"Erasing NVRAM Done" means that the Device has restored to the
factory default settings successfully. Once you have restarted the Device, you
can use the system default administrator account to log in to the Device via Web UI.
Note that by default, the LAN interface IP address is 192.168.16.1, and the
administrator user name is Default (case sensitive) with a blank password.
Figure B-0-18 Reset to Factory Default Settings - Term115200
5. How to use CLI Rescue Mode
In most cases, the Device can boot or reboot normally in Normal Startup Mode. However,
sometimes you are unable to start the Device in Normal Startup Mode due to
configuration errors, forgetting the administrator password or other reasons. To solve this
problem, we provide Rescue Mode in the Device with ReOS 5.0 or a later version.
After booting into Rescue Mode, the Device runs with factory default settings and without
custom settings, so it behaves like a new device that hasn't been configured. In Rescue
Mode, you can use any CLI command to perform any operation.
Note
Only a Device that has a serial port supports Rescue Mode.
Here we take Windows XP for example to describe how to start the Device in Rescue
Mode. The operation steps are the following:
Step 1
Connect the RJ-45 connector of the supplied serial cable to the terminal port on
the Device, and the DB9 connector of the cable to an open COM port on your
PC.
Step 2
Click Start > Programs > Accessories > Communications > HyperTerminal,
the first screen that appears is the New Connection dialog box, see Figure
B-0-19; enter a name (rescue in this example) in the Name text box, and then
click OK button.
Note that if HyperTerminal is not installed, click Start > Settings > Control
Panel > Add or Remove Programs > Add/Remove Windows Components >
Accessories and Utilities > Details > Communications > Details, select the
HyperTerminal check box, and then click OK.
Figure B-0-19 New Connection - Rescue
Step 3
The Connect To dialog box appears, see Figure B-0-20. From the Connect
using drop-down list, select the COM port that links your PC to the Device
(COM3 in this example), and then click OK button.
Figure B-0-20 Choose a COM port - Rescue
Step 4
The COM port properties dialog box appears (see Figure B-0-21). Select 9600
from Bits per second, 8 from Data bits, None from Parity, 1 from Stop bits,
None from Flow control, and then click OK button.
Figure B-0-21 COM Port Properties - Rescue
Step 5
Now the HyperTerminal is started and ready for use, see Figure B-0-22.
Figure B-0-22 The HyperTerminal Window - Rescue
Step 6
Restart the Device. During the restart, once the "***booting with factory
default configuration, please press Ctrl~C 3 times now!***" prompt appears,
immediately press the <Ctrl+C> keys three consecutive times within three
seconds. The appearance of the "BREAK detected, skip restore user nvram
profile by _restoreUserNvramTask." prompt then means that the system has booted
into Rescue Mode successfully.
Figure B-0-23 Boot into Rescue Mode - Rescue
Step 7
After the Device has booted into Rescue Mode, you can use the system default
administrator account to log in to the Device. Enter Default at the "Login" prompt
and press the <Enter> key, see Figure B-0-24. Then the "Password" prompt appears;
press the <Enter> key directly. Then the "rescue#" prompt appears, which means
that you have logged in to the Rescue Mode configuration interface successfully,
and the Device is ready to receive a command. Now you can perform any
operation.
Figure B-0-24 Login to Rescue Mode Configuration Interface - Rescue
Step 8
In the Rescue Mode configuration interface, see Figure B-0-25, if you enter show
running-config at the prompt and press the <Enter> key, it will output only firmware
version information and no custom settings, which means that the
system is running with the factory default settings; if you enter show nvram at
the prompt and press the <Enter> key, it will output not only firmware version
information but also your custom settings.
Figure B-0-25 View Settings - Rescue
Note
In Rescue Mode, the write command saves only the settings you have made in the Rescue
Mode configuration interface, and all of your original custom settings will
be lost. Thus if you want to keep the original custom settings, do one of the following:
first run the show nvram command to display all the original custom settings,
then re-enter the settings that you need by copy and paste, and lastly run the
write command to save those settings; or save the settings that you need as a text
file, then run the write command, and lastly re-enter the settings in the Normal Startup
Mode configuration interface.
Step 9
Finally, you need to restart the Device to exit the Rescue Mode configuration interface.
6. IP/MAC Binding and Access Control
This section mainly describes the characteristics of the IP/MAC binding and access control
functions, and the relationship between them. Its purpose is to help you better understand
them, and use them to flexibly control and manage the Internet behaviors of the LAN
users to enhance network security.
To achieve network security management, you should first implement user identification, and
then implement user authorization. On the Device, you can use the IP/MAC binding
feature to implement user identification, and use the access control feature to apply access
control rules that control the Internet behaviors of the LAN users.
Refer to section 12.2 IP/MAC Binding for more information about IP/MAC binding; refer to
section 12.3 Firewall for more information about access control.
A. IP/MAC Binding
The Device provides IP/MAC binding feature to implement user identification. Using the
IP/MAC address pair as a unique user identity, you can protect the Device and your network
against IP address theft, MAC address theft, IP spoofing attack, and MAC spoofing attack.
For those non-IP/MAC binding users (i.e., the users whose IP address and MAC address
both are different from any IP/MAC binding's), the Device allows them to access the Device
and Internet by default. If you want to block them from accessing, please unselect the Allow
Undefined LAN PCs check box in the Security > IP/MAC Binding > IP/MAC Binding
List page.
The IP/MAC binding feature can only act on the packets initiated from the LAN hosts to the
Device or outside hosts, but cannot act on the packets within the LAN. If you change a
LAN host's IP address or MAC address, this LAN host will be unable to access the Device
and access the Internet through the Device, but it still can communicate with the other
LAN hosts; for example, it can browse Network Neighborhood, use Windows file and printer
sharing services within the LAN, and so on.
B. Access Control
The Device allows you to create access control rules by referencing address groups,
service groups and schedules. By default, as no access control rule exists on the Device,
the Device will forward all the valid packets received by the LAN interface. After you have
enabled access control, the Device will examine each packet received by the LAN
interface to determine whether to forward or drop the packet, based on the criteria you
specified in the access control rules.
C. The Relationship between Them
1)
Using IP/MAC binding feature can only implement user identification, but cannot
control and manage the Internet behaviors of the LAN users. The latter is
implemented by access control function module.
2)
In most cases, you can create an access control rule for a group of users. If some
users have the privileges of accessing the Internet, you can create an address group
for these hosts even if their IP addresses are discontinuous. Then you only need to
create one access control rule by using the address group to meet the hosts'
requirements, instead of creating a rule for each user respectively. Of course, you can
create access control rules for individual users if needed.
3)
On the Device, at first you can use IP/MAC binding feature to implement user
identification, and then divide the LAN users into several address groups (the users with
the same Internet access privileges are divided into the same group), lastly create
different access control rules for different address groups. Thus, you can implement
not only user identification, but also Internet behavior management of LAN users to
ensure network security and efficient use of network resources.
D. Operation Process
When receiving a packet initiated from LAN to the Device or outside host, the Device will
process the packet in the following order:
1)
User identification (i.e., the packet is processed by the IP/MAC binding function module)
a)
If the sender is a legal user, the packet will be allowed to pass, and then be
further processed by the firewall access control function module.
b)
If the sender is an illegal user, the packet will be dropped immediately.
c)
If the sender is an undefined user, there are two cases:
i.
If the Allow Undefined LAN PCs check box is selected, the packet will be
allowed to pass, and then be further processed by the firewall access control
function module.
ii.
Else, the packet will be dropped immediately.
Note
The definitions of legal user, illegal user and undefined user are as follows:
● Legal User: A legal user's IP and MAC address pair matches an IP/MAC binding
whose Allow Internet Access check box is selected.
● Illegal User: An illegal user's IP and MAC address pair matches an IP/MAC
binding whose Allow Internet Access check box is unselected; or the IP
address or MAC address is the same as an IP/MAC binding's, but not both.
● Undefined User: An undefined user's IP address and MAC address both are
different from any IP/MAC binding. The undefined users are all the users except
legal and illegal users.
2)
User authorization (i.e., the packet is processed by the firewall access control function
module)
When receiving a packet initiated from LAN, the Device will analyze the packet by
extracting its source MAC address, source IP address, destination IP address,
protocol type (TCP, UDP or ICMP), port number, content, and the date and time at
which the packet was received, and then compare them with each rule in the order in
which the rules are listed in the Access Control List. The first rule that matches the
packet will be applied to the packet, and the Device will forward or drop it according to this
rule's action. Note that after a match is found, no further rules will be checked; and if
no match is found, the Device will drop the packet to ensure security.
Note that if a schedule is referenced in an access control rule, you first need to judge
whether the schedule is in effect or not. If the schedule has expired, it will be of
no effect. In this case, if the access control rule still needs a time restriction, you
should reconfigure the schedule.
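The processing order described above, written out as an added Python example; it is not taken from the manual or from the Device's firmware. The class and function names are hypothetical, a CIDR network stands in for an address group, and rules match on source network, protocol and destination port only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    allow_internet: bool  # state of the "Allow Internet Access" check box


@dataclass(frozen=True)
class Rule:
    action: str                     # "forward" or "drop"
    src_net: str                    # assumption: CIDR standing in for an address group
    protocol: Optional[str] = None  # "tcp", "udp" or "icmp"; None matches any
    dst_port: Optional[int] = None  # None matches any port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    protocol: str
    dst_port: Optional[int] = None


def classify(pkt: Packet, bindings: Sequence[Binding]) -> str:
    """Return 'legal', 'illegal' or 'undefined' using the Note's definitions."""
    mac = pkt.src_mac.lower()
    partial = False
    for b in bindings:
        ip_hit = b.ip == pkt.src_ip
        mac_hit = b.mac.lower() == mac
        if ip_hit and mac_hit:
            return "legal" if b.allow_internet else "illegal"
        partial = partial or ip_hit or mac_hit
    # IP or MAC equals a binding's, but not both: defined as an illegal user.
    return "illegal" if partial else "undefined"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def decide(pkt: Packet, bindings: Sequence[Binding], rules: Sequence[Rule],
           allow_undefined: bool = True, acl_enabled: bool = True) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'forward' or 'drop'."""
    # Stage 1: user identification (IP/MAC binding module).
    user = classify(pkt, bindings)
    if user == "illegal":
        return "drop", "identification: illegal user"
    if user == "undefined" and not allow_undefined:
        return "drop", "identification: undefined user blocked"
    # Stage 2: user authorization (access control module).
    if not acl_enabled:
        return "forward", "access control disabled"
    for index, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):  # first match wins, later rules are skipped
            return rule.action, f"rule {index}"
    return "drop", "no rule matched"


# Constructed sample data (not from the manual).
SAMPLE_BINDINGS = [
    Binding("192.168.16.10", "00:22:aa:00:22:aa", True),
    Binding("192.168.16.11", "00:22:aa:00:22:ab", False),
]
SAMPLE_RULES = [
    Rule("drop", "192.168.16.0/24", "tcp", 445),
    Rule("forward", "192.168.16.0/28", "tcp", 80),
    Rule("forward", "192.168.16.0/24", "icmp"),
]

if __name__ == "__main__":
    for pkt in (
        Packet("192.168.16.10", "00:22:AA:00:22:AA", "tcp", 80),
        Packet("192.168.16.10", "00:22:aa:00:22:ff", "tcp", 80),
        Packet("192.168.16.200", "00:11:22:33:44:55", "tcp", 80),
    ):
        print(pkt.src_ip, pkt.src_mac, decide(pkt, SAMPLE_BINDINGS, SAMPLE_RULES))
```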
E. Configuration Procedure
From the above analysis, we can see that if you want to configure the network access
privileges for the LAN users, you need to follow these steps:
1) At first, you need assign network access privileges to each LAN user: determine
whether a user can access and pass through the Device, and assign specific Internet
access privileges to the user.
2) Divide the LAN users into several address groups: the users with the same Internet
access privileges are divided into the same address group.
3) Configure TCP/IP properties for each LAN user's host, and record each host's MAC
address.
4) Go to the Security > IP/MAC Binding page to create IP/MAC bindings. Note that if
you want to block the undefined LAN users from accessing the Device and Internet,
you should unselect the Allow Undefined LAN PCs check box.
5) Go to the Security > Address Group page to create address groups.
6) Go to the Security > Service Group page to create service groups.
7) Go to the System > Time page to synchronize the system clock.
8) If you want to create the access control rules based on schedules, go to the Security >
Schedule page to create schedules.
9) Go to the Security > Firewall page to create access control rules for each address
group respectively.
7. How to find out who uses the most bandwidth?
By viewing the NAT Statistics list in the Status > NAT Stats page, you can find out the
LAN user who uses the most bandwidth.
A. How to find out who has downloaded the most packets?
Check the Rx Packets in the NAT Statistics list: a larger value means more
downloaded packets. The largest Rx Packets value means the corresponding LAN user has
downloaded the most packets from the Internet.
B. How to find out who has uploaded the most packets?
Check the Tx Packets in the NAT Statistics list: a larger value means more
uploaded packets. The largest Tx Packets value means the corresponding LAN user has
uploaded the most packets to the Internet.
C. How to find out who is most active in the LAN?
Check the Active Sessions in the NAT Statistics list: a larger value means the user is
more active. The largest Active Sessions value means the corresponding user is the most
active in the LAN.
8. How to troubleshoot faults caused by worm viruses or hacker attacks on the Device?
Note
Each of the following points can only be used as a reference for network troubleshooting,
but cannot be used as a basis for finding a network virus or attack.
A. How to find out who is using an IP/Port Scanner
When using an IP/Port Scanner, a host sends a large number of ICMP/UDP/TCP
packets to the target host in a very short time to detect whether the target IP address
exists or there are open ports on the target host. The host using an IP/Port Scanner can
generate a large amount of traffic, and too much traffic (i.e., too heavy network load) will
cause network congestion, so the other users may be unable to surf the Internet
normally.
On the Device, you can find out who is using an IP/Port Scanner through the following
three ways.
1)
You can view the NAT Statistics list in the Status > NAT Stats page to find out if
there is a LAN host whose Overflow is larger than 100. If a host's concurrent NAT
sessions have reached the maximum value (configured in the Security > NAT
Session Limit page), any further request for creating a new session will be discarded,
and the Overflow will be updated synchronously; so if a host's Overflow is larger
than 100, the host is suspected of using an IP/Port Scanner.
2)
You can view the NAT Statistics list in the Status > NAT Stats page to find out if
there is a LAN host whose Tx Packets is far larger than Rx Packets. An IP/Port
Scanner often uses a forged source IP address to send out packets, so the
response packets cannot arrive at the sender; so if a host's Tx Packets is far
larger than Rx Packets, the host is suspected of using an IP/Port Scanner.
3)
You can view system logs in the Status > System Log page to find out if there is a
NAT exceeded log message. For example, the log message of "NAT exceeded
192.168.16.221" means that the host with IP address 192.168.16.221 has exceeded
the maximum concurrent NAT sessions limited by the Device (configured in the
Security > NAT Session Limit page), and this host is suspected of using an IP/Port
Scanner.
Note
Recommended solution: It is recommended that you stop all the running
applications on that suspicious host, and then run an effective antivirus software,
lastly restart or reinstall the operating system.
B. How to find out who is attacking an Internet host with DoS/DDoS
A DoS attack (denial-of-service attack) or DDoS attack (distributed denial-of-service
attack) is an attempt to make a host resource unavailable to its intended users. When
performing a DoS/DDoS attack, a host sends a large number of packets to the target
host (typically a web server) in a very short time to cause too heavy a load on the host,
so that the host is unable to provide normal services. The host performing DoS/DDoS
attacks can generate a large amount of traffic, and too much traffic (i.e., too heavy network
load) will cause network congestion, so the other users may be unable to surf the
Internet normally.
On the Device, you can find out who is performing a DoS/DDoS attack through the
following three ways.
1)
You can view the NAT Statistics list in the Status > NAT Stats page to find out if
there is a LAN host whose Tx Packets is far larger than the other hosts', but its Rx
Packets is very small or zero. When a LAN host attacks an Internet host with
DoS/DDoS, it sends a large number of packets to the Internet host; so if a LAN host
meets the above conditions, it is suspected of performing a DoS/DDoS attack.
Note that the user who is uploading files via HTTP/FTP should be excluded.
2)
You can view the NAT Statistics list in the Status > NAT Stats page to find out if
there is a LAN host whose Tx Packets is far larger than Rx Packets. A DoS/DDoS
attack program often uses a forged source IP address to send out packets, so
the response packets cannot arrive at the sender; so if a host's Tx
Packets is far larger than Rx Packets, the host is suspected of performing a
DoS/DDoS attack.
3)
You can view system logs in the Status > System Log page to find out if there is a
NAT exceeded log message. For example, the log message of "NAT exceeded
192.168.16.221" means that the host with IP address 192.168.16.221 has exceeded
the maximum concurrent NAT sessions limited by the Device (configured in the
Security > NAT Session Limit page), and this host is suspected of performing a
DoS/DDoS attack.
Note
Recommended solution: It is recommended that you stop all the running
applications on that suspicious host, and then run an effective antivirus software,
lastly restart or reinstall the operating system.
C. How to find out a host infected with Code Red worm virus?
You can view the NAT Statistics list in the Status > NAT Stats page to find out if there is
a LAN host whose Tx Packets is very large but Rx Packets is very small or zero. If a host
meets the above conditions and hasn't used any LAN server, the host is likely to be
infected with Code Red worm virus.
D. How to find out a host performing a TCP SYN Flood, UDP Flood or
ICMP Flood attack?
You can view the NAT Statistics list in the Status > NAT Stats page to find out if there is
a LAN host whose Tx Packets is very large but Rx Packets is very small. If a host meets
the above conditions, the host is likely performing a TCP SYN Flood, UDP Flood or ICMP
Flood attack.
Note
The user who is uploading files via HTTP/FTP should be excluded.
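The Tx/Rx comparisons used above for DoS/DDoS, Code Red and flood attacks, together with the NAT exceeded log check, can be run over values copied from the Device. The following Python code is an added example, not part of the UTT manual or firmware; the row layout, sample values and thresholds (ratio, peer_factor, min_tx) are assumptions, and only the Tx Packets/Rx Packets columns and the NAT exceeded message come from the manual.

```python
import re
import statistics
from collections import Counter

# Constructed sample: (LAN IP, Tx Packets, Rx Packets) as read off Status > NAT Stats.
NAT_STATS = [
    ("192.168.16.10", 18_400, 21_950),     # ordinary browsing
    ("192.168.16.35", 96_000, 61_000),     # HTTP/FTP upload: heavy Tx, but replies come back
    ("192.168.16.77", 8_200, 7_900),
    ("192.168.16.221", 1_250_000, 140),    # sends far more than peers, almost nothing returns
    ("192.168.16.230", 402_000, 0),        # no replies at all
]

# Constructed system-log lines; only the "NAT exceeded <ip>" text is from the manual.
SYSLOG = [
    "NAT exceeded 192.168.16.221",
    "DHCP lease 192.168.16.10",            # hypothetical unrelated line
    "NAT exceeded 192.168.16.221",
]

NAT_EXCEEDED = re.compile(r"NAT exceeded (\d{1,3}(?:\.\d{1,3}){3})")


def triage(stats, log_lines, uploaders=(), ratio=20.0, peer_factor=10.0, min_tx=10_000):
    """Return {ip: [reasons]} for hosts that match any of the three checks.

    uploaders   hosts known to be uploading via HTTP/FTP (excluded from Tx/Rx checks)
    ratio       Tx/Rx ratio treated as "far larger" (assumed threshold)
    peer_factor multiple of the other hosts' median Tx treated as "far larger"
    min_tx      ignore hosts with too little traffic to judge
    """
    findings = {}
    for ip, tx, rx in stats:
        if ip in uploaders or tx < min_tx:
            continue
        peers = [p_tx for p_ip, p_tx, _ in stats if p_ip != ip]
        lopsided = tx / max(rx, 1) >= ratio
        # Check 1: Tx far above the other hosts' while Rx is very small or zero.
        if peers and lopsided and tx >= peer_factor * statistics.median(peers):
            findings.setdefault(ip, []).append("Tx far above peers, Rx near zero")
        # Check 2: Tx far above Rx (replies to forged source addresses never return).
        if lopsided:
            findings.setdefault(ip, []).append("Tx far above Rx")
    # Check 3: NAT session limit hits recorded in the system log.
    hits = Counter(
        m.group(1) for line in log_lines if (m := NAT_EXCEEDED.search(line))
    )
    for ip, count in hits.items():
        findings.setdefault(ip, []).append(f"NAT exceeded x{count}")
    return findings


if __name__ == "__main__":
    for host, reasons in triage(NAT_STATS, SYSLOG).items():
        print(host, "->", "; ".join(reasons))
```

A host flagged by more than one check is the first candidate for the recommended cleanup; a host flagged only by the Tx/Rx ratio should first be checked against known uploads.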
E. How to find out a host performing an ARP Spoofing attack?
You can view system logs in the Status > System Log page to find out if there is a LAN
host whose MAC address is changing constantly. For example, the following log message
means that the host with IP address 192.168.1.1 is likely performing an ARP Spoofing
attack.
MAC New 00:22:aa:00:22:bb
MAC Old 00:22:aa:00:22:aa
ARP SPOOF 192.168.1.1
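To separate a MAC address that "is changing constantly" from a single legitimate change, the log messages can be grouped per IP address. The following Python code is an added example, not part of the UTT manual; it assumes each event appears as the three lines shown above in that order (MAC New, MAC Old, ARP SPOOF), and the sample log and the min_changes threshold are constructed.

```python
import re
from collections import defaultdict

MAC_LINE = re.compile(r"MAC (New|Old)\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
SPOOF_LINE = re.compile(r"ARP SPOOF\s+(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample. The first three lines are the message quoted in the manual;
# the remaining events are made up for the example.
SAMPLE_LOG = """\
MAC New 00:22:aa:00:22:bb
MAC Old 00:22:aa:00:22:aa
ARP SPOOF 192.168.1.1
MAC New 00:22:aa:00:22:aa
MAC Old 00:22:aa:00:22:bb
ARP SPOOF 192.168.1.1
MAC New 00:22:aa:00:33:10
MAC Old 00:22:aa:00:33:0f
ARP SPOOF 192.168.1.57
MAC New 00:22:aa:00:22:bb
MAC Old 00:22:aa:00:22:aa
ARP SPOOF 192.168.1.1
"""


def parse_events(text):
    """Turn the log text into a list of (ip, old_mac, new_mac) events."""
    events, pending = [], {}
    for line in text.splitlines():
        mac = MAC_LINE.search(line)
        if mac:
            pending[mac.group(1).lower()] = mac.group(2).lower()
            continue
        spoof = SPOOF_LINE.search(line)
        if spoof:
            # Only emit an event when both MAC lines were seen for it.
            if {"new", "old"} <= pending.keys():
                events.append((spoof.group(1), pending["old"], pending["new"]))
            pending = {}
    return events


def summarize(events, min_changes=2):
    """Per IP: number of MAC changes, the MACs involved, and two flags.

    flapping  the IP returned to a MAC it had before (changes >= distinct MACs)
    suspect   at least min_changes changes were logged (assumed threshold)
    """
    per_ip = defaultdict(lambda: {"changes": 0, "macs": set()})
    for ip, old, new in events:
        per_ip[ip]["changes"] += 1
        per_ip[ip]["macs"].update((old, new))
    return {
        ip: {
            "changes": info["changes"],
            "macs": sorted(info["macs"]),
            "flapping": info["changes"] >= len(info["macs"]),
            "suspect": info["changes"] >= min_changes,
        }
        for ip, info in per_ip.items()
    }


if __name__ == "__main__":
    for ip, info in summarize(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The MAC addresses listed for a suspect IP can then be compared with the entries in the IP/MAC Binding list.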
F. How to find out a host infected with Blaster/Sasser virus?
A host infected with Blaster/Sasser virus randomly sends out a large number of ICMP
packets and broadcasts a large number of packets whose destination port is 135, 137,
139 or 445, which causes network congestion and can even paralyze the whole internal
and external networks.
Go to the Status > Session Monitor page, select All from the Filter Option drop-down
list, and then click the Query button to view all the active NAT sessions in the NAT Session
List. If there are many sessions whose Protocol is ICMP, and many sessions whose Dest
Port is 135, 137, 139 or 445, the corresponding LAN host is likely to be infected with
Blaster/Sasser virus.
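The session check just described can be applied to an exported copy of the NAT Session List. The following Python code is an added example, not part of the UTT manual; the row layout, the sample sessions and the thresholds are assumptions, and counting distinct destination addresses is an addition that separates random scanning from many sessions to one server.

```python
from collections import defaultdict

WORM_PORTS = {135, 137, 139, 445}  # destination ports named in the manual


def build_sample_sessions():
    """Constructed rows: (LAN host, Protocol, destination IP, Dest Port)."""
    rows = []
    # Host .50: many ICMP sessions and many sessions to 135/139/445, all to different addresses.
    for i in range(1, 41):
        rows.append(("192.168.1.50", "ICMP", f"198.51.100.{i}", 0))
    for i in range(1, 61):
        rows.append(("192.168.1.50", "TCP", f"203.0.113.{i}", (135, 139, 445)[i % 3]))
    # Host .20: many sessions to port 445, but always to the same server.
    for _ in range(30):
        rows.append(("192.168.1.20", "TCP", "203.0.113.200", 445))
    rows += [("192.168.1.20", "ICMP", "198.51.100.1", 0)] * 2
    # Host .30: ordinary HTTPS traffic.
    for i in range(25):
        rows.append(("192.168.1.30", "TCP", f"198.51.100.{100 + i}", 443))
    return rows


def triage_sessions(rows, min_icmp=20, min_worm=20, min_spread=10):
    """Return {host: summary} for hosts with many ICMP and/or 135/137/139/445 sessions.

    "likely infected" needs many ICMP sessions, many worm-port sessions and
    at least min_spread distinct destinations; one signal alone gives "review".
    """
    stats = defaultdict(lambda: {"icmp": 0, "worm": 0, "targets": set()})
    for host, proto, dst_ip, dst_port in rows:
        entry = stats[host]
        if proto.upper() == "ICMP":
            entry["icmp"] += 1
        elif int(dst_port) in WORM_PORTS:
            entry["worm"] += 1
            entry["targets"].add(dst_ip)

    report = {}
    for host, entry in stats.items():
        spread = len(entry["targets"])
        many_icmp = entry["icmp"] >= min_icmp
        many_worm = entry["worm"] >= min_worm
        if many_icmp and many_worm and spread >= min_spread:
            verdict = "likely infected"
        elif many_icmp or many_worm:
            verdict = "review"
        else:
            continue
        report[host] = {
            "icmp": entry["icmp"],
            "worm_port": entry["worm"],
            "targets": spread,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for host, summary in triage_sessions(build_sample_sessions()).items():
        print(host, summary)
```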
If a host has been infected with Blaster virus, it has the following symptoms: it inexplicably
crashes or restarts itself; links in IE cannot be opened properly; copy and paste operations
cannot be performed; sometimes certain applications run abnormally, such as
Word; the network becomes slow; there is a process named msblast.exe in Task Manager.
If a host has been infected with Sasser virus, it has the following symptoms: it inexplicably
crashes or restarts itself; there is a process named avserve.exe, avserve2.exe or
skynetave.exe in Task Manager; there is a virus file named avserve.exe, avserve2.exe
or skynetave.exe in the system directory; the system runs extremely slowly, and CPU usage
is 100%.
9. How to enable WAN ping respond?
To facilitate debugging and testing your Internet connections, the Device provides the Enable
WAN Ping Respond feature; that is, it allows you to ping each WAN interface's IP
address to detect whether each Internet connection is normal. The operation is as follows:
Go to the Security > Attack Defense > External Defense page, select the Enable WAN
Ping Respond check box, and then click the Save button.
After you have enabled WAN ping respond, you can test each Internet connection by
using the ping command on an outside host. When you ping the IP address of a WAN
interface, correct responses from the WAN interface mean that the corresponding
Internet connection is normal; otherwise, the connection itself is abnormal, ping response is
disabled on a device between your PC and the Device, or there is a configuration error in the
Device.
Appendix C Common IP Protocols
Protocol Name   Protocol Number   Full Name
IP                                Internet Protocol
ICMP                              Internet Protocol Message Protocol
IGMP                              Internet Group Management
GGP                               Gateway-Gateway Protocol
IPINIP                            IP in IP Tunnel Driver
TCP                               Transmission Control Protocol
EGP                               Exterior Gateway Protocol
IGP                               Interior Gateway Protocol
PUP             12                PARC Universal Packet Protocol
UDP             17                User Datagram Protocol
HMP             20                Host Monitoring Protocol
XNS-IDP         22                Xerox NS IDP
RDP             27                Reliable Datagram Protocol
GRE             47                General Routing Encapsulation
ESP             50                Encap Security Payload
AH              51                Authentication Header
RVD             66                MIT Remote Virtual Disk
EIGRP           88                Enhanced Interior Gateway Routing Protocol
OSPF            89                Open Shortest Path First
Appendix D Common Service Ports
Service Name    Port    Protocol  Description
echo                    tcp
echo                    udp
discard                 tcp
discard                 udp
systat          11      tcp       Active users
systat          11      udp       Active users
daytime         13      tcp
daytime         13      udp
qotd            17      tcp       Quote of the day
qotd            17      udp       Quote of the day
chargen         19      tcp       Character generator
chargen         19      udp       Character generator
ftp-data        20      tcp       FTP, data
ftp             21      tcp       FTP, control
telnet          23      tcp
smtp            25      tcp       Simple Mail Transfer Protocol
time            37      tcp       timserver
time            37      udp       timserver
rlp             39      udp       Resource Location Protocol
nameserver      42      tcp       Host Name Server
nameserver      42      udp       Host Name Server
nicname         43      tcp       whois
domain          53      tcp       Domain Name Server
domain          53      udp       Domain Name Server
bootps          67      udp       Bootstrap Protocol Server
bootpc          68      udp       Bootstrap Protocol Client
tftp            69      udp       Trivial File Transfer
gopher          70      tcp
finger          79      tcp
http            80      tcp       World Wide Web
kerberos        88      tcp       Kerberos
kerberos        88      udp       Kerberos
hostname        101     tcp       NIC Host Name Server
iso-tsap        102     tcp       ISO-TSAP Class 0
rtelnet         107     tcp       Remote Telnet Service
pop2            109     tcp       Post Office Protocol - Version 2
pop3            110     tcp       Post Office Protocol - Version 3
sunrpc          111     tcp       SUN Remote Procedure Call
sunrpc          111     udp       SUN Remote Procedure Call
auth            113     tcp       Identification Protocol
uucp-path       117     tcp
nntp            119     tcp       Network News Transfer Protocol
ntp             123     udp       Network Time Protocol
epmap           135     tcp       DCE endpoint resolution
epmap           135     udp       DCE endpoint resolution
netbios-ns      137     tcp       NETBIOS Name Service
netbios-ns      137     udp       NETBIOS Name Service
netbios-dgm     138     udp       NETBIOS Datagram Service
netbios-ssn     139     tcp       NETBIOS Session Service
imap            143     tcp       Internet Message Access Protocol
pcmail-srv      158     tcp       PCMail Server
snmp            161     udp
snmptrap        162     udp       SNMP trap
print-srv       170     tcp       Network PostScript
bgp             179     tcp       Border Gateway Protocol
irc             194     tcp       Internet Relay Chat Protocol
ipx             213     udp       IPX over IP
ldap            389     tcp       Lightweight Directory Access Protocol
https           443     tcp       MCom
https           443     udp       MCom
microsoft-ds    445     tcp
microsoft-ds    445     udp
kpasswd         464     tcp       Kerberos (v5)
kpasswd         464     udp       Kerberos (v5)
isakmp          500     udp       Internet Key Exchange
exec            512     tcp       Remote Process Execution
biff            512     udp
login           513     tcp       Remote Login
who             513     udp
cmd             514     tcp
syslog          514     udp
printer         515     tcp
talk            517     udp
ntalk           518     udp
efs             520     tcp       Extended File Name Server
router          520     udp       route routed
timed           525     udp
tempo           526     tcp
courier         530     tcp
conference      531     tcp
netnews         532     tcp
netwall         533     udp       For emergency broadcasts
uucp            540     tcp
klogin          543     tcp       Kerberos login
kshell          544     tcp       Kerberos remote shell
new-rwho        550     udp
remotefs        556     tcp
rmonitor        560     udp
monitor         561     udp
ldaps           636     tcp       LDAP over TLS/SSL
doom            666     tcp       Doom Id Software
doom            666     udp       Doom Id Software
kerberos-adm    749     tcp       Kerberos administration
kerberos-adm    749     udp       Kerberos administration
kerberos-iv     750     udp       Kerberos version IV
kpop            1109    tcp       Kerberos POP
phone           1167    udp       Conference calling
ms-sql-s        1433    tcp       Microsoft-SQL-Server
ms-sql-s        1433    udp       Microsoft-SQL-Server
ms-sql-m        1434    tcp       Microsoft-SQL-Monitor
ms-sql-m        1434    udp       Microsoft-SQL-Monitor
wins            1512    tcp       Microsoft Windows Internet Name Service
wins            1512    udp       Microsoft Windows Internet Name Service
ingreslock      1524    tcp
l2tp            1701    udp       Layer Two Tunneling Protocol
pptp            1723    tcp       Point-to-point tunnelling protocol
radius          1812    udp       RADIUS authentication protocol
radacct         1813    udp       RADIUS accounting protocol
nfsd            2049    udp       NFS server
knetd           2053    tcp       Kerberos de-multiplexor
man             9535    tcp       Remote Man Server
Appendix E Figure Index
Figure 0-1 IP/MAC Binding List
Figure 0-2 NAT Statistics
Figure 0-3 Enable DNS Proxy
Figure 2-1 Connecting the UTT 2512 to the LAN and Internet
Figure 2-2 LEDs on the UTT 2512
Figure 2-3 Install the U2000 in a Rack
Figure 2-4 Connecting the U2000 to the LAN and Internet
Figure 2-5 LEDs on the U2000
Figure 3-1 Entering IP address in the Address Bar
Figure 3-2 Login Screen
Figure 3-3 Homepage - System Info Page
Figure 3-4 Shortcut Icons
Figure 4-1 Running the Quick Wizard
Figure 4-2 LAN Settings
Figure 4-3 Choosing an Internet Connection Type
Figure 4-4 Choose PPPoE as the Connection Type
Figure 4-5 PPPoE Internet Connection Settings
Figure 4-6 Choosing Static IP as the Connection Type
Figure 4-7 Static IP Internet Connection Settings
Figure 4-8 Choosing DHCP as the Connection Type
Figure 4-9 Viewing and Saving the Settings Made in the Quick Wizard
Figure 5-1 System Up Time
Figure 5-2 System Resource Usage Information
Figure 5-3 System Version
Figure 5-4 Port Status
Figure 5-5 Interface Rate Chart
Figure 5-6 NAT Statistics List
Figure 5-7 DHCP Pool Statistics List
Figure 5-8 DHCP Server Statistics List
Figure 5-9 DHCP Conflict Statistics List
Figure 5-10 DHCP Client Statistics List
Figure 5-11 DHCP Relay Statistics List
Figure 5-12 Interface Statistics List
Figure 5-13 Routing Table
Figure 5-14 Session Monitor Settings
Figure 5-15 NAT Session List
Figure 5-16 Session Monitor Settings - Example1
Figure 5-17 NAT Session List - Example1
Figure 5-18 Session Monitor Settings - Example2
Figure 5-19 NAT Session List - Example2
Figure 5-20 Session Monitor Settings - Example3
Figure 5-21 NAT Session List - Example3
Figure 5-22 Session Monitor Settings - Example3
Figure 5-23 NAT Session List - Example4
Figure 5-24 System Log Settings
Figure 5-25 System Logs
Figure 5-26 Enable Web Log
Figure 5-27 View Web Logs
Figure 5-28 Enable Application Traffic Statistics
Figure 5-29 Application Traffic Statistics List
Figure 5-30 User Traffic Statistics List
Figure 5-31 WAN Traffic Statistics List
Figure 6-1 LAN Interface Settings
Figure 6-2 WAN Internet Connection List
Figure 6-3 WAN List - PPPoE Internet Connection
Figure 6-4 WAN List DHCP Internet Connection
Figure 6-5 PPPoE Internet Connection Settings
Figure 6-6 Static IP Internet Connection Settings
Figure 6-7 DHCP Internet Connection Settings
Figure 6-8 Delete the Internet Connection
Figure 6-9 Prompt Dialog Box - Delete an Internet Connection
Figure 6-10 Enable ID Binding
Figure 6-11 Global Settings - Full Load Balancing
Figure 6-12 Global Settings - Partial Load Balancing
Figure 6-13 Detection and Weight Settings
Figure 6-14 Load Balancing List
Figure 6-15 DHCP Server Settings
Figure 6-16 DHCP Auto Binding
Figure 6-17 Enable DNS Proxy
Figure 7-1 Static Route Settings
Figure 7-2 Static Route List
Figure 7-3 Static Route Settings - Example One
Figure 7-4 Static Route Settings - Example Two
Figure 7-5 Static Route PDB Settings
Figure 7-6 Static Route PDB Settings - Example One
Figure 7-7 Static Route PDB Settings - Example Two
Figure 7-8 Policy-Based Routing Settings
Figure 7-9 Enable Policy-Based Routing
Figure 7-10 PBR List
Figure 7-11 Enable DNS Redirection
Figure 7-12 DNS Redirection List
Figure 7-13 DNS Redirection Settings
Figure 7-14 Enable Plug and Play
Figure 7-15 SNMP Settings
Figure 7-16 SYSLOG Settings
Figure 7-17 Apply for a DDNS Account from IPLink.com.cn
Figure 7-18 DDNS Settings Related to iplink.com.cn
Figure 7-19 Apply for a DDNS Account from 3322.org
Figure 7-20 DDNS Settings Related to 3322.org
Figure 7-21 Requesting for an IP Address from a DHCP Server
Figure 7-22 Select DHCP Client
Figure 7-23 DHCP Client Settings
Figure 7-24 DHCP Client List
Figure 7-25 Select DHCP Server
Figure 7-26 DHCP Server Global Settings
Figure 7-27 DHCP Manual Binding List
Figure 7-28 DHCP Manual Binding Settings
Figure 7-29 DHCP Address Pool List
Figure 7-30 DHCP Address Pool Settings
Figure 7-31 Select DHCP Relay Agent
Figure 7-32 DHCP Relay Agent Settings
Figure 7-33 DHCP Relay Agent List
Figure 7-34 Select Raw Option
Figure 7-35 Raw Option Settings
Figure 7-36 Raw Option List
Figure 7-37 Network Topology where DHCP Server and Clients on Same Subnet
Figure 7-38 DHCP Server Global Settings - Example
Figure 7-39 DHCP Address Pool Settings - Example (pool1)
Figure 7-40 DHCP Address Pool Settings - Example (pool2)
Figure 7-41 DHCP Manual Binding Settings - Example
Figure 7-42 Network Topology Where DHCP Client is Applied on WAN Interface
Figure 7-43 DHCP Client Settings - Example
Figure 7-44 Network Topology Where the Device Acting as a DHCP Relay Agent
Figure 7-45 DHCP Relay Agent Settings - Example
Figure 7-46 Raw Option Settings - Example
Figure 7-47 Network Topology for DHCP Comprehensive Example
Figure 7-48 DHCP Server Global Settings - Comprehensive Example
Figure 7-49 DHCP Address Pool Settings - Comprehensive Example (pool1)
Figure 7-50 DHCP Relay Agent Settings - Comprehensive Example (DHCP Relay1)
Figure 7-51 Port Mirroring Settings
Figure 7-52 Port-Based VLAN Setup
Figure 7-53 Miscellaneous
Figure 7-54 Scheduled Task Settings
Figure 8-1 Port Forwarding Settings
Figure 8-2 Port Forwarding List
Figure 8-3 Port Forwarding Settings - Example One
Figure 8-4 Port Forwarding Settings - Example Two
Figure 8-5 Port Forwarding Settings - Example Three
Figure 8-6 Global DMZ Host Settings
Figure 8-7 Interface DMZ Host Settings
Figure 8-8 EasyIP NAT Rule Settings
Figure 8-9 One2One NAT Rule Settings
Figure 8-10 Passthrough NAT Rule Settings
Figure 8-11 NAT Rule List
Figure 8-12 EasyIP NAT Rule Settings - Example
Figure 8-13 Network Topology for One2One NAT Rule Configuration Example
Figure 8-14 One2One NAT Rule Settings - Example
Figure 8-15 Network Topology for Passthrough NAT Rule Configuration Example
Figure 8-16 Passthrough NAT Rule Settings - Example
Figure 8-17 Enable UPnP
Figure 8-18 UPnP Port Forwarding List
Figure 9-1 PPPoE Discovery Stage Flows
Figure 9-2 PPPoE Server Global Settings
Figure 9-3 Internet Access Control Settings
Figure 9-4 PPPoE Account Settings
Figure 9-5 PPPoE Account List
Figure 9-6 PPPoE Accounts Import
Figure 9-7 PPPoE Account Billing mechanism
Figure 9-8 PPPoE Account Billing By Date
Figure 9-9 PPPoE Account Billing By Hour
Figure 9-10 PPPoE Account Billing By Traffic
Figure 9-11 PPPoE IP/MAC Binding Settings
Figure 9-12 PPPoE IP/MAC Binding List
Figure 9-13 PPPoE Status List
Figure 9-14 PPPoE Server Global Settings - Example
Figure 9-15 Internet Control Settings - Example
Figure 9-16 Configuring the Universal PPPoE Account - Example
Figure 9-17 Configuring the Advanced PPPoE Account - Example
Figure 9-18 Configuring a PPPoE IP/MAC Binding - Example
Figure 9-19 PPPoE Account Expiration Notice by Date
Figure 9-20 PPPoE Account Expiration Notice Preview - Example 1
Figure 9-21 PPPoE Account Expiration Notice by Hours
Figure 9-22 PPPoE Account Expiration Notice Preview - Example 2
Figure 9-23 PPPoE Account Expiration Notice by Traffic
Figure 9-24 PPPoE Account Expiration Notice Preview - Example 3
Figure 10-1 Rate Limit Global Settings
Figure 10-2 Rate Limit Rule Settings
Figure 10-3 Rate Limit Rule List
Figure 10-4 P2P Rate Limit Settings
Figure 10-5 Preferential Forwarding for Some Applications Traffic
Figure 10-6 Rate Limit Global Settings - Example One
Figure 10-7 Rate Limit Rule Settings - Example One
Figure 10-8 P2P Rate Limit Settings - Example One
Figure 10-9 Rate Limit Rule 1 Settings - Example Two
Figure 10-10 Rate Limit Rule 2 Settings - Example Two
Figure 10-11 Rate Limit Rule 3 Settings - Example Two
Figure 10-12 Enable Preferential Forwarding for Web Traffic - Example Two
Figure 11-1 User Status List .................................................................................................. 277
Figure 11-2 Personal Rate Limit Settings .............................................................................. 279
Figure 11-3 Personal Internet Behavior Management Settings............................................. 280
Figure 11-4 Internet Behavior Management Policy Settings ................................................. 282
Figure 11-5 Internet Behavior Management Policy List ......................................................... 286
Figure 11-6 Policy Database List ........................................................................................... 289
Figure 11-7 Policy Database Version Check ......................................................................... 290
Figure 11-8 Import Policy Database ...................................................................................... 291
Figure 11-9 Enable QQ Whitelist ........................................................................................... 292
Figure 11-10 QQ Whitelist Settings ....................................................................................... 292
Figure 11-11 QQ Whitelist ...................................................................................................... 293
Figure 11-12 Internet Management Behavior Example - Policy 1 ......................................... 296
Figure 11-13 Figure 11-9 Internet Management Behavior Example - Policy 2 ...................... 297
Figure 11-14 Internet Management Behavior Example - Policy 3 ......................................... 298
Figure 11-15 Internet Management Behavior Example - Enable QQ Whitelist ..................... 298
Figure 11-16 Internet Management Behavior Example -QQ Whitelist .................................. 299
Figure 11-17 One-Time Notice Settings - Customized Mode ................................................ 301
Figure 11-18 One-Time Notice Preview - Example ............................................................... 302
Figure 11-19 One-Time Notice Settings - URL Mode ............................................................ 303
Figure 11-20 Daily Notice Settings ........................................................................................ 304
Figure 11-21 Enable Web Authentication ............................................................................... 304
Figure 11-22 Web Authentication User Account Settings ...................................................... 305
Figure 11-23 Web Authentication User Account List ............................................................. 305
Figure 11-24 Web Authentication Login Page ....................................................................... 306
Figure 11-25 Web Authentication Prompt Page .................................................................... 307
Figure 12-1 Internal Attack Defense Settings ........................................................................ 309
Figure 12-2 External Attack Defense Settings ........................................................................ 311
Figure 12-3 IP/MAC Binding List - Example One .................................................................. 315
Figure 12-4 IP/MAC Binding List - Example Two .................................................................. 316
Figure 12-5 IP/MAC Binding Settings .................................................................................... 317
Figure 12-6 IP/MAC Binding Global Setup ............................................................................ 318
Figure 12-7 IP/MAC Binding List ........................................................................................... 319
Figure 12-8 IP/MAC Binding List - Example Three ............................................................... 322
Figure 12-9 IP/MAC Binding List - Example Four ................................................................. 323
Figure 12-10 Access Control Rule Settings ........................................................................... 328
Figure 12-11 Enable Access Control ..................................................................................... 330
Figure 12-12 Access Control List ........................................................................................... 330
Figure 12-13 The Schedule of work Settings - Example 1 .................................................... 333
Figure 12-14 The Address Group of TD_FD Settings - Example 1 ....................................... 333
Figure 12-15 The Service Group of WEB_FTP Settings - Example 1................................... 334
Figure 12-16 The Access Control Rule 1 Settings - Example 1 ............................................ 335
Figure 12-17 The Access Control Rule 2 Settings - Example 1 ............................................ 336
Figure 12-18 Enable Access Control - Example 1 ................................................................. 336
Figure 12-19 The Address Group of Inside Settings - Example 2 ......................................... 337
Figure 12-20 The Address Group of Outside Settings - Example 2 ...................................... 338
Figure 12-21 The Access Control Rule 1 Settings - Example 2 ............................................ 339
Figure 12-22 The Access Control Rule 2 Settings - Example 2 ............................................ 340
Figure 12-23 The Access Control Rule 2 Settings - Example 2 ............................................ 341
Figure 12-24 Enable Access Control - Example 2 ................................................................. 341
Figure 12-25 Domain Filtering Settings ................................................................................. 342
Figure 12-26 Domain Blocking Notice ................................................................................... 344
Figure 12-27 Domain Name Blocking Notice Preview .......................................................... 345
Figure 12-28 NAT Session Limit Rule Settings ..................................................................... 346
Figure 12-29 NAT Session Limit Rule List ............................................................................. 347
Figure 12-30 Address Group Settings ................................................................................... 350
Figure 12-31 Address Group List ........................................................................................... 351
Figure 12-32 Service Group Settings .................................................................................... 355
Figure 12-33 Service Group List ............................................................................................ 357
Figure 12-34 Schedule Settings ............................................................................................ 360
Figure 12-35 Schedule List .................................................................................................... 361
Figure 12-36 Schedule Details .............................................................................................. 362
Figure 12-37 Schedule Settings Example ............................................................................. 364
Figure 13-1 Administrator Settings ........................................................................................ 365
Figure 13-2 Administrator List ................................................................................................ 366
Figure 13-3 System Time - Enable SNTP ............................................................................. 368
Figure 13-4 System Time - Set Time Manually ..................................................................... 369
Figure 13-5 Save Firmware to Local PC ............................................................................... 370
Figure 13-6 Firmware Version Details ................................................................................... 370
Figure 13-7 Upgrade Firmware ............................................................................................. 371
Figure 13-8 Backup Configuration ......................................................................................... 372
Figure 13-9 Restore Configuration ........................................................................................ 373
Figure 13-10 Restore Default ................................................................................................ 373
Figure 13-11 Remote Admin Settings .................................................................................... 374
Figure 13-12 WEB Server ..................................................................................................... 376
Figure 13-13 Restart the Device ............................................................................................ 378
Figure 13-14 Prompt Dialog Box - Restart the Device .......................................................... 378
Figure 13-15 Restarting…… .................................................................................................. 378
Figure B-0-1 Viewing PPPoE Internet Connection Status in WAN List ................................. 383
Figure B-0-2 PPPoE Connection Settings (Part) ................................................................... 385
Figure B-0-3 Routing Table - Example 1 ............................................................................... 385
Figure B-0-4 Routing Table - Example 2 ............................................................................... 386
Figure B-0-5 View DHCP Internet Connection Status Information ........................................ 387
Figure B-0-6 Routing Table - Example 3 ............................................................................... 388
Figure B-0-7 New Connection - Term9600 ............................................................................ 390
Figure B-0-8 Choose a COM Port - Term9600 ...................................................................... 391
Figure B-0-9 COM Port Properties - Term9600 ..................................................................... 391
Figure B-0-10 HyperTerminal Window - Term9600 ............................................................... 392
Figure B-0-11 Login to the Device - Term9600 ...................................................................... 393
Figure B-0-12 Reset to Factory Default Settings - Term9600 ............................................... 394
Figure B-0-13 New Connection - Term115200 ...................................................................... 395
Figure B-0-14 Choose a COM Port - Term115200 ................................................................ 396
Figure B-0-15 COM Port Properties - Term115200 ............................................................... 397
Figure B-0-16 The HyperTerminal Window - Term115200 .................................................... 397
Figure B-0-17 Login to the Device - Term115200 .................................................................. 398
Figure B-0-18 Reset to Factory Default Settings - Term115200 ............................................ 399
Figure B-0-19 New Connection - Rescue .............................................................................. 401
Figure B-0-20 Choose a COM port - Rescue ........................................................................ 401
Figure B-0-21 COM Port Properties - Rescue ....................................................................... 402
Figure B-0-22 The HyperTerminal Window - Rescue ........................................................... 403
Figure B-0-23 Boot into Rescue Mode - Rescue ................................................................... 404
Figure B-0-24 Login to Rescue Mode Configuration Interface - Rescue .............................. 405
Figure B-0-25 View Settings - Rescue .................................................................................. 406
Appendix F Table Index
Table 0-1 Factory Default Settings of Interfaces ............................................................................... 6
Table 0-2 Document Organization ........................................................................................... 13
Table 1-1 Detailed Specifications ............................................................................................ 22
Table 2-1 Description of the System LEDs on the UTT 2512 .................................................. 26
Table 2-2 Description of the Port LEDs on the UTT 2512 ....................................................... 26
Table 2-3 Description of the System LEDs on the U2000 ....................................................... 29
Table 2-4 Description of the Port LEDs on the U2000............................................................. 30
Table 3-1 Detailed Description of Shortcut Icons .................................................................... 36
Table 5-1 System Logs List ..................................................................................................... 78
Table 6-1 Description of PPPoE Connection Status ................................................................ 87
Table 6-2 Description of Static IP Connection Status .............................................................. 88
Table 6-3 Description of DHCP Connection Status ................................................................. 88
Table 6-4 Detection Method and Detection Target IP ............................................................ 104
Table 7-1 Reserved Detection Route Name .......................................................................... 121
Table 7-2 DHCP Message Types........................................................................................... 155
Table 7-3 DHCP Relay Agent Forwarding Policies ................................................................ 160
Table 7-4 DHCP Relay Agent IP Addresses and IDs - Comprehensive Example ................. 189
Table 12-1 The System Default Access Control Rules .......................................................... 327
Table B-0-1 PPPoE Dial-up System Logs ............................................................................. 384

Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : Yes
XMP Toolkit                     : 3.1-701
Producer                        : Acrobat Distiller 7.0 (Windows)
Create Date                     : 2012:03:19 15:11:47+08:00
Modify Date                     : 2012:03:19 15:11:47+08:00
Metadata Date                   : 2012:03:19 15:11:42+08:00
Document ID                     : uuid:F08972C79271E1118798BAC5B09D98D0
Instance ID                     : uuid:73e65267-4b8e-4d07-a0ee-07b9e7c27be1
Derived From Instance ID        : uuid:2d7f5971-51fb-4478-950f-3610b05f2e62
Derived From Document ID        : uuid:7260978B9271E111A0D2BDB7F91CA805
Format                          : application/postscript
Creator                         : XuJinghua
Title                           : untitled
Page Count                      : 445
Author                          : XuJinghua
FCC ID Filing: XPF-REG01-UTT
