Motorola Netopia 3300 Podręcznik Użytkownika

Netopia® Software User GuideMarch 2005Netopia® 3300 Series GatewaysVersion 7.5

Table of Contents 10 -----E----- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291-----F----- . . . . . . .

100Delete User ProfileWhen you click the Delete User Profile link, the Confirm Deletion of User screen appears.

101ConfigureLink: UPnPUniversal Plug and Play (UPnP™) is a set of protocols that allows a PC to automatically dis-cover other UPnP devices (anything f

102Link: LAN ManagementTR-064 is a LAN-side DSL Gateway configuration specification. It is an extension of UPnP. It defines more services to locally mana

103ConfigureLink: Advanced -> Ethernet BridgeThe Netopia Gateway can be used as a bridge, rather than a router. A bridge is a device that joins two

104Configuring for Bridge Mode1. Browse into the Netopia Gateway’s web interface.2. Click on the Configure button in the upper Menu bar.3. Click on the

105ConfigureThe Ethernet Bridge page appears.The appearance of this page varies, depending on your Gateway’s inter-faces.7. If available:a. Check the

10611. If you are satisfied with the changes you have made, click Save and Restart in the Save Database box to Apply changes and restart Gateway. You h

107ConfigureLink: SystemThe System Name defaults to your Gateway's factory identifier combined with its serial number. Some cable-oriented Service

108• Syslog: Enable syslog logging in the system.• Syslog Host Name/IP Address: Enter the name or the IP Address of the host that should receive syslo

109ConfigureLog Event MessagesAdministration Related Log Messages1. administrative access attempted:This log-message is generated whenever the user at

11 Table of Contents Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307Declaration for Canadian users

110DSL Log Messages (most common):1. WAN: Data link activated at <Rate> Kbps (rx/tx)This log message is generated when the DSL link comes up.2.W

111Configure6. dropped - frag-mented packet:This log-message is generated whenever a packet, traversing the router, is dropped because it is fragmente

112Link: Internal ServersYour Gateway ships with an embedded Web server and support for a Telnet session, to allow ease of use for configuration and ma

113ConfigureTo select the games or software that you want to host for a specific PC, highlight the name(s) in the box on the left side of the screen. C

114Buddy Phone Calista IP Phone CART Precision Racing, v 1.0Citrix Metaframe/ICA Client Close Combat for Windows 1.0 Close Combat: A Bridge Too Far, v

115ConfigureRename a User(PC)If a PC on your LAN has no assigned host name, you can assign one by clicking the Rename a User(PC) link.To rename a serv

116☛ NOTE:The new name given to a server is only known to Software Hosting. It is not used as an identifier in other network functions, such as DNS or

117ConfigureLink: Time ZoneWhen you click the Time Zone link, the Time Zone page appears.You can set your local time zone by selecting the number of h

118An example of multiple VLANs is shown below:To create a VLAN, click the Add button.The VLAN Entry page appears.You can create up to 32 VLANs, and y

119Configure• VLAN id – This must be a unique identifying number between 1 and 4095.• VLAN Name – A descriptive name for the VLAN.• VLAN Protocol – Th

Table of Contents 12

120For Netopia VGx technology models, separate Ethernet switch ports are displayed and may be configured.To enable any of them on this VLAN, select one

121ConfigureYou can Add, Edit, or Delete your VLAN entries by returning to the VLANs page, and selecting the appropriate entry from the displayed list

122SecurityButton: SecurityThe Security features are available by clicking on the Security toolbar button. Some items of this category do not appear w

123SecurityLink: PasswordsAccess to your Gateway may be controlled through two optional user accounts, Admin and User. When you first power up your Gat

124To display the Passwords window, click the Security toolbar button on the Home page.Use the following procedure to change existing passwords or add

125SecurityPassword changes are automatically saved, and take effect immediately.Link: FirewallUse a Netopia FirewallBreakWater Basic Firewall. BreakW

1263. Click Firewall.4. Click on the radio button to select the protection level you want. Click Submit. Changing the BreakWater setting does not requ

127SecurityTIPS for making your BreakWater Basic Firewall Selection Basic Firewall BackgroundAs a device on the Internet, a Netopia Gateway requires a

128This table shows how inbound traffic is treated. Inbound means the traffic is coming from the WAN into the WAN side of the Gateway. This table shows

129Security☛ NOTE:The Gateway’s WAN DHCP client port in SilentRunning mode is enabled. This feature allows end users to continue using DHCP-served IP

13 What’s New in 7.5 CHAPTER 1 Introduction What’s New in 7.5 New in Netopia Firmware Version 7.5 are the following features: Web-based User Interfac

130Link: IPSecWhen you click on the IPSec link, the IPSec configuration screen appears.Your Gateway can support two mechanisms for IPSec tunnels:• IPSe

131SecuritySafeHarbour IPSec VPNSafeHarbour VPN IPSec Tunnel provides a single, encrypted tunnel to be terminated on the Gateway, making a secure tunn

132A typical SafeHarbour configuration is shown below:Configuring a SafeHarbour VPNUse the following procedure to configure your SafeHarbour tunnel.1. Ob

133SecurityTable 1: IPSec Tunnel Details Parameter Setup WorksheetParameter Netopia Gateway Peer GatewayNamePeer Internal NetworkPeer Internal Netmask

1343. Be sure that you have SafeHarbour VPN enabled.SafeHarbour is a keyed feature. See “Install Keys” on page 184. for information con-cerning instal

135Security10.Make the Tunnel Details entries.Enter or select the required set-tings.Refer to your “IPSec Tunnel Details Parameter Setup Work-sheet” o

136Parameter DescriptionsThe following tables describe SafeHarbour’s parameters that are used for an IPSec VPN tunnel configuration:Table 2: IPSec Conf

137SecurityPAT Address If NAT is enabled, this field appears. You can specify a Port Address Trans-lation (PAT) address or leave the default all-zeroes

138SA Hash Type SA Hash Type refers to the Authentication Hash algorithm used during SA negotiation. Values supported include MD5 and SHA1. N/A will

139SecurityXauth Enable Extended Authentication (XAuth), an extension to the Internet Key Exchange (IKE) protocol. The Xauth extension provides dual a

14 About Netopia Documentation ☛ NOTE: This guide describes the wide variety of features and functionality of the Neto-pia Gateway, when used in Ro

140Link: Stateful InspectionAll computer operating systems are vulnerable to attack from outside sources, typically at the operating system or Interne

141Security• UDP no-activity time-out: The time in seconds after which a UDP session will be ter-minated, if there is no traffic on the session.• TCP n

142Add, Edit, or delete exposed addresses options are active only if NAT is disabled on a WAN interface. The hosts specified in exposed addresses will

143SecurityClick the Add button to add a new range of exposed addresses.You can edit a previously configured range by clicking the Edit button, or dele

144Stateful Inspection OptionsStateful Inspection Parameters are active on a WAN interface only if you enable them on your Gateway.• Stateful Inspecti

145SecurityOpen Ports in Default Stateful Inspection Installation Port Protocol DescriptionLAN (Private) InterfaceWAN (Public) Interface23 TCP telnet

146Link: Packet FilterWhen you click the Packet Filter link the Filter Sets screen appears.Security should be a high priority for anyone administering

147Securityadmit or refuse TCP/IP connections from certain remote networks and specific hosts. You will also use filters to screen particular types of c

148A filter inspects data packets like a customs inspector scrutinizing packages.Filter priorityContinuing the customs inspectors analogy, imagine the

149Securitychance to forward or reject it, and so on. Because of this hierarchical structure, each filter is said to have a priority. The first filter ha

15 Documentation Conventions Documentation Conventions General This manual uses the following conventions to present information: Internal Web Interf

150Here is what this rule looks like when implemented as a filter in Netopia Firmware Version 7.5: To understand this particular fil-ter, look at the pa

151SecurityPort number comparisonsA filter can also use a comparison option to evaluate a packet’s source or destination port number. The comparison op

152Other filter attributesThere are three other attributes to each filter:• The filter’s order (i.e., priority) in the filter set• Whether the filter is cu

153Security• Src Port: The source port to match. This is the port on the sending host that originated the packet.• Dst Port: The destination port to m

154• Destination Port = 23• The filter should be enabled and instructed to block the Telnet packets containing the source address shown in step 2:• For

155SecurityFiltering example #2Suppose a filter is configured to block all incoming IP packets with the source IP address of 200.233.14.0, regardless of

156Design guidelinesCareful thought must go into designing a new filter set. You should consider the following guidelines: • Be sure the filter set’s ov

157Working with IP Filters and Filter SetsWorking with IP Filters and Filter SetsTo work with filters and filter sets, begin by accessing the filter set

158Enter new name for the filter set, for example Filter Set 1.To save the filter set, click the Submit button. The saved filter set is empty (contains n

159Working with IP Filters and Filter SetsPackets in Netopia Firmware Version 7.5 pass through an input filter if they originate from the WAN and throu

16curly ({ }) brackets, with values sep-arated with vertical bars (|).Alternative values for an argument are pre-sented in curly ({ }) brackets, with

160The Filter Set page appears.☛ Note:There are two Add buttons in this page, one for input filters and one for out-put filters. In this section, you’l

161Working with IP Filters and Filter Sets2. If you want the filter to forward packets that match its criteria to the desti-nation IP address, check th

162If Protocol Type is set to TCP or UDP, the settings for port comparison will appear. These settings only take effect if the Protocol Type is TCP or

163Working with IP Filters and Filter SetsModifying filtersTo modify a filter, select a filter from the table and click the Edit button. The Rule Entry p

164Associating a Filter Set with an InterfaceOnce you have created a filter set, you must associate it with an interface in order for it to be effectiv

165Firewall TutorialYou can repeat this process for both the WAN and LAN interfaces, to associate your filter sets.When you return to the Filter Sets p

166Host: A workstation on the network.Packet: Unit of communication on the Internet.Packet filter: Packet filters allow or deny packets based on source

167Firewall TutorialExample TCP/UDP PortsFirewall design rulesThere are two basic rules to firewall design:• “What is not explicitly allowed is denied.

168and a packet goes through these rules destined for FTP, the packet would forward through the first rule (WWW), go through the second rule (FTP), and

169Firewall TutorialExample filter set pageThis is an example of the Netopia filter set page:

17OrganizationOrganizationThis guide consists of eight chapters, including a glossary, and an index. It is organized as follows:• Chapter 1, “Introduc

170Filter basicsIn the source or destination IP address fields, the IP address that is entered must be the network address of the subnet. A host addres

171 Firewall Tutorial Example filters Example 1 Incoming packet has the source address of 200.1.1.28This incoming IP packet has a source IP address t

172 Example 4 Incoming packet has the source address of 200.1.1.104.This rule does match and this packet will not be forwarded. Example 5 Incomin

173 Policy-based Routing using Filtersets Policy-based Routing using Filtersets Netopia Firmware Version 7.5 offers the ability to route IP packets u

174 If you check the Idle Reset checkbox, a match on this rule will keep the WAN connection alive by resetting the idle-timeout status.The Idle Res

175 Policy-based Routing using Filtersets subsequent filter is required to match and forward all other packets. Management IP traffic If the Force Rout

176 Link: Security Log Security Monitoring is a keyed feature. See page 184 for information concerning installing Netopia Software Feature Keys.Secur

177Policy-based Routing using FiltersetsThe capacity of the security log is 100 security alert messages. When the log reaches capacity, subsequent mes

178To reset this log, select Reset from the Security Monitor tool bar.The following message is displayed.When the Security Log contains no entries, th

179InstallInstallButton: InstallFrom the Install toolbar button you can Install new Operating System Software and Feature Keys as updates become avail

18

180Link: Install Software(This link is not available on the 3342/3352 models, since firmware updates must be upgraded via the USB host driver.)This pag

181InstallBackgroundFirmware upgrade image files are posted periodically on the Netopia website. You can download the latest operating system software

182a. Click the Browse button, select the file you want, and click Open. -or-b. Enter the name and path of the software image you want to install in

183InstallVerify the Netopia Firmware ReleaseTo verify that the Netopia firmware image has loaded successfully, use the following steps:1. Open a web c

184Link: Install KeysYou can obtain advanced product functionality by employing a software Feature Key. Soft-ware feature keys are specific to a Gatewa

185Install4. Click the Install Key button.5. Click the Restart toolbar button.The Confirmation screen appears.

1866. Click the Restart the Gateway link to confirm.To check your installed features:7. Click the Install toolbar button.8. Click the list of features

187InstallThe System Status page appears with the information from the features link displayed below. You can check that the feature you just installe

188

189CHAPTER 4 Basic TroubleshootingThis section gives some simple suggestions for troubleshooting problems with your Gate-way’s initial configuration.Be

19CHAPTER 2 Basic Mode SetupMost users will find that the basic Quickstart configuration is all that they ever need to use. This section may be all that

190Status Indicator LightsThe first step in troubleshooting is to check the status indicator lights (LEDs) in the order outlined below.Netopia Gateway

191Status Indicator LightsNetopia Gateway 3341, 3351 status indicator lightsEthernet LinkEthernet TrafficDSL TrafficDSL SyncUSB ActivePowerPower:USB A

192Netopia Gateway 3342, 3352 status indicator lights☛ Special patterns:• Both LEDs are off during boot (power on boot or warm reboot). • When the 33

193Status Indicator LightsNetopia Gateway 3346, 3356 status indicator lightsLAN 1LAN 2LAN 3LAN 4DSL SYNCPowerPower:DSL Sync:Solid green when trained w

194Netopia Gateway 3347W, 3347WG status indicator lightsLED Function Summary MatrixPowerUSB ActiveDSL SyncDSL TrafficEthernet TrafficEthernet LinkUnlit

195Status Indicator LightsIf a status indicator light does not look correct, look for these possible problems: LED State Possible problemsPower Unlit1

196EN TrafficUnlit1. Make sure you have Ethernet drivers installed on the PC.2. Make sure the PC’s TCP/IP Properties for the Ethernet Network Control P

197Factory Reset SwitchFactory Reset Switch(optional on some models; 3342/3352 models do not have a reset switch)Lose your password? This section show

1982. Carefully insert the point of a pen or an unwound paperclip into the open-ing.•If you press the factory default button for less than 1/2 a secon

199CHAPTER 5 Advanced TroubleshootingAdvanced Troubleshooting can be accessed from the Gateway’s Web UI. Point your browser to http://192.168.1.254. T

2 Copyright Copyright © 2005 Netopia, Inc. Netopia and the Netopia logo are registered trademarks belonging to Netopia, Inc., registered U.S. Patent

20Important Safety InstructionsPOWER SUPPLY INSTALLATIONConnect the power supply cord to the power jack on the Netopia Gateway. Plug the power supply

200Home PageThe home page displays basic information about the Gateway. This includes the ISP User-name, Connection Status, Device Address, Remote Gat

201ISP Username This should be the valid PPPoE username. If not, go to Expert Mode and change to the correct username.Device Address This is the negot

202Button: TroubleshootExpert ModeExpert Mode has advanced troubleshooting tools that are used to pinpoint the exact source of a problem. Clicking the

203Link: Ports: EthernetThe Ethernet port selection shows the traffic sent and received on the Ethernet interface. There should be frames and bytes on

204Link: Ports: DSLThe DSL port selection shows the state of the DSL line, whether it is up or down and how many times the Gateway attempted to train.

205Link: DSL: Circuit ConfigurationThe DSL Circuit Configuration screen shows the traffic sent and received over the DSL line as well as the trained rate

206Link: System Log: EntireThe system log shows the state of the WAN connection as well as the PPPoE session. Ver-ify that the PPPoE session has been

207Link: DiagnosticsThe diagnostics section tests a number of different things at the same time, including the DSL line, the Ethernet inter face and t

208Link: Network ToolsThree test tools are available from this page.• NSLookup - converts a domain name to its IP address and vice versa.• Ping - test

209PING: The network tools section sends a PING from the Gateway to either the LAN or WAN to verify connectivity. A PING could be either an IP address

21Set up the Netopia GatewaySet up the Netopia GatewayRefer to your Quickstart Guide for instructions on how to connect your Netopia gateway to your p

210Below are some specific tests:3. To use the TraceRoute capability, type a destination address (domain name or IP address) in the text box and click

211Example: Show the path to the grosso.com site.Result: It took 20 hops to get to the grosso.com web site.

212

213CHAPTER 6 Command Line InterfaceThe Netopia Gateway operating software includes a command line interface (CLI) that lets you access your Netopia Ga

214OverviewThe CLI has two major command modes: SHELL and CONFIG. Summary tables that list the commands are provided below. Details of the entire comm

215OverviewCONFIG CommandsCommand Verbs Status and/or Descriptiondelete Delete configuration list datahelp Help command optionsave Save configuration da

216Starting and Ending a CLI SessionOpen a telnet connection from a workstation on your network.You initiate a telnet connection by issuing the follow

217Using the CLI Help FacilitySaving SettingsIn CONFIG mode, the save command saves the working copy of the settings to the Gate-way. The Gateway auto

218The only commands you cannot truncate are restart and clear. To prevent accidental interruption of communications, you must enter the restart and c

219SHELL Commandsthe diagnostic utility indents its entry in the console window. For example, the diagnostic utility indents the Check IP connect to E

22Then go to Step 2.Step 2. Select Obtain an IP address automatically.Step 3. Select Obtain DNS server address automatically, if available.Step 4. Rem

220If you include the optional keyword confirm, you will not be prompted to confirm whether or not you want to perform the operation.license [key]This

221SHELL Commandsnetstat -i Displays the IP interfaces for your Netopia Gateway.netstat -r Displays the IP routes stored in your Netopia Gateway.nsloo

222reset arp Clears the Address Resolution Protocol (ARP) cache on your unit.reset atmResets the Asynchronous Transfer Mode (ATM) statistics.reset cra

223SHELL Commandsreset security-logClears the security monitoring log to make room to capture new entries. reset wan-users [all | ip-address]This func

224show bridge interfacesDisplays bridge interfaces maintained by the Netopia Gateway.show bridge tableDisplays the bridging table maintained by the N

225SHELL Commandsshow ip lan-discoveryDisplays the LAN Host Discovery Table of hosts on the wired or wireless LAN, and whether or not they are current

226show wireless [all]Shows wireless status and statistics.show wireless clients [ MAC_address ]Displays details on connected clients, or more details

227SHELL CommandsWAN Commandsatmping vccn [ segment | end-to-end ]Lets you check the ATM connection reachability and network connectivity. This comman

228show configDumps the Netopia Gateway’s configuration script just as the script command does in config mode.show dslDisplays DSL port statistics, such

229About CONFIG CommandsSome CLI commands are not available until certain conditions are met. For example, you must enable IP for an interface before

23Set up the Netopia GatewayMacintosh MacOS 8 or higher or Mac OS X: Step 1. Access the TCP/IP or Network control panel. a. MacOS follows a path like

230Entering Commands in CONFIG ModeCONFIG commands consist of keywords and arguments. Keywords in a CONFIG command specify the action you want to take

231About CONFIG CommandsGuidelines: CONFIG CommandsThe following table provides guidelines for entering and formatting CONFIG commands.If a command is

232Step Mode: A CLI Configuration TechniqueThe Netopia Gateway command line interface includes a step mode to automate the pro-cess of entering configur

233CONFIG CommandsDogzilla (top)>> validateError: Subnet mask is incorrectGlobal Validation did not passinspection!You can use the validate comm

234• cbr: One parameter is required for CBR VCs. Enter the Peak Cell Rate that applies to the VC. This value should be between 1 and the line rate. Yo

235CONFIG Commandsset atm [vccn] encap { ppp-vcmux | ppp-llc | ether-llc | ip-llc | ppoe-vcmux | pppoe-llc }Sel

236☛ NOTE:For bridging in the 3341 (or any model with a USB port), you cannot set the bridge option off, or bridge ethernet option off; these are on

237CONFIG CommandsDHCP SettingsAs a Dynamic Host Control Protocol (DHCP) server, your Netopia Gateway can assign IP addresses and provide configuration

238DMT Settings DSL Commandsset dmt type [ lite | dmt | ansi | multi ] Selects the type of Discrete Multitone (DMT) asynchronous digital subscriber li

239CONFIG CommandsCommon Commandsset dns domain-name domain-name Specifies the default domain name for your network. When an application needs to resol

24Then go to Step 2.Step 2. Select Built-in Ethernet Step 3. Select Configure Using DHCPStep 4. Close and Save, if prompted.Proceed to “Configure the Ne

240Because different dynamic DNS vendors use different proprietary protocols, currently only www.dyndns.org is supported.IP SettingsYou can use the co

241CONFIG Commandsset ip dsl vccn broadcast broadcast_addressSpecifies the broadcast address for the TCP/IP network connected to the virtual circuit. I

242an extension of RIP-2 that increases security by requiring an authentication key when routes are advertised.Depending on your network needs, you ca

243CONFIG CommandsThe broadcast address for most networks is the network number followed by 255. For example, the broadcast address for the 192.168.1.

244set ip ethernet A rip-receive { off | v1 | v2 | v1-compat | v2-MD5 }Specifies whether the Netopia Gateway should use Routing Information Protocol (R

245CONFIG Commandsset ip ip-ppp [vccn] address ip_addressAssigns an IP address to the virtual PPP interface. If you specify an IP address other than 0

246set ip ip-ppp [vccn] rip-send { off | v1 | v2 | v1-compat | v2-MD5 }Specifies whether the Netopia Gateway unit should use Routing Information Protoc

247CONFIG CommandsStatic ARP SettingsYour Netopia Gateway maintains a dynamic Address Resolution Protocol (ARP) table to map IP addresses to Ethernet

248IP Prioritizationset ip prioritize [ off | on ]Allows you to support traffic that has the TOS bit set. This defaults to off.Differentiated Services

249CONFIG Commandsset diffserv custom-flows name name protocol [ TCP | UDP | ICMP | other ] direction [ outbound | inbound | both ]

25Configure the Netopia GatewayConfigure the Netopia Gateway1. Run your Web browser application, such as Netscape Navigator or Microsoft Internet Explo

250SIP Passthroughset ip sip-passthrough [ on | off ]Turns Session Initiation Protocol application layer gateway client passthrough on or off. The def

251CONFIG Commandsset ip static-routes destination-network net_address gateway-address gate_addressSpecifies the IP address of the Gateway for the

252set ip-maps name <name> external-ip <ip address>Specifies the name and static ip address of the WAN device to be mapped.Up to 8 mapped s

253CONFIG CommandsNetwork Address Translation (NAT) Pinhole SettingsNAT pinholes let you pass specific types of network traffic through the NAT interfac

254set pinhole name name internal-ip internal-ipSpecifies the IP address of the internal host to which traffic of the specified type should be transferre

255CONFIG Commandsset ppp module [vccn] magic-number { on | off }Enables or disables LCP magic number negotiation.set ppp module [vccn] protocol-compr

256set ppp module [vccn] terminate-max integerSpecifies the maximum number of unacknowledged termination requests that your Netopia Gateway will send b

257CONFIG Commands option [ off | on | pap-only | chap-only ]Specifying on turns both PAP and CHAP on, or you can select PAP or CHAP. Specify t

258set preference more linesSpecifies how many lines of information you want the command line interface to display at one time. The lines argument spec

259CONFIG CommandsPort Renumbering SettingsIf you use NAT pinholes to forward HTTP or telnet traffic through your Netopia Gateway to an internal host,

26The browser then displays the Welcome page.The browser then displays the Quickstart web page.2. Enter the username and password supplied by your Int

260Security SettingsSecurity settings include the Firewall and IPSec parameters. All of the security functionality is keyed.Firewall Settings (for Bre

261CONFIG Commandsset security ipsec tunnels name "123" tun-enable (on) {on | off}This enables this particular tunnel. Currently, one

262set security ipsec tunnels name "123" IKE-mode pre-shared-key ("") {hex string}See page 130 for details about SafeHarbour

263CONFIG Commandsset security ipsec tunnels name "123" IKE-mode PFS-enable { off | on }See page 130 for details about SafeHarbour IPse

264set security ipsec tunnels name "123" local-id id_valueSpecifies the NAT local ID value as specified in the local-id-type for the specified

265CONFIG CommandsInternet Key Exchange (IKE) SettingsThe following four IPsec parameters configure the rekeying event.set security ipsec tunnels name

266Stateful InspectionStateful inspection options are accessed by the security state-insp tag.set security state-insp [ ip-ppp | dsl ] vccn option [ o

267CONFIG Commandsset security state-insp udp-timeout [ 30 - 65535 ]Sets the stateful inspection UDP timeout interval, in seconds.set security state-i

268set security state-insp xposed-addr exposed-address# "n" start-port [ 1 - 65535 ]set security state-insp xposed-addr exposed

269CONFIG Commandsset security pkt-filter filterset filterset-name in index frc-rte [ on | off ]Turns forced routing on or off for the specified filter rul

27Configure the Netopia GatewayOnce a connection is established, your browser is redirected to your service provider’s home page or a registration pag

270set security pkt-filter filterset filterset-name in index protocol valueSpecifies the protocol value to match packets, the type of higher-layer Interne

271CONFIG Commandsset security pkt-filter filterset filterset-name in index src-port valueSpecifies the source IP port to match packets (the port on the s

272set snmp sysgroup contact contact_infoIdentifies the system contact, such as the name, phone number, beeper number, or email address of the person r

273CONFIG Commandsassigned a name to your Netopia Gateway, you can enter that name in the Address text field of your browser to open a connection to yo

274set system idle-timeout { telnet [ 1...120 ] | http [ 1... 120 ] }Specifies a timeout period of inactivity for telnet or HTTP access to the Gateway,

275CONFIG Commands location ("string"):The heartbeat setting is used in conjunction with the configuration server to broadcast con-tact

276set system ntp option [ off | on ]:server-address (204.152.184.72)alt-server-address (""):time-zone [ -12 - 12 ] update-period (60) [ 1 -

277CONFIG CommandsSyslogset system syslog option [ off | on ]Enables or disables system syslog feature. If syslog option is on, the following commands

278 set security state-insp eth B option on• Type the command to enable the router to drop fragmented packets set security state-insp eth B deny-fr

279CONFIG CommandsWireless Settings (supported models)set wireless option ( on | off )Administratively enables or disables the wireless interface.set

28Netopia Gateway Status Indicator LightsColored LEDs on your Netopia Gateway indicate the status of various port activity. Different Gateway models h

280set wireless privacy option { off | WEP | WPA-PSK | WPA-802.1x }Specifies the type of privacy enabled on the wireless LAN. off = no privacy; WEP = W

281CONFIG CommandsFor simplicity, it is easiest to have both the Gateway and the client transmit with the same key. The default is 1.

282set wireless privacy encryption-key1-length {40/64bit, 128bit, 256bit}set wireless privacy encryption-key2-length {40/64bit, 128bit, 256b

283CONFIG CommandsWireless MAC Address Authorization Settingsset wireless mac-auth option { on | off }Enabling this feature limits the MAC addresses t

284set radius radius-port port_numberSpecifies the port on which the RADIUS server is listening. The default value is 1812.VLAN SettingsThese settings

285CONFIG Commandsenabled Netopia Gateway, will not need application layer gateway support on the Netopia Gateway to work through NAT. The default is

286TR-069. DSL Forum CPE WAN Management Protocol (TR-069) provides services similar to UPnP and TR-064. The communication between the Netopia Gateway

287CHAPTER 7 Glossary10Base-T. IEEE 802.3 specification for Ethernet that uses unshielded twisted pair (UTP) wiring with RJ-45 eight-conductor plugs at

288ADSL. Asymmetric Digital Subscriber Line. Modems attached to twisted pair copper wiring that transmit 1.5-9 Mbps downstream (to the subscriber) and

289BRI. Basic Rate Interface. ISDN standard for provision of low-speed ISDN services (two B channels (64 kbps each) and one D channel (16 kbps)) over

29Home Page - Basic ModeHome Page - Basic ModeAfter you have performed the basic Quickstart configuration, any time you log in to your Netopia Gateway

290crossover cable. Cable that lets you connect a port on one Ethernet hub to a port on another Ethernet hub. You can order an Ethernet crossover cabl

291Diffie-Hellman. A group of key-agreement algorithms that let two computers compute a key independently without exchanging the actual key. It can gen

292encapsulation. Technique used to enclose information formatted for one protocol, such as AppleTalk, within a packet formatted for a different proto

293FTP. File Transfer Protocol. Application protocol that lets one IP node trans-fer files to and from another node.FTP server. Host on network from wh

294-----I-----IKE. Internet Key Exchange protocol provides automated key management and is a preferred alternative to manual key management as it prov

295-----K-----Key Management . The Key Management algorithm manages the exchange of security keys in the IPSec protocol architecture. SafeHarbour supp

296at the other end of the connection converts the analog signal back to a digi-tal signal. MRU. Maximum Receive Unit. The maximum packet size, in byt

297PAP. Password Authentication Protocol. Security protocol within the PPP pro-tocol suite that prevents unauthorized access to network services. See

298protocol. Formal set of rules and conventions that specify how information can be exchanged over a network. PSTN. Public Switched Telephone Network

299• The authentication algorithm for AH and ESP• The encryption algorithm for ESP• The encryption and authentication keys• Lifetime of encryption key

3 Table of Contents Table of Contents Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 CHAPTER 1 Int

30The Home Page displays the following information in the center section: The links in the left-hand column on this page allow you to manage or configu

300conversation, rather than just individual packets. It verifies that packets are sent from and received by the proper IP addresses along the proper c

301-----V-----VJ. Van Jacobson. Abbreviation for a compression standard documented in RFC 1144. VLAN. Virtual Local Area Network. A network of compute

302

303DescriptionCHAPTER 8 Technical Specifications and Safety InformationDescriptionDimensions: Smart Modems: 13.5 cm (w) x 13.5 cm (d) x 3.5 cm (h); 5.

304Software and protocolsSoftware media: Software preloaded on internal flash memory; field upgrades done via download to internal flash memory via TFTP

305Agency approvalsAgency approvalsNorth AmericaSafety Approvals: United States – UL 60950, Third Edition Canada – CSA: CAN/CSA-C22.2 No. 60950-00EM

306The Netopia Firmware Version 7.4.2 complies with the following EU directives: Low Voltage, 73/23/EEC EMC Compatibility, 89/336/EEC, conforming to

307Manufacturer’s Declaration of Conformance☛ ImportantThis product was tested for FCC compliance under conditions that included the use of shielded

308Important Safety InstructionsAustralian Safety InformationThe following safety information is provided in conformance with Australian safety requir

30947 CFR Part 68 Information47 CFR Part 68 InformationFCC Requirements1. The Federal Communications Commission (FCC) has established Rules which perm

31Home Page - Basic ModeLink: Manage My AccountYou can change your ISP account information for the Netopia Gateway. You can also man-age other aspects

310d) The REN is used to determine the number of devices that may be connected to a telephone line. Excessive RENs on a telephone line may result in t

311CHAPTER 9 Overview of Major CapabilitiesThe Netopia Gateway offers simplified setup and management features as well as advanced broadband router cap

312Wide Area Network TerminationPPPoE/PPPoA (Point-to-Point Protocol over Ethernet/ATM)The PPPoE specification, incorporating the PPP and Ethernet stan

313Simplified Local Area Network Setup• Your network may change address with each connection making it more difficult to attack.When you configure Insta

314☛ NOTE:The Netopia DNS Proxy only proxies UDP DNS queries, not TCP DNS queries.ManagementEmbedded Web ServerThere is no specialized software to in

315SecurityTraceRoute - displays the path to a destination by showing the number of hops and the router addresses of these hops.The system log also pr

316from routers on networks connected to its WAN interface. In other words, the end com-puter stations on your LAN are invisible from the Internet.Onl

317Security☛ NOTE:1. The default setting for NAT is ON.2. Netopia uses Port Address Translation (PAT) to implement the NAT facility.3. NAT Pinhole tr

318Common TCP/IP protocols and ports are:See page 70 for How To instructions.Default ServerThis feature allows you to:• Direct your Gateway to forward

319SecurityIP-PassthroughNetopia OS now offers an IP passthrough feature. The IP passthrough feature allows a sin-gle PC on the LAN to have the Gatewa

32Link: Status DetailsIf you need to diagnose any problems with your Netopia Gateway or its connection to the Internet, you can run a sophisticated di

320☛ NOTE:Typically, no special configuration is necessary to use the IPSec pass through feature.In the diagram, VPN PC clients are shown behind the N

321IndexSymbols!! command 218AAccess Controls 91Access the GUI 39Address resolution table 224Administrativerestrictions 245Administrator password 39,1

322(DNS) 238DSL Forum settings 285EEcho request 255echo-period 255Embedded Web Server 314Ethernet address 235Ethernet statistics 222FFeature KeysObtai

323Local Area Network 313Location, SNMP 271, 272Log 225Logging in 216lost echoes 255MMagic number 255Maturity Level 92Memory 225Metric 251Multiple Wir

324SSecondary nameserver 238securityfilters 146–??Security log 177Set bncp command 233,234, 235Set bridge commands 236Set dns commands 239Set ip stati

325Telnet command 226Telnet traffic 259TFTP 252TFTP server 219Toolbar 43TOS bit 150, 173TraceRoute 208, 315Trap 271Trivial File TransferProtocol 219Tr

326

Netopia 3300 series by NetopiaNetopia, Inc.6001 Shellmound StreetEmeryville, CA 94608April 21, 2005

33Home Page - Basic ModeLink: Enable Remote ManagementThis link allows you to authorize a remotely-located person, such as a support technician, to di

34Link: Expert ModeMost users will find that the basic Quickstart configuration is all that they ever need to use. Some users, however, may want to do m

35Home Page - Basic ModeClick the Update Firmware link. The Firmware Update Confirmation page appears.If you click the Continue button, the Gateway wil

36Link: Factory ResetIn some cases, you may need to clear all the configuration settings and start over again to program the Netopia Gateway. You can p

37Home Page - Basic ModeLink: Access Control LoginIf you have configured Access Controls (see “Access Control” on page 91) an additional link Access Co

38

39Access the Expert Web InterfaceCHAPTER 3 Expert ModeUsing the Expert Mode Web-based user interface for the Netopia 3300-series Gateway you can config

Table of Contents 4 Update Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Factory Reset . . . . . . .

403. Click on the Expert Mode link in the left-hand column of links.You are challenged to confirm your choice.Click OK.The Home Page opens in Expert Mo

41Access the Expert Web InterfaceHome Page - Expert ModeThe Home Page is the summary page for your Netopia Gateway. The toolbar at the top pro-vides l

42Product ID Refers to internal circuit board series; useful in determining which software upgrade applies to your hardware type.Date & Time This

43ToolbarToolbarThe toolbar is the dark blue bar at the top of the page containing the major navigation but-tons. These buttons are available from alm

44RestartButton: RestartThe Restart button on the toolbar allows you to restart the Gateway at any time. You will be prompted to confirm the restart be

45RestartLink: Alert SymbolThe Alert symbol appears in the upper right corner if you make a database change; one in which a change is made to the Gate

46HelpButton: HelpContext-sensitive Help is provided in your Gateway. The page shown here is displayed when you are on the Home page or other transiti

47ConfigureConfigureButton: ConfigureThe Configuration options are presented in the order of likelihood you will need to use them. Quickstart is typicall

481. Enter your ISP Username and ISP Password.2. Click Connect to the Internet.A brief message is displayed while the Gateway attempts to establish a

49ConfigureLink: LAN* Enable Interface: Enables all LAN-connected computers to share resources and to con-nect to the WAN. The Interface should always

5 Table of Contents Can I use IPMaps with my PPPoE or PPPoA connection? . . . . . 77Will IPMaps allow IP addresses from different subnets to be assi

50• Advanced: Clicking on the Advanced link displays the Advanced LAN IP Interface page.• IGMP Forwarding: The default setting is Disabled. If you che

51Configure• DHCP Server: Your Gateway can provide network configuration information to computers on your LAN, using the Dynamic Host Configuration Prot

52WirelessIf your Gateway is a wireless model (such as a 3347W) you can enable or disable the wire-less LAN (WLAN) by clicking the Wireless link. Wire

53ConfigurePrivacy• Off - No Privacy provides no encryption on your wireless LAN data.• WPA-802.1x provides RADIUS server authentication support.• WPA

54The Pre Shared Key is a passphrase shared between the Router and the clients and is used to generate dynamically changing keys. The passphrase can b

55ConfigureAdvancedIf you click the Advanced link, the advanced 802.11 Wireless Settings page appears.Note: This page displays different options depen

56You can then configure:Enable Multiple Wireless IDs: This feature allows you to add additional network identifi-ers (SSIDs or Network Names) for your

57Configurethe same channel, the Netopia Gateway will initiate a three- to four-minute scan of the channels, locate a better one, and switch. Once it

58☛ NOTE: While clients may also have a passphrase feature, these are vendor-specific and may not necessarily create the same keys. You can passphrase

59ConfigureEncryption Key Size #1 – #4: Selects the length of each encryption key. The longer the key, the stronger the encryption and the more difficu

Table of Contents 6 Configuring a SafeHarbour VPN . . . . . . . . . . . . . . . . . . . . . . . . 132Parameter Descriptions. . . . . . . . . . . .

60The screen expands as follows:Click the Add button. The Authorized Wireless MAC Address Entry screen appears.Enter the MAC (hardware) address of the

61ConfigureYour entry will be added to a list of up to 64 authorized addresses as shown:You can continue to Add, Edit, or Delete addresses to the list

62• RADIUS Server Addr/Name: The default RADIUS server name or IP address that you want to use.• RADIUS Server Secret: The RADIUS secret key used by t

63ConfigureThe Advanced Network Configuration page appears.You access the RADIUS Server configuration screen from the Advanced Network Configura-tion web

64Link: WANWAN IP InterfacesYour IP interfaces are listed. Click on an interface to configure it.IP GatewayEnable Gateway: You can configure the Gateway

65ConfigureATM Circuits: You can configure the ATM circuits and the number of Sessions. The IP Interface(s) should be reconfigured after making changes

66You can choose UBR (Unspecified Bit Rate), CBR (Constant Bit Rate), or VBR (Variable Bit Rate) from the pull-down menu and set the Peak Cell Rate (PC

67Configure☛ Note:The difference between VBR-rt and VBR-nrt is the tolerated Cell Delay Varia-tion range and the provisioned Maximum Burst Size. Clas

68Link: AdvancedSelected Advanced options are discussed in the pages that follow. Many are self-explana-tory or are dictated by your service provider.

69ConfigureLink: IP Static RoutesA static route identifies a manually configured pathway to a remote network. Unlike dynamic routes, which are acquired

7 Table of Contents Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Example 2 . . . . . . . . . . .

70Link: PinholesPinholes allow you to transparently route selected types of network traffic, such as FTP requests or HTTP (Web) connections, to a speci

71Configurevisible IP address on your network is the Gateway’s WAN IP (supplied by your Service Pro-vider). All traffic intended for that LAN Web serve

72A diagram of this LAN example is:You can also use the LAN-side address of the Gateway, 192.168.1.x:8100 to access the web and 192.168.1.x:23 to acce

73ConfigurePinhole Configuration Procedure. Use the following steps:1. From the Configure toolbar button -> Advanced link, select the Internal Server

745. Click Add. Type your specific data into the Pinhole Entries table of this page. Click Submit. 6. Click on the Add or Edit more Pinholes link. Clic

75Configure7. Click on the Add or Edit more Pinholes link. Click the Add button. Add the next Pinhole. Type the specific data for the third Pinhole.☛

7610. Select the Save and Restart link to complete the entire Pinhole creation task and ensure that the parameters are properly saved.☛ NOTE:REMEMBER

77ConfigureConfigure the IPMaps FeatureFAQs for the IPMaps FeatureBefore configuring an example of an IPMaps-enabled network, review these frequently as

78IPMaps Block DiagramThe following diagram shows the IPMaps principle in conjunction with existing Netopia NAT operations:NAT/PAT Table143.137.50.371

79ConfigureLink: Default ServerThis feature allows you to:• Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols o

Table of Contents 8 CHAPTER 6 Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . 213 Overview . . . . . . . . . . . . . . . . .

80Typical Network Diagram. A typical network using the NAT Default Server looks like this:You can also use the LAN-side address of the Gateway, 192.16

81ConfigureWith this topology, you configure the embedded administration ports as a first task, fol-lowed by the Pinholes and, finally, the NAT Default S

82The Host Hardware Address field displays. Here you enter the MAC address of the desig-nated IP-Passthrough computer.• If this MAC address is not all

83ConfigureLink: Differentiated ServicesWhen you click the Differentiated Services link, the Differentiated Services configura-tion screen appears.Neto

84You can then define Custom Flows. If your applications do not provide Quality of Service (QoS) control, Custom Flows allows you to define streams for

85ConfigureQoS Setting TOS Bit Value BehaviorOff TOS=000 This custom flow is disabled. You can activate it by selecting one of the two settings below.

86Link: DNSYour Service Provider may maintain a Domain Name server. If you have the information for the DNS servers, enter it on the DNS page. If your

87ConfigureYour Service Provider may, for certain services, want to provide configuration from its DHCP servers to the computers on your LANs. In this

88Link: SNMPWhen you click the SNMP link, the SNMP configuration page appears.The Simple Network Management Protocol (SNMP) lets a network administrato

89Configure☛ WARNING:SNMP presents you with a security issue. The community facility of SNMP behaves somewhat like a password. The community “public”

9 Table of Contents Static ARP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247IGMP Forwarding . . . . . . . . . . .

90The IP Trap Entry screen appears.Enter an IP Trap Entry IP address. This is the destination for SNMP trap messages, the IP address of the host actin

91ConfigureLink: Access ControlBasic Access Controls prevent designated users from accessing certain types of undesir-able Internet content. You can d

92Click the Setup link in Access Control Options. The Manage Users screen appears.Click the here link. The Add New User screen appears. You can create

93ConfigureHere you can specify the time of day, day(s) of the week, and whether this user will be per-mitted or blocked from accessing the Internet a

94After you have added your users and configured their access control settings, you can return to the Access Control pages at any time to add more user

95Configure• Delete User Profile – allows you to delete this user.Web Filter ProfileWhen you click the Web Filter Profile link, the Block/Allow Websites

96Chat Filter ProfileWhen you click the Chat Filter Profile link, the Chat Filtering screen appears.Chat Filtering allows you to choose whether or not t

97Configure• Messaging Services – If a chat service is permitted, choose which one(s): AOL, Yahoo!, MSN, or ICQ. You can choose more than one, but you

98Email Filter ProfileWhen you click the Email Filter Profile link, the Email Filtering screen appears.Email Filtering allows you to choose whether or n

99ConfigureFor example, if you want to limit a child to exchanging email only with other family mem-bers, you can allow the email server(s), but restr