Zyxel SBG5500-B User Manual

Displayed below is the user manual for SBG5500-B by Zyxel which is a product in the Wired Routers category. This manual has pages.

Related Manuals

Zyxel P-871M Manual

Zyxel GS-105B Manual

Zyxel 793H Manual

Zyxel USG-20 Manual

Zyxel ES1100-8P Manual

Zyxel XGS4700-48F Manual

Zyxel NWA3550-N Manual

Default Login Details

User’s Guide

SBG5500 Series

SBG5500-A / SBG5500-B

Small Business Gateway

LAN IP Address http://192.168.1.1

User Name admin

Password 1234

Version 1.10 Edition 1, 12/2017

SBG5500 Series User’s Guide

IMPORTANT!

READ CAREFULLY BEFORE USE.

KEEP THIS GUIDE FOR FUTURE REFERENCE.

This is a User’s Guide for a series of products. Not all products support all firmware features. Screenshots

and graphics in this book may differ slightly from your product due to differences in your product

firmware or your computer operating system. Every effort has been made to ensure that the information

in this manual is accurate.

Category

Select UBR Without PCR for applications that are non-time sensitive, such as e-mail.

Select CBR (Continuous Bit Rate) to specify fixed (always-on) bandwidth for voice or data traffic.

Select VBR-nrt (non real-time Variable Bit Rate) for connections that do not require closely

controlled delay and delay variation.

Select Realtime VBR (real-time Variable Bit Rate) for applications with bursty connections that

require closely controlled delay and delay variation.

Peak Cell Rate Divide the DSL line rate (bps) by 424 (the size of an ATM cell) to find the Peak Cell Rate (PCR). This

is the maximum rate at which the sender can send cells. Type the PCR here.This field is not

available when you select UBR Without PCR.

Sustainable Cell

Rate

The Sustainable Cell Rate (SCR) sets the average cell rate (long-term) that can be transmitted.

Type the SCR, which must be less than the PCR. Note that system default is 0 cells/sec.

This field is available only when you select VBR-nrt or Realtime VBR.

Maximum Burst

Size

Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak

rate. Type the MBS, which is less than 65535.

This field is available only when you select Non Realtime VBR or Realtime VBR.

VLAN This section is available only when you select ADSL/VDSL over PTM in the Type field.

Enable Select this to add the VLAN Tag (specified below) to the outgoing traffic through this

connection.

802.1p IEEE 802.1p defines up to 8 separate traffic types by inserting a tag into a MAC-layer frame that

contains bits to define class of service.

Select the IEEE 802.1p priority level (from 0 to 7) to add to traffic through this connection. The

greater the number, the higher the priority level.

VLAN ID Type the VLAN ID number (from 0 to 4094) for traffic through this connection.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Table 12 WAN / Internet > WAN Setup > Add/Edit: Bridge Mode (ADSL over ATM) (continued)

LABEL DESCRIPTION

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

Figure 52 WAN / Internet > WAN Setup > IPv6

The following table describes the labels in this screen.

Table 13 WAN / Internet > WAN Setup > IPv6

LABEL DESCRIPTION

IPv6 Address

Obtain an IPv6 Address

Automatically

Select this if you want to have the SBG use the IPv6 prefix from the connected

router’s Router Advertisement (RA) to generate an IPv6 address.

Static IPv6 Address Select this if you have a fixed IPv6 address assigned by your ISP.

IPv6 Address Enter the IPv6 address assigned by your ISP.

Prefix Length Enter the address prefix length to specify how many most significant bits in an IPv6

address compose the network address.

Default Gateway Enter the IP address of the next-hop gateway. The gateway is a router or switch on

the same segment as your SBG's interface(s). The gateway helps forward packets to

their destinations.

IPv6 Routing Feature

Enable MLD Proxy Select this check box to have the SBG act as an MLD proxy on this connection. This

allows the SBG to get subscription information and maintain a joined member list for

each multicast group. It can reduce multicast traffic significantly.

Apply as Default Gateway Select this option to have the SBG use the WAN interface of this connection as the

system default gateway.

IPv6 DNS Server

Obtain IPv6 DNS Info

Automatically

Select this to have the SBG get the IPv6 DNS server addresses from the ISP

automatically.

Use Following Static IPv6

DNS Address

Select Static to have the SBG use the IPv6 DNS server addresses you configure

manually.

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

5.4 The Mobile Screen

Use this screen to configure your 3G/4G settings. Click Configuration > WAN / Internet > Mobile.

Note: The actual data rate you obtain varies depending on the 3G/4G USB dongle you use,

the signal strength to the service provider’s base station, and so on.

DNS Server 1 Enter the first IPv6 DNS server address assigned by the ISP.

DNS Server 2 Enter the second IPv6 DNS server address assigned by the ISP.

Tunnel

(This is available only when you select IPv6 Only in the IPv4 / IPv6 Mode field.)

Enable DS-Lite Enable Dual Stack Lite to let local computers use IPv4 through an ISP’s IPv6 network.

DS-Lite Relay Server IP Specify the transition router’s IPv6 address.

OK Click OK to save your changes back to the SBG.

Cancel Click Cancel to exit this screen without saving.

Table 13 WAN / Internet > WAN Setup > IPv6

LABEL DESCRIPTION

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

Figure 53 Configuration > WAN / Internet > Mobile

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

The following table describes the labels in this screen.

Table 14 Configuration > WAN / Internet > Mobile

LABEL DESCRIPTION

3G Connection Settings

Card

Description

This field displays the manufacturer and model name of your 3G/4G card if you inserted one in

the SBG. Otherwise, it displays N/A.

Username Type the user name (of up to 64 ASCII printable characters) given to you by your service

provider.

Password Type the password (of up to 64 ASCII printable characters) associated with the user name

above.

Authentication

Type

Select an authentication type protocol for outgoing connection requests. Select Auto for the

SBG to accept any protocol when requested by the remote node. Select CHAP to accept only

CHAP and PAP for the SBG to accept only PAP.

PIN A PIN (Personal Identification Number) code is a key to a 3G/4G card. Without the PIN code, you

cannot use the 3G card.

If your ISP enabled PIN code authentication, enter the 4-digit PIN code (0000 for example)

provided by your ISP. If you enter the PIN code incorrectly, the 3G/4G card may be blocked by

your ISP and you cannot use the account to access the Internet.

If your ISP disabled PIN code authentication, leave this field blank.

Dial string Enter the phone number (dial string) used to dial up a connection to your service provider’s base

station. Your ISP should provide the phone number.

For example, *99# is the dial string to establish a GPRS or 3G or 4G connection in Taiwan.

APN Enter the APN (Access Point Name) provided by your service provider. Connections with

different APNs may provide different services (such as Internet access or MMS (Multi-Media

Messaging Service)) and charge method.

You can enter up to 32 ASCII printable characters. Spaces are allowed.

Connection Select Nailed UP if you do not want the connection to time out.

Select on Demand if you do not want the connection up all the time and specify an idle time-

out in the Max Idle Timeout field.

Max Idle

Timeout

This value specifies the time in minutes that elapses before the SBG automatically disconnects

from the ISP.

IP Address

Obtain an IP

Address

Automatically

Select this option If your ISP did not assign you a fixed IP address.

Use the

following static

IP address

Select this option If the ISP assigned a fixed IP address.

IP Address Enter your WAN IP address in this field if you selected Use the following static IP address.

Subnet Mask Enter the Subnet Mask provided by your ISP.

DNS

Obtain DNS info

dynamically

Select this to have the SBG get the DNS server addresses from the ISP automatically.

Use the

following static

DNS IP address

Select this to have the SBG use the DNS server addresses you configure manually.

DNS server 1 Enter the first DNS server address assigned by the ISP.

DNS server 2 Enter the second DNS server address assigned by the ISP.

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

Connectivity

Check

The interface can regularly check the connection to the gateway you specified to make sure it

is still available. You specify how often the interface checks the connection, how long to wait for

a response before the attempt is a failure, and how many consecutive failures are required

before the SBG stops routing to the gateway. The SBG resumes routing to the gateway the first

time the gateway passes the connectivity check.

Enable

Connectivity

Check

Select this to turn on the connection check.

Check Method Select the method that the gateway allows.

Select ICMP to have the SBG regularly ping the gateway you specify to make sure it is still

available.

Select TCP to have the SBG regularly perform a TCP handshake with the gateway you specify to

make sure it is still available.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure.

Check Fail

Tolerance

Enter the number of consecutive failures before the SBG stops routing through the gateway.

Check Default

Gateway

Select this to use the default gateway for the connectivity check.

Check This

Address

Select this to specify a domain name or IP address for the connectivity check. Enter that domain

name or IP address in the field next to it.

Budget Setup

Enable Select this option to set a monthly limit for the user account of the installed 3G card. You must

insert a 3G card before you enable budget control on the SBG.

You can set a limit on the total traffic and/or call time. The SBG takes the actions you specified

when a limit is exceeded during the month.

Time Budget Select this option and specify the amount of time (in hours) that the 3G connection can be used

within one month.

If you change the value after you configure and enable budget control, the SBG resets the

statistics.

Data Budget Select this option and specify the amount of data in Mega bytes or the number of packets that

can be transmitted via the 3G connection within one month.

Select Download to set a limit on the downstream traffic (from the ISP to the SBG).

Select Upload to set a limit on the upstream traffic (from the SBG to the ISP).

Select Download/Upload to set a limit on the total traffic in both directions.

If you change the value after you configure and enable budget control, the SBG resets the

statistics.

Reset All Budget

Counters On

Select the last or a specific day of the month to reset all budget counters. If the date you

specified is not available in a month, such as 30th or 31th of February, the SBG resets the budget

on the last day of the month.

Reset Time And

Data Budget

Counters

Click this button to reset the time and data budgets immediately. The count starts over with the

3G connection’s full configured monthly time and data budgets. This does not affect the normal

monthly budget restart.

Before Over

Budget

Enter a number from 1 to 99 in the percentage fields. The SBG takes actions when the specified

percentage of time budget or data limit is exceeded. If you change the value after you

configure and enable budget control, the SBG resets the statistics.

Enable Log Select this to activate the logging function at the interval you set in the Interval field.

Interval Enter the time interval (in minutes) at which the SBG creates log messages.

Table 14 Configuration > WAN / Internet > Mobile (continued)

LABEL DESCRIPTION

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

5.5 The Port Setting Screen

Click Configuration > WAN / Internet > Port Setting to display the following screen. Use the Port Setting

screen to set the SBG flexible ports as part of the LAN or WAN interfaces. This creates a hardware

connection between physical ports at the layer 2 (data link, MAC address level). This provides wire-

speed throughput but no security.

Note the following if you are configuring from a computer connected to a LAN or WAN port and

change the port's role:

• A port's IP address varies as its role changes. Make sure your computer's IP address is in the same

subnet as the SBG's LAN or WAN IP address.

• Use the appropriate LAN or WAN IP address to access the SBG.

Figure 54 Configuration > WAN / Internet > Port Setting

The physical Ethernet ports are shown at the bottom and the Ethernet interfaces are shown at the

bottom of the screen. Use the radio buttons to select for which interface (network) you want to use

each physical port. For example, select a port’s LAN radio button to use the port as part of the LAN

interface. The port will use the SBG’s LAN IP address and MAC address.

Note: You will notice when Port 5 is WAN, Port 6 can only be WAN, this is because Port 6 has a

better performance as WAN and Port 5 works as failover.

Click Apply to save your changes and apply them to the SBG.

When Over

Budget

Specify the actions the SBG takes when the time or data limit is exceeded.

Current

connection

Select Keep to maintain the existing 3G connection or Drop to disconnect it when the data

transmission is over the set budget.

Apply Click Apply to save your changes back to the SBG.

Reset Click Cancel to return to the previous configuration.

Table 14 Configuration > WAN / Internet > Mobile (continued)

LABEL DESCRIPTION

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

Click Reset to change the port groups to their current configuration (last-saved values).

5.6 The Multi-WAN Screen

Use the Multi-WAN screen to configure the multiple WAN load balance and failover rules to distribute

traffic among different interfaces. This helps to increase overall network throughput and reliability. Load

balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service

and maximize bandwidth utilization for multiple ISP links.

You can only configure one rule for each interface. Click Configuration > WAN / Internet > Multi-WAN to

display the following screen.

Figure 55 Configuration > WAN / Internet > Multi-WAN

The following table describes the labels in this screen.

Table 15 Configuration > WAN / Internet > Multi-WAN

LABEL DESCRIPTION

Configuration

Disconnect

Connections

Before Falling

Back

Select this to terminate existing connections on an interface which is set to passive mode when

any interface set to active mode in the same trunk comes back up.

System Default The SBG automatically adds all external interfaces into the pre-configured system default

SYSTEM_DEFAULT_WAN_TRUNK. You cannot delete it.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify the

entry’s settings.

# This field is a sequential value, and it is not associated with any interface.

Name This field displays the label to identify the trunk.

Algorithm This field displays the load balancing method the trunk is set to use.

Apply Click Apply to save your changes to the SBG.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

5.6.1 Edit Multi-WAN

Select an existing multi-WAN and click Edit in the Multi-WAN screen to configure it.

Figure 56 Multi-WAN: Edit

The following table describes the labels in this screen.

Table 16 Multi-WAN: Edit

LABEL DESCRIPTION

Name This field displays the label to identify the trunk.

Load Balancing

Algorithm

Select a load balancing method to use from the drop-down list box.

Select Weighted Round Robin to balance the traffic load between interfaces based on their

respective weights. An interface with a larger weight gets more chances to transmit traffic than

an interface with a smaller weight. For example, if the weight ratio of wan1 and wan2 interfaces

is 2:1, the SBG chooses wan1 for 2 sessions’ traffic and wan2 for 1 session’s traffic in each round

of 3 new sessions.

Select Least Load First to send new session traffic through the least utilized trunk member.

Select Spillover to send network traffic through the first interface in the group member list until

there is enough traffic that the second interface needs to be used (and so on).

Load Balancing

Index(es)

This field is available if you selected to use the Least Load First or Spillover method.

Select Outbound, Inbound, or Outbound + Inbound to set the traffic to which the SBG applies the

load balancing method. Outbound means the traffic traveling from an internal interface (ex.

LAN) to an external interface (ex. WAN). Inbound means the opposite.

The table lists the trunk’s member interfaces. You can add, edit, remove, or move entries for user

configured trunks.

Add Click this to add a member interface to the trunk. Select an interface and click Add to add a

new member interface after the selected member interface.

Edit Select an entry and click Edit to modify the entry’s settings.

Remove To remove a member interface, select it and click Remove.

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

5.6.2 How to Configure Multi-WAN for Load Balancing and Failover

This example shows you how to configure multi-WAN for three WAN connections: an Ethernet WAN

connection, an ADSL WAN connection, and a 3G/4G (mobile) WAN connection. The available

bandwidth for the Ethernet WAN connection is 3 Mbps, and the available bandwidth for the ADSL WAN

connection is 1 Mbps.

As these two wired WAN connections have different bandwidths, you can set multi-WAN to send traffic

over these WAN connections in a 3:2 ratio. Most 3G/4G WAN connections charge the user for the

amount of data sent, so you can set multi-WAN to send traffic over the 3G/4G WAN connection only if

all other WAN connections are unavailable.

Move To move an interface to a different number in the list, click the Move icon. In the field that

appears, specify the number to which you want to move the interface.

#This column displays the priorities of the group’s interfaces. The order of the interfaces in the list is

important since they are used in the order they are listed.

Member Click this table cell and select an interface to be a group member.

Mode Click this table cell and select Active to have the SBG always attempt to use this connection.

Select Passive to have the SBG only use this connection when all of the connections set to

active are down. You can only set one of a group’s interfaces to passive mode.

Weight This field displays with the weighted round robin load balancing algorithm. Specify the weight

(1~10) for the interface. The weights of the different member interfaces form a ratio.This ratio

determines how much traffic the SBG assigns to each member interface.The higher an

interface’s weight is (relative to the weights of the interfaces), the more sessions that interface

should handle.

Ingress

Bandwidth

This field displays with the least load first load balancing algorithm. It displays the maximum

number of kilobits of data the SBG is to allow to come in through the interface per second.

Note: You can configure the bandwidth of an interface in the corresponding

interface edit screen.

Egress

Bandwidth

This field displays with the least load first or spillover load balancing algorithm. It displays the

maximum number of kilobits of data the SBG is to send out through the interface per second.

Note: You can configure the bandwidth of an interface in the corresponding

interface edit screen.

Total Bandwidth This field displays with the spillover load balancing algorithm. It displays the maximum number of

kilobits of data the SBG is to send out and allow to come in through the interface per second.

Note: You can configure the bandwidth of an interface in the corresponding

interface edit screen.

Spillover This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth

of traffic in kilobits per second (1~1048576) to send out through the interface before using

another interface. When this spillover bandwidth limit is exceeded, the SBG sends new session

traffic through the next interface. The traffic of existing sessions still goes through the interface on

which they started.

The SBG uses the group member interfaces in the order that they are listed.

OK Click OK to save your changes back to the SBG.

Cancel Click Cancel to exit this screen without saving.

Table 16 Multi-WAN: Edit (continued)

LABEL DESCRIPTION

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

5.6.2.1 Configuring Multi-WAN

1Click Configuration > WAN / Internet > Multi-WAN > Edit. By default, all available WAN connections on

the SBG are in active mode with a weight of 1, except for the mobile WAN connection which is set to

passive mode.

2Select the Ethernet WAN (WAN1) connection and click Edit. Change the weight field to 3 and change

ADSL’s weight to 2. Click the OK button.

3You have finished the configuration. When both the Ethernet WAN and ADSL connections are up, the

SBG will send traffic over these two connections in a 3:2 ratio. When only one of these two connections

are up, the SBG will use that connection exclusively. Only when both of these two connections are

down will the SBG use the mobile WAN connection.

5.6.2.2 What Can Go Wrong?

• There can only be one WAN connection configured as passive mode at a time. If there is already a

WAN connection configured as passive mode, you will not be able to add or edit another WAN

connection in passive mode until the first WAN connection is changed to active mode or deleted.

• The SBG will automatically add newly created WAN connections (from the WAN / Internet > WAN

Setup screen) to the multi-WAN configuration as active mode with a weight of 1. If you are creating a

new WAN connection for other purposes (such as exclusive VPN use), you will need to delete that

WAN connection from the multi-WAN configuration. Deleting a WAN connection from the multi-WAN

screen does not delete the WAN connection from the WAN Setup page.

• A WAN connection can only be listed once in the multi-WAN configuration table.

5.7 The Dynamic DNS screen

Use this screen to change your SBG’s DDNS. Click Configuration > WAN / Internet > Dynamic DNS. The

screen appears as shown.

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

Figure 57 Configuration > WAN / Internet > Dynamic DNS

The following table describes the labels in this screen.

5.7.1 Edit Dynamic DNS

Click Add or select an existing dynamic DNS and click Edit in the Dynamic DNS screen to configure it.

Table 17 Configuration > WAN / Internet > Dynamic DNS

LABEL DESCRIPTION

Dynamic DNS

Add Click this to add a dynamic DNS.

Edit Select an entry and click Edit to modify the dynamic DNS’s settings.

Remove To remove an Dynamic DNS, select it and click Remove.

Multiple Entries Turn On Select one or more dynamic DNS entries and click this to enable them.

Multiple Entries Turn Off Select one or more dynamic DNS entries and click this to disable them.

# This is the number of an individual dynamic DNS.

Status This field displays whether the dynamic DNS is active or not. A green ON button

signifies that this dynamic DNS is active. A gray OFF button signifies that this dynamic

DNS is not active.

Profile Name This field displays the descriptive profile name for this entry.

DDNS Server This shows your Dynamic DNS service provider.

Domain Name This shows the domain name assigned to your SBG by your Dynamic DNS provider.

Interface This field displays the interface to use for updating the IP address mapped to the

domain name.

Current IP This shows the IP address your Dynamic DNS provider has currently associated with

the Profile Name.

Result Accept - displays when DDNS profile was updated to server successfully.

Not Accept - displays when DDNS profile is there was a problem during sync process.

Time This shows the last time the IP address the Dynamic DNS provider has associated with

the profile name was updated.

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

Figure 58 Dynamic DNS: Add/Edit

The following table describes the labels on this screen.

Table 18 Dynamic DNS: Add/Edit

LABEL DESCRIPTION

Enable Select Enable to use this dynamic DNS.

General

Profile Name When you are adding a dynamic DNS entry, type a descriptive name for this DDNS

entry in the SBG. You may use 1-32 alphanumeric characters, underscores(_), or

dashes (-), but the first character cannot be a number. This value is case-sensitive.

DDNS Type Select your Dynamic DNS service provider from the drop-down list box.

DDNS Account

Username Type the user name used when you registered your domain name. You can use up

to 32 alphanumeric characters and the underscore. Spaces are not allowed.

Password Type the password provided by the DDNS provider. You can use up to 32

alphanumeric characters and the underscore. Spaces are not allowed.

DDNS Settings

Domain Name Type the domain name you registered. You can use up to 256 alphanumeric

characters.

Primary Binding Address

Interface Select the interface to use for updating the IP address mapped to the domain

name.

Enable Wildcard Option Select the check box to enable DynDNS Wildcard.

Enable the wildcard feature to alias subdomains to be aliased to the same IP

address as your (dynamic) domain name. This feature is useful if you want to be able

to use, for example, www.yourhost.dyndns.org and still reach your hostname.

Enable off line Option (only

applies to custom DNS)

This option applies for custom DNS. Check with your Dynamic DNS service provider to

have traffic redirected to a URL (that you can specify) while you are off line.

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

5.8 The xDSL Advanced screen

Use the xDSL Advanced screen to enable or disable PTM over ADSL, Annex M, and DSL PhyR functions.

The SBG supports the PhyR retransmission scheme. PhyR is a retransmission scheme designed to provide

protection against noise on the DSL line. It improves voice, video and data transmission resilience by

utilizing a retransmission buffer.

Click Configuration > WAN / Internet > xDSL Advanced to display the following screen.

Figure 59 Configuration > WAN / Internet > xDSL Advanced

OK Click OK to save your changes back to the SBG and exit this screen.

Cancel Click Cancel to exit this screen without saving.

Table 18 Dynamic DNS: Add/Edit

LABEL DESCRIPTION

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

The following table describes the labels in this screen.

Table 19 Configuration > WAN / Internet > xDSL Advanced

LABEL DESCRIPTION

DSL Capabilities

PhyR US Enable or disable PhyR US (upstream) for upstream transmission to the WAN. PhyR US should be

enabled if data being transmitted upstream is sensitive to noise. However, enabling PhyR US can

decrease the US line rate. Enabling or disabling PhyR will require the CPE to retrain. For PhyR to

function, the DSLAM must also support PhyR and have it enabled.

PhyR DS Enable or disable PhyR DS (downstream) for downstream transmission from the WAN. PhyR DS

should be enabled if data being transmitted downstream is sensitive to noise. However,

enabling PhyR DS can decrease the DS line rate. Enabling or disabling PhyR will require the CPE

to retrain. For PhyR to function, the DSLAM must also support PhyR and have it enabled.

Bitswap Enable to allow the SBG to adapt to line changes when you are using G.dmt.

Bit-swapping is a way of keeping the line more stable by constantly monitoring and redistributing

bits between channels.

SRA Enable or disable Seamless Rate Adaption (SRA). Enable to have the SBG automatically adjust

the connection’s data rate according to line conditions without interrupting service.

ADSL Modulation

PTM over ADSL Enable to use PTM over ADSL. Since PTM has less overhead than ATM, some ISPs use PTM over

ADSL for better performance.

G.dmt ITU G.992.1 (better known as G.dmt) is an ITU standard for ADSL using discrete multitone

modulation. G.dmt full-rate ADSL expands the usable bandwidth of existing copper telephone

lines, delivering high-speed data communications at rates up to 8 Mbit/s downstream and 1.3

Mbit/s upstream.

G.lite ITU G.992.2 (better known as G.lite) is an ITU standard for ADSL using discrete multitone

modulation. G.lite does not strictly require the use of DSL filters, but like all variants of ADSL

generally functions better with splitters.

T1.413 ANSI T1.413 is a technical standard that defines the requirements for the single asymmetric

digital subscriber line (ADSL) for the interface between the telecommunications network and

the customer installation in terms of their interaction and electrical characteristics.

ADSL2 It optionally extends the capability of basic ADSL in data rates to 12 Mbit/s downstream and,

depending on Annex version, up to 3.5 Mbit/s upstream (with a mandatory capability of ADSL2

transceivers of 8 Mbit/s downstream and 800 kbit/s upstream).

Annex L Annex L is an optional specification in the ITU-T ADSL2 recommendation G.992.3 titled Specific

requirements for a Reach Extended ADSL2 (READSL2) system operating in the frequency band

above POTS, therefore it is often referred to as Reach Extended ADSL2 or READSL2.The main

difference between this specification and commonly deployed Annex A is the maximum

distance that can be used. The power of the lower frequencies used for transmitting data is

boosted up to increase the reach of this signal up to 7 kilometers (23,000 ft).

ADSL2+ ADSL2+ extends the capability of basic ADSL by doubling the number of downstream channels.

The data rates can be as high as 24 Mbit/s downstream and up to 1.4 Mbit/s upstream

depending on the distance from the DSLAM to the customer's premises.

Annex M You can enable Annex M for the SBG to use double upstream mode to increase the maximum

upstream transfer rate.

VDSL Profile VDSL2 profiles differ in the width of the frequency band used to transmit the broadband

signal.Profiles that use a wider frequency band can deliver higher maximum speeds.

8a, 8b, 8c, 8d,

12a, 12b, 17a,

US0, 30a

The G.993.2 VDSL standard defines a wide range of profiles that can be used in different VDSL

deployment settings, such as in a central office, a street cabinet or a building.

The SBG must comply with at least one profile specified in G.993.2. but compliance with more

than one profile is allowed.

Apply Click Apply to save your changes back to the SBG.

Reset Click this button to return the screen to its last-saved settings.

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

5.9 Technical Reference

The following section contains additional technical information about the SBG features described in this

chapter.

Encapsulation

Be sure to use the encapsulation method required by your ISP. The SBG can work in bridge mode or

routing mode. When the SBG is in routing mode, it supports the following methods.

IP over Ethernet

IP over Ethernet (IPoE) is an alternative to PPPoE. IP packets are being delivered across an Ethernet

network, without using PPP encapsulation. They are routed between the Ethernet interface and the

WAN interface and then formatted so that they can be understood in a bridged environment. For

instance, it encapsulates routed Ethernet frames into bridged Ethernet cells.

PPP over ATM (PPPoA)

PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5). A PPPoA connection

functions like a dial-up Internet connection. The SBG encapsulates the PPP session based on RFC 1483

and sends it through an ATM PVC (Permanent Virtual Circuit) to the Internet Service Provider’s (ISP)

DSLAM (digital access multiplexer). Please refer to RFC 2364 for more information on PPPoA. Refer to RFC

1661 for more information on PPP.

PPP over Ethernet (PPPoE)

Point-to-Point Protocol over Ethernet (PPPoE) provides access control and billing functionality in a

manner similar to dial-up services using PPP. PPPoE is an IETF standard (RFC 2516) specifying how a

personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection.

For the service provider, PPPoE offers an access and authentication method that works with existing

access control systems (for example RADIUS).

One of the benefits of PPPoE is the ability to let you access one of multiple network services, a function

known as dynamic service selection. This enables the service provider to easily create and offer new IP

services for individuals.

Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific

configuration of the broadband modem at the customer site.

By implementing PPPoE directly on the SBG (rather than individual computers), the computers on the

LAN do not need PPPoE software installed, since the SBG does that part of the task. Furthermore, with

NAT, all of the LANs’ computers will have access.

ATM Traffic Classes

These are the basic ATM traffic classes defined by the ATM Forum Traffic Management 4.0 Specification.

Constant Bit Rate (CBR)

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

Constant Bit Rate (CBR) provides fixed bandwidth that is always available even if no data is being sent.

CBR traffic is generally time-sensitive (doesn't tolerate delay). CBR is used for connections that

continuously require a specific amount of bandwidth. A PCR is specified and if traffic exceeds this rate,

cells may be dropped. Examples of connections that need CBR would be high-resolution video and

voice.

Variable Bit Rate (VBR)

The Variable Bit Rate (VBR) ATM traffic class is used with bursty connections. Connections that use the

Variable Bit Rate (VBR) traffic class can be grouped into real time (VBR-RT) or non-real time (VBR-nRT)

connections.

The VBR-RT (real-time Variable Bit Rate) type is used with bursty connections that require closely

controlled delay and delay variation. It also provides a fixed amount of bandwidth (a PCR is specified)

but is only available when data is being sent. An example of an VBR-RT connection would be video

conferencing. Video conferencing requires real-time data transfers and the bandwidth requirement

varies in proportion to the video image's changing dynamics.

The VBR-nRT (non real-time Variable Bit Rate) type is used with bursty connections that do not require

closely controlled delay and delay variation. It is commonly used for "bursty" traffic typical on LANs. PCR

and MBS define the burst levels, SCR defines the minimum level. An example of an VBR-nRT connection

would be non-time sensitive data file transfers.

Unspecified Bit Rate (UBR)

The Unspecified Bit Rate (UBR) ATM traffic class is for bursty data transfers. However, UBR doesn't

guarantee any bandwidth and only delivers traffic when the network has spare bandwidth. An example

application is background file transfer.

IP Address Assignment

A static IP is a fixed IP that your ISP gives you. A dynamic IP is not fixed; the ISP assigns you a different one

each time. The Single User Account feature can be enabled or disabled if you have either a dynamic or

static IP. However the encapsulation method assigned influences your choices for IP address and

default gateway.

Introduction to VLANs

A Virtual Local Area Network (VLAN) allows a physical network to be partitioned into multiple logical

networks. Devices on a logical network belong to one group. A device can belong to more than one

group. With VLAN, a device cannot directly talk to or hear from devices that are not in the same

group(s); the traffic must first go through a router.

In Multi-Tenant Unit (MTU) applications, VLAN is vital in providing isolation and security among the

subscribers. When properly configured, VLAN prevents one subscriber from accessing the network

resources of another on the same LAN, thus a user will not see the printers and hard disks of another user

in the same building.

VLAN also increases network performance by limiting broadcasts to a smaller and more manageable

logical broadcast domain. In traditional switched environments, all broadcast packets go to each and

every individual port. With VLAN, all broadcasts are confined to a specific broadcast domain.

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

Introduction to IEEE 802.1Q Tagged VLAN

A tagged VLAN uses an explicit tag (VLAN ID) in the MAC header to identify the VLAN membership of a

frame across bridges - they are not confined to the switch on which they were created. The VLANs can

be created statically by hand or dynamically through GVRP. The VLAN ID associates a frame with a

specific VLAN and provides the information that switches need to process the frame across the network.

A tagged frame is four bytes longer than an untagged frame and contains two bytes of TPID (Tag

Protocol Identifier), residing within the type/length field of the Ethernet frame) and two bytes of TCI (Tag

Control Information), starts after the source address field of the Ethernet frame).

The CFI (Canonical Format Indicator) is a single-bit flag, always set to zero for Ethernet switches. If a

frame received at an Ethernet port has a CFI set to 1, then that frame should not be forwarded as it is to

an untagged port. The remaining twelve bits define the VLAN ID, giving a possible maximum number of

4,096 VLANs. Note that user priority and VLAN ID are independent of each other. A frame with VID

(VLAN Identifier) of null (0) is called a priority frame, meaning that only the priority level is significant and

the default VID of the ingress port is given as the VID of the frame. Of the 4096 possible VIDs, a VID of 0 is

used to identify priority frames and value 4095 (FFF) is reserved, so the maximum possible VLAN

configurations are 4,094.

Multicast

IP packets are transmitted in either one of two ways - Unicast (1 sender - 1 recipient) or Broadcast (1

sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network -

not everybody and not just 1.

Internet Group Multicast Protocol (IGMP) is a network-layer protocol used to establish membership in a

Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over

version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed

information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of

RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to

239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast

computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of

all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP.

The address 224.0.0.2 is assigned to the multicast routers group.

At start up, the SBG queries all directly connected networks to gather group membership. After that, the

SBG periodically updates this information.

DNS Server Address Assignment

Use Domain Name System (DNS) to map a domain name to its corresponding IP address and vice versa,

for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important

because without it, you must know the IP address of a computer before you can access it.

The SBG can get the DNS server addresses in the following ways.

1The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up.

If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.

TPID

2 Bytes

User Priority

3 Bits

CFI

1 Bit

VLAN ID

12 Bits

Chapter 5 WAN/Internet

SBG5500 Series User’s Guide

2If your ISP dynamically assigns the DNS server IP addresses (along with the SBG’s WAN IP address), set the

DNS server fields to get the DNS server address from the ISP.

IPv6 Addressing

The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an

example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

IPv6 addresses can be abbreviated in two ways:

• Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be

written as 2001:db8:1a2b:15:0:0:1a2f:0.

• Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can

only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be

written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015,

2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.

IPv6 Prefix and Prefix Length

Similar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An IPv6

prefix length specifies how many most significant bits (start from the left) in the address compose the

network address. The prefix length is written as “/x” where x is a number. For example,

2001:db8:1a2b:15::1a2f:0/32

means that the first 32 bits (2001:db8) is the subnet prefix.

SBG5500 Series User’s Guide

CHAPTER 6

LAN

6.1 Overview

A Local Area Network (LAN) is a shared communication system to which many networking devices are

connected. It is usually located in one immediate area such as a building or floor of a building.

Use the LAN screens to help you configure a LAN DHCP server and manage IP addresses.

6.1.1 What You Can Do in this Chapter

• Use the LAN Status screen to show the status of interfaces currently connected to the SBG (Section 6.2

on page 87).

• Use the LAN Setup screen to set the LAN IP address, subnet mask, and DHCP settings of your SBG

(Section 6.2 on page 87).

• Use the Static DHCP screen to assign IP addresses on the LAN to specific individual computers based

on their MAC Addresses (Section 6.4 on page 94).

• Use the Additional Subnet screen to configure IP alias and public static IP (Section 6.5 on page 96).

• Use the Wake on LAN screen to remotely turn on a device on the network (Section 6.6 on page 96).

• Use the VLAN / Interface Group screen to create multiple networks on the SBG (Section 6.7 on page

98).

• Use the DNS Entry screen to view, configure or remove DNS routes (Section 6.8 on page 103).

• Use the DNS Forwarder screen to view and configure domain zone forwarder on the SBG (Section 6.9

on page 103).

SBG

Chapter 6 LAN

SBG5500 Series User’s Guide

6.1.2 What You Need To Know

6.1.2.1 About LAN

IP Address

IP addresses identify individual devices on a network. Every networking device (including computers,

servers, routers, printers, etc.) needs an IP address to communicate across the network. These

networking devices are also known as hosts.

Subnet Mask

Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet

masks to divide one network into multiple sub-networks.

DHCP

A DHCP (Dynamic Host Configuration Protocol) server can assign your SBG an IP address, subnet mask,

DNS and other routing information when it's turned on.

DNS

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice

versa. The DNS server is extremely important because without it, you must know the IP address of a

networking device before you can access it. The DNS server addresses you enter when you set up DHCP

are passed to the client machines along with the assigned IP address and subnet mask.

There are two ways that an ISP disseminates the DNS server addresses.

• The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign

up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the LAN Setup

screen.

• Some ISPs choose to disseminate the DNS server addresses using the DNS server extensions of IPCP (IP

Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances

are the DNS servers are conveyed through IPCP negotiation. The SBG supports the IPCP DNS server

extensions through the DNS proxy feature.

Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions. It does not

mean you can leave the DNS servers out of the DHCP setup under all circumstances. If your ISP gives you

explicit DNS servers, make sure that you enter their IP addresses in the LAN Setup screen.

RADVD (Router Advertisement Daemon)

When an IPv6 host sends a Router Solicitation (RS) request to discover the available routers, RADVD with

Router Advertisement (RA) messages in response to the request. It specifies the minimum and maximum

intervals of RA broadcasts. RA messages containing the address prefix. IPv6 hosts can be generated

with the IPv6 prefix an IPv6 address.

Chapter 6 LAN

SBG5500 Series User’s Guide

6.1.3 Before You Begin

Find out the MAC addresses of your network devices if you intend to add them to the DHCP Client List

screen.

6.2 The LAN Status Screen

Use the LAN Status Screen to view the status of all interfaces connected to the SBG, details about DHCP

clients. Click on Configuration > LAN / Home Network > LAN Status to open the following screen. The

tables change depending on the table you click on.

Figure 60 Configuration > LAN / Home Network > LAN Status

The following table describes the labels in the screen.

Table 20 Configuration > LAN / Home Network > LAN Status

LABEL DESCRIPTION

Refresh Click this to update the table.

LAN Status

Click this to show the interfaces currently connected to the SBG.

Name This shows the name of the LAN interface.

Status This shows Up if the SBG detect a connection through this port. Otherwise it shows

Down.

Tx Pkts This is the number of transmitted packets on this port.

Rx Pkts This is the number of received packets on this port.

Tx B/s This displays the transmission speed in bytes per second on this port.

Rx B/s This displays the reception speed in bytes per second on this port.

DHCP Client

Click this to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific

MAC addresses.

# This field is a sequential value, and it is not associated with a specific entry.

Device Name This field displays the name used to identify this device on the network (the

computer name). The SBG learns these from the DHCP client requests.“None” shows

here for a static DHCP entry.

Chapter 6 LAN

SBG5500 Series User’s Guide

6.3 The LAN Setup Screen

Use this screen to set the Local Area Network IP address and subnet mask of your SBG. Click

Configuration > LAN / Home Network to open the LAN Setup screen.

Figure 61 Configuration > LAN / Home Network > LAN Setup

The following table describes the labels in this screen.

IP Address This field displays the DHCP client’s IP address.

MAC Address This field displays the MAC address to which the IP address is currently assigned or for

which the IP address is reserved.

ARP Table

Click this to view IP-to-MAC address mapping(s).

# This is the ARP table entry number.

IP Address This is the learned IPv4 or IPv6 IP address of a device connected to a port.

MAC Address This is the MAC address of the device with the listed IP address.

Interface This is the interface used by the ARP entry.

Multicast Status

Click this to look at the current list of multicast groups the SBG has joined and which ports have joined it.

# This is the multicast status table entry number.

Type This is the protocol used by the interface.

Interface This field displays the name of an interface on the SBG that belongs to an IGMP

multicast group.

Multicast Group This field displays the name of the IGMP multicast group to which the interface

belongs.

Host This shows the clients that are part of this multicast group.

Table 20 Configuration > LAN / Home Network > LAN Status

LABEL DESCRIPTION

Table 21 Configuration > LAN / Home Network > LAN Setup

LABEL DESCRIPTION

Edit Select an entry and click Edit to modify it.

# This field is a sequential value, and it is not associated with a specific entry.

Group Name This field shows the interface group name.

Zone Name This field shows the security zone (LAN, WLAN, DMZ, or EXTRA) in which the LAN

interface is included.

IPv4 / Mask This field displays the LAN IPv4 address assigned to your SBG and the subnet mask of

your network in dotted decimal notation.

Chapter 6 LAN

SBG5500 Series User’s Guide

6.3.1 Edit LAN Setup

In Configuration > LAN / Home Network screen select an entry and click Edit to open the following

screen.

Figure 62 LAN Setup: Edit > General / IPv4

DHCP This shows whether the SBG acts as DHCP Server or DHCP Relay agent. It shows

Disable if the DHCP server has been stopped in the SBG.

IPv6 This shows the IPv6 prefix and prefix length you configured when you enable IPv6 on

the LAN interface and set

Address Assign This field displays 1 when the IPv6 address is assigned using IPv6 stateful

autoconfiguration (DHCPv6) or 0 when the SBG uses IPv6 stateless

autoconfiguration.

• Stateless: The SBG send IPv6 prefix information in router advertisements

periodically and in response to router solicitations.

• Stateful: The DHCPv6 server is enabled to have the SBG act as a DHCPv6 server

and pass IPv6 addresses to DHCPv6 clients.

Table 21 Configuration > LAN / Home Network > LAN Setup

LABEL DESCRIPTION

Chapter 6 LAN

SBG5500 Series User’s Guide

The following table describes the fields in this screen.

Table 22 LAN Setup: Edit > General / IPv4

LABEL DESCRIPTION

General

Group Name Select the interface group name for which you want to configure LAN settings. See Section 6.7

on page 98 for how to create a new interface group/VLAN.

Zone Select the security zone (LAN, WLAN, DMZ, or EXTRA) in which to include the LAN interface. A

newly created local network (interface group) belongs to the LAN zone by default.

IPv4 / IPv6 Mode Select IPv4 only if you want the SBG to run IPv4 only.

Select IPv4 IPv6 Dualstack to allow the SBG to run IPv4 and IPv6 at the same time.

IPv4 Address Setting

IP Address Enter the LAN IP address you want to assign to your SBG in dotted decimal notation, for

example, 192.168.1.1 (factory default).

Subnet Mask Type the subnet mask of your network in dotted decimal notation, for example 255.255.255.0

(factory default). Your SBG automatically computes the subnet mask based on the IP Address

you enter, so do not change this field unless you are instructed to do so.

IGMP Snooping

Enable IGMP

Snooping

Select the check box to allow the SBG to passively learn multicast group.

IGMP Mode Select Standard Mode to have the SBG forward multicast packets to a port that joins the

multicast group and broadcast unknown multicast packets from the WAN to all LAN ports.

Select Blocking Mode to have the SBG block all unknown multicast packets from the WAN.

DHCP Setting

DHCP Mode Select DHCP Server to have the SBG act as a DHCP server.

Select DHCP Relay to have the SBG act as a DHCP relay agent and forward DHCP request to the

DHCP server you specify.

Select DHCP Disable to stop the DHCP server on the SBG.

Beginning IP

Address

This field specifies the first of the contiguous addresses in the IP address pool.

Ending IP

Address

This field specifies the last of the contiguous addresses in the IP address pool.

Lease Time This is the period of time DHCP-assigned addresses use. DHCP automatically assigns IP addresses

to clients when they log in. DHCP centralizes IP address management on central computers that

run the DHCP server program. DHCP leases addresses, for a period of time, which means that

past addresses are “recycled” and made available for future reassignment to other systems.

This field is only available when you select DHCP Server in the DHCP Mode field.

DNS Server 1 Specify the IP address of the first DNS server for the DHCP clients to use. Use one of the following

ways to specify the IP address.

DNS Proxy - the clients use the IP address of the SBG LAN interface. The SBG redirects clients’ DNS

queries to a DNS server for resolving domain names.

Static - enter a static IP address.

From Wan Interface - select the WAN interface that receives the DNS server address from its

DHCP server.

Chapter 6 LAN

SBG5500 Series User’s Guide

6.3.2 Edit LAN Setup IPv6

Click the IPv6 tab in Configuration > LAN / Home Network > LAN Setup > Edit to configure IPv6 LAN

settings on the SBG. This screen is available only when you select IPv4 IPv6 Dualstack in the IPv4 / IPv6

Mode field of the LAN Setup > Edit > General / IPv4 screen.

DNS Server 2 Specify the IP address of the secondary DNS server for the DHCP clients to use. Use one of the

following ways to specify the IP address.

DNS Proxy - the clients use the IP address of the SBG LAN interface. The SBG redirects clients’ DNS

queries to a DNS server for resolving domain names.

Static - enter a static IP address.

From Wan Interface - select the WAN interface that receives the DNS server address from its

DHCP server.

Remote DHCP

Server

Enter the DHCP server’s address so the SBG forwards DHCP requests to this address.

This field is only available when you select DHCP Relay.

DHCP Option

Setup

These fields display when you select DHCP Server in the DHCP Mode field. You may need to

configure them when you have VoIP phones on your LAN.

TFTP Server

Name (option

66)

Enter the name of a TFTP server to assign it to the DHCP clients.

Bootfile Name

(option 67)

Enter the name of a bootfile to assign it to the DHCP clients.

TFTP Server

Address (option

150)

Enter the IP address of a TFTP server to assign it to the DHCP clients.

OK Click OK to save your changes.

Cancel Click Cancel to restore your previously saved settings.

Table 22 LAN Setup: Edit > General / IPv4 (continued)

LABEL DESCRIPTION

Chapter 6 LAN

SBG5500 Series User’s Guide

Figure 63 LAN Setup: Edit > IPv6

The following table describes the labels in this screen.

Table 23 Configuration > LAN / Home Network > LAN Setup: Edit > IPv6

LABEL DESCRIPTION

Link Local Address

Static IPv6 Address Prefix This shows the static IPv6 address prefix used to represent the SBG network address.

Link Local Address Type Select EUI-64 to give clients a 64-bit Extended Unique Identifier (EUI) to link locally

without DHCP.

Select Manual to manually enter an interface ID for the LAN interface’s global IPv6

address.

LAN Identifier Enter an interface ID for the LAN interface’s global IPv6 address.

IP address This field shows an IPv6 address created using the Static IPv6 Address Prefix and the

LAN Identifier you input.

Address Setting

Delegate Prefix From WAN Select this option and a WAN interface with IPv6 enabled to automatically obtain

an IPv6 network prefix from the service provider or an uplink router through the

specified WAN interface.

Chapter 6 LAN

SBG5500 Series User’s Guide

Static Select this option to configure a fixed IPv6 address for the SBG’s LAN interface.

Note: This fixed address is for local hosts to access the Web Configurator

only as the global LAN IPv6 address might be changed by your ISP

any time. This address is not the routing gateway’s address for LAN

IPv6 hosts.

Static IPv6 Address Prefix Enter the address prefix to represent the SBG’s static LAN IPv6 address.

Prefix Length If you select Static, enter the IPv6 prefix length that the SBG uses to generate the LAN

IPv6 address.

An IPv6 prefix length specifies how many most significant bits (starting from the left)

in the address compose the network address. This field displays the bit number of the

IPv6 subnet mask.

LAN Global Identifier Type Select EUI-64 to allow clients to assign themselves a 64-bit Extended Unique Identifier

(EUI) without DHCP.

Select Manual if you want to enter the LAN identifier the clients use.

LAN Identifier Enter the LAN identifier clients use without DHCP.

IP Address This field shows an IPv6 address created using the Static IPv6 Address Prefix and the

LAN Identifier you input.

Route Advertisement State

LAN Address Assign Setup Select how you want to obtain an IPv6 address:

•Stateless / Auto: The SBG uses IPv6 stateless autoconfiguration. RADVD (Router

Advertisement Daemon) is enabled to have the SBG send IPv6 prefix information

in router advertisements periodically and in response to router solicitations.

DHCPv6 server is disabled.

•Stateful / DHCP: The SBG uses IPv6 stateful autoconfiguration. The DHCPv6 server

is enabled to have the SBG act as a DHCPv6 server and pass IPv6 addresses to

DHCPv6 clients.

LAN DNS Assign Setup Select how the SBG provide DNS server and domain name information to the clients:

•From Router Advertisement: The SBG provides DNS information through router

advertisements.

•From DHCPv6 Server: The SBG provides DNS information through DHCPv6.

DHCPv6 Setting

DHCPv6 Status This shows the status of the DHCPv6. DHCPv6 Server displays if you configured the

SBG to act as a DHCPv6 server which assigns IPv6 addresses and/or DNS information

to clients.

IPv6 Start Address If DHCPv6 is enabled, specify the first IPv6 address in the pool of addresses that can

be assigned to DHCPv6 clients.

IPv6 End Address If DHCPv6 is enabled, specify the last IPv6 address in the pool of addresses that can

be assigned to DHCPv6 clients.

IPv6 Domain Name If DHCPv6 is enabled, specify the domain name to be assigned to DHCPv6 clients.

IPv6 DNS Values

IPv6 DNS Server 1-3 Select From WAN Interface if your ISP dynamically assigns IPv6 DNS server

information.

Select Static if you have the IPv6 address of a DNS server. Enter the DNS server IPv6

addresses the SBG passes to the DHCP clients.

Select DNS Proxy if you have the DNS proxy service. The SBG redirects clients’ DNS

queries to a DNS server for resolving domain names.

OK Click OK to save your changes.

Cancel Click Cancel to restore your previously saved settings.

Table 23 Configuration > LAN / Home Network > LAN Setup: Edit > IPv6

LABEL DESCRIPTION

Chapter 6 LAN

SBG5500 Series User’s Guide

6.4 The Static DHCP Screen

This table allows you to assign IP addresses on the LAN to specific individual computers based on their

MAC Addresses.

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned

at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.

Use this screen to change your SBG’s static DHCP settings. Click Configuration > LAN / Home Network >

Static DHCP to open the following screen.

Figure 64 Configuration > LAN / Home Network > Static DHCP

The following table describes the labels in this screen.

6.4.1 Edit Static DHCP

If you click Add in the Static DHCP screen or Edit next to a static DHCP entry, the following screen

displays.

Table 24 Network Setting > LAN > Static DHCP

LABEL DESCRIPTION

Add Click this to add a new static DHCP entry.

Edit Click Edit to configure a static DHCP entry.

Remove Click Remove to delete a static DHCP entry.

Multiple Entries Turn

Select one or more static DHCP entry and click this to enable them.

Multiple Entries Turn

Off

Select one or more static DHCP entry and click this to disable them.

# This is the index number of the DHCP entry.

Status This field displays whether the entry is active.

Click the slide button to turn on or turn off the entry.

MAC Address This field displays the MAC address of a computer on the LAN.

IP Address This field displays the IP address relative to the MAC address field listed above.

Chapter 6 LAN

SBG5500 Series User’s Guide

Figure 65 Static DHCP: Add/Edit

The following table describes the labels in this screen.

Table 25 Static DHCP: Add/Edit

LABEL DESCRIPTION

Static DHCP Configuration

Enable Select this to activate the rule.

Group Name Select the interface group name for which you want to configure static DHCP settings. See

Section 6.7 on page 98 for how to create a new interface group.

Select Device Info If you select Manual Input, you can manually type in the MAC address and IP address of a

computer on your LAN. You can also choose the name of a computer from the drop list and

have the MAC Address and IP Address auto-detected.

MAC Address If you select Manual Input, enter the MAC address of a computer on your LAN.

IP Address If you select Manual Input, enter the IP address that you want to assign to the computer on

your LAN with the MAC address that you will also specify.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Chapter 6 LAN

SBG5500 Series User’s Guide

6.5 The Additional Subnet Screen

Use the Additional Subnet screen to configure IP alias.

IP alias allows you to partition a physical network into different logical networks over the same Ethernet

interface. The SBG supports multiple logical LAN interfaces via its physical Ethernet interface with the

SBG itself as the gateway for the LAN network. When you use IP alias, you can also configure firewall

rules to control access to the LAN's logical network (subnet).

Click Configuration > LAN / Home Network > Additional Subnet to display the screen shown next.

Figure 66 Configuration > LAN / Home Network > Additional Subnet

The following table describes the labels in this screen.

6.6 The Wake on LAN Screen

Use this screen to turn on a device on the LAN network. To use this feature, the remote device must also

support Wake On LAN.

Table 26 Configuration > LAN / Home Network > Additional Subnet

LABEL DESCRIPTION

General

Group Name Select the interface group name for which you want to configure the IP alias settings. See

Section 6.7 on page 98 for how to create a new interface group. A newly created local network

(interface group) belongs to the LAN zone by default.

IP Alias Setup

Enable Select the check box to configure a LAN network for the SBG.

IP Address Enter the IP address of your SBG in dotted decimal notation.

Subnet Mask Your SBG will automatically calculate the subnet mask based on the IP address that you assign.

Unless you are implementing subnetting, use the subnet mask computed by the SBG.

Apply Click Apply to save your changes.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 6 LAN

SBG5500 Series User’s Guide

You need to know the MAC address of the LAN device. It may be on a label on the device or in its

documentation.

Figure 67 Configuration > LAN / Home Network > Wake on LAN

The following table describes the labels in this screen.

6.6.1 Wake On LAN: Add/Edit

Use this screen to add a device and turn it on using Wake on LAN. Click Edit to open the following

screen.

Figure 68 Wake On LAN: Edit

Table 27 Configuration > LAN / Home Network > Wake on LAN

LABEL DESCRIPTION

Add Click this to add a new device to Wake on LAN.

Remove Select a static DHCP entry and click Remove to delete it.

Wake Up Select a device and click this to enable the Wake on LAN feature.

# This field is a sequential value, and it is not associated with any entry.

Description This field shows a descriptive name for a device on the LAN network.

MAC Address This field shows the MAC address for a device on the LAN network.

Chapter 6 LAN

SBG5500 Series User’s Guide

The following table describes the labels in this screen.

6.7 The VLAN / Interface Group Screen

Use Interface Group to create multiple networks on the SBG. You can manually add a LAN interface to

a new group. Alternatively, you can have the SBG automatically add the incoming traffic and the LAN

interface on which traffic is received to an interface group when its DHCP Vendor ID option information

matches one listed for the interface group.

Use the LAN screen to configure the private IP addresses the DHCP server on the SBG assigns to the

clients in the default and/or user-defined groups. If you set the SBG to assign IP addresses based on the

client’s DHCP Vendor ID option information, you must enable DHCP server and configure LAN TCP/IP

settings for both the default and user-defined groups.

Click Configuration > LAN / Home Network > VLAN / Interface Group to open the following screen.

Figure 69 Configuration > LAN / Home Network > VLAN / Interface Group

The following table describes the labels on this screen.

Table 28 Configuration > LAN / Home Network > Wake on LAN

LABEL DESCRIPTION

Wake From

Manual Type MAC Select this to enter the MAC address of the device to turn it on remotely.

Host Profile List Select this to look at the list of hosts connected to the SBG.

Host Profile List This is drop-down list that shows the IP addresses that can be found in the SBG’s LAN

Site Host list, see Section 16.2 on page 228. Select a host and it will then

automatically update the Description and MAC address fields.

Get MAC Address From IP If you selected Manual Type MAC you can enter a device’s IP address and click Get

to obtain its MAC address.

Description Enter a descriptive name for the device you want to turn on.

MAC Address Enter the MAC address of the device to turn it on. A MAC address consists of six

hexadecimal character pairs.

Add New Host to Profile Select this check box to add this Host to the LAN Site Host list in the Maintenance >

LAN Site Host Name screen, see Section 16.2 on page 228.

Table 29 Configuration > LAN / Home Network > VLAN / Interface Group

LABEL DESCRIPTION

VLAN/ Interface Group

Add Click Add to create a new interface group.

Edit Click Edit to configure an interface group.

Chapter 6 LAN

SBG5500 Series User’s Guide

6.7.1 VLAN / Interface Group: Add/Edit

If you click Add in the VLAN / Interface Group screen or select an existing group and click Edit the screen

displays as shown below.

The screen varies depending on whether you create a VLAN Group or an Interface Group.

Figure 70 VLAN / Interface Group: Add/Edit (VLAN Group)

Remove Click Remove to delete an interface group.

# This shows the index number of the interface group.

Mode This shows VLAN when this is a VLAN group.

This shows Interface Group when this is an interface group.

Group Name This shows the descriptive name of the group.

LAN Interface This shows the LAN interfaces in the group.

Criteria This shows the filtering criteria for the group.

Table 29 Configuration > LAN / Home Network > VLAN / Interface Group

LABEL DESCRIPTION

Chapter 6 LAN

SBG5500 Series User’s Guide

100

Figure 71 VLAN / Interface Group: Add/Edit (Interface Group)

The following table describes the labels in this screen.

Table 30 VLAN / Interface Group > Add/Edit

LABEL DESCRIPTION

VLAN / Interface Group

Group Name Enter the descriptive name of the VLAN or Interface Group. You can enter up to 65

characters. You can use numbers, letters, hyphens (-) and underscores(_). Spaces

are not allowed.

Mode

VLAN Click this check box to create a VLAN group.

Interface Group (To Bridge /

Bundle WAN Interfaces)

Click this check box to create an interface group,

802.1p IEEE 802.1p defines up to 8 separate traffic types by inserting a tag into a MAC layer

frame that contains bits to define class of service.

Select the IEEE 802.1p priority (from 0 to 7) to add to traffic the SBG sends through

tagged member ports of this group. The greater the number, the higher the priority

level.

802.1q Type the VLAN ID number (from 1 to 4094) for traffic through tagged member ports

of this group. A VLAN ID cannot be assigned to more than one group.

VLAN Port Membership

Chapter 6 LAN

SBG5500 Series User’s Guide

101

6.7.1.1 Add WAN Interface Used In This Group

Click Add in the WAN Interface Used In This Group table to display the following screen.

# This shows the index number of the interface.

Interface This shows the SBG LAN interfaces.

Member Select this check box to add the LAN interface to the group. Clear the Tagged

check box to add the LAN interface as an untagged member port.

A LAN interface can be added as an untagged member port of at most one group.

Ethernet LAN interfaces that have already been added as an untagged member

port of another group will have this check box disabled. It is still possible to add these

LAN interfaces to the group as tagged member ports.

TX Tagged Select this check box to add the LAN interface to the group as a tagged member

port.

VLAN Group(s)

Add Click this to add a new VLAN group.

Remove Select a VLAN group and click this to delete it.

# This shows the index number of the VLAN group.

802.1q This shows the VLAN ID number (from 1 to 4094) for traffic through tagged member

ports of this group. A VLAN ID cannot be assigned to more than one group.

Interfaces This shows the LAN ports included in the VLAN group and if traffic leaving the port will

be tagged with the VLAN ID.

WAN Interface Used In This Group

Add Click this to add a new WAN interface for an interface group.

Remove Select a WAN interface and click this to delete it.

WAN Type This field displays the current WAN connection type.

WAN Interface This field displays the current WAN interface.

Automatically Add Clients

With The Following DHCP

Vendor IDs

Click Add to identify LAN hosts to add to the interface group by criteria such as the

type of the hardware or firmware.

Add Click this to add a new rule.

Edit Select a rule and click this to modify it.

Remove Select a rule and click this to delete it.

# This shows the index number of the rule.

Criteria This shows the filtering criteria. The LAN interface on which the matched traffic is

received will belong to this group automatically.

Wildcard Support This shows if wildcard on DHCP option 60 is enabled.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Table 30 VLAN / Interface Group > Add/Edit

LABEL DESCRIPTION

Chapter 6 LAN

SBG5500 Series User’s Guide

102

Figure 72 WAN Interface Use In This Group: Add

The following table describes the labels in this screen.

6.7.1.2 Add Clients With The Following DHCP Vendor IDs

Click Add in the Clients With The Following DHCP Vendor IDs table to display the following screen.

Figure 73 Clients With The Following DHCP Vendor IDs: Add

The following table describes the labels in this screen.

Table 31

LABEL DESCRIPTION

WAN Type Select the current WAN connection type.

WAN Interface Select the current WAN interface.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Table 32 Clients With The Following DHCP Vendor IDs: Add

LABEL DESCRIPTION

Criteria

DHCP Option 60 Select this to enter STB’s Vendor Class IDentifiers (DHCP Option 60).

Type the class vendor ID you want the SBG to add in the DHCP Discovery packets that go

to the DHCP server in the Vendor Class ID field.

Enable Wildcard Select this option to be able to use wildcards in the Vendor Class Identifier configured for

DHCP option 60.

Chapter 6 LAN

SBG5500 Series User’s Guide

103

6.8 The DNS Entry Screen

Use this screen to view and configure DNS routes on the SBG. Click Configuration > LAN / Home Network

> DNS Entry screen.

Figure 74 Configuration > LAN / Home Network > DNS Entry

The following table describes the labels in this screen.

6.9 The DNS Forwarder Screen

A domain zone forwarder contains a DNS server’s IP address. The SBG can query the DNS server to

resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified

domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw

fully qualified domain name. Use this screen to create domain zone forwarder records. Click

Configuration > LAN / Home Network > DNS Forwarder to open the following screen.

DHCP Option 61 Click this to enter the Identity Association IDentifier (IAD Option 61) of the matched traffic

such as the MAC address of the device.

Type the DHCP Unique Identifier (DUID) you want the SBG to add in the DHCP Discovery

packets that go to the DHCP server.

DHCP Option 125 Click this to enter the vendor specific information of the matched traffic, such as the

Enterprise Number, Manufacture OUI, Serial Number and Product Class of the device.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Table 32 Clients With The Following DHCP Vendor IDs: Add

LABEL DESCRIPTION

Table 33 Configuration > LAN / Home Network > DNS Entry

LABEL DESCRIPTION

Add Click this to create a new DNS rule.

Edit Click Edit to modify a DNS rule.

Remove Click Remove to delete an existing DNS rule.

# This is the index number of the rule.

Host Name This indicates the host or domain name.

IP Address This indicates the IP address assigned to this computer.

Chapter 6 LAN

SBG5500 Series User’s Guide

104

Figure 75 Configuration > LAN / Home Network > DNS Forwarder

The following table describes the labels in this screen.

6.9.1 DNS Forwarder: Add/Edit

If you click Add in the DNS Forwarder screen or select an domain zone forwarder record and click Edit,

the following screen displays.

Figure 76 DNS Forwarder: Add/Edit

Table 34 Configuration > LAN / Home Network > DNS Forwarder

LABEL DESCRIPTION

Add Click this to add a domain zone forwarder record.

Edit Select an existing domain zone forwarder record and click Edit to modify it.

Remove Click this to delete a domain zone forwarder record.

# This is the index number of the domain zone entry.

Domain Name This shows the domain zone.

Mode This shows whether the DNS server is user-designed or from the ISP.

DNS Server If the Mode is User Defined Address, this field displays the IP address of the DNS server

Interface This shows the interface through which the SBG sends DNS queries to a DNS server.

Chapter 6 LAN

SBG5500 Series User’s Guide

105

The following table describes the labels in this screen.

6.10 Technical Reference

This section provides some technical background information about the topics covered in this chapter.

6.10.1 LANs, WANs and the SBG

The actual physical connection determines whether the SBG ports are LAN or WAN ports. There are two

separate IP networks, one inside the LAN network and the other outside the WAN network as shown

next.

Figure 77 LAN and WAN IP Addresses

6.10.2 DHCP Setup

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain

TCP/IP configuration at start-up from a server. You can configure the SBG as a DHCP server or disable it.

Table 35 Configuration > LAN / Home Network > DNS Forwarder

LABEL DESCRIPTION

Domain Name Enter the domain zone in this field. A domain zone is a fully qualified domain name

without the host. For example, *.zyxel.com.tw is a wildcard domain zone for the

www.zyxel.com.tw fully qualified domain name. For example, whenever the SBG

looks up a domain name that ends in zyxel.com.tw domain name, it can send a

query to the recorded name server IP address.

DNS Server

DNS Server From ISP Select DNS Server(s) from ISP if your ISP dynamically assigns DNS server information.

You also need to select an interface through which the ISP provides the DNS server

IP address(es). The interface should be activated and set to be a DHCP client.

DNS Server Select DNS Server if you have the IP address of a DNS server. Enter the DNS server's IP

address in the field to the right. Use the Interface field to select the interface through

which the SBG sends DNS queries to a DNS server.

OK Click OK to save your customized settings and exit this screen.

Cancel Click Cancel to exit this screen without saving.

SBG

Chapter 6 LAN

SBG5500 Series User’s Guide

106

When configured as a server, the SBG provides the TCP/IP configuration for the clients. If you turn DHCP

service off, you must have another DHCP server on your LAN, or else the computer must be manually

configured.

IP Pool Setup

The SBG is pre-configured with a pool of IP addresses for the DHCP clients (DHCP Pool). See the product

specifications in the appendices. Do not assign static IP addresses from the DHCP pool to your LAN

computers.

6.10.3 DNS Server Addresses

DNS (Domain Name System) maps a domain name to its corresponding IP address and vice versa. The

DNS server is extremely important because without it, you must know the IP address of a computer

before you can access it. The DNS server addresses you enter when you set up DHCP are passed to the

client machines along with the assigned IP address and subnet mask.

There are two ways that an ISP disseminates the DNS server addresses.

• The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign

up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the DHCP Setup

screen.

• Some ISPs choose to disseminate the DNS server addresses using the DNS server extensions of IPCP (IP

Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances

are the DNS servers are conveyed through IPCP negotiation. The SBG supports the IPCP DNS server

extensions through the DNS proxy feature.

Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions. It does not

mean you can leave the DNS servers out of the DHCP setup under all circumstances. If your ISP gives

you explicit DNS servers, make sure that you enter their IP addresses in the DHCP Setup screen.

6.10.4 LAN TCP/IP

The SBG has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that

support DHCP client capability.

IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share

one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network

administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP

addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user

account and the ISP will assign you a dynamic IP address when the connection is established. If this is

the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and

you must enable the Network Address Translation (NAT) feature of the SBG. The Internet Assigned

Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use

any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number;

which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In

Chapter 6 LAN

SBG5500 Series User’s Guide

107

other words, the first three numbers specify the network number while the last number identifies an

individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember, for

instance, 192.168.1.1, for your SBG, but make sure that no other device on your network is using that IP

address.

The subnet mask specifies the network number portion of an IP address. Your SBG will compute the

subnet mask automatically based on the IP address that you entered. You don't need to change the

subnet mask computed by the SBG unless you are instructed to do otherwise.

Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the

Internet, for example, only between your two branch offices, you can assign any IP addresses to the

hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the

following three blocks of IP addresses specifically for private networks:

• 10.0.0.0 — 10.255.255.255

• 172.16.0.0 — 172.31.255.255

• 192.168.0.0 — 192.168.255.255

You can obtain your IP address from the IANA, from an ISP or it can be assigned from a private network.

If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you

with the Internet addresses for your local networks. On the other hand, if you are part of a much larger

organization, you should consult your network administrator for the appropriate IP addresses.

Note: Regardless of your particular situation, do not create an arbitrary IP address; always

follow the guidelines above. For more information on address assignment, please refer

to RFC 1597, “Address Allocation for Private Internets” and RFC 1466, “Guidelines for

Management of IP Address Space”.

SBG5500 Series User’s Guide

108

CHAPTER 7

Routing

7.1 Overview

The SBG usually uses the default gateway to route outbound traffic from computers on the LAN to the

Internet. To have the SBG send data to devices not reachable through the default gateway, use static

routes.

For example, the next figure shows a computer (A) connected to the SBG’s LAN interface. The SBG

routes most traffic from A to the Internet through the SBG’s default gateway (R1). You create one static

route to connect to services offered by your ISP behind router R2. You create another static route to

communicate with a separate network behind a router R3 connected to the LAN.

Figure 78 Example of Routing Topology

7.1.1 What You Can Do in this Chapter

• Use the Routing Status screen to view the IPv4 and IPv6 routing flow(Section 7.2 on page 109).

• Use the Policy Route screen to configure policy routing on the SBG (Section 7.3 on page 115).

• Use the Static Route screen to view and set up static routes on the SBG (Section 7.4 on page 118).

• Use the RIP screen to set up RIP settings on the SBG (Section 7.5 on page 120).

SBG

Chapter 7 Routing

SBG5500 Series User’s Guide

109

7.2 The Routing Status Screen

The Routing Status screen allows you to view the current routing flow and quickly link to specific routing

settings. Click a function box in the Routing Flow section, the related routes (activated) will display in the

Routing Table section. To access this screen, click Configuration > Routing > Routing Status.

Note: Once a packet matches the criteria of a routing rule, the SBG takes the corresponding

action and does not perform any further flow checking.

Figure 79 Configuration > Routing > Routing Status (IPsec)

Figure 80 Configuration > Routing > Routing Status (Direct Route)

Chapter 7 Routing

SBG5500 Series User’s Guide

110

Figure 81 Configuration > Routing > Routing Status (Policy Route)

Figure 82 Configuration > Routing > Routing Status (L2TP Server)

Figure 83 Configuration > Routing > Routing Status (PPTP Route)

Chapter 7 Routing

SBG5500 Series User’s Guide

111

Figure 84 Configuration > Routing > Routing Status (Static Route)

Figure 85 Configuration > Routing > Routing Status (Dynamic Route (RIP))

Chapter 7 Routing

SBG5500 Series User’s Guide

112

Figure 86 Configuration > Routing > Routing Status (Multi-WAN)

Figure 87 Configuration > Routing > Routing Status (Main Table)

Chapter 7 Routing

SBG5500 Series User’s Guide

113

Figure 88 Configuration > Routing > Routing Status (Address Mapping (1-1 SNAT))

The following table describes the labels in this screen.

Table 36 Configuration > Routing > Routing Status

LABEL DESCRIPTION

Routing Flow This section shows you the flow of how the SBG determines where to route a packet.

Click a function box to display the related settings in the next section.

This section shows the corresponding settings according to the function box you

click in the Routing Flow section.

The following fields are available if you click IPsec in the Routing Flow section.

# This is the IPsec VPN policy index number.

VPN Connection This field displays the identification name for this VPN policy.

Local Policy This field displays the local policy.

Remote Policy This field displays the remote policy.

The following fields are available if you click Direct Route in the Routing Flow section.

Destination This is the destination IP address of a route.

Subnet Mask This is the subnet mask of a route.

Interface This is the name of an interface associated with the route.

The following fields are available if you click Policy Route in the Routing Flow section.

# This is the number of an individual policy route.

Status This field displays whether the policy route is active or not. A lit light bulb signifies that

this route is active. A gray light bulb signifies that this route is not active.

Name This field displays the descriptive name of the policy route.

Source IP This is the name of the source IP address (group) object. Any means all IP addresses.

Destination IP This is the name of the destination IP address (group) object. Any means all IP

addresses.

Source Port This displays the port (0-65535) the source IP address(es) are using in this policy route

rule.

Destination Port This displays the port (0-65535) the destination IP address(es) are using in this policy

route rule.

Protocol This shows the kind of protocol used by this policy route rule (TCP, UDP or None).

Next-Hop This is the next hop to which packets are directed. It helps forward packets to their

destinations and can be a router, VPN tunnel, outgoing interface or trunk.

The following fields are available if you click L2TP Server and PPTP Route in the Routing Flow section.

# This is the PPTP/L2TP VPN policy index number.

Chapter 7 Routing

SBG5500 Series User’s Guide

114

Destination This is the original destination IP address(es) to which the packets are transmitted.

Username This field displays the client’s login name for this connection.

Host Name This is the client's host name of this connection.

The following fields are available if you click Static Route in the Routing Flow section.

# This is the number of an individual static route.

Status This field displays whether the static route is active or not. A lit light bulb signifies that

this route is active. A gray light bulb signifies that this route is not active.

Name This field displays the descriptive name of the static route.

Destination IP This is the destination IP address. Any means all IP addresses.

Subnet Mask / Prefix Length This parameter specifies the IP network subnet mask and prefix length of the final

destination.

Gateway IP This is the IP address of the gateway. The gateway is a router or switch on the same

network segment as the device's LAN or WAN port. The gateway helps forward

packets to their destinations.

Interface This is the WAN interface used for this static route.

The following fields are available if you click Dynamic Route (RIP) in the Routing Flow section.

# This is the number of an individual dynamic route.

Destination This indicates the destination IP address of this route.

Gateway IP This indicates the IP address of the gateway that helps forward this route’s traffic.

Interface This indicates the name of the interface through which the route is forwarded.

Protocol This shows the kind of protocol used by this route rule (TCP, UDP or None).

Metric This is the route’s priority among the displayed routes.

The following fields are available if you click Multi-WAN in the Routing Flow section.

Name This is the name to identify the trunk.

Load Balancing Algorithm This shows the load balancing method used by the trunk.

# This field is a sequential value, and it is not associated with any interface.

Member This field displays the member interface of the trunk.

Mode This field displays Active when the SBG always attempt to use this connection.

Displays Passive to have the SBG only use this connection when all of the

connections set to active are down.

Weight This field displays with the weighted round robin load balancing algorithm.

The following fields are available if you click Main Table in the Routing Flow section

Destination This indicates the destination IPv4 address or IPv6 address and prefix of this route.

Gateway IP This indicates the IPv4 or IPv6 address of the gateway that helps forward this route’s

traffic.

Subnet Mask This indicates the destination subnet mask of the IPv4 route.

Table 36 Configuration > Routing > Routing Status

LABEL DESCRIPTION

Chapter 7 Routing

SBG5500 Series User’s Guide

115

7.3 The Policy Route Screen

Click Configuration > Routing to open the Policy Route screen. Use this screen to see the configured

policy routes and turn policy routing based bandwidth management on or off.

A policy route defines the matching criteria and the action to take when a packet meets the criteria.

The action is taken only when all the criteria are met. The criteria can include the user name, source

address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and

port.

The actions that can be taken include:

• Routing the packet to a different gateway, outgoing interface, VPN tunnel, or trunk.

• Limiting the amount of bandwidth available and setting a priority for traffic.

IPPR follows the existing packet filtering facility of RAS in style and in implementation. If you enabled IPv6

you can also configure policy routes used for your IPv6 networks on this screen.

Flag This indicates the route status.

U-Up: The route is up.

UC-Up Cache: The route is up and it is a cache entry.

!-Reject: The route is blocked and will force a route lookup to fail.

G-Gateway: The route uses a gateway to forward traffic.

H-Host: The target of the route is a host.

R-Reinstate: The route is reinstated for dynamic routing.

D-Dynamic (redirect): The route is dynamically installed by a routing daemon or

redirect.

M-Modified (redirect): The route is modified from a routing daemon or redirect.

Metric The metric represents the “cost of transmission”. A router determines the best route

for transmission by choosing a path with the lowest “cost”. The smaller the number,

the lower the “cost”. This is the route’s priority among the displayed routes.

Interface This indicates the name of the interface through which the route is forwarded.

The following fields are available if you click Address Mapping (1-1 SNAT) in the Routing Flow section

# This is the index number of the rule.

WAN Interface This shows the WAN interface through which the address mapping is forwarded.

Internal beginning IP This is the starting Inside Local IP Address (ILA).

External Beginning IP This is the starting Inside Global IP Address (IGA).

Table 36 Configuration > Routing > Routing Status

LABEL DESCRIPTION

Chapter 7 Routing

SBG5500 Series User’s Guide

116

Figure 89 Configuration > Routing > Policy Route

The following table describes the labels in this screen.

7.3.1 Add/Edit Policy Route

Click Add in the Policy Route screen or click the Edit. Use this screen to configure the required

information for a policy route.

Table 37 Configuration > Routing > Policy Route

LABEL DESCRIPTION

IPv4 / IPv6 Routing Table

Add Click this to create a new entry. Select an entry and click Add to create a new entry after the

selected entry.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify the

entry’s settings.

Remove To remove an existing entry, select it and click Remove.

#This is the number of an individual policy route.

Status This field displays whether the policy route is active or not. A green ON button signifies that this

route is active. A gray OFF button signifies that this route is not active.

Click the slide button to enable and disable the policy router.

Name This field displays the descriptive name of the policy route.

Source IP This is the source IP address(es) from which the packets are sent. Any means all IP addresses.

Destination IP This is the destination IP address(es) to which the packets are transmitted. Any means all IP

addresses.

Source Port This displays the port(0-65535) the source IP address(es) are using in this policy route rule.

Destination Port This displays the port(0-65535) the destination IP address(es) are using in this policy route rule.

Source MAC This displays the source MAC address. Blank space means all MAC addresses.

Destination

MAC

This displays the destination MAC address. Blank space means all MAC addresses.

Protocol This shows the kind of protocol used by this policy route rule (TCP, UDP or None).

Next Hop This is the next hop to which packets are directed. It helps forward packets to their destinations

and can be a router, VPN tunnel, outgoing interface or trunk.

Chapter 7 Routing

SBG5500 Series User’s Guide

117

Figure 90 Policy Route: Add/Edit

The following table describes the labels in this screen.

Table 38 Policy Route: Add/Edit (Sheet 1 of 2)

LABEL DESCRIPTION

Configuration

Enable Select this to activate the policy route.

Policy Name Enter a descriptive name for the policy. It should begin with a letter and cannot exceed 31

characters [0-9][A-Z] [a-z][_-].

Order Select an existing number for where you want to put this policy route to move the policy route to

the number you selected after clicking OK. Ordering your rules is important because the SBG

applies the rules in the order that you specify.

Criteria

Source Use this section to configure where the packets are coming from in this policy route.

Address Select Any if the policy route will receive packets from all IP addresses. Select IP Address to

specify the source IP address. Otherwise, select Subnet to specify the source subnet mask.

IP Address Enter a source IP address object from which the packets are sent.

Subnet Mask Enter a subnet mask address object from which the packets are sent.

MAC

Address Enter a MAC address object from which the packets are sent.

Source Port Enter the port number (1-65535) from which the packets are sent. The SBG applies the policy

route to the packets sent from the corresponding service port. Any means all service ports.

Destination Use this section to configure where the packets are going from in this policy route.

Chapter 7 Routing

SBG5500 Series User’s Guide

118

7.4 The Static Route Screen

Use this screen to view and configure the static route rules on the SBG. Click Configuration > Routing >

Static Route to open the following screen.

Figure 91 Configuration > Routing > Static Route

Address Select Any if the policy route packets will go to all IP addresses. Otherwise select IP Address to

specify the destination IP address, or select Subnet to specify the destination subnet mask.

IP Address Enter a source IP address object to which the packets go.

Subnet Mask Enter a subnet mask address object to which the packets go.

MAC

Address Enter a MAC address object to which the packets go.

Destination

Port Enter the port number (1-65535) to which the packets go. The SBG applies the policy route to the

packets that go to the corresponding service port. Any means all service ports.

Protocol Select TCP or UDP if you want to specify a protocol for the policy route. Otherwise select None.

Next-Hop

WAN Interface Select the WAN interface to route the matched packets through the specified outgoing

interface to a gateway (which is connected to the interface).

Advanced

Disable this

policy rule

automatically

while the

selected next-

hop is

unreachable

Select this if you want the SBG to disable a policy rule if next-hop is unreachable.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Table 38 Policy Route: Add/Edit (Sheet 2 of 2)

LABEL DESCRIPTION

Chapter 7 Routing

SBG5500 Series User’s Guide

119

The following table describes the labels in this screen.

7.4.1 Add/Edit Static Route

Use this screen to add or edit a static route. Click Add new static route in the Routing screen or the Edit

icon next to the static route you want to edit. The screen shown next appears.

Figure 92 Static Route: Add/Edit

Table 39 Configuration > Routing > Static Route

LABEL DESCRIPTION

IPv4 / IPv6 Routing Table

Add Click this to configure a new static route.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify the

static route’s settings.

Click the slide button to enable and disable the static router.

Remove To remove an existing static route, select it and click Remove.

Multiple Entries

Turn On

Select one or more static routes and click this to enable them.

Multiple Entries

Turn Off

Select one or more static route and click this to disable them.

#This is the index number of the static route.

Status This field displays whether the static route is active or not. A green ON button signifies that this

static route is active. A gray OFF button signifies that this static route is not active.

Name This is the name that describes or identifies this route.

Destination IP This parameter specifies the IP network address of the final destination. Routing is always based

on network number.

Subnet Mask /

Prefix Length

This parameter specifies the IP network subnet mask and prefix length of the final destination.

Gateway IP This is the IP address of the gateway. The gateway is a router or switch on the same network

segment as the device's LAN or WAN port. The gateway helps forward packets to their

destinations.

Interface This is the WAN interface used for this static route.

Chapter 7 Routing

SBG5500 Series User’s Guide

120

The following table describes the labels in this screen.

7.5 The RIP Screen

Routing Information Protocol (RIP, RFC 1058 and RFC 1389) allows a device to exchange routing

information with other routers.

Click Configuration > Routing > RIP to open the RIP screen.

Table 40 Routing: Add/Edit

LABEL DESCRIPTION

Enable This field allows you to activate/deactivate this static route.

Select this to enable the static route. Clear this to disable this static route without having to

delete the entry.

Route Name Enter a descriptive name for the static route.

Destination IP

Address

Enter the IPv4 or IPv6 network address of the final destination.

Subnet Mask Enter the IP subnet mask here.

If you are using IPv4 and need to specify a route to a single host, use a subnet mask of

255.255.255.255 in the subnet mask field to force the network number to be identical to the host

ID.

Prefix Length Enter the IPv6 prefix length that specifies how many most significant bits (starting from the left) in

the address compose the network address.

Use Gateway IP

Address

The gateway is a router or switch on the same network segment as the device's LAN or WAN

port. The gateway helps forward packets to their destinations.

Select this if you want to use the gateway IP address.

Gateway IP Enter the IP address of the gateway.

Use Interface Select the WAN interface you want to use for this static route.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Chapter 7 Routing

SBG5500 Series User’s Guide

121

Figure 93 Configuration > Routing > RIP

The following table describes the labels in this screen.

Table 41 Configuration > Routing > RIP

LABEL DESCRIPTION

#This is the index number of the entry.

Interface This is the name of the interface in which the RIP setting is used.

Version The RIP version controls the format and the broadcasting method of the RIP packets that the

SBG sends (it recognizes both formats when receiving). RIP version RIPv1 is universally

supported but RIP version RIPv2 carries more information. RIP version RIPv1 is probably

adequate for most networks, unless you have an unusual network topology.

Operation Select Passive to have the SBG update the routing table based on the RIP packets received

from neighbors but not advertise its route information to other routers in this interface.

Select Active to have the SBG advertise its route information and also listen for routing

updates from neighboring routers.

Enabled Select the check box to activate the settings.

Routing Rule List This shows the destination IP address and subnet mask of the routing entries.

Deny Select the check box to deny routing entries to report (send out) through the interfaces.

Apply Click Apply to save your changes.

Cancel Click Cancel to exit this screen without saving.

SBG5500 Series User’s Guide

122

CHAPTER 8

Network Address Translation

(NAT)

8.1 Overview

This chapter discusses how to configure NAT on the SBG. NAT (Network Address Translation - NAT, RFC

1631) is the translation of the IP address of a host in a packet, for example, the source address of an

outgoing packet, used within one network to a different IP address known within another network.

8.1.1 What You Can Do in this Chapter

• Use the Port Forwarding screen to configure forward incoming service requests to the server(s) on your

local network (Section 8.2 on page 123).

• Use the Port Triggering screen to add and configure the SBG’s trigger port settings (Section 8.3 on

page 126).

• Use the Address Mapping screen to configure the SBG's address mapping settings (Section 8.4 on

page 129).

• Use the Default Server screen to configure a default server (Section 8.5 on page 131).

• Use the ALG screen to enable and disable the NAT and SIP (VoIP) ALG in the SBG (Section 8.6 on

page 133).

8.1.2 What You Need To Know

Inside/Outside

Inside/outside denotes where a host is located relative to the SBG, for example, the computers of your

subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.

Global/Local

Global/local denotes the IP address of a host in a packet as the packet traverses a router, for example,

the local address refers to the IP address of a host when the packet is in the local network, while the

global address refers to the IP address of the host when the same packet is traveling in the WAN side.

NAT

In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the

inside local address) to another (the inside global address) before forwarding the packet to the WAN

side. When the response comes back, NAT translates the destination address (the inside global address)

back to the inside local address before forwarding it to the original inside host.

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

123

Port Forwarding

A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you

can make visible to the outside world even though NAT makes your whole inside network appear as a

single computer to the outside world.

Finding Out More

See Section 8.7 on page 134 for advanced technical information on NAT.

8.2 The Port Forwarding Screen

Use the Port Forwarding screen to forward incoming service requests to the server(s) on your local

network.

You may enter a single port number or a range of port numbers to be forwarded, and the local IP

address of the desired server. The port number identifies a service; for example, web service is on port 80

and FTP on port 21. In some cases, such as for unknown services or where one server can support more

than one service (for example both FTP and web service), it might be better to specify a range of port

numbers. You can allocate a server IP address that corresponds to a port or a range of ports.

Please refer to RFC 1700 for further information about port numbers.

Note: Many residential broadband ISP accounts do not allow you to run any server processes

(such as a Web or FTP server) from your location. Your ISP may periodically check for

servers and may suspend your account if it discovers any active services at your

location. If you are unsure, refer to your ISP.

Configuring Servers Behind Port Forwarding (Example)

Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to

another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the

example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network

appears as a single host on the Internet.

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

124

Figure 94 Multiple Servers Behind NAT Example

Click Configuration > NAT > Port Forwarding to open the following screen.

Figure 95 Configuration > NAT > Port Forwarding

The following table describes the fields in this screen.

Table 42 Configuration > NAT > Port Forwarding

LABEL DESCRIPTION

Add Click this to add a new rule.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify the rule’s

settings.

Remove To remove an existing rule, select it and click Remove.

#This is the index number of the rule.

Status This field displays whether the rule is active or not. A green ON button signifies that this rule is

active. A gray OFF button signifies that this rule is not active.

Click the slide button to turn on or turn off the rule.

Firewall This shows a firewall exception icon if there is an exception filter rule on the SBG firewall for this

port forwarding rule, otherwise this field is empty.

Service Name This shows the service’s name.

Protocol This shows the IP protocol supported by this virtual server, whether it is TCP, UDP, or TCP/UDP.

WAN Interface This shows the WAN interface through which the service is forwarded.

WAN IP This field displays the incoming packet’s destination IP address.

Starting Port This is the first external port number that identifies a service.

SBG

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

125

8.2.1 Add/Edit Port Forwarding

Click Add in the Port Forwarding screen or select an existing rule and click Edit to open the following

screen.

Figure 96 Port Forwarding: Add/Edit

The following table describes the labels in this screen.

Ending Port This is the last external port number that identifies a service.

LAN IP Address This is the service’s internal IP address.

Translation Start

Port

This is the first internal port number that identifies a service.

Translation End

Port

This is the last internal port number that identifies a service.

Table 42 Configuration > NAT > Port Forwarding (continued)

LABEL DESCRIPTION

Table 43 Port Forwarding: Add/Edit

LABEL DESCRIPTION

Enable Clear the check box to inactivate the rule. Select the check box to activate it.

Add Exception

to Firewall

Select this option to create an incoming filter rule in the Firewall to allow the packets.

Service Name Enter a name to identify this rule using keyboard characters (A-Z, a-z, 1-2 and so on).

Protocol Select the protocol supported by this virtual server. Choices are TCP, UDP, or TCP/UDP.

WAN Interface Select the WAN interface through which the service is forwarded.

You must have already configured a WAN connection with NAT enabled.

From WAN Site

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

126

8.3 The Port Triggering Screen

Some services use a dedicated range of ports on the client side and a dedicated range of ports on the

server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in

from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that

port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a

different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding

port with another LAN computer's IP address.

Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns

using the service. The SBG records the IP address of a LAN computer that sends traffic to the WAN to

request a service with a specific port number and protocol (a “trigger” port). When the SBG's WAN port

receives a response with a specific port number and protocol (“open” port), the SBG forwards the traffic

to the LAN IP address of the computer that sent the request. After that computer’s connection for that

service closes, another computer on the LAN can use the service in the same manner. This way you do

not need to configure a new IP address each time you want a different LAN computer to use the

application.

For example:

WAN IP Enter the WAN IP address for which the incoming service is destined. If the packet’s destination

IP address doesn’t match the one specified here, the port forwarding rule will not be applied.

Port Mapping

Type

Select Port if you only want to enter the starting port. Select Ports if you want to enter both

starting and ending ports (1-65535).

Starting Port Enter the original destination port for the packets.

To forward only one port, enter the port number again in the End Port field.

To forward a series of ports, enter the start port number here and the end port number in the End

Port field.

Ending Port Enter the last port of the original destination port range.

To forward only one port, enter the port number in the Start Port field above and then enter it

again in this field.

To forward a series of ports, enter the last port number in a series that begins with the port

number in the Start Port field above.

To LAN Site

LAN IP Address Enter the inside IP address of the virtual server here.

Translation Start

Port

This shows the port number to which you want the SBG to translate the incoming port. For a

range of ports, enter the first number of the range to which you want the incoming ports

translated.

Translation End

Port

This shows the last port of the translated port range.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Table 43 Port Forwarding: Add/Edit (continued)

LABEL DESCRIPTION

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

127

Figure 97 Trigger Port Forwarding Process: Example

1Jane requests a file from the Real Audio server (port 7070).

2Port 7070 is a “trigger” port and causes the SBG to record Jane’s computer IP address. The SBG

associates Jane's computer IP address with the “open” port range of 6970-7170.

3The Real Audio server responds using a port number ranging between 6970-7170.

4The SBG forwards the traffic to Jane’s computer IP address.

5Only Jane can connect to the Real Audio server until the connection is closed or times out. The SBG

times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control

Protocol/Internet Protocol).

Click Configuration > NAT > Port Triggering to open the following screen. Use this screen to view your

SBG’s trigger port settings.

Figure 98 Configuration > NAT > Port Triggering

The following table describes the labels in this screen.

SBG

Table 44 Network Setting > NAT > Port Triggering

LABEL DESCRIPTION

Add Click this to create a new rule.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify the rule’s

settings.

Remove To remove an existing rule, select it and click Remove.

Multiple Entries

Turn On

Select one or more rules and click this to enable them.

Multiple Entries

Turn Off

Select one or more rules and click this to disable them.

#This is the index number of the rule.

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

128

8.3.1 Add/Edit Port Triggering Rule

This screen lets you create new port triggering rules. Click Add in the Port Triggering screen or select a

rule and click Edit to open the following screen.

Figure 99 Port Triggering: Add/Edit

Status This field displays whether the rule is active or not. A green ON button signifies that this rule is

active. A gray OFF button signifies that this rule is not active.

Click the slide button to turn on or turn off the rule.

Service Name This field displays the name of the service used by this rule.

WAN Interface This field shows the WAN interface through which the service is forwarded.

Trigger Start Port The trigger port is a port (or a range of ports) that causes (or triggers) the SBG to record the IP

address of the LAN computer that sent the traffic to a server on the WAN.

This is the first port number that identifies a service.

Trigger End Port This is the last port number that identifies a service.

Trigger Protocol This is the trigger transport layer protocol.

Open Start Port The open port is a port (or a range of ports) that a server on the WAN uses when it sends out a

particular service. The SBG forwards the traffic with this port (or range of ports) to the client

computer on the LAN that requested the service.

This is the first port number that identifies a service.

Open End Port This is the last port number that identifies a service.

Open Protocol This is the open transport layer protocol.

Table 44 Network Setting > NAT > Port Triggering (continued)

LABEL DESCRIPTION

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

129

The following table describes the labels in this screen.

8.4 The Address Mapping Screen

Use this screen to change your SBG’s address mapping settings. Ordering your rules is important,

because the SBG applies the rules in the order that you specify. When a rule matches the current

packet, the SBG takes the corresponding action and the remaining rules are ignored.

Click Configuration > NAT > Address Mapping to display the following screen.

Figure 100 Configuration > NAT > Address Mapping

Table 45 Port Triggering: Configuration Add/Edit

LABEL DESCRIPTION

Enable Select the check box to activate this rule.

Service Name Enter a name to identify this rule. It should begin with a letter and cannot exceed 20 characters

[0-9][A-Z] [a-z][_-].

WAN Interface Select a WAN interface for which you want to configure port triggering rules.

Trigger

Protocol Select the transport layer protocol from TCP, UDP, or TCP/UDP.

Starting Port The trigger port is a port (or a range of ports) that causes (or triggers) the SBG to record the IP

address of the LAN computer that sent the traffic to a server on the WAN.

Type a port number or the starting port number in a range of port numbers (1-65535).

Ending Port Type a port number or the ending port number in a range of port numbers (1-65535).

Open

Protocol Select the transport layer protocol from TCP, UDP, or TCP/UDP.

Starting Port The open port is a port (or a range of ports) that a server on the WAN uses when it sends out a

particular service. The SBG forwards the traffic with this port (or range of ports) to the client

computer on the LAN that requested the service.

Type a port number or the starting port number in a range of port numbers (1-65535).

Ending Port Type a port number or the ending port number in a range of port numbers (1-65535).

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

130

The following table describes the fields in this screen.

8.4.1 Add/Edit Address Mapping Rule

To add or edit an address mapping rule, click Add or select a rule and click Edit icon in the Address

Mapping screen to display the screen shown next.

Figure 101 Address Mapping: Add/Edit

Table 46 Configuration > NAT > Address Mapping

LABEL DESCRIPTION

Add Click this to create a new address mapping rule.

Edit Double-click an address mapping rule or select it and click Edit to open a screen where you can

modify the rule’s settings.

Remove To remove an existing address mapping rule, select it and click Remove.

# This is the index number of the rule.

Type This is the address mapping type.

One-to-One: This mode maps one local IP address to one global IP address. Note that port

numbers do not change for the One-to-one NAT mapping type.

Many-to-One / Source NAT: This mode maps multiple local IP addresses to one global IP address.

This is equivalent to SUA (that is, PAT, port address translation), the SBG's Single User Account

feature that previous routers supported only.

Many-to-Many: This mode maps multiple local IP addresses to shared global IP addresses.

WAN Interface This shows the WAN interface through which the address mapping is forwarded.

Internal

Beginning IP

This is the starting Inside Local IP Address (ILA).

Internal Ending

This is the ending Inside Local IP Address (ILA). This field is blank for One-to-One mapping types.

External

Beginning IP

This is the starting Inside Global IP Address (IGA). Enter 0.0.0.0 here if you have a dynamic IP

address from your ISP. You can only do this for the Many-to-One mapping type.

External Ending

This is the ending Inside Global IP Address (IGA). This field is blank for One-to-One and Many-to-

One mapping types.

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

131

The following table describes the fields in this screen.

8.5 The Default Server Screen

In addition to the servers for specified services, NAT supports a default server IP address. A default server

receives packets from ports that are not specified in the NAT Port Forwarding Setup screen. Click

Configuration > NAT > Default Server to open the following screen.

Figure 102 Configuration > NAT > Default Server

Table 47 Address Mapping: Add/Edit

LABEL DESCRIPTION

Type Choose the IP/port mapping type from one of the following.

One-to-One: This mode maps one local IP address to one global IP address. Note that port

numbers do not change for the One-to-one NAT mapping type.

Many-to-One / Source NAT: This mode maps multiple local IP addresses to one global IP address.

This is equivalent to SUA (that is, PAT, port address translation), the SBG's Single User Account

feature that previous routers supported only.

Many-to-Many: This mode maps multiple local IP addresses to shared global IP addresses.

WAN Interface Select the WAN interface through which the service is forwarded.

Internal

Beginning IP

Address

Enter the starting Inside Local IP Address (ILA).

Ending IP

Address

Enter the ending Inside Local IP Address (ILA). This field is blank for One-to-One mapping types.

External

Beginning IP

Address

Enter the starting Inside Global IP Address (IGA). Enter 0.0.0.0 here if you have a dynamic IP

address from your ISP. You can only do this for the Many-to-One / Source NAT mapping type.

Ending IP

Address

Enter the ending Inside Global IP Address (IGA). This field is blank for One-to-One and Many-to-

One mapping types.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

132

The following table describes the labels in this screen.

8.5.1 Edit Default Server

This screen lets you edit interface groups. Select an interface and click Edit to open the following screen.

Figure 103 Default Server: Edit

The following table describes the fields in this screen.

Table 48 Configuration > NAT > Default Server

LABEL DESCRIPTION

Edit Double-click an entry or select it and click Edit to open a screen where you can modify

the default server’s IP address.

# This is the index number of the WAN interface.

WAN Interface This shows the name of the interface group that was created in the Configuration > LAN

/ Home Network > VLAN / Interface Group screen.

Default Server Address This shows the IP address of the default server.

Table 49 Default Server: Edit

LABEL DESCRIPTION

WAN Interface This shows the name of the interface group that was created in the Configuration > LAN / Home

Network > VLAN / Interface Group screen. The host must be in the same VLAN as the selected

VLAN / Interface Group.

Default Server

Address

Enter the IP address of the default server which receives packets from ports that are not

specified in the NAT Port Forwarding screen.

Note: If you do not assign a Default Server Address, the SBG discards all packets

received for ports that are not specified in the NAT Port Forwarding screen.

OK Click OK to save your changes.

Cancel Click Cancel to restore your previously saved settings.

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

133

8.6 The ALG Screen

Some NAT routers may include a SIP Application Layer Gateway (ALG). A SIP ALG allows SIP calls to pass

through NAT by examining and translating IP addresses embedded in the data stream. When the SBG

registers with the SIP register server, the SIP ALG translates the SBG’s private IP address inside the SIP data

stream to a public IP address. You do not need to use STUN or an outbound proxy if your SBG is behind a

SIP ALG.

Use this screen to enable and disable the NAT, SIP (VoIP) and/or RTSP ALG in the SBG. To access this

screen, click Configuration > NAT > ALG.

Figure 104 Configuration > NAT > ALG

The following table describes the fields in this screen.

Table 50 Configuration > NAT > ALG

LABEL DESCRIPTION

NAT ALG Enable this to make sure applications such as FTP and file transfer in IM applications work

correctly with port-forwarding and address-mapping rules.

FTP ALG Turn on the FTP ALG to detect FTP (File Transfer Program) traffic and help build FTP sessions

through the SBG’s NAT.

TFTP ALG Turn on the TFTP ALG to detect TFTP (Trivial File Transfer Protocol) traffic and help build TFTP

sessions through the SBG’s NAT.

RTSP ALG Enable this to have the SBG detect RTSP traffic and help build RTSP sessions through its NAT. The

Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the

Internet.

SIP ALG Enable this to make sure SIP (VoIP) works correctly with port-forwarding and address-mapping

rules.

H.323 ALG Turn on the H.323 ALG to detect H.323 traffic (used for audio communications) and help build

H.323 sessions through the SBG’s NAT.

PPTP ALG Turn on the PPTP ALG to detect PPTP (Point-to-point Tunneling Protocol) traffic and help build

PPTP sessions through the SBG’s NAT.

Apply Click Apply to save your changes.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

134

8.7 Technical Reference

This part contains more information regarding NAT.

8.7.1 NAT Definitions

Inside/outside denotes where a host is located relative to the SBG, for example, the computers of your

subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.

Global/local denotes the IP address of a host in a packet as the packet traverses a router, for example,

the local address refers to the IP address of a host when the packet is in the local network, while the

global address refers to the IP address of the host when the same packet is traveling in the WAN side.

Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a

host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet

when the packet is still in the local network, while an inside global address (IGA) is the IP address of the

same inside host when the packet is on the WAN side. The following table summarizes this information.

NAT never changes the IP address (either local or global) of an outside host.

8.7.2 What NAT Does

In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the

inside local address) to another (the inside global address) before forwarding the packet to the WAN

side. When the response comes back, NAT translates the destination address (the inside global address)

back to the inside local address before forwarding it to the original inside host. Note that the IP address

(either local or global) of an outside host is never changed.

The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In

addition, you can designate servers, for example, a web server and a telnet server, on your local

network and make them accessible to the outside world. If you do not define any servers (for Many-to-

One and Many-to-Many Overload mapping), NAT offers the additional benefit of firewall protection.

With no servers defined, your SBG filters out all incoming inquiries, thus preventing intruders from probing

your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address

Translator (NAT).

Table 51 NAT Definitions

ITEM DESCRIPTION

Inside This refers to the host on the LAN.

Outside This refers to the host on the WAN.

Local This refers to the packet address (source or destination) as the packet travels on the LAN.

Global This refers to the packet address (source or destination) as the packet travels on the WAN.

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

135

8.7.3 How NAT Works

Each packet has two addresses – a source address and a destination address. For outgoing packets,

the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is

the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN,

and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally

unique ones required for communication with hosts on other networks. It replaces the original IP source

address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT

mapping) in each packet and then forwards it to the Internet. The SBG keeps track of the original

addresses and port numbers so incoming reply packets can have their original values restored. The

following figure illustrates this.

Figure 105 How NAT Works

8.7.4 NAT Application

The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP

alias) behind the SBG can communicate with three distinct WAN networks.

SBG

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

136

Figure 106 NAT Application With IP Alias

Port Forwarding: Services and Port Numbers

The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further

information about port numbers. Please also refer to the Supporting CD for more examples and details

on port forwarding and NAT.

Port Forwarding Example

Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to

another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the

Table 52 Services and Port Numbers

SERVICES PORT NUMBER

ECHO 7

FTP (File Transfer Protocol) 21

SMTP (Simple Mail Transfer Protocol) 25

DNS (Domain Name System) 53

Finger 79

HTTP (Hyper Text Transfer protocol or WWW, Web) 80

POP3 (Post Office Protocol) 110

NNTP (Network News Transport Protocol) 119

SNMP (Simple Network Management Protocol) 161

SNMP trap 162

PPTP (Point-to-Point Tunneling Protocol) 1723

SBG

Chapter 8 Network Address Translation (NAT)

SBG5500 Series User’s Guide

137

example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network

appears as a single host on the Internet.

Figure 107 Multiple Servers Behind NAT Example

SBG

SBG5500 Series User’s Guide

138

CHAPTER 9

Firewall

9.1 Overview

This chapter shows you how to enable and configure the SBG’s security settings. Use the firewall to

protect your SBG and network from attacks by hackers on the Internet and control access to it. By

default the firewall:

• allows traffic that originates from your LAN computers to go to all other networks.

• blocks traffic that originates on other networks from going to the LAN.

The following figure illustrates the default firewall action. User A can initiate an IM (Instant Messaging)

session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However other traffic

initiated from the WAN is blocked (3 and 4).

Figure 108 Default Firewall Action

9.1.1 What You Can Do in this Chapter

• Use the Firewall Overview screen to activate the firewall feature on the SBG (Section 9.2 on page

140).

• Use the DoS screen to activate protection against Denial of Service (DoS) attacks (Section 9.3 on

page 141).

• Use the Firewall Rules screen to view the configured firewall rules and add, edit or remove incoming/

outgoing filtering rules (Section 9.4 on page 141).

• Use the Device Service screen to configure through which interfaces, which services can access the

SBG (Section 9.5 on page 144).

SBG

Chapter 9 Firewall

SBG5500 Series User’s Guide

139

• Use the Zone Control screen to set the firewall’s default actions based on the direction of travel of

packets (Section 9.6 on page 147).

• Use the Scheduler Rule screen to view, add or edit time schedule rules (Section 9.7 on page 148).

• Use the Service screen to add or remove predefined Internet services and configure firewall rules

(Section 9.8 on page 149).

• Use the MAC Filter screen to allow LAN clients access to the SBG (Section 9.9 on page 151).

• Use the Certificate screen to generate certification requests and import the SBG signed certificates

(Section 9.10 on page 153).

• Use the AAA Server screen to provide access control to your network (Section 9.11 on page 154).

9.1.2 What You Need to Know

SYN Attack

A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted

system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-

ACK, it queues up all outstanding SYN-ACK responses on a backlog queue. SYN-ACKs are moved off the

queue only when an ACK comes back or when an internal timer terminates the three-way handshake.

Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable

for legitimate users.

DoS

Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet.

Their goal is not to steal information, but to disable a device or network so users no longer have access

to network resources. The SBG is pre-configured to automatically detect and thwart all known DoS

attacks.

DDoS

A DDoS attack is one in which multiple compromised systems attack a single target, thereby causing

denial of service for users of the targeted system.

LAND Attack

In a LAND attack, hackers flood SYN packets into the network with a spoofed source IP address of the

target system. This makes it appear as if the host computer sent the packets to itself, making the system

unavailable while the target system tries to respond to itself.

Ping of Death

Ping of Death uses a "ping" utility to create and send an IP packet that exceeds the maximum 65,536

bytes of data allowed by the IP specification. This may cause systems to crash, hang or reboot.

SPI

Stateful Packet Inspection (SPI) tracks each connection crossing the firewall and makes sure it is valid.

Filtering decisions are based not only on rules but also context. For example, traffic from the WAN may

only be allowed to cross the firewall in response to a request from the LAN.

Chapter 9 Firewall

SBG5500 Series User’s Guide

140

Certification Authority

A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner.

There are commercial certification authorities like CyberTrust or VeriSign and government certification

authorities. The certification authority uses its private key to sign certificates. Anyone can then use the

certification authority's public key to verify the certificates. You can use the SBG to generate

certification requests that contain identifying information and public keys and then send the

certification requests to a certification authority.

AAA Servers Supported by the SBG

The following lists the types of authentication server the SBG supports.

•Local user database

The SBG uses the built-in local user database to authenticate administrative users logging into the SBG’s

Web Configurator or network access users logging into the network through the SBG.

•RADIUS

RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to

authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you

to validate a large number of users from a central location.

9.2 The Firewall Overview Screen

Use this screen to enable the firewall on the SBG. Click Configuration > Firewall / Security > Firewall

Overview to display the General screen.

Figure 109 Configuration > Firewall / Security > Firewall Overview

Click the check box to activate the firewall feature on the SBG, then click Apply to save your changes.

You can also use the Firewall Flow to go through the SBG’s firewall features.

Chapter 9 Firewall

SBG5500 Series User’s Guide

141

9.3 The DoS Screen

DoS (Denial of Service) attacks can flood your Internet connection with invalid packets and connection

requests, using so much bandwidth and so many resources that Internet access becomes unavailable.

Click Configuration > Firewall / Security > DoS to display the following screen. Click the DoS Protection

Blocking check box to activate protection against DoS attacks. Then click Apply to save your settings.

Figure 110 Configuration > Firewall / Security > DoS

9.4 The Firewall Rules Screen

This screen displays a list of the configured firewall rules. Note the order in which the rules are listed,

ordering your rules is important because the SBG applies the rules in the order that you specify. Click

Configuration > Firewall / Security > Firewall Rules to display in the following screen.

Figure 111 Configuration > Firewall / Security > Firewall Rules

Chapter 9 Firewall

SBG5500 Series User’s Guide

142

The following table describes the labels in this screen.

Table 53 Configuration > Firewall / Security > Firewall Rules

LABEL DESCRIPTION

Status

Firewall Status This shows IPv4 Enable, IPv6 Enable when the firewall is enabled, otherwise it shows Disable.

You can change this in the Firewall Overview screen (Section 9.2 on page 140).

Rules Storage Space

Usage

This bar shows the percentage of the SBG’s space that has been used. If the usage is

almost full, you may need to remove an existing filter rule before you create a new one.

Firewall Rules

Status Select Enable to view all active firewall rules, or Disable to view all inactivate firewall rules.

From Select the source security zone of traffic to which the rule applies.

To Select the destination security zone of traffic to which the rule applies.

IP Select v4 to filter IPv4 address firewall rules or v6 for IPv6 addresses firewall rules.

Show Click this button to search the firewall rules with the filters you used.

Add Click this to create a new rule. Select a rule and click Add to create a new rule after the

selected entry.

Edit Double-click a rule or select it and click Edit to open a screen where you can modify the

rule’s settings.

Remove To remove an existing rule, select it and click Remove.

Multiple Entries Turn

Select one or more rules and click this to enable them.

Multiple Entries Turn

Off

Select one or more rules and click this to disable them.

# This is the index number of the rule.

Status This field displays whether the firewall rule is active or not. A green ON button signifies that

this firewall rule is active. A gray OFF button signifies that this firewall rule is not active.

Click the slide button to turn on or turn off the rule.

Name This displays the descriptive name of the rule.

Source Type This displays Manual when you create firewall rules on this screen.

This displays Auto when you have added an exception to the Firewall in the NAT > Port

Forwarding screen, see Section 8.2.1 on page 125.

From This displays the source security zone of traffic to which the rule applies.

To This displays the destination security zone of traffic to which the rule applies.

IP version This displays 4 if the rule applies to IPv4 addresses or 6 if it applies to IPv6 addresses.

Source IP This displays the source IP addresses to which this rule applies. Any means all IP addresses.

Destination IP This displays the destination IP addresses to which this rule applies. Any means all IP

addresses.

Service This displays the transport layer protocol that defines the service and the direction of traffic

to which this rule applies.

Schedule This field displays the scheduler rule used for this firewall rule.

Action This displays whether the rule allows packets (Accept), silently discards packets (Drop), or

discards packets and sends an ICMP destination-unreachable packet to the sender

(Reject).

Log This displays whether the SBG logs when it performs the ACL rule’s selected action on the

traffic traveling between the two zones.

Chapter 9 Firewall

SBG5500 Series User’s Guide

143

9.4.1 Add/Edit a Firewall Rule

Click Add or select a firewall rule and click Edit to open the following screen.

Figure 112 Firewall Rules: Add/Edit

The following table describes the labels in this screen.

Table 54 Firewall Rules: Add/Edit

LABEL DESCRIPTION

Enable Select this to turn on the firewall rule.

Logging Select this to have the SBG log when it performs the firewall rule’s selected action on

the traffic traveling between the two zones.

Name Enter a descriptive name of up to 16 alphanumeric characters, not including

spaces.

You must enter the filter name to add a firewall rule.

Description (Optional) Enter a description to help you identify the purpose of the firewall rule.

Order Select an existing number for where you want to put this firewall rule to move the

firewall rule to the number you selected after clicking OK. Ordering your rules is

important because the SBG applies the rules in the order that you specify.

Direction Use the From and To define the direction of travel of packets to which to apply this

firewall rule. Select from which zone the packets come in and to which zone they

are destined. For example, From LAN To WAN means packets traveling from a

computer or subnet on the LAN zone to the WAN zone.

From Any means traffic coming from the WAN, LAN, WLAN, DMZ, and EXTRA zones

(but not the ROUTER zone).

To Any (excl. Router) means traffic going to the WAN, LAN, WLAN, DMZ, and EXTRA

zones (but not the ROUTER zone).

EXTRA is a local zone to use as needed depending on your network topology.

To ROUTER applies to traffic that destined for the SBG. Use this to control which

computers can manage the SBG.

Chapter 9 Firewall

SBG5500 Series User’s Guide

144

9.5 The Device Service Screen

Use this screen to configure through which interfaces, which services can access the SBG. You can also

specify the port numbers the services must use to connect to the SBG.

Use the Trust Domain section in this screen to view a list of public IP addresses which are allowed to

access the SBG through the services configured above.

Click Configuration > Firewall / Security > Device Service to open the following screen.

IP Type Select the type of IP you want to apply this firewall rule (IPv4 or IPv6).

Select Source Device Select the source device to which the firewall rule applies. If you select Specific

Address IP, enter the source IP address in the field below.

Source IP Enter the source IP address, or select Any to apply firewall rule to any source IP

addresses.

Select Destination Device Select the destination device to which the firewall rule applies. If you select Specific

Address IP, enter the source IP address in the field below.

Destination IP If you do not select Any, enter the destiniation IP address in this field.

Select Service Select the transport layer protocol that defines your customized port from the drop-

down list box. The specific protocol rule sets you add in the Configuration > Firewall /

Security > Service > Add screen display in this list.

Protocol This field is displayed only when you select Any in Select Service.

Choose the IP port (ALL, TCP, UDP, ICMP, or ICMP6) that defines your customized port

from the drop-down list box.

Policy Use the drop-down list box to select whether to discard (DROP), deny and send an

ICMP destination-unreachable message to the sender of (REJECT) or allow the

passage of (ACCEPT) packets that match this rule.

Enable Rate Limit Select this check box to set a limit on the upstream/downstream transmission rate for

the specified protocol.

Specify how many packet(s) per Minute or Second the transmission rate is.

Scheduler Rules Select a scheduler rule for this firewall rule form the drop-down list box. The scheduler

rules available are the ones you create in the Configuration > Firewall / Security >

Scheduler Rule screen.

OK Click OK to save your changes.

Cancel Click Cancel to restore your previously saved settings.

Table 54 Firewall Rules: Add/Edit

LABEL DESCRIPTION

Chapter 9 Firewall

SBG5500 Series User’s Guide

145

Figure 113 Configuration > Firewall / Security > Device Service

The following table describes the labels in this screen.

Table 55 Configuration > Firewall / Security > Device Service

LABEL DESCRIPTION

Service List

Edit Select a service control and click Edit to modify it.

Service This is the service you may use to access the SBG.

Description This shows a description of the service.

LAN Interfaces This shows a check icon if the service is allowed access to the SBG from the LAN.

WAN Interfaces This shows the interfaces this service is allowed access to the SBG from the WAN.

Trust Domain This shows a check icon if the service is allowed access to the SBG from the Trust

Domain.

Port This field displays the server port number for the service.

Trust Domain

Add Click this to add a trusted host IP address,

Remove Click this to remove the trusted IP address.

IP Address This field shows a trusted host IP address.

Subnet Mask / Prefix Length This shows the prefix length that specifies how many most significant bits are in the

trusted host IP address,

Certificate

HTTPS Certificate Select a certificate the HTTPS server (the SBG) uses to authenticate itself to the HTTPS

client. You must have certificates already configured in the Certificates screen.

Chapter 9 Firewall

SBG5500 Series User’s Guide

146

9.5.1 Edit a Device Service

Double click a Service or select one and click Edit to open the following screen.

Figure 114 Device Service: Edit

The following table describes the labels in this screen.

9.5.2 Add/Edit a Trust Domain

Use this screen to configure a public IP address which is allowed to access the SBG. Double click an IP

Address or select one and click Edit to open the following screen.

Apply Click Apply to save your changes.

Reset Click Reset to restore your previously saved settings.

Table 55 Configuration > Firewall / Security > Device Service

LABEL DESCRIPTION

Table 56 Device Service: Edit

LABEL DESCRIPTION

Service This is the service you may use to access the SBG.

Port You may change the server port number for a service if needed, however you must use the

same port number in order to use that service for remote management.

Trust Domain Click the check box if the services is allowed access to the SBG from the trust domain.

LAN Interface Click the check box if the services are allowed access to the SBG from the LAN.

WAN Interface Click the check box if the services are allowed access to the SBG from all WAN connections,

or specify the interfaces individually.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Chapter 9 Firewall

SBG5500 Series User’s Guide

147

Figure 115 Trust Domain: Add/Edit

The following table describes the labels in this screen.

9.6 The Zone Control Screen

Use this screen to set the firewall’s default actions. Firewall rules are grouped based on the direction of

travel of packets to which they apply.

Click Configuration > Firewall / Security > Zone Control to display the following screen.

Figure 116 Configuration > Firewall > Security > Zone Control

Table 57 Trust Domain: Add/Edit

LABEL DESCRIPTION

IP Address [/Prefix Length

(optional)]

Enter a public IPv4 IP address which is allowed to access the service on the SBG from

the WAN. You can also enter the prefix length of the IP address.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Chapter 9 Firewall

SBG5500 Series User’s Guide

148

The following table describes the labels in this screen.

9.7 The Scheduler Rule Screen

Use the Scheduler Rule screen to define time periods and days during which the SBG performs

scheduled rules of certain features (such as a Firewall). Click Configuration > Firewall / Security >

Scheduler Rule to open the following screen.

Figure 117 Configuration > Firewall / Security > Scheduler Rule

The following table describes the labels in this screen.

Table 58 Configuration > Firewall / Security > Zone Control

LABEL DESCRIPTION

Status

Firewall Status This shows IPv4 Enable, IPv6 Enable when the firewall is enabled, otherwise it shows Disable. You

can change this in the Firewall Overview screen (Section 9.2 on page 140).

Zone Control

From/To The firewall rules are grouped by the direction of packet travel and their zones (WAN, LAN,

WLAN, DMZ, EXTRA and ROUTER). By default, the firewall allows passage of packets traveling in

the same zone (a LAN to a LAN, a WAN to a WAN). Here are some example descriptions of the

directions of travel.

From LAN To LAN means packets traveling from a computer on one LAN subnet to a computer

on another LAN subnet on the LAN interface of the device.

You can define the EXTRA zone to include the VPN connection. The Router zone can only be

controlled in ingress direction “to” because it is reserved for the router’s CPU. However, packets

sent from the router zone are always permitted. For example, if your packet come from a LAN

zone and is going to the Router zone. The SBG will apply the firewall rules to the LAN packets if

you did not click the Permit check box.

When Permit box is unchecked and Log box is checked, it means the “dropped” packets will be

logged. When both Permit and Log boxes are checked, it means the “permitted” packets will

be logged.

Permit Click the check box Permit to allow the passage of the packets.

Log Click the check box Log to create a log when an action from Firewall rule is taken.

Apply Click Apply to save your changes.

Cancel Click Cancel to restore your previously saved settings.

Table 59 Configuration > Firewall / Security > Scheduler Rule

LABEL DESCRIPTION

Add Click this to create a new scheduler rule. Select a rule and click Add to create a new rule after

the selected entry.

Edit Double-click a scheduler rule or select it and click Edit to open a screen where you can modify

the rule’s settings.

Chapter 9 Firewall

SBG5500 Series User’s Guide

149

9.7.1 Add/Edit a Scheduler Rule

Click Add in the Scheduler Rule screen, or select a rule and click Edit to open the following screen. Use

this screen to configure a restricted access schedule.

Figure 118 Scheduler Rule: Add/Edit

The following table describes the labels in this screen.

9.8 The Service Screen

You can configure customized services and port numbers in the Service screen. For a comprehensive list

of port numbers and services, visit the IANA (Internet Assigned Number Authority) website.

Click Configuration > Firewall / Security > Service to display the following screen.

Remove To remove an existing scheduler rule, select it and click Remove.

Note: You cannot delete a scheduler rule once it is applied to a certain feature.

# This is the index number of the rule.

Rule Name This is the name of the rule.

Days This shows the day(s) on which this rule is enabled. Green days show when the rule is enabled,

Gray days show when the rule is disabled.

Time This shows the period of time on which this rule is enabled.

Description This shows the description of this rule.

Table 59 Configuration > Firewall / Security > Scheduler Rule

LABEL DESCRIPTION

Table 60 Scheduler Rule: Add/Edit

LABEL DESCRIPTION

Rule Name Enter a name (up to 31 printable characters English keyboard characters, not including

spaces) for this schedule.

Description Enter a description for this scheduler rule.

Days Select the check boxes for the days that you want the SBG to perform this scheduler rule.

Time of Day Range Enter the time period of each day, in 24-hour format, during which the rule will be

enforced.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Chapter 9 Firewall

SBG5500 Series User’s Guide

150

Figure 119 Configuration > Firewall / Security > Service

The following table describes the labels in this screen.

9.8.1 Add/Edit a Service

Use this screen to add a customized service rule that you can use in the firewall’s ACL rule configuration.

Click Add or select an existing service rule and click Edit in the Service screen to display the following

screen.

Figure 120 Service: Add/Edit

Table 61 Configuration > Firewall / Security > Service

LABEL DESCRIPTION

Add Click this to add a new service.

Edit Click this to modify an existing service,

Remove Click this to remove a service,

#This is the index number of the service.

Name This is the name of your customized service.

Description This is the description of your customized service.

Protocol/

Protocol

Number

This shows the IP protocol (TCP, UDP, ICMP, or TCP/UDP) and the port number or range of ports

that defines your customized service. Other and the protocol number displays if the service uses

another IP protocol.

Chapter 9 Firewall

SBG5500 Series User’s Guide

151

The following table describes the labels in this screen.

9.9 The MAC Filter Screen

You can configure the SBG to permit access to clients based on their MAC addresses in the MAC Filter

screen. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is

assigned at the factory and consists of six pairs of hexadecimal characters, for example,

00:A0:C5:00:00:02. You need to know the MAC addresses of the devices to configure this screen.

Click Configuration > Firewall / Security > MAC Filter to open the following screen.

Figure 121 Configuration > Firewall / Security > MAC Filter

Table 62 Service: Add/Edit

LABEL DESCRIPTION

Name Enter a unique name (up to 32 printable English keyboard characters, including spaces) for your

customized port.

Description Enter a description for your customized port.

Protocol Choose the IP protocol (TCP, UDP, ICMP, Other, or ICMPv6) that defines your customized port

from the drop-down list box.

Select Other to be able to enter a protocol number.

Select ICMPv6 to be able to select a packet type.

Source/

Destination Port

These fields are displayed if you select TCP or UDP as the IP port.

Select Single to specify one port only or Range to specify a span of ports that define your

customized service. If you select Any, the service is applied to all ports.

Type a single port number or the range of port numbers that define your customized service.

ICMPv6 Type Select an ICMPv6 packet type.

Protocol

Number

This field is displayed if you select Other as the protocol.

Enter the protocol number of your customized port.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Chapter 9 Firewall

SBG5500 Series User’s Guide

152

The following table describes the labels in this screen.

9.9.1 MAC Filter: Add/Edit

Click Add or select an existing MAC filter rule and click Edit to display the following screen.

Figure 122 MAC Filter: Add/Edit

The following table describes the labels in this screen.

Table 63 Configuration > Firewall / Security > MAC Filter

LABEL DESCRIPTION

General

Enable Select Enable to activate the MAC filter function.

MAC Address List

Add Click this to create a new MAC filter rule. Select a rule and click Add to create a new rule

after the selected entry.

Edit Double-click a MAC filter rule or select it and click Edit to open a screen where you can

modify the rule’s settings.

Remove To remove an existing MAC filter rule, select it and click Remove.

Multiple Entries Turn On Select one or more MAC filter rules and click this to enable them.

Multiple Entries Turn Off Select one or more MAC filter rules and click this to disable them.

Status This field displays whether the MAC filter rule is active or not. A green ON button signifies

that this MAC filter rule is active. A gray OFF button signifies that this MAC filter rule is not

active.

Click the slide button to turn on or turn off the rule.

Host Name This field displays host name of the LAN clients that are allowed access to the SBG.

MAC Address This field displays the MAC addresses of the LAN clients that are allowed access to the

SBG in these address fields.

Apply Click Apply to save your changes.

Reset Click Reset to restore your previously saved settings.

Table 64 MAC Filter: Add/Edit

LABEL DESCRIPTION

Enable Select this to enable the MAC filter rule. The rule will not be applied if Enable is not

selected.

Host Name Enter the host name of the LAN clients that are allowed access to the SBG.

MAC Address Enter the MAC addresses of the LAN clients that are allowed access to the SBG in these

address fields. Enter the MAC addresses in a valid MAC address format, that is, six

hexadecimal character pairs, for example, 12:34:56:78:9a:bc.

Chapter 9 Firewall

SBG5500 Series User’s Guide

153

9.10 The Certificate Screen

The SBG can use certificates (also called digital IDs) to authenticate users. Certificates are based on

public-private key pairs. A certificate contains the certificate owner’s identity and public key.

Certificates provide a way to exchange public keys for use in authentication. Click Configuration >

Firewall /Security > Certificate to open the following screen.

Figure 123 Configuration > Firewall / Security > Certificate

The following table describes the labels in this screen.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Table 64 MAC Filter: Add/Edit

LABEL DESCRIPTION

Table 65 Configuration > Firewall / Security > Certificate

LABEL DESCRIPTION

My Certificate Settings / Trusted CA Settings

Add Click this to create a new certificate. Select a rule and click Add to create a new certificate

after the selected entry.

Remove To remove an existing certificate, select it and click Remove.

More Information Select a certificate and click More Information to view all details about the certificate.

Import Click this button to save the certificate that you have enrolled from a certification authority

from your computer to the SBG.

# This is the index number of the rule.

Name This field displays the descriptive name used to identify this certificate. It is recommended

that you give each certificate a unique name.

Subject This field displays identifying information about the certificate’s owner, such as CN

(Common Name), OU (Organizational Unit or department), O (Organization or company)

and C (Country). It is recommended that each certificate have unique subject information.

Chapter 9 Firewall

SBG5500 Series User’s Guide

154

9.11 The AAA Server

You can use a AAA (Authentication, Authorization, Accounting) server to provide access control to your

network. The AAA server can be a RADIUS server. Use the AAA Server screens to create and manage

objects that contain settings for using AAA servers. Click Configuration > Firewall / Security > AAA Server

to open the following screen.

Figure 124 Configuration > Firewall / Security > AAA Server

The following table describes the labels in this screen.

Type This field displays general information about the certificate.

It displays Self when the certificate is self-signed.

It displays Import when the certificate used is imported.

Issuer This field displays identifying information about the certificate’s issuing certification authority,

such as a common name, organizational unit or department, organization or company and

country.

Valid From This field displays the date that the certificate becomes applicable. The text displays in red

and includes a Not Yet Valid! message if the certificate has not yet become applicable.

Valid To This field displays the date that the certificate expires. The text displays in red and includes

an Expiring! or Expired! message if the certificate is about to expire or has already expired.

Table 65 Configuration > Firewall / Security > Certificate

LABEL DESCRIPTION

Configuration > Firewall / Security > AAA Server

LABEL DESCRIPTION

LDAP Server Summary

Add Click this to create a new server. Select a rule and click Add to create a new server

after the selected entry.

Edit Double-click a server or select it and click Edit to open a screen where you can

modify the server’s settings.

Remove To remove an existing server, select it and click Remove.

# This field displays the index number.

Name This field displays the name of the LDAP server entry.

Server Address This field displays the address of the LDAP server.

Base DN This field displays the domain name of the LDAP server.

Chapter 9 Firewall

SBG5500 Series User’s Guide

155

9.11.1 Add/Edit an LDAP Server

Click Add icon or select a server and click Edit to display the following screen. Use this screen to create

a new LDAP entry or edit an existing one.

Figure 125 LDAP Server: Add/Edit

RADIUS Server Summary

Add Click this to create a new server. Select a rule and click Add to create a new server

after the selected entry.

Edit Double-click a server or select it and click Edit to open a screen where you can

modify the server’s settings.

Remove To remove an existing server, select it and click Remove.

# This field displays the index number.

Name This field displays the name of the RADIUS server entry.

Server Address This field displays the address of the RADIUS server.

Configuration > Firewall / Security > AAA Server

LABEL DESCRIPTION

Chapter 9 Firewall

SBG5500 Series User’s Guide

156

The following table describes the labels in this screen.

Table 66 LDAP Server: Add/Edit

LABEL DESCRIPTION

General Settings

Name Enter a descriptive name for identification purposes. It cannot exceed 64 characters

[0-9][A-Z] [a-z][_-].

Description Enter the description of each server, if any. You can use up to 128 printable ASCII

characters.

Server Settings

Server Address Enter an IP address or Fully-Qualified Domain Name (FQDN) of the LDAP

authentication server.

Backup Server Address If the LDAP server has a backup authentication server, enter its IP address or FQDN

here.

Port Specify the port number on the LDAP server to which the SBG sends authentication

requests. Enter a number between 1 and 65535.

Base DN Specify the directory (up to 127 alphanumerical characters). For example, o=Zyxel,

c=US.

This is only for LDAP.

Use SSL Select Use SSL to establish a secure connection to the LDAP server(s).

Search time limit Specify the timeout period (between 1 and 300 seconds) before the SBG

disconnects from the LDAP server. In this case, user authentication fails.

Search timeout occurs when either the user information is not in the LDAP server(s) or

the LDAP server(s) is down.

Case-sensitive User Names Select this if the server checks the case of the user names.

Server Authentication

Bind DN Specify the bind DN for logging into the LDAP server. Enter up to 127 alphanumerical

characters.

For example, cn=zyxelAdmin specifies zyxelAdmin as the user name.

Password If required, enter the password (up to 15 alphanumerical characters) for the SBG to

bind (or log in) to the AD or LDAP server.

Retype to Confirm Retype your new password for confirmation.

User Login Settings

mail address”.

Alternative Login Name

Attribute

If there is a second type of identifier that the users can use to log in, enter it here. For

example “name” or “e-mail address”.

Group Membership

Attribute

An LDAP server defines attributes for its accounts. Enter the name of the attribute

that the SBG is to check to determine to which group a user belongs. The value for

this attribute is called a group identifier; it determines to which group a user belongs.

You can add ext-group-user objects to identify groups based on these group

identifier values.

For example you could have an attribute named “memberOf” with values like

“sales”, “RD”, and “management”. Then you could also create a ext-group-user

object for each group. One with “sales” as the group identifier, another for “RD” and

a third for “management”.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Chapter 9 Firewall

SBG5500 Series User’s Guide

157

9.11.2 Add/Edit an RADIUS Server

Click Add icon or select a server and click Edit to display the following screen. Use this screen to create

a new RADIUS entry or edit an existing one.

Figure 126 RADIUS Server: Add/Edit

The following table describes the labels in this screen.

Table 67 RADIUS Server: Add/Edit

LABEL DESCRIPTION

General Settings

Name Enter a descriptive name (up to 64 alphanumerical characters) for identification

purposes.

Description Enter the description of each server, if any. You can use up to 128 printable ASCII

characters.

Server Settings

Server Address Enter the IP address or FQDN of the RADIUS authentication server.

Authentication Port Specify the port number on the RADIUS server to which the SBG sends

authentication requests. Enter a number between 1 and 65535.

Backup Server Address If the RADIUS server has a backup authentication server, enter its IP address or FQDN

here.

Backup Authentication Port Specify the port number on the RADIUS server to which the SBG sends

authentication requests. Enter a number between 1 and 65535.

Timeout Specify the timeout period (between 1 and 300 seconds) before the SBG

disconnects from the RADIUS server. In this case, user authentication fails.

Search timeout occurs when either the user information is not in the RADIUS server or

the RADIUS server is down.

Chapter 9 Firewall

SBG5500 Series User’s Guide

158

NAS IP Address If the RADIUS server requires the SBG to provide the Network Access Server IP

address attribute with a specific value, enter it here.

Case-sensitive User Names Select this if the server checks the case of the user names.

Server Authentication

Key Enter a password (up to 32 characters) as the key to be shared between the

external authentication server and the SBG.

The key is not sent over the network. This key must be the same on the external

authentication server and the SBG.

User Login Settings

Group Membership

Attribute

A RADIUS server defines attributes for its accounts. Select the name and number of

the attribute that the SBG is to check to determine to which group a user belongs. If

it does not display, select User Defined and specify the attribute’s number.

OK Click OK to save your changes.

Cancel Click Cancel to restore your previously saved settings.

Table 67 RADIUS Server: Add/Edit

LABEL DESCRIPTION

SBG5500 Series User’s Guide

159

CHAPTER 10

VPN

10.1 Overview

A virtual private network (VPN) provides secure communications between sites without the expense of

leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access

control and auditing. It is used to transport traffic over the Internet or any insecure network that uses

TCP/IP for communication.

10.2 What You Can Do in this Chapter

• Use the VPN Status screen to look at the VPN tunnels currently established in the SBG (Section 10.4 on

page 162).

• Use the IPsec VPN screen to display and manage active IPsec VPN connections (Section 10.5 on

page 163).

• Use the PPTP VPN screen to configure the PPTP VPN settings in the SBG(Section 10.6 on page 176).

• Use the L2TP VPN screen to configure the SBG’s L2TP VPN settings(Section 10.7 on page 179).

• Use the L2TP Client Status screen to view connection details for L2TP clients (Section 10.8 on page

185).

10.3 What You Need to Know

IPsec VPN

Internet Protocol Security (IPsec) is a standards-based VPN that offers flexible solutions for secure data

communications across a public network like the Internet. IPsec is built around a number of

standardized cryptographic techniques to provide confidentiality, data integrity and authentication at

the IP layer.

The following figure provides one perspective of a VPN tunnel.

Chapter 10 VPN

SBG5500 Series User’s Guide

160

Figure 127 IPsec VPN: Overview

The VPN tunnel connects the SBG (X) and the remote IPsec router (Y). These routers then connect the

local network (A) and remote network (B).

A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a

contract indicating what security parameters the SBG and the remote IPsec router will use.

The first phase establishes an Internet Key Exchange (IKE) SA between the SBG and remote IPsec router.

The second phase uses the IKE SA to securely establish an IPsec SA through which the SBG and remote

IPsec router can send data between computers on the local network and remote network. The

following figure illustrates this.

Figure 128 VPN: IKE SA and IPsec SA

In this example, a computer in network A is exchanging data with a computer in network B. Inside

networks A and B, the data is transmitted the same way data is normally transmitted in the networks.

Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other

security features of the IPsec SA. The IPsec SA is established securely using the IKE SA that routers X and Y

established first.

PPTP VPN

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a

remote client to a private server, creating a VPN using TCP/IP-based networks. PPTP supports on-

demand, multi-protocol and virtual private networking over public networks, such as the Internet.

SBG

Chapter 10 VPN

SBG5500 Series User’s Guide

161

PPTP sets up two sessions and uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer

information between the computers. It is convenient and easy-to-use, but you have to make sure that

firewalls support both PPTP sessions.

PPTP works on a client-server model and is suitable for remote access applications. For example, an

employee (A) can connect to the PPTP VPN gateway (X) as a PPTP client to gain access to the

company network resources from outside the office. When you connect to a remote network (B)

through a PPTP VPN, all of your traffic goes through the PPTP VPN gateway (X).

Figure 129 PPTP VPN Example

L2TP VPN

The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic

between two peers over another network (like the Internet). In L2TP VPN, an IPsec VPN tunnel is

established first and then an L2TP tunnel is built inside it.

L2TP VPN lets remote users use the L2TP and IPsec client software included with their computers’

operating systems to securely connect to the network behind the SBG. The remote users do not need

their own IPsec gateways or VPN client software.

Figure 130 L2TP VPN Overview

SBG

Chapter 10 VPN

SBG5500 Series User’s Guide

162

10.4 The VPN Status Screen

Use this screen to look at the VPN tunnels that are currently established. To access this screen, click

Configuration > VPN > VPN Status.

Figure 131 Configuration > VPN > VPN Status

The following table describes the labels in this screen.

Table 68 Configuration > VPN > VPN Status

LABEL DESCRIPTION

IPsec VPN

Disconnect Select a VPN policy and click Disconnect to disable it.

Refresh Click this to renew the table.

# This is the IPsec VPN policy index number.

Name This field displays the identification name for this VPN policy.

Policy This field displays the local policy and the remote policy, respectively.

My Address This field displays the interface the VPN gateway uses.

Secure Gateway This field displays the peer gateway address of the IPsec router with which you are

making the VPN connection.

Up Time This field displays the period of time the VPN tunnel has been up.

Timeout This field displays the timeout period before the SBG disconnects from this VPN tunnel.

Inbound (Bytes) This field displays the number of bytes received by the SBG on this VPN tunnel.

Outbound (Bytes) This field displays the number of bytes transmitted by the SBG on this VPN tunnel.

PPTP VPN / L2TP VPN

Disconnect Select a VPN client connection and click this to disable it.

Refresh Click this to renew the table.

# This is the PPTP/L2TP VPN policy index number.

Username This field displays the client’s login name for this connection.

Host Name This is the client's host name of this connection.

Chapter 10 VPN

SBG5500 Series User’s Guide

163

10.5 The IPsec VPN Screen

Click Configuration > VPN > IPsec VPN to open the following screen.

Use Gateway Configuration to manage the SBG’s VPN gateway policies. A VPN gateway specifies the

IPsec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also

activate and deactivate each VPN gateway.

Use Connection Configuration to specify which IPsec VPN gateway an IPsec VPN connection policy

uses, which devices behind the IPsec routers can use the VPN tunnel, and the IPsec SA settings (phase 2

settings). You can also activate or deactivate and connect or disconnect each VPN connection (each

IPsec SA).

Figure 132 Configuration > VPN > IPsec VPN

Assigned IP This is the local point-to-point IP address assigned to the client.

Public IP This is the client’s public IP address for this connection.

Table 68 Configuration > VPN > VPN Status

LABEL DESCRIPTION

Chapter 10 VPN

SBG5500 Series User’s Guide

164

The following table describes the labels in this screen.

Table 69 Configuration > VPN > IPsec VPN

LABEL DESCRIPTION

DPD Timeout Use Dead Peer Detection (DPD) so the SBG makes sure the remote IPsec router is there

before it transmits data through the IKE SA. The remote IPsec router must support DPD.

Enter the number of seconds for DPD Timeout. The SBG sends a message to the remote

IPsec router. If the remote IPsec router responds, the SBG keeps the tunnel up.

DPD Attempts If the remote IPsec router does not respond, enter how many attempts the SBG should

make before it shuts down the tunnel.

Note: If you enabled Nailed Up in the VPN > IPsec VPN > VPN Connection

screen, the SBG shuts down the tunnel and will automatically establish a

new tunnel.

Gateway Configuration

Add Click this to configure a new entry.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify

the entry’s settings.

Remove To remove an existing entry, select it and click Remove.

# This field displays the VPN gateway index number.

Status This field displays whether the IPsec VPN gateway is active or not. A green ON button

signifies that this IPsec VPN gateway is active. A gray OFF button signifies that this IPsec

VPN gateway is not active.

Name This field displays the identification name for this VPN gateway.

My Address This field displays the interface the VPN gateway uses.

Secure Gateway This field displays the peer gateway address of the IPsec router with which you are

making the VPN connection.

IP Version This field displays whether the VPN gateway uses IPv4 or IPv6 addresses.

VPN Connection This field displays which VPN connection use this gateway.

IKE Version This field displays the IKE Version the VPN gateway uses.

Connection Configuration

Add Click this to configure a new entry.

Edit Double-click an entry or select it and click Edit to open a screen where you can modify

the entry’s settings.

Remove To remove an existing entry, select it and click Remove.

Connect To connect an IPsec SA, select it and click Connect.

Disconnect To disconnect an IPsec SA, select it and click Disconnect.

# This field displays the VPN connection index number.

Status This field displays whether the IPsec VPN connection is active or not. A green ON button

signifies that this IPsec VPN connection is active. A gray OFF button signifies that this IPsec

VPN connection is not active.

Tunnel This shows a lit up globe if the VPN tunnel is connected or and a gray globe when it is

disconnected.

Name This field displays the identification name for this VPN policy.

VPN Gateway This field displays the VPN gateway the VPN connection uses.

Encapsulation This field displays the type of encapsulation the IPsec SA uses,

Algorithm This field displays the encryption algorithm used in the IKE SA.

Policy This field displays the remote and local policy.

Chapter 10 VPN

SBG5500 Series User’s Guide

165

10.5.1 Add/Edit a VPN Gateway

Click Add to create a new VPN gateway policy. You can also double click a VPN gateway policy or

select one and click Edit to go to the following screen.

Application Scenario This field is read-only and shows the scenario that the SBG supports.

Site-to-site - The remote IPsec router needs to have a static IP address or a domain name.

This SBG can initiate the VPN tunnel.

Site-to-site with Dynamic Peer - Choose this if the remote IPsec router has a dynamic IP

address. Only the remote IPsec router can initiate the VPN tunnel.

Remote Access (Server Role) - Choose this to allow incoming connections from IPsec VPN

clients. The clients have dynamic IP addresses and are also known as dial-in users. Only

the clients can initiate the VPN tunnel.

Remote Access (Client Role) - Choose this to connect to an IPsec server. This SBG is the

client (dial-in user) and can initiate the VPN tunnel.

Apply Click Apply to save your changes.

Reset Click Reset to restore your previously saved settings.

Table 69 Configuration > VPN > IPsec VPN

LABEL DESCRIPTION

Chapter 10 VPN

SBG5500 Series User’s Guide

166

Figure 133 VPN Gateway: Add/Edit

The following table describes the labels in this screen.

Table 70 VPN Gateway: Add/Edit

LABEL DESCRIPTION

Show Advanced Settings /

Hide Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

General Settings

Enable Select the check box to activate this VPN gateway policy.

VPN Gateway Name Enter a name used to identify this VPN gateway.

The VPN Gateway Name of an IPsec rule must be unique and cannot be changed

once it has been created.

Chapter 10 VPN

SBG5500 Series User’s Guide

167

IKE Version Select IKEv1 or IKEv2. IKEv1 applies to IPv4 traffic only. IKEv2 applies to both IPv4 and

IPv6 traffic. IKE (Internet Key Exchange) is a protocol used in setting up security

associations that allows two parties to send data securely. See Section 10.3 on page

159 for more information on IKEv1 and IKEv2.

Gateway Settings

My address Select how the IP address of the SBG in the IKE SA is defined.

If you select Interface, select the Ethernet interface, WWAN interface, virtual

Ethernet interface, ADSL/VDSL interface. The IP address of the SBG in the IKE SA is the

IP address of the interface.

If you select Domain Name / IP, enter the domain name or the IP address of the SBG.

The IP address of the SBG in the IKE SA is the specified IP address or the IP address

corresponding to the domain name. 0.0.0.0 is not generally recommended as it has

the SBG accept IPsec requests destined for any interface address on the SBG.

Peer Gateway Address Select how the IP address of the remote IPsec router in the IKE SA is defined.

Select Static Address to enter the domain name or the IP address of the remote

IPsec router. You can provide a Secondary IP address or domain name for the SBG

to try if it cannot establish an IKE SA with the first one.

Enter a Secondary IP address, if the connection to the Primary address goes down

and the SBG changes to using the secondary connection, the SBG will reconnect to

the primary address when it becomes available again and stop using the secondary

connection. Users will lose their VPN connection briefly while the SBG changes back

to the primary connection. To use this, the peer device at the secondary address

cannot be set to use a nailed-up VPN connection. In the Fallback Check Interval

field, set how often to check if the primary address is available.

Select Dynamic Address if the remote IPsec router has a dynamic IP address (and

does not use DDNS).

Authentication Note: The SBG and remote IPsec router must use the same

authentication method to establish the IKE SA.

Pre-Shared Key Select this to have the SBG and remote IPsec router use a pre-shared key (password)

to identify each other when they negotiate the IKE SA. Type the pre-shared key in

the field to the right. The pre-shared key can be

• 8 - 32 keyboard characters except (=) equals sign, (-) dash, (/) slash, (\) backslash,

or (",') quotation marks.

• 8 - 32 pairs of hexadecimal (0-9, A-F) characters, preceded by “0x”.

If you want to enter the key in hexadecimal, type “0x” at the beginning of the key.

For example, "0x0123456789ABCDEF" is in hexadecimal format; in

“0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter

twice as many characters since you need to enter pairs.

The SBG and remote IPsec router must use the same pre-shared key.

Select unmasked to see the pre-shared key in readable plain text.

Note: All remote access application scenario of IPsec rules must use the

same pre-shared key.

Table 70 VPN Gateway: Add/Edit

LABEL DESCRIPTION

Chapter 10 VPN

SBG5500 Series User’s Guide

168

Certificate In order to use Certificate for IPsec authentication, you need to add new host

certificates in the Firewall / Security > Certificate screen.

Select this to have the SBG and remote IPsec router use certificates to authenticate

each other when they negotiate the IKE SA. Then select the certificate the SBG uses

to identify itself to the remote IPsec router.

This certificate is one of the certificates in Certificate. If this certificate is self-signed,

import it into the remote IPsec router. If this certificate is signed by a CA, the remote

IPsec router must trust that CA.

Note: The IPsec routers must trust each other’s certificates.

The SBG uses one of its Trusted CA to authenticate the remote IPsec router’s

certificate. The trusted certificate can be a self-signed certificate or that of a trusted

CA that signed the remote IPsec router’s certificate.

Advance

Local ID Type This field is read-only if the SBG and remote IPsec router use certificates to identify

each other. Select which type of identification is used to identify the SBG during

authentication. Choices are:

IPv4 - the SBG is identified by an IP address.

DNS - the SBG is identified by a domain name.

Email Address - the SBG is identified by the string specified in the Content field.

My Address - the SBG is identified by he IP address specified in the My Address field.

Content This field is read-only if the SBG and remote IPsec router use certificates to identify

each other. Type the identity of the SBG during authentication. The identity depends

on the Local ID Type.

IPv4 - type an IP address. This is not recommended in the following situations:

• There is a NAT router between the SBG and remote IPsec router.

• You want the remote IPsec router to be able to distinguish between IPsec SA

requests that come from IPsec routers with dynamic WAN IP addresses.

In these situations, use a different IP address, or use a different Local ID Type.

DNS - type the fully qualified domain name (FQDN). This value is only used for

identification and can be any string that matches the peer ID string.

Email Address - the SBG is identified by the string you specify here; you can use up to

63 ASCII characters including spaces, although trailing spaces are truncated. This

value is only used for identification and can be any string.

Peer ID Type Select which type of identification is used to identify the remote IPsec router during

authentication. Choices are:

IPv4 - the remote IPsec router is identified by an IP address.

DNS - the remote IPsec router is identified by a domain name.

Email Address - the remote IPsec router is identified by the string specified in this field.

Any - the SBG does not check the identity of the remote IPsec router If the SBG and

remote IPsec router use certificates, there is one more choice.

Table 70 VPN Gateway: Add/Edit

LABEL DESCRIPTION

Chapter 10 VPN

SBG5500 Series User’s Guide

169

Content This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPsec

router during authentication. The identity depends on the Peer ID Type.

If the SBG and remote IPsec router do not use certificates,

IPv4 - type an IP address; see the note at the end of this description.

DNS - type the fully qualified domain name (FQDN). This value is only used for

identification and can be any string that matches the peer ID string.

Email Address - the remote IPsec router is identified by the string you specify here;

you can use up to 31 ASCII characters including spaces, although trailing spaces are

truncated. This value is only used for identification and can be any string.

Note: If Peer ID Type is IPv4, please read the rest of this section.

If you type 0.0.0.0, the SBG uses the IP address specified in the Secure Gateway

Address field. This is not recommended in the following situations:

• There is a NAT router between the SBG and remote IPsec router.

• You want the remote IPsec router to be able to distinguish between IPsec SA

requests that come from IPsec routers with dynamic WAN IP addresses.

In these situations, use a different IP address, or use a different Peer ID Type.

Phase 1 Settings Phase 1 Encryption and Authentication can have up to 3 algorithm pairs. You

cannot use phase 1 Encryption, Authentication, and Key Group pairs that already

exist in other enabled IPsec rules.

When the default IPsec rule Default_L2TP_VPN_GW is enabled, if you want to add a

new Remote Access IPsec rule, you can use phase 1 Encryption, Authentication, and

Key Group pair DES, MD5, and DH2 or DES, SHA1, and DH2, or any algorithm

combination with DH1 or DH5.

SA Life Time Define the length of time before an IKE or IPsec SA automatically renegotiates in this

field. It may range from 1 to 99,999 seconds.

A short SA Life Time increases security by forcing the two VPN gateways to update

the encryption and authentication keys. However, every time the VPN tunnel

renegotiates, all users accessing remote resources are temporarily disconnected.

Negotiation Mode Select the negotiation mode to use to negotiate the IKE SA. Choices are:

Main - this encrypts the SBG’s and remote IPsec router’s identities but takes more

time to establish the IKE SA.

Aggressive - this is faster but does not encrypt the identities The SBG and the remote

IPsec router must use the same negotiation mode.

Note: This field is only available when you select IKEv1 in the IKE Version

field.

Advanced

Proposal Use this section to manage the encryption algorithm and authentication algorithm

pairs the SBG accepts from the remote IPsec router for negotiating the IKE SA.

Add Click this to add phase 1 Encryption and Authentication.

Edit Select an entry and click the Edit to modify it.

Remove Select an entry and click Remove to delete it.

# This field is a sequential value, and it is not associated with a specific proposal. The

sequence of proposals should not affect performance significantly.

Table 70 VPN Gateway: Add/Edit

LABEL DESCRIPTION

Chapter 10 VPN

SBG5500 Series User’s Guide

170

Encryption Select which key size and encryption algorithm to use in the IKE SA. Choices are:

3DES - a 168-bit key with the DES encryption algorithm

AES128 - a 128-bit key with the AES encryption algorithm

AES192 - a 192-bit key with the AES encryption algorithm

AES256 - a 256-bit key with the AES encryption algorithm

The SBG and the remote IPsec router must use the same algorithms and keys. Longer

keys require more processing power, resulting in increased latency and decreased

throughput.

# This is the Authentication index number.

Authentication Select which hash algorithm to use to authenticate packet data in the IPsec SA.

Choices are SHA1, SHA256, and SHA512 is generally considered stronger than MD5,

but it is also slower.

The remote IPsec router must use the same authentication algorithm.

Key Group Select which Diffie-Hellman key group (DHx) you want to use for encryption keys.

Choices are:

None - disable DHx.

DH2 - use a 1024-bit random number.

DH5 - use a 1536-bit random number.

DH14 - use a 2048-bit random number.

The longer the key, the more secure the encryption, but also the longer it takes to

encrypt and decrypt information. Both routers must use the same DH key group.

NAT Traversal Select this if any of these conditions are satisfied.

• This IKE SA might be used to negotiate IPsec SAs that use ESP as the active

protocol.

• There are one or more NAT routers between the SBG and remote IPsec router,

and these routers do not support IPsec pass-thru or a similar feature.

The remote IPsec router must also enable NAT traversal, and the NAT routers have to

forward packets with UDP port 500 and UDP 4500 headers unchanged.

This field applies for IKEv1 only. NAT Traversal is always performed when you use

IKEv2.

Dead Peer Detection

(DPD) Select this check box if you want the SBG to make sure the remote IPsec router is

there before it transmits data through the IKE SA. The remote IPsec router must

support DPD. If there has been no traffic for at least 15 seconds, the SBG sends a

message to the remote IPsec router. If the remote IPsec router responds, the SBG

transmits the data. If the remote IPsec router does not respond, the SBG shuts down

the IKE SA.

If the remote IPsec router does not support DPD, see if you can use the VPN

connection connectivity check.

This field applies for IKEv1 only. Dead Peer Detection (DPD) is always performed

when you use IKEv2.

X Auth / Extended

Authentication Protocol

This part of the screen displays X-Auth when using IKEv1 and Extended

Authentication Protocol when using IKEv2.

X-Auth This displays when using IKEv1. When different users use the same VPN tunnel to

connect to the SBG (telecommuters sharing a tunnel for example), use X-auth to

enforce a user name and password check. This way even though telecommuters all

know the VPN tunnel’s security settings, each still has to provide a unique user name

and password.

Table 70 VPN Gateway: Add/Edit

LABEL DESCRIPTION

Chapter 10 VPN

SBG5500 Series User’s Guide

171

10.5.2 Add/Edit a VPN Connection

Click Add to create a new VPN Connection. You can also double click a VPN Connection or select one

and click Edit to go to the following screen.

Enable Extended

Authentication When multiple IPsec routers use the same VPN tunnel to connect to a single VPN

tunnel (telecommuters sharing a tunnel for example), use extended authentication

to enforce a user name and password check. This way even though they all know

the VPN tunnel’s security settings, each still has to provide a unique user name and

password.

Select the check box if one of the routers (the SBG or the remote IPsec router)

verifies a user name and password from the other router using the local user

database and/or an external server.

Allowed Auth Method This displays when using IKEv2. Select the authentication method, which specifies

how the SBG authenticates this information.

Server Mode Select this if the SBG authenticates the user name and password from the remote

IPsec router. You also have to select the AAA server to use for authentication if you

use IKEv1.

AAA Method This displays when using IKEv2. Select the AAA server to use to authenticate the user

name and password from the remote IPsec router.

OK Click OK to save your settings and exit this screen.

Cancel Click Cancel to exit this screen without saving.

Table 70 VPN Gateway: Add/Edit

LABEL DESCRIPTION

Chapter 10 VPN

SBG5500 Series User’s Guide

172

Figure 134 VPN Connection: Add/Edit

The following table describes the labels in this screen.

Table 71 VPN Connection: Add/Edit

LABEL DESCRIPTION

Show Advanced Settings /

Hide Advanced Settings

Click this button to display a greater or lesser number of configuration fields.

General Settings

Enable Select the check box to activate this VPN connection.

Connection Name Type the name used to identify this IPsec SA. You may use 1-48 alphanumeric

characters, underscores (_), or dashes (-), but the first character cannot be a

number. This value is case-sensitive.

Nailed Up Select this if you want the SBG to automatically renegotiate the IPsec SA when the

SA life time expires.

VPN Gateway

Chapter 10 VPN

SBG5500 Series User’s Guide

173

Application Scenario Select the scenario that best describes your intended VPN connection.

Site-to-site - Choose this if the remote IPsec router has a static IP address or a

domain name. This SBG can initiate the VPN tunnel.

Site-to-site with Dynamic Peer - Choose this if the remote IPsec router has a dynamic

IP address. Only the remote IPsec router can initiate the VPN tunnel.

Remote Access (Server Role) - Choose this to allow incoming connections from IPsec

VPN clients. The clients have dynamic IP addresses and are also known as dial-in

users. Only the clients can initiate the VPN tunnel.

Remote Access (Client Role) - Choose this to connect to an IPsec server. This SBG is

the client (dial-in user) and can initiate the VPN tunnel.

VPN Gateway Select the VPN gateway this VPN connection is to use.

Policy

Local policy Type the IP address of a computer on your network. You can also specify a subnet.

This must match the remote IP address configured on the remote IPsec device.

Remote Policy Type the IP address of a computer behind the remote IPsec device. You can also

specify a subnet. This must match the local IP address configured on the remote

IPsec device.

Full Tunnel Select this check box if you need the SBG to send packets through the VPN Tunnel.

Phase 2 Settings

SA Life Time Type the maximum number of seconds the IPsec SA can last. Shorter life times

provide better security. The SBG automatically negotiates a new IPsec SA before the

current one expires, if there are users who are accessing remote resources.

Advanced

Encapsulation Select which type of encapsulation the IPsec SA uses. Choices are:

Tunnel - this mode encrypts the IP header information and the data.

Transport - this mode only encrypts the data.

The SBG and remote IPsec router must use the same encapsulation.

Proposal Use this section to manage the encryption algorithm and authentication algorithm

pairs the SBG accepts from the remote IPsec router for negotiating the IPsec SA.

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

# This field is a sequential value, and it is not associated with a specific proposal. The

sequence of proposals should not affect performance significantly.

Table 71 VPN Connection: Add/Edit

LABEL DESCRIPTION

Chapter 10 VPN

SBG5500 Series User’s Guide

174

10.5.3 The Default_L2TP_VPN_GW IPsec VPN Rule

A default IPsec VPN rule (Default_L2TP_VPN_GW) is predefined. It can be edited but cannot be

removed. This rule is used for L2TP VPN exclusively and is disabled by default.

The following table lists the default settings for the Default_L2TP_VPN_GW IPsec VPN.

Encryption This field is applicable when the Active Protocol is ESP. Select which key size and

encryption algorithm to use in the IPsec SA. Choices are:

None - no encryption key or algorithm

3DES - a 168-bit key with the DES encryption algorithm

AES128 - a 128-bit key with the AES encryption algorithm

AES192 - a 192-bit key with the AES encryption algorithm

AES256 - a 256-bit key with the AES encryption algorithm

The SBG and the remote IPsec router must both have at least one proposal that uses

use the same encryption and the same key.

Longer keys are more secure, but require more processing power, resulting in

increased latency and decreased throughput.

Authentication Select which hash algorithm to use to authenticate packet data in the IPsec SA.

Choices are SHA1, SHA256, and SHA512. SHA is generally considered stronger than

MD5, but it is also slower.

The SBG and the remote IPsec router must both have a proposal that uses the same

authentication algorithm.

Perfect Forward Secrecy

(PFS)

Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you

do, which Diffie-Hellman key group to use for encryption. Choices are:

DH2 - enable PFS and use a 1024-bit random number

DH5 - enable PFS and use a 1536-bit random number

DH14 - enable PFS and use a 2048-bit random number

PFS changes the root key that is used to generate encryption keys for each IPsec SA.

The longer the key, the more secure the encryption, but also the longer it takes to

encrypt and decrypt information. Both routers must use the same DH key group.

OK Click OK to save your changes.

Cancel Click Cancel to restore your previously saved settings.

Table 71 VPN Connection: Add/Edit

LABEL DESCRIPTION

Table 72 Default settings for Default_L2TP_VPN_GW

GENERAL AUTHENTICATION

Enabled No Pre-Shared Key none

Nailed-up No Certificate none

NAT Traversal Yes Local ID Type IP

Application Scenario Remote Access Content 0.0.0.0

My Address Any Remote ID Type Any

PHASE 1 PHASE 2

Life time 86400 Life time 3600

Chapter 10 VPN

SBG5500 Series User’s Guide

175

10.5.4 PPTP VPN Troubleshooting Tips

This section lists the common troubleshooting tips for PPTP VPN.

1A PPTP client device (such as a PC, smart phone, tablet) cannot connect to the SBG.

TIP: This could be due to one of the following reasons:

a. The client device is not connected to the Internet successfully.

Action: Check the client device’s Internet connection.

b. Incorrect server address configured on the client device.

(1) If the Local WAN Interface is “Any”:

From the SBG’s GUI, click Status. The client device should be configured with one of the WAN

interface IP addresses.

(2) If the Local WAN Interface is an interface (IP address shown to the right):

Use that IP address for the client device to connect.

c. The WAN interface which the SBG’s PPTP VPN is using is not connected.

Action: From the SBG’s GUI, click Status. Check if the WAN interface the client device is connected has

an IP address present.

d. The PPTP VPN is not enabled.

Action: From the SBG’s GUI, click VPN > PPTP VPN. Check Enable check box and click Apply.

e. PPTP is not configured correctly on the client device.

Action: Check the PPTP VPN configuration on the client device.

f. The client entered an incorrect username or password.

Negotiation Mode Main Tunnel Mode ESP

Encryption /

Authentication

3DES / SHA1

3DES / MD5

AES256 / SHA1

Encryption DES

3DES

AES256

Authentication MD5

SHA1

Key Group DH2 Perfect Forward Secrecy

(PFS)

Dead Peer Detection

(DPD)

Yes Encapsulation Transport

XAUTH No

Table 72 Default settings for Default_L2TP_VPN_GW (continued)

GENERAL AUTHENTICATION

Chapter 10 VPN

SBG5500 Series User’s Guide

176

Action: From the SBG’s GUI, click Maintenance > User Account. The client should use one of the

accounts to make the connection.

g. The SBG has already reached the maximum number of concurrent PPTP VPN connections.

Action: There are too many clients connected. Wait a while and then retry.

2A PPTP client is disconnected unexpectedly.

Tip: A PPTP connection will be dropped when one of the followings occurs on the SBG:

a. The client has no activity for a period of time.

b. The client loses connectivity to the SBG for a period of time.

c. PPTP VPN is disabled on the SBG.

d. When any one of these configuration changes is applied on the SBG: WAN interface used for PPTP

VPN, IP address pool, access group.

e. The SBG’s WAN interface on which the PPTP connection is established is disconnected.

3A PPTP client is connected successfully but cannot access the local host or server behind the SBG.

Tip: This may be caused by one of the followings:

a. The local host or server is disconnected.

b. The access group is not configured correctly. From the SBG’s GUI, go to VPN > PPTP VPN to check.

Note that all local hosts are by default accessible unless access group is configured.

c. IP Address Pool for PPTP VPN conflicts with any WAN, LAN, DMZ, WLAN, or L2TP VPN subnet configured

on the SBG. Note that the IP Address Pool for PPTP VPN has a 24-bit netmask and should not conflict with

any others listed above even if they are not in use.

4A PPTP client is connected successfully but cannot browse the Internet.

Tip: From the SBG’s GUI, click VPN > PPTP VPN. Check if DNS Server is configured. A client cannot browse

the Internet without DNS resolved. Note that when a new DNS server is configured, the client must

disconnect then reconnect in order for the new DNS Server to take effect.

5An Android device cannot connect to the SBG’s PPTP VPN.

Tip: Devices running an Android OS older than version 4.1 have issues with PPTP/MPPE encryption. Avoid

using devices that run an Android OS older than version 4.1 for PPTP VPN connection.

10.6 The PPTP VPN Screen

Use this screen to configure settings for a Point to Point Tunneling Protocol (PPTP) server.

Click Configuration > VPN > PPTP VPN to open the following screen.

Chapter 10 VPN

SBG5500 Series User’s Guide

177

Figure 135 Configuration > VPN > PPTP VPN

The following table describes the labels in this screen.

Table 73 Configuration > VPN > PPTP VPN

LABEL DESCRIPTION

PPTP Setup

Enable Use this field to turn the SBG’s PPTP VPN function on or off.

IP Address Pool Enter the pool of IP addresses that the SBG uses to assign to the PPTP VPN clients.

Note: This is with a 24-bit netmask and should not conflict with any configured

WAN, LAN, DMZ, WLAN, or L2TP VPN subnet even if they are not in use.

Access LAN Group

(optional)

Specify up to 2 LAN groups (subnets) which a PPTP VPN client is allowed to access. If none

is specified, all LAN groups can be accessed. Enter the IP address and Subnet Mask for

the LAN group(s).

Keep Alive Timer The SBG sends a Hello message after waiting this long without receiving any traffic from

the remote user. The SBG disconnects the VPN tunnel if the remote user does not respond.

Preferred DNS Server

(Optional)

Specify the IP addresses of DNS servers to assign to the remote users.

You can choose from one of the DNS servers from the list, or choose User Defined to enter

the static IP addresses for the first and second DNS servers manually.

Alternative DNS Server

(Optional)

Specify the second DNS server address.

Chapter 10 VPN

SBG5500 Series User’s Guide

178

10.6.1 PPTP VPN Troubleshooting Tips

This section lists the common troubleshooting tips for PPTP VPN.

1A PPTP client device (such as a PC, smart phone, tablet) cannot connect to the SBG.

TIP: This could be due to one of the following reasons:

a. The client device is not connected to the Internet successfully.

Action: Check the client device’s Internet connection.

b. Incorrect server address configured on the client device.

(1) If the Local WAN Interface is “Any”:

(2) If the Local WAN Interface is an interface (IP address shown to the right):

Use that IP address for the client device to connect.

c. The WAN interface which the SBG’s PPTP VPN is using is not connected.

Action: From the SBG’s GUI, click Status. Check if the WAN interface the client device is connected has

an IP address present.

d. The PPTP VPN is not enabled.

Action: From the SBG’s GUI, click VPN > PPTP VPN. Check Enable check box and click Apply.

e. PPTP is not configured correctly on the client device.

Action: Check the PPTP VPN configuration on the client device.

f. The client entered an incorrect username or password.

Action: From the SBG’s GUI, click Maintenance > User Account. The client should use one of the

accounts to make the connection.

g. The SBG has already reached the maximum number of concurrent PPTP VPN connections.

Action: There are too many clients connected. Wait a while and then retry.

2A PPTP client is disconnected unexpectedly.

Tip: A PPTP connection will be dropped when one of the followings occurs on the SBG:

WINS Server (Optional) The WINS (Windows Internet Naming Service) server keeps a mapping table of the

computer names on your network and the IP addresses that they are currently using.

Type the IP addresses of up to two WINS servers to assign to the remote users.

Apply Click Apply to save your changes back to the SBG.

Reset Click Reset to restore your previous settings.

Table 73 Configuration > VPN > PPTP VPN

LABEL DESCRIPTION

Chapter 10 VPN

SBG5500 Series User’s Guide

179

a. The client has no activity for a period of time.

b. The client loses connectivity to the SBG for a period of time.

c. PPTP VPN is disabled on the SBG.

d. When any one of these configuration changes is applied on the SBG: WAN interface used for PPTP

VPN, IP address pool, access group.

e. The SBG’s WAN interface on which the PPTP connection is established is disconnected.

3A PPTP client is connected successfully but cannot access the local host or server behind the SBG.

Tip: This may be caused by one of the followings:

a. The local host or server is disconnected.

b. The access group is not configured correctly. From the SBG’s GUI, go to VPN > PPTP VPN to check.

Note that all local hosts are by default accessible unless access group is configured.

c. IP Address Pool for PPTP VPN conflicts with any WAN, LAN, DMZ, WLAN, or L2TP VPN subnet configured

on the SBG. Note that the IP Address Pool for PPTP VPN has a 24-bit netmask and should not conflict with

any others listed above even if they are not in use.

4A PPTP client is connected successfully but cannot browse the Internet.

Tip: From the SBG’s GUI, click VPN > PPTP VPN. Check if DNS Server is configured. A client cannot browse

the Internet without DNS resolved. Note that when a new DNS server is configured, the client must

disconnect then reconnect in order for the new DNS Server to take effect.

5An Android device cannot connect to the SBG’s PPTP VPN.

Tip: Devices running an Android OS older than version 4.1 have issues with PPTP/MPPE encryption. Avoid

using devices that run an Android OS older than version 4.1 for PPTP VPN connection.

10.7 The L2TP VPN Screen

Click Configuration > VPN > L2TP VPN to open the following screen. Use this screen to configure the SBG

L2TP VPN settings.

10.7.1 L2TP Setup - Server

The following screen displays when you select Server in the Type field.

Chapter 10 VPN

SBG5500 Series User’s Guide

180

Figure 136 Configuration > VPN > L2TP VPN > Server

The following table describes the fields in this screen.

Table 74 Configuration > VPN > L2TP VPN > Server

LABEL DESCRIPTION

L2TP Setup

Type Select Server to have the SBG Series act as a L2TP VPN server . Also, the screen varies

depending on which option you select here.

Enable Select the check box to enable the SBG’s L2TP VPN function as a server.

IPsec

IP Address Pool Enter the pool of IP addresses that the SBG uses to assign to the L2TP VPN clients.

Note: These addresses use a 24-bit netmask and should not conflict with any WAN,

LAN, DMZ, WLAN, or PPTP VPN subnet even if they are not in use.

Access LAN Group

(optional)

Specify up to 2 LAN groups (subnets) which a L2TP VPN client is allowed to access. If none is

specified, all LAN groups can be accessed. Enter the IP address and Subnet Mask for the LAN

group(s).

Keep Alive Timer The SBG sends a Hello message after waiting this long without receiving any traffic from the

remote user. The SBG disconnects the VPN tunnel if the remote user does not respond.

DNS Server 1

(Optional)

Specify the IP addresses of DNS servers to assign to the remote users.

You can choose from one of the DNS servers from the list, or choose User Defined to enter the

static IP addresses for the first and second DNS servers manually.

DNS Server 2

(Optional)

Specify the second DNS server address.

WINS Server

(Optional)

The WINS (Windows Internet Naming Service) server keeps a mapping table of the computer

names on your network and the IP addresses that they are currently using.

Type the IP addresses of up to two WINS servers to assign to the remote users.

Chapter 10 VPN

SBG5500 Series User’s Guide

181

10.7.2 L2TP Setup - Client

The following screen displays when you select Client in the Type field.

Figure 137 Configuration > VPN > L2TP VPN > Client

The following table describes the labels in this screen.

Apply Click Apply to save your changes back to the SBG.

Reset Click Reset to restore your previous settings.

Table 74 Configuration > VPN > L2TP VPN > Server

LABEL DESCRIPTION

Table 75 Configuration > VPN > L2TP VPN > Client

LABEL DESCRIPTION

Type Select Client to have the SBG act as a L2TP VPN client. Also, the screen varies

depending on which option you select here.

Enable Select the check box to enable the SBG’s L2TP VPN function as a client.

Default Route Enable Select the check box to use the L2TP VPN connection as the system default route.

Nailed-up Enable Select this if you want the SBG to automatically reconnect when the L2TP VPN

connection is down. The attempt to reconnect will continue until the L2TP VPN

connection is up again.

Nailed-up Period Enter a value in seconds for the SBG to wait before re-initiating L2TP VPN

connections. The valid range for the period is 10-180 seconds.

Server IP Address or Name Enter the IP address or domain name of the LNS (L2TP Network Server).

Chapter 10 VPN

SBG5500 Series User’s Guide

182

10.7.3 L2TP VPN Troubleshooting Tips

This section lists the common troubleshooting tips for L2TP VPN.

1A L2TP client device (such as a PC, smart phone, tablet) cannot connect to the SBG.

TIP: This could be due to one of the following reasons:

a. The client device is not connected to the Internet successfully.

Action: Check the client device’s Internet connection.

Management IP Address Enter the SBG's public routable IP address for management purposes, and an

administrator will be able to reach the SBG via L2TP VPN connection and the

address input here.

Local Host Name Enter the L2TP local host name.

Tunnel Auth When performing tunnel authentication on the LNS (L2TP Network Server), please

select the check box to enable tunnel authentication, and enter a valid Tunnel

Secret in the next column.

Tunnel Secret Enter a valid Tunnel Secret consisting of 4-64 characters, and the following special

characters are not allowed: '/\=".

PPP Setup

MPPE Enable Click the check box to use MPPE, Microsoft Point to Point Encryption. It enables 40-bit

encryption as well as 128-bit encryption.

Note: PPP CHAP must be enabled as well.

Auth Type Select PAP or/and CHAP as your authentication method(s).

PAP (Password Authentication Protocol ) - The L2TP server will crosscheck the

username and password sent by the client with the database for authentication

purposes.

CHAP (Challenge Handshake Authentication Protocol) - When it’s enabled, MS-

CHAP and MS-CHAP-v2 are both supported. Also, CHAP needs to be enabled if you

wish to activate MPPE.

Username Enter the username for PPP authentication. It must be consistent with the

configuration made on LNS (L2TP Network Server). Otherwise the L2TP VPN

connection will not be established.

Password Enter the password for PPP authentication. It must be consistent with the

configuration made on LNS (L2TP Network Server). Otherwise the L2TP VPN

connection will not be established.

Interface Group NAT Setup

Default Select None, NAT, or Address Mapping to apply to the L2TP VPN connection.

None - NAT is not applied to the L2TP VPN connection.

NAT - Select this option to turn on the NAT function on the VPN connection.

Address Mapping - Select this option to apply the specified address mapping rule(s)

to the VPN connection. The address mapping rules are configured using the

Configuration > NAT > Address Mapping screen.

Apply Click Apply to save your changes back to the SBG.

Reset Click Reset to restore your previous settings.

Table 75 Configuration > VPN > L2TP VPN > Client

LABEL DESCRIPTION

Chapter 10 VPN

SBG5500 Series User’s Guide

183

b. Incorrect server address configured on the client device.

Action: From the SBG’s GUI, click VPN > IPsec VPN.

(1) If the Local Gateway Address for Default_L2TP_VPN_GW is set to “Any”:

(2) If the Local Gateway Address for Default_L2TP_VPN_GW is an IP address:

Use that IP address for the client device to connect.

c. The WAN interface which the SBG’s L2TP VPN is using is not connected.

Action: From the SBG’s GUI, click Status. Check if the WAN interface used by L2TP VPN is connected.

d. The client device has an incorrect IPsec pre-shared key configured.

Action: From the SBG’s GUI, click VPN > L2TP VPN. The client device should use the same pre-shared key.

e. The L2TP VPN is not fully enabled.

Action: From the SBG’s GUI,

(1) Click VPN > L2TP VPN. Select the Enable check box and click Apply.

(2) Click VPN > L2TP VPN. Select the Enable check box and click Apply.

f. L2TP or IPsec is not configured correctly on the client device.

Action: Check the L2TP VPN configuration on the client device.

g. The client entered an incorrect user name or password.

Action: From the SBG’s GUI, click Maintenance > User Account. The client should use one of the

accounts to make the connection.

h. The SBG exceeds the maximum number of concurrent L2TP VPN connections.

Action: There are too many clients connected. Wait a while and then retry.

2A windows L2TP client fails to connect to the SBG with an "invalid certificate" message.

Tip: Windows sometimes may show this error even if the client device has been configured with a

correct pre-shared key for authentication. This usually happens at the first connection attempt after a

new connection profile is created. Reconfigure the pre-shared key on the client Windows device and

retry the connection.

3An L2TP client device cannot reconnect after it is disconnected.

Tip: If a client reconnects right after it is disconnected, the reconnection may fail. Wait 60 seconds

before reconnecting.

4An L2TP client is disconnected unexpectedly.

Tip: An L2TP connection will be dropped when one of the followings occurs on the SBG:

(1) Client has no activity for a period of time.

Chapter 10 VPN

SBG5500 Series User’s Guide

184

(2) Client loses connectivity to the SBG for a period of time.

(3) Any IPsec VPN configuration change is applied on the SBG.

(4) Either Default_L2TP_VPN_GW IPsec configuration or L2TP VPN is disabled on the SBG.

(5) When any one of these configuration changes is applied on the SBG: WAN Interface used for L2TP

VPN, IP Address Pool, Access Group.

(6) The SBG WAN interface on which the L2TP connection established is disconnected.

5An L2TP client is connected successfully but cannot access the local host or server behind the SBG.

Tip: This may be caused by one of the followings:

(1) The local host or server is disconnected.

(2) The Access Group is not configured correctly. From the SBG’s GUI, go to the VPN > L2TP VPN screen

to check. Note that all local hosts are by default accessible unless Access Group is configured.

(3) IP Address Pool for L2TP VPN is conflicting with any WAN, LAN, DMZ, WLAN, or PPTP VPN subnet

configured on the SBG. Note that IP Address Pool for L2TP VPN has 24-bit netmask and should not

conflict with any others listed above even if they are not in use.

6An L2TP client is connected successfully but cannot browse Internet.

Tip: From the SBG’s GUI, click VPN > L2TP VPN. Check if DNS Server is configured. A client cannot browse

Internet without DNS resolved. Note that when a new DNS Server is configured, the client must

disconnect then reconnect in order for the new DNS Server to take effect.

7The L2TP client can no longer connect to SBG after the Encryption or Authentication for the

Default_L2TP_VPN_GW IPsec VPN rule is changed.

Tip: A user usually do not need change the default Encryption or Authentication algorithms in the

Default_L2TP_VPN IPsec VPN rule. The default Encryption and Authentication algorithms should support

the built-in L2TP/IPsec client software in the popular operating systems (Windows (XP, Vista, 7), Android,

and iOS).

Refer to Table 71 on page 172 for the default setting of the Default_L2TP_VPN_GW IPsec VPN rule.

As a reference, Table 76 on page 184 lists the IPsec proposals provided by a built-in L2TP client in the

popular operating systems during IPsec phase 1 negotiation. The first proposal that can be supported by

the phase 1 setting in the Default_L2TP_VPN_GW IPsec VPN rule will be accepted by the SBG. The

algorithms in red in Table 76 on page 184 indicate the ones that will be accepted based on Table 72 on

page 174.

Table 76 Phase 1 IPsec proposals provided by the built-in L2TP client in popular operating systems

(Encryption/Authentication/Key Group)

WINDOWS XP WINDOWS VISTA WINDOWS 7 IOS 5.1 ANDROID 4.1

1 3DES/SHA1/DH15 3DES/SHA1/DH15 AES/SHA1/DH15 AES/SHA1/DH2 AES/SHA1/DH2

23DES/SHA1/DH2 3DES/SHA1/DH2 3DES/SHA1/DH15 AES/MD5/DH2 AES/MD5/DH2

3 3DES/MD5/DH2 3DES/SHA1/DH2 3DES/SHA1/DH2 3DES/SHA1/DH2

4 DES/SHA1/DH1 3DES/MD5/DH2 3DES/MD5/DH2

Chapter 10 VPN

SBG5500 Series User’s Guide

185

After phase 1 tunnel is established, IPsec phase 2 negotiations begin. Table 77 on page 185 lists the IPsec

phase 2 proposals provided by a built-in L2TP client in the popular operating systems. The first proposal

that can be supported by the phase 2 setting in the Default_L2TP_VPN_GW IPsec VPN rule will be

accepted by the SBG. The algorithms in red in Table 77 on page 185 indicate the ones that will be

accepted based on Table 72 on page 174.

10.8 The L2TP Client Status Screen

Use the L2TP Client Status screen to view details about the L2TP clients. Click Configuration > VPN > L2TP

Client Status to open the following screen.

5DES/MD5/DH1 DES/SHA1/DH2

6DES/MD5/DH2

Table 77 Phase 2 IPsec proposals provided by the built-in L2TP client in popular operating systems

(Tunnel Mode/Encryption/Authentication) [Encapsulation = Transport]

WINDOWS XP WINDOWS VISTA WINDOWS 7 IOS 5.1 ANDROID 4.1

1ESP/3DES/MD5

ESP/3DES/SHA1

ESP/AES/SHA1 ESP/AES/SHA1 ESP/AES/SHA1

ESP/AES/MD5

ESP/3DES/SHA1

ESP/3DES/MD5

ESP/AES/SHA1

ESP/AES/MD5

ESP/3DES/SHA1

ESP/3DES/MD5

ESP/DES/SHA1

ESP/DES/MD5

2 AH/-/SHA1 and

ESP/3DES/-

ESP/3DES/SHA1 ESP/3DES/SHA1

3 AH/-/MD5 and

ESP/3DES/-

AH/-/SHA1 and

ESP/AES/-

ESP/DES/SHA1

4 AH/-/SHA1 and

ESP/3DES/SHA1

AH/-/SHA1 and

ESP/3DES/-

ESP/-/SHA1

5 AH/-/MD5 and

ESP/3DES/MD5

AH/-/SHA1 and

ESP/3DES/SHA1

AH/-/SHA1

6 ESP/DES/MD5 ESP/

DES/SHA1

ESP/-/SHA1

AH/-/SHA1

Table 76 Phase 1 IPsec proposals provided by the built-in L2TP client in popular operating systems

(Encryption/Authentication/Key Group)

WINDOWS XP WINDOWS VISTA WINDOWS 7 IOS 5.1 ANDROID 4.1

Chapter 10 VPN

SBG5500 Series User’s Guide

186

Figure 138 Configuration > VPN > L2TP Client Status

The following table describes the labels in this screen.

10.9 Technical Reference

This section provides some technical background information about the topics covered in this chapter.

10.9.1 IPsec Architecture

The overall IPsec architecture is shown as follows.

Table 78 Configuration > VPN > L2TP Client Status

LABEL DESCRIPTION

L2TP Status

Status This field displays whether the L2TP VPN is active or not. A yellow bulb signifies that

this VPN is active. A gray bulb signifies that this VPN is not active.

Up Time This field displays the period of time this connection has been up.

Server Name This field displays the name of the L2TP Network Server.

Server WAN IP This field displays the WAN IP address of the L2TP Network Server.

Client WAN IP This field displays the WAN IP address of the L2TP client.

Server L2TP IP This field displays the assigned L2TP IP address of the L2TP network server.

Client L2TP IP This field displays the assigned L2TP IP address of the L2TP client.

L2TP Statistics

Rx Data Packets This indicates the number of packets received in this L2TP connection.

Rx Data Bytes This indicates the number of bytes received in this L2TP connection.

Rx Errors This indicates the number of received packet errors in this L2TP connection.

Tx Data Packets This indicates the number of packets transmitted in this L2TP connection.

Tx Data Bytes This indicates the number of bytes transmitted in this L2TP connection.

Tx Errors This indicates the number of transmitted packet errors in this L2TP connection.

Chapter 10 VPN

SBG5500 Series User’s Guide

187

Figure 139 IPsec Architecture

IPsec Algorithms

The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol

(RFC 2402) describe the packet formats and the default standards for packet structure (including

implementation algorithms).

The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption

Standard) and Triple DES algorithms.

The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404, provide an

authentication mechanism for the AH and ESP protocols.

Key Management

Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in

order to set up a VPN.

10.9.2 Encapsulation

The two modes of operation for IPsec VPNs are Transport mode and Tunnel mode. At the time of writing,

the SBG supports Tunnel mode only.

Chapter 10 VPN

SBG5500 Series User’s Guide

188

Figure 140 Transport and Tunnel Mode IPsec Encapsulation

Transport Mode

Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In

Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP

header and options, but before any upper layer protocols contained in the packet (such as TCP and

UDP).

With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP header

information and options are not used in the authentication process. Therefore, the originating IP address

cannot be verified for integrity against the data.

With the use of AH as the security protocol, protection is extended forward into the IP header to verify

the integrity of the entire packet by use of portions of the original IP header in the hashing process.

Tunnel Mode

Tunnel mode encapsulates the entire IP packet to transmit it securely. A Tunnel mode is required for

gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with

authentication and encryption. This is the most common mode of operation. Tunnel mode is required for

gateway to gateway and host to gateway communications. Tunnel mode communications have two

sets of IP headers:

•Outside header: The outside IP header contains the destination IP address of the VPN gateway.

•Inside header: The inside IP header contains the destination IP address of the final system behind the

VPN gateway. The security protocol appears after the outer IP header and before the inside IP

header.

10.9.3 IKE Phases

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and

phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to

negotiate SAs for IPsec.

Chapter 10 VPN

SBG5500 Series User’s Guide

189

Figure 141 Two Phases to Set Up the IPsec SA

In phase 1 you must:

• Choose a negotiation mode.

• Authenticate the connection by entering a pre-shared key.

• Choose an encryption algorithm.

• Choose an authentication algorithm.

• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).

• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it

times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an

IPsec SA is already established, the IPsec SA stays connected.

In phase 2 you must:

• Choose an encryption algorithm.

• Choose an authentication algorithm

• Choose a Diffie-Hellman public-key cryptography key group.

• Set the IPsec SA lifetime. This field allows you to determine how long the IPsec SA should stay up

before it times out. The SBG automatically renegotiates the IPsec SA if there is traffic when the IPsec

SA lifetime period expires. If an IPsec SA times out, then the IPsec router must renegotiate the SA the

next time someone attempts to send traffic.

10.9.4 Negotiation Mode

The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be

established for each connection through IKE negotiations.

•Main Mode ensures the highest level of security when the communicating parties are negotiating

authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman

exchange and an exchange of nonces (a nonce is a random number). This mode features identity

protection (your identity is not revealed in the negotiation).

Chapter 10 VPN

SBG5500 Series User’s Guide

190

•Aggressive Mode is quicker than Main Mode because it eliminates several steps when the

communicating parties are negotiating authentication (phase 1). However the trade-off is that faster

speed limits its negotiating power and it also does not provide identity protection. It is useful in remote

access situations where the address of the initiator is not know by the responder and both parties

want to use pre-shared key authentication.

10.9.5 IPsec and NAT

Read this section if you are running IPsec on a host computer behind the SBG.

NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPsec VPN using the AH

protocol digitally signs the outbound packet, both data payload and headers, with a hash value

appended to the packet. When using AH protocol, packet contents (the data payload) are not

encrypted.

A NAT device in between the IPsec endpoints will rewrite either the source or destination address with

one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming

packet by computing its own hash value, and complain that the hash value appended to the received

packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle,

so it assumes that the data has been maliciously altered.

IPsec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP

packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and

its destination address is the inbound address of the VPN device at the receiving end. When using ESP

protocol with authentication, the packet contents (in this case, the entire original packet) are

encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended

to the packet.

Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed

over the combination of the "original header plus original payload," which is unchanged by a NAT

device.

Transport mode ESP with authentication is not compatible with NAT.

10.9.6 VPN, NAT, and NAT Traversal

NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPsec VPN using the AH

protocol digitally signs the outbound packet, both data payload and headers, with a hash value

appended to the packet, but a NAT device between the IPsec endpoints rewrites the source or

destination address. As a result, the VPN device at the receiving end finds a mismatch between the

hash value and the data and assumes that the data has been maliciously altered.

NAT is not normally compatible with ESP in transport mode either, but the SBG’s NAT Traversal feature

provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers

between the two IPsec routers.

Table 79 VPN and NAT

SECURITY PROTOCOL MODE NAT

AH Transport N

AH Tunnel N

ESP Transport N

ESP Tunnel Y

Chapter 10 VPN

SBG5500 Series User’s Guide

191

Figure 142 NAT Router Between IPsec Routers

Normally you cannot set up an IKE SA with a NAT router between the two IPsec routers because the NAT

router changes the header of the IPsec packet. NAT traversal solves the problem by adding a UDP port

500 header to the IPsec packet. The NAT router forwards the IPsec packet with the UDP port 500 header

unchanged. In the above figure, when IPsec router A tries to establish an IKE SA, IPsec router B checks

the UDP port 500 header, and IPsec routers A and B build the IKE SA.

For NAT traversal to work, you must:

• Use ESP security protocol (in either transport or tunnel mode).

• Use IKE keying mode.

• Enable NAT traversal on both IPsec endpoints.

• Set the NAT router to forward UDP port 500 to IPsec router A.

Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the

combination of the "original header plus original payload," which is unchanged by a NAT device. The

compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following table.

Y* - This is supported in the SBG if you enable NAT traversal.

10.9.7 ID Type and Content

With aggressive negotiation mode (see Section 10.9.4 on page 189), the SBG identifies incoming SAs by

ID type and content since this identifying information is not encrypted. This enables the SBG to distinguish

between multiple rules for SAs that connect from remote IPsec routers that have dynamic WAN IP

addresses.

Regardless of the ID type and content configuration, the SBG does not allow you to save multiple active

rules with overlapping local and remote IP addresses.

With main mode (see Section 10.9.4 on page 189), the ID type and content are encrypted to provide

identity protection. In this case the SBG can only distinguish between different incoming SAs that

connect from remote IPsec routers that have dynamic WAN IP addresses. The SBG can distinguish

incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two

authentication algorithms (MD5 and SHA1) and eight key groups when you configure a VPN rule (see

Table 80 VPN and NAT

SECURITY PROTOCOL MODE NAT

AH Transport N

AH Tunnel N

ESP Transport Y*

ESP Tunnel Y

Chapter 10 VPN

SBG5500 Series User’s Guide

192

Section 10.6 on page 176). The ID type and content act as an extra level of identification for incoming

SAs.

The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address,

domain name, or e-mail address.

10.9.7.1 ID Type and Content Examples

Two IPsec routers must have matching ID type and content configuration in order to set up a VPN

tunnel.

The two SBGs in this example can complete negotiation and establish a VPN tunnel.

The two SBGs in this example cannot complete their negotiation because SBG B’s Local ID type is IP, but

SBG A’s Remote ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.

10.9.8 Pre-Shared Key

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section 10.9.3

on page 188 for more on IKE phases). It is called “pre-shared” because you have to share it with another

party before you can communicate with them over a secure connection.

10.9.9 Diffie-Hellman (DH) Key Groups

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared

secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to

establish session keys. 768-bit, 1024-bit 1536-bit, 2048-bit, and 3072-bit Diffie-Hellman groups are

Table 81 Local ID Type and Content Fields

LOCAL ID TYPE= CONTENT=

IP Type the IP address of your computer.

FQDN Type a domain name (up to 31 characters) by which to identify this SBG.

User-FQDN Type an e-mail address (up to 31 characters) by which to identify this SBG.

The domain name or e-mail address that you use in the Local ID Content field is used

for identification purposes only and does not need to be a real domain name or e-

mail address.

Table 82 Matching ID Type and Content Configuration Example

SBG A SBG B

Local ID type: User-FQDN Local ID type: IP

Local ID content: tom@yourcompany.com Local ID content: 1.1.1.2

Remote ID type: IP Remote ID type: E-mail

Remote ID content: 1.1.1.2 Remote ID content: tom@yourcompany.com

Table 83 Mismatching ID Type and Content Configuration Example

SBG A SBG B

Local ID type: IP Local ID type: IP

Local ID content: 1.1.1.10 Local ID content: 1.1.1.2

Remote ID type: User-FQDN Remote ID type: IP

Remote ID content: aa@yahoo.com Remote ID content: 1.1.1.0

Chapter 10 VPN

SBG5500 Series User’s Guide

193

supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but

the IKE SA is not authenticated. For authentication, use pre-shared keys.

SBG5500 Series User’s Guide

194

CHAPTER 11

Bandwidth Management

11.1 Overview

Quality of Service (QoS) refers to both a network’s ability to deliver data with minimum delay, and the

networking methods used to control the use of bandwidth. Without QoS, all traffic data is equally likely

to be dropped when the network is congested. This can cause a reduction in network performance and

make the network inadequate for time-critical application such as video-on-demand.

Configure QoS on the SBG to group and prioritize application traffic and fine-tune network

performance. Setting up QoS involves these steps:

1Configure classifiers to sort traffic into different flows.

2Assign priority and define actions to be performed for a classified traffic flow.

The SBG assigns each packet a priority and then queues the packet accordingly. Packets assigned a

high priority are processed more quickly than those with low priority if there is congestion, allowing time-

sensitive applications to flow more smoothly. Time-sensitive applications include both those that require

a low level of latency (delay) and a low level of jitter (variations in delay) such as Voice over IP (VoIP) or

Internet gaming, and those for which jitter alone is a problem such as Internet radio or streaming video.

This chapter contains information about configuring QoS and editing classifiers.

11.1.1 What You Can Do in this Chapter

• The General screen lets you enable or disable QoS and set the upstream bandwidth (Section 11.2 on

page 196).

• The Queue Setup screen lets you configure QoS queue assignment (Section 11.3 on page 197).

• The Classification Setup screen lets you add, edit or delete QoS classifiers (Section 11.4 on page 199).

• The Policer Setup screen lets you add, edit or delete QoS policers (Section 11.5 on page 204).

• The Shaper Setup screen lets you limit outgoing traffic transmission rate on the selected interface

(Section 11.6 on page 206)

11.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

QoS versus Cos

QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the

same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of

traffic together and treating each type as a class. You can use CoS to give different priorities to different

packet types.

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

195

CoS technologies include IEEE 802.1p layer 2 tagging and DiffServ (Differentiated Services or DS). IEEE

802.1p tagging makes use of three bits in the packet header, while DiffServ is a new protocol and

defines a new DS field, which replaces the eight-bit ToS (Type of Service) field in the IP header.

Tagging and Marking

In a QoS class, you can configure whether to add or change the DSCP (DiffServ Code Point) value, IEEE

802.1p priority level and VLAN ID number in a matched packet. When the packet passes through a

compatible network, the networking device, such as a backbone switch, can provide specific

treatment or service based on the tag or marker.

Traffic Shaping

Bursty traffic may cause network congestion. Traffic shaping regulates packets to be transmitted with a

pre-configured data transmission rate using buffers (or queues). Your SBG uses the Token Bucket

algorithm to allow a certain amount of large bursts while keeping a limit at the average rate.

Traffic Policing

Traffic policing is the limiting of the input or output transmission rate of a class of traffic on the basis of

user-defined criteria. Traffic policing methods measure traffic flows against user-defined criteria and

identify it as either conforming, exceeding or violating the criteria.

The SBG supports three incoming traffic metering algorithms: Token Bucket Filter (TBF), Single Rate Two

Color Maker (srTCM), and Two Rate Two Color Marker (trTCM). You can specify actions which are

performed on the colored packets. See Section 11.7 on page 207 for more information on each

metering algorithm.

Traffic

Time

Traffic Rate

Traffic

Time

Traffic Rate

(Before Traffic Shaping) (After Traffic Shaping)

Traffic

Time

Traffic Rate

Traffic

Time

Traffic Rate

(Before Traffic Policing) (After Traffic Policing)

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

196

11.2 The General Screen

Click Configuration > Bandwidth Management > General to open the screen as shown next.

Use this screen to enable or disable QoS and set the upstream bandwidth. See Section 11.1 on page 194

for more information.

Figure 143 Configuration > Bandwidth Management > General

The following table describes the labels in this screen.

Table 84 Configuration > Bandwidth Management > General

LABEL DESCRIPTION

Enable Select the Enable check box to turn on QoS to improve your network performance.

WAN Managed

Upstream

Bandwidth

Enter the amount of upstream bandwidth for the WAN interfaces that you want to allocate using

QoS.

The recommendation is to set this speed to match the interfaces’ actual transmission speed. For

example, set the WAN interfaces’ speed to 100000 kbps if your Internet connection has an

upstream transmission speed of 100 Mbps.

You can set this number higher than the interfaces’ actual transmission speed. The SBG uses up

to 95% of the DSL port’s actual upstream transmission speed even if you set this number higher

than the DSL port’s actual transmission speed.

You can also set this number lower than the interfaces’ actual transmission speed. This will cause

the SBG to not use some of the interfaces’ available bandwidth.

If you leave this field blank, the SBG automatically sets this number to be 95% of the WAN

interfaces’ actual upstream transmission speed.

LAN Managed

Downstream

Bandwidth

Enter the amount of downstream bandwidth for the LAN interfaces (including WLAN) that you

want to allocate using QoS.

The recommendation is to set this speed to match the WAN interfaces’ actual transmission

speed. For example, set the LAN managed downstream bandwidth to 100000 kbps if you use a

100 Mbps wired Ethernet WAN connection.

You can also set this number lower than the WAN interfaces’ actual transmission speed. This will

cause the SBG to not use some of the interfaces’ available bandwidth.

If you leave this field blank, the SBG automatically sets this to the LAN interfaces’ maximum

supported connection speed.

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

197

11.3 The Queue Setup Screen

Click Configuration > Bandwidth Management > Queue Setup to open the screen as shown next.

Use this screen to configure QoS queue assignment.

Figure 144 Configuration > Bandwidth Management > Queue Setup

The following table describes the labels in this screen.

Upstream traffic

priority Assigned

Select how the SBG assigns priorities to various upstream traffic flows.

•None: Disables auto priority mapping and has the SBG put packets into the queues

according to your classification rules. Traffic which does not match any of the classification

rules is mapped into the default queue with the lowest priority.

•Ethernet Priority: Automatically assign priority based on the IEEE 802.1p priority level.

•IP Precedence: Automatically assign priority based on the first three bits of the TOS field in the

IP header.

•Packet Length: Automatically assign priority based on the packet size. Smaller packets get

higher priority since control, signaling, VoIP, internet gaming, or other real-time packets are

usually small while larger packets are usually best effort

• data packets like file transfers.

Apply Click Apply to save your changes.

Reset Click Reset to restore your previously saved settings.

Table 84 Configuration > Bandwidth Management > General (continued) (continued)

LABEL DESCRIPTION

Table 85 Network Setting > QoS > Queue Setup

LABEL DESCRIPTION

Add Click this button to create a new queue entry.

Edit Double-click a queue entry or select it and click Edit to open a screen where you can modify

the queue’s settings.

Remove To remove an existing queue entry, select it and click Remove. Note that subsequent rules move

up by one when you take this action.

Multiple Entries

Turn On

Select a queue and click this to enable it.

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

198

11.3.1 Adding a QoS Queue

Click Add or the select an existing queue and click Edit icon in the Queue Setup screen to configure a

queue.

Figure 145 Queue Setup: Add/Edit

The following table describes the labels in this screen.

Multiple Entries

Turn Off

Select a queue and click this to disable it.

#This is the index number of the queue entry.

Status This field displays whether the queue is active or not. A green ON button signifies that this queue

is active. A gray OFF button signifies that this queue is not active.

Click the slide button to turn on or turn off the queue.

Name This shows the descriptive name of this queue.

Interface This shows the name of the SBG’s interface through which traffic in this queue passes.

Priority This shows the priority of this queue.

Weight This shows the weight of this queue.

Buffer

Management

This shows the queue management algorithm used for this queue.

Queue management algorithms determine how the SBG should handle packets when it

receives too many (network congestion).

Rate Limit This shows the maximum transmission rate allowed for traffic on this queue.

Table 85 Network Setting > QoS > Queue Setup (continued)

LABEL DESCRIPTION

Table 86 Queue Setup: Add/Edit

LABEL DESCRIPTION

Enable Select to enable or disable this queue.

Name Enter the descriptive name of this queue. You can use up to 31 alphanumeric characters, it must

begin with a letter. The valid characters are [0-9][a-z] [A-Z][_-].

This field is not configurable if you are editing an existing queue.

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

199

11.4 The Classification Setup Screen

Use this screen to add, edit or delete QoS classifiers. A classifier groups traffic into data flows according

to specific criteria such as the source address, destination address, source port number, destination port

number or incoming interface. For example, you can configure a classifier to select traffic from the

same protocol port (such as Telnet) to form a flow.

You can give different priorities to traffic that the SBG forwards out through the WAN interface. Give high

priority to voice and video to make them run more smoothly. Similarly, give low priority to many large file

downloads so that they do not reduce the quality of other applications.

Click Configuration > Bandwidth Management > Classification Setup to open the following screen.

Figure 146 Configuration > Bandwidth Management > Classification Setup

The following table describes the labels in this screen.

Interface Select the interface to which this queue is applied.

This field is read-only if you are editing the queue.

Priority Select the priority level (from 1 to 8) of this queue.

The smaller the number, the higher the priority level. Traffic assigned to higher priority queues

gets through faster while traffic in lower priority queues is dropped if the network is congested.

Weight Select the weight (from 1 to 8) of this queue.

If two queues have the same priority level, the SBG divides the bandwidth across the queues

according to their weights. Queues with larger weights get more bandwidth than queues with

smaller weights.

Dropping

Algorithm

This field displays Drop Tail (DT). Drop Tail (DT) is a simple queue management algorithm that

allows the SBG buffer to accept as many packets as it can until it is full. Once the buffer is full,

new packets that arrive are dropped until there is space in the buffer again (packets are

transmitted out of it).

Rate Limit Specify the maximum transmission rate (in Kbps) allowed for traffic on this queue.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Table 86 Queue Setup: Add/Edit (continued)

LABEL DESCRIPTION

Table 87 Configuration > Bandwidth Management > Classification Setup

LABEL DESCRIPTION

Add Click this to create a new classifier.

Edit Double-click a classifier or select it and click Edit to open a screen where you can modify

the classifier’s settings.

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

200

11.4.1 Add/Edit a QoS Class

Click Add in the Classification Setup screen or the Edit icon next to a classifier to open the following

screen.

Remove To remove an existing classifier, select it and click Remove. Note that subsequent rules move

up by one when you take this action.

Multiple Entries Turn

Select one or more classifier and click this to enable them.

Multiple Entries Turn

Off

Select one or more classifier and click this to disable them.

#This field displays the order in which this classifier is applied.

Status This field displays whether the classifier is active or not. A green ON button signifies that this

classifier is active. A gray OFF button signifies that this classifier is not active.

Click the slide button to turn on or turn off the classifier.

Class Name This is the name of the classifier.

Classification

Criteria

This shows criteria specified in this classifier, for example the interface from which traffic of

this class should come and the source MAC address of traffic that matches this classifier.

DSCP Mark This is the DSCP number added to traffic of this classifier.

802.1P Mark This is the IEEE 802.1p priority level assigned to traffic of this classifier.

VLAN ID Tag This is the VLAN ID number assigned to traffic of this classifier.

To Queue This is the name of the queue in which traffic of this classifier is put.

Table 87 Configuration > Bandwidth Management > Classification Setup (continued)

LABEL DESCRIPTION

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

201

Figure 147 Classification Setup: Add/Edit

The following table describes the labels in this screen.

Table 88 Classification Setup: Add/Edit

LABEL DESCRIPTION

Classification Setup

Enable Select this to enable this classifier.

Class Name Enter a descriptive name for the classifier. You can use up to 31 alphanumeric characters, it

must begin with a letter. The valid characters are [0-9][a-z] [A-Z][_-].

Order Select an existing number for where you want to put this classifier to move the classifier to the

number you selected after clicking OK. Ordering your classifiers is important because the SBG

applies the classifiers in the order that you specify.

Basic Criteria Configuration

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

202

From Interface If you want to classify the traffic by an ingress interface, select an interface from the From

Interface drop-down list box.

Ether Type Select a predefined application to configure a class for the matched traffic.

If you select IP, you also need to configure source or destination MAC address, IP address,

DHCP options, DSCP value or the protocol type.

If you select 802.1Q, you can configure an 802.1p priority level.

Source Criteria Configuration

Address Select the check box and enter the source IP address in dotted decimal notation. A blank

source IP address means any source IP address.

Subnet

Netmask Enter the source subnet mask.

Starting Port Enter the starting port of the source.

Ending Port Enter the ending port of the source,

MAC Address Select the check box and enter the source MAC address of the packet.

MAC Mask Type the mask for the specified MAC address to determine which bits a packet’s MAC address

should match.

Enter “f” for each bit of the specified source MAC address that the traffic’s MAC address should

match. Enter “0” for the bit(s) of the matched traffic’s MAC address, which can be of any

hexadecimal character(s). For example, if you set the MAC address to 00:13:49:00:00:00 and

the mask to ff:ff:ff:00:00:00, a packet with a MAC address of 00:13:49:12:34:56 matches this

criteria.

Exclude Select this option to exclude the packets that match the specified criteria from this classifier.

Destination Criteria Configuration

Address Select the check box and enter the source IP address in dotted decimal notation. A blank

source IP address means any source IP address.

Subnet

Netmask Enter the source subnet mask.

Starting Port Enter the starting port of the source.

Ending Port Enter the ending port of the source,

MAC Address Select the check box and enter the source MAC address of the packet.

MAC Mask Type the mask for the specified MAC address to determine which bits a packet’s MAC address

should match.

Enter “f” for each bit of the specified source MAC address that the traffic’s MAC address should

match. Enter “0” for the bit(s) of the matched traffic’s MAC address, which can be of any

hexadecimal character(s). For example, if you set the MAC address to 00:13:49:00:00:00 and

the mask to ff:ff:ff:00:00:00, a packet with a MAC address of 00:13:49:12:34:56 matches this

criteria.

Exclude Select this option to exclude the packets that match the specified criteria from this classifier.

Other Criteria Configuration

Service This field is available only when you select IP in the Ether Type field.

This field simplifies classifier configuration by allowing you to select a predefined application.

When you select a predefined application, you do not configure the rest of the filter fields.

IP Protocol This field is available only when you select IP in the Ether Type field.

Select this option and select the protocol (service type) from TCP, UDP, ICMP or IGMP. If you

select User defined, enter the protocol (service type) number.

Table 88 Classification Setup: Add/Edit (continued)

LABEL DESCRIPTION

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

203

DHCP This field is available only when you select IP in the Ether Type field.

Select this option and select a DHCP option.

If you select Vendor Class ID (DHCP Option 60), enter the Vendor Class Identifier (Option 60) of

the matched traffic, such as the type of the hardware or firmware.

If you select User Class ID (DHCP Option 77), enter a string that identifies the user’s category or

application type in the matched DHCP packets.

Packet

Length This field is available only when you select IP in the Ether Type field.

Select this option and enter the minimum and maximum packet length (from 46 to 1500) in the

fields provided.

DSCP Code This field is available only when you select IP in the Ether Type field.

Select this option and specify a DSCP (DiffServ Code Point) number between 0 and 63 in the

field provided.

802.1P This field is available only when you select 802.1Q in the Ether Type field.

Select this option and select a priority level (between 0 and 7) from the drop-down list box.

"0" is the lowest priority level and "7" is the highest.

VLAN ID This field is available only when you select 802.1Q in the Ether Type field.

Select this option and specify a VLAN ID number.

TCP ACK This field is available only when you select IP in the Ether Type field.

If you select this option, the matched TCP packets must contain the ACK (Acknowledge) flag.

Exclude Select this option to exclude the packets that match the specified criteria from this classifier.

DSCP Marking This field is available only when you select IP in the Ether Type field.

If you select Mark, enter a DSCP value with which the SBG replaces the DSCP field in the

packets.

If you select Unchange, the SBG keep the DSCP field in the packets.

VLAN ID If you select Remark, enter a VLAN ID number with which the SBG replaces the VLAN ID of the

frames.

If you select Remove, the SBG deletes the VLAN ID of the frames before forwarding them out.

If you select Add, the SBG treat all matched traffic untagged and add a second VLAN ID.

If you select Unchange, the SBG keep the VLAN ID in the packets.

802.1P Marking Select a priority level with which the SBG replaces the IEEE 802.1p priority field in the packets.

If you select Unchange, the SBG keep the 802.1p priority field in the packets.

Class Routing

Forward

Interface

Select a WAN interface through which traffic of this class will be forwarded out. If you select

Unchange, the SBG forward traffic of this class according to the default routing table.

Outgoing Queue

To Queue Select a queue that applies to this class.

You should have configured a queue in the Queue Setup screen already.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Table 88 Classification Setup: Add/Edit (continued)

LABEL DESCRIPTION

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

204

11.5 The Policer Setup Screen

Use this screen to configure QoS policers that allow you to limit the transmission rate of incoming traffic.

Click Configuration > Bandwidth Management > Policer Setup. The screen appears as shown.

Figure 148 Configuration > Bandwidth Management > Policer Setup

The following table describes the labels in this screen.

Table 89 Network Setting > QoS > Policer Setup

LABEL DESCRIPTION

Add Click this to create a new policer.

Edit Double-click a policer or select it and click Edit to open a screen where you can modify the

policer’s settings.

Remove To delete an existing policer, select it and click Remove. Note that subsequent rules move up by

one when you take this action.

Multiple Entries

Turn On

Select one or more policers and click this to enable them.

Multiple Entries

Turn Off

Select one ore more policers and click this to disable them.

#This is the index number of the policer.

Status This field displays whether the policer is active or not. A green ON button signifies that this policer

is active. A gray OFF button signifies that this policer is not active.

Click the slide button to turn on or turn off the policer.

Name This field displays the descriptive name of this policer.

Regulated

Classes

This field displays the name of a QoS classifier.

Meter Type This field displays the type of QoS metering algorithm used in this policer.

Rule These are the rates and burst sizes against which the policer checks the traffic of the member

QoS classes.

Action This shows the how the policer has the SBG treat different types of traffic belonging to the

policer’s member QoS classes.

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

205

11.5.1 Add/Edit a QoS Policer

Click Add in the Policer Setup screen or select a policer and click Edit next to a policer to show the

following screen.

Figure 149 Policer Setup: Add/Edit

The following table describes the labels in this screen.

Table 90 Policer Setup: Add/Edit

LABEL DESCRIPTION

Policer Setting

Enable Select the check box to activate this policer.

Name Enter the descriptive name of this policer. You can use up to 31 alphanumeric characters, it must

begin with a letter. The valid characters are [0-9][a-z] [A-Z][_-].

Meter Type This shows the traffic metering algorithm used in this policer.

The Simple Token Bucket algorithm uses tokens in a bucket to control when traffic can be

transmitted. Each token represents one byte. The algorithm allows bursts of up to b bytes which is

also the bucket size.

The Single Rate Three Color Marker (srTCM) is based on the token bucket filter and identifies

packets by comparing them to the Committed Information Rate (CIR), the Committed Burst Size

(CBS) and the Excess Burst Size (EBS).

Committed

Rate

Specify the committed rate. When the incoming traffic rate of the member QoS classes is less

than the committed rate, the device applies the conforming action to the traffic.

Committed

Burst Size

Specify the committed burst size for packet bursts. This must be equal to or less than the peak

burst size (two rate three color) or excess burst size (single rate three color) if it is also configured.

This is the maximum size of the (first) token bucket in a traffic metering algorithm.

Excess Burst Size Specify the burst size of packet bursts above which the SBG will perform the non-conforming

action.

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

206

11.6 The Shaper Setup Screen

This screen shows that you can use the token bucket algorithm to allow a certain amount of large bursts

while keeping a limit for processing outgoing traffic at the average rate. Click Configuration >

Bandwidth Management > Shaper Setup. The screen appears as shown:

Figure 150 Configuration > Bandwidth Management > Shaper Setup

The following table describes the labels in this screen.

Conforming

Action

Specify what the SBG does for packets within the committed rate and burst size (green-marked

packets).

•Pass: Send the packets without modification.

•DSCP Mark: Change the DSCP mark value of the packets. Enter the DSCP mark value to use.

Partial

Conforming

Action

Specify what the SBG does for packets that exceed the committed rate and burst size but are

within the excess burst size or peak rate and burst size (yellow-marked packets).

•Drop: Discard the packets.

•Pass: Send the packets without modification.

•DSCP Mark: Change the DSCP mark value of the packets. Enter the DSCP mark value to use.

The packets may be dropped if there is congestion on the network.

Non-

Conforming

Action

Specify what the SBG does for packets that exceed the excess burst size or peak rate and burst

size (red-marked packets).

•Drop: Discard the packets.

•DSCP Mark: Change the DSCP mark value of the packets. Enter the DSCP mark value to use.

The packets may be dropped if there is congestion on the network.

Regulated Classes Member Setting

Available

Member

Select a QoS classifier to apply this QoS policer to traffic that matches the QoS classifier.

Highlight a QoS classifier in the Available box and use the → button to move it to the Member

box.

To remove a QoS classifier from the Member box, select it and use the ← button.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving.

Table 90 Policer Setup: Add/Edit (continued)

LABEL DESCRIPTION

Table 91 Configuration > Bandwidth Management > Shaper Setup

LABEL DESCRIPTION

Add Click this to create a new shaper.

Edit Double-click a shaper or select it and click Edit to open a screen where you can

modify the shaper’s settings.

Remove To remove an existing shaper, select it and click Remove. Note that subsequent rules

move up by one when you take this action.

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

207

11.6.1 Add/Edit a QoS Shaper

Click Add in the Shaper Setup screen or select a shaper and click Edit to show the following screen.

Figure 151 Shaper Setup: Add/Edit

The following table describes the labels in this screen.

11.7 Technical Reference

The following section contains additional technical information about the SBG features described in this

chapter.

IEEE 802.1Q Tag

The IEEE 802.1Q standard defines an explicit VLAN tag in the MAC header to identify the VLAN

membership of a frame across bridges. A VLAN tag includes the 12-bit VLAN ID and 3-bit user priority.

Multiple Entries Turn On Select one or more shapers and click this to enable them.

Multiple Entries Turn Off Select one or more shapers and click this to disable them.

# This is the index number of the entry.

Status This field displays whether the shaper is active or not. A green ON button signifies that

this shaper is active. A gray OFF button signifies that this shaper is not active.

Click the slide button to turn on or turn off the shaper.

Outgoing Interface This shows the name of the SBG’s interface through which traffic in this shaper

applies.

Rate Limit (kbps) This shows the average rate limit of traffic bursts for this shaper.

Table 91 Configuration > Bandwidth Management > Shaper Setup

LABEL DESCRIPTION

Table 92 Shaper Setup: Add/Edit

LABEL DESCRIPTION

Enable Select the check box to activate this shaper.

Outgoing Interface Select the SBG’s interface through which traffic in this shaper applies.

Rate Limit Enter the average rate limit of traffic bursts for this shaper.

OK Click this button to save your changes to the SBG.

Cancel Click this button to exit this screen without saving.

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

208

The VLAN ID associates a frame with a specific VLAN and provides the information that devices need to

process the frame across the network.

IEEE 802.1p specifies the user priority field and defines up to eight separate traffic types. The following

table describes the traffic types defined in the IEEE 802.1d standard (which incorporates the 802.1p).

DiffServ

QoS is used to prioritize source-to-destination traffic flows. All packets in the flow are given the same

priority. You can use CoS (class of service) to give different priorities to different packet types.

DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they

receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the

application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the

level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the

packets differently depending on the code points without the need to negotiate paths or remember

state information for every flow. In addition, applications do not have to request a particular service or

give advanced notice of where the traffic is going.

DSCP and Per-Hop Behavior

DiffServ defines a new Differentiated Services (DS) field to replace the Type of Service (TOS) field in the IP

header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64

service levels. The following figure illustrates the DS field.

DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ

compliant, ToS-enabled network device will not conflict with the DSCP mapping.

The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet

gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for

different kinds of forwarding. Resources can then be allocated according to the DSCP values and the

configured policies.

Table 93 IEEE 802.1p Priority Level and Traffic Type

PRIORITY

LEVEL TRAFFIC TYPE

Level 7 Typically used for network control traffic such as router configuration messages.

Level 6 Typically used for voice traffic that is especially sensitive to jitter (jitter is the variations in delay).

Level 5 Typically used for video that consumes high bandwidth and is sensitive to jitter.

Level 4 Typically used for controlled load, latency-sensitive traffic such as SNA (Systems Network

Architecture) transactions.

Level 3 Typically used for “excellent effort” or better than best effort and would include important business

traffic that can tolerate some delay.

Level 2 This is for “spare bandwidth”.

Level 1 This is typically used for non-critical “background” traffic such as bulk transfers that are allowed but

that should not affect other applications and users.

Level 0 Typically used for best-effort traffic.

DSCP (6 bits) Unused (2 bits)

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

209

IP Precedence

Similar to IEEE 802.1p prioritization at layer-2, you can use IP precedence to prioritize packets in a layer-3

network. IP precedence uses three bits of the eight-bit ToS (Type of Service) field in the IP header. There

are eight classes of services (ranging from zero to seven) in IP precedence. Zero is the lowest priority

level and seven is the highest.

Automatic Priority Queue Assignment

If you enable QoS on the SBG, the SBG can automatically base on the IEEE 802.1p priority level, IP

precedence and/or packet length to assign priority to traffic which does not match a class.

The following table shows you the internal layer-2 and layer-3 QoS mapping on the SBG. On the SBG,

traffic assigned to higher priority queues gets through faster while traffic in lower index queues is

dropped if the network is congested.

Table 94 Internal Layer2 and Layer3 QoS Mapping

PRIORITY

QUEUE

LAYER 2 LAYER 3

IEEE 802.1P USER

PRIORITY

(ETHERNET

PRIORITY)

TOS (IP

PRECEDENCE) DSCP IP PACKET LENGTH

(BYTE)

0 1 0 000000

2 0 0 000000 >1100

3 3 1 001110

001100

001010

001000

250~1100

4 4 2 010110

010100

010010

010000

5 5 3 011110

011100

011010

011000

<250

6 6 4 100110

100100

100010

100000

5 101110

101000

7 7 6 110000

111000

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

210

Token Bucket

The token bucket algorithm uses tokens in a bucket to control when traffic can be transmitted. The

bucket stores tokens, each of which represents one byte. The algorithm allows bursts of up to b bytes

which is also the bucket size, so the bucket can hold up to b tokens. Tokens are generated and added

into the bucket at a constant rate. The following shows how tokens work with packets:

• A packet can be transmitted if the number of tokens in the bucket is equal to or greater than the size

of the packet (in bytes).

• After a packet is transmitted, a number of tokens corresponding to the packet size is removed from

the bucket.

• If there are no tokens in the bucket, the SBG stops transmitting until enough tokens are generated.

• If not enough tokens are available, the SBG treats the packet in either one of the following ways:

In traffic shaping:

• Holds it in the queue until enough tokens are available in the bucket.

In traffic policing:

•Drops it.

• Transmits it but adds a DSCP mark. The SBG may drop these marked packets if the network is

overloaded.

Configure the bucket size to be equal to or less than the amount of the bandwidth that the interface

can support. It does not help if you set it to a bucket size over the interface’s capability. The smaller the

bucket size, the lower the data transmission rate and that may cause outgoing packets to be dropped.

A larger transmission rate requires a big bucket size. For example, use a bucket size of 10 kbytes to get

the transmission rate up to 10 Mbps.

Single Rate Three Color Marker

The Single Rate Three Color Marker (srTCM, defined in RFC 2697) is a type of traffic policing that identifies

packets by comparing them to one user-defined rate, the Committed Information Rate (CIR), and two

burst sizes: the Committed Burst Size (CBS) and Excess Burst Size (EBS).

The srTCM evaluates incoming packets and marks them with one of three colors which refer to packet

loss priority levels. High packet loss priority level is referred to as red, medium is referred to as yellow and

low is referred to as green.

The srTCM is based on the token bucket filter and has two token buckets (CBS and EBS). Tokens are

generated and added into the bucket at a constant rate, called Committed Information Rate (CIR).

When the first bucket (CBS) is full, new tokens overflow into the second bucket (EBS).

All packets are evaluated against the CBS. If a packet does not exceed the CBS it is marked green.

Otherwise it is evaluated against the EBS. If it is below the EBS then it is marked yellow. If it exceeds the

EBS then it is marked red.

The following shows how tokens work with incoming packets in srTCM:

• A packet arrives. The packet is marked green and can be transmitted if the number of tokens in the

CBS bucket is equal to or greater than the size of the packet (in bytes).

• After a packet is transmitted, a number of tokens corresponding to the packet size is removed from

the CBS bucket.

Chapter 11 Bandwidth Management

SBG5500 Series User’s Guide

211

• If there are not enough tokens in the CBS bucket, the SBG checks the EBS bucket. The packet is

marked yellow if there are sufficient tokens in the EBS bucket. Otherwise, the packet is marked red. No

tokens are removed if the packet is dropped.

Two Rate Three Color Marker

The Two Rate Three Color Marker (trTCM, defined in RFC 2698) is a type of traffic policing that identifies

packets by comparing them to two user-defined rates: the Committed Information Rate (CIR) and the

Peak Information Rate (PIR). The CIR specifies the average rate at which packets are admitted to the

network. The PIR is greater than or equal to the CIR. CIR and PIR values are based on the guaranteed

and maximum bandwidth respectively as negotiated between a service provider and client.

The trTCM evaluates incoming packets and marks them with one of three colors which refer to packet

loss priority levels. High packet loss priority level is referred to as red, medium is referred to as yellow and

low is referred to as green.

The trTCM is based on the token bucket filter and has two token buckets (Committed Burst Size (CBS)

and Peak Burst Size (PBS)). Tokens are generated and added into the two buckets at the CIR and PIR

respectively.

All packets are evaluated against the PIR. If a packet exceeds the PIR it is marked red. Otherwise it is

evaluated against the CIR. If it exceeds the CIR then it is marked yellow. Finally, if it is below the CIR then

it is marked green.

The following shows how tokens work with incoming packets in trTCM:

• A packet arrives. If the number of tokens in the PBS bucket is less than the size of the packet (in bytes),

the packet is marked red and may be dropped regardless of the CBS bucket. No tokens are removed

if the packet is dropped.

• If the PBS bucket has enough tokens, the SBG checks the CBS bucket. The packet is marked green

and can be transmitted if the number of tokens in the CBS bucket is equal to or greater than the size

of the packet (in bytes). Otherwise, the packet is marked yellow.

SBG5500 Series User’s Guide

212

CHAPTER 12

Network Management

12.1 Overview

This chapter describes the SBG’s Configuration > Network Management screens. Use this screens to

configure your SBG’s SNMP.

12.1.1 What You Can Do in This Chapter

Use the SNMP screen to configure the SBG’s SNMP settings (Section 12.2 on page 212)

12.2 The SNMP Screen

Simple Network Management Protocol is a protocol used for exchanging management information

between network devices. Your SBG supports SNMP agent functionality, which allows a manager station

to manage and monitor the SBG through the network. The SBG supports SNMP version one (SNMPv1)

and version two (SNMPv2c). The next figure illustrates an SNMP management operation.

Figure 152 SNMP Management Model

An SNMP managed network consists of two main types of component: agents and a manager.

An agent is a management software module that resides in a managed device (the SBG). An agent

translates the local management information from the managed device into a form compatible with

SNMP. The manager is the console through which network administrators perform network management

functions. It executes applications that control and monitor managed devices.

Chapter 12 Network Management

SBG5500 Series User’s Guide

213

The managed devices contain object variables/managed objects that define each piece of

information to be collected about a device. Examples of variables include such as number of packets

received, node port status etc. A Management Information Base (MIB) is a collection of managed

objects. SNMP allows a manager and agents to communicate for the purpose of accessing these

objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager

issues a request and the agent returns responses using the following protocol operations:

• Get - Allows the manager to retrieve an object variable from the agent.

• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent.

In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get

operation, followed by a series of GetNext operations.

• Set - Allows the manager to set values for object variables within an agent.

• Trap - Used by the agent to inform the manager of some events.

Click Configuration > Network Management > SNMP to open the following screen. Use this screen to

configure the SBG SNMP settings.

Figure 153 Configuration > Network Management > SNMP

The following table describes the fields in this screen.

Table 95 Configuration > Network Management > SNMP

LABEL DESCRIPTION

SNMP Agent Select the check box to allow a manager station to manage and monitor the SBG through

the network via SNMP.

Get Community Enter the password for the incoming Get and GetNext requests from the management

station. The default is public and allows all requests.

Set Community Enter the Set community, which is the password for incoming Set requests from the

management station. The default is public and allows all requests.

Trap Community Enter the Trap Community, which is the password sent with each trap to the SNMP manager.

System Name Enter the system name of the SBG.

System Location Specify the geographic location of the SBG.

System Contact Enter the name of the person in charge of the SBG.

Chapter 12 Network Management

SBG5500 Series User’s Guide

214

Trap Destination Type the IP address of the station to send your SNMP traps to.

Apply Click Apply to save your changes back to the SBG.

Reset Click Reset to restore your previously saved settings.

Table 95 Configuration > Network Management > SNMP (continued)

LABEL DESCRIPTION

SBG5500 Series User’s Guide

215

CHAPTER 13

Log / Report

13.1 Overview

The web configurator allows you to choose which categories of events and/or alerts to have the SBG

log and then display the logs or have the SBG send them to an administrator (as e-mail) or to a syslog

server.

13.1.1 What You Can Do in this Chapter

• Use the Log Viewer screen to see the system logs (Section 13.2 on page 216).

• Use the Log Settings screen to specify settings for recording log messages and alerts, e-mailing them,

storing them on a connected USB storage device, and sending them to remote syslog servers(Section

13.3 on page 217).

13.1.2 What You Need To Know

The following terms and concepts may help as you read this chapter.

Alerts and Logs

An alert is a type of log that warrants more serious attention. They include system errors, attacks (access

control) and attempted access to blocked web sites. Some categories such as System Errors consist of

both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in

red and logs display in black.

Syslog Overview

The syslog protocol allows devices to send event notification messages across an IP network to syslog

servers that collect the event messages. A syslog-enabled device can generate a syslog message and

send it to a syslog server.

Syslog is defined in RFC 3164. The RFC defines the packet format, content and system log related

information of syslog messages. Each syslog message has a facility and severity level. The syslog facility

identifies a file in the syslog server. Refer to the documentation of your syslog program for details. The

following table describes the syslog severity levels.

Table 96 Syslog Severity Levels

CODE SEVERITY

0 Emergency: The system is unusable.

1 Alert: Action must be taken immediately.

2 Critical: The system condition is critical.

3 Error: There is an error condition on the system.

Chapter 13 Log / Report

SBG5500 Series User’s Guide

216

13.2 The Log Viewer Screen

Use the Log viewer screen to see the system logs. Click Configuration > Log / Report > Log Viewer to

open the following screen.

Figure 154 Configuration > Log / Report > Log Viewer

The following table describes the fields in this screen.

4 Warning: There is a warning condition on the system.

5 Notice: There is a normal but significant condition on the system.

6 Informational: The syslog contains an informational message.

7 Debug: The message is intended for debug-level purposes.

Table 96 Syslog Severity Levels

CODE SEVERITY

Table 97 Configuration > Log / Report > Log Viewer

LABEL DESCRIPTION

Show (Hide) Filter Click this button to show or hide the filter settings.

If the filter settings are hidden only Display filter is available.

If the filter settings are shown, the Display, Priority, Source Address, Destination IP Address,

Source Interface, Destination Interface, Protocol, Keyword, Search and Reset fields are

available.

Display Select the type of log message(s) you want to view. You can also view All Logs at one time,

or you can view the Debug Log.

Priority This displays when you show the filter. Select the priority of log messages to display. The log

displays the log messages with this priority or higher. Choices are: any, emerg, alert, crit,

error, warn, notice, and info, from highest priority to lowest priority. This field is read-only if the

Display field is set to Debug Log.

Source IP This displays when you show the filter. Type the source IP address of the incoming packet

that generated the log message. Do not include the port in this filter.

Source Interface This displays when you show the filter. Type the source interface of the incoming packet that

generated the log message.

Chapter 13 Log / Report

SBG5500 Series User’s Guide

217

13.3 Log Settings

The Log Settings screen controls log messages and alerts. A log message stores the information for

viewing or regular e-mailing later, and an alert is e-mailed immediately. Usually, alerts are used for

events that require more serious attention, such as system errors and attacks.

The Log Settings Edit screens control what information the SBG saves in each log. You can also specify

which log messages to e-mail for the system log, and where and how often to e-mail them. These

screens also set for which events to generate alerts and where to email the alerts.

To access this screen click Configuration > Log / Report > Log Settings.

Protocol This displays when you show the filter. Select a service protocol whose log messages you

would like to see.

Destination IP This displays when you show the filter. Type the IP address of the destination of the incoming

packet when the log message was generated. Do not include the port in this filter.

Destination Interface This displays when you show the filter. Type the interface of the destination of the incoming

packet when the log message was generated.

Keyword Type a keyword of the policy service available from SBG to search for a log.

Search This displays when you show the filter. Click this button to update the log using the current

filter settings.

Reset Click this to return the filters to its original settings.

Email Log Now Click this to send the log file(s) to the E-mail address you specify in the Log Settings screen.

Refresh Click this to renew the log screen.

Clear Log Click this to delete all the logs.

#This field is a sequential value and is not associated with a specific entry.

Time This field displays the time the log was recorded.

Priority This field displays the priority of the log message. It has the same range of values as the

Priority field above.

Category This field displays type of logs to display.

Messages This field states the reason for the log.

Source This field displays the source IP address and the port number in the event that generated

the log message.

Destination This field displays the destination IP address and the port number of the event that

generated the log message.

Note This field displays any additional information about the log message.

Table 97 Configuration > Log / Report > Log Viewer

LABEL DESCRIPTION

Chapter 13 Log / Report

SBG5500 Series User’s Guide

218

Figure 155 Configuration > Log / Report > Log Settings

The following table describes the labels in this screen.

13.3.1 Edit Log on USB Settings

The Edit Log on USB Settings screen controls the detailed settings for saving logs to a connected USB

storage device. Go to the Log Settings screen (see Section 13.3 on page 217), and double-click the USB

setting or select it and click Edit to open the following screen.

Table 98 Configuration > Log / Report > Log Settings

LABEL DESCRIPTION

Edit Double-click an entry or select it and click Edit to open a screen where you can modify it.

Multiple Entries Turn

Select one or more entries and click this to enable them.

Multiple Entries Turn

Off

Select one or more entries and click this to disable them.

# This field is a sequential value, and it is not associated with a specific log.

Status This field displays whether the log setting is active or not. A green ON signifies that this log

setting is active. A gray OFF signifies that this log setting is not active.

Click the slide button to turn on or turn off the entry.

Name This field displays the type of log setting entry (system log, logs stored on a USB storage device

connected to the SBG, or one of the remote servers).

Log Format This field displays the format of the log.

Internal - system log; you can view the log on the View Log tab.

VRPT/Syslog - Zyxel’s Vantage Report, syslog-compatible format.

CEF/Syslog - Common Event Format, syslog-compatible format.

Summary This field is a summary of the settings for each log.

Apply Click Apply to save your changes.

Reset Click Reset to restore your previously saved settings.

Chapter 13 Log / Report

SBG5500 Series User’s Guide

219

Figure 156 Configuration > Log / Report > Log Settings > Edit (USB)

The following table describes the labels in this screen.

Table 99 Configuration > Log / Report > Log Settings > Edit (USB)

LABEL DESCRIPTION

USB Log Setting

Enable Select the check box to turn on the USB Log Setting.

Log Settings

Selection Use the Selection drop-down list to change the log settings for all of the log categories.

disable all logs (red X) - do not send the remote server logs for any log category.

enable normal logs (green check mark) - send the remote server log messages and alerts

for all log categories.

enable normal logs and debug logs (yellow check mark) - send the remote server log

messages, alerts, and debugging information for all log categories.

# This field is a sequential value, and it is not associated with a specific entry.

Log Category This field displays each category of messages. The Default category includes debugging

messages generated by open source software.

Selection Select what information you want to log from each Log Category (except All Logs; see

below). Choices are:

disable all logs (red X) - do not log any information from this category

enable normal logs (green check mark) - log regular information and alerts from this

Table of Contents

Zyxel SBG5500-B User Manual

Related Manuals