Manuals / Draytek / Computer Equipment / Network Router

Draytek 2130 manual Basics for Firewall, Denial of Service DoS Defense

Models: 2130

1 208

Download 208 pages 58.79 Kb

Page 124

4.4 Firewall

4.4 Firewall

Basics for Firewall

While the broadband users demand more bandwidth for multimedia, interactive applications, or distance learning, security has been always the most concerned. The firewall of the Vigor router helps to protect your local network against attack from unauthorized outsiders. It also restricts users in the local network from accessing the Internet. Furthermore, it can filter out specific packets that trigger the router to build an unwanted outgoing connection.

Denial of Service (DoS) Defense

The DoS Defense functionality helps you to detect and mitigate the DoS attack. The attacks are usually categorized into two types, the flooding-type attacks and the vulnerability attacks. The flooding-type attacks will attempt to exhaust all your system's resource while the vulnerability attacks will try to paralyze the system by offending the vulnerabilities of the protocol or operation system.

The DoS Defense function enables the Vigor router to inspect every incoming packet based on the attack signature database. Any malicious packet that might duplicate itself to paralyze the host in the secure LAN will be strictly blocked and a Syslog message will be sent as warning, if you set up Syslog server.

Also the Vigor router monitors the traffic. Any abnormal traffic flow violating the pre-defined parameter, such as the number of thresholds, is identified as an attack and the Vigor router will activate its defense mechanism to mitigate in a real-time manner.

Below shows the menu items for Firewall.

4.4.1 DoS Defense

Click Firewall and click DoS Defense to open the setup page. Storm control for the switch is configured on this page.

Frame Type	Set the Unicast storm rate control, multicast storm rate control,
	and a broadcast storm rate control for your router.
Status	Check this box to enable storm control status for the frame type.
Rate	The unit is packet per second (pps). Use the drop down list to
	set the rate for data transmission. The rate is 2^n, where n is
	116	Vigor2130 Series User’s Guide

Image 124

Draytek 2130 manual Basics for Firewall, Denial of Service DoS Defense

Contents

Page Version Date 31/08/2009 Vigor2130 Series High Speed Gigabit Router User’s GuideVigor2130 Series User’s Guide Safety Instructions and Approval Copyright InformationSafety WarrantyEuropean Community Declarations Regulatory InformationTable of Contents 4 AdminModeOperation Vigor2130 Series User’s Guide4.3.1 Hardware NAT 5 Trouble Shooting 1.1 Web Configuration Buttons Explanation 1 Preface1.2 LED Indicators and Connectors 1.2.1 For Vigor2130Status ExplanationFactory Reset factory default configurationConnector for a power adapter Power Switch1.2.2 For Vigor2130n StatusExplanation InterfaceFactory Reset factory default configurationConnector for a power adapter Power Switch1.2.3 For Vigor2130Vn StatusExplanation InterfaceInterface Description1.3 Hardware Installation c d e f Stand InstallationVigor2130 Series User’s Guide 1.4 Printer Installation 2. Open Start-Settings- Printer and Faxes4. Click Local printer attached to this computer and click Next Vigor2130 Series User’s Guide8. Then, in the following dialog, click Finish 7. Click Standard and choose Generic Network CardVigor2130 Series User’s Guide 9. Now, your system will ask you to choose right name of the printer that you installed onto the router. Such step can make correct driver loaded onto your PC. When you finish the selection, click Next The printer can be used for printing now. Most of the printers with different manufacturers are compatible with vigor router 2.2 Accessing Web Page 2 Configuring Basic Settings2.1 Two-Level Management Main screen for admin mode operation full configuration 2.3 Changing PasswordMain screen for user mode operation simple configuration 5. Type New Password in New Password and Confirm New Password fields. Then click OK to continue 2.4.1 Setting up the Password 2.4 Quick Start Wizard2.4.2 Setting up the Time Zone 2.4.3 Setting up the Internet ConnectionStatic IP EnableIP Address Subnet MaskDHCP PPPoEEnable Clone MAC AddressIt means Max Transmit Unit for packet. The default setting issetting is It means Max Transmit Unit for packet. The defaultPPTP/L2TP 2.4.4 Setting up the Wireless Connection Choose Show to make the SSID being seen by wireless clientsPage WPA-PSK TypeWPA Algorithm WPA Pre-shared KeyWPA- RADIUS The UDP port number that the RADIUS server is using. TheShared Secret 2.4.5 Save the Wizard Configuration 2.5 Online Status2.6 Saving Configuration 3.1 WAN 3 User Mode OperationBasics of Internet Protocol IP Network From 10.0.0.0 to From 172.16.0.0 to From 192.168.0.0 to What are Public IP Address and Private IP AddressGet Your Public IP Address from ISP Network Connection by 3G USB Modem3.1.1 Internet Access StaticType in the primary IP address for the router if you want to use Type in the username provided by ISP in this field DHCPPPPoE UsernameIt means Max Transmit Unit for packet. The default setting is It means Max Transmit Unit for packet. The defaultPPTP/L2TP 3G USB Modem APN means Access Point Name which is provided andrequired by some ISPs 3.1.2 Ports Speed ConfiguredPort LinkDiscard - It determines whether the MAC drops frames after an 3.1.3 3G Backupexcessive collision has occurred. If yes, a frame is dropped after 3.2 LAN Basics of LANAPN means Access Point Name which is provided and required by some ISPsWhat is Routing Information Protocol RIP What are Virtual LANs and Rate Control3.2.1 General Setup You can configure the router to serve as a DHCP server for theType in an address code that determines the size of the network Enter a value of the IP address pool for the DHCP server to start3.2.2 Ports Speed ConfiguredPort Link3.2.3 MAC Address Table Power ControlDisabled All power savings mechanisms disabled ActiPHY Link down power savings enabled3.2.4 VLAN Disable Automatic AgingStatic MAC Table Config Age Time3.2.5 Static Route IndexDestination Address Display the destination address of the static routeAdd Static Routes to Private and Public Networks 3.2.6 Bind IP to MAC and MAC address listed in ARP table can be selected and added 3.3 NATand select the one, and click Remove. The selected item will be 3.3.1 Hardware NAT 3.3.2 Open PortsSpecify the name for the defined network service NameProtocol Specify the transport layer protocol. It could be TCP, UDP and3.3.3 DMZ Host 3.4 Bandwidth Management 3.4.1 Session Limit3.4.2 Bandwidth Limit 3.4.3 Port Rate Control Shaper Rate Tx 3.4.4 QoS Control ListShaper Unit QCE Type Display the type of that QCE QoS Control EntriesType Value Display the value specified for the QCEAdding a New QCE TCP/UDP Port 3.4.5 Ports Priority Editing a QCEMoving Up/Down a QCE Deleting a QCE3.4.6 QoS Statistics Default ClassQueuing Mode Use the drop down list to choose suitable modeRx Packets Rx Low 3.5 Applications 3.5.1 Dynamic DNS3.5.2 Schedule 3.5.3 IGMP Snooping Snooping EnabledCheck the box to enable this function Check the box to enable unregistered IPMC traffic flooding3.5.5 UPnP Configuration 3.5.4 IGMP StatusDisplay current IGMP groups. Maximum number of group for each VLAN can be set isCant work with Firewall Software 3.6 Wireless LAN 3.6.1 Basic Concepts3.6.2 General Setup Security OverviewWireless Security Configuration Wireless ModeSSID Broadcast SSIDDefault Key Authentication ModeWPA Mode Key1-Key4Either 8~63 ASCII characters, such as 012345678..or Vigor2130 Series User’s Guide 3.6.3 Access Control Filter Type3.6.4 Station List 3.7.1 USB General Settings 3.6.5 Access Point Discovery3.7 USB Application 3.7.2 FTP User Management The user can enter a directory name in this field. Thenafter clicking OK, the router will create the specific/new folder in the USB diskette. In addition, if the user types “/”here, he/she can access into all of the disk folders and files Note When write protect status for the USB diskette is3.7.3 Disk Status 3.7.4 Disk SharesType a name to be used as shared folder name in Samba service 3.8 User 3.8.1 User ConfigurationAdding a New User Editing/Deleting User Settings 3.9 System Maintenance3.9.1 System Status Wireless LAN 3.9.3 Configuration Backup 3.9.2 User PasswordBackup the Configuration Restore Configuration 3.9.4 Syslog / Mail Alert Check the box to activate function of mail alert Select the time zone where the router is located 3.9.5 Time and DateVigor2130 Series User’s Guide 3.9.6 Management 3.9.7 Reboot SystemAccess List 3.9.8 Firmware Upgrade Vigor2130 Series User’s Guide 4 Admin Mode Operation 4.1 WANBasics of Internet Protocol IP Network From 10.0.0.0 to From 172.16.0.0 to From 192.168.0.0 toGet Your Public IP Address from ISP What are Public IP Address and Private IP AddressNetwork Connection by 3G USB Modem Static 4.1.1 Internet AccessType the subnet mask DHCP PPPoEIt means Max Transmit Unit for packet. The default setting issetting is It means Max Transmit Unit for packet. The defaultPPTP/L2TP 3G USB Modem APN means Access Point Name which is provided andrequired by some ISPs 4.1.2 Ports You can use the drop down list to choose the required speed forInternet 4.1.3 3G BackupSIM PIN code 4.2 LAN APN means Access Point Name which is provided andrequired by some ISPs Basics of LANWhat is Routing Information Protocol RIP What is Static RouteVigor2130 Series User’s Guide 4.2.1 General Setup What are Virtual LANs and Rate Control4.2.2 Ports Speed ConfiguredStart IP Address IP Pool CountsAuto 4.2.3 MAC Address Table Disable Automatic AgingStatic MAC Table Config Age Time4.2.4 VLAN 4.2.5 Static Route Add Static Routes to Private and Public NetworksVigor2130 Series User’s Guide 4.2.6 Bind IP to MAC 4.3 NAT 4.3.1 Hardware NAT 4.3.2 Open PortsSpecify the name for the defined network service NameProtocol Specify the transport layer protocol. It could be TCP, UDP and4.3.3 DMZ Host EnableCheck to enable the DMZ Host function DMZ IPDenial of Service DoS Defense 4.4 Firewall4.4.1 DoS Defense Basics for Firewall4.4.2 Ports Configuration include Disabled, and 1 to 10. The default value is Disabled Counts the number of frames that match this Access ControlRate Limited ID Port Copy4.4.3 Rate Control Object Please specify a rate number for each ID. The default setting isRate limiter ID will be applied to WAN port and LAN port “1”packet per second4.4.4 Access Control List Adding a New Access Control ProfileAction - it means the session limitation for this access control list will be applied to if matching with the rule defined in this page Specify the destination MAC filter for this ACE MAC ParameterVLAN Parameter Ethernet Type Filter Detailed Explanation for Frame TypeARP/RARP Request/Reply Sender IP Filterdefined in Sender IP Address and Sender IP Mask Sender IP Address0 means ARP/RARP frames/packets where the hardware 1 means ARP/RARP frames/packets where the hardware0 ARP/RARP frames where the hardware address space is 1 ARP/RARP frames where the hardware address space isIP TTL IP FragmentIP Option OFFSET field is greater than zero must be able to matchSIP Filter SIP AddressSIP Mask DIP FilterICMP Code Filter ICMP Code ValueIP TTL IP FragmentIP Option SIP FilterSIP Address SIP MaskSource Port Filter Source Port NoSource Port Range Dest. Port FilterIP Fragment IP TTLIP Option SIP Filter SIP AddressSIP Mask DIP Filter0 TCP frames where the FIN field is set must not be able 0 TCP frames where the SYN field is set must not be ableDest. Port Filter Specify the TCP port destination filter for this ACE0 TCP frames where the PSH field is set must not be able 0 TCP frames where the ACK field is set must not be ableTCP PSH TCP ACKIP Protocol Value IP TTLIP Fragment IP Option4.5 Bandwidth Management SIP FilterSIP Address SIP Mask4.5.1 Session Limit 4.5.2 Bandwidth Limit EnableDisable Default TX limit4.5.3 Port Rate Control 4.5.4 QoS Control ListVigor2130 Series User’s Guide Adding a New QCE QCE TypeDisplay the type of that QCE QoS Control Entries Type ValueTCP/UDP Port Editing a QCE 4.5.5 Ports Priority Moving Up/Down a QCEDeleting a QCE Indicate the interface for the physical port, WAN port, LAN4.5.6 QoS Statistics Queuing ModeUse the drop down list to choose suitable mode Queue WeightedRx Packets Rx Low 4.6 Applications 4.6.1 Dynamic DNS4.6.2 Schedule 4.6.3 IGMP Snooping Snooping EnabledCheck the box to enable this function Check the box to enable unregistered IPMC traffic flooding4.6.5 UPnP Configuration 4.6.4 IGMP StatusDisplay current IGMP groups. Maximum number of group for each VLAN can be set isEnter the maximum sustained WAN download speed in kilobits/second. Such information can be requested byUPnP clients Enter the maximum sustained WAN upload speed in4.7 VPN and Remote Access 4.7.1 Remote Access Control4.7.2 PPTP Remote Dial-in Adding a New UserEditing/Deleting User Settings Vigor2130 Series User’s Guide4.7.3 IPSec Remote Dial-in Mobile VPN TypeAdvanced Settings AuthenticationIdentities Display the encryption and authentication algorithm used during phase 1 of the VPN connection Establishment. The4.7.4 Remote Dial-in Status algorithm is used during exchange of key exchange4.7.5 LAN to LAN Adding a VPN TunnelDisplay the encryption and authentication algorithm used during phase 1 of the VPN connection Establishment. TheEnabled NameRemote IP Type4.8 Wireless LAN 4.8.1 Basic ConceptsSecurity Overview 4.8.2 General Setup Enable Wireless LANWireless Mode SSID BroadcastWireless Security Configuration Default KeyAuthentication Mode z NoneWPA Mode WPA AlgorithmWPA Preshared Key z WPA-RADIUSWPA Algorithm Server IP AddressDestination Port Shared Secret4.8.3 Access Control Vigor2130 Series User’s Guide4.8.4 Station List 4.8.5 Access Point Discovery 4.9 USB Application4.9.1 USB General Settings 4.9.2 FTP User ManagementEnable FTP Enable Disk Sharing4.9.3 Disk Status 4.9.4 Disk Shareshere, he/she can access into all of the disk folders and files Note When write protect status for the USB diskette isThe user can enter a directory name in this field. Then after clicking OK, the router will create the specific/new4.10 User 4.10.1 User ConfigurationAdding a New User Editing/Deleting User Settings Vigor2130 Series User’s Guide4.11 System Maintenance 4.11.1 System Status4.11.3 User Password 4.11.2 System PasswordDisplay the subnet mask address of the WAN interface 4.11.4 Configuration Backup Backup the Configuration4.11.5 Syslog/Mail Alert Restore ConfigurationEnable Syslog Access… 4.11.6 Time and Date Time ZoneAdd NTP server Click the button to add a new NTP server4.11.7 Management 4.11.8 Reboot SystemClick this button to remove an NTP server 4.11.9 Firmware Upgrade 4.12 Diagnostics 4.12.1 PingD - dynamically installed by daemon or redirect A - installed by addrconf4.12.2 Routing Table Display the netmask for the destination net4.12.3 System Log 4.12.4 Traffic OverviewTime Level4.12.5 Detailed Statistics Rx Unicast 4.12.6 MAC Address Table Type VLANMAC Address Port Members4.12.7 DHCP Table It displays the name of the computer accepted the assigned4.12.8 Data Flow Monitor Block - can prevent specified PC accessing into Internet4.12.9 Ports State connection. Or you can check Auto-refresh to reload the5 Trouble Shooting 5.1 Checking If the Hardware Status Is OK or NotFor Windows For MacOs 1. Double click on the current used MacOs on the desktop2. Open the Application folder and get into Network Vigor2130 Series User’s GuideFor MacOs Terminal 5.3 Pinging the Router from Your ComputerFor Windows 5.4 Checking If the ISP Settings are OK or Not Vigor2130 Series User’s GuideFor Static Users For PPPoE Users1. Choose Static IP as the connection type 1. Choose PPPoE as the connection typeSoftware Reset 5.5 Backing to Factory Default Setting If NecessaryFor PPTP/L2TP Users Hardware Reset 5.6 Contacting Your Dealer