Stateful Inspection Options, 157 | Motorola 7000, 3352N, 3342

Stateful Inspection Options

Stateful Inspection Parameters are active on a WAN interface only if you enable them on your Gateway.

•Stateful Inspection: To enable stateful inspection on this WAN interface, check the checkbox.

•Default Mapping to Router: This is disabled by default. This option will allow the router to respond to trafﬁc received on this interface, for example, ICMP Echo requests.

☛NOTE:

If Stateful Inspection is enabled on a WAN interface Default Mapping to Router must be enabled to allow inbound VPN terminations to the router.

•TCP Sequence Number Difference: Enter a value in this ﬁeld. This value represents the maximum sequence number difference allowed between subsequent TCP packets. If this number is exceeded, the packet is dropped. The acceptable range is 0 – 65535. A value of 0 (zero) disables this check.

•Deny Fragments: To enable this option, which causes the router to discard fragmented packets on this interface, check the checkbox.

Open Ports in Default Stateful Inspection Installation

	Port	Protocol	Description	LAN (Private)	WAN (Public)
	Port	Protocol	Description	Interface	Interface
				Interface	Interface
	23	TCP	telnet	Yes	No
	53	UDP	DNS	Yes	No
	67	UDP	Bootps	Yes	No
	68	UDP	Bootpc	Yes	No
	80	TCP	HTTP	Yes	No
	137	UDP	Netbios-ns	Yes	No
	138	UDP	Netbios-dgm	Yes	No
	161	UDP	SNMP	Yes	No
	500	UDP	ISAKMP	Yes	No
	520	UDP	Router	Yes	No

157

Image 157

Motorola 7000, 3352N, 3342, 2200 Stateful Inspection Options, Open Ports in Default Stateful Inspection Installation, 157

Contents

Administrator’s Handbook Copyright Administrator’s HandbookPage Administrator’s Handbook Table of Contents Breadcrumb Trail Security Basic Troubleshooting Command Line Interface 223 Administrator’s Handbook Glossary Overview of Major Capabilities What’s New Introduction Administrator’s Handbook Intended Audience About Motorola Netopia DocumentationDocumentation Conventions General Internal Web Interface Command Line Interface Word About Example Screens Organization Administrator’s Handbook Basic Mode Setup Power Supply Installation Important Safety Instructions Achtung Wichtige SicherheitshinweiseBewahren Sie diese Anweisungen auf Microsoft Windows Setting up the Motorola Netopia GatewayPage Macintosh MacOS 8 or higher or Mac OS MiAVo Vdsl and Ethernet WAN models Quickstart Conﬁguring the Motorola Netopia Gateway You can skip to Home Page Basic Mode on PPPoE Quickstart Set up the Motorola Netopia Pocket Gateway Page Motorola Netopia Gateway Status Indicator Lights Home Page Basic Mode Down Link Manage My Account Link Status Details Link Enable Remote Management Link Expert Mode Link Update Firmware Link Factory Reset Open the Web Connection Accessing the Expert Web Interface Administrator’s Handbook Home Page Information Home Page Expert ModeSummary Information Field Status and/or Description NAT VoIP Navigating the Web Interface ToolbarLink Breadcrumb Trail Button Restart Restart Link Alert Symbol Button Help Help Button Conﬁgure ConﬁgureLink Quickstart Administrator’s Handbook Link LAN Administrator’s Handbook Page Administrator’s Handbook Wireless supported models Privacy Page Advanced About Closed System Mode Administrator’s Handbook Examples Multiple SSIDsWPA Version Allowed Administrator’s Handbook Page WiFi Multimedia Wireless MAC Authorization Administrator’s Handbook Use Radius Server Advanced Network Conﬁguration page appears PPP over Ethernet interface Link WAN DHCP/PPPoE/PPPoA Autosensing RIP-1 compatibility, or RIP-2 with MD5 Advanced Ethernet WAN interface Page IP Gateway AdvancedOther WAN Options Adsl Gateways WAN Ethernet and Vdsl GatewaysAvailable Encapsulation types Administrator’s Handbook Page Sustained Cell Rate SCR Transmit Priority Comments Class Link Advanced IP Static Route Entry page appears Link IP Static Routes Changes link Link IP Static ARP Link Pinholes Tips for making Pinhole Entries Gateway Pinhole Conﬁguration Procedure. Use the following steps Page Administrator’s Handbook FAQs for the IPMaps Feature Conﬁgure the IPMaps Feature Motorola Netopia Gateway WAN Interface LAN Interface IPMaps Block Diagram192.168.1.1 192.168.1.2 Link Default Server Internet Gateway Page Link Differentiated Services Page QoS Setting TOS Bit Value Behavior Link DNS Link Dhcp Server Link Radius Server Link Snmp Page Igmp Version 3 supports Link Igmp Internet Group Management Protocol100 101 102 Link UPnP 103 Link LAN Management 104 Link Ethernet Bridge 105 Conﬁguring for Bridge Mode 106 107 Overview 108 Ethernet Switching/Policy Setup 109 Vlan Model Combining Bridging and Routing 110 111 Vlan Port Conﬁguration screen appears 112 113 114 115 116 Example 117 118 119 Click the Save and Restart link 120 Supported models only 121 SIP Line Entry 122 Call Features Settings 123 124 Link System 125 Link Syslog Parameters Log Event Messages Administration Related Log MessagesSystem Log Messages DSL Log Messages most common 127 Access-related Log Messages 128 129 Link Internal Servers 130 Link Software Hosting 131 List of Supported Games and Software 132 Rename a UserPC Manual options Check the Enable Backup Gateway checkbox133 134 Automatic options 135 136 Link Ethernet MAC Override 137 Link Clear Options 138 Link Time Zone Button Security Security139 140 Link Passwords 141 Link Firewall Conﬁguring for a BreakWater SettingUse a Motorola Netopia Firewall 142 Basic Firewall Background Tips for making your BreakWater Basic Firewall Selection143 144 BreakWater Setting ClearSailing SilentRunning LANdLocked 145 146 Link IPSec 147 SafeHarbour IPSec VPN 148 Conﬁguring a SafeHarbour VPN Parameter Motorola Netopia Peer Gateway 149 150 Be sure that you have SafeHarbour VPN enabled Field Description Parameter Descriptions151 Address/Value 152 153 Link Stateful Inspection Stateful Inspection Firewall installation procedure154 155 Exposed Addresses 156 Stateful Inspection Options Open Ports in Default Stateful Inspection InstallationPort Protocol Description LAN Private WAN Public Interface 157 General ﬁrewall terms Firewall TutorialBasic IP packet components Basic protocol types Firewall design rules Example TCP/UDP Ports TCP Port ServiceFirewall Logic 159 Example ﬁlter set Implied rules160 Example ﬁlters Filter basicsWhat it means Example network 162 What’s a ﬁlter and what’s a ﬁlter set? Link Packet Filter163 Filter priority How ﬁlter sets work164 ﬁltering rule How individual ﬁlters workParts of a ﬁlter Port numbers Other ﬁlter attributes Port number comparisons166 Filtering example #1 Putting the parts together167 168 Filtering example #2 Design guidelines169 170 An approach to using ﬁlters Adding a ﬁlter set Working with IP Filters and Filter Sets171 172 Adding ﬁlters to a ﬁlter set 173 174 Enter the Source Mask for the source IP address 175 Deleting a ﬁlter set 176 Associating a Filter Set with an Interface TOS ﬁeld matching Policy-based Routing using Filtersets177 178 Link Security Log Using the Security Monitoring Log179 TCP 180 181 Timestamp Background Button Install Install182 Required Files Link Install SoftwareBackground 183 Motorola Netopia ﬁrmware Image File Install the Motorola Netopia ﬁrmware ImageConﬁrm Motorola Netopia Firmware Image Files 184 185 Verify the Motorola Netopia Firmware Release 186 Use Motorola Netopia Software Feature Keys Link Install KeyObtaining Software Feature Keys Procedure Install a New Feature Key File 188 189 To check your installed features 190 Link Install Certiﬁcate 191 Administrator’s Handbook 192 193 Basic Troubleshooting Action Status Indicator LightsEthernet 194 195 Model 2241N only 196 Ethernet 1, 2, 3 197 Wireless 198 199 Special patterns 200 LAN 1, 2, 3 201 Wireless Link Models only Ethernet 1, 2, 3 DSL 1 & 2 ADSL2+202 203 204 LED Function Summary Matrix Active Wireless UnlitTrafﬁc Link Factory Reset Switch 207 Advanced Troubleshooting 208 Home Device Gateway 209 Button Troubleshoot Expert Mode210 211 Link System Status 212 Link Ports Ethernet 213 Link Ports DSL 214 Link IP Interfaces 215 Link DSL Circuit Conﬁguration 216 Link System Log Entire 217 Link Diagnostics 218 Link Network Tools 219 220 If Ping is not successful, possible causes are 221 Administrator’s Handbook 222 223 Command Line Interface 224 Overview Keywords Command Verbs Status and/or Description225 Saving Settings Using the CLI Help FacilityStarting and Ending a CLI Session Logging Shell Command Shortcuts About Shell CommandsShell Prompt 227 Common Commands Shell Commands Loglevel level License key229 Netstat -r NetstatQuit 230 Reset atm Reset arpReset cdmode Reset crash Reset wan-users all ip-address Reset security-logReset wan Reset wepkeys Show dhcp agent Show crashShow dhcp server leases Show diffserv Show etheroam ah Show featuresShow group-mgmt Show ip arp Show ip lan-discovery Show ip ﬁrewallShow ip routes Show ip state-insp Show summary Show statusShow vlan 236 237 Show wireless clients MACaddress Show wireless allUpload serveraddress ﬁlename conﬁrm View conﬁg WAN Commands Config Mode Prompt About Config CommandsNavigating the Config Hierarchy Show ppp stats lcp ipcp Guidelines Config Commands Entering Commands in Config ModeSet ip ethernet a ipaddress 241 Step Mode a CLI Conﬁguration Technique Displaying Current Gateway SettingsValidating Your Conﬁguration 242 Remote ATA Conﬁguration Commands Config Commands Set ata proﬁle 0.. ata-static-wan-gateway ipaddr Set ata proﬁle 0.. ata-user-password stringSet ata proﬁle 0.. ata-proxy-server ipaddr Set ata proﬁle 0.. ata-proxy-port port DSL Commands Set atm vcc n vpi 0 Bridging SettingsSet atm vcc n vci 0 Set atm vccn pppoe-sessions 1 Set bridge sys-bridge on off Set bridge table-timeout 30Set bridge concurrent-bridging-routing on off Set bridge dhcp-ﬁlterset string Dhcp Settings Set dhcp range 2.. end-address ipaddress Set dhcp range 2.. start-address ipaddressSet dhcp gen-option name name Set dhcp gen-option option 1 250 Option Data Format Data Size Can Bytes Conﬁgure Set dhcp gen-option data data Set dhcp gen-option data-type ascii hex dotted-decimal251 Set dhcp ﬁlterset name string rule n match-str matchstring Set dhcp ﬁlterset name string rule n dhcp-option 0252 Set dhcp ﬁlterset name string rule n absent-pool ipaddress Set dhcp ﬁlterset name string rule n match-pool ipaddressSet dhcp assigned-ﬁlterset string 253 DMT Settings Domain Name System Settings 256 257 Igmp Settings Set igmp robustness value Set igmp snooping off onSet igmp query-intvl value Set igmp query-response-intvl value IP Settings Set ip dsl vccn netmask netmask Set ip dsl vccn restrictions admin-disabled noneSet ip dsl vccn addr-mapping on off Set ip dsl vccn auto-sensing off dhcp/pppoe pppoe/pppoa Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5 Set ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5Set ip ethernet a option on off Set ip ethernet a address ipaddress Set ip ethernet a netmask netmask Set ip ethernet a restrictions none admin-disabledSet ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5 Set ip ethernet a subnet n netmask netmask Set ip ethernet a subnet n address ipaddressSet ip gateway option on off Set ip gateway interface ip-address ppp-vccn Set ip ip-ppp vccn peer-address ipaddress Set ip ip-ppp vccn restrictions admin-disabled noneSet ip ip-ppp vccn addr-mapping on off Set ip ip-ppp vccn auto-sensing off dhcp/pppoe pppoe/pppoa Set ip ip-ppp vccn igmp-null-source-addr on off Set ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5Set ip ip-ppp vccn mcast-fwd on off Set ip ip-ppp vccn unnumbered on off Set ip igmp-forwarding off on Set ip static-arp ip-addressipaddressSet ip ipsec-passthrough off on Set ip prioritize off on Set diffserv lohi-ratio 60 100 percent Set diffserv option off on267 268 Qos off assure expedite network-control 269 Set diffserv qos dscp-map default custom 270 271 Queue Conﬁguration 272 273 Set queue name wfq weight-type bps 274 Set queue name priorityqueuename default-inputqueuename 275 Rate-limiting weighted fair queue to 100Kbps Set ip ethernet B rtsp-passthrough off on Set ip sip-passthrough on offSet ip static-routes destination-networknetaddress 276 Delete ip static-routes destination-network netaddress IPMaps SettingsSet ip-maps name name internal-ip ip address Set ip-maps name name external-ip ip address Network Address Translation NAT Pinhole Settings Network Address Translation NAT Default Settings PPPoE /PPPoA Settings Set ppp module vccn magic-number on off Set ppp module vccn restart-timer integerSet ppp module vccn protocol-compression on off Set ppp module vccn lcp-echo-requests on off Set ppp module vccn port-authentication password password Set ppp module vccn port-authentication username usernameSet ppp module vccn connection-type instant-on always-on Set ppp module vccn time-out integer Set wan-over-ether pppoe on off PPPoE with IPoE SettingsSet wan-over-ether pppoe-with-ipoe on off Set wan-over-ether ipoe-sessions 1 Set atm vcc n encap pppoe-llc Ethernet Port SettingsSet ip ip-ppp vcc1 mcast-fwd on off Set ip ip-ppp vcc1 igmp-null-source-addr off on 802.3ah Ethernet OAM Settings Set preference verbose on off Command Line Interface Preference SettingsSet preference more lines 285 Set servers web-http 1 Port Renumbering SettingsSet servers telnet-tcp 1 286 Set security ipsec tunnels name 123 tun-enable on on off Security SettingsSet security ipsec option off on off Set security ipsec tunnels name 288 Set security ipsec tunnels name 123 IKE-mode DH-group 1 1 2 Set security ipsec tunnels name 123 xauth password password Set security ipsec tunnels name 123 xauth enable off onSet security ipsec tunnels name 123 nat-enable on off Set security ipsec tunnels name 123 xauth username username Set security ipsec tunnels name 123 remote-id idvalue Set security ipsec tunnels name 123 local-id idvalue290 291 Set security state-insp udp-timeout 30 Set security state-insp tcp-timeout 30Set security state-insp dos-detect off on 292 293 Set security state-insp xposed-addr exposed-address# n 294 Packet Filtering Settings 295 Operator 296 Snmp Settings Set system name name System Settings298 Set system username administrator name user name Set system idle-timeout telnet 1...120 http 1Set system password admin user Set system ftp-server option off on Set system zerotouch option on off Sleep Contact-email string@domainname location string300 Syslog 302 Default syslog installation procedure Wireless Settings supported models 304 Set wireless tx-power full medium fair low minimal Set wireless no-bridging off on305 306 Set wireless wmm option off on 307 Set wireless network-id privacy default-keyid Set wireless network-id privacy pre-shared-key string308 Example 40bit key 02468ACE02 Set wireless mac-auth option on off309 Set radius radius-secret sharedsecret Set radius radius-name servernamestringSet radius alt-radius-name servernamestring Set radius alt-radius-secret sharedsecret Vlan Settings Set vlan name name ip-interface ipinterface Set vlan name name ports port port-pbits 0312 313 Assign an IP interface Set vlan name PPPoE11 id 314 Set vlan name Video31 ports eth1 tag on 315 VoIP settings Set voip phone 0 1 sip-user-display-name name Set voip phone 0 1 sip-user-password passwordSet voip phone 0 1 sip-user-name username Set voip phone 0 1 auth-id string 318 Set voip phone 0 1 codec G72640 priority 1 2 3 4 5 6 7 none 319 320 DSL Forum settings UPnP settings 322 TR-069 Backup IP Gateway Settings 324 Set ip backup-gateway default ipaddress 325 Vdsl Settings 326 327 Vdsl Parameters Accepted Values 328 Parameter 329 Accepted Values 330 331 Glossary 332 333 334 Ethernet crossover cable. See crossover cable 335 336 337 338 339 340 341 Administrator’s Handbook 342 343 Description Manufacturer’s Declaration of Conformance Agency approvalsNorth America International 345 Declaration for Canadian users Australian Safety Information Important Safety InstructionsTelecommunication installation cautions 346 347 CFR Part 68 Information Copyright Acknowledgments Electrical Safety Advisory348 349 350 PPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATM Wide Area Network Termination351 Instant-On PPP Simpliﬁed Local Area Network SetupDhcp Dynamic Host Conﬁguration Protocol Server 352 Management DiagnosticsDNS Proxy Embedded Web Server Password Protection Remote Access ControlNetwork Address Translation NAT 354 Motorola Netopia Gateway Motorola Netopia Advanced Features for NATInternal Servers 355 Pinholes Default ServerCombination NAT Bypass Conﬁguration IP-Passthrough VPN IPSec Tunnel Termination VPN IPSec Pass Through357 SSL Certiﬁcate Support Stateful Inspection FirewallVLANs 358 359 Index 360 Config 361 362 NAT 264, 278 363 PPP 364 Shell 365 VPN 366 367 Administrator’s Handbook 368