Manuals / TP-Link / Computer Equipment / Network Router

TP-Link TL-ER6020 manual Firewall, Anti ARP Spoofing, IP-MAC Binding

Models: TL-ER6020

1 168

Download 168 pages 1.21 Kb

Page 74

Flags:	The Flags of route entry. The Flags describe certain characteristics of the
	route.
Logical Interface:	The logical interface of route entry.
Physical	The physical interface of route entry.
Interface:
Metric	The Metric of route entry.

3.4 Firewall

3.4.1 Anti ARP Spoofing

ARP (Address Resolution Protocol) is used for analyzing and mapping IP addresses to the corresponding MAC addresses so that packets can be delivered to their destinations correctly.

ARP functions to translate the IP address into the corresponding MAC address and maintain an ARP Table in which the latest used IP address-to-MAC address mapping entries are stored. ARP protocol can facilitate the Hosts in the same network segment to communicate with one another or access to external network via Gateway. However, since ARP protocol is implemented with the premise that all the Hosts and Gateways are trusted, there are high security risks during ARP Implementation Procedure in the actual complex network.

The attacker may send the ARP spoofing packets with false IP address-to-MAC address mapping entries, and then the device will automatically update the ARP table after receiving wrong ARP packets, which results in a breakdown of the normal communication. Thus, ARP defense technology is generated to prevent the network from this kind of attack.

3.4.1.1IP-MAC Binding

IP-MAC Binding functions to bind the IP address, MAC address of the host together and only allows the Hosts matching the bound entries to access the network.

Choose the menu Firewall→Anti ARP Spoofing→IP-MAC Binding to load the following page.

-69-

Image 74

TP-Link TL-ER6020 manual Firewall, Anti ARP Spoofing, IP-MAC Binding

Contents

TL-ER6020 Gigabit Dual-WAN VPN Router REV1.0.1 1910010852CE Mark Warning COPYRIGHT & TRADEMARKSFCC STATEMENT CONTENTS Chapter 1 About this GuideChapter 4 Application Network RequirementsChapter 5 CLI Hardware SpecificationsGlossary  Two mounting brackets and other fittings  Installation Guide Package Contents One TL-ER6020 Router  One Power Cord  One Console Cable The following items should be found in your package1.1 Intended Readers SymbolChapter 1 About this Guide 1.2 ConventionsAppendix B FAQ Lists the hardware specifications of this RouterSpecifications Provides the possible solutions to the problems that may occur duringChapter 2 Introduction  Powerful Data Processing Capability Powerful Firewall 2.1 Overview of the Router Easy-to-use 2.2 Features Dual-WAN Ports HardwareTraffic Control 2.3 Appearance2.3.1 Front Panel SecurityStatus  Reset button LEDs Indication Grounding Terminal  Power Socket2.3.2 Rear Panel  Kensington Security Slot3.1 Network Chapter 3 Configuration3.1.2 System Mode 3.1.1 StatusFigure 3-2 Network Topology - NAT Mode Figure 3-3 Network Topology - Non-NAT Mode NAT Mode 3.1.3 WAN  Non-NAT Mode Classic Mode 1 Static IP Static IP Downstream 2 Dynamic IPUpstream Bandwidth Specify the bandwidth for receiving packets on the port Dynamic IP  Dynamic IP Status 3 PPPoEFigure 3-8 WAN - PPPoE 576-1492. The default MTU is 1480. It is recommended to keep the  PPPoE Settingson. The connection can be re-established automatically when it Enter the Account Name provided by your ISP. If you are not clearHere allows you to configure the secondary connection. Dynamic IP Dynamic IP is selected, the obtained subnet address of WAN port iscorrect and your network is connected well. Consult your ISP if  PPPoE Status4 L2TP The following items are displayed on this screen  L2TP SettingsFigure 3-9 WAN - L2TP Internet connection by the Connect or Disconnect button. It Secondary DNS  L2TP StatusPrimary DNS Upstream BandwidthFigure 3-10 WAN - PPTP  PPTP Settings5 PPTP The following items are displayed on this screenAccount Name Primary DNS Secondary DNS Upstream Bandwidth Downstream Bandwidth  PPTP Status Status6 BigPond  BigPond Settings IP Address  BigPond StatusStatus Subnet Mask3.1.4.2 DHCP 3.1.4 LAN3.1.4.1 LAN  LAN DHCP Settings 3.1.4.3 DHCP Client 3.1.4.4 DHCP Reservation List of Reserved Address 3.1.5 DMZ DHCP Reservation 3.1.5.1 DMZ Tips 3.1.6 MAC Address DMZ Set the MAC Address for DMZ port Set the MAC Address for LAN portSet the MAC Address for WAN port  MAC Address3.1.7 Switch 3.1.7.1 StatisticsTips 3.1.7.2 Port Mirror Statistics Mode GeneralPort Mirror Mirroring Port3.1.7.3 Rate Control Application Example3.1.7.4 Port Config  Rate Control Port Config 3.1.7.5 Port Status Port VLAN 3.2 User Group3.1.7.6 Port VLAN Tips3.2.2 User  Group Config3.2.1 Group  List of Group3.2.3 View  User Config View Config  List of User3.3.1 NAT 3.3.1.1 NAT Setup3.3 Advanced  NAT-DMZ 3.3.1.2 One-to-One NAT NAPT  One-to-One NAT Multi-Nets NAT 3.3.1.3 Multi-Nets NAT List of Rules  list of Rules Application Example Network RequirementsConfiguration procedure 3.3.1.4 Virtual Server Protocol  Virtual ServerInterface Status List of Rules 3.3.1.5 Port Triggering Port Triggering Status  List of Rules ALG 3.3.2 Traffic Control3.3.1.6 ALG  General 3.3.2.1 Setup Default Limit 3.3.2.2 Bandwidth Control  Interface Bandwidthdata flow might pass. Individual WAN port cannot be selected if  Bandwidth Control Rule List of Rules  General 3.3.3 Session Limit3.3.3.1 Session Limit 3.3.3.2 Session List 3.3.4.1 Configuration3.3.4 Load Balance  Session Limit3.3.4.2 Policy Routing  List of Rules 3.3.4.3 Link Backup General You can select Timing or Failover Mode  GeneralFailover 3.3.4.4 ProtocolTiming Status ： Protocol 3.3.5 Routing3.3.5.1 Static Route  List of Protocol Static Route  List of Rules3.3.5.2 RIP Application ExampleChoose the menu Advanced→Routing→RIP to load the following page  General3.3.5.3 Route Table  List of RIP3.4.1.1 IP-MAC Binding 3.4 Firewall3.4.1 Anti ARP Spoofing IP Address  IP-MAC Binding General Status3.4.1.2 ARP Scanning 3.4.2 Attack Defense 3.4.1.3 ARP List General Figure 3-49 Attack DefenseThe following items are displayed on this screen Enable Attack 3.4.3 MAC Filtering MAC Filtering Packet Anomaly URL Filtering Rule 3.4.4 Access Control3.4.4.1 URL Filtering  List of Rules List of Rules Configuration ProcedureSelect the mode for URL Filtering. “Keyword’’ indicates that all the Application Example Network Requirements3.4.4.2 Web Filtering 3.4.4.3 Access Rules Access Rules other service types can still pass through the Router. You can add group on3.2.1 GroupSelect the service for the entry. Only the service belonging to the Select the Source IP Range for the entries, including the following List of Rules 3.4.4.4 ServicePriority  Service  List of Service Control Rules 3.4.5 App Control3.4.5.1 Control Rules  General3.4.5.2 Database  List of Rules3.5 VPN 3.5.1 IKE3.5.1.1 IKE Policy  IKE PolicySA Lifetime Specify ISAKMP SA Lifetime in IKE negotiation  IKE Proposal 3.5.1.2 IKE Proposal List of IKE Policy 3.5.2 IPsec  List of IKE Proposal General 3.5.2.1 IPsec Policy IPsec Policy Policy Namewhich PCs on the remote network are covered by this policy. Its  IKE Modepolicy on VPN→IKE→IKE Policy page Gateway of the remote peer should be set to the IP address ofde-encrypted. Without PFS, the key in Phase2 is created based  Manual ModePhase2. As it is independent of the key created in Phase1, this de-encrypted, the key in Phase2 is easy to be de-encrypted, inTips 3.5.2.2 IPsec Proposal List of IPsec Policy IPsec  IPsec Proposal 3.5.2.3 IPsec SA  List of IPsec Proposal3.5.3.1 L2TP/PPTP Tunnel Authentication3.5.3 L2TP/PPTP ProtocolProtocol  L2TP/PPTP Tunnel General ModeEnter the account name of L2TP/PPTP tunnel. It should be configured Select the IP Pool Name to specify the address range for the servers IP Address Pool  List of Configurations3.5.3.2 IP Address Pool  List of IP Pool3.5.3.3 List of L2TP/PPTP Tunnel 3.6 Services3.6.1 PPPoE Server 3.6.1.1 GeneralFigure 3-66 General The following items are displayed on this screen  General3.6.1.2 IP Address Pool  List of IP Pool 3.6.1.3 Account IP Address Pool  Account  List of Account is 48. If Enable Advanced Account Features is not selected, the3.6.1.4 Exceptional IP  Exceptional IP 3.6.2 E-Bulletin3.6.1.5 List of Account  List of AccountInterval  E-Bulletin General TitleTips 3.6.3 Dynamic DNS List of E-Bulletin 3.6.3.1 DynDNS  Dyndns DDNS No-IP DDNS 3.6.3.2 No-IP List of DynDNS Account 3.6.3.3 PeanutHull  List of No-IP Account PeanutHull DDNS  Comexe DDNS 3.6.3.4 Comexe List of PeanutHull Account 3.6.4 UPnP  List of Comexe Account3.7.1.1 Administrator 3.7 Maintenance3.7.1 Admin Setup  Administrator General 3.7.1.2 Login ParameterRe-enter the new password for confirmation  List of Subnet 3.7.1.3 Remote Management Remote Management 3.7.2.2 Export and Import 3.7.2.1 Factory Defaults3.7.2 Management Configuration Procedure Export 3.7.2.3 Reboot Configuration Version  Import3.7.2.4 Firmware Upgrade 3.7.3 License Interface Traffic Statistics 3.7.4 Statistics3.7.4.1 Interface Traffic Statistics 3.7.4.2 IP Traffic Statistics  Advanced WAN Information Traffic Statistics 3.7.5 Diagnostics3.7.5.1 Diagnostics  IP Traffic Statistics Ping  TracertDisplays whether the Online Detection is enabled 3.7.5.2 Online Detection List of WAN status  General Current Time  Config3.7.6 Time  Config 3.7.7 Logs List of Logs Description LevelError conditions SeverityChapter 4 Application 4.1 Network RequirementsTips 4.2 Network Topology 4.3 Configurations4.3.1 Internet Setting 4.3.1.2 Internet Connection 4.3.1.1 System Mode4.3.1.3 Link Backup Settings 4.3.2 VPN Setting1 IKE Setting 4.3.2.1 IPsec VPNSettings  IKE PolicyAuthenticationMD5 Encryption3DES Settings 2 IPsec Setting IPsec Proposal TipsproposalIPsec1 you just created  IPsec PolicySettings Tips 4.3.2.2 PPTP VPN Setting IP Address Pool L2TP/PPTPEnable ProtocolPPTP ModeServer UsernamePPTP Passwordabcdefg  L2TP/PPTP TunnelSettings  Group 4.3.3 Network Management4.3.3.1 User Group  UserSettings 4.3.3.2 App Control View Settings1 Enable Bandwidth Control 4.3.3.3 Bandwidth ControlSettings 2 Interface Bandwidth3 Bandwidth Control Rule Keep the default valueSettings 4.3.4 Network Security4.3.3.4 Session Limit 2 Set IP-MAC Binding Entry Manually 4.3.4.1 LAN ARP Defense1 Scan and import the entries to ARP List Settings 4.3.4.2 WAN ARP Defense3 Set Attack Defense 00-11-22-33-44-aa1 Port Mirror 4.3.4.3 Attack Defense4.3.4.4 Traffic Monitoring 2 Statistics Figure 4-23 IP Traffic Statistics 5.1 Configuration Chapter 5 CLIFigure 5-2 Connection Description Figure 5-3 Select the port to connectFigure 5-4 Port Settings Figure 5-5 Connection Properties Settings 1485.2 Interface Mode enable Accessing PathLogout or Access the next mode adminShow command history enableEnter the privileged mode IP configurationIp-mac Bind Mode normal 5.4 Command IntroductionTP-LINK ip-mac get mode TP-LINK # ip-mac set mode restrictThis command will restore system, Continue?Y/N TP-LINK # sys reboot This command will reboot system, Continue?Y/NTP-LINK # sys restore TP-LINK # sys export configGet configuration file config bin succeed, file size is 7104 bytes Password admin File name config.binTry to get the configuration file config.bin TP-LINK sys show CPU Used Rate 1% TP-LINK # sys updateEnter new password Confirm new password TP-LINK user get Username admin Password adminTP-LINK user set password Enter old password TP-LINK # user get Username admin Password adminTP-LINK history View the history command5.4.6 exit 1. history 2. sys show 3. historyStandards Appendix A Hardware SpecificationsPower PortsAppendix B FAQ 4. Make sure that the NAT DMZ service is disabled AH（Authentication Header） Appendix C GlossaryGlossary data authentication, and anti-replay services. ESP encapsulatesDescription for services such as IPSec that require keys. Before any IPSecGlossary Glossary DescriptionTelnet is used for remote terminal connection, enabling users to GlossaryDescription enterprise