Notice
Copyright © 2021
Raisecom
All rights reserved.
No part of this publication may be excerpted, reproduced, translated, or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from Raisecom
Technology Co., Ltd.
Preface
Objectives
This document introduces the features supported by the ISCOM HT803G-WS2 (N) and its
related Web configurations. The contents include an introduction, preparing for configurations,
configuring basic Internet access functions, configuring basic functions, configuring IPv6,
management, and security. The appendix lists terms, acronyms, abbreviations involved in this
document.
This document will help you to master the principles and various configuration procedures of
the ISCOM HT803G-WS2 (N) device.
Versions
The following table lists the product versions related to this document.
Conventions
Symbol conventions
The symbols that may be found in this document are defined as below.
Symbol Description
Indicates a hazard with a medium or low level of risk which, if
not avoided, could result in minor or moderate injury.
Indicates a tip that may help you solve a problem or save time.
General conventions
Convention Description
Times New Roman Normal paragraphs are in Times New Roman.
Arial Paragraphs in Warning, Caution, Notes, and Tip are in Arial.
Boldface Buttons and navigation paths are in Boldface.
Italic Book titles are in italics.
Lucida Console Terminal display is in Lucida Console.
GUI conventions
Convention Description
Boldface Buttons, menus, parameters, tabs, windows, and dialog titles
are in boldface. For example, click OK.
> Multi-level menus are in boldface and separated by the ">"
signs. For example, choose File > Create > Folder.
Keyboard operation
Format Description
Key Press the key. For example, press Enter and press Tab.
Key 1+Key 2 Press the keys concurrently. For example, pressing Ctrl+C
means the two keys should be pressed concurrently.
Key 1, Key 2 Press the keys in turn. For example, pressing Alt, A means the
two keys should be pressed in turn.
Mouse operation
Action Description
Click Select and release the primary mouse button without moving
the pointer.
Double-click Press the primary mouse button twice continuously and quickly
without moving the pointer.
Right-click Press the right mouse button to pop up a menu for later
selection.
Drag Press and hold the primary mouse button and move the pointer
to a certain position.
Change history
Updates between document versions are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Issue 01 (2021-08-31)
Initial commercial release
Contents
1 Introduction
2 Preparing for configurations
2.1 Management mode
2.1.1 Web interface
2.1.2 NView NNM
2.2 Logging in to device
2.3 Web interface
2.4 Device overview
2.4.1 Web configuration page
2.4.2 Introduction
6 Management
6.1 Managing device
6.1.1 Modifying the host name
6.1.2 Restarting device
6.1.3 One key recovery
6.1.4 Configuration maintenance
6.1.5 Upgrading software
6.2 Administrator
6.2.1 Configuring administrator
6.3 Configuring clock
6.3.1 Configuring clock
6.4 Remote management
6.4.1 Remote management
6.4.2 TR-069
6.5 Fault diagnosis
6.5.1 Ping
6.5.2 Tracert
6.5.3 HTTP Get
6.5.4 DNS Query
6.5.5 TCP Query
6.6 Log management
6.6.1 Local log
6.6.2 Remote log
7 Security
7.1 Firewall
7.1.1 Configuring Firewall
7.2 Filtering website
7.2.1 Configuring website filtering
7.2.2 Local uploading
7.3 Access control
7.3.1 Configuring access control
7.3.2 Time object
7.3.3 Service object
7.3.4 Address object
7.4 MAC address filtering
7.4.1 Filtering MAC address
7.5 ARP attack prevention
7.5.1 Configuring ARP attack prevention
7.5.2 Self-defined packet sending
7.5.3 ARP table
7.5.4 Monitor
7.5.5 ARP spoofing prevention
7.6 DDoS attack prevention
7.6.1 Configuring DDoS attack prevention
Figures
Figure 3-6 Router mode interface on the WAN0 Modify interface
Figure 7-8 Black/White Lists upload interface and Black/White Lists download interface
Tables
Table 3-1 Configuration items in bridge mode on the WAN0 Modify interface
Table 3-2 Configuration items in router mode on the WAN0 Modify interface
1 Introduction
The ISCOM HT803G-WS2 (N) is a Gigabit passive fiber access user-end device that
integrates routing, switching, data security, and Wireless Local Area Network (WLAN)
functions. As enterprise network applications continue to grow, it deploys multiple services
on a single node, providing an integrated solution for network construction.
The ISCOM HT803G-WS2 (N) has the following features:
Support GPON uplink at the WAN side.
Provide four 1000 Mbit/s downlink Ethernet electrical interfaces, 2.4G WLAN, and 5G
WLAN access at the LAN side.
Support WLAN access, greatly improving the flexibility and convenience of networking.
Support routing, bridging, Network Address Translation (NAT), Dynamic Host
Configuration Protocol (DHCP), and other functions to meet the basic access needs of
users.
Support firewall, website filtering, access control, and so on.
Support TR069, Web, OMCI, and other management modes to facilitate maintenance
and configuration of telecommunication administrators.
This chapter describes the preparation for logging into the Web configuration interface and
basic information about the Web configuration interface, including the following sections:
Management mode
Logging in to device
Web interface
Device overview
Use the LAN IP address to manage the device when logging in for the first time.
By default, the LAN IP address of the device is 192.168.1.1. You need to configure
the IP address of the PC to "Automatically Obtain" or manually configure it to the
same network segment as the LAN IP address.
Manage the device on the Web interface through the LAN IP address according to the
following steps:
Step 1 Configure the LAN IP address of the device and IP address of the PC, and ensure that the
LAN IP address and PC IP address can ping each other.
Step 2 Connect the network interface of the PC to the LAN interface of the device with a network
cable.
Step 3 Open a browser on the PC, enter the LAN IP address of the device in the address bar of the
browser, such as "http://192.168.1.1", and then enter the device login interface.
Manage the device on the Web interface through the WAN IP address according to the
following steps:
Step 1 Activate the basic Internet access services on the device and ensure that the PC can connect to
the network (at this time, the PC and the device may not be in the same physical location).
Step 2 Open the browser on the PC and enter the WAN IP address of the device in the address bar of
the browser, such as "http://20.20.1.2", to enter the device login interface.
Step 3 Click Login to log in to the device and enter the device configuration interface. Click Reset
to clear the user name and password in the text boxes, and re-enter.
After login, you can modify the login password through the password modification
function, or you can log in to the device with the newly added user name and
password. For specific steps, refer to section 6.2 Administrator.
Configuration items are not fixed on the configuration interface. They vary with
your selection.
Configuration items marked with an asterisk are mandatory.
Configuration items are subject to the actual configuration interface. The snapshot
is for reference only.
Common buttons
Table 2-2 lists common buttons on the Web configuration interface.
Button Description
It is used to refresh the current interface.
It is used to return to the previous step for reconfiguration or viewing
information.
It is used to quit the current interface.
Saving configurations
After all configurations are complete or before the device restarts, save current
configurations to prevent configuration loss.
The web configuration interface provides the method for manually saving configurations.
Manual saving: click Save Config on the upper right corner of the interface to save running
configurations into the configuration file.
Before exiting the Web configuration interface, save all configurations to avoid
configuration loss.
After all configurations are complete, exit the Web configuration interface to ensure system
security.
There are 2 ways to exit the Web configuration interface:
Click the icon of the current interface on the IE, and then close the IE.
Click the Logout button on the upper right corner on the Web configuration interface.
2.4.2 Introduction
The Information interface displays the following information:
Basic information: by viewing basic information about the HT803G-WS2, you can learn its
operating status. Basic information includes:
– Device information
– CPU usage
– Memory usage
Connection status: you can view information about the connection status in this interface,
including:
– Broadband connection information
– LAN information
– WLAN information
System logs: by viewing the system log, you can learn the latest events and status of the
system, which can help clear faults.
This chapter describes basic Internet access configurations, including the following sections:
Uplink interface
Downlink interface
VLAN
DHCP
NAT
DNS/DDNS
WLAN
Scenario
By configuring the GPON uplink interface, you can connect the HT803G-WS2 upstream to
the OLT.
Configuration steps
GPON
Step 1 Choose Basic > Interface > GPON.
Step 2 Select the GPON Interface tab to display Current Interface's Configuration and
Show the Attributes of the GPON interface.
Step 3 Configure related parameters and click OK.
Step 4 When registering the device to the OLT by using the LOID and Password, you can check the
OLT registration status on the GPON Interface configuration interface. If it displays
"registered and certified", the configuration succeeds.
Step 5 On this interface, you can view the PON MAC address, PON chip manufacturer, PON chip
model, and PON firmware version.
Item Description
Management Status Enable or disable the management status of the GPON
information.
LOID Configure the LOID of the HT803G-WS2 for registration to the
OLT.
Password LOID authentication password
OLT Remote Administration mode Configure the OLT remote management mode:
– HGU(VEIP)
– HGU(CEIP)
– SFU
The difference between the VEIP and CEIP modes lies in that
the ONT card slots are different.
Scenario
It is used to configure the WAN0 interface of the ISCOM HT803G-WS2 (N). The WAN0
interface corresponds to the GPON interface.
Configuration steps
Step 1 Choose Basic > Interface > WAN.
Step 2 On the WAN Interface Configuration interface, you can view the configurations.
Item description
The WAN interface supports the following two connection modes:
Bridge
Router
Each mode corresponds to different configuration items. You can configure the corresponding
items as required.
Table 3-1 and Table 3-2 list descriptions of the configuration items on the WAN0 Modify
interface.
Table 3-1 Configuration items in bridge mode on the WAN0 Modify interface
Item Description
Connection Name (Non-configurable) it is automatically generated by the system.
Connect type Configure the connection type.
IPoE
PPPoE
Protocol Mode Configure the type of the transmission protocol on the WAN0
interface.
IPV4
IPV6
IPV4/IPV6
Table 3-2 Configuration items in router mode on the WAN0 Modify interface
Item Description
Connection Name (Non-configurable) it is automatically generated by the system.
Connect type Select any of the following modes according to the actual
application scenarios:
IPoE
Available IPv4 obtainment mode: DHCP or Static
PPPoE
Available IPv4 obtainment mode: PPPoE. Select this mode if the
ISP uses PPPoE.
Protocol Mode Configure the type of the transmission protocol on the WAN0
interface.
IPV4 (applicable to this table)
IPV6
IPV4/IPV6 (compatible with both protocols, applicable to this
table)
Connection Mode Select a mode according to the actual application scenario:
Bridge mode
Router mode (applicable to this table)
Service Type The service type bound to the connection, including:
Management_Internet: management and Internet access channel
Management: management channel
Internet: Internet access channel
Other: other channels
Static If you check Static, you will need to manually configure a static
address. You need to configure the following items:
(Optional) IP address: enter the IP address in dotted decimal
notation.
(Optional) Subnet mask: enter the subnet mask in dotted decimal
notation.
(Optional) Default Gateway: enter the default gateway in dotted
decimal notation.
(Optional) Primary DNS: enter the preferred DNS server
address in dotted decimal notation.
(Optional) Backup DNS: enter the backup DNS server address
in dotted decimal notation.
PPPoE Check PPPoE from the Connect type. It indicates that connections
are initiated based on PPPoE dialing. You need to configure the
following items:
Username: enter the PPPoE user name which is provided by the
ISP.
Password: enter the PPPoE password which is provided by the
ISP.
(Optional) AC Name: PPPoE server address
PPPoE dial-mode: include "now" and "demand".
Idle time: when you select "demand" from the drop-down list of
PPPoE dial-mode, you need to enter the idle time in the idle time
text box. The idle time is an integer ranging from 10 to 65535, in
seconds. It is 0s by default, indicating that it will never
time out.
The idle time refers to the time when the user does not
have any service traffic. When the idle time exceeds the
set value, the device automatically disconnects the
network to save traffic for the user. When there is service
traffic again, the device automatically connects to the
network again.
Enable NAT Enable or disable NAT. If you check it, NAT will be
enabled. Then you need to configure the following item:
(Optional) Enable NAT Address Pool: in the "Static" IPv4
address configuration mode, after enabling NAT, you can
configure whether to enable the NAT address pool. After
checking the Enable NAT Address Pool radio button, you need
to enter the range of the address pool to configure the WAN
interface to allow multiple IP addresses to access the Internet. If
you check the radio button, the NAT will be enabled.
Access Control (Optional) click to enable or disable
HTTPS, Ping, Telnet, SSH, or HTTP on the interface.
Scenario
Multiple connections can be added to the WAN interface, namely, adding sub-interfaces. Each
connection can be set with a sub-interface ID. The sub-interface ID is the VLAN ID that tags
the packets with VLAN tags so that upstream packets can be forwarded with VLAN tags.
When the device uses the WAN0 interface for uplink connections, a WAN sub-interface can
be added.
Configuration steps
Step 1 Choose Basic > Interface > WAN.
Step 2 Click Add. The Add Subinterface on the WAN0 interface will appear.
Step 3 Configure related items and click OK. The difference between the sub-interface and the
WAN interface is that the sub-interface ID needs to be configured for identification.
Compared with the WAN interface, the sub-interface requires additional configurations, as
listed in Table 3-3. For the remaining configuration items, see section 3.1.2 WAN0 uplink
interface.
Scenario
You can configure the basic items of the LAN interface, including interface management, rate
and duplex mode, and loopback detection. At the same time, you can check whether there is a
loop and the connection status of the LAN interface.
Configuration steps
Step 1 Choose Basic > Interface > LAN.
Step 2 Select the ETH Configuration tab.
Step 3 Configure loopback detection, interface management, speed, and duplex mode on the
specified LAN interface, and click OK.
Item Description
Loopback Detect Enable or disable loopback detection on the interface.
Shutdown Manage Enable or disable the current LAN interface.
Enable: enable the current LAN interface.
Disable: disable the current LAN interface.
Auto Negotiation Configure auto-negotiation on the LAN interface, including:
Enable: enable auto-negotiation.
Disable: disable auto-negotiation.
Eth Speed Configure the speed of the LAN interface. You can use this
function when Auto Negotiation is disabled.
Eth Duplex Configure the duplex mode of the interface.
You can use this function when Auto Negotiation is disabled.
Eth Flow Ctrl Configure the flow control mode of the LAN interface, including:
Enable: enable flow control.
Disable: disable flow control.
Scenario
It is used to divide the access domain. PCs in different departments can be connected to
different LAN interfaces of the device, and different VLANs can be bound through the LAN
interface to isolate different departments and prohibit mutual access.
Configuration steps
Step 1 Choose Basic > Interface > LAN.
Step 2 Select the VLAN Configuration tab.
Step 3 In the VLAN Information List section, configure the interface mode, PVID, and the bound
VLAN of various LAN interfaces and then click Binding.
Item Description
Mode The LAN interface supports the following two VLAN modes:
Access
Trunk
PVID Default VLAN ID of the LAN interface
The VLAN ID is created.
vlanID Created VLANs
Check the LAN interface to be added to this VLAN.
Scenario
View the statistics on traffic and packets received/sent on the LAN interface.
Configuration steps
Step 1 Choose Basic > Interface > LAN.
Step 2 Select the Interface statistics tab.
Step 3 It will display the LAN interface statistics and the VLAN traffic statistics.
Scenario
View the IP address and MAC address of the terminal connected to the LAN interface.
Steps
Step 1 Choose Basic > Interface > LAN.
Step 2 Select the Wired terminal tab.
Step 3 It will display the terminal ID, LAN interface, VLAN interface, IP address, and MAC address.
3.3 VLAN
3.3.1 VLAN configurations
Scenario
It is used to create VLANs and configure VLAN interfaces. After configuring the VLAN
interface, you can bind the LAN interface to this VLAN interface to enable the LAN interface
with the forwarding function.
Configuration steps
Create/Delete a VLAN.
Step 1 Choose Basic > Interface > LAN.
Step 2 Select the VLAN Configuration tab.
Step 3 In the VLAN Create & Delete section, enter the VLAN ID, check Create or Delete, and then
click OK.
Item Description
Create/Delete Check Create to create a VLAN.
Check Delete to delete a VLAN.
VLAN ID VLAN ID that needs to be created or deleted, ranging from 1 to 4093
Item Description
VLAN Select the created VLAN from the drop-down list.
IP Address Configure the IP address of the VLAN in dotted
decimal notation, such as 192.168.1.1.
Netmask Configure the VLAN subnet mask in dotted
decimal notation, such as 255.255.255.0.
Secondart IP Config Configure the IP address and subnet mask of the
extended IP address. Up to two extended IP
addresses are supported.
Management Access Enable or disable HTTPS, Ping, Telnet, SSH, and
HTTP. Check to enable.
DHCP Server Enable Enable DHCP Server on the VLAN interface.
Disable IP address of the DHCP subnet, in dotted decimal
notation, such as 192.168.1.0
Netmask Subnet mask of the DHCP subnet, in dotted
decimal notation, such as 255.255.255.0
Start IP Starting IP address of the DHCP server address
pool, in dotted decimal notation, such as
192.168.1.1
End IP End IP address of the DHCP server address pool,
in dotted decimal notation, such as 192.168.1.254
Gateway Address Default gateway address of the subnet connected
to the interface, in dotted decimal notation, such as
192.168.1.1
Primary DNS IP address of the preferred DNS server required
for DNS, in dotted decimal notation, such as
192.168.101.1
Backup DNS IP address of the backup DNS server required for
DNS, in dotted decimal notation, such as
218.30.118.6
Reserved IP It is not an automatically assigned IP address in
the DHCP address pool. You can enter up to 8 at a
time, separated by ",".
Lease Time After the client obtains an IP address, the period of
using the IP address can be configured from 5
minutes to 100 days. When set to 0 minutes, it can
be used indefinitely.
Step 4 After configuring DHCP Server on the VLAN interface, check the DHCP service information
of the VLAN interface in the "DHCP Service List" section. Click the check box in front of
one or more VLAN interfaces, or click the check box at the top of the table header (indicating
that all VLAN interfaces are selected), and click Delete to delete the DHCP service
configuration of the VLAN interface.
3.4 DHCP
3.4.1 DHCP services
Scenario
It is used to centrally configure the DHCP service type of a specified interface, including
DHCP server, DHCP client, and DHCP relay.
The DHCP service is only introduced here in a centralized manner. You can also
configure the DHCP service on each interface configuration interface, such as:
Configuration steps
Step 1 Choose Basic > Network > DHCP.
Step 2 Select the DHCP Service tab. It will display the DHCP service list of all interfaces.
Step 3 Click the corresponding to the interface that needs to be configured. The Interface
DHCP Settings interface will appear.
Step 4 Configure related parameters and then click Confirm.
Figure 3-11 shows how to disable DHCP services.
Figure 3-12 shows how to configure the interface as a DHCP client.
Figure 3-13 shows how to configure the interface as a DHCP server.
Figure 3-14 shows how to configure the interface as a DHCP relay.
Item Description
Interface Name Interface which needs to be configured with a service type
DHCP Service Type Disable
Item Description
Interface Name Interface which needs to be configured with a service type
DHCP Service Type DHCP client
Enable Option60 Check the radio box to enable the Option60 field.
Address Pool Name in DHCP Server Server-side address pool name, a character string, with the
length ranging from 1 to 64, including letters, numbers, and
underscores
Match the name with that of the Option60 address pool
configured on the server. If they match, the server delivers the
host configurations.
Enable Option125 Check the radio box to enable the Option125 field.
Option125 Match String Option125, a character string, with the length ranging from 1 to
64, including letters, numbers, and underscores
Match the character string with the Option125 configured on
the client. If they match, the client receives the host
configurations delivered by the server.
Item Description
Interface Name Interface which needs to be configured with a service type
DHCP Service Type DHCP server
Enable Option125 Check the radio box to enable the Option125 field.
Option125 Match String Option125, a character string, with the length ranging from 1 to
64, including letters, numbers, and underscores
Match the character string with the Option125 configured on
the client. If they match, the server delivers the host
configurations.
Enable Option43 Check the radio box to enable the Option43 field.
Option43 Match String Configure the Option43 character string. The client obtains the
information of the server by obtaining the packets carrying the
option43 from the server.
Item Description
Interface Name Interface which needs to be configured with a service type
DHCP Service Type DHCP relay
DHCP Server IP IP address of the DHCP server
Scenario
After configuring an interface as a DHCP server, you need to configure the DHCP service
address pool, disabled addresses, IP/MAC binding, and so on.
Configuration steps
1. Configure DHCP address pool
Step 1 Choose Basic > Network > DHCP.
Step 2 Select the DHCP Address Pool tab. The DHCP Service List interface will appear.
Item Description
Interface Select an interface to be configured as a DHCP server.
Start IP Address The start IP address of the DHCP server address pool is generally
smaller than the end IP address.
End IP Address End IP address of the DHCP server address pool
Subnet Network segment corresponding to each interface
Subnet Mask Subnet mask of the subnet IP
Gateway (Optional) The gateway address of the network segment where the
subnet is located.
Lease Period Configure the time limit for the client to obtain an IP address:
Infinite
Finite
Lease Time When checking Finite, you need to configure the time range (5
minutes to 100 days) for the client to use the IP address.
IP/MAC Binding (Optional) Bind the IP address with the MAC address.
Primary DNS Servers (Optional) Configure the IP address of the preferred DNS server
required for DNS.
Secondary DNS Server (Optional) Configure the IP address of the backup DNS server
required for DNS.
Primary WINS Server (Optional) Configure the IP address of the preferred WINS server,
which is used to dynamically register and query the mapping
between IP address and NetBIOS name.
Secondary WINS Server (Optional) Configure the IP address of the backup WINS server,
which is used to dynamically register and query the mapping
between IP address and NetBIOS name.
Domain Name (Optional) Configure the domain suffix for the client.
Item Description
Start IP Address Start IP address of the range that the DHCP server is prohibited
from assigning to clients
End IP Address End IP address of the range that the DHCP server is prohibited
from assigning to clients
To add an IP/MAC binding table of the DHCP services, click Add. The Add Static
Address Allocation Item interface will appear.
Step 3 The configuration items on the Modify Static Address Allocation Item interface are the same
as those on the Add Static Address Allocation Item interface. Configure related items, and
click OK.
Item Description
Item Name Identifier of the IP/MAC binding, used to distinguish it from other
bindings; a character string with the length ranging from 1 to 64, composed of
letters, numbers, and underscores
Client IP Static IP address of this binding relation, in dotted decimal notation,
such as 10.0.0.1
Mac bind MAC address of this binding relation, in colon hexadecimal
notation, such as 3001::3
Item Description
Interface Interface enabled with DHCP service
Address Pool Name Name of the Option60 address pool, a character string,
ranging from 1 to 64, including letters, numbers, and
underscores
If the client uses this address pool, you need to enable
Option60 and configure its "server address pool name" to
be the same as the name of the address pool.
Start IP Address The start IP address of the DHCP server address pool is
generally smaller than the end IP address.
End IP Address End IP address of the DHCP server address pool
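One way to sanity-check the address pool, disabled addresses, and IP/MAC bindings described above before entering them, as an added Python example that is not part of the Raisecom manual. The dictionary layout, the sample values, and the gateway-in-pool check are assumptions of this example; the item-name, lease-time, and range rules come from the tables.

```python
import re
from ipaddress import IPv4Address, IPv4Network

NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")  # Item Name: letters, numbers, underscores
LEASE_MIN_S = 5 * 60            # Lease Time lower bound: 5 minutes
LEASE_MAX_S = 100 * 24 * 3600   # Lease Time upper bound: 100 days


def ip_range(start, end):
    """Inclusive set of addresses (as integers) from start to end."""
    lo, hi = int(IPv4Address(start)), int(IPv4Address(end))
    if lo > hi:
        raise ValueError(f"start {start} is greater than end {end}")
    return set(range(lo, hi + 1))


def check_pool(cfg):
    """Return (problems, leasable addresses) for one DHCP address pool."""
    problems = []
    net = IPv4Network(f"{cfg['subnet']}/{cfg['mask']}")
    first, last = int(net.network_address), int(net.broadcast_address)

    try:
        pool = ip_range(cfg["start"], cfg["end"])
    except ValueError as exc:
        return [f"pool: {exc}"], []
    if any(not first < a < last for a in pool):
        problems.append("pool: range is not inside the subnet's host addresses")

    lease = cfg["lease_s"]  # None models the Infinite lease period
    if lease is not None and not LEASE_MIN_S <= lease <= LEASE_MAX_S:
        problems.append(f"lease: {lease}s is outside 5 minutes to 100 days")

    disabled = set()
    for start, end in cfg["disabled"]:
        try:
            disabled |= ip_range(start, end)
        except ValueError as exc:
            problems.append(f"disabled: {exc}")

    # Assumption of this example: the gateway address should never be leased.
    gw = cfg.get("gateway")
    if gw and int(IPv4Address(gw)) in pool - disabled:
        problems.append(f"gateway: {gw} can be leased to a client")

    seen_ip, seen_mac, bound = set(), set(), set()
    for b in cfg["bindings"]:
        ip, mac = int(IPv4Address(b["ip"])), b["mac"].lower()
        if not NAME_RE.fullmatch(b["name"]):
            problems.append(f"binding {b['name']!r}: invalid item name")
        if not first < ip < last:
            problems.append(f"binding {b['name']!r}: {b['ip']} is outside the subnet")
        if ip in seen_ip or mac in seen_mac:
            problems.append(f"binding {b['name']!r}: IP or MAC already bound")
        seen_ip.add(ip)
        seen_mac.add(mac)
        bound.add(ip)

    # Addresses left for dynamic leases: pool minus disabled minus static bindings.
    leasable = sorted(pool - disabled - bound)
    return problems, [str(IPv4Address(a)) for a in leasable]


# Constructed sample with deliberate faults; not taken from the manual.
SAMPLE = {
    "subnet": "192.168.1.0", "mask": "255.255.255.0",
    "start": "192.168.1.1", "end": "192.168.1.10",
    "gateway": "192.168.1.1",
    "lease_s": 60,
    "disabled": [("192.168.1.8", "192.168.1.10")],
    "bindings": [
        {"name": "printer_1", "ip": "192.168.1.5", "mac": "00:11:22:33:44:55"},
        {"name": "nas-2", "ip": "192.168.1.6", "mac": "00:11:22:33:44:55"},
    ],
}

if __name__ == "__main__":
    for line in check_pool(SAMPLE)[0]:
        print(line)
```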
Scenario
It is used to view the MAC address, assigned IP address, and start and end time of the client
currently attached to the DHCP server of the device.
Configuration steps
Step 1 Choose Basic > Network > DHCP.
Step 2 Select the DHCP Monitoring tab. The DHCP Monitor List interface will appear.
3.5 NAT
NAT type
Source NAT: changes the source address of the first packet of a connection. It is
processed after routing, that is, just before the packet goes onto the wire. IP
masquerading is a form of source NAT.
Destination NAT (Virtual Server): changes the destination address of the first packet
of a connection. It is processed before routing. Port forwarding, load
balancing, and transparent proxy are all forms of destination NAT.
The virtual server is destination address translation. With server
address and port mapping, an external network address can be mapped one-way to an
internal address, and the port can be translated at the same time.
When traffic is distributed by service, the system can translate the destination address to
a different internal server address according to the service accessed.
One-to-one address translation: a one-to-one
bidirectional address mapping. In this case, the mapped internal host can actively access
the outside, and external hosts can also actively access the internal host, which is
equivalent to establishing a bidirectional channel between the internal and external
networks.
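The ordering described above (destination NAT before routing, source NAT after routing, rules applied only to the first packet of a connection) as an added Python model; it is not Raisecom code and does not describe the device's implementation. Class and field names are hypothetical, the addresses are constructed from documentation ranges, and the toy router knows only a "lan" and a "wan" interface.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Toy model of the three NAT types; all names here are hypothetical."""

    def __init__(self, wan_ip, lan_net):
        self.wan_ip = wan_ip
        self.lan_net = ip_network(lan_net)
        self.virtual_servers = {}  # (external IP, port) -> (internal IP, port)
        self.one_to_one = {}       # external IP -> internal IP
        self.conntrack = {}        # packet tuple as received -> packet as sent
        self.next_port = 40000     # next source port used for masquerading

    def _route(self, dst):
        return "lan" if ip_address(dst) in self.lan_net else "wan"

    def forward(self, pkt, in_if):
        """Return (egress interface, packet as sent), or None if not forwarded."""
        # Later packets of a known connection reuse the recorded translation.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            out = self.conntrack[key]
            return self._route(out.dst), out

        out = pkt
        # 1. Destination NAT, before routing.
        if in_if == "wan":
            if (pkt.dst, pkt.dport) in self.virtual_servers:
                ip, port = self.virtual_servers[(pkt.dst, pkt.dport)]
                out = replace(out, dst=ip, dport=port)
            elif pkt.dst in self.one_to_one:
                out = replace(out, dst=self.one_to_one[pkt.dst])

        # 2. Routing decision, made on the (possibly rewritten) destination.
        out_if = self._route(out.dst)
        if out_if == in_if:
            return None  # e.g. a WAN packet that matched no rule is not forwarded

        # 3. Source NAT, after routing.
        if out_if == "wan":
            external = {v: k for k, v in self.one_to_one.items()}.get(out.src)
            if external:
                out = replace(out, src=external)       # one-to-one mapping
            else:
                out = replace(out, src=self.wan_ip, sport=self.next_port)
                self.next_port += 1                    # masquerade

        # Record the translation for this direction and for the reply direction.
        self.conntrack[key] = out
        reply_key = (out.dst, out.dport, out.src, out.sport)
        self.conntrack[reply_key] = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return out_if, out


def demo():
    # Constructed addresses (documentation ranges); not taken from the manual.
    gw = NatGateway("203.0.113.10", "192.168.1.0/24")
    gw.virtual_servers[("203.0.113.10", 8080)] = ("192.168.1.20", 80)
    gw.one_to_one["203.0.113.11"] = "192.168.1.30"
    return {
        "virtual_server_in": gw.forward(Packet("198.51.100.7", 51000, "203.0.113.10", 8080), "wan"),
        "virtual_server_reply": gw.forward(Packet("192.168.1.20", 80, "198.51.100.7", 51000), "lan"),
        "masquerade_out": gw.forward(Packet("192.168.1.50", 33000, "198.51.100.7", 443), "lan"),
        "unsolicited_in": gw.forward(Packet("198.51.100.99", 1234, "203.0.113.10", 40000), "wan"),
        "masquerade_reply": gw.forward(Packet("198.51.100.7", 443, "203.0.113.10", 40000), "wan"),
        "one_to_one_in": gw.forward(Packet("198.51.100.99", 1234, "203.0.113.11", 22), "wan"),
        "one_to_one_out": gw.forward(Packet("192.168.1.30", 5555, "198.51.100.7", 443), "lan"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The run shows which rule types accept connections initiated from outside: the virtual server and the one-to-one mapping do, while a host reachable only through source NAT receives nothing but replies to connections it opened itself.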
Scenario
It is used to configure the application layer gateway of the device to support some special
application layer protocols, such as GRE, L2TP, and RTSP.
Configuration steps
Step 1 Choose Basic > Network > NAT.
Step 2 Select the ALG tab.
Step 3 Check the application protocols supported by the NAT and then click OK.
Scenario
The virtual server is destination NAT, used to publish an internal server to the
external network.
Configuration steps
Step 1 Choose Basic > Network > NAT.
Step 2 Select the Virtual Server tab.
Step 3 Configure related items in the Create Virtual Servers section and then click Add.
Item Description
In Interface Ingress interface matching the NAT rule
Protocol Protocol name matching the NAT rule
External IP address Destination address matching the NAT rule, which can be
the address of the ingress interface or the manually
configured IP address
Internal IP address The translated destination address, which can be a single IP
address or an address segment
Internal Port The translated port. By default, the default port is used.
When port mapping is required, select the IP range and
enter the port number, which
ranges from 1 to 65535.
Step 4 View the created virtual server in the The list of the internal servers section. Click the check
box in front of one or more virtual servers, or click the check box at the top of the table
header (indicating that all virtual servers are selected), and click Delete to delete the created
virtual server.
Scenario
It is used to configure the source NAT rules of the device.
Configuration steps
Step 1 Choose Basic > Network > NAT.
Step 2 Select the Source NAT tab.
Step 3 In the Create Source NAT rules section, configure related items and click Add.
Item Description
Egress Egress interface matching the NAT rule
Service Select the protocol type of NAT rules.
Internal IP Address The source address matching the NAT rule
You can specify all IP addresses or custom address segments.
External IP Address The translated source address, which can be the address of the
egress interface or a self-defined address segment
Step 4 View the created source NAT rules in the The list of source NAT rules section. Click the
check box in front of one or more source NAT rules, or click the check box at the top of the
table header (indicating that all source NAT rules are selected), and click Delete to delete the
created source NAT rules.
Scenario
It is used to create global static mapping rules for the device.
Configuration steps
Step 1 Choose Basic > Network > NAT.
Step 2 Select the One to One Address Translation tab.
Step 3 In the Create global static conversion rules section, configure related items and click Add.
Item Description
External Port Name of the interface connected to the external network
External IP Address Translated external address
Internal IP Address Internal address that needs to be translated
Step 4 View the created static translation rules in the The list of static rules section. Click the check
box in front of one or more static translation rules, or click the check box at the top of the
table header (indicating that all static translation rules are selected), and click Delete to delete the
created static translation rules.
3.6 DNS/DDNS
3.6.1 DNS
Scenario
Domain Name System (DNS) is used to establish a one-to-one (or one-to-multiple) mapping
between domain names and IP addresses. If every PC in the network queries the DNS server
directly, a lot of network traffic is generated. The device can act as a DNS proxy and hold a
static domain name resolution list. When a domain name is not found in this list, the
device queries the DNS server and replies to the PC.
Configuration steps
Step 1 Choose Basic > Network > DNS.
Step 2 In the DNS Proxy section, check Enable or Disable and then click OK.
Step 3 In the Static DNS List section, the host name and the host IP address are displayed.
Item Description
Host Name Configure static domain name, a character string, ranging from 1 to 255
IP Address IP address corresponding to the static domain name
3.6.2 DDNS
Scenario
Most broadband operators only provide dynamic IP addresses. DDNS maps the user's
dynamic IP address to a fixed domain name. Each time the user connects to the network, the
client program sends the dynamic IP address of the host to the server program on the
operator's host. The server program located on the host of the
service provider records each change of the user's IP address, and then maps it to the
domain name, so that other Internet users can communicate with the user through the domain
name.
Configuration steps
Step 1 Choose Basic > Network > DDNS.
Step 2 It displays the configured DDNS services.
Item Description
Server Configuration
Host Name The domain name registered with the server provider, a
character string, ranging from 1 to 256
ISP Service providers which provide domain name services:
3322.org
no-ip.com
oray.net
dyndns.org
tzo.com
ipnodns.ru
Account configuration
Username Name of the user who is registered for the domain name,
a character string, ranging from 1 to 256
Password Password registered for the domain name, a character
string, ranging from 1 to 256
Other Configuration
Binding Interface Bind the DDNS to a certain interface
DDNS ON: enable DDNS on the bound interface, which is
enabled by default.
OFF: disable DDNS on the bound interface.
3.7 WLAN
3.7.1 WLAN configurations (2.4G)
Scenario
It is used to configure the basic WLAN access functions of the device, and can connect the
user's wireless device to the network.
Configuration steps
Step 1 Choose Basic > Interface > WLAN 2.4G. Select the Advanced Configuration tab.
Step 2 Configure advanced items of WLAN access.
Click ON or OFF to enable/disable WLAN.
Configure other items and click OK.
If there is no special requirement, you can use the default configurations without
further manual configurations.
Item Description
Country Code The country code is used to identify the country where the radio
frequency is used. It specifies radio frequency characteristics,
such as power and the total number of channels available for
frame transmission. Before configuring the AP, you must
configure a valid country code or area code.
Country codes support: Australia, Canada, China, Israel, Japan,
Brazil, and United States.
Working Mode The WLAN working mode is as follows:
Mixed (mixed): automatically select the working mode
according to the current environment.
11b: the maximum transmission rate is 11 Mbit/s.
11g-only: the maximum transmission rate is 54 Mbit/s.
11n-only: the maximum transmission rate is 300 Mbit/s.
Band Width The WLAN band width can be selected when the operating
mode is mixed or 11n-only, and the selectable values are
20MHZ, 40MHZ or Auto.
Item Description
Working Channel WLAN working channel, with the value ranging from 1 to 13 or
Auto
The value Auto means automatically selecting a channel
according to the current network environment.
Step 3 Choose Basic > Interface > WLAN 2.4G. Select the Basic Configuration tab to check the
current wireless service ID, BSSID, data encryption, and service status.
Item Description
Network Name (SSID) Wireless network name, a character string, ranging
from 1 to 31
The device currently supports 4 wireless networks.
Address Mode Static In static address mode, you need to configure the
following items:
IP Address: enter the IP address which should be in
dotted decimal notation.
Subnet Mask: enter the subnet mask which should be
Item Description
Beacon Interval (Optional) Configure the Beacon frame transmission
interval, in units of milliseconds, ranging from 100 to
100, with default 100 milliseconds.
DTIM Interval (Optional) Configure the DTIM interval which ranges
from 1 to 31, being 1 by default.
BSS Max Associations Limit (Optional) Configure the maximum number of users
connected to the network at the same time. The value
ranges from 0 to 32. 0 indicates that the maximum
number of access terminals is 127, and the default is 0.
Authentication Mode
Disabled Use keyless authentication.
Open mode Use WEP to encrypt data. A client can connect with any password, but if
the password is wrong, the connection is displayed as
"restricted". You need to configure the following items:
Key length: 128 bits (corresponding to 26 hexadecimal
digits or 13 ASCII characters) or 64
bits (corresponding to 10 hexadecimal digits or
5 ASCII characters).
Key: enter a key with a fixed number of bytes
Item Description
WPA2-PSK Use WPA2-PSK to encrypt data and verify the access
point, client, and server. You need to configure the
following items:
WPA Pre-Shared Key: enter the password, which
should be a character string, ranging from 8 to 63.
(Optional) show password: when it is checked, the
Scenario
It is used to configure the basic WLAN access functions of the device, and can connect the
user's wireless device to the network.
Configuration steps
Step 1 Choose Basic > Interface > WLAN 5G. Select the Advanced Configuration tab.
If there is no special requirement, you can use the default configurations without
further manual configurations.
Item Description
Country Code The country code is used to identify the country where the radio
frequency is used. It specifies radio frequency characteristics,
such as power and the total number of channels available for
frame transmission. Before configuring the AP, you must
configure a valid country code or area code.
Country codes support: Australia, Canada, China, Israel, Japan,
Brazil, and United States.
Working Mode The WLAN working mode is as follows:
Auto: automatically select the working mode according to the
current environment.
11a: the maximum transmission rate is 54 Mbit/s.
11n-only: the maximum transmission rate is 300 Mbit/s.
11ac-only: the maximum transmission rate is 866.6 Mbit/s.
11na/ac mixed: the working modes can be 11n, 11a, and 11ac.
Item Description
Working Channel WLAN working channel, with the value of 36, 40, 44, 48, 52,
56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136,
149, 153, 157, 161 or Auto
The value Auto means automatically selecting a channel according to the current
network environment.
Step 3 Choose Basic > Interface > WLAN 5G. Select the Basic Configuration tab to check the
current wireless service ID, BSSID, data encryption, and service status.
Item Description
Network Name (SSID) Wireless network name, a character string, ranging
from 1 to 31
The device currently supports 4 wireless networks.
Address Mode Static In static address mode, you need to configure the
following items:
IP Address: enter the IP address which should be in
dotted decimal notation.
Subnet Mask: enter the subnet mask which should be
Item Description
SSID Hide (Optional) Configure whether to hide this wireless
network. Check to hide.
WMM (Optional) Configure whether to enable wireless
multimedia, so that the video/audio data will have a
higher priority than ordinary data, but the client is also
required to support this function. Check to enable.
Station Isolation (Optional) After it is checked, users under the same
SSID cannot communicate with each other.
Beacon Interval (Optional) Configure the Beacon frame transmission
interval, in units of milliseconds, ranging from 100 to
100, with default 100 milliseconds.
DTIM Interval (Optional) Configure the DTIM interval which ranges
from 1 to 31, being 1 by default.
BSS Max Associations Limit (Optional) Configure the maximum number of users
connected to the network at the same time. The value
ranges from 0 to 32. 0 indicates that the maximum
number of access terminals is 127, and the default is 0.
Authentication Mode
Disabled Use keyless authentication.
Open mode Use WEP to encrypt data. A client can connect with any password, but if
the password is wrong, the connection is displayed as
"restricted". You need to configure the following items:
Key length: 128 bits (corresponding to 26 hexadecimal
digits or 13 ASCII characters) or 64
bits (corresponding to 10 hexadecimal digits or
5 ASCII characters).
Key: enter a key with a fixed number of bytes
Item Description
WPA-PSK Use WPA-PSK to encrypt data and verify the access
point and client instead of the server. You need to
configure the following items:
WPA Pre-Shared Key: enter the password, which
should be a character string, ranging from 8 to 63.
(Optional) show password: when it is checked, the
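The key rules from the 2.4G and 5G authentication tables above (Open mode key lengths and the 8 to 63 character WPA pre-shared key) as an added Python check over a list of SSID settings; it is not part of the Raisecom manual. The dictionary field names and sample SSIDs are constructed, and the 24-bit initialization vector that explains why a "128-bit" key is typed as 13 bytes is standard WEP behaviour rather than something the page states.

```python
import string

WEP_IV_BITS = 24                 # included in every nominal WEP key length
HEX_DIGITS = set(string.hexdigits)
PSK_MIN, PSK_MAX = 8, 63         # WPA Pre-Shared Key length from the table


def wep_key_format(key, key_length_bits):
    """Return 'ascii' or 'hex' if the key fits the nominal length, else raise."""
    if key_length_bits not in (64, 128):
        raise ValueError("key length must be 64 or 128 bits")
    secret_bytes = (key_length_bits - WEP_IV_BITS) // 8   # 5 or 13
    if len(key) == secret_bytes and key.isascii() and key.isprintable():
        return "ascii"
    if len(key) == 2 * secret_bytes and set(key) <= HEX_DIGITS:
        return "hex"
    raise ValueError(
        f"{key_length_bits}-bit WEP needs {secret_bytes} ASCII characters "
        f"or {2 * secret_bytes} hexadecimal digits, got {len(key)} characters")


def audit_ssid(ssid):
    """Return a list of findings for one SSID entry (hypothetical field names)."""
    findings = []
    mode = ssid["auth_mode"]
    if mode == "Disabled":
        findings.append("no authentication: traffic is unencrypted")
    elif mode == "Open mode":
        try:
            fmt = wep_key_format(ssid["key"], ssid["key_length"])
            secret = ssid["key_length"] - WEP_IV_BITS
            findings.append(
                f"WEP with a {secret}-bit secret ({fmt} key): deprecated cipher")
        except ValueError as exc:
            findings.append(f"invalid WEP key: {exc}")
    elif mode in ("WPA-PSK", "WPA2-PSK"):
        n = len(ssid["key"])
        if not PSK_MIN <= n <= PSK_MAX:
            findings.append(f"pre-shared key has {n} characters, allowed 8 to 63")
    else:
        findings.append(f"unknown authentication mode {mode!r}")
    return findings


def audit_all(ssids):
    """Map each SSID name to its findings; an empty list means nothing to report."""
    return {s["name"]: audit_ssid(s) for s in ssids}


# Constructed sample settings; not exported from a real device.
SAMPLE_SSIDS = [
    {"name": "guest", "auth_mode": "Disabled"},
    {"name": "legacy", "auth_mode": "Open mode", "key_length": 128,
     "key": "0123456789abcdef0123456789"},
    {"name": "legacy2", "auth_mode": "Open mode", "key_length": 64,
     "key": "abcdefgh"},
    {"name": "office", "auth_mode": "WPA2-PSK", "key": "short"},
    {"name": "lab", "auth_mode": "WPA2-PSK", "key": "correct horse battery staple"},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SSIDS).items():
        print(name, findings or "ok")
```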
Scenario
It is used to check the wireless terminal devices connected to the 2.4G WLAN.
Configuration steps
Step 1 Choose Basic > Interface > WLAN 2.4G.
Step 2 Select the Wireless Interface tab.
Step 3 Select a specified wireless interface and click View to check the wireless terminal devices
connected to the SSID.
Scenario
It is used to check the wireless terminal devices connected to the 5G WLAN.
Configuration steps
Step 1 Choose Basic > Interface > WLAN 5G.
Step 2 Select the Wireless Interface tab.
Step 3 Select a specified wireless interface and click View to check the wireless terminal devices
connected to the SSID.
3.7.5 Statistics
Scenario
It is used to view the statistics of wireless terminal devices connected to the 2.4G WLAN or
5G WLAN.
Configuration steps
Step 1 Choose Basic > Interface > WLAN 2.4G or WLAN 5G.
Step 2 Select the Statistic Info tab.
Step 3 Select a specified wireless interface and click View to check statistics on the wireless terminal
devices connected to the SSID.
4.1 Routing
4.1.1 Routing table
Scenario
The routing table is a table or database stored in a router or networked computer. This
interface is used to view the routing table of the device, showing only static routes, direct
routes, and host routes.
Configuration steps
Step 1 Choose Basic > Network > Route.
Step 2 The Routing Table interface will appear, which displays the contents of the routing table,
including type, destination address/mask, next hop, egress interface, distance, weight,
duration, and status (valid/invalid).
Scenario
Static routes refer to a fixed routing table set in the router. Unless the network administrator
intervenes, the static route will not change. Because static routes cannot respond to changes in
the network, it is generally used in networks of a small scale and with a fixed topology. Static
routes are simple, efficient, and reliable.
You can manually add, modify, or delete static routes.
Configuration steps
Step 1 Choose Basic > Network > Static Route.
Step 2 The Static Route interface will appear.
To delete a static route, click the corresponding or check the radio box before the
static route entry (click the check box at the top of the table header to select all static
route entries), and click Delete.
To modify configurations, click corresponding to a specified static route to enter
the Static Route Modify interface.
To add a static route, click Add. The Static Route interface will appear.
Step 3 The items on the Static Route Modify interface are the same as those on the Add Static Route
interface. Configure related items and click OK.
Item Description
Network Destination Address of the network to be reached by the static route
Subnet Mask Subnet mask of the network to be reached by the static route
Next Hop IP address of the next-hop router interface of the static route
Interface Egress interface of the static route
Only in the point-to-point mode can the static route configured
on the egress interface take effect, otherwise it is invalid.
Weight (Optional) routing cost, ranging from 1 to 100
Distance (Optional) routing priority, ranging from 1 to 255
Monitor Address (Optional) The reference address of the static route. If the
monitoring address can be pinged from the device, the static
route is considered valid, otherwise the route is considered
invalid. You need to configure the following items:
Send Interval (seconds): configure the monitoring interval, in
units of second, ranging from 3 to 300.
The number of packets: configure the number of ICMP packets
Scenario
Policy routing is a more flexible packet routing and forwarding mechanism than routing by
destination network. It matches packets against configured routing policies, so that users can
specify that packets sent from a network can only be forwarded to a specific interface, or that
certain routes must go through a specific path.
Configuration steps
Step 1 Choose Basic > Network > Policy Route.
Step 2 The Policy Route interface will appear.
Item Description
Protocol type The protocol type used to configure this policy:
IPV4
IPV6
Policy Route ID It is used to identify a certain policy route. The value ranges from
1 to 100.
Source Interface Ingress interface of the traffic, one of the policy matching
conditions
Source Address Source address object name, a collection of various types of
addresses, including MAC addresses, host addresses, and IP/IPV6
address range
It is one of the policy matching conditions.
Item Description
Destination Address Destination address object name, a collection of various types of
addresses, including MAC addresses, host addresses, and IP/IPV6
address range
It is one of the policy matching conditions.
Service Name of the service object, a collection of protocols and port
numbers, such as TCP, UDP, and port range.
It is one of the policy matching conditions.
Schedule Time object name, which means that the policy takes effect
within a certain period
It is one of the policy matching conditions.
Next Hop Mode
Address Select the next hop as the specified address. You need to
configure:
Next Hop Address: enter the next-hop IP address, in dotted
decimal notation
Interface Select the next hop as the specified interface for point-to-point
situations. You need to configure:
Next Hop Interface: select a next-hop interface.
Reference Policy ID (Optional) It is used to adjust the priority order of policy routes, so
that the policy in the higher position has higher priority. The
value ranges from 1 to 100.
Before/After It is used to configure the priority of this policy to be higher or
lower than the reference policy ID.
Before: higher
After: lower
4.2 Multicast
4.2.1 Multicast configurations
Scenario
Generally, IP multicast working at the network layer is called "Layer 3 multicast", and the
corresponding multicast protocol is called Layer 3 multicast protocol, including Internet
Group Management Protocol (IGMP). The IP multicast working at the data link layer is called
Layer 2 multicast, and the corresponding multicast feature is called Layer 2 multicast,
including Internet Group Management Protocol Snooping (IGMP Snooping). Multicast
configuration is used to configure the multicast working mode and multicast protocol of the
device.
Configuration steps
Step 1 Choose Basic > Network > Multicast.
Step 2 In the Bridge Mode area, configure layer 2 multicast, as shown in Figure 4-4.
Item Description
IGMP protocol
Disable Disable Layer 2 multicast protocols.
Passthrough Enable transparent transmission of Layer 2 multicast
protocols.
IGMP Snooping Enable Layer 2 multicast monitoring.
Bridge option Select a bridge interface.
IGMP vlan ID Add the multicast VLAN ID.
Fast leave Enable or disable fast leave.
When there are a large number of users and they join
and leave frequently, you can enable Fast leave, so that
the corresponding multicast forwarding entry can be
quickly deleted.
4.3 QoS
4.3.1 User bandwidth management
Scenario
It is used to configure the advanced bandwidth speed limit of the device and implement traffic
supervision at the IP layer. The advanced bandwidth speed limit can supervise the traffic
according to the interface and different speed limit modes. When the traffic meets the set
matching conditions, the packets are allowed to pass. When the traffic fails to meet the
matching conditions, the packets are discarded to protect network resources from being
damaged.
Configuration steps
Step 1 Choose Basic > QoS.
Step 2 Select the User Rate Limit List tab.
Step 3 The interface displays the advanced bandwidth rate limit list:
Item Description
Description Description of relevant information used for this speed limit policy, a
character string, ranging from 1 to 32
Out interface Egress interface of data flow
Direction There are 3 choices:
upload
download
bidirection
Item Description
Rate Average rate after rate limiting is configured. The unit is kbit/s, and
the value ranges from 10 to 100,000.
Type of Flag
NULL –
802.1p New flag value: configure the new flag value, which ranges from 0
to 7, with 0 being the default.
CFI: configure the standard format indicator. The value range is 0
or 1 with 0 being the default.
DSCP Source direction value: configure the source direction value, which
ranges from 0 to 63, with 0 being the default
Reverse direction value: configure the reverse direction value,
which ranges from 0 to 63, with 0 being the default
Item Description
LAN IP (rate-limit mode)
Rate Limit By IP Range Add the start IP address and end IP address that
need to be configured with rate limiting, which
should be in dotted decimal notation.
Source IP/Mask Add the source IP address that needs to be
configured with rate limiting, which should be in
dotted decimal format, and enter the subnet mask.
Click Add to add the source address/mask list.
Address Object At this time, the parameter in the drop-down list of
the Address Object is Any by default, which means
that all IP addresses are rate-limited.
Ingress Ingress interface of the data flow
Time Limited period.
Select the start time and end time. NULL indicates
a non-stop limit.
Protocol type
Protocol Name Select the protocol of which the rate should be
limited. If you choose ANY, other protocols cannot
be chosen.
Self-defined protocol type You can select UDP or TCP.
Source port ID of the interface that limits the rate of received
data. The value ranges from 1 to 65535.
Destination port ID of the interface that limits the rate of sent data.
The value ranges from 1 to 65535.
Scenario
On this interface, you can modify the DSCP, 802.1p, MAC address, source/destination IP
address, source/destination interface, and ToS of the data flow, and modify the protocol type
as policy matching conditions.
Configuration steps
Step 1 Choose Basic > QoS.
Step 2 Select the Advanced qos config tab.
Step 3 Configure advanced QoS on the interface:
In the Global configuration section, configure global QoS.
In the Queue configuration section, configure the weight and priority of the QoS queue.
Step 4 Click OK.
Item Description
Advanced QoS Enable or Disable advanced QoS.
Description Configure the description of advanced QoS, which is
usually the service flow used by advanced QoS, such as
TR069. It is a character string with a length ranging from 1
to 31.
Egress rate Configure the upper limit of the bandwidth on the egress
interface. The unit is kbit/s. The value ranges from 10 to
1000000.
Enforce weight Checking it indicates mandatory bandwidth, which is used
in the weighted QoS mechanism to force the upload
bandwidth of each queue. Even if there is no other queue,
the uploading bandwidth shall not exceed the set
bandwidth. The default value is Disable.
Enable DSCP rewrite Check it to enable DSCP rewrite, and rewrite the DSCP
value in the packet on the egress interface. The default
value is Disable.
Enable 802.1p rewrite Check it to enable 802.1P rewrite, and rewrite the 802.1P
value in the packet on the egress interface. The default
value is Disable.
Queue type Configure the QoS queue mechanism:
Priority
Weight
It is Weight by default.
Item Description
Out interface Select the egress interface to which advanced QoS can be
applied.
Step 5 In the Match policy section, the matching policies are displayed:
Item Description
Enable Enable or disable this matching policy.
Item Description
Matched Queue Configure the ingress queue label to which this matching
policy will be applied. The system will compare the packets
according to the matching policy, and put the packets into the
designated queue according to the policy settings.
Matched Mode
Service System pre-defined service type: select the service type of the
model policy.
TR069
Policy model Set DSCP Value: configure the DSCP value, which ranges
from 0 to 63.
Set 802.1P Value: configure the 802.1P value, which ranges
from 0 to 7.
Source MAC: configure the MAC address range of the
Scenario
It is used to configure the session limits.
Configuration steps
Step 1 Choose Basic > QoS.
Step 2 Click Add and then select the Session Counter Limit tab.
Step 3 On the Session Counter Limit interface, configure related items and click OK.
Item Description
Session counter switch Enable or disable session limits.
Session limit by ip It is used to limit the sessions of each IP address within a certain
IP address range:
IP Range: IP range with session limits
Max session per ip: maximum session limits per IP address,
ranging from 10 to 65535
Session limit by vlan It is used to limit the sessions of each VLAN within a certain
VLAN range:
VLAN Range vlan: VLAN range with session limits
Max session per vlan: maximum session limits per VLAN,
ranging from 10 to 2000000
Total session counter limit Limit the count of total sessions, ranging from 10 to 2000000
Scenario
Configure a threshold for the number of connections in each session to control the number of
sessions. If this threshold is exceeded, no new connections will be established.
Configuration steps
Step 1 Choose Basic > QoS.
Step 2 Click Add and then select the Connection Counter Management List tab.
Step 3 Click corresponding to a specified session connection to modify parameters. Then click
Submit.
Item Description
Total Connection
Threshold Enable or disable session limits. The default value is
2000000.
Half Connection
Max The number of uncompleted connections, 2000000 by
default
Min The number of uncompleted connections, 40000 by
default
New connection per minute
Max The upper threshold of the number of new connections per
minute, 2000000 by default
Min The lower threshold of the number of new connections per
minute, 40000 by default
Scenario
Link backup realizes the backup of the active link and supports link detection. When the
active link is disconnected, services can automatically switch to the backup link to achieve
link backup. This section is used to configure link backup on the device.
You can use the WAN and WAN sub-interface for link backup.
Configuration steps
Step 1 Choose Basic > Interface > WAN. Click Add and configure the Connection Mode to router
mode and Service Type to Management_Internet or Internet. If you configure the IPv4
address type to Static, you need to configure the default gateway.
Step 2 Choose Basic > Interface > Link_DETECT. To delete the backup link, click
corresponding to the specified backup link or check the radio box in front of the backup link
list (click the check box at the top of the table header to select all backup links), and click
Delete.
Step 3 To add a backup link, click Add. The Link detect config will appear. Configure related items
and click OK.
Item Description
Main link Select an interface to be the active link.
Backup link Select an interface to be the backup link.
The backup link and the active link cannot be the same
interface.
Item Description
ICMP message detect server Peer IP address of the active link
ICMP message detect interval Sending interval for ICMP packets
Max retry times Configure the maximum retry times for sending ICMP packets.
4.5 DMZ
4.5.1 Configuring DMZ
Scenario
It is used to configure the DMZ interface of the device.
Demilitarized Zone (DMZ) is a buffer zone between a non-secure system and a secure system.
It is established to solve the problem that the external network cannot access the internal
network server after the firewall is installed. Some open servers can be placed in this zone
so that users on the external networks can access them.
Configuration steps
Step 1 Choose Basic > Interface > DMZ.
Step 2 The DMZ Configuration interface will appear:
Check OFF and then click OK to disable DMZ.
Check ON. Configure related items and click OK to enable DMZ.
Item Description
Attach to DMZ Select an interface to be added to the DMZ. The interfaces
can be LAN1 to LAN4 interfaces.
4.6 UPnP
4.6.1 UPnP
4.6.2 Configuring UPnP
Background
It is used to configure UPnP.
The PC is connected to the Internet by the gateway. When it downloads data through P2P
software (such as eMule, Thunder, and BT), the gateway enabled with UPnP will
automatically add a port mapping for the P2P software (adding a DNAT) so that the PC is
exposed to the public network and shares local resources. As stipulated by the P2P software
algorithm, the PC sharing more resources can download more resources, so it will gain a
faster downloading speed. In this case, the gateway, as the UPnP device end, provides the port
mapping service only, while the PC, as the UPnP controlling point, controls the gateway to
add or delete port mapping.
Configuration steps
Step 1 Choose Basic > Network > UPnP Config.
Step 2 Enable or Disable UPnP port mapping.
Item Description
UPnP PortMapping Enable or Disable UPnP port mapping
5 Configuring IPv6
Scenario
It is used to enable or disable IPv6.
Configuration steps
Step 1 Choose Basic > Network > IPv6.
Step 2 Select the Basic Configuration tab.
Step 3 Configure related items and click OK.
Item Description
IPv6 Enable Enable or disable IPv6.
IPv4 Enable Enable or disable IPv4.
Scenario
IPv6 is the next generation IP designed by IETF to replace the current IPv4. You can
configure the IPv6 address of the uplink and downlink interfaces.
Configuration steps
Configure the IPv6 address of the uplink interface.
Step 1 Choose Basic > Interface > WAN.
Step 2 Select IPv6 for the Protocol Mode and Router Mode for the Connection Mode. Select IPoE
for the Connect Type. Configure the IPv6 address of the uplink interface, as shown in Figure
5-2.
Item Description
IPv6 Prefix Address Type Configure the IPv6 prefix acquisition mode:
DHCPv6-PD: obtain the prefix through DHCPv6.
Static: manually configure the IPv6 prefix. You need to configure IPv6 Prefix Address.
None: no IPv6 address prefix is configured.
IPv6 Prefix Address Configure this item when the IPv6 prefix acquisition mode is Static.
IPv6 Address Type DHCPv6-PD: obtain an IPv6 address from ISP automatically through DHCPv6.
Static: static IPv6 address configured by ISP
– IPv6 Address: IPv6 address of the uplink interface, in
DSLite Work Mode Configure the dual stack Lite working mode.
Off: off
Auto: automatic mode. Support obtaining the remote domain name through DHCPv6, resolving the remote IP address, and establishing a virtual channel with the remote end.
Static: static mode. Support static remote domain name and
Item Description
VLAN Select a created VLAN interface from the drop-down list.
IPv6 Address IPv6 address of the selected interface, in colon hexadecimal
notation, such as 3001::3
Pri source It is used to obtain the prefix assigned to the LAN side.
Prefix Information Configure the static prefix.
Stateless cfg State(DHCPv6)
Stateless(SLAAC)
Address/Prefix type State(DHCPv6)
Stateless(SLAAC)
IPv6 DNS Cfg Configure the DNS server type of the IPv6 address.
Wanconnection: configure the DNS obtained by the WAN
interface as the advertisement DNS.
HGW Proxy: configure the local link address as the
advertisement DNS.
Static: statically configure the advertisement DNS.
First IPv6 DNS Enter the IPv6 preferred DNS server address when selecting
Static for the IPv6 DNS Cfg.
Second IPv6 DNS Enter the IPv6 backup DNS server address when selecting
Static for the IPv6 DNS Cfg.
Item Description
Send interval Configure the interval for sending router advertisements. The
unit is seconds. The value ranges from 3 to 1800. The default is
600 seconds.
Router Lifetime Configure the valid time as the default route. The unit is
seconds. The value ranges from 3 to 9000. The default is 1800
seconds.
Prefix Lifetime Configure the lifetime of the advertisement prefix:
Infinite
Finite: configure Valid Lifetime and Preferred Lifetime
Valid Lifetime Lease period of the IPv6 prefix, an integer, ranging from 40 to
8640000, in units of second, 0s by default
Preferred Lifetime When there are multiple available prefixes within this period,
this prefix is preferred. The period shall not exceed the valid
lifetime. The value is an integer that ranges from 40s to
8640000s, being 0s by default.
Scenario
Static routes are a fixed routing table set in the router. You can manually add, modify, or
delete the manually created IPv6 static routing tables.
Configuration steps
Step 1 Choose Basic > Network > IPv6.
Step 2 Select the Static Routing List tab.
Step 3 On the Static Route List interface:
To delete an IPv6 static route, click the corresponding or check the radio box before
the IPv6 static route entry (click the check box at the top of the table header to select all
IPv6 static route entries), and click Delete.
To modify configurations, click corresponding to a specified IPv6 static route to
enter the Modify Static Routing Entry interface.
To add an IPv6 static route, click Add. The Add Static Routing Entry interface will
appear.
Step 4 The items on the Modify Static Routing Entry interface are the same as those on the Add
Static Routing Entry interface. Configure related items and click OK.
Item Description
Destination Address Destination IPv6 address
Prefix Length Prefix length of IPv6 address, ranging from 0 to 128
Next Hop Address Route gateway address
Next Hop Interface Egress interface of data forwarding
Weight (Optional) route weight, ranging from 1 to 100
Distance (Optional) route priority, ranging from 1 to 255
Scenario
The routing table is a table, or database-like structure, stored in a router or networked computer.
This interface is used to view the IPv6 routing table of the device.
Configuration steps
Step 1 Choose Basic > Network > IPv6.
Step 2 Select the System Routing Table tab.
Step 3 View related items on the IPv6 Routing Table interface.
6 Management
Scenario
When the ISCOM HT803G-WS2 fails, you can restart it to solve the problem.
Restarting the device will interrupt the services. Proceed with caution.
Save configurations as needed before restarting to avoid configuration loss.
After the device restarts, you need to log in again.
Configuration steps
Step 1 Choose System > Reboot.
Step 2 In the Reboot area, click Reboot to directly restart the device (by default, the function of
automatically saving configurations is enabled, so configurations will not be lost after restart).
Step 3 In the scheduled Reboot section, configure related items and then click OK.
Item Description
Save Config After this item is selected, the system will save configurations
before restarting the device.
Scheduled Reboot Configure the scheduled reboot of the device.
ON
OFF
Reboot Type When enabling scheduled reboot, you can select:
Once: restart once.
Cycle: cycle restart.
Reboot Time Enter the reboot time.
Scenario
One-key recovery is divided into restoring factory configuration and restoring installation
configuration.
Restoring the factory configuration will clear all current configurations, restore the
current device to the factory configuration file (that is, the system default configuration
state, including the default Web login IP address, user name, and password), and restart
the device.
Restoring the installation configuration will clear all current configurations and restore
the current device to the previously saved installation configuration file. If the
installation configuration file has not been saved previously, the system will be restored
to the factory configuration (system default configuration state), and the device will be
restarted.
One-key recovery will cause the device to restart and the service will be
interrupted. Proceed with caution.
One-key recovery will cause all current configurations to be lost.
After restoring the installation configuration, you need to log in using the system IP
address, user name, and password specified in the Installation Configuration File.
If you did not select Save Config previously, you need to log in to the system using
the default IP address, user name, and password provided by the system.
Configuration steps
Step 1 Choose System > Recovery Config.
Step 2 In the Restore Install Configuration section, click OK to restore the device to the previously
saved installation configuration file.
Step 3 In the Restore Factory Configuration section, click OK to restore the device to the factory
configuration file.
Scenario
The system has two configuration files: the system configuration file and system installation
configuration file.
Configuration file: refers to the configuration information automatically loaded by the
system when the device is powered off or restarted. The information in the configuration
file will not be lost when the device is powered off or restarted.
Installation configuration file: after you click OK for the Save the installing
configuration, the configuration file will be saved as the installation configuration file. If
you click OK for the Restore Setup Configuration on the One Key Recovery interface,
you can restore the system to the state where the installation configuration file is loaded.
After you click OK for the Save the installing configuration, all previous configurations
will be saved as the installation configuration file.
Configuration steps
1. Save configurations.
Step 1 Choose System > Configuration File.
Step 2 Select the Save Install Configuration tab.
Step 3 In the Save the installing Configuration section, click OK. A dialog box appears. Click OK.
The configuration file is saved as the installation configuration file.
Step 4 In the Import Install Configuration Files section, click Choose File. In the dialog box
that appears, select the file to be imported, and click Open.
Step 3 In the Import Configuration Files section, click Choose File. In the dialog box that
appears, select the file to be imported, and click Open.
Step 3 Click Upload. A dialog box appears. Click OK.
Scenario
Software upgrade provides a method to obtain the system startup file from the current local
host.
The system startup file is divided into:
Main version: the application file used to boot and start the device under normal
circumstances.
Standby version: the backup application file used to boot and start the device when the
main version is unavailable
When the backup version file is unavailable, the system automatically finds the available
system file in the CF card for starting.
The system supports upgrading the main version and backup version files separately.
Generally, the files of the main version and the backup version should be kept the same.
Place the system startup file on the local host for easy use.
The system startup file must be suffixed with ".tar".
After the upgrade is complete, the device automatically saves configurations and
is restarted.
Configuration steps
Step 1 Choose System > Software Update.
Step 2 Select the version to be upgraded on the Software Update interface and click Choose File.
In the dialog box that appears, select the upgrade file, and click Open.
Step 3 Click Upgrade. The system will automatically perform uploading. A prompt dialog box will
pop up after uploading. Click OK.
Step 4 Restart the device to complete the software upgrade.
6.2 Administrator
6.2.1 Configuring administrator
Scenario
According to the permission level, users are classified into the following types:
Super administrator: has the highest authority and can configure all items of the device.
Ordinary administrator: generally an enterprise administrator, who has configuration
permissions for some items of the device.
General user: also known as a service user, created by a super administrator or an
ordinary administrator, and usually has only query permissions for some items.
Ordinary administrators and service users can only see the configuration interfaces that their
permissions allow.
The user name and user rights cannot be modified once created.
You can modify the user timeout and uniqueness, add, modify, delete users, or view user
information as needed. At the same time, you can delete the current online user and view the
rights of the current logged-in user and online users with lower rights than the current logged-
in user.
Configuration steps
1. Configure the administrator.
Step 1 Choose System > Administrator.
Step 2 Select the Administrator tab.
Step 3 In the User Configuration section, configure related items and click OK.
Item Description
User Timeout Configure the user timeout period. If you do not conduct any
operation until the timeout period expires, you will be
automatically logged out. It is in units of minute. The value ranges
from 2 to 480, with 10 being the default one.
Unique Users Enable or disable user uniqueness. Only one user is allowed to log
in to each user type at the same time after this parameter is
enabled.
Item Description
Username Configure the username of the newly added administrator.
User Permission Configure the permission for the newly added administrator:
Super administrator
Ordinary administrator
General user
Step 3 View related items. To delete the current online user, click the corresponding so that the
online user will be logged out.
Scenario
To ensure cooperation with other devices in the network, you need to configure the system
time accurately. The device supports the manual setting of system time and NTP automatic
time synchronization.
NTP is used to configure the network clock source for device synchronization, to achieve
automatic and regular synchronization of the device's standard time and ensure clock
synchronization between the device and the network clock source.
Configuration steps
Step 1 Choose System > NTP.
Step 2 In the Settings network time protocol function section, the current system time is displayed.
Step 3 In the Sets the system time section, configure related items, and then click OK.
Item Description
Time zone choices Select the current time zone.
Automatic synchronization Server/Backup server Configure the domain name of the clock synchronization server and the backup clock synchronization server.
Manually Set Manually configure the system time. Limited by the system, the time can only be configured up to the year 2035.
Scenario
Remote management is used to configure the Web server port of the device so that the device
can be remotely logged in to through the Web server port.
Configuration steps
Step 1 Choose Basic > Remote > Remote.
Step 2 In the Web Server Port section, configure the port of the HTTP server and port of the HTTPS
server. Click OK.
Item Description
HTTPS Configure the port of the HTTPS server.
HTTP Configure the port of the HTTP server.
6.4.2 TR-069
Scenario
The device supports TR-069 remote management, which enables management personnel to
perform remote maintenance, assistance, and control over computer networks from
different places, and is conducive to centralized deployment and maintenance.
TR-069 is a terminal equipment-oriented network management protocol, called CPE
WAN Management Protocol (CWMP), developed by the Digital Subscriber Line (DSL)
Forum, which provides a general framework and protocol for the management and
configuration of the home network and is used for remote centralized management of
gateways, routers, STBs and other devices in the home network from the network side.
Configuration steps
1. Configure the ACS.
Step 1 Choose Basic > Remote > TR-069.
Step 2 In the ACS Configuration section, configure related parameters.
Item Description
URL ACS URL address
The URL must be a valid HTTP or HTTPS URL, such as
http://192.168.2.4:7547/ACS.
User Name When the CPE attempts to connect to the ACS through CWMP,
the ACS uses this username to authenticate the CPE.
The user name is only used for HTTP authentication.
Password When the CPE attempts to connect to the ACS through CWMP,
the ACS uses this password to authenticate the CPE.
The password is only used for HTTP authentication.
Item Description
URL Use an HTTP URL. ACS can connect to the URL of the
CPE. The format is http://host:port/path. The host part of
the URL may be the IP address of the CPE management
interface, for example: http://192.168.1.1:7547/cpe.
User Name When the ACS attempts to connect to the CPE, this
username is used to authenticate the ACS.
Password When the ACS attempts to connect to the CPE, this
password is used to authenticate the ACS. When reading
the value, the system always returns an empty string,
regardless of the value.
CPE Interface ACS connects to CPE through this interface. At the same
time, the host part of the URL of CPE will become the IP
address of this interface.
Send Period CPE reporting period, in units of second, ranging from 1 to
2000000000, 600 by default
CPE Enable or disable CPE CWMP.
LOID Certification Enable or disable LOID certification.
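A check of the TR-069 settings in the two tables above, written in Python as an added example (not Raisecom code). The dictionary keys and the function name audit_tr069 are hypothetical, and the input is assumed to be the values an administrator intends to enter, because the manual states that the ACS-to-CPE password always reads back as an empty string.

```python
from urllib.parse import urlsplit

SEND_PERIOD_MIN, SEND_PERIOD_MAX = 1, 2_000_000_000  # range stated in the manual


def _split(url):
    """Return (scheme, host, port, path); port is None when absent or invalid."""
    parts = urlsplit(url or "")
    try:
        port = parts.port
    except ValueError:  # port is not a number in 0-65535
        port = None
    return parts.scheme.lower(), parts.hostname, port, parts.path


def audit_tr069(cfg):
    """Return a list of findings for a dict of intended TR-069 settings."""
    findings = []

    # ACS URL: the manual accepts HTTP or HTTPS; only HTTPS wraps the CWMP
    # session and its HTTP authentication exchange in TLS.
    scheme, host, _, _ = _split(cfg.get("acs_url"))
    if scheme not in ("http", "https") or not host:
        findings.append("acs_url: not a valid HTTP or HTTPS URL")
    elif scheme == "http":
        findings.append("acs_url: plain HTTP, so the CWMP session and its "
                        "HTTP authentication run without TLS")

    # Connection request URL: the manual gives the form http://host:port/path.
    scheme, host, port, path = _split(cfg.get("cpe_url"))
    if scheme != "http" or not host or port is None or not path:
        findings.append("cpe_url: expected the form http://host:port/path")

    # cpe_password is not checked: per the manual it reads back empty, so an
    # empty value says nothing when the settings come from the device.
    for key in ("acs_username", "acs_password", "cpe_username"):
        if not cfg.get(key):
            findings.append(f"{key}: empty")

    period = cfg.get("send_period", 600)  # 600 is the documented default
    if not isinstance(period, int) or not SEND_PERIOD_MIN <= period <= SEND_PERIOD_MAX:
        findings.append("send_period: outside 1 to 2000000000 seconds")
    return findings


# Constructed sample settings; the URLs follow the manual's own examples and
# the credentials are placeholders.
MANUAL_STYLE = {
    "acs_url": "http://192.168.2.4:7547/ACS",
    "acs_username": "cpe-user",
    "acs_password": "placeholder-1",
    "cpe_url": "http://192.168.1.1:7547/cpe",
    "cpe_username": "acs-user",
    "send_period": 600,
}
HTTPS_ACS = dict(MANUAL_STYLE, acs_url="https://acs.example.net:7547/ACS")
BROKEN = dict(HTTPS_ACS, cpe_url="http://192.168.1.1/cpe",
              acs_password="", send_period=0)

if __name__ == "__main__":
    for name, cfg in (("manual-style", MANUAL_STYLE),
                      ("https-acs", HTTPS_ACS), ("broken", BROKEN)):
        print(name, audit_tr069(cfg))
```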
Scenario
Ping is a network diagnostic tool, mainly used to detect whether the target host is available
and determine the network connection status.
Configuration steps
Step 1 Choose System > Diagnose Tool.
Step 2 Select the Ping tab.
Step 3 Configure related items and click Start.
Step 4 It takes a while for the Ping operation. After Ping finishes, the statistics will be displayed
automatically in the Result section. You can judge the network connection status according to
the statistics.
Item Description
Destination Address or Domain Name Destination address or domain name used for Ping diagnosis
Packet Length Length of the packet sent during Ping diagnosis, ranging from
0 to 65507
Number of Packets Number of packets sent during Ping diagnosis, ranging from 1
to 65535
Source Address Click the radio box to configure the source address of packets
sent during Ping diagnosis.
Outgoing Interface Click the radio box and select the egress interface used to send
packets during Ping diagnosis from the drop-down list.
6.5.2 Tracert
Scenario
Tracert, the same as Ping, is a commonly used network diagnostic tool.
Tracert is often used to test the network node that a packet passes from the sender to the
destination, detect whether the network connection is available, and analyze the fault point in
the network.
Configuration steps
Step 1 Choose System > Diagnose Tool.
Step 2 Select the Tracert tab.
Item Description
Trace Route Destination address or domain name used for Tracert
diagnosis
UDP Port Probe Enable or disable UDP port probing.
UDP Port Number Configure the UDP port number used for UDP port probing. The value ranges from 1 to 65534.
Scenario
HTTP Get provides connectivity check between the device and the specified HTTP server to
determine the access permission to a certain HTTP service.
Configuration steps
Step 1 Choose System > Diagnose Tool.
Step 2 Select the HTTP Get tab.
Step 3 Configure related items and click Start.
Step 4 It takes a while for the Http Get operation. After Http Get finishes, the Http Get checking
results will be displayed automatically in the Result section.
Item Description
Destination Address or Domain Name Destination address or domain name for HTTP Get diagnosis
Port Configure the port number for HTTP Get diagnosis. The value ranges from 1 to 65535, and the default value is 80.
Scenario
Domain Name System (DNS) provides conversion between domain names and IP addresses.
When you need to query the IP address corresponding to a domain name, you can use DNS
Query.
Configuration steps
Step 1 Choose System > Diagnose Tool.
Step 2 Select the DNS Query tab.
Step 3 Configure related items and click Start.
Step 4 It takes a while for the DNS Query operation. After DNS Query finishes, the DNS Query
results will be displayed automatically in the Result section.
Item Description
Destination Domain Name Domain name of DNS Query diagnosis
Scenario
TCP Query is used to test whether a TCP connection can be established with the target host.
Configuration steps
Step 1 Choose System > Diagnose Tool.
Step 2 Select the TCP Query tab.
Step 3 Configure related items and click Start.
Step 4 It takes a while for the TCP Query operation. After TCP Query finishes, the TCP Query
results will be displayed automatically in the Result section.
Item Description
Destination Address or Domain Name Destination address or domain name used for TCP Query diagnosis
Port Number Configure the port number on which TCP Query diagnosis is performed. The number ranges from 0 to 65535.
Number of Packets Number of packets sent during TCP Query diagnosis
The value ranges from 1 to 10. The default value is 4.
Scenario
Local log means that the device records system information and debugging information in the
form of a log, which is convenient for users to view and locate the fault when the device fails.
There are 8 types of local logs by source:
Device alarm log
Login log
Operation log
ARP attack log
DDoS log
URL log
Traffic logs
NAT logs
Local logs are classified into 8 levels according to severity, as listed in Table 6-1.
Configuration steps
1. Configure local logs.
Step 1 Choose Basic > Remote > Syslog.
Step 2 Select the Local tab.
Step 3 Configure related items and click OK.
Item Description
Local Log (State/Level) Enable or disable the log server.
All Logs When this parameter is enabled, each of the following log
functions will be enabled. When this parameter is disabled,
each of the following log functions will be disabled.
Equipment Alarm Log Enable or disable the alarm log.
Login Log Enable or disable the login log.
Operation Log Enable or disable the operation log.
ARP Attack Log Enable or disable the ARP attack log.
DDoS Log Enable or disable the DDoS log.
URL Filtering Hit Enable or disable the URL filtering hit log.
Nat Log Enable or disable the NAT log.
Item Description
Type It includes:
All Logs
Equipment Alarm Log
Login Log
Operation Log
ARP Attack Log
DDoS Log
URL Filtering Hit
Flow Log
nat log
Private log
Level It includes:
All
Emergency
Alarm
Serious
Error
Warning
Notice
Information
Debug
Time Range The format is year-month-day hour:minute:second, such as 2010-04-19 01:02:03.
Number of records Log entries output per screen.
Scenario
It is used to configure remote Syslog management.
Configuration steps
Step 1 Choose Basic > Remote > Syslog.
Step 2 Select the Remote tab.
Step 3 Configure related items and click OK.
Item Description
Log Server Status Enable or disable the log server.
Address or Hostname IP address or domain name of the log server
Server Port Service port of the log server, ranging from 1 to 65535, 514 by default
All Logs When this parameter is enabled, each of the following log
functions will be enabled. When this parameter is disabled,
each of the following log functions will be disabled.
Equipment Alarm Log Enable or disable the alarm log.
Login Log Enable or disable the login log.
Operation Log Enable or disable the operation log.
ARP Attack Log Enable or disable the ARP attack log.
Flow Log Enable or disable the flow log.
DDoS Log Enable or disable the DDoS log.
URL Filtering Hit Enable or disable the URL filtering hit log.
Nat Log Enable or disable the NAT log.
7 Security
7.1 Firewall
7.1.1 Configuring Firewall
Scenario
On the one hand, the firewall can prevent unauthorized access to protected networks from the
Internet. On the other hand, it allows intranet users to access the Internet or send and receive
E-mail. The firewall can also be used as an access control gateway to access the Internet, such
as allowing specific hosts in the organization to access the Internet.
In addition to controlling the Internet connection, the firewall can also be used to protect the
mainframe and important resources (such as data) within the organization's network. Access
to the protected data must be filtered by the firewall. Even if users inside the network want to
access the protected data, they must also pass the firewall.
The security level of the firewall is divided into high, medium and low. You can enable or
disable the firewall as needed, and configure the security level of the firewall.
Configuration steps
Step 1 Choose Security > Security > Firewall.
Step 2 Configure related items and click OK.
Item Description
Firewall Configuration Enable or disable Firewall.
Security Level The security level includes:
low
medium
high
Scenario
Configure basic and advanced options for website filtering. URL filtering restricts access to
web pages on the Internet that meet the filtering conditions by configuring URLs and
keywords.
Configuration steps
1. Configure website filtering.
Step 1 Choose Security > Security > URL Filter.
Step 2 Select the Web Filter tab.
Step 3 Click ON or OFF in the Web Filter section and then click OK.
Item Description
Web Filter Enable or disable web filtering.
Step 4 In the Page Redirect Set section, configure the redirection URL and then click OK.
Item Description
Redirect URL The user's Web access request is redirected to the specified URL.
If the URL request of the internal user is blocked, a Web push page
will be displayed on the internal user's browser page to remind the
user that access is restricted.
Step 5 In the Filter Type Set section, configure related items and click OK.
Item Description
Filter Type Select Black List or White List.
Step 6 In the Add Filter Rule section, enter the URL and click Add.
Item Description
URL Add an access control rule, which should be a character string with
the length ranging from 1 to 99.
Step 7 In the Delete Filter Rule section, all filtering rules are displayed. Click the check box in front
of one or more filter rules, or click the check box at the top of the table header (indicating that
all filter conditions are selected), and click Delete to delete the filter rule.
The blacklist contains entries that meet the rules and are refused to pass. For
entries which do not fall into the blacklist, they are allowed to pass by default. The
result is that URLs which meet the filtering rules are denied, and the rest are
allowed to pass.
The whitelist contains entries that meet the rules and are allowed to pass. For
entries which do not fall into the whitelist, they are denied by default. The result is
that only URLs which meet the filtering rules are allowed to pass, and the rest are
denied.
When the filter rule is deleted, the corresponding filter rule in the content of the
blacklist/whitelist uploaded to the gateway will also be deleted.
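The blacklist and whitelist behavior described in the notes above, modeled in Python as an added example (not Raisecom code or device firmware). The class UrlFilter, the helper denied_urls, and the case-insensitive substring comparison in matches() are assumptions, because the manual does not state how a rule is compared with a URL.

```python
from dataclasses import dataclass, field

RULE_MIN_LEN, RULE_MAX_LEN = 1, 99  # rule length limits stated in the manual


@dataclass
class UrlFilter:
    """Hypothetical model of the Web Filter decision; not device code."""
    enabled: bool = True
    filter_type: str = "black"  # "black" (Black List) or "white" (White List)
    rules: list = field(default_factory=list)

    def add_rule(self, rule):
        if not RULE_MIN_LEN <= len(rule) <= RULE_MAX_LEN:
            raise ValueError("a rule must be 1 to 99 characters long")
        if rule not in self.rules:
            self.rules.append(rule)

    def matches(self, url):
        # ASSUMPTION: case-insensitive substring match against the whole URL.
        lowered = url.lower()
        return any(rule.lower() in lowered for rule in self.rules)

    def decide(self, url):
        """Return "allow" or "deny" for one requested URL."""
        if not self.enabled:  # Web Filter set to OFF: nothing is filtered
            return "allow"
        if self.filter_type not in ("black", "white"):
            raise ValueError("filter_type must be 'black' or 'white'")
        hit = self.matches(url)
        if self.filter_type == "black":
            return "deny" if hit else "allow"  # default action: allow
        return "allow" if hit else "deny"      # default action: deny


def denied_urls(url_filter, must_reach):
    """URLs from must_reach that the filter would block.

    Run this before switching the filter type: a whitelist with no matching
    rule denies by default, so an empty whitelist blocks every URL.
    """
    return [url for url in must_reach if url_filter.decide(url) == "deny"]


# Constructed sample data (reserved example domains).
MUST_REACH = ["http://intranet.example/wiki", "http://updates.example/fw.tar"]

if __name__ == "__main__":
    white = UrlFilter(filter_type="white")
    print("empty whitelist blocks:", denied_urls(white, MUST_REACH))
    white.add_rule("intranet.example")
    print("after one rule, still blocked:", denied_urls(white, MUST_REACH))
```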
Item Description
Delete Filter Rule You can delete one rule or multiple rules at once.
Item Description
URL Keywords Filter Configure URL keywords to be filtered.
You can filter a certain type of file by using the suffix of the file name as the URL keyword, for example: to filter GIF images, you can add .gif to the URL keyword filtering list.
File Type Filter Configure the file types to be filtered.
Common file types can be selected from the list of file types. If it is not a common file type, you can add a file type filtering policy by configuring the file type and the multimedia type.
HTTP Protocol Verify Enable or disable HTTP verification.
Max Length of URL Set Configure the maximum length of the URL during the HTTP request. Requests exceeding this length will be rejected. The value is an integer with a length ranging from 10 to 2048. The default value is 1024.
Security Defend Content filtering for HTTP responses, including:
APPLET: filter the content with applet tags in the HTML returned to the user.
COOKIE: clear the cookie header entity in HTTP requests and responses.
OBJECT: filter the content with object tags in the HTML returned to the user.
PROXY: block HTTP proxy requests.
SCRIPT: filter the content with script tags in the HTML returned to the user.
The blocked content contains the HTTP response with the specified tag, or the HTTP response contains the HTTP header entity of the specified type. Content filtering is effective for uncompressed and unencrypted HTML documents.
Time Range For URL Filter Always: filter at all times.
Select Time: filter within the specified time. You need to choose a specific period.
Scenario
On this interface, you can upload or download the blacklist/whitelist. You can upload the
blacklist/whitelist to the device, or download the blacklist/whitelist from the device.
Configuration steps
Step 1 Choose Security > Security > URL Filter.
Step 2 Select the Local Update tab.
Step 3 In the Black/White Lists Upload area, click Choose File. Choose the directory of the file to be
imported, and click Open. Click Upload. The system automatically uploads the file. After
uploading is complete, a dialog box appears. Click OK.
Step 4 In the Black/White Lists Download area, click Download. A dialog box appears. Choose the
directory to save the list. The system automatically saves the blacklist/whitelist file to the
specified directory.
Figure 7-8 Black/White Lists upload interface and Black/White Lists download interface
Scenario
You can specify a specific intranet IP address segment by period and protocol to allow or
prohibit other devices from accessing the specified destination address. The access control
policy is divided into two parts:
Security policy: filter data by the combination of source interface, source address name,
destination interface, destination address name, service, and time object.
Connection limit: filter the data in PERMIT mode, and limit the total number of
connections or host connections according to the filtering results. The host connection
limit can be based on the destination address or the source address.
Configuration steps
Step 1 Choose Security > Security > Access Control.
Step 2 Select the Policy of Access Control tab.
Step 3 In the List of Policy section:
To add a new policy list, click Add. The Add policy interface will appear.
Step 4 The items on the Modify policy interface are the same as those on the Add policy interface.
Configure related items and click Submit.
Item Description
Source Interface Configure the ingress interface of the data packet to be controlled. You can specify an interface. Any means all interfaces.
Source Address Name Configure the source IP address range of the data packet to be controlled. You can refer to a defined address object or address object group. Any indicates that the source address is arbitrary.
Destination Interface Configure the egress interface of the data packet to be controlled. You can specify an interface. Any means all interfaces.
Destination Address Name Configure the destination IP address range of the data packet to be controlled. You can refer to a defined address object or address object group. Any indicates that the destination address is arbitrary.
Service Configure the packet type or port of the data packet to be controlled. Any means that the service is arbitrary.
Time Object Valid time of the policy. You can refer to the configured time object. Always means all time.
State of Security Policy On: this policy takes effect.
Off: this policy does not take effect.
Mode Actions performed on packets that match the matching conditions
PERMIT: allow qualified data packets to pass.
DENY: deny qualified data packets.
Item Description
Total Connection count Total number of connections matching the current policy, ranging from 10 to 65535
Limit of Host Connection Count Source address: match the connection limit corresponding to the source address of the policy.
Destination address: match the connection limit corresponding to the destination address of the policy.
Description Describe the policy.
Scenario
Configure time objects for access control to control access to data packets in different periods. A time object describes a specific time range. Some access control rules need to take effect only within one or more periods, while packet filtering is not performed in other periods. In that case, first configure one or more periods as time objects, and then refer to the time object when configuring access control rules, thereby implementing access control based on the time object.
The configuration of the time object is as follows:
- Configure absolute time object: the event happens within a fixed period with a start time and an end time.
- Configure cycle time object: the event happens at a fixed time, specified as certain days of the week.
Configuration steps
Step 1 Choose Security > Security > Access Control.
Step 2 Select the Time Object tab.
Step 3 In the List of Cycle Time section:
The name of the time object cannot be modified when you modify the time object.
Step 4 The items on the Time Object Modify interface are the same as those on the Time Object Add
interface. Configure related items and click OK.
Item Description
Name Name of the time object
Description Describe the time object.
Week Select the days of the week on which the time object takes effect.
Start Time Start time of the time object
End Time End time of the time object
The start time, end time, and week must either all be set or all be left unset (that is, keep the start and end time as 00:00 – 00:00, and do not select any item in the week). When none is set, the access control policy is effective at all times.
The start time should be earlier than the end time.
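The two rules above can be checked before a policy is bound to a time object. The following Python sketch is an added example, not Raisecom code; the `TimeObject` class, the day names, and the choice to include the start time and exclude the end time are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MIDNIGHT = time(0, 0)


@dataclass(frozen=True)
class TimeObject:
    """Hypothetical model of a cycle time object (not the device's own code)."""
    name: str
    days: frozenset = frozenset()   # empty set: no day selected in Week
    start: time = MIDNIGHT          # 00:00 - 00:00 means "not set"
    end: time = MIDNIGHT

    def validate(self):
        """Return the list of rule violations; an empty list means valid."""
        errors = []
        unknown = set(self.days) - set(DAYS)
        if unknown:
            errors.append(f"unknown days: {sorted(unknown)}")
        time_set = (self.start, self.end) != (MIDNIGHT, MIDNIGHT)
        if time_set != bool(self.days):
            errors.append("start/end time and week must be set together")
        if time_set and not self.start < self.end:
            errors.append("start time must be earlier than end time")
        return errors

    def is_active(self, when: datetime) -> bool:
        """True if a policy referring to this object is in effect at `when`."""
        errors = self.validate()
        if errors:
            raise ValueError("; ".join(errors))
        if not self.days:
            return True             # nothing set: effective at all times
        # Assumption: the window includes the start and excludes the end.
        in_window = self.start <= when.time() < self.end
        return DAYS[when.weekday()] in self.days and in_window


# Constructed sample: office hours on working days.
OFFICE = TimeObject("office", frozenset(DAYS[:5]), time(9, 0), time(18, 0))
```

As the scenario states, packet filtering is not performed outside the configured periods, so a DENY policy bound to a time object leaves the matching traffic unfiltered at all other times.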
Scenario
Service objects may be referenced when you configure access control entries. Some well-
known service objects have been created during system initialization. If these default service
objects still cannot meet the requirements, you can customize your service by creating service
objects.
The service object can be a combination of TCP source port and destination port, a combination of UDP source port and destination port, a combination of ICMP type and code, an IP protocol number, or a combination of these protocols.
Configuration steps
Step 1 Choose Security > Security > Access Control.
Step 2 Select the Service Object tab.
Step 3 In the List of Customed Service section:
The name of the service object cannot be modified when you modify the service
object.
Well-known service objects predefined by the system cannot be added again. The
system can include up to 200 service objects, including predefined well-known
service objects.
Step 4 The items on the Service Object Modify interface are the same as those on the Service Object
Add interface. Configure related items and click OK.
Item Description
Name Name of the service object
Description Describe the service object.
Protocol Protocol type. Configure access control through the protocol used to transmit data packets, including TCP, UDP, ICMP, and IP.
Source port number The matching source port range when the protocol is TCP or UDP. Configure this item only when the packet protocol is TCP or UDP. The value ranges from 1 to 65535.
Destination port number The matching destination port range when the protocol is TCP or UDP. Configure this item only when the packet protocol is TCP or UDP. The value ranges from 1 to 65535.
Type Specify the type of ICMP packets. Configure this item only when the packet protocol is ICMP. The value ranges from 0 to 255.
Code Code of ICMP packet type. Configure this item only when the packet protocol is ICMP. The value ranges from 0 to 255.
Protocol number IP protocol number. Configure this item only when the packet protocol is IP.
Scenario
IP address objects need to be referenced when you configure access control entries. The
system uniformly manages the network sessions that need to be filtered through the IP address
object.
The address object can be a single host address, a network segment address, a MAC address, an address range, or any combination of these address types.
Configuration steps
Step 1 Choose Security > Security > Access Control.
Step 2 Select the Address Object tab.
Step 3 In the List of Address section:
The name of the address object cannot be modified when you modify the address
object.
The system supports up to 512 IP address objects.
Step 4 The items on the Address Object Modify interface are the same as those on the Address
Object Add interface. Configure related items and click OK.
Item Description
Name Name of the address object
Description Describe the address object.
Type of Node Host: the address object is a single host. Subnet/mask: the address object is a certain network segment. MAC address: the address object is a MAC address. Scope: the address object is a range of IP addresses.
Host Host address. Configure this item when you select Host from the Type of Node drop-down list.
Subnet/mask Network segment of the address object. Configure this item when you select Subnet/mask from the Type of Node drop-down list.
MAC address MAC address of the address object. Configure this item when you select MAC address from the Type of Node drop-down list.
Scope IP address range of the computer to be controlled in the LAN. Configure this item when you select Scope from the Type of Node drop-down list.
Scenario
By configuring MAC address filtering of the enterprise gateway, you can limit the users who
access the network according to the configured MAC address filtering parameters.
MAC address filtering supports:
- Filter the Ethernet frames whose encapsulation content is not IP packets.
- Filter the Ethernet frames whose destination MAC address is the multicast address.
- Filter the Ethernet frames whose source MAC address or destination MAC address in the frame header matches the configured MAC filter entry.
Configuration steps
Step 1 Choose Security > Security > MAC Filter.
Step 2 In the Function Set section, configure related items.
Item Description
Enable Switch Enable or disable MAC address filtering.
Type of filter After enabling MAC address filtering, you can select:
Allow: only allow this MAC address to access the network.
Not allow: prohibit this MAC address from accessing the
network.
Item Description
MAC Address Used for filtering MAC addresses
Scenario
ARP spoofing is carried out by forging IP addresses and MAC addresses. It can generate a large amount of ARP traffic and congest the network. As long as the attacker continuously sends out fake ARP response packets, the ARP cache of the target host can be changed, causing network interruption or a Man-in-the-Middle (MITM) attack.
After a network suffers an ARP attack, the following symptoms appear: the Internet cannot be accessed normally; the number of ARP packets increases; MAC addresses are abnormal or incorrect; one MAC address corresponds to multiple IP addresses; IP addresses conflict.
Configuration steps
Step 1 Choose Security > Security > ARP Prevent.
Step 2 Select the Prevent ARP Attack tab.
Step 3 Configure related items and click OK.
Item Description
Prevent ARP Flood Enable: enable ARP Flood prevention. Disable: disable ARP Flood prevention.
ARP Flooding Threshold If the number of packets sent by the same host per second to the device exceeds this threshold, it is considered a Flood attack. The unit is packets/second. The default value is 300, and the value ranges from 2 to 10000.
Attack Host Inhibition Time Period during which the device, after being attacked, does not accept packets sent by the host that initiated the flood attack. The unit is second. The default value is 60. The value ranges from 10 to 65535.
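How the threshold and the inhibition time interact is easier to see on replayed traffic. The following Python model is an added example, not the device's implementation; counting in fixed one-second windows, keying hosts by MAC address, and the names `ArpFloodGuard` and `replay` are assumptions.

```python
class ArpFloodGuard:
    """Hypothetical per-host ARP rate limiter (not the device's own code)."""

    def __init__(self, threshold=300, inhibit=60):
        # Ranges and defaults are the ones given in the table above.
        if not 2 <= threshold <= 10000:
            raise ValueError("threshold must be 2-10000 packets/second")
        if not 10 <= inhibit <= 65535:
            raise ValueError("inhibition time must be 10-65535 seconds")
        self.threshold = threshold
        self.inhibit = inhibit
        self.window = {}          # host -> (second, packets seen in that second)
        self.blocked_until = {}   # host -> time at which inhibition ends
        self.events = []          # (time, host) for each detected flood

    def accept(self, host, ts):
        """Return True if an ARP packet from `host` at time `ts` is accepted."""
        if ts < self.blocked_until.get(host, 0.0):
            return False                      # host is being inhibited
        second = int(ts)
        seen_second, count = self.window.get(host, (second, 0))
        if seen_second != second:
            count = 0                         # assumption: fixed 1 s windows
        count += 1
        self.window[host] = (second, count)
        if count > self.threshold:
            self.blocked_until[host] = ts + self.inhibit
            self.events.append((ts, host))
            return False
        return True


def replay(guard, packets):
    """Feed (time, host) pairs to the guard; return accepted count per host."""
    accepted = {}
    for ts, host in sorted(packets):
        accepted.setdefault(host, 0)
        accepted[host] += guard.accept(host, ts)
    return accepted


# Constructed traffic: one host bursts 500 packets in half a second,
# another sends 5 packets per second for 3 seconds.
SAMPLE = [(i * 0.001, "00:11:22:33:44:0a") for i in range(500)]
SAMPLE += [(s + i * 0.2, "00:11:22:33:44:0b") for s in range(3) for i in range(5)]
```

With the default values the bursting host gets its first 300 packets through and is then ignored for 60 seconds, while the quiet host is unaffected; a lower threshold shortens that initial burst at the cost of inhibiting busy but legitimate hosts.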
Scenario
The device supports self-defined packet sending. You can customize the ARP packet to be
sent from the specified interface.
Configuration steps
Step 1 Choose Security > Security > ARP Prevent.
Step 2 Select the Custom Contract tab.
Step 3 Click Edit. Configure related items and click OK.
Item Description
Operation ON: enable self-defined packet sending. OFF: disable self-defined packet sending.
Direction Request: the packet sent is a request packet. Response: the packet sent is a response packet.
Source IP Source IP address of the self-defined packet
Destination IP Destination IP address of the self-defined packet
Source MAC Source MAC address of the self-defined packet. The default value is 00:00:00:00:00:00.
Destination MAC Destination MAC address of the self-defined packet. The default value is 00:00:00:00:00:00.
Contract Number Number of times the packet is sent, ranging from 1 to 1000. The default value is 1.
Time interval Interval for sending data packets, in units of second, ranging from 1 to 10. The default value is 1.
Send interface Configure the packet sending interface.
Scenario
After the device resolves the destination MAC address through ARP, it will add an IP-to-
MAC mapping entry to its ARP table for subsequent forwarding of packets to the same
destination. You can view the ARP entries that communicate with this device in the ARP table.
Configuration steps
Step 1 Choose Security > Security > ARP Prevent.
Step 2 Select the ARP Table tab.
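The ARP table is where the symptoms listed in the ARP attack scenario (abnormal MAC addresses, one MAC address with multiple IP addresses, IP conflicts) become visible. The following Python check is an added example, not part of the device or its Web interface; the two-column "IP MAC" text layout and the sample entries are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample; the "IP MAC" line layout is an assumption, not the
# device's export format.
SAMPLE = """\
192.168.1.1    00:11:22:33:44:01
192.168.1.10   00:11:22:33:44:0A
192.168.1.11   00-11-22-33-44-0b
192.168.1.1    00:11:22:33:44:0b
192.168.1.12   ff:ff:ff:ff:ff:ff
"""

def parse(text):
    """Return normalised (ip, mac) pairs from whitespace-separated lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        ip = str(ipaddress.ip_address(parts[0]))   # raises on a malformed IP
        rows.append((ip, parts[1].lower().replace("-", ":")))
    return rows

def is_abnormal(mac):
    """Malformed, all-zero, or group (multicast/broadcast) MAC address."""
    if not MAC_RE.match(mac) or mac == "00:00:00:00:00:00":
        return True
    return bool(int(mac[:2], 16) & 1)   # I/G bit set: not a unicast address

def audit(rows):
    """Group entries by the symptoms listed in the ARP attack scenario."""
    by_mac, by_ip, abnormal = defaultdict(set), defaultdict(set), set()
    for ip, mac in rows:
        if is_abnormal(mac):
            abnormal.add((ip, mac))
            continue
        by_mac[mac].add(ip)
        by_ip[ip].add(mac)
    return {
        "mac_with_multiple_ips": {m: sorted(v) for m, v in by_mac.items() if len(v) > 1},
        "ip_conflicts": {i: sorted(v) for i, v in by_ip.items() if len(v) > 1},
        "abnormal_macs": sorted(abnormal),
    }
```

A MAC address with several IP addresses is not always an attack (a multi-addressed host or router produces the same pattern), so treat the output as a list of entries to verify against known devices.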
7.5.4 Monitor
Scenario
You can view the log information about the ARP flood attack through the monitor.
Configuration steps
Step 1 Choose Security > Security > ARP Prevent.
Step 2 Select the Monitor tab.
Step 3 View the logs on the Monitor Information interface.
Scenario
You can enable ARP spoofing prevention on this interface.
Configuration steps
Step 1 Choose Security > Security > ARP Prevent.
Step 2 Select the Prevent ARP CHEAT tab.
Step 3 Click Enable.
Scenario
In the network, data packets are transmitted over the Internet through TCP/IP. The data packets themselves are harmless, but too many of them overload network equipment or servers. Alternatively, attackers exploit protocol or application defects to construct incomplete or malformed data packets, which make the network device or server take a long time to process services and consume too many system resources, so that it fails to respond to normal services.
You can configure anti-DDoS for the device on this interface. Protection is generally classified into three types: anti-DDoS attack, anti-abnormal packet attack, and anti-scan attack. Anti-DDoS is configured to prevent attack packets from attacking the CPU and to ensure that the server can operate normally under attack.
Configuration steps
Step 1 Choose Security > Security > DDos Prevent.
Step 2 Configure related items and click OK.
Item Description
DDoS Attack Defence
Attack Type Select the types of packets to be prevented, including SYN Flood, TCP Flood, DNS Flood, UDP Flood, and ICMP Flood.
Defend Action Defense action when being attacked: discard the packet.
Threshold Configure the connection rate threshold for flood attack prevention. For SYN Flood and TCP Flood packets the unit is half connections/second; for other types of packets the unit is connections/second. The default value is 2000 and the value ranges from 400 to 60000.
Abnormal Packet Attack Defence
Jolt2 Enable or disable Jolt2 attack detection.
Land-Base Enable or disable Land-Base attack detection.
PING of death Enable or disable PING of death attack detection.
TCP flag Enable or disable TCP flag attack detection.
Tear Drop Enable or disable Tear Drop attack detection.
Winnuke Enable or disable Winnuke attack detection.
Smurf Enable or disable Smurf attack detection.
ICMP Redirect Enable or disable ICMP Redirect attack detection.
Scan Attack Defence
TCP Scan Detect TCP packets.
UDP Scan Detect UDP packets.
ICMP Scan Detect ICMP packets.
Scan Identity Threshold Configure the connection rate threshold for anti-scan attacks, in units of connection/second. The default value is 1000, and the range is from 10 to 65535.
Host Suppression Duration Period during which the device, after being attacked, does not accept packets sent by the host that initiated the scan attack. The unit is seconds. The value ranges from 1 to 65535. The default value is 20.
8 Appendix
8.1 Terms
B
Bridging It refers to the process of forwarding network data packets according to the address of the data link layer in the OSI seven-layer model.
Blacklist/Whitelist Blacklist: those MAC addresses in the blacklist are forbidden to pass. Whitelist: those MAC addresses in the whitelist are allowed to pass.
F
Firewall It is an application security technology based on network communication technology and information security technology. It is the unique ingress & egress for different networks or security domains. It can control ingress and egress traffic according to access control policies (permit, deny, and monitor). Moreover, it has strong resistance to attacks.
P
Page pushing It refers to quickly forwarding the collated information resources to the user's interface in the form of a web page to realize the user's multi-level needs, allowing the user to set the required information channel himself and receive customized information directly on the user side.
T
TR069 It is a network management protocol made by the Digital Subscriber Line (DSL) Forum for terminal devices, also called Customer Premises Equipment WAN Management Protocol (CWMP). It provides a general framework and protocol for managing and configuring home network devices in the next generation network. It can remotely and centrally manage gateways, routers, and Set Top Boxes (STBs) in a home network at the network side.
V
Virtual Private Network (VPN) Network scheme in which portions of a network are connected via the Internet, but information sent across the Internet is encrypted. The result is a virtual network that is also part of a larger network entity. This enables corporations to provide telecommuters and mobile professionals with local access to their corporate network or another ISP network. VPNs are possible because of technologies and standards such as tunneling, screening, encryption, and IPsec.
C
CDMA Code Division Multiple Access
CHAP Challenge Handshake Authentication Protocol
D
DDoS Distributed Denial of Service
DHCP Dynamic Host Configuration Protocol
E
EVDO Evolution-Data Optimized
EoIP Ethernet over IP
F
FTP File Transfer Protocol
G
GRE Generic Routing Encapsulation
I
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IP Internet Protocol
ITU-T International Telecommunications Union - Telecommunication Standardization Sector
IGMP Internet Group Management Protocol
IPSec IP Security
L
L2TP Layer Two Tunneling Protocol
LAN Local Area Network
M
MAC Medium Access Control
MIB Management Information Base
N
NTP Network Time Protocol
NAT Network Address Translation
O
OAM Operation, Administration, and Management
OSPF Open Shortest Path First
P
PC Personal Computer
PPPoE Point-to-Point Protocol over Ethernet
PTP Precision Time Protocol
PON Passive Optical Network
PAP Password Authentication Protocol
Q
QoS Quality of Service
R
RADIUS Remote Authentication Dial In User Service
RIP Routing Information Protocol
S
SIM Subscriber Identity Module
Syslog System Log
SSH Secure Shell
SSL Secure Sockets Layer
T
TCP Transmission Control Protocol
TD-SCDMA Time Division-Synchronous Code Division Multiple Access
U
URL Uniform Resource Locator
UA User Agent
V
VLAN Virtual Local Area Network
VPDN Virtual Private Dial Network
W
WLAN Wireless Local Area Network
WAN Wide Area Network