Page 1 Vigor 3300 Series Broadband VoIP/Security/Load Balance Router User’s Guide Version: 2.1 Date: 2006/08/02...
Page 2: Copyright Information
Copyright Information Copyright Copyright 2006 All rights reserved. This publication contains information that is Declarations protected by copyright. No part may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders. The scope of delivery and other details are subject to change without prior notice.
Page 3: Table Of Contents
Preface ...1 1.1 LED Indicators and Connection ... 2 1.1.1 LED Indicators and Connectors for Vigor3300V ... 2 1.1.2 LED Indicators and Connectors for Vigor3300... 4 1.1.3 LED Indicators and Connectors for Vigor3300B+ ... 6 1.2 Hardware Installation ... 8 1.2.1 Detailed Explanation for the Connector...
Page 4 3.3.8 LAN Port Mirroring Setup... 68 3.3.9 LAN VLAN Setup ... 68 3.3.10 SNMP... 71 3.4 Firewall Setup ... 76 3.4.1 IP Filter... 76 3.4.2 DoS ... 81 3.4.3 URL Filter... 83 3.5 Quality of Service Setup... 88 3.5.1 Incoming/Outgoing Class Setup ... 90 3.5.2 Incoming/Outgoing Class Filter ...
Page 5: Preface
The Vigor3300 Series integrates a rich suite of functions, including NAT, firewall, VPN, load balance, bandwidth management, and VoIP capability. These products are very suitable for providing multi-integrated solutions to SME markets. An application scenario for the Vigor3300 Series is depicted in Figure 1-1, which illustrates interconnections among branch offices through the Internet via the Vigor3300 Series routers.
Page 6: Led Indicators And Connection
T.38 fax relay. By enabling and configuring fax rate on a dial peer, the originating and the terminating V3300V can enter fax relay transfer mode. By using the T.38 function, customers can also save on fax expenses. Lastly, by enabling the load balance feature on multiple WAN ports, lease lines can be replaced to provide a cost-effective method for network infrastructure.
Page 7 (1, 2, 3, 4) WAN/DMZ (1, 2, 3, 4) Interface Console LAN (P1 ~ P4) WAN/DMZ (P1 ~ P4) Vigor3300 Series User’s Guide Status Explanation The Ethernet link is established on corresponding port. No Ethernet link is established. It means that a normal 100 Mbps connection is through its corresponding port.
Page 8: Led Indicators And Connectors For Vigor3300
WLAN Attack 100M (2, 3, 1) (1, 2, 3, 4) Status Explanation The router is powered on. The router is powered off. On/Blinking The system is active. The system is hanged. Reserved for future use. The VPN tunnel is launched. The VPN tunnel is closed.
Page 9 100M Interface Console LAN (P1 ~ P4) WAN/DMZ (WAN1 ~ WAN3) Vigor3300 Series User’s Guide Status Explanation It means that a normal 100Mbps connection is through its corresponding port. It means that a normal 10Mbps connection is through its corresponding port. It means a full duplex connection on corresponding port.
Page 10: Led Indicators And Connectors For Vigor3300B
Attack 100M (2, 3, 1) (1, 2, 3, 4) 100M Status Explanation The router is powered on. The router is powered off. On/Blinking The system is active. The system is hanged. The Attack function is active. The Attack function is inactive. The QoS function is active.
Page 11 Interface Console LAN (P1 ~ P4) WAN1 ~ WAN3 Auxiliary Cables Power Cord Serial (Console) Ethernet (LAN) Ethernet (DMZ) Ethernet (WAN1) RJ-45, Blue Ethernet (WAN2) RJ-45, Blue Ethernet (WAN3) RJ-45, Blue Ethernet (WAN4) RJ-45, Blue Vigor3300 Series User’s Guide Status Explanation It means a full duplex connection on corresponding port.
Page 12: Hardware Installation
Before starting to configure the router, you have to connect your devices correctly. Connect the power cord to the power port of Vigor3300 router on the rear panel, and the other side into a wall outlet. Power on the device by pressing the power switch on the rear panel. The PWR LED should be ON.
Page 13: Detailed Explanation For The Connector
Here provides you detailed explanation for some specific connectors that you have to be familiar. The RJ45 connection jet is used for CLI commands for system configuration and control functions in the Vigor3300 Series. The jet is used for initialization of the Vigor3300 Series during preliminary installation.
Page 14 After the bracket installation, the Vigor3300 Series chassis can be installed in a rack by using four screws for each side of the rack. Rubber pads are included with the Vigor3300 Series. These rubber pads improve the air circulation and decrease unnecessary rubbing on the desktop. Vigor3300 Series User’s Guide...
Page 15: Configuring Basic Settings
For use the router properly, it is necessary for you to change the password of web configuration for security and adjust primary basic settings. This chapter explains how to setup a password for an administrator and how to adjust basic settings for accessing Internet successfully.
Page 16 Now, the Main Screen will pop up. Go to System page and choose Change Password. The following screen will appear. Enter the login password (1234) on the field of Old Password. Type a new one in the field of New Password and retype it on the field of Confirm Password. Then click Apply to continue.
Page 17: Quick Setup
Now, the password has been changed. Next time, use the new password to access the Web Configurator for this router. Next, you will see the login screen after clicking Apply. Please use new password to re-enter the system configuration. Quick Setup is designed for configuring your broadband router accessing Internet with simply steps.
Page 18 MAC Address Downstream Rate Upstream Rate Type Physical Mode IP Mode Router Default- Use the default Mac address stored originally in router. User Definition- Use a MAC address defined by the user. Assign the downstream rate for this WAN interface. The default value is 102400 kbps (100 Megabit).
Page 19: Static Mode
You can manually assign a static IP address to the WAN interface and complete the configuration by applying the settings and rebooting your router. Choosing Static as the IP mode, you will see the following page: All the settings here are set by privately. Your ISP will not provide these settings. IP Address Subnet Mask Default Gateway...
Page 20 IP Address Subnet Mask Status Start IP End IP Primary DNS When you finished the above required settings, please click Finish. A system reboot page will appear. Click Apply to activate the static mode configuration. Assign an IP address for the LAN interface. Assign the subnet mask for the LAN interface.
Page 21: Dhcp Mode
DHCP allows a user to obtain an IP address automatically from a DHCP server on the Internet. If you choose DHCP mode, the DHCP server of your ISP will assign a dynamic IP address for Vigor3300 automatically. It is not necessary for you to assign any setting. (Host Name and Domain Name are required for some ISPs).
Page 22: Pppoe
End IP Primary DNS When you finished the above required settings, please click Finish. A system reboot page will appear. Click Apply to activate the DHCP mode configuration. This mode is used for most of DSL modem users. All local users can share one PPPoE connection to access the Internet.
Page 23 IP Address Subnet Mask Status Start IP End IP Primary DNS When you finished the above required settings, please click Finish. A system reboot page will appear. Click Apply to activate the PPPoE mode configuration. Vigor3300 Series User’s Guide Assign an IP address for the LAN interface. Assign the subnet mask for the LAN interface.
Page 24: Pptp
This mode lets user get the IP group information by a DSL modem with PPTP service from ISP. Your service provider will give you user name, password, and authentication mode for a PPTP setting. If your ISP offers you PPTP (Point-to-Point Tunneling Protocol) mode, please select PPTP for this router.
Page 25 IP Address Subnet Mask Status Start IP End IP Primary DNS When you finished the above required settings, please click Finish. A system reboot page will appear. Vigor3300 Series User’s Guide Assign an IP address for the LAN interface. Assign the subnet mask for the LAN interface. Click Enable to use DHCP server;...
Page 26: Advanced Configuration
After finished basic configuration of the router, you can access Internet with ease. For the user who wants to adjust more setting for suiting his/her request, please refer to this chapter for getting detailed information about the advanced configuration of this router. For the system setup, there are several items that you have to know the way of configuration: Status, Time Setup, Syslog Setup, Access Control Setup, Reboot and Firmware Upgrade Setup, Diagnostic Tools and Configuration Setup.
Page 27 General status of this router will be displayed on Basic Status page. Model Hardware Version Firmware Version Build Date&Time System Uptime CPU Usage Memory Usage Current System Time The status of LAN connection is shown in this page. Simply click LAN Status tag to get the detailed.
Page 28 High Available Status RX Packets TX Packets The High Available Status is shown when the function is enabled. When there are two Vigor3300 devices in the same LAN, one can be set as Master device and the other can be set as Slave device.
Page 29 The status of WAN interface (Static, DHCP, PPPoE, PPTP or DMZ) is shown in this page. Simply click WAN Status tag to get the detailed. There are four sets of WAN status can be shown in this page at one time. The sample below just lists one set of WAN status for only WAN1 interface is used.
Page 30: Time
As an NTP (Network Time Protocol) client, the router gets standard time from the time server. Some time-based functions, such as Call Schedule and URL Content filtering, cannot work properly until the system time functions run successfully. Typically, NTP achieves high accuracy and reliability with multiple redundant servers and diverse network paths.
Page 31: Syslog
The Vigor3300 Series supports a Syslog function to keep a record of abnormal conditions. The router will send Syslog packets to a Syslog server on the remote site. The administrator can observe any abnormal events from Vigor3300. In the System group, click the Syslog option. The Syslog web page is shown below: Status Syslog Server IP...
Page 32: Access Control
This page allows you to determine which services (HTTP/Telnet/SSH) is used for the user to access Vigor3300 Series. In addition, you can also limit some hosts to access Vigor3300 Series with specified IP address. In the System group, click the Access Control option. You will get the following page: Management Method Allow Management from the WAN...
Page 33: Configuration Setup
PING Restriction Most of the settings can be saved locally as a configuration file, and can be applied to another router. The Vigor3300 Series supports the restore and upload functions of the configuration files. In the System group, click the Configuration Setup option. And you can see the following page.
Page 34: Firmware Upgrade Setup
Vigor3300 Series allows users to upgrade firmware through a Web interface. In the System group, click the Firmware Upgrade option. You can see the following page then. Before you execute the firmware upgrade, please download the newest firmware from Draytek’s website (www.draytek.com) or FTP site (ftp.draytek.com) on the computer first.
Page 35 The default setting of the console port is “baud rate 57600, no parity, and 8 bit with 1 stop bit.” 3. Power on Vigor3300, then press ENTER before the system reboots 4. Open Hyper Terminal on the PC. Now, Vigor3300 can accept a TFTP download and will display the following message: 5.
Page 36 Now in the Console you will find the following information. When Updating flash block at bfXXXXXX appears, it means the firmware is under downloading. 7. When set flash0_0 "780000:800000:general" appears, it means the firmware downloading has been completed. The router will reboot itself and you will see the Firmware version: V2.5.7.
Page 37: Reboot
The Vigor3300 Series system can be restarted from a Web browser. Reboot screen can appear after you finish the changing of WAN and LAN settings. You have to reboot the router to invoke the configured settings that you made before. Besides, you can select Reset to factory default to reboot the device and retrieve the default settings.
Page 38: Diagnostic Tools
In some cases, a user may need to know some information about the router, such as static or dynamic databases, or other routing information. The Vigor3300 Series supports four functions, Routing Table, ARP Cache Table, DHCP Assignment Table, and NAT Active Sessions Table for the user to review such information.
Page 39 Select View ARP Cache Table to get the following page: IP Address MAC Address Interface Refresh Select View DHCP Assignment Table to get the following page: Assigned IP MAC Address Time Left Refresh Vigor3300 Series User’s Guide Displays the IP address for different ARP cache. Displays the MAC address for different ARP cache.
Page 40 Select View NAT Active Sessions Table to get the following page. This table can display about 30000 sessions with 20 pages. Type Expire in State Source IP Dest IP sPort dPort Rep Source IP Rep Dest IP sPort dPort Displays the protocol used for the active session. Displays the remaining time (second) of this session.
Page 41: Network Setup
For Internet access, it is necessary for you to set WAN and LAN interfaces for the router. The Vigor3300 Series supports four WAN interfaces (Static, DHCP, PPPoE and PPTP), which share the same setting page. In the Network group, please click the WAN option. The following page will be shown.
Page 42 Edit IP Mode Active Default Route Load Balance Weight Backup-Master Backup-Slave VoIP Most users will use their routers primarily for Internet access. The Vigor3300 Series supports broadband Internet access and provides multiple WAN interfaces. The following sections will give a detailed illustration to broadband access methods. Click the “Edit”...
Page 43 IP Mode Before you connect a broadband access device e.g. a DSL/Cable modem to Vigor3300 Series, you need to know what kind of Internet access your ISP provides. The following sections introduce four widely used broadband access services: Static, PPPoE, PPTP for DSL, DHCP for Cable modem and DMZ.
Page 44 Host Name Domain Name Detect Type Detect Interval (sec) No-Reply Count Detect Destination Host (IP or Domain Name) IP Alias List Apply Reset Some ISP may ask you to type your host name. Please type in if necessary. Some ISP may ask you to type your domain name. Please type in if necessary.
Page 45 If the WAN interface is set as a DHCP client, the Vigor3300 Series will ask for IP network settings from the DHCP server or DSL modem automatically. It is not necessary for users to manually configure the router. Detect Type Detect Interval (sec) No-Reply Count Detect Destination Host...
Page 46 Apply Reset Most DSL modem users will use this mode. All the local users can share one PPPoE connection to access the Internet. User Name Password Authentication Service Name Detect Interval No-Reply Count Apply Reset Click Apply to go back to the WAN Interface Configuration page.
Page 47 The service provider must provide the exact settings for this mode. User Name Password Authentication Service Name PPTP Local Address PPTP Subnet Mask PPTP Remote Address Detect Interval No-Reply Count Apply Reset Vigor3300 Series User’s Guide Assign a specific valid user name provided by local ISP. Assign a valid password provided by local ISP.
Page 48: Lan
In the Network group, select LAN option. The following page for LAN IP/DHCP will be shown. In the Vigor3300 Series router, there are some IP address settings for the LAN interface. The IP address/subnet mask is for private users or NAT users. The IP address of the default gateway on other local PCs should be set as the Vigor3300 Series’...
Page 49 Secondary DNS Lease Time (Min) Gateway IP (Optional) Click Apply to reboot the system and apply the settings. Note: If both the Primary and Secondary DNS fields are left empty, the router will assign its own IP Address to local users as a DNS proxy server and maintain a DNS cache.
Page 50 This page allows users to type in secondary IP address for connecting to a subnet. You can set IP routing for each WAN interface respectively. Status IP Address Subnet Mask LAN Interface Note: Vigor3300V supports four WAN interfaces, yet Vigor3300/Vigor3300B+ support three WAN interfaces.
Page 51: Load Balance Policy
Vigor3300 Series supports a load balancing function. It can assign traffic with protocol type, IP address for specific host, a subnet of hosts, and port range to be allocated in WAN interface. User can assign traffic category and force it to go to dedicate network interface based on the following web page setup.
Page 52: High Availability
Delete/Delete All To edit an entry, select it by clicking the radio button (from 1 to 10). Then click the Edit button on the bottom to bring up the following Web page. Protocol Source IP/Subnet Mask Dest IP/Subnet Mask Dest Port Range Network Interface The High Availability (HA) feature refers to the awareness of component failure and the availability of backup resouces.
Page 53 “Master”) to the backup component (the “Slave”). This process remains system-wide resources, recovers partial of failed transactions, and restores the system to normal within a matter of microseconds. Take the following picture as an example. The left V3300 Series is regarded as Master device, the right V3300 Series is regarded as Slave device.
Page 54: Static Dhcp
High Availability Group Number Role Virtual IP Click Apply to reboot the system and apply the settings. This page can assign static IP address for specified clients in LAN. MAC Address Assign IP Address Disables or enables this function. When the master device fails down, the slave device will take its work over.
Page 55: Advanced Setup
Edit Delete/Delete All To edit an entry, select it by clicking the radio button (from 1 to 10). Then click the Edit button on the bottom to bring up the following Web page. MAC Address Assign IP Address Apply In the Advanced menu, there are several items offered here for you to adjust for the router. Vigor3300 Series User’s Guide Click this button to open the edit page for adjusting the settings.
Page 56: Static Route Setup
When you have several subnets in your LAN, sometimes a more effective and quicker way for connection is the Static routes function rather than other methods. You may simply set rules to forward data from one specified subnet to another specified subnet without the presence of RIP.
Page 57 Network Interface Gateway IP Destination IP Subnet Mask Click Apply to reboot the system and apply the settings. Select the radio button of the item that you want to delete and click Delete on the bottom of the page. The following web page will be displayed: Click OK to delete the entry in static route table.
Page 58: Nat Setup
IP addresses. It also plays a security role by obscuring the true IP addresses of important machines from potential hackers on the Internet. The Vigor 3300 Series is NAT-enabled by default and gets one globally routable IP addresses from the ISP by Static, PPPoE, or DHCP mechanism.
Page 59 Comment Protocol Public Port Start Public Port End Private IP Private Port Start Private Port End Edit Delete/Delete All To edit an item, click the radio button of the item that you want to modify. Then click Edit on the bottom of the page to add a new rule entry or modify an existed rule entry. Comment Vigor3300 Series User’s Guide Displays the name of the entry.
Page 60 Protocol Public Port Range Private IP Private Port Range Use IP Alias WAN Interface IP Alias Click Apply to reboot the system and apply the settings. Note: The port forwarding function could redirect the Internet traffic, which has the destination port within the public port range and has the same IP address as WAN Interface or IP Alias that you set.
Page 61 If you have a group of static IP addresses, then you can use the address-mapping feature to multiple open ports hosts in the Vigor3300 Series of broadband security routers. The following session will show you how to setup address-mapping feature. In the Advanced group, move to NAT option and choose Address Mapping to get the corresponding page.
Page 62 Protocol Public IP Private IP Subnet Mask Click Apply to reboot the system and apply the settings. By the way, user can click Delete to remove one current existed NAT entry in the Advanced – NAT – Address Mapping page and click Delete All to remove all entries. In computer networks, a DMZ (De-Militarized Zone) is a computer host or small network inserted as a neutral zone between a company’s private network and the outside public network.
Page 63 In the Advanced group, move to NAT option and choose DMZ Host to get the corresponding page. WAN Interface Private IP Use IP Alias IP Alias Edit Delete/Delete All To edit an item, click the radio button of the item that you want to modify. Then click Edit on the bottom of the page to add a new rule entry or modify an existed rule entry.
Page 64: Radius Setup
A user supplies his authentication data to the server either directly by answering the terminal server’s login/password prompts, or using PAP of CHAP protocols. The Vigor 3300 Series support Radius client function. A user can configure some authentication information to do an authentication with Radius server. In Vigor3300 Series, it is only applied by VPN->PPTP function.
Page 65 Enable/Disable Server IP Address Destination Port Shared Secret Confirm Shared Secret WAN Interface Click Apply to reboot the system and apply the settings. Vigor3300 Series User’s Guide Click Disable to disable this function. Click Enable to activate this function. Assign an IP address of a Radius server. Assign a destination port number used for Radius function.
Page 66: Port Block
The Port Block function provides a user to set lots of proprietary port numbers. Packets will be dropped if destination ports (both TCP and UCP) of packets with these assigned port numbers are on WAN and LAN. The advantage of this feature is to filter some unnecessary packets or attacking packets on Internet environment or LAN network.
Page 67 In the Advanced group, click DDNS option. You will get the following page. Domain Name Service Provider Service Type Active Status Click Refresh to re-display the whole page information. To modify DDNS setting, click an entry number to get into edit mode. Status Interface Vigor3300 Series User’s Guide...
Page 68 Server Provider Server Type Domain Name Login Name Login Password Wild Card Backup MX Mail Extender Click Apply to finish these settings and return to previous page. Note: 1. The Wildcard and Backup MX features are not supported for all Dynamic DNS providers.
Page 69: Call Schedule Setup
These call schedule profiles will control the up or down time of the router’s dialer or connection manager. In order to do the proper call schedule function, a user must have to setup time function and arrange schedules for specified Internet access profile or LAN-to-LAN profile.
Page 70 Enable/Disable Start Date Start Time Action How often Network Interface Click Apply to finish this setting. To delete an item, click the radio button of the item that you want to delete. Then click Delete on the bottom of the page to remove the entry. Click Disable to disable this function.
Page 71: Wan Port Mirroring Setup
Also, users can click Delete All to remove all entries in the table. Vigor 3300 Series supports port mirroring function in WAN interfaces. Generally speaking, this function copies traffic from one or more specific ports to a target port. This mechanism helps user track the network errors or abnormal packets transmission without interrupting the flow of data access the network.
Page 72: Lan Port Mirroring Setup
Port mirror can be applied for the users in LAN. It has the same mechanism like WAN port mirroring. In the Advanced group, click the LAN Port Mirroring option. Enable/Disable Mirroring Port Mirrored Port(s) After finishing the settings, please click Apply. Virtual LANs (VLANs) are logical, independent workgroups within a network.
Page 73 In the Advanced group, click the LAN VLAN option. There are two VLAN settings offered here for you to configure. If you click Disable, no configuration can be completed. Please choose Port Base VLAN to open the following page. P1 – P4 VLAN 0- 3 Apply Reset...
Page 74 Another way to set VLAN is based on 802.1Q. Please choose 802.1Q VLAN to open the following page. This page is available only for the PCs with certain network cards which support 802.1Q VLAN feature. It is useless for general network cards. Active Name VLAN ID...
Page 75: Snmp
Frame Tag Operation Management Port Port VALN ID The Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the exchange of management information between network devices. There is a set of protocols for managing complex networks. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network.
Page 76 information available to NMSs by using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, computers hosts, or printers. This function is to define a community string name. An agent is a network-management software module that resides in a managed device.
Page 77 Community Host/mask Vigor3300 Series User’s Guide Type the community string (e.g., public) for SNMP. Assign a value of subnet mask for host IP address.
Page 78 Max Access Apply To delete an item, click the radio button of the item that you want to delete. Then click Delete on the bottom of the page to remove the entry. A dialog will be prompted for you to ask confirmation.
Page 79 Trap server Trap community Trap server port Apply Vigor3300 Series User’s Guide Assign an IP address of trap server. Assign a community string for Trap packet using. Assign a port number for Trap server using. Click Apply to save this setting and return the previous page.
Page 80: Firewall Setup
The firewall controls the allowance and denial of packets through the router. Firewall Setup in the Vigor 3300 Series mainly consists of packet filtering, Denial of Service (DoS) and URL (Universal Resource Locator) content filtering facilities. These firewall filters help to protect your local network against attack from outsiders. A firewall also provides a...
Page 81 Data Filter Start Filter Group Group Table allows you to set definitions for different groups of the filters that will be applied for the function of IP filter. Index Group Name Next Group Comment Edit Vigor3300 Series User’s Guide Disable or Enable the firewall function. This firewall can only be enabled if at least one filter group exists.
Page 82 Delete To add a new group, please click Add on the Group Table page to access into the following page. In this page, you can type in new group name and decide the next group name. Also, you can type in your comment for such group. After you click Apply, the new group will be added and you will see it from the drop down menu of Start Filter Group.
Page 83 Source IP Subnet Mask Source Port Vigor3300 Series User’s Guide It means the source IP address. Placing the symbol “!” before a particular IP address will prevent this rule from being applied to that IP address. It is equal to the logical NOT operator. It means the subnet mask for the source IP.
Page 84 Destination IP Destination Mask Destination Port Group Name Protocol Direction Fragments Block or Pass Between - Specifies the port number is between the Start Port and End Port. It means the destination IP address for this filter rule. Placing the symbol “!” before a particular IP address will prevent this rule from being applied to that IP address.
Page 85: Dos
Next Group Name Apply The DoS function helps to detect and mitigates DoS attacks. These include flooding-type attacks and vulnerability attacks. Flooding-type attacks attempt to use up all your system's resources while vulnerability attacks try to paralyze the system by offending the vulnerabilities of the protocol or operation system.
Page 86 DoS Defense Enable SYN Flood Defense Activates the SYN flood defense function. If the amount of Enable UDP Flood Defense Activates the UDP flood defense function. If the amount of Enable ICMP Flood Defense Enable Port Scan Detection Activates the Port Scan detection function. Port scan sends Enables or disables the DoS Defense function.
Page 87: Url Filter
Enable Block IP Options Enable Block Land Enable Block Smurf Enable Block Trace Route Activates the Block trace route function. The router will not Enable Block SYN Fragment Enable Block Fraggle Attack Enable TCP Flag Scan Enable Tear Drop Enable Ping of Death Enable Block ICMP Fragment Enable Block Unknown...
Page 88 rating a site as objectionable, and refusing to display it on user's browser, URL content filter can prevent employee on SME from accessing inappropriate Internet resources. Instead of traditional firewall inspects packets based on the fields of TCP/IP headers, the URL content filter checks the URL strings or the payload of TCP/IP packets.
Page 89 Enable/Disable Keyword Keyword List Block Direct IP Web Access Enable Exception List IP Address Subnet Mask Exception List SurfControl can help to avoid your employees accessing into improper websites and affecting the work efficiency; protect your children from viewing inappropriate websites and accessing chat rooms;...
Page 90 CPA Server Select a CPA Server Permitted Categories List Forbidden Categories List The forbidden categories are obtained from the selected CPA Option Exception URL List It is recommended for you to refer to Web Content Filter user’s guide for more information about SurfControl.
Page 91 Malicious code may be embedded in some executable objects, such as ActiveX, Java Applet, compressed files, executable files, Proxy, and Multimedia. For example, an ActiveX object with malicious code may gain unlimited access to the system. Java ActiveX Compressed Files Execution Files Cookie Proxy...
Page 92: Quality Of Service Setup
After the configuration of URL Filter is configured properly, an alert page will appear in the browser when an HTTP request is denied. Refer to the following graphic. The QoS (Quality of Service) guaranteed technology in the Vigor 3300 Series allows the network administrator to monitor, analyze, and allocate bandwidth for various types of network traffic in real-time and/or for business-critical traffic.
Page 93 IP) and online gaming applications. Differentiated quality of service is therefore one of the most important issues over the Internet infrastructure. In the Vigor 3300 Series, DSCP (Differentiated Service Code Point) support is also taken into consideration in the design of theQoS-guaranteed control module.
Page 94: Incoming/Outgoing Class Setup
Incoming/Outgoing Class Setup allows you to configure bandwidth percentage for data and voice signals transmission. Click the QoS option and choose Incoming Class Setup/Outgoing Class Setup. There are eight queues that can be configured. The total sum of bandwidth has to be 100 percent for all configured queues. Any leftover bandwidth is assigned to eight queues to meet 100 percent totally.
Page 95 Priority Source IP Destination IP Service Type Status DiffServ CodePoint Status Displays the setting for DiffServ CodePoint. Class Edit Delete/Delete All To edit an incoming class filter, please choose one of the radio buttons under Priority and click Edit. The following page will be shown automatically. Source IP Destination IP Service Type Status...
Page 96 Service Type Protocol Port DiffServ CodePoint Status There are three options: DiffServ CodePoint Type DiffServ CodePoint Class Select the service type that you want to use. There are thirty-five service types provided. There are three options: TCP, UDP, and TCP/UDP. Choose the one you need.
Page 97: Vpn And Remote Access Setup
X.509 and DHCP over Internet Protocol Security (IPSec). This VPN feature is only supported for Vigor 3300, Vigor3300V routers. IPSec is the security architecture for IP networks. IPSec provides security services at the IP layer by enabling a system to select required security protocols.
Page 98: Ipsec
keying material for use with ISAKMP, and for other security associations such as AH and ESP for the IPsec DOI. The IPSec services can provide access control, connectionless integrity, data origin authentication, rejection of replayed packets that is a form of partial sequence integrity, and confidentiality by encryption.
Page 99 For Default Configuration To edit or add a policy table, please click one of the radio buttons and click Edit. The following page of default configuration will be shown: Profile Status Name Authentication PreShared Key Vigor3300 Series User’s Guide Set the initialization of IPSec Tunnel with this profile settings. Enable –...
Page 100 Security Protocol NAT Traversal WAN Interface Local Certificate Security Gateway Network IP / Subnet Mask Next Hop Remote ID DHCP-over-IPSEC Security Gateway Network IP / Subnet Mask For Advanced Configuration AH - Specify the IPSec protocol for the Authentication Header protocol.
Page 101 Click Advanced tab. The following page of default configuration will be shown: Key Lifetime (main) The rekey-renegotiated period of the IKE Phase1 keying Proposal (main) Key Lifetime (quick) The rekey-renegotiated period of the IKE Phase2 keying Vigor3300 Series User’s Guide channel of a connection.
Page 102 Proposal (quick) Accepted Proposal Status Delay Timeout After finish the configuration, click Apply to apply the IPSec policy setting into the policy table. Significant fields will be summarized in the IPSec Table. Operational Status reflects the current status of the tunnel. UP means the IPSec tunnel has been established. DOWN means no tunnel existing, or termination status of the tunnel.
Page 103 If user expects the local gateway to act as the IKE initiator, i.e., emit the first IKE main mode message, user can click the hyperlink Initiate to start the IKE negotiation or set admin status to be always on to automatically restart IKE negotiation. During the negotiation, you can press Refresh to show the latest status of all policies.
Page 104 This page allows you to set up the CA configuration to generate user’s certificate. Click the VPN>>IPSec >>User Certificate option. Generate Download Import Delete View Generate a new entry for user certification. Download a certification file generated from router to be stored in local host.
Page 105 To generate a user certificate, please click one radio button to select the entry and click the Generate button. Certification Name ID Type ID Value Organization Unit Organization Locality (City) State/Province Common Name Country E-mail Key Size When you finish the configuration, please click Apply to invoke it. To download a user certificate, please click index number one (with the status of Request Generated) and click the Download button.
Page 106 After you click the Download button, the system will guide you to save the downloaded file (newreq_RD-computer_1.pem) to a place that you assign. To import a user certificate that you saved previously, please click index number one (with the status of Request Generated) and click the Import button. If not, you might see the following dialog to warn you.
Page 107 delete it or click Cancel to leave the dialog without deletion. To view a user certificate, please click the index number that you want to view the detailed information of the certificate and click the View button. The following page will be shown for your reference.
Page 108: Pptp
To configure the general setup, please click VPN -> PPTP->General Setup. Status PPTP Authentication PPTP Encryption User Authentication Enable/Disable User Name Password When you finish the configuration, please click Apply to invoke it. To create a VPN PPTP group table, click the Group Table option under the PPTP menu. Sets the function to Active or Inactive.
Page 109 Start IP Subnet Mask Accessed IP Subnet Mask This page allows you to set up to 30 sets of accounts for authentication. User Name User Password Group Edit Vigor3300 Series User’s Guide Type the starting IP address. The default group value is 192.168.1.224/28.
Page 110 Delete Delete All When you finish the configuration, please click Apply to invoke it. This page displays some relevant information about PPTP connection. It will refresh automatically every 10 seconds. Index Remote IP Assigned IP User Byte In Byte Out Uptime Refresh Disconnect...
Page 111: Voip Setup
Voice over Internet Protocol (VoIP) is a technology that allows you to make telephone calls using a broadband Internet connection instead of a regular (or analog) phone line. The Vigor3300/Vigor3300V provides cost effective voice solution for SME customers which can be explained with the following diagram. There are two protocols can be used for VoIP - SIP and MGCP.
Page 112 SIP Local Port Active Outbound Proxy Proxy Name Proxy Address Proxy Port Registrar Address Registrar Port Expires Domain You can set up to 3 sets of SIP configurations in this page. Type the port number for SIP protocol. The default value is 5060.
Page 113 MGCP Local Port MGCP Call Agent Address The IP address of the Call Agent server in MGCP. MGCP Call Agent Port EndPoint Name Style Wild-carded RSIP Vigor3300 Series User’s Guide The UDP port number in MGCP local terminal. The UDP port number for the Call Agent server. Choose a proper name style for the VoIP settings.
Page 114: Port Settings
Port Settings page allows users to set phone number and phone groups for different call receivers. Edit Type Active Group Username Proxy Codec When you click Edit, the following page will appear for you to configure. Click this button to access into the Edit page for each phone number.
Page 115 Port 1 (FXS) Hotline Vigor3300 Series User’s Guide Click Enable to activate this port or Disable to close this port. User Name – Type the user name (a number) for each phone line. Password - Type the user password for each phone line. Display Name - Type the user name to be displayed on another phone terminal.
Page 116 Codec Hotline Number to PBX / PSTN- Pre-set a phone number to make the port dialing out to PBX/PSTN automatically. Manual Disconnection - Click Disconnect to disconnect this phone line by manual. Preferred Codec - It can be applied on this port. Vigor3300 supports five Codecs.
Page 117 DTMF Call Forwarding Apply It is very important to provide a Group function for voice service within a company. Customers can simultaneously call the same phone number. When the Vigor3300 gets a phone call, which is configured in the first port of a group from Internet, it will ring all available ports belonging to this group to provide voice service at the same time.
Page 118: Speed Dial
Rings all ports in the group Click this radio button to make all ports in the same group Rings the first available port Default Group This page allows you to set a simple way to dial a specific number. Up to 150 numbers can be stored in Vigor3300V.
Page 119: Advanced Speed Dial
Speed dial allows users to call out with simple buttons instead of dialing long numbers. To set a speed dial with specified settings, please open the following page. Prefix Strip Length Append Destination Memo Edit Delete/Delete All To configure one entry, please click Edit to open the following page. Prefix Vigor3300 Series User’s Guide Displays the prefix number of the entry.
Page 120: Miscellaneous
Strip Length Append Destination Memo This page includes RTP and T.38 Starting Port, T.38 Redundancy Number, VoIP ToS, and FAX Ringing settings. RTP Starting Port T.38 Starting Port T.38 Redundancy Number The redundancy number (how many payloads attaching to the Dialing Completion numbers of 03654321 and 04556890.
Page 121: Tone Settings
Timeout VoIP ToS Line Polarity Reversal as Callee Answer FXO auto disconnection if no packet is received in X minutes Ringing Frequency Ringing Cadence - On Ringing Cadence - Off This setting is provided for fitting the telecommunication custom for the local area of the router installed.
Page 122 Region Caller ID Type Dial tone Ringing tone Busy tone Congestion tone Low Frequency (Hz) High Frequency (Hz) TOn1 (10msec) TOff1 (10msec) TOn2 (10msec) TOff2 (10msec) Choose the country area that the Vigor3300 located for using VoIP feature. Or, select User Defined for proprietary settings. If User Defined is selected in the Region field, users can select one of the supported values.
Page 123: Qos
This Quality of Service (QoS) function is only for the VoIP feature. When this function is enabled, the Vigor 3300 Series will set rate limitation for incoming and outgoing transmissions to ensure the best quality of service in VoIP. Disable...
Page 124: Nat Traversal
NAT traversal is a challenge that all Service Providers looking to deliver public IP-based voice and multimedia services must solve. The goal of this function is to provide secure connection to subscribers behind NAT (Network Address Translation) devices and Firewalls. Overcoming this traversal problem will lead to widespread deployment of profitable voice and multimedia over IP services to any subscriber with broadband connection.
Page 125: Incoming Call Barring
Symmetric Media This feature is used to bar incoming VoIP calls from the Internet. Barring classes can be specified to allow or deny incoming calls. There are five barring classes on the device. The default setting is Allow all incoming calls. This page allows you to choose a barring class, match method and set a range for speed dial entries for the incoming call barring.
Page 126 Match Method Speed Dial Entries The Vigor3300 Series supports up to 30 entries in the Allow List table. When you choose Allow only calls from allow list as the Barring Class, only the people listed in this list can call this router. Name IP/Domain The Vigor3300 Series supports up to 30 entries in the Deny List table.
Page 127: Call History
Name IP/Domain This page lists the call history through Vigor3300. You can click Refresh to get the latest history information for these VoIP phones. Besides, this page refreshes automatically every 10 seconds. Port Number Call Type Caller Number Callee Number Start Time End Time Duration...
Page 128: Status
Remote RTP Address Remote RTP Port RTP Statistic Codec Type Packet Period DTMF Relay This page displays the connection status for VoIP phone calls. Register Status Call Status Call Type Caller Number Callee Number Start Time Remote RTP Address Remote RTP Port Codec Type Packet Period DTMF Relay...
Page 129 You can click Refresh to get the latest status information for these VoIP phones. In addition, you can set the time interval of refreshing. Use the drop down list of Refresh Option to choose an automatic refreshing setting. If you choose No Refresh, the system will not refresh this page until you click Refresh button.
Page 130 Vigor3300 Series User’s Guide...
Page 131: Trouble Shooting
This section will guide you to solve abnormal situations if you cannot access into the Internet after installing the router and finishing the web configuration. Please follow below sections to check your basic installation stage by stage. Checking if the hardware status is OK or not. Checking if the Network Connection Settings on your computer is OK or not.
Page 132 Sometimes the link failure occurs due to the wrong network connection settings. After trying the above section, if the link is stilled failed, please do the steps listed below to make sure the network connection settings is OK. The example is based on Windows XP. As to the examples for other operation systems, please refer to the similar steps or find support notes in www.draytek.com.
Page 133 Select Internet Protocol (TCP/IP) and then click Properties. Select Obtain an IP address automatically and Obtain DNS server address automatically. Vigor3300 Series User’s Guide...
Page 134 1. Double click on the current used MacOs on the desktop. 2. Open the Application folder and get into Network. 3. On the Network screen, select Using DHCP from the drop down list of Configure IPv4. Vigor3300 Series User’s Guide...
Page 135: Pinging The Router From Your Computer
The default gateway IP address of the router is 192.168.1.1. For some reason, you might need to use “ping” command to check the link status of the router. The most important thing for this command is that the computer will receive a reply from 192.168.1.1 for correct link. If not, please check the IP address of your computer.
Page 136 Go to the web configuration GUI (http://192.168.1.1), click Network >> WAN to check your ISP settings for IP modes. Make sure the Active check box has been selected. Check if Username and Password are entered with correct values that you got from your ISP.
Page 137 Check if Service Name (optional) is correct or not. It is required by some ISPs. After finishing the settings, go to System - Status page and click WAN Status. You will get a correct web page of WAN settings. Check if the values of IP Address, Subnet Mask, Gateway IP Address and Primary DNS that you got from ISP are set properly or not.
Page 138 Check if Host Name (optional) and Domain Name (optional) are correct or not. Both them are required for some ISPs. If anything wrong, please check and retype correct values. Then try the network connection again. After finishing the settings, go to System - Status page and click WAN Status. You will get a correct web page of WAN settings.
Page 139: Backing To Factory Default Setting If Necessary
Check if the settings of Username and Password are correct or not. Check if the setting of Authentication is correct or not. You may need to try both PAP and CHAP. Check if the value of PPTP Local Address, PPTP Subnet Mask, and PPTP Remote Address are correct or not.
Page 140: Contacting Your Dealer
While the router is running (ACT LED blinking), press the RST button and hold for more than 5 seconds. When you see the ACT LED blinks rapidly, please release the button. Then, the router will restart with the default configuration. After restore the factory default setting, you can configure the settings for the router again to fit your personal request.
Page 141: Appendix A Application For 802.1 Vlan
To control the communication of PCs among different network segments effectively, please adjust firewall setting to deny LAN to LAN communication from Firewall >IP Filter Group Table. Thus, PCs that belong to various LANs will not connect with each other through the router.
Page 142: How To Check/Edit Vlan Id On Your Pc
Now you will get the following page. Not all the network cards support VLAN features. If you cannot sure if the network card of your computer supports tagged VLAN or not, please do the following steps to check (or edit) VLAN ID on your PC.
Page 143 Right-click on Local Area Connection and click on Status. On the following dialog, click Properties. Vigor3300 Series User’s Guide...
Page 144 Click Configure to access into next screen. On this dialog box, locate VLANs tag and click on it. If you cannot find out VLANs tag, that means your network card does not support VLAN feature. Vigor3300 Series User’s Guide...
Page 145 In this screen, there is no VALN existed. You can create a new one. Please click the New…button. Vigor3300 Series User’s Guide...
Page 146 In New VLAN dialog, please type a number in the box of VLAN ID. Here, “5” is entered. The corresponding VLAN Name will appear automatically. Next, click OK to create it. After you click OK, the system will configure for the VLAN settings. Please wait for several seconds.
Page 147 When the configuration is finished, the new VLAN settings with ID number and name will appear on previous dialog, Desktop Adapter Properties. Click OK to exit this dialog. 10. Now, the Desktop Adapter – VLAN dialog will appear as follows. Please click OK. Vigor3300 Series User’s Guide...
Page 148 11. Next time, if you want to check VLAN setting again, please open Settings tag to modify Vigor3300 Series User’s Guide...
Page 149: Applications
A company wants to separate the Engineer Department, Sales Department, Marketing Department and Other Department to limit their communication with each other to ensure the security. In this case, we can define four VLANs that are VLAN5, VLAN6, VLAN7 and VLAN8.
Page 150 After applying the settings, the web page will be redirected to “reboot” web page. You can ignore it and continue to configure the Network setting. After finishing Network setting, you can execute the reboot procedure. After rebooting, the tagged ports will communicate with 802.1Q tagged devices only. In the Network setting, type the subnet 192.168.1.0 to LAN.
Page 151: Two Vlans For Different Departments In A Company
A company wants to separate the Engineer Department and Other Departments to limit their communication to protect the engineering data. In this case, we can define two VLANs that are VLAN5 and VLAN6. The subnet of VLAN5 is 192.168.1.0, and the subnet of VLAN6 is 192.168.2.0.
Page 152 After applying the settings, the web page will be redirected to “reboot” web page. User can it and continue to configure the Network setting. After finishing Network setting, you can execute the reboot procedure. After rebooting, the tagged ports will communicate with 802.1Q tagged devices only. In the Network setting, type the subnet 192.168.1.0 to LAN.
Page 153: Example For The Companies In The Same Building
There are four companies in the same building. They share the broadband network and use the Vigor3300V router to achieve the load balance, security, and VoIP features. In this case, we can define four VLANs including VLAN5, VLAN6, VLAN7 and VLAN8. The subnet of VLAN5 is 192.168.1.0;...
Page 154 In the VLAN8, type “8” to VLAN ID. In the Member field, choose p4. Then choose the “Tagged” for Frame Tag Operation in p4. We can ignore the PVID (Port VLAN ID), because 802.1q tag will be inserted to the frame from company D. After applying the settings, the web page will be redirect to “reboot”...
Page 155: Example For A Company And Guest
A company wants to separate the Engineer Department, Sales Department, Marketing Department and guest to limit their communication with any department to ensure the security. In this case, we can define four VLANs that are VLAN5, VLAN6, VLAN7 and VLAN8. The subnet of VLAN5 is 192.168.1.0;...
Page 156 In the VLAN8, type “8” to VLAN ID. In the Member field, choose p4. Then choose the “Untagged” for Frame Tag Operation in p4. We should configure the PVID to “8”, because the device does not support 802.1Q VLAN. After applying the settings, the web page will be redirected to “reboot” web page. User can ignore it and continue to configure the Network setting.
Page 157: Example For Trunk Usage
A company wants to separate the Engineer Department, Sales Department, Marketing Department and other departments to limit their communication with each other to ensure the security. Many employees of the company use some switches supported 802.1Q VLAN to expand the network. In this case, we can define four VLANs that are VLAN5, VLAN6, VLAN7 and VLAN8.
Page 158 the PVID (Port VLAN ID), because 802.1q tag will be inserted to the frame from the switch. In the VLAN8, type “8” to VLAN ID. In the Member field, choose p1, p2, p3 and p4. Then choose the “Tagged” for Frame Tag Operation in p1, p2, p3 and p4. We can ignore the PVID (Port VLAN ID), because 802.1q tag will be inserted to the frame from some users.

This manual is also suitable for:

Vigor 3300b Vigor 3300v Vigor 3300b+

Draytek VIGOR 3300 User Manual

Preface

Configuring Basic Settings

Advanced Configuration

Trouble Shooting

Appendix A Application for 802.1 VLAN

Quick Links

Related Manuals for Draytek VIGOR 3300

Summary of Contents for Draytek VIGOR 3300

This manual is also suitable for:

Table of Contents