Draytek VigorPro 5510 Series User Manual

UTM router with dual-WAN interface

Summary of Contents for Draytek VigorPro 5510 Series

  • Page 2 Version: 2.1 Firmware: V3.3.4 Date: 08/06/2010 Copyright 2010 All rights reserved. This publication contains information that is protected by copyright. No part may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders.
  • Page 3 VigorPro5510 Series User’s Guide...
  • Page 4 Owner http://www.draytek.com. Firmware & Tools Updates Please consult the DrayTek web site for more information on newest firmware, tools and documents. For more detailed information, please refer to http://www.draytek.com Parts of the anti-virus features are powered by Kaspersky Lab ZAO. For more detailed information, please refer to http://www.kaspersky.com.
  • Page 5: Regulatory Information

    No. 26, Fu Shing Road, HuKou Township, HsinChu Industrial Park, Hsin-Chu, Taiwan 303 Product: VigorPro 5510 DrayTek Corp. declares that VigorPro 5510 Series is in compliance with the following essential requirements and other relevant provisions of R&TTE Directive 1999/5/EEC. The product conforms to the requirements of Electro-Magnetic Compatibility (EMC) Directive 2004/108/EC by complying with the requirements set forth in EN55022/Class A and EN55024/Class A.
  • Page 6: Table Of Contents

    Preface, p. 1; 1.1 Web Configuration Buttons Explanation, p. 1; 1.2 LED Indicators and Connectors, p. 2; 1.2.1 For VigorPro 5510, p. 2; 1.2.2 For VigorPro 5510Gi, p. 4; 1.3 Hardware Installation, p. 6; 1.4 Printer Installation, p. 7; Configuring Basic Settings, p. 13; 2.1 Changing Password ...
  • Page 7 3.4.1 Basics for Firewall, p. 64; 3.4.2 General Setup, p. 66; 3.4.3 Filter Setup, p. 71; 3.4.4 DoS Defense, p. 78; 3.5 Objects Settings, p. 81; 3.5.1 IP Object, p. 82; 3.5.2 IP Group, p. 84; 3.5.3 Service Type Object, p. 85; 3.5.4 Service Type Group ...
  • Page 8 3.12.1 Basic Concept, p. 185; 3.12.2 General Setup, p. 185; 3.12.3 Dial to a Single ISP/Dial to Dual ISPs, p. 185; 3.12.4 Virtual TA, p. 189; 3.12.5 Call Control, p. 192; 3.13 Wireless LAN, p. 194; 3.13.1 Basic Concepts, p. 194; 3.13.2 General Setup, p. 197; 3.13.3 Security ...
  • Page 9 4.2 Creating and Activating an Account from Router Web Configurator, p. 249; 4.3 Registering Your Vigor Router, p. 254; 4.4 Activating Anti-Virus/Anti-Intrusion/Anti-Spam/WCF Service, p. 257; 4.4.1 For Anti-Virus and Anti-Intrusion Service, p. 257; 4.4.2 For Anti-Spam Service, p. 262; 4.4.3 For WCF (Web Content Filter) Service, p. 266; 4.5 Backup and Upgrade Signature for Anti-Intrusion/Anti-Virus ...
  • Page 11: Preface

    VigorPro 5510 is a UTM router with a dual-WAN interface. It provides policy-based load balancing, fail-over and BoD (Bandwidth on Demand), and it integrates IP-layer QoS and NAT session/bandwidth management to help users keep control when working with large bandwidth. By adopting a hardware-based VPN platform, with hardware encryption (AES/DES/3DES) and hardware key hashing (SHA-1/MD5), the router greatly increases VPN performance and offers several protocols (such as IPSec/PPTP/L2TP) with up to 200 VPN tunnels.
  • Page 12: LED Indicators And Connectors

    Before you use the Vigor router, please get acquainted with the LED indicators and connectors first. Status Explanation ACT (Activity) Blinking The router is powered on and running normally. The router is powered off. IDP (Intrusion Detection and The anti-intrusion function is enabled. Prevention) (Yellow) Virus...
  • Page 13 WAN(1/2) Connector for remote networked devices. LAN/Monitor Connector for local networked devices. LAN (1-4) Connector for local networked devices. Connector for a USB device. Connector for a power cord with 100-240VAC (inlet). Power Switch. “1” is ON; “0” is OFF.
  • Page 14: For VigorPro 5510Gi

    Status Explanation ACT (Activity) Blinking The router is powered on and running normally. The router is powered off. IDP (Intrusion Detection and The anti-intrusion function is enabled. Prevention) (Yellow) Virus The anti-virus function is enabled. (Yellow) DMZ Host is specified in certain site. A USB device is connected and active.
  • Page 15 configuration. ISDN Connector for ISDN line. WAN(1/2) Connector for remote networked devices. LAN/Monitor Connector for local networked devices. LAN (1-4) Connector for local networked devices. Connector for a USB device. Connector for a power cord with 100-240VAC (inlet). Power Switch. “1” is ON; “0” is OFF.
  • Page 16: Hardware Installation

    Before starting to configure the router, you have to connect your devices correctly. Connect a cable modem/DSL modem/media converter (depending on your requirement) to any WAN port of the router with an Ethernet cable (RJ-45). The WAN1/WAN2 LED (Left or Right) will light up according to the speed (100 or 10) of the device connected to it.
  • Page 17: Printer Installation

    You can install a printer on the router for shared printing. All the PCs connected to this router can print documents via the router. The example provided here is based on Windows XP/2000. For Windows 98/SE, please visit www.draytek.com. Before using it, please follow the steps below to configure settings for connected computers (or wireless clients).
  • Page 18 Open File->Add a New Computer. A welcome dialog will appear. Please click Next. Click Local printer attached to this computer and click Next. In this dialog, choose Create a new port Type of port and use the drop down list to select Standard TCP/IP Port.
  • Page 19 In the following dialog, type 192.168.1.1 (router’s LAN IP) in the field of Printer Name or IP Address and type IP_192.168.1.1 as the port name. Then, click Next. Click Standard and choose Generic Network Card. Then, in the following dialog, click Finish.
  • Page 20 Now, your system will ask you to choose the right name of the printer that you installed on the router. This step ensures that the correct driver is loaded onto your PC. When you finish the selection, click Next. 10. For the final stage, you need to go back to Control Panel-> Printers and edit the property of the new printer you have added.
  • Page 21 Note 1: Some printers with the fax/scanning or other additional functions are not supported. If you do not know whether your printer is supported or not, please visit www.draytek.com to find out the printer list. Open Support >FAQ; find out the link of Printer Server and click it; then click the What types of printers are compatible with Vigor router? link.
  • Page 23: Configuring Basic Settings

    To use the router properly, you need to change the web configuration password for security and adjust the primary basic settings. This chapter explains how to set up an administrator password and how to adjust basic settings for accessing the Internet successfully.
  • Page 24 Now, the Main Screen will pop up. Note: The home page will change slightly in accordance with the router you have. Go to System Maintenance page and choose Administrator Password. Enter the login password (the default is blank) in the Old Password field. Type a new one in the New Password field and retype it in the Confirm New Password field.
  • Page 25: Quick Start Wizard

    If your router will be used in an environment with high-speed NAT, the configuration provided here can help you deploy and use the router quickly. The first screen of Quick Start Wizard asks for the login password. After typing the password, please click Next. On the next page as shown below, please select the WAN interface that you use.
  • Page 26: PPPoE

    In the Quick Start Wizard, you can configure the router to access the Internet with different protocol/modes such as PPPoE, PPTP, Static IP or DHCP. The router supports the DSL WAN interface for Internet access. PPPoE stands for Point-to-Point Protocol over Ethernet. It relies on two widely accepted standards: PPP and Ethernet.
  • Page 27 Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
  • Page 28: PPTP

    Click PPTP as the protocol. Type in all the information that your ISP provides for this protocol. Click Next for viewing summary of such connection. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
  • Page 29: Static IP

    Click Static IP as the protocol. Type in all the information that your ISP provides for this protocol. After finishing the settings in this page, click Next to see the following page. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
  • Page 30: DHCP

    Click DHCP as the protocol. Type in all the information that your ISP provides for this protocol. After finishing the settings in this page, click Next to see the following page. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
  • Page 31: Service Activation Wizard

    1. Open Service Activation Wizard. The screen of Service Activation Wizard will be shown as follows. Choose the one you need and click Next. In this case, we choose to activate the free trial edition. Free trial edition: if it is the first time that you register the service, please use this option.
  • Page 32 In the following page, you can activate the AV/AI, AS and/or Web content filter service at the same time or individually. When you finish the selection, please click Next. Setting confirmation page will be displayed as follows, please click Next. Wait for a moment till the following page appears.
  • Page 33 Now, the web page will display the service(s) with valid time that you have activated according to your selection(s). Open Defense configuration >>Activation to check the services status.
  • Page 34 If you need to extend the license valid time, you can also use the Service Activation Wizard again to reach your goal by clicking the radio button of Formal edition with license key and clicking Next.
  • Page 35: Online Status

    The online status shows the system status, WAN status, ADSL Information and other status related to this router within one page. If you select PPPoE/PPTP as the protocol, you will find out a link of Dial PPPoE/PPPoA or Drop PPPoE/PPPoA in the Online Status web page.
  • Page 36 Online status for DHCP Detailed explanation is shown below: Primary DNS Displays the IP address of the primary DNS. Secondary DNS Displays the IP address of the secondary DNS. LAN Status IP Address Displays the IP address of the LAN interface. TX Packets Displays the total transmitted packets at the LAN interface.
  • Page 37: Saving Configuration

    Each time you click OK on the web page for saving the configuration, you can find messages showing the system interaction with you. Ready indicates the system is ready for you to input settings. Settings Saved means your settings are saved once you click Finish or OK button.
  • Page 39: Advanced Web Configuration

    After finishing the basic configuration of the router, you can access the Internet with ease. If you want to adjust more settings to suit your needs, please refer to this chapter for detailed information about the advanced configuration of this router. As for other examples of application, please refer to chapter 4.
  • Page 40: Network Connection By 3G USB Modem

    Besides, a 3G USB Modem in WAN2 can also be used as a backup device. Therefore, when WAN1 is not available, the router will automatically use 3.5G as backup. The supported 3G USB Modems are listed on the DrayTek web site. Please visit www.draytek.com for more detailed information.
  • Page 41 Enable Choose Yes to invoke the settings for this WAN interface. Choose No to disable the settings for this WAN interface. Display Name Type the description for the WAN1/WAN2 interface. Physical Mode For WAN1, the physical connection is done and fixed through Ethernet port;...
  • Page 42 Load Balance Mode If you know the practical bandwidth for your WAN interface, please choose the setting of According to Line Speed. Otherwise, please choose Auto Weigh to let the router reach the best load balance. Line Speed If you choose According to Line Speed as the Load Balance Mode, please type the line speed for downloading and uploading through WAN1/WAN2.
  • Page 43: Internet Access

    Because the router supports the dual-WAN function, users can set different WAN settings (for WAN1/WAN2) for Internet Access. Due to the different physical modes of WAN1 and WAN2, the Access Mode for these two connections also varies slightly. Index It shows the WAN modes that this router supports. WAN1 is the default WAN interface for accessing the Internet.
  • Page 44 accessing the page to configure the settings. There are three access modes provided for PPPoE, Static or Dynamic IP and PPTP. Details Page This button will open different web page according to the access mode that you choose in WAN1 or WAN2. To use PPPoE as the accessing protocol of the internet, please choose Internet Access from WAN menu.
  • Page 45 in Application >> Schedule web page and you can use the number that you have set in that web page. ISDN Dial Backup Setup This setting is available for the routers supporting ISDN function only. Before utilizing the ISDN dial backup feature, you must create a dial backup profile first.
  • Page 46 Fixed IP – Click Yes to use this function and type in a fixed IP address in the box of Fixed IP Address. Default MAC Address – You can use Default MAC Address or specify another MAC address by typing on the boxes of MAC Address for the router.
  • Page 47 Static or Dynamic IP (DHCP Client) Click Enable to activate this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid. ISDN Dial Backup Setup This setting is available for the routers supporting ISDN function only.
  • Page 48 Connection because some ISPs will drop connections if there is no traffic within certain periods of time. Check Enable PING to keep alive box to activate this function. PING to the IP - If you enable the PING function, please specify the IP address for the system to PING it for keeping alive.
  • Page 49 Specify an IP address – Click this radio button to specify some data if you want to use Static IP mode. IP Address: Type the IP address. Subnet Mask: Type the subnet mask. Gateway IP Address: Type the gateway IP address. Default MAC Address: Click this radio button to use default MAC address for the router.
  • Page 50 This setting is available for i model only. Due to the absence of the ISDN interface in some models, the ISDN dial backup feature and its associated setup options are not available to them. Please refer to the previous part for further information.
  • Page 51 Default MAC Address – Click this radio button to use default MAC address for the router. Specify a MAC Address - Some Cable service providers specify a specific MAC address for access authentication. In such cases you need to click the Specify a MAC Address and enter the MAC address in the MAC Address field.
  • Page 52: Load-Balance Policy

    Index (1-15) Set the PCs on LAN to work at certain time interval only. You may choose up to 4 schedules out of the 15 schedules pre-defined in Applications >> Schedule setup. The default setting of this field is blank and the function will always work. This router supports the function of load balancing.
  • Page 53 Use the drop-down menu to change the WAN interface for such index. Src IP Start Displays the IP address for the start of the source IP. Src IP End Displays the IP address for the end of the source IP. Dest IP Start Displays the IP address for the start of the destination IP.
  • Page 54 You can check the box of Auto failover to other WAN to make a backup WAN connection if the selected WAN interface fails to connect to Internet. Src IP Start Type the source IP start for the specified WAN interface. Src IP End Type the source IP end for the specified WAN interface.
  • Page 55: LAN

    A Local Area Network (LAN) is a group of subnets regulated and ruled by the router. The design of the network structure depends on the type of public IP addresses provided by your ISP. Note: VLAN menu item is only available for VigorPro 5510. The most generic function of Vigor router is NAT.
  • Page 56 Vigor router will exchange routing information with neighboring routers using the RIP to accomplish IP routing. This allows users to change the information of the router such as IP address, and the routers will automatically inform each other. When you have several subnets in your LAN, sometimes a more effective and quicker way for connection is the Static routes function rather than other methods.
  • Page 57: General Setup

    This page provides you the general settings for LAN. Click LAN to open the LAN settings page and choose General Setup. 1st IP Address Type in private IP address for connecting to a local private network (Default: 192.168.1.1). 1st Subnet Mask Type in an address code that determines the size of the network.
  • Page 58 Start IP Address: Enter a value of the IP address pool for the DHCP server to start with when issuing IP addresses. If the 2nd IP address of your router is 220.135.240.1, the starting IP address must be 220.135.240.2 or greater, but smaller than 220.135.240.254.
  • Page 59 DHCP Server IP Address for Relay Agent - Set the IP address of the DHCP server you are going to use so the Relay Agent can help to forward the DHCP request to the DHCP server. DNS Server Configuration DNS stands for Domain Name System. Every Internet host must have a unique IP address; it may also have a human-friendly, easy to remember name such as www.yahoo.com.
  • Page 60: Static Route

    Go to LAN to open setting page and choose Static Route. Index The number (1 to 32) under Index allows you to open next page to set up static route. Destination Address Displays the destination address of the static route. Status Displays the status of the static route.
  • Page 61 Before setting Static Route, user A cannot talk to user B because Router A can only forward recognized packets to its default gateway Main Router. Go to LAN page and click General Setup, select 1st Subnet as the RIP Protocol Control. Then click the OK button.
  • Page 62: VLAN

    Return to Static Route Setup page. Click on another Index Number to add another static route as shown below, which specifies that all packets destined to 211.100.88.0 will be forwarded to 192.168.1.3. Go to Diagnostics and choose Routing Table to verify the current routing table. The Virtual LAN function provides you a very convenient way to manage hosts by grouping them based on the physical port.
  • Page 63: Bind IP To MAC

    After checking the box to enable the VLAN function, check the boxes in the table according to your needs as shown below. To remove VLAN, uncheck the needed box and click OK to save the results. This function is used to bind the IP and MAC address in LAN to strengthen control of the network.
  • Page 64 Enable Click this radio button to invoke this function. However, IP/MAC which is not listed in IP Bind List also can connect to Internet. Disable Click this radio button to disable this function. All the settings on this page will be invalid. Strict Bind Click this radio button to block the connection of the IP/MAC which is not listed in IP Bind List.
  • Page 65: NAT

    Note: Before you select Strict Bind, you have to bind one set of IP/MAC address for one PC. If not, none of the PCs can access the Internet, and the web configurator of the router might not be accessible. Usually, the router serves as a NAT (Network Address Translation) router.
  • Page 66 The port redirection can only apply to incoming traffic. To use this function, please go to NAT page and choose Port Redirection web page. The Port Redirection Table provides 20 port-mapping entries for the internal hosts. Press any number under Index to open the next page for configuring port redirection.
  • Page 67 Enable Check this box to enable such port redirection setting. Mode Two options (Single and Range) are provided here for you to choose. To set a range for the specific service, select Range. In Range mode, if the public port (start port and end port) and the starting IP of private IP had been entered, the system will calculate and display the ending IP of private IP automatically.
  • Page 68 You will then access the router's admin screen by suffixing the IP address with 8080, e.g., http://192.168.1.1:8080, instead of port 80.
  • Page 69: DMZ Host

    As mentioned above, Port Redirection can redirect incoming TCP/UDP or other traffic on particular ports to the specific private IP address/port of host in the LAN. However, other IP protocols, for example Protocols 50 (ESP) and 51 (AH), do not travel on a fixed port. Vigor router provides a facility DMZ Host that maps ALL unsolicited data on any protocol to a single host in the LAN.
  • Page 70 WAN1 This page allows you to configure Private IP or Active True IP as DMZ host. WAN2 This page allows you to configure Private IP as DMZ host. Private IP If you choose Private IP as DMZ host, you can type a private IP in this box or use Choose PC button to choose the one you want.
  • Page 71: Open Ports

    Open Ports allows you to open a range of ports for the traffic of special applications. Common application of Open Ports includes P2P application (e.g., BT, KaZaA, Gnutella, WinMX, eMule and others), Internet Camera etc. Ensure that you keep the application involved up-to-date to avoid falling victim to any security exploits.
  • Page 72: Address Mapping

    Enable Open Ports Check to enable this entry. Comment Make a name for the defined network application/service. WAN Interface Specify the WAN interface that will be used for this entry. Local Computer Enter the private IP address of the local host or click Choose PC to select one.
  • Page 73 Protocol Display the protocol used for this address mapping. Public IP Display the public IP address selected for this entry, e.g., 172.16.3.102. Private IP Display the private IP set for this address mapping, e.g., 192.168.1.10 Mask Display the subnet mask selected for this address mapping. Status Display the status for the entry, enable or disable.
  • Page 74: Firewall

    the IP Alias List, the Public IP setting will be empty in this field. When you click Apply, a message will appear to inform you. Private IP Assign an IP address (e.g., 192.168.1.10) or a subnet to be compared with the Public IP address for incoming packets. Subnet Mask Select a value of subnet mask for private IP address.
  • Page 75 Stateful inspection is a firewall architecture that works at the network layer. Unlike legacy static packet filtering, which examines a packet based on the information in its header, stateful inspection builds up a state machine to track each connection traversing all interfaces of the firewall and makes sure they are valid.
  • Page 76: General Setup

    1. SYN flood attack 9. Smurf attack 2. UDP flood attack 10. SYN fragment 3. ICMP flood attack 11. ICMP fragment 4. TCP Flag scan 12. Tear drop attack 5. Trace route 13. Fraggle attack 6. IP options 14. Ping of Death attack 7.
  • Page 77 Call Filter Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter. Data Filter Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter. Filter Select Pass or Block for the packets that do not match with the filter rules.
  • Page 78 Filter web page first. For troubleshooting needs, you can specify to record information for Web Content Filter by checking the Log box. It will be sent to Syslog server. Please refer to section 3.13.4 Syslog/Mail Alert for more detailed information. Anti-Virus Select one of the anti-virus profile settings (created in Anti-Virus>>Profile Setting) for applying with this router.
  • Page 79 Advance Setting Click Edit to open the following window. However, it is strongly recommended to use the default settings here. Codepage - This function is used to compare the characters among different languages. Choosing the correct codepage helps the system obtain the correct ASCII after decoding data from the URL and enhances the correctness of URL Content Filter.
  • Page 80 Advertisement Enable – Check this box to display the words – [Powered by Draytek] on the unreachable web page. Strict Security Checking For the sake of security, you might want the router to execute strict security checking for data transmission.
  • Page 81: Filter Setup

    Click Firewall and click Filter Setup to open the setup page. To edit or add a filter, click on the set number to edit the individual set. The following page will be shown. Each filter set contains up to 7 rules. Click on the rule number button to edit each rule.
  • Page 82 Check to enable the Filter Rule Check this box to enable the filter rule. Comments Enter filter set comments/description. Maximum length is 14 characters. Index (1-15) Set PCs on LAN to work at certain time interval only. You may choose up to 4 schedules out of the 15 schedules pre-defined in Applications >>...
  • Page 83 To set the IP address manually, please choose Any Address/Single Address/Range Address/Subnet Address as the Address Type and type them in this dialog. In addition, if you want to use the IP range from defined groups or objects, please choose Group and Objects as the Address Type.
  • Page 84 choose Group and Objects as the Service Type. Protocol - Specify the protocol(s) which this filter rule will apply to. Source/Destination Port - (=) – when the first and last value are the same, it indicates one port; when the first and last values are different, it indicates a range for the port and available for this service type.
  • Page 85 Filter by checking the Log box. It will be sent to Syslog server. Please refer to section Syslog/Mail Alert for more detailed information. Web Content Filter Select one of the Web Content Filter profile settings (created in CSM>> Web Content Filter Profile) for applying with this router.
  • Page 86 DrayTek Banner – Please uncheck this box and the following screen will not be shown for the unreachable web page. The default setting is Enabled.
  • Page 87 As stated before, all the traffic will be separated and arbitrated using one of two IP filters: call filter or data filter. You may preset 12 call filters and data filters in Filter Setup and even link them in a serial manner. Each filter set is composed of 7 filter rules, which can be further defined.
  • Page 88: DoS Defense

    As a sub-functionality of IP Filter/Firewall, there are 15 types of detect/defense function in the DoS Defense setup. The DoS Defense functionality is disabled by default. Click Firewall and click DoS Defense to open the setup page. Enable Dos Defense Check the box to activate the DoS Defense Functionality.
  • Page 89 Enable PortScan detection Port Scan attacks the Vigor router by sending lots of packets to many ports in an attempt to find ignorant services that would respond. Check the box to activate the Port Scan detection. Whenever it detects this malicious exploration behavior by monitoring the port-scanning Threshold rate, the Vigor router will send out a warning.
  • Page 90 Block Unknown Protocol Check the box to activate the Block Unknown Protocol function. An individual IP packet has a protocol field in the datagram header to indicate the protocol type running over the upper layer. However, the protocol types greater than 100 are reserved and undefined at this time.
  • Page 91: Objects Settings

    Because IP ranges, service port ranges and keywords are commonly used when configuring the router’s settings, we can define them as objects and bind them into groups for convenient use. Later, we can select that object/service for applying. For example, all the IPs in the same department can be defined with an IP object (a range of IP address).
  • Page 92: IP Object

    You can set up to 192 sets of IP Objects with different conditions. Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail. Name Type a name for this profile. Maximum 15 characters are allowed.
  • Page 93 Address Type Determine the address type for the IP address. Select Single Address if this object contains one IP address only. Select Range Address if this object contains several IPs within a range. Select Subnet Address if this object contains one subnet for IP address.
  • Page 94: IP Group

    This page allows you to bind several IP objects into one IP group. Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail. Name Type a name for this profile. Maximum 15 characters are allowed.
  • Page 95: Service Type Object

    You can set up to 96 sets of Service Type Objects with different conditions. Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail. Name Type a name for this profile. Protocol Specify the protocol(s) which this profile will apply to. Source/Destination Port Source Port and the Destination Port column are available for TCP/UDP protocol.
  • Page 96: Service Type Group

    all the ports except the port defined here; when the first and last values are different, it indicates that all the ports except the range defined here are available for this service type. (>) – the port number greater than this value is available. (<) –...
  • Page 97: Keyword Object

    Name Type a name for this profile. Available Service Type Objects You can add IP objects from IP Object page. All the available IP objects will be shown in this box. Selected Service Type Objects Click button to add the selected IP objects in this box.
  • Page 98: Keyword Group

    Name Type a name for this profile, e.g., game. Contents Type the content for such profile. For example, type gambling as Contents. When you browse the webpage, the page with gambling information will be detected and passed/blocked based on the configuration on Firewall settings.
  • Page 99: File Extension Object

    Name Type a name for this group. Available Keyword Objects You can gather keyword objects from Keyword Object page within one keyword group. All the available Keyword objects that you have created will be shown in this box. Selected Keyword Objects Click button to add the selected Keyword objects in this box.
  • Page 100 Profile Name Type a name for this profile. Type a name for such profile and check all the items of file extension that will be processed in the router. Finally, click OK to save this profile.
  • Page 101: IM Object

    This page allows you to set 32 profiles for Instant Messenger. These profiles will be applied in Firewall>>IM/P2P Filter Profile for filtering. Set to Factory Default Clear all profiles. Click the number under Profile column for configuration in details. There are several types of Instant Messenger (IM) provided here for you to choose to disallow people using.
  • Page 102 Profile Name Type a name for this profile. Type a name for such profile and check all the items that are not allowed to be used in the host. Finally, click OK to save this profile.
  • Page 103: P2P Object

    This page allows you to set 32 profiles for peer-to-peer application. These profiles will be applied in Firewall>>IM/P2P Filter Profile for filtering. Set to Factory Default Clear all profiles. Click the number under Profile column for configuration in details. There are several items for P2P protocols provided here for you to choose to disallow people using.
  • Page 104: Misc Object

    Type a name for such profile and check all the protocols that are not allowed to be used in the host. Finally, click OK to save this profile. This page allows you to set 32 profiles for miscellaneous applications. These profiles will be applied in Firewall>>IM/P2P Filter Profile for filtering.
  • Page 105: Csm

    Profile Name Type a name for this profile. Type a name for such profile and check all the protocols that are not allowed to be used in the host. Finally, click OK to save this profile. CSM is an abbreviation of Content Security Management which is used to control IM/P2P usage, filter the web content and URL content to reach a goal of security management.
  • Page 106 On the other hand, the Vigor router can prevent users from accidentally downloading malicious code from web pages. Malicious code is very commonly concealed in executable objects, such as ActiveX, Java Applet, compressed files, and other executable files. Once you download these types of files from websites, you risk bringing a threat to your system.
  • Page 107: App Enforcement Profile

    You can define policy profiles for IM (Instant Messenger)/P2P (Peer to Peer)/Protocol application. This page allows you to set 32 profiles for different requirements. The APP Enforcement Profile will be applied in Default Rule of Firewall>>General Setup for filtering. Set to Factory Default Clear all profiles.
  • Page 108 full or partial matched with a keyword, the Vigor router will block the associated HTTP connection. For example, if you add key words such as “sex”, Vigor router will limit web access to web sites or web pages such as “www.sex.com”, ”www.backdoor.net/images/sex/p_386.html”. Or you may simply specify the full or partial URL such as “www.sex.com”...
  • Page 109 configuration set in this page for URL Access Control and Web Feature will be inactive. Both: Block – The router will block all the packets that match with the conditions specified in URL Access Control and Web Feature below. When you choose this setting, both configurations set in this page for URL Access Control and Web Feature will be inactive.
  • Page 110 Group/Object Selections – The Vigor router provides several frames for users to define keywords and each frame supports multiple keywords. The keyword could be a noun, a partial noun, or a complete URL string. Multiple keywords within a frame are separated by space, comma, or semicolon.
  • Page 111: Web Content Filter Profile

    WCF adopts the mechanism developed and offered by a certain service provider (e.g., DrayTek). Whether you are activating the WCF feature or getting a new license for web content filter, you have to click Activate to satisfy your request. Be aware that the service provider matching with VigorPro5510 currently offers a period of time for trial version for users to experiment.
  • Page 112 By the way, you can click the link of Test a site to verify whether it is categorized to access into the test server selected. Find more Click it to open http://myvigor.draytek.com for searching another qualified and suitable server. Set to Factory Default Click this link to retrieve the factory settings.
  • Page 113 processing rate combining the feature of L1 and L2. Eight profiles are provided here as Web content filters. Simply click the index number under Profile to open the following web page. The items listed in Categories will be changed according to the different service providers. If you have and activate another web content filter license, the items will be changed simultaneously.
  • Page 114 None – No log will be recorded for this profile. Pass – Only the log about Pass will be recorded in Syslog. Block – Only the log about Block will be recorded in Syslog. All – All the actions (Pass and Block) will be recorded in Syslog. White/Black List Enable –...
  • Page 115: Defense Configuration

    This menu allows you to set profiles for, activate and upgrade the service of Anti-Intrusion/Anti-Virus in your system. Anti-Intrusion allows you to prevent the intrusion from hackers while accessing into Internet. It can detect the intrusion and execute basic defense. There are more than 200 basic rules for anti-intrusion and anti-virus for this router.
  • Page 116 Anti-Intrusion Control Setup This field will display the signature version of this router. The default signature version is “basic”. In this version, you can modify the settings for Anti-Intrusion rules in Defense Configuration>>Anti-Intrusion >>Advanced Setup page. However, if you restart/reset the router, all the modified configurations for the rules will not be available and return to the default settings.
  • Page 117 Enable Reset procession Click this radio button to break down the communication between your computer and specific link which might have intrusion actions. This page lists all the available types and allows you to adjust the rule setting for each type. The rules will be applied by the options chosen in the page of Defense Configuration>>Anti-Intrusion>>Basic Setup for Anti-Intrusion.
  • Page 118 In order to show the detection log with such rule on the window of Draytek Syslog, you have to check the log box here and enable the SysLog Access Setup from System Maintenance >> Syslog/Mail Alert.
  • Page 119: Anti-Virus

    Page Type the page number in this field (if there is more than one page of anti-virus detail view displayed on this page). Then click Go to the specified page. Or you can click >, >>, << or ⏐ >...
  • Page 120 Enable Log In order to show the virus detection log on the window of Draytek Syslog, you have to check the log box here and enable the SysLog Access Setup from System Maintenance >> Syslog/Mail Alert.
  • Page 121 Detect Macro Attachment The file with macro attachment will be passed/destroyed/reset under different protocols. The system will detect it automatically if you set corresponding configuration here. Detect Encrypted Zipped Files The file zipped with encryption will be detected and then be passed/destroyed/reset according to the configuration set here.
  • Page 122 SID/NAME To find the specific type of anti-virus, you can type its SID number or name in this field if you know, and then click Search. The system will locate that rule for you. Search Click this button to find out all the virus rules related to the SID/NAME that you entered.
  • Page 123 NAME A brief description name for the anti-virus rule is shown in this field. Click the name link to access into VigorPro website for checking the detailed information for the specified anti-virus. The number for each anti-virus rule is displayed in this field. Page Type the page number in this field (if there is more than one page of anti-virus detail view displayed on this page).
  • Page 124 Click any number link to open the configuration page. Below is the page of File Filter Profile. The priority of each entry is determined by the index number. That is, the entry of Index 1 has the highest priority in file name filtering; the entry of Index 32 has the lowest priority in filtering.
  • Page 125 found by the router system. Non-Scan –The file will not be scanned and will not be processed by using general rules set in Anti-Virus profile. Scan – Just scan the file with name specified here which is found by the router system, and be processed by using general rules set in Anti-Virus profile.
  • Page 126: Anti-Spam

    Many people suffer from unwanted mails coming from everywhere. This device offers a mechanism, named Anti-Spam, to do basic scanning for filtering unnecessary mails and sorting the mails. To activate the function of Anti-Spam, you have to configure profile(s) for your computer first.
  • Page 127 Profile Name Type a name for such profile setting. Choose Protocol to Scan Spam Spam files usually come with protocol of SMTP or POP3. Please check the box that you want to avoid. It would be better to check both protocols. In addition, you can check Log All Mail Events to send record of all mail events to syslog.
  • Page 128 emails coming from the sender, or for the emails sending out from the receiver, or for the subject with the keyword selected here. Group/Object Selections – Choose a suitable group or object for passing or blocking. Click Edit to open the following dialog.
  • Page 129 shown as “***SPAM*** license page” in your mail box. Such tag can help users to identify which mail is useful or useless quickly. Reset – Choose this action to disconnect the network. It is mainly applied on SMTP server. Log - Check the box to have the process record stated on Syslog.
  • Page 130: Activation For Anti-Intrusion/Anti-Virus/Anti-Spam/Web-Filter Service

    After you have finished the profile settings, it is the time to activate the mechanism for your computer. Click Defense Configuration>>Activation to open the following page for accessing http://myvigor.draytek.com. Activate via interface Choose WAN interface used by such device for activating Web Content Filter.
  • Page 132: Ai/Av Auto Block

    This page can determine the block standard for data transmission based on the AI/AV auto block setting. In other words, when the host is attacked over the count number set here, the system will block the data transmission from the source IP automatically for security. Limitation List displays the specific limitations that you set in this web page.
  • Page 133 Time Interval – type the time for the system to wait and execute the action of blocking, Limitation List This field displays the information for specific limitation. Specific Limitation Users can specify clients on LAN and let the router count AI/AV event in certain range by specifying start IP, end IP, AI count, AV count, time interval, etc.
  • Page 134: Signature Upgrade

    You can get the most updated signature from DrayTek’s server if the license key of anti-virus/anti-intrusion for the VigorPro 5510 is not expired. Before you upgrade the signature, please check the validation information either from WEB user interface of VigorPro 5510 or account information from www.vigorpro.com.
  • Page 135 Signature authentication/download message It displays the message of signature authentication or download procedure. Upgrade Manually The buttons in this field are only available when you finished the registration and activation for new account and your router. If not, these buttons do not have any effect even if you click them. Import –...
  • Page 136 Upgrade Automatically Specify certain time for executing the upgrade automatically. Remember to check the Scheduled Update box to activate the time settings. Every – It means the downloading procedure will be executed automatically whenever passing through the time (hours and minutes) that you set here.
  • Page 137: Status

    Below shows an example with DT-KL signature used. This field will show the status for the license, start date and expire date for Anti-Intrusion/Anti-Virus service. If your account or router is still not activated, the word Not Activated will be displayed here to inform you.
  • Page 138: Bandwidth Management

    Below is a sample page with valid license. Below shows the menu items for Bandwidth Management. A PC with a private IP address can access the Internet via a NAT router. The router will generate records of NAT sessions for such connections. P2P (Peer to Peer) applications (e.g., BitTorrent) always need many sessions for processing and occupy excessive resources, which might impact important accesses.
  • Page 139: Bandwidth Limit

    To activate the function of limit session, simply click Enable and set the default session limit. Enable Click this button to activate the function of limit session. Disable Click this button to close the function of limit session. Default session limit Defines the default session number used for each computer in LAN.
  • Page 140 In the Bandwidth Management menu, click Bandwidth Limit to open the web page. To activate the function of limit bandwidth, simply click Enable and set the default upstream and downstream limit. Enable Click this button to activate the function of limit bandwidth. Subnet –...
  • Page 141: Quality Of Service

    limit and RX limit. TX limit Define the limitation for the speed of the upstream. If you do not set the limit in this field, the system will use the default speed for the specific limitation you set for each index. Define the limitation for the speed of the downstream.
  • Page 142 DS node in these domains will perform the priority treatment. This is called per-hop-behavior (PHB). The definition of PHB includes Expedited Forwarding (EF), Assured Forwarding (AF), and Best Effort (BE). AF defines the four classes of delivery (or forwarding) classes and three levels of drop precedence in each class. Vigor routers as edge routers of DS domain shall check the marked DSCP value in the IP header of bypassing traffic, thus to allocate certain amount of resource execute appropriate policing, classification or scheduling.
  • Page 143 Enable the QoS Control The factory default for this setting is checked. Please also define which traffic the QoS Control settings will apply to. IN- apply to incoming traffic only. OUT-apply to outgoing traffic only. BOTH- apply to both incoming and outgoing traffic. Check this box and click OK, then click Setup link again.
  • Page 144 Limited_bandwidth Ratio The ratio typed here is reserved for limited bandwidth of UDP application. Online Statistics Display an online statistics for quality of service for your reference. This link will be seen only if you click OK in WAN1/WAN2 General Setup web page and click Setup again (for WAN1/WAN2) on the Bandwidth Management>>Quality of Service.
  • Page 145 For adding a new rule, click Add to open the following page. Check this box to invoke these settings. Local Address Click the Edit button to set the local IP address (on LAN) for the rule. Remote Address Click the Edit button to set the remote IP address (on LAN/WAN) for the rule.
  • Page 146 To add a new service type, edit or delete an existing service type, please click the Edit link under Service Type field. After you click the Edit link, you will see the following page.
  • Page 147 For adding a new service type, click Add to open the following page. Service Name Type in a new service for your request. Service Type Choose the type (TCP, UDP or TCP/UDP) for the new service. Port Configuration Click Single or Range. If you select Range, you have to type in the starting port number and the end port number on the boxes below.
  • Page 148: Applications

    Below shows the menu items for Applications. The ISP often provides you with a dynamic IP address when you connect to the Internet via your ISP. It means that the public IP address assigned to your router changes each time you access the Internet.
  • Page 149 Domain Name Display the domain name that you set on the setting page of DDNS setup. Active Display if this account is active or inactive. View Log Display DDNS log status. Force Update Force the router to update its information to DDNS server. Select Index number 1 to add an account for the router.
  • Page 150: Schedule

    Click OK button to activate the settings. You will see your setting has been saved. The Wildcard and Backup MX features are not supported for all Dynamic DNS providers. You could get more detailed information from their websites. Disable the Function and Clear all Dynamic DNS Accounts In the DDNS setup menu, uncheck Enable Dynamic DNS Setup, and push Clear All button to disable the function and clear all accounts from the router.
  • Page 151 Enable Schedule Setup Check to enable the schedule. Start Date (yyyy-mm-dd) Specify the starting date of the schedule. Start Time (hh:mm) Specify the starting time of the schedule. Duration Time (hh:mm) Specify the duration (or period) for the schedule. Action Specify which action Call Schedule should apply during the period of the schedule.
  • Page 152: Radius/Ldap

    Configure the Force Down from 18:00 to next day 9:00 for whole week. Assign these two profiles to the PPPoE Internet access profile. Now, the PPPoE Internet connection will follow the schedule order to perform Force On or Force Down action according to the time plan that has been pre-defined in the schedule profiles.
  • Page 153 Shared Secret The RADIUS server and client share a secret that is used to authenticate the messages sent between them. Both sides must be configured to use the same shared secret. Confirm Shared Secret Re-type the Shared Secret for confirmation. Common Name Identifier Type or edit the common name identifier for the LDAP server.
  • Page 154: Upnp

    The UPnP (Universal Plug and Play) protocol is supported to bring to network connected devices the ease of installation and configuration which is already available for directly connected PC peripherals with the existing Windows 'Plug and Play' system. For NAT routers, the major feature of UPnP on the router is “NAT Traversal”.
  • Page 155 Reminders concerning Firewall and UPnP: Can't work with Firewall Software Enabling firewall applications on your PC may cause the UPnP function to not work properly. This is because these applications will block access to some network ports.
  • Page 156: Igmp

    IGMP is the abbreviation of Internet Group Management Protocol. It is a communication protocol which is mainly used for managing the membership of Internet Protocol multicast groups. For invoking IGMP Snooping function, you have to check the Enable IGMP Proxy box first for activating the IGMP proxy function.
  • Page 157 Wake by Two types are provided for you to wake up the bound IP. If you choose Wake by MAC Address, you have to type the correct MAC address of the host in MAC Address boxes. If you choose Wake by IP Address, you have to choose the correct IP address.
  • Page 158: Vpn And Remote Access

    A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. In short, by VPN technology, you can send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link.
  • Page 159: Ppp General Setup

    This submenu only applies to PPP-related VPN connections, such as PPTP, L2TP, L2TP over IPSec. Dial-In PPP Authentication PAP Only Select this option to force the router to authenticate dial-in users with the PAP protocol. PAP or CHAP Selecting this option means the router will attempt to authenticate dial-in users with the CHAP protocol first.
  • Page 160: Ipsec General Setup

    should choose an IP address from the local private network. For example, if the local private network is 192.168.1.0/255.255.255.0, you could choose 192.168.1.200 as the Start IP Address. But, you have to notice that the first two IP addresses of 192.168.1.200 and 192.168.1.201 are reserved for ISDN remote dial-in user.
  • Page 161: Ipsec Peer Identity

    IKE Authentication Method This usually applies to remote dial-in users or nodes (LAN-to-LAN) which use dynamic IP addresses and IPSec-related VPN connections such as L2TP over IPSec and IPSec tunnel. Certificate for Dial-in – Choose the local certificate that was generated or imported on Certificate Management>>Local Certificate.
  • Page 162 Click each index to edit one peer digital certificate. There are three security levels of digital signature authentication: Fill each necessary field to authenticate the remote peer. The following explanation will guide you to fill all the necessary fields. Profile Name Type in a name in this file.
  • Page 163: Remote Dial-In User

    You can manage remote access by maintaining a table of remote user profile, so that users can be authenticated to dial-in via ISDN or build the VPN connection. You may set parameters including specified connection peer ID, connection type (VPN connection - including PPTP, IPSec Tunnel, and L2TP by itself or over IPSec) and corresponding security methods, etc.
  • Page 164 Enable this account Check the box to enable this function. Idle Timeout- If the dial-in user is idle over the limitation of the timer, the router will drop this connection. By default, the Idle Timeout is set to 300 seconds. ISDN Allow the remote ISDN dial-in connection.
  • Page 165 To check if SSL Tunnel is activated or not, please open Draytek SSL VPN portal interface. From the web page, you will see the message to indicate the SSL Tunnel is activated. Specify Remote Node...
  • Page 166 SSL Web Proxy and choose the one(s) you need as SSL VPN. To check if SSL Web Proxy is activated or not, please open Draytek SSL VPN portal interface. From the web page, you will see the message to indicate that you have the privilege for the SSL Web Proxy.
  • Page 167 with or without IPSec policy above. IKE Authentication Method This group of fields is applicable for IPSec Tunnels and L2TP with IPSec Policy when you specify the IP address of the remote node. The only exception is that Digital Signature (X.509) can be set when you select IPSec tunnel either with or without specifying the IP address of the remote node.
  • Page 168: Lan To Lan

    Here you can manage LAN-to-LAN connections by maintaining a table of connection profiles. You may set parameters including specified connection direction (dial-in or dial-out), connection peer ID, connection type (VPN connection - including PPTP, IPSec Tunnel, and L2TP by itself or over IPSec) and corresponding security methods, etc. The router provides up to 200 profiles, which also means supporting 200 VPN tunnels simultaneously.
  • Page 169 Profile Name Specify a name for the profile of the LAN-to-LAN connection. Enable this profile Check here to activate this profile. VPN Connection Through Use the drop down menu to choose a proper WAN interface for this profile. This setting is useful for dial-out only. WAN1 First - While connecting, the router will use WAN1
  • Page 170 as the first channel for VPN connection. If WAN1 fails, the router will use another WAN interface instead. WAN1 Only - While connecting, the router will use WAN1 as the only channel for VPN connection. WAN2 First - While connecting, the router will use WAN2 as the first channel for VPN connection.
  • Page 171 You should set up Link Type and identity like User Name and Password for the authentication of remote server. You can further set up Callback (CBCP) function below. This feature is useful for i model only. PPTP Build a PPTP VPN connection to the server through the Internet.
  • Page 172 set to Yes to improve bandwidth utilization. IKE Authentication Method This group of fields is applicable for IPSec Tunnels and L2TP with IPSec Policy. Pre-Shared Key-Input 1-63 characters as pre-shared key. Digital Signature (X.509) – This setting will be available when IPSec Tunnel is selected.
  • Page 173 IKE phase 1 mode -Select from Main mode and Aggressive mode. The ultimate outcome is to exchange security proposals to create a protected secure channel. Main mode is more secure than Aggressive mode since more exchanges are done in a secure channel to set up the IPSec session.
  • Page 174 remote peer requires the Vigor router to callback, the local ISDN number will be provided to the remote peer. Check here to allow the Vigor router to send the ISDN number to the remote router. This feature is useful for i model only. Allowed Dial-In Type Determine the dial-in connection with different types.
  • Page 175 IPSec Tunnel Allow the remote dial-in user to trigger an IPSec VPN connection through Internet. L2TP Allow the remote dial-in user to make a L2TP VPN connection through the Internet. You can select to use L2TP alone or with IPSec. Select from below: None- Do not apply the IPSec policy.
  • Page 176 High- Encapsulating Security Payload (ESP) means payload (data) will be encrypted and authenticated. You may select encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES. Callback Function The callback function provides a callback service only for the ISDN LAN-to-LAN connection (this feature is useful for i model only).
  • Page 177: Vpn Trunk Management

    Gateway PPP IP address from the remote router during the IPCP negotiation phase. If the PPP IP address is fixed by remote side, specify the fixed IP address here. Do not change the default value if you do not select ISDN, PPTP or L2TP. Remote Network IP/ Remote Network Mask Add a static route to direct all traffic destined to this Remote...
  • Page 178 VPN TRUNK-VPN Backup mechanism is compliant with all WAN modes (single/multi) Dial-out connection types contain IPSec, PPTP, L2TP, L2TP over IPSec and ISDN (depends on hardware specification) The web page is simple to understand and easy to configure Fully compliant with VPN Server LAN Side Single/Multi Network Mail Alert support, please refer to System Maintenance >>...
  • Page 179 Backup Profile List Set to Factory Default - Click to clear all VPN TRUNK-VPN Backup mechanism profile. No-The order of VPN TRUNK-VPN Backup mechanism profile. Status (on Backup Profile field) - “v” means such profile is enabled; ”x” means such profile is disabled. Name (on Backup Profile field) - Display the name of VPN TRUNK-VPN Backup mechanism profile.
  • Page 180 profile (or more) created in this page Detailed information for this dialog, see later section - Advanced Load Balance and Backup. Load Balance Profile List Set to Factory Default - Click to clear all VPN TRUNK-VPN Load Balance mechanism profile. No - The order of VPN TRUNK-VPN Load Balance mechanism profile.
  • Page 181 Detailed information for this dialog, see later section - Advanced Load Balance and Backup. General Setup Status- After choosing one of the profile listed above, please click Enable to activate this profile. If you click Disable, the selected or current used VPN TRUNK-Backup/Load Balance mechanism profile will not have any effect for VPN tunnel.
  • Page 182 in red. VPN TRUNK – VPN Load Balance mechanism profile will be locked. The profiles in LAN-to-LAN will be displayed in blue. Edit Click this button to save the changes to the Status (Enable or Disable), profile name, member1 or member2. Click this button to delete the selected VPN TRUNK profile.
  • Page 183 Take a look for LAN-to-LAN profiles. Index 1 is chosen as Member1; index 2 is chosen as Member2. For such reason, LAN-to-LAN profiles of 1 and 2 will be expressed in red to indicate that they are fixed. If you delete the VPN TRUNK – VPN Backup/Load Balance mechanism profile, the selected LAN-to-LAN profiles will be released and expressed in black.
  • Page 184 Later, on peer side (as VPN Client): please type 192.168.50.100 in the field of My GRE IP and type IP address of the server (192.168.50.200) in the field of Peer GRE After setting profiles for load balance, you can choose any one of them and click Advance for more detailed configuration.
  • Page 185 balance of packet transmission with flexible rate. It can be divided into Auto Weighted and According to Speed Ratio. Auto Weighted can detect the device speed (10Mbps/100Mbps) and switch with fixed value ratio (3:7) for packet transmission. If the transmission rate for packets on both sides of the tunnels is the same, the value of Auto Weighted should be 5.5.
  • Page 186 binding tunnel table can be established. TCP/UDP means when the source IP, destination IP, destination port and fragment conditions match with the settings specified here and TCP/UDP Service Port also fits the number here, such binding tunnel table can be established. ICMP means when the source IP, destination IP, destination port and fragment conditions match with the settings specified here and ICMP Service Port also fits the number here, such binding tunnel...
  • Page 187 NO for Binding Fragmented. If you choose NO for Binding Fragmented, please choose TCP/UDP, IGMP/ICMP or Other as Binding Protocol. Advanced Backup Profile Name List the backup profile name. ERD Mode ERD means “Environment Recovers Detection”. Normal – choose this mode to make all dial-out VPN TRUNK backup profiles being activated alternatively.
  • Page 188: Connection Management

    You can find the summary table of all VPN connections. You may disconnect any VPN connection by clicking Drop button. You may also aggressively Dial-out by using Dial-out Tool and clicking Dial button. Dial Click this button to execute dial out function with general mode, backup mode or load balance mode.
  • Page 189: Certificate Management

    A digital certificate works as an electronic ID, which is issued by a certification authority (CA). It contains information such as your name, a serial number, expiration dates etc., and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
  • Page 190 Note: Please note that “Common Name” must be configured with router’s WAN IP or domain name. After clicking GENERATE, the generated information will be displayed on the window below: IMPORT Vigor router allows you to generate a certificate request and submit it to the CA server, then import it as “Local Certificate”.
  • Page 191 Upload Local Certificate It allows users to import the certificate which is generated by vigor router and signed by CA server. If you have done well in certificate generation, the Status of the certificate will be shown as “OK”. Upload PKCS12 It allows users to import the certificate whose extensions are usually .pfx or .p12.
  • Page 192 Note: You have to copy the certificate request information from above window. Next, access your CA server and enter the page of certificate request, copy the information into it and submit a request. A new certificate will be issued to you by the CA server. You can save it.
  • Page 193: Trusted Ca Certificate

    Trusted CA certificate lists three sets of trusted CA certificate. To import a pre-saved trusted CA certificate, please click IMPORT to open the following window. Use Browse… to find out the saved text file. Then click Import. The one you imported will be listed on the Trusted CA Certificate window.
  • Page 194: Certificate Backup

    Local certificate and Trusted CA certificate for this router can be saved within one file. Please click Backup on the following screen to save them. If you want to set encryption password for these certificates, please type characters in both fields of Encrypt password and Retype password.
  • Page 195: Isdn

    ISDN means integrated services digital network that is an international communications standard for sending voice, video, and data over digital telephone lines or normal telephone wires. Below shows the menu items for ISDN. This web page allows you to enable ISDN function. Country Code For proper operation on your local ISDN network, you should choose the correct country code.
  • Page 196 ISP Access Setup ISP Name - Enter your ISP name such as Seednet, Hinet and so on. Dial Number - Enter the ISDN access number provided by your ISP. Username - Enter the username provided by your ISP. Password - Enter the password provided by your ISP. Require ISP Callback (CBCP) - If your ISP supports the callback function, check this box to activate the Callback Control Protocol during the PPP negotiation.
  • Page 197 Method (IPCP) most ISPs provide a dynamic IP address for the router when it connects to the ISP. If your ISP provides a fixed IP address, check Yes and enter the IP address in the field of Fixed IP Address. Select Dialing to Dual ISPs if you have more than one ISP.
  • Page 198 Primary ISP Setup ISP Name - Enter your ISP name. Dial Number - Enter the ISDN access number provided by your ISP. Username - Enter the username provided by your ISP. Password - Enter the password provided by your ISP. IP Address Assignment Method (IPCP) In most environments, you should not change these settings as most ISPs provide a dynamic IP address for the router when it...
  • Page 199: Virtual Ta

    Virtual TA means the local hosts or PCs in the network that uses popular CAPI-based software such as RVS-COM or BVRP to access the router as a local ISDN TA for sending or receiving FAX messages over the ISDN line. Basically, it is a client/server network model. The built-in Virtual TA server handles the establishment and release of connections.
  • Page 200 Before describing the configuration of Virtual TA in the Vigor routers, please heed the following limitations. The Virtual TA client only supports Microsoft Windows 98/SE/2000/XP platforms. The Virtual TA client only supports the CAPI 2.0 protocol and has no built-in FAX engine.
  • Page 201 text is RED, it means the client has lost the connection to the server. In that case, please check the physical Ethernet connection. Since the Virtual TA application is a client/server network model, you must configure it on both ends to run your Virtual TA application properly. By default, the Virtual TA server is enabled and the Username/Password fields are left blank.
  • Page 202 Click the Virtual TA Login tab to launch the login box. Enter the Username/Password and then click OK. After a short time, the VT icon text will turn green. If you have applied to an MSN number service, the Virtual TA server can assign which client has the specified MSN number.
  • Page 203: Call Control

    Call Control Setup Dial Retry - It specifies the dial retry counts per triggered packet. A triggered packet is the packet whose destination is outside the local network. The default setting is no dial retry. If set to 5, for each triggered packet, the router will dial 5 times until it is connected to the ISP or remote access router.
  • Page 204: Wireless Lan

    Idle Timeout - Because our ISDN link type is Dial On Demand, the connection will be initiated only when needed. Bandwidth-On-Demand (BOD) Setup Bandwidth-On-Demand is for Multiple-Link PPP (ML-PPP or MP). The parameters are only applied when you set the Link Type to Dialup BOD.
  • Page 205 Real-time Hardware Encryption: Vigor Router is equipped with a hardware AES encryption engine so it can apply the highest protection to your data without influencing user experience. Complete Security Standard Selection: To ensure the security and privacy of your wireless communication, we provide several prevailing standards on market.
  • Page 206 Example 2 Example 3 Separate the Wireless and the Wired LAN- WLAN Isolation enables you to isolate your wireless LAN from wired LAN for either quarantine or limit access reasons. To isolate means neither of the parties can access each other. To elaborate an example for business use, you may set up a wireless LAN for visitors only so they can connect to Internet without hassle of the confidential information leakage.
  • Page 207: General Setup

    By clicking the General Settings, a new web page will appear so that you could configure the SSID and the wireless channel. Please refer to the following figure for more information. Enable Wireless LAN Check the box to enable wireless function. Mode Select an appropriate wireless mode.
  • Page 208 selected channel is under serious interference. Hide SSID Check it to prevent wireless sniffing and make it harder for unauthorized clients or STAs to join your wireless LAN. Depending on the wireless utility, the user may only see the information except SSID or just cannot see anything about Vigor wireless router while site surveying.
  • Page 209: Security

    By clicking the Security Settings, a new web page will appear so that you could configure the settings of WEP and WPA. Mode There are several modes provided for you to choose. Disable - Turn off the encryption mechanism. WEP Only - Accepts only WEP clients and the encryption key should be entered in WEP Key.
  • Page 210 WPA/PSK Only - Accepts WPA clients and the encryption key should be entered in PSK. Remember to select WPA type to define either Mixed or WPA2 only in the field below. WPA/802.1x Only - Accept WPA clients with 802.1x authentication. Remember to select WPA type to define either Mixed or WPA2 only in the field below.
  • Page 211: Access Control

    For additional security of wireless access, the Access Control facility allows you to restrict the network access right by controlling the wireless LAN MAC address of client. Only the valid MAC address that has been configured can access the wireless LAN interface. By clicking the Access Control, a new web page will appear, as depicted below, so that you could edit the clients' MAC addresses to control their access rights.
  • Page 212: Wds

    Add a new MAC address into the list. Delete Delete the selected MAC address in the list. Edit Edit the selected MAC address in the list. Cancel Give up the access control set up. Click it to save the access control list. Clear All Clean all entries in the MAC address list.
  • Page 213 The major difference between these two modes is that: while in Repeater mode, the packets received from one peer AP can be repeated to another peer AP through WDS links. Yet in Bridge mode, packets received from a WDS link will only be forwarded to local wired or wireless hosts.
  • Page 214 Mode Choose the mode for WDS setting. Disable mode will not invoke any WDS setting. Bridge mode is designed to fulfill the first type of application. Repeater mode is for the second one. Security There are three types for security, Disable, WEP and Pre-shared key.
  • Page 215 Pre-shared Key Type 8 ~ 63 ASCII characters or 64 hexadecimal digits preceded by “0x”. Bridge If you choose Bridge as the connecting mode, please type in the peer MAC address in these fields. Six peer MAC addresses are allowed to be entered in this page at one time. Yet please disable the unused link to get better performance.
  • Page 216: Ap Discovery

    Vigor router can scan all regulatory channels and find working APs in the neighborhood. Based on the scanning result, users will know which channel is clean for usage. Also, it can be used to facilitate finding an AP for a WDS link. Notice that during the scanning process (about 5 seconds), no client is allowed to connect to Vigor.
  • Page 217: Station List

    Station List shows the wireless clients currently connected, along with their status codes. There is a code summary below for explanation. For convenient Access Control, you can select a WLAN station and click Add to Access Control below. Refresh Click this button to refresh the status of station list.
  • Page 218: Station Rate Control

    This page allows you to control the upload and download rate of each wireless client (station) and SSID1-4. Please check the box of Enable to invoke this setting. The range for the rate is between 100 ~ 100,000 kbps. SSID rate control controls the data transmission rate through wireless connection. Enable Check Enable for typing upload and download rate.
  • Page 219: Wired Vlan

    PCs connected to Ethernet ports of the router can be divided into different groups to form VLANs. PCs in the same group can share information with each other through the router, and that information cannot be seen by other groups. The VLAN >> Wired VLAN allows you to configure VLAN settings through wired connection to achieve the above intention.
  • Page 220: Wireless Vlan

    PCs (equipped with wireless network cards) connected to the router through wireless interface can be divided into different groups to form W_VLANs. PCs in the same group can share information with each other through the router, and that information cannot be seen by other groups.
  • Page 221 Enable Check this box to invoke wireless VLAN function. Login ID Type Login ID for different groups of W_VLAN with 1 to 11 characters. Password Type password for different groups of W_VLAN with 1 to 11 characters. Details Click this button to set additional attributes settings for W_VLAN.
  • Page 222 After finishing the configuration of wireless VLAN, the wireless clients connecting to this router must do the following steps to access the Internet. 1. Open a browser and type http://www.draytek.vlan/login.htm or http://(vigor router’s IP address)/login.htm on the address line. 2. The following screen will appear.
  • Page 223: Vlan Cross Setup

    5. You can go to Diagnostics>>Wireless VLAN Online Station for viewing the connection status whenever you want. This function allows the router to integrate VLAN and W_VLAN for managing different computers (notebooks). See the following picture for an example. With VLAN Cross Setup, notebook A/B and PCs on VLAN0 can share resources without difficulty.
  • Page 224 Enable Check this box to invoke VLAN Cross Setup function. VLAN0-3 It represents the groups of virtual LAN connected by Ethernet interface. W_VLAN0-15 It represents the groups of wireless VLAN communicated by wireless interface.
  • Page 225: Wireless Rate Control

    Rate Control manages the transmission rate of data in and out through the router. You can also manage the in/out rate of each wireless VLAN. Go to VLAN menu and select Wireless Rate Control. The following page will appear. Click Enable to invoke VLAN function. For the rate control of wireless connection, please open VLAN menu and choose Wireless Rate Control.
  • Page 226: Ssl Vpn

    An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. There are two benefits that SSL VPN provides: It is not necessary for users to preinstall VPN client software for executing SSL VPN connection.
  • Page 227: Ssl Web Proxy

    SSL Web Proxy will allow the remote users to access the internal web sites over SSL. It is used to access web servers on LAN side from browser. With such function, user(s) or administrator(s) can register and access the specified web server on LAN behind the router through any web browser.
  • Page 228: Ssl Application

    corresponding IP address in this field. Such field must match with URL setting. Access Method There are three modes for you to choose. Disable – the profile will be inactive. If you choose Disable, all the web proxy profile appeared under VPN remote dial-in web page will disappear.
  • Page 229 Enable Application Check this box to enable this application. Service Application Name Type the profile name for the application. Application Use the drop down list to choose an application applied to this profile. Different application types lead to different web pages. Refer to the following: Virtual Network Computing –...
  • Page 230: User Account

    Remote Desktop Protocol - Choose this item for accessing and controlling a remote PC through RDP protocol. IP Address Type the IP address for this protocol. Port Specify the port used for this protocol. The default setting is 3389. Screen Size Choose the screen size for such application.
  • Page 231 You can find out the link of Set SSL Web Proxy on the profile setting page. If you haven’t set any SSL Web Proxy Profile in SSL VPN>> SSL Web Proxy web page, there is no check box but a link appeared below. However, if you have set several SSL Web Proxy Profiles in SSL VPN>>...
  • Page 232: Online User Status

    If you have finished the configuration of SSL Web Proxy (server), users can find out corresponding settings when they access into Draytek SSL VPN portal interface. Next, users can open SSL VPN>> Online Status to view login status of SSL VPN.
  • Page 233: System Maintenance

    For the system setup, there are several items that you have to know the way of configuration: Status, Administrator Password, Configuration Backup, Syslog, Time setup, Reboot System, Firmware Upgrade. Below shows the menu items for System Maintenance. The System Status provides basic network settings of Vigor router. It includes LAN and WAN interface information.
  • Page 234: Setting

    LAN --- MAC Address Display the MAC address of the LAN Interface. IP Address Display the IP address of the LAN interface. Subnet Mask Display the subnet mask address of the LAN interface. DHCP Server Display the current status of DHCP server of the LAN interface.
  • Page 235 ACS Server Such data must be typed according to the ACS (Auto Configuration Server) you want to link. Please refer to VigorACS user’s manual for detailed information. URL - Type the URL for VigorACS server. If the connected CPE needs to be authenticated, please set URL as the following and type username and password for VigorACS server: http://{IP address of...
  • Page 236: Administrator Password

    Enable/Disable – Sometimes, a port conflict might occur. To solve such problem, you might want to change port number for CPE. Please click Enable and change the port number. Periodic Inform Settings Disable – The system will not send inform message to ACS server.
  • Page 237: Configuration Backup

    When you click OK, the login window will appear. Please use the new password to access the web configurator again. Follow the steps below to back up your configuration. Go to System Maintenance >> Configuration Backup. The following window will pop up, as shown below.
  • Page 238: Syslog/Mail Alert

    Click the Save button, and the configuration will download automatically to your computer as a file named config.cfg. The above example uses the Windows platform for demonstration. On Mac or Linux platforms, different windows will appear, but the backup function is still available. Note: Backup for Certification must be done independently.
  • Page 239 SysLog Access Setup Enable (Syslog Access…) Check “Enable” to activate function of syslog. Router Name Assign a name for the router. Server IP Address The IP address of the Syslog server. Destination Port Assign a port for the Syslog protocol. Enable syslog message Check the box listed on this web page to send the corresponding message of firewall, VPN, User Access,...
  • Page 240 also acts as Sender address while Vigor router sends out the alert e-mails. Authentication Check this box to activate this function while using e-mail application. User Name Type the user name for authentication. Password Type the password for authentication. Enable E-Mail Alert Check the box to send alert message to the e-mail box when the router detects the item(s) you specify here.
  • Page 241: Time And Date

    It allows you to specify where the time of the router should be inquired from. Current System Time Click Inquire Time to get the current time. Use Browser Time Select this option to use the browser time from the remote administrator PC host as router’s system time.
  • Page 242: Management

    This page allows you to manage the settings for access control, access list, port setup, and SNMP setup. For example, as to management access control, the port number is used to send/receive SIP message for building a session. The default value is 5060 and this must match with the peer Registrar when making VoIP calls.
  • Page 243: Reboot System

    Set Community Set community by typing a proper name. The default setting is private. Manager Host IP Set one host as the manager to execute SNMP function. Please type in IP address to specify certain host. Trap Community Set trap community by typing a proper name. The default setting is public.
  • Page 244: Firmware Upgrade

    Note that this example is running over Windows OS (Operating System). Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.draytek.com (or local DrayTek's web site) and FTP site is ftp.draytek.com.
  • Page 245: Diagnostics

    Diagnostic Tools provide a useful way to view or diagnose the status of your Vigor router. Below shows the menu items for Diagnostics. Click Diagnostics and click Dial-out Trigger to open the web page. The internet connection (e.g., ISDN, PPPoE, PPPoA, etc) is triggered by a packet sent from the source IP address.
  • Page 246: Routing Table

    Click Diagnostics and click Routing Table to open the web page. Refresh Click it to reload the page. Click Diagnostics and click ARP Cache Table to view the content of the ARP (Address Resolution Protocol) cache held in the router. The table shows a mapping between an Ethernet hardware address (MAC Address) and an IP address.
  • Page 247: Dhcp Table

    The facility provides information on IP address assignments. This information is helpful in diagnosing network problems, such as IP address conflicts, etc. Click Diagnostics and click DHCP Table to open the web page. Index It displays the connection item number. IP Address It displays the IP address assigned by this router for specified MAC Address...
  • Page 248: Wireless Vlan Online Station Table

    Peer IP :Port It indicates the destination IP address and port of remote host. Interface It indicates the interface of the WAN connection. Refresh Click it to reload the page. Click Diagnostics and click Wireless VLAN Online Station Table to open the web page. It will display the IP address, MAC address and Login ID information for all the Wireless VLAN stations.
  • Page 249 LAN Security Monitor Check this box to enable this function. Refresh Seconds Use the drop down list to choose the time interval of refreshing data flow that will be done by the system automatically. Refresh Click this link to refresh this page manually. Index Display the number of the data flow.
  • Page 250: Traffic Graph

    Unblock – the device with the IP address will be blocked in five minutes. The remaining time will be shown on the session column. Current /Peak/Speed Current means current transmission rate and receiving rate for WAN1/WAN2. Peak means the highest peak value detected by the router in data transmission.
  • Page 251: Ping Diagnosis

    The horizontal axis represents time. Yet the vertical axis has different meanings. For WAN1/WAN2 Bandwidth chart, the numbers displayed on vertical axis represent the numbers of the transmitted and received packets in the past. For Sessions chart, the numbers displayed on vertical axis represent the numbers of the NAT sessions during the past.
  • Page 252: Trace Route

    Ping to Use the drop down list to choose the destination that you want to ping. IP Address Type in the IP address of the Host/IP that you want to ping. Click this button to start the ping work. The result will be displayed on the screen.
  • Page 253: Av/Ai Top 10

    Click this button to start route tracing work. Clear Click this link to remove the result on the window. This page provides information for the Top 10 of Anti-Virus and Anti-Intrusion signatures used frequently.
  • Page 254: Web Firewall Syslog

    This page displays the time and message for firewall settings. You can check Enable Web Firewall Syslog and choose the display mode you want. Later, the event of firewall will be shown for your reference.
  • Page 255: Registration For The Router

    WCF during the valid time of the license key you purchased. There are two ways to create and activate new account. One is created by accessing http://myvigor.draytek.com (refer to section 4.1), the other is from router’s web configurator (refer to section 4.2).
  • Page 256 Check to confirm that you accept the Agreement and click Accept. Type your personal information in this page and then click Continue.
  • Page 257 Choose proper selection for your computer and click Continue. Now you have created an account successfully. Click START. New Account Confirmation Check to see the confirmation email with the title of Letter from myvigor.draytek.com.
  • Page 258 Click the Activate my Account link to enable the account that you created. The following screen will be shown to verify the register process is finished. Please click Login. When you see the following page, please type in the account and password (that you just created) in the fields of UserName and Password.
  • Page 259: Creating And Activating An Account From Router Web Configurator

    You can also create and register a new account from the web configurator of the VigorPro router. Open a web browser on your PC and type http://192.168.1.1. A pop-up window will open to ask for username and password. Do not type any word on the window and click From the router’s web page, please open Defense Configuration >>Activation.
  • Page 260 Click the Activate link. A login page for MyVigor web site will pop up automatically. Click the link of Create an account now. Check to confirm that you accept the Agreement and click Accept.
  • Page 261 Type your personal information in this page and then click Continue. Choose proper selection for your computer and click Continue.
  • Page 262 New Account Confirmation 10. Check to see the confirmation email with the title of Letter from myvigor.draytek.com. 11. Click the Activate my Account link to enable the account that you created. The following screen will be shown to verify the register process is finished. Please click Login.
  • Page 263 13. Now, click Login. Your account has been activated. You can access into MyVigor server to activate the service (e.g., WCF) that you want. DrayTek will maintain a database of MAC address/serial number of shipped goods. Only products with shipping records can be registered. If your VigorPro 5510 cannot hook up to your account, please contact your reseller or DrayTek’s technical support.
  • Page 264: Registering Your Vigor Router

    You have activated the new account for the router. Now, it is the time for you to register your vigor router. Open Defense Configuration >>Activation. Registering Vigor router should be done just for once. If the router has been registered previously, the system will not allow you to register the router again.
  • Page 265 A Login page will be shown on the screen. Please type the account and password that you created previously, and click Login. The following page will be displayed after you log in to the VigorPro server. From this page, please click Add.
  • Page 266 When the following page appears, please type in Nick Name (for the router) and choose the right purchase date from the popup calendar (it appears when you click on the box of Purchase Date). After adding the basic information for the router, please click Submit. Now, your router information has been added to the database.
  • Page 267: Activating Anti-Virus/Anti-Intrusion/Anti-Spam/Wcf Service

    Now, you have finished the procedure for registering your router. After registering your vigor router, you have to follow the steps listed below to activate anti-virus/anti-intrusion/anti-spam/web content filter (WCF) service to obtain full security for your computer. Open a web browser on your PC and type http://192.168.1.1. A pop-up window will open to ask for username and password.
  • Page 268 A Login page will be shown on the screen. Please type the account and password that you created previously. And click Login. On the web page of My Product, you can find a list of the devices that you add with the above steps.
  • Page 269 From the Device’s Service section, click the Trial button for AI-AV (Anti-Intrusion & Anti-Virus) service with provider DT-DT. Rename It allows you to change the account name. Delete It allows you to delete account name used currently. Transfer It allows you to transfer the VigorPro device together with applied license to someone who has already registered another account in www.vigorpro.com.
  • Page 270 Then, click Next. Note: DT-DT means you can acquire the anti-intrusion and anti-virus services from DrayTek Corporation. When this page appears, click Register. Next, the DrayTek Service Activation screen will be shown as the following:
  • Page 271 (Above figure supposes you have not activated Anti-Spam and Web Content Filter yet.) 10. Click Close. 11. Open Defense Configuration>>Activation page of the router’s web configurator. The start date and expire date for the license are shown in this page. 12.
  • Page 272: For Anti-Spam Service

    Please follow the steps below to activate Anti-Spam Service for your system. Open a web browser on your PC and type http://192.168.1.1. A pop-up window will open to ask for username and password. From the router’s web page, please open Defense Configuration >>Activation. You will see the following web page.
  • Page 273 A Login page will be shown on the screen. Please type the account and password that you created previously. And click Login. On the web page of My Product, click the Trial button for AS (Anti-Spam) service.
  • Page 274 Then, click Next. Note: CTCH means you can acquire anti-spam service from Commtouch. When this page appears, click Register. Next, the DrayTek Service Activation screen will be shown as the following.
  • Page 275 Click Close. 10. Open Defense Configuration>>Activation page of the router’s web configurator. The start date and expire date for the license are shown in this page. Now, you have finished all the procedure for activating Anti-Spam service for your router. Note: You are allowed to use this version (with anti-spam feature) for 30 days after registration for your router.
  • Page 276: For Wcf (Web Content Filter) Service

    Please follow the steps below to activate WCF Service for your system. Open a web browser on your PC and type http://192.168.1.1. A pop-up window will open to ask for username and password. From the router’s web page, please open Defense Configuration >>Activation. You will see the following web page.
  • Page 277 A Login page will be shown on the screen. Please type the account and password that you created previously. And click Login. On the web page of My Product, click the Trial button for WCF (Web Content Filter) service.
  • Page 278 In this page, check the box of “I have read and accept the above Agreement”. The system will find out the date for you to activate this version of service. Then, click Next. When this page appears, click Register. Next, the DrayTek Service Activation screen will be shown as the following.
  • Page 279 Click Close. 10. Open Defense Configuration>>Activation page of the router’s web configurator. The start date and expire date for the license are shown in this page. Now, you have finished all the procedure for activating WCF service for your router. Note: You are allowed to use this version (with WCF feature) for few days after registration for your router.
  • Page 280: Backup And Upgrade Signature For Anti-Intrusion/Anti-Virus

    You can get the most updated signature from DrayTek’s server if the license key of anti-virus/anti-intrusion for the VigorPro 5510 is not expired. Before you upgrade the signature, please check the validation information either from WEB user interface of VigorPro 5510 or account information from www.vigorpro.com.
  • Page 281: Enabling Anti-Virus/Anti-Intrusion/Anti-Spam/Wcf

    Backup files can be imported whenever you want. To use a saved signature information, please click Import. In addition, users can specify certain time for executing the upgrade automatically by the router. Remember to check the Schedule Update box and click OK to activate the time settings.
  • Page 282 B. For specified filter rule (there are twelve filter sets in Firewall, and each set is allowed to set seven filter rules), please check the box of Enable for Anti-Intrusion and choose proper action (profile) from the drop down list of Anti-Virus/Anti-Spam/Web Content Filter.
  • Page 283: Application And Examples

    The most common case is that you may want to connect to network securely, such as the remote branch office and headquarter. According to the network structure as shown in the below illustration, you may follow the steps to create a LAN-to-LAN profile. These two networks (LANs) should NOT have the same network address.
  • Page 284 For using IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to set general settings in IPSec General Setup, such as the pre-shared key that both parties have known. Go to LAN-to-LAN. Click on one index number to edit a profile. Set Common Settings as shown below.
  • Page 285 If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection. Set Dial-In settings as shown below to allow Router B to dial in and build the VPN connection.
  • Page 286 If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router A can direct the packets destined to the remote network to Router B via the VPN connection.
  • Page 287 Then, for using PPP based services, such as PPTP, L2TP, you have to set general settings in PPP General Setup. For using IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to set general settings in IPSec General Setup, such as the pre-shared key that both parties have known.
  • Page 288 connection. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Dial-Out connection. Set Dial-In settings as shown below to allow Router A to dial in and build the VPN connection.
  • Page 289 If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router B can direct the packets destined to the remote network to Router A via the VPN connection.
  • Page 290: Create A Remote Dial-In User Connection Between The Teleworker And Headquarter

    The other common case is that you, as a teleworker, may want to connect to the enterprise network securely. According to the network structure as shown in the below illustration, you may follow the steps to create a Remote User Profile and install Smart VPN Client on the remote host.
  • Page 291 Go to Remote Dial-In Users. Click on one index number to edit a profile. Set Dial-In settings as shown below to allow the remote user to dial in and build the VPN connection. If an IPSec service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In connection.
  • Page 292 For Win2000/XP, please use "Network and Dial-up connections" or “Smart VPN Client”, complimentary software to help you create PPTP, L2TP, and L2TP over IPSec tunnel. You can find it in CD-ROM in the package or go to www.draytek.com download center. Install as instructed.
  • Page 293 If an IPSec-based service is selected as shown below, You may further specify the method you use to get IP, the security method, and authentication method. If the Pre-Shared Key is selected, it should be consistent with the one set in VPN router. If a PPP-based service is selected, you should further specify the remote VPN server IP address, Username, Password, and encryption method.
  • Page 294: QoS Setting Example

    Click the Connect button to build the connection. When the connection is successful, you will see a green light in the lower right corner. Assume a teleworker sometimes works at home and takes care of children. During working hours, he uses the Vigor router at home to connect to the server in the headquarters office downtown via either HTTPS or VPN to check email and access the internal database.
  • Page 295 Note: The rate of outbound/inbound must be smaller than the real bandwidth to ensure correct calculation of QoS. It is suggested to set the bandwidth value for inbound/outbound as 80% - 85% of physical network speed provided by ISP to maximize the QoS performance.
  • Page 296 Check Enable UDP Bandwidth Control at the bottom to prevent heavy VoIP UDP traffic from affecting other applications, and click OK. If the worker has connected to the headquarters using a host-to-host VPN tunnel (please refer to Chapter 3 VPN for detailed instructions), he may set up an index for it. Enter the Class Name of Index 3.
  • Page 297: LAN - Created By Using NAT

    11. First, check the ACT box. Then click Edit of Local Address to set the worker’s subnet address. Click Edit of Remote Address to set the headquarters’ subnet address. Leave the other fields and click OK. An example of the default setting and the corresponding deployment is shown below. The default Vigor router private IP address/Subnet Mask is 192.168.1.1/255.255.255.0.
  • Page 298 To use another DHCP server in the network rather than the built-in one of the Vigor router, you have to change the settings as shown below. You only need to change the settings inside the red rectangles to fit your NAT usage.
  • Page 299: Upgrade Firmware For Your Router

    Before upgrading your router firmware, you need to install the Router Tools. The Firmware Upgrade Utility is included in the tools. 1. Go to www.draytek.com. 2. Go to Support >> Downloads. Find the Firmware menu and click it. Search for your model and click on it to download the newly updated firmware for your router.
  • Page 300 5. Double click on the icon of router tool. The setup wizard will appear. 6. Follow the onscreen instructions to install the tool. Finally, click Finish to end the installation. 7. From the Start menu, open Programs and choose Router Tools XXX >> Firmware Upgrade Utility.
  • Page 301 10. Click Send. Now the firmware update is finished.
  • Page 302: Request A Certificate From A CA Server On Windows CA Server

    Go to Certificate Management and choose Local Certificate.
  • Page 303 You can click the GENERATE button to start editing a certificate request. Enter the information in the certificate request. Copy the X509 Local Certificate Request and save it as a text file for later use.
  • Page 304 Connect to the CA server via a web browser. Follow the instructions to submit the request. Below we take a Windows 2000 CA server as an example. Select Request a Certificate. Select Advanced request. Select Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file. Import the X509 Local Certificate Request text file.
  • Page 305 The request is now complete and the server issues you a certificate. Select Base 64 encoded certificate and Download CA certificate. Now you should get a certificate (.cer file) and save it. Back on the Vigor router, go to Local Certificate. Click the IMPORT button to open the next page.
  • Page 306 When the file is imported successfully, the following dialog will appear. You may review the detailed information of the certificate by clicking the View button.
  • Page 307: Request A CA Certificate And Set As Trusted On Windows CA Server

    Use a web browser to connect to the CA server whose CA certificate you would like to retrieve. Click Retrieve the CA certificate or certificate revocation list.
  • Page 308 In Choose file to download, click CA Certificate Current and Base 64 encoded, and Download CA certificate to save the .cer file. Back on the Vigor router, go to Trusted CA Certificate. Click the IMPORT button and browse to the file to import the certificate (.cer file) into the Vigor router. When finished, click refresh and you will see the result shown in the illustration below.
  • Page 309: Trouble Shooting

    This section will guide you through solving abnormal situations if you cannot access the Internet after installing the router and finishing the web configuration. Please follow the sections below to check your basic installation status stage by stage. Checking if the hardware status is OK or not. Checking if the network connection settings on your computer are OK or not.
  • Page 310 The example is based on Windows XP. For other operating systems, please follow similar steps or find support notes at www.draytek.com. Go to Control Panel and then double-click on Network Connections. Right-click on Local Area Connection and click on Properties.
  • Page 311 Select Obtain an IP address automatically and Obtain DNS server address automatically. Double-click on the currently used MacOS on the desktop. Open the Application folder and go into Network. On the Network screen, select Using DHCP from the drop-down list of Configure IPv4.
  • Page 312: Pinging The Router From Your Computer

    The default gateway IP address of the router is 192.168.1.1. For some reason, you might need to use the “ping” command to check the link status of the router. The most important thing is that the computer receives a reply from 192.168.1.1. If not, please check the IP address of your computer.
  • Page 313: Checking If The ISP Settings Are OK Or Not

    Click WAN >> Internet Access and then check whether the ISP settings are set correctly. Click Details Page of WAN1/WAN2 to review the settings that you configured previously. Check if the Enable option is selected. Check if Username and Password are entered with correct values that you got from your ISP.
  • Page 314 Check if the Enable option is selected. Check if IP address, Subnet Mask and Gateway are entered with correct values that you got from your ISP. Check if the Enable option for PPTP Link is selected.
  • Page 315: Backing To Factory Default Setting If Necessary

    Check if PPTP Server, Username, Password and WAN IP address are set correctly (they must be identical to the values from your ISP). Sometimes, a faulty connection can be improved by returning to the default settings. Try to reset the router by software or hardware. Warning: After pressing factory default setting, you will lose all the settings you made before.
  • Page 316: Contacting Your Dealer

    After restoring the factory default settings, you can configure the router again to fit your personal needs. If the router still does not work correctly after repeated attempts, please contact your dealer for further help right away. For any questions, please feel free to send e-mail to support@draytek.com.
