Page 38

Schedule Rule

You may filter Internet access for local clients based on rules

Each access control rule may be activated at a scheduled time. Define the schedule on the Schedule Rule

page, and apply the rule on the Access Control page.

Click ‘Add Schedule Rule’ to add a new rule and bring up the following page.

Edit Schedule Rule

You can create and edit schedule rules on this page.

Define the appropriate settings for a schedule rule (as shown on the above screen). The rule in the screen shot

above prohibits emailing after 3.00pm to 11.00pm. Upon completion, click ‘OK’ to save your schedule rules.

Chapter 5 :

Advanced Setup

BoB

TM

Advanced Setup Method

Page 39

Intrusion Detection

The router’s firewall inspects packets at the application layer, maintains TCP and UDP session information

including timeouts and number of active sessions, and provides the ability to detect and prevent certain types

of network attacks such as Denial-of-Service (DoS) attacks.

Network attacks that deny access to a network

device are called DoS attacks DoS attacks are aimed

at devices and networks with a connection to the

Internet. Their goal is not to steal information, but to

disable a device or network so users no longer have

access to it.

The router protects against DoS attacks including:

Ping of Death (Ping f lood) attack, SYN f lood attack, IP

fragment attack (Teardrop Attack), Brute-force attack,

Land Attack, IP Spoofing attack, IP with zero length,

TCP null scan (Port Scan Attack), UDP port loopback.

Note:

The firewall does not significantly affect system

performance, so we advise enabling the prevention

features to protect your network

Parameter Description

Enable SPI and Anti-DoS firewall protection:

The Intrusion Detection feature of the router limits

the access of incoming traffic at the WAN port. When

the Stateful Packet Inspection (SPI) feature is turned

on, all incoming packets are blocked except those

types marked with a check in the Stateful Packet

Inspection section at the top of the screen

Stateful Packet Inspection:

This option allows you to select different application

types that are using dynamic port numbers. If you

wish to use Stateful Packet Inspection (SPI) for

blocking packets, click on the Yes radio button in

the ‘Enable SPI and Anti-DoSfirewall protection’ field

and then check the inspection type that you need,

such as Packet Fragmentation, TCP Connection, UDP

Session, 323 Service, and TFTP Service.

It is called a ‘stateful’ packet inspection because it

examines the contents of the packet to determine

the state of the communication; it ensures that

the stated destination computer has previously

requested the current communication. This is a way

of ensuring that all communications are initiated by

the recipient computer and are taking place only with

sources that are known and trusted from previous

interactions. In addition to being more rigorous

in their inspection of packets, stateful inspection

firewalls also close off ports until a connection to the

specific port is requested.

When particular types of traffic are checked, only the

particular type of traffic initiated from the internal

LAN will be allowed. For example, if the user only

checks FTP Service in the Stateful Packet Inspection

section, all incoming traffic will be blocked except for

FTP connections initiated from the local LAN.

Chapter 5 :

Advanced Setup

BoB

TM

Advanced Setup Method

Page 40

DoS Detect Criteria

Total incomplete TCP/UDP sessions HIGH:

Defines the rate of new un-established sessions

that will cause the software to start deleting half-

open sessions.

Total incomplete TCP/UDP sessions LOW:

Defines the rate of new un-established sessions

that will cause the software to stop deleting.

Incomplete TCP/UDP sessions (per min.) HIGH:

Maximum number of allowed incomplete TCP/UDP

sessions per minute.

Incomplete TCP/UDP sessions (per min.) LOW:

Minimum number of allowed incomplete TCP/UDP

sessions per minute.

Maximum incomplete TCP/UDP sessions

number from same host:

Maximum half-open

fragmentation packet number from same host.

Incomplete TCP/UDP sessions detect sensitive

time period:

of time before an incomplete TCP/

UDP session is detected as incomplete.

Maximum half-open fragmentation packet

number from same host:

Maximum number of

incomplete TCP/UDP sessions from the same host.

Half-open fragmentation detect sensitive

time period:

Length of time before a half-open

fragmentation session is detected as half-open.

DMZ

If you have a client PC that cannot run an Internet application properly from behind the firewall, you can open

the client up to unrestricted two-way Internet access. Enter the IP address of a DMZ (Demilitarized Zone) host

on this screen. Adding a client to the DMZ may expose your local network to a variety of security risks, so only

use this option as a last resort.

Chapter 5 :

Advanced Setup

BoB

TM

Advanced Setup Method

Page 41

SNMP

On this page you can enable the SNMP (Simple Network Management Protocol) functions for LAN, WAN or both

LAN and WAN. By default it is set to disabled.

Community

Use the SNMP configuration screen to display and modify parameters for the Simple Network Management

Protocol (SNMP). A computer attached to the network, called a Network Management Station (NMS), can

be used to access this information.

Access rights to the agent are controlled by community strings. To

communicate with the router, the NMS must first submit a valid community string for authentication.

Parameter

Description

Community

A Community name authorised for management access

Access

Management access is restricted to Read or Write

Valid

Enables or disables the entry

Note:

Up to 5 community names may be entered

Chapter 5 :

Advanced Setup

BoB

TM

Advanced Setup Method

Page 42

Trap

Parameter Description

IP Address:

Traps are sent to this address when errors or specific events occur on the network.

Community:

A community string (password) specified for trap management. Enter a word, something other

than public or private, to prevent unauthorized individuals from reading information on your system.

Version: Sets the trap status to disabled, or enabled with V1 or V2c.

The v2c protocol was proposed in late 1995 and includes enhancements to v1 that are universally accepted.

These include a get-bulk command to reduce network management traffic when retrieving a sequence of MIB

variables, and a more elaborate set of error codes for improved reporting to a Network Management Station.

ADSL

ADSL Parameters

We recommend leaving the Operation Mode at the default Automatic setting unless you are having line sync

issues, to automatically negotiate with remote DSLAM.

Parameter Description

Operation Mode

Automatic

T1.413 Issue 2

G.992.1 (G.DMT)

•

•

•

G.922.2 (G.Lite)

G.922.3 (ADSL2)

G.922.5 (ADSL2+)

•

•

•

G.922.5 (ADSL2+M)

•

Chapter 5 :

Advanced Setup

BoB

TM

Advanced Setup Method