CRADLEPOINT
MBR1200 | USER MANUAL Firmware ver. 1.6.12
© 2010
CRADLEPOINT, INC.
PLEASE VISIT
HTTP://KNOWLEDGEBASE.CRADLEPOINT.COM/
FOR MORE HELP AND RESOURCES
PAGE 39
5.2 Failover/Load Balance
The MBR1200 can establish an uplink via the ethernet WAN port or any modems
plugged into the USB, ExpressCard or CardBus ports. Although all of these devices
may be plugged in, only one of them establishes a link at a time unless load balancing
is enabled. If the WAN connection fails the router will automatically attempt to bring up a
new link on another device. This feature is called failover.
You can also manually disconnect and re-connect specific ports using icons in the
Control column. The priority table can be saved permanently via the Save button.
Priority changes take effect immediately even if they are not saved.
5.2.1 Ethernet WAN Failure Detection
WAN failure detection works by detecting the presence of traffic on the ethernet WAN
link. (Note that this only applies to the ethernet WAN link, not the modems.) If the link is
idle for too long the router will attempt to ping a target IP address. If the ping does not
reply, the router assumes the link is down and attempts to fail over to a modem.
Enable. This enables failure detection on the Ethernet link. Even when this is disabled,
unplugging the Ethernet cable at the WAN port will trigger failover to a modem.
Timeout. Enter in this field the length of time that the ping target may be unresponsive
before the MBR1200 will switch to the next failover connection.
Enable Ping on Idle. When enabled, the router will send a ping after the link idle
timeout. If the ping gets a reply, the router will restart the idle timer; otherwise it will
fail over to a modem.
Ping Target. The default ping target is the router's gateway. You may specify a
different IP address as a target here.
Enable Failback. This enables the Ethernet WAN connection to be monitored for
usability. If the connection is usable, other WAN connections are disconnected and the
Ethernet WAN connection is used exclusively.
5.2.2 Ethernet WAN Switch Settings
Enable Ethernet Switch. This enables and disables the WAN Ethernet
switch. When the switch is disabled, wired Ethernet connections will
work.
Port 4: The user may convert port 4 from LAN to WAN, thus creating a
secondary WAN Ethernet port.
5.2.3 WAN Load Balancing
This feature allows you to increase the data transfer throughput by
allowing any connected interface to share the connection load. If load
balancing is active, all configurable services will be associated with the
primary interface: WAN 1. For example, if you have configured the router
to accept connections on port 80 to be forwarded to a certain host, only
WAN 1 will be affected. If the primary interface is disconnected, primary
services will fail over to the next available interface.
5.2.4 WAN Interfaces
This section allows you to:
Change the failover order of devices (aka interfaces)
Monitor their status
Take the active link down
Bring a link up on another device
The device at the top of the list has the highest priority. This is the device
which the router will attempt to start when it boots up. If the link cannot
be brought up on this device, or if it fails after boot up, the router will
attempt to bring the link up on the next available device. Whenever a link
fails on a device, the router will always move to the next device
down in the list, wrapping around to the top again.
Slot. The slot is the physical port the modem or Ethernet cable is plugged into.
Device. This shows a description of the device.
Status. This is the link status of a device, which is one of the following:
Ready. This means the device is plugged in and available but not active.
Establishing. This means the router is attempting to bring up the link over the device.
Established. This means the link is up and running on the device.
Suspended. This means the router will not attempt to bring up the link over the device until a timer expires. This only applies to
modems, which must conform to carrier specifications about how often they may attempt to connect to the network. The timeout
depends on how many previous connection attempts have failed in a row.
Control. The device which has an active link will show a circle-and-slash icon. If you click on this icon the router will bring the link down. It will not
automatically failover in this case. If you bring the link down, the modem will remain disconnected until you use the control to enable it again. The
router will not attempt to automatically connect to a modem that has been manually disconnected.
All other available devices will have a check mark icon. If you click on this icon the router will attempt to bring the link up over this device. If
necessary, it will first bring the active link down. Failover will proceed to the next device down on the list.
Priority. Click on the up-arrow and down-arrow icons to change the priority of the device.
5.3 Firewall
Use the Firewall sub-menu to protect your network from the outside world. The MBR1200 provides
a tight firewall by virtue of the way NAT works. Unless you configure the router to the contrary, the
NAT does not respond to unsolicited incoming requests on any port, thereby making your LAN
invisible to public Internet view. However, some network applications cannot run with a tight
firewall. Those applications need to selectively open ports in the firewall to function correctly.
5.3.1 Firewall Settings
Enable SPI. SPI (Stateful Packet Inspection, also known as dynamic packet filtering) helps to
prevent cyber attacks by tracking more state per session. It validates that the traffic passing
through the session conforms to the protocol. When SPI is enabled, the extra state information will
be reported on the Status Active Sessions sub-menu.
Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that
each TCP packet's flags are valid for the current state.
5.3.2 NAT Endpoint Filtering
The NAT Endpoint Filtering options control how the router's NAT manages incoming connection
requests to ports that are already being used.
UDP Endpoint Filtering/TCP Endpoint Filtering. The UDP Endpoint Filtering check box
controls endpoint filtering for packets of the UDP protocol and the TCP Endpoint Filtering check
box controls endpoint filtering for packets of the TCP protocol. Select a NAT Endpoint Filtering
option:
Endpoint Independent. Once a LAN-side application has created a connection
through a specific port, the NAT will forward any incoming connection requests with the
same port to the LAN-side application regardless of their origin. This is the least
restrictive option, giving the best connectivity and allowing some applications (P2P
applications in particular) to behave almost as if they are directly connected to the
Internet.
Address Restricted. The NAT forwards incoming connection requests to a LAN-side
host only when they come from the same IP address with which a connection was
established. This allows the remote application to send data back through a port
different from the one used when the outgoing session was created.
Port And Address Restricted. The NAT does not forward any incoming connection requests with the same port address as an
already established connection.
NOTE: Some of these options can interact with other port restrictions. Endpoint Independent Filtering takes priority over inbound filters or
schedules, so it is possible for an incoming session request related to an outgoing session to enter through a port in spite of an active inbound
filter on that port. However, packets will be rejected as expected when sent to blocked ports (whether blocked by schedule or by inbound filter) for
which there are no active sessions. Port and Address Restricted Filtering ensures that inbound filters and schedules work precisely, but prevents
some level of connectivity, and therefore might require the use of port triggers, virtual servers, or gaming to open the ports needed by the
application. Address Restricted Filtering gives a compromise position, which avoids problems when communicating with certain other types of
NAT router (symmetric NATs in particular) but leaves inbound filters and scheduled access working as expected.
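The three filtering options and the inbound-filter interaction in the NOTE can be compared side by side with a small model. This is an added example, not CradlePoint code: the function names, sample addresses and ports are constructed, and Port And Address Restricted is modelled on the assumption that it admits only the exact remote IP and port of the existing session (the address-and-port-dependent filtering of RFC 4787).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    lan_host: str      # LAN-side host that opened the session
    wan_port: int      # Internet-visible port of the NAT mapping
    remote_ip: str     # peer the LAN host connected to
    remote_port: int

def forward_target(mode, sessions, dst_port, src_ip, src_port):
    """Return the LAN host an inbound packet reaches, or None if it is dropped."""
    for s in sessions:
        if s.wan_port != dst_port:
            continue
        if mode == "endpoint_independent":
            return s.lan_host                      # any origin is accepted
        if mode == "address_restricted" and src_ip == s.remote_ip:
            return s.lan_host                      # same remote IP, any source port
        if (mode == "port_and_address_restricted"
                and (src_ip, src_port) == (s.remote_ip, s.remote_port)):
            return s.lan_host                      # assumed: exact remote endpoint only
    return None

def filter_overridden_ports(mode, sessions, blocked_ports):
    """Ports that carry an inbound filter yet stay reachable, per the NOTE."""
    if mode != "endpoint_independent":
        return set()
    return {s.wan_port for s in sessions if s.wan_port in blocked_ports}

# Constructed sample data (documentation address ranges, not from the manual).
SESSIONS = [Session("192.168.0.10", 40000, "203.0.113.5", 3478)]
PROBES = {
    "original peer":        (40000, "203.0.113.5", 3478),
    "peer, other port":     (40000, "203.0.113.5", 9999),
    "unrelated host":       (40000, "198.51.100.7", 3478),
    "port with no session": (40001, "203.0.113.5", 3478),
}
MODES = ("endpoint_independent", "address_restricted", "port_and_address_restricted")

def exposure_table():
    """Map each mode to the names of the probes that reach a LAN host."""
    return {m: [name for name, p in PROBES.items()
                if forward_target(m, SESSIONS, *p)] for m in MODES}

if __name__ == "__main__":
    for mode, reached in exposure_table().items():
        print(f"{mode:28} {reached}")
    print(filter_overridden_ports("endpoint_independent", SESSIONS, {40000}))
```

Only Endpoint Independent lets the unrelated host through, and it is also the only mode for which a filtered port with an active session is reported as still reachable.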
5.3.3 NAT Port Preservation
Enable Port Preservation. (Default: enabled). NAT Port preservation
tries to ensure that, when a LAN host makes an Internet connection, the
same LAN port is also used as the Internet visible port. This ensures best
compatibility for internet communications. Under some circumstances it
may be desirable to turn off this feature.
5.3.4 Anti-Spoof Checking
Enable Anti-Spoof Checking. Enabling this option can provide protection
from certain kinds of "spoofing" attacks. However, enable this option with
care. With some modems, the WAN connection may be lost when this
option is enabled. In that case, it may be necessary to change the LAN
subnet to something other than 192.168.0.x (192.168.2.x, for example), to
re-establish the WAN connection.
5.3.5 DMZ Host
Use the DMZ Host section when you want to expose a computer to the
outside world for certain types of applications. This option will expose the
chosen computer completely to the outside world. Only one machine can
be put in the DMZ. NOTE: In general, the DMZ host should be used only if
there are no other alternatives, because it is much more exposed to
attacks than any other system on the LAN. Thought should be given to
using other configurations instead: a virtual server, a gaming rule or a port
trigger.