User Guide

36

© Copyright 2011 Luxul. All rights reserved. Trademarks & Registered Trademarks are property of respective holders.

±

WinNuke:

When enabled, the XBR-2300 will attempt to drop all traffic that

matches the following definition: TCP fragments (usually configured as URG

NetBIOS port 139) are sent to connected devices, causing fragment overlapping

Suspicious Packets Defense

±

Big ICMP Packets:

ICMP packets should be 1024 Bytes or less. This filter drops all

ICMP packets that exceed 1024 Bytes

±

TCP Packets without Flag:

All normal TCP packet have at least one configured

symbol (Flag). This filter drops all TCP packets that do not have a set Flag

±

Set the TCP Packets of SYN and FIN at the Same Time:

TCP packets that have

set both the SYN and FIN Flags are abnormal and considered suspicious. This

filter drops all TCP packets that have set both the SYN and FIN Flags.

±

TCP Packets only Set FIN without ACK:

TCP packets that have the FIN Flag but

no ACK Flag set are considered abnormal. This filter drops all TCP packets that

have set the FIN Flag but are missing the ACK Flag

±

Unknown Protocol:

If the character value in protocol type of an IP packet is 135

bytes or larger, it is impossible to determine in advance whether this unknown

protocol is well-intentioned or malicious (all well known protocols and most

unknown protocols have character values less than 135 bytes). This filter drops all

packets with 135 bytes or more in the protocol type.

luxul.com

|

357 South 670 West

|

Suite 160

|

Lindon, UT 84042

|

p: 801-822-5450

|

f: 801-822-5460

User Guide

37

Packets Containing IP Options Defense

±

IP Timestamp Option:

Checks an IP packet to see if it contains an Internet

Timestamp. If enabled, all packets without an Internet Timestamp will

be dropped.

±

IP Security Option:

Checks an IP packet to see if it contains a Security marker. If

enabled, all packets without a Security marker will be dropped.

±

IP Stream Option:

Check an IP packet to see if it contains a Stream ID. If enabled,

any packet stream without a Stream ID will be dropped.

±

IP Record Route Option:

Checks an IP packet to see if it contains a Record

Route. If enabled, any packets without a Record Route will be dropped.

±

IP Loose Source Route Option:

Checks an IP packet to see if it contains a Loose

Source Route. If enabled, any packets without a Loose Source Route will

be dropped.

±

IP Strict Source Route Option:

Checks an IP packet to see if it contains a Strict

Source Route. If enabled, any packets without a Strict Source Route will be

dropped.

±

Invalid IP Options:

Checks an IP packet to see if it contains any integrity errors.

If enabled, any packets containing Invalid IP Options will be dropped.

Other Attacks

±

Filter Ping from WAN Port:

If enabled, XBR-2300 will drop all ICMP packets

±

DDoS Attack Defense:

If enabled, the XBR-2300 will attempt to drop all DDoS

packets (i.e. ICMP, ARP, etc)

±

Shock Waves, Sasser and Other Viruses Defense:

The XBR-2300 will block all

well known virus attacks.

NOTE:

This requires updating the firmware as new updates are released

5.5.4 LAN Attack Defense

The settings options for this section are identical to WAN Attack Defense simply

applied to the LAN ports of the XBR-2300. Please refer to section 3.4.3 WAN

Attack Defense.

User Guide

38

© Copyright 2011 Luxul. All rights reserved. Trademarks & Registered Trademarks are property of respective holders.

5.5.5 IP-MAC Binding

In the IP-MAC Binding section there are two submenus: IP-MAC Binding and

Dynamic Binding.

5.5.5.1 IP-MAC Binding

This function Binds a specified MAC address to a specified IP Address. This is useful

in networks where a device IP and the MAC address must remain linked (i.e. VoIP

Phones, Servers, Secondary Routers, etc.)

±

Enable IP-MAC Binding:

Enables IP-MAC Binding function

±

Mode:

There are two optional modes: Normal Mode or Mandatory Mode

w

Normal Mode: Blocks any IP Address that does not match the bound

MAC Address. IP Addresses not included in the binding list will

communicate normally

w

Mandatory Mode: Only IP Addresses matching the MAC addresses on the

Binding List are allowed to access the Internet. All addresses not included

in the list are blocked.

±

ARP List:

Displays the corresponding IP and MAC addresses in the ARP Table.

Select Connected Clients in ARP List to manually add IP and MAC addresses.

±

IP Address:

Specifies the IP address to be Bound.

±

MAC Address:

MAC addresses to be Bound

luxul.com

|

357 South 670 West

|

Suite 160

|

Lindon, UT 84042

|

p: 801-822-5450

|

f: 801-822-5460

User Guide

39

NOTE:

Once Binding is enabled, the device can only access the internet

when the IP and MAC addresses on the binding list match

Remark:

Name of Binding rule

5.5.5.2 Dynamic Binding

Displays the current IP Address to MAC Address relationship for all devices using

DHCP on the network. By simply clicking the “Binding” or “All Binding” buttons, you

can automatically configure Binding rules for each device on the network.

5.5.6 Attack List

This page displays the devices on the network that have been detected by any

LAN Attack Defense settings. The device will be denied Internet access until it is

removed from the list. It is recommended that any devices appearing on this list

are checked and thoroughly cleaned of any viruses before allowing them to access

the Internet.

5.6 Advanced Settings

The Advanced Settings section includes:

±

5.6.1 Port Forwarding

±

5.6.2 UPnP

±

5.6.3 One -to -One NAT

±

5.6.4 Dynamic DNS

±

5.6.5 Router Table

±

5.6.5 Static Routes

User Guide

40

© Copyright 2011 Luxul. All rights reserved. Trademarks & Registered Trademarks are property of respective holders.

5.6.1 Port Forwarding

Port Forwarding allows traffic that reaches the WAN port to be redirected to a LAN

device. Port Forwarding allows you to setup public Web, FTP, and Email servers that

physically reside on the internal LAN network.

±

WAN:

Selects a WAN interface for mapping (either WAN1 or WAN2)

±

WAN Port:

Selects a TCP/UDP port to be mapped

±

Well-known Ports:

In the Well-known Ports dropdown, there are some com-

monly used protocol ports such as: DNS (53), FTP (21), GOPHER (70), HTTP (80),

NNTP (1190), POP3 (110), PPTP (1723), SMTP (25), SOCK (1080) and TELNET (23).

Any ports that are not included in the dropdown can be manually added.

±

LAN Port:

Selects the destination port on the Internal Server

±

LAN IP:

Sets the IP Address of the Internal Server to be accessed

±

Protocol:

Sets which type of traffic is forwarded: TCP, UDP or All

±

Enable:

Enables the port forwarding rule

±

Modify:

Updates the port forwarding rule

NOTE:

If you set up Port Forwarding with a service port of 80, remote

access to the XenSmart Web Management interface will need

to be through another port such as 8080 to avoid potential

conflicts.

5.6.2 UPnP

The latest Universal Plug and Play network protocol is supported by Windows XP

or higher (the operating system needs to be integrated with or have Directx9.0 or

higher). If UPnP is enabled, port forwarding information is automatically supplied

at the request of any compatible application.