Administrator’s Handbook

76

DHCP address serving can automatically serve the WAN IP address to a LAN computer.

When

DHCP

is used for addressing the designated passthrough PC, the acquired or configured WAN address is

passed to DHCP, which will dynamically configure a single-servable-address subnet, and reserve the address for

the configured PC’s MAC address. This dynamic subnet configuration is based on the local and remote WAN

address and subnet mask.

◆

The two

DHCP

modes assign the WAN IP information needed to the client automatically.

• You can select the MAC address of the PC you want to be the IP Passthrough client with

fixed

mode,

or,

• with “first-come-first-served” –

dynamic

– the first client to renew its address will be assigned the WAN IP.

◆

Manual

mode is like statically configuring your PC. With Manual mode, you configure the

TCP/IP Properties

of the LAN client PC you want to be the IP Passthrough client. You then manually enter the WAN IP address,

Gateway Address, etc. that matches the WAN IP address information of your Motorola Gateway. This mode

works the same as the DHCP modes. Unsolicited WAN traffic will get passed to this client. The client is still

able to access the Motorola Gateway and other LAN clients on the 192.168.1.x network, etc.

◆

The

Passthrough DHCP Lease

– By default, the passthrough host's DHCP leases will be shortened to two

minutes. This allows for timely updates of the host's IP address, which will be a private IP address before the

WAN connection is established. After the WAN connection is established and has an address, the passthrough

host can renew its DHCP address binding to acquire the WAN IP address. You may alter this setting.

◆

Click

Save

. Changes take effect immediately.

A restriction

Since both the Gateway and the passthrough host will use the same IP address, new sessions that conflict with

existing sessions will be rejected by the Gateway. For example, suppose you are a teleworker using an IPSec tun-

nel from the Router and from the passthrough host. Both tunnels go to the same remote endpoint, such as the

VPN access concentrator at your employer’s office. In this case, the first one to start the IPSec traffic will be

allowed; the second one – since, from the WAN, it's indistinguishable – will fail.

77

NAT Default Server

This feature allows you to:

◆

Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols only) to a default host

on the LAN, specified by your entry in the

Internal Address

field.

◆

Enable it for certain situations:

– Where you cannot anticipate what port number or packet protocol an in-bound application might use. For

example, some network games select arbitrary port numbers when a connection is opened.

– When you want all unsolicited traffic to go to a specific LAN host.

This feature allows you to direct unsolicited or non-specific traffic to a designated LAN station. With NAT “On” in

the Gateway, these packets normally would be discarded.

For instance, this could be application traffic where you don’t know (in advance) the port or protocol that will be

used. Some game applications fit this profile.

◆

Click

Save

. Changes take effect immediately.

Administrator’s Handbook

78

Link: Firewall Advanced

When you click the

Firewall Advanced

link the

Firewall Advanced

screen appears.

All computer operating systems are vulnerable to attack from outside sources, typically at the operating system or

Internet Protocol (IP) layers. Stateful Inspection firewalls intercept and analyze incoming data packets to deter-

mine whether they should be admitted to your private LAN, based on multiple criteria, or blocked. Stateful inspec-

tion improves security by tracking data packets over a period of time, examining incoming and outgoing packets.

Outgoing packets that request specific types of incoming packets are tracked; only those incoming packets consti-

tuting a proper response are allowed through the firewall.

Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. You can

configure UDP and TCP “no-activity” periods that will also apply to NAT time-outs if stateful inspection is enabled

on the interface. Stateful Inspection parameters are active on a WAN interface only if enabled on your Gateway.

Stateful inspection can be enabled on a WAN interface whether NAT is enabled or not.

DoS Protection – D

enial-

0

f-

S

ervice attacks are common on the Internet, and can render an individual PC or a

whole network practically unusable by consuming all its resources. Your Gateway includes default settings to

block the most common types of DoS attacks. For special requirements or circumstances, a variety of additional

blocking characteristics is offered. See the following table.

Menu item

Function

Drop packets with invalid source or

destination IP address

Whether packets with

invalid source or destination IP address

(es)

are to be dropped

Protect against port scan

Whether to detect and drop port scans.

Drop packets with unknown ether

types

Whether packets with

unknown ether types

are to be dropped

Drop packets with invalid TCP flags

Whether packets with invalid TCP flag settings (NULL, FIN, Xmas,

etc.) should be dropped

Drop incoming ICMP Echo

requests

Whether all ICMP echo requests are to be dropped;

On

or

Off

.

79

If you make any changes here, click the

Save

button.

Flood Limit

Whether packet flooding should be detected and offending packets

be dropped;

On

or

Off

.

Flood rate limit

Specifies the number limit of packets per second before dropping the

remainder.

Flood burst limit

Specifies the number limit of packets in a single burst before dropping

the remainder.

Flood limit ICMP enable

Whether ICMP traffic packet flooding should be detected and offend-

ing packets be dropped;

On

or

Off

.

Flood limit UDP enable

Whether UDP traffic packet flooding should be detected and offend-

ing packets be dropped;

On

or

Off

.

Flood limit UDP Pass multicast

Allows exclusion of UDP multicast traffic.

On

by default.

Flood limit TCP enable

Allows exclusion of TCP traffic.

Off

by default.

Flood limit TCP SYN-cookie

Allows TCP SYN cookies flooding to be excluded.

(Additional)

Neighbor Discovery Attack protec-

tion

Prevents downstream traffic from an upstream device that sends

excessive traffic but receives no replies;

On

or

Off

.

Reflexive ACL

When IPv6 is enabled, Reflexive Access Control Lists can deny

inbound IPv6 traffic unless this traffic results from returning outgoing

packets (except as configured through firewall rules).

Menu item

Function

Administrator’s Handbook

80

Diagnostics

When you click the

Diagnostics

tab, the

Troubleshoot

page appears.

This automated multi-layer test examines the functionality of the Router from the physical connections to the data

traffic being sent by users through the Router.

You can run all the tests in order by clicking the

Run Full Diagnostics

button.

The device will automatically test a number of components to determine any problems. You can see detailed

results of the tests by clicking the

Details

buttons for each item.