CRADLEPOINT

MBR1200 | USER MANUAL Firmware ver. 1.6.12

© 2010

CRADLEPOINT, INC.

PLEASE VISIT

HTTP://KNOWLEDGEBASE.CRADLEPOINT.COM/

FOR MORE HELP AND RESOURCES

PAGE 44

Enable DMZ.

If an application has trouble working from behind the router, you can expose one computer to the Internet and run the application on

that computer. NOTE: Placing a computer in the DMZ may expose that computer to a variety of security risks. Use of this option is only

recommended as a last resort.

DMZ IP Address.

Specify the IP address of the computer on the LAN that you want to have unrestricted Internet communication. If this computer

obtains its IP address automatically using DHCP, be sure to make a static reservation on the

Basic

→

DHCP

sub-menu so that the IP address of

the DMZ machine does not change.

5.3.6

NON-UDP/TCP/ICMP LAN Sessions

When a LAN application that uses a protocol other than UDP, TCP, or ICMP

initiates a session to the Internet, the router‟

s NAT can track such a session,

even though it does not recognize the protocol. This feature is useful

because it enables certain applications (most importantly a single VPN

connection to a remote host) without the need for an ALG.

NOTE: this feature does not apply to the DMZ host (if one is enabled). The

DMZ host always handles these kinds of sessions.

Enable.

(Default: enabled). Allows single VPN connections to a remote host.

But, for multiple VPN connections, the appropriate VPN ALG must be used.

Disabling this option, however, only disables VPN if the appropriate VPN

ALG is also disabled.

5.3.7

Application Level Gateway (ALG) Configuration

Here you can enable or disable ALGs. Some protocols and applications

require special handling of the IP payload to make them work with network

address translation (NAT). Each ALG provides special handling for a specific

protocol or application. A number of ALGs for common applications are

enabled by default.

PPTP.

Allows multiple machines on the LAN to connect to their corporate networks using PPTP protocol. When the PPTP ALG is enabled, LAN

computers can establish PPTP VPN connections either with the same or with different VPN servers. When the PPTP ALG is disabled, the router

allows VPN operation in a restricted way -- LAN computers are typically able to establish VPN tunnels to different VPN Internet servers but not to

the same server. The advantage of disabling the PPTP ALG is to increase VPN performance. Enabling the PPTP ALG also allows incoming VPN

connections to a LAN side VPN server (refer to

Advanced → Virtual

Server

).

IPSec (VPN).

Allows multiple VPN clients to connect to their corporate networks using IPSec. Some VPN clients support traversal of IPSec

through NAT. This option may interfere with the operation of such VPN clients. If you are having trouble connecting with your corporate network,

try disabling this option.

(continued)

CRADLEPOINT

MBR1200 | USER MANUAL Firmware ver. 1.6.12

© 2010

CRADLEPOINT, INC.

PLEASE VISIT

HTTP://KNOWLEDGEBASE.CRADLEPOINT.COM/

FOR MORE HELP AND RESOURCES

PAGE 45

Check with the system administrator of your corporate network whether your VPN client supports NAT traversal.

Note that L2TP VPN connections typically use IPSec to secure the connection. To achieve multiple VPN pass-through in this case, the IPSec ALG

must be enabled.

RTSP.

Allows applications that use Real Time Streaming Protocol to receive streaming media from the Internet. EVDO QuickTime and Real

Player are some of the common applications using this protocol.

Windows/MSN Messenger.

Supports use on LAN computers of Microsoft Windows Messenger (the Internet messaging client that ships with

Micro-soft Windows) and MSN Messenger. The SIP ALG must also be enabled when the Windows Messenger ALG is enabled. Required if you

don‟t have UPnP

-enabled chat program.

FTP.

Allows FTP clients and servers to transfer data across NAT. Refer to the

Advanced

→

Virtual Server

sub-menu if you want to host an FTP

server.

H.323 (NetMeeting).

Allows H.323 (specifically, Microsoft NetMeeting) clients to communicate across NAT. NOTE: You must set up a virtual

server for Net-Meeting. Refer to the

Advanced

→

Virtual Server

sub-menu for information on how to set up a virtual server.

SIP.

Allows devices and applications using VoIP (Voice over IP) to communicate across NAT. Some VoIP applications and devices have the

ability to discover NAT devices and work around them. This ALG may interfere with the operation of such devices. If you are having trouble

making VoIP calls, try turning this ALG off.

Wake-On-LAN.

Enables forwarding of “magic packets” (that is, specially formatted wake

-up packets) from the WAN to a LAN computer or other

device that is “Wake on LAN” (WOL) capable. The WOL device must be defined as such on the

Advanced

→

Virtual Server

sub-menu. The LAN

IP address for the virtual server is typically set to the broadcast address 192.168.0.255. The computer on the LAN whose MAC address is

contained in the magic packet will be awakened.

MMS.

Allows Windows Media Player, using MMS protocol, to receive streaming media from the Internet.

After you‟ve completed all modifications or deletions, you must click the

Save Settings

button at the top of the page to save your changes. The

router must reboot before new settings will take effect. You will be prompted to

Reboot the Device

or

Continue

. If you need to make additional

settings changes, click

Continue

. If you are finished with all configuration settings, click the

Reboot the Device

button.

CRADLEPOINT

MBR1200 | USER MANUAL Firmware ver. 1.6.12

© 2010

CRADLEPOINT, INC.

PLEASE VISIT

HTTP://KNOWLEDGEBASE.CRADLEPOINT.COM/

FOR MORE HELP AND RESOURCES

PAGE 46

5.4 Gaming

Multiple connections are required by some applications, such as internet

games, video conferencing, Internet telephony, and others. These

applications have difficulties working through NAT (Network Address

Translation). This section is used to open multiple ports or a range of ports

in your router and redirect data through those ports to a single PC on your

network. You can enter ports in various formats including,

Port Ranges

(100-150)

,

Individual Ports (80, 68, 888)

, or

Mixed (1020-5000, 689)

.

Example: Suppose you are hosting an online game server that is running on

a PC with a private IP Address of 192.168.0.50. This game requires that you

open multiple ports (6159-6180, 99) on the router so Internet users can

connect.

5.4.1

Add Gaming Rule

Use this section to add a Gaming Rule to the following list.

Enable.

Specifies whether the entry will be active or inactive.

Name.

Give the rule a name that is meaningful to you, for example

Game

Server

. You can also select from a list of popular games, and many of the

remaining configuration values will be filled in accordingly. However, you

should check whether the port values have changed since this list was

created, and you must fill in the IP address field.

IP Address.

Enter the local network IP address of the system hosting the

server, for example

192.168.0.50

. You can select a computer from the list of DHCP clients in the

Computer Name

drop-down menu, or you can

manually enter the IP address of the server computer.

TCP Ports.

Enter the TCP ports to open (for example

6159-6180, 99

).

UDP Ports.

Enter the UDP ports to open (for example

6159-6180, 99

).

Schedule.

Select a schedule for the times when this rule is in effect. If you do not see the schedule you need in the list of schedules, go to the

Tools

→

Schedules

sub-menu and create a new schedule.

Inbound Filter.

Select a filter that controls access as needed for this rule. If you do not see the filter you need in the list of filters, go to the

Advanced

→

Inbound Filter

sub-menu and create a new filter.

Save/Update.

Record the changes you have made.

(continued)

CRADLEPOINT

MBR1200 | USER MANUAL Firmware ver. 1.6.12

© 2010

CRADLEPOINT, INC.

PLEASE VISIT

HTTP://KNOWLEDGEBASE.CRADLEPOINT.COM/

FOR MORE HELP AND RESOURCES

PAGE 47

Clear.

Re-initialize this area of the screen, discarding any changes you have made.

When you are done editing the settings, you must click the

Save Settings

button at the top of the page to make the changes effective and

permanent.

With the above example values filled in and this Gaming Rule enabled, all TCP and UDP traffic on ports 6159 through 6180 and port 99 is passed

through the router and redirected to the Internal Private IP Address of your Game Server at 192.168.0.50

NOTE: different LAN computers cannot be associated with Gaming rules that contain any ports in common. Such rules would contradict each

other.

5.4.2

Gaming Rules

This is a list of the defined Gaming Rules. Click the

Enable

check box at

the left to directly activate or de-activate the entry. An entry can be

changed by clicking the

Edit

icon or can be deleted by clicking the

Delete

icon. When you click the

Edit

icon, the item is highlighted, and

the

Gaming Rules

section is activated for editing.

After you‟ve completed all modifications or dele

tions, you must click the

Save Settings

button at the top of the page to save your changes. The

router must reboot before new settings will take effect. You will be prompted to

Reboot the Device

or

Continue

. If you need to make additional

settings changes, click

Continue

. If you are finished with all configuration settings, click the

Reboot the Device

button.

CRADLEPOINT

MBR1200 | USER MANUAL Firmware ver. 1.6.12

© 2010

CRADLEPOINT, INC.

PLEASE VISIT

HTTP://KNOWLEDGEBASE.CRADLEPOINT.COM/

FOR MORE HELP AND RESOURCES

PAGE 48

5.5 Inbound Filters

(Default: No filters). When you use the Virtual Server, Gaming, or Remote

Administration features to open specific ports to traffic from the Internet, you

could be increasing the exposure of your LAN to cyberattacks from the Internet.

In these cases, you can use Inbound Filters to limit that exposure by specifying

the IP addresses of internet hosts that you trust to access your LAN through the

ports that you have opened. You might, for example, only allow access to a

game server on your home LAN from the computers of friends whom you have

invited to play the games on that server.

Inbound Filters can be used for limiting access to a server on your network to a

system or group of systems. Filter rules can be used with Virtual Server, Gaming,

or Remote Administration features. Each filter can be used for several functions;

for example a "Game Clan" filter might allow all of the members of a particular

gaming group to play several different games for which gaming entries have

been created. At the same time an "Admin" filter might only allows systems from

your office network to access the WAN admin pages and an FTP server you use

at home. If you add an IP address to a filter, the change is effected in all of the

places where the filter is used.

5.5.1

Add Inbound Filter Rule

Name.

Enter a name for the rule that is meaningful to you.

Action.

The rule can be set to either ALLOW or DENY applicable messages.

Defines the range of Internet addresses this rule applies to. Select the protocol

used for this rule.

Enable.

Enables inbound filtering for the IP Range you specify.

Remote IP Start/Remote IP End.

Define the ranges of Internet addresses this

rule applies to. For a single IP address, enter the same address in both the

Start

and

End

boxes. Up to eight ranges can be entered. The

Enable

check box allows you to turn on or off specific entries in the list of ranges.

Save/Update.

Record the changes you have made.

Clear.

Re-initialize this area of the screen, discarding any changes you have made. When you are done editing the settings, you must click the

Save Settings

button at the top of the page to make the changes effective and permanent.

(continued)