MN-700 Base Station Configuration Guide
The following procedure describes how to change the base station to access point mode after you have already set
up your network. If you are adding the base station to an existing network, and you want to set it to access point
mode, see Chapter 3, “Custom Setup” of the printed User’s Guide for detailed instructions.
To change the base station to access point mode
1. Open the Base Station Management Tool, and click Security.
2. From the Security menu, click Base Station Mode.
3. On the Base Station Mode page, click the Access Point radio button.
4. If you have not already established a name for your base station, type a name in the Base station name text
   box. Do not use the default name of MN-700.
5. Click Apply. When you switch the base station from router mode to access point mode, the base station resets.
While the reset is in progress, the Power light on the base station turns orange. When the light is solid green, the
reset is complete.
Firewall
The Broadband Networking Wireless Base Station provides a firewall to protect your network against malicious
transmissions. Just as the name implies, a firewall acts as a barrier or buffer zone between your local network and
the Internet. It checks data packets that are being transmitted to your network and discards any suspicious data.
The firewall is enabled by default, but you can choose to disable the firewall rule that blocks ping and other Internet
Control Message Protocol (ICMP) commands.
Block Ping Commands
The base station firewall is configured to discard network ping commands. A ping command is like a short
conversation between a device on the WAN and your base station. When a device on the WAN sends a ping
command, the base station responds.
When ping commands are blocked, the base station does not respond to a ping initiated from the WAN. This
security mechanism hides your network from hackers who might be pinging random IP addresses to see where they
get a response. A response verifies your network location, and a hacker can then use this information to send
malicious communications to your network.
In general, it is a good idea to discard ping commands sent from the WAN. You should only disable this firewall rule
under the following circumstances:
• When your ISP needs to ping your network to ensure that the connection is still valid.
• When you or another person needs to check your Internet connection from an external network. For example,
  you might want to do this to make sure that you can access your Web server.
• When you are playing games on the Internet, and other players need to verify your network location and
  connection speed.
To disable the Block ICMP Commands rule
1. Open the Base Station Management Tool, and then click Security.
2. On the Security menu, click Firewall.
3. Clear the Block ICMP Commands check box.
4. To disable the rule, click Apply.
Port Forwarding
You can configure the data ports on your base station to run programs that have special network requirements or to
host a server on your network. This configuration process is called port forwarding.
Port forwarding involves the configuration of data ports, which are logical programmatic elements. Do not confuse
data ports with the physical ports on your base station.
To run a program that sends and receives data on different ports, you must configure application-triggered port
forwarding. To host a server, you must configure persistent port forwarding.
For more information about ports and their role in data transmission, read the following section, “About Ports.”
About Ports
Data ports play an important role in data transmission.
Many different types of data are transmitted across a network, and certain types of data must pass out of certain
ports. The data type is identified by the protocol, or rules, that it follows. Typically, the data protocol determines the
ports to which the data is passed. For example, when you download files by using the File Transfer Protocol (FTP),
the request goes to outbound port 21, and the response returns to inbound port 20.
As a security feature, the Microsoft base station only opens inbound ports when data is transmitted from one of the
computers or other devices on your local network to the corresponding outbound port.
By keeping the inbound ports closed, the base station protects your networked computers from unsolicited traffic
from the Internet. A computer on the wide area network cannot initiate communication with your computers.
In certain situations, however, you may need to change the port configuration of the base station.
To run a program that uses a different port for inbound traffic than for outbound traffic, you may need to configure
application-triggered port forwarding.
To host a server on your network that receives unsolicited data requests from the Internet, you must configure
persistent port forwarding.
Application-Triggered Port Forwarding
Some applications, such as Internet games and videoconferencing, require multiple ports for data transmission.
For example, when you download files by using the File Transfer Protocol (FTP), the data requests go out through
port 21, and responses return through port 20.
These multiple port transmissions might cause problems when NAT is enabled on your base station, because the
NAT service anticipates that data sent to one port will return to the same port.
To run a program that uses a different port for inbound traffic than for outbound traffic, you may need to configure
application-triggered port forwarding.
The following illustration shows the Application-Triggered Port Forwarding page of the Base Station
Management Tool.
The Broadband Networking Wireless Base Station has been configured to accommodate some common
application protocols that require multiple ports, including FTP, Simple Mail Transfer Protocol (SMTP), and Post
Office Protocol 3 (POP3).
To configure application-triggered port forwarding for other applications that require multiple ports, you must
specify the following information:
• The outbound port from which data following a particular protocol will be sent.
• The inbound port or ports to which related data will return.
• The protocol, or “trigger type,” used when data is sent from the outbound port.
• The protocol, or “public type,” used when data is returned to the inbound port.
Essentially, you are telling the base station how to direct traffic across the networks. The inbound ports that you
specify will open only when data is sent to the corresponding outbound port. These ports will close again after a
certain amount of time has elapsed with no data sent to the inbound port.
You can set ranges of ports, multiple ports, and combinations of single and multiple ports for the inbound ports.
To identify the protocol that an application uses and the ports to which the data should be sent, consult the
documentation for that application.
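The open-on-trigger, close-when-idle behavior described above can be modeled as a small state table. This is an added example, not code from the guide or the base station firmware; the 300-second idle timeout, the per-port timers, the sample rule and the LAN address are assumptions, because the guide gives no timeout value.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 300  # seconds; assumed, the guide only says "a certain amount of time"

@dataclass
class TriggerRule:
    outbound_port: int
    trigger_type: str         # protocol of the outbound data
    inbound_ports: frozenset  # ports opened when the rule fires
    public_type: str          # protocol of the returning data

@dataclass
class TriggerTable:
    rules: list
    # (public_type, inbound_port) -> [lan_host, time of last activity]
    open_ports: dict = field(default_factory=dict)

    def outbound(self, now, lan_host, proto, dst_port):
        """A LAN host sends data out; a matching rule opens its inbound ports."""
        for rule in self.rules:
            if (rule.trigger_type, rule.outbound_port) == (proto, dst_port):
                for port in rule.inbound_ports:
                    self.open_ports[(rule.public_type, port)] = [lan_host, now]

    def inbound(self, now, proto, dst_port):
        """Data arrives from the WAN; return the LAN host, or None if dropped."""
        entry = self.open_ports.get((proto, dst_port))
        if entry is None:
            return None                      # port is not open: packet discarded
        if now - entry[1] > IDLE_TIMEOUT:
            del self.open_ports[(proto, dst_port)]
            return None                      # idle too long: the port has closed
        entry[1] = now                       # inbound data keeps the port open
        return entry[0]

def demo():
    # Constructed rule: outbound TCP 6000 opens inbound UDP 6001-6003.
    rule = TriggerRule(6000, "TCP", frozenset(range(6001, 6004)), "UDP")
    table = TriggerTable([rule])
    seen = [table.inbound(0, "UDP", 6002)]             # closed before the trigger
    table.outbound(10, "192.168.2.50", "TCP", 6000)    # constructed LAN address
    seen.append(table.inbound(20, "UDP", 6002))        # open, forwarded
    seen.append(table.inbound(300, "UDP", 6002))       # 280 s idle, still open
    seen.append(table.inbound(311, "UDP", 6001))       # 301 s idle, closed
    seen.append(table.inbound(311, "TCP", 6002))       # wrong public type
    return seen
```

While a trigger is active, anyone on the WAN can reach the opened inbound ports, so the inbound list should be kept as narrow as the application allows.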
To establish application-triggered port forwarding
1. Open the Base Station Management Tool, and then click Security.
2. On the Security menu, click Port Forwarding, and then click Set up application-triggered port forwarding.
3. In the Description box, type a description of the application that you want to enable.
4. In the Outbound port box, type the number of the outbound port. The outbound port should be a number from 0
   through 65535. To determine which port the application uses, consult the documentation for the application.
5. In the Trigger type drop-down list box, click the protocol that the outbound data uses. This protocol should be
   specified in the documentation for the application.
6. In the Inbound port(s) box, type the inbound port. The inbound port can be a single port or a comma-separated
   list of ports or port ranges. For example, you could type 4-25, or 243, or 10, 24-50, 74. You are limited to
   256 characters.
7. In the Public type drop-down list box, click the protocol that the inbound data uses. The protocol should be
   specified in the documentation for the application.
8. To add this application to your list of applications, click Add. You can now enable, disable, edit, or delete the
   application-triggered port forwarding you have set up.
If an application does not function correctly after you enable multiple ports, check the documentation for the
application to verify that you are specifying the correct ports. If you have set the correct ports and the application
still does not function properly, you might need to establish a virtual DMZ on one of the client computers on your
network to run the application. For more information, see “Virtual DMZ (demilitarized zone).”
Persistent Port Forwarding
When you host a server on your network—for example, a Web or FTP server—you must configure the base station to
perform persistent port forwarding.
Persistent port forwarding is similar to application-triggered port forwarding in that you are opening inbound ports to
allow particular types of data or data requests to be sent from the Internet to one of the networked computers. The
difference is that you are opening these inbound ports permanently, rather than configuring them to open only
when there is data sent to an outbound port. In addition, you are directing all data sent to that port to a particular
computer on your local network.
For example, if you set up a Web server on one of the computers on your network, you must direct unsolicited
requests sent to Transmission Control Protocol (TCP) Port 80, which handles Hypertext Transfer Protocol (HTTP) or
Web data, to that computer. An unsolicited request is any data communication that is not initiated by a computer
on your local network.
Although not required, it is recommended that you assign a static (fixed) IP address to the computer that will host the
server on your network. For more information about assigning a static IP address, see Broadband Network Utility Help.
To establish persistent port forwarding, you need the following information:
• The IP address of the computer that you want to use as a server on your local network. If you have not assigned
  a static IP address to this computer, you can determine its IP address by checking the DHCP client list on the
  Home page of the Base Station Management Tool.
• The inbound and private port numbers and protocol that correspond to the type of data that your server handles.
To configure persistent port forwarding
1. Open the Base Station Management Tool, and then click Security.
2. On the Security menu, click Port Forwarding, and then click Set up persistent port forwarding.
3. In the Description box, type a description of the server. (This step is optional.)
4. In the Inbound port box, type the inbound port to which data packets sent from the Internet to the server will be
   passed. The inbound port can be a single port or a range of ports. The port range cannot exceed 100 ports.
5. In the Type box, select the protocol (UDP or TCP) for the port.
6. In the Private IP address box, type the private IP address of the client computer that is hosting the server.
7. In the Private port boxes, type the private port or port range. The private port range must include the same
   number of ports as the inbound port range.
8. To add this server to your list of servers, click Add. You can now enable, disable, edit, or delete the persistent
   port forwarding that you have set up for this server.
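The port-field rules stated in the two procedures above (the comma-separated Inbound port(s) list limited to 256 characters, the 100-port limit, and the equal-sized private range) can be checked before a rule is entered. This is an added example, not code from the guide or the management tool; the function names are hypothetical, and the in-order, port-by-port mapping between the inbound and private ranges is an assumption.

```python
def parse_ports(text, max_chars=256):
    """Parse a value such as '10, 24-50, 74' into a list of (low, high) ranges."""
    if len(text) > max_chars:
        raise ValueError("field is limited to 256 characters")
    ranges = []
    for item in text.split(","):
        lo, _, hi = item.strip().partition("-")
        lo, hi = lo.strip(), (hi.strip() or lo.strip())
        if not (lo.isdecimal() and hi.isdecimal()):
            raise ValueError(f"not a port or port range: {item.strip()!r}")
        lo, hi = int(lo), int(hi)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"reversed or outside 0-65535: {item.strip()!r}")
        ranges.append((lo, hi))
    return ranges

def exposed_count(ranges):
    """Number of distinct inbound ports a rule opens (overlaps counted once)."""
    return len({p for lo, hi in ranges for p in range(lo, hi + 1)})

def check_persistent(inbound, private):
    """Return {inbound_port: private_port} for a persistent rule, or raise ValueError."""
    ins, privs = parse_ports(inbound), parse_ports(private)
    if len(ins) != 1 or len(privs) != 1:
        raise ValueError("persistent forwarding takes a single port or one range")
    (in_lo, in_hi), (pr_lo, pr_hi) = ins[0], privs[0]
    if in_hi - in_lo + 1 > 100:
        raise ValueError("inbound range cannot exceed 100 ports")
    if in_hi - in_lo != pr_hi - pr_lo:
        raise ValueError("private range must contain the same number of ports")
    # Assumed mapping: the n-th inbound port goes to the n-th private port.
    return {in_lo + i: pr_lo + i for i in range(in_hi - in_lo + 1)}
```

`exposed_count` gives a quick measure of how much a rule widens the firewall, which is worth reviewing before clicking Add.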
Virtual DMZ (demilitarized zone)
In certain situations, you might want to set up a virtual DMZ (demilitarized zone) on one of the clients on your
network. When you establish a DMZ, you essentially open all inbound ports and direct the base station to forward
certain inbound data packets (those that are not in response to a transmission initiated by a LAN client and not
handled through application-triggered or persistent port forwarding) to a particular computer on your LAN. This
computer becomes the DMZ host.
A DMZ host is useful for experimenting with new games on the Internet or for setting up a server on your network
before you know which ports to open for that server.
However, you should use a DMZ only in very specific situations. The computer that hosts the DMZ is fully exposed to
the Internet, and is thus susceptible to malicious attacks and unauthorized access.
Unlike a real DMZ, the virtual DMZ is a client on your network and therefore has access to the other computers
on your LAN. If a hacker were to upload a virus to the virtual DMZ, the virus could spread to all the computers on
your network.
You should assign a static IP address to the computer that you will use as your virtual DMZ. For information about
how to assign a static IP address to a computer on your network, see Broadband Network Utility Help.
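The forwarding order described in this section, and what enabling the virtual DMZ changes for unsolicited traffic, can be modeled as a single decision function. This is an added example, not code from the guide or the firmware; the addresses, the probed port list and the relative order of the triggered and persistent checks are assumptions.

```python
def route_inbound(proto, port, remote, sessions, triggered, persistent, dmz_host=None):
    """Decide where a packet arriving from the WAN goes; returns (lan_host, reason)."""
    if (proto, port, remote) in sessions:       # reply to LAN-initiated traffic
        return sessions[(proto, port, remote)], "reply"
    if (proto, port) in triggered:              # port currently opened by a trigger
        return triggered[(proto, port)], "triggered"
    if (proto, port) in persistent:             # permanently forwarded port
        return persistent[(proto, port)], "persistent"
    if dmz_host is not None:                    # everything left over goes to the DMZ host
        return dmz_host, "dmz"
    return None, "dropped"                      # default: unsolicited traffic is discarded

def unsolicited_reach(ports, persistent, dmz_host=None):
    """Map each probed TCP port to the LAN host an unsolicited packet would reach."""
    remote = ("203.0.113.9", 40000)             # constructed WAN sender
    return {p: route_inbound("TCP", p, remote, {}, {}, persistent, dmz_host)[0]
            for p in ports}

# Constructed sample state: one Web server forwarded on TCP 80.
PERSISTENT = {("TCP", 80): "192.168.2.10"}
# Ports a LAN computer often listens on (Web, file sharing, remote desktop).
PROBED = [80, 139, 445, 3389]

def compare():
    """Reachability of PROBED ports without and with a virtual DMZ host."""
    without = unsolicited_reach(PROBED, PERSISTENT)
    with_dmz = unsolicited_reach(PROBED, PERSISTENT, dmz_host="192.168.2.20")
    return without, with_dmz
```

With the DMZ disabled only port 80 reaches a LAN host; with it enabled every other probed port lands on the DMZ host, which is why that computer needs its own host firewall and current patches.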
To establish a virtual DMZ
1. Open the Base Station Management Tool, and then click Security.
2. On the Security menu, click Virtual DMZ (Demilitarized Zone).
3. Select the Enable Virtual DMZ check box.
4. In the text box, type the IP address assigned to the computer that will host the virtual DMZ.
5. To save your changes, click Apply.
MAC Filtering
You can increase the security on your network by using MAC filtering. MAC filtering enables you to control wireless
access to network resources, including your Internet connection and shared files and printers. You can configure
the base station to permit or deny a wireless client access to network resources based on the MAC address of the
adapter that the client uses. MAC filtering can only prevent computers from making a wireless connection to your
network; it does not affect computers with an Ethernet connection to your network.
Note: A MAC address is a unique alphanumeric identifier for a hardware device, such as a base station or adapter. You
can find the MAC address for your Microsoft base station and any Microsoft network adapters you are using printed on
the label of each device.
You have two options for implementing MAC filtering. You can:
• Allow unspecified MAC addresses. This is a good option when you know the MAC addresses of the computers
  or other devices that you do not want to access your network. Any device whose MAC address you do not specify
  will be able to connect to your network with the appropriate wireless settings.
• Deny unspecified MAC addresses. This is a good option if you want to enforce the highest security level on your
  network, because it helps to prevent unknown wireless clients from being able to join your network. Only the
  clients to which you specifically grant permission can connect to the base station and use your network
  resources.
The following illustration shows the MAC Filtering page of the Base Station Management Tool.
