ISP-CPE510G/A Manual
Contents
3. [Figure 4: Node Shortcut Menu, listing Open Status Window, Advanced Node Configuration, Save Configuration, Back Up, Unlock, FW Upgrade, Reboot, Restore Defaults, Current Throughput, WISP Easy Wizard (WEW) and Remove]

   NETKROM NMS Main Menu

   Using NNMS menus you can manage system profiles, implement tools to discover, add and view nodes, launch utilities, and access help information. The menus include:

   File
   • Save Profile: Save the current NNMS profile.
   • Load Profile: Load a previously saved NNMS profile.
   • Load Background Image: Load a background image (typically a map) to be displayed in the Topology Map.
   • NNMS Settings: Set polling interval and polling port values.
   • Exit: Exit NNMS.

   Tools
   • View Topology: Display the Topology Map tab.
   • Add New Node: Open the Insert New Node dialog box.
   • License Manager: Display the License Manager tab.
   • Discovery Manager: Open the Auto Discovery dialog box.

   Utilities
   • MRTG: Open the MRTG window.

   Help
   • Home Page: Access the NETKROM website.
   • About: Display the NETKROM introductory window.

   2.1.2 Network Topology Tab Information Panes

   [Screenshot: Network Topology tab with the Node List, Topology Map and Node Status panes]
4. [Figure 50: Advanced WMM Parameters]

   WMM QUEUES (TRAFFIC PRIORITIES)

   There are four queues that the hardware uses to organize and prioritize packets:
   • AC_BK (Background Access Category): Lowest priority, for bulk data that requires maximum throughput and is not time-sensitive, such as FTP.
   • AC_BE (Best Effort Access Category): Medium priority; traditional IP data is sent via this queue.
   • AC_VI (Video Access Category): High priority, lower than VOICE; video data is sent to this queue.
   • AC_VO (Voice Access Category): High priority; VoIP data and streaming media.

   NOTE 1: On behalf of the AP, these fields are advertised in the Beacon, and the client (station) on the other side is informed this way so that it is aware of the policy of the AP. Conversely, the AP knows the policy of each client.

   NOTE 2: AP EDCA parameters affect traffic flowing from the AP to the client or station. STA EDCA parameters control the upstream from the client or station to the AP.

   CONFIGURABLE FIELDS (per queue)
   a. CWmin: Minimum value of Contention Window
   b. CWmax: Maximum Va
6. Clear: Click Clear to clear the data from the window.

   10.7 Viewing System Properties

   The System Properties tab provides information about the currently selected node's CPU and memory. To access the System Properties, select the System Properties tab under the Advanced Configuration tab.

   [Figure 105: System Properties Dialog, showing CPU Info and Memory Info (Flash Size, Flash Free, FS Size, FS Free, Mem Free, Mem Total)]

   To refresh the data in the System Properties fields, click the Refresh button.

   11 System Tuning

   System Tune allows one to maximize performance for specific applications. Using these parameters you will be able to configure advanced parameters in the TCP stack, make advanced adjustments to have better control over your links, and restrict and limit communication requests with your wireless equipment.

   Fields shown in the System Tuning dialog:
   • Max concurrent open connections (default value 4096)
   • Max retransmissions of the SYN-ACK reply to a SYN request (default value 5, current value 5)
   • TCP timeout for established connections (default value 432000)
   • Max retransmissions of the initial SYN packet for an active TCP connection attempt (current value 5)
   • TCP timeout for time-waiting connections
   • Send cookies to identify a valid TCP
7. [Figure 18: Network Configuration Tab]

   3.1 Using the Network Interfaces Tree

   The left pane of the IP Configuration tab contains the Network Interfaces Tree, a representation of all available network interfaces of the selected node. The tree view can be expanded or collapsed by left-clicking on any master interface. When an interface is selected, data fields in the other panes display the parameters associated with the selected interface, and changes can be made.

   3.2 Configuring Basic IP Settings

   The top pane of the IP Configuration tab contains all Basic IP Configuration fields for the interface selected in the Network Interfaces Tree.

   [Figure 19: IP Interface Settings, showing the IP Address, PTP IP Address, Subnet and MAC Address fields and the Enable/Disable Selected Interface, MAC Spoofing and STP Enable check boxes]

   The following section describes the fields used to configure IP settings.

   3.2.1 IP Address

   The IP Address field contains the IP address of the selected interface. To change the IP address of the interface, type the new address into this field
8. [Figure 9: Node Insertion]

   If the newly inserted node has successfully responded to a network probe, a green outline appears around the icon. A red outline indicates the node is not responding.

   2.2.3 Moving and Resizing Icons

   • To move a node icon, drag it to the desired location in the pane.
   • To resize a node icon, select the icon, then drag one of its handles.

   2.2.4 Adding Background Map Images

   The Topology Map can be further enhanced by loading a background image to indicate the geographical location of the nodes. To add a background image:
   • On the File menu, click Load Background Image. The Load Background Image dialog appears.
   • Browse to the image file you wish to load, select it, and click the Load Background Image button.

   Note: gif or jpg formats may be used for background images.

   [Figure 10: Customized Topology Map]

   • Adjust the magnification level of the background image using the following zoom buttons located
9. ISPAIR 54Mb CPE 510 Series: NETKROM OS & NETKROM NMS User Manual, Jan 12 2008

   © 2006 NETKROM Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photography, recording, or any information storage and retrieval system, without written consent. Information in this manual is subject to change without notice and does not represent a commitment on the part of NETKROM. NETKROM shall not be liable for incidental or consequential damages resulting from the furnishing, performance, or use of this manual. All brand names used in this manual are the registered trademarks of their respective owners. The use of trademarks or other designations in this publication is for reference purposes only and does not constitute an endorsement by the trademark holder.

   Table of Contents
   • Hardware Installation
   • Package Contents
   • Setup Requirements
   • Panel Views and Description
   • ISPAIR CPE 510 Installation
   • Mounting the ISPAIR CPE 510 in a Wall
   • Mounting the ISPAIR CPE 510 in a Pole
   • 1.1 Compatibility and Requirements
10. [Figure 70: DHCP Relay]

   To configure a DHCP Relay, select the interface from the interface tree. Its background turns blue. To view the full DHCP Relay pane, select the Relay option button, then select the Active check box. The Relay Configuration pane appears.

   The Relay Configuration pane represents the subnet (LAN) where a relay listens for client DHCP requests in order to forward them to DHCP servers (Server 1, Server 2, Server 3 or Server 4). Type the appropriate IP addresses in these fields. The interface on which the relay runs should have a valid IP address and subnet mask and, like the other DHCP applications, DHCP relay can have multiple instances on different interfaces. To complete the configuration, click Submit.

   8 WAN

   To configure WAN settings, select the WAN tab located under the Advanced Configuration of Node > Configuration tabs. The WAN tab contains two sub-tabs, PPPoE and PPTP, selected by clicking the corresponding option button. See Page 35 for a diagram showing Advanced Configuration tabs and sub-tabs.

   8.1 Configuring a PPPoE CLIENT

   The PPPoE client application is used to create PPPoE connections with PPPoE servers, mainly used by Internet Service Providers.

   [Screenshot: WAN Configuration pane]
11. 1. Select the physical interface in the Network Interfaces Tree.
   2. Click the Add new Iface button. The virtual interface appears in the tree and is automatically named with a prefix that matches the physical interface name and a suffix that includes the virtual interface index inside brackets.

   [Figure 23: Insertion of Virtual Interfaces]

   Delete Interface

   To permanently remove a virtual interface:
   1. Select the virtual interface in the Network Interfaces Tree.
   2. Click the Delete Iface button.

   Using Table View

   The Table View option is a feature that further enhances the controllability of interface IP settings. This feature allows you to browse and edit the basic settings of all available interfaces. To access this option, click the Table View button located below the Network Interface Tree pane. The Interface Configuration dialog appears.

   [Figure 24: Interface Table View]

   3.6 Configuring VLANs

   A Virtual LAN (VLAN) is a group of devices on one or more LANs that are configured so that they can communicate as if they were attached to the same network when in fac
12. 5.1.5 Configuring AP Client and Station Modes

   The functionality of AP Client and Station modes is similar. Both modes configure the node as a client. The main difference is that AP Client supports address 4 traffic, while Station has an embedded proxy ARP functionality to support only address 3 traffic for all possible entities which may be adjacent to its Ethernet interface. You can select either mode based on your network needs.

   [Figure 39: AP Client Mode Settings]

   [Figure 40: Station Mode Settings]

   Preferred SSID

   This field contains the string which is published as ESSID by the AP Client/Station node. To create a name for the service set identifier (SSID), type the name in the Preferred SSID box.

   Preferred BSSID

   This field contains the MAC address which is published as BSSID by the AP Client/Station node. To create a name for the basic service set
13. [Screenshot: match settings for the "ftp traffic out" class]

   9.5.3

   We drag & drop the previous classes to these new ones to create a class hierarchy as depicted at picture 88. We also alter the structure of our policies so that only the newly created classes are assigned to them.

   [Figure 89: Class hierarchy]

   This way we limit the PIR at parent classes (3000/3500) and then we further distribute the bandwidth among the child classes (1499/3500 each). So we enforce an upper limit on the amount of bandwidth used for FTP traffic and at the same time we enable both FTP servers to use the full potential of the reserved bandwidth.

   Note: We couldn't have set a CIR of 1500 on each subclass because when we subdivide a class to subclasses there should alway
14. [Figure 1: NNMS Main Window]

   Main Menu

   The NETKROM NMS window features a menu system with four main menu headings: File, Tools, Utilities, and Help.

   [Figure 2: NNMS Main Menu System]

   Tabbed Panes

   The main body of the NNMS window displays information in tabbed panes. When NNMS starts, the Network Topology tab is available. This tab contains three information panes: the Topology Map, the Registered Node List, and the Node Status pane.

   [Figure 3: NNMS Tabbed Panes]

   Node Shortcut Menu

   Many other functions are accessible via the Node Shortcut Menu, which includes the following items: GUI Node Connectivity Settings, Open Status Window, Advanced Node Configuration, Save Configuration, Unlock, Back Up, FW Upgrade, Reboots, Current Throughput, Wisp Easy Wizard (WEW), and Remove. From the Node Shortcut Menu you can access additional tabbed windows used in configuring and monitoring the network.
15. and click the Submit button.

   3.2.2 Subnet

   The Subnet field contains the subnet mask address of the selected interface. To change the subnet address, type the new address into this field and click the Submit button.

   3.2.3 Enable/Disable Selected Interface

   The Enable/Disable Selected Interface box indicates whether the interface is enabled. If this box is not checked, the interface will maintain the desired configuration but it will remain disabled. If the selected interface is a virtual interface, this box has no effect. Virtual interfaces can only be in the enabled state.

   3.2.4 PTP IP Address

   If there is a PPP connection from a PPPoE client or a PPTP client, the remote peer IP address is displayed in the PTP IP Address field. Otherwise this field is blank. This is a read-only field.

   3.2.5 MAC Address

   The MAC Address field displays the interface's Media Access Control (MAC) address in hex format. This field is readable for any kind of interface and writeable only for physical interfaces. To change the MAC address of a physical interface, the MAC Spoofing check box must be selected.

   3.2.6 MAC Spoofing

   When the MAC Spoofing check box is selected, an alternate MAC address (for physical interfaces only) can be typed into the MAC Address field.

   3.2.7 STP Enable

   The STP Enable check box enables the use of Spanning Tree Protocol.

   Note: Spanning Tree Protocol (STP) elimina
16. bridge set the same traffic policy to every physical interface that makes up the bridge. Virtual interfaces can only be distinguished on the basis of their IP address. Bear in mind that you can't assign more than one policy per interface flow, nor the same policy to both flows of the same interface. The way that Classes, Policies and Interfaces are interrelated is depicted in picture 79.

   [Figure 77: Classes, Policies and Interfaces]

   Associations are carried out by drag & dropping one item on another.

   9.2 Differentiating network traffic

   The network traffic can be categorized by almost any combination of the following properties:
   • Inbound/Outbound Interface, e.g. Eth0 in, ath0 out
   • Source/Destination IP subnet, e.g. 192.168.2.0/24, 172.16.1.1/32
   • Source/Destination IP port range, e.g. 0-1024, 520
   • Source/Destination MAC, e.g. 01:02:03:04:05:06
   • Protocol, e.g. IP, TCP, UDP, ICMP
   • Application, e.g. P2P traffic etc.
   • Negations of most of the aforementioned, e.g. 192.168.1.1/32

   These pa
17. causing a match to occur if the opposite of the rule is matched. For example, Source MAC is configured with the specific MAC address. When the adjacent check box is selected, the rule will match all packets except the ones that have the specified Source MAC address.

   Source IP

   The Source IP field displays the source IP address of the packet. The address can be expressed as a single IP address (e.g. 192.168.1.1/32) or as a whole IP subnet (e.g. 192.168.1.0/24). A match occurs if the source IP of the packet is exactly the same or belongs to the subnet configured. Type the source IP address and number of subnet mask bits into the Source IP field.

   Destination IP

   The Destination IP field displays the destination IP address of the packet. The address can be expressed as a single IP address (e.g. 192.168.1.1/32) or as a whole IP subnet (e.g. 192.168.1.0/24). A match occurs if the destination IP of the packet is exactly the same or belongs to the subnet configured. Type the destination IP address and number of subnet mask bits into the Destination IP field.

   Source Port(s)

   The Source Port(s) field displays the port number of the source node. A match occurs if the source port number is the same as the number in this field. Type the source port number into the Source Port field.

   Destination Port(s)

   The Destination Port(s) field displays the port number of the destination no
18. identifier (BSSID), type the MAC address in the Preferred BSSID box.

   State and Link Quality/Signal Level

   The State field and the Link Quality/Signal Level fields mirror the client node's state with respect to its potential link with an access point. A continuous polling protocol operates between the NETKROM NMS and all nodes which have been added in the Network Topology pane. For client-configured nodes, NETKROM NMS is continuously informed of the State (Idle, Authenticated or Associated) of the node, the quality of the link (if associated), and the dynamic signal strength.

   Using Site Survey Operation

   The Site Survey button is available on all OpMode tabs. If a NETKROM node operates as AP Client, Repeater or Station, Site Survey will scan all available channels to find an appropriate BSSID to join based on user credentials (SSID, BSSID, Security, etc.). When a NETKROM node acts as an access point or WDS, Site Survey can be used to scan and monitor adjacent frequencies to detect interference from other access points.

   When you click the Site Survey button, the Site Survey dialog box appears. Rows in the dialog box display all the available information for every node scanned. After the scan is complete and the dialog box list is populated, the status bar at the bottom of the NETKROM NMS window displays the message "Site survey list retrieved successfully".

   [Screenshot: Site Survey dialog box]
19. technique that improves network performance in the presence of RF interference. You can set the fragment size by typing in the frame size threshold in bytes. If a frame exceeds this value, it will be fragmented. The fragmentation range is 256 to 2048 bytes. Setting the fragmentation threshold to 2048 effectively disables fragmentation. To implement fragmentation, type the threshold value into the Frag box and select the Enable check box.

   Setting RTS

   The RTS field allows you to implement RTS/CTS handshaking between a NETKROM node and another station on the wireless network. RTS/CTS handshaking helps minimize collisions among hidden stations on a wireless network. An RTS/CTS handshake involves the originating node sending a Ready To Send frame to its destination, then waiting for the destination to return a Clear To Send frame. The originating node will then send its data. RTS/CTS operation adds to overhead but can help avoid collisions.

   When implementing RTS on a NETKROM access point, RTS operation is initiated if a packet exceeds the threshold configured in the RTS field. The valid range is 0 to 2347 bytes. If RTS is enabled, a starting value of 500 is recommended. To implement RTS, type the threshold value into the RTS box and select the Enable check box.

   Selecting Diversity Options

   The Diversity field allows you to enable the use of two antennas for diversity operation, if two are used for the same radio.

   Selecting Antenna Options
20. up to now. By choosing the table view you get some more detailed statistics, including dropped packets due to rate/burst limitations.

   [Figure 96: More detailed statistics]

   9.7 Design Guidelines and Limitations

   9.7.1 Destination/Source MAC match type

   To use the destination MAC match type, you have to create a bridge interface and assign to it the desired physical interface (a single interface is OK). Then you can use the destination MAC match type of the interface assigned to the bridge. Also bear in mind that on a regular IP network all packets received on the gateway have the gateway's MAC address as destination MAC; similarly, all packets forwarded by the gateway have the gateway's MAC address as source MAC. Hence it is pointless to use these fields on a NETKROM OS powered AP which acts as a gateway.

   [Figure 97: A packet sent by A for B has C Eth0's MAC address as destination MAC, and when it is resent by C it has a source MAC of C Eth1]

   When A sends a packet for B, the packet initially has destination MAC C Eth0. Thereafter, when gateway C forwards it to its destination host B, it has source MAC C Eth1.

   Application match type

   You may set the application match type only on leaf subclasses on a class hierarchy. T
21. Example

   Click Submit to add the rule to the list and apply it to the router.

   [Figure 66: NAT Tab, Masquerade Example]

   HINT: Make sure IP Forwarding is enabled on the router (Interface settings panel).

   Important: To enable a NAT rule (write it to the active list) you must click the button.

   7 DHCP

   The Dynamic Host Configuration Protocol (DHCP) provides configuration parameters to Internet hosts in a client-server model. DHCP server hosts allocate network addresses and deliver configuration parameters to other (client) hosts. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a server to a host, and a mechanism for allocation of network addresses to hosts.

   To configure DHCP settings, select the DHCP tab located under the Advanced Configuration of Node > Configuration tabs. The DHCP tab contains two sub-tabs, Server and Client, selected by clicking the corresponding option button. See Page 35 for a diagram showing Advanced Configuration tabs and sub-tabs.

   7.1 Configuring a DHCP SERVER

   The NETKROM DHCP server provides an extended set of configuration parameters while at the same time being effective and
23. NAT settings select the NAT tab located under the Advanced Configuration of Node Configuration tabs See Page 35 for a diagram showing Advanced Configuration tabs and sub tabs 6 1 Firewall and NAT Chains NETKROM OS supports advanced firewall and NAT Network Address Translation functionality and features an easy management and monitoring interface providing a turnkey solution for advanced and novice network administrators However a firewall mis configuration may result in denial of service even for the administrator outlining a high risk configuration NETKROM OS Firewall and NAT subsystems consist of four firewall and two NAT queue chains 6 1 1 Firewall Chains e Input firewall All incoming traffic is tested against the input firewall rules prior to being accepted e Output firewall All outgoing traffic is tested against the output firewall rules prior to being sent e Forwarding firewall All traffic that is being forwarded through the operating system is tested against the forwarding firewall rules prior to being forwarded e Flowmark All incoming traffic that matches the corresponding criterions is marked 6 1 2 NAT Chains e DNAT Used to alter destination attributes of a packet to redirect them Page 77 of 141 NETKROM OS and NETKROM NMS User Manual e SNAT Used to alter source attributes of a packet to hide sender s address and properties The following image displays the way data packet
24. The Antenna drop down list allows you to select the Right or Left antenna if two are used Setting Transmitted Power The transmitted power of the node can be set by selecting preset values between 5 and 30 This 1s a custom scale with no defined units which simply represents minimum and maximum Transmitted Power of the currently selected wireless interface To set transmitted power select a value in the Tx Power drop down list Page 66 of 141 NETKROM OS and NETKROM NMS User Manual 5 3 Configuring Security Settings From the Security tab you can configure the security settings of the Selected Wireless Interface From this tab you can set up e None no security e WEP Wired Equivalent Privacy e WPA Wi Fi Protected Access e ACL Access Control List 5 3 1 Setting Wired Equivalent Privacy WEP Through the WEP tab you can configure a NETKROM node to encrypt decrypt data with keys based on the WEP protocol To implement WEP select WEP in the Selected Encryption Mode drop down list To implement 64 bit encryption select WEP 64 in the WEP Type drop down list To implement 128 bit encryption select WEP 128 in the WEP Type drop down list Four text boxes WEP Key 1 2 3 and 4 with adjacent option buttons allow you to maintain four different encryption keys while using one of them Type one or more encryption key into the text boxes then select the option button of the one to be used Selected Wireless Inte
25. WISP Easy Wizard WEW Click this option to start a wizard that provides an easy and convenient way to install new nodes See Chapter 13 for details Remove Click this option to remove the currently selected node from the Topology Map and Registered Node List Page 37 of 141 NETKROM OS and NETKROM NMS User Manual 3 IP Networking This section describes IP Networking settings and configuration procedures for your NETKROM node To configure IP Networking select the Interface Configuration tab located under the Advanced Configuration of Node Configuration Network tabs See Page 35 for a diagram showing Advanced Configuration tabs and sub tabs The Interface Configuration tab features four panes e Network Interfaces Tree left pane e Basic IP Configuration top pane e Global Settings center pane e Special Action Interface Commands bottom pane Two buttons are located at the top of the IP Configuration tab e Refresh Click Refresh to retrieve setting from the selected node e Submit Click Submit to upload the configuration to the node File Tools Utilities Help amp sS E Advanced Configuration of node Netkrom NOC Configuration Statistics System Properties NetWork Dynamic Routing NAT QoS Services DHCP WAN VLAN HotSpot IP Configuration Interface Configuration Static Routing Ta LE address o Jo Jo Jo PTriPadaress o Jo Jo Jo Subnet 0 J o Jo Jo MACADDRESS
26. Figure 47 PSK Settings

Pairwise Cipher

The Pairwise Cipher field provides three options for the encryption mechanism of a NETKROM node:
• TKIP (Temporal Key Integrity Protocol)
• AES-CCMP (Advanced Encryption Standard, Counter Mode CBC-MAC Protocol)
• BOTH (selected if a NETKROM node is configured as an access point)

Group Cipher

Group Cipher is not functional in NETKROM NMS version 1.1.3.

5.3.3 Configuring Access Control Lists (ACL)

When the Selected Operational Mode has been set to Access Point or WDS, the ACL sub-tab in the Security tab is available for selection. You have the option of setting an Access Control List to manage clients trying to connect to the access point. To configure Access Control List functions, click the ACL tab, then select the Enable checkbox.

Figure 46 Access Control List Settings

Denying Access

To deny specified clients access to the nod
27. a PPTP connection. This name usually is provided by ISPs.

Enable on Demand

Enable on Demand is a feature that creates a PPTP connection only when there is IP traffic on a PPTP interface. Some ISPs offer connection agreements where charging depends on time; in these cases this feature could be valuable. Select the Enable on Demand check box, then type a time period (seconds) into the Demand Time field. If a PPTP connection remains idle for this period, the connection closes until you try to use it again (probably from a PC behind the router).

Current Status

When you click the Refresh button, the Current Status field displays information on the current connection: whether there is a connection, or the reason for an unsuccessful attempt to connect.

9 Quality of Service

Quality of Service (QoS), also known as Traffic Shaping, refers to the general concept of prioritizing network traffic according to some of its properties. By default each packet is treated equally and on a first-come, first-served basis. However, by utilizing QoS, certain traffic patterns can be given higher priority or can be guaranteed specific network resources. From now on we will refer to a traffic pattern as a class. Some of the policies that can be enforced with QoS are:
• Restrict or eliminate the bandwidth consumed by P2P applications
• Distribute the available band
28. and Host PC 2 or can exchange data between them, regardless of whether they are associated with the Base Node or the Repeater.

Preferred SSID / Preferred BSSID

To configure a NETKROM node as a Repeater, type the Preferred SSID (name) or the Preferred BSSID (MAC address) into the appropriate fields. Click the Submit button and wait for the Repeater to associate itself with the specified Base node. The Repeater is then ready to accept associations with wireless stations.

State and Link Quality / Signal Level

The State field and the Link Quality / Signal Level fields reflect the Client node's state with respect to its potential link with an access point. A continuous polling protocol operates between the NETKROM NMS and all nodes that have been added in the Network Topology pane. For Client-configured nodes, NETKROM NMS is continuously informed of the State (Idle, Authenticated or Associated) of the node, the quality of the link (if associated) and the dynamic signal strength.

Figure 36 Repeater Mode Settings
29. be configured in this field:

• ALL: A match always occurs.

• TCP: A match occurs if
  1. the packet's protocol type is TCP, AND
  2. the SYN flag of the packet matches, based on which of the following is selected in the SYN flag drop-down list:
     ALL: matches always.
     SET: A match occurs if the packet starts a new connection.
     NOT SET: A match occurs if the packet is a member of a previously started connection.
     AND
  3. Source Port: Source port is entered as a number 0-65535, where 0 indicates that all ports are matched, AND
  4. Destination Port: Destination port is entered as a number 0-65535, where 0 indicates that all ports are matched.

Figure 36 Advanced Firewall Rule TCP

• UDP: A match occurs if
  1. the packet's protocol type is UDP, AND
  2. Source Port: Source port is entered as a number 0-65535, where 0 indicates that all ports are matched, AND
  3. Destination Port: Destination port is entered as a number 0-65535, where 0 indicates that all ports are matched.

• ICMP: A match occurs if
  1. the packet's protocol type is ICMP, AND
  2. the ICMP Type matches, based on which of the following is selected in the ICMP Type drop-down list:
     ANY: A match occurs always.
     REQUEST: A match occurs if the packet is an ICMP request.
     RESPONSE: A match occurs if the pac
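The matching semantics listed above for the ALL, TCP and UDP protocol options can be expressed as a small evaluator, which is useful when reviewing a rule set for entries that are broader than intended. This is an added example, not code from the manual or from NETKROM: the Packet and Rule structures, the wildcard_fields helper and the sample packets are constructed, "starts a new connection" is assumed to mean SYN set with ACK clear, and ICMP and the "Not" check boxes are left out because their description is incomplete on this page.

```python
from dataclasses import dataclass

PROTOCOLS = {"ALL", "TCP", "UDP"}
SYN_MODES = {"ALL", "SET", "NOT SET"}


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for the header fields the rule inspects."""
    protocol: str            # "TCP", "UDP", "ICMP", ...
    src_port: int = 0
    dst_port: int = 0
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """Hypothetical model of the advanced matching fields of one rule."""
    protocol: str = "ALL"
    syn_flag: str = "ALL"    # only evaluated for TCP rules
    src_port: int = 0        # 0 means "all ports", as in the manual
    dst_port: int = 0

    def __post_init__(self):
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol: {self.protocol}")
        if self.syn_flag not in SYN_MODES:
            raise ValueError(f"unsupported SYN mode: {self.syn_flag}")
        for port in (self.src_port, self.dst_port):
            if not 0 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")


def _port_ok(rule_port, pkt_port):
    # A rule port of 0 is the wildcard, so port 0 itself can never be singled out.
    return rule_port == 0 or rule_port == pkt_port


def _syn_ok(mode, pkt):
    # Assumption: a packet "starts a new connection" when SYN is set and ACK is not.
    starts_connection = pkt.syn and not pkt.ack
    if mode == "ALL":
        return True
    return starts_connection if mode == "SET" else not starts_connection


def matches(rule, pkt):
    """Apply the AND-ed conditions of the ALL / TCP / UDP options."""
    if rule.protocol == "ALL":
        return True
    if pkt.protocol != rule.protocol:
        return False
    if rule.protocol == "TCP" and not _syn_ok(rule.syn_flag, pkt):
        return False
    return _port_ok(rule.src_port, pkt.src_port) and _port_ok(rule.dst_port, pkt.dst_port)


def wildcard_fields(rule):
    """List the fields of a rule that are left at their match-everything value."""
    if rule.protocol == "ALL":
        return ["protocol"]
    fields = []
    if rule.protocol == "TCP" and rule.syn_flag == "ALL":
        fields.append("syn_flag")
    if rule.src_port == 0:
        fields.append("src_port")
    if rule.dst_port == 0:
        fields.append("dst_port")
    return fields


if __name__ == "__main__":
    new_ssh = Rule("TCP", "SET", 0, 22)
    samples = [                                   # constructed packets
        Packet("TCP", 40000, 22, syn=True),       # connection attempt
        Packet("TCP", 22, 40000, syn=True, ack=True),
        Packet("TCP", 40000, 22, ack=True),       # established traffic
        Packet("UDP", 5353, 53),
    ]
    for pkt in samples:
        print(pkt, "->", matches(new_ssh, pkt))
    print("wildcards:", wildcard_fields(new_ssh))
```

A rule whose wildcard_fields result includes dst_port matches every destination port of its protocol, which is the first thing to check when a rule intended for one service is found to affect others.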
31. expires or gets renewed. For dynamic environments there are two common lease duration strategies. The first calls for leases to be renewed halfway through a working day, such as having them expire every eight hours, which will cause them to be renewed after four hours. Another strategy is to set the lease duration to a multiple of two and a half times the working day (that is, 20 hours for an eight-hour working day), causing the leases to completely expire overnight and thus be renegotiated every morning. The former strategy works well on networks that keep their machines running all of the time, while the latter strategy works well on networks where systems are powered down or otherwise removed from the network at night.

Be forewarned, however, that both strategies expose the network to problems if the DHCP server goes down or is on a remote network that is subject to outages. If the DHCP clients are getting their lease data from a remote DHCP server on the other side of a WAN link that is even minimally prone to failure, chances are good that short lease times will result in at least a few failed lease renewals.

Configuring a DHCP CLIENT

Configuration of the DHCP Client application is simple. The only requirement is selection of the interface where the DHCP client will search for DHCP servers. Similar to DHCP server configuration, multiple instances of DHCP client on different interfaces are allowed.
32. in the system in the background. If any of them does not support the specified country code, a possible violation could occur. If that occurs, NETKROM NMS warns you with a popup alert. This protects you from choosing an unsupported country code, which might cause a loss of connection with the wireless interface after setting the specific country code.

Selected Wireless Interface list

Select the wireless interface to be configured. If there are multiple wireless interfaces available, this drop-down list is populated. If the selected interface is not active, a red warning message is shown next to the interface.

Setting Operational Modes

A NETKROM node has the ability to operate in the following modes:
• Access Point
• WDS (Wireless Distribution System)
• Repeater
• AP Client
• Station

Site Survey

The Site Survey button is accessible in all OpMode tabs. Site Survey scans all available frequencies associated with the IEEE 802.11a, b and g physical layer. When the scan is complete, the Site Survey dialog box appears, indicating any possible sources of interference by other nearby access points. For more information on Site Survey settings, see Section 5.1.6.

Selected Operational Mode

The Selected Operational Mode drop-down list is populated with all available operational modes a NETKROM node can adopt. Selecting an operational mode from the drop-down list makes the corresponding pane available in the OpMode tab.
33. of them are evaluated against it. Classes ftp_traffic_out_ftp1 and ftp_traffic_out_ftp2 are also parallel classes as far as the outgoing interface flow of ath0 is concerned.

Parallel classes, although a very convenient feature, should be used with caution. By all means you should avoid setting parallel classes that overlap each other. In other words, it should be clear which class will be activated for every arriving packet. For instance, the two classes depicted in Figure 87 overlap, because it is ambiguous which one will handle traffic originating within subnet 172.8.1.0/24 and destined to host 192.168.1.1/32 with destination port number 200.

Figure 87, Figure 88 Overlapping parallel classes

9.4.3
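The overlap condition described above can be checked mechanically before parallel classes are applied to an interface flow. The following Python sketch is an added example, not part of the manual or of NETKROM NMS: the TrafficClass structure and its field names are hypothetical, and all sample values (the broad_lan and narrow_pair classes, the 100-300 port range, the two FTP server addresses) are constructed around the subnets used in this chapter.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class TrafficClass:
    """Hypothetical model of the MATCHES fields of one QoS class."""
    name: str
    src: str                       # source IP/subnet in CIDR notation
    dst: str                       # destination IP/subnet in CIDR notation
    dst_ports: tuple = ALL_PORTS   # inclusive (low, high) destination port range

    def matches(self, src_ip, dst_ip, dst_port):
        """True if a packet with these header values falls into this class."""
        low, high = self.dst_ports
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and low <= dst_port <= high)


def _nets_overlap(a, b):
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def classes_overlap(c1, c2):
    """Two classes overlap only if one packet can satisfy every field of both."""
    ports_overlap = (c1.dst_ports[0] <= c2.dst_ports[1]
                     and c2.dst_ports[0] <= c1.dst_ports[1])
    return (_nets_overlap(c1.src, c2.src)
            and _nets_overlap(c1.dst, c2.dst)
            and ports_overlap)


def find_overlaps(classes):
    """Return the name pairs of parallel classes whose match sets intersect."""
    return [(a.name, b.name)
            for a, b in combinations(classes, 2)
            if classes_overlap(a, b)]


def classify(classes, src_ip, dst_ip, dst_port):
    """Names of all classes a packet falls into; more than one means ambiguity."""
    return [c.name for c in classes if c.matches(src_ip, dst_ip, dst_port)]


# Constructed sample: two classes that both cover 172.8.1.0/24 -> 192.168.1.1, port 200.
AMBIGUOUS = [
    TrafficClass("broad_lan", "172.8.1.0/24", "192.168.1.0/24"),
    TrafficClass("narrow_pair", "172.8.1.0/24", "192.168.1.0/31", (100, 300)),
]

# Constructed sample: parallel classes kept apart by distinct /32 destinations.
SEPARATE = [
    TrafficClass("ftp_traffic_out_ftp1", "172.8.1.0/24", "192.168.1.220/32", (20, 21)),
    TrafficClass("ftp_traffic_out_ftp2", "172.8.1.0/24", "192.168.1.190/32", (20, 21)),
]

if __name__ == "__main__":
    print("overlapping pairs:", find_overlaps(AMBIGUOUS))
    print("packet lands in:", classify(AMBIGUOUS, "172.8.1.77", "192.168.1.1", 200))
    print("overlapping pairs:", find_overlaps(SEPARATE))
```

An empty result from find_overlaps means every arriving packet activates at most one of the parallel classes, which is the property the manual asks for.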
34. real-time graphical display of transmit and receive traffic of the network interface.

WISP Easy Wizard (WEW): The WISP Easy Wizard (WEW) menu option allows you to start a wizard that provides an easy and convenient way to install and configure wireless nodes. See Chapter 13 for details.

Remove: The Remove menu option allows you to remove the currently selected node from the Topology Map and Registered Node List.

Getting Started with NNMS

Starting from the menus and windows mentioned above, you can auto-discover and insert new nodes, display maps and graphics of your wireless network, save and load profiles, and access multi-tabbed windows used for advanced configuration of nodes.

Auto Discovering Nodes

Discovery Manager allows you to discover nodes and insert them into the Topology Map. A custom polling protocol is used to detect NETKROM nodes in the specified subnet. Discovered nodes are displayed in a tabular format.

To use Discovery Manager: in the Tools menu, select Discovery Manager. The Auto Discovery dialog box appears.

Auto Discovery Dialog Box

Network Subnet

In the Network Subnet field type the subnet address NNMS will detect nodes in which the
35. the IP address to the physical address of the destination host. It uses a lookup table (sometimes referred to as the ARP cache) to perform this translation. When the address is not found in the ARP cache, a broadcast is sent out on the network with a special format called the ARP request. If one of the machines on the network recognizes its own IP address in the request, it will send an ARP reply back to the requesting host. The reply will contain the physical hardware address of the host and source route information (if the packet has crossed bridges on its path). Both this address and the source route information are stored in the ARP cache of the requesting host. All subsequent datagrams to this destination IP address can now be translated to a physical address, which is used by the device driver to send out the datagram on the network.

To view the ARP table, select the ARP Entries tab under the Network tab.

Figure 101 ARP Entries Table

10.5 Viewing the Open Connections List

The Open Connections tab displays all your computer's inbound and outbound connections and lists all open ports, helping the
36. traffic with the AP.

Note: A client can be seen with multiple IP addresses if transparent bridging is being used. To see a list of the IP addresses, click Expand with the desired client selected.

Signal Level: The Signal Level field displays the signal level for each associated client, based on Received Signal Strength Indication (RSSI).

Fade Margin: The Fade Margin field displays the actual difference between Signal Level and Noise Level.

Noise Level: The Noise Level field displays the noise level of the chip according to transmit rate and physical layer standard.

Rate: The Rate field displays the transmission rate the AP uses to exchange data with each client.

Idle Time: The Idle Time field displays the time that has passed since a formerly associated client was disassociated.

Type: The Type field indicates the type of the node listed. It can contain the following values:
• Adapter (Station Mode)
• AP Client (AP Client Mode)
• WDS Type
• Client

NOTE: Every client that has ever been associated to the AP is included in this list, which is automatically saved when you click Save Configuration.

5.1.3

Action: The Action field is a drop-down list that allows you to perform several different actions on the selected node. You can:
• Select Set Alias to set an Alias for a specific node
• Select Remove to remove an idle node from the list
• Select Disassoci
37. Figure 27 Routing Table Handling

The bar across the top of the Static Routing tab contains the following options:

• Entries Commands buttons: Insert New Route, Delete Route, Modify Route, Move Up, Move Down
  Figure 26 Route Entries Commands
• Table Commands buttons: Insert New Route, Delete Route
  Figure 29 Route Table Commands
• Tables drop-down list
  Figure 30 Routing Tables Drop Down List

4.1 Configuring Routing Tables and Entries

NETKROM provides a multiple routing table system with a flexible infrastructure and the ability to implement policy routing. In addition to the local and main routing tables, NETKROM supports up to 252 additional routing tables.

4.1.1 Adding a New Routing Table

To create a new routing table that will be integrated in the multiple routing table system:
1. Click the Table Commands button. The Insert New Routing Table dialog appears.
2. Type the name into the Routing Table box, then click Submit. The table name is stored in the drop-down list for future use.

4.1.2 Remove an Existing Routing Table

To delete an existing routing ta
38. 72 PPPoE Protocol Selection

Concentrator

The Concentrator field contains the name of a server and relates to the case where there are multiple PPPoE servers available. If those servers have a valuable name, called a Concentrator name, you can choose the proper one by typing the correct name into this field.

Keep DNS and Gateway

In most cases PPPoE authentication supplies the client with some valid DNS addresses and makes the PPPoE interface the default system gateway. To set a static DNS address and/or a default gateway, or to leave another application to configure them (e.g. DHCP client), select the Keep DNS and Gateway check box.

8.2

MTU size

The normal Ethernet MTU is 1500 bytes in length, but the PPPoE overhead plus two bytes of overhead for the encapsulated PPP frame mean that the MTU of the PPP interface is at most 1492 bytes. This causes all kinds of problems if you are using a Linux machine as a firewall and interfaces behind the firewall have an MTU greater than 1492. For safety, MTU size must be an integer between 536 and 1412.

Enable on Demand

Enable on Demand is a feature that creates a PPPoE connection only when there is IP traffic on a PPPoE interface. Some ISPs offer connection agreements where charging depends on time; in these cases this feature could be valuable. When the Enable on Demand check box is selected, the following field
39. As soon as EBS bytes have been sent, the application is forced back to normal behavior (average rate ranging between CIR and PIR).

Committed Burst Size (CBS)

The CBS corresponds to the minimum number of bytes that have to be available in order for a transmission to start. Once the transmission starts, it cannot be interrupted until there is no more data to send. By default this value is the smallest possible (a single packet size, ideally) and you will rarely have to set a different value.

In order to better understand the concept of rate and burst, consider the following analogy. Each class (or subclass, as we will see later) is like a bucket with size EBS. The bucket is filled up at a rate which ranges between CIR and PIR. In accordance with this analogy, transmission starts when we throw water out of the bucket. The minimum quantity of water (traffic) that can be thrown out is CBS. Therefore, when a class is idle for a while, it is possible for an application later on to send a large burst of data until the bucket is empty. Similarly, for a class that sends traffic at a steady rate lower than CIR, its bucket will always be filled up.

Priority

The Priority value dictates which class among those at the same layer will get the unused bandwidth. This bandwidth comes from those classes that are not fully utilizing their CIR. This extra bandwidth is delivered first to the class with the highest priority and as s
40. Class Hierarchy

Although the aggregated ftp traffic falls within the limits (3000/3500), the maximum allowed bandwidth for each FTP server is restricted to 1750 kbps. An intuitive workaround would be to set the PIR of each class to 3500. However, in that case, if there is a lot of ftp traffic for both FTP servers, then the aggregated ftp traffic might exceed the desired restriction (3500), since 3500 + 3500 = 7000. In order to alleviate this problem we will have to create a class hierarchy.

1. We set the CIR/PIR of every class created up to now to 1499/3500 and we remove the application type of FTP.

We create two new classes named ftp_traffic_in and ftp_traffic_out. We set the CIR/PIR on each of them to 3000/3500. Source IP/Sub of ftp_traffic_in should be set to 192.168.1.0/24 and destination IP/Sub of ftp_traffic_out to 192.168.1.0/24. This is to allow for other ftp sessions to take place. Next, on the MATCHES part, we set the port range to 20-21 (ftp-data, ftp-control) and the protocol type to FTP.
42. Figure 69 DHCP Client

To configure a DHCP Client, select the interface from the interface tree. Its background turns blue. To configure DHCP client settings, select the Client option button and select the Active check box. The Client tab becomes available.

To prevent the changing of a client's default system gateway and DNS addresses when the client receives an IP address from the server, select the Keep DNS and Gateway check box. This is useful when you already have set a static default gateway and DNS and want them to remain unchanged, or if they are to be configured from another application (e.g. PPPoE client). In most other cases this field should remain unselected. To complete the configuration, click the Submit button.

7.3 Configuring a DHCP Relay

DHCP does not require a server on each subnet. To allow for scale and economy, a relay agent can be installed, listening to DHCP messages and forwarding them on to other network segments. This eliminates the necessity of having a DHCP server on each physical network.
43. Max retransmissions of the SYN-ACK reply to a SYN request

This parameter defines the maximum number of times a remote host will retransmit its SYN-ACK reply if it does not receive any response from the host that sent the SYN request. This process is used to protect the link from DDoS.

Send cookies to identify a valid TCP connection

ARP table safe number of elements

The ARP table safe number of elements field contains the maximum number of entries that can be considered safe. An ARP table is a mapping of IP addresses to physical addresses.

Soft limit for ARP table's elements (start deleting)

The Soft limit for ARP table's elements (start deleting) field contains the number of entries at which the system starts slowly deleting entries from the ARP table until it reaches the safe number of elements.

Max elements in arp table

The Max elements in arp table field contains the maximum number of entries in the ARP table; this maximum cannot be exceeded.

12 MRTG Support

Multi Router Traffic Grapher, or MRTG, is a tool to monitor the traffic load on network links. MRTG generates HTML pages containing GIF images which provide a live visual representation of this traffic. MRTG client support of NETKROM NMS uses the package provided by JRobin (http://www.jrobin.org/utilities/MRTGdemo.html). To use MRTG, select MRTG under the Utilities menu.

12.1 Using MRTG

To implemen
44. N Interface list

3.6.4 Uploading VLAN Interfaces

To send the configuration settings to the node, click the [icon] button.

4 Static IP Routing

Static routing is the manual method used to set up routing. An administrator enters routes into the router using configuration commands. This method has the advantage of being predictable and simple to set up. It is useful in managing small networks but becomes somewhat unwieldy on larger networks. NETKROM NMS provides management tools for manipulating any of the routing tables and configuring rules.

To configure Static IP Routing, select the Static Routing tab located under the Advanced Configuration of Node / Configuration / Network tabs. In the Static Routing tab you can select the Routes tab or the Rules tab. See Page 35 for a diagram showing Advanced Configuration tabs and sub-tabs.

In the Routes tab you can:
• Add, delete and select routing tables
• Add, delete, modify and prioritize routes

In the Rules tab you can:
• Add, delete and select rules
45. Figure 71 PPPoE Configuration

To configure a PPPoE Client, select the interface from the interface tree. Its background turns blue. This interface usually shares the same medium with an ADSL modem in bridge mode. There is no need for a pre-configured valid IP address and subnet mask on this interface. To view the full PPPoE tab, select the PPPoE option button and select the Active check box. The PPPoE tab appears. After completing the required fields, click Submit.

8.1.1 Setting PPPoE Client Fields

User Name: Type the User Name for the client that will be used to authenticate with the PPPoE server (usually supplied by the ISP).

Password: Type a Password (more than three characters) for the client. This is used to authenticate with the PPPoE server and is usually supplied by the ISP.

Protocol: In the Protocol drop-down list, select the Protocol to be used for authentication with the PPPoE server. Protocol options are None, PAP and CHAP.

Figure
47. Figure 83, Figure 84 ftp_traffic_in configuration

5. Now we will create two policies, one for each flow direction, named ftp_in and ftp_out. We accomplish this by right-clicking on the Traffic Policies label. Then we associate each class to each respective policy (Figure 85). This is done by dragging and dropping classes to policies and policies to interface flows.

Figure 85 Single class per policy

9.4.2 Parallel Classes

Up to now we guarantee 3 Mbps for FTP traffic coming from any of the directly connected subnets and destined to the other one. However, we make no provisions for users of either subnet who might set up an FTP server on their own initiative. Such ftp servers can consume part of the 3 Mbps quota which is reserved for the two original FTP servers. If we want to prevent this, we will have to be more specific when defining our classes. In particular:

1. We rename ftp_traffic_out to ftp_traffic_out_ftp1 to handle traffic destined
48. 5.1.2 Configuring an Access Point

To configure the node as an access point (AP), select Access Point in the Selected Operational Mode drop-down list. The AP tab becomes available. Several parameters must be configured, as follows.

Figure 34 Wireless Operational Mode Settings

SSID (Service Set Identifier)

This field contains the string which is published as ESSID by the access point. To create a name for the service set identifier (SSID), type the name in the SSID box.

Inactivity Limit

If a station associated with the NETKROM access point is idle for a period of time defined by the Inactivity Limit field, the NETKROM access point sends a disassociation frame to the station to inform it that it has been disassociated due to inactivity timeout. To configure the Inactivity Limit, type the inactivity threshold (in minutes) in this box.

Beacon Period

This field represents the desirable time interval between two consecutive beacons. To configure the Beacon Period, type the number of seconds in this box. Default: 100.

Virtual BSSID

As from the last NNMS versions you can cre
50. WDS Node 1 configuration should include the following:
  • WDS Node 2's MAC address should be set in Node 1's WDS list.
  • Both nodes should transmit on the same frequency.
  • NETKROM Stealth Mode should be used if you want to avoid beacon transmitting, or Hide ESSID if you want beacons to be transmitted but not to publish the NETKROM node's ESSID.
  • Additionally, you can enable an ACL with Policy set up to Deny and no node's MAC address in the list to prevent stations from connecting to the node.
The same configuration should be set in WDS Node 2 with corresponding values.
AP to AP Client Scenario
You can set up a point-to-point link using AP and AP Client Modes.
Figure 52: Point-to-point Topology
The access point should be configured as follows:
  1. Set up the ESSID of the AP.
  2. Enable Stealth Mode in the AP.
  3. Enable ACL with Policy set up to ALLOW and put the AP Client's MAC address in the MAC list.
The AP Client should be configured as follows:
  1. Type the AP's MAC address into the SSID field.
  2. Type the MAC address of the AP into the Preferred BSSID field.
  3. Perform a Site Survey.
  4. Select the AP from list and perform an Align.
  5. Make all the adjustments to achieve optimal alignment results.
BSSID Extended Repetition
Repeater is a custom mode of NETKROM. Repeater functionality is described in the Operational Modes section of this documen
51. Window: Click this option to access the Status dialog box, which contains the FW (Firmware) Version, Key Level, Up Time and Host Name fields. The FW Version, Key Level and Up Time fields also are displayed in the Node Status pane of the Topology Map tab.
  • The FW Version field contains the version number of the firmware residing in the currently selected node.
  • The Key Level field should display Level 2.
  • Up Time: The length of time the node has been operating.
  • Host Name: The name of the currently selected node.
Figure 13: Current Status Dialog Box
Advanced Node Configuration: Click this option to retrieve information from the selected node and open the Advanced Configuration of Node tab.
NOTE: To access the Advanced Node Configuration, you must first access the GUI Node Connectivity Settings via the Node Shortcut Menu and enter the password, then click OK or Submit.
The Advanced Configuration of Node tab contains three sub-tabs: Configuration, Statistics and System Properties.
Figure 14: Advanced Node Configuration Ta
52. above the Registered Node List: Zoom In, Zoom Out, Restore to default.
  • Create arrows indicating a connection between nodes by clicking in the center of the source node (a hand cursor will appear) and dragging to the center of the destination node. A line with arrowhead will appear between the nodes.
Network Nodes Showing Connection
2.2.5 Saving and Loading Profiles
  1. To save a Topology Profile, on the File menu click Save Profile.
  2. To load a Topology Profile, on the File menu click Load Profile.
2.2.6 Using the Node Shortcut Menu
You can manage and configure a variety of operating parameters of network nodes from the Node Shortcut Menu, which can be accessed using either of the following methods:
  • Double-click any node name shown in the Node List, or
  • Right-click any node in the Topology Map.
Figure 11: Node Shortcut Menu
GUI Node Connectivity Settings: Click this option to display the Node Connectivity Settings dialog box. This box contains the IP Address and Alias assigned to the selected icon. If an Alias has not been assigned
53. administrator to detect host's activity. Open connections can be sorted in ascending or descending order per column by clicking on the corresponding table header. To view the Open Connections list, select the Open Connections tab under the Advanced Configuration Statistics Network tabs.
Figure 102: Open Connections Tab
Click Refresh to update the open connections information.
10.6 Using Monitor Utilities
The Monitor Utilities tab provides a user interface for implementing two useful network utilities: Ping (ICMP) and Traceroute. To access these utilities, select the Monitor Utilities tab under the Advanced Configuration Statistics tabs. The Monitor Utils tab has two sub-tabs: the ICMP Util tab and the Trace Route tab.
10.6.1 Pinging (ICMP Utility)
The ICMP Util tab provides a convenient tool for initiating Ping commands. Ping sends ICMP requests to the address you specify and lists the responses received and their round trip time. When the utility is te
54. ased for if a DHCP decline message is received.
Min Lease: The Min Lease field contains the minimum number of seconds. If a lease to be given is below this value (sec), the full lease time is used instead.
Conflict: The Conflict field contains the amount of time (sec) that an IP address will be reserved (leased) if an ARP conflict (two clients with the same IP address) occurs.
Max Lease: The Max Lease field contains the maximum number of current leases (allocated IP addresses). After this limit is reached, the server stops assigning IP addresses to new clients.
Offer: The Offer field contains the number of seconds an offered address is reserved (leased). This field specifies the number of seconds the DHCP server should cache the offers it has extended to discovering DHCP clients. The default value is 60 seconds. On fast network media this value can be decreased.
DNS Servers: In the three DNS Servers fields (DNS 1, DNS 2 and DNS 3), type the IP addresses of the DNS servers that DHCP clients will use for DNS requests.
WINS Servers: If there are WINS servers that client should use, type the addresses in the WINS Servers fields (WINS 1 and WINS 2).
Routers: In the Routers fields (Router 1 and Router 2), type the IP addresses of the routers (default gateways) the client can use.
Leases Info: Click the Leases Info button to access the DHCP Leases dialog box that dis
55. assword protected by the network administrator to maintain regulatory compliance.
  • The ISPAIR CPE 510 and PoE injector can be damaged by incorrect power application. Read and carefully follow the installation instructions before connecting the system to its power source.
Package contents
Take a moment to ensure you have all of the following parts in your Outdoor Waterproof Unit installation kit before you begin installing the product. If any parts are missing, please contact your local vendor or contact us at 305 4182232.
KIT CONTAINS
  1. Netkrom CPE 510 Unit
  2. Mounting bracket, 2 screws
  3. Zip Ties
  4. POE Injector
  5. Power Adapter
  6. CDROM
Setup Requirements
Before starting, please verify that the following is available:
  • CAT5/5e or FTP Outdoor Ethernet cable from the ISPAIR CPE 510 to PoE Injector.
  • At least one computer is installed with the NNMS and a wired or wireless network interface adapter.
  • TCP/IP protocol is installed and IP address parameters are properly configured on all your network's nodes.
Important
  • Configure and verify the ISPAIR CPE 510 operations first before you mount the unit in a remote location.
  • For choosing the best location for your ISPAIR CPE 510, choose an elevated location where trees, buildings and large steel structures will not obstruct the antenna signals and which
56. ate Source IP to: The IP address or range of IP addresses that the source IP of the packet will change to. In case there is a range of IP addresses, a round robin algorithm is used to assign addresses.
Translate Source Port to: The range of the router's ports used to send NATed packets and track for responses.
DNAT Chain Specific Fields
The following fields are available in the DNAT configuration dialog box:
Redirect: When a match occurs, the packet will be redirected to another port of the router.
Translate Dest IP to: The IP address or range of IP addresses that the destination IP of the packet will change to. In case there is a range of IP addresses, a round robin algorithm is used to assign addresses. This is used to forward the packet to another host.
Translate Dest Port to: The port that the packet will be sent to; in case there is a range of ports, a round robin algorithm is used.
Figure 61: NAT Rule for Configuration for Destination Chain Dialog Box
Important: To enable a NAT rule, write it to the active list
57. ate three extra virtual APs (VAP) from one physical interface. First you have to set the native (the actual physical) AP and its properties (Beacon period, Inactivity, DTIM). These properties will follow any created VAP.
To create a VAP, click the Virtual BSSID scroll bar, choose VAP 1 and click Enable to enable it. After clicking Submit, a new interface will be created with preconfigured name.
Association List: To access a list of information for all nodes associated with the AP, click the Association List button. The Associated stations for wireless interface dialog box appears.
Figure 35: Association List
A description for each field in the Association List follows.
Alias: An Alias is a special name you can create to identify a client on the AP. When the configuration is saved, all aliases are saved on the device.
MAC Address: The MAC Address field contains the MAC address of each client associated with the AP.
IP Address: The IP Address field contains the IP address of each client that exchanges network
58. ate to disassociate a client which is associated with the AP.
  • Select Permanent Disassociation to disassociate a client which is associated to the AP and simultaneously add its MAC to an Access Control List to deny access.
Stealth Mode: Stealth Mode is another enhancement of Access Point mode. When Stealth Mode is enabled, the AP does not transmit beacons and hides its SSID in transmitted probe responses, which makes the AP essentially invisible. No other node can discover it unless that node already has the AP's settings. In addition, a custom polling protocol is implemented which is compatible with links between NETKROM APs and NETKROM clients. When using this protocol, NETKROM clients are able to detect NETKROM Stealth APs. To implement this feature, select the Stealth Mode checkbox.
Hide ESSID: Hiding the AP's ESSID prevents outside users from joining the network because they cannot detect the network identifier. To stop the AP from publishing its ESSID in its beacon transmissions, select the Hide ESSID check box.
Stop Wireless To Wireless Traffic: To prevent traffic between two wireless stations that are both associated with a NETKROM AP, select the Stop Wireless to Wireless Traffic check box.
NOTE: NETKROM has the ability to support Address 4 traffic. However, it is necessary to put the wireless interface (the one that operates as an access point) under a Network Bridge (check IP Network configuration) if you intend to enable Addre
59. b with Sub-Tabs
Each tab contains several additional tabs. The mind map below shows the hierarchy of advanced configuration tabs and sub-tabs used. The table indicates the chapter where descriptions and configuration procedures for each tab are located.
  Tab                  Chapter
  Network              3, 4
  VLAN                 3
  Wireless             5
  Firewall             6
  NAT                  6
  DHCP                 7
  WAN                  8
  Bandwidth Manager    9
  HotSpot              10
  Services             11
  Statistics           12
Figure 15: Tab Chapter List
The table above indicates the chapters where descriptions and configuration procedures for each tab are located.
Advanced Configuration Tab Hierarchy
Figure 16: Mind Map o
60. ble
  1. Select the table name from the Main drop-down list.
  2. Click the Table Commands X button.
CAUTION: The user has to be careful not to delete the main routing table, as this action can lead to connectivity problems.
4.1.3 Adding Static Routing Entries
To add a new static route:
  1. Select the Routes tab.
  2. Click the Entries Commands button. The Insert New Route dialog box appears.
Figure 31: Insert New Route
In the above example, all the traffic with destination addresses that belong to subnet 192.168.2.0/24 will be forwarded via interface ath0.
  4. In the Destination boxes, type the destination network or destination host address.
  5. In the Subnet boxes, type the netmask for the destination net (255.255.255.255 for a host destination and 0.0.0.0 for the default route).
  6. In the Default Gateway boxes, type the gateway address, if required.
  7. In the Preferred Source boxes, type the preferred source address for communicating to that destination.
  8. In the Distance box, type the distance to the target (usually counted in hops). This field is not used by recent kernels, but may be needed by routing daemons.
  9. In the Interface drop-down list, select the interface to which packets for this route will be sent.
  10. To accep
61. [Screenshot residue: dialog listing default and current values for the TCP timeout, TCP keepalive, TCP SYN and ARP table settings, with Refresh, Submit and Restore Defaults buttons.]
Max Concurrent Open Connections: The Max concurrent open connections field contains the number of concurrent connection attempts at one time.
TCP Timeout for Established Connections: The TCP Timeout for established connections field contains the maximum value permitted by a TCP implementation for the established timeout, measured in milliseconds.
TCP Timeout for time waiting connections: The TCP Timeout for time waiting connections field contains the maximum value permitted by a TCP implementation for the time waiting timeout, measured in milliseconds.
TCP Timeout for finalized connections: The TCP Timeout for finalized connections field contains the maximum value permitted by a TCP implementation for the finalized timeout, measured in milliseconds.
TCP Keepalive time: TCP Keepalive time field contains the time a tcp connection going
62. Figure 63: Advanced Rule Example Configuration
Click Submit to add the rule to the list and apply it to the router.
Figure 64: Example Firewall Tab
NAT
Having a single public IP address, allow whole local network to access the internet. Assume that the router is connected to the internet through interface eth0 and IP address 173.55.1.2/24. Your local network is connected to router's eth1 interface with IP address 192.168.1.1/24. You should masquerade all outgoing traffic to the internet (interface eth0) originated from your local network (interface eth1). Insert a rule to the SNAT chain as follows:
Details
  Source IP: 192.168.1.0/24 (local network)
  Output Interface: eth0
  Translate Source IP to: 0.0.0.0/0 (MASQUERADE eth0's IP address)
  Comment: NAT on WAN
Figure 65: NAT Configuration Masquerade
63. de A match occurs if the destination port number is the same as the number in this field. Type the destination port number into the Destination Port field.
Input Interface: The Input Interface field displays the interface from which the packet was delivered. A match occurs if the interface that the packet arrived from is the same as the configured interface (if the configured interface is a bridge, this also matches with interfaces under the bridge). In the Input Interface drop-down list, select a specific input interface or select ANY.
Output Interface: The Output Interface field displays the interface from which the packet is to be transmitted. A match occurs if the interface that the packet will be transmitted from is the same as the configured interface (in case the configured interface is a bridge, this also matches with interfaces under the bridge). In the Output Interface drop-down list, select a specific input interface or select ANY.
Existing Flowmark: The Existing Flowmark drop-down list contains Flowmarks that already have been configured. Select a Flowmark from the list to configure a Flowmark as a firewall matching rule. A match occurs if the packet was marked by this mark when it flowed through the Flowmark chain.
Protocol: The Protocol drop-down list contains a list of protocols that can be selected for matching. The following selections may be config
64. e
Figure 107: WISP Easy Wizard
Available configuration scenarios:
  • Backhaul AP
  • Repeater AP
  • Point-to-point link
  • CPE installation
Selecting the mode that is closest to your target configuration allows you to access a step-by-step simplified configuration procedure which guides you through the whole configuration process. After completion of the wizard, you can tweak the applied configuration manually as described in the previous chapters.
NOTE: After the successful application of the configuration via WEW, the current IP is maintained to avoid losing connectivity with the device. If the user does not require that IP address any more, it is recommended to remove it by deleting the corresponding Virtual Interface.
65. e select DENY in the Policy drop-down list. Clients with MAC addresses matching MAC addresses registered in the ACL will be denied access. All other addresses will be allowed.
Allowing Access: To allow specified clients access to the node, select ALLOW in the Policy drop-down list. Clients with MAC addresses matching MAC addresses registered in the ACL will be allowed access. All other addresses will be denied.
Setting up Access Control Lists
There are two methods to set up an Access Control List:
  • Type in the MAC addresses manually using the Add button, and remove selected MAC addresses using the Remove button.
  • Load a text file containing the MAC addresses using the Append from File button.
Extracting Access Control Lists
To save an existing ACL, click Extract to File and name and save the file. This can be a useful feature if you need to submit the same MAC list to another access point.
5.4 Configuring Atheros Advanced Capabilities
The Atheros tab is useful in optimizing the operation of distant NETKROM nodes.
Figure 49: Atheros Setti
66.
  • Country Code Settings
  • Site Survey Operation
To configure Wireless settings, select the Wireless tab located under the Advanced Configuration of Node Configuration tabs. In the Wireless tab you can select the OpMode, Radio, Security or Outdoor sub-tabs. See 35 for a diagram showing Advanced Configuration tabs and sub-tabs.
Figure 33: Wireless Configuration Panel
Three buttons and two drop-down lists are located at the top of the Wireless tab:
Refresh: Click Refresh to retrieve setting from the selected node.
Submit: Click Submit to upload the configuration to the node.
Set CC: Click Set CC to accept the country code specified in the CC drop-down list.
CC List: Select the required country code from the list, then click Set CC. The software will perform all the appropriate checks of the available radio chipsets
67. Figure 103: ICMP Utility Tab
To configure and use the ICMP Utility, select the ICMP Util tab, configure the Destination and Packet Size fields, then use the Start, Stop and Clear buttons as follows:
Destination: Type the IP address of the node you wish to ping in the Destination text box.
Packet Size: Type the number of bytes to be sent in each packet in the Packet Size box.
Start: Click Start to initiate the Ping command. The software will repeatedly ping the destination address. The window will display the number of bytes, source address, time to live (ttl), the round trip time, packet loss and average time.
Stop: Click the Stop button to terminate the pinging process. The pinging session will end and a window will appear displaying the Packet Statistics (Transmitted Packets, Received Packets and Loss) and Time Statistics (Min, Max and Average) in bar graph format.
Clear: Click Clear to clear the data from the window. Data can be cleared while a pinging session is underway.
10.6.2 Using Traceroute
The Traceroute tab provides a convenient tool for initiating Trace Route commands. Traceroute is a utility that records the route (the specific gateway computers at each hop) through the Internet between your NETKROM node and a specified destination. It also calculates and displays the amount of time each hop too
68. Figure 98: Current Status of Node Dialog Box
10.2 Using the Current Throughput Graph
The Current Throughput graph provides a real time graphical display of transmit and receive traffic of each network interface. By monitoring performance and analyzing performance data, you can begin to see patterns in the data that will help you locate bottlenecks. After you have located a bottleneck, you can make changes to the component to improve performance. Bottlenecks can occur anywhere in your server environment at any time, so it is important to capture baseline performance information about your system and monitor performance regularly. NETKROM NMS provides the option of real time traffic monitoring. To view the Current Throughput Graph, click Current Throughput in the Node Shortcut Menu.
Figure 99: Current Throughput Window
10.3 Viewing Packet Statistics
The Packet Stats tab contains information concerning the total packet statistics per interface. To view packet statistics, select the Packet Stats tab under the Advanced Configuration Statistics Networ
69. ere is no match. However, on a system with only one routing table, a rule set is usable only under limited conditions.
Figure 32: New Routing Rule Insertion
Adding Rule Entries
To add a new rule entry:
  1. Select the Rules tab.
  2. Click the Entries Commands button. The Insert New Rule dialog appears.
  3. In the Source Address boxes, type the address of the source network or source host.
  4. In the Source Address Subnet boxes, type the netmask for the source net. Type 255.255.255.255 for a host source.
  5. In the Destination Address boxes, type the destination network or destination host.
  6. In the Destination Address Subnet boxes, type the netmask for the destination net. Type 255.255.255.255 for a host destination.
  7. In the Interface drop-down list, select the interface that packets are received from. The interface can be one of the available physical interfaces or can be set to All.
  8. In the Action drop-down list, select one of the following:
    a. LookUp, to cause the routing subsystem to look up the routing table selected in the Table drop-down list (Default: Main table).
    b. Unreachable, to drop the received packet and send an ICMP packet to the source indicating the destination was u
70. f Advanced Configuration Tabs and Sub-tabs
Save Configuration: Click this option to permanently save the configuration for the current node.
Note: After the radio is configured, the configuration parameters are stored in RAM (volatile memory). If the radio is powered down, the configuration will be lost unless you Save Configuration to the radio's permanent memory.
Back Up: Click this option and select:
  • Retrieve Configuration to retrieve the last saved node configuration, or
  • Restore Configuration to restore the node configuration from a file.
Figure 17: Back Up Menu Options
FW Upgrade: Click this option to access the Select dialog box, from which you can select the firmware image file to be loaded into the node.
Reboot: Click this option to reboot the node. An Alert dialog box appears with the question "Should system save its configuration before reboot?" Click Yes if you want to save the configuration.
Current Throughput: Click this option to display a real time graphical display of transmit and receive traffic of the network interface
71. ferent interfaces are allowed.
7.1.1 Setting DHCP Server Fields
To configure DHCP server settings, select the Server option button and select the Active check box. The Server tab becomes available. After completing the required fields, click the Submit button. This uploads the configuration to the node without starting the server.
Start IP and End IP: Type the appropriate IP addresses into the Start IP and End IP fields. These are the upper and lower limits for the DHCP server address pool.
Broadcast: Type the appropriate IP address into the Broadcast field. This field contains the IP address clients will use. Broadcast IP should be one of the addresses the Subnet Mask permits.
Subnet Mask: Type the appropriate IP address into the Subnet Mask field. This is the subnet mask clients will use.
Domain: Type the Domain name (if any) that will be allocated to clients into this text box.
Time Parameters
For each of the following fields, type the appropriate value into the box.
Lease: The Lease field contains the number of seconds an allocated IP is valid. After expiration, the client has to renegotiate for getting a new IP, which is usually the same. The expiration time that the client adopts depends on the operating system running on the client and the DHCP client configuration.
Decline: The Decline field contains the number of seconds that an IP will be reserved le
72. first three segments (or 24 bits) of their IP address match the first three segments of the subnet address.
Enable Broadcast Discovery: Select the Enable Broadcast Discovery checkbox. NNMS uses a UDP broadcast message to detect any nodes on the network.
Timeout: In the Timeout field, type a timeout value in seconds (default: 10 seconds).
Discovery Results: Click Start to initiate a discovery poll. The Discovery Results bar graph displays the progress of the poll. When complete, the table displays the IP Address, Host Name and Password (if used) of discovered node. The checkbox under Include to Topology is automatically selected.
Include to Topology: To display a node in the Topology Map, leave the Include to Topology checkbox selected.
Submit: Click the Submit button to insert the nodes into the Topology Map.
Cancel: Click the Cancel button to exit the Auto Discovery dialog box.
Icons for each node should be visible in the Topology Map, labeled with the hostname. If two nodes have the same default hostname, NNMS will label one with the hostname and the other with its IP address. The label can be changed to an Alias using the GUI Node Connectivity Settings dialog box, accessible from the Node Shortcut Menu.
2.2.2 Configuring a New Node
Network nodes can be configured manually using the Insert New Node dialog box.
  1. Use any one of the following three methods to config
73. for FTP server 192.168.1.220. We change the destination address to 192.168.1.220/32. We leave the ftp application type to FTP. Similarly, we rename ftp_traffic_in to ftp_traffic_in_ftp1 to handle traffic originating for FTP server 192.168.1.220. Therefore we change the source address to 192.168.1.220/32. The ftp application type of TARGET remains as it is. In a similar manner, we create two new classes named ftp_traffic_out_ftp2 and ftp_traffic_in_ftp2 to handle traffic originated from/destined to 192.168.1.190/32 (Picture 86). We also set the TARGET application type to FTP.
  4. Since we divided the total CIR/PIR of the initial classes (one for each direction) in two classes, we also have to redefine the CIR/PIR on each subclass to 1500/1750. This way, for each direction the policy guarantees an aggregated CIR of 3000 and an aggregated PIR of 3500.
Figure 86: Parallel classes
Classes ftp_traffic_in_ftp1 and ftp_traffic_in_ftp2 are considered Parallel Classes as far as the incoming interface flow of ath0 is concerned. This is because they don't form a hierarchy and hence for every arriving packet both
74. gure 36: Wireless WDS Mode Settings. In the Registered WDS nodes list, type the MAC addresses of the nodes to be configured. Select the check box next to the MAC address field to enable it as part of the WDS network topology. The enable feature can be helpful when WDS nodes change behavior. You can maintain the nodes' MAC addresses in the list and enable or disable them as necessary. 5.1.4 Configuring Repeater Mode: Repeater Mode is an advanced NETKROM mode. When a NETKROM node is configured to perform as a repeater, it operates as a client. It associates with an AP that matches the desired BSSID (Basic Service Set Identifier) and adopts the settings of the BSS (Basic Service Set). After the association is complete, NETKROM repeats the BSS, creating a brand new BSS range. Repeaters implement a combination of both Client mode and Access Point mode functionality and features, such as Stealth Mode and Wireless to Wireless Traffic control. Figure 37: Repeater Topology. As the diagram above illustrates, the NETKROM Repeater is associated with the NETKROM Base Node. After being associated, the NETKROM Repeater extends the NETKROM Base Node's BSS. The result is that the Initial BSS range is expanded to the footprint shown by the Final Merged BSS range, with the Repeater acting as an access point with the Base Node settings. The three stations in the example topology can have access to both Host PC 1
75. he bandwidth. Steps to follow: 1. We click on Traffic Classes and right click on it. 2. We add a new class named, let's say, ftp traffic out to handle outgoing traffic from interface ath0. 3. We click on the ftp traffic out class and configure the MATCHES and TARGET as depicted on picture 83. Figure 81, Figure 82: ftp traffic out configuration (MATCHES and TARGET panels). 4. Similarly, we set up an ftp traffic in class for the incoming flow direction (Picture 84).
76. he reason behind this is that application type is very specific and should only exist on subclasses that reside on the last level (leaf) of a class hierarchy. Moreover, when application type is used on a leaf class, it's not possible to set the protocol match type on any of its parent classes. This is because when you set an application type match you implicitly define the protocol type which corresponds to that application type. Child to Parent class relation: In a class hierarchy, a child's MATCH and TARGET part should be a subset of that of each parent class. Therefore you can't have a parent class match a destination port range of 1-1024 when one of its child classes matches destination port range 500-2000. Port range 1025-2000 is not a subset of the parent class. PIR on parallel classes: Currently the QoS subsystem requires that all parallel classes or subclasses either have a PIR defined or not. Therefore it's not possible to set the PIR on a subclass and not set it on one of its sibling classes. All of them should either have or not have a PIR defined. 9.7.5 Efficiency considerations: Whenever possible, prefer the port or protocol match type instead of the application one. Application match type is slower and more CPU intensive. 9.8 Frequently Asked Questions. 9.8.1 Submit, Apply Changes: I'm confused. Apply Changes button is to save changes made t
77. how the interface as a slave to the bridge. Figure 22: Inserting an Interface Under a Bridge. Remove Interface: 1. Select the interface in the Network Interfaces Tree. 2. Click the Remove Interface button. 3.4.2 Virtual Interface Commands: From the Special Interface Commands pane you can also create virtual network interfaces, ones that are not associated with hardware. Virtual interfaces allow you to associate more than one IP address with a system. A typical use of this technique would be to support multiple Web sites. For example, if http://www.examplesite.com were assigned the address 222.33.44.55, virtual interfaces 222.33.44.56 and 222.33.44.57 might be assigned to www.examplesite.net and www.examplesite.org. All three sites could exist on the same system without conflict. Virtual interfaces also allow a system to communicate on more than one network address space. For example, virtual interfaces allow you to temporarily renumber a network from a masqueraded network address space to a private 10.0.0.0 subnet. During the transition, all servers can be assigned a virtual address, enabling them to communicate with clients on both the old and new network address spaces. Externally, virtual interfaces appear as if they are actual interfaces. Add New Interface: To insert a new virtual interface in association with a physical interface
78. iewing Packet Statistics. 10.4 Viewing the ARP Table. 10.5 Viewing the Open Connections List. 10.6 Using MORITGK Utte S. 10.6.1 Pinging ICMP UNY. 10.6.2 Using Traceroute. 10.7 Viewing System Properties. 11 SY SUC ria MUNG. 12 MRTG Support. 12.1 Using MRTG. 13 WISP Easy Wizard. 14 Ito A O. Hardware Installation Warnings: • Do not work on the system or connect or disconnect cables during periods of lightning activity. • Do not locate the antenna near overhead power lines or other electric light or power circuits, or where it can come into contact with such circuits. When installing the antenna, take extreme care not to come into contact with such circuits, as they may cause serious injury or death. • Only trained and qualified personnel should be allowed to install, replace or service this equipment. • To meet regulatory restrictions, the radio must be professionally installed. The network administrator or other IT professional responsible for installing and configuring the unit must be a suitable professional installer. Following installation, access to the unit should be p
79. ill get 1/3 of the 7 mbps. In actual, SUBCLASS 2 and AUTO SUBCLASS will get exactly 1.8 mbps (the CIR) and SUBCLASS 1 will get 3.4 mbps. This is because SUBCLASS 1 has a higher priority. If there is no traffic at all for SUBCLASS 1, then SUBCLASS 2 will get 5.2 out of the 7 mbps available. By now the role of priority should be clear. Example: Bandwidth reservation for FTP Servers. Let's have a look now at one example in order to better comprehend the QoS mechanism. Let's say that we have a NETKROM OS powered Hotspot equipped with a standard 11mbps wireless interface. The real available bandwidth on such an interface is approximately 5.5mbps or 5500kbps. On the ethernet side there are two ftp servers and a bunch of other insignificant hosts. The ftp servers are meant to serve the hotspot clients. Hence we would like to guarantee some bandwidth for them. The network layout is illustrated in picture 82. Figure 80: Hotspot with two back end FTP servers. 9.4.1 Single Class per Policy: We will start by defining a QoS policy to guarantee 3 mbps for FTP traffic. Since we want to guarantee both uploads and downloads from the ftp servers, we will create two different classes, one for each flow direction. On each of them we will set a PIR limit (3.5 mbps) in order to prevent the FTP server from monopolizing t
80. ired in order to force a NETKROM access point to authenticate clients on a Back End Authentication Server. They include: • the Server IP address • the Server Port number used for EAP-TLS packet transactions (usually 1812) • a Server Secret phrase, which is used for the NETKROM node authenticator to be accepted by the Back End Authentication Server. EAP-TLS is by default the supported protocol for EAP. The NETKROM node uses 802.1X authentication to authenticate its clients. If the NETKROM node is configured as a client, in the case of EAP-TLS usage you should upload the appropriate certificates on the NETKROM station. This can be done by clicking the Upload Server and Client Certificate buttons on the right pane. Figure 46: EAP Settings. PSK: When PSK is selected in the Key Management Mode drop down list, the Pass Phrase text box appears on the right side of the pane. This is the initial value on which negotiated WPA keys are created. To configure the Pass Phrase field, type the pass phrase. Selected
81. k Traceroute is a handy tool for understanding where problems are in the Internet network. Figure 104: Traceroute Tab. To configure and use the ICMP Utility, select the ICMP Util tab, configure the required fields, then use the buttons as follows. Destination: Type the IP address of the node to which you wish to Traceroute in the Destination text box. Start Port: Type the port number in the Start Port box. Max TTL: Type the maximum time to live value in the Max TTL box. Resolve Network Domain Names: Select Resolve Network Names to cause the utility to include the domain names of each IP address listed. Start: Click Start to initiate the TraceRoute command. The software will trace the route to the destination address. The window will display the number of hops, max size of the packets and elapsed time. Stop: Click the Stop button to terminate the TraceRoute process. The Traceroute session will end and a dialog box will appear displaying the Traceroute utility terminated
82. k is selected in the Action field. Type the name of the new flowmark in the New Flowmark box. Action: When a rule is matched, its action is performed. Firewall actions can be: ACCEPT: The packet will flow to the next chain, leaving the current chain at this rule (no further rules in this chain are examined). REJECT: The packet stops flowing, is discarded, and a return ICMP packet (reason code UNREACHABLE) is sent back to the sender. DROP: The packet stops flowing and is discarded without notifying the sender. FORWARD: currently not in use. MARK: The packet will flow to the next chain, leaving the current chain at this rule (no further rules in this chain are examined). It will be marked as New Flowmark. Comment: The Comment field is used to enter a string consisting of at most 30 characters to describe the rule. This field is not used for matching. Figure 57: Firewall Rule Configuration Dialog Box, Advanced Tab. Protocol: The Protocol drop down list contains a list of protocols that can be selected for matching. The contents of the dialog box change depending on the protocol selected. The following selections may
83. k tabs Interface: Select the interface for which you want to view statistics in the drop down list. Refresh: Click Refresh to update the graph. Reset: Click Reset to Figure 100: Interface Packet Statistics (panels: Rx Stats, Tx Stats, Rx Error Stats, Tx Error Stats). 10.4 Viewing the ARP Table: The ARP Entries tab contains the ARP (Address Resolution Protocol) table of the currently selected NETKROM node. On a single physical network, individual hosts are known on the network by their physical hardware address. Higher level protocols address destination hosts in the form of a symbolic address (IP address in this case). When such a protocol wants to send a datagram to destination IP address w.x.y.z, the device driver does not understand this address. Therefore a module (ARP) is provided that will translate
84. ket is an ICMP response. • GRE: A match occurs if the packet's protocol type is GRE (Generic Routing Encapsulation). • ESP: A match occurs if the packet's protocol type is ESP. • AH: A match occurs if the packet's protocol type is AH. Connection State: NETKROM can perform firewall functions based on the connection state. The following selections may be configured in this field. New: A match occurs if the packet starts a new connection (router has seen packets in one direction). Established: A match occurs if the packet is a member of an existing connection (router has seen packets in both directions). Related: A match occurs if the packet starts a new connection but is also a member of an existing connection (router has seen packets in both directions). Invalid: A match occurs if the packet is not a member of an existing connection and also does not start a connection (ambiguous packet). Source MAC: A match occurs if the packet's Source MAC address in the Ethernet header is the same as the address in this field. Type the Source MAC address in the Source MAC field. Limit: The Limit fields contain settings related to the rate at which the packet is arriving. Limit Rate: A match occurs if the configured rate has not been reached yet. Limit Burst: A match occurs if the configured burst rate has not been reached yet. Important: To enable a Firewall ru
85. le (write it to the active list) you must click the i button. 6.3 Configuring NAT Rules: Rules are entries in a chain consisting of several fields (criteria) that can be used to match a data packet. If all criteria are met, then the rule is matched and the packet leaves the chain, launching the action of the matching rule. From the NAT tab you can: • Select the NAT Kind • Add, delete, edit and manage NAT rules • Write NAT rules to the active list. Figure 59: NAT Chains. Before configuring rules you must select the NAT Kind drop down list. NAT Kind: In the NAT Kind drop down list, select SNAT or DNAT. Configuring NAT Matching fields: To add a rule, click the button. The NAT Rule Configuration for NAT Kind Chain dialog box appears. Figure 60: NAT Rule Configuration for Source Chain Dialog Box. SNAT/DNAT Common Fields: The following fields are common to SNAT and DNAT configuration dialog boxes. Not Check Boxes: Several fields have a Not check box beside them. The NOT field inverts the matching operation
86. low resource consuming. Figure 67: DHCP Server Configuration Dialog Box. To configure a DHCP Server, select the interface from the interface tree. Its background turns blue. Only clients in the same physical interface will be able to acquire IP addresses from this DHCP server. If clients from other physical interfaces must acquire their IP addresses from the same server, a bridge should be created and those interfaces should be added under that bridge. Then select that bridge as the DHCP server interface. NOTE: You cannot select an interface which is under a bridge as the DHCP server interface. Additionally, the DHCP server interface should have already been configured with a valid IP address and subnet mask. Multiple DHCP servers on dif
87. ls can obstruct the antenna, reducing the signal strength. The antenna can be installed at a height above such obstructions and aligned so that antennas are directed at each other by taking into account the horizontal angle and the vertical angle of the antenna signal. When the antenna is at the optimum alignment, there is less possibility of encountering interference and of causing interference to anyone else, and strong signal strength can be maintained. NOTE: When the antennas are at the same height it is quite simple to align the antennas. However, when the antennas are at different heights, greater care has to be taken to ensure that the antennas are properly aligned. Installation Direction: Front Towards Desired Signal Direction. The directional antenna radiates the signal towards the front of the unit. The unit should be installed in a position whereby the front of the unit faces the direction you wish to send the signal to. Therefore the direction you wish to send the signal to has to be considered before going on to the next step of starting to set up the access point. ISPAIR CPE 510 Installations: The diagram below shows the overall setup of the ISPAIR CPE 510.
88. ltiple competing classes exist for the same interface and for the same direction (output, input), the sum of all of them should also not overrun the available bandwidth. Note that regardless of the CIR, the traffic is always transmitted at the maximum speed supported by the physical interface. Literally, the CIR expresses the average rate in which the traffic is sent in due time. Peak Information Rate (PIR): This is the maximum rate in kbits/s in which the traffic of a class can be sent or received on average. Even if no other traffic competes for the bandwidth, this barrier cannot be exceeded. This value can be as large as the capacity of the link and as small as the CIR. The bandwidth between CIR and PIR is not guaranteed for a class. The possibility for a class to exploit this range depends on its priority, as we will see later. Excess Burst Size (EBS): Some applications are characterized by short periods of intensive network usage and long periods with no network usage at all. For instance, when we browse the Internet, our web browser requests a web page and then remains idle for a long period of time until another page is requested. Such applications are not served well by the CIR/PIR mechanism alone. The EBS mechanism remedies this problem by allowing an application to send a number of bytes continuously for some time without being interrupted
89. lue of Contention Window. b. AIFsn: Arbitrary Interframe Space. d. TXOP: Length of TXOP. CWmin: Input to the algorithm that specifies the initial random backoff wait time window as known for retry transmission. This value is the upper limit (in msecs) of a range from which the initial random backoff wait time is determined. CWmax: This value is the upper limit (in msecs) for the doubling random backoff value. This doubling continues until either the data frame is sent or the Max Contention Window is reached. AIFs: The Arbitration Inter Frame Spacing specifies a wait time for data frames. TXOP: This is an interval of time when a WMM station or client has the right to initiate transmissions onto the wireless medium. Wireless Topology Scenarios: In this section two possible specific wireless topologies are described, based on NETKROM's operational modes. In the first section, two ways of setting a point to point link are described. In the second section, a specific topology concerning NETKROM Repeater functionality is described. Point to Point Links: There are two basic topology scenarios. You can create a point to point link using either scenario. WDS to WDS Scenario: A point to point link can be created by configuring two NETKROM nodes as WDS access points. Figure 31: WDS Topology.
90. Figure 21: Special Interface Commands. 3.4.1 Network Bridge Commands: A bridge is a LAN interconnection device that operates at the data link layer (layer 2) of the OSI reference model. It may be used to join two LAN segments (A, B), constructing a larger LAN. A bridge is able to filter traffic passing between the two LANs and may enforce a security policy separating different work groups located on each of the LANs. Bridges were first specified in IEEE 802.1D (1990) and later by ISO in 1993. Add New Bridge: To create a new network bridge interface: 1. Click the Add new bridge button. The Insert New Bridge dialog box appears. 2. Type the bridge name in the box, then click the Submit button. The bridge name appears in the Network Interfaces Tree. Note: The bridge name must begin with the string br. There is no limitation to the rest of the name. Delete Bridge: To delete a bridge: 1. Select the bridge in the Network Interfaces Tree. 2. Click the Delete Bridge button in the Network Bridge Commands pane. Insert Interface: To insert an interface as a slave under a bridge: 1. In the Network Interfaces Tree, select an interface to become the slave. 2. Click the Insert Interface button. The Insert Iface to Bridge dialog box appears. 3. In the Select Bridge list box, select the desired bridge. 4. Click Submit. The tree is rearranged to s
91. must be pre-configured with a valid IP address and subnet mask from the PPTP server subnet, or it should be able to see the PPTP server in some way (e.g. through the default gateway). To view the full PPTP tab, select the PPTP option button and select the Active check box. The PPTP tab appears. After completing the required fields, click Submit. Setting PPTP Client Fields. User Name: Type the User Name for the client that will be used to authenticate with the PPTP server (usually supplied by the ISP). Password: Type a Password (more than three characters) for the client. This is used to authenticate with the PPTP server and is usually supplied by the ISP. Protocol: In the Protocol drop down list, select the Protocol to be used for authentication with the PPTP server. Protocol options are None, PAP and CHAP. Dial IP or ISP Name: To identify the PPTP server, type the IP address in the Dial IP field OR type the DNS name of the PPTP service in the ISP Name field. Keep DNS and Gateway: In most cases PPTP authentication supplies the client with some valid DNS addresses and makes the PPPoE interface the default system gateway. To set a static DNS address and/or a default gateway, or leave another application to configure them (e.g. DHCP client), select the Keep DNS and Gateway check box. Authenticator: Some PPTP servers require an Authenticator field called to establish
92. network resources reserved comprises the Target of the Traffic Class. These properties can be configured via the rightmost panel of the QoS window. To add a new Traffic Class, you have to right click on the Traffic Classes label in the respective Panel. You can define as many Traffic Classes as you wish. A Traffic Class can also form a tree-like hierarchy of Subclasses. The tree may have at most two layers of subclasses (Picture 78). Figure 76: Three layer class hierarchy. 9.1.2 Traffic Policies: A Traffic policy is an object to which we associate one or more classes and one or more interfaces. The set of classes assigned to a Traffic Policy defines the policy for the associated interfaces. The way you assign classes to policies is unlimited. Traffic policies can be shared by many interfaces, in which case the interfaces are unified from the QoS standpoint. Shared policies will be discussed in more depth later in this chapter. 9.1.3 Network Interfaces: This panel lists all physical interfaces of the system. For each interface we distinguish two flows: an incoming one, which corresponds to traffic coming to the interface from the underlying physical layer, and an outgoing one, which corresponds to traffic going out of the interface to the physical layer. Note: Bridges and virtual interfaces will not be present here. If you want to set a policy to a
93. ng Radio Settings: To configure the radio settings of the selected wireless interface, select the Radio tab on the left side of the Wireless pane. From the Radio tab you can: • select the Physical layer options (IEEE 802.11a, b and g) • select the Channel number • select whether the Channel is expressed as a number or Frequency • select the TxRate (data transmission rate) • set and enable the Frag value • set and enable the RTS parameter • enable Spoofing • configure the MAC Address • enable Diversity operation • select the Antenna connector. Figure 43: Wireless Radio Settings. 5.2.1 Selecting Physical Layer Options: The Physical drop down list contains all physical layer options that are available for the specific hardware you are using. If your hardware supports IEEE 802.11 a, b and g standards, the Physical drop down list will contain AUTO 802.11A 802.11B 802.11B G Turbo A and Turbo G options. If the hardware does not support a physical layer standard, NETKROM NMS returns a warning dialog indicating the NIC ca
94. ngs Link Distance: Setting the Link Distance can be effective in optimizing operation of a node. When Link Distance is defined, the acknowledge timeout is configured according to the distance. In lossy environments where many retries occur, the acknowledge timeout should be configured according to the distance between the nodes. To set this parameter, type the distance in meters into the Link Distance text box. Fast Frames: Fast Frames is a feature of Atheros based technologies that utilizes frame aggregation and timing modifications to increase the data throughput rate of the system. It increases throughput by transmitting more data per frame and removing inter frame pauses. To implement fast frames, select the Fast Frames check box. Packet Bursting: Packet Bursting is another technique used by Atheros based technologies to increase throughput by decreasing overhead and sending more data frames per given period of time. To implement packet bursting, select the Packet Bursting check box. WMM (Layer 2 QoS), Advanced WMM Settings: WMM (Wi-Fi Multimedia) is a priority based Quality of Service method used in implementing Voice over WLANs. To implement WMM, select the WMM Layer QoS check box, then click the Advanced WMM Settings checkbox to access the Advanced WMM Parameters dialog box. AP EDCA Parameters (columns: VOICE, VIDEO, BEST EFFORT, BACKGROUND)
95. nnot be configured in the selected physical layer standard. 5.2.2 Setting Channels and Frequencies: The Channel drop down list displays the currently selected radio channel using the standard IEEE channel numbering convention. To convert the Channel field to display the actual frequency, click the Frequency button. 5.2.3 Setting Transmission Rates: The TxRate drop down list allows you to select a standard transmission rate based on the available rates associated with the selected physical layer standard. You can also select Auto mode. In Auto mode, NETKROM will be auto configured to support the optimal TxRate for each related node. This can be very useful in environments sensitive to retries. In Auto mode, an auto rate fallback algorithm which runs in the background tries to maximize the data transfer rate. Note: Management and Control frames are always transmitted at the lowest available rate of the selected physical layer standard. 5.2.4 Setting the MAC Address: The MAC Address field contains the MAC address of the configured radio card hardware that has been selected in the Selected Wireless Interface field. However, you can enable spoofing functionality by selecting the Enable Spoofing checkbox and typing a new MAC address into the MAC Address field. Setting Frag: The Frag field allows you to implement fragmentation of packets a
96. nreachable. c. Drop: to silently drop packets with matching frames. 9. In the Table drop down list, select the routing table you wish to use with the LookUp option described above. In the example screenshot above, the rule specifies that the system will silently drop packets originated from network space 10.10.10.0/24 arriving in any interface. 4.2.2 Removing Rule Entries: To remove a specific rule entry, select the table row of that entry, then click the Entries Commands button. 4.2.3 Modifying Rule Entries: To edit a specific rule, select the table row of that entry, then click the Entries Commands button. The Insert New Rule dialog appears with the fields for the selected rule filled in. Modify as required, then click Submit. 4.2.4 Repositioning Rule Entries: Rule entries allocated in each routing table are parsed by the OS kernel in a serial manner. To modify the series priority of allocated entries, select the table row of the entry to be moved, then click the Entries Commands button to move the entry upward or the button to move it downward in the list. 5 Wireless: NETKROM NMS allows you to configure all wireless settings for nodes on your wireless network, including: • Link Distance • Transmit Power • Operational Modes • Radio Settings • Security Settings • Outdoor Settings
97. o the rightmost panel of the QoS interface. This is the panel responsible for setting MATCHES and TARGET properties of a class. On the other hand, Submit is used to save the overall QoS configuration. Finally, don't forget to save the configuration on the device via the Save Configuration option on the View Topology window. 10 Monitoring and Statistics: The advanced statistics engine of NETKROM OS, in combination with the graphing facilities of NETKROM NMS, lets the administrator delve into the results in real time, identifying high bandwidth nodes and possible bottlenecks. Some Monitoring and Statistics features are available from the Node Shortcut Menu. Others are located under the Advanced Configuration of Node Configuration tabs. See Page 35 for a diagram showing Advanced Configuration tabs and sub tabs. 10.1 Using the Status Info Dialog Box: The Status Info dialog box provides all the information displayed in the bottom pane of the Network Topology tab, with the addition of an extra editable field which is used to set the Host Name of the node. The displayed information is useful in cases where the administration unit is hidden behind NAT and connectionless communication such as NETKROM Polling Protocol and SNMP cannot be initiated. To view the Status Info dialog box, click Open Status Window in the Node Shortcut Menu. FW Version 2 4 0 COMMERCIAL KeyLev
98. offers maximum line of sight propagation with the users.
• Select an appropriate antenna to improve range and/or coverage, and the ISPAIR CPE 510 also lets you fine-tune parameters such as the transmit power to achieve the best results.

Panel Views and Description
Steady Red: Power is supplied to the device.
Off: No power is supplied to the device.
Steady Red: The respective port has successfully connected to the access point.
5 DIAG LED
Flashing slowly: It indicates that the firmware is corrupted.
Flashing fast: It indicates the Reset procedure was successful.
Connection for computer with NIC (Network Interface Card, or Ethernet Network Card). If using PoE, connect to LAN1.
SURGE ARRESTOR: Connect to a ground wire.
RESET BUTTON: To restore the factory default settings: Turn on the radio. Wait for only 5 seconds since you turned on the radio and press the reset button. Keep holding the reset button for 15 seconds. After this, DIAG LED will blink fast. Release the button. Power cycle the radio.

Antenna Alignment
The physical environment of the antenna must be examined when aligning the antenna. Obstructions, available mounting locations and other factors must be considered. Many objects such as forests buildings and hil
99. ofile loaded succesfully
Figure 5: The NETKROM NMS Window

Topology Map: Located in the center pane, the Topology Map displays icons representing network nodes and connection information describing the layout of the network. It also can display a map graphic in the background.
Registered Node List: Located in the left pane, the Registered Node List displays all registered nodes on the network.
Node Status: Located in the bottom pane, the Node Status area displays the following information on the currently selected node:
• Firmware Version: The number representing the firmware version residing in the node
• Up Time: The length of time the node has been operating
• Key Level
• NNMS Connectivity: The ratio of successfully received probe responses
All panes are resizable and can be adjusted according to user preferences.

2.1.3 Node Shortcut Menu
Figure 6: Node Shortcut Menu (GUI Node Connectivity Settings, Open Status Window, Advanced Node Configuration, Save Configuration, Back Up, Unlock, FW Upgrade, Reboot, Restore Defaults, Current Throughput, WISP Easy Wizard (WEW), Remove)

GUI Node Connectivity Settings: The GUI Node Connectivity Settings menu option allows you to access the Node Connectivity Settings dialog box for the currently selected node.
Open Status Window: The Open Status Window menu option allows you to access the Status dial
100. og box, which contains the FW Version, Key Level, Up Time and Host Name fields. The FW Version, Key Level and Up Time fields also are displayed in the Node Status pane of the Topology Map tab.
Advanced Node Configuration: The Advanced Node Configuration menu option allows you to retrieve information from the selected node. A new pane is displayed containing a main tab, Advanced Configuration of node "node name". Under this tab three sub-tabs are displayed: Configuration, Statistics and System Properties. Each of these tabs contains several additional sub-tabs used in the configuration process.
Save Configuration: The Save Configuration menu option allows you to permanently save the configuration for the current node.
Note: After the Radio is configured, the configuration parameters are stored in RAM (volatile memory). If the radio is powered down, the configuration will be lost unless you Save Configuration to the radio's permanent memory.
Back Up: The Back Up menu option allows you to back up and restore the configuration settings for the selected node.
FW Upgrade: The FW Upgrade menu option allows you to access the Select dialog box, from which you can select the firmware image file to be loaded into the node.
Reboot: The Reboot menu option allows you to reboot the node.
Current Throughput: The Current Throughput menu option allows you to display a
101. Figure 93: John's and Maria's settings

Note: For a single IP, use a subnet mask of 32. However, if you want the policy to cover multiple IPs, use the appropriate subnet mask.
After submitting both windows, the resulting class hierarchy will be:
Figure 94: Resultant QoS layout for Maria and John

9.6.2 QoS Statistics
By right-clicking on the traffic policy below the associated interface flow, you can get statistics regarding packets handled by this policy.
Figure 95: Current rate and packet analogy
The bar chart on the top illustrates the current average rate for each class. The pie chart corresponds to the number of packets serviced by the class
103. oon as the PIR or EBS of this class is reached, the distribution continues to the next class in order of priority. Priority value can vary between 0 (higher priority) and 7 (lower priority).
Consider the scenario: We have a standard 11 mbps wireless link and we want to guarantee half of it to outgoing TCP traffic. Then we further divide it into TCP traffic destined for host x and that destined for host y. This scenario is depicted in the following table. Classes in the table denoted as auto are classes that are automatically and transparently created by the system to handle unclassified traffic. These automatically generated classes get as their CIR the rest of the bandwidth, which is not reserved for any of the user-defined ones. System-generated classes are always of priority 7.

Link Bandwidth: 11 mbps
    CIR 5.5 mbps: Outgoing TCP
        host x: 1.8 mbps
        host y: 1.8 mbps
        Rest traffic: 1.8 mbps
    CIR 5.5 mbps: Anything but TCP
        No subclasses available

Back in our scenario: Let's assume now that 7 mbps traffic out of the 11 mbps qualifies for the USER CLASS. This means that we have 7 mbps TCP traffic which has to be distributed among the three subclasses. Let's also assume that 1/3 of this traffic is destined for host x and another 1/3 for host y. Although it might be tempting to say that its of the subclasses w
104. plays all the allocated leases.
Figure 66: DHCP Leases Dialog Box
In the current version, DHCP server configuration does not support dynamic changing of the DHCP leases file. After an IP allocation, you are able to see the new record in the DHCP Leases dialog after approximately a 60 second delay.

Lease Time Strategies
One of the most common DHCP administration questions is "What setting should I give my lease times?" As with many networking questions, the answer is "It depends." The primary decision criterion is the desired frequency at which your clients update their configuration data. If you are using DHCP only for randomized address assignments, having longer lease times will result in greater levels of stability. For example, if you use lease duration times of one month or longer, a temporary server outage is not likely to affect your normal operations much. However, if you are using DHCP for a variety of system configuration options, such as default DNS servers and static routes, you will want to have shorter lease times so that changes to the network are recognized quickly by the DHCP clients. In this case, having lease times that are longer than a day or two can be problematic, because clients that obtain a new lease just before a critical infrastructure change is made will not recognize this change until the lease
105. Figure 91: Overlapping parallel classes

9.5.1 Shared Policies
In our example, traffic policies p2p in and p2p out are shared between interfaces eth0 and ath0. This causes both interfaces to be regarded as a single interface from the standpoint of QoS. In practice this means that 1 Kbits/sec can be occupied by P2P traffic coming from either eth0 or ath0, and another 1 Kbits/sec by P2P traffic leaving from either eth0 or ath0, not 1 Kbits/sec each.

9.6 Example: Access Point Bandwidth Sharing
9.6.1 New QoS Entry
NETKROM OS/NNMS has a convenient way to set bandwidth policies for individual clients of an Access Point. This feature works only for clients that have a statically assigned IP and not via DHCP. If you want to set bandwidth policies for individual AP clients which get their IP via DHCP, you'll have to set up your classes manually based on the client's MAC address. You define a bandwidth policy for an AP client by clicking on the New Client button (picture 91).
Figure 92: The New QoS Entry window
We will now create two bandwidth policies for two AP clients, John and Maria.
106. pressed as a single IP address (e.g. 192.168.1.1/32) or as a whole IP subnet (e.g. 192.168.1.0/24). A match occurs if the destination IP of the packet is exactly the same or belongs to the subnet configured. Type the destination IP address and number of subnet mask bits into the Destination IP field.
Input Interface: The Input Interface field displays the interface from which the packet was delivered. A match occurs if the interface that the packet arrived from is the same as the configured interface (if the configured interface is a bridge, this also matches with interfaces under the bridge). In the Input Interface drop-down list, select a specific input interface or select ANY.
Output Interface: The Output Interface field displays the interface from which the packet is to be transmitted. A match occurs if the interface that the packet will be transmitted from is the same as the configured interface (in case the configured interface is a bridge, this also matches with interfaces under the bridge). In the Output Interface drop-down list, select a specific input interface or select ANY.
Existing Flowmark: The Existing Flowmark drop-down list contains Flowmarks that already have been configured. Select a Flowmark from the list to configure a Flowmark as a firewall matching rule. A match occurs if the packet was marked by this mark when it flowed through the Flowmark chain.
New Flowmark: The New Flowmark field is available if Mar
107. rameters constitute the MATCH part of a class. The GUI panel responsible for these options is depicted at picture 80.
Figure 76: Network Traffic Matches

9.3 Guarantees and Limitations
On the other hand, the network resources that can be guaranteed or limited are:
• Committed Information Rate
• Peak Information Rate
• Committed Burst Size
• Excess Burst Size
• Priority
These parameters constitute the TARGET part of a class. The GUI interface responsible for these options is depicted in Picture 81.
Figure 79: Policy parameters

Committed Information Rate (CIR)
This is the rate, expressed in kbits/s, which is guaranteed to always be available to the respective traffic class. Naturally, the CIR dedicated to a specific class cannot exceed the network bandwidth available. When mu
108. Figure 41: Site Survey Operation
At the bottom of the Site Survey dialog box four buttons are available:
Connect: Select a node in the list and click Connect to connect to that node.
Refresh: Click the Refresh button to re-scan and update the Site Survey list.
Continuous Scan: Click Continuous Scan to enable consecutive scanning. The button remains depressed until clicked a second time. While in Continuous Scan mode, the Site Survey list is updated dynamically, merging all the possible unique entries.
Align: The Align option allows you to achieve the best possible alignment for a distant point-to-point link. Click the Align button. The Site Survey Align dialog box appears. This dialog box displays BSSID, SSID, Channel Number, Link Quality and Signal Level fields. Using this dialog you can monitor signal strength and quality value statistics through consecutive polling. Polling occurs at a high frequency to provide an up-to-date representation of the link. While monitoring these statistics you can adjust your antenna to achieve maximum performance. When optimal antenna position and polarity are achieved, click the Quit button to return to the Site Survey panel.
Figure 42: Site Survey Align

5.2 Configuri
109. rewall Matching Fields
Click the button. The Firewall Rule Configuration for chain "type" Chain dialog box appears. This dialog box contains two tabs: Basic and Advanced.
Not Check Boxes: In both tabs, several fields have a Not check box beside them. The Not field inverts the matching operation, causing a match to occur if the opposite of the rule is matched. For example, Source IP is configured with a specific IP address. When the adjacent check box is selected, the rule will match all packets except the ones that have the specified Source IP address.

Basic Rule Settings
Figure 56: Firewall Rule Configuration Dialog Box, Basic Tab
Source IP: The Source IP field displays the Source IP address of the packet. The address can be expressed as a single IP address (e.g. 192.168.1.1/32) or as a whole IP subnet (e.g. 192.168.1.0/24). A match occurs if the source IP of the packet is exactly the same or belongs to the subnet configured. Type the source IP address and number of subnet mask bits into the Source IP field.
Destination IP: The Destination IP field displays the Destination IP address of the packet. The address can be ex
110. Figure 44: Wireless WEP Settings

5.3.2 Setting Wi-Fi Protected Access (WPA)
In the WPA tab you can configure a NETKROM node to encrypt/decrypt data with keys based on the WPA protocol. To implement WPA, select WPA in the Selected Encryption Mode drop-down list.
Setting WPA Mode: To set the WPA Mode, select either the WPA or RSN (WPA 2) option button.
Figure 45: Wireless WPA Settings
Setting Key Management Mode: To configure the Key Management field, select PSK (Pre-Shared Key) or EAP (Extensible Authentication Protocol) in the Key Management Mode drop-down list. This selection determines the type of fields that appear in the area in the right side of the pane.
EAP: When EAP is selected, several text boxes appear on the right side of the panel. These fields are requ
111. rminated, it summarizes the results in a graphic display, giving the average round trip time and the percent packet loss. This utility can be used to determine whether there is a problem with the network connection between two hosts.
112. s appear: Remote Domain, Remote IP and Demand Time. To configure this field, identify the PPPoE server by its IP address and type the address into the Remote IP field, OR determine its domain name and type it into the Remote Domain field. Then type a time period (seconds) into the Demand Time field. If a PPPoE connection remains idle for this period, the connection closes until you try to use it again (probably from a PC behind the router).
Figure 73: PPPoE Enable on Demand Settings
Current Status: When you click the Refresh button, the Current Status field displays information on the current connection: whether there is a connection, or the reason for an unsuccessful attempt to connect.

Configuring a PPTP Client
The PPTP client application is used to create PPTP connections with PPTP servers, mainly used by Internet Service Providers.
Figure 74: WAN PPTP Settings
To configure a PPTP Client, select the interface from the interface tree. Its background turns blue. This interface
113. s be some bandwidth available to accommodate the rest of the traffic (traffic not covered by any of the subclasses).

Example: Elimination of P2P Traffic
Currently NETKROM OS does not support filtering of IP traffic based on its Layer 7 properties. For example, you can't set up a firewall rule to block incoming/outgoing P2P traffic. Nonetheless, you can virtually eliminate it by restricting the bandwidth available to it. In this example we will set up two Traffic Policies, one for each direction, and two Traffic Classes that will reduce the bandwidth available to P2P traffic to as low as Kbits/sec. P2P users will soon get frustrated and drop their P2P applications altogether. The following pictures demonstrate the QoS configuration needed.
Figure 90: Class hierarchy for restricting P2P traffic on both interfaces
114. s flow through Firewall and NAT chains.
Figure 54: Packet flow diagram (from a host to another host; from router to another host; from a host to router)

6.2 Configuring Firewall Rules
Rules are entries in a chain consisting of several fields (criteria) that can be used to match a data packet. If all criteria are met, the rule is matched and the packet leaves the chain, launching the action of the matching rule. From the Firewall tab you can:
• Select Chains
• Set up Policy
• Add, delete and manage Firewall Rules and Flowmarks
• Write rules to the active list
• Refresh the displayed information
Figure 55: Firewall Chains
Before configuring a rule, you must Select Chain and set the Policy.
Select Chain: In the Select Chain drop-down list, select Input, Output or Forward.
Policy: In the Policy drop-down list, select Accept or Drop.
ACCEPT: The packet will flow to the next chain, leaving the current chain at this rule; no further rules in this chain are examined.
DROP: The packet stops flowing and is discarded without notifying the sender.

Configuring Fi
115. ss 4 support

Configuring WDS Mode
A NETKROM node can operate as an access point WDS node. This gives you the opportunity to configure a Wireless Distribution System Network by setting up a number of NETKROM WDS nodes, each one taking part in the network. All the features and settings described in the access point section are supported for WDS mode. In addition, WDS Mode features a WDS List, which contains the MAC addresses of all WDS nodes included in the network. To configure the currently selected node for Wireless Distribution System (WDS) mode, select WDS in the Selected Operation Mode drop-down list. The WDS tab becomes available. SSID, Inactivity Limit, Beacon Period, Site Survey, Stealth Mode, Hide ESSID and Stop Wireless to Wireless Traffic fields are configured the same as for Access Point Mode. The WDS tab also features an Association List button and a list of Registered WDS Nodes.
116. t
Figure 53: Extended Repetition Topology Example
In this scenario, the NETKROM Base Node's BSS is repeated through a Repeater chain. Each NETKROM Repeater node repeats the BSS of the previous node. Each station is connected to a different Repeater Node, but they all belong to the same BSS, as if they were on the same access point. This topology can be useful in creating a long distance extension of a Base Node AP's BSS, or even to reduce the load of an AP in a large area with many clients. Also, by configuring a NETKROM Repeater in an optimal position within the target area, you can achieve load balancing. In addition, Repeater offers bridging of all wireless Clients with all Ethernet Host PCs adjacent to its Ethernet interface.

6 Firewall and NAT
A firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. A network system, in order to support firewall functionality, must have at least two network interfaces: one for the network it is intended to protect and one for the network it is exposed to. A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet. To configure Firewall settings, select the Firewall tab located under the Advanced Configuration of Node Configuration tabs. To configure
117. t DC Power
Step 1: Connect one end of a Cat5 Ethernet cable to the LAN OUT port of the PoE Injector and the other end of the Ethernet cable to the LAN 1 port of the access point. Finally, connect the LAN IN port of the PoE injector to a switch or PC using another Cat5 Ethernet cable.
Step 2: Connect the power adapter included in the Netkrom PoE kit to the main electrical supply and the power plug into the socket of the PoE injector. Now turn on your power supply. Notice that the POWER LED has lit up. This indicates that the ISPAIR CPE 510 is receiving power through the Netkrom PoE Injector and that connection between your CPE and your network has been established.
Note: Please use the power adapter provided in the package. Using a power adapter with a different voltage rating will damage this product.

Mounting the ISPAIR CPE 510 on a wall
Step 1: Hold the catches upward as shown in the figure.
Step 2: While still holding the catches, push the cover outwards.
Step 3: Align the bracket to the wall. Using the bracket as a guideline, make 4 marks and drill 4 holes into the wall. Next, secure the brackets to the wall as shown in the figure on the right.
Step 4: Align the main unit with the bracket to attach them as shown in the figure.
Step 5: Next fasten two screws tha
118. t MRTG, extract the required files in a network server with Java support and initialize it by executing the following command:
java jar MRTG server 1 4 0 jar

Using MRTG
• After the successful MRTG server initialization, in the Utilities menu select MRTG. The built-in MRTG client will be invoked and a prompt appears requesting the MRTG server IP address.
• Type the MRTG server IP address. Upon successful connection, nodes can be inserted in the monitoring list.
• On each node insertion, the user will be presented with a list of all available interfaces. The user may select one or more interfaces to monitor.
Figure 106: MRTG Display Statistics
NOTE: The JRobin MRTG server uses SNMP polls to retrieve information, which means that the SNMP agent has to be enabled on the monitored node.

13 WISP Easy Wizard
The WISP Easy Wizard is an extension to NETKROM NMS providing a convenient and easy way to install NETKROM nodes. To start the WISP Easy Wizard, in the Node Shortcut Menu select WISP Easy Wizard (WEW). The WISP Easy Wizard (WEW) dialog box appears, which displays some typical WISP installations. Select from the available operational modes. An Info Tip is displayed in the upper left corner of the window when the cursor is hovered over an image.
119. t are provided in the packaging to secure the main unit to the bracket.

Mounting the ISPAIR CPE 510 on a Pole
Step 1: Hold the catches upward as shown in the figure.
Step 2: While still holding the catches, push the cover outwards.
Step 3: Use metal straps to secure the bracket to the pole. Place the straps through the slots in the bracket and then around the pole. Tighten the straps.
Step 4: Align the main unit with the bracket to attach them as shown in the figure.
Step 5: Next, fasten the two screws that are provided in the packaging to secure the main unit to the bracket.

1 Product Overview
The NETKROM Network Management System (NNMS) is used to configure and manage wireless networks of NETKROM nodes. NETKROM NMS has been designed to provide network administrators with a comprehensive and simple way to control and configure their network nodes.

Compatibility and Requirements
The NETKROM NMS software operates on any PC or Mac supported by Java. That is, any version of Microsoft Windows (98, ME, 2000, NT, XP, VISTA) or GNU/Linux.

NETKROM NMS Features
Optimized communication protocol between NETKROM's software and NETKROM NMS, featuring high levels of interactivity. Additionally, an advanced encryption scheme can guarantee secure configura
121. t they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are very flexible for user/host management, bandwidth allocation and resource optimization. The IEEE 802.1Q specification establishes a standard method for tagging Ethernet frames with VLAN membership information. The IEEE 802.1Q standard defines the operation of VLAN bridges that permit the definition, operation and administration of Virtual LAN topologies within a Bridged LAN infrastructure. The 802.1Q standard is intended to address the problem of how to break large networks into smaller parts so broadcast and multicast traffic does not require more bandwidth than necessary. The standard also helps provide a higher level of security between segments of internal networks. To make a router an 802.1Q compliant device, one or more VLAN interfaces must be created with the proper tags. This can be accomplished in the VLAN tab of the NETKROM NMS window. VLAN interfaces can be added, removed and managed from this tab.
Figure 25: VLAN Tab

3.6.1 Adding VLAN Interfaces
1. In the VLAN tab, click the button. The Crea
122. t your settings, click the Insert New Route dialog Submit button, then click the IP Configuration pane Submit button to complete the process.
4.1.4 Removing Static Routing Entries
To remove a specific routing entry, select the table row of that entry, then click the Entries Commands button.
4.1.5 Modifying Static Routing Entries
To edit a specific routing entry, select the table row of that entry, then click the Entries Commands button.
4.1.6 Repositioning Static Routing Entries
Routing entries allocated in each routing table are parsed by the OS kernel in a serial manner. To modify the series priority of allocated entries, select the table row of the entry to be moved, then click the Entries Commands button to move the entry upward or the button to move it downward in the list.
4.2 Configuring Static Rules
A rule is a method for implementing Access Control Lists (ACL) for routes. Rules allow you to specify the filters that match packets to select a route structure when the filter does match.
4.2.1
Using a rule, you can perform the most common Policy Routing function: route by source address. The rule can specify the selection of a packet if the source address of the packet falls within a designated address range, and which route structure to use or other destination to choose if th
123. te a new VLAN dialog appears. This dialog contains the main fields for configuring a VLAN interface. The VLAN TagID field automatically generates a unique VLAN identifier according to 802.1Q.
2. Click the arrow on the Interface dropdown list and select any enabled physical interface or bridge.
3. Type IP subnet address in the IP Address/Subnet Mask fields. These are required to properly route tagged packets. If there is a need to drop untagged packets (not 802.1Q compliant), configure the specific physical interface and any virtual interface with zero IP address.
4. Click Submit to complete the process. The virtual interface Tag number, Interface name and IP subnet address will appear in the Virtual LAN list.
[Figure 26: Create a New VLAN Dialog Box]
3.6.2 Removing VLAN Interfaces
To remove a VLAN Interface, in the VLAN list select the interface to be deleted. Click the button. The VLAN information will disappear from the list.
3.6.3 Modifying VLAN Interfaces
To modify the settings for a VLAN interface, select the interface and click the button. The Create a new VLAN dialog box appears. The settings for the interface are shown in the fields. Change these settings as required, then click the Submit button. The new settings appear in the VLA
124. tes Layer 2 loops in networks by selectively blocking some ports and allowing other ports to forward traffic, based on global (bridge) and local (port) parameters you can configure.
3.3 Configuring Global Settings
The center pane of the IP Configuration tab contains Global Settings. These fields apply to all network interfaces.
[Figure 20: IP Global Settings]
3.3.1 Default Gateway
Every IP packet with an unknown destination will be forwarded through the default gateway IP address. Set this address statically by typing it into the Default GW field. It also can be set dynamically from another application such as a DHCP client, a PPPoE client or a PPTP client.
3.3.2 IP Forwarding
IP Forwarding allows all traffic to flow between interfaces, even if they are set on different subnets. Select the IP Forwarding check box to allow the system to forward packets from one subnet to another.
3.3.3 DNS1 and DNS2
You can set DNS1 and DNS2 addresses statically by typing them in, or they can be set dynamically from another application such as a DHCP client, a PPPoE client or a PPTP client.
3.4 Using Special Interface Commands
The bottom pane of the IP Configuration tab contains Special Action Interface Commands used to create and manage network bridges and virtual interface commands.
Network Bridge Co
125. the Alias field will contain the Hostname of the node.
[Figure 12: GUI Node Connectivity Settings Dialog Box]
IP Address: When NETKROM NMS scans the network, it looks for the IP Address listed in this dialog. If it makes a connection, the border around the icon turns green. If not, the border is red. Default IP address: 192.168.1.3
Alias: To change the Alias, type the new name into the Alias text box.
Password: Type the password (default: admin) into the Password field. This step is required to allow access to Advanced Node Configuration, described later in this section.
Node Icon: To change the node icon, select an icon from the drop-down menu.
Submit Changes: Click the Submit Changes button to add the node to the Topology Map and keep the dialog box open.
OK: Click OK to add the node and exit the dialog box.
NOTE: Changing the IP Address, Alias or Password specifies the parameters assigned to the currently selected node icon. The IP address and password will be used when NNMS scans the network. Changing the IP address of the icon does not change the IP address of the node. If the IP address of the icon is changed to an address not present on the network, the border of the associated icon will turn red, indicating no connection has been made.
Open Status
126. the application as java -jar NNMSvX.jar from the current directory. JRE v1.4 must be preinstalled.
2 NETKROM NMS
2.1
If your goal is to deploy several wireless access points in one system, central management is recommended. Even if you plan to begin with a smaller network but expect to expand in the future, a centrally managed system should be considered. The NETKROM Network Management System (NNMS) provides an effective turnkey management solution that covers the needs of most users. Using NNMS you can:
• Manage access points and devices on the wireless network
• Configure network nodes, polling settings and other parameters
• Load and save network configurations
• Configure and view network topology
• Auto-discover available nodes
• Analyze network traffic using the Multi Router Traffic Grapher (MRTG)
Overview of NNMS Interface
The user interface utilizes typical drop-down menus, shortcut menus (right-click) and tabbed/sub-tabbed panes inside the main window.
NNMS Main Window
The NETKROM NMS window is a graphical user interface that facilitates viewing, configuring and monitoring your wireless network. The interface includes a typical main menu, tabbed panes containing graphical and textual information, and shortcut menus that allow you to navigate to other windows, tabs and dialog boxes.
127. tion and monitoring of NETKROM nodes
Easy wizard-based configuration of NETKROM Hot Spot
Easy WISP Configuration Wizard
New graph-based statistics providing real-time bandwidth utilization per network interface
New robust network topology display
Built-in Multi Router Traffic Grapher (MRTG) support
NETKROM Features
Advanced fault-tolerant mechanisms guaranteeing node stability
Advanced Hotspot functionality: Web Redirect, Universal Access Method, MAC Authentication, Bandwidth Management, User Information and Radius Statistics, Walled Garden, Advertisement URLs, Configurable redirection page
1.4
Multiple bridged high-speed interfaces
Administration MAC Radius Attributes Support
WAN Interface configuration PPPoE PPTP
DHCP leases information added
Wireless Functionality
• Advanced Wireless Security WPA 802.1x
• Best Channel Selection Algorithm
• Country Code Selection, out-of-band modes
• Wireless-to-wireless traffic filtering
• MAC Address Spoofing
• Advanced Firewall functionality
• NTP (Network Time Protocol) service
NETKROM NMS Installation Guide
For a Windows installation, double-click the NETKROM vX setup.exe installer and follow the prompts. The installer comes bundled with JRE 1.4, so you do not have to pre-install it. For a Linux or Macintosh installation, unzip the NNMSvX jars.zip file and launch
128. to be keep
The keepalive concept is very simple: when you set up a TCP connection, you associate a set of timers. Some of these timers deal with the keepalive procedure. When the keepalive timer reaches zero, you send your peer a keepalive probe packet with no data in it and the ACK flag turned on. You can do this because of the TCP/IP specifications, as a sort of duplicate ACK, and the remote endpoint will have no arguments, as TCP is a stream-oriented protocol. On the other hand, you will receive a reply from the remote host (which doesn't need to support keepalive at all, just TCP/IP), with no data and the ACK set.
If you receive a reply to your keepalive probe, you can assert that the connection is still up and running without worrying about the user-level implementation. In fact, TCP permits you to handle a stream, not packets, and so a zero-length data packet is not dangerous for the user program.
This procedure is useful because if the other peers lose their connection (for example by rebooting) you will notice that the connection is broken, even if you don't have traffic on it. If the keepalive probes are not replied to by your peer, you can assert that the connection cannot be considered valid and then take the correct action.
Max concurrent TCP SYN requests
The Max concurrent TCP SYN requests field contains the number of concurrent connection request attempts at one time.
129. ure a new node:
• Right-click anywhere in the topology pane, then click the Insert new node button that appears, or
• Click the or On the Tools menu, click Add New Node.
The Insert New Node dialog box appears.
[Figure 7: Insert New Node Dialog Box]
2. Type the IP address, Alias (optional) and SSH Settings Password. Typically a new node is given the default password admin.
3. Select a Displayed Icon (optional) to represent the node.
[Figure 6: List of Available Icons]
Note: Though optional, adding Alias and/or Displayed Icon provides an enhanced visual representation of the nodes. This becomes especially useful when working with middle to large scale networks.
4. Click the Add button. The icon will appear in the topology pane. All topology panes are updated with the new insertion information.
130. ured in this field:
• ALL: A match always occurs.
• TCP: A match occurs if
10. The Source port is entered as a number from 0 to 65535, where 0 indicates that all ports are matched.
11. The Destination port is entered as a number from 0 to 65535, where 0 indicates that all ports are matched.
• UDP: A match occurs if packet's protocol type is UDP and
12. The Source port is entered as a number from 0 to 65535, where 0 indicates that all ports are matched.
13. The Destination port is entered as a number from 0 to 65535, where 0 indicates that all ports are matched.
• ICMP: A match occurs if packet's protocol type is ICMP.
• GRE: A match occurs if packet's protocol type is GRE.
• AH: A match occurs if packet's protocol type is AH.
• ESP: A match occurs if packet's protocol type is ESP.
Source MAC (sender's MAC address): A match occurs if the packet's Source MAC address in the Ethernet header is the same.
Comment: The Comment field is used to enter a string consisting of at most 30 characters to describe the rule. This field is not used for matching.
SNAT Chain Specific Fields
The following fields are available in the SNAT configuration dialog box:
Masquerade: The IP address to be assigned to outgoing packets is dynamically retrieved from the current outgoing interface's IP address; you do not need to explicitly configure the outgoing source IP address.
Transl
131. width equally among a group of HOTSPOT users
• Make sure that certain services (e.g. the web portal of a hotspot) will always be accessible, no matter how overloaded the network is
• Reserve a portion of the available bandwidth for latency-sensitive applications like VoIP
• Mitigate DoS attacks by restricting the network usage available for specific kinds of traffic (e.g. ICMP traffic)
9.1 The QoS window tab
Let's have a look first at the overall GUI interface (Picture 77).
[Figure 75: The QoS window]
There are three main columns:
9.1.1 Traffic Classes
Traffic classes are entities to which we associate specific traffic patterns and specific network resources. The traffic patterns constitute the Matches associated to a Traffic Class and the
132. you must click the button.
6.3.2 Examples
The following examples may be helpful in understanding how to configure Firewall and NAT rules.
Deny incoming SSH connections to your router from the internet
SSH service by default runs on port 22. Assume that the router is connected to the internet through interface eth0. To disallow incoming SSH connections from the internet, you can insert a rule in the Input chain of the Firewall system that will drop this kind of connection (because they are TCP connections, SYN flag will be set). To accomplish this, configure the Firewall rules as follows:
In the Basic tab:
Source IP: 0.0.0.0/0 (any)
Destination IP: 0.0.0.0/0 (any)
Input interface: eth0 (the connection to internet)
Comment: no SSH connect
ACTION: DROP
In the Advanced tab:
Protocol: TCP
SYN Flag: SET
Source Port: 0 (any)
Destination Port: 22 (SSH)
[Figure 62: Basic Rule Example Configuration]
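The SSH example above, modelled as an added sketch that is not part of the manual or of NETKROM OS: it applies the manual's stated match semantics (port 0 matches all ports, SYN Flag SET, input interface) to constructed packets. The Packet and Rule classes, the first-match evaluation order and the default ACCEPT policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:  # constructed, simplified view of one received packet
    in_if: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False

@dataclass
class Rule:  # hypothetical model of the Basic/Advanced tab fields
    action: str
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    in_if: str = "ANY"
    proto: str = "ALL"
    sport: int = 0  # 0 means all ports are matched
    dport: int = 0
    syn_set: bool = False  # SYN Flag: SET
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.in_if not in ("ANY", p.in_if):
            return False
        if ip_address(p.src) not in ip_network(self.src_net):
            return False
        if ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.proto == "ALL":
            return True  # ALL: a match always occurs
        if self.proto != p.proto:
            return False
        if self.proto in ("TCP", "UDP"):
            if self.sport not in (0, p.sport) or self.dport not in (0, p.dport):
                return False
        return not (self.proto == "TCP" and self.syn_set and not p.syn)

def evaluate(chain, packet, default="ACCEPT"):
    # Assumption: first matching rule decides; unmatched packets get the default.
    for rule in chain:
        if rule.matches(packet):
            return rule.action
    return default

# The manual's rule: drop new SSH connections arriving on eth0.
INPUT_CHAIN = [Rule("DROP", in_if="eth0", proto="TCP", dport=22,
                    syn_set=True, comment="no SSH connect")]

# Constructed sample packets (documentation address ranges).
SSH_SYN_WAN = Packet("eth0", "TCP", "203.0.113.7", "198.51.100.1", 40000, 22, syn=True)
SSH_SYN_LAN = Packet("eth1", "TCP", "192.168.1.20", "192.168.1.1", 40001, 22, syn=True)
SSH_REPLY = Packet("eth0", "TCP", "203.0.113.9", "198.51.100.1", 22, 40002)
HTTPS_SYN = Packet("eth0", "TCP", "203.0.113.7", "198.51.100.1", 40003, 443, syn=True)
```

Only SSH_SYN_WAN is dropped: SSH from another interface, replies to SSH sessions the router itself opened, and other services on eth0 fall through to the assumed default policy, so the rule is scoped to the internet-facing interface only.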