Asus Router RX3141 User Manual
RX3141 User’s Manual

Chapter 7. Configuring Static Routes

7.2.2 Adding Static Routes

Figure 7.2. Static Route Configuration

Follow these instructions to add a static route to the routing table.

1. Open the Static Route configuration page by double clicking the Advanced → Static Route menu.
2. Enter static routes information such as destination IP address, destination subnet mask, gateway IP address and the interface in the corresponding fields. For a description of these fields, refer to Table 7.1. Static Route Configuration Parameters. To create a route that defines the default gateway for your LAN, enter 0.0.0.0 in both the Destination IP Address and Subnet Mask fields.
3. Click to add a new route.
7.2.3 Deleting Static Routes

Figure 7.3. Sample Routing Table

Follow these instructions to delete a static route from the routing table.

1. Open the Static Route configuration page by double clicking the Advanced → Static Route menu.
2. Click on the icon of the route to be deleted in the Routing Table.

WARNING: Do not remove the route for default gateway unless you know what you are doing. Removing the default route will render the Internet unreachable.

7.2.4 Viewing the Static Routing Table

All IP-enabled computers and routers maintain a table of IP addresses that are commonly accessed by their users. For each of these destination IP addresses, the table lists the IP address of the first hop the data should take. This table is known as the device’s routing table.

To view the RX3141’s routing table, double click the Advanced → Static Route menu. The Routing Table displays at the upper half of the Static Route Configuration page, as shown in Figure 7.1.

The Routing Table displays a row for each existing route containing the IP address of the destination network, subnet mask of destination network and the IP of the gateway that forwards the traffic.
8 Configuring DDNS

Dynamic DNS is a service that allows computers to use the same domain name, even when the IP address changes from time to time (during reboot or when the ISP’s DHCP server resets IP leases). RX3141 connects to a Dynamic DNS service provider whenever the WAN IP address changes. It supports setting up web services such as a Web server or FTP server using a domain name instead of the IP address.

Dynamic DNS supports the DDNS clients with the following features:

- Update DNS records (addition) when an external interface comes up
- Force DNS update

Only HTTP DDNS client is supported.

HTTP Dynamic DNS Client

HTTP DDNS client uses the mechanism provided by the popular DDNS service providers for updating the DNS records dynamically. In this case, the service provider updates DNS records in the DNS. RX3141 uses HTTP to trigger this update. RX3141 supports HTTP DDNS update with the following service provider:

- www.dyndns.org

Figure 8.1. Network Diagram for HTTP DDNS (diagram labels: Internet; ISR; HTTP DDNS Server (DynDNS); isr.homeunix.com)

Whenever the IP address of the configured DDNS interface changes, a DDNS update is sent to the specified DDNS service provider. RX3141 should be configured with the DDNS username and password that are obtained from your DDNS service provider.
8.1 DDNS Configuration Parameters

Table 8.1 describes the configuration parameters available for DDNS service.

Table 8.1. DDNS Configuration Parameters

Field: Description
Status: Shows the state of DDNS.
Dynamic DNS:
  Enable: Click on this radio button to enable the DDNS Service.
  Disable: Click on this radio button to disable the DDNS Service.
Domain Name: Enter the registered domain name provided by your ISP into this field. For example, if the host name of your RX3141 is “host1” and the domain name is “yourdomain.com”, the fully qualified domain name (FQDN) is “host1.yourdomain.com”.
Username: Enter the username provided by your DDNS service provider in this field.
Password: Enter the password provided by your DDNS service provider in this field.
8.2 Configuring HTTP DDNS Client

Figure 8.2. HTTP DDNS Configuration Page

Follow these instructions to configure the HTTP DDNS:

1. First, you should have already registered a domain name to the DDNS service provider. If you have not done so, please visit www.dyndns.org for more details.
2. Log into the Configuration Manager, and then click Advanced → DDNS Service menu to open the DDNS Configuration page.
3. In the DDNS Configuration page, select “Enable” for the Dynamic DNS.
4. Enter the domain name in the Domain Name field.
5. Enter the username and password provided by your DDNS service providers.
6. Click on button to send a DNS update request to your DDNS service provider. Note that DNS update request will also be sent to your DDNS Service provider automatically whenever the WAN port status is changed.
9 Configuring Firewall/NAT Settings

The RX3141 provides built-in firewall/NAT functions, enabling you to protect the system against denial of service (DoS) attacks and other types of malicious accesses to your LAN while providing Internet access sharing at the same time. You can also specify how to monitor attempted attacks, and unwanted network access.

This chapter describes how to configure router security settings, and create/modify/delete ACL (Access Control List) rules to control the data passing through your network. You will use firewall configuration pages to:

- Configure router security and DoS settings
- Create, modify, delete and view inbound/outbound/self-access ACL rules.
- View firewall log.

Note: When you define an ACL rule, you instruct the RX3141 to examine each data packet it receives to determine whether it meets criteria set forth in the rule. The criteria can include the network or Internet protocol it is carrying, the direction in which it is traveling (for example, from the LAN to the Internet or vice versa), the IP address of the sending computer, the destination IP address, and other characteristics of the packet data. If the packet matches the criteria established in a rule, the packet can either be accepted (forwarded towards its destination), or denied (discarded), depending on the action specified in the rule.

9.1 Firewall Overview

9.1.1 Stateful Packet Inspection

The stateful packet inspection engine in the RX3141 maintains a state table that is used to keep track of connection states of all the packets passing through the firewall. The firewall will open a “hole” to allow the packet to pass through if the state of the packet that belongs to an already established connection matches the state maintained by the stateful packet inspection engine. Otherwise, the packet will be dropped. This “hole” will be closed when the connection session terminates.
No configuration is required for stateful packet inspection; it is enabled by default when the firewall is enabled. Please refer to section 9.2.1 “Basic Router Security Configuration Parameters” to enable or disable firewall service on the RX3141.

9.1.2 DoS (Denial of Service) Protection

Both DoS protection and stateful packet inspection provide the first line of defense for your network. No configuration is required for either protection as long as the firewall is enabled for the RX3141. By default, the firewall is enabled at the factory. Please refer to section 9.2.1 “Basic Router Security Configuration Parameters” to enable or disable firewall service on the RX3141.

9.1.3 Firewall and Access Control List (ACL)

9.1.3.1 Priority Order of ACL Rule

All ACL rules have a rule ID assigned – the smaller the rule ID, the higher the priority. The firewall monitors the traffic by extracting header information from the packet and then either drops or forwards the packet by looking for a match in the ACL rule table based on the header information. Note that the ACL rule checking starts from the rule with the smallest rule ID and continues until a match is found or all the ACL rules are examined. If no match is found, the packet is dropped; otherwise, the packet is either dropped or forwarded based on the action defined in the matched ACL rule.

9.1.3.2 ACL Rule and Connection State Tracking

The stateful packet inspection engine in the firewall keeps track of the state, or progress, of a network connection. By storing information about each connection in a state table, RX3141 is able to quickly determine if a packet passing through the firewall belongs to an already established connection. If it does, it is passed through the firewall without going through ACL rule evaluation.

For example, an ACL rule allows outbound ICMP packets from 192.168.1.1 to 192.168.2.1. When 192.168.1.1 sends an ICMP echo request (i.e. a ping packet) to 192.168.2.1, 192.168.2.1 will respond with an ICMP echo reply to 192.168.1.1. In the RX3141, you don’t need to create another inbound ACL rule because the stateful packet inspection engine tracks the connection state and allows the ICMP echo reply to pass through the firewall.

9.1.4 Default ACL Rules

The RX3141 supports three types of default access rules:

- Inbound Access Rules: for controlling incoming access to your LAN.
- Outbound Access Rules: for controlling outbound access to external networks for hosts on your LAN.
- Self-Access Rules: for controlling access to the RX3141 itself.

Default Inbound Access Rules

No default inbound access rule is configured. That is, all traffic from external hosts to the internal hosts is denied.

Default Outbound Access Rules

The default outbound access rule allows all the traffic originated from your LAN to be forwarded to the external network using NAT.

Default Self Access Rules

The default self access rules allow http, ping, DNS, DHCP access to the RX3141 router from the LAN.

WARNING: It is not necessary to remove the default ACL rule from the ACL rule table! It is better to create higher priority ACL rules to override the default rule.
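The rule priority, default drop and state-table bypass described in sections 9.1.3.1, 9.1.3.2 and 9.1.4 can be modelled as follows. This is an added example, not ASUS code or part of the manual: the Rule and Firewall classes, the single combined rule table, the connection key (protocol and address pair, no ports) and every address other than the manual's ICMP pair are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    rule_id: int   # smaller ID = higher priority
    proto: str     # "icmp", "tcp", "udp" or "any"
    src: str       # source network, CIDR
    dst: str       # destination network, CIDR
    action: str    # "allow" or "deny"

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.rule_id)
        self.state = set()  # connections opened by an "allow" rule

    def process(self, proto, src, dst):
        # Packets of a tracked connection (either direction) skip the ACL.
        if (proto, src, dst) in self.state or (proto, dst, src) in self.state:
            return "allow (state table)"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:  # smallest rule ID first, stop at first match
            if (r.proto in ("any", proto) and s in ipaddress.ip_network(r.src)
                    and d in ipaddress.ip_network(r.dst)):
                if r.action == "allow":
                    self.state.add((proto, src, dst))
                return f"{r.action} (rule {r.rule_id})"
        return "deny (no match)"  # nothing matched: packet is dropped

    def close(self, proto, src, dst):
        self.state.discard((proto, src, dst))  # session ended, hole closed

def demo():
    # Constructed rule set (hypothetical IDs and addresses).
    fw = Firewall([
        Rule(1000, "any", "192.168.1.0/24", "0.0.0.0/0", "allow"),  # default-style outbound
        Rule(10, "icmp", "192.168.1.1/32", "192.168.2.1/32", "allow"),
        Rule(5, "tcp", "192.168.1.50/32", "0.0.0.0/0", "deny"),  # overrides rule 1000
    ])
    out = [fw.process("icmp", "192.168.1.1", "192.168.2.1"),  # echo request
           fw.process("icmp", "192.168.2.1", "192.168.1.1"),  # echo reply
           fw.process("tcp", "192.168.1.50", "203.0.113.7"),
           fw.process("tcp", "192.168.1.51", "203.0.113.7"),
           fw.process("tcp", "203.0.113.9", "192.168.1.51")]  # unsolicited inbound
    fw.close("icmp", "192.168.1.1", "192.168.2.1")
    out.append(fw.process("icmp", "192.168.2.1", "192.168.1.1"))  # late reply
    return out

if __name__ == "__main__":
    print("\n".join(demo()))
```

The deny rule with ID 5 takes effect for one host without touching the broad rule 1000, which is the override approach the warning above recommends.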
9.2 Router Security Settings

9.2.1 Basic Router Security Configuration Parameters

Table 9.1 describes the configuration parameters available for basic router security configuration.

Table 9.1. Basic Router Security Configuration Parameters

Field: Description
Firewall: Check or uncheck this box to enable or disable firewall.
NAT: Check or uncheck this box to enable or disable NAT.
Log Port Probing: Connection attempt to closed ports will be logged if this option is enabled.
Stealth Mode: If enabled, RX3141 will not respond to remote peer’s attempt to connect to the closed TCP/UDP ports.

To configure firewall basic settings, follow the instructions below:

1. Open the Router Security configuration page as shown in Figure 9.1 by double clicking on Router Setup → Security menu.
2. Check or uncheck individual check box for each security option.
3. Click to save the settings.

9.2.2 DoS Configuration

The RX3141 has an Attack Defense Engine that protects internal networks from Denial of Service (DoS) attacks such as IP spoofing, LAND, Ping of Death, smurf and all re-assembly attacks. It can drop ICMP redirects and IP loose/strict source routing packets. For example, a security device with the RX3141 Firewall provides protection from “WinNuke”, a widely used program to remotely crash unprotected Windows systems. For a complete list of DoS protection provided by the RX3141, please see Tables 2.1 and 9.2.
9.2.2.1 DoS Protection Configuration Parameters

Table 9.2 provides an explanation for each type of DoS attack. You may check or uncheck the check box to enable or disable the protection or detection for each type of DoS attack.

Table 9.2. DoS Attack Definition

Field: Description
IP Source Route: Intruder uses source routing in order to break into the target system.
IP Spoofing: Spoofing is the creation of TCP/IP packets using somebody else’s IP address. IP spoofing is an integral part of many network attacks that do not need to see responses.
Land: Attacker sends out packets to the system with the same source and destination IP address being that of the target system and causes the target system to try to resolve an infinite series of connections to itself. This can cause the target system to slow down drastically.
Ping of Death: An attacker sends out larger than 64KB packets to cause certain operating systems to crash.
Smurf: An attacker issues ICMP echo requests to some broadcast addresses. Each datagram has a spoofed IP source address to be that of a real target-host. Most of the addressed hosts will respond with an ICMP echo reply, but not to the real initiating host; instead all replies carry the IP address of the previously spoofed host as their current destination and cause the victim host or network to slow down drastically.
SYN/ICMP/UDP Flooding: Check or un-check this option to enable or disable the logging for SYN/ICMP/UDP flooding attacks. These attacks involve sending lots of TCP SYN/ICMP/UDP to a host in a very short period of time. RX3141 will not drop the flooding packets to avoid affecting the normal traffic.
TCP XMAS/NULL/FIN Scan: A hacker may be scanning your system by sending these specially formatted packets to see what services are available. Sometimes this is done in preparation for a future attack, or sometimes it is done to see if your system might have a service which is susceptible to attack.
  XMAS scan: A TCP packet has been seen with a sequence number of zero and the FIN, URG, and PUSH bits are all set.
  NULL scan: A TCP packet has been seen with a sequence number of zero and all control bits are set to zero.
  FIN scan: A hacker is scanning the target system using a stealth method. The goal of the hacker is to find out if they can connect to the system without really connecting using the “FIN” scanning. It attempts to close a non-existent connection on the server. Either way, it is an error, but systems sometimes respond with different error results depending upon whether the desired service is available or not.
Teardrop: In the teardrop attack, the attacker’s IP puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.
WinNUKE: Check or un-check this option to enable or disable protection against Winnuke attacks. Some older versions of the Microsoft Windows OS are vulnerable to this attack. If the computers in the LAN are not updated with recent versions/patches, you are advised to enable this protection by checking this check box.
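Detection logic for several Table 9.2 entries (Land, Ping of Death and the XMAS/NULL/FIN scans), written from the definitions in the table. This is an added example, not RX3141 firmware code: the packet-record fields, the function names and the sample packets are assumptions constructed for illustration.

```python
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG

def classify(pkt, established=frozenset()):
    """Return the Table 9.2 label for one parsed packet (a dict), or None."""
    if pkt["src"] == pkt["dst"]:
        return "Land"
    # frag_offset is in 8-byte units; a fragment ending past 65535 bytes
    # would reassemble into a datagram larger than IP allows.
    if pkt.get("frag_offset", 0) * 8 + pkt["length"] > 65535:
        return "Ping of Death"
    if pkt["proto"] != "tcp":
        return None
    flags = pkt["flags"]
    # The sequence-number-zero condition follows the manual's definitions.
    if pkt["seq"] == 0 and (flags & XMAS) == XMAS:
        return "XMAS scan"
    if pkt["seq"] == 0 and flags == 0:
        return "NULL scan"
    conn = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if flags == FIN and conn not in established:
        return "FIN scan"  # FIN for a connection that does not exist
    return None

def tcp(src, dst, flags, seq, sport=40000, dport=80):
    """Build a constructed sample TCP packet record."""
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport,
            "dport": dport, "flags": flags, "seq": seq, "length": 40}

# Constructed sample traffic (documentation addresses, not captured data).
ESTABLISHED = frozenset({("198.51.100.5", 40000, "192.0.2.10", 80)})
SAMPLES = [
    tcp("198.51.100.9", "192.0.2.10", FIN | PSH | URG, 0),
    tcp("198.51.100.9", "192.0.2.10", 0, 0),
    tcp("198.51.100.9", "192.0.2.10", FIN, 1234),
    tcp("198.51.100.5", "192.0.2.10", FIN | ACK, 5678),  # normal close
    tcp("192.0.2.10", "192.0.2.10", SYN, 1),
    {"proto": "icmp", "src": "198.51.100.9", "dst": "192.0.2.10",
     "frag_offset": 8189, "length": 1000},
]

def label_all(packets=SAMPLES):
    return [classify(p, ESTABLISHED) for p in packets]

if __name__ == "__main__":
    print(label_all())
```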