TP-LINK TL-ER6120 Dokumentacja

TL-ER6120 Gigabit Dual-WAN VPN Router REV1.2.0 1910010936

-4- Chapter 2 Introduction Thanks for choosing the SafeStream Gigabit Dual-WAN VPN Router TL-ER6120. 2.1 Overview of the Router The SafeStream Gigabi

-94- Specify a unique name to the IP Address Pool for identification and management purposes. e start IP address should not exceed the end address

-95- The PPPoE configuration IP and 3.6.1.1 General On this page, you can configurCho ervices→Pcan be implemented on List of Account pages. General,

-96- Max Echo-Requests: Specify the maximum number of Echo-Requests sent by the server to wait for response. The default is 10. The link will be drop

-97- Figure 3-67 IP Address Pool The following items are displayed on this screen:  IP Address Pool Pool Name: Specify a unique name to the IP Addr

-98- Figure 3-68 Account his screen: The following items are displayed on t Account the one in L2TP/PPTP connection settings. IP Address Assigned

-99- Status: Activate or inactivate the entry. MAC Binding: count to a MAC address manually. Only from the Host with this MAC address can the  Auto

-100-  Exceptional IP IP Address Range: Specify the start and the end IP address to make an exceptional IP address range. This range should be in th

-101- Figure 3-71 E-Bulletin The fo items are displayed on this screen: e electronic bulletin function. llowing General Enable E-Bulletin: Specify

-102-  ANY: The bulletin will be released to all the users and the PCs on the Object: Select the object of this bulletin. Options include: LAN. 

-103- if the DDNS cli access the p bsite and FTP . The NS clien g this function, be sure you have registered on the rs for username, password and

-5-  Dual-WAN Ports + Providing two 10/100/1000M WAN ports for users to connect two Internet lines for bandwidth expansion. + Supporting multiple Lo

-104- DDNS Status: Displays the current status of DDNS service  Offline: DDNS service is disabled.  Online: DDNS works normally. or Password is

-105- Domain Name: Enter the Domain Name that you registered with your DDNS service DDNS Service: r inactivate DDNS service here. S is selected. e 

-106-  PeanutHull DDNS Account Name: Enter the Account Name of your DDNS account. If you have not registered, click <Go to register> to go to

-107- Figure 3-75 Comexe DDNS t r Domain Name 1: Enter the Domain Name that you registered with your DDNS service Domain Name 2: Optional. Enter th

-108- rvice: Activate or inactivate DDNS service here. WAN Port: Displays the WAN port for which Comexe DDNS is selected. ver.  Online: DDNS works

-109-  General UPnP Function: Enable or disable the UPnP function globally. apping After UPnP is enabled, all UPnP connection rules will be displa

-110- ssword: Enter a new password for the router. New PaConfirm New Password: Re-enter the new password for confirmation. Note: ● The factory def

-111- Note: ● The default Web Management Port is 80. If the port is changed, you should type in the new address, such as http://192.168.0.1:XX (“X

-112- Figure 3-79 Remote Management The following items are displayed on this screen:  Remote Management Subnet/Mask: Specify r the hosts desire

-113- Figure 3-81 Export and Import The following items are displayed on this screen:  Configuration Version Displays the current Configuration ve

-6-  Supports Diagnostic (Ping/Tracert) and Online Detection VPN  Supports IPsec VPN and provides up to 100 IPsec VPN tunnels  Supports IPSec V

-114- The configuration will not be lost after rebooting. The Internet connection will be temporarily interrupted while rebooting. Note: To avoid da

-115- Figure 3-84 License 3.7.4 Statistics 3.7. Str ailed traffic information of each port and extra page. 4.1 Interface Traffic atistics Interface

-116- Rate Rx： Displays the rate for receiving data frames. Displays the rate for transmitting data frames. Packets Tx: Displays the number of packe

-117-  General Enable IP Traffic Statistics: Allows you to enable or disable IP Traffic Statistics. Enable Auto-refresh:Allows you to enable/disabl

-118- Figure 3-87 Diagnostics The following items are displa Destination IP/Domain: on IP address or Domain name here. Then select a port for testi

-119- On this page, you can detect the WAN port is online or not. Choose the menu Maintenance→Diagnostics→Online Detection to load the following page

-120- →Time to load the following page. Choose the menu Maintenance→Time Figure 3-89 Time The following items are displayed on this screen:  Curren

-121- 3.7. ght Saving TOn this page you can configure th g Time of the router. Choose the menu Maintenance→ i6.2 Dayli ime e Daylight SavinTme→Daylig

-122- e: S t ration in Date mode. This configuration is one ff in e in minutes when Daylight ving rt/E the start time and end time of Daylight S

-123- Severity Level Description Emergency 0 The system is unusable. alerts 1 Action must be taken immediately. critical 2 Critical conditions error

-7- LED Status Indication Flashing The router works properly SYS ff On/O The router works improperly On There is a device linked to the correspondi

-124- 4.1 Network Requirements The company has established the server farms in the headquarters to provide the Web, Mail and FTP services for all the

-125- 4.2 Network Topology 4.3 Configurations You can configure the router via the PC connected to the LAN port of this router. To log in to the rou

-126- Choose the menu Network→System Mode to load the following page. Select the NAT mode and the <Save> button to apply. Figure 4-1 System Mo

-127- Figure 4-3 Link Backup osts in the re.133, LAN: 172.31.10.1) to access the quarters, you can create the VPN tunnel via the TP-LINK VPN routers

-128- DH Group: DH2 Click the <Add> button to apply. Figure 4-4 IKE Proposal  IKE Policy Choose the menu VPN→IKE→IKE Policy to load the con

-129- Figure 4-5 IKE Policy Tips: For the VPN router in the re e IKE settings should be the same as the router in mote branch office, ththe headquar

-130- Figure 4-6 IPsec Proposal  IPsec Policy Choose the menu VPN→IPsec→IPsec Policy to load the configuration page. Settings: IPsec: Enable Pol

-131- Figure 4-7 IPsec Policy Tips: For the VPN router in the remote branch office, the IPsec settings should be consistent with the router in the h

-132-  L2TP/PPTP Tunnel Choose the menu VPN→L2TP/PPTP→L2TP/PPTP Tunnel to load the following page. Check the box of Enable VPN-to-Internet to allo

-133- 4.3.3 Network Management To manage the enterprise network effectively and forbid the Hosts within the IP range of 192.168.0.30-192.168.0.50 to

-8-  Power Socket Connect the female connector of the power cord to this power socket, and the male connector to the AC power outlet. Please make s

-134- Choose the menu User Group→User to load the configuration page. Click the <Batch> button to batch processing screen. Then continue with

-135- ion List> button and select the applications desired to be blocked on the popup window. Application: Click the <ApplicatStatus: Activate

-136- andwidth the menu Network→WAN→W ad the configuration page. Configure the Upstream Bandwidth and Downstream Bandwidth of the interface as Figure

-137- Max. Sessions: 250 Status: Activate Click the <Add> button to apply. Figure 4-15 Session Limit 4.3.4 Network Security You can enable th

-138- Figure 4-17 Scanning Result Choose the menu Firewall→Anti ARP Spoofing→IP-MAC Binding to load the configuration page. be bound or click the &l

-139- Figure 4-19 IP-MAC Binding 4.3.4.2 WAN ARP Defense To prevent the WAN ARP attack, you can bind the default gateway and IP address of WAN port.

-140- Figure 4-20 Attack Defense 4.3.4.4 Traffic Monitoring 1) Port Mirror Choose the menu Network→Switch→Port Mirror to load the configuration page

-141- Figure 4-21 Port Mirror 2) Statistics Choose the menu Maintenance→Statistics to load the page. Load the Interface Traffic Statistics page to v

-142- Figure 4-23 IP Traffic Statistics After all the above steps, the enterprise network will be operated based on planning.

-143- Chapter 5 CLI TL-ER6120 provides a Console port for CLI (Command Line Interface) configuration, which enables you to configure the router by ac

-9- Chapter 3 Configuration 3.1 Network 3.1.1 Status The Status page shows the system information, the port connection status and other information r

-144- Figure 5-2 Connection Description 4. Select the port (The default port is COM1) to connect in Figure 5-3, and click OK. Figure 5-3 Select th

-145- Figure 5-4 Port Settings 6. Choose File → Properties → Settings on the Hyper Terminal window as Figure 5-5 shows, then choose VT100 or Auto de

-146- 7. Th prom ill appear after pressing the Ente l window as Figure 5-6 shows. e DOS pting “TP-LINK>” w r button in the Hyper Termina Figure

-147- Mode Accessing Path Prompt Logout or Access the next mode User EXEC MPrimary mode once it is nected withTP-LINK >Use the exit command to

-10- Figure 3-2 Network Topology - NAT Mode If your router is connecting the two networks of different areas in a large network environment with a n

-11- Figure 3-4 Network Topology – Classic Mode Choose the menu Network→System Mode to load the following page. Figure 3-5 System Mode You can sele

-12- Note: In Non-NAT mode, all the NAT forwarding rules will be disabled.  Classic Mode It's the combined mode of NAT mode and Non-NAT mode.

-13-  Static IP Connection Type: Select Static IP if your ISP has assigned a static IP address for your computer. IP Address: Enter the IP addres

-I- COPYRIGHT & TRADEMARKS Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Oth

-14- Figure 3-7 WAN – Dynamic IP The following items are displayed on this screen:  Dynamic IP Connection Type: Select Dynamic IP if your ISP as

-15- Use the following DNS Server: Select this option to enter the DNS (Domain Name Server) address manually. Primary DNS: Enter the IP address of yo

-16- 3) PPPoE If your ISP (Internet Service Provider) has provided the account information for the PPPoE connection, please choose the PPPoE connect

-17-  PPPoE Settings Connection Type: Select PPPoE if your ISP provides xDSL Virtual Dial-up connection. Click <Connect> to dial-up to the

-18- Service Name: Optional. Enter the Service Name provided by your ISP. It's null by default. Primary DNS: Enter the IP address of your ISP’s

-19- response from your ISP. Please ensure that your settings are correct and your network is connected well. Consult your ISP if this problem remain

-20- Figure 3-9 WAN - L2TP The following items are disp L2TP Settings ype: address. Click <Disconnect> to disconnect the Internet connect

-21- MTU: imum Transmission Unit) is the maximum data unit transmitted by the physical network. It can be set in the range of ur ISP. ly activate or

-22-  L2TP Status Status: Displays the status of PPPoE connection.  “Disabled” indicates that the L2TP connection type is not applied. “Conne

-23- Figure 3-10 WAN - PPTP The following items are displayed on this screen:  PPTP Settings Connection Type: Select PPTP if your ISP provides a P

-II- Продукт сертифіковано згідно с правилами системи УкрСЕПРО на відповідність вимогам нормативних документів та вимогам, що передбачені ч

-24- MTU: MTU (Maximum Transmission Unit) is the maximum data unit ansmitted by the physical network. It can be set in the range of 1460. The default

-25-  PPTP Status Status: Displays the status of PPTP connection.  “Disabled” indicates that the PPTP connection type is not applied.  “Conne

-26- Figure 3-11 WAN – Bigpond The following items are displayed on this screen:  BigPond Settings Connection Type: vides a BigPond connection. Cl

-27- ode: You can select the proper Active mode according to your need. Internet connection by the <Connect> or <Disconnect> button. It’s

-28- Note: To ensure the BigPond connection re-established normally, please restart the connection at least 5 seconds after the connection is off. 3.

-29- Figure 3-13 DHCP Settings The following items are displayed on this screen:  DHCP Settings DHCP Server: Enable or disable the DHCP server

-30- Optional. Enter the Primary DNS server address provided by your NS: address is available, enter it. 3.1.4.3 On this page, you can view the infor

-31-  DHCP Reservation MAC Address: Enter the MAC address of the computer for which you want to reserve the IP address. IP Address: Enter the res

-32- Figure 3-16 DMZ – Public Mode In Private mode, the DMZ port allows the Hosts in DMZ to access Internet via NAT mode which translates private IP

-33- is screen: as a normal LAN port when it’s disabled. Mode: Select the mode for DMZ port to control the connection way among DMZ, LAN and Internet

-III- CONTENTS Package Contents...1 Ch

-34- The application of MAC address for DMZ port is similar to that for LAN port. Choose the menu Network→MAC Address→MAC Address to load the follo

-35- Choos u Network→e the men Switch→Statistics to load the following page. Figure 3-20 Statistics The following items are displayed on this screen

-36- : Displays the number of the received packets (including error frames) that agged frame is 1522 bytes long. e: ames) that Total (Bytes): Display

-37-  General Enable Port Mirror:Check the box to enable the Port Mirror function. If unchecked, it will be disabled. Mode: Select the mode for the

-38- 1) before ror function and select the Ingress & Egress mode. apply. n each port so as to manage your Choose the menu Network→Switch→Rat

-39- all the frames.  Broadcast & Multicast: Select this option to limit broadcast frame and  Broadcast: Select this option to limit the

-40- Flow Control: Allows you to enable/disable the Flow Control function. Negotiation Mode: Select the Negotiation Mode for the port. All Ports: All

-41- Figure 3-25 Port VLAN The following items are displayed on this screen: f the physical port. VLAN: Select the desired VLAN for the port.  P

-42- The following items are displayed on this screen:  Group Config Group Name: Specify a unique name for the group. Description: Give a descript

-43- Figure 3-28 View Configuration The following items are displayed on this screen:  View Config View: Select the desired view for configuration.

-IV- 3.3.3 Session Limit ...55 3.3.4 Load B

-44- 3.3.1 NAT NAT (Network Address Translation) is the translation between private IP and public IP, which allows private network users to visit the

-45- NAT→One-to-One NAT to load the following page. Choose the menu Advanced→ Figure 3-30 One to One NAT The following items are displayed on this sc

-46- NAT llows the IP under LAN or DMZ port within multiple subnets to access the 3.3.1.3 Multi-NetsMulti-Nets NAT function aInternet via NAT. Choos

-47- e layer switch is 192.168.2.0 /24, while the subnet of VLAN3 is 192.168.3.0 /24. The IP of VLAN for cascading the switch to the router is 192.16

-48- nding Static Route entry, enter the IP address of the interface connecting the router and the three layer switch into the Next Hop field. Choo

-49-  Virtual Server Name: Enter a name for Virtual Server entries. Up to 28 characters can be entered. External Port: Enter the service port or p

-50- Figure 3-33 Port Triggering following items are displayed on this screen: The Port Triggering range of port. Only when the trigger port i

-51- Note: ● The Trigger Port and Incoming Port should be set in the range of 1-65535. The Incoming Port can be set in a continuous range such as 86

-52- abled. It is recommended to keep the default setting if no special requirement. quirement. Enable or disable PPTP ALG. The default setting is en

-53- Enable Bandwidth Control all the time:Select this option to enable Bandwidth Control all the time. Enable Bandwidth Control When: With this opti

-V- 4.2 Network Topology...125 4.3 Conf

-54- Figure 3-36 Bandwidth Control The following items are displayed on this screen: Select the data stream direction for the entry. The direction o

-55- Effective Time: Specify the time for the entry to take effect. Description: Give a description for the entry. Status: Activate or inactivate t

-56- Figure 3-37 Session Limit  General Enable Session Limit: Check here to enable Session Limit, otherwise all the Session Limit entries will be

-57- Figure 3-38 Session List In this table, you can view the session limit information of users configured with Session Limit. Click the <Refres

-58- Figure 3-40 Policy Routing  General Protocol: Select the protocol for the entry in the drop-down list. If the protocol you want to set is no

-59- .  List of Rules You can view the informatiThe first entry in Figure 3-40 indicates: All the packets with Source IP between 192.168.0.100 and

-60- N AN button y in the primary WAN Config: The WAN port in the secondary WAN list will share the traffic for the WAN in the primary WAN list unde

-61- otocols such as TCP, UDP and Choose the menu Advanced→Load Balance→Protocol to load the following page. 3.3.4.4 Protocol On this page, you can s

-62- small- topology, Static Route does not change along with the oute information manually as long as the network topology or link status is change

-63- by the Action buttons. The first entry in Figure 3-43 indicates: If there are packets being sent to a device with IP address of 211.162.1.0 and

-1- Package Contents The following items should be found in your package:  One TL-ER6120 Router  One Power Cord  One Console Cable  One Ground

-64- step 2. The static routing rules are shown in the following figure. 2. Add a static routing rule for LAN3 by referring to 3.3.5RIP (Routing In

-65-  General Interface: Displays the interfaces which has been physically connected or assigned static IP. Status: Enable or disable RIP protocol

-66- Figure 3-45 RIP The following items are displayed on this screen:  Route Table Destination: The Destination of route entry. Gateway: The Gate

-67- packets, which results in a breakd y is generated to3.4.1. MAC Binding IP-MAC Binding functions to bind the IP address, MAC address of the host

-68- criptionStatus: Activate or inactivate the entry.  List of Rules You an view tThe first entry in Figure 3-46 indicates: The IP address of 192

-69- --- Indicates that the IP and MAC address of this entry are not bound and may be replaced by error ARP information. Indicates that this entry

-70- Figure 3-49 Attack Defense The fo displayed General Flood Defense: Flood attack is a commonly used DoS (Denial of Service) attack, cluding

-71- On this page, you can control the Internet access of local hosts by specifying their MAC addresses. Choose the menu Firewall→MAC Filtering→MAC F

-72- irew→ s Control→URL Filtering to load the following page. Choose the menu FallAcces Figure 3-51 URL Filtering The following items are displayed

-73- Application Example: Network Requirements: Prevent the local hosts from accessing Internet website www.aabbcc.com anytime and downloading the f

-2- Chapter 1 About this Guide This User Guide contains information for setup and management of TL-ER6120 router. Please read this guide carefully be

-74- 3.4.4.3 les Choose the menu Firewall→Ac l→Access Rules to load the following page. Access Rucess Contro Figure 3-53 Access Rule The fo s are d

-75- Select the Source IP Range for the entries, including the following can set the group on3.2.1 Group.  ANY: means for any users. Destination:

-76- The ered for Firewall function conveniently. Protocol name and port range constitute a service type. The router predefines three commonly used

-77- You can view the informati List of Service on of the entries and edit them by the Action buttons. Note: The service types predefined3.4.5 App

-78- u can select “Group” to limit the predefined group, or select “ANY” to limit all the users. Application: Click the <Application List> butt

-79- The database refers to all the applications in the application list on the Application Rules page, you can download the latest database from htt

-80- phase 2, thesecurity protocols in IPsec and he transmission data. 3.5.1.1 IKE PolicyOn this page you can conChoose the menu VPN IKE peers use

-81- Select the IKE Exchange Mode in phase 1, and ensure the remote VPN tection and exchanges more information, which applies to the scenarios with h

-82- 3.5.1.2 sal On this page, you can defineChoose the menu VPN→IKE→IKE Proposal to load the following page. IKE Propo and edit the IKE Proposal.

-83- DH Group: Select the DH (Diffie-Hellman) group to be used in key negotiation phase 1. The DH Group sets the strength of the algorithm in bits. O

-3- Appendix A Hardware Specifications Lists the hardware specifications of this router. Appendix B FAQ Provides the possible solutions to the prob

-84- Figure 3-60 IPsec Policy The followin General able IPsec fun IPsec Policy Policy Name: Mode: Specify IP address range on your local LAN t

-85- Subnet: our remote network to identify which PCs on the remote network are covered by this policy. It's formed by IP address and subnet mas

-86-  Manual Mode IPsec Proposal: Select the IPsec Proposal. Only one proposal can be selected on Manual mode. You need to first create the IPsec P

-87- Key-Out: Specify the outbound ESP Encryption Key manually if ESP at the other end of the tunnel, and vice versa.  IPIn this table, yoThe fir

-88-  Proposal Name: to the IPsec Proposal for identification and ec proposal can be applied to IPsec Security Protocol: Select the security protoc

-89- ESP Encryption: Select the algorithm used to encrypt the data for ESP encryption. Options include: NONE: Performs no encryption. DES: DES (Data

-90- 3.5.3 L2TP/PPTP Layer 2 VPN tunneling protocol consists of L2TP (Layer 2 Tunneling Protocol) and PPTP (Point to Point Tunneling Protocol). Both

-91- Figure 3-63 L2TP/PPTP Tunnel The following items are displaye Enable VPN-to-Internet: e VPN-to-Internet function. If enabled, the VPN client i

-92- server initiatively for establishing a tunnel. Password: Enter the password of L2TP/PPTP tunnel. It should be configured Select the network

-93- Enter the IP address of the client which is allowed to connect to this Remote Subnet: Enter the IP address range of your remote network. (It&apo