TL-ER6120 Gigabit Dual-WAN VPN Router REV1.2.0 1910010936
-4- Chapter 2 Introduction Thanks for choosing the SafeStream Gigabit Dual-WAN VPN Router TL-ER6120. 2.1 Overview of the Router The SafeStream Gigabi
-94- Specify a unique name to the IP Address Pool for identification and management purposes. e start IP address should not exceed the end address
-95- The PPPoE configuration IP and 3.6.1.1 General On this page, you can configurCho ervices→Pcan be implemented on List of Account pages. General,
-96- Max Echo-Requests: Specify the maximum number of Echo-Requests sent by the server to wait for response. The default is 10. The link will be drop
-97- Figure 3-67 IP Address Pool The following items are displayed on this screen: IP Address Pool Pool Name: Specify a unique name to the IP Addr
-98- Figure 3-68 Account his screen: The following items are displayed on t Account the one in L2TP/PPTP connection settings. IP Address Assigned
-99- Status: Activate or inactivate the entry. MAC Binding: count to a MAC address manually. Only from the Host with this MAC address can the Auto
-100- Exceptional IP IP Address Range: Specify the start and the end IP address to make an exceptional IP address range. This range should be in th
-101- Figure 3-71 E-Bulletin The fo items are displayed on this screen: e electronic bulletin function. llowing General Enable E-Bulletin: Specify
-102- ANY: The bulletin will be released to all the users and the PCs on the Object: Select the object of this bulletin. Options include: LAN.
-103- if the DDNS cli access the p bsite and FTP . The NS clien g this function, be sure you have registered on the rs for username, password and
-5- Dual-WAN Ports + Providing two 10/100/1000M WAN ports for users to connect two Internet lines for bandwidth expansion. + Supporting multiple Lo
-104- DDNS Status: Displays the current status of DDNS service Offline: DDNS service is disabled. Online: DDNS works normally. or Password is
-105- Domain Name: Enter the Domain Name that you registered with your DDNS service DDNS Service: r inactivate DDNS service here. S is selected. e
-106- PeanutHull DDNS Account Name: Enter the Account Name of your DDNS account. If you have not registered, click <Go to register> to go to
-107- Figure 3-75 Comexe DDNS t r Domain Name 1: Enter the Domain Name that you registered with your DDNS service Domain Name 2: Optional. Enter th
-108- rvice: Activate or inactivate DDNS service here. WAN Port: Displays the WAN port for which Comexe DDNS is selected. ver. Online: DDNS works
-109- General UPnP Function: Enable or disable the UPnP function globally. apping After UPnP is enabled, all UPnP connection rules will be displa
-110- ssword: Enter a new password for the router. New PaConfirm New Password: Re-enter the new password for confirmation. Note: ● The factory def
-111- Note: ● The default Web Management Port is 80. If the port is changed, you should type in the new address, such as http://192.168.0.1:XX (“X
-112- Figure 3-79 Remote Management The following items are displayed on this screen: Remote Management Subnet/Mask: Specify r the hosts desire
-113- Figure 3-81 Export and Import The following items are displayed on this screen: Configuration Version Displays the current Configuration ve
-6- Supports Diagnostic (Ping/Tracert) and Online Detection VPN Supports IPsec VPN and provides up to 100 IPsec VPN tunnels Supports IPSec V
-114- The configuration will not be lost after rebooting. The Internet connection will be temporarily interrupted while rebooting. Note: To avoid da
-115- Figure 3-84 License 3.7.4 Statistics 3.7. Str ailed traffic information of each port and extra page. 4.1 Interface Traffic atistics Interface
-116- Rate Rx: Displays the rate for receiving data frames. Displays the rate for transmitting data frames. Packets Tx: Displays the number of packe
-117- General Enable IP Traffic Statistics: Allows you to enable or disable IP Traffic Statistics. Enable Auto-refresh:Allows you to enable/disabl
-118- Figure 3-87 Diagnostics The following items are displa Destination IP/Domain: on IP address or Domain name here. Then select a port for testi
-119- On this page, you can detect the WAN port is online or not. Choose the menu Maintenance→Diagnostics→Online Detection to load the following page
-120- →Time to load the following page. Choose the menu Maintenance→Time Figure 3-89 Time The following items are displayed on this screen: Curren
-121- 3.7. ght Saving TOn this page you can configure th g Time of the router. Choose the menu Maintenance→ i6.2 Dayli ime e Daylight SavinTme→Daylig
-122- e: S t ration in Date mode. This configuration is one ff in e in minutes when Daylight ving rt/E the start time and end time of Daylight S
-123- Severity Level Description Emergency 0 The system is unusable. alerts 1 Action must be taken immediately. critical 2 Critical conditions error
-7- LED Status Indication Flashing The router works properly SYS ff On/O The router works improperly On There is a device linked to the correspondi
-124- 4.1 Network Requirements The company has established the server farms in the headquarters to provide the Web, Mail and FTP services for all the
-125- 4.2 Network Topology 4.3 Configurations You can configure the router via the PC connected to the LAN port of this router. To log in to the rou
-126- Choose the menu Network→System Mode to load the following page. Select the NAT mode and the <Save> button to apply. Figure 4-1 System Mo
-127- Figure 4-3 Link Backup osts in the re.133, LAN: 172.31.10.1) to access the quarters, you can create the VPN tunnel via the TP-LINK VPN routers
-128- DH Group: DH2 Click the <Add> button to apply. Figure 4-4 IKE Proposal IKE Policy Choose the menu VPN→IKE→IKE Policy to load the con
-129- Figure 4-5 IKE Policy Tips: For the VPN router in the re e IKE settings should be the same as the router in mote branch office, ththe headquar
-130- Figure 4-6 IPsec Proposal IPsec Policy Choose the menu VPN→IPsec→IPsec Policy to load the configuration page. Settings: IPsec: Enable Pol
-131- Figure 4-7 IPsec Policy Tips: For the VPN router in the remote branch office, the IPsec settings should be consistent with the router in the h
-132- L2TP/PPTP Tunnel Choose the menu VPN→L2TP/PPTP→L2TP/PPTP Tunnel to load the following page. Check the box of Enable VPN-to-Internet to allo
-133- 4.3.3 Network Management To manage the enterprise network effectively and forbid the Hosts within the IP range of 192.168.0.30-192.168.0.50 to
-8- Power Socket Connect the female connector of the power cord to this power socket, and the male connector to the AC power outlet. Please make s
-134- Choose the menu User Group→User to load the configuration page. Click the <Batch> button to batch processing screen. Then continue with
-135- ion List> button and select the applications desired to be blocked on the popup window. Application: Click the <ApplicatStatus: Activate
-136- andwidth the menu Network→WAN→W ad the configuration page. Configure the Upstream Bandwidth and Downstream Bandwidth of the interface as Figure
-137- Max. Sessions: 250 Status: Activate Click the <Add> button to apply. Figure 4-15 Session Limit 4.3.4 Network Security You can enable th
-138- Figure 4-17 Scanning Result Choose the menu Firewall→Anti ARP Spoofing→IP-MAC Binding to load the configuration page. be bound or click the &l
-139- Figure 4-19 IP-MAC Binding 4.3.4.2 WAN ARP Defense To prevent the WAN ARP attack, you can bind the default gateway and IP address of WAN port.
-140- Figure 4-20 Attack Defense 4.3.4.4 Traffic Monitoring 1) Port Mirror Choose the menu Network→Switch→Port Mirror to load the configuration page
-141- Figure 4-21 Port Mirror 2) Statistics Choose the menu Maintenance→Statistics to load the page. Load the Interface Traffic Statistics page to v
-142- Figure 4-23 IP Traffic Statistics After all the above steps, the enterprise network will be operated based on planning.
-143- Chapter 5 CLI TL-ER6120 provides a Console port for CLI (Command Line Interface) configuration, which enables you to configure the router by ac
-9- Chapter 3 Configuration 3.1 Network 3.1.1 Status The Status page shows the system information, the port connection status and other information r
-144- Figure 5-2 Connection Description 4. Select the port (The default port is COM1) to connect in Figure 5-3, and click OK. Figure 5-3 Select th
-145- Figure 5-4 Port Settings 6. Choose File → Properties → Settings on the Hyper Terminal window as Figure 5-5 shows, then choose VT100 or Auto de
-146- 7. Th prom ill appear after pressing the Ente l window as Figure 5-6 shows. e DOS pting “TP-LINK>” w r button in the Hyper Termina Figure
-147- Mode Accessing Path Prompt Logout or Access the next mode User EXEC MPrimary mode once it is nected withTP-LINK >Use the exit command to
-10- Figure 3-2 Network Topology - NAT Mode If your router is connecting the two networks of different areas in a large network environment with a n
-11- Figure 3-4 Network Topology – Classic Mode Choose the menu Network→System Mode to load the following page. Figure 3-5 System Mode You can sele
-12- Note: In Non-NAT mode, all the NAT forwarding rules will be disabled. Classic Mode It's the combined mode of NAT mode and Non-NAT mode.
-13- Static IP Connection Type: Select Static IP if your ISP has assigned a static IP address for your computer. IP Address: Enter the IP addres
-I- COPYRIGHT & TRADEMARKS Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Oth
-14- Figure 3-7 WAN – Dynamic IP The following items are displayed on this screen: Dynamic IP Connection Type: Select Dynamic IP if your ISP as
-15- Use the following DNS Server: Select this option to enter the DNS (Domain Name Server) address manually. Primary DNS: Enter the IP address of yo
-16- 3) PPPoE If your ISP (Internet Service Provider) has provided the account information for the PPPoE connection, please choose the PPPoE connect
-17- PPPoE Settings Connection Type: Select PPPoE if your ISP provides xDSL Virtual Dial-up connection. Click <Connect> to dial-up to the
-18- Service Name: Optional. Enter the Service Name provided by your ISP. It's null by default. Primary DNS: Enter the IP address of your ISP’s
-19- response from your ISP. Please ensure that your settings are correct and your network is connected well. Consult your ISP if this problem remain
-20- Figure 3-9 WAN - L2TP The following items are disp L2TP Settings ype: address. Click <Disconnect> to disconnect the Internet connect
-21- MTU: imum Transmission Unit) is the maximum data unit transmitted by the physical network. It can be set in the range of ur ISP. ly activate or
-22- L2TP Status Status: Displays the status of PPPoE connection. “Disabled” indicates that the L2TP connection type is not applied. “Conne
-23- Figure 3-10 WAN - PPTP The following items are displayed on this screen: PPTP Settings Connection Type: Select PPTP if your ISP provides a P
-II- Продукт сертифіковано згідно с правилами системи УкрСЕПРО на відповідність вимогам нормативних документів та вимогам, що передбачені ч
-24- MTU: MTU (Maximum Transmission Unit) is the maximum data unit ansmitted by the physical network. It can be set in the range of 1460. The default
-25- PPTP Status Status: Displays the status of PPTP connection. “Disabled” indicates that the PPTP connection type is not applied. “Conne
-26- Figure 3-11 WAN – Bigpond The following items are displayed on this screen: BigPond Settings Connection Type: vides a BigPond connection. Cl
-27- ode: You can select the proper Active mode according to your need. Internet connection by the <Connect> or <Disconnect> button. It’s
-28- Note: To ensure the BigPond connection re-established normally, please restart the connection at least 5 seconds after the connection is off. 3.
-29- Figure 3-13 DHCP Settings The following items are displayed on this screen: DHCP Settings DHCP Server: Enable or disable the DHCP server
-30- Optional. Enter the Primary DNS server address provided by your NS: address is available, enter it. 3.1.4.3 On this page, you can view the infor
-31- DHCP Reservation MAC Address: Enter the MAC address of the computer for which you want to reserve the IP address. IP Address: Enter the res
-32- Figure 3-16 DMZ – Public Mode In Private mode, the DMZ port allows the Hosts in DMZ to access Internet via NAT mode which translates private IP
-33- is screen: as a normal LAN port when it’s disabled. Mode: Select the mode for DMZ port to control the connection way among DMZ, LAN and Internet
-III- CONTENTS Package Contents...1 Ch
-34- The application of MAC address for DMZ port is similar to that for LAN port. Choose the menu Network→MAC Address→MAC Address to load the follo
-35- Choos u Network→e the men Switch→Statistics to load the following page. Figure 3-20 Statistics The following items are displayed on this screen
-36- : Displays the number of the received packets (including error frames) that agged frame is 1522 bytes long. e: ames) that Total (Bytes): Display
-37- General Enable Port Mirror:Check the box to enable the Port Mirror function. If unchecked, it will be disabled. Mode: Select the mode for the
-38- 1) before ror function and select the Ingress & Egress mode. apply. n each port so as to manage your Choose the menu Network→Switch→Rat
-39- all the frames. Broadcast & Multicast: Select this option to limit broadcast frame and Broadcast: Select this option to limit the
-40- Flow Control: Allows you to enable/disable the Flow Control function. Negotiation Mode: Select the Negotiation Mode for the port. All Ports: All
-41- Figure 3-25 Port VLAN The following items are displayed on this screen: f the physical port. VLAN: Select the desired VLAN for the port. P
-42- The following items are displayed on this screen: Group Config Group Name: Specify a unique name for the group. Description: Give a descript
-43- Figure 3-28 View Configuration The following items are displayed on this screen: View Config View: Select the desired view for configuration.
-IV- 3.3.3 Session Limit ...55 3.3.4 Load B
-44- 3.3.1 NAT NAT (Network Address Translation) is the translation between private IP and public IP, which allows private network users to visit the
-45- NAT→One-to-One NAT to load the following page. Choose the menu Advanced→ Figure 3-30 One to One NAT The following items are displayed on this sc
-46- NAT llows the IP under LAN or DMZ port within multiple subnets to access the 3.3.1.3 Multi-NetsMulti-Nets NAT function aInternet via NAT. Choos
-47- e layer switch is 192.168.2.0 /24, while the subnet of VLAN3 is 192.168.3.0 /24. The IP of VLAN for cascading the switch to the router is 192.16
-48- nding Static Route entry, enter the IP address of the interface connecting the router and the three layer switch into the Next Hop field. Choo
-49- Virtual Server Name: Enter a name for Virtual Server entries. Up to 28 characters can be entered. External Port: Enter the service port or p
-50- Figure 3-33 Port Triggering following items are displayed on this screen: The Port Triggering range of port. Only when the trigger port i
-51- Note: ● The Trigger Port and Incoming Port should be set in the range of 1-65535. The Incoming Port can be set in a continuous range such as 86
-52- abled. It is recommended to keep the default setting if no special requirement. quirement. Enable or disable PPTP ALG. The default setting is en
-53- Enable Bandwidth Control all the time:Select this option to enable Bandwidth Control all the time. Enable Bandwidth Control When: With this opti
-V- 4.2 Network Topology...125 4.3 Conf
-54- Figure 3-36 Bandwidth Control The following items are displayed on this screen: Select the data stream direction for the entry. The direction o
-55- Effective Time: Specify the time for the entry to take effect. Description: Give a description for the entry. Status: Activate or inactivate t
-56- Figure 3-37 Session Limit General Enable Session Limit: Check here to enable Session Limit, otherwise all the Session Limit entries will be
-57- Figure 3-38 Session List In this table, you can view the session limit information of users configured with Session Limit. Click the <Refres
-58- Figure 3-40 Policy Routing General Protocol: Select the protocol for the entry in the drop-down list. If the protocol you want to set is no
-59- . List of Rules You can view the informatiThe first entry in Figure 3-40 indicates: All the packets with Source IP between 192.168.0.100 and
-60- N AN button y in the primary WAN Config: The WAN port in the secondary WAN list will share the traffic for the WAN in the primary WAN list unde
-61- otocols such as TCP, UDP and Choose the menu Advanced→Load Balance→Protocol to load the following page. 3.3.4.4 Protocol On this page, you can s
-62- small- topology, Static Route does not change along with the oute information manually as long as the network topology or link status is change
-63- by the Action buttons. The first entry in Figure 3-43 indicates: If there are packets being sent to a device with IP address of 211.162.1.0 and
-1- Package Contents The following items should be found in your package: One TL-ER6120 Router One Power Cord One Console Cable One Ground
-64- step 2. The static routing rules are shown in the following figure. 2. Add a static routing rule for LAN3 by referring to 3.3.5RIP (Routing In
-65- General Interface: Displays the interfaces which has been physically connected or assigned static IP. Status: Enable or disable RIP protocol
-66- Figure 3-45 RIP The following items are displayed on this screen: Route Table Destination: The Destination of route entry. Gateway: The Gate
-67- packets, which results in a breakd y is generated to3.4.1. MAC Binding IP-MAC Binding functions to bind the IP address, MAC address of the host
-68- criptionStatus: Activate or inactivate the entry. List of Rules You an view tThe first entry in Figure 3-46 indicates: The IP address of 192
-69- --- Indicates that the IP and MAC address of this entry are not bound and may be replaced by error ARP information. Indicates that this entry
-70- Figure 3-49 Attack Defense The fo displayed General Flood Defense: Flood attack is a commonly used DoS (Denial of Service) attack, cluding
-71- On this page, you can control the Internet access of local hosts by specifying their MAC addresses. Choose the menu Firewall→MAC Filtering→MAC F
-72- irew→ s Control→URL Filtering to load the following page. Choose the menu FallAcces Figure 3-51 URL Filtering The following items are displayed
-73- Application Example: Network Requirements: Prevent the local hosts from accessing Internet website www.aabbcc.com anytime and downloading the f
-2- Chapter 1 About this Guide This User Guide contains information for setup and management of TL-ER6120 router. Please read this guide carefully be
-74- 3.4.4.3 les Choose the menu Firewall→Ac l→Access Rules to load the following page. Access Rucess Contro Figure 3-53 Access Rule The fo s are d
-75- Select the Source IP Range for the entries, including the following can set the group on3.2.1 Group. ANY: means for any users. Destination:
-76- The ered for Firewall function conveniently. Protocol name and port range constitute a service type. The router predefines three commonly used
-77- You can view the informati List of Service on of the entries and edit them by the Action buttons. Note: The service types predefined3.4.5 App
-78- u can select “Group” to limit the predefined group, or select “ANY” to limit all the users. Application: Click the <Application List> butt
-79- The database refers to all the applications in the application list on the Application Rules page, you can download the latest database from htt
-80- phase 2, thesecurity protocols in IPsec and he transmission data. 3.5.1.1 IKE PolicyOn this page you can conChoose the menu VPN IKE peers use
-81- Select the IKE Exchange Mode in phase 1, and ensure the remote VPN tection and exchanges more information, which applies to the scenarios with h
-82- 3.5.1.2 sal On this page, you can defineChoose the menu VPN→IKE→IKE Proposal to load the following page. IKE Propo and edit the IKE Proposal.
-83- DH Group: Select the DH (Diffie-Hellman) group to be used in key negotiation phase 1. The DH Group sets the strength of the algorithm in bits. O
-3- Appendix A Hardware Specifications Lists the hardware specifications of this router. Appendix B FAQ Provides the possible solutions to the prob
-84- Figure 3-60 IPsec Policy The followin General able IPsec fun IPsec Policy Policy Name: Mode: Specify IP address range on your local LAN t
-85- Subnet: our remote network to identify which PCs on the remote network are covered by this policy. It's formed by IP address and subnet mas
-86- Manual Mode IPsec Proposal: Select the IPsec Proposal. Only one proposal can be selected on Manual mode. You need to first create the IPsec P
-87- Key-Out: Specify the outbound ESP Encryption Key manually if ESP at the other end of the tunnel, and vice versa. IPIn this table, yoThe fir
-88- Proposal Name: to the IPsec Proposal for identification and ec proposal can be applied to IPsec Security Protocol: Select the security protoc
-89- ESP Encryption: Select the algorithm used to encrypt the data for ESP encryption. Options include: NONE: Performs no encryption. DES: DES (Data
-90- 3.5.3 L2TP/PPTP Layer 2 VPN tunneling protocol consists of L2TP (Layer 2 Tunneling Protocol) and PPTP (Point to Point Tunneling Protocol). Both
-91- Figure 3-63 L2TP/PPTP Tunnel The following items are displaye Enable VPN-to-Internet: e VPN-to-Internet function. If enabled, the VPN client i
-92- server initiatively for establishing a tunnel. Password: Enter the password of L2TP/PPTP tunnel. It should be configured Select the network
-93- Enter the IP address of the client which is allowed to connect to this Remote Subnet: Enter the IP address range of your remote network. (It&apo
Kommentare zu diesen Handbüchern