
Lobo OS & Lobo NMS System User's Guide

Version Issue: Last Update:

Version 1.1b

Lobo O.S. and NMS Reference Guide

Table Of Contents

3 Lobo OS Management via LNMS ..... 17
  3.1 Introduction ..... 17
  3.2 Network Topology ..... 17
    3.2.1 Lobo Node Insertion ..... 18
  3.3 Lobo Node Management ..... 20
4 IP Networking Configuration ..... 22
  4.1 Left Frame ..... 22
  4.2 Top Frame ..... 23
  4.3 Center Frame ..... 24
  4.4 Bottom Frame ..... 24
    4.4.1 Network Bridge ..... 24
    4.4.2 Virtual Interfaces ..... 25
  4.5 Table view ..... 26
  4.6 VLANS (IEEE 802.1Q) ..... 28
5 Static IP Routing ..... 30
  5.1 Introduction ..... 30
  5.2 Lobo Static IP routing configuration ..... 30
    5.2.1 Routing Tables ..... 30
    5.2.2 Routing Entries Handling ..... 32
  5.3 Lobo Static Rules ..... 34
    5.3.1 Introduction ..... 34
    5.3.2 Rule Entries Handling ..... 34
6 Wireless Configuration ..... 37
  6.1 General Description ..... 37
  6.2 Operational Modes ..... 39
    6.2.1 Access Point ..... 39
    6.2.2 WDS mode ..... 43
    6.2.3 Repeater Mode ..... 44
    6.2.4 AP Client and Station Mode ..... 46
  6.3 Radio Settings ..... 48
  6.4 Security Settings ..... 51
    6.4.1 WEP configuration ..... 51
    6.4.2 WPA Configuration ..... 52
    6.4.3 Access Control List ..... 54
  6.5 Outdoor Settings ..... 55
  6.6 Setting Country Code ..... 56
  6.7 Site Survey Operation ..... 57
  6.8 Wireless topologies Scenarios ..... 60
    6.8.1 How to make a Point To Point Link ..... 60
    6.8.2 BSSID extended Repetition ..... 62
7 Firewall and NAT ..... 64
  7.1 Firewall and NAT Chains ..... 64
  7.2 Field explanation ..... 66
    7.2.1 Firewall Matching fields ..... 66
    7.2.2 NAT Matching fields ..... 71
    7.2.3 Examples ..... 74
8 DHCP ..... 79
  8.1 Introduction ..... 79
  8.2 DHCP SERVER ..... 79
    8.2.1 Lease Times ..... 82
  8.3 DHCP CLIENT ..... 83
  8.4 DHCP RELAY ..... 83
9 WAN Configuration ..... 85
  9.1 PPPOE CLIENT ..... 85
  9.2 PPTP CLIENT ..... 88
10 Bandwidth Manager ..... 92
  10.1 General ..... 92
  10.2 Field explanation ..... 92
    10.2.1 Shaped IP ..... 92
    10.2.2 Source/Destination IP ..... 93
    10.2.3 Source/Destination Port ..... 93
    10.2.4 Bandwidth Type ..... 93
    10.2.5 Peer To Peer ..... 93
    10.2.6 Interface ..... 93
    10.2.7 Bandwidth limit ..... 93
  10.3 Examples ..... 93
    10.3.1 Limiting bandwidth of whole subnets ..... 93
    10.3.2 Limiting Peer to Peer Traffic ..... 97
    10.3.3 Tree-based mode: Limiting a host to some rate, but for a specific port use a smaller rate ..... 100
11 Lobo HOTSPOT wizard ..... 103
  11.1 General HotSpot Description ..... 103
  11.2 HotSpot Main Panel ..... 103
    11.2.1 Enable HotSpot ..... 103
    11.2.2 Status ..... 103
    11.2.3 Admin MAC ..... 103
    11.2.4 Users Info ..... 104
    11.2.5 Radius Statistics ..... 104
  11.3 Wizard Configuration ..... 104
    Wizard configuration is initialized by pressing the Start Wizard button in the corresponding configuration panel. ..... 104
    11.3.1 Wan ..... 104
    11.3.2 LAN ..... 105
    11.3.3 DHCP ..... 105
    11.3.4 NAT & Protection ..... 106
    11.3.5 Wireless ..... 110
    11.3.6 Radius ..... 110
    11.3.7 Authentication Type ..... 111
    11.3.8 Walled Garden ..... 111
    11.3.9 Advertisement ..... 112
    11.3.10 Web customization ..... 112
    11.3.11 Summary ..... 112
    11.3.12 Submit ..... 113
  11.4 Back end Radius Configuration ..... 113
  11.5 Example ..... 115
    11.5.1 STEP 1 ..... 116
    11.5.2 STEP 2 ..... 117
    11.5.3 STEP 3 ..... 117
    11.5.4 STEP 4 ..... 118
    11.5.5 STEP 5 ..... 119
    11.5.6 STEP 6 ..... 120
    11.5.7 STEP 7 ..... 121
    11.5.8 STEP 8 ..... 122
    11.5.9 STEP 9 ..... 124
    11.5.10 STEP 10 ..... 125
    11.5.11 STEP 11 ..... 125
    11.5.12 STEP 12 ..... 126
    11.5.13 STEP 13 ..... 127
    11.5.14 STEP 14 ..... 128
    11.5.15 STEP 15 ..... 129
  11.6 Troubleshooting ..... 134
12 System Services Configuration ..... 136
  12.1 Services Overview ..... 136
  12.2 SNMP ..... 136
  12.3 HTTP ..... 137
  12.4 SSH ..... 138
  12.5 NTP ..... 139
  12.6 Administrator Security Settings ..... 141
13 Licensing ..... 142
  13.1 Live Unlock ..... 142
  13.2 License Manager ..... 143
14 Discovery Manager ..... 144
15 Mrtg Support ..... 145
16 Lobo Monitoring and Statistics ..... 146
  16.1 Introduction ..... 146
  16.2 Status Info ..... 146
  16.3 Current Throughput ..... 146
  16.4 Packet Statistics ..... 147
  16.5 ARP table entries ..... 148
  16.6 Open connections ..... 149
  16.7 Monitor Utilities ..... 149
    16.7.1 Ping ..... 149
    16.7.2 Trace Route ..... 150
  16.8 System properties ..... 151
17 WISP Easy Wizard ..... 152

VERSION 1.0B 3/20/2005 PAGE 1

Table Of Figures
Figure 2-1: Serial interface Configuration ..... 15
Figure 3-1: LNMS Topology View ..... 17
Figure 3-2: Insert Lobo Node Dialog ..... 18
Figure 3-3: Lobo Node Insertion ..... 19
Figure 3-4: Customized Topology View ..... 20
Figure 3-5: Lobo node pop-up menu ..... 21
Figure 4-1: IP Interface Settings ..... 23
Figure 4-2: IP Global Settings ..... 24
Figure 4-3: Insertion of virtual interfaces ..... 26
Figure 4-4: Interface tree view ..... 27
Figure 5-1: Routing Table Handling ..... 31
Figure 5-2: Insert new Route ..... 32
Figure 5-3: New Routing Entry Added ..... 33
Figure 5-4: New Routing Rule Insertion ..... 35
Figure 6-1: Wireless Configuration Panel ..... 37
Figure 6-2: Wireless Operational Mode Settings ..... 39
Figure 6-3: Wireless WDS Mode Settings ..... 44
Figure 6-4: Repeater Topology ..... 45
Figure 6-5: Repeater Mode Settings ..... 46
Figure 6-6: Station Mode Settings ..... 47
Figure 6-7: Station Mode Settings (2) ..... 48
Figure 6-8: Wireless Radio Settings ..... 49
Figure 6-9: Setting Tx Rate ..... 50
Figure 6-10: Wireless Radio Settings (2) ..... 51
Figure 6-11: Wireless WEP Settings ..... 52
Figure 6-12: Wireless WPA Settings ..... 53
Figure 6-13: Wireless WPA Settings (2) ..... 54
Figure 6-14: Wireless ACL configuration ..... 55
Figure 6-15: Wireless Outdoor Settings ..... 56
Figure 6-16: Wireless CC Code ..... 57
Figure 6-17: Site Survey Operation ..... 58
Figure 6-18: Site Survey Align ..... 59
Figure 6-19: WDS Topology Example ..... 60
Figure 6-20: Point to Point Topology Example ..... 61
Figure 6-21: Lobo Extended Repetition Topology Example ..... 63
Figure 7-1: Packet flow diagram ..... 64
Figure 7-2: Firewall chains ..... 65
Figure 7-3: NAT chains ..... 66
Figure 7-4: Basic Rule configuration ..... 70
Figure 7-5: Advanced Rule configuration ..... 71
Figure 7-6: Basic Rule configuration ..... 75
Figure 7-7: Advanced Rule configuration ..... 75
Figure 7-8: FireWall Mail Panel ..... 76
Figure 7-9: Rule that masquerades outgoing traffic to internet ..... 77
Figure 7-10: masquerade rule is added ..... 78
Figure 9-1: PPPoE Configuration (1) ..... 85
Figure 9-2: PPPoE Protocol Selection ..... 86
Figure 9-3: Wan Interface Configuration ..... 87
Figure 9-4: PPPoE - Enable on Demand Settings ..... 88
Figure 9-5: WAN - PPTP Settings ..... 89
Figure 9-6: PPTP Interface ..... 90
Figure 10-1: Network topology ..... 94
Figure 10-2: Downlink rate for Company 1 ..... 95
Figure 10-3: Downlink rule is added ..... 95
Figure 10-4: Uplink rate for Company 1 ..... 96
Figure 10-5: Added bandwidth Rules ..... 96
Figure 10-6: Added bandwidth Rules ..... 97
Figure 10-7: Network topology ..... 97
Figure 10-8: Rule limiting downlink Peer to Peer Traffic ..... 98
Figure 10-9: Rule limiting uplink Peer to Peer Traffic ..... 99
Figure 10-10: Peer to Peer Rules ..... 99
Figure 10-11: Peer to Peer FlowMark Rule is added ..... 100
Figure 10-12: Network topology ..... 101
Figure 10-13: General rule ..... 101
Figure 10-14: Specific rule for port 23 ..... 102
Figure 11-1: Network topology ..... 115
Figure 11-2: Network topology after Hotspot ..... 116
Figure 11-3: HotSpot Main Panel ..... 117
Figure 11-4: Wan configuration ..... 118
Figure 11-5: Lan configuration ..... 119
Figure 11-6: HotSpots DHCP server configuration ..... 120
Figure 11-7: NAT & Protection Level configuration ..... 121
Figure 11-8: Wireless configuration ..... 122
Figure 11-9: Radius configuration ..... 123
Figure 11-10: Authentication methods ..... 124
Figure 11-11: Walled Garden configuration ..... 125
Figure 11-12: Redirection URLs configuration ..... 126
Figure 11-13: Web page customization ..... 127
Figure 11-14: Summarize configuration ..... 128
Figure 11-15: Start hotspot ..... 129
Figure 11-16: HotSpot is initializing ..... 130
Figure 11-17: HotSpot is running ..... 131
Figure 11-18: Interface Panel after hotspots initiation ..... 132
Figure 11-19: New firewall settings ..... 133
Figure 11-20: NAT settings ..... 133
Figure 11-21: HotSpot has assigned an IP address ..... 134
Figure 11-22: User is redirected to fill in his/her information ..... 134
Figure 12-1: SNMP service configuration ..... 137
Figure 12-2: HTTP service configuration ..... 138
Figure 12-3: SSH service configuration ..... 139
Figure 12-4: NTP service configuration ..... 140
Figure 12-5: Change administrators password ..... 141
Figure 14-1: Discovery Manager Panel ..... 144
Figure 15-1: Mrtg display statistics ..... 145
Figure 16-1: Real Time Interface Throughput ..... 147
Figure 16-2: Interface Packet Statistics ..... 147
Figure 16-3: ARP Entries Table ..... 148
Figure 16-4: Open Connections Display ..... 149
Figure 16-5: System Properties Dialog ..... 151


3 Lobo OS Management via LNMS


3.1 Introduction

If you are looking to deploy more than three or four access points in the company, a centrally managed system may be worth looking at. Even if you plan to start small but may expand the wireless network in the future, a centrally managed system is worth considering. LNMS is offered at no cost and provides an effective, turnkey network management system that covers the needs of most users.

3.2 Network Topology

When LNMS is launched, the topology view is displayed; it consists of three main frames. The center frame holds the topology map, the left frame lists the registered nodes, and the lower frame displays the status of the selected node. All frames are resizable and can be adjusted according to user preferences.

Figure 3-1:LNMS Topology View


3.2.1 Lobo Node Insertion

In order to insert a new Lobo node in the topology display, the user has to either right-click inside the map area, click the toolbar icon, or select Tools->Add Lobo Node. In each case the following dialog is displayed, prompting for the connectivity attributes of the new node.

Figure 3-2:Insert Lobo Node Dialog

The user has to fill in the IP address and the password of the node. The optional fields alias and displayed icon provide an easy visual representation of the nodes, which is quite useful in middle- to large-scale networks. The list of available displayed icons is:

- Access Point
- Dual Access Point
- Firewall
- IP Telephony Router
- Mobile Access Router
- NAT Router
- Firewall Router
- Voice Gateway
- Wireless Bridge
- Wireless Router (Default Icon)

Once the required fields have been filled in successfully, the node is inserted and displayed as shown in Figure 3-3:Lobo Node Insertion.

Figure 3-3:Lobo Node Insertion

All topology frames are updated according to the new insertion, while the green outline indicates that the newly inserted node has been successfully probed. The status information displayed in the lower frame indicates the firmware version, the uptime, the unlock level and the LNMS connectivity, which is the ratio of successfully received probe responses. Another option that further enhances the customization of the topology view is the loading of a background image. Figure 3-4:Customized Topology View displays a customized topology view.


Figure 3-4:Customized Topology View

Magnification actions are supported by the toolbar buttons Zoom In, Zoom Out and Restore to default zoom. Topologies can be saved and loaded by the actions File->Save Profile and File->Load Profile correspondingly. Connections between inserted nodes can be drawn by clicking in the center of the source node view and dragging to the center of the destination node.

3.3 Lobo Node Management

By double clicking on the node list view, or by right clicking on a node in the topology view the following pop-up menu is displayed.


Figure 3-5:Lobo node pop-up menu

- Advanced Node Configuration: a new tabbed panel is displayed containing all the configuration options of the selected node. The configuration management is presented in detail in section 2.
- Save Configuration: The current node configuration is permanently saved.
- FW Upgrade: A file chooser is used to select the firmware image you want to upload to the selected node.
- Reboot: This command reboots the node.


4 IP Networking Configuration

IP network configuration consists of four basic frames:

4.1 Left Frame:

This frame corresponds to a tree view representation of all available network interfaces of the selected node. The tree view can be expanded or collapsed by left clicking on any master interface.


4.2 Top Frame:

The top frame includes all basic IP configuration for the interface selected in the tree view of the left panel. More specifically, the configurable fields are:

Figure 4-1:IP Interface Settings

- IP address (Point 1): IP address of the selected interface (IPv4).
- Subnet (Point 2): Subnet mask of the selected interface (IPv4).
- Enable/Disable Selected Interface (Point 3): Ticking this box enables the interface; otherwise the interface keeps the desired configuration but remains disabled. If this is a virtual interface the box has no effect, since virtual interfaces can only be in the enabled state.
- PTP IP address (Point 4): Where there is a ppp connection (from a pppoe-client or a pptp-client), selecting the interface pppX lets the user see the remote peer IP in this field (figure 4.2B). In all other cases (no ppp connection) the four boxes have zero values. This field is read-only; the remote peer IP cannot be set by the user.
- MAC ADDRESS (Point 5): The interface MAC address in hex format. This field is readable for any kind of interface and writeable only for physical interfaces. To change the MAC address of a physical interface, the user has to tick the Mac Spoofing (Point 6) field.


4.3 Center Frame:

Centre frame contains the global settings which are configured for all network interfaces.

Figure 4-2:IP Global Settings

- Default Gateway (Point 1:Figure 4-2:IP Global Settings) System default gateway. Every IP packet with unknown destination will be forwarded through that IP. Default gateway can be set statically by user or dynamically from an application (dhcp-client,pppoe-client,pptp-client).

- IP Forwarding (Point 2:Figure 4-2:IP Global Settings): Enabling this field permits the system to forward packets from one subnet to another. For example, consider a system with two interfaces eth0 and ath0 with IPs 192.168.1.10/24 and 10.10.10.10/24 respectively. A user on a PC with IP 192.168.1.11/24 will, without IP forwarding enabled, be able to reach eth0 but not ath0.

- DNS1 and DNS2 (Point 3 and Point 4:Figure 4-2:IP Global Settings): The DNS fields can be set statically by the user or dynamically by an application (dhcp-client, pppoe-client, pptp-client).

4.4 Bottom Frame

The bottom frame includes some special action commands in order to create and handle network bridges and virtual interfaces.

4.4.1 Network Bridge

4.4.1.1 Introduction

A bridge is a LAN interconnection device which operates at the data link layer (layer 2) of the OSI reference model. It may be used to join two LAN segments (A,B), constructing a larger LAN. A bridge is able to filter traffic passing between the two LANs and may enforce a security policy separating different work groups located on each of the LANs. Bridges were first specified in IEEE 802.1D (1990) and later by ISO (in 1993).


4.4.1.2 Network Bridge Handling in Lobo OS

In order to create a new network bridge interface the administrator has to click on the button Add new bridge and fill in the corresponding name in the pop-up window. Please notice that the bridge name must have the string br as prefix, while there is no limitation on the postfix. Upon successful completion the newly created bridge is displayed in the left frame tree view. In order to insert a physical interface as a slave under the newly created bridge, the user has to select the interface and left-click on the Insert interface button. The user is prompted to select one of the available bridges, and after successful selection the left frame tree view is updated accordingly. The action command Delete Bridge removes the selected bridge interface and resets the slave interfaces. Finally, in order to remove a physical interface from the slave list of a bridge interface, the user has to select the interface and left-click on Remove Interface.

4.4.2 Virtual Interfaces

4.4.2.1 Introduction

Lobo OS also makes it possible to create additional network interfaces that are not associated with hardware. These are called "virtual interfaces". The primary reason for setting up virtual interfaces is to associate more than one IP address with a system. A typical use of this technique would be to support multiple Web sites. If http://www.lobometrics.com were assigned the address 222.33.44.55, virtual interfaces 222.33.44.56 and 222.33.44.57 might be assigned to www.Lobometrics.net and www.Lobometrics.org. All three sites could "live" on the same system without conflict. Another reason to set up virtual interfaces is to allow a system to communicate on more than one network address space. A realistic example of this technique is the renumbering of a network from a masqueraded network address space to a private (10.0.0.0) subnet. During the transition, all servers are assigned a virtual address so they can communicate with clients on both the old and new network address spaces. To the world, virtual interfaces appear as if they are actual interfaces.

4.4.2.2 Virtual Interface Handling in Lobo OS

The supported commands for virtual interface handling are:

- Add new Iface: This command inserts a new virtual interface in correspondence with the physical interface selected in the left frame tree view. The virtual interface is automatically named with a prefix that matches the physical interface name and a postfix that includes the virtual interface index inside brackets. In the following figure we present the results in the IP configuration after the insertion of three virtual interfaces under physical interface eth0. Each virtual interface is set to a different address space.


Figure 4-3:Insertion of virtual interfaces

- Delete Iface: This action removes the virtual interface permanently.

4.5 Table view

A feature that further enhances the controllability of interface IP settings is the Table View option, which can be activated by clicking on the Table View button located below the left frame tree view. Upon activation a new dialog appears which permits concurrent browsing and basic settings editing of all available interfaces.


Figure 4-4:Interface tree view


4.6 VLANS (IEEE 802.1Q)

A Virtual LAN (VLAN) is a group of devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are very flexible for user/host management, bandwidth allocation and resource optimization. The IEEE 802.1Q specification establishes a standard method for tagging Ethernet frames with VLAN membership information. The IEEE 802.1Q standard defines the operation of VLAN Bridges that permit the definition, operation and administration of Virtual LAN topologies within a Bridged LAN infrastructure. The 802.1Q standard is intended to address the problem of how to break large networks into smaller parts so that broadcast and multicast traffic does not grab more bandwidth than necessary. The standard also helps provide a higher level of security between segments of internal networks. In order to make the router an 802.1Q-compliant device, the user has to create one or more VLAN interfaces with the proper tags in the main VLAN panel.


In the example below, pressing the add button displays a pop-up window with the main fields for configuring a VLAN interface. The tag name field holds the unique VLAN tag according to 802.1Q. The user can add a VLAN on any enabled physical interface or bridge (802.1d). IP/Subnet configuration is also required to properly route tagged packets. If there is a need to drop untagged frames (not 802.1Q compliant), the user should configure the specific physical interface, and any virtual interface on it, with a zero IP.
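The tagging described in this section, as an added example that is not Lobo OS or LNMS code: it decodes the 802.1Q tag (TPID, PCP, DEI, VID) of a constructed Ethernet frame and applies the "zero IP on the physical interface" policy, accepting only frames tagged for a configured VLAN. The interface names, VIDs and sample frames are assumptions made for the example.

```python
"""Added example, not Lobo OS or LNMS code: decoding the IEEE 802.1Q tag of
an Ethernet frame and applying the untagged-frame policy from the VLAN panel
(physical interface with a zero IP accepts only tagged frames). The interface
names, VIDs and frames below are constructed for illustration."""
import struct
from typing import Dict, Optional, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet II header and, if present, one 802.1Q tag.
    'vid' is None for untagged frames; VID 0 means priority-tagged only."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "vid": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13        # Priority Code Point, 3 bits
        info["dei"] = (tci >> 12) & 1  # Drop Eligible Indicator, 1 bit
        info["vid"] = tci & 0x0FFF     # VLAN Identifier, 12 bits
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble a frame, inserting an 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


class VlanPort:
    """One physical interface with its VLAN sub-interfaces (vid -> name).
    untagged_allowed=False models the manual's 'zero IP on the physical
    interface' setting: frames without a tag, priority-only tags (VID 0)
    and unknown VIDs are dropped instead of reaching an IP interface."""

    def __init__(self, name: str, vlans: Dict[int, str], untagged_allowed: bool):
        self.name = name
        self.vlans = vlans
        self.untagged_allowed = untagged_allowed

    def classify(self, frame: bytes) -> Tuple[str, Optional[str]]:
        """Return ('accept', interface) or ('drop', None) for one frame."""
        vid = parse_frame(frame)["vid"]
        if vid is None or vid == 0:
            return ("accept", self.name) if self.untagged_allowed else ("drop", None)
        if vid in self.vlans:
            return ("accept", self.vlans[vid])
        return ("drop", None)   # tagged for a VLAN this port does not carry


if __name__ == "__main__":
    port = VlanPort("eth0", {10: "eth0.10", 20: "eth0.20"}, untagged_allowed=False)
    sample = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                         ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vid=10, pcp=5)
    print(parse_frame(sample)["vid"], port.classify(sample))
```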


5 Static IP Routing
5.1 Introduction

Static routing is the term used to refer to the manual method used to set up routing. An administrator enters routes into the router using configuration commands. This method has the advantage of being predictable and simple to set up. It is easy to manage in small networks but does not scale well.

5.2 Lobo Static IP routing configuration

The LNMS static routing panel provides management tools for manipulating any of the routing tables. Operations include displaying routes or the routing cache, adding routes, deleting routes, modifying existing routes, fetching a route and clearing an entire routing table or the routing cache.

5.2.1 Routing Tables

Lobo OS, like every Linux-based OS, is built around a multiple routing table system providing a flexible infrastructure on top of which the administrator can implement policy routing. Beyond the two commonly used routing tables (the local and main routing tables), the kernel supports up to 252 additional routing tables.


Figure 5-1:Routing Table Handling

5.2.1.1 Adding a new Routing Table

In order to create a new routing table which will be integrated in the multiple routing table system of Lobo OS, the user has to select the add button, denoted in the above figure inside ellipse 1. The user is prompted to define the routing table name, and upon successful completion the combo box displayed in ellipse 2 is populated correspondingly. Afterwards the user may configure each routing table separately by selecting the suitable table.

5.2.1.2 Remove an existing Routing Table

In order to delete an existing routing table the user has to select the table to remove using the Routing Table combo box (ellipse 2) and left-click on the remove button (ellipse 1). CAUTION: The user has to be careful not to delete the main routing table, as this action can lead to connectivity problems.


5.2.2 Routing Entries Handling

5.2.2.1 Adding a new Static Routing Entry

In order to add a new static route entry the user has to left-click on the add button of Entries Commands. A new dialog box appears prompting for the configuration of 7 parameters, which are explained below.

Figure 5-2:Insert new Route

1) Destination: The destination network or destination host.
2) Subnet Mask: The netmask for the destination net; '255.255.255.255' for a host destination and '0.0.0.0' for the default route.
3) Default Gateway: The gateway address, or a null entry if none is set.
4) Preferred Source: Preferred source address for communicating with that destination.
5) Distance: The 'distance' to the target (usually counted in hops). It is not used by recent kernels, but may be needed by routing daemons.
6) Interface: Interface to which packets for this route will be sent.


In the specific example outlined above we set all traffic whose destination address belongs to subnet 192.168.2.0/24 to be forwarded via interface ath0. After clicking the submit button of the Insert new Route dialog box the table view is updated accordingly. The last action required of the user in order to activate the newly inserted routes is to left-click on the submit button located in the top frame.

Figure 5-3:New Routing Entry Added

5.2.2.2 Removing a Static Routing Entry

In order to remove a specific routing entry the user has to select the entry to remove by clicking the corresponding table row and left-clicking on the remove button of Entries Commands.

5.2.2.3 Modifying a Static Routing Entry

In order to edit a specific routing entry the user has to select the entry to modify by clicking the corresponding table row and left-clicking on the edit button of Entries Commands.


5.2.2.4 Repositioning Static Routing Entries

Routing entries allocated in each routing table are parsed by the OS kernel in a serial manner. In order to modify the order (priority) of allocated entries the user can use the action buttons move up and move down of Entries Commands.

5.3 Lobo Static Rules

5.3.1 Introduction

Think of the rule as a method for implementing ACLs (Access Control Lists) for routes. The rule allows you to specify the filters that match packets, and which route structure to select when the filter does match. Using a rule you can perform the most common Policy Routing function, routing by source address. The rule can specify to select a packet based on whether or not the source address of the packet falls into a designated address scope. If it does match, the rule states which route structure to use or other destination to choose. But if you stop to think about this for a moment, you realize that on a system where you only have one routing table a rule set is usable only under limited conditions.

5.3.2 Rule Entries Handling

5.3.2.1 Adding a new Rule Entry

In order to add a new rule entry the user has to left-click on the add button of Entries Commands after having selected the Rules sub panel. A new dialog box appears prompting for the configuration of 7 parameters, which are explained below.


Figure 5-4: New Routing Rule Insertion

1) Source Address: The source network or source host.
2) Subnet Mask: The netmask for the source net; '255.255.255.255' must be set for a host source.
3) Destination Address: The destination network or destination host.
4) Subnet Mask: The netmask for the destination net; '255.255.255.255' must be set for a host destination.
5) Interface: Interface that packets are received from. The interface can be one of the available physical interfaces or can be set to All if the user wishes this rule to be matched for all interfaces.
6) Action and 7) Table: The rule action can be one of:
- LookUp: This action orders the routing subsystem to look up the routing table selected in field 7. Note that by default there exists a rule indicating that all arriving packets are looked up in the main table.
- Unreachable: This action results in the drop of the received packet while sending an ICMP packet to the source with reason Unreachable.
- Drop: This action results in the silent drop of the matched frames.

In the example displayed in Figure 5-4: New Routing Rule Insertion we order the system to silently drop packets originating from network space 10.10.10.0/24 arriving on any interface. The actions of remove, edit and reposition are identical to those described in the previous section.
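The routing tables of section 5.2, the rule list of section 5.3 and the IP Forwarding switch of section 4.3, as an added simulation that is not Lobo OS or LNMS code: it evaluates rules in list order, falls through to the next rule when a LookUp table has no match, and reuses the page's eth0/ath0 addresses, the 192.168.2.0/24 route and the 10.10.10.0/24 Drop rule. The default gateway, the extra "guest" table and the 192.168.3.0/24 rule are assumptions made for the example.

```python
"""Added example, not Lobo OS or LNMS code: a simulation of the multiple
routing tables (5.2), the rule list with LookUp / Unreachable / Drop actions
(5.3) and the IP Forwarding switch (4.3). Rules and routes are evaluated in
the order they are listed, as the panels describe; the default gateway, the
extra table and the 192.168.3.0/24 rule are constructed for this example."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

ANY = ip_network("0.0.0.0/0")


@dataclass
class Route:
    dest: IPv4Network                        # Destination + Subnet Mask
    iface: str                               # Interface the packet leaves on
    gateway: Optional[IPv4Address] = None    # Default Gateway field; None = directly connected


@dataclass
class Rule:
    src: IPv4Network = ANY                   # Source Address + Subnet Mask
    dst: IPv4Network = ANY                   # Destination Address + Subnet Mask
    iface: str = "All"                       # interface packets are received from
    action: str = "LookUp"                   # LookUp, Unreachable or Drop
    table: Optional[str] = None              # table consulted by LookUp (field 7)


@dataclass
class Router:
    local: Dict[str, IPv4Address]            # interface -> its own IP address
    tables: Dict[str, List[Route]] = field(default_factory=dict)
    rules: List[Rule] = field(default_factory=list)
    ip_forward: bool = False

    def lookup(self, table: str, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match over one routing table."""
        best = None
        for route in self.tables.get(table, []):
            if dst in route.dest and (best is None or route.dest.prefixlen > best.dest.prefixlen):
                best = route
        return best

    def decide(self, src: str, dst: str, in_iface: str) -> str:
        """What the node does with a packet that arrived on in_iface."""
        s, d = ip_address(src), ip_address(dst)
        if d in self.local.values():
            return "local"                    # addressed to the node itself
        if not self.ip_forward:
            return "drop:ip_forwarding_disabled"
        for rule in self.rules:               # first matching rule wins
            if s not in rule.src or d not in rule.dst:
                continue
            if rule.iface != "All" and rule.iface != in_iface:
                continue
            if rule.action == "Drop":
                return "drop"
            if rule.action == "Unreachable":
                return "icmp-unreachable"
            route = self.lookup(rule.table, d)
            if route is not None:
                via = f" via {route.gateway}" if route.gateway else ""
                return f"forward {route.iface}{via}"
            # LookUp found nothing in that table: continue with the next rule
        return "icmp-unreachable:no-route"


def build_example_router() -> Router:
    """Node with eth0/ath0 as in section 4.3, the 192.168.2.0/24 route of
    Figure 5-3 and the Drop rule of Figure 5-4, plus a constructed 'guest'
    table used by a second rule."""
    r = Router(local={"eth0": ip_address("192.168.1.10"),
                      "ath0": ip_address("10.10.10.10")}, ip_forward=True)
    r.tables["main"] = [
        Route(ip_network("192.168.1.0/24"), "eth0"),
        Route(ip_network("10.10.10.0/24"), "ath0"),
        Route(ip_network("192.168.2.0/24"), "ath0"),
        Route(ANY, "eth0", ip_address("192.168.1.1")),   # default gateway, constructed
    ]
    r.tables["guest"] = [Route(ip_network("192.168.2.0/24"), "ath0")]
    r.rules = [
        Rule(src=ip_network("10.10.10.0/24"), action="Drop"),
        Rule(src=ip_network("192.168.3.0/24"), action="LookUp", table="guest"),
        Rule(action="LookUp", table="main"),                # the default rule
    ]
    return r


if __name__ == "__main__":
    r = build_example_router()
    for pkt in [("192.168.1.11", "192.168.2.5", "eth0"), ("10.10.10.5", "192.168.1.11", "ath0"),
                ("192.168.3.5", "8.8.8.8", "eth0")]:
        print(pkt, "->", r.decide(*pkt))
```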


6 Wireless Configuration

6.1 General Description

In order to handle and configure any available wireless interface existing on an active Lobo node, the user should click on the Advanced Settings option, which appears among the other basic functionality options (right-click on the node in the network topology). In the new screen all available configuration and monitoring panels appear. The user should select the tab labelled Wireless (see screenshot below).

Figure 6-1:Wireless Configuration Panel


As shown in Figure 6-1:Wireless Configuration Panel, this is the main configuration panel for the existing wireless interfaces of the node. Before proceeding to describe and explain in full detail each one of the configurable fields, there are five main points concerning the main Wireless configuration panel which have to be distinguished.

Selected Wireless Interface represents the selected interface* the user wishes to configure. If there are multiple wireless interfaces available then a list with those interfaces is populated.

(*If selected interface is not UP and RUNNING then a red warning message is shown next to interface name which informs user that selected interface is inactive)

The Refresh/Submit buttons can be used at any time while configuring the selected interface. By clicking Refresh, Lobo NMS retrieves the active wireless configuration for all available interfaces, while Submit is used to set a desired configuration. When multiple wireless interfaces exist, the user has the opportunity to configure all interfaces and click Submit only once.

Tabbed panel on the right side contains the list of all available wireless settings basic categories. By clicking on any tab of list, corresponding settings of the specific category are shown in main configuration panel.

Selected Operational Mode is populated with all available operational modes a Lobo node can adopt*. Selecting one of the available operational modes, the corresponding tab is populated with the settings of that Operational Mode.

(*It is important to notice that the CPE license level gives the user the right to configure the node only as an APClient and Station, and not as an AP, WDS or Repeater.)


6.2 Operational Modes

As mentioned in the previous section, a Lobo Node has the ability to operate in a number of different modes. The user can configure a node by setting the Selected Operational Mode field to one of the following modes (a full description of each Operational Mode follows):

6.2.1 Access Point

Selecting this mode Lobo node acts as a base Access Point. There are a number of features which can be configured in Access Point mode which are described below with a reference to Figure 6-2:Wireless Operational Mode Settings .

Figure 6-2:Wireless Operational Mode Settings

6.2.1.1 SSID (1): This field corresponds to the string which is published as ESSID by Lobo Access Point.


6.2.1.2 Inactivity Limit (2): The user may configure the Access Point's inactivity threshold in minutes. When this timeout expires and a Station associated with the Access Point has been idle for this specific time period, the Lobo AP sends a disassociation frame to the specific Station in order to inform it that it has been disassociated due to the inactivity timeout.

6.2.1.3 Beacon Period (3): This field represents the desirable Time Interval between two consecutive beacons.

6.2.1.4 Site Survey (4): A Lobo Node performing as an AP supports scan mode. Clicking on the Site Survey button (Figure 6-2:Wireless Operational Mode Settings - 4), the AP scans all available frequencies of the selected physical (11a, 11b or 11g). Once the scanning operation has been performed, a Site Survey dialogue box pops up, with the intention of informing the user of all possible interference from other Access Points nearby.

6.2.1.5 Association List (5): Clicking on this option, a popup window appears showing the Association List of the Lobo Access Point. The Association List is filled with all necessary information for every node associated with the AP (MAC address, RSSI value, station type etc).


A description of each field in the Association List follows:

6.2.1.5.1 Alias: The user can set a special name in order to mark a certain client on the AP. Once the configuration is saved, all aliases that were submitted (via the corresponding Action) are saved on the device.

6.2.1.5.2 MAC Address: This field refers to the MAC address with which each Client is associated to the AP.

6.2.1.5.3 IP address: This field refers to the IP address via which each Client passes traffic to the AP. Note: A Client can be seen with multiple IPs if transparent bridging occurs. The user can see the list of IPs by clicking Expand while the certain Client is selected.

6.2.1.5.4 Signal Level: The signal level of every associated client (based on the received RSSI).

6.2.1.5.5 Fade Margin: The actual difference between Signal Level and Noise Level.

6.2.1.5.6 Noise Level: The noise level of the chip according to tx rate and physical.

6.2.1.5.7 Rate: Populated with the tx rate the AP uses to exchange data with each client.

6.2.1.5.8 Idle Time: The time passed since a previously associated Client is no longer associated.

6.2.1.5.9 Type: The type of the node. It can have the following values: Lobo_Adapter (Station Mode), Lobo_Client (APClient Mode), WDS_Type, Client.

NOTE: Every Client which has ever been associated to the AP is included in this list, which is automatically saved on Save Configuration.

6.2.1.5.10 Action: By selecting the type of action to perform on a selected node of the list, the user can proceed with:

6.2.1.5.11 Set Alias: The user can set an Alias for a specific node.

6.2.1.5.12 Remove: The user can remove an Idle node from the list.

6.2.1.5.13 Disassociate: The user can disassociate a client which is associated to the AP.

6.2.1.5.14 Permanent Disassociation: The user can disassociate a Client which is associated to the AP, and simultaneously add its MAC to a deny ACL.

6.2.1.6 Best channel (6): Best Channel Selection is an extra feature of Access Point mode. The user enables the Lobo B.S.C. algorithm by clicking on the button shown in Figure 6-2:Wireless Operational Mode Settings - 6. Lobo O.S. calculates the best available frequency based on this algorithm, so that the Lobo Access Point can be configured to transmit on this channel with the purpose of achieving better performance.

6.2.1.7 Stealth Mode (7): This is another enhancement of Lobo Access Point Mode. With Stealth Mode enabled, the Access Point does not transmit Beacons and also hides its SSID in the Probe Responses it transmits. This makes the Lobo Access Point invisible: no node which is not aware of the Lobo Access Point's settings can discover it. In addition a custom polling protocol is activated, which is compatible with links between Lobo Access Points and Lobo Clients. This protocol serves the purpose of keeping the Lobo Client aware of the Lobo Stealth Access Point's liveness.


6.2.1.8 Hide Essid (8): With this option enabled, the Lobo Access Point does not publish its ESSID in its Beacon transmissions.

6.2.1.9 Stop Wireless To Wireless Traffic (9): Enabling this option prevents any traffic between two Wireless Stations that are both associated with the Lobo Access Point.

IMPORTANT NOTICE : Lobo O.S. has the ability to support Address 4 traffic. However it is NECESSARY to put correspondent wireless interface (the one that operates as an Access Point) under a Network Bridge (check IP Network configuration section) if user desires to enable Address-4 support.

6.2.2 WDS mode

A Lobo node can operate as an Access Point WDS node (Wireless Distribution System). This gives the user the opportunity to configure a Wireless Distribution System network by setting up a number of Lobo WDS nodes, each of which takes part in this network. All the Access Point features and settings are supported in WDS mode too. In addition there is a WDS List in which the user should fill in the MAC addresses of all WDS nodes included in the WDS network topology (Figure 6-3:Wireless WDS Mode Settings).


Figure 6-3:Wireless WDS Mode Settings

In the Registered WDS nodes List, the user should fill in the MAC addresses of the nodes they want to configure. The checkbox next to the MAC address field indicates whether this node is enabled and joined to the WDS network topology. This option can be quite helpful when there are WDS nodes whose behavior changes: the user can keep their MACs configured in the Lobo List and modify the enable/disable option accordingly.

6.2.3 Repeater Mode

Repeater Mode is an advanced Lobo O.S. mode. When a Lobo node is configured to perform as a Repeater, it first performs as a Client. It associates with an Access Point which matches the desired BSSID, and in parallel adopts the settings of that BSS. After the association is completed, Lobo repeats the BSS, creating a brand new BSS range. Repeaters are a combination of both Client mode and Access Point mode functionality and features, such as Stealth Mode or Wireless to Wireless traffic control. In Figure 6-4:Repeater Topology a sample topology is shown to demonstrate the Lobo Repeater's functionality.


Figure 6-4:Repeater Topology

According to the specific example topology, the Lobo Repeater is associated with the Lobo Base Node. After being associated, the Lobo Repeater extends the Lobo Base Node's BSS. The result is that the Initial BSS Range is extended to the Final Merged BSS range (after the Repeater has been transformed into an Access Point which has already adopted the Lobo Base Node's basic settings). The three stations in the example topology can access both Host-PC-1 and Host-PC-2 (or even exchange data between themselves) regardless of whether they are associated with the Base Node or the Repeater. In order to configure a Lobo node as a Repeater, the user should set up the preferred SSID or the preferred BSSID field. Once the user submits the desired configuration, they should wait until the Lobo Repeater becomes associated (the State field is going to be updated); then the Repeater is ready to accept Station nodes that wish to associate with it.


Figure 6-5:Repeater Mode Settings

6.2.4 AP Client and Station Mode

These two Operational modes transform Lobo into a Client Node. Their functionality is similar. Their main difference is that AP-Client supports address 4 traffic, whereas Station has an embedded proxy-ARP functionality to support only address three traffic for all possible entities which may be adjacent to its Ethernet interface. The user can select either mode according to their network needs. Below there is a screenshot of the Station Configuration panel and a short description of every field.


Figure 6-6:Station Mode Settings

6.2.4.1 Preferred SSID and BSSID (1,2): These fields correspond to the settings of the desired Access Point the user wants the Lobo Client node to be associated with.

6.2.4.2 State and LinkState Panel (3 and 4): These two fields mirror the Client Node's state as far as the potential link with an Access Point is concerned. A continuous polling protocol runs between Lobo NMS and all nodes which have been added to the Network Topology. For Client-configured Nodes, Lobo NMS is continuously informed of the state of the node (Idle, Authenticated or Associated), the quality of the link (if associated) and the signal strength, dynamically (see Figure 6-7:Station Mode Settings (2) below).


Figure 6-7:Station Mode Settings (2)

6.3 Radio Settings

Selecting the Radio Tab from the tabbed Panel on the right, the user has the opportunity to configure the radio of the selected wireless interface. The Radio configuration Panel includes the following fields:

i. Physical (11a, 11b, 11g)
ii. Channel/Frequency
iii. TxRate
iv. RTS value
v. Spoofing functionality


As seen in Figure 6-8:Wireless Radio Settings, at the top of the Radio Panel there are two fields whose listed values are populated according to the specific capabilities of the card. They are the wireless physical and all corresponding frequencies. For example, if a radio card is a dual-band a/b/g card, then all possible Physical choices are available to the user. (If the card does not support one of the physicals, then Lobo NMS returns a warning popup informing the user that the NIC cannot be configured in the selected physical.) In Figure 6-8:Wireless Radio Settings (3) there is a button which converts the Channel List either to Frequency or to official IEEE channel numbering.

Figure 6-8:Wireless Radio Settings

In Figure 6-9:Setting Tx Rate the txRate value list for the 11a physical is shown. This field has two different levels of functionality. The user can choose auto mode, which means that Lobo will be auto-configured to use the optimal tx rate for each related node. This can be very useful in environments sensitive to retries, because an auto-rate fallback algorithm running in the background tries to use the link at the maximum possible data transfer rate. In addition the user has the option of setting the node to a specific fixed TxRate. This action disables the auto rate fallback algorithm and the Lobo node will transmit its data frames at the selected rate.

Notice: Management and Control frames are ALWAYS transmitted at the lowest rate of the current physical's rate set, regardless of the TxRate setting.

Figure 6-9:Setting Tx Rate

The user can also configure a node by changing the MAC address of a wireless interface. Field (3) in Figure 6-10: Wireless Radio Settings (2) shows by default the factory MAC address of the radio card that corresponds to the selected wireless interface. The user can edit this field; ticking check button (4) enables spoofing for that wireless interface of the Lobo node. Keep in mind that the same option exists on any client card: a MAC address is an identifier, not a credential, so a peer's MAC-based Access Control List (section 6.4.3) cannot by itself keep out a station that has copied an allowed address.


Figure 6-10:Wireless Radio Settings (2)

6.4 Security Settings

Selecting the Security tab from the tabbed panel on the right lets the user configure the security settings of the selected wireless interface. Through the Security settings panel the user can configure WEP or WPA on a Lobo node, or set up an Access Control List. The following paragraphs give further details for every sub-tab of the Security Settings panel.

6.4.1 WEP configuration

Through the WEP Configuration panel the user can configure a Lobo node to encrypt and decrypt data with keys based on the WEP protocol. The node can be set to 64-bit or 128-bit encryption; these figures include the 24-bit per-frame IV, so the secret key entered is 40 bits (10 hex digits or 5 ASCII characters) or 104 bits (26 hex digits or 13 ASCII characters). There are four entries for the four available WEP keys, and a radio button to the right of the entry list selects which of the four is used for encryption and decryption. WEP should be chosen only when a legacy client cannot do WPA: its RC4 keystream repeats once the 24-bit IV space wraps, its CRC-32 integrity check is linear, and practical key-recovery attacks against it have been public since 2001, so WPA with CCMP (section 6.4.2) is the setting to use wherever the clients support it.
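As an added illustration (not part of Lobo O.S. or this guide), the following Python code shows what the two key sizes and the key entries above correspond to on the wire, and why IV reuse is a problem. The keys, IVs and frame contents in it are constructed for the example.

```python
# Added example, not Lobo code: what the WEP panel's key and key size mean on the wire.
# WEP seeds RC4 with the 24-bit per-frame IV followed by the secret key (40 bits for
# the "64-bit" setting, 104 bits for "128-bit") and appends a CRC-32 ICV to the data.
import struct
import zlib

HEX = set("0123456789abcdefABCDEF")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_wep_key(text: str) -> bytes:
    """Accept the formats the two key-size settings imply: 10 or 26 hex digits
    (40-bit / 104-bit secret) or 5 / 13 ASCII characters."""
    digits = text.replace(":", "").replace("-", "")
    if len(digits) in (10, 26) and set(digits) <= HEX:
        return bytes.fromhex(digits)
    if len(text) in (5, 13):
        return text.encode("ascii")
    raise ValueError("WEP key must be 10/26 hex digits or 5/13 ASCII characters")


def icv(plaintext: bytes) -> bytes:
    """CRC-32 integrity check value, little-endian as carried in the frame."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key, plaintext || ICV). The IV travels in clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Strip the IV, run RC4 with the same seed, check the ICV."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    plaintext, tag = data[:-4], data[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leaks_plaintext_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under the same IV share a keystream, so XORing their ciphertexts
    cancels it and yields p1 XOR p2 without the key. With only 2^24 IVs this happens
    within hours on a busy link; it is one reason WEP is considered broken."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor(c1, c2)[:n] == xor(p1, p2)
```

The key parsing mirrors the two sizes the panel offers. The point of iv_reuse_leaks_plaintext_xor is why WEP is only a legacy option here: nothing secret is needed to recover the XOR of two frames that happen to share an IV.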


Figure 6-11:Wireless WEP Settings

6.4.2 WPA Configuration

Through the WPA Configuration panel the user can configure a Lobo node to encrypt and decrypt data with keys based on the WPA protocol. The configurable WPA fields are shown in Figure 6-12. Field (1) selects the WPA version: WPA-1 or WPA-2 (RSN). The Key Management field (2) can be set to PSK (Pre-Shared Key) or EAP, and the panel on the right is populated with the fields appropriate to that choice. Figure 6-13 (4) shows the EAP fields. These are the fields needed to configure the Lobo node's interaction with a back-end authentication server: the server IP, the RADIUS authentication port over which the EAP-TLS exchange is carried (usually UDP 1812) and the server's secret phrase, the RADIUS shared secret that lets the Lobo node, acting as authenticator, be accepted by the back-end server and lets the node verify the server's replies. EAP-TLS is the EAP method supported by default. The Lobo node uses 802.1X authentication to authenticate its clients. If the Lobo node is configured as a Client and EAP-TLS is used, the user must upload the appropriate certificates to the Lobo node, using the Upload Server Certificate and Upload Client Certificate buttons on the right panel. Choose a long random shared secret and do not reuse it across authenticators: it is the only thing that binds an Access-Accept from the server to this node.
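The authenticator-to-server exchange that the server's secret phrase protects, as an added example (not Lobo code and not the node's own RADIUS implementation): both messages are built and checked here from RFC 2865, 2869 and 3579 alone. The secret, identifier and attribute values are constructed for the example.

```python
# Added example, not Lobo code: what the "Server's Secret Phrase" buys. The authenticator
# and the RADIUS server never send the secret; each proves it by keying a digest over the
# packet. Access-Requests that carry EAP must include a Message-Authenticator attribute
# (HMAC-MD5 over the packet with that attribute zeroed, RFC 2869/3579), and every reply
# carries a Response Authenticator = MD5(Code | ID | Length | Request Authenticator |
# Attributes | secret) (RFC 2865). Packets below are built here, not captured.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then 16-byte Authenticator


def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("BB", kind, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """Authenticator is random; Message-Authenticator is appended zeroed, then filled in."""
    request_auth = os.urandom(16)
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_access_request(secret: bytes, pkt: bytes) -> bool:
    """Server side: walk the attributes, re-zero Message-Authenticator, recompute."""
    if len(pkt) < 20 or HEADER.unpack(pkt[:4])[2] != len(pkt):
        return False
    pos = 20
    while pos + 2 <= len(pkt):
        kind, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return False
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += length
    return False  # an EAP request without Message-Authenticator is rejected (RFC 3579)


def build_response(secret: bytes, code: int, request: bytes, attrs: bytes) -> bytes:
    """Server side: Response Authenticator binds the reply to the request and the secret."""
    head = HEADER.pack(code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + response_auth + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Authenticator side: a reply is trusted only if it echoes our Identifier and its
    Response Authenticator was computed with our Request Authenticator and the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    head, response_auth, attrs = response[:4], response[4:20], response[20:]
    if HEADER.unpack(head)[2] != len(response):
        return False
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)
```

A server (or an attacker on the path between node and server) that does not know the secret cannot produce an Access-Accept that verify_response accepts, which is why the phrase should be long, random and unique per authenticator.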


Figure 6-12:Wireless WPA Settings

If PSK is selected as Key Management (see Figure 6-13: Wireless WPA Settings (2)), the only field to configure is (2) PSK Passphrase. The passphrase (8 to 63 characters) and the SSID are hashed together into the 256-bit Pairwise Master Key from which the per-session WPA keys are negotiated, so every station that knows the passphrase shares the same master key, and anyone who records a station's 4-way handshake can test passphrase guesses offline. Use a long random passphrase, not a dictionary word. Finally, there are two available ciphers for the encryption mechanism of a Lobo node, TKIP and AES (CCMP). If the Lobo node is configured as an Access Point the user can select BOTH for this field, in which case the Access Point advertises in its capabilities that both ciphers are supported. TKIP exists for WEP-era hardware; where all clients support it, CCMP alone is the stronger choice.
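The derivation described above, as an added example (not Lobo code): the passphrase and SSID become the PMK, the PMK and the handshake values become the PTK, and a recorded handshake lets anyone test guesses offline. The MAC addresses, nonces and EAPOL frame here are constructed, the SSID LoboNet is invented, and the short EAPOL-Key header is a stand-in for the real frame, since only the bytes under the MIC matter for the check.

```python
# Added example, not Lobo code: what happens to the PSK passphrase, and why it can be
# guessed offline. PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes) per IEEE
# 802.11i; the 4-way handshake then derives the PTK from PMK, both MACs and both
# nonces, and the supplicant proves it with a MIC over EAPOL message 2. Everything
# except the passphrase is visible to a sniffer, so a recorded handshake is enough to
# test guesses. The handshake below is constructed here, not captured.
import hashlib
import hmac
import os


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key from passphrase and SSID (IEEE 802.11i Annex H)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 of 802.11i: HMAC-SHA1(PMK, label || 0x00 || data || i) for i = 0..3, where
    data = min(MACs) || max(MACs) || min(nonces) || max(nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]  # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (CCMP) key-descriptor MIC: HMAC-SHA1 truncated to 16 bytes (TKIP uses
    HMAC-MD5). The MIC is computed over the frame with its own MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def make_handshake(passphrase: str, ssid: str, aa: bytes, spa: bytes) -> dict:
    """Supplicant side of message 2, as an attacker would see it on the air (constructed)."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    kck = ptk_from_pmk(wpa_psk_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    # Stand-in EAPOL-Key frame: version, type, length, descriptor, key info, nonce, zero MIC.
    eapol_zeroed = b"\x01\x03\x00\x75\x02\x01\x0a" + snonce + bytes(16)
    return {"aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol_zeroed": eapol_zeroed, "mic": eapol_mic(kck, eapol_zeroed)}


def offline_guess(ssid: str, hs: dict, wordlist):
    """Dictionary attack: one PBKDF2 per guess, no contact with the AP or any station."""
    for guess in wordlist:
        if not 8 <= len(guess) <= 63:
            continue
        pmk = wpa_psk_pmk(guess, ssid)
        kck = ptk_from_pmk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol_zeroed"]), hs["mic"]):
            return guess
    return None
```

The PMK for passphrase "password" and SSID "IEEE" is the published 802.11i test vector, which is a useful sanity check for any implementation. Because the SSID is the only salt, a passphrase that appears in a wordlist falls to offline_guess regardless of which cipher (TKIP or CCMP) protects the data frames.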


Figure 6-13:Wireless WPA Settings (2)

6.4.3 Access Control List

If the user configures a Lobo node as an Access Point, he has the option of setting an Access Control List to control which clients may connect to the Lobo Access Point. As Figure 6-14: Wireless ACL configuration shows, the user enables the Access List by ticking field (2). The Access Control List operates in one of two ways according to the selected Policy (1). DENY means that the Access Point refuses every client whose MAC address matches an entry in the ACL; ALLOW means that the Lobo Access Point admits only clients whose MAC address matches an entry in the ACL (so an ALLOW list with no entries admits nobody). There are two ways to set up an Access Control List. The first is to enter the desired MACs (3) one by one using the add (4) and remove (5) buttons. The other is to load a text file containing all the MACs with the Append from File option (7). Finally, the user can extract the submitted MAC list to a file, which is helpful when the same MAC list has to be submitted on another Access Point of the backbone. Note that a MAC ACL keeps out only stations that present their real address; any client can change its MAC (the Radio panel offers the same spoofing option on a Lobo node), so the ACL is a housekeeping control, not an authentication one. WPA (section 6.4.2) is what keeps unauthorized stations off the link.


Figure 6-14:Wireless ACL configuration

6.5 Outdoor Settings

Selecting the Outdoor tab from the tabbed panel on the right lets the user configure the outdoor settings of the selected wireless interface. The outdoor fields are shown in Figure 6-15: Wireless Outdoor Settings. They are used to optimize a long-distance link on a Lobo node. The Link Distance field (1) takes the distance in meters; adjusting it sets the acknowledgement timeout according to the distance, which matters on a long link: if the ACK timeout is shorter than the round trip over the air, frames are retried although they were received, so in lossy environments where many retries are observed the timeout should match the distance between the nodes. The TxPower of the Lobo node can also be configured. The TxPower field (2) can be set to values from 5 to 30 in steps of 5. The TxPower value is not in dBm; it is a custom scale that spans the minimum and maximum transmit power of the current wireless interface.

Diversity can also be configured. The user can either enable diversity (3), when two antennas are used for the same radio, or fix a specific antenna (4) for Rx/Tx packets (LEFT/RIGHT).

Figure 6-15:Wireless Outdoor Settings

6.6 Setting Country Code

At the top left of the Wireless Configuration panel there are two items for setting the country code supported by a Lobo node. The user chooses the appropriate Country Code from the list of available values (see Figure 6-16: Wireless CC Code) and applies it by clicking the SetCC button to the left of the list. Lobo O.S. performs the appropriate checks in the background against all radio chipsets in the system. If any of them does not support the specific country code a regulatory violation could occur, and in that case Lobo NMS warns the user with a popup alert. This protects the user from choosing an unsupported country code and losing the wireless interface after it is applied.


Figure 6-16:Wireless CC Code

6.7 Site Survey Operation

Site Survey is supported in all operational modes. When a Lobo node operates as AP Client, Repeater or Station, the operation scans all available channels to find an appropriate BSSID to join, based on the user's settings (SSID, BSSID, security, and so on). When a Lobo node acts as an Access Point or WDS, Site Survey can be used to scan and monitor adjacent frequencies and check whether any other Access Point interferes. Figure 6-17: Site Survey Operation shows the dynamic Site Survey popup that appears when the user clicks the Site Survey button. The red highlighted box shows a valid scanned entry. After the survey has run, the user sees all available information for every scanned node in a list, and the status bar at the bottom of Lobo NMS shows the message "Site survey list retrieved successfully". Four options are then available. Connect (3): after the user selects a node in the list, the Lobo node tries to connect to it. Refresh (4): rescan and update the Site Survey list. Continuous Scan (5): used instead of Refresh to put the Lobo node into consecutive scanning; the Continuous button stays pressed until the user clicks it again, and during that time the Site Survey list is updated dynamically, merging all unique entries. Align (6): used when the user wants to achieve the best possible alignment for a long-distance point-to-point link.

Figure 6-17:Site Survey Operation

By selecting a node in the list and clicking the Align button, a new popup appears as shown in Figure 6-18: Site Survey Align. The user can monitor signal strength and quality statistics through consecutive polling, which runs at a high rate so that the representation of the link is up to date. Meanwhile the user adjusts the antenna for maximum performance. Once the user observes that, for a certain antenna position and polarity, the Lobo NMS link statistics are optimal, he clicks the Quit button and returns to the Site Survey panel.


Figure 6-18:Site Survey Align


6.8 Wireless Topology Scenarios

In this section two specific wireless topologies based on Lobo O.S. operational modes are described. The first part describes two ways of setting up a point-to-point link; the second describes a topology built on the Lobo Repeater functionality.

6.8.1 How to make a Point To Point Link

There are two basic topology scenarios; a point-to-point link can be achieved with either, as described below.

6.8.1.1 Lobo WDS to Lobo WDS Scenario

A point-to-point distance link can be achieved by configuring two Lobo nodes as WDS Access Points. The topology is shown in Figure 6-19: WDS Topology Example.

Figure 6-19:WDS Topology Example


The Lobo WDS Node-1 configuration should include the following:
- Lobo WDS Node-2's MAC address should be set in the WDS list.
- Both nodes should transmit on the same frequency.
- Lobo Stealth Mode should be used (if you want to avoid transmitting beacons) or Hide ESSID (if you want beacons to be transmitted but without publishing the Lobo node's ESSID).
- Additionally the user can enable ACL with policy ALLOW and an empty MAC list to prevent every station from connecting to the node (with ALLOW, only listed MACs may associate, so an empty list admits no station).
Hiding the ESSID and suppressing beacons only reduce what casual scanners show; a passive listener still sees the WDS frames and both MAC addresses, so these options do not replace encryption of the link.

The same configuration should be set on Lobo WDS Node-2, with the corresponding values for the first Lobo node.

6.8.1.2 Lobo AP to Lobo AP Client Scenario

A point-to-point link can also be set up using AP and AP Client modes. The topology is shown in Figure 6-20: Point to Point Topology Example.

Figure 6-20:Point to Point Topology Example


The Lobo Access Point should be configured as follows:
- Set up the ESSID of the AP.
- Enable Stealth Mode on the AP.
- Enable ACL with policy ALLOW and put the Lobo AP Client's MAC in the MAC list.
Stealth Mode and the ACL only hide the link from casual scanning; to protect the traffic on it, also configure WPA (section 6.4.2) on both the AP and the AP Client.

On the other side, the Lobo AP Client should be configured as follows:
- Fill the SSID field with the AP's ESSID.
- Fill the preferred BSSID with the MAC of the AP.
- Perform a Site Survey.
- Choose the Lobo Access Point from the list and confirm an Align.
- Make all the adjustments needed to achieve optimal alignment.

6.8.2 BSSID extended Repetition

Lobo Repeater is a custom mode of Lobo O.S. Repeater functionality is described in the Operational Modes section of this document. Figure 6-21: Lobo Extended Repetition Topology Example shows a special-case topology based on Repeater functionality.


Figure 6-21:Lobo Extended Repetition Topology Example

The Lobo Base node's BSS is repeated through a chain of repeaters: each Ikr Rep-i node repeats the BSS of Ikr Rep-(i-1). Every Station-i in the figure is connected to a different Repeater node, but all of them are in the same BSS, as if they were on the same Access Point. Such topologies are useful to extend the Base node AP's BSS over a long distance, or to reduce the load on an AP in a large area with many clients; in the second case, placing a Lobo Repeater at a suitable position within the target area gives the user a form of load balancing. The Repeater also bridges all wireless clients with the Ethernet hosts attached to its Ethernet interface.


7 Firewall and NAT


A firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. To support firewall functionality a network system must have at least two network interfaces, one for the network it is intended to protect and one for the network it is exposed to. A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet. Lobo OS supports advanced firewall and NAT functionality combined with an easy management and monitoring interface, providing a turnkey solution for advanced and novice network administrators. Bear in mind, however, that a firewall misconfiguration may result in denial of service even for the administrator, for example an Input rule that drops the management traffic of the very session used to apply it; review each rule set before applying it to a remote node.

7.1 Firewall and NAT Chains

As in every Linux-based operating system, the Lobo OS Firewall and NAT subsystem consists of six main chains. The following image displays the way data packets flow through the Firewall and NAT chains:

Figure 7-1:Packet flow diagram

Firewall chains are (Figure 7-2: Firewall chains):


- Input firewall: all incoming traffic addressed to the router itself is tested against the Input firewall rules before being accepted.
- Output firewall: all outgoing traffic generated by the router is tested against the Output firewall rules before being sent.



- Forwarding firewall: all traffic being forwarded through the system is tested against the Forwarding firewall rules before being forwarded.
- Flowmark: all incoming traffic that matches the corresponding criteria is marked.

Figure 7-2: Firewall chains

NAT chains are (Figure 7-3: NAT chains):

- DNAT: used to alter the destination attributes of a packet (in order to redirect it).
- SNAT: used to alter the source attributes of a packet (in order to hide the sender's address and properties).


Figure 7-3: NAT chains

Rules: rules are entries in a chain consisting of several fields (criteria) that can be used to match a data packet. If ALL criteria are met, the rule is matched, its action is launched and the packet leaves the chain; rules are tested in order, so the first matching rule decides.

7.2 Field explanation

7.2.1 Firewall Matching fields

A data packet can be matched by a rule using the following criteria:

Source IP: the source IP of the packet (a single IP address such as 192.168.1.1/32 or a whole IP subnet such as 192.168.1.0/24). Matches if the source IP of the packet is exactly the same or belongs to the configured subnet.

Destination IP: the destination IP of the packet (a single address 192.168.1.1/32 or a whole subnet 192.168.1.0/24). Matches if the destination IP of the packet is exactly the same or belongs to the configured subnet.

Input Interface: the interface the packet arrived on. Matches if the interface the packet arrived on is the configured one (if the configured interface is a bridge, this also matches the interfaces under the bridge).

Output Interface: the interface the packet is to be transmitted from. Matches if the interface the packet will be transmitted from is the configured one (if the configured interface is a bridge, this also matches the interfaces under the bridge).

Existed FlowMark: mark string. Matches if the packet was given this mark when it flowed through the FlowMark chain.

Protocol: the packet's protocol type.
- ALL: always matches.
- TCP: matches if the packet's protocol type is TCP and:
  o SYN flag: ALL: always matches. SET: matches if the packet starts a new connection (SYN set, ACK clear). NOT SET: matches if the packet belongs to a previously started connection.
  o Source Port: entered as a number (0-65535), where 0 matches all ports.
  o Destination Port: entered as a number (0-65535), where 0 matches all ports.
- UDP: matches if the packet's protocol type is UDP and:
  o Source Port: entered as a number (0-65535), where 0 matches all ports.
  o Destination Port: entered as a number (0-65535), where 0 matches all ports.
- ICMP: matches if the packet's protocol type is ICMP and:
  o ICMP type: ANY: always matches. REQUEST: matches if the packet is an ICMP request. RESPONSE: matches if the packet is an ICMP response.
- GRE: matches if the packet's protocol type is GRE.
- AH: matches if the packet's protocol type is AH.
- ESP: matches if the packet's protocol type is ESP.


7.2.1.1 Connection State: New: matches if the packet starts a new connection (the router has seen packets in one direction only). Established: matches if the packet belongs to an existing connection (the router has seen packets in both directions). Related: matches if the packet starts a new connection that is associated with an existing one, such as an ICMP error message referring to a tracked connection or an FTP data connection opened alongside a tracked control connection. Invalid: matches if the packet neither belongs to an existing connection nor starts one (an ambiguous packet); such packets are normally dropped.

7.2.1.2 Source MAC: the sender's MAC address. Matches if the packet's source MAC address (in the Ethernet header) is the same. It can only be checked on packets that arrived on an Ethernet-type interface and, like any MAC address, it can be forged by the sender.

7.2.1.3 Limit: the rate at which this kind of packet is arriving. Limit Rate: matches while the average rate of matching packets has not exceeded the configured rate. Limit Burst: the number of packets allowed through in a burst before the rate limit takes effect. A limit rule followed by a DROP rule for the same traffic is the usual way to rate-limit pings or log floods.

Special field NOT: ticking the NOT box (present in most fields) makes the rule match when the opposite of the field is matched (a rule with NOT Source MAC xx:xx:xx:xx:xx:xx matches all packets except those with Source MAC xx:xx:xx:xx:xx:xx). Comment: an alias name for the rule, a string of at most 30 characters. This field is not used for matching.


7.2.1.4 ACTION field: when a rule is matched, its action is performed. Firewall actions can be:
- ACCEPT: the packet flows on to the next chain, leaving the current chain at this rule (no further rules in this chain are examined).
- REJECT: the packet stops flowing and is discarded, and an ICMP packet (reason code UNREACHABLE) is returned to the sender.
- DROP: the packet stops flowing and is discarded without notifying the sender.
- FORWARD: currently not in use.
- MARK: the packet flows on to the next chain, leaving the current chain at this rule (no further rules in this chain are examined), and is marked with the New Flowmark.
The following figures show these fields.

Figure 7-4:Basic Rule configuration


Figure 7-5:Advanced Rule configuration

7.2.2 NAT Matching fields

Source IP: the source IP of the packet (a single IP address such as 192.168.1.1/32 or a whole IP subnet such as 192.168.1.0/24). Matches if the source IP of the packet is exactly the same or belongs to the configured subnet.

Destination IP: the destination IP of the packet (a single address 192.168.1.1/32 or a whole subnet 192.168.1.0/24). Matches if the destination IP of the packet is exactly the same or belongs to the configured subnet.

Input Interface: the interface the packet arrived on. Matches if the interface the packet arrived on is the configured one (if the configured interface is a bridge, this also matches the interfaces under the bridge).

Output Interface: the interface the packet is to be transmitted from. Matches if the interface the packet will be transmitted from is the configured one (if the configured interface is a bridge, this also matches the interfaces under the bridge).

Existed FlowMark: mark string. Matches if the packet was given this mark when it flowed through the FlowMark chain.


Protocol: the packet's protocol type.
- ALL: always matches.
- TCP: matches if the packet's protocol type is TCP and:
  o Source Port: entered as a number (0-65535), where 0 matches all ports.
  o Destination Port: entered as a number (0-65535), where 0 matches all ports.
- UDP: matches if the packet's protocol type is UDP and:
  o Source Port: entered as a number (0-65535), where 0 matches all ports.
  o Destination Port: entered as a number (0-65535), where 0 matches all ports.
- ICMP: matches if the packet's protocol type is ICMP.
- GRE: matches if the packet's protocol type is GRE.
- AH: matches if the packet's protocol type is AH.
- ESP: matches if the packet's protocol type is ESP.


7.2.2.1 Source MAC: the sender's MAC address. Matches if the packet's source MAC address (in the Ethernet header) is the same.

Special field NOT: ticking the NOT box (present in most fields) makes the rule match when the opposite of the field is matched (a rule with NOT Source MAC xx:xx:xx:xx:xx:xx matches all packets except those with Source MAC xx:xx:xx:xx:xx:xx). Comment: an alias name for the rule, a string of at most 30 characters. This field is not used for matching.

7.2.2.2 ACTION field: when a rule is matched, its action is performed. NAT actions can be:

DNAT chain
- REDIRECT: the packet is redirected to another port of the router itself.
- Translate Dest IP to: the IP address (or range of IP addresses) the destination IP of the packet is changed to. With a range of addresses, a round-robin algorithm assigns them. This is used to forward the packet to another host.
- Translate Dest Port to: the port the packet is sent to (with a range of ports, a round-robin algorithm is used).

SNAT chain
- Masquerade: the IP address assigned to outgoing packets is taken dynamically from the current outgoing interface's IP address (no need to configure the outgoing source IP address explicitly).
- Translate Source IP to: the IP address (or range of IP addresses) the source IP of the packet is changed to. With a range of addresses, a round-robin algorithm assigns them.
- Translate Source Port to: the range of the router's ports used to send NATed packets and to track their responses.

7.2.3 Examples

7.2.3.1 Deny incoming ssh connections to your router from the internet

The ssh service runs on port 22 by default. Assume the router is connected to the internet through interface eth0. To refuse incoming ssh connections from the internet, the user inserts a rule in the Input chain of the Firewall that drops such connection attempts (they are TCP connections, so the SYN flag is set on the first packet). The following rule should be created.

Basic tab (Figure 7-6: Basic Rule configuration):
Source IP: 0.0.0.0/0 (any)
Destination IP: 0.0.0.0/0 (any)
Input interface: eth0 (the connection to the internet)
Comment: no_ssh_connect
ACTION: DROP

Advanced tab (Figure 7-7: Advanced Rule configuration):
Protocol: TCP
SYN Flag: SET
Source Port: 0 (any)
Destination Port: 22 (ssh)

Because the rule matches only connection-opening segments, it blocks new ssh sessions from the internet while leaving established ones alone; it says nothing about the other services on the router, so it belongs in an Input chain whose remaining rules (or policy) have been reviewed as well.


Figure 7-6:Basic Rule configuration

Figure 7-7:Advanced Rule configuration

Upon submitting, the rule is added in the list (Figure 7-8:FireWall Mail Panel) and can be applied to the router.
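The matching and first-match semantics of 7.1 and 7.2, with the 7.2.3.1 rule, as an added example (not Lobo code; the chain policy, the eth1 rule, the second DROP rule and the field names of the Packet record are assumptions of this example, and the packets are constructed):

```python
# Added example, not Lobo code: the chain semantics of 7.1 and 7.2 as a small matcher,
# run over packets constructed here. A rule matches only if ALL of its configured
# criteria match; a criterion marked NOT matches on the opposite; a port of 0 means any
# port; the first matching rule decides and the packet leaves the chain; a packet that
# matches nothing gets the chain policy. The first rule is the 7.2.3.1 "no_ssh_connect"
# rule; the LAN interface eth1 and the chain policy are assumptions of this example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    proto: str            # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN without ACK, i.e. the packet starts a new connection


@dataclass
class Rule:
    action: str                                   # ACCEPT, DROP, REJECT, MARK
    comment: str = ""
    criteria: dict = field(default_factory=dict)  # field name -> configured value
    negate: set = field(default_factory=set)      # fields whose NOT box is ticked

    def matches(self, pkt: Packet) -> bool:
        for name, want in self.criteria.items():
            have = getattr(pkt, name)
            if name in ("src", "dst"):
                ok = ip_address(have) in ip_network(want)   # /32 host or whole subnet
            elif name in ("sport", "dport"):
                ok = want == 0 or have == want              # 0 means any port
            else:
                ok = have == want
            if name in self.negate:
                ok = not ok
            if not ok:
                return False
        return True


def evaluate(chain, pkt: Packet, policy: str = "ACCEPT"):
    """First match wins, as in netfilter; returns (action, rule comment)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return policy, "chain policy"


# Input chain: the manual's rule, plus an assumed LAN-management accept and a catch-all
# that drops new TCP connections from anywhere but the LAN (a NOT on Source IP).
INPUT_CHAIN = [
    Rule("DROP", "no_ssh_connect",
         {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "in_iface": "eth0",
          "proto": "tcp", "syn": True, "sport": 0, "dport": 22}),
    Rule("ACCEPT", "lan_mgmt", {"in_iface": "eth1"}),
    Rule("DROP", "no_new_tcp_from_wan",
         {"src": "192.168.1.0/24", "proto": "tcp", "syn": True}, negate={"src"}),
]
```

On a stock netfilter system the first rule corresponds to iptables -A INPUT -i eth0 -p tcp --syn --dport 22 -j DROP; how Lobo NMS turns its panel into kernel rules is not described on this page, so treat that correspondence as an assumption. The case to notice is a non-SYN segment to port 22 arriving on eth0: the rule does not match it, so it drops only connection attempts and relies on the rest of the chain for everything else.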


Figure 7-8:FireWall Mail Panel

7.2.3.2 NAT: having a single public IP address, allow the whole local network to access the internet

Assume the router is connected to the internet through interface eth0 with IP address 173.55.1.2/24, and the user's local network is connected to the router's eth1 interface with IP address 192.168.1.1/24. The user should masquerade all traffic going out to the internet (interface eth0) that originates from the local network (interface eth1). The user inserts a rule in the SNAT chain as follows (Figure 7-9: Rule that masquerades outgoing traffic to internet):

Source IP: 192.168.1.0/24 (local network)
Output Interface: eth0
Translate Source IP to: 0.0.0.0-0 MASQUERADE (eth0's IP address)
Comment: NAT_on_wan

Figure 7-9:Rule that masquerades outgoing traffic to internet

Upon submitting, the rule is added in the list (Figure 7-10:masquerade rule is added) and can be applied to the router.


Figure 7-10:masquerade rule is added

HINT: make sure IP Forwarding is enabled on the router (Interface settings panel); otherwise packets from the LAN are never forwarded towards eth0 and the SNAT rule never sees them. Masquerading does not filter: whatever a DNAT or Forwarding rule lets through from the internet still gets through, so the Forwarding chain should be configured alongside NAT.
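What the masquerade rule above does to a packet, and how the router finds its way back for the replies, as an added example (not Lobo code). Addresses follow the manual's example (173.55.1.2/24 on eth0, 192.168.1.0/24 behind eth1); the port range stands in for the Translate Source Port field and is an assumption, and the packets are dicts constructed here.

```python
# Added example, not Lobo code: what the 7.2.3.2 masquerade rule does to a packet and how
# the router finds its way back for replies. Addresses follow the manual's example
# (173.55.1.2/24 on eth0, 192.168.1.0/24 behind eth1); the port range stands in for the
# "Translate Source Port to" field and is an assumption. Packets are dicts built here.
from ipaddress import ip_address, ip_network


class Masquerader:
    def __init__(self, wan_iface: str, wan_ip: str, lan_net: str, ports=(1024, 65535)):
        self.wan_iface = wan_iface
        self.wan_ip = wan_ip
        self.lan_net = ip_network(lan_net)
        self.next_port, self.last_port = ports
        self.forward = {}   # (proto, src, sport, dst, dport) -> WAN source port
        self.reverse = {}   # (proto, WAN port, peer, peer port) -> original flow

    def outbound(self, pkt: dict) -> dict:
        """SNAT chain: rewrite the source to the WAN address for LAN traffic leaving eth0.
        Each new flow gets the next free port from the range; the mapping is remembered."""
        if pkt["out_iface"] != self.wan_iface or ip_address(pkt["src"]) not in self.lan_net:
            return dict(pkt)  # rule criteria not met: packet untouched
        flow = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if flow not in self.forward:
            if self.next_port > self.last_port:
                raise RuntimeError("translate-source-port range exhausted")
            wan_port = self.next_port
            self.next_port += 1
            self.forward[flow] = wan_port
            self.reverse[(pkt["proto"], wan_port, pkt["dst"], pkt["dport"])] = flow
        out = dict(pkt)
        out["src"], out["sport"] = self.wan_ip, self.forward[flow]
        return out

    def inbound(self, pkt: dict):
        """A reply arriving on the WAN side: undo the translation if the flow is tracked,
        otherwise return None (an unsolicited packet, left to the Input chain)."""
        key = (pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"])
        flow = self.reverse.get(key)
        if flow is None or pkt["dst"] != self.wan_ip:
            return None
        out = dict(pkt)
        out["dst"], out["dport"] = flow[1], flow[2]
        return out
```

The reverse table is what the "track for responses" wording of the Translate Source Port field refers to: a reply is delivered to a LAN host only if the router itself opened that mapping, which is why an unsolicited packet from the internet never reaches the LAN through SNAT alone (and why an exhausted port range stops new connections rather than reusing a live one).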


8 DHCP

8.1 Introduction

The Dynamic Host Configuration Protocol (DHCP) provides configuration parameters to Internet hosts in a client-server model. DHCP server hosts allocate network addresses and deliver configuration parameters to other (client) hosts. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a server to a host and a mechanism for allocation of network addresses to hosts.

8.2 DHCP SERVER

The Lobo OS DHCP server provides an extended set of configuration parameters while being effective and low in resource consumption. The following figure (figure 7.1A) shows the LNMS DHCP server panel with a default configuration.

Initially the user has to select the interface the DHCP server will be bound to. This is done by moving the cursor to the interface tree in the upper left corner of the panel (Point 1) and left-clicking the proper interface (its background turns blue). The choice of interface means that only clients on the same physical segment will be able to acquire IP addresses from this DHCP server. If clients on other physical interfaces need to acquire addresses from the same server, the user has to create a bridge from the interface panel, add those interfaces under that bridge and select the bridge as the DHCP server interface. ATTENTION: the user cannot select as the DHCP server interface an interface that is under a bridge. Additionally, the DHCP server interface should already be configured with a valid IP address and subnet mask. Multiple DHCP servers on different interfaces are allowed. To see the full DHCP server panel the user should select Server (Point 2); by selecting Active or not, the user activates or deactivates the DHCP server (after pressing the Submit button, of course). This makes it possible to keep a custom configuration on board without starting the server. Points 3 and 4 are the fields for the starting and ending IP respectively, the lower and upper limits of the DHCP server address pool. Below is a brief description of each of the remaining fields.

- Broadcast (Point 5): the broadcast address clients will use. It must be the directed broadcast address of the subnet defined by the Subnet Mask.
- Subnet Mask (Point 6): the subnet mask clients will use.
- Lease (Point 7): the time (seconds) an allocated IP address is valid. After expiry the client has to renegotiate to get a new address (usually the same one). In any case the expiry time the client actually observes depends on the client's operating system and its DHCP client configuration.
- Decline (Point 8): the amount of time (seconds) an IP address stays reserved (leased) if a DHCP DECLINE message is received for it.
- Min Lease (Point 9): if a lease to be given is below this value (seconds), the full lease time is used instead.
- Conflict (Point 10): the amount of time (seconds) an IP address stays reserved (leased) if an ARP conflict occurs (two clients with the same address).
- Max Lease (Point 11): the maximum number of concurrent leases (allocated addresses). After this limit the server stops assigning addresses to new clients.
- Offer (Point 12): how long (seconds) an offered address stays reserved (leased), that is, how many seconds the DHCP server caches the offers it has extended to discovering clients. The default is 60 seconds; on fast network media it can be decreased.
- DNS Servers (Point 13): the DNS servers DHCP clients will use for DNS requests.
- WINS Servers (Point 14): WINS servers the clients should use, if any.
- Routers (Point 15): routers (default gateways) the clients can use.
- Leases info (Point 16): pressing this button opens a popup window like the one in figure 7.1B, which shows the user all allocated leases. In the current version the DHCP server does not support on-the-fly re-reading of the leases file, so after an address is allocated the new record appears in this popup with a delay of about 60 seconds.
- Domain (Point 17): the domain name (if any) handed out to clients.
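The consistency checks worth running on the fields above before pressing Submit, as an added example (not Lobo code; the field names follow the panel, and the interface address is assumed to be known from the interface panel). It flags the mistakes that make a pool hand out unusable leases: a pool outside the interface's subnet, a pool that contains the network, broadcast or server address, a start above the end, a mask or broadcast that does not belong to the subnet, a lease shorter than the minimum, and a lease limit larger than the pool.

```python
# Added example, not Lobo code: pre-submit checks for the DHCP server fields of 8.2.
# Field names follow the panel (start/end IP, subnet mask, broadcast, lease, min lease,
# max leases); the interface address is assumed to be known from the interface panel.
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def check_dhcp_server(iface_cidr: str, start: str, end: str, subnet_mask: str,
                      broadcast: str, lease: int, min_lease: int, max_leases: int) -> list:
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems = []
    iface = IPv4Interface(iface_cidr)
    net = iface.network
    first, last = IPv4Address(start), IPv4Address(end)

    # The mask and broadcast handed to clients must describe the server's own subnet,
    # otherwise clients cannot reach the server (or each other) after they get a lease.
    if IPv4Network(f"0.0.0.0/{subnet_mask}").netmask != net.netmask:
        problems.append(f"subnet mask {subnet_mask} differs from the interface's {net.netmask}")
    if IPv4Address(broadcast) != net.broadcast_address:
        problems.append(f"broadcast {broadcast} is not {net.broadcast_address}, "
                        "the subnet's directed broadcast")

    if first > last:
        problems.append("starting IP is above ending IP")
    for label, addr in (("starting", first), ("ending", last)):
        if addr not in net:
            problems.append(f"{label} IP {addr} is outside {net}")

    # Addresses that must never be leased out.
    if first <= net.network_address <= last:
        problems.append("pool includes the network address")
    if first <= net.broadcast_address <= last:
        problems.append("pool includes the broadcast address")
    if first <= iface.ip <= last:
        problems.append(f"pool includes the server's own address {iface.ip}")

    if lease < min_lease:
        problems.append("lease is shorter than min lease, so min lease would always apply")
    size = int(last) - int(first) + 1 if last >= first else 0
    if max_leases > size:
        problems.append(f"max leases {max_leases} exceeds the pool size {size}")
    return problems
```

The same function serves as a sanity check for the bridge case described above: run it with the bridge's address and the bridge's subnet, since that is the segment the server will actually answer on.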

8.2.1 Lease Times

One of the most common DHCP administration questions is "What setting should I give my lease times?" As with most things in networking, the answer is "It depends", the primary criterion being how often you want your clients to refresh their configuration data.

If you use DHCP only for randomized address assignment, longer lease times give greater stability. For example, with lease times of one month or longer, a temporary server outage is unlikely to affect normal operations much. However, if you use DHCP for a variety of system configuration options (such as default DNS servers and static routes), you will want shorter lease times so that changes to the network are picked up quickly by the DHCP clients. In this case lease times longer than a day or two can be problematic, because a client that obtains a new lease just before a critical infrastructure change will not see that change until its lease expires or is renewed.

For dynamic environments there are two common lease-duration strategies. The first has leases renewed halfway through a working day (for example, leases that expire every eight hours, which a client renews after four hours, since DHCP clients attempt renewal at half the lease time). The other sets the lease duration to two and a half times the working day (20 hours for an eight-hour day), so that leases expire completely overnight and are renegotiated every morning. The former works well on networks whose machines run all the time; the latter works well where systems are powered down or otherwise removed from the network at night. Be forewarned, however, that both strategies expose the network to problems if the DHCP server goes down or sits on a remote network that is subject to outages: if the clients get their leases from a DHCP server on the other side of a WAN link that is even minimally prone to failure, chances are good that short lease times will result in at least a few failed renewals.

8.3 DHCP CLIENT

The DHCP client application has a very simple configuration, as shown in figure 7.2A. It needs only the selection of the interface on which dhcp-client will search for DHCP servers. The ticked field Keep DNS and Gateway prevents the default system gateway and DNS servers from being changed when the client receives an IP configuration from the server. It is useful when the user has already set a static default gateway and DNS and wants them to remain unchanged, or when they are to be configured by another application (e.g. pppoe-client). In most cases this field should be unticked. As with dhcp-server, multiple instances of dhcp-client on different interfaces are allowed.

8.4 DHCP RELAY

DHCP does not require a server on each subnet. To allow for scale and economy, a relay agent can be installed listening to DHCP messages and forwarding them on (and onto other network segments). This eliminates the necessity of having a DHCP server on each physical network. A sample configuration of DHCP relay agent is displayed in Figure 7.3A.


Interface represents the subnet (LAN) on which the relay listens for client DHCP requests in order to forward them to the DHCP servers with IP addresses Server 1, Server 2, Server 3 or Server 4. The interface on which the application relays should have a valid IP and subnet mask, and, like the other DHCP applications, dhcp-relay can have multiple instances on different interfaces.


9 WAN Configuration

9.1 PPPOE CLIENT

The PPPoE client application is used to create PPPoE connections with PPPoE servers, mainly those operated by Internet Service Providers. Figure 9-1 shows the configuration panel for pppoe-client.

Figure 9-1:PPPoE Configuration (1)

Initially the user has to select an interface in the upper-left corner (Point 1) on which pppoe-client will search for PPPoE servers. This interface usually shares the same medium with an ADSL modem (in bridge mode). There is no need for a pre-configured valid IP and subnet mask on this interface. To see the pppoe-client panel of figure 8.1A, the user has to tick PPPoE (Point 2), and to enable it he should tick Active as well. The following comments give some information about the numbered fields.

- User Name (Point 3): User name used by the client to authenticate with the PPPoE server, usually supplied by the ISP.
- Password (Point 4): Password (more than three characters) used by the client to authenticate with the PPPoE server, usually supplied by the ISP.
- Protocol (Point 5): Protocol used for authentication with the PPPoE server. By selecting the Protocol button (Figure 9-2:PPPoE Protocol Selection) the user is able to see the supported authentication protocols (NONE, PAP, CHAP).

Figure 9-2:PPPoE Protocol Selection

- Concentrator (Point 6): This field refers to the case where more than one PPPoE server is available. If those servers have a valid name (called the Concentrator name), the user can choose the proper one by filling this field with that name.

- Keep DNS and Gateway (Point 7): In most cases PPPoE authentication supplies the client with valid DNS servers and makes the PPPoE interface (Figure 9-3:Wan Interface Configuration) the default system gateway. A user who wants to set static DNS servers and/or a static default gateway, or to leave another application (e.g. dhcp-client) to configure them, has to tick this field.

- MTU size (Point 8): The normal Ethernet MTU is 1500 bytes, but the PPPoE overhead plus two bytes of overhead for the encapsulated PPP frame mean that the MTU of the PPP interface is at most 1492 bytes. This causes all kinds of problems if you are using a Linux machine as a firewall and interfaces behind the firewall have an MTU greater than 1492. For safety the MTU size must be an integer between 536 and 1412.

Figure 9-3:Wan Interface Configuration

- Enable on Demand (Point 9): Enable on Demand is a feature that creates the PPPoE connection only when there is IP traffic on the PPPoE interface. Some ISPs offer connection agreements where charging depends on time; in these cases this feature can be more than valuable. By ticking this field three more fields appear (Figure 9-4:PPPoE Enable on Demand Settings). First the user has to identify the PPPoE server by its IP (Remote IP) OR its domain name (Remote Domain), and then add a time period (sec) in Demand Time. If the PPPoE connection remains idle for this period, the connection closes until someone tries to use it again (probably from a PC behind the router).

Figure 9-4:PPPoE - Enable on Demand Settings

- Current Status (Point 10): By refreshing the panel, the Current Status field gives information on the current connection status (whether there is a connection, or the reason for an unsuccessful attempt to connect).

9.2 PPTP CLIENT

The PPTP client application is used to create PPTP connections with PPTP servers, mainly those operated by Internet Service Providers. Figure 9-5:WAN - PPTP Settings shows the configuration panel for pptp-client. Initially the user has to select an interface in the upper-left corner (Point 1) on which pptp-client will search for PPTP servers. This interface must be pre-configured with a valid IP and subnet mask from the PPTP server's subnet, or it should be able to reach the PPTP server in some other way (e.g. through the default gateway).

Figure 9-5:WAN - PPTP Settings

To see the pptp-client panel of Figure 9-5:WAN - PPTP Settings, the user has to tick PPTP (Point 2), and to enable it he should tick Active as well. The following comments give some information about the numbered fields.

- User Name (Point 3): User name used by the client to authenticate with the PPTP server, usually supplied by the ISP.
- Password (Point 4): Password (more than three characters) used by the client to authenticate with the PPTP server, usually supplied by the ISP.
- Protocol (Point 5): Protocol used for authentication with the PPTP server. By selecting the Protocol button (Figure 9-5:WAN - PPTP Settings) the user is able to see the supported authentication protocols (NONE, PAP, CHAP).

- Dial IP (Point 6) or ISP Name (Point 7): IP of the PPTP server, which is a required field. Alternatively, the user can enter the DNS name of the PPTP server in ISP Name.

- Keep DNS and Gateway (Point 8): In most cases PPTP authentication supplies the client with valid DNS servers and makes the PPTP interface (Figure 9-6:PPTP Interface) the default system gateway. A user who wants to set static DNS servers and/or a static default gateway, or to leave another application (e.g. dhcp-client) to configure them, has to tick this field.

Figure 9-6:PPTP Interface

- Authenticator (Point 9): Some PPTP servers also need an additional field called Authenticator to establish a PPTP connection. This name is usually provided by the ISP.


- Enable on Demand (Point 10): Enable on Demand is a feature that creates the PPTP connection only when there is IP traffic on the PPTP interface. Some ISPs offer connection agreements where charging depends on time; in these cases this feature can be more than valuable. The user has to add a time period (sec) in Demand Time (Point 11). If the PPTP connection remains idle for this period, the connection closes until someone tries to use it again (probably from a PC behind the router).

- Current Status (Point 12): By refreshing the panel, the Current Status field gives information on the current connection status (whether there is a connection, or the reason for an unsuccessful attempt to connect).


10 Bandwidth Manager
Network bandwidth is the amount of data that can be transmitted on a network in a particular amount of time. Lobo OS, in conjunction with the LNMS software, helps identify and alleviate network bottlenecks. The Lobo OS bandwidth subsystem is based on HTB (Hierarchical Token Bucket).

10.1 General

Bandwidth Management rules are based on:
- Source IP address/IP subnet (Shaped Host)
- Destination IP address/IP subnet
- Source Port
- Destination Port
- Identified Peer 2 Peer Traffic (Kazaa etc)

For every bandwidth management rule, the administrator should configure the physical interface the traffic is sent through and the preferred transmit rate, along with the above criteria. The base criterion for limiting bandwidth is the Shaped Host. Multiple rules for the same Shaped Host can be added, resulting in a tree-based bandwidth scheme. For each IP packet that the Lobo Router will forward, the properties of the packet are checked to see whether there is a Bandwidth Management rule that it matches. Once a rule is matched, the Lobo Router checks whether the Shaped Host has exceeded its rate limit. If the rate limit has not yet been reached, the packet is scheduled to be transmitted with no delay; otherwise it is scheduled to be transmitted later, in order to keep the Shaped Host within its bandwidth rate.

10.2 Field explanation

10.2.1 Shaped IP: is the single IP address (e.g. 192.168.1.1) or the whole IP subnet (e.g. 192.168.1.0/24), also called the Shaped Host, whose bandwidth the administrator wants to limit (shape).

10.2.2 Source/Destination IP: is the single IP address (e.g. 192.168.1.1) or the whole IP subnet (e.g. 192.168.1.0/24) that the Shaped Host receives traffic from or transmits traffic to.

10.2.3 Source/Destination Port: is the port that the Shaped Host receives traffic from or transmits traffic to.

10.2.4 Bandwidth Type: determines whether the rule is an Uplink or Downlink bandwidth rule (that is, whether the Shaped Host transmits or receives the traffic).

10.2.5 Peer To Peer: determines whether the rule will match Peer to Peer traffic that the Shaped Host receives or transmits.

10.2.6 Interface: the physical interface the traffic is in fact sent through.

10.2.7 Bandwidth limit: is the maximum rate at which this rule will allow traffic to be sent.

Lobo Bandwidth Management module uses the Firewall FlowMark chain to identify and limit Peer to Peer Traffic. Generation of Firewall FlowMark Peer to Peer marks is transparent to the user. Rules are sorted before they are applied to Lobo OS (in order to preserve tree mode queuing, see example 3).

10.3 Examples

10.3.1 Limiting bandwidth of whole subnets

Assume the following topology:


Figure 10-1:Network topology

The WISP building has connectivity to the Internet and there are two client buildings which the WISP needs to feed. The client buildings are companies with many desktop computers. Company 1 has paid for 256/512 kbits and Company 2 for 384/1024 kbits of bandwidth. In order to enforce these bandwidth limits, the Lobo Router in the WISP's building can be configured with the following bandwidth rules (assume ath0 is the wireless link and eth0 is the Ethernet link of the Lobo Router). First, the user should add a rule that limits Downlink traffic for Company 1 to 512 kbits (Figure 10-2:Downlink rate for Company 1):

- Shaped IP: 192.168.0.0/24
- Bandwidth type: Downlink
- Source IP: 0.0.0.0/0 (any)
- Source Port: 0 (any)
- Peer to Peer: not checked
- Bandwidth Limit: 512000
- Interface: ath0 (ath0 is used by the client to download traffic; ath0 is in fact transmitting)


Figure 10-2:Downlink rate for Company 1

Upon submit, the previous rule is added (Figure 10-3:Downlink rule is added)

Figure 10-3:Downlink rule is added

Now the user should configure the Uplink for Company 1 (Figure 10-4:Uplink rate for Company 1):

- Shaped IP: 192.168.0.0/24
- Bandwidth type: Uplink
- Destination IP: 0.0.0.0/0 (any)
- Destination Port: 0 (any)
- Peer to Peer: not checked
- Bandwidth Limit: 256000
- Interface: eth0 (eth0 is used by the client to upload traffic; eth0 is in fact transmitting)


Figure 10-4:Uplink rate for Company 1

Upon submit, the previous rule is added (Figure 10-5:Added bandwidth Rules)

Figure 10-5:Added bandwidth Rules

User should do the same for Company 2.

Finally, these are the rules that should be applied.


Figure 10-6:Added bandwidth Rules

(To apply the previous rules, the user should press the green tick.)

10.3.2 Limiting Peer to Peer Traffic

Assume the user has to limit the peer to peer traffic of a host (IP address 192.168.1.2), shown in the following figure.

Figure 10-7:Network topology

In order to limit the host's (192.168.1.2) Peer to Peer traffic to 128/64 kbits, the user should apply the following rules:

Downlink Rule (Figure 10-8:Rule limiting downlink Peer to Peer Traffic)

- Shaped IP: 192.168.1.2/32
- Bandwidth type: Downlink
- Source IP: 0.0.0.0/0 (any)
- Source Port: 0 (any)
- Peer to Peer: checked
- Bandwidth Limit: 128000
- Interface: eth1 (eth1 is used by the host to download traffic; eth1 is in fact transmitting)

Figure 10-8:Rule limiting downlink Peer to Peer Traffic

Uplink Rule (Figure 10-9:Rule limiting uplink Peer to Peer Traffic)

- Shaped IP: 192.168.1.2/32
- Bandwidth type: Uplink
- Destination IP: 0.0.0.0/0 (any)
- Destination Port: 0 (any)
- Peer to Peer: checked
- Bandwidth Limit: 64000
- Interface: eth0 (eth0 is used by the host to upload traffic; eth0 is in fact transmitting)


Figure 10-9:Rule limiting uplink Peer to Peer Traffic

The following rules are added:

Figure 10-10:Peer to Peer Rules

Applying the previous configuration, a new FlowMark is created in the Firewall panel, named P2P192.168.1.2/32, which is used to mark Peer to Peer traffic. The bandwidth subsystem uses this mark to limit traffic (Figure 10-11:Peer to Peer FlowMark Rule is added).

Figure 10-11:Peer to Peer FlowMark Rule is added

10.3.3 Tree-based mode: Limiting a host to some rate, but for a specific port use a smaller rate

This example deploys the tree mode queuing of the Lobo Bandwidth Management System. Assume that the user wants to limit the host's (192.168.1.2) downlink rate to 128 kbits, but, especially for ftp traffic, needs to limit the host to 64 kbits.


Figure 10-12:Network topology

This can be accomplished using the following configuration. First, the user should add a general rule with the desired maximum rate of the host (128 kbits), as shown in figure 9.3.12.

- Shaped IP: 192.168.1.2/32
- Bandwidth type: Downlink
- Source IP: 0.0.0.0/0 (any)
- Source Port: 0 (any)
- Peer to Peer: checked
- Bandwidth Limit: 128000
- Interface: eth1 (eth1 is used by the host to download traffic; eth1 is in fact transmitting)

Figure 10-13:General rule

Then, the user should add a rule that limits the host's downlink from the ftp port (23), as shown in Figure 10-14:Specific rule for port 23.

- Shaped IP: 192.168.1.2/32
- Bandwidth type: Downlink
- Source IP: 0.0.0.0/0 (any)
- Source Port: 23 (ftp)
- Peer to Peer: checked
- Bandwidth Limit: 128000
- Interface: eth1 (eth1 is used by the host to download traffic; eth1 is in fact transmitting)

Figure 10-14:Specific rule for port 23

The latter rule will match only traffic delivered to the host from the ftp port (23). In fact, the host's Maximum Download Rate is 128000. Although there are two rules are applied to the host, the latter (ftp) rule borrows bandwidth from the first rule. This way, the host will never exceed its Maximum Download Rate.
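As an added example (not Lobo OS code), the following Python models the two rules above with the fields the manual lists, classifies sample packets to the most specific matching rule, and lays the pair out as an HTB class tree in the form of Linux tc commands; the tc mapping, the general-before-specific ordering and the reading of the Peer to Peer flag are this example's assumptions, and the rates are the 128/64 kbit from the text.

```python
# Added example, not Lobo OS code: the two tree-mode rules of section 10.3.3
# matched against packets and laid out as an HTB class tree.  The rule fields
# are the manual's; the general-before-specific ordering, the reading "Peer to
# Peer unchecked matches any traffic" and the tc/HTB strings are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count

@dataclass(frozen=True)
class Rule:
    shaped_ip: str       # Shaped Host, e.g. "192.168.1.2/32"
    bandwidth_type: str  # "Downlink" (host receives) or "Uplink" (host sends)
    peer_ip: str         # Source IP (Downlink) / Destination IP (Uplink)
    peer_port: int       # Source/Destination Port, 0 = any
    p2p: bool            # Peer to Peer checked
    limit_bps: int       # Bandwidth Limit in bit/s, e.g. 128000
    interface: str       # physical interface that actually transmits

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    p2p: bool = False    # set when the firewall FlowMark tagged it as P2P

def matches(rule, pkt):
    """Downlink: destination is the shaped host and source the peer; Uplink the
    other way round.  0.0.0.0/0 and port 0 mean any."""
    if rule.bandwidth_type == "Downlink":
        host, peer, port = pkt.dst_ip, pkt.src_ip, pkt.src_port
    else:
        host, peer, port = pkt.src_ip, pkt.dst_ip, pkt.dst_port
    return (ip_address(host) in ip_network(rule.shaped_ip)
            and ip_address(peer) in ip_network(rule.peer_ip)
            and rule.peer_port in (0, port)
            and (pkt.p2p or not rule.p2p))

def sort_rules(rules):
    """General rules first, specific ones after them, so a port- or
    peer-specific rule always lands under its host rule in the tree."""
    return sorted(rules, key=lambda r: (
        r.interface, r.bandwidth_type, r.shaped_ip,
        ip_network(r.peer_ip).prefixlen, r.peer_port != 0, r.p2p))

def classify(rules, pkt):
    """Most specific matching rule (the last match in sorted order), or None."""
    best = None
    for r in sort_rules(rules):
        if matches(r, pkt):
            best = r
    return best

def tc_commands(rules):
    """One root HTB qdisc per transmitting interface.  Per shaped host the
    general rule is an inner class (rate = ceil = host limit), each specific
    rule a leaf hard-capped at its own limit, and a 'rest' leaf that may
    borrow up to the host limit; hanging under one class, the leaves together
    never exceed the general rule's limit."""
    def kbit(bps):
        return f"{bps // 1000}kbit"
    groups, cmds, ids = {}, [], {}
    for r in sort_rules(rules):
        groups.setdefault((r.interface, r.bandwidth_type, r.shaped_ip), []).append(r)
    for (dev, btype, shaped), grp in groups.items():
        if dev not in ids:
            ids[dev] = count(1)
            cmds.append(f"tc qdisc add dev {dev} root handle 1: htb")
        host_sel, port_sel = ("dst", "sport") if btype == "Downlink" else ("src", "dport")
        general, specific = grp[0], grp[1:]
        ceil = kbit(general.limit_bps)
        pid = f"1:{next(ids[dev])}"
        cmds.append(f"tc class add dev {dev} parent 1: classid {pid} htb rate {ceil} ceil {ceil}")
        leaves = []  # (classid, rule); None marks the rest leaf
        for s in specific:
            cid = f"1:{next(ids[dev])}"
            cmds.append(f"tc class add dev {dev} parent {pid} classid {cid} "
                        f"htb rate {kbit(s.limit_bps)} ceil {kbit(s.limit_bps)}")
            leaves.append((cid, s))
        if specific:  # whatever the specific leaves do not reserve, 8 kbit floor
            rest = max(general.limit_bps - sum(s.limit_bps for s in specific), 8000)
            rid = f"1:{next(ids[dev])}"
            cmds.append(f"tc class add dev {dev} parent {pid} classid {rid} "
                        f"htb rate {kbit(rest)} ceil {ceil}")
            leaves.append((rid, None))
        else:
            leaves.append((pid, None))  # single rule: the host class is the leaf
        for prio, (cid, s) in enumerate(leaves, start=1):  # specific first
            match = f"match ip {host_sel} {shaped}"
            if s is not None and s.peer_port:
                match += f" match ip {port_sel} {s.peer_port} 0xffff"
            cmds.append(f"tc filter add dev {dev} parent 1: protocol ip prio {prio} "
                        f"u32 {match} flowid {cid}")
    return cmds

# The two rules of section 10.3.3 with the 128/64 kbit rates from the text.
RULES = [
    Rule("192.168.1.2/32", "Downlink", "0.0.0.0/0", 0, False, 128000, "eth1"),
    Rule("192.168.1.2/32", "Downlink", "0.0.0.0/0", 23, False, 64000, "eth1"),
]
```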


11 Lobo HOTSPOT wizard


11.1 General HotSpot Description

The LOBO OS HotSpot Access Gateway enables Telcos, operators, wireless ISPs, enterprises, government institutions or school campuses to deploy WLANs with secured user authentication support. It is based on both RADIUS and Web redirection technology: when an unauthenticated wireless user tries to access a Web page, a logon page is shown instead of the requested page, so that the user can type his/her user name and password for authentication. The user's credentials are then sent to a back-end RADIUS (Remote Authentication Dial-In User Service) server to see if the user is allowed to access the Internet. The Web redirection also supports Web page customization, allowing operators or Hotspots to easily designate a Web page / Advertisement URL before / after user login, as well as Web-redirection bypass for paid users and/or those frequently using hotspot services, whose authentication can be performed using their MAC address.

11.2 HotSpot Main Panel

11.2.1 Enable HotSpot: is used to stop or start hotspot functionality.

11.2.2 Status: displays the current hotspot status (Stopped, Running or Initializing). In case there is a problem with the hotspot initialization procedure, an error message is displayed. E.g. DNS error: the HotSpot needs to connect to a DNS server but cannot find one. This may be a misconfiguration of the hotspot's wan interface settings, or the DNS server may be temporarily unreachable (the WAN is not initialized yet, the ppp connection is not established yet). The Hotspot will keep retrying to initialize at certain intervals.

11.2.3 Admin MAC: is the administrator's MAC address. This MAC address (if not zeros) is always considered authenticated and is assigned the first HotSpot Dynamic IPs address (x.x.x.2). Setting it is recommended, in order not to lose connectivity with the HotSpot if connected to one of its HotSpot interfaces.

11.2.4 Users Info: List of users that have obtained an IP address, their authentication status (TRUE or FALSE), and user statistics.

11.2.5 Radius Statistics: Table displaying Radius statistics.

11.3 Wizard Configuration

Wizard configuration is initialized by pressing the Start Wizard button in the corresponding configuration panel.

11.3.1 Wan: Is the interface which the hotspot should use to connect to the Internet. It can be configured in the following ways:

11.3.1.1 Static IP: The Wan interface will be assigned a static IP address, subnet mask, gateway IP and DNS IP.

11.3.1.2 Dhcp client: Wan interface will retrieve dynamically the corresponding IP Settings via DHCP protocol.

11.3.1.3 PPTP client: Wan Interface will try to connect via the PPTP protocol in correspondence with the configuration parameters.

11.3.1.4 PPPOE client: Wan Interface will try to connect via the PPPoE protocol in correspondence with the configuration parameters.

11.3.2 LAN: In this panel the user has to select which physical interfaces he/she wishes to use as HotSpot interfaces. The user has the flexibility to select multiple interfaces, either Ethernet or wireless. Upon HotSpot initialization those interfaces will be bridged under a network bridge called br_HotSpot.

11.3.3 DHCP: The hotspot will assign hotspot users an IP address in the range of the Dynamic IPs configured. Warning: The hotspot uses its built-in DHCP server, which is not displayed in the DHCP panel of the router.

Example: If Dynamic IPs are 192.168.1.0/24, then the hotspot will assign IPs in the range 192.168.1.2 to 192.168.1.254 (IP 192.168.1.0 is the network IP, which cannot be assigned; IP 192.168.1.1 will be assigned to the hotspot itself (br_HotSpot interface); and IP 192.168.1.255 is the broadcast IP, which cannot be assigned). If the DNS values are set to 0.0.0.0, the hotspot will assign the router's DNS IP addresses.

Domain: Is the domain name assigned to hotspot users.

Lease: Is the number of seconds after which users' DHCP clients will have to renew their assigned IP.

Static IPs: Is an advanced option left to the administrator. Using it, the hotspot will never assign this range of IPs, unless MAC authentication is used and the Radius server's response forces an IP address from this range to be assigned (Framed-IP-Address). Example: If Dynamic IPs are configured as above and Static IPs are 192.168.1.0/30, the hotspot will assign IPs in the range 192.168.1.4 to 192.168.1.254, leaving IPs 192.168.1.2 to 192.168.1.3 to be assigned by the Radius Server. Warning: The Static IPs subnet should be a sub-subnet of the Dynamic IPs subnet.
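As an added example (not Lobo OS code), the following Python works out the pool arithmetic described above for the Dynamic IPs and Static IPs settings, including the sub-subnet check from the warning and the Framed-IP-Address case; the class and method names, and the fallback when a Framed-IP-Address is unusable, are this example's assumptions.

```python
# Added example, not Lobo OS code: the pool arithmetic of section 11.3.3 for
# the Dynamic IPs and Static IPs settings.  Class and method names are this
# example's own; the fallback when a Framed-IP-Address is unusable is an
# assumption, since the manual does not say what happens then.
from ipaddress import IPv4Address, IPv4Network


class HotSpotPool:
    def __init__(self, dynamic, static=None):
        self.dynamic = IPv4Network(dynamic)
        self.static = IPv4Network(static) if static else None
        # The manual's warning: Static IPs must be a sub-subnet of Dynamic IPs.
        if self.static is not None and not self.static.subnet_of(self.dynamic):
            raise ValueError(f"Static IPs {self.static} not inside Dynamic IPs {self.dynamic}")
        self.hotspot_ip = self.dynamic.network_address + 1  # br_HotSpot, x.x.x.1

    def never_assigned(self, ip):
        """Network, broadcast and the hotspot's own address are never handed out."""
        ip = IPv4Address(ip)
        return ip in (self.dynamic.network_address,
                      self.dynamic.broadcast_address, self.hotspot_ip)

    def radius_only(self, ip):
        """In the Static IPs range: skipped by the DHCP side, reachable only
        through a Radius Framed-IP-Address."""
        return self.static is not None and IPv4Address(ip) in self.static

    def dhcp_assignable(self, ip):
        ip = IPv4Address(ip)
        return ip in self.dynamic and not self.never_assigned(ip) and not self.radius_only(ip)

    def dynamic_range(self):
        """First and last address the built-in DHCP server may assign, and how
        many addresses that is."""
        usable = [ip for ip in self.dynamic if self.dhcp_assignable(ip)]
        return usable[0], usable[-1], len(usable)

    def assign(self, leased, framed_ip=None):
        """Address for a newly authenticated user: the Framed-IP-Address from the
        Radius Access-Accept when one was sent (assumption: only if it is a
        usable, unleased address of the pool), else the next free dynamic
        address; None when the pool is exhausted."""
        if framed_ip is not None:
            ip = IPv4Address(framed_ip)
            if ip in self.dynamic and not self.never_assigned(ip) and ip not in leased:
                return ip
        for ip in self.dynamic:
            if self.dhcp_assignable(ip) and ip not in leased:
                return ip
        return None
```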

11.3.4 NAT & Protection:

NAT Enable: If NAT Enable is selected, then hotspot users' IP addresses will be translated to the Wan's IP address (Network Address Translation, Masquerade). This should be used if the Dynamic IP addresses assigned are not public IP addresses but private ones. If NAT Enable is not selected, hotspot users' IP addresses will be forwarded to the Internet unmodified.

Protection Level: Protection is performed through firewall rules. According to the protection level used, the appropriate firewall rules will be generated (with comment Added_By_Hotspot). Warning: All preconfigured firewall rules will be dropped. There are four (4) levels of protection:

1) No Protection: There is no protection. All traffic is accepted both from the Wan and hotspot interfaces.

2) Low Protection: Policy of the INPUT firewall chain will be set to DROP.

The following configuration will be applied to firewall subsystem.

Traffic coming from Wan interface:

Type | Action | Comments
Traffic initiated from router or hotspot users | Accepted | Related or Established connections
New connection ssh | Accepted | Ssh connection
Snmp request | Accepted | Snmp
New LNMS connection | Accepted | LNMS connection
ICMP traffic | Accepted, limited to 5/sec | All ICMP types
Ipsec traffic | Accepted | Udp port 500 and protocols AH, ESP (IPsec)
Everything else | Dropped |

Traffic coming from Hotspot Interfaces:

Type | Action | Comments
Traffic from hotspot users | Accepted | Connections to Internet
New connection ssh | Accepted | Ssh connection
Snmp request | Accepted | Snmp
New LNMS connection | Accepted | LNMS connection
ICMP traffic | Accepted, limited to 5/sec | All ICMP types
Ipsec traffic | Accepted | Protocols AH, ESP (IPsec)
Everything else | Dropped |



3) Medium Protection: Policy of the INPUT firewall chain will be set to DROP.

The following configuration will be applied to firewall subsystem.

Traffic coming from Wan interface:

Type | Action | Comments
Traffic initiated from router or hotspot users | Accepted | Related or Established connections
New LNMS connection | Accepted | LNMS connection
ICMP traffic | Accepted, limited to 5/sec | All ICMP types
Ipsec traffic | Accepted | Udp port 500 and protocols AH, ESP (IPsec)
Everything else | Dropped |

Traffic coming from Hotspot Interfaces:

Type | Action | Comments
Traffic from hotspot users | Accepted | Connections to Internet
New LNMS connection | Accepted | LNMS connection
ICMP traffic | Accepted, limited to 5/sec | All ICMP types
Ipsec traffic | Accepted | Protocols AH, ESP (IPsec)
Everything else | Dropped |



4) High Protection: Policy of INPUT firewall chain will be set to DROP. Warning: LNMS Connectivity from Wan or Hotspot interfaces will be lost!

The following configuration will be applied to firewall subsystem.

Traffic coming from Wan interface:

Type | Action | Comments
Traffic initiated from router or hotspot users | Accepted | Related or Established connections
ICMP traffic | Accepted, limited to 5/sec | All ICMP types
Ipsec traffic | Accepted | Udp port 500 and protocols AH, ESP (IPsec)
Everything else | Dropped |

Traffic coming from Hotspot Interfaces:

Type | Action | Comments
Traffic from hotspot users | Accepted | Connections to Internet
ICMP traffic | Accepted, limited to 5/sec | All ICMP types
Ipsec traffic | Accepted | Protocols AH, ESP (IPsec)
Everything else | Dropped |

11.3.5 Wireless: If there are wireless interfaces used as hotspot interfaces, this panel is used to configure the wireless settings of these interfaces (Access Point with a chosen SSID, channel to operate on, encryption if desired). By default, wireless-to-wireless traffic is dropped.

11.3.6 Radius: The Radius server used to authenticate hotspot users.

11.3.6.1 IP address: Either the IP address or the domain name of at least one Radius Server must be present. The second Radius server is used as a backup server (if present).

11.3.6.2 Authorization: Authorization to the Radius server will be performed using the authentication method selected (CHAP or PAP).

Secret key: The secret key of the Radius Server must be set.

Nas ID: HotSpot's NAS identifier.

Authentication Port: The port used to send Access Requests to the Radius Server (1812 by default).

Accounting Port: The port used to send Accounting Requests to Radius Server (1813 by default).

11.3.7 Authentication Type: Is the method used to authenticate hotspot users. At least one must be enabled.

1) UAM: Is the common Web-redirection authentication type. Hotspot users, after having obtained an IP address and opened a Web browser, will be redirected to the hotspot's Web page in order to provide their Username and Password. UAM port is the local port the hotspot will use for redirection (default 3990). Secret: Is currently unused.

2) MAC: Hotspot users can be authenticated to the Radius Server using their MAC address (the MAC address of the medium used to obtain an IP address). The hotspot will send an Access Request to the Radius Server, using as Username the MAC address of the user (followed by the suffix string, if present) and as password the one configured in the wizard password field. If authentication is successfully completed, the user obtains the Framed-IP-Address of the Radius Access Response (if present), or the next available IP address in the range of Dynamic IP addresses. If authentication fails and UAM authentication is enabled, the user obtains an IP address in the range of Dynamic IP addresses and UAM authentication is performed (Web-redirect page).

Password: is the password used to authenticate hotspot users to the Radius Server.

Suffix: is the string attached to the hotspot users' MAC address used as the Radius Username.

Warning: If MAC authentication is enabled, hotspot users will obtain an IP address ONLY in case the Radius Server is reachable.

11.3.8 Walled Garden: Is a set of at most five (5) domains or IP addresses or subnets that a user can access without having performed authentication (But must have previously obtained an IP address by the hotspot). Example: www.lobometrics.com or 192.168.1.1 or 192.168.1.0/24

11.3.9 Advertisement: Is a set of at most five (5) URLs that a hotspot user will be redirected to, after having authenticated successfully using UAM authentication. Example: http://www.lobometrics.com

11.3.10 Web customization: The login web page to which a hotspot user is redirected can be customized according to the administrator's needs. There are two text fields that the administrator can fill with info describing his needs. Example: BrandName: Athens Main Square Garden's Hotspot

Extra Text: Featured by Greece Major HotSpot Operators.

Select Color: Is the background color of the redirection Web-page.

Select Image: On the top of the Web-redirection page is an image, which can be replaced with any other JPEG (.jpg) image.

11.3.11 Summary: The configuration applied so far is summarized here.

11.3.12 Submit: The configuration will be applied to the router. If the Hotspot is already running, it will try to set the new configuration and start again. In case there is an error, the previous configuration will be restored. If the Hotspot is not running, then the configuration is applied but the Hotspot will remain stopped. In order to start the router operating as a hotspot, Enable HotSpot should be checked in the main panel and the Submit button should be pressed.

11.4 Back end Radius Configuration

Example for the Linux freeradius package. Assume the Dynamic IPs subnet is 192.168.1.0/24 and the Static IPs subnet is 192.168.1.0/30. The password configured for MAC authentication is password.

MAC authentication: To authenticate a user using MAC authentication with MAC 000102030405, the user should configure the Radius server as follows:

00-01-02-03-04-05*   Auth-Type := Local, User-Password == "password"
        Class = 0702345678,
        Session-Timeout = 7200,
        Idle-Timeout = 600,
        Acct-Interim-Interval = 60,
        Framed-IP-Address = 192.168.1.3,
        WISPr-Bandwidth-Max-Up = 256000,
        WISPr-Bandwidth-Max-Down = 512000

* FORMAT HAS BEEN CHANGED FROM VERSION 1.1.0 (XX-XX-XX-XX-XX-XX INSTEAD OF XXXXXXXXXXXX). CAPITAL LETTERS MUST BE USED (0A-0B-0C-0D-0E-0F).

Upon successful authentication,

1) User will be authenticated for 7200 seconds (2 hours), will obtain IP address 192.168.1.3, upload bandwidth 256 Kbits and download bandwidth 512 Kbits.

2) HotSpot will send Accounting requests to radius every 60 seconds.

UAM authentication:

To authenticate a user using UAM authentication with username user1 and password his_password, the user should configure the Radius server as follows:

user1   Auth-Type := Local, User-Password == "his_password"
        Class = 0702345678,
        Session-Timeout = 7200,
        Idle-Timeout = 600,
        Acct-Interim-Interval = 60,
        WISPr-Bandwidth-Max-Up = 256000,
        WISPr-Bandwidth-Max-Down = 512000

Upon successful authentication,

1) User will be authenticated for 7200 seconds (2 hours), with upload bandwidth 256 Kbits and download bandwidth 512 Kbits.

2) HotSpot will send Accounting requests to radius every 60 seconds.


11.5 Example

Assume that the user's system is equipped with two (2) Ethernet interfaces and one (1) wireless interface, as shown in the following figure.

Figure 11-1:Network topology (diagram labels: Internet; w.x.y.z Gateway to internet, 192.168.1.1/24; Radius Server 192.168.1.100/24; Desktop PC 192.168.1.x/24; Lobo HotSpot with eth0:192.168.1.3/24, eth1 and ath0; Ethernet users; Wireless users)

The user is connected to the Internet via a router with public IP w.x.y.z. His/her private IP subnet is 192.168.1.0/24. The router masquerades private IPs to its public IP. The user needs to authorize users connected to both the hotspot's Ethernet interface eth1 and its wireless interface ath0. This is accomplished by configuring Lobo to act as a HotSpot and authenticate users connected to those interfaces (HotSpot LAN Interfaces). The authentication is assumed to be handled by the user's local Radius Server (IP 192.168.1.100). The Lobo HotSpot's Wan Interface in that case is eth0, the one connected to the router (and the Internet). Hotspot users will be assigned IPs in the subnet 192.168.0.0/24. To sum up, the Lobo HotSpot should be configured with:

- Wan interface: eth0, with static IP 192.168.1.3/24
- LAN Interfaces: eth1 and ath0
- Gateway: 192.168.1.1 (the router's private IP)
- DNS: say 65.173.1.1 (obtained from your internet connection)
- Radius Server: 192.168.1.100 (let the radius secret be radius_secret)
- Dynamic IPs assigned to users: 192.168.0.0/24

Applying this example, network topology will change to:

Figure 11-2:Network topology after Hotspot (diagram as in Figure 11-1, with eth0 labelled HotSpot Wan Interface and eth1/ath0 labelled HotSpot Lan Interfaces)

In red is displayed the user's LAN (Wan for the HotSpot), where no authentication is performed. In green is displayed the user's public LAN (LAN for the HotSpot), where authentication is required.

11.5.1 STEP 1: The user should select Advanced Configuration on LNMS.



11.5.2 STEP 2: The user should click on the HotSpot panel.

Figure 11-3:HotSpot Main Panel

11.5.3 STEP 3: Starting the HotSpot wizard, the user is redirected to configure his/her WAN interface settings. eth0 should be selected as the WAN interface:

- IP: 192.168.1.3
- Subnet Mask: 255.255.255.0
- DNS: 65.173.1.1
- Gateway: 192.168.1.1

The following figure displays the configuration:


Figure 11-4:Wan configuration

Clicking Next will redirect the user to the next panel.

11.5.4 STEP 4: HotSpot LAN interfaces (the ones where authentication is required). eth1 and ath0 are selected as the HotSpot's LAN interfaces.

The following figure displays the configuration:


Figure 11-5:LAN configuration

Clicking Next will redirect the user to the next panel.

11.5.5 STEP 5: The user should configure the DHCP server settings (IP addresses to be assigned by the HotSpot to users) as follows:

- IP: 192.168.0.0
- Subnet Mask: 255.255.255.0 (/24)
- DNS: 0.0.0.0 (will use the Lobo WAN DNS IP)
- Domain: domain_of_your_choice
- Lease: lease time for DHCP (in seconds)

The following figure displays the configuration:



Figure 11-6:HotSpot's DHCP server configuration

Clicking Next will redirect the user to the next panel.

11.5.6 STEP 6: Because the hotspot assigns users private dynamic IPs, it should masquerade users' IPs to its WAN IP (eth0). Therefore, NAT Enable should be checked. Protection Level is left at medium (see the previous sections for detailed information).

The following figure displays the configuration:


Figure 11-7:NAT & Protection Level configuration

Clicking Next will redirect the user to the next panel.

11.5.7 STEP 7: The user can configure his/her hotspot's wireless interface as:

- Physical: 802.11B
- Channel: 1
- ESSID: My_HotSpot
- Encryption: NONE

Now, wireless users will be able to connect to the Lobo HotSpot with ESSID My_HotSpot, operating on channel 1, using no wireless encryption (the air link itself is therefore unencrypted; only access is gated by the HotSpot login). The following figure displays the configuration:

Figure 11-8:Wireless configuration

Clicking Next will redirect the user to the next panel.

11.5.8 STEP 8: The user should configure the Lobo HotSpot Radius Client settings as follows:

- Radius Server 1: IP 192.168.1.100
- Radius Server 2: IP 0.0.0.0 (no backup radius server)
- Secret Key: radius_secret
- Authentication mode: CHAP
- Authentication Port: 1812
- Accounting Port: 1813
- NAS ID: some_nas (if needed by the radius server)

Now, the Lobo HotSpot will authenticate users via the radius server with the above settings. The user must configure the radius server appropriately in order to be able to authenticate users (see the Radius Configuration section). The following figure displays the configuration:

Figure 11-9:Radius configuration

Clicking Next will redirect the user to the next panel.



11.5.9 STEP 9: The user should configure the Lobo HotSpot authentication type(s) as follows in order to authenticate users by Web-redirect: select UAM authentication to authenticate users via Web-redirection. (Secret is not currently used. Port is the local port the hotspot functionality will use.) The following figure displays the configuration:

Figure 11-10:Authentication methods

Clicking Next will redirect the user to the next panel.


11.5.10 STEP 10: The user may configure domains that a user can access without being authenticated. In this example, hotspot users are allowed to access the Desktop PC 192.168.1.20, which is assumed to run a public web server. Now, a user connected to a HotSpot LAN interface can access that Desktop PC without any authentication. The following figure displays the configuration:

Figure 11-11:Walled Garden configuration

Clicking Next will redirect the user to the next panel.

11.5.11 STEP 11: The user can configure domains to which a user will be redirected after being authenticated. In this example, hotspot users are redirected to www.lobometrics.com, as an advertisement. The following figure displays the configuration:

Figure 11-12:Redirection URLs configuration

Clicking Next will redirect the user to the next panel.

11.5.12 STEP 12: The user may customize the redirection Web-page by:
- selecting the background color
- adding some text and/or an image to be displayed to users trying to log in.

The following figure displays the configuration:


Figure 11-13:Web page customization

Clicking Next will redirect the user to the next panel.

11.5.13 STEP 13: The HotSpot's configuration is completed! A summary is displayed. Pressing the Submit button applies the configuration to the HotSpot.


Figure 11-14:Summarize configuration

11.5.14 STEP 14: The HotSpot is not running yet. The user may fill in the administrator's MAC (recommended), in order never to lose connectivity with the HotSpot (e.g. due to a radius misconfiguration). The user should check Enable HotSpot and press Submit. The HotSpot will assign the IP 192.168.0.1 to its HotSpot interfaces; the administrator's IP will be 192.168.0.2.


Figure 11-15:Start hotspot

11.5.15 STEP 15: Hitting Refresh polls the hotspot's status. If Initializing is displayed, the user should wait a while and retry to get the hotspot's status.


Figure 11-16:HotSpot is initializing

Initializing: the user should hit Refresh again. Running or an appropriate error code will be displayed. (Initialization may take a couple of minutes, depending on the DNS settings.)


Figure 11-17:HotSpot is running

Now that the HotSpot is running, the following changes have been applied to the router's configuration:

1) Network panel: the bridge br_HotSpot is generated, having eth1 and ath0 under it.


Figure 11-18:Interface Panel after the hotspot's initiation

2) The Firewall/NAT tabs are initialized as well.


Figure 11-19:New firewall settings

Figure 11-20:NAT settings

If a user connects to the HotSpot, it will assign him/her the next free dynamic IP.


Figure 11-21:HotSpot has assigned an IP address

If this user now tries to access the Internet, the redirection Web-page is displayed.

11.6 Troubleshooting

Cannot set the wireless interface's configuration
  o Check that you have selected a channel and an ESSID.
  o If you are running Lobo OS with a CPE license, wireless interfaces cannot be used as Access Points, and the hotspot cannot have wireless hotspot interfaces.

DNS error
  o If you use a static IP address for WAN, make sure you have entered the right settings.
  o If you use dynamic IP allocation (DHCP, PPPoE and PPTP clients), wait for the WAN interface to establish a connection.

Cannot obtain an IP address
  o Check whether all dynamic IP addresses are allocated (Show User Info). If you need more IP addresses, consider configuring an extended IP pool for dynamic IP addresses.
  o If MAC authentication is enabled, check that your RADIUS server is operating and has connectivity with the HotSpot, and that the Radius settings are right (secret key, ports).
  o Check that the hotspot Status in the main HotSpot panel is Running.

Have obtained an IP address but cannot ping the hotspot
  o Check whether the user is authenticated.

HotSpot status is Running, but there is no DHCP server active in the DHCP panel
  o The hotspot uses its built-in DHCP server; there is no misconfiguration.

A user is not authenticated, but can access the Internet
  o Check whether the domain the user has accessed is in the Walled Garden domains.

LNMS lost connectivity with the hotspot
  o If you access the hotspot through the WAN interface, make sure the WAN interface has established its connectivity, and that you have not selected HIGH Protection Level in the hotspot configuration (in that case the LNMS connection from WAN is dropped).
  o If you access the hotspot through the HotSpot LAN interfaces and you have selected HIGH Protection Level in the hotspot configuration, the LNMS connection cannot be established.
  o If you access the hotspot through the HotSpot LAN interfaces and you have configured your MAC address as the administrator's MAC, enable the DHCP client on your computer. If you cannot obtain an IP address, configure your computer with a static IP address, the first of the dynamic IP addresses (x.x.x.2), and try again (the hotspot may be initializing).
  o If there is another interface, neither WAN nor LAN, try to connect through it.
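The Radius Client settings of STEP 8 (CHAP mode, shared secret, NAS ID, port 1812) and the troubleshooting check on "secret key, ports" both come down to the RFC 2865 exchange shown below, as an added example that is not Lobo code: the hotspot's Access-Request carrying a CHAP-Password, the server's verification of it, and the NAS's check of the Response Authenticator, which is exactly what fails when the two sides hold different secrets. The user name, password and user store are constructed; only the secret radius_secret and NAS ID some_nas come from the example.

```python
"""RFC 2865 RADIUS exchange in CHAP mode between a NAS (the hotspot) and a RADIUS
server: Access-Request with CHAP-Password, server-side check, and an Accept/Reject
whose Response Authenticator the NAS verifies. Added example, not Lobo code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IDENTIFIER, CHAP_CHALLENGE = 1, 3, 32, 60

def _attr(atype, value):
    # Attribute = Type (1 octet) | Length (1 octet, header included) | Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def _packet(code, ident, authenticator, attrs):
    # Header = Code | Identifier | Length | Authenticator (16 octets), then attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def chap_response(chap_id, password, challenge):
    # CHAP-Password value = CHAP ident || MD5(ident || password || challenge)
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def build_access_request(ident, username, password, nas_id, chap_id=1,
                         req_auth=None, challenge=None):
    """NAS side. Without a CHAP-Challenge attribute the random 16-byte Request
    Authenticator doubles as the CHAP challenge (RFC 2865, CHAP-Password)."""
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(NAS_IDENTIFIER, nas_id)
    if challenge is not None:
        attrs += _attr(CHAP_CHALLENGE, challenge)
    attrs += _attr(CHAP_PASSWORD, chap_response(
        chap_id, password, req_auth if challenge is None else challenge))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)

def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs

def server_handle(packet, secret, users):
    """RADIUS server side; CHAP needs the cleartext password in the user store."""
    code, ident, req_auth, attrs = parse(packet)
    user, chap = attrs.get(USER_NAME, b""), attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, req_auth)
    ok = (code == ACCESS_REQUEST and len(chap) == 17 and user in users
          and hmac.compare_digest(chap, chap_response(chap[0], users[user], challenge)))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", reply, ident, 20) + req_auth + secret).digest()
    return _packet(reply, ident, resp_auth, b"")

def nas_check_reply(reply, request, secret):
    """NAS side: trust the reply only if its Response Authenticator was computed
    with the shared secret over our Request Authenticator and identifier."""
    code, ident, resp_auth, _ = parse(reply)
    _, req_ident, req_auth, _ = parse(request)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if ident != req_ident or not hmac.compare_digest(expected, resp_auth):
        return "invalid"  # wrong secret on one side, or not an answer to our request
    return "accept" if code == ACCESS_ACCEPT else "reject"

if __name__ == "__main__":
    SECRET, USERS = b"radius_secret", {b"alice": b"s3cret"}  # constructed user store
    req = build_access_request(7, b"alice", b"s3cret", b"some_nas")
    print(nas_check_reply(server_handle(req, SECRET, USERS), req, SECRET))    # accept
    print(nas_check_reply(server_handle(req, b"other", USERS), req, SECRET))  # invalid
```

A mismatched secret never produces a clean Reject: the NAS sees an unverifiable reply, which is why the troubleshooting list points at the secret key rather than at user credentials.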


12 System Services Configuration

12.1 Services Overview

Lobo Router can be configured to run the following services:
- SNMP Service
- HTTP Service
- SSH Service
- NTP (Network Time Protocol) Service

In order to configure Lobo services, the user should select the corresponding panel of Advanced Configuration.

12.2 SNMP

SNMP (Simple Network Management Protocol) is the most widely used protocol for managing TCP/IP internets. A network management station (NMS) uses SNMP to query (poll) SNMP processes (agents) on network devices such as routers and end stations. These agents maintain a list of variables and their values that describe the state of the network device. The variables can describe routing table entries, interface addresses, and byte counts transmitted on various interfaces. The collection of variables is described by a Management Information Base (MIB). When SNMP is enabled, Lobo Router will respond to SNMP requests (SNMP get, getnext, getbulk, walk).

A community name can be configured as a read-only community. SNMP set requests are not supported.

- Snmp Enable: checkbox determining whether the SNMP service is enabled or not.
- Port: the router's port on which the SNMP module will listen for SNMP requests (default 161).
- Community: the read-only community name of the SNMP service (default public). The SNMP service responds to a request if and only if the request carries the configured community name.

To enable the SNMP service, make sure the Snmp Enable checkbox is checked, choose a port that the SNMP service will listen on and a community name. Press Submit to apply the configuration.


Figure 12-1:SNMP service configuration
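In SNMPv1/v2c the community name is the only credential and travels in cleartext in every request, so a capture of UDP/161 traffic is enough to audit which community is actually being used. As an added example (not Lobo code), the script below decodes the BER-encoded message header of a captured datagram (version, community, PDU type) and flags the default community or a SET request; it also encodes a GetRequest for sysDescr.0 so it can be run offline on constructed input, and assumes nothing about the Lobo agent beyond what this section states.

```python
"""Minimal BER decoder for the SNMPv1/v2c message header (version, community,
PDU type) plus a GetRequest encoder so it runs offline. Added example, not
Lobo code: it audits a captured UDP/161 datagram for the default 'public'
community and for SET requests a read-only agent should never receive."""

# PDU tags: v1 has get/getnext/set/response; v2c adds getbulk. A 'walk' is just
# a sequence of getnext requests, so it shows up here as many 'getnext' PDUs.
PDU_NAMES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA3: "set", 0xA5: "getbulk"}
DEFAULT_COMMUNITIES = ("public", "private")

def _tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value bytes, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram):
    """Return {'version', 'community', 'pdu'} for a v1/v2c message (None for v3)."""
    tag, body, _ = _tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    tag, ver, pos = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")   # 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3
    if version == 3:                       # v3 carries no community string
        return {"version": 3, "community": None, "pdu": None}
    tag, community, pos = _tlv(body, pos)  # the community is right here, in cleartext
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = _tlv(body, pos)
    return {"version": version, "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}

def audit(datagram, allowed_communities):
    """Return (header, findings) for one captured request."""
    hdr = parse_snmp_header(datagram)
    findings = []
    if hdr["version"] == 3:
        return hdr, findings
    if hdr["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community {hdr['community']!r} in use")
    if hdr["community"] not in allowed_communities:
        findings.append(f"community {hdr['community']!r} is not the configured one")
    if hdr["pdu"] == "set":
        findings.append("SET request sent to a read-only agent")
    return hdr, findings

def _enc(tag, value):
    # Short-form BER only (value shorter than 128 octets): enough for a GetRequest
    return bytes([tag, len(value)]) + value

def build_get_request(community, oid=(1, 3, 6, 1, 2, 1, 1, 1, 0), request_id=1, version=0):
    """Encode an SNMPv1/v2c GetRequest (sub-identifiers and request_id below 128)."""
    oid_bytes = bytes([40 * oid[0] + oid[1]]) + bytes(oid[2:])
    varbind = _enc(0x30, _enc(0x06, oid_bytes) + _enc(0x05, b""))   # OID, NULL value
    pdu = _enc(0xA0, _enc(0x02, bytes([request_id])) + _enc(0x02, b"\x00")
               + _enc(0x02, b"\x00") + _enc(0x30, varbind))      # id, error, index, varbinds
    return _enc(0x30, _enc(0x02, bytes([version])) + _enc(0x04, community.encode()) + pdu)

if __name__ == "__main__":
    # Constructed sample: a sysDescr.0 GetRequest sent with the default community
    print(audit(build_get_request("public"), {"lobo-ro"}))
```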

12.3 HTTP

Web servers are the computers that actually run web sites, accepting HTTP connections from web browsers and delivering web pages and other files to them, as well as processing form submissions. When HTTP is enabled, Lobo Router will respond to HTTP/HTTPS requests.

- HTTP Enable: checkbox determining whether the HTTP service is enabled or not.
- Port: the router's port on which the HTTP module will listen for HTTP requests (default 80).
- Upload SSL Certificate: you can upload your own SSL certificate for secure HTTP requests (HTTPS). A default one is included in a freshly installed Lobo Router.
- Upload Key File: you can upload your own private key file for secure HTTP requests (HTTPS). A default one is included in a freshly installed Lobo Router.

To enable the HTTP service, make sure the HTTP Enable checkbox is checked and choose a port that the HTTP service will listen on. Press Submit to apply the configuration.


Figure 12-2:HTTP service configuration

12.4 SSH Developed by SSH Communications Security Ltd., Secure Shell is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. SSH protects a network from attacks such as IP spoofing, IP source routing, and DNS spoofing. An attacker who has managed to take over a network can only force ssh to disconnect. He or she cannot play back the traffic or hijack the connection when encryption is enabled. When using ssh's slogin (instead of rlogin) the entire login session, including transmission of password, is encrypted; therefore it is almost impossible for an outsider to collect passwords.

When SSH is enabled, Lobo Router will respond to SSH connection requests.

- SSH Enable: checkbox determining whether the SSH service is enabled or not.
- Port: the router's port on which the SSH module will listen for new SSH connection requests (default 22).

To enable the SSH service, make sure the SSH Enable checkbox is checked and choose a port that the SSH service will listen on. Press Submit to apply the configuration.


Figure 12-3:SSH service configuration

12.5 NTP

The Network Time Protocol (NTP) is a time synchronization system for computer clocks over the Internet. The main characteristics of NTP are the following:
- fully automatic, keeps the synchronization continuously;
- suitable for synchronizing one computer as well as a whole computer network;
- fault tolerant and dynamically auto-configuring;
- carries UTC time, independent of time zones and daylight saving time;
- synchronization accuracy can reach 1 millisecond.

When NTP is enabled, Lobo Router will query the configured NTP server every Interval and adjust the Lobo router's local system time.

- NTP Enable: checkbox determining whether the NTP service is enabled or not.
- Port: the router's port on which the NTP module will listen for the NTP server's responses (default 123).
- Domain: the domain name or IP address of the NTP server.
- Interval: the interval in minutes between two consecutive requests (default 60 minutes).

To enable the NTP service, make sure the NTP Enable checkbox is checked, choose a local or Internet NTP server to get the time from, configure the interval in minutes at which to query the NTP server and choose a port that the NTP service will listen on. Press Submit to apply the configuration.

Figure 12-4:NTP service configuration

12.6 Administrator Security Settings

Changing the administrator's password: go to the Services panel and choose Security. You will be asked to provide the admin's old password (the default is admin) and to type the preferred new password twice. Hit Submit to change the password. The new password must be at least 8 characters long (at most 63 characters).

Figure 12-5:Change administrators password


14 Discovery Manager
An alternative method to detect and insert nodes into the topology is the Tools>Discovery Manager utility. A custom polling protocol is used in order to detect Lobo nodes in the specified subnet. The discovered nodes are displayed in a matrix format, and the user has the option to complete the required fields on the fly. Finally, by pressing Submit, the selected nodes are inserted into the topology view.

Figure 14-1:Discovery Manager Panel


15 Mrtg Support
Mrtg client support in LNMS uses the package provided by JRobin (http://www.jrobin.org/utilities/mrtgdemo.html). The administrator has to extract the required files on a network server with Java support and initialize it by executing the following command: java -jar mrtg-server-1.4.0.jar. After the successful mrtg server initialization, the built-in mrtg client can be invoked by clicking on Utilities->Mrtg. The client prompts for the mrtg server IP and, upon successful connection, nodes can be inserted into the monitoring list. On each node insertion the user will be presented with a list of all available interfaces. The user may select one or more interfaces to monitor.

The JRobin mrtg server uses SNMP polls to retrieve information, which means that the SNMP agent has to be enabled on the monitored node.


16 Lobo Monitoring and Statistics


16.1 Introduction

The advanced statistics engine of the Lobo OS node, in combination with the graphing facilities of LNMS, lets the administrator drill into the results in real time, identifying high-bandwidth nodes and possible bottlenecks.

16.2 Status Info

The Status window, which can be invoked by selecting the corresponding field in the node pop-up menu, contains all the information displayed in the lower frame of the topology view. In addition, it contains an extra editable field which is used to set the Hostname of the node. The displayed information can prove quite useful in cases where our administration unit is hidden behind NAT and connectionless communication (such as the Lobo Polling Protocol and SNMP) cannot be initiated from our side.

16.3 Current Throughput

By monitoring performance and analyzing performance data, you can begin to see patterns in the data that will help you locate bottlenecks. After you have located a bottleneck, you can make changes to the component to improve performance. Bottlenecks can occur anywhere in your server environment at any time, so it is important to capture baseline performance information about your system and monitor performance regularly. Lobo NMS provides the option of real-time traffic monitoring. By selecting Current Throughput in the node pop-up menu, a new dialog window appears displaying in real time the current throughput (Rx-Tx) of each network interface.


Figure 16-1:Real Time Interface Throughput

16.4 Packet Statistics

Moreover, in the Statistics panel, which is a tab of the Advanced Configuration menu, we can retrieve information concerning the total packet statistics per interface.

Figure 16-2:Interface Packet Statistics



16.5 ARP table entries

On a single physical network, individual hosts are known on the network by their physical hardware address. Higher-level protocols address destination hosts in the form of a symbolic address (the IP address in this case). When such a protocol wants to send a datagram to destination IP address w.x.y.z, the device driver does not understand this address. Therefore, a module (ARP) is provided that translates the IP address to the physical address of the destination host. It uses a lookup table (sometimes referred to as the ARP cache) to perform this translation. When the address is not found in the ARP cache, a broadcast is sent out on the network, with a special format called the ARP request. If one of the machines on the network recognizes its own IP address in the request, it sends an ARP reply back to the requesting host. The reply contains the physical hardware address of the host and source route information (if the packet has crossed bridges on its path). Both this address and the source route information are stored in the ARP cache of the requesting host. All subsequent datagrams to this destination IP address can now be translated to a physical address, which is used by the device driver to send out the datagram on the network. The ARP table of a Lobo node can be retrieved and displayed by selecting Network->ARP Entries in the Statistics panel.

Figure 16-3:ARP Entries Table
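Because any host on the segment can answer an ARP request, the ARP cache described above is also where ARP spoofing shows up, so a defender compares successive snapshots of it. As an added example (not Lobo code), the script below parses two snapshots in a constructed "IP MAC interface" line format (the layout of the Lobo ARP Entries panel is not assumed) and flags IPs whose MAC changed since the baseline and MACs that answer for several IPs; the addresses follow the example topology of section 11.5.

```python
"""Audit ARP table snapshots for signs of ARP spoofing: an IP whose MAC changed
since the baseline, or one MAC answering for several IPs. Added example, not
Lobo code; the 'IP MAC interface' line format and the snapshots are constructed."""
from collections import defaultdict

def parse_arp_table(text):
    """Return {ip: mac} from 'ip mac interface' lines; blank and '#' lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, *_ = line.split()
        table[ip] = mac.lower()
    return table

def audit_arp(baseline, current, allow_multi=()):
    """Compare two snapshots. allow_multi lists MACs legitimately bound to many IPs
    (a router doing proxy ARP, or a host with several virtual interfaces)."""
    findings = []
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            findings.append(f"{ip}: MAC changed {old} -> {mac}")
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and mac not in allow_multi:
            findings.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return findings

# Constructed snapshots of the WAN side: gateway, Radius Server and Desktop PC.
# In CURRENT the Desktop PC's MAC has started answering for the gateway's IP.
BASELINE = """192.168.1.1   00:11:22:33:44:01 eth0
192.168.1.100 00:11:22:33:44:02 eth0
192.168.1.20  00:11:22:33:44:03 eth0
"""
CURRENT = """192.168.1.1   00:11:22:33:44:03 eth0
192.168.1.100 00:11:22:33:44:02 eth0
192.168.1.20  00:11:22:33:44:03 eth0
"""

if __name__ == "__main__":
    for finding in audit_arp(parse_arp_table(BASELINE), parse_arp_table(CURRENT)):
        print(finding)
```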


16.6 Open connections

The Open Connections panel displays all of your computer's inbound and outbound connections and lists all open ports, helping the administrator to detect the host's activity. Open connections can be sorted in ascending or descending order per column by clicking on the corresponding table header.

Figure 16-4:Open Connections Display

16.7 Monitor Utilities

16.7.1 Ping

The Ping utility sends ICMP echo requests to the address you specify and lists the responses received and their round-trip time. When the utility is terminated it summarizes the results in a graphic display, giving the average round-trip time and the percentage of packet loss. This utility can be used to determine whether there is a problem with the network connection between two hosts.


16.7.2 Trace Route

Traceroute is a utility that records the route (the specific gateway computers at each hop) through the Internet between your Lobo node and a specified destination. It also calculates and displays the amount of time each hop took. Traceroute is a handy tool for understanding where problems are in the network.

16.8 System properties

Figure 16-5:System Properties Dialog


17 WISP Easy Wizard


The WISP Easy Wizard is an extension to LNMS providing a convenient and easy way towards the installation of Lobo nodes. It can be invoked by clicking on the WISP Easy Wizard (WEW) field of the pop-up menu. Upon invocation the following dialog appears, which displays some of the most usual WISP installations. The administrator has the option to select one of the available operational modes. By rolling the mouse pointer over an image, an Info TIP is displayed in the top-left corner.

Available configuration scenarios:
a. Backhaul AP
b. Repeater AP
c. Point to Point link
d. CPE installation

By selecting the mode that is closest to the user's target configuration, a simplified step-by-step configuration is followed, guiding the user through the configuration process. The whole configuration, from Wireless to IP, DHCP, Routing and NAT, is applied with the minimum possible effort.

Later on, the user can tweak the applied configuration manually in the standard way described in the previous chapters. NOTE: After the successful application of the configuration via WEW, the current IP is also kept in order not to lose connectivity with the device. However, if the user does not require that IP address any more, it is recommended to remove it by deleting the corresponding Virtual Interface.
