Page 2 - COPYRIGHT & TRADEMARKS; FCC STATEMENT; CE Mark Warning
-I- COPYRIGHT & TRADEMARKS Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Other brands and product names are trademarks of their respective holders. No part of the specifications may be reproduced in any form or by any means or us...
Page 3 - CONTENTS
-II- CONTENTS Package Contents (p. 1); Chapter 1 About this Guide (p. 2); 1.1 Intended Readers ...
Page 6 - Package Contents
-1- Package Contents The following items should be found in your package: One TL-ER604W Router One Power Adapter One RJ45 Ethernet Cable Quick Installation Guide Resource CD Note: Make sure that the package contains the above items. If any of the listed items is damaged or missing, please ...
Page 7 - Chapter 1 About this Guide; Intended Readers
-2- Chapter 1 About this Guide This User Guide contains information for setup and management of TL-ER604W Router. Please read this guide carefully before operation. 1.1 Intended Readers This Guide is intended for network engineers and network administrators. 1.2 Conventions In this Guide the following...
Page 8 - Chapter 2 Introduction; Overview of the Router; Powerful Data Processing Capability; Wireless Feature; Online Behavior Management; Powerful Firewall
-3- Chapter 2 Introduction Thanks for choosing the SafeStream Wireless N Gigabit Broadband VPN Router TL-ER604W. 2.1 Overview of the Router The SafeStream Wireless N Gigabit Broadband VPN Router TL-ER604W from TP-LINK supports Wireless N speed and Gigabit wired speeds on all ports. It integrates mul...
Page 13 - Chapter 3 Configuration; Network
-8- Chapter 3 Configuration 3.1 Network 3.1.1 Status The Status page shows the system information, the port connection status and other information related to this Router. Choose the menu Network → Status to load the following page. Figure 3-1 Status 3.1.2 System Mode The TL-ER604W Router can work i...
Page 15 - Mode
-10- Figure 3-5 System Mode You can select a System Mode for your Router according to your network need. NAT Mode NAT (Network Address Translation) mode allows the Router to translate private IP addresses within internal networks to public IP addresses for traffic transport over external networks,...
Page 17 - Static IP
-12- Figure 3-7 WAN – Static IP The following items are displayed on this screen: Static IP Connection Type: Select Static IP if your ISP has assigned a static IP address for your computer. IP Address: Enter the IP address assigned by your ISP. If you are not clear, please consult your ISP. Subnet...
Page 24 - L2TP Settings
-19- Figure 3-10 WAN - L2TP The following items are displayed on this screen: L2TP Settings Connection Type: Select L2TP if your ISP provides a L2TP connection. Click <Connect> to dial-up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the Internet connectio...
Page 26 - L2TP Status
-21- L2TP Status Status: Displays the status of PPPoE connection. “Disabled” indicates that the L2TP connection type is not applied. “Connecting” indicates that the Router is obtaining the IP parameters from your ISP. “Connected” indicates that the Router has successfully obtained the IP par...
Page 27 - PPTP Settings
-22- Figure 3-11 WAN - PPTP The following items are displayed on this screen: PPTP Settings Connection Type: Select PPTP if your ISP provides a PPTP connection. Click <Connect> to dial-up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the Internet connectio...
Page 29 - PPTP Status
-24- PPTP Status Status: Displays the status of PPTP connection. “Disabled” indicates that the PPTP connection type is not applied. “Connecting” indicates that the Router is obtaining the IP parameters from your ISP. “Connected” indicates that the Router has successfully obtained the IP para...
Page 30 - BigPond Settings
-25- Figure 3-12 WAN – Bigpond The following items are displayed on this screen: BigPond Settings Connection Type: Select BigPond if your ISP provides a BigPond connection. Click <Connect> to dial-up to the Internet and obtain the IP address. Click <Disconnect> to disconnect the Intern...
Page 31 - BigPond Status
-26- Auth Mode: You can select the proper Active mode according to your need. Manual: Select this option to manually activate or terminate the Internet connection by the <Connect> or <Disconnect> button. It is optimum for the dial-up connection charged on time. Always-on: Select this...
Page 33 - DHCP Settings
-28- Figure 3-14 DHCP Settings The following items are displayed on this screen: DHCP Settings DHCP Server: Enable or disable the DHCP server on your Router. To enable the Router to assign the TCP/IP parameters to the computers in the LAN automatically, please select Enable. Start IP Address: Ente...
Page 37 - Statistics; Mirror
-32- The following items are displayed on this screen: Statistics Unicast: Displays the number of normal unicast packets received or transmitted on the port. Broadcast: Displays the number of normal broadcast packets received or transmitted on the port. Pause: Displays the number of flow control f...
Page 39 - Control
-34- Application Example: To monitor all the traffic and analyze the network abnormity for an enterprise’s network, please set the Port Mirror function as below: 1) Check the box before Enable Port Mirror to enable the Port Mirror function and select the Ingress & Egress mode. 2) Select Port 3 t...
Page 40 - Config
-35- 3.1 Port: Displays the port number. Ingress Limit: Specify whether to enable the Ingress Limit feature. Ingress Rate: Specify the limit rate for the ingress packets. Egress Limit: Specify whether to enable Egress Limit feature. Egress Rate: Specify the limit rate for the egress packets. The fir...
Page 42 - Setting; Wireless
-37- VLAN: Select the desired VLAN for the port. Tips: The Port VLAN can only be created among the LAN ports. 3.2 Wireless 3.2.1 Wireless Setting 3.2.1.1 Wireless Setting On this page you can configure the basic parameters of the wireless network. Choose the menu Wireless → Wireless Setting → Wirele...
Page 44 - AP Isolation
-39- SSID: Enter a name for the wireless network. The same SSID (Service Set Identification) name must be assigned to all wireless devices in your network. Considering your wireless network security, the default SSID is set to be TP-LINK_XXXXXX (XXXXXX indicates the last unique six numbers of each ...
Page 45 - Group Key Update
-40- Auth Type: Choose the Auth type of the WPA-PSK/WPA2-PSK security on the drop-down list. The default setting is Automatic, which can select WPA-PSK (Pre-shared key of WPA) or WPA2-PSK (Pre-shared key of WPA) automatically based on the wireless station's capability and request. Encryption: Selec...
Page 48 - General
-43- Figure 3-25 Multi-SSID The following items are displayed on this screen: General Multi-SSID: Enable or disable the Multi-SSID. You can establish multiple wireless networks if Multi-SSID is enabled. SSID Insulation: Enable or disable the SSID Insulation. If enabled, the hosts accessing to the...
Page 49 - SSID; Automatic
-44- Security: Specify the security option of the wireless network. If you do not want to use wireless security, select “Disable Security”, otherwise select one Security option from the drop-down list. It’s strongly recommended to choose one of the security options to enable security. There are thre...
Page 54 - Key; Advanced
-49- Key : If the AP your Router is going to connect needs password, you need to fill the key in this blank. Tips: The Multi-SSID function will be disabled if WDS is enabled. 3.2.1.4 Wireless Advanced On this page, you can configure the wireless advanced parameters. Choose the menu Wireless → Wirele...
Page 55 - Fragmentation; MAC; Filtering
-50- Beacon Interval: Enter a value between 40-1000 milliseconds for Beacon Interval here. The beacons are the packets sent by the router to synchronize a wireless network. Beacon Interval value determines the time interval of the beacons. The default value is 100. RTS Threshold: Here you can specif...
Page 60 - Setup
-55- 3.4 Group Structure: Click this button to view the tree structure of this group. All the members of this group will be displayed, including Users and sub-Groups. The Group Names are displayed in bold. Available Member: Displays the Users and the Groups which can be added into this group. Select...
Page 61 - NAT
-56- 3.4 NAT-DMZ: Enable or disable NAT-DMZ. NAT DMZ is a special service of NAT application, which can be considered as a default forwarding rule. When NAT DMZ (Pseudo DMZ) is enabled, all the data initiated by external network falling short of the current connections or forwarding rules will be fo...
Page 62 - List of Rules
-57- Status: Activate or inactivate the entry. List of Rules In this table, you can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-34 indicates: The IP address of host1 in local network is 192.168.0.128 and the WAN IP address after NAT mapping ...
Page 63 - Appendix BFAQ; Configuration procedure
-58- The first entry in Figure 3-35 indicates that: This is a Multi-Nets NAT entry named tplink1. The subnet under the LAN port of the Router is 192.168.2.0/24 and this entry is activated. After the corresponding Static Route entry is set, the hosts within this subnet can access the Internet through...
Page 64 - Server
-59- The configured entries are as follows: 2. Then set the corresponding Static Route entry, enter the IP address of the interface connecting the Router and the three layer switch into the Next Hop field. Choose the menu Advanced → Routing → Static Route to load the following page. The Static Route...
Page 65 - Virtual Server
-60- Figure 3-36 Virtual Server The following items are displayed on this screen: Virtual Server Name: Enter a name for Virtual Server entries. Up to 28 characters can be entered. Interface: Select an interface for forwarding data packets. External Port: Enter the service port or port range the Ro...
Page 66 - Triggering
-61- 3.4 List of Rules In this table, you can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-36 indicates: This is a Virtual Server entry named host, all the TCP data packets from WAN1 to port 65534-65535 of the Router will be redirected to the...
Page 71 - Limit
-66- Limited Bandwidth (Down): Specify the Limited Downstream Bandwidth for this entry. Effective Time: Specify the time for the entry to take effect. Description: Give a description for the entry. Status: Activate or inactivate the entry. List of Rules You can view the information of the entries ...
Page 72 - Enable Session; List
-67- Figure 3-41 Session Limit The following items are displayed on this screen: General Enable Session Limit: Check here to enable Session Limit, otherwise all the Session Limit entries will be disabled. Session Limit Group: Select a group to define the controlled users. Max. Sessions: Enter th...
Page 73 - Routing
-68- Figure 3-42 Session List In this table, you can view the session limit information of users configured with Session Limit. Click the <Refresh> button to get the latest information. 3.4.4 Load Balance In this part, you can configure the traffic sharing mode of the WAN ports to optimize the...
Page 75 - Backup
-70- 3.4 List of Rules You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-44 indicates: All the packets with Source IP between 192.168.0.100 and 192.168.0.199 and Destination IP between 116.10.20.28 and 116.10.20.29 will be forwarded from W...
Page 77 - Route
-72- Figure 3-46 Protocol The following items are displayed on this screen: Protocol Name: Enter a name to indicate a protocol. The name will display in the drop-down list of Protocol on Access Rule page. Number: Enter the Number of the protocol in the range of 0-255. List of Protocol You can vi...
Page 79 - Application Example
-74- Application Example The network topology is shown in the following figure: The LAN port of TL-ER604W (with Non-NAT or Classic system mode) is connected to LAN1 with subnet of 192.168.0.0/24, while the LAN port of another Router R1 is connected to LAN2 with network of 192.168.2.0/24. Me...
Page 81 - Table
-76- data via this port. The IP address of next hop is 116.10.1.254 and the hop count is 1. The effective time of this entry is 1 second. Note: ● RIP function cannot be set if the Router is in NAT Mode. To set RIP function, please change the System Mode to Routing or Full Mode. ● The RIP function of...
Page 82 - Binding; Firewall
-77- 3.5 3.5 Firewall 3.5.1 Anti ARP Spoofing ARP (Address Resolution Protocol) is used for analyzing and mapping IP addresses to the corresponding MAC addresses so that packets can be delivered to their destinations correctly. ARP functions to translate the IP address into the corresponding MAC add...
Page 83 - Scanning
-78- It is recommended to check all the options. You should import the IP and MAC address of the host to IP-MAC Binding List and enable the corresponding entry before enabling “Permit the packets matching the IP-MAC Binding entries only”. When suffering an ARP attack, the correct ARP information will be...
Page 85 - ARP Scanning
-80- Figure 3-52 ARP List The configuration of the entries is the same as the configuration of List of Scanning Result on the 3.5.1.2 ARP Scanning page. The unbound IP-MAC information will be replaced by new IP-MAC information or be automatically removed from the list if it has not been communicated w...
Page 87 - MAC Filtering
-82- 3.5.3 MAC Filtering On this page, you can control the Internet access of local hosts by specifying their MAC addresses. Choose the menu Firewall → MAC Filtering → MAC Filtering to load the following page. Figure 3-54 MAC Filtering The following items are displayed on this screen: General To c...
Page 90 - Access Rules
-85- Figure 3-57 Access Rule The following items are displayed on this screen: Access Rules Policy: Select a policy for the entry: Block: When this option is selected, the packets matching the rule will not be permitted to pass through the Router. Allow: When this option is selected, the packets...
Page 93 - App Control; Rules
-88- 3.5.5 App Control 3.5.5.1 Control Rules On this page, you can enable the Application Rules function. Choose the menu Firewall → App Control → Control Rules to load the following page. Figure 3-59 Application Rules The following items are displayed on this screen: General Check the box before...
Page 95 - Policy; VPN
-90- cause the private data to be exposed to all the users on the Internet. The VPN (Virtual Private Network) technology is developed and used to establish the private network through the public network, which can guarantee a secured data exchange. VPN adopts the tunneling technology to establish a ...
Page 96 - IKE Policy
-91- Figure 3-62 IKE Policy The following items are displayed on this screen: IKE Policy Policy Name: Specify a unique name to the IKE policy for identification and management purposes. The IKE policy can be applied to IPsec policy. Exchange Mode: Select the IKE Exchange Mode in phase 1, and ensur...
Page 97 - List of IKE Policy; Proposal
-92- 3.6 Local ID: The local WAN IP will be inputted automatically if IP Address type is selected. If Name type is selected, enter a name for the local device as the ID in IKE negotiation Remote ID Type: Select the remote ID type for IKE negotiation. IP Address: uses an IP address as the ID in IKE n...
Page 98 - IKE Proposal
-93- Figure 3-63 IKE Proposal The following items are displayed on this screen: IKE Proposal Proposal Name: Specify a unique name to the IKE proposal for identification and management purposes. The IKE proposal can be applied to IPsec proposal. Authentication: Select the authentication algorithm f...
Page 99 - List of IKE Proposal
-94- 3.6 DH1: 768 bits DH2: 1024 bits DH3: 1536 bits List of IKE Proposal In this table, you can view the information of IKE Proposals and edit them by the action buttons. 3.6.2 IPsec IPsec (IP Security) is a set of services and protocols defined by IETF (Internet Engineering Task Force) to ...
Page 102 - Manual Mode
-97- Status: Activate or inactivate the entry. Manual Mode IPsec Proposal: Select the IPsec Proposal. Only one proposal can be selected on Manual mode. You need to first create the IPsec Proposal. Incoming SPI: Specify the Incoming SPI (Security Parameter Index) manually. The Incoming SPI here mus...
Page 103 - List of IPsec Policy IPsec
-98- ESP Encryption Key-Out: Specify the outbound ESP Encryption Key manually if ESP protocol is used in the corresponding IPsec Proposal. The outbound key here must match the inbound ESP encryption key at the other end of the tunnel, and vice versa. List of IPsec Policy IPsec In this table, you c...
Page 104 - List of IPsec Proposal
-99- Security Protocol: Select the security protocol to be used. Options include: AH: AH (Authentication Header) provides data origin authentication, data integrity and anti-replay services. ESP: ESP (Encapsulating Security Payload) provides data encryption in addition to origin authentication, ...
Page 105 - SA
-100- 3.6.2.3 IPsec SA This page displays the information of the IPsec SA (Security Association). Choose the menu VPN → IPsec → IPsec SA to load the following page. Figure 3-66 IPsec SA Figure 3-66 displays the connection status of the NO.1 entry in the List of IPsec policy in Figure 3-64. As shown ...
Page 106 - Tunnel
-101- 3.6.3.1 L2TP/PPTP Tunnel On this page, you can configure the L2TP/PPTP VPN. Choose the menu VPN → L2TP/PPTP → L2TP/PPTP Tunnel to load the following page. Figure 3-67 L2TP/PPTP Tunnel The following items are displayed on this screen: General Enable VPN-to-Internet: Specify whether to enable ...
Page 108 - Status; Address
-103- 3.6 Status Activate or inactivate the entry. List of Configurations In this table, you can view your configurations of the tunnels and edit them by the action buttons. The No.1 entry in Figure 3-67 indicates: this tunnel is encapsulated by using L2TP. Its user name is test, the password can ...
Page 111 - Services
-106- 3.7 Authentication: Select the Authentication type. It can be Local authentication and Remote authentication. Select Local authentication for authentication in PPPoE server and select Remote authentication for authentication in the remote server. Auth Protocol: Select at least one authenticati...
Page 113 - IP
-108- 3.7 IP Address Pool: It's available on Dynamic mode. Select an IP Address Pool to make a range to assign dynamic IPs. Max Sessions: Specify the maximum number of sessions for the client. The default value is 1. Expiration Date: Specify the Expiration Date of the account. The default is 2099-1-...
Page 114 - of
-109- Figure 3-73 Exceptional IP The following items are displayed on this screen: Exceptional IP IP Address Range: Specify the start and the end IP address to make an exceptional IP address range. This range should be in the same IP range with LAN port of the Router. The start IP address should n...
Page 123 - Parameter; Maintenance
-118- Figure 3-81 Administrator The following items are displayed on this screen: Administrator Current User Name: Enter the current user name of the Router. Current Password: Enter the current password of the Router. New User Name: Enter a new user name for the Router. New Password: Enter a new p...
Page 124 - Management
-119- The following items are displayed on this screen: General Web Management Port: Enter the Web Management Port for the Router. Telnet Management Port: Enter the Telnet Management Port for the Router. Web Idle Timeout: Enter a timeout period that the Router will log you out of the Web-based Uti...
Page 125 - Defaults
-120- Subnet/Mask: Specify a single IP address or network address for the hosts desired to access the Router from external network. Status: Activate or inactivate the entry. List of Subnet In this list, you can view the Remote Management entries and edit them by the Action buttons. The first entry...
Page 126 - Export and Import
-121- Click the <Restore to Factory Defaults> button to reset all configuration settings to their default values. The default IP address is 192.168.0.1; the default login user name and password are both admin. 3.8.2.2 Export and Import Choose the menu Maintenance → Management → Export and Impo...
Page 127 - Upgrade
-122- Figure 3-86 Reboot Click the <Reboot> button to reboot the Router. The configuration will not be lost after rebooting. The Internet connection will be temporarily interrupted while rebooting. Note: To avoid damage, please don't turn off the device while rebooting. 3.8.2.4 Firmware Upgrad...
Page 128 - Interface Traffic Statistics
-123- Figure 3-88 License 3.8.4 Statistics 3.8.4.1 Interface Traffic Statistics Interface Traffic Statistics screen displays the detailed traffic information of each port and extra information of WAN ports. Choose the menu Maintenance → Statistics → Interface Traffic Statistics to load the following...
Page 129 - Traffic
-124- 3.8 Packets Rx: Displays the number of packets received on the interface. Packets Tx: Displays the number of packets transmitted on the interface. Bytes Rx: Displays the bytes of packets received on the interface. Bytes Tx: Displays the bytes of packets transmitted on the interface. Advanced...
Page 131 - Detection
-126- 3.8 Ping Destination IP/Domain: Enter destination IP address or Domain name here. Then select a port for testing, if you select “Auto”, the Router will select the interface of destination automatically. After clicking <Start> button, the Router will send Ping packets to test the networ...
Page 132 - List of WAN status; Time
-127- dial-up status. Mode: Detect automatically or Manually. In Auto mode, gateway will be selected as destination for PING detection, DNS server of WAN port will be selected as destination for DNS Lookup. In Manual Mode, you can configure the destination for PING and DNS Lookup manually. Ping: Ent...
Page 133 - Logs
-128- Current Time System Time: Displays the current date and time of the Router. Time Zone: Displays the current time zone of the Router. Status: Displays the status of time capturing Config Get GMT: When this option is selected, you can configure the time zone and the IP Address for the NTP Se...
Page 134 - Level Description
-129- Figure 3-94 Logs List of Logs List of Logs displays the system log information in log buffer. An entry of log contains the following four parts: Config Enable Auto-refresh: With this option selected, the page will refresh automatically every 5 seconds. Severity: Displays the severity level...
Page 135 - Chapter 4 Application; Network Requirements
-130- Chapter 4 Application 4.1 Network Requirements The company has established the server farms in the headquarters to provide the Web, Mail and FTP services for all the staff in the headquarters and the branch offices, and to transmit the commercial confidential data to its partners. The dedicate...
Page 136 - Network Topology
-131- 4.2 Network Topology 4.3 Configurations You can configure the Router via the PC connected to the LAN port of this Router. To log in to the Router, the IP address of your PC should be in the same subnet of the LAN port of this Router. (The default subnet of LAN port is 192.168.0.0/24.) The IP ...
Page 142 - PPTP VPN Setting
-137- Figure 4-7 IPsec Policy Tips: For the VPN Router in the remote branch office, the IPsec settings should be consistent with the Router in the headquarters. The Remote Gateway of the remote Router should be set to the IP address of the Router in the headquarters. After the IPsec VPN tunnel of th...
Page 144 - Group
-139- 4.3.3 Network Management To manage the enterprise network effectively and forbid the Hosts within the IP range of 192.168.0.30-192.168.0.50 to use IM/P2P application, you can set up a User Group and specify the network bandwidth limit and session limit for this group. The detailed configuratio...
Page 148 - Scan and import the entries to ARP List
-143- Figure 4-15 Session Limit 4.3.4 Network Security You can enable the IP-MAC Binding function to defend against ARP attacks from the local or public network, and enable the Sending GARP packets function to defend against ARP attacks. Moreover, you can enable DoS Defense function to implement flood defense and Packet A...
Page 150 - Defense
-145- Choose the menu Firewall → Anti ARP Spoofing → ARP Scanning to load the configuration page. Enter the default gateway of the WAN port such as 58.51.128.254 in the Scanning Range field and click the <Scan> button, the MAC address of the WAN port will display in the Scanning Result table. ...
Page 151 - Monitoring
-146- 4.3.4.4 Traffic Monitoring 1) Port Mirror Choose the menu Network → Switch → Port Mirror to load the configuration page. Check the box before Enable Port Mirror and select the Ingress&Egress mode. Select the Port 5 for the Mirroring Port and the Port 3 and the Port 4 for the Mirrored ports...
Page 153 - Appendix A Hardware Specifications
-148- Appendix A Hardware Specifications General Standards IEEE 802.3, IEEE 802.3u, IEEE 802.3ab, IEEE 802.3x, IEEE 802.11b, IEEE 802.11g and IEEE 802.11n, TCP/ IP, DHCP, ICMP, NAT, PPPoE, SNTP, HTTP, DNS, L2TP, PPTP, IPsec One fixed 10/100/1000Mbps Auto-Negotiation WAN RJ45 port (Auto MDI/MDIX) One...
Page 154 - Appendix B FAQ
-149- Appendix B FAQ Q1. What can I do if I cannot access the web-based configuration page? 1. For the first login, please try the following steps: 1) Make sure the cable is well connected to the LAN port of the Router. The corresponding LED should flash or be solid light. 2) Make sure the IP addres...
Page 155 - accessed by the remote computer?; are the common values of the Subnet Mask?
-150- Q3: What can I do if the Router with the remote management function enabled cannot be accessed by the remote computer? 1. Make sure that the IP address of the remote computer is in the subnet allowed to remotely access the router. 2. If the router’s management port has been modified, please lo...
Page 156 - Appendix C Glossary; Glossary
-151- Appendix C Glossary Glossary Description ALG (Application Layer Gateway) Application Level Gateway (ALG) is an application-specific translation agent that allows an application on a host in one address realm to connect to its counterpart running on a host in a different realm transparently. ARP ( ...