
Manual

Viprinet Multichannel VPN Router


Model 300
Imprint
As of 4/2010
Subject to technical changes.
Producer:
Viprinet GmbH
Mainzer Str. 43
55411 Bingen am Rhein
Germany
Phone: +49 (0)6721 4 90 30-0
Fax: +49 (0)6721 4 90 30-109
E-mail: info@viprinet.com
Web: www.viprinet.com
2007-2010 Viprinet GmbH
Pictures by Frauke Boensch
Reprinting or copying even in extracts only with written permission of Viprinet GmbH.
Table of contents
General information 4
Product at a glance 4
Device description 9
Technical data 10
Unpacking 10
Delivery content 11
Installation 12
Device setup 12
Installation of line modules 13
Installing the software 15
Wiring the network 16
Configuration 18
Network knowledge is necessary 18
Overview 18
Choosing topology 20
Net segmentation 22
Basic configuration using the setup program 26
Configuration using the web interface 34
Tunnel Channel Autotuning 39
Qos System and Bonding Options 43
SNMP 46
Additional information 48
Monitoring system 48
Integration of VPN Clients / Road Warriors 50
Service 51
Trouble shooting 51
Service providers 52
Appendix 54
Network basics 54
NAT-Network Address Translation 59
General information
Product at a glance
The Multichannel VPN Router connects a local network via up to three broadband channels with a Multi-
channel VPN Hub, which is acting as a VPN concentrator. At least two Viprinet Routers are needed for this
connection:

Figure: Left: local network with a Viprinet Multichannel VPN Router (VPN Node); right: data center with a Viprinet Multichannel VPN Hub (VPN Hub); both connected via the Internet.
For the most common types of connections the following modems are available as modules which are
inserted into the router case.
ADSL/ADSL2+ Annex A
ADSL/ADSL2+ Annex B
Euro-ISDN
UMTS/GPRS/EDGE
Fast Ethernet

External modems (e.g. WLAN, SDSL, SHDSL) may be connected using the Fast Ethernet module. All
modems that either allow PPPoE pass-through or are able to assign an IP address statically via DHCP are
supported.
Technology
The Multichannel VPN Router acts as a layer 3 router connecting local networks at different locations on
the IP level. IP data streams are picked up by the LAN interface and are distributed to all available channels/
modem modules. As parts of data streams are sent through multiple channels, a Viprinet peer (called VPN
Hub) is always needed to reassemble the streams afterwards.
Preface
Safety/data encryption
For each physical Internet connection, a separately encrypted VPN Tunnel (SSL protocol using 256 Bit
AES encryption) is set up between the VPN Node and the VPN Hub. These tunnels are used in a bundled
fashion, and all IP traffic is then passed through them.
Cooling
The Viprinet Router is set up for continuous operation and is cooled passively without any fans. Therefore
it is critical that the ventilation slots are never covered and the maximum specified ambient temperature is
not exceeded.
* Annex A / B
Annex A: ADSL frequency range for analogue telephone connections
Annex B: ADSL frequency range for ISDN telephone connections
Basics of VPN Tunnels / Terminology
VPN Hubs, VPN Nodes and VPN clients
The Multichannel VPN Router is usually used to connect one or multiple branch offices to a central location.
Together, all locations therefore generally form a star topology.
VPN Node
A router not accepting VPN connections from other routers but connecting to a central VPN Hub is called
VPN Node. VPN Nodes typically use multiple physical Internet connections using WAN modules.
VPN Hub
A router accepting connections from VPN Nodes at a central location (data center, company headquarters,
ISP) is called VPN Hub.
VPN Clients
Single computers not located inside a network equipped with a VPN Node (e.g. field representatives with
notebooks, home offices) may use a software-based solution to become part of the VPN network. These are
called VPN Clients. Using the VPN Client software, a VPN Tunnel to a VPN Hub is created.
The LAN port
The router is integrated into the LAN using an Ethernet switch connected to the router's LAN port.
Using the LAN port, the web configuration system "AdminDesk" can be accessed from the LAN using a
web browser.
Only via the LAN port can the router be accessed by the setup software to perform the initial
configuration.
Using the LAN port, the appropriately configured router can offer integrated services like a domain
name server and a DHCP server to assign IP addresses to computers within the LAN.
Within the web configuration system "AdminDesk", configuration of the LAN port is performed using the
"LAN settings" menu.
The WAN Interfaces / Module slots
The modem cards inserted into the router's module slots are called "WAN Interfaces".
Each module used must be configured according to its type:
A DSL modem, for example, requires the PPP account data from the DSL provider.
For dialup lines (or UMTS links) that are billed by time it might be sensible to use a configuration that
will only dial in if a tunnel within the router is actually trying to connect to the VPN Hub.
VPN Tunnels
To connect a VPN Node with a VPN Hub, the VPN Node has to establish a TCP/IP tunnel with a VPN Hub.
The data from the VPN Node's LAN is sent via this encrypted tunnel to the VPN Hub which forwards it to
another VPN Node (that is, another location) or the Internet.
Such a logical connection between VPN Node and VPN Hub is called a VPN Tunnel. Within AdminDesk
this can be configured in the VPN Tunnels menu.
Tunnel Channels
To create such a logical VPN Tunnel, TCP/IP connections with the VPN Hub have to be established through
the ISPs used by each WAN Interface.
Thanks to its innovative channel bundling technology, the Multichannel VPN Router is able to use
several physical lines provided by different ISPs to create such a VPN Tunnel.
Each physical connection created by a VPN Tunnel using a WAN Interface is called Tunnel Channel.
A VPN Tunnel contains at least one such Tunnel Channel to make a connection possible.
A Tunnel Channel contains the information which of the existing WAN Interfaces is used to create
the physical connection.
With a VPN Node connected to just one VPN Hub (usual case) a Tunnel Channel per existing WAN Interface
will be created. On the VPN Hub things look different: All Tunnel Channels come in through one single
WAN/VPN port connected to the datacenter's backbone.
A VPN Node uses a Tunnel consisting of multiple Tunnel Channels, which each refer to a single WAN
Interface, to link to the VPN Hub.
A VPN Hub connected with several branch offices (VPN Nodes) uses one Tunnel per VPN Node, with
each Tunnel consisting of multiple Tunnel Channels.
Traffic Classes and Rules / Quality of Service
The Multichannel VPN Router distinguishes itself by an innovative bundling procedure. This makes it
possible to internally combine all Tunnel Channels used by a VPN Tunnel for certain services. The bandwidth
of all used Tunnel Channels (that is, of all physical lines of the WAN Interface) may be summed up for
individual up-/downloads.
This bundling procedure is only sensible for certain kinds of traffic, that is, if the complete bandwidth
of all Tunnel Channels should be used with a small number of connections.
This is, for example, not necessary for IP telephony (VoIP): latency, that is the time the data needs
to pass between VPN Node and VPN Hub, is far more important.
The Multichannel VPN Router allows you to very precisely configure how the router should deal with
certain types of data traffic. The setting how a defined group of data traffic is treated is called QoS Traffic
Class.
This makes it possible to set up a class for data traffic like IP telephony, always assigning it to the
line with the smallest latency (possibly moving it to a different line as soon as that becomes the one
with the lowest latency).
For traffic needing the highest possible bandwidth, a class may be set up where all available Tunnel
Channels are used for the data transfer.
By using the QoS classes it is also possible to guarantee or restrict the bandwidth for certain classes of
data transfers. The router makes sure that a Traffic Class with a guaranteed bandwidth will be preferred
even if the system is running on full capacity, cutting down bandwidths of other classes to always keep
the guaranteed bandwidth available. Other classes on the other hand might be restricted to a maximum
amount of bandwidth; this way certain unimportant services like file sharing may be slowed down. QoS
Traffic Classes define how individual classes of data transfer are dealt with.
The second component of the Quality of Service system are the QoS Traffic sorting rules. These are rules
to sort data streams by different criteria into the QoS Traffic Classes mentioned above.
Several criteria may be used to do so:
Data may be sorted by the TCP port used. A QoS Traffic sorting rule might identify all connections
from and to Port 80 as HTTP connections. The rule would be called HTTP. As part of this rule, a
target class would be set, for example: the QoS Traffic Class bundling.
A rule might also use source and target ranges of your IP network. This way, a department may be
identified by its IP address and sorted into a certain QoS Traffic Class that guarantees a minimum
bandwidth.
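The sorting logic described above, as an added Python example (not code from the manual or from Viprinet): rules are evaluated in order with the first match winning, which is an assumption of this example, and the channel names, bandwidths, ports and address ranges are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed values, not from the manual: three Tunnel Channels of one VPN
# Tunnel with their bandwidth in kbit/s, and a set of QoS Traffic Classes.
CHANNELS: Dict[str, int] = {"ADSL-1": 2048, "ADSL-2": 2048, "UMTS": 384}

# "bond": the class may use all channels; otherwise it sticks to the channel
# with the lowest latency (what the manual describes for IP telephony).
# "guaranteed"/"maximum": kbit/s reserved for / capped on the class (None = no cap).
CLASSES = {
    "bundling":   {"guaranteed": 0,    "maximum": None, "bond": True},
    "voip":       {"guaranteed": 512,  "maximum": None, "bond": False},
    "accounting": {"guaranteed": 1024, "maximum": None, "bond": True},
    "default":    {"guaranteed": 0,    "maximum": 1024, "bond": True},
}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    """One QoS Traffic sorting rule: every criterion that is set must match."""
    name: str
    target_class: str
    port: Optional[int] = None        # connections from OR to this port
    proto: Optional[str] = None
    src_net: Optional[str] = None     # CIDR range of the sending side
    dst_net: Optional[str] = None     # CIDR range of the receiving side

    def matches(self, f: Flow) -> bool:
        if self.port is not None and self.port not in (f.sport, f.dport):
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.src_net and ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        return True


# Rule order matters in this example: the first matching rule wins (assumption).
RULES: List[Rule] = [
    Rule("VoIP", "voip", port=5060, proto="udp"),
    Rule("HTTP", "bundling", port=80, proto="tcp"),
    Rule("Accounting department", "accounting", src_net="10.0.1.0/26"),
]


def classify(flow: Flow, rules: List[Rule] = RULES, default: str = "default") -> str:
    """Sort a flow into a QoS Traffic Class; unmatched flows go to `default`."""
    for rule in rules:
        if rule.matches(flow):
            return rule.target_class
    return default


def channels_for(class_name: str, latency_ms: Dict[str, int],
                 classes=CLASSES) -> List[str]:
    """Channels a class may use: all of them when bonding, otherwise only the
    channel with the lowest measured latency (re-evaluated on every call)."""
    if classes[class_name]["bond"]:
        return sorted(latency_ms)
    return [min(latency_ms, key=latency_ms.get)]


def check_guarantees(classes=CLASSES, channels=CHANNELS):
    """Guarantees can only be kept if their sum fits into the bonded capacity
    of the tunnel. Returns (ok, reserved_kbit, capacity_kbit)."""
    reserved = sum(c["guaranteed"] for c in classes.values())
    capacity = sum(channels.values())
    return reserved <= capacity, reserved, capacity


if __name__ == "__main__":
    sample = [
        Flow("10.0.1.10", "203.0.113.5", "tcp", 40000, 80),
        Flow("10.0.1.10", "203.0.113.5", "tcp", 40001, 443),
        Flow("10.0.2.20", "10.0.1.2", "udp", 5060, 5060),
        Flow("10.0.2.20", "203.0.113.9", "tcp", 40002, 6881),
    ]
    latency = {"ADSL-1": 40, "ADSL-2": 35, "UMTS": 120}
    for f in sample:
        cls = classify(f)
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto}: {cls} on {channels_for(cls, latency)}")
    print("guarantees fit:", check_guarantees())
```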
Device Description
(1) Power Plug 12V (back side, for included power supply)
(2) LAN socket
Link to local network
(3) Viprinet router status LEDs
Power: lit when power is supplied
Online: lit when connection to a VPN Hub is established through at least one line;
flashing while system is establishing a connection to a VPN Hub
(4) Reset button
The reset button can be reached with a pointed object (e.g. pencil). By pushing it briefly, the router
will restart. By continuously pushing the button for 5 seconds, the router will be reset to factory
settings. Caution: all settings will be lost! Further information on this can be found in the service
chapter.
(5) Three slots for hot plug modules
Each with LEDs for status indication.
Link: lit when cable is connected correctly;
flashing while module is trying to synchronize with ADSL DSLAM (ADSL module only);
flickering when line is active
Online: lit when a VPN Tunnel is established with this module;
blinking when module is used to establish a VPN Tunnel
Screws
All screws you may open are located at the case front (module faceplates). All other screws must not be
opened.
Technical Data
Construction Desktop enclosure
Measures WxHxD in mm 147 x 130 x 177 mm
Weight ca. 1 kg
Power supply 12V, 4A max
Input wattage with maximum equipment 50 Watt
CPU frequency 500 MHz
Encryption in hardware AES 256 bit
RAM 256 MB
Modules max. of 3; any slot
Working temperature 10-35 °C
Unpacking
The Viprinet Router and the modules will be sent singly or pre-configured depending on the supplier.
Unpack all elements and check if complete.
Delivery content
Number Type
1 Multichannel VPN Router
1 Power Supply Unit
1 Power cord
1 Manual
1 CD with software
* ADSL/ADSL2+ module Annex A
* ADSL/ADSL2+ module Annex B
* Euro-ISDN module
* Fast Ethernet module
* UMTS/GPRS/EDGE module
The number of modules depends on your order. See delivery note.
Installation
Device setup
The Viprinet Router is a desktop device and can be put up at any location which offers the following
conditions:
Working temperature 10-35 °C
No direct sunlight (danger of overheating)
Detached position
Attention:
The ventilation slots must not be covered. The device must be placed on a level surface so that the
ventilation slots will not be covered.
Notice:
The device is passively cooled and can therefore do without a fan. The cooling of the integrated CPU results
from heat emission to the case. The warming of the case during operation is therefore normal. Additional
cooling is effected by convection through the ventilation slots. Hence, the cooling of the device can be
improved when it is set up in well aired areas.
Installation of line modules
Up to 3 line modules can be inserted into the Viprinet Router. Modules can be plugged into any of the slots.
They may be installed or taken out even when the router is running (hot-plug).
If modules are reassembled, the configuration has to be changed (see below).
Unscrew both screws.
Take off the cover (resp. pull out the module).
Insert the chosen module into the slot.
Keep in mind to put the board straight into the rails.
Put the screws back in.
The module has to be configured.
First configuration: use the setup program or the Web Interface.
For any upgrade: use the Web Interface.
Numbering of modules
All module slots are numbered internally. The configuration is saved for each slot.
Replacement of modules
You can exchange a module in slot 1 with another one of the same type.
The configuration is maintained.
This way, you can, for example, exchange one ADSL module with another ADSL module. Slot and
configuration stay the same.
If extracting a configured module and replacing it with a different type, the previous configuration of
the slot is lost.
ADSL Annex A and B are seen as the same type of module.
Installing the software
The following software is delivered with the Viprinet Router and should be installed on a workstation/
desktop.
Setup program
Setup program for configuring the Viprinet router.
File name: setup.exe
Monitoring system
Monitoring system displaying the data streams.
Setup file name: monitor.exe
Installation of the setup program
There is no need to install the setup program. The exe file can be executed immediately.
Copy the exe file to your desktop or execute it directly from CD.
Installation of Monitoring system
You can install the Monitoring system on your desktop.
Insert CD.
Start monitor.exe from CD.
Follow instructions on screen.
Wiring the network
At branch office (VPN Node)
Connect the Viprinet Router with the network and the lines as follows:

Connect the LAN port (1) with the local network,
e.g. a work-group switch
e.g. a firewall system
(if necessary, a cross-over cable has to be used).
Connect the module with the lines. Notice the following tips.
Module: cable and connection
ADSL/ADSL2+ module Annex A: network cable (if necessary shielded) (CAT5); connect with splitter, "DSL" socket
ADSL/ADSL2+ module Annex B: network cable (if necessary shielded) (CAT5); connect with splitter, "DSL" socket
Euro-ISDN module: ISDN cable with RJ-14 plug or network cable (if necessary shielded) (CAT5); connect with NTBA
(alternatively, you can also connect to the ISDN bus of a telephone system installation, e.g. S0 intern)
Fast Ethernet module: network cable (if necessary shielded) (CAT5); connect with the Ethernet socket of a router or modem, e.g.:
cable modem
SDSL modem
radio link
leased line router
UMTS/GPRS/EDGE module: mount the UMTS antenna shipped with the module to the SMA socket.
Alternatively, an external UMTS antenna equipped with an SMA plug may be connected.
Configuration
Network knowledge is necessary
For correct Viprinet Router configuration sufficient network knowledge is necessary. You will find an
overview of important terms in the appendix. See: Basic Network Technology.
Overview
Below you will find a compact overview of the steps you need to take in order to use the router inside
your network:
Define topology
You should first decide on a network topology. As a rule, it should be established in a star topology:
one or more VPN Nodes connected to one central VPN Hub forwarding to the Internet and routing
between the VPN Nodes.
Net segmentation
Since the Viprinet Router is active as a layer 3 router, the networks which are to be connected have to
have their own IP subnets. So you will have to segment your entire IP network consisting of private and
public IP ranges. The Viprinet Router working as a VPN Hub will route between those subnets.
Get public IPs
You need public IPs for the following devices:
VPN Hub:
1. an IP for the uplink/LAN port (routing towards the Internet is done from here; connections from
the VPN using private IP addresses are converted to this IP address using NAT)
2. an IP address for the WAN/VPN interface (may use the same IP subnet as the LAN port)
For all VPN Nodes:
1. an IP address for each module (typically dynamic IP addresses, automatically assigned by the
service provider, are used here though)
Basic configuration (Setup program)
At first use, you will have to install a basic configuration on each Viprinet Router using the setup
program. The following values are determined:
router name
local IP and netmask
VPN Node/ VPN Hub
LAN Interface settings
module configuration
VPN connection configuration
router password
If needed, sophisticated configuration (Web Interface)
If required, you can set up further configurations by using the Web Interface. Here, the values of the
basic configuration can be changed and further parameters can be added like:
all LAN and module settings
Tunnel and Channel settings
bandwidth management (priority settings for certain data streams)
user rights
Choosing topology
Example: One office with bundled redundant connection to the Internet
A bundled redundant connection of a single office to the Internet may be established using two Viprinet
Routers. Up to three access lines in any combination can be used at the office.
[Figure: Branch Office (VPN Node) (2) and Data Center (VPN Hub) (1), linked via the Internet by physical lines and one logical connection]
(1) Data center (VPN Hub)
The router in the data center should be connected to the Internet via two Ethernet connections to the
datacenter's backbone. The LAN port of the router serves as an uplink for traffic which is transmitted
from the VPN towards the Internet. The encrypted VPN connections from the VPN Node arrive via
the WAN/VPN port.
The WAN/VPN port needs to get a static public IP address assigned, which is used by the VPN
Nodes as destination address for establishing VPN Tunnel Channels. The uplink/LAN port commonly
also gets assigned a public IP address. Should the VPN Hub be placed inside a closed Intranet without
any connection to the Internet, a private IP address may be used here instead.
(2) Branch office (VPN Node)
The router here can be equipped with various different modules. Via each of these modules plus the
Internet backbone of the provider an encrypted VPN connection is established (a Tunnel Channel)
to the Ethernet module of the VPN Hub.
The LAN of the branch office is connected to the LAN port of the Viprinet Router.
As the "Tunnel Channel" connections are outgoing TCP connections, a static public IP is not required
for the VPN Node's WAN modules; dynamically assigned IP addresses are OK, too. It is even possible
to use private IP addresses if a device behind the module (e.g. a fixed line router or a DSL router)
replaces the source IP address of outgoing TCP connections by a public one using Network Address
Translation (NAT).
The office LAN (e.g. an Ethernet switch) is connected to the Viprinet Router using the LAN port.
Example: Several branch offices (Subnets in star topology)
Should several branch offices be connected to the data center, a star topology is normally used: several
VPN Nodes are connected to one VPN Hub in the center which serves as a data distributor between the
branch offices themselves and the Internet.
All Tunnel Channels of all branch offices connect to a single WAN/VPN port at the VPN Hub. The only
limiting factor is the total bandwidth and bonding capacity available at this VPN Hub.
[Figure: Branch offices (VPN Nodes) with e.g. 1x ADSL + 1x WLAN, 3x ADSL2+ or 2x ADSL, linked via the Internet to the Data center (VPN Hub); physical lines and logical connections]
(1) Data center (VPN Hub)
For the router in the data center, the Uplink/LAN port is used as gateway to the public
internet, while VPN Tunnel trafc is handled encrypted on the WAN/ VPN port.
(2-4) Branch offices (VPN Nodes)
The branch routers may be equipped with different modules, e.g. 2x ADSL or 3x ADSL2+ or 1x ADSL and
1x WLAN. An encrypted VPN connection (a Tunnel Channel) using these modules and the backbone
of the service provider is built between the VPN Node and the WAN/VPN port of the VPN Hub. The
branch's LAN is connected to the LAN port of the Viprinet Router.
For this type of topology, it is of vital importance that the VPN Hub can be reached easily by all physical
service providers of the VPN Nodes. Therefore, if the VPN Hub is used across country borders, it should be
set up in the center.
To do so:
Set up the VPN Hub at a data center directly connected to a provider backbone or at a national IP
exchange point.
When using the VPN Hub at the company headquarters, this should have a fail-safe and broadband
Internet connection which is itself not based on a Viprinet bundling.
Further possibilities
Alternative topologies like ring- or peer-to-peer structures are also possible, but should only be configured
by experienced experts. The respective configuration can only be done via the Web Interface.
It is another special case if two branch offices are meant to be connected directly using multiple bundled
broadband lines on both sides. The Viprinet Router is able to support this, but it may prove to be quite
difficult: Tunnel Channels from the first branch office have to connect to varied lines at the other branch office.
This does not present such a big problem if both branch offices are using the same number of symmetrical
lines. If a different number of lines or asymmetrical lines (in this case, the upstream of the second branch
office has to be as high as the downstream of the first branch office) are in use, it is definitely not advisable
to use this topology. In this case, a star topology with a VPN Hub at an external data center should be
used. In any case, one of the two branch offices (the one where the router is declared VPN Hub) needs to
have static IP addresses assigned on all WAN modules so the router in the other office is able to set up the
Tunnel Channel connections.
Net segmentation
Since the Viprinet Router is active as a layer 3 router, the networks to be connected have to have their own
IP subnets. You have to segment your entire IP network which is made up of private and/or public IP ranges;
each subnet has to have its own IP range. Between these networks, the Viprinet Router serves as a router.
Configuration with private IPs
You can build your network using private IP addresses. These are only valid inside your own network and
therefore not reachable from the Internet. If data should leave the VPN towards the Internet, the VPN Hub
within the VPN will have to mask the private IP source addresses using Network Address Translation (NAT)
for packets leaving the VPN towards the Internet.
Segmenting the net
Divide your net into branches, e.g. with a supposed network of 10.0/16 (in CIDR notation; see the description
in the appendix):
Branch 1 10.0.1/24
Branch 2 10.0.2/24
Branch 3 10.0.3/24
Branch 4 10.0.4/24
[Figure: Branches 10.0.1/24 to 10.0.4/24 connected through the Internet to the data center over bundled logical connections (VPN Tunnels)]
Configuration with public IPs
Since public IP addresses are limited, you have to be sparing when segmenting a public IP net: the single
segments should only be as big as really needed for each branch office.
Net segmentation
You may have the IP range 192.0.2.0/24 assigned for your network. Subdivide your network:
Branch    two branches     four branches     eight branches
Branch 1  192.0.2.0/25     192.0.2.0/26      192.0.2.0/27
Branch 2  192.0.2.128/25   192.0.2.64/26     192.0.2.32/27
Branch 3  -                192.0.2.128/26    192.0.2.64/27
Branch 4  -                192.0.2.192/26    192.0.2.96/27
Branch 5  -                -                 192.0.2.128/27
Branch 6  -                -                 192.0.2.160/27
Branch 7  -                -                 192.0.2.192/27
Branch 8  -                -                 192.0.2.224/27
[Figure: Branches 192.0.2.0/26, 192.0.2.64/26, 192.0.2.128/26 and 192.0.2.192/26 connected through the Internet to the data center over bundled logical connections (VPN Tunnels)]
Configuration with private and public IPs
If you have set up your network with private IPs, but want to use computers with public IPs as well (e.g. a
server reachable via the Internet), you should start with the initial configuration for private IP networks in
the setup program. Afterwards, you can insert the public IP addresses (using CIDR notation) via the Web
Interface at
AdminDesk > WAN/VPN Routing and NAT > WAN/VPN routing rules
Routing decisions are based on a set of rules. If a public IP block gets routed by your datacenter ISP to your
VPN Hub, and you wish to forward this or parts of this block to one or more branch offices (VPN Nodes), you
will have to create routing rules for that. Assuming you wish to route the public IP network 192.0.2.64/27
through the VPN to a VPN Node, you have to create a rule on the VPN Hub using "Add a routing rule". Give
the rule a name (e.g. "Public network branch 1"). Inside the rule object set "Matching IP Protocols" to "Ignore"
(all IP protocols are to be routed) and "How to match IP addresses" to "Destination" (routing decisions are based
on the target IP address of incoming packets). For "IP Addresses" enter 192.0.2.64/27. Finally select which VPN
Node this should be routed to by choosing its VPN tunnel under "Target Interface".
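The segmentation tables and the routing rule above, worked through in an added Python example (not code from the manual or from Viprinet): it splits the block 192.0.2.0/24 into equal branch subnets, checks that no subnet overlaps another or the transfer network, and builds the destination-based Hub rules; the transfer network value and the tunnel names are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed example (not from the manual): the public block 192.0.2.0/24
# from the segmentation table, four branches, and a private transfer network.
# The tunnel names used as Target Interface are assumed.
PUBLIC_BLOCK = "192.0.2.0/24"
BRANCHES = ["Branch 1", "Branch 2", "Branch 3", "Branch 4"]
TRANSFER_NET = "172.31.255.0/30"


def split_block(block: str, branches: List[str]) -> Dict[str, ipaddress.IPv4Network]:
    """Divide `block` into equal subnets, one per branch, as in the manual's
    two/four/eight-branch table. The block is split into the next power of
    two, so three branches still get /26 segments (one stays unused)."""
    net = ipaddress.ip_network(block, strict=True)
    count = 1
    while count < len(branches):
        count *= 2
    segments = list(net.subnets(prefixlen_diff=count.bit_length() - 1))
    return dict(zip(branches, segments))


def check_segmentation(plan: Dict[str, ipaddress.IPv4Network],
                       transfer_net: str) -> List[str]:
    """Problems with a plan: branch subnets that overlap each other, or a
    transfer network that collides with a branch (the manual requires it to
    be unused anywhere else inside the VPN). An empty list means OK."""
    problems = []
    items = list(plan.items())
    for i, (name_a, net_a) in enumerate(items):
        for name_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    transfer = ipaddress.ip_network(transfer_net, strict=True)
    for name, net in plan.items():
        if net.overlaps(transfer):
            problems.append(f"transfer network {transfer} overlaps {name} {net}")
    return problems


def hub_routing_rules(plan: Dict[str, ipaddress.IPv4Network]) -> List[dict]:
    """One destination-based rule per branch, with the settings the manual
    describes for "Add a routing rule" on the VPN Hub."""
    rules = []
    for name, net in plan.items():
        rules.append({
            "name": f"Public network {name.lower()}",
            "matching_ip_protocols": "Ignore",      # route all IP protocols
            "how_to_match": "Destination",          # decide on the target address
            "ip_addresses": str(net),
            "target_interface": "tunnel-" + name.lower().replace(" ", "-"),
        })
    return rules


def route(rules: List[dict], dst_ip: str) -> Optional[str]:
    """Target interface for a destination address; the most specific matching
    rule wins (longest prefix), None if no rule matches."""
    best, best_len = None, -1
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        net = ipaddress.ip_network(rule["ip_addresses"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = rule["target_interface"], net.prefixlen
    return best


if __name__ == "__main__":
    plan = split_block(PUBLIC_BLOCK, BRANCHES)
    for name, net in plan.items():
        print(f"{name}: {net}")
    print("problems:", check_segmentation(plan, TRANSFER_NET) or "none")
    rules = hub_routing_rules(plan)
    print("192.0.2.70 ->", route(rules, "192.0.2.70"))
    # A transfer network taken out of a branch range is reported:
    print(check_segmentation(plan, "192.0.2.128/30"))
```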
Basic configuration using the setup program
Before using a new router, you have to install a basic configuration on your new Viprinet Router using the
setup program. The setup program is compatible with Windows 2000/XP/Vista/7. The chosen settings may
be refined and adjusted with the Web Interface later.
This basic configuration has to be carried out before putting the router into use.
Each router is set up separately with all its modules. The modules are queried one after the other.
Each type of module requires different specifications.
Starting the Setup Program
Make sure your PC is connected with the router by the LAN or directly via a crossover cable at the
LAN port.
Start up the Setup Program directly from CD or your hard drive.
File name: Setup.exe
Confirm with Next.
The program searches for all available Viprinet Routers inside the local network. This is done using IP
broadcasts, so only routers inside the same broadcast segment are detected.
All Viprinet Routers found are displayed.
Mark the Viprinet Router you would like to configure.
Confirm with Next.
Basic Configuration
Initial configuration: Enter the following data:
Name: You can identify the router by this name later on (it is displayed when opening the setup program
and the Web Interface).
IP: Local IP of the LAN where the router is situated.
Netmask: Netmask of the LAN.
How would you like to use the router? Decide on how you are going to use the router.
VPN-Node: Router at a branch office. Connected to a VPN Hub through the Internet via one or more
broadband lines.
VPN-Hub: Router at data center (This configuration is only possible if solely Ethernet modules are used.)
Advanced: If you chose this setting, only the LAN Interface is configured; all other settings may be done
via the Web Interface later on.
Continue: Continue depending on your choice, read on the next pages.
If "VPN Node" was chosen
LAN-Interface Configuration
IP-Address: Enter the IP address here under which the router may be reached in the LAN. The address
serves as a gateway for computers within the LAN.
Netmask: corresponding to the IP entered above.
Enable DHCP-Server: Tick this box if the router should assign IPs dynamically within the LAN.
Range Start/ Range Stop: Enter the IP address range the router should assign to computers inside the
LAN via DHCP. Enter the first and the last assignable address.
Module configuration
The modules in each slot are queried one after the other (up to three). Each type of module requires
different specifications.
Ethernet module
Ethernet with fixed IP & Gateway: Configure the Ethernet module using a fixed IP address, netmask and
gateway (e.g. when connecting a leased line router or a modem to the Ethernet module)
Ethernet with DHCP: As above, but the Ethernet module gets its IP configuration from the DHCP server
of the connected router or modem.
PPPoE: A PPPoE-enabled modem is connected to the Ethernet module (e.g. SDSL), enter username and
password for PPP access.
ADSL module
Username and password: Enter ISP's PPP username and password.
Connect on demand: If this option is activated, the module only dials in if a VPN Tunnel is actually
trying to use this line. This makes sense if the connection is billed on a time basis.
UMTS module
Access Point Name: Enter the APN as specified by the UMTS provider.
User name and password: Enter the account name and password as given by the UMTS provider. For many
providers these values may be freely chosen, the fields however must be filled.
Connect on demand: (See ADSL module)
ISDN module
Username and password: Enter service provider's PPP username and password.
Provider Telephone Number
MSN: Your own ISDN identification number (optional)
Use both channels: ISDN provides two data channels. When using both, the capacity is 128 Kbit/s,
otherwise 64 Kbit/s.
Connect on demand: (See ADSL module)
VPN-Connection
Here, the connection to the VPN Hub (= router at the data center) is configured.
Target Hub Hostname/IP: Enter the host name or the IP of the Ethernet module of the VPN Hub to
connect to.
Name of VPN Tunnel: This name identifies the link between the VPN Hub and this VPN Node. Use the
same unique name as used for this link on the VPN Hub.
Tunnel Password: The password needs to be identical to the one configured at the VPN Hub for this tunnel.
Modules to be used
Now, you decide which of the installed modules are used for connections (VPN Tunnel Channels) to the
VPN Hub; in most cases, you will use all existing modules.
Channelname: The freely chosen name also has to be entered in the VPN Hub.
Use channel: Decides if this module is used. If activated, the VPN Tunnel will try to establish a Channel
using this module after power-up.
Backup: Decides whether this module is a fixed line or a backup line. Backup lines are only brought up
if a configured minimum of lines is no longer online. ISDN lines and UMTS links billed on a time basis
are usually configured as backup lines.
Transfer Network
A private IP network not used anywhere else inside the VPN is needed internally by the router.
Root password You have to decide on a router root password.
The password is for the user root (who has
all rights).
Use a safe password (more than 8 characters, a
mixture of capital and small letters and digits).
Write down the password and keep it safe.
If Advanced was chosen
LAN Interface Configuration
IP address: If the router is to be used as a VPN Hub later, only a static public IP is sensible here. If the
router is used as a VPN Node later on, a private IP address may also be used. This is used by the LAN
as a gateway.
Netmask: Enter the corresponding netmask.
Gateway: For a VPN Hub, enter the IP of the gateway. For a VPN Node, the router itself will be the
gateway, the field will therefore stay clear.
DHCP server: Tick this option if the Viprinet Router should assign IPs dynamically inside the LAN. This is
only sensible for VPN Nodes.
Range start/ range stop: Enter the IP address range that should be assigned per DHCP by the Viprinet
Router.
Root password
You have to decide on a router password. The password is for the user root (who has all rights).
Use a safe password (more than 8 characters, a mixture of capital and small letters and digits).
Write down the password and keep it safe.
Finish the conguration
Upload settings When all steps in the setup program are done, you
can upload them to your router.
Click Finish.
The configuration is uploaded to the router.
The URL of the router's Web Interface is shown.
Configuration using the web interface
The Viprinet Router implements a Web Interface which allows you to carry out all settings. The Web
Interface can only be used if the initial configuration using the setup program has been done.
You will find a description of the use of the Web Interface here. Depending on the software status, your
Web Interface may look different and offer other possibilities. The basic use will be identical though.
Examples and operating logic of the web interface
Opening the Web Interface
You can access each Viprinet Router via the IP address assigned to its LAN Interface.
Start your web browser.
Enter the URL of the Viprinet Router you want to configure, e.g. http://192.0.2.1
The login mask appears.
Enter username and password.
Standard user: root.
The password was set during the first configuration with the setup program.
You see the main menu with all available objects.
Select an object, e.g. VPN Tunnels.
You see the functions and objects now.
Navigate
In addition, you see your selected path top-left on each screen. Click on a part of the path to change to another level, if necessary. Select a function, an object or a feature, if necessary.
Configuration options
Below you will find a brief introduction of the main configuration objects inside the Web Interface. Detailed information about these objects is available inside the Web Interface. It is possible that your Viprinet Router is already supplied with a newer software version with more possibilities. You will then have an extended menu available.
Information about the current version and its possibilities can also be found on the Internet at:
http://www.viprinet.com
LAN settings
LAN Interface settings, including the settings of the integrated DHCP server, are configured with this object.
Module slots / WAN interfaces
Allows you to configure the modules (e.g. ISP account data) for each module slot.
VPN Tunnels
VPN Tunnels, that is Site-to-Site links between a VPN Hub and VPN Nodes, are configured here. A VPN Tunnel is the logical link between two routers. The physical connection consists of several Tunnel Channels, each of which refers to one installed module.
Bandwidth management
The bandwidth summed up from the Tunnel Channels of a VPN Tunnel is initially seen as a unit within the Viprinet Router. From these capacities you can assign shares to single departments or services at a branch office using the integrated bandwidth management. It is, for example, possible to assign a guaranteed minimal bandwidth to defined services and to slow down others. Suitable rules can be set up on the basis of numerous data sources like IP net ranges, port numbers or packet properties (such as the DSCP/ToS bits).
You can carry out the assessments through the following steps:
Traffic Classes are created, e.g. E-mails, Web traffic, IP telephony.
Path: AdminDesk > VPN Tunnels > My Tunnel > QoS Traffic classes > Add a traffic class
For each Traffic Class, features are set, e.g.:
- Minimum guaranteed bandwidth
- Maximum allowed bandwidth
- Priority of channel latency
Rules are defined about which criteria are used to sort new connections into one of the existing Traffic Classes. Each of these rules therefore refers to a fitting Traffic Class.
Path: AdminDesk > VPN Tunnels > My Tunnel > QoS Traffic sorting rules > First rule
When in use, the Viprinet Router directs the data streams into the corresponding classes according to these rules.
VPN Clients / Road warriors
For all software VPN Clients connecting to this router a single shared IP subnet is used, in the form of an IP address pool from which clients get their IPs assigned. To allow central administration, all relevant local settings of the clients may be remotely configured using this object. This for example includes routing and QoS settings, which are transferred to connecting clients.
WAN/VPN Routing and NAT
All settings that affect routing towards the WAN/VPN Tunnels are configured using this object. For VPN Nodes the only setting usually done here is to set the default route to the VPN Tunnel. For VPN Hubs, rules need to be created that define how and where IP networks are routed. Also, Network Address Translation for packets crossing the border between VPN and Internet is configured here.
WAN/VPN Routing rules
Similar to QoS rules, routing decisions are based on an extended set of rules. This makes it possible to create routing rules that are based on traffic type. However, the most common type of rule is destination based: the destination address of an IP packet is used to decide which VPN Tunnel the packet should be forwarded to. In these cases, "How to match IP addresses" is set to Destination, and the network to forward is entered under "IP Addresses".
Logging & Maintenance
In this object a whole lot of things in regard to system logging and maintenance can be configured and viewed. You may view the system log file or configure remote Syslog logging. Firmware updates can be executed from inside this menu. Also the health of the router hardware can be checked and backup copies of the router configuration may be downloaded.
AdminDesk Accounts
User rights
The administration system is multi-subscriber capable. Parts of the configuration options can be made accessible to sub-administrator groups (read only, or edit). This allows for leaving parts of the configuration to departments or clients (e.g. bandwidth management/QoS), while basic configuration rights remain under the control of a central administration (or the ISP).
Administrator group
The standard user is called root and has all rights. (The password was set during the basic configuration.) You can create sub-administrator groups. For routine tasks such as monitoring, prefer a member of a group with read-only rights over the root account; the monitoring tool accepts such accounts.
Object permissions
You can lay down for each object which group is allowed to see or change it.
Go to the object.
Left-click on one of the change buttons.
Enter the group allowed to see resp. change the object.
Attention: The Web Interface is structured hierarchically. For an object made accessible to a group, all higher ranking objects also have to be accessible (at least readable) for the group, so that it is possible for them to select it.
Member
You can add new members to a group.
AdminDesk > AdminDesk accounts > root > Members
The password can be stored in the database.
Tunnel Channel Autotuning
Introduction
A TCP VPN connection set up via one module slot from a VPN Node to a VPN Hub is termed Tunnel Channel. One or more of these Tunnel Channels combined make a VPN Tunnel. Typically, a single Tunnel Channel is established from each WAN module of the VPN Node. All Tunnel Channels from VPN Nodes with the same VPN Hub configured as remote station arrive at this VPN Hub's WAN port. Thus, Tunnel Channels are ordinary SSL-encrypted TCP connections through the ISP network to the data center network the VPN Hub resides in.
Internet providers hold large packet queues in order to offer stable and fast downloads. The larger those queues become, the higher the connection's latency will grow, as each packet will have to traverse the complete queue. As connection quality means the highest possible bandwidth whilst still maintaining the lowest possible latency, filling the provider's send queue should be avoided if possible.
A TCP connection cannot identify what bandwidth is actually available on the line through the ISP backbone to the VPN Hub's site, and what latency and packet loss variation should be considered normal. It is considered optimal not to fully exploit the available bandwidth in up- and downstream, so as to avoid rising latencies within the line. Utilizing only 90-99% will provide considerably lower latencies in all types of connections. This is important if you want to conduct for example VoIP services through the bundled Tunnel Channels.
Thus, the Tunnel Channels should be configured very thoroughly so as to attain a satisfying performance. The maximum bandwidth in egress direction can be defined manually (for users in a VPN Node's LAN, this must be configured at the VPN Node for upstream and at the VPN Hub for downstream), as can the latency values that should be considered best or unusable.
In most cases, it will be more reasonable to let this be regulated by the integrated "autotuning"; after all, available bandwidths and latencies can vary in most WAN connections. This is especially applicable in types of connections utilized by several users (cable, UMTS), so-called shared media. In practice, a manual definition of these parameters should be considered with dedicated lines or if only a fixed fraction of one WAN connection's bandwidth should be employed. Thus, Autotuning is activated by default.
Bandwidth Autotuning
Bandwidth Autotuning will attempt several speedtests in order to always reliably know the usable bandwidth. For this purpose the initial transfer will be run with a low rate (32 KBit/s). The rate will be raised in follow-up tests as long as the latency stays below the "Optimal latency below" value during the test. Should the value be exceeded, the speedtest will be canceled; the next test will be started after a short waiting period. Within a few minutes after a Tunnel Channel has connected, the "Maximum allowed bandwidth to WAN" will level off at a realistic value.
Attention: Please note that Bandwidth Autotuning will only be performed for egress (outgoing) traffic directed to the WAN; on the side of a node this would mean the upstream viewed from the LAN. In order to configure Autotuning for downstream traffic on the side of the node, the respective settings must be altered on the side of the VPN Hub (again, this is egress traffic directed to the WAN). As a rule, Autotuning settings should be identical on the sides of the VPN Node and VPN Hub.
The more stable bandwidth and latency are, the less often speedtests by Bandwidth Autotuning will be performed. On the contrary, unstable connections will cause very frequent speedtests.
Data traffic generated by Bandwidth Autotuning will be shown separately from actual user data as "Control Traffic" in the router's Traffic Accounting System. Test transfers are strictly subordinate to any other user transfer. A running speedtest will thus affect the usable bandwidth only minimally. This traffic might however incur costs, hence excessive and unnecessary speedtests should be avoided.
Bandwidth Autotuning speedtests will be documented in the router log. After installing a new Tunnel Channel, the Autotuning should be checked there. Frequent speedtests often point at connection errors or at problems in the Internet link between module/ISP and the location of the VPN Hub. In this case, a traceroute to the VPN Hub's WAN IP should be performed on the side of the VPN Node and, when indicated, a connectivity test should be carried out.
The primary parameters for Bandwidth Autotuning are:
Bandwidth autotuning
Activates or deactivates Bandwidth Autotuning.
Optimal latency below
During speedtests, transfer rates will be raised only when the current latency is below the entered value. The value will be adjusted automatically if "Maximum allowed latency autotuning" is activated (see below).
Minimize autotuning traffic
When using connections with frequent variations in latency and bandwidth as well as high traffic expenses (e.g. UMTS), Autotuning can with this setting be ordered to perform speedtests only when user traffic already uses most of the connection's capacity. The speedtest can then employ this traffic for measuring. Moreover, speedtests will be run less frequently. With this setting, the data volume caused by Autotuning can be reduced drastically; however, the system will work less accurately and slower. Usually, only 90% of the real bandwidth can be utilized in practice.
Minimum required bandwidth to WAN
This value defines what speedtest results will be deemed acceptable. If a connection does not reach the entered value for available bandwidth, the Tunnel Channel will be considered too slow ("ConnectedTooSlow") and not be used; please be careful when using this setting. Its primary use is for defining a lower threshold below which a connection failure can be assumed. For Tunnel Channels linked to UMTS connections, this setting can assure that the Tunnel Channel will not be used when only a slow, high-latency GSM/GPRS connection with 64 KBit/s and below is available that would be of no use for the total bonding.
Maximum allowed latency autotuning
Whereas Bandwidth Autotuning should be activated in almost any scenario, Latency Autotuning is reasonable in fewer cases only. However, it marks a starting point for customized optimization.
Latency Autotuning will try to detect the connection's latency, which means the amount of time for a data packet to cover the distance from VPN Node to VPN Hub and back. The optimal value will be determined on the basis of the connection's latency without any data traffic, along with its standard deviation (variation). This value will be used to determine what latency should be appropriate for almost full capacity: the "Optimal latency below" value. The aforementioned Bandwidth Autotuning will then use this value for determining the maximum bandwidth ("Maximum allowed bandwidth to WAN").
Latency Autotuning will also detect the maximum latency to be expected for this connection in undisturbed condition. If the latency exceeds the "Maximum allowed latency" value, the connection will be considered disturbed or unstable. The Tunnel Channel will thus change its status to "ConnectedStalled". The Tunnel Channel will be removed from the tunnel compound and no longer used for user data traffic. Not before the connection shows a latency value below "Maximum allowed latency" will it change its status back to "Connected" and be used again.
Both values are extremely relevant for a successful "Bandwidth Autotuning" as well as for stable operation with as few connection losses in the Tunnel Channel as possible.
The interaction between "Bandwidth Autotuning" and "Maximum allowed latency autotuning" will lead to a compromise between bandwidth exploitation and the latency achievable in the end. This way, a formerly unmatched stability with permanently low latencies can be achieved for WAN connections. In many cases, however, the Tunnel will have specific requirements such as the lowest possible latency, even at the expense of lower bandwidth, due to VoIP traffic or streaming applications.
Should a WAN link be characterized by permanently low latencies and negligible packet loss, "Maximum allowed latency autotuning" can be deactivated and the respective values adjusted manually. This is most reasonable with access media that are not shared with other users (ADSL/SDSL, ISDN, dedicated lines). It is not reasonable for mobile installations; a change of location will always cause strongly variable latency profiles with UMTS/3G connections.
If the values are to be adjusted manually, all Tunnel Channels and WAN links put into operation should initially be run with "Maximum allowed latency autotuning" activated for a while. After that, basic values are available for orientation. For further operations, it is essential to use the monitoring tool described in a separate chapter. With its graphs, the dependence of different connections' latencies on their load can be easily determined.
"Maximum allowed latency" should be as low as possible. Thus, a connection breakdown can be detected quickly; a defective connection will then not be used to send user data packets (this might lead to a short delay in user data transfer). On the other hand, it should not be picked so low that the connection will show a higher latency in regular operation and hence will not be used any more.
Only if the current latency is below the "Optimal latency below" value will Bandwidth Autotuning speedtests raise the utilized bandwidth of the connection. Here, you might experiment: check whether Bandwidth Autotuning will be able to exploit the line bandwidth after you have reduced this value, and/or check whether raising this value will cause an optimized bandwidth exploitation. To restart Bandwidth Autotuning after changing this value, you will have to reconnect the Tunnel Channel (set "Enabled" to "No" and then to "Yes" again). These tests should be performed with the help of the monitoring tool only. Dedicate some extra time for it.
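The following simulation, added here as an illustration and not taken from Viprinet's firmware, shows how the Bandwidth Autotuning probes and the latency thresholds of this chapter interact. The link model (flat latency until about 90% utilisation, then a filling provider queue), the geometric probe schedule with halving steps after a cancelled speedtest, and the multipliers used to derive "Optimal latency below" and "Maximum allowed latency" from the idle latency and its standard deviation are assumptions made for the example; only the parameter names and the channel states come from the manual.

```python
from statistics import mean, pstdev


def bufferbloated_link(capacity_kbit: float, base_latency_ms: float):
    """Constructed WAN link (assumption): latency stays flat up to about 90%
    utilisation, then the provider's send queue fills and latency climbs."""
    def latency_at(rate_kbit: float) -> float:
        utilisation = rate_kbit / capacity_kbit
        return base_latency_ms + max(0.0, utilisation - 0.9) * 500.0
    return latency_at


def bandwidth_autotune(link, optimal_latency_ms: float, start_kbit: float = 32.0,
                       growth: float = 1.5, min_growth: float = 1.01):
    """Bandwidth Autotuning: starting at 32 KBit/s, each speedtest probes a
    higher rate and keeps it while the measured latency stays below "Optimal
    latency below"; a probe that exceeds it is cancelled and the next probe is
    more cautious (geometric schedule: assumption). Returns the rate that
    "Maximum allowed bandwidth to WAN" levels off at, and the probe count."""
    rate, probes = start_kbit, 0
    while growth >= min_growth:
        candidate = rate * growth
        probes += 1
        if link(candidate) < optimal_latency_ms:
            rate = candidate                       # speedtest passed
        else:
            growth = 1.0 + (growth - 1.0) / 2.0    # cancelled: halve the step
    return rate, probes


def latency_autotune(idle_samples_ms, k_optimal: float = 2.0, k_max: float = 6.0):
    """Maximum allowed latency autotuning: derive both thresholds from the idle
    round-trip latency and its standard deviation (the multipliers are
    assumptions for this example)."""
    m, sd = mean(idle_samples_ms), pstdev(idle_samples_ms)
    return {"optimal_latency_below": m + k_optimal * sd,
            "maximum_allowed_latency": m + k_max * sd}


def channel_state(rate_kbit: float, latency_ms: float,
                  min_required_kbit: float, max_allowed_latency_ms: float) -> str:
    """Map a measurement to the channel states named in the manual."""
    if latency_ms > max_allowed_latency_ms:
        return "ConnectedStalled"   # out of the tunnel compound until latency recovers
    if rate_kbit < min_required_kbit:
        return "ConnectedTooSlow"   # e.g. a 64 KBit/s GPRS fallback, useless for bonding
    return "Connected"


if __name__ == "__main__":
    link = bufferbloated_link(capacity_kbit=1000.0, base_latency_ms=40.0)
    thresholds = latency_autotune([40, 42, 41, 43, 39, 41, 40, 44])   # constructed samples
    rate, probes = bandwidth_autotune(link, thresholds["optimal_latency_below"])
    print(f"levelled off at {rate:.0f} KBit/s after {probes} speedtests")
    print(channel_state(rate, link(rate), 128.0, thresholds["maximum_allowed_latency"]))
```

Run stand-alone, the probe sequence settles just below the point where the constructed link starts queueing, which is the 90-99% utilisation the text recommends; lowering "Optimal latency below" moves the plateau further from the link's capacity, raising it lets the probes run into the queue.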
QoS System and Bonding Options
The Quality of Service (QoS) System on the VPN tunnel level controls the prioritization of the different parallel data streams flowing through a tunnel relative to each other. QoS is of major importance in setups where application data sensitive to latency variations (VoIP, Software as a Service, Citrix etc.) is transferred in parallel with down- and uploads demanding large bandwidths.
By means of "QoS Traffic sorting rules", every newly established data stream (be it TCP, UDP, or any other protocol) will be sorted into one "QoS Traffic class". This is based on criteria such as the protocol in use, TCP or UDP port number, the IP header's DSCP/ToS bits, or source or target IP networks. Note that DSCP/ToS bits are set by the sending host and are not verified by the router, so a rule keyed on them alone lets any LAN host place its own traffic into a privileged class; combine them with port or network criteria where that matters.
All data streams sorted into the same "QoS traffic class" share the same properties defined for the respective class. Furthermore, these data connections internally share the same queue, which means that data streams will compete against each other within this class.
Hence, it is very important to avoid sorting data streams with highly divergent requirements into the same QoS class. If, for example, a certain class is being used for interactive traffic (e.g. Telnet or SSH connections) as well as for downloads that demand high bandwidths, the download data will obstruct the queue and thus lead to unnecessarily high latency for the interactive traffic.
Please note that the whole QoS System will exclusively regulate egress traffic directed to the WAN; on the side of a node this would mean the upstream viewed from the LAN. In order to regulate the data stream for downstream traffic on the side of the node, the respective settings must be altered on the side of the VPN Hub (again, this is egress traffic directed to the WAN). As a rule, QoS rules and classes should be identical on the sides of the VPN Node and VPN Hub for a VPN tunnel.
The Router ships with a default set of "QoS traffic sorting rules" and "QoS traffic classes". Although this set should fit most scenarios' requirements, after a traffic analysis it is often useful to define custom rules and classes.
Behind the main menu entry "QoS rules and classes templates" customizable templates for your own rule sets are available. These templates can be used to create optimized rule sets and classes once and apply them to various different VPN tunnels later.
With the help of a QoS class one can also define which internal algorithm should be used to distribute a certain type of traffic over multiple wires, or if at all. The choices behind "Channel selection/bonding modes" serve this purpose.
The following "Channel selection/bonding modes" exist:
BestChannel
For each new connection fitting into this class, from all available tunnel channels (hence WAN uplinks) the one best matching this connection's requirements will be chosen. This mode should be applied in absolutely exceptional cases only; most of the time bonding is desirable. The best use of this mode is for delay-bound traffic that reacts severely even upon the least latency jitter, as long as very stable WAN uplinks are used at the same time; in this case "BestChannel" reduces the connections' jitter. This may be useful e.g. for certain VoIP protocols.
Bonding
Carries out bonding of all available Tunnel Channels. Depending on the criteria defined along with the class, the best-matching Tunnel Channel will initially be chosen as base. All other Tunnel Channels that do not exceed the defined value "Maximum bonding latency" will be used, too. This mode is the best choice for most types of traffic. It is compatible with every known IP protocol. This mode will not alter the conveyed traffic, therefore it also will not optimize TCP traffic. When used with bonded connections that sum up to high bandwidth and high latency at the same time, due to the characteristics of TCP (the receive window limits the data in flight to window size divided by round-trip time) it might become impossible to exploit the full bandwidth available with only a single TCP connection, so that saturation of all uplinks will only occur with multiple TCP connections. In this case, the "BondingTCPOptimizer" is preferable.
BondingTCPOptimizer
In this mode TCP data streams are transparently optimized for various applications. Particularly problems with the "TCP Window Size" are avoided (see "Bonding"). With this mode, all uplinks can be fully exploited even with a single TCP connection only. The mode is therefore perfectly suited for all kinds of traffic demanding high bandwidth over a longer period of time, such as file downloads. Bonding will be performed for TCP connections only, though. Moreover, it is not fully compatible with every TCP/IP application. Particularly in combination with low-quality WiFi access points running behind the VPN Node, compatibility issues may occur that might lead to bad performance and stalled TCP connections. You should prefer this mode if your WAN links show high latencies (e.g. UMTS) and optimal exploitation of the available bandwidth is emphasized.
A "QoS Traffic Class" further contains the following important properties:
Packet Queue Size
Defines the size of the packet queue. The value in milliseconds determines the maximum time a packet of this class may be buffered (caused by congestion) before it is dropped. Please note that depending on the transfer rate this value may have great influence on the memory usage of the router. As a rule, this field needs no adjustment.
Packet queue moderation
Determines the behaviour in case of an overrunning packet queue, i.e. which packets have to be dropped. With this setting enabled, the packets to drop are randomly chosen (Random Early Detection); otherwise the last packets arrived will always get dropped (Tail Drop). Random Early Detection leads to more fairness with multiple connections of the same class, and therefore the default setting usually should be kept.
Minimum guaranteed bandwidth
Defines how much egress bandwidth is at least guaranteed to the sum of all connections in this class. Independent of how many data connections may exist in other classes, the bandwidth recorded here is reserved for this traffic class on demand. Use this setting to set up appropriate guarantees for applications demanding a guaranteed bandwidth (Streaming, VoIP). The value may be given either as an absolute value (in KBit/s) or as a percentage of all tunnel channels' available overall bandwidth.
Maximum allowed bandwidth
Specifies how much bandwidth the sum of all connections in this class may use at most. The value may again be given in absolute numbers or as a percentage. This setting is helpful in order to shape disagreeable traffic.
Priority of channel latency
Here, the importance of low latency for traffic of this class should be specified. This setting is of high importance for the "BestChannel" bonding mode, while it only has a subordinate impact on the remaining bonding modes.
Maximum bonding latency
This setting is used only in combination with the bonding mode "Bonding". In this bonding mode, this setting is of major importance, particularly when combining WAN links with highly differing latencies (e.g. DSL and UMTS). Here, a value should be chosen that, based on the link with the lowest latency, is acceptable as maximum additional latency when bonding additional links.
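The model below, written for this page and not taken from the router's firmware, ties together the three pieces of this chapter: the "QoS Traffic sorting rules" that place a new data stream into a class, the "Channel selection/bonding modes" of that class, and the "Minimum guaranteed"/"Maximum allowed bandwidth" shares on egress. The data model, the first-matching-rule order, the choice of the lowest-latency channel as "best match", and the way spare bandwidth is shared among classes are assumptions; the channel list, classes, rules and flows are constructed demo data.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Flow:
    """One newly established data stream (assumed minimal tuple plus DSCP)."""
    protocol: str            # "tcp", "udp", ...
    src: IPv4Address
    dst: IPv4Address
    dport: int = 0
    dscp: int = 0


@dataclass
class Channel:
    """One Tunnel Channel, i.e. one WAN module of the node."""
    name: str
    latency_ms: float
    bandwidth_kbit: float
    state: str = "Connected"   # or ConnectedStalled / ConnectedTooSlow


@dataclass
class TrafficClass:
    name: str
    bonding_mode: str = "Bonding"         # "BestChannel", "Bonding", "BondingTCPOptimizer"
    min_guaranteed: str = "0"             # KBit/s, or a percentage such as "20%"
    max_allowed: str = "100%"
    max_bonding_latency_ms: float = 50.0  # only used by mode "Bonding"


@dataclass
class SortingRule:
    """Every criterion that is set must match; unset criteria match anything."""
    traffic_class: str
    protocol: Optional[str] = None
    dports: frozenset = frozenset()
    dscp: frozenset = frozenset()
    src_net: Optional[IPv4Network] = None
    dst_net: Optional[IPv4Network] = None

    def matches(self, f: Flow) -> bool:
        return ((self.protocol is None or f.protocol == self.protocol)
                and (not self.dports or f.dport in self.dports)
                and (not self.dscp or f.dscp in self.dscp)
                and (self.src_net is None or f.src in self.src_net)
                and (self.dst_net is None or f.dst in self.dst_net))


def classify(flow: Flow, rules, default: str = "Default") -> str:
    """QoS traffic sorting: the first rule that fits decides the class (assumed order)."""
    return next((r.traffic_class for r in rules if r.matches(flow)), default)


def select_channels(cls: TrafficClass, flow: Flow, channels):
    """Channel selection/bonding mode. Only channels in state Connected take part;
    stalled or too-slow channels have left the tunnel compound. The channel with
    the lowest latency is taken as "best match"/base (assumption)."""
    usable = sorted((c for c in channels if c.state == "Connected"), key=lambda c: c.latency_ms)
    if not usable:
        return []
    base = usable[0]
    if cls.bonding_mode == "BestChannel":
        return [base]
    if cls.bonding_mode == "BondingTCPOptimizer":
        return usable if flow.protocol == "tcp" else [base]   # bonds TCP streams only
    limit = base.latency_ms + cls.max_bonding_latency_ms      # "Maximum bonding latency"
    return [c for c in usable if c.latency_ms <= limit]


def _kbit(value: str, total: float) -> float:
    """Resolve "20%" against the tunnel's bandwidth; pass absolute KBit/s through."""
    return total * float(value[:-1]) / 100 if value.endswith("%") else float(value)


def egress_shares(classes, demand_kbit, total_kbit):
    """Split the tunnel's egress bandwidth: each class first gets its guaranteed
    minimum (as far as it has demand); the rest is shared equally among classes
    with unmet demand, never above their maximum allowed bandwidth."""
    want = {c.name: min(demand_kbit.get(c.name, 0.0), _kbit(c.max_allowed, total_kbit)) for c in classes}
    share = {c.name: min(want[c.name], _kbit(c.min_guaranteed, total_kbit)) for c in classes}
    spare = total_kbit - sum(share.values())   # < 0 would mean oversubscribed guarantees
    while spare > 1e-9:
        unmet = [n for n in want if want[n] - share[n] > 1e-9]
        if not unmet:
            break
        per_class = spare / len(unmet)
        for n in unmet:
            give = min(per_class, want[n] - share[n])
            share[n] += give
            spare -= give
    return {n: round(v, 1) for n, v in share.items()}


# Constructed demo data (not from a real router): three WAN links, three classes.
CHANNELS = [Channel("ADSL", 22.0, 1200.0), Channel("SDSL", 18.0, 1000.0), Channel("UMTS", 95.0, 800.0)]
CLASSES = [TrafficClass("VoIP", "BestChannel", "20%"),
           TrafficClass("Interactive", "Bonding", "128", "100%", 30.0),
           TrafficClass("Bulk", "BondingTCPOptimizer", "0", "50%")]
RULES = [SortingRule("VoIP", protocol="udp", dports=frozenset({5060})),
         SortingRule("VoIP", dscp=frozenset({46})),            # EF-marked media streams
         SortingRule("Interactive", protocol="tcp", dports=frozenset({22, 23})),
         SortingRule("Bulk", protocol="tcp", dports=frozenset({80, 443}),
                     src_net=IPv4Network("192.168.10.0/24"))]
```

The second VoIP rule shows the caveat from the text: a stream marked DSCP 46 lands in the VoIP class whatever it carries, so the demo keeps the UDP/5060 rule in front of it and restricts the Bulk rule to a source network. With the demo channels, an "Interactive" stream is bonded over SDSL and ADSL only, because UMTS exceeds the 30 ms "Maximum bonding latency" above the 18 ms base.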
SNMP
Introduction
Multichannel VPN Routers and Multichannel VPN Hubs can be monitored centrally with the integrated SNMP service. Here, vital information on network interfaces and VPN tunnels can be retrieved. The SNMP standards SNMPv1, SNMPv2, SNMPv2c, as well as MIB-2 are implemented. SNMPv3, which would add per-user authentication and encryption, is not among them; access is controlled by the community name only (see Settings below).
Notice:
You can only read values through SNMP, but not alter them. To change your router configuration, please use the web interface.
Basic SNMP
The Multichannel VPN Routers 300, 1600, and 1610 and the Multichannel VPN Hub 1000 have only basic functions included. Extended SNMP features, such as detailed traffic information for individual interfaces, are available after purchasing an additional license that must be registered at the "Feature License Manager".
The integrated SNMP service implements the standard management information base for network components, the so-called MIB-2. Furthermore there is a particular Viprinet MIB especially designed for the requirements of our routers, which will be extended with newly added firmware features.
With MIB-2 basic functions, the following router properties can be retrieved:
Router name
Uptime
Status information of the LAN interface
Depending on the firmware version currently used by the router, further information may be available.
Extended SNMP
With the Multichannel VPN Router 2610 and the Multichannel VPN Hub 2000, and after purchasing an additional license with all other products, extended SNMP retrievals are available. These allow for status requests on modules and VPN tunnels as well as for determining their traffic rate. Below the "Interfaces" object (.1.3.6.1.2.1.2), modules as well as VPN tunnels are listed. Interfaces that represent a module are listed from index number 10 (index number 12 thus represents the module in slot three). VPN tunnels can be found under index numbers 100 and above. The particular Viprinet MIB also provides information on Tunnel Channels.
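The helper below, added for this page and not part of Viprinet's MIB or tooling, turns the index conventions just described into MIB-2 object identifiers and derives traffic rates from two successive Counter32 readings, including the wrap-around that a naive subtraction gets wrong. The OIDs are the standard MIB-2 ones (ifDescr, ifInOctets, ifOutOctets, sysLocation, sysContact); the slot-to-index mapping follows the manual, while numbering the first VPN tunnel as index 100 is an assumption. The two "walks" are constructed text in net-snmp output style, not captured from a device.

```python
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"         # ifDescr
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"    # ifInOctets, Counter32
IF_OUT_OCTETS = "1.3.6.1.2.1.2.2.1.16"   # ifOutOctets, Counter32
SYS_LOCATION = "1.3.6.1.2.1.1.6.0"       # sysLocation
SYS_CONTACT = "1.3.6.1.2.1.1.4.0"        # sysContact
COUNTER32_WRAP = 2 ** 32


def if_index_for_slot(slot: int) -> int:
    """Module in slot 1 is ifIndex 10, slot 3 is ifIndex 12 (as the manual states)."""
    if slot < 1:
        raise ValueError("module slots are numbered from 1")
    return 9 + slot


def if_index_for_tunnel(n: int) -> int:
    """VPN tunnels are listed from ifIndex 100; tunnel 1 = index 100 is an assumption."""
    if n < 1:
        raise ValueError("tunnels are numbered from 1")
    return 99 + n


def rate_kbit(prev_octets: int, cur_octets: int, interval_s: float) -> float:
    """Two Counter32 samples -> KBit/s, correcting a single wrap-around. A 100 MBit/s
    link wraps a 32-bit octet counter in under six minutes, so polling less often
    than that silently understates the rate (a second wrap is undetectable)."""
    delta = cur_octets - prev_octets
    if delta < 0:
        delta += COUNTER32_WRAP
    return delta * 8 / 1000 / interval_s


def parse_walk(lines):
    """Parse net-snmp style 'OID = TYPE: VALUE' lines into {oid: value}."""
    values = {}
    for line in lines:
        oid, _, rest = line.partition(" = ")
        kind, _, value = rest.partition(": ")
        if kind in ("Counter32", "Counter64", "INTEGER", "Gauge32", "Timeticks"):
            values[oid.strip()] = int(value.split()[0].strip("()"))
        else:
            values[oid.strip()] = value.strip().strip('"')
    return values


def interface_rates(poll_a, poll_b, interval_s, indexes):
    """(in, out) KBit/s per ifIndex between two walks taken interval_s apart."""
    a, b = parse_walk(poll_a), parse_walk(poll_b)
    rates = {}
    for idx in indexes:
        rates[idx] = (rate_kbit(a[f"{IF_IN_OCTETS}.{idx}"], b[f"{IF_IN_OCTETS}.{idx}"], interval_s),
                      rate_kbit(a[f"{IF_OUT_OCTETS}.{idx}"], b[f"{IF_OUT_OCTETS}.{idx}"], interval_s))
    return rates


# Constructed walk output, two polls 60 s apart (not captured from a real device).
SLOT1, TUNNEL1 = if_index_for_slot(1), if_index_for_tunnel(1)
POLL_A = [f'{IF_DESCR}.{SLOT1} = STRING: "Module slot 1"',
          f"{IF_IN_OCTETS}.{SLOT1} = Counter32: 4294900000",   # about to wrap
          f"{IF_OUT_OCTETS}.{SLOT1} = Counter32: 1000",
          f"{IF_IN_OCTETS}.{TUNNEL1} = Counter32: 1000",
          f"{IF_OUT_OCTETS}.{TUNNEL1} = Counter32: 500"]
POLL_B = [f'{IF_DESCR}.{SLOT1} = STRING: "Module slot 1"',
          f"{IF_IN_OCTETS}.{SLOT1} = Counter32: 682704",       # wrapped once in between
          f"{IF_OUT_OCTETS}.{SLOT1} = Counter32: 376000",
          f"{IF_IN_OCTETS}.{TUNNEL1} = Counter32: 3001000",
          f"{IF_OUT_OCTETS}.{TUNNEL1} = Counter32: 750500"]

if __name__ == "__main__":
    for idx, (rx, tx) in interface_rates(POLL_A, POLL_B, 60, [SLOT1, TUNNEL1]).items():
        print(f"ifIndex {idx}: in {rx:.1f} KBit/s, out {tx:.1f} KBit/s")
```

Whatever polls these counters sends the community name in the clear with every request (SNMPv1/v2c), so run the poller from the management network only and treat the community like any other shared secret.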
Settings
SNMP settings can be found in the web interface under "Logging & Maintenance" > "SNMP Settings". The following setting options are available:
Enabled
Activates or deactivates the SNMP service.
Community
The community name serves as authentication of SNMP clients. If no special authentication is needed, the community should be named "public". Please note that SNMP requests and the included community names are transferred unencrypted and can hence be seen by third parties. Therefore, the community name should never equal the router's root password. As "public" is the well-known default that any scanner tries first, choose a different community name on routers whose LAN interface is reachable from untrusted networks, and leave the service disabled if nothing polls it.
Location
Here, you can specify the router's location. This value can be read via system.sysLocation (.1.3.6.1.2.1.1.6).
Contact
Here, you can specify an administrative contact address. This value can be read via system.sysContact (.1.3.6.1.2.1.1.4).
Additional information
Monitoring system
Using the dedicated monitoring tool application (compatible with Windows 2000/XP/Vista/7) you may remotely monitor bandwidth utilization and other performance information of the router's VPN Tunnels and WAN modules in real time in a graphical fashion. This tool is also very suitable for diagnostics on underperforming WAN lines, e.g. to check if a line is overloaded, causing abnormal latency.
Start the Monitoring System program
Programs > Viprinet Monitor
Create account
You can create a single account for each router.
Select Account > New
The account name is an internal identification of the router.
As host name, enter the host name or IP of the router to be accessed (IP of the LAN Interface).
Username and password correspond to a user account of the Web Interface of the respective router. You may choose between the root account or a user account with reading rights for the queried VPN Tunnel; the read-only account is the better choice, as the monitoring tool needs nothing more.
Enter the name of the VPN Tunnel to be queried. The name must correspond to the name at "VPN Tunnels" in the Web Interface.
Settings
You can choose how data streams are displayed.
Select Options > Settings ... to activate or deactivate the options.
Display Account
Select Account > Account name to display the account.
Select Order by Channel or Order by Source
Select the desired tab.
Integration of VPN Clients/Road Warriors
Every Viprinet Router may, in addition to site-to-site VPN Tunnels, provide service to an unlimited number of connections from VPN Clients.
A VPN Client is a single computer which is located outside all networks connected per VPN. This can be a field representative or a home office.
These single workstations can be connected to the VPN network using VPN Client connections. The VPN Client integrates itself as a virtual network card into the operating system and then uses, comparable to the Multichannel VPN Router, up to two available broadband connections (like UMTS and WLAN) dynamically.
The VPN Clients dial into the Viprinet Router at the data center (VPN Hub).
A separate software with a separate licence is needed.
See the separate manual for instructions on installation and usage.
Service
Trouble shooting
Password forgotten or router no longer accessible
Should you have forgotten your root password, or should the router, due to misconfiguration, be unaccessible through the LAN interface, the router can be reset to delivery status with the reset button. Before taking this action, you should verify that the router is wired correctly.
Resetting the Viprinet Router
To reset the router into its initial state, hold the reset button at the front for at least 5 seconds (e.g. with a pencil). The router will now reset to default settings and restart. After about two minutes, the router should be found in the setup program. It can be configured anew.
Attention: By resetting the router, all configuration is lost beyond recovery. The LAN interface configuration will be deleted as well; the router will then be accessible through the setup program only. Details on reconfiguration can be found in the chapter Basic Configuration Using the Setup Program. Note also that the reset button asks for no password: whoever can touch the device can wipe its configuration and set a new root password through the setup program, so keep the router in a physically protected location and keep a current configuration backup (see Logging & Maintenance).
Service providers
Internet
Find current documentation and FAQ at: http://www.viprinet.com
Supplier
Turn to your supplier for help, e.g. with the configuration.
Address, Hotline:
Appendix
CIDR notation
In CIDR notation, a suffix is added, e.g. /24, to show how many bits of the address identify the network (and are therefore not available for hosts). In CIDR notation all octets which are 0 can be left out (seen from the right): 10/8 is the abbreviated form for 10.0.0.0/8 (i.e. the net starting at 10.0.0.0 with 8 bits identifying the network).
192.168.1/24 means:
24 bits identify the network; the range 192.168.1.0 to 192.168.1.255 belongs to it.
192.168.1.0/25 means:
25 bits identify the network; the range 192.168.1.0 to 192.168.1.127 belongs to it.
192.168.1.128/25 means:
25 bits identify the network; the range 192.168.1.128 to 192.168.1.255 belongs to it.
Example
CIDR: 192.168.2.7/24 | Address: 192.168.2.7 | Netmask: 255.255.255.0
Explanation: The notation 192.168.2.7/24 stands for the address 192.168.2.7 with the netmask 255.255.255.0; this is 11111111.11111111.11111111.00000000 in binary, i.e. there are 24 1-bits as indicated in the suffix. Using an AND operation the net address 192.168.2.0 can be determined from this address. Therefore, the IP address is located in a net ranging from 192.168.2.0 to 192.168.2.255.
CIDR: 10.43.8.67/28 | Address: 10.43.8.67 | Netmask: 255.255.255.240
Explanation: 10.43.8.67/28 stands for the address 10.43.8.67 with the netmask 255.255.255.240. In binary: 11111111.11111111.11111111.11110000, i.e. there are 28 1-bits as indicated in the suffix. The IP net where the host 10.43.8.67 is located ranges from 10.43.8.64 to 10.43.8.79 and is abbreviated by 10.43.8.64/28. The broadcast address is 10.43.8.79, the network address is 10.43.8.64, and the subnet can address 14 hosts.
CIDR   Number of addresses   Netmask            Netmask in binary
/8     16777216              255.0.0.0          11111111.00000000.00000000.00000000
/9     128x65536             255.128.0.0        11111111.10000000.00000000.00000000
/10    64x65536              255.192.0.0        11111111.11000000.00000000.00000000
/11    32x65536              255.224.0.0        11111111.11100000.00000000.00000000
/12    16x65536              255.240.0.0        11111111.11110000.00000000.00000000
/13    8x65536               255.248.0.0        11111111.11111000.00000000.00000000
/14    4x65536               255.252.0.0        11111111.11111100.00000000.00000000
/15    2x65536               255.254.0.0        11111111.11111110.00000000.00000000
/16    65536                 255.255.0.0        11111111.11111111.00000000.00000000
/17    128x256               255.255.128.0      11111111.11111111.10000000.00000000
/18    64x256                255.255.192.0      11111111.11111111.11000000.00000000
/19    32x256                255.255.224.0      11111111.11111111.11100000.00000000
/20    16x256                255.255.240.0      11111111.11111111.11110000.00000000
/21    8x256                 255.255.248.0      11111111.11111111.11111000.00000000
/22    4x256                 255.255.252.0      11111111.11111111.11111100.00000000
/23    2x256                 255.255.254.0      11111111.11111111.11111110.00000000
/24    1x256                 255.255.255.0      11111111.11111111.11111111.00000000
/25    128x1                 255.255.255.128    11111111.11111111.11111111.10000000
/26    64x1                  255.255.255.192    11111111.11111111.11111111.11000000
/27    32x1                  255.255.255.224    11111111.11111111.11111111.11100000
/28    16x1                  255.255.255.240    11111111.11111111.11111111.11110000
/29    8x1                   255.255.255.248    11111111.11111111.11111111.11111000
/30    4x1                   255.255.255.252    11111111.11111111.11111111.11111100
/31    2x1                   255.255.255.254    11111111.11111111.11111111.11111110
/32    1x1                   255.255.255.255    11111111.11111111.11111111.11111111
Netmask
A netmask is a bit mask that divides an IP address into a network part and a device part. It is used in IP
networks to make routing decisions. The netmask is also called network mask or subnet mask.
Structure and notation of a netmask
A netmask is as long as the IP address it is used on (that is 32 bits for IP version 4). All bits of the network
part are set to 1 and the bits of the device part are set to 0.
A netmask is mostly written not in binary but (as is also usual for IP addresses) in decimal. Therefore,
the IPv4 netmask for a 27-bit network part is 255.255.255.224, or in CIDR notation: /27.
decimal   255        255        255        224
binary    11111111   11111111   11111111   11100000
The number of 1-bits is 27, that is /27 in CIDR notation.
The usable address range of a net is defined by its netmask. With a /27 net, the first 27 bits of an IP
address are the net part and identical for all hosts in the net.
Determining the network and device part using the netmask
The two parts of the IPv4 address 130.94.122.195/27 can be determined using AND operations. The
netmask for /27 is 255.255.255.224 (see CIDR notation).
              decimal          binary                                calculation
IP address    130.094.122.195  10000010 01011110 01111010 11000011   IP address
Netmask       255.255.255.224  11111111 11111111 11111111 11100000   AND netmask
Network part  130.094.122.192  10000010 01011110 01111010 11000000   = network part

              decimal          binary                                calculation
IP address    130.094.122.195  10000010 01011110 01111010 11000011   IP address
Netmask       255.255.255.224  11111111 11111111 11111111 11100000   AND (NOT netmask)
Device part   3                00000000 00000000 00000000 00000011   = device part
Division of addresses
You can divide address spaces to create separate zones - subnets - or single LANs.
Division of private addresses, decimal
If you are using the private address space, it is easy to divide the addresses using the decimal
representation.
Range        Examples for branch offices                      Annotations
192.168/16   192.168.1/24, 192.168.2/24, 192.168.3/24, etc.   Up to 256 branch offices with up to 254 hosts can be
                                                              provided. The netmask is 255.255.255.0.
10/8         10.0.1/24, 10.0.2/24, 10.0.3/24, etc.            There may be up to 65536 branch offices with up to 254
                                                              hosts. The netmask is 255.255.255.0.
             10.1/16, 10.2/16, 10.3/16, etc.                  Up to 256 branch offices with up to 65534 hosts can be
                                                              provided. The netmask is 255.255.0.0.
Division of private addresses, binary
If the address space is not sufficient because you have more branch offices or need more hosts per branch
office, you may split up the address space at any digit of the binary representation. When splitting up
the net 192.168/16 into subnets of size /23 (510 hosts per subnet), the first subnet would start at
192.168.0/23, the second at 192.168.2/23, the third at 192.168.4/23, etc.
CIDR   Number of branch offices   Number of hosts
/20    2^4 = 16                   2^12 = 4096
/21    2^5 = 32                   2^11 = 2048
/22    2^6 = 64                   2^10 = 1024
/23    2^7 = 128                  2^9 = 512
/24    2^8 = 256                  2^8 = 256
Division of public addresses
When using an address space in the public range, you will have to split as exactly as possible to conserve
the limited public IP address range; this is done in binary. For example, assume the range 192.0.2.0/24 was
assigned to you. That means that the first 24 bits are needed to identify the net and you can freely assign 8.
In binary representation, you reserve bits for the net (1) and bits for the hosts (0). You have the following
possibilities at your disposal:
CIDR   Number of branch offices   Number of hosts
/25    2^1 = 2                    2^7 = 128
/26    2^2 = 4                    2^6 = 64
/27    2^3 = 8                    2^5 = 32
/28    2^4 = 16                   2^4 = 16
/29    2^5 = 32                   2^3 = 8
NAT-Network Address Translation
The Viprinet Router supports NAT. Using NAT, a request coming from the private IP address of a PC inside
the VPN will get its source IP replaced with a public one before packets get forwarded to the Internet.
Replies coming back from the Internet for this connection are then translated back by replacing the
destination IP address of the reply packets with the private one of the PC. Here is an example:
- A request from branch office 1 is to be sent to Google.
- The VPN Node router in the LAN sends the request to the VPN Hub via the VPN tunnel.
- The VPN Hub router in the data center replaces the private sender IP by its public NAT IP and
  forwards the request to the Internet.
- The VPN Hub stores this assignment in an internal table.
- The request reaches Google.
- Google answers to the public IP.
- The VPN Hub replaces the target address of the answer with the saved private address and forwards
  it to the appropriate VPN Node.
- The VPN Node sends the answer to the querying PC in the LAN.
NAT configuration in the Viprinet Router
When configuring a network, you should always take care to choose a router at the periphery to configure
for NAT. Normally this is the VPN Hub because, due to its connection to the Internet, it is the network
border.
Theoretically, it is also possible to configure a Viprinet Router at a branch office for NAT. This however is
not recommended, because it makes it impossible for the VPN Hub to distinguish between different hosts
on the VPN.
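The NAT table walk-through above and the note on where to place NAT, as an added Python simulation that is not Viprinet's code. All addresses are assumptions (hub NAT IP 198.51.100.1, server 203.0.113.5, branch PCs 192.168.1.10 and 192.168.1.11, a hypothetical branch router 10.0.1.1), and public ports are handed out sequentially from 40000 as a simplification:

```python
# Added example (not from the manual): a simulation of the NAT table described above.
# All addresses are assumptions: hub NAT IP 198.51.100.1, server 203.0.113.5,
# branch PCs 192.168.1.10/.11, and a hypothetical branch router address 10.0.1.1.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

class NatRouter:
    # Source NAT with an internal assignment table, as the VPN Hub does at the network border.
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port  # assumption: public ports are handed out sequentially
        self.flows = {}              # (private src, sport, dst, dport) -> public port
        self.table = {}              # public port -> that key (the stored assignment)

    def outbound(self, pkt):
        # replace the private sender IP by the public NAT IP and store the assignment
        key = tuple(pkt)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.flows[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        # translate a reply back to the saved private address; packets without a
        # matching entry are dropped because nobody inside the VPN requested them
        key = self.table.get(pkt.dport)
        if pkt.dst != self.public_ip or key is None or (pkt.src, pkt.sport) != key[2:]:
            return None
        return Packet(pkt.src, pkt.sport, key[0], key[1])

def round_trip(router, request):
    # request leaves through the router, the server answers the public IP, reply comes back
    public = router.outbound(request)
    reply = Packet(public.dst, public.dport, public.src, public.sport)
    return router.inbound(reply)

def private_addresses_seen_by_hub(nat_at_branch):
    # which sender addresses the hub's table records for two PCs of one branch office
    hub = NatRouter("198.51.100.1")
    branch = NatRouter("10.0.1.1")   # only used when NAT is (not recommended) enabled at the branch
    for src in ("192.168.1.10", "192.168.1.11"):
        req = Packet(src, 50000, "203.0.113.5", 80)
        if nat_at_branch:
            req = branch.outbound(req)  # private source is already hidden before the hub sees it
        hub.outbound(req)
    return {key[0] for key in hub.table.values()}
```

With NAT at the branch, the hub's table only ever records the branch router's address, which is the loss of host visibility the paragraph above warns about.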
IPs for computers in the LAN
Each computer within the LAN has to get its own IP address. In addition, the netmask, gateway as well as
the name server need to be configured. For every computer, choose e.g.:
- Obtain an IP address automatically: This setting is sensible in most cases. If activated, all other
  settings are obtained automatically. The DHCP server has to be activated either in the Viprinet
  Router or on another server that assigns IP addresses from the correct network range.
- IP address: Each computer needs its own IP address.
- Subnet mask: The subnet mask is determined by the network and device part.
- Default gateway: Enter the IP address of the Viprinet Router.
- Preferred DNS server: Enter the IP address of the Viprinet Router.