Ruijie Reyee RG-EG Series Routers

ReyeeOS 1.219

Web-based Configuration Guide

Document Version: V1.2

Date: July 06, 2023
Copyright © 2023 Ruijie Networks
Copyright
Copyright © 2023 Ruijie Networks

All rights are reserved in this document and this statement.

Any reproduction, excerption, backup, modification, transmission, translation, or commercial use of this document
or any portion of this document, in any form or by any means, without the prior written consent of Ruijie Networks
is prohibited.

, and other Ruijie networks logos are trademarks of Ruijie Networks.

All other trademarks or registered trademarks mentioned in this document are owned by their respective owners.

Disclaimer
The products, services, or features you purchase are subject to commercial contracts and terms. Some or all of
the products, services or features described in this document may not be within the scope of your purchase or
use. Unless otherwise agreed in the contract, Ruijie Networks does not make any express or implied statement
or guarantee for the content of this document.

Due to product version upgrades or other reasons, the content of this document will be updated from time to time.
Ruijie Networks reserves the right to modify the content of the document without any notice or prompt.

This manual is for reference only. Ruijie Networks endeavors to ensure content accuracy and will not shoulder
any responsibility for losses and damages caused due to content omissions, inaccuracies or errors.

I
 Preface
Intended Audience
This document is intended for:

 Network engineers

 Technical support and servicing engineers

 Network administrators

Technical Support
 Official website of Ruijie Reyee: https://www.ruijienetworks.com/products/reyee

 Technical Support Website: https://ruijienetworks.com/support

 Case Portal: https://caseportal.ruijienetworks.com

 Community: https://community.ruijienetworks.com

 Technical Support Email: [email protected]

Conventions

1. GUI Symbols

Interface symbol Description Example

1. Button names 1. Click OK.

Boldface 2. Window names, tab name, field 2. Select Config Wizard.

name and menu items
3. Link 3. Click the Download File link.

> Multi-level menus items Select System > Time.

2. Signs

The signs used in this document are described as follows:

Warning

An alert that calls attention to important rules and information that if not understood or followed can result in data
loss or equipment damage.

Caution

An alert that calls attention to essential information that if not understood or followed can result in function failure
or performance degradation.

Note

An alert that contains additional or supplementary information that if not understood or followed will not lead to
serious consequences.

I
 Specification

An alert that contains a description of product or version support.

3. Note

This manual introduces the product model, port type and CLI for your reference. In case of any discrepancy or
inconsistency between the manual and the actual version, the actual version prevails.

II
Web-based Configuration Guide Login

1 Login
1.1 Configuration Environment Requirements
1.1.1 PC

 Browser: Google Chrome, Internet Explorer 9.0, 10.0, and 11.0, and some Chromium/Internet Explorer kernel-
based browsers (such as 360 Extreme Explorer) are supported. Exceptions such as garble or format error
may occur if an unsupported browser is used.

 Resolution: 1024 x 768 or a higher resolution is recommended. If other resolutions are used, the page fonts
and formats may not be aligned, the GUI is less artistic, or other exceptions may occur.

1.2 Default Configuration

Table 1-1 Default Web Configuration

Item Default

IP address 192.168.110.1

Username and password are not required at your first

Username/Password
login and you can configure the router directly.

1.3 Login to Eweb

1.3.1 Connecting to the Router

You can open the management page and complete Internet access configuration only after connecting a client to
the router in either of the following ways:

 Wired Connection

Connect a local area network (LAN) port of the router to the network port of the PC, and set the IP address of the
PC. See Section 1.3.2 Configuring the IP Address of the Management Client for details.

 Wireless Connection

Connect the LAN port to the uplink port on the AP and power on the AP. On a mobile phone or laptop, search for
wireless network @Ruijie-mXXXX (XXXX is the last four digits of the MAC address of each device). In this mode,
you do not need to set the IP address of the management client, and you can skip the operation in Section 1.3.2
Configuring the IP Address of the Management Client.

1.3.2 Configuring the IP Address of the Management Client

Configure an IP address for the management client in the same network segment as the default IP address of the
device (The default device IP address is 192.168.110.1, and the subnet mask is 255.255.255.0.) so that the

3
Web-based Configuration Guide Login

management client can access the device. For example, set the IP address of the management client to
192.168.110.200.

1.3.3 Login

Enter the IP address (192.168.110.1 by default) of the router in the address bar of the browser to open the login
page.

Note

If the static IP address of the device is changed, or the device obtains a new dynamic IP address, the new IP
address can be used to access the web management system of the device as long as the management client
and the device are in the same network segment of a LAN.

(1) On the web page, enter the password and click Log In to enter the web management system.

Username and password are not required at your first login and you can configure the router directly.

For device security, you are advised to set the management password after your first login to the web
management system. After the password is set, you need to enter the password when you log in to the web
management system again.

If you forget the IP address or password, hold down the Reset button on the device panel for more than 5
seconds when the device is connected to the power supply to restore factory settings. After restoration, you
can use the default IP address and password to log in.

Caution
Restoring factory settings will delete the existing configuration and you are required to configure the device
again at your next login. Therefore, exercise caution when performing this operation.

4
Web-based Configuration Guide Login

1.3.4 Frequently-Used Controls on the Web Page

Table 1-1 Frequently-Used Controls on the Web Page

Control Description

Local Device: Allows you to configure all functions of the local

device.

Network: Allows you to configure common functions of all

wired and wireless Reyee products in batches on an ad hoc
network.

The navigation bar is arranged horizontally on the top when the

device acts as the slave device, and vertically on the left when
the device acts as the master device.

Click it to change the language.

Click it to log in to the MACC for remote O&M through the URL
or by scanning the QR code.

Click it to access the network setup wizard.

Click it to log out of the web management system.

Click Add or Batch Add to add one or more table entries in the
dialog box that appears. After adding the table entries, you can
view the added table entries on this page.

Click it to delete the selected table entries in batches.

Quickly locate the table entry you want to find through the drop-
down list or by entering a keyword.

Click them to edit, delete, or bind a table entry.

If the toggle switch is displayed in gray and the button is on the

left, the related function is disabled. If the toggle switch is
displayed in blue and the button is on the right, the related
function is enabled.

Update data on the current page.

5
Web-based Configuration Guide Login

Control Description

Set the number of table entries displayed on a page. Click a

page number or specify the page number to access the
corresponding page.

1.4 Work Mode

The device can work in router mode and AC mode. The system menu pages and configuration function scope
vary depending on the work mode. By default, the EG router works in router mode. To modify the work mode, see
Section 3.1 Switching the Work Mode.

1.4.1 Router Mode

The device supports routing functions such as route-based forwarding and network address translation (NAT),
VPN, and behavior management. It can allocate addresses to downlink devices, forward network data based on
routes, and perform NAT operations.

In the router mode, the device can access the network through Point-to-Point Protocol over Ethernet (PPPoE)
dialing, dynamic IP address, and static IP address. It can also directly connect to a fiber-to-the-home (FTTH)
network cable or an uplink device to provide network access and manage downlink devices.

1.4.2 AC Mode

The device supports Layer 2 forwarding only. The device does not provide the routing and Dynamic Host
Configuration Protocol (DHCP) server functions. By default, the WAN port obtains IP addresses through DHCP.
The AC mode is applicable to the scenario where the network is working normally. In AC mode, the device serves
as the management controller to access the network in bypass mode and manage the AP.

1.5 Configuration Wizard (Router Mode)

1.5.1 Getting Started

(1) Power on the device. Connect the WAN port of the device to an uplink device using an Ethernet cable, or
connect the device to the optical modem directly.

(2) Configure the Internet connection type according to requirements of the local Internet Service Provider (ISP).
Otherwise, the Internet access may fail due to improper configuration. You are advised to contact your local
ISP to confirm the Internet connection type:

○ Figure out whether the Internet connection type is PPPoE, DHCP mode, or static IP address mode.

○ In the PPPoE mode, a username, a password, and possibly a service name are needed.

○ In the static IP address mode, an IP address, a subnet mask, a gateway, and a DNS server need to be
configured.

6
Web-based Configuration Guide Login

1.5.2 Configuration Steps

1. Adding a Device to Network

You can manage and configure all devices in the network in batches by default. Please verify the device count
and network status before configuration.

Note

New devices will join in a network automatically after being powered on. You only need to verify the device
count.

If a new device is detected not in the network, click Add to My Network and enter its management password to
add the device manually.

Note
If there is a firewall device in the network, the Firewall Port Config page appears. Select the corresponding
port for configuration.

2. Creating a Network Project

Click Start Setup to configure the Internet connection type and management password.

(1) Network Name: Identify the network where the device is located.

(2) Internet: Configure the Internet connection type according to the requirements of the local ISP.

○ DHCP: The router detects whether it can obtain an IP address via DHCP by default. If the router connects
to the Internet successfully, you can click Next without entering an account.

○ PPPoE: Click PPPoE, and enter the username, password, and service name. Click Next.

○ Static IP: Enter the IP address, subnet mask, gateway, and DNS server, and click Next.

(3) Management Password: The password is used for logging in to the management page.

7
Web-based Configuration Guide Login

(4) Country/Region: You are advised to select the actual country or region.

(5) Time Zone: Set the system time. The network time server is enabled by default to provide the time service.
You are advised to select the actual time zone.

Click Create Network & Connect. The device will deliver the initialization and check the network connectivity.

The device can access the Internet now. Bind the device with a Ruijie Cloud account for remote management.
Follow the instruction to log in to Ruijie Cloud for further configuration.

Note
If your device is not connected to the Internet, click Exit to exit the configuration wizard.
Please log in again with the new password if you change the management password.

1.5.3 Forgetting the PPPoE Account

(1) Consult your local ISP.

(2) If you replace the old router with a new one, click Obtain Account from Old Device. Connect the old and
new routers to a power supply and start them. Insert one end of an Ethernet cable into the WAN port of the
old router and connect the other end to a LAN port of the new router, and click Obtain. The new router
automatically fetches the PPPoE account of the old router. Click Save to make the configuration take effect.

8
Web-based Configuration Guide Login

1.6 Configuration Wizard (AC Mode)

1.6.1 Getting Started

 Power on the device and connect the device to an uplink device.

 Make sure that the device can access the Internet.

1.6.2 Configuration Steps

(1) On the work mode setting page, change the work mode from router mode to AC mode. For details, see Section
3.1 Switching the Work Mode.

9
Web-based Configuration Guide Login

(2) After mode switching, the device will restart. After restart, the WAN port on the device obtains an IP address
through DHCP and accesses the network by using a dynamic IP address. The default Internet connection type
is DHCP mode. You can use the default value or manually configure a static IP address for the WAN port. For
details, see Section 1.5.2 Configuration Steps.

10
Web-based Configuration Guide Login

1.7 Switching Between Management Pages

After you disable self-organizing network discovery, the web page is in the Local Device mode. (Self-organizing
network discovery is enabled upon delivery. For details, see Section 3.1 Switching the Work Mode)

After you enable self-organizing network discovery, you can switch between the Network and Local Device web
pages. Click the current management mode in the navigation bar and select the desired mode from the drop-
down list box.

Network mode: View the management information of all devices in the network and configure all devices in the
current network from the network-wide perspective.

Local Device mode: Configure the device that you log in to.

Network page:

Local Device page:

11
Web-based Configuration Guide Login

12
Web-based Configuration Guide Network-Wide Monitoring

2 Network-Wide Monitoring
Choose Network > Overview.

The Overview page displays the current network topology, uplink and downlink real-time traffic, network
connection status, and number of users and provides short-cut entries for configuring the network and devices.
On the current page, you can monitor, configure, and manage the network status of the entire network.

2.1 Viewing Networking Information

The networking topology contains information about online devices, connected port numbers, device SNs, and
uplink and downlink real-time traffic.

13
Web-based Configuration Guide Network-Wide Monitoring

 Click a traffic data item to view the real-time total traffic information.

 Click a device in the topology to view the running status and configuration of the device and configure device

functions. By default, the product model is used as the device name. Click to modify the device name
so that the description can distinguish devices from one another.

14
Web-based Configuration Guide Network-Wide Monitoring

 Click List in the upper-left corner of the topology to switch to the device list view. Then, you can view device
information in the current networking. Click an item in the list to configure and manage the device separately.

 The update time is displayed in the lower-left corner of the topology view. Click Refresh to update the topology
to the latest state. It takes some time to update the topology data. Please wait patiently.

15
Web-based Configuration Guide Network-Wide Monitoring

2.2 Adding Networking Devices

2.2.1 Wired Connection

(1) When a new device connects to an existing device on the network, the system displays the message A devices
not in SON is discovered. and the number of such devices in orange under Devices. You can click Manage
to add this device to the current network.

16
Web-based Configuration Guide Network-Wide Monitoring

(2) After the system switches to the Network List page, click Other Network. In the Other Network section,
select the device to be added to the network and click Add to My Network.

17
Web-based Configuration Guide Network-Wide Monitoring

(3) You do not need to enter the password if the device is newly delivered from factory. If the device has a
password, enter the management password of the device. Device addition fails if the password is incorrect.

2.2.2 AP Mesh

If the AP supports the AP Mesh (Reyee Mesh) function, you do not need to connect cables after powering on the
AP. The AP can be added to the current network in Reyee Mesh mode, establish a mesh networking with other
wireless devices, and automatically synchronize Wi-Fi configuration.

Caution

To scan the AP, the Reyee Mesh function must be enabled on the current network. (For details, see Section 4.11
Enabling Reyee Mesh.) The AP should be powered on nearby. It may fail to be scanned in case of long distance
or obstacle blocking.

18
Web-based Configuration Guide Network-Wide Monitoring

(1) Place the powered new AP near an existing AP, where the new AP can receive Wi-Fi signals from the existing
AP. Log in to a device in the network. On the Overview page, click +AP in the upper-right corner of the topology
to scan nearby APs that do not belong to the current network and are not connected to a network cable.

(2) Select the target AP to add it to the current network. You do not need to enter the password if the device to
add is new. If the device has a password, enter the management password of the device.

2.3 Configuring the Service Network

The wireless and wired network configurations of the current network are displayed in the lower-left of the
Overview page. Click Setup to switch to the service network configuration page (Network > Network Planning).

19
Web-based Configuration Guide Network-Wide Monitoring

2.3.1 Configuring the Wired Network

(1) Click Add Wired VLAN to add wired network configuration, or select an existing wired VLAN and click Setup
to modify its configuration.

(2) Configure a VLAN for wired access, specify the address pool server for access clients in this VLAN, and
determine whether to create a new DHCP address pool. By default, the gateway is used as the address pool
server to allocate addresses to access clients. If an access switch is available in this networking, you can
select this switch as the address pool server. After setting the service parameters, click Next.

(3) Select the switch to configure in the topology, select the switch ports added to this VLAN, and click Next.

20
Web-based Configuration Guide Network-Wide Monitoring

(4) Confirm that the configuration items to be delivered are correct and then click Save. Wait a moment for the
configuration to take effect.

2.3.2 Configuring the Wireless Network

(1) Click Add Wi-Fi VLAN to add wireless network configuration.

(2) Set the SSID, Wi-Fi password, and applicable bands. Click Next.

21
Web-based Configuration Guide Network-Wide Monitoring

Applicable bands include 2.4 GHz, 5 GHz, and 2.4 GHz + 5 GHz.

Security types include Open, WPA-PSK, WPA2-PSK, and WPA_WPA2-PSK. When the security type is set
to WPA-PSK, WPA2-PSK, or WPA_WPA2-PSK, a Wi-Fi password is required.

Click Expand to configure the advanced parameters, including Hide SSID, Client Isolation, and Band Steering.

(3) Configure a VLAN for wireless access, specify the address pool server for access clients in this VLAN, and
determine whether to create a new DHCP address pool. By default, the gateway is used as the address pool
server to allocate addresses to access clients. If an access switch is available in this networking, you can
select this switch as the address pool server. After setting the service parameters, click Next.

(4) Confirm that the configuration items to be delivered are correct and then click Save. Wait a moment for the
configuration to take effect.

22
Web-based Configuration Guide Network-Wide Monitoring

2.4 Supporting Traffic Monitoring

Traffic monitoring can be carried out based on ports, users, and applications. The real-time or historical uplink
traffic, downlink traffic, and number of sessions can be displayed.

2.4.1 Viewing Real-time Traffic

Choose Local Device > Overview > Real Time Flow.

(1) View real-time traffic of a port.

a Click the Port Real-Time Flow tab.
b Set Choose Outbound Interface.
Set Choose Outbound Interface to a port or ALL-WAN. You can view the uplink or downlink traffic of
a port or the system.

c View traffic in the last one hour.

Choose a port or ALL-WAN from the Choose Outbound Interface drop-down list and view the traffic
and sessions (including sessions of an original WAN port after LAN/WAN switching) in the last one hour.

23
Web-based Configuration Guide Network-Wide Monitoring

Note
Uplink traffic and downlink traffic are color-coded in the figure. You can move the cursor over a curve to
view uplink traffic and downlink traffic at a certain time.

(2) View real-time traffic of a user.

a Click the User Real-Time Flow tab.

b The system displays real-time traffic of users.

You can view the IP address, online duration, uplink traffic, and downlink traffic of each user.

If there are multiple users, the system displays traffic data by downlink traffic in descending order by
default. The sorting mode can be switched based on uplink traffic or downlink traffic. You can set the
traffic unit, number of items to be displayed on the current page, paging display, and other functions
based on service requirements.

c View traffic details of a user.

Note
Only EG3XX series devices (such as EG310G-E) support this function and Flow-audit Switch on the
App Real-Time Flow tab page needs to be turned on.

Click Detailed. The pop-up page displays the uplink traffic and downlink traffic of each app used by the
current user. You can set the sorting mode (by downlink traffic or uplink traffic), unit, and other parameters
based on service requirements.

24
Web-based Configuration Guide Network-Wide Monitoring

(3) View real-time traffic of an app.

a Click the App Real-Time Flow tab.
b Turn on Flow-audit Switch.

c The system displays real-time traffic of apps.

You can view the name, application group, uplink traffic, and downlink traffic of each app.

If there are multiple apps, the system displays traffic data by downlink traffic in descending order by
default. The sorting mode can be switched based on uplink traffic or downlink traffic. You can set the
traffic unit, number of items to be displayed on the current page, paging display, and other functions
based on service requirements.

d View traffic details of an app.

Note
Only EG3XX series devices (such as EG310G-E) support this function.

Click Detailed. The pop-up page displays details about the traffic of each user who uses the current app.
You can set the sorting mode (by downlink traffic or uplink traffic), unit, and other parameters based on
service requirements.

25
Web-based Configuration Guide Network-Wide Monitoring

2.4.2 Viewing Historical Traffic

Choose Local Device > Overview > Flow History.

(1) View historical traffic of a port.

a Click the Port Flow History tab.
b Set Choose Outbound Interface and Time Span.
Set Choose Outbound Interface to a port or ALL-WAN. You can view the uplink or downlink traffic of a
port or the system.

The system allows you to view historical data of 24 hours or 48 hours. Set Time Span and Choose
Outbound Interface. The system displays historical data of a port or all ports in the current time span.

Note
Uplink traffic and downlink traffic are color-coded in the figure. You can move the cursor over a curve to
view uplink traffic and downlink traffic at a certain time.

(2) View historical traffic of a user.

a Click the User Flow History tab.
b Set Time Span.
On the User Flow History tab page, you can view today's or this week's historical traffic data of a user.

For example, you can click This Week to switch to this week's data statistics display page, as shown in
the figure below.

26
Web-based Configuration Guide Network-Wide Monitoring

If there are multiple users, the system displays traffic data by downlink traffic in descending order by
default. You can view the online duration, uplink traffic, and downlink traffic of each user in the time span.
The sorting mode can be switched based on uplink traffic or downlink traffic. You can set the traffic unit,
number of items to be displayed on the current page, paging display, and other functions based on service
requirements.

c View traffic details of apps used by a user.

Note
Only EG3XX series devices (such as EG310G-E) support this function and Flow-audit Switch on the
App Flow History tab page needs to be turned on.

Click Detailed. The pop-up page displays the traffic and online duration of each app used by the current
user. You can set the sorting mode (by downlink traffic or uplink traffic), unit, and other parameters based
on service requirements.

(3) View historical traffic of an app.

a Click the App Flow History tab.
b Turn on Flow-audit Switch.

Note
The status of Flow-audit Switch is consistent with that of Flow-audit Switch on the App Real-Time
Flow page. After it is turned on, the app real-time flow function and app flow history function are enabled.

c Set the time span.

On the App Flow History tab page, you can view today's or this week's historical user data.

For example, you can click This Week to switch to this week's data statistics display page, as shown in
the figure below.

27
Web-based Configuration Guide Network-Wide Monitoring

If there are multiple apps, the system displays traffic data by downlink traffic in descending order by default.
You can view the name, application group, uplink traffic, and downlink traffic of each app in the time span.
The sorting mode can be switched based on uplink traffic or downlink traffic. You can set the traffic unit,
number of items to be displayed on the current page, paging display, and other functions based on service
requirements.

d View traffic details of an app.

Note
Only EG3XX series devices (such as EG310G-E) support this function.

Click Detailed. The pop-up page displays details about the traffic of each user who uses the current app.
You can set the sorting mode (by downlink traffic or uplink traffic), unit, and other parameters based on
service requirements.

28
Web-based Configuration Guide Network-Wide Monitoring

2.5 Supporting the URL Logging Function

URL logs record and display website domain names accessed by devices connected to LAN ports within a certain
minute, access count, and audit results.

Note
Only EG3XX series devices (such as EG310G-E) support this function.

Choose Local Device > Overview > URL Log.

(1) Enable the URL logging function.

Click Enable and then click OK.

(2) (Optional) Configure record IP.

The system records access records of all devices connected to LAN ports by default. If you need to view
access records of a single device, set record IP.

Enter the device IP address in record IP and click Save.

29
Web-based Configuration Guide Network-Wide Monitoring

Note
If you need to restore access records of all devices connected to LAN ports, clear information in record IP and
click Save.

(3) Check access records.

The system displays detailed access records, including the time, IP address, and access count.

You can search for access records by IP address or URL.

2.6 Processing Alerts

If a network exception occurs, alert message on this exception and the corresponding solution are displayed on
the Overview page. Click the alert message in the Alert Center section to view the faulty device, problem details,
and its solution. Troubleshoot and process the alert according to the solution.

30
Web-based Configuration Guide Network-Wide Monitoring

2.7 Configuring the Audit Log

After the audit log function is enabled and configured, the system will generate the DHCP lease time logs, URL
logs of online users, and NAT logs.

Choose Local Device > Advanced > Audit Log.

31
Web-based Configuration Guide Network-Wide Monitoring

(1) Click Enable to enable the audit log function.

Note

The system will clear the logs if you enable the audit log function and then disable it.

(2) Configure the following parameters related to the audit log function.

Parameter Description

Configur the log output format. Currently DHCP logs, URL

Server Type
logs and NAT logs only support Türkiye-5651mode.

Configure the log server address. Only IPv4 addresses are

Server Address
supported.

Configure the server port ID, which can be customized.

Port
The default port ID is 514.

Configure the log sending rate at which the device sends

the audit logs to the server. The default rate is 5000 logs
Log Sending Rate
per second and the customized rate ranges from 1 to
10000 logs per second.

Configure the log type sent to the server, including DHCP

logs, NAT logs and URL logs.

You can specify the sending priority for the logs: High,
Log Type
Medium, and Low. If the log type is in the high-prority list,
its cache line will be prioritized and the logs will be sent to
the server preferentially.

(3) Click Save.

32
Web-based Configuration Guide Network-Wide Monitoring

Click Show Log Status to view the status of the audit log function, including the server IP address, server
connection status, sending history of each log type (including the logs in the three statuses: Received, Sent,
and Discarded).

33
Web-based Configuration Guide Network Settings

3 Network Settings
3.1 Switching the Work Mode
3.1.1 Work Mode

For details, see Section 1.4 Work Mode.

3.1.2 Self-Organizing Network Discovery

When setting the work mode, you can set whether to enable the self-organizing network discovery function. This
function is enabled by default.

After the self-organizing network discovery function is enabled, the device can be discovered in the network and
discover other devices in the network. Devices network with each other based on the device status and
synchronize global configuration. You can log in to the Web management page of any device in the network to
check information about all devices in the network. After this function is enabled, clients can maintain and manage
the current network more efficiently. You are advised to keep this function enabled.

If the self-organizing network discovery function is disabled, the device will not be discovered in the network and
it runs in standalone mode. After logging in to the Web page, you can configure and manage only the currently
logged in device. If only one device is configured or global configuration does not need to be synchronized to the
device, you can disable the self-organizing network discovery function.

Note
In AC mode, the self-organizing network discovery function is enabled by default.
After the self-organizing network discovery function is enabled, you can view the self-organizing role of the
device on the Device Details page.

The menus on the Web page vary depending on whether the self-organizing network discovery function is
enabled. (For details, see Section 1.7 Switching Between Management Pages.) Find the configuration entry for
this function according to the instructions in Configuration Steps below.

3.1.3 Configuration Steps

Choose Local Device > Overview > Device Details.

Click the current work mode to edit the work mode.

Caution

After you switch the work mode, the device will restore factory settings and restart. Please proceed with caution.

34
Web-based Configuration Guide Network Settings

AC function switch: If a device works in the router mode and the self-organizing network discovery function is
enabled, you can enable or disable the AC function. After the AC function is enabled, the device in the router
mode supports the virtual AC function and can manage downlink devices. If this function is disabled, the device
needs to be elected as an AC in self-organizing network mode and then manage downlink devices.

3.1.4 Viewing the Self-Organizing Role

Choose Local Device > Overview > Device Details.

After the self-organizing network discovery function is enabled, you can view the self-organizing role of the device
on the Device Details page.

Master AP/AC: The device functions as an AC to manage downlink devices.

Slave AP: The device connects to the AC in self-organizing mode and is managed by the AC. Slave APs are
uniformly managed by the master AP/AC. Some wireless network configurations cannot be modified separately
in local mode, and must be delivered by the master AP/AC.

35
Web-based Configuration Guide Network Settings

3.2 Port Settings

You can choose Port Settings to set port parameters and view the port information.

3.2.1 Setting the Port Parameters

Choose Local Device > Overview > Network > Port Settings > Basics.

(1) Choose the target port and click Edit.

36
Web-based Configuration Guide Network Settings

(2) Set the port paramters and click OK.

3.2.2 Viewing the Port Information

Choose Local Device > Overview > Network > Port Settings > Port Info.

3.3 Configuring the WAN Ports

Choose Local Device > Basics > WAN.

You can configure multi-line access for the device to allow multiple lines to work simultaneously. After you switch
to multi-line access, you need to specify the egress provider of the lines and set the load balancing mode, in
addition to setting basic network parameters for the WAN ports.

Caution

The number of lines supported varies with the product. The actual configuration prevails.

3.3.1 Configuring the Internet Access Mode

Choose Local Device > Basics > WAN > Single Line/Dual-Line/Three Lines/Four Lines.

The device can access the WAN in one of the following three methods: static IP, DHCP, and PPPoE dialing. Select
a proper method based on the actual broadband line type. For details, see Section 1.5 Configuration Wizard
(Router Mode).

37
Web-based Configuration Guide Network Settings

3.3.2 Modifying the MAC Address

Choose Local Device > Basics > WAN > Single Line/Dual-Line/Three Lines/Four Lines > Advanced Settings.

Sometimes, the provider restricts Internet access of devices with unknown MAC addresses out of security
considerations. In this case, you can change the MAC addresses of the WAN ports to valid MAC addresses.

Click Advanced Settings, enter a MAC address, and click Save. You do not need to modify the default MAC
address unless otherwise specified.

38
Web-based Configuration Guide Network Settings

3.3.3 Modifying the MTU

Choose Local Device > Basics > WAN > Single Line/Dual-Line/Three Lines/Four Lines > Advanced Settings.

MTU specifies the maximum transmission unit allowed to pass a WAN port. By default, the MTU of a WAN port
is 1500 bytes. Sometimes, large data packets are limited in transmission speed or prohibited in the ISP network,
leading to slow network speed or even network disconnection. If this occurs, you can set the MTU to a smaller
value.

3.3.4 Configuring the Private Line

Choose Local Device > Basics > WAN > Single Line/Dual-Line/Three Lines/Four Lines > Advanced Settings.

Turn on Private Line and determine whether to set the current WAN line as a private line. Generally, private lines
are used for access to specific internal networks but not the Internet. Private lines provide higher network security.

39
Web-based Configuration Guide Network Settings

3.3.5 Configuring the VLAN Tag

Choose Local Device > Basics > WAN > Single Line/Dual-Line/Three Lines/Four Lines > Advanced Settings.

Some ISPs require that packets transmitted to their networks carry VLAN IDs. In this case, you can enable the
VLAN tag function and set a VLAN ID for the WAN port. By default, the VLAN tag function is disabled. You are
advised to keep the VLAN tag function disabled unless otherwise specified.

3.3.6 Configuring the Multi-Line Load Balancing Mode

Choose Local Device > Basics > WAN > Single Line/Dual-Line/Three Lines/Four Lines > ISP/Load Settings >
Load Balancing Settings.

When multiple lines are available, some traffic is forwarded along the line selected based on the address library
and the remaining traffic is distributed to other lines in load balancing mode.

Table 3-1 Load balancing modes

40
Web-based Configuration Guide Network Settings

Load Balancing Mode Description

The traffic will be spread across multiple links according to the weight of each
WAN port. Larger traffic will be distributed to the WAN port with a higher
weight.
Balanced
When you select this mode, you must specify the weight of each WAN port.

For example, if WAN and WAN 1 weight are set to 3 and 2 respectively, 60%
of the total traffic will be routed over WAN and 40% over WAN 1.

All traffic is routed over the primary interface. Once the primary interface fails,
traffic will be switched over to the secondary interface.
Primary & Secondary
If there are multiple primary or secondary interfaces, please configure their
weight. (See balanced mode.)

After you set the load balancing mode to balanced, you can configure load balancing policies.

Table 3-2 Load balancing policies

Load Balancing Policy Description

After you enable this policy, the traffic is routed over multiple links based on
Based on Link the links. Packets with the same source IP address, destination IP address,
source port, destination port, and protocol are routed over the same link.

41
Web-based Configuration Guide Network Settings

Load Balancing Policy Description

After you enable this policy, the traffic is routed over multiple links based on
the source IP address. The traffic from the same user (same source IP
Based on Src IP Address address) will be routed to the same outbound interface. This policy prevents
traffic from the same user from being routed to different links, lowering the
risks of network access exceptions.

After you enable this policy, the traffic is routed over multiple links based on
Based on Src and Dest IP the source IP address and destination. The traffic of the same source IP
Address address and destination IP address will be routed to the same outbound
interface.

After you enable this feature, the traffic is routed over multiple links based on
Smart Load Balancing the link bandwidth, the actual loads of the links, application recognition and
traffic prediction.

3.3.7 Configuring Line Detection

Choose Local Device > Basics > WAN > Line Detection.

After configuring multiple WAN ports, use the line detection function to check whether lines are connected to the
external network. If the network is down, the system does not select a route based on the interface, such as load
balancing, policy-based routing, and ISP routing.

(1) In the WAN port list, select a WAN port for line detection, and click Edit.

(2) Configure the parameters of the line detection function.

Table 3-3 Line Detection

Parameter Description

Detection Interval The time interval of connectivity test.

The system periodically sends a ping message to a detection destination IP

address at the specified interval. If the ping succeeds and the number of
Rounds for Going Online
consecutive successful pings reaches the set number of Rounds for Going
Online, the WAN port is set to be online.

42
Web-based Configuration Guide Network Settings

Parameter Description

The system periodically sends a ping message to a detection destination IP

address at the specified interval. If the ping fails and the number of consecutive
Rounds for Going Offline
unsuccessful pings reaches the set number of Rounds for Going Offline, the
WAN port is set to be offline.

The destination IP address to which the system sends ping messages.

Detected Dest IP You can set up to three destination IP addresses. The system sends ping
messages to one of the IP addresses randomly during detection.

(3) Click OK.

3.4 Configuring the LAN Ports

3.4.1 Modifying the LAN Port IP Address

Choose Local Device > Basics > LAN > LAN Settings.

Click Edit. In the dialog box that appears, enter the IP address and subnet mask, and then click OK. After you
modify the LAN port IP address, you need to enter the new IP address in the browser to log in to the device again
before you can configure and manage this device.

43
Web-based Configuration Guide Network Settings

3.4.2 Modifying the MAC Address

Choose Local Device > Basics > LAN > LAN Settings.

If a static Address Resolution Protocol (ARP) entry (binding between IP address and MAC address of the gateway)
is configured to prevent ARP attacks to clients in the LAN, the gateway IP address remains unchanged but its
MAC address changes when the gateway is replaced. As a result, the client may fail to learn the gateway MAC
address. You can modify the static ARP entry of the client to prevent this problem. You can also change the LAN
port MAC address of the new device to the MAC address of the original device to allow clients in the LAN to
access the Internet normally.

Click Edit. In the dialog box that appears, enter the MAC address, and then click OK. You do not need to modify
the default LAN port MAC address unless otherwise specified.

44
Web-based Configuration Guide Network Settings

3.4.3 Configuring ARP Guard

After ARP guard is enabled, only devices configured with IP-MAC binding on the LAN are allowed to access the
external network.

Before enabling ARP guard, configure ARP binding. For specific steps, see 3.10.2 Configuring ARP Binding.

(1) Enable ARP guard.

(2) Select an effective port.

If you select Select All, the configuration will take effect on all clients on the LAN. If you select a specified
port, the configuration will take effect only on clients connected to the port.

3.5 Configuring VLAN

3.5.1 VLAN Overview

Virtual Local Area Network (VLAN) is a communication technology that divides a physical LAN into multiple logical
broadcast domains. Each VLAN has independent broadcast domains. Hosts in the same VLAN can directly
communicate with each other, while hosts in different VLANs cannot as they are isolated at Layer 2. Compared
with traditional Ethernet, VLAN has the following advantages:

 Control broadcast storms: Broadcast packets can only be forwarded inside a VLAN. This saves bandwidth as
the performance of a VLAN is not affected by broadcast storms of other VLANs.

 Enhance LAN security: As a VLAN is divided into multiple broadcast domains, packets of different VLANs in a
LAN are isolated. Different VLAN users cannot directly communicate, enhancing network security.

 Simplify network management: The VLAN technology can be used to divide the same physical network into
different logical networks. When the network topology changes, you only need to modify the VLAN
configuration, simplifying network management.

45
Web-based Configuration Guide Network Settings

3.5.2 Creating a VLAN

Choose Local Device > Basics > LAN > LAN Settings.

A LAN can be divided into multiple VLANs. Click Add and create a VLAN.

Table 3-4 VLAN configuration

46
Web-based Configuration Guide Network Settings

Parameter Description

Configure an IP address for the VLAN interface. This IP address is used as the default
IP
gateway for the LAN devices that need to access the Internet.

Subnet Mask Configure an IP address subnet mask for the VLAN interface.

VLAN ID Configure the VLAN ID.

Remark Enter the VLAN description.

MAC Configure an MAC address for the VLAN interface.

Enable the DHCP server function. After this function is enabled, devices in the LAN
can automatically obtain IP addresses. You also need to specify the start address for
DHCP Server IP address allocation by the DHCP server, the number of IP addresses that can be
allocated, and the address lease. You can also configure DHCP Options. For details,
see Section 3.7.3 Configuring the DHCP Server.

Caution

The VLAN configuration is associated with the uplink configuration. Exercise caution when you perform this
operation.

3.5.3 Configuring a Port VLAN

Choose Local Device > Basics > Port VLAN.

This page displays the VLAN division of the current port. Create VLANs on the LAN Settings page and then
configure the port based on the VLANs on this page. For details, see Section 3.4.2 Creating a VLAN.

Click the check box under a port and select the relationship between VLAN and port from the drop-down list box.

 UNTAG: Configure the VLAN as the native VLAN of the port. When the port receives packets from the specified
VLAN, the port removes the VLAN ID before forwarding the packets. When the port receives packets without
a VLAN ID, the port adds this VLAN ID to the packets before forwarding them. You can set only one VLAN of
the port to UNTAG.

 TAG: Configure the port to allow packets with this VLAN ID to pass. This VLAN is not the native VLAN. When
the port receives packets from the specified VLAN, it forwards the packets with the original VLAN ID.

 Not Join: Configure the port to deny packets with this VLAN ID to pass. For example, if you set VLAN 10 and
VLAN 20 to Not Join for port 2, port 2 will not receive packets from VLAN 10 and VLAN 20.

47
Web-based Configuration Guide Network Settings

3.6 Configuring DNS

3.6.1 Local DNS

When the WAN interface runs DHCP or PPPoE protocol, the device automatically obtains the DNS server address.
If the upper-layer device does not deliver the DNS server address or the DNS server needs to be changed, you
can manually configure a new DNS server.

Choose Local Device > Advanced > Local DNS.

Local DNS server: Configure the DNS server address used by the local device. If multiple addresses exist,
separate them with spaces.

3.6.2 DNS Proxy

DNS proxy is optional configuration. By default, the device obtains the DNS server address from the upper-layer
device.

Choose Local Device > Basics > LAN > LAN Settings.

DNS Proxy: By default, the DNS proxy is disabled, and the DNS address delivered by the ISP is used. If the DNS
configuration is incorrect, the device may fail to parse domain names and network access will fail. It is
recommended to keep the DNS proxy disabled.

DNS Server: Enable clients to access the Internet by using the DNS server address delivered by the upper-layer
device. The default settings are recommended. After the DNS proxy is enabled, you need to enter the DNS server
IP address. The DNS settings vary with the region. Consult the local ISP for details.

48
Web-based Configuration Guide Network Settings

3.7 Configuring IPv6

3.7.1 IPv6 Overview

Internet Protocol Version 6 (IPv6) is the next-generation IP protocol designed by Internet Engineering Task Force
(IETF) to substitute IPv4. It is used to compensate insufficient IPv4 network addresses.

3.7.2 IPv6 Basics

1. IPv6 Address Format

IPv6 extends 32-bit IPv4 address into 128 bits, providing wider address space than IPv4.

The basic format of an IPv6 address is X:X:X:X:X:X:X:X. It is represented as eight groups of four hexadecimal
digits (0-9, A-F), each group representing16 bits. The groups are separated by colons (:). In this format, each X
represents a group of four hexadecimal digits.

Samples of IPv6 addresses are 2001:ABCD:1234:5678:AAAA:BBBB:1200:2100, 800:0:0:0:0:0:0:1, and

1080:0:0:0:8:800:200C:417A.

The digit 0 in an IPv6 address can be suppressed as follows:

 Leading zeros in each 16-bit field are suppressed. For example, 2001:00CD:0034:0078:000A:000B:1200:2100
can be suppressed to 2001:CD:34:78:A:B:1200:2100.

 The long sequence of consecutive all-zero fields in some IPv6 addresses can be replaced with two colons (::).
For example, 800:0:0:0:0:0:0:1 can be represented as 800::1. The two colons (::) can be used only when all
the 16 bits in a group are 0s, and it can appear only once in an IPv6 address.

2. IPv6 Prefix

IPv6 addresses are typically composed of two logical parts:

 Network prefix: n bits, corresponding to the network ID in IPv4 addresses

 interface ID: (128 – n) bits, corresponding to the host ID in IPv4 addresses

A slash (/) is used to separate the length of network prefix from an IPv6 address. For example,
12AB::CD30:0:0:0:0/60 indicates that the 60-bit network prefix in the address is used for route selection. IPv6
prefixes can be obtained from the IPv6 DHCP server, along with IPv6 addresses. A downlink DHCP server can
also automatically obtain IPv6 prefixes from its uplink DHCP server.

49
Web-based Configuration Guide Network Settings

3. Special IPv6 Addresses

There are some special IPv6 addresses:

fe80::/8: loopback address, similar to the IPv4 address 169.254.0.0/16

fc00::/7: local address, similar to IPv4 addresses 10.0.0.0/8, 172.16.0.0/16, and 192.168.0.0/16

ff00::/12: multicast address, similar to the IPv4 address 224.0.0.0/8

4. NAT66

IPv6-to-IPv6 Network Address Translation (NAT66) is a process of converting the IPv6 address in the IPv6 data
packet header into another IPv6 address. NAT66 can be implemented by converting the prefix in an IPv6 address
in an IPv6 data packet header into another IPv6 address prefix. NAT66 enables mutual access between an
internal network and an external public network.

3.7.3 IPv6 Address Allocation Modes

 Manual configuration: IPv6 addresses, prefixes, and other network parameters are configured manually.

 Stateless Address Autoconfiguration (SLAAC): The link-local address is generated based on the interface ID,
and the lPv6 address is automatically allocated based on the prefix information in the Router Advertisement
(RA) packet.

 Stateful address allocation (DHCPv6): Two DHCPv6 allocation methods are as follows:

○ Automatic DHCPv6 allocation: The DHCPv6 server automatically allocates IPv6 addresses, prefixes, and
other network parameters.

○ Automatic allocation of DHCPv6 Prefix Delegations (PDs): The lower-layer network device submits a prefix
allocation application to the upper-layer network device. The upper-layer network device allocates an
appropriate address prefix to the lower-layer device. The lower-layer device further divides the obtained
prefix (usually less than 64 bits) into 64-bit prefixed subnet segments and advertises the address prefixes
to the user link directly connected to the IPv6 host through the RA packet, implementing automatic address
configuration for hosts.

3.7.4 Enabling the IPv6 Function

Choose Local Device > Basics > IPv6 Address.

Turn on Enable to enable the IPv6 function.

3.7.5 Configuring an IPv6 Address for the WAN Port

Choose Local Device > Basics > IPv6 Address > WAN Settings.

After you enable the IPv6 function, you can set related parameters on the WAN Settings tab. The number of
WAN_V6 tabs indicates the number of WAN ports on the current device.

50
Web-based Configuration Guide Network Settings

Table 3-5 IPv6 address configuration for WAN port

Parameter Description

Configure a method for the WAN port to obtain an IPv6 address.

DHCP: The current device functions as the DHCPv6 client, and it applies for
Internet an IPv6 address and prefix from the uplink network device.
Static IP: You need to manually configure a static IPv6 address, gateway
address, and DNS server.
Null: The IPv6 function is disabled on the WAN port.

When Internet is set to DHCP, the automatically obtained IPv6 address is

IPv6 Address displayed.

When Internet is set to Static IP, you need to configure this parameter manually.

When Internet is set to DHCP, the IPv6 address prefix automatically obtained by
IPv6 Prefix
the current device is displayed.

51
Web-based Configuration Guide Network Settings

Parameter Description

When Internet is set to DHCP, the automatically obtained gateway address is

Gateway displayed.

When Internet is set to Static IP, you need to configure this parameter manually.

When Internet is set to DHCP, the automatically obtained DNS server address is
DNS Server displayed.

When Internet is set to Static IP, you need to configure this parameter manually.

If the current device cannot access the Internet through DHCP or cannot obtain
NAT66 the IPv6 prefix, you need to enable the NAT66 function to allocate IPv6 addresses
to clients on the internal network.

Set the default route preference for the current line. A smaller value indicates a
Default Preference higher preference. For the same destination address, the route with the highest
preference is selected as the optimal route.

Caution

The RG-EG105G and RG-EG105G-P does not support the NAT66 function.

3.7.6 Configuring an IPv6 Address for the LAN Port

Choose Local Device > Basics > IPv6 Address > LAN Settings.

When the device accesses the Internet through DHCP, it can obtain LAN port IPv6 addresses from the uplink
device and allocate IPv6 addresses to the clients in the LAN based on the IPv6 address prefix. If the uplink device
cannot allocate an IPv6 address prefix to the device, you need to manually configure an IPv6 address prefix for
the LAN port and enable the NAT66 function to allocate IPv6 addresses to the clients in the LAN. For details, see
Section 3.6.5 Configuring an IPv6 Address for the WAN Port.

Click Edit next to the default VLAN, and set IPv6 Address/Prefix Length to a local address with no more than
64 bits. This address is also used as the IPv6 address prefix.

You can use either of the following methods to allocate IPv6 addresses to clients:

 Auto: Allocate IPv6 addresses to clients in DHCPv6 or SLAAC mode.

52
Web-based Configuration Guide Network Settings

 DHCPv6: Allocate IPv6 addresses to clients through DHCPv6.

 SLAAC: Allocate IPv6 addresses to clients through SLAAC.

 Null: Do not allocate addresses to clients.

You should select an allocation method based on the protocol supported by clients on the internal network. If you
are not sure about the supported protocol, select Auto.

Click Advanced Settings to configure more address attributes.

53
Web-based Configuration Guide Network Settings

Table 3-6 IPv6 address configuration for LAN port

Parameter Description

Specify the interface from which the prefix is obtained, such as WAN_V6 or
Subnet Prefix Name
WAN1_V6. By default, the device obtains prefixes from all interfaces.

Subnet Prefix Length Specify the length of the subnet prefix. The value is in the range of 48 to 64.

Configure the subnet ID in the hexadecimal format. The value 0 indicates

Subnet ID
auto increment.

Lease Time(Min) Set the lease of the IPv6 address, in minutes.

DNS Server Configure the IPv6 DNS server address.

3.7.7 Viewing the DHCPv6 Client

Choose Local Device > Network > IPv6 Address > DHCPv6 Clients.

When the device functions as a DHCPv6 server to allocate IPv6 addresses to clients, you can view the information
about the client that obtains an IPv6 address from the device on the current page. The client information includes
the host name, IPv6 address, remaining lease time, and DHCPv6 Unique Identifier (DUID).

Enter the DUID in the search bar and click to quickly find relative information of the specified DHCPv6
client.

 Click Convert to Static IP to convert the IP binding of a client with an IP address to static binding. Then the
DHCP server assigns a static IP address to the client.

 Click Bind Selected to convert the IP binding of multiple clients with IP addresses to static binding. Then the
DHCP server assigns static IP addresses to the clients.

3.7.8 Configuring the Static DHCPv6 Address

Configure the IPv6 address statically bound to the DUID of a client so that the client can obtain the specified
address each time.

Choose Local Device > Network > IPv6 Address > Static DHCPv6.

54
Web-based Configuration Guide Network Settings

(1) Click Add.

(2) Enter the IPv6 address and DUID.

(3) Click OK.

3.7.9 Configuring the IPv6 Neighbor List

In IPv6, Neighbor Discovery Protocol (NDP) is an important basic protocol. NDP replaces the ARP and ICMP
route discovery protocols of IPv4, and supports the following functions: address resolution, neighbor status
tracking, duplicate address detection, router discovery, and redirection.

Choose Local Device > Security > IPv6 Address > IPv6 Neighbor List.

55
Web-based Configuration Guide Network Settings

(1) Click Add and manually add the interface, IPv6 address and MAC address of the neighbor.

(2) Select the MAC address and IP address to be bound, and click Bind in the Action column to bind the IP
address to the MAC address to prevent ND attacks.

56
Web-based Configuration Guide Network Settings

3.8 Configuring a DHCP Server

3.8.1 DHCP Server Overview

After the DHCP server function is enabled in the LAN, the device can automatically deliver IP addresses to clients,
so that clients connected to the LAN ports of the device or connected to Wi-Fi can access the Internet using the
obtained addresses.

See Section 3.6.6 Configuring an IPv6 Address for the LAN Port for more information about the DHCPv6 server
function.

3.8.2 Address Allocation Mechanism

The DHCP server allocates an IP address to a client in the following way:

(1) When the device receives an IP address request from a DHCP client, the device searches the DHCP static
address allocation list. If the MAC address of the DHCP client is in the DHCP static address allocation list, the
device allocates the corresponding IP address to the DHCP client.

(2) If the MAC address of the DHCP client is not in the DHCP static address allocation list or the IP address that
the DHCP client applies is not in the same network segment as the LAN port IP address, the device selects
an IP address not used from the address pool and allocates the address to the DHCP client.

(3) If no IP address in the address pool is allocatable, the client will fail to obtain an IP address.

3.8.3 Configuring the DHCP Server

1. Configuring Basic Parameters

Choose Local Device > Basics > LAN > LAN Settings.

DHCP Server: The DHCP server function is enabled by default in the router mode. You are advised to enable the
function if the device is used as the sole router in the network. When multiple routers are connected to the upper-
layer device through LAN ports, disable this function.

Caution

If the DHCP server function is disabled on all devices in the network, clients cannot automatically obtain IP
addresses. You need to enable the DHCP server function on one device or manually configure a static IP
address for each client for Internet access.

Start: Enter the start IP address of the DHCP address pool. A client obtains an IP address from the address pool.
If all the addresses in the address pool are used up, no IP address can be obtained from the address pool.

IP Count: Enter the number of IP addresses in the address pool.

Lease Time(Min): Enter the address lease term. When a client is connected, the leased IP address is
automatically renewed. If a leased IP address is not renewed due to client disconnection or network instability,
the IP address will be reclaimed after the lease term expires. After the client connection is restored, the client can
request an IP address again. The default lease term is 30 minutes.

57
Web-based Configuration Guide Network Settings

1. Configuring DHCP Option

Choose Local Device > Basics > LAN > DHCP.

The DHCP Option configuration is shared by all LAN ports. You can configure DHCP Option based on actual
needs.

58
Web-based Configuration Guide Network Settings

Table 3-7 DHCP Option configuration

Parameter Description

DNS Server Enter the DNS server address provided by the ISP.

When the AC (wireless controller) and the AP are not in the same LAN, the AP cannot
discover the AC through broadcast after obtaining an IP address from the DHCP
Option 43
server. To enable the AP to discover the AC, you need to configure Option 43 carried in
the DHCP response packet on the DHCP server.

Enter the IP address of the AC. Similar to Option 43, when the AC and AP are not in
Option 138 the same LAN, you can configure Option 138 to enable the AP to obtain the IPv4
address of the AC.

Enter the IP address of the TFTP server. The TFTP server allocates addresses to
Option 150
clients.

3.8.4 Viewing the DHCP Client

Choose Local Device > Basics > LAN > DHCP Clients.

View the client addresses automatically allocated by thorough DHCP. Find the target client and click Convert to
Static IP in the Status column, or select desired clients and click Batch Convert. The dynamic address allocation
relationship is added to the static address allocation list, so that the host can obtain the bound IP address for each
connection. For details on how to view the static address allocation list, see Section 3.7.5 Configuring Static IP
Addresses.

59
Web-based Configuration Guide Network Settings

3.8.5 Configuring Static IP Addresses

Choose Local Device > Basics > LAN Static IP Addresses.

The page displays all configured static IP addresses.

Click Add. In the pop-up window, enter the MAC address and IP address of the client to be bound, and click OK.
After a static IP address is bound, the bound IP address will be obtained each time the client connects to the
network.

3.9 Configuring Routes

3.9.1 Configuring Static Routes

Choose Local Device > Advanced > Routing > Static Routing.

60
Web-based Configuration Guide Network Settings

Static routes are manually configured by the user. When a data packet matches a static route, the packet will be
forwarded according to the specified forwarding mode.

Caution

Static routes cannot automatically adapt to changes of the network topology. When the network topology
changes, you need to reconfigure the static routes.

Click Add. In the dialog box that appears, enter the destination address, subnet mask, outbound interface, and
next-hop IP address to create a static route.

Table 3-8 Static route configuration

Parameter Description

Specify the destination network to which the data packet is to be sent. The device
Dest IP Address
matches the data packet based on the destination address and subnet mask.

Specify the subnet mask of the destination network. The device matches the data
Subnet Mask
packet based on the destination address and subnet mask.

Outbound Interface Specify the interface that forwards the data packet.

61
Web-based Configuration Guide Network Settings

Parameter Description

Specify the IP address of the next hop in the route for the data packet. If the
Next Hop outbound interface accesses the Internet through PPPoE dialing, you do not need
to configure the next-hop address.

After a static route is created, you can find the relevant route configuration and reachability status in the static
route list. The Reachable parameter specifies whether the next hop is reachable, based on which you can
determine whether the route takes effect. If the value is No, check whether the outbound interface in the current
route can ping the next-hop address.

3.9.2 Configuring the IPv6 Static Route

Choose Local Device > Advanced > Routing > Static Routing_v6.

(1) Click Add.

62
Web-based Configuration Guide Network Settings

(2) Configure an IPv6 static route of the device.

Table 3-1 Description of IPv6 Static Routing Configuration Parameters

Parameter Description

Destination network of the packet. The destination

IPv6 Address/Prefix Length address of the packet is matched according to the IPv6
address and prefix length.

Outbound Interface Interface that forwards the packet.

IP address of the next routing node to which the packet is

Next Hop
sent.

(3) Click OK.

3.9.3 Configuring RIP

Routing Information Protocol (RIP) is applicable to small and medium-sized networks and is a dynamic routing
protocol that is easy to configure. RIP measures the network distance based on the number of hops and selects
a route based on the distance. RIP uses UDP port 520 to exchange the routing information.

1. Configuring RIP Basic Functions

Choose Local Device > Advanced > Routing > RIP Settings

Click Add and configure the network segment and interface.

63
Web-based Configuration Guide Network Settings

Table 3-2 RIP Configuration Parameters

Parameter Description

Network Segment: Enable RIP in the specified network

segment. The IP addresses of this network segment are
added to the RIP routing table. The device and its RIP-
enabled neighbor devices learn the routing table from
Type each other.

Port: Enable RIP on the specified port. All the IP

addresses of this port are added to the RIP routing
table. The device and its RIP-enabled neighbor devices
learn the routing table from each other.

64
Web-based Configuration Guide Network Settings

Enter the network segment, for example, 10.1.0.0/24,

when Type is set to Network Segment.
Network Segment
RIP will be enabled on all interfaces of the device
covered by this network segment.

Select a VLAN interface or physical port when Type is

Port
set to Port.

No Authentication: The protocol packets are not

authenticated.

Encrypted Text: The protocol packets are

authenticated, and the authentication key is transmitted
Auth Mode
with the protocol packets in the form of encrypted text.

Plain Text: The protocol packets are authenticated, and

the authentication key is transmitted with the protocol
packets in the form of plain text.

Enter the authentication key to authenticate protocol

Auth Key packets when Auth Mode is set to Encrypted Text or
Plain Text.

2. Configuring the RIP Port

Choose Local Device > Advanced > Routing > RIP Settings >> Port Settings

Table 3-3 Configuration Parameters in the Port List

Parameter Description

Port Name Name of the port where RIP is enabled.

Rx Status RIP version of packets currently received.

Tx Status RIP version of packets currently transmitted.

After the port learns the route, the route overhead is

set to 16 (indicating that the route is unreachable),
Poison Reverse
and the route is sent back to the neighbor from the
original port to avoid a loop.

65
Web-based Configuration Guide Network Settings

When a neighbor does not support multicast,

broadcast packets can be sent.
v2 Broadcast Packet
You are advised to disable RIPv2 broadcast packets
to improve network performance.

No Authentication: The protocol packets are not

authenticated.

Encrypted Text: The protocol packets are

authenticated, and the authentication key is
Auth Mode transmitted with the protocol packets in the form of
encrypted text.

Plain Text: The protocol packets are authenticated,

and the authentication key is transmitted with the
protocol packets in the form of plain text.

Enter the authentication key to authenticate protocol

Auth Key packets when Auth Mode is set to Encrypted Text or
Plain Text.

Action Click Edit to modify RIP settings of the port.

3. Configuring the RIP Global Configuration

Choose Local Device > Advanced > Routing > RIP Settings >> Advanced, click Edit Config, and configure
RIP global configuration parameters.

66
Web-based Configuration Guide Network Settings

Table 3-4 RIP Global Configuration Parameters

Parameter Description

Default: Select RIPv2 for sending packets and

RIPv1/v2 for receiving packets.
RIP Version
V1: Select RIPv1 for sending and receiving packets.

V2: Select RIPv2 for sending and receiving packets.

67
Web-based Configuration Guide Network Settings

Parameter Description

After route advertisement is enabled, the current

Route Advertisement device generates a default route and sends it to the
neighbor.

Redistribute routes of other protocols to the RIP

Administrative Distance domain so that RIP can interwork with other routing
domains.

RIP update cycle. The routing information is updated

Update Timer
every 30 seconds by default.

If no update is received before a route becomes

Invalid Timer invalid, the route is considered unreachable. The
default value is 180 seconds.

If no update is received before the flush timer of an

invalid route expires, the route is completely deleted
Flush Timer
from the RIP routing table. The default value is 120
seconds.

4. Configuring the RIP Route Redistribution List

Redistribute routes of other protocols to the RIP domain so that RIP can interwork with other routing domains.

Choose Local Device > Advanced > Routing > RIP Settings >> Advanced, click Add in RIP Redistribution
List, and select the type and administrative distance.

68
Web-based Configuration Guide Network Settings

Table 3-5 RIP Route Redistribution Parameters

Parameter Description

Direct Routing

Type OSPF Routing

Static Routing

A smaller administrative distance indicates a higher

Administrative Distance priority. The default value is 0. The value ranges from
0 to 16.

Select the instance ID of OSPF that needs to be

Instance ID redistributed. OSPFv2 needs to be enabled on the
local device.

5. Configuring the Passive Interface

If an interface is configured as a passive interface, it will suppress RIP update packets. If the connected peer
device does not run RIP, you are advised to enable the passive interface.

Choose Local Device > Advanced > Routing > RIP Settings >> Advanced, click Add in Passive Interface
and select a passive interface.

69
Web-based Configuration Guide Network Settings

6. Configuring the Neighbor Route

When the router cannot process broadcast packets, another router can be designated as the neighbor to establish
a RIP direct link.

Choose Local Device > Advanced > Routing > RIP Settings >> Advanced, click Add in Neighbor Route, and
enter the IP address of the neighbor router.

70
Web-based Configuration Guide Network Settings

3.9.4 Configuring RIPng

RIP Next Generation (RIPng) provides the routing function for IPv6 networks.

RIPng uses UDP port 512 to exchange the routing information.

1. Configuring RIPng Basic Functions

Choose Local Device > Advanced > Routing > RIPng Settings

Click Add, set Type to Network Segment or Port, and specify the network segment or port accordingly.

71
Web-based Configuration Guide Network Settings

表1-1 RIPng Configuration Parameters

Parameter Description

Network Segment: Enable RIP in the specified network

segment. The IP addresses of this network segment are
added to the RIP routing table, and the device and its
RIP-enabled neighbor devices learn the routing table
Type from each other.

Port: Enable RIP on the specified port. All the IP

addresses of this port are added to the RIP routing table,
and the device and its RIP-enabled neighbor devices
learn the routing table from each other.

Enter the IPv6 address and prefix length when Type is

set to Network Segment.
Network Segment
RIPng will be enabled on all interfaces of the device
covered by this network segment.

Select a VLAN interface or physical port when Type is

Port
set to Port.

2. Configuring the RIPng Port

RIPng poison reverse: After the port learns the route, the route overhead is set to 16 (indicating that the route is
unreachable), and the route is sent back to the neighbor from the original port to avoid a loop.

Choose Local Device > Advanced > Routing > RIPng Settings > Port Settings, click Edit, and enable IPv6
poison reverse.

72
Web-based Configuration Guide Network Settings

3. Configuring the RIPng Global Configuration

Choose Local Device > Advanced > Routing > RIPng Settings >> Advanced, click Edit Config in RIPng
Global Config, and configure RIPng global configuration parameters.

73
Web-based Configuration Guide Network Settings

4. Configuring the RIPng Route Redistribution List

Redistribute routes of other protocols to the RIPng domain to interwork with other routing domains.

Choose Local Device > Advanced > Routing > RIPng Settings > Advanced, click Add in Route
Redistribution List, and configure RIPng route redistribution.

74
Web-based Configuration Guide Network Settings

Table 3-6 RIP Route Redistribution Parameters

Parameter Description

Direct Routing

Type OSPF Routing

Static Routing

Administrative Distance Value range: 0-16. The default value is 0.

5. Configuring the RIPng Passive Interface

If an interface is configured as a passive interface, it will suppress RIPng update packets. If the connected peer
device does not run RIP, you are advised to enable the passive interface.

Choose Local Device > Advanced > Routing > RIPng Settings > Advanced, click Add in Passive Interface,
and select a passive interface.

75
Web-based Configuration Guide Network Settings

6. Configuring the IPv6 Aggregate Route

Choose Local Device > Advanced > Routing > RIPng Settings > Advanced, click Add in RIPng Aggregate
Routing, and enter the IPv6 address or length. The length of IPv6 address prefix ranges from 0 bit to 128 bits.

3.9.5 OSPF v2

Open Shortest Path First (OSPF) can be applied to large-scale networks. IPv4 uses OSPFv2, and IPv6 uses
OSPFv3.

OSPF is a typical link-state routing protocol, which can solve the problems of slow route update, inaccurate
measurement, and poor scalability in large networks. It is suitable for networks of various sizes, and even a
network with up to thousands of devices.

76
Web-based Configuration Guide Network Settings

1. Configuring OSPFv2 Basic Parameters

Choose Local Device > Advanced > Routing > OSPFV2, click Start Setup, and then configure an instance and
an interface respectively.

(1) Configure an instance.

a Configure basic parameters for an instance.

77
Web-based Configuration Guide Network Settings

Table 3-7 Description of Basic OSPF Instance Configuration Parameters

Parameter Description

Create an OSPF instance based on the service type.

Instance ID The instance only takes effect locally, and does not
affect packet exchange with other devices.

It identifies a router in an OSPF domain.

Caution
Router ID
Router IDs within the same domain must be
unique. The same configuration may cause
neighbor discovery failures.

Generate a default route and send it to the neighbor.

After this function is enabled, you need to enter the

metric and select a type. The default metric is 1.
Advertise Default Route Type 1: The metrics displayed on different routers
vary.

Type 2: The metrics displayed on all routers are the

same.

Redistribute routes of other protocols to the OSPF

domain to interwork with other routing domains.

If Static Route Redistribution is selected, enter the

metric, which is 20 by default.
Import External Route
If Direct Route Redistribution is selected, enter the
metric, which is 20 by default.

If RIP Redistribution is selected, enter the metric,

which is 20 by default.

b Click Details to display detailed configurations.

78
Web-based Configuration Guide Network Settings

Table 3-8 Description of Detailed OSPF Instance Configuration Parameters

Parameter Description

It is used for protocol selection. By default, the intra-

Distance
area, inter-area, and external distances are all 110.

Frequent network changes and route flapping may

occupy too much network bandwidth and device
LSA resources. The LSA generation and reception delays
are specified in OSPF by default.

The default value is 1000 ms.

79
Web-based Configuration Guide Network Settings

Parameter Description

When the link state database (LSDB) changes, OSPF

recalculates the shortest path, and sets the interval to
prevent frequent network changes from occupying a
large number of resources

Waiting Interval: When the state changes, the timer

is triggered. The delay is calculated for the first time
after the timer expires. The default value is 0 ms.
SPF Calculation Min Interval: As the number of changes increases,
the time of each interval will increase according to the
algorithm, and the default value is 50 ms.

Max Interval: When the calculated interval reaches

the maximum interval, the subsequent interval is
always equal to the maximum interval. If the time from
the last calculation exceeds the maximum interval and
the LSDB is not updated, the timer is disabled.

Graceful Restart (GR) can avoid route flapping

caused by traffic interruption and active/standby board
switchover, thus ensuring the stability of key services.

Graceful Restart Helper: The Graceful Restart

Helper function is enabled when this switch is turned
on.
Graceful Restart LSA Check: LSA packets outside the domain are
checked when this switch is turned on.

Max Wait Time: Timing starts after the device

receives the GR packet from the peer device. If the
peer device does not complete GR within Max Wait
Time, the device exits the GR Helper mode. The
default value is 1800 seconds.

(2) Configure an interface.

80
Web-based Configuration Guide Network Settings

c Configure basic parameters for an OSPFv2 interface.

Table 3-9 Description of Basic OSPFv2 Interface Configuration Parameters

Parameter Description

Interface Select the OSPF-enabled L3 interface.

Area Configure the area ID. Value range: 0-4294967295

If Stub Area is enabled, you need to configure the

area type and inter-area route isolation.

Stub area: Routers at the edge of the area do not

advertise routes outside the area, and the routing
table in the area is small.
Stub Area
Not-So-Stubby Area (NSSA): A few external routes
can be imported.

Inter-area route isolation: After this function is

enabled, inter-area routes will not be imported to this
area.

Details Expand the detailed configuration.

d Click Details to display detailed configurations.

81
Web-based Configuration Guide Network Settings

Table 3-10 Description of Detailed OSPFv2 Interface Configuration Parameters

Parameter Description

Priority It is 1 by default.

Broadcast

Unicast
Network Type
Multicast

Non-Broadcast Multiple Access

Interval for periodic transmission, which is used to

Hello Packets discover and maintain OSPF neighbor relationship.
The default value is 10 seconds.

82
Web-based Configuration Guide Network Settings

Parameter Description

Time after which the neighbor becomes invalid. The

Dead Interval
default value is 40 seconds.

LSA transmission delay of the interface. The default

LSA Transmission Delay
value is 1 second.

Time after which LSA is retransmitted after LSA is lost.

LSA Retransmission Interval
The default value is 5 seconds.

No Auth: The protocol packets are not authenticated.

It is the default value.

Plain Text: The protocol packets are authenticated,

and the authentication key is transmitted with the
Interface Auth
protocol packets in the form of plain text.

MD5: The protocol packets are authenticated, and the

authentication key is MD5 encrypted and then
transmitted with the protocol packets.

Ignore MTU Check Enabled by default.

e Click Add to add an interface to Interface List.

(3) Click Finish.

83
Web-based Configuration Guide Network Settings

After you create an instance and an interface, choose Local Device > Advanced > Routing > OSPFV2 to check
the current Instance List.

2. Adding an OSPFv2 Interface

Choose Local Device > Advanced > Routing > OSPFV2, select the instance to be configured in Instance List,
and choose More > V2 Interface.

84
Web-based Configuration Guide Network Settings

3. Redistributing OSPFv2 Instance Routes

Choose Local Device > Advanced > Routing > OSPFV2, select the instance to be configured in Instance List,
and choose More > V2 Instance Route Redistribution.

85
Web-based Configuration Guide Network Settings

4. Managing OSPFv2 Stub Areas

Choose Local Device > Advanced > Routing > OSPFV2, select the instance to be configured in Instance List,
and choose More > V2 Stub Area Management.

5. Managing OSPFv2 Neighbors

Choose Local Device > Advanced > Routing > OSPFV2, select the instance to be configured in Instance List,
and choose More > V2 Neighbor Management.

86
Web-based Configuration Guide Network Settings

6. Viewing OSPFv2 Neighbor Information

Choose Local Device > Advanced > Routing > OSPFV2, select the instance to be configured in Instance List,
and click Neighbor Info.

87
Web-based Configuration Guide Network Settings

3.9.6 OSPF v3

Open Shortest Path First (OSPF) can be applied to large-scale networks. IPv4 uses OSPFv2, and IPv6 uses
OSPFv3.

1. Configuring OSPFv3 Basic Parameters

Choose Local Device > Advanced > Routing > OSPFV3, click Start Setup, and then configure an instance and
an interface respectively.

(1) Configure an instance.

a Configure basic parameters for an instance.

88
Web-based Configuration Guide Network Settings

Table 3-11 Description of Basic OSPF Instance Configuration Parameters

Parameter Description

Create an OSPF instance based on the service type.

Instance ID The instance only takes effect locally, and does not
affect packet exchange with other devices.

It identifies a router in an OSPF domain.

Caution
Router ID Router IDs within the same domain must be
unique. The same configuration may cause
neighbor discovery failures.

89
Web-based Configuration Guide Network Settings

Parameter Description

Generate a default route and send it to the neighbor.

After this function is enabled, you need to enter the

metric and select a type. The default metric is 1.
Advertise Default Route Type 1: The metrics displayed on different routers
vary.

Type 2: The metrics displayed on all routers are the

same.

Redistribute routes of other protocols to the OSPF

domain to interwork with other routing domains.

If Static Route Redistribution is selected, enter the

metric, which is 20 by default.
Import External Route
If Direct Route Redistribution is selected, enter the
metric, which is 20 by default.

If RIP Redistribution is selected, enter the metric,

which is 20 by default.

b Click Details to display detailed configurations.

90
Web-based Configuration Guide Network Settings

Table 3-12 Description of Detailed OSPF Instance Configuration Parameters

Parameter Description

It is used for protocol selection. By default, the intra-

Distance
area, inter-area, and external distances are all 110.

Frequent network changes and route flapping may

occupy too much network bandwidth and device
LSA resources. The LSA generation and reception delays
are specified in OSPF by default.

The default value is 1000 ms.

91
Web-based Configuration Guide Network Settings

Parameter Description

When the link state database (LSDB) changes, OSPF

recalculates the shortest path, and sets the interval to
prevent frequent network changes from occupying a
large number of resources

Waiting Interval: When the state changes, the timer

is triggered. The delay is calculated for the first time
after the timer expires. The default value is 0 ms.
SPF Calculation Min Interval: As the number of changes increases,
the time of each interval will increase according to the
algorithm, and the default value is 50 ms.

Max Interval: When the calculated interval reaches

the maximum interval, the subsequent interval is
always equal to the maximum interval. If the time from
the last calculation exceeds the maximum interval and
the LSDB is not updated, the timer is disabled.

Graceful Restart (GR) can avoid route flapping

caused by traffic interruption and active/standby board
switchover, thus ensuring the stability of key services.

Graceful Restart Helper: The Graceful Restart

Helper function is enabled when this switch is turned
on.
Graceful Restart LSA Check: LSA packets outside the domain are
checked when this switch is turned on.

Max Wait Time: Timing starts after the device

receives the GR packet from the peer device. If the
peer device does not complete GR within Max Wait
Time, the device exits the GR Helper mode. The
default value is 1800 seconds.

(2) Configure an interface.

92
Web-based Configuration Guide Network Settings

a Configure basic parameters for an interface.

Table 3-13 Description of Basic OSPF Interface Configuration Parameters

Parameter Description

Interface Select the OSPF-enabled L3 interface.

Area Configure the area ID. Value range: 0-4294967295

If Stub Area is enabled, you need to configure the

area type and inter-area route isolation.

Stub area: Routers at the edge of the area do not

Stub Area advertise routes outside the area, and the routing
table in the area is small.

Not-So-Stubby Area (NSSA): A few external routes

can be imported.

b Click Details to display detailed configurations.

93
Web-based Configuration Guide Network Settings

Table 3-14 Description of Detailed OSPF Interface Configuration Parameters

Parameter Description

Priority It is 1 by default.

Broadcast

Unicast
Network Type
Multicast

Non-Broadcast Multiple Access

Interval for periodic transmission, which is used to

Hello Packets discover and maintain OSPF neighbor relationship.
The default value is 10 seconds.

Time after which the neighbor becomes invalid. The

Dead Interval
default value is 40 seconds.

94
Web-based Configuration Guide Network Settings

Parameter Description

LSA transmission delay of the interface. The default

LSA Transmission Delay
value is 1 second.

Time after which LSA is retransmitted after LSA is lost.

LSA Retransmission Interval
The default value is 5 seconds.

No Auth: The protocol packets are not authenticated.

It is the default value.

Plain Text: The protocol packets are authenticated,

and the authentication key is transmitted with the
Interface Auth
protocol packets in the form of plain text.

MD5: The protocol packets are authenticated, and the

authentication key is MD5 encrypted and then
transmitted with the protocol packets.

Ignore MTU Check Enabled by default.

c Click Add to add an interface to Interface List.

(2) Click Finish.

95
Web-based Configuration Guide Network Settings

After you complete configuration, choose Advanced > Routing > OSPFV3 to check Instance List.

2. Adding an OSPFv3 Interface

Choose Local Device > Advanced > Routing > OSPFV3, select the instance to be configured in Instance List,
and choose More > V3 Interface.

96
Web-based Configuration Guide Network Settings

3. Managing OSPFv3 Stub Areas

Choose Local Device > Advanced > Routing > OSPFV3, select the instance to be configured in Instance List,
and choose More > V3 Stub Area Management.

97
Web-based Configuration Guide Network Settings

3.9.7 Viewing Routing Tables

Choose Local Device > Advanced > Routing > Routing Table Info to view IPv4 and IPv6 routing table details.

3.9.8 Configuring PBR

1. Overview

Policy-based routing (PBR) is a mechanism for routing and forwarding based on user-specified policies. When a
router forwards data packets, it filters the packets according to the configured rules, and then forwards the
matched packets according to the specified forwarding policy. The PBR feature enables the device to formulate

98
Web-based Configuration Guide Network Settings

rules according to specific fields (source or destination IP address and protocol type) in the data packets, and
forward the data packets from a specific interface.

In a multi-line scenario, if the device is connected to the Internet and the internal network through different lines,
the traffic will be evenly routed over the lines if no routing settings are available. In this case, access data to the
internal network may be sent to the external network, or access data to the external network may be sent to the
internal network, resulting in network exceptions. To prevent these exceptions, you need to configure PBR to
control data isolation and forwarding on the internal and external networks.

The device can forward data packets using either of the following three policies: PBR, address-based routing,
and static routing. When all the policies exist, PBR, static routing, and address-based routing have descending
order in priority. For details on address-based routing, see Section 3.2.6 Configuring the Multi-Line Load
Balancing Mode.

2. Configuration Steps

Choose Local Device > Advanced > Routing > PBR.

Click Add to add a PBR rule.

99
Web-based Configuration Guide Network Settings

Table 3-9 PBR configuration

Parameter Description

Specify the name of the PBR rule, which uniquely identifies a PBR rule. The
Name
name must be unique for each rule.

Specify the protocol to which the PBR rule is effective. You can set this
Protocol Type
parameter to IP, ICMP, UDP, TCP, or Custom.

Protocol Number When Protocol Type is set to Custom, you need to enter the protocol number.

Configure the source IP address or IP address range for matching PBR entries.
The default value is All IP Addresses.
Src IP/IP Range
All IP Addresses: Match all the source IP addresses.
Custom: Match the source IP addresses in the specified IP range.

When Src IP/IP Range is set to Custom, you need to enter a single source IP
Custom Src IP
address or a source IP range.

Configure the destination IP address or IP address range for matching PBR

entries. The default value is All IP Addresses.
Dest IP/IP Range
All IP Addresses: Match all the destination IP addresses.
Custom: Match the destination IP addresses in the specified IP range.

When Dest IP/IP Range is set to Custom, you need to enter a destination source
Custom Dest IP
IP address or a destination IP range.

This parameter is available only when Protocol Type is set to TCP or UDP. This
Src Port Range
parameter specifies the source port range for packet matching using PBR.

This parameter is available only when Protocol Type is set to TCP or UDP. This
Dest Port Range
parameter specifies the destination port range for packet matching using PBR.

Outbound Interface Specify the interface that forwards the data packet based on the hit PBR rule.

Turn on Status to specify whether to enable the PBR rule. If Status is turned off,
Status
this rule does not take effect.

Note

If you want to restrict the access device to access only the specified internal network, you can set the outbound
interface in the corresponding route to the WAN port in the private line network. For details on how to set the
private line network, see Section 3.2.4 Configuring the Private Line.

100
Web-based Configuration Guide Network Settings

All the created PBR policies are displayed in the PBR list, with the latest policy listed on the top. The device
matches the policies according to their sorting in the list. You can manually adjust the policy matching sequence

by clicking or in the Match Order column.

3. Typical Configuration Example

 Networking Requirements

Two lines with different bandwidths are deployed for an enterprise. Line A (WAN 1) is used for access to the
Internet and Line B (WAN 2) is used for access to the specific internal network (10.1.1.0/24). The enterprise wants
to configure PBR to guarantee correct data flows between the internal and external networks, isolate devices in
the specified address range (172.26.31.1 to 172.26.31.200) from the external network, and allow these devices
to access the specific internal network only.

 Configuration Roadmap

 Configure the private line.

 Add a PBR policy for access to the internal network.

 Add a PBR policy for access to the external network.

 Add a PBR policy to restrict specific devices to access the internal network only.

 Configuration Steps

(1) Configure WAN 2 as the private line for the internal network.

When you configure networking parameters for WAN 2 port, click Advanced Settings, turn on Private Line,
and click Save. For details, see Section 3.2.4 Configuring the Private Line.

(2) Add a PBR policy to forward data packets destined to the external network through WAN 1 port.

101
Web-based Configuration Guide Network Settings

Choose Advanced > Routing > PBR and click Add. In the dialog box that appears, create a PBR policy and
set Outbound Interface to WAN1.

(3) Add a PBR policy to forward data packets destined to the internal network through WAN 2 port.

In this policy, set Custom Dest IP to 10.1.1.1-10.1.1.254 and Outbound Interface to WAN2.

(4) Add a PBR policy to restrict devices in the IP range 172.26.31.1 to 172.26.31.200 to access the internal private
line only.

102
Web-based Configuration Guide Network Settings

In this policy, set Src IP/IP Range to Custom, Custom Src IP to 172.26.31.1-172.26.31.200, and Outbound
Interface to WAN2.

3.10 Configuring ARP Binding and ARP Guard

3.10.1 Overview

The device learns the IP address and MAC address of the network devices connected to its interfaces and
generates the corresponding ARP entries. You can enable ARP guard and configure IP-MAC binding to restrict
Internet access of LAN hosts and improve network security.

3.10.2 Configuring ARP Binding

Choose Local Device > Security > ARP List.

Before you enable ARP guard, you must configure the binding between IP addresses and MAC addresses in
either of the following ways:

(1) Select a dynamic ARP entry in the ARP list and click Bind. You can select multiple entries to be bound at one
time and click Bind Selected to bind them.

103
Web-based Configuration Guide Network Settings

(2) Click Add, enter the IP address and MAC address to be bound, and click OK. The input box can display
existing address mappings in the ARP list. You can click a mapping to automatically enter the address mapping.

To remove the binding between a static IP address and a MAC address, click Delete in the Action column.

3.10.3 Configuring ARP Guard

After ARP guard is enabled, only LAN hosts with IP-MAC binding can access the external network. For details on
how to configure ARP binding, see Section 3.10.2 Configuring ARP Binding.

(1) Choose Local Device > Security > ARP List.

(2) Turn on Enable in the ARP Guard section to enable ARP guard.

104
Web-based Configuration Guide Network Settings

(3) Set the range for the function to take effect.

If you select Select All, the ARP guard function will take effect on all clients on the LAN. If you select a
specified port, the ARP guard function will take effect only on clients connected to the port.

3.11 Configuring MAC Address Filtering

3.11.1 Overview

You can enable MAC address filtering and configure a whitelist or blacklist to effectively control Internet access
from LAN hosts.

 Whitelist: Allow only hosts whose MAC addresses are in the filter rule list to access the Internet.

 Blacklist: Deny hosts whose MAC addresses are in the filter rule list from accessing the Internet.

3.11.2 Configuration Steps

Choose Local Device > Security > MAC Filtering.

(1) Click Add. In the dialog box that appears, enter the MAC address and remarks. The input box can display
existing address mappings in the ARP list. You can click a mapping to automatically enter the MAC address.
Click OK. A filter rule is created.

105
Web-based Configuration Guide Network Settings

(2) Turn on MAC Filtering, set Filtering Type, and click Save.

3.12 Configuring the PPPoE Server

3.12.1 Overview

Point-to-Point Protocol over Ethernet (PPPoE) is a network tunneling protocol that encapsulates PPP frames
inside Ethernet frames. When the router functions as a PPPoE server, it provides the access service to LAN users
and supports bandwidth management.

3.12.2 Global Settings

Choose Local Device > Advanced > PPPoE Server > Global Settings.

Set PPPoE Server to Enable and configure PPPoE server parameters.

106
Web-based Configuration Guide Network Settings

Table 3-10 PPPoE server configuration

Parameter Description

PPPoE Server Specify whether to enable the PPPoE server function.

Mandatory PPPoE Dialup Specify whether LAN users must access the Internet through dialing.

Local Tunnel IP Set the point-to-point address of the PPPoE server.

Specify the IP address range that can be allocated by the PPPoE server
IP Range
to authenticated users.

VLAN Set the VLAN of the current PPPoE server.

Primary/Secondary DNS
Specify the DNS server address delivered to authenticated users.
Server

When the number of LCP packets not answered in one link exceeds the
Unanswered LCP Packet Limit
specified value, the PPPoE server automatically disconnects the link.

107
Web-based Configuration Guide Network Settings

Parameter Description

Select at least one authentication mode from the following: PAP, CHAP,
Auth Mode
MSCHAP, and MSCHAP2.

3.12.3 Configuring a PPPoE User Account

Choose Local Device > Advanced > PPPoE Server > Account Settings.

Click Add to create a PPPoE authentication user account. The currently created PPPoE authentication user
accounts are displayed in the Account List section. Find the target account and click Edit to modify the account
information. Find the target account and click Delete to delete the account.

108
Web-based Configuration Guide Network Settings

Table 3-11 PPPoE user account configuration

Parameter Description

Set the username and password of the authentication account

Username/Password
for Internet access through PPPoE dialing.

Set the expiration date of the authentication account. After the

Expire Date account expires, it can no longer be used for Internet access
through PPPoE authentication.

Remark Enter the account description.

Specify whether to enable this user account. If the account is

Status disabled, the account is invalid and cannot be used for Internet
access through PPPoE authentication.

109
Web-based Configuration Guide Network Settings

Parameter Description

Specify whether to apply flow control on the account. If flow

control is enabled, you need to configure flow control policies
for the PPPoE authentication user. If smart flow control is
Flow Control disabled, Flow Control must be turned off. To turn on Flow
Control, enable smart flow control first. For details on how to
configure smart flow control, see Section 6.6.2 Smart Flow
Control.

After flow control is enabled, you need to configure a flow

control package for the current account to restrict user
Account Management bandwidth accordingly. For details on how to configure and
view flow control packages, see Section 3.12.4 Configuring a
Flow Control Package.

3.12.4 Configuring a Flow Control Package

Choose Local Device > Advanced > PPPoE Server > Account Management.

If smart flow control is disabled, the flow control package for the account does not take effect. Before you configure
a flow control package, enable smart flow control first. For details on how to set smart flow control, see Section
6.6.2 Smart Flow Control.

Click Add to create a flow control package. The currently created flow control packages are displayed in the
Account Management List section. You can modify or delete the packages.

110
Web-based Configuration Guide Network Settings

Table 3-12 PPPoE user flow control package configuration

Parameter Description

Set the name of the flow control package. When you configure an
Account Name authentication account, you can select a flow control package based on
the name.

Specify the uplink and downlink committed information rate (CIR) for the
Uplink/Downlink CIR
authentication account when the bandwidth is insufficient.

Specify the uplink and downlink peak information rate (PIR) that can be
Uplink/Downlink PIR
used by the authentication account when the bandwidth is sufficient.

Specify the PIR that can be consumed by each user. This parameter is
Uplink/Downlink PIR per User
optional. By default, the PIR per user is not limited.

Interface Specify the interface to which the flow control package applies.

3.12.5 Configuring Exceptional IP Addresses

Choose Local Device > Advanced > PPPoE Server > Exceptional IP Address.

When the PPPoE server is enabled, if you want to allow some IP addresses in a specific VLAN to access the
Internet without passing account and password authentication, you can configure these IP addresses as
exceptional IP addresses.

The currently created exceptional IP addresses are displayed in the Exceptional IP Address List section. Click
Edit to modify the exceptional IP address. Click Delete to delete the exceptional IP address.

Start IP Address/End IP Address: Start and end of exceptional IP addresses.

Remark: Description of an exceptional IP address.

Status: Whether the exceptional IP address is effective.

111
Web-based Configuration Guide Network Settings

3.12.6 Viewing Online Users

Choose Local Device > Advanced > PPPoE Server > Online Clients.

View the information of end users that access the Internet through PPPoE dialing. Click Disconnect to disconnect
the user from the PPPoE server.

112
Web-based Configuration Guide Network Settings

Table 3-13 PPPoE online user information

Parameter Description

Username Total number of online users that access the Internet through PPPoE dialing.

IP IP address of the client.

MAC MAC address of the client.

Up on Time when the user accesses the Internet.

3.13 Port Mapping

3.13.1 Overview

1. Port Mapping

The port mapping function can establish a mapping relationship between the IP address and port number of a
WAN port and the IP address and port number of a server in the LAN, so that all access traffic to a service port
of the WAN port will be redirected to the corresponding port of the specified LAN server. This function enables
external users to actively access the service host in the LAN through the IP address and port number of the
specified WAN port.

Application scenario: Port mapping enables users to access the cameras or computers in their home network
when they are in the enterprise or on a business trip.

2. NAT-DMZ

When an incoming data packet does not hit any port mapping entry, the packet is redirected to the LAN server
according to the Demilitarized Zone (DMZ) rule. All data packets actively sent from the Internet to the device are
forwarded to the designated DMZ host, thus realizing LAN server access of external network users. DMZ not only
realizes the external network access service, but also ensures the security of other hosts in the LAN.

Application scenario: Configure port mapping or DMZ when an external network user wants to access the LAN
server, for example, access a server deployed in the home network when the user is in the enterprise or on a
business trip.

113
Web-based Configuration Guide Network Settings

3.13.2 Getting Started

 Confirm the intranet IP address of the mapping device on the LAN and the port number used by the service.

 Confirm that the mapped service can be normally used on the LAN.

3.13.3 Configuration Steps

Choose Local Device > Advanced > Port Mapping > Port Mapping.

Click Add. In the dialog box that appears, enter the rule name, service type, protocol type, external port/range,
internal server IP address, and internal port/range. You can create a maximum of 50 port mapping rules.

Table 3-14 Port mapping configuration

114
Web-based Configuration Guide Network Settings

Parameter Description

Name Enter the description of the port mapping rule, which is used to identify the rule.

Select the type of service to be mapped, such as HTTP or FTP. The internal port
Preferred Server number commonly used by the service is automatically entered. If you are not sure
about the service type, select Custom.

Select the transmission layer protocol type used by the service, such as TCP or
Protocol UDP. The value ALL indicates that the rule applies to both protocols. The value
must comply with the client configuration of the service.

Specify the host address used for accessing the external network. You can set it to
the following:
External IP Address
Outbound Interface: You can select All WAN Ports or specify a WAN port.
Enter or select an IP address: Select or enter the IP address of a WAN port.

Specify the port number used for Internet access. You need to confirm the port
number in the client software, such as the camera monitoring software. You can
External Port/Range
enter a port number or a port range, such as 1050-1060. If you enter a port range,
the value of Internal Port/Range must also be a port range.

Specify the IP address of the internal server to be mapped to the WAN port, that is,
Internal IP Address the IP address of the LAN device that provides Internet access, such as the IP
address of the network camera.

Specify the service port number of the internal server to be mapped to the WAN
port, that is, the port number of the application that provides Internet access, such
as port 8080 of the Web service.
Internal Port/Range
You can enter a port number or a port range, such as 1050-1060. If you enter a port
range, the number of ports must be the same as that specified in External
Port/Range.

3.13.4 Verification and Test

Check whether the external network device can access services on the destination host using the external IP
address and external port number.

3.13.5 Solution to Test Failure

(1) Modify the value of External Port/Range and use the new external port number to perform the test again. The
possible cause is that the port is blocked by the firewall.

(2) Enable the remote access permission on the server. The possible cause is that remote access is displayed on
the server, resulting in normal internal access but abnormal access across network segments.

(3) Configure DMZ rules. For details, see Section 3.13.6 Configuration Steps (DMZ). The possible cause is that
the specified ports are incorrect or incomplete.

115
Web-based Configuration Guide Network Settings

3.13.6 Configuration Steps (DMZ)

Choose Local Device > Advanced > Port Mapping > NAT-DMZ.

Click Add. Enter the rule name and internal server IP address, select the interface to which the rule applies,
specify the rule status, and click OK. You can configure only one DMZ rule for an outbound interface.

Table 3-15 DMZ rule configuration

Parameter Description

Name Enter the description of the mapping rule, which is identify the DMZ rule.

Specify the IP address of the DMZ host to which packets are redirected, that is,
Dest IP Address
the IP address of the internal server that can be accessed from the Internet.

Specify the WAN port in the DMZ rule. You can configure only one rule for a
Outbound Interface
WAN port.

Specify whether the rule is effective. The rule is effective after you turn on
Status
Status.

116
Web-based Configuration Guide Network Settings

3.14 UPnP
3.14.1 Overview

After the Universal Plug and Play (UPnP) function is enabled, the device can change the port used by the Internet
access service according to the client request, implementing NAT. When a client on the Internet wants to access
the internal resources on the LAN device, the device can automatically add port mapping entries to realize
traversal of some services between internal and external networks. The following commonly used programs
support the UPnP protocol: MSN Messenger, Thunder, BT, and PPLive.

Before you use the UPnP service, note that clients (PCs and mobile phones) used in combination also support
UPnP.

Note
To implement automatic port mapping using UPnP, the following conditions must be met:
 UPnP is enabled on the device.
 The operating system of the LAN host supports UPnP and has UPnP enabled.
 The programs support UPnP and have UPnP enabled.

3.14.2 Configuring UPnP

Choose Local Device > Advanced > UPnP Settings.

Turn on Enable to enable the UPnP function. Select a port from the drop-down list box of Default Interface. Click
Save to make the configuration take effect.

If any relevant program converts the port automatically, the information is displayed in the UPnP List section.

Table 3-16 UPnP configuration

Parameter Description

Enable Specify whether to enable UPnP. By default, UPnP is disabled.

117
Web-based Configuration Guide Network Settings

Specify the WAN port address bound to the UPnP service. By default, the
default interface is a WAN port. On the device with multiple WAN ports, you
Default Interface
can manually select the WAN port to bind or set this parameter to Auto to
allow the device to select a WAN port automatically.

3.14.3 Verifying Configuration

After the UPnP service is enabled, open a program that supports the UPnP protocol (such as Thunder or BitComet)
on the client used with the device, and refresh the Web page on the device. If a UPnP entry is displayed in the
UPnP list, a UPnP tunnel is created successfully.

3.15 DDNS
3.15.1 Overview

After the Dynamic Domain Name Server (DDNS) service is enabled, external users can use a fixed domain name
to access service resources on the device over the Internet at any time, without the need to search for the WAN
port IP address. You need to register an account and a domain name on the third-party DDNS service provider
for this service. The device supports DDNS and No-IP DNS.

3.15.2 Getting Started

Before you use the DDNS service, register an account and a domain name on the DDNS or No-IP official website.

3.15.3 Configuring DDNS

1. Configuration Steps

The device supports Oray DDNS, No-IP DNS and DynDNS. Oray DDNS cannot be used by the International
users, and No-IP DNS can be used by both Chinese and International users.

Choose Local Device > Advanced > Dynamic DNS > No-IP DNS.

Enter the registered username and password and click Log In to initiate a connection request to the server. The
binding between the domain name and WAN port IP address of the device takes effect.

Click Delete to clear all the entered information and remove the server connection relationship.

The Link Status parameter specifies whether the server connection is established successfully. If you do not
specify the domain name upon login, the domain name list of the current account is displayed after successful
connection. All the domain names of this account are parsed to the WAN port IP address.

118
Web-based Configuration Guide Network Settings

Table 3-17 DDNS login information

Parameter Description

One domain name can be parsed to only one IP address. Therefore, you need
Service Interface to specify the WAN port bound to the domain name when multiple WAN ports
are available. By default, the service interface is a WAN port.

Enter the username and password of the account registered on the official
Username & Password website. If no registered account is available, click Register to switch to the
official website and create a new account.

Specify the domain name bound to the service interface IP address.

This parameter is optional for No-IP DNS. One account can be bound to multiple
domain names. You can choose to bind only one domain name to the IP
Domain
address of the current service interface. Only the selected domain name is
parsed to the WAN port IP address. If no domain name is specified, all the
domain names of the current account are parsed to the WAN port IP address.

2. Verifying Configuration

If Link Status is displayed as Connected, the server connection is established successfully. After the
configuration is completed, ping the domain name from the Internet. The ping succeeds and the domain name is
parsed to the WAN port IP address.

119
Web-based Configuration Guide Network Settings

3.16 Connecting to IPTV

Caution

To connect to IPTV in the Chinese environment, switch the system language. For details, see Section 9.11
Switching System Language.

IPTV is a network television service provided by the ISP.

3.16.1 Getting Started

 Confirm that the IPTV service is activated.

 Check the local IPTV type: VLAN or IGMP. If the type is VLAN, confirm the VLAN ID. If you cannot confirm the
type or VLAN ID, contact the local ISP.

3.16.2 Configuration Steps (VLAN Type)

Choose Local Device > Basics > IPTV > IPTV/VLAN.

Select a proper mode based on your region, click the drop-down list box next to the interface to connect and
select IPTV, and enter the VLAN ID provided by the ISP. For example, when you want to connect the IPTV set
top box to LAN 3 port of the device and the VLAN ID is 20, the configuration UI is as follows.

Internet VLAN: If you need to set a VLAN ID for the Internet access service, turn on this parameter and enter the
VLAN ID. By default, the VLAN tag function is disabled. You are advised to keep the VLAN tag function disabled
unless otherwise specified.

After the configuration is completed, confirm that the IPTV set top box is connected to the correct port, for example,
LAN 3 in the example.

Caution

Enabling this function may lead to network disconnection. Exercise caution when performing this operation.

120
Web-based Configuration Guide Network Settings

3.16.3 Configuration Steps (IGMP Type)

Choose Local Device > Basics > IPTV > IPTV/IGMP.

The IGMP type is applicable to the ISP FPT. After you enable IPTV connection, connect the IPTV set top box to
any LAN port on the router.

121
Web-based Configuration Guide Network Settings

3.17 Port Flow Control

Caution

Only the RG-EG105G-E and RG-EG210G-E support this function.

Choose Local Device > Advanced > Port Settings.

When wired ports of the device work in different rates, data blocking may occur, leading to slow network speed.
Enabling port flow control helps relieve the data congestion.

3.18 Limiting the Number of Connections

Choose Local Device > Advanced > Session Limit.

This function is used to control the maximum number of connections per IP address.

Click Add to add an IP session limit rule.

122
Web-based Configuration Guide Network Settings

Table 3-18 IP session limit rule information

Parameter Description

Name Enter the name of the IP session limit rule.

Start Enter the start IP address for session matching in the rule.

End IP Address Enter the end IP address for session matching in the rule.

Specify the maximum number of session connections for an IP address

Session Count Limit
matching the rule.

Specify whether the rule is effective. The rule takes effect after you turn on this
Status
parameter.

3.19 Configuring Device Security

3.19.1 Overview

Prohibit Ping: This function identifies and directly discards the ping packets in the traffic sent to the
device, so as to prohibit the ping operation on the device. Only admin IP addresses can ping through
the device.

Admin IP Address: Admin IP addresses are exempt from the ping prohibition function. Packets sent
from admin IP addresses can pass through and will not be discarded.

3.19.2 Enabling the Ping Prohibition Function

Choose Local Device > Security > Local Safety.

The ping prohibition function includes the following:

123
Web-based Configuration Guide Network Settings

 If you select Prohibit LAN, ping packets sent from all clients on the LAN to the device will be discarded.

 If you select Prohibit WAN, ping packets sent from all clients on the WANs to the device will be discarded.
Ping packets sent from a client to the device will be responded only after the IP address of the client is
contained in Admin IP Address list. For the configuration of admin IP addresses, see Configuring an Admin
IP Address.

3.19.3 Configuring an Admin IP Address

Choose Local Device > Security > Local Safety.

Click Add. Then, you can configure admin IP address information.

1. Configuring an Admin IP Address (Based on an IP Address)

(1) Configure a name for the admin IP address.

The name is a string of 1–32 characters.

124
Web-based Configuration Guide Network Settings

(2) Set Specific Mode to IP Range.

(3) Configure an IP address.

You can specify a single P address or an IP address range.

2. Configuring an Admin IP Address (Based on a Port)

(1) Configure a name for the admin IP address.

The name is a string of 1–32 characters.

(2) Set Specific Mode to Outbound Interface.

(3) Specify the port.

You can select a LAN port or WAN port as the outbound interface.

3. Deleting an Admin IP Address

 Select an entry and click Delete to delete information about the admin IP address.

 Select multiple entries and click Delete Selected to bulk delete selected entries.

4. Editing Information About an Admin IP Address

You cannot modify the name and specified mode of an admin IP address but modify the IP address range or port
in the specified mode.

125
Web-based Configuration Guide Network Settings

3.20 Configuring TTL Rules

3.20.1 Overview

Time to live (TTL) aims to prevent unauthorized connections. It limits the number of devices that can transmit data
packets in the network by limiting the existence time of the data packets in the computer network, so as to prevent
infinite transmission of data packets in the network and the waste of resources.

When TTL is set to 1 and is valid for LANs, packets are directly discarded when passing through the next router.
If a user connects a router to Ruijie device without permission and connects a client to the router, packets cannot
pass through the client, either. This restriction prevents users from connecting routers without permission.

Note
 Changing the TTL affects packet forwarding on the network.
 The following data packets are not affected by this function: data packets forwarded by the express
forwarding function of the device, data packets used by Wi-Fi cracking software (Cheetah Wi-Fi) to
implement hotspot sharing, data packets forwarded at L2, and data packets passing through devices with
TTL changed.

3.20.2 Configuring TTL Rules

Choose Local Device > Advanced > TTL Rule.

126
Web-based Configuration Guide Network Settings

This operation allows you to change the TTL value in packets forwarded to a specified IP address range or a
specified port.

1. Configuring a TTL Rule

Table 3-19 Description of TTL Rule Configuration

Parameter Description

Rule Name Specify the name of a TTL rule.

Specify the range for the rule to take effect:

Specified Mode IP Range: Indicates that the TTL rule takes effect on a specified IP address range.
Outbound Interface: Indicates that the TTL rule takes effect on a specified outbound
interface.

Configure a rule for TTL values in packets.

TTL Value: Specifies the value, to which the TTL value is changed, after a data packet
TTL Config passes through the device.
Mode TTL Increment: Specifies the increment of the TTL value on the basis of the original
value after a data packet passes through the device.
TTL Decrement: Specifies the decrement of the TTL value on the basis of the original
value after a data packet passes through the device.

Value Configure the TTL value in packets. The value range is from 1 to 255.

127
Web-based Configuration Guide Network Settings

2. Deleting a TTL Rule

 Click Delete to delete the configuration of a specified entry.

 Select multiple entries and click Delete Selected to bulk delete selected entries.

3. Editing a TTL Rule

Click Edit. Change the TTL rule configuration mode and TTL value.

4. Adjusting the Sequence of TTL Rules

After configuring multiple TTL rules, you can adjust their sequence to specify the rule matching sequence. TTL
rules in front rows are matched first, and those in back rows are matched later. If the ranges of rules overlap, the
final effect is the superposition of multiple matching results.

128
Web-based Configuration Guide Network Settings

3.21 Other Settings

Choose Local Device > Advanced > Other Settings.

You can set some functions not frequently used on the Other Settings page. By default, all the functions on this
page are disabled.

Enable RIP&RIPng: After this function is enabled, LAN and WAN ports support dynamic routing protocols Routing
Information Protocol (RIP) and RIP next generation (RIPng) and can automatically synchronize route information
from other RIP-enabled routers in the network.

Enable Advanced Firewall: After this function is enabled, enhanced attack defense and packet protocol check
will degrade the forwarding performance of the device.

Enable SIP ALG: Some voice communication uses the Session Initiation Protocol (SIP) protocol. If the server is
connected to a WAN port, SIP packets may become unavailable after NAT. After you enable this function, SIP
packets are converted by the application-level gateway (ALG). You can enable or disable this function based on
actual needs.

Disable ICMPv6 Error Messages: In normal cases, when the device receives an ICMPv6 anomaly packet, it
sends an ICMPv6 error packet to the packet source. If you do not want the device to send these packets due to
security considerations, enable this function.

129
Web-based Configuration Guide AP Management

4 AP Management
Note
 To manage the downlink AP, please enable self-organizing network discovery (See Section 3.1 Switching
the Work Mode for details.). The wireless settings are synchronized to all wireless devices in the network
by default. You can configure groups to limit the device scope under wireless management. For details,
see 4.1 AP Management.
 The device does not emit the Wi-Fi signals. Deliver the wireless settings to the downlink AP to take effect.

4.1 Configuring AP Groups

4.1.1 Overview

After self-organizing network discovery is enabled, the device can function as the master AP/AC to batch
configure and manage its downlink APs by group. Before you configure the APs, divide them to different groups.

Note

If you specify groups when configuring the wireless network, the configuration takes effect on wireless devices
in the specified groups.

4.1.2 Configuration Steps

Choose Network > Devices > AP.

(1) View the information of all APs in the current network, including the basic information, RF information, and
model. Click the SN of an AP to configure the AP separately.

(2) Click Expand. Information of all the current groups is displayed to the left of the list. Click to create a

group. You can create a maximum of eight groups. Select the target group and click to modify the group

name or click to delete the group. You cannot modify the name of the default group or delete the default
group.

130
Web-based Configuration Guide AP Management

(3) Click a group name in the left. All devices in the group are displayed. One device can belong to only one group.
By default, all devices belong to the default group. Select a record in the device list and click Change Group
to migrate the selected device to the specified group. After a device is moved to the specified group, the device
will use the configuration for the new group. Click Delete Offline Devices to remove offline devices from the
list.

4.2 Configuring Wi-Fi

Choose Network > Wi-Fi > Wi-Fi Settings.

131
Web-based Configuration Guide AP Management

(1) Configure a Wi-Fi.

a Click Add Wi-Fi.

132
Web-based Configuration Guide AP Management

b Enter the SSID and Wi-Fi password, select a frequency band.

c Click Advanced Settings to configure more Wi-Fi parameters.

d Click OK.

133
Web-based Configuration Guide AP Management

Caution

Modification will cause restart of the wireless configuration, resulting in logout of connected clients. Exercise
caution when performing this operation.

Table 4-1 Wireless network configuration

Parameter Description

Enter the name displayed when a wireless client searches for a wireless
SSID
network.

If the SSID does not contain Chinese, this item will be hidden. If the SSID
SSID Encoding
contains Chinese, this item will be displayed. You can select UTF-8 or GBK.

Set the band used by the Wi-Fi signal. The options are 2.4 GHz and 5 GHz. The
5 GHz band provides faster network transmission rate and less interference than
the 2.4 GHz band, but is inferior to the 2.4 GHz band in terms of signal coverage
Band
range and wall penetration performance. Select a proper band based on actual
needs. The default value is 2.4G + 5G, indicating that the device provides
signals at both 2.4 GHz and 5 GHz bands.

Select an encryption mode for the wireless network connection. The options are
as follows:

Open: The device can associate with Wi-Fi without a password.

Security WPA-PSK/WPA2-PSK: Wi-Fi Protected Access (WPA) or WPA2 is used for
encryption.

WPA_WPA2-PSK (recommended): WPA2-PSK or WPA-PSK is used for

encryption.

Specify the password for connection to the wireless network. The password is a
Wi-Fi Password
string of 8 to 16 characters.

Specify the time periods during which Wi-Fi is enabled. After you set this
Wireless Schedule
parameter, users cannot connect to Wi-Fi in other periods.

Set the VLAN to which the Wi-Fi signal belongs. You can choose from the
VLAN available VLANs or click Add New VLAN, and go to the LAN Settings page to
add a VLAN.

Enabling the hide SSID function can prevent unauthorized user access to Wi-Fi,
improving security. However, mobile phones or computers cannot find the SSID
Hide SSID after this function is enabled. You must manually enter the correct name and
password to connect to Wi-Fi. Record the current SSID before you enable this
function.

134
Web-based Configuration Guide AP Management

Parameter Description

After you enable this parameter, clients associated with the Wi-Fi are isolated
Client Isolation from one other, and end users connected to the same AP (in the same network
segment) cannot access each other. This improves security.

After this function is enabled, 5G-capable clients select 5G Wi-Fi preferentially.

Band Steering
You can enable this function only when Band is set to 2.4G + 5G.

After this function is enabled, the device sends game packets preferentially,
XPress
providing more stable wireless network for games.

After this function is enabled, clients keep their IP addresses unchanged when
Layer-3 Roaming associating with the same Wi-Fi. This function improves the roaming experience
of users in the cross-VLAN scenario.

After this function is enabled, wireless users can have faster network access
speed and optimized network access experience.
Wi-Fi6 This function is valid only on APs and routers supporting 802.11ax. Clients must
also support 802.11ax to experience high-speed network access empowered by
Wi-Fi 6. If clients do not support Wi-Fi 6, disable this function.

(2) Configuring Guest Wi-Fi

Guest Wi-Fi is a wireless network provided for guests, and is disabled by default. Client Isolation is enabled
for guest Wi-Fi by default, and it cannot be disabled. In this case, users associating with guest Wi-Fi are
mutually isolated, and they can only access the Internet through Wi-Fi. This improves network access security.
You can configure a wireless schedule for the guest network. After the specified schedule expires, the guest
network will become unreachable.

a Click Add Guest Wi-Fi.

b Set the guest SSID and password. Click Advanced Settings to configure the wireless schedule of the
guest Wi-Fi and more Wi-Fi parameters (For details, see Section 4.2 Configuring Wi-Fi.). Click Save.
Guests can access the Internet through Wi-Fi after entering the SSID and password.

135
Web-based Configuration Guide AP Management

136
Web-based Configuration Guide AP Management

4.3 Adding a Wi-Fi

Choose Network > Wi-Fi > Wi-Fi List.

Click Add Wi-Fi, enter the SSID and password, and click OK to create a Wi-Fi. Click Advanced Settings to
configure more Wi-Fi parameters. For details, see Section 4.2 Configuring Wi-Fi. After a Wi-Fi is added, clients
can find this Wi-Fi, and the Wi-Fi information is displayed in the Wi-Fi list.

137
Web-based Configuration Guide AP Management

4.4 Healthy Mode

Choose Network > Wi-Fi > Healthy Mode.

Turn on healthy mode and select a wireless schedule for the mode.

After the healthy mode is enabled, the RF transmit power and Wi-Fi coverage range of the device are reduced in
the schedule. This may lead to weak signals and network freezing. You are advised to disable healthy mode or
set the wireless schedule to the idle periods.

4.5 RF Settings
Choose Network > Radio Frequency.

138
Web-based Configuration Guide AP Management

The device can detect the surrounding wireless environment upon power-on and select proper configuration.
However, network freezing caused by wireless environment changes cannot be prevented. You can analyze the
wireless environment around the APs and routers and manually select proper parameters.

Caution

Modification will cause restart of the wireless configuration, resulting in logout of connected clients. Exercise
caution when performing this operation.

Table 4-2 RF configuration

Parameter Description

The Wi-Fi channels stipulated by each country may be different. To ensure that
Country/Region clients can find the Wi-Fi signal, select the country or region where the device is
located.

A lower bandwidth indicates more stable network, and a higher bandwidth

indicates easier interference. In case of severe interference, select a relatively
low bandwidth to prevent network freezing to certain extent. The 2.4 GHz band
2.4G/5G Channel Width supports the 20 MHz and 40 MHz bandwidths. The 5 GHz band supports the 20
MHz, 40 MHz, and 80 MHz bandwidths.

By default, the value is Auto, indicating that the bandwidth is selected

automatically based on the environment.

139
Web-based Configuration Guide AP Management

Parameter Description

If a large number of users access the AP or router, the wireless network

performance of the AP or router may be degraded, affecting users' Internet
access experience. After you set this parameter, new user access is prohibited
Client Count Limit
when the number of access users reaches the specified value. If the clients
require high bandwidth, you can adjust this parameter to a smaller value. You
are advised to keep the default value unless otherwise specified.

When multiple Wi-Fi signals are available, you can set this parameter to
optimize the wireless signal quality to some extent. When a client is far away
from the wireless device, the Wi-Fi connection is disconnected when the
wireless signal strength of the end user is lower than the kick-off threshold. In
Kick-off Threshold
this case, the client has to select a nearer wireless signal.

The client is prone to be kicked off if the kick-off threshold is high. To ensure that
the client can normally access the Internet, you are advised to set this
parameter to Disable or a value smaller than -75 dBm.

Note
 Wireless channels available for your selection are determined by the country/region code. Select the
country/region code based on the country or region of your device.
 Channel, transmit power, and roaming sensitivity cannot be set globally. Please perform the configurations
on the devices separately.

140
Web-based Configuration Guide AP Management

4.6 Configuring Wi-Fi Blacklist or Whitelist

4.6.1 Overview

You can configure the global or SSID-based blacklist and whitelist. The MAC address supports full match and
OUI match.

Wi-Fi blacklist: Clients in the Wi-Fi blacklist are prevented from accessing the Internet. Clients that are not added
to the Wi-Fi blacklist are free to access the Internet.

Wi-Fi whitelist: Only clients in the Wi-Fi whitelist can access the Internet. Clients that are not added to the Wi-Fi
whitelist are prevented from accessing the Internet.

Caution

If the whitelist is empty, the whitelist does not take effect. In this case, all clients are allowed to access the
Internet.

4.6.2 Configuring a Global Blacklist/Whitelist

In Network mode, choose Clients > Blacklist/Whitelist > Global Blacklist/Whitelist.

Select the blacklist or whitelist mode and click Add to configure a blacklist or whitelist client. In the Add dialog
box, enter the MAC address and remark of the target client and click OK. If a client is already associated with the
router, its MAC address will pop up automatically. Click the MAC address directly for automatic input. All clients
in the blacklist will be forced offline and not allowed to access the Wi-Fi network. The global blacklist and whitelist
settings take effect on all Wi-Fi networks of the router.

141
Web-based Configuration Guide AP Management

If you delete a client from the blacklist, the client will be allowed to connect to the Wi-Fi network. If you delete a
client from the whitelist, the client will be forced offline and denied access to the Wi-Fi network.

4.6.3 Configuring an SSID-based Blacklist/Whitelist

In Network mode, choose Clients > Blacklist/Whitelist > SSID-Based Blacklist/Whitelist.

Select a target Wi-Fi network from the left column, select the blacklist or whitelist mode, and click Add to configure
a blacklist or whitelist client. The SSID-based blacklist and whitelist will restrict the client access to the specified
Wi-Fi.

142
Web-based Configuration Guide AP Management

4.7 Configuring AP Load Balancing

4.7.1 Overview

The AP load balancing function is used to balance the load of APs in the wireless network. When APs are added
to a load balancing group, clients will automatically associate with the APs with light load when the APs in the
group are not load balanced. AP load balancing supports two modes:

 Client Load Balancing: The load is balanced according to the number of associated clients. When a large
number of clients have been associated with an AP and the count difference to the AP with the lightest load
has reached the specified value, the client can only associate with another AP in the group.

 Traffic Load Balancing: The load is balanced according to the traffic on the APs. When the traffic on an AP is
large and the traffic difference to the AP with the lightest load has reached the specified value, the client can
only associate with another AP in the group.

Example: Add AP1 and AP2 into a group and select client load balancing. Set both the client count threshold and
difference to 3. AP1 is associated with 5 clients and AP2 is associated with 2 clients, triggering load balancing.
New clients' attempt to associate to AP1 will be denied, and therefore they can associate only with AP2.

After a client request is denied by an AP and it fails to associate with another AP in the group, the client will keep
trying to associate with this AP. If the client attempts reach the specified value, the AP will permit connection of
this client, ensuring that the user can normally access the Internet.

4.7.2 Configuring Client Load Balancing

Choose Network > Wi-Fi > Load Balancing.

Click Add. In the dialog box that appears, set Type to Client Load Balancing, and configure Group Name,
Members, and Rule.

143
Web-based Configuration Guide AP Management

Table 4-3 Client load balancing configuration

Parameter Description

Group Name Enter the name of the AP load balancing group.

Type Select Client Load Balancing.

144
Web-based Configuration Guide AP Management

Parameter Description

Configure a detailed load balancing rule, including the maximum number of

clients allowed to associate with an AP, the difference between the currently
associated client count and client count on the AP with the lightest load, and the
number of attempts to the AP with full load.
Rule By default, when an AP is associated with 3 clients and the difference between
the currently associated client count and client count on the AP with the lightest
load reaches 3, clients can associate only to another AP in the group. After a
client association is denied by an AP for 10 times, the client will be allowed to
associate to the AP upon the next attempt.

Members Specify the APs to be added to the AP load balancing group.

4.7.3 Configuring Traffic Load Balancing

Choose Network > Wi-Fi > Load Balancing.

Click Add. In the dialog box that appears, set Type to Traffic Load Balancing, and configure Group Name,
Members, and Rule.

145
Web-based Configuration Guide AP Management

Table 4-4 Traffic load balancing configuration

Parameter Description

Group Name Enter the name of the AP load balancing group.

Type Select Traffic Load Balancing.

Configure a detailed load balancing rule, including the maximum traffic allowed
on an AP, the difference between the current traffic and the traffic on the AP with
the lightest load, and the number of attempts to the AP with full load.

By default, when the traffic load on an AP reaches 500 Kbit/s and the difference
Rule
between the current traffic and the traffic on the AP with the lightest load reaches
500 Kbit/s, clients can associate only to another AP in the group. After a client
association is denied by an AP for 10 times, the client will be allowed to
associate to the AP upon the next attempt.

Members Specify the APs to be added to the AP load balancing group.

146
Web-based Configuration Guide AP Management

4.8 Configuring Wireless Rate Limiting

4.8.1 Overview

The device supports four rate limiting modes: client-based rate limiting, SSID-based rate limiting, AP-based rate
limiting, and packet-based rate limiting. For the same client, if multiple rate limiting modes are configured, the
priority order is as follows: client-based rate limiting > SSID-based rate limiting > AP-based rate limiting.

 Client-based rate limiting: This function allows you to limit the rate based on the MAC address of the client, so as
to limit or guarantee the bandwidth required by specific clients.

 SSID-based rate limiting: This function provides two rate limiting modes for a specified SSID: Rate Limit Per User
and Rate Limit All Users. Rate Limit Per User means that all clients connected to the SSID use the same rate
limit. Rate Limit All Users means that the configured rate limit value is evenly allocated to all clients connected to
the SSID. The rate limit value of each client dynamically changes with the number of clients connected to the SSID.

 AP-based rate limiting: This function limits the client rates based on the whole network. All clients connected to the
network will work according to the configured rate limit value.

 Packet-based rate limiting: This function limits the client rates based on the downlink broadcast and multicast
packets. The device supports rate limiting for specific broadcast packets (such as ARP and DHCP), multicast
packets (such as MDNS and SSDP), or all types of broadcast and multicast packets. If network stalling remains
during network access and there is no client with large traffic, you are advised to adjust the rate between 1 kbps
and 512 kbps.

4.8.2 Configuration Steps

1. Configuring Client-based Rate Limiting

Choose Network > LimitSpeed > Client-based Rate Limiting.

(1) Enable Wireless Rate Limiting.

(2) Click Add. In the dialog box that appears, set the MAC address and uplink and downlink rate limit values of
the client, and click OK.

147
Web-based Configuration Guide AP Management

2. Configuring SSID-based Rate Limiting

Choose Network > LimitSpeed > SSID-based Rate Limiting.

(1) Enable Wireless Rate Limiting.

(2) Click Edit in the Action column of the target SSID. In the dialog box that appears, set the uplink and downlink
rate limit modes and values, and click OK.

148
Web-based Configuration Guide AP Management

3. Configuring AP-based Rate Limiting

Choose Network > LimitSpeed > AP-based Rate Limiting.

(1) Enable Wireless Rate Limiting.

(2) Set the uplink and downlink rate limit modes to Rate Limit Per User, configure the rate limit values, and click
OK.

4. Configuring Packet-based Rate Limiting

Choose Network > LimitSpeed > Packet-based Rate Limiting.

(1) Enable Wireless Rate Limiting.

(2) Select the specific type of packets for rate limiting, configure the rate limit value, and click Save.

149
Web-based Configuration Guide AP Management

4.9 Wireless Network Optimization

4.9.1 Wireless Network Optimization with One Click

Choose Network > WIO.

On the Network Optimization tab, select I have read the notes and click Network Optimization to perform
automatic wireless network optimization in the networking environment. You can configure scheduled optimization
to optimize the network at the specified time. You are advised to set the scheduled optimization time to daybreak
or the idle periods.

Caution

Clients may be kicked offline during optimization and the configuration cannot be rolled back after optimization
starts. Exercise caution when performing this operation.

150
Web-based Configuration Guide AP Management

After optimization starts, please wait patiently until optimization is complete. After optimization ends, click Cancel
Optimization to restore optimized RF parameters to default values.

Click View Details or the Optimization Record tab to view the latest optimization record details.

4.9.2 Wi-Fi Roaming Optimization (802.11k/v)

Wi-Fi roaming is further optimized through the 802.11k/802.11v protocol. Smart endpoints compliant with IEEE
802.11k/v can switch association to the access points with better signal and faster speed, thereby ensuring high-
speed wireless connectivity.

To ensure high quality of smart roaming service, the WLAN environment will be automatically scanned when Wi-
Fi roaming optimization is first enabled.

Choose Network > WIO > Wi-Fi Roaming Optimization (802.11k/v).

151
Web-based Configuration Guide AP Management

Caution
During the optimization, the clients may be forced offline. Please proceed with caution.

Click Enable and the optimization starts.

4.10 Wi-Fi Authentication

4.10.1 Overview

With the popularity of wireless networks, Wi-Fi has become one of the marketing means for merchants. Customers
can connect to the Wi-Fi provided by the merchants to surf the Internet after watching advertisements or following
the WeChat official accounts. In addition, to defend against security vulnerabilities, the wireless office network
usually allows only employees to associate with Wi-Fi, so the identity of the clients needs to be verified.

The Wi-Fi authentication function of the device uses the Portal authentication technology to implement information
display and user management. After users connect to Wi-Fi, the traffic will not be directly routed to the Internet.
Wi-Fi users must pass authentication on the Portal authentication website, and only authenticated users are
allowed to use network resources. Merchants or enterprises can customize Portal pages for identity authentication
and advertisement display.

4.10.2 Getting Started

(1) Before you enable Wi-Fi authentication, ensure that the wireless signal is stable and users can connect to Wi-
Fi and surf the Internet normally. The wireless SSID used for authentication in the network should be set to
the open state. Encryption may lead to exceptions during Connect Wi-Fi via WeChat authentication.

(2) If the IP address of an AP in the network is within the authentication scope, add the AP as the authentication-
free user. For details, see Section 4.10.9 Authentication-Free.

○ In a Layer 2 network, add the MAC address of the AP to the authentication-free MAC address whitelist.

152
Web-based Configuration Guide AP Management

○ In a Layer 3 network, add the IP address of the AP to the authentication-free IP address whitelist.

4.10.3 WeChat Authentication

1. Overview

The EG device is connected to the MACC authentication server on the cloud. After Wi-Fi users connect to Wi-Fi,
a Portal page pops up. The users need to jump to WeChat and follow the WeChat official account before they
can access the Internet. WeChat authentication is applicable to the shopping mall scenario, where merchants
guide customers to follow their WeChat official accounts through WeChat authentication.

2. Getting Started

(1) Connect Wi-Fi via WeChat is a Layer 2 protocol. Ensure that the authentication device can obtain the MAC
addresses of the wireless users.

○ The gateway address of the wireless users to be authenticated is deployed on the authentication device.

○ If the gateway address is not deployed on the authentication device, the device functions as a DHCP
server to allocate IP addresses to the wireless users and obtain MAC addresses of the wireless users. In
this scenario, you need to set Network Type to Layer-3 Network.

(2) Complete the corresponding configuration on the WeChat Official Account platform and NOC MACC platform
before you enable the authentication function on the device. Ruijie Cloud supports voucher authentication,
local account authentication, SMS authentication, and one-click authentication. Please log into Ruijie Cloud to
enable authentication.

3. Configuration Steps

Choose Local Device > Advanced > Authentication > Cloud Auth.

(1) Enable WeChat authentication for Internet access.

Turn on Authentication, set Server Type to Connect Wi-Fi via WeChat, configure Network Type, Auth
Server URL, Redirect IP, and Client Escape, and click Save.

153
Web-based Configuration Guide AP Management

Table 4-5 WeChat authentication configuration

Parameter Description

The default value is Layer-2 Network. Select a network type based on the
actual network environment.

As Connect Wi-Fi via WeChat is a Layer 2 protocol, in a Layer 3 network

environment, you need to connect downlink devices to the current authentication
Network Type
device through the DHCP relay and deploy the DHCP address pool for the
authentication-engaged network segments in the authentication device. In this
way, the authentication device can obtain MAC addresses of wireless users
through DHCP. In this scenario, set this parameter to Layer-3 Network.

Server Type Select Connect Wi-Fi via WeChat.

After you complete the MACC server configuration, the MACC server returns a
Auth Server URL
URL. The device sends an authentication request to this URL.

The redirect IP address corresponds to a menu or link address set in the official
account. The default value is 118.31.178.137. Generally, you do not need to
change the value.

Redirect IP After the user is redirected to the WeChat official account, the user needs to visit
this IP address before the subsequent authentication steps can continue.

Change the value to an IP address in a not used LAN network segment, if

required. For details, see Troubleshooting.

154
Web-based Configuration Guide AP Management

Parameter Description

After this function is enabled, the authentication function is disabled on the

device if the authentication server fails, so that all the users can directly access
Client Escape
the Internet. After the server recovers, the authentication function is started
automatically.

(1) Configure the authentication scope.

Click Add on the current page. In the dialog box that appears, enter the SSID and IP address range that
needs authentication, and click OK.

For clients that do not need authentication, such as printers, computers, or some users, set IP/IP Range to
authentication-free, so that these clients can directly access the Internet. For details, see Section 4.10.9
Authentication-Free.

4. Verifying Configuration

When a mobile phone connects to the specific Wi-Fi, the Portal authentication page pops up automatically. The
user visits the WeChat page under instructions on the Portal authentication page, follows the WeChat official
account, clicks the menu or auto reply link to complete authentication. Then, the user can normally access the
Internet. After successful user authentication, you can choose Advanced > Authentication > Online Clients to
view information about this authenticated user. For details, see Section 4.10.10 Online Authenticated User
Management.

5. Troubleshooting

 When the user clicks the authentication menu or link in the official account during WeChat authentication, the

155
Web-based Configuration Guide AP Management

message This page cannot be accessed now. pops up, leading to authentication failure.

Cause: The link address set in the official account authentication entry in the Official Account Platform is regarded
as insecure by Security Center of the WeChat client. When a client sends a request to this address, WeChat
blocks this request.

Solution: Change the forced redirection address and the address in the official account authentication menu or
link to an IP address not used in the LAN. For example, if the network segment 172.29.0.0 is not used in the LAN,
set both the official account redirection IP address and the link address in the official account to 172.29.1.140.

Caution

If the official account redirection IP address is set to an IP address in a network segment used in the LAN,
WeChat authentication will fail.

4.10.4 Enterprise WeChat Authentication

1. Overview

Similar to WeChat authentication, Wi-Fi users need to jump to the enterprise WeChat after connecting to Wi-Fi
and complete applet authentication in the workspace before they can access the Internet. Enterprise WeChat

156
Web-based Configuration Guide AP Management

authentication can be used to manage Internet access of employee clients and guest clients in the enterprise
environment.

2. Getting Started

Same as those in Section 4.10.3 WeChat Authentication. Before you enable enterprise WeChat authentication,
complete relevant configurations on the enterprise WeChat console and NOC MACC platform.

3. Configuration Steps

Choose Local Device > Advanced > Authentication > Cloud Auth.

The configuration steps are similar to those in WeChat authentication, with major difference in that the official
account redirection IP address in enterprise WeChat authentication should be set to 47.104.189.180:81. For
details, see Section 4.10.3 WeChat Authentication.

4. Employee Authentication

Make sure that the employee has joined the enterprise WeChat organization. When the employee connects the
mobile phone to Wi-Fi, the employee is automatically redirected to the enterprise WeChat for authentication. After
the employee opens the enterprise WeChat, employee needs to enter the Workspace menu of the enterprise
WeChat and click the authentication app created by the administrator to obtain Internet access permission. After
the authentication success message pops up, the employee can access the Internet normally.

The enterprise WeChat may not be started on the Portal authentication page on some mobile phones due to poor
compatibility. If this occurs, users can manually open the enterprise WeChat and continue follow-up operations.

5. Guest Authentication

Guest access to the Internet via Wi-Fi should be authorized by the receptionist. After a guest connects to the
guest Wi-Fi, the authentication QR code pops up. At this time, the authenticated employee scans the QR code

157
Web-based Configuration Guide AP Management

using the enterprise WeChat on the mobile phone and enters the guest name. Then, the guest can pass
authentication and access the Internet normally.

It should be noted that when configuring guest authentication, you need to configure at least two Wi-Fi SSIDs and
corresponding network segments in the Wi-Fi list, which are used for employee connection and guest connection,
respectively.

4.10.5 WiFiDog Authentication

1. Overview

The EG device is connected to the MACC authentication server on the cloud. After Wi-Fi users connect to Wi-Fi,
a Portal page pops up. The users need to enter the account and password to pass authentication before they can
access the Internet. According to the authentication configuration on the MACC server, you can set the
authentication mode to SMS authentication, fixed account authentication, or account-free one-click login.

2. Getting Started

(1) WiFiDog is a Layer 2 protocol. Ensure that the authentication device can obtain the MAC addresses of the
wireless users.

○ The gateway address of the wireless users to be authenticated is deployed on the authentication device.

○ If the gateway address is not deployed on the authentication device, the device functions as a DHCP
server to allocate IP addresses to the wireless users and obtain MAC addresses of the wireless users. In
this scenario, you need to set Network Type to Layer-3 Network.

(2) Complete the corresponding configuration on the NOC MACC platform before you enable the authentication
function on the device. If SMS authentication is used, you also need to configure the SMS gateway.

3. Configuration Steps

Choose Local Device > Advanced > Authentication > Cloud Auth.
(1) Turn on Authentication.

(2) Set Server Type to Cloud Integration, configure Network Type, Auth Server URL, Client Escape, and IP/IP
Range, and click Save.

158
Web-based Configuration Guide AP Management

(3) In the Wi-Fi List area, click Add. In the displayed dialog box, enter the Wi-Fi network name and the IP
address/range to be authenticated and click OK.

Table 4-6 Description of WiFiDog Authentication Configuration

Parameter Description

The default value is Layer-2 Network. Set the parameter based on the actual network
Network Type
environment.

Server Type Select Cloud Integration from the drop-down list.

After completing the configuration at the MACC server end, the MACC server returns a
Auth Server URL
URL. The device sends authentication requests to the URL during authentication.

After the client escape function is enabled, if an exception occurs on the authentication
Client Escape server, the device disables authentication to allow all clients to directly access the
Internet. After the server recovers, the device automatically enables authentication.

Specify the name of a Wi-Fi network, to which clients connect. A maximum of eight Wi-
SSID
Fi network names can be configured.

159
Web-based Configuration Guide AP Management

Parameter Description

Specify the IP address range to be authenticated. You can enter a single IP address
IP/IP Range (such as 192.168.112.2) or an IP address range (such as 192.168.112.2–
192.168.112.254). A maximum of five IP address ranges can be configured.

4. Verifying Configuration

After a mobile phone connects to a specific Wi-Fi, the Portal authentication page pops up automatically.

If the authentication mode configured on the MACC server is SMS authentication, the user needs to enter the
mobile number to obtain an Internet access password and enter the password to complete authentication.

If the authentication mode configured on the MACC server is account-free one-click authentication, the user can
directly access the Internet after clicking the corresponding button on the page.

If the authentication mode configured on the MACC server is fixed account login, the user can access the Internet
after entering the account and password configured on the cloud.

After successful connection, you can choose Advanced > Authentication > Online Clients to view information
about this authenticated user. For details, see Section 4.10.10 Online Authenticated User Management.

4.10.6 Local Account Authentication

1. Overview

The device is connected to the local authentication server, and user identity is verified based on the account and
password. Local account authentication is applicable to the wireless office network environment.

2. Getting Started

Ensure that the device with the authentication function enabled has been connected to the Internet. Otherwise,
the authentication page does not pop up when a client associates with Wi-Fi.

3. Configuration Steps

Choose Local Device > Advanced > Authentication > Local Account Auth.

(1) Enable account authentication.

Turn on Local Account Auth, enter the IP address range of clients to be authenticated, and click Save. After
account authentication is enabled, clients in the specified IP address range can access the Internet only after
passing authentication.

160
Web-based Configuration Guide AP Management

(2) Configure an authentication account.

Click Add to configure an authentication account for Internet access. Multiple clients can access the Internet
using the same account and password. The Concurrent Users parameter specifies the maximum number
of users allowed to access the Internet using the same account.

After a Wi-Fi user passes authentication using an account, the IP address of the authenticated user is
displayed in the IP column next to the account. The account list records a maximum of five latest device IP
addresses using the same account.

161
Web-based Configuration Guide AP Management

4. Verifying Configuration

After a client connects to the specific Wi-Fi, the authentication page pops up automatically. The user can normally
access the Internet only after entering the account and password configured on the local server on the
authentication page. You can choose Advanced > Authentication > Online Clients to view information about
the successfully connected user. For details, see Section 4.10.10 Online Authenticated User Management.

4.10.7 Authorized Guest Authentication

1. Overview

The device is connected to the local authentication server. After a guest connects to Wi-Fi, the guest can access
the Internet after the specified authorization IP user or account and password authentication user scans the QR
code that pops up for guest authentication. For example, in the wireless office network, users in the employee
network segment are authorized to scan the guest authentication QR code for users in the guest network segment.

2. Getting Started

Ensure that the device with the authentication function enabled has been connected to the Internet. Otherwise,
the authentication page does not pop up when a client associates with Wi-Fi.

3. Configuration Steps

Choose Local Device > Advanced > Authentication > Authorized Auth.

Turn on Authorized Auth, configure Popup Message, Auth IP / IP Range, Authorization IP/IP Range, and
Limit Online Duration, and click Save.

162
Web-based Configuration Guide AP Management

Table 4-7 Authorized guest authentication configuration

Parameter Description

Popup Message Specify the text to be displayed on the pop-up QR code page.

Specify the IP address range for users to be authenticated. The value can be a
single IP address (such as 192.168.110.2) or an IP address range (such as
Auth IP / IP Range
192.168.110.2-192.168.110.254). Users in the specified IP address range can
access the Internet only after passing authentication.

Specify whether to limit the online duration of guests. After you enable this
function, you need to configure Duration Limit. If the online duration of a guest
Limit Online Duration exceeds the specified value, the guest can continue Internet access only after re-
authorization. By default, this function is disabled, indicating that guests can use
Wi-Fi without limit on the online duration.

Specify the maximum online duration of authorized guests. If the online duration
Duration Limit of an authorized guest exceeds the specified value, the guest goes offline
automatically and needs to be re-authorized for login again.

Authorization IP/IP Specify the IP address range of authorization users. Users in this range can scan
Range the QR code to authorize guests.

4. Verifying Configuration

After a guest connects to Wi-Fi, the QR code authentication page pops up. The guest can access the Internet
after the specified authorization user scans this QR code. You can choose Advanced > Authentication > Online
Clients to view information about the successfully connected user. For details, see Section 4.10.10 Online
Authenticated User Management.

4.10.8 Guest Authentication Through QR Code Scanning

1. Overview

Guests scan the specified QR code to access the Internet. For example, in the wireless office network, guests
scan the pasted QR code to access the Internet after they connect to Wi-Fi.

2. Getting Started

Ensure that the device with the authentication function enabled has been connected to the Internet. Otherwise,
the authentication page does not pop up when a client associates with Wi-Fi.

3. Configuration Steps

Choose Local Device > Advanced > Authentication > QR Code Auth.

Turn on QR Code Auth, configure Auth IP / IP Range, Limit Online Duration, and QR Code Generator, and
click Save.

163
Web-based Configuration Guide AP Management

Table 4-8 Guest authentication through QR code scanning configuration

Parameter Description

Specify the IP address range for users to be authenticated. The value can be a
single IP address (such as 192.168.110.2) or an IP address range (such as
Auth IP / IP Range
192.168.110.2-192.168.110.254). Users in the specified IP address range can
access the Internet only after passing authentication.

Specify whether to limit the online duration of guests. After you enable this
function, you need to configure Duration Limit. If the online duration of a guest
Limit Online Duration exceeds the specified value, the guest needs to scan the QR code again before
continuing Internet access. By default, this function is disabled, indicating that
guests can use Wi-Fi without limit on the online duration.

Specify the maximum online duration of authorized guests. If the online duration
Duration Limit of an authorized guest exceeds the specified value, the guest goes offline
automatically and needs to be re-authenticated.

164
Web-based Configuration Guide AP Management

Parameter Description

The dynamic QR code is used to generate a QR code image. After the dynamic
QR code is updated, the QR code image changes and the previous image
Dynamic QR Code becomes invalid.

You can print and paste the generated QR code image, which can be scanned
by guests to access the Internet.

Specify the QR code prompt message displayed on the page after a guest scans
Popup Message
the QR code.

4. Verifying Configuration

After a client connects to Wi-Fi, the guest can scan the QR code to pass authentication and access the Internet.
You can choose Advanced > Authentication > Online Clients to view information about the successfully
connected user. For details, see Section 4.10.10 Online Authenticated User Management.

4.10.9 Authentication-Free

1. Overview

After IP addresses or MAC addresses are configured for authentication-free users, they can directly access the
Internet without passing authentication. Traffic from all the users in the blacklist is blocked.

2. Configuring an Authentication-Free User

Choose Local Device > Advanced > Authentication > Whitelist > User Whitelist.

Authentication-free user: Users in the specified IP address range can directly access the Internet without passing
authentication.

Click Add to configure the IP address range for authentication-free users. The value can be a single IP address
(such as 192.168.110.2) or an IP address range (such as 192.168.110.2-192.168.110.254). A maximum of 50
entries are supported.

165
Web-based Configuration Guide AP Management

3. Configuring Extranet IP Addresses for Authentication-Free

Choose Local Device > Advanced > Authentication > Whitelist > IP Whitelist.

Extranet IP address for authentication-free: Specify the IP addresses that can be assessed by all users including
unauthenticated users.

Click Add to configure extranet IP addresses that can be assessed by users without authentication. A maximum
of 50 entries are supported.

4. Configuring a URL Whitelist

Choose Local Device > Advanced > Authentication > Whitelist > URL Whitelist.

URL Whitelist: Specify the URLs that can be accessed without authentication.

Click Add. In the dialog box that appears, enter the authentication-free URLs, and then click OK. When the
destination URL of the user is in the URL whitelist, traffic from the user will be permitted directly, regardless of
whether the user passes authentication. A maximum of 100 entries are supported.

166
Web-based Configuration Guide AP Management

5. Configuring a User MAC Whitelist

Choose Local Device > Advanced > Authentication > Whitelist > MAC Whitelist.

MAC Whitelist: Clients whose MAC addresses are in the whitelist can access the Internet through Wi-Fi without
the need for authentication.

Click Add. In the dialog box that appears, enter the MAC addresses of authentication-free users, and then click
OK. A maximum of 250 entries are supported.

167
Web-based Configuration Guide AP Management

6. Configuring a User MAC Blacklist

Choose Local Device > Advanced > Authentication > Whitelist > MAC Blacklist.

User MAC blacklist: Clients whose MAC addresses are in the blacklist are prohibited from accessing the Internet.

Click Add. In the dialog box that appears, enter the MAC addresses of users in the blacklist, and then click OK.
A maximum of 250 entries are supported.

4.10.10 Online Authenticated User Management

1. Configuring the Idle Client Timeout Period

Choose Local Device > Advanced > Authentication > Online Clients.

You can configure the idle client timeout period. The default value is 15 minutes. If no traffic from an online user
passes through the device within the specified period, the device will force the user offline. The user can continue
Internet access only after re-authentication.

168
Web-based Configuration Guide AP Management

2. Kicking a User Offline

The online client list displays information about all the current online clients, including the client IP address, client
MAC address, login time, and authentication mode. You can find the client information based on the IP address,
MAC address, or username. Find the target client in the online client list and click Delete in the Action column to
kick the client off and disconnect the Wi-Fi connection of the client.

4.11 Enabling Reyee Mesh

Choose Network > Reyee Mesh.

After Reyee Mesh is enabled, you can set up a Mesh network through Mesh pairing between the devices that
support Reyee Mesh. You can press the Mesh button on the device to automatically discover a new device for
Mesh pairing or log in to the management page to select a new device for Mesh pairing. Reyee Mesh is enabled
on the device by default.

169
Web-based Configuration Guide AP Management

4.12 Configuring the LAN Port of Downlink Access Point

Caution

The configuration takes effect only for a downlink access point with a wired LAN port.

Choose Network > LAN Ports.

Enter the VLAN ID and click Save to configure the VLAN, to which the AP wired ports belong. If the VLAN ID is
null, the wired ports and WAN port belong to the same VLAN.

In self-organizing network mode, the AP wired port configuration applies to all APs having wired LAN ports on the
current network. The configuration applied to APs in LAN Port Settings takes effect preferentially. Click Add to
add the AP wired port configuration. For APs, to which no configuration is applied in LAN Port Settings, the
default configuration of the AP wired ports will take effect on them.

4.13 Wireless Authentication

Note

The function is supported by EG310G-E, EG305GH-E, and EG310GH-E.

4.13.1 Overview

Use the wireless authentication function to perform authentication configuration for the AP connected to the
gateway. After users connect to the Wi-Fi signals released by the AP, the traffic will not be directly routed to the
Internet. Wi-Fi users must pass authentication before accessing network resources.

170
Web-based Configuration Guide AP Management

Note

The EG series router supports egress authentication. When an EG router is used independently, you are
advised to use the authentication function of the router. Log in to the Eweb of the EG router. Choose Local
Device > Advanced > Authentication. For details, see 4.10 Wi-Fi Authentication.

When the EG router connects to the AP, the Wireless Auth action entry point appears on the Network page
but not on the Local Device page.

4.13.2 Configuring One-click Login on Ruijie Cloud

1. Configuring a Portal Template with the Authentication Mode Set to One-click Login

(1) Log in to Ruijie Cloud, choose Project > Configuration > Authentication > Captive Portal, and select a
network that needs to configure wireless authentication.

(2) Click Add to open the portal template configuration page.

(3) Configure basic information of the portal template.

Table 4-1 Basic Information of the Portal Template

Parameter Description

Name Indicates the name of a captive portal template.

Description Indicates the description of a captive portal template.

Select One-click Login, which indicates login without the username and
Login Options
password. You can set the access duration and access time per day.

Show Balance Page Indicates the available duration, time, or data after portal authentication.

Post-login URL Indicates the URL that is displayed after portal authentication.

(4) In the Portal Page area, click Basic to configure basic information for the portal page.

171
Web-based Configuration Guide AP Management

Table 4-2 Basic Information of the Portal Page

Parameter Description

Logo Select whether to display the logo image.

Logo Image When Logo is set to Image, upload the logo picture or select the default logo.

Background Select the background with the image or the solid color.

When Background is set to Image, upload the background image or select the
Background Image
default image.

When Background is set to Solid Color, configure the background color. The
Background Color
default value is #ffffff.

172
Web-based Configuration Guide AP Management

Parameter Description

Select the language of the portal page and configure the content displayed on

the portal page as required. You can click to add portal pages in other
languages.

Welcome Message: Select the welcome message with the image or text.
Marketing message: Enter the marketing message.
Terms & Conditions: Enter terms and conditions.
Language Copyright: Enter the copyright.
One-click Login: After One-click Login is enabled, you can customize the
button name displayed on the portal page, which is set to One-click
Login by default.

(5) In the Portal Page area, click Advanced to configure advanced information for the portal page.

Table 4-3 Advanced Information of the Portal Page

Parameter Description

Logo Position Select the logo position (Upper, Middle, or Lower).

Background Mask Color Select the background mask color. The default value is #a2a2a2.

Background Mask Opacity Select the background mask opacity (0-100).

173
Web-based Configuration Guide AP Management

Parameter Description

Welcome Message Text

Select the welcome message text color. The default value is #ffffff.
Color

Welcome Message Text Size Select the welcome message text size.

Button Color Select the button color. The default value is #0066ff.

Button Text Color Select the button text color. The default value is #ffffff.

Link Color Select the link color. The default value is #ffffff.

Text Color in Box Select the text color in the box. The default value is #ffffff.

(6) After the configuration, click OK to save the portal template configurations.

2. Enabling One-click Login for an SSID

(1) Log in to Ruijie Cloud, choose Project > Configuration > Devices > Wireless > SSID, and select a network
that needs to configure wireless authentication.

(2) If the SSID that needs to enable wireless authentication is not created, click to open the SSID

configuration page. If the SSID that needs to enable wireless authentication is created, click in the
Action column. The following content only describes configurations related to wireless authentication. For
details about other SSID configuration parameters, see the Ruijie Cloud Cookbook.

(3) Enable Auth (disabled by default) and configure authentication-related parameters. After the configuration,
click OK to save the configurations.

Note

When Encryption Mode is set to a value other than WPA2-Enterprise(802.1x), Auth is available and you can
select whether to perform wireless authentication.

174
Web-based Configuration Guide AP Management

 Mode: Set it to Captive Portal.

 Seamless Online: Determine whether to enable Seamless Online as required, which is enabled by default. After
Seamless Online is enabled, users do not need to be authenticated when they go online again in the specified
period of time.

 Select or add a new portal: Select a portal template with the authentication mode set to One-click Login. If the
configured template does not meet the requirements, click or add a new portal to create a portal template.

(4) Click Save for the configuration to take effect.

4.13.3 Configuring Voucher Authentication on Ruijie Cloud

1. Configuring a Portal Template with the Authentication Mode Set to Voucher

(1) Log in to Ruijie Cloud, choose Project > Configuration > Authentication > Captive Portal, and select a
network that needs to configure wireless authentication.

(2) Click Add to open the portal template configuration page.

(3) Configure basic information of the portal template.

175
Web-based Configuration Guide AP Management

Table 4-4 Basic Information of the Portal Template

Parameter Description

Name Indicates the name of a captive portal template.

Description Indicates the description of a captive portal template.

Login Options Select Voucher, which indicates login with a random eight-digit password.

Show Balance Page Indicates the available duration, time, or data after portal authentication.

Post-login URL Indicates the URL that is displayed after portal authentication.

(4) In the Portal Page area, click Basic to configure basic information for the portal page.

Table 4-5 Basic Information of the Portal Page

Parameter Description

Logo Select whether to display the logo image.

176
Web-based Configuration Guide AP Management

Parameter Description

When Logo is set to Image, upload the logo picture or select the default
Logo Image
logo.

Background Select the background with the image or the solid color.

When Background is set to Image, upload the background image or

Background Image
select the default image.

When Background is set to Solid Color, configure the background

Background Color
color. The default value is #ffffff.

Select the language of the portal page and configure the content displayed on

the portal page as required. You can click to add portal pages in other
languages.

Welcome Message: Select the welcome message with the image or text.
Marketing message: Enter the marketing message.
Terms & Conditions: Enter terms and conditions.
Copyright: Enter the copyright.
Voucher Login: After Voucher Login is enabled, you can customize the
names of controls related to voucher authentication.
Language

(5) In the Portal Page area, click Advanced to configure advanced information for the portal page.

177
Web-based Configuration Guide AP Management

Table 4-6 Advanced Information of the Portal Page

Parameter Description

Logo Position Select the logo position (Upper, Middle, or Lower).

Background Mask Color Select the background mask color. The default value is #a2a2a2.

Background Mask Opacity Select the background mask opacity (0-100).

Welcome Message Text

Select the welcome message text color. The default value is #ffffff.
Color

Welcome Message Text Size Select the welcome message text size.

Button Color Select the button color. The default value is #0066ff.

Button Text Color Select the button text color. The default value is #ffffff.

Link Color Select the link color. The default value is #ffffff.

Text Color in Box Select the text color in the box. The default value is #ffffff.

(6) After the configuration, click OK to save the portal template configurations.

2. Enabling Voucher Authentication for an SSID

(1) Log in to Ruijie Cloud, choose Project > Configuration > Devices > Wireless > SSID, and select a network
that needs to configure wireless authentication.

(2) If the SSID that needs to enable wireless authentication is not created, click to open the SSID

configuration page. If the SSID that needs to enable wireless authentication is created, click in the

178
Web-based Configuration Guide AP Management

Action column. The following content only describes configurations related to wireless authentication. For
details about other SSID configuration parameters, see the Ruijie Cloud Cookbook.

(3) Enable Auth (disabled by default) and configure authentication-related parameters. After the configuration,
click OK to save the configurations.

Note

When Encryption Mode is set to a value other than WPA2-Enterprise(802.1x), Auth is available and you can
select whether to perform wireless authentication.

 Mode: Set it to Captive Portal.

 Seamless Online: Determine whether to enable Seamless Online as required, which is enabled by default. After
Seamless Online is enabled, users do not need to be authenticated when they go online again in the specified
period of time.

 Select or add a new portal: Select a portal template with the authentication mode set to Voucher. If the configured
template does not meet the requirements, click or add a new portal to create a portal template.

(4) Click Save for the configuration to take effect.

179
Web-based Configuration Guide AP Management

3. Adding a Voucher

(1) Log in to Ruijie Cloud, choose Project > Authentication > User Management, and select a network in this
account.

(2) Configure a user group.

a On the User Group tab, click Add.

b Configure user group parameters. After the configuration, click OK.

User Group Name: indicates the user group name.

180
Web-based Configuration Guide AP Management

Price: indicates the price of the user group. Mark user groups by numeral. The current version has no impact on
network usage.

Concurrent Devices: indicates the number of concurrent devices for one account.

Period: indicates the maximum validity time of an account. The maximum value is counted after the client passes
authentication and successfully accesses the Internet.

Quota: indicates the maximum amount of data transfer.

Maximum upload rate: indicates the maximum upload rate.

Maximum download rate: indicates the maximum download rate.

Bind MAC on first use: indicates that the MAC address of the first device used will be bound and other devices
used by the same user will be prohibited from accessing the Internet.

(3) Configure a voucher.

a On the Voucher tab, click Add voucher.

b Configure voucher parameters. After the configuration, click OK.

Quantity: Enter the quantity of the voucher to print. When the value is set to 1, you can add a voucher and
configure the name and the email address. When the value is greater than 1, you can add vouchers in batches.
In this case, you can only configure the name and email address separately after the vouchers are added.

User group: Select a created user group from the drop-down list. If the created user group does not meet the
requirements, click Custom to create a user group.

User information setting: Configure user information, which is optional.

Advance setting:

○ Voucher code type: Set the value to Alphanumeric 0-9, a-z, Alphabetic a-z, or Numeric 0-9.

181
Web-based Configuration Guide AP Management

○ Voucher length: Select the voucher length. The value ranges from 6 to 9.

(4) Obtain the voucher code from the voucher list.

4.13.4 Configuring Account Authentication on Ruijie Cloud

1. Configuring a Portal Template with the Authentication Mode Set to Account

(1) Log in to Ruijie Cloud, choose Project > Configuration > Authentication > Captive Portal, and select a
network that needs to configure wireless authentication.

(2) Click Add to open the portal template configuration page.

(3) Configure basic information of the portal template.

182
Web-based Configuration Guide AP Management

Table 4-7 Basic Information of the Portal Template

Parameter Description

Name Indicates the name of a captive portal template.

Description Indicates the description of a captive portal template.

Login Options Select Account, which indicates login with the account and password.

Show Balance Page Indicates the available duration, time, or data after portal authentication.

Post-login URL Indicates the URL that is displayed after portal authentication.

(4) In the Portal Page area, click Basic to configure basic information for the portal page.

Table 4-8 Basic Information of the Portal Page

Parameter Description

Logo Select whether to display the logo image.

183
Web-based Configuration Guide AP Management

Parameter Description

Logo Image When Logo is set to Image, upload the logo picture or select the default logo.

Background Select the background with the image or the solid color.

When Background is set to Image, upload the background image or select the
Background Image
default image.

When Background is set to Solid Color, configure the background color. The
Background Color
default value is #ffffff.

Select the language of the portal page and configure the content displayed on

the portal page as required. You can click to add portal pages in other
languages.

Welcome Message: Select the welcome message with the image or text.
Marketing message: Enter the marketing message.
Terms & Conditions: Enter terms and conditions.
Copyright: Enter the copyright.
Account Login: After Account Login is enabled, you can customize the
names of the controls related to account authentication.
Language

(5) In the Portal Page area, click Advanced to configure advanced information for the portal page.

184
Web-based Configuration Guide AP Management

Table 4-9 Advanced Information of the Portal Page

Parameter Description

Logo Position Select the logo position (Upper, Middle, or Lower).

Background Mask Color Select the background mask color. The default value is #a2a2a2.

Background Mask Opacity Select the background mask opacity (0-100).

Welcome Message Text

Select the welcome message text color. The default value is #ffffff.
Color

Welcome Message Text Size Select the welcome message text size.

Button Color Select the button color. The default value is #0066ff.

Button Text Color Select the button text color. The default value is #ffffff.

Link Color Select the link color. The default value is #ffffff.

Text Color in Box Select the text color in the box. The default value is #ffffff.

(6) After the configuration, click OK to save the portal template configurations.

2. Enabling Account Authentication for an SSID

(1) Log in to Ruijie Cloud, choose Project > Configuration > Devices > Wireless > SSID, and select a network
that needs to configure wireless authentication.

(2) If the SSID that needs to enable wireless authentication is not created, click to open the SSID

configuration page. If the SSID that needs to enable wireless authentication is created, click in the

185
Web-based Configuration Guide AP Management

Action column. The following content only describes configurations related to wireless authentication. For
details about other SSID configuration parameters, see the Ruijie Cloud Cookbook.

(3) Enable Auth (disabled by default) and configure authentication-related parameters. After the configuration,
click OK to save the configurations.

Note

When Encryption Mode is set to a value other than WPA2-Enterprise(802.1x), Auth is available and you can
select whether to perform wireless authentication.

 Mode: Set it to Captive Portal.

 Seamless Online: Determine whether to enable Seamless Online as required, which is enabled by default. After
Seamless Online is enabled, users do not need to be authenticated when they go online again in the specified
period of time.

 Select or add a new portal: Select a portal template with the authentication mode set to Account. If the configured
template does not meet the requirements, click or add a new portal to create a portal template.

(4) Click Save for the configuration to take effect.

186
Web-based Configuration Guide AP Management

3. Adding an Account

(1) Log in to Ruijie Cloud, choose Project > Authentication > User Management, and select a network in this
account.

(2) Configure a user group.

a On the User Group tab, click Add.

b Configure user group parameters. After the configuration, click OK.

User Group Name: indicates the user group name.

187
Web-based Configuration Guide AP Management

Price: indicates the price of the user group. Mark user groups by numeral. The current version has no impact on
network usage.

Concurrent Devices: indicates the number of concurrent devices for one account.

Period: indicates the maximum validity time of an account. The maximum value is counted after the client passes
authentication and successfully accesses the Internet.

Quota: indicates the maximum amount of data transfer.

Maximum upload rate: indicates the maximum upload rate.

Maximum download rate: indicates the maximum download rate.

Bind MAC on first use: indicates that the MAC address of the first device used will be bound and other devices
used by the same user will be prohibited from accessing the Internet.

(3) On the Account tab, add an account. Accounts can be added manually or through batch import.

 Adding an account manually

Click Add an Account, set parameters about the account, and click OK.

User name: The value is a string of less than 32 characters, consisting of letters, numerals, and underscores.

Password: The value is a string of less than 32 characters, consisting of letters, numerals, and underscores.

User group: Select a created user group from the drop-down list. If the created user group does not meet the
requirements, click Custom to create a user group.

Allow VPN connection: By enabling this option, the user can use this account to log in remotely using a VPN.

User information setting: You can expand it to have more user information displayed, including the first name,
last name, email, phone number, and alias.

 Adding accounts through batch import

a Click Bulk import.

188
Web-based Configuration Guide AP Management

b Click Download Template to download the template.

c Edit the template and save it.

Note

 Account, Password, and User Group are mandatory.

 Check that the user group already exists and the added accounts are not duplicate with existing
accounts.

d Click Please select an .xls or .xlsx file to upload the file. After uploading, users are automatically created.

4.13.5 Configuring SMS Authentication on Ruijie Cloud

1. Adding a Twilio Account

Prerequisites

A Twilio account has been applied for from the Twilio official website (https://www.twilio.com/login).

Note

A Twilio account is used to send the SMS verification code.

189
Web-based Configuration Guide AP Management

Configuration Steps

(1) Log in to Ruijie Cloud and choose > Account.

(2) Add Twilio account information and click Save.

2. Configuring a Portal Template with the Authentication Mode Set to SMS

(1) Log in to Ruijie Cloud, choose Project > Configuration > Authentication > Captive Portal, and select a
network that needs to configure wireless authentication.

(2) Click Add to open the portal template configuration page.

(3) Configure basic information of the portal template.

190
Web-based Configuration Guide AP Management

Table 4-10 Basic Information of the Portal Template

Parameter Description

Name Indicates the name of a captive portal template.

Description Indicates the description of a captive portal template.

Login Options Select SMS, which indicates login with the phone number and code.

Show Balance Page Indicates the available duration, time, or data after portal authentication.

Post-login URL Indicates the URL that is displayed after portal authentication.

(4) In the Portal Page area, click Basic to configure basic information for the portal page.

Table 4-11 Basic Information of the Portal Page

Parameter Description

Logo Select whether to display the logo image.

Logo Image When Logo is set to Image, upload the logo picture or select the default logo.

Background Select the background with the image or the solid color.

When Background is set to Image, upload the background image or select the
Background Image
default image.

191
Web-based Configuration Guide AP Management

Parameter Description

When Background is set to Solid Color, configure the background color. The
Background Color
default value is #ffffff.

Select the language of the portal page and configure the content displayed on

the portal page as required. You can click to add portal pages in other
languages.

Welcome Message: Select the welcome message with the image or text.
Marketing message: Enter the marketing message.
Terms & Conditions: Enter terms and conditions.
Copyright: Enter the copyright.
SMS Login: After SMS Login is enabled, you can customize the names of
the controls related to SMS authentication.

Language

(5) In the Portal Page area, click Advanced to configure advanced information for the portal page.

192
Web-based Configuration Guide AP Management

Table 4-12 Advanced Information of the Portal Page

Parameter Description

Logo Position Select the logo position (Upper, Middle, or Lower).

Background Mask Color Select the background mask color. The default value is #a2a2a2.

Background Mask Opacity Select the background mask opacity (0-100).

Welcome Message Text

Select the welcome message text color. The default value is #ffffff.
Color

Welcome Message Text Size Select the welcome message text size.

Button Color Select the button color. The default value is #0066ff.

Button Text Color Select the button text color. The default value is #ffffff.

Link Color Select the link color. The default value is #ffffff.

Text Color in Box Select the text color in the box. The default value is #ffffff.

(6) After the configuration, click OK to save the portal template configurations.

3. Enabling SMS Authentication for an SSID

(1) Log in to Ruijie Cloud, choose Project > Configuration > Devices > Wireless > SSID, and select a network
that needs to configure wireless authentication.

193
Web-based Configuration Guide AP Management

(2) If the SSID that needs to enable wireless authentication is not created, click to open the SSID

configuration page. If the SSID that needs to enable wireless authentication is created, click in the
Action column. The following content only describes configurations related to wireless authentication. For
details about other SSID configuration parameters, see the Ruijie Cloud Cookbook.

(3) Enable Auth (disabled by default) and configure authentication-related parameters. After the configuration,
click OK to save the configurations.

Note

When Encryption Mode is set to a value other than WPA2-Enterprise(802.1x), Auth is available and you can
select whether to perform wireless authentication.

 Mode: Set it to Captive Portal.

 Seamless Online: Determine whether to enable Seamless Online as required, which is enabled by default. After
Seamless Online is enabled, users do not need to be authenticated when they go online again in the specified
period of time.

 Select or add a new portal: Select a portal template with the authentication mode set to SMS. If the configured
template does not meet the requirements, click or add a new portal to create a portal template.

(4) Click Save for the configuration to take effect.

194
Web-based Configuration Guide AP Management

4.13.6 Configuring an Authentication-Free Account on Eweb Management System

1. Configuring an Authentication-Free Account

The authentication-free user can access the Internet without authentication.

Choose Network > Overview > Network > Wireless Auth > Allowlist.

(1) Click User Allowlist.

(2) Click Add.

(3) Configure the IP address or IP address range for authentication-free users.

(4) Click OK.

2. Configuring Authentication-Free External IP Addresses

After configuration, the user can access the authentication-free external IP address without authentication.

Choose Network > Wireless Auth > Allowlist.

(1) Click IP Allowlist.

(2) Click Add.

195
Web-based Configuration Guide AP Management

(3) Configure authentication-free external IP address or IP address range.

(4) Click OK.

3. Configuring a Domain Allowlist

The user can access the URL in the domain allowlist without authentication.

(1) Choose Network > Wireless Auth > Allowlist.

(2) Click Domain Allowlist.

(3) Click Add.

(4) Configure authentication-free domains.

196
Web-based Configuration Guide AP Management

(5) Click OK.

4. Configuring a MAC Address Blocklist and Allowlist

After configuration, the STA with a whitelist MAC address can access the Internet without authentication while the
STA with a blacklist MAC address is forbidden to access the Internet.

(1) Choose Network > Wireless Auth > Allowlist.

(2) Click MAC Blocklist/Allowlist.

(3) Configure a MAC address allowlist.

a Click Add on the MAC Allowlist page.

b Add the MAC address to the allowlist.

197
Web-based Configuration Guide AP Management

c Click OK.

(4) Configure a MAC address blocklist.

a Click Add on the MAC Blocklist page.

b Add the MAC address to the blocklist.

c Click OK.

4.13.7 Checking Authentication User List Eweb Management System

Check authentication users in the list view.

198
Web-based Configuration Guide AP Management

Choose Local Device > WLAN > Wireless Auth > Client List.

Click Offline in the Action column to disconnect users to release network resources.

199
Web-based Configuration Guide Switch Management

5 Switch Management
5.1 Configuring RLDP
5.1.1 Overview

Rapid Link Detection Protocol (RLDP) is an Ethernet link fault detection protocol used to quickly detect link faults
and downlink loop faults. RLDP can prevent network congestion and connection interruptions caused by loops.
After a loop occurs, the port on the access switch involved in the loop will shut down automatically.

5.1.2 Configuration Steps

Choose Network > RLDP.

(1) Click Enable to access the RLDP Config page.

(2) In the networking topology, you can select the access switches on which you want to enable RLDP in either
recommended or custom mode. If you select the recommended mode, all access switches in the network are
selected automatically. If you select the custom mode, you can manually select the desired access switches.
Click Deliver Config. RLDP is enabled on the selected switches.

200
Web-based Configuration Guide Switch Management

(3) After the configuration is delivered, if you want to modify the effective range of the RLDP function, click
Configure to select desired switches in the topology again. Turn off RLDP to disable RLDP on all the switches
with one click.

201
Web-based Configuration Guide Switch Management

5.2 Configuring DHCP Snooping

5.2.1 Overview

DHCP Snooping implements recording and monitoring the usage of client IP addresses through exchange of
DHCP packets between the server and client. In addition, this function can filter invalid DHCP packets to ensure
that clients can obtain network configuration parameters only from the DHCP server in the controlled range. DHCP
Snooping will prevent rogue DHCP servers offering IP addresses to DHCP clients to ensure the stability of the
network.

Caution

After DHCP Snooping is enabled on the switch, the switch does not forward invalid DHCP packets. However, if
a client directly connects to a rogue DHCP server, it cannot access the Internet as the obtained IP address is
incorrect. In this case, you need to find the rogue router and disable DHCP on it, or use the WAN port for uplink
connection.

5.2.2 Configuration Steps

Choose Network > DHCP Snooping.

(1) Click Enable to access the DHCP Snooping Config page.

202
Web-based Configuration Guide Switch Management

(2) In the networking topology, you can select the access switches on which you want to enable DHCP Snooping
in either recommended or custom mode. If you select the recommended mode, all switches in the network are
selected automatically. If you select the custom mode, you can manually select the desired switches. Click
Deliver Config. DHCP Snooping is enabled on the selected switches.

(3) After the configuration is delivered, if you want to modify the effective range of the DHCP Snooping function,
click Configure to select desired switches in the topology again. Turn off DHCP Snooping to disable DHCP
Snooping on all switches with one click.

203
Web-based Configuration Guide Switch Management

5.3 Batch Configuring Switches

5.3.1 Overview

You can batch create VLANs, configure port attributes, and divide port VLANs for switches in the network.

5.3.2 Configuration Steps

Choose Network > Batch Config.

(1) The page displays all switches in the current network. Select the switches to configure, and then select the
desired ports in the device port view that appears below. If there are a large number of devices in the current
network, select a product model from the drop-down list box to filter the devices. After the desired devices and
ports are selected, click Next.

204
Web-based Configuration Guide Switch Management

(2) Click Add VLAN to create a VLAN for the selected devices in a batch. If you want to create multiple VLANs,
click Batch Add and enter the VLAN ID range, such as 3-5,100. After setting the VLANs, click Next.

(3) Configure port attributes for the ports selected in Step 1 in a batch. Select a port type. If you set Type to
Access Port, you need to configure VLAN ID. If you set Type to Trunk Port, you need to configure Native
VLAN and Permitted VLAN. After setting the port attributes, click Override to deliver the batch configurations
to the target devices.

205
Web-based Configuration Guide Switch Management

5.3.3 Verifying Configuration

View the VLAN and port information of switches to check whether the batch configurations are successfully
delivered.

206
Web-based Configuration Guide Firewall Management

6 Firewall Management
After a firewall is added to the network, you can manage and configure the firewall on the Web management
system.

6.1 Viewing Firewall Information

You can view the basic information and license of the firewall on the Web management system.

Choose Network > Firewall.

(1) If the password of the firewall is inconsistent with that of the gateway, please enter the management
password of the firewall and click OK.

(2) The basic information, capacity, and security service license of the firewall are displayed on the Web
management system.

Click Manage Firwall to go to the Web management interface of the firewall. Configure the security policy
and license activation for the firewall. For details, see the Web-based configuration guide of the firewall.

207
Web-based Configuration Guide Firewall Management

6.2 Configuring Firewall Port

If the firewall is set to transparent mode, the Firewall Port Config page appears. You can select the WAN port
connected to the gateway or the LAN port connected to the switch and enable Security Guard.

208
Web-based Configuration Guide Online Behavior Management

7 Online Behavior Management

7.1 Overview
Online behavior management aims to block or prohibit specific Internet access behaviors of LAN users. Online
behavior management functions are classified into five categories: app control, website filtering, QQ management,
flow control, and access control. The effective range of each behavior management policy is flexibly controlled by
the specified client IP address and effective time.

7.2 User Management

7.2.1 Overview

The management policy of online behavior needs to flexibly match with specific user groups. Please manage and
classify users before the behaviour management policy is configured, ensuring efficient configuration and
management. User management is used to maintain user information based on IP addresses. When managing
online behaviours, you can limit the effective scope of application blocking, traffic auditing, flow control and other
services by specifying created or authenticated users.

User groups contain two default root user groups: User Group, Authentication Group and VPN Group. You can
create and configure users and user groups under the root user group.

Note
The system creats a VPN user group by default. The VPN accounts added in the system are automatically
added to a VPN user group. You can select a VPN user group to control VPN accounts when you creat a policy
of application control, network managemenrt or flow control.

7.2.2 User Group

Choose Local Device > Behavior > User Management.

You can add new user groups or users below the first-level user group. Up to three levels of grouping is supported.
If a user is a leaf node, no users or user groups can be created below this leaf node. A created user group can
be used as a configuration item in a behavior management policy and is directly referenced by the user group
name.

All Addresses group exists in the user group list by default. The IP range is from 1.1.1.1 to 255.255.255.255.
This group cannot be edited or deleted.

209
Web-based Configuration Guide Online Behavior Management

1. Creating a User Group

Click near User Group or click Add at the upper right of the page. Select the type of User Group and
enter the group name, and click OK. You can create a sub-user group below this user group.

Table 6-1 Parameter Descriptions of User Group

Parameter Description

Configure the parent group to which the created user group belongs. Up to three
levels of groups are allowed below a user group currently (such as Root
Parent Node
Node/R&D Center/R&D Section 1). No user groups are allowed below the third-
level group.

Group Name Configure the name of the user group.

2. Creating a User

Click User Group to display the users in the current group. Click or click Add at the upper right of the page.
Select the type of Client and enter the user name and IP range, and click OK. You can create a user under the
user group.

210
Web-based Configuration Guide Online Behavior Management

Table 6-2 Parameter Descriptions of User

Parameter Description

Configure the group to which the created user belongs, Click the drop-down list
Parent Node
box to display all the currently created user groups and click to select one group.

Username Configure the name of the user.

Configure the IP address of the user. You can enter an IP address or IP range. If
IP /IP Range
a rule is valid to this user, the rule takes effect in this IP range.

3. Deleting a User Group or a User

Click near User Group to delete the user group and its members. Click Delete in the Action bar in the user
list to delete the specified user.

211
Web-based Configuration Guide Online Behavior Management

4. Verifying Configuration
(1) You can view the created user groups on the left part of the page after user groups and users are configured.
Click User Group to view user details in this group.

(2) When configuring the behaviour management policy (such as adding an application control rule), you can view
and select the created user groups and the members.

7.2.3 Authentication Group

Choose Local Device > Behavior > User Management.

212
Web-based Configuration Guide Online Behavior Management

The users in the Authentication Group are synchronized from the authentication server to the Authentication
Group. The local authentication account set by the device (See Section 4.10.6 Local Account Authentication for
details.) is automatically synchronized to the Local Authentication Group.

When configuring the behaviour management policy (such as adding an application control rule), you can
configure a policy to take effect in the specified authentication group. After an authenticated user goes online, the
user automatically matches with the authentication group and then associates with the behaviour management
policy, enabling online behavior control over the authenticated user.

213
Web-based Configuration Guide Online Behavior Management

7.3 Time Management

Choose Local Device > Behavior > Time Management.

You can create time entries to classify time information. A created time entry can be used as a configuration item
in a behavior management policy and is directly referenced by the time entry name.

Click Add. In the dialog box that appears, enter the time entry name and select the specific time to create a time
entry.

All the created time entries are displayed in the time entry list. In the list, find the target time entry and click Edit
to modify the time span. Find the target time entry and click Delete to delete it. By default, the time entries named
All Time, Weekdays, and Weekends are available and they cannot be modified or deleted.

Caution

If a time entry is referenced in any policy, it cannot be deleted on the Time Management page. To delete the
time entry, remove the reference relationship first.

214
Web-based Configuration Guide Online Behavior Management

215
Web-based Configuration Guide Online Behavior Management

7.4 App Control

7.4.1 Overview

App control aims at controlling the range of specific apps that can be accessed by users. By default, users can
access any app. After an app control policy is configured, users in the current network cannot access prohibited
apps. App access can be prohibited based on the specified user group and time range. For example, employees
in the office network are prohibited from accessing entertainment and game software during work periods to
improve network security.

7.4.2 Configuring App Control

Choose Local Device > Behavior > App Control.

1. Switching the Application Library

The application lists vary in different regions. The Chinese and International versions of the application library are
provided. Please select the version based on the regions.

Click to select Application Library Version and click OK. The version is switched after a few minutes.

216
Web-based Configuration Guide Online Behavior Management

Caution
It takes about one minute to switch the application library version. Please wait.
If you switch the application library, the old application control policy may be inactive. Please proceed with
caution.

2. Configuring App Control

Click Add to create an App control policy.

217
Web-based Configuration Guide Online Behavior Management

Table 7-3 App control policy configuration

Parameter Description

User Group: The policy is applicable to users in the specified user group.
Type Please select the target user group.
Custom: The policy is applicable to users in the specified IP range. Please
manually enter the managed IP range.

Select the users managed by the policy from the list of user groups. For the
configuration of the user group list, see Section 6.2 User Management.
User Group
If all members in the user group are selected, the policy takes effect for the user
group and is also valid for new members added to this group.

If the IP range is restricted by the APP control policy and the type of the policy is
IP Address Group
set to Custom, please enter the IP range manually.

Specify the time range under app control. In the specified time range, managed
clients cannot access the selected apps in the list of prohibited apps. You can
Time
select a time range defined in Section 7.3 Time Management from the drop-
down list box, or select Custom and manually enter the specific time range.

Blocked App Specify the apps or app groups to block.

Remark Enter the policy description.

Status Specify whether to enable the app control policy.

218
Web-based Configuration Guide Online Behavior Management

7.4.3 Custom App

1. Overview

Based on traffic packets of certain websites or apps that are captured by the device, users can analyze and
extract 5-tuple information characteristics (protocol, source IP address, source port, destination IP address, and
destination port) of the packets. You can define apps that are not in the default application list.

After custom apps are configured successfully, you can configure control policies for custom apps on the app
control page to block users from accessing the custom apps on the current network.

2. Procedure

Choose Local Device > Behavior > App Control > Custom.

(1) Switch the application library.

The supported app list varies with regions. There are the application library of the Chinese version and the
application library of the international version. Select an application library version based on the actual region.

Click Application Library Version and select a version. In the displayed dialog box, click OK. Wait a period
of time for the system to complete switching.

Caution
Switching the application library version takes about 1 minute to take effect.

After the application library version is switched, the original app control policy may become invalid.
Therefore, exercise caution when performing this operation.

(2) Click Add. Enter information about a custom app.

Table 7-4 Description of Custom App Configuration

219
Web-based Configuration Guide Online Behavior Management

Parameter Description

App Configure the app name (the name cannot be duplicated with a name in the app
list).

Select a protocol type based on the protocol used by captured packets. It can be
Protocol Type
set to TCP, UDP, or IP.

Select a rule type based on 5-tuple information characteristics of extracted

packets. It can be set to the following:
Control Type
 Src IP + Src Port
 Dest IP + Dest Port
 Src IP+ Dest IP

Source/Destination IP Enter a characteristic IP address.

Source/Destination Port Enter a characteristic port number.

Note
If Control Type is set to Src IP + Src Port, you need to set the source IP address and source port.
If Control Type is set to Dest IP + Dest Port, you need to set the destination IP address and destination
port.
If Control Type is set to Src IP + Dest IP, you need to set the source and destination IP addresses. The
source IP address can be also to Auto Assign.

(3) Click OK.

7.4.4 Custom Application Group

1. Overview

You can add multiple applications with the same features into a customer application group, which is a logical
group. The custom application group can be used for policy .

The system has a default blocking group to block applications. (The blocking group is associated with relevant
applications by default.) The applications added to the blocking group are directly blocked.

2. Procedure

Choose Local Device > Behavior > App Control > Custom Application Group.

220
Web-based Configuration Guide Online Behavior Management

(1) Switch the application library version.

The supported application list varies with regions. The application library version falls into the Chinese version
and the international version. Select an application library version based on the actual region.

Click Application Library Version and select a version. In the displayed dialog box, click OK. Wait a moment
for the system to complete switching.

Caution
Switching the application library version takes about one minute. Please wait for the configuration to take
effect.

The exisiting custom application group is invalid after the application library version is switched. Therefore,
exercise caution when performing this operation.

(2) Click Add to configure the parameters for an application group.

221
Web-based Configuration Guide Online Behavior Management

Table 7-5 Custom Application Group

Parameter Description

The application group name customized by a user. (The group name must differ from the
Group Name
application names in the group list.)

Application List Multiple applications involved in an application group.

Remark Description of an application group.

(3) Click OK.

7.5 Website Management

7.5.1 Overview

Website management consists of website grouping and website filtering. Website grouping refers to the
classification of website URLs. You can modify existing website groups or create new website groups. Website
filtering refers to access control to existing website groups to prohibit user access to websites in specific groups.
Website filtering can be applied based on the specified user group and time range. For example, employees in
the office network are prohibited from accessing game websites during work periods to improve network security.

7.5.2 Configuration Steps

Choose Local Device > Behavior > Website Management.

1. Configuring Website Groups

Choose Local Device > Behavior > Website Management > Website Group.

Click the Website Group tab. On the page that appears, all the created website groups are displayed in the list.
Find the target group and click More in the Member column to view all the website URLs in the group. Find the
target group and click Edit in the Action column to modify the member website URLs in the group. Find the target
group and click Delete in the Action column to delete the group.

Click Add to create a new website group.

Caution

If a website filtering rule in a website group is being referenced, the group cannot be deleted from the website
group list. To delete this group, modify the website filtering configuration to remove the reference relationship
first.

222
Web-based Configuration Guide Online Behavior Management

Table 7-5 Website group configuration

Parameter Description

Configure a unique name for the website group. The name can be a string of
Group Name
1 to 64 characters.

223
Web-based Configuration Guide Online Behavior Management

Parameter Description

Specify members in the website group. You can enter multiple websites in a
batch. The group member can be complete URL (such as www.baidu.com) or
Member keywords in the URL (domain name with a wildcard in front, such as
*.baidu.com). The wildcard can only appear at the beginning of a URL, and it
cannot be in the middle or end of the domain name.

2. Configuring Website Filtering

Choose Local Device > Behavior > Website Management > Website Filtering.

Click the Website Filtering tab. On the page that appears, all the created website filtering rules are displayed in
the list. Click Edit to modify the rule information. Click Delete to delete the specific filtering rule.

Click Add to create a website filtering rule.

224
Web-based Configuration Guide Online Behavior Management

Table 7-1 Table 7-6 Website filtering rule configuration

Parameter Description

User Group: The policy is applicable to users in the specified user group.
Please select the target user group.
Type Custom: The policy is applicable to users in the specified IP range. Please
manually enter the managed IP range.

Select the users managed by the policy from the list of user groups. For the
configuration of the user group list, see Section 6.2 User Management.

User Group If all members in the user group are selected, the policy takes effect for the user
group and is also valid for new members added to this group.

If the IP range is restricted by the APP control policy and the type of the policy is
IP Address Group set to Custom, please enter the IP range manually.

Specify the time range under website filtering control. In the specified time
range, managed clients cannot access the prohibited websites. You can select a
Time
time range defined in Section 7.3 Time Management from the drop-down list
box, or select Custom and manually enter the specific time range.

Configure the type of websites to block. You can select an existing website
group. After a website group is selected, users are prohibited from accessing all
Blocked Website
websites in this group. For details on how to create or modify a website group,
see Configuring Website Groups.

Remark Enter the rule description.

Status Specify whether to enable the website filtering rule.

7.6 Flow Control

7.6.1 Overview

Flow control is a mechanism that classifies flows based on certain rules and processes flows using different
policies based on their categories. You can configure flow control to guarantee key flows and suppress malicious
flows. You can enable flow control when the bandwidth is insufficient or flows need to be distributed properly.

225
Web-based Configuration Guide Online Behavior Management

7.6.2 Smart Flow Control

1. Overview

When you need to limit the uplink traffic and downlink traffic bandwidth of the device ports (such as WAN and
WAN 1), you can enable the smart flow control function. After the line bandwidth is configured for a port, the uplink
and downlink traffic of the port will be limited within the specified range. In addition, the per user bandwidth should
be intelligently adjusted according to the number of users to ensure that users fairly share the bandwidth.

2. Configuration Steps

Choose Local Device > Behavior > Flow Control > Smart Flow Control.

Turn on Enable on the Smart Flow Control tab and set the line bandwidth based on the bandwidth actually
allocated by the ISP. If the device has multiple lines, you can set the bandwidth for these WAN ports separately.
For details on the multi-line configuration, see Section 3.2 Port Settings

You can choose Port Settings to set port parameters and view the port information.

7.6.3 Setting the Port Parameters

Choose Local Device > Overview > Network > Port Settings > Basics.

(3) Choose the target port and click Edit.

226
Web-based Configuration Guide Online Behavior Management

(4) Set the port paramters and click OK.

7.6.4 Viewing the Port Information

Choose Local Device > Overview > Network > Port Settings > Port Info.

Configuring the WAN Ports.

Click Save to make the configuration take effect.

Caution

Enabling flow control will affect network speed testing. If you want to test the network speed, disable flow control
first.

Table 7-7 Smart flow control configuration

Parameter Description

Specify whether to enable the smart flow control function. By default, smart flow
Enable
control is disabled.

WAN Bandwidth Set the uplink and downlink bandwidth limits for the WAN ports, in Mbit/s.

227
Web-based Configuration Guide Online Behavior Management

Note

Smart flow control can be used to control the line traffic in different networking modes, including bandwidth-
based, static IP address, and dynamic IP address.

7.6.5 Custom Policies

1. Overview

Custom policies are used to restrict the traffic with specific IP addresses based on the smart flow control function,
thereby meeting the bandwidth requirements of specific users or servers. When you create a custom flow control
policy, you can flexibly configure the limited user range, the bandwidth limit, the limited application traffic, and the
rate limit mode. When a custom policy is enabled, it takes precedence over the smart flow control configuration.

Custom policies fall into common policies and VPN policies.

Common policies include the custom policies configured on the Eweb or Ruijie Cloud and the flow control policies
configured on Ruijie Cloud for authentication accounts. Common policies manage common traffic.

Common policies and VPN policies are used to manage common traffic and VPN traffic, respectively.

2. Getting Started

Before you configure a custom policy, enable smart flow control first. For details, see Section 7.6.2 Smart Flow
Control.

3. Configuration Steps

Choose Local Device > Behavior > Flow Control > Custom Policy.

(1) Set Policy Type.

Note

The flow control policies configured on Ruijie Cloud and Eweb are displayed in the Normal Policy list. The
flow control policies for authentication accounts configured on Ruijie Cloud cannot be edited or deleted on
Eweb. You can only enable or disable these policies and change the priority of them.

(2) Switching the Application Library

The application lists vary in different regions. The Chinese and International versions of the application library
are provided. Please select the version based on the regions.

Click to select Application Library Version and click OK. The version is switched after a few minutes.

Caution
It takes about one minute to switch the application library version. Please wait.
If you switch the application library, the template of the application priority will be reset (See Section
6.6.4 Application Priority for details.), and the old application control policy may be inactive (See
Section 6.4 App Control for details.). Please proceed with caution.

228
Web-based Configuration Guide Online Behavior Management

(3) Set a custom policy.

 Set a custom policy.

a Set Policy Type to Normal Policy and click Add to create a custom flow control policy.
You can set up to 30 custom common policies, including the custom policies configured on Eweb and
Ruijie Cloud.

You can set up to 20 flow control policies for authentication accounts on Ruijie Cloud. The Eweb only
displays thses policies.

b Configure items related to a common policy.

229
Web-based Configuration Guide Online Behavior Management

Parameter Description

Policy Name A policy name uniquely identifies a custom flow control policy. It cannot be modified.

The type of a flow control policy can be set to the following:

User Group: Indicates that the policy is applied to users in a specified user group. You
Type
need to select a user group to be managed.
Custom: Indicates that the policy is applied to users in a specified IP address segment.
You need to manually enter the IP address range to be managed.

Select a user to be managed by the policy from the user group list. For details about how to
set the user group list, see 7.2 User Management.

User Group If you select all members of a user group, the policy takes effect on the entire user group (it
also takes effect on members added to the user group later).

This parameter is required when Type is set to User Group.

Specify the IP address range for the flow control policy to take effect. When Type is set to
Custom, enter the IP address manually. You can enter a single IP address or an IP address
segment.

This parameter is required when Type is set to Client.

The IP address range must be within a LAN segment. You can choose Overview > Ethernet
IP/IP Range status to check the network segment of the current LAN port. For example, the network
segment of the LAN port shown in the figure below is 192.168.110.0/24.

Shared: Indicates that all users in a user group (all IP addresses in an address range)
share the configured uplink and downlink bandwidths, and the bandwidth of a single
Bandwidth user is not limited.
Type Independent: Indicates that all users in a user group (all IP addresses in an address
range) share the configured uplink and downlink bandwidths, and the maximum
bandwidth of a single user can be limited.

When Bandwidth Type is set to Shared, the flow control policy can be configured to take
effect only on specified applications.

All Applications: Indicates that the flow control policy takes effect on all applications in
the current application library.
Custom: Indicates that the flow control policy takes effect only on specified applications
in the application list.
Application Application Group: Indicates that the flow control policy takes effect only on specified
applications in the application list.
When Bandwidth Type is set to Independent, some models do not support application
selection and the flow control policy takes effect on all applications in the current application
library by default.

For the models, contact technical support engineers.

230
Web-based Configuration Guide Online Behavior Management

Parameter Description

Application When Application is set to Custom, it specifies the applications, on which the policy takes
List effect. The traffic of the selected applications is subject to the policy.

Application When Application is set to Application Group, it specifies the application groups, on which
Group the policy takes effect. The traffic of the selected application group is subject to the policy.

Specify the traffic guarantee level. The value range is from 0 to 7. A smaller value indicates a
higher priority and the value 0 indicates the highest priority.
Channel Different traffic priority values correspond to different application groups in an application
Priority template. 2 indicates the key group, 4 indicates the normal group, and 6 indicates the
suppression group. For the description of application groups in a priority template, see
7.6.6 .

Configure whether to limit the bandwidth.

Bandwidth
Limit Kbps: You can set the uplink and downlink bandwidth limits as needed.
Limit
No Limit: When the bandwidth is sufficient, the maximum bandwidth is not limited.
When the bandwidth is insufficient, the minimum bandwidth cannot be guaranteed.

Configure the data transmission rate in uploading, in Kbps. It includes Limit-at, Max-Limit,
and Max-Limit per User.

Uplink Limit-at: Specifies the minimum bandwidth that can be shared by all users when the
Bandwidth bandwidth is insufficient.
Max-Limit: Specifies the total maximum bandwidth that can be occupied by all users
when the bandwidth is sufficient.
Max-Limit per User: Specifies the maximum bandwidth that can be occupied by each
user when multiple users share the bandwidth. It is optional and can be configured only
when Bandwidth Type is set to Independent. The rate is not limited by default.

Configure the data transmission rate in uploading and downloading, in Kbps. It includes Limit-
at, Max-Limit, and Max-Limit per User.

Limit-at: Specifies the minimum bandwidth that can be shared by all users when the
bandwidth is insufficient.
Downlink Rate Max-Limit: Specifies the total maximum bandwidth that can be occupied by all users
when the bandwidth is sufficient.
Max-Limit per User: Specifies the maximum bandwidth that can be occupied by each
user when multiple users share the bandwidth. It is optional and can be configured only
when Bandwidth Type is set to Independent. The rate is not limited by default.

Specify the WAN port, on which the policy takes effect. When it is set to All WAN Ports, the
Interface
policy will be applied to all WAN ports.

Enabled Set whether to enable the flow control policy. If it is disabled, the policy does not take effect.

Caution
After switching the application library version, you may need to reconfigure the application list.

c Click OK.
 Set a custom VPN policy.
a Set Policy Type to VPN Policy and click Add to create a custom VPN flow control policy.

231
Web-based Configuration Guide Online Behavior Management

A maximum of 10 VPN policies can be configured.

d Configure items related to a VPN policy.

Parameter Description

Policy Name A policy name uniquely identifies a custom flow control policy. It cannot be modified.

The type of a flow control policy can be set to the following:

User Group: Indicates that the policy is applied to users in a specified user group. You
Type
need to select a user group to be managed.
Custom: Indicates that the policy is applied to users in a specified IP address segment.
You need to manually enter the IP address range to be managed.

Select a user to be managed by the policy from the user group list. For details about how to
set the user group list, see 7.2 User Management.

User Group If you select all members of a user group, the policy takes effect on the entire user group (it
also takes effect on members added to the user group later).

This parameter is required when Type is set to User Group.

232
Web-based Configuration Guide Online Behavior Management

Parameter Description

Enter an IP address or IP range manually.

IP/IP Range
This parameter is required when Type is set to Client.

Specify the type of effective users. It can be set to the following:

Internal IP/User: For a gateway, IP addresses of clients connected to the gateway are
internal IP addresses.
External IP/External User: For a gateway, non-gateway internal IP addresses are
external IP addresses.
The configuration suggestions are as follows:

When clients are configured to control VPN traffic, select Internal IP/ User to control the
traffic of internal network users. When the VPN server is configured to control the VPN
Effective User traffic, select External IP/External User to control the traffic of external network users.
For the VPN of the NAT model, the external IP address of the server must be in the IP
address segment of the VPN address pool.
For the VPN in router mode, the IP address segment must be set to IP addresses of
restricted users. For the VPN in router mode, to configure flow control on internal IP
addresses of clients, set internal IP addresses to the IP addresses of the flow control
objects.
Note: The external IP address configured by the Open VPN server is the IP address of the
address pool. The internal IP address configured by the client is the actual IP address of the
client.

When Bandwidth Type is set to Shared, the flow control policy can be configured to take
effect only on specified applications.

All Applications: Indicates that the flow control policy takes effect on all applications in
the current application library.
Custom: Indicates that the flow control policy takes effect only on specified applications
in the application list.
Application Application Group: Indicates that the flow control policy takes effect only on specified
application groups. The traffic of applications involved in the application group is subject
to the policy.
When Bandwidth Type is set to Independent, some models do not support application
selection and the flow control policy takes effect on all applications in the current application
library by default.

For the models, contact technical support engineers.

Application When Application is set to Custom, it specifies the applications, on which the policy takes
List effect. The traffic of the selected applications is subject to the policy.

Application When Application is set to ApplicationGroup, it specifies the application group, on which
Group the policy takes effect. The traffic of the selected application group is subject to the policy.

Configure whether to limit the bandwidth.

Bandwidth
Limit Kbps: You can set uplink and downlink bandwidth limits as needed.
Limit
No Limit: When the bandwidth is sufficient, the maximum bandwidth is not limited. When
the bandwidth is insufficient, the minimum bandwidth is not guaranteed.

233
Web-based Configuration Guide Online Behavior Management

Parameter Description

Configure the maximum uplink bandwidth shared by VPN users matching the policy in Kbps.
Uplink When the bandwidth is shared by multiple users, you can aslo set the maximum uplink
Bandwidth bandwidth per user in Kbps. The uplink bandwidth is not limited by default.Note: The
parameter is valid when Bandwidth Limit is set to Limit Kbps.

Configure the maximum downlink bandwidth shared by VPN users matching the policy in
Kbps.

Downlink Rate When the bandwidth is shared by multiple users, you can aslo set the maximum downlink
bandwidth per user in Kbps. The downlink bandwidth is not limited by default.

Note: The parameter is valid when Bandwidth Limit is set to Limit Kbps.

Specify the VPN port, on which the policy takes effect. When it is set to All VPN Ports, the
Interface
policy will be applied to all VPN ports.

Enabled Set whether to enable the flow control policy. If it is disabled, the policy does not take effect.

e Click OK.
(4) View Custom Policies

The current custom policies are displayed in the Policy List section. You can modify and delete a custom
policy. To delete multiple custom policies in a batch, select the desired policies and click Delete Selected.

 Normal policy list

 VPN policy list

Table 7-8 Policy list information

234
Web-based Configuration Guide Online Behavior Management

Parameter Description

The Application List contains the applications to which the policy is valid. If the
Application Library matches with the Application that is set to Custom and

Application List
supported by the policy, is displayed in the Application List. If

not, is displayed.

Indicate whether the current policy is enabled. You can click to edit the status. If
the Application Library does not match with the Application that is set to
Status
Custom and supported by the policy, you cannot edit the Status directly. Please
click Edit in the action bar to edit the policy or switch the application library.

Indicate whether the policy is effective in the current system. If Inactive is

displayed, check whether the policy is enabled, whether the policy-enabled port
Effective State
exists, and whether the Application Library matches with the Application to
which the policy is valid.

All the created custom policies are displayed in the policy list, with the latest
policy listed on the top. The device matches the policies according to their
Match Order sorting in the list. You can manually adjust the policy matching sequence by

clicking or in the list.

Action You can modify and delete the custom policy.

7.6.6 Application Priority

1. Overview

After smart flow control is enabled, you can set the application priority to provide guaranteed bandwidth to
applications with high priority and suppress the bandwidth for applications with low priority. You can predefine a
list of applications whose bandwidth needs to be guaranteed preferentially and a list of applications whose
bandwidth needs to be suppressed based on actual needs.

Caution

If one application exists in both the custom policy list and the application priority list, the custom policy prevails.

2. Getting Started

 Before you configure application priority, enable smart flow control first. For details, see Section 7.6.2
Smart Flow Control.
 Confirm that the appropriate application library is selected on the Custom Policy page (See Section 6.6.3
Custom Policies for details.).

3. Configuration Steps

Choose Local Device > Behavior > Flow Control > Application Priority.

235
Web-based Configuration Guide Online Behavior Management

(1) Create an application priority template.

Select a template from the Application Priority drop-down list box.

Four application priority templates are predefined to meet the needs in different scenarios. You can switch
among the templates based on actual needs.

The application priority templates are as follows:

○ Default: This template is used during device initialization. The traffic bandwidth is not guaranteed or
suppressed for any application.

○ Office: This template is designed for the office scenario, where the application traffic from the office
network is guaranteed preferentially.

○ Home: This template is designed for the home scenario, where the application traffic from the home
network is guaranteed preferentially.

○ Entertainment: This template is designed for the entertainment scenario, where the application traffic
from the entertainment network is guaranteed preferentially.

(2) Create an application group list.

Each default template has three application groups: key group, block group, and normal group. The
application priority of the three groups decreases in the following order: key group, normal group, and block
group.

○ Key Group: The traffic from applications in the application list for this group is guaranteed preferentially.

○ Block Group: The traffic from applications in the application list for this group is suppressed to
preferentially guarantee the traffic from applications with higher priority.

○ Normal Group: All the applications in the application library beyond the key group and block group are in
this group. The traffic from applications in this group are guaranteed after that from the key group.

After you select a template, three application groups Key Group, Block Group, and Normal Group and the
application list for each group in the current template are displayed. You can click More to view the details of
each application list.

236
Web-based Configuration Guide Online Behavior Management

You can click Edit in the Action column next to the key group and block group to edit the application list for
the groups, allowing the traffic from these applications to be guaranteed or suppressed.

Caution
If you switch the application library, the application list will change.
The application list will be reset after you switch the application priority template.

7.7 Access Control

7.7.1 Overview

The access control function matches data packets passing through the device based on specific rules and permits
or drops data packets in the specified time range. This function controls whether to permit LAN user access to
the Internet and whether to block a specific data flow. The device matches packets based on the MAC address
or IP address.

7.7.2 Configuration Steps

Choose Local Device > Behavior > Access Control.

237
Web-based Configuration Guide Online Behavior Management

The access control rule list displays the created access control rules. Click Add to add an access control rule.

Table 7-9 Access control rule information

Parameter Description

Indicate whether the rule takes effect. If Inactive is displayed, the current

Effective State system time may not in the effective time range. Move the cursor to to view
the detailed cause.

All the created ACL rules are displayed in the ACL list, with the latest rule listed
on the top. The device matches the rules according to their sorting in the list.
Match Order
You can manually adjust the rule matching sequence by clicking or
in the list.

Action You can modify and delete a rule.

1. Configuring a MAC Address-based ACL Rule

MAC address-based ACL rules enable the device to match data packets based on the source MAC address, and
are generally used to control Internet access from online users or specific clients.

Set Based on MAC, enter the MAC address of the client, select a rule type, set the effective time range, and click
OK.

Note

MAC address-based ACL rules are valid on WAN ports by default.

238
Web-based Configuration Guide Online Behavior Management

Table 7-10 MAC address-based ACL configuration

Parameter Description

Enter the client MAC address to be controlled by the ACL rule. After you click the
MAC input field, the current client information is displayed. You can click to
automatically enter the corresponding MAC address.

Specify the method for processing data packets matching the conditions.
Control Type
 Allow: Permit the data packets matching the conditions.
 Block: Drop the data packets matching the conditions.

You can select a time range defined in Section 7.3 Time Management from
Wireless Schedule the drop-down list box, or select Custom and manually enter the specific time
range.

Remark Enter the rule description, which is used to uniquely identify a rule.

2. Configuring an IP Address-based ACL Rule

IP address-based ACL rules enable the device to match data flows according to the source IP address, destination
IP address, and protocol number.

Set Based on IP, enter the source IP address and port and destination IP address and port of the data flow, select
the protocol type, rule type, effective time range, and effective port, and click OK.

239
Web-based Configuration Guide Online Behavior Management

Caution
IP address-based ACL rules are effective in only one direction. For example, in a block rule, the source IP
address segment is 192.168.1.0/24 and the destination IP address segment is 192.168.2.0/24. According to this
rule, the device with the IP address 192.168.1.x cannot access the device with the IP address 192.168.2.x, but
the device with the IP address 192.168.2.x can access the device with the IP address 192.168.1.x. To block
bidirectional access in this network segment, you need to configure another block rule with the source IP
address segment 192.168.2.0/24 and destination IP address segment 192.168.1.0/24.

L2TP/PPTP VPN supports only IP address-based access control and the effective ports must be in the LAN.

Table 7-11 IP address-based ACL configuration

Parameter Description

Enter the source IP address and port number for data packet matching. If this
parameter is not specified, the device matches all the IP addresses and port
Src IP Address: Port
numbers. The source IP address can be a single IP address (such as
192.168.1.1) or an IP address range (such as 192.168.1.1/24).

240
Web-based Configuration Guide Online Behavior Management

Parameter Description

Enter the destination IP address and port number for data packet matching. If
this parameter is not specified, the device matches all the IP addresses and port
Dest IP Address: Port
numbers. The destination IP address can be a single IP address (such as
192.168.1.1) or an IP address range (such as 192.168.1.1/24).

Specify the protocol type for data packet matching. The options are TCP, UDP,
Protocol Type
and ICMP.

Specify the method for processing data packets matching the conditions.

Control Type Allow: Permit the data packets matching the conditions.
Block: Drop the data packets matching the conditions. This rule is valid
only in one direction, and does not block the reverse flow.

You can select a time range defined in Section 7.3 Time Management from
Wireless Schedule the drop-down list box, or select Custom and manually enter the specific time
range.

Select the port on which the rule applies.

LAN: The rule takes effect on a LAN port to control data packets to the
Interface
LAN.
WAN: The rule takes effect on a WAN port to control data packets received
from or sent to the Internet.

Remark Enter the rule description, which is used to uniquely identify a rule.

7.8 Online User Management

Choose Clients > Online Clients.

You can view the wired users and wireless users in the current network. Find the target online user and click Go
in the Access Control column to create an ACL rule for the user, to control the online behavior and networking
time range of the user client. For details on how to configure an ACL rule, see Section 7.7 .

241
Web-based Configuration Guide Online Behavior Management

Table 7-12 Online user information

Parameter Description

Indicate the name and access type of the client. The access type can be
Username/Type
Wireless or Wired.

Indicate the SN of the device to which the client connects in wired or wireless
Access Location
mode.

IP/MAC Indicate the IP address and MAC address of the client.

Current Rate Indicate the current uplink and downlink data transmission rates.

Indicate the wireless signal information displayed when Username/Type is set

Wi-Fi to Wireless. The information includes the channel, signal strength, online
duration, and negotiated rate.

242
Web-based Configuration Guide Online Behavior Management

7.9 Upgrading the Application Library

7.9.1 Overview

The app control function relies on the accuracy of the application library, and the application library is updated
with the app version. You can upgrade the application library to the latest version on the Application Library
Update page.

7.9.2 Local Upgrade

Choose Local Device > Behavior > App Control > Application Library Update.

Caution
Upgrading the application library version takes about one minute to take effect. Do not cut off power during
the upgrade. You can view the current application library version on the page.
Perform subsequent operations based on the memory information displayed on the page. If the memory is
insufficient, you are advised to restart the device and then upgrade the application library.
After the application library is upgraded, the original app control policy may become invalid. Therefore,
exercise caution when performing this operation.

(1) Click Browse. Select an application library upgrade file.

(2) Click Upload to upload the upgrade file.
(3) Click OK. Wait for the system to automatically complete the upgrade.

243
Web-based Configuration Guide Online Behavior Management

7.9.3 Online Upgrade

Choose Local Device > Overview > Behavior > Application Library Management

Enable Auto Update Version. When the system identifies the latest version, the application library is
automatically upgraded.

244
Web-based Configuration Guide VPN

8 VPN
8.1 Configuring IPsec VPN
8.1.1 Overview

1. IPsec Overview

IP Security (IPsec) is a Layer 3 tunnel encryption protocol defined by the IETF. IPsec is used to provide end-to-
end encryption and verification services in the network to provide high quality and interoperability for data
transmission over the network and ensure transmission security by using cryptographic algorithms. The
communicating parties obtain the following security services at the IP layer through encryption and data source
authentication:

 Confidentiality: The IPsec sender encrypts packets before transmitting the packets over the network.

 Data integrity: The IPsec receiver authenticates packets received from the sender to ensure that data is not
tampered with during the transmission.

 Data authentication: The IPsec receiver authenticates whether the sender of IPsec packets is valid.

 Anti-replay: The IPsec receiver detects and denies expired or repeated packets.

The IPsec protocol is widely used for communication between the HQ and branches of an organization. Currently,
the device can be deployed as the IPsec server or client. A secure tunnel is established between the HQ and
each branch based on the IPsec protocol to ensure the confidentiality of data transmission and improve network
security.

2. IKE Overview

IPsec provides secure communication between two endpoints, which are called IPsec peers. Security Association
(SA) is the establishment of shared security attributes between the peers to support secure communication. An
SA may include attributes such as: security protocol used by the peers, characteristics of data flows to be
protected, encapsulation mode of data transmitted between the peers, encryption and authentication algorithms,
keys for secure data conversion and transmission, and the SA lifetime. When you configure IPsec, you can use
the Internet Key Exchange (IKE) protocol to establish an SA. IKE provides automatically negotiated keys for
establishing and maintaining SAs, simplifying IPsec usage and management.

3. IPsec Security Policy

IPsec security policies define security proposals (equivalent to SA) for data flows. You can configure matching
security policies on both parties engaged in the communication to establish IPsec tunnels between the IPsec
client and the IPsec server, protecting the communication data. An IPsec security policy consists of two parts:
basic settings and advanced settings. Advanced settings are optional and include the specific IKE policy and
connection policy. You can keep the default settings unless otherwise specified. For details, see the Configuration
Steps below.

8.1.2 Configuring the IPsec Server

Choose Local Device > VPN > IPSec > IPSec Security Policy.

245
Web-based Configuration Guide VPN

1. Basic Settings

Click Add. In the dialog box that appears, set Policy Type to Server, enter the policy name and local subnet
range, set the pre-shared key, and click OK.

Table 8-1 IPsec server basic settings

Parameter Description

Specify the name of the IPsec security policy. The name must be a string of 1 to
Policy Name
28 characters.

246
Web-based Configuration Guide VPN

Parameter Description

Select a local WAN port from the drop-down list box. The Peer Gateway
parameter set for the communication peer (IPsec client) must use the IP
Interface
address of the WAN port specified here.

In the multi-line scenario, you are advised to set this parameter to Auto.

Specify the local subnet address range for the data flows to be protected, that is,
Local Subnet the LAN port network segment of the server. The value is the combination of IP
address and subnet mask.

Specify the same pre-shared key as the credential for authentication between
communicating parties. For higher security, different peers must be configured
Pre-shared Key with different pre-shared keys. That is, a pair of interface bound to the IPsec
server and peer gateway of the IPsec client must be configured with the same
unique pre-shared key.

Status Specify whether to enable the security policy.

2. Advanced Settings (Phase 1)

Click 1. Set IKE Policy to expand the configuration items. Keep the default settings unless otherwise specified.

247
Web-based Configuration Guide VPN

Table 8-2 IPsec server IKE policy configuration

248
Web-based Configuration Guide VPN

Parameter Description

Select the hash algorithm, encryption algorithm, and Diffie-Hellman (DH) group ID
used by the IKE protocol. An IKE policy is composed of the three parameters. You can
set five sets of IKE policies. To ensure successful IKE negotiation, the two parties
engaged in IKE negotiation must have at least one set of consistent IKE policy.

Hash algorithm:
○ sha1: SHA-1 algorithm

○ md5: MD5 algorithm

Encryption algorithm:
○ des: DES algorithm using 56-bit keys
IKE Policy
○ 3des: 3DES algorithm using 168-bit keys

○ aes-128: AES algorithm using 128-bit keys

○ aes-192: AES algorithm using 192-bit keys

○ aes-256: AES algorithm using 256-bit keys

DH group ID:
○ dh1: 768-bit DH group

○ dh2: 1024-bit DH group

○ dh5: 1536-bit DH group

Select Main Mode or Aggressive Mode. The negotiation mode on the IPsec server
and IPsec client must be the same.

Main Mode: Generally, this mode is applicable to communication between fixed

public network IP addresses and point-to-point communication between devices.
Negotiation Mode In this mode, the peer identity is authenticated to provide high security.
Aggressive Mode: The public network IP addresses obtained by ADSL dial-up
users are not fixed and an NAT device may exist. Therefore, the aggressive
mode is used to implement NAT traversal. In this mode, you need to set the local
and peer ID type to NAME as the IP address is not fixed. The aggressive mode
does not authenticate the peer identity, so it has low security.

Specify the ID type of the local or peer device. The local ID type of the peer device
must be the same as the peer ID type of the local device.

IP: The IP address is used as the identity ID. The IDs of the local and peer
Local/Peer ID
devices are generated automatically.
Type NAME: The host character string is used as the identity ID. The IDs of the local
and peer devices are generated automatically. When the IP address is not fixed,
you need to set Local ID Type to NAME and modify the peer device settings
accordingly. In this case, you also need to configure the host character string that
is used as the identity ID.

When the local or peer ID type is set to NAME, you also need to host character string
Local/Peer ID that is used as the identity ID. The local ID of the peer device must be the same as
peer ID of the local device.

249
Web-based Configuration Guide VPN

Parameter Description

Specify the lifetime of the IKE SA. (The negotiated IKE SA lifetime prevails.) You are
Lifetime
advised to use the default value.

Specify whether to enable Dead Peer Detection (DPD) to detect the IPsec neighbor
status. After DPD is enabled, if the receiver does not receive IPsec encrypted packets
DPD from the peer within the DPD detection interval, DPD query will be triggered and the
receiver actively sends a request packet to detect whether the IKE peer exists.

You are advised to configure DPD when links are unstable.

Specify the DPD detection interval. That is, the interval for triggering DPD query. You
DPD Interval
are advised to keep the default setting.

3. Advanced Settings (Phase 2)

Click 2. Connection Policy to expand the configuration items. Keep the default settings unless otherwise
specified.

Table 8-3 IPsec server connection policy configuration

250
Web-based Configuration Guide VPN

Parameter Description

Specify the set of security protocol and algorithms. During IPsec SA negotiation,
the two parties use the same transform set to protect specific data flow. The
transform set on the IPsec server and IPsec client must be the same.

Security protocol: The Encapsulating Security Payload (ESP) protocol

provides data source authentication, data integrity check, and anti-replay
functions for IPsec connections and guarantees data confidentiality.
Verification algorithm:
○ sha1: SHA-1 HMAC
Transform Set
○ md5: MD5 HMAC
Encryption algorithm:
○ des: DES algorithm using 56-bit keys

○ 3des: 3DES algorithm using 168-bit keys

○ aes-128: AES algorithm using 128-bit keys

○ aes-192: AES algorithm using 192-bit keys

○ aes-256: AES algorithm using 256-bit keys

Perfect Forward Secrecy (PFS) is a security feature that can guarantee the
security of other keys when one key is cracked, because there is no derivative
relationship among the keys. After PFS is enabled, temporary private key
exchange is performed when an IKE negotiation is initiated using a security
policy. If PFS is configured on the local device, it must also be configured on the
Perfect Forward peer device that initiates negotiation and the DH group specified on the local
Secrecy and peer devices must be the same. Otherwise, negotiation will fail.

none: Disable PFS.

d1: 768-bit DH group
d2: 1024-bit DH group
d5: 1536-bit DH group
By default, PFS is disabled.

8.1.3 Configuring the IPsec Client

Choose Local Device > VPN > IPSec > IPSec Security Policy.

Click Add. In the dialog box that appears, set Policy Type to Client, enter the policy name, peer gateway, local
subnet range, and peer subnet range, set the pre-shared key, and click OK.

251
Web-based Configuration Guide VPN

Table 8-4 IPsec client basic settings

Parameter Description

Specify the name of the IPsec security policy. The name must be a string of 1 to
Policy Name
28 characters.

Peer Gateway Enter the IP address or domain name of the peer device.

252
Web-based Configuration Guide VPN

Parameter Description

Select a WAN port used locally from the drop-down list box. In the multi-line
Interface
scenario, you are advised to set this parameter to Auto.

Specify the local subnet address range for the data flows to be protected, that is,
Local Subnet the LAN port network segment of the server. The value is the combination of IP
address and subnet mask.

Specify the peer subnet address range for the data flows to be protected, that is,
Peer Subnet the LAN port network segment of the client. The value is the combination of IP
address and subnet mask.

Pre-shared Key Configure the pre-shared key the same as that on the IPsec server.

Status Specify whether to enable the security policy.

You can configure advanced parameters by referring to the corresponding settings on the IPsec server. For details,
see Advanced Settings (Phase 1) and Advanced Settings (Phase 2).

8.1.4 Viewing the IPsec Connection Status

Choose Local Device > VPN > IPSec > IPSec Connection Status.

You can view the IPsec tunnel connection status on the current page.

Table 8-5 IPsec tunnel connection status information

Parameter Description

Name Indicate the security policy name on the IPsec server or client.

Indicate the Security Parameter Index (SPI) of the IPsec connection, used to
SPI associate the received IPsec data packets with the corresponding SA. The SPI
of each IPsec connection must be unique.

253
Web-based Configuration Guide VPN

Parameter Description

Indicate the direction of the IPsec connection. The value in indicates inbound,
Direction
and the value out indicates outbound.

Indicate the gateway addresses on two ends of the IPsec connection. The arrow
Tunnel Client
indicates the direction of data flows to be protected by the current tunnel.

Indicate the subnet range on two ends of the IPsec connection. The arrow
Flow
indicates the direction of data flows to be protected by the current tunnel.

Status Indicate the IPsec tunnel connection status.

Security Protocol Indicate the security protocol used by the IPsec connection.

Indicate the encryption algorithm and authentication algorithm used by the IPsec
Algorithm
connection.

8.1.5 Typical Configuration Example

1. Networking Requirements

The HQ and branch of an enterprise are connected through the Internet. An IPsec tunnel needs to be established
between the HQ gateway and branch gateway to ensure the confidentiality of transmitted data.

2. Networking Diagram

WAN WAN
172.26.30.192 172.26.1.200
Device A Device B

LAN:192.168.110.0/24 LAN:192.168.120.0/24

Headquarters Branch

3. Configuration Roadmap

 Configure the HQ gateway Device A as the IPsec server.

 Configure the branch gateway Device B as the IPsec client.

4. Configuration Steps

(1) Configure the HQ gateway.

254
Web-based Configuration Guide VPN

a Log in to the web management system and choose VPN > IPSec > IPSec Security Policy to access the
IPSec Security Policy page.

b Click Add. In the dialog box that appears, set Policy Type to Server, enter the policy name, select the
bound interface, and configure the local subnet to be accessed through IPsec and the pre-shared key.

If the device connects to other EG devices in the Reyee network, you are advised to keep the default
settings in IKE phase 1 and phase 2. If the device connects to devices from another vendor, keep the
parameter settings consistent on the connected devices.

255
Web-based Configuration Guide VPN

(2) Configure the branch gateway.

a Log in to the web management system and access the IPSec Security Policy page.

b Click Add. In the dialog box that appears, set Policy Type to Client, enter the policy name, select the peer
gateway (WAN port address or domain name of the HQ gateway), and configure the local subnet that
needs to access the peer subnet and the pre-shared key the same as that on the HQ gateway. Keep the
other phase 1 and phase 2 parameters consistent with those on the IPsec server.

256
Web-based Configuration Guide VPN

5. Verifying Configuration

(1) Log in to the web management system of the HQ or branch gateway and choose VPN > IPSec > IPSec
Connection Status. You can view the IPsec connection status between the HQ and branch.

(2) Perform ping test between clients on the two ends that need to access each other. The clients can successfully
ping and access each other.

257
Web-based Configuration Guide VPN

8.1.6 Solution to IPsec VPN Connection Failure

(1) Run the ping command to test the connectivity between the client and server. For details, see Section 9.9.3
Network Tools. If the ping fails, check the network connection settings. Check whether the branch EG can ping
to HQ EG. If the ping fails, check the network connection between the two EGs.

Click Diagnostics > Network Tools. Then, you can start the ping operation. For details, see Section 9.9.3
Network Tools.

(2) Confirm that the configurations on the IPsec server and IPsec client are correct.

Choose VPN > IPSec > IPSec Security Policy and confirm that the security policies configured on the two
ends are matching.

(3) Check whether the WAN IP address of your HQ EG is a public IP address. If not, you need to configure DMZ
or port mapping (UDP 500 and 4500 used as IPsec VPN port) on your egress gateway and set Local ID Type
to NAME on HQ and branch gateways.

258
Web-based Configuration Guide VPN

8.2 Configuring L2TP VPN

8.2.1 Overview

Layer Two Tunneling Protocol (L2TP) is a virtual tunneling protocol, usually used in virtual private networks.

The L2TP protocol does not provide encryption and reliability verification functions, but it can work with a security
protocol to implement encrypted data transmission. L2TP is frequently used with IPsec to encapsulate packets
using L2TP before encapsulating packets using IPsec. This combination implements user verification and address
allocation through L2TP and ensures communication security through IPsec.

L2TP VPN can be used to establish secure tunnels between the enterprise HQ and branches and allow traveling
employees to access the HQ. Currently, the device can be deployed as the L2TP server or client.

8.2.2 Configuring the L2TP Server

1. Basic Settings of L2TP Server

Choose Local Device > VPN > L2TP > L2TP Settings.

Turn on the L2TP function, set L2TP Type to Server, set L2TP server parameters, and click Save.

Table 8-6 L2TP server configuration

259
Web-based Configuration Guide VPN

Parameter Description

Specify the local virtual IP address of the L2TP server. Clients can dial up to
Local Tunnel IP
access the L2TP server through this address.

Specify the address pool used by the L2TP server to allocate IP addresses to
IP Range
clients.

DNS Server Specify the DNS server address pushed by the L2TP server to clients.

Specify whether to enable L2TP tunnel authentication. If you enable this

function, you need to configure a tunnel authentication key. By default, tunnel
authentication is disabled.

The tunnel authentication request can be initiated by clients. If tunnel

authentication is enabled on one end, a tunnel to the peer can be established
Tunnel Authentication only when tunnel authentication is also enabled on the peer and consistent keys
are configured on the two ends. Otherwise, the local end will automatically shut
down the tunnel connection. If tunnel authentication is disabled on both ends, no
authentication key is required for tunnel establishment.

When a PC functions as the client to access the L2TP server, you are advised
not to enable tunnel authentication on the L2TP server.

Specify whether to encrypt the tunnel. If you select Security, the device
encrypts the L2TP tunnel using IPsec, indicating the L2TP over IPsec mode.

If an IPsec security policy is enabled on the current device, you cannot enable
IPSec Security IPsec encryption for the L2TP tunnel. If you want to configure L2TP over IPsec,
disable the IPsec security policy first.

The IPsec encryption configuration on the L2TP server and client must be
consistent. For details, see Configuring the L2TP over IPsec Server.

The VPN server has a lower priority to control the traffic of the client than the
Flow Control custom policy. The VPN server can only limit the maximum uplink and downlink
bandwidth per user for the client. For details, see 7.6.2 Smart Flow Control.

Specify the interval for sending PPP Hello packets after L2TP VPN is deployed.
PPP Hello Interval
You are advised to retain the default configuration.

Caution

The local tunnel address and IP address range of the address pool cannot overlap the network segment of the
LAN port on the device.

260
Web-based Configuration Guide VPN

2. Configuring the L2TP over IPsec Server

Choose Local Device > VPN > L2TP > L2TP Settings.

After you complete Basic Settings of L2TP Server, enable IPsec encryption on the L2TP server to guarantee
communication security. For details on the IPsec configuration, see Section 8.1 Configuring IPsec VPN.

261
Web-based Configuration Guide VPN

Table 8-7 L2TP over IPsec server configuration

Parameter Description

Specify the same unique pre-shared key as the credential for mutual authentication
Pre-shared Key
between the server and client.

Select the encryption algorithm, hash algorithm, and DH group ID used by the IKE
protocol. To ensure successful IKE negotiation, the two parties engaged in IKE
negotiation must have at least one set of consistent IKE policy. The IKE policies on the
server and client must be consistent.

Hash algorithm:
○ sha1: SHA-1 algorithm

○ md5: MD5 algorithm

Encryption algorithm:
○ des: DES algorithm using 56-bit keys
IKE Policy
○ 3des: 3DES algorithm using 168-bit keys

○ aes-128: AES algorithm using 128-bit keys

○ aes-192: AES algorithm using 192-bit keys

○ aes-256: AES algorithm using 256-bit keys

DH group ID:
○ dh1: 768-bit DH group

○ dh2: 1024-bit DH group

○ dh5: 1536-bit DH group

Specify the set of security protocol and algorithms. During IPsec SA negotiation, the
two parties use the same transform set to protect specific data flow. The transform set
on the server and client must be the same.

Security protocol: The Encapsulating Security Payload (ESP) protocol provides

data source authentication, data integrity check, and anti-replay functions for
IPsec connections and guarantees data confidentiality.
Verification algorithm:
○ sha1: SHA-1 HMAC
Transform Set
○ md5: MD5 HMAC
Encryption algorithm:
○ des: DES algorithm using 56-bit keys

○ 3des: 3DES algorithm using 168-bit keys

○ aes-128: AES algorithm using 128-bit keys

○ aes-192: AES algorithm using 192-bit keys

○ aes-256: AES algorithm using 256-bit keys

262
Web-based Configuration Guide VPN

Parameter Description

Select Main Mode or Aggressive Mode. The negotiation mode on the server and
client must be the same.

Main Mode: This mode is applicable to communication between fixed public

network IP addresses and point-to-point communication between devices. In this
Negotiation Mode mode, the peer identity is authenticated to provide high security.
Aggressive Mode: The public network IP addresses obtained by ADSL dial-up
users are not fixed and an NAT device may exist. Therefore, the aggressive
mode is used to implement NAT traversal. In this mode, you need to set the local
and peer ID type to NAME as the IP address is not fixed. The aggressive mode
does not authenticate the peer identity, so it has low security.

Specify the ID type of the local device. The peer ID of the client must be the same as
local ID of the server.

IP: The IP address is used as the identity ID. The ID of the local device is
generated automatically.
NAME: The host character string is used as the identity ID. The ID of the local
Local ID Type device is generated automatically. In this case, you also need to configure the
host character string that is used as the identity ID.
When the WAN port IP address of the server is a private network address, you need
to set Local ID Type to NAME and configure DMZ on the external device.

When the IP address is not fixed, you need to set Local ID Type to NAME and modify
the peer device settings accordingly.

When Local ID Type is set to NAME, the host character string is used as the identity
Local ID
ID. The peer ID of the client must be the same as local ID of the server.

3. Configuring L2TP User

Choose Local Device > VPN > VPN Clients.

Only user accounts added to the VPN client list are allowed to dial up to connect to the L2TP server. Therefore,
you need to manually configure user accounts for clients to access the L2TP server.

Click Add. In the dialog box that appears, set Service Type to L2TP or ALL. (If you select ALL, the created
account can be used to establish all types of VPN tunnels.) Enter the username, password, and peer subnet,
select a network mode, and click OK.

263
Web-based Configuration Guide VPN

264
Web-based Configuration Guide VPN

Table 8-8 L2TP user configuration

Parameter Description

Specify the name and password of the L2TP user allowed to dial up to connect
Username/Password to the L2TP server. The username and password are used to establish a
connection between the server and client.

PC to Router: The dial-up client is an individual. Select this mode when a

PC wants to dial up to communicate with the remote PC through the LAN.
Network Mode Router to Router: The dial-up client is a user in a network segment. Select
this mode when the LANs on two ends of the tunnel need to communicate
through router dial-up.

Specify the IP address range used by the LAN on the peer end of the L2TP
tunnel. Generally, the peer subnet is the IP address network segment of the LAN
port on the device. (The LAN network segments of the server and client cannot
Peer Subnet
overlap.)

For example, when a branch dials up to connect to the HQ, enter the LAN
network segment of the router.

Status Specify whether to enable the user account.

8.2.3 Configuring the L2TP Client

1. Basic Settings of L2TP Client

Choose Local Device > VPN > L2TP > L2TP Settings.

Turn on the L2TP function, set L2TP Type to Client, set L2TP client parameters, and click Save.

265
Web-based Configuration Guide VPN

Table 8-9 L2TP client configuration

Parameter Description

Specify the username and password for identity authentication for communication
Username/Password over the L2TP tunnel. The values must be the same as those configured on the
L2TP server.

Interface Specify the WAN port used by the client.

Specify the virtual IP address of the VPN tunnel client. If you select Dynamic, the
client obtains an IP address from the server address pool. If you select Static,
Tunnel IP
manually configure an idle static address within the range of the server address
pool as the local tunnel IP address.

Enter the WAN port IP address or domain name of the server. This address must be
Server Address
a public network IP address.

266
Web-based Configuration Guide VPN

Parameter Description

Enter the LAN network segment in which clients want to access the server. The
Peer Subnet
value cannot overlap with the LAN network segment of the client.

Specify whether to enable L2TP tunnel authentication. If you enable this function,
Tunnel you need to enter tunnel authentication key the same as that configured on the
Authentication server. By default, tunnel authentication is disabled. To protect tunnel security, you
are advised to enable tunnel authentication.

Specify whether to encrypt the tunnel. If you select Security, the device Enable the
L2TP tunnel using IPsec, indicating the L2TP over IPsec mode. The IPsec
IPSec Security
encryption configuration on the server and client must be consistent. For details,
see Configuring the L2TP over IPsec Client.

NAT: Perform NAT traversal on the data packet passing through the L2TP
tunnel. That is, replace the source IP address of the data packet with the local
Work Mode virtual IP address of the L2TP tunnel. In NAT mode, the server cannot access
the LAN where the client resides.
Router: Only route the data packet passing through the L2TP tunnel. In router
mode, the server can access the LAN where the client resides.

Specify the interval for sending PPP Hello packets after L2TP VPN is deployed. You
PPP Hello Interval
are advised to retain the default configuration.

2. Configuring the L2TP over IPsec Client

Choose Local Device > VPN > L2TP > L2TP Settings.

After you complete Basic Settings of L2TP Client, enable IPsec encryption on the L2TP client to guarantee
communication security. The IPsec encryption configuration on the server and client must be consistent. For
details, see Configuring the L2TP over IPsec Server.

267
Web-based Configuration Guide VPN

8.2.4 Viewing the L2TP Tunnel Information

Choose Local Device > VPN > L2TP > Tunnel List.

It takes some time to establish a VPN connection between the server and client. After the configuration of the
server and client is completed, wait for 1 to 2 minutes to refresh the page and view the L2TP tunnel establishment
status.

Table 8-10 L2TP tunnel information

Parameter Description

Username Indicate the username used by the client for identity authentication.

Server/Client Indicate the role of the current device, which is client or server.

Tunnel Name Indicate the name of the vNIC generated by L2TP.

268
Web-based Configuration Guide VPN

Parameter Description

Indicate the local virtual IP address of the tunnel. The virtual IP address of the L2TP
Virtual Local IP
client is allocated by the L2TP server.

Access Server IP Indicate the real IP address of the peer connecting to the L2TP tunnel.

Indicate the peer virtual IP address of the tunnel. The virtual IP address of the L2TP
Peer Virtual IP
client is allocated by the L2TP server.

DNS Indicate the DNS server address allocated by the L2TP server.

8.2.5 Typical Configuration Example

1. Networking Requirements

An enterprise wants to establish an L2TP tunnel to allow its traveling employees and branch employees to access
the servers deployed in the HQ LAN.

 Traveling employees want to access the HQ servers from their PCs through L2TP VPN.

 Branch employees need to frequently access documents on the HQ servers. The enterprise wants to deploy
the branch router (Device B) as the L2TP client, so that branch employees can dial up to transparently and
directly access documents on the HQ servers, as if they are accessing servers inside the branch.

2. Networking Diagram

PC

Headquarters Branch

WAN WAN
172.26.30.192 172.26.1.200

Device A Device B

192.168.110.0/24 192.168.120.0/24

3. Configuration Roadmap

 Configure the HQ gateway Device A as the L2TP server.

 Configure the branch gateway Device B as the L2TP client.

 Configure the PC of the traveling employee as the L2TP client.

269
Web-based Configuration Guide VPN

4. Configuration Steps

(1) Configure the HQ gateway.

Note

The LAN address of the HQ cannot conflict with that of the branch. Otherwise, resource access will fail.

a Log in to the web management system and choose VPN > L2TP > L2TP Settings to access the L2TP
Settings page.

b Turn on the L2TP function, set L2TP Type to Server, enter the local tunnel address, address pool IP
address range, and DNS server address, specify whether to enable IPsec encryption and tunnel
authentication, and click Save.

270
Web-based Configuration Guide VPN

Table 8-11 L2TP server configuration

Parameter Description

Enter an IP address not in the LAN network segment. The PC can dial up to
Local Tunnel IP
access the server through this IP address.

Enter an IP address range not in the LAN network segment, which is used to
IP Range
allocate IP addresses to clients.

DNS Server Enter an available DNS server address.

By default, tunnel authentication is disabled. After this function is enabled, the

Tunnel Authentication server and client can be connected only when they use the same tunnel key.
You can keep tunnel authentication disabled.

Specify whether to encrypt the L2TP tunnel using the IPsec protocol. You are
advised to select Security to guarantee data security.
IPSec Security If an IPsec security policy is enabled on the current device, you cannot enable
IPsec encryption for the L2TP tunnel. If you want to configure L2TP over IPsec,
disable the IPsec security policy first.

271
Web-based Configuration Guide VPN

Parameter Description

Enter the key for IPsec authentication. The client can access the server only
Pre-shared Key
when the same pre-shared key is configured on the client.

IKE Policy

Transform Set

Negotiation Mode Keep the default settings unless otherwise specified.

Local ID Type

Local ID

PPP Hello Interval Keep the default settings unless otherwise specified.

c Choose VPN > VPN Clients and add L2TP user accounts for the traveling employee and branch employee
to access the HQ.

For the traveling employee account, set Network Mode to PC to Router.

For the branch employee account, set Network Mode to Router to Router and Peer Subnet to the LAN
network segment of the branch gateway, that is 192.168.120.0/24.

Caution
The LAN network segments of the server and client cannot overlap.

272
Web-based Configuration Guide VPN

(2) Configure the branch gateway.

a Log in to the web management system and access the L2TP Settings page.

b Turn on the L2TP function, set L2TP Type to Client, enter the username and password configured on the
server, server address, and LAN network segment of the peer, configure IPsec encryption parameters the
same as those on the server, and click Save.

Table 8-12 L2TP client configuration

Parameter Description

Username/Password Enter the username and password configured on the server.

Interface Select the WAN port on the client to establish a tunnel with the server.

Select Dynamic to automatically obtain the tunnel IP address. You can also
Tunnel IP
select Static and enter an IP address in the address pool of the server.

Server Address Enter the WAN port address of the server, that is 172.26.30.192.

Enter the LAN network segment (LAN port IP address range) of the server, that
Peer Subnet
is 192.168.110.0/24.

The value must be the same as that on the server. In this example, you need to
Tunnel Authentication
disable tunnel authentication.

The value must be the same as that on the server. In this example, you need to
IPSec Security
set this parameter to Security.

Pre-shared Key Enter the pre-shared key configured on the server.

273
Web-based Configuration Guide VPN

Parameter Description

IKE Policy

Transform Set
The settings must be the same as those on the server. Set Peer ID Type to the
Negotiation Mode
same value as that of Local ID Type on the server.
Peer ID Type

Peer ID

Work Mode If the HQ wants to access the LAN of the branch, set this parameter to Router.

Specify the interval for sending PPP Hello packets after L2TP VPN is deployed.
PPP Hello Interval
Keep the default settings.

(3) Configure the PC of the traveling employee.

Note
Configure the PC of a traveling employee as the L2TP client. The following uses the PC running Windows
10 operating system as an example.
The Windows XP (shorted as XP) system and Windows 7/Windows 10 (shorted as Win7/10) system differ
in their support for L2TP VPN: To enable L2TP VPN in the XP system, you need to modify the service
registries. L2TP is supported in the Win7/10 system by default, without the need to modify registries.
Neither the Win7/Win10 system nor the XP system supports L2TP tunnel authentication. Therefore, tunnel
authentication must be disabled on the server.

Apple mobile phones support L2TP over IPsec but do not support IPsec encryption for L2TP dial-up.

a Choose Settings > Network & Internet > VPN to access the VPN page.

b Click Add a VPN connection. In the dialog box that appears, set VPN provider to Windows, enter the
connection name and server address or domain name, and click Save.

274
Web-based Configuration Guide VPN

c Right-click the created VPN connection named L2TP_TEST and select Properties to view the properties
of the network connection.

d In the dialog box that appears, click the Security tab, and set Type of VPN to Layer 2 Tunneling Protocol
with IPsec (L2TP/IPsec) and Data encryption to Optional encryption (connect even if no encryption).

If IPsec encryption is not enabled on the L2TP server, select Unencrypted password (PAP) and click OK.
Skip Step e .

If IPsec encryption is enabled on the L2TP server, perform Step e .

275
Web-based Configuration Guide VPN

e If IPsec encryption is enabled on the server, select CHAP and MS-CHAP v2 as the identity authentication
protocols and click Advanced settings. In the dialog box that appears, configure the pre-shared key the
same as that on the server. After completing the configuration, click OK.

276
Web-based Configuration Guide VPN

Note

The device does not support EAP for identity authentication. Therefore, you cannot select EAP-related
identity authentication options in the Windows client. Otherwise, the VPN connection fails.

f After the L2TP client configuration is completed on the PC, initiate a VPN connection on the PC. Click the

network icon in the task bar, select the created L2TP VPN connection, and click Connect. In the
dialog box that appears, enter the username and password configured on the server.

277
Web-based Configuration Guide VPN

5. Verifying Configuration

(1) After the server and client are configured, wait for about 1 minute. If you can view the L2TP tunnel connection
information on the HQ server and branch client, the connection is successful.

HQ:

Branch:

(2) Ping the LAN address of the peer from the HQ or branch. The HQ and branch can successfully communicate.
The PC of the traveling employee and the PC of the branch employee can access the HQ server.

278
Web-based Configuration Guide VPN

8.2.6 Solution to L2TP VPN Connection Failure

(1) Run the ping command to test the connectivity between the client and server. For details, see Section 9.9.3
Network Tools. If the ping fails, check the network connection settings. Check whether the branch EG can ping
to HQ EG. If the ping fails, check the network connection between the two EGs.

Choose Diagnostics > Network Tools. Then, you can start the ping operation. For details, see Section 9.9.3
Network Tools.

(2) Check whether the username and password used by the client are the same as those configured on the server.

(3) Check whether the WAN port IP address of your HQ EG is a public network IP address. If not, you need to
configure DMZ on your egress gateway.

8.3 Configuring PPTP VPN

8.3.1 Overview

Point-to-Point Tunneling Protocol (PPTP) is an enhanced security protocol designed based on the Point-to-Point
Protocol (PPP). It allows an enterprise to use private tunnels to expand its enterprise network over the public
network. PPTP relies on the PPP protocol to implement security functions such as encryption and identity
authentication. Generally, PPTP works with Password Authentication Protocol (PAP), Challenge Handshake
Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv1/v2), or
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) for identity authentication and Microsoft
Point-to-Point Encryption (MPPE) for encryption to improve security.

Currently, the device can be deployed as the PPTP server or client. It supports MPPE for encryption MSCHAP-
v2 for identity authentication, and does not support EAP authentication.

8.3.2 Configuring the PPTP Service

1. Configuring the PPTP Server

Choose Local Device > VPN > PPTP > PPTP Settings.

Turn on the PPTP function, set PPTP Type to Server, configure PPTP server parameters, and click Save.

279
Web-based Configuration Guide VPN

Table 8-13 PPTP server configuration

Parameter Description

Specify the local virtual IP address of the L2TP server. Clients can dial up to
Local Tunnel IP
access the L2TP server through this address.

Specify the address pool used by the PPTP server to allocate IP addresses to
IP Range
clients.

DNS Server Specify the DNS server address pushed by the PPTP server to clients.

280
Web-based Configuration Guide VPN

Parameter Description

Specify whether to use MPPE to encrypt the PPTP tunnel.

After MPPE is enabled on the server: If Data encryption is set to Optional

encryption on the client, the server and client can be connected but the server
does not encrypt packets. If Data encryption is set to Require encryption on
the client, the server and client can be connected and the server encrypts
packets. If Data encryption is set to No encryption allowed on the client, the
MPPE
server and client cannot be connected.

If MPPE is disabled on the server but the client requires encryption, the server
and client connection fails.

By default, MPPE is disabled on the server. After you enable MPPE, the
bandwidth performance of the device degrades. You are advised to keep MPPE
disabled if there are no special security requirements.

The VPN server has a lower priority to control the traffic of the client than the
Flow Control custom policy. The VPN server can only limit the maximum uplink and downlink
bandwidth per user for the client. For details, see 7.6.2 Smart Flow Control.

PPP Hello Interval Specify the interval for sending PPP Hello packets after PPTP VPN is deployed.

Caution

The local tunnel address and IP address range of the address pool cannot overlap the network segment of the
LAN port on the device.

2. Configuring PPTP User

Choose Local Device > VPN > VPN Clients.

Only user accounts added to the VPN client list are allowed to dial up to connect to the PPTP server. Therefore,
you need to manually configure user accounts for clients to access the PPTP server.

Click Add. In the dialog box that appears, set Service Type to PPTP or ALL. (If you select ALL, the created
account can be used to establish all types of VPN tunnels.) Enter the username, password, and peer subnet,
select a network mode, and click OK.

281
Web-based Configuration Guide VPN

Table 8-14 PPTP user configuration

Parameter Description

Specify the name and password of the PPTP user allowed to dial up to connect to
Username/Password the PPTP server. The username and password are used to establish a connection
between the server and client.

PC to Router: The dial-up client is an individual. Select this mode when a PC

wants to dial up to communicate with the remote PC through the LAN.
Network Mode Router to Router: The dial-up client is a user in a network segment. Select this
mode when the LANs on two ends of the tunnel need to communicate through
router dial-up.

Specify the IP address range used by the LAN on the peer end of the PPTP tunnel.
Generally, the peer subnet is the IP address network segment of the LAN port on
Peer Subnet the device. (The LAN network segments of the server and client cannot overlap.)

For example, when a branch dials up to connect to the HQ, enter the LAN network
segment of the router.

Status Specify whether to enable the user account.

8.3.3 Configuring the PPTP Client

Choose Local Device > VPN > PPTP > PPTP Settings.

Turn on the PPTP function, set PPTP Type to Client, configure PPTP client parameters, and click Save.

282
Web-based Configuration Guide VPN

Table 8-15 PPTP client configuration

Parameter Description

Specify the username and password for identity authentication for

Username/Password communication over the PPTP tunnel. The values must be the same as those
configured on the PPTP server.

Interface Specify the WAN port used by the client.

Specify the virtual IP address of the VPN tunnel client. If you select Dynamic,
the client obtains an IP address from the server address pool. If you select
Tunnel IP
Static, manually configure an idle static address within the range of the server
address pool as the local tunnel IP address.

Enter the WAN port IP address or domain name of the server. This address
Server Address
must be a public network IP address.

283
Web-based Configuration Guide VPN

Parameter Description

Enter the LAN network segment in which clients want to access the server. The
Peer Subnet
value cannot overlap with the LAN network segment of the client.

Specify whether to use MPPE to encrypt the PPTP tunnel. The value must be
MPPE
the same as that on the server.

NAT: The client can access the server network, but the server cannot access the
Work Mode client network.

Router: The server can access the client network.

Specify the interval for sending PPP Hello packets after a PPTP tunnel is
PPP Hello Interval
established. You are advised to retain the default configuration.

8.3.4 Viewing the PPTP Tunnel Information

Choose Local Device > VPN > PPTP > Tunnel List.

It takes some time to establish a VPN connection between the server and client. After the configuration of the
server and client is completed, wait for 1 to 2 minutes to refresh the page and view the PPTP tunnel establishment
status.

Table 8-16 PPTP tunnel information

Parameter Description

Username Indicate the username used by the client for identity authentication.

Server/Client Indicate the role of the current device, which is client or server.

Tunnel Name Indicate the name of the vNIC generated by PPTP.

Indicate the local virtual IP address of the tunnel. The virtual IP address of the
Virtual Local IP
PPTP client is allocated by the PPTP server.

Access Server IP Indicate the real IP address of the peer connecting to the PPTP tunnel.

284
Web-based Configuration Guide VPN

Parameter Description

Indicate the peer virtual IP address of the tunnel. The virtual IP address of the
Peer Virtual IP
PPTP client is allocated by the PPTP server.

DNS Indicate the DNS server address allocated by the PPTP server.

8.3.5 Typical Configuration Example

1. Networking Requirements

An enterprise wants to establish a PPTP tunnel to allow its traveling employees and branch employees to access
the servers deployed in the HQ LAN.

 Traveling employees want to access the HQ servers from their PCs through PPTP dial-up.

 Branch employees need to frequently access documents on the HQ servers. The enterprise wants to deploy
the branch router (Device B) as the PPTP client, so that branch employees can dial up to transparently and
directly access documents on the HQ servers, as if they are accessing servers inside the branch.

2. Networking Diagram

3. Configuration Roadmap

 Configure the HQ gateway Device A as the PPTP server.

 Configure the branch gateway Device B as the PPTP client.

 Configure the PC of the traveling employee as the PPTP client.

4. Configuration Steps

(1) Configure the HQ gateway.

Note

The LAN address of the HQ cannot conflict with that of the branch. Otherwise, resource access will fail.

285
Web-based Configuration Guide VPN

a Log in to the web management system and choose VPN > PPTP > PPTP Settings to access the PPTP
Settings page.

b Turn on the PPTP function, set PPTP Type to Server, enter the local tunnel address, address pool IP
address range, and DNS server address, specify whether to enable MPPE encryption, and click Save.

Table 8-17 PPTP server configuration

286
Web-based Configuration Guide VPN

Parameter Description

Enter an IP address not in the LAN network segment. The PC can dial up to
Local Tunnel IP
access the server through this IP address.

Enter an IP address range not in the LAN network segment, which is used to
IP Range
allocate IP addresses to clients.

DNS Server Enter an available DNS server address.

Specify whether to use MPPE to encrypt the PPTP tunnel. The value must be
the same as that on the client.
MPPE After you enable MPPE, the device security is improved but the bandwidth
performance of the device degrades. You are advised to keep MPPE disabled if
there are no special security requirements.

PPP Hello Interval Keep the default settings unless otherwise specified.

c Choose VPN > VPN Clients and add PPTP user accounts for the traveling employee and branch
employee to access the HQ.

For the traveling employee account, set Network Mode to PC to Router.

For the branch employee account, set Network Mode to Router to Router and Peer Subnet to the LAN
network segment of the branch gateway.

Caution
The LAN network segments of the server and client cannot overlap.

287
Web-based Configuration Guide VPN

(2) Configure the branch gateway.

a Log in to the web management system and access the PPTP Settings page.

b Turn on the PPTP function, set PPTP Type to Client, enter the username and password configured on the
server, server address, and LAN network segment of the peer, configure IPsec encryption parameters the
same as those on the server, and click Save.

288
Web-based Configuration Guide VPN

Table 8-18 PPTP client configuration

Parameter Description

Username/Password Enter the username and password configured on the server.

Interface Select the WAN port on the client to establish a tunnel with the server.

Select Dynamic to automatically obtain the tunnel IP address. You can also
Tunnel IP
select Static and enter an IP address in the address pool of the server.

Server Address Enter the WAN port address of the server.

Peer Subnet Enter the LAN network segment (LAN port IP address range) of the server.

MPPE The value must be the same as that on the server.

Work Mode If the HQ wants to access the LAN of the branch, set this parameter to Router.

289
Web-based Configuration Guide VPN

Parameter Description

Specify the interval for sending PPP Hello packets after PPTP VPN is deployed.
PPP Hello Interval
Keep the default settings.

(3) Configure the PC of the traveling employee.

Note

Configure the PC of a traveling employee as the PPTP client. The following uses the PC running Windows
10 operating system as an example.

Enable ports 1723 (PPTP) and 47 (GRE) on the PC firewall.

a Choose Settings > Network & Internet > VPN to access the VPN page.

b Click Add a VPN connection. In the dialog box that appears, set VPN provider to Windows and VPN
type to Point to Point Tunneling Protocol (PPTP), enter the connection name and server address or
domain name, and click Save.

290
Web-based Configuration Guide VPN

c Right-click the created VPN connection named PPTP_TEST and select Properties to view the properties
of the network connection.

d In the dialog box that appears, click the Security tab.

If MPPE is not enabled on the PPTP server, set Data encryption to Optional encryption or No
encryption allowed and use PAP, CHAP, or MS-CHAP v2 for identity authentication, as shown in the
following figure on the left.

If MPPE is enabled on the PPTP server, set Data encryption to Require encryption or Maximum
strength encryption and use MS-CHAP v2 for identity authentication, as shown in the following figure on
the right.

291
Web-based Configuration Guide VPN

Note

The device does not support EAP for identity authentication. Therefore, you cannot select EAP-related
identity authentication options in the Windows client. Otherwise, the VPN connection fails.

e When the PC functions as a dial-up client, configure the PC by using either of the following methods:

○ Add a route to the VPN peer network segment on the PC as the administrator.

○ In the Properties dialog box of the local VPN connection, select Use default gateway on remote
network. After the VPN connection is successful, all data flows from the PC to the Internet are routed to
the VPN tunnel. The following figures show the detailed configuration.

292
Web-based Configuration Guide VPN

293
Web-based Configuration Guide VPN

f After the PPTP client configuration is completed on the PC, initiate a VPN connection on the PC. Click the

network icon in the task bar, select the PPTP VPN connection, and click Connect. In the dialog
box that appears, enter the username and password configured on the server.

5. Verifying Configuration

(1) After the server and client are configured, wait for about 1 minute. If you can view the L2TP tunnel connection
information on the HQ server and branch client, the connection is successful.

HQ:

294
Web-based Configuration Guide VPN

Branch:

(2) Ping the LAN address of the peer from the HQ or branch. The HQ and branch can successfully communicate.
The PC of the traveling employee and the PC of the branch employee can access the HQ server.

8.3.6 Solution to PPTP VPN Connection Failure

(1) iPhones and other IOS devices do not support PPTP VPN. Please use L2TP VPN instead

(2) Run the ping command to test the connectivity between the client and server. For details, see Section 9.9.3
Network Tools. If the ping fails, check the network connection settings. Check whether the branch EG can ping
to HQ EG. If the ping fails. Check the network connection between the two EGs.

Choose Diagnostics > Network Tools. Then, you can start the ping operation. For details, see Section 9.9.3
Network Tools.

(3) Check whether the username and password used by the client are the same as those configured on the server.

(4) Check whether the WAN port IP address of your HQ EG is a public network IP address. If not, please configure
DMZ on your egress gateway.

295
Web-based Configuration Guide VPN

8.4 Configuring OpenVPN

Caution
 The RG-EG105G does not support the OpenVPN function.
 IPTV connection is not supported only in the Chinese environment. To connect to IPTV in the Chinese
environment, switch the system language. For details, see Section 9.11 Switching System Language.

8.4.1 Overview

1. OpenVPN Overview

Due to security considerations or cross-NAT communication needs, private channels need to be established
between enterprises or between individual and enterprise. OpenVPN is used to establish Layer 2 or Layer 3 VPN
tunnels by using the vNIC. OpenVPN supports flexible client authorization modes, supports authentication through
certificate or username and password, and allows users to connect to VPN virtual interfaces through the firewall.
It is easier to use than other types of VPN technologies. OpenVPN can run in the Linux, xBSD, Mac OS X, and
Windows 2000/XP systems. The device can establish VPN connections to PCs, Android/Apple mobile phones,
routers, and Linux devices, and it is compatible with most OpenVPN products in the market.

OpenVPN connections can traverse most proxy servers and can function well in the NAT environment. The
OpenVPN server can push the following network configuration to clients: IP address, routes, and DNS settings.

2. Certificate Overview

The major advantage of OpenVPN lies in its high security, but OpenVPN security requires the support of
certificates.

The OpenVPN client supports certificates ca.crt, ca.key, client.crt, and client.key and the OpenVPN server
supports certificates ca.crt, ca.key, server.crt, and server.key.

8.4.2 Configuring the OpenVPN Server

Choose Local Device > VPN > OpenVPN.

1. Basic Settings

Turn on Enable to enable the OpenVPN function, set OpenVPN Type to Server, set other parameters, and click
Save. After the basic settings are completed, you can view the tunnel information of the server in the tunnel list.

296
Web-based Configuration Guide VPN

Table 8-19 OpenVPN server basic settings

Parameter Description

Select a server authentication mode. The options are Account, Certificate, and
Account & Certificate.

Account: Enter the correct username and password and upload the CA
certificate on the client to connect to the server. The configuration is
Server Mode simple.
Certificate: Upload the CA certificate and client certificate and enter the
correct private key on the client to connect to the server.
Account & Certificate: Upload the CA certificate and client certificate and
enter the correct username, password, and private key. This mode is
applicable to scenarios with high security requirements.

297
Web-based Configuration Guide VPN

Parameter Description

Select a protocol for all OpenVPN communications based on a single IP port.

The options are UDP and TCP.
Protocol The default value is UDP, which is recommended. When you select a protocol,
pay attention to the network status between two encrypted tunnel ends. If high
latency or heavy packet loss occurs, select TCP as the underlying protocol.

Specify the server address for client connection. You can set this parameter to a
Server Address
domain name.

Specify the port used by the OpenVPN service process. Internet Assigned
Numbers Authority (IANA) specifies port 1194 as the official port for the
Port ID OpenVPN service. If the port is in use or disabled in the local network, the
server log prompts port binding failure and you are asked to change the port
number.

Specify the network segment of the OpenVPN address pool. The first available
in the address pool is allocated to the server, and the other addresses are
IP Range
allocated to clients. For example, if this parameter is set to 10.80.12.0/24, the
VPN virtual address of the server is 10.80.12.1.

Specify the VPN dial-up line for clients to access the LAN network segment of
Deliver Route the server. The server informs clients that want to access the server LAN of the
route information. You can configure a maximum of three routes.

The VPN server has a lower priority to control the traffic of the client than the
Flow Control custom policy. The VPN server can only limit the maximum uplink and downlink
bandwidth per user for the client. For details, see 7.6.2 Smart Flow Control.

Click Export to export the parameter configuration of the client connected to the
server in the .tar compressed package. The decompressed information is used
for setting the OpenVPN client.

In account mode, the compressed package contains the configuration file

client.ovpn, CA certificate ca.crt, and CA private key ca.key.
Client Config If certificate authentication is configured, the compressed package contains the
configuration file client.ovpn, CA certificate ca.crt, CA private key ca.key, client
certificate client.cart, and client private key client.key.

If TLS authentication is enabled, the compressed package contains the TLS

identity authentication key tls.key apart from the preceding files. For details on
TLS authentication, see Advanced Settings.

298
Web-based Configuration Guide VPN

Parameter Description

Click Export to export server log files, including the server start time and client
Server Log
dial-up logs.

Caution

The IP address range of the device cannot overlap the network segment of the LAN port on the device.

2. Advanced Settings

Click Expand to configure the advanced parameters. Keep the default settings unless otherwise specified.

Table 8-20 OpenVPN server advanced settings

Parameter Description

Specify the TLS key for enhanced OpenVPN security by allowing the
communicating parties to possess the shared key before TLS handshake. After
TLS Authentication
TLS authentication is enabled, you must import the TLS key on the client. (The
version of the peer OpenVPN client must be higher than 2.40.)

299
Web-based Configuration Guide VPN

Parameter Description

Specify whether to enable data compression. If this function is enabled,

Allow Data transmitted data is compressed using the LZO algorithm. Data compression
Compression saves bandwidth but consumes certain CPU resources. The setting on the client
must be the same as that on the server. Otherwise, the connection fails.

Specify whether to route all traffic over VPN. After this function is enabled, all the
Route All Traffic over
traffic is routed over the VPN tunnel. This means that the VPN tunnel is the
VPN
default route.

Select the data encryption mode before data transmission to ensure that even
data packets are intercepted during transmission, the leaked data cannot be
interpreted.

Cipher If this parameter is set to Auto on the server, you can set this parameter to any
option on the client.

If a specific encryption algorithm is configured on the server, you must select the
same encryption algorithm on the client. Otherwise, the connection fails.

Specify the DNS server address pushed by the server to clients. Currently, the
Deliver DNS
device can push the DNS server address to Windows clients only.

Specify the MD5 algorithm used by the server. The server will inform the clients
Auth
of this information. The default value is SHA1.

3. Configuring OpenVPN User

Choose Local Device > VPN > VPN Clients.

Only user accounts added to the VPN client list are allowed to dial up to connect to the OpenVPN server.
Therefore, you need to manually configure user accounts for clients to access the OpenVPN server.

Click Add. In the dialog box that appears, set Service Type to OpenVpn, enter the username and password, and
click OK. The Status parameter specifies whether to enable the user account.

300
Web-based Configuration Guide VPN

8.4.3 Configuring the OpenVPN Client

Choose Local Device > VPN > OpenVPN.

Currently, you can configure the device as the OpenVPN client in either of the following methods:

Web Settings: Configure OpenVPN client on the web page. This method is used when the device is connected
to a non-EG server.

Import Config: Manually import the configuration file. This method is used when the device is connected to a
similar device. The client configuration file client.ovpn can be directly exported from the connected OpenVPN
server.

1. Import Config

Turn on Enable to enable the OpenVPN function, set OpenVPN Type to Client and Client Config to Import
Config, select a server mode, set relevant parameters, and click Browse to import the client configuration file.
Then, click Save to make the configuration take effect.

301
Web-based Configuration Guide VPN

Table 8-21 OpenVPN client configuration in Import Config method

Parameter Description

Select a server authentication mode. The options are Account,

Certificate, Account & Certificate and Pre-Shared Key.

Account: Enter the correct username and password and upload

the CA certificate on the client. The CA certificate information is
embedded in the client configuration file.
Certificate: Upload the CA certificate and client certificate and
Server Mode enter the correct private key on the client. All the information is
embedded in the client configuration file.
Account & Certificate: Enter the correct username, password, and
private key and upload the CA certificate, and client certificate on
the client. The information of the CA certificate, client certificate,
and private key is embedded in the client configuration file.
Pre-Shared Key: Upload the pre-shared key file apart from the
client configuration file.

Username & Password Enter the username and password configured on the server.

Click Browse, select the client configuration file exported from the
Client Config
server, and upload the file.

302
Web-based Configuration Guide VPN

Parameter Description

Pre-Shared Key Click Browse, select the pre-shared key file, and upload the file.

This parameter is available only when Server Mode is set to Pre-

Shared Key.

Workmode NAT: The client can access the server network, but the server cannot
access the client network.

Router: The server can access the client network.

Client Log Click Export to export the client log file.

2. Web Settings

Turn on Enable to enable the OpenVPN function, set OpenVPN Type to Client and Client Config to Web
Settings, configure parameters such as Device Mode and Device Mode, and click Save to make the
configuration take effect.

(1) Basic Settings

303
Web-based Configuration Guide VPN

Table 8-22 OpenVPN client configuration in Web Settings method

Parameter Description

Specify the mode of the EG device that functions as a client. The options are
Device Mode TUN and TAP. The value must be the same as that configured on the server.

When the EG device works as a server, it supports the TUN mode only.

Select a client authentication mode. The options are Account, Certificate, and
Account & Certificate.

Account: Enter the correct username and password and upload the CA
Server Mode certificate on the client.
Certificate: Upload the correct CA certificate, client certificate, and private
key file on the client.
Account & Certificate: Enter the correct username and password, and
upload the CA certificate, client certificate, and private key file on the client.

304
Web-based Configuration Guide VPN

Parameter Description

Select the protocol running on the device. The options are UDP and TCP. The
Protocol
value must be the same as that configured on the server.

Server Address Enter the address or domain name of the server to be connected.

Server Port ID Enter the port number of the server to be connected.

Click Browse, select the CA certificate file with the file name extension .ca, and
CA Certificate
upload the file.

Click Browse, select the client private file with the file name extension .key, and
Client Key
upload the file.

Click Browse, select the client certificate file with the file name extension .crt,
Client Certificate
and upload the file.

Specify the client certificate key if the client certificate provided by the server
Client Certificate Key
(such as the MikroTik server) is encrypted twice.

Client Log Click Export to export the client log file.

(2) Advanced Settings

Click Expand to configure the advanced parameters. Keep the default settings unless otherwise specified.

305
Web-based Configuration Guide VPN

Table 8-23 OpenVPN client configuration in Web Settings method

Parameter Description

Specify whether to verify the server certificate using explicit signature. By

default, this function is enabled.
Use Explicit Signature for
If the server certificate does not use explicit signature, for example, the
Server Certificate
MikroTik server, you need to disable this function. Otherwise, the connection
fails.

Specify whether to enable TLS authentication for the server. If this function is
TLS Authentication
enabled, you need to upload the TLS certificate file.

Select a data compression algorithm. The value must be the same as that
Cipher
configured on the server. Otherwise, the connection fails.

Select an MD5 algorithm for data packet verification. The options are SHA1,
Auth MD5, SHA256, and NULL. The value must be the same as that configured on
the server. Otherwise, the connection fails.

Specify whether to allow data compression. After this function is enabled, the
Allow Data Compression transmitted data can be compressed by using the LZO algorithm. The value
must be the same as that configured on the server.

306
Web-based Configuration Guide VPN

Parameter Description

Specify whether to use the routes pushed by the server. If this function is
Use Route Pushed by
disabled, the device cannot accept the routes pushed by the server. If the
Server
server needs to access LAN devices, you must set this parameter to Yes.

8.4.4 Viewing the OpenVPN Tunnel Information

Choose Local Device > VPN > OpenVPN > Tunnel List.

After the server and client are configured, you can view the OpenVPN tunnel connection status. If the tunnel is
established successfully, the client tunnel information is displayed in the tunnel list of the server.

Table 8-24 OpenVPN tunnel information

Parameter Description

Indicate the username used by the client for identity authentication. By default, the
Username
username displayed on the server is openvpn.

Server/Client Indicate the role of the local end of the tunnel, which can be client or server.

Status Indicate the tunnel establishment status.

Real IP Address Indicate the real IP address used by the local end to connect to the VPN.

Indicate the local virtual IP address of the tunnel. The virtual IP address of the
Virtual IP Address
OpenVPN client is allocated by the OpenVPN server.

8.4.5 Typical Configuration Example

1. Networking Requirements

The enterprise wants to allow the client network to dial up to the server through OpenVPN, implementing mutual
access between the server and client.

307
Web-based Configuration Guide VPN

2. Networking Diagram

WAN WAN
172.26.31.51 172.29.22.210
10.80.12.1 10.80.12.2
Device A VPN Tunnel Device B

192.168.110.0/24 192.168.12.0/24

3. Configuration Roadmap

 Configure Device A as the OpenVPN server.

 Configure Device B as the OpenVPN client.

 The server needs to push the local LAN network segment to the client to allow the client to access the server
in the LAN.

4. Configuration Steps

(1) Configure Device A.

a Log in to the web management system and choose VPN > OpenVPN > OpenVPN to access the OpenVPN
page.

308
Web-based Configuration Guide VPN

b Turn on Enable to enable the OpenVPN function, set OpenVPN Type to Server, select a server mode and
protocol, enter the port number (1194 by default) and server address (external IP address of the local
device), and click Save.

Table 8-25 OpenVPN server configuration

Parameter Description

Select an authentication mode. In this example, select Account.

Server Mode
In scenarios with high security requirements, select Account & Certificate.

Select UDP unless otherwise specified.

Protocol When the network status between two encrypted tunnel ends is poor, such as
high latency or heavy packet loss, select TCP.

Server Address Enter the WAN port address of the server, that is 172.26.31.51.

The default value is 1194. Keep the default value unless otherwise specified. If
Port ID the port is in use of disabled in the current network, change to an available port
number.

309
Web-based Configuration Guide VPN

Parameter Description

Specify the network segment of the OpenVPN address pool. The first available
in the address pool is allocated to the server, and the other addresses are
IP Range
allocated to clients. For example, if this parameter is set to 10.80.12.0/24, the
VPN virtual address of the server is 10.80.12.1.

Add routes to the corresponding network segment if the client wants to the LAN
Deliver Route
network segment where the server resides.

c Click Expand to configure more advanced parameters. If the device connects to other EG devices in the
Reyee network, you are advised to keep the default values for advanced settings. If the device connects
to devices from another vendor, keep the parameter settings consistent on the connected devices.

d Click Export to export the compressed package of the client parameter configuration. Download the
compressed package to the local device and decompress it for setting the OpenVPN client in subsequent
steps.

e Choose VPN > VPN Clients and add an OpenVPN user account.

310
Web-based Configuration Guide VPN

(2) Configure Device B.

a Log in to the web management system and access the OpenVPN page.

b Turn on Enable to enable the OpenVPN function and set OpenVPN Type to Client. Two methods are
available for configuring the client. The Import Config method is recommended.

Import Config:

311
Web-based Configuration Guide VPN

Table 8-26 OpenVPN client configuration in Import Config method

Parameter Description

Client Config Select Import Config.

The value must be the same as that on the server. In this example, select
Server Mode
Account.

Username & Password Enter the username and password configured on the server.

Click Browse, select the client configuration file exported from the server, and
Client Config
upload the file.

Web Settings:

312
Web-based Configuration Guide VPN

Table 8-27 OpenVPN client configuration in Web Settings method

Parameter Description

Client Config Select Web Settings.

Device Mode The value must be the same as that on the server. In this example, select TUN.

The value must be the same as that on the server. In this example, select
Server Mode
Account.

Username &
Enter the username and password configured on the server.
Password

Protocol The value must be the same as that on the server. In this example, select UDP.

Server Address Enter the public network IP address of the server, that is 172.26.31.51.

Server Port ID Enter the port number used by the server, such as 1194.

Import the corresponding files according to the value of Server Mode.

If Server Mode is set to Certificate or Account & Certificate, you need to import the CA certificate file,
client certificate file, and client private key file. If Server Mode is set to Account, you only need to import

313
Web-based Configuration Guide VPN

the CA certificate file. If the client certificate is encrypted, you also need to enter the pre-shared key
specified by Client Certificate Key.

Click Expand to configure more parameters. Configure Use Route Pushed by Server to specify whether
to accept routes pushed by the server. The value must be the same as that on the server. If the client is
connected to a non-EG device, such as MikroTik server outside China, you need to turn off Use Explicit
Signature for Server Certificate.

c After the configuration is completed, click Save to make the configuration take effect.

5. Verifying Configuration

After the server and client are configured, view the two tunnel end information in the tunnel list.

Client:

314
Web-based Configuration Guide VPN

Server:

315
Web-based Configuration Guide Configuring PoE

9 Configuring PoE
Caution

This feature is supported by only the models ending with -P, for example, RG-EG105G-P and RG-EG210G-P.

Choose Local Device > Basics > PoE.

The device supplies power to PoE powered devices through ports. You can check the total power, current
consumption, remaining consumption, and whether PoE power supply status is normal. Move the cursor over a
port. The PoE toggle appears. You can click it to control whether to enable PoE on the port.

316
Web-based Configuration Guide System Management

10 System Management
10.1 Setting the Login Password
Turn off Self-Organizing Network Discovery. Choose System > Login > Login Password.

Turn on Self-Organizing Network Discovery. Choose Network > System > Login Password.

Enter the old password and new password. After saving the configuration, log in again using the new password.

Caution

In the self-organizing network mode, the login password of all devices in the network will be changed
synchronously.

10.2 Setting the Session Timeout Duration

Choose Local Device > System > Login > Session Timeout.

If no operation is performed on the Web page within a period of time, the session is automatically disconnected.
When you need to perform operations again, enter the password to log in again. The default timeout duration is
3600 seconds, that is, 1 hour.

317
Web-based Configuration Guide System Management

10.3 Restoring Factory Settings

10.3.1 Restoring the Current Device to Factory Settings

Choose Local Device > System > Management > Reset.

Click Reset to restore the current device to the factory settings.

Caution

The operation will clear all configuration of the current device. If you want to retain the current configuration,
back up the configuration first. (For details, see Configuring Backup and Import.) Therefore, exercise caution
when performing this operation.

10.3.2 Restoring All Devices to Factory Settings

Choose Network > System > Management > Reset.

Click All Devices, select whether to enable Unbind Account, and click Reset All Devices. All devices in the
network will be restored to factory settings.

318
Web-based Configuration Guide System Management

Caution

The operation will clear all configuration of all devices in the network. Therefore, exercise caution when
performing this operation.

10.4 Configuring Reboot

10.4.1 Rebooting the Current Device

Choose Local Device > System > Reboot > Reboot.

Click Reboot, and the device will be restarted. Please do not refresh or close the page during the reboot process.
After the device is rebooted, the browser will be redirected to the login page.

10.4.2 Rebooting All Devices in the Network

Choose Local Device > System > Reboot > Reboot.

Select All Devices, and click Reboot All Device to reboot all devices in the current network.

Caution

The operation takes some time and affects the whole network. Therefore, exercise caution when performing this
operation.

10.4.3 Rebooting the Specified Device

Choose Local Device > System > Reboot > Reboot.

Click Specified Devices, select required devices from the Available Devices list, and click Add to add devices
to the Selected Devices list on the right. Click Reboot. Specified devices in the Selected Devices list will be
rebooted.

319
Web-based Configuration Guide System Management

10.5 Configuring Scheduled Reboot

Confirm that the system time is accurate to avoid network interruption caused by device reboot at wrong time. For
details about how to configure the system time, see Section 9.6 Setting and Displaying System Time.

Choose System > Reboot > Scheduled Reboot.

Turn on Enable, and select the date and time of scheduled reboot every week. Click Save. When the system time
matches the scheduled reboot time, the device will restart. You are advised to set scheduled reboot time to off-
peak hours.

Caution

The operation affects the whole network. Therefore, exercise caution when performing this operation.

320
Web-based Configuration Guide System Management

10.6 Setting and Displaying System Time

Choose System > System Time.

You can view the current system time. If the time is incorrect, check and select the local time zone. If the time
zone is correct but time is still incorrect, click Edit to manually set the time. In addition, the device supports
Network Time Protocol (NTP) servers. By default, multiple servers serve as the backup of each other. You can
add or delete the local server as required.

Click Current Time, and the current system time will be filled in automatically.

10.7 Configuring Backup and Import

Choose System > Management > Backup & Import.

Configuration backup: Click Backup to download a configuration file locally.

321
Web-based Configuration Guide System Management

Configuration import: Click Browse, select a backup file on the local PC, and click Import to import the
configuration file. The device will restart.

10.8 Configuring LED Status Control

Choose Network > LED.

Turn on Enable and click Save to deliver the configuration.

10.9 Configuring Diagnostics

10.9.1 Network Check

When a network error occurs, perform Network Check to identify the fault and take the suggested action.

Choose Local Device > Diagnostics > Network Check.

Click Start to perform the network check and show the result.

322
Web-based Configuration Guide System Management

If a network error occurs, its symptom and suggested action will be displayed.

10.9.2 Alerts

Choose Network > Alerts.

The Alert List page displays possible problems on the network environment and device. All types of alerts are
followed by default. You can click Unfollow in the Action column to unfollow this type of alert.

323
Web-based Configuration Guide System Management

Caution

After unfollowing a specified alert type, you will not discover and process all alerts of this type promptly.
Therefore, exercise caution when performing this operation.

Click View Unfollowed Alert to view the unfollowed alert. You can follow the alert again in the pop-up window.

10.9.3 Network Tools

1. Ping

Choose Local Device > Diagnostics > Network Tools.

The Ping command is used to detect the network connectivity.

Select Ping as the diagnosis mode, select the IP type, enter the destination IP address or website address,
configure the ping count and packet size, and click Start to test the network connectivity between the device and
the IP address or website. If "Ping failed" is displayed, the device is not reachable to the IP address or website.

324
Web-based Configuration Guide System Management

2. Traceroute

Choose Local Device > Diagnostics > Network Tools.

The Traceroute function is used to identify the network path from one device to another. On a simple network,
the network path may pass through only one routing node or none at all. On a complex network, packets may
pass through dozens of routing nodes before reaching their destination. The traceroute function can be used to
judge the transmission path of data packets during communication.

Select Traceroute as the diagnosis mode, select the IP type, and enter a destination IP address or the maximum
TTL value used by the URL and traceroute, and click Start.

325
Web-based Configuration Guide System Management

3. DNS Lookup

Choose Local Device > Diagnostics > Network Tools.

DNS Lookup is used to query the information of network domain name or diagnose DNS server problems. If the
device can ping through the IP address of the Internet from your web page but the browser cannot open the web
page, you can use the DNS lookup function to check whether domain name resolution is normal.

Select DNS Lookup as the diagnosis mode, enter a destination IP address or URL, and click Start.

326
Web-based Configuration Guide System Management

10.9.4 Packet Capture

Choose Local Device > Diagnostics > Packet Capture.

If the device fails and troubleshooting is required, the packet capture result can be analyzed to locate and rectify
the fault.

Select an interface and a protocol and specify the host IP address to capture the content in data packets. Select
the file size limit and packet count limit to determine the conditions for automatically stopping packet capture. (If
the file size or number of packets reaches the specified threshold, packet capture stops and a diagnostic package
download link is generated.) Click Start to execute the packet capture command.

Caution

The packet capture operation may occupy many system resources, causing network freezing. Therefore,
exercise caution when performing this operation.

327
Web-based Configuration Guide System Management

Packet capture can be stopped at any time. After that, a download link is generated. Click this link to save the
packet capture result in the PCAP format locally. Use analysis software such as Wireshark to view and analyze
the result.

10.9.5 Fault Collection

Choose Local Device > Diagnostics > Fault Collection.

328
Web-based Configuration Guide System Management

When the device fails, you need to collect the fault information. Click Start. The configuration files of the device
will be packed into a compressed file. Download the compressed file locally and provide it to R&D personnel for
fault locating.

10.10 Performing Upgrade and Checking System Version

Caution
You are advised to back up the configuration before upgrading the router.

Version upgrade will restart the device. Do not refresh or close the browser during the upgrade process.

10.10.1 Online Upgrade

Choose Local Device > System > Upgrade > Online Upgrade.

The current page displays the current system version and allows you to detect whether a later version is available.
If a new version is available, click Upgrade Now to perform online upgrade. If the network environment does not
support online upgrade, click Download File to download the upgrade installation package locally and then
perform local upgrade.

Note
Online upgrade will retain the current configuration.

Do not refresh the page or close the browser during the upgrade process. After successful upgrade, you will be
redirected to the login page automatically.

329
Web-based Configuration Guide System Management

10.10.2 Local Upgrade

Choose Local Device > System > Upgrade > Local Upgrade.

You can view the current software version and device model. If you want to upgrade the device with the
configuration retained, select Keep Config. Click Browse, select an upgrade package on the local PC, and click
Upload to upload the file. The device will be upgraded.

10.11 Switching System Language

Click in the upper-right corner of the Web page.

Click a required language to switch the system language.

330
Web-based Configuration Guide FAQs

11 FAQs
11.1 Login Failure
 What can I do if I fail to log in to the Web management system?

(1) Confirm that the network cable is correctly connected to the LAN port of the device, and the corresponding
indicator is flashing or solid on.

(2) Before you access the Web management system page, you are advised to configure the PC to automatically
obtain an IP address, so the DHCP-enabled device automatically allocates an IP address to the PC. If you
want to specify a static IP address to the PC, ensure that the IP address of the PC and the IP address of the
device's LAN port are in the same network segment. For example, if the LAN port IP address is 192.168.110.1
and subnet mask is 255.255.255.0, set the PC IP address to 192.168.110.X (X representing any integer in the
range of 2 to 254) and the subnet mask to 255.255.255.0.

(3) Run the ping command to test the connectivity between the PC and device. If ping fails, check the network
settings.

(4) If you still cannot log in to the Device Management page after the preceding steps, restore the device to
factory settings.

11.2 Password Loss/Factory Setting Restoration

 What can I do if I forget the login password? How can I restore the device to factory settings?

When the device is powered, press and hold the Reset button on the panel for 5 seconds. The device will restore
factory settings after restart. Then, you can log in to the Web page of the device using the default IP address
192.168.110.1.

11.3 Internet Access Failure

 What can I do if the Internet access through PPPoE Dial-Up fails?

(1) Check whether the PPPoE account and password are correct. Please see Section 1.5.3 Forgetting the PPPoE
Account for details.

(2) Check whether the IP address allocated by the ISP conflicts with the IP address existing on the router.

(3) Check whether the MTU setting of the device meets the requirements of the ISP.

The default MTU is 1500. Please see Section 3.2.3 Modifying the MTU for details.

(4) Check whether VLAN tagging should be configured for PPPoE.

VLAN tagging is disabled by default. Please see Section 3.2.5 Configuring the VLAN Tag for details.

331