TP-LINK TL-ER6020 User's Guide

TL-ER6020 SafeStreamTM Gigabit Dual-WAN VPN Router Rev: 1.0.0 1910010695

-5-  Dual-WAN Ports + Providing two 10/100/1000M WAN ports for users to connect two Internet lines for bandwidth expansion. + Supporting multiple Lo

-95- Figure 3-63 L2TP/PPTP Tunnel The following items are displayed on this screen:  General Enable VPN-to-Internet: Specify whether to enable VPN

-96- Account Name: Enter the account name of L2TP/PPTP tunnel. It should be configured identically on server and client. Password: Enter the passwo

-97- Remote Subnet: Enter the IP address range of your remote network. (It's always the IP address range of LAN on the remote peer of VPN tunnel

-98- In this table, you can view the information of IP Pools and edit them by the action buttons. 3.5.3.3 List of L2TP/PPTP Tunnel This page display

-99- Figure 3-66 General The following items are displayed on this screen:  General PPPoE Server: Specify whether to enable the PPPoE Server funct

-100- Idle Timeout: Enter the maximum idle time. The session will be terminated after it has been inactive for this specified period. It can be 0-100

-101- Figure 3-67 IP Address Pool The following items are displayed on this screen:  IP Address Pool Pool Name: Specify a unique name to the IP Ad

-102- Figure 3-68 Account The following items are displayed on this screen:  Account Account Name: Enter the account name. This name should not be

-103- Description: Enter the description for management and search purposes. Up to 28 characters can be entered. Status: Activate or inactivate the e

-104- The following items are displayed on this screen:  Exceptional IP IP Address Range: Specify the start and the end IP address to make an excep

-6-  Supports Diagnostic (Ping/Tracert) and Online Detection VPN  Supports IPsec VPN and provides up to 50 IPsec VPN tunnels  Supports IPSec VP

-105- Figure 3-71 E-Bulletin The following items are displayed on this screen:  General Enable E-Bulletin: Specify whether to enable electronic bu

-106- Content: Enter the content of the bulletin. Object: Select the object of this bulletin. Options include:  ANY: The bulletin will be released

-107- latest IP address, the server will update the mappings between the domain name and IP address in DNS database. Therefore, the users can use the

-108- Domain Name: Enter the Domain Name that you registered with your DDNS service provider. DDNS Service: Activate or inactivate DDNS service here.

-109- Account Name: Enter the Account Name of your DDNS account. If you have not registered, click <Go to register> to go to the website of No-

-110- Figure 3-74 PeanutHull DDNS The following items are displayed on this screen:  PeanutHull DDNS Account Name: Enter the Account Name of your

-111- Domain Name: Displays the domain names obtained from the DDNS server. Up to 16 domain names can be displayed here.  List of PeanutHull Accoun

-112- DDNS Status: Displays the current status of DDNS service  Offline: DDNS service is disabled.  Connecting: client is connecting to the serve

-113-  General UPnP Function: Enable or disable the UPnP function globally.  List of UPnP Mapping After UPnP is enabled, all UPnP connection rul

-114- New User Name: Enter a new user name for the Router. New Password: Enter a new password for the Router. Confirm New Password: Re-enter the new

-7-  LEDs LED Status Indication On The Router is powered on PWR Off The Router is powered off or power supply is abnormal Flashing The Router w

-115- Telnet Idle Timeout: Enter a timeout period that the Router will log the remote PCs out of the Web-based Utility after a specified period (Te

-116- Application Example Network Requirements Allow the IP address within 210.10.10.0/24 segment to manage the Router with IP address of 210.10.10.5

-117- Figure 3-81 Export and Import The following items are displayed on this screen:  Configuration Version Displays the current Configuration ve

-118- Figure 3-82 Reboot Click the <Reboot> button to reboot the Router. The configuration will not be lost after rebooting. The Internet co

-119- Figure 3-84 License 3.7.4 Statistics 3.7.4.1 Interface Traffic Statistics Interface Traffic Statistics screen displays the detailed traffic

-120- Interface: Displays the interface. Rate Rx： Displays the rate for receiving data frames. Rate Tx: Displays the rate for transmitting data fram

-121- Figure 3-86 IP Traffic Statistics The following items are displayed on this screen:  General Enable IP Traffic Statistics: Allows you to ena

-122- Figure 3-87 Diagnostics The following items are displayed on this screen:  Ping Destination IP/Domain: Enter destination IP address or Doma

-123- of destination automatically. After clicking the <Start> button, the Router will send Tracert packets to test the connectivity of the gat

-124- WAN Status: Display the detecting results. 3.7.6 Time System Time is the time displayed while the Router is running. On this page you can con

-8- 2.3.2 Rear Panel The rear panel of TL-ER6020 is shown as the following figure.  Power Socket Connect the female connector of the power cord to

-125- Note: ● If Get GMT function cannot be used properly, please add an entry with UDP port of 123 to the firewall software of the PC. ● The tim

-126- The Logs of switch are classified into the following eight levels. Severity Level Description Emergency 0 The system is unusable. Alert 1 Act

-127- Chapter 4 Application 4.1 Network Requirements The company has established the server farms in the headquarters to provide the Web, Mail and

-128- 4.2 Network Topology 4.3 Configurations You can configure the Router via the PC connected to the LAN port of this Router. To log in to the R

-129- 4.3.1.1 System Mode Set the system mode of the Router to the NAT mode. Choose the menu Network→System Mode to load the following page. Select

-130- Figure 4-3 Link Backup 4.3.2 VPN Setting To enable the hosts in the remote branch office (WAN: 116.31.85.133, LAN: 172.31.10.1) to access the

-131- Authentication: MD5 Encryption: 3DES DH Group: DH2 Click the <Add> button to apply. Figure 4-4 IKE Proposal  IKE Policy Choose the me

-132- Figure 4-5 IKE Policy Tips: For the VPN Router in the remote branch office, the IKE settings should be the same as the Router in the headquart

-133- ESP Encryption: 3DES Click the <Save> button to apply. Figure 4-6 IPsec Proposal  IPsec Policy Choose the menu VPN→IPsec→IPsec Policy

-134- Figure 4-7 IPsec Policy Tips: For the VPN Router in the remote branch office, the IPsec settings should be consistent with the Router in the h

-9- Chapter 3 Configuration 3.1 Network 3.1.1 Status The Status page shows the system information, the port connection status and other informatio

-135-  L2TP/PPTP Tunnel Choose the menu VPN→L2TP/PPTP→L2TP/PPTP Tunnel to load the following page. Check the box of Enable VPN-to-Internet to allo

-136- 4.3.3 Network Management To manage the enterprise network effectively and forbid the Hosts within the IP range of 192.168.0.30-192.168.0.50 t

-137- Choose the menu User Group→User to load the configuration page. Click the <Batch> button to enter the batch processing screen. Then cont

-138- Application: Click the <Application List> button and select the applications desired to be blocked on the popup window.Status: Activat

-139- Figure 4-12 Bandwidth Setup 2) Interface Bandwidth Choose the menu Network→WAN→WAN1 to load the configuration page. Configure the Upstream Ban

-140- Figure 4-14 Bandwidth Control Rule 4.3.3.4 Session Limit Choose the menu Advanced→Session Limit→Session Limit to load the configuration page.

-141- 4.3.4.1 LAN ARP Defense You can configure IP-MAC Binding manually or by ARP Scanning. For the first time configuration, please bind most of th

-142- Choose the menu Firewall→Anti ARP Spoofing→IP-MAC Binding to load the configuration page. To add the host with IP address of 192.168.1.20 and M

-143- 4.3.4.3 Attack Defense Choose the menu Firewall→Attack Defense→Attack Defense to load the configuration page. Select the options desired to be

-144- Figure 4-21 Port Mirror 2) Statistics Choose the menu Maintenance→Statistics to load the page. Load the Interface Traffic Statistics page to v

-10- Figure 3-2 Network Topology - NAT Mode If your Router is connecting the two networks of different areas in a large network environment with a n

-145- Figure 4-23 IP Traffic Statistics After all the above steps, the enterprise network will be operated based on planning.

-146- Chapter 5 CLI TL-ER6020 provides a Console port for CLI (Command Line Interface) configuration, which enables you to configure the Router by a

-147- Figure 5-2 Connection Description 4. Select the port (The default port is COM1) to connect in Figure 5-3, and click OK. Figure 5-3 Select th

-148- Figure 5-4 Port Settings 6. Choose File → Properties → Settings on the Hyper Terminal window as Figure 5-5 shows, then choose VT100 or Auto de

-149- 7. The DOS prompting “TP-LINK>” will appear after pressing the Enter button in the Hyper Terminal window as Figure 5-6 shows. Figure 5-6 L

-150- Mode Accessing Path Prompt Logout or Access the next mode User EXEC Mode Primary mode once it is connected with the Router. TP-LINK > Use

-151- enable - Enter the privileged mode exit - Exit the CLI (only for telnet) history - Show command history ip - Display or Set the IP

-152- 5.4 Command Introduction TL-ER6020 provides a number of CLI commands for users to manage the Router and user information. For better understan

-153- 5.4.3 sys The sys command is used for system management, including Backup and Restore, Factory Default, Reboot, Firmware Upgrade and so on. T

-154- ● Pay special attention that the specified account must be with appropriate permissions since the functions such as export, import and firmwar

-11- Figure 3-4 Network Topology – Classic Mode Choose the menu Network→System Mode to load the following page. Figure 3-5 System Mode You can sele

-155- TP-LINK > user get Username: admin Password: admin Query the user name and password of the current Guest. TP-LINK > user set passwor

-156- TP-LINK > history 1. history 2. sys show 3. history View the history command. TP-LINK > history clear 1. history 2. sys show 3

-157- Appendix A Hardware Specifications Standards IEEE 802.3, IEEE 802.3u, IEEE 802.3ab, IEEE 802.3x, TCP/ IP, DHCP, ICMP, NAT、PPPoE, SNTP, HTTP, DN

-158- Appendix B FAQ Q1. What can I do if I cannot access the web-based configuration page? 1. For the first login, please try the following steps:

-159- Q3: What can I do if the Router with the remote management function enabled cannot be accessed by the remote computer? 1. Make sure that t

-160- Appendix C Glossary Glossary Description DSL (Digital Subscriber Line) A technology that allows data to be sent or received over existing tr

-161- Glossary Description H.323 H.323 allows dissimilar communication devices to communicate with each other by using a standardized communicatio

-162- Glossary Description MAC address（Media Access Control address） Standardized data link layer address that is required for every port or devic

-163- Glossary Description Telnet（Telecommunication Network protocol） Telnet is used for remote terminal connection, enabling users to log in to r

-12-  Non-NAT Mode In this mode, the Router functions as the traditional Gateway and forwards the packets via routing protocol. The Hosts in differ

-13- Figure 3-6 WAN – Static IP The following items are displayed on this screen:  Static IP Connection Type: Select Static IP if your ISP has a

-14- Upstream Bandwidth: Specify the bandwidth for transmitting packets on the port. Downstream Bandwidth: Specify the bandwidth for receiving packet

-I- COPYRIGHT & TRADEMARKS Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Oth

-15-  Dynamic IP Connection Type: Select Dynamic IP if your ISP assigns the IP address automatically. Click <Obtain> to get the IP address

-16-  Dynamic IP Status Status: Displays the status of obtaining an IP address from your ISP.  “Disabled” indicates that the Dynamic IP connectio

-17- Figure 3-8 WAN - PPPoE

-18- The following items are displayed on this screen:  PPPoE Settings Connection Type: Select PPPoE if your ISP provides xDSL Virtual Dial-up co

-19- ISP Address: Optional. Enter the ISP address provided by your ISP. It's null by default. Service Name: Optional. Enter the Service Name pro

-20-  PPPoE Status Status: Displays the status of PPPoE connection.  “Disabled” indicates that the PPPoE connection type is not applied.  “Co

-21- Figure 3-9 WAN - L2TP The following items are displayed on this screen:  L2TP Settings Connection Type: Select L2TP if your ISP provides a

-22- Account Name: Enter the Account Name provided by your ISP. If you are not clear, please consult your ISP. Password: Enter the Password provided

-23- Primary DNS/ Secondary DNS: If Static IP is selected, configure the DNS. If Dynamic IP is selected, the obtained DNS is displayed. Upstream Ba

-24- 5) PPTP If your ISP (Internet Service Provider) has provided the account information for the PPTP connection, please choose the PPTP connection

-II- CONTENTS Package Contents...1 Cha

-25- <Disconnect> to disconnect the Internet connection and release the current IP address. Account Name: Enter the Account Name provided by

-26- Primary DNS/ Secondary DNS: If Static IP is selected, configure the DNS. If Dynamic IP is selected, the obtained DNS is displayed. Upstream Ba

-27- Figure 3-11 WAN – Bigpond The following items are displayed on this screen:  BigPond Settings Connection Type: Select BigPond if your ISP p

-28- Auth Domain: Enter the domain name of authentication server. It's only required when the address of Auth Server is a server name. Auth Mode

-29- Default Gateway: Displays the IP address of the default gateway assigned by your ISP. Note: To ensure the BigPond connection re-established norm

-30- Choose the menu Network→LAN→DHCP to load the following page. Figure 3-13 DHCP Settings The following items are displayed on this screen:  D

-31- Primary DNS: Optional. Enter the Primary DNS server address provided by your ISP. It is recommended to enter the IP address of the LAN port of t

-32-  DHCP Reservation MAC Address: Enter the MAC address of the computer for which you want to reserve the IP address. IP Address: Enter the res

-33- Figure 3-16 DMZ – Public Mode In Private mode, the DMZ port allows the Hosts in DMZ to access Internet via NAT mode which translates private IP

-34- Figure 3-18 DMZ The following items are displayed on this screen:  DMZ Status: Activate or inactivate this entry. The DMZ port functions a

-III- 3.3.3 Session Limit ...58 3.3.4 Load

-35- Set the MAC Address for LAN port: In a complex network topology with all the ARP bound devices, if you want to use TL-ER6020 instead of the curr

-36- MAC Clone: It’s only available for WAN port. Click the <Restore Factory MAC> button to restore the MAC address to the factory default valu

-37- The following items are displayed on this screen:  Statistics Unicast: Displays the number of normal unicast packets received or transmitted o

-38- Choose the menu Network→Switch→Port Mirror to load the following page. Figure 3-21 Port Mirror The following items are displayed on this screen

-39- The entry in Figure 3-21 indicates: The outgoing packets sent by port 1, port 2, port 3 and port 5 (mirrored ports) will be copied to port 4 (mi

-40- Figure 3-22 Rate Control The following items are displayed on this screen:  Rate Control Port: Displays the port number. Ingress Limit: Spe

-41- Figure 3-23 Port Config The following items are displayed on this screen:  Port Config Status: Specify whether to enable the port. The packet

-42- 3.1.7.6 Port VLAN A VLAN (Virtual Local Area Network) is a network topology configured according to a logical scheme rather than the physical l

-43- 3.2.1 Group On this page you can define the group for management. Choose the menu User Group→Group to load the following page. Figure 3-26 G

-44-  User Config User Name: Specify a unique name for the user. IP Address: Enter the IP Address of the user. It cannot be the network address or

-IV- 4.2 Network Topology...128 4.3 Con

-45- User Name: Select the name of the desired User. Available Group: Displays the Groups that the User can join. Selected Group: Displays the Groups

-46- The following items are displayed on this screen:  NAPT Source Port Range: Enter the source port range between 2049 and 65000, the span of whi

-47- Interface: Select an interface for forwarding data packets. DMZ Forwarding: Enable or disable DMZ Forwarding. The packets transmitted to the Tra

-48- Subnet/Mask: Enter the subnet/mask to make the address range for the entry. Interface: Select the interface for the entry. You can select LAN or

-49- Configuration procedure 1. Establish the Multi-Nets NAT entries with Subnet/Mask of VLAN2 and VLAN3. The configured entries are as follows:

-50- Choose the menu Advanced→Routing→Static Route to load the following page. The Static Route entry is as follows: 3.3.1.4 Virtual Server Virtua

-51- Figure 3-32 Virtual Server The fo layed Virtual Server entries. Up to 28 characters can be Interface: Select an interface for forwarding dat

-52- Note: ● The External port and Internal Port should be set in the range of 1-65535. ● The external ports of different entries should be diffe

-53- p to 28 characters can be entered. Interface: Select an interface for forwarding data packets. Trigger Port: Enter the trigger port number or th

-54- 3.3.1.6 Some special protocols such as (Application Layer Gateway) service is enabled. Choose the menu Advanced→NAT→ALG to load the following p

-1- Package Contents The following items should be found in your package:  One TL-ER6020 Router  One Power Cord  One Console Cable  Two mounti

-55- 3.3.2.1 Setup Choose the menu Advanced→Traffic Control→Setup to load the following page. Figure 3-35 Configuration The following items are dis

-56-  Interface B ndwidth Interface: tal bandwidth is equal to Bandwidth: e Downstream Bandwidth of WAN port can be configured on WAN page. aDispla

-57-  Band Rule Direction: WAN port cannot be selected if Mode: h user equals to the current addresses d Bandwidth Specify the Guaranteed Upstrea

-58- Note: ● The premise for single rule taking effect is that the bandwidth of the interface for this rule is sufficient and not used up. ● It i

-59-  Session Limit ion: Status: Activate or inactivate the entry. ssions for the hosts within group1 ed. Limit. Choose the menu Advanced→Sessio

-60- Figure 3-39 Configuration With the box before Enable Application Optimized Routing checked, the Router will consider the source IP address and

-61- The following items are displa is screen:  Generalyed on th Protocol: Select the protocol for the entry in the drop-down list. If the protoco

-62- On this page, you can configure the Link Backup function based on actual need to reduce the traffic burden of WAN port and improve the network e

-63- Timing: Link Backup will be enabled if the specified effective time is reached. All the traffic on the primary WAN will switch to the backup WAN

-64- Figure 3-42 Protocol The following items are displayed on this screen:  Protocol Name: Enter a name to indicate a protocol. The name will di

-2- Chapter 1 About this Guide This User Guide contains information for setup and management of TL-ER6020 Router. Please read this guide carefully b

-65- Choose the menu Advanced→Routing→Static Route to load the following page. Figure 3-43 Static Route The following items are displayed on this sc

-66- The first entry in Figure 3-43 indicates: If there are packets being sent to a device with IP address of 211.162.1.0 and subnet mask of 255.255.

-67- The distance of RIP refers to the hop counts that a data packet passes through before reaching its destination, the value range of which is 1–15

-68- Authentication: network situation, and the password should not be more than 15 characters. All Interfaces: Here you can operate all the interfac

-69- Flags: The Flags of route entry. The Flags describe certain characteristics of the route. Logical Interface: The logical interface of route entr

-70- Figure 3-46 IP-MAC Binding The following items are displayed on this screen:  General It is recommended to check all the options. You should

-71- You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-46 indicates: The IP address of 192

-72- Indicates that the IP and MAC address of this entry are already bound. To bind the entries in the list, check these entries and click the <I

-73- Figure 3-49 Attack Defense The following items are displayed on this screen:  General Flood Defense: Flood attack is a commonly used DoS (De

-74- Packet Anomaly Defense: Packet Anomaly refers to the abnormal packets. It is recommended to select all the Packet Anomaly Defense options. Enabl

-3- Appendix A Hardware Specifications Lists the hardware specifications of this Router. Appendix B FAQ Provides the possible solutions to the prob

-75-  List of Rules You can view the information of the entries and edit them by the Action buttons. 3.4.4 Access Control 3.4.4.1 URL Filtering

-76-  Group: URL Filtering will take effect to all the users in group.Mode: Select the mode for URL Filtering. “Keyword’’ indicates that all the UR

-77- 3.4.4.2 Web Filtering On this page, you can filter the desired web components. Choose the menu Firewall→Access Control→Web Filtering to load th

-78- Policy: Select a policy for the entry:  Block: When this option is selected, the packets obeyed the rule will not be permitted to pass through

-79- Priority: Select this option to specify the priority for the added entries. The latest enabled entry will be displayed at the end of the list by

-80- Figure 3-54 Service The following items are displayed on this screen:  Service Name: Enter a name for the service. The name should not be mo

-81- 3.4.5 App Control 3.4.5.1 Control Rules On this page, you can enable the Application Rules function. Choose the menu Firewall→App Control→Cont

-82- Application: Click the <Application List> button to select applications from the popup checkbox. The applications include IM, Web IM, SNS,

-83- 3.5 VPN VPN (Virtual Private Network) is a private network established via the public network, generally via the Internet. However, the private

-84- 3.5.1.1 IKE Policy On this page you can configure the related parameters for IKE negotiation. Choose the menu VPN→IKE→IKE Policy to load the

-4- Chapter 2 Introduction Thanks for choosing the SafeStreamTM Gigabit Dual-WAN VPN Router TL-ER6020. 2.1 Overview of the Router The SafeStreamTM

-85- Exchange Mode: Select the IKE Exchange Mode in phase 1, and ensure the remote VPN peer uses the same mode.  Main: Main mode provides identity

-86- DPD Interval: Enter the interval after which the DPD is triggered.  List of IKE Policy In this table, you can view the information of IKE Poli

-87- Encryption: Specify the encryption algorithm for IKE negotiation. Options include:  DES: DES (Data Encryption Standard) encrypts a 64-bit bloc

-88- 3.5.2.1 IPsec Policy On this page, you can define and edit the IPsec policy. Choose the menu VPN→IPsec→IPsec Policy to load the following pag

-89- Mode: Select the network mode for IPsec policy. Options include:  LAN-to-LAN: Select this option when the client is a network.  Client-to-LA

-90- Phase2. As it is independent of the key created in Phase1, this key can be secure even when the key in Phase1 is de-encrypted. Without PFS, the

-91- AH Authentication Key-Out: Specify the outbound AH Authentication Key manually if AH protocol is used in the corresponding IPsec Proposal. The o

-92- Figure 3-61 IPsec Proposal The following items are displayed on this screen:  IPsec Proposal Proposal Name: Specify a unique name to the IP

-93- ESP Authentication: Select the algorithm used to verify the integrity of the data for ESP authentication. Options include:  MD5: MD5 (Message

-94- outgoing SPI value are different. However, the Incoming SPI value must match the Outgoing SPI value at the other end of the tunnel, and vice ver