TP-LINK TL-ER6120 User Manual

TL-ER6120 Multi-WAN VPN Router Rev: 1.0.0 1910010516

-5- z Multi-WAN Ports + Providing three adjustable 10/100/1000M WAN/LAN ports for users to configure the amount of WAN ports based on need and connec

-95- for ESP authentication. Options include: z MD5: MD5 (Message Digest Algorithm) takes a message of arbitrary length and generates a 128-bit mess

-96- and the default gateway of remote peer are 172.30.70.151 and 172.30.70.161 respectively. Security protocol and other parameters for IPsec tunnel

-97- Figure 3-62 L2TP/PPTP Tunnel The following items are displayed on this screen: ¾ General Enable VPN-to-Internet: Specify whether to enable VPN

-98- tunnel. z Server: In this mode, the Router responds the request from the remote client for establishing a tunnel. Account Name: Enter the ac

-99- IP Pool: Select the IP Pool Name to specify the address range for the server's IP assignment. This item is available for Server mode. Remo

-100- IP Address Range: Specify the start and the end IP address for IP Pool. The start IP address should not exceed the end address and the IP range

-101- 3.6.1.1 General On this page, you can configure PPPoE function globally. Choose the menu Services→PPPoE Server→General to load the following

-102- Idle Timeout: Enter the maximum idle time. The session will be terminated after it has been inactive for this specified period. It can be 0-100

-103- Figure 3-66 IP Address Pool The following items are displayed on this screen: ¾ IP Address Pool Pool Name: Specify a unique name to the IP Ad

-104- Figure 3-67 Account The following items are displayed on this screen: ¾ Account Account Name: Enter the account name. This name should not be

-6- ¾ Supports to change the MAC address of LAN, WAN, DMZ port ¾ Supports Logs, Statistics, Time setting ¾ Supports Remote and Web management ¾ S

-105- Status: Activate or inactivate the entry. MAC Binding: Select a MAC Binding type from the pull-down list. Options include: z Disable: Select t

-106- IP Address Range: Specify the start and the end IP address to make an exceptional IP address range. This range should be in the same IP range w

-107- Figure 3-70 E-Bulletin The following items are displayed on this screen: ¾ General Enable E-Bulletin: Specify whether to enable electronic bu

-108- Content: Enter the content of the bulletin. Object: Select the object of this bulletin. Options include: z ANY: The bulletin will be released

-109- DNS database. Therefore, the users can use the same domain name to access the DDNS client even if the IP address of the DDNS client has changed

-110- DDNS Status: Displays the current status of DDNS service z Offline: DDNS service is disabled. z Connecting: client is connecting to the serv

-111- DDNS Status: Displays the current status of DDNS service z Offline: DDNS service is disabled. z Connecting: client is connecting to the serv

-112- DDNS Status: Displays the current status of DDNS service z Offline: DDNS service is disabled. z Connecting: client is connecting to the serv

-113- Domain Name 1: Enter the Domain Name that you registered with your DDNS service provider. Domain Name 2: Optional. Enter the Domain Name that

-114- Figure 3-75 UPnP The following items are displayed on this screen: ¾ General UPnP Function: Enable or disable the UPnP function globally. ¾

-7- z LEDs LED Status Indication On The Router is powered on PWR Off The Router is powered off or power supply is abnormal Flashing The Router

-115- Figure 3-76 Password The following items are displayed on this screen: ¾ Administrator Current User Name: Enter the current user name of the

-116- ¾ General Web Management Port: Enter the Web Management Port for the Router. Telnet Management Port: Enter the Telnet Management Port for th

-117- 3.7.1.3 Remote Management On this page you can configure the Remote Management function. This feature allows managing your Router from a remot

-118- 3.7.2.2 Export and Import Choose the menu Maintenance→Management→Export and Import to load the following page. Figure 3-80 Export and Import

-119- Figure 3-81 Reboot Click the <Reboot> button to reboot the Router. The configuration will not be lost after rebooting. The Internet co

-120- Figure 3-83 License 3.7.4 Statistics 3.7.4.1 Interface Traffic Statistics Interface Traffic Statistics screen displays the detailed traffic

-121- Rate Rx： Displays the rate for receiving data frames. Rate Tx: Displays the rate for transmitting data frames. Packets Rx: Displays the numbe

-122- Direction: Select the direction in the drop-down list to get the Flow Statistics of the specified direction. ¾ IP Traffic Statistics This t

-123- Figure 3-86 Diagnostics The following items are displayed on this screen: ¾ Ping Destination IP/Domain: Enter destination IP address or Doma

-124- ¾ Tracert Destination IP/Domain: Enter destination IP address or Domain name here. Then select a port for testing, if Auto is selected, the R

-8- press and hold the Reset button (about 4~5 seconds). After the SYS LED goes out, release the Reset button. If the SYS LED is flashing with a high

-125- DNS Lookup: Enter the IP address of DNS server in Manual mode. 0.0.0.0 means DNS Lookup is disabled. ¾ List of WAN status Port: Displays the

-126- Get GMT: When this option is selected, you can configure the time zone and the IP Address for the NTP Server. The Router will get GMT automati

-127- Send System Logs: Select Send System Logs and specify the server IP, then the new added logs will be sent to the specified server. The Logs of

-128- Chapter 4 Application 4.1 Network Requirements The company has established the server farms in the headquarters to provide the Web, Mail and

-129- 4.2 Network Topology 4.3 Configurations You can configure the Router via the PC connected to the LAN port of this Router. To log in to the R

-130- 4.3.1.1 System Mode Set the system mode of the Router to the NAT mode. Choose the menu Network→System Mode to load the following page. Select

-131- Figure 4-3 WAN – Static IP 4.3.1.4 Link Backup Set the connection of WAN1 as the primary link, the connection of WAN 2 as the secondary lin

-132- 4.3.2 VPN Setting To enable the hosts in the remote branch office (WAN: 116.31.85.133, LAN: 172.31.10.1) to access the servers in the headqua

-133- Policy Name: IKE_1 Exchange Mode: Main IKE Proposal: proposal_IKE_1 (you just created) Pre-shared Key: aabbccddee SA Lifetime: 3600 DPD: E

-134- the headquarters. 2) IPsec Setting To configure the IPsec function, you should create an IPsec Proposal firstly. z IPsec Proposal Choose t

-9- Chapter 3 Configuration 3.1 Network 3.1.1 Status The Status page shows the system information, the port connection status and other informatio

-135- WAN: WAN1 Remote Gateway: 116.31.85.133 Exchange Mode IKE IKE Policy: IKE_1 IPsec Proposal: proposal_IPsec_1 (you just created) PFS: DH1 SA

-136- After the IPsec VPN tunnel of the two peers is established successfully, you can view the connection information on the VPN→IPsec→IPsec SA page

-137- Tunnel: Client-to-LAN IP Pool: PPTP_Dialup_User (you just created) Click the <Save> button to apply. 4.3.3 Network Management To manag

-138- Figure 4-11 Group Config z User Choose the menu User Group→User to load the configuration page. Click the <Batch> button to enter the

-139- 4.3.3.2 App Control Choose the menu Firewall→App Control→Control Rules to load the configuration page. Check the box before Enable Application

-140- Figure 4-14 Bandwidth Setup 2) Interface Bandwidth Choose the menu Network→WAN→WAN1 to load the configuration page. Configure the Upstream Ban

-141- Figure 4-16 Bandwidth Control Rule 4.3.3.4 Session Limit Choose the menu Advanced→Session Limit→Session Limit to load the configuration page.

-142- 4.3.4.1 LAN ARP Defense You can configure IP-MAC Binding manually or by ARP Scanning. For the first time configuration, please bind most of th

-143- Choose the menu Firewall→Anti ARP Spoofing→IP-MAC Binding to load the configuration page. To add the host with IP address of 192.168.1.20 and M

-144- 4.3.4.3 Attack Defense Choose the menu Firewall→Attack Defense→Attack Defense to load the configuration page. Select the options desired to be

-10- Figure 3-1 Status 3.1.2 System Mode The TL-ER6120 Router can work in three modes: NAT, Non-NAT and Classic. If your Router is hosting your loc

-145- Figure 4-23 Port Mirror 2) Statistics Choose the menu Maintenance→Statistics to load the page. Load the Interface Traffic Statistics page to v

-146- Figure 4-25 IP Traffic Statistics After all the above steps, the enterprise network will be operated based on planning.

-147- Chapter 5 CLI TL-ER6120 provides a Console port for CLI (Command Line Interface) configuration, which enables you to configure the Router by a

-148- Figure 5-2 Connection Description 4. Select the port (The default port is COM1) to connect in Figure 5-3, and click OK. Figure 5-3 Select th

-149- Figure 5-4 Port Settings 6. Choose File → Properties → Settings on the Hyper Terminal window as Figure 5-5 shows, then choose VT100 or Auto de

-150- 7. The DOS prompting “TP-LINK>” will appear after pressing the Enter button in the Hyper Terminal window as Figure 5-6 shows. Figure 5-6 L

-151- port). Use the enable command to access Privileged EXEC mode. Privileged EXEC Mode Use the enable command to enter this mode from User EXEC mo

-152- ip - Display or Set the IP configuration ip-mac - Display or Set the IP mac bind configuration sys - System manager user - User con

-153- 5.4.1 ip The ip command is used to view or configure the IP address and subnet mask of the interfaces. View command can be used in both User E

-154- TP-LINK # sys reboot This command will reboot system, Continue?[Y/N] Reboot the system. Y means YES, N means NO. TP-LINK # sys restore

-11- Figure 3-2 Network Topology - NAT Mode If your Router is connecting the two networks of different areas in a large network environment with a n

-155- TP-LINK # sys import config Server address: [192.168.1.101] Username: [admin] Password: [admin] File name: [config.bin] Import the conf

-156- TP-LINK > user set password Enter old password: Enter new password: Confirm new password: Modify the password of the Guest. TP-LIN

-157- TP-LINK > history 1. history 2. sys show 3. history View the history command. TP-LINK > history clear 1. history 2. sys show 3

-158- Appendix A Hardware Specifications Standards IEEE 802.3、IEEE 802.3u、IEEE 802.3x、TCP/ IP、DHCP、ICMP、NAT、PPPoE、SNTP、HTTP、DNS、L2TP、PPTP、IPsec One

-159- Appendix B FAQ Q1. What can I do if I cannot access the web-based configuration page? 1. For the first login, please try the following steps:

-160- Q3: What can I do if the Router with the remote management function enabled cannot be accessed by the remote computer? 1. Make sure that t

-161- Appendix C Glossary Glossary Description DSL (Digital Subscriber Line) A technology that allows data to be sent or received over existing t

-162- Glossary Description H.323 H.323 allows dissimilar communication devices to communicate with each other by using a standardized communicatio

-163- Glossary Description structures. MAC addresses are 6 bytes long and are controlled by the IEEE. MTU（Maximum Transmission Unit） The size in b

-164- Glossary Description Protocol） processing and retransmission be handled by other protocols. UPnP（Universal Plug and Play） UPnP is a set of n

-12- Figure 3-4 Network Topology – Classic Mode Choose the menu Network→System Mode to load the following page. Figure 3-5 System Mode You can sele

-13- In this mode, the Router functions as the traditional Gateway and forwards the packets via routing protocol. The Hosts in different subnets can

-14- Note: 1) By default, TL-ER6120 is set to work in the mode of dual WAN ports. 2) Any change to the number of WAN ports may lead to a loss of

-I- COPYRIGHT & TRADEMARKS Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Oth

-15- The following items are displayed on this screen: ¾ Static IP Connection Type: Select Static IP if your ISP has assigned a static IP address

-16- Figure 3-8 WAN – Dynamic IP The following items are displayed on this screen: ¾ Dynamic IP Connection Type: Select Dynamic IP if your ISP as

-17- Get IP Address by Unicast: The broadcast requirement may not be supported by a few ISPs. Select this option if you can not get the IP address fr

-18- IP Address: Displays the IP address assigned by your ISP. Subnet Mask: Displays the Subnet Mask assigned by your ISP. Gateway Address: Displays

-19- Figure 3-9 WAN - PPPoE The following items are displayed on this screen: ¾ PPPoE Settings Connection Type: Select PPPoE if your ISP provides

-20- Account Name: Enter the Account Name provided by your ISP. If you are not clear, please consult your ISP. Password: Enter the Password provided

-21- connection. Dynamic IP and Static IP connection types are provided. Connection Type: Select the secondary connection type. Options include Disab

-22- this problem remains. IP Address: Displays the IP address assigned by your ISP. Gateway Address: Displays the Gateway Address assigned by your I

-23- Figure 3-10 WAN - L2TP The following items are displayed on this screen: ¾ L2TP Settings Connection Type: Select L2TP if your ISP provides a

-24- not clear, please consult your ISP. Password: Enter the Password provided by your ISP. Server IP: Enter the Server IP provided by your ISP. MTU:

-II- CONTENTS Package Contents...1 Cha

-25- Primary DNS/Secondary DNS: If Static IP is selected, configure the DNS. If Dynamic IP is selected, the obtained DNS is displayed. Upstream Ban

-26- Figure 3-11 WAN - PPTP The following items are displayed on this screen: ¾ PPTP Settings Connection Type: Select PPTP if your ISP provides a

-27- Account Name: Enter the Account Name provided by your ISP. If you are not clear, please consult your ISP. Password: Enter the Password provided

-28- displayed. Primary DNS/Secondary DNS: If Static IP is selected, configure the DNS. If Dynamic IP is selected, the obtained DNS is displayed. U

-29- The following items are displayed on this screen: ¾ BigPond Settings Connection Type: Select BigPond if your ISP provides a BigPond connecti

-30- Auth Domain: Enter the domain name of authentication server. It's only required when the address of Auth Server is a server name. Auth Mode

-31- IP Address: Displays the IP address assigned by your ISP. Subnet Mask: Displays the Subnet Mask assigned by your ISP. Default Gateway: Displays

-32- 3.1.4.2 DHCP The Router with its DHCP (Dynamic Host Configuration Protocol) server enabled can automatically assign an IP address to the compu

-33- Default Gateway: Optional. Enter the Gateway address to be assigned. It is recommended to enter the IP address of the LAN port of the Router. De

-34- Figure 3-15 DHCP Reservation The following items are displayed on this screen: ¾ DHCP Reservation MAC Address: Enter the MAC address of the

-III- 3.3.3 Session Limit ...59 3.3.4 Load

-35- 3.1.5 DMZ DMZ (Demilitarized Zone) is a network which has fewer default firewall restrictions than the LAN does. TL-ER6120 provides a DMZ port

-36- Choose the menu Network→DMZ→DMZ to load the following page. Figure 3-18 DMZ The following items are displayed on this screen: ¾ DMZ Status:

-37- Set the MAC Address for LAN port: In a complex network topology with all the ARP bound devices, if you want to change to use TL-ER6120 instead o

-38- to apply. Note: To avoid a conflict of MAC address on the LAN, it’s not allowed to set the MAC address of the Router’s LAN port to the MAC add

-39- Unicast: Displays the number of normal unicast packets received or transmitted on the port. Broadcast: Displays the number of normal broadcast p

-40- Figure 3-21 Port Mirror The following items are displayed on this screen: ¾ General Enable Port Mirror:Check the box to enable the Port Mirror

-41- The entry in Figure 3-21 indicates: The outgoing packets sent by port 1, port 2, port 3 and port 5 (mirrored ports) will be copied to port 4 (mi

-42- Figure 3-22 Rate Control The following items are displayed on this screen: ¾ Rate Control Port: Displays the port number. Ingress Limit: S

-43- Figure 3-23 Port Config The following items are displayed on this screen: ¾ Port Config Status: Specify whether to enable the port. The packet

-44- 3.1.7.6 Port VLAN A VLAN (Virtual Local Area Network) is a network topology configured according to a logical scheme rather than the physical l

-IV- 4.2 Network Topology...129 4.3 Con

-45- 3.2.1 Group On this page you can define the group for management. Choose the menu User Group→Group to load the following page. Figure 3-26 G

-46- ¾ User Config User Name: Specify a unique name for the user. IP Address: Enter the IP Address of the user. It cannot be the network address o

-47- Group Structure: Click this button to view the tree structure of this group. All the members of this group will be displayed, including Users a

-48- NAT-DMZ: Enable or disable NAT-DMZ. NAT DMZ is a special service of NAT application, which can be considered as a default forwarding rule. When

-49- The first entry in Figure 3-29 indicates: The IP address of host1 in local network is 1.1.1.1 and the WAN IP address after NAT mapping is specif

-50- The first entry in Figure 3-30 indicates that: This is a Multi-Nets NAT entry named tplink1. The subnet under the LAN port of the Router is 192.

-51- Configuration procedure 1. Establish the Multi-Nets NAT entries with Subnet/Mask of VLAN2 and VLAN3. The configured entries are as follows: 2

-52- 3.3.1.4 Virtual Server Virtual server can be used for setting up public services in your private network, such as DNS, Email and FTP. Virtual s

-53- Status: Activate or inactivate the entry. Note: ● The External port and Internal Port should be set in the range of 1-65535. ● The external

-54- ¾ Port Triggering Name: Enter a name for Port Triggering entries. Up to 28 characters can be entered. Trigger Port: Enter the trigger port nu

-1- Package Contents The following items should be found in your box: ¾ One TL-ER6120 Router ¾ One power cord ¾ One console cable ¾ One ground cab

-55- Choose the menu Advanced→NAT→ALG to load the following page. Figure 3-33 ALG The following items are displayed on this screen: ¾ ALG FTP ALG:

-56- Figure 3-34 Configuration The following items are displayed on this screen: ¾ General Disable Bandwidth Control: Select this option to disable

-57- Interface: Displays the current enabled WAN port(s). The Total bandwidth is equal to the sum of bandwidth of the enabled WAN ports. Upstream Ban

-58- ¾ Bandwidth Control Rule Direction: Select the data stream direction for the entry. The direction of arrowhead indicates the data stream direct

-59- Note: ● The premise for single rule taking effect is that the bandwidth of the interface for this rule is sufficient and not used up. ● It i

-60- Enable Session Limit: Check here to enable Session Limit, otherwise all the Session Limit entries will be disabled. ¾ Session Limit Group: Sele

-61- Figure 3-38 Configuration With the box before Enable Application Optimized Routing checked, the Router will consider the source IP address and

-62- The following items are displayed on this screen: ¾ General Protocol: Select the protocol for the entry in the drop-down list. If the protocol

-63- On this page, you can configure the Link Backup function based on actual need to reduce the traffic burden of WAN port and improve the network e

-64- Timing: Link Backup will be enabled if the specified effective time is reached. All the traffic on the primary WAN will switch to the backup WAN

-2- Chapter 1 About this Guide This User Guide contains information for setup and management of TL-ER6120 Router. Please read this guide carefully b

-65- Figure 3-41 Protocol The following items are displayed on this screen: ¾ Protocol Name: Enter a name to indicate a protocol. The name will di

-66- Choose the menu Advanced→Routing→Static Route to load the following page. Figure 3-42 Static Route The following items are displayed on this sc

-67- The first entry in Figure 3-42 indicates: If there are packets being sent to a device with IP address of 172.31.70.28 and subnet mask of 255.255

-68- 3.3.5.2 RIP RIP (Routing Information Protocol) is a dynamic route protocol using distance vector algorithm to select the optimal path. With fe

-69- Status: Enable or disable RIP protocol. RIP Version: Select RIPv1 or RIPv2. RIPv2 supports multicast and broadcast. Password Authentication: If

-70- Destination: The Destination of route entry. Gateway: The Gateway of route entry. Flags: The Flags of route entry. The Flags describe certain c

-71- Figure 3-45 IP-MAC Binding The following items are displayed on this screen: ¾ General It is recommended to check all the options. You should

-72- ¾ List of Rules You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-45 indicates: The

-73- Indicates that the IP and MAC address of this entry is already bound. To bind the entries in the list, check these entries and click the <Im

-74- Figure 3-48 Attack Defense The following items are displayed on this screen: ¾ General Flood Defense: Flood attack is a kind of commonly us

-3- Appendix A Hardware Specifications Lists the hardware specifications of this Router. Appendix B FAQ Provides the possible solutions to the prob

-75- not sure. Packet Anomaly Defense: Packet Anomaly refers to the abnormal packets. It is recommended to select all the Packet Anomaly Defense opti

-76- Description: Give a description for the entry. ¾ List of Rules You can view the information of the entries and edit them by the Action button

-77- ¾ URL Filtering Rule Object: Select the range in which the URL Filtering takes effect: z ANY: URL Filtering will take effect to all the user

-78- 3.4.4.2 Web Filtering On this page, you can filter the desired web components. Choose the menu Firewall→Access Control→Web Filtering to load

-79- Figure 3-52 Access Rule The following items are displayed on this screen: ¾ Access Rules Policy: Select a policy for the entry: y Block: W

-80- DMZ refers to all the WAN, LAN or DMZ interfaces. Source: Select the Source IP Range for the entries, including the following three ways: y IP/

-81- ¾ List of Rules You can view the information of the entries and edit them by the Action buttons. The smaller the value is, the higher the prior

-82- The following items are displayed on this screen: ¾ Service Name: Enter a name for the service. The name should not be more than 28 characters

-83- Figure 3-54 Application Rules The following items are displayed on this screen: ¾ General Check the box before Enable Application Control to m

-84- Effective Time: Specify the time for the entry to take effect. Description: Give a description for the entry. Status: Activate or inactivate the

-4- Chapter 2 Introduction Thanks for choosing the SafeStreamTM Multi-WAN VPN Router TL-ER6120. 2.1 Overview of the Router The SafeStreamTM Multi-W

-85- technology is developed and used to establish the private network through the public network, which can guarantee a secured data exchange. VPN

-86- Figure 3-57 IKE Policy The following items are displayed on this screen: ¾ IKE Policy Policy Name: Specify a unique name to the IKE policy for

-87- scenarios with lower requirement for identity protection. Local ID Type: Select the local ID type for IKE negotiation. IP Address: uses an IP ad

-88- Figure 3-58 IKE Proposal The following items are displayed on this screen: ¾ IKE Proposal Proposal Name: Specify a unique name to the IKE pr

-89- z AES192: Uses the AES algorithm and 192-bit key for encryption. z AES256: Uses the AES algorithm and 256-bit key for encryption. DH Group: Se

-90- Figure 3-59 IPsec Policy The following items are displayed on this screen: ¾ General You can enable/disable IPsec function for the Router here

-91- host. Local Subnet: Specify IP address range on your local LAN to identify which PCs on your LAN are covered by this policy. It's formed by

-92- Phase1 is de-encrypted. Without PFS, the key in Phase2 is created based on the key in Phase1 and thus once the key in Phase1 is de-encrypted, th

-93- Outgoing SPI: Specify the Outgoing SPI (Security Parameter Index) manually. The Outgoing SPI here must match the Incoming SPI value at the other

-94- Figure 3-60 IPsec Proposal The following items are displayed on this screen: ¾ IPsec Proposal Proposal Name: Specify a unique name to the IP