TL-ER6120 Multi-WAN VPN Router Rev: 1.0.0 1910010516
-5- ● Multi-WAN Ports + Providing three adjustable 10/100/1000M WAN/LAN ports for users to configure the amount of WAN ports based on need and connec
-95- for ESP authentication. Options include: ● MD5: MD5 (Message Digest Algorithm) takes a message of arbitrary length and generates a 128-bit mess
-96- and the default gateway of remote peer are 172.30.70.151 and 172.30.70.161 respectively. Security protocol and other parameters for IPsec tunnel
-97- Figure 3-62 L2TP/PPTP Tunnel The following items are displayed on this screen: ➢ General Enable VPN-to-Internet: Specify whether to enable VPN
-98- tunnel. ● Server: In this mode, the Router responds to the request from the remote client for establishing a tunnel. Account Name: Enter the ac
-99- IP Pool: Select the IP Pool Name to specify the address range for the server's IP assignment. This item is available for Server mode. Remo
-100- IP Address Range: Specify the start and the end IP address for IP Pool. The start IP address should not exceed the end address and the IP range
-101- 3.6.1.1 General On this page, you can configure PPPoE function globally. Choose the menu Services→PPPoE Server→General to load the following
-102- Idle Timeout: Enter the maximum idle time. The session will be terminated after it has been inactive for this specified period. It can be 0-100
-103- Figure 3-66 IP Address Pool The following items are displayed on this screen: ➢ IP Address Pool Pool Name: Specify a unique name to the IP Ad
-104- Figure 3-67 Account The following items are displayed on this screen: ➢ Account Account Name: Enter the account name. This name should not be
-6- ➢ Supports changing the MAC address of LAN, WAN, DMZ port ➢ Supports Logs, Statistics, Time setting ➢ Supports Remote and Web management ➢ S
-105- Status: Activate or inactivate the entry. MAC Binding: Select a MAC Binding type from the pull-down list. Options include: ● Disable: Select t
-106- IP Address Range: Specify the start and the end IP address to make an exceptional IP address range. This range should be in the same IP range w
-107- Figure 3-70 E-Bulletin The following items are displayed on this screen: ➢ General Enable E-Bulletin: Specify whether to enable electronic bu
-108- Content: Enter the content of the bulletin. Object: Select the object of this bulletin. Options include: ● ANY: The bulletin will be released
-109- DNS database. Therefore, the users can use the same domain name to access the DDNS client even if the IP address of the DDNS client has changed
-110- DDNS Status: Displays the current status of DDNS service ● Offline: DDNS service is disabled. ● Connecting: client is connecting to the serv
-111- DDNS Status: Displays the current status of DDNS service ● Offline: DDNS service is disabled. ● Connecting: client is connecting to the serv
-112- DDNS Status: Displays the current status of DDNS service ● Offline: DDNS service is disabled. ● Connecting: client is connecting to the serv
-113- Domain Name 1: Enter the Domain Name that you registered with your DDNS service provider. Domain Name 2: Optional. Enter the Domain Name that
-114- Figure 3-75 UPnP The following items are displayed on this screen: ➢ General UPnP Function: Enable or disable the UPnP function globally. ➢
-7- ● LEDs LED Status Indication On The Router is powered on PWR Off The Router is powered off or power supply is abnormal Flashing The Router
-115- Figure 3-76 Password The following items are displayed on this screen: ➢ Administrator Current User Name: Enter the current user name of the
-116- ➢ General Web Management Port: Enter the Web Management Port for the Router. Telnet Management Port: Enter the Telnet Management Port for th
-117- 3.7.1.3 Remote Management On this page you can configure the Remote Management function. This feature allows managing your Router from a remot
-118- 3.7.2.2 Export and Import Choose the menu Maintenance→Management→Export and Import to load the following page. Figure 3-80 Export and Import
-119- Figure 3-81 Reboot Click the <Reboot> button to reboot the Router. The configuration will not be lost after rebooting. The Internet co
-120- Figure 3-83 License 3.7.4 Statistics 3.7.4.1 Interface Traffic Statistics Interface Traffic Statistics screen displays the detailed traffic
-121- Rate Rx: Displays the rate for receiving data frames. Rate Tx: Displays the rate for transmitting data frames. Packets Rx: Displays the numbe
-122- Direction: Select the direction in the drop-down list to get the Flow Statistics of the specified direction. ➢ IP Traffic Statistics This t
-123- Figure 3-86 Diagnostics The following items are displayed on this screen: ➢ Ping Destination IP/Domain: Enter destination IP address or Doma
-124- ➢ Tracert Destination IP/Domain: Enter destination IP address or Domain name here. Then select a port for testing, if Auto is selected, the R
-8- press and hold the Reset button (about 4~5 seconds). After the SYS LED goes out, release the Reset button. If the SYS LED is flashing with a high
-125- DNS Lookup: Enter the IP address of DNS server in Manual mode. 0.0.0.0 means DNS Lookup is disabled. ➢ List of WAN status Port: Displays the
-126- Get GMT: When this option is selected, you can configure the time zone and the IP Address for the NTP Server. The Router will get GMT automati
-127- Send System Logs: Select Send System Logs and specify the server IP, then the new added logs will be sent to the specified server. The Logs of
-128- Chapter 4 Application 4.1 Network Requirements The company has established the server farms in the headquarters to provide the Web, Mail and
-129- 4.2 Network Topology 4.3 Configurations You can configure the Router via the PC connected to the LAN port of this Router. To log in to the R
-130- 4.3.1.1 System Mode Set the system mode of the Router to the NAT mode. Choose the menu Network→System Mode to load the following page. Select
-131- Figure 4-3 WAN – Static IP 4.3.1.4 Link Backup Set the connection of WAN1 as the primary link, the connection of WAN 2 as the secondary lin
-132- 4.3.2 VPN Setting To enable the hosts in the remote branch office (WAN: 116.31.85.133, LAN: 172.31.10.1) to access the servers in the headqua
-133- Policy Name: IKE_1 Exchange Mode: Main IKE Proposal: proposal_IKE_1 (you just created) Pre-shared Key: aabbccddee SA Lifetime: 3600 DPD: E
-134- the headquarters. 2) IPsec Setting To configure the IPsec function, you should create an IPsec Proposal first. ● IPsec Proposal Choose t
-9- Chapter 3 Configuration 3.1 Network 3.1.1 Status The Status page shows the system information, the port connection status and other informatio
-135- WAN: WAN1 Remote Gateway: 116.31.85.133 Exchange Mode IKE IKE Policy: IKE_1 IPsec Proposal: proposal_IPsec_1 (you just created) PFS: DH1 SA
-136- After the IPsec VPN tunnel of the two peers is established successfully, you can view the connection information on the VPN→IPsec→IPsec SA page
-137- Tunnel: Client-to-LAN IP Pool: PPTP_Dialup_User (you just created) Click the <Save> button to apply. 4.3.3 Network Management To manag
-138- Figure 4-11 Group Config ● User Choose the menu User Group→User to load the configuration page. Click the <Batch> button to enter the
-139- 4.3.3.2 App Control Choose the menu Firewall→App Control→Control Rules to load the configuration page. Check the box before Enable Application
-140- Figure 4-14 Bandwidth Setup 2) Interface Bandwidth Choose the menu Network→WAN→WAN1 to load the configuration page. Configure the Upstream Ban
-141- Figure 4-16 Bandwidth Control Rule 4.3.3.4 Session Limit Choose the menu Advanced→Session Limit→Session Limit to load the configuration page.
-142- 4.3.4.1 LAN ARP Defense You can configure IP-MAC Binding manually or by ARP Scanning. For the first time configuration, please bind most of th
-143- Choose the menu Firewall→Anti ARP Spoofing→IP-MAC Binding to load the configuration page. To add the host with IP address of 192.168.1.20 and M
-144- 4.3.4.3 Attack Defense Choose the menu Firewall→Attack Defense→Attack Defense to load the configuration page. Select the options desired to be
-10- Figure 3-1 Status 3.1.2 System Mode The TL-ER6120 Router can work in three modes: NAT, Non-NAT and Classic. If your Router is hosting your loc
-145- Figure 4-23 Port Mirror 2) Statistics Choose the menu Maintenance→Statistics to load the page. Load the Interface Traffic Statistics page to v
-146- Figure 4-25 IP Traffic Statistics After all the above steps, the enterprise network will be operated based on planning.
-147- Chapter 5 CLI TL-ER6120 provides a Console port for CLI (Command Line Interface) configuration, which enables you to configure the Router by a
-148- Figure 5-2 Connection Description 4. Select the port (The default port is COM1) to connect in Figure 5-3, and click OK. Figure 5-3 Select th
-149- Figure 5-4 Port Settings 6. Choose File → Properties → Settings on the Hyper Terminal window as Figure 5-5 shows, then choose VT100 or Auto de
-150- 7. The DOS prompt “TP-LINK>” will appear after pressing the Enter button in the Hyper Terminal window as Figure 5-6 shows. Figure 5-6 L
-151- port). Use the enable command to access Privileged EXEC mode. Privileged EXEC Mode Use the enable command to enter this mode from User EXEC mo
-152- ip - Display or Set the IP configuration ip-mac - Display or Set the IP mac bind configuration sys - System manager user - User con
-153- 5.4.1 ip The ip command is used to view or configure the IP address and subnet mask of the interfaces. View command can be used in both User E
-154- TP-LINK # sys reboot This command will reboot system, Continue?[Y/N] Reboot the system. Y means YES, N means NO. TP-LINK # sys restore
-11- Figure 3-2 Network Topology - NAT Mode If your Router is connecting the two networks of different areas in a large network environment with a n
-155- TP-LINK # sys import config Server address: [192.168.1.101] Username: [admin] Password: [admin] File name: [config.bin] Import the conf
-156- TP-LINK > user set password Enter old password: Enter new password: Confirm new password: Modify the password of the Guest. TP-LIN
-157- TP-LINK > history 1. history 2. sys show 3. history View the history command. TP-LINK > history clear 1. history 2. sys show 3
-158- Appendix A Hardware Specifications Standards IEEE 802.3, IEEE 802.3u, IEEE 802.3x, TCP/IP, DHCP, ICMP, NAT, PPPoE, SNTP, HTTP, DNS, L2TP, PPTP, IPsec One
-159- Appendix B FAQ Q1. What can I do if I cannot access the web-based configuration page? 1. For the first login, please try the following steps:
-160- Q3: What can I do if the Router with the remote management function enabled cannot be accessed by the remote computer? 1. Make sure that t
-161- Appendix C Glossary Glossary Description DSL (Digital Subscriber Line) A technology that allows data to be sent or received over existing t
-162- Glossary Description H.323 H.323 allows dissimilar communication devices to communicate with each other by using a standardized communicatio
-163- Glossary Description structures. MAC addresses are 6 bytes long and are controlled by the IEEE. MTU(Maximum Transmission Unit) The size in b
-164- Glossary Description Protocol) processing and retransmission be handled by other protocols. UPnP(Universal Plug and Play) UPnP is a set of n
-12- Figure 3-4 Network Topology – Classic Mode Choose the menu Network→System Mode to load the following page. Figure 3-5 System Mode You can sele
-13- In this mode, the Router functions as the traditional Gateway and forwards the packets via routing protocol. The Hosts in different subnets can
-14- Note: 1) By default, TL-ER6120 is set to work in the mode of dual WAN ports. 2) Any change to the number of WAN ports may lead to a loss of
-I- COPYRIGHT & TRADEMARKS Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Oth
-15- The following items are displayed on this screen: ➢ Static IP Connection Type: Select Static IP if your ISP has assigned a static IP address
-16- Figure 3-8 WAN – Dynamic IP The following items are displayed on this screen: ➢ Dynamic IP Connection Type: Select Dynamic IP if your ISP as
-17- Get IP Address by Unicast: The broadcast requirement may not be supported by a few ISPs. Select this option if you cannot get the IP address fr
-18- IP Address: Displays the IP address assigned by your ISP. Subnet Mask: Displays the Subnet Mask assigned by your ISP. Gateway Address: Displays
-19- Figure 3-9 WAN - PPPoE The following items are displayed on this screen: ➢ PPPoE Settings Connection Type: Select PPPoE if your ISP provides
-20- Account Name: Enter the Account Name provided by your ISP. If you are not clear, please consult your ISP. Password: Enter the Password provided
-21- connection. Dynamic IP and Static IP connection types are provided. Connection Type: Select the secondary connection type. Options include Disab
-22- this problem remains. IP Address: Displays the IP address assigned by your ISP. Gateway Address: Displays the Gateway Address assigned by your I
-23- Figure 3-10 WAN - L2TP The following items are displayed on this screen: ➢ L2TP Settings Connection Type: Select L2TP if your ISP provides a
-24- not clear, please consult your ISP. Password: Enter the Password provided by your ISP. Server IP: Enter the Server IP provided by your ISP. MTU:
-II- CONTENTS Package Contents...1 Cha
-25- Primary DNS/Secondary DNS: If Static IP is selected, configure the DNS. If Dynamic IP is selected, the obtained DNS is displayed. Upstream Ban
-26- Figure 3-11 WAN - PPTP The following items are displayed on this screen: ➢ PPTP Settings Connection Type: Select PPTP if your ISP provides a
-27- Account Name: Enter the Account Name provided by your ISP. If you are not clear, please consult your ISP. Password: Enter the Password provided
-28- displayed. Primary DNS/Secondary DNS: If Static IP is selected, configure the DNS. If Dynamic IP is selected, the obtained DNS is displayed. U
-29- The following items are displayed on this screen: ➢ BigPond Settings Connection Type: Select BigPond if your ISP provides a BigPond connecti
-30- Auth Domain: Enter the domain name of authentication server. It's only required when the address of Auth Server is a server name. Auth Mode
-31- IP Address: Displays the IP address assigned by your ISP. Subnet Mask: Displays the Subnet Mask assigned by your ISP. Default Gateway: Displays
-32- 3.1.4.2 DHCP The Router with its DHCP (Dynamic Host Configuration Protocol) server enabled can automatically assign an IP address to the compu
-33- Default Gateway: Optional. Enter the Gateway address to be assigned. It is recommended to enter the IP address of the LAN port of the Router. De
-34- Figure 3-15 DHCP Reservation The following items are displayed on this screen: ➢ DHCP Reservation MAC Address: Enter the MAC address of the
-III- 3.3.3 Session Limit ...59 3.3.4 Load
-35- 3.1.5 DMZ DMZ (Demilitarized Zone) is a network which has fewer default firewall restrictions than the LAN does. TL-ER6120 provides a DMZ port
-36- Choose the menu Network→DMZ→DMZ to load the following page. Figure 3-18 DMZ The following items are displayed on this screen: ➢ DMZ Status:
-37- Set the MAC Address for LAN port: In a complex network topology with all the ARP bound devices, if you want to change to use TL-ER6120 instead o
-38- to apply. Note: To avoid a conflict of MAC address on the LAN, it’s not allowed to set the MAC address of the Router’s LAN port to the MAC add
-39- Unicast: Displays the number of normal unicast packets received or transmitted on the port. Broadcast: Displays the number of normal broadcast p
-40- Figure 3-21 Port Mirror The following items are displayed on this screen: ➢ General Enable Port Mirror: Check the box to enable the Port Mirror
-41- The entry in Figure 3-21 indicates: The outgoing packets sent by port 1, port 2, port 3 and port 5 (mirrored ports) will be copied to port 4 (mi
-42- Figure 3-22 Rate Control The following items are displayed on this screen: ➢ Rate Control Port: Displays the port number. Ingress Limit: S
-43- Figure 3-23 Port Config The following items are displayed on this screen: ➢ Port Config Status: Specify whether to enable the port. The packet
-44- 3.1.7.6 Port VLAN A VLAN (Virtual Local Area Network) is a network topology configured according to a logical scheme rather than the physical l
-IV- 4.2 Network Topology...129 4.3 Con
-45- 3.2.1 Group On this page you can define the group for management. Choose the menu User Group→Group to load the following page. Figure 3-26 G
-46- ➢ User Config User Name: Specify a unique name for the user. IP Address: Enter the IP Address of the user. It cannot be the network address o
-47- Group Structure: Click this button to view the tree structure of this group. All the members of this group will be displayed, including Users a
-48- NAT-DMZ: Enable or disable NAT-DMZ. NAT DMZ is a special service of NAT application, which can be considered as a default forwarding rule. When
-49- The first entry in Figure 3-29 indicates: The IP address of host1 in local network is 1.1.1.1 and the WAN IP address after NAT mapping is specif
-50- The first entry in Figure 3-30 indicates that: This is a Multi-Nets NAT entry named tplink1. The subnet under the LAN port of the Router is 192.
-51- Configuration procedure 1. Establish the Multi-Nets NAT entries with Subnet/Mask of VLAN2 and VLAN3. The configured entries are as follows: 2
-52- 3.3.1.4 Virtual Server Virtual server can be used for setting up public services in your private network, such as DNS, Email and FTP. Virtual s
-53- Status: Activate or inactivate the entry. Note: ● The External port and Internal Port should be set in the range of 1-65535. ● The external
-54- ➢ Port Triggering Name: Enter a name for Port Triggering entries. Up to 28 characters can be entered. Trigger Port: Enter the trigger port nu
-1- Package Contents The following items should be found in your box: ➢ One TL-ER6120 Router ➢ One power cord ➢ One console cable ➢ One ground cab
-55- Choose the menu Advanced→NAT→ALG to load the following page. Figure 3-33 ALG The following items are displayed on this screen: ➢ ALG FTP ALG:
-56- Figure 3-34 Configuration The following items are displayed on this screen: ➢ General Disable Bandwidth Control: Select this option to disable
-57- Interface: Displays the current enabled WAN port(s). The Total bandwidth is equal to the sum of bandwidth of the enabled WAN ports. Upstream Ban
-58- ➢ Bandwidth Control Rule Direction: Select the data stream direction for the entry. The direction of arrowhead indicates the data stream direct
-59- Note: ● The premise for single rule taking effect is that the bandwidth of the interface for this rule is sufficient and not used up. ● It i
-60- Enable Session Limit: Check here to enable Session Limit, otherwise all the Session Limit entries will be disabled. ➢ Session Limit Group: Sele
-61- Figure 3-38 Configuration With the box before Enable Application Optimized Routing checked, the Router will consider the source IP address and
-62- The following items are displayed on this screen: ➢ General Protocol: Select the protocol for the entry in the drop-down list. If the protocol
-63- On this page, you can configure the Link Backup function based on actual need to reduce the traffic burden of WAN port and improve the network e
-64- Timing: Link Backup will be enabled if the specified effective time is reached. All the traffic on the primary WAN will switch to the backup WAN
-2- Chapter 1 About this Guide This User Guide contains information for setup and management of TL-ER6120 Router. Please read this guide carefully b
-65- Figure 3-41 Protocol The following items are displayed on this screen: ➢ Protocol Name: Enter a name to indicate a protocol. The name will di
-66- Choose the menu Advanced→Routing→Static Route to load the following page. Figure 3-42 Static Route The following items are displayed on this sc
-67- The first entry in Figure 3-42 indicates: If there are packets being sent to a device with IP address of 172.31.70.28 and subnet mask of 255.255
-68- 3.3.5.2 RIP RIP (Routing Information Protocol) is a dynamic route protocol using distance vector algorithm to select the optimal path. With fe
-69- Status: Enable or disable RIP protocol. RIP Version: Select RIPv1 or RIPv2. RIPv2 supports multicast and broadcast. Password Authentication: If
-70- Destination: The Destination of route entry. Gateway: The Gateway of route entry. Flags: The Flags of route entry. The Flags describe certain c
-71- Figure 3-45 IP-MAC Binding The following items are displayed on this screen: ➢ General It is recommended to check all the options. You should
-72- ➢ List of Rules You can view the information of the entries and edit them by the Action buttons. The first entry in Figure 3-45 indicates: The
-73- Indicates that the IP and MAC address of this entry is already bound. To bind the entries in the list, check these entries and click the <Im
-74- Figure 3-48 Attack Defense The following items are displayed on this screen: ➢ General Flood Defense: Flood attack is a kind of commonly us
-3- Appendix A Hardware Specifications Lists the hardware specifications of this Router. Appendix B FAQ Provides the possible solutions to the prob
-75- not sure. Packet Anomaly Defense: Packet Anomaly refers to the abnormal packets. It is recommended to select all the Packet Anomaly Defense opti
-76- Description: Give a description for the entry. ➢ List of Rules You can view the information of the entries and edit them by the Action button
-77- ➢ URL Filtering Rule Object: Select the range in which the URL Filtering takes effect: ● ANY: URL Filtering will take effect to all the user
-78- 3.4.4.2 Web Filtering On this page, you can filter the desired web components. Choose the menu Firewall→Access Control→Web Filtering to load
-79- Figure 3-52 Access Rule The following items are displayed on this screen: ➢ Access Rules Policy: Select a policy for the entry: ● Block: W
-80- DMZ refers to all the WAN, LAN or DMZ interfaces. Source: Select the Source IP Range for the entries, including the following three ways: ● IP/
-81- ➢ List of Rules You can view the information of the entries and edit them by the Action buttons. The smaller the value is, the higher the prior
-82- The following items are displayed on this screen: ➢ Service Name: Enter a name for the service. The name should not be more than 28 characters
-83- Figure 3-54 Application Rules The following items are displayed on this screen: ➢ General Check the box before Enable Application Control to m
-84- Effective Time: Specify the time for the entry to take effect. Description: Give a description for the entry. Status: Activate or inactivate the
-4- Chapter 2 Introduction Thanks for choosing the SafeStream™ Multi-WAN VPN Router TL-ER6120. 2.1 Overview of the Router The SafeStream™ Multi-W
-85- technology is developed and used to establish the private network through the public network, which can guarantee a secured data exchange. VPN
-86- Figure 3-57 IKE Policy The following items are displayed on this screen: ➢ IKE Policy Policy Name: Specify a unique name to the IKE policy for
-87- scenarios with lower requirement for identity protection. Local ID Type: Select the local ID type for IKE negotiation. IP Address: uses an IP ad
-88- Figure 3-58 IKE Proposal The following items are displayed on this screen: ➢ IKE Proposal Proposal Name: Specify a unique name to the IKE pr
-89- ● AES192: Uses the AES algorithm and 192-bit key for encryption. ● AES256: Uses the AES algorithm and 256-bit key for encryption. DH Group: Se
-90- Figure 3-59 IPsec Policy The following items are displayed on this screen: ➢ General You can enable/disable IPsec function for the Router here
-91- host. Local Subnet: Specify IP address range on your local LAN to identify which PCs on your LAN are covered by this policy. It's formed by
-92- Phase1 is decrypted. Without PFS, the key in Phase2 is created based on the key in Phase1 and thus once the key in Phase1 is decrypted, th
-93- Outgoing SPI: Specify the Outgoing SPI (Security Parameter Index) manually. The Outgoing SPI here must match the Incoming SPI value at the other
-94- Figure 3-60 IPsec Proposal The following items are displayed on this screen: ➢ IPsec Proposal Proposal Name: Specify a unique name to the IP