Wifi 6 Hospot Rport
Wifi 6 Hospot Rport
Wifi 6 Hospot Rport
Copyright Statement
© 2022 Shenzhen Tenda Technology Co., Ltd. All rights reserved.
is a registered trademark legally held by Shenzhen Tenda Technology Co., Ltd. Other
brand and product names mentioned herein are trademarks or registered trademarks of their
respective holders. Copyright of the whole product as integration, including its accessories and
software, belongs to Shenzhen Tenda Technology Co., Ltd. No part of this publication can be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language
in any form or by any means without the prior written permission of Shenzhen Tenda Technology
Co., Ltd.
Disclaimer
Pictures, images and product specifications herein are for references only. To improve internal
design, operational function, and/or reliability, Tenda reserves the right to make changes to the
products without obligation to notify any person or organization of such revisions or changes.
Tenda does not assume any liability that may occur due to the use or application of the product
described herein. Every effort has been made in the preparation of this document to ensure
accuracy of the contents, but all statements, information and recommendations in this document
do not constitute a warranty of any kind, express or implied.
i
Version 1.0
Preface
Thank you for choosing Tenda! Please read this user guide carefully before you start.
Conventions
This user guide applies to the Tenda AX3000 Dual Band Wi-Fi 6 Wireless Hotspot Router W30E.
The contained images and UI screenshots are subject to the actual products.
The typographical elements that may be found in this document are defined as follows.
Item Presentation Example
The symbols that may be found in this document are defined as follows.
Symbol Meaning
This format is used to highlight a procedure that will save time or resources.
Document Description
It introduces how to set up the device quickly for internet access, the
Quick Installation Guide descriptions of LED indicators, ports, and buttons, FAQ, statement information,
and so on.
It introduces how to set up more functions of the device for more requirements,
User Guide
including all functions on the web UI of the device.
ii
Version 1.0
Technical Support
If you need more help, contact us by any of the following means. We will be glad to assist you as
soon as possible.
Global: (86) 755-27657180
(China Time Zone)
www.tendacn.com
Website
Revision History
Tenda is constantly searching for ways to improve its products and documentation. The following
table indicates any changes that might have been made since the user guide was released.
iii
Version 1.0
Contents
1 Login ............................................................................................................................................ 1
1.1 Log in to the web UI .............................................................................................................. 1
1.2 Logout ................................................................................................................................... 5
2 Web UI ......................................................................................................................................... 6
2.1 Web UI layout........................................................................................................................ 6
2.2 Frequently-used buttons ....................................................................................................... 7
3 System status ............................................................................................................................... 8
3.1 Check physical connections and system status ...................................................................... 8
3.1.1 Check physical connections ........................................................................................ 8
3.1.2 View system status ................................................................................................... 10
3.2 View CPU and memory status ............................................................................................. 14
3.3 Monitor traffic ..................................................................................................................... 14
3.3.1 Enable traffic monitoring .......................................................................................... 14
3.3.2 View traffic statistics................................................................................................. 15
3.4 Manage online devices ........................................................................................................ 17
3.5 Control bandwidth of online devices................................................................................... 18
3.6 Blacklist ............................................................................................................................... 20
3.6.1 Add devices to blacklist ............................................................................................ 20
3.6.2 Remove devices from blacklist ................................................................................. 21
3.7 Manage APs......................................................................................................................... 22
4 Internet settings ......................................................................................................................... 24
4.1 Internet Settings .................................................................................................................. 24
4.1.1 Overview .................................................................................................................. 24
4.1.2 Configure multiple WAN ports.................................................................................. 26
4.1.3 Set up for internet access ......................................................................................... 29
4.2 WAN parameters ................................................................................................................. 36
4.2.1 WAN speed ............................................................................................................... 36
4.2.2 MTU.......................................................................................................................... 37
4.2.3 Clone MAC address .................................................................................................. 38
4.3 LAN settings ........................................................................................................................ 40
4.3.1 Modify LAN IP address of the router ........................................................................ 40
4.3.2 Modify DHCP server ................................................................................................. 41
5 Wireless ..................................................................................................................................... 43
iv
Version 1.0
5.1 Wireless settings ................................................................................................................. 43
5.2 Max rate & isolation ............................................................................................................ 46
5.3 MAC filters........................................................................................................................... 48
5.3.1 Overview .................................................................................................................. 48
5.3.2 Configure a MAC filter rule ....................................................................................... 49
5.3.3 Example of configuring MAC filters rule ................................................................... 51
5.4 Advanced settings ............................................................................................................... 54
5.5 Guest network ..................................................................................................................... 58
6 Address reservation ................................................................................................................... 60
6.1 Address reservation ............................................................................................................ 60
6.2 Configure address reservation ............................................................................................ 62
6.2.1 Quick address reservation ........................................................................................ 62
6.2.2 Manual address reservation ..................................................................................... 64
7 Bandwidth control ..................................................................................................................... 65
7.1 Overview ............................................................................................................................. 65
7.2 Manual ................................................................................................................................ 66
7.3 Auto .................................................................................................................................... 68
7.4 Limit by group ..................................................................................................................... 69
7.5 Example of configuring limit by group rules ........................................................................ 71
8 Authentication ........................................................................................................................... 74
8.1 Captive portal ...................................................................................................................... 74
8.1.1 Overview .................................................................................................................. 74
8.1.2 Configure SMS authentication .................................................................................. 79
8.1.3 Configure local user authentication.......................................................................... 82
8.1.4 Configure email authentication ................................................................................ 84
8.1.5 Configure one-key authentication ............................................................................ 86
8.2 User management ............................................................................................................... 88
8.2.1 Overview .................................................................................................................. 88
8.2.2 Add user accounts for local user authentication ...................................................... 89
8.3 Examples of configuring authentication .............................................................................. 91
8.3.1 Example of configuring SMS authentication ............................................................. 91
8.3.2 Example of configuring local user authentication ..................................................... 97
8.3.3 Example of configuring email authentication ......................................................... 103
9 AP mangement......................................................................................................................... 108
9.1 Basic settings ..................................................................................................................... 108
9.1.1 Overview ................................................................................................................ 108
9.1.2 Distribute wireless policies to APs .......................................................................... 110
v
Version 1.0
9.2 AP settings......................................................................................................................... 111
9.2.1 Overview ................................................................................................................ 111
9.2.2 Upgrade the APs ..................................................................................................... 113
9.2.3 Reset the APs .......................................................................................................... 114
9.2.4 Reboot the APs ....................................................................................................... 115
9.2.5 Delete the APs ........................................................................................................ 116
9.2.6 Refresh the page .................................................................................................... 117
9.2.7 Export data ............................................................................................................. 117
9.2.8 More settings ......................................................................................................... 118
9.3 Advanced settings ............................................................................................................. 119
10 USB sharing .............................................................................................................................. 122
10.1 Overview ......................................................................................................................... 122
10.2 USB sharing ..................................................................................................................... 122
10.3 Example of configuring USB sharing ................................................................................ 124
10.3.1 Networking requirement ...................................................................................... 124
10.3.2 Network topology................................................................................................. 124
10.3.3 Configuration procedure ...................................................................................... 125
10.3.4 Verification ........................................................................................................... 126
11 Filter management ................................................................................................................... 127
11.1 IP group/time group ........................................................................................................ 127
11.1.1 Overview .............................................................................................................. 127
11.1.2 Add a time group .................................................................................................. 129
11.1.3 Add an IP group .................................................................................................... 130
11.2 MAC address filter ........................................................................................................... 131
11.2.1 Overview .............................................................................................................. 131
11.2.2 Configure a MAC address filter rule ...................................................................... 132
11.2.3 Example of configuring a MAC address filter rule ................................................. 133
11.3 IP address filter ............................................................................................................... 136
11.3.1 Overview .............................................................................................................. 136
11.3.2 Configure an IP address filter rule ........................................................................ 137
11.3.3 Example of configuring an IP address filter rule ................................................... 138
11.4 Port filter ......................................................................................................................... 142
11.4.1 Overview .............................................................................................................. 142
11.4.2 Configure a port filter rule .................................................................................... 143
11.4.3 Example of configuring a port filter rule ............................................................... 144
11.5 URL filter ......................................................................................................................... 148
11.5.1 Overview .............................................................................................................. 148
vi
Version 1.0
11.5.2 Customize a URL group ......................................................................................... 149
11.5.3 Configure a URL filter rule .................................................................................... 150
11.5.4 Example of configuring a URL filter rule ............................................................... 152
11.6 Log audit ......................................................................................................................... 157
11.6.1 Log settings .......................................................................................................... 157
11.6.2 Log storage ........................................................................................................... 159
12 More settings ........................................................................................................................... 160
12.1 Static route ...................................................................................................................... 160
12.1.1 Overview .............................................................................................................. 160
12.1.2 Configure a static routing rule .............................................................................. 161
12.1.3 Example of configuring static route ...................................................................... 162
12.2 Port mirroring.................................................................................................................. 166
12.2.1 Overview .............................................................................................................. 166
12.2.2 Example of configuring port mirroring ................................................................. 167
12.3 Remote web management .............................................................................................. 169
12.3.1 Overview .............................................................................................................. 169
12.3.2 Example of configuring remote web management ............................................... 170
12.4 DDNS ............................................................................................................................... 172
12.4.1 Overview .............................................................................................................. 172
12.4.2 Example of configuring DDNS ............................................................................... 174
12.5 Port forwarding ............................................................................................................... 179
12.5.1 Overview .............................................................................................................. 179
12.5.2 Configure a port forwarding rule .......................................................................... 180
12.5.3 Example of configuring a port forwarding rule ..................................................... 181
12.6 DMZ host ......................................................................................................................... 186
12.6.1 Overview .............................................................................................................. 186
12.6.2 Example of configuring DMZ host......................................................................... 187
12.7 UPnP................................................................................................................................ 191
12.7.1 Overview .............................................................................................................. 191
12.7.2 Enable UPnP ......................................................................................................... 191
12.8 Any IP .............................................................................................................................. 192
12.9 DNS forwarding ............................................................................................................... 193
12.10 Security settings ............................................................................................................ 194
12.11 VPN ............................................................................................................................... 196
12.11.1 Overview ............................................................................................................ 196
12.11.2 VPN server .......................................................................................................... 197
12.11.3 VPN client ........................................................................................................... 200
vii
Version 1.0
12.11.4 IPSec ................................................................................................................... 202
12.11.5 Example of configuring a PPTP/L2TP VPN ........................................................... 212
12.11.6 Example of configuring an IPSec VPN ................................................................. 218
12.11.7 Example of configuring a L2TP over IPSec VPN ................................................... 223
12.12 Multi-WAN policy .......................................................................................................... 235
12.12.1 Overview ............................................................................................................ 235
12.12.2 Customize a multi-WAN policy ........................................................................... 236
12.12.3 Example of customizing a multi-WAN policy ...................................................... 237
12.13 IPv6 ............................................................................................................................... 239
12.13.1 Overview ............................................................................................................ 239
12.13.2 IPv6 WAN settings .............................................................................................. 240
12.13.3 IPv6 LAN settings ................................................................................................ 243
13 Maintenance ............................................................................................................................ 245
13.1 Reboot ............................................................................................................................. 245
13.2 Upgrade........................................................................................................................... 246
13.2.1 Overview .............................................................................................................. 246
13.2.2 Local upgrade ....................................................................................................... 246
13.2.3 Online upgrade ..................................................................................................... 248
13.3 Reset ............................................................................................................................... 249
13.3.1 Overview .............................................................................................................. 249
13.3.2 Reset the router using web UI .............................................................................. 249
13.3.3 Reset the router using the reset button ............................................................... 249
13.4 Password manager .......................................................................................................... 250
13.4.1 Overview .............................................................................................................. 250
13.4.2 Modify login password ......................................................................................... 250
13.5 Reboot schedule.............................................................................................................. 251
13.5.1 Overview .............................................................................................................. 251
13.5.2 Customize reboot schedule .................................................................................. 251
13.6 Backup/Restore ............................................................................................................... 252
13.6.1 Overview .............................................................................................................. 252
13.6.2 Back up your current configuration ...................................................................... 252
13.6.3 Restore your previous configuration .................................................................... 253
13.7 System log ....................................................................................................................... 254
13.8 Diagnostic tool ................................................................................................................ 255
13.8.1 Overview .............................................................................................................. 255
13.8.2 Execute Ping command ........................................................................................ 255
13.8.3 Execute Traceroute command .............................................................................. 256
viii
Version 1.0
13.9 System time..................................................................................................................... 257
13.9.1 Synchronize with internet time ............................................................................ 257
13.9.2 Set system time manually ..................................................................................... 258
13.10 Function center ............................................................................................................. 259
Appendix ......................................................................................................................................... 260
Acronyms and Abbreviations .................................................................................................. 260
ix
Version 1.0
1 Login
1.1 Log in to the web UI
If you use this router for the first time or have reset it to factory settings, refer to the quick
installation guide to complete the setup wizard. Otherwise, refer to the following steps.
Step 2 Set the local connection of your computer to Obtain an IP address automatically and
Obtain DNS server address automatically.
Step 4 Enter the login password of the router you set, and click Login.
- By default, the WiFi password is set as the login password automatically. Thus, if you forget the
login password, try with the WiFi password.
- If the above fails, reset the router to factory settings and then set the login password. After reset,
you need to reconfigure the network.
----End
1
Version 1.0
If the above page does not appear, try the following solutions:
- Ensure that the router is powered on properly.
- Ensure that the computer is connected to a LAN port of the router, and the corresponding
indicator lights solid on or blinks.
- Reset the router to factory settings, and log in again.
2
Version 1.0
- By default, the WiFi password is set as the login password automatically. Thus, if you forget the
login password, try with the WiFi password.
- If the above fails, reset the router to factory settings and then set the login password. After reset,
you need to reconfigure the network.
----End
If the above page does not appear, try the following solutions:
- Ensure that your smartphone is connected to the WiFi network of the router.
- Ensure that the mobile data is disabled.
- Reset the router to factory settings, and log in again.
3
Version 1.0
4
Version 1.0
1.2 Logout
If you log in to the web UI of the router and perform no operation within 20 minutes, the router
logs you out automatically.
You can log out by clicking Logout on the upper right corner of the web UI as well.
5
Version 1.0
2 Web UI
2.1 Web UI layout
The web UI of the router consists of three sections, including the level-1, level-2 navigation bar, and
configuration area. See the following figure:
1
S
3
1
Features and parameters in gray indicate that they are not available or cannot be changed under the
current condition.
❶ Level-1 navigation bar Used to display the function menu of the router. Users can select functions
in the navigation bars and the configuration appears in the configuration
❷ Level-2 navigation bar area.
6
Version 1.0
Button Description
Used to save the configuration on the current page and enable the configuration to take
effect.
Used to change the current configuration on the current page back to the original
configuration.
7
Version 1.0
3 System status
In the System Status module, you can:
◼ Check physical connections and system status
◼ View CPU and memory status
◼ Monitor traffic
◼ Manage online devices
◼ Control bandwidth of online devices
◼ Add devices to or remove devices from blacklist
◼ Manage APs
8
Version 1.0
You can click WAN1 to view the connection type and status.
The following figure indicates that the router is disconnected from the internet. Check whether the
Ethernet cable is connected properly.
9
Version 1.0
Operating status
This module displays the router’s operating status about the system time, uptime, firmware version
and so on.
Parameter description
Parameter Description
Uptime Specifies the time that has elapsed since the router was started last time.
10
Version 1.0
You can modify LAN settings by navigating to More > LAN settings.
WAN info
This module displays parameters about all enabled WAN ports, including connection type, status, IP
address and so on.
Parameter description
Parameter Description
Connection Type Specifies the internet connection type of the corresponding WAN port.
11
Version 1.0
Parameter Description
Specifies whether or not the WAN port is plugged. If Disconnected appears, check
Status
its physical connection.
Subnet Mask Specifies the subnet mask of the corresponding WAN port.
Default Gateway Specifies the gateway IP address of the corresponding WAN port.
Primary DNS
Specify the primary/secondary DNS server addresses of the corresponding WAN
port.
Secondary DNS
Upload Rate
Specify the upload and download rates of the corresponding WAN port.
Download Rate
IPv6 status
This module displays the Connection Type, Status and other parameters of the IPv6 WAN port and
the IPv6 LAN address (This part appears when you enable the IPv6 function).
Parameter description
Parameter Description
Connection Type Specifies the internet connection type of the corresponding IPv6 WAN port.
12
Version 1.0
Parameter Description
Specifies whether or not the IPv6 WAN port is plugged. If Unplugged appears,
Status
check its physical connection.
IPv6 WAN Address Specifies the IP address of the corresponding IPv6 WAN port.
IPv6 Default Gateway Specifies the gateway IP address of the corresponding IPv6 WAN port.
IPv6 LAN Address Specifies the IP address of the corresponding IPv6 LAN port.
13
Version 1.0
14
Version 1.0
Here, you can view the dynamic flow of upload and download traffic on the WAN port of the router,
and can also learn the basic information of certain client and relevant parameters such as Upload
Bandwidth, Download Bandwidth and Uptime.
Parameter description
Parameter Description
Specifies the names of clients connected to the router, connection way, their IP
Host Name
addresses, and MAC addresses.
Concurrent Sessions Specifies the number of TCP connections between the client and the router.
15
Version 1.0
Parameter Description
Upload Bandwidth
Specify the real-time upload/download bandwidth of each client.
Download Bandwidth
Total Download Specify the total download traffic utilized by each client.
Uptime Specifies the connection time of each client. The format is Hour:Minute.
16
Version 1.0
17
Version 1.0
----End
You can view the configured upload and download limits of a device as shown below.
18
Version 1.0
You can view the configured upload and download limits of all online devices as shown below.
Upload/download limits of devices that are configured by Limit by Group policy cannot be modified
here.
19
Version 1.0
3.6 Blacklist
Click System Status to enter the page.
Here, you can add devices to or remove devices from the blacklist.
----End
Add other online devices to blacklist:
Step 1 Click Terminals to enter the Bandwidth Control and Blacklist page.
Step 2 Locate the device among Online Devices, and click Blacklist.
----End
20
Version 1.0
You can view the blocked devices on the Blacklist page as shown below.
----End
21
Version 1.0
Parameter description
Parameter Description
Remark Specifies the remark name that you leave for the corresponding AP.
Specifies the WiFi SSID of the corresponding AP, including 2.4G and 5G WiFi.
SSID
You can change the remark for the AP by clicking
Online Devices Specifies the number of online devices of each wireless network.
IP/MAC Address Specifies the IP address and MAC address of the corresponding AP.
22
Version 1.0
Parameter Description
Direct to AP
By clicking this button, you are directed to the configuration page of AP Management.
Management
23
Version 1.0
4 Internet settings
4.1 Internet Settings
4.1.1 Overview
Click Internet Settings to enter the page.
Here, you can configure the internet settings of the router for multiple devices in the LAN to share.
Parameter description
Parameter Description
Specifies how many WAN ports you can set on the router.
WAN Ports By default, the router has only one WAN port (the WAN1 port), and you can set 3
WAN ports at most.
24
Version 1.0
Parameter Description
Indicates that the port functions as a WAN port or a LAN port, as well as the port is
connected or not.
Port Type The port is connected properly.
The router supports PPPoE Russia, PPTP/PPTP Russia, and L2TP/L2TP Russia as well.
These three connection types are only applicable to Russia and its vicinity.
PPPoE Username These two parameters are required only when your internet connection type is
PPPoE or PPPoE Russia.
You can obtain them from your ISP.
PPPoE Password
Server Name
These two parameters are required only when your internet connection type is
PPPoE or PPPoE Russia. Enter these two parameters (optional) provided by your ISP.
Service Name
This parameter is required only when your internet connection type is PPTP/PPTP
PPTP Server Address
Russia. You can obtain it from your ISP.
This parameter is required only when your internet connection type is L2TP/L2TP
L2TP Server Address
Russia. You can obtain it from your ISP.
User Name
These two parameters are required only when your internet connection type is
PPTP/PPTP Russia or L2TP/L2TP Russia. You can obtain them from your ISP.
Password
This parameter appears when your internet connection type is PPPoE Russia,
PPTP/PPTP Russia, or L2TP/L2TP Russia. If there is no DHCP server in the network,
Obtain an IP address select Manual and enter the IP address and related parameters. If there is a DHCP
server in the network, select Auto, and the device will obtain these parameters from
the DHCP server.
IP Address
Subnet Mask These parameters are required only when your internet connection type is Static IP
or if you set Obtain an IP address to Manual when your internet connection type is
Default Gateway PPPoE Russia, PPTP/PPTP Russia, or L2TP/L2TP Russia. The Secondary DNS
parameter is optional.
Primary DNS You can obtain them from your ISP.
Secondary DNS
25
Version 1.0
Parameter Description
Parameters for internet access are provided by your ISP. Refer to Choose your connection type
table for detailed description. Values used here are only for examples.
Modifying number of WAN ports makes the router reboot.
The following procedure describes how to configure 2 WAN ports. You can refer to the following
steps to increase or decrease WAN ports as needed.
Step 1 Select the number of WAN ports from the WAN Ports drop-down list menu, which is 2 in
this example.
The port marked with LAN2 changes into WAN2, and the WAN2 configuration area
appears.
26
Version 1.0
Step 2 On the WAN1 configuration area, enter the PPPoE information provided by your ISP.
Step 3 On the WAN2 configuration area, set Connection Type to Dynamic IP.
27
Version 1.0
Step 4 Click Save at the bottom of the page to apply your settings.
----End
Wait a moment. The router performs rebooting to apply your settings. When the status shows
Authenticated successfully or networked, your configuration is successful. See the following figure:
28
Version 1.0
PPPoE PPPoE username, PPPoE password, server name, and service name.
Static IP IP address, subnet mask, default gateway, primary DNS, and secondary DNS (optional).
None or the device is connected to an upstream device which can access the internet and
Dynamic IP
has its DHCP server enabled.
PPPoE Russia If the DHCP server of the upstream device is disabled (means you have to select Manual
for Obtain an IP address), then the IP address, subnet mask, default gateway, and primary
DNS are required.
PPTP/PPTP Russia If the DHCP server of the upstream device is disabled (means you have to select Manual
for Obtain an IP address), then the IP address, subnet mask, default gateway, and primary
DNS are required.
L2TP/L2TP Russia If the DHCP server of the upstream device is disabled (means you have to select Manual
for Obtain an IP address), then the IP address, subnet mask, default gateway, and primary
DNS are required.
29
Version 1.0
PPPoE
Step 1 Navigate to Internet Settings > Internet Settings.
Step 2 Set Connection Type to PPPoE.
Step 3 Enter the PPPoE Username and PPPoE Password provided by your ISP.
Step 4 Click Save at the bottom of the page to apply your settings.
----End
Wait a moment. When the Status shows Authenticated successfully, the router is connected to the
internet successfully
If the username and password you entered are correct but the router fails to connect to the
internet, try to modify WAN parameters in Internet Settings > WAN Parameters.
30
Version 1.0
Static IP
Step 1 Navigate to Internet Settings > Internet Settings.
Step 2 Set Connection Type to Static IP.
Step 3 Enter the IP Address, Subnet Mask, Default Gateway and Primary/Secondary DNS
provided by your ISP.
Step 4 Click Save at the bottom of the page to apply your settings.
----End
Wait a moment. When the Status shows networked, the router is connected to the internet
successfully.
If the router fails to connect to the internet, try to modify WAN parameters in Internet Settings >
WAN Parameters.
31
Version 1.0
Dynamic IP
Step 1 Navigate to Internet Settings > Internet Settings.
Step 2 Set Connection Type to Dynamic IP.
Step 3 Click Save at the bottom of the page to apply your settings.
----End
Wait a moment. When the Status shows networked, the router is connected to the internet
successfully.
If the router fails to connect to the internet, try to modify WAN parameters in Internet Settings >
WAN Parameters.
32
Version 1.0
PPPoE Russia
Step 1 Navigate to Internet Settings > Internet Settings.
Step 2 Set Connection Type to PPPoE Russia.
Step 3 Enter the PPPoE Username, PPPoE Password provided by your ISP. If the Server Name,
Service Name, IP Address and other related parameters are also provided, enter them in
the corresponding input box as well.
Step 4 Click Save at the bottom of the page to apply your settings.
----End
Wait a moment. When the Status shows Authenticated successfully, the router is connected to the
internet successfully
If the username and password you entered are correct but the router fails to connect to the
internet, try to modify WAN parameters in Internet Settings > WAN Parameters.
33
Version 1.0
PPTP/PPTP Russia
Step 1 Navigate to Internet Settings > Internet Settings.
Step 2 Set Connection Type to PPTP/PPTP Russia.
Step 3 Enter the PPTP Server Address, User Name, and Password provided by your ISP. If the IP
Address and related parameters are also provided, enter them in the corresponding input
box as well.
Step 4 Click Save at the bottom of the page to apply your settings.
----End
Wait a moment. When the Status shows networked, the router is connected to the internet
successfully.
If the router fails to connect to the internet, try to modify WAN parameters in Internet Settings >
WAN Parameters.
34
Version 1.0
L2TP/L2TP Russia
Step 1 Navigate to Internet Settings > Internet Settings.
Step 2 Set Connection Type to L2TP/L2TP Russia.
Step 3 Enter the L2TP Server Address, User Name, and Password provided by your ISP. If the IP
Address and related parameters are also provided, enter them in the corresponding input
box as well.
Step 4 Click Save at the bottom of the page to apply your settings.
---End
Wait a moment. When the Status shows networked, the router is connected to the internet
successfully.
If the router fails to connect to the internet, try to modify WAN parameters in Internet Settings >
WAN Parameters.
35
Version 1.0
The duplex mode of the port is determined through auto negotiation between the
router and its peer device.
You are recommended to keep the default settings since auto negotiation is the default
Auto Negotiation
option for most of Ethernet network devices.
If the router uses auto negotiation, while its peer uses non-auto negotiation, the
negotiated duplex mode is half duplex.
36
Version 1.0
The interface can receive and send packets simultaneously, leading to low latency and
high efficiency. 10/100/1000 Mbps indicates the maximum link speed that both ends
can negotiate.
10/100/1000 Mbps
Full Duplex
You are recommended to use the same speed link and duplex modes for both ends.
Otherwise, network connection issues may occur.
The interface can either receive or send packets at a time. 10/100 Mbps indicates the
maximum link speed that both ends can negotiate.
10/100 Mbps Half
Duplex
You are recommended to use the same speed link and duplex modes for both ends.
Otherwise, network connection issues may occur.
4.2.2 MTU
MTU is abbreviated for Maximum Transmission Unit. It specifies the maximum size of a packet that
can be transmitted by a network device. Either larger or smaller MTU value affects the network
performance.
Do not modify the default settings unless the following situations happen:
− Some websites are inaccessible, or secure websites cannot be displayed properly, such as online
banking websites, or PayPal.
− Email service suspends, or servers, such as FTP/POP servers, are inaccessible.
In such situations, try to reduce the MTU value from the maximum of 1500 to a smaller value
(Recommended range: 1400 – 1500) until the problem is solved.
37
Version 1.0
1500 It is the most common value for non-PPPoE connections and non-VPN connections.
It is the maximum value for the ping function. (If a greater value is used, packets are
1480
split.)
1450 It is used for DHCP, which assigns dynamic IP addresses to connected devices.
38
Version 1.0
----End
Option B: Manual MAC
Step 1 Record the correct MAC address.
Step 2 Log in to the web UI of the router and navigate to Internet Settings > WAN Parameters.
Step 3 Set MAC Address to Manual, then enter the correct MAC address (“the MAC address of
the computer which directly connects to the Ethernet jack and has internet connectivity”
or “the MAC address of the WAN port of the router on which you set up the internet
connection”).
Step 4 Click Save at the bottom of the page to apply your settings.
----End
If you want to restore the MAC address of the WAN port to the default MAC address, set MAC Address
to Default MAC, and click Save.
39
Version 1.0
In case of IP address conflict, for example, “The router’s WAN IP address and LAN IP address are in the
same network segment.”, the IP network segment of LAN ports will automatically be incremented by 1
and changed to 192.168.1.1.
Generally, you do not need to modify the LAN IP address of the router. When other management
devices in the LAN network need to be set to 192.168.0.X, you can modify this router’s LAN IP
address to a network segment different from 192.168.0.X.
After the LAN IP address is changed successfully, you will be redirected to the login page.
If the network segment of the new LAN IP address is different from the original one, the router
modifies the network segment of the DHCP server automatically.
40
Version 1.0
With this function enabled, IP address-based functions, such as port forwarding and IP address filter
may be affected.
Parameter description
Parameter Description
Start IP
Specifies the range of IP addresses that the DHCP server can assign. The start IP
address is 192.168.0.30 and the end IP address is 192.168.0.200 by default.
End IP
41
Version 1.0
Parameter Description
Specifies the validity period of the IP address assigned by the DHCP server to LAN
devices. By default, the time is 30 minutes.
When the IP address expires:
⚫ If the device is still connected to the network, the device will automatically renew
Lease Time and continue to occupy the IP address.
⚫ If the device is not connected to the network, the router will release the IP
address. If other devices later request IP address information, the router can
assign this IP address to other devices.
You are recommended to keep the default settings unless in special circumstances.
Specifies the primary DNS server IP address assigned by the DHCP server to LAN
devices. By default, the primary DNS server address is the LAN IP address of the
device.
Primary DNS
If you enabled the DHCP server, to ensure LAN devices can access the internet
properly, make sure that the primary DNS you set is the correct DNS server address
or DNS proxy IP address.
Specifies the secondary DNS server IP address assigned by the DHCP server to LAN
Secondary DNS devices. If this parameter is left blank, the DHCP server does not assign the
secondary DNS server IP address.
42
Version 1.0
5 Wireless
5.1 Wireless settings
Click Wireless > Wireless Settings to enter the page.
Here, you are allowed to set up WiFi network-related parameters, such as view and edit wireless
network names (SSID), WiFi passwords, configure 2.4 GHz and 5 GHz WiFi networks separately, hide
your WiFi network so that nearby wireless clients cannot detect it, and specify how many wireless
clients can connect to a wireless network.
43
Version 1.0
Parameter description
Parameter Description
Enable WiFi Network Enable or disable the wireless network of the router.
After this function is enabled, the 2.4 GHz guest network and the 5 GHz guest
network share the same WiFi network name and password. A wireless client will be
Unify 2.4&5 GHz SSID
automatically connected to the WiFi network with the best network quality when
connecting to the guest network.
SSID Specifies the wireless network name of the corresponding WiFi network.
Specifies the password used for wireless internet connection. You are recommended
WiFi Password
to use the combination of digits, letters and special characters for higher security.
With this function enabled, nearby wireless clients cannot detect the SSID, and you
need to manually enter the SSID on the wireless client to access the wireless
network.
Hide SSID
The function appears when you enable Unify 2.4&5 GHz SSID.
With this function enabled, nearby wireless clients cannot detect the 2.4 GHz SSID,
and you need to manually enter the SSID on the wireless client to access the wireless
network.
Hide 2.4 GHz SSID
The function appears when you disable Unify 2.4&5 GHz SSID.
44
Version 1.0
Parameter Description
With this function enabled, nearby wireless clients cannot detect the 5 GHz SSID,
and you need to manually enter the SSID on the wireless client to access the wireless
network.
Hide 5 GHz SSID
The function appears when you disable Unify 2.4&5 GHz SSID.
Maximum number of wireless clients that can be connected to the wireless network
with the SSID at the same time.
Max. Clients After the value is reached, this wireless network denies new connection requests.
Clients connected to all the enabled wireless networks (including guest networks) of
the router cannot exceed 128 on 2.4 GHz and 5 GHz bands respectively. If you
enable multiple SSIDs, plan your maximum number of clients to each SSID first.
45
Version 1.0
46
Version 1.0
Parameter description
Parameter Description
SSID Specifies the wireless network name of the corresponding WiFi network.
With this function enabled, clients connected to different wireless networks of this
Isolate this network device cannot communicate with each other, leading to higher wireless network
security. By default, this function is disabled.
No access to LAN With this function enabled, clients connected to this wireless network cannot access
the web UI and private network (LAN) of this router, protecting your LAN network
security. By default, this function is disabled.
47
Version 1.0
Parameter description
Parameter Description
Lists all the main wireless networks that the router supports.
MAC Address
SSID
Filter
If you unify the SSIDs for 2.4 GHz and 5 GHz bands, the corresponding
wireless network only displays one SSID here.
48
Version 1.0
Parameter Description
Specifies the three kinds of rules you can perform on the corresponding
wireless network.
- Disable: This function is disabled, and all wireless clients can connect to
MAC Address this wireless network.
Filter - Only Allow: Only wireless clients with the specified MAC address can
connect to this wireless network.
- Only Forbid: Only wireless clients with the specified MAC address cannot
connect to this wireless network.
MAC Address Specifies the MAC address of the client to which the rule applies.
(Optional) Specifies the brief description you set for the corresponding MAC
Remark
address.
MAC Filters
List
Effective Specifies the wireless network(s) to which the wireless client with this MAC
Network address applies.
Step 2 Configure the MAC address filter mode for each SSID by selecting from the MAC Address
Filter drop-down list menu.
49
Version 1.0
2. Enter the MAC Address of a client to which a rule applies to, then enter the Remark of the
client, and select the wireless network from the drop-down list menu of the Effective
Network.
3. Click Save. The rule appears on the MAC Filter List.
----End
50
Version 1.0
Solution
The MAC filters function can meet this requirement. Assume that the physical address of the
computer of the procurement manager is CC:3A:61:71:1B:6E.
Configuration procedure
Step 1 Enable the MAC filters function.
1. Navigate to Wireless > MAC Filters.
2. Toggle on MAC Filters.
3. Click Save.
51
Version 1.0
----End
Added successfully. See the following figure.
52
Version 1.0
Verification
Only the before-mentioned wireless client can connect to the WiFi network Procurement while
other clients are blocked.
53
Version 1.0
54
Version 1.0
Parameter description
Parameter Description
2.4 GHz WiFi Network Enable or disable the 2.4 GHz wireless network of the router.
5 GHz WiFi Network Enable or disable the 5 GHz wireless network of the router.
Specifies the country/region that you set for the router in order to conform to the
Country/Region
regulations of different countries or regions concerning channels.
Specifies the wireless network mode (also called 802.11 mode, radio mode, or
wireless mode) of the router. A proper network mode enables the clients to get the
maximum transfer rate and compatibility.
Available options for 2.4 GHz band: 11b, 11g, 11b/g, 11b/g/n and 11b/g/n/ax
Network Mode (default).
Available options for 5 GHz band: 11a, 11ac, 11a/n mixed, 11a/n/ac, 11a/n/ac/ax
(default).
You are recommended to keep the default settings.
Specifies the channel in which the wireless data is transmitted and received. The
available channels are determined by the current country/region and wireless band.
Auto: The router automatically detects the occupation rate of channels and selects
the appropriate working channel accordingly.
Channel
If connection drop, freeze or slow internet occurs frequently when you are using the
WiFi network, you can try changing the working channel. You can check the channels
with low occupation rate and little interference using software tools (such as WiFi
analyzer).
Specifies the bandwidth of the working channel. A high channel bandwidth means a
higher transmission rate, but the penetration capability is reduced and the
transmission distance is shortened.
⚫ 20MHz: The router uses the 20MHz channel bandwidth.
⚫ 40MHz: The router uses the 40MHz channel bandwidth.
Channel Bandwidth ⚫ 20MHz/40MHz: This channel bandwidth is available only for the 2.4 GHz. The
router automatically adjusts the channel bandwidth to 20MHz or 40MHz based on
the surrounding environment.
⚫ 80MHz: This channel bandwidth is available only for the 5 GHz. The router uses the
80MHz channel bandwidth.
⚫ 160MHz: This channel bandwidth is available only for the 5 GHz. The router uses
the 160MHz channel bandwidth.
Specifies the minimum wireless client signal strength acceptable to the router. A
mobile client with signal strength lower than this threshold cannot connect to the
RSSI Threshold
router. You can set this parameter to ensure that mobile clients connect to router
with strong signal strength.
55
Version 1.0
Parameter Description
Specifies the deployment mode of the router. This parameter is valid only for 2.4
GHz networks. Set this parameter based on the application scenario. The options
include:
Deployment Mode ⚫ Coverage-oriented: Applies to scenarios with large area, multiple walls,
decentralized users and less than 10 SSIDs in the ambient environment.
⚫ Capacity-oriented: Applies to scenarios with intensive users, open and large areas,
and more than 25 SSIDs in ambient environment.
Specifies that a wireless client uses the 5 GHz SSID first to connect to the device if
Prioritize 5 GHz the wireless client supports both 5 GHz and 2.4 GHz networks and the networks use
the same SSID and password.
When Prioritize 5 GHz is enabled, if the client signal strength received by the router
in 5 GHz is larger than the threshold value, the router allows the client to connect to
Prioritize 5 GHz the 5 GHz for priority; if it is smaller than the value, the router only allows the client
Threshold to connect to the 2.4 GHz.
The default value is -80 dBm. You are recommended to keep the default settings.
Specifies whether to enable the Automatic Power Save Delivery (APSD) mode.
APSD APSD is a WMM power saving protocol created by Wi-Fi Alliance. Enabling APSD
helps reduce power consumption. By default, this mode is disabled.
Specifies the maximum period before a WiFi client is disconnected from the router if
Client Timeout Interval the client exchanges no data with the router. When data is exchanged within the
period, countdown stops.
Mandatory Rate By adjusting the mandatory rate and optional rate, you can limit access from
low-speed clients, thus improving the internet experience of other clients.
⚫ Mandatory Rate: It is a group of mandatory rates of the router. Clients must
support these mandatory rates; otherwise, the clients will fail to access the WiFi
Optional Rate network.
⚫ Optional Rate: It is a collection of other rates supported by the router except for
mandatory rates. These optional rates help clients realize connection with the
router at a higher rate.
56
Version 1.0
Parameter Description
After the function is enabled, the router can communicate with multiple terminals at
MU-MIMO
the same time, improving network experience.
After the function is enabled, multiple clients can reuse the channel resource,
OFDMA
improving the transmission rate and reducing network latency.
After the function is enabled, the router automatically optimizes the resource
allocation among devices, awakens devices by negotiation, reduces disordered
TWT
competition, increases the sleep time of devices and prolongs the battery life. For
some terminals with old drive, incompatibility may occur.
After the function is enabled, the router can process data packets with priority
WMM
information. It is recommended to enable this function.
57
Version 1.0
58
Version 1.0
Parameter description
Parameter Description
Enable Guest
Enable or disable the guest network.
Network
After this function is enabled, the 2.4 GHz guest network and the 5 GHz
Unify 2.4&5 GHz guest network share the same WiFi network name and password. A
SSID wireless client will be automatically connected to the WiFi network with
the best network quality when connecting to the guest network.
With this function enabled, clients connected to the guest network cannot
Isolate Client
communicate with each other, leading to higher wireless network security.
Guest
Network Specifies the wireless network name of the guest network.
SSID
To differentiate the main network and the guest network, you are
recommended to set the SSIDs differently.
Specifies the password used for wireless internet connection. You are
WiFi Password recommended to use the combination of digits, letters and special
characters for higher security.
Uplink
Bandwidth
Guest Specify the uplink and downlink rate limits on guest network.
Network Downlink
Bandwidth Bandwidth
Limit
Specifies the maximum number of wireless devices allowed to connect to
Client Limit
the guest network.
59
6 Address reservation
6.1 Address reservation
Click Address Reservation to enter the page.
Here, you can specify a pre-set IP address for the specified client and make the client obtain this IP
address all the time. In this way, such functions depending on IP address as filter management,
bandwidth control, and port forwarding will not be ineffective because of IP address change.
This function takes effect only when the DHCP server function of the router is enabled. The router
supports the following two address reservation methods:
− Quick Address Reservation: You can check the information of the clients obtaining IP
addresses from the DHCP server of the router, and reserve IP addresses for clients by
just clicking Reserve. In this way, the DHCP server will assign the fixed IP address for
the fixed client all the time.
− Manual Address Reservation: You can manually reserve address for client to let the
DHCP server assign fixed IP address for fixed client all the time.
60
Parameter description
Parameter Description
Reserve Used to bind the IP address and MAC address of the selected client.
Click Reserve to bind the IP address and MAC address together, so the
Reservation
client will obtain the reserved IP address all the time. If the reservation is
Status
successful, the reservation status will be displayed as Reserved.
Specifies the IP address reserved for the client with the target MAC
IP Address
address.
Export Configuration Click Export to back up the static IP reservation table to the local computer.
Select a file and click Import to import the backed up static IP reservation
Import Configuration
table to the router.
61
6.2 Configure address reservation
If you want to assign IP address for clients already connected to the network, it is recommended
that you configure in the Quick Address Reservation module. Otherwise, configure in the Manual
Address Reservation module.
----End
After the IP address is reserved successfully, you can check the added rule in the Address
Reservation > Manual Address Reservation module. The rule will take effect the next time when
the client requests for an IP address.
62
Reserve IP addresses for multiple clients
Step 1 Navigate to Address Reservation > Quick Address Reservation.
Step 2 Select the multiple clients you want to reserve static IP addresses, and click the upper
Reserve.
----End
After the IP addresses are reserved successfully, you can check the added rules in the Address
Reservation > Manual Address Reservation module. The rules will take effect the next time when
the client requests for an IP address.
63
6.2.2 Manual address reservation
Step 1 Navigate to Address Reservation > Manual Address Reservation.
Step 2 Click +Add.
Step 3 Enter the IP Address, MAC Address and Remark (Optional), and click Save.
----End
After the IP address is reserved successfully, you can check the added rule in the Address
Reservation > Manual Address Reservation module. The rule will take effect the next time when
the client requests for an IP address.
64
7 Bandwidth control
7.1 Overview
Click Bandwidth Control to enter the page.
Here, the network administrator can control the rate of users, so the limited bandwidth can be
properly distributed.
Parameter description
Parameter Description
Control Mode The system, based on the WAN upload/download rate set on the
Auto
Bandwidth Control page, evenly distributes bandwidth to LAN users.
The network administrator, based on the actual conditions, sets rate limit
rules for different groups.
Limit By Group The network administrator controls the dedicated or shared
upload/download rate for users in the specified IP group in the specified
time group, and also, sets the concurrent sessions for each client.
65
7.2 Manual
Assume that you want to separately set the maximum upload/download rates for connected clients.
Configuration procedure
Step 1 Click Bandwidth Control.
Step 2 Set Control Mode to Manual.
Step 3 Select Online Devices or Offline Devices as required.
Step 4 Set Upload/Download Limit for the devices, and click Save.
----End
Parameter description
Parameter Description
Total Download Specifies the total download traffic utilized by each client.
Upload Limit
Specifies the maximum upload/download rate you set for each client.
Download Limit
66
Assume that you want to set the maximum upload/download rates for all the online or offline
clients in the LAN.
Configuration procedure
Step 1 Click Bandwidth Control.
Step 2 Set Control Mode to Manual.
Step 3 Select Online Devices or Offline Devices as required. Here takes Online Devices as an
example.
Step 4 Click Limit All.
Step 5 Set the maximum Upload Rate and Download rate for all the online and offline clients in
the LAN, and click Save.
----End
67
7.3 Auto
This mode distributes bandwidth evenly to the online clients connected to the router.
Configuration procedure
Step 1 Click Bandwidth Control.
Step 2 Set the Upload Rate and Download Rate of the target WAN port based on the bandwidth
provided by your ISP.
Step 3 Set Control Mode to Auto.
Step 4 Click Save at the bottom of the page.
----End
68
7.4 Limit by group
Through the limit by group function, you can set a dedicated or shared upload/download rate for
clients in an IP group to use in a period of time.
To control the bandwidth based on groups, you need to configure the IP group and time group first by
navigating to Filter Management > IP Group/Time Group.
----End
69
You can check the added rule on the page.
Parameter description
Parameter Description
Specifies the IP group to be used, which is used to designate the clients with these IP
IP Group addresses. IP group should be configured in advance on the Filter Management > IP
Group/Time Group page.
Specifies the time group to be used, which is used to designate the validity period of the
Time Group rule. Time group should be configured in advance on the Filter Management > IP
Group/Time Group page.
Specifies the maximum number of connections each client within the specified IP address
Concurrent
range can use. Unless you have any special requirements, it is recommended to set the
Sessions
parameter to 600.
Upload Rate
Specifies the maximum upload/download rate you set.
Download Rate
Status Specifies the status of the rule. You can enable or disable the rule as required.
70
7.5 Example of configuring limit by group rules
Networking requirement
An enterprise uses the wireless router to set up a network. The enterprise has the following
requirements:
During business hours (08:00 to 18:00 every workday), procurement personnel’s computers with IP
addresses ranging from 192.168.0.2 to 192.168.0.250 can use a fixed upload and download
bandwidth of 1 Mbps. For other clients in the LAN, no bandwidth control rules are added.
Upload Download
Group name IP range Effective time
bandwidth bandwidth
Solution
You can use the Limit By Group bandwidth control function of the router to meet this requirement.
Assume that the concurrent sessions of each client is 600.
Configuration procedure
Step Task Description
Set the time group on the Filter Management > IP Group/Time Group
1 Set a time group
page.
Set the IP address group on the Filter Management > IP Group/Time
2 Set an IP group
Group page.
Set a bandwidth control
3 Set a limit by group rule on the Bandwidth Control page.
rule
71
Step 2 Set an IP group.
1. Navigate to Filter Management > IP Group/Time Group.
2. Set the IP group shown in the following figure.
3. Click +Add.
72
4. Configure parameters in the Add window, and click Save.
(1) Select Procurement for IP Group.
(2) Select BusinessHour for Time Group.
(3) Set Concurrent Sessions of each client to 600 in this example.
(4) Set Control Mode to Dedicated.
(5) Set the maximum upload/download rate of clients to both 128 KB/s in this example.
----End
Verification
During business hours from 08:00 to 18:00 on weekdays, each computer with an IP address ranging
from 192.168.0.2 to 192.168.0.250 is allocated 1 Mbps (128 KB/s) upload and download bandwidth.
73
8 Authentication
8.1 Captive portal
8.1.1 Overview
By default, after the router is connected to the internet, the LAN users will have internet availability.
After the Captive Portal function is enabled, users connected to the authentication network need to
pass the authentication before gaining internet access.
Click Authentication > Captive Portal to enter the page.
Here, you can configure the authentication page and authentication policy.
74
Parameter description
Parameter Description
Captive Portal Enable or disable the captive portal function of the router.
Wired Network: Specifies that the authentication rule will be applied to the devices
connected to the router through the selected ports.
WiFi Network: Specifies that the authentication rule will be applied to the wireless
Apply to devices connected to the router through the selected WiFi networks.
If the user does not select a kind of network, the captive portal authentication is
effective to all networks in the list.
Specifies the logo image of the web authentication page. Click Change to change the
Logo
logo picture, and click Delete to delete the uploaded picture.
Specifies the title information of the web authentication page. It is Welcome to Tenda
Title
by default.
Specifies the background image of the web authentication page. Click Change to
Background Image
change the picture, and click Delete to delete the uploaded picture.
Specifies the website that the client automatically redirects to after passing
authentication:
⚫ Previous Page: When the captive portal is passed, the page would redirect to the
Redirect To previous page the user visited. For example, if a user is visiting Google search page
before authentication, the user will stay on Google search page after passing the
authentication.
⚫ Specified Page: Specifies the website redirected to after passing the captive portal.
75
SMS provider settings
SMS provider is the provider who issues authorization verification code to designated mobile phone
number. At present, supported SMS providers include Jixintong and NEXMO, and you can also
choose Custom HTTP Interconnection to use other SMS providers.
You need to purchase an SMS package in the corresponding SMS provider first, and then configure the
applied interconnection information to this router.
Parameter description
Parameter Description
Content
76
Parameter Description
Content
Content
Enter the SMS error code of SMS service provider. After the SMS
platform fails to send an SMS message, it will send the message to
this router. Users can consult the corresponding SMS service provider
SMS Error Code based on relevant information.
For the specific content of the SMS error code, consult the
corresponding SMS service provider.
After the SMS Provider Settings, you can conduct the Validity Test to check whether the settings
you made are correct. The steps are as follows:
Step 1 Click Validity Test.
77
Step 2 Enter the Phone Number and the short message Content sent by the SMS platform, and
click Save.
----End
Wait a moment. If the interconnection is successful, the phone number will receive an SMS
message containing a verification code.
Parameter description
Parameter Description
Email Password Specifies the password or authorization code of the email account.
78
Parameter Description
Specifies the SMTP server address. It could be an IP address or domain name address.
SMTP Server
The SMTP (Simple Mail Transfer Protocol) server is a mail delivery server. The address
and port of the SMTP server of each mail service provider are different. Please check on
your own.
Specifies the email account, which is used to test whether the email server settings are
Account for Test
valid.
3. Configure the following parameters related to the SMS provider, and click Save.
(1) Select the SMS provider from which you have purchased an SMS package, such as
Jixintong.
(2) Enter the User name and Password from your SMS provider, such as Tom123 and
Tommy456.
79
(3) Customize the SMS Content sent to the user by the SMS platform for verification.
80
6. Configure the authentication page settings.
(1) Click Change and upload the company logo image.
(2) Set the title of the captive portal page, such as Welcome to XX.
(3) Click Change and upload the background image of the captive portal page, such as the
enterprise promotion photo.
(4) Set the disclaimer information of the enterprise, such as Copyright © 2022 XX. All
rights reserved.
(5) Select the Previous Page or enter a Specified Page as the page to which the users are
redirected after passing the authentication.
----End
81
8.1.3 Configure local user authentication
Step 1 Navigate to Authentication > Captive Portal.
Step 2 Enable Captive Portal.
Step 3 Configure the following parameters, then click Save at the bottom of the page.
1. Set Authentication Type to Local User Authentication.
2. Set the Valid Duration, such as 8 hrs.
3. Click Choose, choose the network(s) to be applied, and click Save.
82
(4) Set the disclaimer information of the enterprise, such as Copyright © 2022 XX. All
rights reserved.
(5) Select the Previous Page or enter a Specified Page as the page to which the users are
redirected after passing the authentication.
Step 4 Set the User Name and Password by referring to Add user accounts for local user
authentication.
----End
83
8.1.4 Configure email authentication
Step 1 Navigate to Authentication > Captive Portal.
Step 2 Enable Captive Portal.
Step 3 Configure the following parameters, then click Save at the bottom of the page.
1. Set Authentication Type to Email Authentication.
2. Set the Valid Duration, such as 8 hrs.
3. Set the People Shared with (the number of users allowed to connect to the internet using
the email at the same time), such as 3.
4. Click Choose, choose the network(s) to be applied, and click Save.
84
(4) Enter the SMTP Server Port. It is recommended to keep the default settings.
(5) Enter the Account for Test (a valid email address) to check whether the email server
is effective.
----End
85
8.1.5 Configure one-key authentication
Step 1 Navigate to Authentication > Captive Portal.
Step 2 Enable Captive Portal.
Step 3 Configure the following parameters, then click Save at the bottom of the page.
1. Set Authentication Type to One-key Authentication.
2. Set the Valid Duration, such as 8 hrs.
3. Click Choose, choose the network(s) to be applied, and click Save.
86
(4) Set the disclaimer information of the enterprise, such as Copyright © 2022 XX. All
rights reserved.
(5) Select the Previous Page or enter a Specified Page as the page to which the users are
redirected after passing the authentication.
----End
87
8.2 User management
8.2.1 Overview
Click Authentication > User Management to enter the page.
Here, you can configure the user name and password for account authentication, export or import
authentication account information, and add authentication-free hosts.
Parameter description
Parameter Description
88
Specifies the operations you can perform on the rule.
User Name Specifies the user name and password of the authentication account.
After the account authentication function is enabled, users need to use this
Password user name and password for authentication on the browser page before
gaining internet access.
Client Status Specifies the status of the account (being used or not).
Valid Specifies the valid duration of the account. After the duration expires, users
Duration cannot use this account for internet access authentication.
Account
Management Status Specifies the status of the rule. You can enable it or disable it as needed.
89
Step 3 Configure the following parameters, and click Save.
----End
Parameter description
Parameter Description
People Shared with Specifies the number of users allowed to access the internet using the same account.
Specifies the maximum number of connections that can be set up on each computer
Concurrent Sessions
covered by the corresponding rule.
Upload Rate
Specifies the maximum upload/download rate of this account.
Download Rate
90
8.3 Examples of configuring authentication
8.3.1 Example of configuring SMS authentication
Networking requirement
An enterprise wants to establish a network and regulate the use of the network with the router.
Requirements:
− SMS authentication is required for employees who want to access the internet through
the LAN port of the router or the wireless network Tenda_10DCD2.
− Employees are directed to www.tendacn.com after being authenticated.
− The network administrator is free from authentication when accessing the internet.
Solution
The requirements can be achieved through the WiFi via SMS function of the router.
Assume that:
− The MAC address of the network administrator’s computer is 44:37:E6:12:34:56.
− The user name applied by the enterprise in Jixintong is Tom123.
− The password of the account applied by the enterprise in Jixintong is Tommy456.
Configuration procedure
Step 1 Configure the SMS authentication settings.
1. Navigate to Authentication > Captive Portal.
2. Enable Captive Portal.
3. Configure the following parameters, and click Save at the bottom of the page.
(1) Set Authentication Type to WiFi via SMS.
(2) Click SMS Provider Settings, then the configuration window appears.
91
(3) Configure the following parameters related to the SMS provider, and click Save.
- Select the SMS provider from which you have purchased an SMS package, such as
Jixintong.
- Enter the User name and Password from your SMS provider, which are Tom123
and Tommy456 in this example.
- Customize the SMS Content sent to the user by the SMS platform for verification.
92
(6) Configure the authentication page settings.
- Click Change and upload the company logo image.
- Set the Title of the captive portal page, such as Welcome to XX.
- Click Change and upload the background image of the captive portal page, such as
the enterprise promotion photo.
- Set the disclaimer information of the enterprise, such as Copyright © 2022 XX. All
rights reserved.
- Enter the Specified Page, which is www.tendacn.com in this example.
93
The overall configuration of SMS authentication is shown as below.
94
Step 2 Add an authentication-free host.
1. Navigate to Authentication > User Management.
2. Click +Add in the Authentication-free Host module.
----End
95
Added successfully. See the following figure.
Verification
The network administrator can access the internet without authentication. Other employees have
to perform SMS authentication as follows:
Step 1 Start a web browser and visit any website. The authentication page appears.
Step 2 Enter a valid phone number and tap Obtain.
Step 3 Enter the Verification Code in the SMS received.
Step 4 Tap Connect.
96
8.3.2 Example of configuring local user authentication
Networking requirement
An enterprise wants to establish a network and regulate the use of the network with the router.
Requirements:
− Local user authentication with user name and password is required for employees who
want to access the internet through the LAN port of the router or the wireless network
Tenda_10DCD2.
− No upload or download rate limit is specified for employees.
− Employees are directed to www.tendacn.com after being authenticated.
− The network administrator is free from authentication when accessing the internet.
Solution
The requirements can be achieved through the local user authentication function of the router.
Assume that the MAC address of the network administrator’s computer is 44:37:E6:12:34:56.
Configuration procedure
Step 1 Configure the local user authentication settings.
1. Navigate to Authentication > Captive Portal.
2. Enable Captive Portal.
3. Configure the following parameters, then click Save at the bottom of the page.
(1) Set Authentication Type to Local User Authentication.
(2) Set the Valid Duration, such as 8 hrs.
(3) Click Choose, choose the network(s) to be applied, and click Save.
97
(4) Configure the authentication page settings.
- Click Change and upload the company logo image.
- Set the Title of the captive portal page, such as Welcome to XX.
- Click Change and upload the background image of the captive portal page, such as
the enterprise promotion photo.
- Set the disclaimer information of the enterprise, such as Copyright © 2022 XX. All
rights reserved.
- Enter the Specified Page, which is www.tendacn.com in this example.
98
The overall configuration of local user authentication is shown as below.
99
Step 2 Add local user authentication account(s).
1. Navigate to Authentication > User Management > Account Management.
2. Click +Add.
100
2. Click +Add in the Authentication-free Host module.
----End
101
Added successfully. See the following figure.
Verification
The network administrator can access the internet without authentication. Other employees have
to perform local user authentication as follows:
Step 1 Start a web browser and visit any website. The authentication page appears.
Step 2 Enter the correct User Name and Password.
Step 3 Tap Connect.
102
8.3.3 Example of configuring email authentication
Networking requirement
An enterprise wants to establish a network and regulate the use of the network with the router.
Requirements:
− Email authentication is required for employees who want to access the internet
through the LAN port of the router or the wireless network Tenda_10DCD2.
− No upload or download rate limit is specified for employees.
− Employees are directed to www.tendacn.com after being authenticated.
− The network administrator is free from authentication when accessing the internet.
Solution
The requirements can be achieved through the email authentication function of the router.
Assume the MAC address of the network administrator’s computer is 44:37:E6:12:34:56, and the
parameters of the email server are as follows:
− Email Address: Tom@gmail.com
− Email Password: Tom159357
− SMTP Server: smtp.gmail.com (SSL enabled)
− SMTP Server Port: 465
− Account for Test: lisi@gmail.com
Configuration procedure
Step 1 Configure the local user authentication settings.
1. Navigate to Authentication > Captive Portal.
2. Enable Captive Portal.
3. Configure the following parameters.
(1) Set Authentication Type to Email Authentication.
(2) Set the Valid Duration, such as 8 hrs.
(3) Set the People Shared with (the number of users allowed to connect to the internet
using the email at the same time), which is 10 in this example.
(4) Click Choose, choose the network(s) to be applied, and click Save.
103
4. Configure the email server settings.
(1) Set Email Address to Tom@gmail.com.
(2) Set Email Password to Tom159357.
(3) Set SMTP Server to smtp.gmail.com.
(4) Tick SSL.
(5) Set SMTP Server Port to 465.
(6) Enter another email address in Account for Test, which is lisi@gmail.com in this
example.
104
6. Click Save at the bottom of the page.
7. Click Test in the Email Server Settings module, you can check whether the configuration of
email server is correct.
105
Step 2 Add an authentication-free host.
1. Navigate to Authentication > User Management.
2. Click +Add in the Authentication-free Host module.
----End
106
Added successfully. See the following figure.
Verification
The network administrator can access the internet without authentication. Other employees have
to perform email authentication as follows:
Step 1 Start a web browser and visit any website. The authentication page appears.
Step 2 Enter a valid email address and tap Obtain.
Step 3 Enter the Verification Code in the email received.
Step 4 Tap Connect.
107
9 AP mangement
9.1 Basic settings
9.1.1 Overview
Click AP Management > Basic Settings to enter the page.
Here, you can enable or disable the AP management function of the router. After it is enabled, you
can centrally set up WiFi network-related configurations of APs in your local area network, such as
viewing and editing wireless network names (SSID), WiFi passwords, configuring 2.4 GHz and 5 GHz
WiFi networks, hiding your WiFi network so that nearby wireless clients cannot detect it, and
specifying how many wireless clients can connect to a wireless network at most.
The wireless configuration you configured here will be automatically delivered to the Tenda APs
within the LAN of the router.
108
Parameter description
Parameter Description
Select a band used by the wireless policy which will be delivered to APs.
⚫ 2.4G: The wireless policy will be applied to the 2.4 GHz wireless networks of APs.
⚫ 5G: The wireless policy will be applied to the 5 GHz wireless networks of APs.
⚫ 2.4G&5G: The wireless policy will be applied to both 2.4 GHz and 5 GHz wireless
Frequency networks of APs.
If a single band, such as 2.4G (or 5G), is selected in policies 1 to 4, the wireless
networks at the other band will be disabled after the policy is delivered to APs.
109
Parameter Description
For more settings, click the icon and navigate to the configuration page:
⚫ Isolate Client: With this function enabled, clients connected to the wireless
network cannot communicate with each other, improving the security of the
wireless network.
More
⚫ Hide SSID: With this function enabled, nearby wireless clients cannot detect the
SSID, and you need to manually enter the SSID on the wireless client to access the
wireless network.
⚫ Max. Users: Maximum number of wireless clients that can be connected to the
wireless network with the SSID. After the value is reached, this wireless network
denies new connection requests. By default, it is set to 48.
When wireless policies are distributed to APs that do not support part of the functions, these
unsupported policies will still be received but will not take effect.
For example, when policies concerning 5G network are distributed to APs that do not support 5G,
these policies will be received but will not take effect in these APs.
----End
Wait a moment. The wireless configurations of APs in the LAN will be same as the wireless policies.
110
9.2 AP settings
9.2.1 Overview
Click AP Management > AP Settings to enter the page.
Here, you can manage Tenda APs connected to your router, such as upgrading/resetting/rebooting
APs in batches, deleting offline APs in batches, modifying APs’ configuration individually and
viewing/exporting APs’ configuration.
Parameter description
Parameter Description
Specifies the band used by the wireless policy which will be delivered to APs.
⚫ 2.4G: The wireless policy will be applied to the 2.4 GHz wireless networks of APs.
⚫ 5G: The wireless policy will be applied to the 5 GHz wireless networks of APs.
⚫ 2.4G&5G: The wireless policy will be applied to both 2.4 GHz and 5 GHz wireless
Frequency networks of APs.
If a single band, such as 2.4G (or 5G), is selected in policies 1 to 4, the wireless
networks at the other band will be disabled after the policy is delivered to APs.
111
Parameter Description
Specify the online devices connected to the AP and the maximum devices allowed to
Online/Limit connect to the AP.
112
9.2.2 Upgrade the APs
To avoid data loss and device damage, Do NOT remove the power of APs and the router during the
upgrade.
Step 1 Visit www.tendacn.com to download the latest firmware of the AP to your local computer.
Step 2 Log in to the web UI of the router, and navigate to AP Management > AP Settings.
Step 3 Select the AP(s) you want to upgrade, click the Upgrade button, and follow the
instructions.
----End
113
9.2.3 Reset the APs
Step 1 Navigate to AP Management > AP Settings.
Step 2 Select the AP(s) you want to reset, click the Reset button, and follow the instructions.
----End
114
9.2.4 Reboot the APs
Step 1 Navigate to AP Management > AP Settings.
Step 2 Select the AP(s) you want to reboot, click the Reboot button, and follow the instructions.
----End
After rebooting successfully, the AP will automatically become online. The time from offline to
online lasts about 1 to 2 minutes. Please wait with patience. You can click Refresh to view the
status.
115
9.2.5 Delete the APs
Here, you can delete offline APs.
Step 1 Navigate to AP Management > AP Settings.
Step 2 Select the offline AP(s) you want to delete, click the Delete button, and follow the
instructions.
----End
116
9.2.6 Refresh the page
Here, you can click the Refresh button to view the latest status of AP.
----End
117
9.2.8 More settings
Here, you can modify each AP’s configuration, such as the country/region, channel, transmit power,
and so on.
Step 1 Navigate to AP Management > AP Settings.
Step 2 Locate the AP as needed, and click .
Step 3 Modify the configuration of the AP, and click Save at the bottom of the page.
----End
118
9.3 Advanced settings
Click AP Management > Advanced Settings to enter the page.
Here, you can set up the advanced settings for the APs in the LAN.
Parameter Description
Country or region where this device is located. You can select the country or region
Country/Region to ensure that this device complies with the local regulations.
Specifies the wireless network mode (also called 802.11 mode, radio mode, or
wireless mode) of the AP. A proper network mode enables the clients to get the
maximum transfer rate and compatibility.
Network Mode Available options for 2.4 GHz band: 11b, 11g, 11b/g, 11b/g/n and 11b/g/n/ax
(default).
Available options for 5 GHz band: 11a, 11ac, 11a/n and 11a/n/ac/ax (default).
119
Parameter Description
Used to set the minimum received signal strength threshold of wireless clients
connected to the AP.
RSSI Threshold After this function is enabled, wireless clients whose received signal strength is
lower than this threshold cannot connect to the AP.
An appropriate threshold ensures the connection quality of clients.
If a wireless client does not exchange data with the AP in the specified period, the
Client Timeout Interval AP disconnects the client.
Specifies that a wireless client compliant with dual-band wireless firstly connects to
the 5 GHz band of the device if the corresponding wireless network uses the same
SSID and password for both 2.4 GHz and 5 GHz.
Prioritize 5 GHz This function takes effect when:
⚫ The encryption mode is set to WPA-PSK, WPA2-PSK, or WPA-PSK&WPA2-PSK.
⚫ The SSID does not contain Chinese characters.
Air interface scheduling allocates equal download data transmission time for each
Air Interface client. In this way, high-speed clients can transmit more data packets and the AP
Scheduling: has a higher throughput and client capacity.
After WMM is enabled, voice and video packets are transmitted with top priority.
WMM You are recommended to enable this function for better transmission of multimedia
packets.
Specifies whether to enable the Automatic Power Save Delivery (APSD) mode. APSD
APSD is a WMM power saving protocol created by Wi-Fi Alliance.
Enabling APSD helps reduce power consumption. By default, this mode is disabled.
Specifies the deployment mode of the router. This parameter is valid only for 2.4
GHz networks. Select a mode that conforms to your application scenario.
Available options:
⚫ Default: This option is a balance between Coverage-oriented and
Deployment Mode Capacity-oriented.
⚫ Coverage-oriented: This mode applies to scenarios that the network environment
is complex, users are scattered, and the interference is weak.
⚫ Capacity-oriented: This mode applies to scenarios that the area is open and
crowded with users and the interference is strong.
120
Global settings
Here, you can view and configure the Ethernet mode, LED indicator status and reboot schedule of
APs in a global way.
Parameter description
Parameter Description
Select the Ethernet mode for the ports of AP. Available options:
⚫ Standard (default): This mode features a high data rate but short transmission
distance.
Ethernet Mode ⚫ 10 Mbps Full Duplex: This mode features long transmission distance but low data
rate. If the distance between the Ethernet port of the AP and the peer device is
longer than 100 meters, this mode is recommended. In this case, ensure that the
peer device adopts auto negotiation mode.
Select the reboot schedule mode for the AP. Available options:
⚫ Disable (default).
Reboot Schedule
⚫ Reboot Schedule: The AP reboots at the specified date and time.
⚫ Reboot Interval: The AP reboots every interval.
121
10 USB sharing
10.1 Overview
The router provides a USB port for file sharing.
The router can automatically identify the USB storage device plugged into its USB port, and display
the information such as the disk usage of the USB device on the web UI. The router also supports
the management on file access permission, and LAN users can access files shared on the USB
storage device.
Parameter description
Parameter Description
sda1 Specifies the status and occupation percentage of the USB device.
122
Parameter Description
Specifies the access address LAN users use to access the USB disk device.
\\192.168.0.1: You can type this address into the Start > Run menu on your
Local Access computer to get local access.
192.168.0.1 is the default LAN IP address of the router. If the address is changed, you
need to type in the new address to get local access.
User Name
Specifies the user name/password of the read-write or the read-only user.
Password
123
10.3 Example of configuring USB sharing
10.3.1 Networking requirement
An enterprise uses the wireless router to build a network.
Requirement: A mobile storage device, connected to the USB port of the router, serves as the file
server. Employees can search and download files from the file server in local network or through
internet.
Assume that:
− Read-write user name/password are both xxadmin.
− Read-only user name/password are both xxguest.
WAN LAN
Internet
Router Switch
LAN Users
124
10.3.3 Configuration procedure
Step 1 Plug the mobile storage device into the router.
Step 2 Click USB Sharing.
Step 3 Set the read-write user name/password as xxadmin, and the read-only user
name/password as xxguest, and click Save.
----End
125
10.3.4 Verification
Take Windows 10 as an example: Enter \\192.168.0.1 in the search bar at the lower-left of your
computer screen. Then, the following page appears. Enter authorized user name and password, and
click OK.
126
11 Filter management
11.1 IP group/time group
11.1.1 Overview
Click Filter Management > IP Group/Time Group to enter the page.
When configuring functions which take effect depending on IP group or time group, such as MAC
address filter, IP address filter, port filter, URL filter, bandwidth limit by group and multi-WAN policy,
you need to first configure the target IP group and/or time group.
By default, a time group and an IP group have been added on the router, and the default time group
and IP group cannot be deleted or edited.
127
Parameter description
Parameter Description
Group Name Specifies the name of the time group. The name must be unique.
Time Specifies the start and end time of the time group. 00:00~00:00 indicates a whole
Time
Group day.
Settings
Specifies the operations you can perform on the rule.
IP Group Specifies the name of the IP group. The name must be unique.
128
11.1.2 Add a time group
Step 1 Navigate to Filter Management > IP Group/Time Group > Time Group Settings.
Step 2 Click +Add.
Step 3 Configure the following parameters in the Add window, and click Save.
----End
129
11.1.3 Add an IP group
Step 1 Navigate to Filter Management > IP Group/Time Group > IP Group Settings.
Step 2 Click +Add.
Step 3 Configure the following parameters in the Add window, and click Save.
----End
130
11.2 MAC address filter
11.2.1 Overview
Through MAC address filter, you can allow or block internet access through this router for specified
clients.
Click Filter Management > MAC Address Filter to enter the page.
By default, this function is disabled.
Parameter description
Parameter Description
MAC Address Filter Enable or disable the MAC address filter function.
MAC Address Specifies the MAC address of the client to which the rule applies.
The time group used to specify the time period during which the rule takes
effect.
Time Group
The time group rule should be configured in advance on the Filter
Management > IP Group/Time Group page.
131
Parameter Description
Specifies the status of the MAC address filter rule. You can enable or disable the
Status
rule as required.
Allow clients with disabled ⚫ If this option is selected, clients to which the disabled rules in the list apply and
status or clients not on the clients not in the list can both access the internet.
list to access the internet ⚫ If this option is not selected, clients to which the disabled rules in the list apply
through this device. and clients not in the list can neither access the internet.
Before configuring a MAC address filter rule, please configure the target time group first.
132
2. Configure the following parameters in the Add window, and click Save.
----End
Solution
The MAC address filter can meet this requirement.
Assume that the MAC address of the purchaser’s computer is CC:3A:61:71:1B:6E.
Configuration procedure
Set a time group Enable MAC address filter Add a MAC filter rule
133
Step 2 Enable MAC address filter.
1. Navigate to Filter Management > MAC Address Filter.
2. Enable MAC Address Filter, and click Save at the bottom of the page.
134
(4) (Optional) Enter a Remark for the rule, for example, Purchaser 1.
3. Deselect Allow clients with disabled status or clients not on the list to access the internet
through this device.
Verification
During 08:00 to 18:00 on weekdays, only the purchaser’s computer with MAC address
CC:3A:61:71:1B:6E can access the internet.
135
11.3 IP address filter
11.3.1 Overview
Through IP address filter, you can allow or block internet access through this router for specified
clients.
Click Filter Management > IP Address Filter to enter the page.
By default, this function is disabled.
Parameter description
Parameter Description
The IP group used to specify the client to which the rule applies.
IP Group The IP group rule should be configured in advance on the Filter Management > IP
Group/Time Group page.
The time group used to specify the time period during which the rule takes
effect.
Time Group
The time group rule should be configured in advance on the Filter
Management > IP Group/Time Group page.
136
Parameter Description
Specifies the status of the IP address filter rule. You can enable or disable the rule
Status
as required.
Allow clients with disabled ⚫ If this option is selected, clients to which the disabled rules in the list apply and
status or clients not on the clients not in the list can both access the internet.
list to access the internet ⚫ If this option is not selected, clients to which the disabled rules in the list apply
through this device. and clients not in the list can neither access the internet.
Before configuring an IP address filter rule, please configure the target IP group and time group first.
137
2. Configure the following parameters in the Add window, and click Save.
----End
Solution
The IP address filter can meet this requirement.
Assume that the IP addresses of the purchasers’ computers range from 192.168.0.2 to
192.168.0.10.
Configuration procedure
Set a time group Set an IP group Enable IP address filter Add an IP filter rule
138
Step 2 Set an IP group.
Navigate to Filter Management > IP Group/Time Group. Set an IP group shown in the
following figure.
139
2. Configure the following parameters, and click Save.
(1) Set Filter Mode to Allow access to the internet (whitelist).
(2) Select the target Time Group, which is BusinessHour in this example.
(3) Select the target IP Group, which is Purchasers in this example.
(4) (Optional) Enter a Remark for the rule, for example, Purchasers.
3. Deselect Allow clients with disabled status or clients not on the list to access the internet
through this device.
140
4. Click Save at the bottom of the page.
----End
Verification
During 08:00 to 18:00 on weekdays, only the purchasers’ computers with IP addresses ranging from
192.168.0.2 to 192.168.0.10 can access the internet.
141
11.4 Port filter
11.4.1 Overview
The protocols of various services available over the internet use dedicated port numbers. The
common service port numbers range from 0 to 1023 and are generally assigned to specific services.
The port filter prevents LAN users from accessing certain internet services by disabling the users to
access the port numbers of the services.
Click Filter Management > Port Filter to enter the page.
By default, this function is disabled.
Parameter description
Parameter Description
Specifies the IP group used to specify the client to which the rule applies.
IP Group The IP group rule should be configured in advance on the Filter Management > IP
Group/Time Group page.
Specifies the time group used to specify the time period during which the rule is
effective.
Time Group
The time group rule should be configured in advance on the Filter
Management > IP Group/Time Group page.
Ports Specifies the TCP or UDP port number used by the service to be blocked.
Specifies the protocol used by the service to be blocked. All indicates TCP and
Protocols
UDP.
142
Parameter Description
Specifies the status of the port filter rule. You can enable or disable the rule as
Status
required.
Before configuring a port filter rule, please configure the target IP group and time group first.
2. Configure the following parameters in the Add window, and click Save.
143
----End
Solution
The port filter can meet this requirement.
Assume that the IP addresses of the finance department staff range from 192.168.0.2 to
192.168.0.10.
Configuration procedure
Set a time group Set an IP group Enable port filter Add port filter rule
144
Step 2 Set an IP group.
Navigate to Filter Management > IP Group/Time Group. Set an IP group shown in the
following figure.
145
2. Configure the following parameters, and click Save.
(1) Select the target IP Group, which is Financier in this example.
(2) Select the target Time Group, which is BusinessHour in this example.
(3) Enter the port number used by the webpage browsing service, which is 80.
(4) Select the protocol used by the service. You are recommended to retain the default
option All.
----End
146
Added successfully. See the following figure.
Verification
During 08:00 to 18:00 on weekdays, in the LAN network, the computers with IP addresses ranging
from 192.168.0.2 to 192.168.0.100 cannot browse web pages.
147
11.5 URL filter
11.5.1 Overview
The URL filter prevents LAN users from accessing specified types of website and controls internet
accessibility of LAN users so that they will not spend time on websites irrelevant to their duties.
Before you add web filter rules, add web categories.
Click Filter Management > URL Filter to enter the page.
By default, this function is disabled.
Parameter description
Parameter Description
The IP group used to specify the client to which the rule applies.
IP Group The IP group rule should be configured in advance on the Filter Management > IP
Group/Time Group page.
148
Parameter Description
The time group used to specify the time period during which the rule takes
effect.
Time Group
The time group rule should be configured in advance on the Filter
Management > IP Group/Time Group page.
Specifies the status of the URL filter rule. You can enable or disable the rule as
Status
required.
URL Management
149
2. Click New.
3. Configure the following parameters in the Add window, and click Save.
----End
Before configuring a URL filter rule, please configure the target IP group and time group first.
150
Step 3 Configure the following parameters in the Add window, and click Save.
----End
151
11.5.4 Example of configuring a URL filter rule
Networking requirement
An enterprise uses the wireless router to build a network.
Requirement:
During business hours (08:00 to 18:00 on weekdays), designing department staff are disallowed to
access social media like Facebook and Tumblr.
Solution
The URL filter can meet this requirement.
Assume that the IP addresses of the designing department staff’s computers range from
192.168.0.2 to 192.168.0.10.
Configuration procedure
Set a time group Set an IP group Enable URL filter Add a URL group Add a URL filter rule
152
Step 2 Set an IP group.
Navigate to Filter Management > IP Group/Time Group. Set an IP group shown in the
following figure.
2. Click New.
153
3. Configure the following parameters in the Add window, and click Save.
(1) Enter the Group Name, which is SocialMedia in this example.
(2) Enter the keywords of the domain name of the website to be blocked, which are
facebook;tumblr in this example.
(3) Enter a Remark for the URL group, for example, SocialMedia.
154
----End
155
Added successfully. See the following figure.
Verification
During 08:00 to 18:00 on weekdays, clients with the IP addresses ranging from 192.168.0.2 to
192.168.0.10 cannot access Facebook and Tumblr.
156
11.6 Log audit
11.6.1 Log settings
Click Filter Management > Log Audit > Log Settings to enter the page.
Here, you can enable or disable the internet log audit function. When it is enabled, the router will
collect specified types of log records as required.
By default, this function is disabled.
Parameter description
Parameter Description
After it is enabled, the router records users’ MAC addresses, IP addresses and
URL Access Log
visited websites.
After it is enabled, the router records users’ MAC addresses, IP addresses, online
Online/Offline Time
time and offline time.
After it is enabled, the router records users’ MAC addresses, IP addresses and the
Stay Duration
duration from online to offline.
157
Parameter Description
After it is enabled, the router records users’ MAC addresses, IP addresses, mobile
SMS AUTH Phone
phone numbers for SMS authentication and the time for such authentication.
After it is enabled, the router records users’ MAC addresses, IP addresses and the
Authenticated Account
account information used for authentication.
After it is enabled, the router records users’ MAC addresses, IP addresses, the
AP Wireless Connection
names of connected mobile phones and APs.
After it is enabled, the router records users’ MAC addresses, IP addresses and
SSID Connection
connected Wi-Fi names.
158
11.6.2 Log storage
Click Filter Management > Log Audit > Log Storage to enter the page.
After Log audit is enabled, the log records can be saved to a local PC or a USB device.
By default, it is set to USB storage.
Parameter description
Parameter Description
USB Device Displays the available space of the USB storage device.
159
12 More settings
12.1 Static route
12.1.1 Overview
Routing is an operation to select the optimal route for delivering data from a source to a destination.
A static route is a special route configured manually, which is simple, efficient, and reliable. Proper
static routes help reduce route selection issues and prevent overload caused by route selection data
flows, accelerating packet forwarding.
To define a static route, specify the network segment and subnet mask used to identify a
destination network or host, the gateway IP address, and the router WAN port for forwarding
packets. After a static route is defined, all the packets indented for the destination of the static
route are directly forwarded through the WAN port of the router to the gateway IP address.
If only static routes are used in a large-scale complex network, destinations may be unreachable in case
of a network fault or topology change, which results in network interruption. If the problem occurs,
manually modify the static routes.
160
Parameter description
Parameter Description
Specifies the IP address of the target network. 0.0.0.0 destination network and 0.0.0.0
subnet mask indicate the default route.
Destination Network
If no accurate route is found in the route table, the router chooses the default route to
forward data packets.
Specifies the ingress port IP address of the next hop route after data packets egress
from the router.
Default Gateway
0.0.0.0 indicates that the destination network is directly connected to the interface of
the router.
Interface Specifies the interface from which packets egress. Select it as required.
If a static route conflicts with a user-defined multi-WAN policy, the static route prioritizes.
Click More > Static Routing to enter the page. Click +Add, and configure the following parameters in
the window, then click Save.
161
12.1.3 Example of configuring static route
Networking requirement
An enterprise uses the wireless router to build a network.
Requirements:
The internet and the intranet are deployed on different networks. The WAN1 port of the router
accesses the internet using a PPPoE connection and the WAN2 port of the router accesses the
intranet (enterprise LAN) using a dynamic IP address.
Users on the router’s LAN are allowed to access both the internet and intranet.
Solution
The static routing function can meet this requirement.
Assume that:
− PPPoE user name: tdxy123
− PPPoE password: ipxz456
Internet
Intranet Router
WAN LAN WAN2
172.16.100.0/24 LAN IP: 192.168.98.1 LAN IP: 192.168.0.252
Switch
LAN
Configuration procedure
Step 1 Enable two WAN ports, and configure the internet settings.
1. Navigate to Internet Settings > Internet Settings.
2. Select the number of WAN ports from the WAN Ports drop-down list menu, which is 2 in
this example.
162
3. On the WAN1 configuration area, set Connection Type to PPPoE, and enter the PPPoE
Username and PPPoE Password provided by your ISP, which are tdxy123 and ipxz456 in
this example.
163
Step 2 Configure static routing.
1. Click System Status > , and view the IP information of WAN2. Assume that:
- IP Address: 192.168.98.190
- Subnet Mask: 255.255.255.0
- Default Gateway: 192.168.98.1
- Primary DNS: 192.168.96.1
2. Add a static routing rule.
(1) Navigate to More > Static Routing.
(2) Click +Add.
----End
164
Add successfully. See the following figure.
Verification
Computers in the LAN can access the internet and the intranet simultaneously.
165
12.2 Port mirroring
12.2.1 Overview
Port mirroring function forwards a copy of data of one or more mirrored ports to the specified
mirroring port. The network administrator uses data monitoring devices to monitor traffic, analyze
performance and perform network diagnose.
Click More > Port Mirroring to enter the page.
By default, this function is disabled.
Parameter description
Parameter Description
Specifies the monitoring port. A piece of monitoring software must be installed on the
Mirroring Port computer with this port to perform monitoring. The default mirroring port is LAN4, which
can be customized.
Specifies the monitored ports. After the port mirroring function is enabled, packets of the
Mirrored Port
mirrored ports are replicated to the mirroring port for monitoring.
166
12.2.2 Example of configuring port mirroring
Networking requirement
An enterprise uses the router to build a network. Recently, internet access failures occur frequently
and the network administrator needs to capture data packets from the WAN and LAN ports of the
router for analysis.
Solution
The port mirroring function of the router can meet this requirement.
Assume that a data monitoring device is connected to the LAN3 to monitor the data of other ports.
Internet
WAN1
Router
LAN3
LAN Data monitoring device
Switch
LAN
Configuration procedure
Step 1 Navigate to More > Port Mirroring.
Step 2 Enable Port Mirroring.
Step 3 Select the Mirroring Port, which is LAN3 in this example.
Step 4 Select the Mirrored Ports, which are WAN1, LAN2 and LAN4 in this example.
Step 5 Click Save at the bottom of the page.
167
----End
Verification
Run monitoring software such as Wireshark on the monitoring computer to verify the software can
capture data packets from the mirrored ports.
168
12.3 Remote web management
12.3.1 Overview
Generally, the web UI of the router can only be accessed on devices that are connected to the
router in wired or wireless manner. This costs in case of seeking technician to fix network problems.
The remote web management function is designed to address such requirement. When you
encounter network faulty, you can ask technicians far away to diagnose and fix your problems,
improving efficiency and reducing costs and efforts.
Click More > Remote WEB Management to enter the page.
Parameter description
Parameter Description
Remote WEB MGMT Enable or disable the remote web management function.
Specifies the WAN port of the router, which is also the WAN port used to remotely
WAN
access the web UI of the router.
Remote Access With this function enabled, the router automatically generates one unique domain
Address name that can be used to manage the router remotely.
169
12.3.2 Example of configuring remote web management
Networking requirement
An enterprise uses the wireless router to deploy its network. The network administrator needs to
seek a Tenda technician to solve a problem remotely.
Solution
The remote web management function can meet this requirement.
Internet
Technician WAN1
IP: 202.105.88.77
Router
LAN
Switch
LAN
Configuration procedure
Step 1 Navigate to More > Remote WEB Management.
Step 2 Enable Remote WEB MGMT.
Step 3 Select the WAN port for remote management, which is WAN1 in this example.
Step 4 Select the Specified IP, and enter the IP address of the computer of the Tenda support
technician, which is 202.105.88.77 in this example.
Step 5 Click Save at the bottom of the page.
170
----End
Verification
Tenda technician with a computer IP address 202.105.88.77 can use
http://o95juq6q.cloud.tendacn.net:8080 to access the web UI of the router remotely.
171
12.4 DDNS
12.4.1 Overview
DDNS is abbreviated for Dynamic Domain Name Service. When a service is running, the DDNS client
on the router sends the IP address of the current WAN port of the router to the DDNS server, and
the server updates the mapping relationships between the domain name and IP address in the
database, achieving dynamic domain name resolution.
On this page, you can map the dynamic WAN IP address of the router (public IP address) to a fixed
domain name. The DDNS function is generally used with such functions as port forwarding and DMZ
host to enable internet users to access the LAN server or the web UI of the router through domain
name without caring about the change of the WAN IP address.
Click More > DDNS to enter the page.
By default, this function is disabled.
172
Parameter description
Parameter Description
DDNS Provider The router supports four DDNS providers: noip, dyndns, oray, and gnway.
Specifies the type of the DDNS account. This parameter appears when DDNS Provider
Service Type
is set to oray.
User Name Specifies the user name/password used to log in to a DDNS provider. They are
registered on the website of the provider.
Password
Specifies the domain name obtained from the DDNS provider. If DDNS Provider is set
Domain Name to other DDNS provider other than oray, you need to manually enter the domain
name applied from the target website.
173
12.4.2 Example of configuring DDNS
Networking requirement
An enterprise uses the wireless router to set up a network. The router has been connected to the
internet and can offer internet service to LAN users.
The enterprise has the following requirement:
The intranet web server is open to internet users to enable staff to access the intranet even when
they are not physically in the enterprise.
Solution
− You can use the Port Forwarding function to enable internet users to access the
intranet web server.
− You can use the DDNS function to enable internet users to access the intranet web
server through a fixed domain name, avoiding access failure caused by WAN IP
address change.
− You can use the Address Reservation function to avoid access failure caused by web
server address change.
Assume that the information of the web server is shown as below:
− IP address of the web server: 192.168.0.250
− MAC address of the host that runs the web server: C8:9C:DC:60:54:69
− Service port: 9999
Before the configuration, ensure that the WAN port of the router obtains a public IP address; if
the WAN port obtains a private IP address or an intranet IP address assigned by the ISP (starting
with 100), the function may not take effect. Commonly-used IPv4 private IP addresses include
10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
ISP may not support unreported web service accessed using the default port number 80.
Therefore, when setting port forwarding, you are recommended to set the external port as a
non-familiar port (1024 to 65535), such as 9999, to ensure normal access.
Internal and external ports can be different.
174
Internet
Internet user
WAN1
Router
LAN
Switch
Configuration procedure
Configure port forwarding Reserve a fixed IP address for the server Configure DDNS
host
Step 1 Configure port forwarding.
Navigate to More > Port Forwarding, and add a rule. Refer to Configure a port forwarding rule.
175
3. Configure the following parameters in the Add window, and click Save.
(1) Set the fixed IP address assigned to the server host, which is 192.168.0.250 in this
example.
(2) Enter the MAC address of the server host, which is C8:9C:DC:60:54:69 in this example.
(3) (Optional) Enter a remark, such as Web Server.
176
Step 3 Configure DDNS.
1. Register a domain name.
Log in to the DDNS provider website. Assume that the DDNS provider where you applied
the domain name is noip, the user name you registered is Tenda, the password is tdxy123,
and the domain name is tenda.ddns.net
2. Log in to the web UI of the router and configure DDNS.
(1) Navigate to More > DDNS.
(2) Enable DDNS.
(3) Select noip from the DDNS Provider drop-down list.
(4) Enter the user name and password, which is Tenda and tdxy123 in this example.
(5) Enter the domain name, which is tenda.ddns.net in this example.
(6) Click Save at the bottom of the page.
----End
Wait a moment, and refresh the page. When the Status shows Connected, the configuration
completes successfully.
177
Verification
Internet users can successfully access the intranet server by using intranet service application layer
protocol name://WAN port domain name:external port, which is http://tenda.ddns.net:9999 in
this example.
If you set the default port of the intranet service as the external port when configuring port
forwarding, the external port number can be excluded from the access address. Under such
circumstances, the access address is intranet service application layer protocol name://WAN port
domain name.
If internet users still cannot access the LAN server after the configuration, try the following methods:
Make sure that the internal port you entered is correct.
Maybe the system firewall, anti-virus software and security guard on the LAN server blocked
internet user access. Please disable these programs and try again.
178
12.5 Port forwarding
12.5.1 Overview
By default, internet users cannot access LAN devices. However, with port forwarding function, you
can open one or multiple service ports (TCP or UDP) of the router and forwards these ports to the
specified LAN server. In this way, service requests sent to those ports of the node can be forwarded
to the target LAN server. Internet users can access the LAN server and the LAN is defended against
attacks.
Navigate to More > Port Forwarding to enter the page.
Parameter description
Parameter Description
Specify the types of the transfer layer protocol used by the LAN service.
Protocols
All indicates both TCP and UDP. Select All if you are uncertain about the service type.
Port Specifies the WAN port internet users use to access the LAN service.
Status Specifies the status of the rule. You can enable or disable the rule as required.
179
12.5.2 Configure a port forwarding rule
Click More > Port Forwarding to enter the page. Click +Add, configure the following parameters,
and click Save.
180
12.5.3 Example of configuring a port forwarding rule
Networking requirement
An enterprise uses the wireless router to set up a network. The router has been connected to the
internet and can offer internet service to LAN users.
The enterprise has the following requirement:
The intranet web server is open to internet users to enable staff to access the intranet even when
they are not physically in the enterprise.
Solution
− You can use the Port Forwarding function to enable internet users to access the
intranet web server. Assume that the open port of the router is 9999.
− You can use the Address Reservation function to avoid access failure caused by web
server address change.
Assume that the information of the web server is shown as below:
− IP address of the web server: 192.168.0.250
− MAC address of the host that runs the web server: C8:9C:DC:60:54:69
− Service port: 9999
Before the configuration, ensure that the WAN port of the router obtains a public IP address; if
the WAN port obtains a private IP address or an intranet IP address assigned by the ISP (starting
with 100), the function may not take effect. Commonly-used IPv4 private IP addresses include
10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
ISP may not support unreported web service accessed using the default port number 80.
Therefore, when setting port forwarding, you are recommended to set the external port as a
non-familiar port (1024 to 65535), such as 9999, to ensure normal access.
Internal and external ports can be different.
181
Internet
Internet user
WAN1 IP:202.105.11.22
Router
LAN
Switch
Configuration procedure
Configure port forwarding Reserve a fixed IP address for the server host
3. Configure the following parameters in the Add window, and click Save.
(1) Enter the Internal Server IP, which is 192.168.0.250 in this example.
(2) Enter the Internal Port, which is 9999 in this example.
(3) Enter the External Port, which is 9999 in this example.
(4) Choose the protocol used by the web server, which is TCP in this example.
182
(5) Select WAN1 as the port through which WAN users get access to the LAN server.
183
3. Configure the following parameters in the Add window, and click Save.
(1) Set the fixed IP address assigned to the server host, which is 192.168.0.250 in this
example.
(2) Enter the MAC address of the server host, which is C8:9C:DC:60:54:69 in this example.
(3) (Optional) Enter a remark, such as Web Server.
----End
184
Verification
Internet users can successfully access the intranet server by using intranet service application layer
protocol name://WAN port IP address:external port. If you set the default port of the intranet
service as the external port when configuring port forwarding, the external port number can be
excluded from the access address. Under such circumstances, the access address is intranet service
application layer protocol name://WAN port IP address.
In this example, the access address is http://202.105.11.22:9999
You can check the current WAN IP address on the System Status page.
If DDNS is enabled on the WAN port, internet users can also access the intranet server by using
intranet service application layer protocol name://WAN port domain name:external port.
If internet users still cannot access the LAN server after the configuration, try the following methods:
Make sure that the internal port you entered is correct.
Maybe the system firewall, anti-virus software and security guard on the LAN server blocked
internet user access. Please disable these programs and try again.
185
12.6 DMZ host
12.6.1 Overview
After setting a device in the LAN as the DMZ host, it enjoys no limitations when communicating with
the internet. For example, if video meeting or online games are under way on a computer, you can
set that computer as the DMZ host to make the video meeting and online games go smoother. In
addition, you can also set the LAN server as the DMZ host when internet users access the LAN
server resources.
After you set a LAN device as a DMZ host, that device will be completely exposed to the internet
and the firewall of the node does not take effect on the device.
Hackers may fire attacks on the local network by using the DMZ host. Please exercise caution to
use the DMZ host function.
The security guard, anti-virus software and system firewall on the DMZ host may affect the DMZ
host function. Disable them when using this function. When you are not using the DMZ host
function, you are recommended to disable the function and enable the firewall, security guard
and anti-virus software on the DMZ host.
Parameter description
Parameter Description
IP Address of DMZ
Specifies the IP address of the LAN device to be set as the DMZ host.
Host
186
Parameter Description
If the router has already enabled the VPN server function and is about to enable the
DMZ host function, to ensure the validity of the VPN server of the router, enable the
filter VPN port function as well.
Solution
− You can use the DMZ Host function to enable internet users to access the intranet web
server.
− You can use the Address Reservation function to avoid access failure caused by web
server address change.
Assume that the information of the web server is shown as below:
− IP address of the web server: 192.168.0.250
− MAC address of the host that runs the web server: C8:9C:DC:60:54:69
− Service port: 9999
Before the configuration, ensure that the WAN port of the router obtains a public IP address; if
the WAN port obtains a private IP address or an intranet IP address assigned by the ISP (starting
with 100), the function may not take effect. Commonly-used IPv4 private IP addresses include
10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
ISP may not support unreported web service accessed using the default port number 80.
Therefore, when setting port forwarding, you are recommended to set the external port as a
non-familiar port (1024 to 65535), such as 9999, to ensure normal access.
187
Internet
Internet user
WAN1 IP:202.105.11.22
Router
LAN
Switch
Configuration procedure
188
Step 2 Reserve a fixed IP address for the DMZ host.
1. Navigate to Address Reservation > Manual Address Reservation.
2. Click +Add.
3. Configure the following parameters in the Add window, and click Save.
(1) Set the fixed IP address assigned to the server host, which is 192.168.0.250 in this
example.
(2) Enter the MAC address of the server host, which is C8:9C:DC:60:54:69 in this example.
(3) (Optional) Enter a remark, such as Web Server.
----End
189
Verification
Internet users can successfully access the intranet server by using intranet service application layer
protocol name://WAN port IP address:internal service port. If you use the default port for the
intranet service, the intranet service port number can be excluded from the access address. Under
such circumstances, the access address is intranet service application layer protocol name://WAN
port IP address.
In this example, the access address is http://202.105.11.22:9999
You can check the current WAN IP address on the System Status page.
If DDNS is enabled on the WAN port, internet users can also access the intranet server by using
intranet service application layer protocol name://WAN port domain name:internal service port.
After the configuration, if internet users still cannot access the LAN server, disable the system firewall,
anti-virus software or security guard on the DMZ host and try again.
190
12.7 UPnP
12.7.1 Overview
UPnP is abbreviated for Universal Plug and Play. After the UPnP function is enabled, the router can
automatically open port for UPnP-supporting programs in the LAN (such as BitComet and AnyChat)
and make these applications run smoother.
If you enable the UPnP function, when UPnP-based programs, such as BitComet and AnyChat, are
running on the local network, the external and internal mapping relationships are displayed on the
page.
191
12.8 Any IP
Click More > Any IP to enter the page.
This function is typically used in public spaces, such as at a hotel. With this function enabled,
devices in the LAN network with any IP address, gateway and DNS can access the internet through
the router, avoiding the issue that the private IP addresses of guests do not match with the hotel
network.
By default, this function is disabled. Enable it when necessary.
192
12.9 DNS forwarding
The DNS forwarding function forwards specified domain names to specified DNS servers through
the fixed WAN port for DNS address resolution, improving access speed.
Click More > DNS Forwarding to enter the page.
Parameter description
Parameter Description
DNS Address Specifies the server address that requires DNS resolution.
Specifies the port through which data goes out of the router. Please set the
Interface
corresponding WAN port as needed.
193
12.10 Security settings
The router supports ARP Defense, DDoS Defense, IP Attack Defense, and Block WAN Ping security
settings.
− ARP Defense: This function can identify the ARP spoofing in the local network, and
record the MAC addresses of the attacker.
− DDoS Defense: DDoS attack, abbreviated for Distributed Denial of Service Attack,
makes network resource unavailable to its intended users. The router can block DDoS
attack, including ICMP Flood, UDP Flood, and SYN Flood attacks.
− IP Attack Defense: With this function enabled, the router can intercept some packets
with specified IP options. These IP options include IP Timestamp Option, IP Security
Option, IP Stream Option, IP Record Route Option, IP Loose Source Route Option and
illegal IP options.
− Block WAN Ping: With this function enabled, the router automatically ignores WAN IP
address ping requests from internet hosts; therefore, the router avoids exposing itself
and defends the external ping attacks.
Click More > Security Settings to enter the page.
194
Parameter description
Parameter Description
ICMP Flood If ICMP request packets from a same host in LAN received by the router exceed
Threshold this threshold within 1 second, the router suffers ICMP flood attack.
DDoS UDP Flood If UDP request packets from a same host in LAN received by the router exceed
Defense Threshold this threshold within 1 second, the router suffers UDP flood attack.
SYN Flood If TCP SYN request packets from a same host in LAN received by the router
Threshold exceed this threshold within 1 second, the router suffers SYN flood attack.
IP Timestamp With this function enabled, the router blocks IP packets that contain the
Option Internet Timestamp option in the local network.
IP Security With this function enabled, the router blocks IP packets that contain the
Option Security option in the local network.
IP Stream With this function enabled, the router blocks IP packets that contain the Stream
IP Attack Option ID option in the local network.
Defense IP Record With this function enabled, the router blocks IP packets that contain the Record
Route Option Route option in the local network.
IP Loose Source With this function enabled, the router blocks IP packets that contain the Loose
Route Option Source Route option in the local network.
Rouge IP With this function enabled, the router blocks IP packets that fail to pass
Option integrity and correctness check in the local network.
Enable or disable the block WAN ping function. By default, this function is
disabled.
Block WAN Ping After the block WAN ping function is enabled, the router automatically ignores
WAN IP address ping requests from internet hosts; therefore, the router avoids
exposing itself and defends external ping attacks.
195
12.11 VPN
12.11.1 Overview
VPN, abbreviated for Virtual Private Network, is a special network set up on the public network
(generally the internet). It exists only logically, and does not have any physical lines. The VPN
technology is widely used in enterprise networks and is used to achieve resource sharing between a
subsidiary and the headquarters, and at the same time, protects these resources from being
exposed to other users in the internet.
The typical network topology is shown as below.
Subsidiary Headquarters
Internet
LAN WAN WAN LAN
VPN tunnel
196
12.11.2 VPN server
The router can be used as a PPTP/L2TP server to accept connections from PPTP/L2TP clients.
Click More > VPN Server to enter the page.
By default, this function is disabled.
Parameter description
Parameter Description
Specifies the VPN protocol type the router uses, including PPTP and L2TP. Both PPTP and
L2TP are layer-2 VPN tunnel protocol and use the PPP to encapsulate data, and both add an
Server Type additional head for data.
⚫ PPTP: The router serves as a PPTP server and accepts connections from PPTP clients.
⚫ L2TP: The router serves as an L2TP server and accepts connections from L2TP clients.
Specifies the WAN port for setting up a VPN tunnel between the VPN server and the
clients.
WAN
The IP address or domain name of the WAN port is the server IP address/domain name of
VPN client.
197
Parameter Description
Enable or disable 128-bit data encryption. This parameter only appears when PPTP is
selected.
Encryption
The encryption configuration of the client and server must be the same. Otherwise, the
communication cannot be performed properly.
Enable or disable the IPSec encryption. This parameter only appears when L2TP is selected.
IPSec Encryption If you want to configure IPSec encryption, select the IPSec rules whose encapsulation mode
is transport mode.
Specifies IP address range that the PPTP/L2TP clients can obtain from the VPN server to be
IP Address Pool
connected.
Specifies the maximum number of VPN clients allowed to connect to the PPTP/L2TP server.
Max. Users
The value is fixed to 32.
User Name
Specifies the user name and password used to dial in a PPTP/L2TP VPN connection.
Password
Specifies the type of the VPN client.
⚫ Yes: Choose this option when the VPN client is a network. Under such circumstances, you
Network Users
need to set the network segment, subnet mask of the VPN client.
⚫ No: Choose this option when the VPN client is a host.
Network
When the VPN client is a network, enter the private network prefix of the client.
Segment
Subnet Mask When the VPN client is a network, enter the subnet mask of the client.
198
Add a PPTP/L2TP user account
Navigate to More > VPN Server > PPTP/L2TP User, click +Add, configure the following parameters in
the Add window, and click Save.
199
12.11.3 VPN client
The router can be used as a PPTP/L2TP client connected to the PPTP/L2TP server.
Click More > VPN Client to enter the page.
By default, VPN Client is disabled.
Parameter description
Parameter Description
Specifies the VPN protocol type the router uses, including PPTP and L2TP. Both PPTP and
L2TP are layer-2 VPN tunnel protocol and use the PPP to encapsulate data, and both add an
Client Type additional head for data.
⚫ PPTP: Choose this option if the VPN server to be connected is a PPTP server.
⚫ L2TP: Choose this option if the VPN server to be connected is an L2TP server.
WAN Specifies the WAN port the router uses for VPN dial-up.
200
Parameter Description
Specifies the IP address or domain name of the VPN server to be connected, which is
Server IP/Domain
generally the IP address or domain name of the WAN port enabling the PPTP/L2TP server
Name
function of the peer VPN router.
User Name Specifies the PPTP/L2TP user account, which is the user name and password assigned by
Password the VPN server.
Enable or disable data encryption. This parameter only appears when PPTP is selected.
Encryption The encryption configuration of the client and server must be the same. Otherwise, the
communication cannot be performed properly.
After this function is enabled, LAN users access the internet through the VPN server-side
VPN Proxy
router.
Remote LAN Specifies the network segment of the LAN of the VPN server.
Remote Subnet
Specifies the subnet mask of the LAN of the VPN server.
Mask
201
12.11.4 IPSec
IP Security (IPSec) is a protocol suite for transmitting data over the internet in a secure and
encrypted manner.
◼ Encapsulation mode
Encapsulation mode specifies encapsulation mode of the data transmitted by IPSec. IPSec
supports Tunnel and Transport modes.
− Tunnel: This mode adds an additional IP head and is most commonly used between
gateways. The whole IP data packet of the user is used to calculate the AH or ESP head.
AH or ESP head and the user data encrypted by ESP are encapsulated in a new IP data
packet.
− Transport: This mode does not change the original IP head and is most commonly used
between hosts. Only the data at the transmission layer is used to calculate AH or ESP
head. AH or ESP head or user data encrypted by ESP are placed behind the original IP
packet head.
◼ Security gateway
It refers to a gateway (secure and encrypted router) with the IPSec functionality. IPSec is used
to protect data exchanged between such gateways from being tampered and peeped.
◼ IPSec peer
The two IPSec terminals are called IPSec peers. The two peers (security gateways) can
securely exchange data only after a Security Association (SA) is set up between them.
◼ SA
SA specifies some elements of the peers, such as the base protocol (AH, ESP, or both),
encapsulation mode (transport or tunnel), encryption algorithm (DES, 3DES, or AES), shared
key for data protection in specified flows, and life cycle of the key. SA has the following
features:
− A triplet {SPI, Destination IP address, Security protocol identifier} is used as a unique
ID.
− An SA specifies the protocol, algorithm, and key for processing packets.
− Each IPsec SA is unidirectional with a life cycle.
− An SA can be created manually or generated automatically using internet Key Exchange
(IKE). The IKE protocol has two versions of IKEv1 and IKEv2. The device supports IKEv1
and the IKE hereinafter stands for IKEv1.
202
Configure IPSec connection: Tunnel mode
Click More > IPSec to enter the page. Click +Add, select the Tunnel mode, configure the following
parameters in the window, and click Save.
The router supports both Tunnel mode (default) and Transport mode.
Parameter description
Parameter Description
Specifies the WAN port over which the IPSec function takes effect. The remote gateway
WAN
address of the IPSec peer device should be the IP address of this interface.
203
Parameter Description
Do not set both ends of the IPSec tunnel as Responder Mode; otherwise, the IPSec tunnel
setup fails.
Specifies the protocol which offers the security service for IPSec.
⚫ AH: It is abbreviated for Authentication Header. This protocol is used for verifying data
integrity. If a packet is tampered during transmission, the receiver discards it during data
integrity verification.
Tunnel Protocol ⚫ ESP: It is abbreviated for Encapsulating Security Payload. This protocol is used for
verifying data integrity and encrypting data. If a packet processed using this protocol is
intercepted during transmission, it is difficult for the intercepting party to obtain the real
information contained in the packet. This compatible protocol is widely used in gateway
products.
⚫ AH+ESP: It indicates that the function features both AH and ESP.
Remote Gateway Specifies the IP address or domain name of the peer gateway of the IPSec tunnel.
Specifies the network segment/prefix length of the LAN of the device. For example, if the
Local LAN/Prefix
IP address of the LAN port of the device is 192.168.0.1 and the subnet mask is
Length
255.255.255.0, the local LAN/prefix length can be 192.168.0.0/24.
Remote Specifies the network segment/prefix length of the LAN of the peer gateway of the IPSec
LAN/Prefix tunnel. If the peer device is a host, this parameter can be set as “the IP address of the
Length device/32”.
204
− ISAKMP: Internet Security Association and Key Management Protocol. It defines the
procedures for authenticating a communicating peer, creation and management of
Security Associations, key generation techniques, and threat mitigation.
− Oakley: Oakley Key Determination Protocol. It defines the specific key negotiation
mechanism.
− SKEME: A secure and versatile key exchange protocol for key management over
internet is presented.
IKE negotiation can be broken down into two periods.
Period 1: The communicating parties negotiate exchange and authentication algorithm, encryption
algorithm and other security protocols, and generate an ISAKMP SA which is used to exchange more
information in phase II.
Period 2: The ISAKMP SA set up in phase I is used as the security agreement negotiation parameter
of IPSec to create IPSec SA, which is used to protect the communication data of both parties
When Auto Negotiation is selected, the following page appears.
Parameter description
Parameter Description
Authentication Specifies the shared key mode, which indicates a shared key string negotiated by IPSec
Type parties with some way in advance.
Specifies the pre-shared key used during negotiation. This parameter must be the same
Pre-shared Key
with that of the peer gateway. A maximum of 128 characters are allowed.
Enable or disable the DPD Detection. This function can detect whether the remote tunnel
DPD Detection
site is valid.
205
Click Advanced, and the following configuration area appears.
Parameter description
Parameter Description
Specifies the exchange mode in IKE phase I, which should be the same as that of peer
gateway.
⚫ Main: This mode is the primary mode. In this mode, exchanged packets are huge to offer
Mode identity protection, which is applicable to scenarios where identity protection is rigorous.
⚫ Aggressive: This mode does not offer identity protection. In this mode, the exchanged
packets are few in number and negotiation rate is high, which is applicable to scenarios
where identity protection is loose.
Specifies the IKE session encryption algorithm. The router supports the following
algorithms:
⚫ DES (Data Encryption Standard): A 56-bit key is used to encrypt 64-bit data. The last 8
Encryption
bits of the 64-bit data are used for parity check. 3DES indicates that three 56-bit keys are
Algorithm
used for encryption.
⚫ AES (Advanced Encryption Standard): AES 128/192/256 indicates that 128/192/256-bit
keys are used for encryption respectively.
Specifies the IKE session verification algorithm. The router supports the following
algorithms:
Integrity ⚫ MD5 (Message Digest Algorithm): A 128-bit message digest is generated to prevent
Verification message tampering.
⚫ SHA1 (Secure Hash Algorithm): A 160-bit message digest is generated to prevent
message tampering, leading to higher security than MD5.
206
Parameter Description
Diffle-Hellman Specifies the group information for the Diffie-Hellman algorithm for generating a session
Group key used to encrypt an IKE tunnel.
Local ID Type and Peer ID Type should be the same. Under such circumstances, you are
recommended to modify the Mode to Aggressive.
Local ID Type and Peer ID Type should be the same. Under such circumstances, you are
recommended to modify the Mode to Aggressive.
This feature generates a new key in IKE Phase II, which is unrelated to the key generated in
IKE Phase I, ensuring that the key generated in Phase II is secure even if the key generated
in IKE1 Phase I is cracked.
PFS
With the PFS disabled, generation of the new key in IKE Phase II depends on the key in
Phase I. Once the key generated in IKE Phase I is cracked, the key generated in Phase II will
suffer threats, and further threatens the communication security.
207
Key negotiation: Manual
The following displays the page when Manual is selected for Key Negotiation (Tunnel protocol
AH+ESP is used for illustration here).
Parameter description
Parameter Description
When the Tunnel Protocol is set to ESP, the ESP encryption algorithm is required. The
router supports the following algorithms:
ESP Encryption
Algorithm
⚫ DES: A 56-bit key is used to encrypt 64-bit data. The last 8 bits of the 64-bit data are
used for parity check. 3DES indicates that three 56-bit keys are used for encryption.
⚫ AES: A 128/192/256-bit key is used for encryption.
Specifies the ESP encryption key. Both IPSec communication parties should have the
ESP Encryption Key
same key.
When the Tunnel Protocol is set to ESP or AH, the corresponding encryption algorithm
ESP/AH is required. The router supports the following algorithms:
Authentication
Algorithm
⚫ MD5: A 128-bit message digest is generated to prevent message tampering.
⚫ SHA1: A 160-bit message digest is generated to prevent message tampering.
208
Parameter Description
When the Tunnel Protocol is set to ESP or AH, the corresponding authentication key is
ESP/AH required.
Authentication Key
Both IPSec communication parties should have the same key.
209
Configure IPSec connection: Transport mode
Click More > IPSec to enter the page. Click +Add, select the Transport mode, configure the following
parameters in the window, and click Save.
Parameter description
Parameter Description
Specifies the WAN port over which the IPSec function takes effect. The remote gateway
WAN
address of the IPSec peer device should be the IP address of this interface.
Do not set both ends of the IPSec tunnel as Responder Mode; otherwise, the IPSec tunnel
setup fails.
210
Parameter Description
Specifies the IKE session encryption algorithm. The router supports the following
algorithms:
Encryption
⚫ DES (Data Encryption Standard): A 56-bit key is used to encrypt 64-bit data. The last 8
Algorithm bits of the 64-bit data are used for parity check. 3DES indicates that three 56-bit keys are
used for encryption.
⚫ AES (Advanced Encryption Standard): AES 128/192/256 indicates that 128/192/256-bit
keys are used for encryption respectively.
Specifies the IKE session verification algorithm. The router supports the following
algorithms:
Integrity ⚫ MD5 (Message Digest Algorithm): A 128-bit message digest is generated to prevent
Verification message tampering.
⚫ SHA1 (Secure Hash Algorithm): A 160-bit message digest is generated to prevent
message tampering, leading to higher security than MD5.
Specifies the pre-shared key used during negotiation. This parameter must be the same
Pre-shared Key
with that of the peer gateway. A maximum of 128 characters are allowed.
211
12.11.5 Example of configuring a PPTP/L2TP VPN
Networking requirement
An enterprise and its subsidiary both use the wireless routers to set up a network and the routers
have been connected to the internet.
The enterprise has the following requirement:
Subsidiary staff can access the LAN resources through the internet, such as documents, OA, ERP
system, CRM system, project management system and other resources.
Solution
Set a router as the VPN server and the other as the VPN client to enable remote users to securely
access the LAN through the internet. PPTP VPN is taken as an example here and the configuration
for L2TP VPN is the same.
Assume that router 1 is set as the PPTP server and its basic information is as follows:
− User name and password assigned by the PPTP server: Subsidiary 1
− IP address of the PPTP server: 202.105.11.22
− Data encryption is enabled on the PPTP server.
− Intranet of the PPTP server: 192.168.0.0/24
− Port of the PPTP server to establish a VPN tunnel: WAN1
Assume that router 2 is set as the PPTP client and its basic information is as follows:
− Intranet of the PPTP client: 192.168.1.0/24
− Port of the PPTP client to establish a VPN tunnel: WAN1
Subsidiary Headquarters
Internet Router 1
Router 2 WAN1 WAN1
VPN tunnel
VPN client VPN server
LAN LAN
Switch Switch
LAN
Enterprise server
Configuration procedure
Set router 1 as VPN server Set router 2 as VPN client
212
1. Enable the PPTP server.
(1) Log in to the web UI of router 1, and navigate to More > VPN Server.
(2) Enable VPN Server.
(3) Configure the following parameters, and click Save at the bottom of the page.
- Select Server Type, which is PPTP in this example.
- Select the WAN port for setting up a VPN tunnel between the VPN server and
client, which is WAN1 in this example.
- Enable Encryption.
(3) Configure the following parameters in the Add window, and click Save.
- Enter the User Name the VPN client uses for VPN connection, which is Subsidiary 1
in this example.
- Enter the Password, which is Subsidiary 1 in this example.
- Select Yes for Network Users.
- Enter the Network Segment of the VPN client LAN, which is 192.168.1.0 in this
example.
- Enter the Subnet Mask, which is 255.255.255.0 in this example.
213
- Enter a Remark for the user account, which is Subsidiary 1 in this example.
214
(3) Enter the Serve IP/Domain Name of the WAN port which serves as the egress at the
VPN server side, which is 202.105.11.22 in this example.
(4) Enter the User Name assigned by the VPN server, which is Subsidiary 1 in this
example.
(5) Enter the Password, which is Subsidiary 1 in this example.
(6) Enable Encryption.
(7) Enter the Remote LAN, which is 192.168.0.0 in this example.
(8) Enter the Remote Subnet Mask, which is 255.255.255.0 in this example.
----End
When the Status shows Connected, the VPN connection is successful. Staff of the headquarters and
the subsidiary can securely access the LAN resources through the internet.
215
Verification
Assume that the subsidiary is about to access the FTP server of the headquarters. The headquarters
project data is stored on an FTP server and the server information is as follows:
− FTP server IP address: 192.168.0.104
− Server port: 21
− Login username/password: Tom123/Tommy456
When subsidiary staff access the headquarters project materials, perform the following procedures:
Step 1 Enter ftp://server IP address in a browser or This PC, which is ftp://192.168.0.104 in this
example.
If the LAN service port is not the default port number, the access format is LAN service application
layer protocol name://server IP address:LAN service port.
Step 2 Enter the user name and password, which are Tom123 and Tommy 456 in this example,
and click Login.
216
The access is successful. See the following figure.
217
12.11.6 Example of configuring an IPSec VPN
Networking requirement
An enterprise and its subsidiary both use routers to set up a network and the routers have been
connected to the internet.
The enterprise has the following requirement:
Subsidiary staff can access the LAN resources through the internet, such as documents, OA, ERP
system, CRM system, project management system and other resources.
Solution
Set up an IPSec tunnel on the two routers for the remote users to securely access the LAN through
the internet.
Assume that router 1 is deployed in the headquarters and its basic information is as follows:
− Port used to establish an IPSec tunnel: WAN1
− WAN1 IP address: 202.105.11.22
− IP address of the LAN: 192.168.0.0/24
Assume that router 2 is deployed in the subsidiary and its basic information is as follows:
− Port used to establish an IPSec tunnel: WAN1
− WAN IP address: 202.105.88.77
− IP address of the LAN: 192.168.1.0/24
Assume that the basic information of the IPSec connection between the two routers is:
− Encapsulation mode: Tunnel
− Key negotiation mode: Auto negotiation
− Pre-shared key: td159357
Subsidiary Headquarters
Router 2 Internet Router 1
WAN1 WAN1
VPN tunnel VPN server
VPN client
LAN LAN
Switch Switch
LAN
Enterprise server
218
Configuration procedure
Configure router 1 Configure router 2
During the configuration, if you want to configure the advanced settings of IPSec connection, make
sure the parameters of the two routers are the same.
3. Configure the parameters in the Add window, and click Save at the bottom of the page.
(1) Select the WAN port to establish an IPSec tunnel, which is WAN1 this example.
(2) Set Encapsulation Mode to Tunnel.
(3) Set the Connection Name, which is IPSec_1 in this example.
(4) Enter the Remote Gateway, which is 202.105.88.77 in this example.
(5) Enter the Local LAN/Prefix Length, which is 192.168.0.0/24 in this example.
(6) Enter the Remote LAN/Prefix Length, which is 192.168.1.0/24 in this example.
(7) Set the Pre-shared Key, which is td159357 in this example.
219
The IPSec is added successfully. See the following figure.
220
Step 2 Configure router 2.
1. Log in to the web UI of the router 2 and navigate to More > IPSec.
2. Click +Add.
3. Configure the parameters in the Add window, and click Save at the bottom of the page.
(1) Select the WAN port to establish an IPSec tunnel, which is WAN1 this example.
(2) Set Encapsulation Mode to Tunnel.
(3) Set the Connection Name, which is IPSec_1 in this example.
(4) Enter the Remote Gateway, which is 202.105.11.22 in this example.
(5) Enter the Local LAN/Prefix Length, which is 192.168.1.0/24 in this example.
(6) Enter the Remote LAN/Prefix Length, which is 192.168.0.0/24 in this example.
(7) Set the Pre-shared Key, which is td159357 in this example.
221
The IPSec is added successfully. See the following figure.
----End
Verification
When IPSec Status shows Connected, the IPSec tunnel is set up successfully and headquarters and
subsidiary staff can securely access the LAN resources of each other through internet.
222
12.11.7 Example of configuring a L2TP over IPSec VPN
Networking requirement
An enterprise and its branch have used the wireless routers to set up LANs and access the internet.
Branch employees need to access the headquarters’ internal resources through the internet, such
as internal data, OA, ERP, CRM, and project management systems.
Solution
IPSec and L2TP server function of the router can meet this requirement.
Assume that the related information is shown as below:
− Port used to establish an IPSec tunnel: WAN1
− Port used to establish an L2TP VPN tunnel: WAN1
− IP address of WAN1: 202.105.11.22
− LAN: 192.168.0.0/24
Assume that the related information of IPSec connection of the router is shown as below:
− Encapsulation Mode: Tunnel mode
− Key Negotiation: Auto negotiation
− Pre-shared Key: ip159357
Internet
WAN1
VPN tunnel Router
Switch
Enterprise
AP Computer
server
223
Configuration Procedure
Configure IPSec connection Enable an L2TP server Add a PPTP/L2TP user
Step 1 Configure the IPSec connection.
1. Navigate to More > IPSec.
2. Click +Add.
3. Configure the following parameters in the Add window, and click Save.
(1) Select a WAN port for the IPSec VPN connection, which is WAN1 in this example.
(2) Select Encapsulation Mode, which is Transport in this example.
(3) Set Connection Name to the name of the IPSec tunnel, which is HQ in this example.
(4) Specify Pre-shared Key, which is ip159357 in this example.
224
The IPSec connection is configured successfully. See the following figure.
Step 4 Configure the following parameters in the Add window, and click Save.
225
1. Enter the User Name and Password assigned by the VPN client, which are both Tom123 in
this example.
2. Set Network User to No.
3. Enter a Remark to your account, which is Tom123 in this example.
The L2TP over IPSec VPN is added successfully. See the following figure.
----End
226
Verification
To access the headquarters LAN resources, you have to configure your client. The document
introduces how to create VPN dialing on Windows 10 and iOS. Choose the scenario according to
your actual situations.
Create VPN connection on Windows 10
227
3. Set VPN connection parameters, and then click Save.
(1) Select VPN provider, which is Windows (built-in) in this example.
(2) Set the Connection name of VPN, which is VPN Access in this example.
(3) Enter Server name or address, which is 202.105.11.22 in this example.
(4) Select VPN type, which is L2TP/IPsec with pre-shared key.
(5) Enter Pre-shared key of the IPSec tunnel, which is ip159357 in this example.
(6) Pull down the scroll bar, select Type of sign-in info, which is User name and password
in this example.
(7) Enter User name and Password, which are both Tom123 in this example.
228
4. Click VPN Access, then click Connect.
229
Create VPN connection on a mobile device (Example: iOS).
Step 1 Click Settings on your smartphone.
Step 2 Tap VPN.
230
Step 3 Tap Add VPN Configuration....
231
Step 5 Tap .
----End
Wait until the Status turns to Connected , the IPSec connection is created successfully.
232
Employees accessing headquarters resources on business trip
Assume that a branch needs to access the FTP server of headquarters. The project data of the
headquarters is stored on the FTP server. Assume that the server information is as follows:
− FTP server IP address: 192.168.0.104
− Server port: 21
− FTP server login user name and password: Tom123
When branch staff access the project data of the headquarters, they perform the following steps:
Step 1 Access the link ftp://server IP address: server port on a computer, which is
ftp://192.168.0.104 in this example.
If the server port of the LAN is not port number by default, the access format is LAN service
application layer protocol name://server IP address: Server port of the LAN.
233
Step 2 Enter the User name and Password, which are both Tom123 in this example, then click
Login.
----End
The headquarters LAN resources can be accessed successfully. See the following figure.
If you want to use the mobile device (such as smartphone and tablet) to access the FTP server, you
should install an FTP client on your mobile device first.
234
12.12 Multi-WAN policy
12.12.1 Overview
The router supports the following types of multi-WAN policy:
◼ Smart load balancing (default)
If such a policy is applied, the router automatically distributes traffic based on the bandwidth
on the Bandwidth Control page through the WAN ports to achieve load balancing.
◼ Custom
Such a policy is configured by an administrator to distribute traffic of specified IP address
groups to specified WAN ports.
Click More > Multi-WAN Policy to enter the page.
Parameter description
Parameter Description
Mutil-WAN Policy
⚫ Smart Load Balancing: The system automatically distributes traffic through the WAN
ports with the smallest amount of traffic.
⚫ Custom: It enables you to assign WAN ports to source IP addresses as required.
The router regularly detects the connection status between the WAN ports and
detection address.
⚫ Detection Address: The IP address or domain name to detect.
WAN Link Detection
⚫ Detection Method: When the route is unreachable, the network sends the TCP or
ICMP packets with error messages to the router.
⚫ Detection Interval: The interval of detection, 5 seconds by default.
235
12.12.2 Customize a multi-WAN policy
Before configuring the multi-WAN policy, go to Filter Management > IP Group/Time Group to add an
IP group first.
Step 1 Navigate to More > Multi-WAN Policy, select Custom and click +Add.
Step 2 Select the IP Group you set.
Step 3 Select the WAN port to which the policy applies.
Step 4 Click Save.
----End
Parameter description
Parameter Description
WAN Port Specifies the WAN port for incoming and outgoing traffic.
236
12.12.3 Example of customizing a multi-WAN policy
Networking Requirement
An enterprise and its branch use the wireless router to set up a network and access the internet. To
meet its internet access requirement, the enterprise has set up two broadband connections with
two different ISPs and can now access the Internet properly. To achieve load balancing, the
enterprise raises the following LAN requirements:
− The devices with IP addresses ranging from 192.168.0.2 to 192.168.0.100 access the
internet through the fixed-line broadband connection with ISP A.
− The devices with IP addresses ranging from 192.168.0.101 to 192.168.0.250 access the
internet through the mobile broadband connection with ISP B.
Solution
You can use the multi-WAN policy function of the router to meet this requirement.
WAN1 WAN2
Router
LAN
Switch
LAN1 LAN2
Configuration Procedure
Configure IP Group/Time Group Enable customize multi-WAN policy Customize multi-WAN policy rule
Step 1 Set IP address groups.
Navigate to Filter Management > IP Group/Time Group, and add the IP groups as follows.
237
Step 2 Customize multi-WAN policies.
1. Navigate to More > Multi-WAN Policy.
2. Select Custom, and click Save.
3. Click +Add, and set the rules shown in the following figure.
----End
Verification
The computers with IP addresses ranging from 192.168.0.2 to 192.168.0.100 access the internet
through WAN1.
The computers with IP addresses ranging from 192.168.0.101 to 192.168.0.250 access the internet
through WAN2.
238
12.13 IPv6
Only the WAN1 port of the router supports IPv6, so you need to connect the broadband with IPv6
service to WAN1 before configuring the following functions.
12.13.1 Overview
IPv6 is abbreviated for Internet Protocol version 6, a second-generation standard network layer
protocol. It is an upgraded version of IPv4 and addresses many defects in IPv4. The most significant
difference between IPv6 and IPv4 is that IP addresses are lengthened from 32 bits to 128 bits.
IPv6 addresses are represented as eight groups of four hexadecimal digits each, separated by
colons.
An IPv6 address consists of a network prefix and an interface ID.
− A network prefix has n bits and is similar to the network ID in an IPv4 address.
− An interface identifier has (128 – n) bits and is similar to the host ID in an IPv4 address.
Click More > IPv6 to enter the page.
By default, IPv6 is disabled.
239
12.13.2 IPv6 WAN settings
The router can access the IPv6 network of ISPs through three connection types. Choose the
connection type by referring to the following chart.
Scenario Connection Type
⚫ The ISP does not provide any PPPoEv6 user name and password.
⚫ The ISP does not provide information about IPv6 address. Obtain Automatically
⚫ You have a router that can access IPv6 network.
IPv6 service is included in the PPPoE user name and password. PPPoEv6
⚫ The ISP provides you with a set of information including IPv6 address, subnet mask,
default gateway and DNS server, etc. Static IPv6 Address
⚫ The LAN port of the upstream device disables the DHCPv6 function
Before configuring the IPv6 function, ensure that you are within the coverage of IPv6 network and
already subscribe the IPv6 internet service. Contact your ISP for any doubt about it.
Obtain automatically
This type enables the router to obtain an IPv6 address from a DHCPv6 server to access the internet.
Parameter description
Parameter Description
When the option is selected, the LAN port of router obtains IPv6 prefix from its
upstream device.
It is recommended to keep the default setting (Selected).
Obtain IPv6 Prefix
Delegation
If the LAN port cannot obtain the PD prefix, it is because the upstream device does not
support PD prefix delivery. Contact your ISP to solve this problem.
240
PPPoEv6
If your ISP provides you with the PPPoE user name and password with IPv6 service, you can choose
PPPoEv6 to access the internet.
Parameter description
Parameter Description
PPPoE Username
Specifies the PPPoE user name and password provided by your ISP.
PPPoE Password
When the option is selected, the LAN port of router obtains IPv6 prefix from its
upstream device.
It is recommended to keep the default setting (Selected).
Obtain IPv6 Prefix
Delegation
If the LAN port cannot obtain the PD prefix, it is because the upstream device does not
support PD prefix delivery. Contact your ISP to solve this problem.
241
Static IPv6 Address
When your ISP provides you with information including IPv6 address, subnet mask, default gateway
and DNS server, you can choose this connection type to access the internet with IPv6.
Parameter description
Parameter Description
IPv6 Address
Specifies the fixed IP address information provided by your ISP.
IPv6 Default
Gateway
Primary IPv6 DNS If your ISP only provides one DNS server address, you can leave the Secondary IPv6
DNS blank.
Secondary IPv6 DNS
242
12.13.3 IPv6 LAN settings
To enable LAN devices to access the IPv6 network, you can change the IPv6 LAN settings here.
Parameter description
Parameter Description
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is used to assign IP addresses
DHCPv6 and prefix to IPv6 hosts on a network. It is the IPv6 equivalent of the DHCP for IPv4. This
is also known as a stateful autoconfiguration.
Specifies the assignment type of DHCPv6 address for the clients connected to the
router.
⚫ Stateless: DHCPv6 stateless configuration. Clients obtain their IPv6 address through
Address Router Advertisement (Stateless Auto Address Configuration) and other parameters
Assignment are allocated by the DHCPv6 server.
⚫ Stateful: DHCPv6 stateful configuration. The DHCPv6 server automatically assigns IPv6
addresses/prefixes and other network configuration parameters (for example, DNS
server addresses and so on) to clients. The user needs to manually configure the start
ID and the end ID.
Start ID
The configuration is required when the IPv6 Address Assignment is set to Stateful.
End ID Specifies the range of the last segment of the IPv6 address that the DHCPv6 server
243
Parameter Description
assigns to the devices. Range: 1 to ffff.
Primary IPv6 DNS Specifies the fixed IPv6 DNS address provided by your ISP here. Available when you set
IPv6 DNS to Manual.
Secondary IPv6
DNS If your ISP only provides one DNS server address, you can leave the Secondary IPv6 DNS
blank.
244
13 Maintenance
13.1 Reboot
If any parameter fails to take effect or the router does not work properly, you can try rebooting the
router.
Click Maintenance > Reboot, and follow the on-screen instruction to reboot the device.
245
13.2 Upgrade
13.2.1 Overview
The router supports Local Upgrade and Online Upgrade.
Click Maintenance > Upgrade to enter the page.
To enable your router to work properly after an upgrade, ensure that the firmware used to upgrade
complies with your product model.
When upgrading, do not power off the router.
Step 1 Visit www.tendacn.com, search the product model, and download the latest firmware to
your computer.
Step 2 Log in to the web UI of your router, and navigate to Maintenance > Upgrade.
Step 3 Set Upgrade Option to Local Upgrade.
246
Step 4 Click Browse, select and upload the firmware that has been downloaded to your computer.
Ensure that the suffix of the firmware is .bin.
----End
Wait for the upgrade to complete, then reset your router and configure it again to access the
internet. To know whether the upgrade succeeds, go to the System Status or Maintenance >
Upgrade page and check the current firmware version.
To better experience the stability and new features of the latest firmware, you are recommended to
reset the router and configure it again after the upgrade completes.
247
13.2.3 Online upgrade
When the router is connected to the internet, it checks whether there is the latest firmware version,
and displays the detected information on the page. If you want to upgrade the firmware, click
Download and Upgrade.
248
13.3 Reset
13.3.1 Overview
If the internet is inaccessible for unknown reasons, or you forget the login password, you can reset
the router to resolve the problems.
The router supports two resetting methods: Reset the router using web UI and Reset the router
using the reset button.
Resetting the router deletes all your current configurations and you need to reconfigure the router
to access the internet.
When resetting, do not power off the router.
249
13.4 Password manager
13.4.1 Overview
The router supports two account types: Administrator and Authentication. The difference between
them is their access permission.
− The Administrator account enjoys all access permission. Password for administrator
account is the login password you set during initial setup. The default password for this
account is admin.
− The Authentication account only has permission for accessing System Status and
Authentication modules. The default password for this account is rzadmin.
Click Maintenance > Password Manager to enter the page.
250
13.5 Reboot schedule
13.5.1 Overview
Click Maintenance > Reboot Schedule to enter the page.
On this page, you can set the router to automatically reboot periodically to avoid such phenomena
as deteriorating performance and instability caused by long time operation.
To enable reboot schedule function to work properly, ensure that the System time of your router is
correct.
----End
The device automatically reboots at 3 am on each Thursday.
251
13.6 Backup/Restore
13.6.1 Overview
The backup function is used to export the current configuration of the router to your computer. The
restore function is used to import a configuration file to the router.
You are recommended to back up the configuration after it is significantly changed. When the
performance of your router decreases because of an improper configuration, or after you restore
the router to factory settings, you can use this function to restore the configuration that has been
backed up.
Click Maintenance > Backup/Restore to enter the page.
----End
252
13.6.3 Restore your previous configuration
Step 1 Navigate to Maintenance > Backup/Restore.
Step 2 Click Browse, and upload the configuration file ending with .cfg.
Step 3 Click Restore and follow the on-screen instruction to restore the configuration.
----End
253
13.7 System log
System logs record information about the system running statuses such as system startup, dialing,
time synchronization, device login and WAN connection. When system malfunctions occur, you can
use the system log for troubleshooting.
Click Maintenance > System Log to enter the page.
Click Export Log, the log file will be downloaded to your local computer.
The router records three log types: System Log, Attack Log, and Error Log. You can view all logs or
filter the logs to view as needed.
The time of log depends on the system time of the router. To make sure it is correct, please set
correctly the System time of the router first.
The router only records the logs occurred after the last reboot.
After a power cutoff, such operations as power-on again, firmware upgrade, backup/restore, and
reset will all cause the router to reboot.
254
13.8 Diagnostic tool
13.8.1 Overview
Click Maintenance > Diagnostic Tool to enter the page.
You can execute Ping/Traceroute command on this page.
− Ping: Used to check whether the connection is correct and the connection quality.
− Traceroute: Used to detect the route from the bridge to the destination IP address or
domain name.
255
13.8.3 Execute Traceroute command
Assume that:
You need to detect the path from the router to Bing website.
Step 1 Navigate to Maintenance > Diagnostic Tool.
Step 2 Select Traceroute as the Diagnostic Tool.
Step 3 Enter the IP address or domain name of the traceroute target, which is cn.bing.com in this
example.
Step 4 Click Start.
----End
Wait a moment. The traceroute result will be displayed in the result box.
256
13.9 System time
Click Maintenance > System Time to enter the page.
This function is used to set the system time of your router. To make the time-related functions
effective, ensure that the system time of the router is set correctly.
The router supports: Synchronize with internet time (default) and Set system time manually.
Parameter description
Parameter Description
Specifies an interval at which the router synchronizes its system time with the time
Sync Interval
server on the internet.
Time Zone Specifies the time zone where the router is deployed.
257
13.9.2 Set system time manually
With this method, you can manually specify a system time for the router. When Manual option is
selected, the related parameters are shown as follows.
With this method, you need to manually reconfigure the system time each time the router reboots.
After configuration, you can navigate to the System status page to check whether the system time is
correct.
Parameter description
Parameter Description
Date You can directly enter the correct time here. Or, you can click Sync with Local PC
Time to synchronize the time of the router with that of the computer managing the
Time router.
258
13.10 Function center
Click Maintenance > Function Center to enter the page.
On this page, you can view the Enabled Function and Disabled Function of the router. You can enter
the configuration page of a function after clicking it.
259
Appendix
Acronyms and Abbreviations
Acronym and Abbreviation Full Spelling
AH Authentication Header
AP Access Point
AUTH Authentication
GI Guard Interval
HQ Headquarters
260
Acronym and Abbreviation Full Spelling
IP Internet Protocol
MGMT Management
OA Office Automation
SA Security Association
261
Acronym and Abbreviation Full Spelling
SYS System
UI User Interface
262