Wifi 6 Hospot Rport

Version 1.
Copyright Statement
© 2022 Shenzhen Tenda Technology Co., Ltd. All rights reserved.
is a registered trademark legally held by Shenzhen Tenda Technology Co., Ltd. Other
brand and product names mentioned herein are trademarks or registered trademarks of their
respective holders. Copyright of the whole product as integration, including its accessories and
software, belongs to Shenzhen Tenda Technology Co., Ltd. No part of this publication can be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language
in any form or by any means without the prior written permission of Shenzhen Tenda Technology
Co., Ltd.
Disclaimer
Pictures, images and product specifications herein are for references only. To improve internal
design, operational function, and/or reliability, Tenda reserves the right to make changes to the
products without obligation to notify any person or organization of such revisions or changes.
Tenda does not assume any liability that may occur due to the use or application of the product
described herein. Every effort has been made in the preparation of this document to ensure
accuracy of the contents, but all statements, information and recommendations in this document
do not constitute a warranty of any kind, express or implied.
i
Version 1.0
Preface
Thank you for choosing Tenda! Please read this user guide carefully before you start.
Conventions
This user guide applies to the Tenda AX3000 Dual Band Wi-Fi 6 Wireless Hotspot Router W30E.
The contained images and UI screenshots are subject to the actual products.
The typographical elements that may be found in this document are defined as follows.
Item Presentation Example
Cascading menus > System > Live Users
Parameter and value Bold Set User Name to Tom.
Variable Italic Format: XX:XX:XX:XX:XX:XX
UI control Bold On the Policy page, click the OK button.
Message “” The “Success” message appears.
The symbols that may be found in this document are defined as follows.
Symbol Meaning
This format is used to highlight information of importance or special interest.

Ignoring this type of note may result in ineffective configurations, loss of data or
damage to device.
This format is used to highlight a procedure that will save time or resources.
For more documents

Go to our website at www.tendacn.com and search for the latest documents for this product.
Document Description
It introduces how to set up the device quickly for internet access, the
Quick Installation Guide descriptions of LED indicators, ports, and buttons, FAQ, statement information,
and so on.
It introduces how to set up more functions of the device for more requirements,
User Guide
including all functions on the web UI of the device.
It introduces the basic information of the device, including product overview,

Data Sheet
selling points, and specifications.
ii
Version 1.0
Technical Support
If you need more help, contact us by any of the following means. We will be glad to assist you as
soon as possible.
Global: (86) 755-27657180
(China Time Zone)
United States: 1-800-570-5892

(Toll Free: 7 x 24 hours) support@tenda.com.cn
Hotline Email
Canada: 1-888-998-8966
(Toll Free: Mon - Fri 9 am - 6 pm PST)
Hong Kong: 00852-81931998
www.tendacn.com
Website
Revision History
Tenda is constantly searching for ways to improve its products and documentation. The following
table indicates any changes that might have been made since the user guide was released.
Version Date Description
V1.0 2022-08-23 Original publication
iii
Version 1.0
Contents
1 Login ............................................................................................................................................ 1
1.1 Log in to the web UI .............................................................................................................. 1
1.2 Logout ................................................................................................................................... 5
2 Web UI ......................................................................................................................................... 6
2.1 Web UI layout........................................................................................................................ 6
2.2 Frequently-used buttons ....................................................................................................... 7
3 System status ............................................................................................................................... 8
3.1 Check physical connections and system status ...................................................................... 8
3.1.1 Check physical connections ........................................................................................ 8
3.1.2 View system status ................................................................................................... 10
3.2 View CPU and memory status ............................................................................................. 14
3.3 Monitor traffic ..................................................................................................................... 14
3.3.1 Enable traffic monitoring .......................................................................................... 14
3.3.2 View traffic statistics................................................................................................. 15
3.4 Manage online devices ........................................................................................................ 17
3.5 Control bandwidth of online devices................................................................................... 18
3.6 Blacklist ............................................................................................................................... 20
3.6.1 Add devices to blacklist ............................................................................................ 20
3.6.2 Remove devices from blacklist ................................................................................. 21
3.7 Manage APs......................................................................................................................... 22
4 Internet settings ......................................................................................................................... 24
4.1 Internet Settings .................................................................................................................. 24
4.1.1 Overview .................................................................................................................. 24
4.1.2 Configure multiple WAN ports.................................................................................. 26
4.1.3 Set up for internet access ......................................................................................... 29
4.2 WAN parameters ................................................................................................................. 36
4.2.1 WAN speed ............................................................................................................... 36
4.2.2 MTU.......................................................................................................................... 37
4.2.3 Clone MAC address .................................................................................................. 38
4.3 LAN settings ........................................................................................................................ 40
4.3.1 Modify LAN IP address of the router ........................................................................ 40
4.3.2 Modify DHCP server ................................................................................................. 41
5 Wireless ..................................................................................................................................... 43
iv
Version 1.0
5.1 Wireless settings ................................................................................................................. 43
5.2 Max rate & isolation ............................................................................................................ 46
5.3 MAC filters........................................................................................................................... 48
5.3.1 Overview .................................................................................................................. 48
5.3.2 Configure a MAC filter rule ....................................................................................... 49
5.3.3 Example of configuring MAC filters rule ................................................................... 51
5.4 Advanced settings ............................................................................................................... 54
5.5 Guest network ..................................................................................................................... 58
6 Address reservation ................................................................................................................... 60
6.1 Address reservation ............................................................................................................ 60
6.2 Configure address reservation ............................................................................................ 62
6.2.1 Quick address reservation ........................................................................................ 62
6.2.2 Manual address reservation ..................................................................................... 64
7 Bandwidth control ..................................................................................................................... 65
7.1 Overview ............................................................................................................................. 65
7.2 Manual ................................................................................................................................ 66
7.3 Auto .................................................................................................................................... 68
7.4 Limit by group ..................................................................................................................... 69
7.5 Example of configuring limit by group rules ........................................................................ 71
8 Authentication ........................................................................................................................... 74
8.1 Captive portal ...................................................................................................................... 74
8.1.1 Overview .................................................................................................................. 74
8.1.2 Configure SMS authentication .................................................................................. 79
8.1.3 Configure local user authentication.......................................................................... 82
8.1.4 Configure email authentication ................................................................................ 84
8.1.5 Configure one-key authentication ............................................................................ 86
8.2 User management ............................................................................................................... 88
8.2.1 Overview .................................................................................................................. 88
8.2.2 Add user accounts for local user authentication ...................................................... 89
8.3 Examples of configuring authentication .............................................................................. 91
8.3.1 Example of configuring SMS authentication ............................................................. 91
8.3.2 Example of configuring local user authentication ..................................................... 97
8.3.3 Example of configuring email authentication ......................................................... 103
9 AP mangement......................................................................................................................... 108
9.1 Basic settings ..................................................................................................................... 108
9.1.1 Overview ................................................................................................................ 108
9.1.2 Distribute wireless policies to APs .......................................................................... 110
v
Version 1.0
9.2 AP settings......................................................................................................................... 111
9.2.1 Overview ................................................................................................................ 111
9.2.2 Upgrade the APs ..................................................................................................... 113
9.2.3 Reset the APs .......................................................................................................... 114
9.2.4 Reboot the APs ....................................................................................................... 115
9.2.5 Delete the APs ........................................................................................................ 116
9.2.6 Refresh the page .................................................................................................... 117
9.2.7 Export data ............................................................................................................. 117
9.2.8 More settings ......................................................................................................... 118
9.3 Advanced settings ............................................................................................................. 119
10 USB sharing .............................................................................................................................. 122
10.1 Overview ......................................................................................................................... 122
10.2 USB sharing ..................................................................................................................... 122
10.3 Example of configuring USB sharing ................................................................................ 124
10.3.1 Networking requirement ...................................................................................... 124
10.3.2 Network topology................................................................................................. 124
10.3.3 Configuration procedure ...................................................................................... 125
10.3.4 Verification ........................................................................................................... 126
11 Filter management ................................................................................................................... 127
11.1 IP group/time group ........................................................................................................ 127
11.1.1 Overview .............................................................................................................. 127
11.1.2 Add a time group .................................................................................................. 129
11.1.3 Add an IP group .................................................................................................... 130
11.2 MAC address filter ........................................................................................................... 131
11.2.1 Overview .............................................................................................................. 131
11.2.2 Configure a MAC address filter rule ...................................................................... 132
11.2.3 Example of configuring a MAC address filter rule ................................................. 133
11.3 IP address filter ............................................................................................................... 136
11.3.1 Overview .............................................................................................................. 136
11.3.2 Configure an IP address filter rule ........................................................................ 137
11.3.3 Example of configuring an IP address filter rule ................................................... 138
11.4 Port filter ......................................................................................................................... 142
11.4.1 Overview .............................................................................................................. 142
11.4.2 Configure a port filter rule .................................................................................... 143
11.4.3 Example of configuring a port filter rule ............................................................... 144
11.5 URL filter ......................................................................................................................... 148
11.5.1 Overview .............................................................................................................. 148
vi
Version 1.0
11.5.2 Customize a URL group ......................................................................................... 149
11.5.3 Configure a URL filter rule .................................................................................... 150
11.5.4 Example of configuring a URL filter rule ............................................................... 152
11.6 Log audit ......................................................................................................................... 157
11.6.1 Log settings .......................................................................................................... 157
11.6.2 Log storage ........................................................................................................... 159
12 More settings ........................................................................................................................... 160
12.1 Static route ...................................................................................................................... 160
12.1.1 Overview .............................................................................................................. 160
12.1.2 Configure a static routing rule .............................................................................. 161
12.1.3 Example of configuring static route ...................................................................... 162
12.2 Port mirroring.................................................................................................................. 166
12.2.1 Overview .............................................................................................................. 166
12.2.2 Example of configuring port mirroring ................................................................. 167
12.3 Remote web management .............................................................................................. 169
12.3.1 Overview .............................................................................................................. 169
12.3.2 Example of configuring remote web management ............................................... 170
12.4 DDNS ............................................................................................................................... 172
12.4.1 Overview .............................................................................................................. 172
12.4.2 Example of configuring DDNS ............................................................................... 174
12.5 Port forwarding ............................................................................................................... 179
12.5.1 Overview .............................................................................................................. 179
12.5.2 Configure a port forwarding rule .......................................................................... 180
12.5.3 Example of configuring a port forwarding rule ..................................................... 181
12.6 DMZ host ......................................................................................................................... 186
12.6.1 Overview .............................................................................................................. 186
12.6.2 Example of configuring DMZ host......................................................................... 187
12.7 UPnP................................................................................................................................ 191
12.7.1 Overview .............................................................................................................. 191
12.7.2 Enable UPnP ......................................................................................................... 191
12.8 Any IP .............................................................................................................................. 192
12.9 DNS forwarding ............................................................................................................... 193
12.10 Security settings ............................................................................................................ 194
12.11 VPN ............................................................................................................................... 196
12.11.1 Overview ............................................................................................................ 196
12.11.2 VPN server .......................................................................................................... 197
12.11.3 VPN client ........................................................................................................... 200
vii
Version 1.0
12.11.4 IPSec ................................................................................................................... 202
12.11.5 Example of configuring a PPTP/L2TP VPN ........................................................... 212
12.11.6 Example of configuring an IPSec VPN ................................................................. 218
12.11.7 Example of configuring a L2TP over IPSec VPN ................................................... 223
12.12 Multi-WAN policy .......................................................................................................... 235
12.12.1 Overview ............................................................................................................ 235
12.12.2 Customize a multi-WAN policy ........................................................................... 236
12.12.3 Example of customizing a multi-WAN policy ...................................................... 237
12.13 IPv6 ............................................................................................................................... 239
12.13.1 Overview ............................................................................................................ 239
12.13.2 IPv6 WAN settings .............................................................................................. 240
12.13.3 IPv6 LAN settings ................................................................................................ 243
13 Maintenance ............................................................................................................................ 245
13.1 Reboot ............................................................................................................................. 245
13.2 Upgrade........................................................................................................................... 246
13.2.1 Overview .............................................................................................................. 246
13.2.2 Local upgrade ....................................................................................................... 246
13.2.3 Online upgrade ..................................................................................................... 248
13.3 Reset ............................................................................................................................... 249
13.3.1 Overview .............................................................................................................. 249
13.3.2 Reset the router using web UI .............................................................................. 249
13.3.3 Reset the router using the reset button ............................................................... 249
13.4 Password manager .......................................................................................................... 250
13.4.1 Overview .............................................................................................................. 250
13.4.2 Modify login password ......................................................................................... 250
13.5 Reboot schedule.............................................................................................................. 251
13.5.1 Overview .............................................................................................................. 251
13.5.2 Customize reboot schedule .................................................................................. 251
13.6 Backup/Restore ............................................................................................................... 252
13.6.1 Overview .............................................................................................................. 252
13.6.2 Back up your current configuration ...................................................................... 252
13.6.3 Restore your previous configuration .................................................................... 253
13.7 System log ....................................................................................................................... 254
13.8 Diagnostic tool ................................................................................................................ 255
13.8.1 Overview .............................................................................................................. 255
13.8.2 Execute Ping command ........................................................................................ 255
13.8.3 Execute Traceroute command .............................................................................. 256
viii
Version 1.0
13.9 System time..................................................................................................................... 257
13.9.1 Synchronize with internet time ............................................................................ 257
13.9.2 Set system time manually ..................................................................................... 258
13.10 Function center ............................................................................................................. 259
Appendix ......................................................................................................................................... 260
Acronyms and Abbreviations .................................................................................................. 260
ix
Version 1.0
1 Login
1.1 Log in to the web UI
If you use this router for the first time or have reset it to factory settings, refer to the quick
installation guide to complete the setup wizard. Otherwise, refer to the following steps.
1.1.1 Log in with your computer

Step 1 Connect your computer to a LAN port of the router with an Ethernet cable.
Step 2 Set the local connection of your computer to Obtain an IP address automatically and
Obtain DNS server address automatically.
Step 3 Start a web browser, and visit tendawifi.com.
Step 4 Enter the login password of the router you set, and click Login.
- By default, the WiFi password is set as the login password automatically. Thus, if you forget the
login password, try with the WiFi password.
- If the above fails, reset the router to factory settings and then set the login password. After reset,
you need to reconfigure the network.
----End
1
Version 1.0
If the above page does not appear, try the following solutions:
- Ensure that the router is powered on properly.
- Ensure that the computer is connected to a LAN port of the router, and the corresponding
indicator lights solid on or blinks.
- Reset the router to factory settings, and log in again.
Log in to the web UI successfully. See the following figure.
2
Version 1.0
1.1.2 Log in with your smartphone

Step 1 Connect your smartphone to the SSID of the router.
Step 2 Start a web browser on the smartphone, and visit tendawifi.com.
Step 3 Enter the login password of the router you set, and click Login.
- By default, the WiFi password is set as the login password automatically. Thus, if you forget the
login password, try with the WiFi password.
- If the above fails, reset the router to factory settings and then set the login password. After reset,
you need to reconfigure the network.
----End
If the above page does not appear, try the following solutions:
- Ensure that your smartphone is connected to the WiFi network of the router.
- Ensure that the mobile data is disabled.
- Reset the router to factory settings, and log in again.
3
Version 1.0
Log in to the web UI successfully. See the following figure.
4
Version 1.0
1.2 Logout
If you log in to the web UI of the router and perform no operation within 20 minutes, the router
logs you out automatically.
You can log out by clicking Logout on the upper right corner of the web UI as well.
5
Version 1.0
2 Web UI
2.1 Web UI layout
The web UI of the router consists of three sections, including the level-1, level-2 navigation bar, and
configuration area. See the following figure:
1
S
3
1
Features and parameters in gray indicate that they are not available or cannot be changed under the
current condition.
No. Name Description
❶ Level-1 navigation bar Used to display the function menu of the router. Users can select functions
in the navigation bars and the configuration appears in the configuration
❷ Level-2 navigation bar area.
❸ Configuration area Used to modify or view your configuration.
6
Version 1.0
2.2 Frequently-used buttons

The following table describes the frequently-used buttons available on the web UI of the router.
Button Description
Used to add a new rule or policy.
Used to delete the selected rule or policy.
Used to save the configuration on the current page and enable the configuration to take
effect.
Used to change the current configuration on the current page back to the original
configuration.
Used to refresh the page information.
Used to view help information for the current page.
7
Version 1.0
3 System status
In the System Status module, you can:
◼ Check physical connections and system status
◼ View CPU and memory status
◼ Monitor traffic
◼ Manage online devices
◼ Control bandwidth of online devices
◼ Add devices to or remove devices from blacklist
◼ Manage APs
3.1 Check physical connections and system status

Click System Status to enter the page.
Here, you can check if the physical connections are proper, or view the router’s system status.
3.1.1 Check physical connections

The following figure indicates that the router is connected to the internet properly through the
WAN1 port.
8
Version 1.0
You can click WAN1 to view the connection type and status.
The following figure indicates that the router is disconnected from the internet. Check whether the
Ethernet cable is connected properly.
9
Version 1.0
3.1.2 View system status

Click the Router icon , then the Device Info window pops up.
The Device Info window consists of four parts: Operating Status, LAN Port Status, WAN Info and
IPv6 Status.
Operating status
This module displays the router’s operating status about the system time, uptime, firmware version
and so on.
Parameter description
Parameter Description
Specifies the current system time of the router.

System Time
You can set system time by navigating to Maintenance > System time.
Uptime Specifies the time that has elapsed since the router was started last time.
Firmware Version Specifies the firmware version number of the router.
Device Name Specifies the name of your router.
CPU Usage Specifies the current CPU usage of the router.
Memory Usage Specifies the current memory usage of the router.
10
Version 1.0
LAN port status

This module displays the LAN IP address and the MAC address of the router.
You can modify LAN settings by navigating to More > LAN settings.
WAN info
This module displays parameters about all enabled WAN ports, including connection type, status, IP
address and so on.
Connection Type Specifies the internet connection type of the corresponding WAN port.
11
Version 1.0
Specifies whether or not the WAN port is plugged. If Disconnected appears, check
Status
its physical connection.
IP Address Specifies the IP address of the corresponding WAN port.
Subnet Mask Specifies the subnet mask of the corresponding WAN port.
Default Gateway Specifies the gateway IP address of the corresponding WAN port.
Primary DNS
Specify the primary/secondary DNS server addresses of the corresponding WAN
port.
Secondary DNS
Upload Rate
Specify the upload and download rates of the corresponding WAN port.
Download Rate
IPv6 status
This module displays the Connection Type, Status and other parameters of the IPv6 WAN port and
the IPv6 LAN address (This part appears when you enable the IPv6 function).
Connection Type Specifies the internet connection type of the corresponding IPv6 WAN port.
12
Version 1.0
Specifies whether or not the IPv6 WAN port is plugged. If Unplugged appears,
Status
check its physical connection.
IPv6 WAN Address Specifies the IP address of the corresponding IPv6 WAN port.
IPv6 Default Gateway Specifies the gateway IP address of the corresponding IPv6 WAN port.
Primary IPv6 DNS

Specify the primary/secondary DNS server addresses of the corresponding IPv6
WAN port.
Secondary IPv6 DNS
IPv6 LAN Address Specifies the IP address of the corresponding IPv6 LAN port.
13
Version 1.0
3.2 View CPU and memory status

Click System Status > CPU Status/Memory Status to enter the page.
Here, you can view the CPU and memory usage rates of the router.
3.3 Monitor traffic

3.3.1 Enable traffic monitoring
Click System Status > Top 5 Fastest Devices to enter the page.
Here, you can toggle on Traffic Monitoring to view the traffic statistics of the router. By default, it is
disabled.
14
Version 1.0
3.3.2 View traffic statistics

Click System Status > More Statistics to enter the page.
Here, you can view the dynamic flow of upload and download traffic on the WAN port of the router,
and can also learn the basic information of certain client and relevant parameters such as Upload
Bandwidth, Download Bandwidth and Uptime.
Specifies the names of clients connected to the router, connection way, their IP
Host Name
addresses, and MAC addresses.
Concurrent Sessions Specifies the number of TCP connections between the client and the router.
15
Version 1.0
Upload Bandwidth
Specify the real-time upload/download bandwidth of each client.
Download Bandwidth
Total Download Specify the total download traffic utilized by each client.
Uptime Specifies the connection time of each client. The format is Hour:Minute.
16
Version 1.0
3.4 Manage online devices

Here, you can view and manage the top 5 fastest terminals, or click Terminals to view and manage
all online terminal devices.
When managing all online terminal devices, you can enter the host name, IP address, MAC address
in the search bar to filter them quickly.
17
Version 1.0
3.5 Control bandwidth of online devices

Here, you can control the bandwidth of top 5 fastest terminals, or click Terminals to control the
bandwidth of all online terminal devices. Here takes all online terminal devices as an example.
Control bandwidth of online devices individually:
Step 1 Click Terminals to enter the Bandwidth Control and Blacklist page.
Step 2 Locate the devices as required, select a pre-defined value from the drop-down list menu of
Upload Limit and/or Download Limit, or select Manual to specify a value manually.
----End
You can view the configured upload and download limits of a device as shown below.
18
Version 1.0
Control bandwidth of online devices in batches:

Step 2 Click Limit All, specify the values according to your actual situation, and click Save.
You can view the configured upload and download limits of all online devices as shown below.
Upload/download limits of devices that are configured by Limit by Group policy cannot be modified
here.
19
Version 1.0
3.6 Blacklist
Here, you can add devices to or remove devices from the blacklist.
3.6.1 Add devices to blacklist

The blocked devices will be moved to the Blacklist section, and cannot connect to your router.
Add top 5 fastest devices to blacklist:
Step 1 Locate the device on the System Status page.
Step 2 Click Blacklist.
----End
Add other online devices to blacklist:
Step 2 Locate the device among Online Devices, and click Blacklist.
----End
20
Version 1.0
You can view the blocked devices on the Blacklist page as shown below.
3.6.2 Remove devices from blacklist

The unblocked devices can connect to your router again.
Step 2 Locate the device among the Blacklist, and click Remove.
----End
21
Version 1.0
3.7 Manage APs

Here, you can view and manage the online APs in the network.
If you want to perform further configurations concerning the connected APs, please refer to AP
management.
To access the configuration page, click the AP icon. The AP Management window appears.
AP Model Specifies the model of the corresponding AP.
Remark Specifies the remark name that you leave for the corresponding AP.
Specifies the WiFi SSID of the corresponding AP, including 2.4G and 5G WiFi.
SSID
You can change the remark for the AP by clicking
Online Devices Specifies the number of online devices of each wireless network.
IP/MAC Address Specifies the IP address and MAC address of the corresponding AP.
22
Version 1.0
Operation By clicking , you are directed to the web UI of the AP.
Direct to AP
By clicking this button, you are directed to the configuration page of AP Management.
Management
23
Version 1.0
4 Internet settings
4.1 Internet Settings
4.1.1 Overview
Click Internet Settings to enter the page.
Here, you can configure the internet settings of the router for multiple devices in the LAN to share.
Specifies how many WAN ports you can set on the router.
WAN Ports By default, the router has only one WAN port (the WAN1 port), and you can set 3
WAN ports at most.
24
Version 1.0
Indicates that the port functions as a WAN port or a LAN port, as well as the port is
connected or not.
Port Type The port is connected properly.
The port is disconnected or improperly connected.
Specifies in which way the router is connected to the internet.

The router supports PPPoE, Static IP, and Dynamic IP. Refer to the table Choose
your connection type for details.
Connection Type
The router supports PPPoE Russia, PPTP/PPTP Russia, and L2TP/L2TP Russia as well.
These three connection types are only applicable to Russia and its vicinity.
PPPoE Username These two parameters are required only when your internet connection type is
PPPoE or PPPoE Russia.
You can obtain them from your ISP.
PPPoE Password
Server Name
These two parameters are required only when your internet connection type is
PPPoE or PPPoE Russia. Enter these two parameters (optional) provided by your ISP.
Service Name
This parameter is required only when your internet connection type is PPTP/PPTP
PPTP Server Address
Russia. You can obtain it from your ISP.
This parameter is required only when your internet connection type is L2TP/L2TP
L2TP Server Address
Russia. You can obtain it from your ISP.
User Name
These two parameters are required only when your internet connection type is
PPTP/PPTP Russia or L2TP/L2TP Russia. You can obtain them from your ISP.
Password
This parameter appears when your internet connection type is PPPoE Russia,
PPTP/PPTP Russia, or L2TP/L2TP Russia. If there is no DHCP server in the network,
Obtain an IP address select Manual and enter the IP address and related parameters. If there is a DHCP
server in the network, select Auto, and the device will obtain these parameters from
the DHCP server.
IP Address
Subnet Mask These parameters are required only when your internet connection type is Static IP
or if you set Obtain an IP address to Manual when your internet connection type is
Default Gateway PPPoE Russia, PPTP/PPTP Russia, or L2TP/L2TP Russia. The Secondary DNS
parameter is optional.
Primary DNS You can obtain them from your ISP.
Secondary DNS
25
Version 1.0
Specifies the connection status of the corresponding WAN port.

⚫ Authenticated successfully/networked: The WAN port is connected to the
internet or server.
Status ⚫ Connecting…: The router is connecting to the internet or server.
⚫ Disconnected: The port is physically disconnected, or fails to connect to the
internet or server. Please check if the physical connections are proper, or the
parameters you entered are correct.
4.1.2 Configure multiple WAN ports

The router supports 3 WAN ports at most. The multi-WAN port feature allows you to aggregate
bandwidth, enjoy uninterrupted broadband service even in case of connection malfunction, and
make ISP route selection, thus getting better utilization of your bandwidth.
Assume that:
WAN1 internet connection type is PPPoE, and PPPoE information is as follows:
- PPPoE username: tdxy123
- PPPoE password: ipxz456
WAN2 internet connection type is Dynamic IP.
Configuration procedure
Parameters for internet access are provided by your ISP. Refer to Choose your connection type
table for detailed description. Values used here are only for examples.
Modifying number of WAN ports makes the router reboot.
The following procedure describes how to configure 2 WAN ports. You can refer to the following
steps to increase or decrease WAN ports as needed.
Step 1 Select the number of WAN ports from the WAN Ports drop-down list menu, which is 2 in
this example.
The port marked with LAN2 changes into WAN2, and the WAN2 configuration area
appears.
26
Version 1.0
Step 2 On the WAN1 configuration area, enter the PPPoE information provided by your ISP.
Step 3 On the WAN2 configuration area, set Connection Type to Dynamic IP.
27
Version 1.0
Step 4 Click Save at the bottom of the page to apply your settings.
----End
Wait a moment. The router performs rebooting to apply your settings. When the status shows
Authenticated successfully or networked, your configuration is successful. See the following figure:
28
Version 1.0
4.1.3 Set up for internet access

This section describes how to set up to access the internet using different connection types.
Choose the proper connection type according to your actual environment. Use the table below to
help you select your internet connection type if you are uncertain about how to select one.
Choose your connection type:
Connection Type Available Parameters
PPPoE PPPoE username, PPPoE password, server name, and service name.
Static IP IP address, subnet mask, default gateway, primary DNS, and secondary DNS (optional).
None or the device is connected to an upstream device which can access the internet and
Dynamic IP
has its DHCP server enabled.
PPPoE username, PPPoE password, server name, and service name.
PPPoE Russia If the DHCP server of the upstream device is disabled (means you have to select Manual
for Obtain an IP address), then the IP address, subnet mask, default gateway, and primary
DNS are required.
PPTP server address, user name, and password.
PPTP/PPTP Russia If the DHCP server of the upstream device is disabled (means you have to select Manual
DNS are required.
L2TP server address, user name, and password.
L2TP/L2TP Russia If the DHCP server of the upstream device is disabled (means you have to select Manual
DNS are required.
29
Version 1.0
PPPoE
Step 1 Navigate to Internet Settings > Internet Settings.
Step 2 Set Connection Type to PPPoE.
Step 3 Enter the PPPoE Username and PPPoE Password provided by your ISP.
----End
Wait a moment. When the Status shows Authenticated successfully, the router is connected to the
internet successfully
If the username and password you entered are correct but the router fails to connect to the
internet, try to modify WAN parameters in Internet Settings > WAN Parameters.
30
Version 1.0
Static IP
Step 2 Set Connection Type to Static IP.
Step 3 Enter the IP Address, Subnet Mask, Default Gateway and Primary/Secondary DNS
provided by your ISP.
----End
Wait a moment. When the Status shows networked, the router is connected to the internet
successfully.
If the router fails to connect to the internet, try to modify WAN parameters in Internet Settings >
WAN Parameters.
31
Version 1.0
Dynamic IP
Step 2 Set Connection Type to Dynamic IP.
----End
successfully.
WAN Parameters.
32
Version 1.0
PPPoE Russia
Step 2 Set Connection Type to PPPoE Russia.
Step 3 Enter the PPPoE Username, PPPoE Password provided by your ISP. If the Server Name,
Service Name, IP Address and other related parameters are also provided, enter them in
the corresponding input box as well.
----End
Wait a moment. When the Status shows Authenticated successfully, the router is connected to the
internet successfully
If the username and password you entered are correct but the router fails to connect to the
internet, try to modify WAN parameters in Internet Settings > WAN Parameters.
33
Version 1.0
PPTP/PPTP Russia
Step 2 Set Connection Type to PPTP/PPTP Russia.
Step 3 Enter the PPTP Server Address, User Name, and Password provided by your ISP. If the IP
Address and related parameters are also provided, enter them in the corresponding input
box as well.
----End
successfully.
WAN Parameters.
34
Version 1.0
L2TP/L2TP Russia
Step 2 Set Connection Type to L2TP/L2TP Russia.
Step 3 Enter the L2TP Server Address, User Name, and Password provided by your ISP. If the IP
Address and related parameters are also provided, enter them in the corresponding input
box as well.
---End
successfully.
WAN Parameters.
35
Version 1.0
4.2 WAN parameters

Click Internet Settings > WAN Parameters to enter the page.
If you have configured Internet Settings but your LAN devices cannot access the internet, try
modifying WAN port parameters here.
4.2.1 WAN speed

The speed of an Ethernet physical port is determined through negotiation with its peer device. The
negotiated speed can be any speed within the interface capability.
If an Ethernet cable is connected to a WAN port but the WAN port does not light, or the WAN port
lights up after a while (5 seconds or above), you can try to change the WAN Speed to 10 Mbps Full
Duplex or 10 Mbps Half Duplex to fix this issue.
In other cases, it is recommended to set the WAN Speed to Auto Negotiation.
Duplex modes supported by the router and their scenarios:
Speed and Duplex Applicable scenario
The duplex mode of the port is determined through auto negotiation between the
router and its peer device.
You are recommended to keep the default settings since auto negotiation is the default
Auto Negotiation
option for most of Ethernet network devices.
If the router uses auto negotiation, while its peer uses non-auto negotiation, the
negotiated duplex mode is half duplex.
36
Version 1.0
Speed and Duplex Applicable scenario
The interface can receive and send packets simultaneously, leading to low latency and
high efficiency. 10/100/1000 Mbps indicates the maximum link speed that both ends
can negotiate.
10/100/1000 Mbps
Full Duplex
You are recommended to use the same speed link and duplex modes for both ends.
Otherwise, network connection issues may occur.
The interface can either receive or send packets at a time. 10/100 Mbps indicates the
maximum link speed that both ends can negotiate.
10/100 Mbps Half
Duplex
You are recommended to use the same speed link and duplex modes for both ends.
Otherwise, network connection issues may occur.
4.2.2 MTU
MTU is abbreviated for Maximum Transmission Unit. It specifies the maximum size of a packet that
can be transmitted by a network device. Either larger or smaller MTU value affects the network
performance.
Do not modify the default settings unless the following situations happen:
− Some websites are inaccessible, or secure websites cannot be displayed properly, such as online
banking websites, or PayPal.
− Email service suspends, or servers, such as FTP/POP servers, are inaccessible.
In such situations, try to reduce the MTU value from the maximum of 1500 to a smaller value
(Recommended range: 1400 – 1500) until the problem is solved.
37
Version 1.0
Commonly-used MTU value in different scenarios:
MTU (Bytes) Scenario
1500 It is the most common value for non-PPPoE connections and non-VPN connections.
1492 It is used for PPPoE connections.
It is the maximum value for the ping function. (If a greater value is used, packets are
1480
split.)
1450 It is used for DHCP, which assigns dynamic IP addresses to connected devices.
1400 It is used for VPNs or PPTP.
4.2.3 Clone MAC address

Some ISPs allow only a single or a certain number of computers to use the broadband service you
subscribed, and register the MAC address of your computer when you first use their cable modem
for internet access. Therefore, you may find yourself in the following situations after setting up the
router:
− Only one computer can access the internet normally.
− No internet connection at all.
The reason why such a problem happens is that your ISP does not accept MAC addresses other than
the registered one. To resolve this, you need to clone the MAC address of the registered computer
to the router to pretend that the router has the same MAC address as the registered one.
The cloning MAC address function is designed for this purpose.
Option A: Clone Local Host MAC

Step 1 Connect a computer already with internet connectivity to the router.
Step 2 Log in to the web UI of the router, navigate to Internet Settings > WAN Parameters, and
set MAC Address to Clone Local Host MAC.
38
Version 1.0
----End
Option B: Manual MAC
Step 1 Record the correct MAC address.
Step 2 Log in to the web UI of the router and navigate to Internet Settings > WAN Parameters.
Step 3 Set MAC Address to Manual, then enter the correct MAC address (“the MAC address of
the computer which directly connects to the Ethernet jack and has internet connectivity”
or “the MAC address of the WAN port of the router on which you set up the internet
connection”).
----End
If you want to restore the MAC address of the WAN port to the default MAC address, set MAC Address
to Default MAC, and click Save.
39
Version 1.0
4.3 LAN settings

Click Internet Settings > LAN Settings to enter the page.
Here, you can view and modify the LAN IP address of the router, and configure the DHCP server.
4.3.1 Modify LAN IP address of the router

The LAN IP address is also the login IP address of the router. The default LAN IP address is
192.168.0.1.
In case of IP address conflict, for example, “The router’s WAN IP address and LAN IP address are in the
same network segment.”, the IP network segment of LAN ports will automatically be incremented by 1
and changed to 192.168.1.1.
Generally, you do not need to modify the LAN IP address of the router. When other management
devices in the LAN network need to be set to 192.168.0.X, you can modify this router’s LAN IP
address to a network segment different from 192.168.0.X.
After the LAN IP address is changed successfully, you will be redirected to the login page.
If the network segment of the new LAN IP address is different from the original one, the router
modifies the network segment of the DHCP server automatically.
40
Version 1.0
4.3.2 Modify DHCP server

DHCP server can automatically assign IP addresses, subnet mask, gateway and other internet
parameters to devices connected to the router. If this function is disabled, you have to manually set
IP address settings for your connected devices for internet access. Therefore, you are recommended
to keep the DHCP server enabled.
With this function enabled, IP address-based functions, such as port forwarding and IP address filter
may be affected.
DHCP Server Enable or disable the DHCP server function.
Start IP
Specifies the range of IP addresses that the DHCP server can assign. The start IP
address is 192.168.0.30 and the end IP address is 192.168.0.200 by default.
End IP
41
Version 1.0
Specifies the validity period of the IP address assigned by the DHCP server to LAN
devices. By default, the time is 30 minutes.
When the IP address expires:
⚫ If the device is still connected to the network, the device will automatically renew
Lease Time and continue to occupy the IP address.
⚫ If the device is not connected to the network, the router will release the IP
address. If other devices later request IP address information, the router can
assign this IP address to other devices.
You are recommended to keep the default settings unless in special circumstances.
Specifies the primary DNS server IP address assigned by the DHCP server to LAN
devices. By default, the primary DNS server address is the LAN IP address of the
device.
Primary DNS
If you enabled the DHCP server, to ensure LAN devices can access the internet
properly, make sure that the primary DNS you set is the correct DNS server address
or DNS proxy IP address.
Specifies the secondary DNS server IP address assigned by the DHCP server to LAN
Secondary DNS devices. If this parameter is left blank, the DHCP server does not assign the
secondary DNS server IP address.
42
Version 1.0
5 Wireless
5.1 Wireless settings
Click Wireless > Wireless Settings to enter the page.
Here, you are allowed to set up WiFi network-related parameters, such as view and edit wireless
network names (SSID), WiFi passwords, configure 2.4 GHz and 5 GHz WiFi networks separately, hide
your WiFi network so that nearby wireless clients cannot detect it, and specify how many wireless
clients can connect to a wireless network.
43
Version 1.0
Enable WiFi Network Enable or disable the wireless network of the router.
After this function is enabled, the 2.4 GHz guest network and the 5 GHz guest
network share the same WiFi network name and password. A wireless client will be
Unify 2.4&5 GHz SSID
automatically connected to the WiFi network with the best network quality when
connecting to the guest network.
SSID Specifies the wireless network name of the corresponding WiFi network.
Specifies the password used for wireless internet connection. You are recommended
WiFi Password
to use the combination of digits, letters and special characters for higher security.
Specifies the encryption types supported by the router.

⚫ None: Open wireless network. No password is required when a client connects to
the wireless network. To secure the network, this option is not recommended.
⚫ WPA-PSK: The wireless network adopts the WPA-PSK authentication method (AES
encryption rule). It is featured with better compatibility than WPA2-PSK.
⚫ WPA2-PSK: The wireless network adopts the WPA2-PSK authentication method
(AES encryption rule). It is featured with higher security level than WPA-PSK.
⚫ WPA-PSK/WPA2-PSK: The wireless network adopts both WPA-PSK and WPA2-PSK.
⚫ WPA2-PSK/WPA3-SAE: The wireless network adopts both WPA2-PSK and
Encryption Type WPA3-SAE. With Simultaneous Authentication of Equals (SAE) and Protected
Management Frames (PMF), WPA3-SAE provides protection against dictionary
attacks and information disclosure, saving you the trouble to set a complicated
password. Through such mixed encryption mode, the router allows clients that do
not support WPA3 to access the wireless network, ensuring both compatibility and
security.
WPA3-SAE is an upgraded version of WPA2-PSK. If your wireless client does not

support WPA3-SAE, or the actual WiFi experience is bad, it is recommended to set
the encryption type to WPA2-PSK.
With this function enabled, nearby wireless clients cannot detect the SSID, and you
need to manually enter the SSID on the wireless client to access the wireless
network.
Hide SSID
The function appears when you enable Unify 2.4&5 GHz SSID.
With this function enabled, nearby wireless clients cannot detect the 2.4 GHz SSID,
and you need to manually enter the SSID on the wireless client to access the wireless
network.
Hide 2.4 GHz SSID
The function appears when you disable Unify 2.4&5 GHz SSID.
44
Version 1.0
With this function enabled, nearby wireless clients cannot detect the 5 GHz SSID,
and you need to manually enter the SSID on the wireless client to access the wireless
network.
Hide 5 GHz SSID
The function appears when you disable Unify 2.4&5 GHz SSID.
Maximum number of wireless clients that can be connected to the wireless network
with the SSID at the same time.
Max. Clients After the value is reached, this wireless network denies new connection requests.
Clients connected to all the enabled wireless networks (including guest networks) of
the router cannot exceed 128 on 2.4 GHz and 5 GHz bands respectively. If you
enable multiple SSIDs, plan your maximum number of clients to each SSID first.
45
Version 1.0
5.2 Max rate & isolation

Click Wireless > Max Rate & Isolation to enter the page.
Here, you can limit the rate of wireless networks or isolate networks. Isolating a network makes
clients connected to it cannot communicate with clients connected to another network.
46
Version 1.0
SSID Specifies the wireless network name of the corresponding WiFi network.
With this function enabled, clients connected to different wireless networks of this
Isolate this network device cannot communicate with each other, leading to higher wireless network
security. By default, this function is disabled.
Shared Download Rate

Specifies the maximum download and upload rates shared by all clients connected
to the wireless network.
Shared Upload Rate
This function is only applicable to WiFi Network2/3.
No access to LAN With this function enabled, clients connected to this wireless network cannot access
the web UI and private network (LAN) of this router, protecting your LAN network
security. By default, this function is disabled.
47
Version 1.0
5.3 MAC filters

5.3.1 Overview
Click Wireless > MAC Filters to enter the page.
Here, you can configure MAC address-based wireless access control rules. By default, this function is
disabled.
Lists all the main wireless networks that the router supports.
MAC Address
SSID
Filter
If you unify the SSIDs for 2.4 GHz and 5 GHz bands, the corresponding
wireless network only displays one SSID here.
48
Version 1.0
Specifies the three kinds of rules you can perform on the corresponding
wireless network.
- Disable: This function is disabled, and all wireless clients can connect to
MAC Address this wireless network.
Filter - Only Allow: Only wireless clients with the specified MAC address can
connect to this wireless network.
- Only Forbid: Only wireless clients with the specified MAC address cannot
connect to this wireless network.
MAC Address Specifies the MAC address of the client to which the rule applies.
(Optional) Specifies the brief description you set for the corresponding MAC
Remark
address.
MAC Filters
List
Effective Specifies the wireless network(s) to which the wireless client with this MAC
Network address applies.
Status Specifies whether or not the rule is enabled.
5.3.2 Configure a MAC filter rule

Step 1 Enable MAC Filters, and click Save at the bottom of the page.
Step 2 Configure the MAC address filter mode for each SSID by selecting from the MAC Address
Filter drop-down list menu.
Step 3 Add rule(s).

1. Click Add.
49
Version 1.0
2. Enter the MAC Address of a client to which a rule applies to, then enter the Remark of the
client, and select the wireless network from the drop-down list menu of the Effective
Network.
3. Click Save. The rule appears on the MAC Filter List.
----End
50
Version 1.0
5.3.3 Example of configuring MAC filters rule

Networking requirement
An enterprise uses the wireless router to set up a network.
Requirement: Only a procurement manager’s computer is allowed to connect to the WiFi network
(Procurement) of the router for internet access. Other staff cannot connect to the network.
Solution
The MAC filters function can meet this requirement. Assume that the physical address of the
computer of the procurement manager is CC:3A:61:71:1B:6E.
Step 1 Enable the MAC filters function.
1. Navigate to Wireless > MAC Filters.
2. Toggle on MAC Filters.
3. Click Save.
Step 2 Set the MAC address filter mode.

1. Select a MAC address filter mode for the WiFi network Procurement, which is Only Allow
in this example.
2. Click Save at the bottom of the page.
51
Version 1.0
Step 3 Add a MAC filter rule.

1. Click +Add.
2. On the Add configuration window, set the following parameters:

(1) Set MAC Address to CC:3A:61:71:1B:6E.
(2) (Optional) Set Remark to Procurement manager.
(3) Select Procurement from the drop-down list of Effective Network.
(4) Click Save.
----End
Added successfully. See the following figure.
52
Version 1.0
Verification
Only the before-mentioned wireless client can connect to the WiFi network Procurement while
other clients are blocked.
53
Version 1.0
5.4 Advanced settings

Click Wireless > Advanced to enter the page.
Here, you can configure the wireless-related advanced settings such as transmit power, network
mode, channel and channel bandwidth.
54
Version 1.0
2.4 GHz WiFi Network Enable or disable the 2.4 GHz wireless network of the router.
5 GHz WiFi Network Enable or disable the 5 GHz wireless network of the router.
Specifies the transmit power of this device.

Transmit Power A higher value leads to wider WiFi coverage. However, decreasing the value properly
increases performance and security of the wireless network.
Specifies the country/region that you set for the router in order to conform to the
Country/Region
regulations of different countries or regions concerning channels.
Specifies the wireless network mode (also called 802.11 mode, radio mode, or
wireless mode) of the router. A proper network mode enables the clients to get the
maximum transfer rate and compatibility.
Available options for 2.4 GHz band: 11b, 11g, 11b/g, 11b/g/n and 11b/g/n/ax
Network Mode (default).
Available options for 5 GHz band: 11a, 11ac, 11a/n mixed, 11a/n/ac, 11a/n/ac/ax
(default).
You are recommended to keep the default settings.
Specifies the channel in which the wireless data is transmitted and received. The
available channels are determined by the current country/region and wireless band.
Auto: The router automatically detects the occupation rate of channels and selects
the appropriate working channel accordingly.
Channel
If connection drop, freeze or slow internet occurs frequently when you are using the
WiFi network, you can try changing the working channel. You can check the channels
with low occupation rate and little interference using software tools (such as WiFi
analyzer).
Specifies the bandwidth of the working channel. A high channel bandwidth means a
higher transmission rate, but the penetration capability is reduced and the
transmission distance is shortened.
⚫ 20MHz: The router uses the 20MHz channel bandwidth.
⚫ 40MHz: The router uses the 40MHz channel bandwidth.
Channel Bandwidth ⚫ 20MHz/40MHz: This channel bandwidth is available only for the 2.4 GHz. The
router automatically adjusts the channel bandwidth to 20MHz or 40MHz based on
the surrounding environment.
⚫ 80MHz: This channel bandwidth is available only for the 5 GHz. The router uses the
80MHz channel bandwidth.
⚫ 160MHz: This channel bandwidth is available only for the 5 GHz. The router uses
the 160MHz channel bandwidth.
Specifies the minimum wireless client signal strength acceptable to the router. A
mobile client with signal strength lower than this threshold cannot connect to the
RSSI Threshold
router. You can set this parameter to ensure that mobile clients connect to router
with strong signal strength.
55
Version 1.0
Specifies the deployment mode of the router. This parameter is valid only for 2.4
GHz networks. Set this parameter based on the application scenario. The options
include:
Deployment Mode ⚫ Coverage-oriented: Applies to scenarios with large area, multiple walls,
decentralized users and less than 10 SSIDs in the ambient environment.
⚫ Capacity-oriented: Applies to scenarios with intensive users, open and large areas,
and more than 25 SSIDs in ambient environment.
Specifies that a wireless client uses the 5 GHz SSID first to connect to the device if
Prioritize 5 GHz the wireless client supports both 5 GHz and 2.4 GHz networks and the networks use
the same SSID and password.
When Prioritize 5 GHz is enabled, if the client signal strength received by the router
in 5 GHz is larger than the threshold value, the router allows the client to connect to
Prioritize 5 GHz the 5 GHz for priority; if it is smaller than the value, the router only allows the client
Threshold to connect to the 2.4 GHz.
The default value is -80 dBm. You are recommended to keep the default settings.
Specifies whether to enable the air interface scheduling function.

This function allows all clients to transmit data for the same duration. If a client
transmits data at a low speed and does not finish data transmission within the
Air Interface Scheduling duration, it can continue transmitting data only in its next data transmission
duration. This prevents some slow clients from occupying excessive airtime
resources, so as to improve the overall AP efficiency and effectively ensure AP
connections for a larger number of clients and greater throughputs.
Short guard interval for preventing data block interference.

Propagation delays may occur on the receiver side due to factors such as multipath
Short GI wireless signal transmission. If a data block is transmitted at an overly high speed, it
may interfere with the previous data block. The short GI helps prevent such
interference. Enabling the short GI can yield a 10% improvement in wireless data
throughput.
Specifies whether to enable the Automatic Power Save Delivery (APSD) mode.
APSD APSD is a WMM power saving protocol created by Wi-Fi Alliance. Enabling APSD
helps reduce power consumption. By default, this mode is disabled.
Specifies the maximum period before a WiFi client is disconnected from the router if
Client Timeout Interval the client exchanges no data with the router. When data is exchanged within the
period, countdown stops.
Mandatory Rate By adjusting the mandatory rate and optional rate, you can limit access from
low-speed clients, thus improving the internet experience of other clients.
⚫ Mandatory Rate: It is a group of mandatory rates of the router. Clients must
support these mandatory rates; otherwise, the clients will fail to access the WiFi
Optional Rate network.
⚫ Optional Rate: It is a collection of other rates supported by the router except for
mandatory rates. These optional rates help clients realize connection with the
router at a higher rate.
56
Version 1.0
After the function is enabled, the router can communicate with multiple terminals at
MU-MIMO
the same time, improving network experience.
After the function is enabled, multiple clients can reuse the channel resource,
OFDMA
improving the transmission rate and reducing network latency.
After the function is enabled, the router automatically optimizes the resource
allocation among devices, awakens devices by negotiation, reduces disordered
TWT
competition, increases the sleep time of devices and prolongs the battery life. For
some terminals with old drive, incompatibility may occur.
After the function is enabled, the router can process data packets with priority
WMM
information. It is recommended to enable this function.
57
Version 1.0
5.5 Guest network

Click Wireless > Guest Network to enter the page.
Here, you can configure the basic parameters of guest network, such as enable/disable guest
network, modify the SSID, and set the WiFi password.
Clients connected to the guest network can only access the internet and other wireless clients
connected to the guest network as well, and cannot access the web UI of the router or the LAN
where the primary network is deployed. The guest network meets the internet requirement of
guests and ensures the security of the primary network as well.
58
Version 1.0
Enable Guest
Enable or disable the guest network.
Network
After this function is enabled, the 2.4 GHz guest network and the 5 GHz
Unify 2.4&5 GHz guest network share the same WiFi network name and password. A
SSID wireless client will be automatically connected to the WiFi network with
the best network quality when connecting to the guest network.
With this function enabled, clients connected to the guest network cannot
Isolate Client
communicate with each other, leading to higher wireless network security.
Guest
Network Specifies the wireless network name of the guest network.
SSID
To differentiate the main network and the guest network, you are
recommended to set the SSIDs differently.
Specifies the password used for wireless internet connection. You are
WiFi Password recommended to use the combination of digits, letters and special
characters for higher security.
Encryption Type Specifies the encryption types of the guest network.
Specifies the IP address (default: 192.168.168.1) of the guest network. The

IP Address router assigns 192.168.168.X to wireless clients connected to it.
Guest
Network IP You are recommended to keep the default settings.
Address
Specifies the subnet mask of the guest network, which is used to define the
Subnet Mask
address space of the guest network.
Uplink
Bandwidth
Guest Specify the uplink and downlink rate limits on guest network.
Network Downlink
Bandwidth Bandwidth
Limit
Specifies the maximum number of wireless devices allowed to connect to
Client Limit
the guest network.
59
6 Address reservation
6.1 Address reservation
Click Address Reservation to enter the page.
Here, you can specify a pre-set IP address for the specified client and make the client obtain this IP
address all the time. In this way, such functions depending on IP address as filter management,
bandwidth control, and port forwarding will not be ineffective because of IP address change.
This function takes effect only when the DHCP server function of the router is enabled. The router
supports the following two address reservation methods:
− Quick Address Reservation: You can check the information of the clients obtaining IP
addresses from the DHCP server of the router, and reserve IP addresses for clients by
just clicking Reserve. In this way, the DHCP server will assign the fixed IP address for
the fixed client all the time.
− Manual Address Reservation: You can manually reserve address for client to let the
DHCP server assign fixed IP address for fixed client all the time.
60
Reserve Used to bind the IP address and MAC address of the selected client.
Host Name Specifies the name of the client.
IP Address Specifies the IP address of the client.

Quick Address
Reservation MAC Address Specifies the MAC address of the client.
Click Reserve to bind the IP address and MAC address together, so the
Reservation
client will obtain the reserved IP address all the time. If the reservation is
Status
successful, the reservation status will be displayed as Reserved.
Specifies the name of the client or remarks of static IP address reservation

Host Name
rule.
Specifies the IP address reserved for the client with the target MAC
IP Address
address.
Manual MAC Address Specifies the MAC address of the client.

Address
Reservation Specifies the status of the rule. You can enable or disable the rule as
Status
required.
Specifies the operations you can perform on the rule.
Action : Click it to edit the rule.
: Click it to delete the rule.
Export Configuration Click Export to back up the static IP reservation table to the local computer.
Select a file and click Import to import the backed up static IP reservation
Import Configuration
table to the router.
61
6.2 Configure address reservation
If you want to assign IP address for clients already connected to the network, it is recommended
that you configure in the Quick Address Reservation module. Otherwise, configure in the Manual
Address Reservation module.
6.2.1 Quick address reservation

Reserve IP address for one client
Step 1 Navigate to Address Reservation > Quick Address Reservation.
Step 2 Select the client you want to reserve a static IP address, and click Reserve.
----End
After the IP address is reserved successfully, you can check the added rule in the Address
Reservation > Manual Address Reservation module. The rule will take effect the next time when
the client requests for an IP address.
62
Reserve IP addresses for multiple clients
Step 1 Navigate to Address Reservation > Quick Address Reservation.
Step 2 Select the multiple clients you want to reserve static IP addresses, and click the upper
Reserve.
----End
After the IP addresses are reserved successfully, you can check the added rules in the Address
Reservation > Manual Address Reservation module. The rules will take effect the next time when
63
6.2.2 Manual address reservation
Step 1 Navigate to Address Reservation > Manual Address Reservation.
Step 2 Click +Add.
Step 3 Enter the IP Address, MAC Address and Remark (Optional), and click Save.
Click + to add a rule and click - to delete an unsaved rule.
----End
After the IP address is reserved successfully, you can check the added rule in the Address
Reservation > Manual Address Reservation module. The rule will take effect the next time when
64
7 Bandwidth control
7.1 Overview
Click Bandwidth Control to enter the page.
Here, the network administrator can control the rate of users, so the limited bandwidth can be
properly distributed.
WAN Upload Rate

Enter the bandwidth provided by your ISP for better internet experience.
Broadband Download Rate
No Limit No limitations are set on the upload/download rate of LAN users.
The network administrator, based on the actual conditions, sets the

maximum upload/download rate for each connected client, or set an
Manual upload/download rate for all the connected clients.
The manual control mode is more flexible compared with the limit by
group control mode.
Control Mode The system, based on the WAN upload/download rate set on the
Auto
Bandwidth Control page, evenly distributes bandwidth to LAN users.
The network administrator, based on the actual conditions, sets rate limit
rules for different groups.
Limit By Group The network administrator controls the dedicated or shared
upload/download rate for users in the specified IP group in the specified
time group, and also, sets the concurrent sessions for each client.
65
7.2 Manual
Assume that you want to separately set the maximum upload/download rates for connected clients.
Step 1 Click Bandwidth Control.
Step 2 Set Control Mode to Manual.
Step 3 Select Online Devices or Offline Devices as required.
Step 4 Set Upload/Download Limit for the devices, and click Save.
----End
Host Name Specifies the name of client connected to the router.
Total Download Specifies the total download traffic utilized by each client.
Only available for offline devices.

Offline Time
Indicates the time when the client is disconnected.
Upload Bandwidth Indicates the real-time upload/download bandwidth of each client.
Download Bandwidth 1 Mbps=128 KB/s=1024 kb/s.
Upload Limit
Specifies the maximum upload/download rate you set for each client.
Download Limit
66
Assume that you want to set the maximum upload/download rates for all the online or offline
clients in the LAN.
Step 2 Set Control Mode to Manual.
Step 3 Select Online Devices or Offline Devices as required. Here takes Online Devices as an
example.
Step 4 Click Limit All.
Step 5 Set the maximum Upload Rate and Download rate for all the online and offline clients in
the LAN, and click Save.
----End
67
7.3 Auto
This mode distributes bandwidth evenly to the online clients connected to the router.
Step 2 Set the Upload Rate and Download Rate of the target WAN port based on the bandwidth
provided by your ISP.
Step 3 Set Control Mode to Auto.
Step 4 Click Save at the bottom of the page.
----End
68
7.4 Limit by group
Through the limit by group function, you can set a dedicated or shared upload/download rate for
clients in an IP group to use in a period of time.
To control the bandwidth based on groups, you need to configure the IP group and time group first by
navigating to Filter Management > IP Group/Time Group.

Step 2 Set Control Mode to Limit By Group.
Step 3 Click +Add.
Step 4 Configure parameters in the Add window, and click Save.
----End
69
You can check the added rule on the page.
Specifies the IP group to be used, which is used to designate the clients with these IP
IP Group addresses. IP group should be configured in advance on the Filter Management > IP
Group/Time Group page.
Specifies the time group to be used, which is used to designate the validity period of the
Time Group rule. Time group should be configured in advance on the Filter Management > IP
Specifies the maximum number of connections each client within the specified IP address
Concurrent
range can use. Unless you have any special requirements, it is recommended to set the
Sessions
parameter to 600.
Specifies the mode of bandwidth control rules.

⚫ Dedicated: Specifies that every client within the specified IP address range uses the set
upload/download rate. Under this mode, every client obtains the same bandwidth.
Control Mode
⚫ Shared: Specifies that all clients within the specified IP address range use the set
upload/download rate together. Under this mode, every client may obtain different
bandwidths.
Upload Rate
Specifies the maximum upload/download rate you set.
Download Rate
Status Specifies the status of the rule. You can enable or disable the rule as required.
Operation : Click it to edit the rule.

70
7.5 Example of configuring limit by group rules
An enterprise uses the wireless router to set up a network. The enterprise has the following
requirements:
During business hours (08:00 to 18:00 every workday), procurement personnel’s computers with IP
addresses ranging from 192.168.0.2 to 192.168.0.250 can use a fixed upload and download
bandwidth of 1 Mbps. For other clients in the LAN, no bandwidth control rules are added.
Upload Download
Group name IP range Effective time
bandwidth bandwidth
Procurement 192.168.0.2~250 08:00~18:00 on weekdays 1 Mbps 1 Mbps
Solution
You can use the Limit By Group bandwidth control function of the router to meet this requirement.
Assume that the concurrent sessions of each client is 600.
Step Task Description
Set the time group on the Filter Management > IP Group/Time Group
1 Set a time group
page.
Set the IP address group on the Filter Management > IP Group/Time
2 Set an IP group
Group page.
Set a bandwidth control
3 Set a limit by group rule on the Bandwidth Control page.
rule
Step 1 Set a time group.

1. Navigate to Filter Management > IP Group/Time Group.
2. Set the time group shown in the following figure.
71
Step 2 Set an IP group.
1. Navigate to Filter Management > IP Group/Time Group.
2. Set the IP group shown in the following figure.
Step 3 Set a bandwidth control rule.

1. On the Bandwidth Control page, set Control Mode to Limit By Group.
3. Click +Add.
72
4. Configure parameters in the Add window, and click Save.
(1) Select Procurement for IP Group.
(2) Select BusinessHour for Time Group.
(3) Set Concurrent Sessions of each client to 600 in this example.
(4) Set Control Mode to Dedicated.
(5) Set the maximum upload/download rate of clients to both 128 KB/s in this example.
----End
Verification
During business hours from 08:00 to 18:00 on weekdays, each computer with an IP address ranging
from 192.168.0.2 to 192.168.0.250 is allocated 1 Mbps (128 KB/s) upload and download bandwidth.
73
8 Authentication
8.1 Captive portal
8.1.1 Overview
By default, after the router is connected to the internet, the LAN users will have internet availability.
After the Captive Portal function is enabled, users connected to the authentication network need to
pass the authentication before gaining internet access.
Click Authentication > Captive Portal to enter the page.
Here, you can configure the authentication page and authentication policy.
74
Captive Portal Enable or disable the captive portal function of the router.
Specifies the types of the captive portal.

⚫ WiFi via SMS: It allows a user to access the internet with a verification code sent by
SMS when receiving an authentication web page. To enable this authentication
type, you need to configure SMS Provider Settings first.
⚫ Local User Authentication: It allows a user to access the internet with a username
Authentication Type and password on the authentication web page. The username and password should
be added on Authentication > User Management page.
⚫ Email Authentication: It allows a user to access the internet with a verification code
sent through email when receiving an authentication web page. To enable this
authentication type, you need to configure Email Server Settings first.
⚫ One-key Authentication: It allows a user to access the internet by clicking Connect
when receiving an authentication web page.
Specifies the authentication validity period. A user must be re-authenticated for

Valid Duration
accessing the internet after the period expires.
Wired Network: Specifies that the authentication rule will be applied to the devices
connected to the router through the selected ports.
WiFi Network: Specifies that the authentication rule will be applied to the wireless
Apply to devices connected to the router through the selected WiFi networks.
If the user does not select a kind of network, the captive portal authentication is
effective to all networks in the list.
Only available for Email Authentication.

People Shared with Specifies the number of users allowed to access the internet using a same email
address.
Specifies the logo image of the web authentication page. Click Change to change the
Logo
logo picture, and click Delete to delete the uploaded picture.
Specifies the title information of the web authentication page. It is Welcome to Tenda
Title
by default.
Specifies the background image of the web authentication page. Click Change to
Background Image
change the picture, and click Delete to delete the uploaded picture.
Disclaimer Specifies the disclaimer information on the web authentication page.
Specifies the website that the client automatically redirects to after passing
authentication:
⚫ Previous Page: When the captive portal is passed, the page would redirect to the
Redirect To previous page the user visited. For example, if a user is visiting Google search page
before authentication, the user will stay on Google search page after passing the
authentication.
⚫ Specified Page: Specifies the website redirected to after passing the captive portal.
75
SMS provider settings
SMS provider is the provider who issues authorization verification code to designated mobile phone
number. At present, supported SMS providers include Jixintong and NEXMO, and you can also
choose Custom HTTP Interconnection to use other SMS providers.
You need to purchase an SMS package in the corresponding SMS provider first, and then configure the
applied interconnection information to this router.
User name from

your SMS provider
Enter the user name and password you’ve applied on the Jixintong
platform.
Password from
your SMS provider
Jixintong
Customize the short message sent to users.
Content
The verification code format is $$CODE$$, which cannot be modified.
76
api_key Enter the api_key you’ve applied on the NEXMO platform.
api_secret Enter the api_secret you’ve applied on the NEXMO platform.
NEXMO Customize the short message sent to users.
Content
Specifies the character encoding format. Select the encoding format

Encoding
that your SMS provider supports.
Customize the short message sent to users.
Content
Enter the URL interface address of SMS gateway provided by SMS

Customize HTTP service provider. In general, SMS service providers provide the format
SMS Gateway URL
Interconnection of SMS Gateway URL Interface and users need to complete the URL
Interface
interface address of SMS gateway according to the information
applied for in SMS service providers.
Enter the SMS error code of SMS service provider. After the SMS
platform fails to send an SMS message, it will send the message to
this router. Users can consult the corresponding SMS service provider
SMS Error Code based on relevant information.
For the specific content of the SMS error code, consult the
corresponding SMS service provider.
After the SMS Provider Settings, you can conduct the Validity Test to check whether the settings
you made are correct. The steps are as follows:
Step 1 Click Validity Test.
77
Step 2 Enter the Phone Number and the short message Content sent by the SMS platform, and
click Save.
----End
Wait a moment. If the interconnection is successful, the phone number will receive an SMS
message containing a verification code.
Email server settings

This router supports email authentication. Related parameters are as follows.
Email Address Specifies the email account that sends email.
Email Password Specifies the password or authorization code of the email account.
78
Specifies the SMTP server address. It could be an IP address or domain name address.
SMTP Server
The SMTP (Simple Mail Transfer Protocol) server is a mail delivery server. The address
and port of the SMTP server of each mail service provider are different. Please check on
your own.
Secure Sockets Layer, a security protocol.

SSL It uses data encryption, identity authentication and message integrity verification
mechanism to ensure the security of network data transmission.
Specifies the SMTP service port. By default, it is 25.
SMTP Server Port

If you select SSL, the server port will change. Please contact your email service provider
for the information.
Specifies the email account, which is used to test whether the email server settings are
Account for Test
valid.
8.1.2 Configure SMS authentication

Step 1 Navigate to Authentication > Captive Portal.
Step 2 Enable Captive Portal.
Step 3 Configure the following parameters, then click Save at the bottom of the page.
1. Set Authentication Type to WiFi via SMS.
2. Click SMS Provider Settings, then the configuration window appears.
3. Configure the following parameters related to the SMS provider, and click Save.
(1) Select the SMS provider from which you have purchased an SMS package, such as
Jixintong.
(2) Enter the User name and Password from your SMS provider, such as Tom123 and
Tommy456.
79
(3) Customize the SMS Content sent to the user by the SMS platform for verification.
4. Set the Valid Duration, such as 8 hrs.

5. Click Choose, choose the network(s) to be applied, and click Save.
80
6. Configure the authentication page settings.
(1) Click Change and upload the company logo image.
(2) Set the title of the captive portal page, such as Welcome to XX.
(3) Click Change and upload the background image of the captive portal page, such as the
enterprise promotion photo.
(4) Set the disclaimer information of the enterprise, such as Copyright © 2022 XX. All
rights reserved.
(5) Select the Previous Page or enter a Specified Page as the page to which the users are
redirected after passing the authentication.
----End
81
8.1.3 Configure local user authentication
1. Set Authentication Type to Local User Authentication.

82
rights reserved.
Step 4 Set the User Name and Password by referring to Add user accounts for local user
authentication.
----End
83
8.1.4 Configure email authentication
1. Set Authentication Type to Email Authentication.
3. Set the People Shared with (the number of users allowed to connect to the internet using
the email at the same time), such as 3.
5. Configure the email server settings.

(1) Enter the Email Address.
(2) Enter the corresponding Email Password.
(3) Enter the SMTP Server address.
84
(4) Enter the SMTP Server Port. It is recommended to keep the default settings.
(5) Enter the Account for Test (a valid email address) to check whether the email server
is effective.

(1) Set the Email Content sent to users (“$$CODE$$” is the format of the email
verification code and cannot be modified).
rights reserved.
----End
85
8.1.5 Configure one-key authentication
1. Set Authentication Type to One-key Authentication.

86
rights reserved.
----End
87
8.2 User management
8.2.1 Overview
Click Authentication > User Management to enter the page.
Here, you can configure the user name and password for account authentication, export or import
authentication account information, and add authentication-free hosts.
Specifies by which method you specify an authentication-free host. The

Host Type
router supports host name, IP address and MAC address.
Specifies the information of the authentication-free host.

⚫ If you select Host Name, enter the host name of the authentication-free
device. Please fill in the host name on the System Status page. If the host
Authentication- name is modified, modify the host name here as well.
Host Name/IP
free Host /MAC ⚫ If you select IP Address, enter the IP address of the authentication-free
device. You are recommended to bind the IP address for the device on the
Address Reservation page.
⚫ If you select MAC Address, enter the MAC address of the
authentication-free device.
Remark Specifies the description of the authentication-free device.
88
User Name Specifies the user name and password of the authentication account.
After the account authentication function is enabled, users need to use this
Password user name and password for authentication on the browser page before
gaining internet access.
Remark Specifies the account description information.
Client Status Specifies the status of the account (being used or not).
Valid Specifies the valid duration of the account. After the duration expires, users
Duration cannot use this account for internet access authentication.
Account
Management Status Specifies the status of the rule. You can enable it or disable it as needed.
Used to export the data of the configured authentication user account to

Export
the local computer.
Used to import the previously exported authentication user account data to

Import
the router.
8.2.2 Add user accounts for local user authentication

Step 1 Navigate to Authentication > User Management > Account Management.
Step 2 Click +Add.
89
Step 3 Configure the following parameters, and click Save.
----End
People Shared with Specifies the number of users allowed to access the internet using the same account.
Specifies the maximum number of connections that can be set up on each computer
Concurrent Sessions
covered by the corresponding rule.
Upload Rate
Specifies the maximum upload/download rate of this account.
Download Rate
90
8.3 Examples of configuring authentication
8.3.1 Example of configuring SMS authentication
An enterprise wants to establish a network and regulate the use of the network with the router.
Requirements:
− SMS authentication is required for employees who want to access the internet through
the LAN port of the router or the wireless network Tenda_10DCD2.
− Employees are directed to www.tendacn.com after being authenticated.
− The network administrator is free from authentication when accessing the internet.
Solution
The requirements can be achieved through the WiFi via SMS function of the router.
Assume that:
− The MAC address of the network administrator’s computer is 44:37:E6:12:34:56.
− The user name applied by the enterprise in Jixintong is Tom123.
− The password of the account applied by the enterprise in Jixintong is Tommy456.
Step 1 Configure the SMS authentication settings.
1. Navigate to Authentication > Captive Portal.
2. Enable Captive Portal.
3. Configure the following parameters, and click Save at the bottom of the page.
(1) Set Authentication Type to WiFi via SMS.
(2) Click SMS Provider Settings, then the configuration window appears.
91
(3) Configure the following parameters related to the SMS provider, and click Save.
- Select the SMS provider from which you have purchased an SMS package, such as
Jixintong.
- Enter the User name and Password from your SMS provider, which are Tom123
and Tommy456 in this example.
- Customize the SMS Content sent to the user by the SMS platform for verification.
(4) Set the Valid Duration, such as 8 hrs.

(5) Click Choose, choose the network(s) to be applied, and click Save.
92
(6) Configure the authentication page settings.
- Click Change and upload the company logo image.
- Set the Title of the captive portal page, such as Welcome to XX.
- Click Change and upload the background image of the captive portal page, such as
the enterprise promotion photo.
- Set the disclaimer information of the enterprise, such as Copyright © 2022 XX. All
rights reserved.
- Enter the Specified Page, which is www.tendacn.com in this example.
93
The overall configuration of SMS authentication is shown as below.
94
Step 2 Add an authentication-free host.
1. Navigate to Authentication > User Management.
2. Click +Add in the Authentication-free Host module.
3. Configure the following parameters, then click Save.

(1) Select MAC Address for Host Type.
(2) Enter the MAC Address, which is 44:37:E6:12:34:56 in this example.
(3) (Optional) Set a Remark for the host, which is Network Administrator in this
example.
----End
95
Verification
The network administrator can access the internet without authentication. Other employees have
to perform SMS authentication as follows:
Step 1 Start a web browser and visit any website. The authentication page appears.
Step 2 Enter a valid phone number and tap Obtain.
Step 3 Enter the Verification Code in the SMS received.
Step 4 Tap Connect.
After successful authentication, the browser will automatically redirect to www.tendacn.com.
96
8.3.2 Example of configuring local user authentication
Requirements:
− Local user authentication with user name and password is required for employees who
want to access the internet through the LAN port of the router or the wireless network
Tenda_10DCD2.
− No upload or download rate limit is specified for employees.
Solution
The requirements can be achieved through the local user authentication function of the router.
Assume that the MAC address of the network administrator’s computer is 44:37:E6:12:34:56.
Step 1 Configure the local user authentication settings.
3. Configure the following parameters, then click Save at the bottom of the page.
(1) Set Authentication Type to Local User Authentication.
97
(4) Configure the authentication page settings.
- Click Change and upload the company logo image.
- Set the Title of the captive portal page, such as Welcome to XX.
- Click Change and upload the background image of the captive portal page, such as
the enterprise promotion photo.
- Set the disclaimer information of the enterprise, such as Copyright © 2022 XX. All
rights reserved.
- Enter the Specified Page, which is www.tendacn.com in this example.
98
The overall configuration of local user authentication is shown as below.
99
Step 2 Add local user authentication account(s).
1. Navigate to Authentication > User Management > Account Management.
2. Click +Add.
3. Configure the following parameters, and click Save.

(1) Set the User name and Password for authentication, such as Tom123 and Tommy456.
(2) (Optional) Set a Remark for the user, such as Employee.
(3) Set Valid Duration to Always valid.
(4) Set People Shared with to 10.
(5) Set the Concurrent Sessions established by the account device. You are recommended
to keep the default settings.

100

example.
----End
101
Verification
to perform local user authentication as follows:
Step 2 Enter the correct User Name and Password.
Step 3 Tap Connect.
102
8.3.3 Example of configuring email authentication
Requirements:
− Email authentication is required for employees who want to access the internet
through the LAN port of the router or the wireless network Tenda_10DCD2.
− No upload or download rate limit is specified for employees.
Solution
The requirements can be achieved through the email authentication function of the router.
Assume the MAC address of the network administrator’s computer is 44:37:E6:12:34:56, and the
parameters of the email server are as follows:
− Email Address: Tom@gmail.com
− Email Password: Tom159357
− SMTP Server: smtp.gmail.com (SSL enabled)
− SMTP Server Port: 465
− Account for Test: lisi@gmail.com
Step 1 Configure the local user authentication settings.
3. Configure the following parameters.
(1) Set Authentication Type to Email Authentication.
(3) Set the People Shared with (the number of users allowed to connect to the internet
using the email at the same time), which is 10 in this example.
103
4. Configure the email server settings.
(1) Set Email Address to Tom@gmail.com.
(2) Set Email Password to Tom159357.
(3) Set SMTP Server to smtp.gmail.com.
(4) Tick SSL.
(5) Set SMTP Server Port to 465.
(6) Enter another email address in Account for Test, which is lisi@gmail.com in this
example.

(1) Set the Email Content sent to users (“$$CODE$$” is the format of the email
verification code and cannot be modified).
(2) Click Change to upload a logo image.
(3) Set the Title of the captive portal page, such as Welcome to XX.
(4) Click Change to upload a background image.
rights reserved.
(6) Enter the Specified Page, which is www.tendacn.com in this example.
104
7. Click Test in the Email Server Settings module, you can check whether the configuration of
email server is correct.
If the test fails, try the following solutions:

Check if the SMTP service is enabled for the Email Address.
Check if the Account for Test is valid.
Change the Email Content.
105

example.
----End
106
Verification
to perform email authentication as follows:
Step 2 Enter a valid email address and tap Obtain.
Step 3 Enter the Verification Code in the email received.
Step 4 Tap Connect.
107
9 AP mangement
9.1 Basic settings
9.1.1 Overview
Click AP Management > Basic Settings to enter the page.
Here, you can enable or disable the AP management function of the router. After it is enabled, you
can centrally set up WiFi network-related configurations of APs in your local area network, such as
viewing and editing wireless network names (SSID), WiFi passwords, configuring 2.4 GHz and 5 GHz
WiFi networks, hiding your WiFi network so that nearby wireless clients cannot detect it, and
specifying how many wireless clients can connect to a wireless network at most.
The wireless configuration you configured here will be automatically delivered to the Tenda APs
within the LAN of the router.
108
Serial number of the wireless policies.

WiFi Signal ⚫ 1 to 4 policies: Used to apply to 1 to 4 wireless networks of APs
⚫ 5 to 8 policies: Used to apply to 5 to 8 wireless networks of APs.
Enable or disable a wireless network policy or AP’s corresponding SSID. By default,

Status WiFi network policy 1 is enabled and the other policies are disabled.
SSID Used to change the wireless network name.
Select a band used by the wireless policy which will be delivered to APs.
⚫ 2.4G: The wireless policy will be applied to the 2.4 GHz wireless networks of APs.
⚫ 5G: The wireless policy will be applied to the 5 GHz wireless networks of APs.
⚫ 2.4G&5G: The wireless policy will be applied to both 2.4 GHz and 5 GHz wireless
Frequency networks of APs.
If a single band, such as 2.4G (or 5G), is selected in policies 1 to 4, the wireless
networks at the other band will be disabled after the policy is delivered to APs.
Specifies the encryption types of the wireless network.

⚫ None: Open wireless network. No password is required when a client connects to
the wireless network. To secure the network, this option is not recommended.
⚫ WPA-PSK: The wireless network adopts the WPA-PSK authentication method (AES
encryption rule). It is featured with better compatibility than WPA2-PSK.
⚫ WPA2-PSK: The wireless network adopts the WPA2-PSK authentication method
(AES encryption rule). It is featured with higher security level than WPA-PSK.
⚫ WPA-PSK/WPA2-PSK: The wireless network adopts both WPA-PSK and WPA2-PSK.
⚫ WPA2-PSK/WPA3-SAE: The wireless network adopts both WPA2-PSK and
Encryption Type WPA3-SAE. With Simultaneous Authentication of Equals (SAE) and Protected
Management Frames (PMF), WPA3-SAE provides protection against dictionary
attacks and information disclosure, saving you the trouble to set a complicated
password. Through such mixed encryption mode, the router allows clients that do
not support WPA3 to access the wireless network, ensuring both compatibility and
security.
WPA3-SAE is an upgraded version of WPA2-PSK. If your wireless client does not

support WPA3-SAE, or the actual WiFi experience is bad, it is recommended to set
the encryption type to WPA2-PSK.
Specifies the pre-shared password for WPA-PSK, WPA2-PSK or WPA3-SAE, as well as

WiFi Password the password required for connecting to the wireless network.
109
For more settings, click the icon and navigate to the configuration page:
⚫ Isolate Client: With this function enabled, clients connected to the wireless
network cannot communicate with each other, improving the security of the
wireless network.
More
⚫ Hide SSID: With this function enabled, nearby wireless clients cannot detect the
SSID, and you need to manually enter the SSID on the wireless client to access the
wireless network.
⚫ Max. Users: Maximum number of wireless clients that can be connected to the
wireless network with the SSID. After the value is reached, this wireless network
denies new connection requests. By default, it is set to 48.
9.1.2 Distribute wireless policies to APs
When wireless policies are distributed to APs that do not support part of the functions, these
unsupported policies will still be received but will not take effect.
For example, when policies concerning 5G network are distributed to APs that do not support 5G,
these policies will be received but will not take effect in these APs.
Step 1 Choose AP Management > Basic Settings.

Step 2 Change the wireless configurations, and click Save at the bottom of the page.
----End
Wait a moment. The wireless configurations of APs in the LAN will be same as the wireless policies.
110
9.2 AP settings
9.2.1 Overview
Click AP Management > AP Settings to enter the page.
Here, you can manage Tenda APs connected to your router, such as upgrading/resetting/rebooting
APs in batches, deleting offline APs in batches, modifying APs’ configuration individually and
viewing/exporting APs’ configuration.
AP Model Specifies the model of AP.
Remark Specifies the remark of AP.
Specifies the IP address, MAC address and firmware version of AP.

IP/MAC/Firmware
Version
Click the IP address to visit the web UI of the AP.
Specifies the band used by the wireless policy which will be delivered to APs.
⚫ 2.4G: The wireless policy will be applied to the 2.4 GHz wireless networks of APs.
⚫ 5G: The wireless policy will be applied to the 5 GHz wireless networks of APs.
⚫ 2.4G&5G: The wireless policy will be applied to both 2.4 GHz and 5 GHz wireless
Frequency networks of APs.
If a single band, such as 2.4G (or 5G), is selected in policies 1 to 4, the wireless
networks at the other band will be disabled after the policy is delivered to APs.
Specifies the transmit power of the AP.

If the specified transmit power exceeds the limit power of an AP, the actual power is
Transmit Power equal to the limit power. For example, if the specified power is greater than the
maximum power of an AP, the actual power of the AP is the maximum power after
the wireless policy is delivered, and vice versa.
Channel Specifies the operating channel of AP.
111
Specify the online devices connected to the AP and the maximum devices allowed to
Online/Limit connect to the AP.
Status Specifies the status of AP.
More Click the icon for more Advanced Settings.
112
9.2.2 Upgrade the APs
To avoid data loss and device damage, Do NOT remove the power of APs and the router during the
upgrade.
Step 1 Visit www.tendacn.com to download the latest firmware of the AP to your local computer.
Step 2 Log in to the web UI of the router, and navigate to AP Management > AP Settings.
Step 3 Select the AP(s) you want to upgrade, click the Upgrade button, and follow the
instructions.
----End
113
9.2.3 Reset the APs
Step 1 Navigate to AP Management > AP Settings.
Step 2 Select the AP(s) you want to reset, click the Reset button, and follow the instructions.
----End
114
9.2.4 Reboot the APs
Step 2 Select the AP(s) you want to reboot, click the Reboot button, and follow the instructions.
----End
After rebooting successfully, the AP will automatically become online. The time from offline to
online lasts about 1 to 2 minutes. Please wait with patience. You can click Refresh to view the
status.
115
9.2.5 Delete the APs
Here, you can delete offline APs.
Step 2 Select the offline AP(s) you want to delete, click the Delete button, and follow the
instructions.
----End
116
9.2.6 Refresh the page
Here, you can click the Refresh button to view the latest status of AP.
9.2.7 Export data

Use Export Data button if you want to download your APs’ information displayed on the AP Settings
page as an Excel document to your local computer.
Step 2 Click the Export Data button, and follow the instructions.
----End
117
9.2.8 More settings
Here, you can modify each AP’s configuration, such as the country/region, channel, transmit power,
and so on.
Step 2 Locate the AP as needed, and click .
Step 3 Modify the configuration of the AP, and click Save at the bottom of the page.
----End
118
9.3 Advanced settings
Click AP Management > Advanced Settings to enter the page.
Here, you can set up the advanced settings for the APs in the LAN.
2.4 GHz advanced settings / 5 GHz advanced settings

Country or region where this device is located. You can select the country or region
Country/Region to ensure that this device complies with the local regulations.
Specifies the wireless network mode (also called 802.11 mode, radio mode, or
wireless mode) of the AP. A proper network mode enables the clients to get the
maximum transfer rate and compatibility.
Network Mode Available options for 2.4 GHz band: 11b, 11g, 11b/g, 11b/g/n and 11b/g/n/ax
(default).
Available options for 5 GHz band: 11a, 11ac, 11a/n and 11a/n/ac/ax (default).
Specifies the channel bandwidth for the AP.

Available options for 2.4 GHz band: Auto (default), 20MHz, and 40MHz.
Channel Bandwidth
Available options for 5 GHz band: 20MHz, 40MHz, 80MHz, 160MHz, and Auto
(default).
119
Specifies the channel in which the AP operates.

Channel The available channels are determined by the current country/region and wireless
band.
Specifies the transmit power of the AP.

If the specified transmit power exceeds the limit power of an AP, the actual power
Transmit Power is equal to the limit power. For example, if the specified power is greater than the
maximum power of an AP, the actual power of the AP is the maximum power after
the wireless policy is delivered, and vice versa.
Used to set the minimum received signal strength threshold of wireless clients
connected to the AP.
RSSI Threshold After this function is enabled, wireless clients whose received signal strength is
lower than this threshold cannot connect to the AP.
An appropriate threshold ensures the connection quality of clients.
If a wireless client does not exchange data with the AP in the specified period, the
Client Timeout Interval AP disconnects the client.
Specifies that a wireless client compliant with dual-band wireless firstly connects to
the 5 GHz band of the device if the corresponding wireless network uses the same
SSID and password for both 2.4 GHz and 5 GHz.
Prioritize 5 GHz This function takes effect when:
⚫ The encryption mode is set to WPA-PSK, WPA2-PSK, or WPA-PSK&WPA2-PSK.
⚫ The SSID does not contain Chinese characters.
Air interface scheduling allocates equal download data transmission time for each
Air Interface client. In this way, high-speed clients can transmit more data packets and the AP
Scheduling: has a higher throughput and client capacity.
Specifies whether to disable communications among the clients connected to

Isolate this network different wireless networks of this device. This function increases wireless network
security.
After WMM is enabled, voice and video packets are transmitted with top priority.
WMM You are recommended to enable this function for better transmission of multimedia
packets.
Specifies whether to enable the Automatic Power Save Delivery (APSD) mode. APSD
APSD is a WMM power saving protocol created by Wi-Fi Alliance.
Enabling APSD helps reduce power consumption. By default, this mode is disabled.
Specifies the deployment mode of the router. This parameter is valid only for 2.4
GHz networks. Select a mode that conforms to your application scenario.
Available options:
⚫ Default: This option is a balance between Coverage-oriented and
Deployment Mode Capacity-oriented.
⚫ Coverage-oriented: This mode applies to scenarios that the network environment
is complex, users are scattered, and the interference is weak.
⚫ Capacity-oriented: This mode applies to scenarios that the area is open and
crowded with users and the interference is strong.
120
Global settings
Here, you can view and configure the Ethernet mode, LED indicator status and reboot schedule of
APs in a global way.
Select the Ethernet mode for the ports of AP. Available options:
⚫ Standard (default): This mode features a high data rate but short transmission
distance.
Ethernet Mode ⚫ 10 Mbps Full Duplex: This mode features long transmission distance but low data
rate. If the distance between the Ethernet port of the AP and the peer device is
longer than 100 meters, this mode is recommended. In this case, ensure that the
peer device adopts auto negotiation mode.
Used to turn on/off the LED indicators of AP. By default, it is enabled.

LED Indicator
You can judge the working status of AP through the LED indicators.
Select the reboot schedule mode for the AP. Available options:
⚫ Disable (default).
Reboot Schedule
⚫ Reboot Schedule: The AP reboots at the specified date and time.
⚫ Reboot Interval: The AP reboots every interval.
121
10 USB sharing
10.1 Overview
The router provides a USB port for file sharing.
The router can automatically identify the USB storage device plugged into its USB port, and display
the information such as the disk usage of the USB device on the web UI. The router also supports
the management on file access permission, and LAN users can access files shared on the USB
storage device.
10.2 USB sharing

Click USB Sharing to enter the page.
After a USB device is plugged in, the router will automatically identify the device as shown below.
sda1 Specifies the status and occupation percentage of the USB device.
122
Eject Safely Click it to safely eject the USB device.
Specifies the access address LAN users use to access the USB disk device.
\\192.168.0.1: You can type this address into the Start > Run menu on your
Local Access computer to get local access.
192.168.0.1 is the default LAN IP address of the router. If the address is changed, you
need to type in the new address to get local access.
User Name
Specifies the user name/password of the read-write or the read-only user.
Password
Specifies the permission of the target user.

⚫ Read-write: The user can read, add, or delete files on the USB device. By default,
Permission the user name and password are both admin.
⚫ Read-only: The user can only read files on the USB device. By default, the user
name and password are both guest.
123
10.3 Example of configuring USB sharing
10.3.1 Networking requirement
An enterprise uses the wireless router to build a network.
Requirement: A mobile storage device, connected to the USB port of the router, serves as the file
server. Employees can search and download files from the file server in local network or through
internet.
Assume that:
− Read-write user name/password are both xxadmin.
− Read-only user name/password are both xxguest.
10.3.2 Network topology
LAN IP: 192.168.0.1
WAN LAN
Internet
Router Switch
LAN Users
124
10.3.3 Configuration procedure
Step 1 Plug the mobile storage device into the router.
Step 2 Click USB Sharing.
Step 3 Set the read-write user name/password as xxadmin, and the read-only user
name/password as xxguest, and click Save.
----End
125
10.3.4 Verification
Take Windows 10 as an example: Enter \\192.168.0.1 in the search bar at the lower-left of your
computer screen. Then, the following page appears. Enter authorized user name and password, and
click OK.
Access the files successfully.
126
11 Filter management
11.1 IP group/time group
11.1.1 Overview
Click Filter Management > IP Group/Time Group to enter the page.
When configuring functions which take effect depending on IP group or time group, such as MAC
address filter, IP address filter, port filter, URL filter, bandwidth limit by group and multi-WAN policy,
you need to first configure the target IP group and/or time group.
By default, a time group and an IP group have been added on the router, and the default time group
and IP group cannot be deleted or edited.
127
Group Name Specifies the name of the time group. The name must be unique.
Date Specifies the dates included in the time group.
Time Specifies the start and end time of the time group. 00:00~00:00 indicates a whole
Time
Group day.
Settings
IP Group Specifies the name of the IP group. The name must be unique.
IP Range Specifies the start and end IP address of the IP group.

IP Group
Settings Specifies the operations you can perform on the rule.

128
11.1.2 Add a time group
Step 1 Navigate to Filter Management > IP Group/Time Group > Time Group Settings.
Step 2 Click +Add.
Step 3 Configure the following parameters in the Add window, and click Save.
----End
129
11.1.3 Add an IP group
Step 1 Navigate to Filter Management > IP Group/Time Group > IP Group Settings.
Step 2 Click +Add.
----End
130
11.2 MAC address filter
11.2.1 Overview
Through MAC address filter, you can allow or block internet access through this router for specified
clients.
Click Filter Management > MAC Address Filter to enter the page.
By default, this function is disabled.
MAC Address Filter Enable or disable the MAC address filter function.
Specifies the MAC address filter modes.

⚫ Whitelist: Specifies that internet access is allowed. In this mode, clients with
the specified MAC address can access the internet only within the specified
Filter Mode time period.
⚫ Blacklist: Specifies that internet access is blocked. In this mode, clients with the
specified MAC address cannot access the internet only within the specified
time period.
MAC Address Specifies the MAC address of the client to which the rule applies.
The time group used to specify the time period during which the rule takes
effect.
Time Group
The time group rule should be configured in advance on the Filter
Management > IP Group/Time Group page.
131
Remark Specifies the remark of the MAC address filter rule.
Specifies the status of the MAC address filter rule. You can enable or disable the
Status
rule as required.
Allow clients with disabled ⚫ If this option is selected, clients to which the disabled rules in the list apply and
status or clients not on the clients not in the list can both access the internet.
list to access the internet ⚫ If this option is not selected, clients to which the disabled rules in the list apply
through this device. and clients not in the list can neither access the internet.
11.2.2 Configure a MAC address filter rule
Before configuring a MAC address filter rule, please configure the target time group first.
Step 1 Enable MAC address filter.

1. Navigate to Filter Management > MAC Address Filter.
2. Enable MAC Address Filter, and click Save at the bottom of the page.
Step 2 Add a MAC address filter rule.

1. Click +Add.
132
2. Configure the following parameters in the Add window, and click Save.
----End
11.2.3 Example of configuring a MAC address filter rule

Requirement:
During business hours (08:00 to 18:00 on weekdays), only a purchaser is allowed to access the
internet.
Solution
The MAC address filter can meet this requirement.
Assume that the MAC address of the purchaser’s computer is CC:3A:61:71:1B:6E.
Set a time group Enable MAC address filter Add a MAC filter rule

Navigate to Filter Management > IP Group/Time Group. Set a time group shown in the
following figure.
133
Step 2 Enable MAC address filter.
1. Navigate to Filter Management > MAC Address Filter.
2. Enable MAC Address Filter, and click Save at the bottom of the page.
Step 3 Add a MAC address filter rule.

1. Click +Add.

(1) Set Filter Mode to Allow access to the internet (whitelist).
(2) Select the target Time Group, which is BusinessHour in this example.
(3) Enter the MAC Address of the purchaser’s computer, which is CC:3A:61:71:1B:6E in
this example.
134
(4) (Optional) Enter a Remark for the rule, for example, Purchaser 1.
3. Deselect Allow clients with disabled status or clients not on the list to access the internet
through this device.

----End
Verification
During 08:00 to 18:00 on weekdays, only the purchaser’s computer with MAC address
CC:3A:61:71:1B:6E can access the internet.
135
11.3 IP address filter
11.3.1 Overview
Through IP address filter, you can allow or block internet access through this router for specified
clients.
Click Filter Management > IP Address Filter to enter the page.
IP Address Filter Enable or disable the IP address filter function.
Specifies the IP address filter modes.

⚫ Whitelist: Specifies that internet access is allowed. In this mode, clients with
the specified IP address can access the internet only within the specified time
Filter Mode period.
⚫ Blacklist: Specifies that internet access is blocked. In this mode, clients with the
specified IP address cannot access the internet only within the specified time
period.
The IP group used to specify the client to which the rule applies.
IP Group The IP group rule should be configured in advance on the Filter Management > IP
effect.
Time Group
136
Remark Specifies the remark of the IP address filter rule.
Specifies the status of the IP address filter rule. You can enable or disable the rule
Status
as required.
Allow clients with disabled ⚫ If this option is selected, clients to which the disabled rules in the list apply and
status or clients not on the clients not in the list can both access the internet.
list to access the internet ⚫ If this option is not selected, clients to which the disabled rules in the list apply
through this device. and clients not in the list can neither access the internet.
11.3.2 Configure an IP address filter rule
Before configuring an IP address filter rule, please configure the target IP group and time group first.
Step 1 Enable IP address filter.

1. Navigate to Filter Management > IP Address Filter.
2. Enable IP Address Filter, and click Save at the bottom of the page.
Step 2 Add an IP address filter rule.

1. Click +Add.
137
----End
11.3.3 Example of configuring an IP address filter rule

Requirement:
During business hours (08:00 to 18:00 on weekdays), only purchasers are allowed to access the
internet.
Solution
The IP address filter can meet this requirement.
Assume that the IP addresses of the purchasers’ computers range from 192.168.0.2 to
192.168.0.10.
Set a time group Set an IP group Enable IP address filter Add an IP filter rule

following figure.
138
Navigate to Filter Management > IP Group/Time Group. Set an IP group shown in the
following figure.
Step 3 Enable IP address filter.

1. Navigate to Filter Management > IP Address Filter.
2. Enable IP Address Filter, and click Save at the bottom of the page.
Step 4 Add an IP address filter rule.

1. Click +Add.
139
(1) Set Filter Mode to Allow access to the internet (whitelist).
(3) Select the target IP Group, which is Purchasers in this example.
(4) (Optional) Enter a Remark for the rule, for example, Purchasers.
3. Deselect Allow clients with disabled status or clients not on the list to access the internet
through this device.
140
----End
Verification
During 08:00 to 18:00 on weekdays, only the purchasers’ computers with IP addresses ranging from
192.168.0.2 to 192.168.0.10 can access the internet.
141
11.4 Port filter
11.4.1 Overview
The protocols of various services available over the internet use dedicated port numbers. The
common service port numbers range from 0 to 1023 and are generally assigned to specific services.
The port filter prevents LAN users from accessing certain internet services by disabling the users to
access the port numbers of the services.
Click Filter Management > Port Filter to enter the page.
Port Filter Enable or disable the port filter function.
Specifies the IP group used to specify the client to which the rule applies.
Specifies the time group used to specify the time period during which the rule is
effective.
Time Group
Ports Specifies the TCP or UDP port number used by the service to be blocked.
Specifies the protocol used by the service to be blocked. All indicates TCP and
Protocols
UDP.
142
Specifies the status of the port filter rule. You can enable or disable the rule as
Status
required.
11.4.2 Configure a port filter rule
Before configuring a port filter rule, please configure the target IP group and time group first.
Step 1 Enable port filter.

1. Navigate to Filter Management > Port Filter.
2. Enable this function, and click Save at the bottom of the page.
Step 2 Add a port filter rule.

1. Click +Add.
143
----End
11.4.3 Example of configuring a port filter rule

Requirement:
During business hours (08:00 to 18:00 on weekdays), webpage browsing is forbidden for finance
department staff (The default port number of the webpage browsing service is 80).
Solution
The port filter can meet this requirement.
Assume that the IP addresses of the finance department staff range from 192.168.0.2 to
192.168.0.10.
Set a time group Set an IP group Enable port filter Add port filter rule

following figure.
144
following figure.
Step 3 Enable port filter.

1. Navigate to Filter Management > Port Filter.
2. Enable Port Filter, and click Save at the bottom of the page.
Step 4 Add a port filter rule.

1. Click +Add.
145
(1) Select the target IP Group, which is Financier in this example.
(3) Enter the port number used by the webpage browsing service, which is 80.
(4) Select the protocol used by the service. You are recommended to retain the default
option All.
----End
146
Verification
During 08:00 to 18:00 on weekdays, in the LAN network, the computers with IP addresses ranging
from 192.168.0.2 to 192.168.0.100 cannot browse web pages.
147
11.5 URL filter
11.5.1 Overview
The URL filter prevents LAN users from accessing specified types of website and controls internet
accessibility of LAN users so that they will not spend time on websites irrelevant to their duties.
Before you add web filter rules, add web categories.
Click Filter Management > URL Filter to enter the page.
URL Filter Enable or disable the URL filter function.
Specifies the URL filter modes.

⚫ Allow access only: It specifies that internet access is allowed. In this mode,
clients in the IP group can access only the specified website and cannot access
other websites during the specified time period. During other time periods, the
Filter Mode clients can access all the websites.
⚫ Block access only: It specifies that internet access is blocked. In this mode,
clients in the IP group cannot access only the specified website and can access
other websites during the specified time period. During other time periods, the
clients can access all the websites.
The IP group used to specify the client to which the rule applies.
148
effect.
Time Group
Specifies the URL category the rule uses.

URL
The URL category should be configured in advance.
Specifies the status of the URL filter rule. You can enable or disable the rule as
Status
required.
Specifies the customized URL category.
URL Management
The device does not have a pre-set default URL category.
11.5.2 Customize a URL group

Step 1 Enable URL filter.
1. Navigate to Filter Management > URL Filter.
2. Enable URL Filter, and click Save at the bottom of the page.
Step 2 Add a customized URL group.

1. Click URL Management.
149
2. Click New.
----End
11.5.3 Configure a URL filter rule
Before configuring a URL filter rule, please configure the target IP group and time group first.
Step 1 Navigate to Filter Management > URL Filter.

Step 2 Click +Add.
150
----End
151
11.5.4 Example of configuring a URL filter rule
Requirement:
During business hours (08:00 to 18:00 on weekdays), designing department staff are disallowed to
access social media like Facebook and Tumblr.
Solution
The URL filter can meet this requirement.
Assume that the IP addresses of the designing department staff’s computers range from
192.168.0.2 to 192.168.0.10.
Set a time group Set an IP group Enable URL filter Add a URL group Add a URL filter rule

following figure.
152
following figure.
Step 3 Enable URL filter.

1. Navigate to Filter Management > URL Filter.
2. Enable URL Filter, and click Save at the bottom of the page.
Step 4 Add a customized URL group.

1. Click URL Management.
2. Click New.
153
(1) Enter the Group Name, which is SocialMedia in this example.
(2) Enter the keywords of the domain name of the website to be blocked, which are
facebook;tumblr in this example.
(3) Enter a Remark for the URL group, for example, SocialMedia.
Step 5 Add a URL filter rule.

1. Click +Add.

(1) Set Filter Mode to Block access only.
(2) Select the target IP Group, which is Designers in this example.
(4) (Optional) Enter a Remark for the URL filter rule. You can also choose to leave it
blank.
(5) Select the target URL, which is SocialMedia in this example.
154
----End
155
Verification
During 08:00 to 18:00 on weekdays, clients with the IP addresses ranging from 192.168.0.2 to
192.168.0.10 cannot access Facebook and Tumblr.
156
11.6 Log audit
11.6.1 Log settings
Click Filter Management > Log Audit > Log Settings to enter the page.
Here, you can enable or disable the internet log audit function. When it is enabled, the router will
collect specified types of log records as required.
Enable or disable the log audit function.

Log Audit
After it is enabled, the router can collect specified types of log records.
After it is enabled, the router records users’ MAC addresses, IP addresses and
URL Access Log
visited websites.
After it is enabled, the router records users’ MAC addresses, IP addresses, online
Online/Offline Time
time and offline time.
After it is enabled, the router records users’ MAC addresses, IP addresses and the
Stay Duration
duration from online to offline.
157
After it is enabled, the router records users’ MAC addresses, IP addresses, mobile
SMS AUTH Phone
phone numbers for SMS authentication and the time for such authentication.
After it is enabled, the router records users’ MAC addresses, IP addresses and the
Authenticated Account
account information used for authentication.
After it is enabled, the router records users’ MAC addresses, IP addresses, the
AP Wireless Connection
names of connected mobile phones and APs.
After it is enabled, the router records users’ MAC addresses, IP addresses and
SSID Connection
connected Wi-Fi names.
158
11.6.2 Log storage
Click Filter Management > Log Audit > Log Storage to enter the page.
After Log audit is enabled, the log records can be saved to a local PC or a USB device.
By default, it is set to USB storage.
Specifies the storage location of log records.

⚫ USB Storage: The log records are stored in a USB device. Ensure that a USB
Storage Mode device is already plugged.
⚫ Local Storage: The log records are stored in a local computer. Ensure that the
computer is installed with log tools, such as syslog.
USB Device Displays the available space of the USB storage device.
Host IP Address Enter the IP address of the local computer.
159
12 More settings
12.1 Static route
12.1.1 Overview
Routing is an operation to select the optimal route for delivering data from a source to a destination.
A static route is a special route configured manually, which is simple, efficient, and reliable. Proper
static routes help reduce route selection issues and prevent overload caused by route selection data
flows, accelerating packet forwarding.
To define a static route, specify the network segment and subnet mask used to identify a
destination network or host, the gateway IP address, and the router WAN port for forwarding
packets. After a static route is defined, all the packets indented for the destination of the static
route are directly forwarded through the WAN port of the router to the gateway IP address.
If only static routes are used in a large-scale complex network, destinations may be unreachable in case
of a network fault or topology change, which results in network interruption. If the problem occurs,
manually modify the static routes.
Click More > Static Routing to enter the page.
160
Specifies the IP address of the target network. 0.0.0.0 destination network and 0.0.0.0
subnet mask indicate the default route.
Destination Network
If no accurate route is found in the route table, the router chooses the default route to
forward data packets.
Subnet Mask Specifies the subnet mask of the destination network.
Specifies the ingress port IP address of the next hop route after data packets egress
from the router.
Default Gateway
0.0.0.0 indicates that the destination network is directly connected to the interface of
the router.
Interface Specifies the interface from which packets egress. Select it as required.
12.1.2 Configure a static routing rule
If a static route conflicts with a user-defined multi-WAN policy, the static route prioritizes.
Click More > Static Routing to enter the page. Click +Add, and configure the following parameters in
the window, then click Save.
161
12.1.3 Example of configuring static route
Requirements:
The internet and the intranet are deployed on different networks. The WAN1 port of the router
accesses the internet using a PPPoE connection and the WAN2 port of the router accesses the
intranet (enterprise LAN) using a dynamic IP address.
Users on the router’s LAN are allowed to access both the internet and intranet.
Solution
The static routing function can meet this requirement.
Assume that:
− PPPoE user name: tdxy123
− PPPoE password: ipxz456
Internet
Internal gateway WAN1
Intranet Router
WAN LAN WAN2
172.16.100.0/24 LAN IP: 192.168.98.1 LAN IP: 192.168.0.252
Switch
LAN
Step 1 Enable two WAN ports, and configure the internet settings.
1. Navigate to Internet Settings > Internet Settings.
2. Select the number of WAN ports from the WAN Ports drop-down list menu, which is 2 in
this example.
162
3. On the WAN1 configuration area, set Connection Type to PPPoE, and enter the PPPoE
Username and PPPoE Password provided by your ISP, which are tdxy123 and ipxz456 in
this example.
4. On the WAN2 configuration area, set Connection Type to Dynamic IP.
5. Click Save at the bottom of page.

Wait a moment. When the status of WAN1 shows Authenticated successfully, the WAN1 is
connected to the internet; when the status of WAN2 shows networked, the WAN2 is
connected to the internet.
163
Step 2 Configure static routing.
1. Click System Status > , and view the IP information of WAN2. Assume that:
- IP Address: 192.168.98.190
- Subnet Mask: 255.255.255.0
- Default Gateway: 192.168.98.1
- Primary DNS: 192.168.96.1
2. Add a static routing rule.
(1) Navigate to More > Static Routing.
(2) Click +Add.
(3) Configure the following parameters, and click Save.

- Enter the Destination Network, which is 172.16.100.0 in this example.
- Enter the Subnet Mask of the destination network, which is 255.255.255.0 in this
example.
- Enter the Default Gateway (the ingress port IP address of the next hop route after
data packets egress from the router), which is 192.168.98.1 in this example.
- Enter the Interface between the router and the destination network, which is
WAN2 in this example.
----End
164
Add successfully. See the following figure.
Verification
Computers in the LAN can access the internet and the intranet simultaneously.
165
12.2 Port mirroring
12.2.1 Overview
Port mirroring function forwards a copy of data of one or more mirrored ports to the specified
mirroring port. The network administrator uses data monitoring devices to monitor traffic, analyze
performance and perform network diagnose.
Click More > Port Mirroring to enter the page.
Port Mirroring Enable or disable the port mirroring function.
Specifies the monitoring port. A piece of monitoring software must be installed on the
Mirroring Port computer with this port to perform monitoring. The default mirroring port is LAN4, which
can be customized.
Specifies the monitored ports. After the port mirroring function is enabled, packets of the
Mirrored Port
mirrored ports are replicated to the mirroring port for monitoring.
166
12.2.2 Example of configuring port mirroring
An enterprise uses the router to build a network. Recently, internet access failures occur frequently
and the network administrator needs to capture data packets from the WAN and LAN ports of the
router for analysis.
Solution
The port mirroring function of the router can meet this requirement.
Assume that a data monitoring device is connected to the LAN3 to monitor the data of other ports.
Internet
WAN1
Router
LAN3
LAN Data monitoring device
Switch
LAN
Step 1 Navigate to More > Port Mirroring.
Step 2 Enable Port Mirroring.
Step 3 Select the Mirroring Port, which is LAN3 in this example.
Step 4 Select the Mirrored Ports, which are WAN1, LAN2 and LAN4 in this example.
167
----End
Verification
Run monitoring software such as Wireshark on the monitoring computer to verify the software can
capture data packets from the mirrored ports.
168
12.3 Remote web management
12.3.1 Overview
Generally, the web UI of the router can only be accessed on devices that are connected to the
router in wired or wireless manner. This costs in case of seeking technician to fix network problems.
The remote web management function is designed to address such requirement. When you
encounter network faulty, you can ask technicians far away to diagnose and fix your problems,
improving efficiency and reducing costs and efforts.
Click More > Remote WEB Management to enter the page.
Remote WEB MGMT Enable or disable the remote web management function.
Specifies the WAN port of the router, which is also the WAN port used to remotely
WAN
access the web UI of the router.
IP address of the computer that can access the router remotely.

⚫ Any IP: Any computers can access the router over the internet. Choose this option
Remote IP only when necessary since it lowers network security.
⚫ Specified IP: Only a computer with the specified IP address can access the router
over the internet. If the computer is on a LAN, enter the WAN port IP address of the
gateway of the computer.
Remote Access With this function enabled, the router automatically generates one unique domain
Address name that can be used to manage the router remotely.
169
12.3.2 Example of configuring remote web management
An enterprise uses the wireless router to deploy its network. The network administrator needs to
seek a Tenda technician to solve a problem remotely.
Solution
The remote web management function can meet this requirement.
Internet
Technician WAN1
IP: 202.105.88.77
Router
LAN
Switch
LAN
Step 1 Navigate to More > Remote WEB Management.
Step 2 Enable Remote WEB MGMT.
Step 3 Select the WAN port for remote management, which is WAN1 in this example.
Step 4 Select the Specified IP, and enter the IP address of the computer of the Tenda support
technician, which is 202.105.88.77 in this example.
170
----End
Verification
Tenda technician with a computer IP address 202.105.88.77 can use
http://o95juq6q.cloud.tendacn.net:8080 to access the web UI of the router remotely.
171
12.4 DDNS
12.4.1 Overview
DDNS is abbreviated for Dynamic Domain Name Service. When a service is running, the DDNS client
on the router sends the IP address of the current WAN port of the router to the DDNS server, and
the server updates the mapping relationships between the domain name and IP address in the
database, achieving dynamic domain name resolution.
On this page, you can map the dynamic WAN IP address of the router (public IP address) to a fixed
domain name. The DDNS function is generally used with such functions as port forwarding and DMZ
host to enable internet users to access the LAN server or the web UI of the router through domain
name without caring about the change of the WAN IP address.
Click More > DDNS to enter the page.
172
DDNS Enable or disable the DDNS function.
DDNS Provider The router supports four DDNS providers: noip, dyndns, oray, and gnway.
Specifies the type of the DDNS account. This parameter appears when DDNS Provider
Service Type
is set to oray.
User Name Specifies the user name/password used to log in to a DDNS provider. They are
registered on the website of the provider.
Password
Specifies the domain name obtained from the DDNS provider. If DDNS Provider is set
Domain Name to other DDNS provider other than oray, you need to manually enter the domain
name applied from the target website.
Status Specifies the DDNS service status.
173
12.4.2 Example of configuring DDNS
An enterprise uses the wireless router to set up a network. The router has been connected to the
internet and can offer internet service to LAN users.
The enterprise has the following requirement:
The intranet web server is open to internet users to enable staff to access the intranet even when
they are not physically in the enterprise.
Solution
− You can use the Port Forwarding function to enable internet users to access the
intranet web server.
− You can use the DDNS function to enable internet users to access the intranet web
server through a fixed domain name, avoiding access failure caused by WAN IP
address change.
− You can use the Address Reservation function to avoid access failure caused by web
server address change.
Assume that the information of the web server is shown as below:
− IP address of the web server: 192.168.0.250
− MAC address of the host that runs the web server: C8:9C:DC:60:54:69
− Service port: 9999
Before the configuration, ensure that the WAN port of the router obtains a public IP address; if
the WAN port obtains a private IP address or an intranet IP address assigned by the ISP (starting
with 100), the function may not take effect. Commonly-used IPv4 private IP addresses include
10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
ISP may not support unreported web service accessed using the default port number 80.
Therefore, when setting port forwarding, you are recommended to set the external port as a
non-familiar port (1024 to 65535), such as 9999, to ensure normal access.
Internal and external ports can be different.
174
Internet
Internet user
WAN1
Router
LAN
Switch
Web server AP Computer
Configure port forwarding Reserve a fixed IP address for the server Configure DDNS
host
Step 1 Configure port forwarding.
Navigate to More > Port Forwarding, and add a rule. Refer to Configure a port forwarding rule.
Step 2 Reserve a fixed IP address for the server host.

1. Navigate to Address Reservation > Manual Address Reservation.
2. Click +Add.
175
(1) Set the fixed IP address assigned to the server host, which is 192.168.0.250 in this
example.
(2) Enter the MAC address of the server host, which is C8:9C:DC:60:54:69 in this example.
(3) (Optional) Enter a remark, such as Web Server.
Reserved successfully. See the following figure.
176
Step 3 Configure DDNS.
1. Register a domain name.
Log in to the DDNS provider website. Assume that the DDNS provider where you applied
the domain name is noip, the user name you registered is Tenda, the password is tdxy123,
and the domain name is tenda.ddns.net
2. Log in to the web UI of the router and configure DDNS.
(1) Navigate to More > DDNS.
(2) Enable DDNS.
(3) Select noip from the DDNS Provider drop-down list.
(4) Enter the user name and password, which is Tenda and tdxy123 in this example.
(5) Enter the domain name, which is tenda.ddns.net in this example.
(6) Click Save at the bottom of the page.
----End
Wait a moment, and refresh the page. When the Status shows Connected, the configuration
completes successfully.
177
Verification
Internet users can successfully access the intranet server by using intranet service application layer
protocol name://WAN port domain name:external port, which is http://tenda.ddns.net:9999 in
this example.
If you set the default port of the intranet service as the external port when configuring port
forwarding, the external port number can be excluded from the access address. Under such
circumstances, the access address is intranet service application layer protocol name://WAN port
domain name.
If internet users still cannot access the LAN server after the configuration, try the following methods:
Make sure that the internal port you entered is correct.
Maybe the system firewall, anti-virus software and security guard on the LAN server blocked
internet user access. Please disable these programs and try again.
178
12.5 Port forwarding
12.5.1 Overview
By default, internet users cannot access LAN devices. However, with port forwarding function, you
can open one or multiple service ports (TCP or UDP) of the router and forwards these ports to the
specified LAN server. In this way, service requests sent to those ports of the node can be forwarded
to the target LAN server. Internet users can access the LAN server and the LAN is defended against
attacks.
Navigate to More > Port Forwarding to enter the page.
Internal Server IP Specifies the IP address of the internal server.
Internal Port Specifies the service port of the internal server.
External Port Specifies the port opened to internet users to access.
Specify the types of the transfer layer protocol used by the LAN service.
Protocols
All indicates both TCP and UDP. Select All if you are uncertain about the service type.
Port Specifies the WAN port internet users use to access the LAN service.
Status Specifies the status of the rule. You can enable or disable the rule as required.
179
12.5.2 Configure a port forwarding rule
Click More > Port Forwarding to enter the page. Click +Add, configure the following parameters,
and click Save.
180
12.5.3 Example of configuring a port forwarding rule
Solution
− You can use the Port Forwarding function to enable internet users to access the
intranet web server. Assume that the open port of the router is 9999.
10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
Internal and external ports can be different.
181
Internet
Internet user
WAN1 IP:202.105.11.22
Router
LAN
Switch
Configure port forwarding Reserve a fixed IP address for the server host
Step 1 Configure port forwarding.

1. Navigate to More > Port Forwarding.
2. Click +Add.
(1) Enter the Internal Server IP, which is 192.168.0.250 in this example.
(2) Enter the Internal Port, which is 9999 in this example.
(3) Enter the External Port, which is 9999 in this example.
(4) Choose the protocol used by the web server, which is TCP in this example.
182
(5) Select WAN1 as the port through which WAN users get access to the LAN server.
Step 2 Reserve a fixed IP address for the server host.

2. Click +Add.
183
example.
----End
184
Verification
protocol name://WAN port IP address:external port. If you set the default port of the intranet
service as the external port when configuring port forwarding, the external port number can be
excluded from the access address. Under such circumstances, the access address is intranet service
application layer protocol name://WAN port IP address.
In this example, the access address is http://202.105.11.22:9999
You can check the current WAN IP address on the System Status page.
If DDNS is enabled on the WAN port, internet users can also access the intranet server by using
intranet service application layer protocol name://WAN port domain name:external port.
If internet users still cannot access the LAN server after the configuration, try the following methods:
Make sure that the internal port you entered is correct.
Maybe the system firewall, anti-virus software and security guard on the LAN server blocked
internet user access. Please disable these programs and try again.
185
12.6 DMZ host
12.6.1 Overview
After setting a device in the LAN as the DMZ host, it enjoys no limitations when communicating with
the internet. For example, if video meeting or online games are under way on a computer, you can
set that computer as the DMZ host to make the video meeting and online games go smoother. In
addition, you can also set the LAN server as the DMZ host when internet users access the LAN
server resources.
After you set a LAN device as a DMZ host, that device will be completely exposed to the internet
and the firewall of the node does not take effect on the device.
Hackers may fire attacks on the local network by using the DMZ host. Please exercise caution to
use the DMZ host function.
The security guard, anti-virus software and system firewall on the DMZ host may affect the DMZ
host function. Disable them when using this function. When you are not using the DMZ host
function, you are recommended to disable the function and enable the firewall, security guard
and anti-virus software on the DMZ host.
Click to More > DMZ Host to enter the page.

DMZ Host Enable or disable the DMZ host function.
IP Address of DMZ
Specifies the IP address of the LAN device to be set as the DMZ host.
Host
186
Enable or disable the filter VPN port function.

After this function is enabled and you enabled the DMZ host function at the same
time, the VPN service of the router will respond to the VPN requests from the internet.
Filter VPN Port
If the router has already enabled the VPN server function and is about to enable the
DMZ host function, to ensure the validity of the VPN server of the router, enable the
filter VPN port function as well.
12.6.2 Example of configuring DMZ host

Solution
− You can use the DMZ Host function to enable internet users to access the intranet web
server.
10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
187
Internet
Internet user
WAN1 IP:202.105.11.22
Router
LAN
Switch
Configure DMZ host Reserve a fixed IP address for DMZ host

Step 1 Configure the DMZ host.
1. Navigate to More > DMZ Host.
2. Enable DMZ Host.
3. Enter the IP address of the LAN device to be set as the DMZ host, which is 192.168.0.250 in
this example.
188
Step 2 Reserve a fixed IP address for the DMZ host.
2. Click +Add.
example.
----End
189
Verification
protocol name://WAN port IP address:internal service port. If you use the default port for the
intranet service, the intranet service port number can be excluded from the access address. Under
such circumstances, the access address is intranet service application layer protocol name://WAN
port IP address.
In this example, the access address is http://202.105.11.22:9999
You can check the current WAN IP address on the System Status page.
If DDNS is enabled on the WAN port, internet users can also access the intranet server by using
intranet service application layer protocol name://WAN port domain name:internal service port.
After the configuration, if internet users still cannot access the LAN server, disable the system firewall,
anti-virus software or security guard on the DMZ host and try again.
190
12.7 UPnP
12.7.1 Overview
UPnP is abbreviated for Universal Plug and Play. After the UPnP function is enabled, the router can
automatically open port for UPnP-supporting programs in the LAN (such as BitComet and AnyChat)
and make these applications run smoother.
12.7.2 Enable UPnP

Click More > UPnP to enter the page, and enable UPnP.
If you enable the UPnP function, when UPnP-based programs, such as BitComet and AnyChat, are
running on the local network, the external and internal mapping relationships are displayed on the
page.
191
12.8 Any IP
Click More > Any IP to enter the page.
This function is typically used in public spaces, such as at a hotel. With this function enabled,
devices in the LAN network with any IP address, gateway and DNS can access the internet through
the router, avoiding the issue that the private IP addresses of guests do not match with the hotel
network.
By default, this function is disabled. Enable it when necessary.
192
12.9 DNS forwarding
The DNS forwarding function forwards specified domain names to specified DNS servers through
the fixed WAN port for DNS address resolution, improving access speed.
Click More > DNS Forwarding to enter the page.
Domain Name Specifies the domain name to be forwarded and resolved.
DNS Address Specifies the server address that requires DNS resolution.
Specifies the port through which data goes out of the router. Please set the
Interface
corresponding WAN port as needed.
Status Enable or disable the rule.
193
12.10 Security settings
The router supports ARP Defense, DDoS Defense, IP Attack Defense, and Block WAN Ping security
settings.
− ARP Defense: This function can identify the ARP spoofing in the local network, and
record the MAC addresses of the attacker.
− DDoS Defense: DDoS attack, abbreviated for Distributed Denial of Service Attack,
makes network resource unavailable to its intended users. The router can block DDoS
attack, including ICMP Flood, UDP Flood, and SYN Flood attacks.
− IP Attack Defense: With this function enabled, the router can intercept some packets
with specified IP options. These IP options include IP Timestamp Option, IP Security
Option, IP Stream Option, IP Record Route Option, IP Loose Source Route Option and
illegal IP options.
− Block WAN Ping: With this function enabled, the router automatically ignores WAN IP
address ping requests from internet hosts; therefore, the router avoids exposing itself
and defends the external ping attacks.
Click More > Security Settings to enter the page.
194
ARP Defense Enable or disable the ARP defense function.

Security
Settings ARP Broadcast
Specifies the interval at which the router sends ARP broadcast messages.
Interval
ICMP Flood If ICMP request packets from a same host in LAN received by the router exceed
Threshold this threshold within 1 second, the router suffers ICMP flood attack.
DDoS UDP Flood If UDP request packets from a same host in LAN received by the router exceed
Defense Threshold this threshold within 1 second, the router suffers UDP flood attack.
SYN Flood If TCP SYN request packets from a same host in LAN received by the router
Threshold exceed this threshold within 1 second, the router suffers SYN flood attack.
IP Timestamp With this function enabled, the router blocks IP packets that contain the
Option Internet Timestamp option in the local network.
IP Security With this function enabled, the router blocks IP packets that contain the
Option Security option in the local network.
IP Stream With this function enabled, the router blocks IP packets that contain the Stream
IP Attack Option ID option in the local network.
Defense IP Record With this function enabled, the router blocks IP packets that contain the Record
Route Option Route option in the local network.
IP Loose Source With this function enabled, the router blocks IP packets that contain the Loose
Route Option Source Route option in the local network.
Rouge IP With this function enabled, the router blocks IP packets that fail to pass
Option integrity and correctness check in the local network.
Enable or disable the block WAN ping function. By default, this function is
disabled.
Block WAN Ping After the block WAN ping function is enabled, the router automatically ignores
WAN IP address ping requests from internet hosts; therefore, the router avoids
exposing itself and defends external ping attacks.
195
12.11 VPN
12.11.1 Overview
VPN, abbreviated for Virtual Private Network, is a special network set up on the public network
(generally the internet). It exists only logically, and does not have any physical lines. The VPN
technology is widely used in enterprise networks and is used to achieve resource sharing between a
subsidiary and the headquarters, and at the same time, protects these resources from being
exposed to other users in the internet.
The typical network topology is shown as below.
Subsidiary Headquarters
Internet
LAN WAN WAN LAN
VPN tunnel
Subsidiary Router Router Enterprise

staff VPN Client VPN Server internal
server
The router supports the following VPN services:

− PPTP/L2TP VPN Server
− PPTP/L2TP VPN Client
− IPSec
196
12.11.2 VPN server
The router can be used as a PPTP/L2TP server to accept connections from PPTP/L2TP clients.
Click More > VPN Server to enter the page.
Enable or disable the VPN server function.

VPN Server
After this function is enabled, the router serves as a VPN server.
Specifies the VPN protocol type the router uses, including PPTP and L2TP. Both PPTP and
L2TP are layer-2 VPN tunnel protocol and use the PPP to encapsulate data, and both add an
Server Type additional head for data.
⚫ PPTP: The router serves as a PPTP server and accepts connections from PPTP clients.
⚫ L2TP: The router serves as an L2TP server and accepts connections from L2TP clients.
Specifies the WAN port for setting up a VPN tunnel between the VPN server and the
clients.
WAN
The IP address or domain name of the WAN port is the server IP address/domain name of
VPN client.
197
Enable or disable 128-bit data encryption. This parameter only appears when PPTP is
selected.
Encryption
The encryption configuration of the client and server must be the same. Otherwise, the
communication cannot be performed properly.
Enable or disable the IPSec encryption. This parameter only appears when L2TP is selected.
IPSec Encryption If you want to configure IPSec encryption, select the IPSec rules whose encapsulation mode
is transport mode.
Specifies IP address range that the PPTP/L2TP clients can obtain from the VPN server to be
IP Address Pool
connected.
Specifies the maximum number of VPN clients allowed to connect to the PPTP/L2TP server.
Max. Users
The value is fixed to 32.
User Name
Specifies the user name and password used to dial in a PPTP/L2TP VPN connection.
Password
Specifies the type of the VPN client.
⚫ Yes: Choose this option when the VPN client is a network. Under such circumstances, you
Network Users
need to set the network segment, subnet mask of the VPN client.
⚫ No: Choose this option when the VPN client is a host.
Network
When the VPN client is a network, enter the private network prefix of the client.
Segment
Subnet Mask When the VPN client is a network, enter the subnet mask of the client.
Remark Specifies the remarks of the account.
Status Specifies whether the corresponding rule is enabled.

198
Add a PPTP/L2TP user account
Navigate to More > VPN Server > PPTP/L2TP User, click +Add, configure the following parameters in
the Add window, and click Save.
199
12.11.3 VPN client
The router can be used as a PPTP/L2TP client connected to the PPTP/L2TP server.
Click More > VPN Client to enter the page.
By default, VPN Client is disabled.
Enable or disable the VPN client function.

VPN Client
After this function is enabled, the router serves as a VPN client.
Specifies the VPN protocol type the router uses, including PPTP and L2TP. Both PPTP and
L2TP are layer-2 VPN tunnel protocol and use the PPP to encapsulate data, and both add an
Client Type additional head for data.
⚫ PPTP: Choose this option if the VPN server to be connected is a PPTP server.
⚫ L2TP: Choose this option if the VPN server to be connected is an L2TP server.
WAN Specifies the WAN port the router uses for VPN dial-up.
200
Specifies the IP address or domain name of the VPN server to be connected, which is
Server IP/Domain
generally the IP address or domain name of the WAN port enabling the PPTP/L2TP server
Name
function of the peer VPN router.
User Name Specifies the PPTP/L2TP user account, which is the user name and password assigned by
Password the VPN server.
Enable or disable data encryption. This parameter only appears when PPTP is selected.
Encryption The encryption configuration of the client and server must be the same. Otherwise, the
communication cannot be performed properly.
After this function is enabled, LAN users access the internet through the VPN server-side
VPN Proxy
router.
Remote LAN Specifies the network segment of the LAN of the VPN server.
Remote Subnet
Specifies the subnet mask of the LAN of the VPN server.
Mask
Status Specifies the current connection status of the VPN.
201
12.11.4 IPSec
IP Security (IPSec) is a protocol suite for transmitting data over the internet in a secure and
encrypted manner.
◼ Encapsulation mode
Encapsulation mode specifies encapsulation mode of the data transmitted by IPSec. IPSec
supports Tunnel and Transport modes.
− Tunnel: This mode adds an additional IP head and is most commonly used between
gateways. The whole IP data packet of the user is used to calculate the AH or ESP head.
AH or ESP head and the user data encrypted by ESP are encapsulated in a new IP data
packet.
− Transport: This mode does not change the original IP head and is most commonly used
between hosts. Only the data at the transmission layer is used to calculate AH or ESP
head. AH or ESP head or user data encrypted by ESP are placed behind the original IP
packet head.
◼ Security gateway
It refers to a gateway (secure and encrypted router) with the IPSec functionality. IPSec is used
to protect data exchanged between such gateways from being tampered and peeped.
◼ IPSec peer
The two IPSec terminals are called IPSec peers. The two peers (security gateways) can
securely exchange data only after a Security Association (SA) is set up between them.
◼ SA
SA specifies some elements of the peers, such as the base protocol (AH, ESP, or both),
encapsulation mode (transport or tunnel), encryption algorithm (DES, 3DES, or AES), shared
key for data protection in specified flows, and life cycle of the key. SA has the following
features:
− A triplet {SPI, Destination IP address, Security protocol identifier} is used as a unique
ID.
− An SA specifies the protocol, algorithm, and key for processing packets.
− Each IPsec SA is unidirectional with a life cycle.
− An SA can be created manually or generated automatically using internet Key Exchange
(IKE). The IKE protocol has two versions of IKEv1 and IKEv2. The device supports IKEv1
and the IKE hereinafter stands for IKEv1.
202
Configure IPSec connection: Tunnel mode
Click More > IPSec to enter the page. Click +Add, select the Tunnel mode, configure the following
parameters in the window, and click Save.
The router supports both Tunnel mode (default) and Transport mode.
IPSec Enable or disable the IPSec function.
Specifies the WAN port over which the IPSec function takes effect. The remote gateway
WAN
address of the IPSec peer device should be the IP address of this interface.
203
Specifies the IPSec data encapsulation mode.

Encapsulation
⚫ Tunnel: This mode is generally used between two security gateways.
Mode
⚫ Transport: This mode is generally used between hosts or host and gateway.
Connection
Specifies the name of the IPSec connection.
Name
Specifies the exchange mode of the IPSec tunnel.
⚫ Initiator Mode: The device sends a connection request to the peer device.
⚫ Responder Mode: The device waits for the peer device to send a connection request.
Exchange Mode
Do not set both ends of the IPSec tunnel as Responder Mode; otherwise, the IPSec tunnel
setup fails.
Specifies the protocol which offers the security service for IPSec.
⚫ AH: It is abbreviated for Authentication Header. This protocol is used for verifying data
integrity. If a packet is tampered during transmission, the receiver discards it during data
integrity verification.
Tunnel Protocol ⚫ ESP: It is abbreviated for Encapsulating Security Payload. This protocol is used for
verifying data integrity and encrypting data. If a packet processed using this protocol is
intercepted during transmission, it is difficult for the intercepting party to obtain the real
information contained in the packet. This compatible protocol is widely used in gateway
products.
⚫ AH+ESP: It indicates that the function features both AH and ESP.
Remote Gateway Specifies the IP address or domain name of the peer gateway of the IPSec tunnel.
Specifies the network segment/prefix length of the LAN of the device. For example, if the
Local LAN/Prefix
IP address of the LAN port of the device is 192.168.0.1 and the subnet mask is
Length
255.255.255.0, the local LAN/prefix length can be 192.168.0.0/24.
Remote Specifies the network segment/prefix length of the LAN of the peer gateway of the IPSec
LAN/Prefix tunnel. If the peer device is a host, this parameter can be set as “the IP address of the
Length device/32”.
Specifies the key negotiation mode of the IPSec security tunnel.

⚫ Auto Negotiation: It indicates that an SA is set up, maintained, and deleted automatically
using IKE (Internet Key Exchange). This reduces configuration complexity and simplifies
IPSec usage and management. Such an SA (Security Association) has a life cycle and is
Key Negotiation updated regularly, leading to higher security.
⚫ Manual: It indicates that an SA is set up by manually specifying encryption and
authentication algorithms and keys. Such an SA does not have a life cycle, and therefore
it remains valid unless being manually deleted, leading to security risks. Generally, this
mode is used only for commissioning.
Key negotiation: Auto negotiation

To protect information confidentiality when using auto negotiation, IKE is in place to negotiate keys
for secure communication between IPSec peers. The IKE protocol is a hybrid of three other
protocols:
204
− ISAKMP: Internet Security Association and Key Management Protocol. It defines the
procedures for authenticating a communicating peer, creation and management of
Security Associations, key generation techniques, and threat mitigation.
− Oakley: Oakley Key Determination Protocol. It defines the specific key negotiation
mechanism.
− SKEME: A secure and versatile key exchange protocol for key management over
internet is presented.
IKE negotiation can be broken down into two periods.
Period 1: The communicating parties negotiate exchange and authentication algorithm, encryption
algorithm and other security protocols, and generate an ISAKMP SA which is used to exchange more
information in phase II.
Period 2: The ISAKMP SA set up in phase I is used as the security agreement negotiation parameter
of IPSec to create IPSec SA, which is used to protect the communication data of both parties
When Auto Negotiation is selected, the following page appears.
Authentication Specifies the shared key mode, which indicates a shared key string negotiated by IPSec
Type parties with some way in advance.
Specifies the pre-shared key used during negotiation. This parameter must be the same
Pre-shared Key
with that of the peer gateway. A maximum of 128 characters are allowed.
Enable or disable the DPD Detection. This function can detect whether the remote tunnel
DPD Detection
site is valid.
Specifies the cycle of transmitting DPD packets.

DPD Detection The device transmits DPD packets based on the cycle set here. If the DPD packets are not
Cycle confirmed by the remote peer device during the cycle period, the device re-initializes the
IPSec SA between the both sides.
205
Click Advanced, and the following configuration area appears.
Specifies the exchange mode in IKE phase I, which should be the same as that of peer
gateway.
⚫ Main: This mode is the primary mode. In this mode, exchanged packets are huge to offer
Mode identity protection, which is applicable to scenarios where identity protection is rigorous.
⚫ Aggressive: This mode does not offer identity protection. In this mode, the exchanged
packets are few in number and negotiation rate is high, which is applicable to scenarios
where identity protection is loose.
Specifies the IKE session encryption algorithm. The router supports the following
algorithms:
⚫ DES (Data Encryption Standard): A 56-bit key is used to encrypt 64-bit data. The last 8
Encryption
bits of the 64-bit data are used for parity check. 3DES indicates that three 56-bit keys are
Algorithm
used for encryption.
⚫ AES (Advanced Encryption Standard): AES 128/192/256 indicates that 128/192/256-bit
keys are used for encryption respectively.
Specifies the IKE session verification algorithm. The router supports the following
algorithms:
Integrity ⚫ MD5 (Message Digest Algorithm): A 128-bit message digest is generated to prevent
Verification message tampering.
⚫ SHA1 (Secure Hash Algorithm): A 160-bit message digest is generated to prevent
message tampering, leading to higher security than MD5.
206
Diffle-Hellman Specifies the group information for the Diffie-Hellman algorithm for generating a session
Group key used to encrypt an IKE tunnel.
Specifies the ID of the local gateway.

⚫ IP Address: The router uses the IP address of the specified WAN port for negotiation with
the remote gateway.
⚫ FQDN: Fully Qualified Domain Name. If you select FQDN, you need to manually set a
Local ID Type string of characters, which should be identical with the remote ID.
Local ID Type and Peer ID Type should be the same. Under such circumstances, you are
recommended to modify the Mode to Aggressive.
Specifies the ID of the remote gateway.

⚫ IP Address: By default, the remote gateway uses the WAN IP address of the router for
negotiation.
⚫ FQDN: Fully Qualified Domain Name. If you select FQDN, you need to manually set a
Peer ID Type string of characters, which should be identical with the local ID.
Local ID Type and Peer ID Type should be the same. Under such circumstances, you are
recommended to modify the Mode to Aggressive.
Key Expiration Specifies the life cycle of ISAKMP SA.
This feature generates a new key in IKE Phase II, which is unrelated to the key generated in
IKE Phase I, ensuring that the key generated in Phase II is secure even if the key generated
in IKE1 Phase I is cracked.
PFS
With the PFS disabled, generation of the new key in IKE Phase II depends on the key in
Phase I. Once the key generated in IKE Phase I is cracked, the key generated in Phase II will
suffer threats, and further threatens the communication security.
207
Key negotiation: Manual
The following displays the page when Manual is selected for Key Negotiation (Tunnel protocol
AH+ESP is used for illustration here).
When the Tunnel Protocol is set to ESP, the ESP encryption algorithm is required. The
router supports the following algorithms:
ESP Encryption
Algorithm
⚫ DES: A 56-bit key is used to encrypt 64-bit data. The last 8 bits of the 64-bit data are
used for parity check. 3DES indicates that three 56-bit keys are used for encryption.
⚫ AES: A 128/192/256-bit key is used for encryption.
Specifies the ESP encryption key. Both IPSec communication parties should have the
ESP Encryption Key
same key.
When the Tunnel Protocol is set to ESP or AH, the corresponding encryption algorithm
ESP/AH is required. The router supports the following algorithms:
Authentication
Algorithm
⚫ MD5: A 128-bit message digest is generated to prevent message tampering.
⚫ SHA1: A 160-bit message digest is generated to prevent message tampering.
208
When the Tunnel Protocol is set to ESP or AH, the corresponding authentication key is
ESP/AH required.
Authentication Key
Both IPSec communication parties should have the same key.
Specifies the outgoing SPI.

ESP/AH Outgoing SPI SPI, remote gateway address, protocol type identify an IPSec security community. This
parameter must be the same with the incoming SPI of the peer device.
Specifies the incoming SPI.

ESP/AH Incoming SPI SPI, remote gateway address, protocol type identify an IPSec security community. This
parameter must be the same with the outgoing SPI of the peer device.
209
Configure IPSec connection: Transport mode
Click More > IPSec to enter the page. Click +Add, select the Transport mode, configure the following
parameters in the window, and click Save.
IPSec Enable or disable the IPSec function.
Specifies the WAN port over which the IPSec function takes effect. The remote gateway
WAN
address of the IPSec peer device should be the IP address of this interface.
Specifies the IPSec data encapsulation mode.

Encapsulation
⚫ Tunnel: This mode is generally used between two security gateways.
Mode
⚫ Transport: This mode is generally used between hosts or host and gateway.
Connection
Specifies the name of the IPSec connection.
Name
Specifies the exchange mode of the IPSec tunnel.
⚫ Initiator Mode: The device sends a connection request to the peer device.
⚫ Responder Mode: The device waits for the peer device to send a connection request.
Exchange Mode
Do not set both ends of the IPSec tunnel as Responder Mode; otherwise, the IPSec tunnel
setup fails.
210
Specifies the IKE session encryption algorithm. The router supports the following
algorithms:
Encryption
⚫ DES (Data Encryption Standard): A 56-bit key is used to encrypt 64-bit data. The last 8
Algorithm bits of the 64-bit data are used for parity check. 3DES indicates that three 56-bit keys are
used for encryption.
⚫ AES (Advanced Encryption Standard): AES 128/192/256 indicates that 128/192/256-bit
keys are used for encryption respectively.
Specifies the IKE session verification algorithm. The router supports the following
algorithms:
Integrity ⚫ MD5 (Message Digest Algorithm): A 128-bit message digest is generated to prevent
Verification message tampering.
⚫ SHA1 (Secure Hash Algorithm): A 160-bit message digest is generated to prevent
message tampering, leading to higher security than MD5.
Specifies the pre-shared key used during negotiation. This parameter must be the same
Pre-shared Key
with that of the peer gateway. A maximum of 128 characters are allowed.
211
12.11.5 Example of configuring a PPTP/L2TP VPN
An enterprise and its subsidiary both use the wireless routers to set up a network and the routers
have been connected to the internet.
Subsidiary staff can access the LAN resources through the internet, such as documents, OA, ERP
system, CRM system, project management system and other resources.
Solution
Set a router as the VPN server and the other as the VPN client to enable remote users to securely
access the LAN through the internet. PPTP VPN is taken as an example here and the configuration
for L2TP VPN is the same.
Assume that router 1 is set as the PPTP server and its basic information is as follows:
− User name and password assigned by the PPTP server: Subsidiary 1
− IP address of the PPTP server: 202.105.11.22
− Data encryption is enabled on the PPTP server.
− Intranet of the PPTP server: 192.168.0.0/24
− Port of the PPTP server to establish a VPN tunnel: WAN1
Assume that router 2 is set as the PPTP client and its basic information is as follows:
− Intranet of the PPTP client: 192.168.1.0/24
− Port of the PPTP client to establish a VPN tunnel: WAN1
Internet Router 1
Router 2 WAN1 WAN1
VPN tunnel
VPN client VPN server
LAN LAN
Switch Switch
LAN
Enterprise server
Set router 1 as VPN server Set router 2 as VPN client
Step 1 Set router 1 as the VPN server.
212
1. Enable the PPTP server.
(1) Log in to the web UI of router 1, and navigate to More > VPN Server.
(2) Enable VPN Server.
(3) Configure the following parameters, and click Save at the bottom of the page.
- Select Server Type, which is PPTP in this example.
- Select the WAN port for setting up a VPN tunnel between the VPN server and
client, which is WAN1 in this example.
- Enable Encryption.
2. Configure the PPTP/L2TP user.

(1) Navigate to More > VPN Server > PPTP/L2TP user.
(2) Click +Add.
(3) Configure the following parameters in the Add window, and click Save.
- Enter the User Name the VPN client uses for VPN connection, which is Subsidiary 1
in this example.
- Enter the Password, which is Subsidiary 1 in this example.
- Select Yes for Network Users.
- Enter the Network Segment of the VPN client LAN, which is 192.168.1.0 in this
example.
- Enter the Subnet Mask, which is 255.255.255.0 in this example.
213
- Enter a Remark for the user account, which is Subsidiary 1 in this example.
Step 2 Set router 2 as the VPN client.

1. Log in to the web UI of router 2, and navigate to More > VPN Client.
2. Enable VPN Client.
3. Configure the following parameters, and click Save at the bottom of the page.
(1) Select the Client Type same as the server type, which is PPTP in this example.
(2) Select the WAN port for setting up a VPN tunnel between the VPN server and client,
which is WAN1 in this example.
214
(3) Enter the Serve IP/Domain Name of the WAN port which serves as the egress at the
VPN server side, which is 202.105.11.22 in this example.
(4) Enter the User Name assigned by the VPN server, which is Subsidiary 1 in this
example.
(5) Enter the Password, which is Subsidiary 1 in this example.
(6) Enable Encryption.
(7) Enter the Remote LAN, which is 192.168.0.0 in this example.
(8) Enter the Remote Subnet Mask, which is 255.255.255.0 in this example.
----End
When the Status shows Connected, the VPN connection is successful. Staff of the headquarters and
the subsidiary can securely access the LAN resources through the internet.
215
Verification
Assume that the subsidiary is about to access the FTP server of the headquarters. The headquarters
project data is stored on an FTP server and the server information is as follows:
− FTP server IP address: 192.168.0.104
− Server port: 21
− Login username/password: Tom123/Tommy456
When subsidiary staff access the headquarters project materials, perform the following procedures:
Step 1 Enter ftp://server IP address in a browser or This PC, which is ftp://192.168.0.104 in this
example.
If the LAN service port is not the default port number, the access format is LAN service application
layer protocol name://server IP address:LAN service port.
Step 2 Enter the user name and password, which are Tom123 and Tommy 456 in this example,
and click Login.
216
The access is successful. See the following figure.
217
12.11.6 Example of configuring an IPSec VPN
An enterprise and its subsidiary both use routers to set up a network and the routers have been
connected to the internet.
Subsidiary staff can access the LAN resources through the internet, such as documents, OA, ERP
system, CRM system, project management system and other resources.
Solution
Set up an IPSec tunnel on the two routers for the remote users to securely access the LAN through
the internet.
Assume that router 1 is deployed in the headquarters and its basic information is as follows:
− Port used to establish an IPSec tunnel: WAN1
− WAN1 IP address: 202.105.11.22
− IP address of the LAN: 192.168.0.0/24
Assume that router 2 is deployed in the subsidiary and its basic information is as follows:
− WAN IP address: 202.105.88.77
− IP address of the LAN: 192.168.1.0/24
Assume that the basic information of the IPSec connection between the two routers is:
− Encapsulation mode: Tunnel
− Key negotiation mode: Auto negotiation
− Pre-shared key: td159357
Router 2 Internet Router 1
WAN1 WAN1
VPN tunnel VPN server
VPN client
LAN LAN
Switch Switch
LAN
Enterprise server
218
Configure router 1 Configure router 2
During the configuration, if you want to configure the advanced settings of IPSec connection, make
sure the parameters of the two routers are the same.
Step 1 Configure router 1.

1. Log in to the web UI of the router 1, and navigate to More > IPSec.
2. Click +Add.
3. Configure the parameters in the Add window, and click Save at the bottom of the page.
(1) Select the WAN port to establish an IPSec tunnel, which is WAN1 this example.
(2) Set Encapsulation Mode to Tunnel.
(3) Set the Connection Name, which is IPSec_1 in this example.
(4) Enter the Remote Gateway, which is 202.105.88.77 in this example.
(5) Enter the Local LAN/Prefix Length, which is 192.168.0.0/24 in this example.
(6) Enter the Remote LAN/Prefix Length, which is 192.168.1.0/24 in this example.
(7) Set the Pre-shared Key, which is td159357 in this example.
219
The IPSec is added successfully. See the following figure.
220
Step 2 Configure router 2.
1. Log in to the web UI of the router 2 and navigate to More > IPSec.
2. Click +Add.
3. Configure the parameters in the Add window, and click Save at the bottom of the page.
(1) Select the WAN port to establish an IPSec tunnel, which is WAN1 this example.
(2) Set Encapsulation Mode to Tunnel.
(3) Set the Connection Name, which is IPSec_1 in this example.
(4) Enter the Remote Gateway, which is 202.105.11.22 in this example.
(5) Enter the Local LAN/Prefix Length, which is 192.168.1.0/24 in this example.
(6) Enter the Remote LAN/Prefix Length, which is 192.168.0.0/24 in this example.
(7) Set the Pre-shared Key, which is td159357 in this example.
221
The IPSec is added successfully. See the following figure.
----End
Verification
When IPSec Status shows Connected, the IPSec tunnel is set up successfully and headquarters and
subsidiary staff can securely access the LAN resources of each other through internet.
222
12.11.7 Example of configuring a L2TP over IPSec VPN
An enterprise and its branch have used the wireless routers to set up LANs and access the internet.
Branch employees need to access the headquarters’ internal resources through the internet, such
as internal data, OA, ERP, CRM, and project management systems.
Solution
IPSec and L2TP server function of the router can meet this requirement.
Assume that the related information is shown as below:
− Port used to establish an L2TP VPN tunnel: WAN1
− IP address of WAN1: 202.105.11.22
− LAN: 192.168.0.0/24
Assume that the related information of IPSec connection of the router is shown as below:
− Encapsulation Mode: Tunnel mode
− Key Negotiation: Auto negotiation
− Pre-shared Key: ip159357
Internet
WAN1
VPN tunnel Router
Branch staff LAN
Switch
Enterprise
AP Computer
server
223
Configuration Procedure
Configure IPSec connection Enable an L2TP server Add a PPTP/L2TP user
Step 1 Configure the IPSec connection.
1. Navigate to More > IPSec.
2. Click +Add.
(1) Select a WAN port for the IPSec VPN connection, which is WAN1 in this example.
(2) Select Encapsulation Mode, which is Transport in this example.
(3) Set Connection Name to the name of the IPSec tunnel, which is HQ in this example.
(4) Specify Pre-shared Key, which is ip159357 in this example.
224
The IPSec connection is configured successfully. See the following figure.
Step 2 Enable the L2TP server.

1. Navigate to More > VPN Server.
2. Enable VPN Server.
3. Set Server Type to L2TP.
4. Select a WAN port for the IPSec VPN connection, which is WAN1 in this example.
5. Set IPSec Encryption of the IPSec tunnel, which is HQ in this example.
6. Click Save.
Step 3 Add a PPTP/L2TP User.

1. Navigate to More > VPN Server > PPTP/L2TP User.
2. Click +Add.
225
1. Enter the User Name and Password assigned by the VPN client, which are both Tom123 in
this example.
2. Set Network User to No.
3. Enter a Remark to your account, which is Tom123 in this example.
The L2TP over IPSec VPN is added successfully. See the following figure.
----End
226
Verification
To access the headquarters LAN resources, you have to configure your client. The document
introduces how to create VPN dialing on Windows 10 and iOS. Choose the scenario according to
your actual situations.
Create VPN connection on Windows 10
Step 1 Create VPN connections.

1. Click in the lower right corner of the desktop, click Network & Internet settings.
2. Click VPN, click Add a VPN connection.
227
3. Set VPN connection parameters, and then click Save.
(1) Select VPN provider, which is Windows (built-in) in this example.
(2) Set the Connection name of VPN, which is VPN Access in this example.
(3) Enter Server name or address, which is 202.105.11.22 in this example.
(4) Select VPN type, which is L2TP/IPsec with pre-shared key.
(5) Enter Pre-shared key of the IPSec tunnel, which is ip159357 in this example.
(6) Pull down the scroll bar, select Type of sign-in info, which is User name and password
in this example.
(7) Enter User name and Password, which are both Tom123 in this example.
228
4. Click VPN Access, then click Connect.
Wait until a connection is established.
229
Create VPN connection on a mobile device (Example: iOS).
Step 1 Click Settings on your smartphone.
Step 2 Tap VPN.
230
Step 3 Tap Add VPN Configuration....
Step 4 Set the VPN connection parameters.

1. Select the Type, which is L2TP in this example.
2. Set the name of VPN connection in Description, which is HQ in this example.
3. Enter the IP address of L2TP Server, which is 202.105.11.22 in this example.
4. Enter the Account and Password of L2TP VPN, which are both Tom123 in this example.
5. Enter the Secret of IPSec tunnel, which is ip159357 in this example.
6. Tap Done.
231
Step 5 Tap .
----End
Wait until the Status turns to Connected , the IPSec connection is created successfully.
232
Employees accessing headquarters resources on business trip
Assume that a branch needs to access the FTP server of headquarters. The project data of the
headquarters is stored on the FTP server. Assume that the server information is as follows:
− FTP server IP address: 192.168.0.104
− Server port: 21
− FTP server login user name and password: Tom123
When branch staff access the project data of the headquarters, they perform the following steps:
Step 1 Access the link ftp://server IP address: server port on a computer, which is
ftp://192.168.0.104 in this example.
If the server port of the LAN is not port number by default, the access format is LAN service
application layer protocol name://server IP address: Server port of the LAN.
233
Step 2 Enter the User name and Password, which are both Tom123 in this example, then click
Login.
----End
The headquarters LAN resources can be accessed successfully. See the following figure.
If you want to use the mobile device (such as smartphone and tablet) to access the FTP server, you
should install an FTP client on your mobile device first.
234
12.12 Multi-WAN policy
12.12.1 Overview
The router supports the following types of multi-WAN policy:
◼ Smart load balancing (default)
If such a policy is applied, the router automatically distributes traffic based on the bandwidth
on the Bandwidth Control page through the WAN ports to achieve load balancing.
◼ Custom
Such a policy is configured by an administrator to distribute traffic of specified IP address
groups to specified WAN ports.
Click More > Multi-WAN Policy to enter the page.
Specifies the policy through the WAN ports.
Mutil-WAN Policy
⚫ Smart Load Balancing: The system automatically distributes traffic through the WAN
ports with the smallest amount of traffic.
⚫ Custom: It enables you to assign WAN ports to source IP addresses as required.
The router regularly detects the connection status between the WAN ports and
detection address.
⚫ Detection Address: The IP address or domain name to detect.
WAN Link Detection
⚫ Detection Method: When the route is unreachable, the network sends the TCP or
ICMP packets with error messages to the router.
⚫ Detection Interval: The interval of detection, 5 seconds by default.
235
12.12.2 Customize a multi-WAN policy
Before configuring the multi-WAN policy, go to Filter Management > IP Group/Time Group to add an
IP group first.
Step 1 Navigate to More > Multi-WAN Policy, select Custom and click +Add.
Step 2 Select the IP Group you set.
Step 3 Select the WAN port to which the policy applies.
Step 4 Click Save.
----End
Status Enable or disable the rule.
Create or select the IP group to which the rule applies. To create an IP

IP Group
group, choose Filter Management > IP Group/Time Group.
WAN Port Specifies the WAN port for incoming and outgoing traffic.
236
12.12.3 Example of customizing a multi-WAN policy
Networking Requirement
An enterprise and its branch use the wireless router to set up a network and access the internet. To
meet its internet access requirement, the enterprise has set up two broadband connections with
two different ISPs and can now access the Internet properly. To achieve load balancing, the
enterprise raises the following LAN requirements:
− The devices with IP addresses ranging from 192.168.0.2 to 192.168.0.100 access the
internet through the fixed-line broadband connection with ISP A.
− The devices with IP addresses ranging from 192.168.0.101 to 192.168.0.250 access the
internet through the mobile broadband connection with ISP B.
Solution
You can use the multi-WAN policy function of the router to meet this requirement.
WAN1: ISP A Internet

WAN2: ISP B
WAN1 WAN2
Router
LAN
Switch
LAN1 LAN2
Configuration Procedure
Configure IP Group/Time Group Enable customize multi-WAN policy Customize multi-WAN policy rule
Step 1 Set IP address groups.
Navigate to Filter Management > IP Group/Time Group, and add the IP groups as follows.
237
Step 2 Customize multi-WAN policies.
1. Navigate to More > Multi-WAN Policy.
2. Select Custom, and click Save.
3. Click +Add, and set the rules shown in the following figure.
----End
Verification
The computers with IP addresses ranging from 192.168.0.2 to 192.168.0.100 access the internet
through WAN1.
The computers with IP addresses ranging from 192.168.0.101 to 192.168.0.250 access the internet
through WAN2.
238
12.13 IPv6
Only the WAN1 port of the router supports IPv6, so you need to connect the broadband with IPv6
service to WAN1 before configuring the following functions.
12.13.1 Overview
IPv6 is abbreviated for Internet Protocol version 6, a second-generation standard network layer
protocol. It is an upgraded version of IPv4 and addresses many defects in IPv4. The most significant
difference between IPv6 and IPv4 is that IP addresses are lengthened from 32 bits to 128 bits.
IPv6 addresses are represented as eight groups of four hexadecimal digits each, separated by
colons.
An IPv6 address consists of a network prefix and an interface ID.
− A network prefix has n bits and is similar to the network ID in an IPv4 address.
− An interface identifier has (128 – n) bits and is similar to the host ID in an IPv4 address.
Click More > IPv6 to enter the page.
By default, IPv6 is disabled.
239
12.13.2 IPv6 WAN settings
The router can access the IPv6 network of ISPs through three connection types. Choose the
connection type by referring to the following chart.
Scenario Connection Type
⚫ The ISP does not provide any PPPoEv6 user name and password.
⚫ The ISP does not provide information about IPv6 address. Obtain Automatically
⚫ You have a router that can access IPv6 network.
IPv6 service is included in the PPPoE user name and password. PPPoEv6
⚫ The ISP provides you with a set of information including IPv6 address, subnet mask,
default gateway and DNS server, etc. Static IPv6 Address
⚫ The LAN port of the upstream device disables the DHCPv6 function
Before configuring the IPv6 function, ensure that you are within the coverage of IPv6 network and
already subscribe the IPv6 internet service. Contact your ISP for any doubt about it.
Obtain automatically
This type enables the router to obtain an IPv6 address from a DHCPv6 server to access the internet.
When the option is selected, the LAN port of router obtains IPv6 prefix from its
upstream device.
It is recommended to keep the default setting (Selected).
Obtain IPv6 Prefix
Delegation
If the LAN port cannot obtain the PD prefix, it is because the upstream device does not
support PD prefix delivery. Contact your ISP to solve this problem.
240
PPPoEv6
If your ISP provides you with the PPPoE user name and password with IPv6 service, you can choose
PPPoEv6 to access the internet.
PPPoE Username
Specifies the PPPoE user name and password provided by your ISP.
PPPoE Password
When the option is selected, the LAN port of router obtains IPv6 prefix from its
upstream device.
It is recommended to keep the default setting (Selected).
Obtain IPv6 Prefix
Delegation
If the LAN port cannot obtain the PD prefix, it is because the upstream device does not
support PD prefix delivery. Contact your ISP to solve this problem.
241
Static IPv6 Address
When your ISP provides you with information including IPv6 address, subnet mask, default gateway
and DNS server, you can choose this connection type to access the internet with IPv6.
IPv6 Address
Specifies the fixed IP address information provided by your ISP.
IPv6 Default
Gateway
Primary IPv6 DNS If your ISP only provides one DNS server address, you can leave the Secondary IPv6
DNS blank.
Secondary IPv6 DNS
242
12.13.3 IPv6 LAN settings
To enable LAN devices to access the IPv6 network, you can change the IPv6 LAN settings here.
Specifies two types of IPv6 LAN address assignment.
IPv6 LAN Address

⚫ Auto: The router generates the IPv6 address according to its LAN IPv6 address. By
default, the prefix has 64 digits.
⚫ Manual: You need to set the IPv6 LAN address manually.
Specifies two types IPv6 LAN prefix address assignment.

⚫ Auto: The router obtains a LAN prefix from the upstream device. Available when you
IPv6 LAN Prefix select Obtain IPv6 Prefix Delegation.
⚫ Manual: You need to set the IPv6 LAN prefix manually. Available when you deselect
Obtain IPv6 Prefix Delegation.
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is used to assign IP addresses
DHCPv6 and prefix to IPv6 hosts on a network. It is the IPv6 equivalent of the DHCP for IPv4. This
is also known as a stateful autoconfiguration.
Specifies the assignment type of DHCPv6 address for the clients connected to the
router.
⚫ Stateless: DHCPv6 stateless configuration. Clients obtain their IPv6 address through
Address Router Advertisement (Stateless Auto Address Configuration) and other parameters
Assignment are allocated by the DHCPv6 server.
⚫ Stateful: DHCPv6 stateful configuration. The DHCPv6 server automatically assigns IPv6
addresses/prefixes and other network configuration parameters (for example, DNS
server addresses and so on) to clients. The user needs to manually configure the start
ID and the end ID.
Start ID
The configuration is required when the IPv6 Address Assignment is set to Stateful.
End ID Specifies the range of the last segment of the IPv6 address that the DHCPv6 server
243
assigns to the devices. Range: 1 to ffff.
Specifies the LAN IPv6 DNS configuration method.

IPv6 DNS ⚫ Auto: Obtain the IPv6 DNS address from the upstream device.
⚫ Manual: Configure the IPv6 DNS address manually.
Primary IPv6 DNS Specifies the fixed IPv6 DNS address provided by your ISP here. Available when you set
IPv6 DNS to Manual.
Secondary IPv6
DNS If your ISP only provides one DNS server address, you can leave the Secondary IPv6 DNS
blank.
244
13 Maintenance
13.1 Reboot
If any parameter fails to take effect or the router does not work properly, you can try rebooting the
router.
Click Maintenance > Reboot, and follow the on-screen instruction to reboot the device.
245
13.2 Upgrade
13.2.1 Overview
The router supports Local Upgrade and Online Upgrade.
Click Maintenance > Upgrade to enter the page.
13.2.2 Local upgrade
To enable your router to work properly after an upgrade, ensure that the firmware used to upgrade
complies with your product model.
When upgrading, do not power off the router.
Step 1 Visit www.tendacn.com, search the product model, and download the latest firmware to
your computer.
Step 2 Log in to the web UI of your router, and navigate to Maintenance > Upgrade.
Step 3 Set Upgrade Option to Local Upgrade.
246
Step 4 Click Browse, select and upload the firmware that has been downloaded to your computer.
Ensure that the suffix of the firmware is .bin.
Step 5 Click Upgrade.
----End
Wait for the upgrade to complete, then reset your router and configure it again to access the
internet. To know whether the upgrade succeeds, go to the System Status or Maintenance >
Upgrade page and check the current firmware version.
To better experience the stability and new features of the latest firmware, you are recommended to
reset the router and configure it again after the upgrade completes.
247
13.2.3 Online upgrade
When the router is connected to the internet, it checks whether there is the latest firmware version,
and displays the detected information on the page. If you want to upgrade the firmware, click
Download and Upgrade.
248
13.3 Reset
13.3.1 Overview
If the internet is inaccessible for unknown reasons, or you forget the login password, you can reset
the router to resolve the problems.
The router supports two resetting methods: Reset the router using web UI and Reset the router
using the reset button.
Resetting the router deletes all your current configurations and you need to reconfigure the router
to access the internet.
When resetting, do not power off the router.
13.3.2 Reset the router using web UI

Choose Maintenance > Reset, and follow the on-screen instruction to reset the device.
13.3.3 Reset the router using the reset button

With the SYS LED indicator blinking, hold down the Reset button for about 8 seconds, and then
release it. When all LED indicators light up, the router is reset to factory settings successfully.
249
13.4 Password manager
13.4.1 Overview
The router supports two account types: Administrator and Authentication. The difference between
them is their access permission.
− The Administrator account enjoys all access permission. Password for administrator
account is the login password you set during initial setup. The default password for this
account is admin.
− The Authentication account only has permission for accessing System Status and
Authentication modules. The default password for this account is rzadmin.
Click Maintenance > Password Manager to enter the page.
13.4.2 Modify login password

Step 1 Navigate to Maintenance > Password Manager.
Step 2 Locate the account type and modify the password.
Step 3 Click Save on the bottom of the page to apply your settings.
----End
Then you will be redirected to the login page. Enter the password corresponding to the
administrator account you set just now, and click Login to log in to the router.
250
13.5 Reboot schedule
13.5.1 Overview
Click Maintenance > Reboot Schedule to enter the page.
On this page, you can set the router to automatically reboot periodically to avoid such phenomena
as deteriorating performance and instability caused by long time operation.
13.5.2 Customize reboot schedule
To enable reboot schedule function to work properly, ensure that the System time of your router is
correct.
Step 1 Navigate to Maintenance > Custom Reboot.

Step 2 Enable Reboot Schedule.
Step 3 Set the time to reboot, such as 3 hrs 0 min.
Step 4 Set the date to reboot, such as Thursday.
----End
The device automatically reboots at 3 am on each Thursday.
251
13.6 Backup/Restore
13.6.1 Overview
The backup function is used to export the current configuration of the router to your computer. The
restore function is used to import a configuration file to the router.
You are recommended to back up the configuration after it is significantly changed. When the
performance of your router decreases because of an improper configuration, or after you restore
the router to factory settings, you can use this function to restore the configuration that has been
backed up.
Click Maintenance > Backup/Restore to enter the page.
13.6.2 Back up your current configuration

Step 1 Navigate to Maintenance > Backup/Restore.
Step 2 Click Backup. The system exports the configuration file to your local computer.
If the following warning message appears, click Keep.
----End
252
13.6.3 Restore your previous configuration
Step 1 Navigate to Maintenance > Backup/Restore.
Step 2 Click Browse, and upload the configuration file ending with .cfg.
Step 3 Click Restore and follow the on-screen instruction to restore the configuration.
----End
253
13.7 System log
System logs record information about the system running statuses such as system startup, dialing,
time synchronization, device login and WAN connection. When system malfunctions occur, you can
use the system log for troubleshooting.
Click Maintenance > System Log to enter the page.
Click Export Log, the log file will be downloaded to your local computer.
The router records three log types: System Log, Attack Log, and Error Log. You can view all logs or
filter the logs to view as needed.
The time of log depends on the system time of the router. To make sure it is correct, please set
correctly the System time of the router first.
The router only records the logs occurred after the last reboot.
After a power cutoff, such operations as power-on again, firmware upgrade, backup/restore, and
reset will all cause the router to reboot.
254
13.8 Diagnostic tool
13.8.1 Overview
Click Maintenance > Diagnostic Tool to enter the page.
You can execute Ping/Traceroute command on this page.
− Ping: Used to check whether the connection is correct and the connection quality.
− Traceroute: Used to detect the route from the bridge to the destination IP address or
domain name.
13.8.2 Execute Ping command

Assume that:
You need to detect the connectivity between the router and the Bing website.
Step 1 Navigate to Maintenance > Diagnostic Tool.
Step 2 Select Ping as the Diagnostic Tool.
Step 3 Enter the IP address or domain name of the ping target, which is cn.bing.com in this
example.
Step 4 Set No. of Ping Packets as required.
Step 5 Set Ping Packet Size as required.
Step 6 Click Start.
----End
Wait a moment. The ping result will be displayed in the result box.
255
13.8.3 Execute Traceroute command
Assume that:
You need to detect the path from the router to Bing website.
Step 1 Navigate to Maintenance > Diagnostic Tool.
Step 2 Select Traceroute as the Diagnostic Tool.
Step 3 Enter the IP address or domain name of the traceroute target, which is cn.bing.com in this
example.
Step 4 Click Start.
----End
Wait a moment. The traceroute result will be displayed in the result box.
256
13.9 System time
Click Maintenance > System Time to enter the page.
This function is used to set the system time of your router. To make the time-related functions
effective, ensure that the system time of the router is set correctly.
The router supports: Synchronize with internet time (default) and Set system time manually.
13.9.1 Synchronize with internet time

With this method, the router automatically synchronizes its system time with the network time
server (NTS). As long as the router is connected to the internet, the system time is correct.
After configuration, you can navigate to the System status page to check whether the system time is
correct.
System Time Choose the configuration method of the system time.
Specifies an interval at which the router synchronizes its system time with the time
Sync Interval
server on the internet.
Time Zone Specifies the time zone where the router is deployed.
257
13.9.2 Set system time manually
With this method, you can manually specify a system time for the router. When Manual option is
selected, the related parameters are shown as follows.
With this method, you need to manually reconfigure the system time each time the router reboots.
After configuration, you can navigate to the System status page to check whether the system time is
correct.
System Time Choose the configuration method of the system time.
Date You can directly enter the correct time here. Or, you can click Sync with Local PC
Time to synchronize the time of the router with that of the computer managing the
Time router.
258
13.10 Function center
Click Maintenance > Function Center to enter the page.
On this page, you can view the Enabled Function and Disabled Function of the router. You can enter
the configuration page of a function after clicking it.
259
Appendix
Acronyms and Abbreviations
Acronym and Abbreviation Full Spelling
AES Advanced Encryption Standard
AH Authentication Header
AP Access Point
APSD Automatic Power Save Delivery
ARP Address Resolution Protocol
AUTH Authentication
CPU Central Processing Unit
CRM Customer Relationship Management
DDNS Dynamic Domain Name Service
DDoS Distributed Denial of Service
DES Data Encryption Standard
DHCP Dynamic Host Configuration Protocol
DMZ Demilitarized Zone
DNS Domain Name System
DPD Dead Peer Detection
ERP Enterprise Resource Planning
ESP Encapsulating Security Payload
FQDN Fully Qualified Domain Name
FTP File Transfer Protocol
GI Guard Interval
HQ Headquarters
HTTP Hypertext Transfer Protocol
ICMP Internet Control Message Protocol
260
IKE Internet Key Exchange
IP Internet Protocol
IPSec Internet Protocol Security
IPv4 Internet Protocol Version 4
IPv6 Internet Protocol Version 6
ISAKMP Internet Security Association Key Management Protocol
ISP Internet Service Provider
L2TP Layer 2 Tunneling Protocol
LAN Local Area Network
MAC Medium Access Control
MD5 Message Digest Algorithm
MGMT Management
MTU Maximum Transmission Unit
MUMIMO Multi-User Multiple-Input Multiple-Output
NAT Network Address Translation
NTS Network Time Server
OA Office Automation
OFDMA Orthogonal Frequency Division Multiple Access
PFS Perfect Forward Secrecy
PMF Protected Management Frames
POP Post Office Protocol
PPP Point to Point Protocol
PPPoE Point to Point Protocol over Ethernet
PPTP Point to Point Tunneling Protocol
PST Pacific Standard Time
RSSI Received Signal Strength Indicator
SA Security Association
SAE Simultaneous Authentication of Equals
261
SKEME Security Key Exchange Mechanism
SMS Short Message Service
SMTP Simple Mail Transfer Protocol
SPI Security Parameter Index
SSID Service Set Identifier
SSL Secure Sockets Layer
SYN Synchronize Sequence Numbers
SYS System
TCP Transmission Control Protocol
TWT Target Wake Time
UDP User Datagram Protocol
UI User Interface
UPnP Universal Plug and Play
URL Uniform Resource Locator
USB Universal Serial Bus
VPN Virtual Private Network
WAN Wide Area Network
WMM Wi-Fi Multi-Media
WPA Wi-Fi Protected Access
WPA-PSK WPA-Preshared Key
262

Wifi 6 Hospot Rport

Uploaded by

Copyright:

Available Formats

Wifi 6 Hospot Rport

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Wifi 6 Hospot Rport

Uploaded by

Copyright:

Available Formats

Version 1.

Cascading menus > System > Live Users

Parameter and value Bold Set User Name to Tom.

Variable Italic Format: XX:XX:XX:XX:XX:XX

UI control Bold On the Policy page, click the OK button.

Message “” The “Success” message appears.

This format is used to highlight information of importance or special interest.

For more documents

It introduces the basic information of the device, including product overview,

United States: 1-800-570-5892

Hong Kong: 00852-81931998

Version Date Description

V1.0 2022-08-23 Original publication

1.1.1 Log in with your computer

Step 3 Start a web browser, and visit tendawifi.com.

Log in to the web UI successfully. See the following figure.

1.1.2 Log in with your smartphone

Log in to the web UI successfully. See the following figure.

No. Name Description

❸ Configuration area Used to modify or view your configuration.

2.2 Frequently-used buttons

Used to add a new rule or policy.

Used to delete the selected rule or policy.

Used to refresh the page information.

Used to view help information for the current page.

3.1 Check physical connections and system status

3.1.1 Check physical connections

3.1.2 View system status

Specifies the current system time of the router.

Firmware Version Specifies the firmware version number of the router.

Device Name Specifies the name of your router.

CPU Usage Specifies the current CPU usage of the router.

Memory Usage Specifies the current memory usage of the router.

LAN port status

IP Address Specifies the IP address of the corresponding WAN port.

Primary IPv6 DNS

3.2 View CPU and memory status

3.3 Monitor traffic

3.3.2 View traffic statistics

3.4 Manage online devices

3.5 Control bandwidth of online devices

Control bandwidth of online devices in batches:

3.6.1 Add devices to blacklist

3.6.2 Remove devices from blacklist

3.7 Manage APs

AP Model Specifies the model of the corresponding AP.

Operation By clicking , you are directed to the web UI of the AP.

The port is disconnected or improperly connected.

Specifies in which way the router is connected to the internet.

Specifies the connection status of the corresponding WAN port.

4.1.2 Configure multiple WAN ports

4.1.3 Set up for internet access

Connection Type Available Parameters

PPPoE username, PPPoE password, server name, and service name.

PPTP server address, user name, and password.

L2TP server address, user name, and password.

4.2 WAN parameters

4.2.1 WAN speed

Duplex modes supported by the router and their scenarios: