What are the advanced options available for DHCP Server?
The DHCP server uses dhcpd. More information on advanced settings can be found here.
   
Why does more than one client get the same IP from DHCP server or DHCP Auth-Auth?
This could happen if the DHCP timer is set too high and a change or restart happens to the DHCP server. Basically, the clients get out of sync with the server, and it could take as long as the DHCP timer was set to get back in sync. In general there is no reason to change the DHCP timer from the default settings.
   
How do I lock a MAC address to an IP using IPTABLES?

In this example, the iptables command drops forwarded traffic from MAC address 00:06:FB:45:45:FE unless its source IP is 10.0.0.66, so that MAC can only use 10.0.0.66:

  • iptables -A FORWARD -m mac --mac-source 00:06:FB:45:45:FE -s ! 10.0.0.66 -j DROP
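
A generator for this kind of rule, as an added example that is not vendor code: it validates each MAC/IP pair and prints the page's rule plus a reverse rule (an addition that goes beyond the page) so the IP is not accepted from any other MAC. Function names and the second sample pair are made up here; the `!` placement follows the page's older syntax, while current iptables releases expect `! -s` and `! --mac-source`.

```shell
#!/bin/sh
# Added example, not vendor code: print MAC/IP binding rules for pasting
# into the firewall script. Nothing is applied to the running firewall.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    octet='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($octet\.){3}$octet\$"
}

# binding_rules MAC IP -> two DROP rules on stdout, status 1 on bad input
binding_rules() {
    b_mac=$1 b_ip=$2
    valid_mac "$b_mac" || { echo "bad MAC address: $b_mac" >&2; return 1; }
    valid_ipv4 "$b_ip" || { echo "bad IPv4 address: $b_ip" >&2; return 1; }
    # Rule from the page: this MAC may only send from this source IP.
    echo "iptables -A FORWARD -m mac --mac-source $b_mac -s ! $b_ip -j DROP"
    # Added reverse rule: this source IP is only accepted from this MAC.
    echo "iptables -A FORWARD -s $b_ip -m mac --mac-source ! $b_mac -j DROP"
}

# rules_from_list: read "MAC IP" pairs on stdin, skip blanks and # comments,
# print rules for valid pairs and return 1 if any line was rejected.
rules_from_list() {
    failed=0
    while read -r l_mac l_ip; do
        case $l_mac in ''|'#'*) continue ;; esac
        binding_rules "$l_mac" "$l_ip" || failed=1
    done
    return "$failed"
}

# Constructed sample list; the first pair is the one used on the page.
rules_from_list <<'EOF'
# MAC               IP
00:06:FB:45:45:FE   10.0.0.66
00:06:FB:45:45:01   10.0.0.67
EOF
```

The mac match only sees the layer-2 sender on the directly attached segment, so both rules apply to clients that reach the RWV without an intermediate router.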
   
How do I use IPTABLES to limit PTP?
In this example, you first allow all the traffic that you want on your network, then limit anything that does not match to a maximum of 25 TCP connections per source IP (--connlimit-mask 32), in effect limiting PtP and any unknown traffic:
  • iptables -A FORWARD -m layer7 --l7proto ssl -j ACCEPT
  • iptables -A FORWARD -m layer7 --l7proto http -j ACCEPT
  • iptables -A FORWARD -m layer7 --l7proto ssh -j ACCEPT
  • iptables -A FORWARD -m layer7 --l7proto smtp -j ACCEPT
  • iptables -A FORWARD -m layer7 --l7proto pop3 -j ACCEPT
  • iptables -A FORWARD -m layer7 --l7proto ftp -j ACCEPT
  • iptables -A FORWARD -m layer7 --l7proto telnet -j ACCEPT
  • iptables -A FORWARD -m layer7 --l7proto snmp -j ACCEPT
  • iptables -A FORWARD -m layer7 --l7proto dns -j ACCEPT
  • iptables -A FORWARD -p tcp -m connlimit --connlimit-above 25 -j DROP --connlimit-mask 32
   
How can I use IPTABLES under "advanced firewall and port forwarding"?

"iptables" commands can be entered into "advanced firewall and port forwarding" as-is and will be passed through to the firewall scripts. Examples:

  • iptables -A FORWARD -m ipp2p --ipp2p -j DROP
  • iptables -A FORWARD -p tcp -m connlimit --connlimit-above 25 -j DROP --connlimit-mask 32
  • iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

A very detailed FAQ on IPTABLES can be found at: http://www.faqs.org/docs/iptables/index.html

   
I am seeing via syslog "kernel: EXT2-fs warning: maximal mount count reached, running e2fsck is recommended" is it something to be worried about?
This message is harmless and nothing to worry about.
   
What is a RIP configuration example that works on the RWV wireless links?
! Enter Enable Mode
en
! Enter Configuration Mode
configure terminal
! Enter RIP Configuration Mode
router rip
! RIP Configuration Commands
no redistribute kernel
no redistribute static
no redistribute ospf
no redistribute bgp
no network 0.0.0.0/0
! Networks below will be different depending on which model RWV is used
network eth0
network eth1
network wpci0
network wpci1
network wpci2
network wpci4
network wlan1
network wlan2

   
When viewing the system report, the error rate on the Atheros mini-PCI radios is very high on the RX side. Is this of any concern?

The Atheros driver reports all RF that is not a packet as an error, which is normal operation.

   
What is an OSPF configuration example that works on the RWV wireless links?

The following OSPF configuration allows the protocol to work as expected over wireless links. Note that all interfaces, including Ethernet, must be set up as non-broadcast, and neighbors must be defined:

!
hostname ospfd
password 1234
!
!
!
interface eth0
! Ether1
ip ospf network non-broadcast
!
interface eth1
! Ether2
ip ospf network non-broadcast
!
interface wpcm0
! Wlan1
ip ospf network non-broadcast
!
interface wpci0
! Wpci1
ip ospf network non-broadcast
!
router ospf
ospf router-id 111.111.111.111
network xxx.xxx.xxx.xxx/xx area 0.0.0.0
neighbor xxx.xxx.xxx.xxx poll-interval 45
!
access-list vtylist permit 127.0.0.1/32
access-list vtylist deny any
!
route-map just-us permit 10
match ip address our-nets
!
line vty
access-class vtylist
!
end

   
What do the AuthStatus reason codes that I see in the system log mean?

0 Reserved
1 Unspecified reason
2 Previous authentication no longer valid
3 Deauthenticated because sending station is leaving (or has left) IBSS or ESS
4 Disassociated due to inactivity
5 Disassociated because AP is unable to handle all currently associated stations
6 Class 2 frame received from nonauthenticated station
7 Class 3 frame received from nonassociated station
8 Disassociated because sending station is leaving (or has left) BSS
9 Station requesting (re)association is not authenticated with responding station

   
How do I MARK and SHAPE Traffic and what protocols are supported? (Support for P2P) (For use on RWV-3XXX Only)
In the firewall script (make sure connection tracking is enabled, or layer-7 filtering will not work):
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto fasttrack -j MARK --set-mark 100
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto bittorrent -j MARK --set-mark 101
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto edonkey -j MARK --set-mark 102
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto gnutella -j MARK --set-mark 103
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto audiogalaxy -j MARK --set-mark 104
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto bearshare -j MARK --set-mark 105
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto openft -j MARK --set-mark 106
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto directconnect -j MARK --set-mark 107
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto gnucleuslan -j MARK --set-mark 108
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto hotline -j MARK --set-mark 109
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto mute -j MARK --set-mark 110
  • iptables -A PREROUTING -t mangle -m layer7 --l7proto tesla -j MARK --set-mark 111

In the CBQ file - Ether1 connects to Internet:

  • pipe 2000 bw 56k
  • shape all to pipe 2000 from mark 100 out via ether1
  • shape all to pipe 2000 from mark 101 out via ether1
  • shape all to pipe 2000 from mark 102 out via ether1
  • shape all to pipe 2000 from mark 103 out via ether1
  • shape all to pipe 2000 from mark 104 out via ether1
  • shape all to pipe 2000 from mark 105 out via ether1
  • shape all to pipe 2000 from mark 106 out via ether1
  • shape all to pipe 2000 from mark 107 out via ether1
  • shape all to pipe 2000 from mark 108 out via ether1
  • shape all to pipe 2000 from mark 109 out via ether1
  • shape all to pipe 2000 from mark 110 out via ether1
  • shape all to pipe 2000 from mark 111 out via ether1
  • shape all to pipe 2000 from mark 100 in via ether1
  • shape all to pipe 2000 from mark 101 in via ether1
  • shape all to pipe 2000 from mark 102 in via ether1
  • shape all to pipe 2000 from mark 103 in via ether1
  • shape all to pipe 2000 from mark 104 in via ether1
  • shape all to pipe 2000 from mark 105 in via ether1
  • shape all to pipe 2000 from mark 106 in via ether1
  • shape all to pipe 2000 from mark 107 in via ether1
  • shape all to pipe 2000 from mark 108 in via ether1
  • shape all to pipe 2000 from mark 109 in via ether1
  • shape all to pipe 2000 from mark 110 in via ether1
  • shape all to pipe 2000 from mark 111 in via ether1
Supported Protocols
aim
aimwebcontent
applejuice
audiogalaxy
bearshare
bgp

biff
bittorrent
ciscovpn
counterstrike
cvs
dhcp
directconnect
dns
edonkey
fasttrack
finger
flash
ftp
gif
gkrellm
gnucleuslan
gnutella
goboogy
gopher
h323
hddtemp
hotline
html
http
httpaudio
httpcachehit

httpcachemiss
http-itunes
httpvideo
ident
imap
ipp
irc
jabber
jpeg
list.txt
live365
lpd
msn-filetransfer
msnmessenger
mute
nbns

ncp
netbios
nntp
ogg
openft
pdf
perl
pop3
postscript
pressplay
quake1
quake-halflife
quicktime
rdp
rlogin
rpm
rstp
rtf
shoutcast
skype
smb
smtp
snmp
snmp-mon
snmp-trap
socks
ssh
subspace
tar
telnet
tesla
tftp
tsp
unknown
validcertssl
vnc
winmx
x11
yahoo
zmaap
   
How do I set up CBQ to manage a range of IPs with one rule?
  • assuming ip range is 192.168.1.110 to 192.168.1.199 (90 ips total)
  • limit each individual user to max of 128k each (upload/download)
  • limit all users combined (aggregated) together to max of 1024k
  • Rules would be:
    • bi-pipe 100 bw 1024k 1024k
    • qshape 110:199 bw 128k 128k parent 100 192.168.1.110 on $local
   
VDS Example Setup and Information:
  • Question:
    • Supposing you have 2 buildings A & B, which is using an AP/Client link and the IP scheme is as below:
      • Building A (AP) : Ether1 (192.168.0.92/255.255.255.0) - bridge 1
      • Building A (AP) : WPCI1 (no ip) - bridge 1
      • Building B (Client) : Ether1 (no ip) - bridge 1
      • Building B (Client) : WPCI1 (192.168.0.91/255.255.255.0) - bridge 1
    • There are servers and workstations at both buildings A & B using the same IP addressing scheme (192.168.0.x/24) What type of config would I put in the VDS dialogues?
  • Answer:
    • Building A (AP)
      • Ether1 (192.168.0.92/255.255.255.0) - bridge 1
      • vds1 (no IP),master,LINK1,password,compression, encryption, keep alive - bridge 1
      • WPCI1 (192.168.255.1/255.255.255.0)
    • Building B (Client)
      • WPCI1 (192.168.255.2/255.255.255.0) default route 192.168.255.1
      • vds1 (no IP),client,LINK1,password,compression,encryption,keep alive, master IP 192.168.255.1-bridge 1
      • Ether1 (192.168.0.91/255.255.255.0) - bridge 1
  • Additional information:
    • Each VDS virtual device tunnels to another VDS device on another system. This means you can actually deliver a no hop, flat address space across a continent of routed backbone. And it is a true bridge at the MAC Layer 2 level.
    • The VDS is merely a mechanism to form a tunneled ptp link between two virtual Ethernet devices on machines that can ping each other. Anything you do with the virtual device at each end is the same as a real Ethernet. Broadcasts are handled the same.
    • There is one master per client (point-to-point). Each system can have up to 20 total vds interfaces.
   
There seem to be lots of errors, disconnects and reboots when I set the power to 26dBm on the RWV with a wireless MAC starting with 00:15:6D. Why is this?
This radio has a built-in 10dBm offset, so setting it to 14dBm, for example, really puts out 24dBm on the radio. This does NOT affect any radios with MACs starting with 00:0D:F5 or 00:60:B3. When using the RWV with radios whose MAC starts with 00:15:6D, do not put more than 16dBm on the power settings.
   
What are the power settings for the a/b/g card and how do they work?
  • DO NOT SET THE POWER ABOVE THE MAX RATING OF THE RADIO! This can cause damage to the card
  • The setting is used to hard-code the power output of the radio. The range is 0dBm to 30dBm, but as there are different radio cards used in the RWV, the max value can be different for each radio. The max value of each radio is listed on the spec sheet. This value must not be exceeded: at a minimum the radio performance will drop, and in the worst case the radio can become damaged after an extended period of time.
   
Why is the link rate at 1Mb (802.11b) or 6Mb (802.11a/g) when the signal quality is high?
  • The Atheros radio establishes the link and then awaits traffic for the reporting. The first info is just the ACK packets from the link; to see the real signal rate, traffic needs to be passed through the link.
   
How is a PPPoE or PPtP server set up?
  • PPPoE operates at layer 2. The interface that accepts PPPoE requests needs no IP assigned (great for security) and must NOT be in bridge mode.
  • The Host IP is the IP of the gateway interface, your WAN interface.
  • The IP range you are assigning to your customers must be within the range of the subnet assigned to your WAN interface. For instance, if you wish to assign your customers IP ranges 192.168.1.100 to 192.168.1.200, you would use the following configuration:
    • ether1 (WAN) has an IP address of 192.168.1.1/24
    • wpci1 (LAN) has no IP, is not in bridge mode and has 'listen to pppoe requests' enabled
    • The system's default gateway is 192.168.1.254
    • Under your pppoe server setup, set it to enabled, and add the IP range 192.168.1.100 to 192.168.1.200
    • PPPoE host IP is 192.168.1.1, same as your WAN interface.
    • All other settings can be modified to your liking, but are not critical to get it up and running. Now, when your customers log in, they will receive an IP in the range provided, or one from your Radius server if supplied.
   
What does FB in front of the speed in the CBQ script do?
  • When you put fb in front of the speed in the CBQ script, CBQ starts out at the desired speed. If the user hits the max set speed for 10 seconds sustained, CBQ will begin to drop their speed at the rate of 5% for every 10 seconds that the customer hits the top set speed. This penalizes customers who are downloading but gives customers who are browsing web sites full speed. These customers see the system respond very fast, but the customer downloading or uploading sees the speed drop to about 50% after a minute or so.
   
How to setup basic NAT?
  • Setting up and using NAT is simple and requires only one line under the advanced NAT script.
    • As a sample system configuration (ether1 being the gateway, wlan1 being used as a LAN interface with a user on it).
    • In this setting, we are going to add the public IP of 64.247.53.10 onto ether1, and a default route of 64.247.53.1, which is the internet a T1 resides on.
      ether1: 64.247.53.10 netmask 255.255.255.0
      static route: 0.0.0.0/0 gw 64.247.53.1
    • The customers will be using a private IP of 192.168.2.x which will be Nat'd.
      WLAN1: 192.168.2.1 netmask 255.255.255.0
    • under the Nat script, enter this line:
      • masq from 192.168.2.0/24 to dev ether1
    • Once you activate changes, your clients on the LAN interface should be able to ping www.yahoo.com etc. and surf regularly.
    • On the client system, make sure they have an IP between 192.168.2.2 and 192.168.2.253, with a gateway of 192.168.2.1. The DNS entries should be that of your DNS server.
   
How to setup basic DHCP Config?
  • The DHCP server is configured from the services - > dhcp -> modify configuration file menu item.
    • The DHCP Server configuration is a text file
      • Set your domain-name using the option domain-name command.
      • Set your DNS servers using the option domain-name-servers command.
      • Define the subnets you wish to service with DHCP
      • Configure the DHCP parameters to be handed out to clients. Example:

        option domain-name "domain.com";
        option domain-name-servers 192.168.1.254, 192.168.1.253;
        subnet 10.0.0.0 netmask 255.255.255.0 {
          range 10.0.0.10 10.0.0.100;
          option routers 10.0.0.1;
        }

      • This configuration will automatically configure client computers to use the following parameters:
        o Domain Name: domain.com
        o Name Servers: 192.168.1.254 and 192.168.1.253
        o An IP address from 10.0.0.10 through 10.0.0.100
        o A default router address of 10.0.0.1
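
A check for the DHCP example above and for the PPPoE rule that the customer IP range must lie within the WAN subnet, as an added example that is not vendor code: it verifies that the pool and the fixed addresses (router, host IP, gateway) are usable host addresses in the served subnet and that no fixed address sits inside the pool. Function names are made up here; the addresses in the first two calls are the ones used on the page, and the last call is a constructed failure case.

```shell
#!/bin/sh
# Added example, not vendor code: sanity-check an address pool against the
# subnet it is served from (dhcpd "range"/"option routers", PPPoE IP range).

# ip_to_int A.B.C.D -> 32-bit integer on stdout; fails on malformed input.
ip_to_int() {
    printf '%s\n' "$1" |
        grep -Eq '^((0|[1-9][0-9]{0,2})\.){3}(0|[1-9][0-9]{0,2})$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# usable_in_subnet IP NETWORK NETMASK -> 0 if IP is a host address in the
# subnet (inside it, and neither the network nor the broadcast address).
usable_in_subnet() {
    u_ip=$(ip_to_int "$1") && u_net=$(ip_to_int "$2") &&
        u_mask=$(ip_to_int "$3") || return 2
    u_net=$((u_net & u_mask))
    u_bcast=$((u_net | (~u_mask & 4294967295)))
    [ $((u_ip & u_mask)) -eq "$u_net" ] &&
        [ "$u_ip" -ne "$u_net" ] && [ "$u_ip" -ne "$u_bcast" ]
}

# check_pool NETWORK NETMASK FIRST LAST [FIXED...]
# FIRST..LAST is the pool handed to clients; FIXED are statically used
# addresses (router, host IP, gateway) that must stay outside the pool.
# Prints one line per problem and returns the number of problems found.
check_pool() {
    c_net=$1 c_mask=$2 c_first=$3 c_last=$4; shift 4
    problems=0
    for addr in "$c_first" "$c_last" "$@"; do
        if ! usable_in_subnet "$addr" "$c_net" "$c_mask"; then
            echo "$addr is not a usable host address in $c_net/$c_mask"
            problems=$((problems + 1))
        fi
    done
    lo=$(ip_to_int "$c_first") && hi=$(ip_to_int "$c_last") || return 99
    if [ "$lo" -gt "$hi" ]; then
        echo "pool start $c_first is above pool end $c_last"
        problems=$((problems + 1))
    fi
    for addr in "$@"; do
        n=$(ip_to_int "$addr") || continue
        if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
            echo "$addr is inside the pool $c_first-$c_last"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Values from the page: the dhcpd example, then the PPPoE example with
# host IP 192.168.1.1 and default gateway 192.168.1.254 as fixed addresses.
check_pool 10.0.0.0 255.255.255.0 10.0.0.10 10.0.0.100 10.0.0.1 &&
    echo "dhcpd example: ok"
check_pool 192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.200 \
    192.168.1.1 192.168.1.254 && echo "PPPoE example: ok"
# Constructed failure case: a router set to the network address 10.0.0.0.
check_pool 10.0.0.0 255.255.255.0 10.0.0.10 10.0.0.100 10.0.0.0 ||
    echo "-> $? problem(s)"
```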
   
How to setup the RWV in bridge mode?
  • Logging in: Using SSH, you will be presented with a login prompt. The default username is "admin" and the default password is "1234".
  • Setting up the Ethernet cards: Under the Interfaces menu choose Ether1, then the IP Assignments menu. If needed, select the default IP 192.168.1.1, then click the Edit button to change the card's IP address. The IP you provide will be the address that the RWV will use to connect to the up-stream network. On the bottom of this screen change the Ethernet Bridge Number to 1.
  • Setting up the Wireless cards: Under the Wireless menu, select the wireless card you wish to set up, and then select Config Current Card. If this wireless card is to be an Access Point, set the ESSID you wish to use and select Access Point in the Network Type field. If this wireless card is NOT to be an Access Point, set the ESSID field to the ESSID of the Access Point that it will be connecting to and select Infrastructure in the Network Type field.
  • Continue setting up the Wireless cards: Under the Interfaces menu choose the wireless interface you wish to set up, then the IP Assignments menu. On the bottom of this screen change the Ethernet Bridge Number to 1. Note: in bridge mode only the Ethernet interface will have an IP, not the wireless.
  • Select the File menu and Save Change. Select the File menu and Activate Changes
   
Cannot log in to or ping the RWV, and via the console port it is asking for a license key. How is this fixed?
  • When the RWV is in Demo mode and the time expires, the system will automatically reboot and ask for a key via the console port. This can happen if the flash is corrupted or there is an issue with the Ethernet port on which the license key is based. You will need to follow the FAQ on re-flashing the compact flash as noted below.
   
What are the Radius attributes used with Hotspot, PPPoE and PPtP?
  • Session-Timeout (max session length in seconds. 0 = unlimited)
  • Idle-Timeout (max idle time before session is closed in seconds, 0 = no idle timeout)
  • Framed-IP-Address (used to verify against user's login IP)
  • DTG-PPPoE-CBQ-RX (RX rate for user in bps)
  • DTG-PPPoE-CBQ-TX (TX rate for user in bps)
  • DTG-PPPoE-CBQ-RX-Fallback (Fallback RX rate for user in bps)
  • DTG-PPPoE-CBQ-TX-Fallback (Fallback TX rate for user in bps)

RWV Radius Client and Dictionary Files Download

   
What port supports POE?
  • The port nearest to the 9 pin serial port on the 2XXX has support for POE
  • The port furthest from the 9 pin serial port on the 3XXX has support for POE
  • ***DO NOT*** plug the POE into the second Ethernet port; this could damage the RWV.
   
How to restore to default configuration?
  • Connect to serial port with null modem cable, set to 9600 baud for RWV-2XXX or 38400 for RWV-3XXX
  • Turn on the RWV; garbage will appear on the screen for a few seconds, then the boot system will start
  • Wait for full boot up to complete
  • Select "2) Restore Factory Defaults"
  • Type "factory"
  • Hard reboot the RWV
   
How long does boot up take?
  • Boot up will take anywhere from 45-60 seconds
  • If a system needs to be re-keyed from a newly made flash, boot up will take 4-5 min on the first boot; once the system is keyed, boot up will go back to 45-60 seconds
   
What is the default IP, Username and Password?
  • IP: 192.168.1.1
  • Username: Admin
  • Password: 1234
   
What is the correct Ethernet cable to use to connect to the RWV?
  • When connecting to the RWV directly, a crossover Ethernet cable is used.
  • When connecting the RWV to a switch or hub, a straight-through cable is used.
   
How to start from scratch and re-write the compact flash on the RWV's?
  • You will need a supported USB or PCMCIA to CF read/writer
    • Any PCMCIA to CF should work
    • PNY Technologies USB to CF is known to work
  • Pull the CF from the slot in the RWV and insert in to CF read/writer
  • Verify CF is recognized by the operating system as a hard drive
  • Download the RAW write utility and RAW firmware file to the same directory:
  • Run from the command line, for example "physdiskwrite.exe dtrwv2xxx.1.13.4b1-4020.raw"
  • **WARNING SELECTING THE INCORRECT DRIVE WILL KILL YOUR SYSTEMS HARD DRIVE**
    • Make sure to select the CF drive, example drive output for PNY USB read/writer:

      Searching for physical drives...

      Information for \\.\PhysicalDrive0:
      Windows: cyl: 7299
      tpc: 255
      spt: 63
      C/H/S: 16383/16/63
      Model: QUANTUM FIREBALLP AS60.0
      Serial number: 796116079169
      Firmware rev.: A1Y.1500

      Information for \\.\PhysicalDrive1:
      Windows: cyl: 3
      tpc: 255
      spt: 63

      Which disk do you want to write? (0..1)

    • In this case select drive 1, which will write the RAW file to the CF
  • Insert the CF back into the RWV and power up.
  • At this point the RWV has a default setup with IP 192.168.1.1, a login of admin and password 1234.
  • Find MAC address of ether1 under interfaces and mail this to support@demarctech.com with key request in the subject line.
  • Once you have the key, under system > update / enter unlock key, enter the key to unlock the system
   
How to upgrade the firmware on the RWV's?
  • Download the rwv-util.exe backup / restore utility from our downloads page which will be used to perform the upgrade:
  • Download the RWV firmware (.bin version) that you wish to upgrade to:
  • Open a command prompt and type the following to upload the new firmware to your RWV base station
    • rwv-util 192.168.1.1 1234 -f rwv-1.xx.x-xxxx.bin
    • Substitute '1234' for your system password, and include the appropriate IP and firmware name.
  • You will see a progress meter, and when it hits 100%, the firmware has been sent to your system.
    • If by chance you get a time-out or a lost connection, simply try again. This procedure is not harmful to your system if you decide to cancel.
  • Once uploaded, log into your RWV system via SSH or console, and click on menu item "System->Upgrade Firmware". Follow the on-screen instructions to finish the update.
  • The new firmware will take effect after the next reboot.
   
On a long cable run the system powers up but there are many dropped packets or I cannot connect to the RWV. How can this be fixed?
  • On long cable runs over 200 feet set your switch to 10Mb / Full Duplex which will force the RWV to the same mode.

 
