GWN700X - User Manual

WELCOME

GWN7001/7002/7003 are Multi-WAN Gigabit VPN routers with built-in firewalls that allow businesses to build comprehensive wired, wireless and VPN networks for one or many locations. They offer high-performance routing and switching power along with built-in VPN support for secure in-office and inter-office connectivity. To provide enterprise-grade security protection and ensure stable network operation, the GWN 7001/7002/7003 features a built-in firewall with advanced content security, filtering, threat detection, attack prevention and more. To maximize network reliability, they support traffic load balancing, failover (WAN backup) and bandwidth management capabilities. The GWN7001 includes 6 Gigabit Ethernet ports.The GWN7002/GWN7003 include 2 2.5 Gigabit SFP ports, 4/9 Gigabit Ethernet ports, and 2 PoE output ports that allow them to provide power to other endpoints. These routers can manage themselves and up to 150 Grandstream GWN Series Wi-Fi APs thanks to an embedded controller located in the products’ web user interface. These routers can also be managed with GWN.Cloud and GWN Manager, Grandstream’s free cloud and on-premise network management tools. By providing high-performance routing, VPN support, powerful security protection and easy-to-use network management tools, the GWN Gigabit VPN routers are ideal for a wide variety of deployments including small-to- medium businesses, retail, education, hospitality, healthcare and more.

PRODUCT OVERVIEW

Technical Specifications

GWN700x Technical Specifications

INSTALLATION

Before deploying and configuring the GWN700x router, the device needs to be properly powered up and connected to the network. This section describes detailed information on the installation, connection, and warranty policy of the GWN700x router.

Package Contents

GWN700x Ports

GWN700x ports

Powering and Connecting GWN700x

1. Power the GWN700x

GWN7002/GWN7003 can be powered on using the right PSU (DC 24V, 1A) or PoE (IEEE 802.3af/at).

2. Connect to the Internet

Connect the LAN/WAN or SFP/WAN port to an optical fiber broadband modem, ADSL broadband modem, or community broadband interface.

3. Connect to GWN7002/7003 Network

Connect your computer to one of the LAN ports.

GWN700x installation

• Mounting GWN7001/7002 to the Wall

1. Using a drill, make two holes in the wall with 135.0mm spacing, 6.0mm diameter. Put a plastic anchor and screw (not provided) on each hole.
2. Mount the GWN7001/7002 router on the mounting screws.

• Mounting GWN7003 to the Wall

1. Use the provided screws to fix the two L-shaped Mounting bracket (rotated 90°) on both sides of the GWN7003 router.
2. Stick the router port up and horizontally on the selected wall, mark the position of the screw hole on the L-shaped mounting brackets with a marker. Then, drill a hole at the marked position with an impact drill, and drill the plastic anchors (prepared by yourself) into the drilled hole in the wall.
3. Use a screwdriver to tighten the screws (prepared by yourself) that have passed through the L-shaped mounting brackets to ensure that the GWN7003 router is firmly installed on the wall.

• Install on a 19” Standard Rack

1. Check the grounding and stability of the rack.
2. Install the two L-shaped rack-mounting in the accessories on both sides of the router, and fix them with the screws provided.
3. Place the router in a proper position in the rack and support it by the bracket.
4. Fix the L-shaped rack mounting to the guide grooves at both ends of the rack with screws(prepared by yourself) to ensure that the router is stably and horizontally installed on the rack.

• Grounding GWN7003

1. Remove the ground screw from the back of the router, and connect one end of the ground cable to the wiring terminal of the router.
2. Put the ground screw back into the screw hole, and tighten it with a screwdriver.
3. Connect the other end of the ground cable to other device that has been grounded or directly to the terminal of the ground bar in the equipment room.

GETTING STARTED

The GWN700x Multi-WAN Gigabit VPN Routers provide an intuitive web GUI configuration interface for easy management to give users access to all the configurations and options for the GWN700x’s setup.

Use the WEB GUI

Access WEB GUI

The GWN700x embedded Web server responds to HTTPS GET/POST requests. Embedded HTML pages allow users to configure the device through a Web browser such as Microsoft IE, Mozilla Firefox, or Google Chrome.

To access the Web GUI:

1. Connect a computer to a LAN port of the GWN700x.
2. Ensure the device is properly powered up, and the Power and LAN port LEDs light up in green.
3. Open a Web browser on the computer and enter the web GUI URL in the following format:
   https://192.168.80.1 (Default IP address).
4. Enter the administrator’s login and password to access the Web Configuration Menu. The default administrator’s username is “admin” and the default password is printed on the MAC tag of the unit.

At first boot or after factory reset, users will be asked to change the default administrator and user passwords before accessing the GWN700x web interface. The password field is case-sensitive with a maximum length of 32 characters. Using strong passwords including letters, digits, and special characters are recommended for security purposes.

Once the user enters the password, this is the initial page that will be shown. This page contains general information and status about the router.

Search

To make it easier for the user to find a particular option quickly, the GWN700X web UI has a search feature which can be accessed by clicking on the magnifier icon on the top right corner of the screen and typing the option name.

Setup Wizard and Feedback

Setup Wizard

If the user missed the Setup Wizard at the first boot of GWN700X. It’s accessible all the time at the top of the page and it contains the necessary settings that the user must configure in 2 steps, first country and time zone, and Internet Settings.

Click on button to go through the setup wizard.

Feedback

If the user has a question or a suggestion to make the GWN700x product even better or has an issue, he can always send feedback, in case of a problem it’s better as well to include Syslog as it may help solve the problem faster.

OVERVIEW

Overview Page

Overview is the first page shown after successful login to the GWN700x’s Web Interface. It provides an overall view of the GWN700x’s information presented in a Dashboard style for easy monitoring. Please refer to the figure and table below:

Overview page

Port Info

Port Info page displays an overview of all ports status including the USB Port, Gigabits ports, and SFP ports, indicating the links up with green color and links down with grey color, furthermore the user can click on the port icon to get more info about the select link, refer to the figure below:

Navigate to Web UI → Overview → Port Info:

System Info

System Info page shows many info related to GWN700x router like device name, system version, MAC address, system up time, CPU and memory usage, temperature, etc.

The router’s System Info can be accessed from the Web GUI → Overview → System Info Tab.

NETWORK SETTINGS

Port Configuration

To access port configuration, please access the user interface of the GWN700X router and then navigate to Network Settings → Port Configuration.

• Port Status

On the top, you can find the status of all the ports of the router.

• Violet color: port speed is 2.5Gbps (works only with SFP ports and 2.5Gbps SFP module).
• Green color: port speed is 1Gbps.
• Light green color: port speed is 100Mbps/10Mbps.
• Grey color: link down.
• White color: port disabled.
• Internet icon: port connected to the internet (for WAN ports).

• Port Configuration

Port configuration page allows the user to configure the settings related to all the ports of the router; this includes the gigabit Ethernet ports as well as the SFP ports. The settings that can be edited include flow control, speed and duplex mode.

Port configuration – part 2

• PoE Configuration

The user can also control the total power limited that the router can supply through PoE. The power supplied can also be controlled on the port level.

Port configuration – PoE configuration

WAN

The WAN ports can be connected to a DSL modem or a router. WAN port support also sets up static IPv4/IPv6 addresses and configure PPPoE.

On this page, the user can modify the setting for each WAN port, and also can delete or even add another WAN, Adding a WAN port will reduce the LAN ports number. In the case where there is more than one WAN port, load balancing or backup (Failover) can be configured.

If a GWN router is added to either GWN.Cloud or GWN Manager, the WAN Speed Test feature will be available to users. Please for more details check GWN Management Platforms – User Guide (WAN Speed Test).

Click on to add another WAN port or click on the “edit icon” to edit the previously created ones.

Please refer to the following table for network configuration parameters on the WAN port.

WAN Settings

Triple play

Triple Play feature the user to benefit from multi-service plan (depends on ISP provider), and with a single WAN connection each service e.g: Internet, Voice (VoIP) and IPTV can be separated using VLANs and a specific port.

Navigate to Network Settings → WAN → Edit/Add WAN, then scroll down and search for Bridge Mode, please refer the figure below:

LAN

To access the LAN configuration page, log in to the GWN700x WebGUI and go to Network Settings → LAN. VLAN configuration such as adding VLANs or setting up a VLAN port can be found here on this page, as well as the ability to add Static IP Bindings, local DNS Records and Bonjour Gateway.

VLAN

GWN700x router integrates VLAN to enhance security and add more functionalities and features. VLAN tags can be used with SSIDs to separate them from the rest, also the user can allow these VLANs only on specific LANs for more control and isolation and they can be used as well with policy routing.

• Add or Edit VLAN

To Add or Edit a VLAN, Navigate to Router Interface → Network Settings → LAN. Click on button or click on Edit button.

Add/edit VLAN

VLAN Port Settings

The user can use LAN ports to allow only specific VLANs on each LAN port and in case there are more than one VLAN then there is an option to choose one VLAN as the default VLAN ID (PVID or Port VLAN Identifier). Click on to edit the VLAN Port Settings or click on to delete that configuration and bring back the default settings which is by default VLAN 1.

Allowed VLANs	Choose the VLANS to be allowed on this port.
PVID	Select the Port VLAN Identifier or the default VLAN ID

Static IP Binding

The user can set IP static binding to devices in which the IP address will be bound to the MAC address. Any traffic that is received by the router which does not have the corresponding IP address and MAC address combination will not be forwarded.

To configure Static IP Binding, please navigate to Network Settings → LAN → Static IP Binding, refer to the figure and table below:

Static IP Binding

Local DNS Records

Local DNS Records is a feature that allows the user to a DNS records into the router which can be used to map the domain name to an IP address. This feature can be used when the user needs to access a specific server using a domain name instead of an IP address when they do not want to include the entry in public DNS servers. To add a local DNS record, please navigate to Network Settings → LAN → Local DNS Records, then click “Add”

• Enter the domain name in “Domain”
• Then, enter the IP address to which the domain name will be mapped to.
• Toggle on the “Status” for the mapping to take effect.

Bonjour Gateway

The Boujour service is a zero-configuration network that enables automatic discovery of devices and services on a local network. For example: it can be used on a local network to share printers with Windows® and Apple® devices.

Once enabled, Bonjour services (such as Samba) can be provided to Bonjour supporting clients under multiple VLANs. Once enabled, configure the services of the VLANs and proxies that need to intercommunicate.

To start using Bonjour Gateway, Toggle ON or OFF the service first, then select the VLAN and the services as shown below:

IGMP

When IGMP Proxy is enabled, the GWN router can issue IGMP messages on behalf of the clients behind it, then the GWN router will be able to access any multicast group.

To start using IGMP Proxy:

1. Toggle ON IGMP Proxy first.
2. Select the WAN interface to be used from the drop-down list (Note: IGMP proxy cannot be enabled on a WAN port with bridge mode enabled)
3. Select the version, be default is Auto.

The user can also enable IGMP Snooping. Once enabled, multicast traffic will be forwarded to the port belonging to the multicast group member. This configuration will be applied to all LAN ports.

On the IGMP Multicast Group Table, all the active multicast groups will be displayed here.

Network Acceleration

Network acceleration allows the router to transfer data at a higher rate when Hardware acceleration is enabled. This ensures a high performance.

CLIENTS

Clients page keeps a list of all the devices and users connected currently or previously to different LAN subnets with details such as the MAC Address, the IP Address, the duration time, and the upload and download information etc.

Clients Page

• View Client Information and Report

Click on a device to open the full report of the traffic used by the device. The report will contain the total data uploaded and downloaded, as well as the statistics used by each application on the device.

To see information related to the device, please click on Device Info tab.

VPN

VPN stands for “Virtual Private Network” and it encrypts data in real time to establish a protected network connection when using public networks.

VPN allows the GWN700x routers to be connected to a remote VPN server using PPTP, IPSec, L2TP, OpenVPN® and WireGuard® protocols, or configure an OpenVPN® server and generate certificates and keys for clients.

GWN700X routers support the following VPN functions:

• PPTP: Client and server
• IPSec: Site-to-site and client-to-site (Beta)
• OpenVPN®: Client and server
• L2TP: Client
• WireGuard®: Server

VPN page can be accessed from the GWN700x Web GUI → VPN.

PPTP

A data-link layer protocol for wide area networks (WANs) based on the Point-to-Point Protocol (PPP) and developed by Microsoft enables network traffic to be encapsulated and routed over an unsecured public network such as the Internet. Point-to-Point Tunneling Protocol (PPTP) allows the creation of virtual private networks (VPNs), which tunnel TCP/IP traffic through the Internet.

PPTP Clients

To configure the PPTP client on the GWN700x, navigate under VPN → PPTP → PPTP Clients and set the followings:

1. Click on “Add” button.

The following window will pop up.

PPTP Client Configuration

PPTP Servers

To add a PPTP Server, please navigate to Web UI → VPN → PPTP page → PPTP Servers tab, then click on “Add” button.

PPTP Sever

• Create the remote user credentials:

To creates the remote user account which will be required to be entered on the client side and and authenticated on the server side, please refer to the Remote Users section.

To view the clients connected to this server, click on “Client List” icon as shown below:

IPSec

IPSec or Internet Protocol Security is mainly used to authenticate and encrypt packets of data sent over the network layer. To accomplish this, they use two security protocols – ESP (Encapsulation Security Payload) and AH (Authentication Header), the former provides both authentications as well as encryption whereas the latter provides only authentication for the data packets. Since both authentication and encryption are equally desirable, most of the implementations use ESP.

IPSec supports two different encryption modes, they are Tunnel (default) and Transport mode. Tunnel mode is used to encrypt both payloads as well as the header of an IP packet, which is considered to be more secure. Transport mode is used to encrypt only the payload of an IP packet, which is generally used in gateway or host implementations.

IPSec also involves IKE (Internet Key Exchange) protocol which is used to set up the Security Associations (SA). A Security Association establishes a set of shared security parameters between two network entities to provide secure network layer communication. These security parameters may include the cryptographic algorithm and mode, traffic encryption key, and parameters for the network data to be sent over the connection. Currently, there are two IKE versions available – IKEv1 and IKEv2. IKE works in two phases:

Phase 1: ISAKMP operations will be performed after a secure channel is established between two network entities.

Phase 2: Security Associations will be negotiated between two network entities.

IKE operates in three modes for exchanging keying information and establishing security associations – Main, Aggressive and Quick mode.

• Main mode: is used to establish phase 1 during the key exchange. It uses three two-way exchanges between the initiator and the receiver. In the first exchange, algorithms and hashes are exchanged. In the second exchange, shared keys are generated using the Diffie-Hellman exchange. In the last exchange, verification of each other’s identities takes place.

• Aggressive mode: provides the same service as the main mode, but it uses two exchanges instead of three. It does not provide identity protection, which makes it vulnerable to hackers. The main mode is more secure than this.

• Quick mode: After establishing a secure channel using either the main mode or aggressive mode, the quick mode can be used to negotiate general IPsec security services and generate newly keyed material. They are always encrypted under the secure channel and use the hash payload that is used to authenticate the rest of the packet.

IPSec Site-to-Site

To build an IPSec secure tunnel between two sites located in two distant geographical locations, we can use the sample scenario below:

The branch office router needs to connect to the Headquarters office via an IPSec tunnel, on each side we have a GWN700x router. Users can configure the two devices as follows:

The branch office router runs a LAN subnet 192.168.1.0/24 and the HQ router runs a LAN subnet 192.168.3.0, the public IP of the branch office router is 1.1.1.1 and the IP of the HQ router is 2.2.2.2.

Go under VPN → IPSec → Site-to-Site then click on to add a VPN Client.

○ Phase 1

○ Phase 2

After this is done, press “Save” and do the same for the HQ Router. The two routers will build the tunnel and the necessary routing information to route traffic through the tunnel back and from the branch office to the HQ network.

• Create the remote user credentials:

To creates the remote user account which will be required to be entered on the client side and and authenticated on the server side, please refer to the Remote Users section.

IPSec Client-to-Site

Go under VPN → IPSec → Client-to-Site then fill in the following information:

OpenVPN®

OpenVPN® Client

There are two ways to use the GWN700x as an OpenVPN® client:

1. Upload client certificate created from an OpenVPN® server to GWN700x.

2. Create client/server certificates on GWN700x and upload the server certificate to the OpenVPN® server.

Go to Go to VPN → OpenVPN® → OpenVPN® Clients and follow the steps below:

Click on button. The following window will pop up.

Clickafter completing all the fields.

OpenVPN® Client

OpenVPN® Server

To use the GWN700x as an OpenVPN® server, you will need to start creating an OpenVPN® certificates and remote users.

To create a new VPN server, navigating under Web UI → VPN → OpenVPN® page → OpenVPN® Servers tab.

Clickafter completing all the fields.

Refer to the table below:

Create OpenVPN® Server

• Create the remote user credentials:

To creates the remote user account which will be required to be entered on the client side and and authenticated on the server side, please refer to the Remote Users section.

L2TP

To configure the L2TP client on the GWN700x router, navigate under “VPN → VPN Clients” and set the followings:

1. Click onbutton and the following window will pop up.

L2TP Client Configuration

Clickafter completing all the fields.

WireGuard®

WireGuard® is free and open source VPN solution that encrypts virtual private networks, easy to use, high performance and secure. GWN700x routers series support WireGuard® VPN with automatic peer generation and QR code scanning for mobile phones and devices with camera support.

To start using WireGuard® VPN, please navigate to Web UI → VPN → WireGuard® page. Click on “Add” button to add a WireGuard® server as shown below:

Please refer to the figure and table below when filling up the fields.

Add/Edit WireGuard®

Once finished configuring WireGuard®, click on “Automatic peer generation” icon to generate peers very quickly and easily as shown in the figures below:

Enter a name and toggle status ON then click on “Save” button.

Now, the user can either download the configuration file and share it, or download QR code for devices like mobile phones to scan.

Peers

On the peers tab, the user can create peers manually by clicking on “Add” button.

Please refer to the figure below when filling up the fields.

The user can download the config file after adding the peer.

Or scanning the QR code for devices with camera support.

Remote Users

To create the VPN user accounts, please navigate to VPN → Remote Users then click “Add”. The account configured will be used for the client to authenticate into the VPN server. The remote client user that can be created in this section is for PPTP, IPSec, and OpenVPN.

Add VPN Remote Users

To authenticate a remote user into the VPN server successfully, the username and password are used alongside the client certificate. To create a client certificate please refer to Certificates section.

To configure the VPN clients for each VPN server type, please refer to the respective VPN client configuration above.

ROUTING

Policy Routes

On this section, the user can create a policy route to either load balance or backup (Failover) between 2 or more WAN ports. This feature allows a network administrator to make advanced routing decisions for traffic passing through the router and for high granularity control over policies that dictate what WAN port and even VLAN, traffic should use. Traffic controlled this way can be balanced across multiple VLANs.

Load Balance Pool

To create a load balance rule, navigate to Routing → Policy Routes page → Load Balance Pool tab, click on “Add” button, then select the mode (Load Balance or Backup), after that select the WAN ports from the drop-down list and specify the Weight for each port added. Please refer to the figures below:

Policy Route

On the second tab (Policy Routes), the user can specify which Networks (VLAN) can use which Load Balance rule (must be created first), also the user can specify the protocol type, source and destination IP and even assign a schedule for it.

To create a Policy Route, please navigate to Routing → Policy Routes page → Policy Routes tab, then click on “Add” button as shown below:

Static Routes

Static routing is a form of routing by manually configuring the routing entries, rather than using a dynamic routing traffic for any service that requires a static address that never change.

GWN700x supports setting manually IPv4 or IPv6 Static Routes which can be accessed from GWN700x WebGUI Routing → Static Routing.

To add a new Static Route, the user needs to click on 

Add IPv4 Static Routing

TRAFFIC MANAGEMENT

Traffic Management – Basic Settings

The GWN700x routers are capable of identifying and analyzing the traffic exchanged between the intranet clients and remote hosts located on the Internet. To enable this feature please navigate to the GUI of the router, then click on Traffic Management → Basic Settings and toggle on “Traffic Identification”.

Traffic Statistics

When “Traffic Identification” is enabled, the router will start identifying the traffic and generate statistics. The statistics will be represented graphically as shown in the screenshot below. The feature displays the name and the type of the service generating the traffic to easily identify which services are being used and which clients are using them.

QoS

Quality of Service (QoS) is a feature that allows the prioritization if the latency-sensitive traffic exchanged between the WAN and the LAN hosts. This will offer more control over the usage of a limited bandwidth and ensures that all application services are not affected by the amount of the traffic exchanged.

General Settings

On this page, the user will be able to allocate a percentage of the download and the upload bandwidth to 4 classes. These classes can be assigned to applications to determine which application traffic will be prioritized, this includes the inbound and the outbound traffic. Also, it’s possible to tag outbound traffic with DSCP tags for each class.

To set Upload/Download bandwidth percentage for each class, click on edit button .

Edit Bandwidth limit

Click on bandwidth statistics icon to get a general overview for upload/download bandwidth status.

APP Class

GWN700X routers can prioritize the traffic of each application individually. The priority level can be set in 4 classes, class 1 having the highest priority and class 4 having the lowest priority. To access APP Class settings, please access the web GUI of the router then navigate to Traffic Management → QoS → APP Class.

The user can either set the priority for the individual applications by selecting the priority of the corresponding applications.

Or, the use can select the applications and application categories and then click “Configure Classes” then choose the adequate priority.

Class Rules

QoS class rules are rules which sets the QoS based on source or/and destination IP addresses, and source and destination ports.

QoS – Add Class Rules

VoIP Settings

VoIP Settings in QoS allow the user to identify and prioritize the VoIP traffic that is forwarded by the router. To configure this option, please access the web UI of the GWN router and navigate to Traffic Management → QoS → VoIP Settings, then toggle on the “VoIP Prioritization”, after that specify the SIP UDP port, by default the port number is 5060.

Bandwidth Limit

Bandwidth limit feature helps to limit bandwidth by specifying the maximum upload and download limit, then this limit can be applied on each IP/MAC address or applied on all IP addresses in the IP address range. Navigate to Web UI → Traffic Management → Bandwidth Limit.

To add a bandwidth rule, please click on “Add” button or click on “Edit” icon as shown above.

Please refer to the figure below:

AP MANAGEMENT

GWN700X routers come with an embedded controller for the GWN access points. The user can configure all the Wi-Fi related settings through the controller. When the APs are connected to the router, and they are paired with it, they will automatically inherit the configuration which has been set on the router’s AP Management section.

Access Points

In this section, the user can add the access point which can be controlled using the embedded controller within the router. The user can either pair or takeover an access point in order to be able to configure it. The configuration performed on the router AP embedded controller will be pushed to the access points; thus, offering a centralized management of the GWN access points.

To add a GWN access point to the GWN router, please navigate to Web UI → AP Management → Access Points.

Pair AP: Use this button when pairing an AP which has not be set as a master.
Takeover AP: Use this button to take over an access point which has formerly been set as slave to a different master device. In order to pair the devices successfully, the network administrator must enter the password of the master device.

Click on a paired GWN AP to view Details, Client list and debug tools. Please refer to the figures below:

Details section contains details about the paired AP like firmware version, SSID, IP address, Temperature, etc.

Client List section lists all the connected clients trough this AP with many info like MAC Address, Device name, IP Address, bandwidth, etc.

Debug section provides the users with many debug tools to help diagnostics any issue like Ping/Traceroute, One-click Debug and SSH Remote Access.

Transfer APs to GWN.Cloud/GWN Manager

GWN routers also enables to users to transfer their paired GWN APs to GWN.Cloud/GWN Manager.

On the AP Management → Access Points page, select the AP or APs then click on “Transfer” button as shown below:

On the next page, select either GWN Cloud or GWN Manager then click “Save” button. the user will be forwarded automatically to either GWN Cloud or GWN Manager to login.

SSIDs

In this page, the user can configure SSID settings. The Wi-Fi SSID will be broadcasted by the paired access points. This offers a centralized control over the SSIDs created which makes managing many GWN access points easier and more convenient.

In order to add an SSID, the user should click on “Add” button, then the following page will appear:

Add SSID

Private Pre-Shared Key (PPSK)

PPSK (Private Pre-Shared Key) is a way of creating Wi-Fi passwords per group of clients instead of using one single password for all clients. When configuring PPSK, the user can specify the Wi-Fi password, maximum number of access clients, maximum upload and download bandwidth.

To start using PPSK, please follow the steps below:

1. First, create an SSID with WPA key mode set to either PPSK without RADIUS or PPSK with RADIUS.
2. Navigate to Web UI → AP Management → PPSK page, then click on “Add” button then fill in the fields as shown below:

Add PPSK

Radio

Under AP Managements → Radio, the user will be able to set the general wireless settings for all the Wi-Fi SSIDs created by the router. These settings will take effect on the level of the access points which are paired with the router.

Radio

Mesh

Through the controller embedded in the GWN700X routers, the user can configure a Wi-Fi Mesh using the GWN access points. The configuration is centralized and the user can view the topology of the Mesh.

• Configuration:

To configure GWN access points in a Mesh network successfully, the user must pair the access points first with the GWN router, then configure the same SSID on the access points. Once that’s done, the user should navigate to AP Management → Mesh → Configure, then enable Mesh and configure the related information as shown in the figure below.

For more information about the parameters that need to be configured, please refer to the table below.

Mesh Configuration

• Topology:

In this page, the user will be able to see the topology of the GWN access points when they are configured in a Mesh network. The page will display information related to the APs like the MAC address, RSSI, Channel, IP Address, and Clients. It will show as well the cascades in the Mesh.

ACCESS CONTROL

GWN700x has features that can enable the user to block clients and sites as well and also limit the bandwidth per client or SSID.

Blocklist

The Blocklist is a feature in GWN700x that enables the user to block wireless clients from the available ones or manually add the MAC Address.

To create a new Blocklist, Navigate under: “Web UI → Access Control → Blocklist“.

• Add devices from the list:

Enter the name of the blocklist, then add the devices from the list.

• Add Devices Manually:

Enter the name of the blocklist, then add the devices’ MAC addresses.

After the blocklist is created, to take effect the user needs to apply it on the desired SSID.

Navigate to ” Web UI → AP Management → SSIDs“, either click on “Add” button to create new SSID or click on “Edit” icon to edit previously created SSID, scroll down to “Access Security” section then look for “Blocklist Filtering” option and finally select from the list the previously created blocklists, the user can select one or more, or click on “Create Blocklist” at the bottom of the list to create new one.

Please refer to the figure below:

SafeSearch

The GWN700X routers offer SafeSearch feature on Bing, Google, and Youtube. Enabling this option will hide any inappropriate or explicit search results from being displayed.

EXTERNAL ACCESS

By default, all the requests initiated from the WAN side are rejected by the router GWN700x external access features allow hosts located on the WAN side to access the services hosted on the LAN side of the GWN router.

DDNS

1. Access to GWN700x web GUI, navigate to External Access → DDNS, and click to Add Service.

2. Fill in the domain name created with the DDNS provider under the Service Provider field.

3. Enter your account username and password under the User Name and Password fields.

4. Specify the Domain to which DDNS Account is applied under Domain.

DDNS Page

Port Forward

Port forwarding allows forwarding requested initiated from the WAN side of the router to a LAN host. This is done by configuring either the port only, or the port and the IP address in case we want to restrict the access over that specific port to one IP address. Once the router receives the requested on the IP address, the router will verify the port on which the request has been initiated and will forward the request to the host IP address and the port of the host which is configured as the destination.

Port forwarding can be used in the case when a host on the WAN side wants to access a server on the LAN side.

Navigate to GWN700x WEB UI → External Access  → Port Forward:

Refer to the following table for the Port Forwarding option when editing or creating a port forwarding rule:

Port Forwarding page

DMZ

Configuring the DMZ, the router will allow all the external access requests to the DMZ host. This is

This section can be accessed from GWN700x Web GUI → External Access  → DMZ.
GWN700x supports DMZ, where it is possible to specify a Hostname IP Address to be put on the DMZ.

Enabling the DMZ host function, the computer set as the DMZ host can be completely exposed to the Internet, realizing two-way unrestricted communication.

Refer to the below table for DMZ fields:

DMZ Page

UPnP

GWN700x supports UPnP that enables programs running on a host to configure automatically port forwarding.

UPnP allows a program to make the GWN700x open necessary ports, without any intervention from the user, without making any check.

UPnP settings can be accessed from GWN700x Web GUI → External Access → UPnP.

UPnP Settings

When UPnP is enabled, the ports will be shown in the section below. The information shown includes application name, IP address of the LAN host which has requested the opening of the port, the external port number, the internet port number, and the transport protocol used (UDP or TCP).

TURN Service

TURN stands for Traversal Using Relays around NAT and it’s a network service that helps establish peer-to-peer connections between devices that are behind a NAT or Firewall. Real-time communication like video conferencing, Voice over IP, etc benefit from TURN service to establish connections between peers when the NAT or the Firewall block or modify the traffic.

Navigate to Web UI → External Access → TURN Service. The service is OFF by default, toggle Status ON to turn on the service. The default TURN Server Port is 3478, also it’s possible to add or remove username and password by clicking on “minus” and “Plus” icons.

FIREWALL

The Firewall in GWN routers enables the user to secure the network by blocking the most common attacks and allowing for more control over the traffic.

The Firewall section provides the ability to set up input/output policies for each WAN interface and LAN group as well as setting configuration for Static and Dynamic NAT and ALG.

Firewall – Basic Settings

General Settings

• Flush Connection Reload

When this option is enabled and the firewall configuration changes are made, existing connections that had been permitted by the previous firewall rules will be terminated.
If the new firewall rules do not permit a previously established connection, it will be terminated and will not be able to reconnect. With this option disabled, existing connections are allowed to continue until they timeout,even if the new rules would not allow this connection to be established.

DoS Defense

Denial-of-Service Attack is an attack aimed to make the network resources unavailable to legitimate users by flooding the target machine with so many requests causing the system to overload or even crash or shutdown.

DoS Defense

Spoofing Defense

Spoofing defense section offers a number of counter-measures to the various spoofing techniques. To protect your network against spoofing, please enable the following measures in order to eliminate the risk of having your traffic intercepted and spoofed. GWN routers offer measures to counter spoofing on ARP information, as well as on IP information.

ARP Spoofing Defense

• Block ARP Replies with Inconsistent Source MAC Addresses: The router will verify the destination MAC address of a specific packet, and when the response is received by the router, it will verify the source MAC address and it will make sure that they match. Otherwise, the router will not forward the packet.
• Block ARP Replies with Inconsistent Destination MAC Addresses: The router will verify the source MAC address and when the response is received. The router will verify the destination MAC address and it will make sure that they match. Otherwise, the router will not forward the packet.
• Decline VRRP MAC Into ARP Table: The router will decline including any generated virtual MAC address in the ARP table.

IP Spoofing Defense

• Block IP Packet From WAN with Inconsistent Source IP Addresses: The router will verify the the IP address of the inbound packets, the source IP address has to match the destination IP address to which the request was initially sent to. If there is a mismatch between these two IP addresses, the router will drop the packet.
• Block IP Packet from LAN With Inconsistent Source IP Address: The router will verify the IP address of the packets forwarded. If the router discovers that there is a mismatch in the packet source IP address, the packet will not be forwarded.

Rules Policy

Rules policy allows to define how the router is going to handle the traffic based on whether it is inbound traffic or outbound traffic. This is done per WAN port as well as LAN ports of the router.

• Inbound Policy: Define the decision that the router will take for the traffic initiated from the WAN. The options available are Accept, Reject, and Drop.
• Outbound Traffic: Define the decision that the router will take for the traffic initiated from the LAN side. The options available are Accept, Reject, and Drop.
• IP Masquerading: Enable IP masquerading. This will masque the IP address of the internal hosts.
• MSS Clamping: Enabling this option will allow the MSS (Maximum Segment Size) to be negotiated during the TCP session negotiation
• Log Drop / Reject Traffic: Enabling this option will generate a log of all the traffic that has been dropped or rejected.

Content Security

The content security feature on GWN700x routers uses DPI (Deep Packet Inspection) to allow users to filter (accept, deny or drop packets) content based on DNS, APP or URL. DNS and URL filtering uses keywords and wildcard * (which can represent any string) while APP filtering works by selecting APPs from a list organized in categories.

For more details about how to block (filter) DNS, APPs and URL, please visit the link below:

documentation.grandstream.com/knowledge-base/gwn700x-firewall-content-security

DNS Filtering

When DNS filtering is enabled, the router will filter the DNS requests initiated by the LAN hosts disallow the requests which match the queries which contains the strings and patterns specified in “Filtered DNS” field. To access DNS filtering, please access the web UI of the router then navigate to Firewall → Content Security → DNS Filtering.

Add DNS Filtering

APP Filtering

The user can restrict application(s) from accessing Internet. To restrict applications from accessing internet, please access the web UI of the router then navigate to Firewall → Content Security → APP Filtering and check the boxes of the applications then click “Save”.

Enter the name of the rule along with the description, then choose the application which will be restricted from accessing the Internet. The user can choose the applications from two categories, “Efficiently Identifiable” application and “Others”. The first category can be quickly identifiable from a single network packet, while the second category require multiple packet inspection before the application is identified and blocked.

URL Filtering

The user can restrict accessing to specific URLs by configuring this option. Enter the URL(s) in “Filter URL” field.

Add URL Filtering

Traffic Rules

GWN700x offers the possibility to fully control incoming/outgoing traffic for different protocols in customized scheduled times and take actions for specified rules such as Accept, Reject and Drop.

Traffic Rules settings can be accessed from GWN700x Web GUI → Firewall → Traffic Rules.

Following actions are available to configure Input, output, and forward rules for configured protocols

• To add new rule, Click on  .
• To edit a rule, click on  .
• To delete a rule, click on  .

Inbound Rules

The GWN700x allows to filter incoming traffic to networks group or port WAN and apply rules such as:

• Accept: To allow the traffic to go through.

• Deny: A reply will be sent to the remote side stating that the packet is rejected.

• Drop: The packet will be dropped without any notice to the remote side.

Traffic Rules – Inbound Rules

Outbound Rules

The GWN700x allows to filter outgoing traffic from the local LAN networks to outside networks and apply rules such as:

• Accept: To allow the traffic to go through.

• Deny: A reply will be sent to the remote side stating that the packet is rejected.

• Drop: The packet will be dropped without any notice to the remote side.

Traffic Rules – Outbound Rules

Forwarding Rules

GWN700x offers the possibility to allow traffic between different groups and interfaces.

Advanced NAT

NAT or Network address translation as the name suggests it’s a translation or mapping private or internal addresses to public IP addresses or vice versa, and the GWN routers support both.

• SNAT :  Source NAT refers to the mapping of clients IP address (Private or Internal Addresses) to a public one.
• DNAT : Destination NAT is the reverse process of SNAT where packets will be redirected to a specific internal address.

The Firewall Advanced NAT page provides the ability to set up the configuration for Static and Dynamic NAT.

SNAT

Following actions are available for SNAT.

Click on to add the Port Forward rule.

Click on to edit a Port Forward rule.

Click on to delete a Port Forward rule.

Refer to the below table when creating or editing a SNAT entry:

SNAT page

DNAT

The following actions are available for DNAT:

Click on to add the Port Forward rule.

Click on toedit a Port Forward rule.

Click on todelete a Port Forward rule.

Refer to the below table when creating or editing a DNAT entry:

Advanced NAT – DNAT

ALG

ALG stands for Application Layer Gateway. Its purpose is to prevent some of the problems caused by router firewalls by inspecting VoIP traffic (packets) and if necessary modifying it.

Navigate to  Web GUI → Firewall → ALG to activate ALG.

CAPTIVE PORTAL

Captive Portal feature on GWN700x helps to define a Landing Page (Web page) that will be displayed on Wi-Fi clients’ browsers when attempting to access the Internet. Once connected Wi-Fi clients will be forced to view and interact with that landing page before Internet access is granted.

The Captive Portal feature can be configured from the GWN700x Web page under “Captive Portal”.

Policy

Users can customize a portal policy on this page. Click on “Add” button to add new policy or click on “Edit” to edit previously added one.

The policy configuration page allows for adding multiple captive portal policies which will be applied to SSIDs and contain options for different authentication types.

Policy page

Splash Page

The splash page allows users with an easy-to-configure menu to generate a customized splash page that will be displayed to the users when trying to connect to the Wi-Fi.

On this menu, users can create multiple splash pages and assign each one of them to a separate captive portal policy to enforce the select authentication type.

The generation tool provides an intuitive “WYSIWYG” method to customize a captive portal with a very rich manipulation tool.

To add a splash page, click on “Add” button or click on “Edit” icon to edit previously added one.

Users can set the following:

• Authentication type: Add one or more ways from the supported authentication methods (Simple Password, Radius Server, For Free, Facebook, Twitter, Google and Voucher).
• Set up a picture (company logo) to be displayed on the splash page.
• Customize the layout of the page and background colors.
• Customize the Terms of use text.
• Visualize a preview for both mobile devices and laptops.

Guests

This page displays information about the clients connected via Captive portal including the MAC address, Hostname, Authentication Type, etc.

To export the list of all guests, please click on “Export Guest List” button, then an EXCEL file will be downloaded.

Vouchers

Voucher feature will allow clients to have internet access for a limited duration using a code that is randomly generated from platform controller.

As an example, a coffee shop could offer internet access to customers via Wi-Fi using voucher codes that can be delivered on each command. Once the voucher expires the client can no longer connect to the internet.

Note that multiple users can use a single voucher for connection with expiration duration of the voucher that starts counting after first successful connection from one of the users that are allowed.

Another interesting feature is that the admin can set data bandwidth limitation on each created voucher depending on the current load on the network, users’ profile (VIP customers get more speed than regular ones etc.…) and the internet connection available (fiber, DSL or cable etc.…) to avoid connection congestion and slowness of the service.

Click on “Add” button to create a voucher group.

Please refer to the figure below when filling up the fields.

MAINTENANCE

GWN700x offers multiple tools and options for maintenance and debugging to help further troubleshooting and monitoring the GWN700x resources.

TR-069

It is a protocol for communication between CPE (Customer Premise Equipment) and an ACS (Auto Configuration Server) that provides secure auto-configuration as well as other CPE management functions within a common framework.

TR-069 stands for a “Technical Report” defined by the Broadband Forum that specifies the CWMP “CPE WAN Management Protocol”. It commonly uses HTTP or HTTPS as transport for communication between CPE and the ACS. The message exchange is using SOAP (XML_RPC) for configuration and management of the device.

TR-069 page

SNMP

GWN700x routers support SNMP (Simple Network Management Protocol) which is widely used in network management for network monitoring for collecting information about monitored devices.

To configure SNMP settings, go to GWN700x Web GUI → Maintenance → SNMP, in this page the user can either enable SNMPv1, SNMPv2c, or enable SNMPv3, and enter all the necessary parameters.

To configure SNMPv1 or SNMPv2, please refer to the table below:

SNMP – SNMPv1 or SNMPv2

To configure SNMPv3, please refer to the table below:

SNMP – SNMPv3

Backup and Restore

The GWN700x configuration can be backed up (e.g., when performing a firmware update), the configuration can be uploaded to the router by clicking on “Import” and selecting the back up file. This will load the backed up configuration back into the router quickly.

If the user wish to modify the configuration file before importing, then a GWN Router Configuration Tool can be used to make the necessary modifications to the configuration file. The tool is supported on Windows® and Linux environments. To download the tool: GWN Router Configuration Tool, then download the Windows® or Linux version accordingly.

Please, visit this guide on how to use the GWN Router Configuration Tool User Guide.

If the user wants to reset the device to its initial configuration, he/she can click one “Factory Reset”.

System Diagnostics

Many debugging tools are available on GWN700x’s Web GUI to check the status and troubleshoot GWN700x’s services and networks.

To access these tools navigate to “Web UI → System Settings → System Diagnosis“

Ping/Traceroute

Ping and Traceroute are useful debugging tools to verify reachability with other clients across the network (WAN or LAN). The GWN700x offers both Ping and Traceroute tools for IPv4 and IPv6 protocols.

Core File

When a crash event happens on the unit, it will automatically generate a core dump file that can be used by the engineering team for debugging purposes.

Capture

This section is used to capture packet traces from the GWN700x interfaces (WAN ports and network groups) for troubleshooting purposes or monitoring. It’s even possible to capture based on MAC address or IP Address, once done the user can click on and the file (CAP) will start downloading right away.

External Syslog

GWN700x routers support dumping the Syslog information to a remote server under Web GUI → System Settings → System Diagnosis → External Syslog Tab

Enter the Syslog server Hostname or IP address and select the level for the Syslog information. Nine levels of Syslog are available: None, Emergency, Alert, Critical, Error, Warning, Notice, Information and Debug.

ARP Cache Table

GWN700X router keeps an ARP table record of all the device which have been assigned an IP address from the router. The record will keep the devices information when the device is offline. To access the ARP Cache Table, please navigate to System Diagnostics → ARP Cache Table

Link Tracing Table

Link Tracing Table shows the flow of traffic by displaying the source IP address/Port (the green color) and the reply IP address/port (the blue color), also other information can be displayed like IP Family, Protocol Type, Life Time, Status, Packets/Bytes etc.

Users/Administrators can also delete the flow of certain IP addresses/Ports (Source and Destination) or then click on “Delete” button to clear the link tracing statistic.

Network Diagnostics

Network diagnostics feature allows the user to quickly diagnose the connection link on a specific WAN interface.

PoE Diagnostics

PoE diagnostics page offers an insight about the ports and their components as well as the power used and the temperature. The information provided can be useful when the user encounters an issue with the PoE function of the GWN700X router.

Cloud/Manager Connection Diagnostics

If the GWN700x router is added to the GWN.Cloud or GWN Manager, it will display a Cloud icon with a green check mark (as shown in the figure below) indicating it’s added to either GWN.Cloud or GWN Manager.

In case there is an issue with the connection, then the user can navigate to Maintenance → System Diagnosis → Cloud/Manager Connection Diagnostics and then click on “Detection” or “Redetect” button to see in what stage/step the connection has failed.

Upgrade

Under Maintenance → Upgrade. The user has the option to upgrade the GWN router via manual upload (a bin file) or via network either HTTP/HTTPS or TFTP or even schedule to upgrade in a specific time.

Please refer to the figure below:

Alerts & Notifications

Alerts

Alerts page displays alerts about the network, the user can specify to display only certain types like (System, Performance, Security or Network) or the levels. To check the alerts which have been generated, please navigate to Maintenance → Alerts & Notifications page → Alerts tab.

The alerts can be displayed either by type or levels. However, that is not the only way to display them. The user can filter through the alert log using a date interval or search by MAC address or device name.

Alerts Types

The available types are System, Performance, Security, Network, or the user can choose to display all the types.

Alerts Levels

The user can filter the alert level by the following levels: All Levels, Emergency, Warning or Notice.

Alert Notification Settings

To enable the notifications on the Alerts tab, please click on “Alert Notification Settings” button as shown below:

The figures below show all the possible alerts notifications that the user can enable on the Alerts tab, organized into 4 categories: System Alert, Performance Alert, Security Alert and Network Alert.

Please refer to the figures below:

E-mail Notifications

On this tab, the user can setup the E-mails that will receive the notifications, once the feature is enabled, then the user can fill up the fields according to SMTP parameters. Refer to the figure below:

It’s possible to add more than one receiver E-mail address as shown in the figure above.

• Click on “Minus” icon to delete the receiver E-mail address.
• Click on “Plus” icon to add the receiver E-mail address.

E-mail Notification Settings

To select what notifications will be sent to the receiver E-mail addresses, please click on “E-mail Notification Settings” button as shown below:

The figures below show all the possible E-mail notifications that the user can send to the pre-configured receiver E-mail Addresses, organized into 4 categories: System Alert, Performance Alert, Security Alert and Network Alert.

SYSTEM SETTINGS

Basic Settings

On the this page, the user is able to specify a name for the GWN700x router, and configures basic settings: country/region, time zone, NTP server, Reboot plan and LED Indicator either Always On, Always Off or even based on a schedule.

Manager Server Settings

In the case of GWN manager (on-premise GWN management solution), the user can specify the manager server address and port, there is also the option to allow DHCP option 43 override.

Security Management

Under “Web UI → System Settings → Security Management“ the user can change the login password and activate the web service for example web WAN port access for HTTPS port 443 as well as enabling SSH remote access.

Login Password

On this page, the user can change the password by entering the old password and then confirming the new password.

Web Service

Web Service feature allows the user to access the router’s web GUI from the WAN side. The connection is established over HTTPS for enhanced security. It’s also possible to specify a hostname for the GWN700x router as shown in the figure below:

SSH Service

This feature allows the user to access the device using SSH remotely. Enable this option and click on “SSH Remote Access” button and then enter the SSH remote access password (login password). Once that’s done, SSH access will be provided to remote users when they enter the correct password.

Passwordless Remote Access

Enabling the Passwordless Remote Access feature, accessing the device using GWN.Cloud will not require entering the password to be able to access the web GUI of the router.

Schedule

GWN routers allow the user to create a schedule, either weekly based or an absolute date/time (specific date and an interval), then these schedules can be assigned to various services on GWN routers: Upgrade, SSID, Bandwidth limit, Policy route and reboot.

To create a schedule, navigate to System Settings → Schedule, then click on “Create Schedule” button as shown below:

Certificates

CA Certificates

In this section, the user can create a CA certificate. This certificate will authenticate the user when connected to the VPN server created on the router. This authentication will ensure that no identity is being usurped and that the data exchanged remain confidential. To create a certificate, please access the web GUI of the router and access System Settings → Certificates → CA Certificates then click “Add” and fill in the necessary information.

Add CA Certificate

Certificate

In this section, the user can create a server or a client certificate. To create a certificate please access the web UI of the router, then navigate to System Settings → Certificates → Add Certificate, click “Add”, then enter the necessary information regarding the certificate.

Add Certificate

Certificates Backup and Restore

To backup the created certificates, first select all the desired certificates, then click on “Backup” button and enter a password to protect it as shown below:

To restore a certificate, click on “Restore” button, then upload the file and enter the password.

File Sharing

The GWN routers have a USB port that can be used for file sharing, either using a USB flash drive or a Hard Drive, enabling clients with Windows, Mac or Linux to access files easily on the local network. There is also an option to enable a password for security reasons.

Navigate to System Settings → File Sharing.

CHANGE LOG

This section documents significant changes from previous versions of the GWN700x routers user manuals. Only major new features or major document updates are listed here. Minor updates for corrections or editing are not documented here.

Firmware Version 1.0.5.30

• Added the new feature of Speed test [WAN]

Firmware Version 1.0.5.7

• Removed the DHCP range restriction on Static IP assignment which was added in 1.0.5.6 [Static IP Binding]

Firmware Version 1.0.5.6

• Added new feature of WAN-Bridge Mode and VLAN tag priority [WAN]
• Added new feature of disabling the router ports [Port Configuration]
• Added more services under DHCP option 43 [LAN]
• Added IGMP proxy and IGMP snooping [IGMP]
• Added new feature of IP Routed Subnet [LAN]
• Added Bonjour Gateway [Bonjour Gateway]
• Added Binding Mode and Device Name under Static IP Binding [Static IP Binding]
• Added new feature of transferring GWN APs taken over by GWN router to GWN Cloud/Manager [AP Management]
• Added Client list under Access Point for clients connected currently to the AP [Access Points]
• Added PPSK (Private Pre-Shared Key) feature [PPSK]
• Added SSID Bandwidth limit feature with schedule support [SSIDs]
• Added WireGuard® VPN [WireGuard®]
• Added new feature of exporting clients list [Clients]
• Added clients bandwidth limit feature with schedule support [Clients]
• Added Bandwidth limit feature for both wireless and wired clients [Bandwidth Limit]
• Added more social authentication (Facebook, Twitter and Google) under Captive portal [Splash Page]
• Added Vouchers feature under Captive Portal [Vouchers]
• Added new feature of exporting Guest list [Guests]
• Added support for more alerts [Alerts]
• Added new feature of naming the GWN router [Basic Settings]
• Added new feature of customizing the Hostname [Web Service]
• Added GWN.Cloud/Manager connection status detection [System Diagnostics]
• Added EEE (Energy-Efficient Ethernet) feature [Port Configuration]
• Added the option to display a month-long time period in traffic statistics (only for GWN7003) [Traffic Statistics]
• Added TURN Service feature [TURN Service]

Firmware Version 1.0.3.5

• No major changes.

Firmware Version 1.0.3.4

• Added new feature of TURN server (Beta) [TURN Service]
• Added new feature of 2.5G SFP module support [Port Configuration]
• Added QoS bandwidth statistics feature [QoS]

Firmware Version 1.0.1.6

• This is the initial release.