Settings in 3CR860 and 3CR870
First of all, both devices ship with a very convenient utility, Discovery Application. When started, it finds all 3Com devices connected to the network (of those reviewed in this article) regardless of their IP address. When you select the device you need, the utility sets the IP address of its LAN interface to one in the same subnetwork as the computer from which the utility was started. Thus, to access the web interface of the router, we don't have to painfully try to recollect the default IP address of the device or even to modify our own IP. You just run Discovery Application and get access to the router settings (provided, of course, that you know the password to the web interface).
Now a brief account of the settings in the web interface. It's identical for both devices, but in 3CR860 there is no traffic shaping menu and you cannot set more than two VPN tunnels. And of course the device labels are different.
As usual, the interface has a wizard allowing quick configuration of the router, or you can walk through all the menus on your own. By the way, I want to note how well-engineered this web interface is: all the options are grouped logically. In short, it's very convenient to control the device via the web interface.
Besides, the interface possesses a detailed menu system. The Help button can be found in all main sections of the interface.
In Network Setting you can configure IP addressing and operation modes in WAN...
... and LAN interfaces. The built-in DHCP server is also configured here.
The Advanced Networking section lets you configure NAT modes (you cannot turn NAT off completely). Here you can also configure the static routing table...
... and activate the dynamic routing protocols.
In this section you can also set up the dynamic DNS service support. The list of services is hardcoded and cannot be changed, but it contains a sufficient number of DDNS services.
The next section (Traffic Shaping) is available only in 3CR870 (3Com OfficeConnect VPN Firewall). You can limit the incoming/outgoing traffic completely or partially by certain criteria. Unfortunately the scope of criteria is rather narrow.
The Firewall section, as you can understand from its title, is devoted to the settings of the embedded firewall. The first submenu contains virtual server settings.
The PC Privileges submenu serves to specify firewall rules. Can't find where to specify the rules? Yes, I was also surprised not to find the usual interface for specifying them. The only option allowed is to set a global (single) rule for all local IP addresses and to add rules for a selected IP address, where you can set only the outgoing port. And that's all! No protocol management, no rich features of the SPI firewall. Nothing... However, SPI mode is used in the next submenu, but it has nothing to do with filtering rules.
This subsection lets you configure specific protocols that require several simultaneously open sessions or are sensitive to packet headers being modified by NAT.
The last subsection lets you enable the device's responses to ICMP ping from the Internet side and disable SPI in the firewall.
The Content Filtering section lets you filter access to web sites using URL filters, which can be specified manually or supplied by web content filtering services.
You can also specify the IP addresses of computers that will be subject to filtering or, vice versa, will not be filtered (unlike all the other IP addresses).
In the VPN section you can configure IPSec/PPTP/L2TP modes.
And here is the second difference between 3CR860 and 3CR870: in 3CR860 you cannot specify more than two VPN tunnels.
In case of IPSec you can set the server-server mode (tunnel between the networks) as well as the server-client mode (connecting remote users to the network). For L2TP you can set only the latter mode.
There is a separate subsection for IPSec, which lets you configure a dedicated routing table for each tunnel.
In the next section (System Tools) you can specify the time zone of the router, save/load configurations and update the firmware. The NTP client, which synchronizes the device's clock, cannot be pointed at another NTP server: the device can be synchronized only with a preset list of servers over the Internet.
This menu also contains diagnostic utilities, which let you ping or traceroute a remote host as well as resolve a host name or an IP address.
The last section, as is clear from its title, displays the current status of the router subsystems and is also responsible for viewing and configuring the logging subsystem.
This device can keep detailed logs. You can always specify what is to be logged. The device also logs all network attack attempts.
Here you can see a screenshot of a sample log of establishing an IPSec tunnel. Of course, you cannot enable the "debug" mode, but even this level of logging details can be very helpful :)
Eugene Zaitsev (email@example.com)