AF1210 Sangfor Gateway Configuration
Fig. 1: Sangfor NGAF front panel (NGAF 1210 taken as an example)
1. CONSOLE (control) port; 2. ETH1; 3. ETH2; 4. ETH3; 5. ETH4; 6. ETH5; 7. MANAGE (management) port
On other models the management port may be the ETH0 port; on this model it is the MANAGE port.
The CONSOLE (control) port is intended only for development, testing and debugging. End users access the device through the MANAGE port.
The alarm light stays red while the device is starting. It normally goes out after one or two minutes, which indicates a normal start. If it stays red for a long time, power off the device, wait 5 minutes and restart it. If it is still on after that, contact the customer service department to confirm whether the unit is damaged. After a normal start the red light sometimes flashes; this is normal and means the device is writing the system log.
2.1 Scenario description
The hotel has a 100 Mbps dedicated Internet line, 10 office computers, and 100 guest rooms (100 APs).
(1) Hotel dedicated line information:
IP: 202.158.175.50
Mask: 255.255.255.252
Gateway: 202.158.175.49
DNS1: 211.167.97.67
DNS2: 219.233.241.166
(2) Sangfor interface assignments:
ETH2: 202.158.175.50/30 (external network dedicated line)
ETH1: 10.22.177.0/24 (office network segment)
ETH0: 172.16.0.0/22 (guest room network segment)
(3) Hotel server information:
2.2 Single device wiring mode
Connect the power cord and turn on the power switch.
Connect the laptop to the Sangfor MANAGE (ETH0) port with a network cable; the device is configured from this laptop.
Connect the Sangfor ETH2 port to the Internet access device (optical modem/ONT, fiber optic transceiver, etc.) with a network cable.
Set the laptop to the fixed IP address 10.251.251.251 with mask 255.255.255.0; leave the other settings unchanged.
2.3 Log in to the device
The AF is managed over HTTPS on the standard port. The initial login is made through the MANAGE (ETH0) port.
Login URL: https://10.251.251.251
Default account: admin, password: admin. Change the default password after the first login.
3. Configuration and management
3.1 Interface configuration
[Navigation Menu] → "Network Configuration" → "Interface/Area" → "Physical Interface"
Start configuration > click the ETH2 port; the interface is as follows:
Check Enable, enter "external network" as the description, select routing mode as the type, and use the drop-down button to select the wan area as the area it belongs to. If there is no wan area yet, click New Area. The operation interface is as follows:
Check "WAN port" and check "Allow PING".
Select static IP and enter the external network IP address and subnet mask in the static IP address field.
Enter the external network gateway address as the next hop gateway address.
Click the ETH1 port; the interface is as follows:
Proceed as shown in the figure above, but do not check "WAN port" and leave the next hop gateway blank.
Click the ETH0 port; the interface is as follows:
The operation is the same as for the ETH1 port. Note that the default management IP 10.251.251.251 of ETH0 in the static IP address field cannot be deleted; if you delete it and save, an error is reported. Simply add the intranet IP alongside it.
3.2 Address translation
[Navigation Menu] → "Firewall" → "Address Translation" page
Click Add and select source address translation; the following interface appears:
Check Enable, enter a name for the rule (e.g. Internet access), select dmz and lan as the source areas, and select All for the IP group.
Select wan as the destination area and All for the IP group. The source address is translated to the address of the selected outgoing interface.
3.3 Add routing
[Navigation Menu] → "Network Configuration" → "Routing" page
Click Add and select single static route; the interface is as follows:
Destination address 0.0.0.0, subnet mask 0.0.0.0, next hop IP address = the external network gateway address, interface = the external network port ETH2.
3.4 DNS configuration
[Navigation Menu] → "Network Configuration" → "Advanced Network Configuration" → "DNS" page. Enter the external network DNS servers; the interface is as follows:
3.5 DHCP configuration
[Navigation Menu] → "Network Configuration" → "Advanced Network Configuration" → "DHCP"
Select the interface that needs to be configured with DHCP in the [DHCP Service Interface List].
[Click] ETH0 port
Lease period (minutes): 240
Gateway: 172.16.0.1
Subnet mask: 255.255.252.0
Preferred DNS: 211.167.97.67
Alternate DNS: 219.233.241.166
DHCP IP address range: 172.16.0.40-172.16.3.254
[Click] Submit
[Click] ETH1
Lease period (minutes): 240
Gateway: 10.22.177.1
Subnet mask: 255.255.255.0
Preferred DNS: 211.167.97.67
Alternate DNS: 219.233.241.166
DHCP IP address range: 10.22.177.40-10.22.177.100
[Click] Submit
3.6 Set the policy
[Navigation Menu] → "Content Security" → "Application Control Policy" page
[Click] Add
[Check] Enable
Rule name: permit_any (allow all)
Source:
Network objects: all
Area: select all of dmz, lan, wan
Port: select all
Destination:
Network objects: all
Area: select all of dmz, lan, wan
Service/Application:
Check Application and select all.
Effective time: all day
Action: Allow
Click OK.
Create the policy that denies guest rooms access to the office network. Make sure this rule is ordered above permit_any; in a first-match policy list the allow-all rule would otherwise match first and the deny rule would never take effect.
[Click] add
[Check] Enable
Rule name: lan2dmz
Source:
Network objects: all
Area: lan
Port: all
Destination:
Network objects: all
Area: dmz
Service/Application:
Check Application and select all.
Effective time: all day
Action: Reject
Click OK.
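A small first-match model of the two application-control rules above, added here as an example (not code from the Sangfor guide). It assumes, as with most firewall policy lists, that rules are evaluated top-down and the first match wins; the implicit default action and the rule dict layout are constructed for the example.

```python
# Added example, not part of the Sangfor guide: first-match evaluation of the
# permit_any and lan2dmz rules, showing why lan2dmz must sit above permit_any.
# Assumption (verify on your NGAF): the policy list is evaluated top-down and the
# first matching rule wins. The implicit default below is constructed for the demo.
ANY = {"dmz", "lan", "wan"}

# Rules as the guide defines them: permit_any allows everything; lan2dmz rejects
# traffic from area lan (guest rooms) to area dmz (office).
PERMIT_ANY = {"name": "permit_any", "src": ANY, "dst": ANY, "action": "allow"}
LAN2DMZ = {"name": "lan2dmz", "src": {"lan"}, "dst": {"dmz"}, "action": "reject"}


def evaluate(rules, src_area, dst_area):
    """Return (rule name, action) of the first rule matching the flow, or the
    constructed implicit default ('implicit', 'deny') if nothing matches."""
    for rule in rules:
        if src_area in rule["src"] and dst_area in rule["dst"]:
            return rule["name"], rule["action"]
    return "implicit", "deny"


def matrix(rules):
    """Evaluate every area-to-area flow and return {(src, dst): action}."""
    return {(s, d): evaluate(rules, s, d)[1] for s in ANY for d in ANY if s != d}


if __name__ == "__main__":
    # Same two rules, two orders: only the second order actually blocks lan -> dmz.
    for order in ([PERMIT_ANY, LAN2DMZ], [LAN2DMZ, PERMIT_ANY]):
        names = " > ".join(r["name"] for r in order)
        print(f"{names}: lan -> dmz ->", evaluate(order, "lan", "dmz"))
```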
3.7 Set up groups/users (new work group and room group)
[Navigation Menu] → "Authentication System" → "User Management" → "Group/User" page
Member Management >
[Click] New>Group
List of group names: working group
[Click] Submit
[Click] Enter "Authentication System" → "User Authentication" → "Authentication Strategy" page
Check "Enable user authentication".
[Click] New>Group
Name: Working Group
Policy applicable IP/MAC range: 10.22.177.1-10.22.177.254
Authentication method: no authentication/single sign-on [click]
New user option: add to the specified local workgroup
Select group: [click] work group
[Click] Submit
[Click] New>Group
Name: Room Group
Policy applicable IP/MAC range: 172.16.0.2-172.16.3.254
Authentication method: no authentication/single sign-on [click]
New user option (a new user is an account that does not exist locally): add to the designated local workgroup
Select group: [click] room group
[Click] Submit
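Before typing the addressing plan into the web UI it is worth checking that the interface, default-route, DHCP and authentication-policy values above agree with each other. The script below is an added example, not part of the Sangfor guide; it assumes each LAN interface carries the address the guide hands out as the DHCP gateway (the .1 address), and the dict layout is my own.

```python
# Added example, not part of the Sangfor guide: sanity-check the addressing plan
# (interfaces, default route, DHCP scopes, authentication-policy IP ranges).
import ipaddress

# Values copied from the guide. Assumption: each LAN interface uses the address
# the guide configures as the DHCP gateway; the dict layout is constructed here.
PLAN = {
    "eth2": {"iface": "202.158.175.50/30", "next_hop": "202.158.175.49"},
    "eth1": {"iface": "10.22.177.1/24", "gw": "10.22.177.1",
             "dhcp": ("10.22.177.40", "10.22.177.100")},
    "eth0": {"iface": "172.16.0.1/22", "gw": "172.16.0.1",
             "dhcp": ("172.16.0.40", "172.16.3.254")},
}
# "Policy applicable IP range" of each authentication policy in the guide.
AUTH_RANGES = {"working group": ("10.22.177.1", "10.22.177.254"),
               "room group": ("172.16.0.2", "172.16.3.254")}


def check_plan(plan, auth_ranges):
    """Return a list of problems found; an empty list means the plan is consistent."""
    ip = ipaddress.ip_address
    problems = []
    wan = ipaddress.ip_interface(plan["eth2"]["iface"])
    if ip(plan["eth2"]["next_hop"]) not in wan.network:
        problems.append("eth2: default-route next hop is outside the WAN subnet")
    lans = []  # (name, network) of every interface that serves DHCP
    for name, cfg in plan.items():
        if "dhcp" not in cfg:
            continue
        iface = ipaddress.ip_interface(cfg["iface"])
        net, gw = iface.network, ip(cfg["gw"])
        lo, hi = ip(cfg["dhcp"][0]), ip(cfg["dhcp"][1])
        lans.append((name, net))
        if gw != iface.ip:
            problems.append(f"{name}: DHCP gateway {gw} is not the interface address")
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"{name}: DHCP range {lo}-{hi} is not inside {net}")
            continue
        if lo <= gw <= hi or hi == net.broadcast_address:
            problems.append(f"{name}: DHCP range overlaps the gateway or broadcast address")
        # Every address DHCP can hand out must fall inside some authentication
        # policy range, otherwise those clients match neither group's policy.
        if not any(ip(a) <= lo and hi <= ip(b) for a, b in auth_ranges.values()):
            problems.append(f"{name}: no authentication policy range covers {lo}-{hi}")
    for i, (n1, net1) in enumerate(lans):
        for n2, net2 in lans[i + 1:]:
            if net1.overlaps(net2):
                problems.append(f"{n1} and {n2}: subnets {net1} and {net2} overlap")
    return problems
```

With the guide's values check_plan(PLAN, AUTH_RANGES) returns an empty list; shrink a policy range or move a DHCP scope out of its subnet and the corresponding problem is reported.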
3.8 Speed limit
[Navigation Menu] → "Traffic Management" page
[Click] Virtual line configuration
[Click] Route 1
Outgoing interface: select eth2
Uplink 100 Mbps, Downlink 100 Mbps
[Click] Submit
[Navigation Menu] → "Traffic Management" page
[Click] Virtual line configuration
[Click] Virtual Line Rules
Click Add
Leave everything at the default and click Submit. \\ If no virtual line rule is enabled, the virtual line bandwidth configuration cannot take effect.
[Navigation Menu] → "Traffic Management" → "Channel Configuration" page
Enable traffic management system [check] > Add channel > Enable channel [check] > Bandwidth allocation
Channel name: working group
[Click] Bandwidth channel setting
Effective line: line 1
Guaranteed channel [click to select]
Uplink bandwidth: Guarantee 10% 10 Mbps \\ Guarantees the office group about 10 Mbps uplink.
Maximum 10% 10 Mbps
Downlink bandwidth: Guarantee 10% 10 Mbps \\ Guarantees the office group about 10 Mbps downlink.
Maximum 10% 10 Mbps
Priority: high
[Click] Channel use range
Applicable applications: all applications
Applicable objects: User[click]>Workgroup[check]
[Click] OK
Bandwidth Allocation>New Channel>
Enable channel [check]
Channel name: Guest room group
[Click] Bandwidth channel setting
Effective line: line 1
Restricted channel [click to select]
Uplink bandwidth: up to 90% 90 Mbps
Downlink bandwidth: up to 90% 90 Mbps
Priority: Medium
Enable "Limit maximum bandwidth per IP" [check]
Uplink: 5 Mbps \\ Set a reasonable per-IP limit based on the hotel's external bandwidth and the number of rooms.
Downlink: 5 Mbps \\ Set a reasonable per-IP limit based on the hotel's external bandwidth and the number of rooms.
[Click] Channel use range
Applicable applications: all applications
Applicable objects: user [click]>room group[check]
[Click] OK
Finally, remove the other channel configurations and keep only the working group, guest room group, and default channels.
(If the total bandwidth is larger, the values can be adjusted accordingly.)
4. Configuration complete
The configuration is complete: the ETH2 port is connected to the external network, the ETH1 port to the office switch, and the ETH0 port to the guest room wireless switch.