The LANCOM operating system LCOS is a collection of different software modules, and the LANCOM devices themselves have different interfaces to the WAN and LAN. Depending on the particular application, data packets flow through different modules on their way from one interface to another.
The following block diagram shows, in abstract form, the general arrangement of LANCOM interfaces and LCOS modules. Throughout this reference manual, the descriptions of the individual functions refer to this illustration to show the important connections for each application and to derive the resulting consequences.
The diagram can thus explain for which data streams the firewall comes into play or, in the case of address translation (IP masquerading or N:N mapping), which addresses are valid at which point.
Notes regarding the respective modules and interfaces:
- The IP router takes care of routing data on IP connections between the LAN and WAN interfaces.
- With IP redirect, requests in the LAN are redirected to a specific computer.
- The firewall (with the services “Intrusion Detection”, “Denial of Service” and “Quality of Service”) encloses the IP router like a shield. All connections via the IP router automatically flow through the firewall as well.
- LANCOM devices provide either a separate LAN interface or an integrated switch with multiple LAN interfaces as interfaces to the LAN.
- LANCOM Router access points or LANCOM routers with wireless modules additionally offer one or, depending on the model, two wireless interfaces for connecting wireless LANs. Depending on the model, each wireless interface can provide up to eight different wireless networks (“multi SSID”).
- On some models, a DMZ interface enables a ‘demilitarized zone’ (DMZ), which is also physically separated from the other LAN interfaces within the LAN bridge.
- The LAN bridge provides a protocol filter that can block specific protocols on the LAN. Additionally, individual LAN interfaces can be separated from one another by the “isolated mode”. Using the VLAN functions, virtual LANs can be set up in the LAN bridge, which allow several logical networks to operate on the same physical cabling.
- Applications can communicate with different IP modules (NetBIOS, DNS, DHCP server, RADIUS, RIP, NTP, SNMP, SYSLOG, SMTP) either via the IP router, or directly via the LAN bridge.
- The functions “IP masquerading” and “N:N mapping” provide suitable IP address translations between private and public IP ranges, or between multiple private networks.
- Given appropriate authorization, direct access to the configuration and management services of the devices (WEBconfig, Telnet, TFTP) is available from the LAN and also from the WAN side. These services are protected by filters and login barring, but do not require any processing by the firewall. Nevertheless, direct access from WAN to LAN (or vice versa) using the internal services as a bypass for the firewall is not possible.
- On the WAN side, the IPX router and the LANCAPI access only the ISDN interface. Both modules are independent of the firewall, which controls only data traffic through the IP router.
- The VPN services (including PPTP) enable data encryption over the Internet and thereby enable virtual private networks over public data connections.
- Depending on the specific model, xDSL/Cable, ADSL or ISDN are available as WAN interfaces.
- The DSLoL interface (DSL over LAN) is not a physical WAN interface but rather a “virtual WAN interface”. With appropriate LCOS settings, a LAN interface can be used on some models as an additional xDSL/Cable interface.