Netgear Incorporated FVM318 Wireless Router User Manual FVM318



User's manual, 1 of 2

NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
Phone 1-888-NETGEAR

Reference Manual for the Model FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall

SM-FVM318NA-0
October 2002

FVM318.book  Page i  Wednesday, September 18, 2002  5:20 PM
FEDERAL COMMUNICATIONS COMMISSION INTERFERENCE STATEMENT

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
-- Reorient or relocate the receiving antenna.
-- Increase the separation between the equipment and receiver.
-- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
-- Consult the dealer or an experienced radio/TV technician for help.

CAUTION: Any changes or modifications not expressly approved by the grantee of this device could void the user's authority to operate the equipment.

FCC RF Radiation Exposure Statement

This equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20cm between the radiator and your body.
© 2002 by NETGEAR, Inc. All rights reserved.

Trademarks

NETGEAR and Auto Uplink are trademarks or registered trademarks of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.

NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
EN 55 022 Declaration of Conformance

This is to certify that the FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22).
Certificate of the Manufacturer/Importer

It is hereby certified that the FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.

The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.

Voluntary Control Council for Interference (VCCI) Statement

This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.

When used near a radio or TV receiver, it may become the cause of radio interference.
Read instructions for correct handling.

Technical Support

Refer to the Support Information Card that shipped with your FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall.

World Wide Web

NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.
Contents

Preface  About This Manual
  Audience ... 1-xiii
  Typographical Conventions ... 1-xiii
  Special Message Formats ... 1-xiv
  Technical Support ... 1-xiv

Chapter 1  Introduction
  About the FVM318 ... 1-1
  Key Features ... 1-1
    A Powerful, True Firewall ... 1-1
    Content Filtering ... 1-2
    Configurable Auto Uplink™ Ethernet Connection ... 1-2
    Protocol Support ... 1-2
    Easy Installation and Management ... 1-3
  What’s in the Box? ... 1-5
    The Firewall’s Front Panel ... 1-5
    The Firewall’s Rear Panel ... 1-6

Chapter 2  Connecting the Firewall to the Internet
  What You Will Need Before You Begin ... 2-1
    LAN Hardware Requirements ... 2-1
      Computer Requirements ... 2-1
      Cable or DSL Modem Requirement ... 2-1
    LAN Configuration Requirements ... 2-2
    Internet Configuration Requirements ... 2-2
      Where Do I Get the Internet Configuration Parameters? ... 2-2
  Connecting the FVM318 firewall to Your LAN ... 2-4
  Connecting the FVM318 firewall to the Internet ... 2-8
    Using the Smart Wizard to Auto-Detect Your Internet Connection Type ... 2-8
    Manually Configuring Your Internet Connection ... 2-14
  Configuring Wireless Connectivity ... 2-17
  Testing Your Internet Connection ... 2-21

Chapter 3  Protecting Your Network
  Protecting Access to Your FVM318 firewall ... 3-1
  Configuring Basic Firewall Services ... 3-3
    Blocking Functions, Keywords, Sites, and Services ... 3-3
      Block Services ... 3-5
  Setting Times and Scheduling Firewall Services ... 3-7

Chapter 4  Virtual Private Networking
  Network to Network and Remote Computer to Network VPNs ... 4-1
  Planning a VPN ... 4-2
    VPN Configuration Choices ... 4-2
    Sample Network to Network VPN Tunnel Configuration Worksheet ... 4-3
    Using the VPN Connection ... 4-11
  Configuring a Remote PC to Network VPN ... 4-12
    Sample PC to Network VPN Tunnel Configuration Worksheet ... 4-12
    Check the VPN Connection ... 4-21
    Monitoring the PC to Network VPN Connection Using SafeNet Tools ... 4-22
    Deleting a Security Association ... 4-23
  Manual Keying ... 4-24
  Blank VPN Tunnel Configuration Worksheets ... 4-26

Chapter 5  Managing Your Network
  Network Management Information ... 5-1
    Viewing Router Status and Usage Statistics ... 5-1
    Viewing Attached Devices ... 5-4
    Viewing, Selecting, and Saving Logged Information ... 5-5
      Selecting What Information to Log ... 5-6
      Saving Log Files on a Server ... 5-7
    Examples of log messages ... 5-7
      Activation and Administration ... 5-7
      Dropped Packets ... 5-7
  Enabling Security Event E-mail Notification ... 5-8
  Backing Up, Restoring, or Erasing Your Settings ... 5-9
  Running Diagnostic Utilities and Rebooting the Router ... 5-12
  Enabling Remote Management ... 5-13
  Upgrading the Router’s Firmware ... 5-14

Chapter 6  Wireless Configuration
  Considerations For A Wireless Network ... 6-1
    Security ... 6-1
    Placement and Range ... 6-1
  Wireless Settings ... 6-2
    Wireless Network Settings ... 6-3
    Using the Wireless Card Access List to Restrict Wireless Access by MAC Address ... 6-4
    Configuring Wired Equivalent Privacy (WEP) ... 6-5

Chapter 7  Advanced Configuration
  Configuring Advanced Security ... 7-1
    Setting Up A Default DMZ Server ... 7-1
    Respond to Ping on Internet WAN Port ... 7-2
  Configuring LAN IP Settings ... 7-2
    LAN TCP/IP Setup ... 7-2
    MTU Size ... 7-3
    DHCP ... 7-4
      Use router as DHCP server ... 7-4
      Reserved IP addresses ... 7-5
    Configuring Dynamic DNS ... 7-6
  Using Static Routes ... 7-8
    Static Route Example ... 7-8

Chapter 8  Troubleshooting
  Basic Functions ... 8-1
    Power LED Not On ... 8-2
    Test LED Never Turns On or Test LED Stays On ... 8-2
    Local or Internet Port Link LEDs Not On ... 8-2
  Troubleshooting the Web Configuration Interface ... 8-4
  Troubleshooting the ISP Connection ... 8-5
  Troubleshooting a TCP/IP Network Using a Ping Utility ... 8-6
    Testing the LAN Path to Your Firewall ... 8-6
    Testing the Path from Your PC to a Remote Device ... 8-7
  Restoring the Default Configuration and Password ... 8-8
    Using the Default Reset button ... 8-8
  Problems with Date and Time ... 8-9

Appendix A  Technical Specifications

Appendix B  Network, Routing, Firewall, and Wireless Basics
  Related Publications ... B-1
  Basic Router Concepts ... B-1
    What is a Router? ... B-2
    Routing Information Protocol ... B-2
    IP Addresses and the Internet ... B-2
    Netmask ... B-4
    Subnet Addressing ... B-5
    Private IP Addresses ... B-7
    Single IP Address Operation Using NAT ... B-8
    MAC Addresses and Address Resolution Protocol ... B-9
    Related Documents ... B-9
    Domain Name Server ... B-10
    IP Configuration by DHCP ... B-10
  Ethernet Cabling ... B-11
    Uplink Switches and Crossover Cables ... B-11
    Cable Quality ... B-12
  Internet Security and Firewalls ... B-12
    What is a Firewall? ... B-12
    Stateful Packet Inspection ... B-13
    Denial of Service Attack ... B-13
  Wireless Networking ... B-13
    Wireless Network Configuration ... B-13
      Ad-hoc Mode (Peer-to-Peer Workgroup) ... B-14
      Infrastructure Mode ... B-14
    Extended Service Set Identification (ESSID) ... B-14
    Authentication and WEP Encryption ... B-15
    Wireless Channel Selection ... B-15
  Ethernet Cabling ... B-17
    Uplink Switches, Crossover Cables, and MDI/MDIX Switching ... B-17
    Cable Quality ... B-18

Appendix C  Preparing Your Network
  Preparing Your Computers for TCP/IP Networking ... C-1
    Configuring Windows 95, 98, and ME for TCP/IP Networking ... C-2
      Install or Verify Windows Networking Components ... C-2
      Enabling DHCP to Automatically Configure TCP/IP Settings ... C-4
      Selecting Windows’ Internet Access Method ... C-4
      Verifying TCP/IP Properties ... C-5
    Configuring Windows NT, 2000 or XP for IP Networking ... C-5
      Install or Verify Windows Networking Components ... C-5
      Verifying TCP/IP Properties ... C-6
    Configuring the Macintosh for TCP/IP Networking ... C-6
      MacOS 8.6 or 9.x ... C-6
      MacOS X ... C-7
      Verifying TCP/IP Properties for Macintosh Computers ... C-8
  Verifying the Readiness of Your Internet Account ... C-9
    Are Login Protocols Used? ... C-9
    What Is Your Configuration Information? ... C-9
      Obtaining ISP Configuration Information for Windows Computers ... C-10
      Obtaining ISP Configuration Information for Macintosh Computers ... C-11
  Restarting the Network ... C-12

Glossary

Index
List of Procedures

Procedure 2-1: Record Your Internet Connection Information ... 2-3
Procedure 2-2: Connecting the Firewall to Your LAN ... 2-4
Procedure 2-3: Auto-Detecting Your Internet Connection Type ... 2-9
Procedure 2-4: Wizard-Detected Login Account Setup ... 2-10
Procedure 2-5: Wizard-Detected Dynamic IP Account Setup ... 2-11
Procedure 2-6: Wizard-Detected Fixed IP (Static) Account Setup ... 2-13
Procedure 2-7: Manual Configuration ... 2-14
Procedure 2-8: Serial Port Internet Connection Configuration ... 2-17
Procedure 3-1: Changing the Built-In Password ... 3-2
Procedure 3-1: Changing the Administrator Login Timeout ... 3-3
Procedure 3-2: Block Functions, Keywords, and Sites ... 3-4
Procedure 3-3: Block Services ... 3-6
Procedure 3-4: Setting Your Time Zone ... 3-7
Procedure 3-5: Scheduling Firewall Services ... 3-9
Procedure 4-1: Configuring a Network to Network VPN Tunnel ... 4-4
Procedure 4-2: Check the VPN Connection ... 4-11
Procedure 4-3: Configuring a Remote PC to Network VPN ... 4-13
Procedure 4-4: Using Manual Keying as an Alternative to IKE ... 4-24
Procedure 5-5: Backup the Configuration to a File ... 5-9
Procedure 5-6: Restore a Configuration from a File ... 5-11
Procedure 5-7: Erase the Configuration ... 5-11
Procedure 5-8: Configure Remote Management ... 5-13
Procedure 5-1: Router Upgrade ... 5-14
Procedure 7-1: Configure LAN TCP/IP Setup ... 7-6
Procedure 7-2: Configure Dynamic DNS ... 7-7
Procedure 7-3: Configuring Static Routes ... 7-9
Preface
About This Manual

Thank you for purchasing the NETGEAR™ FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall. This manual describes the features of the firewall and provides installation and configuration instructions.

Audience

This reference manual assumes that the reader has intermediate to advanced computer and Internet skills. However, tutorial information on basic computer networking, Internet, firewall, and VPN technologies is provided in the Appendices.

Typographical Conventions

This guide uses the following typographical conventions:

italics        Book titles and UNIX file, command, and directory names.
courier font   Screen text, user-typed command-line entries.
Initial Caps   Menu titles and window and button names.
[Enter]        Named keys in text are shown enclosed in square brackets. The notation [Enter] is used for the Enter key and the Return key.
[Ctrl]+C       Two or more keys that must be pressed simultaneously are shown in text linked with a plus (+) sign.
ALL CAPS       DOS file and directory names.
Special Message Formats

This guide uses the following formats to highlight special messages:

Note: This format is used to highlight information of importance or special interest.
Procedure: This format is used to let you know that you are following a sequence of steps required to complete a task.
Warning: This format is used to highlight information about the possibility of injury or equipment damage.
Danger: This format is used to alert you that there is the potential for incurring an electrical shock if you mishandle the equipment.

Technical Support

For help with any technical issues, contact Customer Support at 1-888-NETGEAR, or visit us on the Web at www.NETGEAR.com. The NETGEAR Web site includes an extensive knowledge base, answers to frequently asked questions, and a means for submitting technical questions online.
Chapter 1
Introduction

This chapter describes the features of the NETGEAR FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall.

About the FVM318

The FVM318 is a complete security solution that protects your network from attacks and intrusions. Unlike simple Internet sharing routers that rely on Network Address Translation (NAT) for security, the FVM318 uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection. The 8-port FVM318 with auto fail-over connectivity through the serial port provides highly reliable Internet access for up to 253 users.

Key Features

The FVM318 offers the following features.

A Powerful, True Firewall

Unlike simple Internet sharing NAT routers, the FVM318 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
• Denial of Service (DoS) protection. Automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations or services that you specify as off-limits.
• Logs security incidents. The FVM318 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.

Content Filtering

With its content filtering feature, the FVM318 prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.

Configurable Auto Uplink™ Ethernet Connection

With its internal 8-port 10/100 switch, the FVM318 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the local LAN and the Internet WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The firewall incorporates Auto Uplink™ technology. Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection, such as to a PC, or an ‘uplink’ connection, such as to a switch or hub. That port will then configure itself accordingly. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.

Protocol Support

The FVM318 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP).
Appendix B, “Network, Routing, Firewall, and Wireless Basics” provides further information on TCP/IP.
• IP Address Sharing by NAT. The FVM318 allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as Network Address Translation (NAT), allows the use of an inexpensive single-user ISP account.
• Automatic Configuration of Attached PCs by DHCP. The FVM318 dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
• DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE). PPP over Ethernet is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.
• PPTP login support for European ISPs, BigPond login for Telstra cable in Australia.
• Dynamic DNS. Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The firewall contains a client that can connect to many popular Dynamic DNS services to register your dynamic IP address.

Easy Installation and Management

You can install, configure, and operate the FVM318 within minutes after connecting it to the network. The following features simplify installation and management tasks:
• Browser-based management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux.
  A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.

• Smart Wizard
  The firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.

• Auto fail-over connectivity through an analog or ISDN modem connected to the serial port
  If the cable or DSL modem Internet connection fails, after waiting for an amount of time you specify, the FVM318 can automatically establish a backup ISDN or dial-up Internet connection via the serial port on the firewall.
• Remote management
  The firewall allows you to log in to the Web Management Interface from a remote location via the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.

• Remote Access Server connectivity via the serial port

• Diagnostic functions
  The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot. These functions allow you to test Internet connectivity and reboot the firewall. You can use these diagnostic functions directly from the FVM318 when you are connected to the LAN or when you are connected over the Internet via the remote management function.

• Visual monitoring
  The firewall’s front panel LEDs provide an easy way to monitor its status and activity.

• Flash EPROM for firmware upgrade

• Regional support, including ISPs like Telstra DSL and BigPond or Deutsche Telekom.
What’s in the Box?

The product package should contain the following items:

• FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall
• AC power adapter
• Category 5 (CAT5) Ethernet cable
• FVM318 Resource CD, including:
  — This manual
  — Application Notes, Tools, and other helpful information
• Warranty and registration card
• Support information card

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

The Firewall’s Front Panel

The front panel of the FVM318 (Figure 1-1) contains status LEDs.

Figure 1-1: FVM318 Front Panel

You can use some of the LEDs to verify connections. Table 1-1 lists and describes each LED on the front panel of the firewall.
Table 1-1: LED Descriptions

Label                          Activity      Description
POWER                          On            Power is supplied to the firewall.
TEST                           On            The system is initializing.
                               Off           The system is ready and running.
MODEM                          On/Blinking   The port detected a link with the Internet WAN connection or Remote Access Server. Blinking indicates data transmission.
INTERNET 100                   On/Blinking   The Internet port is operating at 100 Mbps.
INTERNET LINK/ACT (Activity)   On/Blinking   The port detected a link with the Internet WAN connection and is operating at 10 Mbps. Blinking indicates data transmission.
LOCAL 100                      On/Blinking   The Local port is operating at 100 Mbps.
LOCAL LINK/ACT (Link/Activity) On/Blinking   The Local port has detected a link with a LAN connection and is operating at 10 Mbps. Blinking indicates data transmission.

These LEDs are green when lit, except for the TEST LED, which is amber.

The Firewall’s Rear Panel

The rear panel of the FVM318 (Figure 1-2) contains the connections identified below.

Figure 1-2: FVM318 Rear Panel

Viewed from left to right, the rear panel contains the following elements:

• DB-9 serial port for modem connection
• Factory Default Reset push button
• Eight Local Ethernet RJ-45 ports for connecting the firewall to the local computers
• Internet WAN Ethernet RJ-45 port for connecting the firewall to a cable or DSL modem
• AC power adapter input
Chapter 2
Connecting the Firewall to the Internet

This chapter describes how to set up the firewall on your Local Area Network (LAN), connect to the Internet, perform basic configuration of your FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall using the Setup Wizard, or how to manually configure your Internet connection.

What You Will Need Before You Begin

You need to prepare these three things before you can connect your firewall to the Internet:

1. A computer properly connected to the firewall as explained below.
2. Active Internet service such as that provided by a DSL or Cable modem account.
3. The Internet Service Provider (ISP) configuration information for your DSL or Cable modem account.

LAN Hardware Requirements

The FVM318 firewall connects to your LAN via twisted-pair Ethernet cables.

Computer Requirements

To use the FVM318 firewall on your network, each computer must have an installed Ethernet Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your firewall.

Cable or DSL Modem Requirement

The cable modem or DSL modem must provide a standard 10 Mbps 10BASE-T or 100 Mbps 100BASE-T Ethernet interface.
LAN Configuration Requirements

For the initial connection to the Internet and configuration of your firewall, you will need to connect a computer to the firewall which is set to automatically get its TCP/IP configuration from the firewall via DHCP.

Note: Please refer to Appendix C, "Preparing Your Network" for assistance with DHCP configuration.

Internet Configuration Requirements

Depending on how your ISP set up your Internet account, you will need one or more of these configuration parameters to connect your firewall to the Internet:

• Host and Domain Names
• ISP Login Name and Password
• ISP Domain Name Server (DNS) Addresses
• Fixed or Static IP Address

Where Do I Get the Internet Configuration Parameters?

There are several ways you can gather the required Internet connection information.

• Your ISP should have provided you with all the information needed to connect to the Internet.
  If you cannot locate this information, you can ask your ISP to provide it or you can try one of the options below.
• If you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer.
  • For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the Ethernet adapter, and click Properties.
  • For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties.
  • For Macintosh computers, open the TCP/IP or Network control panel.
• You may also refer to the FR328S Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs.

Once you locate your Internet configuration parameters, you may want to record them on the page below according to the instructions in “Record Your Internet Connection Information” on page 2-3.
Procedure 2-1:  Record Your Internet Connection Information

1. Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).

ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs. If you connect using a login name and password, then fill in the following:

Login Name: ______________________________ Password: ____________________________
Service Name: _____________________________

Fixed or Static IP Address: If you have a static IP address, record the following information. For example, 169.254.141.148 could be a valid IP address.

Fixed or Static Internet IP Address: ______ . ______ . ______ . ______
Subnet Mask: ______ . ______ . ______ . ______
Gateway IP Address: ______ . ______ . ______ . ______

ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following:

Primary DNS Server IP Address: ______ . ______ . ______ . ______
Secondary DNS Server IP Address: ______ . ______ . ______ . ______

Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or home. If you haven’t been given host or domain names, you can use the following examples as a guide:

• If your main e-mail account with your ISP is aaa@yyy.com, then use aaa as your host name. Your ISP might call this your account, user, host, computer, or system name.
• If your ISP’s mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name.

ISP Host Name: _________________________ ISP Domain Name: _______________________

For Serial Port Internet Access: If you use a dial-up account, record the following:

Account/User Name: _________________________ Password: _________________________
Telephone number: ______________________ Alternative number: ______________________
Connecting the FVM318 firewall to Your LAN

This section provides instructions for connecting the FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall to your Local Area Network (LAN).

Note: The Resource CD included with your firewall contains an animated Installation Assistant to help you through this procedure.

Procedure 2-2:  Connecting the Firewall to Your LAN

There are three steps to connecting your firewall:

1. Connect the firewall to your network
2. Log in to the firewall
3. Connect to the Internet

Follow the steps below to connect your firewall to your network. You can also refer to the Resource CD included with your firewall which contains an animated Installation Assistant to help you through this procedure.

1. Connect the Firewall

a. Turn off your computer and Cable or DSL Modem.
b. Disconnect the Ethernet cable (A) from your computer which connects to your Cable or DSL modem.

Figure 2-1: Disconnect the Cable or DSL Modem

c. Connect the Ethernet cable (A) from your Cable or DSL modem to the FR328S’s Internet port.

Figure 2-2: Connect the Cable or DSL Modem to the firewall
d. Connect the Ethernet cable (B) which came with the firewall from a Local port on the router to your computer.

Figure 2-3: Connect the computers on your network to the firewall

Note: The FVM318 firewall incorporates Auto Uplink™ technology. Each LAN Ethernet port will automatically sense whether the cable plugged into the port should have a 'normal' connection (e.g. connecting to a PC) or an 'uplink' connection (e.g. connecting to a switch or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.

e. Turn on the Cable or DSL modem and wait about 30 seconds for the lights to stop blinking.

2. Log in to the Firewall

Note: To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. Please refer to Appendix C, "Preparing Your Network" for instructions on how to do this.

a. Turn on the firewall and wait for the Test light to stop blinking.

b. Now, turn on your computer.

Note: If you usually run software to log in to your Internet connection, do not run that software.
Now that the Cable or DSL Modem, firewall, and the computer are turned on, verify the following:

• When the firewall was first turned on, the PWR light went on, the TEST light turned on within a few seconds, and then went off after approximately 10 seconds.
• The firewall’s LOCAL LINK/ACT lights are lit for any computers that are connected to it.
• The firewall’s INTERNET LINK light is lit, indicating a link has been established to the cable or DSL modem.

c. Next, use a browser like Internet Explorer or Netscape to log in to the firewall at its default address of http://192.168.0.1.

Figure 2-4: Log in to the firewall

A login window opens as shown in Figure 2-5 below:

Figure 2-5: Login window

d. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall User Name and password for the firewall Password, both in lower case letters.

Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection.
3. Connect to the Internet

Figure 2-6: Setup Wizard

a. You are now connected to the firewall. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu. Click the Yes button in the Setup Wizard.

b. Please click Next to follow the steps in the Setup Wizard to input the configuration parameters from your ISP to connect to the Internet.

Note: If you were unable to connect to the firewall, please refer to “Basic Functions” on page 8-1.

Connecting the FVM318 firewall to the Internet

The firewall is now properly attached to your network. You are now ready to configure your firewall to connect to the Internet. There are two ways you can configure your firewall to connect to the Internet:

• Let the FVM318 auto-detect the type of Internet connection you have and configure it.
• Manually choose which type of Internet connection you have and configure it.

These options are described below. In either case, unless your ISP assigns your configuration automatically via DHCP, you will need the configuration parameters from your ISP you recorded in “Record Your Internet Connection Information” on page 2-3.

Using the Smart Wizard to Auto-Detect Your Internet Connection Type

Follow the procedures below to let the Smart Wizard help set up your Internet configuration.
Procedure 2-3:  Auto-Detecting Your Internet Connection Type

The Web Configuration Manager built in to the firewall contains a Setup Wizard that can automatically determine your network connection type.

1. If your firewall has not yet been configured, the Setup Wizard shown in Figure 2-7 should launch automatically. When the Wizard launches, select Yes in the menu below to allow the firewall to automatically determine your connection.

Figure 2-7: Built-in Web-based Configuration Manager Setup Wizard

Note: If, instead of the Setup Wizard menu, the main menu of the firewall’s Configuration Manager as shown in Figure 2-13 appears, click the Setup Wizard link in the upper left to bring up this menu.

2. Click Next.

The Setup Wizard will now check for the following connection types:

• Dynamic IP assignment
• A login protocol such as PPPoE
• Fixed IP address assignment
Next, the Setup Wizard will report which connection type it has discovered, and then display the appropriate configuration menu. If the Setup Wizard finds no connection, you will be prompted to check the physical connection between your firewall and the cable or DSL modem. When the connection is properly made, the firewall’s Internet LED should be on.

The procedures for filling in the configuration menu for each type of connection follow below.

Procedure 2-4:  Wizard-Detected Login Account Setup

If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to a menu like the PPPoE menu in Figure 2-8:

Figure 2-8: Setup Wizard menu for PPPoE login accounts

1. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.

2. Enter the PPPoE login user name and password provided by your ISP. These fields are case sensitive. If you wish to change the login timeout, enter a new value in minutes.
Note: You will no longer need to launch the ISP’s login program on your PC in order to access the Internet. When you start an Internet application, your firewall will automatically log you in.

3. Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.

If you enter an address here, after you finish configuring the firewall, reboot your PCs so that the settings take effect.

4. Click on Apply to save your settings.

5. Click on the Test button to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 8, “Troubleshooting”.

Procedure 2-5:  Wizard-Detected Dynamic IP Account Setup

If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the menu shown in Figure 2-9 below:

Figure 2-9: Setup Wizard menu for Dynamic IP address
1. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.

2. If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.

A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your PCs after configuring the firewall.

3. The Router’s MAC Address is the Ethernet MAC address that will be used by the firewall on the Internet port. If your ISP allows access from only one specific computer’s Ethernet MAC address, select “Use this MAC address.” The firewall will then capture and use the MAC address of the computer that you are now using. You must be using the one computer that is allowed by the ISP. Otherwise, you can type in a MAC address.

Note: Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your firewall to masquerade as that PC by using its MAC address.

4. Click on Apply to save your settings.

5. Click on the Test button to test your Internet connection.
If the NETGEAR website does not appear within one minute, refer to Chapter 8, “Troubleshooting”.
Procedure 2-6:  Wizard-Detected Fixed IP (Static) Account Setup

If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you will be directed to the menu shown in Figure 2-10 below:

Figure 2-10: Setup Wizard menu for Fixed IP address

1. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP you recorded in “Record Your Internet Connection Information” on page 2-3.

2. Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.

DNS servers are required to perform the function of translating an Internet name such as www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must obtain DNS server addresses from your ISP and enter them manually here. You should reboot your PCs after configuring the firewall for these settings to take effect.

3. Click on Apply to save the settings.

4. Click on the Test button to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 8, “Troubleshooting”.
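A mistyped Subnet Mask or a Gateway outside the assigned subnet is the most common reason the Test button fails for a Fixed IP account, and the Setup Wizard gives little feedback. The following is an added example (not NETGEAR code) that checks the values recorded in Procedure 2-1 for consistency before they are entered in the Procedure 2-6 menu; all sample addresses are constructed, and the private/link-local warning is this example's own check, not a rule stated in the manual.

```python
"""Consistency check for the Fixed/Static IP worksheet values (added example)."""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges; an ISP-assigned public address should not fall in these.
PRIVATE_NETS = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class StaticIpSettings:
    """The fields from the 'Fixed or Static IP Address' and 'ISP DNS' blocks."""
    ip_address: str
    subnet_mask: str
    gateway: str
    primary_dns: str
    secondary_dns: str = ""  # optional on the worksheet


@dataclass
class CheckResult:
    errors: list = field(default_factory=list)    # must be fixed before Apply
    warnings: list = field(default_factory=list)  # worth confirming with the ISP

    @property
    def ok(self) -> bool:
        return not self.errors


def _parse_ipv4(value: str, label: str, result: CheckResult):
    """Parse one dotted-quad field, recording an error instead of raising."""
    try:
        return ipaddress.IPv4Address(value.strip())
    except ValueError:
        result.errors.append(f"{label}: '{value}' is not a valid IPv4 address")
        return None


def check_static_ip(settings: StaticIpSettings) -> CheckResult:
    result = CheckResult()
    host = _parse_ipv4(settings.ip_address, "Internet IP Address", result)
    gateway = _parse_ipv4(settings.gateway, "Gateway IP Address", result)

    # Build the subnet from host + mask. ipaddress rejects a mask whose bits
    # are not a contiguous run of ones (e.g. 255.0.255.0), a frequent typo.
    network = None
    if host is not None:
        try:
            network = ipaddress.IPv4Network((str(host), settings.subnet_mask.strip()), strict=False)
        except ValueError:
            result.errors.append(f"Subnet Mask: '{settings.subnet_mask}' is not a valid netmask")

    if network is not None:
        # Network and broadcast addresses are not usable host addresses
        # (except on /31 and /32 point-to-point links).
        if network.prefixlen < 31 and host in (network.network_address, network.broadcast_address):
            result.errors.append("Internet IP Address is the network or broadcast address of its subnet")
        if gateway is not None:
            if gateway not in network:
                result.errors.append(f"Gateway IP Address {gateway} is not inside {network}")
            elif gateway == host:
                result.errors.append("Gateway IP Address must differ from the Internet IP Address")
        if host.is_link_local or any(host in net for net in PRIVATE_NETS):
            result.warnings.append(f"{host} is a link-local or private address; confirm it with your ISP")

    # A fixed-IP account gets no DNS servers from the ISP at login, so the
    # primary server is mandatory; the secondary is optional.
    if not settings.primary_dns.strip():
        result.errors.append("Primary DNS Server IP Address is required for a fixed IP account")
    else:
        _parse_ipv4(settings.primary_dns, "Primary DNS Server", result)
    if settings.secondary_dns.strip():
        _parse_ipv4(settings.secondary_dns, "Secondary DNS Server", result)
    return result


if __name__ == "__main__":
    # Constructed worksheet values, not real ISP data.
    sample = StaticIpSettings("203.0.113.20", "255.255.255.0", "203.0.113.1", "203.0.113.53")
    outcome = check_static_ip(sample)
    print("ok" if outcome.ok else "\n".join(outcome.errors))
```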
Manually Configuring Your Internet Connection

You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.

Figure 2-11: Browser-based configuration Basic Settings menu

Procedure 2-7:  Manual Configuration

You can manually configure the firewall in the Basic Settings menu shown in Figure 2-13 using these steps:
1. Select whether your Internet connection requires a login.

Select Broadband with Login if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet.

Note: If you are a Telstra BigPond cable modem customer, or if you are in an area such as Austria that uses PPTP, login is required. If so, select BigPond or PPTP from the Internet Service Type drop down box.

2. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers.

3. (If displayed) Enter the PPPoE login user name and password provided by your ISP. These fields are case sensitive. If you wish to change the login timeout, enter a new value in minutes.

Note: You will no longer need to launch the ISP’s login program on your PC in order to access the Internet. When you start an Internet application, your firewall will automatically log you in.

4. Internet IP Address: If your ISP has assigned you a permanent, fixed (static) IP address for your PC, select “Use static IP address”. Enter the IP address that your ISP assigned. Also enter the netmask and the Gateway IP address. The Gateway is the ISP’s router to which your firewall will connect.

5. Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.

A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here.
If you enter an address here, you should reboot your PCs after configuring the firewall.

6. Router’s MAC Address: This section determines the Ethernet MAC address that will be used by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your firewall to masquerade as that PC by “cloning” its MAC address. To change the MAC address, select “Use this Computer’s MAC address.” The firewall will then capture and use the MAC address of the PC that you are now using. You must be using the one PC that is allowed by the ISP. Or, select “Use this MAC address” and enter it.
7. Click Apply to save your settings.

8. Click on the Test button to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 8, “Troubleshooting”.
Configuring Serial Port Connectivity

Use the procedure below to configure an Internet connection via the serial port of your firewall.

Procedure 2-8:  Serial Port Internet Connection Configuration

There are three steps to configuring the serial port of your firewall for an Internet connection:

1. Connect the firewall to your ISDN or dial-up analog modem
2. Configure the firewall
3. Connect to the Internet

Follow the steps below to configure a serial port Internet connection on your firewall.

1. Connect the Firewall to your ISDN or dial-up modem

a. Turn off your Modem and connect the cable (C) from your FR328S’s serial port to the modem.

Figure 2-12: Connect the ISDN or analog modem to the firewall

b. Turn on the modem and wait about 30 seconds for the lights to stop blinking.
2. Configure the Serial Port of the Firewall.

Note: To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. If you need instructions on how to do this, please refer to Appendix C, "Preparing Your Network".

a. Use a browser to log in to the firewall at http://192.168.0.1 with its default User Name of admin and default Password of password, or using whatever User Name and Password you have set up.

Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection.

b. From the Setup menu, click the Serial Port link to display the menu below.

Figure 2-13: Setup Serial Port configuration menu
c. Choose the type of Serial Port Usage:

• Auto-rollover with a wait time in minutes
• Primary Internet connection

d. Fill in the ISP Internet configuration parameters as appropriate:

• For a Dial-up Account, enter the Account/User Name, Password, the Telephone number to dial, and an Alternative Telephone number if available. Check “Connect as required” to enable the firewall to automatically dial the number. If you want to enable an Idle Time disconnect, check the box and enter a time in minutes.
• To configure the TCP/IP settings, fill in whatever address parameters your ISP provided.

e. Configure the Modem parameters:

Figure 2-14: Modem configuration menu

• Select the Serial Line Speed. This is the maximum speed the modem will attempt to use. For ISDN permanent connections, the speeds are typically 64000 or 128000 bps. For dial-up modems, 56000 bps would be a typical setting.
  — For ISDN, select “Permanent connection (leased line).”
  — For dial-up, select your modem from the list.
  — If your modem is not on the list, select “User Defined” and enter the Modem Properties.
• Select the Modem Type

Figure 2-15: Modem Properties menu

• If you are using the “Generic Modem” selection and configuring your own modem strings, fill in the Modem Properties settings.

Note: You can validate modem string settings by first connecting the modem directly to a PC, establishing a connection to your ISP, and then copying the modem string settings from the PC configuration and pasting them into the FR328S Modem Properties Initial String field. For more information on this procedure, please refer to the support area of the NETGEAR web site.

f. Click Apply to save your settings.

3. Connect to the Internet to test your configuration.

a. If you have a broadband connection, disconnect it.

b. From a workstation, open a browser and test your serial port Internet connection.

Note: The response time of your serial port Internet connection will be slower than a broadband Internet connection.
Testing Your Internet Connection

After completing the Internet connection configuration, you can test your Internet connection. Log in to the firewall, then, from the Setup Basic Settings link, click on the Test button. If the NETGEAR website does not appear within one minute, refer to Chapter 8, “Troubleshooting”.

Your firewall is now configured to provide Internet access for your network. Your firewall automatically connects to the Internet when one of your computers requires access. It is not necessary to run a dialer or login application such as Dial-Up Networking or Enternet to connect, log in, or disconnect. These functions are performed by the firewall as needed.

To access the Internet from any computer connected to your firewall, launch a browser such as Microsoft Internet Explorer or Netscape Navigator. You should see the firewall’s Internet LED blink, indicating communication to the ISP. The browser should begin to display a Web page.

The following chapters describe how to configure the Advanced features of your firewall, and how to troubleshoot problems that may occur.
Protecting Your Network 3-1
Chapter 3 Protecting Your Network
This chapter describes how to use the basic firewall features of the FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall to protect your network.
Protecting Access to Your FVM318 firewall
For security reasons, the firewall has its own user name and password. Also, after a period of inactivity for a set length of time, the administrator login will automatically disconnect. When prompted, enter admin for the firewall User Name and password for the firewall Password. You can use the procedures below to change the firewall's password and the amount of time for the administrator’s login timeout.
Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection.
NETGEAR recommends that you change this password to a more secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of both upper and lower case letters, numbers, and symbols. Your password can be up to 30 characters.
3-2 Protecting Your Network
Procedure 3-1: Changing the Built-In Password
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the firewall.
Figure 3-1: Log in to the firewall
2. From the Main Menu of the browser interface, under the Maintenance heading, select Set Password to bring up the menu shown in Figure 3-2.
Figure 3-2: Set Password menu
3. To change the password, first enter the old password, and then enter the new password twice.
4. Click Apply to save your changes.
Note: After changing the password, you will be required to log in again to continue the configuration. If you have backed up the firewall settings previously, you should do a new backup so that the saved settings file includes the new password.
Protecting Your Network 3-3
Procedure 3-1: Changing the Administrator Login Timeout
For security, the administrator's login to the firewall configuration will time out after a period of inactivity. To change the login timeout period:
1. In the Set Password menu, type a number in the ‘Administrator login times out’ field. The suggested default value is 5 minutes.
2. Click Apply to save your changes or click Cancel to keep the current period.
Configuring Basic Firewall Services
Basic firewall services you can configure include access blocking and scheduling of firewall security. These topics are presented below.
Blocking Functions, Keywords, Sites, and Services
The firewall provides a variety of options for blocking Internet based content and communications services. Those basic options include:
With its content filtering feature, the FVM318 firewall prevents objectionable content from reaching your PCs. The FR114P allows you to control access to Internet content by screening for keywords within Web addresses. Key content filtering options include:
• Keyword blocking of newsgroup names.
• ActiveX, Java, cookie, and web proxy filtering.
• ActiveX and Java programs can be embedded in websites, and will be executed by your computer. These programs may sometimes include malicious content.
• Cookies are small files that a website can store on your computer to track your activity. Some cookies can be helpful, but some may compromise your privacy.
• Web proxies are computers on the Internet that act as relays for browsing. A web proxy can be used to bypass your web blocking methods.
• Outbound Services Blocking limits access from your LAN to Internet locations or services that you specify as off-limits.
• Denial of Service (DoS) protection. Automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
3-4 Protecting Your Network
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations that you specify as off-limits.
The section below explains how to configure your firewall to perform these functions.
Procedure 3-2: Block Functions, Keywords, and Sites
The FVM318 firewall allows you to restrict access to Internet content based on functions such as Java or Cookies, Web addresses and Web address keywords.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the firewall.
2. Click on the Block Sites link of the Security menu.
Figure 3-3: Block Sites menu
Protecting Your Network 3-5
3. To block ActiveX, Java, Cookies, or Web Proxy functions for all Internet sites, click the check box next to the function and then click Apply.
4. To enable keyword blocking, check “Turn keyword blocking on”, enter a keyword or domain in the Keyword box, click Add Keyword, then click Apply. Some examples of Keyword application follow:
• If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.xxx.
• If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu or .gov) can be viewed.
• Enter the keyword “.” to block all Internet browsing access.
Up to 32 entries are supported in the Keyword list.
5. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
6. To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply. You may specify one Trusted User, which is a PC that will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that PC with a fixed IP address.
Block Services
Firewalls are used to regulate specific traffic passing through from one side of the firewall to the other. You can restrict outbound (LAN to WAN) traffic to what outside resources you want local users to be able to access. In addition to the kind of blocking of sites discussed above, you can block services like Telnet or Instant Messenger.
By default, the FR114P regulates inbound and outbound traffic in these ways:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN side to the outside.
You may define exceptions to the default outbound settings by adding Block Services definitions to the Outbound Services table.
In this way, you can block or allow access based on the service or application, destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match what you have defined.
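The keyword rules in Procedure 3-2 above are easy to misjudge (the keyword “.com” silences every .com site, and “.” silences everything), so the following added example, which is not NETGEAR's firmware code, models the Block Sites keyword list, the 32-entry limit and the Trusted User exemption so that a keyword list can be tried against sample URLs and newsgroup names before it is applied. Plain case-insensitive substring matching against host-plus-path is an assumption drawn from the manual's examples.

```python
# Added example, not NETGEAR's firmware: a model of the Block Sites keyword
# rules in Procedure 3-2, so the effect of a keyword list can be checked
# against sample requests before it is applied to the firewall.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

MAX_KEYWORDS = 32  # the firewall accepts up to 32 entries in the Keyword list


@dataclass
class BlockSites:
    keyword_blocking_on: bool = False
    keywords: List[str] = field(default_factory=list)
    trusted_user: Optional[str] = None  # IP of the one PC exempt from blocking

    def add_keyword(self, keyword: str) -> None:
        """Mirror the Add Keyword button, including the 32-entry limit."""
        keyword = keyword.strip().lower()
        if not keyword:
            raise ValueError("keyword must not be empty")
        if keyword in self.keywords:
            return
        if len(self.keywords) >= MAX_KEYWORDS:
            raise ValueError(f"keyword list holds at most {MAX_KEYWORDS} entries")
        self.keywords.append(keyword)

    def delete_keyword(self, keyword: str) -> None:
        """Mirror the Delete Keyword button."""
        self.keywords.remove(keyword.strip().lower())


def matched_keyword(target: str, keywords: List[str]) -> Optional[str]:
    """Return the first keyword found as a case-insensitive substring of target.

    Assumption (the manual shows examples, not the algorithm): matching is plain
    substring matching, so "xxx" hits http://www.badstuff.com/xxx.html and the
    newsgroup alt.pictures.xxx, ".com" hits every .com host, and "." hits any
    host name containing a dot.
    """
    lowered = target.lower()
    for keyword in keywords:
        if keyword in lowered:
            return keyword
    return None


def url_target(url: str) -> str:
    """Reduce a URL to host plus path, the part the keywords are compared with."""
    parts = urlsplit(url)
    return parts.netloc + parts.path if parts.scheme else url


def check_request(cfg: BlockSites, client_ip: str, target: str,
                  kind: str = "web") -> Tuple[bool, Optional[str]]:
    """Decide whether a web URL or newsgroup name requested by client_ip is blocked.

    Returns (blocked, keyword). The Trusted User PC is never blocked, which is
    why the manual says to give that PC a fixed IP address.
    """
    if cfg.trusted_user is not None and IPv4Address(client_ip) == IPv4Address(cfg.trusted_user):
        return False, None
    if not cfg.keyword_blocking_on:
        return False, None
    subject = url_target(target) if kind == "web" else target
    keyword = matched_keyword(subject, cfg.keywords)
    return keyword is not None, keyword


if __name__ == "__main__":
    # Constructed sample: the manual's "XXX" keyword with 192.168.0.50 as Trusted User.
    cfg = BlockSites(keyword_blocking_on=True, trusted_user="192.168.0.50")
    cfg.add_keyword("XXX")
    for client, url in [("192.168.0.20", "http://www.badstuff.com/xxx.html"),
                        ("192.168.0.50", "http://www.badstuff.com/xxx.html"),
                        ("192.168.0.20", "http://www.netgear.com/")]:
        print(client, url, check_request(cfg, client, url))
```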
3-6 Protecting Your Network
Procedure 3-3: Block Services
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the firewall.
2. Click on the Block Sites link of the Security menu to display the Block Services menu shown in Figure 3-4:
Figure 3-4: Block Services menu
• To create a new Block Services rule, click the Add button.
• To edit an existing Block Services rule, select its button on the left side of the table and click Edit.
• To delete an existing Block Services rule, select its button on the left side of the table and click Delete.
3. Modify the menu shown below for defining or editing how a service is regulated.
Figure 3-5: Add Block Services menu
Protecting Your Network 3-7
The parameters are:
• Service: From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add Services menu to add any additional services or applications that do not already appear.
• Action: Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu.
• LAN Users Address: Specify traffic originating on the LAN (outbound), and choose whether you would like the traffic to be restricted by source IP address. You can select Any, a Single address, or a Range. If you select a range of addresses, enter the range in the start and finish boxes. If you select a single address, enter it in the start box.
• Log: You can select whether the traffic will be logged. The choices are:
• Never - no log entries will be made for this service.
• Always - any traffic for this service type will be logged.
• Match - traffic of this type which matches the parameters and action will be logged.
• Not match - traffic of this type which does not match the parameters and action will be logged.
4. Click Apply to save your definition.
Setting Times and Scheduling Firewall Services
The FVM318 firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must select your Time Zone from the list.
Procedure 3-4: Setting Your Time Zone
In order to localize the time for your log entries, you must specify your Time Zone:
3-8 Protecting Your Network
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the firewall.
2. Click on the Schedule link of the Security menu to display the menu shown below.
Figure 3-6: Schedule Services menu
3. Select your Time Zone. This setting will be used for the blocking schedule according to your local time zone and for time-stamping log entries. Check the Daylight Savings Time box if your time zone is currently in daylight savings time.
Note: If your region uses Daylight Savings Time, you must manually check Adjust for Daylight Savings Time on the first day of Daylight Savings Time, and uncheck it at the end. Enabling Daylight Savings Time will cause one hour to be added to the standard time.
4. The firewall has a list of publicly available NTP servers. If you would prefer to use a particular NTP server as the primary server, enter its IP address under Use this NTP Server.
5. Click Apply to save your settings.
Protecting Your Network 3-9
Procedure 3-5: Scheduling Firewall Services
If you enabled services blocking in the Block Services menu or Port forwarding in the Ports menu, you can set up a schedule for when blocking occurs or when access isn't restricted.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the firewall.
2. Click on the Schedule link of the Security menu to display the menu shown in the “Schedule Services menu” on page 3-8.
3. To block Internet services based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, to limit access during certain times for the selected days, enter Start Blocking and End Blocking times.
Note: Enter the values as 24-hour time. For example, 10:30 am would be 10 hours and 30 minutes and 10:30 pm would be 22 hours and 30 minutes.
4. Click Apply.
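How a Block Services rule (Procedure 3-3), its Log choice and the Schedule (Procedure 3-5) combine is the part administrators most often get wrong when reading their logs, so the following added example (not NETGEAR's firmware code) models one outbound decision: a rule's Service, Action, LAN Users Address and Log setting, a weekly blocking schedule with Start/End Blocking times, and the FVM318 default of allowing all outbound traffic when no rule applies. Table order as the rule precedence, and reading "matches the parameters" as "the service and the LAN user address fit", are assumptions noted in the comments.

```python
# Added example, not NETGEAR's firmware: how one Block Services rule plus the
# Schedule menu decide and log a LAN-to-WAN packet. Assumptions: rules are
# examined in table order and the first rule whose service and LAN user
# address fit decides; "matches the parameters and action" for the Log
# choices is read as "service and LAN user address fit this rule".
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple


class Action(Enum):
    BLOCK_ALWAYS = "block always"
    ALLOW_ALWAYS = "allow always"
    BLOCK_BY_SCHEDULE = "block by schedule"  # blocked while the schedule is active
    ALLOW_BY_SCHEDULE = "allow by schedule"  # allowed only while the schedule is active


class Log(Enum):
    NEVER = "never"          # no log entries for this service
    ALWAYS = "always"        # any traffic for this service type
    MATCH = "match"          # only traffic the rule applies to
    NOT_MATCH = "not match"  # this service type, but from addresses the rule skips


EVERY_DAY = frozenset(range(7))  # Monday=0 .. Sunday=6, the "Every Day" choice


@dataclass(frozen=True)
class Schedule:
    days: FrozenSet[int] = EVERY_DAY
    all_day: bool = True
    start_blocking: time = time(0, 0)  # 24-hour clock: 22:30 is 10:30 pm
    end_blocking: time = time(0, 0)

    def active(self, when: datetime) -> bool:
        """True while the blocking period defined in the Schedule menu is in force."""
        if when.weekday() not in self.days:
            return False
        if self.all_day:
            return True
        now = when.time()
        if self.start_blocking <= self.end_blocking:
            return self.start_blocking <= now < self.end_blocking
        # Window that runs past midnight, e.g. 22:00 to 06:00.
        return now >= self.start_blocking or now < self.end_blocking


@dataclass(frozen=True)
class ServiceRule:
    service: str                                 # name from the Service list, e.g. "Telnet"
    protocol: str                                # "tcp" or "udp"
    port_start: int
    port_end: int
    action: Action
    lan_users: Optional[Tuple[str, str]] = None  # (start, finish) range; None means Any
    log: Log = Log.NEVER

    def service_hit(self, protocol: str, dport: int) -> bool:
        return protocol == self.protocol and self.port_start <= dport <= self.port_end

    def user_hit(self, src: str) -> bool:
        if self.lan_users is None:
            return True
        lo, hi = IPv4Address(self.lan_users[0]), IPv4Address(self.lan_users[1])
        return lo <= IPv4Address(src) <= hi


def evaluate_outbound(rules: List[ServiceRule], schedule: Schedule, protocol: str,
                      dport: int, src: str, when: datetime) -> Tuple[str, bool]:
    """Return (decision, logged) for one outbound packet; decision is "block" or "allow"."""
    logged = False
    for rule in rules:
        if not rule.service_hit(protocol, dport):
            continue
        applies = rule.user_hit(src)
        if rule.log is Log.ALWAYS or (rule.log is Log.MATCH and applies) \
                or (rule.log is Log.NOT_MATCH and not applies):
            logged = True
        if not applies:
            continue  # a later rule for the same service may cover this address
        if rule.action is Action.BLOCK_BY_SCHEDULE:
            return ("block" if schedule.active(when) else "allow"), logged
        if rule.action is Action.ALLOW_BY_SCHEDULE:
            return ("allow" if schedule.active(when) else "block"), logged
        return ("block" if rule.action is Action.BLOCK_ALWAYS else "allow"), logged
    return "allow", logged  # FVM318 default: outbound traffic is allowed


if __name__ == "__main__":
    # Constructed sample: block Telnet from 192.168.0.10-50 on weekdays 09:00-17:00.
    office_hours = Schedule(days=frozenset(range(5)), all_day=False,
                            start_blocking=time(9, 0), end_blocking=time(17, 0))
    rules = [ServiceRule("Telnet", "tcp", 23, 23, Action.BLOCK_BY_SCHEDULE,
                         ("192.168.0.10", "192.168.0.50"), Log.MATCH)]
    for when in (datetime(2002, 9, 18, 10, 30), datetime(2002, 9, 18, 22, 30)):
        print(when, evaluate_outbound(rules, office_hours, "tcp", 23, "192.168.0.20", when))
```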
Virtual Private Networking 4-1
Chapter 4 Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FVM318 firewall. VPN communications paths are called tunnels. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
Network to Network and Remote Computer to Network VPNs
Two common scenarios for configuring VPN tunnels are between two or more networks, and between a remote computer and a network. The FVS318 supports these configurations:
Figure 4-1: Secure access through FVS318 VPN routers
• Secure access between networks, such as a branch or home office and a main office. A VPN between two or more NETGEAR VPN-enabled routers is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources when NAT is enabled and remote computers have been assigned private IP addresses.
• Secure access from a remote PC, such as a telecommuter connecting to an office network. VPN client access allows a remote PC to connect to your network from any location on the Internet. In this case, the remote PC is one tunnel endpoint, running VPN client software. The FVM318 firewall router on your network is the other tunnel endpoint.
• The FVM318 firewall supports up to eight concurrent tunnels.
These scenarios are described below.
Planning a VPN
When you set up a VPN, it is helpful to plan the network configuration and record the configuration parameters on a worksheet. These topics are discussed below.
VPN Configuration Choices
When planning your VPN, you must make a few choices first:
• To set up a VPN connection, you must configure each endpoint with specific identification and connection information describing the other endpoint. This set of configuration information defines a security association (SA) between the two points. The FVS318 is capable of eight Security Associations, which are commonly referred to as tunnels.
• Will the remote end be a network or a single PC?
Note: To connect remote networks, the LAN IP address ranges of each connected network must be different. The connection will not work if both ends are using the NETGEAR default address range of 192.168.0.x.
Note: The FVM318 firewall uses industry standard VPN protocols. However, due to variations in how manufacturers interpret these standards, many VPN products are not interoperable. NETGEAR provides support for connections between FVM318 firewalls, and between an FVM318 firewall and the SafeNet SoftRemote VPN Client for Windows. Although the FVS318 can interoperate with many other VPN products, it is not possible for NETGEAR to provide specific technical support for every other interconnection. Please see NETGEAR's web site for additional VPN information.
Virtual Private Networking 4-3
• At least one side must have a fixed IP address. If one side has a dynamic IP address, the side with a dynamic IP address must always be the initiator of the connection.
• Will you use the typical automated Internet Key Exchange (IKE) setup, or a Manual Keying setup in which you must specify each phase of the connection? IKE is an automated method for establishing a shared security policy and authenticated keys.
• What level of encryption will you use, 56 bit DES or 168 bit 3DES? 3DES is more secure but the throughput will be slower.
Sample Network to Network VPN Tunnel Configuration Worksheet
The sample configuration worksheet below is filled in with the parameters used in the procedure examples below. A blank worksheet is provided below at “Network to Network IKE VPN Tunnel Configuration Worksheet” on page 4-26.
Table 4-1. Sample Network to Network IKE VPN Tunnel Configuration Worksheet
IKE Tunnel Security Association Settings
Connection Name: VPNAB
PreShared Key: r>T(h4&3@#kB
Secure Association -- Main Mode or Aggressive Mode: Main
Perfect Forward Secrecy: Enabled
Encryption Protocol -- Null, 56 bit DES, or 168 bit 3DES: DES
Key Life in seconds: 3600 (1 hour)
IKE Life Time in seconds: 28800 (8 hours)
FVM318 firewall Network IP Settings
Network   Local IPSec Identifier   LAN IP Network Address   Subnet Mask     Gateway IP (WAN IP Address)
LAN A     LAN_A                    192.168.3.1              255.255.255.0   24.0.0.1
LAN B     LAN_B                    192.168.0.1              255.255.255.0   10.0.0.1
4-4 Virtual Private Networking
Procedure 4-1: Configuring a Network to Network VPN Tunnel
Follow this procedure to configure a VPN tunnel between two LANs via an FVS318 at each end.
Figure 4-2: LAN to LAN VPN access through an FVS318 to an FVS318
1. Set up the two LANs to have different IP address ranges. The procedures below refer to the “Sample Network to Network IKE VPN Tunnel Configuration Worksheet” on page 4-3. To configure your actual network, print and fill out the blank “Network to Network IKE VPN Tunnel Configuration Worksheet” on page 4-26 for your network configuration. Then follow the procedures below.
a. Log in to the first FVS318 firewall (A) at its default LAN address of http://192.168.0.1 with its default User Name of admin and default Password of password, or using whatever User Name and Password you have set up.
Figure 4-3: Log in
Virtual Private Networking 4-5
b. Click the LAN IP Setup link from the Advanced section of the main menu to display the menu shown in Figure 4-4.
Figure 4-4: Configuring the Local LAN (A) via the LAN IP Setup Menu
c. Change the settings as follows:
• IP Address to 192.168.3.1
• DHCP Starting Address to 192.168.3.2
• DHCP Ending Address to 192.168.3.100
• Change any Reserved IP Addresses to be part of the 192.168.3.x network
Note: If Port Forwarding, Trusted User, or Static Routes are set up, you will need to change these configurations to match the 192.168.3.x network as well.
4-6 Virtual Private Networking
d. Click Apply. Because you changed the firewall’s IP address, you are now disconnected.
e. Reboot all PCs on network A. The network configuration should now look like this:
Figure 4-5: Local LAN (A) configuration
2. Configure the VPN Settings of the FVS318 firewall (A) on the local LAN.
a. Log in to the first FVS318 router (A) at its new LAN address of http://192.168.3.1 with its default User Name of admin and default Password of password, or using whatever User Name and Password you set up.
b. From the Setup menu, click the VPN Settings link. The VPN Settings window opens as shown in Figure 4-6 below:
Figure 4-6: VPN Settings menu
Virtual Private Networking 4-7
c. Click the button next to an unused tunnel profile in the table and click Edit. The VPN Settings - Main Mode window opens as shown in Figure 4-7 below:
Figure 4-7: LAN A VPN Settings - Main Mode IKE Edit menu
d. Fill in the Connection Name VPN settings.
• In the Connection Name box, type the name for the Security Association of LANs A and B. For example, enter VPNAB as the Connection Name.
• Enter the unique Local IPSec Identifier name for the local FVS318 (A). For example, enter LAN_A.
Note: This IPSec name must not be used in any other SA definitions in this VPN network.
• Enter the unique Remote IPSec Identifier name for the remote FVS318 (B). For example, enter LAN_B.
• Enter the Remote IP Address and IP Subnet Mask. In this case, the Remote network address is the LAN network address of the second FVS318 (B), which is 192.168.0.1, and the Subnet Mask is 255.255.255.0.
4-8 Virtual Private Networking
• Enter the Remote Gateway IP Address, which is the WAN IP Address for the second FVS318 (B). In this example, use 10.0.0.1 for the Gateway IP Address. You can look up the Remote Gateway IP Address by viewing the WAN Status screen of the second FVS318 (B). When FVS318 (B) is connected to the Internet, log in, go to its Maintenance menu Router Status link. If you find the WAN Port DHCP field says “DHCP Client” or “PPPOE,” then it is a dynamic address. For a dynamic address enter 0.0.0.0 in the configuration screen of the FVS318 on LAN A as the WAN IP Address for the FVS318 on LAN (B).
Note: Only one side may have a dynamic IP address, and that side must always initiate the connection.
e. Under Secure Association, select Main Mode, unless you are connecting to a device that requires Aggressive Mode, and fill in the settings below.
Note: The alternative to IKE is Manual Keying, which is covered in “Using Manual Keying as an Alternative to IKE” on page 4-24.
To configure the IKE settings for firewall A, enter the following:
• Enable Perfect Forward Secrecy.
• For Encryption Protocol, select: DES.
• Enter the PreShared Key. In this example, r>T(h4&3@#kB is the PreShared Key. With IKE, a preshared key that you make up is used for mutual identification. The PreShared Key should be between 8 and 80 characters, and the letters are case sensitive. Entering a combination of letters, numbers and symbols, such as r>T(h4&3@#kB, provides greater security.
• Key Life - Default is 3600 seconds (1 hour).
• IKE Life Time - Default is 28800 seconds (8 hours). A shorter time increases security, but users will be temporarily disconnected upon renegotiation.
f. If you need to run Microsoft networking functions such as Network Neighborhood, click the NETBIOS Enable check box to allow NETBIOS traffic over the VPN tunnel.
g. Click Apply to save the Security Association tunnel settings into the table.
Virtual Private Networking 4-9
3. Configure the VPN Settings of the FVS318 firewall (B) on the remote LAN. To configure the second FVS318 (B), refer to the configuration worksheet and do the following:
a. Log in to the FVS318 router (B) at its default LAN address of http://192.168.0.1 with its default User Name of admin and default Password of password, or using whatever User Name and Password you set up.
b. From the Setup menu, click the VPN Settings link. The VPN Settings window opens.
c. Click the button next to an unused profile in the table and click Edit. The VPN Settings - Main Mode window opens as shown in Figure 4-8 below:
Figure 4-8: LAN B VPN Settings - Main Mode IKE Edit menu
d. Fill in the Connection Name VPN settings.
• In the Connection Name box, type the same Security Association name of LANs A and B you entered for LAN A. In this case, enter VPNAB as the Connection Name.
• Enter the unique IPSec Identifiers. In this example, enter LAN_B as the Local IPSec Identifier name for the local FVS318 (B), and LAN_A as the Remote IPSec Identifier name for the FVS318 (A).
4-10 Virtual Private Networking
• Enter the Remote IP Address and the Remote IP Subnet Mask. In this example, 192.168.3.1 is the Remote network address, which is the LAN network address of the first FVS318 (A), and 255.255.255.0 is the Subnet Mask.
• Type the Remote Gateway IP Address, which is the WAN IP address of the first FVS318 (A). In this example, 24.0.0.1 is the Remote Gateway. You can look up the Remote Gateway IP Address by viewing the WAN Status screen of the first FVS318 (A). When FVS318 (A) is connected to the Internet, log in, go to its Maintenance menu Router Status link. If you find the WAN Port DHCP field says “DHCP Client” or “PPPOE,” then it is a dynamic address. For a dynamic address enter 0.0.0.0 in the configuration screen of the FVS318 on LAN B as the WAN IP Address for the FVS318 on LAN (A).
Note: Only one side may have a dynamic IP address, and that side must always initiate the connection.
e. Under Secure Association, select Main Mode, unless you are connecting to a device that requires Aggressive Mode, and fill in the settings below.
• Enable Perfect Forward Secrecy.
• For Encryption Protocol, select: Null.
• Enter r>T(h4&3@#kB as the PreShared Key.
• Key Life - Default is 3600 seconds (1 hour).
• IKE Life Time - Default is 28800 seconds (8 hours).
f. If you need to run Microsoft networking functions such as Network Neighborhood, click the NETBIOS Enable check box to allow NETBIOS traffic over the VPN tunnel.
g. Click Apply to save the Security Association tunnel settings into the table.
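Most failed tunnels in this procedure come from the two edit menus not mirroring each other (identifiers not swapped, the Remote IP Address not describing the other LAN, both LANs on 192.168.0.x, PreShared Key or Encryption Protocol differing). The following added example, which is not NETGEAR's code, checks the two halves of the worksheet in Table 4-1 against each other and reports which side must initiate when one WAN address is dynamic (0.0.0.0). It also accepts a single remote PC as one side (subnet mask 255.255.255.255, dynamic gateway), which is the form used for a remote-PC tunnel. The field names and message wording are this example's own.

```python
# Added example, not NETGEAR's code: a consistency check for the two sides of
# an IKE tunnel as recorded on the worksheet in Table 4-1. Each side is
# described the way the VPN Settings edit menu asks for it, and every entry
# that would stop the two units from agreeing is reported.
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Optional

DYNAMIC = "0.0.0.0"  # the address entered for a side whose WAN IP is dynamic


@dataclass(frozen=True)
class TunnelSide:
    name: str                 # label used in messages, e.g. "LAN A"
    lan_ip: str               # this side's LAN IP address (or the PC's virtual IP)
    lan_mask: str
    wan_ip: str               # this side's WAN address, or DYNAMIC
    connection_name: str
    local_id: str             # Local IPSec Identifier
    remote_id: str            # Remote IPSec Identifier
    remote_network: str       # Remote IP Address entered for the other side
    remote_mask: str
    remote_gateway: str       # Remote Gateway IP Address, or DYNAMIC
    mode: str = "Main"        # "Main" or "Aggressive"
    pfs: bool = True          # Perfect Forward Secrecy
    encryption: str = "DES"   # "Null", "DES" or "3DES"
    preshared_key: str = ""

    def lan_network(self):
        return ip_network(f"{self.lan_ip}/{self.lan_mask}", strict=False)

    def remote_network_obj(self):
        return ip_network(f"{self.remote_network}/{self.remote_mask}", strict=False)


def _one_direction(here: TunnelSide, there: TunnelSide) -> List[str]:
    """Entries on `here` that must describe `there`."""
    problems = []
    if here.remote_id != there.local_id:
        problems.append(f"{here.name}: Remote IPSec Identifier {here.remote_id!r} does not "
                        f"match {there.name} Local IPSec Identifier {there.local_id!r}")
    if here.remote_network_obj() != there.lan_network():
        problems.append(f"{here.name}: Remote IP Address/mask gives {here.remote_network_obj()}, "
                        f"but {there.name} LAN is {there.lan_network()}")
    if here.remote_gateway != there.wan_ip:
        problems.append(f"{here.name}: Remote Gateway {here.remote_gateway} is not "
                        f"{there.name} WAN address {there.wan_ip}")
    return problems


def check_tunnel(a: TunnelSide, b: TunnelSide) -> List[str]:
    """Return every mismatch between the two sides; an empty list means they agree."""
    problems = _one_direction(a, b) + _one_direction(b, a)
    if a.connection_name != b.connection_name:
        problems.append("Connection Name differs between the two sides")
    if a.local_id == a.remote_id or b.local_id == b.remote_id:
        problems.append("Local and Remote IPSec Identifiers must be unique")
    if a.lan_network().overlaps(b.lan_network()):
        problems.append(f"LAN ranges overlap ({a.lan_network()} and {b.lan_network()}); "
                        "the connected networks must use different address ranges")
    if a.wan_ip == DYNAMIC and b.wan_ip == DYNAMIC:
        problems.append("at least one side must have a fixed WAN IP address")
    for field_name in ("mode", "pfs", "encryption", "preshared_key"):
        if getattr(a, field_name) != getattr(b, field_name):
            problems.append(f"{field_name} differs between the two sides")
    if not 8 <= len(a.preshared_key) <= 80:
        problems.append("PreShared Key must be between 8 and 80 characters")
    return problems


def required_initiator(a: TunnelSide, b: TunnelSide) -> Optional[str]:
    """The side with a dynamic WAN address must always open the tunnel."""
    if a.wan_ip == DYNAMIC:
        return a.name
    if b.wan_ip == DYNAMIC:
        return b.name
    return None  # both fixed: either side may initiate


if __name__ == "__main__":
    # Values from Table 4-1, entered on each side as Procedure 4-1 describes.
    key = "r>T(h4&3@#kB"
    lan_a = TunnelSide("LAN A", "192.168.3.1", "255.255.255.0", "24.0.0.1", "VPNAB",
                       "LAN_A", "LAN_B", "192.168.0.1", "255.255.255.0", "10.0.0.1",
                       preshared_key=key)
    lan_b = TunnelSide("LAN B", "192.168.0.1", "255.255.255.0", "10.0.0.1", "VPNAB",
                       "LAN_B", "LAN_A", "192.168.3.1", "255.255.255.0", "24.0.0.1",
                       preshared_key=key)
    print(check_tunnel(lan_a, lan_b) or "worksheet is consistent")
    # Constructed slip: LAN B entered with its own name as the Remote identifier.
    print(check_tunnel(lan_a, replace(lan_b, remote_id="LAN_B")))
```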
Virtual Private Networking 4-11
Procedure 4-2: Check the VPN Connection
To check the VPN Connection, you can initiate a request from one network to the other. If one FVS318 has a dynamically assigned WAN IP address, you must initiate the request from that FVS318’s network. The simplest method is to ping the LAN IP address of the other FVS318.
1. Using our example, from a PC attached to the FVS318 on LAN A, on the Windows taskbar click the Start button, and then click Run.
2. Type ping -t 192.168.0.1, and then click OK.
Figure 4-9: Running a Ping test from Windows
3. This will cause a continuous ping to be sent to the first FVS318. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.”
Figure 4-10: Ping test results
At this point the connection is established.
Using the VPN Connection
Now that your VPN connection is working, whenever a PC on the second LAN needs to access an IP address on the first LAN, the firewalls will automatically establish the connection.
4-12 Virtual Private Networking
Configuring a Remote PC to Network VPN
This procedure describes linking a remote PC and a LAN. The LAN will connect to the Internet using an FVS318 with a fixed IP address. The PC can be connected to the Internet through dialup, cable or DSL modem, or other means, and we will assume it has a dynamically assigned IP address. The PC must have a VPN client program that supports IPSec. NETGEAR recommends and supports the SafeNet SoftRemote (or Soft-PK) Secure VPN Client for Windows, Version 5 or later. The SafeNet VPN Client can be purchased from SafeNet at http://www.safenet-inc.com.
Sample PC to Network VPN Tunnel Configuration Worksheet
The sample configuration worksheet below is filled in with the parameters used in the procedure examples below. A blank worksheet is at “PC to Network IKE VPN Tunnel Settings Configuration Worksheet” on page 4-27.
Table 4-2: Sample PC to Network IKE VPN Tunnel Settings Configuration Worksheet
IKE Tunnel Security Association Settings
Connection Name: VPNLANPC
PreShared Key: r>T(h4&3@#kB
Secure Association -- Main Mode or Aggressive Mode: Main
Perfect Forward Secrecy: Enabled
Encryption Protocol -- Null, 56 bit DES, or 168 bit 3DES: DES
Key Life in seconds: 3600 (1 hour)
IKE Life Time in seconds: 28800 (8 hours)
FVM318 firewall Network and PC IP Settings
                  Local IPSec Identifier   LAN IP Network Address   Subnet Mask       Gateway IP (WAN IP Address)
Network: LAN A    LANAPCIPSEC              192.168.3.1              255.255.255.0     24.0.0.1
Computer: PC      PCIPSEC                  192.168.100.2            255.255.255.255   0.0.0.0
Virtual Private Networking 4-13
Note: If your situation is different, for example, if your remote PC is connected through a simple cable/DSL router, or if you wish to use different VPN client software, please refer to NETGEAR's web site for additional VPN applications information.
Procedure 4-3: Configuring a Remote PC to Network VPN
1. Configure the VPN Tunnel on the FVS318 (A) firewall. To configure the firewall, follow these steps:
a. From the Setup Menu, click the VPN Settings link to open the window in Figure 4-6:
Figure 4-11: VPN Settings Window
4-14 Virtual Private Networking
b. Click the button next to an unused profile in the table and click Edit. The VPN Settings - IKE window opens as shown in Figure 4-12 below:
Figure 4-12: VPN Edit menu for connecting with a VPN client
c. Choose Main Mode, the IKE automated method for establishing a shared security policy and authenticated keys.
d. Type VPNLANPC in the Connection Name box for this Security Association tunnel.
Note: This name must match the name of the Security Association defined in the VPN client on the remote PC.
e. Enter LANAPCIPSEC as the Local IPSec Identifier for the FVS318 on LAN A.
Note: This IPSec name must not be used in any other SA definitions in this VPN network.
f. Enter PCIPSEC as the Remote IPSec Identifier for the PC.
g. In this case, the remote network is a single PC, and its IP address is unknown since it will usually be assigned dynamically by the user’s ISP. We will choose an arbitrary “fixed virtual” IP address to define this connection. This IP address will be used in the configuration of the VPN client. For this example, enter 192.168.100.2 as the Remote IP Network.
Virtual Private Networking 4-15
h. Since the remote network is a single PC, enter 255.255.255.255 for the Subnet Mask.
i. Since the remote PC has a dynamically assigned IP address, enter 0.0.0.0 as the Remote Gateway IP Address.
Note: Only one side may have a dynamic IP address, and that side must always initiate the connection.
j. Under Secure Association, for IKE, select Main Mode, unless you are connecting to a device that requires Aggressive Mode, and fill in the settings below.
k. Enable Perfect Forward Secrecy.
l. For Encryption Protocol, select: DES.
m. Enter the case sensitive PreShared Key: r>T(h4&3@#kB. This combination of letters, numbers and symbols provides greater security.
n. Key Life - Default is 3600 seconds (1 hour).
o. IKE Life Time - Default is 28800 seconds (8 hours). A shorter time increases security, but users will be temporarily disconnected upon renegotiation.
p. If you need to run Microsoft networking functions such as Network Neighborhood, click the NETBIOS Enable check box to allow NETBIOS traffic over the VPN tunnel.
q. Click Apply to save the Security Association tunnel settings into the table.
2. Install the SafeNet VPN Client Software on the PC.
a. Install the SafeNet Secure VPN Client.
Note: You may need to insert your Windows CD to complete the installation.
— If you do not have a modem or dial-up adapter installed in your PC, you may see the warning message stating “The SafeNet VPN Component requires at least one dial-up adapter be installed.” You can disregard this message.
— Install the IPSec Component. You may have the option to install either or both of the VPN Adapter or the IPSec Component. The VPN Adapter is not necessary.
b. Reboot your PC after installing the client software.
3. Configure the SafeNet software via its Security Policy Editor.
a. Run the SafeNet Security Policy Editor program and, using the “Sample PC to Network IKE VPN Tunnel Settings Configuration Worksheet” on page 4-12, create a VPN Connection.

Figure 4-13: Security Policy Editor New Connection

• From the Edit menu of the Security Policy Editor, click Add, then Connection. A “New Connection” listing appears in the list of policies.
• Rename the “New Connection” so that it matches the Connection Name you entered in the VPN Settings of the FVS318 (A). In this example, it would be VPNLANPC.
• In the Connection Security box, select Secure.
• In the ID Type menu, select IP Subnet.
• In the Subnet field, type the network address of the FVS318. In this example, 192.168.3.0 would be used. The network address is the LAN IP Address of the FVS318 with 0 as the last number.
• In the Mask field, type 255.255.255.0 as the LAN Subnet Mask of the FVS318.
• In the Protocol menu, select All to allow all traffic through the VPN tunnel.
• Check the Connect using Secure Gateway Tunnel checkbox.
• In the ID Type menu below the checkbox, select IP Address.
• Enter the public (WAN) IP Address of the FVS318 in the field directly below the ID Type menu. In this example, 24.0.0.1 would be used.

4. Configure the Security Policy in the SafeNet VPN Client Software.
a. In the Network Security Policy list, expand the new connection by double clicking its name or clicking on the “+” symbol. My Identity and Security Policy subheadings appear below the connection name.
b. Click on the Security Policy subheading to show the Security Policy menu.

Figure 4-14: Security Policy Editor Security Policy

c. In the Select Phase 1 Negotiation Mode box, select Main Mode.
d. Check the Enable Perfect Forward Secrecy (PFS) checkbox.
e. For PFS Key Group, select Diffie-Hellman Group 1.
f. Check the Enable Replay Detection checkbox.
g. From the Options menu at the top of the Security Policy Editor window, select Global Policy Settings.

Figure 4-15: Security Policy Editor Global Policy Options

h. Increase the Retransmit Interval period to 45 seconds.
i. Check the Allow to Specify Internal Network Address checkbox and click OK.

5. Configure the VPN Client Identity.
In this step, you will provide information about the remote VPN client PC. You will need to provide:
• The PreShared Key that you configured in the FVS318.
• Either a fixed IP address or a “fixed virtual” IP address of the VPN client PC.
a. In the Network Security Policy list on the left side of the Security Policy Editor window, click on My Identity.

Figure 4-16: Security Policy Editor My Identity

b. In the Select Certificate menu, choose None.
c. In the ID Type menu, select IP Address.
d. If you are using a “virtual fixed” IP address as discussed in “Configuring a Remote PC to Network VPN” on page 4-13, enter this address in the Internal Network IP Address box. Otherwise, leave this box empty. For this example, use 192.168.100.2.
e. In the Internet Interface box, select the adapter you use to access the Internet. Select PPP Adapter in the Name menu if you have a dial-up Internet account. Select your Ethernet adapter if you have a dedicated Cable or DSL line. You may also choose Any if you will be switching between adapters or if you have only one adapter.
f. Click the Pre-Shared Key button. In the Pre-Shared Key dialog box, click the Enter Key button. Enter the FVS318's Pre-Shared Key and click OK. In this example, r>T(h4&3@#kB would be entered. Note that this field is case sensitive.
6. Configure VPN Client Authentication Proposal. These settings do not depend on your network information.
a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double clicking its name or clicking on the “+” symbol.
b. Expand the Authentication subheading by double clicking its name or clicking on the “+” symbol. Then select Proposal 1 below Authentication.
c. In the Authentication Method menu, select Pre-Shared Key.
d. In the Encrypt Alg menu, select DES.
e. In the Hash Alg menu, select MD5.
f. In the SA Life menu, select Unspecified.
g. In the Key Group menu, select Diffie-Hellman Group 1.

7. Configure the VPN Client Key Exchange Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the FVS318 configuration.
a. Expand the Key Exchange subheading by double clicking its name or clicking on the “+” symbol. Then select Proposal 1 below Key Exchange.
b. In the SA Life menu, select Unspecified.
c. In the Compression menu, select None.
d. Check the Encapsulation Protocol (ESP) checkbox.
e. In the Encrypt Alg menu, select the type of encryption to correspond with what you configured for the Encryption Protocol in the FVS318 in “Configuring a Remote PC to Network VPN” on page 4-13. In this example, use DES.
f. In the Hash Alg menu, select MD5.
g. In the Encapsulation menu, select Tunnel.
h. Leave the Authentication Protocol (AH) checkbox unchecked.

8. Save the VPN Client Settings.
a. From the File menu at the top of the Security Policy Editor window, select Save Changes.
After you have configured and saved the VPN client information, your PC will automatically open the VPN connection when you attempt to access any IP addresses in the range of the remote VPN router’s LAN.
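The values entered in steps 1 through 7 must agree at both ends before the SafeNet client and the FVS318 can negotiate. As an added example that is not NETGEAR's or SafeNet's code, the Python below holds each side's settings in a small record (the field names are my own) and lists every mismatch, using the example values from this procedure:

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not NETGEAR's or SafeNet's code: firewall-side values from
# "VPN Settings - IKE" and client-side values from the Security Policy Editor.

@dataclass
class FirewallSA:
    connection_name: str
    local_id: str            # Local IPSec Identifier
    remote_id: str           # Remote IPSec Identifier
    remote_ip_network: str   # the "fixed virtual" address chosen for the PC
    remote_subnet_mask: str  # 255.255.255.255 when the remote network is one PC
    mode: str                # "Main" or "Aggressive"
    pfs: bool                # Perfect Forward Secrecy
    encryption: str          # "DES" or "3DES"
    preshared_key: str

@dataclass
class ClientPolicy:
    connection_name: str
    internal_ip: str         # Internal Network IP Address under My Identity
    phase1_mode: str         # Select Phase 1 Negotiation Mode
    pfs: bool                # Enable Perfect Forward Secrecy (PFS)
    esp_encryption: str      # Encrypt Alg of the Key Exchange proposal
    preshared_key: str

def check_match(fw: FirewallSA, cl: ClientPolicy) -> list[str]:
    """Return the mismatches; an empty list means the two ends can negotiate."""
    problems = []
    if fw.connection_name != cl.connection_name:
        problems.append("connection name differs")
    if fw.preshared_key != cl.preshared_key:   # exact, case-sensitive compare
        problems.append("pre-shared key differs")
    if fw.mode != cl.phase1_mode:
        problems.append("phase 1 mode differs")
    if fw.pfs != cl.pfs:
        problems.append("PFS enabled on one side only")
    if fw.encryption != cl.esp_encryption:
        problems.append("ESP encryption differs")
    # A single-PC remote network is a host route: the client's internal address
    # must be exactly the Remote IP Network the firewall expects.
    if fw.remote_subnet_mask == "255.255.255.255" and fw.remote_ip_network != cl.internal_ip:
        problems.append("client internal address is not the SA's Remote IP Network")
    return problems

# The manual's example values (constructed records, not captured configuration).
FW = FirewallSA("VPNLANPC", "LANAPCIPSEC", "PCIPSEC", "192.168.100.2",
                "255.255.255.255", "Main", True, "DES", "r>T(h4&3@#kB")
CL = ClientPolicy("VPNLANPC", "192.168.100.2", "Main", True, "DES", "r>T(h4&3@#kB")
```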
Check the VPN Connection

To check the VPN Connection, you can initiate a request from the remote PC to the FVS318’s network. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request. The simplest method is to ping from the remote PC to the LAN IP address of the FVS318. Using our example, start from the remote PC:
1. Establish an Internet connection from the PC.
2. On the Windows taskbar, click the Start button, and then click Run.
3. Type ping -t 192.168.3.1, and then click OK.

Figure 4-17: Running a Ping test to LAN A from the PC
This will cause a continuous ping to be sent to the first FVS318. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.”

Figure 4-18: Ping test results

Once the connection is established, you can open the browser of the remote PC and enter the LAN IP Address of the remote FVS318. After a short wait, you should see the login screen of the firewall.

Monitoring the PC to Network VPN Connection Using SafeNet Tools

Information on the progress and status of the VPN client connection can be viewed by opening the SafeNet Connection Monitor or Log Viewer. To launch these functions, click on the Windows Start button, then select Programs, then SafeNet Soft-PK, then either the Connection Monitor or Log Viewer.
The Log Viewer screen for a successful connection is shown below:

Figure 4-19: Log Viewer screen
The Connection Monitor screen for this connection is shown below:

Figure 4-20: Connection Monitor screen

In this example:
• The FVS318 has a public IP WAN address of 134.177.100.11
• The FVS318 has a LAN IP address of 192.168.0.1
• The VPN client PC has a dynamically assigned address of 12.236.5.184
• The VPN client PC is using a “virtual fixed” IP address of 192.168.100.100
While the connection is being established, the Connection Name field in this menu will say “SA” before the name of the connection. When the connection is successful, the “SA” will change to the yellow key symbol shown in the illustration above.

Deleting a Security Association

To delete a security association:
1. Log in to the firewall.
2. Click on the VPN Settings link.
3. In the VPN Settings Security Association table, select the radio button for the security association to be deleted.
4. Click on the Delete button.
5. Click on the Update button.
Note: While your PC is connected to a remote LAN through a VPN, you might not have normal Internet access. If this is the case, you will need to close the VPN connection in order to have normal Internet access.
Manual Keying

As an alternative to IKE, you may use Manual Keying, in which you must specify each phase of the connection. Follow the steps to configure Manual Keying.

Procedure 4-4: Using Manual Keying as an Alternative to IKE
1. When editing the VPN Settings, you may select manual keying. At that time, the edit menu changes to look like Figure 4-21:

Figure 4-21: VPN Edit menu for Manual Keying

2. Incoming SPI - Enter a Security Parameter Index that the remote host will send to identify the Security Association (SA). This will be the remote host’s Outgoing SPI.
3. Outgoing SPI - Enter a Security Parameter Index that this firewall will send to identify the Security Association (SA). This will be the remote host’s Incoming SPI.
The SPI should be a string of hexadecimal [0-9,A-F] characters, and should not be used in any other Security Association.
Tip: For simplicity or troubleshooting, the Incoming and Outgoing SPI can be identical.
4. For Encryption Protocol, select one:
a. Null - Fastest, but no security.
b. DES - Faster but less secure than 3DES.
c. 3DES - (Triple DES) Most secure.
5. Enter a hexadecimal Encryption Key.
— For DES, enter 16 hexadecimal [0-9,A-F] characters.
— For 3DES, enter 48 hexadecimal [0-9,A-F] characters.
The encryption key must match exactly the key used by the remote router or host.
6. Select the Authentication Protocol.
— MD5 (default) - 128 bits, faster but less secure.
— SHA-1 - 160 bits, slower but more secure.
7. Enter 32 hexadecimal characters for the Authentication Key. The authentication key must match exactly the key used by the remote router or host.
8. Click the NETBIOS Enable check box to allow NETBIOS over the VPN tunnel.
9. Click Apply to enter the SA into the table.
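The SPI and key-length rules of steps 2 through 7, as an added Python check that is not NETGEAR's code: it validates one firewall's manual-keying entry (hexadecimal SPIs not reused by another SA, key lengths for the chosen protocols) and confirms that two peers' entries mirror each other, so that A's Incoming SPI is B's Outgoing SPI and the keys are identical. The dictionary keys are my own, and the sample SAs and key values are constructed for the example.

```python
# Added example, not NETGEAR's code: manual-keying checks for Procedure 4-4.
# Field names are assumed; sample SPIs and keys below are constructed, not real.

HEX = set("0123456789ABCDEFabcdef")
ENC_KEY_HEX_LEN = {"Null": 0, "DES": 16, "3DES": 48}   # 16 hex = 64 bits, 48 = 192
AUTH_KEY_HEX_LEN = 32                                   # as step 7 states

def is_hex(s: str) -> bool:
    return len(s) > 0 and all(c in HEX for c in s)

def check_manual_sa(sa: dict, other_spis=frozenset()) -> list:
    """Return problems with one firewall's entry; other_spis = SPIs already in use."""
    problems = []
    for field in ("incoming_spi", "outgoing_spi"):
        spi = sa[field]
        if not is_hex(spi):
            problems.append(f"{field} is not hexadecimal")
        elif spi.upper() in other_spis:
            problems.append(f"{field} {spi} is already used by another SA")
    enc = sa["encryption"]
    if enc not in ENC_KEY_HEX_LEN:
        problems.append(f"unknown encryption protocol {enc}")
    else:
        want = ENC_KEY_HEX_LEN[enc]
        key = sa.get("encryption_key", "")
        if len(key) != want or (want and not is_hex(key)):
            problems.append(f"{enc} needs {want} hex characters, got {len(key)}")
    akey = sa["auth_key"]
    if len(akey) != AUTH_KEY_HEX_LEN or not is_hex(akey):
        problems.append(f"authentication key needs {AUTH_KEY_HEX_LEN} hex characters")
    return problems

def check_peer_pair(a: dict, b: dict) -> list:
    """Both ends must hold the same keys, and the SPIs must be mirrored."""
    problems = []
    if a["incoming_spi"].upper() != b["outgoing_spi"].upper():
        problems.append("A incoming SPI != B outgoing SPI")
    if a["outgoing_spi"].upper() != b["incoming_spi"].upper():
        problems.append("A outgoing SPI != B incoming SPI")
    for k in ("encryption", "encryption_key", "auth_protocol", "auth_key"):
        if a[k] != b[k]:
            problems.append(f"{k} differs between the two ends")
    return problems

# Constructed sample entries for the two ends of one 3DES/MD5 tunnel.
SA_A = {"incoming_spi": "A1B2C3D4", "outgoing_spi": "D4C3B2A1", "encryption": "3DES",
        "encryption_key": "0123456789ABCDEFFEDCBA98765432101122334455667788",
        "auth_protocol": "MD5", "auth_key": "00112233445566778899AABBCCDDEEFF"}
SA_B = {**SA_A, "incoming_spi": "D4C3B2A1", "outgoing_spi": "A1B2C3D4"}
```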
Blank VPN Tunnel Configuration Worksheets

The blank configuration worksheets below are provided to aid you in collecting and recording the parameters used in the VPN configuration procedure.

Table 4-3: Network to Network IKE VPN Tunnel Configuration Worksheet

IKE Tunnel Security Association Settings
  Connection Name:
  PreShared Key:
  Secure Association -- Main Mode or Aggressive Mode:
  Perfect Forward Secrecy:
  Encryption Protocol -- Null, 56 bit DES, or 168 bit 3DES:
  Key Life in seconds:
  IKE Life Time in seconds:

FVS318 Network IP Settings
  Network   Local IPSec Identifier   LAN IP Network Address   Subnet Mask   Gateway IP (WAN IP Address)
Table 4-4: PC to Network IKE VPN Tunnel Settings Configuration Worksheet

IKE Tunnel Security Association Settings
  Connection Name:
  PreShared Key:
  Secure Association -- Main Mode or Aggressive Mode:
  Perfect Forward Secrecy:
  Encryption Protocol -- Null, 56 bit DES, or 168 bit 3DES:
  Key Life in seconds:
  IKE Life Time in seconds:

PC and FVS318 Network IP Settings
            Local IPSec Identifier   LAN IP Network Address   Subnet Mask   Gateway IP (WAN IP Address)
  Network:
  PC:
