Netgear orporated FWG114PV2 ProSafe 802.11g Wireless Firewall/Print Server User Manual FullManual
Netgear Incorporated ProSafe 802.11g Wireless Firewall/Print Server FullManual
Contents
- 1. Users Manual Part 1
- 2. Users Manual Part 2
- 3. Users Manual Part 3
Users Manual Part 3
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Virtual Private Networking 8-41
March 2004, 202-10027-01
b. Click Pre-Shared Key.
Figure 8-29: Connection Identity Pre-Shared Key
c. Enter hr5xb84l6aa9r6, which is the same Pre-Shared Key entered in the FWG114P.
d. Click OK.
4. Configure the Connection Identity Settings.
a. In the Network Security Policy list, click the Security Policy subheading.
Figure 8-30: Security Policy
b. For this example, ensure that the following settings are configured:
– In the Select Phase 1 Negotiation Mode menu, select Aggressive Mode.
– Select the Enable Perfect Forward Secrecy (PFS) check box.
– In the PFS Key Group drop-down list, Diffie-Hellman Group 2.
– Select the Enable Replay Detection check box.
In this example, enter this
pre-shared key in this field:
hr5xb84l6aa9r6
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
8-42 Virtual Private Networking
March 2004, 202-10027-01
5. Configure the Connection Security Policy
In this step, you will provide the authentication (IKE Phase 1) settings, and the key exchange
(Phase 2) settings. The setting choices in this procedure follow the VPNC guidelines.
Figure 8-31: Connection Security Policy Authentication (Phase 1)
a. Configure the Authentication (Phase 1) Settings.
• Expand the Security Policy heading, then expand the Authentication (Phase 1)
heading, and click on Proposal 1.
• For this example, ensure that the following settings are configured:
– In the Encrypt Alg menu, select Triple DES.
– In the Hash Alg, select SHA-1.
– In the SA Life, select Unspecified.
– In the Key Group menu, select Diffie-Hellman Group 2.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Virtual Private Networking 8-43
March 2004, 202-10027-01
Figure 8-32: Connection Security Policy Key Exchange (Phase 2)
b. Configure the Key Exchange (Phase 2).
• Expand the Key Exchange (Phase 2) heading, and click on Proposal 1.
• For this example, ensure that the following settings are configured:
– In the SA Life menu, select Unspecified.
– In the Compression menu, select None.
– Check the Encapsulation Protocol (ESP) check box.
– In the Encrypt Alg menu, select Triple DES.
– In the Hash Alg, select SHA-1.
– In the Encapsulation menu, select Tunnel.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
8-44 Virtual Private Networking
March 2004, 202-10027-01
6. Configure the Global Policy Settings.
a. From the Options menu at the top of the Security Policy Editor window, select Global
Policy Settings.
Figure 8-33: Security Policy Editor Global Policy Options
b. Increase the Retransmit Interval period to 45 seconds.
c. Select the Allow to Specify Internal Network Address check box and click OK.
7. Save the VPN Client Settings.
From the File menu at the top of the Security Policy Editor window, select Save.
After you have configured and saved the VPN client information, your PC will automatically
open the VPN connection when you attempt to access any IP addresses in the range of the
remote VPN router’s LAN.
Note: Whenever you make changes to a Security Policy, save them first, then deactivate
the security policy, reload the security policy, and finally activate the security policy.
This ensures that your new settings will take effect.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Virtual Private Networking 8-45
March 2004, 202-10027-01
Testing the VPN Connection
You can test the VPN connection in several ways:
• From the client PC to the FWG114P
• From the FWG114P to the client PC
These procedures are explained below.
From the Client PC to the FWG114P
To check the VPN Connection, you can initiate a request from the remote PC to the FWG114P by
using the “Connect” option of the FWG114P Wireless Firewall/Print Server popup menu.
1. Open the popup menu by right-clicking on the system tray icon.
2. Select Connect to open the My Connections list.
3. Choose FWG114P.
The FWG114P Wireless Firewall/Print Server will report the results of the attempt to connect.
Once the connection is established, you can access resources of the network connected to the
FWG114P.
Another method is to ping from the remote PC to the LAN IP address of the FWG114P. To
perform a ping test using our example, start from the remote PC:
1. Establish an Internet connection from the PC.
2. On the Windows taskbar, click the Start button, and then click Run.
3. Type ping -t 192.168.0.1 and click OK.
This will cause a continuous ping to be sent to the first FWG114P. After a period of up to two
minutes, the ping response should change from “timed out” to “reply.”
Note: Virus protection or firewall software can interfere with VPN communications. Be
sure such software is not running on the remote PC with the Netgear ProSafe VPN
Client and that the firewall features of the FWG114P are not set in such a way as to
prevent VPN communications.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
8-46 Virtual Private Networking
March 2004, 202-10027-01
To test the connection to a computer connected to the FWG114P, simply ping the IP address of
that computer.
Once connected, you can open a browser on the remote PC and enter the LAN IP Address of the
FWG114P, which is http://192.168.0.1 in this example. After a short wait, you should see the login
screen of the FWG114P.
From the FWG114P to the Client PC
You can use the FWG114P Diagnostic utilities to test the VPN connection from the FWG114P to
the client PC. Run ping tests from the Diagnostics link of the FWG114P main menu.
Monitoring the PC VPN Connection
Information on the progress and status of the VPN client connection can be viewed by opening the
Netgear ProSafe VPN Client Connection Monitor or Log Viewer. To launch these functions, click
on the Windows Start button, then select Programs, then Netgear ProSafe VPN Client, then either
the Connection Monitor or Log Viewer.
The Log Viewer screen for a successful connection is similar to the one shown below:
Figure 8-34: Log Viewer screen
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Virtual Private Networking 8-47
March 2004, 202-10027-01
A sample Connection Monitor screen for a different connection is shown below:
Figure 8-35: Connection Monitor screen
In this example the following connection options apply:
• The FWG114P has a public IP WAN address of 66.120.188.153
• The FWG114P has a LAN IP address of 192.168.0.1
• The VPN client PC is behind a home NAT router and has a dynamically assigned address
of 192.168.0.3
While the connection is being established, the Connection Name field in this menu will say “SA”
before the name of the connection. When the connection is successful, the “SA” will change to the
yellow key symbol shown in the illustration above.
Viewing the FWG114P VPN Status and Log Information
Information on the status of the VPN client connection can be viewed by opening the FWG114P
VPN Status screen. To view this screen, click the VPN Status link on the FWG114P main menu.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
8-48 Virtual Private Networking
March 2004, 202-10027-01
The FWG114P VPN Status screen for a successful connection is shown below:
Figure 8-36: FWG114P VPN Status screen
Maintenance 9-1
March 2004, 202-10027-01
Chapter 9
Maintenance
This chapter describes how to use the maintenance features of your ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P. These features are accessed via the Main Menu
Maintenance heading.
Viewing Wireless Firewall/Print Server Status Information
The Router Status menu provides status and usage information. From the main menu of the
browser interface, click on Maintenance, then select Router Status to view this screen.
Figure 9-1: Router Status screen
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
9-2 Maintenance
March 2004, 202-10027-01
The Router Status screen shows the following parameters:
Table 9-1. Status Fields
Field Description
System Name The System Name assigned to the router.
Firmware Version The router firmware version.
Printer Status The printer status.
WAN Port These parameters apply to the Internet (WAN) port of the router.
MAC Address This field displays the MAC address being used by the Internet (WAN)
port of the router.
IP Address This field displays the IP address being used by the Internet (WAN) port
of the router. If no address is shown, the router cannot connect to the
Internet.
DHCP This field if the WAN port DHCP settings are dynamic or static.
IP Subnet Mask This field displays the IP Subnet Mask being used by the Internet (WAN)
port of the router.
Domain Name Server Identifies the IP address of the DNS server(s).
LAN Port
MAC Address The Media Access Control address being used by the LAN port of the
router.
IP Address The IP address being used by the Local (LAN) port of the router. The
default is 192.168.0.1.
DHCP Identifies if the router’s built-in DHCP server is active for the LAN
attached devices.
IP Subnet Mask The IP Subnet Mask being used by the Local (LAN) port of the router.
The default is 255.255.255.0.
Wireless Port
Name (SSID) This field displays the wireless network name (SSID) being used by the
wireless port of the router. The default is Wireless.
Region This field displays the MAC address being used by the wireless port of
the router.
Channel/Frequency Identifies the channel the wireless port is using. See “Wireless
Channels” on page E-7 for the frequencies used on each channel.
Mode Identifies if the channel the wireless port is set for 802.11b, 802.11g, or
both.
Wireless AP Identifies if the wireless access point is on or off.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Maintenance 9-3
March 2004, 202-10027-01
Click “WAN Status” to display the WAN connection status.
Figure 9-2: Connection Status screen
This screen shows the following statistics:.
Broadcast Name Identifies if the Name (SSID) is being broadcast.
Serial Port
Status The status of the serial port. Click the Details button to view the Serial
Port Log, Port Status, Physical Link, PPP Link, PPP IP Address, Phone
Line Speed, and Serial Line Speed.
Modem The status of the modem port.
Dial-In The status of the Dial-In port.
Internet Access The status of the serial Internet connection.
Lan-to-LAN The status of the serial LAN-to-LAN connection.
Table 9-1. Connection Status Fields
Field Description
Connection Time The length of time the router has been connected to your Internet service provider’s
network.
Connection Method The method used to obtain an IP address from your Internet service provider.
IP Address The WAN (Internet) IP Address assigned to the router.
Table 9-1. Status Fields
Field Description
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
9-4 Maintenance
March 2004, 202-10027-01
Log action buttons are described in Table 9-2.
Click “Show Statistics” to display router usage statistics.
Figure 9-3: Router Statistics screen
This screen shows the following statistics:
Network Mask The WAN (Internet) Subnet Mask assigned to the router.
Default Gateway The WAN (Internet) default gateway the router communicates with.
Table 9-2. Connection Status action buttons
Field Description
Renew Click the Renew button to renew the DHCP lease.
Table 9-1. Router Statistics Fields
Field Description
interface The statistics for the WAN (Internet), LAN (local), Wireless, and Serial interfaces. For
each interface, the screen displays:
Status The link status of the interface.
TxPkts The number of packets transmitted on this interface since reset or manual clear.
RxPkts The number of packets received on this interface since reset or manual clear.
Table 9-1. Connection Status Fields (continued)
Field Description
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Maintenance 9-5
March 2004, 202-10027-01
WAN Status action buttons are described in Table 9-2.
Viewing a List of Attached Devices
The Attached Devices menu contains a table of all IP devices that the router has discovered on the
local network. From the Main Menu of the browser interface, under the Maintenance heading,
select Attached Devices to view the table shown below:
Figure 9-4: Attached Devices menu
Collisions The number of collisions on this interface since reset or manual clear.
Tx B/s The current transmission (outbound) bandwidth used on the interfaces.
Rx B/s The current reception (inbound) bandwidth used on the interfaces.
Up Time The amount of time since the router was last restarted.
Serial Up Time The time elapsed since this port acquired the link.
Poll Interval Specifies the intervals at which the statistics are updated in this window. Click on Stop
to freeze the display.
Table 9-2. Connection Status action buttons
Field Description
Set Interval Enter a time and click the button to set the polling frequency.
Stop Click the Stop button to freeze the polling information.
Table 9-1. Router Statistics Fields (continued)
Field Description
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
9-6 Maintenance
March 2004, 202-10027-01
For each device, the table shows the IP address, Device Name (if available), and Ethernet MAC
address. Note that if the router is rebooted, the table data is lost until the router rediscovers the
devices. To force the router to look for attached devices, click the Refresh button.
Upgrading the Router Software
The routing software of the FWG114P Wireless Firewall/Print Server is stored in FLASH memory,
and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded
from Netgear's Web site. If the upgrade file is compressed (.ZIP file), you must first extract the
binary file before sending it to the router. The upgrade file can be sent to the router using your
browser.
Note: The Web browser used to upload new firmware into the FWG114P Wireless Firewall/Print
Server must support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer or
Netscape Navigator 3.0, or above.
From the Main Menu of the browser interface, under the Maintenance heading, select the Router
Upgrade heading.
To upload new firmware:
1. Download and unzip the new software file from NETGEAR.
2. In the Router Upgrade menu, click the Browse button and browse to the location of the binary
(.IMG) upgrade file.
3. Click Upload.
Note: When uploading software to the FWG114P, it is important not to interrupt the Web
browser by closing the window, clicking a link, or loading a new page. If the browser is
interrupted, it may corrupt the software. When the upload is complete, your router will
automatically restart. The upgrade process will typically take about one minute.
In some cases, you may need to reconfigure the router after upgrading.
Configuration File Management
The configuration settings of the FWG114P Wireless Firewall/Print Server are stored within the
router in a configuration file. This file can be saved (backed up) to a user’s computer, retrieved
(restored) from the user’s computer, or cleared to the factory default settings.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Maintenance 9-7
March 2004, 202-10027-01
From the Main Menu of the browser interface, under the Maintenance heading, select the Settings
Backup heading to bring up the menu shown below.
Figure 9-5: Settings Backup menu
Three options are available, and are described in the following sections.
Restoring and Backing Up the Configuration
The Restore and Backup options in the Settings Backup menu allow you to save and retrieve a file
containing your router’s configuration settings.
To save your settings, click Backup. Your browser will extract the configuration file from the
router and will prompt you for a location on your computer to store the file. You can give the file a
meaningful name at this time, such as SBC.cfg.
To restore your settings from a saved configuration file, enter the full path to the file on your
computer or click the Browse button to locate the file. When you have located it, click the Restore
button to send the file to the router. The router will then reboot automatically.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
9-8 Maintenance
March 2004, 202-10027-01
Erasing the Configuration
It is sometimes desirable to restore the router to a known blank condition. This can be done by
using the Erase function, which will restore all factory settings. After an erase, the router's
password will be password, the LAN IP address will be 192.168.0.1, and the router's DHCP client
will be enabled.
To erase the configuration, click the Erase button.
To restore the factory default configuration settings without knowing the login password or IP
address, you must use the Default Reset button on the rear panel of the router. See “Restoring the
Default Configuration and Password” on page 11-7.
Changing the Administrator Password
The default password for the router’s Web Configuration Manager is password. Netgear
recommends that you change this password to a more secure password.
From the main menu of the browser interface, under the Maintenance heading, select Set Password
to bring up this menu.
Figure 9-6: Set Password menu
To change the password, first enter the old password, and then enter the new password twice. Click
Apply. To change the login idle timeout, change the number of minutes and click Apply.
Advanced Configuration 10-1
March 2004, 202-10027-01
Chapter 10
Advanced Configuration
This chapter describes how to configure the advanced features of your ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P. These features can be found under the Advanced heading
in the Main Menu of the browser interface.
Using the WAN Setup Options
The first feature category under the Advanced heading is WAN Setup. This menu allows
configuration of a DMZ server, MTU size, port speed, and so on. From the Main Menu of the
browser interface, under Advanced, click on WAN IP Setup to view the WAN IP Setup menu,
shown below.
Figure 10-1: WAN Setup Menu
The WAN Setup options let you configure a DMZ server, change the MTU size, and set the WAN
port speed. These options are discussed below.
• Connect Automatically, as Required
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
10-2 Advanced Configuration
March 2004, 202-10027-01
Normally, this option is Enabled, so that an Internet connection will be made automatically
whenever Internet-bound traffic is detected. In locations where Internet access is billed by the
minute, if this causes high connection costs, you can disable this setting.
If disabled, you must connect manually, using the sub-screen accessed from the Router Status
menu “Show WAN Status” screen.
• Setting Up a Default DMZ Server
The use of the term ‘DMZ’ has become common, although it is a misnomer. In traditional
firewalls, a DMZ is actually a separate physical network port. A true DMZ port is for
connecting servers that require greater access from the outside, and will therefore be provided
with a different level of security by the firewall. A better term for our application is Exposed
Host.
The default DMZ server feature is helpful when using some online games and
videoconferencing applications that are incompatible with NAT. The router is programmed to
recognize some of these applications and to work properly with them, but there are other
applications that may not function well. In some cases, one local computer can run the
application properly if that computer’s IP address is entered as the default DMZ server.
Incoming traffic from the Internet is normally discarded by the router unless the traffic is a
response to one of your local computers or a service that you have configured in the Ports
menu. Instead of discarding this traffic, you can have it forwarded to one computer on your
network. This computer is called the Default DMZ Server.
The WAN Setup menu lets you configure a Default DMZ Server.
To assign a computer or server to be a Default DMZ server, follow these steps:
1. Click WAN Setup link on the Advanced section of the main menu.
2. Type the IP address for that server. To remove the default DMZ server, replace the IP
address numbers with all zeros.
3. Click Apply.
• Respond to Ping on Internet WAN Port
If you want the router to respond to a 'ping' from the Internet, click the ‘Respond to Ping on
Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows
your router to be discovered. Do not check this box unless you have a specific reason to do so.
Note: DMZ servers pose a security risk. A computer designated as the default DMZ
server loses much of the protection of the firewall, and is exposed to attacks from the
Internet. If compromised, the DMZ server can be used to attack your network.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Advanced Configuration 10-3
March 2004, 202-10027-01
• Setting the MTU Size
The default MTU size is usually fine. The normal MTU (Maximum Transmit Unit) value for
most Ethernet networks is 1500 Bytes. For some ISPs, particularly those using PPPoE, you
may need to reduce the MTU. This should not be done unless you are sure it is necessary for
your ISP.
Any packets sent through the router that are larger than the configured MTU size will be
repackaged into smaller packets to meet the MTU requirement. To change the MTU size,
under MTU Size, enter a new size between 64 and 1500. Then, click Apply to save the new
configuration.
• Setting the WAN Port Speed
In most cases, your router can automatically determine (AutoSense) the connection speed of
the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED
blinks continuously, you may need to manually select the port speed.
If you know that the Ethernet port on your broadband modem supports 100BaseT, select
100M; otherwise, select 10M.
How to Configure Dynamic DNS
If your network has a permanently assigned IP address, you can register a domain name and have
that name linked with your IP address by public Domain Name Servers (DNS). However, if your
Internet account uses a dynamically assigned IP address, you will not know in advance what your
IP address will be, and the address can change frequently. In this case, you can use a commercial
dynamic DNS service, which will allow you to register your domain to their IP address, and will
forward traffic directed to your domain to your frequently-changing IP address.
The router contains a client that can connect to a dynamic DNS service provider. To use this
feature, you must select a service provider and obtain an account with them. After you have
configured your account information in the router, whenever your ISP-assigned IP address
changes, your router will automatically contact your dynamic DNS service provider, log in to your
account, and register your new IP address.
1. Log in to the router at its default LAN address of http://192.168.0.1, with its default user name
of admin, default password of password, or using whatever password and LAN address you
have chosen for the router.
2. From the Main Menu of the browser interface, under Advanced, click on Dynamic DNS.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
10-4 Advanced Configuration
March 2004, 202-10027-01
3. Access the website of one of the dynamic DNS service providers whose names appear in the
‘Select Service Provider’ box, and register for an account.
For example, for dyndns.org, go to www.dyndns.org.
4. Select the “Use a dynamic DNS service” check box.
5. Select the name of your dynamic DNS Service Provider.
6. Type the host name that your dynamic DNS service provider gave you.
The dynamic DNS service provider may call this the domain name. If your URL is
myName.dyndns.org, then your host name is “myName.”
7. Type the user name for your dynamic DNS account.
8. Type the password (or key) for your dynamic DNS account.
9. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may
select the Use wildcards check box to activate this feature.
For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same
IP address as yourhost.dyndns.org
10. Click Apply to save your configuration.
Note: If your ISP assigns a private WAN IP address, such as 192.168.x.x or 10.x.x.x,
the dynamic DNS service will not work because private addresses will not be routed on
the Internet.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Advanced Configuration 10-5
March 2004, 202-10027-01
Using the LAN IP Setup Options
The second feature category under the Advanced heading is LAN IP Setup. This menu allows
configuration of LAN IP services, such as DHCP and RIP. From the Main Menu of the browser
interface, under Advanced, click on LAN IP Setup to view the LAN IP Setup menu, shown below.
Figure 10-2: LAN IP Setup Menu
Configuring LAN TCP/IP Setup Parameters
The router is shipped preconfigured to use private IP addresses on the LAN side, and to act as a
DHCP server. The router’s default LAN IP configuration is:
• LAN IP addresses—192.168.0.1
• Subnet mask—255.255.255.0
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
10-6 Advanced Configuration
March 2004, 202-10027-01
These addresses are part of the IETF-designated private address range for use in private networks,
and should be suitable in most applications. If your network has a requirement to use a different IP
addressing scheme, you can make those changes in this menu.
The LAN IP parameters are:
• IP Address
This is the LAN IP address of the router.
• IP Subnet Mask
This is the LAN Subnet Mask of the router. Combined with the IP address, the IP Subnet Mask
allows a device to know which other addresses are local to it, and which must be reached
through a gateway or router.
• RIP Direction
RIP (Router Information Protocol) allows a router to exchange routing information with other
routers. The RIP Direction selection controls how the router sends and receives RIP packets.
Both is the default.
— When set to Both or Out Only, the router will broadcast its routing table periodically.
— When set to Both or In Only, it will incorporate the RIP information that it receives.
— When set to None, it will not send any RIP packets and will ignore any RIP packets
received.
• RIP Version
This controls the format and the broadcasting method of the RIP packets that the router sends.
(It recognizes both formats when receiving.) By default, this is set for RIP-1.
— RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you
have an unusual network setup.
— RIP-2 carries more information. RIP-2B uses subnet broadcasting.
Note: If you change the LAN IP address of the router while connected through the
browser, you will be disconnected. You must then open a new connection to the new IP
address and log in again.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Advanced Configuration 10-7
March 2004, 202-10027-01
Using the Router as a DHCP server
By default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server,
allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to
the router's LAN. The assigned default gateway address is the LAN address of the router. IP
addresses will be assigned to the attached PCs from a pool of addresses specified in this menu.
Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.
For most applications, the default DHCP and TCP/IP settings of the router are satisfactory. See “IP
Configuration by DHCP” on page B-10 for an explanation of DHCP and information about how to
assign IP addresses for your network.
If another device on your network will be the DHCP server, or if you will manually configure the
network settings of all of your computers, clear the ‘Use router as DHCP server’ check box.
Otherwise, leave it checked.
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP
Address. These addresses should be part of the same IP address subnet as the router’s LAN IP
address. Using the default addressing scheme, you should define a range between 192.168.0.2 and
192.168.0.253, although you may wish to save part of the range for devices with fixed addresses.
The router will deliver the following parameters to any LAN device that requests DHCP:
• An IP Address from the range you have defined.
• Subnet Mask.
• Gateway IP Address (the router’s LAN IP address).
• Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu;
otherwise, the router’s LAN IP address).
• Secondary DNS Server (if you entered a Secondary DNS address in the Basic Settings menu).
Using Address Reservation
When you specify a reserved IP address for a computer on the LAN, that computer will always
receive the same IP address each time it access the router’s DHCP server. Reserved IP addresses
should be assigned to servers that require permanent IP settings.
To reserve an IP address:
1. Click the Add button.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
10-8 Advanced Configuration
March 2004, 202-10027-01
2. In the IP Address box, type the IP address to assign to the computer or server.
(choose an IP address from the router’s LAN subnet, such as 192.168.0.X)
3. Type the MAC Address of the computer or server.
(Tip: If the computer is already present on your network, you can copy its MAC address from
the Attached Devices menu and paste it here.)
4. Click Apply to enter the reserved address into the table.
Note: The reserved address will not be assigned until the next time the computer contacts the
router's DHCP server. Reboot the computer or access its IP configuration and force a DHCP
release and renew.
To edit or delete a reserved address entry:
1. Click the button next to the reserved address you want to edit or delete.
2. Click Edit or Delete.
Configuring Static Routes
Static Routes provide additional routing information to your router. Under normal circumstances,
the router has adequate routing information after it has been configured for Internet access, and
you do not need to configure additional static routes. You must configure static routes only for
unusual cases, such as multiple routers or multiple IP subnets located on your network.
From the Main Menu of the browser interface, under Advanced, click on Static Routes to view the
Static Route menu.
To add or edit a Static Route:
1. Click the Add button to open the Static Routes menu.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Advanced Configuration 10-9
March 2004, 202-10027-01
Figure 10-3. Static Route Entry and Edit Menu
2. Type a route name for this static route in the Route Name box.
(This is for identification purpose only.)
3. Select Active to make this route effective.
4. Select Private if you want to limit access to the LAN only. The static route will not be reported
in RIP.
5. Type the Destination IP Address of the final destination.
6. Type the IP Subnet Mask for this destination.
If the destination is a single host, type 255.255.255.254.
7. Type the Gateway IP Address, which must be a router on the same LAN segment as the router.
8. Type a number between 1 and 15 as the Metric value.
This represents the number of routers between your network and the destination. Usually, a
setting of 2 or 3 works, but if this is a direct connection, set it to 1.
9. Click Apply to have the static route entered into the table.
As an example of when a static route is needed, consider the following case:
• Your primary Internet access is through a cable modem to an ISP.
• You have an ISDN router on your home network for connecting to the company where
you are employed. This router’s address on your LAN is 192.168.0.100.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
10-10 Advanced Configuration
March 2004, 202-10027-01
• Your company’s network is 134.177.0.0.
When you first configured your router, two implicit static routes were created. A default route was
created with your ISP as the gateway, and a second static route was created to your local network
for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the
134.177.0.0 network, your router will forward your request to the ISP. The ISP forwards your
request to the company where you are employed, and the request will likely be denied by the
company’s firewall.
In this case you must define a static route, telling your router that 134.177.0.0 should be accessed
through the ISDN router at 192.168.0.100. The static route would look like Figure 10-3.
In this example:
• The Destination IP Address and IP Subnet Mask fields specify that this static route applies to
all 134.177.x.x addresses.
• The Gateway IP Address fields specifies that all traffic for these addresses should be
forwarded to the ISDN router at 192.168.0.100.
• A Metric value of 1 will work since the ISDN router is on the LAN.
• Private is selected only as a precautionary security measure in case RIP is activated.
Enabling Remote Management Access
Using the Remote Management page, you can allow a user or users on the Internet to configure,
upgrade and check the status of your FWG114P Wireless Firewall/Print Server.
To configure your router for Remote Management:
1. Select the Turn Remote Management On check box.
2. Specify what external addresses will be allowed to access the router’s remote management.
Note: For enhanced security, restrict access to as few external IP addresses as practical.
a. To allow access from any IP address on the Internet, select Everyone.
Note: Be sure to change the router's default configuration password to a very secure
password. The ideal password should contain no dictionary words from any language,
and should be a mixture of letters (both upper and lower case), numbers, and symbols.
Your password can be up to 30 characters.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Advanced Configuration 10-11
March 2004, 202-10027-01
b. To allow access from a range of IP addresses on the Internet, select IP address range.
Enter a beginning and ending IP address to define the allowed range.
c. To allow access from a single IP address on the Internet, select Only this computer.
Enter the IP address that will be allowed access.
3. Specify the Port Number that will be used for accessing the management interface.
Web browser access normally uses the standard HTTP service port 80. For greater security,
you can change the remote management Web interface to a custom port by entering that
number in the box provided. Choose a number between 1024 and 65535, but do not use the
number of any common service port. The default is 8080, which is a common alternate for
HTTP.
4. Click Apply to have your changes take effect.
Note: When accessing your router from the Internet, you will type your router's WAN IP address
into your browser's Address (in IE) or Location (in Netscape) box, followed by a colon (:) and the
custom port number. For example, if your external address is 134.177.0.123 and you use port
number 8080, you must enter in your browser: http://134.177.0.123:8080
Using Universal Plug and Play (UPnP)
Universal Plug and Play (UPnP) helps devices, such as Internet appliances and computers, access
the network and connect to other devices as needed. UPnP devices can automatically discover the
services from other registered UPnP devices on the network.
Figure 10-4. UPnP Menu
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
10-12 Advanced Configuration
March 2004, 202-10027-01
Turn UPnP On: UPnP can be enabled or disabled for automatic device configuration. The default
setting for UPnP is enabled. If disabled, the router will not allow any device to automatically
control the resources, such as port forwarding (mapping), of the router.
Advertisement Period: The Advertisement Period is how often the router will broadcast its UPnP
information. This value can range from 1 to 1440 minutes. The default period is 30 minutes.
Shorter durations will ensure that control points have current device status at the expense of
additional network traffic. Longer durations may compromise the freshness of the device status but
can significantly reduce network traffic.
Advertisement Time To Live: The time to live for the advertisement is measured in hops (steps)
for each UPnP packet sent. The time to live hop count is the number of steps a broadcast packet is
allowed to propagate for each UPnP advertisement before it disappears. The number of hops can
range from 1 to 255. The default value for the advertisement time to live is 4 hops, which should
be fine for most home networks. If you notice that some devices are not being updated or reached
correctly, then it may be necessary to increase this value a little.
UPnP Portmap Table: The UPnP Portmap Table displays the IP address of each UPnP device that
is currently accessing the router and which ports (Internal and External) that device has opened.
The UPnP Portmap Table also displays what type of port is opened and if that port is still active for
each IP address.
Advanced Wireless Settings
Note: Incorrectly changing these settings can prevent the wireless functions from working.
• RTS Threshold
Request to Send Threshold. The packet size that is used to determine if it should use the
CSMA/CD (Carrier Sense Multiple Access with Collision Detection) mechanism or the
CSMA/CA define the mechanism for packet transmission. With the CSMA/CD transmission
mechanism, the transmitting station sends out the actual packet as soon as it has waited for the
silence period. With the CSMA/CA transmission mechanism, the transmitting station sends
out an RTS packet to the receiving station, and waits for the receiving station to send back a
CTS (Clear to Send) packet before sending the actual packet data.
• Fragmentation Length
This is the maximum packet size used for fragmentation. Packets larger than the size
programmed in this field will be fragmented. The Fragment Threshold value must be larger
than the RTS Threshold value.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Advanced Configuration 10-13
March 2004, 202-10027-01
• Beacon Interval
Specifies the data beacon rate between 20 and 1000.
•DTIM
The Delivery Traffic Indication Message. Specifies the data beacon rate between 1 and 255.
• Preamble Type
A long transmit preamble may provide a more reliable connection or slightly longer range. A
short transmit preamble gives better performance.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
10-14 Advanced Configuration
March 2004, 202-10027-01
Troubleshooting 11-1
March 2004, 202-10027-01
Chapter 11
Troubleshooting
This chapter gives information about troubleshooting your ProSafe Wireless 802.11g Firewall/
Print Server Model FWG114P. After each problem description, instructions are provided to help
you diagnose and solve the problem.
Basic Functioning
After you turn on power to the router, the following sequence of events should occur:
1. When power is first applied, verify that the PWR LED is on.
2. After approximately 10 seconds, verify that:
a. The TEST LED is not lit.
b. The LAN port LEDs are lit for any local ports that are connected.
If a port’s LED is lit, a link has been established to the connected device. If a LAN port is
connected to a 100 Mbps device, verify that the port’s LED is green. If the port is 10
Mbps, the LED will be OFF.
c. The Internet port LED is lit.
If any of these conditions does not occur, refer to the appropriate following section.
Power LED Not On
If the Power and other LEDs are off when your router is turned on:
• Make sure that the power cord is properly connected to your router and that the power supply
adapter is properly connected to a functioning power outlet.
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product.
If the error persists, you have a hardware problem and should contact technical support.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
11-2 Troubleshooting
March 2004, 202-10027-01
LEDs Never Turn Off
When the router is turned on, the LEDs turns on for about 10 seconds and then turns off. If all the
LEDs stay on, there is a fault within the router.
If all LEDs are still on one minute after power up:
• Cycle the power to see if the router recovers.
• Clear the router’s configuration to the factory defaults. This will set the router’s IP address to
192.168.0.1. This procedure is explained in “Restoring the Default Configuration and
Password” on page 11-7.
If the error persists, you might have a hardware problem and should contact technical support.
LAN or Internet Port LEDs Not On
If either the LAN LEDs or the Internet LED do not light when the Ethernet connection is made,
check the following:
• Make sure that the Ethernet cable connections are secure at the router and at the hub or
workstation.
• Make sure that power is turned on to the connected hub or workstation.
• Be sure you are using the correct cable:
When connecting the router’s Internet port to a broadband modem, use the cable that was
supplied with the broadband modem. This cable could be a standard straight-through Ethernet
cable or an Ethernet crossover cable.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Troubleshooting 11-3
March 2004, 202-10027-01
Troubleshooting the Web Configuration Interface
If you are unable to access the router’s Web Configuration interface from a computer on your local
network, check the following:
• Check the Ethernet connection between the computer and the router as described in the
previous section.
• Make sure your computer’s IP address is on the same subnet as the router. If you are using the
recommended addressing scheme, your computer’s address should be in the range of
192.168.0.2 to 192.168.0.254. Refer to “Verifying TCP/IP Properties” on page 3-5 or
“Verifying TCP/IP Properties (Macintosh)” on page 3-8 to find your computer’s IP address.
Follow the instructions in Chapter 4 to configure your computer.
Note: If your computer’s IP address is shown as 169.254.x.x: Recent versions of Windows
and MacOS will generate and assign an IP address if the computer cannot reach a DHCP
server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in
this range, check the connection from the computer to the router and reboot your computer.
• If your router’s IP address has been changed and you do not know the current IP address, clear
the router’s configuration to the factory defaults. This will set the router’s IP address to
192.168.0.1. This procedure is explained in “Restoring the Default Configuration and
Password” on page 11-7.
• Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet
Explorer, click Refresh to be sure the Java applet is loaded.
• Try quitting the browser and launching it again.
• Make sure you are using the correct login information. The factory default login name is
admin and the password is password. Make sure that CAPS LOCK is off when entering this
information.
If the router does not save changes you have made in the Web Configuration Interface, check the
following:
• When entering configuration settings, be sure to click the APPLY button before moving to
another menu or tab, or your changes will be lost.
• Click the Refresh or Reload button in the Web browser. The changes may have occurred, but
the Web browser may be caching the old configuration.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
11-4 Troubleshooting
March 2004, 202-10027-01
Troubleshooting the ISP Connection
If your router is unable to access the Internet, you should first determine whether the router is able
to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your
router must request an IP address from the ISP. You can determine whether the request was
successful using the Web Configuration Manager.
To check the WAN IP address:
1. Launch your browser and select an external site, such as www.netgear.com.
2. Access the Main Menu of the router’s configuration at http://192.168.0.1.
3. Under the Maintenance heading, select Router Status.
4. Check that an IP address is shown for the WAN Port.
If 0.0.0.0 is shown, your router has not obtained an IP address from your ISP.
If your router is unable to obtain an IP address from the ISP, you may need to force your
broadband modem to recognize your new router by performing the following procedure:
1. Turn off power to the broadband modem.
2. Turn off power to your router.
3. Wait five minutes and reapply power to the broadband modem.
4. When the modem’s LEDs indicate that it has reacquired sync with the ISP, reapply power to
your router.
If your router is still unable to obtain an IP address from the ISP, the problem may be one of the
following:
• Your ISP may require a login program.
Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.
• If your ISP requires a login, you may have incorrectly set the login name and password.
• Your ISP may check for your computer's host name.
Assign the computer Host Name of your ISP account as the Account Name in the Basic
Settings menu.
• Your ISP only allows one Ethernet MAC address to connect to Internet, and may check for
your computer’s MAC address. In this case:
Inform your ISP that you have bought a new network device and ask them to use the router’s
MAC address.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Troubleshooting 11-5
March 2004, 202-10027-01
OR
Configure your router to spoof your computer’s MAC address. This can be done in the Basic
Settings menu. Refer to “Manually Configuring Your Internet Connection” on page 3-17.
If your router can obtain an IP address, but your computer is unable to load any Web pages from
the Internet:
• Your computer may not recognize any DNS server addresses.
A DNS server is a host on the Internet that translates Internet names (such as www addresses)
to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS
servers for your use. If you entered a DNS address during the router’s configuration, reboot
your computer and verify the DNS address as described in “Verifying TCP/IP Properties” on
page 3-5. Alternatively, you may configure your computer manually with DNS addresses, as
explained in your operating system documentation.
• Your computer may not have the router configured as its TCP/IP gateway.
If your computer obtains its information from the router by DHCP, reboot the computer and
verify the gateway address as described in “Verifying TCP/IP Properties” on page 3-5.
Troubleshooting a TCP/IP Network Using a Ping Utility
Most TCP/IP terminal devices and routers contain a ping utility that sends an echo request packet
to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP
network is made very easy by using the ping utility in your computer or workstation.
Testing the LAN Path to Your Router
You can ping the router from your computer to verify that the LAN path to your router is set up
correctly.
To ping the router from a computer running Windows 95 or later:
1. From the Windows toolbar, click on the Start button and select Run.
2. In the field provided, type Ping followed by the IP address of the router, as in this example:
ping 192.168.0.1
3. Click on OK.
You should see a message like this one:
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
11-6 Troubleshooting
March 2004, 202-10027-01
Pinging <IP address> with 32 bytes of data
If the path is working, you see this message:
Reply from < IP address >: bytes=32 time=NN ms TTL=xxx
If the path is not working, you see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections
— Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN
or Internet Port LEDs Not On” on page 11-2.
— Check that the corresponding Link LEDs are on for your network interface card and
for the hub ports (if any) that are connected to your workstation and router.
• Wrong network configuration
— Verify that the Ethernet card driver software and TCP/IP software are both installed
and configured on your computer or workstation.
— Verify that the IP address for your router and your workstation are correct and that the
addresses are on the same subnet.
Testing the Path from Your Computer to a Remote Device
After verifying that the LAN path works correctly, test the path from your computer to a remote
device. From the Windows run menu, type:
PING -n 10 <IP address>
where <IP address> is the IP address of a remote device, such as your ISP’s DNS server.
If the path is functioning correctly, replies as in the previous section are displayed. If you do not
receive replies:
— Check that your computer has the IP address of your router listed as the default gateway. If
the IP configuration of your computer is assigned by DHCP, this information will not be
visible in your computer’s Network Control Panel. Verify that the IP address of the router
is listed as the default gateway as described in “Verifying TCP/IP Properties” on page 3-5.
— Check to see that the network address of your computer (the portion of the IP address
specified by the netmask) is different from the network address of the remote device.
— Check that your broadband modem is connected and functioning.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Troubleshooting 11-7
March 2004, 202-10027-01
— If your ISP assigned a host name to your computer, enter that host name as the Account
Name in the Basic Settings menu.
— Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many
broadband ISPs restrict access by only allowing traffic from the MAC address of your
broadband modem, but some ISPs additionally restrict access to the MAC address of a
single computer connected to that modem. If this is the case, you must configure your
router to “clone” or “spoof” the MAC address from the authorized computer. Refer to
“Manually Configuring Your Internet Connection” on page 3-17.
Restoring the Default Configuration and Password
This section explains how to restore the factory default configuration settings, changing the
router’s administration password to password and the IP address to 192.168.0.1. You can erase the
current configuration and restore factory defaults in two ways:
• Use the Erase function of the router (see “Erasing the Configuration” on page 9-8).
• Use the Default Reset button on the rear panel of the router. Use this method for cases when
the administration password or IP address is not known.
To restore the factory default configuration settings without knowing the administration password
or IP address, you must use the Default Reset button on the rear panel of the router.
1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds).
2. Release the Default Reset button and wait for the router to reboot.
Problems with Date and Time
The E-Mail menu in the Content Filtering section displays the current date and time of day. The
FWG114P Wireless Firewall/Print Server uses the Network Time Protocol (NTP) to obtain the
current time from one of several Network Time Servers on the Internet. Each entry in the log is
stamped with the date and time of day. Problems with the date and time function can include:
• Date shown is January 1, 2000. Cause: The router has not yet successfully reached a Network
Time Server. Check that your Internet access settings are configured correctly. If you have just
completed configuring the router, wait at least five minutes and check the date and time again.
• Time is off by one hour. Cause: The router does not automatically sense Daylight Savings
Time. In the E-Mail menu, check or uncheck the box marked “Adjust for Daylight Savings
Time”.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
11-8 Troubleshooting
March 2004, 202-10027-01
Technical Specifications A-1
March 2004, 202-10027-01
Appendix A
Technical Specifications
This appendix provides technical specifications for the ProSafe Wireless 802.11g Firewall/Print
Server Model FWG114P.
Network Protocol and Standards Compatibility
Data and Routing
Protocols: TCP/IP, RIP-1, RIP-2, DHCP
PPP over Ethernet (PPPoE)
VPN
Protocols:
Tunnels:
IPSec, SHA-1, MD5, DES, 3DES, ESP, DH1, DH2
2 IPSec Tunnels
Power Adapter
North America: 120V, 60 Hz, input
United Kingdom,
Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Japan: 100V, 50/60 Hz, input
All regions (output): 12 V DC @ 1.2 A output, 18W maximum
Physical Specifications
Dimensions: H: 32 x L: 188 x W: 124 mm (1.25 x 7.4 x 4.9 in.)
Weight: 0.64 kg (1.4 lb)
Environmental
Specifications
Operating temperature: 0° to 40° C (32º to 104º F)
Operating humidity: 90% maximum relative humidity, noncondensing
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
A-2 Technical Specifications
March 2004, 202-10027-01
Electromagnetic
Emissions
For North America and
Australia FCC Part 15 Class B
For Japan VCCI Class B
For Europe EN 300 328, EN 301 489-17, EN 301 489-1, EN 60950
Interface Specifications
LAN: 10BASE-T or 100BASE-Tx, RJ-45
WAN: 10BASE-T or 100BASE-Tx
Printer: USB v1.1
Serial: RS-232 male DB-9 connector
Wireless
Data Encoding: 802.11b: Direct Sequence Spread Spectrum (DSSS)
802.11g: Orthogonal Frequency Division Multiplexing (OFDM)
Maximum Computers Per
Wireless Network: Limited by the amount of wireless network traffic generated by each
node. Typically 30-70 nodes.
802.11b and g
Radio Data Rate 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, and 54 Mbps (Auto-rate capable)
802.11b and g
Transmit Power and
Receive Sensitivity
Maximum Transmit Power / Receive Sensitivity
54 Mbps, 11g 14.5 dBm typical - 72 dBm typical
48 Mbps, 11g 14.5 dBm typical - 75 dBm typical
36 Mbps, 11g 15.5 dBm typical - 80dBm typical
24 Mbps, 11g 15.5 dBm typical - 82 dBm typical
18Mbps, 11g 16.5 dBm typical - 84 dBm typical
12 Mbps, 11g 16.5 dBm typical - 85 dBm typical
6 Mbps, 11g 16.5 dBm typical - 86 dBm typical
11 Mbps, 11b 17.5 dBm typical - 83 dBm typical
5.5 Mbps, 11b 17.5 dBm typical - 86 dBm typical
2 Mbps, 11b 17.5 dBm typical - 89 dBm typical
1Mbps, 11b 17.5 dBm typical - 92 dBm typical
Note: For Europe, the maximum transmit power does not exceed +15 dBm
Antenna: External detachable 5 dBi omnidirectional
802.11 Security 40-bits (also called 64-bits), 128-bits WEP data encryption, and WPA
Networks, Routing, and Firewall Basics B-1
March 2004, 202-10027-01
Appendix B
Networks, Routing, and Firewall Basics
This appendix provides an overview of IP networks, routing, and firewalls.
Related Publications
As you read this document, you may be directed to various RFC documents for further
information. An RFC is a Request For Comment (RFC) published by the Internet Engineering
Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
The RFC documents outline and define the standard protocols and procedures for the Internet. The
documents are listed on the World Wide Web at www.ietf.org and are mirrored and indexed at
many other sites worldwide.
Basic Router Concepts
Large amounts of bandwidth can be provided easily and relatively inexpensively in a local area
network (LAN). However, providing high bandwidth between a local network and the Internet can
be very expensive. Because of this expense, Internet access is usually provided by a slower-speed
wide-area network (WAN) link, such as a cable or DSL modem. In order to make the best use of
the slower WAN link, a mechanism must be in place for selecting and transmitting only the data
traffic meant for the Internet. The function of selecting and forwarding this data is performed by a
router.
What is a Router?
A router is a device that forwards traffic between networks based on network layer information in
the data and on routing tables maintained by the router. In these routing tables, a router builds up a
logical picture of the overall network by gathering and exchanging information with other routers
in the network. Using this information, the router chooses the best path for forwarding network
traffic.
Routers vary in performance and scale, number of routing protocols supported, and types of
physical WAN connection they support.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
B-2 Networks, Routing, and Firewall Basics
March 2004, 202-10027-01
Routing Information Protocol
One of the protocols used by a router to build and maintain a picture of the network is the Routing
Information Protocol (RIP). Using RIP, routers periodically update one another and check for
changes to add to the routing table.
The FWG114P Wireless Firewall/Print Server supports both the older RIP-1 and the newer RIP-2
protocols. Among other improvements, RIP-2 supports subnet and multicast protocols. RIP is not
required for most home applications.
IP Addresses and the Internet
Because TCP/IP networks are interconnected across the world, every machine on the Internet must
have a unique address to make sure that transmitted data reaches the correct destination. Blocks of
addresses are assigned to organizations by the Internet Assigned Numbers Authority (IANA).
Individual users and small organizations may obtain their addresses either from the IANA or from
an Internet service provider (ISP). You can contact IANA at www.iana.org.
The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot
notation (also called dotted-decimal notation), in which each group of eight bits is written in
decimal form, separated by decimal points.
For example, the following binary address:
11000011 00100010 00001100 00000111
is normally written as:
195.34.12.7
The latter version is easier to remember and easier to enter into your computer.
In addition, the 32 bits of the address are subdivided into two parts. The first part of the address
identifies the network, and the second part identifies the host node or station on the network. The
dividing point may vary depending on the address range and the application.
There are five standard classes of IP addresses. These address classes have different ways of
determining the network and host sections of the address, allowing for different numbers of hosts
on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP
software to identify the address class. After the address class has been determined, the software
can correctly identify the host section of the address. The following figure shows the three main
address classes, including network and host sections of the address for each address type.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Networks, Routing, and Firewall Basics B-3
March 2004, 202-10027-01
Figure 11-1: Three Main Address Classes
The five address classes are:
• Class A
Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit
network number and a 24-bit node number. Class A addresses are in this range:
1.x.x.x to 126.x.x.x.
• Class B
Class B addresses can have up to 65,354 hosts on a network. A Class B address uses a 16-bit
network number and a 16-bit node number. Class B addresses are in this range:
128.1.x.x to 191.254.x.x.
• Class C
Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the
network address and eight bits for the node. They are in this range:
192.0.1.x to 223.255.254.x.
• Class D
Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are
in this range:
224.0.0.0 to 239.255.255.255.
• Class E
Class E addresses are for experimental use.
C
lass A
N
etwork Node
C
lass B
C
lass C
Network Node
Network Node
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
B-4 Networks, Routing, and Firewall Basics
March 2004, 202-10027-01
This addressing structure allows IP addresses to uniquely identify each physical network and each
node on each physical network.
For each unique value of the network portion of the address, the base address of the range (host
address of all zeros) is known as the network address and is not usually assigned to a host. Also,
the top address of the range (host address of all ones) is not assigned, but is used as the broadcast
address for simultaneously sending a packet to all hosts with the same network address.
Netmask
In each of the address classes previously described, the size of the two parts (network address and
host address) is implied by the class. This partitioning scheme can also be expressed by a netmask
associated with the IP address. A netmask is a 32-bit quantity that, when logically combined (using
an AND operator) with an IP address, yields the network address. For instance, the netmasks for
Class A, B, and C addresses are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.
For example, the address 192.168.170.237 is a Class C IP address whose network portion is the
upper 24 bits. When combined (using an AND operator) with the Class C netmask, as shown here,
only the network portion of the address remains:
11000000 10101000 10101010 11101101 (192.168.170.237)
combined with:
11111111 11111111 11111111 00000000 (255.255.255.0)
Equals:
11000000 10101000 10101010 00000000 (192.168.170.0)
As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of
the number of ones from the left. This number is appended to the IP address, following a backward
slash (/), as “/n.” In the example, the address could be written as 192.168.170.237/24, indicating
that the netmask is 24 ones followed by 8 zeros.
Subnet Addressing
By looking at the addressing structures, you can see that even with a Class C address, there are a
large number of hosts per network. Such a structure is an inefficient use of addresses if each end of
a routed link requires a different network number. It is unlikely that the smaller office LANs would
have that many devices. You can resolve this problem by using a technique known as subnet
addressing.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Networks, Routing, and Firewall Basics B-5
March 2004, 202-10027-01
Subnet addressing allows us to split one IP network address into smaller multiple physical
networks known as subnetworks. Some of the node numbers are used as a subnet number instead.
A Class B address gives us 16 bits of node numbers translating to 64,000 nodes. Most
organizations do not use 64,000 nodes, so there are free bits that can be reassigned. Subnet
addressing makes use of those bits that are free, as shown below.
Figure 11-2: Example of Subnetting a Class B Address
A Class B address can be effectively translated into multiple Class C addresses. For example, the
IP address of 172.16.0.0 is assigned, but node addresses are limited to 255 maximum, allowing
eight extra bits to use as a subnet address. The IP address of 172.16.97.235 would be interpreted as
IP network address 172.16, subnet number 97, and node number 235. In addition to extending
the number of addresses available, subnet addressing provides other benefits. Subnet addressing
allows a network manager to construct an address scheme for the network by using different
subnets for other geographical locations in the network or for other departments in the
organization.
Although the preceding example uses the entire third octet for a subnet address, note that you are
not restricted to octet boundaries in subnetting. To create more network numbers, you need only
shift some bits from the host address to the network address. For instance, to partition a Class C
network number (192.68.135.0) into two, you shift one bit from the host address to the network
address. The new netmask (or subnet mask) is 255.255.255.128. The first subnet has network
number 192.68.135.0 with hosts 192.68.135.1 to 129.68.135.126, and the second subnet has
network number 192.68.135.128 with hosts 192.68.135.129 to 192.68.135.254.
Note: The number 192.68.135.127 is not assigned because it is the broadcast address
of the first subnet. The number 192.68.135.128 is not assigned because it is the network
address of the second subnet.
7262
C
lass B
Network Subnet Node
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
B-6 Networks, Routing, and Firewall Basics
March 2004, 202-10027-01
The following table lists the additional subnet mask bits in dotted-decimal notation. To use the
table, write down the original class netmask and replace the 0 value octets with the dotted-decimal
value of the additional subnet bits. For example, to partition your Class C network with subnet
mask 255.255.255.0 into 16 subnets (4 bits), the new subnet mask becomes 255.255.255.240.
The following table displays several common netmask values in both the dotted-decimal and the
masklength formats.
Table 11-1. Netmask Notation Translation Table for One Octet
Number of Bits Dotted-Decimal Value
1 128
2 192
3 224
4 240
5 248
6 252
7 254
8 255
Table 11-2. Netmask Formats
Dotted-Decimal Masklength
255.0.0.0 /8
255.255.0.0 /16
255.255.255.0 /24
255.255.255.128 /25
255.255.255.192 /26
255.255.255.224 /27
255.255.255.240 /28
255.255.255.248 /29
255.255.255.252 /30
255.255.255.254 /31
255.255.255.255 /32
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Networks, Routing, and Firewall Basics B-7
March 2004, 202-10027-01
NETGEAR strongly recommends that you configure all hosts on a LAN segment to use the same
netmask for the following reasons:
• So that hosts recognize local IP broadcast packets.
When a device broadcasts to its segment neighbors, it uses a destination address of the local
network address with all ones for the host address. In order for this scheme to work, all devices
on the segment must agree on which bits comprise the host address.
• So that a local router or bridge recognizes which addresses are local and which are remote.
Private IP Addresses
If your local network is isolated from the Internet (for example, when using NAT), you can assign
any IP addresses to the hosts without problems. However, the IANA has reserved the following
three blocks of IP addresses specifically for private networks:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
NETGEAR recommends that you choose your private network number from this range. The
DHCP server of the FWG114P Wireless Firewall/Print Server is preconfigured to automatically
assign private addresses.
Regardless of your particular situation, do not create an arbitrary IP address; always follow the
guidelines explained here. For more information about address assignment, refer to RFC 1597,
Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP
Address Space. The Internet Engineering Task Force (IETF) publishes RFCs on its Web site at
www.ietf.org.
Single IP Address Operation Using NAT
In the past, if multiple computers on a LAN needed to access the Internet simultaneously, you had
to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a
single-address account typically used by a single user with a modem, rather than a router. The
FWG114P Wireless Firewall/Print Server employs an address-sharing method called Network
Address Translation (NAT). This method allows several networked computers to share an Internet
account using only a single IP address, which may be statically or dynamically assigned by your
ISP.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
B-8 Networks, Routing, and Firewall Basics
March 2004, 202-10027-01
The router accomplishes this address sharing by translating the internal LAN IP addresses to a
single address that is globally unique on the Internet. The internal LAN IP addresses can be either
private addresses or registered addresses. For more information about IP address translation, refer
to RFC 1631, The IP Network Address Translator (NAT).
The following figure illustrates a single IP address operation.
Figure 11-3: Single IP Address Operation Using NAT
This scheme offers the additional benefit of firewall-like protection because the internal LAN
addresses are not available to the Internet through the translated connection. All incoming
inquiries are filtered out by the router. This filtering can prevent intruders from probing your
system. However, using port forwarding, you can allow one PC (for example, a Web server) on
your local network to be accessible to outside users.
1
92.168.0.2
1
92.168.0.3
1
92.168.0.4
1
92.168.0.5
192.168.0.1 172.21.15.105
Private IP addresses
assigned by user
Internet
IP addresses
assigned by ISP
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Networks, Routing, and Firewall Basics B-9
March 2004, 202-10027-01
MAC Addresses and Address Resolution Protocol
An IP address alone cannot be used to deliver data from one LAN device to another. To send data
between LAN devices, you must convert the IP address of the destination device to its media
access control (MAC) address. Each device on an Ethernet network has a unique MAC address,
which is a 48-bit number assigned to each device by the manufacturer. The technique that
associates the IP address with a MAC address is known as address resolution. Internet Protocol
uses the Address Resolution Protocol (ARP) to resolve MAC addresses.
If a device sends data to another station on the network and the destination MAC address is not yet
recorded, ARP is used. An ARP request is broadcast onto the network. All stations on the network
receive and read the request. The destination IP address for the chosen station is included as part of
the message so that only the station with this IP address responds to the ARP request. All other
stations discard the request.
Related Documents
The station with the correct IP address responds with its own MAC address directly to the sending
device. The receiving station provides the transmitting station with the required destination MAC
address. The IP address data and MAC address data for each station are held in an ARP table. The
next time data is sent, the address can be obtained from the address information in the table.
For more information about address assignment, refer to the IETF documents RFC 1597, Address
Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.
For more information about IP address translation, refer to RFC 1631, The IP Network Address
Translator (NAT).
Domain Name Server
Many of the resources on the Internet can be addressed by simple descriptive names, such as
www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive
name must be translated to an IP address in order for a user to actually contact the resource. Just as
a telephone directory maps names to phone numbers, or as an ARP table maps IP addresses to
MAC addresses, a domain name system (DNS) server maps descriptive names of network
resources to IP addresses.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
B-10 Networks, Routing, and Firewall Basics
March 2004, 202-10027-01
When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the
IP address of the resource. The PC sends the desired message using the IP address. Many large
organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the
servers to look up addresses.
IP Configuration by DHCP
When an IP-based local area network is installed, each PC must be configured with an IP address.
If the computers need to access the Internet, they should also be configured with a gateway address
and one or more DNS server addresses. As an alternative to manual configuration, there is a
method by which each PC on the network can automatically obtain this configuration information.
A device on the network may act as a Dynamic Host Configuration Protocol (DHCP) server. The
DHCP server stores a list or pool of IP addresses, along with other information (such as gateway
and DNS addresses) that it may assign to the other devices on the network. The FWG114P
Wireless Firewall/Print Server has the capacity to act as a DHCP server.
The FWG114P Wireless Firewall/Print Server also functions as a DHCP client when connecting to
the ISP. The firewall can automatically obtain an IP address, subnet mask, DNS server addresses,
and a gateway address if the ISP provides this information by DHCP.
Internet Security and Firewalls
When your LAN connects to the Internet through a router, an opportunity is created for outsiders
to access or disrupt your network. A NAT router provides some protection because by the very
nature of the Network Address Translation (NAT) process, the network behind the NAT router is
shielded from access by outsiders on the Internet. However, there are methods by which a
determined hacker can possibly obtain information about your network or at the least can disrupt
your Internet access. A greater degree of protection is provided by a firewall router.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Networks, Routing, and Firewall Basics B-11
March 2004, 202-10027-01
What is a Firewall?
A firewall is a device that protects one network from another, while allowing communication
between the two. A firewall incorporates the functions of the NAT router, while adding features for
dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be
recognized when they occur. When an incident is detected, the firewall can log details of the
attempt, and can optionally send e-mail to an administrator notifying them of the incident. Using
information from the log, the administrator can take action with the ISP of the hacker. In some
types of intrusions, the firewall can fend off the hacker by discarding all further packets from the
hacker’s IP address for a period of time.
Stateful Packet Inspection
Unlike simple Internet sharing routers, a firewall uses a process called stateful packet inspection to
ensure secure firewall filtering to protect your network from attacks and intrusions. Since
user-level applications, such as FTP and Web browsers can create complex patterns of network
traffic, it is necessary for the firewall to analyze groups of network connection "states." Using
stateful packet inspection, an incoming packet is intercepted at the network layer and then
analyzed for state-related information associated with all network connections. A central cache
within the firewall keeps track of the state information associated with all network connections.
All traffic passing through the firewall is analyzed against the state of these connections in order to
determine whether or not it will be allowed to pass through or be rejected.
Denial of Service Attack
A hacker may be able to prevent your network from operating or communicating by launching a
Denial of Service (DoS) attack. The method used for, such an attack can be as simple as merely
flooding your site with more requests than it can handle. A more sophisticated attack may attempt
to exploit some weakness in the operating system used by your router or gateway. Some operating
systems can be disrupted by simply sending a packet with incorrect length information.
Ethernet Cabling
Although Ethernet networks originally used thick or thin coaxial cable, most installations currently
use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in
four twisted pairs, and terminated with an RJ45 type connector. A normal straight-through UTP
Ethernet cable follows the EIA568B standard wiring as described below in Table B-1
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
B-12 Networks, Routing, and Firewall Basics
March 2004, 202-10027-01
.
Category 5 Cable Quality
Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a
maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows:
20 ft. (6 m) between the hub and the patch panel (if used)
295 ft. (90 m) from the wiring closet to the wall outlet
10 ft. (3 m) from the wall outlet to the desktop device
The patch panel and other connecting hardware must meet the requirements for 100 Mbps
operation (Category 5). Only 0.5 inch (1.5 cm) of untwist in the wire pair is allowed at any
termination point.
A twisted pair Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low
quality cables, but at 100 Mbits/second (10BASE-Tx) the cable must be rated as Category 5, or
Cat 5, by the Electronic Industry Association (EIA). This rating will be printed on the cable jacket.
A Category 5 cable will meet specified requirements regarding loss and crosstalk. In addition,
there are restrictions on maximum cable length for both 10 and 100 Mbits/second networks.
Table B-1. UTP Ethernet cable wiring, straight-through
Pin Wire color Signal
1 Orange/White Transmit (Tx) +
2 Orange Transmit (Tx) -
3 Green/White Receive (Rx) +
4Blue
5 Blue/White
6 Green Receive (Rx) -
7 Brown/White
8Brown
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Networks, Routing, and Firewall Basics B-13
March 2004, 202-10027-01
Inside Twisted Pair Cables
For two devices to communicate, the transmitter of each device must be connected to the receiver
of the other device. The crossover function is usually implemented internally as part of the
circuitry in the device. Computers and workstation adapter cards are usually media-dependent
interface ports, called MDI or uplink ports. Most repeaters and switch ports are configured as
media-dependent interfaces with built-in crossover ports, called MDI-X or normal ports. Auto
Uplink technology automatically senses which connection, MDI or MDI-X, is needed and makes
the right connection.
Figure B-1 illustrates straight-through twisted pair cable.
Figure B-1: Straight-Through Twisted-Pair Cable
Figure B-2 illustrates crossover twisted pair cable.
Figure B-2: Crossover Twisted-Pair Cable
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
B-14 Networks, Routing, and Firewall Basics
March 2004, 202-10027-01
Figure B-3: Category 5 UTP Cable with Male RJ-45 Plug at Each End
Note: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone
cable results in excessive collisions, causing the attached port to be partitioned or disconnected
from the network.
Uplink Switches, Crossover Cables, and MDI/MDIX Switching
In the wiring table above, the concept of transmit and receive are from the perspective of the PC,
which is wired as Media Dependant Interface (MDI). In this wiring, the PC transmits on pins 1 and
2. At the hub, the perspective is reversed, and the hub receives on pins 1 and 2. This wiring is
referred to as Media Dependant Interface - Crossover (MDI-X).
When connecting a PC to a PC, or a hub port to another hub port, the transmit pair must be
exchanged with the receive pair. This exchange is done by one of two mechanisms. Most hubs
provide an Uplink switch which will exchange the pairs on one port, allowing that port to be
connected to another hub using a normal Ethernet cable. The second method is to use a crossover
cable, which is a special cable in which the transmit and receive pairs are exchanged at one of the
two cable connectors. Crossover cables are often unmarked as such, and must be identified by
comparing the two connectors. Since the cable connectors are clear plastic, it is easy to place them
side by side and view the order of the wire colors on each. On a straight-through cable, the color
order will be the same on both connectors. On a crossover cable, the orange and blue pairs will be
exchanged from one connector to the other.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Networks, Routing, and Firewall Basics B-15
March 2004, 202-10027-01
The FWG114P Wireless Firewall/Print Server incorporates Auto UplinkTM technology (also called
MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable
plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink
connection (e.g. connecting to a router, switch, or hub). That port will then configure itself to the
correct configuration. This feature also eliminates the need to worry about crossover cables, as
Auto UplinkTM will accommodate either type of cable to make the right connection.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
B-16 Networks, Routing, and Firewall Basics
March 2004, 202-10027-01
Preparing Your Network C-1
March 2004, 202-10027-01
Appendix C
Preparing Your Network
This appendix describes how to prepare your network to connect to the Internet through the
ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P and how to verify the readiness
of broadband Internet service from an Internet service provider (ISP).
Preparing Your Computers for TCP/IP Networking
Computers access the Internet using a protocol called TCP/IP (Transmission Control Protocol/
Internet Protocol). Each computer on your network must have TCP/IP installed and selected as its
networking protocol. If a Network Interface Card (NIC) is already installed in your PC, then TCP/
IP is probably already installed as well.
Most operating systems include the software components you need for networking with TCP/IP:
•Windows
® 95 or later includes the software components for establishing a TCP/IP network.
• Windows 3.1 does not include a TCP/IP component. You need to purchase a third-party TCP/
IP application package, such as NetManage Chameleon.
• Macintosh Operating System 7 or later includes the software components for establishing a
TCP/IP network.
• All versions of UNIX® or Linux® include TCP/IP components. Follow the instructions
provided with your operating system or networking software to install TCP/IP on your
computer.
Note: If an ISP technician configured your computer during the installation of a
broadband modem, or if you configured it using instructions provided by your ISP, you
may need to copy the current configuration information for use in the configuration of
your firewall. Write down this information before reconfiguring your computers. Refer
to “Obtaining ISP Configuration Information for Windows Computers” on page C-10 or
“Obtaining ISP Configuration Information for Macintosh Computers” on page C-11 for
further information.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
C-2 Preparing Your Network
March 2004, 202-10027-01
In your IP network, each PC and the firewall must be assigned unique IP addresses. Each PC must
also have certain other IP configuration information, such as a subnet mask (netmask), a domain
name server (DNS) address, and a default gateway address. In most cases, you should install TCP/
IP so that the PC obtains its specific network configuration information automatically from a
DHCP server during bootup. For a detailed explanation of the meaning and purpose of these
configuration items, refer to “Appendix B, “Networks, Routing, and Firewall Basics.”
The FWG114P Wireless Firewall/Print Server is shipped preconfigured as a DHCP server. The
firewall assigns the following TCP/IP configuration information automatically when the
computers are rebooted:
• PC or workstation IP addresses—192.168.0.2 through 192.168.0.254
• Subnet mask—255.255.255.0
• Gateway address (the firewall)—192.168.0.1
These addresses are part of the IETF-designated private address range for use in private networks.
Configuring Windows 95, 98, and Me for TCP/IP Networking
As part of the PC preparation process, you need to manually install and configure TCP/IP on each
networked PC. Before starting, locate your Windows CD; you may need to insert it during the
TCP/IP installation process.
Install or Verify Windows Networking Components
To install or verify the necessary components for IP networking:
1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.
2. Double-click the Network icon.
The Network window opens, which displays a list of installed components:
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Preparing Your Network C-3
March 2004, 202-10027-01
You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.
If you need to install a new adapter, follow these steps:
a. Click the Add button.
b. Select Adapter, and then click Add.
c. Select the manufacturer and model of your Ethernet adapter, and then click OK.
If you need TCP/IP:
a. Click the Add button.
b. Select Protocol, and then click Add.
c. Select Microsoft.
d. Select TCP/IP, and then click OK.
Note: It is not necessary to remove any other network components shown in the
Network window in order to install the adapter, TCP/IP, or Client for Microsoft
Networks.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
C-4 Preparing Your Network
March 2004, 202-10027-01
If you need Client for Microsoft Networks:
a. Click the Add button.
b. Select Client, and then click Add.
c. Select Microsoft.
d. Select Client for Microsoft Networks, and then click OK.
3. Restart your PC for the changes to take effect.
Enabling DHCP to Automatically Configure TCP/IP Settings
After the TCP/IP protocol components are installed, each PC must be assigned specific
information about itself and resources that are available on its network. The simplest way to
configure this information is to allow the PC to obtain the information from the internal DHCP
server of the FWG114P Wireless Firewall/Print Server. To use DHCP with the recommended
default addresses, follow these steps:
1. Connect all computers to the firewall, then restart the firewall and allow it to boot.
2. On each attached PC, open the Network control panel (refer to the previous section) and select
the Configuration tab.
3. From the components list, select TCP/IP->(your Ethernet adapter) and click Properties.
4. In the IP Address tab, select “Obtain an IP address automatically”.
5. Select the Gateway tab.
6. If any gateways are shown, remove them.
7. Click OK.
8. Restart the PC.
Repeat steps 2 through 8 for each PC on your network.
Selecting Windows’ Internet Access Method
1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.
2. Double-click the Internet Options icon.
3. Select “I want to set up my Internet connection manually” or “I want to connect through a
Local Area Network” and click Next.
4. Select “I want to connect through a Local Area Network” and click Next.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Preparing Your Network C-5
March 2004, 202-10027-01
5. Uncheck all boxes in the LAN Internet Configuration screen and click Next.
6. Proceed to the end of the Wizard.
Verifying TCP/IP Properties
After your PC is configured and has rebooted, you can check the TCP/IP configuration using the
utility winipcfg.exe:
1. On the Windows taskbar, click the Start button, and then click Run.
2. Type winipcfg, and then click OK.
The IP Configuration window opens, which lists (among other things), your IP address, subnet
mask, and default gateway.
3. From the drop-down box, select your Ethernet adapter.
The window is updated to show your settings, which should match the values below if you are
using the default TCP/IP settings that NETGEAR recommends:
• The IP address is between 192.168.0.2 and 192.168.0.254
• The subnet mask is 255.255.255.0
• The default gateway is 192.168.0.1
Configuring Windows NT, 2000 or XP for IP Networking
As part of the PC preparation process, you need to manually install and configure TCP/IP on each
networked PC. Before starting, locate your Windows CD; you may need to insert it during the
TCP/IP installation process.
Installing or Verifying Windows Networking Components
To install or verify the necessary components for IP networking:
1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.
2. Double-click the Network and Dialup Connections icon.
3. If an Ethernet adapter is present in your PC, you should see an entry for Local Area
Connection. Double-click that entry.
4. Select Properties.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
C-6 Preparing Your Network
March 2004, 202-10027-01
5. Verify that ‘Client for Microsoft Networks’ and ‘Internet Protocol (TCP/IP)’ are present. If
not, select Install and add them.
6. Select ‘Internet Protocol (TCP/IP)’, click Properties, and verify that “Obtain an IP address
automatically is selected.
7. Click OK and close all Network and Dialup Connections windows.
8. Make sure your PC is connected to the firewall, then reboot your PC.
Verifying TCP/IP Properties
To check your PC’s TCP/IP configuration:
1. On the Windows taskbar, click the Start button, and then click Run.
The Run window opens.
2. Type cmd and then click OK.
A command window opens
3. Type ipconfig /all
Your IP Configuration information will be listed, and should match the values below if you are
using the default TCP/IP settings that NETGEAR recommends:
• The IP address is between 192.168.0.2 and 192.168.0.254
• The subnet mask is 255.255.255.0
• The default gateway is 192.168.0.1
4. Type exit
Configuring the Macintosh for TCP/IP Networking
Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On
each networked Macintosh, you will need to configure TCP/IP to use DHCP.
MacOS 8.6 or 9.x
1. From the Apple menu, select Control Panels, then TCP/IP.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Preparing Your Network C-7
March 2004, 202-10027-01
The TCP/IP Control Panel opens:
2. From the “Connect via” box, select your Macintosh’s Ethernet interface.
3. From the “Configure” box, select Using DHCP Server.
You can leave the DHCP Client ID box empty.
4. Close the TCP/IP Control Panel.
5. Repeat this for each Macintosh on your network.
MacOS X
1. From the Apple menu, choose System Preferences, then Network.
2. If not already selected, select Built-in Ethernet in the Configure list.
3. If not already selected, Select Using DHCP in the TCP/IP tab.
4. Click Save.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
C-8 Preparing Your Network
March 2004, 202-10027-01
Verifying TCP/IP Properties for Macintosh Computers
After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by
returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP.
The panel is updated to show your settings, which should match the values below if you are using
the default TCP/IP settings that NETGEAR recommends:
• The IP Address is between 192.168.0.2 and 192.168.0.254
• The Subnet mask is 255.255.255.0
• The Router address is 192.168.0.1
If you do not see these values, you may need to restart your Macintosh or you may need to switch
the “Configure” setting to a different option, then back again to “Using DHCP Server”.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Preparing Your Network C-9
March 2004, 202-10027-01
Verifying the Readiness of Your Internet Account
For broadband access to the Internet, you need to contract with an Internet service provider (ISP)
for a single-user Internet access account using a cable modem or DSL modem. This modem must
be a separate physical box (not a card) and must provide an Ethernet port intended for connection
to a Network Interface Card (NIC) in a computer. Your firewall does not support a USB-connected
broadband modem.
For a single-user Internet account, your ISP supplies TCP/IP configuration information for one
computer. With a typical account, much of the configuration information is dynamically assigned
when your PC is first booted up while connected to the ISP, and you will not need to know that
dynamic information.
In order to share the Internet connection among several computers, your firewall takes the place of
the single PC, and you need to configure it with the TCP/IP information that the single PC would
normally use. When the firewall’s Internet port is connected to the broadband modem, the firewall
appears to be a single PC to the ISP. The firewall then allows the computers on the local network to
masquerade as the single PC to access the Internet through the broadband modem. The method
used by the firewall to accomplish this is called Network Address Translation (NAT) or IP
masquerading.
Are Login Protocols Used?
Some ISPs require a special login protocol, in which you must enter a login name and password in
order to access the Internet. If you normally log in to your Internet account by running a program,
such as WinPOET or EnterNet, then your account uses PPP over Ethernet (PPPoE).
When you configure your router, you will need to enter your login name and password in the
router’s configuration menus. After your network and firewall are configured, the firewall will
perform the login task when needed, and you will no longer need to run the login program from
your PC. It is not necessary to uninstall the login program.
What Is Your Configuration Information?
More and more, ISPs are dynamically assigning configuration information. However, if your ISP
does not dynamically assign configuration information but instead uses fixed configurations, your
ISP should have given you the following basic information for your account:
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
C-10 Preparing Your Network
March 2004, 202-10027-01
• An IP address and subnet mask
• A gateway IP address, which is the address of the ISP’s router
• One or more domain name server (DNS) IP addresses
• Host name and domain suffix
For example, your account’s full server names may look like this:
mail.xxx.yyy.com
In this example, the domain suffix is xxx.yyy.com.
If any of these items are dynamically supplied by the ISP, your firewall automatically acquires
them.
If an ISP technician configured your PC during the installation of the broadband modem, or if you
configured it using instructions provided by your ISP, you need to copy the configuration
information from your PC’s Network TCP/IP Properties window or Macintosh TCP/IP Control
Panel before reconfiguring your PC for use with the firewall. These procedures are described next.
Obtaining ISP Configuration Information for Windows Computers
As mentioned above, you may need to collect configuration information from your PC so that you
can use this information when you configure the FWG114P Wireless Firewall/Print Server.
Following this procedure is only necessary when your ISP does not dynamically supply the
account information.
To get the information you need to configure the firewall for Internet access:
1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.
2. Double-click the Network icon.
The Network window opens, which displays a list of installed components.
3. Select TCP/IP, and then click Properties.
The TCP/IP Properties dialog box opens.
4. Select the IP Address tab.
If an IP address and subnet mask are shown, write down the information. If an address is
present, your account uses a fixed (static) IP address. If no address is present, your account
uses a dynamically-assigned IP address. Click “Obtain an IP address automatically”.
5. Select the Gateway tab.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Preparing Your Network C-11
March 2004, 202-10027-01
If an IP address appears under Installed Gateways, write down the address. This is the ISP’s
gateway address. Select the address and then click Remove to remove the gateway address.
6. Select the DNS Configuration tab.
If any DNS server addresses are shown, write down the addresses. If any information appears
in the Host or Domain information box, write it down. Click Disable DNS.
7. Click OK to save your changes and close the TCP/IP Properties dialog box.
You are returned to the Network window.
8. Click OK.
9. Reboot your PC at the prompt. You may also be prompted to insert your Windows CD.
Obtaining ISP Configuration Information for Macintosh
Computers
As mentioned above, you may need to collect configuration information from your Macintosh so
that you can use this information when you configure the FWG114P Wireless Firewall/Print
Server. Following this procedure is only necessary when your ISP does not dynamically supply the
account information.
To get the information you need to configure the firewall for Internet access:
1. From the Apple menu, select Control Panels, then TCP/IP.
The TCP/IP Control Panel opens, which displays a list of configuration settings. If the
“Configure” setting is “Using DHCP Server”, your account uses a dynamically-assigned IP
address. In this case, close the Control Panel and skip the rest of this section.
2. If an IP address and subnet mask are shown, write down the information.
3. If an IP address appears under Router address, write down the address. This is the ISP’s
gateway address.
4. If any Name Server addresses are shown, write down the addresses. These are your ISP’s DNS
addresses.
5. If any information appears in the Search domains information box, write it down.
6. Change the “Configure” setting to “Using DHCP Server”.
7. Close the TCP/IP Control Panel.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
C-12 Preparing Your Network
March 2004, 202-10027-01
Restarting the Network
Once you have set up your computers to work with the firewall, you must reset the network for the
devices to be able to communicate correctly. Restart any computer that is connected to the firewall.
After configuring all of your computers for TCP/IP networking and restarting them, and
connecting them to the local network of your FWG114P Wireless Firewall/Print Server, you are
ready to access and configure the firewall.
Firewall Log Formats D-1
March 2004, 202-10027-01
Appendix D
Firewall Log Formats
Action List
Drop: Packet dropped by Firewall current inbound or outbound rules.
Reset: TCP session reset by Firewall.
Forward: Packet forwarded by Firewall to the next hop based on matching the criteria in
the rules table.
Receive: Packet was permitted by the firewall rules and modified prior to being
forwarded and/or replied to.
Field List
<DATE><TIME>: Log's date and time
<EVENT>: Event is that access the device or access other host via the device
<PKT_TYPE>: Packet type pass Firewall
<SRC_IP><DST_IP>: IP address in the packet
<SRC_PORT><DST_PORT>: Port in the packet
<SRC_INF><DST_INF>: Include `LAN` and `WAN` (optional)
<ACTION>: As `Action List` referenced
<DESCRIPTION>: A complement to the log (optional)
<DIRECTION>: Inbound and Outbound
<SERVICE>: Firewall costumed service
Outbound Log
Outgoing packets that match the Firewall rules are logged.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
D-2 Firewall Log Formats
March 2004, 202-10027-01
The format is:
<DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP > <DST_INF>
<ACTION><DESCRIPTION>
[Fri, 2003-12-05 22:19:42] - UDP Packet - Source:172.31.12.233,138 ,WAN -
Destination:172.31.12.255,138 ,LAN [Drop] - [Inbound Default rule match]
[Fri, 2003-12-05 22:35:04] - TCP Packet - Source:172.31.12.156,34239 ,WAN -
Destination:192.168.0.10,21[FTP Control] ,LAN [Forward] - [Inbound Rule(1)
match]
[Fri, 2003-12-05 22:35:11] - UDP Packet - Source:172.31.12.200,138 ,WAN -
Destination:172.31.12.255,138 ,LAN [Forward] - [Inbound Rule(1) not match]
Notes:
SRC_INF = WAN
DST_INF = LAN
DESCRIPTION = "Inbound rule match", "Inbound Default rule match"
PKT_TYPE = "UDP packet", "TCP connection", "ICMP packet"
Inbound Log
Incoming packets that match the Firewall rules are logged.
The format is:
<DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP > <DST_INF>
<ACTION><DESCRIPTION>
[Fri, 2003-12-05 22:59:56] - ICMP Packet [Echo Request] - Source:192.168.0.10,LAN
- Destination:192.168.0.1,WAN [Forward] - [Outbound Default rule match]
[Fri, 2003-12-05 23:00:58] - ICMP Packet [Echo Request] - Source:192.168.0.10,LAN
- Destination:172.31.12.200,WAN [Forward] - [Outbound Default rule match]
[Fri, 2003-12-05 23:02:30] - TCP Packet - Source:192.168.0.10,3472 ,LAN -
Destination:216.239.39.99,80[HTTP] ,WAN [Forward] - [Outbound Default rule
match]
Notes:
SRC_INF = LAN
DST_INF = WAN
DESCRIPTION = "Outbound rule match", "Outbound Default rule match"
PKT_TYPE = "UDP packet", "TCP connection", "ICMP packet"
Other IP Traffic
Some special packets matching the Firewall rules, like VPN connection, etc. are logged.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Firewall Log Formats D-3
March 2004, 202-10027-01
The format is:
<DATE><TIME><PKT_TYPE>< SRC_IP><SRC_PORT ><SRC_INF>< DST_IP><DST_PORT
><DST_PORT><ACTION><DESCRIPTION>
<DATE><TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>
<DESCRIPTION>
[Wed, 2003-07-30 17:43:28] - IPSEC Packet - Source: 64.3.3.201, 37180 WAN -
Destination: 10.10.10.4,80[HTTP] LAN - [Drop] [VPN Packet]
[Wed, 2003-07-30 18:44:50] - IP Packet [Type Field: 321] - Source 18.7.21.69
192.168.0.3 - [Drop]
Notes:
DESCRIPTION = "VPN Packet"
PKT_TYPE = "GRE", "AH", "ESP", "IP packet [Type Field: Num]", "IPSEC"
ACTION = "Forward", "Drop"
Router Operation
Operations that the router initiates are logged.
The format is:
<DATE><TIME><EVENT>
[Wed, 2003-07-30 16:30:59] - Log emailed
[Wed, 2003-07-30 13:38:31] - NETGEAR activated
[Wed, 2003-07-30 13:42:01] - NTP Reply Invalid
The format is:
<DATE><TIME><EVENT><DST_IP>
<DATE><TIME><EVENT><SRC_IP>
[Wed, 2003-07-30 16:32:33] - Send out NTP Request to 207.46.130.100
[Wed, 2003-07-30 16:35:27] - Receive NTP Reply from 207.46.130.100
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
D-4 Firewall Log Formats
March 2004, 202-10027-01
Other Connections and Traffic to this Router
The format is:
<DATE><TIME>< PKT_TYPE ><SRC_IP><DST_IP><ACTION>
[Fri, 2003-12-05 22:31:27] - ICMP Packet[Echo Request] - Source: 192.168.0.10 -
Destination: 192.168.0.1 - [Receive]
[Wed, 2003-07-30 16:34:56] - ICMP Packet[Type: 238] - Source: 64.3.3.201 -
Destination: 192.168.0.3 - [Drop]
[Fri, 2003-12-05 22:59:56] - ICMP Packet[Echo Request] - Source:192.168.0.10 -
Destination:192.168.0.1 - [Receive]
The format is:
<DATE><TIME><EVENT>< SRC_IP><SRC_PORT ><SRC_INF><
DST_IP><DST_PORT><DST_INF><ACTION>
[Wed, 2003-07-30 16:24:23] - UDP Packet - Source: 207.46.130.100 WAN -
Destination: 10.10.10.4,1234 LAN - [Drop]
[Wed, 2003-07-30 17:48:09] - TCP Packet[SYN] - Source: 64.3.3.201,65534 WAN -
Destination: 10.10.10.4,1765 LAN - [Receive]
[Fri, 2003-12-05 22:07:11] - IP Packet [Type Field:8], from 20.97.173.18 to
172.31.12.157 - [Drop]
Notes:
ACTION = "Drop", "Receive"
EVENT = "ICMP Packet", "UDP Packet", "TCP Packet", "IP Packet"
DoS Attack/Scan
Common attacks and scans are logged.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Firewall Log Formats D-5
March 2004, 202-10027-01
The format is:
<DATE><TIME><PKT_TYPE>< SRC_IP><SRC_PORT ><SRC_INF>< DST_IP><DST_PORT
><DST_PORT><ACTION><DESCRIPTION>
<DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>
<DESCRIPTION>
[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN -
Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:22:38] - TCP Packet - Source:172.31.12.156,59937 ,WAN -
Destination:172.31.12.157,670 ,LAN [Drop] - [Nmap Xmas Scan]
[Fri, 2003-12-05 21:23:06] - TCP Packet - Source:172.31.12.156,39860 ,WAN -
Destination:172.31.12.157,18000 ,LAN [Drop] - [Null Scan]
[Fri, 2003-12-05 21:27:55] - TCP Packet - Source:172.31.12.156,38009 ,WAN -
Destination:172.31.12.157,15220 ,LAN [Drop] - [Full Sapu Scan]
[Fri, 2003-12-05 21:28:56] - TCP Packet - Source:172.31.12.156,35128 ,WAN -
Destination:172.31.12.157,38728 ,LAN [Drop] - [Full Xmas Scan]
[Fri, 2003-12-05 21:30:30] - IP Packet - Source:227.113.223.77,WAN -
Destination:172.31.12.157,LAN [Drop] - [Fragment Attack]
[Fri, 2003-12-05 21:30:30] - IP Packet - Source:20.97.173.18,WAN -
Destination:172.31.12.157,LAN [Drop] - [Targa3 Attack]
[Fri, 2003-12-05 21:30:30] - TCP Packet - Source:3.130.176.84,37860 ,WAN -
Destination:172.31.12.157,63881 ,LAN [Drop] - [Vecna Scan]
[Fri, 2003-12-05 21:30:31] - ICMP Packet [Type 238] - Source:100.110.182.63,WAN
- Destination:172.31.12.157,LAN [Drop] - [ICMP Flood]
[Fri, 2003-12-05 21:33:52] - UDP Packet - Source:127.0.0.1,0 ,WAN -
Destination:172.31.12.157,0 ,LAN [Drop] - [Fragment Attack]
[Fri, 2003-12-05 19:20:00] - TCP Session - Source:54.148.179.175,58595 ,LAN -
Destination:192.168.0.1,20[FTP Data] ,WAN [Reset] - [SYN Flood]
[Fri, 2003-12-05 19:21:22] - UDP Packet - Source:172.31.12.156,7 ,LAN -
Destination:172.31.12.157,7 ,WAN [Drop] - [UDP Flood]
[Fri, 2003-12-05 20:59:08] - ICMP Echo Request packet - Source:192.168.0.5,LAN -
Destination:172.31.12.99,WAN [Drop] - [ICMP Flood]
[Fri, 2003-12-05 18:07:29] - TCP Packet - Source:192.168.0.10,1725 ,LAN -
Destination:61.177.58.50,1352 ,WAN [Drop] - [TCP incomplete sessions overflow]
[Fri, 2003-12-05 21:11:24] - TCP Packet - Source:192.168.0.10,2342 ,LAN -
Destination:61.177.58.50,1352 ,WAN [Drop] - [First TCP Packet not SYN]
Notes:
DESCRIPTION = "SYN Flood", "UDP Flood", "ICMP Flood", "IP Spoofing", "TearDrop",
"Brute Force", "Ping of Death", "Fragment Attack", "Targa3 Attack", "Big Bomb"
"SYN with Data", "Full Xmas Scan", "Full Head Scan", "Full Sapu Scan", "FIN
Scan", "SYN FIN Scan", "Null Scan", "Nmap Xmas Scan", "Vecna Scan", "Tcp SYN RES
Set", "Other Scan"
"TCP incomplete sessions overflow", "TCP preconnect traffic", "TCP invalid
traffic", "First TCP Packet not SYN", "First TCP Packet with no SYN"
<DATE><TIME><PKT_TYPE>< SRC_IP >< DST_IP><ACTION>
[Wed, 2003-07-30 17:45:17] - TCP Packet [Malformed, Length=896] - Source:
64.3.3.201 - Destination: 10.10.10.4 - [Drop]
[Wed, 2003-07-30 17:45:17] - TCP Packet [Malformed, Length=1000] - Source:
64.3.3.201- Destination: 10.10.10.4 - [Forward]
Notes:
PKT_TYPE = "TCP", "UDP", "ICMP", "Proto: Number"
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
D-6 Firewall Log Formats
March 2004, 202-10027-01
Access Block Site
If keyword blocking is enabled and a keyword is specified, attempts to access a site whose URL
contains a specified keyword are logged.
The format is
<DATE> <TIME> <EVENT> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>
[Fri, 2003-12-05 23:01:47] - Attempt to access blocked sites -
Source:192.168.0.10,LAN - Destination:www.google.com/,WAN - [Drop]
Notes:
EVENT = Attempt to access blocked sites
SRC_INF = LAN
DST_INF = WAN
All Web Sites and News Groups Visited
All Web sites and News groups that you visit are logged.
The format is
<DATE> <TIME> <EVENT> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>
[Fri, 2003-12-05 23:03:49] - Access site - Source:192.168.0.10,LAN -
Destination:euro.allyes.com,WAN - [Forward]
Notes:
EVENT = Attempt to access blocked sites
SRC_INF = LAN or WAN
DST_INF = WAN or LAN
System Admin Sessions
Administrator session logins and failed attempts are logged, as well as manual or idle-time
logouts.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Firewall Log Formats D-7
March 2004, 202-10027-01
The format is:
<DATE><TIME><EVENT ><SRC_IP>
<DATE><TIME><EVENT ><SRC_IP><SRC_PORT><DST_IP><DST_PORT><ACTION>
[Fri, 2003-12-05 21:07:43] - Administrator login successful - IP:192.168.0.10
[Fri, 2003-12-05 21:09:16] - Administrator logout - IP:192.168.0.10
[Fri, 2003-12-05 21:09:31] - Administrator login fail, Username error -
IP:192.168.0.10
[Fri, 2003-12-05 21:09:25] - Administrator login fail, Password error -
IP:192.168.0.10
[Fri, 2003-12-05 21:16:15] - Login screen timed out - IP:192.168.0.10
[Fri, 2003-12-05 21:07:43] - Administrator Interface Connecting[TCP] - Source
192.168.0.10,2440 - Destination 192.168.0.1,80 - [Receive]
Notes:
ACTION: Receive or Drop
Policy Administration LOG
<DATE> <TIME> <EVENT> <DIRECTION> <SERVICE>< DESCRIPTION >
[Fri, 2003-12-05 21:48:41] - Administrator Action - Inbound Policy to Service
[BGP] is Added
[Fri, 2003-12-05 21:49:41] - Administrator Action - Outbound Policy to Service
[BGP] is Added
[Fri, 2003-12-05 21:50:14] - Administrator Action - Inbound Policy to Service
[BGP] is Modified
[Fri, 2003-12-05 21:50:57] - Administrator Action - Outbound Policy to Service
[BGP] is Modified
[Fri, 2003-12-05 21:51:14] - Administrator Action - Inbound Policy to Service
[BGP] is Deleted
[Fri, 2003-12-05 21:52:12] - Administrator Action - Inbound Policy to Service
[BGP] is Moved to Index [0]
[Fri, 2003-12-05 21:54:41] - Administrator Action - Outbound Policy to Service
[FTP] is Moved to Index [1]
[Fri, 2003-12-05 22:01:47] - Administrator Action - Inbound Policy to Service
[BGP] is changed to Disable
[Fri, 2003-12-05 22:02:14] - Administrator Action - Inbound Policy to Service
[BGP] is changed to Enable
[Fri, 2003-12-05 22:02:35] - Administrator Action - Outbound Policy to Service
[NFS] is changed to Disable
[Fri, 2003-12-05 22:02:52] - Administrator Action - Outbound Policy to Service
[NFS] is changed to Enable
Notes:
DIRECTION: Inbound or Outbound
SERVICE: Supported service name
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
D-8 Firewall Log Formats
March 2004, 202-10027-01
Wireless Networking Basics E-1
March 2004, 202-10027-01
Appendix E
Wireless Networking Basics
This chapter provides an overview of Wireless networking.
Wireless Networking Overview
The FWG114P Wireless Firewall/Print Server conforms to the Institute of Electrical and
Electronics Engineers (IEEE) 802.11b and 802.11g standards for wireless LANs (WLANs). On an
802.11b or g wireless link, data is encoded using direct-sequence spread-spectrum (DSSS)
technology and is transmitted in the unlicensed radio spectrum at 2.5GHz. The maximum data rate
for the 802.11b wireless link is 11 Mbps, but it will automatically back down from 11 Mbps to 5.5,
2, and 1 Mbps when the radio signal is weak or when interference is detected. The 802.11g auto
rate sensing rates are 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, and 54 Mbps.
The 802.11 standard is also called Wireless Ethernet or Wi-Fi by the Wireless Ethernet
Compatibility Alliance (WECA, see http://www.wi-fi.net), an industry standard group promoting
interoperability among 802.11 devices. The 802.11 standard offers two methods for configuring a
wireless network - ad hoc and infrastructure.
Infrastructure Mode
With a wireless Access Point, you can operate the wireless LAN in the infrastructure mode. This
mode provides wireless connectivity to multiple wireless network devices within a fixed range or
area of coverage, interacting with wireless nodes via an antenna.
In the infrastructure mode, the wireless access point converts airwave data into wired Ethernet
data, acting as a bridge between the wired LAN and wireless clients. Connecting multiple Access
Points via a wired Ethernet backbone can further extend the wireless network coverage. As a
mobile computing device moves out of the range of one access point, it moves into the range of
another. As a result, wireless clients can freely roam from one Access Point domain to another and
still maintain seamless network connection.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
E-2 Wireless Networking Basics
March 2004, 202-10027-01
Ad Hoc Mode (Peer-to-Peer Workgroup)
In an ad hoc network, computers are brought together as needed; thus, there is no structure or fixed
points to the network - each node can generally communicate with any other node. There is no
Access Point involved in this configuration. This mode enables you to quickly set up a small
wireless workgroup and allows workgroup members to exchange data or share printers as
supported by Microsoft networking in the various Windows operating systems. Some vendors also
refer to ad hoc networking as peer-to-peer group networking.
In this configuration, network packets are directly sent and received by the intended transmitting
and receiving stations. As long as the stations are within range of one another, this is the easiest
and least expensive way to set up a wireless network.
Network Name: Extended Service Set Identification (ESSID)
The Extended Service Set Identification (ESSID) is one of two types of Service Set Identification
(SSID). In an ad hoc wireless network with no access points, the Basic Service Set Identification
(BSSID) is used. In an infrastructure wireless network that includes an access point, the ESSID is
used, but may still be referred to as SSID.
An SSID is a thirty-two character (maximum) alphanumeric key identifying the name of the
wireless local area network. Some vendors refer to the SSID as network name. For the wireless
devices in a network to communicate with each other, all devices must be configured with the
same SSID.
The ESSID is usually broadcast in the air from an access point. The wireless station sometimes can
be configured with the ESSID ANY. This means the wireless station will try to associate with
whichever access point has the stronger radio frequency (RF) signal, providing that both the access
point and wireless station use Open System authentication.
Authentication and WEP Data Encryption
The absence of a physical connection between nodes makes the wireless links vulnerable to
eavesdropping and information theft. To provide a certain level of security, the IEEE 802.11
standard has defined these two types of authentication methods:
•Open System. With Open System authentication, a wireless computer can join any network
and receive any messages that are not encrypted.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Wireless Networking Basics E-3
March 2004, 202-10027-01
•Shared Key. With Shared Key authentication, only those PCs that possess the correct
authentication key can join the network. By default, IEEE 802.11 wireless devices operate in
an Open System network.
Wired Equivalent Privacy (WEP) data encryption is used when the wireless devices are configured
to operate in Shared Key authentication mode.
802.11 Authentication
The 802.11 standard defines several services that govern how two 802.11 devices communicate.
The following events must occur before an 802.11 Station can communicate with an Ethernet
network through an access point, such as the one built in to the FWG114P:
1. Turn on the wireless station.
2. The station listens for messages from any access points that are in range.
3. The station finds a message from an access point that has a matching SSID.
4. The station sends an authentication request to the access point.
5. The access point authenticates the station.
6. The station sends an association request to the access point.
7. The access point associates with the station.
8. The station can now communicate with the Ethernet network through the access point.
An access point must authenticate a station before the station can associate with the access point or
communicate with the network. The IEEE 802.11 standard defines two types of authentication:
Open System and Shared Key.
• Open System Authentication allows any device to join the network, assuming that the device
SSID matches the access point SSID. Alternatively, the device can use the “ANY” SSID
option to associate with any available Access Point within range, regardless of its SSID.
• Shared Key Authentication requires that the station and the access point have the same WEP
Key to authenticate. These two authentication procedures are described below.
Open System Authentication
The following steps occur when two devices use Open System Authentication:
1. The station sends an authentication request to the access point.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
E-4 Wireless Networking Basics
March 2004, 202-10027-01
2. The access point authenticates the station.
3. The station associates with the access point and joins the network.
This process is illustrated below.
Figure E-1: Open system authentication
Shared Key Authentication
The following steps occur when two devices use Shared Key Authentication:
1. The station sends an authentication request to the access point.
2. The access point sends challenge text to the station.
3. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and
sends the encrypted text to the access point.
4. The access point decrypts the encrypted text using its configured WEP Key that corresponds
to the station’s default key. The access point compares the decrypted text with the original
challenge text. If the decrypted text matches the original challenge text, then the access point
and the station share the same WEP Key and the access point authenticates the station.
5. The station connects to the network.
If the decrypted text does not match the original challenge text (the access point and station do not
share the same WEP Key), then the access point will refuse to authenticate the station and the
station will be unable to communicate with either the 802.11 network or Ethernet network.
This process is illustrated below.
).4%2.%4 ,/#!,
$&7
/1.
/1.$&7
?MjÊ. +Á.?wjË8ÁjjÄÄË7+!Ë.jWÖÁÍßËÁjÝ?
-/$%, 7 Ϥo
072 4%34
7,!.
(QDEOH
$FFHVV3RLQW$3
!UTHENTICATIONREQUESTSENTTO!0
!0AUTHENTICATES
#LIENTCONNECTSTONETWORK
2SHQ6\VWHP
$XWKHQWLFDWLRQ6WHSV
#ABLEOR
$,3MODEM
&OLHQW
DWWHPSWLQJ
WRFRQQHFW
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Wireless Networking Basics E-5
March 2004, 202-10027-01
Figure E-2: Shared key authentication
Overview of WEP Parameters
Before enabling WEP on an 802.11 network, you must first consider what type of encryption you
require and the key size you want to use. Typically, there are three WEP Encryption options
available for 802.11 products:
1. Do Not Use WEP: The 802.11 network does not encrypt data. For authentication purposes, the
network uses Open System Authentication.
2. Use WEP for Encryption: A transmitting 802.11 device encrypts the data portion of every
packet it sends using a configured WEP Key. The receiving device decrypts the data using the
same WEP Key. For authentication purposes, the network uses Open System Authentication.
3. Use WEP for Authentication and Encryption: A transmitting 802.11 device encrypts the data
portion of every packet it sends using a configured WEP Key. The receiving device decrypts the
data using the same WEP Key. For authentication purposes, the wireless network uses Shared Key
Authentication.
Note: Some 802.11 access points also support Use WEP for Authentication Only (Shared Key
Authentication without data encryption).
).4%2.%4 ,/#!,
$&7
/1.
/1.$&7
?MjÊ. +Á.?wjË8ÁjjÄÄË7+!Ë.jWÖÁÍßËÁjÝ?
-/$%, 7 Ϥo
072 4%34
7,!.
(QDEOH
$FFHVV3RLQW!UTHENTICATION
REQUESTSENTTO!0
!0SENDSCHALLENGETEXT
#LIENTENCRYPTS
CHALLENGETEXTAND
SENDSITBACKTO!0
!0DECRYPTSANDIFCORRECT
AUTHENTICATESCLIENT
#LIENTCONNECTSTONETWORK
6KDUHG.H\
$XWKHQWLFDWLRQ6WHSV
#ABLEOR
$,3MODEM
&OLHQW
DWWHPSWLQJ
WRFRQQHFW
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
E-6 Wireless Networking Basics
March 2004, 202-10027-01
Key Size
The IEEE 802.11 standard supports two types of WEP encryption: 40-bit and 128-bit.
The 64-bit WEP data encryption method allows for a five-character (40-bit) input. Additionally,
24 factory-set bits are added to the forty-bit input to generate a 64-bit encryption key. The 24
factory-set bits are not user-configurable). This encryption key will be used to encrypt/decrypt all
data transmitted via the wireless interface. Some vendors refer to the 64-bit WEP data encryption
as 40-bit WEP data encryption since the user-configurable portion of the encryption key is 40 bits
wide.
The 128-bit WEP data encryption method consists of 104 user-configurable bits. Similar to the
forty-bit WEP data encryption method, the remaining 24 bits are factory set and not user
configurable. Some vendors allow passphrases to be entered instead of the cryptic hexadecimal
characters to ease encryption key entry.
128-bit encryption is stronger than 40-bit encryption, but 128-bit encryption may not be available
outside of the United States due to U.S. export regulations.
When configured for 40-bit encryption, 802.11 products typically support up to four WEP Keys.
Each 40-bit WEP Key is expressed as 5 sets of two hexadecimal digits (0-9 and A-F). For
example, “12 34 56 78 90” is a 40-bit WEP Key.
When configured for 128-bit encryption, 802.11 products typically support four WEP Keys but
some manufacturers support only one 128-bit key. The 128-bit WEP Key is expressed as 13 sets of
two hexadecimal digits (0-9 and A-F). For example, “12 34 56 78 90 AB CD EF 12 34 56 78 90”
is a 128-bit WEP Key.
Table E-1: Encryption Key Sizes
Note: Typically, 802.11 access points can store up to four 128-bit WEP Keys but some 802.11
client adapters can only store one. Therefore, make sure that your 802.11 access and client
adapters’ configurations match.
Encryption Key Size # of Hexadecimal Digits Example of Hexadecimal Key Content
64-bit (24+40) 10 4C72F08AE1
128-bit (24+104) 26 4C72F08AE19D57A3FF6B260037
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Wireless Networking Basics E-7
March 2004, 202-10027-01
WEP Configuration Options
The WEP settings must match on all 802.11 devices that are within the same wireless network as
identified by the SSID. In general, if your mobile clients will roam between access points, then all
of the 802.11 access points and all of the 802.11 client adapters on the network must have the same
WEP settings.
Note: Whatever keys you enter for an AP, you must also enter the same keys for the client adapter
in the same order. In other words, WEP key 1 on the AP must match WEP key 1 on the client
adapter, WEP key 2 on the AP must match WEP key 2 on the client adapter, and so on.
Note: The AP and the client adapters can have different default WEP Keys as long as the keys are
in the same order. In other words, the AP can use WEP key 2 as its default key to transmit while a
client adapter can use WEP key 3 as its default key to transmit. The two devices will communicate
as long as the AP’s WEP key 2 is the same as the client’s WEP key 2 and the AP’s WEP key 3 is
the same as the client’s WEP key 3.
Wireless Channels
The wireless frequencies used by 802.11b/g networks are discussed below.
IEEE 802.11b/g wireless nodes communicate with each other using radio frequency signals in the
ISM (Industrial, Scientific, and Medical) band between 2.4 GHz and 2.5 GHz. Neighboring
channels are 5 MHz apart. However, due to spread spectrum effect of the signals, a node sending
signals using a particular channel will utilize frequency spectrum 12.5 MHz above and below the
center channel frequency. As a result, two separate wireless networks using neighboring channels
(for example, channel 1 and channel 2) in the same general vicinity will interfere with each other.
Applying two channels that allow the maximum channel separation will decrease the amount of
channel cross-talk, and provide a noticeable performance increase over networks with minimal
channel separation.
The radio frequency channels used in 802.11b/g networks are listed in Table E-2:
Table E-2: 802.11b/g Radio Frequency Channels
Channel Center Frequency Frequency Spread
1 2412 MHz 2399.5 MHz - 2424.5 MHz
2 2417 MHz 2404.5 MHz - 2429.5 MHz
3 2422 MHz 2409.5 MHz - 2434.5 MHz
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
E-8 Wireless Networking Basics
March 2004, 202-10027-01
Note: The available channels supported by the wireless products in various countries are different.
For example, Channels 1 to 11 are supported in the U.S. and Canada, and Channels 1 to 13 are
supported in Europe and Australia.
The preferred channel separation between the channels in neighboring wireless networks is 25
MHz (5 channels). This means that you can apply up to three different channels within your
wireless network. There are only 11 usable wireless channels in the United States. It is
recommended that you start using channel 1 and grow to use channel 6, and 11 when necessary, as
these three channels do not overlap.
WPA Wireless Security
Wi-Fi Protected Access (WPA) is a specification of standards-based, interoperable security
enhancements that increase the level of data protection and access control for existing and future
wireless LAN systems.
The IEEE introduced the WEP as an optional security measure to secure 802.11b (Wi-Fi) WLANs,
but inherent weaknesses in the standard soon became obvious. In response to this situation, the
Wi-Fi Alliance announced a new security architecture in October 2002 that remedies the
shortcomings of WEP. This standard, formerly known as Safe Secure Network (SSN), is designed
to work with existing 802.11 products and offers forward compatibility with 802.11i, the new
wireless security architecture being defined in the IEEE.
4 2427 MHz 2414.5 MHz - 2439.5 MHz
5 2432 MHz 2419.5 MHz - 2444.5 MHz
6 2437 MHz 2424.5 MHz - 2449.5 MHz
7 2442 MHz 2429.5 MHz - 2454.5 MHz
8 2447 MHz 2434.5 MHz - 2459.5 MHz
9 2452 MHz 2439.5 MHz - 2464.5 MHz
10 2457 MHz 2444.5 MHz - 2469.5 MHz
11 2462 MHz 2449.5 MHz - 2474.5 MHz
12 2467 MHz 2454.5 MHz - 2479.5 MHz
13 2472 MHz 2459.5 MHz - 2484.5 MHz
Table E-2: 802.11b/g Radio Frequency Channels
Channel Center Frequency Frequency Spread
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Wireless Networking Basics E-9
March 2004, 202-10027-01
WPA offers the following benefits:
• Enhanced data privacy
• Robust key management
• Data origin authentication
• Data integrity protection
The Wi-Fi Alliance is now performing interoperability certification testing on Wi-Fi Protected
Access products. Starting August of 2003, all new Wi-Fi certified products will have to support
WPA. NETGEAR will implement WPA on client and access point products and make this
available in the second half of 2003. Existing Wi-Fi certified products will have one year to add
WPA support or they will lose their Wi-Fi certification.
The 802.11i standard is currently in draft form, with ratification due at the end of 2003. While the
new IEEE 802.11i standard is being ratified, wireless vendors have agreed on WPA as an
interoperable interim standard.
How Does WPA Compare to WEP?
WEP is a data encryption method and is not intended as a user authentication mechanism. WPA
user authentication is implemented using 802.1x and the Extensible Authentication Protocol
(EAP). Support for 802.1x authentication is required in WPA. In the 802.11 standard, 802.1x
authentication was optional. For details on EAP specifically, refer to IETF's RFC 2284.
With 802.11 WEP, all access points and client wireless adapters on a particular wireless LAN must
use the same encryption key. A major problem with the 802.11 standard is that the keys are
cumbersome to change. If you do not update the WEP keys often, an unauthorized person with a
sniffing tool can monitor your network for less than a day and decode the encrypted messages.
Products based on the 802.11 standard alone offer system administrators no effective method to
update the keys.
For 802.11, WEP encryption is optional. For WPA, encryption using Temporal Key Integrity
Protocol (TKIP) is required. TKIP replaces WEP with a new encryption algorithm that is stronger
than the WEP algorithm, but that uses the calculation facilities present on existing wireless devices
to perform encryption operations. TKIP provides important data encryption enhancements
including a per-packet key mixing function, a message integrity check (MIC) named Michael, an
extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through
these enhancements, TKIP addresses all of known WEP vulnerabilities.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
E-10 Wireless Networking Basics
March 2004, 202-10027-01
How Does WPA Compare to IEEE 802.11i?
WPA will be forward compatible with the IEEE 802.11i security specification currently under
development. WPA is a subset of the current 802.11i draft and uses certain pieces of the 802.11i
draft that are ready to bring to market today, such as 802.1x and TKIP. The main pieces of the
802.11i draft that are not included in WPA are secure IBSS (Ad-Hoc mode), secure fast handoff
(for specialized 802.11 VoIP phones), as well as enhanced encryption protocols, such as
AES-CCMP. These features are either not yet ready for market or will require hardware upgrades
to implement.
What are the Key Features of WPA Security?
The following security features are included in the WPA standard:
• WPA Authentication
• WPA Encryption Key Management
– Temporal Key Integrity Protocol (TKIP)
– Michael message integrity code (MIC)
– AES Support (to be phased in)
• Support for a Mixture of WPA and WEP Wireless Clients, but mixing WEP and WPA is
discouraged
These features are discussed below.
WPA addresses most of the known WEP vulnerabilities and is primarily intended for wireless
infrastructure networks as found in the enterprise. This infrastructure includes stations, access
points, and authentication servers (typically RADIUS servers). The RADIUS server holds (or has
access to) user credentials (for example, user names and passwords) and authenticates wireless
users before they gain access to the network.
The strength of WPA comes from an integrated sequence of operations that encompass 802.1X/
EAP authentication and sophisticated key management and encryption techniques. Its major
operations include:
• Network security capability determination. This occurs at the 802.11 level and is
communicated through WPA information elements in Beacon, Probe Response, and (Re)
Association Requests. Information in these elements includes the authentication method
(802.1X or Pre-shared key) and the preferred cipher suite (WEP, TKIP, or AES).
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Wireless Networking Basics E-11
March 2004, 202-10027-01
The primary information conveyed in the Beacon frames is the authentication method and the
cipher suite. Possible authentication methods include 802.1X and Pre-shared key. Pre-shared
key is an authentication method that uses a statically configured pass phrase on both the
stations and the access point. This obviates the need for an authentication server, which in
many home and small office environments will not be available nor desirable. Possible cipher
suites include: WEP, TKIP, and AES (Advanced Encryption Standard). We talk more about
TKIP and AES when addressing data privacy below.
• Authentication. EAP over 802.1X is used for authentication. Mutual authentication is gained
by choosing an EAP type supporting this feature and is required by WPA. 802.1X port access
control prevents full access to the network until authentication completes. 802.1X
EAPOL-Key packets are used by WPA to distribute per-session keys to those stations
successfully authenticated.
The supplicant in the station uses the authentication and cipher suite information contained in
the information elements to decide which authentication method and cipher suite to use. For
example, if the access point is using the pre-shared key method then the supplicant need not
authenticate using full-blown 802.1X. Rather, the supplicant must simply prove to the access
point that it is in possession of the pre-shared key. If the supplicant detects that the service set
does not contain a WPA information element then it knows it must use pre-WPA 802.1X
authentication and key management in order to access the network.
• Key management. WPA features a robust key generation/management system that integrates
the authentication and data privacy functions. Keys are generated after successful
authentication and through a subsequent 4-way handshake between the station and Access
Point (AP).
• Data Privacy (Encryption). Temporal Key Integrity Protocol (TKIP) is used to wrap WEP in
sophisticated cryptographic and security techniques to overcome most of its weaknesses.
• Data integrity. TKIP includes a message integrity code (MIC) at the end of each plaintext
message to ensure messages are not being spoofed.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
E-12 Wireless Networking Basics
March 2004, 202-10027-01
WPA Authentication: Enterprise-level User
Authentication via 802.1x/EAP and RADIUS
Figure E-3: WPA Overview
IEEE 802.1x offers an effective framework for authenticating and controlling user traffic to a
protected network, as well as providing a vehicle for dynamically varying data encryption keys via
EAP from a RADIUS server, for example. This framework enables using a central authentication
server, which employs mutual authentication so that a rogue wireless user does not join the
network.
It is important to note that 802.1x does not provide the actual authentication mechanisms. When
using 802.1x, the EAP type, such as Transport Layer Security (EAP-TLS), or EAP Tunneled
Transport Layer Security (EAP-TTLS), defines how the authentication takes place.
Note: For environments with a Remote Authentication Dial-In User Service (RADIUS)
infrastructure, WPA supports Extensible Authentication Protocol (EAP). For environments
without a RADIUS infrastructure, WPA supports the use of a pre-shared key.
Together, these technologies provide a framework for strong user authentication.
Windows XP implements 802.1x natively, and several NETGEAR switch and wireless access
point products support 802.1x.
Certificate
Authority
(for
example
Win Server,
VeriSign)
WPA
enabled
wireless
client with
“supplicant”
TCP/IP
Ports Closed
Until RADIUS Server
Wired Network with Optional
802.1x Port Based Network
Access Control
WPA enabled
Access Point
using
pre-shared key
or
802.1x
TCP/IP
Ports Opened
After
Authenticated
Wireless LAN
Login
Authentication
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Wireless Networking Basics E-13
March 2004, 202-10027-01
Figure E-4: 802.1x Authentication Sequence
The AP sends Beacon Frames with WPA information element to the stations in the service set.
Information elements include the required authentication method (802.1x or Pre-shared key) and
the preferred cipher suite (WEP, TKIP, or AES). Probe Responses (AP to station) and Association
Requests (station to AP) also contain WPA information elements.
1. Initial 802.1x communications begin with an unauthenticated supplicant (client device)
attempting to connect with an authenticator (802.11 access point). The client sends an
EAP-start message. This begins a series of message exchanges to authenticate the client.
2. The access point replies with an EAP-request identity message.
1
2
3
4
56
7
Client with a WPA-
enabled wireless
adapter and supplicant
(Win XP, Funk,
Meetinghouse)
For example, a
WPA-enabled AP
For example, a
RADIUS server
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
E-14 Wireless Networking Basics
March 2004, 202-10027-01
3. The client sends an EAP-response packet containing the identity to the authentication server.
The access point responds by enabling a port for passing only EAP packets from the client to
an authentication server located on the wired side of the access point. The access point blocks
all other traffic, such as HTTP, DHCP, and POP3 packets, until the access point can verify the
client's identity using an authentication server (for example, RADIUS).
4. The authentication server uses a specific authentication algorithm to verify the client's identity.
This could be through the use of digital certificates or some other EAP authentication type.
5. The authentication server will either send an accept or reject message to the access point.
6. The access point sends an EAP-success packet (or reject packet) to the client.
7. If the authentication server accepts the client, then the access point will transition the client's
port to an authorized state and forward additional traffic.
The important part to know at this point is that the software supporting the specific EAP type
resides on the authentication server and within the operating system or application “supplicant”
software on the client devices. The access point acts as a “pass through” for 802.1x messages,
which means that you can specify any EAP type without needing to upgrade an 802.1x-compliant
access point. As a result, you can update the EAP authentication type to such devices as token
cards (Smart Cards), Kerberos, one-time passwords, certificates, and public key authentication, or
as newer types become available and your requirements for security change.
WPA Data Encryption Key Management
With 802.1x, the rekeying of unicast encryption keys is optional. Additionally, 802.11 and 802.1x
provide no mechanism to change the global encryption key used for multicast and broadcast
traffic. With WPA, rekeying of both unicast and global encryption keys is required.
For the unicast encryption key, the Temporal Key Integrity Protocol (TKIP) changes the key for
every frame, and the change is synchronized between the wireless client and the wireless access
point (AP). For the global encryption key, WPA includes a facility (the Information Element) for
the wireless AP to advertise the changed key to the connected wireless clients.
If configured to implement dynamic key exchange, the 802.1x authentication server can return
session keys to the access point along with the accept message. The access point uses the session
keys to build, sign and encrypt an EAP key message that is sent to the client immediately after
sending the success message. The client can then use contents of the key message to define
applicable encryption keys. In typical 802.1x implementations, the client can automatically change
encryption keys as often as necessary to minimize the possibility of eavesdroppers having enough
time to crack the key in current use.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Wireless Networking Basics E-15
March 2004, 202-10027-01
Temporal Key Integrity Protocol (TKIP)
WPA uses TKIP to provide important data encryption enhancements including a per-packet key
mixing function, a message integrity check (MIC) named Michael, an extended initialization
vector (IV) with sequencing rules, and a re-keying mechanism. TKIP also provides for the
following:
• The verification of the security configuration after the encryption keys are determined.
• The synchronized changing of the unicast encryption key for each frame.
• The determination of a unique starting unicast encryption key for each preshared key
authentication.
Michael
With 802.11 and WEP, data integrity is provided by a 32-bit integrity check value (ICV) that is
appended to the 802.11 payload and encrypted with WEP. Although the ICV is encrypted, you can
use cryptanalysis to change bits in the encrypted payload and update the encrypted ICV without
being detected by the receiver.
With WPA, a method known as Michael specifies a new algorithm that calculates an 8-byte
message integrity check (MIC) using the calculation facilities available on existing wireless
devices. The MIC is placed between the data portion of the IEEE 802.11 frame and the 4-byte
ICV. The MIC field is encrypted together with the frame data and the ICV.
Michael also provides replay protection. A new frame counter in the IEEE 802.11 frame is used to
prevent replay attacks.
Optional AES Support to be Phased In
One of the encryption methods supported by WPA, besides TKIP, is the advanced encryption
standard (AES), although AES support will not be required initially for Wi-Fi certification. This is
viewed as the optimal choice for security conscience organizations, but the problem with AES is
that it requires a fundamental redesign of the NIC’s hardware in both the station and the access
point. TKIP is a pragmatic compromise that allows organizations to deploy better security while
AES capable equipment is being designed, manufactured, and incrementally deployed.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
E-16 Wireless Networking Basics
March 2004, 202-10027-01
Is WPA Perfect?
WPA is not without its vulnerabilities. Specifically, it is susceptible to denial of service (DoS)
attacks. If the access point receives two data packets that fail the message integrity code (MIC)
within 60 seconds of each other, then the network is under an active attack, and as a result, the
access point employs counter measures, which include disassociating each station using the access
point. This prevents an attacker from gleaning information about the encryption key and alerts
administrators, but it also causes users to lose network connectivity for 60 seconds. More than
anything else, this may just prove that no single security tactic is completely invulnerable. WPA is
a definite step forward in WLAN security over WEP and has to be thought of as a single part of an
end-to-end network security strategy.
Product Support for WPA
Starting in August, 2003, NETGEAR, Inc. wireless Wi-Fi certified products will support the WPA
standard. NETGEAR, Inc. wireless products that had their Wi-Fi certification approved before
August, 2003 will have one year to add WPA so as to maintain their Wi-Fi certification.
WPA requires software changes to the following:
• Wireless access points
• Wireless network adapters
• Wireless client programs
Supporting a Mixture of WPA and WEP Wireless Clients is Discouraged
To support the gradual transition of WEP-based wireless networks to WPA, a wireless AP can
support both WEP and WPA clients at the same time. During the association, the wireless AP
determines which clients use WEP and which clients use WPA. The disadvantage to supporting a
mixture of WEP and WPA clients is that the global encryption key is not dynamic. This is because
WEP-based clients cannot support it. All other benefits to the WPA clients, such as integrity, are
maintained.
However, a mixed mode supporting WPA and non-WPA clients would offer network security that
is no better than that obtained with a non-WPA network, and thus this mode of operation is
discouraged.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Wireless Networking Basics E-17
March 2004, 202-10027-01
Changes to Wireless Access Points
Wireless access points must have their firmware updated to support the following:
•The new WPA information element
To advertise their support of WPA, wireless APs send the beacon frame with a new 802.11
WPA information element that contains the wireless AP's security configuration (encryption
algorithms and wireless security configuration information).
•The WPA two-phase authentication
Open system, then 802.1x (EAP with RADIUS or preshared key).
•TKIP
•Michael
•AES (optional)
To upgrade your wireless access points to support WPA, obtain a WPA firmware update from your
wireless AP vendor and upload it to your wireless AP.
Changes to Wireless Network Adapters
Wireless networking software in the adapter, and possibly in the OS or client application, must be
updated to support the following:
•The new WPA information element
Wireless clients must be able to process the WPA information element and respond with a
specific security configuration.
•The WPA two-phase authentication
Open system, then 802.1x supplicant (EAP or preshared key).
•TKIP
•Michael
•AES (optional)
To upgrade your wireless network adapters to support WPA, obtain a WPA update from your
wireless network adapter vendor and update the wireless network adapter driver.
For Windows wireless clients, you must obtain an updated network adapter driver that supports
WPA. For wireless network adapter drivers that are compatible with Windows XP (Service Pack 1)
and Windows Server 2003, the updated network adapter driver must be able to pass the adapter's
WPA capabilities and security configuration to the Wireless Zero Configuration service.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
E-18 Wireless Networking Basics
March 2004, 202-10027-01
Microsoft has worked with many wireless vendors to embed the WPA firmware update in the
wireless adapter driver. So, to update your Microsoft Windows wireless client, all you have to do
is obtain the new WPA-compatible driver and install the driver. The firmware is automatically
updated when the wireless network adapter driver is loaded in Windows.
Changes to Wireless Client Programs
Wireless client programs must be updated to permit the configuration of WPA authentication (and
preshared key) and the new WPA encryption algorithms (TKIP and the optional AES component).
To obtain the Microsoft WPA client program, visit the Microsoft Web site.
Virtual Private Networking F-1
March 2004, 202-10027-01
Appendix F
Virtual Private Networking
There have been many improvements in the Internet, including Quality of Service, network
performance, and inexpensive technologies, such as DSL. But one of the most important advances
has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of
the most complete, secure, and commercially available, standards-based protocols developed for
transporting data.
What is a VPN?
A VPN is a shared network, where private data is segmented from other traffic, so that only the
intended recipient has access. The term VPN was originally used to describe a secure connection
over the Internet. Today, however, VPN is also used to describe private networks, such as Frame
Relay, Asynchronous Transfer Mode (ATM), and Multiprotocol Label Switching (MPLS).
A key aspect of data security is that the data flowing across the network is protected by encryption
technologies. Private networks lack data security, which allows data attackers to tap directly into
the network and read the data. IPSec-based VPNs use encryption to provide data security, which
increases the network’s resistance to data tampering or theft.
IPSec-based VPNs can be created over any type of IP network, including the Internet, Frame
Relay, ATM, and MPLS, but only the Internet is ubiquitous and inexpensive.
VPNs are traditionally used for:
•Intranets: Intranets connect an organization’s locations. These locations range from the
headquarters offices, to branch offices, to a remote employee’s home. Often this connectivity
is used for e-mail and for sharing applications and files. While Frame Relay, ATM, and MPLS
accomplish these tasks, the shortcomings of each limits connectivity. The cost of connecting
home users is also very expensive compared to Internet-access technologies, such as DSL or
cable. Because of this, organizations are moving their networks to the Internet, which is
inexpensive, and using IPSec to create these networks.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
F-2 Virtual Private Networking
March 2004, 202-10027-01
•Remote Access: Remote access enables telecommuters and mobile workers to access e-mail
and business applications. A dial-up connection to an organization’s modem pool is one
method of access for remote workers, but is expensive because the organization must pay the
associated long distance telephone and service costs. Remote access VPNs greatly reduce
expenses by enabling mobile workers to dial a local Internet connection and then set up a
secure IPSec-based VPN communications to their organization.
•Extranets: Extranets are secure connections between two or more organizations. Common
uses for extranets include supply-chain management, development partnerships, and
subscription services. These undertakings can be difficult using legacy network technologies
due to connection costs, time delays, and access availability. IPSec-based VPNs are ideal for
extranet connections. IPSec-capable devices can be quickly and inexpensively installed on
existing Internet connections.
What is IPSec and How Does It Work?
IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data
authentication, integrity, and confidentiality as data is transferred between communication points
across IP networks. IPSec provides data security at the IP packet level. A packet is a data bundle
that is organized for transmission across a network, and includes a header and payload (the data in
the packet). IPSec emerged as a viable network security standard because enterprises wanted to
ensure that data could be securely transmitted over the Internet. IPSec protects against possible
security exposures by protecting data while in transit.
IPSec Security Features
IPSec is the most secure method commercially available for connecting network sites. IPSec was
designed to provide the following security features when transferring packets across networks:
•Authentication: Verifies that the packet received is actually from the claimed sender.
•Integrity: Ensures that the contents of the packet did not change in transit.
•Confidentiality: Conceals the message content through encryption.
IPSec Components
IPSec contains the following elements:
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Virtual Private Networking F-3
March 2004, 202-10027-01
•Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and
integrity.
•Authentication Header (AH): Provides authentication and integrity.
•Internet Key Exchange (IKE): Provides key management and Security Association (SA)
management.
Encapsulating Security Payload (ESP)
ESP provides authentication, integrity, and confidentiality, which protect against data tampering
and, most importantly, provides message content protection.
IPSec provides an open framework for implementing industry standard algorithms, such as SHA
and MD5. The algorithms IPSec uses produce a unique and unforgeable identifier for each packet,
which is a data equivalent of a fingerprint. This fingerprint allows the device to determine if a
packet has been tampered with. Furthermore, packets that are not authenticated are discarded and
not delivered to the intended receiver.
ESP also provides all encryption services in IPSec. Encryption translates a readable message into
an unreadable format to hide the message content. The opposite process, called decryption,
translates the message content from an unreadable format to a readable message. Encryption/
decryption allows only the sender and the authorized receiver to read the data. In addition, ESP has
an option to perform authentication, called ESP authentication. Using ESP authentication, ESP
provides authentication and integrity for the payload and not for the IP header.
Figure F-1: Original packet and packet with IPSec Encapsulated Security Payload
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
F-4 Virtual Private Networking
March 2004, 202-10027-01
The ESP header is inserted into the packet between the IP header and any subsequent packet
contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt
the ESP header, nor does it encrypt the ESP authentication.
Authentication Header (AH)
AH provides authentication and integrity, which protect against data tampering, using the same
algorithms as ESP. AH also provides optional anti-replay protection, which protects against
unauthorized retransmission of packets. The authentication header is inserted into the packet
between the IP header and any subsequent packet contents. The payload is not touched.
Although AH protects the packet’s origin, destination, and contents from being tampered with, the
identity of the sender and receiver is known. In addition, AH does not protect the data’s
confidentiality. If data is intercepted and only AH is used, the message contents can be read. ESP
protects data confidentiality. For added protection in certain cases, AH and ESP can be used
together. In the following table, IP HDR represents the IP header and includes both source and
destination IP addresses.
Figure F-2: Original packet and packet with IPSec Authentication Header
IKE Security Association
IPSec introduces the concept of the Security Association (SA). An SA is a logical connection
between two devices transferring data. An SA provides data protection for unidirectional traffic by
using the defined IPSec protocols. An IPSec tunnel typically consists of two unidirectional SAs,
which together provide a protected, full-duplex data channel.
The SAs allow an enterprise to control exactly what resources may communicate securely,
according to security policy. To do this an enterprise can set up multiple SAs to enable multiple
secure VPNs, as well as define SAs within the VPN to support different departments and business
partners.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Virtual Private Networking F-5
March 2004, 202-10027-01
Mode
SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the
packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for
gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec
tunnel protection. A gateway is a device that monitors and manages incoming and outgoing
network traffic and routes the traffic accordingly. A host is a device that sends and receives
network traffic.
•Transport Mode: The transport mode IPSec implementation encapsulates only the packet’s
payload. The IP header is not changed. After the packet is processed with IPSec, the new IP
packet contains the old IP header (with the source and destination IP addresses unchanged)
and the processed packet payload. Transport mode does not shield the information in the IP
header; therefore, an attacker can learn where the packet is coming from and where it is going
to. The previous packet diagrams show a packet in transport mode.
•Tunnel Mode: The tunnel mode IPSec implementation encapsulates the entire IP packet. The
entire packet becomes the payload of the packet that is processed with IPSec. A new IP header
is created that contains the two IPSec gateway addresses. The gateways perform the
encapsulation/decapsulation on behalf of the hosts. Tunnel mode ESP prevents an attacker
from analyzing the data and deciphering it, as well as knowing who the packet is from and
where it is going.
Note: AH and ESP can be used in both transport mode or tunnel mode.
Figure F-3: Original packet and packet with IPSec ESP in Tunnel mode
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
F-6 Virtual Private Networking
March 2004, 202-10027-01
Key Management
IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and
the exchange of keys between parties transferring data. Using keys ensures that only the sender
and receiver of a message can access it.
IPSec requires that keys be re-created, or refreshed, frequently, so that the parties can
communicate securely with each other. IKE manages the process of refreshing keys; however, a
user can control the key strength and the refresh frequency. Refreshing keys on a regular basis
ensures data confidentiality between sender and receiver.
Understand the Process Before You Begin
This document provides case studies on how to configure secure IPSec VPN tunnels. This
document assumes the reader has a working knowledge of NETGEAR management systems.
NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor
interoperability. The VPN Consortium has developed specific scenarios to aid system
administrators in the often confusing process of connecting two different vendor implementations
of the IPSec standard. The case studies in this appendix follow the addressing and configuration
mechanics defined by the VPN Consortium. Additional information regarding inter-vendor
interoperability may be found at http://www.vpnc.org/interop.html.
It is a good idea to gather all the necessary information required to establish a VPN before you
begin the configuration process. You should understand whether the firmware is up to date, all of
the addresses that will be necessary, and all of the parameters that need to be set on both sides. Try
to understand any incompatibilities before you begin, so that you minimize any potential
complications which may arise from normal firewall or WAN processes.
If you are not a full-time system administrator, it is a good idea to familiarize yourself with the
mechanics of a VPN. The brief description in this appendix will help. Other good sources include:
• The NETGEAR VPN Tutorial – http://www.netgear.com/planetvpn/pvpn_2.html
• The VPN Consortium – http://www.vpnc.org/
• The VPN bibliography in “Additional Reading“ on page F-11.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Virtual Private Networking F-7
March 2004, 202-10027-01
VPN Process Overview
Even though IPSec is standards-based, each vendor has its own set of terms and procedures for
implementing the standard. Because of these differences, it may be a good idea to review some of
the terms and the generic processes for connecting two gateways before diving into the specifics.
Network Interfaces and Addresses
The VPN gateway is aptly named because it functions as a “gatekeeper” for each of the computers
connected on the Local Area Network behind it.
In most cases, each Gateway will have a “public” facing address (WAN side) and a “private”
facing address (LAN side). These addresses are referred to as the “network interface” in
documentation regarding the construction of VPN communication. Please note that the addresses
used in the example do not use full TCP/IP notation.
Interface Addressing
This TechNote uses example addresses provided the VPN Consortium. It is important to
understand that you will be using addresses specific to the devices that you are attempting to
connect via IPSec VPN.
Figure F-4: VPNC Example Network Interface Addressing
It is also important to make sure the addresses do not overlap or conflict. That is, each set of
addresses should be separate and distinct.
Gateway A
22.23.24.25
14.15.16.17
10.5.6.0/24 172.23.9.0/24
172.23.9.110.5.6.1
WAN IP WAN IP LAN IPLAN IP
Gateway B
VPNC Example
Network Interface Addressing
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
F-8 Virtual Private Networking
March 2004, 202-10027-01
It will also be important to know the subnet mask of both gateway LAN Connections.
Firewalls
It is important to understand that many gateways are also firewalls. VPN tunnels cannot function
properly if firewall settings disallow all incoming traffic. Please refer to the firewall instructions
for both gateways to understand how to open specific protocols, ports, and addresses that you
intend to allow.
Setting Up a VPN Tunnel Between Gateways
An SA, frequently called a tunnel, is the set of information that allows two entities (networks, PCs,
routers, firewalls, gateways) to “trust each other” and communicate securely as they pass
information over the Internet.
Table 5-3. WAN (Internet/Public) and LAN (Internal/Private) Addressing
Gateway LAN or WAN VPNC Example Address
Gateway A LAN (Private) 10.5.6.1
Gateway A WAN (Public) 14.15.16.17
Gateway B LAN (Private) 22.23.24.25
Gateway B WAN (Public) 172.23.9.1
Table 5-4. Subnet Addressing
Gateway LAN or WAN Interface Name Example Subnet Mask
Gateway A LAN (Private) Subnet Mask A 255.255.255.0
Gateway B LAN (Private) Subnet Mask B 255.255.255.0
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Virtual Private Networking F-9
March 2004, 202-10027-01
Figure F-5: VPN Tunnel SA
The SA contains all the information necessary for gateway A to negotiate a secure and encrypted
communication stream with gateway B. This communication is often referred to as a “tunnel.” The
gateways contain this information so that it does not have to be loaded onto every computer
connected to the gateways.
Each gateway must negotiate its Security Association with another gateway using the parameters
and processes established by IPSec. As illustrated below, the most common method of
accomplishing this process is via the Internet Key Exchange (IKE) protocol which automates some
of the negotiation procedures. Alternatively, you can configure your gateways using manual key
exchange, which involves manually configuring each paramter on both gateways.
Figure F-6: IPSec SA negotiation
1. The IPSec software on Host A initiates the IPSec process in an attempt to communicate
with Host B. The two computers then begin the Internet Key Exchange (IKE) process.
AB
VPN Gateway
VPN Gateway
1) Communication
request sent to VPN Gateway
2) IKE Phase I authentication
3) IKE Phase II negotiation
4) Secure data transfer
5) IPSec tunnel termination
IPSec Security Association IKE
VPN Tunnel Negotiation Steps
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
F-10 Virtual Private Networking
March 2004, 202-10027-01
2. IKE Phase I.
a. The two parties negotiate the encryption and authentication algorithms to use in the IKE
SAs.
b. The two parties authenticate each other using a predetermined mechanism, such as
preshared keys or digital certificates.
c. A shared master key is generated by the Diffie-Hellman Public key algorithm within the
IKE framework for the two parties. The master key is also used in the second phase to
derive IPSec keys for the SAs.
3. IKE Phase II.
a. The two parties negotiate the encryption and authentication algorithms to use in the IPSec
SAs.
b. The master key is used to derive the IPSec keys for the SAs. Once the SA keys are created
and exchanged, the IPSec SAs are ready to protect user data between the two VPN
gateways.
4. Data transfer. Data is transferred between IPSec peers based on the IPSec parameters and
keys stored in the SA database.
5. IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out.
VPNC IKE Security Parameters
It is important to remember that both gateways must have the identical parameters set for the
process to work correctly. The settings in these examples follow the examples given for Scenario 1
of the VPN Consortium.
VPNC IKE Phase I Parameters
The IKE Phase 1 parameters used:
•Main mode
•TripleDES
• SHA-1
• MODP group 1
• Ppre-shared secret of "hr5xb84l6aa9r6"
• SA lifetime of 28800 seconds (eight hours)
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Virtual Private Networking F-11
March 2004, 202-10027-01
VPNC IKE Phase II Parameters
The IKE Phase 2 parameters used in Scenario 1 are:
•TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 1
• Perfect forward secrecy for rekeying
• SA lifetime of 28800 seconds (one hour)
Testing and Troubleshooting
Once you have completed the VPN configuration steps you can use PCs, located behind each of
the gateways, to ping various addresses on the LAN side of the other gateway.
You can troubleshoot connections using the VPN status and log details on the NETGEAR gateway
to determine if IKE negotiation is working. Common problems encountered in setting up VPNs
include:
• Parameters may be configured differently on Gateway A vs. Gateway B.
• Two LANs set up with similar or overlapping addressing schemes.
• So many required configuration parameters mean errors such as mistyped information or
mismatched parameter selections on either side are more likely to happen.
Additional Reading
•Building and Managing Virtual Private Networks, Dave Kosiur, Wiley & Sons; ISBN:
0471295264
•Firewalls and Internet Security: Repelling the Wily Hacker, William R. Cheswick and Steven
M. Bellovin, Addison-Wesley; ISBN: 0201633574
•VPNs A Beginners Guide, John Mains, McGraw Hill; ISBN: 0072191813
• [FF98] Floyd, S., and Fall, K., Promoting the Use of End-to-End Congestion Control in the
Internet. IEEE/ACM Transactions on Networking, August 1999.
Relevant RFCs listed numerically:
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
F-12 Virtual Private Networking
March 2004, 202-10027-01
• [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information
Sciences Institute, USC, September 1981.
• [RFC 1058] Routing Information Protocol, C Hedrick, Rutgers University, June 1988.
• [RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen,
Telecom Finland, July 1993.
• [RFC 2401] S. Kent, R. Atkinson, Security Architecture for the Internet Protocol, RFC 2401,
November 1998.
• [RFC 2407] D. Piper, The Internet IP Security Domain of Interpretation for ISAKMP,
November 1998.
• [RFC 2474] K. Nichols, S. Blake, F. Baker, D. Black, Definition of the Differentiated Services
Field (DS Field) in the IPv4 and IPv6 Headers, December 1998.
• [RFC 2475] S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang, and W. Weiss, An
Architecture for Differentiated Services, December 1998.
• [RFC 2481] K. Ramakrishnan, S. Floyd, A Proposal to Add Explicit Congestion Notification
(ECN) to IP, January 1999.
• [RFC 2408] D. Maughan, M. Schertler, M. Schneider, J. Turner, Internet Security Association
and Key Management Protocol (ISAKMP).
• [RFC 2409] D. Harkins, D.Carrel, Internet Key Exchange (IKE) protocol.
• [RFC 2401] S. Kent, R. Atkinson, Security Architecture for the Internet Protocol.
NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P G-1
March 2004, 202-10027-01
Appendix G
NETGEAR VPN Configuration
FVS318 or FVM318 to FWG114P
This appendix provides a case study on how to configure a secure IPSec VPN tunnel between a
NETGEAR FVS318 or FVM318 to a FWG114P. The configuration options and screens for the
FVS318 and FVM318 are the same.
Configuration Template
The configuration in this document follows the addressing and configuration mechanics defined
by the VPN Consortium. Gather all the necessary information before you begin the configuration
process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and
all of the parameters that need to be set on both sides. Check that there are no firewall restrictions.
Table G-1. Summary
VPN Consortium Scenario: Scenario 1
Type of VPN LAN-to-LAN or Gateway-to-Gateway (not PC/Client-to-Gateway)
Security Scheme: IKE with Preshared Secret/Key (not Certificate-based)
Date Tested: December 2003
Model/Firmware Tested:
NETGEAR-Gateway A FVS318 firmware version A1.4 or 2.0; FVM318 firmware version 1.1
NETGEAR-Gateway B FWG114P with firmware version 2 Release 2
IP Addressing:
NETGEAR-Gateway A Static IP address
NETGEAR-Gateway B Static IP address
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
G-2 NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P
March 2004, 202-10027-01
Figure G-1: Addressing and Subnet Used for Examples
Step-By-Step Configuration of FVS318 or FVM318 Gateway A
1. Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration.
Out of the box, the FVS318 or FVM318 is set for its default LAN address of
http://192.168.0.1 with its default user name of admin and default password of password. For
this example we will assume you have set the local LAN address as 10.5.6.1 for Gateway A
and have set your own password.
Figure G-2: NETGEAR FVS318 VPN Settings Pre-Configuration
Gateway A
22.23.24.25
14.15.16.17
10.5.6.0/24 172.23.9.0/24
172.23.9.110.5.6.1
WAN IP WAN IP LAN IPLAN IP
Gateway B
VPNC Example
Network Interface Addressing
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P G-3
March 2004, 202-10027-01
2. Click the VPN Settings link on the left side of the Settings management GUI. Click the radio
button of the first available VPN leg (all 8 links are available in the example). Click the Edit
button below. This will take you to the VPN Settings – Main Mode Menu.
Figure G-3: Figure 3 – NETGEAR FVS318 VPN Settings (part 1) – Main Mode
– In the Connection Name box, enter in a unique name for the VPN tunnel to be configured
between the NETGEAR devices. For this example we have used toFVS328.
– Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name
must be entered in the other endpoint as Remote IPSec Identifier. In this example we used
14.15.16.17 as the local identifier.
– Enter a Remote IPSec Identifier name for the remote NETGEAR FWG114P Gateway B.
This name must be entered in the other endpoint as Local IPSec Identifier. In this example
we used 22.23.24.25 as the remote identifier.
– Choose a subnet from local address from the “Tunnel can be accessed from” pull-down
menu.
– Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Local IP
Local LAN start IP Address field.
– Type the finishing LAN IP Address of Gateway A (0.0.0.0 in our example) in the Local IP
Local LAN finish IP Address field.
– Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Local
LAN IP Subnetmask field.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
G-4 NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P
March 2004, 202-10027-01
– Choose a subnet from local address from the “Tunnel can access” pull-down menu.
– Type the starting LAN IP Address of Gateway B (172.23.9.1 in our example) in the Local
IP Remote LAN Start IP Address field.
– Type the finishing LAN IP Address of Gateway B (0.0.0.0 in our example) in the Local IP
Remote LAN Finish IP Address field.
– Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Remote
LAN IP Subnetmask field.
– Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote
WAN IP or FQDN field.
Figure G-4: Figure 4 – NETGEAR FVS318 VPN Settings (part 2) – Main Mode
– From the Secure Association drop-down box, select Main Mode.
– Next to Perfect Forward Secrecy, select the Enabled radio button.
– From the Encryption Protocol drop-down box, select 3DES.
– In the PreShared Key box, type a unique text string to be used as the shared key between
Gateway A and Gateway B. In this example we used hr5xb84l6aa9r6. You must make
sure the key is the same for both gateways.
– In the Key Life box, enter in 3600 seconds.
– In the IKE Life Time, enter 28800 seconds.
– Check the NETBIOS Enable box if you wish to pass NetBIOS traffic over the VPN
tunnel, allowing functions, such as Microsoft Network Neighborhood browsing.
3. Click the Apply button in the lower center of the screen to save all changes and return to the
VPN Settings screen.
4. When the screen returns to the VPN Settings, make sure the Enable check box is selected.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P G-5
March 2004, 202-10027-01
Step-By-Step Configuration of FWG114P Gateway B
1. Log in to the NETGEAR FVS328 labeled Gateway B as in the illustration.
Out of the box, the FVS328 is set for its default LAN address of http://192.168.0.1, with its
default user name of admin and default password of password. For this example we will
assume you have set the local LAN address as 172.23.9.1 for Gateway B and have set your
own user name and password.
2. Click the IKE Policies link under the VPN category link on the left side of the Settings
management GUI. This will open the IKE Policies Menu. Click Add. This will open a new
screen titled IKE Policy Configuration.
Figure G-5: NETGEAR FVS328 IKE Policy Configuration – Part 1
– Enter an appropriate name for the policy in the Policy Name field. This name is not
supplied to the remote VPN Endpoint. It is used to help you manage the IKE policies. In
our example we have used FVS318 as the Policy Name. In the Policy Name field type
FVS318.
– From the Direction/Type drop-down box, select Both Directions.
– From the Exchange Mode drop-down box, select Main Mode.
– From the Local Identity drop-down box, select WAN IP Address (WAN IP address will
automatically be populated into the Local Identity Data field after policy is applied).
– From the Remote Identity drop-down box, select Remote WAN IP (WAN IP address will
automatically be populated into the Local Identity Data field after policy is applied).
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
G-6 NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P
March 2004, 202-10027-01
Figure G-6: NETGEAR FVS328 IKE Policy Configuration – Part 2
– From the Encryption Algorithm drop-down box, select 3DES.
– From the Authentication Algorithm drop-down box, select MD5.
– From the Authentication Method radio button, select Pre-shared Key.
– In the Pre-Shared Key field, type hr5xb84l6aa9r6. You must make sure the key is the
same for both gateways.
– From the Diffie-Hellman (DH) Group drop-down box, select Group 1 (768 Bit).
– In the SA Life Time field, type 28800.
3. Click the Apply Button. This will bring you back to the IKE Policies Menu.
Figure G-7: NETGEAR FVS328 IKE Policies (Post Configuration)
The FVS318 IKE Policy is now displayed in the IKE Policies page.
4. Click the VPN Policies link under the VPN category link on the left side of the Settings
management GUI. This will take you to the VPN Policies Menu page. Click Add Auto Policy.
This will open a new screen titled VPN – Auto Policy.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P G-7
March 2004, 202-10027-01
Figure G-8: NETGEAR FVS328 VPN – Auto Policy (part 1)
– Enter a unique name to identify this policy. This name is not supplied to the remote VPN
endpoint. In our example we have used to318 as the Policy Name. In the Policy Name
field type to318.
– From the IKE policy drop-down box, select the IKE Policy that was set up in the earlier
step – this being the FVS318 IKE Policy.
– From the Remote VPN Endpoint Address Type drop-down box, select IP Address.
– Type the WAN IP Address of Gateway A (14.15.16.17 in our example) in the Remote
VPN Endpoint Address Data field.
–Type 300 in the SA Life Time (Seconds) field.
–Type 0 in the SA Life Time (Kbytes) field.
– Check the IPSec PFS check box.
– From the PFS Key Group drop-down box, select Group 2 (1024 Bit).
– From the Traffic Selector Local IP drop-down box, select Subnet address.
– Type the starting LAN IP Address of Gateway B (172.23.9.1 in our example) in the Local
IP Start IP Address field.
– Type the finishing LAN IP Address of Gateway B (0.0.0.0 in our example) in the Local IP
Finish IP Address field.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
G-8 NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P
March 2004, 202-10027-01
– Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Local IP
Subnet Mask field.
Figure G-9: NETGEAR FWG114P VPN – Auto Policy (part 2)
– From the Traffic Selector Remote IP drop-down box, select Subnet address.
– Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote
IP Start IP Address field.
– Type the finishing LAN IP Address of Gateway A (0.0.0.0 in our example) in the Remote
IP Finish IP Address field.
– Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Remote
IP Subnet Mask field.
– From the AH Configuration Authentication Algorithm drop-down box, select MD5.
– Select Enable Encryption in the ESP Configuration Enable Encryption check box.
– From the ESP Configuration Encryption Algorithm drop-down box, select 3DES.
– Select Enable Authentication in the ESP Configuration Enable Authentication check box.
– From the ESP Configuration Authentication Algorithm drop-down box, select MD5.
– Select NETBIOS Enable in the NETBIOS Enable check box.
5. Click the Apply Button. You will be taken back to the VPN Policies Menu page.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P G-9
March 2004, 202-10027-01
Figure G-10: NETGEAR FWG114P VPN Policies Menu (Post Configuration)
6. When the screen returns to the VPN Policies, make sure the Enable check box is selected.
Click the Apply button.
Test the VPN Connection
1. From a PC behind the NETGEAR FVS318 or FVM318 gateway A attempt to ping the remote
FWG114P gateway B LAN Interface address (example address 172.23.9.1).
2. From a PC behind the FWG114P gateway B attempt to ping the remote NETGEAR FVS318
or FVM318 gateway A LAN Interface address (example address 10.5.6.1).
3. Click the Broadband Status link on the left side of the FWG114P Settings management GUI.
Click the Show VPN Status button below. This will take you to the IPSec Connection Status
Screen. If the connection is functioning properly, the State fields will show “Estab.”
4. Click the Router Status link on the left side of the FVS318 Settings management GUI. Click
the Show VPN Logs button below. NETGEAR log files should be similar to the example
below.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
G-10 NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P
March 2004, 202-10027-01
NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328 H-1
March 2004, 202-10027-01
Appendix H
NETGEAR VPN Configuration
FVS318 or FVM318 with FQDN to FVS328
This appendix provides a case study on how to configure a VPN tunnel between a NETGEAR
FVS318 or FVM318 to a FWG114P using a Fully Qualified Domain Name (FQDN) to resolve the
public address of one or both routers. The configurations screens and settings for the FVS318 and
FVM318 are the same.
Configuration Template
The configuration in this document follows the addressing and configuration mechanics defined
by the VPN Consortium. Gather all the necessary information before you begin the configuration
process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and
all of the parameters that need to be set on both sides. Check that there are no firewall restrictions.
Table H-1. Summary
VPN Consortium Scenario: Scenario 1
Type of VPN LAN-to-LAN or Gateway-to-Gateway (not PC/Client-to-Gateway)
Security Scheme: IKE with Preshared Secret/Key (not Certificate-based)
Date Tested: December 2003
Model/Firmware Tested:
NETGEAR-Gateway A FVS318 firmware version A1.4 or 2.0; FVM318 firmware version 1.1
NETGEAR-Gateway B FVS328 with firmware version 1.0 Release 00
IP Addressing:
NETGEAR-Gateway A Fully Qualified Domain Name (FQDN)
NETGEAR-Gateway B Static IP address
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
H-2 NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328
March 2004, 202-10027-01
Figure H-1: Addressing and Subnet Used for Examples
Using DDNS and Fully Qualified Domain Names (FQDN)
Many ISPs (Internet Service Providers) provide connectivity to their customers using dynamic
instead of static IP addressing. This means that a user’s IP address does not remain constant over
time, which presents a challenge for gateways attempting to establish VPN connectivity.
A Dynamic DNS (DDNS) service allows a user whose public IP address is dynamically assigned
to be located by a host or domain name. It provides a central public database where information
(such as e-mail addresses, host names and IP addresses) can be stored and retrieved. Now, a
gateway can be configured to use a 3rd party service in lieu of a permanent and unchanging IP
address to establish bi-directional VPN connectivity.
To use DDNS, you must register with a DDNS service provider. Example DDNS Service
Providers include:
Table H-1. Example DDNS Service Providers
In this example, Gateway A is configured using an example FQDN provided by a DDNS Service
provider. In this case we established the hostname netgear.dyndns.org for Gateway A using the
DynDNS www.dyndns.org
TZO.com netgear.tzo.com
ngDDNS ngddns.iego.net
Gateway A
22.23.24.25
FQDN
netgear.dydns.org
10.5.6.0/24 172.23.9.0/24
172.23.9.110.5.6.1
WAN IP WAN IP LAN IPLAN IP
Gateway B
VPNC Example
Network Interface Addressing
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328 H-3
March 2004, 202-10027-01
DynDNS service. Gateway B will use the DDNS Service Provider when establishing a VPN
tunnel.
In order to establish VPN connectivity Gateway A must be configured to use Dynamic DNS, and
Gateway B must be configured to use a DNS hostname to find Gateway A provided by a DDNS
Service Provider. Again, the following step-by-step procedures assume that you have already
registered with a DDNS Service Provider and have the configuration information necessary to set
up the gateways.
Step-By-Step Configuration of FVS318 or FVM318 Gateway A
1. Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration.
Out of the box, the FVS318 or FVM318 is set for its default LAN address of
http://192.168.0.1, with its default user name of admin and default password of password.
For this example we will assume you have set the local LAN address as 10.5.6.1 for Gateway
A and have set your own password.
2. Click Dynamic DNS on the left side of the Settings management GUI.
3. Access the Web site of one of the dynamic DNS service providers whose names appear in the
‘Use a dynamic DNS service’ list, and register for an account.
For example, for dyndns.org, click the link or go to www.dyndns.org.
Figure H-2: Dynamic DNS Setup menu
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
H-4 NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328
March 2004, 202-10027-01
4. Select the Use a dynamic DNS service radio button for the service you are using. In this
example we are using www.DynDNS.org as the service provider.
– Type the Host Name that your dynamic DNS service provider gave you.
The dynamic DNS service provider may call this the domain name. In this example we are
using dyndns.org as the domain suffix.
– Type the User Name for your dynamic DNS account. In this example we used netgear as
the Host Name. This means that the complete FQDN we are using is netgear.dyndns.org
and the Host Name is “netgear.”
– Type the Password (or key) for your dynamic DNS account.
5. Click Apply to save your configuration.
6. Click VPN Settings on the left side of the Settings management GUI.
Figure H-3: NETGEAR FVS318 VPN Settings Pre-Configuration
7. Click the radio button of first available VPN leg (all 8 links are available in the example).
Click Edit. This will take you to the VPN Settings – Main Mode Menu.
Note: The router supports only basic DDNS and the login and password may not be
secure. If your ISP assigns a private WAN IP address, such as 192.168.x.x or 10.x.x.x,
the dynamic DNS service will not work because private addresses will not be routed on
the Internet.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328 H-5
March 2004, 202-10027-01
Figure H-4: NETGEAR FVS318 VPN Settings (part 1) – Main Mode
– In the Connection Name box, enter in a unique name for the VPN tunnel to be configured
between the NETGEAR devices. For this example we have used toFVS328.
– Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name
must be entered in the other endpoint as Remote IPSec Identifier. In this example we used
netgear.dyndns.org (the FQDN) as the local identifier.
– Enter a Remote IPSec Identifier name for the remote NETGEAR FVS328 Gateway B.
This name must be entered in the other endpoint as Local IPSec Identifier. In this example
we used 22.23.24.25 as the remote identifier.
– Choose a subnet from local address from the “Tunnel can be accessed” from pull-down
menu.
– Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Local IP
Local LAN start IP Address field.
– Type the finishing LAN IP Address of Gateway A (0.0.0.0 in our example) in the Local IP
Local LAN finish IP Address field.
– Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Local
LAN IP Subnetmask field.
– Choose a subnet from local address from the “Tunnel can access” pull-down menu.
– Type the starting LAN IP Address of Gateway B (172.23.9.1 in our example) in the Local
IP Remote LAN Start IP Address field.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
H-6 NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328
March 2004, 202-10027-01
– Type the finishing LAN IP Address of Gateway B (0.0.0.0 in our example) in the Local IP
Remote LAN Finish IP Address field.
– Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Remote
LAN IP Subnetmask field.
– Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote
WAN IP or FQDN field.
Figure H-5: Figure 4 – NETGEAR FVS318 VPN Settings (part 2) – Main Mode
– From the Secure Association drop-down box, select Main Mode.
– Next to Perfect Forward Secrecy, select the Enabled radio button.
– From the Encryption Protocol drop-down box, select 3DES.
– In the PreShared Key box, type a unique text string to be used as the shared key between
Gateway A and Gateway B. In this example we used hr5xb84l6aa9r6. You must make
sure the key is the same for both gateways.
– In the Key Life box, enter in 3600 seconds.
– In the IKE Life Time, enter 28800 seconds.
– Check the NETBIOS Enable box if you wish to pass NetBIOS traffic over the VPN
tunnel, allowing functions, such as Microsoft Network Neighborhood browsing.
8. Click the Apply button in the lower center of the screen to save all changes and return to the
VPN Settings screen.
9. When the screen returns to the VPN Settings, make sure the Enable check box is selected.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328 H-7
March 2004, 202-10027-01
Step-By-Step Configuration of FVS328 Gateway B
1. Log in to the NETGEAR FVS328, labeled Gateway B in the illustration.
Out of the box, the FVS328 is set for its default LAN address of http://192.168.0.1, with its
default user name of admin and default password of password. For this example we will
assume you have set the local LAN address as 172.23.9.1 for Gateway B.
2. Click IKE Policies link under the VPN category and click Add on the IKE Policies Menu.
Figure H-6: NETGEAR FVS328 IKE Policy Configuration – Part 1
– Enter an appropriate name for the policy in the Policy Name field. This name is not
supplied to the remote VPN Endpoint. It is used to help you manage the IKE policies. In
our example we have used FVS318 as the Policy Name. In the Policy Name field type
FVS318.
– From the Direction/Type drop-down box, select Both Directions.
– From the Exchange Mode drop-down box, select Main Mode.
– From the Local Identity drop-down box, select WAN IP Address (WAN IP address will
automatically be populated into the Local Identity Data field after policy is applied).
– From the Remote Identity drop-down box, select Fully Qualified Domain Name.
– Type the FQDN (netgear.dnydns.org in our example) in the Remote Identity Data field.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
H-8 NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328
March 2004, 202-10027-01
Figure H-7: NETGEAR FVS328 IKE Policy Configuration – Part 2
– From the Encryption Algorithm drop-down box, select 3DES.
– From the Authentication Algorithm drop-down box, select MD5.
– From the Authentication Method radio button, select Pre-shared Key.
– In the Pre-Shared Key field, type hr5xb84l6aa9r6. You must make sure the key is the
same for both gateways.
– From the Diffie-Hellman (DH) Group drop-down box, select Group 1 (768 Bit).
– In the SA Life Time field, type 28800.
3. Click Apply. This will bring you back to the IKE Policies Menu.
Figure H-8: NETGEAR FWG114P IKE Policies (Post Configuration)
The FVS318 IKE Policy is now displayed in the IKE Policies page.
4. Click the VPN Policies link under the VPN category on the left side of the Settings
management GUI. This will take you to the VPN Policies Menu page. Click Add Auto Policy.
This will open a new screen titled VPN – Auto Policy.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328 H-9
March 2004, 202-10027-01
Figure H-9: NETGEAR FVS328 VPN – Auto Policy (part 1)
– Enter a unique name to identify this policy. This name is not supplied to the remote VPN
endpoint. In our example we have used to318 as the Policy Name. In the Policy Name
field type to318.
– From the IKE policy drop-down box, select the IKE Policy that was set up in the earlier
step – the FVS318 IKE Policy.
– From the Remote VPN Endpoint Address Type drop-down box, select IP Address.
– Type the WAN IP Address of Gateway A (14.15.16.17 in our example) in the Remote
VPN Endpoint Address Data field.
–Type 300 in the SA Life Time (Seconds) field.
–Type 0 in the SA Life Time (Kbytes) field.
– Check the IPSec PFS check box.
– From the PFS Key Group drop-down box, select Group 2 (1024 Bit).
– From the Traffic Selector Local IP drop-down box, select Subnet address.
– Type the starting LAN IP Address of Gateway B (172.23.9.1 in our example) in the Local
IP Start IP Address field.
– Type the finishing LAN IP Address of Gateway B (0.0.0.0 in our example) in the Local IP
Finish IP Address field.
– Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Local IP
Subnet Mask field.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
H-10 NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328
March 2004, 202-10027-01
Figure H-10: NETGEAR FVS328 VPN – Auto Policy (part 2)
– From the Traffic Selector Remote IP drop-down box, select Subnet address.
– Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote
IP Start IP Address field.
– Type the finishing LAN IP Address of Gateway A (0.0.0.0 in our example) in the Remote
IP Finish IP Address field.
– Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Remote
IP Subnet Mask field.
– From the AH Configuration Authentication Algorithm drop-down box, select MD5.
– Select the Enable Encryption check box.
– From the ESP Configuration Encryption Algorithm drop-down box, select 3DES.
– Select the Enable Authentication check box.
– From the ESP Configuration Authentication Algorithm drop-down box, select MD5.
– Select the NETBIOS Enable check box.
5. Click the Apply Button. You will be taken back to the VPN Policies Menu page.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328 H-11
March 2004, 202-10027-01
Figure H-11: NETGEAR FVS328 VPN Policies Menu (Post Configuration)
6. When the screen returns to the VPN Policies, make sure the Enable check box is selected.
Click the Apply button.
Test the VPN Connection
1. From a PC behind the NETGEAR FVS318 or FVM318 Gateway A, attempt to ping the
remote FWG114P Gateway B LAN Interface address (example address 172.23.9.1).
2. From the FVS318 or FVM318, click the Router Status link on the left side of the Settings
management menu. Click the Show VPN Status button. This will take you to the IPSec
Connection Status Screen. If the connection is functioning properly, the State fields will show
“Estab.”
3. From the FVS328, click the VPN Status link under the VPN section of the main menu. The
VPN Logs and status are displayed.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
H-12 NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328
March 2004, 202-10027-01
March 2004, 202-10027-01
Glossary 1
Glossary
List of Glossary Terms
Use the list below to find definitions for technical terms used in this manual.
10BASE-T
IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.
100BASE-Tx
IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.
802.1x
802.1x defines port-based, network access control used to provide authenticated network access and
automated data encryption key management.
The IEEE 802.1x draft standard offers an effective framework for authenticating and controlling user traffic
to a protected network, as well as dynamically varying encryption keys. 802.1x uses a protocol called EAP
(Extensible Authentication Protocol) and supports multiple authentication methods, such as token cards,
Kerberos, one-time passwords, certificates, and public key authentication. For details on EAP specifically,
refer to IETF's RFC 2284.
802.11b
IEEE specification for wireless networking at 11 Mbps using direct-sequence spread-spectrum (DSSS)
technology and operating in the unlicensed radio spectrum at 2.4-2.5GHz.
802.11g
A soon to be ratified IEEE specification for wireless networking at 54 Mbps using direct-sequence
spread-spectrum (DSSS) technology and operating in the unlicensed radio spectrum at 2.4GHz. 802.11g is
backwards compatible with 802.11b.
Access Control List (ACL)
An ACL is a database that an Operating System uses to track each user’s access rights to system objects
(such as file directories and/or files).
Ad-hoc Mode
An 802.11 networking framework in which devices or stations communicate directly with each other,
without the use of an access point (AP). Ad-hoc mode is also referred to as peer-to-peer mode or an
Independent Basic Service Set (IBSS). Ad-hoc mode is useful for establishing a network where wireless
infrastructure does not exist or where services are not required.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
2Glossary
March 2004, 202-10027-01
ADSL
Short for asymmetric digital subscriber line, a technology that allows data to be sent over existing copper
telephone lines at data rates of from 1.5 to 9 Mbps when receiving data (known as the downstream rate) and
from 16 to 640 Kbps when sending data (known as the upstream rate).
ADSL requires a special ADSL modem. ADSL is growing in popularity as more areas around the world
gain access.
ARP
Address Resolution Protocol, a TCP/IP protocol used to convert an IP address into a physical address (called
a DLC address), such as an Ethernet address.
A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host
on the network that has the IP address in the request then replies with its physical hardware address. There is
also Reverse ARP (RARP) which can be used by a host to discover its IP address. In this case, the host
broadcasts its physical address and a RARP server replies with the host's IP address.
Auto Uplink
Auto UplinkTM technology (also called MDI/MDIX) eliminates the need to worry about crossover vs.
straight-through Ethernet cables. Auto UplinkTM will accommodate either type of cable to make the right
connection.
Bandwidth
The information capacity, measured in bits per second, that a channel could transmit. Bandwidth examples
include 10 Mbps for Ethernet, 100 Mbps for Fast Ethernet, and 1000 Mbps (I Gbps) for Gigabit Ethernet.
Baud
The signaling rate of a line, that is, the number of transitions (voltage or frequency changes) made per
second. Also known as line speed.
Broadcast
A packet sent to all devices on a network.
CA
A Certificate Authority is a trusted third-party organization or company that issues digital certificates used
to create digital signatures and public-private key pairs.
Cat 5
Category 5 unshielded twisted pair (UTP) cabling. An Ethernet network operating at 10 Mbits/second
(10BASE-T) will often tolerate low quality cables, but at 100 Mbits/second (10BASE-Tx) the cable must be
rated as Category 5, or Cat 5 or Cat V, by the Electronic Industry Association (EIA).
This rating will be printed on the cable jacket. Cat 5 cable contains eight conductors, arranged in four
twisted pairs, and terminated with an RJ45 type connector. In addition, there are restrictions on maximum
cable length for both 10 and 100 Mbits/second networks.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Glossary 3
March 2004, 202-10027-01
Certificate Authority
A Certificate Authority is a trusted third-party organization or company that issues digital certificates used
to create digital signatures and public-private key pairs.
The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact,
who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution,
such as a credit card company, which provides it with information to confirm an individual's claimed
identity. CAs are a critical component in data security and electronic commerce because they guarantee that
the two parties exchanging information are really who they claim to be.
DHCP
An Ethernet protocol specifying how a centralized DHCP server can assign network configuration
information to multiple DHCP clients. The assigned information includes IP addresses, DNS addresses, and
gateway (router) addresses.
DMZ
Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on
the Internet for services that you have not defined. There are security issues with doing this, so only do this
if you are willing to risk open access.
DNS
Short for Domain Name System (or Service), an Internet service that translates domain names into IP
addresses.
Because domain names are alphabetic, they are easier to remember. The Internet however, is really based on
IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the
corresponding IP address. For example, the domain name www.example.com might translate to
198.105.232.4. The DNS system is, in fact, its own network. If one DNS server does not know how to
translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.
Domain Name
A descriptive name for an address or group of addresses on the Internet. Domain names are of the form of a
registered entity name plus one of a number of predefined top level suffixes, such as .com, .edu, .uk, and so
on. For example, in the address mail.NETGEAR.com, mail is a server name and NETGEAR.com is the
domain.
DSL
Short for digital subscriber line, but is commonly used in reference to the asymmetric version of this
technology (ADSL) that allows data to be sent over existing copper telephone lines at data rates of from 1.5
to 9 Mbps when receiving data (known as the downstream rate) and from 16 to 640 Kbps when sending data
(known as the upstream rate).
ADSL requires a special ADSL modem. ADSL is growing in popularity as more areas around the world
gain access.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
4Glossary
March 2004, 202-10027-01
Dynamic Host Configuration Protocol
DHCP. An Ethernet protocol specifying how a centralized DHCP server can assign network configuration
information to multiple DHCP clients. The assigned information includes IP addresses, DNS addresses, and
gateway (router) addresses.
EAP
Extensible Authentication Protocol is a general protocol for authentication that supports multiple
authentication methods.
EAP, an extension to PPP, supports such authentication methods as token cards, Kerberos, one-time
passwords, certificates, public key authentication and smart cards. In wireless communications using EAP, a
user requests connection to a WLAN through an AP, which then requests the identity of the user and
transmits that identity to an authentication server, such as RADIUS. The server asks the AP for proof of
identity, which the AP gets from the user and then sends back to the server to complete the authentication.
EAP is defined by RFC 2284.
ESSID
The Extended Service Set Identification (ESSID) is a thirty-two character (maximum) alphanumeric key
identifying the wireless local area network.
Gateway
A local device, usually a router, that connects hosts on a local network to other networks.
IEEE
Institute of Electrical and Electronics Engineers. This American organization was founded in 1963 and sets
standards for computers and communications.
IETF
Internet Engineering Task Force. An organization responsible for providing engineering solutions for TCP/
IP networks. In the network management area, this group is responsible for the development of the SNMP
protocol.
IP
Internet Protocol is the main internetworking protocol used in the Internet. Used in conjunction with the
Transfer Control Protocol (TCP) to form TCP/IP.
IP Address
A four-byte number uniquely defining each host on the Internet, usually written in dotted-decimal notation
with periods separating the bytes (for example, 134.177.244.57).
Ranges of addresses are assigned by Internic, an organization formed for this purpose.
ISP
Internet service provider.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Glossary 5
March 2004, 202-10027-01
Internet Protocol
The main internetworking protocol used in the Internet. Used in conjunction with the Transfer Control
Protocol (TCP) to form TCP/IP.
LAN
A communications network serving users within a limited area, such as one floor of a building.
local area network
LAN. A communications network serving users within a limited area, such as one floor of a building.
A LAN typically connects multiple personal computers and shared network devices, such as storage and
printers. Although many technologies exist to implement a LAN, Ethernet is the most common for
connecting personal computers.
MAC address
The Media Access Control address is a unique 48-bit hardware address assigned to every network interface
card. Usually written in the form 01:23:45:67:89:ab.
Mbps
Megabits per second.
MD5
MD5 creates digital signatures using a one-way hash function, meaning that it takes a message and converts
it into a fixed string of digits, also called a message digest.
When using a one-way hash function, one can compare a calculated message digest against the message
digest that is decrypted with a public key to verify that the message has not been tampered with. This
comparison is called a “hashcheck.”
MDI/MDIX
In cable wiring, the concept of transmit and receive are from the perspective of the computer, which is wired
as a Media Dependant Interface (MDI). In MDI wiring, a computer transmits on pins 1 and 2. At the hub,
switch, router, or access point, the perspective is reversed, and the hub receives on pins 1 and 2. This wiring
is referred to as Media Dependant Interface - Crossover (MDI-X). See also Auto Uplink.
MTU
The size in bytes of the largest packet that can be sent or received.
NAT
A technique by which several hosts share a single IP address for access to the Internet.
NetBIOS
Network Basic Input Output System. An application programming interface (API) for sharing services
and information on local-area networks (LANs). Provides for communication between stations of a
network where each station is given a name. These names are alphanumeric names, 16 characters in length.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
6Glossary
March 2004, 202-10027-01
netmask
Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local
to it, and which must be reached through a gateway or router.
A number that explains which part of an IP address comprises the network address and which part is the host
address on that network. It can be expressed in dotted-decimal notation or as a number appended to the IP
address. For example, a 28-bit mask starting from the MSB can be shown as 255.255.255.192 or as /28
appended to the IP address.
Network Address Translation
A technique by which several hosts share a single IP address for access to the Internet.
packet
A block of information sent over a network. A packet typically contains a source and destination network
address, some protocol and length information, a block of data, and a checksum.
Point-to-Point Protocol
PPP. A protocol allowing a computer using TCP/IP to connect directly to the Internet.
PPP
A protocol allowing a computer using TCP/IP to connect directly to the Internet.
PPPoA
PPPoA. PPP over ATM is a protocol for connecting remote hosts to the Internet over an always-on
connection by simulating a dial-up connection.
PPPoE
PPPoE. PPP over Ethernet is a protocol for connecting remote hosts to the Internet over an always-on
connection by simulating a dial-up connection.
PPP over ATM
PPPoA. PPP over ATM is a protocol for connecting remote hosts to the Internet over an always-on
connection by simulating a dial-up connection.
PPP over Ethernet
PPPoE. PPP over Ethernet is a protocol for connecting remote hosts to the Internet over an always-on
connection by simulating a dial-up connection.
PPTP
Point-to-Point Tunneling Protocol. A method for establishing a virtual private network (VPN) by embedding
Microsoft’s network protocol into Internet packets.
PSTN
Public Switched Telephone Network.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
Glossary 7
March 2004, 202-10027-01
RADIUS
Short for Remote Authentication Dial-In User Service, RADIUS is an authentication system.
Using RADIUS, you must enter your user name and password before gaining access to a network. This
information is passed to a RADIUS server, which checks that the information is correct, and then authorizes
access. Though not an official standard, the RADIUS specification is maintained by a working group of the
IETF.
RIP
A protocol in which routers periodically exchange information with one another so that they can determine
minimum distance paths between sources and destinations.
router
A device that forwards data between networks. An IP router forwards data based on IP source and
destination addresses.
SSID
A Service Set Identification is a thirty-two character (maximum) alphanumeric key identifying a wireless
local area network. For the wireless devices in a network to communicate with each other, all devices must
be configured with the same SSID.
This is typically the configuration parameter for a wireless computer card. It corresponds to the ESSID in
the wireless Access Point and to the wireless network name. See also Wireless Network Name and ESSID.
Subnet Mask
Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local
to it, and which must be reached through a gateway or router.
TLS
Short for Transport Layer Security, TLS is a protocol that guarantees privacy and data integrity between
client/server applications communicating over the Internet.
The TLS protocol is made up of two layers. The TLS Record Protocol ensures that a connection is private by
using symmetric data encryption and ensures that the connection is reliable. The second TLS layer is the
TLS Handshake Protocol, which allows authentication between the server and client and the negotiation of
an encryption algorithm and cryptographic keys before data is transmitted or received. Based on Netscape’s
SSL 3.0, TLS supercedes and is an extension of SSL. TLS and SSL are not interoperable.
Universal Plug and Play
UPnP. A networking architecture that provides compatibility among networking technology. UPnP
compliant routers provide broadband users at home and small businesses with a seamless way to participate
in online games, videoconferencing and other peer-to-peer services.
UTP
Unshielded twisted pair is the cable used by 10BASE-T and 100BASE-Tx Ethernet networks.
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
8Glossary
March 2004, 202-10027-01
WAN
A long distance link used to extend or connect remotely located local area networks. The Internet is a large
WAN.
WEP
Wired Equivalent Privacy is a data encryption protocol for 802.11b wireless networks.
All wireless nodes and access points on the network are configured with a 64-bit or 128-bit Shared Key for
data encryption.
wide area network
WAN. A long distance link used to extend or connect remotely located local area networks. The Internet is a
large WAN.
Wi-Fi
A trade name for the 802.11b wireless networking standard, given by the Wireless Ethernet Compatibility
Alliance (WECA, see http://www.wi-fi.net), an industry standards group promoting interoperability among
802.11b devices.
Windows Internet Naming Service
WINS. Windows Internet Naming Service is a server process for resolving Windows-based computer names
to IP addresses.
If a remote network contains a WINS server, your Windows PCs can gather information from that WINS
server about its local hosts. This allows your PCs to browse that remote network using the Windows
Network Neighborhood feature.
WINS
WINS. Windows Internet Naming Service is a server process for resolving Windows-based computer names
to IP addresses.
Wireless Network Name (SSID)
Wireless Network Name (SSID) is the name assigned to a wireless network. This is the same as the SSID or
ESSID configuration parameter.
WPA
Wi-Fi Protected Access (WPA) is a specification of standards-based, interoperable security enhancements
that increase the level of data protection and access control for existing and future wireless LAN systems.
Index 1
Numerics
802.11b E-1
A
Account Name 3-10, 3-12, 3-18
Address Resolution Protocol B-9
Addressing F-7
ad-hoc mode E-2
Austria 3-18
Authentication Header (AH) F-3, F-4
Auto MDI/MDI-X B-15, G-2
Auto Uplink 2-4, B-15, G-2
B
backup configuration 9-7
Basic Wireless Connectivity 4-9
BigPond 3-18
BSSID E-2
C
CA 8-26
Cabling B-11
Cat5 cable 3-1, B-12, G-2
Certificate Authority 8-26
Classical IP 2-5
configuration
automatic by DHCP 2-5
backup 9-7
erasing 9-8
restore 9-6
router, initial 3-1
Connection Monitor 8-46
content filtering 2-3, 6-1
crossover cable 2-4, 11-2, B-14, B-15, G-2
D
date and time 11-7
Daylight Savings Time 11-7
daylight savings time 6-13
Default DMZ Server 10-2
Denial of Service (DoS) protection 2-3
denial of service attack B-11
DHCP B-10
DHCP Client ID C-7
DMZ 2-4, 10-2
DMZ Server 10-2
DNS Proxy 2-5
DNS server 3-11, 3-12, 3-18, C-11
domain C-11
Domain Name 3-10, 3-12, 3-18
domain name server (DNS) B-9
DoS attack B-11
E
Enable VPN Passthrough (IPSec, PPTP, L2TP) 6-11
Encapsulating Security Payload F-3
EnterNet C-9
erase configuration 9-8
ESP F-3
ESSID 4-9, E-2
Ethernet 2-4
Ethernet cable B-11
exposed host 10-2
Index
2Index
F
factory settings, restoring 9-8
firewall features 2-3
Flash memory, for firmware upgrade 2-1
FQDN 2-3
front panel 2-7, 2-8
Fully Qualified Domain Name 2-3
G
gateway address C-11
General 8-4, 8-7, 8-11
H
host name 3-10, 3-12, 3-18
I
IANA
contacting B-2
IETF B-1
Web site address B-7
IKE Security Association F-4
inbound rules 6-6
infrastructure mode E-2
installation 2-5
Internet account
address information C-9
establishing C-9
Internet Key Exchange (IKE) F-3
Internet Protocol security F-1
Internet Service Provider 3-1
Intranets F-1
IP addresses C-10, C-11
and NAT B-7
and the Internet B-2
assigning B-2, B-9
auto-generated 11-3
private B-7
translating B-9
IP configuration by DHCP B-10
IP networking
for Macintosh C-6
for Windows C-2, C-5
IPSec F-1
IPSec Components F-2
IPSec SA negotiation F-9
IPSec Security Features F-2
ISP 3-1
L
LAN IP Setup Menu 10-5
LEDs
description 2-7
troubleshooting 11-2
logsending 6-13
Log Viewer 8-46
LPD/LPR Printing 7-1
M
MAC address 11-7, B-9
spoofing 3-12, 3-19, 11-5
Macintosh C-10
configuring for IP networking C-6
DHCP Client ID C-7
network printing 7-1, 7-8
Obtaining ISP Configuration Information C-11
masquerading C-9
MDI/MDI-X B-15, G-2
MDI/MDI-X wiring B-14, G-5
metric 10-9
Modem 5-2
modem 2-2, 2-5, 2-8, 3-14
Modem Type 3-16
N
NAT C-9
NAT. See Network Address Translation
netmask
translation table B-6
Index 3
Network Address Translation 2-5, B-7, C-9
Network Time Protocol 6-13, 11-7
newsgroup 6-3
NTP 6-13, 11-7
O
Open System authentication E-2
outbound rules 6-9
P
package contents 2-6
Passphrase 4-5, 4-11
passphrase 2-2
password
restoring 11-7
PC, using to configure C-12
ping 10-2
PKIX 8-26
port filtering 6-9
port forwarding behind NAT B-8
port numbers 6-3
PPP over Ethernet 2-5, C-9
PPPoE 2-5, 3-10, C-9
PPTP 3-18
Primary DNS Server 3-11, 3-12, 3-14, 3-18
protocols
Address Resolution B-9
DHCP B-10
Routing Information 2-4, B-2
support 2-1
publications, related B-1
R
range 4-1
rear panel 2-8
remote management 10-10
requirements
hardware 3-1
reserved IP adresses 10-7
restore configuration 9-6
restore factory settings 9-8
Restrict Wireless Access by MAC Address 4-10
RFC
1466 B-7, B-9
1597 B-7, B-9
1631 B-8, B-9
finding B-7
RIP (Router Information Protocol) 10-6
router concepts B-1
Router Status 9-1
Routing Information Protocol 2-4, B-2
RTS Threshold 5-3, 5-5, 5-6
rules
inbound 6-6
outbound 6-9
S
SA F-4
Secondary DNS Server 3-11, 3-12, 3-14, 3-18
security 2-1, 2-4
Serial 3-16, 5-2
serial 2-1, 2-8
Serial Line Speed 9-3
Serial Port Log 9-3
Serial Port Phone Line Speed 9-3
Serial Port Physical Link Status 9-3
Serial Port PPP IP Address 9-3
Serial Port PPP Link Status 9-3
Serial Port Status 9-3
service blocking 6-9
service numbers 6-4
Setup Wizard 3-1
Shared Key authentication E-3
SMTP 6-14
spoof MAC address 11-5
SSID 4-4, 4-9, 4-10, E-2
stateful packet inspection 2-3, 6-1, B-11
4Index
subnet addressing B-4
subnet mask B-5, C-10, C-11
T
TCP/IP
configuring C-1, D-1, F-1
network, troubleshooting 11-5
TCP/IP properties
verifying for Macintosh C-8
verifying for Windows C-5, C-6
Telstra 3-18
Testing and Troubleshooting F-11
time of day 11-7
time zone 6-13
time-stamping 6-13
Transport Mode F-5
troubleshooting 11-1
Trusted Host 6-3
Tunnel Mode F-5
U
Universal Plug and Play 10-11
Uplink switch B-14
UPnP 10-11
USB C-9
USB 2.0 2-8
V
VPN F-1
VPN Consortium F-6
VPN Process Overview F-7
VPNC IKE Phase I Parameters F-10
VPNC IKE Phase II Parameters F-11
W
WEP E-3
Wi-Fi E-1
Windows, configuring for IP routing C-2, C-5
winipcfg utility C-5
WinPOET C-9
Wired Equivalent Privacy. See WEP
Wireless Ethernet E-1
Wireless Security 4-2