NETGEAR FVX538 - ProSafe VPN Firewall 200 Router Reference Manual

Reference Manual for the
ProSafe VPN Firewall 200
FVX538
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
202-10062-02
Version 1.1
January 2005


Summary of Contents for NETGEAR FVX538 - ProSafe VPN Firewall 200 Router

  • Page 1 Reference Manual for the ProSafe VPN Firewall 200 FVX538 NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA 202-10062-02 Version 1.1 January 2005...
  • Page 2 In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Certificate of the Manufacturer/Importer It is hereby certified that the FVX538 ProSafe VPN Firewall 200 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions.
  • Page 4 Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
  • Page 5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
  • Page 6 Product and Publication Details Model Number: FVX538 Publication Date: January 2005 Product Family: Router Product Name: FVX538 ProSafe VPN Firewall 200 Home or Business Product: Business Language: English...
  • Page 7: Table Of Contents

    Rack Mounting the Router ..................2-8 The Router’s IP Address, Login Name, and Password ..........2-9 Logging into the Router ....................2-9 Default Factory Settings ..................2-10 NETGEAR Related Products ..................2-11 Chapter 3 Network Planning Overview of the Planning Process ..................3-1 Inbound Traffic ......................3-1 Virtual Private Networks (VPNs) ................3-1...
  • Page 8 The Load Balancing Case for Firewalls With Dual WAN Ports ........3-2 Inbound Traffic ........................3-3 Inbound Traffic to Single WAN Port (Reference Case) ..........3-3 Inbound Traffic to Dual WAN Port Systems .............3-3 Inbound Traffic: Dual WAN Ports for Improved Reliability .........3-4 Inbound Traffic: Dual WAN Ports for Load Balancing ........3-4 Virtual Private Networks (VPNs) ..................3-5...
  • Page 9 Load Balancing (and Protocol Binding) Setup ..........4-17 Step 5: Configure Dynamic DNS (If Needed) ............4-20 Step 6: Configure the WAN Options (If Needed) ............4-23 Chapter 5 LAN Configuration Using the LAN IP Setup Options ..................5-1 Configuring LAN TCP/IP Setup Parameters ............5-2 Using the Firewall as a DHCP server ...............5-4 Using Address Reservation ..................5-5...
  • Page 10 Creating a VPN Connection: Between FVX538 and FVX538 ........7-5 Configuring the FVX538 ...................7-5 Configuring the FVS338 ...................7-9 Testing the Connection ................... 7-11 Creating a VPN Connection: Netgear VPN Client to FVX538 ........7-11 Configuring the FVX538 ..................7-12 Configuring the VPN Client ..................7-12 Testing the Connection ...................7-20...
  • Page 11 Login Failures and Attacks ..................8-13 Monitoring ........................8-15 Viewing VPN Firewall Status and Time Information ..........8-15 Firewall Status ....................8-15 Time Information ....................8-17 WAN Ports ......................8-19 WAN Port Connection Status ................8-19 Dynamic DNS Status ..................8-20 Internet Traffic Information ................8-20 LAN Ports and Attached Devices ................8-21 Known PCs and Devices .................8-21...
  • Page 12 Appendix A Technical Specifications Appendix B Network, Routing, Firewall, and Basics Related Publications ...................... B-1 Basic Router Concepts ....................B-1 What is a Router? ....................B-2 Routing Information Protocol ................... B-2 IP Addresses and the Internet ..................
  • Page 13 Enabling DHCP to Automatically Configure TCP/IP Settings ......... C-8 DHCP Configuration of TCP/IP in Windows XP ............. C-8 DHCP Configuration of TCP/IP in Windows 2000 ..........C-10 DHCP Configuration of TCP/IP in Windows NT4 ..........C-13 Verifying TCP/IP Properties for Windows XP, 2000, and NT4 ......
  • Page 14 Testing and Troubleshooting ..................D-11 Additional Reading ...................... D-11 Glossary List of Glossary Terms ..................Glossary-1 Numeric ......................Glossary-1 A .........................Glossary-2 B .........................Glossary-2 C .........................Glossary-3 D .........................Glossary-3 E .........................Glossary-4 G .........................Glossary-5 I ...........................Glossary-5 L ..........................Glossary-7 M .........................Glossary-7 P .........................Glossary-8...
  • Page 15: About This Manual

    This manual is written for the FVX538 VPN firewall according to these specifications: Table 1-2. Manual Scope Product Version FVX538 ProSafe VPN Firewall 200 Manual Publication Date January 2005 Note: Product updates are available on the NETGEAR, Inc. Web site at http://kbserver.netgear.com/products/FVX538.asp...
  • Page 16: How To Use This Manual

    • button to access the full NETGEAR, Inc. online knowledge base for the product model. • Links to PDF versions of the full manual and individual chapters.
  • Page 17: How To Print This Manual

    How to Print this Manual To print this manual you can choose one of the following options, according to your needs. • Printing a Page in the HTML View. Each page in the HTML version of the manual is dedicated to a major topic. Use the Print button on the browser toolbar to print the page contents.
  • Page 19: Introduction

    Chapter 2 Introduction This chapter describes the features of the NETGEAR FVX538 ProSafe VPN Firewall 200. Key Features of the VPN Firewall The FVX538 ProSafe VPN Firewall 200 with 8+1 port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem.
  • Page 20: Dual Wan Ports For Increased Reliability Or Outbound Load Balancing

    • Front panel LEDs for easy monitoring of status and activity. • Flash memory for firmware upgrade. • 1 U Rack mountable. Dual WAN Ports for Increased Reliability or Outbound Load Balancing The FVX538 VPN firewall has two broadband WAN ports, WAN1 and WAN2, each capable of operating independently at speeds of either 10 Mbps or 100 Mbps.
  • Page 21: Security

    • With its URL keyword filtering feature, the FVX538 prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.
  • Page 22: Extensive Protocol Support

    Extensive Protocol Support The FVX538 VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to Appendix B, “Network, Routing, Firewall, and Basics.”...
  • Page 23: Maintenance And Support

    The FVX538 VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the FVX538 VPN firewall: • Flash memory for firmware upgrade •...
  • Page 24: The Router's Front Panel

    • Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. The Router’s Front Panel The FVX538 ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.
  • Page 25 Table 2-1. Object Descriptions (continued) WAN Ports and LEDs: Two RJ-45 WAN ports, N-way automatic speed negotiation, Auto MDI/MDIX. Link/Act LED: On (Green) - The WAN port has detected a link with a connected Ethernet device. Blinking (Green) - Data is being transmitted or received by the WAN port.
  • Page 26: The Router's Rear Panel

    The Router’s Rear Panel The rear panel of the FVX538 ProSafe VPN Firewall 200 (Figure 2-2) contains the On/Off switch and AC power connection (100-240 VAC, 50-60Hz, 0.7A max.)...
  • Page 27: The Router's Ip Address, Login Name, And Password

    The Router’s IP Address, Login Name, and Password Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN •...
  • Page 28: Default Factory Settings

    Figure 2-5: Login screen on the Web browser Default Factory Settings When you first receive your FVX538, the default factory settings will be set as shown in Table 2-1 below. You can restore these defaults with the Factory Defaults restore switch on the front panel — “The Router’s Front Panel”...
  • Page 29: Netgear Related Products

    NETGEAR Related Products NETGEAR products related to the FVX538 ProSafe VPN Firewall 200 are as follows: • FA311 10/100 PCI Adapter • FA511 10/100 32-bit CardBus Adapter • GA311 10/100/1000 PCI Adapter •...
  • Page 31: Network Planning

    Chapter 3 Network Planning This chapter describes the factors to consider when planning a network using a firewall that has dual WAN ports. Overview of the Planning Process The areas that require planning when using a firewall that has dual WAN ports include: •...
  • Page 32: The Roll-Over Case For Firewalls With Dual Wan Ports

    Note: Once the gateway firewall WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address. The Roll-over Case for Firewalls With Dual WAN Ports Rollover (Figure 3-1) for the dual WAN port case is different from the single gateway WAN port...
  • Page 33: Inbound Traffic

    IP address is dynamic. (Figure 3-3: Inbound traffic to single WAN port case; labels: Router WAN IP, netgear.dyndns.org; IP address of WAN port: FQDN is required for dynamic IP address and is optional for fixed IP address.) Inbound Traffic to Dual WAN Port Systems The IP address range of the firewall’s WAN port must be both fixed and public so that the public...
  • Page 34: Inbound Traffic: Dual Wan Ports For Improved Reliability

    (Figure labels, Dual WAN Ports (Before Rollover): Router, WAN1 IP, WAN2 IP, netgear.dyndns.org, WAN1 port inactive, WAN2 port inactive.) IP address of active WAN port changes after a rollover (use of fully-qualified domain names always required)
  • Page 35: Virtual Private Networks (Vpns)

    Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN port depends on the configuration being implemented: Table 3-1.
  • Page 36: Vpn Road Warrior (Client-To-Gateway)

    Figure 3-6: Dual gateway WAN ports before and after rollover (labels: Dual WAN Ports (Before Rollover), Dual WAN Ports (After Rollover), Gateway VPN Router, WAN1 IP, WAN2 IP, netgear.dyndns.org, WAN1 port inactive, WAN2 port inactive). IP address of active WAN port changes after a rollover (use of fully-qualified domain names always required) •...
  • Page 37: Vpn Road Warrior: Dual Gateway Wan Ports For Improved Reliability

    Figure 3-8: Single gateway WAN port case for VPN road warrior (labels: Remote PC running NETGEAR ProSafe VPN Client; Fully-Qualified Domain Names (FQDN) - optional for Fixed IP addresses, required for Dynamic IP addresses). The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully-qualified domain name must be used.
  • Page 38: Vpn Road Warrior: Dual Gateway Wan Ports For Load Balancing

    Figure 3-10: Dual gateway WAN ports, after rollover, for VPN road warrior (labels: Remote PC running NETGEAR ProSafe VPN Client; Fully-Qualified Domain Names (FQDN) - required for Fixed IP addresses, required for Dynamic IP addresses; Remote PC must re-establish VPN tunnel after a rollover). The purpose of the fully-qualified domain name in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that...
  • Page 39: Vpn Gateway-To-Gateway

    Figure 3-12: Single gateway WAN ports case for gateway-to-gateway VPN tunnels (labels: Gateway B, VPN Router (at office A), VPN Router (at office B), WAN IP, LAN IP, FQDN netgear.dyndns.org, 22.23.24.25, 172.23.9.1, 10.5.6.1; Fully-Qualified Domain Names (FQDN) - optional for Fixed IP addresses, required for Dynamic IP addresses). The IP address of the gateway WAN ports can be either fixed or dynamic.
  • Page 40: Vpn Gateway-To-Gateway: Dual Gateway Wan Ports For Improved Reliability

    VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability In the case of the dual WAN ports on the gateway VPN firewall (Figure 3-13), either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to balance the loads of the gateway WAN ports because the IP addresses of the WAN ports are known in advance.
  • Page 41: Vpn Gateway-To-Gateway: Dual Gateway Wan Ports For Load Balancing

    (Figure labels: Gateway A VPN Router (at office A), Gateway B VPN Router (at office B); WAN_A1 port inactive, WAN_A2 IP, WAN_B1 IP, WAN_B2 port inactive, WAN_B2 IP (N/A); LAN IP 172.23.9.1, LAN IP 10.5.6.1; netgear.dyndns.org, netgearB.dyndns.org.) Fully-Qualified Domain Names (FQDN) - required for Fixed IP addresses...
  • Page 42: Vpn Telecommuter (Client-To-Gateway Through A Nat Router)

    Figure 3-16: Single gateway WAN port case for VPN telecommuter (labels: Remote PC running NETGEAR ProSafe VPN Client, home office, employer's main office; Fully-Qualified Domain Names (FQDN) - optional for Fixed IP addresses, required for Dynamic IP addresses). The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully-qualified domain name must be used.
  • Page 43: Vpn Telecommuter: Dual Gateway Wan Ports For Improved Reliability

    Figure 3-17: Dual gateway WAN ports, before rollover, for VPN telecommuter (labels: Remote PC running NETGEAR ProSafe VPN Client, home office, employer's main office; Fully-Qualified Domain Names (FQDN) - required for Fixed IP addresses, required for Dynamic IP addresses)...
  • Page 44: Vpn Telecommuter: Dual Gateway Wan Ports For Load Balancing

    Figure 3-19: Dual gateway WAN ports (load balancing case) for VPN telecommuter (labels: Remote PC running NETGEAR ProSafe VPN Client, home office, employer's main office; Fully-Qualified Domain Names (FQDN) - optional for Fixed IP addresses, required for Dynamic IP addresses). The IP addresses of the gateway WAN ports can be either fixed or dynamic.
  • Page 45: Connecting The Fvx538 To The Internet

    Chapter 4 Connecting the FVX538 to the Internet This chapter describes how to connect the WAN ports of the FVX538 VPN firewall to the Internet. What You Will Need to Do Before You Begin The FVX538 ProSafe VPN Firewall 200 is a powerful and versatile solution for your networking needs.
  • Page 46 Set up your accounts Have active Internet services such as that provided by cable or DSL broadband accounts and locate the Internet Service Provider (ISP) configuration information. • In this document, the WAN side of the network is presumed to be provisioned as shown in Figure 4-1 with two ISPs connected to the FVX538 VPN firewall through...
  • Page 47: Cabling And Computer Hardware Requirements

    FVX538, you must use a Java-enabled web browser program that supports HTTP uploads such as Microsoft Internet Explorer or Netscape Navigator. NETGEAR recommends using Internet Explorer or Netscape Navigator 4.0 or above. Free browser programs are readily available for Windows, Macintosh, or UNIX/Linux.
  • Page 48: Where Do I Get The Internet Configuration Parameters

    • You may also refer to the FVX538 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below.
  • Page 49: Record Your Internet Connection Information

    Record Your Internet Connection Information Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP.
  • Page 50: Connecting The Fvx538 Prosafe Vpn Firewall 200

    Connecting the FVX538 ProSafe VPN Firewall 200 This section provides instructions for connecting the FVX538 VPN firewall. Also, the Resource CD for ProSafe VPN Firewall included with your firewall contains an animated Installation Assistant to help you through this procedure.
  • Page 51: Step 1: Physically Connect The Vpn Firewall To Your Network (Required)

    Step 1: Physically Connect the VPN Firewall to Your Network (Required) Turn off your computer and Cable or DSL Modem. Disconnect the Ethernet cable from your computer which connects to your cable or DSL modem.
  • Page 52: Step 3: Configure The Internet Connections To Your Isps (Required)

    Figure 4-2: Login screen on the Web browser For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters. The firewall user name and password are not the same as any user name or password...
  • Page 53 Figure 4-3: WAN1 and WAN2 Basic Settings and Setup Wizard Screens (WAN1 screens, WAN2 screens)...
  • Page 54 Click Setup Wizard on the WAN1 ISP Settings screen to get the Setup Wizard (WAN1) screen. Click Next and follow the steps in the WAN1 Setup Wizard for inputting the configuration parameters from your ISP1 to connect to the Internet.
  • Page 55 The steps to configure WAN port 2 are as follows: Repeat the above steps to set up the parameters for ISP2. Start by clicking the WAN2 ISP link directly under WAN Setup on the upper left of the main menu to get the WAN2 ISP Settings screen shown in Figure 4-3.
  • Page 56: Manually Configuring Your Internet Connection

    Manually Configuring Your Internet Connection You can manually configure your firewall using the menu below if you do not want to allow the Setup Wizard to determine your configuration as described in the previous sections. Figure 4-4: Browser-based configuration WAN ISP Settings menus (WAN1 ISP shown; panels: ISP Does Not Require Login, ISP Does Require Login)
  • Page 57: Programming The Traffic Meter (If Desired)

    Programming the Traffic Meter (if Desired) From the Main Menu of the browser interface, under WAN Setup, click Traffic Meter. You will get the screens shown in Figure 4-5. Fill out the information described in Table 4-1.
  • Page 58 Table 4-1. Traffic meter Parameter Description Enable Traffic Meter Check this if you wish to record the volume of Internet traffic passing through the Router's WAN1 or WAN2 port. WAN1 or WAN2 can be selected through the drop down menu; the entire configuration is specific to each WAN interface.
  • Page 59: Step 4: Configure The Wan Mode (Required For Dual Wan)

    Step 4: Configure the WAN Mode (Required for Dual WAN) The dual WAN ports of the FVX538 ProSafe VPN Firewall 200 can be configured on a mutually exclusive basis for either rollover for increased system reliability or load balancing for maximum bandwidth efficiency.
  • Page 60: Rollover Setup

    Rollover Setup Perform the following steps to configure the dual WAN ports for rollover: Click the WAN Mode link directly under Setup on the upper left of the main menu to invoke the WAN Mode Auto-Rollover screen shown in Figure 4-6.
  • Page 61: Load Balancing (And Protocol Binding) Setup

    • Test Period—DNS query is sent periodically after every test period. The minimum test period is 30 seconds. • Maximum Failures—The WAN interface is considered down after the configured number of DNS queries have failed to elicit a DNS reply from the configured DNS server. The minimum number of failed DNS queries is four.
  • Page 62 Figure 4-7: WAN Mode screen for load balancing and protocol binding Fill out the screen using the following parameter definitions: • Detection of WAN failure—WAN failure is detected using DNS queries to the DNS server.
  • Page 63 • Test Period—DNS query is sent periodically after every test period. The minimum test period is 30 seconds. • Maximum Failures—The WAN interface is considered down after the configured number of DNS queries have failed to elicit a DNS reply from the configured DNS server. The minimum number of failed DNS queries is four.
  • Page 64: Step 5: Configure Dynamic Dns (If Needed)

    Step 5: Configure Dynamic DNS (If Needed) If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently.
  • Page 65 Figure 4-8: Dynamic DNS screens (Dynamic DNS screen for rollover mode; Dynamic DNS screens for load balancing mode)...
  • Page 66 Each DNS service provider requires its own parameters (Figure 4-9). Figure 4-9: Dynamic DNS service provider screens (DynDNS Service Screen, TZO Service Screen, Oray Service Screen) Access the website of one of the dynamic DNS service providers whose names appear in the ‘Select Service Provider’...
  • Page 67: Step 6: Configure The Wan Options (If Needed)

    Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.
  • Page 68 • Port Speed—In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may need to manually select the port speed. If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100M;...
  • Page 69: Lan Configuration

    Chapter 5 LAN Configuration This chapter describes how to configure the advanced features of your FVX538 ProSafe VPN Firewall 200. These features can be found under the Advanced heading in the Main Menu of the browser interface. • LAN Setup •...
  • Page 70: Configuring Lan Tcp/Ip Setup Parameters

    Figure 5-1: LAN IP Setup menu Note: Once you have completed the LAN IP setup, all outbound traffic is allowed and all inbound traffic is discarded. To change these traffic rules, refer to Chapter 6, “Firewall Protection and Content Filtering.”
  • Page 71 • IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your router will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the router).
  • Page 72: Using The Firewall As A Dhcp Server

    • Ending IP Address - This box specifies the last of the contiguous addresses in the IP address pool. 192.168.1.254 is the default ending address. • WINS Server - This box can specify the Windows NetBIOS Server IP if one is present in your network.
  • Page 73: Using Address Reservation

    • Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu; otherwise, the firewall’s LAN IP address) • Secondary DNS Server (if you entered a Secondary DNS address in the Basic Settings menu) •...
  • Page 74: Multi Home Lan Ips

    Multi Home LAN IPs Click Multi Home LAN IPs Setup on the LAN IP Setup screen (see Figure 5-1) to invoke the Secondary LAN IP Setup screens. This allows the firewall to act as a gateway to additional logical subnets on your LAN.
  • Page 75: Step 1: Enable The Dmz Port

    Step 1: Enable the DMZ port From the Main Menu of the browser interface, under Advanced, click on DMZ Setup to view the DMZ Setup menu, shown below. Figure 5-4: DMZ Setup screen To enable and configure the DMZ port: Click the Enable DMZ Port checkbox.
  • Page 76: Step 2: Define The Dmz Port Rules

    • Ending IP Address - This box specifies the last of the contiguous addresses in the IP address pool. 192.168.10.254 is the default ending address. • WINS Server - This box specifies the Windows Internet Naming Service Server IP. •...
  • Page 77: Configuring Static Routes

    Configuring Static Routes Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network.
  • Page 78 Select Active to make this route effective. Type the Destination IP Address of the final destination. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255. Type the Gateway IP Address, which must be a firewall on the same LAN segment as the firewall.
  • Page 79: Firewall Protection And Content Filtering

    Chapter 6 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the FVX538 ProSafe VPN Firewall 200 to protect your network. These features can be found by clicking on the Content Filtering heading in the Main Menu of the browser interface. Firewall Protection and Content Filtering Overview The FVX538 ProSafe VPN Firewall 200 provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail.
  • Page 80 A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVX538 are: • Inbound: Block all access from outside except responses to requests from the LAN side. •...
  • Page 81 Note: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems. Outbound Services—This lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule allows all outgoing traffic. •...
  • Page 82: Services-Based Rules

    Click the button for the desired actions: – Edit - to make any changes to the rule definition. The Inbound Service screen will be displayed (see “Inbound Rules (Port Forwarding)” on page 6-5) with the data for the selected rule.
  • Page 83: Inbound Rules (Port Forwarding)

    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Quality of service (QoS) priorities—Each service at its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change this QoS priority if desired to change the traffic mix through the system.
  • Page 84 Reference Manual for the ProSafe VPN Firewall 200 FVX538 Table 6-1. Inbound Services Item Description Services Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Customized Services”...
• Page 85
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location.
• Page 86
This application note describes how to configure multi-NAT to support multiple public IP addresses on one WAN interface of a NETGEAR FVX538 ProSafe VPN Firewall 200. By creating an inbound rule, we configure the firewall to host an additional public IP address and associate that address with a web server on the LAN.
• Page 87
– LAN IP address subnet is 192.168.1.1 255.255.255.0
– DMZ IP address subnet is 192.168.10.1 255.255.255.0
• Web server PC on the firewall's LAN
– LAN IP address is 192.168.1.2
– Access to the Web server is via the (simulated) public IP address 10.1.0.52
IP Address Requirements—If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or...
• Page 88
Figure 6-5: Rule example: one-to-one NAT mapping
Select Action "ALLOW always". For Send to LAN Server, enter the local IP address of your web server PC. For Public Destination IP Address, choose "Other Public IP Address" and enter one of your public Internet addresses; clients on the Internet will use this address to reach your web server.
• Page 89
Figure 6-6: Rule example: one-to-one NAT mapping on inbound services
To test the connection from a PC on the Internet, type http://<IP_address>, where <IP_address> is the public IP address you have mapped to your web server. You should see the home page of your web server.
• Page 90
Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. Where a single service must be reachable from the Internet, an inbound rule that forwards only that service's port to the server is the safer choice.
• Page 91: Outbound Rules (Service Blocking)
Outbound Rules (Service Blocking)
The FVX538 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering.
Figure 6-8: Add Outbound Service Rules screen
Note: See "Source MAC Filtering"...
• Page 92
Table 6-1. Outbound Services
Action: Select the desired action for outgoing connections covered by this rule:
• BLOCK always
• BLOCK by schedule, otherwise Allow
• ALLOW always
• ALLOW by schedule, otherwise Block
Note: Any outbound traffic that is not blocked by rules you create is allowed by the default rule.
• Page 93
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger use by employees during working hours, create an outbound rule that blocks that application from any internal IP address to any external address according to the schedule you have created in the Schedule menu.
• Page 94: Customized Services
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 6-10.
Figure 6-10: Rules table with examples
For any traffic attempting to pass through the firewall, the packet information is checked against the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom. The first rule that matches decides what happens to the packet, so place specific rules above more general ones.
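The following Python is an added example, not code from the manual or the device. It models the rule semantics described above: an ordered table checked top to bottom, first match wins, the four schedule-qualified actions from the Outbound Services table, and the two default rules at the bottom. The field names, the service names ("AIM", "FTP", "HTTP"), the sample addresses and the working-hours schedule are this example's own assumptions.

```python
"""Added example, not NETGEAR code: first-match evaluation of a firewall rule table.

Models the rule semantics described in this chapter: rules are tried top to
bottom, the first match decides, and the two default rules sit at the bottom
(inbound: block everything that is not a reply to a LAN request; outbound:
allow everything). "BLOCK by schedule, otherwise Allow" and its mirror are
modelled with a weekday/hour window. Field names, service names and the
sample addresses are this example's assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class Schedule:
    days: frozenset          # weekday numbers, 0 = Monday ... 6 = Sunday
    start_hour: int          # inclusive; 0 with end_hour 24 means "All Day"
    end_hour: int            # exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass
class Rule:
    name: str
    service: str                        # "HTTP", "AIM", ... or "ANY"
    action: str                         # one of the four actions in the Outbound Services table
    src: Optional[str] = None           # None matches any source address
    schedule: Optional[Schedule] = None

    def matches(self, service: str, src: str) -> bool:
        return self.service in ("ANY", service) and self.src in (None, src)

    def decide(self, when: datetime) -> str:
        on = self.schedule is not None and self.schedule.active(when)
        return {
            "BLOCK always": "BLOCK",
            "ALLOW always": "ALLOW",
            "BLOCK by schedule": "BLOCK" if on else "ALLOW",
            "ALLOW by schedule": "ALLOW" if on else "BLOCK",
        }[self.action]


def evaluate(rules: List[Rule], direction: str, service: str, src: str,
             when, is_reply: bool = False) -> Tuple[str, str]:
    """Return (decision, name of the rule that decided).

    `rules` is the ordered table for one direction; `when` is a datetime or an
    ISO 8601 string; `is_reply` marks inbound traffic that answers a LAN request.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for rule in rules:                      # top of the table first
        if rule.matches(service, src):
            return rule.decide(when), rule.name
    if direction == "inbound":              # default inbound rule
        return ("ALLOW" if is_reply else "BLOCK"), "default-inbound"
    return "ALLOW", "default-outbound"      # default outbound rule


# Constructed sample table: block IM during working hours, keep one kiosk off FTP.
WORKING_HOURS = Schedule(days=frozenset(range(5)), start_hour=9, end_hour=17)
OUTBOUND = [
    Rule("no-IM-at-work", "AIM", "BLOCK by schedule", schedule=WORKING_HOURS),
    Rule("no-ftp-from-kiosk", "FTP", "BLOCK always", src="192.168.1.50"),
]
INBOUND = [
    Rule("web-server", "HTTP", "ALLOW always"),
]

if __name__ == "__main__":
    for args in [("AIM", "192.168.1.10", "2005-01-03T12:00"),   # Monday noon
                 ("AIM", "192.168.1.10", "2005-01-08T12:00"),   # Saturday noon
                 ("FTP", "192.168.1.50", "2005-01-03T12:00")]:
        print(args, evaluate(OUTBOUND, "outbound", *args))
```

Because the kiosk rule names a single source address, it never affects other PCs; FTP from any other LAN address falls through to the default outbound rule and is allowed, which is the behaviour the note under the Action field describes.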
• Page 95
Although the FVX538 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add services and applications to the list for use in defining firewall rules.
• Page 96: Quality of Service (QoS) Priorities
Click Apply. The new service now appears in the Services menu and in the Service name selection box in the Rules menu.
Quality of Service (QoS) Priorities
This setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall.
• Page 97
Example 1 (priority unchanged): If the native ToS setting for a service is 3 and the NETGEAR QoS setting for this service is None, the traffic for this service is placed in the queue that handles priority 3 traffic.
• Page 98: Managing Groups and Hosts
Managing Groups and Hosts
The Network Database is an automatically maintained list of all known PCs and network devices. PCs and devices become known by the following methods:
• DHCP Client Requests—By default, the DHCP server in this router is enabled, and it accepts and responds to DHCP client requests from PCs and other network devices.
• Page 99
Figure 6-13: Groups and Hosts screens
• Page 100: Using a Schedule to Block or Allow Specific Traffic
Table 6-3. Groups and hosts
Known PCs and Devices: This table lists all current entries in the Network Database. For each PC or device, the following data is displayed.
• ...
• Page 101
Figure 6-14: Schedule menu
To invoke rules and block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day.
• Page 102: Time Zone
... VPN firewall's content and Web component filtering feature. By default, this feature is disabled; all requested traffic from any Web site is allowed. When users try to access a blocked site, they get the message: Blocked by NETGEAR.
• ...
• Page 103
The Block Sites menu is shown in Figure 6-15.
Figure 6-15: Block Sites menu
• Page 104
• In the Trusted Domains box, enter the exact domain name for which URL keyword filtering is to be bypassed. Example: enter www.netgear.com to bypass URL keyword filtering for that host. Domains in this list are allowed without keyword filtering; Web component filtering still applies. Because the match is exact, trusting www.netgear.com does not extend to netgear.com or to other hosts in that domain.
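As an added example (not the device's code), the following Python reproduces the Block Sites decision described above: a request is blocked when a configured keyword appears in its URL, unless its host exactly matches a trusted domain, and the filter can be disabled as a whole, which is the default. The keyword list and the sample URLs are constructed for the example; the blocked-page text is the one the manual quotes.

```python
"""Added example, not NETGEAR code: URL keyword blocking with a trusted-domain bypass.

Mirrors the Block Sites behaviour described in this chapter: a request is
blocked when any configured keyword appears in its URL, unless the request's
host exactly matches an entry in the trusted domains list (www.netgear.com
trusts that host only, not netgear.com or ftp.netgear.com). The blocked-page
text is the device's; the keyword list, sample URLs and class names are this
example's own.
"""
from typing import Iterable, Tuple
from urllib.parse import urlsplit

BLOCKED_MESSAGE = "Blocked by NETGEAR"


class BlockSites:
    def __init__(self, keywords: Iterable[str], trusted_domains: Iterable[str], enabled: bool = False):
        self.enabled = enabled                       # disabled by default, as on the device
        self.keywords = [k.lower() for k in keywords if k]
        # Exact host match: normalise case and a trailing dot only, no suffix matching.
        self.trusted = {d.lower().rstrip(".") for d in trusted_domains if d}

    @staticmethod
    def host_of(url: str) -> str:
        """Host part of the URL, lower-cased; ignores userinfo and port."""
        return (urlsplit(url).hostname or "").lower().rstrip(".")

    def check(self, url: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for a request URL."""
        if not self.enabled:
            return True, "filter disabled"
        host = self.host_of(url)
        if host in self.trusted:
            return True, f"trusted domain {host}"
        hit = next((k for k in self.keywords if k in url.lower()), None)
        if hit is not None:
            return False, f"{BLOCKED_MESSAGE} (keyword {hit!r})"
        return True, "no keyword match"


if __name__ == "__main__":
    f = BlockSites(keywords=["casino", "games"], trusted_domains=["www.netgear.com"], enabled=True)
    for url in ["http://www.example.com/online-casino",
                "http://www.netgear.com/games/",
                "http://netgear.com/games/"]:
        print(url, f.check(url))
```

Note that the keyword test runs over the whole URL, so a keyword also matches inside the host name; keep keywords specific enough that ordinary sites do not trip them.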
• Page 105: Source MAC Filtering
Source MAC Filtering
The Source MAC Filter drops Internet-bound traffic received from PCs with the specified MAC addresses.
• By default, the source MAC address filter is disabled, and traffic from PCs with any MAC address is allowed. A MAC address is set by the PC's network driver and can be changed by its user, so treat this filter as a convenience control rather than as a security boundary.
• Page 106: Port Triggering
Table 6-5. Source MAC address filter
Activation:
• Enable the source MAC filter by ticking the check box.
• Press APPLY.
• Add the MAC addresses from which traffic should be dropped by clicking the ADD button.
• Page 107
• After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the router cannot be sure when the application has terminated.
• Page 108: Getting E-Mail Notifications of Event Logs and Alerts
Table 6-6. Port Triggering
Port Triggering Rules:
• Enable: Indicates whether the rule is enabled or disabled. Generally there is no need to disable a rule unless it interferes with some other function such as port forwarding.
• ...
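The port triggering behaviour described on the preceding pages, as an added Python model that is not code from the manual or the device: outbound traffic on a rule's trigger port binds the rule to that LAN PC and opens its incoming ports towards it, a second PC cannot take the rule until the first PC's time-out has elapsed, and unsolicited inbound traffic is only forwarded while a rule is bound. The port numbers, the 300-second time-out and the sample addresses are this example's assumptions.

```python
"""Added example, not NETGEAR code: port triggering as a small state model.

Follows the behaviour described in this chapter: when a LAN PC sends outbound
traffic on a rule's trigger port, the rule's incoming ports are opened and
forwarded to that PC; while open, the rule is bound to that one PC; after the
PC stops using it, a time-out must elapse before the rule is free for another
PC, because the router cannot tell when the application has terminated.
Port numbers, the time-out value and the addresses are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class TriggerRule:
    name: str
    trigger_port: int              # outbound destination port that opens the rule
    incoming_ports: frozenset      # inbound ports forwarded while the rule is open
    timeout: int = 300             # seconds of inactivity before the rule is released
    enabled: bool = True
    owner: Optional[str] = None    # LAN IP currently bound to the rule
    last_seen: float = 0.0         # time of the last packet that used the rule


class PortTriggering:
    def __init__(self, rules: Iterable[TriggerRule]):
        self.rules = {r.name: r for r in rules}

    def _expire(self, now: float) -> None:
        """Release rules whose owner has been idle for the full time-out."""
        for r in self.rules.values():
            if r.owner is not None and now - r.last_seen >= r.timeout:
                r.owner, r.last_seen = None, 0.0

    def outbound(self, src_ip: str, dst_port: int, now: float) -> Optional[str]:
        """LAN PC src_ip sends to dst_port. Return the rule it triggered, or None."""
        self._expire(now)
        for r in self.rules.values():
            if r.enabled and r.trigger_port == dst_port:
                if r.owner in (None, src_ip):
                    r.owner, r.last_seen = src_ip, now
                    return r.name
                return None            # bound to another PC until its time-out
        return None

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Unsolicited inbound packet to dst_port. Return the LAN IP to forward to, or None."""
        self._expire(now)
        for r in self.rules.values():
            if r.enabled and r.owner is not None and dst_port in r.incoming_ports:
                r.last_seen = now
                return r.owner
        return None                    # no open rule: the default inbound rule blocks it

    def status(self) -> Dict[str, Optional[str]]:
        """Rule name -> LAN IP currently using it (the Port Triggering Status table)."""
        return {name: r.owner for name, r in self.rules.items()}


if __name__ == "__main__":
    pt = PortTriggering([TriggerRule("voice", 6000, frozenset({6001, 6002}))])
    print(pt.inbound(6001, now=0))                        # None: nothing triggered yet
    print(pt.outbound("192.168.1.10", 6000, now=10))      # 'voice'
    print(pt.inbound(6001, now=20), pt.status())          # forwarded to 192.168.1.10
```

Disabling a rule (enabled=False) simply takes it out of both lookups, which is the case the table describes for a rule that interferes with a port forwarding rule on the same ports.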
• Page 109
Figure 6-18: Logs and E-mail screens
Click the View Log button to view the log messages generated by the router.
• In the View Log window, to delete all log entries, click Clear Log.
• ...
• Page 110
Items to include in the log:
• Use these check boxes to determine which events are included in the log. Selecting all events increases the size of the log, so it is good practice to disable any events that are not really required. Keep the events you would need to reconstruct an incident, such as blocked inbound attempts and login failures, even though they make the log grow.
• Page 111: Syslog
• In the Log Threshold Time box, set the log threshold time.
• In the Alert Queue Length box, set the alert queue length.
Click Apply to have your changes take effect.
Syslog
You can configure the firewall to send system logs to an external PC running a syslog logging program. Syslog messages are sent unauthenticated and unencrypted, so place the syslog server on the LAN side of the firewall rather than across the Internet.
• Page 112
Figure 6-19: Firewall Logs menu
Table 6-7. Log entry descriptions
Date and Time: The date and time the log entry was recorded.
Description or Action: The type of event and what action was taken, if any.
Source IP: The IP address of the initiating device for this log entry.
• Page 113: Administrator Information
Table 6-7. Log entry descriptions (continued)
Source port and interface: The service port number of the initiating device, and whether it originated from the LAN or WAN.
Destination: The name or IP address of the destination device or website.
Destination port and interface: The service port number of the destination device, and whether it is on the...
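The Syslog and log-entry material above, as an added receiver-side example that is not code from the manual or the device. The manual names the fields of a log entry but not the text layout the firewall uses when it forwards them, so the message body format here (and every sample line) is constructed for the example and must be adapted to what your unit actually sends; only the `<PRI>` header decoding follows a standard (RFC 3164).

```python
"""Added example, not NETGEAR code: receiver-side parsing of forwarded syslog lines.

The manual says the firewall can send its logs to a syslog server and lists
the fields of a log entry (date and time, description or action, source IP,
source port and interface, destination, destination port and interface) but
not the exact text layout, so the message body format below is this
example's own construction; adjust BODY_RE to what your unit actually sends.
The <PRI> header is decoded as defined by RFC 3164 (PRI = facility * 8 + severity).
"""
import re
from collections import Counter
from typing import Iterable, List, Optional

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 line: <PRI>TIMESTAMP HOSTNAME MSG
PRI_RE = re.compile(r"^<(\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")
# Constructed body layout for this example: "<Action> <PROTO> src=IP:port(IF) dst=IP:port(IF)"
BODY_RE = re.compile(
    r"^(?P<desc>\w+) (?P<proto>TCP|UDP|ICMP) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+)\((?P<sif>LAN|WAN)\) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+)\((?P<dif>LAN|WAN)\)$"
)


def parse(line: str) -> Optional[dict]:
    """Return a dict of fields, or None if the line is not a syslog line we understand."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # facility 0..23, severity 0..7
        return None
    rec = {"facility": pri // 8, "severity": SEVERITY[pri % 8],
           "timestamp": m.group("ts"), "host": m.group("host")}
    body = BODY_RE.match(m.group("body"))
    if body:                            # Table 6-7 fields, when the body follows our layout
        rec.update(body.groupdict())
    return rec


def summarize(lines: Iterable[str]) -> Counter:
    """Count parsed records by (description, severity), e.g. to spot a burst of drops."""
    counts: Counter = Counter()
    for rec in filter(None, map(parse, lines)):
        counts[(rec.get("desc"), rec["severity"])] += 1
    return counts


def dropped_from(lines: Iterable[str], src_ip: str) -> List[int]:
    """Destination ports on which src_ip was dropped, in order (a quick port-scan indicator)."""
    return [int(r["dport"]) for r in filter(None, map(parse, lines))
            if r.get("desc") == "Dropped" and r.get("sip") == src_ip]


SAMPLE = [  # constructed lines, not captured from a device
    "<12>Jan  3 12:00:01 fvx538 Dropped TCP src=10.1.0.9:4431(WAN) dst=192.168.1.2:23(LAN)",
    "<14>Jan  3 12:00:05 fvx538 Allowed TCP src=192.168.1.10:3210(LAN) dst=10.1.0.52:80(WAN)",
    "<12>Jan  3 12:00:07 fvx538 Dropped TCP src=10.1.0.9:4432(WAN) dst=192.168.1.2:22(LAN)",
    "not a syslog line",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse(line))
    print(summarize(SAMPLE))
    print("10.1.0.9 was dropped on ports", dropped_from(SAMPLE, "10.1.0.9"))
```

A line the body regex does not recognise still yields the facility, severity, timestamp and host, so nothing is silently discarded; only lines without a valid `<PRI>` header are dropped.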
• Page 114
• Page 115: Virtual Private Networking
Chapter 7: Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FVX538 VPN firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.
• Page 116: Fully Qualified Domain Names
Figure 7-1 shows the setup screens for the selected WAN mode. This setup is accomplished in "Step 4: Configure the WAN Mode (Required for Dual WAN)" on page 4-15.
Figure 7-1: WAN Mode Setup screens (Rollover Mode Setup screen; Load Balancing Mode Setup screen)
Fully Qualified Domain Names...
• Page 117
See "Step 5: Configure Dynamic DNS (If Needed)" on page 4-20 for how to select and configure the Dynamic DNS service.
[Figure: FVX538 functional block diagram showing the WAN 1 port, the rest of the FVX538 firewall, and the Internet]
• Page 118
[Figure: FVX538 functional block diagram showing the WAN 1 and WAN 2 ports feeding the load balancing control functions of the firewall and the Internet. Callouts: FQDN required (dynamic IP addresses); FQDN optional (static IP addresses); Dynamic DNS screens: FQDN setup for the WAN1 port, Select Dynamic DNS service]
• Page 119: Creating a VPN Connection: Between FVX538 and FVS338
Creating a VPN Connection: Between FVX538 and FVS338
This section describes how to configure a VPN connection between a NETGEAR FVX538 VPN Firewall and a NETGEAR FVS338 VPN Firewall. Using each firewall's VPN Wizard, we create a set of policies (IKE and VPN) that allow the two firewalls to connect from locations with fixed IP addresses.
• Page 120
Click Next. Enter the WAN IP address of the remote FVS338. Click WAN1 to bind this connection to the WAN1 port.
Figure 7-5: WAN IP address of remote FVS338
Click Next. Enter the LAN IP address and subnet mask of the remote FVS338.
• Page 121
Click Done to create the 'to_fvs' IKE and VPN policies. In the IKE Policies menu, the 'to_fvs' IKE policy appears in the table.
Figure 7-7: IKE Policies
You can view the IKE parameters by selecting 'to_fvs' and clicking Edit. It should not be necessary to make any changes.
• Page 122
In the VPN Policies menu, the 'to_fvs' VPN policy appears in the table.
Figure 7-9: FVX538 VPN Policies screen
• Page 123: Configuring the FVS338
You can view the VPN parameters by selecting 'to_fvs' and clicking Edit. It should not be necessary to make any changes.
Figure 7-10: FVX538-to-FVS338 VPN screen
Configuring the FVS338
Select the VPN Wizard. Give the client connection a name, such as to_fvx.
• Page 124
Select 'a remote VPN gateway'.
Figure 7-11: VPN Wizard start page
Click Next. Enter the WAN IP address of the remote FVX538.
Figure 7-12: WAN IP address of remote FVX538
Click Next.
• Page 125: Testing the Connection
... PCs are to be connected, an additional policy or policies must be created. Each PC uses Netgear's VPN Client. Since the PC's IP address is assumed to be unknown, the PC must always be the initiator of the connection.
• Page 126: Configuring the FVX538
This procedure was developed and tested using:
• Netgear FVX538 ProSafe VPN Firewall 200 with version 1.6.11 firmware
• Netgear VPN Client version 10.3.5 (Build 6)
• NAT router: Netgear FR114P with version 1.5_09 firmware...
• Page 127
In the upper left of the Policy Editor window, click the New Document icon to open a New Connection.
Figure 7-15: New Client Connection screen
• Page 128
Give the New Connection a name, such as to_FVS.
Figure 7-16: New connection named
In the Remote Party Identity section, select ID Type of IP Subnet. Enter the LAN IP subnet address and subnet mask of the FVX538's LAN. Select 'Connect using Secure Gateway Tunnel'.
• Page 129
For Domain Name, enter 'fvs_local.com' and enter the WAN IP address of the FVX538.
Figure 7-17: Remote client info
In the left frame, click My Identity. Select Certificate = None. Under ID Type, select 'Domain Name'.
• Page 130
Leave Virtual Adapter disabled, and select your computer's network adapter. Your current IP address appears.
Figure 7-18: My Identity screen
Before leaving the My Identity menu, click the Pre-Shared Key button.
• Page 131
Click Enter Key, type your pre-shared key, and click OK. This key is shared by all users of the FVX538 policy "home". Because every remote user holds the same key, a key that leaks from one PC must be changed for all of them; use a long, random key and plan to rotate it.
Figure 7-19: Pre-shared key
In the left frame, click Security Policy.
• Page 132
Select Phase 1 Negotiation Mode = Aggressive Mode. PFS should be disabled, and Replay Detection should be enabled. Note that in IKE aggressive mode the identities and the authentication hash are exchanged before the negotiation is encrypted, so a captured exchange can be used to test candidate pre-shared keys offline; this is one more reason for a long, random key. With PFS disabled, the Phase 2 keys are derived from the Phase 1 secret, so compromise of that secret exposes the tunnel's traffic keys.
Figure 7-20: Client Security Policy screen
• Page 133
In the left frame, expand Authentication and select Proposal 1. Compare with the figure below. No changes should be necessary.
Figure 7-21: Client Authorization screen
• Page 134: Testing the Connection
In the left frame, expand Key Exchange and select Proposal 1. Compare with the figure below. No changes should be necessary.
Figure 7-22: Client Key Exchange screen
In the upper left of the window, click the disk icon to save the policy.
Testing the Connection
Right-click the VPN client icon in your Windows toolbar and select "Connect...", then...
• Page 135
For additional status and troubleshooting information, right-click the VPN client icon in your Windows toolbar and select "Connection Monitor" or "Log Viewer", or view the VPN log and status menu in the FVX538.
Figure 7-23: Client Connection Monitor screen
• Page 136
• Page 137: Router and Network Management
Chapter 8: Router and Network Management
This chapter describes how to use the network management features of your FVX538 ProSafe VPN Firewall 200. These features can be found by clicking the appropriate heading in the Main Menu of the browser interface. The FVX538 offers many tools for managing network traffic to optimize its performance.
• Page 138: VPN Firewall Features That Reduce Traffic
As a result, and depending on the traffic being carried, the WAN side of the firewall is the limiting factor to throughput for most installations. Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the FVX538 VPN firewall.
• Page 139
– Single address: The rule is applied to the address of a particular PC.
– Address range: The rule is applied to a range of addresses.
– Groups: The rule is applied to a group (you use the Network Database to assign PCs to groups; see "Groups and Hosts"...
• Page 140: Block Sites
• Scanning the Network—The local network is scanned using standard methods such as ARP. This detects active devices that are not DHCP clients. However, sometimes the name of the PC or device cannot be determined, and it is shown as Unknown. See "Managing Groups and Hosts"...
• Page 141: Source MAC Filtering
Source MAC Filtering
If you want to reduce outgoing traffic by preventing Internet access by certain PCs on the LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses.
• Page 142
You can also enable a check on special rules:
• VPN Passthrough—Enable this to pass VPN traffic without any filtering. It is used in particular when this firewall sits between two VPN tunnel end points.
• ...
• Page 143: Port Triggering
Port Triggering
Port triggering allows some applications to function correctly that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the application.
• Page 144: VPN Tunnels
VPN Tunnels
The VPN firewall permits up to 200 VPN tunnels at a time. Each tunnel requires extensive processing for encryption and authentication. See Chapter 7, "Virtual Private Networking", for the procedure on how to use this feature.
Using QoS to Shift the Traffic Mix
The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the firewall.
• Page 145: Changing the Passwords and Login Timeout
Changing the Passwords and Login Timeout
The default password for the firewall's Web Configuration Manager is password. Netgear recommends that you change this password to a more secure one. From the main menu of the browser interface, under the Management heading, select Set Password to bring up this menu.
• Page 146
Note: Be sure to change the firewall's default configuration password to a very secure password. The ideal password contains no dictionary words from any language and is a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters.
• Page 147: Command Line Interface
... FVX538.
Command Line Interface
Note: The command line interface is not supported at this time. Check the Netgear Web site for the latest status.
You can access the command line interface (CLI) either by using telnet or by connecting a terminal to the console port on the front of the unit.
• Page 148: Event Alerts
From the command line prompt, enter the following command:
telnet 192.168.1.1
Enter admin and password when prompted for the login and password information (or enter guest and password to log in as a read-only guest). Telnet sends the login and every command in the clear, so use it only from a trusted LAN segment, and change both the admin and the guest default passwords.
Note: No password protection exists when using the console port to access the unit. Physical access to the console port is therefore administrative access; keep the unit in a locked enclosure.
• Page 149: Login Failures and Attacks
Each WAN port is programmed separately. A WAN port shuts down once the traffic limit is reached. An email alert can be sent when this shutdown happens.
Figure 8-3: Traffic Limit Reached alert
Login Failures and Attacks
Figure 8-3 shows the Log screen that is invoked by clicking Logs and Email under Security on...
• Page 150
Figure 8-4: Logs and email screen. Callouts: Select the types of alerts to email; Enable email alerts; Accumulate 64 messages before sending a log email; Wait 24 hours before sending an email; Accumulate 8 messages before sending an alert email.
• Page 151: Monitoring
Monitoring
You can view status information about the firewall, WAN ports, LAN ports, and VPN tunnels, and program SNMP connections.
Viewing VPN Firewall Status and Time Information
Firewall Status
The Router Status menu provides status and usage information. From the main menu of the browser interface, click Management, then select Router Status to view this screen.
• Page 152
Figure 8-5: Router Status screen
• Page 153: Time Information
Table 8-1. Router Status
System Name: This is the Account Name that you entered in the Basic Settings page.
Firmware Version: This is the current software the router is using. It changes if you upgrade your router.
• Page 154
Figure 8-6: Time information on the Schedule screen. Callouts: Automatic adjustment enabled for daylight savings time; Current date and time.
If supported for your region, you can check Automatically adjust for Daylight Savings Time.
• Page 155: WAN Ports
Table 8-1. Current date and time
Use Default NTP Servers (Network Time Protocol): If enabled, the system clock is updated regularly by contacting a default Netgear NTP server on the Internet.
Use Custom NTP Servers: If you prefer to use a particular NTP server, enable this and enter the name or IP address of an NTP server in the Server 1 Name/IP Address field.
• Page 156: Dynamic DNS Status
Dynamic DNS Status
Invoke the Dynamic DNS Status screen from the Dynamic DNS screen by clicking Show Status to see the current DDNS status in a sub-window.
Figure 8-8: Dynamic DNS Status screen
Internet Traffic Information
The Internet Traffic screen provides the following information:
• ...
• Page 157: LAN Ports and Attached Devices
Figure 8-9: Internet Traffic information
LAN Ports and Attached Devices
Known PCs and Devices
The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network.
• Page 158
Figure 8-10: Network Database screen
The Network Database is an automatically maintained list of all known PCs and network devices. PCs and devices become known by the following methods:
• DHCP Client Requests—By default, the DHCP server in this router is enabled, and it accepts and responds to DHCP client requests from PCs and other network devices.
• Page 159: DHCP Log
Note: If the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button.
DHCP Log
You can view the DHCP log.
• Page 160: Firewall
Table 8-1. Port Triggering Status data
Rule: The name of the rule.
LAN IP Address: The IP address of the PC currently using this rule.
Open Ports: The incoming ports associated with this rule. Incoming traffic using one of these ports is sent to the IP address above.
• Page 161
Callouts on the Logs and Email screen: Select the types of logs to email; Enable emailing of logs; Enable system logs; Accumulate 64 messages before sending a log email; Wait 24 hours before sending an email; Accumulate 8 messages before sending an alert email.
• Page 162
Invoke the Firewall Log screen from the Logs and Email screen.
Figure 8-14: Firewall Log screen (invoked from the Logs and Email screen)
• Page 163: VPN Tunnels
VPN Tunnels
You can view the status of the VPN tunnels.
Figure 8-15: VPN Status/Log and IPSec Connection Status screens
Table 8-1. VPN Status data
Policy Name: The name of the VPN policy associated with this SA.
Endpoint: The IP address of the remote VPN endpoint.
• Page 164: SNMP
Table 8-1. VPN Status data (continued)
State: The current status of the SA. Phase 1 is the authentication phase and Phase 2 is the key exchange phase.
Action: Use this button to terminate or build the SA (connection) if required.
SNMP
SNMP lets you monitor and manage log resources from an SNMP-compliant system manager.
• Page 165
... Back to return to the Diagnostics screen.
Perform a DNS Lookup: A DNS (Domain Name Server) converts an Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other server on the Internet, you can do a DNS lookup to find the IP address.
• Page 166: Configuration File Management
This file can be saved (backed up) to a user's PC, retrieved (restored) from the user's PC, or cleared to factory default settings. You can also upgrade the firewall software with the latest version from Netgear. From the Main Menu of the browser interface, under the Management heading, select the Settings Backup heading to bring up the menu shown below. Treat the backup file as sensitive: it carries the device configuration, including the VPN pre-shared keys, so store it where only administrators can read it.
• Page 167: Restoring and Backing Up the Configuration
... NETGEAR. Upgrade files can be downloaded from Netgear's website. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.TRX) file before sending it to the firewall. The upgrade file can be sent to the firewall using your browser.
• Page 168: Erasing the Configuration (Factory Defaults Reset)
Be careful how you use this!
Figure 8-19: Router Upgrade menu
To upload new firmware:
1. Download and unzip the new software file from NETGEAR. Obtain it only from Netgear's website, and back up the configuration first.
2. In the Router Upgrade menu, click the Browse button and browse to the location of the binary image (.IMG) upgrade file.
3. Click Upload.
• Page 169
• To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the front panel of the firewall (see "The Router's Front Panel"...
• Page 170
• Page 171: Troubleshooting
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
• Page 172: LEDs Never Turn Off
LEDs Never Turn Off
When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up:
• ...
• Page 173: Troubleshooting the Web Configuration Interface
Troubleshooting the Web Configuration Interface
If you are unable to access the firewall's Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the firewall as described in the previous section.
• Page 174: Troubleshooting the ISP Connection
... Web Configuration Manager. To check the WAN IP address:
1. Launch your browser and select an external site such as www.netgear.com.
2. Access the Main Menu of the firewall's configuration at http://192.168.1.1.
3. Under the Management heading, select Router Status.
4. Check that an IP address is shown for the WAN port. If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.
• Page 175: Troubleshooting a TCP/IP Network Using a Ping Utility
Configure your firewall to spoof your PC's MAC address. This can be done in the Basic Settings menu. Refer to "Manually Configuring Your Internet Connection" on page 4-12.
If your firewall can obtain an IP address, but your PC is unable to load any web pages from the Internet:
• ...
• Page 176: Testing the Path from Your PC to a Remote Device
If the path is not working, you see this message: Request timed out
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections—...
• Page 177: Restoring the Default Configuration and Password
— Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem.
• Page 178
• Time is off by one hour. Cause: The firewall does not automatically sense Daylight Savings Time. In the E-Mail menu, check or uncheck the box marked "Adjust for Daylight Savings Time".
• Page 179
Appendix A: Technical Specifications
This appendix provides technical specifications for the FVX538 ProSafe VPN Firewall 200.
Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)
Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: ...
  • Page 180 Reference Manual for the ProSafe VPN Firewall 200 FVX538 VCCI Class B EN 55 022 (CISPR 22), Class B Interface Specifications LAN: 10BASE-T or 100BASE-Tx, RJ-45 WAN: 10BASE-T or 100BASE-Tx Technical Specifications January 2005...
  • Page 181: Network, Routing, Firewall, And Basics

    Appendix B Network, Routing, Firewall, and Basics This chapter provides an overview of IP networks, routing, and networking. Related Publications As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
  • Page 182: What Is A Router

    What is a Router? A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network.
  • Page 183 The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network.
  • Page 184: Netmask

    • Class C: Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x.
  • Page 185: Subnet Addressing

    As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a backward slash (/), as “/n.”...
  • Page 186 Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address.
  • Page 187: Private Ip Addresses

    Table 9-2. Netmask Formats: 255.255.255.0, 255.255.255.128, 255.255.255.192, 255.255.255.224, 255.255.255.240, 255.255.255.248, 255.255.255.252, 255.255.255.254, 255.255.255.255. Configure all hosts on a LAN segment to use the same netmask for the following reasons: • So that hosts recognize local IP broadcast packets. When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address.
  • Page 188: Single Ip Address Operation Using Nat

    Single IP Address Operation Using NAT In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router.
  • Page 189: Mac Addresses And Address Resolution Protocol

    This scheme offers the additional benefit of firewall-like protection because the internal LAN addresses are not available to the Internet through the translated connection. All incoming inquiries are filtered out by the router. This filtering can prevent intruders from probing your system.
  • Page 190: Domain Name Server

    Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as...
  • Page 191: What Is A Firewall

    What is a Firewall? A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack.
  • Page 192: Category 5 Cable Quality

    Table B-1. UTP Ethernet cable wiring, straight-through (wire color: signal): Orange/White: Transmit (Tx) +; Orange: Transmit (Tx) -; Green/White: Receive (Rx) +; Blue and Blue/White: no signal listed; Green: Receive (Rx) -; Brown/White and Brown: no signal listed. Category 5 Cable Quality: Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows: 20 ft.
  • Page 193: Inside Twisted Pair Cables

    Inside Twisted Pair Cables For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device.
  • Page 194: Uplink Switches, Crossover Cables, And Mdi/Mdix Switching

    Figure B-3: Category 5 UTP Cable with Male RJ-45 Plug at Each End. Note: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.
  • Page 195 The FVX538 VPN firewall incorporates Auto Uplink technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub).
  • Page 197: Appendix C Preparing Your Network

    Appendix C Preparing Your Network This appendix describes how to prepare your network to connect to the Internet through the FVX538 ProSafe VPN Firewall 200 and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided by your ISP, you may need to copy the current configuration information for use in the configuration of...
  • Page 198: Configuring Windows 95, 98, And Me For Tcp/Ip Networking

    In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address.
  • Page 199 You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks. Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
  • Page 200: Enabling Dhcp To Automatically Configure Tcp/Ip Settings

    If you need Client for Microsoft Networks: click the Add button; select Client, and then click Add; select Microsoft; select Client for Microsoft Networks, and then click OK; restart your PC for the changes to take effect. Enabling DHCP to Automatically Configure TCP/IP Settings After the TCP/IP protocol components are installed, each PC must be assigned specific information about itself and resources that are available on its network.
  • Page 201 Verify the following settings as shown: • Client for Microsoft Networks exists • Ethernet adapter is present • TCP/IP is present • Primary Network Logon is set to Windows logon. Click on the Properties button. The following TCP/IP Properties window will display.
  • Page 202: Selecting Windows' Internet Access Method

    • By default, the IP Address tab is open on this window. • Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the DHCP server to automatically assign an IP address.
  • Page 203: Configuring Windows Nt4, 2000 Or Xp For Ip Networking

    From the drop-down box, select your Ethernet adapter. The window is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: •...
  • Page 204: Enabling Dhcp To Automatically Configure Tcp/Ip Settings

    Enabling DHCP to Automatically Configure TCP/IP Settings You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.
  • Page 205 • Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics. • Administrator logon access rights are needed to use this window.
  • Page 206: Dhcp Configuration Of Tcp/Ip In Windows 2000

    • Verify that the Obtain an IP address automatically radio button is selected. • Verify that the Obtain DNS server address automatically radio button is selected. • Click the OK button. This completes the DHCP configuration of TCP/IP in Windows XP.
  • Page 207 • Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections. • Right click on Local Area Connection and select Properties. •...
  • Page 208 • With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialog box. • Verify that • Obtain an IP address automatically is selected. • Obtain DNS server address automatically is selected.
  • Page 209: Dhcp Configuration Of Tcp/Ip In Windows Nt4

    DHCP Configuration of TCP/IP in Windows NT4 Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0. •...
  • Page 210 • Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
  • Page 211: Verifying Tcp/Ip Properties For Windows Xp, 2000, And Nt4

    Type ipconfig /all. Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: • The IP address is between 192.168.0.2 and 192.168.0.254 •...
  • Page 212: Configuring The Macintosh For Tcp/Ip Networking

    • The default gateway is 192.168.1.1. Type exit. Configuring the Macintosh for TCP/IP Networking Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP. MacOS 8.6 or 9.x From the Apple menu, select Control Panels, then TCP/IP.
  • Page 213: Verifying Tcp/Ip Properties For Macintosh Computers

    TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: •...
  • Page 214: Verifying The Readiness Of Your Internet Account

    Verifying the Readiness of Your Internet Account For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer.
  • Page 215: Obtaining Isp Configuration Information For Windows Computers

    • An IP address and subnet mask • A gateway IP address, which is the address of the ISP’s router • One or more domain name server (DNS) IP addresses • Host name and domain suffix For example, your account’s full server names may look like this: mail.xxx.yyy.com...
  • Page 216: Obtaining Isp Configuration Information For Macintosh Computers

    If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address. Select the DNS Configuration tab. If any DNS server addresses are shown, write down the addresses.
  • Page 217: Restarting The Network

    Restarting the Network Once you’ve set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the FVX538 VPN firewall.
  • Page 219: Virtual Private Networking

    Appendix D Virtual Private Networking There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available, standards-based protocols developed for transporting data.
  • Page 220: What Is Ipsec And How Does It Work

    • Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.
  • Page 221: Encapsulating Security Payload (ESP)

    • Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity. • Authentication Header (AH): Provides authentication and integrity. • Internet Key Exchange (IKE): Provides key management and Security Association (SA) management. Encapsulating Security Payload (ESP) ESP provides authentication, integrity, and confidentiality, which protect against data tampering and, most importantly, provide message content protection.
  • Page 222: Authentication Header (AH)

    The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
  • Page 223: Mode

    Mode SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection.
  • Page 224: Key Management

    This TechNote provides case studies on how to configure secure IPSec VPN tunnels. This document assumes the reader has a working knowledge of NETGEAR management systems. NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability. The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard.
  • Page 225: Vpn Process Overview

    VPN Process Overview Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
  • Page 226: Firewalls

    It is also important to make sure the addresses do not overlap or conflict. That is, each set of addresses should be separate and distinct. Table 9-1. WAN (Internet/Public) and LAN (Internal/Private) Addressing Gateway LAN or WAN VPNC Example Address...
  • Page 227 Figure 9-8: VPN Tunnel SA (VPN Gateway A, VPN Tunnel, VPN Gateway B). The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
  • Page 228: Vpnc Ike Security Parameters

    IKE Phase I. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates. A shared master key is generated by the Diffie-Hellman public key algorithm within the IKE framework for the two parties.
  • Page 229: Vpnc Ike Phase Ii Parameters

    LAN-side of the other gateway. You can troubleshoot connections using the VPN status and log details on the Netgear gateway to determine if IKE negotiation is working. Common problems encountered in setting up VPNs include: •...
  • Page 230 • [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981. • [RFC 1058] Routing Information Protocol, C Hedrick, Rutgers University, June 1988. • [RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen, Telecom Finland, July 1993.
  • Page 231: Glossary List Of Glossary Terms

    Glossary List of Glossary Terms Use the list below to find definitions for technical terms used in this manual. Numeric 10BASE-T IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring. 100BASE-Tx IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring. 802.1x 802.1x defines port-based, network access control used to provide authenticated network access and automated data encryption key management.
  • Page 232 Access Control List (ACL) An ACL is a database that an Operating System uses to track each user’s access rights to system objects (such as file directories and/or files). Ad-hoc Mode An 802.11 networking framework in which devices or stations communicate directly with each other, without the use of an access point (AP).
  • Page 233 Broadcast A packet sent to all devices on a network. Class of Service A term to describe treating different types of traffic with different levels of service priority. Higher priority traffic gets faster treatment during times of switch congestion. A Certificate Authority is a trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs.
  • Page 234 .com, .edu, .uk, etc. For example, in the address mail.NETGEAR.com, mail is a server name and NETGEAR.com is the domain. Short for digital subscriber line, but is commonly used in reference to the asymmetric version of this technology (ADSL) that allows data to be sent over existing copper telephone lines at data rates of from 1.5...
  • Page 235 the AP for proof of identity, which the AP gets from the user and then sends back to the server to complete the authentication. EAP is defined by RFC 2284. ESSID The Extended Service Set Identification (ESSID) is a thirty-two character (maximum) alphanumeric key identifying the wireless local area network.
  • Page 236 BSSs that form a single subnetwork. Most corporate wireless LANs operate in infrastructure mode because they require access to the wired LAN in order to use services such as file servers or printers. Internet Control Message Protocol ICMP is an extension to the Internet Protocol (IP) that supports packets containing error, control, and informational messages.
  • Page 237 See “Local Area Network” Local Area Network A communications network serving users within a limited area, such as one floor of a building. A LAN typically connects multiple personal computers and shared network devices such as storage and printers. Although many technologies exist to implement a LAN, Ethernet is the most common for connecting personal computers and is limited to a distance of 1,500 feet.
  • Page 238 router, or access point, the perspective is reversed, and the hub receives on pins 1 and 2. This wiring is referred to as Media Dependent Interface - Crossover (MDI-X). The size in bytes of the largest packet that can be sent or received. packet A block of information sent over a network.
  • Page 239 PSTN Public Switched Telephone Network. See “Quality of Service” Quality of Service QoS is a networking term that specifies a guaranteed level of throughput. Throughput is the amount of data transferred from one device to another or processed in a specified amount of time - typically, throughputs are measured in bytes per second (Bps).
  • Page 240

    Segment A section of a LAN that is connected to the rest of the network using a switch, bridge, or repeater. Subnet Mask Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
  • Page 241 Wired Equivalent Privacy is a data encryption protocol for 802.11b wireless networks. All wireless nodes and access points on the network are configured with a 64-bit or 128-bit Shared Key for data encryption. Wide Area Network A WAN is a computer network that spans a relatively large geographical area.
