NETGEAR ProSafe FVS338 Reference Manual

Reference Manual for the
ProSafe VPN Firewall 50
FVS338
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
202-10046-01
Version 1.0
January 2005

Summary of Contents for NETGEAR ProSafe FVS338

  • Page 2 In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Certificate of the Manufacturer/Importer It is hereby certified that the FVS338 ProSafe VPN Firewall 50 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions.
  • Page 4 Reference Manual for the ProSafe VPN Firewall 50 FVS338 OpenSSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
  • Page 5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
  • Page 6 Reference Manual for the ProSafe VPN Firewall 50 FVS338 Product and Publication Details: Model Number: FVS338; Publication Date: January 2005; Product Family: Router; Product Name: FVS338 ProSafe VPN Firewall 50; Home or Business Product: Business; Language: English.
  • Page 7: Table Of Contents

    Easy Installation and Management ...2-4 Maintenance and Support ...2-5 Package Contents ...2-5 The Router’s Front Panel ...2-6 The Router’s Rear Panel ...2-7 The Router’s IP Address, Login Name, and Password ...2-8 Default Factory Settings ...2-9 NETGEAR Related Products ...2-9 Chapter 3 Network Planning Overview of the Planning Process ...3-1...
  • Page 8 VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case) ...3-8 VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved System Reliability VPN Telecommuter (Client-to-Gateway Through a NAT Router) ...3-10 VPN Telecommuter: Single Gateway WAN Port (Reference Case) ... 3-11 VPN Telecommuter: Dual Gateway WAN Ports for Improved System Reliability 3-11...
  • Page 9 Configure the WAN Options (If Needed) ...4-18 Chapter 5 Serial Port Configuration Configuring a Serial Port Modem ...5-1 Basic Requirements for Serial Port Modem Configuration ...5-1 How to Configure a Serial Port Modem ...5-2 Configuring Auto-Rollover ...5-3 Basic Requirements for Auto-Rollover ...5-3 How to Configure Auto-Rollover ...5-3 Chapter 6 LAN Configuration...
  • Page 10 Creating a VPN Connection: Between FVX538 and FVS338 ...8-1 Configuring the FVX538 ...8-2 Configuring the FVS338 ...8-6 Testing the Connection ...8-8 Creating a VPN Connection: Netgear VPN Client to FVS338 ...8-8 Configuring the FVS338 ...8-9 Configuring the VPN Client ...8-9 Testing the Connection ...8-17...
  • Page 11 Traffic Limits Reached ... 9-11 Login Failures and Attacks ...9-12 Monitoring ...9-14 Viewing VPN Firewall Status and Time Information ...9-14 Firewall Status ...9-14 Time Information ...9-16 WAN Ports ...9-18 WAN Port Connection Status ...9-18 Dynamic DNS Status ...9-19 Internet Traffic Information ...9-19 LAN Ports and Attached Devices ...9-20 Known PCs and Devices ...9-20 DHCP Log ...9-22...
  • Page 12 Appendix B Network, Routing, Firewall, and Basics Related Publications ... B-1 Basic Router Concepts ... B-1 What is a Router? ... B-2 Routing Information Protocol ... B-2 IP Addresses and the Internet ... B-2 Netmask ... B-4 Subnet Addressing ... B-5 Private IP Addresses ...
  • Page 13 Enabling DHCP to Automatically Configure TCP/IP Settings ... C-8 DHCP Configuration of TCP/IP in Windows XP ... C-8 DHCP Configuration of TCP/IP in Windows 2000 ... C-10 DHCP Configuration of TCP/IP in Windows NT4 ... C-13 Verifying TCP/IP Properties for Windows XP, 2000, and NT4 ... C-15 Configuring the Macintosh for TCP/IP Networking ...
  • Page 14 Reference Manual for the ProSafe VPN Firewall 50 FVS338 Testing and Troubleshooting ... D-11 Additional Reading ... D-11 Glossary List of Glossary Terms ...Glossary-1 Numeric ...Glossary-1 A ...Glossary-2 B ...Glossary-2 C ...Glossary-3 D ...Glossary-3 E ...Glossary-4 G ...Glossary-5 I ...Glossary-5 L ...Glossary-7 M ...Glossary-7 P ...Glossary-8...
  • Page 15: About This Manual

    This manual is written for the FVS338 VPN firewall according to these specifications: Table 1-2. Manual Scope (Product, Version, Manual Publication Date). Note: Product updates are available on the NETGEAR, Inc. Web site at http://kbserver.netgear.com/products/FVS338.asp. About This Manual FVS338 ProSafe VPN Firewall 50...
  • Page 16: How To Use This Manual

    • button to access the full NETGEAR, Inc. online knowledge base for the product model. • Links to PDF versions of the full manual and individual chapters.
  • Page 17: How To Print This Manual

    How to Print this Manual To print this manual you can choose one of the following several options, according to your needs. • Printing a Page in the HTML View. Each page in the HTML version of the manual is dedicated to a major topic. Use the Print button on the browser toolbar to print the page contents.
  • Page 19: Introduction

    This chapter describes the features of the NETGEAR FVS338 ProSafe VPN Firewall 50. Key Features of the VPN Firewall The FVS338 ProSafe VPN Firewall 50 with 8 port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem.
  • Page 20: Full Routing On Both The Broadband And Serial Wan Ports

    Reference Manual for the ProSafe VPN Firewall 50 FVS338 • SNMP for manageability. • Front panel LEDs for easy monitoring of status and activity. • Flash memory for firmware upgrade. Full Routing on Both the Broadband and Serial WAN Ports You can install, configure, and operate the FVS338 to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including: •...
  • Page 21: Security

    Security The FVS338 VPN firewall is equipped with several features designed to maintain security, as described in this section. • PCs Hidden by NAT NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN.
  • Page 22: Easy Installation And Management

    • VPN Wizard The FVS338 VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
  • Page 23: Maintenance And Support

    The FVS338 VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the FVS338 VPN firewall: • Flash memory for firmware upgrade •...
  • Page 24: The Router's Front Panel

    • Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. Router’s Front Panel The FVS338 ProSafe VPN Firewall 50 front panel shown below contains the status LEDs.
  • Page 25: The Router's Rear Panel

    Local LEDs: Link/Act LED On (Green), Blinking (Green); 100 LED On (Green). The Router’s Rear Panel: The rear panel of the FVS338 ProSafe VPN Firewall 50 contains the connections, modem connector, factory defaults button, On/Off switch, and DC power connection. MODEM FACTORY DEFAULTS...
  • Page 26: The Router's Ip Address, Login Name, And Password

    • On/Off switch • DC power in (12 VDC, 1.2A) The Router’s IP Address, Login Name, and Password Check the label on the bottom of the FVS338’s enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN •...
  • Page 27: Default Factory Settings

    Password (case sensitive); Built-in DHCP server; IP Configuration; Time Zone; Adjust for Daylight Saving Time. NETGEAR Related Products: NETGEAR products related to the FVS338 ProSafe VPN Firewall 50 are as follows: • FA311 10/100 PCI Adapter • FA511 10/100 32-bit CardBus Adapter •...
  • Page 28 Reference Manual for the ProSafe VPN Firewall 50 FVS338 • VPN01L and VPN05L ProSafe VPN Client Software • WG302 ProSafe 802.11g Access Point 2-10 January 2005 Introduction...
  • Page 29: Network Planning

    A virtual private network (VPN) tunnel provides a secure communication channel between either two gateway VPN routers or between a remote PC client and gateway VPN router. As a result, the IP address of at least one of the tunnel end points must be known in advance in order for the other tunnel end point to establish (or re-establish) the VPN tunnel.
  • Page 30: The Fail-Over Case For Routers With Dual Wan Ports

    Rules menu. Instead of discarding this traffic, you can have it forwarded to one or more LAN hosts on your network. These LAN hosts are called exposed hosts. The addressing of the router’s dual WAN port depends on the configuration being implemented:...
  • Page 31: Single Exposed Host

    PSTN service so that the failover to a serial connection would be as seamless as possible. Single Exposed Host The Internet IP address of the router’s WAN port must be public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled.
  • Page 32: Multiple Exposed Hosts

    Figure 3-3: Dual WAN port case with exposed host, before and after failover Multiple Exposed Hosts The IP address range of the router’s WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.
  • Page 33: Virtual Private Networks (Vpns)

    Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the router’s dual WAN port depends on the configuration being implemented: Table 3-1.
  • Page 34: Vpn Road Warrior (Client-To-Gateway)

    IP address of active WAN port changes after a failover (use of fully-qualified domain names always required) Figure 3-5: Dual gateway WAN ports before and after failover VPN Road Warrior (Client-to-Gateway) The following situations exemplify the requirements for a remote PC client with no router to establish a VPN tunnel with a gateway VPN router: •...
  • Page 35: Vpn Road Warrior: Dual Gateway Wan Ports For Improved System Reliability

    VPN Road Warrior: Dual Gateway WAN Ports for Improved System Reliability In the case of the dual WAN ports on the gateway VPN router, the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote PC client is not known in advance.
  • Page 36: Vpn Gateway-To-Gateway

    The purpose of the fully-qualified domain name in this case is to toggle the domain name of the gateway router between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.
  • Page 37 VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved System Reliability In the case of dual WAN ports on the gateway VPN routers, the WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to balance the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance.
  • Page 38: Vpn Telecommuter (Client-To-Gateway Through A Nat Router)

    NAT router for budgetary reasons. The following situations exemplify the requirements for a remote PC client connected to the Internet with a dynamic IP address through a NAT router to establish a VPN tunnel with a gateway VPN router at the company office: •...
  • Page 39: Vpn Telecommuter: Single Gateway Wan Port (Reference Case)

    In the case of the single WAN port on the gateway VPN router, the remote PC client behind the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder.
  • Page 40 The purpose of the fully-qualified domain name in this case is to toggle the domain name of the gateway router between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.
  • Page 41: Connecting The Fvs338 To The Internet

    Connecting the FVS338 to the Internet This chapter describes how to set up the firewall on your Local Area Network (LAN) and connect to the Internet. You can perform basic configuration of your FVS338 ProSafe VPN Firewall 50 using the Setup Wizard, or manually configure your Internet connection. What You Will Need Before You Begin You need to prepare these three things before you can connect your VPN firewall to the Internet: A computer properly connected to the VPN firewall as explained below.
  • Page 42: Internet Configuration Requirements

    For Macintosh computers, open the TCP/IP or Network control panel. • You may also refer to the FVS338 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below according to the instructions in Information”...
  • Page 43: Worksheet For Recording Your Internet Connection Information

    Worksheet for Recording Your Internet Connection Information Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs.
  • Page 44: Connecting The Fvs338 To Your Lan

    Connect the Ethernet cable (B) which came with the VPN firewall from a Local port on the router to your computer. Note: The FVS338 VPN firewall incorporates Auto Uplink technology: each Local port will automatically sense whether the cable plugged into the port should have a 'normal' connection (e.g.
  • Page 45 2. Log in to the FVS338. Note: To connect to the VPN firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. Please refer to for instructions on how to do this. Turn on the VPN firewall and wait for the TEST light to stop blinking. Now, turn on your computer.
  • Page 46 Reference Manual for the ProSafe VPN Firewall 50 FVS338 Connect to the Internet. Figure 4-1: Setup Wizard You are now connected to the VPN firewall. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu. Choose NAT or Classical Routing.
  • Page 47: Configuring For A Wizard-Detected Login Account

    Perform a DNS Lookup. A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
  • Page 48: Configuring For A Wizard-Detected Dynamic Ip Account

    Address to manually type in the MAC address that your ISP expects. Click Apply to save your settings. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to...
  • Page 49: Configuring For A Wizard-Detected Fixed Ip (Static) Account

    MAC address. Click Apply to save your settings. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Configuring for a Wizard-Detected Fixed IP (Static) Account If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you will be directed to the correct setup menu.
  • Page 50 Reference Manual for the ProSafe VPN Firewall 50 FVS338 Configure the firewall Connect to the Internet Follow the steps below to configure a serial port Internet connection on your firewall. Connect the Firewall to your dial-up modem Turn off your modem and connect the cable from the serial port of the FVS338 to the modem.
  • Page 51 Figure 4-2: Serial Internet Connection configuration menu Fill in the analog ISP Internet configuration parameters as appropriate: • For a Dial-up Account, enter the Account information. Check “Connect as required” to enable the firewall to automatically dial the number. To enable Idle Time disconnect, check the box and enter a time in minutes.
  • Page 52 PC configuration and pasting them into the FVS338 Modem Properties Initial String field. For more information on this procedure, please refer to the support area of the NETGEAR web site. • Select the Serial Line Speed. This is the maximum speed the modem will attempt to use.
  • Page 53: Testing Your Internet Connection

    After completing the Internet connection configuration, you can test your Internet connection. Log in to the VPN firewall, then, from the Setup Basic Settings link, click the Test button. If the NETGEAR Web site does not appear within one minute, refer to Chapter 10, “Troubleshooting.”
  • Page 54: Manually Configuring Your Internet Connection

    Reference Manual for the ProSafe VPN Firewall 50 FVS338 Manually Configuring Your Internet Connection You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section. ISP Does Not Require Login ISP Does Require Login Figure 4-3: Browser-based configuration Basic Settings menu...
  • Page 55: How To Manually Configure The Primary Internet Connection

    Note: A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here.
  • Page 56: Configure Dynamic Dns (If Needed)

    PC that you are now using. You must be using the one PC that is allowed by the ISP. Or, select “Use this MAC address” and enter it. Click Apply to save your settings. Click Test to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 10,...
  • Page 57 Figure 4-4: Dynamic DNS screens Each DNS service provider requires its own parameters DynDNS Service Screen Figure 4-5: Dynamic DNS service provider screens Access the website of one of the dynamic DNS service providers whose names appear in the ‘Select Service Provider’ box, and register for an account. For example, for dyndns.org, go to www.dyndns.org.
  • Page 58: Configure The Wan Options (If Needed)

    Reference Manual for the ProSafe VPN Firewall 50 FVS338 Type the entire FQDN name that your dynamic DNS service provider gave you, such as myName.dyndns.org. Type the user name for logging into your dynamic DNS account. Type the password (or key) for your dynamic DNS account. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may select the Use wildcards check box to activate this feature.
  • Page 59 Edit the default information you want to change. • Respond To Ping On Internet Port—If you want the router to respond to a 'Ping' from the Internet, click this check box. This can be used as a diagnostic tool. You shouldn't check this box unless you have a specific reason to do so.
  • Page 61: Serial Port Configuration

    This chapter describes how to configure the serial port options of your FVS338 ProSafe VPN Firewall 50. The FVS338 serial port lets you share the broadband connection of another FVS338, share resources between two LANs, and take advantage of the routing functions on the broadband (WAN), LAN, and serial network interfaces.
  • Page 62: How To Configure A Serial Port Modem

    PC, establishing a connection to your ISP, and then copying the modem string settings from the PC configuration and pasting them into the FVS338 modem configuration fields. For more information on this procedure, please refer to the support area of the NETGEAR web site.
  • Page 63: Configuring Auto-Rollover

    Configuring Auto-Rollover You can configure the serial port of the FVS338 to provide an auto-rollover backup connection for your broadband service. Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure. Basic Requirements for Auto-Rollover Auto-Rollover requires these elements: A broadband connection to the FVS338.
  • Page 64 Reference Manual for the ProSafe VPN Firewall 50 FVS338 Figure 5-2: Auto-Rollover configuration menu Configure the Auto-Rollover settings. Click Apply for the changes to take effect. January 2005 Serial Port Configuration...
  • Page 65: Lan Configuration

    This chapter describes how to configure the advanced features of your FVS338 ProSafe VPN Firewall 50. These features can be found under the Advanced heading in the Main Menu of the browser interface. • LAN Setup • DMZ Setup • Static Routes Using the LAN IP Setup Options The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP.
  • Page 66: Configuring Lan Tcp/Ip Setup Parameters

    RIP is applicable if your network contains multiple routers. • IP Address: Type the IP address of your router (factory default: 192.168.1.1). Make sure that LAN Port IP address and DMZ port IP address are in different subnets. Filtering.
  • Page 67 Configuration Protocol) server, providing TCP/IP configuration for all computers connected to the router's LAN. If another device on your network will be the DHCP server, or if you will manually configure all devices, select the Disable option under DHCP configuration. Select the DHCP Relay option to configure the router as a DHCP relay.
  • Page 68: Using The Firewall As A Dhcp Server

    Reference Manual for the ProSafe VPN Firewall 50 FVS338 • Ending IP Address - This box specifies the last of the contiguous addresses in the IP address pool. 192.168.1.254 is the default ending address. • WINS Server - This box can specify the Windows NetBios Server IP if one is present in your network.
  • Page 69: Using Address Reservation

    • Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu; otherwise, the firewall’s LAN IP address) • Secondary DNS Server (if you entered a Secondary DNS address in the Basic Settings menu) • WINS Server (if you entered a Secondary DNS address in the Basic Settings menu) Using Address Reservation When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the firewall’s DHCP server.
  • Page 70: Multi Home Lan Ips

    Internet for services that you haven't defined. There are security issues with doing this, so only do this if you're willing to risk open access. If you do not assign an exposed host, the router discards any incoming service requests that are undefined.
  • Page 71: Exposed Host (Software Dmz)

    Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the exposed host. Note: For security, NETGEAR strongly recommends that you avoid using the exposed host feature. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
  • Page 72: One-To-One Nat Mapping

    Reference Manual for the ProSafe VPN Firewall 50 FVS338 From the Main Menu of the browser interface, under Advanced, click on DMZ Setup to view the DMZ Setup menu, shown below. Figure 6-4: DMZ Setup screen (exposed host setup) To assign a computer or server to be an exposed host: Click Default DMZ Server.
  • Page 73 IP address in the Destination Field of the inbound rule. Note: For security, NETGEAR strongly recommends that you avoid using the one-to-one NAT mapping feature. When a computer is designated as the destination of one-to-one NAT mapping, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
  • Page 74: Configuring Static Routes

    Reference Manual for the ProSafe VPN Firewall 50 FVS338 Click Apply. Note: All incoming traffic to that IP address will be sent to the selected PC. Out-going traffic from the selected PC will use the IP address you entered, not the default WAN IP address. No firewall protection is available.
  • Page 75 To add or edit a Static Route: Click the Add button to open the Add/Edit Menu, shown below. Type a route name for this static route in the Route Name box under the table. (This is for identification purposes only.) Select Private if you want to limit access to the LAN only.
  • Page 77: Firewall Protection And Content Filtering

    You can also block Internet access by applications and services, such as chat or games. A firewall is a special category of router that protects one network (the “trusted” network, such as your LAN) from another (the “untrusted” network, such as the Internet), while allowing communication between the two.
  • Page 78 Reference Manual for the ProSafe VPN Firewall 50 FVS338 A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVS338 are: • Inbound: Block all access from outside except responses to requests from the LAN side. •...
  • Page 79 Outbound Services—This lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule allows all outgoing traffic. • To create a new outbound service rule: Click the Add button. It does not matter which radio button is selected. The Outbound Service screen will be displayed (see on page 7-9).
  • Page 80: Services-Based Rules

    UDP Flooding: Enable this to limit the number of UDP sessions created from one LAN machine. • TCP Flooding: Enable this to protect the router from SYN flood attacks. • Enable DNS Proxy: Enable this to allow the incoming DNS queries.
  • Page 81: Inbound Rules (Port Forwarding)

    Inbound Rules (Port Forwarding) Because the FVS338 uses Network Address Translation (NAT), your network presents only one IP address to the Internet and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a web server or game server) visible and available to the Internet.
  • Page 82 Reference Manual for the ProSafe VPN Firewall 50 FVS338 Table 7-1. Inbound Services Item Description Services Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see Action Select the desired action for packets covered by this rule:...
  • Page 83: Inbound Rule Example: A Local Public Web Server

    Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location.
  • Page 84: Inbound Rule Example: Allowing Videoconference From Restricted Addresses

    Reference Manual for the ProSafe VPN Firewall 50 FVS338 Inbound Rule Example: Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 7-4, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
  • Page 85: Outbound Rules (Service Blocking)

    • Local PCs must access the local server using the PCs’ local LAN address (192.168.0.99 in this example). Attempts by local PCs to access the server using the external WAN IP address will fail. Outbound Rules (Service Blocking) The FVS338 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering.
  • Page 86 Reference Manual for the ProSafe VPN Firewall 50 FVS338 Table 7-2. Outbound Services Item Description Services Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see Action Select the desired action for outgoing connections covered by this rule:...
  • Page 87: Outbound Rule Example: Blocking Instant Messenger

    Table 7-2. Outbound Services Item Description This determines whether packets covered by this rule are logged. Select the desired action: • Always - always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules. •...
  • Page 88: Order Of Precedence For Rules

    Reference Manual for the ProSafe VPN Firewall 50 FVS338 Order of Precedence for Rules As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 7-7: Figure 7-7: Rules table with examples For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules at the bottom.
  • Page 89 Although the FVS338 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 7-8:...
  • Page 90: Quality Of Service (Qos) Priorities

    Reference Manual for the ProSafe VPN Firewall 50 FVS338 Click Apply. The new service will now appear in the Services menu, and in the Service name selection box in the Rules menu. Quality of Service (QoS) Priorities This setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall.
  • Page 91 Example 1 (priority unchanged): If the native ToS setting for a service is 3 and the Netgear QoS setting for this service is None, then the traffic for this service is placed in the queue that handles priority 3 traffic.
  • Page 92: Managing Groups And Hosts

    PCs and devices become known by the following methods: • DHCP Client Requests—By default, the DHCP server in this Router is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database. Because of this, leaving the DHCP Server feature (on the LAN screen) enabled is strongly recommended.
  • Page 93 Figure 7-10: Groups and Hosts screens
  • Page 94: Using A Schedule To Block Or Allow Specific Traffic

    Table 7-4. Groups and hosts. Known PCs and Devices: This table lists all current entries in the Network Database. For each PC or device, the following data is displayed. •...
  • Page 95 Figure 7-11: Schedule menu. To invoke rules and block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day.
  • Page 96: Time Zone

    VPN firewall's content and Web component filtering feature. By default, this feature is disabled; all requested traffic from any Web site is allowed. When users try to access a blocked site, they will get a message: Blocked by NETGEAR. •...
  • Page 97 Figure 7-12: Block Sites menu
  • Page 98 • In the Trusted Domains box, enter the exact matching domain name for which the keyword filtering will be bypassed. Example: Enter www.netgear.com to bypass URL keyword filtering for this domain. The domains in this list are allowed without keyword filtering; web component filtering still applies to them.
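An added example (not code from the manual or the device) of the Block Sites logic described on this page: a keyword filter on the requested URL, an exact-match Trusted Domains bypass, and web component filtering that still applies to trusted sites. The class name, the sample keywords and the component names are assumptions.

```python
from typing import Iterable, Set, Tuple
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased, without port or trailing dot.

    A bare "www.example.com/path" has no scheme, and urlsplit would then put
    the host into the path, so a scheme is prepended when none is present.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


class BlockSites:
    """Keyword filter with an exact-match Trusted Domains bypass.

    keywords: blocked when they occur anywhere in the URL (case-insensitive).
    trusted: domains that bypass keyword filtering; only an exact host match
             counts, so listing www.netgear.com does not cover netgear.com.
    blocked_components: web component types (assumed names such as "activex",
             "java", "cookies") that stay blocked on every site, trusted or not.
    """

    def __init__(self, keywords: Iterable[str], trusted: Iterable[str],
                 blocked_components: Iterable[str] = ()) -> None:
        self.keywords = [k.lower() for k in keywords if k.strip()]
        self.trusted: Set[str] = {t.lower().rstrip(".") for t in trusted}
        self.blocked_components: Set[str] = {c.lower() for c in blocked_components}

    def decide(self, url: str) -> Tuple[str, str]:
        host = host_of(url)
        if host in self.trusted:
            return "ALLOW", f"trusted domain {host}"
        lowered = url.lower()
        for kw in self.keywords:
            if kw in lowered:
                return "BLOCK", f"keyword {kw!r}"   # the user sees: Blocked by NETGEAR
        return "ALLOW", "no keyword match"

    def component_allowed(self, component: str) -> bool:
        """Web component filtering applies regardless of the trusted list."""
        return component.lower() not in self.blocked_components
```

The exact-match rule is the point to check when a bypass seems not to work: a trusted entry for www.netgear.com says nothing about netgear.com or support.netgear.com.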
  • Page 99: Source Mac Filtering

    Source MAC Filtering Source MAC Filter drops Internet-bound traffic received from PCs with the specified MAC addresses. • By default, the source MAC address filter is disabled. All traffic received from PCs with any MAC address is allowed by default. Note that a MAC address is set by the sending host and is trivially changed, so this filter controls well-behaved devices; it is not a barrier against a deliberate user. •...
  • Page 100: Port Triggering

    • This Router matches the response to the previous request, and forwards the response to the PC. Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.
  • Page 101 • After a PC has finished using a Port Triggering application, there is a Time-out period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated. Note: For additional ways of allowing inbound traffic, see Forwarding)”...
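An added example (not NETGEAR's implementation) of the port triggering behaviour described on pages 100 and 101: an outgoing request arms a trigger for the requesting PC, later unsolicited packets in the trigger's inbound range go to that PC, anything else falls through to the static port forwarding rules or is dropped, and the trigger stays with one PC until the time-out expires. Port numbers, addresses and the refresh-on-activity behaviour are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping, Optional, Tuple


@dataclass(frozen=True)
class Trigger:
    name: str
    outbound_port: int               # the outgoing request port that arms the rule
    inbound_range: Tuple[int, int]   # inclusive range the response may come back on


@dataclass
class _Hold:
    lan_ip: str
    last_seen: float


class PortTriggering:
    def __init__(self, triggers: Iterable[Trigger], forwarding: Mapping[int, str],
                 timeout: float) -> None:
        self.triggers = {t.name: t for t in triggers}
        self.forwarding = dict(forwarding)   # static port forwarding: port -> LAN IP
        self.timeout = timeout               # the time-out period from the manual
        self.holds: Dict[str, _Hold] = {}    # trigger name -> PC currently holding it

    def _expire(self, now: float) -> None:
        for name, hold in list(self.holds.items()):
            if now - hold.last_seen > self.timeout:
                del self.holds[name]

    def outbound(self, lan_ip: str, dst_port: int, now: float) -> Optional[str]:
        """Outgoing packet from a LAN PC. Returns the trigger it armed, if any.

        A trigger already held by a different PC stays with that PC until the
        time-out has elapsed, so the second PC gets None here.
        """
        self._expire(now)
        for trig in self.triggers.values():
            if trig.outbound_port != dst_port:
                continue
            hold = self.holds.get(trig.name)
            if hold is not None and hold.lan_ip != lan_ip:
                return None
            self.holds[trig.name] = _Hold(lan_ip, now)
            return trig.name
        return None

    def inbound(self, dst_port: int, now: float) -> Tuple[str, Optional[str]]:
        """Unsolicited packet arriving on the WAN side.

        Returns ("triggered", ip) when an armed trigger claims the port,
        ("forwarded", ip) when a static forwarding rule does, else ("dropped", None).
        Activity on an armed trigger refreshes its time-out (an assumption).
        """
        self._expire(now)
        for name, hold in self.holds.items():
            low, high = self.triggers[name].inbound_range
            if low <= dst_port <= high:
                hold.last_seen = now
                return "triggered", hold.lan_ip
        if dst_port in self.forwarding:
            return "forwarded", self.forwarding[dst_port]
        return "dropped", None


# Constructed configuration: port numbers and hosts are illustrative only.
def demo_table() -> PortTriggering:
    return PortTriggering(
        triggers=[Trigger("game", outbound_port=6112, inbound_range=(6112, 6119))],
        forwarding={80: "192.168.1.20"},   # web server exposed via port forwarding
        timeout=300,                       # seconds
    )
```

Note what the model makes visible: while a trigger is armed, the whole inbound range is open to any Internet host, not just the one the PC talked to, and it stays open for the full time-out after the last packet.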
  • Page 102: Getting E-Mail Notifications Of Event Logs And Alerts

    Getting E-Mail Notifications of Event Logs and Alerts Your router will log security-related events such as denied incoming service requests, hacker probes, and administrator logins, according to your settings on this screen. If you have set up content filtering on the Block Sites page (see can also log when someone on your network tried to access a blocked site.
  • Page 103 Figure 7-15: Logs and E-mail screens. Click the View Log button to view the log messages generated by the Router. In the View Log window: • To delete all log entries: Click Clear Log. • To see the most recent entries: Click Refresh.
  • Page 104 Items to include in the log: • Use these checkboxes to determine which events are included in the log. Selecting all events will increase the size of the log, so it is good practice to disable any events which are not really required.
  • Page 105: Syslog

    • In the Log Threshold Time box, set the log threshold time. • In the Alert Queue Length box, set the alert queue length. Click Apply to have your changes take effect. Syslog You can configure the firewall to send system logs to an external PC that is running a syslog logging program.
  • Page 106 Figure 7-16: Firewall Logs menu. Table 7-8. Log entry descriptions. Date and Time: The date and time the log entry was recorded. Description or Action: The type of event and what action was taken, if any. Source IP: The IP address of the initiating device for this log entry.
  • Page 107: Administrator Information

    Table 7-8. Log entry descriptions (continued). Source port and interface: The service port number of the initiating device, and whether it originated from the LAN or WAN. Destination: The name or IP address of the destination device or website. Destination port and interface: The service port number of the destination device, and whether it's on the...
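An added example, not the FVS338's own log format: the field set of Table 7-8 carried in a constructed pipe-separated export, with a parser and two checks a practitioner would run over it (denied inbound requests per source, and sources probing several ports, which is the "hacker probes" class of event the log records). The sample entries and the separator are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed export format, one entry per line, fields in the order of Table 7-8:
#   date/time | description or action | source IP | source port IF | destination | dest port IF
# The real FVS338 log layout is not reproduced here; only the field set is.
SAMPLE_LOG = """\
Sat 2005-01-15 10:22:31 | Inbound TCP packet dropped | 203.0.113.9 | 4411 WAN | 192.168.1.1 | 21 LAN
Sat 2005-01-15 10:22:32 | Inbound TCP packet dropped | 203.0.113.9 | 4412 WAN | 192.168.1.1 | 22 LAN
Sat 2005-01-15 10:22:32 | Inbound TCP packet dropped | 203.0.113.9 | 4413 WAN | 192.168.1.1 | 23 LAN
Sat 2005-01-15 10:22:33 | Inbound TCP packet dropped | 203.0.113.9 | 4414 WAN | 192.168.1.1 | 80 LAN
Sat 2005-01-15 10:30:05 | Inbound TCP packet dropped | 198.51.100.5 | 51022 WAN | 192.168.1.1 | 445 LAN
Sat 2005-01-15 10:31:40 | Outbound TCP packet allowed | 192.168.1.10 | 3344 LAN | www.netgear.com | 80 WAN
Sat 2005-01-15 10:35:00 | Administrator login | 192.168.1.10 | 3350 LAN | 192.168.1.1 | 443 LAN
"""


@dataclass(frozen=True)
class LogEntry:
    date_time: str
    description: str
    src_ip: str
    src_port: int
    src_if: str
    dst: str
    dst_port: int
    dst_if: str


_PORT_IF = re.compile(r"^(\d{1,5})\s+(LAN|WAN)$")


def parse_line(line: str) -> LogEntry:
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {line!r}")
    date_time, desc, src_ip, src, dst, dstp = parts
    m_src, m_dst = _PORT_IF.match(src), _PORT_IF.match(dstp)
    if not (m_src and m_dst):
        raise ValueError(f"bad port/interface field in {line!r}")
    return LogEntry(date_time, desc, src_ip, int(m_src.group(1)), m_src.group(2),
                    dst, int(m_dst.group(1)), m_dst.group(2))


def parse_log(text: str) -> List[LogEntry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def denied_inbound_by_source(entries: List[LogEntry]) -> Dict[str, int]:
    """Count denied incoming service requests per WAN-side source address."""
    counts: Counter = Counter()
    for e in entries:
        if e.src_if == "WAN" and "dropped" in e.description.lower():
            counts[e.src_ip] += 1
    return dict(counts)


def probe_sources(entries: List[LogEntry], min_ports: int = 3) -> List[str]:
    """Sources whose denied inbound packets touched at least min_ports distinct
    destination ports: a crude signature of a port probe."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for e in entries:
        if e.src_if == "WAN" and "dropped" in e.description.lower():
            ports[e.src_ip].add(e.dst_port)
    return sorted(ip for ip, ps in ports.items() if len(ps) >= min_ports)
```

When the logs are shipped to a syslog host, the same two functions run over the collected file; the interface field is what separates a probe from the WAN from ordinary LAN traffic that happened to be denied.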
  • Page 109: Virtual Private Networking

    Dynamic DNS service. Creating a VPN Connection: Between FVX538 and FVS338 This section describes how to configure a VPN connection between a NETGEAR FVX538 VPN Firewall and a NETGEAR FVS338 VPN Firewall. Using each firewall's VPN Wizard, we will create a set of policies (IKE and VPN) that will allow the two firewalls to connect from locations with fixed IP addresses.
  • Page 110: Configuring The Fvx538

    Configuring the FVX538 Select the VPN Wizard. Give the client connection a name, such as to_fvs. Enter a value for the pre-shared key. Select 'a remote VPN gateway'. Figure 8-1: VPN Wizard start page. Click Next.
  • Page 111 Enter the LAN IP address and subnet mask of the remote FVS338. Figure 8-3: LAN IP address and subnet mask of the remote FVS338. Click Next. Click Done to create the 'to_fvs' IKE and VPN policies. In the IKE Policies menu, the 'to_fvs' IKE policy will appear in the table. Figure 8-4: IKE Policies
  • Page 112 You can view the IKE parameters by selecting 'to_fvs' and clicking Edit. It should not be necessary to make any changes. Figure 8-5: FVX538-to-FVS338 IKE screen
  • Page 113 In the VPN Policies menu, the 'to_fvs' VPN policy will appear in the table. Figure 8-6: FVX538 VPN Policies screen
  • Page 114: Configuring The Fvs338

    You can view the VPN parameters by selecting 'to_fvs' and clicking Edit. It should not be necessary to make any changes. Figure 8-7: FVX538-to-FVS338 VPN screen Configuring the FVS338 Select the VPN Wizard. Give the client connection a name, such as to_fvx.
  • Page 115 Select 'a remote VPN gateway'. Figure 8-8: VPN Wizard start page. Click Next. Enter the WAN IP address of the remote FVX538. Figure 8-9: WAN IP address of remote FVX538. Click Next.
  • Page 116: Testing The Connection

    PCs are to be connected, an additional policy or policies must be created. Each PC will use Netgear's VPN Client. Since the PC's IP address is assumed to be unknown, the PC must always be the Initiator of the connection.
  • Page 117: Configuring The Fvs338

    This procedure was developed and tested using: • Netgear FVS338 ProSafe VPN Firewall 50 with version 1.6.11 firmware • Netgear VPN Client version 10.3.5 (Build 6) • NAT router: Netgear FR114P with version 1.5_09 firmware Configuring the FVS338 Select the VPN Wizard Give the client connection a name, such as home.
  • Page 118 In the upper left of the Policy Editor window, click the New Document icon to open a New Connection. Figure 8-12: New Client Connection screen
  • Page 119 Give the New Connection a name, such as to_FVS. Figure 8-13: New connection named to_FVS. In the Remote Party Identity section, select ID Type of IP Subnet. Enter the LAN IP Subnet Address and Subnet Mask of the FVS338's LAN. Select 'Connect using Secure Gateway Tunnel'.
  • Page 120 For Domain Name, enter 'fvs_local.com' and enter the WAN IP Address of the FVS338. Figure 8-14: Remote client info. In the left frame, click on My Identity. Select Certificate = None. Under ID Type, select 'Domain Name'.
  • Page 121 Leave Virtual Adapter disabled, and select your computer's Network Adapter. Your current IP address will appear. Figure 8-15: My Identity screen. Before leaving the My Identity menu, click the Pre-Shared Key button. Click Enter Key, type your preshared key, and click OK.
  • Page 122 This key will be shared by all users of the FVS338 policy "home". Because every remote user presents the same key, it must be changed on the FVS338 and on every client if any one client is lost or compromised. Figure 8-16: Pre-shared key. In the left frame, click on Security Policy.
  • Page 123 Select Phase 1 Negotiation Mode = Aggressive Mode. PFS should be disabled, and Replay Detection should be enabled. Note that in Aggressive Mode the identities and the pre-shared-key authentication hashes are exchanged before the channel is encrypted, so anyone who captures the exchange can run an offline dictionary attack against the key; choose a long, random pre-shared key. Figure 8-17: Client Security Policy screen
  • Page 124 In the left frame, expand Authentication and select Proposal 1. Compare with the figure below. No changes should be necessary. Figure 8-18: Client Authorization screen
  • Page 125: Testing The Connection

    In the left frame, expand Key Exchange and select Proposal 1. Compare with the figure below. No changes should be necessary. Figure 8-19: Client Key Exchange screen. In the upper left of the window, click the disk icon to save the policy. Testing the Connection Right-click on the VPN client icon "My Connections\to_FVS".
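The Replay Detection setting enabled in the client policy above is the ESP anti-replay window. The following Python is an added example of that window (the standard sliding-bitmap algorithm of RFC 4303), not code from the NETGEAR VPN Client or the FVS338. It assumes plain 32-bit sequence numbers without extended sequence numbers.

```python
from typing import Iterable, List


class ReplayWindow:
    """Sliding anti-replay window as used by ESP (RFC 4303).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether top - i has been seen. A packet that passes this check
    has not yet had its integrity check value verified, so a real
    implementation only commits the update after authentication succeeds.
    """

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0
        self.bitmap = 0
        self._mask = (1 << size) - 1

    def check(self, seq: int) -> bool:
        """Return True if seq is fresh (and record it); False for a replay or
        for a packet that fell off the left edge of the window."""
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False                     # 0 is never sent on a fresh SA
        if seq > self.top:                   # to the right of the window: advance
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self._mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:              # too old to judge: drop
            return False
        if (self.bitmap >> offset) & 1:      # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True


def replay_trace(seqs: Iterable[int], size: int = 64) -> List[bool]:
    """Run a sequence of ESP sequence numbers through a fresh window."""
    win = ReplayWindow(size)
    return [win.check(s) for s in seqs]
```

Out-of-order delivery inside the window is accepted (3 then 2), a repeat of either is rejected, and a packet more than `size` behind the newest one is rejected even though it was never seen, which is why a too-small window on a lossy, reordering link shows up as dropped traffic rather than as an attack.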
  • Page 126 For additional status and troubleshooting information, right-click on the VPN client icon in your Windows toolbar and select "Connection Monitor" or "Log Viewer", or view the VPN log and status menu in the FVS338. Figure 8-20: Client Connection Monitor screen
  • Page 127: Router And Network Management

    As a result and depending on the traffic being carried, the WAN side of the firewall will be the limiting factor to throughput for most installations.
  • Page 128: Vpn Firewall Features That Reduce Traffic

    WAN Users—These settings determine which Internet locations are covered by the rule, based on their IP address. – Any: The rule applies to all Internet IP addresses. – Single address: The rule applies to a single Internet IP address.
  • Page 129 PCs and devices become known by the following methods: • DHCP Client Request—By default, the DHCP server in this Router is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database.
  • Page 130: Block Sites

    Features that tend to increase WAN-side loading are as follows: • Port forwarding • Port triggering • Exposed hosts
  • Page 131: Port Forwarding

    • UDP Flooding—Enable this to limit the number of UDP sessions created from one LAN machine. • TCP Flooding—Enable this to protect the router from SYN flood attacks. • Enable DNS Proxy—Enable this to allow incoming DNS queries. •...
  • Page 132: Port Triggering

    • This Router matches the response to the previous request and forwards the response to the PC. Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.
  • Page 133: Exposed Hosts

    • You can accept the default priority defined by the service itself by not changing its QoS setting.
  • Page 134: Tools For Traffic Management

    Changing the Administrator Password and Login Timeout The default password for the firewall’s Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password. From the main menu of the browser interface, under the Management heading, select Set Password to bring up this menu.
  • Page 135: Enabling Remote Management Access

    Note: If you make the administrator login timeout value too large, you will have to wait a long time before you are able to log back into the router if your previous login was disrupted (i.e., you did not click Logout on the Main Menu bar to log out).
  • Page 136 Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP. Click Apply to have your changes take effect.
  • Page 137: Event Alerts

    (:) and the custom port number. For example, if your WAN IP address is 134.177.0.123 and you use port number 8080, type the following in your browser: https://134.177.0.123:8080 The router’s remote login URL is https://IP_address:port_number or https://FullyQualifiedDomainName:port_number. If you do not use the SSL https://address, but rather use http://address, the FVS338 will automatically attempt to redirect to https://address.
  • Page 138: Login Failures And Attacks

    Log screen that is invoked by clicking Logs and Email under Security on the Main Menu bar. Each WAN port is programmed separately. The WAN port shuts down once the traffic limit is reached. An email alert can be sent when this shutdown happens.
  • Page 139 Figure 9-4: Logs and email screen (callouts: Select the types of alerts to email; Enable email alerts; Accumulate 15 messages before sending an email; Wait 15 seconds before sending an email)
  • Page 140: Monitoring

    SNMP connections. Viewing VPN Firewall Status and Time Information Firewall Status The Router Status menu provides status and usage information. From the main menu of the browser interface, click on Management, then select Router Status to view this screen.
  • Page 141 Figure 9-5: Router Status screen
  • Page 142: Time Information

    This is the Account Name that you entered in the Basic Settings page. Firmware Version This is the current software the router is using. This will change if you upgrade your router. LAN Port Information These are the current settings for MAC address, IP address, DHCP role and Subnet Mask that you set in the LAN IP Setup page.
  • Page 143 Figure 9-6: Time information on the Schedule screen. If supported for your region, you can check Automatically adjust for Daylight Savings Time.
  • Page 144: Wan Ports

    Table 9-1. Current date and time. Use Default NTP Servers (Network Time Protocol): If enabled, the system clock is updated regularly by contacting a default Netgear NTP Server on the Internet. Use Custom NTP Servers: If you prefer to use a particular NTP server, enable this and enter the name or IP address of an NTP Server in the Server 1 Name/IP Address field.
  • Page 145: Dynamic Dns Status

    Traffic. The volume of traffic for each protocol will be displayed in a sub-window. Traffic counters are shown in megabytes, and a counter starts counting only once at least 1 MB has passed.
  • Page 146: Lan Ports And Attached Devices

    The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the Main Menu of the browser interface, under the Security heading, select Groups and Hosts to view the table, shown below.
  • Page 147 PCs and devices become known by the following methods: • DHCP Client Requests—By default, the DHCP server in this Router is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database. Because of this, leaving the DHCP Server feature (on the LAN screen) enabled is strongly recommended.
  • Page 148: Dhcp Log

    You can view the DHCP log. Invoke the DHCP Log from the LAN IP Setup screen. Figure 9-11: DHCP Log. Port Triggering Status You can view the status of port triggering. Invoke the Port Triggering Status screen from the Port Triggering screen. Figure 9-12: Port Triggering Status screen
  • Page 149: Firewall

    You can view the log of the firewall activities. Figure 9-3 shows the Log screen that is invoked by clicking Logs and Email under Security on the Main Menu bar.
  • Page 150 (callouts on the Logs and Email screen: Select the types of logs to email; Enable emailing of logs; Enable system logs; Accumulate 15 messages before sending an email; Wait 15 seconds before sending an email)
  • Page 151: Vpn Tunnels

    Invoke the Firewall Log screen from the Logs and Email screen. Figure 9-14: Firewall Log screen (invoked from Logs and Email screen) VPN Tunnels You can view the status of the VPN tunnels.
  • Page 152 The amount of data transmitted over this SA. State: The current status of the SA. Phase 1 is the Authentication phase and Phase 2 is the Key Exchange phase. Action: Use this button to terminate/build the SA (connection) if required.
  • Page 153: Snmp

    Diagnostics You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the firewall, and capturing packets. Note: For normal operation, diagnostics are not required.
  • Page 154 Back to return to the Diagnostics screen. Perform a DNS A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to Lookup an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
  • Page 155: Configuration File Management

    Description Reboot the Router Use this button to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally. Note: Rebooting will break any existing connections either to the Router (such as this one) or through the Router (for example, LAN users accessing the Internet).
  • Page 156: Restoring And Backing Up The Configuration

    NETGEAR. Upgrade files can be downloaded from Netgear's website. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.TRX) file before sending it to the firewall. The upgrade file can be sent to the firewall using your browser.
  • Page 157: Erasing The Configuration (Factory Defaults Reset)

    Figure 9-19: Router Upgrade menu To upload new firmware: Download and unzip the new software file from NETGEAR. In the Router Upgrade menu, click the Browse button and browse to the location of the binary (.BIN) upgrade file Click Upload.
  • Page 158 • To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the front panel of the firewall (see Router’s Front Panel” on page Password” on page 10-7.
  • Page 159: Troubleshooting

    • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
  • Page 160: Leds Never Turn Off

    LEDs Never Turn Off When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up: •...
  • Page 161: Troubleshooting The Web Configuration Interface

    Troubleshooting the Web Configuration Interface If you are unable to access the firewall’s Web Configuration interface from a PC on your local network, check the following: • Check the Ethernet connection between the PC and the firewall as described in the previous section.
  • Page 162: Troubleshooting The Isp Connection

    Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the firewall's configuration at http://192.168.1.1. 3. Under the Management heading, select Router Status. 4. Check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.
  • Page 163: Troubleshooting A Tcp/Ip Network Using A Ping Utility

    Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. If your firewall can obtain an IP address, but your PC is unable to load any web pages from the Internet: • Your PC may not recognize any DNS server addresses.
  • Page 164: Testing The Path From Your Pc To A Remote Device

    If the path is not working, you see this message: Request timed out If the path is not functioning correctly, you could have one of the following problems: • Wrong physical connections —...
  • Page 165: Restoring The Default Configuration And Password

    — Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem.
  • Page 167: Technical Specifications

    This appendix provides technical specifications for the FVS338 ProSafe VPN Firewall 50. Network Protocol and Standards Compatibility: Data and Routing Protocols. Power Adapter: North America; United Kingdom, Australia; Europe; Japan; All regions (output). Physical Specifications: Dimensions; Weight. Environmental Specifications: Operating temperature; Operating humidity.
  • Page 168 Electromagnetic Emissions: Meets requirements of FCC Part 15 Class B, VCCI Class B, EN 55 022 (CISPR 22) Class B. Interface Specifications: LAN: 10BASE-T or 100BASE-Tx, RJ-45. WAN: 10BASE-T or 100BASE-Tx.
  • Page 169: Network, Routing, Firewall, And Basics

    (WAN) link such as a cable or DSL modem. In order to make the best use of the slower WAN link, a mechanism must be in place for selecting and transmitting only the data traffic meant for the Internet. The function of selecting and forwarding this data is performed by a router. Network, Routing, Firewall, and Basics...
  • Page 170: What Is A Router

    IP protocol over a single-user broadband connection. Routing Information Protocol One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table.
  • Page 171 The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application.
  • Page 172: Netmask

    • Class C Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x.
  • Page 173: Subnet Addressing

    As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a forward slash (/), as "/n."...
  • Page 174 Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address.
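An added example (not from the manual) that carries the /n netmask notation and the bit-borrowing described on these pages through in Python: prefix length to mask and back, the network, broadcast and host range for a prefix that does not fall on an octet boundary, and splitting a /24 into /26 subnets. The addresses used are assumptions.

```python
from typing import Dict, List

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n


def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/n means n ones from the left: 255.255.255.0 is /24."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def prefix_from_mask(dotted: str) -> int:
    """Inverse of mask_from_prefix; rejects masks whose ones are not contiguous."""
    mask = to_int(dotted)
    prefix = bin(mask).count("1")
    if mask != mask_from_prefix(prefix):
        raise ValueError(f"non-contiguous netmask: {dotted}")
    return prefix


def describe(cidr: str) -> Dict[str, object]:
    """Network, netmask, broadcast and host range for an address written as a.b.c.d/n."""
    addr_s, prefix_s = cidr.split("/")
    addr, prefix = to_int(addr_s), int(prefix_s)
    mask = mask_from_prefix(prefix)
    network = addr & mask
    broadcast = network | (~mask & ALL_ONES)
    size = 1 << (32 - prefix)
    return {
        "network": to_dotted(network),
        "netmask": to_dotted(mask),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1) if size > 2 else to_dotted(network),
        "last_host": to_dotted(broadcast - 1) if size > 2 else to_dotted(broadcast),
        "usable_hosts": size - 2 if size > 2 else 0,   # /31 and /32 have no classic host range
    }


def split(cidr: str, new_prefix: int) -> List[str]:
    """Borrow host bits to make more networks, e.g. a /24 into four /26."""
    info = describe(cidr)
    old_prefix = int(cidr.split("/")[1])
    if new_prefix < old_prefix or new_prefix > 32:
        raise ValueError("new prefix must be at least as long as the original and at most /32")
    base = to_int(str(info["network"]))
    step = 1 << (32 - new_prefix)
    return [f"{to_dotted(base + i * step)}/{new_prefix}"
            for i in range(1 << (new_prefix - old_prefix))]
```

The non-contiguous check in `prefix_from_mask` is the one that matters when a mask is typed by hand into a LAN or VPN policy screen: 255.255.0.255 is accepted as four valid octets but describes no subnet.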
  • Page 175: Private Ip Addresses

    • So that a local router or bridge recognizes which addresses are local and which are remote Private IP Addresses If your local network is isolated from the Internet (for example, when using NAT), you can assign any IP addresses to the hosts without problems.
  • Page 176: Single Ip Address Operation Using Nat

    IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router. The FVS338 VPN firewall employs an address-sharing method called Network Address Translation (NAT).
  • Page 177: Mac Addresses And Address Resolution Protocol

    Internet through the translated connection. All incoming inquiries are filtered out by the router. This filtering can prevent intruders from probing your system. However, using port forwarding, you can allow one PC (for example, a Web server) on your local network to be accessible to outside users.
  • Page 178: Domain Name Server

    Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as...
  • Page 179: What Is A Firewall

    A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur.
  • Page 180: Category 5 Cable Quality

    Table B-1. UTP Ethernet cable wiring, straight-through (wire color: signal). Orange/White: Transmit (Tx) +. Orange: Transmit (Tx) -. Green/White: Receive (Rx) +. Blue: no signal (unused by 10/100BASE-T). Blue/White: no signal (unused by 10/100BASE-T). Green: Receive (Rx) -. Brown/White: no signal (unused by 10/100BASE-T). Brown: no signal (unused by 10/100BASE-T). Category 5 Cable Quality Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows: 20 ft.
  • Page 181: Inside Twisted Pair Cables

    Inside Twisted Pair Cables For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device. Computers and workstation adapter cards are usually media-dependent interface ports, called MDI or uplink ports.
  • Page 182: Uplink Switches, Crossover Cables, And Mdi/Mdix Switching

    Figure B-3: Category 5 UTP Cable with Male RJ-45 Plug at Each End Note: Flat "silver satin" telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.
  • Page 183 (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.
  • Page 185: Appendix C Preparing Your Network

    This appendix describes how to prepare your network to connect to the Internet through the FVS338 ProSafe VPN Firewall 50 and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided by your ISP, you may need to copy the current configuration information for use in the configuration of your firewall.
  • Page 186: Configuring Windows 95, 98, And Me For Tcp/Ip Networking

    In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address.
  • Page 187 You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks. Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
  • Page 188: Enabling Dhcp To Automatically Configure Tcp/Ip Settings

    If you need Client for Microsoft Networks: Click the Add button. Select Client, and then click Add. Select Microsoft. Select Client for Microsoft Networks, and then click OK. Restart your PC for the changes to take effect. Enabling DHCP to Automatically Configure TCP/IP Settings After the TCP/IP protocol components are installed, each PC must be assigned specific information about itself and resources that are available on its network.
  • Page 189 Verify the following settings as shown: • Client for Microsoft Network exists • Ethernet adapter is present • TCP/IP is present • Primary Network Logon is set to Windows logon Click on the Properties button. The following TCP/IP Properties window will display.
  • Page 190: Selecting Windows' Internet Access Method

    • By default, the IP Address tab is open on this window. • Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the DHCP server to automatically assign an IP address.
  • Page 191: Configuring Windows NT4, 2000 or XP for IP Networking

    From the drop-down box, select your Ethernet adapter. The window is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: •...
  • Page 192: Enabling DHCP to Automatically Configure TCP/IP Settings

    Enabling DHCP to Automatically Configure TCP/IP Settings You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.
  • Page 193 • Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics. • Administrator logon access rights are needed to use this window. • Click the Properties button to view details about the connection.
  • Page 194: DHCP Configuration of TCP/IP in Windows 2000

    • Verify that the Obtain an IP address automatically radio button is selected. • Verify that the Obtain DNS server address automatically radio button is selected. • Click the OK button. This completes the DHCP configuration of TCP/IP in Windows XP.
  • Page 195 • Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections. • Right click on Local Area Connection and select Properties. • The Local Area Connection Properties dialog box appears. •...
  • Page 196 • With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialog box. • Verify that • Obtain an IP address automatically is selected. • Obtain DNS server address automatically is selected.
  • Page 197: DHCP Configuration of TCP/IP in Windows NT4

    DHCP Configuration of TCP/IP in Windows NT4 Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0. • Choose Settings from the Start Menu, and then select Control Panel. This will display the Control Panel window.
  • Page 198 • Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
  • Page 199: Verifying TCP/IP Properties for Windows XP, 2000, and NT4

    Type ipconfig /all. Your IP configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: • The IP address is between 192.168.0.2 and 192.168.0.254 •...
  • Page 200: Configuring the Macintosh for TCP/IP Networking

    • The default gateway is 192.168.1.1 Type exit Configuring the Macintosh for TCP/IP Networking Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP. MacOS 8.6 or 9.x From the Apple menu, select Control Panels, then TCP/IP.
  • Page 201: Verifying TCP/IP Properties for Macintosh Computers

    TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: •...
  • Page 202: Verifying the Readiness of Your Internet Account

    WinPOET or EnterNet, then your account uses PPP over Ethernet (PPPoE). When you configure your router, you will need to enter your login name and password in the router’s configuration menus. After your network and firewall are configured, the firewall will perform the login task when needed, and you will no longer need to run the login program from your PC.
  • Page 203: Obtaining ISP Configuration Information for Windows Computers

    • An IP address and subnet mask • A gateway IP address, which is the address of the ISP’s router • One or more domain name server (DNS) IP addresses • Host name and domain suffix For example, your account’s full server names may look like this: mail.xxx.yyy.com...
  • Page 204: Obtaining ISP Configuration Information for Macintosh Computers

    In this case, close the Control Panel and skip the rest of this section. If an IP address and subnet mask are shown, write down the information. If an IP address appears under Router address, write down the address. This is the ISP’s gateway address.
  • Page 205: Restarting the Network

    Restarting the Network Once you’ve set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the FVS338 VPN firewall.
  • Page 207: Virtual Private Networking

    There have been many improvements in the Internet, including Quality of Service, network performance, and inexpensive technologies such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) using Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available standards-based protocols developed for transporting data.
  • Page 208: What Is IPSec and How Does It Work

    • Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.
  • Page 209: Encapsulating Security Payload (ESP)

    • Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity. • Authentication Header (AH): Provides authentication and integrity. • Internet Key Exchange (IKE): Provides key management and Security Association (SA) management. Encapsulating Security Payload (ESP) ESP provides authentication, integrity, and confidentiality, which protect against data tampering and, most importantly, provide message content protection.
  • Page 210: Authentication Header (AH)

    The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
  • Page 211: Mode

    Mode SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection.
  • Page 212: Key Management

    This TechNote provides case studies on how to configure secure IPSec VPN tunnels. This document assumes the reader has a working knowledge of NETGEAR management systems. NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability. The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard.
  • Page 213: VPN Process Overview

    VPN Process Overview Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
  • Page 214: Firewalls

    It is also important to make sure the addresses do not overlap or conflict. That is, each set of addresses should be separate and distinct. Table 10-1. WAN (Internet/Public) and LAN (Internal/Private) Addressing Gateway LAN or WAN Gateway A...
  • Page 215 VPN Gateway A Figure 10-8: VPN Tunnel SA The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
  • Page 216: VPNC IKE Security Parameters

    IKE Phase I. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates. A shared master key is generated by the Diffie-Hellman public key algorithm within the IKE framework for the two parties.
  • Page 217

    LAN-side of the other gateway. You can troubleshoot connections using the VPN status and log details on the NETGEAR gateway to determine if IKE negotiation is working. Common problems encountered in setting up VPNs include: •...
  • Page 218 • [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981. • [RFC 1058] Routing Information Protocol, C Hedrick, Rutgers University, June 1988. • [RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen, Telecom Finland, July 1993.
  • Page 219: Glossary: List of Glossary Terms

    Glossary List of Glossary Terms Use the list below to find definitions for technical terms used in this manual. Numeric 10BASE-T IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring. 100BASE-Tx IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring. 802.1x 802.1x defines port-based, network access control used to provide authenticated network access and automated data encryption key management.
  • Page 220 Access Control List (ACL) An ACL is a database that an Operating System uses to track each user’s access rights to system objects (such as file directories and/or files). Ad-hoc Mode An 802.11 networking framework in which devices or stations communicate directly with each other, without the use of an access point (AP).
  • Page 221 DHCP An Ethernet protocol specifying how a centralized DHCP server can assign network configuration information to multiple DHCP clients. The assigned information includes IP addresses, DNS addresses, and gateway (router) addresses.
  • Page 222 .com, .edu, .uk, etc. For example, in the address mail.NETGEAR.com, mail is a server name and NETGEAR.com is the domain. Short for digital subscriber line, but is commonly used in reference to the asymmetric version of this technology (ADSL) that allows data to be sent over existing copper telephone lines at data rates from 1.5...
  • Page 223 A LAN specification developed jointly by Xerox, Intel and Digital Equipment Corporation. Ethernet networks transmit packets at a rate of 10 Mbps. Gateway A local device, usually a router, that connects hosts on a local network to other networks. ICMP See “Internet Control Message Protocol”...
  • Page 224 BSSs that form a single subnetwork. Most corporate wireless LANs operate in infrastructure mode because they require access to the wired LAN in order to use services such as file servers or printers. Internet Control Message Protocol ICMP is an extension to the Internet Protocol (IP) that supports packets containing error, control, and informational messages.
  • Page 225 See “Local Area Network” Local Area Network A communications network serving users within a limited area, such as one floor of a building. A LAN typically connects multiple personal computers and shared network devices such as storage and printers. Although many technologies exist to implement a LAN, Ethernet is the most common for connecting personal computers and is limited to a distance of 1,500 feet.
  • Page 226 router, or access point, the perspective is reversed, and the hub receives on pins 1 and 2. This wiring is referred to as Media Dependent Interface - Crossover (MDI-X). The size in bytes of the largest packet that can be sent or received.
  • Page 227 Request For Comment. Refers to documents published by the Internet Engineering Task Force (IETF) proposing standard protocols and procedures for the Internet. RFCs can be found at www.ietf.org. router A device that forwards data between networks. An IP router forwards data based on IP source and destination addresses. SSID A Service Set Identification is a thirty-two character (maximum) alphanumeric key identifying a wireless local area network.
  • Page 228

    Subnet Mask Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router. TCP/IP The main internetworking protocols used in the Internet. The Internet Protocol (IP) used in conjunction with the Transfer Control Protocol (TCP) form TCP/IP.
  • Page 229 Wired Equivalent Privacy is a data encryption protocol for 802.11b wireless networks. All wireless nodes and access points on the network are configured with a 64-bit or 128-bit Shared Key for data encryption. Wide Area Network A WAN is a computer network that spans a relatively large geographical area.