Page 1
Reference Manual for the ADSL Firewall Router DG834
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
Phone 1-888-NETGEAR
202-10005-05
June 2005
202-10005-05, June 2005
Page 2
© 2005 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR is a trademark of Netgear, Inc.
Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation.
Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to
part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a
residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and
used in accordance with the instruct ions, may cause harmf ul interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to
radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try
to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Federal Communications Commission (FCC) Radiation Exposure Statement
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. In order to avoid
the possibility of exceeding the FCC radio frequency exposure limits, human proximity to the antenna shall not be less
than 20 cm (8 inches) during normal operation.
EN 55 022 Declaration of Conformance
This is to certify that the DG834 ADSL Firewall Router is shielded against the generation of radio interference in
accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application
of EN 55 022 Class B (CISPR 22).
Bestätigung des Herstellers/Importeurs
ii
202-10005-05, June 2005
Page 3
Es wird hiermit bestätigt, daß das DG834 ADSL Firewall Router gemäß der im BMPT-AmtsblVfg 243/1991 und Vfg
46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kan n
jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt
gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the DG834 ADSL Firewall Router has been suppressed in accordance with the conditions set
out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test
transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes
in the operating instructions.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area
thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing
Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver , it may become the cause of radio interference.
Read instructions for correct handling.
Customer Support
Refer to the Support Information Card that shipped with your DG834 ADSL Firewall Router.
World Wide Web
NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL)
http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer
or Netscape are required.
Product and Publication Details
Model Number: DG834
Publication Date: June 2005
Product Family: router
Product Name: DG834 ADSL Firewall Router
Home or Business Product: Business
Language: English
Publication Part Number: 202-10005-05
202-10005-05, June 2005
iii
Page 4
iv
202-10005-05, June 2005
Page 5
Contents
Chapter 1
About This Manual
Audience, Scope, Conventions, and Formats ................................................................1-1
How to Use This Manual ................................................................................................1-2
How to Print this Manual .................................................................................................1-3
Chapter 2
Introduction
About the Router ............................................................................................................2-1
Key Features ..................................................................................................................2-1
A Powerful, True Firewall .........................................................................................2-2
Easy Installation and Management ..........................................................................2-2
Protocol Support ......................................................................................................2-3
Virtual Private Networking (VPN) .............................................................................2-4
Content Filtering .......................................................................................................2-4
Auto Sensing and Auto Uplink™ LAN Ethernet Connections ..................................2-5
What’s in the Box? ..........................................................................................................2-5
The Router’s Front Panel .........................................................................................2-5
The Router’s Rear Panel .........................................................................................2-6
Chapter 3
Connecting the Router to the Internet
What You Need Before You Begin ..................................................................................3-1
ADSL Microfilter Requirements ................................................................................3-1
ADSL Microfilter .................................................................................................3-1
ADSL Microfilter with Built-In Splitter .................................................................3-2
Ethernet Cabling Requirements ............................................................................... 3-2
Computer Hardware Requirements .........................................................................3-2
LAN Configuration Requirements ............................................................................3-2
Internet Configuration Requirements ....................................................................... 3-3
Where Do I Get the Internet Configuration Parameters? ............................. ............3-3
Contents v
202-10005-05, June 2005
Page 6
Record Your Internet Connection Information ..........................................................3-3
Connecting the DG834 to Your LAN ......... .... ... ... ... ... .... ... ... ... .... .....................................3-4
How to Connect the Router ......................................................................................3-5
Auto-Detecting Your Internet Connection Type ..............................................................3-9
Wizard-Detected PPPoE Login Account Setup ............ ....... ...... ....... ...... ...... ....... ...3-10
Wizard-Detected PPPoA Login Account Setup ............ ....... ...... ....... ...... ...... ....... ...3-11
Wizard-Detected Dynamic IP Account Setup .........................................................3-11
Wizard-Detected IP Over ATM Account Setup ......................................................3-12
Wizard-Detected Fixed IP (Static) Account Setup ........................................ ..........3-13
Testing Your Internet Connection ..................................................................................3-14
Manually Configuring Your Internet Connec tion ........................ ... ... ... .... ... ... ................3-14
How to Perform Manual Configuration ...................................................................3-15
Internet Connection Requires Login and Uses PPPoE ...................................3-16
Internet Connection Requires Login and Uses PPPoA ...................................3-17
Internet Connection Does Note Require A Login ............................................3-18
ADSL Settings ........................................................................................................3-19
Chapter 4
Protecting Your Network
Protecting Access to Your DG834 ADSL Firewall Router ............. ... ... .... ... .....................4-1
How to Change the Built-In Password .....................................................................4-1
Changing the Administrator Login Timeout ..............................................................4-2
Configuring Basic Firewall Services ...............................................................................4-2
Blocking Keywords, Sites, and Services ......... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ..4-3
How to Block Keywords and Sites ...........................................................................4-3
Firewall Rules .................................................................................................................4-5
Inbound Rules (Port Forwarding) .............................. ............................................... 4-6
Inbound Rule Example: A Local Public Web Server ..........................................4-6
Inbound Rule Example: Allowing Videoconferencing ........................................ 4-8
Considerations for Inbound Rules .....................................................................4-8
Outbound Rules (Service Blocking) .........................................................................4-9
Outbound Rule Example: Blocking Instant Messenger .....................................4-9
Order of Precedence for Rules ..............................................................................4-11
Services ................................. ................................................ .......................................4-12
How to Define Services ..........................................................................................4-12
Setting Times and Scheduling Firewall Services ................................................ .......... 4-13
vi Contents
202-10005-05, June 2005
Page 7
How to Set Your Time Zone ...................................................................................4-13
How to Schedule Firewall Services ........................................................................4-14
Chapter 5
Managing Your Network
Backing Up, Restoring, or Erasing Your Settings ...........................................................5-1
How to Back Up the Configuration to a File ............................................................. 5-1
How to Restore the Configuration from a File .............................. ............................5-2
How to Erase the Configuration ...............................................................................5-2
Upgrading the Router’s Firmware .................... ......... .......... .......... .......... ......... .......... .....5-2
How to Upgrade the Router Firmware .....................................................................5-3
Network Management Information .................................................................................5-4
Viewing Router Status and Usage Statistics ....................... ... ... ... .... ... ... ... ... .... ... ... ..5-4
Viewing Attached Devices ........................................................................................5-9
Viewing, Selecting, and Saving Logged Information ................................................5-9
Selecting What Information to Log ..................................................................5-11
Saving Log Files on a Server ..........................................................................5-12
Examples of Log Messages ...................................................................................5-12
Activation and Administration ..........................................................................5-12
Dropped Packets .............................................................................................5-12
Enabling Security Event E-mail Notification .................................................................5-13
Running Diagnostic Utilities and Rebooting the Router ................................................5-14
Enabling Remote Management ....................................................................................5-15
Configuring Remote Management .........................................................................5-15
Chapter 6
Advanced Configuration
Configuring Advanced Security ......................................................................................6-1
Setting Up A Default DMZ Server ............................................................................6-1
How to Configure a Default DMZ Server ...........................................................6-2
Connect Automatically, as Required ........................................................................6-3
Disable Port Scan and DOS Protection ...................................................................6-3
Respond to Ping on Internet WAN Port ...................................................................6-3
MTU Size .................................................................................................................6-3
Configuring LAN IP Settings ...........................................................................................6-3
DHCP ................................. .............................................................. ........................6-5
Use Router as DHCP server ................................................. .... ... ... ... ... .... ... ... ..6-5
Contents vii
202-10005-05, June 2005
Page 8
Reserved IP addresses .....................................................................................6-6
How to Configure LAN TCP/IP Settings ...................................................................6-7
Configuring Dynamic DNS .......................................................................................6-7
How to Configure Dynamic DNS ..............................................................................6-8
Using Static Routes ........................................................................................................6-9
Static Route Example ...............................................................................................6-9
How to Configure Static Routes .............................................................................6-10
Universal Plug and Play (UPnP) ...................................................................................6-12
Chapter 7
Virtual Private Networking (Advanced Feature)
Overview of VPN Configuration ......................................................................................7-2
Client-to-Gateway VPN Tunnels ..............................................................................7-2
Gateway-to-Gateway VPN Tunnels .........................................................................7-2
Planning a VPN ..............................................................................................................7-3
VPN Tunnel Configuration .................................. ... .......................................... ... .... ... ... ..7-6
How to Set Up a Client-to-Gateway VPN Configuration .................................................7-6
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the DG834 ...................7-7
Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC .........7-12
How to Set Up a Gateway-to-Gateway VPN Configuration ....... ................................... 7-20
VPN Tunnel Control ..................... .... ... ... ... .... ... ... ... ... .... .......................................... ......7-27
Activating a VPN Tunnel ........................................................................................7-27
Using the VPN Status Page to Activate a VPN Tunnel ....................................7-27
Activate the VPN Tunnel by Pinging the Remote Endpoint .............................7-28
Start Using a VPN Tunnel to Active It ..............................................................7-30
Verifying the Status of a VPN Tunnel .....................................................................7-30
Deactivating a VPN Tunnel ....... ... ... ... .... ................................................................7-32
Using the Policy Table on the VPN Policies Page to Deactivate a VPN Tunnel 7-32
Using the VPN Status Page to Deactivate a VPN Tunnel ......... ... ... ... ... .... ... ...7-33
Deleting a VPN Tunnel ...........................................................................................7-35
How to Set Up VPN Tunnels in Special Circumstances ...............................................7-35
Using Auto Policy to Configure VPN Tunnels ........................................................7-36
Configuring VPN Network Connection Parameters ......... ... ... .... ... ... ... ... .... ... ...7-36
Example of Using Auto Policy .........................................................................7-41
Using Manual Policy to Configure VPN Tunnels ....................................................7-48
viii Contents
202-10005-05, June 2005
Page 9
Chapter 8
Troubleshooting
Basic Functioning ...........................................................................................................8-1
Power LED Not On ...................................................................................................8-2
Test LED Never Turns On or Test LED Stays On .....................................................8-2
LAN or WAN Port LEDs Not On ...............................................................................8-2
Troubleshooting the Web Configuration Interface ..........................................................8-3
Troubleshooting the ISP Connection ..............................................................................8-4
ADSL link .................................................................................................................8-4
WAN LED Blinking Yellow ..................................................................................8-4
WAN LED Off ......................................... ... ... ....................................... ... .... ... ... ..8-4
Obtaining a WAN IP Address .... ... ... .......................................... ... .... ... ... ..................8-5
Troubleshooting PPPoE or PPPoA .......................................................................... 8-6
Troubleshooting Internet Browsing ..........................................................................8-6
Troubleshooting a TCP/IP Network Using the Ping Utility ..............................................8-7
Testing the LAN Path to Your Router .......................................................................8-7
Testing the Path from Your Computer to a Remote Device .....................................8-8
Restoring the Default Configuration and Password ............... .........................................8-9
Using the Reset button .............................................................................................8-9
Problems with Date and Time .........................................................................................8-9
Appendix A
Technical Specifications
Appendix B
Network and Routing Basics
Related Publications ...................................................................................................... B-1
Basic Router Concepts .................................................................................................. B-1
What is a Router? ................................................................................................... B-1
Routing Information Protocol ................................................................................... B-2
IP Addresses and the Internet ......................................... .... ... ... ... .... ... ... ... ... .... ... ... . B-2
Netmask .................................... ................................................................ ..............B-4
Subnet Addressing .................................................................................................. B-4
Private IP Addresses ................................. ... ... ... .......................................... ........... B-7
Single IP Address Operation Using NAT ................................................................. B-7
MAC Addresses and Address Resolution Protocol ................................................. B-8
Related Documents ................................................................................................. B-9
Contents ix
202-10005-05, June 2005
Page 10
Domain Name Server .............................................................................................. B-9
IP Configuration by DHCP .............................. ... .... .......................................... ... ... . B-9
Internet Security and Firewalls .................................................................................... B-10
What is a Firewall? ................................................................................................ B-10
Stateful Packet Inspection ............................... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ..... B-10
Denial of Service Attack .........................................................................................B-11
Ethernet Cabling ................................. ... ... .... ... .......................................... ... ... ... .... ... ...B-11
Category 5 Cable Quality .......................................................................................B-11
Inside Twisted Pair Cables .................................................................................... B-12
Uplink Switches, Crossover Cables, and MDI/MDIX Switching ............................ B-13
Appendix C
Preparing Your Network
Preparing Your Computers for TCP/IP Networking ......................................... ... .... ... ... . C-1
Configuring Windows 95, 98, and Me for TCP/IP Networking ....................................... C-2
Installing or Verifying Windows Networking Components ....................................... C-2
Enabling DHCP to Automatically Configure TCP/IP Settings in Windows 95B, 98, and Me
C-4
Selecting the Windows’ Internet Access Method .................................................... C-6
Verifying TCP/IP Properties .................................................................................... C-6
Configuring Windows NT4, 2000 or XP for IP Networking ............................................C-7
Installing or Verifying Windows Networking Components ....................................... C-7
DHCP Configuration of TCP/IP in Windows XP, 2000, or NT4 ..................... ... ... .... ... ... . C-8
DHCP Configuration of TCP/IP in Windows XP ..................................................... C-8
DHCP Configuration of TCP/IP in Windows 2000 ................................................ C-10
DHCP Configuration of TCP/IP in Windows NT4 .................................................. C-13
Verifying TCP/IP Properties for Windows XP, 2000, and NT4 ......................... ... .. C-15
Configuring the Macintosh for TCP/IP Networking ...................................................... C-16
MacOS 8.6 or 9.x ...................... ... ... ... .... ... ... ... .......................................... ............C-16
MacOS X ...... ... .......................................... .......................................... ..................C-16
Verifying TCP/IP Properties for Macintosh Computers ... .... ... ... ... .... ... ... ... ... .... .....C-17
Verifying the Readiness of Your Internet Account ....................................................... C-18
Are Login Protocols Used? ................................................................................... C-18
What Is Your Configuration Information? ..............................................................C-18
Obtaining ISP Configuration Information for Windows Computers .......................C-19
Obtaining ISP Configuration Information for Macintosh Computers .....................C-20
Restarting the Network ................................................................................................ C-21
x Contents
202-10005-05, June 2005
Page 11
Appendix D
Virtual Private Networking
What is a VPN? ............................................................................................................. D-1
What Is IPSec and How Does It Work? ......................................................................... D-2
IPSec Security Features .............................. ... ... .... ... ... ... .... .................................... D-2
IPSec Components ...................... ... ... .... ... .......................................... ....................D-2
Encapsulating Security Payload (ESP) ...................................................................D-3
Authentication Header (AH) ............................... .... ... ... .......................................... . D-4
IKE Security Association ........... .......................................... ... ... ... ........................... D-4
Mode ...................................... ...................... .................... ...................... ........... D-5
Key Management ....................................................................................................D-6
Understand the Process Before You Begin ...................................................................D-6
VPN Process Overview ......... ... ... .......................................... ........................................ D-7
Network Interfaces and Addresses ......................................................................... D-7
Interface Addressing ......................................................................................... D-7
Firewalls ........................................................................................................... D-8
Setting Up a VPN Tunnel Between Gateways ........................................................ D-8
VPNC IKE Security Parameters ......... ... ... .... ............................................................... D-10
VPNC IKE Phase I Parameters .............................................................................D-10
VPNC IKE Phase II Parameters ............................................................................ D-11
Testing and Troubleshooting ........................................................................................ D-11
Additional Reading ...................... .... ... .......................................... ... ... .... ..................... D-11
Appendix E
NETGEAR VPN Configuration
DG834 to FVL328 .......................................................................................................... E-1
Configuration Profile .................................. ... ... ... .... ... .......................................... .... E-1
Step-By-Step Conf iguration .................... ... ... ... ... .... ... ... ... .... .................................... E-2
DG834 with FQDN to FVL328 ....................................................................................... E-6
Configuration Profile .................................. ... ... ... .... ... .......................................... .... E-6
The Use of a Fully Qualified Domain Name (FQDN) ........................................ E-7
Step-By-Step Conf iguration ................ .... ... ... .......................................... ... ... .... ....... E-8
Configuration Summary (Telecommuter Example) ...................................................... E-13
Setting Up the Client-to-Gateway VPN Configuration (Telecommuter Example) ........ E-14
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the VPN Router at the
Employer’s Main Office ......................................................................................... E-15
Contents xi
202-10005-05, June 2005
Page 12
Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the
Telecommuter’s Home Office .......... ... .... ... ... ... ... .... ... ... ... .... ... ............................... E-17
Monitoring the VPN Tunnel (Telecommuter Example) ........................ .......... .......... ..... E-26
Viewing the PC Client’s Connection Monitor and Log Viewer ............................... E-26
Viewing the VPN Router’s VPN Status and Log Information ................................ E-28
Glossary
xii Contents
202-10005-05, June 2005
Page 13
Chapter 1
About This Manual
This chapter describes the intended audience, scope, conventions, and formats of this manual.
Audience, Scope, Conventions, and Formats
This reference manual assumes that the reader has basic to intermediate computer and Internet
skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial
information is provided in the Appendices and on the Netgear website.
This guide uses the following typographical conventions:
Table 1-1. Typographical Conventions
italics Emphasis, books, CDs, URL names
bold User input
fixed Screen text, file and server names, extensions, commands, IP addresses
This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
This manual is written for the DG834 ADSL router according to these specifications:
Table 1-2. Manual Scope
Product Version DG834 ADSL Firewall Router
Manual Publication Date June 2005
Note: Product updates are available on the NETGEAR, Inc. Web site at
http://kbserver.netgear.com/products/DG834.asp.
About This Manual 1-1
202-10005-05, June 2005
Page 14
Reference Manual for the ADSL Firewall Router DG834
How to Use This Manual
The HTML version of this manual includes the following:
• Buttons, and , for browsing forwards or backwards through the manual one page
at a time
• A button that displays the table of contents and an button. Double-click on a
link in the table of contents or index to navigate directly to where the topic is described in the
manual.
• A button to access the full NETGEAR, Inc. online knowledge base for the
product model.
• Links to PDF versions of the full manual and individual chapters.
1-2 About This Manual
202-10005-05, June 2005
Page 15
Reference Manual for the ADSL Firewall Router DG834
How to Print this Manual
To print this manual you can choose one of the following several options, according to your needs.
• Printing a Page in the HTML View.
Each page in the HTML version of the manual is dedicated to a major topic. Use the Print
button on the browser toolbar to print the page contents.
• Printing a Chapter.
Use the PDF of This Chapter link at the top left of any page.
– Click the PDF of This Chapter link at the top right of any page in the chapter you want to
print. The PDF version of the chapter you were viewing opens in a browser window.
Note: Your computer must have the free Adobe Acrobat reader installed in order to view
and print PDF files. The Acrobat reader is available on the Adobe Web site at
http://www.adobe.com.
– Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.
• Printing the Full Manual.
Use the Complete PDF Manua l link at the top left of any page.
– Click the Complete PDF Manual link at the top left of any page in the manual. The PDF
version of the complete manual opens in a browser window.
– Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.
About This Manual 1-3
202-10005-05, June 2005
Page 16
Reference Manual for the ADSL Firewall Router DG834
1-4 About This Manual
202-10005-05, June 2005
Page 17
Chapter 2
Introduction
This chapter describes the features of the NETGEAR DG834 ADSL Firewall Router. The DG834
ADSL router is a combination of a built-in ADSL modem, router, 4-port switch, and firewall
which enables your entire network to safely share an Internet connection that otherwise is used by
a single computer.
Note: If you are unfamiliar with networking and routing, refer to Appendix B, “Network
and Routing Basics” to become more familiar with the terms and procedures used in this
manual.
About the Router
The DG834 ADSL Firewall Router provides continuous, high-speed 10/100 Ethernet access
between your Ethernet devices. The DG834 ADSL router enables your entire network to share an
Internet connection through the built-in ADSL modem that otherwise is used by a single computer.
With minimum setup, you can install and use the router within minutes.
The DG834 ADSL router provides multiple Web content filtering options, plus e-mail browsing
activity, reporting, and instant alerts. Parents and network administrators can establish restricted
access policies based on time of day, Web site addresses, and address keywords. They can also
share high-speed ADSL Internet access for up to 253 personal computers. The included firewall
and Network Address Translation (NAT) features protect you from hackers.
Key Features
The DG834 ADSL router provides the following features :
• A built-in ADSL modem
• A powerful, true firewall
• Easy, Web-based setup for installation and management
Introduction 2-1
202-10005-05, June 2005
Page 18
Reference Manual for the ADSL Firewall Router DG834
• Extensive Internet protocol support
• Trustworthy VPN Communications over the Internet
• VPN Wizard for easy VPN configuration
• Content filtering
• Auto Sensing and Auto Uplink™ LAN Ethernet connections
These features are discussed below.
A Powerful, True Firewall
Unlike simple Internet sharing NAT routers, the DG834 is a true firewall, using stateful packet
inspection to defend against hacker attacks. Its firewall features include:
• Denial of Service (DoS) protection
Automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death,
SYN Flood, LAND Attack and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations or services that you specify as off-limits.
• Logs security incidents
The DG834 will log security events such as blocked incoming traffic, port scans, attacks, and
administrator logins. Y ou can configure the router to email the log to you at specified intervals.
You can also configure the router to send immediate alert messages to your email address or
email pager whenever a significant event occurs.
Easy Installation and Management
You can install, configure, and operate the DG834 within minutes after connecting it to the
network. The following features simplify installation and management tasks:
• Browser-based management
Browser-based configuration allows you to easily configure your router from almost any type
of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is
provided and online help documentation is built into the browser-based Web Management
Interface.
• Smart Wizard
The router automatically senses the type of Internet connection, asking you only for the
information required for your type of ISP account.
2-2 Introduction
202-10005-05, June 2005
Page 19
Reference Manual for the ADSL Firewall Router DG834
• Remote management
The router allows you to log in to the Web management interface from a remote location via
the Internet. For security, you can limit remote management access to a specified remote IP
address or range of addresses, and you can choose a nonstandard port number.
• Diagnostic functions
The router incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote
reboot. These functions allow you to test Internet connectivity and reboot the router. You can
use these diagnostic functions directly from the DG834 when you are connected on the LAN
or when you are connected over the Internet via the remote management function.
• Visual monitoring
The router’s front panel LEDs provide an easy way to monitor its status and activity.
• Flash erasable programmable read-only memory (EPROM) for firmware upgrades.
Protocol Support
The DG834 supports Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing
Information Protocol (RIP). Appendix B, “Network and Routing Basics” provides further
information on TCP/IP.
• The Ability to Enable or Disable IP Address Sharing by NAT
The DG834 allows several networked PCs to share an Internet account using only a single IP
address, which may be statically or dynamically assigned by your Internet service provider
(ISP). This technique, known as Network Address Translation (NAT), allows the use of an
inexpensive single-user ISP account. This feature can also be turned off comp let ely while
using the DG834 if you want to manage the IP address scheme yourself.
• Automatic Configuration of Attached PCs by DHCP
The DG834 dynamically assigns network configuration information, including IP, router, and
domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host
Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your
local network.
• DNS Proxy
When DHCP is enabled and no DNS addresses are specified, the router provides its own
address as a DNS server to the attached PCs. The router obtains actual DNS addresses from
the ISP during connection setup and forwards DNS requests from the LAN.
• Classical IP (RFC 1577)
Some Internet service providers, in Europe for example, use Classical IP in their ADSL
services. In such cases, the router is able to use the Classical IP address from the ISP.
Introduction 2-3
202-10005-05, June 2005
Page 20
Reference Manual for the ADSL Firewall Router DG834
• PPP over Ethernet (PPPoE)
PPP over Ethernet is a protocol for connecting remote hosts to the Internet over an ADSL
connection by simulating a dial-up connection. This feature eliminates the need to run a login
program such as EnterNet or WinPOET on your computer.
• PPP over ATM (PPPoA)
PPP over ATM is a protocol for connecting remote hosts to the Internet over an ADSL
connection by simulating an ATM connection.
• Dynamic DNS
Dynamic DNS services allow remote users to find your network using a domain name when
your IP address is not permanently assigned. The router contains a client that can connect to
many popular Dynamic DNS services to register your dynamic IP address.
• Universal Plug and Play (UPnP)
UPnP is a networking architecture that provides compatibility between networking
technologies. UPnP compliant routers provide broadband users at home and small businesses
with a seamless way to participate in online games, videoconferencing and other peer-to-peer
services.
Virtual Private Networking (VPN)
The DG834 ADSL router provides a secure encrypted connection between your local area network
(LAN) and remote networks or clients. It includes the following VPN features:
• Supports 8 VPN connections.
• Supports industry standard VPN protocols
The DG834 ADSL router supports standard Manual or IKE keying methods, standard MD5
and SHA-1 authentication methods, and standard DES and 3DES encryption methods. It is
compatible with many other VPN products.
• Supports 3DES encryption for maximum security.
• VPN Wizard based on VPNC recommended settings.
Content Filtering
With its content filtering feature, the DG834 prevents objectionable content from reaching your
PCs. The router allows you to control access to Internet content by screening for keywords within
Web addresses. You can configure the router to log and report attempts to access objectionable
Internet sites.
2-4 Introduction
202-10005-05, June 2005
Page 21
Reference Manual for the ADSL Firewall Router DG834
Auto Sensing and Auto Uplink™ LAN Ethernet Connections
With its internal 4-port 10/100 switch, the DG834 can connect to either a 10 Mbps standard
Ethernet network or a 100 Mbps Fast Ethernet network. The local LAN ports are autosensing and
capable of full-duplex or half-duplex operation.
TM
The router incorporates Auto Uplink
sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as
to a computer or an ‘uplink’ connection such as to a switch or hub. That port will then configure
itself to the correct configuration. This feature also eliminates the need to worry about crossover
cables, as Auto Uplink will accommodate either type of cable to make the right connection.
technology. Each local Ethernet port will automatically
What’s in the Box?
The product package should contain the following items:
• DG834 ADSL Firewall Router
• AC power adapter (varies by region)
• Category 5 (Cat 5) Ethernet cable
• Telephone cable
• Microfilters (quantity and type vary by region)
• ADSL Firewall Router Resource CD, including:
—This guide
— Application Notes
• A Printed Quick Installation Guide
• Warranty and Support Information Cards
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the
carton, including the original packing materials, in case you need to return the product for repair.
The Router’ s Front Panel
The DG834 ADSL Firewall Router front panel shown below contains status LEDs.
Introduction 2-5
202-10005-05, June 2005
Page 22
Reference Manual for the ADSL Firewall Router DG834
Power Test Internet LAN
Figure 2-1: DG834 Front Panel
You can use the LEDs to verify various conditions. Table 2-1 lists and describes each LED on the
front panel of the router. These LEDs are green when lit.
Table 2-1. LED Descriptions
Label Activity Description
Power On
Off
Test On
Off
Internet Blink — Amber
On — Green
Blink — Green
LAN On (Green)
Blink (Green)
On (Amber)
Blink (Amber)
Off
Power is supplied to the router.
Power is not supplied to the router.
The system is initializing.
The system is ready and running.
Indicates ADSL training.
The Internet port has detected a link with an attached device.
Data is being transmitted or received by the Internet port.
The Local port has detected a link with a 100 Mbps device.
Data is being transmitted or received at 100 Mbps.
The Local port has detected a link with a 10 Mbps device.
Data is being transmitted or received at 10 Mbps.
No link is detected on this port.
The Router’s Rear Panel
The rear panel of the DG834 ADSL Firewall Router (Figure 2-2) contains port connections.
2-6 Introduction
202-10005-05, June 2005
Page 23
Reference Manual for the ADSL Firewall Router DG834
LAN
Power
Figure 2-2: DG834 Rear Panel
ADSL
Internet
Reset
Viewed from left to right, the rear panel contains the following elements:
• AC power adapter outlet
• Four Local Ethernet RJ-45 ports for connecting the router to the local computers
• Factory Default Reset push button
• ADSL port for connecting the router to an ADSL line
Introduction 2-7
202-10005-05, June 2005
Page 24
Reference Manual for the ADSL Firewall Router DG834
2-8 Introduction
202-10005-05, June 2005
Page 25
Chapter 3
Connecting the Router to the Internet
This chapter describes how to set up the router on your Local Area Network (LAN) and connect to
the Internet. It describes how to configure your DG834 ADSL Firewall Router for Internet access
using the Setup Wizard, or how to manually configure your Internet connection.
What You Need Before You Begin
You need to prepare the following before you can establish an Internet connection through your
router:
1. The router connected to an ADSL line and a computer properly connected to the router as
explained below.
2. Active Internet service such as that provided by an ADSL account.
3. The Internet Service Provider (ISP) configuration information for your DSL account.
Note: If you purchased the DG834 in a country where a microfilter is not included, you must
acquire one.
ADSL Microfilter Requirements
ADSL technology uses the same wires as your telephone service. However, ADSL adds signals to
the telephone lines which create noise in the telephone service. You must use ADSL microfilters to
filter out these signals before they reach your telephone.
ADSL Microfilter
Phone
Figure 3-1: ADSL microfilter
Connecting the Router to the Internet 3-1
202-10005-05, June 2005
Page 26
Reference Manual for the ADSL Firewall Router DG834
Each device such as a telephone, fax machine, answering machine, or caller ID display will require
an ADSL microfilter.
Note: Do not connect the DG834 to the ADSL line through a microfilter unless the microfilter is a
combination microfilter/splitter specifically designed for this purpose. Doing so will prevent the
built-in ADSL modem in the DG834 from establishing a connection to the Internet. If you have
any doubts about this, connect the DG834 directly to the ADSL line.
ADSL Microfilter with Built-In Splitter
DSL
Phone
Figure 3-2: ADSL microfilter with built-in splitter
Line
Use an ADSL microfilter with built-in splitter when there is a single wall outlet which must
provide connectivity for both the DG834 and telephone equipment.
Ethernet Cabling Requirements
The DG834 ADSL router connects to your Ethernet LAN via twisted-pair cables. If the computer
will connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the
one provided with your router.
Computer Hardware Requirements
To use the DG834 ADSL router on your network, each computer must have an installed Ethernet
adapter and an Ethernet cable, or a 802.11g wireless adapter.
LAN Configuration Requirements
For the initial connection to the Internet and configuration of your router, you need to connect a
computer to the router which is set to automatically get its TCP/IP configuration from the router
via DHCP.
Note: Please refer to Appendix C, “Preparing Your Network” for assistance with DHCP
configuration.
3-2 Connecting the Router to the Internet
202-10005-05, June 2005
Page 27
Reference Manual for the ADSL Firewall Router DG834
Internet Configuration Requirements
Depending on how your ISP set up your Internet account, you need one or more of these
configuration parameters to connect your router to the Internet:
• Virtual Path Identifier (VPI)/Virtual Channel Indentifier (VCI) parameters
• Multiplexing Method
• Host and Domain Names
• ISP Login Name and Password
• ISP Domain Name Server (DNS) Addresses
• Fixed or Static IP Address
Where Do I Get the Internet Configuration Parameters?
There are several ways you can gather the required Internet connection information.
• Your ISP should have provided you with all the information needed to connect to the Internet.
If you cannot locate this information, you can ask your ISP to provide it or you can try one of
the options below.
• If you have a computer already connected using the active Internet access account, you can
gather the configuration information from that computer.
• For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the
Ethernet adapter, and click Properties.
• For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry
for the Ethernet adapter, and click Properties.
• For Macintosh computers, open the TCP/IP or Network control panel.
• You can also refer to the DG834 Resource CD for the NETGEAR Router ISP Guide which
provides Internet connection information for many ISPs.
Once you locate your Internet configuration parameters, you may want to record them on the next
page.
Record Your Internet Connection Information
Print the following page. Fill in the configuration parameters from your Internet Service Provider
(ISP).
Connecting the Router to the Internet 3-3
202-10005-05, June 2005
Page 28
Reference Manual for the ADSL Firewall Router DG834
ISP Multiplexing Method and Virtual Circuit Number: The default settings of your DG834
ADSL Firewall Router will work fine for most ISPs. However, some ISPs use a specific
Multiplexing Method or a Virtual Circuit Number for either the Virtual Path Identifier (VPI) or
V irtual Channel Identifier (VCI). If your ISP provided you with a specific Multiplexing Method or
VPI/VCI number, then fill in the following:
Multiplexing Method, circle one: LLC-based or VC-based
VPI: ________
VCI: ___________
ISP Login Name: The login name and password are case sensitive and must be entered exactly as
given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is
not required by all ISPs. If you use a login name and password, then fill in the following:
A number between 0 and 255.
A number between 1 and 65535.
Login Name: ______________________________
Service Name: _____________________________
Fixed or Static IP Address: If you have a static IP address, record the following information. For
example, 169.254.141.148 could be a valid IP address.
Fixed or Static Internet IP Address: ______
Router IP Address: ______.______.______.______
Subnet Mask: ______.______.______.______
ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following:
Primary DNS Server IP Address: ______
Secondary DNS Server IP Address: ______.______.______.______
Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or
home. If you did not get host or domain names, use the following examples as a guide:
• If your main e-mail account with your ISP is aaa@yyy.com, then use aaa as your host name.
Your ISP might call this your account, user, host, computer, or system name.
• If your ISP’s mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name.
ISP Host Name: _________________________
.______.______.______
.______.______.______
Password: __________________________ __
ISP Domain Name: _______________________
Connecting the DG834 to Your LAN
This section provides instructions for connecting the DG834 ADSL router.
3-4 Connecting the Router to the Internet
202-10005-05, June 2005
Page 29
Reference Manual for the ADSL Firewall Router DG834
Note: The Resource CD included with your router contains an animated Installation Assistant to
help you through this procedure.
How to Connect the Router
There are four steps to connecting your firewall:
1. Install ADSL filters on the phone lines.
2. Connect the router to the ADSL filter.
3. Log in to the router.
4. Connect to the Internet.
Follow the steps below to connect your router to your network. Before you begin, locate the ADSL
configuration information from your Internet Service Provider (ISP).
1. INSTALL ADSL FILTERS ON THE PHONE LINES.
a. You need to install a filter on every telephone or device that shares the same phone
number as your ADSL router. Select the filter that came with your router.
One-Line Filter
Two-Line Filter
With Splitter
Phone
DSL
Phone
Line
Splitter
Figure 3-3: ADSL microfilters
Note: If you purchased the DG834 in a country where the filter is not included, you must
acquire one.
b. Two-Line Filter Example. Insert the two-line filter into the phone outlet and connect the
phone to the phone line connector (A):
Connecting the Router to the Internet 3-5
202-10005-05, June 2005
Page 30
Reference Manual for the ADSL Firewall Router DG834
.
Line
Phone
DSL
A
Figure 3-4: Connecting an ADSL microfilter and phone
Note: To use a one-line filter with a separate splitter, insert the splitter into the phone
outlet, connect the one-line filter to the splitter, and connect the phone to the filter.
2. CONNECT THE DG834 TO THE ADSL FILTERS.
Note: Improperly connecting a filter to your DG834 ADSL router will block your ADSL
connection.
a. Turn off your computer.
b. Connect the ADSL port of the DG834 to the ADSL port (B) of the two-line filter:
Lin e
Phone
DSL
B
ADSL Firewall Router DG834
Figure 3-5: Connecting the DG834 ADSL router to an ADSL microfilter and phone
3-6 Connecting the Router to the Internet
202-10005-05, June 2005
Page 31
Reference Manual for the ADSL Firewall Router DG834
Connect the Ethernet cable (C) from your DG834’s LAN port to the Ethernet adapter in
c.
your computer.
Line
Phone
DSL
C
ADSL Firewall Router DG834
Figure 3-6: Connecting a computer to the DG834 ADSL router
Note: The DG834 ADSL router incorporates Auto UplinkTM technology. Each Ethernet LAN
port will automatically sense whether the cable plugged into the port should have a 'normal'
connection (for example, connecting to a computer) or an 'uplink' connection (for example,
connecting to a switch or hub). That port will then configure itself to the correct configuration.
This feature also eliminates the need to worry about crossover cables, as Auto Uplink will
accommodate either type of cable to make the right connection.
d. Connect the power adapter to the router and plug it in to a power outlet. Verify the
following:
The power light is lit after turning on the router.
The ADSL link light is solid green, indicating a link has been established to the
ADSL network.
e. Now, turn on your computer. If software usually logs you in to your Internet connection,
do not run that software. Cancel it if it starts automatically. Verify the following:
The local lights are lit for any connected computers.
Connecting the Router to the Internet 3-7
202-10005-05, June 2005
Page 32
Reference Manual for the ADSL Firewall Router DG834
3.
LOG IN TO THE DG834.
Note: Your computer needs to be configured for DHCP. For instructions on configuring for
DHCP, please see Appendix C, “Preparing Your Network”.
a. Connect to the router by typing http://192.168.0.1 in the address field of Internet Explorer
or Netscape
Figure 3-7: Connect to the router
®
Navigator.
A login window opens as shown below:
Figure 3-8: Login window
b.
When prompted, enter admin for the user name and password for the password, both in
lower case letters. After logging in, you will see the menu below.
3-8 Connecting the Router to the Internet
202-10005-05, June 2005
Page 33
Reference Manual for the ADSL Firewall Router DG834
Figure 3-9: Setup Wizard
CONNECT TO THE INTERNET
4.
The router is now properly attached to your network. You are now ready to configure your
router to connect to the Internet. There are two ways you can configure your router to connect
to the Internet:
a. Let the DG834 auto-detect the type of Internet connection you have and configure it. See
“Auto-Detecting Your Internet Connection Type” on page 3-9 for instructions.
b. Manually choose which type of Internet connection you have and configure it. See
“Manually Configuring Your Internet Connection” on page 3-14 for instructions.
These options are described below. In either case, unless your ISP automatically assigns your
configuration automatically via DHCP, you need the configuration parameters from your ISP you
recorded in “Record Your Internet Connection Information” on page 3-3.
Auto-Detecting Your Internet Connection Type
The Web Configuration Manager built in to the router contains a Setup Wizard that can
automatically determine your network connection type.
1. If your router has not yet been configured, the Setup Wizard shown in Figure 3-9 should
launch automatically.
Connecting the Router to the Internet 3-9
202-10005-05, June 2005
Page 34
Reference Manual for the ADSL Firewall Router DG834
Note: If instead of the Setup Wizard menu, the main menu of the router’s Configuration
Manager as shown in Figure 3-15 appears, click the Setup Wizard link in the upper left to
bring up this menu.
2. You must select a country and language. Language choices are English, French, German, and
Italian. After you change the language, the remaining setup screens change to the language of
your choice.
3. Select Yes to allow the router to automatically determine your connection.
4. Click Next.
The Setup Wizard will now check for the following connection types:
• Dynamic IP assignment
• A login protocol such as PPPoE or PPPoA
• Classical IP over ATM (RFC1577)
• Fixed IP address assignment
Next, the Setup Wizard will report which connection type it has discovered, and then display
the appropriate configuration page. If the Setup Wizard finds no connection, you will be
prompted to check the physical connection between your router and the ADSL line. When the
connection is properly made, the router’s Internet LED should be on.
5. The ADSL settings for the multiplexing method and VPI/VCI will update with the preset
defaults. The multiplexing method preset default settings will usually work. Only change the
multiplexing method if you are sure your ISP requires Virtual Path Identifier (VPI) or Virtual
Channel Identifier (VCI) settings that are different from the default values.
Incorrect VPI or VCI settings will prevent you from connecting to the Internet. To change
these settings, click the ADSL Settings link on the main menu. See “ADSL Settings” on page
3-19 for more details.
The procedures for filling in the configuration page for each type of connection follow below.
Wizard-Detected PPPoE Login Account Setup
If the Setup Wizard determines that your Internet service account uses a login protocol such as
PPP over Ethernet (PPPoE), you will be directed to the PPPoE page shown in Figure 3-10:
3-10 Connecting the Router to the Internet
202-10005-05, June 2005
Page 35
Reference Manual for the ADSL Firewall Router DG834
Figure 3-10: Setup Wizard menu for PPPoE login accounts
Enter the PPPoE login user name and password.
Wizard-Detected PPPoA Login Account Setup
If the Setup Wizard determines that your Internet service account uses a login protocol such as
PPP over ATM (PPPoA), you will be directed to the PPPoA page shown in Figure 3-11 below:
Figure 3-11: Setup Wizard menu for PPPoA login accounts
Enter your login user name and password. These fields are case sensitive.
Wizard-Detected Dynamic IP Account Setup
If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment,
you will be directed to the page shown in Figure 3-12 below:
Connecting the Router to the Internet 3-11
202-10005-05, June 2005
Page 36
Reference Manual for the ADSL Firewall Router DG834
Figure 3-12: Setup Wizard menu for Dynamic IP address
Click Apply to set Dynamic IP as the connection method.
Wizard-Detected IP Over ATM Account Setup
If the Setup Wizard determines that your Internet service account uses IP over ATM Classical IP
assignment (RFC1577), you will be directed to the page shown in Figure 3-13 below:
Figure 3-13: Setup Wizard menu for IP over ATM (Classical IP) address
1.
Enter your assigned IP Address and Subnet Mask. This information should have been
provided to you by your ISP. You need the configuration parameters from your ISP you
recorded in “Record Your Internet Connection Information” on page 3-3.
2. Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is
available, enter it also.
DNS servers are required to perform the function of translating an Internet name such as
www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must
obtain DNS server addresses from your ISP and enter them manually here.
3. Click Apply to save the settings.
3-12 Connecting the Router to the Internet
202-10005-05, June 2005
Page 37
Reference Manual for the ADSL Firewall Router DG834
Click the Test button to test your Internet connection. If the NETGEAR Web site does not
4.
appear within one minute, refer to Chapter 8, “Troubleshooting”.
Wizard-Detected Fixed IP (Static) Account Setup
If the router determines that your Internet service account uses Fixed IP assignment, you will be
directed to the page shown in Figure 3-14 below:
Figure 3-14: Setup Wizard menu for Fixed IP address
1.
If required, enter the Account Name and Domain Name from your ISP.
2. Choose “Use Static IP Address” or “Use IP Over ATM” (IPoA — RFC1483 Routed)
according to the information from your ISP. If you choose IPoA, the router will be able to
detect the gateway IP address but you still need to provide the router IP address.
3. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway
router. This information should have been provided to you by your ISP. You need the
configuration parameters from your ISP you recorded in “Record Your Internet Connection
Information” on page 3-3.
4. Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is
available, enter it also.
Connecting the Router to the Internet 3-13
202-10005-05, June 2005
Page 38
Reference Manual for the ADSL Firewall Router DG834
DNS servers are required to perform the function of translating an Internet name such as
www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must
obtain DNS server addresses from your ISP and enter them manually here.
5. Click Apply to save the settings.
6. Click the Test button to test your Internet connection. If the NETGEAR Web site does not
appear within one minute, refer to Chapter 8, “Troubleshooting”.
Testing Your Internet Connection
After completing the Internet connection configuration, your can test your Internet connection.
Log in to the router, then, from the Basic Settings link in the Setup menu, click the Test button. If
the NETGEAR Web site does not appear within one minute, refer to Chapter 8,
“Troubleshooting”.
Your router is now configured to provide Internet access for your network. Your router
automatically connects to the Internet when one of your computers requires access. It is not
necessary to run a dialer or login application such as Dial-Up Networking or Enternet to connect,
log in, or disconnect. These functions are performed by the router as needed.
To access the Internet from any computer connected to your router, launch a browser such as
Microsoft Internet Explorer or Netscape Navigator. You should see the router’s Internet LED
blink, indicating communication to the ISP. The browser should begin to display a Web page.
The following chapters describe how to configure the Advanced features of your router, and how
to troubleshoot problems that may occur.
Manually Configuring Your Internet Connection
You can manually configure your router using the menu below, or you can allow the Setup W izard
to determine your configuration as described in the previous section.
3-14 Connecting the Router to the Internet
202-10005-05, June 2005
Page 39
Reference Manual for the ADSL Firewall Router DG834
ISP Does Not Require Login
Figure 3-15: Basic Settings menu
ISP Does Require Login
How to Perform Manual Configuration
We recommend that you start the manual configuration from the Setup Wizard:
1. Select your country and language. Language choices are Englis h, French, Germa n, and Italian.
After you change the language, the remaining setup screens change to the language of your
choice.
2. Select No to manually configure your router connection.
3. Click Next.
4. Manually configure the router in the Basic Settings menu shown in Figure 3-15.
5. Follow the instructions below according to the encapsulation method and whether your
Internet connection requires a login. The following methods are available:
• Internet Connection Requires Login and Uses PPPoE
• Internet Connection Requires Login and Uses PPPoA
Connecting the Router to the Internet 3-15
202-10005-05, June 2005
Page 40
Reference Manual for the ADSL Firewall Router DG834
• Internet Connection Does Not Require a Login
6. Usually the default ADSL Settings work fine for most ISPs and you can skip this step. If you
have any problems with your connection, check the ADSL Settings. See “ADSL Settings” on
page 3-19 for more details.
Internet Connection Requires Login and Uses PPPoE
1. If your Internet connection does require login, select Yes and fill in the settings according to
the instructions below.
Note: You will no longer need to launch the ISP’s login program on your computer in order to
access the Internet. When you start an Internet application, your router automatically logs you
in.
2. Choose PPPoE for the encapsulation method.
3. Enter the login name (frequently the email address your ISP provided), password, and service
name (if required).
4. If you want to change the login timeout, enter a new value in minutes. This determines how
long the router keeps the Internet connection active after there is no Internet activity from the
LAN. Entering an Idle Timeout value of zero means never log out.
5. When a connection uses PPPoE, the IP address is normally assigned automatically. However,
the DG834 allows this address to be set manually.
• Select “Get Automatically from ISP” if your ISP assigns your IP address.
• Select “Use Static IP Address” if your ISP gives you a statically assigned address.
6. The DNS server is used to look up site addresses based on their names.
• Select “Get Automatically from ISP” if your ISP uses DHCP to assign your DNS servers.
Your ISP will automatically assign this address.
• Select “Use These DNS Servers” if your ISP gave you one or two DNS addresses. Type
the primary and secondary addresses.
7. You should only disable NAT if you are sure you do not require it. NAT automatically assigns
private IP addresses (192.168.0.x) to LAN connected devices. When NAT is disabled, only
standard routing is performed by this router.
Classical routing lets you directly manage the IP addresses the DG834 uses. Classical routing
should be selected only by experienced users.
3-16 Connecting the Router to the Internet
202-10005-05, June 2005
Page 41
Reference Manual for the ADSL Firewall Router DG834
Note: Disabling NAT will reboot the router and reset all the DG834 configuration settings to
the factory default. Disable NAT only if you plan to install the DG834 in a setting where you
will be manually administering the IP address space on the LAN side of the router.
Internet Connection Requires Login and Uses PPPoA
1. If your Internet connection does require login, select Yes and fill in the settings according to
the instructions below.
Note: You will no longer need to launch the ISP’s login program on your computer in order to
access the Internet. When you start an Internet application, your router automatically logs you
in.
2. Choose PPPoA for the encapsulation method.
3. Enter the login name (frequently the email address your ISP provided), and password.
4. If you want to change the login timeout, enter a new value in minutes. This determines how
long the router keeps the Internet connection active after there is no Internet activity from the
LAN. Entering an Idle Timeout value of zero means never log out.
5. When a connection uses PPPoA, the IP address is normally assigned automatically. However,
the DG834 allows this address to be set manually.
• Select “Get Automatically from ISP” if your ISP assigns your IP address.
• Select “Use Static IP Address” if your ISP gives you a statically assigned address.
6. The DNS server is used to look up site addresses based on their names.
• Select “Get Automatically from ISP” if your ISP uses DHCP to assign your DNS servers.
Your ISP will automatically assign this address.
7. Select “Use These DNS Servers” if your ISP gave you one or two DNS addresses. Type the
primary and secondary addresses.You should only disable NAT if you are sure you do not
require it. NAT automatically assigns private IP addresses (192.168.0.x) to LAN connected
devices. When NAT is disabled, only standard routing is performed by this router.
Classical routing lets you directly manage the IP addresses the DG834 uses. Classical routing
should be selected only by experienced users.
Note: Disabling NAT will reboot the router and reset all the DG834 configuration settings to
the factory default. Disable NAT only if you plan to install the DG834 in a setting where you
will be manually administering the IP address space on the LAN side of the router.
Connecting the Router to the Internet 3-17
202-10005-05, June 2005
Page 42
Reference Manual for the ADSL Firewall Router DG834
Internet Connection Does Note Require A Login
1. If your Internet connection does not require a login, select No and fill in the settings according
to the instructions below.
2. Enter your Account Name (may also be called Host Name) and Domain Name.
These parameters may be necessary to access your ISP’s mail or news servers.
3. Internet IP Address:
• Select “Get Dynamically from ISP” if your ISP uses DHCP to assign your IP address.
Your ISP will automatically assign these addresses.
• Select “Use Static IP Address” if your ISP has assigned you a permanent, fixed (static) IP
address. Enter the IP address that your ISP assigned. Also enter the IP Subnet Mask and
the Gateway IP Address. The gateway is the ISP’s router to which your router will
connect.
• Select “IP Over ATM (IPoA)” if your ISP uses Classical IP Addresses (RFC1577). Enter
the IP address, IP Subnet Mask, and Gateway IP Addresses that your ISP assigned.
4. Domain Name Server (DNS) Address:
• Select “Get Dynamically from ISP” if your ISP uses DHCP to assign your IP address.
Your ISP will automatically assign this address.
• If you know that your ISP does not automatically transmit DNS addresses to the router
during login, select “Use these DNS servers” and enter the IP address of your ISP’s
Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
A DNS server is a host on the Internet that translates Internet names (such as
www .netgear.com) to numeric IP addresses. T ypically your ISP transfers the IP address of one
or two DNS servers to your router during login. If the ISP does not transfer an address, you
must obtain it from the ISP and enter it manually here.
5. You should only disable NAT if you are sure you do not require it. NAT automatically assigns
private IP addresses (192.168.0.x) to LAN connected devices. When NAT is disabled, only
standard routing is performed by this router.
Classical routing lets you directly manage the IP addresses the DG834 uses. Classical routing
should be selected only by experienced users.
Note: Disabling NAT will reboot the router and reset all the DG834 configuration settings to
the factory default. Disable NAT only if you plan to install the DG834 in a setting where you
will be manually administering the IP address space on the LAN side of the router
3-18 Connecting the Router to the Internet
202-10005-05, June 2005
Page 43
Reference Manual for the ADSL Firewall Router DG834
Router MAC Address:
6.
This section determines the Ethernet MAC address that will be used by the router on the
Internet port. Some ISPs will register the Ethernet MAC address of the network interface card
in your computer when your account is first opened. They will then only accept traffic from
the MAC address of that computer. This feature allows your router to masquerade as that
computer by “cloning” its MAC address.
T o change the MAC address, select “Use this Computer’ s MAC address”. The router will then
capture and use the MAC address of the computer that you are now using. You must be using
the one computer that is allowed by the ISP. Alternatively, select “Use this MAC address” and
enter it.
7. Click Apply to save your settings.
8. Click the Test button to test your Internet connection.
If the NETGEAR Web site does not appear within one minute, refer to Chapter 8,
“Troubleshooting”.
ADSL Settings
The default settings of your DG834 ADSL Firewall Router will work fine for most ISPs. However,
some ISPs use a specific Multiplexing Method and Virtual Circuit Number for the Virtual Path
Identifier (VPI) and Virtual Channel Identifier (VCI).
Note: The correct country must be selected from the Setup Wizard’s first page for the default
ADSL Settings to work.
If your ISP provided you with a specific Multiplexing Method or VPI/VCI number, then fill in the
following:
1. Select the ADSL Settings link from the main menu.
2. For the Multiplexing Method, select LLC-based or VC-based.
3. Type a number between 0 and 255 for the VPI. The default is 8.
4. Type a number between 1 and 65535 for the VCI. The default is 35.
5. Click Apply.
Connecting the Router to the Internet 3-19
202-10005-05, June 2005
Page 44
Reference Manual for the ADSL Firewall Router DG834
3-20 Connecting the Router to the Internet
202-10005-05, June 2005
Page 45
Chapter 4
Protecting Your Network
This chapter describes how to use the basic firewall features of the DG834 ADSL Firewall Router
to protect your network.
Protecting Access to Your DG834 ADSL Firewall Router
For security reasons, the router has its own user name and password. Also, after a period of
inactivity for a set length of time, the administrator login will automatically disconnect. When
prompted, enter admin for the router User Name and password for the router Password. You can
use procedures below to change the router's password and the amount of time for the
administrator’s login timeout.
Note: The user name and password are not the same as any user name or password your may use
to log in to your Internet connection.
NETGEAR recommends that you change this password to a more secure password. The ideal
password should contain no dictionary words from any language, and should be a mixture of both
upper and lower case letters, numbers, and symbols. Your password can be up to 30 characters.
How to Change the Built-In Password
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever Password and LAN address you
have chosen for the router.
Figure 4-1: Log in to the router
2.
From the Main Menu of the browser interface, under the Maintenance heading, select Set
Password to bring up the menu shown in Figure 4-2.
Protecting Your Network 4-1
202-10005-05, June 2005
Page 46
Reference Manual for the ADSL Firewall Router DG834
Figure 4-2: Set Password menu
3.
To change the password, first enter the old password, and then enter the new password twice.
4. Click Apply to save your changes.
Note: After changing the password, you will be required to log in again to continue the
configuration. If you have backed up the router settings previously , you should do a new backup so
that the saved settings file includes the new password.
Changing the Administrator Login Timeout
For security, the administrator's login to the router configuration will timeout after a period of
inactivity. To change the login timeout period:
1. In the Set Password menu, type a number in ‘Administrator login times out’ field. The
suggested default value is 5 minutes.
2. Click Apply to save your changes or click Cancel to keep the current period.
Configuring Basic Firewall Services
Basic firewall services you can configure include access blocking and scheduling of firewall
security. These topics are presented below.
4-2 Protecting Your Network
202-10005-05, June 2005
Page 47
Reference Manual for the ADSL Firewall Router DG834
Blocking Keywords, Sites, and Services
The router provides a variety of options for blocking Internet based content and communications
services. With its content filtering feature, the DG834 ADSL router prevents objectionable content
from reaching your PCs. The router allows you to control access to Internet content by screening
for keywords within Web addresses. Key content filtering options include:
• Keyword blocking of HTTP traffic.
• Outbound Service Blocking limits access from your LAN to Internet locations or services that
you specify as off-limits.
• Denial of Service (DoS) protection. Automatically detects and thwarts Denial of Service
(DoS) attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
• Blocking unwanted traffic from the Internet to your LAN.
The section below explains how to configure your
router to perform these functions.
How to Block Keywords and Sites
The DG834 ADSL router allows you to restrict access to Internet content based on functions such
as Web addresses and Web address keywords.
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever Password and LAN address you
have chosen for the router.
2. Select the Block Sites link of the Security menu.
Protecting Your Network 4-3
202-10005-05, June 2005
Page 48
Reference Manual for the ADSL Firewall Router DG834
Figure 4-3: Block Sites menu
3.
To enable keyword blocking, select one of the following:
• Per Schedule—to turn on keyword blocking according to the settings on the Schedule
page.
• Always—to turn on keyword blocking all of the time, independent of the Schedule page.
4. Enter a keyword or domain in the Keyword box, click Add Keyword, then click Apply.
Some examples of Keyword application follow:
• If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is
blocked.
• If the keyword “.com” is specified, only Web sites with other domain suffixes (such as
.edu or .gov) can be viewed.
• Enter the keyword “.” to block all Internet browsing access.
Up to 32 entries are supported in the Keyword list.
5. T o delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
6. To specify a trusted user, enter that computer’s IP address in the Trusted IP Address box and
click Apply.
You can specify one trusted user, which is a computer that will be exempt from blocking and
logging. Since the trusted user will be identified by an IP address, you should configure that
computer with a fixed IP address.
4-4 Protecting Your Network
202-10005-05, June 2005
Page 49
Reference Manual for the ADSL Firewall Router DG834
Click Apply to save your settings.
7.
Firewall Rules
Firewall rules are used to block or allow specific traffic passing through from one side of the router
to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources,
selectively allowing only specific outside users to access specific resources. Outbound rules (LAN
to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of
the DG834 are:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN side to the outside.
You can define additional rules that will specify exceptions to the default rules. By adding custom
rules, you can block or allow access based on the service or application, source or destinat ion IP
addresses, and time of day. You can also choose to log traffic that matches or does not match the
rule you have defined.
You can change the order of precedence of rules so that the rule that applies most often will take
effect first. See “Order of Precedence for Rules” on page 4-11 for more details.
To access the rules configuration of the DG834, click the Firewall Rules link on the main menu,
then click Add for either an Outbound or Inbound Service.
Figure 4-4: Rules menu
Protecting Your Network 4-5
202-10005-05, June 2005
Page 50
Reference Manual for the ADSL Firewall Router DG834
• To edit an existing rule, select its button on the left side of the table and click Edit.
• To delete an existing rule, select its button on the left side of the table and click Delete.
• T o move an existing rule to a dif ferent position in the table, select its button on the left side
of the table and click Move. At the script prompt, enter the number of the desired new
position and click OK.
Inbound Rules (Port Forwarding)
Because the DG834 uses Network Address Translation (NAT), your network presents only one IP
address to the Internet, and outside users cannot directly address any of your local computers.
However, by defining an inbound rule you can make a local server (for example, a Web server or
game server) visible and available to the Internet. The rule tells the rou ter to direct inb ound traffic
for a particular service to one local server based on the destination port number. This is also known
as port forwarding.
Note: Some residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may periodically
check for servers and may suspend your account if it discovers any active services at
your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your firewall. Only enable those ports
that are necessary for your network. Following are two application examples of inbound rules:
Inbound Rule Example: A Local Public Web Server
If you host a public W eb ser ver on your local network, you can define a rule to allow inbound Web
(HTTP) requests from any outside IP address to the IP address of your Web server at any time of
day. This rule is shown in Figure 4-5:
4-6 Protecting Your Network
202-10005-05, June 2005
Page 51
Reference Manual for the ADSL Firewall Router DG834
Figure 4-5: Rule example:
A Local Public Web Server
The parameters are:
•Service
From this list, select the application or service to be allowed or blocked. The list already
displays many common services, but you are not limited to these choices. Use the Services
menu to add any additional services or applications that do not already appear.
• Action
Choose how you want this type of traffic to be handled. You can block or allow always, or you
can choose to block or allow according to the schedule you have defined in the Schedule
menu.
• Send to LAN Server
Enter the IP address of the computer or server on your LAN which will receive the inbound
traffic covered by this rule.
• WAN Users
These settings determine which packets are covered by the rule, based on their source (WAN)
IP address. Select the desired option:
– Any — all IP addresses are covered by this rule.
– Address range — if this option is selected, you must enter the Start and Finish fields.
– Single address — enter the required address in the Start field.
Protecting Your Network 4-7
202-10005-05, June 2005
Page 52
Reference Manual for the ADSL Firewall Router DG834
•Log
You can select whether the traffic will be logged. The choices are:
– Never — no log entries will be made for this service.
– Always — any traffic for this service type will be logged.
– Match — traffic of this type which matches the parameters and action will be logged.
– Not match — traffic of this type which does not match the parameters and action will be
logged.
Inbound Rule Example: Allowing Videoconferencing
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside
IP addresses, such as from a branch office, you can create an inbound rule. In the example shown
in Figure 4-6, CU-SeeMe connections are allowed only from a specified range of external IP
addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that
do not match the allowed parameters.
Figure 4-6: Rule example: Videoconference from Restrict ed Addresses
Considerations for Inbound Rules
• If your external IP address is assigned dynamically by your ISP, the IP address may change
periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the
Advanced menu so that external users can always find your network.
4-8 Protecting Your Network
202-10005-05, June 2005
Page 53
Reference Manual for the ADSL Firewall Router DG834
• If the IP address of the local server computer is assigned by DHCP, it may change when the
computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu
to keep the computer’s IP address constant.
• Local computers must access the local server using the computer’s local LAN address
(192.168.0.11 in the example in Figure 4-6 above). Attempts by local computers to access the
server using the external WAN IP address will fail.
Outbound Rules (Service Blocking)
The DG834 allows you to block the use of certain Internet services by computers on your network.
This is called service blocking or port filtering. You can define an outbound rule to block Internet
access from a local computer based on:
• IP address of the local computer (source address)
• IP address of the Internet site being contacted (destination address)
•Time of day
• Type of service being requested (service port number)
Following is an application example of outbound rules:
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create
an outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created in the Schedule menu. Y ou can also have the router
log any attempt to use Instant Messenger during that blocked period.
Protecting Your Network 4-9
202-10005-05, June 2005
Page 54
Reference Manual for the ADSL Firewall Router DG834
Figure 4-7: Rule example: Blocking Instant Messenger
The parameters are:
•Service
From this list, select the application or service to be allowed or blocked. The list already
displays many common services, but you are not limited to these choices. Use the Add Custom
Service feature to add any additional services or applications that do not already appear.
• Action
Choose how you want this type of traffic to be handled. You can block or allow always, or you
can choose to block or allow according to the schedule you have defined in the Schedule
menu.
• LAN Users
These settings determine which packets are covered by the rule, based on their source LAN IP
address. Select the desired option:
– Any — all IP addresses are covered by this rule.
– Address range — if this option is selected, you must enter the Start and Finish fields.
– Single address — enter the required address in the Start field.
4-10 Protecting Your Network
202-10005-05, June 2005
Page 55
Reference Manual for the ADSL Firewall Router DG834
• WAN Users
These settings determine which packets are covered by the rule, based on their destination
WAN IP address. Select the desired option:
– Any — all IP addresses are covered by this rule.
– Address range —if this option is selected, you must enter the Start and Finish fields.
– Single address — enter the required address in the Start field.
•Log
You can select whether the traffic will be logged. The choices are:
– Never — no log entries will be made for this service.
– Always — any traffic for this service type will be logged.
– Match — traffic of this type that matches the parameters and action will be logged.
– Not match — traffic of this type that does not match the parameters and action will be
logged.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 4-8:
Figure 4-8: Rules table with examples
Protecting Your Network 4-11
202-10005-05, June 2005
Page 56
Reference Manual for the ADSL Firewall Router DG834
For any traffic attempting to pass through the firewall, the packet information is subjected to the
rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules
at the bottom. In some cases, the order of precedence of two or more rules may be important in
determining the disposition of a packet. The Move button allows you to relocate a defined rule to a
new position in the table.
Services
Services are functions performed by server computers at the request of client computers. For
example, Web servers serve Web pages, time servers serve time and date information, and game
hosts serve data about other players’ moves. When a computer on the Internet sends a request for
service to a server computer, the requested service is identified by a service or port number. This
number appears as the destination port number in the transmitted IP packets. For example, a packet
that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task
Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other
applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the DG834 already holds a list of many service port numbers, you are not limited to
these choices. Use the procedure below to create your own service definitions.
How to Define Services
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever Password and LAN address you
have chosen for the router.
2. Select the Services link of the Security menu to display the Services menu shown in
Figure 4-9:
Figure 4-9: Services menu
4-12 Protecting Your Network
202-10005-05, June 2005
Page 57
Reference Manual for the ADSL Firewall Router DG834
• To create a new Service, click the Add Custom Service button.
• To edit an existing Service, select its button on the left side of the table and click Edit
Service.
• To delete an existing Service, select its button on the left side of the table and click Delete
Service.
3. Use the page shown below to define or edit a service.
Figure 4-10: Add Services menu
4.
Click Apply to save your changes.
Setting Times and Scheduling Firewall Services
The DG834 ADSL router uses the Network Time Protocol (NTP) to obtain the current time and
date from one of several Network Time Servers on the Internet.
How to Set Your Time Zone
In order to localize the time for your log entries, you must specify your Time Zone:
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever Password and LAN address you
have chosen for the router.
2. Select the Schedule link of the Security menu to display menu shown below.
Protecting Your Network 4-13
202-10005-05, June 2005
Page 58
Reference Manual for the ADSL Firewall Router DG834
Figure 4-11: Schedule Services menu
3.
Select your Time Zone. This setting will be used for the blocking schedule according to your
local time zone and for time-stamping log entries.
Select the Adjust for daylight savings time check box if your time zone is currently in daylight
savings time.
Note: If your region uses Daylight Savings Time, you must manually select Adjust for
Daylight Savings Time on the first day of Daylight Savings Time, and clear it at the end.
Enabling Daylight Savings Time will cause one hour to be added to the standard time.
4. The router has a list of NETGEAR NTP servers. If you would prefer to use a particular NTP
server as the primary server, enter its IP address under Use this NTP Server.
5. Click Apply to save your settings.
How to Schedule Firewall Services
If you enabled services blocking in the Block Services menu or Port forwarding in the Ports menu,
you can set up a schedule for when blocking occurs or when access is not restricted.
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever Password and LAN address you
have chosen for the router.
4-14 Protecting Your Network
202-10005-05, June 2005
Page 59
Reference Manual for the ADSL Firewall Router DG834
Select the Schedule link of the Security menu to display menu shown above in the Schedule
2.
Services menu.
3. T o block Internet services based on a schedule, select Every Day or select one or more days. If
you want to limit access completely for the selected days, select All Day. Otherwise, to limit
access during certain times for the selected days, enter Start Blocking and End Blocking times.
Note: Enter the values in 24-hour time format. For example, 10:30 am would be 10 hours and
30 minutes and 10:30 pm would be 22 hours and 30 minutes. If you set the start time after the
end time, the schedule will be effective through midnight the next day.
4. Click Apply to save your changes.
Protecting Your Network 4-15
202-10005-05, June 2005
Page 60
Reference Manual for the ADSL Firewall Router DG834
4-16 Protecting Your Network
202-10005-05, June 2005
Page 61
Chapter 5
Managing Your Network
This chapter describes how to perform network management tasks with your DG834 ADSL
Firewall Router.
Backing Up, Restoring, or Erasing Your Settings
The configuration settings of the DG834 ADSL router are stored in a configuration file in the
router. This file can be backed up to your computer, restored, or reverted to factory default
settings. The procedures below explain how to do these tasks.
How to Back Up the Configuration to a File
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever User Name, Password and LAN
address you have chosen for the router.
2. From the Maintenance heading of the Main Menu, select the Backup Settings menu as seen in
Figure 5-1.
Figure 5-1: Backup Settings menu
3.
Click Backup to save a copy of the current settings.
Managing Your Network 5-1
202-10005-05, June 2005
Page 62
Reference Manual for the ADSL Firewall Router DG834
Store th e .cfg file on a computer on your network.
4.
How to Restore the Configuration from a File
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever User Name, Password and LAN
address you have chosen for the router.
2. From the Maintenance heading of the Main Menu, select the Settings Backup menu as seen in
Figure 5-1.
3. Enter the full path to the file on your network or click the Browse button to locate the file.
4. When you have located the .cfg file, click the Restore button to upload the file to the router.
5. The router will then reboot automatically.
How to Erase the Configuration
It is sometimes desirable to restore the router to the factory default settings. This can be done by
using the Erase function.
1. To erase the configuration, from the Maintenance menu Settings Backup link, click the Erase
button on the screen.
2. The router will then reboot automatically.
After an erase, the router's password will be password, the LAN IP address will be
192.168.0.1, and the router's DHCP client will be enabled.
Note: To restore the factory default configuration settings without knowing the login password or
IP address, you must use the Default Reset button on the rear panel of the router. See “DG834 Rear
Panel“ on page 2-7.
Upgrading the Router’s Firmware
The software of the DG834 ADSL router is stored in FLASH memory, and can be upgraded as
new software is released by NETGEAR.
Upgrade files can be downloaded from NETGEAR's Web site. If the upgrade file is compressed
(.ZIP file), you must first extract the binary (.BIN or .IMG) file before uploading it to the router.
5-2 Managing Your Network
202-10005-05, June 2005
Page 63
Reference Manual for the ADSL Firewall Router DG834
How to Upgrade the Router Firmware
Note: NETGEAR recommends that you back up your config uration before doing a firmware
upgrade. After the upgrade is complete, you may need to restore your configuration settings.
1. Download and unzip the new software file from NETGEAR.
The Web browser used to upload new firmware into the router must support HTTP uploads.
NETGEAR recommends using Microsoft Internet Explorer 5.0 or above, or Netscape
Navigator 4.7 or above.
2. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever User Name, Password and LAN
address you have chosen for the router.
3. From the Main Menu of the browser interface, under the Maintenance heading, select the
Router Upgrade heading to display the menu shown in Figure 5-2.
Figure 5-2: Router Upgrade menu
4.
In the Router Upgrade menu, click the Browse to locate the binary (.BIN or .IMG) upgrade
file.
5. Click Upload.
Note: When uploading software to the router, it is important not to interrupt the Web
browser by closing the window, clicking a link, or loading a new page. If the browser is
interrupted, it may corrupt the software. When the upload is complete, your router will
automatically restart. The upgrade process will typically take about one minute. In some
cases, you may need to clear the configuration and reconfigure the router after
upgrading.
Managing Your Network 5-3
202-10005-05, June 2005
Page 64
Reference Manual for the ADSL Firewall Router DG834
Network Management Information
The DG834 provides a variety of status and usage inform ation which is discussed below.
Viewing Router Status and Usage Statistics
From the Main Menu, under Maintenance, select Router Status to view the screen in Figure 5-3 .
Figure 5-3: Router Status screen
The Router Status menu provides status and usage information.
This screen shows the following parameters:
5-4 Managing Your Network
202-10005-05, June 2005
Page 65
Reference Manual for the ADSL Firewall Router DG834
Table 5-1. Menu 3.2 - Router Status Fields
Field Description
Account Name The Host Name assigned to the router in the Basic Settings menu.
Firmware Version This field displays the router firmware version.
ADSL Port These parameters apply to the Internet (ADSL) port of the router.
MAC Address This field displays the Ethernet MAC address bein g used by the Internet
(ADSL) port of the router.
IP Address This field displays the IP address being used by the Internet (ADSL) port
of the router. If no address is shown, the router cannot connect to the
Internet.
DHCP If None, the router will use a fixed IP address on the ADSL.
If Client, the router will obtain an IP address dynamically from the ISP.
IP Subnet Mask This field displays the IP Subnet Mask being used by the Internet (ADSL)
port of the router.
Domain Name Server (DNS) This field displays the DNS Server IP addresses being used by the
router. These addresses are usually obtained dynamically from the ISP.
LAN Port These parameters apply to the Local (ADSL) port of the router.
MAC Address This field displays the Ethernet MAC address being used by the Local
(LAN) port of the router.
IP Address This field displays the IP address being used by the Local (LAN) port of
the router. The default is 192.168.0.1.
DHCP If OFF, the router will not assign IP addresses to PCs on the LAN.
If ON, the router will assign IP addresses to PCs on the LAN.
IP Subnet Mask This field displays the IP Subnet Mask being used by the Local (LAN)
port of the router. The default is 255.255.255.0.
Modem These parameters apply to the Local (WAN) port of the router.
ADSL Firmware Version The version of the firmware.
Modem Status The connection status of the modem.
Downstream Speed The speed at which the modem is receiving data from the ADSL line.
Upstream Speed The speed at which the modem is transmitting data to the ADSL line.
VPI The Virtual Path Identifier setting.
VCI The Virtual Channel Identifier setting.
Click the Show Statistics button to display router usage statistics, as shown in Figure 5-3 below:
Managing Your Network 5-5
202-10005-05, June 2005
Page 66
Reference Manual for the ADSL Firewall Router DG834
Figure 5-4: Router Statistics screen
This screen shows the following statistics:.
Table 5-1. Router Statistics Fields
Field Description
WAN, LAN, or
Serial Port
Status The link status of the port.
TxPkts The number of packets transmitted on this port since reset or manual clear.
RxPkts The number of packets received on this port since reset or manual clear.
Collisions The number of collisions on this port since reset or manual clear.
Tx B/s The current line utilization—percentage of current bandwidth used on this port.
Rx B/s The average line utilization for this port.
Up Time The time elapsed since the last power cycle or reset.
Poll Interval Specifies the interval at which the statistics are updated in this window. Click Stop to
The statistics for the WAN (Internet), LAN (local), and Serial ports. For each port, the
screen displays:
freeze the display.
Click the Connection Status button to display router connection status, as shown in Figure 5-5 and
Figure 5-6.
5-6 Managing Your Network
202-10005-05, June 2005
Page 67
Reference Manual for the ADSL Firewall Router DG834
Figure 5-5: Connection Status screen for Dynamic IP
Clicking the Renew button updates the status information.
This screen shows the following statistics:
Table 5-1. Connection Status Fields for Dynamic IP
Field Description
IP Address The IP Address assigned to the WAN port by the ADSL Internet Service Provider.
Subnet Mask The Network Mask assigned to the WAN port by the ADSL Internet Service Provider.
Default Gateway The default gateway router assigned to the WAN port by the ADSL Internet Service
Provider.
DHCP Server The DHCP server’s IP address.
DNS Server The DNS server’s IP address.
Lease Obtained Date and time the lease was obtained.
Lease Expires Date and time the lease expires.
Managing Your Network 5-7
202-10005-05, June 2005
Page 68
Reference Manual for the ADSL Firewall Router DG834
An alternate view of the Connection Status screen is shown in Figure 5-6 below:
Figure 5-6: Connection Status screen for PPPoA
Clicking the Renew button updates the status information.
This screen shows the following statistics:
Table 5-1. Connection Status Fields for PPPoA
Field Description
Connection Time The time elapsed since the last connection to the Internet via the ADSL port.
Connecting to
Sender
Negotiation ON or OFF
Authentication ON or OFF
IP Address The IP Address assigned to the WAN port by the ADSL Internet Service Provider.
Network Mask The Network Mask assigned to the WAN port by the ADSL Internet Service Provider.
5-8 Managing Your Network
The connection status.
202-10005-05, June 2005
Page 69
Reference Manual for the ADSL Firewall Router DG834
Viewing Attached Devices
The Attached Devices menu contains a table of all IP devices that the router has discovered on the
local network. From the Main Menu of the browser interface, under the Maintenance heading,
select Attached Devices to view the table, shown in Figure 5-7:
Figure 5-7: Attached Devices menu
For each device, the table shows the IP address, Device Name if available, and the Ethernet MAC
address. Note that if the router is rebooted, the table data is lost until the router rediscovers the
devices. To force the router to look for attached devices, click the Refresh button.
Viewing, Selecting, and Saving Logged Information
The router will log security-related events such as denied incoming service requests, hacker
probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs
page can show you when someone on your network tries to access a blocked site. If you enabled
e-mail notification, you will receive these logs in an e-mail message. If you do not have e-mail
notification enabled, you can view the logs here.
An example of the logs file is shown below.
Managing Your Network 5-9
202-10005-05, June 2005
Page 70
Reference Manual for the ADSL Firewall Router DG834
Figure 5-8: Security Logs menu
Log entries are described in Table 5-1 below:
5-10 Managing Your Network
202-10005-05, June 2005
Page 71
Reference Manual for the ADSL Firewall Router DG834
Table 5-1. Security Log entry descriptions
Field Description
Date and Time The date and time the log entry was recorded.
Description or
The type of event and what action was taken if any.
Action
Source IP The IP address of the initiating device for this log entry.
Source port and
interface
The service port number of the initiating device, and whether it
originated from the LAN or WAN
Destination The name or IP address of the destination de vice or Web site.
Destination port
and interface
The service port number of the destination device, and whether
it’s on the LAN or WAN.
Log action buttons are described in Table 5-2 below:
Table 5-2. Security Log action buttons
Field Description
Refresh Refresh the log screen.
Clear Log Clear the log entries.
Send Log Email the log immediately.
Apply Apply the current settings.
Cancel Clear the current settings.
Selecting What Information to Log
Besides the standard information listed above, you can choose to log additional information. Those
optional selections are as follows:
• Attempted access to blocked site
• Connections to the Web-based interface of the router
• Router operation (start up, get time, etc.)
• Known DoS attacks and Port Scans
Managing Your Network 5-11
202-10005-05, June 2005
Page 72
Reference Manual for the ADSL Firewall Router DG834
Saving Log Files on a Server
You can choose to write the logs to a computer running a syslog program. To activate this feature,
select to Broadcast on Lan or enter the IP address of the server where the Syslog file will be
written.
Examples of Log Messages
Following are examples of log messages. In all cases, the log entry shows the timestamp as: Day,
Year-Month-Date Hour:Minute:Second
Activation and Administration
Tue, 2002-05-21 18:48:39 - NETGEAR activated
[This entry indicates a power-up or reboot with initial time entry.]
Tue, 2002-05-21 18:55:00 - Administrator login successful - IP:192.168.0.2
Thu, 2002-05-21 18:56:58 - Administrator logout - IP:192.168.0.2
[This entry shows an administrator logging in and out from IP address 192.168.0.2.]
Tue, 2002-05-21 19:00:06 - Login screen timed out - IP:192.168.0.2
[This entry shows a time-out of the administrator login.]
Wed, 2002-05-22 22:00:19 - Log emailed
[This entry shows when the log was emailed.]
Dropped Packets
Wed, 2002-05-22 07:15:15 - TCP packet dropped - Source:64.12.47.28,4787,WAN Destination:134.177.0.11,21,LAN - [Inbound Default rule match]
Sun, 2002-05-22 12:50:33 - UDP packet dropped - Source:64.12.47.28,10714,WAN Destination:134.177.0.11,6970,LAN - [Inbound Default rule match]
Sun, 2002-05-22 21:02:53 - ICMP packet dropped - Source:64.12.47.28,0,WAN Destination:134.177.0.11,0,LAN - [Inbound Default rule match]
[These entries show an inbound FTP (port 21) packet, User Datagram Protocol (UDP) packet
(port 6970), and Internet Control Message Protocol (ICMP) packet (port 0) being dropped as a
result of the default inbound rule, which states that all inbound packets are denied.]
5-12 Managing Your Network
202-10005-05, June 2005
Page 73
Reference Manual for the ADSL Firewall Router DG834
Enabling Security Event E-mail Notification
In order to receive logs and alerts by e-mail, you must provide your e-mail information in the
E-mail subheading:
Figure 5-9: E-mail menu
• Turn e-mail notification on. Select this check box if you want to receive e-mail logs and
alerts from the router.
• Send alerts and logs via email. Enter the name or IP address of your ISP’s outgoing (SMTP)
mail server (such as mail.myISP.com). You may be able to find this information in the
configuration menu of your e-mail program. Enter the e-mail address to which logs and alerts
are sent. This e-mail address will also be used as the From address. If you leave this box blank,
log and alert messages will not be sent via e-mail.
• Send alert immediately. Select the corresponding check box if you would like immed i ate
notification of a significant security event, such as a known attack, port scan, or attempted
access to a blocked site.
• Send logs according to this schedule. Specifies how often to send the logs: Hourly, Daily,
Weekly, or When Full.
– Day for sending log
Specifies which day of the week to send the log. Relevant when the log is sent weekly or
daily.
– Time for sending log
Specifies the time of day to send the log. Relevant when the log is sent daily or weekly.
Managing Your Network 5-13
202-10005-05, June 2005
Page 74
Reference Manual for the ADSL Firewall Router DG834
If the Weekly, Daily or Hourly option is selected and the log fills up before the specified
period, the log is automatically e-mailed to the specified e-mail address. After the log is sent, it
is cleared from the router’s memory. If the router cannot e-mail the log file, the log buffer may
fill up. In this case, the router overwrites the log and discards its contents.
Running Diagnostic Utilities and Rebooting the Router
The DG834 ADSL router has a diagnostics feature. You can use the diagnostics menu to perform
the following functions from the router:
• Ping an IP Address to test connectivity to see if you can reach a remote host.
• Perform a DNS Lookup to test if an Internet name resolves to an IP address to verify that the
DNS server configuration is working.
• Display the Routing Table to identify what other routers the router is communicating with.
• Reboot the router to enable new network configurations to take effect or to clear problems
with the router’s network connection.
From the Main Menu of the browser interface, under the Maintenance heading, select the Router
Diagnostics heading to display the menu shown in Figure 5-10.
Figure 5-10: Diagnostics menu
5-14 Managing Your Network
202-10005-05, June 2005
Page 75
Reference Manual for the ADSL Firewall Router DG834
Enabling Remote Management
Using the Remote Management page, you can allow a user or users on the Internet to configure,
upgrade and check the status of your DG834 ADSL Firewall Router.
Note: Be sure to change the router's default password to a very secure password. The
ideal password should contain no dictionary words from a ny language, and should be a
mixture of letters (both upper and lower case), numbers, and symbols. Your password
can be up to 30 characters.
Configuring Remote Management
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever User Name, Password and LAN
address you have chosen for the router.
2. From the Advanced section of the main menu, select the Remote Management link.
3. Select the Turn Remote Management On check box.
4. Specify what external addresses will be allowed to access the router’s remote management.
For security, restrict access to as few external IP addresses as practical:
• To allow access from any IP address on the Internet, select Everyone.
• To allow access from a range of IP addresses on the Internet, select IP address range.
Enter a beginning and ending IP address to define the allowed range.
• To allow access from a single IP address on the Internet, select Only this Computer.
Enter the IP address that will be allowed access.
5. Specify the Port Number that will be used for accessing the management interface.
Web browser access normally uses the standard HTTP service port 80. For greater security,
you can change the remote management Web interface to a custom port by entering that
number in the box provided. Choose a number between 1024 and 65535, but do not use the
number of any common service port. The default is 8080, which is a common alternate for
HTTP.
6. Click Apply to have your changes take effect.
Managing Your Network 5-15
202-10005-05, June 2005
Page 76
Reference Manual for the ADSL Firewall Router DG834
When accessing your router from the Internet, you will type your router's WAN IP address in
your browser's Address (in IE) or Location (in Netscape) box, followed by a colon (:) and th e
custom port number. For example, if your external address is 134.177.0.123 and you use port
number 8080, enter in your browser:
http://134.177.0.123:8080
Note: In this case, the http:// must be included in the address.
5-16 Managing Your Network
202-10005-05, June 2005
Page 77
Chapter 6
Advanced Configuration
This chapter describes how to configure the advanced features of your DG834 ADSL Firewall
Router.
Configuring Advanced Security
The DG834 ADSL Firewall Router provides a variety of advanced features, such as:
• Setting up a Demilitarized Zone (DMZ) Server
• Connecting Automatically, as Required
• Disabling Port Scan and DOS Protection
• Responding to a Ping on the Internet WAN Port
•MTU Size
• Flexibility on configuring your LAN TCP/IP settings
• Using the Router as a DHCP Server
• Configuring Dynamic DNS
• Configuring Static Routes
These features are discussed below.
Setting Up A Default DMZ Server
The Default DMZ Server feature is helpful when using some online games and videoconferencing
applications that are incompatible with NAT. The router is programmed to recognize some of these
applications and to work properly with them, but there are other applications that may not function
well. In some cases, one local computer can run the application properly if that computer’s IP
address is entered as the Default DMZ Server.
Advanced Configuration 6-1
202-10005-05, June 2005
Page 78
Reference Manual for the ADSL Firewall Router DG834
Note: For security reasons, you should avoid using the Default DMZ Server feature.
When a computer is designated as the Default DMZ Server, it loses much of the
protection of the firewall, and is exposed to many exploits from the Internet. If
compromised, the computer can be used to attack your network.
Incoming traffic from the Internet is normally discarded by the router unless the traffic is a
response to one of your local computers or a service that you have configured in the Ports menu.
Instead of discarding this traffic, you can have it forwarded to one computer on your network. This
computer is called the Default DMZ Server.
How to Configure a Default DMZ Server
To assign a computer or server to be a Default DMZ server, follow these steps:
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever Password and LAN address you
have chosen for the router.
2. From the Main Menu, under Advanced, click the WAN Setup link to view the page shown in
Figure 6-1:
Figure 6-1: WAN Setup Page
3.
Select the Default DMZ Server check box.
4. Type the IP address for that server.
5. Click Apply to save your changes.
6-2 Advanced Configuration
202-10005-05, June 2005
Page 79
Reference Manual for the ADSL Firewall Router DG834
Connect Automatically, as Required
Normally , this option should be enabled, so that an Internet connection will be made automatically ,
whenever Internet-bound traffic is detected. If this causes high connection costs, you can disable
this setting.
If disabled, you must connect manually, using the sub-screen accessed from the "Connection
Status" button on the Status screen.
If you have an "Always on" connection, this setting has no effect.
Disable Port Scan and DOS Protection
The Firewall protects your LAN against Port Scans and Denial of Service (DOS) attacks. This
should be disabled only in special circumstances.
Respond to Ping on Internet WAN Port
If you want the router to respond to a 'ping' from the Internet, select the ‘Respond to Ping on
Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your
router to be discovered. Do not select this box unless you have a specific reason to do so.
MTU Size
The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes, or
1492 Bytes for PPPoE connections. For some ISPs you may need to reduce the MTU. But this is
rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
Configuring LAN IP Settings
The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These
features can be found under the Advanced heading in the Main Menu of the browser interface.
The router is shipped preconfigured to use private IP addresses on the LAN side, and to act as a
DHCP server. The router’s default LAN IP configuration is:
• LAN IP addresses—192.168.0.1
• Subnet mask—255.255.255.0
Advanced Configuration 6-3
202-10005-05, June 2005
Page 80
Reference Manual for the ADSL Firewall Router DG834
These addresses are part of the Internet Engineering T ask Force (IETF)-designated private address
range for use in private networks, and should be suitable in most applications. If your network has
a requirement to use a different IP addressing scheme, you can make those changes in this menu.
Figure 6-2: LAN IP Setup Menu
The LAN TCP/IP Setup parameters are:
• IP Address
This is the LAN IP address of the router.
• IP Subnet Mask
This is the LAN Subnet Mask of the router. Combined with the IP address, the IP Subnet Mask
allows a device to know which other addresses are local to it, and which must be reached
through a gateway or router.
• RIP Direction
RIP (Router Information Protocol) allows a router to exchange routing information with other
routers. The RIP Direction selection controls how the Router sends and receives RIP packets.
Both is the default.
— When set to Both or Out Only, the router will broadcast its routing table periodically.
— When set to Both or In Only, it will incorporate the RIP information that it receives.
— When set to None, it will not send any RIP packets and will ignore any RIP packets
received.
6-4 Advanced Configuration
202-10005-05, June 2005
Page 81
Reference Manual for the ADSL Firewall Router DG834
• RIP Version
This controls the format and the broadcasting method of the RIP packets that the router sends.
It recognizes both formats when receiving. By default, this is set for RIP-1.
— RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you
have an unusual network setup.
— RIP-2 carries more information. Both RIP-2B and RIP-2M send the routing data in RIP-2
format.
— RIP-2B uses subnet broadcasting.
— RIP-2M uses multicasting.
Note: If you change the LAN IP address of the router while connected through the
browser, you will be disconnected. You must then open a new connection to the new IP
address and log in again.
DHCP
By default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server,
allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to
the router's LAN. The assigned default gateway address is the LAN address of the router. IP
addresses will be assigned to the attached PCs from a pool of addresses specified in this menu.
Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.
For most applications, the default DHCP and TCP/IP settings of the router are satisfactory. See “IP
Configuration by DHCP”on page B-9 for an explanation of DHCP and information about how to
assign IP addresses for your network.
Use Router as DHCP server
If another device on your network will be the DHCP server, or if you will manually configure the
network settings of all of your computers, clear the ‘Use router as DHCP server’ check box.
Otherwise, leave it selected.
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP
Address. These addresses should be part of the same IP address subnet as the router’s LAN IP
address. Using the default addressing scheme, you should define a range between 192.168.0.2 and
192.168.0.254, although you may want to save part of the range for devices with fixed addresses.
The router will deliver the following parameters to any LAN device that requests DHCP:
Advanced Configuration 6-5
202-10005-05, June 2005
Page 82
Reference Manual for the ADSL Firewall Router DG834
• An IP Address from the range you have defined
• Subnet Mask
• Gateway IP Address is the router’s LAN IP address
• Primary DNS Server, if you entered a Primary DNS address in the Basic Settings menu;
otherwise, the router’s LAN IP address
• Secondary DNS Server, if you entered a Secondary DNS address in the Basic Settings menu
• WINS Server, short for Windows Internet Naming Service Server, determines the IP address
associated with a particular Windows computer. A WINS server records and reports a list of
names and IP address of Windows PCs on its local network. If you connect to a remote
network that contains a WINS server, enter the server’s IP address here. This allows your PCs
to browse the network using the Network Neighborhood feature of Windows.
Reserved IP addresses
When you specify a reserved IP address for a computer on the LAN, that computer will always
receive the same IP address each time it access the router’s DHCP server. Reserved IP addresses
should be assigned to servers that require permanent IP settings.
To reserve an IP address:
1. Click the Add button.
2. In the IP Address box, type the IP address to assign to the computer or server.
Choose an IP address from the router’s LAN subnet, such as 192.168.0.x.
3. Type the MAC Address of the computer or server.
Tip: If the computer is already present on your network, you can copy its MAC address from
the Attached Devices menu and paste it here.
4. Click Apply to enter the reserved address into the table.
Note: The reserved address will not be assigned until the next time the computer contacts the
router's DHCP server. Reboot the computer or access its IP configuration and force a DHCP
release and renew.
To edit or delete a reserved address entry:
1. Click the button next to the reserved address you want to edit or delete.
2. Click Edit or Delete.
6-6 Advanced Configuration
202-10005-05, June 2005
Page 83
Reference Manual for the ADSL Firewall Router DG834
How to Configure LAN TCP/IP Settings
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever User Name, Password and LAN
address you have chosen for the router.
2. From the Main Menu, under Advanced, click the LAN IP Setup link to view the men u, shown
in Figure 6-3:
.
Figure 6-3: LAN IP Setup Menu
3.
Enter the TCP/IP, DHCP, or Reserved IP parameters.
4. Click Apply to save your changes.
Configuring Dynamic DNS
If your network has a permanently assigned IP address, you can register a domain name and have
that name linked with your IP address by public Domain Name Servers (DNS). However, if your
Internet account uses a dynamically assigned IP address, you will not know in advance what your
IP address will be, and the address can change frequently. In this case, you can use a commercial
dynamic DNS service that will allow you to register your domain to their IP address, and will
forward traffic directed at your domain to your frequently-changing IP address.
Advanced Configuration 6-7
202-10005-05, June 2005
Page 84
Reference Manual for the ADSL Firewall Router DG834
The router contains a client that can connect to a dynamic DNS service provider. To use this
feature, you must select a service provider and obtain an account with them. After you have
configured your account information in the router, whenever your ISP-assigned IP address
changes, your router will automatically contact your dynamic DNS service provider, log in to your
account, and register your new IP address.
How to Configure Dynamic DNS
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever User Name, Password and LAN
address you have chosen for the router.
2. From the Main Menu of the browser interface, under Advanced, select Dynamic DNS to
display the page below.
Figure 6-4: Dynamic DNS menu
3.
Access the Web site of one of the dynamic DNS service providers whose names appear in the
‘Service Provider’ box, and register for an account.
For example, for dyndns.org, go to www.dyndns.org.
4. Select the “Use a dynamic DNS service” check box.
5. Select the name of your dynamic DNS Service Provider.
6. Type the Host Name that your dynamic DNS service provider gave you.
The dynamic DNS service provider may call this the domain name. If your URL is
myName.dyndns.org, then your Host Name is “myName.”
6-8 Advanced Configuration
202-10005-05, June 2005
Page 85
Reference Manual for the ADSL Firewall Router DG834
Type the User Name for your dynamic DNS account.
7.
8. Type the Password (or key) for your dynamic DNS account.
9. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you can
select the Use wildcards check box to activate this feature.
For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same
IP address as yourhost.dyndns.org
10. Click Apply to save your configuration.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the
dynamic DNS service will not work because private addresses will not be routed on the
Internet.
Using Static Routes
Static Routes provide additional routing information to your router. Under normal circumstances,
the router has adequate routing information after it has been configured for Internet access, and
you do not need to configure additional static routes. You must configure static routes only for
unusual cases such as multiple routers or multiple IP subnets located on your network.
Static Route Example
As an example of when a static route is needed, consider the following case:
• Your primary Internet access is through a cable modem to an ISP.
• You have an ISDN router on your home network for connecting to the company where
you are employed. This router’s address on your LAN is 192.168.0.100.
• Your company’s network is 134.177.0.0.
When you first configured your router, two implicit static routes were created. A default route was
created with your ISP as the router, and a second static route was created to your local network for
all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the
134.177.0.0 network, your router will forward your request to the ISP. The ISP forwards your
request to the company where you are employed, and the request will likely be denied by the
company’s firewall.
Advanced Configuration 6-9
202-10005-05, June 2005
Page 86
Reference Manual for the ADSL Firewall Router DG834
In this case you must define a static route, telling your router that 134.177.0.0 should be accessed
through the ISDN router at 192.168.0.100. The static route would look like Figure 6-6.
In this example:
• The Destination IP Address and IP Subnet Mask fields specify that this static route applies to
all 134.177.x.x addresses.
• The Router IP Address fields specifies that all traffic for these addresses should be forwarded
to the ISDN router at 192.168.0.100.
• A Metric value of 1 will work since the ISDN router is on the LAN.
This represents the number of routers between your network and the des tination. This is a
direct connection so it is set to 1.
• Private is selected only as a precautionary security measure in case RIP is activated.
How to Configure Static Routes
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name
of admin, default password of password, or using whatever User Name, Password and LAN
address you have chosen for the router.
2. From the Main Menu of the browser interface, under Advanced, click Static Routes to view
the Static Routes menu, shown in Figure 6-5.
Figure 6-5: Static Routes Table
6-10 Advanced Configuration
202-10005-05, June 2005
Page 87
Reference Manual for the ADSL Firewall Router DG834
To add or edit a Static Route:
3.
a. Click the Edit button to open the Edit Menu, shown in Figure 6-6.
Figure 6-6: Static Ro ute Entry and Edit Menu
b.
Type a route name for this static route in the Route Name box under the table.
This is for identification purpose only.
c. Select Private if you want to limit access to the LAN only.
The static route will not be reported in RIP.
d. Select Active to make this route effective.
e. Type the Destination IP Address of the final destination.
f. Type the IP Subnet Mask for this destination.
If the destination is a single host, type 255.255.255.255.
g. Type the Gateway IP Address, which must be a router on the same LAN segment as the
router.
h. Type a number between 1 and 15 as the Metric value.
This represents the number of routers between your network and the destination. Usually,
a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
4. Click Apply to have the static route entered into the table.
Advanced Configuration 6-11
202-10005-05, June 2005
Page 88
Reference Manual for the ADSL Firewall Router DG834
Universal Plug and Play (UPnP)
Universal Plug and Play (UPnP) helps devices, such as Internet appliances and computers, access
the network and connect to other devices as needed. UPnP devices can automatically discover the
services from other registered UPnP devices on the network.
1. Click UPnP on the main menu to invoke the UPnP menu:
Figure 6-7: Universal Plug and Play menu
2.
Fill out the UPnP screen:
• Turn UPnP On: UPnP can be enabled or disabled for automatic device configuration. The
default setting for UPnP is enabled. If disabled, the Router will not allow any device to
automatically control the resources, such as port forwarding (mapping), of the Router.
• Advertisement Period: The Advertisement Period is how often the Router will advertise
(broadcast) its UPnP information. This value can range from 1 to 1440 minutes. The
default period is for 30 minutes. Shorter durations will ensure that control points have
current device status at the expense of additional network traffic. Longer durations may
compromise the freshness of the device status but can significantly reduce network traffic.
• Advertisement Time To Live: The time to live for the advertisement is measured in hops
(steps) for each UPnP packet sent. A hop is the number of steps allowed to propagate for
each UPnP advertisement before it disappears. The number of hops can range from 1 to
255. The default value for the advertisement time to live is 4 hops, which should be fine
for most home networks. If you notice that some devices are not being updated or reached
correctly, then it may be necessary to increase this value a little.
6-12 Advanced Configuration
202-10005-05, June 2005
Page 89
Reference Manual for the ADSL Firewall Router DG834
• UPnP Portmap Table: The UPnP Portmap Table displays the IP address of each UPnP
device that is currently accessing the Router and which ports (Internal and External) that
device has opened. The UPnP Portmap Table also displays what type of port is opened and
if that port is still active for each IP address.
3. To save, cancel or refresh the table:
a. Click Apply to save the new settings to the Router.
b. Click Cancel to disregard any unsaved changes.
c. Click Refresh to update the portmap table and to show the active ports that are currently
opened by UPnP devices.
Advanced Configuration 6-13
202-10005-05, June 2005
Page 90
Reference Manual for the ADSL Firewall Router DG834
6-14 Advanced Configuration
202-10005-05, June 2005
Page 91
Chapter 7
Virtual Private Networking (Advanced Feature)
This chapter describes how to use the virtual private networking (VPN) features of the DG834
ADSL router. VPN communications paths are called tunnels. VPN tunnels provide secure,
encrypted communications between your local network and a remote network or computer.
This chapter is organized as follows:
• “Overview of VPN Configuration” on page 7-2 provides an overview of the two most
common VPN configurations: Client-to-Gateway and Gateway-to-Gateway.
• “Planning a VPN” on page 7-3 provides a worksheet for recording the configuration
parameters of the VPN you want to set up, along with the VPN Committee (VPNC)
recommended default parameters set by the VPN Wizard.
• “VPN Tunnel Configuration” on page 7-6 summarizes the three ways to configure a VPN
tunnel: VPN Wizard (recommended for most situations), Auto Policy, and Manual Policy.
• “How to Set Up a Client-to-Gateway VPN Configuration” on page 7-6 provides the steps
needed to configure a VPN tunnel between a remote PC and a network gateway using the VPN
Wizard and the NETGEAR ProSafe VPN Client.
• “How to Set Up a Gateway-to-Gateway VPN Configuration” on page 7-20 provides the steps
needed to configure a VPN tunnel between two network gateways using the VPN Wizard.
• “VPN Tunnel Control” on page 7-27 provides the step-by-step procedures for activating,
verifying, deactivating, and deleting a VPN tunnel once the VPN tunnel has been configured.
• “How to Set Up VPN Tunnels in Special Circumstances” on page 7-35 provides the steps
needed to configure VPN tunnels when there are special circumstances and the VPNC
recommended defaults of the VPN Wizard are inappropriate. The two alternatives for
configuring VPN tunnels are Auto Policy and Manual Policy.
Virtual Private Networking (Advanced Feature) 7-1
202-10005-05, June 2005
Page 92
Reference Manual for the ADSL Firewall Router DG834
Overview of VPN Configuration
T wo common scenarios for configuring VPN tunnels are between a remote personal computer an d
a network gateway and between two or more network gateways. The DG834 supports both of
these types of VPN configurations. The DG834 ADSL router supports up to five concurrent
tunnels.
Client-to-Gateway VPN Tunnels
Client-to-Gateway VPN Tunnels provide secure access from a remote PC, such as a telecommuter
connecting to an office network (see Figure 7-1).
VPN Tunnel
DG834
PC
(Running NETGEAR
PCs
Figure 7-1: Client-to-Gateway VPN Tunnel
A VPN client access allows a remote PC to connect to your network from any location on the
Internet. In this case, the remote PC is one tunnel endpoint, running the VPN client software. The
DG834 ADSL router on your network is the other tunnel endpoint. See “How to Set Up a
Client-to-Gateway VPN Configuration” on page 7-6 to set up this configuration.
ProSafe VPN Client)
Gateway-to-Gateway VPN Tunnels
• Gateway-to-Gateway VPN Tunnels provide secure access between networks, such as a branch
or home office and a main office (see Figure 7-2).
7-2 Virtual Private Networking (Advanced Feature)
202-10005-05, June 2005
Page 93
A
DG834 VPN Firewall
Reference Manual for the ADSL Firewall Router DG834
VPN Tunnel
B
DG834 VPN Firewall
PCs
Figure 7-2: Gateway-to-Gateway VPN Tunnel
A VPN between two or more NETGEAR VPN-enabled routers is a good way to connect branch or
home offices and business partners over the Internet. VPN tunnels also enable access to network
resources across the Internet. In this case, use DG834s on each end of the tunnel to form the VPN
tunnel end points. See “How to Set Up a Gateway-to-Gateway VPN Configuration” on page 7-20
to set up this configuration.
PCs
Planning a VPN
When you set up a VPN, it is helpful to plan the network configuration and record the
configuration parameters on a worksheet:
Virtual Private Networking (Advanced Feature) 7-3
202-10005-05, June 2005
Page 94
Reference Manual for the ADSL Firewall Router DG834
Table 7-1. VPN Tunnel Configuration Worksheet
Connection Name:
Pre-Shared Key:
Secure Association -- Main Mode or Manual Keys:
Perfect Forward Secrecy -- Enabled or Disabled:
NETBIOS -- Enabled or Disabled:
Encryption Protocol -- DES or 3DES:
Authentication Protocol -- MD5 or SHA-1:
Diffie-Hellman (DH) Group -- Group 1 or Group 2:
Key Life in seconds:
IKE Life Time in seconds:
VPN Endpoint Local IPSec ID LAN IP Address Subnet Mask
FQDN or Gateway IP
(WAN IP Address)
To set up a VPN connection, you must configure each endpoint with specific identification and
connection information describing the other endpoint. You must configure the outbound VPN
settings on one end to match the inbound VPN settings on other end, and vice versa.
This set of configuration information defines a security association (SA) between the two VPN
endpoints. When planning your VPN, you must make a few choices first:
• Will the local end be any device on the LAN, a portion of the local network (as defined by a
subnet or by a range of IP addresses), or a single PC?
• Will the remote end be any device on the remote LAN, a portion of the remote network (as
defined by a subnet or by a range of IP addresses), or a single PC?
• Will either endpoint use Fully Qualified Domain Names (FQDNs)? FQDNs supplied by
Dynamic DNS providers (see “The Use of a Fully Qualified Domain Name (FQDN)” on page
E-7) can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel
request. Otherwise, the side using a dynamic IP address must always be the initiator.
7-4 Virtual Private Networking (Advanced Feature)
202-10005-05, June 2005
Page 95
Reference Manual for the ADSL Firewall Router DG834
• What method will you use to configure your VPN tunnels?
— The VPN Wizard using VPNC defaults (see Table 7-2)
— The typical automated Internet Key Exchange (IKE) setup (see “Using Auto Policy to
Configure VPN Tunnels” on page 7-36)
— A Manual Keying setup in which you must specify each phase of the connection (see
“Using Manual Policy to Configure VPN Tunnels” on page 7-48)?
Table 7-2. Parameters Recommended by the VPNC and Used in the VPN Wizard
Parameter Factory Default
Secure Association Main Mode
Authentication Method Pre-shared Key
Encryption Method 3DES
Authentication Protocol SHA-1
Diffie-Hellman (DH) Group Group 2 (1024 bit)
Key Life 8 hours
IKE Life Time 1 hour
NETBIOS Enabled
• What level of IPSec VPN encryption will you use?
— DES - The Data Encryption Standard (DES) processes input data that is 64 bits wide,
encrypting these values using a 56 bit key. Faster but less secure than 3DES.
— 3DES - (Triple DES) achieves a higher level of security by encrypting the data three times
using DES with three different, unrelated keys.
• What level of authentication will you use?
— MDS: 128 bits, faster but less secure.
— SHA-1: 160 bits, slower but more secure.
Note: NETGEAR publishes additional interoperability scenarios with various gateway
and client software products. Look on the NETGEAR web site at
www.netgear.com for these interoperability scenarios.
Virtual Private Networking (Advanced Feature) 7-5
202-10005-05, June 2005
Page 96
Reference Manual for the ADSL Firewall Router DG834
VPN Tunnel Configuration
There are two tunnel configurations and three ways to configure them:
• Use the VPN Wizard to configure a VPN tunnel (recommended for most situations):
— See “How to Set Up a Client-to-Gateway VPN Configuration” on page 7-6.
— See “How to Set Up a Gateway-to-Gateway VPN Configuration” on page 7-20.
• See “Using Auto Policy to Configure VPN Tu nn els” on page 7- 36 when the VPN Wizard and
its VPNC defaults (see Table 7-2 on page 7-5) are not appropriate for your special
circumstances, but you want to automate the Internet Key Exchange (IKE) setup.
• See “Using Manual Policy to Configure VPN Tunnels” on page 7-48 when the VPN Wizard
and its VPNC defaults (see Table 7-2 on page 7-5) are not appropriate for your special
circumstances and you must specify each phase of the connection. You manually enter all the
authentication and key parameters. You have more control over the process, however the
process is more complex and there are more opportunities for errors or configuration
mismatches between your DG834 and the corresponding VPN endpoint gateway or client
workstation.
How to Set Up a Client-to-Gateway VPN Configuration
Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a
network gateway (see Figure 7-3) involves the following two steps:
• “Step 1: Configuring the Client-to-Gateway VPN Tunnel on the DG834” on page 7-7 uses the
VPN Wizard to configure the VPN tunnel between the remote PC and network gateway.
• “Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC” on page 7-12
configures the NETGEAR ProSafe VPN Client endpoint.
7-6 Virtual Private Networking (Advanced Feature)
202-10005-05, June 2005
Page 97
Reference Manual for the ADSL Firewall Router DG834
VPN Tunnel
22.23.24.25
DG834
192.168.3.1
PCs
Figure 7-3: Client-to-Gateway VPN Tunnel
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the DG834
Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC
default parameters listed in Table 7-2 on page 7-5. If you have special requirements not
covered by these VPNC-recommended parameters, refer to “How to Set Up VPN
Tunnels in Special Circumstances” on page 7-35 to set up the VPN tunnel.
0.0.0.0
PC
(Running NETGEAR
ProSafe VPN Client)
Virtual Private Networking (Advanced Feature) 7-7
202-10005-05, June 2005
Page 98
Reference Manual for the ADSL Firewall Router DG834
The worksheet below identifies the parameters used in the following procedure. A blank
worksheet is at “Planning a VPN” on page 7-3.
Table 7-3. VPN Tunnel Configuration Worksheet
Connection Name: RoadWarrior
Pre-Shared Key: 12345678
Secure Association -- Main Mode or Manual Keys: Main
Perfect Forward Secrecy -- Enabled or Disabled: Disabled
NETBIOS -- Enabled or Disabled: Enabled
Encryption Protocol -- DES or 3DES: 3DES
Authentication Protocol -- MD5 or SHA-1: SHA-1
Diffie-Hellman (DH) Group -- Group 1 or Group 2: Group 2
Key Life in seconds: 28800
IKE Life Time in seconds: 3600 (1 hour)
(8 hours)
FQDN or Gateway IP
VPN Endpoint Local IPSec ID LAN IP Address Subnet Mask
Client toDG834 — — Dynamic
DG834 toClient 192.168.3.1 255.255.255.0 22.23.24.25
(WAN IP Address)
Follow this procedure to configure a client-to-gateway VPN tunnel using the VPN Wizard.
1. Log in to the DG834 at its LAN address of http://192.168.0.1 with its default user name of
admin and password of password. Click the VPN Wizard link in the main menu to display
this screen. Click Next to proceed.
7-8 Virtual Private Networking (Advanced Feature)
202-10005-05, June 2005
Page 99
Reference Manual for the ADSL Firewall Router DG834
Figure 7-4: VPN Wizard Start Screen
Fill in the Connection Name and the pre-shared key, select the type of target end point, and
2.
click Next to proceed.
Note: The Connection Name is arbitrary and not relevant to how the configuration functions.
Enter the new Connection Name:
(e.g., RoadWarrior)
Enter the pre-shared key:
(e.g., 12345678)
Select the radio button:
A remote VPN client (single PC)
Figure 7-5: Connection Name and Remote IP Type
Virtual Private Networking (Advanced Feature) 7-9
202-10005-05, June 2005
Page 100
Reference Manual for the ADSL Firewall Router DG834
The Summary screen below displays.
Figure 7-6: VPN Wizard Summary
7-10 Virtual Private Networking (Advanced Feature)
202-10005-05, June 2005
Loading...