Netgear FM114P, FR114P, FR114W Reference Guide

Download

Reference Manual for the Model FR114P, FR114W and FM114P Cable/D SL ProSafe Firewall Family

NETGEAR,Inc.

4500 Great America Parkway Santa Clara, CA 95054 USA Phone 1-888-NETGEAR

SM-FM114PNA-0 May 2002

Trademarks

NETGEAR and Auto Uplink are trademarks or registered trademarks of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.

NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

• Consult the dealer or an experienced radio/TV technician for help.

EN 55 022 Declaration of Conformance

This is to certify that the FR114P, FR114W or FM114P Cable/DSL ProSafe Firewall is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22).

Bestätigung des Herstellers/Importeurs

Es wird hiermit bestätigt, daß das FR114P, FR114W or FM114P Cable/DSL ProSafe Firewall gemäß der im BMPT-AmtsblVfg243/1991 und Vfg 46/1992 aufgeführtenBestimmungenentstört ist. Das vorschriftsmäßigeBetreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungenin der Betriebsanleitung.

Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.

Certificate of t he Manufacturer/Importer

It is hereby certified that the FR114P, FR114W or FM114P Cable/DSL ProSafe Firewall has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.

Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.

Voluntary Control Council for Interference (VCCI) Statement

This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.

When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling.

Technical Support

Refer to the Support Information Card that shipped with your FR114P, FR114W or FM114P Cable/DSL ProSafe Firewall.

World Wide Web

NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.

iii

About This Guide

Typographical Conventions ............................................................................................. xv

Special Message Formats ...............................................................................................xvi

Technical Support ............................................................................................................xvi

Related Publications ........................................................................................................xvi

Chapter 1 Introduction

About the NETGEAR ProSafe Firewalls .........................................................................1-1

Key Features ..................................................................................................................1-1

A Powerful, True Firewall .........................................................................................1-2

Content Filtering .......................................................................................................1-3

Configurable Ethernet Connection ...........................................................................1-3

Protocol Support ......................................................................................................1-3

Easy Installation and Management ..........................................................................1-4

Maintenance and Support ........................................................................................1-5

Chapter 2 SettingUptheHardware

Package Contents ..........................................................................................................2-1

Local Network Hardware Requirements .........................................................................2-2

PC Requirements ..............................................................................................2-2

Access Device Requirement .............................................................................2-2

The Firewall’s Front Panel ..............................................................................................2-3

The Firewall’s Rear Panel ..............................................................................................2-4

Connecting the Firewall ..................................................................................................2-4

Connecting to Your Internet Access Device .............................................................2-5

Connecting to your Local Ethernet Network .............................................................2-5

Preparing your Wireless Devices .............................................................................2-6

Installing a Wireless Card in the FR114W .........................................................2-6

Connecting the Power Adapter ................................................................................2-6

Contents v

Verifying Connections .....................................................................................................2-7

Chapter 3 Preparing Your Network

Preparing Your Personal Computers for IP Networking .................................................3-1

Configuring Windows 95, 98, and ME for IP Networking ................................................3-2

Install or Verify Windows Networking Components ..................................................3-2

Assign TCP/IP configuration by DHCP ....................................................................3-4

Selecting Internet Access Method ............................................................................3-4

Verifying TCP/IP Properties .....................................................................................3-5

Configuring Windows NT or 2000 for IP Networking ......................................................3-5

Install or Verify Windows Networking Components ..................................................3-5

Verifying TCP/IP Properties .....................................................................................3-6

Configuring the Macintosh for IP Networking .................................................................3-6

MacOS 8.6 or 9.x ...............................................................................................3-7

MacOS X ...........................................................................................................3-7

Verifying TCP/IP Properties (Macintosh) ..................................................................3-8

Your Internet Account .....................................................................................................3-8

Login Protocols ........................................................................................................3-9

Account Information .................................................................................................3-9

Obtaining ISP Configuration Information (Windows) .......................................3-10

Obtaining ISP Configuration Information (Macintosh) .....................................3-11

Restarting the Network .................................................................................................3-11

Ready for Configuration ................................................................................................3-12

Chapter 4 Basic Configuration

Accessing the Web Configuration Manager ...................................................................4-1

Configuration using the Setup Wizard ............................................................................4-4

Configuring for Dynamic IP Account ........................................................................4-5

Configuring for Fixed IP Account .............................................................................4-6

Configuring for an Account with Login .....................................................................4-7

Manual Configuration .....................................................................................................4-8

Completing the Configuration .........................................................................................4-9

Chapter 5 Security

What is a Firewall ...........................................................................................................5-1

vi Contents

Security Log ....................................................................................................................5-2

Examples of log messages ......................................................................................5-4

Activation and Administration ............................................................................5-4

Dropped Packets ...............................................................................................5-4

Block Sites ......................................................................................................................5-5

Rules ..............................................................................................................................5-6

Inbound Rules (Port Forwarding) .............................................................................5-8

Inbound Rule Example: A Local Public Web Server ..........................................5-9

Inbound Rule Example: Allowing Videoconference from Restricted Addresses 5-10

Considerations for Inbound Rules: ..................................................................5-10

Outbound Rules (Service Blocking) .......................................................................5-11

Following is an application example of outbound rules: ..................................5-11

Outbound Rule Example: Blocking Instant Messenger ...................................5-11

Order of Precedence for Rules ..............................................................................5-12

Default DMZ Server ...............................................................................................5-12

Respond to Ping on Internet WAN Port .................................................................5-13

Services ........................................................................................................................5-14

Schedule .......................................................................................................................5-16

Time Zone ........................................................................................................5-17

E-Mail ...........................................................................................................................5-18

Chapter 6 Wireless

Wireless Settings ............................................................................................................6-2

Identification ......................................................................................................6-2

Options ..............................................................................................................6-3

Access Point ......................................................................................................6-3

Configuring WEP (Wired Equivalent Privacy) .................................................................6-4

Restricting Wireless Access by MAC Address ...............................................................6-5

Additional Notes .............................................................................................................6-6

Security ....................................................................................................................6-6

Placement and Range ..............................................................................................6-6

Chapter 7 Print Server

Network Printing from Windows .....................................................................................7-1

Installing the PTP Driver ..........................................................................................7-1

Contents vii

Printer Management ..........................................................................................7-3

Port Options .......................................................................................................7-3

LPD/LPR Printing from Windows .............................................................................7-4

Windows NT 4.0 Server Configuration ..............................................................7-5

Client PC Setup for LPD/LPR Printing ...............................................................7-7

Network Printing from the Macintosh ..............................................................................7-9

MacOS 8 or 9 Configuration .....................................................................................7-9

MacOS X Configuration .........................................................................................7-10

Network Printing from Linux .........................................................................................7-10

Troubleshooting the Print Server ..................................................................................7-10

Chapter 8 Maintenance

System Status .................................................................................................................8-1

Attached Devices ............................................................................................................8-4

Changing the Administration Password ..........................................................................8-4

Configuration File Settings Management .......................................................................8-5

Restore and Backup the Configuration ....................................................................8-6

Erase the Configuration ...........................................................................................8-6

Router Upgrade ..............................................................................................................8-7

Diagnostics .....................................................................................................................8-8

Ping an IP Address ..................................................................................................8-8

Perform a DNS Lookup ............................................................................................8-8

Display the Routing Table ........................................................................................8-9

Reboot the Router ....................................................................................................8-9

Chapter 9 Advanced Configuration

Dynamic DNS .................................................................................................................9-1

LAN IP Setup ..................................................................................................................9-3

LAN TCP/IP Setup ...................................................................................................9-3

MTU Size .................................................................................................................9-5

DHCP .......................................................................................................................9-5

Use router as DHCP server ...............................................................................9-5

Reserved IP adresses .......................................................................................9-6

Static Routes ..................................................................................................................9-6

Static Route Example ...............................................................................................9-8

viii Contents

Remote Management .....................................................................................................9-9

Chapter 10 Troubleshooting

Basic Functioning .........................................................................................................10-1

Power LED Not On .................................................................................................10-2

Test LED Never Turns On or Test LED Stays On ...................................................10-2

Local or Internet Port Link LEDs Not On ................................................................10-2

Troubleshooting the Web Configuration Interface ........................................................10-4

Troubleshooting the ISP Connection ............................................................................10-5

Troubleshooting a TCP/IP Network Using a Ping Utility ...............................................10-6

Testing the LAN Path to Your Firewall ....................................................................10-6

Testing the Path from Your PC to a Remote Device ..............................................10-7

Restoring the Default Configuration and Password ......................................................10-8

Using the Default Reset button ..............................................................................10-8

Problems with Date and Time .......................................................................................10-8

Appendix A Technical Specifications

Appendix B Networks, Routing, and Firewall Basics

Basic Router Concepts .................................................................................................. B-1

What is a Router? ................................................................................................... B-1

Routing Information Protocol ................................................................................... B-2

IP Addresses and the Internet ................................................................................. B-2

Netmask .................................................................................................................. B-4

Subnet Addressing .................................................................................................. B-5

Private IP Addresses ............................................................................................... B-7

Single IP Address Operation Using NAT ................................................................. B-8

MAC Addresses and Address Resolution Protocol ................................................. B-9

Domain Name Server .............................................................................................. B-9

IP Configuration by DHCP .................................................................................... B-10

Internet Security and Firewalls .................................................................................... B-10

What is a Firewall? ................................................................................................ B-10

Stateful Packet Inspection ......................................................................................B-11

Denial of Service Attack .........................................................................................B-11

Wireless Networking .................................................................................................... B-12

Contents ix

Wireless Network Configuration ............................................................................ B-12

Ad-hoc Mode (Peer-to-Peer Workgroup) ........................................................ B-12

Infrastructure Mode ........................................................................................ B-12

Extended Service Set Identification (ESSID) ........................................................ B-13

Authentication and WEP Encryption ..................................................................... B-13

Wireless Channel Selection .................................................................................. B-14

Ethernet Cabling .......................................................................................................... B-15

Uplink Switches and Crossover Cables ................................................................ B-16

Cable Quality ......................................................................................................... B-16

Glossary Index

x Contents

Figure 2-1. FR114P Front Panel ................................................................................2-3

Figure 2-2. FR114P Rear Panel .................................................................................2-4

Figure 4-1. Login window ...........................................................................................4-2

Figure 4-2. Browser-based configuration main menu ................................................4-3

Figure 4-3. Setup Wizard menu for Dynamic IP address ...........................................4-5

Figure 4-4. Setup Wizard menu for Fixed IP address ................................................4-6

Figure 4-5. Setup Wizard menu for PPPoE login accounts ........................................4-7

Figure 5-1. Logs menu ...............................................................................................5-2

Figure 5-2. Block Sites menu .....................................................................................5-5

Figure 5-3. Rules menu ..............................................................................................5-6

Figure 5-4. Rule example: A Local Public Web Server ..............................................5-9

Figure 5-5. Rule example: Videoconference from Restricted Addresses .................5-10

Figure 5-6. Rule example: Blocking Instant Messenger ...........................................5-11

Figure 5-7. Rules table with examples .....................................................................5-12

Figure 5-8. Services menu .......................................................................................5-14

Figure 5-9. Add Custom Service menu ....................................................................5-15

Figure 6-1. Wireless Settings menu ...........................................................................6-2

Figure 6-2. Wireless WEP menu ................................................................................6-4

Figure 6-3. Wireless Access menu .............................................................................6-5

Figure 8-1. System Status screen ..............................................................................8-1

Figure 8-2. Router Statistics screen ...........................................................................8-3

Figure 8-3. Attached Devices menu ...........................................................................8-4

Figure 8-4. Set Password menu .................................................................................8-5

Figure 8-5. Settings Backup menu .............................................................................8-6

Figure 8-6. Router Upgrade menu .............................................................................8-7

Figure 8-7. Diagnostics menu ....................................................................................8-8

Figure 9-1. Dynamic DNS menu ................................................................................9-2

Figure 9-2. LAN IP Setup Menu .................................................................................9-3

Figure 9-3. Static Routes Summary Table ..................................................................9-7

Figure 9-4. Static Route Entry and Edit Menu ............................................................9-7

Figure B-1. Three Main Address Classes .................................................................. B-3

Figure B-2. Example of Subnetting a Class B Address ............................................. B-5

Figure B-3. Single IP Address Operation Using NAT ................................................ B-8

xii

Table 2-1. LED Descriptions .....................................................................................2-3

Table 5-1. Log entry descriptions ..............................................................................5-3

Table 5-2. Log action buttons ....................................................................................5-3

Table 8-1. Menu 3.2 - System Status Fields .............................................................8-2

Table 8-2. Router Statistics Fields ...........................................................................8-3

Table B-1. Netmask Notation Translation Table for One Octet ................................. B-6

Table B-2. Netmask Formats .................................................................................... B-6

Table B-3. 802.11 Radio Frequency Channels ....................................................... B-14

Table B-4. UTP Ethernet cable wiring, straight-through ......................................... B-15

xiii

xiv

About This Guide

Congratulations on your purchase of the NETGEAR™FR114P, FR114W or FM114P Cable/DSL ProSafe Firewall. A firewall is a special type of router that incorporates features for security. The NETGEAR ProSafe Firewall is a complete security solution that protects your network from attacks and intrusions.

This guide describes the features of the firewall and provides installation and configuration instructions.

Typographical Conventions

This guide uses the following typographical conventions: italics Book titles and UNIX file, command, and directory names.

courier font Screen text, user-typed command-line entries.

Initial Caps Menu titles and window and button names. [Enter] Named keys in text are shown enclosed in square brackets. The notation

[Enter] is used for the Enter key and the Return key.

[Ctrl]+C Two or more keys that must be pressed simultaneously are shown in text

linked with a plus (+) sign.

ALL CAPS DOS file and directory names.

About This Guide xv

ReferenceManualfortheModelFR114P,FR114WandFM114PCable/DSLProSafeFirewallFamily

Special Message Formats

This guide uses the following formats to highlight special messages:

Note: This format is used to highlight information of importance or special interest.

Caution: This format is used to highlight information that will help you prevent

equipment failure or loss of data.

Warning: This format is used to highlight information about the possibility of injury or

equipment damage.

Danger: This format is used to alert you that there is the potential for incurring an

electrical shock if you mishandle the equipment.

Technical Support

For help with any technical issues, contact Customer Support at 1-888-NETGEAR, or visit us on the Web at www.NETGEAR.com. The NETGEAR Web site includes an extensive knowledge base, answers to frequently asked questions, and a means for submitting technical questions online.

Related Publications

As you read this document, you m ay be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organizationthat defines the architecture and operation of the Internet. The RFC documents outline and define the standard protocols and procedures for the Internet. The documents are listed on the World Wide Web at www.ietf.org andaremirroredandindexedat many other sites worldwide.

xvi About This Guide

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

For more information about address assignment, refer to the IETF documents RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.

For more information about IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).

About This Guide xvii

Chapter 1

Introduction

This chapter describes the features of the NETGEAR FR114P, FR114W and FM114P Cable/DSL ProSafe Firewalls.

About the NETGEAR ProSafe Firewalls

The NETGEAR ProSafe Firewall is a complete security solution that protects your network from attacks and intrusions. Unlike simple Internet sharing routers that rely on NAT for security,the NETGEAR ProSafe Firewall uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection. The NETGEAR ProSafe Firewall allows Internet access for up to 253 users. The ProSafe Firewall family consists of these three products:

• FR114P Firewall with Print Server

• FR114W Wireless-Ready Firewall

• FM114P Wireless Firewall with Print Server The FR114P and FM114P firewalls include a built-in print server, allowing the sharing of a printer

by all PCs on your network. The FM114P firewall includes an 802.11b-compliant wireless access point, while the FR114W firewall can be upgraded to an access point by adding a NETGEAR

802.11b wireless adapter card.

Key Features

The NETGEAR ProSafe Firewalls offer the following features.

Introduction 1-1

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

A Powerful, True Firewall

Unlike simple Internet sharing NAT routers, the NETGEAR ProSafe Firewall is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:

• Denial of Service (DoS) protection Automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.

• Blocks unwanted traffic from the Internet to your LAN.

• Blocks access from your LAN to Internet locations or services that you specify as off-limits.

• Logs security incidents The NETGEAR ProSafe Firewall will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. Youcan configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.

Wireless Access Point

The FM114P firewall includes an 802.11b-compliant wireless access point, while the FR114W firewall can be upgraded to an access point by adding a NETGEAR 802.11bwireless adapter card. With an integrated wireless access point, the firewall provides continuous, high-speed 11 Mbps access between your wireless and Ethernet devices. The access point provides:

• 802.11b Standards-based wireless networking at up to 11 Mbps

• 64-bit and 128-bit WEP encryption security

• WEP keys can be generated manually or by passphrase

• Wireless access can be restricted by MAC address

Integrated Print Server

The FR114P and FM114P NETGEAR ProSafe Firewalls include a built-in print server. A print server eliminates the bottleneck of a dedicated always-on PC print server and supports multiple print jobs simultaneously.

• Protocol Support PTP (Peer-to-Peer) over TCP/IP for Windows LPR printing for Windows, Macintosh, or Linux

1-2 Introduction

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

• High-speed Parallel Port Connection 36 pin Centronics, bi-directional IEEE 1284 compliant (supports Nibble mode) with up to

1.5Mbps transfer rate

Content Filtering

With its content filtering feature, the NETGEAR ProSafe Firewall prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectional Internet sites.

Configurable Ethernet Connection

With its internal 4-port 10/100 switch, the NETGEAR ProSafe Firewall can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. The local LAN interface is autosensing and is capable of full-duplex or half-duplex operation. An uplink switch is provided for cascading to an external Ethernet hub or switch.

Protocol Support

The NETGEAR ProSafe Firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP).

For further information about TCP/IP, refer to Appendix B, “Networks, Routing, and Firewall

Basics.”

• IP Address Sharing by NAT The NETGEAR ProSafe Firewall allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as Network Address Translation (NAT), allows the use of an inexpensive single-user ISP account.

• Automatic Configuration of Attached PCs by DHCP The NETGEAR ProSafe Firewall dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.

Introduction 1-3

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

• DNS Proxy When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.

• PPP over Ethernet (PPPoE) PPP over Ethernet is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.

•DynamicDNS Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The firewall contains a client that can connect to many popular Dynamic DNS services to register your dynamic IP address.

Easy Installation and Management

You can install, configure, and operate the NETGEAR ProSafe Firewall within minutes after connecting it to the network. The following features simplify installation and management tasks:

• Browser-based management Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizardis provided and online help documentation is built into the browser-based Web Management Interface.

• Smart Wizard The firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.

• Remote management The firewall allows you to login to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.

• Diagnostic functions The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot.

• Visual monitoring The firewall’s front panel LEDs provide an easy way to monitor its status and activity.

1-4 Introduction

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the firewall:

• Flash EPROM for firmware upgrade

• Technical support seven days a week, twenty-four hours a day

Introduction 1-5

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

1-6 Introduction

Chapter 2

Setting Up the Hardware

This chapter describesthe hardware installation of the FR114P, FR114W and FM114P Cable/DSL ProSafe Firewalls.

Package Contents

The product package should contain the following items:

• FR114P, FR114W or FM114P Cable/DSL ProSafe Firewall

• AC power adapter

• Category 5 (CAT5) Ethernet cable

• Resource CD, including: — This manual — Installer for Print server driver (applies to FR114P or FM114P only) — Application Notes, Tools, and other helpful information

• NETGEAR Cable/DSL ProSafe Firewall Installation Guide (for each model)

• Warranty and registration card

• Support information card

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

Setting Up the Hardware 2-1

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Local Network Hardware Requirements

The NETGEAR ProSafe Firewall is intended for use in a network of personal computers (PCs) that are interconnected by twisted-pair Ethernet cables.

PC Requirements

To install and run the NETGEAR ProSafe Firewall over your network of PCs, each PC must have an installed Ethernet Network Interface Card (NIC) and an Ethernet cable. If the PC will connect to your network at 100 Mbps, you must use a C ategory 5 (CAT5) cable such as the cable provided with your firewall.

Any PC that will connect to the firewall (FR114W and FM114P only) by a wireless connection must have an 802.11b-compliant wireless adapter card.

Access Device Requirement

The shared broadband access device (cable modem or DSL modem) must provide a standard 10 Mbps (10BASE-T) Ethernet interface.

2-2 Setting Up the Hardware

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

The Firewall’s Front Panel

The front panel of the NETGEAR ProSafe Firewall contains status LEDs. The FR114P front panel is shown in Figure 2-1

Figure 2-1. FR114P Front Panel

You can use some of the LEDs to verify connections. Table 2-1 lists and describes each LED on the front panel of the firewall. These LEDs are green when lit, except for the TEST LED, which is amber.

Table 2-1. LED Descriptions

Label Activity Description

POWER On Power is supplied to the firewall. TEST On

Off

PRINTER (These LEDs present only on FR114P and FM114P)

ACT Blinking Data is being transmitted or received by the Printer port. ALERT On (Amber) The connected printer is offline, is out of paper,or has a paper

INTERNET

100 (100 Mbps) On

Off

LINK/ACT (Link/Activity)

LOCAL

100 (100 Mbps) On

LINK/ACT (Link/Activity)

WLAN On The Wireless (WLAN) port is operating (FR114Wand FM114P)

On Blinking

Off On

Blinking

The system is initializing. The system is ready and running.

jam.

The Internet (WAN) port is operating at 100 Mbps. The Internet (WAN) port is operating at 10 Mbps.

The Internet port has detected a link with an attached device. Data is being transmitted or received by the Internet port.

The Local port is operating at 100 Mbps. The Local port is operating at 10 Mbps.

The Local port has detected a link with an attached device. Data is being transmitted or received by the Local port.

Setting Up the Hardware 2-3

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

The Firewall’s Rear Panel

The rear panel of the NETGEAR ProSafe Firewall contains port connections. The FR114P Firewall rear panel is shown in Figure 2-2

Figure 2-2. FR114P Rear Panel

The rear panel contains the following features:

• AC power adapter outlet

• Internet (WAN) Ethernet port for connecting the firewall to a cable or DSL modem

• Four Local (LAN) Ethernet ports for connecting the firewall to the local PCs

• Uplink switch for converting LAN port 4 to uplink (crossover) wiring

• Factory Default Reset pushbutton

• Parallel Printer port (FR114P and FM114P only)

• Wireless adapter slot (FR114W only)

• Wireless antenna (FM114P only)

Connecting the Firewall

Before using your firewall, you need to do the following:

• Connect your cable or DSL modem to the Internet port of the firewall (described next.

• Connect your local Ethernet network to the Local port(s) of the firewall (see page 2-5).

• Prepare your wireless devices.

• Install your wireless adapter card (FR114W only)

• Connect the power adapter (see page 2-6)

Note: The Resource CD included with your firewall contains an animated Connection Guide to

help you through this procedure.

2-4 Setting Up the Hardware

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Connecting to Your Internet Access Device

Your cable or DSL modem must provide a standard 10BASE-T or 100BASE-Tx Ethernet connection (not USB) for connection to your PC or network. The FR114P Firewall does not include a cable for this connection. Instead, use the Ethernet cable provided with your access device or any other standard Ethernet cable. Follow these steps:

1. Locate the Ethernet cable currentlygoing from your DSL or cable modem to the computer that

you use to access the Internet.

Note: You must use the existing cable to connect the modem to your firewall, not to connect

your PCs to your firewall. The Ethernet cable supplied by your ISP for connecting to your cable or DSL modem may be an Ethernet crossover cable rather than a normal straight-through cable.

2. Remove this cable from the computer and insert that end into the Internet port on the firewall.

3. Turn the cable or DSL modem off for ten seconds, then on again.

Connecting to your Local Ethernet Network

Your local area network (LAN) will attach to the firewall’s Local ports shown in Figure 2-2.The Local ports are capable of operation at either 10 Mbps (10BASE-T) or 100 Mbps (100BASE-Tx), depending on the Ethernet interface of the attached PC, hub, or switch. For any connection which will operate at 100 Mbps, you must use a Category 5 (CAT5) rated Ethernet cable, such as the cable included with the firewall.

The FR114P Firewall incorporates a four-port switch for connection to your local network. Ports 1 through 3 are permanently configured for MDI-X wiring, for connection to a PC. Port 4 can be set to MDI (Uplink) or MDI-X (Normal) by using the Normal/Uplink pushbutton switch.

Connect up to four PCs directly to any of the four Local ports of the firewall using standard Ethernet cables such as the one included with your firewall. If a PC is connected to port 4, be sure that the Normal/Uplink pushbutton switch is in the Normal position.

If your local network consists of more than four hosts, you will need to connect your firewall to another hub or switch. In t his case, connect port 4 of your firewall to any port of an Ethernet hub or switch, and set the Normal/Uplink pushbutton switch to the Uplink position.

Setting Up the Hardware 2-5

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Preparing your Wireless Devices

For the FM114P Wireless Firewall with Print Server, rotate the antenna to a vertical position and tighten the base.

Installing a Wireless Card in the FR114W

The FR114W Wireless-Ready Firewall can be upgraded to wireless operation by purchasing and installing a NETGEAR Model MA401 802.11b Wireless PC Card. The FR114W will function normally without a wireless adapter card, but will not have wireless connectivity. To install the MA401 Wireless PC Card in your FR114W, follow these steps:

1. Locate the wireless adapter card slot on the rear panel.

2. Remove the rubber dust cover from the slot.

3. Slide the MA401 card into the slot with the card’s front label and LED facing up.

4. Be sure that the MA401 card is securely seated into the internal connector.

The blue plastic end cap of the MA401card should be outside of the FR114W’s case.

Initial Configuration of Your Wireless PCs

Detailed instructions on configuring your wireless devices for TCP/IP networking are provided in the next chapter. However,if you already have a functioning wireless network and you wish to use a wireless PC to initially configure the firewall, you will need to change the settings of that PC to match the default settings of the firewall:

• The SSID should be Wireless (note the capitalization).

• WEP encryption is disabled.

• Your IP address must be in the range of 192.168.0.2 to 192.168.0.254, with a netmask of

255.255.255.0.

Connecting the Power Adapter

To connect the firewall to the power adapter:

1. Plug the connector of the power adapter into the power adapter outlet on the rear panel of the

firewall.

2. Plug the other end of the adapter into a standard wall outlet.

3. Verify that the Power LED on the firewall is lit.

2-6 Setting Up the Hardware

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Verifying Connections

After applying power to the firewall, complete the following steps to verify the connections to it:

1. When power is first applied, verify that the POWER LED is on.

2. Verify that the TEST LED turns on within a few seconds.

3. After approximately 10 seconds, verify that: a. The TEST LED has turned off. b. The LOCAL LINK/ACT LEDs are lit for any local ports that are connected. c. The INTERNET LINK/ACT LED is lit.

If a LINK/ACT LED is lit, a link has been established to the connected device.

4. If any port is connected to a 100 Mbps device, verify that the 100 LED for that port is lit.

The firewall is now properly attached to the network. Next, you need to prepare your network to access the Internet through the firewall. See the following chapter.

Setting Up the Hardware 2-7

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

2-8 Setting Up the Hardware

Chapter 3

Preparing Your Network

This chapter describes how to prepare your PC network to connect to the Internet through the FR114P, FR114W or FM114P Cable/DSL ProSafe Firewall and how to order broadband Internet service from an Internet service provider (ISP). .

Note: If an ISP technician configured your PC during the installation of a broadband

modem, or if you configured it using instructions provided by your ISP, you may need to copy the current configuration information for use in the configuration of your firewall. Write down this information before reconfiguring your PCs. Refer to “Obtaining ISP

Configuration Information (Windows)”onpage 3-10 or “Obtaining ISP Configuration Information (Macintosh)”onpage 3-11 for further information.

Preparing Your Personal Computers for IP Networking

Personal Computers access the Internet using a protocol called TCP/IP (Transmission Control Protocol/Internet Protocol). Each PC on your network must have TCP/IP installed and selected as its networking protocol. If a Network Interface Card (NIC) is already installed in your PC, then TCP/IP is probably already installed as w ell.

Note: In this chapter, we use the term “PC” to refer to personal computers in general, and not

necessarily Windows computers. Most PC operating systems include the software components you need for networking with TCP/

IP:

• Windows

• Windows 3.1 does not include a TCP/IP component. You need to purchase a third-party TCP/ IP application package such as NetManage Chameleon.

Preparing Your Network 3-1

95 or later includes the software components for establishing a TCP/IP network.

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

• Macintosh Operating System 7 or later includes the software components for establishing a TCP/IP network.

• All versions of UNIX or Linux include TCP/IP components. Follow the instructions provided with your operating system or networking software to install TCP/IP on your computer..

In your IP network, each PC and the firewall must be assigned a unique IP addresses. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address. In most cases, you should install TCP/IP so that the PC obtains its specific network configuration information automatically from a DHCP server during bootup. For a detailed explanation of the meaning and purpose of these configuration items, refer to “Appendix B, “Networks, Routing, and Firewall Basics.”

The NETGEAR ProSafe Firewall is shipped preconfiguredas a DHCP server.The firewall assigns the following TCP/IP configuration information automatically when the PCs are rebooted:

• PC or workstation IP addresses—192.168.0.2 through 192.168.0.254

• Subnet mask—255.255.255.0

• Gateway address (the firewall)—192.168.0.1

These addresses are part of the IETF-designated private address range for use in private networks.

Configuring Windows 95, 98, and ME for IP Networking

As part of the PC preparation process, you need to manually install and configure TCP/IP on each networked PC. Before starting, locate your Windows CD; you may need to insert it during the TCP/IP installation process.

Install or Verify Windows Networking Components

To install or verify the necessary components for IP networking:

1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.

2. Double-click the Network icon.

The Network window opens, which displays a list of installed components:

3-2 Preparing Your Network

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.

Note: It is not necessary to remove any other network components shown in the

Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.

Ifyouneedtheadapter:

a. Click the Add button. b. Select Adapter, and then click Add. c. Select the manufacturer and model of your Ethernet adapter, and then click OK.

If you need TCP/IP:

a. Click the Add button. b. Select Protocol, and then click Add. c. Select Microsoft.

Preparing Your Network 3-3

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

d. Select TCP/IP, and then click OK.

If you need Client for Microsoft Networks:

a. Click the Add button. b. Select Client, and then click Add. c. Select Microsoft. d. Select Client for Microsoft Networks, and then click OK.

3. Restart your PC for the changes to take effect.

Assign TCP/IP configuration by DHCP

After the TCP/IP protocol components are installed, each PC must be assigned specific information about itself and resources that are available on its network. The simplest way to configure this information is to allow the PC to obtain the information from the internal DHCP server of the NETGEAR ProSafe Firewall. To use DHCP with the recommended default addresses, follow these steps:

1. Connect all PCs to the firewall, then restart the firewall and allow it to boot.

2. On each attached PC, open the Network control panel (refer to the previous section) and select

the Configuration tab.

3. From the components list, select TCP/IP->(your Ethernet adapter) and click Properties.

4. In the IP Address tab, select “Obtain an IP address automatically”.

5. Select the Gateway tab.

6. If any gateways are shown, remove them.

7. Click OK.

8. Restart the PC.

Repeat steps 2 through 8 for each PC on your network.

Selecting Internet Access Method

1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.

2. Double-click the Internet Options icon.

3-4 Preparing Your Network

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

3. Select “I want to set up my Internet connection manually” or “I want to connect through a

Local Area Network” and click Next.

4. Select “I want to connect through a Local Area Network” and click Next.

5. Uncheck all boxes in the LAN Internet Configuration screen and click Next.

6. ProceedtotheendoftheWizard.

Verifying TCP/IP Properties

After your PC is configured and has rebooted, you can check the TCP/IP configuration using the utility winipcfg.exe:

1. On the Windows taskbar, click the Start button, and then click Run.

2. Type winipcfg, and then click OK.

The I P Configuration window opens, which lists (among other things), your IP address, subnet mask, and default gateway.

3. From the drop-down box, select your Ethernet adapter.

The window is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:

• The IP address is between 192.168.0.2 and 192.168.0.254

• The subnet mask is 255.255.255.0

• The default gateway is 192.168.0.1

Configuring Windows NT or 2000 for IP Networking

Install or Verify Windows Networking Components

To install or verify the necessary components for IP networking:

1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.

2. Double-click the Network and Dialup Connections icon.

Preparing Your Network 3-5

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

3. If an Ethernet adapter is present in your PC, you should see an entry for Local Area

Connection. Double-click that entry.

4. Select Properties.

5. Verify that ‘Client for Microsoft Networks’ and ‘Internet Protocol (TCP/IP)’ are present. If

not, select Install and add them.

6. Select ‘Internet Protocol (TCP/IP)’, click Properties, and verify that “Obtain an IP address

automatically is selected.

7. Click OK and close all Network and Dialup Connections windows.

8. Make sure your PC is connected to the firewall, then reboot your PC.

Verifying TCP/IP Properties

To check your PC’s TCP/IP configuration:

1. On the Windows taskbar, click the Start button, and then click Run.

The Run window opens.

2. Type cmd and then click OK.

A command window opens

3. Type ipconfig /all

Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:

• The IP address is between 192.168.0.2 and 192.168.0.254

• The subnet mask is 255.255.255.0

• The default gateway is 192.168.0.1

4. Type exit

Configuring the Macintosh for IP Networking

Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP.

3-6 Preparing Your Network

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

MacOS 8.6 or 9.x

1. From the Apple menu, select Control Panels, then TCP/IP.

The TCP/IP Control Panel opens:

2. From the “Connect via” box, select your Macintosh’s Ethernet interface.

3. From the “Configure” box, select Using DHCP Server.

You can leave the DHCP Client ID box empty.

4. Close the TCP/IP Control Panel.

5. Repeat this for each M acintosh on your network.

MacOS X

1. From the Apple menu, choose System Preferences, then Network.

2. If not already selected, select Built-in Ethernet in the Configure list.

3. If not already selected, Selct Using DHCP in the TCP/IP tab.

4. Click Save.

Preparing Your Network 3-7

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Verifying TCP/IP Properties (Macintosh)

After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP.

The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:

• The IP Address is between 192.168.0.2 and 192.168.0.254

• The Subnet mask is 255.255.255.0

• The Router address is 192.168.0.1

If you do not see these values, you may need to restart your Macintosh or you may need to switch the “Configure” setting to a different option, then back again to “Using DHCP Server”.

Your Internet Account

For access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using an external broadband access device such as a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a PC. Your firewall does not support a USB-connected broadband modem.

3-8 Preparing Your Network

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

For a single-user Internet account, your ISP supplies TCP/IP configuration information for one PC. With a typical account, much of the configuration information is dynamically assigned when your PC is first booted up while connected to the ISP, and you will not need to know that dynamic information.

In order to share the Internet connection among several computers, your firewall takes the place of the single PC, and you need to configure it with t he TCP/IP information that the single PC would normally use. When the firewall’s Internet port is connected to the broadband modem, the firewall appears to be a single PC to the ISP. The firewall then allows the PCs on the local network to masquerade as the single PC to access the Internet through the broadband modem. The method used by the firewall to accomplish this is called Network Address Translation (NAT) or IP masquerading.

Login Protocols

Some ISPs require a special login protocol, in which you must enter a login name and password in order to access the Internet. If you normally log in to your Internet account by running a program such as WinPOET or EnterNet, then your account uses PPP over Ethernet (PPPoE).

When you configure your firewall, you will need to enter your login name and password in the firewall’s configuration menus. After your network and firewall are configured, the firewall will perform the login task when needed, and you will no longer need to run the login program from your PC. It is not necessary to uninstall the login program.

Account Information

Unless these items are dynamically assigned by the ISP, your ISP should give you the following basic information for your account:

• An IP address and subnet mask

• A gateway IP address, which is the address of the ISP’s router

• One or more domain name server (DNS) IP addresses

• Host name and domain suffix For example, your account’s full server names may look like this:

mail.xxx.yyy.com

In this example, the domain suffix is xxx.yyy.com.

Preparing Your Network 3-9

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

If any of these items are dynamically supplied by the ISP, your firewall automatically acquires them. If an ISP technician configured your PC during the installation of the broadband modem, or if you configured it using instructions provided by your ISP, you need to copy configuration information from your PC’s Network TCP/IP Properties window (or Macintosh TCP/IP Control Panel) before reconfiguring your PC for use with the firewall. These procedures are described next.

Obtaining ISP Configuration Information (Windows)

As mentioned above, you may need to collect configuration information from your PC so that you can use this information when you configure the NETGEAR ProSafe Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information.

To get the information you need to configure the firewall for Internet access:

1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.

2. Double-click the Network icon.

The Network window opens, which displays a list of installed components.

3. Select TCP/IP, and then click Properties.

The TCP/IP Properties dialog box opens.

4. Select the IP Address tab.

If an IP address and subnet mask are shown, w rite down the information. If an address is present, your account uses a fixed (static) IP address. If no address is present, your account uses a dynamically-assigned IP address. Click “Obtain an IP address automatically”.

5. Select the Gateway tab.

If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address.

6. Select the DNS Configuration tab.

If any DNS server addresses are shown, write down the addresses. If any information appears in the Host or Domain information box, write it down. Click Disable DNS.

7. Click OK to save your changes and close the TCP/IP Properties dialog box.

You are returned to the Network window.

8. Click OK.

9. Reboot your PC at the prompt. You may also be prompted to insert your Windows CD.

3-10 Preparing Your Network

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Obtaining ISP Configuration Information (Macintosh)

As mentioned above, you may need to collect configuration information from your Macintosh so that you can use this i nformation when you configure the NETGEAR ProSafe Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information.

To get the information you need to configure the firewall for Internet access:

1. From the Apple menu, select Control Panels, then TCP/IP.

The TCP/IP Control Panel opens, which displays a l ist of configuration settings. If the “Configure” setting is “Using DHCP Server”, your account uses a dynamically-assigned IP address. In this case, close the Control Panel and skip the rest of this section.

2. If an IP address and subnet mask are shown, w rite down the information.

3. If an IP address appears under Router address, write down the address. This is the ISP’s

gateway address.

4. If any Name Server addresses are shown, write down the addresses. These are your ISP’sDNS

addresses.

5. If any information appears in the Search domains information box, write it down.

6. Change the “Configure” setting to “Using DHCP Server”.

7. Close the TCP/IP Control Panel.

Restarting the Network

Once you’ve set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly.

1. Turn off the DSL or cable modem, wait 15 seconds, and then turn it on again

2. Turn off the firewall, and then turn it on again and wait until the Test light turns off.

3. Restart any computer that is connected to the firewall.

Note: If the modem doesn’t have an on/off switch, either pull the modem’s power adapter out of

the wall socket or power down the power strip.

Preparing Your Network 3-11

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Ready for Configuration

After configuring all of your PCs for TCP/IP networking and connecting them to the local network of your NETGEAR ProSafe Firewall, you are ready to access and configure the firewall. Proceed to the next chapter.

3-12 Preparing Your Network

Chapter 4

Basic Configuration

This chapter describes how to perform the basic configuration of your FR114P, FR114W or FM114P Cable/DSL ProSafe Firewall using the Setup Wizard, which walks you through the configuration process for your Internet connection.

Accessing the Web Configuration Manager

In order to use the browser-based Web Configuration Manager, your PC must have a web browser program installed such as Microsoft Internet Explorer or Netscape Navigator. Because the Configuration M anager uses Java, your Web browser must be Java-enabled and support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer 5.0 or Netscape Navigator

4.7 or above. Free browser programs are readily available for Windows, Macintosh, or UNIX/

Linux. To configure for Internet access using your browser:

1. Connect your PC and firewall as described in the previous chapter.

Make sure your PC has been rebooted since connecting with the firewall.

2. Launch your web browser.

Note: If you normally use a login program (such as Enternet or WinPOET) to access the

Internet, do not launch that program.

3. Click your browser’s Stop button.

4. In the Address (or Location) box of your browser, type http://192.168.0.1 and press ENTER.

Basic Configuration 4-1

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

A login window opens as shown in Figure 4-1 below:.

Figure 4-1. Login window

This screen may have a different appearance in other browsers.

5. Type admin in the User Name box, password in the Password box, and then click OK.

(If your firewall password was previously changed, enter the current password.)

If your firewall has not yet been configured, the Setup Wizard should launch automatically. Otherwise, the main menu of the Web Configuration Manager will appear as shown in Figure 4-2 below:

4-2 Basic Configuration

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Figure 4-2. Browser-based configuration main menu

You can manually configureyour firewall using this menu as described in “Manual Configuration“

on page 4-8, or you can allow the Setup Wizard to determine your configurationas described in the

following chapter.

Basic Configuration 4-3

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Configuration using the Setup Wizard

The WebConfiguration Manager contains a Setup Wizard that can automatically determine your network connection type. If the Setup Wizard does not launch automatically, click on the Setup Wizard heading in the upper left of the opening screen, shown in Figure 4-2.

When the Wizard launches, allow the firewall to automatically determine your connection type by selecting Yes in the menu below and clicking Next:

The Setup Wizard will now check for a connection on the Internet port. If the Setup Wizard determines that there is no connection to the Internet port, you will be prompted to check the physical connection between your firewall and cable or DSL modem. When the connection is properly made, the firewall’s Internet LED should be on.

Next, the Setup Wizard will attempt to determine which of the following connection types your Internet service account uses:

• Dynamic IP assignment

• Fixed IP address assignment

• A login protocol such as PPPoE The Setup Wizard w ill report which connection type it has discovered, and it will then use the

appropriate configuration menu for that connection type.

4-4 Basic Configuration

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Configuring for Dynamic IP Account

If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the menu shown in Figure 4-3 below:

Figure 4-3. Setup Wizard menu for Dynamic IP address

1. Enter your Account Name (may also be called Host Name) and Domain Name. These

parametersmay be necessary to access your ISP’s servicessuch as mail or news servers. I f you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.

2. Domain Name Server (DNS) Address: If you know that your ISP does not automatically

transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.

A DNS server is a host on the Internet that translates Internet names (such as www addresses)to numeric IP addresses. Typically your ISP transfers the IP addresses of one or two DNS servers t o your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your PCs after configuring the firewall.

Basic Configuration 4-5

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

3. Router’s M AC Address: This section determines the Ethernet MAC address that will be used

by the firewall on the Internet port. If your ISP allows access by only one specific PC’s Ethernet MAC address, select "Use this MAC address". The firewall will then capture and use the MAC address of the PC that you are now using. You must be using the one PC that is allowedbytheISP.

Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your firewall to masquerade as that PC by using its MAC address.

4. ClickonApply,thenproceedto“Completing the Configuration“ on page 4-9.

Configuring for Fixed IP Account

If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you will be directed to the menu shown in Figure 4-4 below:

Figure 4-4. Setup Wizard menu for Fixed IP address

Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway

router. This information should have been provided to you by your ISP.

2. Domain Name Server (DNS) Address: If you know that your ISP does not automatically

4-6 Basic Configuration

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

3. ClickonApply,thenproceedto“Completing the Configuration“ on page 4-9.

Configuring for an Account with Login

If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to a menu like the PPPoE menu shown in

Figure 4-5 below:

Figure 4-5. Setup Wizard menu for PPPoE login accounts

Enter your Account Name (may also be called Host Name) and Domain Name. These

2. Enter the PPPoE login user name and password provided by your ISP. These fields are case

sensitive. If you wish to change the login timeout, enter a new value in minutes.

Basic Configuration 4-7

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Note: You will no longer need to launch the ISP’slogin program on your PC in order to access

the Internet. When you start an Internet application, your firewall will automatically log you in.

3. Domain Name Server (DNS) Address: If you know that your ISP does not automatically

4. ClickonApply,thenproceedto“Completing the Configuration“ on page 4-9.

Manual Configuration

You can manually configure the firewall in the Basic Settings menu shown in Figure 4-2 using these steps:

1. Select whether your Internet connection requires a login.

Select ‘Yes’ if you normally must launch a login program such as EnterNet or WinPOET in order to access the Internet.

2. Enter your Account Name (may also be called Host Name) and Domain Name. These

parameters m ay be necessary to access your ISP’s services such as mail or news servers.

3. (If displayed) Enter the PPPoE login user name and password provided by your ISP. These

fields are case sensitive. If you wish to change the login timeout, enter a new value in minutes.

Note: You will no longer need to launch the ISP’slogin program on your PC in order to access

the Internet. When you start an Internet application, your firewall will automatically log you in.

4. Internet IP Address: If your ISP has assigned you a permanent, fixed (static) IP address for

your PC, s elect “Use static IP address”. Enter the IP address that your ISP assigned. Also enter the netmask and the Gateway IP address. The Gateway is the ISP’s router to which your firewall will connect.

4-8 Basic Configuration

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

5. Domain Name Server (DNS) Address: If you know that your ISP does not automatically

6. Router’s M AC Address: This section determines the Ethernet MAC address that will be used

by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic f rom the MAC address of that PC. This feature allows your firewall to masquerade as that PC by “cloning” its MAC address.

To change the MAC address, select "Use this Computer’s MAC address". The firewall will then capture and use the MAC address of the PC that you are now using. You must be using the one PC that is allowed by the ISP.

7. Click Apply, then proceed to Completing the Configuration.

Completing the Configuration

Click on the Test button to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 10, “Troubleshooting”.

Your firewall is now configured to provide Internet access for your network. When your firewall and PCs are configured correctly, your firewall automatically accesses the Internet when one of your LAN devices requires access.

Note: After your firewall has been configured, it will not be necessary to run a dialer or

login application such as Dial-Up N etworking, EnterNet, or WinPOET to connect, log in, or disconnect. These functions will be performed by the firewall as needed. Any such login software installed on your PC can be disabled or uninstalled.

To access the Internet from any PC connected to your firewall, launch a browser such as Microsoft Internet Explorer or Netscape Navigator. You should see the firewall’s Internet LED blink, indicating communication to the ISP. The browser should begin to display a Webpage.

Basic Configuration 4-9

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

The followingchapters describe how to configure the Advanced features of your firewall, and how to troubleshoot problems that may occur.

4-10 Basic Configuration

Chapter 5

Security

This chapter describes how to use the security features of your FR114P, FR114W or FM114P Cable/DSL ProSafe Firewall. The firewall provides you with selective blocking of inbound and outbound services, Web content filtering by keyword, and with security incident logging. You can configure the firewall to e-mail its l og to you at specified intervals. You can also configure the firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a significant security event occurs.

To configure these features of your firewall, click on the subheadings under the Security heading in the Main Menu of the browser interface.

What is a Firewall

A firewall is a special category of router that protects one network (the “trusted” network, such as your LAN) from another (the “untrusted” network, such as the Internet), while allowing communication between the two. A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NA T routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.

Security 5-1

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Security Log

The firewall will log security-related events such as denied incoming and outgoing service requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu, the Log page will also show you when someone on your network tried to access a blocked site. If you enabled e-mail notification, you'll receive these logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs here. An example is shown in Figure 5-1:

Figure 5-1. Logs menu

5-2 Security

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Log entries are described in Table 5-1

Table 5-1. Log entry descriptions

Field Description

Date and Time The date and time the log entry was recorded. Description or

The type of event and what action was taken if any.

Action Source IP The IP address of the initiating device for this log entry. Source port and

interface

The service port number of the initiating device, and whether it

originated from the LAN or WAN Destination The name or IP address of the destination device or website. Destination port

and interface

The service port number of the destination device, and whether

it’s on the LAN or WAN.

Log action buttons are described in Table 5-2

Table 5-2. Log action buttons

Field Description

Refresh Click this button to refresh the log screen. Clear Log Click this button to clear the log entries.

Send Log

Security 5-3

Click this button to email the log immediately.

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Examples of log messages

Following are examples of log m essages. In all cases, the log entry shows the timestamp as: Day, Year-Month-Date Hour:Minute:Second

Activation and Administration

Tue, 2002-05-21 18:48:39 - NETGEAR activated

[This entry indicates a power-up or reboot with initial time entry.]

Tue, 2002-05-21 18:53:28 - Administrator login failed - IP:192.168.0.2 Tue, 2002-05-21 18:55:00 - Administrator login successful - IP:192.168.0.2 Thu, 2002-05-21 18:56:58 - Administrator logout - IP:192.168.0.2

[This entry shows an administrator logging in and logging out of the firewall from IP address

192.168.0.2.]

Tue, 2002-05-21 19:00:06 - Login screen timed out - IP:192.168.0.2

[This entry shows a timout of the administrator login.]

Wed, 2002-05-22 22:00:19 - Log emailed

[This entry shows when the log was emailed.]

Dropped Packets

Wed, 2002-05-22 07:15:15 - TCP packet dropped - Source:64.12.47.28,4787,WAN Destination:134.177.0.11,21,LAN - [Inbound Default rule match]

Sun, 2002-05-22 12:50:33 - UDP packet dropped - Source:64.12.47.28,10714,WAN Destination:134.177.0.11,6970,LAN - [Inbound Default rule match]

Sun, 2002-05-22 21:02:53 - ICMP packet dropped - Source:64.12.47.28,0,WAN Destination:134.177.0.11,0,LAN - [Inbound Default rule match]

[These entries show an inbound FTP (port 21) packet, UDP packet, and ICMP packet being dropped as a result of the default inbound rule, which states that all inbound packets are denied.]

5-4 Security

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Block Sites

The NETGEAR ProSafe Firewall allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Keyword Blocking menu is shown in Figure 5-2:

Figure 5-2. Block Sites menu

To enable keyword blocking, check “Turn keyword blocking on”, then click Apply. To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply. Keyword application examples:

• If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked.

• If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu or .gov) can be viewed.

• If you wish to block all Internet browsing access, enter the keyword “.”.

To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply.

Security 5-5

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

You may specify one Trusted User, which is a PC that will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that PC with a fixed or reserved IP address.

Rules

Firewall rules are used to block or allow specific traffic passing through from one side to the other. Inbound rules (WAN to LAN) restrict access by outsidersto private resources, selectivelyallowing only specific outside users to access specific resources. Outbound rules (LAN to WAN)determine what outside resources local users can have access to.

A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the NETGEAR ProSafe Firewall are:

• Inbound: Block all access from outside except responses to requests from the LAN side.

• Outbound: Allow all access from the LAN side to the outside.

These default rules are shown in the Rules table of the Rules menu in Figure 5-3:

Figure 5-3. Rules menu

5-6 Security

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

You may define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that m atches or does not match the rule you have defined.

To create a new rule, click the Add button. To edit an existing rule, select its button on the left side of the table and click Edit. To delete an existing rule, select its button on the left side of the table and click Delete. To move an exisiting rule to a different position in the table, select its button on the left side of the

table and click Move. At the script prompt, enter the number of the desired new position and click OK.

An example of the menu for defining or editing a rule is shown in Figure 5-4. The parameters are:

•Service From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services menu to add any additional services or applications that do not already appear.

• Action Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu.

• Source Address Specify traffic originating on the LAN (outbound) or the WAN (inbound), and choose whether you would like the traffic to be restricted by source IP address. You can select Any, a Single address, or a Range. If you select a range of addresses, enter the range in the start and finish boxes. If you select a single address, enter it in the start box.

• Destination Address The Destination Address will be assumed to be from the opposite (LAN or WAN) of the Source Address. As with the Source Address, you can select Any, a Single address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you must enter a Single LAN address in the start box.

•Log You can select whether the traffic will be logged. The choices are:

• Never - no log entries will be made for this service.

• Always - any traffic for this service type will be logged.

Security 5-7

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

• Match - traffic of this type which matches the parameters and action will be logged.

• Not match - traffic of this type which does not match the parameters and action will be

logged.

Inbound Rules (Port Forwarding)

Because the NETGEAR ProSafe Firewall uses Network Address Translation(NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can can make a local server (for example, a web server or game server) visible and available to the Internet. The rule tells the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding. .

Note: Some residential broadband ISP accounts do not allow you to run any server

processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.

Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network. Following are two application examples of inbound rules:

5-8 Security

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Inbound Rule Example: A Local Public Web Server

If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web s erver at any time of day. This rule is shown in Figure 5-4:

Figure 5-4. Rule example: A Local Public Web Server

Security 5-9

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Inbound Rule Example: Allowing Videoconference from Restricted Addresses

If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 5-5, CU-SeeMe connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.

Figure 5-5. Rule example: Videoconference from Restricted Addresses

Considerations for Inbound Rules:

• If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dyamic DNS feature in the Advanced menus so that external users can always f ind your network.

• If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the PC’s IP address constant.

• Local PCs must access the local server using the PCs’ local LAN address (192.168.0.99 in this example). Attempts by local PCs to access the server using the external WAN IP address will fail.

5-10 Security

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Outbound Rules (Service Blocking)

The NETGEAR ProSafe Firewall allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local PC based on:

• the IP address of the local PC (source address)

• the IP address of the Internet site being contacted (destination address)

• the time of day

• the type of service being requested (service port number)

Following is an application example of outbound rules:

Outbound Rule Example: Blocking Instant Messenger

If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the firewall log any attempt to use Instant Messenger during that blocked period.

Figure 5-6. Rule example: Blocking Instant Messenger

Security 5-11

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 5-7:

Figure 5-7. Rules table with examples

For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginningat the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules may be important in determiningthe disposition of a packet. The Move button allows you to relocate a defined rule to a new position in the table.

Default DMZ Server

Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server.

5-12 Security

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

The Default DMZ Server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The firewall is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local PC can run the application properly if that PC’s IP address is entered as the Default DMZ Server..

Note: For security, NETGEAR strongly recommends that you avoid using the Default

DMZ Serverfeature. When a computer is designatedas the Default DMZ Server,it loses much of the protection of the firewall, and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.

To assign a computer or server to be a Default DMZ server:

1. Click Default DMZ Server.

2. Type the IP address for that server.

3. Click Apply.

Note: In this application, the use of the term ‘DMZ’ has become common, although it is

a misnomer. In traditional firewalls, a DMZ is actually a separate physical network port. A true DMZ port is for connecting servers that require greater access from the outside, and will therefore be provided with a different level of security by the firewall. A better term for our application is Exposed Host.

Respond to Ping on Internet WAN Port

If you want the firewall to respond to a 'ping' from the Internet, click the ‘Respond to Ping on Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your firewall to be discovered. Don't check this box unless you have a specific reason to do so.

Security 5-13

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Services

Services are functions performed by server computers at the request of client computers. For example, Web servers serve web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmittedIP packets. For example, a packet that is sent with destination port number 80 i s an HTTP (Web server) request.

The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.

Although the NETGEAR ProSafe Firewall already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 5-8:

Figure 5-8. Services menu

5-14 Security

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

To define a new service, first you m ust determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups of newsgroups. When you have the port number information, go the the Services menu and click on the Add Custom Service button. The Add Services menu will appear, as shown in Figure 5-9:

Figure 5-9. Add Custom Service menu

To add a service,

1. Enter a descriptive name for the service so that you will remember what it is.

2. Select whether the service uses TCP or UDP as its transport protocol.

If you can’t determine which is used, select both.

3. Enter the lowest port number used by the service.

4. Enter the highest port number used by t he service.

If the service only uses a single port number, enter the same number in both fields.

5. Click Apply.

The new service will now appear in the Services menu, and in the Service name selection box in the Rules menu.

Security 5-15

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Schedule

If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking will be enforced by configuring the Schedule tab shown below:

To block keywords or Internet domains based on a schedule:

1. Select Every Day or select one or more days.

2. If you want to limit access completely for the selected days, select All Day.

Otherwise, If you want to limit access during certain times for the selected days, type a Start Blocking time and an End Blocking time.

Note: Note: Enter the values as 24-hour time. For example, 10:30 am would be 10 hours and

30 minutes and 10:30 pm would be 22 hours and 30 minutes.

5-16 Security

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

3. Click Apply

Time Zone

The NETGEAR ProSafe Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must select your Time Zone from the list.

If your region uses Daylight Savings Time, you must manually check Adjust for Daylight Savings Time at the beginning of the Daylight Savings Time, and uncheck it at the end. Enabling Daylight Savings Time will cause one hour to be added to the standard time.

The firewall has a list of publicly available NTP servers. If you would prefer to use a particular NTP server as the primary server, enter its IP address under Use this NTP Server.

Be sure to click Apply when you have finished configuring this menu.

Security 5-17

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

E-Mail

In order to r eceive logs and alerts by e-mail, you must provide your e-mail information in the E-Mail subheading:

• Turn e-mail notification on Check this box if you wish to receive e-mail logs and alerts from the firewall.

• Your outgoing mail server Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as mail.myISP.com). You may be able to find this information in the configuration menu of your e-mail program. If you leave this box blank, log and alert messages will not be sent via e-mail.

• Sendtothise-mailaddress Enter the e-mail address to which logs and alerts are sent. This e-mail address will also be used as the From address. If you leave this box blank, log and alert messages will not be sent via e-mail.

You can specify that logs are immediately sent to the specified e-mail address when any of the following events occur:

• If a Denial of Service attack is detected

• If a Port Scan is detected

• If a user on your LAN attempts to access a website that you blocked using Keyword blocking.

5-18 Security

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

You can specify that logs are sent to you according to a schedule. Select whether you would like to receive the logs Hourly, Daily, Weekly, or When Full. Depending on your selection, you may also need to specify:

– Day for sending log

Relevant when the log is sent weekly or daily.

– Time for sending log

Relevant when the log is sent daily or weekly.

If the Weekly, Daily or Hourly option is selected and the log fills up before the specified period, the log is automatically e-mailed to the specified e-mail address. After the log is sent, the log is cleared from the firewall’s memory. If the firewall cannot e-mail the log file, the log buffer may fill up. In this case, the firewall overwrites the log and discards its contents.

Be sure to click Apply when you have finished configuring this menu.

Security 5-19

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

5-20 Security

Chapter 6

Wireless

This chapter describes how to configure the Wireless networking features of your FR114W Wireless-Ready Firewall or FM114P Wireless Firewall with Print Server. This chapter does not apply to the FR114P Firewall with Print Server.

The FR114W Wireless-Ready Firewall can be upgraded to wireless operation by purchasing and installing a NETGEAR Model MA401 802.11b Wireless PC Card. For instructions on upgrading the FR114W, refer to “Installing a Wireless Card in the FR114W“ on page 2-6.

Note: If you are configuring the firewall from a wireless PC and you change the

firewall’s SSID, channel, or WEP settings, you will lose your wireless connection when you click on Apply. You must then change the wireless settings of your PC to match the firewall’s new settings.

Wireless 6-1

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Wireless Settings

To configure the Wireless interface of your firewall, click on the Wireless heading in the Main Menu of the browser interface. The Wireless Settings menu will appear, as shown in Figure 6-1:

Figure 6-1. Wireless Settings menu

Identification

In the Identification section are the following parameters:

• Regulatory Domain This field displays the region of operation for which the wireless interface is intended. It may not be legal to operate the firewall in a region other than the region shown here.

•StationName This is the Account Name that was defined in the Basic Settings menu. Some Wireless status screens may display this name as the Access Point in use.

• SSID (Service Set ID) Enter a value of up to 32 alphanumeric characters. The same SSID must be assigned to all wireless devices in your network. The default SSID is Wireless, but NETGEAR strongly recommends that you change your network’s SSID to a different value.

6-2 Wireless

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Options

Channel Number This field determines which operating frequency will be used. It should not be necessary t o change the wireless channel unless you notice interference problems with another nearby access point. The default wireless channel is 10.

WEP Status This field displays the current WEP (Wired Equivalent Privacy) setting. To enable WEP or change the encryption level or keys, click the Configure WEP button and follow the instructions in

“Configuring WEP (Wired Equivalent Privacy)“ on page 6-4.

Access Point

For increased security, you can restrict access to the wireless network to only allow specific PCs, based on their MAC addresses. You can allow access by:

• Everyone In this case, the firewall will allow access to any PC with the correct SSID.

• Trusted PCs only In this case, the firewall will authenticate each wireless PC by SSID and by MAC address, using the list of MAC addresses you have entered. To specify the allowed MAC addresses, click the Trusted PCs button and follow the instructions in “Restricting Wireless Access by

MAC Address“ on page 6-5.

Be sure to click Apply to save any settings from this menu.

Wireless 6-3

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Configuring WEP (Wired Equivalent Privacy)

From the Wireless menu, click the Configure WEP button to display the Wireless WEP menu, shown in Figure 6-2:

Figure 6-2. Wireless WEP menu

Authentication Type Normally this can be l eft at the default value of "Automatic". If that fails, select the appropriate value - "Open System" or "Shared Key". Check your Wireless card's documentation to see what method to use.

Encryption Select the WEP Encryption level:

• Off - no data encryption (Open System)

• 64-bit (sometimes called 40-bit) encryption

• 128-bit encryption

Keys If WEP is enabled, you can manually or automatically program the four data encryption keys. These values must be identical on all PCs and Access Points in your network.

6-4 Wireless

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

• Manual - Enter ten hexadecimal digits (any combination of 0-9, a-f, or A-F)

• Automatic - Enter a word or group of printable characters in the Passphrase box and click the Generate Keys button.

Default Key Select which of the four keys will be active.

Be sure to click Apply to save any settings from this menu.

Restricting Wireless Access by MAC Address

For increased security, you can restrict access to the wireless network to only allow specific PCs, based on their MAC addresses. From the Wireless menu, click the Trusted PCs button to display the Wireless Access menu, shown in Figure 6-3:

Figure 6-3. Wireless Access menu

The Trusted PCs window displays a list of MAC addresses that will be allowed to connect to the firewall. These PCs must also have the correct SSID and WEP settings.To restrict access based on MAC addresses:

1. Select “Trusted PCs only” in the Wireless Settings menu, then click Apply.

2. Click the “Trusted PCs” button to go to the Wireless Access menu.

Wireless 6-5

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

3. Obtain the Ethernet MAC address of the wireless interface card of each authorized PC.

This address is usually printed on the card itself, or it may appear in the router’s DHCP table.

4. Enter each MAC address into the Wireless Adapter Address box, then click Add.

To delete a MA C address from the table, click on it to select it, then click the Delete button.

Additional Notes

Security

Unlike wired network data, your wireless data transmissions can extend beyond your walls and can be received by anyone with a compatible adapter. For this reason, NETGEAR strongly recommendsthat you make use of the security features of your wireless equipment. As a minimum security precaution, you should change the SSID setting of all devices on your network from the factory setting to a unique password. Restricting access by MAC address filtering adds another obstacle against unwanted hosts joining your network.

If your wireless PCs need Internet access but don’t require access to your private wired network, disable bridging between the wireless and wired PCs

To hinder a determined eavesdropper, you should enable Wired Equivalent Privacy (WEP) data encryption.However, there may be a significant degradation of the data throughput on the wireless link when WEP is enabled.

For further information on wireless networking, refer to “Wireless Networking”inAppendix B,

“Networks, Routing, and Firewall Basics.”

Placement and Range

The operating distance or range of your wireless connection can vary significantly based on the physical placement of the wireless firewall. For best results, place your firewall:

• near the center of the area in which your PCs will operate,

• inanelevatedlocationsuchasahighshelf,

• away from potential sources of interference, such as PCs, microwaves, and cordless phones,

• away from large metal surfaces.

6-6 Wireless

Chapter 7

Print Server

This chapter describes how to install and configure the print server in your FR114P Firewall with Print Server or FM114P Wireless Firewall with Print Server. This chapter does not apply to the FR114W Wireless-Ready Firewall.

Network Printing from Windows

The NETGEAR ProSafe Firewall supports two methods for printing from Windows:

• Print Port Driver After installing the Print Port Driver, Windows users can print directly to the firewall. Print jobs are spooled (queued) on each PC. The supplied Print Port Driver supports Windows 95/ 98/ME, NT4.0, Windows 2000 and Windows XP.

• LPD/LPR Printing If using Windows NT 4.0 Server or Windows 2000 Server, LPD/LPR printing can be used. No software needs to be installed on either the Windows Server or each client PC. Print jobs will be spooled (queued) on the WindowsServer,and can be managed using the standard Windows Server tools.

Installing the PTP Driver

The following procedure is for all versions of Windows (95/98/ME, NT4.0, 2000, XP). The Windows ‘Add Printer’ screens will vary depending on your version or Windows, but the procedure is the same:

1. Make sure that the printer is ON and connected to the firewall’s printer port.

2. Insert the supplied CD-ROM into your drive. If the setup program does not start automatically,

run SETUP.EXE in the root folder.

Print Server 7-1

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

3. Scroll down to the Drivers section and click on FR114P Print Server driver for Windows.

4. When asked, select ‘Run this program from its current location’.

5. Follow the steps to install the Print Server driver.

6. When the installation is finished, make sure the ‘Run Print Port Setup now’ checkbox is

checked, and click Finish.

7. The Print Port Setup will then run, and the following screen will be displayed:

The screen should show your firewall and printer.

8. Click on the Port 1 symbol, and then click the Add button.

Note: Under Windows95,you may receive an error message stating that SETUPAPI.DLL was

not found. In this case, you should either upgrade your Internet Explorer to version 5 or later, or consult the Print Server Troubleshooting section in this chapter.

9. A pop-up message will inform you if the port has been created successfully, and then the

Windows Add Printer wizard will start.

a. Click Next to browse for your printer on the network. b. Select the correct Printer Manufacturer and Model, or use the ‘Have Disk’ option if

appropriate.

7-2 Print Server

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

c. If desired, change the Printer name to be more descriptive (such as DeskJet on

PrintServer)

d. If prompted about Sharing, do NOT enable Sharing.

10. Installation is now complete. You can now print using this printer.

To make changes later, use the Start menu to run this program. The default installation is Start -> Programs -> NETGEAR Firewall Print Server -> Add Port.

Printer Management

• Using PTP printing, print jobs can be managed in the same manner as any Windows printer. Open the Printers folder (Start -> Settings -> Printers) and double-click any printer to see the current print jobs.

• If the printer attached to the firewall is changed, run the ‘Add Port’ program again and select the new printer.

• To delete a port created by this setup program, use the ‘Windows Delete Port’ facility:

a. Right-click any printer in the Printers folder, and select Properties. b. Locate the Delete Port button. This button is on either the Details or Ports tab, depending

on your version of Windows.

Port Options

The options for the Print Port Driver are accessed via the Windows Port Settings button.

Print Server 7-3

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Use Start -> Settings -> Printers to open the Printers folder, then right-click the Printer and select Properties. The Port Settings button is on either the Details or Port tab, depending on your version of Windows. An example screen is shown below:

Items shown on this screen are as follows:

•Port If desired, click Browse to select a different device. The ‘Select Device Port’ button supports

multi-port models, but the firewall is a single-port print server. The Port Name is shown in the Printer's Properties.

• Banner Check this option to print a banner page before each print job. The User Name will be printed

on the banner page. If using a PostScript Printer, check the PostScript box.

• Retry Interval Determines how often Windows will poll the print server to establish a connection when the

printer is busy.

LPD/LPR Printing from Windows

LPD/LPR printing is supported by Windows NT 4.0 Server and Windows 2000/XP. No software needs to be installed on the client PCs. Third-party drivers are available for earlier versions of Windows.

7-4 Print Server

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Windows NT 4.0 Server Configuration

To use LPD printing, Microsoft TCP/IP Printing must be installed and enabled. This can be checked using Start-Settings-Control Panel-Network - Services.

To configure your NT 4.0 Server for LPD printing, follow this procedure:

1. Go to Start->Settings->Printers and launch the Add Printer wizard.

2. When prompted with ‘This printer will be managed by..’, select My Computer and click Next.

3. Select Add Port, then select LPR Port and click New Port.

4. In the Dialog requesting ‘Name or Address of server providing lpd’, enter the IP address of the

FR114P Firewall.

5. For Name of printer or print queue on that server, enter L1.

6. Click OK. When returned to the Printer Ports window, select Close and then install your

printer driver as usual.

7. When prompted about Sharing, select the Sharing button.

8. In the Shared dialog box, enter the shared printer name. The shared name is how other users

will see this printer. You should advise client PCs of the Server name and this printer name.

9. Click OK to save and exit.

Windows 2000 Server Configuration

The LPD/LPR Port is not enabled by default. To enable it, use this procedure:

1. In Control Panel, select Add/Remove Programs, then Windows Components.

Print Server 7-5

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

2. Select Other Network File and Print Services, then click the Details button.

3. Enable Print Services for Unix, then click OK.

4. Click Next and complete the Wizard.

Adding the Printer:

1. Open your Printers folder, and start the Add Printer Wizard.

2. When prompted, select Local Printer.

7-6 Print Server

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

3. In the Select the Printer Port screen, select LPR Port, as shown below. Click Next to continue.

4. In the Dialog requesting ‘Name or Address of server providing lpd’, enter the IP address of the

FR114P Firewall.

5. For Name of printer or print queue on that server, enter L1.

6. Click OK, then Next, and continue the Wizard.

7. At the Select Sharing screen, select the button for Share As, and enter the shared printer name.

The shared name is how other users will see this printer. You should advise client PCs of the Server name and this printer name.

8. Complete the Add Printer wizard.

Client PC Setup for LPD/LPR Printing

After configuring the Windows Server, client PCs on the LAN can install the new printer. The following procedure is for Windows 95/98/ME, Windows NT4.0, and Windows 2000

workstation.

1. From Start -> Settings, open the Printers folder, and start the Add Printer Wizard.

2. When prompted, select Network Printer.

Print Server 7-7

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

3. When prompted for Network Path or Queue Name, click the Browse button, and locate the

Server and Printer that your Network Administrator advised you to use.

4. Click OK, then Next.

5. Select the correct printer Manufacturer and Model, then click Next.

6. Follow the prompts to complete the Wizard.

7. The new printer will be listed with any other installed printers, and may be selected when

printing from any Windows application.

7-8 Print Server

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Network Printing from the Macintosh

Macintosh computers can connect to a TCP/IP network printer using the Line Printer Remote (LPR) protocol. LPR printing can be set up on any Macintosh that has Desktop Printing installed or available. Desktop Printing is supported on MacOS versions beginning from 8.1. LaserWriter8 version 8.5.1 or higher is also required.

MacOS 8 or 9 Configuration

To configure the Macintosh to use the print server, follow these steps:

1. From the Apple Extras folder,under Apple LaserWriter Software, launch the Desktop Printing

Utility. A new window titled New Desktop Printer will appear.

2. Select LaserWriter 8 in the ‘With’ drop-down menu.

3. Select Printer (LPR) and click OK.

A new window titled Untitled 1 will open.

4. If the PostScript Printer Description does not match your printer, click Change... and select

your actual printer. If your printer model does not appear, click the Generic button.

5. ClickOKtoreturntotheUntitled1window.

6. In the LPR Printer Selection box, click Change...

7. In the Printer Address field, type the name or IP address of the firewall.

The IP address will usually be 192.168.0.1. You can leave the Queue Name blank.

8. Click Verify to make sure your computer can see the printer.

You should see the IP address displayed above the button. If no IP address appears, check that you have correctly typed the queue name or IP Address.

9. ClickOKtoreturntotheUntitled1window.

10. At the bottom of the Untitled 1 dialog box, click ‘Create...’.

11. When prompted, rename the printer with a descriptive name and click Save.

A printer icon should now appear on your desktop.

12. Quit the Desktop Printer Utility.

Print Server 7-9

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

MacOS X Configuration

To configure the Macintosh to use the print server, follow these steps:

1. Activate the Print Center.

2. Select Printers from the menu bar.

3. Click ‘Add Printer’ from the Printers drop-down menu.

4. Choose the ‘LPR Printers using IP’ option, and enter the following items: a. LPR Printer’s Address

Enter the firewall’s LAN IP address (usually 192.168.0.1).

b. Check ‘Use default Queue on Server’. c. Select the Printer Model that is connected to the firewall’s printer port.

5. Click Add to add this printer.

Network Printing from Linux

Linux, FreeBSD, and other similar operating systems can use the Line Printer Remote (LPR) protocol to connect to the network print server. Because of variations in the configuration environmentsfor these operating systems, please refer to your operating system documentationfor information on configuring for LPR printing.

The NETGEAR ProSafe Firewall’s print server supports graphics mode printing.

Troubleshooting the Print Server

When I tried to install the Printer Driver for Peer-to-Peer printing, I received an error message and the installation was aborted.

This may be caused by an existing installation of the printer port software. Before attempting another installation, remove the existing installation and restart your PC.

To remove an existing printer port installation:

7-10 Print Server

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

a. Open Start -> Settings -> Control Panel -> Add/Remove Programs. b. Look for an entry with a name like “NETGEAR ProSafe Firewall Router”, “NETGEAR

Print Server”, "Print Server Driver" or "Print Server Port".

c. Select this item, click Add/Remove, and confirm the deletion.

I am using Windows 95. The Printer Driver installed and ran, but when I selected a port and clicked Add, the printer was not installed.

Try installing the printer using the standard Windows tools, as follows:

a. From Start -> Settings, open the Printers folder, and start the Add Printer Wizard. b. When prompted, select Network Printer and click Next. c. For Network Path or Queue, enter a dummy value such as \\123, as shown below.

Select NO for " Do you print for MS-DOS programs?".

d. The printer wizard will display a message stating that "The Network Printer is off-line".

This is OK. Continue the Add Printer Wizard until finished.

e. When finished, go to Start -> Settings -> Printers. The new printer icon will be grayed out

indicating the printer is not ready.

Print Server 7-11

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

f. Right-click the new printer and select Properties. Then select the Details tab, as shown

below.

g. Click the Add Port button. On the resulting screen, select Other, then select the

NETGEAR Print Server Port as the port to add.

7-12 Print Server

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

h. Click OK to see the Print Port Configuration screen.

i. Click the Browse Device button, select the firewall, and click OK. j. Click OK to return to the Printers folders, and right-click on the new printer.Make sure

that the Work Offline option is NOT checked.

k. The new printer should no longer be grayed out, and is ready for use.

Print Server 7-13

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

7-14 Print Server

Chapter 8

Maintenance

This chapter describes how to use the maintenance features of your FR114P, FR114W and FM114P Cable/DSL ProSafe Firewalls. These features can be found by clicking on the Maintenance heading in the Main Menu of the browser interface.

System Status

The System Status menu provides a limited amount of status and usage information. From the Main Menu of the browser interface, under Maintenance, select System Status to view the System Status screen, shown in Figure 8-1.

Figure 8-1. System Status screen

Maintenance 8-1

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

This screen shows the following parameters:

Table 8-1. Menu 3.2 - System Status Fields

Field Description

System Name This field displays the Host Name assigned to the firewall in the Basic

Settings menu. Firmware Version This field displays the firewall firmware version. WAN Port These parameters apply to the Internet (WAN) port of the firewall.

MAC Address Thisfield displays the Ethernet MAC address being used by the Internet

(WAN) port of the firewall.

IP Address This field displays the IP address being used by the Internet (WAN) port

of the firewall. If no address is shown, the firewall cannot connect to the

Internet.

DHCP If set to None, the firewall is configured to use a fixed IP address on the

WAN.

If set to Client, the firewall is configured to obtain an IP address

dynamically from the ISP

IP Subnet Mask This field displays the IP Subnet Mask being used by the Internet(WAN)

port of the firewall.

Domain Name Servers

(DNS)

LAN Port These parameters apply to the Local (WAN) port of the firewall.

MAC Address Thisfield displays the Ethernet MAC address being used by the Local

IP Address This field displays the IP address being used by the Local (LAN) port of

IP Subnet Mask This field displays the IP Subnet Mask being used by the Local (LAN)

DHCP If set to OFF,the firewall will not assign IP addresses to local PCs on the

This field displays the DNS Server IP addresses being used by the

firewall. These addresses are usually obtained dynamically from the ISP.

(LAN) port of the firewall.

the firewall. The default is 192.168.0.1

port of the firewall. The default is 255.255.255.0

LAN.

If set to ON, the firewall is configured to assign IP addresses to local

PCs on the LAN.

8-2 Maintenance

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Click on the “Show Statistics” button to display firewall usage statistics, as shown in Figure 8-2 below:

Figure 8-2. Router Statistics screen

This screen shows the following statistics:.

Table 8-2. Router Statistics Fields

Field Description

Port The statistics for the WAN (Internet) and LAN (local) ports. For each port, the screen

displays: Status The link status of the port. TxPkts The number of packets transmitted on this port since reset or manual clear. RxPkts The number of packets received on this port since reset or manual clear. Collisions The number of collisions on this port since reset or manual clear. Tx B/s The current line utilization—percentage of current bandwidth used on this port. Tx B/s The average line utilization —average CLU for this port. UpTime Thetimeelapsedsincethisportacquiredlink.

System up Time Thetime elapsed since the last power cycle or reset. Poll Interval Specifies the intervals at which the statistics are updated in this window. Click on Stop

to freeze the display.

Click on the “Show PPPoE Status” button to display the progress of the PPPoE connection, as shown in Figure 8-2.

Maintenance 8-3

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Click on the “Show VPN Log” “Show VPN Status” buttons to display VPN connection information, as described in Chapter 6, “Virtual Private Networking.”

Attached Devices

The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the Main Menu of the browser interface, under the Maintenance heading, select Attached Devices to view t he table, shown in Figure 8-3

Figure 8-3. Attached Devices menu

For each device, the table shows the IP address, NetBIOS Host Name (if available), and Ethernet MAC address. Note that if the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button.

Changing the Administration Password

You can use the Set Password menu to change the firewall administrator's password for accessing the Settings pages. (Note that this is NOT your ISP account password).

The default password for the firewall’s Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters.

8-4 Maintenance

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

From the Main Menu of the browser interface, under the Maintenance heading, select Set Password to bring up the menu shown in Figure 8-4.

Figure 8-4. Set Password menu

To change the password, first enter the old password, and then enter the new password twice. Click Apply.

After changing the password, you may be required to log in again to continue the configuration. If

you have backed up the firewall settings previously, you should do a new backup so that the saved settings file includes the new password.

For security, the administrator's login to the firewall configuration will timeout after a period of inactivity. To change the login timeout period:

1. Type the value in ‘Administrator login times out’ field.The suggested default value is 5

minutes.

2. Click Apply to save your changes or click Cancel to keep the current period.

Configuration File Settings Management

The configuration settings of the FR114P Firewall are stored within the firewall in a configuration file. This file can be saved (backed up) to a user’s PC, retrieved (restored) from the user’s PC, or cleared to factory default settings.

Maintenance 8-5

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

From the Main Menu of the browser interface, under the Maintenance heading, select the Settings Backup heading to bring up the menu shown in Figure 8-5.

Figure 8-5. Settings Backup menu

Three options are available, and are described in the following sections.

Restore and Backup the Configuration

The Restore and Backup options in the Settings Backup menu allow you to save and retrieve a file containing your firewall’s configuration settings.

To save your settings, select the Backup tab. Click the Backup button. Your browser will extract the configuration file from the firewall and will prompt you for a location on your PC to store the file. You can give the file a meaningful name at this time, such as pacbell.cfg.

To restore your settings from a saved configuration file, enter the full path to the file on your PC or click the Browse button to browse to the file. When you have located it, click the Restore button t o send the file to the firewall. The firewall will then reboot automatically.

Erase the Configuration

It is sometimes desirable to restore the firewall to a known blank condition. This can be done by using the Erase function, which will restore all factory settings. After an erase, the firewall's password will be password, t he LAN IP address will be 192.168.0.1, and the firewall's DHCP client will be enabled.

8-6 Maintenance

Netgear FM114P, FR114P, FR114W Reference Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Reference Manual for the Model FR114P, FR114W and FM114P Cable/D SL ProSafe Firewall Family

Contents

About This Guide

Typographical Conventions

Special Message Formats

Technical Support

Related Publications

About the NETGEAR ProSafe Firewalls

Key Features

A Powerful, True Firewall

Content Filtering

Configurable Ethernet Connection

Protocol Support

Easy Installation and Management

Maintenance and Support

Package Contents

Local Network Hardware Requirements

PC Requirements

Access Device Requirement

The Firewall’s Front Panel

The Firewall’s Rear Panel

Connecting the Firewall

Connecting to Your Internet Access Device

Connecting to your Local Ethernet Network

Preparing your Wireless Devices

Installing a Wireless Card in the FR114W

Connecting the Power Adapter

Verifying Connections

Preparing Your Personal Computers for IP Networking

Configuring Windows 95, 98, and ME for IP Networking

Install or Verify Windows Networking Components

Assign TCP/IP configuration by DHCP

Selecting Internet Access Method

Verifying TCP/IP Properties

Configuring Windows NT or 2000 for IP Networking

Install or Verify Windows Networking Components

Verifying TCP/IP Properties

Configuring the Macintosh for IP Networking

MacOS 8.6 or 9.x

MacOS X

Verifying TCP/IP Properties (Macintosh)

Your Internet Account

Login Protocols

Account Information

Obtaining ISP Configuration Information (Windows)

Obtaining ISP Configuration Information (Macintosh)

Restarting the Network

Ready for Configuration

Accessing the Web Configuration Manager

Configuration using the Setup Wizard

Configuring for Dynamic IP Account

Configuring for Fixed IP Account

Configuring for an Account with Login

Manual Configuration

Completing the Configuration

What is a Firewall

Security Log

Examples of log messages

Activation and Administration

Dropped Packets

Block Sites

Rules

Inbound Rules (Port Forwarding)

Inbound Rule Example: A Local Public Web Server

Inbound Rule Example: Allowing Videoconference from Restricted Addresses

Considerations for Inbound Rules:

Outbound Rules (Service Blocking)

Following is an application example of outbound rules:

Outbound Rule Example: Blocking Instant Messenger

Order of Precedence for Rules

Default DMZ Server

Respond to Ping on Internet WAN Port

Services

Schedule

Time Zone

E-Mail