FR328S Cable/DSL
ProSafe Firewall with Dial
Back-Up
Reference Manual
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
Phone 1-888-NETGEAR
SM-FR328SNA-0
Sept 2002
© 2002 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR and Auto Uplink are trademar ks or registered trademarks of Netgear, Inc.
Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporat io n.
Other brand and product names are registered trademark s or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liabi l ity that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has b een tested and found to co mply with the limits f or a Class B digital device, pursuant to
part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a
residential inst allation. This equipment generates, uses, and can radiate radio freq uency energy and, if not insta ll ed and
used in accordance with the inst ructions, m ay caus e harmful inte rference to radio c ommunic ations. Ho wever, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to
radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try
to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving an t enna.
• Increase the separation between the equip ment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
EN 55 022 Declaration of Conformance
This is to certify that the FR328S Cable/DSL Pr oSafe Firewall with Dial Back-Up is shielded against the generation of
radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is
declared by the application of EN 55 022 Class B (C ISPR 22).
ii
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß dasFR328S Cable/DSL ProSafe Firewall with Dial Back-Up gemäß der im
BMPT-AmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben
einiger Geräte (z.B . Testsender) kann jedoch gewissen Beschrän kungen unterliegen. Lesen Sie dazu bitte die
Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt
gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the FR328S Cable/DSL ProSafe Firewall with Dial Back-Up has been suppressed
accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some
in
equipment (for example, test transm itt ers) i n accordance with the regulations may, however, be subject to certain
restrictions. Please refer to the notes in the operating instructions.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second categor y (information equipment to be used in a residentia l area or an adjacent area
thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing
Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver, it may become the cause of radi o i nt erference.
Read instructions for correct handling.
Technical Support
Refer to the Support Information Card that shipped with your FR328S Cable/DSL ProSafe Firewall with Dial Back-Up.
World Wide Web
NETGEAR maintains a World Wide Web home page that you can access at the universal resource locat or (URL)
http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer
or Netscape are required.
iii
iv
Contents
Preface
About This Manual
Audience ..................... ............. ....... ............. ............. ............. ............ ............. ............. .1-xiii
Typographical Conventions ..........................................................................................1-xiii
Special Message Formats ........................................................................................... 1-xiv
Technical Support ........................................................................................................ 1-xiv
Chapter 1
Introduction
About the FR328S ....................................... ...... ....... ...... ....... .........................................1-1
Key Features ..................................................................................................................1-1
A Powerful, True Firewall .........................................................................................1-1
Content Filtering ............................. ....... ...... ....... ...... ............................................. ...1-2
Configurable Auto Uplink™ Ethernet Connection ....................................................1-2
Protocol Support ......................................................................................................1-2
Easy Installation and Management ..........................................................................1-3
What’s in the Box? ..........................................................................................................1-5
The Firewall’s Front Panel .................................................................................1-5
The Firewall’s Rear Panel ..................................................................................1-6
Chapter 2
Connecting the Firewall to the Internet
What You Will Need Before You Begin ...........................................................................2-1
LAN Hardware Requirements ..................................................................................2-1
Computer Requirements ....................... ............................................. ....... ...... ...2-1
Cable or DSL Modem Requirement ..................................................................2-1
LAN Configuration Requirements ............................................................................2-2
Internet Configuration Requirements .......................................................................2-2
Where Do I Get the Internet Configuration Parameters? ..................................2-2
Connecting the FR328S Firewall to Your LAN ................................................................2-4
Connecting the FR328S Firewall to the Internet .............................................................2-8
Contents v
Configuring A Serial Port Internet Connection ..............................................................2-14
Testing Your Internet Connection ..................................................................................2-18
Manually Configuring Your Internet Connection ...........................................................2-19
Chapter 3
Protecting Your Network
Protecting Access to Your FR328S Firewall ...................................................................3-1
Configuring Basic Firewall Servic es .................. ....... ...... ....... ...... ...... ....... ...... ....... ...... ...3- 3
Blocking Keywords, Sites, and Services ..................................................................3-3
Rules ..............................................................................................................................3-5
Inbound Rules (Port Forwarding) .............................................................................3-7
Inbound Rule Example: A Local Public Web Server ..........................................3-7
Inbound Rule Example: Allowing Videoconference from Restricted Addresses 3-9
Considerations for Inbound Rules .....................................................................3-9
Outbound Rules (Service Blocking) .......................................................................3-10
Outbound Rule Example: Blocking Instant Messenger ...................................3-10
Order of Precedence for Rules ..............................................................................3-12
Services ...................... .............................................. ............................................. .......3-13
Setting Times and Scheduling Firewall Services ..........................................................3-14
Chapter 4
Managing Your Network
Network Management Information .................................................................................4-1
Viewing Router Status and Usage Statistics ............................................................4-1
Viewing Attached Devices ........................................................................................4-4
Viewing, Selecting, and Saving Logged Information ................................................4-5
Selecting What Information to Log ....................................................................4-6
Saving Log Files on a Server .. ....... ...... ....... ...... ............................................. ...4- 7
Examples of log messages ......................................................................................4-7
Activation and Administration ............................................................................4-7
Dropped Packets ...............................................................................................4-7
Enabling Security Event E-mail Notification ...................................................................4-8
Backing Up, Restoring, or Erasing Your Settings ...........................................................4-9
Running Diagnostic Utilities and Rebooting the Router ................................................4-12
Enabling Remote Management ....................................................................................4-13
Upgrading the Router’s Firmware .................................................................................4-14
vi Contents
Chapter 5
Advanced Configuration
Configuring Advanced Security ......................................................................................5-1
Setting Up A Default DMZ Server ............................................................................5-1
Respond to Ping on Internet WAN Port ...................................................................5-2
Configuring LAN IP Settings ...........................................................................................5-2
LAN TCP/IP Setup ...................................................................................................5-2
MTU Size .................................................................................................................5-3
DHCP ................................ ................................................................. ......................5-4
Use router as DHCP server ...............................................................................5-4
Reserved IP addresses .....................................................................................5-5
Configuring Dynamic DNS .......................................................................................5-6
Using Static Routes ........................................................................................................5-8
Static Route Example ...............................................................................................5-8
Chapter 6
Troubleshooting
Basic Functions .... ...... ....... ............................................. ....... ...... ...................................6-1
Power LED Not On ...................................................................................................6-2
Test LED Never Turns On or Test LED Stays On .....................................................6-2
Local or Internet Port Link LEDs Not On ..................................................................6-2
Troubleshooting the Web Configuration Interface ..........................................................6-4
Troubleshooting the ISP Connection ..............................................................................6-5
Troubleshooting a TCP/IP Network Using a Ping Utility .................................................6-6
Testing the LAN Path to Your Firewall ......................................................................6-6
Testing the Path from Your PC to a Remote Device ................................................6-7
Restoring the Default Configuration and Password ........................................................6-8
Using the Default Reset button ................................................................................6-8
Problems with Date and Time .........................................................................................6-9
Appendix A
Technical Specifications
Appendix B
Networks, Routing, and Firewall Basics
Related Publications ...................................................................................................... B-1
Basic Router Concepts ................... ...... ....... ...... ....... ...... ....... ...... .................................. B- 1
What is a Router? ................................................................................................... B-2
Routing Information Protocol ................................................................................... B-2
Contents vii
IP Addresses and the Internet ................................................................................. B-2
Netmask ............................ ................................................................. ..................... B -4
Subnet Addressing .................................................................................................. B-5
Private IP Addresses ............................................................................................... B-7
Single IP Address Operation Using NAT ................................................................. B-8
MAC Addresses and Address Resolution Protocol ................................................. B-9
Related Documents ............................................................................................... B-10
Domain Name Server ............................................................................................ B-10
IP Configuration by DHCP .....................................................................................B-11
Internet Security and Firewalls .....................................................................................B-1 1
What is a Firewall? .................................................................................................B-11
Stateful Packet Inspection ..................................................................................... B-12
Denial of Service Attack ........................................................................................ B-12
Ethernet Cabling .......................................................................................................... B-12
Uplink Switches and Crossover Cables ................................................................ B-13
Cable Quality ......................................................................................................... B-13
Appendix C
Preparing Your Network
Preparing Your Computers for TCP/IP Networking .......................................................C-1
Configuring Windows 95, 98, and ME for TCP/IP Networking ................................ C-2
Install or Verify Windows Networking Components ..........................................C-2
Enabling DHCP to Automatically Configure TCP/IP Settings ........................... C-4
Selecting Windows’ Internet Acce ss Metho d ........................ ....... ...... ....... ...... .. C-4
Verifying TCP/IP Properties ..............................................................................C-5
Configuring Windows NT, 2000 or XP for IP Networking ........................................C-5
Install or Verify Windows Networking Components ..........................................C-5
Verifying TCP/IP Properties ..............................................................................C-6
Configuring the Macintosh for TCP/IP Networking ..................................................C-6
MacOS 8.6 or 9.x ............... ...... ....... ...... ............................................. ....... ...... .. C-6
MacOS X . ...... ....... ............................................. ....... ...... .................................. C- 7
Verifying TCP/IP Properties for Macintosh Computers ..................................... C-8
Verifying the Readiness of Your Internet Account ......................................................... C-9
Are Login Protocols Used? .....................................................................................C-9
What Is Your Configuration Information? ................................................................C-9
Obtaining ISP Configuration Information for Windows Computers ................. C-10
viii Contents
Obtaining ISP Configuration Information for Macintosh Computers ............... C-11
Restarting the Network ................................................................................................ C-12
Glossary
Index
Contents ix
x Contents
List of Procedures
Procedure 2-1: Record Your Internet Connection Information ......................................2-3
Procedure 2-2: Connecting the Firewall to Your LAN ....................................................2-4
Procedure 2-3: Auto-Detecting Your Internet Connection Type ....................................2-9
Procedure 2-4: Wizard-Detected Login Account Setup ...............................................2-10
Procedure 2-5: Wizard-Detected Dynamic IP Account Setup .....................................2-11
Procedure 2-6: Wizard-Detected Fixed IP (Static) Account Setup ..............................2-13
Procedure 2-7: Serial Port Internet Connection Configuration ....................................2-14
Procedure 2-8: Manual Configuration .........................................................................2-20
Procedure 3-1: Changing the Built-In Password ...........................................................3-2
Procedure 3-1: Changing the Administrator Login Timeout ..........................................3-3
Procedure 3-2: Block Keywords and Sites ....................................................................3-4
Procedure 3-3: Define Services ..................................................................................3-13
Procedure 3-4: Setting Yo ur Time Zone ......................................................................3-14
Procedure 3-5: Scheduling Firewall Services ..............................................................3-16
Procedure 4-6: Backup the Configuration to a File .......................................................4-9
Procedure 4-7: Restore a Configuration from a File ....................................................4-11
Procedure 4-8: Erase the Configuration ......................................................................4-11
Procedure 4-9: Configure Remote Management ........................................................4-13
Procedure 4-1: Router Upgrade ..................................................................................4-14
Procedure 5-1: Configure LAN TCP/IP Setup ...............................................................5-6
Procedure 5-2: Configure Dynamic DNS ......................................................................5-7
Procedure 5-3: Configuring Static Routes .....................................................................5-9
xi
xii
Preface
About This Manual
Thank your for purchasing the NETGEAR™ FR328S Cable/DSL ProSafe Firewall with Dial
Back-Up.
This manual describes the features of the firewall and provides installation and configuration
instructions.
Audience
This reference manu al assumes th at the reade r has int ermediate to advanced com puter and Intern et
skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial
information is provided in the Appendices.
Typographical Conventions
This guide uses the following typographical conventions:
italics Book titles and UNIX file, command, and directory names.
courier font Screen text, user-typed com mand-line entries.
Initial Caps Menu titles and window and button names.
[Enter] Named keys in text are shown enclosed in square brackets. The notation
[Enter] is used for the Enter key and the Return key.
[Ctrl]+C Two or more keys that must be pressed simultaneously are shown in text
linked with a plus (+) sign.
ALL CAPS DOS file and directory names.
About This Manual xiii
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Special Message Forma ts
This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Procedure: This format is used to let you know that you are following a sequence of
steps required to complete a task.
Warning: This format is used to highl igh t in for m at ion about the possibility of injur y or
equipment damage.
Danger: This format is used to alert you that there is the potential for incurring an
electrical shock if you mishandle the equipment.
Technical Support
For help with any technical issues, contact Customer Support at 1-888-NETGEAR, or visit us on
the Web at www.NETGEAR.com. The NETGEAR Web site includes an extensive knowledge
base, answers to frequently asked questions, and a means for submitting technical questions
online.
xiv About This Manual
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
About This Manual xv
Chapter 1
Introduction
This chapter describes the features of the NETGEAR FR328S Cable/DSL ProSafe Firewall with
Dial Back-Up.
About the FR328S
The FR328S is a c omplete securit y solut ion that protec ts your network f rom at tacks a nd intru sions.
Unlike simple Internet sharing routers that rely on Network Address Translation (NAT) for
security, the FR328S uses S ta teful Pack et I nspect ion for Den ial of Ser vice (Do S) atta ck pro tection
and intrusion detectio n. The 8-port FR328S with aut o fail-over conn ectiv ity through the serial port
provides highly reliable Internet access for up to 253 users.
Key Features
The FR328S o ffers the followin g features.
A Powerful, True Firewall
Unlike simple Internet sharing NAT routers, the FR328S is a true firew all, using stateful packet
inspection to defend against hacker attacks. Its firewall features include:
• Denial of Service (DoS) protection
Automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death,
SYN Flood, LAND Attack and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Introduction 1-1
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• Logs security incidents
The FR328S will log security events suc h as blocke d inco ming traffic, port scans, attack s, and
administrator logins. You can configure the firewall to email the log to you at specified
intervals. You can also configure the firewall to send immediate alert messages to your email
address or email pager whenever a significant event occurs.
Content Filtering
With its content filtering feature, the FR328S prevents objectionable content from reaching your
PCs. The firewall allows you to control access to Internet content by screening for keywords
within Web addresses. You can configure the firewall to log and report attempts to access
objectionable Internet sites.
Configurable Auto Uplink™ Ethernet Connection
With its internal 8-port 10/100 switch, the FR328S can connect to either a 10 Mbps standard
Ethernet network or a 10 0 Mbps Fast Etherne t net work . Both the l ocal LAN and the I ntern et WAN
interfaces are autosensing and capable of full-duplex or half-duplex operation.
The firewall incorporates Auto UplinkTM technology. Each LOCAL Ethernet port will
automatically sense whether the Ethernet cable plugged into the port should have a ‘normal’
connection such as to a PC or an ‘uplin k’ connecti on such as to a switch or hub. Th at port wil l then
configure itself to the correct configuration. This feature also eliminates the need to worry about
crossover cables, as Auto Uplink will accommodate either type of cable to make the right
connection.
Protocol Support
The FR328S supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing
Information Protocol (RIP).
further information on TCP/IP.
• IP Address Sharing by NAT
The FR328S allows severa l ne tworked PCs to share an Inte rne t ac count using only a single IP
address, which may be statically or dynamically assigned by your Internet service provider
(ISP). This technique, known as Network Address Translation (NAT), allows the use of an
inexpensive single-user ISP account.
1-2 Introduction
Appendix B, “Networks, Routing, and Firewall Basics” provides
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• Automatic Configuration of Attached PCs by DHCP
The FR328S dynamically assigns network configuration information, including IP, gateway,
and domain name server (DNS) addre sses, to attached PCs on the LAN using the Dynamic
Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on
your local network.
• DNS Proxy
When DHCP is enabled and no DNS addresses are specified, the firewall provides its own
address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from
the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE)
PPP over Ethernet is a protocol for connecting remote hosts to the Internet over a DSL
connection by simulating a dial-up connection. This feature eliminates the need to run a login
program such as EnterNet or WinPOET on your PC.
• PPTP login support for European ISPs, BigPond login for Telstra cable in Australia.
•Dynamic DNS
Dynamic DNS services allow remote users to find your network using a domain name when
your IP address is not pe rman ent ly assigned. The firewall contai ns a client that can connect to
many popular Dynamic DNS services to register your dynamic IP address.
Easy Installation and Management
You can install, configure, and operate the FR328S within minutes after connecting it to the
network. The following features simplify installation and management tasks:
• Browser-based management
Browser-based configuration allows you to easily configure your firewall from almost any
type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup
Wizard is provided and online help documentation is built into the browser-based Web
Management Interface.
• Smart Wizard
The firewall automatically senses the type of Internet connection, asking you only for the
information required for your type of ISP account.
• Auto fail-over connectivity through an analog or ISDN modem connected to the serial port
If the cable or DSL modem I ntern et c onnect ion f ails , aft er a wait ing f or a n amount o f time you
specify, the FR328S c an aut omatic ally e stabl ish a backup ISDN or di al-u p Inte rnet connect ion
via the serial port on the firewall.
Introduction 1-3
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• Remote management
The firewall allows you to logi n t o the W eb Management Interface from a re mo te loc ati on vi a
the Internet. For security, you can limi t remote management access to a specified remote IP
address or range of addresses, and you can choose a nonstandard port number.
• Remote Access Server connectivity vial the serial port
• Diagnostic functions
The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote
reboot. These functi ons allow you to test Inter net conne ctivity and reboot the fi rewall. You can
use these diagnostic f unctions di rectly from the FR328S when your are conne ct on the LAN or
when you are connected over the Internet via the remote management function.
• Visual monitoring
The firewall’s front panel LEDs provide an easy way to monitor its status and activity.
• Flash EPROM for firmware upgrade
• Regional support, including ISPs like Telstra DSL and BigPond or Deutsche Telekom.
1-4 Introduction
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
What’s in the Box?
The product package should contain the following items:
• FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• AC power adapter
• Category 5 (CAT5) Ethernet cable
• Resource CD, including:
— This manual
— Application Notes, Tools, and other helpful information
• Warranty and registration card
• Support information card
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the
carton, including the original packing materials, in case you need to return the product for repair.
The Firewall’s Front Panel
The front panel of the FR328S (Figure 1-1) contains status LEDs.
Figure 1-1: FR328S Front Panel
You can use some of the LEDs to verify connections. Table 1-1 lists and describes each LED on
the front pa nel of the fire wall.
Introduction 1-5
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
These LEDs are green when lit, except for the TEST LED, which is amber.
Table 1-1: LED Descriptions
Label Activity Description
POWER On Power is supplied to the firewall.
TEST On
Off
MODEM On/Blinking The port detected a link with the Internet WAN connection or
INTERNET
100 On/Blinking The Internet port is operating at 100 Mbps.
LINK/ACT (Activity) On/Blinking The port detected a link with the Internet WAN connection and is
LOCAL
100 On/Blinking The Local port is operating at 100 Mbps.
LINK/ACT
On/Blinking The Local port has detected a link with a LAN connection and is
(Link/Activity)
The system is initializing.
The system is ready and running.
Remote Access Server. Blinking indicates data transmission.
operating at 10 Mbps. Blinking indicates data transmission.
operating at 10 Mbps. Blinking indicates data transmission.
The Firewall’s Rear Panel
The rear panel of the FR328S (Figure 1-2) contains the connections identified below.
MODEM
87654321
10/100M
INTERN ET
12VDCO.5A
LOCA L
Figure 1-2: FR328S Rear Panel
Viewed from left to right, the rear panel contains the following elements:
• DB-9 serial port for modem connection
• Factory Default Reset push button
• Eight Local Ethernet RJ-45 ports for connecting the firewall to the local computers
• Internet WAN Ethernet RJ-45 port for connecting the firewall to a cable or DSL modem
• AC power adapter input
1-6 Introduction
Chapter 2
Connecting the Firewall to the Internet
This chapter describes how to set up the firewall on your Local Area Network (LAN), connect to
the Internet, perform basic configuration of your FR328S Cable/DSL ProSafe Firewall with Dial
Back-Up using the Setup Wizard, or how to manually configure your Internet connection.
What You Will Need Before You Begin
You need to prepare these three things before you can connect your firewall to the Internet:
1. A computer properly connected to the firewall as explained below.
2. Active Internet service such as that provided by a DSL or Cable modem account.
3. The Internet Service Provider (ISP) configuration information for your DSL or Cable modem
account.
LAN Hardware Requirements
The FR328S Firewall connects to your LAN via twisted-pair Ethernet cables.
Computer Requirements
To use the FR328S Firewall on your network, each computer must have an installed Ethernet
Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network
at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provide d with your fire wall.
Cable or DSL Modem Requirement
The cable modem or DSL modem must provide a standard 10 Mbps 10BASE-T or 100 Mbps
100BASE-T Ethernet interface.
Connecting the Firewall to the Internet 2-1
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
LAN Configuration Requirements
For the initial connection to the Interne t and configuration of your firewall, you will need to
connect a computer to the firewal l which is set to automa ti cally get its TCP/IP configurati on fr om
the firewall via DHCP.
Note: Please refer to Appendix C, "Preparing Your Network" for assistance with DHCP
configuration.
Internet Configuration Requirements
Depending on how your ISP set up your Internet account, you will need one or more of these
configuration parameters to connect your firewall to the Internet:
• Host and Domain Names
• ISP Login Name and Password
• ISP Domain Name Server (DNS) Addresses
• Fixed or Static IP Address
Where Do I Get the Internet Configuration Parameters?
There are several ways you can gather the required Internet connection information.
• Your ISP should have provided you with all the inf orma ti on ne eded to connect to the Inte rne t.
If you cannot locate this information, you can ask your ISP to provide it or you can try one of
the options below.
• If you have a computer already connected using the active Internet access account, you can
gather the configuration information from that computer.
• For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the
Ethernet adapter, and click Properties.
• For Windows 2000/XP, open the Local Area Network Connecti on, select the TCP/IP entry
for the Ethernet adapter, and click Properties.
• For Macintosh computers, open the TCP/IP or Network control panel.
• You may also refer to the FR328S Resource CD for the NETGEAR Router ISP Guide which
provides Internet connection infromation for many ISPs.
Once you locate your Internet configu ration par ameters , you may want to rec ord them on the page
below according to the instructions in
page 2-3.
2-2 Connecting the Firewall to the Internet
“Record Your Internet Connection Information” on
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Procedure 2-1: Record Your Internet Connection Information
1. Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).
ISP Login Name: The login name an d pas swor d ar e ca se s ens itive and must be entered exact ly as
given by your ISP. Some ISPs use your full e -mail addr ess as the l ogin na me. The Ser vice Na me is
not required by all ISPs. If you connect using a login name and password, then fill in the
following:
Login Name: ______________________________ Password: ____________________________
Service Nam e: _____________________________
Fixed or Static IP Address: If you have a static IP address, record the following information. For
example, 169.254.141.148 could be a valid IP address.
Fixed or Static Internet IP Address: ______ . ______ . ______ . ______
Subnet Mask: ______ . ______ . ______ . ______
Gateway IP Address: ______ . ______ . ______ . ______
ISP DNS Se rver Addresses: If you were given DNS server addresses, fill in the following:
Primary DNS Server IP Address: ______ . ______ . ______ . ______
Secondary DNS Server IP Address: ______ . ______ . ______ . ______
Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or
home. If you haven’t been given host or domain names, you can use the following examples as a
guide:
• If your main e-mail account with your ISP is aaa@yyy.com, then use aaa as your host name.
Your ISP might call this your account, user, host, computer, or system name.
• If your ISP’s mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name.
ISP Host Name: _________________________ ISP Domain Name: _______________________
For Serial Port Internet Access: If you use a dial-up account, record the following:
Account/U ser Name: _________________________ Password: _________________________
Telephone number:
Connecting the Firewall to the Internet 2-3
______________________ Alternative number: ______________________
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Connecting the FR328S Firewall to Your LAN
This section provides instructions for connecting the FR328S Cable/DSL ProSafe Firewall with
Dial Back-Up to your
Note: The Resource CD included with your firewall con tains an animat ed Installat ion Assista nt to
help you through this procedure.
Procedure 2-2: Connecting the Firewall to Your LAN
There are three steps to connecting your firewall:
1. Connect the firewall to your network
2. Log in to the firewall
3. Connect to the Internet
Follow the steps below to connect your firewall to your network. You can also refer to the
Resource CD included wi th your firewa ll which contains an animat ed Inst allation As sistant to help
you through this procedure.
Local Area Network (LAN).
1. Connect the Firewall
a. Turn off your computer and Cable or DSL Modem.
2-4 Connecting the Firewall to the Internet
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
b. Disconnect the Ethernet cable (A) from your computer which connects to your Cable or
DSL modem.
A
DSL modem
Figure 2-1: Disconnect the Cable or DSL Modem
c. Connect the Ethernet cable (A) from your Cable or DSL modem to the FR328S’s Internet
port.
DSL
modem
MODEM
LOCAL
10/100M
87654321
A
INTERNET
12VDCO.5A
Figure 2-2: Connect the Cable or DSL Modem to the firewall
Connecting the Firewall to the Internet 2-5
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
d. Connect the Ethernet cable (B) which came with the firewall from a Local port on the
router to your computer.
DSL
modem
B
LOCAL
MODEM
10/100M
87654321
INTERNET
A
12VDCO.5A
Figure 2-3: Connect the computers on your network to the firewall
Note: The FR328S Firewall incorporates Auto UplinkTM technology. Each LOCAL Ethernet
port will automatically sense whether the cable plugged into the port should have a 'normal'
connection (e.g. connecting to a PC) or an 'uplink' connection (e.g. connecting to a switch or
hub). That port will then configure itself to the correct configuration. This feature also
eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either
type of cab le to make the right connec tion.
e. Turn on the Cable or DSL modem and wait about 30 seconds for the lights to stop
blinking.
2. Log in to the Firewall
Note: T o conn ect to the fi rewall, your comput er needs to be conf igured to obt ain an IP addre ss
automatically via DHCP. Please refer to
Appendix C, "Preparing Your Network" for
instructions on how to do this.
a. Turn on the firewall and wait for the Test light to stop blinking.
b. Now, turn on your computer.
Note: If you usually run software to log in to your Internet connection, do not run that
software.
2-6 Connecting the Firewall to the Internet
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Now that the Cable or DSL Modem, firewall, and the computer are turned on, ve rify the
following:
• When power on the firewall was first turned on, the PWR light went on, the TEST light
turned on within a few seconds, and then went off after approximately 10 seconds.
• The firewall’s LOCAL LINK/ACT lights are lit for any compu ters th at are conne cted to it .
• The firewall’s INTERNET LINK light is lit, indicating a l ink has been e stablished to the
cable or DSL modem.
c. Next, use a browser like Internet Explorer or Netscape to log in to the firewall at its default
address of http://192.168.0.1.
Figure 2-4: Log in to the firewall
A login window opens as shown in Figure 2-5 below:
Figure 2-5: Login window
d. For security reasons, the firewall has its own user name and password. When prompted,
admin for the firewall User N ame and password for the firewall Password, both in
enter
lower case letters.
Note: The user name and password are not the same as any user name or password you
may use to log in to your Internet connection.
Connecting the Firewall to the Internet 2-7
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
3. Connect to the Internet
Figure 2-6: Setup Wizard
a. You are now connected to the firewall. If you do not see the menu above, click the Setup
Wizard link on the upper left of the main menu. Click the Yes button in the Setup Wizard.
b. Please click Next to follow the steps in the Setup Wizard to input the configuration
parameters from your ISP to connect to the Internet.
Note: If you were unable to connect to the firewall, please refe r to “Basic Functions” on page 6-1.
Connecting the FR328S Firewall to the Internet
The firewall is now properly attached to your network. You are now ready to configure your
firewall to connect to the Internet. There are two ways you can configure your firewall to connect
to the Internet:
• Let the FR328S auto-detect the type of Internet connection you have and configure it.
• Manually choose which type of Internet connection you have and configure it.
These options are described below. In either case, unless your ISP automatically assigns your
configuration automatically via DHCP, you will need the configuration parameters from your ISP
you recorded in “Record Your Internet Connection Information” on page 2-3.
2-8 Connecting the Firewall to the Internet
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Procedure 2-3: Auto-Detecting Your Internet Connection Type
The Web Configuration Manager built in to the firewall contains a Setup Wizard that can
automatically determine your network connection type.
1. If your firewall has not yet been configured, the Setup Wizard shown in Figure 2-7 should
launch automatically.
When the Wizard launches, select Yes in the menu below to allow the firewall to automatically
determine your connection.
Figure 2 -7: Built -in Web-based Config ura t ion Mana ge r Setu p Wizard
Note: If, instead of the Setup Wizard menu, the main menu of the firewall’s Configuration
Manager as shown in
Figure 2-12 appears, click the Setup Wizard link in the upper left to
bring up this menu.
2. Click Next
The Setup Wizard will now check for the following connection types:
• Dynamic IP assignment
• A login protocol such as PPPoE
• Fixed IP address assignment
Connecting the Firewall to the Internet 2-9
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Next, the Setup Wizard will report which connection type it has discovered, and then display
the appropriate configuration menu. If the Setup Wizard finds no connection, you will be
prompted to check the physical connection between your firewall and the cable or DSL
modem. When the connection is properly made, the firewall’s Internet LED should be on.
The procedures for filling in the configuration menu for each type of connection follow below.
Procedure 2-4: Wizard-Detected Login Account Setup
If the Setup Wizard determines that your Internet service account uses a login protocol such as
PPP over Ethernet (PPPoE), you will be directed to a menu like the PPPoE menu in
Figure 2-8:
Figure 2-8: Setup Wizard menu for PPPoE login accounts
1. Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be ne cessary to acc ess your ISP’s services such as mai l or news servers . If yo u
leave the Domain Name field blank, the firewall will attempt to learn the domain
automatically from the ISP. If this is not successful, you may need t o enter it manually.
2. Enter the PPPoE login user name and password provided by your ISP. These fields are case
sensitive. If you wish to change the login timeout, enter a new value in minutes.
2-10 Connecting the Firewall to the Internet
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Note: You will no longer need to launch the ISP’s login prog ram on yo ur PC in ord er to acc ess
the Internet. When you start an Internet application, your firewall will automatically log you
in.
3. Domain Name Server (DNS) Address: If you know that your ISP does not automatically
transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter
the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is
available, enter it also.
If you enter an address here, after you finish configuring the firewall, reboot your PCs so
that the settings take effect.
4. Click on Apply to save your settings.
5. Click on the Test button to test your Internet connection. If the NETGEAR website does not
appear within one minute, refer to
Chapter 6, Troubleshooting”.
Procedure 2-5: Wizard-Detected Dynamic IP Account Setup
If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment,
you will be directed to the menu shown in
Figure 2-9 below:
Figure 2-9: Setup Wizard menu for Dynamic IP address
Connecting the Firewall to the Internet 2-11
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
1. Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be ne cessary to acc ess your ISP’s services such as mai l or news servers . If yo u
leave the Domain Name field blank, the firewall will attempt to learn the domain
automatically from the ISP. If this is not successful, you may need t o enter it manually.
2. If you know that your ISP does not automatically transmit DNS addresses to the firewall
during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary
DNS Server. If a Secondary DNS Se rver address is available, enter it also .
A DNS server is a host on the Internet that translates Internet names (such as
www .netge ar.com) to numeric IP addresses. Typ ical ly your ISP tr ansfe rs the IP add ress of
one or two DNS servers to your firewall during login. If the ISP does not transfer an
address, you must ob tain it fr om the ISP a nd enter it manuall y here. I f you ent er an addr ess
here, you should reboot your PCs after configuring the firewall.
3. The Router’s MAC Address is the Ethernet MAC address that will be used by the firewall on
the Internet port.
If your ISP allows access from only one specific computer’s Ethernet MAC address, select
“Use this MA C address.” T he firewall will then capture and use the MAC address of the
computer that you are now using. You must be using the one computer that is allowed by the
ISP. Otherwise, you can type in a MAC address.
Note: Some ISPs will register the Ethernet MAC address of the network interface card in
your PC when your account is first opened. They will then only accept traffic from the
MAC address of that PC. This feature allows your firewall to masquerade as that PC by
using its MAC address.
4. Click on Apply to save your settings.
5. Click on the Test button to test your Internet connection. If the NETGEAR website does not
appear within one minute, refer to
2-12 Connecting the Firewall to the Internet
Chapter 6, Troubleshooting”.
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Procedure 2-6: Wizard-Detected Fixed IP (Static) Account Setup
If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you
will be directed to the menu shown in
Figure 2-10: Setup Wizard menu for Fixed IP address
Figure 2-10 below:
1. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway
router. This information should have been provided to you by your ISP. You will need the
configuration parameters from your ISP you recorded in “Record Your Internet Connection
Information” on page 2-3.
2. Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is
available, enter it also.
A DNS servers are requi red to p erform th e functi on of tra nslatin g an Inte rnet name such as
www .netgear.com to a numeric IP addres s. For a fixed IP address c onfi gur ation, you must
obtain DNS server addresses from your ISP and enter them manually here. You should
reboot your PCs after configuring the firewall for these settings to take effect.
3. Click on Apply to save the settings.
4. Click on the Test button to test your Internet connection. If the NETGEAR website does not
appear within one minute, refer to
Connecting the Firewall to the Internet 2-13
Chapter 6, Troubleshooting.
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Configuring A Serial Port Internet Connection
Use the procedure below to configure an Internet connection via the serial port of your firewall.
Procedure 2-7: Serial Port Internet Connection Configuration
There are three steps to configuring the serial port of your firewall for an Internet connection:
1. Connect the firewall to your ISDN or dial-up analog modem
2. Configure the firewall
3. Connect to the Internet
Follow the steps below to configure a serial port Internet connection on your firewall.
1. Connect the Firewall to your ISDN or dial-up modem
a. Turn off your Modem and connect the cable (C) from your FR328S’s serial port to the
modem.
ISDN or
analog modem
C
MODEM
LOCAL
10/100M
87654321
INTERNET
12VDCO.5A
Figure 2-11: Connect the ISDN or analog modem to the firewall
b. Turn on the modem and wait about 30 seconds for the lights to stop blinking.
2-14 Connecting the Firewall to the Internet
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
2. Configure the Serial Port of the Firewall.
Note: T o conn ect to the fi rewall, your comput er needs to be conf igured to obt ain an IP addre ss
automatically via DHCP. If you need instructions on how to do this, please refer to
Appendix C, "Preparing Your Network".
a. Use a browser to log in to the firewall at http://192.168.0.1 with its default User Name of
admin and default Password of password, or using whatever Password you have set up.
Note: The user name and password are not the same as any user name or password you
may use to log in to your Internet connection.
b. From the Setup menu, click the Serial Port link to display the menu below.
Figure 2-12: Setup Serial Port configuration menu
Connecting the Firewall to the Internet 2-15
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
c. Choose the type of Serial Port Usage:
• Auto-rollover with a wait time in min utes
• Primary Internet connection
d. Fill in the ISP Internet configuration parameters as appropriate:
• For a Dial-up Account, enter the Account/User Name, Password, the Telephone
number to dial, an Alternative Telephone number if available. Check “Connect as
required” to enable the fi rewall to automat ically dial the number . If you want to ena ble
a Idle Time disconnect, check the box and enter a time in minutes.
• To configure the TCP/IP settings, fill in whatever address parameters your ISP
provided.
e. Conf igure the Modem parameters:
Figure 2-13: Modem configuration menu
• Select the Serial Line Speed.
This is the maximum speed the modem will attempt to use. For ISDN permanent
connections, the speeds are typically 64000 or 128000 bps. For dial-up modems, 56000
bps would be a typical setting.
—For ISDN, select “Permanent connection (leased line).”
—For dial-up, select your modem from the list.
—If your modem is not on the list, select “User Defined” and enter the Modem Properties.
2-16 Connecting the Firewall to the Internet
• Select the Modem Type
Figure 2-14: Modem Properties menu
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• If you are using the “Generic Modem” selection and configuring your own modem
stings, fill in the Modem Properties settings.
Note: You can validate modem string settings by first connecting the modem directly
to a PC, establishing a connection to your ISP, and then copying the modem string
settings from the PC configuration and pasting them into the FR328S Modem
Properties Initial String field. For more information on this procedure, please refer to
the support area of the NETGEAR web site.
f. Click Apply to save your settings.
3. Connect to the Internet to test your configuration.
a. If you have a broadband connection, disconnect it.
b. From a workstation, open a browser and test your serial port Internet connection.
Note: The response time of your serial port Internet connection will be slower than a
broadband Internet connection.
Connecting the Firewall to the Internet 2-17
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Testing Your Internet Connection
After completing the Internet connection configuration, your can test your Internet connection.
Log in to the firewall, then, from the S etup Basic Se ttings link, click on the Test button. If the
NETGEAR website does not appear within one minute, refer to
Your firewall is now configured to provide Internet access for your network. Your firewall
automatically connects to the Internet when one of your computers requires access. It is not
necessary to run a dialer or login application such as Dial-Up Networking or Enternet to connect,
log in, or disconnect. These functions are performed by the firewall as needed.
To access the Internet from any computer connected to your firewall, launch a browser such as
Microsoft Internet Explorer or Netscape Navigator. You should see the firewall’s Internet LED
blink, indicating communication to the ISP. The browser should begin to display a Web page.
The following chapter s descri be how to con figure t he Advanced f eatures of your firewal l, and how
to troubleshoot problems that may occur.
Chapter 6, Troubleshooting.
2-18 Connecting the Firewall to the Internet
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Manually Configuring Your Internet Connection
You can manually configure your firewall using the menu below, or you can allow the Setup
Wizard to determine your configuration as described in the previous section.
Figure 2-15: Browser-based configuration Basic Settings menu
Connecting the Firewall to the Internet 2-19
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Procedure 2-8: Manual Configuration
You can manually configure the firewall in the Basic Settings menu shown in Figure 2-12 using
these steps:
1. Select whether your Internet connection requires a login.
Select Broadband with Login if you normally must lau nch a login program such as Enterne t or
WinPOET in order to access the In ternet.
Note: If you are a Telstra BigPond cable modem customer, or if you are in an area such as
Austria that uses PPTP, login is required. If so, select BigPond or PPTP from the Internet
Service Type drop down box.
2. Enter your Account Name (may also be called Host Name) and Domain Name.
These parameters may be nec essar y to access your IS P’s services such as mail or news s erver s.
3. (If displayed) Enter the PPPoE login user name and password provided by your ISP.
These fields are case sensitive. If you wish to change the login timeout, enter a new value in
minutes.
Note: You will no longer need to launch the ISP’s login prog ram on yo ur PC in ord er to acc ess
the Internet. When you start an Internet application, your firewall will automatically log you
in.
4. Internet IP Address:
If your ISP has assigned you a permanent, fixed (static) IP address for your PC, select “Use
static IP address”. Ente r t h e IP addr ess tha t your ISP assigned. Also enter the ne tmas k and t he
Gateway IP address. The Gateway is the ISP’s router to which your firewall will connect.
5. Domain Name Server (DNS) Address:
If you know that your ISP does not automatically transmit DNS addresses to the firewall
during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary
DNS Server. If a Secondary DNS Se rver address is available, enter it also .
A DNS server is a host on the Internet that translates Internet names (such as
www .netge ar.com) to numeric IP addresses. Typ ical ly your ISP tr ansfe rs the IP add ress of
one or two DNS servers to your firewall during login. If the ISP does not transfer an
address, you must ob tain it fr om the ISP a nd enter it manuall y here. I f you ent er an addr ess
here, you should reboot your PCs after configuring the firewall.
2-20 Connecting the Firewall to the Internet
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
6. Router’s MAC Address:
This sectio n determine s the Etherne t MAC address that will be used by the fi rewall on the
Internet port. Some ISPs will register the Ethe rne t M AC add res s of the network interface car d
in your PC when your account is first opened. They will then only accept traffic from the
MAC address of that PC. This feature allows your firewall to masquerade as that PC by
“cloning” its MAC address.
To change the MAC address, select “Use this Computer’s MAC address.” The firewall will
then capture and use the MAC address of the PC that you are now using. You must be using
the one PC that is allowed by the ISP. Or, select “Use th is MAC address” and enter it.
7. Click Apply to save your settings.
8. Click on the Test button to test your Internet connection.
If the NETGEAR website does not appear within one minute, refer to Chapter 6,
Troubleshooting.
Connecting the Firewall to the Internet 2-21
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
2-22 Connecting the Firewall to the Internet
Chapter 3
Protecting Your Network
This chapter describes how to use the basic firewall features of the FR328S Cable/DSL ProSafe
Firewall with Dial Back-Up to protect your network.
Protecting Access to Your FR328S Firewall
For security reasons, the firewall has its own user name and password. Also, after a period of
inactivity for a set length of time, the administrator login will automatically disconnect. When
prompted, enter admin for the firewall User Name and password for the firewall Password.
You can use procedures below to change the firewall's password and the amount of time for the
administrator’s login timeout.
Note: The user name and password are not the same as any user name or password your may use
to log in to yo ur Internet con nection.
NETGEAR recommends that you change this password to a more secure password. The ideal
password should contain no dictionary words from any language, and should be a mixture of both
upper and lower case letters, numbers, and symbols. Your password can be up to 30 characters.
Protecting Your Network 3-1
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Procedure 3-1: Changing the Built-In Password
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. From the Main Menu of the browser interface, under the Maintenance heading, select Set
Password to bring up the menu shown in
admin, default password of password, or using whatever Password and LAN
Figure 3-1: Log in to the firewall
Figure 3-2.
Figure 3-2: Set Password menu
3. To change the password, first enter the old password, and then enter the new password twice.
4. Click Apply to save your changes.
Note: After changing the password, you will be required to log in again to continue the
configuration.
If you have backed up the firewall settings previously, you should do a new
backup so that the saved settings file includes the new password.
3-2 Protecting Your Network
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Procedure 3-1: Changing the Administrator Login Timeout
For security, the admini strator's login to the firewall configuration will timeout after a period of
inactivity. To change the login timeout period:
1. In the Set Password menu, type a number in ‘Administrator login times out’ field.The
suggested default value is 5 minutes.
2. Click Apply to save your changes or click Cancel to keep the current period.
Configuring Basic Firewall Services
Basic firewall services you can configure include access blocking and scheduling of firewall
security. These topics are presented below.
Blocking Keywords, Sites, and Services
The firewall provides a variety of options for blocking Internet based content and
communications services. With its content filtering feature, the FR328S Firewall prevents
objectionable content from reaching your PCs. The FR328S allows you to control access to
Internet content by screening for keywords within Web addresses. Key content filtering options
include:
• Blocks access from your LAN to Internet locations that you specify as off-limits.
• Keyword blocking of newsgroup names.
• Outbound Services Blocking limits access from your LAN to Internet locations or services
that you specify as off-limi ts.
• Denial of Service (DoS) protection. Automatically detects and thwarts Denial of Service
(DoS) attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
The section below explains how to configure your firewall to perform these functions.
Protecting Your Network 3-3
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Procedure 3-2: Block Keywords and Sites
The FR328S Firewall allows you to restrict access to Internet content based on functions such as
Java or Cookies, Web addresses and Web address keywords.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. Click on the Block Sites link of the Security menu.
admin, default password of password, or using whatever Password and LAN
Figure 3-3: Block Sites menu
3. To enable keyword blocking, check “Turn keyword blocking on”, enter a keyword or domain
in the Keyword box, click Add Keyword, then click Apply.
Some examples of Keyword application follow:
• If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is
blocked, as is the newsgroup alt.pictures.xxx.
3-4 Protecting Your Network
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• If the keyword “.com” is specified , only websit es with other domain suf fixe s (such as .edu
or .gov) can be viewed.
• Enter the keyword “.” to block all Internet browsing access.
Up to 32 entries are supported in the Keyword list.
4. To delete a keyword or domain, sel ect it from the l is t, cl i ck Del et e Keywor d, t hen cl i ck Appl y.
5. To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply.
You may specify one Trusted User, which is a PC that will be exempt from blocking and
logging. Since the Trusted User will be identified by an IP address, you should configure that
PC with a fixed IP address.
6. Click Apply to save your settings.
Rules
Firewall rules are used to bloc k or allow specifi c traf fic passi ng through from one side to the other.
Inbound rules (WAN to LAN) restrict access by outside rs to private re sources, sele ctively allo wing
only specific outside users to access specific resourc es. Outbound rules (LAN to WAN) determine
what outside resources local users can have access to.
A firewall has two defau lt rules, one fo r inbound traffic and one for outbo und. The defa ult ru les of
the FR328S are:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN side to the outside.
You may define ad ditional rul es that will specify exc eptions to t he default rules. By adding cu stom
rules, you can block or allow access based on the service or application, source or destination IP
addresses, and time of day. You can also choose to log traffic that matches or does not match the
rule you have defined.
Protecting Your Network 3-5
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
T o acce ss the Rule s configu ration o f the FR328S, click th e Rules li nk on the ma in menu, then click
Add for either an Outbound or Inbound Service.
Figure 3-4. Rules menu
• To edit an existing rule, select its button on the left side of the table and click Edit.
• To delete an existing ru le, select its button on the left side of the table and click Delete.
• T o move an existing rule to a dif fer ent positio n in t he table, select its button on the l eft side
of the table and click Move. At the script prompt, enter the number of the desired new
position and click OK.
3-6 Protecting Your Network
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Inbound Rules (Port Forwarding)
Because the FR328S uses Network Address T rans lation (NAT), your network presents onl y one IP
address to the Internet, and outside users cannot directly address any of your local computers.
However, by defining an inbound rule you can make a local server (for example, a web server or
game server) visible and available to the Internet. The rule tells the firewall to direct inbound
traffic fo r a particul ar ser vic e to one loc al serve r based on t he desti natio n port number. This is also
known as port forwarding.
Note: Some residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may periodically
check for servers and may suspend your account if it discovers any active services at
your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your firewall. Only enable those ports
that are necessary for your network. Following are two application examples of inbound rules:
Inbound Rule Example: A Local Public Web Server
If you host a public web s erver on your local network, you can define a rule to al l ow inb ound web
(HTTP) requests from any outside IP address to the IP address of your web server at any time of
day. This rule is shown in
Figure 3-5:
Figure 3-5. Rule example: A Local Public Web Server
Protecting Your Network 3-7
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
The parameters are:
•Service
From this list, select the application or service to be allowed or blocked. The list already
displays many common services, but you are not limited to these choices. Use the Add
Services menu to add any additional services or applications that do not already appear.
• Action
Choose how you would like this type of traffic to be handled. You can block or allow
always, or you can choos e to bl ock or allo w accor ding to the s chedul e yo u have d efined i n
the Schedule menu.
• Send to LAN Server
Enter the IP address of the PC or Server on your LAN which will receive the
inbound traffic covered by this rule.
• WAN Users
These settings determine which packets are covered by the rule, based on their
source (WAN) IP address. Select the desired option:
• Any All IP addresses are covered by this rule.
• Address range If this opt ion is sel ecte d, you must enter the "S tar t" and "Finish " fiel ds.
• Single address Enter the required address in the "Start" fields.
•Log
You can select whether the traffic will be logged. The choices are:
• Never - no log entries will be made for this service.
• Always - any traffic for this service type will be logged.
• Match - traffic of this type which matches the parameters and action will be logged.
• Not match - traffic of this type which does not match the parameters and action will be
logged.
3-8 Protecting Your Network
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Inbound Rule Example: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconf er enc in g to be initi at ed fr om a rest ri ct ed ra nge of outside
IP addresses, such as from a branch office, you can create an inbound rule. In the example shown
in
Figure 3-6, CU-SeeMe connections are allowed only from a specified range of external IP
addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that
do not match the allowed parameters.
Figure 3-6. Rule example: Videoconference from Restricted Addresses
Considerations for Inbound Rules
• If your external IP address is assigned dynamically by your ISP, the IP address may change
periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the
Advanced menus so that external users can always find your network.
• If the IP address of the local server PC is assigned by DHCP, it may change when the PC is
rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the
PC’s IP address constant.
• Local PCs must access t h e l oc al ser ver using the PCs’ local LAN address (192.168.0.11 in the
example in
Figure 3-6 above). Attempts by local PCs to access the server using the external
WAN IP address will fail.
Protecting Your Network 3-9
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Outbound Rules (Service Blocking)
The FR328S allows you to block th e use of cert ain Int ernet servic es by PCs on your network. Thi s
is called service blocking or port filtering. You can define an outbound rule to block Internet
access from a local PC based on:
• the IP address of the local PC (source address)
• the IP address of the Internet site being contacted (destination address)
• the time of day
• the type of service being requested (service port number)
Following is an application example of outbound rules:
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Me sse nge r usa ge by employees during working hours, you can cr ea te
an outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created in the Schedule menu. You can also have the
firewall log any attempt to use Instant Messenger during that blocked period.
Figure 3-7. Rule example: Blocking Instant Messenger
3-10 Protecting Your Network
The parameters are:
•Service
From this list, select the application or service to be allowed or blocked. The list already
displays many common services, but you are not limited to these choices. Use the Add
Services menu to add any additional services or applications that do not already appear.
• Action
Choose how you would like this type of traffic to be handled. You can block or allow
always, or you can choos e to bl ock or allo w accor ding to the s chedul e yo u have d efined i n
the Schedule menu.
• LAN Users
These settings determine which packets are covered by the rule, based on their
source LAN IP address. Select the desired option:
• Any All IP addresses are covered by this rule.
• Address range If this opt ion is sel ecte d, you must enter the "S tar t" and "Finish " fiel ds.
• Single address Enter the required address in the "Start" fields.
• WAN Users
These settings determine which packets are covered by the rule, based on their
destination WAN IP address. Select the desired option:
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• Any All IP addresses are covered by this rule.
• Address range If this opt ion is sel ecte d, you must enter the "S tar t" and "Finish " fiel ds.
• Single address Enter the required address in the "Start" fields.
•Log
You can select whether the traffic will be logged. The choices are:
• Never - no log entries will be made for this service.
• Always - any traffic for this service type will be logged.
• Match - traffic of this type which matches the parameters and action will be logged.
• Not match - traffic of this type which does not match the parameters and action will be
logged.
Protecting Your Network 3-11
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 3-8:
Figure 3-8. Rules table with examples
For any traffic attempting to pass through the firewall, the packet info rmation is sub jected to the
rules in the order shown i n the Rule s Table, beginning at the top and pr oceeding t o the def ault ru les
at the bottom. In some cases, the order of precedence of two or more rules may be important in
determining the dispo sition of a pac ket. The Move button allows you to relo cate a defin ed rule to a
new position in the table.
3-12 Protecting Your Network
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Services
Services are functions performed by server computers at the request of client computers. For
example, Web servers serve web pages, time servers serve time and date information, and game
hosts serve data about other players’ moves. When a computer on the Internet sends a request for
service to a server computer, the requested service is identified by a service or port number. This
number appears as the destination port number in the transmitted IP packets. For example, a packet
that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task
Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other
applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the FR328S already holds a list of many service port numbers, you are not limited to
these choices. Use the procedure below to create your own service definitions.
Procedure 3-3: Define Services
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. Click on the Services link of the Security menu to display the Services menu shown in
Figure 3-9:
• To create a new Service, click the Add button.
• To edit an existing Service, select its button on the left side of the table and click Edit.
Protecting Your Network 3-13
admin, default password of password, or using whatever Password and LAN
Figure 3-9: Services menu
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• To delete an exis ti ng Se rvi ce, select its butt on on the left side of the ta ble and click Delete.
3. Modify the menu shown below for defining or editing a service.
Figure 3-10: Add Services menu
4. Click Apply to save your changes.
Setting Times and Scheduling Firewall Services
The FR328S Firewall uses the Network Time Protocol (NTP) to obtain the current time and date
from one of several Netwo rk Time Servers on the Internet. I n order to localize the time for your
log entries, you must select your Time Zone from the list.
Procedure 3-4: Setting Your Time Zone
In order to localize the time for your log entries, you must specify your Time Zone:
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
3-14 Protecting Your Network
admin, default password of password, or using whatever Password and LAN
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
2. Click on the Schedule link of the Security menu to display menu shown below.
Figure 3-11: Schedule Services menu
3. Select your Time Zone. This setting will be used for the blocking schedule according to your
local time zone and for time-stamping lo g entries.
Check the Daylight Savings Time box if your time zone is currently in daylight savings time.
Note: If your region uses Daylight Savings Time, you must manually check Adjust for
Daylight Savings Time on the first day of Daylight Savings Time, and uncheck it at the end.
Enabling Daylight Savings Time will cause one hour to be added to the standard time.
4. The firewall has a l ist of publicly availabl e NTP serve rs. If you would pref er to us e a parti cular
NTP server as the primary server, enter its IP address under Use this NTP Server.
5. Click Apply to save your settings.
Protecting Your Network 3-15
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Procedure 3-5: Scheduling Firewall Services
If you enabled services blocking in the Block Services menu or Port forwarding in the Ports menu,
you can set up a schedule for when blocking occurs or when access isn't restricted.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. Click on the Schedule link of the Sec urity menu to di splay men u sho wn above i n the Schedule
Services menu.
3. T o bl ock Inter net s ervic es base d on a s che dule, s elect Every Da y or se lect one or mor e days . If
you want to limit access completely for the selected days, select All Day. Otherwise, to limit
access during certain times for the sele cted da ys, enter St art Blo cking and End Blocking times.
Note: Enter the values as 24-hour time. For example, 10:30 am would be 10 hours and 30
minutes and 10:30 pm would be 22 hours and 30 minutes.
4. Click Apply to save your changes.
admin, default password of password, or using whatever Password and LAN
3-16 Protecting Your Network
Chapter 4
Managing Your Network
This chapter describes how to perform network management tasks with your FR328S Cable/DSL
ProSafe Firewall with Dial Back-Up.
Network Management Information
The FR328S provides a variety of status and usage information which is discussed below.
Viewing Router Status and Usage Statistics
From the Main Menu, under Maintenance, select Router Status to view the screen in Figure 4-1.
Figure 4-1: Router Status screen
Managing Your Network 4-1
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
The Router Status menu provides a limited amount of status and usage information. From the
Main Menu of the browser interface, under Maintenance, select Router Status to view the status
screen, shown in
Figure 4-1.
This scree n shows the following par ameters:
Table 4-1. Menu 3.2 - Router Status Fields
Field Description
System Name This field displays the Host Name assigned to the firewall in the Basic
Settings menu.
Firmware Version This field displays the firewall firmware version.
WAN Port These parameters apply to the Internet (WAN) port of the firewall.
MAC Address This field displays the Ethernet MAC addres s being used by the Interne t
(WAN) port of the firewall.
IP Address This field displays the IP add res s be ing us ed b y th e Inte rne t (WAN) port
of the firewall. If no address is shown, the firewall cannot connect to the
Internet.
DHCP If set to None, the firewall is configured to use a fixed IP address on the
WAN.
If set to Client, the firewall is configured to obtain an IP address
dynamically from the ISP
IP Subnet Mask This field displays the IP Subn et Mask bein g used by the Inter net (W AN)
port of the firewall.
Domain Name Servers
(DNS)
LAN Port These parameters apply to the Local (WAN) port of the firewall.
MAC Address This field displays the Ethernet MAC address being used by the Local
IP Address This field displays the IP address being used by the Local (LAN) port of
IP Subnet Mask This field displays the IP Subnet Mask being used by the Local (LAN)
DHCP If set to OFF, the firewall will not assi gn IP a ddres ses t o local PCs on th e
This field displays the DNS Server IP addresses being used by the
firewall. These addresses are usually obtained dynamically from the ISP .
(LAN) port of the firewall.
the firewall. The default is 192.168.0.1
port of the firewall. The default is 255.255.255.0
LAN.
If set to ON, the firewall is configured to assign IP addresses to local
PCs on the LAN.
4-2 Managing Your Network
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Click on the “Show Statistics” button to display firewall usage statistics, as shown in Figure 4-2
below:
Figure 4-2. Router Statistics screen
This scree n shows the following statistics:.
Table 4-2. Router Statistics Fields
Field Description
WAN, LAN, or
Serial Port
Status The link status of the port.
TxPkts The number of packets transmitted on this port since reset or manual clear.
RxPkts The number of packets received on this port since reset or manual clear.
Collisions The number of collisions on this port since reset or manual clear.
Tx B/s The current line utilization—percentage of current bandwidth used on this port.
Tx B/s The average line utilization —average CLU for this port.
Up Time The time elapsed since this port acquired link.
System up Time The time elapsed since the last power cycle or reset.
Poll Interval Speci fie s the intervals at which the statistics are updated in this wi ndo w. Click on Stop
The statistics for the WAN (Internet), LAN (local), and Serial ports. For each port, the
screen displays:
to freeze the display.
Managing Your Network 4-3
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Viewing Attached Devices
The Attached Devices menu contains a table of all IP devices that the firewall has discovered on
the local network. From th e Main Me nu of th e b rows er in terface, under the Mainten ance heading,
select Attached Devices to view the table, shown in
Figure 4-3: Attached Devices menu
For each device, the table shows the IP address, NetBIOS Host Name, if available, and the
Ethernet MAC address. Note that if the firewall is rebooted, the table data is lost until the firewall
rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button.
Figure 4-3
4-4 Managing Your Network
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Viewing, Selecting, and Saving Logged Information
The firewall will log security-relate d events such as denied incoming service requests, hacker
probes, and administr ator logi ns. If you enable d content filter ing in t he Block Sit es menu, the Logs
page shows you when someone on your network tried to access a blocked site. If you enabled
e-mail notification, you'll receive these logs in an e-mail message. If you don't have e-mail
notification enabled, you can view the logs here. An example is shown below.
Figure 4-4: Security Logs menu
Managing Your Network 4-5
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Log entries are described in Table 4-5
Table 4-5: Security Log entry descriptions
Field Description
Date and Time The date and time the log entry was recorded.
Description or
The type of event and what action was taken if any.
Action
Source IP The IP address of the initiating device for this log entry.
Source port and
interface
The service port number of the initiating device, and whether it
originated from the LAN or WAN
Destination The name or IP address of the destination device or website.
Destination port
and interface
The service port number of the destination device, and whether
it’s on the LAN or WAN.
Log action buttons are described in Table 4-6
Table 4-6: Security Log action buttons
Field Description
Refresh Click this button to refresh the log screen.
Clear Log Click this button to clear the log entries.
Send Log Click this button to email the log immediately.
Apply Click this button to apply the current settings.
Cancel Click this button to clear the current settings.
Selecting What Information to Log
Besides the standard inf ormation lis ted above, you can ch oose to log addit ional informati on. Those
optional selections are as follows:
• All incoming and outgoing traffic
• Attempted access to blocked site
• Connections to the Web-based interface of this Router
4-6 Managing Your Network
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• Router operation (start up, get tim e, etc.)
• Known DoS attacks and Port Scans
Saving Log Files on a Server
You can choose to writ e the logs to a PC runni ng a sysl og pr ogr am. To activate this feature, check
the box under Syslog and enter the IP address of the server where the log file will be written.
Examples of log messages
Following are example s of log me ssages. In all cases , the lo g entry shows the tim estamp as: Day,
Year-Month-Date
Activation and Administration
Tue, 2002-05-21 18:48:39 - NETGEAR activated
[This entry indicates a power-up or reboot with initial time entry.]
Tue, 2002-05-21 18:55:00 - Administrator login successful - IP:192.168.0.2
Thu, 2002-05-21 18:56:58 - Administrator logout - IP:192.168.0.2
Hour:Minute:Second
[This entry shows an administrator logging in and out from IP address 192.168.0.2.]
Tue, 2002-05-21 19:00:06 - Login screen timed out - IP:192.168.0.2
[This entry shows a time-out of the administrator login.]
Wed, 2002-05-22 22:00:19 - Log emailed
[This entry shows when the log was emailed.]
Dropped Packets
Wed, 2002-05-22 07:15:15 - TCP packet dropped - Source:64.12.47.28,4787,WAN Destination:134.177.0.11,21,LAN - [Inbound Default rule match]
Sun, 2002-05-22 12:50:33 - UDP packet dropped - Source:64.12.47.28,10714,WAN Destination:134.177.0.11,6970,LAN - [Inbound Default rule match]
Sun, 2002-05-22 21:02:53 - ICMP packet dropped - Source:64.12.47.28,0,WAN Destination:134.177.0.11,0,LAN - [Inbound Default rule match]
[These entries show an inbound FTP (port 21) packet, UDP packet (port 6970), and ICMP
packet (port 0) being dropped as a result of the default inbound rule, which states that all
inbound packets are denied.]
Managing Your Network 4-7
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Enabling Securit y Ev en t E-ma il No tification
In order to receive logs and alerts by e-mail, you must provide your e-mail information in the
E-Mail subheading:
• Turn e-mail notification on
Check this box if you wish to receive e-mail logs and alerts from the firewall.
• Your outgoing mail server
Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as
mail.myISP.com). You may be able to find this information in the conf iguration menu of your
e-mail program. If you leave this box blank, log and alert messages will not be sent via e- mail .
• Send to this e-mail address
Enter the e-mail add ress to which l ogs and al erts are sent. Thi s e-mail address will also be used
as the From address. If you leave this box blank, log and alert messages will not be sent via
e-mail.
You can specify that logs are automatically sent to the specified e-mail address with these options:
• Send alert immediately
Check this box if you wo uld like i mmediate not ificat ion of a significan t securi ty event, such as
a known attack, port scan, or attempted access to a blocked site.
4-8 Managing Your Network
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• Send logs according to this schedule
Specifies how often to send the logs: Hourly, Daily, Weekly, or When Full.
– Day for sending log
Specifies which day of the week to send the log. Relevant when the log is sent weekly or
daily.
– Time for sending l og
Specifies the time of day to send the log. Relevant when the log is sent daily or weekly.
If the Weekly, Daily or Hourly option is selected and the log fills up before the specified
period, the log is automatically e-mail ed to the specified e-mail address. Afte r the log is sent,
the log is cleared from th e fi rewall’s memory. If the firewall cannot e-mail the log file, the log
buffer may fill up. In this case, the firewall overwrites the log and discards its contents.
Backing Up, Restoring, or Erasing Your Settings
The configuration set tings of the FR32 8S Firewa ll are store d in a conf igura tion f ile i n the fi rewal l.
This file can be backed up to your computer, restored, or reverted to factory default settings. The
procedures below explain how to do these tasks.
Procedure 4-6: Backup the Configuration to a File
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
Managing Your Network 4-9
admin, default password of password, or using whatever Password and LAN
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
2. From the Maintenance h eadi ng of t he Main Menu, select the Set tings Backup menu as seen in
Figure 4-7.
Figure 4-7: Settings Backup menu
3. Click Backup to save a copy of the current settings.
4. Store the .cfg file on a computer on your network.
4-10 Managing Your Network
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Procedure 4-7: Restore a Configuration from a File
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
admin, default password of password, or using whatever Password and LAN
address you have chosen for the firewall.
2. From the Maintenance h eadi ng of t he Main Menu, select the Set tings Backup menu as seen in
Figure 4-7.
3. Enter the full path to the f il e on your net work or cli ck the Browse button to browse to the fil e.
4. When you have locate d the .cfg file, click the Restore button to upload the file to the firewall.
5. The firewall will then rebo ot automatically.
Procedure 4-8: Erase the Configuration
It is sometimes desirable to restore the fire wall to the factory default set ti ngs . Thi s can be done by
using the Erase function.
1. To erase the configuration, from the Maintenance menu Settings Backup link, click the Erase
button on the screen.
2. The firewall will then rebo ot automatically.
After an era se, the firewall's password will be password, the LAN IP address will be
192.168.0.1, and the router's DHCP client will be enabled.
Note: To restore the factory de fault configuration set tings without knowing the login pass word or
IP address, you must use t he Default Reset button on t he r ea r pa nel of the firewall. See
“Using the
Default Reset button“ on page 6-8.
Managing Your Network 4-11
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Running Diagno stic Utilities and Rebo o tin g the Ro uter
The FR328S Firewall has a diagnostics feature. You can use the diagnostics menu to perform the
following functions from the firewall:
• Ping an IP Address to test connectivity to see if you can reach a remote host.
• Perform a DNS Lookup to test if an Internet name resolves to an IP address to verify that the
DNS server configuration is working.
• Display the Routing Table to identify what other routers the router is communicating with.
• Trace the Routing Path to identify any connectivity or congestion problems in the network.
• Reboot the Router to enable new network configurations to take effect or to clear problems
with the router’s network connection.
From the Main Menu of the browser interface, under the Maintenance heading, select the Router
Diagnostics heading
to display the menu shown in Figure 4-8.
Figure 4-8: Diagnostics menu
4-12 Managing Your Network
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Enabling Remote Management
Using the Remote Management page, you can allow a user or users on the Internet to configure,
upgrade and check the status of your NETGEAR Cable/DSL ProSafe VPN Firewall.
Note: Be sure to change the router's default password to a very secure password. The
ideal password should contain no dictionary words from any language, and should be a
mixture of letters (both upper and lower case), numbers, and symbols. Your password
can be up to 30 characters.
Procedure 4-9: Configure Remote Management
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. Select the Allow Remote Management check box.
admin, default password of password, or using whatever Password and LAN
3. Specify what external addresses will be allowed to access the fi rewall’s remote management.
For security, NETGEAR recommends that you restrict access to as few external IP addresses
as practical.
a. To allow access from any IP address on the Internet, select Everyone.
b. To allow access from a range of IP addresses on the Internet, select IP address range.
Enter a beginning and ending IP address to define the allowed range.
c. To allow access from a single IP address on the Internet, select Only this PC.
Enter the IP address that will be allowed access.
4. Specify the Port Number that will be used for accessing the management interface.
Web browser access normally uses the standard HTTP service port 80. For greater security,
you can change the remote management web interface to a custom port by entering that
number in the box provided. Choose a number between 1024 and 65535, but do not use the
number of any common service port. The default is 8080, which is a common alternate for
HTTP.
5. Click Apply to have your changes take effect.
Managing Your Network 4-13
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
When accessing your router from the Internet, you will type your router's WAN IP address into
your browser's Address (in IE) or Location (in Netscape) box, followed by a colon (:) and the
custom port number. For example, if your external address is 134.177.0.123 and you use port
number 8080, enter in your browser:
http://134.177.0.123:8080
Upgrading the Router’s Firmware
The software of the FR328S Firewall is stored in FLASH memory, and can be upgraded as new
software is released by NETGEAR.
Upgrade files can be downloaded from NETGEAR's website. If the upgrade file is compressed
(.ZIP file), you must first extract the binary (.BIN or .IMG) file before uploading it to the firewall.
Note: The Web browser used to upload new firmware into the firewall must support HTTP
uploads. NETGEAR recommends using Microsoft Internet Explorer 5.0 or Netscape Navigator
4.7 and above.
Procedure 4-1: Router Upgrade
1. Download a nd unzip the new software file from NETGEAR.
2. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
3. From the Main Menu of the browser interface, under the Maintenance heading, select the
Router Upgrade heading
4-14 Managing Your Network
admin, default password of password, or using whatever Password and LAN
to display the menu shown in Figure 4-9.
Figure 4-9: Router Upgrade menu
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
4. In the Router Upgrade menu, click the Browse to locate the binary (.BIN or .IMG) upgrade
file.
5. Click Upload.
Note: When uploading software to the fir ewall , it is imp ortan t not to i nterr upt th e Web browser by
closing the window, clicking a link, or loading a new page. If the browser is interrupted, it may
corrupt the software. When the upload is complete, your firewall will automatically restart. The
upgrade process will typically take about one minute. In some cases, you may need to clear the
configuration and reconfigure the firewall after upgrading.
Managing Your Network 4-15
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
4-16 Managing Your Network
Chapter 5
Advanced Configuration
This chapter describes how to configure the advanced features of your FR328S Cable/DSL
ProSafe Firewall with Dial Back-Up.
Configuring Advanced Security
The FR328S Cable/DSL ProSafe Firewall with Dial Back-Up provides a variety of advanced
features, such as:
• Setting u p a Demilitarized Zone (DMZ) Server
• The flexibility of configuring your LAN TCP/IP settings
• Connecting a Remote Access Server through the serial port
These features are discussed below.
Setting Up A Default DMZ Server
The Default DMZ Server feature is helpful whe n using some online game s and videoconferencing
applications that are incompatible with NAT. The firewall is programmed to recognize some of
these applications and to work properly with them, but there are other applications that may not
function well. In some cases, one loca l PC can run th e appl ic ation properly if that PC’s IP address
is entered as the Default DMZ Server.
Note: For security, you should avoid using the Default DMZ Server feature. When a
computer is design ated as the De fault DMZ Ser ver , it lose s much of the protect ion of th e
firewall, and is exposed to many exploits from the Internet. If compromised, the
computer can be used to attack your network.
Advanced Configuration 5-1
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a
response to one of your local computers or a service that you have configured in the Ports menu.
Instead of discardin g this t raffi c, you ca n have it forw arded to one computer on you r network. This
computer is called the Default DMZ Server.
To assign a computer or server to be a Default DMZ server:
1. Click Default DMZ Server.
2. Type the IP address for that server.
3. Click Apply.
Respond to Ping on Internet WAN Port
If you want the firewall to respond to a 'ping' from the Internet, click the ‘Respond to Ping on
Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your
firewall to be discovered. Don't check this box unless you have a specific reason to do so.
Configuring LAN IP Settings
The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These
features can be found under the Advanced heading in the Main Menu of the browser interface.
LAN TCP/IP Setup
The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a
DHCP server. The firewall’s default LAN IP configuration is:
• LAN IP addresses—192.168.0.1
• Subnet mask—255.255.255.0
These addresses ar e p art of the IETF-designated private address range fo r use in private networks,
and should be suit able in mos t appl ic ations . If yo ur net work has a requ irement to us e a different IP
addressing scheme, you can make those changes in this menu.
The LAN TCP/IP Setup parameters are:
• IP Address
This is the LAN IP address of the firewall.
5-2 Advanced Configura tio n
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• IP Subnet Mask
This is the LAN Subnet Mask of the firewall. Combined with the IP address, the IP Subnet
Mask allows a device to know which other addr esses are loca l to it, and which must be reac hed
through a gateway or router.
• RIP Direction
RIP (Router Informat ion Prot ocol) allows a router to exc hange routing information wi th other
routers. The RIP Dir ectio n sele ction contro ls how the firewa ll se nds and recei ves RIP pack ets.
Both is the default.
— When set to Both or Out Only, the firewall will broadcast its routing table periodically.
— When set to Both or In Only, it will inco rporate the R IP information that it receives.
— When set to None, it will not send any RIP packets and will ignore any RIP packets
received.
• RIP Version
This controls the fo rm at and the broadcasting met hod of the RIP packets that the ro uter sends.
It recognizes both formats when receiving. By default, this is set for RIP-1.
— RIP-1 is universally supported. RIP-1 is probabl y adequate for most networks, unles s you
have an unusual network setup.
— RIP-2 carries more information. Both RIP-2B and RIP-2M send the routing data in RIP-2
format.
— RIP-2B uses subnet broadcasting.
— RIP-2M uses multicasting.
Note: If you change the LAN IP address of the firewall while connected through the
browser, you will be disconnected. You must then open a new connection to the new IP
address and log in again.
MTU Size
The normal MTU (Maximum Transmit Unit) value for most Ethernet net works is 1500 Bytes. For
some ISPs, particularly some using PPPoE, you may need to reduce the MTU. This is rarely
required, and should not be done unless you are sure it is necessary for your ISP connection.
Any packets sent through the firewall that are larger than the configured MTU size will be
repackaged into smaller p ackets to meet the MTU requirement. To change the MTU size:
1. Under MTU Size, select Custom.
Advanced Configuration 5-3
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
2. Enter a new size between 64 and 1500.
3. Click Apply to save the new configuration.
DHCP
By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server,
allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to
the router's LAN. The assigned default gateway address is the LAN address of the firewall. IP
addresses will be assigned to the attached PCs from a pool of addresses specified in this menu.
Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.
For most applications, the default DHCP and TCP/IP settings of the firewall are satisfactory. See
“IP Configuration by DHCP” on page B-11” for an explanation of DHCP and information about
how to assign IP addresses for your network.
Use router as DHCP server
If another device on your network will be the DHCP server, or if you will manually configure the
network settings of all of your computers, clear the ‘Use router as DHCP server’ check box.
Otherwise, leave it checked.
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP
Address. These addresses should be part of the same IP address subnet as the firewall’s LAN IP
address. Using th e d efa ul t addressing scheme, you should define a range be twee n 192.168.0.2 and
192.168.0.253, although you may wish to save part of the range for devices with fixed addresses.
The firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP Address from the range you have defined
• Subnet Mask
• Gateway IP Address is the firewall’s LAN IP address
• Primary DNS Server, if you entered a Primary DNS address in the Basic Settings menu;
otherwise, the firewall’s LAN IP address
• Secondary DNS Server, if you entered a Secondary DNS address in the Basic Settings menu
5-4 Advanced Configura tio n
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• WINS Server, short for Windows Internet Naming Service Server, determines the IP
address associated with a particular Windows computer.
A WINS server records and
reports a list of names and IP address of Windows PCs on its local network. If you
connect to a remote network that contains a WINS server, enter the server’s IP address
here. This allows your PCs to browse the network using the Network Neighborhood
feature of Windows.
Reserved IP addresses
When you specify a reserved IP address for a PC on the LAN, that PC will always receive the
same IP address each time it access the firewall’s DHCP server. Reserved IP addresses should be
assigned to servers that require permanent IP settings.
To reserve an IP address:
1. Click the Add button.
2. In the IP Address box, type the IP address to assign to the PC or server.
Choose an IP address from the router’s LAN subnet, such as 192.168.0.X.
3. Type the MAC Address of the PC or server.
Tip: If the PC is already present on your network, you can copy its MAC address from the
Attached Devices menu and paste it here.
4. Click Apply to enter the reserved address into the table.
Note: The reserved address will not be assi gned until the next ti me the PC conta cts the ro uter's
DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and
renew.
To edit or delete a reserved address entry:
1. Click the button next to the reserved address you want to edit or delete.
2. Click Edit or Delete.
Advanced Configuration 5-5
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Procedure 5-1: Configure LAN TCP/IP Setup
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. From the Main Menu, under Advanced, click the LAN IP Setup li nk to view the menu, shown
in
Figure 5-1
admin, default password of password, or using whatever Password and LAN
Figure 5-1: LAN IP Setup Menu
3. Enter the TCP/IP, MTU, or DHCP parameters.
4. Click Apply to save your changes.
Configuring Dynamic DNS
If your network has a permanently assigned IP address, you can register a domain name and have
that name linked with your IP address by public Domain Name Servers (DNS). However, if your
Internet account uses a dynamically assigned IP address, you will not know in advance what your
IP address will be, and the address can change frequently. In this case, you can use a commercial
dynamic DNS service, who will allow you to register your domain to their IP address, and will
forward traffic directed at your domain to your frequently-changing IP address.
5-6 Advanced Configura tio n
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
The firewall contains a client that can connect to a dynamic DNS service provider. To use this
feature, you must select a service provider and obtain an account with them. After you have
configured your account information in the firewall, whenever your ISP-assigned IP address
changes, your firewall will automatically contact your dynamic DNS service provider, log in to
your account, and register your new IP address.
Procedure 5-2: Configure Dynamic DNS
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click on Dynamic DNS.
3. Access the website of one of the dynamic DNS service providers whose names appear in the
‘Select Service Provider’ box, and register for an account.
For example, for dyndns.org, go to www.dyndns.org.
4. Select the “Use a dynamic DNS service” check box.
admin, default password of password, or using whatever Password and LAN
5. Select the name of your dynamic DNS Service Provider.
6. Type the Host Name that your dynamic DNS service provider gave you.
The dynamic DNS service provider may call this the domain name. If your URL is
myName.dyndns.org, then your Host Name is “myName.”
7. Type the User Name for your dynamic DNS account.
8. Type the Password (or key) for your dynamic DNS account.
9. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may
select the Use wildcards check box to activate this feature.
For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same
IP address as yourhost.dyndns.org
10. Click Apply to save your configuration.
Note: If your ISP a ssigns a pr ivate WAN IP address suc h as 192.168.x.x or 1 0.x.x. x, the
dynamic DNS service will not work because private addresses will not be routed on the
Internet.
Advanced Configuration 5-7
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Using Static Routes
Static Routes provide additional routing information to your firewall. Under normal
circumstances, the firewall has adequate routing information after it has been configured for
Internet access, and you do not need to configure additional static routes. You must configure
static routes onl y f or unusual cases such as mul ti pl e routers or multiple IP subnets located on your
network.
Static Route Example
As an example of when a static route is needed, consider the following case:
• Your primary Internet access is through a cable modem to an ISP.
• You have an ISDN router on your home network for connecting to the company where
you are employed. This router’s address on your LAN is 192.168.0.100.
• Your company’s network is 134.177.0.0.
When you first configured your firewall, two implicit static routes were created. A default route
was created with your ISP as the gateway, and a second static route was created to your local
network for all 192.168.0. x addres ses. W ith t his confi guratio n, if you att empt to acce ss a device on
the 134.177.0.0 networ k, your firewa ll will f orward you r request to the I SP. The ISP forwards your
request to the company where you are employed, and the request will likely be denied by the
company’s firewall.
In this case you must define a stati c route, tel ling your firewall that 134.1 77.0.0 sh ould be ac cessed
through the ISDN router at 192.168.0.100. The static route would look like
In this example:
• The Destination IP Address and IP Subnet Mask fields specify that this static route applies to
all 134.177.x.x addresses.
• The Gateway IP Addres s fields spec ifies that all traffic for these addresses should be
forwarded to the ISDN router at 192.168.0.100.
• A Metric value of 1 will work since the ISDN router is on the LAN.
This represents the number of routers between your network and the destination. This is a
direct connection so it is set to 1.
• Private is selected only as a precautionary security measure in case RIP is activated.
5-8 Advanced Configura tio n
Figure 5-3.
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Procedure 5-3: Configuring Static Routes
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. From the Main Menu of the browser inte rface, unde r Advanced, cl ick on St atic Route s to view
the Static Routes menu, shown in
admin, default password of password, or using whatever Password and LAN
Figure 5-2.
Figure 5-2: Static Routes Table
3. To add or edit a Static Route:
a. Click the Edit button to open the Edit Menu, shown in Figure 5-3.
Figure 5-3: Static Route Entry and Edit Menu
b. Type a route name for this static route in the Route Name box under the table.
This is for identification purpose only.
c. Select Active to make this route effectiv e.
Advanced Configuration 5-9
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
d. Select Private if you want to limit access to the LAN only.
The static route will not be reported in RIP.
e. Type the Destination IP Address of the final destination.
f. Type the IP Subnet Mask for this destination.
If the destination is a single host, type 255.255.255.255.
g. Type the Gateway IP Address, which must be a router on the same LAN segment as the
firewall.
h. Type a number between 1 and 15 as the Metric value.
This represents the number of routers between your network and the destination. Usually,
a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
4. Click Apply to have the static route entered into the table.
5-10 Adv anced Confi gu ra tio n
Chapter 6
Troubleshooting
This chapter gives information about troubleshooting your FR328S Cable/DSL ProSafe Firewall
with Dial Back-Up. For the common problems listed, go to the section indicated.
• Is the firewall on?
• Have I connected the firewall correctly?
Go to “Basic Functions“ on page 6-1.
• I can’t access the firewall’s configuration with my browser.
Go to “Troubleshooting the Web Configuration Interface“ on page 6-4.
• I’ve configured the firewall but I can’t access the Internet.
Go to “Troubleshooting the ISP Connection“ on page 6-5.
• I can’t remember the firewall’s configuration password.
• I want to clear the configuration and start over again.
Go to “Restoring the Default Configuration and Password“ on page 6-8.
Basic Functions
After you turn on power to the firewall, the following sequence of events should occur:
1. When power is first applied, verify that the Power LED is o n.
2. Verify that the Test LED lights within a few seconds, indicating that the self-test procedure is
running.
3. After approximately 10 seconds, verify that:
a. The Test LED is not lit.
Troubleshooting 6-1
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
b. The Local port Link LEDs are lit for any local ports that are connected.
c. The Internet Link port LED is lit.
If a port’s Link LED is lit, a link has been established to the connected device. If a port is
connected to a 100 Mbps device, verify that the port’s 100 LED is lit.
If any of these conditions does not occur, refer to the appropriate following section.
Power LED Not On
If the Power and other LEDs are off when your firewall is turned on:
• Make sure that the power cord is properly connected to your firewall and that the power
supply adapter is properly connected to a functioning power outlet.
• Check that you are using the 12VDC power adapter supplied by NETGEAR for this product.
If the error persists, you have a hardware problem and should contact technical support.
Test LED Never Turns On or Test LED Stays On
When the firewall is turned on, the Test LED turns on for about 10 seconds and then turns off. If
the Test LED does not turn on, or if it stays on, there is a fault within the firewall.
If you experience problems with the Test LED:
• Cycle the power to see if the firewall recovers and the LED blinks for the correct amount of
time.
If all LEDs including the Test LED are still on one minute after po wer up:
• Cycle the power to see if the firewall recovers.
• Clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to
192.168.0.1. This procedure is explained in
If the error persists, you might have a hardware problem and should contact technical support.
“Using the Default Reset button“ on page 6-8.
Local or Internet Port Link LEDs Not On
If either the Local or Internet Port Link LEDs do not light when the Ethernet connection is made,
check the following:
6-2 Troubleshooting
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
• Make sure that the Ethernet cable connections are secure at the firewall and at the hub or PC.
• Make sure that power is turned on to the connected hub or PC.
• Be sure you are using the correct cable:
— When connecting the firewall’s Internet port to a cable or DSL modem, use the cable that
was supplied with the cable or DSL modem. This cable could be a standard
straight-through Ethernet cable or an Ethernet crossover cable.
Troubleshooting 6-3
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Troubleshooting the Web Configuration Interf ace
If you are unable to access the firewall’s Web Configuration interface from a PC on your local
network, check the following:
• Check the Ethernet connection between the PC and the firewall as described in the previous
section.
• Make sure your PC’s IP address is on the same subnet as the firewall. If you are using the
recommended addressing scheme, your PC’s address should be in the range of 192.168.0.2 to
192.168.0.254. Refer to
Macintosh for TCP/IP Networking“ on page C-6 to find your PC’s IP address. Follow the
instructions in Appendix C to configure your PC.
Note: If your PC’s IP address is shown as 169.254.x.x:
Recent versions of Windows and MacOS will generate and assign an IP address if the
computer cannot reach a DHCP server. These auto-generated addresses are in the range of
169.254.x.x. If your IP address is in this range, check the connection from the PC to the
firewall and reboot your PC.
• If your firewall’s IP address has been changed and you don’t know the current IP address,
clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to
192.168.0.1. This procedure is explained in
“Verifying TCP/IP Properties“ on page C-5 or “Configuring the
“Using the Default Reset button“ on page 6-8.
• Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet
Explorer, click Refresh to be sure the Java applet is loaded.
• Try quitting the browser and launching it again.
• Make sure you are using the correct login information. The factory default login name is
admin and the password is password. Make sure that CAPS LOCK is off when entering this
information.
If the firewall doe s not s ave changes you have made i n the Web Configuration Interface, check th e
following:
• When entering configuration settings, be sure to click the APPLY button before moving to
another menu or tab, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes may have occurred, but
the Web browser may be caching the old configuration.
6-4 Troubleshooting
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Troubleshooting the ISP Connection
If your firewall is unable to access the Internet, you should first determine whether the firewall is
able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address,
your firewall must request an IP address from the ISP. You can determine whether the request was
successful using the Web Configuration Manager.
To check the WAN IP address:
1. Launch your browser and select an external site such as www.netgear.com
2. Access the Main Menu of the firewall’s configuration at http://192.168.0.1
3. Under the Maintenance heading, select Router Status
4. Check that an IP address is shown for the WAN Port
If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.
If your firewall is una ble to obtai n an IP a ddress fr om the IS P, you may need to force yo ur cabl e or
DSL modem to recognize your new firewall by performing the following procedure:
1. Turn off power to the cable or DSL modem.
2. Turn off power to your firewall.
3. Wait five minutes and reapply power to the cable or DSL modem.
4. When the modem’s LEDs indicate that it has reacquired sync with the ISP, reapply power to
your firewall.
If your firewall is still unable to obtain an IP address from the ISP, the problem may be one of the
following:
• Your ISP may require a login program.
Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.
• If your ISP requires a login, you may have incorrectly set the login name and password.
• Your ISP may check for your PC's host name.
Assign the PC Host Name of your ISP account as the Account Name in the Basic Settings
menu.
• Your ISP only allows one Ethernet MAC address to connect to Internet, and may check for
your PC’s MAC address. In this case:
Inform your ISP that you have bought a new net work device, and ask the m to use the firewall ’ s
MAC address.
Troubleshooting 6-5
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
OR
Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic
Settings menu. Refer to
“Manually Configuring Your Internet Connection“ on page 2-19.
If your firewall can obtain an IP address, but your PC is unable to load any web pages from the
Internet:
• Your PC may not recognize any DNS server addresses.
A DNS server is a host on the Internet that translates Internet names (such as
www .netgear .com) to numeric IP
addresses. Typically your ISP will provide the addresses of
one or two DNS servers for your use. If you entered a DNS address during the firewall’s
configuration, reboot your PC and verify the DNS address as described in
“Verifying TCP/IP
Properties“ on page C-6. Alternatively, you may configure your PC manually with DNS
addresses, as explained in your operating system documentation.
• Your PC may not have the firewall configured as its TCP/IP gateway.
If your PC obtains its information from the firewall by DHCP, reboot the PC and verify the
gateway address as described in
“Verifying TCP/IP Properties“ on page C-6.
Troubleshooting a TCP/IP Network Using a Ping Utility
Most TCP/IP terminal devices and routers contain a ping utility that sends an echo request packet
to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP
network is made easier by using the ping utility in your PC or workstation.
Testing the LAN Path to Your Firewall
You can ping the fi rewall from yo ur PC to verify t hat the LAN path to your firew all is set up
correctly.
To ping the firewall from a PC running Windows 95 or later:
1. From the Windows toolbar, click on the Start button and select Run.
2. In the field provided, type Ping followed by the IP address of the firewall, as in this example:
ping 192.168.0.1
3. Click on OK.
You should see a message like this one:
6-6 Troubleshooting
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Pinging <IP address> with 32 bytes of data
If the path is working, you s ee this messag e:
Reply from < IP address >: bytes=32 time=NN ms TTL=xxx
If the path is not working, y ou see this mess age:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections
— Make sure the LAN port LED is on. If the LED is off, follow the instructions in
“Local or Internet Port Link LEDs Not On” on page 6-2.
— Check that the corresponding Link LEDs are on for your network interface card and
for the hub ports (if any) that are connected to your workstation and firewall.
• Wrong network configuration
— Verify that the Ethernet card driver software and TCP/IP software are both installed
and configured on your PC or workstation.
— Verify that the IP address for your firewall and your workstation are correct and that
the addresses are on the same subnet.
Testing the Path from Your PC to a Remote Device
After verifying that the LAN path works correctly, test the path from your PC to a remote device.
From the Windows run menu, type:
PING -n 10 <IP address>
where <IP address> is the IP address of a remote device such as your ISP’s DNS server.
If the path is functioning correctly, replies as in the previous section are displayed. If you do not
receive replies:
— Check that your PC has the IP address of your fi re wall listed as the defau lt gat eway. If the
IP configuration of your PC is assigned by DHCP, this information will not be visible in
your PC’s Network Control Panel. Verify that the IP addre ss of th e firewall is listed as the
default gateway as described in
— Check to see that the network address of your PC (the portion of the IP address specified
by the netmask) is different from the network address of the remote device.
— Check that your cable or DSL modem is connected and functioning.
Troubleshooting 6-7
“Verifying TCP/IP Properties“ on page C-5.
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
— If your ISP assigned a host name to your PC, enter t hat ho st name a s the Acc ount Name i n
the Basic Settings menu.
— Your ISP coul d be r eject ing t he Ethe rnet MAC addr esses of al l but one of your PCs. Many
broadband ISPs restrict access by only allowing traffic from the MAC address of your
broadband modem, but some ISPs additionally restrict access to the MAC address of a
single PC connected to tha t modem. If this is the case, you must c onfigu re your fire wall t o
“clone” or “spoof” the MAC address from the authorized PC. Refer to
“Manually
Configuring Your Internet Connection“ on page 2-19.
Restoring the Default Configuration and Passwor d
This section explains how to restore the factory default configuration settings, changing the
firewall’s administration password to password and the IP address to 192.168.0.1. You can erase
the current configuration and restore factory defaults in two ways:
• Use the Erase function of the Web Configuration Manager (see “Backing Up, Restoring, or
Erasing Your Settings“ on page 4-9).
• Use the Default Reset but ton on the rear panel of the fi rewa ll . Use t hi s met hod f o r cas es wh en
the administration password or IP address is not known.
Using the Default Reset button
To restore the factory default configuration settin gs wit hout k nowin g the ad mi ni st rat io n password
or IP address, you must use the Default Reset button on the rear panel of the firewall.
To restore the factory default configuration settings, follow these steps:
1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds).
LOCAL
MODEM
Reset
10/100M
87654321
Figure 6-1.Reset Button
6-8 Troubleshooting
INTERNET
12VDCO.5A
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
2. Release the D efault Reset button and wait for the firewall to reboot.
Problems with Date and Time
The E-Mail menu in the Content Filtering section displays the current date and time of day. The
FR328S Firewall uses the Network Time Protocol (NTP) to obtain the current time from one of
several Network Time Servers on the Internet. Each entry in the log is stamped with the date and
time of day. Problems with the date and time function can include:
• Date shown is January 1, 2000
Cause: The firewall has not yet successfully reached a Network Time Server. Check that your
Internet access settings are configured correctly. If you have just completed configuring the
firewall, wait at least five minutes and check the date and time again.
• Time is off by one hour
Cause: The firewall does not automat ically s ense Dayl ight Sa vings Time. In the E-Mail menu,
check or uncheck the box marked “Adjust for Daylight Savings Time”.
Troubleshooting 6-9
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
6-10 Troubleshooting
Appendix A
Technical Specifications
This appendix provides technical specifica ti ons for the FR328S Cable/DSL ProSafe Firewall with
Dial Back-Up.
Network Protocol and Standards Co mpatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP
PPP over Ethernet (PPPoE)
Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Japan: 100V, 50/60 Hz, input
All regions (output): 12 V DC @ 1.2A output, 20W maximum
Physical Specifications
Dimensions: H: 1.56 in (3.96 cm)
W: 10.0 in (25.4 cm)
D: 9.0 in (17.8 cm)
Weight: 2.72 lb. (1.23 Kg)
Technical Specifications A-1
FR328S Cable/DSL ProSafe Firewall with Dial Back-Up
Environmental Specifications
Operating temperature: 32°-140° F (0° to 40° C)
Operating humidity: 90% maximum relative humidity, noncondensing
Electromagnetic Emissions
Meets requirements of: FCC Part 15 Class B
VCCI Class B
EN 55 022 (CISPR 22), Class B
Interface Specifications
Local: 10BASE-T or 100BASE-Tx, RJ-45
Internet: 10BASE-T or 100BASE-Tx, RJ-45
A-2 Technical Specifications
Appendix B
Networks, Routing, and Firewall Basics
This chapter provides an overview of IP networks, routing, and firewalls.
Related Publications
As you read this document, you may be directed to various RFC documents for further
information. An RFC is a Request For Comment (RFC) published by the Internet Engineering
T ask F orce (IETF), an ope n or ganizat ion that defi nes the arch itectur e and operat ion of the In ternet.
The RFC documents outline and define th e standard pr otocols and pr ocedures for the Internet. The
documents are listed on the World Wide Web at www.ietf.org and are mirrored and indexed at
many other sites worldwide.
Basic Router Concepts
Large amounts of bandwidth can be provided easily and relatively inexpensively in a local area
network (LAN). However , provid ing high band width between a local network and the Inte rnet can
be very expensive. Because of this expense, Internet access is usually prov ided by a slower-speed
wide-area network (WAN) link such as a cable or DSL modem. In order to mak e the bes t use of the
slower WAN link, a mechanism must be in place for sel ecting and transmit ting only t he data t raf fic
meant for the Internet. The function of selecting and forwarding this data is performed by a router.
Networks, Routing, and Firewall Basics B-1
Reference Manual for the Model FVS318 Cable/DSL ProSafe VPN Firewall
What is a Router?
A router is a device that forwards traffic between networks based on network layer information in
the data and o n routing tables main tai ne d by the router. In these routing tables, a r out er builds up a
logical picture of the overall network by gathering and exchanging information with other routers
in the network. Using this information, the router chooses the best path for forwarding network
traffic.
Routers vary in performance and scale, number of routing protocols supported, and types of
physical WAN connection they support. The Model FVS318 Cable/DSL ProSafe VPN Firewall is
a small office router that routes the IP protocol over a single-user broadband connection.
Routing Information Protocol
One of the protocols used by a router to b uil d a nd mai ntain a picture of the net w ork is the Routing
Information Protocol (RIP). Using RIP, routers periodically update one another and check for
changes to add to the routing table.
The FVS318 VPN Firewall supports both the older RIP-1 and the newer RIP-2 protocols. Among
other improvements, RIP-2 supports subnet and multicast protocols. RIP is not required for most
home applications.
IP Addresses and the Internet
Because TCP/IP networks are interconnected across the world, every machine on the Internet must
have a unique address to make sur e that t ransmit ted dat a reache s the corr ect des tinat io n. Blocks of
addresses are assigned to organizations by the Internet Assigned Numbers Authority (IANA).
Individual users an d s ma ll organizations may ob tai n t heir addresses either fr om t he I ANA or fr om
an Internet service provider (ISP). You can contact IANA at www.iana.org.
The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot
notation (also called dotted-decimal notation), in which each group of eight bits is written in
decimal form, separated by decimal points.
For example, the following binary address:
11000011 00100010 00001100 00000111
is normally written as:
195.34.12.7
B-2 Networks, Routing, and Firewall Basi cs
Loading...