How it Works
NETGEAR
Loading...
FR328S
Data Sheet
2 pgs643.4 Kb0
Quick Start Manual
2 pgs469.17 Kb0
User guide
131 pgs4.2 Mb0
User Manual
135 pgs2.15 Mb0
Table of contents
Loading...

NETGEAR FR328S User Manual

Download
Page 1

FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

NETGEAR, Inc.
4500 Great America Parkway Santa Clara, CA 95054 USA Phone 1-888-NETGEAR
M-10207-01, Reference Manual v2 October 2003
Page 2
© 2003 by NETGEAR, Inc. Full Manual. All rights reserved.
Trademarks
NETGEAR and Auto Uplink are trademarks or registered trademarks of Netgear, Inc. Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruct ions, may cause harmf ul interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
EN 55 022 Declaration of Conformance
This is to certify that the FR328S ProSafe Firewall with Dial Back-Up is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22).
ii
M-10207-01, Reference Manual v2
Page 3
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß dasFR328S ProSafe Firewall with Dial Back-Up gemäß der im BMPT-AmtsblVfg 243/ 1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the FR328S ProSafe Firewall wi th Dial Back-Up has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Contr ol Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver , it may become the cause of radio interference. Read instructions for correct handling.
Technical Support
Refer to the Support Information Card that shipped with your FR328S ProSafe Firewall with Dial Back-Up.
World Wide Web
NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.
M-10207-01, Reference Manual v2
iii
Page 4
iv
M-10207-01, Reference Manual v2
Page 5

Contents

Chapter 1 About This Manual
Audience, Versions, Conventions ...................................................................................1-1
How to Use this Manual ..................................................................................................1-2
How to Print this Manual .................................................................................................1-3
Chapter 2 Introduction
Key Features ..................................................................................................................2-1
Full Routing on Both the Broadband and Serial Ports ........................ ... ... ... .... ... ... ..2-1
A Powerful, True Firewall with Comprehensive Content Filtering ............................2-2
Protocol Support ......................................................................................................2-2
Configurable Auto Uplink™ Ethernet Connection ....................................................2-3
Easy Installation and Management ..........................................................................2-3
What’s in the Box? ..........................................................................................................2-4
The Firewall’s Front Panel .......................................................................................2-5
The Firewall’s Rear Panel ........................................................................................2-6
Chapter 3 Connecting the Firewall to the Internet
What You Will Need Before You Begin .................................. .... .....................................3-1
Hardware Requirements ..........................................................................................3-1
Configuration Requirements ....................................................................................3-2
Internet Configuration Requirements ....................................................................... 3-2
Where Do I Get the Internet Configuration Parameters? ..................................3-2
Record Your Internet Connection Information ..........................................................3-3
Connecting the FR328S Firewall to Your LAN ...............................................................3-4
How to Connect the Firewall to Your LAN ................................................................3-4
Connecting the FR328S Firewall to the Internet ................... .................... ................... .. 3-8
How to Auto-Detect Your Internet Connection Type ................................................3-8
How to Complete the Wizard-Detected Login Account Setup ................................3-10
Contents v
M-10207-01, Reference Manual v2
Page 6
How to Complete the Wizard-Detected Dynamic IP Account Setup ......................3-11
How to Complete Wizard-Detected Fixed IP Account Setup .................................3-12
Configuring a Serial Port as the Primary Internet Connection ......................................3-13
How to Configure the Serial Port for an Internet Connection .................................3-13
Testing Your Internet Connection ..................................................................................3-15
Manually Configuring Your Internet Connection ................. ... .... ... ... ... .... ... ... ... ... .... ... ...3-16
How to Manually Configure the Primary Internet Connection ................................3-17
Chapter 4 Serial Port Configuration
Configuring a Serial Port Modem ...................................................................................4-2
Basic Requirements for Serial Port Modem Configuration .......................................4-2
How to Configure a Serial Port Modem ....................................................................4-2
Configuring Auto-Rollover ..............................................................................................4-3
Basic Requirements for Auto-Rollover .....................................................................4-3
How to Configure Auto-Rollover ...............................................................................4-3
Configuring Dial-in on the Serial Port .............................................................................4-4
Basic Requirements for Dial-in .................................................................................4-5
How to Configure Dial-in ..........................................................................................4-5
Configuring LAN-to-LAN Settings ...................................................................................4-6
Basic Requirements for LAN-to-LAN Connections ..................................................4-6
How to Configure LAN-to-LAN Connections ............................................................4-6
Chapter 5 Protecting Your Network
Protecting Access to Your FR328S Firewall ..................................................................5-1
How to Change the Built-In Password .....................................................................5-1
How to Change the Administrator Login Timeout ....................................................5-2
Configuring Basic Firewall Services ...............................................................................5-2
Blocking Keywords, Sites, and Services ......... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ..5-3
How to Block Keywords and Sites ...........................................................................5-3
Services ................................. ................................................ .........................................5-5
How to Define Services ............................................................................................5-5
Rules ..............................................................................................................................5-6
Inbound Rules (Port Forwarding) .............................. ............................................... 5-7
Inbound Rule Example: A Local Public Web Server ..........................................5-8
Inbound Rule Example: Allowing Videoconference from Restricted Addresses 5-10
vi Contents
M-10207-01, Reference Manual v2
Page 7
Considerations for Inbound Rules ...................................................................5-10
Outbound Rules (Service Blocking) .......................................................................5-11
Outbound Rule Example: Blocking Instant Messenger ...................................5-11
Order of Precedence for Rules ..............................................................................5-13
Setting Times and Scheduling Firewall Services ................................................ .......... 5-13
How to Set Your Time Zone ...................................................................................5-14
How to Schedule Firewall Services ........................................................................5-15
Chapter 6 Managing Your Network
Network Management Information .................................................................................6-1
Viewing Router Status and Usage Statistics ............................................................6-1
Viewing Attached Devices ........................................................................................6-4
Viewing, Selecting, and Saving Logged Information ................................................6-5
Selecting What Information to Log ....................................................................6-6
Saving Log Files on a Server ............................................................................6-7
Examples of log messages ......................................................................................6-7
Activation and Administration ............................................................................6-7
Dropped Packets ...............................................................................................6-7
Enabling Security Event E-mail Notification ...................................................................6-8
Backing Up, Restoring, or Erasing Your Settings ...........................................................6-9
How to Back Up the Configuration to a File ............................................................. 6-9
How to Restore a Configuration from a File .............................. ............................. 6-10
How to Erase the Configuration .............................................................................6-10
Running Diagnostic Utilities and Rebooting the Router ................................................6-11
Enabling Remote Management ....................................................................................6-12
How to Configure Remote Management ................................................................6-12
Upgrading the Router’s Firmware .................... ......... .......... .......... .......... ......... .......... ...6-13
How to Upgrade the Router ...................... .............................................................6-13
Chapter 7 Advanced Configuration
Configuring Advanced Security ......................................................................................7-1
Setting Up A Default DMZ Server ............................................................................7-1
Respond to Ping on Internet WAN Port ...................................................................7-2
Configuring LAN IP Settings ...........................................................................................7-2
LAN TCP/IP Setup ...................................................................................................7-2
Contents vii
M-10207-01, Reference Manual v2
Page 8
MTU Size .................................................................................................................7-3
DHCP ................................. .............................................................. ........................7-4
Use router as DHCP server ...............................................................................7-4
Reserved IP addresses .....................................................................................7-5
How to Configure LAN TCP/IP Setup ......................................................................7-5
Configuring Dynamic DNS .......................................................................................7-6
How to Configure Dynamic DNS ..............................................................................7-7
Using Static Routes ........................................................................................................7-8
Static Route Example ...............................................................................................7-8
How to Configure Static Routes ...............................................................................7-9
Chapter 8 Troubleshooting
Basic Functions ..............................................................................................................8-1
Power LED Not On ...................................................................................................8-2
Test LED Never Turns On or Test LED Stays On .....................................................8-2
Local or Internet Port Link LEDs Not On ..................................................................8-2
Troubleshooting the Web Configuration Interface ..........................................................8-3
Troubleshooting the ISP Connection ..............................................................................8-4
Troubleshooting a TCP/IP Network Using a Ping Utility .................................................8-5
Testing the LAN Path to Your Firewall ......................................................................8-5
Testing the Path from Your PC to a Remote Device ................................................8-6
Restoring the Default Configuration and Password ............... .........................................8-7
Using the Default Reset button ................................................................................8-7
Problems with Date and Time .........................................................................................8-8
Appendix A Technical Specifications
Appendix B Networks, Routing, and Firewall Basics
Related Publications ...................................................................................................... B-1
Basic Router Concepts .................................................................................................. B-1
What is a Router? ................................................................................................... B-1
Routing Information Protocol ................................................................................... B-2
IP Addresses and the Internet .. ... .... ... ... ... .... ................................................................. B-2
Netmask .................................... ................................................................ ..............B-4
Subnet Addressing .................................................................................................. B-5
viii Contents
M-10207-01, Reference Manual v2
Page 9
Private IP Addresses ................................. ... ... ... .......................................... ........... B-7
Single IP Address Operation Using NAT ....................................................................... B-8
MAC Addresses and Address Resolution Protocol ................................................. B-9
Related Documents ................................................................................................. B-9
Domain Name Server ............................................................................................ B-10
IP Configuration by DHCP ...................................................................... ... ... ... ... ......... B-10
Internet Security and Firewalls .................................................................................... B-10
What is a Firewall? .................................................................................................B-11
Stateful Packet Inspection ............................................................... ... ... .... ... ...B-11
Denial of Service Attack ..................................................................................B-11
Ethernet Cabling ................................. ... ... .... ... .......................................... ... ... ... .... ... ...B-11
Category 5 Cable Quality ...................................................................................... B-12
Inside Twisted Pair Cables .................................................................................... B-13
Uplink Switches, Crossover Cables, and MDI/MDIX Switching ............................ B-14
Appendix C Preparing Your Network
Preparing Your Computers for TCP/IP Networking ................................................... ... . C-1
Configuring Windows 95, 98, and ME for TCP/IP Networking ................................C-2
Install or V erify Windows Networking Components .......................................... C-2
Enabling DHCP to Automatically Configure TCP/IP Settings ...........................C-4
Selecting Windows’ Internet Access Method ................ ......................... ........... C-4
Verifying TCP/IP Properties .............................................................................. C-5
Configuring Windows NT, 2000 or XP for IP Networking ........................................ C-5
Install or V erify Windows Networking Components .......................................... C-5
Verifying TCP/IP Properties .............................................................................. C-6
Configuring the Macintosh for TCP/IP Networking .................... .......... ......... .......... . C-6
MacOS 8.6 or 9.x ................ ... ... ... .......................................... ........................... C-6
MacOS X .................................. ... .... ...................................... .... ... ... ... ... .... ... ... . C-7
Verifying TCP/IP Properties for Macintosh Computers .....................................C-8
Verifying the Readiness of Your Internet Account ......................................................... C-9
Are Login Protocols Used? ..................................................................................... C-9
What Is Your Configuration Information? ................................................................C-9
Obtaining ISP Configuration Information for Windows Computers .................C-10
Obtaining ISP Configuration Information for Macintosh Computers ............... C-11
Restarting the Network ................................................................................................ C-12
Contents ix
M-10207-01, Reference Manual v2
Page 10
Glossary Index
x Contents
M-10207-01, Reference Manual v2
Page 11
Chapter 1
About This Manual
Thank your for purchasing the NETGEAR™ FR328S ProSafe Firewall with Dial Back-Up. This chapter describes the target audience, versions, conventions, and features of this manual.

Audience, Versions, Conventions

This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic co mputer network, Internet, and firewall technologies tutorial information is provided in the Appendices and on the Netgear website.
This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
This manual is written for the FR328S Firewall according to these versions.:
Ta ble 1-1. Product, Firmware Version, Manual Version, and Publication Date
Product FR328S ProSafe Firewall with Dial Back-Up Firmware Version Number Version 1.4 Release 05 Manual Part Number M-10207-01, Reference Manual v2 Manual Publication Date October 2003
Note: Product updates are available on the NETGEAR, Inc. web site at http://
www.netgear.com/support/main.asp. Documentation updates are available on the
NETGEAR, Inc. web site at http://www.netgear.com/docs.
About This Manual 1-1
M-10207-01, Reference Manual v2
Page 12
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

How to Use this Manual

The HTML version of this manual includes a variety of navigation features as well as links to PDF versions of the full manual and individual chapters.
1
2 3
Figure Preface -2: HTML version of this manual
1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs.
To view the HTML version of the manual, you must have a version 4 or later browser with JavaScript enabled.
2. Toolbar buttons. Use the toolbar buttons across the top to navigate, print pages, and more.
The Show in Contents button locates the current topic in the Contents tab.
Previous/Next buttons display the previous or next topic.
The PDF button links to a PDF version of the full manual.
The Print button prints the current topic. Using this button when a step-by-step procedure is displayed will send the entire procedure to your printer--you do not have to worry about specifying the correct range of pages.
3. Right pane. Use the right pane to view the contents of the manual. Also, each page of the
manual includes a link at the top right which links to a PDF file containing just the currently selected chapter of the manual.
1-2 About This Manual
M-10207-01, Reference Manual v2
Page 13
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

How to Print this Manual

To print this manual you man choose one of the following several options, according to your needs.
Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on
the upper right of the toolbar to print the currently displayed topic. Using this button when a step-by-step procedure is displayed will send the entire procedure to your printer--you do not have to worry about specifying the correct range of pages.
Printing a Chapter. Use the link at the top right of any page.
Click “PDF of This Chapter” link at the top right of any page in the chapter you want to
print. The PDF version of the chapter you were viewing opens in a browser window. Note: Your computer must have the free Adobe Acrobat reader installed in order to view
and print PDF files. The Acrobat reader is available on the Adobe web site at
http://www.adobe.com.
Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper an printer ink by selecting this feature.
Printing the Full Manual. Use the PDF button in the toolbar at the top right of the browser
window. – Click the PDF button on the upper right of the toolbar. The PDF version of the
chapter you were viewing opens in a browser window.
Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper an printer ink by selecting this feature.
About This Manual 1-3
M-10207-01, Reference Manual v2
Page 14
Page 15
Chapter 2
Introduction
This chapter describes the features of the NETGEAR FR328S ProSafe Firewall with Dial Back-Up.
The FR328S is a complete security solution that protects your network from att acks and intrusions. Unlike simple Internet sharing routers that rely on Network Address Translation (NAT) for security, the FR328S uses S t ateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection. The 8-port FR328S with auto fail-over connect ivity through the serial port provides highly reliable Internet access for up to 253 users.

Key Features

The FR328S offers the following key features.
Full routing capabilities on both the broadband and serial ports, enabling Internet access via either the serial or broadband ports.
A powerful true firewall with comprehensive content filtering options.
Extensive protocol support.
Configurable Auto Uplink
Easy installation and management.
Ethernet Connections.
These features are discussed below.

Full Routing on Both the Broadband and Serial Ports

You can install, configure, and operate the FR328S to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including:
Internet access via either the serial or broadband port.
Auto fail-over connectivity through an analog or ISDN modem connected to the serial port If the broadband Internet connection fails, after a waiting for an amount of time you specify, the FR328S can automatically establish a backup ISDN or dial-up Internet connection via the serial port on the firewall.
Introduction 2-1
M-10207-01, Reference Manual v2
Page 16
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Remote Access Server (RAS) allows you to log in remotely through the serial port to access a server on your LAN, other LAN resources, or the Internet based on a user name and password you define.
LAN-to-LAN access between two FR328S firewalls through the serial port with the option of enabling auto-failover Internet access across the serial LAN-to-LAN connection.

A Powerful, True Firewall with Comprehensive Content Filtering

Unlike simple Internet sharing NAT routers, the FR328S is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
Denial of Service (DoS) protection Automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
Blocks unwanted traffic from the Internet to your LAN.
Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Logs security incidents The FR328S will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.
With its content filtering feature, the FR328S prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.

Protocol Support

The FR328S supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). Appendix B, “Networks, Routing, and Firewall Basics” provides further information on TCP/IP.
The Ability to Enable or Disable IP Address Sharing by NAT The FR328S allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. This feature can also be turned off completely for using the FR328S in settings where you want to manage the IP address scheme of your organization.
2-2 Introduction
M-10207-01, Reference Manual v2
Page 17
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Automatic Configuration of Attached PCs by DHCP The FR328S dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
DNS Proxy When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
PPP over Ethernet (PPPoE) PPP over Ethernet is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.
PPTP login support for European ISPs, BigPond login for Telstra DSL in Australia.
Dynamic DNS Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The firewall contains a client that can connect to many popular Dynamic DNS services to register your dynamic IP address.

Configurable Auto Uplink™ Ethernet Connection

With its internal 8-port 10/100 switch, the FR328S can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the local LAN and the Internet W AN interfaces are autosensing and capable of full-duplex or half-duplex operation.
TM
The firewall incorporates Auto Uplink
technology. Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.

Easy Installation and Management

You can install, configure, and operate the FR328S within minutes after connecting it to the network. The following features simplify installation and management tasks:
Introduction 2-3
M-10207-01, Reference Manual v2
Page 18
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Browser-based management
Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based interface.
Remote management
The firewall allows you to log in to the browser-based management interface from a remote location via the Internet using SSL encryption. For security , you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.
Smart Wizard
The firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
Diagnostic functions
The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot. These functions allow you to test Intern et connectivity and reboot the firewall. You can use these diagnostic functions directly from the FR328S when your are connected on the LAN or when you are connected over the Internet via the remote management function.
Visual monitoring
The firewall’s front panel LEDs provide an easy way to monitor its status and activity.
Flash EPROM for firmware upgrade

What’s in the Box?

The product package should contain the following items:
FR328S ProSafe Firewall with Dial Back-Up
•AC power adapter
Category 5 (CAT5) Ethernet cable
Resource CD (SW-10045-01), including:
— This manual — Application Notes, Tools, and other helpful information
Warranty and registration card
Support information card If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the
carton, including the original packing materials, in case you need to return the product for repair.
2-4 Introduction
M-10207-01, Reference Manual v2
Page 19
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

The Firewall’s Front Panel

The front panel of the FR328S (Figure 2-1) contains status LEDs.
Figure 2-1: FR328S Front Panel
You can use some of the LEDs to verify connections. Table 2-1 lists and describes each LED on the front panel of the firewall.
These LEDs are green when lit, except for the TEST LED, which is amber.
Table 2-1: LED Descriptions
Label Activity Description
POWER On Power is supplied to the firewall. TEST On
Off
MODEM On/Blinking The port detected a link with the Internet WAN connection or
INTERNET
100 On/Blinking The Internet port is operating at 100 Mbps. LINK/ACT (Activity) On/Blinking The port detected a link with the Internet WAN connection and is
LOCAL
100 On/Blinking The Local port is operating at 100 Mbps. LINK/ACT
(Link/Activity)
On/Blinking The Local port has detected a link with a LAN connection and is
The system is initializing. The system is ready and running.
Remote Access Server. Blinking indicates data transmission.
operating at 10 Mbps. Blinking indicates data transmission.
operating at 10 Mbps. Blinking indicates data transmission.
Introduction 2-5
M-10207-01, Reference Manual v2
Page 20
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

The Firewall’s Rear Panel

The rear panel of the FR328S (Figure 2-2) contains the connections identified below.
LOC AL
MODEM
87654321
10/100M
INTERN ET
Figure 2-2: FR328S Rear Panel
Viewed from left to right, the rear panel contains the following elements:
DB-9 serial port for modem connection
Factory Default Reset push button
Eight Local Ethernet RJ-45 ports for connecting the firewall to the local computers
Internet WAN Ethernet RJ-45 port for connecting the firewall to a cable or DSL modem
12V DC 1.2A power adapter input
12VDC O.5A
2-6 Introduction
M-10207-01, Reference Manual v2
Page 21
Chapter 3
Connecting the Firewall to the Internet
This chapter describes how to set up the firewall on your Local Area Network (LAN), connect to the Internet, perform basic configuration of your FR328S ProSafe Firewall with Dial Back-Up using the Setup Wizard, or how to manually configure your Internet connection.

What You Will Need Before You Begin

You need to prepare these three things before you can connect your firewall to the Internet:
1. A computer properly connected to the firewall as explained below.
2. Active Internet service such as that provided by a DSL or Cable modem account.
3. The Internet Service Provider (ISP) configuration information for your DSL or Cable modem
account.

Hardware Requirements

The FR328S Firewall connects to your LAN via twisted-pair Ethernet cables. To use the FR328S Firewall on your network, each computer must have an installed Ethernet Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your firewall. For more on CAT5 cabling, please see “Ethernet Cabling“ on page B-11.
The broadband modem must provide a standard 10 Mbps 10BASE-T or 100 Mbps 100BASE-T Ethernet interface.
The serial modem must have the standard serial modem interface and cable with a DB-9 connector as illustrated in “FR328S Rear Panel“ on page 2-6.
Connecting the Firewall to the Internet 3-1
M-10207-01, Reference Manual v2
Page 22
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Configuration Requirements

For the initial connection to the Internet and configuration of your firewall, you will need to connect a computer to the firewall which is set to automatically get its TCP/IP configuration from the firewall via DHCP.
Note: For assistance with DHCP configuration, please refer to the animated Windows TCP/IP Configuration Tutorials on the Resource CD (SW-10045-01) or in Appendix C, "Preparing Yo ur
Network".

Internet Configuration Requirements

Depending on how your ISP set up your Internet account, you will need one or more of these configuration parameters to connect your firewall to the Internet:
Host and Domain Names
ISP Login Name and Password
ISP Domain Name Server (DNS) Addresses
Fixed or Static IP Address
Where Do I Get the Internet Configuration Parameters?
There are several ways you can gather the required Internet connection information.
Your ISP should have provided you with all the information needed to connect to the Internet.
If you cannot locate this information, you can ask your ISP to provide it or you can try one of the options below.
If you have a computer already connected using the active Internet access account, you can
gather the configuration information from that computer.
For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the Ethernet adapter, and click Properties.
For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties.
For Macintosh computers, open the TCP/IP or Network control panel.
You may also refer to the FR328S Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs.
Once you locate your Internet configuration parameters, you may want to record them on the page below according to the instructions in “Record Your Internet Connection Information” on
page 3-3.
3-2 Connecting the Firewall to the Internet
M-10207-01, Reference Manual v2
Page 23
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Record Your Internet Connection Information

Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as
given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs. If you connect using a login name and password, then fill in the following:
Login Name: ________________________
Password: ______________________
Service Name: ________________________ Fixed or Static IP Address: If you have a static IP address, record the following information. For
example, 169.254.141.148 could be a valid IP address. Fixed or Static Internet IP Address: ______
.______.______.______ Subnet Mask: ______.______.______.______ Gateway IP Address: ______.______.______.______
ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following: Primary DNS Server IP Address: ______
.______.______.______
Secondary DNS Server IP Address: ______.______.______.______ Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or
home. If you haven’t been given host or domain names, you can use the following examples as a
guide:
If your main e-mail account with your ISP is
aaa@yyy.com, then use aaa as your host name.
Your ISP might call this your account, user, host, computer, or system name.
If your ISP’s mail server is
mail.xxx.yyy.com, then use xxx.yyy.com as the domain name.
ISP Host Name: __________________
ISP Domain Name: ___________________
For Serial Port Internet Access: If you use a dial-up account, record the following: Account/User Name: ___________________
Password: ____________________
Telephone number: _________________ Alternative number: _________________
Connecting the Firewall to the Internet 3-3
M-10207-01, Reference Manual v2
Page 24
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Connecting the FR328S Firewall to Your LAN

This section provides instructions for connecting the FR328S ProSafe Firewall with Dial Back-Up to your Local Area Network (LAN).
Note: The Resource CD included with your firewall cont ains an animated Installation Assistant to guide you through this procedure.

How to Connect the Firewall to Your LAN

There are three steps to connecting your firewall:
1. Connect the firewall to your network.
2. Log in to the firewall.
3. Connect to the Internet.
Follow the steps below to connect your firewall to your network. You can also refer to the Resource CD included with your firewall which contains an animated Installation Assistant to help you through this procedure.
1. Connect the Firewall
a. Turn off your computer and Cable or DSL Modem. b. Disconnect the Ethernet cable (A) from your computer which connects to yo ur Cable or
DSL modem.
A
DSL modem
Figure 3-1: Disconnect the Cable or DSL Modem
3-4 Connecting the Firewall to the Internet
M-10207-01, Reference Manual v2
Page 25
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Connect the Ethernet cable (A) from your Cable or DSL modem to the FR328S’s Internet
c.
port.
LOCAL
MODEM
10/100M
87654321
Figure 3-2: Connect the Cable or DSL Modem to the firewall
d.
Connect the Ethernet cable (B) which came with the firewall from a Local port on the
A
INTERNET
12VDCO.5A
router to your computer.
modem
DSL
DSL
modem
B
LOCAL
MODEM
10/100M
87654321
INTERNET
A
12VDCO.5A
Figure 3-3: Connect the computers on your network to the firewall
Note: The FR328S Firewall incorporates Auto UplinkTM technology . Each LOCAL Ethernet
port will automatically sense whether the cable plugged into the port should have a 'normal' connection (e.g. connecting to a PC) or an 'uplink' connection (e.g. connecting to a switch or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.
Connecting the Firewall to the Internet 3-5
M-10207-01, Reference Manual v2
Page 26
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Turn on the Cable or DSL modem and wait about 30 seconds for the lights to stop
e.
blinking.
2. Log in to the Firewall
Note: To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. Please refer to Appendix C, "Preparing Your Network" for instructions on how to do this.
a. Turn on the firewall and wait for the Test light to stop blinking. b. Now, turn on your computer.
Note: If you usually run software to log in to your Internet connection, do not run that software.
Now that the Cable or DSL Modem, firewall, and the computer are turned on, verify the following:
When power on the firewall was first turned on, the PWR light went on, the TEST light turned on within a few seconds, and then went off after approximately 10 seconds.
The firewall’s LOCAL LINK/ACT lights are lit for any computers that are connected to it.
The firewall’s INTERNET LINK light is lit, indicating a link has been established to the cable or DSL modem.
c. Next, use a browser like Internet Explorer or Netscape to log in to the firewall at its default
address of http://192.168.0.1.
Figure 3-4: Log in to the firewall
3-6 Connecting the Firewall to the Internet
M-10207-01, Reference Manual v2
Page 27
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
A login window opens as shown in Figure 3-5 below:
Figure 3-5: Login window
d.
For security reasons, the firewall has its own user name and password. When prompted, enter
admin for the firewall User Name and password for the firewall Password, both in
lower case letters. Note: The user name and password are not the same as any user name or password you
may use to log in to your Internet connection.
3. Connect to the Internet
Figure 3-6: Setup Wizard
a.
You are now connected to the firewall. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu.
Connecting the Firewall to the Internet 3-7
M-10207-01, Reference Manual v2
Page 28
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Select the NAT option and click Next to follow the steps in the Setup Wizard to input the
b.
configuration parameters from your ISP to connect to the Internet. If you choose not to use NAT, each computer on the LAN connected to the FR328S must have a valid public IP address in the same subnet as the Wan port of the FR328S. For more information on NAT, please see “Single IP Address Operation Using NAT“ on page B-8
If you were unable to connect to the firewall, please refer to Troubleshooting “Basic Functions“ on
page 8-1.

Connecting the FR328S Firewall to the Internet

You are now ready to configure your firewall to connect to the Internet. There are two ways you can configure your firewall to connect to the Internet:
Let the FR328S auto-detect the type of Internet connection you have and configure it.
Manually choose which type of Internet connection you have and configure it. These options are described below. Unless your ISP uses DHCP, you will need the parameters
from your ISP you recorded in “Record Your Internet Connection Information” on page 3-3.

How to Auto-Detect Your Internet Connection Type

The Web Configuration Manager built in to the firewall contains a Setup Wizard that can automatically determine your network connection type.
1. If your firewall has not yet been configured, the Setup Wizard should launch automatically.
3-8 Connecting the Firewall to the Internet
M-10207-01, Reference Manual v2
Page 29
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
When the Wizard launches, select Yes in the menu below to allow the firewall to automatically determine your connection.
Figure 3-7: Setup Wizard
Note: If you do not see the Setup Wizard, click the Setup Wizard link in the upper left to
bring up this menu.
2. Click Next
The Setup Wizard will now check for the following connection types:
Dynamic IP assignment
A login protocol such as PPPoE
Fixed IP address assignment
Next, the Setup Wizard will report which connection type it has discovered, and then display the appropriate configuration menu. If the Setup Wizard finds no connection, you will be prompted to check the physical connection between your firewall and the cable or DSL modem. When the connection is properly made, the firewall’s Internet LED should be on.
The procedures for filling in the configuration menu for each type of connection follow below.
Connecting the Firewall to the Internet 3-9
M-10207-01, Reference Manual v2
Page 30
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

How to Complete the Wizard-Detected Login Account Setup

If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to a menu like the PPPoE menu in Figure 3-8:
Figure 3-8: Setup Wizard menu for PPPoE login accounts
1.
Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.
2. Enter the PPPoE login user name and password provided by your ISP. These fields are case
sensitive. If you wish to change the login timeout, enter a new value in minutes. Note: You will no longer need to launch the ISP’s login program on your PC in order to
access the Internet. When you start an Internet application, your firewall will automatically log you in.
3. Domain Name Server (DNS) Address: If you know that your ISP does not automatically
transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
Note: If you enter an address here, after you finish configuring the firewall, reboot your PCs so that the settings take effect.
3-10 Connecting the Firewall to the Internet
M-10207-01, Reference Manual v2
Page 31
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Click Apply to save your settings.
4.
5. Click Test to test your Internet connection. If the NETGEAR website does not appear within
one minute, refer to Chapter 8, Troubleshooti ng”.

How to Complete the Wizard-Detected Dynamic IP Account Setup

If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the menu shown in Figure 3-9 below:
Figure 3-9: Setup Wizard menu for Dynamic IP address
1.
Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.
2. If you know that your ISP does not automatically transmit DNS addresses to the firewall
during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
Note: DNS servers are required to perform the function of translating an Internet name such as www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must obtain DNS server addresses from your ISP and enter them manually here. Y ou should reboot your PCs after configuring the firewall for these settings to take effect.
Connecting the Firewall to the Internet 3-11
M-10207-01, Reference Manual v2
Page 32
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
The Router’s MAC Address is the Ethernet MAC address that will be used by the firewall on
3.
the Internet port. If your ISP allows access from only one specific computer’s Ethernet MAC address, select
“Use this MAC address.” The firewall will then capture and use the MAC address of the computer that you are now using. You must be using the one computer that is allowed by the ISP. Otherwise, you can type in a MAC address.
Note: Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your firewall to masquerade as that PC by using its MAC address.
4. Click Apply to save your settings.
5. Click Test to test your Internet connection. If the NETGEAR website does not appear within
one minute, refer to Chapter 8, Troubleshooti ng”.

How to Complete Wizard-Detected Fixed IP Account Setup

If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you will be directed to the menu shown in Figure 3-10 below:
Figure 3-10: Setup Wizard menu for Fixed IP address
3-12 Connecting the Firewall to the Internet
M-10207-01, Reference Manual v2
Page 33
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway
1.
router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP you recorded in “Record Your Internet Connection
Information” on page 3-3.
2. Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is
available, enter it also. Note: DNS servers are required to perform the function of translating an Internet name such
as www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must obtain DNS server addresses from your ISP and enter them manually here. Y ou should reboot your PCs after configuring the firewall for these settings to take effect.
3. Click Apply to save the settings.
4. Click Test to test your Internet connection. If the NETGEAR website does not appear within
one minute, refer to Chapter 8, Troubleshooti ng.

Configuring a Serial Port as the Primary Internet Connection

Use the procedure below to configure an Internet connection via the serial port of your firewall.

How to Configure the Serial Port for an Internet Connection

There are three steps to configuring the serial port of your firewall for an Internet connection:
1. Connect the firewall to your ISDN or dial-up analog modem
2. Configure the firewall
3. Connect to the Internet
Follow the steps below to configure a serial port Internet connection on your firewall.
1. Connect the Firewall to your ISDN or dial-up modem
a. Turn off your modem and connect the cable from the serial port of the FR328S to the
modem.
b. Turn on the modem and wait about 30 seconds for the lights to stop blinking.
2. Configure the Serial Port of the Firewall.
a. Use a browser to log in to the firewall at http://192.168.0.1 with its default User Name of
admin and default Password of password, or using whatever Password you have set up.
Connecting the Firewall to the Internet 3-13
M-10207-01, Reference Manual v2
Page 34
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
From the Setup Basic Settings menu, click Serial Port.
b.
Figure 3-11: Serial Internet Connection configuration menu
c.
Fill in the ISDN or analog ISP Internet configuration parameters as appropriate:
For a Dial-up Account, enter the Account information. Check “Connect as required”
to enable the firewall to automatically dial the number. To enable Idle Time disconnect, check the box and enter a time in minutes.
To configure the Internet IP settings, fill in the address parameters your ISP provided.
d. Configure the Modem parameters.
3-14 Connecting the Firewall to the Internet
M-10207-01, Reference Manual v2
Page 35
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Note: Y ou can validate modem string settings by first connecting the modem directly to a PC, establishing a connection to your ISP, and then copying the modem string settings from the PC configuration and pasting them into the FR328S Modem Properties Initial String field. For more information on this procedure, please refer to the support area of the NETGEAR web site.
Select the Serial Line Speed. This is the maximum speed the modem will attempt to
use. For ISDN permanent connections, the speeds are typically 64000 or 128000 bps. For dial-up modems, 56000 bps would be a typical setting.
Select the Modem Type.
For ISDN, select “Permanent connection (leased line).” – For dial-up, select your modem from the list. “Standard Modem” should work in
most cases.
If your modem is not on the list, select “User Defined” and enter the Modem
Properties.
Note: If you are not using modem from the pre-defined list but are using the “User Defined” Modem Type, you must first use the Serial Port menu Modem link to fill in the Modem Properties settings for your modem.
e. Click Apply to save your settings.
3. Connect to the Internet to test your configuration.
a. If you have a broadband connection, disconnect it. b. From a workstation, open a browser and test your serial port Internet connection.
Note: The response time of your serial port Internet connection will be slower than a broadband Internet connection.

Testing Your Internet Connection

After completing the Internet connection configuration, your can test your Internet connection. Log in to the firewall, then, from the Setup Basic Settings link, click on the Test button. If the NETGEAR website does not appear within one minute, refer to Chapter 8, Troubleshootin g.
To access the Internet from any computer connected to your firewall, launch a browser such as Microsoft Internet Explorer or Netscape Navigator. You should see the firewall’s Internet LED blink, indicating communication to the ISP. The browser should begin to display a Web page.
The following chapters describe how to configure the Advanced features of your firewall, and how to troubleshoot problems that may occur.
Connecting the Firewall to the Internet 3-15
M-10207-01, Reference Manual v2
Page 36
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Manually Configuring Your Internet Connection

You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
ISP Does Not Require Login
ISP Does Require Login
Figure 3-12: Browser-based configuration Basic Settings menu
3-16 Connecting the Firewall to the Internet
M-10207-01, Reference Manual v2
Page 37
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

How to Manually Configure the Primary Internet Connection

Use these steps to manually configure the primary Internet connection in the Basic Settings menu.
1. Select your Internet connection type (broadband with or without login, or serial).
Note: If you are a Telstra BigPond broadband customer, or if you are in an area such as Austria that uses broadband PPTP, login is required. If so, select BigPond or PPTP from the Internet Service Type drop down box.
2. Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be necessary to access your ISP’s services such as mail or news servers.
3. If needed, enter the PPPoE login user name and password provided by your ISP. These fields
are case sensitive. To change the login timeout, ente r a new value in minutes. Note: You will no longer need to run the ISP’s login program on your PC in order to access
the Internet. When you start an Internet application, your firewall automatically logs you in.
4. Internet IP Address: If your ISP assigned you a permanent, fixed IP address for your PC, select
“Use static IP address.” Enter the IP address your ISP assigned. Also enter the netmask and the Gateway IP address. The Gateway is the ISP’s router to which your firewall will connect.
5. Domain Name Server (DNS) Address: If your ISP does not automatically transmit DNS
addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it.
Note: A DNS server is a host on the Internet that translates Internet names (such as www .netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your PCs after configuring the firewall.
6. Router’s MAC Address: This section determines the Ethernet MAC address that will be used
by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your firewall to masquerade as that PC by “cloning” its MAC address. To change the MAC address, select “Use this Computer’s MAC address.” The firewall will then capture and use the MAC address of the PC that you are now using. You must be using the one PC that is allowed by the ISP. Or, select “Use this MAC address” and enter it.
7. Click Apply to save your settings.
8. Click Test to test your Internet connection. If the NETGEAR website does not appear within
one minute, refer to Chapter 8, Troubleshooti ng.
Connecting the Firewall to the Internet 3-17
M-10207-01, Reference Manual v2
Page 38
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
3-18 Connecting the Firewall to the Internet
M-10207-01, Reference Manual v2
Page 39
Chapter 4
Serial Port Configuration
This chapter describes how to configure the serial port options of your FR328S ProSafe Firewall with Dial Back-Up. The FR328S serial port lets you share the broadband connection of another FR328S, share resources between two LANs, and take advantage of the routing functions on the broadband (WAN), LAN, and serial network interfaces.
Note: If you configure the serial port of the FR328S as the primary Internet connection, you will not be able to configure the other serial port options. For instructions on configuring the serial port as the primary Internet connection, please see “Configuring a Serial Port as the Primary Internet
Connection“ on page 3-13.
The FR328S provides these serial port configuration options:
•Modem
Use this option to configure the serial modem settings for any of the features below.
Auto-Rollover
Use this option to provide a backup connection for your broadband service. If the broadband service you configured in the Basic Settings menu fails, the FR328S will automatically connect to the Internet through the serial port. However, you will then be accessing the Internet at a slower speed than you would through your broadband service.
Dial-in
Dial-in lets a single remote computer connect to the FR328S through the serial port to gain access to LAN resources or a remote access server.
LAN-to-LAN
LAN-to-LAN enables direct communications between two FR328S firewalls to: — Share resources on the two LANs. — Let users on one FR328S share the Internet connection of the other FR328S. — Let users on one FR328S connect to the Internet through the second FR328S in case the
broadband connection of the first FR328S fails.
The procedures for these configuration options are presented below.
Serial Port Configuration 4-1
M-10207-01, Reference Manual v2
Page 40
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Configuring a Serial Port Modem

You can configure a serial port modem for any of the features described above. Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.

Basic Requirements for Serial Port Modem Configuration

Configuring a serial port modem requires these elements:
1. A serial analog or ISDN modem.
2. A serial modem cable with a DB9 connector.
3. An active phone or ISDN line.

How to Configure a Serial Port Modem

Follow the steps below to configure a serial port modem.
1. From the main menu, click Modem in the Serial Port section.
Figure 4-1: Serial Port Modem configuration menu
2.
Select the Serial Line Speed. This is the maximum speed the modem will attempt to use. For ISDN permanent connections, the speeds are typically 64000 or 128000 bps. For dial-up modems, 56000 bps would be a typical setting.
— For ISDN, select “Permanent connection (leased line).” — For dial-up, “Standard Modem” should work in most cases. Otherwise, select your modem
from the list.
4-2 Serial Port Configuration
M-10207-01, Reference Manual v2
Page 41
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
— If your modem is not on the list, select “User Defined” and enter the Modem Properties.
If you are using the “User Defined” selection and configuring your own modem stings, fill in the Modem Properties settings.
Note: Y ou can validate modem string settings by first connecting the modem directly to a PC, establishing a connection to your ISP, and then copying the modem string settings from the PC configuration and pasting them into the FR328S Modem Properties Initial String field. For more information on this procedure, please refer to the support area of the NETGEAR web site.
3. Click Apply to save your settings.

Configuring Auto-Rollover

You can configure the serial port of the FR328S to provide an auto-rollover backup connection for your broadband service.
Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.

Basic Requirements for Auto-Rollover

Auto-Rollover requires these elements:
1. A broadband connection to the FR328S.
2. An ISDN or analog phone line with an active ISDN or dial-up ISP account
3. A serial modem properly configured and attached to the DB9 connector on the serial port.
4. The Auto-Rollover settings configured and applied to the FR328S.

How to Configure Auto-Rollover

Follow the steps below to configure a serial port auto-rollover connection.
1. Configure a serial port modem according to the instructions above.
2. From the main menu, click Auto-rollover in the Serial Port section.
Serial Port Configuration 4-3
M-10207-01, Reference Manual v2
Page 42
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Figure 4-2: Auto-Rollover configuration menu
Configure the Auto-Rollover settings.
3.
4. Click Apply for the changes to take effect.

Configuring Dial-in on the Serial Port

Dial-in lets a single remote computer connect to the FR328S through the serial port to gain access to LAN resources or a remote access server.
Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.
4-4 Serial Port Configuration
M-10207-01, Reference Manual v2
Page 43
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Basic Requirements for Dial-in

Dial-in requires these elements:
1. A broadband connection to the FR328S.
2. An analog phone line.
3. A serial modem properly configured and attached to the DB9 connector on the serial port.
4. The Dial-in settings configured and applied to the FR328S.

How to Configure Dial-in

Follow the steps below to configure a serial port dial-in connection.
1. Configure a serial port modem according to the instructions above.
2. From the Serial Port section of the main menu, click Dial-in.
Figure 4-3: Serial Port Dial-in settings screen
3.
Configure the Dial-in settings.
4. Click Apply for the changes to take effect.
Serial Port Configuration 4-5
M-10207-01, Reference Manual v2
Page 44
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Configuring LAN-to-LAN Settings

LAN-to-LAN enables direct communications between two FR328S firewalls.
Serial Connection
FR328S A
FR328S B
192.168.3.1
Figure 4-4: LAN-to-LAN network configuration
192.168.0.1

Basic Requirements for LAN-to-LAN Connections

Serial port LAN-to-LAN configurations require these elements:
1. An ISDN or analog phone line with an active ISDN or dial-up ISP account.
2. A serial modem properly configured and attached to the DB9 connector on the serial port.
3. A broadband connection to one FR328S for LAN-to-LAN auto-rollover Internet access.
4. The LAN-to-LAN settings configured and applied to the two FR328S firewalls.

How to Configure LAN-to-LAN Connections

Follow the steps below to configure a serial port LAN-to-LAN connection.
1. Configure a serial port modem according to the instructions above.
2. From the main menu, click LAN-to-LAN in the Serial Port section.
4-6 Serial Port Configuration
M-10207-01, Reference Manual v2
Page 45
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Figure 4-5: LAN-to-LAN configuration menu
Configure the LAN-to-LAN settings.
3.
Note: The LAN subnet address of each FR328S must be different.
4. Click Apply for the changes to take effect.
Serial Port Configuration 4-7
M-10207-01, Reference Manual v2
Page 46
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
4-8 Serial Port Configuration
M-10207-01, Reference Manual v2
Page 47
Chapter 5
Protecting Your Network
This chapter describes how to use the basic firewall features of the FR328S ProSafe Firewall with Dial Back-Up to protect your network.

Protecting Access to Your FR328S Firewall

For security reasons, the firewall has its own user name and password. Also, after a period of inactivity for a set length of time, the administrator login will automatically disconnect. When prompted, enter admin for the firewall User Name and password for the firewall password. You can use procedures below to change the firewall password and the amount of time for the administrator’s login timeout.
Note: The user name and password are not the same as any user name or password your may use to log in to your Internet connection.
Change this password to a more secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of both upper and lower case letters, numbers, and symbols. Your password can be up to 30 characters.

How to Change the Built-In Password

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
Protecting Your Network 5-1
admin, default password of password, or using whatever password and LAN
M-10207-01, Reference Manual v2
Page 48
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
From the Main Menu of the browser interface, under the Maintenance heading, select Set
2.
Password to bring up the menu shown in Figure 5-1.
Figure 5-1: Set Password menu
3.
To change the password, first enter the old password, and then enter the new password twice.
4. Click Apply to save your changes.
Note: After changing the password, you will be required to log in again to continue the configuration.
If you have backed up the firewall settings previously, you should do a new
backup so that the saved settings file includes the new password.

How to Change the Administrator Login Timeout

For security, the administrator's login to the firewall configuration will timeout after a period of inactivity. To change the login timeout period:
1. In the Set Password menu, type a number in ‘Administrator login times out’ field.The
suggested default value is 5 minutes.
2. Click Apply to save your changes or click Cancel to keep the current period.

Configuring Basic Firewall Services

Basic firewall services you can configure include access blocking and scheduling of firewall security. These topics are presented below.
5-2 Protecting Your Network
M-10207-01, Reference Manual v2
Page 49
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Blocking Keywords, Sites, and Services

The firewall provides a variety of options for blocking Internet based content and
communications services.
objectionable content from reaching your PCs. The FR328S allows you to control access to Internet content by screening for keywords within Web addresses. Key content filtering options include:
Blocks access from your LAN to Internet locations that you specify as off-limits.
Keyword blocking of newsgroup names.
Outbound Services Blocking limits access from your LAN to Internet locations or services that you specify as off-limits.
Denial of Service (DoS) protection. Automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
Blocks unwanted traffic from the Internet to your LAN.
With its content filtering feature, the FR328S Firewall prevents
The section below explains how to configure your
firewall to perform these functions.

How to Block Keywords and Sites

The FR328S Firewall allows you to restrict access to Internet content based on functions such as Java or Cookies, Web addresses and Web address keywords.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
admin, default password of password, or using whatever password and LAN
Protecting Your Network 5-3
M-10207-01, Reference Manual v2
Page 50
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Click on the Block Sites link of the Security menu.
2.
Figure 5-2: Block Sites menu
3.
To enable keyword blocking, check “Turn keyword blocking on”, enter a keyword or domain in the Keyword box, click Add Keyword, then click Apply.
Some examples of Keyword application follow:
If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is
blocked, as is the newsgroup alt.pictures.xxx.
If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu
or .gov) can be viewed.
Enter the keyword “.” to block all Internet browsing access. Up to 32 entries are supported in the Keyword list.
4. T o delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
5. To spec ify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply.
You may specify one Trusted User, which is a PC that will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that PC with a fixed IP address.
6. Click Apply to save your settings.
5-4 Protecting Your Network
M-10207-01, Reference Manual v2
Page 51
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Services

Services are functions performed by server computers at the request of client computers. For example, Web servers serve web page s, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the FR328S already holds a list of many service port numbers, you are not limited to these choices. Use the procedure below to create your own service definitions.

How to Define Services

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
admin, default password of password, or using whatever password and LAN
2. Click Services on the Security menu to display the Services menu:
Figure 5-3: Services menu
To create a new Service, click the Add button.
To edit an existing Service, select its button on the left side of the table and click Edit.
To delete an existing Service, select its button on the left side of the table and click Delete.
Protecting Your Network 5-5
M-10207-01, Reference Manual v2
Page 52
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Modify the menu shown below for defining or editing a service.
3.
Figure 5-4: Add Services menu
4.
Click Apply to save your changes.

Rules

Firewall rules are used to block or allow specific traffic passing through from one side to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FR328S are:
Inbound: Block all access from outside except responses to requests from the LAN side.
Outbound: Allow all access from the LAN side to the outside.
You may define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destinat ion IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined.
5-6 Protecting Your Network
M-10207-01, Reference Manual v2
Page 53
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
T o access the Rules configuration of the FR328S, click the Rules link on the main menu, then click Add for either an Outbound or Inbound Service.
Figure 5-5. Rules menu
To edit an existing rule, select its button on the left side of the table and click Edit.
To delete an existing rule, select its button on the left side of the table and click Delete.
T o move an existing rule to a dif ferent position in the table, select its button on the left side
of the table and click Move. At the script prompt, enter the number of the desired new position and click OK.

Inbound Rules (Port Forwarding)

When Network Address Translation (NAT) is on, the FR328S presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a web server or game server) visible and available to the Internet. The rule tells the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding.
When NAT is off, all Internet addresses on your LAN are presented to the Internet and outside users can directly address any of your local computers. For security purposes, do not turn NA T off unless the FR328S is behind another router or firewall.
Protecting Your Network 5-7
M-10207-01, Reference Manual v2
Page 54
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network. Following are two application examples of inbound rules:
Inbound Rule Example: A Local Public Web Server
If you host a public web server on your local network, you can define a rule to allow inbo und web (HTTP) requests from any outside IP address to the IP address of your web server at any time of day. This rule is shown in Figure 5-6:
Figure 5-6. Rule example: A Local Public Web Server
5-8 Protecting Your Network
M-10207-01, Reference Manual v2
Page 55
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
The parameters are:
•Service
From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add Services menu to add any additional services or applications that do not already appear.
Action
Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu.
Send to LAN Server
Enter the IP address of the PC or Server on your LAN which will receive the inbound traffic covered by this rule.
WAN Users
These settings determine which packets are covered by the rule, based on their source (WAN) IP address. Select the desired option:
Any All IP addresses are covered by this rule.
Address range If this option is selected, you must enter the "Start" and "Finish" fields.
Single address Enter the required address in the "Start" fields.
•Log
You can select whether the traffic will be logged. The choices are:
Never - no log entries will be made for this service.
Always - any traffic for this service type will be logged.
Match - traffic of this type which matches the parameters and action will be logged.
Not match - traffic of this type which does not match the parameters and action will be logged.
Protecting Your Network 5-9
M-10207-01, Reference Manual v2
Page 56
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Inbound Rule Example: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 5-7, CU-SeeMe connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.
Figure 5-7. Rule example: Videoconference from Restricted Addresses
Considerations for Inbound Rules
If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menus so that external users can always find your network.
If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the PC’s IP address constant.
Local PCs must access the local server using the PCs’ local LAN address (192.168.0.11 in the example in Figure 5-7 above). Attempts by local PCs to access the server using the external WAN IP address will fail.
5-10 Protecting Your Network
M-10207-01, Reference Manual v2
Page 57
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Outbound Rules (Service Blocking)

The FR328S allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local PC based on the:
IP address of the local PC (source address)
IP address of the Internet site being contacted (destination address)
•Time of day
Type of service being requested (service port number)
Following is an application example of outbound rules:
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the firewall log any attempt to use Instant Messenger during that blocked period.
Figure 5-8. Rule example: Blocking Instant Messenger
Protecting Your Network 5-11
M-10207-01, Reference Manual v2
Page 58
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
The parameters are:
•Service
From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add Services menu to add any additional services or applications that do not already appear.
Action
Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu.
LAN Users
These settings determine which packets are covered by the rule, based on their source LAN IP address. Select the desired option:
Any All IP addresses are covered by this rule.
Address range If this option is selected, you must enter the "Start" and "Finish" fields.
Single address Enter the required address in the "Start" fields.
WAN Users
These settings determine which packets are covered by the rule, based on their destination WAN IP address. Select the desired option:
Any All IP addresses are covered by this rule.
Address range If this option is selected, you must enter the "Start" and "Finish" fields.
Single address Enter the required address in the "Start" fields.
•Log
You can select whether the traffic will be logged. The choices are:
Never - no log entries will be made for this service.
Always - any traffic for this service type will be logged.
Match - traffic of this type which matches the parameters and action will be logged.
Not match - traffic of this type which does not match the parameters and action will be logged.
5-12 Protecting Your Network
M-10207-01, Reference Manual v2
Page 59
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 5-9:
Figure 5-9. Rules table with examples
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet. The Move button allows you to relocate a defined rule to a new position in the table.

Setting Times and Scheduling Firewall Services

The FR328S Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must select your Time Zone from the list.
Protecting Your Network 5-13
M-10207-01, Reference Manual v2
Page 60
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

How to Set Your Time Zone

In order to localize the time for your log entries, you must specify your Time Zone:
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
2. Click Schedule on the Security menu to display menu shown below.
admin, default password of password, or using whatever password and LAN
Figure 5-10: Schedule Services menu
3.
Select your Time Zone. This setting will be used for the blocking schedule according to your local time zone and for time-stamping log entries.
Check the Daylight Savings Time box if your time zone is currently in daylight savings time.
5-14 Protecting Your Network
M-10207-01, Reference Manual v2
Page 61
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Note: If your region uses Daylight Savings Time, you must manually check Adjust for Daylight Savings Time on the first day of Daylight Savings Time, and uncheck it at the end. Enabling Daylight Savings Time will cause one hour to be added to the standard time.
4. The firewall uses Netgear NTP servers by default. If you would prefer to use a particular NTP
server as the primary server, enter its IP address under Use this NTP Server.
5. Click Apply to save your settings.

How to Schedule Firewall Services

If you enabled services blocking in the Block Services menu or Port forwarding in the Ports menu, you can set up a schedule for when blocking occurs or when access isn't restricted.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
2. Click Schedule on the Security menu to display the Schedule Services menu.
3. T o block Internet services based on a schedule, select Every Day or select one or more days. If
you want to limit access completely for the selected days, select All Day. Otherwise, to limit access during certain times for the selected days, enter Start Blocking and End Blocking times.
admin, default password of password, or using whatever Password and LAN
Note: Enter the values as 24-hour time. For example, 10:30 am would be 10 hours and 30
minutes and 10:30 pm would be 22 hours and 30 minutes.
4. Click Apply to save your changes.
Protecting Your Network 5-15
M-10207-01, Reference Manual v2
Page 62
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
5-16 Protecting Your Network
M-10207-01, Reference Manual v2
Page 63
Chapter 6
Managing Your Network
This chapter describes how to perform network management tasks with your FR328S ProSafe Firewall with Dial Back-Up.

Network Management Information

The FR328S provides a variety of status and usage information which is discussed below.

Viewing Router Status and Usage Statistics

From the Main Menu, under Maintenance, select Router Status to view the screen in Figure 6-1 .
Figure 6-1: Router Status screen
The Router Status menu provides a limited amount of status and usage information. From the Main Menu of the browser interface, under Maintenance, select Router Status to view the status screen, shown in Figure 6-1.
Managing Your Network 6-1
M-10207-01, Reference Manual v2
Page 64
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
This screen shows the following parameters:
Table 6-1. Menu 3.2 - Router Status Fields
Field Description
System Name This field displays the Host Name assigned to the firewall in the Basic
Settings menu. Firmware Version This field displays the firewall firmware version. LAN Port These parameters apply to the Local (WAN) port of the firewall.
MAC Address This field displays the Ethernet MAC address being used by the Local
(LAN) port of the firewall.
IP Address This field displays the IP address being used by the Local (LAN) port of
the firewall. The default is 192.168.0.1
IP Subnet Mask This field displays the IP Subnet Mask being used by the Local (LAN)
port of the firewall. The default is 255.255.255.0
DHCP If set to OFF , the firewall will not assign IP addresses to local PCs on the
LAN.
If set to ON, the firewall is configured to assign IP addresses to local
PCs on the LAN. WAN Port These parameters apply to the Internet (WAN) port of the firewall.
MAC Address This field displays the Ethernet MAC address being used by the Internet
(WAN) port of the firewall.
IP Address This field displays the IP address being used by the Internet (WAN) port
of the firewall. If no address is shown, the firewall cannot connect to the
Internet.
DHCP If set to None, the firewall is configured to use a fixed IP address on the
WAN.
If set to Client, the firewall is configured to obtain an IP address
dynamically from the ISP
IP Subnet Mask This field displays the IP Subnet Mask being used by the Internet (WAN)
port of the firewall.
Domain Name Servers
(DNS)
This field displays the DNS Server IP addresses being used by the
firewall. These addresses are usually obtained dynamically from the ISP.
6-2 Managing Your Network
M-10207-01, Reference Manual v2
Page 65
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Click the “Show Statistics” button to display firewall usage statistics, as shown in Figure 6-2 below:
Figure 6-2. Router Statistics screen
This screen shows the following statistics:
Table 6-2. Router Statistics Fields
Field Description
WAN, LAN, or Serial Port
Status The link status of the port. TxPkts The number of packets transmitted on this port since reset or manual clear. RxPkts The number of packets received on this port since reset or manual clear. Collisions The number of collisions on this port since reset or manual clear. Tx B/s The current line utilization—bytes per second of current bandwidth used on this port. Rx B/s The bytes per second of average line utilization for this port.
Up Time The time elapsed since this port acquired link. System up Time The time elapsed since the last power cycle or reset. Poll Interval Specifies the intervals at which the statistics are updated in this window. Click on Stop
The statistics for the WAN (Internet), LAN (local), and Serial ports. For each port, the screen displays:
to freeze the display.
Managing Your Network 6-3
M-10207-01, Reference Manual v2
Page 66
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Viewing Attached Devices

The Attached Devices menu contains a tab l e of all IP devices that the firewall has discovered on the local network. From the Main Menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table, shown in Figure 6-3.
Figure 6-3: Attached Devices menu
For each device, the table shows the IP address, NetBIOS Host Name, if available, and the Ethernet MAC address. Note that if the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button.
6-4 Managing Your Network
M-10207-01, Reference Manual v2
Page 67
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Viewing, Selecting, and Saving Logged Information

The firewall will log security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page shows you when someone on your network tried to access a blocked site. If you enabled e-mail notification, you'll receive these logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs here. An example is shown below.
Figure 6-4: Security Logs menu
Managing Your Network 6-5
M-10207-01, Reference Manual v2
Page 68
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Log entries are described in Table 6-5
Table 6-5: Security Log entry descriptions
Field Description
Date and Time The date and time the log entry was recorded. Description or
The type of event and what action was taken if any.
Action Source IP The IP address of the initiating device for this log entry. Source port and
interface
The service port number of the initiating device, and whether it
originated from the LAN or WAN Destination The name or IP address of the destination de vice or website. Destination port
and interface
The service port number of the destination device, and whether
it’s on the LAN or WAN.
Log action buttons are described in Table 6-6
Table 6-6: Security Log action buttons
Field Description
Refresh Click this button to refresh the log screen. Clear Log Click this button to clear the log entries. Send Log Click this button to email the log immediately. Apply Click this button to apply the current settings. Cancel Click this button to clear the current settings.
Selecting What Information to Log
Besides the standard information listed above, you can choose to log additional information. Those optional selections are as follows:
All incoming and outgoing traffic
Attempted access to blocked site
Connections to the Web-based interface of this Router
6-6 Managing Your Network
M-10207-01, Reference Manual v2
Page 69
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Router operation (start up, get time, etc.)
Known DoS attacks and Port Scans
Saving Log Files on a Server
You can choose to write the logs to a PC running a syslog program. To activate this feature, check the Enable Syslog box and enter the IP address of the server where the log file will be written. Be sure to click Apply to save your changes.

Examples of log messages

Following are examples of log messages. In all cases, the log entry shows the timestamp as: Day, Year-Month-Date Hour:Minute:Second
Activation and Administration
Tue, 2002-05-21 18:48:39 - NETGEAR activated
[This entry indicates a power-up or reboot with initial time entry.]
Tue, 2002-05-21 18:55:00 - Administrator login successful - IP:192.168.0.2 Thu, 2002-05-21 18:56:58 - Administrator logout - IP:192.168.0.2
[This entry shows an administrator logging in and out from IP address 192.168.0.2.]
Tue, 2002-05-21 19:00:06 - Login screen timed out - IP:192.168.0.2
[This entry shows a time-out of the administrator login.]
Wed, 2002-05-22 22:00:19 - Log emailed
[This entry shows when the log was emailed.]
Dropped Packets
Wed, 2002-05-22 07:15:15 - TCP packet dropped - Source:64.12.47.28,4787,WAN ­Destination:134.177.0.11,21,LAN - [Inbound Default rule match]
Sun, 2002-05-22 12:50:33 - UDP packet dropped - Source:64.12.47.28,10714,WAN ­Destination:134.177.0.11,6970,LAN - [Inbound Default rule match]
Sun, 2002-05-22 21:02:53 - ICMP packet dropped - Source:64.12.47.28,0,WAN ­Destination:134.177.0.11,0,LAN - [Inbound Default rule match]
[These entries show an inbound FTP (port 21) packet, UDP packet (port 6970), and ICMP packet (port 0) being dropped as a result of the default inbound rule, which states that all inbound packets are denied.]
Managing Your Network 6-7
M-10207-01, Reference Manual v2
Page 70
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Enabling Security Event E-mail Notification

In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-Mail subheading:
Figure 6-7: E-mail notification menu
Turn e-mail notification on Check this box if you wish to receive e-mail logs and alerts from the firewall.
Your outgoing mail server Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as mail.myISP.com). You may be able to find this information in the configuration menu of your e-mail program. If you leave this box blank, log and alert messages will not be sent via e-mail.
6-8 Managing Your Network
M-10207-01, Reference Manual v2
Page 71
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Send to this e-mail address Enter the e-mail address to which logs and alerts are sent. This e-mail address will also be used as the From address. If you leave this box blank, log and alert messages will not be sent via e-mail.
You can specify that logs are automatically sent to the specified e-mail address with these options:
Send alert immediately Check this box if you would like immediate notification of a significant security event, such as a known attack, port scan, or attempted access to a blocked site.
Send logs according to this schedule Specifies how often to send the logs: Hourly, Daily, Weekly, or When Full.
Day for sending log
Specifies which day of the week to send the log. Relevant when the log is sent weekly or daily.
Time for sending log
Specifies the time of day to send the log. Relevant when the log is sent daily or weekly.
If the Weekly, Daily or Hourly option is selected and the log fills up before the specified period, the log is automatically e-mailed to the specified e-mail address. After the log is sent, the log is cleared from the firewall’s memory. If the firewall cannot e-mail the log file, the log buffer may fill up. In this case, the firewall overwrites the log and discards its contents.

Backing Up, Restoring, or Erasing Your Settings

The configuration settings of the FR328S Firewall are stored in a configuration file in the firewall. This file can be backed up to your computer, restored, or reverted to factory default settings. The procedures below explain how to do these tasks.

How to Back Up the Configuration to a File

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
Managing Your Network 6-9
admin, default password of password, or using whatever password and LAN
M-10207-01, Reference Manual v2
Page 72
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
From the Maintenance heading of the Main Menu, select the Settings Backup menu as seen in
2.
Figure 6-8.
Figure 6-8: Settings Backup menu
3.
Click Backup to save a copy of the current settings.
4. Store th e .cfg file on a computer on your network.

How to Restore a Configuration from a File

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
admin, default password of password, or using whatever password and LAN
address you have chosen for the firewall.
2. From the Maintenance heading of the Main Menu, select the Settings Backup menu as seen in
Figure 6-8.
3. Enter the full path to the file on your network or click Browse to browse to the file.
4. When you have located the .cfg file, click Restore to upload the file to the firewall.
5. The firewall will then reboot automatically.

How to Erase the Configuration

It is sometimes desirable to restore the firewall to the factory default settings. This can be done by using the Erase function.
1. To erase the configuration, from the Maintenance menu Settings Backup link, click Erase.
6-10 Managing Your Network
M-10207-01, Reference Manual v2
Page 73
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
The firewall will then reboot automatically.
2.
After an erase, the firewall password will be password, the LAN IP address will be
192.168.0.1, and the router's DHCP client will be enabled. Note: To restore the factory default configuration settings without knowing the login
password or IP address, you must use the Default Reset button on the rear panel of the firewall. See “Using the Default Reset button“ on page 8-7.

Running Diagnostic Utilities and Rebooting the Router

The FR328S Firewall has a diagnostics feature. You can use the diagnostics menu to perform the following functions from the firewall:
Ping an IP Address to test connectivity to see if you can reach a remote host.
Perform a DNS Lookup to test if an Internet name resolves to an IP address to verify that the DNS server configuration is working.
Display the Routing Table to identify what other routers the router is communicating with.
Reboot the Router to enable new network configurations to take effect or to clear problems with the router’s network connection.
From the Main Menu of the browser interface, under the Maintenance heading, select the Router Diagnostics heading to display the menu shown in Figure 6-9.
Figure 6-9: Diagnostics menu
Managing Your Network 6-11
M-10207-01, Reference Manual v2
Page 74
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Enabling Remote Management

Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FR328S ProSafe Firewall with Dial Back-Up.
Note: Be sure to change the router's default password to a very secure password. The ideal password should contain no dictionary words from a ny language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters.

How to Configure Remote Management

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
2. Select the Allow Remote Management check box.
3. Specify what external addresses will be allowed to access the firewall’s remote management.
For stronger security, restrict access to as few external IP addresses as practical.
admin, default password of password, or using whatever Password and LAN
a. To allow access from any IP address on the Internet, select Everyone. b. To allow access from a range of IP addresses on the Internet, select IP address range.
Enter a beginning and ending IP address to define the allowed range.
c. To allow access from a single IP address on the Internet, select Only this PC.
Enter the IP address that will be allowed access.
4. Specify the Port Number that will be used for accessing the management interface.
Web browser access normally uses the standard HTTPS service port 80. For greater security, you can change the remote management web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP.
5. Click Apply to have your changes take effect.
6-12 Managing Your Network
M-10207-01, Reference Manual v2
Page 75
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
When accessing your router from the Internet, you will type your router's WAN IP address into your browser's Address (in IE) or Location (in Netscape) box, followed by a colon (:) and the custom port number. For example, if your external address is 134.177.0.123 and you use port number 8080, enter in your browser:
https://134.177.0.123:8080

Upgrading the Router’s Firmware

The software of the FR328S Firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR.
Upgrade files can be downloaded from NETGEAR's website. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.IMG) file before uploading it to the firewall.
Note: The Web browser used to upload new firmware into the firewall must support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer 5.0 or Netscape Navigator
4.7 and above.

How to Upgrade the Router

1. Download and unzip the new software file from the NETGEAR web site.
2. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
admin, default password of password, or using whatever password and LAN
address you have chosen for the firewall.
3. From the Main Menu of the browser interface, under the Maintenance heading, select the
Router Upgrade heading to display the menu shown in Figure 6-10.
Figure 6-10: Router Upgrade menu
4.
In the Router Upgrade menu, click Browse to locate the binary (.IMG) upgrade file.
Managing Your Network 6-13
M-10207-01, Reference Manual v2
Page 76
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Click Upload.
5.
Note: When uploading software to the firewall, it is important not to interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, it may corrupt the software. When the upload is complete, your firewall will automatically restart. The upgrade process will typically take about one minute. In some cases, you may need to clear the configuration and reconfigure the firewall after upgrading.
6-14 Managing Your Network
M-10207-01, Reference Manual v2
Page 77
Chapter 7
Advanced Configuration
This chapter describes how to configure the advanced features of your FR328S ProSafe Firewall with Dial Back-Up.

Configuring Advanced Security

The FR328S ProSafe Firewall with Dial Back-Up provides a variety of advanced features, such as:
Setting up a Demilitarized Zone (DMZ) Server
The flexibility of configuring your LAN TCP/IP settings
Connecting a Remote Access Server through the serial port
These features are discussed below.

Setting Up A Default DMZ Server

The Default DMZ Server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The firewall is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local PC can run the application properly if that PC’s IP address is entered as the Default DMZ Server.
Note: For security, you should avoid using the Default DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses much of the protection of the firewall, and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Ports menu. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server.
Advanced Configuration 7-1
M-10207-01, Reference Manual v2
Page 78
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
To assign a computer or server to be a Default DMZ server:
1. Click Default DMZ Server.
2. Type the IP address for that server.
3. Click Apply.

Respond to Ping on Internet WAN Port

If you want the firewall to respond to a 'ping' from the Internet, click the ‘Respond to Ping on Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your firewall to be discovered. Don't check this box unless you have a specific reason to do so.

Configuring LAN IP Settings

The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These features can be found under the Advanced heading in the Main Menu of the browser interface.

LAN TCP/IP Setup

The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The firewall’s default LAN IP configuration is:
LAN IP addresses—192.168.0.1
Subnet mask—255.255.255.0
These addresses are part of the IETF-designated private address range for use in private networks, and should be suitable in most applications. If your network has a requirement to use a different IP addressing scheme, you can make those changes in this menu.
The LAN TCP/IP Setup parameters are:
IP Address This is the LAN IP address of the firewall.
IP Subnet Mask This is the LAN Subnet Mask of the firewall. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
7-2 Advanced Configuration
M-10207-01, Reference Manual v2
Page 79
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
RIP Direction RIP (Router Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction selection controls how the firewall sends and receives RIP packets. Both is the default.
— When set to Both or Out Only, the firewall will broadcast its routing table periodically. — When set to Both or In Only, it will incorporate the RIP information that it receives. — When set to None, it will not send any RIP packets and will ignore any RIP packets
received.
RIP Version This controls the format and the broadcasting method of the RIP packets that the router sends. It recognizes both formats when receiving. By default, this is set for RIP-1.
— RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you
have an unusual network setup.
— RIP-2 carries more information. Both RIP-2B and RIP-2M send the routing data in RIP-2
format.
RIP-2B uses subnet broadcasting.
RIP-2M uses multicasting.
Note: If you change the LAN IP address of the firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again.

MTU Size

The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes. F or some ISPs, particularly some using PPPoE, you may need to reduce the MTU. This is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
Any packets sent through the firewall that are larger than the configured MTU size will be repackaged into smaller packets to meet the MTU requirement. To change the MTU size:
1. Under MTU Size, select Custom.
2. Enter a new size between 64 and 1500.
3. Click Apply to save the new configuration.
Advanced Configuration 7-3
M-10207-01, Reference Manual v2
Page 80
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

DHCP

By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the router's LAN. The assigned default gateway address is the LAN address of the firewall. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.
For most applications, the default DHCP and TCP/IP settings of the firewall are satisfactory. See
“IP Configuration by DHCP” on page B-10” for an explanation of DHCP and information about
how to assign IP addresses for your network.
Use router as DHCP server
If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the ‘Use router as DHCP server’ check box. Otherwise, leave it checked.
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the firewall’s LAN IP address. Using the default addressing scheme, you should define a range between 192.168.0.2 and
192.168.0.253, although you may wish to save part of the range for device s with fixed addresses.
The firewall will deliver the following parameters to any LAN device that requests DHCP:
An IP Address from the range you have defined
Subnet Mask
Gateway IP Address is the firewall’s LAN IP address
Primary DNS Server, if you entered a Primary DNS address in the Basic Settings menu; otherwise, the firewall’s LAN IP address
Secondary DNS Server, if you entered a Secondary DNS address in the Basic Settings menu
WINS Server, s
hort for Windows Internet Naming Service Server, determines the IP address associated with a particular Windows computer. A WINS server records and reports a list of names and IP address of Windows PCs on its local network. If you connect to a remote network that contains a WINS server , enter the server’ s IP address here. This allows your PCs to browse the network using the Network Neighborhood feature of Windows.
7-4 Advanced Configuration
M-10207-01, Reference Manual v2
Page 81
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Reserved IP addresses
When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it access the firewall’s DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings.
To res erve an IP address:
1. Click Add.
2. In the IP Address box, type the IP address to assign to the PC or server.
Choose an IP address from the router’s LAN subnet, such as 192.168.0.X.
3. Type the MAC Address of the PC or server.
Tip: If the PC is already present on your network, you can copy its MAC address from the Attached Devices menu and paste it here.
4. Click Apply to enter the reserved address into the table.
Note: The reserved address will not be assigned until the next time the PC contacts the router's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.
To edit or delete a res erved address entry:
1. Click the button next to the reserved address you want to edit or delete.
2. Click Edit or Delete.

How to Configure LAN TCP/IP Setup

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
Advanced Configuration 7-5
admin, default password of password, or using whatever password and LAN
M-10207-01, Reference Manual v2
Page 82
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
From the Main Menu, under Advanced, click the LAN IP Setup link to view the men u, shown
2.
in Figure 7-1
Figure 7-1: LAN IP Setup Menu
3.
Enter the TCP/IP, MTU, or DHCP parameters.
4. Click Apply to save your changes.

Configuring Dynamic DNS

If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently. In this case, you can use a commercial dynamic DNS service, who will allow you to register your domain to their IP address, and will forward traffic directed at your domain to your frequently-changing IP address.
The firewall contains a client that can connect to a dynamic DNS service provider. To use this feature, you must select a service provider and obtain an account with them. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.
7-6 Advanced Configuration
M-10207-01, Reference Manual v2
Page 83
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

How to Configure Dynamic DNS

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click Dynamic DNS.
3. Access the website of one of the dynamic DNS service providers whose names appear in the
‘Select Service Provider’ box, and register for an account. For example, for dyndns.org, go to www.dyndns.org.
4. Select the “Use a dynamic DNS service” check box.
5. Select the name of your dynamic DNS Service Provider.
6. Type the Hos t Name that your dynamic DNS service provider gave you.
The dynamic DNS service provider may call this the domain name. If your URL is myName.dyndns.org, then your Host Name is “myName.”
7. Type the User Na me for your dynamic DNS account.
8. Type the Password (or key) for your dynamic DNS account.
admin, default password of password, or using whatever password and LAN
9. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may
select the Use wildcards check box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org
10. Click Apply to save your configuration.
11. You can now check the status of the Dynamic DNS connection by clicking Show Status.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.
Advanced Configuration 7-7
M-10207-01, Reference Manual v2
Page 84
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Using Static Routes

Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple routers or multiple IP subnets located on your network.

Static Route Example

As an example of when a static route is needed, consider the following case:
Your primary Internet access is through a cable modem to an ISP.
You have an ISDN router on your home network for connecting to the company where
you are employed. This router’s address on your LAN is 192.168.0.100.
Your company’s network is 134.177.0.0.
When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your firewall will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company’s firewall.
In this case you must define a static route, telling your firewall that 134.177.0.0 should be accessed through the ISDN router at 192.168.0.100. The static route would look like Figure 7-2.
In this example:
The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses.
The Gateway IP Address fields specifies that all traffic for these addresses should be forwarded to the ISDN router at 192.168.0.100.
A Metric value of 1 will work since the ISDN router is on the LAN. This represents the number of routers between your network and the des tination. This is a direct connection so it is set to 1.
Private is selected only as a precautionary security measure in case RIP is activated.
7-8 Advanced Configuration
M-10207-01, Reference Manual v2
Page 85
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

How to Configure Static Routes

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click on Static Routes to view
the Static Routes menu.
3. To add or edit a Static Route: a. Click Edit to open the Static Routes edit menu.
admin, default password of password, or using whatever Password and LAN
Figure 7-2: Static Route Entry and Edit Menu
b.
Type a route name for this static route in the Route Name box under the table. This is for identification purpose only.
c. Select Active to make this route effective. d. Select Private if you want to limit access to the LAN only.
The static route will not be reported in RIP.
e. Type the Destination IP Address of the final destination. f. Type the IP Subnet Mask for this destination.
If the destination is a single host, type 255.255.255.255.
g. Type the Gateway IP Address, which must be a router on the same LAN segment as the
firewall.
Advanced Configuration 7-9
M-10207-01, Reference Manual v2
Page 86
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Type a number between 1 and 15 as the Metric value.
h.
This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
4. Click Apply to have the static route entered into the table.
7-10 Advanced Configuration
M-10207-01, Reference Manual v2
Page 87
Chapter 8
Troubleshooting
This chapter gives information about troubleshooting your FR328S ProSafe Firewall with Dial Back-Up. For the common problems listed, go to the section indicated.
Is the firewall on?
Have I connected the firewall correctly?
Go to “Basic Functions“ on page 8-1.
I can’t access the firewall’s configuration with my browser.
Go to “Troubleshooting the Web Configuration Interface“ on page 8-3.
I’ve configured the firewall but I can’t access the Internet.
Go to “Troubleshooting the ISP Connection“ on page 8-4.
I can’t remember the firewall’s configuration password.
I want to clear the configuration and start over again.
Go to “Restoring the Default Configuration and Password“ on page 8-7.

Basic Functions

After you turn on power to the firewall, the following sequence of events should occur:
1. When power is first applied, verify that the Power LED is on.
2. Verify that the Test LED lights within a few seconds, indicating that the self-test procedure is
running.
3. After approximately 10 seconds, verify that: a. The Test LED is not lit. b. The Local port Link LEDs are lit for any local ports that are connected. c. The Internet Link port LED is lit.
Troubleshooting 8-1
M-10207-01, Reference Manual v2
Page 88
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
If a port’s Link LED is lit, a link has been established to the connected device. If a port is connected to a 100 Mbps device, verify that the port’s 100 LED is lit.
If any of these conditions does not occur, refer to the appropriate following section.

Power LED Not On

If the Power and other LEDs are off when your firewall is turned on:
Make sure that the power cord is properly connected to your firewall and that the power supply adapter is properly connected to a functioning power outlet.
Check that you are using the 12VDC power adapter supplied by NETGEAR for this product.
If the error persists, you have a hardware problem and should contact technical support.

Test LED Never Turns On or Test LED Stays On

When the firewall is turned on, the Test LED turns on for about 10 seconds and then turns off. If the Test LED does not turn on, or if it stays on, there is a fault within the firewall.
If you experience problems with the Test LED:
Cycle the power to see if the firewall recovers and the LED blinks for the correct amount of time.
If all LEDs including the Test LED are still on one minute after power up:
Cycle the power to see if the firewall recovers.
Clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to
192.168.0.1. This procedure is explained in “Using the Default Reset button“ on page 8-7.
If the error persists, you might have a hardware problem and should contact technical support.

Local or Internet Port Link LEDs Not On

If either the Local or Internet Port Link LEDs do not light when the Ethernet connection is made, check the following:
Make sure that the Ethernet cable connections are secure at the firewall and at the hub or PC.
Make sure that power is turned on to the connected hub or PC.
8-2 Troubleshooting
M-10207-01, Reference Manual v2
Page 89
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Be sure you are using the correct cable: — When connecting the firewall’s Internet port to a cable or DSL modem, use the cable that
was supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable.

Troubleshooting the Web Configuration Interface

If you are unable to access the firewall’s Web Configuration interface from a PC on your local network, check the following:
Check the Ethernet connection between the PC and the firewall as described in the previous section.
Make sure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.0.2 to
192.168.0.254. Refer to “Verifying TCP/IP Properties“ on page C-5 or “Configuring the
Macintosh for TCP/IP Networking“ on page C-6 to find your PC’s IP address. Follow the
instructions in Appendix C to configure your PC. Note: If your PC’s IP address is shown as 169.254.x.x:
Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of
169.254.x.x. If your IP address is in this range, check the connection from the PC to the firewall and reboot your PC.
If your firewall’s IP address has been changed and you don’t know the current IP address, clear the firewall’s configuration to factory defaults. This will set the firewall’ s IP address to
192.168.0.1. This procedure is explained in “Using the Default Reset button“ on page 8-7.
Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure the Java applet is loaded.
Try quitting the browser and launching it again.
Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information.
If the firewall does not save changes you have made in the W eb Configuration Interface, check the following:
When entering configuration settings, be sure to click the APPLY button before moving to another menu or tab, or your changes are lost.
Troubleshooting 8-3
M-10207-01, Reference Manual v2
Page 90
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.

Troubleshooting the ISP Connection

If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configura t ion Manager.
To check the WAN IP address:
1. Launch your browser and select an external site such as www.netgear.com
2. Access the Main Menu of the firewall’s configuration at http://192.168.0.1
3. Under the Maintenance heading, select Router Status
4. Check that an IP address is shown for the WAN Port
If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.
If your firewall is unable to obtain an IP address from the ISP, you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure:
1. Turn off power to the cable or DSL modem.
2. Turn off power to your firewall.
3. Wait five minutes and reapply power to the cable or DSL modem.
4. When the modem’s LEDs indicate that it has reacquired sync with the ISP, reapply power to
your firewall.
If your firewall is still unable to obtain an IP address from the ISP, the problem may be one of the following:
Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.
If your ISP requires a login, you may have incorrectly set the login name and password.
Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name in the Basic Settings menu.
8-4 Troubleshooting
M-10207-01, Reference Manual v2
Page 91
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Your ISP only allows one Ethernet MAC address to connect to Internet, and may check for your PC’s MAC address. In this case:
Inform your ISP that you have bought a new network device, and ask them to use the firewall’s MAC address.
OR Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic
Settings menu. Refer to “Manually Configuring Your Internet Connection“ on page 3-16.
If your firewall can obtain an IP address, but your PC is unable to load any web pages from the Internet:
Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as
www.netgear.com) to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS servers for your use. If you entered a DNS address during the firewall’s configuration, reboot your PC and verify the DNS address as described in “Verifying TCP/IP
Properties“ on page C-6. Alternatively, you may configure your PC manually with DNS
addresses, as explained in your operating system documentation.
Your PC may not have the firewall configured as its TCP/IP gateway. If your PC obtains its information from the firewall by DHCP, reboot the PC and verify the
gateway address as described in “Verifying TCP/IP Properties“ on page C-6.

Troubleshooting a TCP/IP Network Using a Ping Utility

Most TCP/IP terminal devices and routers contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP network is made easier by using the ping utility in your PC or workstation.

Testing the LAN Path to Your Firewall

You can ping the firewall from your PC to verify that the LAN path to your firewall is set up correctly.
To ping the firewall from a PC running Windows 95 or later:
1. From the Windows toolbar, click on the Start button and select Run.
Troubleshooting 8-5
M-10207-01, Reference Manual v2
Page 92
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
In the field provided, type Ping followed by the IP address of the firewall, as in this example:
2.
ping 192.168.0.1
3. Click on OK.
You should see a message like this one:
Pinging <IP address> with 32 bytes of data
If the path is working, you see this message:
Reply from < IP address >: bytes=32 time=NN ms TTL=xxx
If the path is not working, you see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
Wrong physical connections
— Make sure the LAN port LED is on. If the LED is off, follow the instructions in
“Local or Internet Port Link LEDs Not On” on page 8-2.
— Check that the corresponding Link LEDs are on for your network interface card and
for the hub ports (if any) that are connected to your workstation and firewall.
Wrong network configuration
— Verify that the Ethernet card driver software and TCP/IP software are both installed
and configured on your PC or workstation.
— Verify that the IP address for your firewall and your workstation are correct and that
the addresses are on the same subnet.

Testing the Path from Your PC to a Remote Device

After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows run menu, type:
PING -n 10 <IP address>
where <IP address> is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not
receive replies:
8-6 Troubleshooting
M-10207-01, Reference Manual v2
Page 93
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
— Check that your PC has the IP address of your firewall listed as the default gateway. If the
IP configuration of your PC is assigned by DHCP, this information will not be visible in your PC’s Network Control Panel. Verify that the IP address of the firewall is listed as the default gateway as described in “Verifying TCP/IP Properties“ on page C-5.
— Check to see that the network address of your PC (the portion of the IP address specified
by the netmask) is different from the network address of the remote device. — Check that your cable or DSL modem is connected and functioning. — If your ISP assigned a host name to your PC, enter that host name as the Account Name in
the Basic Settings menu. — Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many
broadband ISPs restrict access by only allowing traffic from the MAC address of your
broadband modem, but some ISPs additionally restrict access to the MAC address of a
single PC connected to that modem. If this is the case, you must configure your firewall to
“clone” or “spoof” the MAC address from the authorized PC. Refer to “Manually
Configuring Your Internet Connection“ on page 3-16.

Restoring the Default Configuration and Password

This section explains how to restore the factory default configuration settings, changing the firewall’s administration password to password and the IP address to 192.168.0.1. You can erase the current configuration and restore factory defaults in two ways:
Use the Erase function of the Web Configuration Manager (see “Backing Up, Restoring, or
Erasing Your Settings“ on page 6-9).
Use the Default Reset button on the rear panel of the firewall. Use this method for cases when the administration password or IP address is not known.

Using the Default Reset button

To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Default Reset button on the rear panel of the firewall.
To restore the factory default configuration settings, follow these steps:
Troubleshooting 8-7
M-10207-01, Reference Manual v2
Page 94
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Press and hold the Default Reset button until the Test LED turns on (about 10 seconds).
1.
LOCA L
MODEM
87654321
Reset
10/100M
INTERN ET
12VDCO.5A
Figure 8-1. Reset Button
2.
Release the Default Reset button and wait for the firewall to reboot.

Problems with Date and Time

The E-Mail menu in the Content Filtering section displays the current date and time of day. The FR328S Firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include:
Date shown is January 1, 2000 Cause: The firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the firewall, wait at least five minutes and check the date and time again.
Time is off by one hour Cause: The firewall does not automatically sense Daylight Savings Time. In the E-Mail menu, check or uncheck the box marked “Adjust for Daylight Savings Time”.
8-8 Troubleshooting
M-10207-01, Reference Manual v2
Page 95
Appendix A
Technical Specifications
This appendix provides technical specifications for the FR328S ProSafe Firewall with Dial Back-Up.
Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP
PPP over Ethernet (PPPoE)
Power Adapter
North America: 120V, 60 Hz, input United Kingdom, Australia: 240V, 50 Hz, input Europe: 230V, 50 Hz, input Japan: 100V, 50/60 Hz, input All regions (output): 12 V DC @ 1.2A output, 20W maximum
Physical Specifications
Dimensions: H: 1.56 in (3.96 cm)
W: 10.0 in (25.4 cm) D: 9.0 in (17.8 cm)
Weight: 2.72 lb. (1.23 Kg)
Environmental Specifications
Operating temperature: 32°-140° F (0° to 40° C) Operating humidity: 90% maximum relative humidity, noncondensing
Electromagnetic Emissions
Technical Specifications A-1
M-10207-01, Reference Manual v2
Page 96
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Meets requirements of: FCC Part 15 Class B
VCCI Class B EN 55 022 (CISPR 22), Class B
Interface Specifications
Local: 10BASE-T or 100BASE-Tx, RJ-45 Internet: 10BASE-T or 100BASE-Tx, RJ-45
A-2 Technical Specifications
M-10207-01, Reference Manual v2
Page 97
Appendix B
Networks, Routing, and Firewall Basics
This chapter provides an overview of IP networks, routing, and networking.

Related Publications

As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering T ask Force (IETF), an open organization that defines the architecture and operation of the Internet. The RFC documents outline and define the standard protocols and procedures for the Internet. The documents are listed on the World Wide Web at www.ietf.org and are mirrored and indexed at many other sites worldwide.

Basic Router Concepts

Large amounts of bandwidth can be provided easily and relatively inexpensively in a local area network (LAN). However, providing high bandwidth between a local network and the Internet can be very expensive. Because of this expense, Internet access is usually provided by a slower-speed wide-area network (WAN) link such as a cable or DSL modem. In order to make the best use of the slower WAN link, a mechanism must be in place for selecting and transmitting only the data traffic meant for the Internet. The function of selecting and forwarding this data is performed by a router.

What is a Router?

A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network. Using this information, the router chooses the best path for forwarding network traffic.
Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support. The FR328S ProSafe Firewall with Dial Back-Up is a small office router that routes the IP protocol over a single-user broadband connection.
Networks, Routing, and Firewall Basics B-1
M-10207-01, Reference Manual v2
Page 98
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2

Routing Information Protocol

One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table.
The FR328S Firewall supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols. RIP is not required for most home applications.

IP Addresses and the Internet

Because TCP/IP networks are interconnected across the world, every machine on the Internet must have a unique address to make sure that transmitted data reaches the correct destination. Blocks of addresses are assigned to organizations by the Internet Assigned Numbers Authority (IANA). Individual users and small organizations may obtain their addresses either from the IANA or from an Internet service provider (ISP). You can contact IANA at www.iana.org.
The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot notation (also called dotted-decimal notation), in which each group of eight bits is written in decimal form, separated by decimal points.
For example, the following binary address:
11000011 00100010 00001100 00000111
is normally written as:
195.34.12.7
The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address
identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application.
B-2 Networks, Routing, and Firewall Basics
M-10207-01, Reference Manual v2
Page 99
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
C
N
C
C
There are five standard classes of IP addresses. These address classes have different ways of determining the network and host sections of the address, allowing for different numbers of hosts on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP software to identify the address class. After the address class has been determined, the software can correctly identify the host section of the address. The follow figure shows the three main address classes, including network and host sections of the address for each address type.
lass A
etwork Node
lass B
Network Node
lass C
Network Node
Figure 8-2: Three Main Address Classes
The five address classes are:
Class A Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit network number and a 24-bit node number. Class A addresses are in this range:
1.x.x.x to 126.x.x.x.
Class B Class B addresses can have up to 65,354 hosts on a network. A Class B address uses a 16-bit network number and a 16-bit node number. Class B addresses are in this range:
128.1.x.x to 191.254.x.x.
Class C Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range:
192.0.1.x to 223.255.254.x.
Networks, Routing, and Firewall Basics B-3
M-10207-01, Reference Manual v2
Page 100
FR328S ProSafe Firewall with Dial Back-Up Reference Manual v2
Class D Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range:
224.0.0.0 to 239.255.255.255.
Class E Class E addresses are for experimental use.
This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network.
For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host. Also, the top address of the range (host address of all ones) is not assigned, but is used as the broadcast address for simultaneously sending a packet to all hosts with the same network address.

Netmask

In each of the address classes previously described, the size of the two parts (network address and host address) is implied by the class. This partitioning scheme can also be expressed by a netmask associated with the IP address. A netmask is a 32-bit quantity that, when logically combined (using an AND operator) with an IP address, yields the network address. For instance, the netmasks for Class A, B, and C addresses are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.
For example, the address 192.168.170.237 is a Class C IP address whose network portion is the upper 24 bits. When combined (using an AND operator) with the Class C netmask, as shown here, only the network portion of the address remains:
11000000 10101000 10101010 11101101 (192.168.170.237)
combined with:
11111111 11111111 11111111 00000000 (255.255.255.0)
Equals:
11000000 10101000 10101010 00000000 (192.168.170.0)
As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a backward slash (/), as “/n.” In the example, the address could be written as 192.168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros.
B-4 Networks, Routing, and Firewall Basics
M-10207-01, Reference Manual v2
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use