Netgear FVG318 Reference Guide

Reference Manual for the
VPN Firewall FVG318
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
Version 1
August 2005
© 2005 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR is a trademark of Netgear, Inc.
Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to
part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a
residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and
used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to
radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try
to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
EN 55 022 Declaration of Conformance
This is to certify that the FVG318 ProSafe 802.11g Wireless VPN Firewall is shielded against the generation of radio
interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by
the application of EN 55 022 Class B (CISPR 22).
Certificate of the Manufacturer/Importer
It is hereby certified that the FVG318 ProSafe 802.11g Wireless VPN Firewall has been suppressed in accordance with
the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for
example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please
refer to the notes in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area
thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing
Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver, it may become the cause of radio interference.
Read instructions for correct handling.

Product and Publication Details

Model Number: FVG318
Publication Date: August 2005
Product Family: Router
Product Name: FVG318 ProSafe 802.11g Wireless VPN Firewall
Home or Business Product: Business
Language: English

Contents

Chapter 1
About This Manual
Audience, Scope, Conventions, and Formats ........................................ 1-1
How to Use This Manual ........................................................... 1-2
How to Print this Manual ......................................................... 1-3
Chapter 2
Introduction
Key Features of the Wireless VPN Firewall ........................................ 2-1
    802.11g and 802.11b Wireless Networking ..................................... 2-2
    Wireless Multimedia (WMM) Support ........................................... 2-2
    A Powerful, True Firewall with Content Filtering ............................ 2-2
    Security .................................................................... 2-3
    Autosensing Ethernet Connections with Auto Uplink ........................... 2-3
    Extensive Protocol Support .................................................. 2-4
    Easy Installation and Management ............................................ 2-4
    Maintenance and Support ..................................................... 2-5
Package Contents ................................................................. 2-6
    The FVG318 Front Panel ...................................................... 2-7
    The FVG318 Rear Panel ....................................................... 2-8
NETGEAR-Related Products ......................................................... 2-9
NETGEAR Product Registration, Support, and Documentation ......................... 2-9
Chapter 3
Connecting the Firewall to the Internet
Prepare to Install Your FVG318 ................................................... 3-1
First, Connect the FVG318 ........................................................ 3-1
Now, Configure the FVG318 for Internet Access and Wireless Connectivity .......... 3-3
Troubleshooting Tips ............................................................. 3-4
    Be sure to restart your network in the correct sequence. .................... 3-4
    Make sure the Ethernet cables are securely plugged in. ...................... 3-4
    Make sure the computer & router wireless settings match exactly. ............ 3-5
    Make sure the network settings of the computer are correct. ................. 3-5
    Check the router status lights to verify correct router operation. .......... 3-5
Overview of How to Access the FVG318 Wireless VPN Firewall ....................... 3-6
    How to Log On to the FVG318 After Configuration Settings Have Been Applied .. 3-7
    How to Bypass the Configuration Assistant ................................... 3-8
Using the Smart Setup Wizard ..................................................... 3-9
How to Manually Configure Your Internet Connection ............................... 3-10
Chapter 4
Wireless Configuration
Observing Performance, Placement, and Range Guidelines ........................... 4-1
Implementing Appropriate Wireless Security ....................................... 4-2
Understanding Wireless Settings .................................................. 4-3
    Default Factory Settings .................................................... 4-6
    Before You Change the SSID and WEP Settings ................................. 4-7
    How to Set Up and Test Basic Wireless Connectivity .......................... 4-8
    How to Restrict Wireless Access by MAC Address .............................. 4-9
    How to Configure WEP ........................................................ 4-10
    How to Configure WPA with Radius ............................................ 4-12
    How to Configure WPA2 with Radius ........................................... 4-14
    How to Configure WPA and WPA2 with Radius ................................... 4-16
    How to Configure WPA-PSK .................................................... 4-18
    How to Configure WPA2-PSK ................................................... 4-20
    How to Configure WPA-PSK and WPA2-PSK ....................................... 4-21
Chapter 5
Firewall Protection and Content Filtering
Firewall Protection and Content Filtering Overview ............................... 5-1
Block Sites ...................................................................... 5-2
Using Rules to Block or Allow Specific Kinds of Traffic .......................... 5-3
    Inbound Rules (Port Forwarding) ............................................. 5-5
        Inbound Rule Example: A Local Public Web Server ......................... 5-5
        Inbound Rule Example: Allowing a Videoconference from Restricted Addresses 5-6
        Considerations for Inbound Rules ........................................ 5-6
    Outbound Rules (Service Blocking) ........................................... 5-7
        Outbound Rule Example: Blocking Instant Messenger ....................... 5-7
    Order of Precedence for Rules ............................................... 5-8
    Default DMZ Server .......................................................... 5-8
    Respond to Ping on Internet WAN Port ........................................ 5-9
Services ......................................................................... 5-10
Using a Schedule to Block or Allow Specific Traffic .............................. 5-12
    Time Zone ................................................................... 5-13
Getting E-Mail Notifications of Event Logs and Alerts ............................ 5-14
Viewing Logs of Web Access or Attempted Web Access ............................... 5-16
    Syslog ...................................................................... 5-17
Chapter 6
Basic Virtual Private Networking
Overview of VPN Configuration .................................................... 6-2
    Client-to-Gateway VPN Tunnels ............................................... 6-2
    Gateway-to-Gateway VPN Tunnels .............................................. 6-2
Planning a VPN ................................................................... 6-3
VPN Tunnel Configuration ......................................................... 6-5
How to Set Up a Client-to-Gateway VPN Configuration .............................. 6-5
    Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVG318 .......... 6-6
    Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC ......... 6-9
    Monitoring the Progress and Status of the VPN Client Connection ............. 6-16
    Transferring a Security Policy to Another Client ............................ 6-18
        Exporting a Security Policy ............................................. 6-18
        Importing a Security Policy ............................................. 6-19
How to Set Up a Gateway-to-Gateway VPN Configuration ............................. 6-20
    Procedure to Configure a Gateway-to-Gateway VPN Tunnel ...................... 6-21
VPN Tunnel Control ............................................................... 6-26
    Activating a VPN Tunnel ..................................................... 6-26
        Start Using a VPN Tunnel to Activate It ................................. 6-26
        Using the VPN Status Page to Activate a VPN Tunnel ...................... 6-26
        Activate the VPN Tunnel by Pinging the Remote Endpoint .................. 6-27
    Verifying the Status of a VPN Tunnel ........................................ 6-29
    Deactivating a VPN Tunnel ................................................... 6-30
        Using the Policy Table on the VPN Policies Page to Deactivate a VPN Tunnel 6-30
        Using the VPN Status Page to Deactivate a VPN Tunnel .................... 6-31
    Deleting a VPN Tunnel ....................................................... 6-32
Chapter 7
Advanced Virtual Private Networking
Overview of FVG318 Policy-Based VPN Configuration ................................ 7-1
    Using Policies to Manage VPN Traffic ........................................ 7-2
    Using Automatic Key Management .............................................. 7-2
    IKE Policies' Automatic Key and Authentication Management ................... 7-3
    VPN Policy Configuration for Auto Key Negotiation ........................... 7-5
    VPN Policy Configuration for Manual Key Exchange ............................ 7-9
Using Digital Certificates for IKE Auto-Policy Authentication .................... 7-13
    Certificate Revocation List (CRL) ........................................... 7-14
Walk-Through of Configuration Scenarios on the FVG318 ............................ 7-14
    VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets ........ 7-15
    FVG318 Scenario 1: FVG318 to Gateway B IKE and VPN Policies ................. 7-16
    How to Check VPN Connections ................................................ 7-21
        Testing the Gateway A FVG318 LAN and the Gateway B LAN .................. 7-21
    FVG318 Scenario 2: FVG318 to FVG318 with RSA Certificates ................... 7-22
Chapter 8
Maintenance
Viewing Wireless VPN Firewall Status Information ................................. 8-1
Viewing a List of Attached Devices ............................................... 8-5
Upgrading the Firewall Software .................................................. 8-5
Configuration File Management .................................................... 8-7
    Backing Up the Configuration ................................................ 8-7
    Restoring the Configuration ................................................. 8-7
    Erasing the Configuration ................................................... 8-8
Changing the Administrator Password .............................................. 8-8
Chapter 9
Advanced Configuration
How to Configure Dynamic DNS ..................................................... 9-1
Using the LAN IP Setup Options ................................................... 9-2
    Configuring LAN TCP/IP Setup Parameters ..................................... 9-3
    Using the Firewall as a DHCP server ......................................... 9-4
    Using Address Reservation ................................................... 9-5
Configuring Static Routes ........................................................ 9-5
    Static Route Example ........................................................ 9-7
Enabling Remote Management Access ................................................ 9-7
Chapter 10
Troubleshooting
Basic Functioning ................................................................ 10-1
    Power LED Not On ............................................................ 10-1
    LEDs Never Turn Off ......................................................... 10-2
    LAN or Internet Port LEDs Not On ............................................ 10-2
Troubleshooting the Web Configuration Interface .................................. 10-3
Troubleshooting the ISP Connection ............................................... 10-4
Troubleshooting a TCP/IP Network Using a Ping Utility ............................ 10-5
    Testing the LAN Path to Your Firewall ....................................... 10-5
    Testing the Path from Your PC to a Remote Device ............................ 10-6
Restoring the Default Configuration and Password ................................. 10-7
Problems with Date and Time ...................................................... 10-7
Appendix A
Technical Specifications
Appendix B
VPN Configuration of NETGEAR FVS318v3
Case Study Overview .............................................................. B-1
    Gathering the Network Information ........................................... B-1
    Configuring the Gateways .................................................... B-2
    Activating the VPN Tunnel ................................................... B-5
The FVG318-to-FVG318 Case ........................................................ B-6
    Configuring the VPN Tunnel .................................................. B-6
    Viewing and Editing the VPN Parameters ...................................... B-9
    Initiating and Checking the VPN Connections ................................. B-11
The FVG318-to-FVS318v2 Case ...................................................... B-13
    Configuring the VPN Tunnel .................................................. B-13
    Viewing and Editing the VPN Parameters ...................................... B-16
    Initiating and Checking the VPN Connections ................................. B-18
The FVG318-to-FVL328 Case ........................................................ B-20
    Configuring the VPN Tunnel .................................................. B-20
    Viewing and Editing the VPN Parameters ...................................... B-23
    Initiating and Checking the VPN Connections ................................. B-25
The FVG318-to-VPN Client Case .................................................... B-27
    Client-to-Gateway VPN Tunnel Overview ....................................... B-27
    Configuring the VPN Tunnel .................................................. B-28
    Initiating and Checking the VPN Connections ................................. B-36
Chapter 1
About This Manual
This chapter describes the intended audience, scope, conventions, and formats of this manual.

Audience, Scope, Conventions, and Formats

This reference manual assumes that the reader has basic to intermediate computer and Internet
skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial
information is provided in the Appendices and on the NETGEAR Web site.
This guide uses the following typographical conventions:
Table 1-1. Typographical Conventions
italics    Emphasis, books, CDs, URL names
bold       User input
fixed      Screen text, file and server names, extensions, commands, IP addresses
This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
This manual is written for the FVG318 Wireless VPN Firewall according to these specifications:
Table 1-2. Manual Scope
Product Version            FVG318 ProSafe 802.11g Wireless VPN Firewall
Manual Publication Date    August 2005
Note: Product updates are available on the NETGEAR, Inc. Web site at
http://kbserver.netgear.com/products/FVG318.asp.
Reference Manual for the ProSafe 802.11g Wireless VPN Firewall FVG318

How to Use This Manual

The HTML version of this manual includes the following:
Buttons for browsing forwards or backwards through the manual one page at a time.
A button that displays the table of contents and an index button. Double-click on a link in the table of
contents or index to navigate directly to where the topic is described in the manual.
A button to access the full NETGEAR, Inc. online Knowledge Base for the product model.
Links to PDF versions of the full manual and individual chapters.

How to Print this Manual

To print this manual you can choose one of the following several options, according to your needs.
Printing a Page in the HTML View. Each page in the HTML version of the manual is dedicated to a major
topic. Use the Print button on the browser toolbar to print the page contents.
Printing a Chapter. Use the PDF of This Chapter link at the top left of any page.
Click the "PDF of This Chapter" link at the top right of any page in the chapter you want to print. The
PDF version of the chapter you were viewing opens in a browser window.
Note: Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF
files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com.
Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and
printer ink by selecting this feature.
Printing the Full Manual. Use the Complete PDF Manual link at the top left of any page.
Click the Complete PDF Manual link at the top left of any page in the manual. The PDF version of the
complete manual opens in a browser window.
Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and
printer ink by selecting this feature.
Chapter 2
Introduction
This chapter describes the features of the NETGEAR FVG318 ProSafe 802.11g Wireless VPN
Firewall.

Key Features of the Wireless VPN Firewall

The FVG318 ProSafe 802.11g Wireless VPN Firewall with eight-port switch connects your local
area network (LAN) to the Internet through an external access device such as a cable modem or
DSL modem and provides 802.11b/g wireless LAN connectivity.
The FVG318 is a complete security solution that protects your network from attacks and
intrusions. Unlike simple Internet sharing firewalls that rely on Network Address Translation
(NAT) for security, the FVG318 uses stateful packet inspection for Denial of Service attack (DoS)
protection and intrusion detection. The FVG318 allows Internet access for up to 253 users. The
FVG318 Wireless VPN Firewall provides you with multiple Web content filtering options, plus
browsing activity reporting and instant alerts — both via e-mail. Parents and network
administrators can establish restricted access policies based on time-of-day, Web site addresses
and address keywords, and share high-speed cable/DSL Internet access for up to 253 personal
computers. In addition to NAT, the built-in firewall protects you from hackers.
With minimum setup, you can install and use the firewall within minutes.
The FVG318 Wireless VPN Firewall provides the following features:
802.11g and 802.11b standards-based wireless networking.
Wireless Multimedia (WMM) support.
Easy, Web-based setup for installation and management.
Front panel LEDs for easy monitoring of status and activity.
Content filtering and site blocking security.
Built-in eight-port 10/100 Mbps switch.
Ethernet connection to a WAN device, such as a cable modem or DSL modem.
Extensive protocol support.
Flash memory for firmware upgrade.

802.11g and 802.11b Wireless Networking

The FVG318 Wireless VPN Firewall includes an 802.11g-compliant wireless access point. The
access point provides:
802.11b standards-based wireless networking at up to 11 Mbps.
802.11g standards-based wireless networking at up to 54 Mbps.
WPA and WPA2 enterprise-class security with RADIUS and certificate authentication, as well as
dynamic encryption key generation.
WPA-PSK and WPA2-PSK pre-shared key authentication, without the overhead of RADIUS servers but
with all of the strong security of WPA and WPA2. With a pre-shared key the passphrase is the only
secret: anyone who captures one client's association handshake can test candidate passphrases
offline, so choose a long, random passphrase.
64-bit and 128-bit WEP encryption security. Treat WEP as a compatibility option for clients that
cannot do WPA, not as a security control: weaknesses in its RC4 key scheduling and its short
initialization vectors allow an attacker to recover the key from captured traffic.
WEP keys can be generated manually or by passphrase.
Wireless access can be restricted by MAC Address. This is a convenience filter only; a MAC address
is sent in the clear in every frame and can be cloned by an attacker.
Wireless network name broadcast can be turned off so that only devices that have the network
name (SSID) can connect. The SSID still appears in probe and association frames, so this hides
the network from casual discovery but does not keep it secret.
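The pre-shared key item above, made concrete in an added example (Python; this is not code from the NETGEAR manual or firmware). It derives the WPA-PSK/WPA2-PSK key from a passphrase the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 256-bit output), expands it into the pairwise transient key and the handshake MIC, and then shows why the passphrase must be strong: an attacker who captured one client's 4-way handshake can test candidate passphrases offline without ever contacting the access point again. The SSID, MAC addresses, nonces, EAPOL frame and word list are constructed for the example; the known-answer vector (passphrase "password", SSID "IEEE") is the one published with the standard.

```python
"""Added example (not NETGEAR code): WPA-PSK derivation and the offline
dictionary attack it must withstand. PSK, PTK PRF and EAPOL MIC follow
IEEE 802.11i; SSID, MACs, nonces, frame and word list are constructed."""
import hashlib
import hmac
from typing import Iterable, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK (used directly as the PMK): PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """802.11i PRF: PTK = PRF-n(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The first 16 bytes are the KCK, which authenticates the 4-way handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    return out[:length]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (AES/CCMP) key MIC: HMAC-SHA1 over the EAPOL-Key frame with the
    MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


# Constructed handshake parameters; all of this is visible to anyone sniffing the channel.
SSID = "FVG318-office"
AP_MAC = bytes.fromhex("001b2f000001")
STA_MAC = bytes.fromhex("0016cb000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 (pairwise, MIC bit set) with the 16-byte MIC field zeroed.
EAPOL_MSG2 = (b"\x02\x03\x00\x5f" + b"\x02\x01\x0a\x00\x10" + bytes(8) + SNONCE
              + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))


def station_mic(passphrase: str) -> bytes:
    """The MIC a station puts in handshake message 2 for a given passphrase."""
    pmk = wpa_psk(passphrase, SSID)
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_MSG2)


def crack(captured_mic: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the MIC for every guess and compare."""
    for word in candidates:
        if hmac.compare_digest(station_mic(word), captured_mic):
            return word
    return None


WORDLIST = ["password", "letmein", "fvg318", "Tr0ub4dor&3"]   # constructed


def demo() -> Optional[str]:
    captured = station_mic("fvg318")   # the network's real passphrase, as seen over the air
    return crack(captured, WORDLIST)


if __name__ == "__main__":
    print("IEEE vector:", wpa_psk("password", "IEEE").hex())
    print("recovered passphrase:", demo())
```

The cost of each guess is one PBKDF2 run (4096 SHA-1 HMACs) plus a few more HMACs, which is cheap on commodity hardware; a passphrase that appears in a word list falls immediately, and only entropy in the passphrase itself slows the attack down.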

Wireless Multimedia (WMM) Support

WMM is a subset of the 802.11e standard. WMM allows wireless traffic to have a range of
priorities, depending on the kind of data. Time-dependent information such as video or audio will
have a higher priority than normal traffic. For WMM to function correctly, wireless clients must
also support WMM.

A Powerful, True Firewall with Content Filtering

Unlike simple Internet sharing NAT firewalls, the FVG318 is a true firewall, using stateful packet
inspection to defend against hacker attacks. Its firewall features include:
DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood,
LAND Attack, and IP Spoofing.
Blocks unwanted traffic from the Internet to your LAN.
Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Logs security incidents.
The FVG318 logs security events such as blocked incoming traffic, port scans, attacks, and
administrator logins. You can configure the firewall to email the log to you at specified
intervals. You can also configure the firewall to send immediate alert messages to your e-mail
address or email pager whenever a significant event occurs.
With its content filtering feature, the FVG318 prevents objectionable content from reaching
your PCs. The firewall allows you to control access to Internet content by screening for
keywords within Web addresses. You can configure the firewall to log and report attempts to
access objectionable Internet sites.

Security

The FVG318 Wireless VPN Firewall is equipped with several features designed to maintain
security, as described in this section.
PCs Hidden by NAT
NAT opens a temporary path to the Internet for requests originating from the local network.
Requests originating from outside the LAN are discarded, preventing users outside the LAN
from finding and directly accessing the PCs on the LAN.
Port Forwarding with NAT
Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the
firewall allows you to direct incoming traffic to specific PCs based on the service port number
of the incoming request, or to one designated DMZ host computer. You can specify
forwarding of single ports or ranges of ports. Bear in mind that a forwarded port or a DMZ host
is reachable from the whole Internet unless the inbound rule also restricts the permitted source
addresses.

Autosensing Ethernet Connections with Auto Uplink

With its internal eight-port 10/100 switch, the FVG318 can connect to either a 10 Mbps standard
Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are
autosensing and capable of full-duplex or half-duplex operation.
The firewall incorporates Auto Uplink™ technology. Each Ethernet port automatically senses
whether the Ethernet cable plugged into the port should have a normal connection such as to a PC
or an uplink connection such as to a switch or hub. That port then configures itself to the correct
configuration. This feature also eliminates the need to worry about crossover cables, as Auto
Uplink will accommodate either type of cable to make the right connection.
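The NAT session tracking, inbound (port forwarding) rules and default DMZ host described under Security above, as an added example in Python (this is not NETGEAR's firmware or any code from the manual): an outbound request creates a temporary mapping that admits only its reply, an unsolicited inbound packet is dropped, a forwarding rule can cover a single port or a port range and optionally restrict the permitted source address, and a default DMZ host receives everything that no rule claims. The addresses, rule names, idle timeout and packet layout are assumptions made for the example.

```python
"""Added example (not NETGEAR code): a minimal model of the NAT and
port-forwarding behaviour described in the Security section. Addresses,
rule names, timeout and packet layout are constructed for the example."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class ForwardRule:
    name: str
    proto: str
    first_port: int                     # single port: first_port == last_port
    last_port: int
    lan_host: str
    allowed_src: Optional[str] = None   # None means any Internet host may use the rule


class NatFirewall:
    def __init__(self, wan_ip: str, rules=(), dmz_host: Optional[str] = None, idle_timeout: float = 300):
        self.wan_ip = wan_ip
        self.rules = list(rules)
        self.dmz_host = dmz_host
        self.idle_timeout = idle_timeout
        self.next_port = 40000
        # Connection table: (proto, remote ip, remote port, wan port) -> (lan ip, lan port, last seen)
        self.sessions = {}
        self.log = []

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """LAN -> Internet: rewrite the source to the WAN address and remember the mapping."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(pkt.proto, pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport, now)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet, now: float) -> Optional[Tuple[str, int]]:
        """Internet -> WAN: return the (lan ip, port) the packet is delivered to, or None if dropped."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.sessions:
            lan_ip, lan_port, last_seen = self.sessions[key]
            if now - last_seen <= self.idle_timeout:        # reply to a LAN-initiated session
                self.sessions[key] = (lan_ip, lan_port, now)
                return (lan_ip, lan_port)
            del self.sessions[key]                           # the temporary path has closed
        for rule in self.rules:                              # explicit inbound rules, in order
            if (rule.proto == pkt.proto
                    and rule.first_port <= pkt.dport <= rule.last_port
                    and rule.allowed_src in (None, pkt.src)):
                return (rule.lan_host, pkt.dport)
        if self.dmz_host is not None:                        # DMZ host receives everything else
            return (self.dmz_host, pkt.dport)
        self.log.append(f"dropped unsolicited {pkt.proto} {pkt.src}:{pkt.sport} -> :{pkt.dport}")
        return None


def demo() -> dict:
    """Walk through the cases from the text with constructed addresses."""
    fw = NatFirewall("203.0.113.10", rules=[
        ForwardRule("web", "tcp", 80, 80, "192.168.0.50"),
        ForwardRule("videoconf", "udp", 5000, 5020, "192.168.0.60", allowed_src="198.51.100.7"),
    ])
    out = fw.outbound(Packet("192.168.0.20", 51000, "93.184.216.34", 443), now=0)
    reply = fw.inbound(Packet("93.184.216.34", 443, fw.wan_ip, out.sport), now=5)       # admitted
    stale = fw.inbound(Packet("93.184.216.34", 443, fw.wan_ip, out.sport), now=5000)    # timed out
    probe = fw.inbound(Packet("198.51.100.99", 40001, fw.wan_ip, 22), now=10)           # no rule
    web = fw.inbound(Packet("198.51.100.99", 40002, fw.wan_ip, 80), now=10)             # forwarded
    vc_ok = fw.inbound(Packet("198.51.100.7", 5004, fw.wan_ip, 5004, "udp"), now=10)    # allowed peer
    vc_bad = fw.inbound(Packet("198.51.100.99", 5004, fw.wan_ip, 5004, "udp"), now=10)  # other peer
    dmz_fw = NatFirewall("203.0.113.10", dmz_host="192.168.0.99")
    dmz = dmz_fw.inbound(Packet("198.51.100.99", 40001, "203.0.113.10", 22), now=10)    # same probe
    return {"reply": reply, "stale": stale, "probe": probe, "web": web,
            "vc_ok": vc_ok, "vc_bad": vc_bad, "dmz": dmz, "drops": len(fw.log)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The DMZ case is the one to notice: the same SSH probe that the plain configuration drops is delivered to the DMZ host, so that machine has to be hardened as if it sat directly on the Internet.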
Page 18
(RIP). For further information about TCP/IP, refer to
BETA
When DHCP is enabled and no DNS addresses are specified, the firewall provides its own
address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from
The FVG318 Wireless VPN Firewall allows several networked PCs to share an Internet
account using only a single IP address, which may be statically or dynamically assigned by
your Internet service provider (ISP). This technique, known as NAT, allows the use of an
inexpensive single-user ISP account.
The FVG318 Wireless VPN Firewall dynamically assigns network configuration information,
including IP, gateway, and Domain Name Server (DNS) addresses, to attached PCs on the
LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies
configuration of PCs on your local network.
the ISP during connection setup and forwards DNS requests from the LAN.
PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by
simulating a dial-up connection. This feature eliminates the need to run a login program such
as Entersys or WinPOET on your PC.
Browser-based configuration allows you to easily configure your firewall from almost any
type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup
Wizard is provided and online help documentation is built into the browser-based Web
Management Interface.
The FVG318 Wireless VPN Firewall automatically senses the type of Internet connection,
asking you only for the information required for your type of ISP account.
Reference Manual for the ProSafe 802.11g Wireless VPN Firewall FVG318

Extensive Protocol Support

The FVG318 Wireless VPN Firewall supports the Transmission Control Protocol/Internet Protocol
(TCP/IP) and Routing Information Protocol
Appendix B, “Network, Routing, and Firewall Basics.”
IP Address Sharing by NAT
Automatic Configuration of Attached PCs by DHCP
DNS Proxy
Point-to-Point Protocol over Ethernet (PPPoE)

Easy Installation and Management

You can install, configure, and operate the FVG318 ProSafe 802.11g Wireless VPN Firewall
within minutes after connecting it to the network. The following features simplify installation and
management tasks:
Browser-based management
Smart Wizard
2-4 Introduction
• Diagnostic functions. The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot.
• Remote management. The firewall allows you to log in to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.
• Visual monitoring. The FVG318 Wireless VPN Firewall’s front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the FVG318 Wireless VPN Firewall:
• Flash memory for firmware upgrade.
Note: The FVS318v3 firmware is not backward compatible with earlier versions of the FVS318 firewall.
• Free technical support seven days a week, 24 hours a day.
Package Contents

The product package should contain the following items:
• FVG318 ProSafe 802.11g Wireless VPN Firewall.
• AC power adapter.
• Category 5 (Cat 5) Ethernet cable.
• Installation Guide.
• Resource CD, including:
— This guide.
— Application Notes and other helpful information.
• Registration and Warranty Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair.
The FVG318 Front Panel

The front panel of the FVG318 Wireless VPN Firewall contains the status LEDs described below.
Figure 2-1: FVG318 front panel
You can use some of the LEDs to verify connections. Viewed from left to right, Table 2-1 describes the LEDs on the front panel of the firewall. These LEDs are green when lit.
Table 2-1. LED Descriptions
LED Label                  Activity   Description
PWR                        On         Power is supplied to the firewall.
TEST                       On         The system is initializing.
                           Off        The system is ready and running.
INTERNET 100 (100 Mbps)    On         The Internet (WAN) port is operating at 100 Mbps.
                           Off        The Internet (WAN) port is operating at 10 Mbps.
INTERNET LINK/ACT          On         The Internet port has detected a link with an attached device.
(Link/Activity)            Blinking   Data is being transmitted or received by the Internet port.
LOCAL 100 (100 Mbps)       On         The Local port is operating at 100 Mbps.
                           Off        The Local port is operating at 10 Mbps.
LOCAL LINK/ACT             On         The Local port has detected a link with an attached device.
(Link/Activity)            Blinking   Data is being transmitted or received by the Local port.
WLAN                       On/Blink   The wireless interface is on/data transmission in progress.
                           Off        The wireless interface is off.
The FVG318 Rear Panel

The rear panel of the FVG318 Wireless VPN Firewall contains the port connections listed below.
Figure 2-2: FVG318 rear panel
Viewed from left to right, the rear panel contains the following features:
• Detachable wireless antenna
• Factory default reset push button
• Eight Ethernet LAN ports
• Internet Ethernet WAN port for connecting the firewall to a cable or DSL modem
• DC power input
NETGEAR-Related Products

NETGEAR products related to the FVG318 are listed in the following table:
Table 2-2. NETGEAR-Related Products
Category                  Wireless                                   Wired
Notebooks                 WG511T 108 Mbps PC Card                    FA511 CardBus Adapter
                          WG511 54 Mbps PC Card                      FA120 USB 2.0 Adapter
                          WAG511 108 Mbps Dual Band PC Card
                          WG111 54 Mbps USB 2.0 Adapter
                          MA521 802.11b PC Card
                          MA111 802.11b USB Adapter
Desktops                  WG311T 108 Mbps PCI Adapter                FA311 PCI Adapter
                          WAG311 108 Mbps Dual Band PCI Adapter      FA120 USB 2.0 Adapter
                          WG311 54 Mbps PCI Adapter
                          WG111 54 Mbps USB 2.0 Adapter
                          MA111 802.11b USB Adapter
PDAs                      MA701 802.11b Compact Flash Card
Antennas and Accessories  ANT2405 5 dBi Antenna
                          ANT2409 Indoor/Outdoor 9 dBi Antenna
                          ANT24D18 Indoor/Outdoor 18 dBi Antenna
                          Antenna Cables – 1.5, 3, 5, 10, and 30 m lengths
                          VPN01L and VPN05L ProSafe VPN Client Software

NETGEAR Product Registration, Support, and Documentation

Register your product at http://www.NETGEAR.com/register. Registration is required before you can use our telephone support service.
Product updates and Web support are always available by going to: http://kbserver.netgear.com.
Documentation is available on the Resource CD and at http://kbserver.netgear.com.
When the wireless VPN firewall is connected to the Internet, click the Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the wireless VPN firewall.
Chapter 3
Connecting the Firewall to the Internet

This chapter describes how to set up the firewall on your LAN, connect to the Internet, perform basic configuration of your FVG318 ProSafe 802.11g Wireless VPN Firewall using the Setup Wizard, and how to manually configure your Internet connection.

Prepare to Install Your FVG318

• For Cable Modem Service: When you set up the wireless VPN firewall, be sure to use the computer you first registered with your cable modem service provider.
• For DSL Service: You may need information such as the DSL login name and password in order to complete the wireless VPN firewall setup.

First, Connect the FVG318

Follow these instructions to set up your firewall.
1. Connect the wireless VPN firewall to your computer and modem
a. Turn off and unplug your cable or DSL modem.
b. Turn off your computer.
c. At the computer end only, disconnect the Ethernet cable (point A in the illustration) that connects your computer to the cable or DSL modem.
d. Securely insert the Ethernet cable from your modem into the FVG318 Internet port (point B in the illustration).
e. Securely insert one end of the blue NETGEAR cable that came with your FVG318 into a Local port on the router such as port 4 (point C in the illustration), and the other end into the Ethernet port of your computer (point D in the illustration).
2. Restart your network in the correct sequence
Warning: Failure to restart your network in the correct sequence could prevent you from connecting to the Internet.
a. First, plug in and turn on the cable or DSL modem. Wait about 2 minutes.
b. Now, plug in the power cord to your FVG318 and wait about 30 seconds.
Note: For DSL customers, if ISP-provided software logs you in to the Internet, do not run that software. You may need to go to the Internet Explorer® Tools menu, Internet Options, Connections tab page where you can select the “Never dial a connection” radio button and click Apply.
c. Last, turn on your computer.
d. Check the status lights and verify the following:
• Power: The power light should be lit. If after 2 minutes the power light turns solid amber, see the Troubleshooting Tips in this guide.
• Test: The test light blinks when the FVG318 is first turned on. If after 2 minutes it is still on, see the Troubleshooting Tips in this guide.
• Internet: The Internet light on the FVG318 should be lit. If not, make sure the Ethernet cable is securely attached to the wireless VPN firewall Internet port and the powered on modem.
• Wireless: The WLAN light should be lit. If the Wireless light is not lit, see the Troubleshooting Tips in this guide.
• LOCAL: A LOCAL light should be lit.

Now, Configure the FVG318 for Internet Access and Wireless Connectivity

Use the Smart Wizard configuration assistant to configure the FVG318.
1. From the Ethernet connected computer you just set up, open a browser. With the FVG318 in its factory default state, your browser will display the NETGEAR Smart Wizard welcome page.
Note: If you do not see this page, type http://www.routerlogin.net in the browser address bar and click Enter. If you still cannot connect to the FVG318, verify your computer networking setup. Your computer should be set to obtain both IP and DNS server addresses automatically, which is usually so. For help with this, please see the Reference Manual or animated tutorials on the Resource CD.
Click OK to proceed.
2. Follow the Smart Wizard prompts to connect to the Internet and set up wireless connectivity.
3. Click Done on the Success screen and, if prompted, click OK to finish and close the screen.
4. Verify wireless connectivity. Connect to the Internet or log in to the FVG318 from a computer with a wireless adapter. For wireless connectivity problems, see the Troubleshooting Tips below or in the Reference Manual on the CD.
Note: The configuration wizard only appears when the FVG318 is in its factory default state. After you configure the FVG318, it will not appear again. You can always connect to the router configuration menu to change its settings. To do so, open a browser and go to http://www.routerlogin.net. Then, when prompted, enter admin as the user name and password for the password, both in lower case letters.

Troubleshooting Tips

Here are some tips for correcting simple problems you may have.

Be sure to restart your network in the correct sequence.

Always follow this sequence: 1) Unplug and turn off the modem, FVG318, and computer; 2) plug in and turn on the modem, wait two minutes; 3) plug in the FVG318 and wait 30 seconds; 4) turn on the computer.

Make sure the Ethernet cables are securely plugged in.

• For each powered on computer connected to the wireless VPN firewall with a securely plugged in Ethernet cable, the corresponding wireless VPN firewall LAN port status light will be lit. The label on the bottom of the wireless VPN firewall identifies the number of each LAN port.
• The Internet port status light on the wireless VPN firewall will be lit if the Ethernet cable from the FVG318 to the modem is plugged in securely and the modem and wireless VPN firewall are turned on.

Check the router status lights to verify correct router operation.

• If the Power light does not turn solid green within 2 minutes after turning the router on, reset the router according to the instructions in the Reference Manual on the CD.
• If the Wireless light does not come on, verify that the wireless feature is turned on according to the instructions in the Reference Manual on the CD.

Make sure the computer & router wireless settings match exactly.

The Wireless Network Name (SSID) and security settings (WEP/WPA, MAC access control list) of the FVG318 and wireless computer must match exactly.

Make sure the network settings of the computer are correct.

• LAN and wirelessly connected computers must be configured to obtain an IP address automatically via DHCP.
• Some cable modem ISPs require you to use the MAC address of the computer registered on the account. If so, in the Router MAC Address section of the Basic Settings menu, select “Use this Computer’s MAC Address.” The router will then capture and use the MAC address of the computer that you are now using. You must be using the computer that is registered with the ISP. Click Apply to save your settings. Restart the network in the correct sequence.
Overview of How to Access the FVG318 Wireless VPN Firewall

The table below describes how you access the wireless VPN firewall, depending on the state of the wireless VPN firewall.
Table 3-1. Ways to access the firewall
Firewall State: Factory Default
Note: The wireless VPN firewall is supplied in the factory default state. Also, the factory default state is restored when you use the factory reset button. See “Backing Up the Configuration” on page 8-7 for more information on this feature.
Access Option: Automatic Access via the Smart Wizard Configuration Assistant
Description: Any time a browser is opened on any computer connected to the wireless VPN firewall, the wireless VPN firewall will automatically connect to that browser and display the Configuration Assistant welcome page. There is no need to enter the wireless VPN firewall URL in the browser, or provide the login user name and password.
Access Option: Manually enter a URL to bypass the Smart Wizard Configuration Assistant
Description: You can bypass the Smart Wizard Configuration Assistant feature by typing http://www.routerlogin.net/basicsetting.htm in the browser address bar and pressing Enter. You will not be prompted for a user name or password. This will enable you to manually configure the wireless VPN firewall even when it is in the factory default state. When manually configuring the firewall, you must complete the configuration by clicking Apply when you finish entering your settings. If you do not do so, a browser on any PC connected to the firewall will automatically display the firewall's Configuration Assistant welcome page rather than the browser’s home page.
Table 3-1. Ways to access the firewall (continued)
Firewall State: Configuration Settings Have Been Applied
Access Option: Enter the standard URL to access the wireless VPN firewall
Description: Connect to the wireless VPN firewall by typing either of these URLs in the address field of your browser, then press Enter: http://www.routerlogin.net or http://www.routerlogin.com. The wireless VPN firewall will prompt you to enter the user name of admin and the password. The default password is password.
Access Option: Enter the IP address of the wireless VPN firewall
Description: Connect to the wireless VPN firewall by typing the IP address of the wireless VPN firewall in the address field of your browser, then press Enter. 192.168.0.1 is the default IP address of the wireless VPN firewall. The wireless VPN firewall will prompt you to enter the user name of admin and the password. The default password is password.

How to Log On to the FVG318 After Configuration Settings Have Been Applied

1. Connect to the wireless VPN firewall by typing http://www.routerlogin.net in the address field of your browser, then press Enter.
Figure 3-1: Login URL
A login window like the one shown below opens:
Figure 3-2: Login window
2. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters. To change the password, see “Changing the Administrator Password” on page 8-8.
Note: The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.
Once you have entered your user name and password, your Web browser should find the FVG318 Wireless VPN Firewall and display the home page as shown below.
Figure 3-3: Login result: FVG318 home page
When the wireless VPN firewall is connected to the Internet, click the Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the wireless VPN firewall.
If you do not click Logout, the wireless VPN firewall will wait five minutes after there is no activity before it automatically logs you out.

How to Bypass the Configuration Assistant

1. When the wireless VPN firewall is in the factory default state, type http://www.routerlogin.net/basicsetting.htm in your browser, then press Enter.
2. The browser then displays the FVG318 settings home page shown in Figure 3-3. When the wireless VPN firewall is in the factory default state, a user name and password are not required.
If you do not click Logout, the wireless VPN firewall waits five minutes after there is no activity before it automatically logs you out.

Using the Smart Setup Wizard

You can use the Smart Setup Wizard to assist with manual configuration or to verify the Internet connection. The Smart Setup Wizard is not the same as the Smart Wizard Configuration Assistant (as illustrated in Figure 3-5) that only appears when the firewall is in its factory default state. After you configure the wireless VPN firewall, the Smart Wizard Configuration Assistant will not appear again.
To use the Smart Setup Wizard to assist with manual configuration or to verify the Internet connection settings, follow this procedure.
1. Connect to the wireless VPN firewall by typing http://www.routerlogin.net in the address field of your browser, then press Enter.
2. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters. To change the password, see “Changing the Administrator Password” on page 8-8.
Note: The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.
Once you have entered your user name and password, your Web browser should find the FVG318 Wireless VPN Firewall and display the home page as shown in Figure 3-3.
3. Click Setup Wizard on the upper left of the main menu.
4. Click Next to proceed. Input your ISP settings, as needed.
5. At the end of the Setup Wizard, click the Test button to verify your Internet connection. If you have trouble connecting to the Internet, use the “Troubleshooting Tips” on page 3-4 to correct basic problems, or refer to Chapter 10, “Troubleshooting.”
How to Manually Configure Your Internet Connection

You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
Figure 3-4: Browser-based configuration Basic Settings menu
You can manually configure the firewall using the Basic Settings menu shown in Figure 3-4 using these steps:
1. Log in to the firewall at its default address of http://www.routerlogin.net using a browser like Internet Explorer or Netscape Navigator®.
2. Click the Basic Settings link under the Setup section of the main menu.
3. If your Internet connection does not require a login, click No at the top of the Basic Settings menu and fill in the settings according to the instructions below. If your Internet connection does require a login, click Yes, and skip to step 4.
a. Account: Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers.
b. Internet IP Address: If your ISP has assigned you a permanent, fixed (static) IP address for your PC, select “Use static IP address”. Enter the IP address that your ISP assigned. Also enter the netmask and the Gateway IP address. The Gateway is the ISP’s firewall to which your firewall will connect.
c. Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
Note: After completing the DNS configuration, restart the computers on your network so that these settings take effect.
d. Firewall’s MAC Address: This section determines the Ethernet MAC address that will be used by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your firewall to masquerade as that PC by “cloning” its MAC address.
To change the MAC address, select “Use this Computer’s MAC address.” The firewall will then capture and use the MAC address of the PC that you are now using. You must be using the one PC that is allowed by the ISP. Or, select “Use this MAC address” and enter it.
e. Click Apply to save your settings.
4. If your Internet connection does require a login, fill in the settings according to the instructions below. Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet.
Note: After you finish setting up your firewall, you will no longer need to launch the ISP’s login program on your PC in order to access the Internet. When you start an Internet application, your firewall will automatically log you in.
a. For connections that require a login using protocols such as PPPoE, PPTP, Telstra Bigpond Cable broadband connections, select your Internet service provider from the drop-down list.
b. The screen will change according to the ISP settings requirements of the ISP you select.
c. Fill in the parameters for your ISP according to the Wizard-detected procedures starting on page 3-9.
d. Click Apply to save your settings.
Figure 3-5: Basic Settings ISP list
Chapter 4
Wireless Configuration

This chapter describes how to configure the wireless features of your FVG318 Wireless VPN Firewall.

Observing Performance, Placement, and Range Guidelines

In planning your wireless network, you should consider the level of security required. You should also select the physical placement of your FVG318 in order to maximize the network speed. For further information on wireless networking, refer to Appendix E, “Wireless Networking Basics.”
Note: Failure to follow these guidelines can result in significant performance degradation or inability to wirelessly connect to the wireless VPN firewall. For complete range and performance specifications, please see Appendix A, “Technical Specifications.”
The operating distance or range of your wireless connection can vary significantly based on the physical placement of the FVG318 Wireless VPN Firewall. The latency, data throughput performance, and notebook power consumption also vary depending on your configuration choices. For best results, place your wireless VPN firewall:
• Near the center of the area in which your PCs will operate.
• In an elevated location, such as a high shelf where the wirelessly connected PCs have line-of-sight access (even if through walls). The best location is elevated, such as wall mounted or on the top of a cubicle, and at the center of your wireless coverage area for all the mobile devices.
• Away from sources of interference, such as PCs, microwaves, and 2.4 GHz cordless phones.
• Away from large metal surfaces.
Be aware that the time it takes to establish a wireless connection can vary depending on both your security settings and placement. WEP connections can take slightly longer to establish. Also, WEP encryption can consume more battery power on a notebook computer.
Note: Indoors, computers can connect to wireless networks at ranges of 300 feet or more. Such distances allow others outside of your area to access your network.

Implementing Appropriate Wireless Security

Unlike wired network data, your wireless data transmissions can extend beyond your walls and can be received by anyone with a compatible adapter. For this reason, use the security features of your wireless equipment. The FVG318 Wireless VPN Firewall provides highly effective security features which are covered in detail in this chapter.
Figure 4-1: FVG318 wireless data security options (figure text: Wireless Data Security Options; No Security: easy but no security; MAC Access List: no data security; WEP: security but some performance impact; WPA or WPA-PSK: very strong security; radius up to 300 feet)
There are several ways you can enhance the security of your wireless network:
• Restrict Access Based on MAC Address. You can allow only trusted PCs to connect so that unknown PCs cannot wirelessly connect to the FVG318. Restricting access by MAC address adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed.
• Turn Off the Broadcast of the Wireless Network Name SSID. If you disable broadcast of the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network ‘discovery’ feature of some products, such as Windows XP, but the data is still exposed.
• WEP. Wired Equivalent Privacy (WEP) data encryption provides data security. WEP Shared Key authentication and WEP data encryption will block all but the most determined eavesdropper.
• WPA/WPA2 with Radius or WPA/WPA2-PSK. Wi-Fi Protected Access (WPA and WPA2) data encryption provides data security. The very strong authentication along with dynamic per frame rekeying of WPA and WPA2 make it virtually impossible to compromise. Because this is a new standard, wireless device driver and software availability may be limited.
Note: The 802.11b and 802.11g wireless networking protocols are configured in exactly the same fashion. The FVG318 will automatically adjust to the 802.11g or 802.11b protocol as the device requires without compromising the speed of the other devices.

Understanding Wireless Settings

To configure the wireless settings of your FVG318, click the Wireless link in the Setup section of the main menu. The wireless settings menu will appear, as shown below.
Figure 4-2: Wireless Settings menu
• Wireless Network. The station name of the FVG318.
— Wireless Network Name (SSID). The SSID is also known as the wireless network name. Enter a value of up to 32 alphanumeric characters. In a setting where there is more than one wireless network, different wireless network names provide a means for separating the traffic. Any device you want to participate in the 802.11b/g wireless network will need to use this SSID for that network. The FVG318 default SSID is: NETGEAR.
— Region. This field identifies the region where the FVG318 can be used. It may not be legal to operate the wireless features of the wireless VPN firewall in a region other than one of those identified in this field. Unless you select a region, you will only be able to use Channel 11.
— Channel. This field determines which operating frequency will be used. It should not be necessary to change the wireless channel unless you notice interference problems with another nearby access point. For more information on the wireless channel frequencies, please refer to “Wireless Channels” on page E-7.
— Mode. Select the desired wireless mode. The options are:
g & b - Both 802.11g and 802.11b wireless stations can be used.
g only - Only 802.11g wireless stations can be used.
b only - All 802.11b wireless stations can be used. 802.11g wireless stations can still be used if they can operate in 802.11b mode.
The default is “g & b” which allows both 802.11g and 802.11b wireless stations to access this device.
• Wireless Access Point
— Enable Wireless Access Point. Enables the wireless radio. When disabled, there are no wireless communications through the FVG318.
— Allow Broadcast of Name (SSID). The default setting is to enable SSID broadcast. If you disable broadcast of the SSID, only devices that have the correct SSID can connect. Disabling SSID broadcast somewhat hampers the wireless network ‘discovery’ feature of some products.
• Wireless Card Access List. Lets you restrict wireless connections according to a list of Trusted PCs MAC addresses. When the Trusted PCs Only radio button is selected, the FVG318 checks the MAC address of the wireless station and only allows connections to PCs identified on the trusted PCs list. To restrict access based on MAC addresses, click the Set up Access List button and update the MAC access control list.
• Security Options
— Disable: No data encryption is used.
— WEP (Wired Equivalent Privacy): Use WEP 64 or 128 bit data encryption.
— WPA with Radius: This version of WPA requires the use of a Radius server for authentication. Each user (Wireless Client) must have a "user" login on the Radius Server - normally done via a digital certificate. Also, this device must have a "client" login on the Radius server. Data transmissions are encrypted using a key which is automatically generated.
— WPA2 with Radius: WPA2 is a later version of WPA. Only select this if all clients support WPA2. If selected, you must use AES encryption, and configure the Radius Server Settings. Each user (Wireless Client) must have a "user" login on the Radius Server - normally done via a digital certificate. Also, this device must have a "client" login on the Radius server. Data transmissions are encrypted using a key which is automatically generated.
— WPA and WPA2 with Radius: This selection allows clients to use either WPA (with AES encryption) or WPA2 (with TKIP encryption). If selected, encryption must be TKIP + AES. If selected, you must configure the Radius Server Settings.
— WPA-PSK (Wi-Fi Protected Access Pre-Shared Key): Use WPA-PSK standard encryption.
— WPA2-PSK: WPA2 is a later version of WPA. Only select this if all clients support WPA2. If selected, you must use AES encryption, and enter the WPA passphrase (Network key).
— WPA-PSK and WPA2-PSK: This selection allows clients to use either WPA (with AES encryption) or WPA2 (with TKIP encryption). If selected, encryption must be TKIP + AES.
Default Factory Settings

The FVG318 default factory settings are shown below. You can restore these defaults with the Factory Default Restore button on the rear panel as seen in the illustration “FWG114P v2 Rear Panel” on page 2-9. After you install the FVG318 Wireless VPN Firewall, use the procedures below to customize any of the settings to better meet your networking needs.
FEATURE                                                 DEFAULT FACTORY SETTINGS
SSID                                                    NETGEAR
RF Channel                                              11 until the region is selected
Access Point                                            Enabled
Wireless Card Access List for Access Point Connections  All wireless stations allowed
SSID broadcast                                          Enabled
WEP Security                                            Disabled
Authentication Type                                     Open System

Before You Change the SSID and WEP Settings

Take the following steps:
For a new wireless network, print or copy this form and fill in the configuration parameters. For an existing wireless network, the person who set up or is responsible for the network will be able to provide this information. Be sure to set the Regulatory Domain correctly as the first step.

SSID: The Service Set Identification (SSID) identifies the wireless local area network. Wireless is the default FVG318 SSID. However, you may customize it by using up to 32 alphanumeric characters. Write your customized SSID on the line below.
Note: The SSID in the wireless VPN firewall is the SSID you configure in the wireless adapter card. All wireless nodes in the same network must be configured with the same SSID:

Authentication
Circle one: Open System or Shared Key. Choose “Shared Key” for more security.
Note: If you select shared key, the other devices in the network will not connect unless they are set to Shared Key as well and have the same keys in the same positions as those in the FVG318.

WEP Encryption Keys
For all four 802.11b keys, choose the Key Size. Circle one: 64 or 128 bits
Key 1: ___________________________________
Key 2: ___________________________________
Key 3: ___________________________________
Key 4: ___________________________________

WPA-PSK or WPA2-PSK (Pre-Shared Key)
Record the WPA-PSK or WPA2-PSK key:
Key: ___________________________________

WPA or WPA2 RADIUS Settings
For WPA or WPA2, record the following RADIUS settings:
Server Name/IP Address: Primary _________________ Secondary __________________
Port: ___________________________________
Shared Key: ___________________________________

Use the procedures described in the following sections to configure the FVG318. Store this information in a safe place.

How to Set Up and Test Basic Wireless Connectivity

Follow the instructions below to set up and test basic wireless connectivity. Once you have established basic wireless connectivity, you can enable security settings appropriate to your needs.
1. Log in using the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. Set the Regulatory Domain correctly.
Figure 4-3: Wireless Settings menu
3. Choose a suitable descriptive name for the wireless network name (SSID). In the SSID box, enter a value of up to 32 alphanumeric characters. The default SSID is NETGEAR.
Note: The characters are case sensitive. An access point always functions in infrastructure mode. The SSID for any wireless device communicating with the access point must match the SSID configured in the FVG318 ProSafe 802.11g Wireless VPN Firewall. If they do not match, you will not get a wireless connection to the FVG318.
4. Set the Channel. It should not be necessary to change the wireless channel unless you notice interference problems with another nearby wireless router or access point. Select a channel that is not being used by any other wireless networks within several hundred feet of your wireless VPN firewall. For more information on the wireless channel frequencies please refer to “Wireless Channels” on page E-7.
5. Depending on the types of wireless adapters you have in your computers, choose from the Mode drop-down list.
6. For initial configuration and test, leave the Wireless Card Access List set to “All Wireless Stations” and the Encryption Strength set to “Disable.”
Note: If you are configuring the FVG318 from a wireless computer and you change the wireless VPN firewall’s SSID, channel, or security settings, you will lose your wireless connection when you click on Apply. You must then change the wireless settings of your computer to match the FVG318’s new settings.
7. Click Apply to save your changes.
8. Configure and test your PCs for wireless connectivity. Program the wireless adapter of your PCs to have the same SSID that you configured in the FVG318. Check that they have a wireless link and are able to obtain an IP address by DHCP from the wireless VPN firewall.
Once your PCs have basic wireless connectivity to the wireless VPN firewall, then you can configure the advanced options and wireless security functions.

How to Restrict Wireless Access by MAC Address

To restrict access based on MAC addresses, follow these steps:
1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password.
2. Click Wireless in the main menu of the FVG318. From the Wireless Settings menu, click Setup Access List.
Figure 4-4: Wireless Station Access menu
3. Click the Turn Access Control On checkbox to enable MAC filtering.
Note: When configuring the FVG318 from a wireless computer whose MAC address is not in the access control list, if you select Turn Access Control On, you will lose your wireless connection when you click Apply. You must then access the wireless VPN firewall from a wired computer or from a wireless computer which is on the access control list to make any further changes.
4. Click Add to open the Wireless Card Access Setup menu. You can select a device from the list of available wireless cards the FVG318 has discovered in your area, or you can manually enter the MAC address and Device Name (usually the NetBIOS name).
5. Click Add to add this device to your MAC access control list.
6. Be sure to click Apply to save your trusted wireless PCs list settings. Now, only devices on this list will be allowed to wirelessly connect to the FVG318.
To remove a MAC address from the table, click to select it, then click the Delete button.
Note: When changing the wireless settings from a wireless computer, you will lose your wireless connection when you click Apply. You must then either configure your wireless adapter to match the new wireless settings or access the wireless VPN firewall from a wired computer to make any further changes.

How to Configure WEP

To configure WEP data encryption, follow these steps:
1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever LAN address and password you set up.
2. Click Wireless Settings in the main menu of the FVG318.
Figure 4-5: Wireless Settings menu (WEP)
3. Select WEP on the pulldown menu. The WEP options menu will open.
4. Choose the Authentication Type and Encryption Strength options. You can manually or automatically program the four data encryption keys. These values must be identical on all PCs and Access Points in your network.
Authentication Type: Normally this can be left at the default value of "Automatic." If set to "Open System" or "Shared Key", wireless stations must use the same method.
Encryption: Select the desired WEP Encryption:
64-bit (sometimes called 40-bit) encryption
128-bit encryption
WEP Keys: If using WEP, you can manually or automatically program the four data encryption keys. These values must be identical on all PCs and Access Points in your network.
Automatic Key Generation (Passphrase): Enter a word or group of printable characters (this phrase is case sensitive) in the Passphrase box and click the "Generate Keys" button to automatically configure the WEP Key(s).
If encryption is set to 64 bit, then each of the four key boxes will automatically be populated with key values.
If encryption is set to 128 bit, then only the selected WEP key box will automatically be populated with a key value.
Manual Entry Mode: Enter ten hexadecimal digits (any combination of 0-9, a-f, or A-F). These hex values are not case sensitive. Select which of the four keys will be used and enter the matching WEP key information for your network in the selected key box.
For 64 bit WEP: Enter ten hexadecimal digits (any combination of 0-9, A-F).
For 128 bit WEP: Enter twenty-six hexadecimal digits (any combination of 0-9, A-F).
Please refer to “Overview of WEP Parameters” on page E-5 for a full explanation of each of these options, as defined by the IEEE 802.11b wireless communication standard.
5. Click Apply to save your settings.

How to Configure WPA with Radius

Note: Not all wireless adapters support WPA. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA. Nevertheless, the wireless adapter hardware and driver must also support WPA. Consult the product document for your wireless adapter and WPA client software for instructions on configuring WPA settings.
To configure WPA with Radius, follow these steps:
1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. Click Wireless Settings in the main menu of the FVG318.
Figure 4-6: Wireless Settings menu (WPA with Radius)
3. Select WPA with Radius on the pulldown menu. The WPA with Radius menu will open.
Encryption: There is no choice for encryption; this is displayed for your information. For WPA with Radius, TKIP is used.
4. Enter the Radius settings.
Primary Server Name/IP Address: This field is required. Enter the name or IP address of the primary Radius Server on your LAN.
Secondary Radius Server Name/IP Address: This field is optional. If you have a Secondary Radius Server on your LAN, enter its name or IP address here.
Radius Port: Enter the port number used for connecting to the Radius Server.
Shared Key: Enter the desired value for the Shared Key. This must match the value used on the Radius server.
Radius Accounting (Enable Radius Accounting): Enable this if you want to use the Radius Accounting system. If enabled, the following fields must be correct:
Radius Accounting Port: Enter the port number used for Accounting data on the Radius Server.
Update Report: Enable this if you wish to have this AP send Accounting update messages to the Radius accounting server periodically. If enabled, enter the desired Update Report interval in the field provided.
5. Click Apply to save your settings.

How to Configure WPA2 with Radius

Note: Not all wireless adapters support WPA2. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA2. Nevertheless, the wireless adapter hardware and driver must also support WPA2. Consult the product document for your wireless adapter and WPA2 client software for instructions on configuring WPA2 settings.
To configure WPA2 with Radius, follow these steps:
1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. Click Wireless Settings in the main menu of the FVG318.
Figure 4-7: Wireless Settings menu (WPA2 with Radius)
3. Select WPA2 with Radius on the pulldown menu. The WPA2 with Radius menu will open.
Encryption: There is no choice for encryption; this is displayed for your information. For WPA2 with Radius, AES is used.
4. Enter the Radius settings.
Primary Server Name/IP Address: This field is required. Enter the name or IP address of the primary Radius Server on your LAN.
Secondary Radius Server Name/IP Address: This field is optional. If you have a Secondary Radius Server on your LAN, enter its name or IP address here.
Radius Port: Enter the port number used for connecting to the Radius Server.
Shared Key: Enter the desired value for the Shared Key. This must match the value used on the Radius server.
Radius Accounting (Enable Radius Accounting): Enable this if you want to use the Radius Accounting system. If enabled, the following fields must be correct:
Radius Accounting Port: Enter the port number used for Accounting data on the Radius Server.
Update Report: Enable this if you wish to have this AP send Accounting update messages to the Radius accounting server periodically. If enabled, enter the desired Update Report interval in the field provided.
5. Click Apply to save your settings.

How to Configure WPA and WPA2 with Radius

Note: Not all wireless adapters support WPA and WPA2. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA and WPA2. Nevertheless, the wireless adapter hardware and driver must also support WPA and WPA2. Consult the product document for your wireless adapter and WPA and WPA2 client software for instructions on configuring WPA and WPA2 settings.
To configure WPA and WPA2 with Radius, follow these steps:
1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. Click Wireless Settings in the main menu of the FVG318.
Figure 4-8: Wireless Settings menu (WPA and WPA2 with Radius)
3. Select WPA and WPA2 with Radius on the pulldown menu. The WPA and WPA2 with Radius menu will open.
Encryption: There is no choice for encryption; this is displayed for your information. For WPA and WPA2 with Radius, WPA clients must use TKIP, and WPA2 clients must use AES.
4. Enter the Radius settings.
Primary Server Name/IP Address: This field is required. Enter the name or IP address of the primary Radius Server on your LAN.
Secondary Radius Server Name/IP Address: This field is optional. If you have a Secondary Radius Server on your LAN, enter its name or IP address here.
Radius Port: Enter the port number used for connecting to the Radius Server.
Shared Key: Enter the desired value for the Shared Key. This must match the value used on the Radius server.
Radius Accounting (Enable Radius Accounting): Enable this if you want to use the Radius Accounting system. If enabled, the following fields must be correct:
Radius Accounting Port: Enter the port number used for Accounting data on the Radius Server.
Update Report: Enable this if you wish to have this AP send Accounting update messages to the Radius accounting server periodically. If enabled, enter the desired Update Report interval in the field provided.
5. Click Apply to save your settings.
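How the Shared Key entered in the three WPA/WPA2 with Radius procedures above is actually used between the access point and the Radius server, as an added example that is not NETGEAR code: the authenticator computations follow RFC 2865 (authentication) and RFC 2866 (accounting), and the user name, NAS identifier, attribute values and secrets are constructed for illustration.

```python
"""Shared-secret handling between an access point and its Radius server.
Added example, not NETGEAR code; names and secrets below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, REPLY_MESSAGE, NAS_IDENTIFIER, ACCT_STATUS_TYPE, NAS_PORT_TYPE = 1, 18, 32, 40, 61
WIRELESS_802_11 = 19      # NAS-Port-Type value for Wireless-IEEE-802.11 (RFC 2865)
ACCT_START = 1            # Acct-Status-Type value Start (RFC 2866)


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = b""
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value must be 1 to 253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def header(code, ident, attr_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes))


def parse_packet(pkt):
    """Split a packet into (code, identifier, authenticator, attribute bytes)."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than its 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet size")
    return code, ident, pkt[4:20], pkt[20:]


def ap_access_request(ident, username, nas_id, request_auth=None):
    """Access-Request the AP sends for one wireless client (RFC 2865 section 4.1).
    The Request Authenticator is 16 random bytes; the reply must be bound to it."""
    request_auth = request_auth or os.urandom(16)
    attr_bytes = encode_attrs([
        (USER_NAME, username.encode()),
        (NAS_IDENTIFIER, nas_id.encode()),
        (NAS_PORT_TYPE, struct.pack("!I", WIRELESS_802_11)),
    ])
    return header(ACCESS_REQUEST, ident, attr_bytes) + request_auth + attr_bytes, request_auth


def response_digest(code, ident, attr_bytes, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header(code, ident, attr_bytes) + request_auth + attr_bytes + secret).digest()


def server_reply(request, code, attrs, server_secret):
    """The server signs its reply with ITS copy of the shared secret; the secret itself
    never crosses the wire, only the digest does."""
    _, ident, request_auth, _ = parse_packet(request)
    attr_bytes = encode_attrs(attrs)
    digest = response_digest(code, ident, attr_bytes, request_auth, server_secret)
    return header(code, ident, attr_bytes) + digest + attr_bytes


def ap_verify_reply(reply, request_auth, ap_secret):
    """The AP recomputes the digest with its own Shared Key setting. A mismatch means
    a wrong key on one side or a reply that did not come from the configured server."""
    code, ident, got, attr_bytes = parse_packet(reply)
    want = response_digest(code, ident, attr_bytes, request_auth, ap_secret)
    return hmac.compare_digest(got, want)


def accounting_request(ident, attrs, secret):
    """Accounting-Request (RFC 2866 section 3) carries a computed authenticator: MD5 over
    the packet with 16 zero bytes in the authenticator slot, followed by the secret."""
    attr_bytes = encode_attrs(attrs)
    digest = response_digest(ACCOUNTING_REQUEST, ident, attr_bytes, b"\x00" * 16, secret)
    return header(ACCOUNTING_REQUEST, ident, attr_bytes) + digest + attr_bytes


def server_verify_accounting(pkt, secret):
    """The accounting server applies the same check before it records anything."""
    code, ident, got, attr_bytes = parse_packet(pkt)
    want = response_digest(code, ident, attr_bytes, b"\x00" * 16, secret)
    return code == ACCOUNTING_REQUEST and hmac.compare_digest(got, want)


def round_trip(ap_secret, server_secret):
    """One authentication and one accounting exchange; returns which checks pass."""
    request, auth = ap_access_request(7, "wireless-user@example.test", "fvg318-ap")
    accept = server_reply(request, ACCESS_ACCEPT, [(REPLY_MESSAGE, b"welcome")], server_secret)
    acct = accounting_request(8, [(USER_NAME, b"wireless-user@example.test"),
                                  (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))], ap_secret)
    return ap_verify_reply(accept, auth, ap_secret), server_verify_accounting(acct, server_secret)


if __name__ == "__main__":
    print("matching keys:", round_trip(b"s3cret", b"s3cret"))
    print("mismatched keys:", round_trip(b"s3cret", b"different"))
```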

How to Configure WPA-PSK

Note: Not all wireless adapters support WPA. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA. Nevertheless, the wireless adapter hardware and driver must also support WPA. Consult the product document for your wireless adapter and WPA client software for instructions on configuring WPA settings.
To configure WPA-PSK, follow these steps:
1. Log in at the default LAN address of http://192.168.0.1, with the default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. Click Wireless Settings in the main menu of the FVG318.
Figure 4-9: Wireless Settings menu (WPA-PSK)
3. Select WPA-PSK on the pulldown menu. The WPA-PSK menu will open.
4. Select the desired Encryption method. For WPA-PSK, you can choose TKIP or AES.
5. Enter the pre-shared key in the Passphrase field. Enter a word or group of printable characters in the Passphrase box. The Passphrase must be 8 to 63 characters in length. The 256 Bit key used for encryption is generated from this passphrase.
6. Enter the Key Lifetime. This setting determines how often the encryption key is changed. Shorter periods provide greater security, but adversely affect performance. If desired, you can change the default value.
7. Click Apply to save your settings.
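The manual-entry WEP key rules (ten or twenty-six hex digits, case not significant) and the WPA-PSK passphrase rule (8 to 63 printable characters, from which the 256-bit key is generated) as one added example in Python that is not NETGEAR code. The manual does not say how the key is generated; the derivation shown is the one IEEE 802.11i specifies for WPA-PSK (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), and the sample keys, passphrase and SSID are constructed.

```python
"""Validation of the wireless key inputs described in this chapter, plus the
WPA/WPA2 pre-shared key derivation. Added example; not NETGEAR code."""
import hashlib
import string

# Manual-entry WEP key lengths from the chapter: ten hex digits for 64-bit
# (40-bit) WEP, twenty-six for 128-bit. Hex digits of either case are accepted.
WEP_HEX_DIGITS = {64: 10, 128: 26}


def validate_wep_key(key: str, strength_bits: int) -> bytes:
    """Return the raw key bytes if *key* is a valid manual WEP entry, else raise."""
    if strength_bits not in WEP_HEX_DIGITS:
        raise ValueError("WEP strength must be 64 or 128 bits")
    want = WEP_HEX_DIGITS[strength_bits]
    if len(key) != want:
        raise ValueError(f"{strength_bits}-bit WEP needs {want} hex digits, got {len(key)}")
    if any(c not in string.hexdigits for c in key):
        raise ValueError("WEP key may contain only 0-9, a-f, A-F")
    return bytes.fromhex(key)   # fromhex accepts upper and lower case alike


def validate_wpa_passphrase(passphrase: str) -> str:
    """Enforce the 8 to 63 printable-character rule the WPA-PSK menus state."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in passphrase):
        raise ValueError("passphrase must consist of printable ASCII characters")
    return passphrase


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from passphrase and SSID.

    The manual only says the key 'is generated from this passphrase'. The mapping
    used here is the one IEEE 802.11i specifies for WPA-PSK: PBKDF2-HMAC-SHA1 with
    the SSID as salt, 4096 iterations, 32-byte output. Both the AP and every client
    compute it independently, which is why the SSID must match on all of them too.
    """
    validate_wpa_passphrase(passphrase)
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the manual.
    print(validate_wep_key("0A1B2C3D4E", 64).hex())
    print(derive_wpa_psk("password", "IEEE").hex())
```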

How to Configure WPA2-PSK

Note: Not all wireless adapters support WPA2. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA2. Nevertheless, the wireless adapter hardware and driver must also support WPA2. Consult the product document for your wireless adapter and WPA2 client software for instructions on configuring WPA2 settings.
To configure WPA2-PSK, follow these steps:
1. Log in at the default LAN address of http://192.168.0.1, with the default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. Click Wireless Settings in the main menu of the FVG318.
Figure 4-10: Wireless Settings menu (WPA2-PSK)
3. Select WPA2-PSK on the pulldown menu. The WPA2-PSK menu will open.
4. Select the desired Encryption method. For WPA2-PSK, the only option is AES.
5. Enter the pre-shared key in the Passphrase field. Enter a word or group of printable characters in the Passphrase box. The Passphrase must be 8 to 63 characters in length. The 256 Bit key used for encryption is generated from this passphrase.
6. Enter the Key Lifetime. This setting determines how often the encryption key is changed. Shorter periods provide greater security, but adversely affect performance. If desired, you can change the default value.
7. Click Apply to save your settings.

How to Configure WPA-PSK and WPA2-PSK

Note: Not all wireless adapters support WPA and WPA2. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA and WPA2. Nevertheless, the wireless adapter hardware and driver must also support WPA and WPA2. Consult the product document for your wireless adapter and WPA and WPA2 client software for instructions on configuring WPA and WPA2 settings.
To configure WPA-PSK and WPA2-PSK, follow these steps:
1. Log in at the default LAN address of http://192.168.0.1, with the default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. Click Wireless Settings in the main menu of the FVG318.
Figure 4-11: Wireless Settings menu (WPA-PSK and WPA2-PSK)
3. Select WPA-PSK and WPA2-PSK on the pulldown menu. The WPA-PSK and WPA2-PSK menu will open.
4. Select the desired Encryption method. For WPA-PSK and WPA2-PSK, the only option is TKIP + AES. WPA clients must use TKIP, and WPA2 clients must use AES.
5. Enter the pre-shared key in the Passphrase field. Enter a word or group of printable characters in the Passphrase box. The Passphrase must be 8 to 63 characters in length. The 256 Bit key used for encryption is generated from this passphrase.
6. Enter the Key Lifetime. This setting determines how often the encryption key is changed. Shorter periods provide greater security, but adversely affect performance. If desired, you can change the default value.
7. Click Apply to save your settings.
Chapter 5
Firewall Protection and Content Filtering

This chapter describes how to use the content filtering features of the FVG318 ProSafe 802.11g
Wireless VPN Firewall to protect your network. These features can be found by clicking on the
Security heading in the main menu of the browser interface.

Firewall Protection and Content Filtering Overview

The FVG318 ProSafe 802.11g Wireless VPN Firewall provides you with Web content filtering
options, plus browsing activity reporting and instant alerts via e-mail. Parents and network
administrators can establish restricted access policies based on time-of-day, Web addresses and
Web address keywords. You can also block Internet access by applications and services, such as
chat or games.
A firewall is a special category of router that protects one network (the trusted network, such as
your LAN) from another (the untrusted network, such as the Internet), while allowing
communication between the two. A firewall incorporates the functions of a NAT (Network
Address Translation) router, while adding features for dealing with a hacker intrusion or attack,
and for controlling the types of traffic that can flow between the two networks. Unlike simple
Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect
your network from attacks and intrusions. NAT performs a very limited stateful inspection in that
it considers whether the incoming packet is in response to an outgoing request, but true stateful
packet inspection goes far beyond NAT.
To configure these features of your firewall, click on the subheadings under the Security heading
in the main menu of the browser interface. The subheadings are described below:
Firewall Protection and Content Filtering 5-1

Block Sites

The FVG318 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Block Sites menu is shown in Figure 5-1:
Figure 5-1: Block Sites menu
To enable keyword blocking, check Turn keyword blocking on, then click Apply.
To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply.
To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
Keyword application examples:
If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX.
If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
If you wish to block all Internet browsing access, enter the keyword “.”.
You may specify one Trusted User, which is a PC that will be exempt from blocking and
logging. Since the Trusted User will be identified by an IP address, you should configure that
PC with a fixed or reserved IP address.
To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply.

Using Rules to Block or Allow Specific Kinds of Traffic

Firewall rules are used to block or allow specific traffic passing through from one side to the other.
Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing
only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine
what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of
the FVG318 are:
Inbound: Block all access from outside except responses to requests from the LAN side.
Outbound: Allow all access from the LAN side to the outside.
These default rules are shown in the Rules table of the Rules menu in Figure 5-2:
Figure 5-2: Rules menu
You may define additional rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined.
To create a new rule, click the Add button.
To edit an existing rule, select its button on the left side of the table and click Edit.
To move an existing rule to a different position in the table, select its button on the left side of the table and click Move. At the script prompt, enter the number of the desired new position and click OK.
To delete an existing rule, select its button on the left side of the table and click Delete.
An example of the menu for defining or editing a rule is shown in Figure 5-3. The parameters are:
Service. From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services menu to add any additional services or applications that do not already appear.
Action. Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu.
Source Address. Specify traffic originating on the LAN (outbound) or the WAN (inbound), and choose whether you would like the traffic to be restricted by source IP address. You can select Any, a Single address, or a Range. If you select a range of addresses, enter the range in the start and finish boxes. If you select a single address, enter it in the start box.
Destination Address. The Destination Address will be assumed to be from the opposite (LAN or WAN) of the Source Address. As with the Source Address, you can select Any, a Single address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you must enter a Single LAN address in the start box.
Log. You can select whether the traffic will be logged. The choices are:
Never — no log entries will be made for this service.
Match — traffic of this type that matches the parameters and action will be logged.
Note: Some residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may periodically
check for servers and may suspend your account if it discovers any active services at
your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.

Inbound Rules (Port Forwarding)

Because the FVG318 uses Network Address Translation (NAT), your network presents only one
IP address to the Internet, and outside users cannot directly address any of your local computers.
However, by defining an inbound rule you can make a local server (for example, a Web server or
game server) visible and available to the Internet. The rule tells the firewall to direct inbound
traffic for a particular service to one local server based on the destination port number. This is also
known as port forwarding.
Remember that allowing inbound services opens holes in your FVG318 Wireless VPN Firewall.
Only enable those ports that are necessary for your network. Following are two application
examples of inbound rules:
Inbound Rule Example: A Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web
(HTTP) requests from any outside IP address to the IP address of your Web server at any time of
day. This rule is shown in Figure 5-3:
Figure 5-3: Rule example: a local public Web server
Inbound Rule Example: Allowing a Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 5-4, CU-SEEME connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.
Figure 5-4: Rule example: a videoconference from restricted addresses
Considerations for Inbound Rules
• If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menus so that external users can always find your network.
• If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the PC’s IP address constant.
• Each local PC must access the local server using the PC’s local LAN address (192.168.0.99 in this example). Attempts by local PCs to access the server using the external WAN IP address will fail.

Outbound Rules (Service Blocking)

The FVG318 allows you to block the use of certain Internet services by PCs on your network. This
is called service blocking or port filtering. You can define an outbound rule to block Internet
access from a local PC based on:
• IP address of the local PC (source address)
• IP address of the Internet site being contacted (destination address)
• Time of day
• Type of service being requested (service port number)
Following is an application example of an outbound rule:
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create
an outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created in the Schedule menu. You can also have the
firewall log any attempt to use Instant Messenger during that blocked period.
Figure 5-5: Rule example: blocking Instant Messenger

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules table, as shown below:
Figure 5-6: Rules table with examples
For any traffic attempting to pass through the firewall, the packet information is subjected to the
rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules
at the bottom. In some cases, the order of precedence of two or more rules may be important in
determining the disposition of a packet. The Move button allows you to relocate a defined rule to a
new position in the table.

Default DMZ Server

Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a
response to one of your local computers or a service for which you have configured an inbound
rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network.
This computer is called the Default DMZ Server.
The Default DMZ Server feature is helpful when using some online games and videoconferencing
applications that are incompatible with NAT. The firewall is programmed to recognize some of
these applications and to work properly with them, but there are other applications that may not
function well. In some cases, one local PC can run the application properly if that PC’s IP address
is entered as the Default DMZ Server.
Note: For security, NETGEAR strongly recommends that you avoid using the Default
DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses
much of the protection of the firewall, and is exposed to many exploits from the Internet.
If compromised, the computer can be used to attack your network.
Note: In this application, the use of the term “DMZ” has become common, although it is
a misnomer. In traditional firewalls, a DMZ is actually a separate physical network port.
A true DMZ port is for connecting servers that require greater access from the outside,
and will therefore be provided with a different level of security by the firewall. A better
term for our application is Exposed Host.
To assign a computer or server to be a Default DMZ server:
1. Click Default DMZ Server.
2. Type the IP address for that server.
3. Click Apply.

Respond to Ping on Internet WAN Port

If you want the firewall to respond to a ping from the Internet, click the Respond to Ping on
Internet WAN Port check box. This should only be used as a diagnostic tool, since it allows your
firewall to be discovered. Don't check this box unless you have a specific reason to do so.

Services

Services are functions performed by server computers at the request of client computers. For
example, Web servers serve Web pages, time servers serve time and date information, and game
hosts serve data about other players’ moves. When a computer on the Internet sends a request for
service to a server computer, the requested service is identified by a service or port number. This
number appears as the destination port number in the transmitted IP packets. For example, a packet
that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task
Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other
applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the FVG318 already holds a list of many service port numbers, you are not limited to
these choices. Use the Services menu to add additional services and applications to the list for use
in defining firewall rules. The Services menu shows a list of services that you have defined, as
shown in Figure 5-7:
Figure 5-7: Services menu
To define a new service, first you must determine which port number or range of numbers is used
by the application. This information can usually be determined by contacting the publisher of the
application or from user groups or newsgroups.
To add a service:
1. When you have the port number information, go to the Services menu and click on the Add
Custom Service button. The Add Services menu appears as shown in Figure 5-8:
Figure 5-8: Add Custom Service menu
2. Enter a descriptive name for the service so that you will remember what it is.
3. Select whether the service uses TCP or UDP as its transport protocol.
If you can’t determine which is used, select both.
4. Enter the lowest port number used by the service.
5. Enter the highest port number used by the service.
If the service only uses a single port number, enter the same number in both fields.
6. Click Apply.
The new service now appears in the Services menu, and in the Service name selection box in the
Rules menu.

Using a Schedule to Block or Allow Specific Traffic

If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use
a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The
firewall allows you to specify when blocking will be enforced by configuring the Schedule page
shown below:
Figure 5-9: Schedule page
To block keywords or Internet domains based on a schedule, select Every Day or select one or
more days. If you want to limit access completely for the selected days, select All Day. Otherwise,
if you want to limit access during certain times for the selected days, type a Start Blocking time
and an End Blocking time.
Note: Enter the values as 24-hour time. For example, to specify 10:30 am, enter 10 hours and 30
minutes; for 10:30 pm, enter 22 hours and 30 minutes.
Be sure to click Apply when you have finished configuring this page.
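The outbound rule, order-of-precedence, custom service and schedule behaviour described in this chapter, modelled as an added example (my own illustration, not NETGEAR code or firmware). The Instant Messenger port, the 192.168.0.5 exception address, the TEST-NET addresses and the working-hours schedule are constructed values, and the default rules at the bottom of the table are assumed to be allow-outbound and discard-inbound, as the chapter describes them.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

WEEKDAYS = frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"})

@dataclass(frozen=True)
class Service:
    """A Services menu entry: transport protocol(s) and a port range."""
    name: str
    protocols: FrozenSet[str]   # {"TCP"}, {"UDP"}, or both when you cannot tell
    low_port: int
    high_port: int              # equal to low_port for a single-port service

    def matches(self, proto: str, dport: int) -> bool:
        return proto in self.protocols and self.low_port <= dport <= self.high_port

@dataclass(frozen=True)
class Schedule:
    """A Schedule page entry: selected days, All Day or a 24-hour blocking window."""
    days: FrozenSet[str]
    all_day: bool = True
    start: time = time(0, 0)    # Start Blocking time (24-hour clock)
    end: time = time(0, 0)      # End Blocking time (24-hour clock)

    def active(self, when: datetime) -> bool:
        if when.strftime("%a") not in self.days:
            return False
        return self.all_day or self.start <= when.time() < self.end

@dataclass(frozen=True)
class Packet:
    direction: str              # "outbound" (LAN to WAN) or "inbound" (WAN to LAN)
    proto: str                  # "TCP" or "UDP"
    src: str
    dst: str
    dport: int                  # the destination port identifies the service

@dataclass(frozen=True)
class Rule:
    """One row of the Rules table."""
    name: str
    direction: str
    action: str                 # "BLOCK" or "ALLOW"
    service: Service
    src: str = "0.0.0.0/0"      # source address selection ("Any" by default)
    dst: str = "0.0.0.0/0"      # destination address selection ("Any" by default)
    schedule: Optional[Schedule] = None   # None: the rule applies at all times
    log: bool = False           # log attempts that match this rule

    def matches(self, pkt: Packet, when: datetime) -> bool:
        return (pkt.direction == self.direction
                and self.service.matches(pkt.proto, pkt.dport)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.schedule is None or self.schedule.active(when)))

def evaluate(rules: List[Rule], pkt: Packet, when: datetime) -> Tuple[str, str, bool]:
    """Walk the Rules table top to bottom; the first matching rule decides.
    Returns (action, name of the deciding rule, whether the attempt is logged)."""
    for rule in rules:
        if rule.matches(pkt, when):
            return rule.action, rule.name, rule.log
    # Default rules at the bottom of the table (assumed from the chapter's text):
    # outbound traffic passes, unsolicited inbound traffic is discarded.
    if pkt.direction == "outbound":
        return "ALLOW", "default outbound", False
    return "BLOCK", "default inbound", False

# Constructed sample data. The Instant Messenger port is an illustrative value;
# take the real range from the application's publisher, as the Services section says.
IM = Service("Instant-Messenger", frozenset({"TCP"}), 5190, 5190)
HTTP = Service("HTTP", frozenset({"TCP"}), 80, 80)
WORK_HOURS = Schedule(WEEKDAYS, all_day=False, start=time(9, 0), end=time(17, 0))
BLOCK_IM = Rule("Block IM during work hours", "outbound", "BLOCK", IM,
                schedule=WORK_HOURS, log=True)
ALLOW_IM_ONE_PC = Rule("Allow IM from 192.168.0.5", "outbound", "ALLOW", IM,
                       src="192.168.0.5/32")              # constructed exception
ALLOW_WEB_IN = Rule("Allow HTTP to local server", "inbound", "ALLOW", HTTP,
                    dst="192.168.0.99/32")                # server address from this chapter

def demo() -> dict:
    wed_1030 = datetime(2005, 8, 17, 10, 30)   # a Wednesday, 10:30
    wed_2230 = datetime(2005, 8, 17, 22, 30)   # the same Wednesday, 22:30
    im_from = lambda src: Packet("outbound", "TCP", src, "203.0.113.10", 5190)
    web_in = Packet("inbound", "TCP", "198.51.100.7", "192.168.0.99", 80)
    return {
        "im_in_hours": evaluate([BLOCK_IM], im_from("192.168.0.20"), wed_1030),
        "im_after_hours": evaluate([BLOCK_IM], im_from("192.168.0.20"), wed_2230),
        # Order of precedence: the same two rules in opposite order decide differently.
        "allow_above_block": evaluate([ALLOW_IM_ONE_PC, BLOCK_IM], im_from("192.168.0.5"), wed_1030),
        "allow_below_block": evaluate([BLOCK_IM, ALLOW_IM_ONE_PC], im_from("192.168.0.5"), wed_1030),
        # Inbound traffic is discarded unless an inbound rule admits it.
        "web_with_rule": evaluate([ALLOW_WEB_IN], web_in, wed_1030),
        "web_without_rule": evaluate([], web_in, wed_1030),
    }
```

The two swapped-order cases are the point of the Move button: moving the narrow allow rule below the broad block rule silently changes the outcome for that PC.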

Time Zone

The FVG318 Wireless VPN Firewall uses the Network Time Protocol (NTP) to obtain the current
time and date from one of several Network Time Servers on the Internet. In order to localize the
time for your log entries, you must specify your Time Zone:
• Time Zone. Select your local time zone. This setting will be used for the blocking schedule
and for time-stamping log entries.
• Daylight Savings Time. Check this box for daylight savings time.
Note: If your region uses Daylight Savings Time, you must manually select Adjust for
Daylight Savings Time on the first day of Daylight Savings Time, and unselect it at the end.
Enabling Daylight Savings Time will add one hour to the standard time.
Be sure to click Apply when you have finished configuring this menu.

Getting E-Mail Notifications of Event Logs and Alerts

In order to receive logs and alerts by e-mail, you must provide your e-mail information in the Send
alerts and logs by e-mail area:
Figure 5-10: E-mail menu
• Turn e-mail notification on. Check this box if you wish to receive e-mail logs and alerts from
the firewall.
• Send alerts and logs by e-mail. If you enable e-mail notification, these boxes cannot be
blank. Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as
mail.myISP.com). You may be able to find this information in the configuration menu of your
e-mail program. Enter the e-mail address to which logs and alerts are sent. This e-mail address
will also be used as the From address. If you leave this box blank, log and alert messages will
not be sent via e-mail.
• Send E-mail alerts immediately. You can specify that logs are immediately sent to the
specified e-mail address when any of the following events occur:
— If a Denial of Service attack is detected.
— If a Port Scan is detected.
— If a user on your LAN attempts to access a Web site that you blocked using the Block Sites
menu.
• Send logs according to this schedule. You can specify that logs are sent to you according to a
schedule. Select whether you would like to receive the logs None, Hourly, Daily, Weekly, or
When Full. Depending on your selection, you may also need to specify:
— Day for sending log. Relevant when the log is sent weekly or daily.
— Time for sending log. Relevant when the log is sent daily or weekly.
If the Weekly, Daily or Hourly option is selected and the log fills up before the specified
period, the log is automatically e-mailed to the specified e-mail address. After the log is sent,
the log is cleared from the firewall’s memory. If the firewall cannot e-mail the log file, the log
buffer may fill up. In this case, the firewall overwrites the log and discards its contents.
Be sure to click Apply when you have finished configuring this menu.

Viewing Logs of Web Access or Attempted Web Access

The firewall logs security-related events such as denied incoming and outgoing service requests,
hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu,
the Log page will also show you when someone on your network tried to access a blocked site. If
you enabled e-mail notification, you'll receive these logs in an e-mail message. If you don't have
e-mail notification enabled, you can view the logs here. An example is shown in Figure 5-11:
Figure 5-11: Logs menu
Log entries are described in Table 5-1.
Table 5-1. Log entry descriptions
Field: Description
Date and Time: The date and time the log entry was recorded.
Description or Action: The type of event and what action was taken if any.
Source IP: The IP address of the initiating device for this log entry.
Source port and interface: The service port number of the initiating device, and whether it
originated from the LAN or WAN.
Destination: The name or IP address of the destination device or Web site.
Destination port and interface: The service port number of the destination device, and whether
it’s on the LAN or WAN.
Log action buttons are described in Table 5-2.
Table 5-2. Log action buttons
Button: Description
Refresh: Refresh the log screen.
Clear Log: Clear the log entries.
Send Log: Email the log immediately.

Syslog

You can configure the firewall to send system logs to an external PC that is running a syslog
logging program. Enter the IP address of the logging PC and click the Enable Syslog check box.
Logging programs are available for Windows, Macintosh, and Linux computers.
Chapter 6
Basic Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FVG318
Wireless VPN Firewall. VPN communications paths are called tunnels. VPN tunnels provide
secure, encrypted communications between your local network and a remote network or computer.
The VPN information is organized as follows:
• “Overview of VPN Configuration” on page 6-2 provides an overview of the two most
common VPN configurations: client-to-gateway and gateway-to-gateway.
• “Planning a VPN” on page 6-3 provides the VPN Committee (VPNC) recommended default
parameters set by the VPN Wizard.
• “VPN Tunnel Configuration” on page 6-5 summarizes the two ways to configure a VPN
tunnel: VPN Wizard (recommended for most situations) and Advanced (see Chapter 7,
“Advanced Virtual Private Networking”).
• “How to Set Up a Client-to-Gateway VPN Configuration” on page 6-5 provides the steps
needed to configure a VPN tunnel between a remote PC and a network gateway using the VPN
Wizard and the NETGEAR ProSafe VPN Client.
• “How to Set Up a Gateway-to-Gateway VPN Configuration” on page 6-20 provides the steps
needed to configure a VPN tunnel between two network gateways using the VPN Wizard.
• “VPN Tunnel Control” on page 6-26 provides the step-by-step procedures for activating,
verifying, deactivating, and deleting a VPN tunnel once the VPN tunnel has been configured.
• Chapter 7, “Advanced Virtual Private Networking” provides the steps needed to configure
VPN tunnels when there are special circumstances and the VPNC recommended defaults of
the VPN Wizard are inappropriate.
• Appendix C, “Virtual Private Networking” discusses Virtual Private Networking (VPN)
Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and
commercially available, standards-based protocols developed for transporting data.
• Appendix B, “VPN Configuration of NETGEAR FVS318v3” presents a case study on how to
configure a secure IPSec VPN tunnel from a NETGEAR FVG318 to a FVL328. This case
study follows the VPN Consortium interoperability profile guidelines (found at
http://www.vpnc.org/InteropProfiles/Interop-01.html).

Overview of VPN Configuration

Two common scenarios for configuring VPN tunnels are between a remote personal computer and
a network gateway and between two or more network gateways. The FVG318 supports both of
these types of VPN configurations. The FVG318 Wireless VPN Firewall supports up to eight
concurrent tunnels.

Client-to-Gateway VPN Tunnels

Client-to-gateway VPN tunnels provide secure access from a remote PC, such as a telecommuter
connecting to an office network (see Figure 6-1).
Figure 6-1: Client-to-gateway VPN tunnel
A VPN client access allows a remote PC to connect to your network from any location on the
Internet. In this case, the remote PC is one tunnel endpoint, running the VPN client software. The
FVG318 Wireless VPN Firewall on your network is the other tunnel endpoint. See “How to Set Up
a Client-to-Gateway VPN Configuration” on page 6-5 to set up this configuration.

Gateway-to-Gateway VPN Tunnels

Gateway-to-gateway VPN tunnels provide secure access between networks, such as a branch
or home office and a main office (see Figure 6-2).
Figure 6-2: Gateway-to-gateway VPN tunnel
A VPN between two or more NETGEAR VPN-enabled firewalls is a good way to connect branch
or home offices and business partners over the Internet. VPN tunnels also enable access to network
resources across the Internet. In this case, use FVG318s on each end of the tunnel to form the VPN
tunnel end points. See “How to Set Up a Gateway-to-Gateway VPN Configuration” on page 6-20
to set up this configuration.

Planning a VPN

To set up a VPN connection, you must configure each endpoint with specific identification and
connection information describing the other endpoint. You must configure the outbound VPN
settings on one end to match the inbound VPN settings on the other end, and vice versa.
This set of configuration information defines a security association (SA) between the two VPN
endpoints. When planning your VPN, you must make a few choices first:
• Will the local end be any device on the LAN, a portion of the local network (as defined by a
subnet or by a range of IP addresses), or a single PC?
• Will the remote end be any device on the remote LAN, a portion of the remote network (as
defined by a subnet or by a range of IP addresses), or a single PC?
• Will either endpoint use Fully Qualified Domain Names (FQDNs)? Many DSL accounts are
provisioned with DHCP addressing, where the IP address of the WAN port can change from
time to time. Under these circumstances, configuring the WAN port with a dynamic DNS
(DynDNS) service provider simplifies the configuration task. When DynDNS is configured on
the WAN port, configure the VPN using FQDN.
FQDNs supplied by Dynamic DNS providers can allow a VPN endpoint with a dynamic IP
address to initiate or respond to a tunnel request. Otherwise, the side using a dynamic IP
address must always be the initiator.
• What method will you use to configure your VPN tunnels?
— The VPN Wizard using VPNC defaults (see Table 6-1)
— Advanced methods (see Chapter 7, “Advanced Virtual Private Networking”)
Table 6-1. Parameters recommended by the VPNC and used in the VPN Wizard
Parameter: Factory Default
Secure Association: Main Mode
Authentication Method: Pre-shared Key
Encryption Method: 3DES
Authentication Protocol: SHA-1
Diffie-Hellman (DH) Group: Group 2 (1024 bit)
Key Life: 8 hours
IKE Life Time: 24 hours
NETBIOS: Enabled
Note: NETGEAR publishes additional interoperability scenarios with various gateway
and client software products.
• What level of IPSec VPN encryption will you use?
— DES — The Data Encryption Standard (DES) processes input data that is 64 bits wide,
encrypting these values using a 56 bit key. Faster but less secure than 3DES.
— 3DES — (Triple DES) achieves a higher level of security by encrypting the data three
times using DES with three different, unrelated keys.
— AES
• What level of authentication will you use?
— MD5 — 128 bits, faster but less secure.
— SHA-1 — 160 bits, slower but more secure.

VPN Tunnel Configuration

There are two tunnel configurations and three ways to configure them:
• Use the VPN Wizard to configure a VPN tunnel (recommended for most situations):
— See “How to Set Up a Client-to-Gateway VPN Configuration” on page 6-5.
— See “How to Set Up a Gateway-to-Gateway VPN Configuration” on page 6-20.
• See Chapter 7, “Advanced Virtual Private Networking” when the VPN Wizard and its VPNC
defaults (see Table 6-1 on page 6-4) are not appropriate for your special circumstances.

How to Set Up a Client-to-Gateway VPN Configuration

Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a
network gateway (see Figure 6-3) involves the following two steps:
• “Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVG318” on page 6-6 uses
the VPN Wizard to configure the VPN tunnel between the remote PC and network gateway.
• “Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC” on page 6-9
configures the NETGEAR ProSafe VPN Client endpoint.
Figure 6-3: Client-to-gateway VPN tunnel
Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC
default parameters listed in Table 6-1 on page 6-4. If you have special requirements not
covered by these VPNC-recommended parameters, refer to Chapter 7, “Advanced
Virtual Private Networking” to set up the VPN tunnel.
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the
FVG318
Follow this procedure to configure a client-to-gateway VPN tunnel using the VPN Wizard.
1. Log in to the FVG318 at its LAN address of http://192.168.0.1 with its default user name of
admin and password of password. Click the VPN Wizard link in the main menu to display
this screen. Click Next to proceed.
Figure 6-4: VPN Wizard start screen
2. Fill in the Connection Name and the pre-shared key, select the type of target end point, and
click Next to proceed.
Note: The Connection Name is arbitrary and not relevant to how the configuration functions.
Figure 6-5: Connection Name and Remote IP Type (callouts: enter the new Connection Name,
RoadWarrior in this example; enter the pre-shared key, 12345678 in this example; select the
radio button A remote VPN client (single PC))
The Summary screen below displays.
Figure 6-6: VPN Wizard Summary
To view the VPNC recommended authentication and encryption settings used by the VPN
Wizard, click the here link (see Figure 6-6). Click Back to return to the Summary screen.
Figure 6-7: VPNC Recommended Settings
3. Click Done on the Summary screen (see Figure 6-6) to complete the configuration procedure.
The VPN Policies menu below displays showing that the new tunnel is enabled.
To view or modify the tunnel settings, select the radio button next to the tunnel entry and click
Edit.
Figure 6-8: VPN Policies
Page 85
BETA
Reference Manual for the ProSafe 802.11g Wireless VPN Firewall FVG318
Step 2: Configuring the NETGEAR ProSafe VPN Client on the
Remote PC
This procedure describes how to configure the NETGEAR ProSafe VPN Client. This example
assumes the PC running the client has a dynamically assigned IP address.
Note: Before installing the NETGEAR ProSafe VPN Client software, be sure to turn off
any virus protection or firewall software you may be running on your PC.
The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go
to the NETGEAR Web site (http://www.netgear.com) and select VPN01L_VPN05L in the Product
Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN
Client.
1. Install the NETGEAR ProSafe VPN Client on the remote PC and reboot.
a. You may need to insert your Windows CD to complete the installation.
b. If you do not have a modem or dial-up adapter installed in your PC, you may see the
warning message stating “The NETGEAR ProSafe VPN Component requires at least one
dial-up adapter be installed.” You can disregard this message.
c. Install the IPSec Component. You may have the option to install either the VPN Adapter
or the IPSec Component or both. The VPN Adapter is not necessary.
d. The system should show the ProSafe icon ( ) in the system tray after rebooting.
e. Double-click the system tray icon to open the Security Policy Editor.
Note: The procedure in this section explains how to create a new security policy from
scratch. For the procedure on how to import an existing security policy that has already
been created on another client running the NETGEAR ProSafe VPN Client, see
“Transferring a Security Policy to Another Client” on page 6-18.
2. Add a new connection.
a. Run the NETGEAR ProSafe Security Policy Editor program and create a VPN
Connection.
b. From the Edit menu of the Security Policy Editor, click Add, then Connection. A “New
Connection” listing appears in the list of policies. Rename the “New Connection” so that it
matches the Connection Name you entered in the VPN Settings of the FVG318 on
LAN A.
Note: In this example, the Connection Name used on the client side of the VPN tunnel is
NETGEAR_VPN_router and it does not have to match the RoadWarrior Connection
Name used on the gateway side of the VPN tunnel (see Figure 6-5) because Connection
Names are unrelated to how the VPN tunnel functions.
Tip: Choose Connection Names that make sense to the people using and administrating
the VPN.
Figure 6-9: Security Policy Editor new connection
c. Select Secure in the Connection Security check box.
d. Select IP Subnet in the ID Type menu.
In this example, type 192.168.3.1 in the Subnet field as the network address of the
FVG318.
e. Enter 255.255.255.0 in the Mask field as the LAN Subnet Mask of the FVG318.
f. Select All in the Protocol menu to allow all traffic through the VPN tunnel.
g. Select the Connect using Secure Gateway Tunnel check box.
h. Select IP Address in the ID Type menu below the check box.
i. Enter the public WAN IP Address of the FVG318 in the field directly below the ID Type
menu. In this example, 22.23.24.25 would be used.
The resulting Connection Settings are shown in Figure 6-10.
Figure 6-10: Security Policy Editor connection settings
3. Configure the Security Policy in the NETGEAR ProSafe VPN Client software.
a. In the Network Security Policy list, expand the new connection by double clicking its
name or clicking on the “+” symbol. My Identity and Security Policy subheadings appear
below the connection name.
b. Click on the Security Policy subheading to show the Security Policy menu.
c. Select the Main Mode in the Select Phase 1 Negotiation Mode check box.
Figure 6-11: Security Policy Editor Security Policy
4. Configure the VPN Client Identity.
In this step, you will provide information about the remote VPN client PC. You will need to
provide:
— The Pre-Shared Key that you configured in the FVG318.
— Either a fixed IP address or a “fixed virtual” IP address of the VPN client PC.
a. In the Network Security Policy list on the left side of the Security Policy Editor window,
click on My Identity.
b. Choose None in the Select Certificate box.
c. Select IP Address in the ID Type box. If you are using a virtual fixed IP address, enter this
address in the Internal Network IP Address box. Otherwise, leave this box empty.
d. In the Internet Interface box, select the adapter you use to access the Internet. Select PPP
Adapter in the Name menu if you have a dial-up Internet account. Select your Ethernet
adapter if you have a dedicated Cable or DSL line. You may also choose Any if you will
be switching between adapters or if you have only one adapter.
e. Click the Pre-Shared Key button. In the Pre-Shared Key dialog box, click the Enter Key
button. Enter the FVG318's Pre-Shared Key and click OK. In this example, 12345678 is
entered. This field is case sensitive.
Figure 6-12: Security Policy Editor My Identity
Figure 6-13: Security Policy Editor Pre-Shared Key
5. Configure the VPN Client Authentication Proposal.
In this step, you will provide the type of encryption (DES or 3DES) to be used for this
connection. This selection must match your selection in the FVG318 configuration.
a. In the Network Security Policy list on the left side of the Security Policy Editor window,
expand the Security Policy heading by double clicking its name or clicking on the “+”
symbol.
b. Expand the Authentication subheading by double clicking its name or clicking on the “+”
symbol. Then select Proposal 1 below Authentication.
c. In the Authentication Method menu, select Pre-Shared key.
d. In the Encrypt Alg menu, select the type of encryption. In this example, use Triple DES.
e. In the Hash Alg menu, select SHA-1.
f. In the SA Life menu, select Unspecified.
g. In the Key Group menu, select Diffie-Hellman Group 2.
Figure 6-14: Security Policy Editor Authentication
6. Configure the VPN Client Key Exchange Proposal.
In this step, you will provide the type of encryption (DES or 3DES) to be used for this
connection. This selection must match your selection in the FVG318 configuration.
a. Expand the Key Exchange subheading by double clicking its name or clicking on the “+”
symbol. Then select Proposal 1 below Key Exchange.
b. In the SA Life menu, select Unspecified.
c. In the Compression menu, select None.
d. Check the Encapsulation Protocol (ESP) check box.
e. In the Encrypt Alg menu, select the type of encryption. In this example, use Triple DES.
f. In the Hash Alg menu, select SHA-1.
g. In the Encapsulation menu, select Tunnel.
h. Leave the Authentication Protocol (AH) check box unchecked.
Figure 6-15: Security Policy Editor Key Exchange
7. Save the VPN Client Settings.
From the File menu at the top of the Security Policy Editor window, select Save.
After you have configured and saved the VPN client information, your PC will automatically
open the VPN connection when you attempt to access any IP addresses in the range of the
remote VPN firewall’s LAN.
8. Check the VPN Connection.
To check the VPN Connection, you can initiate a request from the remote PC to the FVG318’s
network by using the “Connect” option in the NETGEAR ProSafe menu bar. The NETGEAR
ProSafe client will report the results of the attempt to connect. Since the remote PC has a
dynamically assigned WAN IP address, it must initiate the request.
To perform a ping test using our example, start from the remote PC:
a. Establish an Internet connection from the PC.
b. On the Windows taskbar, click the Start button, and then click Run.
c. Type ping -t 192.168.3.1, and then click OK.
This will cause a continuous ping to be sent to the first FVG318. After between several
seconds and two minutes, the ping response should change from “timed out” to “reply.”
Figure 6-16: Running a Ping test to the LAN from the PC
Figure 6-17: Ping test results
Once the connection is established, you can open the browser of the PC and enter the LAN IP
address of the remote FVG318. After a short wait, you should see the login screen of the Wireless
VPN Firewall (unless another PC already has the FVG318 management interface open).

Monitoring the Progress and Status of the VPN Client Connection

Information on the progress and status of the VPN client connection can be viewed by opening the
NETGEAR ProSafe Log Viewer.
1. To launch this function, click on the Windows Start button, then select Programs, then
NETGEAR ProSafe VPN Client, then Log Viewer.
Note: Use the active VPN tunnel information and pings to determine whether a failed
connection is due to the VPN tunnel or some reason outside the VPN tunnel.
The Log Viewer screen for a similar successful connection is shown below:
Figure 6-18: Log Viewer screen
2. The Connection Monitor screen for a similar connection is shown below:
Figure 6-19: Connection Monitor screen
In this example you can see the following:
The FVG318 has a public IP WAN address of 22.23.24.25.
The FVG318 has a LAN IP address of 192.168.3.1.
The VPN client PC has a dynamically assigned address of 192.168.2.2.
While the connection is being established, the Connection Name field in this menu will say “SA”
before the name of the connection. When the connection is successful, the “SA” will change to the
yellow key symbol shown in the illustration above.
Note: While your PC is connected to a remote LAN through a VPN, you might not have
normal Internet access. If this is the case, you will need to close the VPN connection in
order to have normal Internet access.

Transferring a Security Policy to Another Client

This section explains how to export and import a security policy as an .spd file so that an existing
NETGEAR ProSafe VPN Client configuration can be copied to other PCs running the NETGEAR
ProSafe VPN Client.
Exporting a Security Policy
The following procedure (Figure 6-20) enables you to export a security policy as an .spd file.
Step 1: Select Export Security Policy from the File pulldown.
Step 2: Click Export once you decide the name of the file and directory where you want to store
the client policy. In this example, the exported policy is named policy.spd and is being stored on
the C drive.
Figure 6-20: Exporting a security policy
Page 95
Importing a Security Policy
The following procedure (Figure 6-21) enables you to import an existing security policy.
Step 1: Invoke the NETGEAR ProSafe VPN Client and select Import Security Policy from the File pulldown.
Step 2: Select the security policy to import. In this example, the security policy file is named FVS318v3_clientpolicy_direct.spd and located on the Desktop.
The security policy is now imported. In this example, the connection name is Scenario_1.
Figure 6-21: Importing a security policy

How to Set Up a Gateway-to-Gateway VPN Configuration

Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 6-1 on page 6-4. If you have special requirements not covered by these VPNC-recommended parameters, refer to Chapter 7, “Advanced Virtual Private Networking” to set up the VPN tunnel.
Figure 6-22: Gateway-to-Gateway VPN Tunnel (site A: PCs and FVS318v3 VPN Firewall; VPN Tunnel; site B: FVS318v3 VPN Firewall and PCs)
Follow the procedure below to set the LAN IPs on each FVG318 to different subnets and configure each properly for the Internet.
The LAN IP address ranges of each VPN endpoint must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x.
In this example, LAN A uses 192.168.0.1 and LAN B uses 192.168.3.1.

Procedure to Configure a Gateway-to-Gateway VPN Tunnel

Follow this procedure to configure a gateway-to-gateway VPN tunnel using the VPN Wizard.
1. Log in to the FVG318 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen. Click Next to proceed.
Figure 6-23: VPN Wizard start screen
2. Fill in the Connection Name and the pre-shared key, select the type of target end point, and click Next to proceed.
Figure 6-24: Connection Name and Remote IP Type
• Enter the new Connection Name: (GtoG in this example)
• Enter the pre-shared key: (12345678 in this example)
• Select the radio button: A remote VPN Gateway
3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next.
Figure 6-25: Remote IP
• Enter the WAN IP address of the remote VPN gateway: (22.23.24.25 in this example)
4. Identify the IP addresses at the target endpoint that can use this tunnel, and click Next.
Figure 6-26: Secure Connection Remote Accessibility
Enter the LAN IP settings of the remote VPN gateway:
• IP Address (192.168.3.1 in this example)
• Subnet Mask (255.255.255.0 in this example)
The Summary screen below displays.
Figure 6-27: VPN Wizard Summary
5. To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 6-27). Click Back to return to the Summary screen.
Figure 6-28: VPN Recommended Settings
Click Done on the Summary screen (see Figure 6-27) to complete the configuration procedure. The VPN Policies menu below displays showing that the new tunnel is enabled.
Figure 6-29: VPN Policies
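The gateway-to-gateway procedure above depends on one rule that is easy to get wrong when two sites were both set up with NETGEAR defaults: the LAN ranges behind the two endpoints must not overlap, or the tunnel will not come up. The following Python script is an added example, not NETGEAR's code and not part of the FVG318 firmware; it takes the same values the VPN Wizard asks for (WAN address, LAN IP address, subnet mask of each gateway) and reports configuration conflicts before anything is typed into the wizard. The `GatewayEndpoint` class and `check_gateway_to_gateway` function are names chosen for this example, and the WAN address 203.0.113.10 used for LAN A is a constructed documentation address because the page gives only LAN B's WAN address (22.23.24.25). The check that a gateway's WAN address must not lie inside either LAN range goes beyond what the manual states and is marked as an added check in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GatewayEndpoint:
    """One end of a gateway-to-gateway tunnel, holding the values the VPN Wizard asks for."""
    name: str        # label such as "LAN A" / "LAN B"
    wan: str         # WAN IP address of the gateway; the wizard also accepts an FQDN
    lan_ip: str      # LAN IP address of the gateway, e.g. 192.168.3.1
    lan_mask: str    # LAN subnet mask, e.g. 255.255.255.0

    def lan_network(self) -> ipaddress.IPv4Network:
        # strict=False accepts the gateway's host address plus its mask and returns
        # the network it belongs to (192.168.3.1/255.255.255.0 -> 192.168.3.0/24).
        return ipaddress.ip_network(f"{self.lan_ip}/{self.lan_mask}", strict=False)

    def wan_address(self) -> Optional[ipaddress.IPv4Address]:
        try:
            return ipaddress.ip_address(self.wan)
        except ValueError:
            return None  # an FQDN cannot be checked offline; address checks are skipped


# The factory LAN range the manual warns about when it is in use on both sides.
NETGEAR_DEFAULT_LAN = ipaddress.ip_network("192.168.0.0/24")


def check_gateway_to_gateway(local: GatewayEndpoint, remote: GatewayEndpoint) -> List[str]:
    """Return a list of configuration problems; an empty list means the pair passes."""
    problems: List[str] = []
    local_net = local.lan_network()
    remote_net = remote.lan_network()

    # Rule from the manual: the two LAN ranges must differ, otherwise the tunnel fails.
    if local_net.overlaps(remote_net):
        if local_net == NETGEAR_DEFAULT_LAN and remote_net == NETGEAR_DEFAULT_LAN:
            problems.append(
                f"{local.name} and {remote.name} both use the NETGEAR default range "
                f"{NETGEAR_DEFAULT_LAN}; change one side before building the tunnel"
            )
        else:
            problems.append(
                f"LAN ranges overlap: {local.name} uses {local_net}, {remote.name} uses {remote_net}"
            )

    # Added check (not stated in the manual): a gateway's WAN address must not fall
    # inside either LAN range, or hosts on that LAN would treat the peer as a local
    # neighbour instead of routing to it through the gateway.
    for gw in (local, remote):
        wan = gw.wan_address()
        if wan is None:
            continue
        for owner, net in ((local, local_net), (remote, remote_net)):
            if wan in net:
                problems.append(
                    f"{gw.name} WAN address {wan} lies inside the {owner.name} LAN range {net}"
                )
    return problems


if __name__ == "__main__":
    # The manual's example: LAN A at 192.168.0.1, LAN B at 192.168.3.1, remote WAN 22.23.24.25.
    # LAN A's WAN address is not given on the page; 203.0.113.10 is a constructed value.
    lan_a = GatewayEndpoint("LAN A", "203.0.113.10", "192.168.0.1", "255.255.255.0")
    lan_b = GatewayEndpoint("LAN B", "22.23.24.25", "192.168.3.1", "255.255.255.0")
    for line in check_gateway_to_gateway(lan_a, lan_b) or ["no problems found"]:
        print(line)
```

Run it with the values from the Secure Connection Remote Accessibility screen of each side; the page's own example (192.168.0.1 on LAN A, 192.168.3.1 on LAN B, both with mask 255.255.255.0) passes, while two gateways still on 192.168.0.1 produce the default-range warning that corresponds to the failure the manual describes.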