Netgear FVL328 Reference Guide

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

NETGEAR, Inc.

4500 Great America Parkway Santa Clara, CA 95054 USA Phone 1-888-NETGEAR

202-10030-02 May 24, 2004

May 2004, 202-10030-02

Trademarks

NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this

document are copyright Intoto, Inc.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.

NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

EN 55 022 Declaration of Conformance

This is to certify that the FVL328 Prosafe High Speed VPN Firewall is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22).

Certificate of the Manufacturer/Importer

It is hereby certified that the FVL328 Prosafe High Speed VPN Firewall has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.

The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.

May 2004, 202-10030-02

Bestätigung des Herstellers/Importeurs

Es wird hiermit bestätigt, daß dasFVL328 Prosafe High Speed VPN Firewall gemäß der im BMPT-AmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.

Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.

Voluntary Control Council for Interference (VCCI) Statement

This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto), and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines, aimed at preventing radio interference in such residential areas.

When used near a radio or TV receiver , it may become the cause of radio interference. Read instructions for correct handling.

Technical Support

Refer to the Support Information Card that shipped with your FVL328 Prosafe High Speed VPN Firewall.

World Wide Web

NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.

May 2004, 202-10030-02

iii

May 2004, 202-10030-02

Chapter 1 About This Manual

Audience ................................... ................ ................ ................. ................ ................ .....1-1

Scope .............................................................................................................................1-1

Typographical Conventions ............................................................................................1-2

Special Message Formats ..............................................................................................1-2

How to Use this Manual ..................................................................................................1-3

How to Print this Manual .................................................................................................1-4

Chapter 2 Introduction

About the FVL328 ...........................................................................................................2-1

Summary of New Features in the FVL328 .....................................................................2-1

Key Features ..................................................................................................................2-2

Virtual Private Networking ........................................................................................2-2

A Powerful, True Firewall .........................................................................................2-3

Content Filtering .......................................................................................................2-3

Configurable Auto Uplink™ Ethernet Connection ....................................................2-3

Protocol Support ......................................................................................................2-4

Easy Installation and Management ..........................................................................2-5

What’s in the Box? ..........................................................................................................2-6

The Firewall’s Front Panel .......................................................................................2-6

The Firewall’s Rear Panel ........................................................................................2-7

Chapter 3 Connecting the FVL328 to the Internet

Connecting the FVL328 to Your LAN ..............................................................................3-1

How to Connect the FVL328 to Y our LAN ................................................................3-1

Configuring for a Wizard-Detected Login Account ...................................................3-6

Configuring for a Wizard-Detected Dynamic IP Account .........................................3-8

Configuring for a Wizard-Detected Fixed IP (Static) Account ..................................3-8

Contents i

May 2004, 202-10030-02

Testing Your Internet Connection ....................................................................................3-9

Manually Configuring Your Internet Connecti on ...........................................................3-10

How to Complete a Manual Configuration .............................................................3-11

Chapter 4 WAN and LAN Configuration

Configuring LAN IP Settings ...........................................................................................4-1

Using the Router as a DHCP Server ........................................................................4-2

How to Configure LAN TCP/IP Settings and View the DHCP Log ...........................4-3

How to Configure Reserved IP Addresses ................... ... .... .....................................4-4

Configuring WAN Settings ..............................................................................................4-5

Connect Automatically, as Required ........................................................................4-6

Setting Up a Default DMZ Server .............................. ... ... .... ... ... ... .... ... ... ... ...............4-7

How to Assign a Default DMZ Server ......................................................................4-7

Multi-DMZ Servers ...................................................................................................4-7

Responding to Ping on Internet WAN Port ...............................................................4-8

MTU Size .................................................................................................................4-8

Port Speed ......................... ... .... ... ... ... .... ... ... ... .......................................... ...............4-8

Port Triggering ............................. .... ... ... ... .... .......................................... ........................4-9

Port Triggering Rules ...................... ... .... ... ... ... .......................................... .............4-10

Adding a new Rule ............. ... .... ... ... ... .... ... ... ... .......................................... .............4-10

Checking Operation and Status .............................................................................4-11

Configuring Dynamic DNS ............................................................................................4-11

How to Configure Dynamic DNS ............................................................................4-12

Using Static Routes ......................................................................................................4-12

Static Route Example .............................................................................................4-12

How to Configure Static Routes .............................................................................4-13

Chapter 5 Protecting Your Network

Firewall Protection and Content Filtering Overview ............ ... .... ... ... ... .... ... ... ... ...............5-1

Using the Block Sites Menu to Screen Content ..............................................................5-1

Apply Keyword Blocking to Groups ..........................................................................5-3

Services and Rules Regulate Inbound and Outbound Traffic .........................................5-3

Defining a Service ....................................................................................................5-4

Using Inbound/Outbound Rules to Block or Allow Services .....................................5-5

Examples of Using Services and Rules to Regulate Traffic ...........................................5-7

ii Contents

May 2004, 202-10030-02

Inbound Rules (Port Forwarding) .............................. ............................................... 5-7

Example: Port Forwarding to a Local Public Web Server ..................................5-8

Example: Port Forwarding for Videoconferencing .............................................5-8

Example: Port Forwarding for VPN Tunnels when NAT is Off ...........................5-9

Outbound Rules (Service Blocking or Port Filtering) ........................ ...... ...... ....... ...5-10

Outbound Rule Example: Blocking Instant Messaging ....................................5-10

Other Rules Considerations ............ .......................................... ...................................5-11

Order of Precedence for Rules ..............................................................................5-11

Rules Menu Options ...............................................................................................5-12

Using a Schedule to Block or Allow Content or Traffic .................................................5-13

Setting the Time Zone ........ ... .... ... ... .......................................... ... .... ... ...................5-14

Set Clock ................................................................................................................5-14

Enable NTP (Network Time Protocol) ....................................................................5-14

User-defined NTP Server ...... .... ... ... ... .... ................................................................5-15

Getting E-Mail Notifications of Event Logs and Alerts ..................................................5-15

Viewing Logs of Web Access or Attempted Web Access .............................................5-17

What to Include in the Event Log ...........................................................................5-19

Chapter 6 Virtual Private Networking

Overview of FVL328 Policy-Based VPN Configuration ..................................................6-1

Using Policies to Manage VPN Traffic .....................................................................6-1

Using Automatic Key Management ..................................... ................................... .. 6-2

IKE Policies’ Automatic Key and Authentication Management ................................6-3

VPN Policy Configuration for Auto Key Negotiation ..................... ............................ 6-6

VPN Policy Configuration for Manual Key Exchange ...............................................6-9

Using Digital Certificates for IKE Auto-Policy Authentication .......................................6-14

Certificate Revocation List (CRL) ...........................................................................6-15

How to Use the VPN Wizard to Configure a VPN Tunnel .............................................6-15

Walk-Through of Configuration Scenarios ....................................................................6-18

VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets .........................6-19

FVL328 Scenario 1: How to Configure the IKE and VPN Policies .........................6-21

How to Check VPN Connections ...........................................................................6-26

FVL328 Scenario 2: Authenticating with RSA Certificates .....................................6-27

Contents iii

May 2004, 202-10030-02

Chapter 7 Managing Your Network

Protecting Access to Your FVL328 Firewall ....................................................................7-1

How to Change the Built-In Password .....................................................................7-1

How to Change the Administrator Login Timeout ....................................................7-2

Internet Traffic .................................................................................................................7-3

Internet Traffic Limit ..................................................................................................7-3

Enable Monthly Limit .......... ... .... .......................................... ... ... ... .... ... ... ... ...............7-4

Internet Traffic Statistics ...........................................................................................7-4

Traffic by Protocol ........................ ... ... .... ... ... ... ... .... ... .......................................... ... ..7-5

Network Database ..........................................................................................................7-5

Advantages of the Network Database ............................. .... ... ... ... .... ... ... ... ... .... ... ... ..7-6

Known PCs and Devices ..........................................................................................7-7

Operations .................................... ... ... .... .......................................... ........................7-7

Network Management ....................................................................................................7-8

How to Configure Remote Management ..................................................................7-8

Viewing Router Status and Usage Statistics .................................... ... ... ... ... .... ... ... ..7-9

Viewing Attached Devices ......................................................................................7-12

Viewing, Selecting, and Saving Logged Information ..............................................7-13

Changing the Include in Log Settings ..............................................................7-14

Enabling the Syslog Feature ...........................................................................7-15

Enabling Security Event E-mail Notification .................................................................7-15

Backing Up, Restoring, or Erasing Your Settings .........................................................7-17

How to Back Up the FVL328 Configuration to a File ..............................................7-17

How to Restore a Configuration from a File .............................. ............................. 7-18

How to Erase the Configuration .............................................................................7-18

Running Diagnostic Utilities and Rebooting the Router ................................................7-19

Upgrading the Router’s Firmware .................... ......... .......... .......... .......... ......... .......... ...7-20

How to Upgrade the Router ...................................................................................7-20

Chapter 8 Troubleshooting

Basic Functions ..............................................................................................................8-1

Power LED Not On ...................................................................................................8-2

Test LED Never Turns On or Test LED Stays On .....................................................8-2

Local or Internet Port Link LEDs Not On ..................................................................8-3

iv Contents

May 2004, 202-10030-02

Troubleshooting the Web Configuration Interface ..........................................................8-3

Troubleshooting the ISP Connection ..............................................................................8-4

Troubleshooting a TCP/IP Network Using a Ping Utility .................................................8-5

How to Test the LAN Path to Your Firewall ..............................................................8-6

How to Test the Path from Your PC to a Remote Device .........................................8-6

Restoring the Default Configuration and Password ............... .........................................8-7

How to Use the Default Reset Button ......................................................................8-7

Problems with Date and Time .........................................................................................8-8

Appendix A Technical Specifications

Appendix B Networks, Routing, and Firewall Basics

Related Publications ...................................................................................................... B-1

Basic Router Concepts .................................................................................................. B-1

What is a Router? ................................................................................................... B-1

Routing Information Protocol ................................................................................... B-2

IP Addresses and the Internet ......................................... .... ... ... ... .... ... ... ... ... .... ... ... . B-2

Netmask .................................... ................................................................ ..............B-4

Subnet Addressing .................................................................................................. B-4

Private IP Addresses ................................. ... ... ... .......................................... ........... B-7

Single IP Address Operation Using NAT ................................................................. B-7

MAC Addresses and Address Resolution Protocol ................................................. B-8

Related Documents ................................................................................................. B-9

Domain Name Server .............................................................................................. B-9

IP Configuration by DHCP .............................. ... .... ... ... ... .... ... ... .............................. B -9

Internet Security and Firewalls .................................................................................... B-10

What is a Firewall? ................................................................................................ B-10

Stateful Packet Inspection ............................... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ..... B-10

Denial of Service Attack .........................................................................................B-11

Ethernet Cabling ................................. ... ... .... ... .......................................... ... ... ... .... ... ...B-11

Category 5 Cable Quality .......................................................................................B-11

Inside Twisted Pair Cables .................................................................................... B-12

Uplink Switches, Crossover Cables, and MDI/MDIX Switching ............................ B-13

Contents v

May 2004, 202-10030-02

Appendix C Preparing Your Network

What You Will Need Before You Begin .................................. .... .................................... C-1

LAN Hardware Requirements ................................................................................. C-1

LAN Configuration Requirements ...........................................................................C-2

Internet Configuration Requirements ...................................................................... C-2

Where Do I Get the Internet Configuration Parameters? ................................. C-2

Worksheet for Recording Your Internet Connection Information .............................C-3

Preparing Your Computers for TCP/IP Networking ................................................ ... ... . C-4

Configuring Windows 95, 98, and Me for TCP/IP Networking ....................................... C-5

Install or V erify Windows Networking Components ................................................. C-5

Enabling DHCP to Automatically Configure TCP/IP Settings .................................C-6

Selecting Windows’ Internet Access Method ................ ......................... ........... C-7

Verifying TCP/IP Properties .................................................................................... C-7

Configuring Windows NT, 2000 or XP for IP Networking .............................. ................. C-8

Installing or Ve rifying Windows Networking Components ................ ... ... ... ... .... ... .... C-8

Verifying TCP/IP Properties .................................................................................... C-8

Configuring the Macintosh for TCP/IP Networking ........................................................ C-9

MacOS 8.6 or 9.x ......................... .......................................... ................................. C-9

MacOS X ...... ... .......................................... .......................................... ..................C-10

Verifying TCP/IP Properties for Macintosh Computers ... .... ... ... ... .... ... ... ... ... .... .....C-10

Restarting the Network ................................................................................................ C-11

Appendix D Firewall Log Formats

Action List ...................................................................................................................... D-1

Field List ........................................................................................................................ D-1

Outbound Log ..................................... .......................................... ................................. D-1

Inbound Log ...................................................................................................................D-2

Other IP Traffic ......................................... .... ... ... ... ....................................... ... ... .... ... ... . D-2

Router Operation ........................................................................................................... D-3

Other Connections and Traffic to this Router ................................................................ D-4

DoS Attack/Scan ...........................................................................................................D-4

Access Block Site .......................................................................................................... D-6

All Web Sites and News Groups Visited ........................................................................D-6

System Admin Sessions ................................................................................................ D-6

vi Contents

May 2004, 202-10030-02

Policy Administration LOG .............................................................................................D-7

Appendix E Virtual Private Networking

What is a VPN? ............................................................................................................. E-1

What is IPSec and How Does It Work? ......................................................................... E-2

IPSec Security Features .............................. ... ... .... ... ... ... .... ... ... ... .... ....................... E-2

IPSec Components ................................................................................................. E-2

Encapsulating Security Payload (ESP) ................................................................... E-3

Authentication Header (AH) ............................... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... .... E-4

IKE Security Association ........... .......................................... ... ... ... ........................... E-4

Mode ...................................... ...................... .................... ...................... ........... E-5

Key Management .................................................................................................... E-6

Understand the Process Before You Begin .. ................................................................. E-6

VPN Process Overview ......... ... ... .... ... ... ... .......................................... ........................... E-7

Network Interfaces and Addresses ......................................................................... E-7

Interface Addressing ......................................................................................... E-7

Firewalls ........................................................................................................... E-8

Setting Up a VPN Tunnel Between Gateways ........................................................ E-8

VPNC IKE Security Parameters ......... ... ... .... ... ............................................................ E-10

VPNC IKE Phase I Parameters ............................................................................. E-10

VPNC IKE Phase II Parameters .............................................................................E-11

Testing and Troubleshooting .........................................................................................E-11

Additional Reading ...................... .... ... ... ... .... ... .......................................... ... ... ... ..........E-11

Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to FVL328

Configuration Template ... .... ............................................................................................F-1

Step-By-Step Configuration of FVS318 or FVM318 Gateway A ............................. ........F-2

Step-By-Step Configuration of FVL328 Gateway B ........................................................F-5

Test the VPN Connection .............................................................................................F-10

Appendix G NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router

Configuration Profile ........................................... ... ... .......................................... ...........G -1

Step-By-Step Configuration of FVL328 or FWAG114 Gateway .....................................G-2

Step-By-Step Configuration of the FVL328 Firewall B ........... .... ... ... ... .... ... ... ... ... .... ... ... .G-7

Contents vii

May 2004, 202-10030-02

Testing the VPN Connection .. ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ..................................G-14

From the Client PC to the FVL328 .................. ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ..G-14

From the FVL328 to the Client PC ......... .......................................... ... ... ... ............G-15

Monitoring the PC VPN Connection ................... ... ... .... ... ... ... .... ..................................G-15

Viewing the FVL328 VPN Status and Log Information ................................................G-17

Appendix H NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVL328

Configuration Template ... .... ...........................................................................................H-1

Using DDNS and Fully Qualified Domain Names (FQDN) ..................................... H-2

Step-By-Step Configuration of FVS318 or FVM318 Gateway A ....................................H-3

Step-By-Step Configuration of FVL328 Gateway B .......................................................H-7

Test the VPN Connection ............................................................................................ H-12

Glossary Index

viii Contents

May 2004, 202-10030-02

Chapter 1

About This Manual

This chapter introduces the Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2.

Audience

This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technology tutorial information is provided in the Appendices and on the NETGEAR Web site.

Scope

This manual is written for the FVL328 Firewall according to these specifications:

Table 1-1. Manual Specifications

Product FVL328 Prosafe High Speed VPN Firewall Firmware Version Number Version 2.0 Release 05 Manual Part Number 202-10030-02 Manual Publication Date May 24, 2004

Note: Product updates are available on the NETGEAR Web site at

http://kbserver.netgear.com/products/FVL328.asp.

About This Manual 1

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

Typographical Conventions

This guide uses the following typographical conventions:

Table 1-2. Typographical conventions

italics Emphasis.

bold User input. [Enter] Named keys in text are shown enclosed in square brackets. The notation [Enter]

is used for the Enter key and the Return key.

MALL CAPS DOS file and directory names.

Special Message Formats

This guide uses the following formats to highlight special messages:

Note: This format is used to highlight information of importance or special interest.

2 About This Manual

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

How to Use this Manual

This manual is published in both HTML and .PDF file formats. The HTML version of this manual provides links to the .PDF versions of the manual and includes these features. To view the HTML version of the manual, you must have a browser with JavaScript enabled.

2 3

Figure Preface 1-1: HTML version of this manual

1. Left pane. Use the left pane to view the Contents, Index, and Search tabs.

2. Toolbar buttons. Use the toolbar buttons across the top to navigate, print pages, and more.

–The Show in Contents button locates the current topic in the Contents tab.

– Previous/Next buttons display the previous or next topic.

–The PDF button links to a PDF version of the full manual.

–The Print button prints the current topic. Use this button when a

step-by-step procedure is displayed to send the entire procedure to your printer. You do not have to worry about specifying the range of pages.

3. Right pane. Use the right pane to view the contents of the manual. Also, each page of the

manual includes a link at the top right which links to a PDF file containing just the currently selected chapter of the manual.

About This Manual 3

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

How to Print this Manual

To print this manual you can choose one of the following options, according to your needs.

• Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on the

upper right side of the toolbar to print the currently displayed topic. Use this button when a step-by-step procedure is displayed to send the entire procedure to your printer. You do not have to worry about specifying the range of pages.

• Printing a Chapter. Use the link at the top right of any page.

– Click the “PDF of This Chapter” link at the top right of any page in the chapter you want

to print. A new browser window opens showing the PDF version of the chapter you were

viewing. – Click the print icon in the upper left of the window. – Tip: If your printer supports printing two pages on a single sheet of paper, you can save

paper and printer ink by selecting this feature.

• Printing the Full Manual. Use the PDF button in the toolbar at the top right of the browser

window. – Click the PDF button. A new browser window opens showing the PDF version of the full

manual. – Click the print icon in the upper left side of the window. – Tip: If your printer supports printing two pages on a single sheet of paper, you can save

paper and printer ink by selecting this feature.

4 About This Manual

May 2004, 202-10030-02

Chapter 2

Introduction

This chapter describes the features of the NETGEAR FVL328 Prosafe High Speed VPN Firewall. The FVL328 Firewall is now ICSA certified. It provides connections for multiple computers to the Internet through an external broadband access device (such as a cable modem or DSL modem) and supports IPSec-based secure tunnels to IPSec-compatible VPN servers.

About the FVL328

The FVL328 is a complete security solution that protects your network from attacks and intrusions and enables secure communications using Virtual Private Networks (VPN). Unlike simple Internet sharing routers that rely on Network Address Translation (NAT) for security, the FVL328 uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection. The 8-port FVL328 provides highly reliable Internet access for up to 253 users with up to 100 concurrent VPN tunnels.

Summary of New Features in the FVL328

The NETGEAR FVL328 VPN ProSafe Firewall contains many new features, including:

• Multi-DMZ (One-to-One DMZ)

– Up to 7 different WAN IPs can be mapped, one-to-one, to up to 7 private LAN IPs.

• Resettable WAN traffic meter

– Programmable traffic limit – Can block traffic or send e-mail when limit reached

• VPN Wizard that simplifies VPN setup and uses the VPNC defaults

• Four groups for keyword blocking

• E-mail authentication

Introduction 2-1

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

• IP-MAC access control: ensures a computer with an assigned MAC address always gets the same IP address when using DHCP

• Port Triggering

• Ease of Use Improvements

– Period (.) can be used to advance IP address, like using Tab – Clearer VPN status page – Advanced e-mail settings: Authentication, change from address Support for PPPoE with

static IP address – Trace route support added in diagnostic page – On services page, if the Finish port number is blank then the Start port number is used. – Allow broadcast IP for Syslog if e-mail enabled to send logs, log will be sent if reboot, etc. – Logs sent when reboots are initiated if e-mail is enabled

• ICSA Certified firewall, SMB 4.0 criteria

Key Features

The FVL328 features are highlighted below.

Virtual Private Networking

The FVL328 Firewall provides a secure encrypted connection between your local network and remote networks or clients. Its VPN features include:

• VPN Wizard: Simplifies VPN setup, uses VPNC defaults.

• Support for up to 100 simultaneous VPN connections.

• Support for industry standard VPN protocols. The FVL328 Prosafe High Speed VPN Firewall supports standard keying methods (Manual or IKE), standard authentication methods (MD5 and SHA-1), and standard encryption methods (DES, 3DES). It is compatible with many other VPN products.

• Support for up to 168 bit encryption (3DES) for maximum security.

• Support for VPN Main Mode, Aggressive mode, or Manual Keying.

2-2 Introduction

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

• Support for Fully Qualified Domain Name (FQDN) configuration when the Dynamic DNS feature is enabled with one of the supported service providers.

• VPNC Certified.

A Powerful, True Firewall

Unlike simple Internet sharing NAT routers, the FVL328 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:

• Firewall Policies: A firewall policy can be set for each of the 7 private LAN IPs

• DoS protection Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, Land Attack and IP Spoofing.

• Blocks unwanted traffic from the Internet to your LAN.

• Blocks access from your LAN to Internet locations or services that you specify as off-limits.

• Logs security incidents The FVL328 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to e-mail the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a significant event occurs.

• ICSA Certified, Small/Medium Business (SMB) Category version 4.0

Content Filtering

With its content filtering feature, the FVL328 prevents objectionable content from reaching your computers. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites. You can also create up to four groups, each with keyword blocking.

Configurable Auto Uplink™ Ethernet Connection

With its internal 8-port 10/100 switch, the FVL328 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the local LAN and the Internet W AN interfaces are 10/100 Mbps, autosensing, and capable of full-duplex or half-duplex operation.

Introduction 2-3

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

The firewall incorporates Auto UplinkTM technology. Each local Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.

Protocol Support

The FVL328 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). Appendix B, “Networks, Routing, and Firewall Basics” provides further information on TCP/IP. Supported protocols include:

• The Ability to Enable or Disable IP Address Sharing by NAT The FVL328 allows several networked computers to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. This feature can also be turned off completely for using the FVL328 in settings where you want to manage the IP address scheme of your organization.

• Automatic Configuration of Attached computers by DHCP The FVL328 dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached computers using Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on your local network. IP-MAC address locking ensures the same PC always gets the same IP address.

• DNS Proxy When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached computers. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN. There is a checkbox to disable this feature.

• PPP over Ethernet (PPPoE) PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your computer. The FVL328 now supports fixed IP with login.

• Point-to-Point Tunneling Protocol PPTP login support for European ISPs and BigPond login for Telstra cable in Australia.

2-4 Introduction

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

• Dynamic DNS Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The firewall contains a client that can connect to many popular Dynamic DNS services to register your dynamic IP address. See “Configuring

Dynamic DNS” on page 4-11.

Easy Installation and Management

You can install, configure, and operate the FVL328 within minutes after connecting it to the network. The following features simplify installation and management tasks:

• Browser-based management Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.

• Smart Wizard The firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.

•VPN Wizard The virtual private networking (VPN) Wizard of the FVL328 Firewall helps you configure VPN tunnels to provide secure, encrypted communications between your local network and a remote network or computer.

• Remote management The firewall allows you to login to the Web Management Interface from a remote location via the Internet using secure SLL protocol. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.

• Diagnostic functions The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot. These functions allow you to test Intern et connectivity and reboot the firewall. You can use these diagnostic functions directly from the FVL328 when your are connected on the LAN or when you are connected over the Internet via the remote management function. The FVL328 also now supports trace route.

• Visual monitoring The firewall’s front panel LEDs provide an easy way to monitor its status and activity.

• Flash EPROM for firmware upgrades.

Introduction 2-5

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

Note: Product updates are available on the NETGEAR Web site at

http://kbserver.netgear.com/products/FVL328.asp.

• Includes a battery-backed real-time clock so time will persist if power is removed.

• Regional support, including ISPs like Telstra DSL and BigPond or Deutsche Telekom.

What’s in the Box?

The product package should contain the following items:

• FVL328 Prosafe High Speed VPN Firewall

•AC power adapter

• FVL328 Resource CD (230-10061-02), including: — This manual — Application notes, tools, and other helpful information

• Warranty and registration card

• Support information card

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

The Firewall’s Front Panel

The front panel of the FVL328 (Figure 2-1) contains status LEDs.

MODEL

ProSafe Hi-Speed VPN Firewall

Cable/DSL

PWR TEST

INTERNET LOCAL

100

LNK/ACT

12345678

Figure 2-1: FVL328 Front Panel

2-6 Introduction

May 2004, 202-10030-02

100

LNK/ACT

FVL328

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

You can use some of the LEDs to verify connections. Table 2-1 lists and describes each LED on the front panel of the firewall. These LEDs are green when lit, except for the TEST LED, which is amber.

Table 2-1: LED Descriptions

Label Activity Description

POWER On Power is supplied to the firewall. TEST On

Off

Internet

100 On/Blinking The Internet port is operating at 100 Mbps. LINK/ACT (Activity) On/Blinking The port detected a link with the Internet WAN connection and is

LOCAL

100 On/Blinking The Local port is operating at 100 Mbps. LINK/ACT

(Link/Activity)

On/Blinking The Local port has detected a link with a LAN connection and is

The system is initializing. The system is ready and running.

operating at 10 Mbps. Blinking indicates data transmission.

The Firewall’s Rear Panel

The rear panel of the FVL328 (Figure 2-2) contains the connections identified below.

Figure 2-2: FVL328 Rear Panel

Viewed from left to right, the rear panel contains the following elements:

• Factory Default Reset push button

• Eight Local Ethernet RJ-45 ports for connecting the firewall to local computers

• Internet WAN Ethernet RJ-45 port for connecting the firewall to a broadband modem

• AC power adapter input

Introduction 2-7

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

2-8 Introduction

May 2004, 202-10030-02

Chapter 3

Connecting the FVL328 to the Internet

This chapter describes how to set up the firewall on your Local Area Network (LAN) and connect to the Internet. You can perform basic configurat ion of your FVL328 Prosafe High Speed VPN Firewall using the Setup Wizard, or manually configure your Internet connection.

Connecting the FVL328 to Your LAN

This section provides instructions for connecting the FVL328 Prosafe High Speed VPN Firewall to your Local Area Network (LAN).

Note: Appendix C, "Preparing Your Network" provides instructions for identifying network

configuration parameters.

How to Connect the FVL328 to Your LAN

There are three steps to connecting your firewall:

• Connect the firewall to your network.

• Restart your network in the correct sequence.

• Log in to the firewall.

• Connect to the Internet.

Follow the steps below to connect your firewall to your network.

1. CONNECT THE FIREWALL

a. Turn off your computer. b. Turn off the broadband modem.

Connecting the FVL328 to the Internet 3-1

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

Locate the Ethernet cable (Cable 1 in the diagram below) that runs from your broadband

modem to the computer. Disconnect the cable at the comp uter end only — point (A) in the diagram.

Disconnect

from

computer

Cable 1

%URDGEDQGPRGHP

Figure 3-1: Disconnect the broadband modem

Securely insert the end of the Ethernet cable (Cable 1) that you disconnected from your computer into the Internet port (B) on the FVL328. Cable 1 now connects from your cable or DSL broadband modem to the router.

Internet Port

,/#!,

-

).4%2.%4

,/#!,

-ODEL&6,(I3PEED60.&IREWALL

).4%2.%4

-ODEL&6,(I3PEED60.&IREWALL

-

"ROADBANDMODEM

Figure 3-2: Connect the broadband modem to the router

3-2 Connecting the FVL328 to the Internet

May 2004, 202-10030-02

6$#/!

Cable 1

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

Locate the blue Ethernet cable that came with your router. Securely insert one end of the

cable (Cable 2 in the diagram below) into a LAN port on the router such as LAN port 8 (C), and the other end into the Ethernet port of your computer (D).

Cable 2

,/#!,

-

).4%2.%4

6$#/!

-ODEL&6,(I3PEED60.&IREWALL

Cable 1

Local Port 8

"ROADBANDMODEM

Figure 3-3: Connect the computers on your network to the router

Note: The FVL328 incorporates Auto UplinkTM technology which eliminates the need to worry about crossover cables by automatically adjusting to the cable type.

Connecting the FVL328 to the Internet 3-3

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

RESTART YOUR NETWORK IN THE CORRECT SEQUENCE

Warning: Failure to restart your network in the correct sequence could prevent you from

connecting to the Internet.

a. First, turn on the broadband modem and wait 2 minutes. b. Now, turn on your firewall. c. Last, turn on your computer.

Note: If software usually logs you in to the Internet, do not run that software, or cancel it if it starts automatically.

d. Check the status lights and verify the following:

• Power: The power light goes on when your turn the firewall on.

• Test: The test light turns on, then goes off after less than a minute.

• Local: A Local light on the router is lit. If no Local lights are lit, check that the Ethernet cable connecting the powered on computer to the router is securely attached at both ends.

• Internet: The Internet light on the firewall is lit. If the Internet light is not lit, make sure the Ethernet cable is securely attached to the firewall Internet port and the powered on modem.

3. LOG IN TO THE FIREWALL

a. From your PC, launch your Internet browser.

Because you are not yet connected to the Internet, your browser will display a page not found message.

b. Connect to the firewall by typing http://192.168.0.1 in the address field of Internet

Explorer or Netscape

Figure 3-4: Log in to the firewall

3-4 Connecting the FVL328 to the Internet

Navigator and clicking Enter.

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

A login window opens as shown here:

Figure 3-5: Login window

Enter admin for the router user name and password for the router password, both in lower case letters.

d. After logging in to the router, you will see the Internet connection Setup Wizard on the

settings main page. Note: The user name and password are not the same as any user name or password you

may use to log in to your Internet connection.

4. RUN THE SETUP WIZARD TO CONNECT TO THE INTERNET

Figure 3-6: Setup Wizard

Connecting the FVL328 to the Internet 3-5

May 2004, 202-10030-02

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

You are now connected to the firewall. If you do not see the menu above, click the Setup

Wizard link on the upper left of the main menu.

b. Choose NAT or Classical Routing. NAT automatically assigns private IP addresses

(192.168.0.x) to LAN connected devices. Classical routing lets you directly manage the IP addresses the FVL328 uses. Classical routing should be selected only by experienced users.

c. Click Next and follow the steps in the Setup Wizard for inputting the configuration

parameters from your ISP to connect to the Internet. Note: If you choose not to use the Setup Wizard, you can manually configure your

Internet connection settings by following the procedure “Manually Configuring Your

Internet Connection” on page 3-10.

Unless your ISP automatically assigns your configuration automatically via DHCP, you will need the configuration parameters from your ISP as you recorded them previously in

“Worksheet for Recording Your Internet Connection Information” on page C-3

d. When the firewall successfully detects an active Internet service, the firewall’s Internet

LED goes on. The Setup Wizard reports which connection typ e it discovered, and displays the appropriate configuration menu. If the Setup Wi zard finds no connection, you will be prompted to check the physical connection between your firewall and the cable or DSL line.

e. The Setup Wizard will report the type of connection it finds. The options are:

• Connections that require a login using protocols such as PPPoE, Telstra BigPond, or PPTP broadband Internet connections.

• Connections that use dynamic IP address assignment.

• Connections that use fixed IP address assignment.

The procedures for filling in the configuration menu for each type of connection follow below.

Configuring for a Wizard-Detected Login Account

If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to the PPPoE:

3-6 Connecting the FVL328 to the Internet

May 2004, 202-10030-02

+ 204 hidden pages

Netgear FVL328 Reference Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

Trademarks

Statement of Conditions

EN 55 022 Declaration of Conformance

Certificate of the Manufacturer/Importer

Bestätigung des Herstellers/Importeurs

Voluntary Control Council for Interference (VCCI) Statement

Technical Support

World Wide Web

Contents

Audience

Scope

Typographical Conventions

Special Message Formats

How to Use this Manual

How to Print this Manual

About the FVL328

Summary of New Features in the FVL328

Key Features

Virtual Private Networking

A Powerful, True Firewall

Content Filtering

Configurable Auto Uplink™ Ethernet Connection

Protocol Support

Easy Installation and Management

What’s in the Box?

The Firewall’s Front Panel

The Firewall’s Rear Panel

Connecting the FVL328 to Your LAN

How to Connect the FVL328 to Your LAN

Configuring for a Wizard-Detected Login Account