Netgear FVL328 Reference Guide

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

NETGEAR, Inc.
4500 Great America Parkway Santa Clara, CA 95054 USA Phone 1-888-NETGEAR
202-10030-02 May 24, 2004
May 2004, 202-10030-02
© 2004 by NETGEAR, Inc. All rights reserved.

Trademarks

NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this document are copyright Intoto, Inc.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

EN 55 022 Declaration of Conformance

This is to certify that the FVL328 Prosafe High Speed VPN Firewall is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22).

Certificate of the Manufacturer/Importer

It is hereby certified that the FVL328 Prosafe High Speed VPN Firewall has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.

Certificate of the Manufacturer/Importer (German version)

It is hereby certified that the FVL328 Prosafe High Speed VPN Firewall has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
The Federal Office for Approvals in Telecommunications has been notified that this equipment has been placed on the market and is entitled to test the series for compliance with the regulations.

Voluntary Control Council for Interference (VCCI) Statement

This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto), and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines, aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver, it may become the cause of radio interference. Read the instructions for correct handling.

Technical Support

Refer to the Support Information Card that shipped with your FVL328 Prosafe High Speed VPN Firewall.

World Wide Web

NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.

Contents

Chapter 1 About This Manual
  Audience .......... 1-1
  Scope .......... 1-1
  Typographical Conventions .......... 1-2
  Special Message Formats .......... 1-2
  How to Use this Manual .......... 1-3
  How to Print this Manual .......... 1-4
Chapter 2 Introduction
  About the FVL328 .......... 2-1
  Summary of New Features in the FVL328 .......... 2-1
  Key Features .......... 2-2
    Virtual Private Networking .......... 2-2
    A Powerful, True Firewall .......... 2-3
    Content Filtering .......... 2-3
    Configurable Auto Uplink™ Ethernet Connection .......... 2-3
    Protocol Support .......... 2-4
    Easy Installation and Management .......... 2-5
  What’s in the Box? .......... 2-6
    The Firewall’s Front Panel .......... 2-6
    The Firewall’s Rear Panel .......... 2-7
Chapter 3 Connecting the FVL328 to the Internet
  Connecting the FVL328 to Your LAN .......... 3-1
    How to Connect the FVL328 to Your LAN .......... 3-1
    Configuring for a Wizard-Detected Login Account .......... 3-6
    Configuring for a Wizard-Detected Dynamic IP Account .......... 3-8
    Configuring for a Wizard-Detected Fixed IP (Static) Account .......... 3-8
  Testing Your Internet Connection .......... 3-9
  Manually Configuring Your Internet Connection .......... 3-10
    How to Complete a Manual Configuration .......... 3-11
Chapter 4 WAN and LAN Configuration
  Configuring LAN IP Settings .......... 4-1
    Using the Router as a DHCP Server .......... 4-2
    How to Configure LAN TCP/IP Settings and View the DHCP Log .......... 4-3
    How to Configure Reserved IP Addresses .......... 4-4
  Configuring WAN Settings .......... 4-5
    Connect Automatically, as Required .......... 4-6
    Setting Up a Default DMZ Server .......... 4-7
    How to Assign a Default DMZ Server .......... 4-7
    Multi-DMZ Servers .......... 4-7
    Responding to Ping on Internet WAN Port .......... 4-8
    MTU Size .......... 4-8
    Port Speed .......... 4-8
  Port Triggering .......... 4-9
    Port Triggering Rules .......... 4-10
    Adding a new Rule .......... 4-10
    Checking Operation and Status .......... 4-11
  Configuring Dynamic DNS .......... 4-11
    How to Configure Dynamic DNS .......... 4-12
  Using Static Routes .......... 4-12
    Static Route Example .......... 4-12
    How to Configure Static Routes .......... 4-13
Chapter 5 Protecting Your Network
  Firewall Protection and Content Filtering Overview .......... 5-1
  Using the Block Sites Menu to Screen Content .......... 5-1
    Apply Keyword Blocking to Groups .......... 5-3
  Services and Rules Regulate Inbound and Outbound Traffic .......... 5-3
    Defining a Service .......... 5-4
    Using Inbound/Outbound Rules to Block or Allow Services .......... 5-5
  Examples of Using Services and Rules to Regulate Traffic .......... 5-7
    Inbound Rules (Port Forwarding) .......... 5-7
      Example: Port Forwarding to a Local Public Web Server .......... 5-8
      Example: Port Forwarding for Videoconferencing .......... 5-8
      Example: Port Forwarding for VPN Tunnels when NAT is Off .......... 5-9
    Outbound Rules (Service Blocking or Port Filtering) .......... 5-10
      Outbound Rule Example: Blocking Instant Messaging .......... 5-10
  Other Rules Considerations .......... 5-11
    Order of Precedence for Rules .......... 5-11
    Rules Menu Options .......... 5-12
  Using a Schedule to Block or Allow Content or Traffic .......... 5-13
    Setting the Time Zone .......... 5-14
    Set Clock .......... 5-14
    Enable NTP (Network Time Protocol) .......... 5-14
    User-defined NTP Server .......... 5-15
  Getting E-Mail Notifications of Event Logs and Alerts .......... 5-15
  Viewing Logs of Web Access or Attempted Web Access .......... 5-17
    What to Include in the Event Log .......... 5-19
Chapter 6 Virtual Private Networking
  Overview of FVL328 Policy-Based VPN Configuration .......... 6-1
    Using Policies to Manage VPN Traffic .......... 6-1
    Using Automatic Key Management .......... 6-2
    IKE Policies’ Automatic Key and Authentication Management .......... 6-3
    VPN Policy Configuration for Auto Key Negotiation .......... 6-6
    VPN Policy Configuration for Manual Key Exchange .......... 6-9
  Using Digital Certificates for IKE Auto-Policy Authentication .......... 6-14
    Certificate Revocation List (CRL) .......... 6-15
  How to Use the VPN Wizard to Configure a VPN Tunnel .......... 6-15
  Walk-Through of Configuration Scenarios .......... 6-18
    VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets .......... 6-19
    FVL328 Scenario 1: How to Configure the IKE and VPN Policies .......... 6-21
    How to Check VPN Connections .......... 6-26
    FVL328 Scenario 2: Authenticating with RSA Certificates .......... 6-27
Chapter 7 Managing Your Network
  Protecting Access to Your FVL328 Firewall .......... 7-1
    How to Change the Built-In Password .......... 7-1
    How to Change the Administrator Login Timeout .......... 7-2
  Internet Traffic .......... 7-3
    Internet Traffic Limit .......... 7-3
    Enable Monthly Limit .......... 7-4
    Internet Traffic Statistics .......... 7-4
    Traffic by Protocol .......... 7-5
  Network Database .......... 7-5
    Advantages of the Network Database .......... 7-6
    Known PCs and Devices .......... 7-7
    Operations .......... 7-7
  Network Management .......... 7-8
    How to Configure Remote Management .......... 7-8
    Viewing Router Status and Usage Statistics .......... 7-9
    Viewing Attached Devices .......... 7-12
    Viewing, Selecting, and Saving Logged Information .......... 7-13
      Changing the Include in Log Settings .......... 7-14
      Enabling the Syslog Feature .......... 7-15
  Enabling Security Event E-mail Notification .......... 7-15
  Backing Up, Restoring, or Erasing Your Settings .......... 7-17
    How to Back Up the FVL328 Configuration to a File .......... 7-17
    How to Restore a Configuration from a File .......... 7-18
    How to Erase the Configuration .......... 7-18
  Running Diagnostic Utilities and Rebooting the Router .......... 7-19
  Upgrading the Router’s Firmware .......... 7-20
    How to Upgrade the Router .......... 7-20
Chapter 8 Troubleshooting
  Basic Functions .......... 8-1
    Power LED Not On .......... 8-2
    Test LED Never Turns On or Test LED Stays On .......... 8-2
    Local or Internet Port Link LEDs Not On .......... 8-3
  Troubleshooting the Web Configuration Interface .......... 8-3
  Troubleshooting the ISP Connection .......... 8-4
  Troubleshooting a TCP/IP Network Using a Ping Utility .......... 8-5
    How to Test the LAN Path to Your Firewall .......... 8-6
    How to Test the Path from Your PC to a Remote Device .......... 8-6
  Restoring the Default Configuration and Password .......... 8-7
    How to Use the Default Reset Button .......... 8-7
  Problems with Date and Time .......... 8-8
Appendix A Technical Specifications
Appendix B Networks, Routing, and Firewall Basics
  Related Publications .......... B-1
  Basic Router Concepts .......... B-1
    What is a Router? .......... B-1
    Routing Information Protocol .......... B-2
    IP Addresses and the Internet .......... B-2
    Netmask .......... B-4
    Subnet Addressing .......... B-4
    Private IP Addresses .......... B-7
    Single IP Address Operation Using NAT .......... B-7
    MAC Addresses and Address Resolution Protocol .......... B-8
    Related Documents .......... B-9
    Domain Name Server .......... B-9
    IP Configuration by DHCP .......... B-9
  Internet Security and Firewalls .......... B-10
    What is a Firewall? .......... B-10
    Stateful Packet Inspection .......... B-10
    Denial of Service Attack .......... B-11
  Ethernet Cabling .......... B-11
    Category 5 Cable Quality .......... B-11
    Inside Twisted Pair Cables .......... B-12
    Uplink Switches, Crossover Cables, and MDI/MDIX Switching .......... B-13
Appendix C Preparing Your Network
  What You Will Need Before You Begin .......... C-1
    LAN Hardware Requirements .......... C-1
    LAN Configuration Requirements .......... C-2
    Internet Configuration Requirements .......... C-2
      Where Do I Get the Internet Configuration Parameters? .......... C-2
    Worksheet for Recording Your Internet Connection Information .......... C-3
  Preparing Your Computers for TCP/IP Networking .......... C-4
  Configuring Windows 95, 98, and Me for TCP/IP Networking .......... C-5
    Install or Verify Windows Networking Components .......... C-5
    Enabling DHCP to Automatically Configure TCP/IP Settings .......... C-6
      Selecting Windows’ Internet Access Method .......... C-7
    Verifying TCP/IP Properties .......... C-7
  Configuring Windows NT, 2000 or XP for IP Networking .......... C-8
    Installing or Verifying Windows Networking Components .......... C-8
    Verifying TCP/IP Properties .......... C-8
  Configuring the Macintosh for TCP/IP Networking .......... C-9
    MacOS 8.6 or 9.x .......... C-9
    MacOS X .......... C-10
    Verifying TCP/IP Properties for Macintosh Computers .......... C-10
  Restarting the Network .......... C-11
Appendix D Firewall Log Formats
  Action List .......... D-1
  Field List .......... D-1
  Outbound Log .......... D-1
  Inbound Log .......... D-2
  Other IP Traffic .......... D-2
  Router Operation .......... D-3
  Other Connections and Traffic to this Router .......... D-4
  DoS Attack/Scan .......... D-4
  Access Block Site .......... D-6
  All Web Sites and News Groups Visited .......... D-6
  System Admin Sessions .......... D-6
  Policy Administration LOG .......... D-7
Appendix E Virtual Private Networking
  What is a VPN? .......... E-1
  What is IPSec and How Does It Work? .......... E-2
    IPSec Security Features .......... E-2
    IPSec Components .......... E-2
    Encapsulating Security Payload (ESP) .......... E-3
    Authentication Header (AH) .......... E-4
    IKE Security Association .......... E-4
      Mode .......... E-5
    Key Management .......... E-6
  Understand the Process Before You Begin .......... E-6
  VPN Process Overview .......... E-7
    Network Interfaces and Addresses .......... E-7
      Interface Addressing .......... E-7
      Firewalls .......... E-8
    Setting Up a VPN Tunnel Between Gateways .......... E-8
  VPNC IKE Security Parameters .......... E-10
    VPNC IKE Phase I Parameters .......... E-10
    VPNC IKE Phase II Parameters .......... E-11
  Testing and Troubleshooting .......... E-11
  Additional Reading .......... E-11
Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to FVL328
  Configuration Template .......... F-1
  Step-By-Step Configuration of FVS318 or FVM318 Gateway A .......... F-2
  Step-By-Step Configuration of FVL328 Gateway B .......... F-5
  Test the VPN Connection .......... F-10
Appendix G NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router
  Configuration Profile .......... G-1
  Step-By-Step Configuration of FVL328 or FWAG114 Gateway .......... G-2
  Step-By-Step Configuration of the FVL328 Firewall B .......... G-7
  Testing the VPN Connection .......... G-14
    From the Client PC to the FVL328 .......... G-14
    From the FVL328 to the Client PC .......... G-15
  Monitoring the PC VPN Connection .......... G-15
  Viewing the FVL328 VPN Status and Log Information .......... G-17
Appendix H NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVL328
  Configuration Template .......... H-1
    Using DDNS and Fully Qualified Domain Names (FQDN) .......... H-2
  Step-By-Step Configuration of FVS318 or FVM318 Gateway A .......... H-3
  Step-By-Step Configuration of FVL328 Gateway B .......... H-7
  Test the VPN Connection .......... H-12
Glossary
Index
Chapter 1
About This Manual
This chapter introduces the Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2.

Audience

This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technology tutorial information is provided in the Appendices and on the NETGEAR Web site.

Scope

This manual is written for the FVL328 Firewall according to these specifications:
Table 1-1. Manual Specifications
  Product: FVL328 Prosafe High Speed VPN Firewall
  Firmware Version Number: Version 2.0 Release 05
  Manual Part Number: 202-10030-02
  Manual Publication Date: May 24, 2004
Note: Product updates are available on the NETGEAR Web site at http://kbserver.netgear.com/products/FVL328.asp.

Typographical Conventions

This guide uses the following typographical conventions:
Table 1-2. Typographical conventions
  italics: Emphasis.
  bold: User input.
  [Enter]: Named keys in text are shown enclosed in square brackets. The notation [Enter] is used for the Enter key and the Return key.
  SMALL CAPS: DOS file and directory names.

Special Message Formats

This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.

How to Use this Manual

This manual is published in both HTML and .PDF file formats. The HTML version of this manual provides links to the .PDF versions of the manual and includes these features. To view the HTML version of the manual, you must have a browser with JavaScript enabled.
Figure Preface 1-1: HTML version of this manual (the numbered callouts 1, 2, and 3 in the figure correspond to the items below)
1. Left pane. Use the left pane to view the Contents, Index, and Search tabs.
2. Toolbar buttons. Use the toolbar buttons across the top to navigate, print pages, and more.
   – The Show in Contents button locates the current topic in the Contents tab.
   – The Previous/Next buttons display the previous or next topic.
   – The PDF button links to a PDF version of the full manual.
   – The Print button prints the current topic. Use this button when a step-by-step procedure is displayed to send the entire procedure to your printer. You do not have to worry about specifying the range of pages.
3. Right pane. Use the right pane to view the contents of the manual. Also, each page of the manual includes a link at the top right which links to a PDF file containing just the currently selected chapter of the manual.

How to Print this Manual

To print this manual you can choose one of the following options, according to your needs.
Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on the upper right side of the toolbar to print the currently displayed topic. Use this button when a step-by-step procedure is displayed to send the entire procedure to your printer. You do not have to worry about specifying the range of pages.
Printing a Chapter. Use the link at the top right of any page.
– Click the “PDF of This Chapter” link at the top right of any page in the chapter you want to print. A new browser window opens showing the PDF version of the chapter you were viewing.
– Click the print icon in the upper left of the window.
– Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.
Printing the Full Manual. Use the PDF button in the toolbar at the top right of the browser window.
– Click the PDF button. A new browser window opens showing the PDF version of the full manual.
– Click the print icon in the upper left side of the window.
– Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.
Chapter 2
Introduction
This chapter describes the features of the NETGEAR FVL328 Prosafe High Speed VPN Firewall. The FVL328 Firewall is now ICSA certified. It provides connections for multiple computers to the Internet through an external broadband access device (such as a cable modem or DSL modem) and supports IPSec-based secure tunnels to IPSec-compatible VPN servers.

About the FVL328

The FVL328 is a complete security solution that protects your network from attacks and intrusions and enables secure communications using Virtual Private Networks (VPN). Unlike simple Internet sharing routers that rely on Network Address Translation (NAT) for security, the FVL328 uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection. The 8-port FVL328 provides highly reliable Internet access for up to 253 users with up to 100 concurrent VPN tunnels.

Summary of New Features in the FVL328

The NETGEAR FVL328 VPN ProSafe Firewall contains many new features, including:
Multi-DMZ (One-to-One DMZ)
Up to 7 different WAN IPs can be mapped, one-to-one, to up to 7 private LAN IPs.
Resettable WAN traffic meter
Programmable traffic limit – Can block traffic or send e-mail when limit reached
VPN Wizard that simplifies VPN setup and uses the VPNC defaults
Four groups for keyword blocking
E-mail authentication
IP-MAC access control: ensures a computer with an assigned MAC address always gets the same IP address when using DHCP
Port Triggering
Ease of Use Improvements
– Period (.) can be used to advance IP address, like using Tab
– Clearer VPN status page
– Advanced e-mail settings: Authentication, change from address
– Support for PPPoE with static IP address
– Trace route support added in diagnostic page
– On services page, if the Finish port number is blank then the Start port number is used.
– Allow broadcast IP for Syslog; if e-mail is enabled to send logs, the log will be sent on reboot, etc.
– Logs sent when reboots are initiated if e-mail is enabled
ICSA Certified firewall, SMB 4.0 criteria

Key Features

The FVL328 features are highlighted below.

Virtual Private Networking

The FVL328 Firewall provides a secure encrypted connection between your local network and remote networks or clients. Its VPN features include:
VPN Wizard: Simplifies VPN setup, uses VPNC defaults.
Support for up to 100 simultaneous VPN connections.
Support for industry standard VPN protocols. The FVL328 Prosafe High Speed VPN Firewall supports standard keying methods (Manual or IKE), standard authentication methods (MD5 and SHA-1), and standard encryption methods (DES, 3DES). It is compatible with many other VPN products.
Support for up to 168 bit encryption (3DES) for maximum security.
Support for VPN Main Mode, Aggressive mode, or Manual Keying.
Support for Fully Qualified Domain Name (FQDN) configuration when the Dynamic DNS feature is enabled with one of the supported service providers.
VPNC Certified.

A Powerful, True Firewall

Unlike simple Internet sharing NAT routers, the FVL328 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
Firewall Policies: A firewall policy can be set for each of the 7 private LAN IPs.
DoS protection: Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, Land Attack and IP Spoofing.
Blocks unwanted traffic from the Internet to your LAN.
Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Logs security incidents: The FVL328 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to e-mail the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a significant event occurs.
ICSA Certified, Small/Medium Business (SMB) Category version 4.0

Content Filtering

With its content filtering feature, the FVL328 prevents objectionable content from reaching your computers. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites. You can also create up to four groups, each with keyword blocking.

Configurable Auto Uplink™ Ethernet Connection

With its internal 8-port 10/100 switch, the FVL328 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the local LAN and the Internet WAN interfaces are 10/100 Mbps, autosensing, and capable of full-duplex or half-duplex operation.
The firewall incorporates Auto Uplink™ technology. Each local Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.

Protocol Support

The FVL328 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). Appendix B, “Networks, Routing, and Firewall Basics” provides further information on TCP/IP. Supported protocols include:
The Ability to Enable or Disable IP Address Sharing by NAT: The FVL328 allows several networked computers to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. This feature can also be turned off completely for using the FVL328 in settings where you want to manage the IP address scheme of your organization.
Automatic Configuration of Attached Computers by DHCP: The FVL328 dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached computers using Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on your local network. IP-MAC address locking ensures the same PC always gets the same IP address.
DNS Proxy: When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached computers. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN. There is a checkbox to disable this feature.
PPP over Ethernet (PPPoE): PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your computer. The FVL328 now supports fixed IP with login.
Point-to-Point Tunneling Protocol: PPTP login support for European ISPs and BigPond login for Telstra cable in Australia.
Dynamic DNS: Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The firewall contains a client that can connect to many popular Dynamic DNS services to register your dynamic IP address. See “Configuring Dynamic DNS” on page 4-11.

Easy Installation and Management

You can install, configure, and operate the FVL328 within minutes after connecting it to the network. The following features simplify installation and management tasks:
Browser-based management: Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.
Smart Wizard: The firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
VPN Wizard: The virtual private networking (VPN) Wizard of the FVL328 Firewall helps you configure VPN tunnels to provide secure, encrypted communications between your local network and a remote network or computer.
Remote management: The firewall allows you to log in to the Web Management Interface from a remote location via the Internet using the secure SSL protocol. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.
Diagnostic functions: The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot. These functions allow you to test Internet connectivity and reboot the firewall. You can use these diagnostic functions directly from the FVL328 when you are connected on the LAN or when you are connected over the Internet via the remote management function. The FVL328 also now supports trace route.
Visual monitoring: The firewall’s front panel LEDs provide an easy way to monitor its status and activity.
Flash EPROM for firmware upgrades.
Note: Product updates are available on the NETGEAR Web site at http://kbserver.netgear.com/products/FVL328.asp.
Includes a battery-backed real-time clock so time will persist if power is removed.
Regional support, including ISPs like Telstra DSL and BigPond or Deutsche Telekom.

What’s in the Box?

The product package should contain the following items:
FVL328 Prosafe High Speed VPN Firewall
AC power adapter
FVL328 Resource CD (230-10061-02), including:
— This manual
— Application notes, tools, and other helpful information
Warranty and registration card
Support information card
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

The Firewall’s Front Panel

The front panel of the FVL328 (Figure 2-1) contains status LEDs.
Figure 2-1: FVL328 Front Panel
You can use some of the LEDs to verify connections. Table 2-1 lists and describes each LED on the front panel of the firewall. These LEDs are green when lit, except for the TEST LED, which is amber.
Table 2-1: LED Descriptions
Label                      Activity      Description
POWER                      On            Power is supplied to the firewall.
TEST                       On            The system is initializing.
                           Off           The system is ready and running.
Internet
  100                      On/Blinking   The Internet port is operating at 100 Mbps.
  LINK/ACT (Activity)      On/Blinking   The port detected a link with the Internet WAN connection and is operating at 10 Mbps. Blinking indicates data transmission.
LOCAL
  100                      On/Blinking   The Local port is operating at 100 Mbps.
  LINK/ACT (Link/Activity) On/Blinking   The Local port has detected a link with a LAN connection and is operating at 10 Mbps. Blinking indicates data transmission.

The Firewall’s Rear Panel

The rear panel of the FVL328 (Figure 2-2) contains the connections identified below.
Figure 2-2: FVL328 Rear Panel
Viewed from left to right, the rear panel contains the following elements:
Factory Default Reset push button
Eight Local Ethernet RJ-45 ports for connecting the firewall to local computers
Internet WAN Ethernet RJ-45 port for connecting the firewall to a broadband modem
AC power adapter input
Chapter 3
Connecting the FVL328 to the Internet
This chapter describes how to set up the firewall on your Local Area Network (LAN) and connect to the Internet. You can perform basic configuration of your FVL328 Prosafe High Speed VPN Firewall using the Setup Wizard, or manually configure your Internet connection.

Connecting the FVL328 to Your LAN

This section provides instructions for connecting the FVL328 Prosafe High Speed VPN Firewall to your Local Area Network (LAN).
Note: Appendix C, "Preparing Your Network" provides instructions for identifying network configuration parameters.

How to Connect the FVL328 to Your LAN

Connecting your firewall involves these steps:
Connect the firewall to your network.
Restart your network in the correct sequence.
Log in to the firewall.
Connect to the Internet.
Follow the steps below to connect your firewall to your network.
1. CONNECT THE FIREWALL
a. Turn off your computer.
b. Turn off the broadband modem.
c. Locate the Ethernet cable (Cable 1 in the diagram below) that runs from your broadband modem to the computer. Disconnect the cable at the computer end only — point (A) in the diagram.
Figure 3-1: Disconnect the broadband modem
d. Securely insert the end of the Ethernet cable (Cable 1) that you disconnected from your computer into the Internet port (B) on the FVL328. Cable 1 now connects from your cable or DSL broadband modem to the router.
Figure 3-2: Connect the broadband modem to the router
e. Locate the blue Ethernet cable that came with your router. Securely insert one end of the cable (Cable 2 in the diagram below) into a LAN port on the router such as LAN port 8 (C), and the other end into the Ethernet port of your computer (D).
Figure 3-3: Connect the computers on your network to the router
Note: The FVL328 incorporates Auto Uplink™ technology which eliminates the need to worry about crossover cables by automatically adjusting to the cable type.
2. RESTART YOUR NETWORK IN THE CORRECT SEQUENCE
Warning: Failure to restart your network in the correct sequence could prevent you from connecting to the Internet.
a. First, turn on the broadband modem and wait 2 minutes.
b. Now, turn on your firewall.
c. Last, turn on your computer.
Note: If software usually logs you in to the Internet, do not run that software, or cancel it if it starts automatically.
d. Check the status lights and verify the following:
Power: The power light goes on when you turn the firewall on.
Test: The test light turns on, then goes off after less than a minute.
Local: A Local light on the router is lit. If no Local lights are lit, check that the Ethernet cable connecting the powered on computer to the router is securely attached at both ends.
Internet: The Internet light on the firewall is lit. If the Internet light is not lit, make sure the Ethernet cable is securely attached to the firewall Internet port and the powered on modem.
3. LOG IN TO THE FIREWALL
a. From your PC, launch your Internet browser.
Because you are not yet connected to the Internet, your browser will display a page not found message.
b. Connect to the firewall by typing http://192.168.0.1 in the address field of Internet Explorer® or Netscape® Navigator and pressing Enter.
Figure 3-4: Log in to the firewall
c. A login window opens as shown here:
Figure 3-5: Login window
Enter admin for the router user name and password for the router password, both in lower case letters.
d. After logging in to the router, you will see the Internet connection Setup Wizard on the settings main page.
Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection.
4. RUN THE SETUP WIZARD TO CONNECT TO THE INTERNET
Figure 3-6: Setup Wizard
a. You are now connected to the firewall. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu.
b. Choose NAT or Classical Routing. NAT automatically assigns private IP addresses (192.168.0.x) to LAN connected devices. Classical routing lets you directly manage the IP addresses the FVL328 uses. Classical routing should be selected only by experienced users.
c. Click Next and follow the steps in the Setup Wizard for inputting the configuration parameters from your ISP to connect to the Internet.
Note: If you choose not to use the Setup Wizard, you can manually configure your Internet connection settings by following the procedure “Manually Configuring Your Internet Connection” on page 3-10.
Unless your ISP assigns your configuration automatically via DHCP, you will need the configuration parameters from your ISP as you recorded them previously in “Worksheet for Recording Your Internet Connection Information” on page C-3.
d. When the firewall successfully detects an active Internet service, the firewall’s Internet LED goes on. The Setup Wizard reports which connection type it discovered, and displays the appropriate configuration menu. If the Setup Wizard finds no connection, you will be prompted to check the physical connection between your firewall and the cable or DSL line.
e. The Setup Wizard will report the type of connection it finds. The options are:
Connections that require a login using protocols such as PPPoE, Telstra BigPond, or PPTP broadband Internet connections.
Connections that use dynamic IP address assignment.
Connections that use fixed IP address assignment.
The procedures for filling in the configuration menu for each type of connection follow below.

Configuring for a Wizard-Detected Login Account

If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to the PPPoE menu:
1. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.
2. Enter the PPPoE login user name and password provided by your ISP. These fields are case sensitive. If you want to change the login timeout, enter a new value in minutes.
Note: You will no longer need to launch the ISP’s login program on your computer in order to access the Internet. When you start an Internet application, the firewall will automatically log you in.
3. Enable or disable NAT (Network Address Translation). NAT allows all LAN computers to gain Internet access via this Router, by sharing this Router's WAN IP address. In most situations, NAT is essential for Internet access via this Router. You should only disable NAT if you are sure you do not require it. When NAT is disabled, only standard routing is performed by this Router.
4. Perform a DNS Lookup. A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
If you enter an address here, after you finish configuring the firewall, reboot your computers so that the settings take effect.
5. Enter the Router's MAC Address. Each computer or router on your network has a unique 32-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access Control) address. Usually, select Use default address.
If your ISP requires MAC authentication, then select either Use this Computer's MAC address to have the router use the MAC address of the computer you are now using, or Use This MAC Address to manually type in the MAC address that your ISP expects.
6. Click Apply to save your settings.
7. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting.

Configuring for a Wizard-Detected Dynamic IP Account

If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the Dynamic IP menu.
1. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.
2. If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your computers after configuring the firewall.
3. The Router’s MAC Address is the Ethernet MAC address that will be used by the firewall on the Internet port.
If your ISP allows access from only one specific computer’s Ethernet MAC address, select “Use this MAC address.” The firewall will then capture and use the MAC address of the computer that you are now using. You must be using the one computer that is allowed by the ISP. Otherwise, you can type in a MAC address.
Note: Some ISPs will register the Ethernet MAC address of the network interface card in your computer when your account is first opened. They will then only accept traffic from the MAC address of that computer. This feature allows your firewall to masquerade as that computer by using its MAC address.
4. Click Apply to save your settings.
5. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting.

Configuring for a Wizard-Detected Fixed IP (Static) Account

If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you will be directed to the Fixed IP menu.
1. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP you recorded in “Worksheet for Recording Your Internet Connection Information” on page C-3.
2. Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
DNS servers are required to perform the function of translating an Internet name such as www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must obtain DNS server addresses from your ISP and enter them manually here. You should reboot your computers after configuring the firewall for these settings to take effect.
3. Click Apply to save the settings.
4. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting.

Testing Your Internet Connection

After completing the Internet connection configuration, you can test your Internet connection. Log in to the firewall, then, from the Setup Basic Settings link, click the Test button. If the NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting.
Your firewall is now configured to provide Internet access for your network. Your firewall automatically connects to the Internet when one of your computers requires access. It is not necessary to run a dialer or login application such as Dial-Up Networking or Enternet to connect, log in, or disconnect. These functions are performed by the firewall as needed.
To access the Internet from any computer connected to your firewall, launch a browser such as Microsoft Internet Explorer or Netscape Navigator. You should see the firewall’s Internet LED blink, indicating communication to the ISP. The browser should begin to display a Web page.
The following chapters describe how to configure the advanced features of your firewall, and how to troubleshoot problems that may occur.

Manually Configuring Your Internet Connection

You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
ISP Does Not Require Login
ISP Does Require Login
Figure 3-7: Browser-based configuration Basic Settings menu

How to Complete a Manual Configuration

Manually configure the firewall in the Basic Settings menu using these steps:
1. Answer the question, “Does Your Internet Connection Require a Login?”
Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet. You must also log in to establish a PPPoE connection that uses a Static IP address.
Note: If you are a Telstra BigPond cable modem customer, or if you are in an area such as Austria that uses PPTP, login is required. Select Yes, then select BigPond or PPTP from the Internet Service Type drop-down box.
Select No if you do not log in to establish your Internet connection.
2. If you selected Yes, follow the instructions below. If your Internet connection does not require a login, skip to step 3.
– Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers. These fields are case sensitive.
– If you want to change the login timeout, enter a new value in minutes. This determines how long the firewall keeps the Internet connection active after there is no Internet activity from the LAN. Entering an Idle Timeout value of zero means never log out.
– If you want to disable NAT, select the Disable radio button. Before disabling NAT, back up your current configuration settings.
Note: Disabling NAT will reboot the router and reset all the FVL328 configuration settings to the factory default. Disable NAT only if you plan to install the FVL328 in a setting where you will be manually administering the IP address space on the LAN side of the router.
– Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
3. If you selected No, follow the instructions below.
– If required, enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers. The Account Name and Domain Name are not always required.
– If you want to disable NAT, select the Disable radio button. Before disabling NAT, back up your current configuration settings.
Note: Disabling NAT will reboot the router and reset all the FVL328 configuration settings to the factory default. Disable NAT only if you plan to install the FVL328 in a setting where you will be manually administering the IP address space on the LAN side of the router.
– Internet IP Address (also commonly called the WAN IP address): If your ISP has assigned you a permanent, fixed (static) IP address for your computer, select “Use static IP address.” Enter the IP address that your ISP assigned. Also enter the netmask and the Gateway IP address. The Gateway is the ISP’s router to which your firewall will connect.
– Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your computers after configuring the firewall.
– Router’s MAC Address: This section determines the Ethernet MAC address that will be used by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your computer when your account is first opened. They will then only accept traffic from the MAC address of that computer. This feature allows your firewall to masquerade as that computer by “cloning” its MAC address.
To change the MAC address, select “Use this Computer’s MAC address.” The firewall will then capture and use the MAC address of the computer that you are now using. You should use the one computer that is allowed by the ISP. Or, select “Use this MAC address” and enter it.
4. Click Apply to save your settings.
5. Click the Test button to test your Internet connection.
If the NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting.
Chapter 4
WAN and LAN Configuration
This chapter describes how to configure the WAN and LAN settings of your FVL328 Prosafe High Speed VPN Firewall.

Configuring LAN IP Settings

The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These features can be found under the Advanced heading in the Main Menu of the browser interface.
The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The firewall’s default LAN IP configuration is:
LAN IP address—192.168.0.1
Subnet mask—255.255.255.0
These addresses are part of the IETF-designated private address range for use in private networks, and should be suitable in most applications. If your network has a requirement to use a different IP addressing scheme, you can make those changes.
The LAN TCP/IP Setup parameters are:
IP Address This is the LAN IP address of the firewall.
Note: If you change the LAN IP address of the firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again.
IP Subnet Mask This is the LAN Subnet Mask of the firewall. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
RIP Direction RIP (Router Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction selection controls how the firewall sends and receives RIP packets. Both is the default.
— When set to Both or Out Only, the firewall will broadcast its routing table periodically.
— When set to Both or In Only, it will incorporate the RIP information that it receives.
— When set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version This controls the format and the broadcasting method of the RIP packets that the router sends. It recognizes both formats when receiving. By default, this is set for RIP-1.
— RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you have an unusual network setup.
— RIP-2 carries more information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format.
— RIP-2B uses subnet broadcasting.
— RIP-2M uses multicasting.
Note: Multicasting can reduce the load on non-router machines because they do not listen to the RIP multicast address and will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting.

Using the Router as a DHCP Server

By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the router's LAN. The assigned default gateway address is the LAN address of the firewall. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.
For most applications, the default DHCP and TCP/IP settings of the firewall are satisfactory. See “IP Configuration by DHCP” on page B-9 for an explanation of DHCP and information about how to assign IP addresses for your network.
If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the ‘Use router as DHCP server’ check box. Otherwise, leave it checked.
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the firewall’s LAN IP address. Using the default addressing scheme, you should define a range between 192.168.0.2 and 192.168.0.253, although you may wish to save part of the range for devices with fixed addresses.
The firewall will deliver the following parameters to any LAN device that requests DHCP:
An IP Address from the range you have defined
Subnet Mask
Gateway IP Address is the firewall’s LAN IP address
Primary DNS Server, if you entered a Primary DNS address in the Basic Settings menu; otherwise, the firewall’s LAN IP address
Secondary DNS Server, if you entered a Secondary DNS address in the Basic Settings menu

How to Configure LAN TCP/IP Settings and View the DHCP Log

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
2. From the Main Menu, under Advanced, click the LAN IP Setup link to view the menu, shown below. To view the DHCP Log, click DHCP Log.
Figure 4-1: LAN IP Setup Menu
3. Enter the LAN TCP/IP and DHCP parameters.
4. Click Apply to save your changes.

How to Configure Reserved IP Addresses

When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings.
To reserve an IP address:
1. Click the Add button.
2. In the IP Address box, type the IP address to assign to the PC or server.
Choose an IP address from the router’s LAN subnet, such as 192.168.0.X.
3. Type the MAC Address of the PC or server.
Note: If the PC is already present on your network, you can copy its MAC address from the Attached Devices menu and paste it here.
4. Click Apply to enter the reserved address into the table.
Note: The reserved address will not be assigned until the next time the PC contacts the router's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.
To edit or delete a reserved address entry:
1. Click the button next to the reserved address you want to edit or delete.
2. Click Edit or Delete.
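The DHCP pool and reserved-address rules above (pool inside the firewall's LAN subnet, firewall address kept out of the pool, reservations on the LAN and not duplicated) can be checked before they are typed into the menu. The following is an added example, not part of the manual or the FVL328 firmware; the MAC addresses and the 192.168.0.10 / 192.168.0.254 reservations are constructed sample values.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Six hex pairs separated by ':' or '-', as shown in the Attached Devices menu.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


@dataclass
class LanDhcpConfig:
    """The LAN IP Setup fields that matter for address consistency."""
    lan_ip: str          # firewall's LAN IP address (default 192.168.0.1)
    subnet_mask: str     # LAN subnet mask (default 255.255.255.0)
    pool_start: str      # DHCP Starting IP Address
    pool_end: str        # DHCP Ending IP Address
    reserved: dict = field(default_factory=dict)   # MAC address -> reserved IP


def validate(cfg: LanDhcpConfig) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    iface = ipaddress.ip_interface(f"{cfg.lan_ip}/{cfg.subnet_mask}")
    net, router = iface.network, iface.ip
    start = ipaddress.ip_address(cfg.pool_start)
    end = ipaddress.ip_address(cfg.pool_end)

    # The pool must be a non-empty range inside the firewall's own LAN subnet.
    if start > end:
        problems.append("pool start is after pool end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside the LAN subnet {net}")

    # The pool must never hand out the firewall's address, the network
    # address or the broadcast address of the subnet.
    for label, addr in (("firewall LAN IP", router),
                        ("network address", net.network_address),
                        ("broadcast address", net.broadcast_address)):
        if start <= addr <= end:
            problems.append(f"pool includes the {label} {addr}")

    # Reserved entries: well-formed MAC, a usable host address on the LAN,
    # not the firewall itself, and no two MACs reserving the same IP.
    seen = {}
    for mac, ip_str in cfg.reserved.items():
        if not MAC_RE.match(mac):
            problems.append(f"reserved entry has malformed MAC address {mac!r}")
        ip = ipaddress.ip_address(ip_str)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"reserved address {ip} for {mac} is not a usable LAN host address")
        elif ip == router:
            problems.append(f"reserved address {ip} for {mac} is the firewall's own address")
        if ip in seen:
            problems.append(f"reserved address {ip} is assigned to both {seen[ip]} and {mac}")
        seen[ip] = mac
    return problems


def usable_pool_size(cfg: LanDhcpConfig) -> int:
    """Addresses left for unreserved clients after reservations inside the pool."""
    start = int(ipaddress.ip_address(cfg.pool_start))
    end = int(ipaddress.ip_address(cfg.pool_end))
    reserved_in_pool = sum(1 for ip in cfg.reserved.values()
                           if start <= int(ipaddress.ip_address(ip)) <= end)
    return max(0, end - start + 1 - reserved_in_pool)


# Constructed sample: the manual's default scheme, with two constructed
# reservations for servers (one inside the pool, one kept outside it).
DEFAULT_CFG = LanDhcpConfig(
    lan_ip="192.168.0.1", subnet_mask="255.255.255.0",
    pool_start="192.168.0.2", pool_end="192.168.0.253",
    reserved={"00:11:22:33:44:55": "192.168.0.10",
              "00:11:22:33:44:66": "192.168.0.254"},
)

if __name__ == "__main__":
    for line in validate(DEFAULT_CFG) or ["configuration is consistent"]:
        print(line)
    print("addresses available to dynamic clients:", usable_pool_size(DEFAULT_CFG))
```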

Configuring WAN Settings

Using this page, you can set up a Default DMZ Server and allow the router to respond to a ping from the Internet. Both of these options have security issues, so use them carefully.
The WAN Setup menu allows configuration of WAN services such as automatic connection, DMZ server, enabling diagnostic PING tests on the WAN interface, setting the MTU size, and the WAN port speed. These features can be found under the Advanced WAN Setup heading in the Main Menu of the browser interface.
Note: Configure the Networking Database (see “Network Database” on page 7-5) before configuring the DMZ Servers (see “Setting Up a Default DMZ Server” on page 4-7 and “Multi-DMZ Servers” on page 4-7).
These features are discussed below.
Figure 4-2: WAN Setup

Connect Automatically, as Required

Normally, this option should be Enabled, so that an Internet connection will be made automatically, whenever Internet-bound traffic is detected. If this causes high connection costs, you can disable this setting.
If disabled, you must connect manually, using the sub-screen accessed from the Connection Status button on the Status screen.

Setting Up a Default DMZ Server

Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that you haven't defined. There are security issues with doing this, so only do this if you're willing to risk open access. If you do not assign a Default DMZ Server, the router discards any incoming service requests that are undefined.
The default DMZ server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The firewall is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local PC can run the application properly if that PC’s IP address is entered as the default DMZ server.
Note: For security, you should avoid using the default DMZ server feature. When a
computer is designated as the default DMZ server, it loses much of the protection of the firewall, and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Ports menu. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server.

How to Assign a Default DMZ Server

1. Click the Default DMZ Server check box.
2. Type the IP address for that server.
3. Click Apply.

Multi-DMZ Servers

This feature can only be used if your ISP has allocated you multiple fixed Internet IP addresses. In this situation, you can define a separate DMZ server for each Internet IP address. To use the Multi-DMZ feature, follow this procedure for each Internet IP address:
1. Enable one of the Multi-DMZ checkboxes.
2. To the right of the checkbox, enter the Internet IP address assigned to you by your ISP.
3. Select the PC to be used as the DMZ Server for this IP address.
4. Click Apply.
Note: All incoming traffic to that IP address will be sent to the selected PC.
Out-going traffic from the selected PC will use the IP address you entered, not the default WAN IP address.
If you only have one (1) Internet IP address, you cannot use the Multi-DMZ feature, only the Default DMZ Server setting above.

Responding to Ping on Internet WAN Port

If you want the FVL328 to respond to a ping from the Internet, click this check box. This should only be used as a diagnostic tool, since it allows your firewall to be discovered. Again, like the DMZ server, this can be a security problem. You shouldn't check this box unless you have a specific reason to do so.

MTU Size

The normal MTU (Maximum Transmission Unit) value for most Ethernet networks is 1500 bytes, or 1492 bytes for PPPoE connections. For some ISPs you may need to reduce the MTU. But this is rarely required, and should not be done unless you are sure it is necessary for your ISP connection. Any packets sent through the firewall that are larger than the configured MTU size will be repackaged into smaller packets to meet the MTU requirement.
To change the MTU size:
1. Under MTU Size, select Custom.
2. Enter a new size between 64 and 1500.
3. Click Apply to save the new configuration.

Port Speed

In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may need to manually select the port speed.
If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100M; otherwise, select 10M. Use the half-duplex settings unless you are sure you need full duplex.

Port Triggering

Port Triggering is used to allow applications which would otherwise be blocked by the firewall. Using this feature requires that you know the port numbers used by the Application.
Once configured, operation is as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. This Router records this connection, opens the INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PC’s request, and responds using a different port number.
4. This Router matches the response to the previous request, and forwards the response to the PC.
(Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.)
Note: Only 1 PC can use a Port Triggering application at any time.
After a PC has finished using a Port Triggering application, there is a Time-out period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated.
Figure 4-3: Port Triggering

Port Triggering Rules

This table lists the current rules:
Enable - Indicates if the rule is enabled or disabled. Generally, there is no need to disable a rule unless it interferes with some other function, such as Port Forwarding.
Name - The name for this rule.
Outgoing Ports - The port or port range for outgoing traffic. An outgoing connection using one of these ports will Trigger this rule.
Incoming Ports - The port or port range used by the remote system when it responds to the outgoing request. A response using one of these ports will be forwarded to the PC which triggered this rule.

Adding a new Rule

Figure 4-4: Port Trigger Add
To add a new rule, click Add and enter the following data on the resulting screen.
Name - enter a suitable name for this rule (e.g. the name of the application)
Enable/Disable - select the desired option.
Outgoing (Trigger) Port Range - enter the range of port numbers used by the application when it generates an outgoing request.
Incoming (Response) Port Range - enter the range of port numbers used by the remote system when it responds to the PC's request.

Modifying or Deleting an existing Rule

1. Select the desired rule by clicking the radio button beside the rule.
2. Click Edit or Delete as desired.

Checking Operation and Status

To see which rules are currently being used, click the Status button. The following data will be displayed:
Rule - the name of the Rule.
LAN IP Address - The IP address of the PC currently using this rule.
Open Ports - the Incoming ports which are associated with this rule. Incoming traffic using one of these ports will be sent to the IP address above.
Time Remaining - The time remaining before this rule is released, and thus available for other PCs. This timer is restarted whenever incoming or outgoing traffic is received.
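The Port Triggering behaviour described in this section (one PC holds a rule, the incoming ports open only for that PC, the timer restarts on traffic, and the rule is released after the time-out) is modelled below as an added example; it is not code from the manual or the FVL328 firmware. The 6112 / 6113-6119 port numbers and the 600-unit time-out are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TriggerRule:
    """One row of the Port Triggering Rules table."""
    name: str
    outgoing: Tuple[int, int]   # Outgoing (Trigger) port range, inclusive
    incoming: Tuple[int, int]   # Incoming (Response) port range, inclusive
    enabled: bool = True


@dataclass
class ActiveEntry:
    lan_ip: str          # the one PC currently holding the rule
    expires_at: float    # simulated clock time at which the rule is released


class PortTriggering:
    """Models the behaviour described above: an outgoing connection on a trigger
    port opens the rule's incoming ports for that PC only, any traffic restarts
    the timer, and the rule is released for other PCs when it expires.
    The timeout length is this example's assumption; the manual gives none."""

    def __init__(self, rules: List[TriggerRule], timeout: float = 600.0):
        self.rules = {r.name: r for r in rules}
        self.timeout = timeout
        self.active: Dict[str, ActiveEntry] = {}

    def _expire(self, now: float) -> None:
        for name in [n for n, e in self.active.items() if e.expires_at <= now]:
            del self.active[name]

    def outbound(self, lan_ip: str, dst_port: int, now: float) -> Optional[str]:
        """A LAN PC opens a connection to dst_port; returns the rule triggered, if any."""
        self._expire(now)
        for rule in self.rules.values():
            lo, hi = rule.outgoing
            if not (rule.enabled and lo <= dst_port <= hi):
                continue
            entry = self.active.get(rule.name)
            if entry is None:
                self.active[rule.name] = ActiveEntry(lan_ip, now + self.timeout)
                return rule.name
            if entry.lan_ip == lan_ip:
                entry.expires_at = now + self.timeout     # same PC: restart the timer
                return rule.name
            return None   # another PC holds this rule until its timeout elapses
        return None

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Unsolicited Internet traffic to dst_port; returns the LAN IP it is sent to,
        or None when it falls through to the ordinary Port Forwarding rules."""
        self._expire(now)
        for name, entry in self.active.items():
            lo, hi = self.rules[name].incoming
            if lo <= dst_port <= hi:
                entry.expires_at = now + self.timeout     # response traffic restarts the timer
                return entry.lan_ip
        return None

    def status(self, now: float) -> list:
        """The Status screen: Rule, LAN IP Address, Open Ports, Time Remaining."""
        self._expire(now)
        return [(name, e.lan_ip, self.rules[name].incoming, e.expires_at - now)
                for name, e in self.active.items()]


if __name__ == "__main__":
    # Constructed rule: an application that connects out on 6112 and is answered on 6113-6119.
    pt = PortTriggering([TriggerRule("game", (6112, 6112), (6113, 6119))], timeout=600)
    print(pt.inbound(6115, now=0))                     # None: nothing opened yet
    print(pt.outbound("192.168.0.10", 6112, now=1))    # game
    print(pt.inbound(6115, now=2))                     # 192.168.0.10
    print(pt.outbound("192.168.0.11", 6112, now=3))    # None: a second PC is refused
    print(pt.status(now=3))
```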

Configuring Dynamic DNS

If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently. In this case, you can use a commercial dynamic DNS service, which will allow you to register your domain to their IP address, and will forward traffic directed to your domain to your frequently-changing IP address.
The firewall contains a client that can connect to a dynamic DNS service provider. To use this feature, you must select a service provider and obtain an account with them. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.

How to Configure Dynamic DNS

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click Dynamic DNS.
3. Click the radio button for the dynamic DNS service you will use. Access the Web site of the dynamic DNS service provider and register for an account. For example, for TZO.com, go to www.TZO.com.
4. Click Apply to save your configuration.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.

Using Static Routes

Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple routers or multiple IP subnets located on your network.

Static Route Example

As an example of when a static route is needed, consider the following case:
Your primary Internet access is through a cable modem to an ISP.
You have an ISDN router on your home network for connecting to the company where you are employed. This router’s address on your LAN is 192.168.0.100.
Your company’s network is 134.177.0.0.
When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your firewall will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company’s firewall.
In this case you must define a static route, telling your firewall that 134.177.0.0 should be accessed through the ISDN router at 192.168.0.100. The static route would look like Figure 4-6.
In this example:
The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses.
The Gateway IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN router at 192.168.0.100.
A Metric value of 1 will work since the ISDN router is on the LAN. This represents the number of routers between your network and the destination. This is a direct connection so it is set to 1.
Private is selected only as a precautionary security measure in case RIP is activated.

How to Configure Static Routes

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click on Static Routes to view the Static Routes menu, shown in Figure 4-5.
Figure 4-5: Static Routes Table
3. To add or edit a Static Route:
a. Click the Edit button to open the Edit Menu, shown below.
Figure 4-6: Static Route Entry and Edit Menu
b. Type a route name for this static route in the Route Name box under the table. This is for identification purposes only.
c. Select Active to make this route effective.
d. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
e. Type the Destination IP Address of the final destination.
f. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255.
g. Type the Gateway IP Address, which must be a router on the same LAN segment as the firewall.
h. Type a number between 1 and 15 as the Metric value. This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
4. Click Apply to have the static route entered into the table.
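The static route example (the company network 134.177.0.0 reached through the ISDN router at 192.168.0.100) and the Edit menu constraints above (metric 1 to 15, gateway on the LAN, Private routes kept out of RIP) are worked through below as an added example; it is not code from the manual or the FVL328. Route selection is modelled as longest-prefix match, and the ISP gateway address 203.0.113.1 is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    """One row of the Static Routes table, named after the Edit menu fields."""
    name: str
    destination: str     # Destination IP Address
    subnet_mask: str     # IP Subnet Mask (255.255.255.255 for a single host)
    gateway: str         # Gateway IP Address (a router on the firewall's LAN)
    metric: int          # 1..15, routers between your network and the destination
    active: bool = True
    private: bool = False   # Private routes are never reported in RIP

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.destination}/{self.subnet_mask}", strict=False)


def validate_route(route: StaticRoute, lan: ipaddress.IPv4Network) -> List[str]:
    """Checks the Edit menu constraints stated in the manual."""
    problems = []
    if not 1 <= route.metric <= 15:
        problems.append(f"{route.name}: metric {route.metric} is outside 1..15")
    if ipaddress.ip_address(route.gateway) not in lan:
        problems.append(f"{route.name}: gateway {route.gateway} is not on the LAN {lan}")
    return problems


def lookup(routes: List[StaticRoute], dest_ip: str) -> Optional[StaticRoute]:
    """Longest-prefix match over active routes; a lower metric wins a tie."""
    addr = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if r.active and addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def rip_advertised(routes: List[StaticRoute]) -> List[StaticRoute]:
    """What the firewall would announce in RIP: active routes not marked Private."""
    return [r for r in routes if r.active and not r.private]


LAN = ipaddress.ip_network("192.168.0.0/24")

# The two implicit routes created when the firewall is configured for Internet
# access. The ISP gateway address is constructed (TEST-NET-3); the LAN route's
# "gateway" is the firewall itself, i.e. a directly connected network.
IMPLICIT_ROUTES = [
    StaticRoute("default", "0.0.0.0", "0.0.0.0", "203.0.113.1", 1),
    StaticRoute("lan", "192.168.0.0", "255.255.255.0", "192.168.0.1", 1),
]

# The manual's example: the company network 134.177.0.0 via the ISDN router at
# 192.168.0.100, metric 1 because that router is on the LAN, marked Private so
# it is not advertised should RIP be turned on.
COMPANY_ROUTE = StaticRoute("company", "134.177.0.0", "255.255.0.0",
                            "192.168.0.100", 1, private=True)

if __name__ == "__main__":
    target = "134.177.10.5"
    print("without the static route ->", lookup(IMPLICIT_ROUTES, target).gateway)
    print("with the static route    ->", lookup(IMPLICIT_ROUTES + [COMPANY_ROUTE], target).gateway)
    print("advertised in RIP:", [r.name for r in rip_advertised(IMPLICIT_ROUTES + [COMPANY_ROUTE])])
```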
Chapter 5
Protecting Your Network
This chapter describes how to use the firewall features of the FVL328 Prosafe High Speed VPN Firewall to protect your network.

Firewall Protection and Content Filtering Overview

The FVL328 Prosafe High Speed VPN Firewall provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail. Parents and network administrators can establish restricted access policies based on time-of-day, Web addresses, and Web address keywords. You can also block Internet access by applications and services, such as chat or games.
A firewall is a special category of router that protects one network (the “trusted” network, such as your LAN) from another (the “untrusted” network, such as the Internet), while allowing communication between the two. A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.
To configure these features of your router, click on the subheadings under the Content Filtering heading in the Main Menu of the browser interface. The subheadings are described below:

Using the Block Sites Menu to Screen Content

The FVL328 allows you to restrict access based on the following categories:
Use of a proxy server
Type of file (Java, ActiveX, Cookie)
Web addresses
Web address keywords
Many Web sites will not function correctly if these components are blocked. These options are discussed below. The Keyword Blocking menu is shown here.
Figure 5-1: Block Sites menu
To enable filtering, click the checkbox next to the type of filtering you want to enable. The filtering choices are:
Proxy: blocks use of a proxy server
Java: blocks use of Java applets
ActiveX: blocks use of ActiveX components (OCX files) used by IE on Windows
Cookies: blocks all cookies
To enable keyword blocking, check “Turn keyword blocking on”, then click Apply. To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply. Keyword application examples:
If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX.
If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
If you want to block all Internet browsing access, enter the keyword “.”.
Up to 255 entries are supported in the Keyword list.

Apply Keyword Blocking to Groups

Select the Groups you wish to apply the Keyword Blocking to.
To manage these groups, use the Network Database screen on the Maintenance menu.
The Web Components settings always apply to all PCs.

Services and Rules Regulate Inbound and Outbound Traffic

The FVL328 Prosafe High Speed VPN Firewall lets you regulate what ports are available to the various TCP/IP protocols. Follow these two steps to configure inbound or outbound traffic:
1. Define a Service
2. Set up an Inbound or Outbound Rule that uses the Service
These steps are discussed below.

Defining a Service

Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the FVL328 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you have the port number information, go to the Services menu and click on the Add Custom Service button. The Add Services menu will appear.
To add a service:
1. Enter a descriptive name for the service so that you will remember what it is.
2. Select whether the service uses TCP or UDP as its transport protocol.
If you can’t determine which is used, select both.
3. Enter the lowest port number used by the service.
4. Enter the highest port number used by the service.
If the service only uses a single port number, enter the same number in both fields.
5. Click Apply.
The new service will now appear in the Services menu, and in the Service name selection box in the Rules menu.

Using Inbound/Outbound Rules to Block or Allow Services

Firewall rules are used to block or allow specific traffic passing through from one side of the firewall to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVL328 are:
Inbound: Block all access from outside except responses to requests from the LAN side.
Outbound: Allow all access from the LAN side to the outside.
These default rules are shown here:
Figure 5-2: Rules menu
You can define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined.
To create a new rule, click the Add button. To edit an existing rule, select its button on the left side of the table and click Edit. To delete an existing rule, select its button on the left side of the table and click Delete. To move an existing rule to a different position in the table, select its button on the left side of the table and click Move. At the script prompt, enter the number of the desired new position and click OK.
An example of the menu for defining or editing a rule is shown in Figure 5-2. The parameters are:
Service. From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services menu to add any additional services or applications that do not already appear.
Action. Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu.
Source Address. Specify traffic originating on the LAN (outbound) or the WAN (inbound), and choose whether you would like the traffic to be restricted by source IP address. You can select Any, a Single address, or a Range. If you select a range of addresses, enter the range in the start and finish boxes. If you select a single address, enter it in the start box.
Destination Address. The Destination Address will be assumed to be on the opposite side (LAN or WAN) from the Source Address. As with the Source Address, you can select Any, a Single address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you must enter a Single LAN address in the start box.
Log. You can select whether the traffic will be logged. The choices are:
– Never - no log entries will be made for this service.
– Match - traffic of this type which matches the parameters and action will be logged.

Examples of Using Services and Rules to Regulate Traffic

The following examples show how Services and Rules are combined to block or allow specific Internet traffic through your firewall.

Inbound Rules (Port Forwarding)

Because the FVL328 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule, also known as port forwarding, you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the router to direct inbound traffic for a particular service to one local server based on the destination port number.
Note: Some home broadband accounts do not allow you to run any server processes (such as a Web or FTP server). Your ISP may check for servers and suspend your account if it discovers active servers at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Follow these guidelines when setting up port forwarding inbound rules:
• If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menus so that external users can always find your network.
• If the IP address of the local server computer is assigned by DHCP, it may change when the computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the computer’s IP address constant.
• Local computers must access the local server using the local LAN address of the computer. Attempts by local computers to access the server using the external WAN IP address will fail.
• Remember that allowing inbound services opens holes in your FVL328 Firewall. Only enable those ports that are necessary for your network.
Following are application examples of inbound rules:
Example: Port Forwarding to a Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server any time of day.
This rule is shown in Figure 5-3.
Figure 5-3: Rule example: A Local Public Web Server
Example: Port Forwarding for Videoconferencing
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 5-4, CU-SeeMe is a predefined service and its connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.
Figure 5-4: Rule example: Videoconference from Restricted Addresses
Example: Port Forwarding for VPN Tunnels when NAT is Off
If you want to allow incoming VPN IPSec tunnels to be initiated from outside IP addresses anywhere on the Internet when NAT is off, first create a service and then an inbound rule.
Figure 5-5: Service example: port forwarding for VPN when NAT is Off
In the example shown in Figure 5-5, UDP port 500 connections are defined as the IPSec service.
Figure 5-6: Inbound rule example: VPN IPSec when NAT is off
In the example shown in Figure 5-6, VPN IPSec connections are allowed for any internal LAN IP address.

Outbound Rules (Service Blocking or Port Filtering)

The FVL328 allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local computer based on:
• IP address of the local computer (source address)
• IP address of the Internet site being contacted (destination address)
• Time of day
• Type of service being requested (service port number)
Outbound Rule Example: Blocking Instant Messaging
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the router log any attempt to use Instant Messenger during that blocked period.
Figure 5-7: Rule example: Blocking Instant Messenger

Other Rules Considerations

The order of precedence of rules is determined by the position of the rule on a list of many rules. Also, there are optional Rules settings you can configure. These topics are presented here.

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules menu. For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order of the entries in the Rules Table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet. The Move button allows you to relocate a defined rule to a new position in the table.
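The following Python model is an added example, not NETGEAR code: it holds a Rules table containing the Web server, videoconferencing and Instant Messenger rules from the examples above and walks it top to bottom the way the text describes, with move() standing in for the Move button. The LAN and WAN addresses, the CU-SeeMe (7648) and Instant Messenger (5190) port numbers, and the Monday to Friday 09:00 to 17:00 schedule are assumptions; the manual names the services but not their ports.

```python
"""Added model (not NETGEAR code) of the FVL328 Rules table: rules are tried top to
bottom, the first match decides, and the default rules at the bottom apply otherwise."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional, Tuple, Union

# Source/Destination Address selector of a rule: "ANY", a single address,
# or an inclusive (start, finish) range.
Selector = Union[str, Tuple[str, str]]
DEFAULT_ACTION = {"inbound": "BLOCK", "outbound": "ALLOW"}   # the default rules

def addr_matches(selector: Selector, addr: str) -> bool:
    if selector == "ANY":
        return True
    ip = IPv4Address(addr)
    if isinstance(selector, tuple):
        return IPv4Address(selector[0]) <= ip <= IPv4Address(selector[1])
    return ip == IPv4Address(selector)

@dataclass(frozen=True)
class Schedule:
    """Schedule menu: chosen days, then All Day or a 24-hour window (10:30 pm = "22:30")."""
    days: frozenset                 # weekday abbreviations; empty means Every Day
    all_day: bool = True
    start: str = "00:00"
    end: str = "23:59"

    def active(self, when: datetime) -> bool:
        if self.days and when.strftime("%a") not in self.days:
            return False
        # zero-padded HH:MM strings compare correctly as text
        return self.all_day or self.start <= when.strftime("%H:%M") < self.end

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "inbound" (WAN to LAN) or "outbound" (LAN to WAN)
    proto: str                      # "TCP" or "UDP"
    port: Optional[int]             # service (destination) port; None = any
    action: str                     # "ALLOW" or "BLOCK"
    src: Selector = "ANY"
    dst: Selector = "ANY"           # with NAT an inbound rule names one LAN server
    schedule: Optional[Schedule] = None
    log: str = "Never"              # "Never" or "Match"

def evaluate(rules, direction, proto, src, dst, dport, when):
    """Subject one packet to the table; `when` is 'YYYY-MM-DD HH:MM'. Returns
    (action, matching rule name or None, target, logged); for an inbound match
    the target is the LAN server the router forwards the traffic to."""
    at = datetime.strptime(when, "%Y-%m-%d %H:%M")
    for r in rules:
        if r.direction != direction or r.proto != proto:
            continue
        if r.port is not None and r.port != dport:
            continue
        if not addr_matches(r.src, src):
            continue
        # Outbound rules filter on the Internet destination; an inbound rule names
        # the LAN server, so the WAN address the packet arrived on is not compared.
        if direction == "outbound" and not addr_matches(r.dst, dst):
            continue
        if r.schedule is not None and not r.schedule.active(at):
            continue
        target = r.dst if direction == "inbound" else dst
        return r.action, r.name, target, r.log == "Match"
    return DEFAULT_ACTION[direction], None, dst, False

def move(rules, name, position):
    """The Move button: relocate a defined rule to a new position in the table."""
    moved = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    return rest[:position] + [moved] + rest[position:]

# Constructed sample table. The 192.168.0.x and 203.0.113.x addresses and the
# CU-SeeMe (7648) and Instant Messenger (5190) ports are assumptions.
WORK_HOURS = Schedule(frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"}),
                      all_day=False, start="09:00", end="17:00")
RULES = [
    # Figure 5-3: HTTP from any outside address to the local Web server, any time
    Rule("Web server", "inbound", "TCP", 80, "ALLOW", dst="192.168.0.99"),
    # Figure 5-4: CU-SeeMe only from the branch office address range
    Rule("Branch videoconf", "inbound", "TCP", 7648, "ALLOW",
         src=("203.0.113.1", "203.0.113.50"), dst="192.168.0.11"),
    # An exemption placed above the block: order of precedence decides
    Rule("Manager exempt", "outbound", "TCP", None, "ALLOW", src="192.168.0.2"),
    # Figure 5-7: block Instant Messenger during working hours and log attempts
    Rule("Block IM", "outbound", "TCP", 5190, "BLOCK",
         schedule=WORK_HOURS, log="Match"),
]
```

Calling evaluate(RULES, "outbound", "TCP", "192.168.0.2", "198.51.100.9", 5190, "2004-05-24 10:00") allows the manager's traffic because the exemption sits above the block; after move(RULES, "Manager exempt", 3) the same packet is blocked and logged, which is the effect the Move button has on a real table.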

Rules Menu Options

Figure 5-8: Rules menu options
Use the Options checkboxes to enable the following:
Enable VPN Passthrough (IPSec, PPTP, L2TP). If LAN users need to use VPN (Virtual Private Networking) software on their computer, and connect to remote sites or servers, enable this checkbox. This will allow the VPN protocols (IPSec, PPTP, L2TP) to be used. If this checkbox is not checked, these protocols are blocked.
Drop fragmented IP packets. If checked, all fragmented IP packets will be dropped (discarded). Normally, this should NOT be checked.
Block TCP flood. If checked, when a TCP flood attack is detected, the port used will be closed, and no traffic will be able to use that port.
Block UDP flood. If checked, when a UDP flood attack is detected, all traffic from that IP address will be blocked.
Block non-standard packets. If checked, only known packet types will be accepted; other packets will be blocked. The known packet types are TCP, UDP, ICMP, ESP, and GRE. Note that these are packet types, not protocols.

Using a Schedule to Block or Allow Content or Traffic

If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The router allows you to specify when blocking will be enforced by configuring the Schedule tab shown below.
Figure 5-9: Schedule menu
To block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, if you want to limit access during certain times for the selected days, type a Start Time and an End Time.
Note: Enter the values in 24-hour time format. For example, 10:30 am would be 10 hours and 30 minutes and 10:30 pm would be 22 hours and 30 minutes. Be sure to click Apply when you have finished configuring this menu.

Setting the Time Zone

The FVL328 Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must specify your Time Zone:
Time Zone. Select your local time zone. This setting will be used for the blocking schedule and for time-stamping log entries. At power-up, the clock is set to Saturday 01/01/2001 00:00:00.
Automatically Adjust for Daylight Savings Time. Select this check box for automatic daylight savings time.
Note: If supported for your region, you can check Automatically adjust for Daylight Savings Time. If this is not supported, you must manually adjust the time to allow for Daylight Saving.
Be sure to click Apply when you have finished configuring this menu.

Set Clock

Use this to set a particular Date/Time to the RTC (Real-Time Clock). This is only useful if NTP (below) is not being used. Otherwise, your setting will be lost on the next synchronization with the NTP Server.

Enable NTP (Network Time Protocol)

If enabled, the RTC is updated regularly by contacting an NTP Server on the Internet. The fixed NTP query interval is 2 hours.

User-defined NTP Server

Choose your NTP server. The firewall uses NETGEAR NTP servers by default. If you would prefer to use a particular NTP server as the primary server, enter its IP address under Use this NTP Server.
If you prefer to use a particular NTP server, enable this and enter the name or IP address of an NTP Server in the Server 1 field. If required, you can also enter the address of another NTP server in the Server 2 field.

Getting E-Mail Notifications of Event Logs and Alerts

In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-Mail subheading:
Figure 5-10: E-mail menu
Turn e-mail notification on. Select this check box if you want to receive e-mail logs and alerts from the router.
Send alerts and logs by e-mail. If you enable e-mail notification, these boxes cannot be blank.
Enter the e-mail address to which logs and alerts will be sent. This e-mail address will also be used as the From address. If you leave this box blank, log and alert messages will not be sent via e-mail.
If you wish to set the From E-mail address used by this mail, or your SMTP server requires you to login before you can send mail, click the Advanced button and configure the Advanced E-mail screen.
Figure 5-11: Advanced E-mail
Check “My Mail Server requires authentication” if you need to log in to your SMTP server in order to send e-mail. If this is checked, you must enter the login name and password for your mail server.
Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as mail.myISP.com). You may be able to find this information in the configuration menu of your e-mail program.
Tip: You used this information when you set up your e-mail program. If you cannot remember it, check the settings in your e-mail program.
Send E-mail alerts immediately. You can specify that logs are immediately sent to the specified e-mail address when any of the following events occur:
• If a Denial of Service attack is detected.
• If a Port Scan is detected.
• If a user on your LAN attempts to access a Web site that you blocked using Keyword blocking.
Send logs according to this schedule. You can specify that logs are sent to you according to a schedule. Select whether you would like to receive the logs Hourly, Daily, Weekly, When Full, or None for no logs. Depending on your selection, you may also need to specify:
• Day for sending log – relevant when the log is sent weekly or daily.
• Time for sending log – relevant when the log is sent daily or weekly.
If the Weekly, Daily or Hourly option is selected and the log fills up before the specified period, the log is automatically e-mailed to the specified e-mail address. After the log is sent, the log is cleared from the router’s memory. If the router cannot e-mail the log file, the log buffer may fill up. In this case, the router overwrites the log and discards its contents.
Be sure to click Apply when you have finished configuring this menu.

Viewing Logs of Web Access or Attempted Web Access

The router will log security-related events, such as denied incoming and outgoing service requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu, the Log page will also show you when someone on your network tries to access a blocked site. If you enabled e-mail notification, you will receive these logs in an e-mail message. If you do not have e-mail notification enabled, you can view the logs here.
Figure 5-12: Logs menu
See Appendix D, “Firewall Log Formats” for a full explanation of log entry formats. Log action buttons are described in Table 5-1.
Table 5-1. Log action buttons
Refresh. Refreshes the log screen.
Clear Log. Clears the log entries.
Send Log. E-mails the log immediately.

What to Include in the Event Log

Use these checkboxes to determine which events are included in the log. Checking all options will increase the size of the log, so it is good practice to disable any events which are not really required.
All Web sites and news groups visited - If checked, all visited Web sites and newsgroups are logged.
All Incoming TCP/UDP/ICMP traffic - If checked, all incoming TCP/UDP/ICMP connections and traffic are logged.
All Outgoing TCP/UDP/ICMP traffic - If checked, all outgoing TCP/UDP/ICMP connections and traffic are logged.
Other IP traffic - If checked, all other traffic (IP packets which are not TCP, UDP, or ICMP) is logged.
Router operation (start up, get time, etc.) - If checked, Router operations, such as starting up and getting the time from the Internet Time Server, are logged.
Connection to the Web-based interface of this Router - If checked, Administrator connections to the Web-based interface will be logged.
Other connections and traffic to this Router - If checked, this will log traffic sent to this Router (rather than through this Router to the Internet).
Allow duplicate log entries - If checked, then events or packets which fall within more than one (1) category above will have a log entry for each category in which they belong. This will generate a large number of log entries. If unchecked, then events or packets will only be logged once. Usually, this should be left unchecked.
Logging programs are available for Windows, Macintosh, and Linux computers. Enable one of these three options, as required:
Disable - select this if you do not have a Syslog server.
Broadcast on LAN - the Syslog data is broadcast, rather than sent to a specific Syslog server. Use this if your Syslog Server does not have a fixed IP address.
Send to this Syslog server IP address - If your Syslog server has a fixed IP address, select this option, and enter the IP address of your Syslog server.
Chapter 6
Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. See also “How to Use the VPN Wizard to Configure a VPN Tunnel” on page 6-15.

Overview of FVL328 Policy-Based VPN Configuration

The FVL328 uses state-of-the-art firewall and security technology to facilitate controlled and actively monitored VPN connectivity. Since the FVL328 strictly conforms to Internet Engineering Task Force (IETF) standards, it is interoperable with devices from major network equipment vendors.
Figure 6-1: Secure access through FVL328 VPN routers (diagram labels: telecommuter with client software; FVL328 VPN Firewall at each site; VPN tunnels encrypt data)

Using Policies to Manage VPN Traffic

You create policy definitions to manage VPN traffic on the FVL328. There are two kinds of policies:
IKE Policies: Define the authentication scheme and automatically generate the encryption keys. As an alternative option, to further automate the process, you can create an Internet Key Exchange (IKE) policy which uses a trusted certificate authority to provide the authentication while the IKE policy still handles the encryption.
VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you can create a VPN policy which does not use an IKE policy but in which you manually enter all the authentication and key parameters.
Since the VPN Auto policies require IKE policies, you must define the IKE policy first. The FVL328 also allows you to manually input the authentication scheme and encryption key values. VPN Manual policies manage the keys according to settings you select and do not use IKE policies.
In order to establish secure communication over the Internet with the remote site you need to configure matching VPN parameters on both the local and remote sites. The outbound VPN parameters on one end must match the inbound VPN parameters on the other end, and vice versa.
When network traffic enters the FVL328 from the LAN network interface, if no VPN policy is found for that type of network traffic, then the traffic passes through without any change. However, if the traffic is selected by a VPN policy, then the Internet Protocol Security (IPSec) authentication and encryption rules will be applied to it as defined in the VPN policy.
By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy table. You can change the priority by selecting the VPN policy from the policy table and clicking Move.

Using Automatic Key Management

The most common configuration scenarios will use IKE policies to automatically manage the authentication and encryption keys. Based on the IKE policy, some parameters for the VPN tunnel are generated automatically. The IKE protocols perform negotiations between the two VPN endpoints to automatically generate required parameters.
Some organizations will use an IKE policy with a Certificate Authority (CA) to perform authentication. Typically, CA authentication is used in large organizations which maintain their own internal CA server. This requires that each VPN gateway have a certificate and trust certificate root from the CA. Using CAs reduces the amount of data entry required on each VPN endpoint.

IKE Policies’ Automatic Key and Authentication Management

Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 6-2.
Figure 6-2: IKE - Policy Configuration Menu
The IKE Policy Configuration fields are defined in the following table.
Table 6-1. IKE Policy Configuration Fields

General
These settings identify this policy and determine its major characteristics.
Policy Name. The descriptive name of the IKE policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify IKE policies.
Direction/Type. This setting is used when determining if the IKE policy matches the current traffic. The drop-down menu includes the following:
• Initiator – Outgoing connections are allowed, but incoming are blocked.
• Responder – Incoming connections are allowed, but outgoing are blocked.
• Both Directions – Both outgoing and incoming connections are allowed.
• Remote Access – This is to allow only incoming client connections, where the IP address of the remote client is unknown.
If Remote Access is selected, the “Exchange Mode” MUST be “Aggressive,” and the ‘Identities’ below (both Local and Remote) MUST be “Name.” On the matching VPN Policy, the IP address of the remote VPN endpoint should be set to 0.0.0.0.
Exchange Mode. Main Mode or Aggressive Mode. This setting must match the setting used on the remote VPN endpoint.
• Main Mode is slower but more secure.
• Aggressive Mode is faster but less secure.

Local
These parameters apply to the Local FVL328 firewall.
Local Identity Type. Use this field to identify the local FVL328. You can choose one of the following four options from the drop-down list:
• By its Internet (WAN) port IP address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
• By a Fully Qualified User Name – your name, E-mail address, or other ID.
• By DER ASN.1 DN – the binary Distinguished Encoding Rules (DER) encoding of your ASN.1 X.500 Distinguished Name.
Local Identity Data. This field lets you identify the local FVL328 by name.

Remote
These parameters apply to the target remote FVL328 firewall, VPN gateway, or VPN client.
Remote Identity Type. Use this field to identify the remote FVL328. You can choose one of the following four options from the drop-down list:
• By its Internet (WAN) port IP address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
• By a Fully Qualified User Name – your name, E-mail address, or other ID.
• By DER ASN.1 DN – the binary DER encoding of your ASN.1 X.500 Distinguished Name.
Remote Identity Data. This field lets you identify the target remote FVL328 by name.

IKE SA Parameters
These parameters determine the properties of the IKE Security Association.
Encryption Algorithm. Choose the encryption algorithm for this IKE policy:
• DES
• 3DES – more secure and the default
Authentication Algorithm. If you enable Authentication Headers (AH), this menu lets you select from these authentication algorithms:
• MD5 – less secure
• SHA-1 – more secure (default)
Authentication Method. You can select Pre-Shared Key or RSA Signature.
Pre-Shared Key. Specify the key according to the requirements of the Authentication Algorithm you selected.
• For MD5, the key length should be 16 bytes.
• For SHA-1, the key length should be 20 bytes.
RSA Signature. RSA Signature requires a certificate.
Diffie-Hellman (DH) Group. The Diffie-Hellman groups are MODP Oakley Groups 1 and 2. The DH Group setting determines the size of the key used in the key exchange. This must match the value used on the remote VPN gateway or client. Select Group 1 (768 bit) or Group 2 (1024 bit).
SA Life Time. The amount of time in seconds before the Security Association expires; over an hour (3600) is common.

VPN Policy Configuration for Auto Key Negotiation

An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
Figure 6-3: VPN - Auto Policy Menu
The VPN Auto Policy fields are defined in the following table.
Table 6-1. VPN Auto Policy Configuration Fields

General
These settings identify this policy and determine its major characteristics.
Policy Name. The descriptive name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify VPN policies.
IKE Policy. The existing IKE policies are presented in a drop-down list. Note: Create the IKE policy BEFORE creating a VPN - Auto policy.
Remote VPN Endpoint. The address used to locate the remote VPN firewall or client to which you want to connect. The remote VPN endpoint must have this FVL328’s Local Identity Data entered as its “Remote VPN Endpoint”:
• By its IP Address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
SA Life Time. The duration of the Security Association before it expires.
• Seconds – the amount of time before the SA expires. Over an hour is common (3600).
• Kbytes – the amount of traffic before the SA expires.
One of these can be set without setting the other.
IPSec PFS. If enabled, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. Each key has no relationship to the previous key.
PFS Key Group. If PFS is enabled, this setting determines the DH group bit size used in the key exchange. This must match the value used on the remote gateway. Select Group 1 (768 bit) or Group 2 (1024 bit).

Traffic Selector
These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.
Local IP. The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from your network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space. Note: Choosing ANY sends all traffic through the tunnel, which will eliminate activities such as Web access.
• Single IP Address
• Range of IP Addresses
• Subnet Address
Remote IP. The drop-down menu allows you to configure the destination IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from the remote site's corporate network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space. Note: Choosing ANY sends all traffic to the WAN through the tunnel, preventing, for example, remote management or response to ping.
• Single IP Address
• Range of IP Addresses
• Subnet Address

Authenticating Header (AH) Configuration
AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint.
Enable Authentication. Use this check box to enable or disable AH for this VPN policy.
Authentication Algorithm. If you enable AH, then select the authentication algorithm: MD5 – the default, or SHA1 – more secure.

Encapsulated Security Payload (ESP) Configuration
ESP provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication. Two ESP modes are available: Plain ESP encryption, or ESP encryption with authentication. These settings must match the remote VPN endpoint.
Enable Encryption. Use this check box to enable or disable ESP Encryption.
Encryption Algorithm. If you enable ESP encryption, then select the encryption algorithm: DES – the default, or 3DES – more secure.
Enable Authentication. Use this check box to enable or disable ESP transform for this VPN policy.
Authentication Algorithm. If you enable AH, then use this menu to select which authentication algorithm will be employed. The choices are: MD5 – the default, or SHA1 – more secure.
NetBIOS Enable. Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel. The NetBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood.
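As an added example (not NETGEAR code), the following Python checks that the IKE policy and VPN Auto policy configured on two FVL328s satisfy the matching requirements stated in the two tables above: exchange mode, DH group, algorithms and authentication method equal on both sides; pre-shared key length of 16 bytes for MD5 or 20 for SHA-1; each side's Remote Identity equal to the other's Local Identity; Remote Access only with Aggressive mode, Name identities and a 0.0.0.0 endpoint; mirrored traffic selectors; and the warning about ANY. The WAN addresses, subnets, policy names and the 20-character key are constructed placeholders, and treating the FQDN and User Name identity types as the manual's "Name" identities is an assumption.

```python
"""Added consistency check (not NETGEAR code) for an IKE / VPN Auto policy pair."""
from dataclasses import dataclass
from typing import List, Optional

PSK_BYTES = {"MD5": 16, "SHA-1": 20}      # pre-shared key length per algorithm
NAME_ID_TYPES = {"FQDN", "User Name"}     # the manual's "Name" identities (assumed)

@dataclass(frozen=True)
class IkePolicy:
    name: str
    direction: str        # Initiator | Responder | Both Directions | Remote Access
    exchange_mode: str    # Main | Aggressive
    local_id_type: str    # WAN IP | FQDN | User Name | DER ASN.1 DN
    local_id: str
    remote_id_type: str
    remote_id: str
    encryption: str       # DES | 3DES
    authentication: str   # MD5 | SHA-1
    auth_method: str      # Pre-Shared Key | RSA Signature
    psk: str = ""
    dh_group: int = 2     # Group 1 (768 bit) or Group 2 (1024 bit)

@dataclass(frozen=True)
class VpnAutoPolicy:
    name: str
    ike_policy: str       # name of the IKE policy, which must be defined first
    remote_endpoint: str  # the peer's Local Identity Data, or 0.0.0.0 for Remote Access
    local_ip: str         # traffic selectors: "ANY", an address, a range or a subnet
    remote_ip: str
    esp_encryption: Optional[str] = "3DES"
    esp_auth: Optional[str] = "SHA1"
    ah_auth: Optional[str] = None
    pfs_group: Optional[int] = None
    sa_seconds: Optional[int] = 3600
    sa_kbytes: Optional[int] = None

def directions_compatible(a: str, b: str) -> bool:
    if "Remote Access" in (a, b):          # the other side must be able to initiate
        other = b if a == "Remote Access" else a
        return other in ("Initiator", "Both Directions")
    return (a, b) not in (("Initiator", "Initiator"), ("Responder", "Responder"))

def ike_problems(local: IkePolicy, remote: IkePolicy) -> List[str]:
    p = []   # empty list means the pair is consistent
    for f in ("exchange_mode", "dh_group", "encryption", "authentication", "auth_method"):
        if getattr(local, f) != getattr(remote, f):
            p.append(f"{f} differs: {getattr(local, f)!r} vs {getattr(remote, f)!r}")
    if local.auth_method == "Pre-Shared Key":
        need = PSK_BYTES.get(local.authentication)
        if need and len(local.psk.encode()) != need:
            p.append(f"pre-shared key must be {need} bytes for {local.authentication}")
        if local.psk != remote.psk:
            p.append("pre-shared keys differ")
    # Each side's Remote Identity must be the other side's Local Identity.
    if (local.local_id_type, local.local_id) != (remote.remote_id_type, remote.remote_id):
        p.append("peer's Remote Identity does not match our Local Identity")
    if (local.remote_id_type, local.remote_id) != (remote.local_id_type, remote.local_id):
        p.append("our Remote Identity does not match peer's Local Identity")
    if not directions_compatible(local.direction, remote.direction):
        p.append(f"directions {local.direction!r} / {remote.direction!r} cannot form a tunnel")
    for side in (local, remote):       # Remote Access: Aggressive mode and Name identities
        if side.direction == "Remote Access":
            if side.exchange_mode != "Aggressive":
                p.append(f"{side.name}: Remote Access requires Aggressive mode")
            if not {side.local_id_type, side.remote_id_type} <= NAME_ID_TYPES:
                p.append(f"{side.name}: Remote Access requires Name identities")
    return p

def vpn_problems(local, remote, local_ike, remote_ike) -> List[str]:
    p = []
    for side, own_ike, peer_ike in ((local, local_ike, remote_ike),
                                    (remote, remote_ike, local_ike)):
        # Remote VPN Endpoint is the peer's Local Identity Data (0.0.0.0 for Remote Access)
        want = "0.0.0.0" if own_ike.direction == "Remote Access" else peer_ike.local_id
        if side.remote_endpoint != want:
            p.append(f"{side.name}: Remote VPN Endpoint should be {want!r}")
        if side.sa_seconds is None and side.sa_kbytes is None:
            p.append(f"{side.name}: set SA Life Time in seconds or Kbytes")
        if "ANY" in (side.local_ip, side.remote_ip):
            p.append(f"{side.name}: ANY sends all traffic through the tunnel")
    if (local.local_ip, local.remote_ip) != (remote.remote_ip, remote.local_ip):
        p.append("traffic selectors are not mirror images")
    for f in ("esp_encryption", "esp_auth", "ah_auth", "pfs_group"):
        if getattr(local, f) != getattr(remote, f):
            p.append(f"{f} differs")
    return p

# Constructed site-to-site pair; addresses, subnets and the key are placeholders.
HQ_IKE = IkePolicy("to-branch", "Both Directions", "Main", "WAN IP", "198.51.100.1",
                   "WAN IP", "203.0.113.1", "3DES", "SHA-1", "Pre-Shared Key",
                   psk="20-byte-key-example!")
BRANCH_IKE = IkePolicy("to-hq", "Both Directions", "Main", "WAN IP", "203.0.113.1",
                       "WAN IP", "198.51.100.1", "3DES", "SHA-1", "Pre-Shared Key",
                       psk="20-byte-key-example!")
HQ_VPN = VpnAutoPolicy("hq-branch", "to-branch", "203.0.113.1", "192.168.0.0/24", "192.168.1.0/24")
BRANCH_VPN = VpnAutoPolicy("branch-hq", "to-hq", "198.51.100.1", "192.168.1.0/24", "192.168.0.0/24")
```

ike_problems(HQ_IKE, BRANCH_IKE) and vpn_problems(HQ_VPN, BRANCH_VPN, HQ_IKE, BRANCH_IKE) both return an empty list for this pair; change the branch side's DH group or key and the returned messages name the field that no longer matches.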

VPN Policy Configuration for Manual Key Exchange

With Manual Key Management, you will not use an IKE policy. You must manually type in all the required key information. Click the VPN Policies link from the VPN section of the main menu to display the menu shown below.
Figure 6-4: VPN - Manual Policy Menu
The VPN Manual Policy fields are defined in the following table.
Table 6-1. VPN Manual Policy Configuration Fields

General
These settings identify this policy and determine its major characteristics.
Policy Name. The name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN Endpoint. It is used to help you identify VPN policies.
Remote VPN Endpoint. The WAN Internet IP address or Fully Qualified Domain Name of the remote VPN firewall or client to which you want to connect. The remote VPN endpoint must have this FVL328’s WAN Internet IP address entered as its “Remote VPN Endpoint.”

Traffic Selector
These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.
Local IP. The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from your network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space. Note: Choosing ANY sends all traffic through the tunnel, which will eliminate activities such as Web access.
• Single IP Address
• Range of IP Addresses
• Subnet Address
Remote IP. The drop-down menu allows you to configure the destination IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from the remote site's corporate network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space. Note: Choosing ANY sends all traffic to the WAN through the tunnel, preventing, for example, remote management or response to ping.
• Single IP Address
• Range of IP Addresses
• Subnet Address

Authenticating Header (AH) Configuration
AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint.
Note: The “Incoming” settings must match the “Outgoing” settings on the remote VPN endpoint, and the “Outgoing” settings must match the “Incoming” settings on the remote VPN endpoint.
SPI - Incoming. Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Outgoing SPI" field.
SPI - Outgoing. Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Incoming SPI" field.
Enable Authentication. Use this check box to enable or disable AH. Authentication is often not used, so you can leave the check box unselected.
Authentication Algorithm. If you enable AH, then select the authentication algorithm:
• MD5 – the default
• SHA1 – more secure
Key - In. Enter the keys in the fields provided.
• For MD5, the keys should be 16 characters.
• For SHA-1, the keys should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - Out" field.
Key - Out. Enter the keys in the fields provided.
• For MD5, the keys should be 16 characters.
• For SHA-1, the keys should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - In" field.

Encapsulated Security Payload (ESP) Configuration
ESP provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both encryption and authentication when you use ESP. Two ESP modes are available:
• Plain ESP encryption
• ESP encryption with authentication
These settings must match the remote VPN endpoint.
SPI - Incoming. Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Outgoing SPI" field.
SPI - Outgoing. Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Incoming SPI" field.
Enable Encryption. Use this check box to enable or disable ESP Encryption.
Encryption Algorithm. If you enable ESP Encryption, then select the Encryption Algorithm:
• DES – the default
• 3DES – more secure
Key - In. Enter the key in the fields provided.
• For DES, the key should be 8 characters.
• For 3DES, the key should be 24 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Encryption Algorithm "Key - Out" field.
Key - Out. Enter the key in the fields provided.
• For DES, the key should be 8 characters.
• For 3DES, the key should be 24 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Encryption Algorithm "Key - In" field.
Enable Authentication. Use this check box to enable or disable ESP authentication for this VPN policy.
Authentication Algorithm. If you enable authentication, then use this menu to select the algorithm:
• MD5 – the default
• SHA1 – more secure
Key - In. Enter the key.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - Out" field.
NetBIOS Enable. Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel.
Key - Out. Enter the key in the fields provided.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - In" field.
The NetBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood.
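The Incoming/Outgoing mirroring rule and the per-algorithm key lengths in Table 6-1 are the usual reasons a hand-configured manual tunnel fails to come up when two administrators fill in the two endpoints separately. The Python below is an added example, not NETGEAR code: it checks one endpoint's fields against the table and then checks two endpoints against each other. The field names and the two sample policies are constructed for the example and are not the FVL328 menu labels.

```python
import re
# Key lengths (characters) and SPI format exactly as Table 6-1 states them.
AUTH_KEY_LEN = {"MD5": 16, "SHA1": 20}
ENC_KEY_LEN = {"DES": 8, "3DES": 24}
SPI_RE = re.compile(r"^[0-9A-Fa-f]{3,8}$")  # "Hex value (3 - 8 chars)"
SPI_PAIRS = [("ah_spi_in", "ah_spi_out"), ("esp_spi_in", "esp_spi_out")]
# (enable-flag field, algorithm field, (Key-In field, Key-Out field), lengths);
# the field names are this example's own, not the FVL328 menu labels.
SECTIONS = [
    ("ah_on", "ah_alg", ("ah_key_in", "ah_key_out"), AUTH_KEY_LEN),
    ("enc_on", "enc_alg", ("enc_key_in", "enc_key_out"), ENC_KEY_LEN),
    ("auth_on", "auth_alg", ("auth_key_in", "auth_key_out"), AUTH_KEY_LEN),
]

def check_endpoint(p):
    """Problems with one endpoint's manual policy on its own ([] if none)."""
    errs = []
    for f in [f for pair in SPI_PAIRS for f in pair]:
        if not SPI_RE.match(p.get(f, "")):
            errs.append(f"{f}: must be a 3-8 character hex value")
    for on, alg_f, keys, lens in SECTIONS:
        if not p.get(on):
            continue  # disabled header: its algorithm and keys are not used
        alg = p.get(alg_f)
        if alg not in lens:
            errs.append(f"{alg_f}: unsupported algorithm {alg!r}")
            continue
        for k in keys:
            if len(p.get(k, "")) != lens[alg]:
                errs.append(f"{k}: {alg} key must be {lens[alg]} characters")
    return errs

def check_pair(local, remote):
    """Mismatches between two endpoints: each local Incoming value must equal
    the remote Outgoing value and vice versa; flags and algorithms must agree."""
    errs = check_endpoint(local) + check_endpoint(remote)
    mirrored = list(SPI_PAIRS)
    for on, alg_f, keys, _ in SECTIONS:
        if bool(local.get(on)) != bool(remote.get(on)):
            errs.append(f"{on}: enabled on one endpoint only")
        elif local.get(on):
            if local.get(alg_f) != remote.get(alg_f):
                errs.append(f"{alg_f}: algorithms differ")
            mirrored.append(keys)
    for f_in, f_out in mirrored:
        if local.get(f_in) != remote.get(f_out):
            errs.append(f"local {f_in} != remote {f_out}")
        if local.get(f_out) != remote.get(f_in):
            errs.append(f"local {f_out} != remote {f_in}")
    return errs

def mirror(p):
    """Derive the peer's policy by swapping every Incoming/Outgoing pair."""
    q = dict(p)
    for f_in, f_out in SPI_PAIRS + [keys for _, _, keys, _ in SECTIONS]:
        if f_in in p and f_out in p:
            q[f_in], q[f_out] = p[f_out], p[f_in]
    return q

# Constructed sample: Gateway A with AH off and ESP 3DES + SHA1 (the keys are
# placeholders, not real key material); Gateway B is its exact mirror.
GATEWAY_A = {
    "ah_spi_in": "1a2b3c", "ah_spi_out": "4d5e6f", "ah_on": False,
    "esp_spi_in": "abc123", "esp_spi_out": "def456",
    "enc_on": True, "enc_alg": "3DES", "enc_key_in": "A" * 24, "enc_key_out": "B" * 24,
    "auth_on": True, "auth_alg": "SHA1", "auth_key_in": "C" * 20, "auth_key_out": "D" * 20,
}
GATEWAY_B = mirror(GATEWAY_A)
```

Run check_pair() on the two policies before applying them; an empty list means every field a peer will compare is consistent with the table's rules.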

Using Digital Certificates for IKE Auto-Policy Authentication

Digital certificates are character strings generated using encryption and authentication schemes which cannot be duplicated by anyone without access to the different values used in the production of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a workstation uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities (PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The FVL328 is able to use certificates to authenticate users at the endpoints during the IKE key exchange process.
The certificates can be obtained from a certificate server an organization might maintain internally or from the established public CAs. The certificates are produced by providing the particulars of the user being identified to the CA. The information provided may include the user's name, e-mail ID, domain name, etc.
A CA is part of a trust chain. A CA has a public key which is signed. The combination of the signed public key and the private key enables the CA process to eliminate ‘man in the middle’ security threats. A ‘self’ certificate has your public key and the name of your CA, and relies on the CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added to the FVL328 and can then be used to form IKE policies for the user. Once a CA certificate is added to the FVL328 and a certificate is created for a user, the corresponding IKE policy is added to the FVL328. Whenever the user tries to send traffic through the FVL328, the certificates are used in place of pre-shared keys during initial key exchange as the authentication and key generation mechanism. Once the keys are established and the tunnel is set up the connection proceeds according to the VPN policy.

Certificate Revocation List (CRL)

Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these revoked certificates is known as the Certificate Revocation List (CRL).
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the CRL on the FVL328 obtained from the corresponding CA. If the certificate is not present in the CRL it means that the certificate is not revoked. IKE can then use this certificate for authentication. If the certificate is present in the CRL it means that the certificate is revoked, and the IKE will not authenticate the client.
You must manually update the FVL328 CRL regularly in order for the CA-based authentication process to remain valid.

How to Use the VPN Wizard to Configure a VPN Tunnel

Note: If you have turned NAT off, before configuring VPN IPSec tunnels you must first open UDP port 500 for inbound traffic as explained in “Example: Port Forwarding for VPN Tunnels when NAT is Off” on page 5-9.
Follow this procedure to configure a VPN tunnel using the VPN Wizard.
Note: The LAN IP address ranges of each VPN endpoint must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x.
1. Log in to the FVS318 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen. Click Next to proceed.
Figure 6-5: VPN Wizard Start Screen
2. Fill in the Connection Name, pre-shared key, and select the type of target end point, and click Next to proceed.
Figure 6-6: Connection Name and Remote IP Type
3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next.
Figure 6-7: Remote IP
4. Identify the IP addresses at the target endpoint which can use this tunnel, and click Next.
Figure 6-8: Secure Connection Remote Accessibility
The Summary screen below displays.
Figure 6-9: VPN Wizard Summary
To view the VPNC recommended authentication and encryption Phase 1 and Phase 2 settings the VPN Wizard used, click the “here” link.
5. Click Done to complete the configuration procedure. The VPN Settings menu displays, showing that the new tunnel is enabled. To view or modify the tunnel settings, select the radio button next to the tunnel entry and click Edit.

Walk-Through of Configuration Scenarios

There are a variety of configurations you might implement with the FVL328. The scenarios listed below illustrate typical configurations you might use in your organization.
In order to help make it easier to set up an IPsec system, the following two scenarios are provided. These scenarios were developed by the VPN Consortium (http://www.vpnc.org). The goal is to make it easier to get the systems from different vendors to interoperate. NETGEAR is providing you with both of these scenarios in the following two formats:
• VPN Consortium Scenarios without any product implementation details
• VPN Consortium Scenarios based on the FVL328 user interface
The purpose of providing these two versions of the same scenarios is to help you determine where the two vendors use different vocabulary. Seeing the examples presented in these different ways will reveal how systems from different vendors do the same thing. See Appendix E, “Virtual Private Networking” for a full discussion of VPN and the configuration templates NETGEAR developed for publishing multi-vendor VPN integration configuration case studies.
Note: See Appendix F, “NETGEAR VPN Configuration FVS318 or FVM318 to FVL328” for a detailed procedure for configuring VPN communications between a NETGEAR FVS318 and a FVL328. NETGEAR publishes additional interoperability scenarios with various gateway and client software products. Look on the NETGEAR Web site at www.netgear.com/docs for more details.

VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.
Figure 6-10: VPN Consortium Scenario 1 (diagram: Gateway A, LAN 10.5.6.0/24, LAN interface 10.5.6.1, WAN interface 14.15.16.17; Internet; Gateway B, WAN interface 22.23.24.25, LAN 172.23.9.0/24, LAN interface 172.23.9.1)
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.
Note: The /24 after the IP address refers to the full range of IP addresses. For example, 10.5.6.0/24 refers to IP address 10.5.6.0 with the netmask 255.255.255.0.
The IKE Phase 1 parameters used in Scenario 1 are:
• Main mode
• TripleDES
• SHA-1
• MODP group 2 (1024 bits)
• pre-shared secret of "hr5xb84l6aa9r6"
• SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 2 (1024 bits)
• Perfect forward secrecy for rekeying
• SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
• Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets

FVL328 Scenario 1: How to Configure the IKE and VPN Policies

Note: This scenario assumes all ports are open on the FVL328. You can verify this by reviewing the security settings as seen in the Rules menu.
Use this scenario illustration and configuration screens as a model to build your configuration.
Figure 6-11: LAN to LAN VPN access from an FVL328 to an FVL328 (Scenario 1 diagram: FVL328 Gateway A, WAN IP 14.15.16.17, LAN IP 10.5.6.1/24; FVL328 Gateway B, WAN IP 22.23.24.25, LAN IP 172.23.9.1/24)
Note: If you have turned NAT off, before configuring VPN IPSec tunnels you must first open UDP port 500 for inbound traffic as explained in “Example: Port Forwarding for VPN Tunnels when NAT is Off” on page 5-9.
1. Log in to the FVL328 labeled Gateway A as in the illustration. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever Password and LAN address you have chosen for the firewall.
2. Configure the WAN (Internet) and LAN IP addresses of the FVL328.
a. From the main menu Setup section, click the Basic Settings link.
Figure 6-12: FVL328 Internet IP Address menu (the callout marks the WAN IP addresses, which your ISP provides)
b. Select whether to enable or disable NAT (Network Address Translation). NAT allows all LAN computers to gain Internet access via this Router, by sharing this Router's WAN IP address. In most situations, NAT is essential for Internet access via this Router. You should only disable NAT if you are sure you do not require it. When NAT is disabled, only standard routing is performed by this Router.
c. Configure the WAN Internet Address according to the settings in Figure 6-11 above and click Apply to save your settings. For more information on configuring the WAN IP settings in the Basic Setup topics, please see “How to Complete a Manual Configuration” on page 3-11.
d. From the main menu Advanced section, click the LAN IP Setup link.
e. Configure the LAN IP address according to the settings in Figure 6-11 above and click Apply to save your settings. For more information on LAN TCP/IP setup topics, please see “How to Configure LAN TCP/IP Settings and View the DHCP Log” on page 4-3.
Note: After you click Apply to change the LAN IP address settings, your workstation will be disconnected from the FVL328. You will have to log on with http://10.5.6.1 which is now the address you use to connect to the built-in Web-based configuration manager of the FVL328.
3. Set up the IKE Policy illustrated below on the FVL328.
a. From the main menu VPN section, click the IKE Policies link, and then click the Add button to display the screen below.
Figure 6-13: Scenario 1 IKE Policy
b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings. For more information on IKE Policy topics, please see “IKE Policies’ Automatic Key and Authentication Management” on page 6-3.
4. Set up the FVL328 VPN - Auto Policy illustrated below.
a. From the main menu VPN section, click the VPN Policies link, and then click the Add Auto Policy button.
Figure 6-14: Scenario 1 VPN - Auto Policy
b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings. For more information on IKE Policy topics, please see “IKE Policies’ Automatic Key and Authentication Management” on page 6-3.
5. After applying these changes, you will see a table entry like the one below.
Figure 6-15: VPN Policies table
Now all traffic from the range of LAN IP addresses specified on FVL328 A and FVL328 B will flow over a secure VPN tunnel.

How to Check VPN Connections

You can test connectivity and view VPN status information on the FVL328.
1. To test connectivity between the Gateway A FVL328 LAN and the Gateway B LAN, follow these steps:
a. Using our example, from a computer attached to the FVL328 on LAN A, on a Windows computer click the Start button on the taskbar and then click Run.
b. Type ping -t 172.23.9.1, and then click OK.
c. This will cause a continuous ping to be sent to the LAN interface of Gateway B. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.”
d. At this point the connection is established.
2. To test connectivity between the FVL328 Gateway A and Gateway B WAN ports, follow these steps:
a. Using our example, log in to the FVL328 on LAN A, go to the main menu Maintenance section and click the Diagnostics link.
b. To test connectivity to the WAN port of Gateway B, enter 22.23.24.25, and then click Ping.
c. This will cause a ping to be sent to the WAN interface of Gateway B. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.” You may have to run this test several times before you get the “reply” message back from the target FVL328.
d. At this point the connection is established.
Note: If you want to ping the FVL328 as a test of network connectivity, be sure the FVL328 is configured to respond to a ping on the Internet WAN port by checking the check box seen in the Rules menu. However, to preserve a high degree of security, you should turn off this feature when you are finished with testing.
3. To view the FVL328 event log and status of Security Associations, follow these steps:
a. Go to the FVL328 main menu VPN section and click the VPN Status link.
b. The log screen will display a history of the VPN connections, and the IPSec SA and IKE SA tables will report the status and data transmission statistics of the VPN tunnels for each policy.

FVL328 Scenario 2: Authenticating with RSA Certificates

The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure X.509 (PKIX) certificates for authentication. The network setup is identical to the one given in Scenario 1. The IKE Phase 1 and Phase 2 parameters are identical to the ones given in Scenario 1, with the exception that the identification is done with signatures authenticated by PKIX certificates.
Note: Before completing this configuration scenario, make sure the correct Time Zone is set on the FVL328. For instructions on this topic, please see “Setting the Time Zone” on page 5-14.
1. Obtain a root certificate.
a. Obtain the root certificate (which includes the CA’s public key) from a Certificate Authority (CA).
Note: The procedure for obtaining certificates differs between a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates for providing certificates for its members. For example, an administrator of a Windows 2000 certificate server might provide it to you via e-mail.
b. Save the certificate as a text file called trust.txt.
2. Install the trusted CA certificate for the Trusted Root CA.
a. Log in to the FVL328.
b. From the main menu VPN section, click the CAs link.
c. Click Add to add a CA.
d. Click Browse to locate the trust.txt file.
e. Click Upload.
Figure 6-16: Certificate Authorities table
You will now see a screen such as the one above showing that the Certificate Authority is now registered with the FVL328.
3. Create a certificate request for the FVL328.
a. From the main menu VPN section, click the Certificates link.
b. Click the Generate Request button to display the screen illustrated in Figure 6-17 below.
Figure 6-17: Generate Self Certificate Request menu
c. Fill in the fields on the Add Self Certificate screen.
• Required
– Name. Enter a name to identify this certificate.
– Subject. This is the name other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all certificates should have the same value in the Subject field.
– Hash Algorithm. Select the desired option: MD5 or SHA1.
– Signature Algorithm: RSA.
– Signature Key Length. Select the desired option: 512, 1024, or 2048.
• Optional
– IP Address. If you have a fixed IP address on your WAN (Internet) port, you can enter it here. Otherwise, you should leave this blank.
– Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank.
– E-mail Address. You can enter your e-mail address here.
d. Click the Next button to continue. The FVL328 generates a Self Certificate Request as shown below. Highlight, copy and paste this data into a text file.
Figure 6-18: Self Certificate Request data
4. Transmit the Self Certificate Request data to the Trusted Root CA.
a. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file.
b. Give the certificate request data to the CA. In the case of a Windows 2000 internal CA, you might simply e-mail it to the CA administrator. The procedures of a CA like Verisign and a CA such as a Windows 2000 certificate server administrator will differ. Follow the procedures of your CA.
c. When you have finished gathering the Self Certificate Request data, click the Done button.
You will return to the Certificates screen where your pending “FVL328” Self Certificate Request will be listed, as illustrated in Figure 6-19 below.