Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
Phone 1-888-NETGEAR
M-10144-01
December 2003
M-10144-01
© 2003 by NETGEAR, Inc. All rights reserved. FullManual.
Trademarks
NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc.
Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation.
Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this
document are copyright Intoto, Inc.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
EN 55 022 Declaration of Conformance
This is to certify that the FVL328 Prosafe High Speed VPN Firewall is shielded against the generation of radio
interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by
the application of EN 55 022 Class B (CISPR 22).
Certificate of the Manufacturer/Importer
It is hereby certified that the FVL328 Prosafe High Speed VPN Firewall has been suppressed in accordance with the
conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example,
test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the
notes in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and has been granted the right to test the series for compliance with the regulations.
ii
M-10144-01
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß dasFVL328 Prosafe High Speed VPN Firewall gemäß der im BMPT-AmtsblVfg 243/1991
und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B.
Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der
Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt
gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area
thereto), and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing
Equipment and Electronic Office Machines, aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver , it may become the cause of radio interference.
Read instructions for correct handling.
Technical Support
Refer to the Support Information Card that shipped with your FVL328 Prosafe High Speed VPN Firewall.
World Wide Web
NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL)
http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer
or Netscape are required.
M-10144-01
iii
iv
M-10144-01
Contents
Chapter 1
About This Manual
Audience ................................... ................ ................ ................. ................ ................ .....1-1
Scope .............................................................................................................................1-1
Typographical Conventions ............................................................................................1-2
Special Message Formats ..............................................................................................1-2
Features of the HTML Version of this Manual ................................................................1-3
How to Print this Manual .................................................................................................1-4
Chapter 2
Introduction
About the FVL328 ...........................................................................................................2-1
Summary of New Features in the FVL328 .....................................................................2-1
Key Features ..................................................................................................................2-1
Virtual Private Networking ........................................................................................2-2
A Powerful, True Firewall .........................................................................................2-2
ICSA Small/Medium Business Category ..................................................................2-3
Content Filtering .......................................................................................................2-3
Configurable Auto Uplink™ Ethernet Connection ....................................................2-3
Protocol Support ......................................................................................................2-3
Easy Installation and Management ..........................................................................2-4
What’s in the Box? ..........................................................................................................2-5
The Firewall’s Front Panel .......................................................................................2-6
The Firewall’s Rear Panel ........................................................................................2-7
Chapter 3
Connecting the FVL328 to the Internet
What You Will Need Before You Begin .................................. .... .....................................3-1
LAN Hardware Requirements ..................................................................................3-1
LAN Configuration Requirements ............................................................................3-1
Internet Configuration Requirements ....................................................................... 3-2
Contents i
M-10144-01
Where Do I Get the Internet Configuration Parameters? ..................................3-2
Worksheet for Recording Your Internet Connection Information ..............................3-3
Connecting the FVL328 to Your LAN ..............................................................................3-4
How to Connect the FVL328 to Y our LAN ................................................................3-4
Configuring for a Wizard-Detected Login Account ...................................................3-9
Configuring for a Wizard-Detected Dynamic IP Account .......................................3-11
Configuring for a Wizard-Detected Fixed IP (Static) Account ................................3-12
Testing Your Internet Connection ..................................................................................3-13
Manually Configuring Your Internet Connection ...........................................................3-14
How to Complete a Manual Configuration .............................................................3-15
Chapter 4
WAN and LAN Configuration
Configuring LAN IP Settings ...........................................................................................4-1
Using the Router as a DHCP Server ........................................................................4-2
How to Configure LAN TCP/IP Setup Settings ........................................................4-3
How to Configure Reserved IP Addresses ................... ... .... .....................................4-4
Configuring WAN Settings ..............................................................................................4-4
Connecting Automatically, as Required ...................................................................4-5
Setting Up a Default DMZ Server .............................. ... ... .... ... ... ... .... ... ... ... ...............4-5
How to Assign a Default DMZ Server ......................................................................4-5
Responding to Ping on Internet WAN Port ...............................................................4-6
How to Set the MTU Size .........................................................................................4-6
Configuring Dynamic DNS ..............................................................................................4-6
How to Configure Dynamic DNS ..............................................................................4-7
Using Static Routes ........................................................................................................4-7
Static Route Example ...............................................................................................4-7
How to Configure Static Routes ...............................................................................4-8
Chapter 5
Protecting Your Network
Protecting Access to Your FVL328 Firewall ....................................................................5-1
How to Change the Built-In Password .....................................................................5-1
How to Change the Administrator Login Timeout ....................................................5-2
Configuring Basic Firewall Services ...............................................................................5-2
Blocking Keywords, Sites, and Services ......... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ..5-3
How to Block Keywords and Sites ...........................................................................5-3
ii Contents
M-10144-01
Using Firewall Rules to Regulate Network Traffic ..........................................................5-5
Rules Menu Options .................................................................................................5-6
Using Inbound Rules (Port Forwarding) ...................................................................5-7
Inbound Rule Example: A Local Public Web Server ..........................................5-7
Inbound Rule Example: Videoconferencing from Restricted Addresses .................. 5-9
Considerations for Inbound Rules .....................................................................5-9
Using Outbound Rules (Service Blocking) .............................................................5-10
Outbound Rule Example: Blocking Instant Messenger ...................................5-10
Understanding the Order of Precedence for Rules ................................................5-12
Regulating Access to Network Services .......................................................................5-12
How to Define Services ..........................................................................................5-13
Setting Times and Scheduling Firewall Services ................................................ .......... 5-14
How to Set Your Time Zone ...................................................................................5-14
How to Schedule Firewall Services ........................................................................5-16
Chapter 6
Virtual Private Networking
Overview of FVL328 Policy-Based VPN Configuration ..................................................6-1
Using Policies to Manage VPN Traffic .....................................................................6-1
Using Automatic Key Management ..................................... ................................... .. 6-2
IKE Policies’ Automatic Key and Authentication Management ................................6-3
VPN Policy Configuration for Auto Key Negotiation ..................... ............................ 6-6
VPN Policy Configuration for Manual Key Exchange ...............................................6-9
Using Digital Certificates for IKE Auto-Policy Authentication .......................................6-14
Certificate Revocation List (CRL) ...........................................................................6-14
Walk-Through of Configuration Scenarios ....................................................................6-15
VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets .........................6-15
FVL328 Scenario 1: How to Configure the IKE and VPN Policies .........................6-17
How to Check VPN Connections ...........................................................................6-21
FVL328 Scenario 2: Authenticating with RSA Certificates .....................................6-22
Chapter 7
Managing Your Network
Network Management ....................................................................................................7-1
How to Configure Remote Management ..................................................................7-1
Viewing Router Status and Usage Statistics .................................... ... ... ... ... .... ... ... ..7-3
Viewing Attached Devices ........................................................................................7-5
Contents iii
M-10144-01
Viewing, Selecting, and Saving Logged Information ................................................7-6
Changing the Include in Log Settings ................................................................7-8
Enabling the Syslog Feature .............................................................................7-8
Enabling Security Event E-mail Notification ...................................................................7-9
Backing Up, Restoring, or Erasing Your Settings .........................................................7-10
How to Back Up the FVL328 Configuration to a File ..............................................7-10
How to Restore a Configuration from a File .............................. ............................. 7-11
How to Erase the Configuration .............................................................................7-11
Running Diagnostic Utilities and Rebooting the Router ................................................7-12
Upgrading the Router’s Firmware .................... ......... .......... .......... .......... ......... .......... ...7-13
How to Upgrade the Router ...................................................................................7-14
Chapter 8
Troubleshooting
Basic Functions ..............................................................................................................8-1
Power LED Not On ...................................................................................................8-2
Test LED Never Turns On or Test LED Stays On .....................................................8-2
Local or Internet Port Link LEDs Not On ..................................................................8-3
Troubleshooting the Web Configuration Interface ..........................................................8-3
Troubleshooting the ISP Connection ..............................................................................8-4
Troubleshooting a TCP/IP Network Using a Ping Utility .................................................8-5
How to Test the LAN Path to Your Firewall ..............................................................8-6
How to Test the Path from Your PC to a Remote Device .........................................8-6
Restoring the Default Configuration and Password ............... .........................................8-7
How to Use the Default Reset Button ......................................................................8-7
Problems with Date and Time .........................................................................................8-8
Appendix A
Technical Specifications
Appendix B
Networks, Routing, and Firewall Basics
Related Publications ...................................................................................................... B-1
Basic Router Concepts .................................................................................................. B-1
What is a Router? ................................................................................................... B-1
Routing Information Protocol ................................................................................... B-2
IP Addresses and the Internet ......................................... .... ... ... ... .... ... ... ... ... .... ... ... . B-2
Netmask .................................... ................................................................ ..............B-4
iv Contents
M-10144-01
Subnet Addressing .................................................................................................. B-4
Private IP Addresses ................................. ... ... ... .......................................... ........... B-7
Single IP Address Operation Using NAT ................................................................. B-7
MAC Addresses and Address Resolution Protocol ................................................. B-9
Related Documents ................................................................................................. B-9
Domain Name Server .............................................................................................. B-9
IP Configuration by DHCP ................................. .... ... ... ... .... ... ............................... B-10
Internet Security and Firewalls .................................................................................... B-10
What is a Firewall? .................................................................................................B-11
Stateful Packet Inspection ............................... ... .... ... ... ... .... ... ................................B-11
Denial of Service Attack .........................................................................................B-11
Ethernet Cabling ................................. ... ... .... .......................................... ... ... ... ............ B-12
Uplink Switches and Crossover Cables ................................................................ B-12
Cable Quality ......................................................................................................... B-13
Appendix C
Preparing Your Network
Preparing Your Computers for TCP/IP Networking .. .... ... ... ... .... ... ...... .... ... ... ... ... .... ... ... . C-1
Configuring Windows 95, 98, and Me for TCP/IP Networking ....................................... C-2
Install or V erify Windows Networking Components ................................................. C-2
Enabling DHCP to Automatically Configure TCP/IP Settings .................................C-4
Selecting Windows’ Internet Access Method ................ ......................... ........... C-4
Verifying TCP/IP Properties .................................................................................... C-5
Configuring Windows NT, 2000 or XP for IP Networking .............................. ................. C-5
Installing or Ve rifying Windows Networking Components ................ ... ... ... ... .... ... .... C-5
Verifying TCP/IP Properties .................................................................................... C-6
Configuring the Macintosh for TCP/IP Networking ........................................................ C-6
MacOS 8.6 or 9.x ......................... .......................................... ................................. C-6
MacOS X ...... ...................................... .... ... ... ... ... .... ... ... ....................................... ... . C-7
Verifying TCP/IP Properties for Macintosh Computers ........................................... C-8
Verifying the Readiness of Your Internet Account ......................................................... C-9
Are Login Protocols Used? ..................................................................................... C-9
What Is Your Configuration Information? ................................................................C-9
Obtaining ISP Configuration Information for Windows Computers .......................C-10
Obtaining ISP Configuration Information for Macintosh Computers ..................... C-11
Restarting the Network ................................................................................................C-12
Contents v
M-10144-01
Appendix D
Firewall Log Formats
Action List ...................................................................................................................... D-1
Field List ........................................................................................................................ D-1
Outbound Log ..................................... .......................................... ................................. D-1
Inbound Log ...................................................................................................................D-2
Other IP Traffic ......................................... .... ... ... ... ....................................... ... ... .... ... ... . D-2
Router Operation ........................................................................................................... D-3
Other Connections and Traffic to this Router ................................................................ D-4
DoS Attack/Scan ...........................................................................................................D-4
Access Block Site .......................................................................................................... D-6
All Web Sites and News Groups Visited ........................................................................D-6
System Admin Sessions ................................................................................................ D-6
Policy Administration LOG .............................................................................................D-7
Appendix E
Virtual Private Networking
What is a VPN? ............................................................................................................. E-1
What Is IPSec and How Does It Work? ......................................................................... E-2
IPSec Security Features ................................. ... .... ... ... ... .... ... ................................. E-2
IPSec Components ................................................................................................. E-2
Encapsulating Security Payload (ESP) ................................................................... E-3
Authentication Header (AH) ............................... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... .... E-4
IKE Security Association ........... .......................................... ... ... ... ........................... E-4
Mode ...................................... ...................... .................... ...................... ........... E-5
Key Management .................................................................................................... E-6
Understand the Process Before You Begin .. ................................................................. E-6
VPN Process Overview ......... ... ... .... ... ... ... .......................................... ........................... E-7
Network Interfaces and Addresses ......................................................................... E-7
Interface Addressing ......................................................................................... E-7
Firewalls ........................................................................................................... E-8
Setting Up a VPN Tunnel Between Gateways ........................................................ E-8
VPNC IKE Security Parameters ......... ... ... .... ... ............................................................ E-10
VPNC IKE Phase I Parameters ............................................................................. E-10
VPNC IKE Phase II Parameters .............................................................................E-11
Testing and Troubleshooting .........................................................................................E-11
vi Contents
M-10144-01
Additional Reading .......................... ... ... .......................................... ... .... ... ...................E-11
Appendix F
NETGEAR VPN Configuration
FVS318 or FVM318 to FVL328
Configuration Template ... .... ............................................................................................F-1
Step-By-Step Configuration of FVS318 or FVM318 Gateway A ............................. ........F-2
Step-By-Step Configuration of FVL328 Gateway B ........................................................F-5
Test the VPN Connection .............................................................................................F-10
Appendix G
FVL328 to Windows 2000 Server
and SSH Sentinel VPN Configuration
Configuring FVL328 to Windows 2000 Server VPN ............................................... ... ... .G-1
Windows 2000 Server configuration ...................................... .................................G-1
Create an IP Security Policy called DUT To Win2K ..........................................G-1
Create an IP Filter called To DUT .....................................................................G-3
Create an IP Filter Called To Win2K .................................................................G-7
Configure the General Properties ...................................................................G-12
Configure the FVL328 IKE policy ...................................................................G-14
Configure the FVL328 VPN policy ..................................................................G-15
FVL328 to SSH Sentinel 1.3 Remote VPN .................................................................G-16
Create the FVL328 IKE Policy ........................................................................G-23
Create the FVL328 VPN Policy ......................................................................G-23
Ping a PC to Bring Up the Tunnel ...................................................................G-24
Appendix H
NETGEAR VPN Client
to NETGEAR FVL328 or FWAG114 VPN Router
Configuration Profile ........................................... ... ... .......................................... ...........H-1
Step-By-Step Configuration of FVL328 or FWAG114 Gateway ..................................... H-2
Step-By-Step Configuration of the NETGEAR VPN Client B .........................................H-7
Testing the VPN Connection .. ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... .................................. H-14
From the Client PC to the FVL328 .................. ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... .. H-14
From the FVL328 to the Client PC ......... .......................................... ... ... ... ............H-15
Monitoring the PC VPN Connection ................... ... ... .... ... ... ... .... .................................. H-15
Viewing the FVL328 VPN Status and Log Information ................................................ H-17
Contents vii
M-10144-01
Appendix I
NETGEAR VPN Configuration
FVS318 or FVM318 with FQDN to FVL328
Configuration Template ... .... .............................................................................................I-1
Using DDNS and Fully Qualified Domain Names (FQDN) .......................................I-2
Step-By-Step Configuration of FVS318 or FVM318 Gateway A ............................. ......... I-3
Step-By-Step Configuration of FVL328 Gateway B .........................................................I-7
Test the VPN Connection ..............................................................................................I-12
Glossary
Index
viii Contents
M-10144-01
Chapter 1
About This Manual
This chapter introduces the NETGEAR FVL328 Prosafe High Speed VPN Firewall manual.
Audience
This reference manual assumes that the reader has basic to intermediate computer and Internet
skills. However, basic computer network, Internet, firewall, and VPN technology tutorial
information is provided in the Appendices and on the NETGEAR Web site.
Scope
This manual is written for the FVL328 Firewall according to these specifications.:
Table 1-1. Manual Specifications
Product Version FVL328 Prosafe High Speed VPN Firewall
Firmware Version Number Version 1.5 Release 07
Manual Part Number M-10144-01
Manual Publication Date December 2003
Note: Product updates are available on the NETGEAR Web site at
www.netgear.com/support/main.asp. Documentation updates are available on the
NETGEAR, Inc. Web site at www.netgear.com/docs.
About This Manual 1-1
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Typographical Conventions
This guide uses the following typographical conventions:
Table 1-2. Typographical conventions
italics Emphasis.
bold times roman User input.
[Enter] Named keys in text are shown enclosed in square brackets. The notation [Enter]
is used for the Enter key and the Return key.
Small Caps DOS file and directory names.
Special Message Formats
This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
1-2 About This Manual
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Features of the HTML Version of this Manual
The HTML version of this manual includes these features.
1
2
3
Figure Preface 1-1: HTML version of this manual
1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs.
To view the HTML version of the manual, you must have a version 4 or later browser with
JavaScript enabled.
2. Toolbar buttons. Use the toolbar buttons across the top to navigate, print pages, and more.
–The Show in Contents button locates the current topic in the Contents tab.
– Previous/Next buttons display the previous or next topic.
–The PDF button links to a PDF version of the full manual.
–The Print button prints the current topic. Using this button when a step-by-step
procedure is displayed will send the entire procedure to your printer—you do not
have to worry about specifying the correct range of pages.
3. Right pane. Use the right pane to view the contents of the manual. Also, each page of the
manual includes a link at the top right which links to a PDF file
containing just the currently selected chapter of the manual.
About This Manual 1-3
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
How to Print this Manual
To print this manual you can choose one of the following several options, according to your needs.
• Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on the
upper right side of the toolbar to print the currently displayed topic. Using this button when a
step-by-step procedure is displayed will send the entire procedure to your printer—you do not
have to worry about specifying the correct range of pages.
• Printing a Chapter. Use the link at the top right of any page.
– Click the “PDF of This Chapter” link at the top right of any page in the chapter you want
to print. A new browser window opens showing the PDF version of the chapter you were
viewing.
– Click the print icon in the upper left of the window.
– Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.
• Printing the Full Manual. Use the PDF button in the toolbar at the top right of the browser
window.
– Click the PDF button. A new browser window opens showing the PDF version of the
chapter you were viewing.
– Click the print icon in the upper left side of the window.
– Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.
1-4 About This Manual
M-10144-01
Chapter 2
Introduction
This chapter describes the features of the NETGEAR FVL328 Prosafe High Speed VPN Firewall.
The FVL328 Firewall is now ICSA certified. It provides connection for multiple computers to the
Internet through an external broadband access device (such as a cable modem or DSL modem) and
supports IPSec-based secure tunnels to IPSec-compatible VPN servers.
About the FVL328
The FVL328 is a complete security solution that protects your network from attacks and intrusions
and enables secure communications using Virtual Private Networks (VPN). Unlike simple Internet
sharing routers that rely on Network Address Translation (NAT) for security, the FVL328 uses
Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection.
The 8-port FVL328 provides highly reliable Internet access for up to 253 users with up to 100
concurrent VPN tunnels.
Summary of New Features in the FVL328
The NETGEAR FVL328 VPN ProSafe Firewall contains many new features, including:
•
ICSA Certified, Small/Medium Business (SMB) Category
• VPNC Certified
• Enhanced Logging
Key Features
The FVL328 features are highlighted below.
Introduction 2-1
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Virtual Private Networking
The FVL328 Firewall provides a secure encrypted connection between your local network and
remote networks or clients. Its VPN features include:
• Support for up to 100 simultaneous VPN connections.
• Support for industry standard VPN protocols.
The FVL328 Prosafe High Speed VPN Firewall supports standard keying methods (Manual or
IKE), standard authentication methods (MD5 and SHA-1), and standard encryption methods
(DES, 3DES). It is compatible with many other VPN products.
• Support for up to 168 bit encryption (3DES) for maximum security.
• Support for VPN Main Mode, Aggressive mode, or Manual Keying.
• Support for Fully Qualified Domain Name (FQDN) configuration when the Dynamic DNS
feature is enabled with one of the supported service providers.
• VPNC Certified
A Powerful, True Firewall
Unlike simple Internet sharing NAT routers, the FVL328 is a true firewall, using stateful packet
inspection to defend against hacker attacks. Its firewall features include:
• DoS protection
Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND
Attack and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations or services that you specify as off-limits.
• Logs security incidents
The FVL328 will log security events such as blocked incoming traffic, port scans, attacks, and
administrator logins. You can configure the firewall to e-mail the log to you at specified
intervals. You can also configure the firewall to send immediate alert messages to your e-mail
address or e-mail pager whenever a significant event occurs.
• ICSA Certified, Small/Medium Business (SMB) Category version 4.0
2-2 Introduction
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
ICSA Small/Medium Business Category
The NETGEAR FVL328 provides meets the ICSA SMB Category by providing Remote
Administration over an encrypted link from a public source. Additionally, the firewall provides a
default security policy denying all inbound non-Remote Administration related traffic originating
from public network sources while allowing a set of common services outbound.
The FVL328 enforces another security policy allowing a standard set of services inbound and
outbound. Therefore, a means to configure Access Control Rules will be available on the product
Content Filtering
With its content filtering feature, the FVL328 prevents objectionable content from reaching your
computers. The firewall allows you to control access to Internet content by screening for keywords
within Web addresses. You can configure the firewall to log and report attempts to access
objectionable Internet sites.
Configurable Auto Uplink™ Ethernet Connection
With its internal 8-port 10/100 switch, the FVL328 can connect to either a 10 Mbps standard
Ethernet network or a 100 Mbps Fast Ethernet network. Both the local LAN and the Internet W AN
interfaces are 10/100 Mbps, autosensing, and capable of full-duplex or half-duplex operation.
TM
The firewall incorporates Auto Uplink
sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as
to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to
the correct configuration. This feature also eliminates the need to worry about crossover cables, as
Auto Uplink will accommodate either type of cable to make the right connection.
technology. Each local Ethernet port will automatically
Protocol Support
The FVL328 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing
Information Protocol (RIP). Appendix B, “Networks, Routing, and Firewall Basics” provides
further information on TCP/IP. Supported protocols include:
Introduction 2-3
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
• The Ability to Enable or Disable IP Address Sharing by NAT
The FVL328 allows several networked computers to share an Internet account using only a
single IP address, which may be statically or dynamically assigned by your Internet service
provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user
ISP account. This feature can also be turned off completely for using the FVL328 in settings
where you want to manage the IP address scheme of your organization.
• Automatic Configuration of Attached computers by DHCP
The FVL328 dynamically assigns network configuration information, including IP, gateway,
and domain name server (DNS) addresses, to attached computers using Dynamic Host
Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on
your local network.
• DNS Proxy
When DHCP is enabled and no DNS addresses are specified, the firewall provides its own
address as a DNS server to the attached computers. The firewall obtains actual DNS addresses
from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE)
PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by
simulating a dial-up connection. This feature eliminates the need to run a login program such
as EnterNet or WinPOET on your computer.
• Point-to-Point Tunneling Protocol PPTP login support for European ISPs and BigPond login
for Telstra cable in Australia.
• Dynamic DNS
Dynamic DNS services allow remote users to find your network using a domain name when
your IP address is not permanently assigned. The firewall contains a client that can connect to
many popular Dynamic DNS services to register your dynamic IP address. See “Configuring
Dynamic DNS” on page 4-6.
Easy Installation and Management
You can install, configure, and operate the FVL328 within minutes after connecting it to the
network. The following features simplify installation and management tasks:
• Browser-based management
Browser-based configuration allows you to easily configure your firewall from almost any
type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup
Wizard is provided and online help documentation is built into the browser-based Web
Management Interface.
2-4 Introduction
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
• Smart Wizard
The firewall automatically senses the type of Internet connection, asking you only for the
information required for your type of ISP account.
• Remote management
The firewall allows you to login to the Web Management Interface from a remote location via
the Internet using secure SLL protocol. For security, you can limit remote management access
to a specified remote IP address or range of addresses, and you can choose a nonstandard port
number.
• Diagnostic functions
The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote
reboot. These functions allow you to test Intern et connectivity and reboot the firewall. You can
use these diagnostic functions directly from the FVL328 when your are connected on the LAN
or when you are connected over the Internet via the remote management function.
• Visual monitoring
The firewall’s front panel LEDs provide an easy way to monitor its status and activity.
• Flash EPROM for firmware upgrades
Note: Product updates are available on the NETGEAR Web site at
www.netgear.com/support/main.asp.
• Includes a battery-backed real-time clock so time will persist if power is removed
• Regional support, including ISPs like Telstra DSL and BigPond or Deutsche Telekom.
What’s in the Box?
The product package should contain the following items:
• FVL328 Prosafe High Speed VPN Firewall
•AC power adapter
• FVL328 Resource CD (SW-10018-01), including:
— This manual
— Application notes, tools, and other helpful information
• Warranty and registration card
Introduction 2-5
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
• Support information card
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the
carton, including the original packing materials, in case you need to return the product for repair.
Note: Product updates are available on the NETGEAR, Inc. Web site at http://
www.netgear.com/support/main.asp. Documentation updates are available on the
NETGEAR, Inc. Web site at http://www.netgear.com/docs.
The Firewall’s Front Panel
The front panel of the FVL328 (Figure 2-1) contains status LEDs.
MODEL
ProSafe Hi-Speed VPN Firewall
Cable/DSL
PWR TEST
INTERNET LOCAL
100
LNK/ACT
12345678
Figure 2-1: FVL328 Front Panel
100
LNK/ACT
FVL328
You can use some of the LEDs to verify connections. Table 2-1 lists and describes each LED on
the front panel of the firewall.
These LEDs are green when lit, except for the TEST LED, which is amber.
Table 2-1: LED Descriptions
Label Activity Description
POWER On Power is supplied to the firewall.
TEST On
Off
INTERNET
100 On/Blinking The Internet port is operating at 100 Mbps.
LINK/ACT (Activity) On/Blinking The port detected a link with the Internet WAN connection and is
LOCAL
2-6 Introduction
The system is initializing.
The system is ready and running.
operating at 10 Mbps. Blinking indicates data transmission.
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Table 2-1: LED Descriptions
100 On/Blinking The Local port is operating at 100 Mbps.
LINK/ACT
(Link/Activity)
On/Blinking The Local port has detected a link with a LAN connection and is
operating at 10 Mbps. Blinking indicates data transmission.
The Firewall’s Rear Panel
The rear panel of the FVL328 (Figure 2-2) contains the connections identified below.
Figure 2-2: FVL328 Rear Panel
Viewed from left to right, the rear panel contains the following elements:
• Factory Default Reset push button
• Eight Local Ethernet RJ-45 ports for connecting the firewall to local computers
• Internet WAN Ethernet RJ-45 port for connecting the firewall to a cable or DSL modem
• AC power adapter input
•
Introduction 2-7
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
2-8 Introduction
M-10144-01
Chapter 3
Connecting the FVL328 to the Internet
This chapter describes how to set up the firewall on your Local Area Network (LAN) and connect
to the Internet. You can perform basic configurat ion of your FVL328 Prosafe High Speed VPN
Firewall using the Setup Wizard, or manually configure your Internet connection.
What You Will Need Before You Begin
You need to prepare these three things before you can connect your firewall to the Internet:
1. A computer properly connected to the firewall as explained below.
2. Active Internet service such as that provided by a DSL or Cable modem account.
3. The Internet Service Provider (ISP) configuration information for your account.
LAN Hardware Requirements
The FVL328 Firewall connects to your LAN via twisted-pair Ethernet cables.
To use the FVL328 Firewall on your network, each computer must have an installed Ethernet
Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network
at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your firewall.
The broadband modem must provide a standard 10 Mbps 10BASE-T or 100 Mbps 100BASE-T
Ethernet interface.
LAN Configuration Requirements
For the initial connection to the Internet and configuration of your firewall, you will need to
connect a computer to the firewall which is set to automatically get its TCP/IP configuration from
the firewall via DHCP. The computer you use must have a Web browser such as Internet Explorer
v5 or greater or Netscape Communicator v4.7 or greater.
Note: Please refer to Appendix C, "Preparing Your Network" for assistance with DHCP
configuration.
Connecting the FVL328 to the Internet 3-1
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Internet Configuration Requirements
Depending on how your ISP or IT group set up your Internet access, you will need one or more of
these configuration parameters to connect your firewall to the Internet:
• Host and Domain Names
• ISP Login Name and Password
• ISP Domain Name Server (DNS) Addresses
• Fixed or Static IP Address
Where Do I Get the Internet Configuration Parameters?
There are several ways you can gather the required Internet connection information.
• Your ISP should have provided you with all the information needed to connect to the Internet.
If you cannot locate this information, you can ask your ISP to provide it or you can try one of
the options below.
• If you have a computer already connected using the active Internet access account, you can
gather the configuration information from that computer.
• For Windows 95/98/Me, open the Network control panel, select the TCP/IP entry for the
Ethernet adapter, and click Properties.
• For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry
for the Ethernet adapter, and click Properties.
• For Macintosh computers, open the TCP/IP or Network control panel.
• You may also refer to the FVL328 Resource CD for the NETGEAR Router ISP Guide which
provides Internet connection information for many ISPs.
Once you locate your Internet configuration parameters, you may want to record them on the page
below according to the instructions in “Worksheet for Recording Your Internet Connection
Information” on page 3-3.
3-2 Connecting the FVL328 to the Internet
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Worksheet for Recording Your Internet Connection Information
Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).
ISP Login Name: The login name and password are case sensitive and must be entered exactly as
given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is
not required by all ISPs. If you connect using a login name and password, then fill in the
following:
Login Name: ______________________________
Password: __________________________ __
Service Name: _____________________________
Fixed or Static IP Address: If you have a static IP address, record the following information. For
example, 169.254.141.148 could be a valid IP address.
Fixed or Static Internet IP Address: ______
.______.______.______
Subnet Mask: ______.______.______.______
Gateway IP Address: ______.______.______.______
ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following:
Primary DNS Server IP Address: ______
.______ ______.______
Secondary DNS Server IP Address: ______.______.______.______
Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or
home. If you haven’t been given host or domain names, you can use the following examples as a
guide:
• If your main e-mail account with your ISP is
aaa@yyy.com, then use aaa as your host name.
Your ISP might call this your account, user, host, computer, or system name.
• If your ISP’s mail server is
mail.xxx.yyy.com, then use xxx.yyy.com as the domain name.
ISP Host Name: _________________________
Connecting the FVL328 to the Internet 3-3
ISP Domain Name: _______________________
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Connecting the FVL328 to Your LAN
This section provides instructions for connecting the FVL328 Prosafe High Speed VPN Firewall
to your Local Area Network (LAN).
Note: The Resource CD included with your firewall contains an animated Installation Assistant to
help you through this procedure.
How to Connect the FVL328 to Your LAN
There are three steps to connecting your firewall:
• Connect the firewall to your network.
• Log in to the firewall.
• Connect to the Internet.
Follow the steps below to connect your firewall to your network.
1. Connect the FVL328.
a. Turn off your computer and cable or DSL modem.
b. Disconnect the Ethernet cable (A) from your computer which connects to yo ur cable or
DSL modem.
A
DSL modem
Figure 3-1: Disconnect the cable or DSL modem
3-4 Connecting the FVL328 to the Internet
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Connect the Ethernet cable (A) from your cable or DSL modem to the FVL328’s Internet
c.
port.
Cable or
DSL modem
LOCA L
876543221INTERN ET
10/100M
A
12VDCO.5A
Figure 3-2: Connect the cable or DSL modem to the firewall
d.
Connect the Ethernet cable (B) which came with the firewall from a Local port on the
router to your computer.
Cable or
DSL modem
B
LOCA L
876543221INTERN ET
10/100M
12VDCO.5A
Figure 3-3: Connect the computers on your network to the firewall
Note: The FVL328 Firewall incorporates Auto UplinkTM technology. Each Ethernet port
will automatically sense whether the cable plugged into the port should have a 'normal'
connection (e.g. connecting to a PC) or an 'uplink' connection (e.g. connecting to a switch
or hub). That port will then configure itself to the correct configuration. This feature also
eliminates the need to worry about crossover cables, as Auto Uplink will accommodate
either type of cable to make the right connection.
e. Turn on the cable or DSL modem and wait about 30 seconds for the lights to stop blinking.
Connecting the FVL328 to the Internet 3-5
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
2. Log in to the FVL328.
Note: To connect to the firewall, your computer needs to be configured to obtain an IP
address automatically via DHCP. Please refer to Appendix C, "Preparing Your Network"
for instructions on how to do this.
a. Turn on the firewall and wait for the TEST light to stop blinking.
b. Now, turn on your computer.
Note: If you usually run software to log in to your Internet connection, do not run that
software.
Now that the cable or DSL modem, firewall, and the computer are turned on, verify the
following:
• When power on the firewall was first turned on, the PWR light went on, the TEST light
turned on within a few seconds, and then went off after approximately 10 seconds.
• The firewall’s LOCAL LINK/ACT lights are lit for any computers that are connected to it.
• The firewall’s INTERNET LINK light is lit, indicating a link has been established to the
cable or DSL modem.
c. Next, use a browser like Internet Explorer or Netscape to log in to the firewall at its default
address of http://192.168.0.1.
Figure 3-4: Log in to the firewall
3-6 Connecting the FVL328 to the Internet
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
A login window opens as shown in Figure 3-5 below:
Figure 3-5: Login window
d.
For security reasons, the firewall has its own user name and password. When prompted,
admin for the firewall User Name and password for the firewall Password, both in
enter
lower case letters. This default password should be changed later, as described in
“Protecting Access to Your FVL328 Firewall” on page 5-1.
Note: The user name and password are not the same as any user name or password you
may use to log in to your Internet connection.
3. Connect to the Internet.
Figure 3-6: Setup Wizard
Connecting the FVL328 to the Internet 3-7
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
You are now connected to the firewall. If you do not see the menu above, click the Setup
a.
Wizard link on the upper left of the main menu.
b. Choose NAT or Classical Routing. NAT automatically assigns private IP addresses
(192.168.0.x) to LAN connected devices. Classical routing lets you directly manage the IP
addresses the FVL328 uses. Classical routing should be selected only by experienced
users.
c. Click Next and follow the steps in the Setup Wizard for inputting the configuration
parameters from your ISP to connect to the Internet.
Note: If you choose not to use the Setup Wizard, you can manually configure your
Internet connection settings by following the procedure “Manually Configuring Your
Internet Connection” on page 3-14.
Unless your ISP automatically assigns your configuration automatically via DHCP, you
will need the configuration parameters from your ISP as you recorded them previously in
“Worksheet for Recording Your Internet Connection Information” on page 3-3
d. When the firewall successfully detects an active Internet service, the firewall’s Internet
LED goes on. The Setup Wizard reports which connection typ e it discovered, and displays
the appropriate configuration menu. If the Setup Wi zard finds no connection, you will be
prompted to check the physical connection between your firewall and the cable or DSL
line.
e. The Setup Wizard will report the type of connection it finds. The options are:
• Connections that require a login using protocols such as PPPoE, Telstra BigPond, or
PPTP broadband Internet connections.
• Connections that use dynamic IP address assignment.
• Connections that use fixed IP address assignment.
The procedures for filling in the configuration menu for each type of connection follow
below.
3-8 Connecting the FVL328 to the Internet
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Configuring for a Wizard-Detected Login Account
If the Setup Wizard determines that your Internet service account uses a login protocol such as
PPP over Ethernet (PPPoE), you will be directed to a menu like the PPPoE menu in Figure 3-7:
Figure 3-7: Setup Wizard menu for PPPoE login accounts
1.
Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be necessary to access your ISP’s services such as mail or news servers. If you
leave the Domain Name field blank, the firewall will attempt to learn the domain
automatically from the ISP. If this is not successful, you may need to enter it manually.
2. Enter the PPPoE login user name and password provided by your ISP. These fields are case
sensitive. If you want to change the login timeout, enter a new value in minutes.
Note: You will no longer need to launch the ISP’s login program on your computer in order to
access the Internet. When you start an Internet application, the firewall will automatically log
you in.
3. Enable or disable NAT (Network Address Translation). NAT allows all LAN computers to
gain Internet access via this Router, by sharing this Router's WAN IP address. In most
situations, NAT is essential for Internet access via this Router. You should only disable NAT if
you are sure you do not require it. When NAT is disabled, only standard routing is performed
by this Router.
Connecting the FVL328 to the Internet 3-9
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Perform a DNS Lookup. A DNS (Domain Name Server) converts the Internet name (e.g.
4.
www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other
Server on the Internet, you can do a DNS lookup to find the IP address.
Domain Name Server (DNS) Address: If you know that your ISP does not automatically
transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter
the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is
available, enter it also.
If you enter an address here, after you finish configuring the firewall, reboot your computers
so that the settings take effect.
5. Enter the Router's MAC Address. Each computer or router on your network has a unique
32-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access
Control) address. Usually, select Use default address.
If your ISP requires MAC authentication, then select either Use this Computer's MAC address
to have the router use the MAC address of the computer you are now using, or Use This MAC
Address to manually type in the MAC address that your ISP expects.
6. Click Apply to save your settings.
7. Click the Test button to test your Internet connection. If the NETGEAR Web site does not
appear within one minute, refer to Chapter 8, Troubleshooting.
3-10 Connecting the FVL328 to the Internet
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Configuring for a Wizard-Detected Dynamic IP Account
If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment,
you will be directed to the menu shown in Figure 3-8 below:
Figure 3-8: Setup Wizard menu for Dynamic IP address
1.
Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be necessary to access your ISP’s services such as mail or news servers. If you
leave the Domain Name field blank, the firewall will attempt to learn the domain
automatically from the ISP. If this is not successful, you may need to enter it manually.
2. If you know that your ISP does not automatically transmit DNS addresses to the firewall
during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary
DNS Server. If a Secondary DNS Server address is available, enter it also.
A DNS server is a host on the Internet that translates Internet names (such as
www .netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one
or two DNS servers to your firewall during login. If the ISP does not transfer an address, you
must obtain it from the ISP and enter it manually here. If you enter an address here, you should
reboot your computers after configuring the firewall.
3. The Router’s MAC Address is the Ethernet MAC address that will be used by the firewall on
the Internet port.
Connecting the FVL328 to the Internet 3-11
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
If your ISP allows access from only one specific computer’s Ethernet MAC address, select
“Use this MAC address.” The firewall will then capture and use the MAC address of the
computer that you are now using. You must be using the one computer that is allowed by the
ISP. Otherwise, you can type in a MAC address.
Note: Some ISPs will register the Ethernet MAC address of the network interface card in your
computer when your account is first opened. They will then only accept traffic from the MAC
address of that computer. This feature allows your firewall to masquerade as that computer by
using its MAC address.
4. Click Apply to save your settings.
5. Click the Test button to test your Internet connection. If the NETGEAR Web site does not
appear within one minute, refer to Chapter 8, Troubleshooting.
Configuring for a Wizard-Detected Fixed IP (Static) Account
If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you
will be directed to the menu shown in Figure 3-9 below:
Figure 3-9: Setup Wizard menu for Fixed IP address
1.
Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway
router. This information should have been provided to you by your ISP. You will need the
configuration parameters from your ISP you recorded in “Worksheet for Recording Your
Internet Connection Information” on page 3-3.
3-12 Connecting the FVL328 to the Internet
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is
2.
available, enter it also.
DNS servers are required to perform the function of translating an Internet name such as
www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must
obtain DNS server addresses from your ISP and enter them manually here. You should reboot
your computers after configuring the firewall for these settings to take effect.
3. Click Apply to save the settings.
4. Click the Test button to test your Internet connection. If the NETGEAR Web site does not
appear within one minute, refer to Chapter 8, Troubleshooting.
Testing Your Internet Connection
After completing the Internet connection configuration, your can test your Internet connection.
Log in to the firewall, then, from the Setup Basic Settings link, click the Test button. If the
NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting.
Your firewall is now configured to provide Internet access for your network. Your firewall
automatically connects to the Internet when one of your computers requires access. It is not
necessary to run a dialer or login application such as Dial-Up Networking or Enternet to connect,
log in, or disconnect. These functions are performed by the firewall as needed.
To access the Internet from any computer connected to your firewall, launch a browser such as
Microsoft Internet Explorer or Netscape Navigator. You should see the firewall’s Internet LED
blink, indicating communication to the ISP. The browser should begin to display a Web page.
The following chapters describe how to configure the advanced features of your firewall, and how
to troubleshoot problems that may occur.
Connecting the FVL328 to the Internet 3-13
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Manually Configuring Your Internet Connection
You can manually configure your firewall using the menu below, or you can allow the Setup
Wizard to determine your configuration as described in the previous section.
ISP Does Not Require Login
ISP Does Require Login
Figure 3-10: Browser-based configuration Basic Settings menu
3-14 Connecting the FVL328 to the Internet
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
How to Complete a Manual Configuration
Manually configure the firewall in the Basic Settings menu using these steps:
1. Answer the question, “Does Your Internet Connection Require a Login?”
• Select Yes if you normally must launch a login program such as Enternet or WinPOET in
order to access the Internet.
Note: If you are a T elstra BigPond cable modem customer, or if you are in an area such as
Austria that uses PPTP, login is required. Select Yes, then select BigPond or PPTP from
the Internet Service Type drop-down box.
• Select No if you do not log in to establish your Internet connection.
2. If you selected Yes, follow the instructions below.
If your Internet connection does not require a login, skip to step 3.
– Enter your Account Name (may also be called Host Name) and Domain Name.
These parameters may be necessary to access your ISP’s services such as mail or news
servers. These fields are case sensitive.
– If you want to change the login timeout, enter a new value in minutes. This determines
how long the firewall keeps the Internet connection active after there is no Internet activity
from the LAN. Entering an Idle Timeout value of zero means never log out.
– If you want to disable NA T, select the Disable radio button. Before disabling NAT, back up
your current configuration settings.
Note: Disabling NAT will reboot the router and reset all the FVL328 configuration
settings to the factory default. Disable NAT only if you plan to install the FVL328 in a
setting where you will be manually administering the IP address space on the LAN side
of the router.
– Domain Name Server (DNS) Address:
If you know that your ISP does not automatically transmit DNS addresses to the firewall
during login, select “Use these DNS servers” and enter the IP address of your ISP’s
Primary DNS Server. If a Secondary DNS Server address is available, enter it also
3. If you selected No, follow the instructions below.
– If required, enter your Account Name (may also be called Host Name) and Domain Name.
These parameters may be necessary to access your ISP’s services such as mail or news
servers. The Account Name and Domain Name are not always required.
Connecting the FVL328 to the Internet 3-15
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
– If you want to disable NA T, select the Disable radio button. Before disabling NAT, back up
your current configuration settings.
Note: Disabling NAT will reboot the router and reset all the FVL328 configuration
settings to the factory default. Disable NAT only if you plan to install the FVL328 in a
setting where you will be manually administering the IP address space on the LAN side
of the router.
– Internet IP Address (also commonly called the WAN IP address):
If your ISP has assigned you a permanent, fixed (static) IP address for your computer,
select “Use static IP address.” Enter the IP address that your ISP assigned. Also enter the
netmask and the Gateway IP address. The Gateway is the ISP’s router to which your
firewall will connect.
– Domain Name Server (DNS) Address:
If you know that your ISP does not automatically transmit DNS addresses to the firewall
during login, select “Use these DNS servers” and enter the IP address of your ISP’s
Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
A DNS server is a host on the Internet that translates Internet names (such as
www .netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of
one or two DNS servers to your firewall during login. If the ISP does not transfer an
address, you must obtain it from the ISP and enter it manually here. If you enter an address
here, you should reboot your computers after configuring the firewall.
– Router’s MAC Address:
This section determines the Ethernet MAC address that will be used by the firewall on the
Internet port. Some ISPs will register the Ethernet MAC address of the network interface
card in your computer when your account is first opened. They will then only accept
traffic from the MAC address of that computer. This feature allows your firewall to
masquerade as that computer by “cloning” its MAC address.
To change the MAC address, select “Use this Computer’s MAC address.” The firewall
will then capture and use the MAC address of the computer that you are now using. You
should use the one computer that is allowed by the ISP. Or, select “Use this MAC address”
and enter it.
4. Click Apply to save your settings.
5. Click the Test button to test your Internet connection.
If the NETGEAR Web site does not appear within one minute, refer to Chapter 8,
Troubleshooting.
3-16 Connecting the FVL328 to the Internet
M-10144-01
Chapter 4
WAN and LAN Configuration
This chapter describes how to configure the W AN and LAN settings of your FVL328 Prosafe High
Speed VPN Firewall v2.
Configuring LAN IP Settings
The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These
features can be found under the Advanced heading in the Main Menu of the browser interface.
The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a
DHCP server. The firewall’s default LAN IP configuration is:
• LAN IP addresses—192.168.0.1
• Subnet mask—255.255.255.0
These addresses are part of the IETF-designated private address range for use in private networks,
and should be suitable in most applications. If your network has a requirement to use a different IP
addressing scheme, you can make those changes.
The LAN TCP/IP Setup parameters are:
• IP Address
This is the LAN IP address of the firewall.
• IP Subnet Mask
This is the LAN Subnet Mask of the firewall. Combined with the IP address, the IP Subnet
Mask allows a device to know which other addresses are local to it, and which must be reached
through a gateway or router.
• RIP Direction
RIP (Router Information Protocol) allows a router to exchange routing information with other
routers. The RIP Direction selection controls how the firewall sends and receives RIP packets.
Both is the default.
— When set to Both or Out Only, the firewall will broadcast its routing table periodically.
— When set to Both or In Only, it will incorporate the RIP information that it receives.
WAN and LAN Configuration 4-1
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall v2 Reference Manual
— When set to None, it will not send any RIP packets and will ignore any RIP packets
received.
• RIP Version
This controls the format and the broadcasting method of the RIP packets that the router sends.
It recognizes both formats when receiving. By default, this is set for RIP-1.
— RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you
have an unusual network setup.
— RIP-2 carries more information. Both RIP-2B and RIP-2M send the routing data in RIP-2
format.
— RIP-2B uses subnet broadcasting.
— RIP-2M uses multicasting.
Note: If you change the LAN IP address of the firewall while connected through the
browser, you will be disconnected. You must then open a new connection to the new IP
address and log in again.
Using the Router as a DHCP Server
By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server,
allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to
the router's LAN. The assigned default gateway address is the LAN address of the firewall. IP
addresses will be assigned to the attached PCs from a pool of addresses specified in this menu.
Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.
For most applications, the default DHCP and TCP/IP settings of the firewall are satisfactory. See
“IP Configuration by DHCP” on page B-10 for an explanation of DHCP and information about
how to assign IP addresses for your network.
If another device on your network will be the DHCP server, or if you will manually configure the
network settings of all of your computers, clear the ‘Use router as DHCP server’ check box.
Otherwise, leave it checked.
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP
Address. These addresses should be part of the same IP address subnet as the firewall’s LAN IP
address. Using the default addressing scheme, you should define a range between 192.168.0.2 and
192.168.0.253, although you may wish to save part of the range for device s with fixed addresses.
4-2 WAN and LAN Configuration
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall v2 Reference Manual
The firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP Address from the range you have defined
• Subnet Mask
• Gateway IP Address is the firewall’s LAN IP address
• Primary DNS Server, if you entered a Primary DNS address in the Basic Settings menu;
otherwise, the firewall’s LAN IP address
• Secondary DNS Server, if you entered a Secondary DNS address in the Basic Settings menu
How to Configure LAN TCP/IP Setup Settings
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of
you have chosen for the firewall.
2. From the Main Menu, under Advanced, click the LAN IP Setup link to view the men u, shown
below.
admin, default password of password, or using whatever password and LAN address
Figure 4-1: LAN IP Setup Menu
WAN and LAN Configuration 4-3
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall v2 Reference Manual
Enter the LAN TCP/IP and DHCP parameters.
3.
4. Click Apply to save your changes.
How to Configure Reserved IP Addresses
When you specify a reserved IP address for a PC on the LAN, that PC will always receive the
same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be
assigned to servers that require permanent IP settings.
To res erve an IP address:
1. Click the Add button.
2. In the IP Address box, type the IP address to assign to the PC or server.
Choose an IP address from the router’s LAN subnet, such as 192.168.0.X.
3. Type the MAC Address of the PC or server.
Note: If the PC is already present on your network, you can copy its MAC address from the
Attached Devices menu and paste it here.
4. Click Apply to enter the reserved address into the table.
Note: The reserved address will not be assigned until the next time the PC contacts the router's
DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and
renew.
To edit or delete a res erved address entry:
1. Click the button next to the reserved address you want to edit or delete.
2. Click Edit or Delete.
Configuring WAN Settings
The WAN Setup menu allows configuration of WAN services such as automatic connection, DMZ
server, enabling diagnostic PING tests on the WAN interface, setting the MTU size, and the WAN
port speed,. These features can be found under the Advanced WAN Setup heading in the Main
Menu of the browser interface.
These features are discussed below.
4-4 WAN and LAN Configuration
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall v2 Reference Manual
Connecting Automatically, as Required
Normally, this option should be Enabled, so that an Internet connection will be made
automatically , whenever Internet-bound traffic is detected. However , if this causes high connection
costs, you can disable this setting.
If disabled, you must connect manually, using the sub-screen accessed from the "Connection
Status" button on the Status screen.
Setting Up a Default DMZ Server
The default DMZ server feature is helpful when using some online games and videoconferencin g
applications that are incompatible with NAT. The firewall is programmed to recognize some of
these applications and to work properly with them, but there are other applications that may not
function well. In some cases, one local PC can run the application properly if that PC’s IP address
is entered as the default DMZ server.
Note: For security, you should avoid using the default DMZ server feature. When a
computer is designated as the default DMZ server, it loses much of the protection of the
firewall, and is exposed to many exploits from the Internet. If compromised, the
computer can be used to attack your network.
Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a
response to one of your local computers or a service that you have configured in the Ports menu.
Instead of discarding this traffic, you can have it forwarded to one computer on your network. This
computer is called the Default DMZ Server.
How to Assign a Default DMZ Server
1. Click Default DMZ Server check box.
2. Type the IP address for that server.
3. Click Apply.
WAN and LAN Configuration 4-5
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall v2 Reference Manual
Responding to Ping on Internet WAN Port
If you want the firewall to respond to a 'ping' from the Internet, click the ‘Respond to Ping on
Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your
firewall to be discovered. Don't check this box unless you have a specific reason to do so.
How to Set the MTU Size
The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 bytes or
1492 Bytes for PPPoE connections. For some ISPs you may need to reduce the MTU. But this is
rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
Any packets sent through the firewall that are larger than the configured MTU size will be
repackaged into smaller packets to meet the MTU requirement.
To change the MTU size:
1. Under MTU Size, select Custom.
2. Enter a new size between 64 and 1500.
3. Click Apply to save the new configuration.
Configuring Dynamic DNS
If your network has a permanently assigned IP address, you can register a domain name and have
that name linked with your IP address by public Domain Name Servers (DNS). However, if your
Internet account uses a dynamically assigned IP address, you will not know in advance what your
IP address will be, and the address can change frequently. In this case, you can use a commercial
dynamic DNS service, which will allow you to register your domain to their IP address, and will
forward traffic directed to your domain to your frequently-changing IP address.
The firewall contains a client that can connect to a dynamic DNS service provider. To use this
feature, you must select a service provider and obtain an account with them. After you have
configured your account information in the firewall, whenever your ISP-assigned IP address
changes, your firewall will automatically contact your dynamic DNS service provider, log in to
your account, and register your new IP address.
4-6 WAN and LAN Configuration
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall v2 Reference Manual
How to Configure Dynamic DNS
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of
you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click Dynamic DNS.
3. Click the radio button for the dynamic DNS service you will use. Access the website of the
dynamic DNS service providers whose, and register for an account.
For example, for TZO.com, go to www.TZO.com.
4. Click Apply to save your configuration.
admin, default password of password, or using whatever password and LAN address
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the
dynamic DNS service will not work because private addresses will not be routed on the
Internet.
Using Static Routes
Static Routes provide additional routing information to your firewall. Under normal
circumstances, the firewall has adequate routing information after it has been configured for
Internet access, and you do not need to configure additional static routes. You must configure
static routes only for unusual cases such as multiple routers or multiple IP subnets located on your
network.
Static Route Example
As an example of when a static route is needed, consider the following case:
• Your primary Internet access is through a cable modem to an ISP.
• You have an ISDN router on your home network for connecting to the company where
you are employed. This router’s address on your LAN is 192.168.0.100.
• Your company’s network is 134.177.0.0.
WAN and LAN Configuration 4-7
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall v2 Reference Manual
When you first configured your firewall, two implicit static routes were created. A default route
was created with your ISP as the gateway, and a second static route was created to your local
network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on
the 134.177.0.0 network, your firewall will forward your request to the ISP. The ISP forwards your
request to the company where you are employed, and the request will likely be denied by the
company’s firewall.
In this case you must define a static route, telling your firewall that 134.177.0.0 should be accessed
through the ISDN router at 192.168.0.100. The static route would look like Figure 4-3.
In this example:
• The Destination IP Address and IP Subnet Mask fields specify that this static route applies to
all 134.177.x.x addresses.
• The Gateway IP Address fields specifies that all traffic for these addresses should be
forwarded to the ISDN router at 192.168.0.100.
• A Metric value of 1 will work since the ISDN router is on the LAN.
This represents the number of routers between your network and the des tination. This is a
direct connection so it is set to 1.
• Private is selected only as a precautionary security measure in case RIP is activated.
How to Configure Static Routes
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of
you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click on Static Routes to view
the Static Routes menu, shown in Figure 4-2.
Figure 4-2: Static Routes Table
To add or edit a Static Route:
3.
4-8 WAN and LAN Configuration
admin, default password of password, or using whatever password and LAN address
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall v2 Reference Manual
Click the Edit button to open the Edit Menu, shown below.
a.
Figure 4-3: Static Ro ute Entry and Edit Menu
b.
Type a route name for this static route in the Route Name box under the table.
This is for identification purpose only.
c. Select Active to make this route effective.
d. Select Private if you want to limit access to the LAN only.
The static route will not be reported in RIP.
e. Type the Destination IP Address of the final destination.
f. Type the IP Subnet Mask for this destination.
If the destination is a single host, type 255.255.255.255.
g. Type the Gateway IP Address, which must be a router on the same LAN segment as the
firewall.
h. Type a number between 1 and 15 as the Metric value.
This represents the number of routers between your network and the destination. Usually,
a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
4. Click Apply to have the static route entered into the table.
WAN and LAN Configuration 4-9
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall v2 Reference Manual
4-10 WAN and LAN Configuration
M-10144-01
Chapter 5
Protecting Your Network
This chapter describes how to use the basic firewall features of the FVL328 Prosafe High Speed
VPN Firewall to protect your network.
Protecting Access to Your FVL328 Firewall
For security reasons, the firewall has its own user name and password. Also, after a period of
inactivity for a set length of time, the administrator login will automatically disconnect. You can
use the procedures below to change the firewall's password and the amount of time for the
administrator’s login timeout.
Note: The user name and password are not the same as any user name or password your may use
to log in to your Internet connection.
NETGEAR recommends that you change this password to a more secure password. The ideal
password should contain no dictionary words from any language, and should be a mixture of both
upper and lower case letters, numbers, and symbols. Your password can be up to 30 characters.
How to Change the Built-In Password
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. From the main menu of the browser interface, under the Maintenance heading, select Set
Password to bring up the menu shown below.
Protecting Your Network 5-1
admin, default password of password, or using whatever password and LAN
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Figure 5-1: Set Password menu
To change the password, first enter the old password, then enter the new password twice.
3.
4. Click Apply to save your changes.
Note: After changing the password, you will be required to log in again to continue the
configuration. If you have backed up the firewall settings previously, you should do a new
backup so that the saved settings file includes the new password.
How to Change the Administrator Login Timeout
For security, the administrator’s login to the firewall configuration will time out after a period of
inactivity. To change the login timeout period:
1. In the Set Password menu, type a number in ‘Administrator login times out’ field. The
suggested default value is 5 minutes.
2. Click Apply to save your changes or click Cancel to keep the current period.
Configuring Basic Firewall Services
Basic firewall services you can configure include access blocking and scheduling of firewall
security. These topics are presented below.
5-2 Protecting Your Network
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Blocking Keywords, Sites, and Services
The firewall provides a variety of options for blocking Internet based content and communications
services. With its content filtering feature, the FVL328 Firewall prevents objectionable content
from reaching your computers. The FVL328 allows you to control access to Internet content by
screening for keywords within Web addresses. Key content filtering options include:
• Blocking access from your LAN to Internet locations that you specify as off-limits.
• Keyword blocking of newsgroup names.
• Outbound services blocking to limit access from your LAN to Internet locations or services
that you specify as off-limits.
• Denial of Service (DoS) protection. Automatically detects and thwarts (DoS) attacks such as
Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
The section below explains how to configure your
firewall to perform these functions.
How to Block Keywords and Sites
The FVL328 Firewall allows you to restrict access to Internet content based on functions such as
Java or Cookies, Web addresses and Web address keywords.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. Click the Block Sites link in the Security section of the main menu.
admin, default password of password, or using whatever password and LAN
Protecting Your Network 5-3
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Figure 5-2: Block Sites menu
3.
To enable keyword blocking, check “Turn keyword blocking on”, enter a keyword or domain
in the Keyword box, click Add Keyword, then click Apply.
Some examples of Keyword blocking follow:
• If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is
blocked, as is the newsgroup alt.pictures.xxx.
• If the keyword “.com” is specified, only Web sites with other domain suffixes (such as
.edu or .gov) can be viewed.
• If the keyword “.” is entered, all Internet browsing access will be blocked.
Up to 32 entries are supported in the Keyword list.
4. T o delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
5. To spec ify a Trusted User, enter that computers IP address in the Trusted User box and click
Apply.
You may specify one Trusted User , which is a computer that will be exempt from blocking and
logging. Since the Trusted User will be identified by an IP address, you should configure that
computer with a fixed IP address.
5-4 Protecting Your Network
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Click Apply to save your settings.
6.
Using Firewall Rules to Regulate Network Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the other.
Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing
only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine
what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of
the FVL328 are:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN side to the outside.
You may define additional rules that will specify exceptions to the default rules. By adding custom
rules, you can block or allow access based on the service or application, source or destinat ion IP
addresses, and time of day. You can also choose to log traffic that matches or does not match the
rule you have defined.
To access the Rules configuration of the FVL328, click the Rules link on the main menu, then
click Add for either an Outbound or Inbound Service.
Protecting Your Network 5-5
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Figure 5-3: Rules menu
• To edit an existing rule, select its button on the left side of the table and click Edit.
• To delete an existing rule, select its button on the left side of the table and click Delete.
• T o move an existing rule to a dif ferent position in the table, select its button on the left side
of the table and click Move. At the script prompt, enter the number of the desired new
position and click OK.
Rules Menu Options
• Enable VPN Passthrough (IPSec, PP TP, L2TP) — if LAN users need to use VPN (Virtual
Private Networking) software on their computer, and connect to remote sites or servers,
enable this check box. This will allow the VPN protocols (IPSec, PP TP, L2TP) to be used.
If this check box is not selected, these protocols are blocked.
• Drop fragmented IP packets — if selected, all fragmented IP packets will be dropped
(discarded). Normally, this should NOT be selected.
5-6 Protecting Your Network
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
• Block TCP flood — if selected, then when a TCP flood attack is detected, the port used
will be closed, and no traffic will be able to use that port.
• Block UDP flood — if selected, then when a UDP floo d attac k is detect ed, all tr af fic from
that IP address will be blocked.
• Block non-standard packets — if selected, then only known packet types will be accepted;
other packets will be blocked. The known packet types are TCP, UDP, ICMP, ESP, and
GRE. Note that these are packet types, not protocols.
Using Inbound Rules (Port Forwarding)
The FVL328 uses Network Address Translation (NAT), unless this feature is turned off. Using
NAT, your network presents only one IP address to the Internet, and outside users cannot directly
address any of your local computers. However, by defining an inbound rule you can make a local
server (for example, a Web server or game server) visible and available to the Internet. The rule
tells the firewall to direct inbound traffic for a particular service to one local server based on the
destination port number. This is also known as port forwarding.
Note: Some residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may periodically
check for servers and may suspend your account if it discovers any active services at
your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your firewall. Only enable those ports
that are necessary for your network. Following are two application examples of inbound rules:
Inbound Rule Example: A Local Public Web Server
If you host a public W eb ser ver on your local network, you can define a rule to allow inbound Web
(HTTP) requests from any outside IP address to the IP address of your Web server at any time of
day. This rule is shown below.
Protecting Your Network 5-7
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Figure 5-4: Rule example: a
local public Web server
The parameters are:
• Service — select the application or service to be allowed or blocked. The list already
displays many common services, but you are not limited to these choices. Use the Add
Services menu as seen in Figure 5-3 to add any additional services or applications.
• Action — choose how you would like this type of traffic to be handled. You can block or
allow always, or block according to the schedule you defined in the Schedule menu.
•Send to LAN Server —
enter the IP address of the PC or Server on your LAN which
will receive the inbound traffic covered by this rule.
• WAN Users — these settings determine which packets are covered by the rule,
based on their source (WAN) IP address. Select the desired option:
• Any - All IP addresses are covered by this rule.
• Address range - enter the "Start" and "Finish" fields.
• Single address - enter the required address in the "Start" fields.
• Log — you can select whether the traffic will be logged. The choices are:
• Never - no log entries will be made for this service.
• Always - any traffic for this service type will be logged.
• Match - traffic that matches the parameters and action will be logged.
• Not match - traffic that does not match the parameters and action will be logged.
5-8 Protecting Your Network
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Inbound Rule Example: Videoconferencing from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside
IP addresses, such as from a branch office, you can create an inbound rule. In the example shown
in Figure 5-5, CU-SeeMe connections are allowed only from a specified range of external IP
addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that
do not match the allowed parameters.
Figure 5-5: Rule example: Videoconferencing from Restricted Addresses
Considerations for Inbound Rules
• If your external IP address is assigned dynamically by your ISP, the IP address may change
periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the
Advanced menus so that external users can always find your network.
• If the IP address of the local server is assigned by DHCP, it may change when the computer is
rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the
computer’s IP address constant.
• Local computers must access the local server using the computers’ local LAN address
(192.168.0.11 in the example in Figure 5-5 above). Attempts by local computers to access the
server using the external WAN IP address will fail.
Protecting Your Network 5-9
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Using Outbound Rules (Service Blocking)
The FVL328 allows you to block the use of certain Internet services by computers on your
network. This is called service blocking or port filtering. You can define an outbound rule to block
Internet access from a local computer based on:
• IP address of the local computer (source address)
• IP address of the Internet site being contacted (destination address)
•Time of day
• Type of service being requested (service port number)
Following is an application example of outbound rules:
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create
an outbound rule to block that application from any internal IP address to any external address,
according to the schedule that you have created in the Schedule menu. You can also have the
firewall log any attempt to use Instant Messenger during that blocked period.
Figure 5-6: Rule example: blocking instant messenger
5-10 Protecting Your Network
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
The parameters are:
• Service — select the application or service to be allowed or blocked. The list already
displays many common services, but you are not limited to these choices. Use the Add
Services menu as seen in Figure 5-3 to add any additional services or applications that do
not already appear.
• Action — choose how you would like this type of traffic to be handled. You can block or
allow always, or you can choose to block or allow according to the schedule you have
defined in the Schedule menu.
• LAN Users —
these settings determine which packets are covered by the rule, based
on their source LAN IP address. Select the desired option:
• Any: All IP addresses are covered by this rule.
• Address range: If this option is selected, you must enter the "Start" and "Finish" fields.
• Single address: Enter the required address in the "Start" fields.
• WAN Users —
these settings determine which packets are covered by the rule,
based on their destination WAN IP address. Select the desired option:
• Any - All IP addresses are covered by this rule.
• Address range - If this option is selected, you must enter the "Start" and "Finish"
fields.
• Single address - Enter the required address in the "Start" fields.
• Log — select whether the traffic will be logged. The choices are:
• Never - No log entries will be made for this service.
• Always - Any traffic for this service type will be logged.
• Match - Traffic of this type which matches the parameters and action will be logged.
• Not match - Traffic of this type which does not match the parameters and action will
be logged.
Protecting Your Network 5-11
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Understanding the Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu, as shown below.
Figure 5-7: Rules table with examples
For any traffic attempting to pass through the firewall, the packet information is subjected to the
rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules
at the bottom. In some cases, the order of precedence of two or more rules may be important in
determining the disposition of a packet. The Move button allows you to relocate a defined rule to a
new position in the table.
Regulating Access to Network Services
Services are functions performed by server computers at the request of client computers. For
example, Web servers serve Web pages, time servers serve time and date information, and game
hosts serve data about other players’ moves. When a computer on the Internet sends a request for
service to a server computer, the requested service is identified by a service or port number. This
number appears as the destination port number in the transmitted IP packets. For example, a packet
that is sent with destination port number 80 is an HTTP (Web server) request.
5-12 Protecting Your Network
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
The service numbers for many common protocols are defined by the Internet Engineering Task
Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other
applications are typically chosen from the range 1024 to 65535 by the authors of the application.
For more information on this topic please see Appendix B, “Networks, Routing, and Firewall
Basics.
Although the FVL328 already holds a list of many service port numbers, you are not limited to
these choices. Use the procedure below to create your own service definitions.
How to Define Services
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. Click the Services link of the Security menu to display the menu shown below.
admin, default password of password, or using whatever password and LAN
Figure 5-8: Services menu
• To create a new service, click the Add Custom Service button.
• When there is an existing service, to edit the service, select the it from the list in the table
and click Edit Service.
• To delete an existing Service, select its button on the left side of the table and click Delete
Service.
Protecting Your Network 5-13
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Modify the menu shown below for defining or editing a service.
3.
Figure 5-9: Add Services menu
4.
Click Apply to save your changes.
Setting Times and Scheduling Firewall Services
The FVL328 Firewall uses the Network Time Protocol (NTP) to obtain the current time and date
from one of several Network Time Servers on the Internet. The FVL328 includes a battery-backed
real-time clock so time will persist if power is removed. In order to localize the time for your log
entries, you must select your Time Zone from the list.
How to Set Your Time Zone
In order to localize the time for your log entries, you must specify your Time Zone:
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
5-14 Protecting Your Network
admin, default password of password, or using whatever password and LAN
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Click the Schedule link of the Security menu to display the menu shown below.
2.
Figure 5-10: Schedule Services menu
3.
Select your Time Zone. This setting will be used for the blocking schedule according to your
local time zone and for time-stamping log entries.
Check the Daylight Savings Time box if your time zone is currently in daylight savings time.
Note: If your region uses Daylight Savings Time, you must manually check Adjust for
Daylight Savings Time on the first day of Daylight Savings Time, and uncheck it at the end.
Enabling Daylight Savings Time will cause one hour to be added to the standard time.
4. Timekeeping has 2 options:
• Synchronize to NTP Server - If enabled, the RTC (Real-Time Clock) is updated regularly
by contacting this server. If you prefer to use a particular NTP server, enter the server’s IP
address. If not enabled, the RTC is never updated.
Protecting Your Network 5-15
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
• Set Clock - Use this to set a particular Date/Time to the RTC. This is only useful if
“Synchronize to NTP Server” is disabled. Otherwise, your setting will be lost on the next
synchronization.
5. Click Apply to save your settings.
How to Schedule Firewall Services
If you enabled services blocking in the Block Services menu or Port forwarding in the Ports menu,
you can set up a schedule for when blocking occurs or when access is not restricted.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of
address you have chosen for the firewall.
2. Click the Schedule link of the Security menu to display menu shown above in the Schedule
Services menu.
3. T o block Internet services based on a schedule, select Every Day or select one or more days. If
you want to limit access completely for the selected days, select All Day. Otherwise, to limit
access during certain times for the selected days, enter Start Blocking and End Blocking times.
admin, default password of password, or using whatever password and LAN
Note: Enter the values in 24-hour time format. For example, 10:30 am would be 10 hours and
30 minutes and 10:30 pm would be 22 hours and 30 minutes.
4. Click Apply to save your changes.
5-16 Protecting Your Network
M-10144-01
Chapter 6
Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FVL328
Firewall. VPN tunnels provide secure, encrypted communications between your local network and
a remote network or computer.
Overview of FVL328 Policy-Based VPN Configuration
The FVL328 uses state-of-the-art firewall and security technology to facilitate controlled and
actively monitored VPN connectivity . Since the FVL328 strictly conforms to Internet Engineering
Task Force (IETF) standards, it is interoperable with devices from major network equipment
vendors.
Telecommuter with
client software
VPN tunnels
encrypt data
FVL328 VPN FirewallFVL328 VPN Firewall
Figure 6-1: Secure access through FVL328 VPN routers
Using Policies to Manage VPN Traffic
You create policy definitions to manage VPN traffic on the FVL328. There are two kinds of
policies:
Virtual Private Networking 6-1
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
• IKE Policies: Define the authentication scheme and automatically generate the encryption
keys. As an alternative option, to further automate the process, you can create an Internet Key
Exchange (IKE) policy which uses a trusted certificate authority to provide the authentication
while the IKE policy still handles the encryption.
• VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you
can create a VPN policy which does not use an IKE policy but in which you manually enter all
the authentication and key parameters.
Since the VPN Auto policies require IKE policies, you must define the IKE policy first. The
FVL328 also allows you to manually input the authentication scheme and encryption key values.
VPN Manual policies manage the keys according to settings you select and do not use IKE
policies.
In order to establish secure communication over the Internet with the remote site you need to
configure matching VPN parameters on both the local and remote sites. The outbound VPN
parameters on one end must match to the inbound VPN parameters on other end, and vice versa.
When the network traffic enters into the FVL328 from the LAN network interface, if there is no
VPN policy found for a type of network traffic, then that traffic passes through without any
change. However, if the traffic is selected by a VPN policy, then the Internet Protocol security
IPSec authentication and encryption rules will be applied to it as defined in the VPN policy.
By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy
table. You can change the priority by selecting the VPN policy from the policy table and clicking
Move.
Using Automatic Key Management
The most common configuration scenarios will use IKE policies to automatically manage the
authentication and encryption keys. Based on the IKE policy, so me parameters for the VPN tunnel
are generated automatically. The IKE protocols perform negotiations between the two VPN
endpoints to automatically generate required parameters.
Some organizations will use an IKE policy with a Certificate Authority (CA) to perform
authentication. Typica lly, CA authentication is used in large organizations which maintain their
own internal CA server. This requires that each VPN gateway have a certificate and trust
certificate root from the CA. Using CAs reduces the amount of data entry required on each VPN
endpoint.
6-2 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
IKE Policies’ Automatic Key and Authentication Management
Click the IKE Policies link from the VPN section of the main menu, and then click the Add button
of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 6-2.
Figure 6-2: IKE - Policy Configuration Menu
Virtual Private Networking 6-3
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
The IKE Policy Configuration fields are defined in the following table.
Table 6-1. IKE Policy Configuration Fields
Field Description
General
Policy Name
Direction/Type
Exchange Mode
Local
These settings identify this policy and determine its major characteristics.
The descriptive name of the IKE policy. Each policy should have a unique
policy name. This name is not supplied to the remote VPN endpoint. It is
only used to help you identify IKE policies.
This setting is used when determining if the IKE policy matches the current
traffic. The drop-down menu includes the following:
• Initiator – Outgoing connections are allowed, but incoming are blocked.
• Responder – Incoming connections are allowed, but outgoing are
blocked.
• Both Directions – Both outgoing and incoming connections are allowed.
• Remote Access – This is to allow only incoming client connections,
where the IP address of the remote clie n t is un known.
If Remote Access is selected, the “Exchange Mode” MUST be
“Aggressive,” and the ‘Identities’ below (both Local and Remote) MUST
be “Name.” On the matching VPN Policy, the IP address of the remote
VPN endpoint should be set to 0.0.0.0.
Main Mode or Aggressive Mode. This setting must match the setting used
on the remote VPN endpoint.
• Main Mode is slower but more secure.
• Aggressive Mode is faster but less secure.
These parameters apply to the Local FVL328 firewall.
Local Identity Type
Local Identity Data
Remote
Use this field to identify the local FVL328. You can choose one of the
following four options from the drop-down list:
• By its Internet (WAN) port IP address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
• By a Fully Qualified User Name – your name, E-mail address, or
other ID.
• By DER ASN.1 DN – the binary Distinguished Encoding Rules (DER)
encoding of your ASN.1 X.500 Distinguished Name.
This field lets you identify the local FVL328 by name.
These parameters apply to the target remote FVL328 firewall, VPN
gateway, or VPN client.
6-4 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Table 6-1. IKE Policy Configuration Fields
Field Description
Remote Identity Type
Remote Identity Data
IKE SA Parameters
Encryption Algorithm
Authentication Algorithm
Authentication Method
Pre-Shared Key
Use this field to identify the remote FVL328. You can choose one of the
following four options from the drop-down list:
• By its Internet (WAN) port IP address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
• By a Fully Qualified User Name – your name, E-mail address, or
other ID.
• By DER ASN.1 DN – the binary DER encoding of your ASN.1 X.500
Distinguished Name.
This field lets you identify the target remote FVL328 by name.
These parameters determine the properties of the IKE Security
Association.
Choose the encryption algorithm for this IKE policy:
•DES
• 3DES is more secure and is the default
If you enable Authentication Headers (AH), this menu lets you select from
these authentication algorithms:
• MD5 –- the default
• SHA-1 – more secure
Y ou can select Pre-Shared Key or R SA Signature.
Specify the key according to the requirements of the Authentication
Algorithm you selected.
• For MD5, the key length should be 16 bytes.
• For SHA-1, the key length should be 20 bytes.
RSA Signature
Diffie-Hellman (DH) Group
SA Life Time
RSA Signature requires a certificate.
The Diffie-Hellman groups are MODP Oakley Groups 1 and 2. The DH
Group setting determines the size of the key used in the key exchange.
This must match the value used on the remote VPN gateway or client.
Select Group 1 (768 bit) or Group 2 (1024 bit).
The amount of time in seconds before the Security Association expires;
over an hour (3600) is common.
Virtual Private Networking 6-5
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
VPN Policy Configuration for Auto Key Negotiation
An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN
Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
Figure 6-3: VPN - Auto Policy Menu
6-6 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
The VPN Auto Policy fields are defined in the following table.
Table 6-1. VPN Auto Policy Configuration Fields
Field Description
General
Policy Name The descriptive name of the VPN policy. Each policy should have a unique
IKE Policy The existing IKE policies are presented in a drop-down list.
Remote VPN Endpoint The address used to locate the remote VPN firewall or client to which you want
SA Life Time The duration of the Security Association before it expires.
IPSec PFS
PFS Key Group If PFS is enabled, this setting determines the DH group bit size used in the key
These settings identify this policy and determine its major characteristics.
policy name. This name is not supplied to the remote VPN endpoint. It is only
used to help you identify VPN policies.
Note: Create the IKE policy BEFORE creating a VPN - Auto policy.
to connect. The remote VPN endpoint must have this FVL328’s Local Identity
Data entered as its “Remote VPN Endpoint”:
• By its IP Address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
• Seconds - the amount of time before the SA expires. Over an hour is common
(3600).
• Kbytes - the amount of traffic before the SA expires.
One of these can be set without setting the other.
If enabled, security is enhanced by ensuring that the key is changed at regular
intervals. Also, even if one key is broken, subsequent keys are no easier to
break. Each key has no relationship to the previous key.
exchange. This must match the value used on the remote gateway. Select
Group 1 (768 bit) or Group 2 (1024 bit).
Traffic Selector These settings determine if and when a VPN tunnel will be established. If
network traffic meets all criteria, then a VPN tunnel will be created.
Virtual Private Networking 6-7
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Table 6-1. VPN Auto Policy Configuration Fields
Field Description
Local IP The drop-down menu allows you to configure the source IP address of the
outbound network traffic for which this VPN policy will provide security.
Usually, this address will be from your network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space
Note: Choosing ANY sends all traffic through the tunnel, which will eliminate
activities such as Web access.
• Single IP Address
• Range of IP Addresses
• Subnet Address
Remote IP The drop-down menu allows you to configure the destination IP address of the
outbound network traffic for which this VPN policy will provide security. Usually,
this address will be from the remote site's corporate network address space.
The choices are:
• ANY for all valid IP addresses in the Internet address space
Note: Choosing ANY sends all traffic to the WAN through the tunnel,
preventing for example, remote management or response to ping.
• Single IP Address
• Range of IP Addresses
• Subnet Address
Authenticating Header
(AH) Configuration
Enable Authentication Use this check box to enable or disable AH for this VPN policy.
Authentication
Algorithm
Encapsulated Security
Payload (ESP)
Configuration
Enable Encryption Use this check box to enable or disable ESP Encryption.
Encryption
Algorithm
Enable Authentication Use this check box to enable or disable ESP transform for this VPN policy.
AH specifies the authentication protocol for the VPN header. These settings
must match the remote VPN endpoint.
If you enable AH, then select the authentication algorithm:
MD5 – the default, or SHA1 - more secure
ESP provides security for the payload (data) sent through the VPN tunnel.
Generally, you will want to enable both Encryption and Authentication. Two ESP
modes are available:
Plain ESP encryption or ESP encryption with authentication
These settings must match the remote VPN endpoint.
If you enable ESP encryption, then select the encryption algorithm:
DES – the default, or 3DES - more secure
6-8 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Table 6-1. VPN Auto Policy Configuration Fields
Field Description
Authentication
Algorithm
NetBIOS Enable Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel.
If you enable AH, then use this menu to select which authentication algorithm
will be employed. The choices are:
MD5 – the default, or SHA1 – more secure
The NetBIOS protocol is used by Microsoft Networking for such features as
Network Neighborhood.
VPN Policy Configuration for Manual Key Exchange
With Manual Key Management, you will not use an IKE policy. You must manually type in all the
required key information. Click the VPN Policies link from the VPN section of the main menu to
display the menu shown below.
Virtual Private Networking 6-9
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Figure 6-4: VPN - Manual Policy Menu
6-10 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
The VPN Manual Policy fields are defined in the following table.
Table 6-1. VPN Manual Policy Configuration Fields
Field Description
General
Policy Name The name of the VPN policy. Each policy should have a unique policy name.
Remote VPN Endpoint The WAN Internet IP address or Fully Qualifi ed Domain Name of the remote
Traffic Selector These settings determine if and when a VPN tunnel will be established. If
Local IP The drop-down menu allows you to configure the source IP address of the
Remote IP The drop-down menu allows you to configure the destination IP address of the
These settings identify this policy and determine its major characteristics.
This name is not supplied to the remote VPN Endpoint. It is used to help you
identify VPN policies.
VPN firewall or client to which you want to connect. The remote VPN endpoint
must have this FVL328’s WAN Internet IP address entered as its “Remote
VPN Endpoint.”
network traffic meets all criteria, then a VPN tunnel will be created.
outbound network traffic for which this VPN policy will provide security.
Usually, this address will be from your network address space. The choices
are:
• ANY for all valid IP addresses in the Internet address space
Note: Choosing ANY sends all traffic through the tunnel, which will eliminate
activities such as Web access.
• Single IP Address
• Range of IP Addresses
• Subnet Address
outbound network traffic for which this VPN policy will provide security.
Usually, this address will be from the remote site's corporate network address
space. The choices are:
• ANY for all valid IP addresses in the Internet address space
Note: Choosing ANY sends all traffic to the WAN through the tunnel,
preventing for example, remote management or response to ping.
• Single IP Address
• Range of IP Addresses
• Subnet Address
Virtual Private Networking 6-11
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Table 6-1. VPN Manual Policy Configuration Fields
Field Description
Authenticating Header
(AH) Configuration
SPI - Incoming
SPI - Outgoing Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
Enable Authentication Use this check box to enable or disable AH. Authentication is often not used,
Authentication
Algorithm
Key - In
AH specifies the authentication protocol for the VPN header. These settings
must match the remote VPN endpoint.
Note: The "Incoming" settings must match the "Outgoing" settings on the
remote VPN endpoint, and the "Outgoing" settings must match the "Incoming"
settings on the remote VPN endpoint.
Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
VPN endpoint has the same value in its "Outgoing SPI" field.
VPN endpoint has the same value in its "Incoming SPI" field.
so you can leave the check box unselected.
If you enable AH, then select the authentication algorithm:
• MD5 – the default
• SHA1 – more secure
Enter the keys in the fields provided. For MD5, the keys should be 16
characters. For SHA-1, the keys should be 20 characters.
Enter the keys.
• For MD5, the keys should be 16 characters.
• For SHA-1, the keys should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same
value in its Authentication Algorithm "Key - Out" field.
Key - Out Enter the keys in the fields provided.
• For MD5, the keys should be 16 characters.
• For SHA-1, the keys should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same
value in its Authentication Algorithm "Key - In" field.
Encapsulated Security
Payload (ESP)
Configuration
SPI - Incoming
ESP provides security for the payload (data) sent through the VPN tunnel.
Generally, you will want to enable both encryption and authentication. when
you use ESP. Two ESP modes are available:
• Plain ESP encryption
• ESP encryption with authentication
These settings must match the remote VPN endpoint.
Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
VPN endpoint has the same value in its "Outgoing SPI" field.
6-12 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Table 6-1. VPN Manual Policy Configuration Fields
Field Description
SPI - Outgoing Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
VPN endpoint has the same value in its "Incoming SPI" field.
Enable Encryption Use this check box to enable or disable ESP Encryption.
Encryption
Algorithm
Key - In
Key - Out Enter the key in the fields provided.
Enable Authentication Use this check box to enable or disable ESP authentication for this VPN policy.
Authentication
Algorithm
Key - In
If you enable ESP Encryption, then select the Encryption Algorithm:
• DES - the default
• 3DES -more secure
Enter the key in the fields provided.
• For DES, the key should be 8 characters.
• For 3DES, the key should be 24 characters.
Any value is acceptable, provided the remote VPN endpoint has the same
value in its Encryption Algorithm "Key - Out" field.
• For DES, the key should be 8 characters.
• For 3DES, the key should be 24 characters.
Any value is acceptable, provided the remote VPN endpoint has the same
value in its Encryption Algorithm "Key - In" field.
If you enable authentication, then use this menu to select the alg orithm:
• MD5 – the default
• SHA1 – more secure
Enter the key.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same
value in its Authentication Algorithm "Key - Out" field.
Key - Out Enter the key in the fields provided.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same
value in its Authentication Algorithm "Key - In" field.
NetBIOS Enable Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel.
The NetBIOS protocol is used by Microsoft Networking for such features as
Network Neighborhood.
Virtual Private Networking 6-13
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Using Digital Certificates for IKE Auto-Policy Authentication
Digital certificates are character strings generated using encryption and authentication schemes
which cannot be duplicated by anyone without access to the different values used in the production
of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a
workstation uniquely. The CAs are authorized to issue these certificates by Policy Certification
Authorities (PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA).
The FVL328 is able to use certificates to authenticate users at the endpoints during the IKE key
exchange process.
The certificates can be obtained from a certificate server an organization might maintain internally
or from the established public CAs. The certificates are produced by providing the particulars of
the user being identified to the CA. The information provided may include the user's name, e-mail
ID, domain name, etc.
A CA is part of a trust chain. A CA has a public key which is signed. The combination of the
signed public key and the private key enables the CA process to eliminate ‘man in the middle’
security threats. A ‘self’ certificate has your public key and the name of your CA, and relies on the
CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added
to the FVL328 and can then be used to form IKE policies for the user. Once a CA certificate is
added to the FVL328 and a certificate is created for a user, the corresponding IKE policy is added
to the FVL328. Whenever the user tries to send traffic through the FVL328, the certificates are
used in place of pre-shared keys during initial key exchange as the authentication and key
generation mechanism. Once the keys are established and the tunnel is set up the connection
proceeds according to the VPN policy.
Certificate Revocation List (CRL)
Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these
revoked certificates is known as the Certificate Revocation List (CRL).
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the
CRL on the FVL328 obtained from the corresponding CA. If the certificate is not present in the
CRL it means that the certificate is not revoked. IKE can then use this certificate for
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and
the IKE will not authenticate the client.
You must manually update the FVL328 CRL regularly in order for the CA-based authentication
process to remain valid.
6-14 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Walk-Through of Configuration Scenarios
There are a variety of configurations you might implement with the FVL328. The scenarios listed
below illustrate typical configurations you might use in your organization.
In order to help make it easier to set up an IPsec system, the following two scenarios are provided.
These scenarios were developed by the VPN Consortium (http://www.vpnc.org). The goal is to
make it easier to get the systems from different vendors to interoperate. NETGEAR is providing
you with both of these scenarios in the following two formats:
• VPN Consortium Scenarios without any product implementation details
• VPN Consortium Scenarios based on the FVL328 user interface
The purpose of providing these two versions of the same scenarios is to help you determine where
the two vendors use different vocabulary. Seeing the examples presented in these different ways
will reveal how systems from different vendors do the same thing. See Appendix E, “Virtual
Private Networking” for a full discussion of VPN and the configuration templates NETGEAR
developed for publishing multi-vendor VPN integration configuration case studies.
Note: See Appendix F, “NETGEAR VPN Configuration FVS318 or FVM318 to
FVL328 for a detailed procedure for configuring VPN communications between a
NETGEAR FVS318 and a FVL328. NETGEAR publishes additional interoperability
scenarios with various gateway and client software products. Look on the NETGEAR
Web site at www.netgear.com/docs for more details.
VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets
The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.
10.5.6.0/24
Gateway A
10.5.6.1
Figure 6-5: VPN Consortium Scenario 1
Virtual Private Networking 6-15
14.15.16.17 22.23.24.25
Internet
Gateway B
172.23.9.0/24
172.23.9.1
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has
the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet)
interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used
for testing IPsec but is not needed for configuring Gateway A.
Note: The /24 after the IP address refers to the full range of IP addresses. For example, 10.5.6.0/24
refers to IP address 10.5.6.0 with the netmask 255.255.255.0.
The IKE Phase 1 parameters used in Scenario 1 are:
•Main mode
• TripleDES
• SHA-1
• MODP group 2 (1024 bits)
• pre-shared secret of "hr5xb84l6aa9r6"
• SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 2 (1024 bits)
• Perfect forward secrecy for rekeying
• SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
• Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4
subnets
6-16 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
FVL328 Scenario 1: How to Configure the IKE and VPN Policies
Note: This scenario assumes all ports are open on the FVL328. You can verify this by reviewing
the security settings as seen in the “Rules menu” on page 5-6.
Use this scenario illustration and configuration screens as a model to build your configuration.
WAN I P
Scenario 1
Gateway B
WAN I P
FVL328
Gateway A
14.15.16.17 22.23.24.25
LAN IP
Figure 6-6: LAN to LAN VPN access from an FVL328 to an FVL328
1. Log in to the FVL328 labeled Gateway A as in the illustration.
Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of
admin and default password of password, or using whatever Password and LAN
address you have chosen for the firewall.
2. Configure the WAN (Internet) and LAN IP addresses of the FVL328.
a. From the main menu Setup section, click the Basic Settings link.
172.23.9.1/2410.5.6.1/24
LAN IP
WAN IP
addresses
ISP provides
these addresses
Figure 6-7: FVL328 Internet IP Address menu
Virtual Private Networking 6-17
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Select whether enable or disable NAT (Network Address Translation). NAT allows all
b.
LAN computers to gain Internet access via this Router, by sharing this Router's WAN IP
address. In most situations, NAT is essential for Internet access via this Router. You should
only disable NAT if you are sure you do not require it. When NAT is disabled, only
standard routing is performed by this Router.
c. Configure the WAN Internet Address according to the settings in Figure 6-6 above and
click Apply to save your settings. For more information on configuring the WAN IP
settings in the Basic Setup topics, please see “How to Complete a Manual Configuration”
on page 3-15.
d. From the main menu Advanced section, click the LAN IP Setup link.
e. Configure the LAN IP address according to the settings in Figure 6-6 above and click
Apply to save your settings. For more information on LAN TCP/IP setup topics, please
see “How to Configure LAN TCP/IP Setup Settings” on page 4-3.
6-18 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Note: After you click Apply to change the LAN IP address settings, your workstation will
be disconnected from the FVL328. You will have to log on with http://10.5.6.1 which is
now the address you use to connect to the built-in Web-based configuration manager of
the FVL328.
3. Set up the IKE Policy illustrated below on the FVL328.
a. From the main menu VPN section, click the IKE Policies link, and then click the Add
button to display the screen below.
Figure 6-8: Scenario 1 IKE Policy
b.
Configure the IKE Policy according to the settings in the illustration above and click
Apply to save your settings. For more information on IKE Policy topics, please see “IKE
Policies’ Automatic Key and Authentication Management” on page 6-3.
Virtual Private Networking 6-19
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
4. Set up the FVL328 VPN -Auto Policy illustrated below.
a. From the main menu VPN section, click the VPN Policies link, and then click the Add
Auto Policy button.
Figure 6-9: Scenario 1 VPN - Auto Policy
b.
Configure the IKE Policy according to the settings in the illustration above and click
Apply to save your settings. For more information on IKE Policy topics, please see “IKE
Policies’ Automatic Key and Authentication Management” on page 6-3.
6-20 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
5. After applying these changes, you will see a table entry like the one below.
Figure 6-10: VPN Policies table
Now all traffic from the range of LAN IP addresses specified on FVL328 A and FVL328 B
will flow over a secure VPN tunnel.
How to Check VPN Connections
You can test connectivity and view VPN status information on the FVL328.
1. To test connectivity between the Gateway A FVL328 LAN and the Gateway B LAN, follow
these steps:
a. Using our example, from a computer attached to the FVL328 on LAN A, on a Windows
computer click the Start button on the taskbar and then click Run.
b. Type ping -t 172.23.9.1, and then click OK.
c. This will cause a continuous ping to be sent to the LAN interface of Gateway B. After
between several seconds and two minutes, the ping response should change from “timed
out” to “reply.”
d. At this point the connection is established.
Virtual Private Networking 6-21
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
T o test connectivity between the FVL328 Gateway A and Gateway B WAN ports, follow these
2.
steps:
a. Using our example, log in to the FVL328 on LAN A, go to the main menu Maintenance
section and click the Diagnostics link.
b. To test connectivity to the WAN port of Gateway B, enter 22.23.24.25, and then click
Ping.
c. This will cause a ping to be sent to the WAN interface of Gateway B. After between
several seconds and two minutes, the ping response should change from “timed out” to
“reply.” You may have to run this test several times before you get the “reply” me ssage
back from the target FVL328.
d. At this point the connection is established.
Note: If you want to ping the FVL328 as a test of network connectivity, be sure the FVL328 is
configured to respond to a ping on the Internet WAN port by checking the check box seen in
“Rules menu” on page 5-6. However, to preserve a high degree of security, you should turn off
this feature when you are finished with testing.
3. To view the FVL328 event log and status of Security Associations, follow these steps:
a. Go to the FVL328 main menu VPN section and click the VPN Status link.
b. The log screen will display a history of the VPN connections, and the IPSec SA and IKE
SA tables will report the status and data transmission statistics of the VPN tunnels for each
policy.
FVL328 Scenario 2: Authenticating with RSA Certificates
The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure X.509
(PKIX) certificates for authentication. The network setup is identical to the one given in Scenario
1. The IKE Phase 1 and Phase 2 parameters are identical to the ones given in Scenario 1, with the
exception that the identification is done with signatures authenticated by PKIX certificates.
Note: Before completing this configuration scenario, make sure the correct Time Zone is set on the
FVL328. For instructions on this topic, please see, “How to Set Your Time Zone” on page 5-14.
1. Obtain a root certificate.
a. Obtain the root certificate (which includes the CA’s public key) from a Certificate
Authority (CA).
6-22 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Note: The procedure for obtaining certificates differs between a CA like Verisign and a
CA such as a Windows 2000 certificate server, which an organization operates for
providing certificates for its members. For example, an administrator of a Windows 2000
certificate server might provide it to you via e-mail.
b. Save the certificate as a text file called trust.txt.
2. Install the trusted CA certificate for the Trusted Root CA.
a. Log in to the FVL328.
b. From the main menu VPN section, click the CAs link.
c. Click Add to add a CA.
d. Click Browse to locate the trust.txt file.
e. Click Upload.
Figure 6-11: Certificate Authorities t able
You will now see a screen such as the one above showing that the Certificate Authority is
now registered with the FVL328.
3. Create a certificate request for the FVL328.
a. From the main menu VPN section, click the Certificates link.
Virtual Private Networking 6-23
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Click the Generate Request button to display the screen illustrated in Figure 6-12 below.
b.
.
Figure 6-12: Generate Self Certificate Request menu
c.
Fill in the fields on the Add Self Certificate screen.
•Required
– Name. Enter a name to identify this certificate.
– Subject. This is the name other organizations will see as the holder (owner) of this
certificate. This should be your registered business name or official company
name. Generally, all certificates should have the same value in the Subject field.
– Hash Algorithm. Select the desired option: MD5 or SHA1.
– Signature Algorithm: RSA.
– Signature Key Length. Select the desired option: 512, 1024, or 2048.
• Optional
– IP Address. If you have a fixed IP address on your WAN (Internet) port, you can
enter it here. Otherwise, you should leave this blank.
– Domain Name. If you have a domain name, you can enter it here. Otherwise, you
should leave this blank.
– E-mail Address. You can enter your e-mail address here.
6-24 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Click the Next button to continue. The FVL328 generates a Self Certificate Request as
d.
shown below.
Highlight, copy and
paste this data into
a text file.
Figure 6-13: Self Certificate Request data
4. Transmit the Self Certificate Request data to the Trusted Root CA.
a. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file.
b. Give the certificate request data to the CA. In the case of a Windows 2000 internal CA,
you might simply e-mail it to the CA administrator. The procedures of a CA like Verisign
and a CA such as a Windows 2000 certificate server administrator will differ. Follow the
procedures of your CA.
c. When you have finished gathering the Self Certificate Request data, click the Done button.
You will return to the Certificates screen where your pending “FVL328” Self Certificate
Request will be listed, as illustrated in Figure 6-14 below.
Virtual Private Networking 6-25
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Figure 6-14: Self Certificate Requests table
5. Receive the certificate back from the Trusted Root CA and save it as a text file.
Note: In the case of a Windows 2000 internal CA, the CA administrator might simply email it
to back to you. Follow the procedures of your CA. Save the certificate you get back from the
CA as a text file called final.txt.
6. Upload the new certificate.
a. From the main menu VPN section, click the Certificates link.
b. Click the radio button of the Self Certificate Request you want to upload.
c. Click the Upload Certificate button.
d. Browse to the location of the file you saved in step 5 above, which contains the certificate
from the CA.
e. Click the Upload button.
6-26 Virtual Private Networking
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
You will now see the “FVL328” entry in the Active Self Certificates table and the pending
f.
“FVL328” Self Certificate Request is gone, as illustrated below.
Figure 6-15: Self Certificates t able
7. Associate the new certificate and the Trusted Root CA certificate on the FVL328.
a. Create a new IKE policy called Scenario_2 with all the same properties of Scenario_1
(see “Scenario 1 IKE Policy” on page 6-19) except now use the RSA Signature instead of
the shared key.
Figure 6-16: IKE policy using RSA Signature
b.
Create a new VPN Auto Policy called scenario2a with all the same properties as
scenario1a except that it uses the IKE policy called Scenario_2.
Virtual Private Networking 6-27
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Now, the traffic from devices within the range of the LAN subnet addresses on FVL328
Gateway A and Gateway B will be authenticated using the certificates and generated keys
rather than via a shared key.
8. Set up Certificate Revocation List (CRL) checking.
a. Get a copy of the CRL from the CA and save it as a text file.
Note: The procedure for obtaining a CRL differs from a CA like Verisign and a CA such
as a Windows 2000 certificate server, which an organization operates for providing
certificates for its members. Follow the procedures of your CA.
b. From the main menu VPN section, click the CRL link.
c. Click Add to add a CRL.
d. Click Browse to locate the CRL file.
e. Click Upload.
Now expired or revoked certificates will not be allowed to use the VPN tunnels managed by
IKE policies which use this CA.
Note: You must update the CRLs regularly in order to maintain the validity of the
certificate-based VPN policies.
6-28 Virtual Private Networking
M-10144-01
Chapter 7
Managing Your Network
This chapter describes how to perform network management tasks with your FVL328 Prosafe
High Speed VPN Firewall.
Network Management
The FVL328 provides remote management access and a variety of status and usage information
which is discussed below.
How to Configure Remote Management
Using the Remote Management page, you can allow a user or users on the Internet to configure,
upgrade and check the status of your FVL328 Prosafe High Speed VPN Firewall.
Note: Be sure to change the router's default password to a very secure password. The
ideal password should contain no dictionary words from a ny language, and should be a
mixture of letters (both upper and lower case), numbers, and symbols. Your password
can be up to 30 characters.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of
you have chosen for the firewall.
2. In the Advanced section on the left navigator, select Remote Management.
3. Select the Turn Remote Management On check box.
4. Specify what external addresses will be allowed to access the firewall’s remote management.
Note: For security reasons, restrict access to as few external IP addresses as practical.
a. To allow access from any IP address on the Internet, select Everyone.
b. To allow access from a range of IP addresses on the Internet, select IP address range.
Managing Your Network 7-1
admin, default password of password, or using whatever password and LAN address
Enter a beginning and ending IP address to define the allowed range.
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
To allow access from a single IP address on the Internet, select Only this PC.
c.
Enter the IP address that will be allowed access.
5. Specify the Port Number that will be used for accessing the management interface.
Web browser access norma lly uses the standard HTTP service port 80. For greater security,
you can change the remote management Web interface to a custom port by entering that
number in the box provided. Choose a number between 1024 and 65535, but do not use the
number of any common service port. The default is 8080, which is a common alternate for
HTTP.
6. The IP Address to connect to this device is used to manage this router via the Internet. You
need its public IP Address, as seen from the Internet. This public IP Address is allocated by
your ISP, and is shown here. But if your ISP account uses a Dynamic IP Address, the address
can change each time you connect to your ISP. There are 2 solutions to this problem:
a. Have your ISP allocate you a Fixed IP address.
b. Use the DDNS (Dynamic DNS) feature so you can connect using a domain name, rather
than an IP address.
7. Click Apply to have your changes take effect.
When accessing your router from the Internet, the Secure Sockets Layer (SSL) will be enabled.
You will enter https:// and type your router's WAN IP address into your browser's Address (in IE)
or Location (in Netscape) box, followed by a colon (:) and the custom port number. For example, if
your external address is 134.177.0.123 and you use port number 80 80, enter in your browser:
https://134.177.0.123:8080
Note: When you remotely connect to the FVL with a browser via SSL, you may get a message
regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5
or higher, simply click Yes to accept the certificate.
Tip: If you are using a dynamic DNS service such as TZO, you can always identify the IP
address of your FVL328 by running
example,
tracert yourFVL328.mynetgear.net and you will see the IP address your ISP has
TRACERT from the Windows Start menu Run option. For
currently assigned to the FVL328.
7-2 Managing Your Network
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Viewing Router Status and Usage Statistics
From the main menu, under Maintenance, select Router Status to view the screen in Figure 7-1
below.
Figure 7-1: Router Status screen
The Router Status menu provides a limited amount of status and usage information.
This screen shows the following parameters:
Table 7-1. Router Status Fields
Field Description
System Name This field displays the Host Name assigned to the firewall in the Basic
Settings menu.
Firmware Version This field displays the firewall firmware version.
LAN Port These parameters apply to the Local (WAN) port of the firewall.
MAC Address This field displays the Ethernet MAC address being used by the Local
(LAN) port of the firewall.
IP Address This field displays the IP address being used by the Local (LAN) port of
the firewall. The default is 192.168.0.1
Managing Your Network 7-3
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Table 7-1. Router Status Fields
Field Description
DHCP If set to OFF, the firewall will not assign IP addresses to local computers
on the LAN.
If set to ON, the firewall is configured to assign IP addresses to local
computers on the LAN.
IP Subnet Mask This field displays the IP Subnet Mask being used by the Local (LAN)
port of the firewall. The default is 255.255.255.
WAN Port These parameters apply to the Internet (WAN) port of the firewall.
Network Address
Translation (NAT)
MAC Address This field displays the Ethernet MAC address being used by the Internet
IP Address This field displays the IP address being used by the Internet (WAN) port
DHCP If set to None, the firewall is configured to use a fixed IP address on the
IP Subnet Mask This field displays the IP Subnet Mask being used by the Internet (WAN)
Domain Name Server (DNS) This field displays the DNS Server IP addresses being used by the
NA T allows all LAN computers to gain Internet access via this Router, by
sharing this Router's WAN IP address. You should only turn NAT OFF if
you are sure you do not require it..
(WAN) port of the firewall.
of the firewall. If no address is shown, the firewall cannot connect to the
Internet.
WAN.
If set to Client, the firewall is configured to obtain an IP address
dynamically from the ISP
port of the firewall.
firewall. These addresses are usually obtained dynamically from the ISP.
Click the “Show Statistics” button to display firewall usage statistics, as shown in Figure 7-2
below:
Figure 7-2. Router Statistics screen
7-4 Managing Your Network
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
This screen shows the following statistics:
Table 7-2. Router Statistics Fields
Field Description
System up Time The time elapsed since the last power cycle or reset.
WAN or LAN Port The statistics for the WAN (Internet) and LAN (local) ports. For each port, the screen
displays:
Status The link status of the port.
TxPkts The number of packets transmitted on this port since reset or manual clear.
RxPkts The number of packets received on this port since reset or manual clear.
Collisions The number of collisions on this port since reset or manual clear.
Tx B/s The current line utilization—percentage of current bandwidth used on this port.
Rx B/s The average line utilization —average CLU for this port.
Up Time The time elapsed since this port acquired the link.
Poll Interval Specifies the intervals at which the statistics are updated in this window. Click Stop to
freeze the display. Click Set Interval to set the polling refresh interval.
Viewing Attached Devices
The Attached Devices menu contains a tab l e of all IP devices that the firewall has discovered on
the local network. From the main menu of the browser interface, under the Maintenance heading,
select Attached Devices to view the table, shown in Figure 7-3
Figure 7-3: Attached Devices menu
For each device, the table shows the IP address, Device Name (NetBIOS Host Name, if available),
and the Ethernet MAC address.
Managing Your Network 7-5
M-10144-01
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
Select the check box if you want to enable NetBIOS detection. If the NetBIOS name is not
available, “Unknown” is listed as the Device Name.
If the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force
the firewall to look for attached devices, click the Refresh button.
Viewing, Selecting, and Saving Logged Information
The firewall logs security-related events such as denied incoming service requests, hacker probes,
and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page
shows you when someone on your network tries to access a blocked site. If you enabled e-mail
notification, you will receive these logs in an e-mail message. If you do not have e-mail
notification enabled, you can view the logs here. An example is shown below.
Figure 7-4: Security Logs menu
7-6 Managing Your Network
M-10144-01
Loading...