Netgear FVS328 Reference Guide

Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

NETGEAR, Inc.
4500 Great America Parkway Santa Clara, CA 95054 USA Phone 1-888-NETGEAR
202-10031-01 May 2004
© 2004 by NETGEAR, Inc. All rights reserved.

Trademarks

NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this document are copyright Intoto, Inc.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

EN 55 022 Declaration of Conformance

This is to certify that the FVS328 ProSafe VPN Firewall with Dial Back-up is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22).

Certificate of the Manufacturer/Importer

It is hereby certified that the FVS328 ProSafe VPN Firewall with Dial Back-up has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.

Confirmation of the Manufacturer/Importer

It is hereby confirmed that the FVS328 ProSafe VPN Firewall with Dial Back-up has been suppressed in accordance with the provisions set out in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation of some equipment (for example, test transmitters) may, however, be subject to certain restrictions. Please read the notes in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified that this equipment has been placed on the market and is entitled to test the series for compliance with the regulations.

Voluntary Control Council for Interference (VCCI) Statement

This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto), and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines, aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling.

Technical Support

Refer to the Support Information Card that shipped with your FVS328 ProSafe VPN Firewall with Dial Back-up.

World Wide Web

NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.

Contents

Chapter 1 About This Manual
Audience
Scope
Typographical Conventions
Special Message Formats
How to Use this Manual
How to Print this Manual
Chapter 2 Introduction
About the FVS328
Key Features
Full Routing on Both the Broadband and Serial Ports
Virtual Private Networking
A Powerful, True Firewall
Content Filtering
Configurable Auto Uplink™ Ethernet Connection
Protocol Support
Easy Installation and Management
What’s in the Box?
The Firewall’s Front Panel
The Firewall’s Rear Panel
Chapter 3 Connecting the FVS328 to the Internet
What You Will Need Before You Begin
LAN Hardware Requirements
LAN Configuration Requirements
Internet Configuration Requirements
Where Do I Get the Internet Configuration Parameters?
Worksheet for Recording Your Internet Connection Information
Connecting the FVS328 to Your LAN
How to Connect the FVS328 to Your LAN
Configuring a Wizard-Detected Login Account
Configuring a Wizard-Detected Dynamic IP Account
Configuring a Wizard-Detected Fixed IP (Static) Account
How to Configure the Serial Port for an Internet Connection
Testing Your Internet Connection
Manually Configuring Your Internet Connection
How to Manually Configure the Primary Internet Connection
Chapter 4 Serial Port Configuration
Configuring a Serial Port Modem
Basic Requirements for Serial Port Modem Configuration
How to Configure a Serial Port Modem
Configuring Auto-Rollover
Basic Requirements for Auto-Rollover
How to Configure Auto-Rollover
Configuring Dial-in on the Serial Port
Basic Requirements for Dial-in
How to Configure Dial-in
Configuring LAN-to-LAN Settings
Basic Requirements for LAN-to-LAN Connections
How to Configure LAN-to-LAN Connections
Chapter 5 WAN and LAN Configuration
Configuring LAN IP Settings
Using the Router as a DHCP Server
How to Configure LAN TCP/IP Setup Settings
How to Configure Reserved IP Addresses
Configuring WAN Settings
Connecting Automatically, as Required
Setting Up a Default DMZ Server
How to Assign a Default DMZ Server
Responding to Ping on Internet WAN Port
How to Set the MTU Size
Configuring Dynamic DNS
How to Configure Dynamic DNS
Using Static Routes
Static Route Example
How to Configure Static Routes
Chapter 6 Protecting Your Network
Protecting Access to Your FVS328 Firewall
How to Change the Built-In Password
How to Change the Administrator Login Timeout
Configuring Basic Firewall Services
Using the Block Sites Menu to Screen Content
Services and Rules Regulate Inbound and Outbound Traffic
Defining a Service
Using Inbound/Outbound Rules to Block or Allow Services
Examples of Using Services and Rules to Regulate Traffic
Inbound Rules (Port Forwarding)
Example: Port Forwarding to a Local Public Web Server
Example: Port Forwarding for Videoconferencing
Example: Port Forwarding for VPN Tunnels when NAT is Off
Outbound Rules (Service Blocking or Port Filtering)
Outbound Rule Example: Blocking Instant Messaging
Other Rules Considerations
Order of Precedence for Rules
Rules Menu Options
Setting Times and Scheduling Firewall Services
How to Set Your Time Zone
How to Schedule Firewall Services
Chapter 7 Virtual Private Networking
Overview of FVS328 Policy-Based VPN Configuration
Using Policies to Manage VPN Traffic
Using Automatic Key Management
IKE Policies’ Automatic Key and Authentication Management
VPN Policy Configuration for Auto Key Negotiation
VPN Policy Configuration for Manual Key Exchange
Using Digital Certificates for IKE Auto-Policy Authentication
Certificate Revocation List (CRL)
How to Use the VPN Wizard to Configure a VPN Tunnel
Walk-Through of Configuration Scenarios
VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets
FVS328 Scenario 1: How to Configure the IKE and VPN Policies
How to Check VPN Connections
FVS328 Scenario 2: Authenticating with RSA Certificates
Chapter 8 Managing Your Network
Network Management
How to Configure Remote Management
Viewing Router Status and Usage Statistics
Viewing Attached Devices
Viewing, Selecting, and Saving Logged Information
Changing the Include in Log Settings
Enabling the Syslog Feature
Enabling Security Event E-mail Notification
Backing Up, Restoring, or Erasing Your Settings
How to Back Up the FVS328 Configuration to a File
How to Restore a Configuration from a File
How to Erase the Configuration
Running Diagnostic Utilities and Rebooting the Router
Upgrading the Router’s Firmware
How to Upgrade the Router
Chapter 9 Troubleshooting
Basic Functions
Power LED Not On
Test LED Never Turns On or Test LED Stays On
Local or Internet Port Link LEDs Not On
Troubleshooting the Web Configuration Interface
Troubleshooting the ISP Connection
Troubleshooting a TCP/IP Network Using a Ping Utility
How to Test the LAN Path to Your Firewall
How to Test the Path from Your PC to a Remote Device
Restoring the Default Configuration and Password
How to Use the Default Reset Button
Problems with Date and Time
Appendix A Technical Specifications
Appendix B Firewall Log Formats
Action List
Field List
Outbound Log
Inbound Log
Other IP Traffic
Router Operation
Other Connections and Traffic to this Router
DoS Attack/Scan
Access Block Site
All Web Sites and News Groups Visited
System Admin Sessions
Policy Administration LOG
Appendix C Networks, Routing, and Firewall Basics
Related Publications
Basic Router Concepts
What is a Router?
Routing Information Protocol
IP Addresses and the Internet
Netmask
Subnet Addressing
Private IP Addresses
Single IP Address Operation Using NAT
MAC Addresses and Address Resolution Protocol
Related Documents
Domain Name Server
IP Configuration by DHCP
Internet Security and Firewalls
What is a Firewall?
Stateful Packet Inspection
Denial of Service Attack
Ethernet Cabling
Uplink Switches and Crossover Cables
Cable Quality
Appendix D Preparing Your Network
Preparing Your Computers for TCP/IP Networking
Configuring Windows 95, 98, and Me for TCP/IP Networking
Install or Verify Windows Networking Components
Enabling DHCP to Automatically Configure TCP/IP Settings
Selecting Windows’ Internet Access Method
Verifying TCP/IP Properties
Configuring Windows NT, 2000 or XP for IP Networking
Installing or Verifying Windows Networking Components
Verifying TCP/IP Properties
Configuring the Macintosh for TCP/IP Networking
MacOS 8.6 or 9.x
MacOS X
Verifying TCP/IP Properties for Macintosh Computers
Verifying the Readiness of Your Internet Account
Are Login Protocols Used?
What Is Your Configuration Information?
Obtaining ISP Configuration Information for Windows Computers
Obtaining ISP Configuration Information for Macintosh Computers
Restarting the Network
Appendix E Virtual Private Networking
What is a VPN?
What is IPSec and How Does It Work?
IPSec Security Features
IPSec Components
Encapsulating Security Payload (ESP)
Authentication Header (AH)
IKE Security Association
Mode
Key Management
Understand the Process Before You Begin
VPN Process Overview
Network Interfaces and Addresses
Interface Addressing
Firewalls
Setting Up a VPN Tunnel Between Gateways
VPNC IKE Security Parameters
VPNC IKE Phase I Parameters
VPNC IKE Phase II Parameters
Testing and Troubleshooting
Additional Reading
Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to FVS328
Configuration Profile
Step-By-Step Configuration of FVS318 or FVM318 Gateway A
Step-By-Step Configuration of FVS328 Gateway B
Test the VPN Connection
Appendix G NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328
Configuration Profile
Using DDNS and Fully Qualified Domain Names (FQDN)
Step-By-Step Configuration of FVS318 or FVM318 Gateway A
Step-By-Step Configuration of FVS328 Gateway B
Test the VPN Connection
Appendix H NETGEAR VPN Client to NETGEAR the FVS328
Profile: Traveling User or Telecommuter at Home
Step-By-Step Configuration of FVS328 Gateway
Step-By-Step Configuration of the Netgear VPN Client B
Testing the VPN Connection
From the Client PC to the FVS328
From the FVS328 to the Client PC
Monitoring the PC VPN Connection
Viewing the FVS328 VPN Status and Log Information
Glossary
Index
Chapter 1
About This Manual
This chapter introduces the NETGEAR FVS328 ProSafe VPN Firewall with Dial Back-up manual.

Audience

This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technology tutorial information is provided in the Appendices and on the NETGEAR Web site.

Scope

This manual is written for the FVS328 Firewall according to these specifications:
Table 1-1. Manual Specifications
Product Version: FVS328 ProSafe VPN Firewall with Dial Back-up
Firmware Version Number: Version 1.0 Release 09
Manual Part Number: 202-10031-01
Manual Publication Date: May 2004
Note: Product updates are available on the NETGEAR Web site at http://kbserver.netgear.com/products/FVS328.asp.

Typographical Conventions

This guide uses the following typographical conventions:
Table 1-2. Typographical conventions
italics: Emphasis.
bold times roman: User input.
[Enter]: Named keys in text are shown enclosed in square brackets. The notation [Enter] is used for the Enter key and the Return key.
Small Caps: DOS file and directory names.

Special Message Formats

This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.

How to Use this Manual

This manual includes both PDF and HTML versions. Use the topics below to identify how to take advantage of these document formats when you need to view or print information from this manual.
Figure Preface 1-1: HTML version of this manual
1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs.
To view the HTML version of the manual, you must have a version 4 or later browser with JavaScript enabled.
2. Toolbar buttons. Use the toolbar buttons across the top to navigate, print pages, and more.
– The Show in Contents button locates the current topic in the Contents tab.
– Previous/Next buttons display the previous or next topic.
– The PDF button links to a PDF version of the full manual.
– The Print button prints the current topic. Using this button when a step-by-step procedure is displayed will send the entire procedure to your printer—you do not have to worry about specifying the correct range of pages.
3. Right pane. Use the right pane to view the contents of the manual. Also, each page of the manual includes a link at the top right which links to a PDF file containing just the currently selected chapter of the manual.

How to Print this Manual

To print this manual, you can choose one of the following options, according to your needs.
Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on the upper right side of the toolbar to print the currently displayed topic. Using this button when a step-by-step procedure is displayed will send the entire procedure to your printer—you do not have to worry about specifying the correct range of pages.
Printing a Chapter. Use the link at the top right of any page.
– Click the “PDF of This Chapter” link at the top right of any page in the chapter you want to print. A new browser window opens showing the PDF version of the chapter you were viewing.
– Click the print icon in the upper left of the window.
– Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.
Printing the Full Manual. Use the PDF button in the toolbar at the top right of the browser window.
– Click the PDF button. A new browser window opens showing the PDF version of the chapter you were viewing.
– Click the print icon in the upper left side of the window.
– Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.
Chapter 2
Introduction
This chapter describes the features of the NETGEAR FVS328 ProSafe VPN Firewall with Dial Back-up. The FVS328 Firewall provides connection for multiple computers to the Internet through an external broadband access device such as a cable modem or DSL modem, and supports IPSec-based secure tunnels to IPSec-compatible VPN servers. The 8-port FVS328 with auto fail-over connectivity through the serial port provides highly reliable Internet access for up to 253 users.

About the FVS328

The FVS328 is a complete security solution that protects your network from attacks and intrusions and enables secure communications using Virtual Private Networks (VPN). Unlike simple Internet sharing routers that rely on Network Address Translation (NAT) for security, the FVS328 uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection. The 8-port FVS328 provides highly reliable Internet access for up to 253 users with up to 50 concurrent VPN tunnels.

Key Features

The FVS328 features are highlighted below.

Full Routing on Both the Broadband and Serial Ports

You can install, configure, and operate the FVS328 to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including:
• Internet access via either the serial or broadband port.
• Auto fail-over connectivity through an analog or ISDN modem connected to the serial port. If the broadband Internet connection fails, after waiting for an amount of time you specify, the FVS328 can automatically establish a backup ISDN or dial-up Internet connection via the serial port on the firewall.
• Remote Access Server (RAS) allows you to log in remotely through the serial port to access a server on your LAN, other LAN resources, or the Internet based on a user name and password you define.
• LAN-to-LAN access between two FVS328 firewalls through the serial port with the option of enabling auto-failover Internet access across the serial LAN-to-LAN connection.

Virtual Private Networking

The FVS328 Firewall provides a secure encrypted connection between your local network and remote networks or clients. Its VPN features include:
• Support for up to 50 simultaneous VPN connections.
• Support for industry standard VPN protocols. The FVS328 ProSafe VPN Firewall with Dial Back-up supports standard keying methods (Manual or IKE), standard authentication methods (MD5 and SHA-1), and standard encryption methods (DES, 3DES). It is compatible with many other VPN products.
• Support for up to 168-bit encryption (3DES) for maximum security.
• Support for VPN Main Mode, Aggressive mode, or Manual Keying.
• Support for Fully Qualified Domain Name (FQDN) configuration when the Dynamic DNS feature is enabled with one of the supported service providers.

A Powerful, True Firewall

Unlike simple Internet sharing NAT routers, the FVS328 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
• DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations or services that you specify as off-limits.
• Logs security incidents. The FVS328 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to e-mail the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a significant event occurs.

Content Filtering

With its content filtering feature, the FVS328 prevents objectionable content from reaching your computers. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.

Configurable Auto Uplink™ Ethernet Connection

With its internal 8-port 10/100 switch, the FVS328 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the local LAN and the Internet WAN interfaces are 10/100 Mbps, autosensing, and capable of full-duplex or half-duplex operation.
The firewall incorporates Auto Uplink™ technology. Each local Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.

Protocol Support

The FVS328 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). Appendix C, “Networks, Routing, and Firewall Basics” provides further information on TCP/IP. Supported protocols include:
• The Ability to Enable or Disable IP Address Sharing by NAT. The FVS328 allows several networked computers to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. This feature can also be turned off completely for using the FVS328 in settings where you want to manage the IP address scheme of your organization.
• Automatic Configuration of Attached Computers by DHCP. The FVS328 dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached computers using Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on your local network.
• DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached computers. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your computer.
• Point-to-Point Tunneling Protocol. PPTP login support for European ISPs and BigPond login for Telstra cable in Australia.
• Dynamic DNS. Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The firewall contains a client that can connect to many popular Dynamic DNS services to register your dynamic IP address. See “Configuring Dynamic DNS” on page 5-6.

Easy Installation and Management

You can install, configure, and operate the FVS328 within minutes after connecting it to the network. The following features simplify installation and management tasks:
• Browser-based management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.
• Smart Wizard. The firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
• Remote management. The firewall allows you to log in to the Web Management Interface from a remote location via the Internet using the secure SSL protocol. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.
• Diagnostic functions. The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot. These functions allow you to test Internet connectivity and reboot the firewall. You can use these diagnostic functions directly from the FVS328 when you are connected on the LAN or when you are connected over the Internet via the remote management function.
• Visual monitoring. The firewall’s front panel LEDs provide an easy way to monitor its status and activity.
• Flash EPROM for firmware upgrades.
Note: Product updates are available on the NETGEAR Web site at http://kbserver.netgear.com/products/FVS328.asp.
• Regional support, including ISPs like Telstra DSL and BigPond or Deutsche Telekom.

What’s in the Box?

The product package should contain the following items:
• FVS328 ProSafe VPN Firewall with Dial Back-up
• AC power adapter
• FVS328 Resource CD (230-10041-02), including:
– This manual
– Application notes, tools, and other helpful information
• Warranty and registration card
• Support information card
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

The Firewall’s Front Panel

The front panel of the FVS328 contains status LEDs. You can use some of the LEDs to verify connections. Table 2-1 lists and describes each LED on the front panel of the firewall.
Figure 2-1: FVS328 Front Panel
These LEDs are green when lit, except for the TEST LED, which is amber.
Table 2-1: LED Descriptions
Label                       Activity      Description
POWER                       On            Power is supplied to the firewall.
TEST                        On            The system is initializing.
                            Off           The system is ready and running.
MODEM                       On/Blinking   The port detected a link with the Internet WAN connection or Remote Access Server. Blinking indicates data transmission.
INTERNET
  100                       On/Blinking   The Internet port is operating at 100 Mbps.
  LINK/ACT (Activity)       On/Blinking   The port detected a link with the Internet WAN connection and is operating at 10 Mbps. Blinking indicates data transmission.
LOCAL
  100                       On/Blinking   The Local port is operating at 100 Mbps.
  LINK/ACT (Link/Activity)  On/Blinking   The Local port has detected a link with a LAN connection and is operating at 10 Mbps. Blinking indicates data transmission.

The Firewall’s Rear Panel

The rear panel of the FVS328 contains the connections identified below.
Figure 2-2: FVS328 Rear Panel
Viewed from left to right, the rear panel contains the following elements:
• DB-9 serial port for modem connection
• Reset/Factory Default push button: push to reset; push and hold for 20 seconds to reset to factory default settings
• Eight Local Ethernet RJ-45 ports for connecting the firewall to local computers
• Internet WAN Ethernet RJ-45 port for connecting the firewall to a cable or DSL modem
• 12V DC 1.2A power adapter input
Chapter 3
Connecting the FVS328 to the Internet
This chapter describes how to set up the firewall on your Local Area Network (LAN) and connect to the Internet. You can perform basic configuration of your FVS328 ProSafe VPN Firewall with Dial Back-up using the Setup Wizard, or manually configure your Internet connection.

What You Will Need Before You Begin

You need to prepare these three things before you can connect your firewall to the Internet:
1. A computer properly connected to the firewall as explained below.
2. Active Internet service such as that provided by a DSL or Cable modem account.
3. The Internet Service Provider (ISP) configuration information for your account.

LAN Hardware Requirements

The FVS328 Firewall connects to your LAN via twisted-pair Ethernet cables. To use the FVS328 Firewall on your network, each computer must have an installed Ethernet Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your firewall.
The broadband modem must provide a standard 10 Mbps 10BASE-T or 100 Mbps 100BASE-T Ethernet interface.

LAN Configuration Requirements

For the initial connection to the Internet and configuration of your firewall, you will need to connect a computer to the firewall which is set to automatically get its TCP/IP configuration from the firewall via DHCP. The computer you use must have a Web browser such as Internet Explorer v5 or greater or Netscape Communicator v4.7 or greater.
Note: Please refer to Appendix D, "Preparing Your Network" for assistance with DHCP configuration.

Internet Configuration Requirements

Depending on how your ISP or IT group set up your Internet access, you will need one or more of these configuration parameters to connect your firewall to the Internet:
• Host and Domain Names
• ISP Login Name and Password
• ISP Domain Name Server (DNS) Addresses
• Fixed or Static IP Address
Where Do I Get the Internet Configuration Parameters?
There are several ways you can gather the required Internet connection information.
• Your ISP should have provided you with all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISP to provide it or you can try one of the options below.
• If you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer.
– For Windows 95/98/Me, open the Network control panel, select the TCP/IP entry for the Ethernet adapter, and click Properties.
– For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties.
– For Macintosh computers, open the TCP/IP or Network control panel.
• You may also refer to the FVS328 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs.
Once you locate your Internet configuration parameters, you may want to record them on the page below according to the instructions in “Worksheet for Recording Your Internet Connection Information” on page 3-3.

Worksheet for Recording Your Internet Connection Information

Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).
ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs. If you connect using a login name and password, then fill in the following:
Login Name: ________________________
Password: ______________________
Service Name: ________________________
Fixed or Static IP Address: If you have a static IP address, record the following information. For example, 169.254.141.148 could be a valid IP address.
Fixed or Static Internet IP Address: ______.______.______.______
Subnet Mask: ______.______.______.______
Gateway IP Address: ______.______.______.______
ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following:
Primary DNS Server IP Address: ______.______.______.______
Secondary DNS Server IP Address: ______.______.______.______
Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or home. If you haven’t been given host or domain names, you can use the following examples as a guide:
• If your main e-mail account with your ISP is aaa@yyy.com, then use aaa as your host name. Your ISP might call this your account, user, host, computer, or system name.
• If your ISP’s mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name.
ISP Host Name: __________________
ISP Domain Name: ___________________
For Serial Port Internet Access: If you use a dial-up account, record the following:
Account/User Name: ___________________
Password: ____________________
Telephone number: _________________
Alternative number: _________________

Connecting the FVS328 to Your LAN

This section provides instructions for connecting the FVS328 ProSafe VPN Firewall with Dial Back-up to your Local Area Network (LAN).
Note: The Resource CD included with your firewall contains an animated Installation Assistant to help you through this procedure.

How to Connect the FVS328 to Your LAN

There are three steps to connecting your firewall:
• Connect the firewall to your network.
• Log in to the firewall.
• Connect to the Internet.
Follow the steps below to connect your firewall to your network.
1. CONNECT THE FIREWALL BETWEEN YOUR PC & MODEM
a. Turn off your computer.
b. Turn off your broadband modem.
c. Connect a Cat 5 Ethernet cable from the Internet port of the FVS328 to the broadband modem.
d. Connect the Cat 5 Ethernet cable which came with the firewall from your computer to a Local port on the router.
Note: The FVS328 Firewall incorporates Auto Uplink™ technology. Each Ethernet port will automatically sense whether the cable plugged into the port should have a 'normal' connection (e.g. connecting to a PC) or an 'uplink' connection (e.g. connecting to a switch or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.
e. Securely insert one end of the Ethernet cable that came with your firewall into a Local port on the router such as Local port 6 (C), and the other end into the Ethernet port of your computer (D).
2. RESTART YOUR NETWORK IN THE CORRECT SEQUENCE
Warning: Failure to restart your network in the correct sequence could prevent you from connecting to the Internet.
a. First, turn on the broadband modem and wait 2 minutes.
b. Now, turn on your firewall.
c. Last, turn on your computer.
Note: If software usually logs you in to the Internet, do not run that software or cancel it if it starts automatically.
Figure 3-1: FVS328 status lights
Check the status lights and verify the following:
• Power: The power light goes on when you turn the firewall on.
• Test: The Test light turns on, blinks, then goes off after less than a minute.
• Internet: The Internet light on the firewall is lit. If the Internet light is not lit, make sure the Ethernet cable is securely attached to the firewall Internet port and the powered-on modem.
• Local: A Local light on the router is lit. If no Local lights are lit, check that the Ethernet cable connecting the powered-on computer to the router is securely attached at both ends.
3. LOG IN TO THE FIREWALL
a. From your PC, launch your Internet browser.
b. Connect to the firewall by typing http://192.168.0.1 in the address field of Internet Explorer or Netscape® Navigator.
c. For security reasons, the router has its own user name and password. When prompted, enter admin for the router user name and password for the router password, both in lower case letters.
Note: The router user name and password are not the same as any user name or password you may use to log in to your Internet connection.
A login window like the one shown below opens:
Figure 3-2: Login window
d. After logging in to the router, you will see the Internet connection Smart Wizard on the settings main page.