Netgear FVS328 Reference Guide

Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

NETGEAR, Inc.
4500 Great America Parkway Santa Clara, CA 95054 USA Phone 1-888-NETGEAR
202-10031-01 May 2004
May 2004, 202-10031-01
© 2004 by NETGEAR, Inc. All rights reserved. FullManual.

Trademarks

NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this
document are copyright Intoto, Inc.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

EN 55 022 Declaration of Conformance

This is to certify that the FVS328 ProSafe VPN Firewall with Dial Back-up is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22).

Certificate of the Manufacturer/Importer

It is hereby certified that the FVS328 ProSafe VPN Firewall with Dial Back-up has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
ii
May 2004, 202-10031-01

Bestätigung des Herstellers/Importeurs

Es wird hiermit bestätigt, daß dasFVS328 ProSafe VPN Firewall with Dial Back-up gemäß der im BMPT-AmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.

Voluntary Control Council for Interference (VCCI) Statement

This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto), and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines, aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver , it may become the cause of radio interference. Read instructions for correct handling.

Technical Support

Refer to the Support Information Card that shipped with your FVS328 ProSafe VPN Firewall with Dial Back-up.

World Wide Web

NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.
May 2004, 202-10031-01
iii
iv
May 2004, 202-10031-01

Contents

Chapter 1 About This Manual
Audience ................................... ................ ................ ................. ................ ................ .....1-1
Scope .............................................................................................................................1-1
Typographical Conventions ............................................................................................1-2
Special Message Formats ..............................................................................................1-2
How to Use this Manual ..................................................................................................1-3
How to Print this Manual .................................................................................................1-4
Chapter 2 Introduction
About the FVS328 ..........................................................................................................2-1
Key Features ..................................................................................................................2-1
Full Routing on Both the Broadband and Serial Ports ........................................ ... ..2-1
Virtual Private Networking ........................................................................................2-2
A Powerful, True Firewall .........................................................................................2-2
Content Filtering .......................................................................................................2-3
Configurable Auto Uplink™ Ethernet Connection ....................................................2-3
Protocol Support ......................................................................................................2-3
Easy Installation and Management ..........................................................................2-4
What’s in the Box? ..........................................................................................................2-5
The Firewall’s Front Panel .......................................................................................2-5
The Firewall’s Rear Panel ........................................................................................2-7
Chapter 3 Connecting the FVS328 to the Internet
What You Will Need Before You Begin .................................. .... ... ... ... .... ... ... ... ... ............3-1
LAN Hardware Requirements ..................................................................................3-1
LAN Configuration Requirements ............................................................................3-1
Internet Configuration Requirements ....................................................................... 3-2
Where Do I Get the Internet Configuration Parameters? ..................................3-2
Contents i
May 2004, 202-10031-01
Worksheet for Recording Your Internet Connection Information ..............................3-3
Connecting the FVS328 to Your LAN ................................. ... .... ... ... ... .... ... ... ... ...............3-4
How to Connect the FVS328 to Your LAN ...............................................................3-4
Configuring a Wizard-Detected Login Account ........................................................3-8
Configuring a Wizard-Detected Dynamic IP Account ...... .......... .......... ......... .......... ..3-9
Configuring a Wizard-Detected Fixed IP (Static) Account ......................................3-10
How to Configure the Serial Port for an Internet Connection .......................................3-10
Testing Your Internet Connection ..................................................................................3-13
Manually Configuring Your Internet Connection ...........................................................3-14
How to Manually Configure the Primary Internet Connection ................................3-15
Chapter 4 Serial Port Configuration
Configuring a Serial Port Modem ...................................................................................4-2
Basic Requirements for Serial Port Modem Configuration .......................................4-2
How to Configure a Serial Port Modem ....................................................................4-2
Configuring Auto-Rollover ..............................................................................................4-3
Basic Requirements for Auto-Rollover .....................................................................4-3
How to Configure Auto-Rollover ...............................................................................4-3
Configuring Dial-in on the Serial Port .............................................................................4-4
Basic Requirements for Dial-in .................................................................................4-5
How to Configure Dial-in ..........................................................................................4-5
Configuring LAN-to-LAN Settings ...................................................................................4-6
Basic Requirements for LAN-to-LAN Connections ..................................................4-6
How to Configure LAN-to-LAN Connections ............................................................4-6
Chapter 5 WAN and LAN Configuration
Configuring LAN IP Settings ...........................................................................................5-1
Using the Router as a DHCP Server ........................................................................5-2
How to Configure LAN TCP/IP Setup Settings ........................................................5-3
How to Configure Reserved IP Addresses ................... ... .... .....................................5-4
Configuring WAN Settings ..............................................................................................5-4
Connecting Automatically, as Required ...................................................................5-5
Setting Up a Default DMZ Server .............................. ... ... .... ... ... ... .... ... ... ... ...............5-5
How to Assign a Default DMZ Server ......................................................................5-5
Responding to Ping on Internet WAN Port ...............................................................5-6
ii Contents
May 2004, 202-10031-01
How to Set the MTU Size .........................................................................................5-6
Configuring Dynamic DNS ..............................................................................................5-6
How to Configure Dynamic DNS ..............................................................................5-7
Using Static Routes ........................................................................................................5-7
Static Route Example ...............................................................................................5-7
How to Configure Static Routes ...............................................................................5-8
Chapter 6 Protecting Your Network
Protecting Access to Your FVS328 Firewall ...................................................................6-1
How to Change the Built-In Password .....................................................................6-1
How to Change the Administrator Login Timeout ....................................................6-2
Configuring Basic Firewall Services ...............................................................................6-2
Using the Block Sites Menu to Screen Content ..............................................................6-3
Services and Rules Regulate Inbound and Outbound Traffic .........................................6-4
Defining a Service ....................................................................................................6-5
Using Inbound/Outbound Rules to Block or Allow Services .....................................6-6
Examples of Using Services and Rules to Regulate Traffic ...........................................6-8
Inbound Rules (Port Forwarding) .............................. ............................................... 6-8
Example: Port Forwarding to a Local Public Web Server ..................................6-9
Example: Port Forwarding for Videoconferencing .............................................6-9
Example: Port Forwarding for VPN Tunnels when NAT is Off .........................6-10
Outbound Rules (Service Blocking or Port Filtering) ........................... ...... ....... ......6-11
Outbound Rule Example: Blocking Instant Messaging ....................................6-12
Other Rules Considerations ............... ... ... ....................................................................6-12
Order of Precedence for Rules ..............................................................................6-12
Rules Menu Options ...............................................................................................6-13
Setting Times and Scheduling Firewall Services ................................................ .......... 6-13
How to Set Your Time Zone ...................................................................................6-14
How to Schedule Firewall Services ........................................................................6-15
Chapter 7 Virtual Private Networking
Overview of FVS328 Policy-Based VPN Configuration ..................................................7-1
Using Policies to Manage VPN Traffic .....................................................................7-1
Using Automatic Key Management ..................................... ................................... .. 7-2
IKE Policies’ Automatic Key and Authentication Management ................................7-3
Contents iii
May 2004, 202-10031-01
VPN Policy Configuration for Auto Key Negotiation ..................... ............................ 7-6
VPN Policy Configuration for Manual Key Exchange ...............................................7-9
Using Digital Certificates for IKE Auto-Policy Authentication .......................................7-14
Certificate Revocation List (CRL) ...........................................................................7-14
How to Use the VPN Wizard to Configure a VPN Tunnel .............................................7-15
Walk-Through of Configuration Scenarios ....................................................................7-17
VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets .........................7-18
FVS328 Scenario 1: How to Configure the IKE and VPN Policies .........................7-20
How to Check VPN Connections ...........................................................................7-24
FVS328 Scenario 2: Authenticating with RSA Certificates ....................................7-25
Chapter 8 Managing Your Network
Network Management ....................................................................................................8-1
How to Configure Remote Management ..................................................................8-1
Viewing Router Status and Usage Statistics .................................... ... ... ... ... .... ... ... ..8-3
Viewing Attached Devices ........................................................................................8-6
Viewing, Selecting, and Saving Logged Information ................................................8-7
Changing the Include in Log Settings ................................................................8-9
Enabling the Syslog Feature .............................................................................8-9
Enabling Security Event E-mail Notification .................................................................8-10
Backing Up, Restoring, or Erasing Your Settings .........................................................8-11
How to Back Up the FVS328 Configuration to a File ............. ... ... .... ... ... ... ... .... ......8-11
How to Restore a Configuration from a File .............................. ............................. 8-12
How to Erase the Configuration .............................................................................8-13
Running Diagnostic Utilities and Rebooting the Router ................................................8-13
Upgrading the Router’s Firmware .................... ......... .......... .......... .......... ......... .......... ...8-14
How to Upgrade the Router ...................................................................................8-15
Chapter 9 Troubleshooting
Basic Functions ..............................................................................................................9-1
Power LED Not On ...................................................................................................9-2
Test LED Never Turns On or Test LED Stays On .....................................................9-2
Local or Internet Port Link LEDs Not On ..................................................................9-3
Troubleshooting the Web Configuration Interface ..........................................................9-3
Troubleshooting the ISP Connection ..............................................................................9-4
iv Contents
May 2004, 202-10031-01
Troubleshooting a TCP/IP Network Using a Ping Utility .................................................9-5
How to Test the LAN Path to Your Firewall ..............................................................9-6
How to Test the Path from Your PC to a Remote Device .........................................9-6
Restoring the Default Configuration and Password ............... .........................................9-7
How to Use the Default Reset Button ......................................................................9-7
Problems with Date and Time .........................................................................................9-8
Appendix A Technical Specifications
Appendix B Firewall Log Formats
Action List ...................................................................................................................... B-1
Field List ........................................................................................................................ B-1
Outbound Log ..................................... ... ... .......................................... .... ... .................... B-1
Inbound Log ................................................................................................................... B-2
Other IP Traffic ......................................... .... ... ... ... ... .... ...................................... .... ... ... . B-2
Router Operation ........................................................................................................... B-3
Other Connections and Traffic to this Router ................................................................ B-4
DoS Attack/Scan ........................................................................................................... B-4
Access Block Site .......................................................................................................... B-6
All Web Sites and News Groups Visited ........................................................................ B-6
System Admin Sessions ................................................................................................ B-6
Policy Administration LOG ............................................................................................. B-7
Appendix C Networks, Routing, and Firewall Basics
Related Publications ......................................................................................................C-1
Basic Router Concepts .................................................................................................. C-1
What is a Router? ................................................................................................... C-1
Routing Information Protocol ...................................................................................C-2
IP Addresses and the Internet ......................................... .... ... ... ... .... ... ... ... ... .... ... ... . C-2
Netmask .................................... ................................................................ .............. C-4
Subnet Addressing .................................................................................................. C-4
Private IP Addresses ................................. ... ... ... .......................................... .... ... ....C-7
Single IP Address Operation Using NAT .................................................................C-7
MAC Addresses and Address Resolution Protocol ................................................. C-9
Related Documents ................................................................................................. C-9
Contents v
May 2004, 202-10031-01
Domain Name Server .............................................................................................. C-9
IP Configuration by DHCP ................................. .... ... ... ... .... ... ... ... .... ... ..................C-10
Internet Security and Firewalls .................................................................................... C-10
What is a Firewall? ................................................................................................ C-11
Stateful Packet Inspection ............................... ... .... ... ... ... .... ... ............................... C-11
Denial of Service Attack ........................................................................................ C-11
Ethernet Cabling ................................. ... ... .... ... ... .......................................... ... ... .... ... .. C-12
Uplink Switches and Crossover Cables ................................................................C-12
Cable Quality ......................................................................................................... C-13
Appendix D Preparing Your Network
Preparing Your Computers for TCP/IP Networking ................................ ... ... ...... .... ... ... . D-1
Configuring Windows 95, 98, and Me for TCP/IP Networking ....................................... D-2
Install or V erify Windows Networking Components ................................................. D-2
Enabling DHCP to Automatically Configure TCP/IP Settings .................................D-4
Selecting Windows’ Internet Access Method ................ ......................... ........... D-4
Verifying TCP/IP Properties .................................................................................... D-5
Configuring Windows NT, 2000 or XP for IP Networking ................................. .............. D-5
Installing or Verifying Windows Networking Components ......... ... .... ... ... ... ... ....... ... . D-5
Verifying TCP/IP Properties .................................................................................... D-6
Configuring the Macintosh for TCP/IP Networking ........................................................ D-6
MacOS 8.6 or 9.x ......................... .......................................... ... .............................. D-6
MacOS X ...... ................................................................................ ........................... D-7
Verifying TCP/IP Properties for Macintosh Computers ........................................... D-8
Verifying the Readiness of Your Internet Account ......................................................... D-9
Are Login Protocols Used? ..................................................................................... D-9
What Is Your Configuration Information? ................................................................ D-9
Obtaining ISP Configuration Information for Windows Computers .......................D-10
Obtaining ISP Configuration Information for Macintosh Computers ..................... D-11
Restarting the Network ................................................................................................D-12
Appendix E Virtual Private Networking
What is a VPN? ............................................................................................................. E-1
What is IPSec and How Does It Work? ......................................................................... E-2
IPSec Security Features .................................... .... .......................................... ... ... . E-2
vi Contents
May 2004, 202-10031-01
IPSec Components ................................................................ ... .............................. E-2
Encapsulating Security Payload (ESP) ................................................................... E-3
Authentication Header (AH) ............................... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... .... E-4
IKE Security Association ........... ... ... .......................................... ... .... ... ... ... .............. E-4
Mode ...................................... ...................... .................... ...................... ........... E-5
Key Management .................................................................................................... E-6
Understand the Process Before You Begin ................................................................... E-6
VPN Process Overview ......... ... ... .... ... ... ... .......................................... .... ... .................... E-7
Network Interfaces and Addresses ......................................................................... E-7
Interface Addressing ......................................................................................... E-7
Firewalls ........................................................................................................... E-8
Setting Up a VPN Tunnel Between Gateways ........................................................ E-8
VPNC IKE Security Parameters ......... ... ... .... ... ............................................................ E-10
VPNC IKE Phase I Parameters ............................................................................. E-10
VPNC IKE Phase II Parameters .............................................................................E-11
Testing and Troubleshooting .........................................................................................E-11
Additional Reading .......................... ... ... ... .... ... ... ... ... .... ... .......................................... ...E-11
Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to FVS328
Configuration Profile ........................................... ... ... .... ... ... ... .... ..................................... F-1
Step-By-Step Configuration of FVS318 or FVM318 Gateway A ............................. ........F-2
Step-By-Step Configuration of FVS328 Gateway B ...................................... ... ... .... ... .....F-5
Test the VPN Connection ...............................................................................................F-9
Appendix G NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328
Configuration Profile ........................................... ... ... .......................................... .... ... ....G-1
Using DDNS and Fully Qualified Domain Names (FQDN) .....................................G-2
Step-By-Step Configuration of FVS318 or FVM318 Gateway A ....................................G-3
Step-By-Step Configuration of FVS328 Gateway B ................................... ... ... ... .... ... ... .G-7
Test the VPN Connection ............................................................................................G-11
Appendix H NETGEAR VPN Client to NETGEAR the FVS328
Profile: Traveling User or Telecommuter at Home .........................................................H-1
Contents vii
May 2004, 202-10031-01
Step-By-Step Configuration of FVS328 Gateway ......................................... ................. H-2
Step-By-Step Configuration of the Netgear VPN Client B .............................................H-7
Testing the VPN Connection ............................ ... ... ... .... ... ... ... .... ... ... ... .... ... ... ...............H-14
From the Client PC to the FVS328 ........................................................................ H-14
From the FVS328 to the Client PC ...................................... ... ... ... .... ... ... ... ... .... ... .. H-15
Monitoring the PC VPN Connection ................... ... ... .... ... ... ... .... .................................. H-15
Viewing the FVS328 VPN Status and Log Information ........................... ..................... H-16
Glossary Index
viii Contents
May 2004, 202-10031-01
Chapter 1
About This Manual
This chapter introduces the NETGEAR FVS328 ProSafe VPN Firewall with Dial Back-up manual.

Audience

This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technology tutorial information is provided in the Appendices and on the NETGEAR Web site.

Scope

This manual is written for the FVS328 Firewall according to these specifications.:
Table 1- 1. Manual Specifications
Product Version FVS328 ProSafe VPN Firewall with Dial Back-up Firmware Version Number Verson 1.0 Release 09 Manual Part Number 202-10031-01 Manual Publication Date May 2004
Note: Product updates are available on the NETGEAR Web site at
http://kbserver.netgear.com/products/FVS328.asp.
About This Manual 1
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Typographical Conventions

This guide uses the following typographical conventions:
Table 1-2. Typographical conventions
italics Emphasis. bold times roman User input. [Enter] Named keys in text are shown enclosed in square brackets. The notation [Enter]
is used for the Enter key and the Return key.
Small Caps DOS file and directory names.

Special Message Formats

This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
2 About This Manual
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

How to Use this Manual

This manual includes both PDF and HTML versions. Use the topics below to identify how to take advantage of these document formats when you need to view or print information from this manual.
1
2 3
Figure Preface 1-1: HTML version of this manual
1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs.
To view the HTML version of the manual, you must have a version 4 or later browser with JavaScript enabled.
2. Toolbar buttons. Use the toolbar buttons across the top to navigate, print pages, and more.
–The Show in Contents button locates the current topic in the Contents tab.
Previous/Next buttons display the previous or next topic.
–The PDF button links to a PDF version of the full manual.
–The Print button prints the current topic. Using this button when a step-by-step
procedure is displayed will send the entire procedure to your printer—you do not have to worry about specifying the correct range of pages.
3. Right pane. Use the right pane to view the contents of the manual. Also, each page of the
manual includes a link at the top right which links to a PDF file containing just the currently selected chapter of the manual.
About This Manual 3
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

How to Print this Manual

To print this manual you can choose one of the following several options, according to your needs.
Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on the
upper right side of the toolbar to print the currently displayed topic. Using this button when a step-by-step procedure is displayed will send the entire procedure to your printer—you do not have to worry about specifying the correct range of pages.
Printing a Chapter. Use the link at the top right of any page.
Click the “PDF of This Chapter” link at the top right of any page in the chapter you want
to print. A new browser window opens showing the PDF version of the chapter you were
viewing. – Click the print icon in the upper left of the window. – Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.
Printing the Full Manual. Use the PDF button in the toolbar at the top right of the browser
window. – Click the PDF button. A new browser window opens showing the PDF version of the
chapter you were viewing. – Click the print icon in the upper left side of the window. – Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.
4 About This Manual
May 2004, 202-10031-01
Chapter 2
Introduction
This chapter describes the features of the NETGEAR FVS328 ProSafe VPN Firewall with Dial Back-up. The FVS328 Firewall provides connection for multiple computers to the Internet through an external broadband access device such as a cable modem or DSL modem, and supports IPSec-based secure tunnels to IPSec-compatible VPN servers. The 8-port FVS328 with auto fail-over connectivity through the serial port provides highly reliable Internet access for up to 253 users.

About the FVS328

The FVS328 is a complete security solution that protects your network from attacks and intrusions and enables secure communications using Virtual Private Networks (VPN). Unlike simple Internet sharing routers that rely on Network Address Translation (NAT) for security, the FVS328 uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection. The 8-port FVS328 provides highly reliable Internet access for up to 253 users with up to 50 concurrent VPN tunnels.

Key Features

The FVS328 features are highlighted below.

Full Routing on Both the Broadband and Serial Ports

You can install, configure, and operate the FVS328 to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including:
Internet access via either the serial or broadband port.
Auto fail-over connectivity through an analog or ISDN modem connected to the serial port If the broadband Internet connection fails, after a waiting for an amount of time you specify, the FVS328 can automatically establish a backup ISDN or dial-up Internet connection via the serial port on the firewall.
Introduction 2-1
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Remote Access Server (RAS) allows you to log in remotely through the serial port to access a server on your LAN, other LAN resources, or the Internet based on a user name and password you define.
LAN-to-LAN access between two FVS328 firewalls through the serial port with the option of enabling auto-failover Internet access across the serial LAN-to-LAN connection.

Virtual Private Networking

The FVS328 Firewall provides a secure encrypted connection between your local network and remote networks or clients. Its VPN features include:
Support for up to 50 simultaneous VPN connections.
Support for industry standard VPN protocols. The FVS328 ProSafe VPN Firewall with Dial Back-up supports standard keying methods (Manual or IKE), standard authentication methods (MD5 and SHA-1), and standard encryption methods (DES, 3DES). It is compatible with many other VPN products.
Support for up to 168 bit encryption (3DES) for maximum security.
Support for VPN Main Mode, Aggressive mode, or Manual Keying.
Support for Fully Qualified Domain Name (FQDN) configuration when the Dynamic DNS feature is enabled with one of the supported service providers.

A Powerful, True Firewall

Unlike simple Internet sharing NAT routers, the FVS328 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
DoS protection Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
Blocks unwanted traffic from the Internet to your LAN.
Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Logs security incidents The FVS328 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to e-mail the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a significant event occurs.
2-2 Introduction
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Content Filtering

With its content filtering feature, the FVS328 prevents objectionable content from reaching your computers. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.

Configurable Auto Uplink™ Ethernet Connection

With its internal 8-port 10/100 switch, the FVS328 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the local LAN and the Internet W AN interfaces are 10/100 Mbps, autosensing, and capable of full-duplex or half-duplex operation.
TM
The firewall incorporates Auto Uplink sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.
technology. Each local Ethernet port will automatically

Protocol Support

The FVS328 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). Appendix C, “Networks, Routing, and Firewall Basics” provides further information on TCP/IP. Supported protocols include:
The Ability to Enable or Disable IP Address Sharing by NAT The FVS328 allows several networked computers to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. This feature can also be turned off completely for using the FVS328 in settings where you want to manage the IP address scheme of your organization.
Automatic Configuration of Attached computers by DHCP The FVS328 dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached computers using Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on your local network.
Introduction 2-3
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
DNS Proxy When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached computers. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
PPP over Ethernet (PPPoE) PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your computer.
Point-to-Point Tunneling Protocol PPTP login support for European ISPs and BigPond login for Telstra cable in Australia.
Dynamic DNS Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The firewall contains a client that can connect to many popular Dynamic DNS services to register your dynamic IP address. See “Configuring
Dynamic DNS” on page 5-6.

Easy Installation and Management

You can install, configure, and operate the FVS328 within minutes after connecting it to the network. The following features simplify installation and management tasks:
Browser-based management Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.
Smart Wizard The firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
Remote management The firewall allows you to login to the Web Management Interface from a remote location via the Internet using secure SLL protocol. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.
2-4 Introduction
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Diagnostic functions The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot. These functions allow you to test Intern et connectivity and reboot the firewall. You can use these diagnostic functions directly from the FVS328 when your are connected on the LAN or when you are connected over the Internet via the remote management function.
Visual monitoring The firewall’s front panel LEDs provide an easy way to monitor its status and activity.
Flash EPROM for firmware upgrades
Note: Product updates are available on the NETGEAR Web site at
http://kbserver.netgear.com/products/FVS328.asp.
Regional support, including ISPs like Telstra DSL and BigPond or Deutsche Telekom.

What’s in the Box?

The product package should contain the following items:
FVS328 ProSafe VPN Firewall with Dial Back-up
•AC power adapter
FVS328 Resource CD (230-10041-02), including: — This manual — Application notes, tools, and other helpful information
Warranty and registration card
Support information card
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

The Firewall’s Front Panel

The front panel of the FVS328 contains status LEDs. You can use some of the LEDs to verify connections. Table 2-1 lists and describes each LED on the front panel of the firewall.
Introduction 2-5
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
-/$%,
0RO3AFE60.&IREWALLWITH$IAL"ACKUP
"ROADBAND
072 4%34 -ODEM
).4%2.%4
,.+
!#4
,/#!,


,.+!#4
&63
Figure 2-1: FVS328 Front Panel
These LEDs are green when lit, except for the TEST LED, which is amber.These LEDs are green when lit, except for the TEST LED, which is amber.
Table 2-1: LED Descriptions
Label Activity Description
POWER On Power is supplied to the firewall. TEST On
Off
MODEM On/Blinking The port detected a link with the Internet WAN connection or
INTERNET
100 On/Blinking The Internet port is operating at 100 Mbps. LINK/ACT (Activity) On/Blinking The port detected a link with the Internet WAN connection and is
LOCAL
100 On/Blinking The Local port is operating at 100 Mbps. LINK/ACT
On/Blinking The Local port has detected a link with a LAN connection and is
(Link/Activity)
The system is initializing. The system is ready and running.
Remote Access Server. Blinking indicates data transmission.
operating at 10 Mbps. Blinking indicates data transmission.
operating at 10 Mbps. Blinking indicates data transmission.
2-6 Introduction
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

The Firewall’s Rear Panel

The rear panel of the FVS328 contains the connections identified below.
LOC AL
MODEM
87654321
10/100M
INTERN ET
Figure 2-2: FVS328 Rear Panel
Viewed from left to right, the rear panel contains the following elements:
DB-9 serial port for modem connection
Reset/Factory Default push button: push to reset; push and hold for 20 seconds to reset to factory default settings
Eight Local Ethernet RJ-45 ports for connecting the firewall to local computers
Internet WAN Ethernet RJ-45 port for connecting the firewall to a cable or DSL modem
12VDC 1.2A
12V DC 1.2A power adapter input
Introduction 2-7
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
2-8 Introduction
May 2004, 202-10031-01
Chapter 3
Connecting the FVS328 to the Internet
This chapter describes how to set up the firewall on your Local Area Network (LAN) and connect to the Internet. You can perform basic configuration of your FVS328 ProSafe VPN Firewall with Dial Back-up using the Setup Wizard, or manually configure your Internet connection.

What You Will Need Before You Begin

You need to prepare these three things before you can connect your firewall to the Internet:
1. A computer properly connected to the firewall as explained below.
2. Active Internet service such as that provided by a DSL or Cable modem account.
3. The Internet Service Provider (ISP) configuration information for your account.

LAN Hardware Requirements

The FVS328 Firewall connects to your LAN via twisted-pair Ethernet cables. To use the FVS328 Firewall on your network, each computer must have an installed Ethernet
Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your firewall.
The broadband modem must provide a standard 10 Mbps 10BASE-T or 100 Mbps 100BASE-T Ethernet interface.

LAN Configuration Requirements

For the initial connection to the Internet and configuration of your firewall, you will need to connect a computer to the firewall which is set to automatically get its TCP/IP configuration from the firewall via DHCP. The computer you use must have a Web browser such as Internet Explorer v5 or greater or Netscape Communicator v4.7 or greater.
Note: Please refer to Appendix D, "Preparing Your Network" for assistance with DHCP
configuration.
Connecting the FVS328 to the Internet 3-1
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Internet Configuration Requirements

Depending on how your ISP or IT group set up your Internet access, you will need one or more of these configuration parameters to connect your firewall to the Internet:
Host and Domain Names
ISP Login Name and Password
ISP Domain Name Server (DNS) Addresses
Fixed or Static IP Address
Where Do I Get the Internet Configuration Parameters?
There are several ways you can gather the required Internet connection information.
Your ISP should have provided you with all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISP to provide it or you can try one of the options below.
If you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer.
For Windows 95/98/Me, open the Network control panel, select the TCP/IP entry for the
Ethernet adapter, and click Properties.
For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry
for the Ethernet adapter, and click Properties.
For Macintosh computers, open the TCP/IP or Network control panel.
You may also refer to the FVS328 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs.
Once you locate your Internet configuration parameters, you may want to record them on the page below according to the instructions in “Worksheet for Recording Your Internet Connection
Information” on page 3-3.
3-2 Connecting the FVS328 to the Internet
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Worksheet for Recording Your Internet Connection Information

Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as
given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs. If you connect using a login name and password, then fill in the following:
Login Name: ________________________
Password: ______________________
Service Name: ________________________ Fixed or Static IP Address: If you have a static IP address, record the following information. For
example, 169.254.141.148 could be a valid IP address. Fixed or Static Internet IP Address: ______
.______.______.______ Subnet Mask: ______.______.______.______ Gateway IP Address: ______.______.______.______
ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following: Primary DNS Server IP Address: ______
.______.______.______
Secondary DNS Server IP Address: ______.______.______.______ Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or
home. If you haven’t been given host or domain names, you can use the following examples as a
guide:
If your main e-mail account with your ISP is
aaa@yyy.com, then use aaa as your host name.
Your ISP might call this your account, user, host, computer, or system name.
If your ISP’s mail server is
mail.xxx.yyy.com, then use xxx.yyy.com as the domain name.
ISP Host Name: __________________
ISP Domain Name: ___________________
For Serial Port Internet Access: If you use a dial-up account, record the following: Account/User Name: ___________________
Password: ____________________
Telephone number: _________________ Alternative number: _________________
Connecting the FVS328 to the Internet 3-3
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Connecting the FVS328 to Your LAN

This section provides instructions for connecting the FVS328 ProSafe VPN Firewall with Dial Back-up to your Local Area Network (LAN).
Note: The Resource CD included with your firewall contains an animated Installation Assistant to
help you through this procedure.

How to Connect the FVS328 to Your LAN

There are three steps to connecting your firewall:
Connect the firewall to your network.
Log in to the firewall.
Connect to the Internet. Follow the steps below to connect your firewall to your network.
1. CONNECT THE FIREWALL BETWEEN YOUR PC & MODEM
a. Turn off your computer. b. Turn off your broadband modem. c. Connect a Cat 5 Ethernet cable from the Internet port of the FVS328 to the broadband
modem.
d. Connect the Cat 5 Ethernet cable which came with the firewall from your computer to a
Local port on the router. Note: The FVS328 Firewall incorporates Auto Uplink
will automatically sense whether the cable plugged into the port should have a 'normal' connection (e.g. connecting to a PC) or an 'uplink' connection (e.g. connecting to a switch or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.
e. Securely insert one end of the Ethernet cable that came with your firewall into a Local port
on the router such as Local port 6 (C), and the other end into the Ethernet port of your computer (D).
TM
technology. Each Ethernet port
2. RESTART YOUR NETWORK IN THE CORRECT SEQUENCE
3-4 Connecting the FVS328 to the Internet
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Warning: Failure to restart your network in the correct sequence could prevent you from connecting to the Internet.
a. First, turn on the broadband modem and wait 2 minutes. b. Now, turn on your firewall. c. Last, turn on your computer.
Note: If software usually logs you in to the Internet, do not run that software or cancel it if it starts automatically.
-/$%,
0RO3AFE60.&IREWALLWITH$IAL"ACKUP
"ROADBAND
072 4%34 -ODEM
).4%2.%4
,.+
!#4

,/#!,

,.+!#4
&63
Power
Test
Internet
Local Port 6
Figure 3-1: FVS328 status lights
Check the status lights and verify the following:
Power: The power light goes on when your turn the firewall on.
Test: The Test light turns on, blinks, then goes off solid after less than a minute.
Internet: The Internet light on the firewall is lit. If the Internet light is not lit, make sure the Ethernet cable is securely attached to the firewall Internet port and the powered on modem.
Local: A Local light on the router is lit. If no Local lights are lit, check that the Ethernet cable connecting the powered on computer to the router is securely attached at both ends.
Connecting the FVS328 to the Internet 3-5
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
3. LOG IN TO THE FIREWALL
a. From your PC, launch your Internet browser. b. Connect to the firewall by typing http://192.168.0.1 in the address field of Internet
Explorer or Netscape
c. For security reasons, the router ha s its own user name and password. When prompted,
admin for the router user name and password for the router password, both in lower
enter case letters.
Note: The router user name and password are not the same as any user name or password you may use to log in to your Internet connection.
A login window like the one shown below opens:
®
Navigator.
Figure 3-2: Login window
After logging in to the router, you will see the Internet connection Smart Wizard on the
d.
settings main page.
3-6 Connecting the FVS328 to the Internet
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
4. RUN THE SMART WIZARD TO CONNECT TO THE INTERNET
Figure 3-3: Setup Wizard
a. You are now connected to the router. If you do not see the menu above, click the Setup
Wizard link on the upper left of the main menu.
b. Choose NAT or Classical Routing. NAT automatically assigns private IP addresses
(192.168.0.x) to LAN connected devices. Classical routing lets you directly manage the IP addresses the FVS328 uses. Classical routing should be selected only by experienced users.
c. Click Next and follow the steps in the Setup Wizard for inputting the configuration
parameters from your ISP to connect to the Internet. Note: If you choose not to use the Setup Wizard, you can manually configure your
Internet connection settings by following the procedure “Manually Configuring Your
Internet Connection” on page 3-14.
Unless your ISP automatically assigns your configuration automatically via DHCP, you will need the configuration parameters from your ISP as you recorded them previously in
“Worksheet for Recording Your Internet Connection Information” on page 3-3
d. When the firewall successfully detects an active Internet service, the firewall’s Internet
LED goes on. The Setup Wizard reports which connection typ e it discovered, and displays the appropriate configuration menu. If the Setup Wi zard finds no connection, you will be prompted to check the physical connection between your firewall and the cable or DSL line.
e. The Setup Wizard will report the type of connection it finds. The options are:
Connections that require a login using protocols such as PPPoE, Telstra BigPond, or
PPTP broadband Internet connections.
Connecting the FVS328 to the Internet 3-7
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Connections that use dynamic IP address assignment.
Connections that use fixed IP address assignment. The procedures for filling in the configuration menu for each type of connection follow
below.

Configuring a Wizard-Detected Login Account

If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to the correct setup menu.
1. Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be necessary to access your ISP’s services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.
2. Enter the PPPoE login user name and password provided by your ISP. These fields are case
sensitive. If you want to change the login timeout, enter a new value in minutes.
Note: You will no longer need to launch the ISP’s login program on your computer in order to
access the Internet. When you start an Internet application, the firewall will automatically log you in.
3. Enable or disable NAT (Network Address Translation). NAT allows all LAN computers to
gain Internet access via this Router, by sharing this Router's WAN IP address. In most situations, NAT is essential for Internet access via this Router. You should only disable NAT if you are sure you do not require it. When NAT is disabled, only standard routing is performed by this Router.
4. Perform a DNS Lookup. A DNS (Domain Name Server) converts the Internet name (e.g.
www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
If you enter an address here, after you finish configuring the firewall, reboot your computers so that the settings take effect.
5. Enter the Router's MAC Address. Each computer or router on your network has a unique
32-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access Control) address. Usually, select Use default address.
3-8 Connecting the FVS328 to the Internet
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
If your ISP requires MAC authentication, then select either Use this Computer's MAC address to have the router use the MAC address of the computer you are now using, or Use This MAC Address to manually type in the MAC address that your ISP expects.
6. Click Apply to save your settings.
7. Click the Test button to test your Internet connection. If the NETGEAR Web site does not
appear within one minute, refer to Chapter 9, Troubleshooting.

Configuring a Wizard-Detected Dynamic IP Account

If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the correct setup menu.
1. Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be necessary to access your ISP’s services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.
2. If you know that your ISP does not automatically transmit DNS addresses to the firewall
during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
A DNS server is a host on the Internet that translates Internet names (such as www .netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your computers after configuring the firewall.
3. The Router’s MAC Address is the Ethernet MAC address that will be used by the firewall on
the Internet port. If your ISP allows access from only one specific computer’s Ethernet MAC address, select
“Use this MAC address.” The firewall will then capture and use the MAC address of the computer that you are now using. You must be using the one computer that is allowed by the ISP. Otherwise, you can ty pe in a MAC address.
Note: Some ISPs will register the Ethernet MAC address of the network interface card in your computer when your account is first opened. They will then only accept traffic from the MAC address of that computer. This feature allows your firewall to masquerade as that computer by using its MAC address.
4. Click Apply to save your settings.
Connecting the FVS328 to the Internet 3-9
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Click the Test button to test your Internet connection. If the NETGEAR Web site does not
5.
appear within one minute, refer to Chapter 9, Troubleshooting.

Configuring a Wizard-Detected Fixed IP (Static) Account

If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you will be directed to the correct setup menu.
1. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway
router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP you recorded in “Worksheet for Recording Your
Internet Connection Information” on page 3-3.
2. Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is
available, enter it also. DNS servers are required to perform the function of translating an Internet name such as
www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must obtain DNS server addresses from your ISP and enter them manually here. You should reboot your computers after configuring the firewall for these settings to take effect.
3. Click Apply to save the settings.
4. Click the Test button to test your Internet connection. If the NETGEAR Web site does not
appear within one minute, refer to Chapter 9, Troubleshooting.

How to Configure the Serial Port for an Internet Connection

Use the procedure below to configure an Internet connection via the serial port of your firewall. Follow the steps below to configure a serial port Internet connection on your firewall.
1. Connect the Firewall to your ISDN or dial-up modem
a. Turn off your modem and connect the cable from the serial port of the FVS328 to the
modem.
b. Turn on the modem and wait about 30 seconds for the lights to stop blinking.
2. Configure the Serial Port of the Firewall.
a. Use a browser to log in to the firewall at http://192.168.0.1 with its default User Name of
admin and default Password of password, or using whatever Password you have set up.
3-10 Connecting the FVS328 to the Internet
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
From the Setup Basic Settings menu, click Serial Port.
b.
Figure 3-4: Serial Internet Connection configuration menu
c.
Fill in the ISDN or analog ISP Internet configuration parameters as appropriate:
For a Dial-up Account, enter the Account information. Check “Connect as required”
to enable the firewall to automatically dial the number. To enable Idle Time disconnect, check the box and enter a time in minutes.
To configure the Internet IP settings, fill in the address parameters your ISP provided.
d. Configure the Modem parameters.
Connecting the FVS328 to the Internet 3-11
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Note: You can validate modem string settings by first connecting the modem directly to a PC, establishing a connection to your ISP, and then copying the modem string settings from the PC configuration and pasting them into the FVS328 Modem Properties Initial String field. For more information on this procedure, please refer to the support area of the NETGEAR web site.
Select the Serial Line Speed. This is the maximum speed the modem will attempt to
use. For ISDN permanent connections, the speeds are typically 64000 or 128000 bps. For dial-up modems, 56000 bps would be a typical setting.
Select the Modem Type.
For ISDN, select “Permanent connection (leased line).” – For dial-up, select your modem from the list. “Standard Modem” should work in
most cases.
If your modem is not on the list, select “User Defined” and enter the Modem
Properties.
Note: If you are not using modem from the pre-defined list but are using the “User Defined” Modem Type, you must first use the Serial Port menu Modem link to fill in the Modem Properties settings for your modem.
e. Click Apply to save your settings.
3. Connect to the Internet to test your configuration.
a. If you have a broadband connection, disconnect it. b. From a workstation, open a browser and test your serial port Internet connection.
Note: The response time of your serial port Internet connection will be slower than a broadband Internet connection.
3-12 Connecting the FVS328 to the Internet
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Testing Your Internet Connection

After completing the Internet connection configuration, your can test your Internet connection. Log in to the firewall, then, from the Setup Basic Settings link, click the Test button. If the NETGEAR Web site does not appear within one minute, refer to Chapter 9, Troubleshooting.
Your firewall is now configure d to provide Internet access for your network. Your firewall automatically connects to the Internet when one of your computers requires access. It is not necessary to run a dialer or login application such as Dial-Up Networking or Enternet to connect, log in, or disconnect. These functions are performed by the firewall as needed.
To access the Internet from any computer connected to your firewall, launch a browser such as Microsoft Internet Explorer or Netscape Navigator. You should see the firewall’s Internet LED blink, indicating communication to the ISP. The browser should begin to display a Web page.
The following chapters describe how to configure the advanced features of your firewall, and how to troubleshoot problems that may occur.
Connecting the FVS328 to the Internet 3-13
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Manually Configuring Your Internet Connection

You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
ISP Does Not Require Login
ISP Does Require Login
Figure 3-5: Browser-based configuration Basic Settings menu
3-14 Connecting the FVS328 to the Internet
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

How to Manually Configure the Primary Internet Connection

Use these steps to manually configure the primary Internet connection in the Basic Settings menu.
1. Select your Internet connection type (broadband with or without login, or serial).
Note: If you are a Telstra BigPond broadband customer, or if you are in an area such as Austria that uses broadband PPTP, login is required. If so, select BigPond or PPTP from the Internet Service Type drop down box.
2. Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be necessary to access your ISP’s services such as mail or news servers.
3. If needed, enter the PPPoE login user name and password provided by your ISP. These fields
are case sensitive. To change the login timeout, enter a new value in minutes. You will no longer need to run the ISP’s login program on your PC in order to access the
Internet. When you start an Internet application, your firewall automatically logs you in.
4. If you want to disable NAT, select the Disable radio button. Before disabling NAT, back up
your current configuration settings.
Note: Disabling NAT will reboot the router and reset all the FVS328 configuration
settings to the factory default. Disable NAT only if you plan to install the FVS328 in a setting where you will be manually administering the IP address space on the LAN side of the router.
5. Internet IP Address: If your ISP assigned you a permanent, fixed IP address for your PC, select
“Use static IP address.” Enter the IP address your ISP assigned. Also enter the netmask and the Gateway IP address. The Gateway is the ISP’s router to which your firewall will connect.
6. Domain Name Server (DNS) Address: If your ISP does not automatically transmit DNS
addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it.
Note: A DNS server is a host on the Internet that translates Internet names (such as www .netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your PCs after configuring the firewall.
Connecting the FVS328 to the Internet 3-15
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Router’s MAC Address: This section determines the Ethernet MAC address that will be used
7.
by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your firewall to masquerade as that PC by “cloning” its MAC address. To change the MAC address, select “Use this Computer’s MAC address.” The firewall will then capture and use the MAC address of the PC that you are now using. You must be using the one PC that is allowed by the ISP . Or, select “Use this MAC address” and enter it.
8. Click Apply to save your settings.
9. Click Test to test your Internet connection. If the NETGEAR Web site does not appear within
one minute, refer to Chapter 9, Troubleshooti ng.
3-16 Connecting the FVS328 to the Internet
May 2004, 202-10031-01
Chapter 4
Serial Port Configuration
This chapter describes how to configure the serial port options of your FVS328 ProSafe VPN Firewall with Dial Back-up. The FVS328 serial port lets you share the broadband connection of another FVS328, share resources between two LANs, and take advantage of th e routing functions on the broadband (WAN), LAN, and serial network interfaces.
Note: If you configure the serial port of the FVS328 as the primary Internet connection, you will not be able to configure the other serial port options. For instructions on configuring the serial port as the primary Internet connection, please see “How to Configure the Serial Port for an Internet
Connection“ on page 3-10.
The FVS328 provides these serial port configuration options:
•Modem
Use this option to configure the serial modem settings for any of the features below.
Auto-Rollover
Use this option to provide a backup connection for your broadband service. If the broadband service you configured in the Basic Settings menu fails, the FVS328 will automatically connect to the Internet through the serial port. However, you will then be accessing the Internet at a slower speed than you would through your broadband service.
Dial-in
Dial-in lets a single remote computer connect to the FVS328 through the serial port to gain access to LAN resources or a remote access server.
LAN-to-LAN
LAN-to-LAN enables direct communications between two FVS328 firewalls to: — Share resources on the two LANs. — Let users on one FVS328 share the Internet connection of the other FVS328. — Let users on one FVS328 connect to the Internet through the second FVS328 in case the
broadband connection of the first FVS328 fails.
The procedures for these configuration options are presented below.
Serial Port Configuration 4-1
May 2004, 202-10031-01M-10207-01, Reference Manual v2
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Configuring a Serial Port Modem

You can configure a seria l port modem for any of the features described above. Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.

Basic Requirements for Serial Port Modem Configuration

Configuring a serial port modem requires these elements:
1. A serial analog or ISDN modem.
2. A serial modem cable with a DB9 connector.
3. An active phone or ISDN line.

How to Configure a Serial Port Modem

Follow the steps below to configure a serial port modem.
1. From the main menu, click Modem in the Serial Port section.
Figure 4-1: Serial Port Modem configuration menu
2.
Select the Serial Line Speed. This is the maximum speed the modem will attempt to use. For ISDN permanent connections, the speeds are typically 64000 or 128000 bps. For dial-up modems, 56000 bps would be a typical setting.
— For ISDN, select “Permanent connection (leased line).” — For dial-up, “Standard Modem” should work in most cases. Otherwise, select your modem
from the list.
4-2 Serial Port Configuration
May 2004, 202-10031-01M-10207-01, Reference Manual v2
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
— If your modem is not on the list, select “User Defined” and enter the Modem Properties.
If you are using the “User Defined” selection and configuring your own modem stings, fill in the Modem Properties settings.
Note: Y ou can validate modem string settings by first connecting the modem directly to a PC, establishing a connection to your ISP, and then copying the modem string settings from the PC configuration and pasting them into the FR328S Modem Properties Initial String field. For more information on this procedure, please refer to the support area of the NETGEAR web site.
3. Click Apply to save your settings.

Configuring Auto-Rollover

You can configure the serial port of the FVS328 to provide an auto-rollover backup connection for your broadband service.
Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.

Basic Requirements for Auto-Rollover

Auto-Rollover requires these elements:
1. A broadband connection to the FVS328.
2. An ISDN or analog phone line with an active ISDN or dial-up ISP account
3. A serial modem properly configured and attached to the DB9 connector on the serial port.
4. The Auto-Rollover settings configured and applied to the FVS328.

How to Configure Auto-Rollover

Follow the steps below to configure a serial port auto-rollover connection.
1. Configure a serial port modem according to the instructions above.
2. From the main menu, click Auto-rollover in the Serial Port section.
Serial Port Configuration 4-3
May 2004, 202-10031-01M-10207-01, Reference Manual v2
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Figure 4-2: Auto-Rollover configuration menu
Configure the Auto-Rollover settings.
3.
4. Click Apply for the changes to take effect.

Configuring Dial-in on the Serial Port

Dial-in lets a single remote computer connect to the FVS328 through the serial port to gain access to LAN resources or a remote access server.
Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.
4-4 Serial Port Configuration
May 2004, 202-10031-01M-10207-01, Reference Manual v2
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Basic Requirements for Dial-in

Dial-in requires these elements:
1. A broadband connection to the FVS328.
2. An analog phone line.
3. A serial modem properly configured and attached to the DB9 connector on the serial port.
4. The Dial-in settings configured and applied to the FVS328.

How to Configure Dial-in

Follow the steps below to configure a serial port dial-in connection.
1. Configure a serial port modem according to the instructions above.
2. From the Serial Port section of the main menu, click Dial-in.
Figure 4-3: Serial Port Dial-in settings screen
3.
Configure the Dial-in settings.
4. Click Apply for the changes to take effect.
Serial Port Configuration 4-5
May 2004, 202-10031-01M-10207-01, Reference Manual v2
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Configuring LAN-to-LAN Settings

LAN-to-LAN enables direct communications between two FVS328 firewalls.
Serial Connection
Firewall A
Firewall B
192.168.3.1
Figure 4-4: LAN-to-LAN network configuration
192.168.0.1

Basic Requirements for LAN-to-LAN Connections

Serial port LAN-to-LAN configurations require these elements:
1. An ISDN or analog phone line with an active ISDN or dial-up ISP account.
2. A serial modem properly configured and attached to the DB9 connector on the serial port.
3. A broadband connection to one FVS328 for LAN-to-LAN auto-rollover Internet access.
4. The LAN-to-LAN settings configured and applied to the two FVS328 firewalls.

How to Configure LAN-to-LAN Connections

Follow the steps below to configure a serial port LAN-to-LAN connection.
1. Configure a serial port modem according to the instructions above.
2. From the main menu, click LAN-to-LAN in the Serial Port section.
4-6 Serial Port Configuration
May 2004, 202-10031-01M-10207-01, Reference Manual v2
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Figure 4-5: LAN-to-LAN configuration menu
Configure the LAN-to-LAN settings.
3.
Note: The LAN subnet address of each FVS328 must be different.
4. Click Apply for the changes to take effect.
Serial Port Configuration 4-7
May 2004, 202-10031-01M-10207-01, Reference Manual v2
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
4-8 Serial Port Configuration
May 2004, 202-10031-01M-10207-01, Reference Manual v2
Chapter 5
WAN and LAN Configuration
This chapter describes how to configure the WAN and LAN settings of your FVS328 ProSafe VPN Firewall with Dial Back-up.

Configuring LAN IP Settings

The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These features can be found under the Advanced heading in the Main Menu of the browser interface.
The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The firewall’s default LAN IP configuration is:
LAN IP addresses—192.168.0.1
Subnet mask—255.255.255.0 These addresses are part of the IETF-designated private address range for use in private networks,
and should be suitable in most applications. If your network has a requirement to use a different IP addressing scheme, you can make those changes.
The LAN TCP/IP Setup parameters are:
IP Address This is the LAN IP address of the firewall.
IP Subnet Mask This is the LAN Subnet Mask of the firewall. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
RIP Direction RIP (Router Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction selection controls how the firewall sends and receives RIP packets. Both is the default.
— When set to Both or Out Only, the firewall will broadcast its routing table periodically. — When set to Both or In Only, it will incorporate the RIP information that it receives.
WAN and LAN Configuration 5-1
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
— When set to None, it will not send any RIP packets and will ignore any RIP packets
received.
RIP Version This controls the format and the broadcasting method of the RIP packets that the router sends. It recognizes both formats when receiving. By default, this is set for RIP-1.
— RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you
have an unusual network setup.
— RIP-2 carries more information. Both RIP-2B and RIP-2M send the routing data in RIP-2
format. — RIP-2B uses subnet broadcasting. — RIP-2M uses multicasting.
Note: If you change the LAN IP address of the firewall while connected through the
browser, you will be disconnected. You mu st then open a new connection to the new IP address and log in again.

Using the Router as a DHCP Server

By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the router's LAN. The assigned default gateway address is the LAN address of the firewall. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.
For most applications, the default DHCP and TCP/IP settings of the firewall are satisfactory. See
“IP Configuration by DHCP” on page C-10 for an explanation of DHCP and information about
how to assign IP addresses for your network. If another device on your network will be the DHCP server, or if you will manually configure the
network settings of all of your computers, clear the ‘Use router as DHCP server’ check box. Otherwise, leave it checked.
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the firewall’s LAN IP address. Using the default addressing scheme, you should define a range between 192.168.0.2 and
192.168.0.253, although you may wish to save part of the range for device s with fixed addresses.
5-2 WAN and LAN Configuration
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
The firewall will deliver the following parameters to any LAN device that requests DHCP:
An IP Address from the range you have defined
Subnet Mask
Gateway IP Address is the firewall’s LAN IP address
Primary DNS Server, if you entered a Primary DNS address in the Basic Settings menu; otherwise, the firewall’s LAN IP address
Secondary DNS Server, if you entered a Secondary DNS address in the Basic Settings menu

How to Configure LAN TCP/IP Setup Settings

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of you have chosen for the firewall.
2. From the Main Menu, under Advanced, click the LAN IP Setup link to view the men u, shown
below.
admin, default password of password, or using whatever password and LAN address
Figure 5-1: LAN IP Setup Menu
WAN and LAN Configuration 5-3
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Enter the LAN TCP/IP and DHCP parameters.
3.
4. Click Apply to save your changes.

How to Configure Reserved IP Addresses

When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings.
To reserve an IP address:
1. Click the Add button.
2. In the IP Address box, type the IP address to assign to the PC or server.
Choose an IP address from the router’s LAN subnet, such as 192.168.0.X.
3. Type the MAC Address of the PC or server.
Note: If the PC is already present on your network, you can copy its MAC address from the Attached Devices menu and paste it here.
4. Click Apply to enter the reserved address into the table.
Note: The reserved address will not be assigned until the next time the PC contacts the router's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.
To edit or delete a reserved address entry:
1. Click the button next to the reserved address you want to edit or delete.
2. Click Edit or Delete.

Configuring WAN Settings

The WAN Setup menu allows configuration of WAN services such as automatic connection, DMZ server, enabling diagnostic PING tests on the WAN interface, setting the MTU size, and the WAN port speed,. These features can be found under the Advanced WAN Setup heading in the Main Menu of the browser interface.
These features are discussed below.
5-4 WAN and LAN Configuration
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Connecting Automatically, as Required

Normally, this option should be Enabled, so that an Internet connection will be made automatically , whenever Internet-bound traffic is detected. However , if this causes high connection costs, you can disable this setting.
If disabled, you must connect manually, using the sub-screen accessed from the Connection Status button on the Status screen.

Setting Up a Default DMZ Server

The default DMZ server feature is helpful when using some online games and videoconferencin g applications that are incompatible with NAT. The firewall is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local PC can run the application properly if that PC’s IP address is entered as the default DMZ server.
Note: For security, you should avoid using the default DMZ server feature. When a
computer is designated as the default DMZ server, it loses much of the protection of the firewall, and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Ports menu. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server.

How to Assign a Default DMZ Server

1. Click Default DMZ Server check box.
2. Type the IP address for that server.
3. Click Apply.
WAN and LAN Configuration 5-5
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Responding to Ping on Internet WAN Port

If you want the firewall to respond to a 'ping' from the Internet, click the ‘Respond to Ping on Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your firewall to be discovered. Don't check this box unless you have a specific reason to do so.

How to Set the MTU Size

The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 bytes or 1492 Bytes for PPPoE connections. For some ISPs you may need to reduce the MTU. But this is rarely required, and should not be done unless you are sure it is necessary for your ISP connection. Any packets sent through the firewall that are larger than the configured MTU size will be repackaged into smaller packets to meet the MTU requirement.
To change the MTU size:
1. Under MTU Size, select Custom.
2. Enter a new size between 64 and 1500.
3. Click Apply to save the new configuration.

Configuring Dynamic DNS

If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently. In this case, you can use a commercial dynamic DNS service, which will allow you to register your domain to their IP address, and will forward traffic directed to your domain to your frequently-changing IP address.
The firewall contains a client that can connect to a dynamic DNS service provider. To use this feature, you must select a service provider and obtain an account with them. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.
5-6 WAN and LAN Configuration
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

How to Configure Dynamic DNS

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click Dynamic DNS.
3. Click the radio button for the dynamic DNS service you will use. Access the We b site of the
dynamic DNS service providers whose, and register for an account. For example, for TZO.com, go to www.TZO.com.
4. Click Apply to save your configuration.
5. Click Status to see the login in progress.
admin, default password of password, or using whatever password and LAN address
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the
dynamic DNS service will not work because private addresses will not be routed on the Internet.

Using Static Routes

Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple routers or multiple IP subnets located on your network.

Static Route Example

As an example of when a static route is needed, consider the following case:
You r primary Internet access is through a cable modem to an ISP.
You have an ISDN router on your home network for connecting to the company where
you are employed. This router’s address on your LAN is 192.168.0.100.
You r company’s network is 134.177.0.0.
WAN and LAN Configuration 5-7
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your firewall will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company’s firewall.
In this case you must define a static route, telling your firewall that 134.177.0.0 should be accessed through the ISDN router at 192.168.0.100. The static route would look like Figure 5-3.
In this example:
The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses.
The Gateway IP Address fields specifies that all traffic for these addresses should be forwarded to the ISDN router at 192.168.0.100.
A Metric value of 1 will work since the ISDN router is on the LAN. This represents the number of routers between your network and the des tination. This is a direct connection so it is set to 1.
Private is selected only as a precautionary security measure in case RIP is activated.

How to Configure Static Routes

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user
name of you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click on Static Routes to view
the Static Routes menu, shown in Figure 5-2.
Figure 5-2: Static Routes Table
To add or edit a Static Route:
3.
5-8 WAN and LAN Configuration
admin, default password of password, or using whatever password and LAN address
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Click the Edit button to open the Edit Menu, shown below.
a.
Figure 5-3: Static Ro ute Entry and Edit Menu
b.
Type a route name for this static route in the Route Name box under the table. This is for identification purpose only.
c. Select Active to make this route effective. d. Select Private if you want to limit access to the LAN only.
The static route will not be reported in RIP.
e. Type the Destination IP Address of the final destination. f. Type the IP Subnet Ma sk for this destination.
If the destination is a single host, type 255.255.255.255.
g. Type the Gateway IP Address, which must be a router on the same LAN segment as the
firewall.
h. Type a number between 1 and 15 as the Metric value.
This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
4. Click Apply to have the static route entered into the table.
WAN and LAN Configuration 5-9
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
5-10 WAN and LAN Configuration
May 2004, 202-10031-01
Chapter 6
Protecting Your Network
This chapter describes how to use the basic firewall features of the FVS328 ProSafe VPN Firewall with Dial Back-up to protect your network.

Protecting Access to Your FVS328 Firewall

For security reasons, the firewall has its own user name and password. Also, after a period of inactivity for a set length of time, the administrator login will automatically disconnect. You can use the procedures below to change the firewall's password and the amount of time for the administrator’s login timeout.
Note: The user name and password are not the same as any user name or password your may use
to log in to your Internet connection. NETGEAR recommends that you change this password to a more secure password. The ideal
password should contain no dictionary words from any language, and should be a mixture of both upper and lower case letters, numbers, and symbols. Your password can be up to 30 characters.

How to Change the Built-In Password

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
2. From the main menu of the browser interface, under the Maintenance heading, select Set
Password to bring up the menu shown below.
Protecting Your Network 6-1
admin, default password of password, or using whatever password and LAN
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Figure 6-1: Set Password menu
To change the password, first enter the old password, then enter the new password twice.
3.
4. Click Apply to save your changes.
Note: After changing the password, you will be required to log in again to continue the configuration. If you have backed up the firewall settings previously, you should do a new backup so that the saved settings file includes the new password.

How to Change the Administrator Login Timeout

For security, the administrator’s login to the firewall configuration will time out after a period of inactivity. To change the login timeout period:
1. In the Set Password menu, type a number in ‘Administrator login times out’ field. The
suggested default value is 5 minutes.
2. Click Apply to save your changes or click Cancel to keep the current period.

Configuring Basic Firewall Services

Basic firewall services you can configure include access blocking and scheduling of firewall security. These topics are presented below.
6-2 Protecting Your Network
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Using the Block Sites Menu to Screen Content

The FVS328 allows you to restrict access based on the following categories:
Use of a proxy server
Type of file (Java, ActiveX, Cookie)
Web addresses
Web address keywords
These options are discussed below. The Keyword Blocking menu is shown here.
Figure 6-2: Block Sites menu
T o enable filtering, click the checkbox next to the type of filtering you want to enable. The filtering choices are:
Proxy: blocks use of a proxy server
Protecting Your Network 6-3
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Java: blocks use of Java applets
ActiveX: blocks use of ActiveX components (OCX files) used by IE on Windows
Cookies: blocks all cookies
To enable keyword blocking, check “Turn keyword blocking on”, then click Apply. To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply. Keyword application examples:
If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX.
If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
If you want to block all Internet browsing access, enter the keyword “.”.
Up to 255 entries are supported in the Keyword list. To specify a Trusted User, enter that computer’s IP address in the Trusted User box and click
Apply . You may specify one Trusted User, which is a computer that will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that computer with a fixed or reserved IP address.

Services and Rules Regulate Inbound and Outbound Traffic

The FVS328 ProSafe VPN Firewall with Dial Back-up firewall lets you regulate what ports are available to the various TCP/IP protocols. Follow these two steps to configure inbound or outbound traffic:
1. Define a Service
2. Set up an Inbound or Outbound Rule that uses the Service
These steps are discussed below.
6-4 Protecting Your Network
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Defining a Service

Services are functions performed by server computers at the request of client computers. For example, Web servers serve We b pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the FVS328 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups of newsgroups. When you have the port number information, go the Services menu and click on the Add Custom Service button. The Add Services menu will appear.
To add a service,
1. Enter a descriptive name for the service so that you will remember what it is.
2. Select whether the service uses TCP or UDP as its transport protocol.
If you can’t determine which is used, select both.
3. Enter the lowest port number used by the service.
4. Enter the highest port number used by the service.
If the service only uses a single port number, enter the same number in both fields.
5. Click Apply.
The new service will now appear in the Services menu, and in the Service name selection box in the Rules menu.
Protecting Your Network 6-5
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Using Inbound/Outbound Rules to Block or Allow Services

Firewall rules are used to block or allow specific traffic passing through from one side of the firewall to the other . Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVS328 are:
Inbound: Block all access from outside except responses to requests from the LAN side.
Outbound: Allow all access from the LAN side to the outside.
These default rules are shown in the Rules table of the Rules menu in Figure 6-3:
Figure 6-3: Rules menu
6-6 Protecting Your Network
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
You can define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destinat ion IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined.
To create a new rule, click the Add button. To edit an existing rule, select its button on the left side of the table and click Edit. To delete an existing rule, select its button on the left side of the table and click Delete. To move an existing rule to a different position in the table, select its button on the left side of the
table and click Move. At the script prompt, enter the number of the desired new position and click OK.
An example of the menu for defining or editing a rule is shown in Figure 6-4. The parameters are:
Service. From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services menu to add any additional services or applications that do not already appear.
Action. Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu.
Source Address. Specify traffic originating on the LAN (outbound) or the WAN (inbound), and choose whether you would like the traffic to be restricted by source IP address. You can select Any, a Single address, or a Range. If you select a range of addresses, enter the range in the start and finish boxes. If you select a single address, enter it in the start box.
Destination Address.The Destination Address will be assumed to be from the opposite (LAN or WAN) of the Source Address. As with the Source Address, you can sele ct Any, a Single address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you must enter a Single LAN address in the start box.
Log. You can select whether the traffic will be logged. The choices are: – Never - no log entries will be made for this service. – Match - traffic of this type which matches the parameters and action will be logged.
Protecting Your Network 6-7
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Examples of Using Services and Rules to Regulate Traffic

Use the examples to see how you combine Services and Rules to regulate how the TCP/IP protocols are used on your firewall to enable either blocking or allowing specific Internet traffic on your firewall.

Inbound Rules (Port Forwarding)

Because the FVS328 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule, also known as port forwarding, you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the router to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding.
Note: Some home broadband accounts do not allow you to run any server processes
(such as a Web or FTP server). Your ISP may check for servers and suspend your account if it discovers active servers at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Follow these guidelines when setting up port forwarding inbound rules:
If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menus so that external users can always find your network.
If the IP address of the local server computer is assigned by DHCP, it may change when the computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the computer’s IP address constant.
Local computers must access the local server using the local LAN address of the computer. Attempts by local computers to access the server using the external WAN IP address will fail.
Remember that allowing inbound services opens holes in your FVS328 Firewall. Only enable those ports that are necessary for your network. Following are two application examples of inbound rules:
6-8 Protecting Your Network
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Example: Port Forwarding to a Local Public Web Server
If you host a public W eb ser ver on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server any time of day.
Figure 6-4: Rule example: A Local Public Web Server
This rule is shown in Figure 6-4.
Example: Port Forwarding for Videoconferencing
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 6-5, CU-SeeMe is a predefined service and its connections are allowed only from a
Protecting Your Network 6-9
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.
Figure 6-5: Rule example: Videoconference from Restrict ed Addresses
Example: Port Forwarding for VPN Tunnels when NAT is Off
If you want to allow incoming VPN IPSec tunnels to be initiated from outside IP addresses anywhere on the Internet when NAT is off, first create a service and then an inbound rule.
Figure 6-6: Service example: port forwarding for VPN when NAT is Off
In the example shown in Figure 6-6, UDP port 500 connections are defined as the IPSec service.
6-10 Protecting Your Network
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Figure 6-7: Inbound rule example:
VPN IPSec when NAT is off
In the example shown in Figure 6-7, VPN IPSec connections are allowed any internal LAN IP address.

Outbound Rules (Service Blocking or Port Filtering)

The FVS328 allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local computer based on:
IP address of the local computer (source address)
IP address of the Internet site being contacted (destination address)
•Time of day
Type of service being requested (service port number)
Protecting Your Network 6-11
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Outbound Rule Example: Blocking Instant Messaging
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. Y ou can also have the router log any attempt to use Instant Messenger during that blocked period.
Figure 6-8: Rule example: Blocking Instant Messenger

Other Rules Considerations

The order of precedence of rules is determined by the position of the rule on a list of many rules. Also, there are optional Rules settings you can configure. These topics are presented here.

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules menu. For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order of the entries in the Rules T able, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet. The Move button allows you to relocate a defined rule to a new position in the table.
6-12 Protecting Your Network
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Rules Menu Options

Use the Options checkboxes to enable the following:
Enable VPN Passthrough (IPSec, PPTP, L2TP)
If LAN users need to use VPN (Virtual Private Networking) software on their computer, and connect to remote sites or servers, enable this checkbox. This will allow the VPN protocols (IPSec, PPTP, L2TP) to be used. If this checkbox is not checked, these protocols are blocked.
Drop fragmented IP packets If checked, all fragmented IP pack ets wil l be dropped (discarded). Normally, this should NOT
be checked.
Block TCP flood If checked, when a TCP flood attack is detected, the port used will be closed, and no traffic
will be able to use that port.
Block UDP flood If checked, when a UDP flood attack is detected, all traffic from that IP address will be
blocked.
Block non-standard packets If checked, only known packet types will be accepted; other packets will be blocked. The
known packet types are TCP, UDP, ICMP, ESP, and GRE. Note that these are packet types, not protocols.

Setting Times and Scheduling Firewall Services

The FVS328 Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must select your Time Zone from the list.
Protecting Your Network 6-13
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

How to Set Your Time Zone

In order to localize the time for your log entries, you must specify your Time Zone:
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
2. Click Schedule on the Security menu to display menu shown below.
admin, default password of password, or using whatever password and LAN
Figure 6-9: Schedule Services menu
3.
Select your Time Zone. Use this setting for the blocking schedule according to your local time zone and for time-stamping log entries. At power-up, the clock is set to Saturday 01/01/2001 00:00:00.
Check the Daylight Savings Time box if your time zone is currently in daylight savings time.
6-14 Protecting Your Network
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Note: If your region uses Daylight Savings Time, you must manually check Adjust for
Daylight Savings Time on the first day of Daylight Savings Time, and uncheck it at the end. Enabling Daylight Savings Time will cause one hour to be added to the standard time.
4. Choose your NTP server. The firewall uses Netgear NTP servers by default. If you would
prefer to use a particular NTP server as the primary server, enter its IP address under Use this NTP Server. The fixed NTP query interval is 2 hours.
5. Click Apply to save your settings.

How to Schedule Firewall Services

If you enabled services blocking in the Block Services menu or Port forwarding in the Ports menu, you can set up a schedule for when blocking occurs or when access isn't restricted.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User
Name of address you have chosen for the firewall.
2. Click Schedule on the Security menu to display the Schedule Services menu.
3. T o block Internet services based on a schedule, select Every Day or select one or more days. If
you want to limit access completely for the selected days, select All Day. Otherwise, to limit access during certain times for the selected days, enter Start Blocking and End Blocking times.
admin, default password of password, or using whatever Password and LAN
Note: Enter the values as 24-hour time. For example, 10:30 am would be 10 hours and 30 minutes and 10:30 pm would be 22 hours and 30 minutes.
4. Click Apply to save your changes.
Protecting Your Network 6-15
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
6-16 Protecting Your Network
May 2004, 202-10031-01
Chapter 7
Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FVS328 Firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.

Overview of FVS328 Policy-Based VPN Configuration

The FVS328 uses state-of-the-art firewall and security technology to facilitate controlled and actively monitored VPN connectivity . Since the FVS328 strictly conforms to Internet Engineering Task Force (IETF) standards, it is interoperable with devices from major network equipment vendors.
Telecommuter with
client software
VPN tunnels
encrypt data
VPN FirewallVPN Firewall
Figure 7-1: Secure access through FVS328 VPN routers

Using Policies to Manage VPN Traffic

You create policy definitions to manage VPN traffic on the FVS328. There are two kinds of policies:
Virtual Private Networking 7-1
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
IKE Policies: Define the authentication scheme and automatically generate the encryption keys. As an alternative option, to further automate the process, you can create an Internet Key Exchange (IKE) policy which uses a trusted certificate authority to provide the authentication while the IKE policy still handles the encryption.
VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you can create a VPN policy which does not use an IKE policy but in which you manually enter all the authentication and key parameters.
Since the VPN Auto policies require IKE policies, you must define the IKE policy first. The FVS328 also allows you to manually input the authentication scheme and encryption key values. VPN Manual policies manage the keys according to settings you select and do not use IKE policies.
In order to establish secure communication over the Internet with the remote site you need to configure matching VPN parameters on both the local and remote sites. The outbound VPN parameters on one end must match to the inbound VPN parameters on other end, and vice versa.
When the network traffic enters into the FVS328 from the LAN network interface, if there is no VPN policy found for a type of network traffic, then that traffic passes through without any change. However, if the traffic is selected by a VPN policy, then the Internet Protocol security IPSec authentication and encryption rules will be applied to it as defined in the VPN policy.
By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy table. You can change the priority by selecting the VPN policy from the policy table and clicking Move.

Using Automatic Key Management

The most common configuration scenarios will use IKE policies to automatically manage the authentication and encryption keys. Based on the IKE policy, so me parameters for the VPN tunnel are generated automatically. The IKE protocols perform negotiations between the two VPN endpoints to automatically generate required parameters.
Some organizations will use an IKE policy with a Certificate Authority (CA) to perform authentication. Typically, CA authentication is used in large organizations which maintain their own internal CA server. This requires that each VPN gateway have a certificate and trust certificate root from the CA. Using CAs reduces the amount of data entry required on each VPN endpoint.
7-2 Virtual Private Networking
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

IKE Policies’ Automatic Key and Authentication Management

Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 7-2.
Figure 7-2: IKE - Policy Configuration Menu
Virtual Private Networking 7-3
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
The IKE Policy Configuration fields are defined in the following table.
Table 7-1. IKE Policy Configuration Fields
Field Description General
Policy Name
Direction/Type
Exchange Mode
Local
These settings identify this policy and determine its major characteristics. The descriptive name of the IKE policy. Each policy should have a unique
policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify IKE policies.
This setting is used when determining if the IKE policy matches the current traffic. The drop-down menu includes the following:
• Initiator – Outgoing connections are allowed, but incoming are blocked.
• Responder – Incoming connections are allowed, but outgoing are blocked.
• Both Directions – Both outgoing and incoming connections are allowed.
• Remote Access – This is to allow only incoming client connections, where the IP address of the remote clie n t is un known.
If Remote Access is selected, the “Exchange Mode” MUST be “Aggressive,” and the ‘Identities’ below (both Local and Remote) MUST be “Name.” On the matching VPN Policy, the IP address of the remote VPN endpoint should be set to 0.0.0.0.
Main Mode or Aggressive Mode. This setting must match the setting used on the remote VPN endpoint.
• Main Mode is slower but more secure.
• Aggressive Mode is faster but less secure.
These parameters apply to the Local FVS328 firewall.
Local Identity Type
Local Identity Data
Remote
Use this field to identify the local FVS328. You can choose one of the following four options from the drop-down list:
• By its Internet (WAN) port IP address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
• By a Fully Qualified User Name – your name, E-mail address, or other ID.
• By DER ASN.1 DN – the binary Distinguished Encoding Rules (DER) encoding of your ASN.1 X.500 Distinguished Name.
This field lets you identify the local FVS328 by name. These parameters apply to the target remote FVS328 firewall, VPN
gateway, or VPN client.
7-4 Virtual Private Networking
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Table 7-1. IKE Policy Configuration Fields
Field Description
Remote Identity Type
Remote Identity Data
IKE SA Parameters
Encryption Algorithm
Authentication Algorithm
Authentication Method
Pre-Shared Key
Use this field to identify the remote FVS328. You can choose one of the following four options from the drop-down list:
• By its Internet (WAN) port IP address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
• By a Fully Qualified User Name – your name, E-mail address, or other ID.
• By DER ASN.1 DN – the binary DER encoding of your ASN.1 X.500 Distinguished Name.
This field lets you identify the target remote FVS328 by name. These parameters determine the properties of the IKE Security
Association. Choose the encryption algorithm for this IKE policy:
•DES
• 3DES is more secure and is the default
If you enable Authentication Headers (AH), this menu lets you select from these authentication algorithms:
• MD5 –- the default
• SHA-1 – more secure
Y ou can select Pre-Shared Key or R SA Signature. Specify the key according to the requirements of the Authentication
Algorithm you selected.
• For MD5, the key length should be 16 bytes.
• For SHA-1, the key length should be 20 bytes.
RSA Signature
Diffie-Hellman (DH) Group
SA Life Time
RSA Signature requires a certificate. The Diffie-Hellman groups are MODP Oakley Groups 1 and 2. The DH
Group setting determines the size of the key used in the key exchange. This must match the value used on the remote VPN gateway or client. Select Group 1 (768 bit) or Group 2 (1024 bit).
The amount of time in seconds before the Security Association expires; over an hour (3600) is common.
Virtual Private Networking 7-5
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

VPN Policy Configuration for Auto Key Negotiation

An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
Figure 7-3: VPN - Auto Policy Menu
7-6 Virtual Private Networking
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
The VPN Auto Policy fields are defined in the following table.
Table 7-1. VPN Auto Policy Configuration Fields
Field Description General
Policy Name The descriptive name of the VPN policy. Each policy should have a unique
IKE Policy The existing IKE policies are presented in a drop-down list.
Remote VPN Endpoint The address used to locate the remote VPN firewall or client to which you want
SA Life Time The duration of the Security Association before it expires.
IPSec PFS
PFS Key Group If PFS is enabled, this setting determines the DH group bit size used in the key
These settings identify this policy and determine its major characteristics.
policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify VPN policies.
Note: Create the IKE policy BEFORE creating a VPN - Auto policy.
to connect. The remote VPN endpoint must have this FVS328’s Local Identity Data entered as its “Remote VPN Endpoint”:
• By its IP Address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
• Seconds - the amount of time before the SA expires. Over an hour is common (3600).
• Kbytes - the amount of traffic before the SA expires.
One of these can be set without setting the other.
If enabled, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. Each key has no relationship to the previous key.
exchange. This must match the value used on the remote gateway. Select Group 1 (768 bit) or Group 2 (1024 bit).
Traffic Selector These settings determine if and when a VPN tunnel will be established. If
network traffic meets all criteria, then a VPN tunnel will be created.
Virtual Private Networking 7-7
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Table 7-1. VPN Auto Policy Configuration Fields
Field Description
Local IP The drop-down menu allows you to configure the source IP address of the
outbound network traffic for which this VPN policy will provide security. Usually, this address will be from your network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space Note: Choosing ANY sends all traffic through the tunnel, which will eliminate activities such as Web access.
• Single IP Address
• Range of IP Addresses
• Subnet Address
Remote IP The drop-down menu allows you to configure the destination IP address of the
outbound network traffic for which this VPN policy will provide security. Usually, this address will be from the remote site's corporate network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space Note: Choosing ANY sends all traffic to the WAN through the tunnel, preventing for example, remote management or response to ping.
• Single IP Address
• Range of IP Addresses
• Subnet Address
Authenticating Header (AH) Configuration
Enable Authentication Use this check box to enable or disable AH for this VPN policy.
Authentication
Algorithm
Encapsulated Security Payload (ESP) Configuration
Enable Encryption Use this check box to enable or disable ESP Encryption.
Encryption Algorithm
Enable Authentication Use this check box to enable or disable ESP transform for this VPN policy.
AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint.
If you enable AH, then select the authentication algorithm: MD5 – the default, or SHA1 - more secure
ESP provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication. Two ESP modes are available: Plain ESP encryption or ESP encryption with authentication These settings must match the remote VPN endpoint.
If you enable ESP encryption, then select the encryption algorithm: DES – the default, or 3DES - more secure
7-8 Virtual Private Networking
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Table 7-1. VPN Auto Policy Configuration Fields
Field Description
Authentication Algorithm
NetBIOS Enable Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel.
If you enable AH, then use this menu to select which authentication algorithm will be employed. The choices are: MD5 – the default, or SHA1 – more secure
The NetBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood.

VPN Policy Configuration for Manual Key Exchange

With Manual Key Management, you will not use an IKE policy. Y ou must manually type in all the required key information. Click the VPN Policies link from the VPN section of the main menu to display the menu shown below.
Virtual Private Networking 7-9
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Figure 7-4: VPN - Manual Policy Menu
7-10 Virtual Private Networking
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
The VPN Manual Policy fields are defined in the following table.
Table 7-1. VPN Manual Policy Configuration Fields
Field Description General
Policy Name The name of the VPN policy. Each policy should have a unique policy name.
Remote VPN Endpoint The WAN Internet IP address or Fully Qualified Domain Name of the remote
Traffic Selector These settings determine if and when a VPN tunnel will be established. If
Local IP The drop-down menu allows you to configure the source IP address of the
Remote IP The drop-down menu allows you to configure the destination IP address of the
These settings identify this policy and determine its major characteristics.
This name is not supplied to the remote VPN Endpoint. It is used to help you identify VPN policies.
VPN firewall or client to which you want to connect. The remote VPN endpoint must have this FVS328’s WAN Internet IP address entered as its “Remote VPN Endpoint.”
network traffic meets all criteria, then a VPN tunnel will be created.
outbound network traffic for which this VPN policy will provide security. Usually, this address will be from your network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space Note: Choosing ANY sends all traffic through the tunnel, which will eliminate activities such as Web access.
• Single IP Address
• Range of IP Addresses
• Subnet Address
outbound network traffic for which this VPN policy will provide security. Usually, this address will be from the remote site's corporate network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space Note: Choosing ANY sends all traffic to the WAN through the tunnel, preventing for example, remote management or response to ping.
• Single IP Address
• Range of IP Addresses
• Subnet Address
Virtual Private Networking 7-11
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Table 7-1. VPN Manual Policy Configuration Fields
Field Description Authenticating Header
(AH) Configuration
SPI - Incoming
SPI - Outgoing Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
Enable Authentication Use this check box to enable or disable AH. Authentication is often not used,
Authentication Algorithm
Key - In
AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint.
Note: The Incoming settings must match the Outgoing settings on the remote VPN endpoint, and the Outgoing settings must match the Incoming settings on the remote VPN endpoint.
Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Outgoing SPI" field.
VPN endpoint has the same value in its "Incoming SPI" field.
so you can leave the check box unselected. If you enable AH, then select the authentication algorithm:
• MD5 – the default
• SHA1 – more secure
Enter the keys in the fields provided. For MD5, the keys should be 16 characters. For SHA-1, the keys should be 20 characters.
Enter the keys.
• For MD5, the keys should be 16 characters.
• For SHA-1, the keys should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - Out" field.
Key - Out Enter the keys in the fields provided.
• For MD5, the keys should be 16 characters.
• For SHA-1, the keys should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - In" field.
Encapsulated Security Payload (ESP) Configuration
SPI - Incoming
ESP provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both encryption and authentication. when you use ESP. Two ESP modes are available:
• Plain ESP encryption
• ESP encryption with authentication
These settings must match the remote VPN endpoint.
Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Outgoing SPI" field.
7-12 Virtual Private Networking
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Table 7-1. VPN Manual Policy Configuration Fields
Field Description
SPI - Outgoing Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
VPN endpoint has the same value in its "Incoming SPI" field.
Enable Encryption Use this check box to enable or disable ESP Encryption.
Encryption Algorithm
Key - In
Key - Out Enter the key in the fields provided.
Enable Authentication Use this check box to enable or disable ESP authentication for this VPN policy.
Authentication Algorithm
Key - In
If you enable ESP Encryption, then select the Encryption Algorithm:
• DES - the default
• 3DES -more secure
Enter the key in the fields provided.
• For DES, the key should be 8 characters.
• For 3DES, the key should be 24 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Encryption Algorithm "Key - Out" field.
• For DES, the key should be 8 characters.
• For 3DES, the key should be 24 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Encryption Algorithm "Key - In" field.
If you enable authentication, then use this menu to select the alg orithm:
• MD5 – the default
• SHA1 – more secure
Enter the key.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - Out" field.
Key - Out Enter the key in the fields provided.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - In" field.
NetBIOS Enable Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel.
The NetBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood.
Virtual Private Networking 7-13
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

Using Digital Certificates for IKE Auto-Policy Authentication

Digital certificates are character strings generated using encryption and authentication schemes which cannot be duplicated by anyone without access to the different values used in the production of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a workstation uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities (PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The FVS328 is able to use certificates to authenticate users at the endpoints during the IKE key exchange process.
The certificates can be obtained from a certificate server an organization might maintain internally or from the established public CAs. The certificates are produced by providing the particulars of the user being identified to the CA. The information provided may include the user's name, e-mail ID, domain name, etc.
A CA is part of a trust chain. A CA has a public key which is signed. The combination of the signed public key and the private key enables the CA process to eliminate ‘man in the middle’ security threats. A ‘self’ certificate has your public key and the name of your CA, and relies on the CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added to the FVS328 and can then be used to form IKE policies for the user. Once a CA certificate is added to the FVS328 and a certificate is created for a user, the corresponding IKE policy is added to the FVS328. Whenever the user tries to send traffic through the FVS328, the certificates are used in place of pre-shared keys during initial key exchange as the authentication and key generation mechanism. Once the keys are established and the tunnel is set up the connection proceeds according to the VPN policy.

Certificate Revocation List (CRL)

Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these revoked certificates is known as the Certificate Revocation List (CRL).
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the CRL on the FVS328 obtained from the corresponding CA. If the certificate is not present in the CRL it means that the certificate is not revoked. IKE can then use this certificate for authentication. If the certificate is present in the CRL it means that the certificate is revoked, and the IKE will not authenticate the client.
You must manually update the FVS328 CRL regularly in order for the CA-based authentication process to remain valid.
7-14 Virtual Private Networking
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

How to Use the VPN Wizard to Configure a VPN Tunnel

Note: If you have turned NAT off, before configuring VPN IPSec tunnels you must first open UDP port 500 for inbound traffic as explained in “Example: Port Forwarding for
VPN Tunnels when NAT is Off” on page 6-10.
Follow this procedure to configure a VPN tunnel using the VPN Wizard. Note: The LAN IP address ranges of each VPN endpoint must be different. The connection will
fail if both are using the NETGEAR default address range of 192.168.0.x.
1. Log in to the FVS318 on LAN A at its default LAN address of http://192.168.0.1 with its
default user name of main menu to display this screen. Click Next to proceed.
admin and password of password. Click the VPN Wizard link in the
Figure 7-5: VPN Wizard Start Screen
2.
Fill in the Connection Name, pre-shared key, and select the type of target end point, and click Next to proceed.
Virtual Private Networking 7-15
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Figure 7-6: Connection Name and Remote IP Type
3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next.
Figure 7-7: Remote IP
4. Identify the IP addresses at the target endpoint which can use this tunnel, and click Next.
Figure 7-8: Secure Connection Remote Accessibility
7-16 Virtual Private Networking
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
The Summary screen below displays.
Figure 7-9: VPN Wizard Summary
To view the VPNC recommended authentication and encryption Phase 1 and Phase 2 settings the VPN Wizard used, click the “here” link.
5. Click Done to complete the configuration procedure. The VPN Settings menu displays
showing that the new tunnel is enabled T o view or modify the tunnel settings, select the radio button next to the tunnel entry and click
Edit.

Walk-Through of Configuration Scenarios

There are a variety of configurations you might implement with the FVS328. The scenarios listed below illustrate typical configurations you might use in your organization.
Virtual Private Networking 7-17
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
In order to help make it easier to set up an IPsec system, the following two scenarios are provided. These scenarios were developed by the VPN Consortium (http://www.vpnc.org). The goal is to make it easier to get the systems from different vendors to interoperate. NETGEAR is providing you with both of these scenarios in the following two formats:
VPN Consortium Scenarios without any product implementation details
VPN Consortium Scenarios based on the FVS328 user interface The purpose of providing these two versions of the same scenarios is to help you determine where
the two vendors use different vocabulary. Seeing the examples presented in these different ways will reveal how systems from different vendors do the same thing. See Appendix E, “Virtual
Private Networking” for a full discussion of VPN and the configuration templates NETGEAR
developed for publishing multi-vendor VPN integration configuration case studies.
Note: See Appendix F, “NETGEAR VPN Configuration FVS318 or FVM318 to
FVS328 for a detailed procedure for configuring VP N co mmunications between a
NETGEAR FVS318 and a FVS328. NETGEAR publishes additional interoperability scenarios with various gateway and client software products. Look on the NETGEAR Web site at www.netgear.com/support/main.asp for more details.

VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.
10.5.6.0/24
Gateway A
10.5.6.1
Figure 7-10: VPN Consortium Scenario 1
14.15.16.17 22.23.24.25
Internet
Gateway B
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.
7-18 Virtual Private Networking
May 2004, 202-10031-01
172.23.9.0/24
172.23.9.1
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.
Note: The /24 after the IP address refers to the full range of IP addresses. For example, 10.5.6.0/24
refers to IP address 10.5.6.0 with the netmask 255.255.255.0. The IKE Phase 1 parameters used in Scenario 1 are:
•Main mode
TripleDES
SHA-1
MODP group 2 (1024 bits)
pre-shared secret of "hr5xb84l6aa9r6"
SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying The IKE Phase 2 parameters used in Scenario 1 are:
TripleDES
SHA-1
ESP tunnel mode
MODP group 2 (1024 bits)
Perfect forward secrecy for rekeying
SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
Virtual Private Networking 7-19
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual

FVS328 Scenario 1: How to Configure the IKE and VPN Policies

Note: This scenario assumes all ports are open on the FVS328. You can verify this by reviewing the security settings as seen in the “Using Inbound/Outbound Rules to Block or Allow Services”
on page 6-6.
Use this scenario illustration and configuration screens as a model to build your configuration.
WAN I P
Scenario 1
Gateway B
WAN I P
FVS328
Gateway A
14.15.16.17 22.23.24.25
LAN IP
Figure 7-11: LAN to LAN VPN access from an FVS328 to an FVS328
1. Log in to the FVS328 labeled Gateway A as in the illustration.
Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of
admin and default password of password, or using whatever Password and LAN
address you have chosen for the firewall.
2. Configure the WAN (Internet) and LAN IP addresses of the FVS328.
a. From the main menu Setup section, click the Basic Settings link.
WAN IP
addresses
ISP provides
these addresses
172.23.9.1/2410.5.6.1/24 LAN IP
Figure 7-12: FVS328 Internet IP Address menu
7-20 Virtual Private Networking
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Select whether enable or disable NAT (Network Address Translation). NAT allows all
b.
LAN computers to gain Internet access via this Router, by sharing this Router's WAN IP address. In most situations, NAT is essential for Internet access via this Router. Y ou should only disable NAT if you are sure you do not require it. When NAT is disabled, only standard routing is performed by this Router.
c. Configure the WAN Internet Address according to the settings in Figure 7-11 above and
click Apply to save your settings. For more information on configuring the WAN IP settings in the Basic Setup topics, please see “Manually Configuring Your Internet
Connection” on page 3-14.
d. From the main menu Advanced section, click the LAN IP Setup link.
e. Configure the LAN IP address according to the settings in Figure 7-11 above and click
Apply to save your settings. For more information on LAN TCP/IP setup topics, please see “How to Configure LAN TCP/IP Setup Settings” on page 5-3.
Virtual Private Networking 7-21
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Note: After you click Apply to change the LAN IP address settings, your workstation will be disconnected from the FVS328. You will have to log on with http://10.5.6.1 which is now the address you use to connect to the built-in Web-based configuration manager of the FVS328.
3. Set up the IKE Policy illustrated below on the FVS328. a. From the main menu VPN section, click the IKE Policies link, and then click the Add
button to display the screen below.
Figure 7-13: Scenario 1 IKE Policy
b.
Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings. For more information on IKE Policy topics, please see “IKE
Policies’ Automatic Key and Authentication Management” on page 7-3.
7-22 Virtual Private Networking
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
4. Set up the FVS328 VPN -Auto Policy illustrated below.
a. From the main menu VPN section, click the VPN Policies link, and then click the Add
Auto Policy button.
Figure 7-14: Scenario 1 VPN - Auto Policy
b.
Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings. For more information on IKE Policy topics, please see “IKE
Policies’ Automatic Key and Authentication Management” on page 7-3.
Virtual Private Networking 7-23
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
5. After applying these changes, you will see a table entry like the one below.
Figure 7-15: VPN Policies table
Now all traffic from the range of LAN IP addresses specified on FVS328 A and FVS328 B will flow over a secure VPN tunnel.

How to Check VPN Connections

You can test connectivity and vie w VPN status information on the FVS328.
1. To test connectivity between the Gateway A FVS328 LAN and the Gateway B LAN, follow
these steps:
a. Using our example, from a computer attached to the FVS328 on LAN A, on a Windows
computer click the Start button on the taskbar and then click Run.
b. Type ping -t 172.23.9.1, and then click OK. c. This will cause a continuous ping to be sent to the LAN interface of Gateway B. After
between several seconds and two minutes, the ping response should change from “timed out” to “reply.”
d. At this point the connection is established.
7-24 Virtual Private Networking
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
T o test connectivity between the FVS328 Gateway A and Gateway B WAN ports, follow these
2.
steps:
a. Using our example, log in to the FVS328 on LAN A, go to the main menu Maintenance
section and click the Diagnostics link.
b. To test connectivity to the WAN port of Gateway B, enter 22.23.24.25, and then click
Ping.
c. This will cause a ping to be sent to the WAN interface of Gateway B. After between
several seconds and two minutes, the ping response should change from “timed out” to “reply.” You may have to run this test several times before you get the “reply” message back from the target FVS328.
d. At this point the connection is established.
Note: If you want to ping the FVS328 as a test of network connectivity, be sure the FVS328 is configured to respond to a ping on the Internet WAN port. However, to preserve a high degree of security, you should turn off this feature when you are finished with testing.
3. To view the FVS328 event log and status of Security Associations, follow these steps: a. Go to the FVS328 main menu VPN section and click the VPN Status link. b. The log screen will display a history of the VPN connections, and the IPSec SA and IKE
SA tables will report the status and data transmission statistics of the VPN tunnels for each policy.

FVS328 Scenario 2: Authenticating with RSA Certificates

The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure X.509 (PKIX) certificates for authentication. The network setup is identical to the one given in Scenario
1. The IKE Phase 1 and Phase 2 parameters are identical to the ones given in Scenario 1, with the
exception that the identification is done with signatures authenticated by PKIX certificates. Note: Before completing this configuration scenario, make sure the correct Time Zone is set on the
FVS328. For instructions on this topic, please see, “How to Set Your Time Zone” on page 6-14.
1. Obtain a root certificate.
a. Obtain the root certificate (which includes the CA’s public key) from a Certificate
Authority (CA).
Virtual Private Networking 7-25
May 2004, 202-10031-01
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Note: The procedure for obtaining certificates differs between a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates for providing certificates for its members. For example, an administrator of a Windows 2000 certificate server might provide it to you via e-mail.
b. Save the certificate as a text file called trust.txt.
2. Install the trusted CA certificate for the Trusted Root CA.
a. Log in to the FVS328. b. From the main menu VPN section, click the CAs link. c. Click Add to add a CA. d. Click Browse to locate the trust.txt file. e. Click Upload.
Figure 7-16: Certificate Authorities table
You will now see a screen such as the one above showing that the Certificate Authority is now registered with the FVS328.
3. Create a certificate request for the FVS328.
a. From the main menu VPN section, click the Certificates link.
7-26 Virtual Private Networking
May 2004, 202-10031-01
Loading...