Netgear FVS338 Reference Guide

ProSafe VPN Firewall 50 FVS338 Reference Manual

NETGEAR, Inc.

350 East Plumeria Drive San Jose, CA 95134

202-10046-09 v1.0 January 2010

Technical Support

Please refer to the support information card that shipped with your product. By registering your product at

http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of product

and software upgrades. NETGEAR, Inc. Support Information Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card. E-mail: support@netgear.com North American NETGEAR website: http://www.netgear.com

Trademarks

NETGEAR, the NETGEAR logo and ProSafe are trademarks and/or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT ar e registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.

NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruct ions, may cause harmf ul interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

• Consult the dealer or an experienced radio/TV technician for help.

EU Regulatory Compliance Statement

The ProSafe VPN Firewall 50 is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/ EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and EN60950-1.

v1.0, January 2010

Bestätigung des Herstellers/Importeurs

Es wird hiermit bestätigt, daß das ProSafe VPN Firewall 50 gemäß der im BMPT -AmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.

Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.

Certificate of the Manufacturer/Importer

It is hereby certified that the ProSafe VPN Firewall 50 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however , be subject to certain restricti ons. Plea se refer to the notes in the operating instructions.

Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.

Voluntary Control Council for Interference (VCCI) Statement

This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.

When used near a radio or TV receiver , it may become the cause of radio interference. Read instructions for correct handling.

Additional Copyrights

1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The copyright holder’s name must not be used to endorse or promote any products derived from this software without his specific prior written permission.

This software is provided “as is” with no express or implied warranties of correctness or fitness for purpose.

v1.0, January 2010

iii

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, contact openssl-core@openssl.org.

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS,” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD5 MessageDigest Algorithm” in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software.

http://www.openssl.org/).”

v1.0, January 2010

Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endor se or promote products derived from thi s software without specific prior written permission. THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Zlib zlib.h. Interface of the zlib general purpose compression library version 1.1.4, March 11th,

This software is provided “as is,” without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alu mni.caltech.edu. The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files format), and rfc1952.txt (gzip format).

ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate

Product and Publication Details

Model Number: FVS338 Publication Date: January 2010 Product Family: VPN firewall Product Name: ProSafe VPN Firewall 50 Home or Business Product: Business Language: English Publication Part Number: 202-10046-09 Publication Version Number 1.0

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

About This Manual

Conventions, Formats and Scope ...................................................................................xiii

How to Print This Manual ................................................................................................xiv

Revision History ..................... ... .......................................... ... ..........................................xiv

Chapter 1 Introduction

Key Features ..................................................................................................................1-1

Full Routing on Both the Broadband and Serial WAN Ports ....................................1-2

A Powerful, True Firewall with Content Filtering ......................................................1-2

Security ....................................................................................................................1-3

Autosensing Ethernet Connections with Auto Uplink ...............................................1-3

Extensive Protocol Support ......................................................................................1-3

Easy Installation and Management ..........................................................................1-4

Maintenance and Support ...................... ... ... ... ... .... ... ... ... .... ...... ... .... ... ... ... ... .... ... ... ..1-5

Package Contents ..........................................................................................................1-5

VPN Firewall Hardware Components .................................... .... ... ... ... .... ... ...... ... .... ... ... ..1-5

Front Panel ...............................................................................................................1-6

Rear Panel ...............................................................................................................1-7

Factory Default Login .....................................................................................................1-8

Chapter 2 Connecting the VPN Firewall to the Internet

Understanding the Connection Steps .............................................................................2-1

Logging in to the VPN Firewall .............................. ... .... ... ... ... .... .....................................2-2

Navigating the Menus .....................................................................................................2-3

Configuring your Internet Connection .............................................................................2-3

Manually Configuring Your Broadband Internet Connection ...........................................2-9

Configuring the WAN Mode ..........................................................................................2-11

Configuring Dynamic DNS (Optional) ...........................................................................2-14

v1.0, January 2010

vii

ProSafe VPN Firewall 50 FVS338 Reference Manual

Configuring Advanced WAN Options (Optional) ...........................................................2-16

Additional WAN Related Configuration ..................................................................2-18

Chapter 3 LAN Configuration

Choosing the VPN Firewall DHCP Options ....................................................................3-1

Configuring the LAN Setup Options ...............................................................................3-2

Managing Groups and Hosts ........................................... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ..3-6

Creating the Network Database ......... .......................................... ............................3-6

Viewing the Network Database ................................................................................3-7

Adding Devices to the Network Database ................................................................3-8

Changing Group Names in the LAN Groups Database ...........................................3-9

Setting Up DHCP Address Reservation ...................................................................3-9

Configuring Multi-Home LAN IPs Addresses ................................................................3-10

Configuring Static Routes .............................................................................................3-11

Static Route Example .............................................................................................3-13

Configuring Routing Information Protocol (RIP) ........................... ... ... .... ... ... ...... .... ... ...3-14

Chapter 4 Firewall Protection and Content Filtering

About Firewall Security and Content Filtering ................................................................4-1

Using Rules to Block or Allow Specific Kinds of Traffic ..................................................4-2

Services-Based Rules .. .......................................... ... .......................................... .....4-2

Viewing the Firewall Rules .......................................................................................4-7

Order of Precedence for Firewall Rules ...................................................................4-8

Setting the Default Outbound Policy ............................................ .... ... ... ... ... .... ... ... ..4-8

Creating a LAN WAN Outbound Services Rule .......................................................4-8

Creating a LAN WAN Inbound Services Rule ..........................................................4-9

Modifying Rules ......................................................................................................4-10

Inbound Rules Examples .......................................................................................4-11

Outbound Rules Example: Blocking Instant Messenger ........................................4-14

Configuring Other Firewall Features .............................................................................4-15

Attack Checks ................................. ... .... ... ... .......................................... ................4-15

Configuring Session Limits .....................................................................................4-17

Managing the Application Level Gateway for SIP Sessions ..................................4-19

Creating Services, QoS Profiles, and Bandwidth Profiles ............................................4-20

Adding Customized Services .................................................................................4-20

viii Contents

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

Specifying Quality of Service (QoS) Priorities ........................................ ... ... ....... ...4-22

Creating Bandwidth Profiles ...... ... ... ... ....................................................................4-23

Setting a Schedule to Block or Allow Specific Traffic ....................... ... .... ... ... ... ... ..........4-25

Blocking Internet Sites (Content Filtering) ....................................................................4-26

Configuring Source MAC Filtering ................................................................................4-29

Configuring IP/MAC Address Binding ...........................................................................4-31

Configuring Port Triggering ...........................................................................................4-33

E-Mail Notifications of Event Logs and Alerts ......................................... ......................4-36

Administrator Tips .........................................................................................................4-36

Chapter 5 Virtual Private Networking

Considerations for Dual WAN Port Systems ..................................................................5-1

Using the VPN Wizard for Client and Gateway Configurations ...................................... 5-2

Creating Gateway to Gateway VPN Tunnels with the Wizard .................................5-2

Creating a Client to Gateway VPN Tunnel ...............................................................5-6

Testing the Connections and Viewing Status Information ....................... ...................... 5-12

NETGEAR VPN Client Status and Log Information ............................................... 5-12

VPN Firewall VPN Connection Status and Logs .... ... ... ... .... ... ...... .... ... ... ... ... .... ... ...5-14

Managing VPN Policies ...... .......................................... ... .......................................... ...5-15

Configuring IKE Policies ............................... .......................................... ... .............5-16

Configuring VPN Policies .......................................................................................5-18

Managing Certificates ......................... ... ... .......................................... ..........................5-19

Viewing and Loading CA Certificates .....................................................................5-21

Viewing Active Self Certificates ..............................................................................5-22

Obtaining a Self Certificate from a Certificate Authority ......................... ... ... .... ...... 5-22

Managing your Certificate Revocation List (CRL) .. ... ... ..........................................5-25

Extended Authentication (XAUTH) Configuration ............................ ................... ..........5-26

Configuring XAUTH for VPN Clients ......................................................................5-27

User Database Configuration .... ... ... .......................................... .............................5-29

RADIUS Client Configuration .................................................................................5-30

Assigning IP Addresses to Remote Users (ModeConfig) .............................................5-32

ModeConfig Operation ...........................................................................................5-32

Configuring Mode Config Operation on the VPN Firewall ......................................5-33

Configuring the ProSafe VPN Client for ModeConfig ....................................... ......5-38

Configuring Keepalives and Dead Peer Detection .......................................................5-42

Contents ix

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

Configuring Keepalives ..........................................................................................5-42

Configuring Dead Peer Detection ..........................................................................5-43

Configuring NetBIOS Bridging with VPN ......................................................................5-44

Chapter 6 VPN Firewall and Network Management

Performance Management ................................................. ... .... ... ... ...............................6-1

Bandwidth Capacity . .... ... .......................................... ... .......................................... ..6-1

VPN Firewall Features That Reduce Traffic .............................................................6-2

VPN Firewall Features That Increase Traffic ...........................................................6-4

Using QoS to Shift the Traffic Mix ............................................................................6-7

Tools for Traffic Management ................................. ... ... ... .... ... ... ...............................6-7

Configuring Users, Administrative Settings, and Remote Management .........................6-7

Changing Passwords and Settings ..........................................................................6-8

Adding External Users ....... ... .... ... ... .......................................... ... ............................6-9

Configuring an External Server for Authentication ................. ................................6-10

Enabling Remote Management Access .................................................................6-14

Using an SNMP Manager ......................................................................................6-16

Managing the Configuration File ............................................................................6-18

Configuring Date and Time Service .......................................................................6-21

Monitoring System Performance .............................. .... ... ... ... .... ... ... ... .... ...... ... ... .... ... ...6-23

Activating Notification of Events and Alerts ............................................................6-23

Viewing the Logs ....................................................................................................6-26

Enabling the Traffic Meter ......................................................................................6-27

Viewing the Router Configuration and System Status ...........................................6-30

Monitoring VPN Firewall Statistics ............................ ... ... .... ...................................6-32

Monitoring WAN Ports Status ................. ... ... .......................................... ... .............6-33

Monitoring Attached Devices ....... ... ... .... ... .............................................................6-34

Monitoring VPN Tunnel Connection Status ............................... ... .... ... ... ... ....... ... ...6-35

Viewing the VPN Logs ...........................................................................................6-36

Viewing the DHCP Log ..........................................................................................6-37

Viewing Port Triggering Status ...............................................................................6-37

Chapter 7 Troubleshooting

Basic Functions ..............................................................................................................7-1

Power LED Not On ...................................................................................................7-2

x Contents

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

LEDs Never Turn Off ................................................................................................7-2

LAN or Internet Port LEDs Not On ............ .......................................... ... ..................7-2

Troubleshooting the Web Configuration Interface ..........................................................7-3

Troubleshooting the ISP Connection ..............................................................................7-4

Troubleshooting a TCP/IP Network Using a Ping Utility .................................................7-5

Testing the LAN Path to Your VPN Firewall .............................................................7-5

Testing the Path from Your PC to a Remote Device ................................................7-6

Restoring the Default Configuration and Password ............... .... ... ... ... .... ... ... ... ... ....... ... ..7-7

Problems with Date and Time .........................................................................................7-7

Performing Diagnostics ...................................... ... ... .... ... ... ... .........................................7-8

Appendix A Default Settings and Technical Specifications

Appendix B System Logs and Error Messages

System Log Messages .................................................................................................. B-1

System Startup ............................. ... ... .... ... .......................................... ... ................. B-1

Reboot ....................................... .......................................... ... ................................. B-2

NTP .................................... ................................................................. .................... B-2

Login/Logout ........................................................................................................... B-3

VPN Firewall Restart .......................................... .... .......................................... ....... B-3

IPSec Restart ........... .......................................... .... .......................................... ... .... B-4

WAN Status ..................... .......................................... ... .......................................... . B-4

Web Filtering and Content Filtering Logs ................................................................ B-7

Traffic Metering Logs ................................................................. ... .... ... ... ... ... ........... B-8

Unicast Logs ......... ... .... ... .......................................... ... .......................................... . B-8

FTP Logging ................................. .......................................... ... .............................. B-9

Invalid Packet Logging .......... .... ... .......................................... ............................... B-10

Routing Logs ............................................................................................................... B-12

LAN to WAN Logs ................................................................................................. B-13

WAN to LAN Logs ................................................................................................. B-13

Appendix C Two Factor Authentication

Why do I need Two-Factor Authentication? ...................................................................C-1

What are the benefits of Two-Factor Authentication? ............................................. C-1

What is Two-Factor Authentication ......................................................................... C-2

Contents xi

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

NETGEAR Two-Factor Authentication Solutions ....................................................... .... C-2

Appendix D Related Documents

Index

xii Contents

v1.0, January 2010

About This Manual

The NETGEAR® Pr oSafe™ VPN Firewall 50 FVS338 Reference Manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 50. The information in this manual is intended for readers with intermediate computer and Internet skills.

Conventions, Formats and Scope

The conventions, formats, and scope of this manual are described in the following paragraphs.

• Typographical Conventions. This manual uses the following typographical conventions.

Italics Emphasis, books, CDs, file and server names, extensions

Bold User input, IP addresses, GUI screen text

Fixed Command prompt, CLI text, code

italics URL links

• Formats. This manual uses the following formats to highlight special messages:

Note: This format is used to highlight information of importance or special interest.

Tip: This format is used to highlight a procedure that will save time or resources.

Warning: Ignoring this type of note may result in a malfunction or damage to the

equipment.

Danger: This is a safety warning. Failure to take heed of this notice may result in

personal injury or death.

v1.0, January 2010

xiii

ProSafe VPN Firewall 50 FVS338 Reference Manual

• Scope. This manual is written for the VPN firewall according to these specifications:

Product Version ProSafe VPN Firewall 50 Manual Publication Date January 2010

For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix D, “Related Documents.

”

Note: Updates to this product are available on the NETGEAR, Inc. website at

http://kb.netgear.com/app/home.

How to Print This Manual

T o print this manual, your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe websit e at

http://www.adobe.com.

Tip: If your printer supports printing two pages on a single sheet of paper, you can

save paper and printer ink by selecting this feature.

Revision History

Part Number

202-10046-02 1.0 Product update: New firmware and new user Interface 202-10046-03 1.0 Remove Trend Micro 202-10046-04 1.0 Updated features 202-10046-05 1.0 New features: IP/MAC Binding; Bandwidth Limits; Session Limits;

202-10046-05 1.1 Document corrections 202-10046-05 1.2 Document additions to Appendix B 202-10046-06 1.0 Maintenance release

xiv About This Manual

Version Number

Date Description

IKE Keep Alive; Dead Peer Detection; Oray support

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

202-10046-08 1.0 Adds these corrections and topics for the March 2009 firmware

maintenance release:

• WIKID 2 factor authentication

• SIP AGL support

• DHCP Relay support

• Update VPN configuration procedure topics

• Update the Certificate management topic

• Correct the firewall scheduling topic

202-10046-09 1.0 January

2010

Added the following new features for the January 2010 firmware maintenance release:

• Connection reset and delay options on the Broadband ISP Settings screen (see “Manually Configuring Your Broadband Internet

Connection”).

• Support for DNS 3322 in the Dynamic DNS submenu (see

“Configuring Dynamic DNS (Optional)”).

• Support for an address range for inbound LAN rules on the Add LAN WAN Inbound Service screen (see “Inbound Rules (Port

Forwarding)” and “Creating a LAN WAN Inbound Services Rule”).

• Support for new log options such as Resolved DNS Names and VPN on the Firewall Logs & E-mail screen (see “Activating

Notification of Events and Alerts”).

In addition, made the following substantial changes to the book:

• Provided new captures for almost all screens and resized the some existing screen captures for better viewing.

• Made global stylistic changes for consistency and clarity.

• Made minor revisions in Chapter 1, “Introduction.”

• Reorganized Chapter 2, “Connecting the VPN Firewall to the

Internet.” In addition:

* Revised all sections in this chapter. * Added the “Understanding the Connection Steps” section. * Added the “Navigating the Menus” section. * Added the “Additional WAN Related Configuration” section. * Moved the “Enabling the Traffic Meter” section to Chapter 6,

“VPN Firewall and Network Management.”

• Reorganized Chapter 3, “LAN Configuration,” In addition:

* Made major revision in the “Configuring the LAN Setup Options” section. * Revised all sections in this chapter.

About This Manual xv

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

202-10046-09 (continued)

1.0 January 2010

(continued)

• Reorganized Chapter 4, “Firewall Protection and Content Filtering.” In addition:

* Revised all sections in this chapter. * Added the “Configuring Other Firewall Features” section (which includes the new “Managing the Application Level Gateway for

SIP Sessions” subsection).

* Added the “Creating Services, QoS Profiles, and Bandwidth

Profiles” section.

• Reorganized Chapter 5, “Virtual Private Networking.” In addition:

* Made a major revision of the “Managing Certificates” section in this chapter. * Added the “Configuring Keepalives and Dead Peer Detection” section. * Added the “Configuring NetBIOS Bridging with VPN” section. * Made revisions in all other sections of this chapter.

• Reorganized Chapter 6, “VPN Firewall and Network Management.” In addition:

* Made major revisions in the “Configuring Users, Administrative

Settings, and Remote Management” section.

* Made major revisions in the “Monitoring System Performance” section. * Added the “Monitoring VPN Firewall Statistics” section. * Added the “Monitoring Attached Devices” section. * Included the “Enabling the Traffic Meter” section (moved from

Chapter 2, “Connecting the VPN Firewall to the Internet”).

* Moved the “Performing Diagnostics” section to Chapter 7,

“Troubleshooting.”

* Made revisions in all other sections of this chapter.

• Revised all sections in Chapter 7, “Troubleshooting” and included the “Performing Diagnostics” section (moved from Chapter 6, “VPN

Firewall and Network Management”).

xvi About This Manual

v1.0, January 2010

Chapter 1

Introduction

The ProSafe VPN Firewall 50 FVS338 integrates an 8-port switch that connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem.

The FVS338 is a complete security solution that protects your network from attacks and intrusions. For example, the FVS338 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support. The FVS338 supports multiple Web content filtering options, plus browsing activity reporting and instant alerts—both, via e-mail. Network administrators can establish restricted access policies based on time-of-day, Website addresses and address keywords, and share high-speed cable/DSL Internet access for a local network.

The FVS338 is a plug-and-play device that can be installed and configured within minutes. This chapter contains the following sections:

• “Key Features” on this page

• “Package Contents” on page 1-5

• “VPN Firewall Hardware Components” on page 1-5

• “Factory Default Login” on page 1-8

Key Features

The FVS338 provides the following features:

• One 10/100 Mbps port for an Ethernet connection to a broadband W AN device, such as a cable modem or DSL modem, and one serial port for a dial-up modem connection to the Internet through the public switched telephone network (PSTN).

• Dual WAN ports (one broadband and one serial) provide for increased system reliability.

• Support for up to 50 VPN tunnels.

• Support for up to 400 internal LAN users (and 50K connections ).

• Easy, web-based setup for installation and management.

• URL keyword content filtering and site blocking security.

1-1

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

• Quality of Service (QoS) support for traffic prioritization.

• Built in 8-port 10/100 Mbps switch.

• Extensive Protocol Support.

• Login capability.

• SNMP for manageability.

• Front panel LEDs for easy monitoring of status and activity.

• Flash memory for firmware upgrade.

Full Routing on Both the Broadband and Serial WAN Ports

You can install, configure, and operate the FVS338 to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including:

• Internet access via either the serial or broadband port.

• Auto rollover connectivity (fail-over) through an analog modem connected to the serial port If the broadband Internet connection fails, after waiting for an pre-specified amount of time the FVS338 can automatically establish a backup dial-up Internet connection via its serial port.

A Powerful, True Firewall with Content Filtering

Unlike simple Internet sharing NAT routers, the FVS338 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:

• DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.

• Blocks unwanted traffic from the Internet to your LAN.

• Blocks access from your LAN to Internet locations or services that you specify as off-limits.

• Logs security incidents. The FVS338 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the FVS338 to e-mail the log to you at specified intervals. You c an also configure the FVS338 to send immediate alert messages to your e-mail address or e-mail pager whenever a significant event occurs.

• With its URL keyword filtering feature, the FVS338 prevents objectionable content from reaching your PCs. The FVS338’s firewall allows you to control access to Internet content by screening for keywords within W eb addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.

1-2 Introduction

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

Security

The VPN firewall is equipped with several features designed to maintain security, as described in this section.

• PCs Hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN.

• Port Forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the FVS338 allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.

• Exposed Host (Software DMZ). Incoming traffic from the Internet is normally discarded by the FVS338 unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discardi ng this traffic, you can have it forwarded to one computer on your network.

Autosensing Ethernet Connections with Auto Uplink

With its internal 8-port 10/100 switch, the FVS338 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.

The firewall incorporates Auto Uplink whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.

technology. Each Ethernet port will automatically sense

Extensive Protocol Support

The FVS338 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol

• IP Address Sharing by NAT. The VPN firewall allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.

Introduction 1-3

(RIP).

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

• Automatic Configuration of Attached PCs by DHCP. The FVS338 dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.

• DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the FVS338 provides its own address as a DNS server to the attached PCs. The FVS338 obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.

• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.

Easy Installation and Management

You can install, configure, and operate the FVS338 within minutes after connecting it to the network. The following features simplify installation and management tasks:

• Browser-based management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.

• Smart Wizard. The FVS338 automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.

• VPN Wizard. The FVS338 includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.

• SNMP. The FVS338 supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.

• Diagnostic functions. The FVS338 incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.

• Remote management. The FVS338 allows you to securely login to the Web Management Interface from a remote location on the Internet. For additional security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.

1-4 Introduction

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

• Visual monitoring. The FVS338’s front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the FVS338:

• Flash memory for firmware upgrade.

• Technical support seven days a week, 24 hours a day, according to the terms identified in the Warranty and Support information card provided with your product.

Package Contents

The product package should contain the following items:

• FVS338 ProSafe VPN Firewall 50

•AC power adapter

• Category 5 Ethernet cable

• Resource CD, including: – Application Notes and other helpful information. – ProSafe VPN Client Software (one user license)

• Warranty and Support Information Card.

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair.

VPN Firewall Hardware Components

Following is a description of the front and rear panels of the FVS338, including instructions for installing the FVS338 using the rack mounting hardware.

Introduction 1-5

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

Local LEDs

Internet

LEDs

Modem

LED

Power

LED

Test LED

Front Panel

The FVS338 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.

Figure 1-1

The table below describes each item on the front panel and its operation.

Table 1-1. Object Descriptions

Object Activity Description

Power LED

Test LED

MDM LED

Internet LEDs

On (Green) Power is supplied to the FVS338. Off Power is not supplied to the FVS338. On (Amber) Test mode: The system is initializing or the initialization has failed. Blinking (Amber) Writing to Flash memory (during upgrading or resetting to defaults). Off The system has booted successfully. On (Green) The serial port has successfully connected to an ISP and received an

IP Address. Blinking (Green) Server data is being transmitted or received by the serial port. Off The serial port has no link.

Link/Act LED

On (Green) The WAN port has detected a link with a connected Ethernet device. Blinking (Green) Data is being transmitted or received by the WAN port. Off The WAN port has no link.

1-6 Introduction

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

Table 1-1. Object Descriptions (continued)

Object Activity Description

Internet LEDs

(continued)

Local LEDs

100 LED

On (Green) The WAN port is operating at 100 Mbps. Off The WAN port is operating at 10 Mbps.

Link/Act LED

On (Green) The LAN port has detected a link with a connected Ethernet device. Blinking (Green) Data is being transmitted or received by the LAN port. Off The LAN port has no link.

100 LED

On (Green) The LAN port is operating at 100 Mbps. Off The LAN port is operating at 10 Mbps.

Rear Panel

The rear panel of the FVS338 contains the On/Off switch and AC power connection.

Figure 1-2

Viewed from left to right, the rear panel contains the following elements:

• Modem port: serves as the WAN2 Internet (dial-up) port through the public switched telephone network (PSTN).

• Factory Defaults reset button.

• Local ports: 8-port RJ-45 10/100 Mbps Fast Ethernet Switch, N-way automatic speed negotiation, auto MDI/MDIX.

• Internet port: serves as the WAN1 Internet (broadband) port. One RJ-45 WAN port, N-way automatic speed negotiation, Auto MDI/MDIX.

•On/Off switch

• DC power in (12 VDC, 1.2A)

Introduction 1-7

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

LAN IP Address User Name Password

Factory Default Login

Check the label on the bottom of the FVS338’s enclosure if you forget the following factory default information:

• IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN

•User name: admin

• Password: password

To log in to the FVS338 once it is connected:

1. Go to http://192.168.1.1.

2. Enter admin for User Name and password for Password.

1-8 Introduction

Figure 1-3

Figure 1-4

v1.0, January 2010

Chapter 2

Connecting the VPN Firewall to the Internet

This section provides instructions for connecting the ProSafe VPN Firewall 50 FVS338, including these topics:

• “Understanding the Connection Steps” on this page

• “Logging in to the VPN Firewall” on page 2-2

• “Navigating the Menus” on page 2-3

• “Configuring your Internet Connection” on page 2-3

• “Manually Configuring Your Broadband Internet Connection” on page 2-9

• “Configuring the WAN Mode” on page 2-11

• “Configuring Dynamic DNS (Optional)” on page 2-14

• “Configuring Advanced WAN Options (Optional)” on page 2-16

Understanding the Connection Steps

Typically, six steps are required to complete the basic Internet connection of your VPN firewall.

1. Connect the firewall physically to your network. Connect the cables and restart your network according to the instructions in the installation guide. See the ProSafe VPN Firewall 50 FVS338 Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com.

2. Log in to the VPN Firewall. After logging in, you are ready to set up and configure your VPN firewall. You can also change your password and enable remote management at this time. See “Logging in to the VPN Firewall” on page 2-2.

3. Configure the Internet connections to your ISP(s). During this phase, you will connect to your ISPs. See “Configuring your Internet Connection” on page 2-3.

4. Configure the WAN mode (required for dial-up backup WAN operation). Select either NAT or classical routing, and select either single WAN mode or single WAN with dial-up backup WAN operation. See “Configuring the WAN Mode” on page 2-11.

v1.0, January 2010

2-1

ProSafe VPN Firewall 50 FVS338 Reference Manual

5. Configure dynamic DNS on the WAN ports (optional). If required, configure your fully qualified domain names during this phase. See “Configuring Dynamic DNS (Optional)” on

page 2-14.

6. Configure the WAN options (optional). Optionally, you can change the MAC address, the default MTU size, and the port speed. However, these are relatively advanced features and changing them is not usually required. See “Configuring Advanced WAN Options (Optional)”

on page 2-16.

Each of these tasks is detailed separately in this chapter. Setting up VPN tunnels is covered in

Chapter 5, “Virtual Private Networking.”

Logging in to the VPN Firewall

To connect to the VPN firewall, your computer needs to be configured to obtain an IP address automatically from the VPN firewall by DHCP. For instructions on how to configure your computer for DHCP, see the “Preparing Your Network” document that you can access from

Appendix D, “Related Documents.”

To log in to the VPN firewall:

1. Open an Internet Explorer or Firefox browser. In the browser window, enter http://192.168.1.1 in the address field. The FVS338 login screen will display.

Figure 2-1

2. Enter admin for the User Name and password for the Password, both in lower case letters. The VPN firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.

3. Click Login. The Web Configuration Manager appears, displaying the Router Status screen as the default screen.

2-2 Connecting the VPN Firewall to the Internet

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

Note: See “Enabling Remote Management Access” on page 6-14 for information on

remote management. If you enable remote management, change your password to a more secure one than the standard factory default (see “Changing

Passwords and Settings” on page 6-8).

Navigating the Menus

The Web Configuration Manager menus are organized in a layered structure of main categories and submenus:

• Main menu. The horizontal orange bar near the top of the page is the main menu, containing the primary configuration categories. Clicking on a primary category changes the contents of the submenu bar.

• Submenu. The horizontal grey bar immediately below the main menu is the submenu, containing subcategories of the currently selected primary category.

• Tab. Immediately below the submenu bar, at the top of the menu active window, are one or more tabs, further subdividing the currently selected subcategory if necessary.

• Option arrow . To the right of the tabs on some menus are one or more blue dots with an arrow in the center . Clicking an option arrow brings up either a popup window or an ad vanced option menu.

Tip: In the instructions in this guide, we may refer to a menu using the notation

primary | subcategory, such as Network Configuration | WAN Settings. In this example, Network is the selected primary category (in the main menu) and WAN Settings is the sele cted subcategory (in the submenu).

You can now proceed to the first configuration task, configuring the VPN firewall’s Internet connections.

Configuring your Internet Connection

You can configure both broadband ISP settings and dial-up ISP settings from the WAN Settings submenu.

Connecting the VPN Firewall to the Internet 2-3

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

Broadband ISP WAN Port Settings

To automatically configure the broadband ISP connection:

1. Select Network Configuration from the main menu and WAN Settings from the submenu. The Broadband ISP Settings screen will display.

Figure 2-2

2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support.

2-4 Connecting the VPN Firewall to the Internet

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the Table 2-1.

Table 2-1. Internet connection methods

Connection Method Data Required

PPPoE Login (Requires username and password). PPTP Login (Requires username and password, local IP address, and PPTP

server IP address). DHCP (Dynamic IP) No data is required. Fixed IP IP address and related data are supplied by your ISP.

3. Click Broadband Status at the top right of the screen to verify your broadband connection status. Click connect if a connection is not yet established.

Figure 2-3

If Auto Detect does not find a connection, you will be prompted to check the physical connection between your VPN firewall and the DSL line or to check your VPN firewall’s MAC address (see “Configuring Advanced WAN Options (Optional)” on page 2-16).

4. As an optional step, set up the traffic meter for the broadband connection (see “Configuring

the WAN Mode” on page 2-11).

Note: At this point in the configuration process, you are now connected to the Internet

through the broadband Ethernet WAN. As an option, you can continue with the configuration of the dial-up ISP serial WAN interface.

Connecting the VPN Firewall to the Internet 2-5

v1.0, January 2010

ProSafe VPN Firewall 50 FVS338 Reference Manual

Dial-up ISP Serial WAN port Settings

The Dialup Settings screen will assist you in setting up the VPN firewall to access the Internet connection using a dial-up modem. Since the Dialup ISP Settings must be configured manually, you will need all of your ISP settings information before you begin.

To configure the dial-up ISP connection:

1. Select Network Configuration from the main menu and WAN Settings from the submenu.

2. Click the Dialup ISP Settings tab to display the Dialup Settings screen.

Figure 2-4

2-6 Connecting the VPN Firewall to the Internet

v1.0, January 2010

+ 188 hidden pages