Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to
part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a
residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and
used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to
radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try
to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
FCC Caution
1. FCC RF Radiation Exposure Statement: The equipment complies with FCC RF radiation exposure limits set forth
for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20
centimeters between the radiator and your body.
2. This Transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
3. Changes or modifications to this unit not expressly approved by the party responsible for compliance could void the
user authority to operate the equipment.
EN 55 022 Declaration of Conformance
This is to certify that the ProSafe Dual Band Wireless VPN Firewall FWAG114 is shielded against the generation of
radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is
declared by the application of EN 55 022 Class B (CISPR 22).
Manufacturer's/Importer's Confirmation
It is hereby confirmed that the ProSafe Dual Band Wireless VPN Firewall FWAG114 has been suppressed against radio
interference in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation
of some equipment (e.g. test transmitters) may, however, be subject to certain restrictions. Please refer to the
notes in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified that this equipment has been placed on the
market and is entitled to test the series for compliance with the regulations.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe Dual Band Wireless VPN Firewall FWAG114 has been suppressed in accordance
with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for
example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please
refer to the notes in the operating instructions.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area
thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing
Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver, it may become the cause of radio interference.
Chapter 1
About This Manual
Congratulations on your purchase of the NETGEAR® ProSafe Dual Band Wireless VPN Firewall
FWAG114. The FWAG114 wireless firewall provides connection for multiple personal computers
(PCs) to the Internet through an external broadband access device (such as a cable modem or DSL
modem) that is normally intended for use by a single PC.
Audience
This reference manual assumes that the reader has basic to intermediate computer and Internet
skills. However, tutorial information on basic computer networking, Internet, firewall, and VPN
technologies is provided in the appendices and on the NETGEAR website.
Typographical Conventions
This guide uses the following typographical conventions:
Table 1. Typographical conventions
italics             Emphasis.
bold times roman    User input.
[Enter]             Named keys in text are shown enclosed in square brackets. The notation [Enter]
                    is used for the Enter key and the Return key.
SMALL CAPS          DOS file and directory names.
Special Message Formats
This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114
Features of the HTML Version of this Manual
The HTML version of this manual includes these features.
Figure Preface-2: HTML version of this manual
1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs.
To view the HTML version of the manual, you must have a version 4 or later browser with
Java or JavaScript enabled. To use the Favorites feature, your browser must be set to accept
cookies. You can record a list of favorite pages in the manual for easy later retrieval.
2. Toolbar buttons. Use the toolbar buttons across the top to navigate, print pages, and more.
– The Show in Contents button locates the currently displayed topic in the Contents tab.
– Previous/Next buttons display the topic that precedes or follows the current topic.
– The PDF button links to a PDF version of the full manual.
– The E-mail button enables you to send feedback by e-mail to Netgear support.
– The Print button prints the currently displayed topic. Using this button when a
step-by-step procedure is displayed will send the entire procedure to your printer; you do
not have to worry about specifying the correct range of pages.
– The Bookmark button bookmarks the currently displayed page in your browser.
3. Right pane. Use the right pane to view the contents of the manual. Also, each page of the
manual includes a “PDF of This Chapter” link at the top right which links to a PDF file
containing just the currently selected chapter of the manual.
Chapter 2
Introduction
This chapter describes the features of the NETGEAR ProSafe Dual Band Wireless VPN Firewall
FWAG114.
Key Features of the VPN Firewall
The ProSafe Dual Band Wireless VPN Firewall FWAG114 with 4-port switch connects your local
area network (LAN) to the Internet through an external access device such as a cable modem or
DSL modem.
The FWAG114 is a complete security solution that protects your network from attacks and
intrusions. Unlike simple Internet sharing routers that rely on Network Address Translation (NAT)
for security, the FWAG114 uses Stateful Packet Inspection for Denial of Service (DoS) attack
protection and intrusion detection. The FWAG114 allows Internet access for up to 253
users. The FWAG114 wireless firewall provides you with multiple Web content filtering options,
plus browsing activity reporting and instant alerts, both via e-mail. Parents and network
administrators can establish restricted access policies based on time-of-day, Website addresses and
address keywords, and share high-speed cable/DSL Internet access for up to 253 personal
computers. In addition to NAT, the built-in firewall protects you from hackers.
With minimum setup, you can install and use the router within minutes.
The FWAG114 wireless firewall provides the following features:
• 802.11g and 802.11b standards-based wireless networking.
• Easy, web-based setup for installation and management.
• Content Filtering and Site Blocking Security.
• Built in 4-port 10/100 Mbps Switch.
• Ethernet connection to a WAN device, such as a cable modem or DSL modem.
• Extensive Protocol Support.
• Login capability.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
802.11g and 802.11b Wireless Networking
The FWAG114 wireless firewall includes an 802.11b-compliant wireless access point, providing
continuous, high-speed 11 Mbps access between your wireless and Ethernet devices. The access
point provides:
• 802.11b Standards-based wireless networking at up to 11 Mbps.
• 802.11g wireless networking at up to 54 Mbps, which will conform to the 802.11g standard
when ratified.
• 64-bit and 128-bit WEP encryption security.
• WEP keys can be generated manually or by passphrase.
• Wireless access can be restricted by MAC address.
• Wireless network name broadcast can be turned off so that only devices that have the network
name (SSID) can connect.
A Powerful, True Firewall with Content Filtering
Unlike simple Internet sharing NAT routers, the FWAG114 is a true firewall, using stateful packet
inspection to defend against hacker attacks. Its firewall features include:
• DoS protection.
Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND
Attack, and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations or services that you specify as off-limits.
• Logs security incidents.
The FWAG114 will log security events such as blocked incoming traffic, port scans, attacks,
and administrator logins. You can configure the router to email the log to you at specified
intervals. You can also configure the router to send immediate alert messages to your email
address or email pager whenever a significant event occurs.
• With its content filtering feature, the FWAG114 prevents objectionable content from reaching
your PCs. The router allows you to control access to Internet content by screening for
keywords within Web addresses. You can configure the router to log and report attempts to
access objectionable Internet sites.
Security
The FWAG114 wireless firewall is equipped with several features designed to maintain security, as
described in this section.
• PCs Hidden by NAT
NAT opens a temporary path to the Internet for requests originating from the local network.
Requests originating from outside the LAN are discarded, preventing users outside the LAN
from finding and directly accessing the PCs on the LAN.
• Port Forwarding with NAT
Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the
router allows you to direct incoming traffic to specific PCs based on the service port number
of the incoming request, or to one designated “DMZ” host computer. You can specify
forwarding of single ports or ranges of ports.
Autosensing Ethernet Connections with Auto Uplink
With its internal 8-port 10/100 switch, the FWAG114 can connect to either a 10 Mbps standard
Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are
autosensing and capable of full-duplex or half-duplex operation.
The router incorporates Auto Uplink™ technology. Each Ethernet port will automatically sense
whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a
PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the
correct configuration. This feature also eliminates the need to worry about crossover cables, as
Auto Uplink will accommodate either type of cable to make the right connection.
Extensive Protocol Support
The FWAG114 wireless firewall supports the Transmission Control Protocol/Internet Protocol
(TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to
Appendix B, “Network, Routing, Firewall, and Basics.”
• IP Address Sharing by NAT
The FWAG114 wireless firewall allows several networked PCs to share an Internet account
using only a single IP address, which may be statically or dynamically assigned by your
Internet service provider (ISP). This technique, known as NAT, allows the use of an
inexpensive single-user ISP account.
• Automatic Configuration of Attached PCs by DHCP
The FWAG114 wireless firewall dynamically assigns network configuration information,
including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN
using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies
configuration of PCs on your local network.
• DNS Proxy
When DHCP is enabled and no DNS addresses are specified, the router provides its own
address as a DNS server to the attached PCs. The router obtains actual DNS addresses from
the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE)
PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by
simulating a dial-up connection. This feature eliminates the need to run a login program such
as Entersys or WinPOET on your PC.
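The NAT behaviour the Security and Protocol Support sections describe (outbound requests open a temporary path, unsolicited inbound traffic is discarded, port forwarding or a designated DMZ host re-exposes chosen PCs) can be modelled in a few dozen lines. The code below is an added illustration written for this edit, not NETGEAR firmware or code from the manual; the class and method names, the lack of a session timeout, and the 192.168.0.x, 203.0.113.x and 198.51.100.x addresses are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IPv4 TCP/UDP header: only the fields NAT rewrites."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatFirewall:
    """Toy model of the NAT plus port-forwarding behaviour the manual describes.
    Hypothetical class; it does not model session timeouts or stateful inspection
    of TCP flags, only the address/port bookkeeping."""

    def __init__(self, wan_ip: str, first_wan_port: int = 40000) -> None:
        self.wan_ip = wan_ip
        self._next_port = first_wan_port
        # Dynamic translations created by LAN-initiated traffic:
        # (wan_port, proto) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.sessions: Dict[Tuple[int, str], Tuple[str, int, str, int]] = {}
        # Reverse index so later packets of the same flow reuse their WAN port.
        self._by_flow: Dict[Tuple[str, int, str, int, str], int] = {}
        # Static forwarding rules: (wan_port, proto) -> (lan_ip, lan_port)
        self.forwards: Dict[Tuple[int, str], Tuple[str, int]] = {}
        self.dmz_host: Optional[str] = None
        self.log: List[str] = []

    def add_port_forward(self, first: int, last: int, lan_ip: str,
                         proto: str = "tcp") -> None:
        """Forward a single port (first == last) or a port range to one LAN host."""
        for wan_port in range(first, last + 1):
            self.forwards[(wan_port, proto)] = (lan_ip, wan_port)

    def set_dmz_host(self, lan_ip: Optional[str]) -> None:
        """Designate the host that receives all otherwise unmatched inbound traffic."""
        self.dmz_host = lan_ip

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the shared WAN address and record
        the mapping so that the reply can be routed back to the originating PC."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        wan_port = self._by_flow.get(flow)
        if wan_port is None:
            wan_port = self._next_port
            self._next_port += 1
            self._by_flow[flow] = wan_port
            self.sessions[(wan_port, pkt.proto)] = (
                pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.log.append(f"open {pkt.src_ip}:{pkt.src_port} -> "
                            f"{pkt.dst_ip}:{pkt.dst_port} as {self.wan_ip}:{wan_port}")
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only replies to open sessions, forwarded ports
        or DMZ traffic; everything else is discarded and logged."""
        if pkt.dst_ip != self.wan_ip:
            self.log.append(f"drop {pkt.src_ip}:{pkt.src_port}: not addressed to WAN IP")
            return None
        key = (pkt.dst_port, pkt.proto)
        session = self.sessions.get(key)
        if session is not None:
            lan_ip, lan_port, remote_ip, remote_port = session
            # The reply must come from the peer the LAN host contacted, so a third
            # party cannot reach the PC through someone else's open mapping.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
            self.log.append(f"drop {pkt.src_ip}:{pkt.src_port}: not the session peer")
            return None
        if key in self.forwards:
            lan_ip, lan_port = self.forwards[key]
            self.log.append(f"forward port {pkt.dst_port}/{pkt.proto} to {lan_ip}:{lan_port}")
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        if self.dmz_host is not None:
            self.log.append(f"dmz: port {pkt.dst_port}/{pkt.proto} to {self.dmz_host}")
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port, pkt.proto)
        self.log.append(f"drop {pkt.src_ip}:{pkt.src_port} -> port {pkt.dst_port}: unsolicited")
        return None


def demo() -> List[str]:
    """Walk through the three cases with constructed (documentation-range) addresses."""
    fw = NatFirewall("203.0.113.5")                                 # constructed WAN address
    fw.outbound(Packet("192.168.0.10", 51000, "198.51.100.7", 80))  # LAN PC opens a web session
    fw.inbound(Packet("198.51.100.7", 80, "203.0.113.5", 40000))    # reply: delivered to the PC
    fw.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 22))     # unsolicited: dropped
    fw.add_port_forward(80, 80, "192.168.0.20")                     # expose one web server
    fw.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 80))     # forwarded to that PC
    return fw.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```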
Easy Installation and Management
You can install, configure, and operate the ProSafe Dual Band Wireless VPN Firewall FWAG114
within minutes after connecting it to the network. The following features simplify installation and
management tasks:
• Browser-based management
Browser-based configuration allows you to easily configure your router from almost any type
of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is
provided and online help documentation is built into the browser-based Web Management
Interface.
• Smart Wizard
The FWAG114 wireless firewall automatically senses the type of Internet connection, asking
you only for the information required for your type of ISP account.
• Diagnostic functions
The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote
reboot.
• Remote management
The firewall allows you to login to the Web Management Interface from a remote location on
the Internet. For security, you can limit remote management access to a specified remote IP
address or range of addresses, and you can choose a nonstandard port number.
• Visual monitoring
The FWAG114 wireless firewall’s front panel LEDs provide an easy way to monitor its status
and activity.
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the FWAG114 wireless
firewall:
• Flash memory for firmware upgrade
• Free technical support seven days a week, twenty-four hours a day
Package Contents
The product package should contain the following items:
• ProSafe Dual Band Wireless VPN Firewall FWAG114.
• AC power adapter.
• Category 5 (Cat 5) Ethernet cable.
• Resource CD for ProSafe Dual Band Wireless VPN Firewall, including:
— This guide.
— Application Notes and other helpful information.
• Registration and Warranty Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the
carton, including the original packing materials, in case you need to return the router for repair.
The FWAG114’s Front Panel
The front panel of the FWAG114 wireless firewall contains the status LEDs described below.
Figure 2-1: FWAG114 Front Panel (panel labels, left to right: PWR, TEST, Broadband 100 and LINK/ACT, LAN ports 1 to 4 with 100 and LINK/ACT, 802.11a, 802.11g, MODEL FWAG114)
You can use some of the LEDs to verify connections. Viewed from left to right, Table 2-1
describes the LEDs on the front panel of the router. These LEDs are green when lit.
Table 2-1. LED Descriptions
Label                       Activity    Description
POWER                       On          Power is supplied to the firewall.
TEST                        On          The system is initializing.
                            Off         The system is ready and running.
INTERNET
  100 (100 Mbps)            On          The Internet (WAN) port is operating at 100 Mbps.
                            Off         The Internet (WAN) port is operating at 10 Mbps.
  LINK/ACT (Link/Activity)  On          The Internet port has detected a link with an attached device.
                            Blinking    Data is being transmitted or received by the Internet port.
LOCAL
  100 (100 Mbps)            On          The Local port is operating at 100 Mbps.
                            Off         The Local port is operating at 10 Mbps.
  LINK/ACT (Link/Activity)  On          The Local port has detected a link with an attached device.
                            Blinking    Data is being transmitted or received by the Local port.
WLAN                        On          The Wireless (WLAN) port is operating.
The FWAG114’s Rear Panel
The rear panel of the FWAG114 wireless firewall contains the port connections listed below.
Figure 1-2: FWAG114 Rear Panel (labels: 12VDC 1.2A power input, Internet port, Reset button, LAN ports 4 3 2 1)
Viewed from left to right, the rear panel contains the following features:
• Wireless antenna
• AC power adapter outlet
• Factory Default Reset push button
• Internet (WAN) Ethernet port for connecting the router to a cable or DSL modem
• Four LAN Ethernet ports
• Wireless antenna
Chapter 3
Connecting the FWAG114 to the Internet
This chapter describes how to set up the router on your local area network (LAN) and connect to
the Internet. You find out how to configure your ProSafe Dual Band Wireless VPN Firewall
FWAG114 for Internet access using the Setup Wizard, or how to manually configure your Internet
connection.
What You Will Need Before You Begin
You need to prepare these three things before you begin:
1. Have active Internet service such as that provided by a cable or DSL broadband account.
2. Locate the Internet Service Provider (ISP) configuration information for your DSL account.
3. Connect the router to a cable or DSL modem and a computer as explained below.
Cabling and Computer Hardware Requirements
To use the FWAG114 wireless firewall on your network, each computer must have an installed
Ethernet Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your
network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your
router.
Computer Network Configuration Requirements
The FWAG114 includes a built-in Web Configuration Manager. To access the configuration menus
on the FWAG114, you must use a Java-enabled web browser program which supports HTTP
uploads such as Microsoft Internet Explorer or Netscape Navigator. NETGEAR recommends
using Internet Explorer or Netscape Navigator 4.0 or above. Free browser programs are readily
available for Windows, Macintosh, or UNIX/Linux.
For the initial connection to the Internet and configuration of your router, you will need to connect
a computer to the router which is set to automatically get its TCP/IP configuration from the router
via DHCP.
Note: For help with DHCP configuration, please refer to Appendix C, “Preparing Your Network.”
The cable or DSL modem broadband access device must provide a standard 10 Mbps (10BASE-T)
Ethernet interface.
Internet Configuration Requirements
Depending on how your ISP set up your Internet account, you will need one or more of these
configuration parameters to connect your router to the Internet:
• Host and Domain Names
• ISP Login Name and Password
• ISP Domain Name Server (DNS) Addresses
• Fixed IP Address which is also known as Static IP Address
Where Do I Get the Internet Configuration Parameters?
There are several ways you can gather the required Internet connection information.
• Your ISP provides all the information needed to connect to the Internet. If you cannot locate
this information, you can ask your ISP to provide it or you can try one of the options below.
• If you have a computer already connected using the active Internet access account, you can
gather the configuration information from that computer.
— For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the
Ethernet adapter, and click Properties. Record all the settings for each tab page.
— For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry
for the Ethernet adapter, and click Properties. Record all the settings for each tab page.
— For Macintosh computers, open the TCP/IP or Network control panel. Record all the
settings for each section.
• You may also refer to the FWAG114 Resource CD for the NETGEAR Router ISP Guide which
provides Internet connection information for many ISPs.
Once you locate your Internet configuration parameters, you may want to record them on the page
below.
Record Your Internet Connection Information
Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).
ISP Login Name: The login name and password are case sensitive and must be entered exactly as
given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs
use your full e-mail address as the login name. The Service Name is not required by all ISPs. If
you connect using a login name and password, then fill in the following:
Login Name: ______________________________
Password: ____________________________
Service Name: _____________________________
Fixed or Static IP Address: If you have a static IP address, record the following information. For
example, 169.254.141.148 could be a valid IP address.
Connecting the ProSafe Dual Band Wireless VPN Firewall FWAG114 to Your LAN
This section provides instructions for connecting the FWAG114 wireless firewall. Also, the
Resource CD for ProSafe Dual Band Wireless VPN Firewall included with your router contains an
animated Installation Assistant to help you through this procedure.
Procedure: Connecting the VPN Firewall
There are three steps to connecting your router:
1. Connect the router to your network
2. Log in to the router
3. Connect to the Internet
Follow the steps below to connect your router to your network. You can also refer to the Resource
CD included with your router which contains an animated Installation Assistant to help you
through this procedure.
1. Connect the VPN firewall to your network.
a. Turn off your computer and cable or DSL modem.
b. Disconnect the Ethernet cable (A) from your computer which connects to your cable or
DSL modem.
Figure 3-1: Disconnect the cable or DSL Modem
c. Connect the Ethernet cable from your cable or DSL modem to the Internet port (A) on the
FWAG114.
Figure 3-2: Connect the cable or DSL Modem to the router
d. Connect the Ethernet cable which came with the router from a Local port on the router (B)
to your computer.
Figure 3-3: Connect the computers on your network to the router
Note: The FWAG114 wireless firewall incorporates Auto Uplink™ technology. Each
LOCAL Ethernet port will automatically sense if the cable should have a normal
connection or an uplink connection. This feature eliminates the need to worry about
crossover cables because Auto Uplink will make the right connection with either type of cable.
e. Now, turn on your computer. If software usually logs you in to your Internet connection,
do not run that software or cancel it if it starts automatically.
f. Verify the following:
• When you turn the router on, the power light goes on.
• The router’s local lights are lit for any computers that are connected to it.
• The router’s Internet light is lit, indicating a link has been established to the cable or
DSL modem.
Note: For wireless placement and range guidelines, and wireless configuration
instructions, please see Chapter 4, “Wireless Configuration.”
2. Log in to the VPN firewall.
Note: To connect to the router, your computer needs to be configured to obtain an IP address
automatically via DHCP. If you need instructions on how to do this, please refer to
Appendix C, “Preparing Your Network.”
a. Connect to the router by typing http://192.168.0.1 in the address field of Internet Explorer
or Netscape® Navigator.
Figure 3-4: Log in to the router
b. For security reasons, the router has its own user name and password. When prompted,
enter admin for the router user name and password for the router password, both in lower
case letters. The router user name and password are not the same as any user name or
password you may use to log in to your Internet connection.
A login window shown below opens:
Figure 3-5: Login window
3. Connect to the Internet
Figure 3-6: Setup Wizard
a. You are now connected to the router. If you do not see the menu above, click the Setup
Wizard link on the upper left of the main menu.
b. Click Next and follow the steps in the Setup Wizard for inputting the configuration
parameters from your ISP to connect to the Internet.
Note: If you choose not to use the Setup Wizard, you can manually configure your
Internet connection settings by following the procedure “Manually Configuring Your
Internet Connection” on page 3-12.
Unless your ISP assigns your configuration automatically via DHCP, you
will need the configuration parameters from your ISP as you recorded them previously in
“Record Your Internet Connection Information” on page 3-3.
c.When the router successfully detects an active Internet service, the router’s Internet LED
goes on. The Setup Wizard reports which connection type it discovered, and displays the
appropriate configuration menu. If the Setup Wizard finds no connection, you will be
prompted to check the physical connection between your router and the cable or DSL line.
d. The Setup Wizard will report the type of connection it finds. The options are:
• Connections which require a login using protocols such as PPPoE, DHCP, or Static IP
broadband connections.
• Connections which use dynamic IP address assignment.
• Connections which use fixed IP address assignment.
The procedures for filling in the configuration menu for each type of connection follow
below.
PPPoE Wizard-Detected Option
If the Setup Wizard discovers that your ISP uses PPPoE, you will see this menu:
Figure 3-7: Setup Wizard menu for PPPoE accounts
• Enter the Account Name, Domain Name, Login, and Password as provided by your ISP. These
fields are case sensitive. The router will try to discover the domain automatically if you leave
the Domain Name blank. Otherwise, you may need to enter it manually.
• To change the login timeout, enter a new value in minutes. This determines how long the
router keeps the Internet connection active after there is no Internet activity from the LAN.
Entering a timeout value of zero means never log out.
Note: You no longer need to run the ISP’s login program on your PC in order to access the
Internet. When you start an Internet application, your router will automatically log you in.
• If you know that your ISP does not automatically transmit DNS addresses to the router during
login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS
Server. If a Secondary DNS Server address is available, enter it also.
Note: If you enter DNS addresses, restart your computers so that these settings take effect.
• If your ISP requires a specific MAC address for the connection, you may need to fill in a MAC
address. Usually, it is not necessary to change the MAC address setting.
• Click Apply to save your settings.
• Click Test to verify that your Internet connection works. If the NETGEAR website does not
appear within one minute, refer to Chapter 9, “Troubleshooting.”
Dynamic IP Wizard-Detected Option
If the Setup Wizard discovers that your ISP uses Dynamic IP assignment, you will see this menu:
Figure 3-8: Setup Wizard menu for Dynamic IP address accounts
• Enter your Account Name (may also be called Host Name) and Domain Name. These
parameters may be necessary to access your ISP’s services such as mail or news servers. If you
leave the Domain Name field blank, the router will try to discover the domain. Otherwise, you may
need to enter it manually.
• If you know that your ISP does not automatically transmit DNS addresses to the router during
login, select Use these DNS servers and enter the IP address of your ISP’s Primary DNS
Server. If a Secondary DNS Server address is available, enter it also.
Note: If you enter DNS addresses, restart your computers so that these settings take effect.
• If your ISP requires a specific MAC address for the connection, you may need to fill in a MAC
address. Usually, it is not necessary to change the MAC address setting.
• Click Apply to save your settings.
• Click Test to test your Internet connection. If the NETGEAR website does not appear within
one minute, refer to Chapter 9, “Troubleshooting.”
Fixed IP Account Wizard-Detected Option
If the Setup Wizard discovers that your ISP uses Fixed IP assignment, you will see this menu:
Figure 3-9: Setup Wizard menu for Fixed IP address accounts
• Fixed IP is also called Static IP. Enter your assigned IP Address, Subnet Mask, and the IP
Address of your ISP’s gateway router. This information should have been provided to you by
your ISP. You will need the configuration parameters from your ISP you recorded in
“Record Your Internet Connection Information” on page 3-3.
• Enter the IP address of your ISP’s Primary and Secondary DNS Server addresses.
Note: Restart the computers on your network so that these settings take effect.
• If your ISP requires a specific MAC address for the connection, you may need to fill in a MAC
address. Usually, it is not necessary to change the MAC address setting.
• Click Apply to save the settings.
• Click Test to test your Internet connection. If the NETGEAR website does not appear within
one minute, refer to Chapter 9, “Troubleshooting.”
Manually Configuring Your Internet Connection
You can manually configure your router using the menu below, or you can allow the Setup Wizard
to determine your configuration as described in the previous section.
Procedure: Configuring the Internet Connection Manually
You can manually configure the router using the Basic Settings menu shown in Figure 3-10 using
these steps:
1.Click the Basic Settings link on the Setup menu.
2.If your Internet connection does not require a login, click No at the top of the Basic Settings
menu and fill in the settings according to the instructions below. If your Internet connection
does require a login, click Yes, and skip to step 3.
a.Enter your Account Name (may also be called Host Name) and Domain Name.
These parameters may be necessary to access your ISP’s services such as mail or news
servers.
b.Internet IP Address:
If your ISP has assigned you a permanent, fixed (static) IP address for your PC, select
“Use static IP address”. Enter the IP address that your ISP assigned. Also enter the
netmask and the Gateway IP address. The Gateway is the ISP’s router to which your router
will connect.
c.Domain Name Server (DNS) Address:
If you know that your ISP does not automatically transmit DNS addresses to the router
during login, select “Use these DNS servers” and enter the IP address of your ISP’s
Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
Note: If you enter an address here, restart the computers on your network so that these
settings take effect.
d.Gateway’s MAC Address:
This section determines the Ethernet MAC address that will be used by the router on the
Internet port. Some ISPs will register the Ethernet MAC address of the network interface
card in your PC when your account is first opened. They will then only accept traffic from
the MAC address of that PC. This feature allows your router to masquerade as that PC by
“cloning” its MAC address.
To change the MAC address, select “Use this Computer’s MAC address.” The router will
then capture and use the MAC address of the PC that you are now using. You must be
using the one PC that is allowed by the ISP. Or, select “Use this MAC address” and enter
it.
e.Click Apply to save your settings.
3.If your Internet connection does require a login, fill in the settings according to the instructions
below.
Note: After you finish setting up your router, you will no longer need to launch the ISP’s login
program on your PC in order to access the Internet. When you start an Internet application,
your router will automatically log you in.
a.Select your Internet service provider from the drop-down list.
b.The screen will change according to the settings requirements of the ISP you select.
c.Fill in the parameters for your ISP according to the Wizard-detected procedures starting on
page 3-8.
d.Click Apply to save your settings.
Chapter 4
Wireless Configuration
This chapter describes how to configure the wireless features of your FWAG114 wireless firewall.
Observe Performance, Placement, and Range Guidelines
In planning your wireless network, you should consider the level of security required. You should
also select the physical placement of your FWAG114 in order to maximize the network speed. For
further information on wireless networking, refer to Appendix D, “Wireless Networking
Basics.”
The operating distance or range of your wireless connection can vary significantly based on the
physical placement of the FWAG114 wireless firewall. The latency, data throughput performance,
and notebook power consumption also vary depending on your configuration choices.
Note: Failure to follow these guidelines can result in significant performance
degradation or inability to wirelessly connect to the VPN firewall. For complete range
and performance specifications, please see Appendix A, “Technical Specifications.”
For best results, place your VPN firewall:
•Near the center of the area in which your PCs will operate.
•In an elevated location such as a high shelf where the wirelessly connected PCs have
line-of-sight access (even if through walls). The best location is elevated, such as wall
mounted or on the top of a cubicle, and at the center of your wireless coverage area for all the
mobile devices.
•Away from sources of interference, such as PCs, microwaves, and 2.4 GHz cordless phones.
The 802.11a standard operates at a higher frequency and should be less susceptible to
interference from cordless phones. This higher 802.11a frequency may not offer as much
range as the lower frequency 802.11b/g in an indoor environment with lots of obstructions.
•Away from large metal surfaces.
Be aware that the time it takes to establish a wireless connection can vary depending on both your
security settings and placement. WEP connections can take slightly longer to establish. Also, WEP
encryption can consume more battery power on a notebook PC.
Implement Appropriate Wireless Security
Note: Indoors, computers can connect over 802.11 wireless networks at ranges of 300
feet or more. Such distances can allow for others outside of your immediate area to
access your network.
Unlike wired network data, your wireless data transmissions can extend beyond your walls and
can be received by anyone with a compatible adapter. For this reason, use the security features of
your wireless equipment. The FWAG114 wireless firewall provides highly effective security
features which are covered in detail in this chapter. Deploy the security features appropriate to
your needs.
Figure 4-1: FWAG114 wireless data security options. The figure shows the FWAG114 and its
wireless range (up to 300 feet) with three security options: 1) Open System: easy but no security;
2) MAC Access List: no data security; 3) WEP: security but some performance impact.
There are several ways you can enhance the security of your wireless network.
•Restrict Access Based on MAC Address. You can allow only trusted PCs to connect so that
unknown PCs cannot wirelessly connect to the FWAG114. Restricting access by MAC address
adds an obstacle against unwanted access to your network, but the data broadcast over the
wireless link is fully exposed.
•Turn Off the Broadcast of the Wireless Network Name SSID. If you disable broadcast of
the SSID, only devices that have the correct SSID can connect. This nullifies the wireless
network ‘discovery’ feature of some products such as Windows XP, but the data is still fully
exposed.
•Turn Off Bridging to the Wired LAN. If you disable bridging to the LAN, wireless devices
cannot communicate with computers on the Ethernet LAN but can still access the Internet.
This blocks any access to the computers on the wired LAN but the wireless data routed to the
Internet is still fully exposed.
•WEP. Wired Equivalent Privacy (WEP) data encryption provides data security. WEP Shared
Key authentication and WEP data encryption will block all but the most determined
eavesdropper.
Understanding Wireless Settings
To configure the wireless settings of your FWAG114, click the Wireless 11a or Wireless 11b/g link
in the Setup section of the main menu. The wireless settings menu will appear, as shown below.
Figure 4-2: Wireless 11a and 11b/g Settings menus
Note: The 802.11b and 802.11g wireless networking protocols are configured in exactly
the same fashion. The FWAG114 will automatically adjust to the 802.11g or 802.11b
protocol as the device requires without compromising the speed of the other connected
devices.
Common Wireless Settings
The 802.11a and the 802.11b/g wireless network identification settings are configured separately.
However, some types of items you configure in each network are the same. The Wireless Settings
menu items which are the same for either type of wireless network are discussed below.
•Station Name. The station name of the FWAG114.
•Regulatory Domain. For the Wireless 802.11a settings, unless you select a regulatory
domain, the 802.11a radio is turned off. This field identifies the region where the FWAG114
can be used. It may not be legal to operate the wireless features of the VPN firewall in a
region other than one of those identified in this field.
•SSID (Service Set Identification). The SSID is also known as the wireless network name.
Enter a value of up to 32 alphanumeric characters. In a setting where there is more than one
wireless network, different wireless network names provide a means for separating the traffic.
Any device you want to participate in the 11a or the 11b/g wireless network will need to use
this SSID for that network. The FWAG114 default SSID is: NETGEAR.
•Options.
–Channel/Frequency. This field determines which operating frequency will be used. It
should not be necessary to change the wireless channel unless you notice interference
problems with another nearby access point. For more information on the wireless channel
frequencies please refer to “Wireless Channels” on page D-7.
–Turbo Mode, 802.11a Only. Enabling turbo mode allows the wireless node to transmit or
receive at a higher rate, up to 108 Mbps. Default: Disable.
–Data Rate. Shows the available transmit data rate of the wireless network. The possible
data rates supported for 802.11a interface are: 54 Mbps, 48 Mbps, 36 Mbps, 24 Mbps, 18
Mbps, 12 Mbps, 9 Mbps, and 6 Mbps. It can go up to 108 Mbps if the turbo mode is
enabled. Default: Best.
–Transmit Power. Set the transmit signal strength of the access point. The options are full,
half, quarter, eighth, and min. Decrease the transmit power if more than one AP is
co-located using the same channel frequency. Default: Full.
–Beacon Interval. Specifies the Beacon Interval value. Enter a value in between 20 to
1000. Default: 100.
–DTIM. The Delivery Traffic Indication Message. Specifies the data beacon rate between 1
and 255. Default: 1.
–WEP Status. If WEP is enabled, this will indicate the current settings.
•Access Point Connections. Lets you restrict wireless connections according to a list of
Trusted PCs MAC addresses. When the Trusted PCs Only radio button is selected, the
FWAG114 checks the MAC address of the wireless station and only allows connections to PCs
identified on the trusted PCs list.
•SSID Broadcast Enable. The default setting is to enable SSID broadcast. If you disable
broadcast of the SSID, only devices that have the correct SSID can connect. Disabling SSID
broadcast somewhat hampers the wireless network ‘discovery’ feature of some products.
•Enable Bridging to the Wired LAN. The default setting is to enable bridging to the wired
LAN. If you disable bridging to the LAN, wireless devices cannot communicate with
computers on the Ethernet LAN but can still access the Internet.
Although the types of settings described above are the same for either type of wireless network,
the choices you make in each type of network can be different. For example, you can disable the
SSID broadcast in your 802.11a wireless network but enable it in your 802.11b/g network.
Understanding WEP Authentication and Encryption
Restricting wireless access to your network prevents intruders from connecting to your network.
However, the wireless data transmissions are still vulnerable to snooping. Using the WEP data
encryption settings described below will prevent a determined intruder from eavesdropping on
your wireless data communications. Also, if you are using the Internet for such activities as
purchases or banking, those Internet sites use another level of highly secure encryption called SSL.
You can tell if a web site is using SSL because the web address begins with HTTPS rather than
HTTP.
Authentication Type
The FWAG114 lets you select the following wireless authentication schemes.
•Open System.
•Shared key.
Be sure to set your wireless adapter according to the authentication scheme you choose for the
FWAG114 wireless firewall. Please refer to “Authentication and WEP Data Encryption” on
page D-3 for a full explanation of each of these options, as defined by the IEEE 802.11 wireless
communication standard.
WEP
Choose the encryption settings from this menu. Please refer to “Overview of WEP Parameters” on
page D-5 for a full explanation of each of these options, as defined by the IEEE 802.11 wireless
communication standard.
•Disable. No encryption will be applied. This setting is useful for troubleshooting your wireless
connection, but leaves your wireless data fully exposed.
•64-bit, 128-bit, or in the case of 802.11a, 152-bit WEP. When 64-, 128-, or 152-Bit WEP is
selected, WEP encryption will be applied.
If WEP is enabled, you can manually or automatically program the four data encryption keys.
These values must be identical on all PCs and access points in your network.
There are two methods for creating WEP encryption keys:
•Passphrase. Enter a word or group of printable characters in the Passphrase box and click the
Generate button.
•Manual. 64-bit WEP: Enter 10 hexadecimal digits (any combination of 0-9, a-f, or A-F).
128-bit WEP: Enter 26 hexadecimal digits (any combination of 0-9, a-f, or A-F).
Clicking the radio button selects which of the four keys will be the default.
Default Factory Settings
When you first receive your FWAG114, the default factory settings are shown below. You can
restore these defaults with the Factory Default Restore button on the rear panel. After you install
the FWAG114 wireless firewall, use the procedures below to customize any of the settings to
better meet your networking needs.
FEATURE: DEFAULT FACTORY SETTINGS
SSID for both 802.11a & 802.11b: NETGEAR
11a RF Channel: Off until the Regulatory Domain is selected, then 52 Non-Turbo Mode; 50 Turbo Mode
11b RF Channel: 6
WEP: Disabled
Authentication Type: Open System
Access Point Connections for both 802.11a & 802.11b/g: All wireless stations allowed
Bridging to wired LAN for both 802.11a & 802.11b/g: Enabled
SSID broadcast for both 802.11a & 802.11b/g: Enabled
Before You Change the SSID and WEP Settings
Take the following steps:
For a new wireless network, print or copy this form and fill in the configuration parameters. For an
existing wireless network, the person who set up or is responsible for the network will be able to
provide this information. Be sure to set the Regulatory Domain correctly as the first step.
•SSID: The Service Set Identification (SSID) identifies the wireless local area network.
NETGEAR is the default FWAG114 SSID. However, you may customize it by using up
to 32 alphanumeric characters. Write your customized SSID on the line below.
Note: The SSID in the VPN firewall is the SSID you configure in the wireless adapter
card. All wireless nodes in the same network must be configured with the same SSID.
802.11a SSID: ______________________________
802.11b SSID: ______________________________
•Authentication
The two bands can use different authentication settings. Choose “Shared Key” for more
security.
802.11a SSID, circle one: Open System or Shared Key
802.11b SSID, circle one: Open System or Shared Key
Note: If you select shared key, the other devices in the network will not connect unless
they are set to Shared Key as well.
•WEP Encryption
802.11a and 802.11b differ in their use of WEP encryption keys. See “Security
Configuration” on page 2-21 for a description of these differences.
802.11a WEP Encryption Keys
Key 1: ___________________________________ Circle Key Size: 64 or 128 or 152 bits
Key 2: ___________________________________ Circle Key Size: 64 or 128 or 152 bits
Key 3: ___________________________________ Circle Key Size: 64 or 128 or 152 bits
Key 4: ___________________________________ Circle Key Size: 64 or 128 or 152 bits
802.11b WEP Encryption Keys
For all four 802.11b keys, choose the Key Size. Circle one: 64 or 128 bits
Key 1: ___________________________________
Key 2: ___________________________________
Key 3: ___________________________________
Key 4: ___________________________________
Use the procedures described in the following sections to configure the FWAG114. Store this
information in a safe place.
How to Set Up and Test Basic Wireless Connectivity
Follow the instructions below to set up and test basic wireless connectivity. Once you have
established basic wireless connectivity, you can enable security settings appropriate to your needs.
1.Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and
default password of password, or using whatever LAN address and password you have set up.
2.Depending on the types of wireless adapters you have in your computers, click the Wireless
11a or 11b link in the main menu of the FWAG114.
3.Set the Regulatory Domain correctly.
4.Choose a suitable descriptive name for the wireless network name (SSID). In the SSID box,
enter a value of up to 32 alphanumeric characters. The default SSID is NETGEAR.
Note: The characters are case sensitive. An access point always functions in infrastructure
mode. The SSID for any wireless device communicating with the access point must match the
SSID configured in the ProSafe Dual Band Wireless VPN Firewall FWAG114. If they do not
match, you will not get a wireless connection to the FWAG114.
5.Set the Channel.
It should not be necessary to change the wireless channel unless you notice interference
problems with another nearby wireless router or access point. Select a channel that is not being
used by any other wireless networks within several hundred feet of your VPN firewall. For
more information on the wireless channel frequencies please refer to “Wireless Channels” on
page D-7.
6.For initial configuration and test, leave the Wireless Card Access List set to “All Wireless
Stations” and the Encryption Strength set to “Disable.”
7.Click Apply to save your changes.
Note: If you are configuring the FWAG114 from a wireless PC and you change the
VPN firewall’s SSID, channel, or security settings, you will lose your wireless
connection when you click on Apply. You must then change the wireless settings of your
PC to match the FWAG114’s new settings.
8.Configure and test your PCs for wireless connectivity.
Program the wireless adapter of your PCs to have the same SSID that you configured in the
FWAG114. Check that they have a wireless link and are able to obtain an IP address by DHCP
from the VPN firewall.
Once your PCs have basic wireless connectivity to the VPN firewall, then you can configure the
advanced options and wireless security functions.
How to Restrict Wireless Access by MAC Address
To restrict access based on MAC addresses, follow these steps:
1.Log in at the default LAN address of http://192.168.0.1 with the default user name of admin
and default password of password.
2.Click the Wireless 11a or 11b link in the main menu of the FWAG114.
3.From the Wireless Settings menu, click the Trusted PCs only radio button.
4.Click the Trusted PCs button to display the Wireless Access menu shown below.
Figure 4-3.Wireless Access menu
5.Enter the MAC address of a wireless adapter and click the Add button to add a wireless device
to the wireless access control list. The Trusted PCs list updates with the new entry.
Note: You can copy and paste the MAC addresses from the FWAG114’s Attached Devices
menu into the MAC Address box of this menu. To do this, configure each wireless PC to
obtain a wireless link to the VPN firewall. The PC should then appear in the Attached Devices
menu.
6.Click the Back button to return to the Wireless Settings menu.
Note: When configuring the FWAG114 from a wireless PC whose MAC address is not
in the Trusted PC list, if you select Turn Access Control On, you will lose your wireless
connection when you click on Apply. You must then access the VPN firewall from a
wired PC or from a wireless PC which is on the access control list to make any further
changes.
7.Be sure to click Apply to save your trusted wireless PCs list settings.
Now, only devices on this list will be allowed to wirelessly connect to the FWAG114.
To remove a MAC address from the table, click on it to select it, then click the Delete button.
How to Configure WEP
To configure WEP data encryption, follow these steps:
1.Log in at the default LAN address of http://192.168.0.1 with the default user name of admin
and default password of password, or using whatever LAN address and password you have
set up.
2.Click the Wireless 11a or 11b link in the main menu of the FWAG114.
3.Click the Configure WEP button.
4.Choose the Authentication Type and WEP option.
5.You can manually or automatically program the four data encryption keys. These values must
be identical on all PCs and Access Points in your network.
•Automatic - Enter a word or group of printable characters in the Passphrase box and click
the Generate button. The four key boxes will be automatically populated with key values.
•Manual - Enter ten hexadecimal digits (any combination of 0-9, a-f, or A-F)
Select which of the four keys will be active.
Please refer to “Overview of WEP Parameters” on page D-5 for a full explanation of each of
these options, as defined by the IEEE 802.11b wireless communication standard.
6.Click Apply to save your settings.
Note: When configuring the VPN firewall from a wireless PC, if you configure WEP
settings, you will lose your wireless connection when you click on Apply. You must then
either configure your wireless adapter to match the VPN firewall WEP settings or
access the VPN firewall from a wired PC to make any further changes.
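The manual fixes the format of manually entered keys (10 hexadecimal digits for 64-bit WEP, 26 for 128-bit) and the worksheet notes that 802.11a keys may each have their own size while all four 802.11b keys share one size. The following checker, an added example and not NETGEAR's code, applies those rules before a key set is committed; the 32-digit count for 152-bit keys, the band and default-key parameters, and the rule that unused keys may be left blank are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Hex digits per key size: 10 for 64-bit and 26 for 128-bit are the counts the
# manual gives; 32 for 152-bit (802.11a only) is an assumption that follows the
# same pattern (each nominal size includes the 24-bit IV, the rest is entered as hex).
HEX_DIGITS = {64: 10, 128: 26, 152: 32}
_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def validate_wep_key(key: str, size_bits: int, band: str = "11b") -> Tuple[bool, str]:
    """Check one manually entered WEP key against the chosen key size and band."""
    if size_bits not in HEX_DIGITS:
        return False, f"unsupported key size {size_bits}"
    if size_bits == 152 and band != "11a":
        return False, "152-bit WEP is available on 802.11a only"
    if not _HEX.match(key):
        return False, "key must contain only hexadecimal digits (0-9, a-f, A-F)"
    if len(key) != HEX_DIGITS[size_bits]:
        return False, f"{size_bits}-bit WEP needs {HEX_DIGITS[size_bits]} hex digits, got {len(key)}"
    return True, "ok"


def validate_key_set(keys: List[str], sizes: List[int], band: str,
                     default_key: int) -> Tuple[bool, str]:
    """Check the worksheet's four keys. On 802.11a each key carries its own size;
    on 802.11b all four share one size. Unused keys may be left blank (assumed),
    but the key selected as the default must be present and valid."""
    if len(keys) != 4 or len(sizes) != 4:
        return False, "exactly four keys and four sizes are expected"
    if not 1 <= default_key <= 4:
        return False, "default key must be 1 to 4"
    if band == "11b" and len(set(sizes)) != 1:
        return False, "802.11b: all four keys must use the same key size"
    for index, (key, size) in enumerate(zip(keys, sizes), start=1):
        if key == "" and index != default_key:
            continue                    # blank, unused key slot
        ok, reason = validate_wep_key(key, size, band)
        if not ok:
            return False, f"key {index}: {reason}"
    return True, "ok"
```

Because the keys must be identical on every device and passphrase-to-key generation differs between vendors, entering the checked hexadecimal keys directly on each adapter is the dependable way to meet that requirement when adapters from several makers share the network.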
Chapter 5
Firewall Protection and
Content Filtering
This chapter describes how to use the content filtering features of the ProSafe Dual Band Wireless
VPN Firewall FWAG114 to protect your network. These features can be found by clicking on the
Content Filtering heading in the Main Menu of the browser interface.
Firewall Protection and Content Filtering Overview
The ProSafe Dual Band Wireless VPN Firewall FWAG114 provides you with Web content
filtering options, plus browsing activity reporting and instant alerts via e-mail. Parents and
network administrators can establish restricted access policies based on time-of-day, web
addresses and web address keywords. You can also block Internet access by applications and
services, such as chat or games.
A firewall is a special category of router that protects one network (the “trusted” network, such as
your LAN) from another (the “untrusted” network, such as the Internet), while allowing
communication between the two. A firewall incorporates the functions of a NAT (Network
Address Translation) router, while adding features for dealing with a hacker intrusion or attack,
and for controlling the types of traffic that can flow between the two networks. Unlike simple
Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect
your network from attacks and intrusions. NAT performs a very limited stateful inspection in that
it considers whether the incoming packet is in response to an outgoing request, but true Stateful
Packet Inspection goes far beyond NAT.
To configure these features of your router, click on the subheadings under the Content Filtering
heading in the Main Menu of the browser interface. The subheadings are described below:
Block Sites
The FWAG114 allows you to restrict access based on Web addresses and Web address keywords.
Up to 255 entries are supported in the Keyword list. The Keyword Blocking menu is shown in
Figure 5-1:
Figure 5-1: Block Sites menu
To enable keyword blocking, check “Turn keyword blocking on”, then click Apply.
To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply.
To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
Keyword application examples:
•If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked,
as is the newsgroup alt.pictures.XXX.
•If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu or
.gov) can be viewed.
•If you wish to block all Internet browsing access, enter the keyword “.”.
To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply.
You may specify one Trusted User, which is a PC that will be exempt from blocking and
logging. Since the Trusted User will be identified by an IP address, you should configure that
PC with a fixed or reserved IP address.
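The keyword examples above can be read as a small matching rule: a case-insensitive substring test against the requested host and path, with one Trusted User address exempt from blocking and logging. The model below is an added example written for this page, not FWAG114 firmware; the exact matching the device performs is not documented here, so substring matching on host plus path, the news: URL form for the newsgroup case, and the sample LAN addresses are this example's assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class KeywordBlocker:
    """Model of the Block Sites feature (constructed example, not FWAG114 firmware).

    - up to 255 keywords, matched case-insensitively as substrings of the
      requested host and path, so "." matches every dotted host name;
    - one Trusted User IP that is exempt from both blocking and logging."""

    MAX_KEYWORDS = 255

    enabled: bool = True
    trusted_user: Optional[str] = None
    keywords: List[str] = field(default_factory=list)
    log: List[Tuple[str, str, str]] = field(default_factory=list)

    def add_keyword(self, keyword: str) -> None:
        keyword = keyword.strip()
        if not keyword:
            raise ValueError("empty keyword")
        if len(self.keywords) >= self.MAX_KEYWORDS:
            raise ValueError("keyword list is full (255 entries)")
        self.keywords.append(keyword.lower())

    def delete_keyword(self, keyword: str) -> None:
        self.keywords.remove(keyword.strip().lower())

    def is_allowed(self, client_ip: str, url: str) -> bool:
        """Return True if the request passes, False if a keyword blocks it."""
        if not self.enabled:
            return True
        if self.trusted_user and ip_address(client_ip) == ip_address(self.trusted_user):
            return True                     # trusted user: no blocking, no logging
        parts = urlsplit(url)
        target = (parts.netloc + parts.path).lower()
        for keyword in self.keywords:
            if keyword in target:
                self.log.append((client_ip, url, keyword))   # blocked requests are logged
                return False
        return True


def manual_examples() -> List[bool]:
    """Replay the manual's keyword examples for a non-trusted LAN PC.
    Returns [XXX page, XXX newsgroup, .edu site under ".com", any site under "."]."""
    xxx = KeywordBlocker(trusted_user="192.168.0.5")     # trusted user IP: constructed sample
    xxx.add_keyword("XXX")
    com = KeywordBlocker()
    com.add_keyword(".com")
    dot = KeywordBlocker()
    dot.add_keyword(".")
    client = "192.168.0.10"                               # constructed sample LAN address
    return [
        xxx.is_allowed(client, "http://www.badstuff.com/xxx.html"),
        xxx.is_allowed(client, "news:alt.pictures.XXX"),
        com.is_allowed(client, "http://www.example.edu/"),
        dot.is_allowed(client, "http://www.example.org/"),
    ]
```

Because the exemption is keyed on an IP address, the model makes the manual's advice concrete: if the trusted PC's address is handed out by DHCP and later changes, the exemption silently moves to whichever PC receives that address, so reserve it.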
Using Rules to Block or Allow Specific Kinds of Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the other.
Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing
only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine
what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of
the FWAG114 are:
•Inbound: Block all access from outside except responses to requests from the LAN side.
•Outbound: Allow all access from the LAN side to the outside.
These default rules are shown in the Rules table of the Rules menu in Figure 5-2:
Figure 5-2: Rules menu
You may define additional rules that will specify exceptions to the default rules. By adding custom
rules, you can block or allow access based on the service or application, source or destination IP
addresses, and time of day. You can also choose to log traffic that matches or does not match the
rule you have defined.
To create a new rule, click the Add button.
To edit an existing rule, select its button on the left side of the table and click Edit.
To delete an existing rule, select its button on the left side of the table and click Delete.
To move an existing rule to a different position in the table, select its button on the left side of the
table and click Move. At the script prompt, enter the number of the desired new position and click
OK.
An example of the menu for defining or editing a rule is shown in Figure 5-3. The parameters are:
•Service. From this list, select the application or service to be allowed or blocked. The list
already displays many common services, but you are not limited to these choices. Use the
Services menu to add any additional services or applications that do not already appear.
•Action. Choose how you would like this type of traffic to be handled. You can block or allow
always, or you can choose to block or allow according to the schedule you have defined in the
Schedule menu.
•Source Address. Specify traffic originating on the LAN (outbound) or the WAN (inbound),
and choose whether you would like the traffic to be restricted by source IP address. You can
select Any, a Single address, or a Range. If you select a range of addresses, enter the range in
the start and finish boxes. If you select a single address, enter it in the start box.
•Destination Address. The Destination Address will be assumed to be from the opposite (LAN
or WAN) of the Source Address. As with the Source Address, you can select Any, a Single
address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you
must enter a Single LAN address in the start box.
•Log. You can select whether the traffic will be logged. The choices are:
•Never - no log entries will be made for this service.
•Match - traffic of this type which matches the parameters and action will be logged.
Inbound Rules (Port Forwarding)
Because the FWAG114 uses Network Address Translation (NAT), your network presents only one
IP address to the Internet, and outside users cannot directly address any of your local computers.
However, by defining an inbound rule you can make a local server (for example, a web server or
game server) visible and available to the Internet. The rule tells the router to direct inbound traffic
for a particular service to one local server based on the destination port number. This is also known
as port forwarding.
Note: Some residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may periodically
check for servers and may suspend your account if it discovers any active services at
your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your FWAG114 wireless firewall. Only
enable those ports that are necessary for your network. Following are two application examples of
inbound rules:
Inbound Rule Example: A Local Public Web Server
If you host a public web server on your local network, you can define a rule to allow inbound web
(HTTP) requests from any outside IP address to the IP address of your web server at any time of
day. This rule is shown in Figure 5-3:
Figure 5-3: Rule example: A Local Public Web Server
Inbound Rule Example: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside
IP addresses, such as from a branch office, you can create an inbound rule. In the example shown
in Figure 5-4, CU-SeeMe connections are allowed only from a specified range of external IP
addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that
do not match the allowed parameters.
Figure 5-4: Rule example: Videoconference from Restricted Addresses
Considerations for Inbound Rules
•If your external IP address is assigned dynamically by your ISP, the IP address may change
periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the
Advanced menus so that external users can always find your network.
•If the IP address of the local server PC is assigned by DHCP, it may change when the PC is
rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the
PC’s IP address constant.
•Local PCs must access the local server using the PCs’ local LAN address (192.168.0.99 in this
example). Attempts by local PCs to access the server using the external WAN IP address will
fail.
Outbound Rules (Service Blocking)
The FWAG114 allows you to block the use of certain Internet services by PCs on your network.
This is called service blocking or port filtering. You can define an outbound rule to block Internet
access from a local PC based on:
• IP address of the local PC (source address)
• IP address of the Internet site being contacted (destination address)
• Time of day
• Type of service being requested (service port number)
Following is an application example of outbound rules:
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create
an outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created in the Schedule menu. You can also have the router
log any attempt to use Instant Messenger during that blocked period.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 5-6:
Figure 5-6: Rules table with examples
For any traffic attempting to pass through the firewall, the packet information is subjected to the
rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules
at the bottom. In some cases, the order of precedence of two or more rules may be important in
determining the disposition of a packet. The Move button allows you to relocate a defined rule to a
new position in the table.
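The following is an added example, not NETGEAR code: a small model of how a rules table like the one above is evaluated, top to bottom with the first matching rule deciding and the default rules at the bottom, covering the three rule examples given earlier in this chapter (public web server, videoconference from a restricted range with logging of non-matching requests, Instant Messenger blocked on a working-hours schedule). The default dispositions (inbound blocked, outbound allowed), the rule fields, the addresses and the service ports are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Assumed defaults at the bottom of the Rules table: inbound traffic is discarded
# unless an inbound rule allows it; outbound traffic passes unless a rule blocks it.
DEFAULTS = {"inbound": "block", "outbound": "allow"}


@dataclass
class Schedule:
    """A Schedule menu entry: selected days plus Start/End Blocking in 24-hour time."""
    days: Set[int]           # weekday numbers, 0 = Monday; empty set means Every Day
    start: str = "00:00"     # "HH:MM"; All Day is 00:00 to 24:00
    end: str = "24:00"

    def active(self, when: datetime) -> bool:
        if self.days and when.weekday() not in self.days:
            return False
        return self.start <= when.strftime("%H:%M") < self.end


@dataclass
class Rule:
    name: str
    direction: str                            # "inbound" (WAN to LAN) or "outbound"
    action: str                               # "allow" or "block"
    service: Optional[Tuple[str, int, int]]   # (protocol, low port, high port); None = any
    src: str = "0.0.0.0/0"                    # source address or range, CIDR form
    dst: str = "0.0.0.0/0"                    # destination address or range, CIDR form
    schedule: Optional[Schedule] = None       # None = the rule applies at all times
    log: str = "never"                        # "never", "match" or "not_match"


def _addr_in(addr: str, cidr: str) -> bool:
    return ip_address(addr) in ip_network(cidr, strict=False)


def _service_hit(rule: Rule, proto: str, port: int) -> bool:
    if rule.service is None:
        return True
    p, lo, hi = rule.service
    return p == proto and lo <= port <= hi


def evaluate(rules: List[Rule], pkt: dict, when: datetime):
    """Walk the table top to bottom; the first rule whose criteria all match decides."""
    logs = []
    for r in rules:
        if r.direction != pkt["direction"] or not _service_hit(r, pkt["proto"], pkt["dport"]):
            continue   # the rule concerns a different direction or service
        hit = (_addr_in(pkt["src"], r.src) and _addr_in(pkt["dst"], r.dst)
               and (r.schedule is None or r.schedule.active(when)))
        if hit:
            if r.log == "match":
                logs.append(f"{r.name}: {r.action} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
            return r.action, r.name, logs
        if r.log == "not_match":   # e.g. CU-SeeMe requests from outside the allowed range
            logs.append(f"{r.name}: not matched {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
    return DEFAULTS[pkt["direction"]], "default", logs


def decide(rules, direction, proto, src, dst, dport, when_iso):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    pkt = {"direction": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}
    return evaluate(rules, pkt, datetime.fromisoformat(when_iso))


def move(rules: List[Rule], name: str, new_index: int) -> List[Rule]:
    """Model of the Move button: relocate one rule to a new position in the table."""
    rules = list(rules)
    r = next(x for x in rules if x.name == name)
    rules.remove(r)
    rules.insert(new_index, r)
    return rules


# Constructed rules table: the manual's three examples (web server, videoconference
# from a branch-office range, Instant Messenger blocked during working hours) and
# one extra block rule used to show why order matters. Ports are assumed.
WORK_HOURS = Schedule(days={0, 1, 2, 3, 4}, start="09:00", end="17:00")
RULES = [
    Rule("Web server", "inbound", "allow", ("tcp", 80, 80), dst="192.168.0.99/32"),
    Rule("Videoconference", "inbound", "allow", ("udp", 7648, 7649),
         src="198.51.100.0/24", log="not_match"),
    Rule("Block IM", "outbound", "block", ("tcp", 5190, 5190),
         schedule=WORK_HOURS, log="match"),
    Rule("Block branch web", "inbound", "block", ("tcp", 80, 80), src="203.0.113.0/24"),
]

if __name__ == "__main__":
    web = ("inbound", "tcp", "203.0.113.5", "192.168.0.99", 80, "2024-01-09T10:00")
    print(decide(RULES, *web))                                   # allow by "Web server"
    print(decide(move(RULES, "Block branch web", 0), *web))      # block once moved to the top
```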
Default DMZ Server
Incoming traffic from the Internet is normally discarded by the router unless the traffic is a
response to one of your local computers or a service for which you have configured an inbound
rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network.
This computer is called the Default DMZ Server.
The Default DMZ Server feature is helpful when using some online games and videoconferencing
applications that are incompatible with NAT. The router is programmed to recognize some of these
applications and to work properly with them, but there are other applications that may not function
well. In some cases, one local PC can run the application properly if that PC’s IP address is entered
as the Default DMZ Server.
Note: For security, NETGEAR strongly recommends that you avoid using the Default
DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses
much of the protection of the firewall, and is exposed to many exploits from the Internet.
If compromised, the computer can be used to attack your network.
To assign a computer or server to be a Default DMZ server:
1. Click Default DMZ Server.
2. Type the IP address for that server.
3. Click Apply.
Note: In this application, the use of the term ‘DMZ’ has become common, although it is
a misnomer. In traditional firewalls, a DMZ is actually a separate physical network port.
A true DMZ port is for connecting servers that require greater access from the outside,
and will therefore be provided with a different level of security by the firewall. A better
term for our application is Exposed Host.
Respond to Ping on Internet WAN Port
If you want the router to respond to a 'ping' from the Internet, click the ‘Respond to Ping on
Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your
router to be discovered. Don't check this box unless you have a specific reason to do so.
Services
Services are functions performed by server computers at the request of client computers. For
example, Web servers serve web pages, time servers serve time and date information, and game
hosts serve data about other players’ moves. When a computer on the Internet sends a request for
service to a server computer, the requested service is identified by a service or port number. This
number appears as the destination port number in the transmitted IP packets. For example, a packet
that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task
Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other
applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the FWAG114 already holds a list of many service port numbers, you are not limited to
these choices. Use the Services menu to add additional services and applications to the list for use
in defining firewall rules. The Services menu shows a list of services that you have defined, as
shown in Figure 5-7:
Figure 5-7: Services menu
To define a new service, first you must determine which port number or range of numbers is used
by the application. This information can usually be obtained from the publisher of the
application or from user groups or newsgroups. When you have the port number information, go to
the Services menu and click on the Add Custom Service button. The Add Services menu will
appear, as shown in Figure 5-8:
Figure 5-8: Add Custom Service menu
To add a service:
1. Enter a descriptive name for the service so that you will remember what it is.
2. Select whether the service uses TCP or UDP as its transport protocol.
If you can’t determine which is used, select both.
3. Enter the lowest port number used by the service.
4. Enter the highest port number used by the service.
If the service only uses a single port number, enter the same number in both fields.
5. Click Apply.
The new service will now appear in the Services menu, and in the Service name selection box in
the Rules menu.
Using a Schedule to Block or Allow Specific Traffic
If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use
a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The
router allows you to specify when blocking will be enforced by configuring the Schedule tab
shown below:
Figure 5-9: Schedule menu
To block keywords or Internet domains based on a schedule, select Every Day or select one or
more days. If you want to limit access completely for the selected days, select All Day. Otherwise,
if you want to limit access during certain times on the selected days, type a Start Blocking time
and an End Blocking time.
Note: Enter the values as 24-hour time. For example, 10:30 am would be 10 hours and 30
minutes and 10:30 pm would be 22 hours and 30 minutes.
Be sure to click Apply when you have finished configuring this menu.
Time Zone
The FWAG114 wireless firewall uses the Network Time Protocol (NTP) to obtain the current time
and date from one of several Network Time Servers on the Internet. In order to localize the time
for your log entries, you must specify your Time Zone:
• Time Zone. Select your local time zone. This setting will be used for the blocking schedule
and for time-stamping log entries.
• Daylight Savings Time. Check this box for daylight savings time.
Note: If your region uses Daylight Savings Time, you must manually select Adjust for
Daylight Savings Time on the first day of Daylight Savings Time, and unselect it at the
end. Enabling Daylight Savings Time will add one hour to the standard time.
Be sure to click Apply when you have finished configuring this menu.
Getting E-Mail Notifications of Event Logs and Alerts
In order to receive logs and alerts by e-mail, you must provide your e-mail information in the
E-Mail subheading:
Figure 5-10: E-mail menu
• Turn e-mail notification on. Check this box if you wish to receive e-mail logs and alerts from
the router.
• Send alerts and logs by e-mail. If you enable e-mail notification, these boxes cannot be
blank. Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as
mail.myISP.com). You may be able to find this information in the configuration menu of your
e-mail program. Enter the e-mail address to which logs and alerts are sent. This e-mail address
will also be used as the From address. If you leave this box blank, log and alert messages will
not be sent via e-mail.
• Send E-mail alerts immediately. You can specify that logs are immediately sent to the
specified e-mail address when any of the following events occur:
– If a Denial of Service attack is detected.
– If a Port Scan is detected.
– If a user on your LAN attempts to access a website that you blocked using Keyword
blocking.
• Send logs according to this schedule. You can specify that logs are sent to you according to a
schedule. Select whether you would like to receive the logs None, Hourly, Daily, Weekly, or
When Full. Depending on your selection, you may also need to specify:
– Day for sending log. Relevant when the log is sent weekly or daily.
– Time for sending log. Relevant when the log is sent daily or weekly.
If the Weekly, Daily or Hourly option is selected and the log fills up before the specified
period, the log is automatically e-mailed to the specified e-mail address. After the log is sent,
the log is cleared from the router’s memory. If the router cannot e-mail the log file, the log
buffer may fill up. In this case, the router overwrites the log and discards its contents.
Be sure to click Apply when you have finished configuring this menu.
Viewing Logs of Web Access or Attempted Web Access
The router will log security-related events such as denied incoming and outgoing service requests,
hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu,
the Log page will also show you when someone on your network tried to access a blocked site. If
you enabled e-mail notification, you'll receive these logs in an e-mail message. If you don't have
e-mail notification enabled, you can view the logs here. An example is shown in Figure 5-11:
Figure 5-11: Logs menu
Log entries are described in Table 5-1.
Table 5-1. Log entry descriptions
• Date and Time. The date and time the log entry was recorded.
• Description or Action. The type of event and what action was taken, if any.
• Source IP. The IP address of the initiating device for this log entry.
• Source port and interface. The service port number of the initiating device, and whether it
originated from the LAN or WAN.
• Destination. The name or IP address of the destination device or website.
• Destination port and interface. The service port number of the destination device, and whether
it’s on the LAN or WAN.
Log action buttons are described in Table 5-2.
Table 5-2. Log action buttons
• Refresh. Click this button to refresh the log screen.
• Clear Log. Click this button to clear the log entries.
• Send Log. Click this button to e-mail the log immediately.
Syslog
You can configure the router to send system logs to an external PC that is running a syslog logging
program. Enter the IP address of the logging PC and click the Enable Syslog checkbox.
Logging programs are available for Windows, Macintosh, and Linux computers.
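The following is an added example, not NETGEAR code: it parses router log lines into the fields of Table 5-1, summarizes denied inbound requests per WAN source (the pattern behind the Port Scan alert), and renders an entry as a BSD syslog line of the kind an external logging host accepts. The line layout in SAMPLE_LOG is constructed for this example and the regular expression is an assumption; adapt it to the exact format your router emits.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample lines in an assumed layout: four denied probes from one WAN
# address to different ports, one allowed web request, one blocked IM attempt, one login.
SAMPLE_LOG = """\
Tue, 2024-01-09 10:15:02 - Inbound request denied - Source: 203.0.113.9, 44122, WAN - Destination: 192.168.0.99, 23, LAN
Tue, 2024-01-09 10:15:02 - Inbound request denied - Source: 203.0.113.9, 44123, WAN - Destination: 192.168.0.99, 22, LAN
Tue, 2024-01-09 10:15:03 - Inbound request denied - Source: 203.0.113.9, 44124, WAN - Destination: 192.168.0.99, 445, LAN
Tue, 2024-01-09 10:15:03 - Inbound request denied - Source: 203.0.113.9, 44125, WAN - Destination: 192.168.0.99, 3389, LAN
Tue, 2024-01-09 10:16:40 - Inbound request allowed - Source: 198.51.100.7, 51000, WAN - Destination: 192.168.0.99, 80, LAN
Tue, 2024-01-09 10:20:11 - Outbound request blocked (Block IM) - Source: 192.168.0.10, 1054, LAN - Destination: 203.0.113.40, 5190, WAN
Tue, 2024-01-09 10:31:05 - Administrator login - Source: 192.168.0.10, 1060, LAN - Destination: 192.168.0.1, 80, LAN
"""

# One named group per Table 5-1 field (date/time, description, source IP/port/interface,
# destination, destination port/interface).
LINE = re.compile(
    r"^(?P<when>.+?) - (?P<desc>.+?) - Source: (?P<sip>[\d.]+), (?P<sport>\d+), (?P<sif>LAN|WAN)"
    r" - Destination: (?P<dst>[^,]+), (?P<dport>\d+), (?P<dif>LAN|WAN)$")


def parse_log(text: str) -> List[Dict]:
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue        # lines that do not fit the expected layout are skipped, not guessed
        e = m.groupdict()
        e["when"] = datetime.strptime(e["when"], "%a, %Y-%m-%d %H:%M:%S")
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        entries.append(e)
    return entries


def port_scan_candidates(entries: List[Dict], min_ports: int = 4) -> Dict[str, List[int]]:
    """WAN sources whose denied inbound requests touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for e in entries:
        if e["sif"] == "WAN" and "denied" in e["desc"].lower():
            ports[e["sip"]].add(e["dport"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def count_by_description(entries: List[Dict]) -> Counter:
    """How many entries of each event type the log holds."""
    return Counter(e["desc"] for e in entries)


def to_syslog(e: Dict, host: str = "FWAG114", facility: int = 16, severity: int = 4) -> str:
    """RFC 3164 style line; PRI = facility*8 + severity, so local0.warning gives <132>."""
    ts = f"{e['when']:%b} {e['when'].day:2d} {e['when']:%H:%M:%S}"
    return (f"<{facility * 8 + severity}>{ts} {host} firewall: {e['desc']} "
            f"src={e['sip']}:{e['sport']}/{e['sif']} dst={e['dst']}:{e['dport']}/{e['dif']}")


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(port_scan_candidates(entries))        # {'203.0.113.9': [22, 23, 445, 3389]}
    print(count_by_description(entries))
    print(to_syslog(entries[0]))
```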
Chapter 6
Maintenance
This chapter describes how to use the maintenance features of your ProSafe Dual Band Wireless
VPN Firewall FWAG114. These features can be found by clicking on the Maintenance heading in
the Main Menu of the browser interface.
Viewing VPN Firewall Status Information
The Router Status menu provides status and usage information. From the main menu of the
browser interface, click on Maintenance, then select Router Status to view this screen.
Figure 6-1: Router Status screen
This screen shows the following parameters:
Table 6-1. Menu 3.2 - FWAG114 Status Fields
• System Name. This field displays the System Name assigned to the router.
• Firmware Version. This field displays the router firmware version.
• WAN Port. These parameters apply to the Internet (WAN) port of the router.
– MAC Address. This field displays the MAC address being used by the Internet (WAN) port of
the router.
– IP Address. This field displays the IP address being used by the Internet (WAN) port of the
router. If no address is shown, the router cannot connect to the Internet.
– IP Subnet Mask. This field displays the IP Subnet Mask being used by the Internet (WAN) port
of the router.
– DHCP. This field shows the protocol on the WAN port used to obtain the WAN IP address. This
field can show DHCP Client, Fixed IP, PPPoE, BPA or PPTP. For example, if set to Client, the
router is configured to obtain an IP address dynamically from the ISP.
• LAN Port. These parameters apply to the Local (LAN) port of the router.
– MAC Address. This field displays the Media Access Control address being used by the LAN
port of the router.
– IP Address. This field displays the IP address being used by the Local (LAN) port of the router.
The default is 192.168.0.1.
– IP Subnet Mask. This field displays the IP Subnet Mask being used by the Local (LAN) port of
the router. The default is 255.255.255.0.
– DHCP. Identifies if the router’s built-in DHCP server is active for the LAN attached devices.
• IEEE802.11a/b/g Interface. These parameters apply to the 802.11a Wireless port of the router.
– SSID. This field displays the wireless network name (SSID) being used by the wireless port of
the router. The default is Wireless.
– MAC Address. This field displays the MAC address being used by the wireless port of the
router.
– Channel/Frequency. Identifies the channel the wireless port is using. See “Wireless Channels”
on page D-7 for the frequencies used on each channel.
– WEP Status. Identifies the current WEP configuration of this interface.
Click “Show WAN Status” to display the WAN connection status.
Figure 6-2: Connection Status screen
This screen shows the following statistics:
Table 6-1. Connection Status Fields
• Connection Time. The length of time the router has been connected to your Internet service
provider’s network.
• Connection Method. The method used to obtain an IP address from your Internet service
provider.
• IP Address. The WAN (Internet) IP Address assigned to the router.
• Network Mask. The WAN (Internet) Subnet Mask assigned to the router.
• Default Gateway. The WAN (Internet) default gateway the router communicates with.
Connection Status action buttons are described in Table 6-2.
Table 6-2. Connection Status action buttons
• Renew. Click the Renew button to renew the DHCP lease.
Click “Show Statistics” to display router usage statistics.
Figure 6-3: Router Statistics screen
This screen shows the following statistics:
Table 6-1. Router Statistics Fields
• Interface. The statistics for the WAN (Internet), LAN (local), 802.11a, and 802.11b/g interfaces.
For each interface, the screen displays:
– Status. The link status of the interface.
– TxPkts. The number of packets transmitted on this interface since reset or manual clear.
– RxPkts. The number of packets received on this interface since reset or manual clear.
– Collisions. The number of collisions on this interface since reset or manual clear.
– Tx B/s. The current transmission (outbound) bandwidth used on the interfaces.
– Rx B/s. The current reception (inbound) bandwidth used on the interfaces.
• Up Time. The amount of time since the router was last restarted.
• Up Time. The time elapsed since this port acquired the link.
• Poll Interval. Specifies the intervals at which the statistics are updated in this window. Click on
Stop to freeze the display.
WAN Status action buttons are described in Table 6-2.
Table 6-2. Connection Status action buttons
• Set Interval. Enter a time and click the button to set the polling frequency.
• Stop. Click the Stop button to freeze the polling information.
Viewing a List of Attached Devices
The Attached Devices menu contains a table of all IP devices that the router has discovered on the
local network. From the Main Menu of the browser interface, under the Maintenance heading,
select Attached Devices to view the table, shown below.
Figure 6-4: Attached Devices menu
For each device, the table shows the IP address, NetBIOS Host Name (if available), and Ethernet
MAC address. Note that if the router is rebooted, the table data is lost until the router rediscovers
the devices. To force the router to look for attached devices, click the Refresh button.
Upgrading the Router Software
The routing software of the FWAG114 wireless firewall is stored in FLASH memory, and can be
upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from
Netgear's website. If the upgrade file is compressed (.ZIP file), you must first extract the binary
(.TRX) file before sending it to the router. The upgrade file can be sent to the router using your
browser.
Note: The Web browser used to upload new firmware into the FWAG114 wireless firewall must
support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer or Netscape
Navigator 3.0 or above.
From the Main Menu of the browser interface, under the Maintenance heading, select the Router
Upgrade heading to display the menu shown below.
Figure 6-5: Router Upgrade menu
To upload new firmware:
1. Download and unzip the new software file from NETGEAR.
2. In the Router Upgrade menu, click the Browse button and browse to the location of the binary
(.BIN) upgrade file.
3. Click Upload.
Note: When uploading software to the FWAG114 wireless firewall, it is important not to
interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the
browser is interrupted, it may corrupt the software. When the upload is complete, your router
will automatically restart. The upgrade process will typically take about one minute.
In some cases, you may need to reconfigure the router after upgrading.
Configuration File Management
The configuration settings of the FWAG114 wireless firewall are stored within the router in a
configuration file. This file can be saved (backed up) to a user’s PC, retrieved (restored) from the
user’s PC, or cleared to factory default settings.
From the Main Menu of the browser interface, under the Maintenance heading, select the Settings
Backup heading to bring up the menu shown below.
Figure 6-6: Settings Backup menu
Three options are available, and are described in the following sections.
Restoring and Backing Up the Configuration
The Restore and Backup options in the Settings Backup menu allow you to save and retrieve a file
containing your router’s configuration settings.
To save your settings, select the Backup tab. Click the Backup button. Your browser will extract
the configuration file from the router and will prompt you for a location on your PC to store the
file. You can give the file a meaningful name at this time, such as pacbell.cfg.
To restore your settings from a saved configuration file, enter the full path to the file on your PC or
click the Browse button to browse to the file. When you have located it, click the Restore button to
send the file to the router. The router will then reboot automatically.
Erasing the Configuration
It is sometimes desirable to restore the router to a known blank condition. This can be done by
using the Erase function, which will restore all factory settings. After an erase, the router's
password will be password, the LAN IP address will be 192.168.0.1, and the router's DHCP client
will be enabled.
To erase the configuration, click the Erase button.
To restore the factory default configuration settings without knowing the login password or IP
address, you must use the Default Reset button on the rear panel of the router. See “Restoring the
Default Configuration and Password” on page 7-7.
Changing the Administrator Password
The default password for the router’s Web Configuration Manager is password. Netgear
recommends that you change this password to a more secure password.
From the main menu of the browser interface, under the Maintenance heading, select Set Password
to bring up this menu.
Figure 6-7: Set Password menu
To change the password, first enter the old password, and then enter the new password twice. Click
Apply. To change the login idle timeout, change the number of minutes and click Apply.
Chapter 7
Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FWAG114
wireless firewall. VPN tunnels provide secure, encrypted communications between your local
network and a remote network or computer.
Overview of FWAG114 Policy-Based VPN Configuration
The FWAG114 uses state-of-the-art firewall and security technology to facilitate controlled and
actively monitored VPN connectivity. Since the FWAG114 strictly conforms to IETF standards, it
is interoperable with devices from major network equipment vendors.
Figure 7-1: Secure access through FWAG114 VPN routers
Using Policies to Manage VPN Traffic
You create policy definitions to manage VPN traffic on the FWAG114. There are two kinds of
policies:
• IKE Policies: Define the authentication scheme and automatically generate the encryption
keys. As an alternative option, to further automate the process, you can create an IKE policy
which uses a trusted certificate authority to provide the authentication while the IKE policy
still handles the encryption.
• VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you
can create a VPN policy which does not use an IKE policy but in which you manually enter all
the authentication and key parameters.
Since the VPN policies use the IKE policies, you define the IKE policy first. The FWAG114 also
allows you to manually input the authentication scheme and encryption key values. In the case of
manual key management there will not be any IKE policies.
In order to establish secure communication over the Internet with the remote site, you need to
configure matching VPN policies on both the local and remote FWAG114 wireless firewalls. The
outbound VPN policy on one end must match the inbound VPN policy on the other end, and vice
versa.
When network traffic enters the FWAG114 from the LAN interface and no VPN policy matches
that type of traffic, the traffic passes through without any change. If the traffic is selected by a
VPN policy, the IPSec authentication and encryption rules defined in that VPN policy are
applied to it.
By default, a new VPN policy is added with the lowest priority, that is, at the end of the VPN
policy table.
Using Automatic Key Management
The most common configuration scenarios will use IKE policies to automatically manage the
authentication and encryption keys. Based on the IKE policy, some parameters for the VPN tunnel
are generated automatically. The IKE protocols perform negotiations between the two VPN
endpoints to automatically generate required parameters.
Some organizations will use an IKE policy with a Certificate Authority (CA) to perform
authentication. Typically, CA authentication is used in large organizations which maintain their
own internal CA server. This requires that each VPN gateway has a certificate from the CA. Using
CAs reduces the amount of data entry required on each VPN endpoint.
IKE Policies’ Automatic Key and Authentication Management
Click the IKE Policies link from the VPN section of the main menu, and then click the Add button
of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 7-2.
Figure 7-2: IKE - Policy Configuration Menu
The IKE Policy Configuration fields are defined in the following table.
Table 7-1. IKE Policy Configuration Fields
General. These settings identify this policy and determine its major characteristics.
• Policy Name. The descriptive name of the IKE policy. Each policy should have a unique policy
name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify
IKE policies.
• Direction/Type. This setting is used when determining if the IKE policy matches the current
traffic. The drop-down menu includes the following:
– Initiator – Outgoing connections are allowed, but incoming are blocked.
– Responder – Incoming connections are allowed, but outgoing are blocked.
– Both Directions – Both outgoing and incoming connections are allowed.
– Remote Access – This is to allow only incoming client connections, where the IP address of
the remote client is unknown.
If Remote Access is selected, the “Exchange Mode” MUST be “Aggressive,” and the ‘Identities’
below (both Local and Remote) MUST be “Name.” On the matching VPN Policy, the IP address
of the remote VPN endpoint should be set to 0.0.0.0.
• Exchange Mode. Main Mode or Aggressive Mode. This setting must match the setting used on
the remote VPN endpoint.
– Main Mode is slower but more secure. Also, the “Identity” below must be established by IP
address.
– Aggressive Mode is faster but less secure. The “Identity” below can be by name (host name,
domain name, email address, etc.) instead of by IP address.
Local. These parameters apply to the Local FWAG114 wireless firewall.
• Local Identity Type. Use this field to identify the local FWAG114. You can choose one of the
following four options from the drop-down list:
– By its Internet (WAN) port IP address.
– By its Fully Qualified Domain Name (FQDN) -- your domain name.
– By a Fully Qualified User Name -- your name, E-mail address, or other ID.
– By DER ASN.1 DN -- the binary DER encoding of your ASN.1 X.500 Distinguished Name.
• Local Identity Data. This field lets you identify the local FWAG114 by name.
Remote. These parameters apply to the target remote FWAG114, VPN gateway, or VPN client.
• Remote Identity Type. Use this field to identify the remote FWAG114. You can choose one of
the following four options from the drop-down list:
– By its Internet (WAN) port IP address.
– By its Fully Qualified Domain Name (FQDN) -- your domain name.
– By a Fully Qualified User Name -- your name, E-mail address, or other ID.
– By DER ASN.1 DN -- the binary DER encoding of your ASN.1 X.500 Distinguished Name.
• Remote Identity Data. This field lets you identify the target remote FWAG114 by name.
IKE SA Parameters. These parameters determine the properties of the IKE Security Association.
• Encryption Algorithm. Choose the encryption algorithm for this IKE policy:
– DES is the default
– 3DES is more secure
• Authentication Algorithm. If you enable Authentication Header (AH), this menu lets you select
from these authentication algorithms:
– MD5 - the default
– SHA-1 - more secure
• Authentication Method. You may select Pre-Shared Key or RSA Signature.
• Pre-Shared Key. Specify the key according to the requirements of the Authentication Algorithm
you selected.
– For MD5, the key length should be 16 bytes.
– For SHA-1, the key length should be 20 bytes.
• RSA Signature. RSA Signature requires a certificate.
• Diffie-Hellman (D-H) Group. The DH Group setting determines the bit size used in the key
exchange. This must match the value used on the remote VPN gateway or client.
• SA Life Time. The amount of time in seconds before the Security Association expires; over an
hour (3600) is common.
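The following is an added example, not NETGEAR code: a consistency check for a pair of IKE policies, one on the local FWAG114 and one on the remote endpoint, against the constraints the table above states (Exchange Mode and identity type, the Remote Access requirements, pre-shared key length per authentication algorithm, and the settings that must match on both ends). The dictionary keys, the identity type codes, the pairing of Remote Access with an Initiator client, and the sample values are assumptions made for this example.

```python
from typing import Dict, List

PSK_BYTES = {"MD5": 16, "SHA-1": 20}     # key length required by the authentication algorithm
NAME_TYPES = {"FQDN", "USER_FQDN"}       # identity types the table calls "Name" (assumed codes)
# Direction/Type the other end needs for each local choice. The table describes Remote
# Access as incoming client connections, so the client is assumed to be the Initiator.
MIRROR = {"Initiator": "Responder", "Responder": "Initiator",
          "Both Directions": "Both Directions", "Remote Access": "Initiator"}
MUST_MATCH = ("exchange_mode", "encryption", "auth_alg", "auth_method", "dh_group")


def check_policy(p: Dict) -> List[str]:
    """Constraint violations inside one IKE policy (empty list means none found)."""
    errs = []
    if p["direction"] == "Remote Access":
        if p["exchange_mode"] != "Aggressive":
            errs.append("Remote Access requires Aggressive mode")
        if p["local_id_type"] not in NAME_TYPES or p["remote_id_type"] not in NAME_TYPES:
            errs.append("Remote Access requires Name identities on both sides")
        if p["remote_endpoint"] != "0.0.0.0":
            errs.append("Remote Access: matching VPN policy must use remote endpoint 0.0.0.0")
    if p["exchange_mode"] == "Main" and (p["local_id_type"] != "IP" or p["remote_id_type"] != "IP"):
        errs.append("Main mode requires identities established by IP address")
    if p["auth_method"] == "Pre-Shared Key":
        need = PSK_BYTES[p["auth_alg"]]
        if len(p["psk"].encode("ascii")) != need:
            errs.append(f"pre-shared key must be {need} bytes for {p['auth_alg']}")
    elif p["auth_method"] == "RSA Signature" and not p.get("certificate"):
        errs.append("RSA Signature requires a certificate")
    return errs


def weak_choices(p: Dict) -> List[str]:
    """Default choices the table itself rates as the less secure option."""
    notes = []
    if p["encryption"] == "DES":
        notes.append("DES is the default; the table rates 3DES as more secure")
    if p["auth_alg"] == "MD5":
        notes.append("MD5 is the default; the table rates SHA-1 as more secure")
    return notes


def check_pair(local: Dict, remote: Dict) -> List[str]:
    """Problems that stop the local and remote IKE policies from matching each other."""
    errs = [f"local: {e}" for e in check_policy(local)]
    errs += [f"remote: {e}" for e in check_policy(remote)]
    for f in MUST_MATCH:
        if local[f] != remote[f]:
            errs.append(f"{f} differs: {local[f]} vs {remote[f]}")
    if MIRROR[local["direction"]] != remote["direction"]:
        errs.append(f"direction {local['direction']} needs {MIRROR[local['direction']]} on the other end")
    # Identities cross over: what one end calls its Remote identity is the other end's Local one.
    if (local["remote_id_type"], local["remote_id"]) != (remote["local_id_type"], remote["local_id"]):
        errs.append("local Remote Identity does not match remote Local Identity")
    if (remote["remote_id_type"], remote["remote_id"]) != (local["local_id_type"], local["local_id"]):
        errs.append("remote Remote Identity does not match local Local Identity")
    if local["auth_method"] == "Pre-Shared Key" and local.get("psk") != remote.get("psk"):
        errs.append("pre-shared keys differ")
    return errs


def counterpart(p: Dict) -> Dict:
    """Build the policy the remote end would need in order to pair with p."""
    q = dict(p)
    q["direction"] = MIRROR[p["direction"]]
    q["local_id_type"], q["remote_id_type"] = p["remote_id_type"], p["local_id_type"]
    q["local_id"], q["remote_id"] = p["remote_id"], p["local_id"]
    q["remote_endpoint"] = p["local_id"]
    return q


# Constructed site-to-site policy using RFC 5737 documentation addresses; the key is
# exactly 20 ASCII bytes, as the table requires for SHA-1.
HQ = {"name": "hq-to-branch", "direction": "Initiator", "exchange_mode": "Main",
      "local_id_type": "IP", "local_id": "203.0.113.2",
      "remote_id_type": "IP", "remote_id": "198.51.100.1", "remote_endpoint": "198.51.100.1",
      "encryption": "3DES", "auth_alg": "SHA-1", "auth_method": "Pre-Shared Key",
      "psk": "example-key-20-bytes", "dh_group": 2, "sa_lifetime": 3600}

if __name__ == "__main__":
    branch = counterpart(HQ)
    print(check_pair(HQ, branch))                              # []
    branch["dh_group"] = 1
    print(check_pair(HQ, branch))                              # ['dh_group differs: 2 vs 1']
```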
VPN Policy Configuration for Auto Key Negotiation
An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN
Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
Figure 7-3: VPN - Auto Policy Menu
The VPN Auto Policy fields are defined in the following table.
Table 7-1. VPN Auto Policy Configuration Fields
General: These settings identify this policy and determine its major characteristics.
Policy Name: The descriptive name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify VPN policies.
IKE Policy: The existing IKE policies are presented in a drop-down list.
Note: Create the IKE policy BEFORE creating a VPN - Auto policy.
Remote VPN Endpoint: The address used to locate the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FWAG114’s Local IP values entered as its “Remote VPN Endpoint.”
• By its Fully Qualified Domain Name (FQDN) -- your domain name.
• By its IP Address.
Address Type: The address type used to locate the remote VPN firewall or client to which you wish to connect.
• By its Fully Qualified Domain Name (FQDN) -- your domain name.
• By its IP Address.
Address Data: The address used to locate the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FWAG114’s Local Identity Data entered as its “Remote VPN Endpoint.”
• By its Fully Qualified Domain Name (FQDN) -- your domain name.
• By its IP Address.
SA Life Time: The duration of the Security Association before it expires.
• Seconds - the amount of time before the SA expires. Over an hour is common (3600).
• Kbytes - the amount of traffic before the SA expires.
One of these can be set without setting the other.
IPSec PFS: If enabled, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. Each key has no relationship to the previous key.
PFS Key Group: If PFS is enabled, this setting determines the DH group bit size used in the key exchange. This must match the value used on the remote gateway.
Virtual Private Networking 7-7
Traffic Selector: These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.
Local IP: The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from your network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space
• Single IP Address
• Range of IP Addresses
• Subnet Address
Remote IP: The drop-down menu allows you to configure the destination IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from the remote site's corporate network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space
• Single IP Address
• Range of IP Addresses
• Subnet Address
Authenticating Header (AH) Configuration: AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint.
Enable Authentication: Use this checkbox to enable or disable AH for this VPN policy.
Authentication Algorithm: If you enable AH, then select the authentication algorithm:
• MD5 - the default
• SHA1 - more secure
Encapsulated Security Payload (ESP) Configuration: ESP provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication. Two ESP modes are available:
• Plain ESP encryption
• ESP encryption with authentication
These settings must match the remote VPN endpoint.
Enable Encryption: Use this checkbox to enable or disable ESP Encryption.
Encryption Algorithm: If you enable ESP encryption, then select the encryption algorithm:
• DES - the default
• 3DES - more secure
Enable Authentication: Use this checkbox to enable or disable ESP transform for this VPN policy. You can select the ESP mode also with this menu. Two ESP modes are available:
• Plain ESP
• ESP with authentication
Authentication Algorithm: If you enable AH, then use this menu to select which authentication algorithm will be employed. The choices are:
• MD5 - the default
• SHA1 - more secure
NETBIOS Enable: Check this if you wish NETBIOS traffic to be forwarded over the VPN tunnel. The NETBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood.
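As an added example (not code from this manual or from NETGEAR), the Traffic Selector rule above in Go: the four address types offered by the Local IP and Remote IP menus are modelled, and an outbound packet is tunnelled only when both its source and its destination match. The subnets are those of Scenario 1 later in this chapter; the policy names, the 192.0.2.7 host, the 10.5.6.10 to 10.5.6.20 range and the first-match ordering are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Kind is one of the four choices offered in the Local IP and Remote IP drop-down menus.
type Kind int

const (
	Any    Kind = iota // all valid IP addresses in the Internet address space
	Single             // a single IP address
	Range              // an inclusive range of IP addresses
	Subnet             // a subnet address
)

// Selector is one side (Local IP or Remote IP) of a policy's Traffic Selector.
type Selector struct {
	Kind       Kind
	Addr       netip.Addr   // used by Single
	Start, End netip.Addr   // used by Range (inclusive bounds)
	Prefix     netip.Prefix // used by Subnet
}

// Matches reports whether addr satisfies this side of the selector.
func (s Selector) Matches(addr netip.Addr) bool {
	switch s.Kind {
	case Any:
		return addr.IsValid()
	case Single:
		return addr == s.Addr
	case Range:
		return addr.Compare(s.Start) >= 0 && addr.Compare(s.End) <= 0
	case Subnet:
		return s.Prefix.Contains(addr)
	}
	return false
}

// Policy is the part of a VPN policy that decides whether an outbound packet is tunnelled.
type Policy struct {
	Name          string
	Local, Remote Selector
}

// Covers applies the table's rule: a tunnel is used only when the outbound packet meets
// all criteria, i.e. its source matches Local IP and its destination matches Remote IP.
func (p Policy) Covers(src, dst netip.Addr) bool {
	return p.Local.Matches(src) && p.Remote.Matches(dst)
}

// Lookup returns the first policy whose selector covers the packet, or nil when the packet
// leaves without a tunnel. First-match ordering is an assumption of this example; the
// manual does not state how the FWAG114 orders overlapping policies.
func Lookup(policies []Policy, src, dst netip.Addr) *Policy {
	for i := range policies {
		if policies[i].Covers(src, dst) {
			return &policies[i]
		}
	}
	return nil
}

// SamplePolicies builds two constructed policies: the Scenario 1 LAN-to-LAN subnet pair
// from this chapter (10.5.6.0/24 to 172.23.9.0/24) and an assumed range-to-single-host policy.
func SamplePolicies() []Policy {
	return []Policy{
		{Name: "scenario1a",
			Local:  Selector{Kind: Subnet, Prefix: netip.MustParsePrefix("10.5.6.0/24")},
			Remote: Selector{Kind: Subnet, Prefix: netip.MustParsePrefix("172.23.9.0/24")}},
		{Name: "servers-to-host",
			Local:  Selector{Kind: Range, Start: netip.MustParseAddr("10.5.6.10"), End: netip.MustParseAddr("10.5.6.20")},
			Remote: Selector{Kind: Single, Addr: netip.MustParseAddr("192.0.2.7")}},
	}
}

func main() {
	ps := SamplePolicies()
	fmt.Println(Lookup(ps, netip.MustParseAddr("10.5.6.20"), netip.MustParseAddr("172.23.9.1")).Name)
	fmt.Println(Lookup(ps, netip.MustParseAddr("10.5.6.200"), netip.MustParseAddr("192.0.2.7")))
}
```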
VPN Policy Configuration for Manual Key Exchange
With Manual Key Management, you will not use an IKE policy. You must manually type in all the
required key information. Click the VPN Policies link from the VPN section of the main menu to
display the menu shown below.
Figure 7-4: VPN - Manual Policy Menu
The VPN Manual Policy fields are defined in the following table.
Table 7-1. VPN Manual Policy Configuration Fields
General: These settings identify this policy and determine its major characteristics.
Policy Name: The name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN Endpoint. It is used to help you identify VPN policies.
Remote VPN Endpoint: The WAN Internet IP address of the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FWAG114’s WAN Internet IP address entered as its “Remote VPN Endpoint.”
Traffic Selector: These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.
Local IP: The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from your network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space
• Single IP Address
• Range of IP Addresses
• Subnet Address
Remote IP: The drop-down menu allows you to configure the destination IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from the remote site's corporate network address space. The choices are:
• ANY for all valid IP addresses in the Internet address space
• Single IP Address
• Range of IP Addresses
• Subnet Address
Authenticating Header (AH) Configuration: AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint.
Note: The "Incoming" settings here must match the "Outgoing" settings on the remote VPN endpoint, and the "Outgoing" settings here must match the "Incoming" settings on the remote VPN endpoint.
SPI - Incoming: Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Outgoing SPI" field.
SPI - Outgoing: Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Incoming SPI" field.
Enable Authentication: Use this checkbox to enable or disable AH. Authentication is often not used. In this case, leave the checkbox unchecked.
Authentication Algorithm: If you enable AH, then select the authentication algorithm:
• MD5 - the default
• SHA1 - more secure
Key - In: Enter the key in the field provided.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - Out" field.
Key - Out: Enter the key in the field provided.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - In" field.
Encapsulated Security Payload (ESP) Configuration: ESP provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both encryption and authentication when you use ESP. Two ESP modes are available:
• Plain ESP encryption
• ESP encryption with authentication
These settings must match the remote VPN endpoint.
SPI - Incoming: Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Outgoing SPI" field.
SPI - Outgoing: Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Incoming SPI" field.
Enable Encryption: Use this checkbox to enable or disable ESP Encryption.
Encryption Algorithm: If you enable ESP Encryption, then select the Encryption Algorithm:
• DES - the default
• 3DES - more secure
Key - In: Enter the key in the field provided.
• For DES, the key should be 8 characters.
• For 3DES, the key should be 24 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Encryption Algorithm "Key - Out" field.
Key - Out: Enter the key in the field provided.
• For DES, the key should be 8 characters.
• For 3DES, the key should be 24 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Encryption Algorithm "Key - In" field.
Enable Authentication: Use this checkbox to enable or disable ESP authentication for this VPN policy.
Authentication Algorithm: If you enable authentication, then use this menu to select the algorithm:
• MD5 - the default
• SHA1 - more secure
Key - In: Enter the key in the field provided.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - Out" field.
Key - Out: Enter the key in the field provided.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm "Key - In" field.
NETBIOS Enable: Check this if you wish NETBIOS traffic to be forwarded over the VPN tunnel. The NETBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood.
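Added example, not the FWAG114's own code: a Go checker for the Manual Policy fields in the table above. It enforces the SPI format (hex value, 3 - 8 chars) and the per-algorithm key lengths the table gives, and applies the note that every Incoming/In value on one endpoint must equal the Outgoing/Out value on the other. Field names follow the table's labels; the SPI and key values are constructed samples, and a section whose Algorithm field is absent is treated as disabled (an assumption of this example).

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// ManualPolicy maps Manual Policy field names, as labelled in the table, to the values
// entered on one endpoint; a disabled section (e.g. AH left unchecked) has no fields.
type ManualPolicy map[string]string

// keyLen gives the key length (in characters) the table requires per algorithm; spiRe
// encodes its "Hex value (3 - 8 chars)" rule for every SPI field.
var keyLen = map[string]int{"MD5": 16, "SHA1": 20, "DES": 8, "3DES": 24}
var spiRe = regexp.MustCompile(`^[0-9A-Fa-f]{3,8}$`)

// partner returns the field on the other endpoint that f must equal: Incoming pairs with
// Outgoing and Key - In with Key - Out; every other field (algorithms) pairs with itself.
func partner(f string) string {
	for _, p := range [][2]string{{"Incoming", "Outgoing"}, {"Outgoing", "Incoming"}, {"Key - In", "Key - Out"}, {"Key - Out", "Key - In"}} {
		if strings.HasSuffix(f, p[0]) {
			return strings.TrimSuffix(f, p[0]) + p[1]
		}
	}
	return f
}

// Validate returns the field-level problems of one policy: every SPI must be a 3 - 8
// character hex value and every key must have the length its section's algorithm requires.
func (p ManualPolicy) Validate() []string {
	var problems []string
	for f, v := range p {
		switch {
		case strings.Contains(f, "SPI") && !spiRe.MatchString(v):
			problems = append(problems, fmt.Sprintf("%s: %q is not a hex value of 3 - 8 chars", f, v))
		case strings.Contains(f, "Key - "):
			alg := p[f[:strings.Index(f, "Key - ")]+"Algorithm"] // e.g. "ESP Encryption Algorithm"
			if want, ok := keyLen[alg]; !ok {
				problems = append(problems, fmt.Sprintf("%s: no valid algorithm selected for this key", f))
			} else if len(v) != want {
				problems = append(problems, fmt.Sprintf("%s: %s needs %d characters, got %d", f, alg, want, len(v)))
			}
		}
	}
	sort.Strings(problems) // map iteration order is random; report in a stable order
	return problems
}

// Mismatches applies the table's note: every Incoming/In field on endpoint a must equal
// the Outgoing/Out field on endpoint b and vice versa; all other fields must be identical.
func Mismatches(a, b ManualPolicy) []string {
	var m []string
	for f, v := range a {
		if pf := partner(f); v != b[pf] {
			m = append(m, fmt.Sprintf("%s on A (%q) does not match %s on B (%q)", f, v, pf, b[pf]))
		}
	}
	sort.Strings(m)
	return m
}

// SamplePair returns constructed sample policies (not values from the manual): A and its mirror image B.
func SamplePair() (a, b ManualPolicy) {
	a = ManualPolicy{
		"AH SPI - Incoming": "1a2b", "AH SPI - Outgoing": "3c4d",
		"ESP SPI - Incoming": "abc", "ESP SPI - Outgoing": "ff00ff00",
		"ESP Encryption Algorithm": "3DES",
		"ESP Encryption Key - In": "in-3des-key-0123456789ab", "ESP Encryption Key - Out": "out-3des-key-0123456789a",
		"ESP Authentication Algorithm": "MD5",
		"ESP Authentication Key - In": "in-md5-key-01234", "ESP Authentication Key - Out": "out-md5-key-0123",
	}
	b = ManualPolicy{}
	for f, v := range a {
		b[partner(f)] = v
	}
	return a, b
}

func main() {
	a, b := SamplePair()
	b["ESP SPI - Outgoing"] = "zz" // a typo on one side is reported by both checks
	fmt.Println(a.Validate(), b.Validate(), Mismatches(a, b))
}
```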
Using Digital Certificates for IKE Auto-Policy Authentication
Digital certificates are strings generated using encryption and authentication schemes which
cannot be duplicated by anyone without access to the different values used in the production of the
string. They are issued by Certification Authorities (CAs) to authenticate a person or a workstation
uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities
(PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The
FWAG114 is able to use certificates to authenticate users at the end points during the IKE key
exchange process.
The certificates can be obtained from a certificate server an organization might maintain internally
or from the established public CAs. The certificates are produced by providing the particulars of
the user being identified to the CA. The information provided may include the user's name, e-mail
ID, domain name, etc.
Each CA has its own certificate. The certificates of a CA are added to the FWAG114 and can then
be used to form IKE policies for the user. Once a CA certificate is added to the FWAG114 and a
certificate is created for a user, the corresponding IKE policy is added to the FWAG114. Whenever
the user tries to send traffic through the FWAG114, the certificates are used in place of pre-shared
keys during initial key exchange as the authentication and key generation mechanism. Once the
keys are established and the tunnel is set up the connection proceeds according to the VPN policy.
Certificate Revocation List (CRL)
Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these
revoked certificates is known as the Certificate Revocation List (CRL).
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the
CRL on the FWAG114 obtained from the corresponding CA. If the certificate is not present in the
CRL it means that the certificate is not revoked. IKE can then use this certificate for
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and
the IKE will not authenticate the client.
You must manually update the FWAG114 CRL regularly in order for the CA-based authentication
process to remain valid.
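Added example, not NETGEAR's implementation: the CRL check described above (and set up in step 8 of Scenario 2 later in this chapter) written in Go with the standard crypto/x509 package. A constructed CA, two gateway certificates it issued and a CRL revoking one of them are generated in memory so the check runs offline. Beyond the manual's rule (present in the CRL means revoked, absent means not), the check also verifies the CRL's signature against the CA and rejects a CRL that is past its NextUpdate, which is the programmatic form of the advice to update the CRL regularly; the ECDSA keys, names and seven-day CRL validity are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("peer certificate is listed in the CRL; IKE must not authenticate it")
var ErrCRLStale = errors.New("stored CRL is past its NextUpdate; upload a fresh CRL from the CA")
// CheckCRL applies the FWAG114 rule (a certificate listed in the CA's CRL is revoked,
// one absent from it is not) and adds two checks that make the stored CRL trustworthy:
// it must be signed by the issuing CA and must not be stale. nil means the peer may be used.
func CheckCRL(peer *x509.Certificate, crlDER []byte, ca *x509.Certificate, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by %q: %w", ca.Subject.CommonName, err)
	}
	if now.After(crl.NextUpdate) {
		return ErrCRLStale
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("%w (serial %s, revoked %s)", ErrRevoked, peer.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

// Fixture is a constructed CA, two gateway certificates it issued, and a CRL revoking the first.
type Fixture struct {
	CA, Revoked, Valid *x509.Certificate
	CRLDER             []byte
	Issued             time.Time // ThisUpdate of the CRL; NextUpdate is seven days later
}
// BuildFixture generates everything in memory so the check runs offline; it panics on failure.
func BuildFixture() *Fixture {
	now := time.Now()
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Trusted Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign the CRL
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, _ := x509.ParseCertificate(caDER)
	// issue signs an end-entity certificate for one VPN gateway with the CA key.
	issue := func(serial int64, cn string) *x509.Certificate {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &k.PublicKey, caKey)
		must(err)
		c, _ := x509.ParseCertificate(der)
		return c
	}
	revoked, valid := issue(1001, "gateway-b.example"), issue(1002, "gateway-c.example")
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	must(err)
	return &Fixture{CA: ca, Revoked: revoked, Valid: valid, CRLDER: crlDER, Issued: now}
}

func main() {
	f := BuildFixture()
	fmt.Println("revoked gateway:", CheckCRL(f.Revoked, f.CRLDER, f.CA, f.Issued.Add(time.Hour)))
	fmt.Println("valid gateway:  ", CheckCRL(f.Valid, f.CRLDER, f.CA, f.Issued.Add(time.Hour)))
}
```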
Walk-Through of Configuration Scenarios on the FWAG114
There are a variety of configurations you might implement with the FWAG114. The scenarios
listed below illustrate typical configurations you might use in your organization.
In order to help make it easier to set up an IPsec system, the following two scenarios are provided.
These scenarios were developed by the VPN Consortium (http://www.vpnc.org). The goal is to
make it easier to get the systems from different vendors to interoperate. NETGEAR is providing
you with both of these scenarios in the following two formats:
• VPN Consortium Scenarios without Any Product Implementation Details
• VPN Consortium Scenarios Based on the FWAG114 User Interface
The purpose of providing these two versions of the same scenarios is to help you determine where
the two vendors use different vocabulary. Seeing the examples presented in these different ways
will reveal how systems from different vendors do the same thing.
Note: NETGEAR will publish additional interoperability scenarios with various
gateway and client software products. Look on the NETGEAR web site at
www.netgear.com for the HTML version of this manual. The scenarios will be published
as an additional section of the on-line version of this reference manual.
VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets
The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.
Figure 7-5: VPN Consortium Scenario 1 (Gateway A: LAN 10.5.6.0/24, LAN interface 10.5.6.1, WAN interface 14.15.16.17; Internet; Gateway B: WAN interface 22.23.24.25, LAN interface 172.23.9.1, LAN 172.23.9.0/24)
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has
the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet)
interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used
for testing IPsec but is not needed for configuring Gateway A.
The IKE Phase 1 parameters used in Scenario 1 are:
• Main mode
• TripleDES
• SHA-1
• MODP group 2 (1024 bits)
• pre-shared secret of "hr5xb84l6aa9r6"
• SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 2 (1024 bits)
• Perfect forward secrecy for rekeying
• SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
• Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
FWAG114 Scenario 1: FWAG114 to Gateway B IKE and VPN Policies
Note: This scenario assumes all ports are open on the FWAG114. You can verify this by reviewing
the security settings as seen in the “Rules menu” on page 3-6.
Figure 7-6: LAN to LAN VPN access from an FWAG114 to an FWAG114 (Scenario 1: WAN IP 14.15.16.17 and LAN IP 10.5.6.1/24 on Gateway A; WAN IP 22.23.24.25 and LAN IP 172.23.9.1/24 on Gateway B)
Use this scenario illustration and configuration screens as a model to build your configuration.
1. Log in to the FWAG114 labeled Gateway A as in the illustration. Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever password and LAN address you have chosen.
2. Configure the WAN (Internet) and LAN IP addresses of the FWAG114.
a. From the main menu Setup section, click on the Basic Setup link.
Figure 7-7: FWAG114 Internet IP Address menu (the WAN IP addresses; your ISP provides these addresses)
b. Configure the WAN Internet Address according to the settings above and click Apply to save your settings. For more information on configuring the WAN IP settings in the Basic Setup topics, please see “How to Complete a Manual Configuration” on page 2-14.
c. From the main menu Advanced section, click on the LAN IP Setup link.
Figure 7-8: LAN IP configuration menu
d. Configure the LAN IP address according to the settings above and click Apply to save your settings. For more information on LAN TCP/IP setup topics, please see “How to Configure LAN TCP/IP Setup Settings” on page 6-5.
Note: After you click Apply to change the LAN IP address settings, your workstation will
be disconnected from the FWAG114. You will have to log on with http://10.5.6.1 which is
now the address you use to connect to the built-in web-based configuration manager of the
FWAG114.
3. Set up the IKE Policy illustrated below on the FWAG114.
a. From the main menu VPN section, click on the IKE Policies link, and then click the Add button to display the screen below.
Figure 7-9: Scenario 1 IKE Policy
b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings. For more information on IKE Policy topics, please see “IKE Policies’ Automatic Key and Authentication Management” on page 7-3.
4. Set up the FWAG114 VPN -Auto Policy illustrated below.
a. From the main menu VPN section, click on the VPN Policies link, and then click on the Add Auto Policy button.
Figure 7-10: Scenario 1 VPN - Auto Policy (callouts mark the WAN IP address and the LAN IP addresses)
b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings. For more information on IKE Policy topics, please see “IKE Policies’ Automatic Key and Authentication Management” on page 7-3.
5. After applying these changes, all traffic from the range of LAN IP addresses specified on
FWAG114 A and FWAG114 B will flow over a secure VPN tunnel.
How to Check VPN Connections
You can test connectivity and view VPN status information on the FWAG114.
1. To test connectivity between the Gateway A FWAG114 LAN and the Gateway B LAN, follow these steps:
a. Using our example, from a PC attached to the FWAG114 on LAN A, on a Windows PC click the Start button on the taskbar and then click Run.
b. Type ping -t 172.23.9.1, and then click OK.
c. This will cause a continuous ping to be sent to the LAN interface of Gateway B. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.”
d. At this point the connection is established.
2. To test connectivity between the FWAG114 Gateway A and Gateway B WAN ports, follow these steps:
a. Using our example, log in to the FWAG114 on LAN A, go to the main menu Maintenance section and click the Diagnostics link.
b. To test connectivity to the WAN port of Gateway B, enter 22.23.24.25, and then click Ping.
c. This will cause a ping to be sent to the WAN interface of Gateway B. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.” You may have to run this test several times before you get the “reply” message back from the target FWAG114.
d. At this point the connection is established.
Note: If you want to ping the FWAG114 as a test of network connectivity, be sure the FWAG114 is configured to respond to a ping on the Internet WAN port by checking the checkbox seen in “Rules menu” on page 3-6. However, to preserve a high degree of security, you should turn off this feature when you are finished with testing.
3. To view the FWAG114 event log and status of Security Associations, follow these steps:
a. Go to the FWAG114 main menu VPN section and click the VPN Status link.
b. The log screen will display a history of the VPN connections, and the IPSec SA and IKE SA tables will report the status and data transmission statistics of the VPN tunnels for each policy.
FWAG114 Scenario 2: FWAG114 to FWAG114 with RSA Certificates
The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure x.509
(PKIX) certificates for authentication. The network setup is identical to the one given in scenario
1. The IKE Phase 1 and Phase 2 parameters are identical to the ones given in scenario 1, with the
exception that the identification is done with signatures authenticated by PKIX certificates.
Note: Before completing this configuration scenario, make sure the correct Time Zone is set on the FWAG114. For instructions on this topic, please see “How to Set Your Time Zone” on page 3-14.
1. Obtain a root certificate.
a. Obtain the root certificate (which includes the public key) from a Certificate Authority (CA).
Note: The procedure for obtaining certificates differs between a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates for providing certificates for its members. For example, an administrator of a Windows 2000 certificate server might provide it to you via e-mail.
b. Save the certificate as a text file called trust.txt.
2. Install the trusted CA certificate for the Trusted Root CA.
a. Log in to the FWAG114.
b. From the main menu VPN section, click on the CAs link.
c. Click Add to add a CA.
d. Click Browse to locate the trust.txt file.
e. Click Upload.
3. Create a certificate request for the FWAG114.
a. From the main menu VPN section, click the Certificates link.
b. Click the Generate Request button to display the screen illustrated in Figure 7-11 below.
Figure 7-11: Generate Self Certificate Request menu
c. Fill in the fields on the Add Self Certificate screen.
• Required
– Name. Enter a name to identify this certificate.
– Subject. This is the name which other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all certificates should have the same value in the Subject field.
– Hash Algorithm. Select the desired option: MD5 or SHA1.
– Signature Algorithm. Select the desired option: DSS or RSA.
– Signature Key Length. Select the desired option: 512, 1024, or 2048.
• Optional
– IP Address. If you use “IP type” in the IKE policy, you should input the IP Address here. Otherwise, you should leave this blank.
– Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank.
– E-mail Address. You can enter your e-mail address here.
d. Click the Next button to continue. The FWAG114 generates a Self Certificate Request as shown below.
Figure 7-12: Self Certificate Request data (highlight, copy and paste this data into a text file)
4. Transmit the Self Certificate Request data to the Trusted Root CA.
a. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file.
b. Give the certificate request data to the CA. In the case of a Windows 2000 internal CA, you might simply e-mail it to the CA administrator. The procedures of a CA like Verisign and a CA such as a Windows 2000 certificate server administrator will differ. Follow the procedures of your CA.
c. When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending “FWAG114” Self Certificate Request will be listed, as illustrated in Figure 7-13 below.
Figure 7-13: Self Certificate Requests table
5. Receive the certificate back from the Trusted Root CA and save it as a text file.
Note: In the case of a Windows 2000 internal CA, the CA administrator might simply e-mail it back to you. Follow the procedures of your CA. Save the certificate you get back from the CA as a text file called final.txt.
6. Upload the new certificate.
a. From the main menu VPN section, click on the Certificates link.
b. Click the radio button of the Self Certificate Request you want to upload.
c. Click the Upload Certificate button.
d. Browse to the location of the file you saved in step 5 above which contains the certificate from the CA.
e. Click the Upload button.
f. You will now see the “FWAG114” entry in the Active Self Certificates table and the pending “FWAG114” Self Certificate Request is gone, as illustrated below.
Figure 7-14: Self Certificates table
7. Associate the new certificate and the Trusted Root CA certificate on the FWAG114.
a. Create a new IKE policy called Scenario_2 with all the same properties of Scenario_1 (see “Scenario 1 IKE Policy” on page 6-19) except now use the RSA Signature instead of the shared key.
Figure 7-15: IKE policy using RSA Signature
b. Create a new VPN Auto Policy called scenario2a with all the same properties as scenario1a except that it uses the IKE policy called Scenario_2.
Now, the traffic from devices within the range of the LAN subnet addresses on FWAG114 A
and Gateway B will be authenticated using the certificates rather than via a shared key.
8. Set up Certificate Revocation List (CRL) checking.
a. Get a copy of the CRL from the CA and save it as a text file.
Note: The procedure for obtaining a CRL differs between a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates for providing certificates for its members. Follow the procedures of your CA.
b. From the main menu VPN section, click on the CRL link.
c. Click Add to add a CRL.
d. Click Browse to locate the CRL file.
e. Click Upload.
Now expired or revoked certificates will not be allowed to use the VPN tunnels managed by
IKE policies which use this CA.
Note: You must update the CRLs regularly in order to maintain the validity of the
certificate-based VPN policies.